| Section | Page |
|---|---|
| ProSecure Unified Threat Management (UTM) Appliance | 1 |
| Contents | 4 |
| 1. Introduction | 13 |
| What Is the ProSecure Unified Threat Management (UTM) Appliance? | 13 |
| Key Features and Capabilities | 14 |
| Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing | 15 |
| Wireless Features | 15 |
| DSL Features | 15 |
| Advanced VPN Support for Both IPSec and SSL | 16 |
| A Powerful, True Firewall | 16 |
| Stream Scanning for Content Filtering | 16 |
| Security Features | 17 |
| Autosensing Ethernet Connections with Auto Uplink | 17 |
| Extensive Protocol Support | 18 |
| Easy Installation and Management | 18 |
| Maintenance and Support | 19 |
| Model Comparison | 19 |
| Service Registration Card with License Keys | 20 |
| Package Contents | 21 |
| Hardware Features | 22 |
| Front Panel UTM5 and UTM10 | 22 |
| Front Panel UTM25 | 23 |
| Front Panel UTM50 | 24 |
| Front Panel UTM150 | 24 |
| Front Panel UTM9S and Modules | 25 |
| LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 | 27 |
| LED Descriptions, UTM9S and Modules | 28 |
| Rear Panel UTM5, UTM10, and UTM25 | 30 |
| Rear Panel UTM50 and UTM150 | 31 |
| Rear Panel UTM9S | 31 |
| Bottom Panels with Product Labels | 32 |
| Choose a Location for the UTM | 35 |
| Use the Rack-Mounting Kit | 36 |
| 2. Using the Setup Wizard to Provision the UTM in Your Network | 37 |
| Steps for Initial Connection | 37 |
| Qualified Web Browsers | 38 |
| Requirements for Entering IP Addresses | 38 |
| Log In to the UTM | 38 |
| Web Management Interface Menu Layout | 40 |
| Use the Setup Wizard to Perform the Initial Configuration | 42 |
| Setup Wizard Step 1 of 10: LAN Settings | 43 |
| Setup Wizard Step 2 of 10: WAN Settings | 46 |
| Setup Wizard Step 3 of 10: System Date and Time | 49 |
| Setup Wizard Step 4 of 10: Services | 51 |
| Setup Wizard Step 5 of 10: Email Security | 53 |
| Setup Wizard Step 6 of 10: Web Security | 55 |
| Setup Wizard Step 7 of 10: Web Categories to Be Blocked | 57 |
| Setup Wizard Step 8 of 10: Email Notification | 59 |
| Setup Wizard Step 9 of 10: Signatures & Engine | 60 |
| Setup Wizard Step 10 of 10: Saving the Configuration | 61 |
| Verify Correct Installation | 61 |
| Test Connectivity | 62 |
| Test HTTP Scanning | 62 |
| Register the UTM with NETGEAR | 62 |
| Electronic Licensing | 64 |
| What to Do Next | 64 |
| 3. Manually Configuring Internet and WAN Settings | 66 |
| Internet and WAN Configuration Tasks | 67 |
| Automatically Detecting and Connecting the Internet Connections | 67 |
| Set the UTM's MAC Address | 71 |
| Manually Configure the Internet Connection | 71 |
| Configure the WAN Mode | 75 |
| Configure Network Address Translation (All Models) | 77 |
| Configure Classical Routing (All Models) | 77 |
| Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models) | 78 |
| Configure Load Balancing and Optional Protocol Binding | 81 |
| Configure Secondary WAN Addresses | 85 |
| Configure Dynamic DNS | 87 |
| Configure Advanced WAN Options | 90 |
| Additional WAN-Related Configuration Tasks | 92 |
| 4. LAN Configuration | 93 |
| Manage Virtual LANs and DHCP Options | 93 |
| Port-Based VLANs | 94 |
| Assign and Manage VLAN Profiles | 95 |
| VLAN DHCP Options | 96 |
| Configure a VLAN Profile | 98 |
| Configure VLAN MAC Addresses and Advanced LAN Settings | 103 |
| Configure Multihome LAN IPs on the Default VLAN | 104 |
| Manage Groups and Hosts (LAN Groups) | 106 |
| Manage the Network Database | 107 |
| Change Group Names in the Network Database | 110 |
| Set Up Address Reservation | 111 |
| Configure and Enable the DMZ Port | 112 |
| Manage Routing | 115 |
| Configure Static Routes | 116 |
| Configure Routing Information Protocol | 118 |
| Static Route Example | 120 |
| 5. Firewall Protection | 121 |
| About Firewall Protection | 121 |
| Administrator Tips | 122 |
| Use Rules to Block or Allow Specific Kinds of Traffic | 122 |
| Service-Based Rules | 123 |
| Order of Precedence for Rules | 130 |
| Set LAN WAN Rules | 130 |
| Set DMZ WAN Rules | 133 |
| Set LAN DMZ Rules | 136 |
| Inbound Rule Examples | 139 |
| Outbound Rule Example | 143 |
| Configure Other Firewall Features | 144 |
| VLAN Rules | 144 |
| Attack Checks, VPN Pass-through, and Multicast Pass-through | 146 |
| Set Session Limits | 150 |
| Manage the Application Level Gateway for SIP Sessions | 151 |
| Create Services, QoS Profiles, and Bandwidth Profiles | 152 |
| Add Customized Services | 152 |
| Create Service Groups | 154 |
| Create IP Groups | 156 |
| Create Quality of Service Profiles | 158 |
| Create Bandwidth Profiles | 160 |
| Set a Schedule to Block or Allow Specific Traffic | 163 |
| Enable Source MAC Filtering | 164 |
| Set Up IP/MAC Bindings | 166 |
| Configure Port Triggering | 168 |
| Configure Universal Plug and Play | 171 |
| Use the Intrusion Prevention System | 172 |
| 6. Content Filtering and Optimizing Scans | 175 |
| About Content Filtering and Scans | 175 |
| Default Email and Web Scan Settings | 176 |
| Configure Email Protection | 178 |
| Customize Email Protocol Scan Settings | 178 |
| Customize Email Antivirus and Notification Settings | 179 |
| Email Content Filtering | 183 |
| Protect Against Email Spam | 186 |
| Configure Web and Services Protection | 194 |
| Customize Web Protocol Scan Settings and Services (Web Applications) | 194 |
| Configure Web Malware Scans | 197 |
| Configure Web Content Filtering | 199 |
| Configure Web URL Filtering | 206 |
| HTTPS Scan Settings | 209 |
| Manage Digital Certificates for HTTPS Scans | 213 |
| Specify Trusted Hosts | 218 |
| Configure FTP Scans | 219 |
| Set Web Access Exception Rules | 221 |
| Create Custom Groups for Web Access Exceptions | 228 |
| Create Custom Categories for Web Access Exceptions | 231 |
| Set Scanning Exclusions | 235 |
| 7. Virtual Private Networking Using IPSec Connections | 237 |
| Considerations for Dual WAN Port Systems (Multiple WAN Port Models Only) | 237 |
| Use the IPSec VPN Wizard for Client and Gateway Configurations | 239 |
| Create Gateway-to-Gateway VPN Tunnels with the Wizard | 239 |
| Create a Client-to-Gateway VPN Tunnel | 243 |
| Test the Connection and View Connection and Status Information | 258 |
| Test the NETGEAR VPN Client Connection | 258 |
| NETGEAR VPN Client Status and Log Information | 260 |
| View the UTM IPSec VPN Connection Status | 260 |
| View the UTM IPSec VPN Log | 261 |
| Manage IPSec VPN Policies | 262 |
| Manage IKE Policies | 262 |
| Manage VPN Policies | 269 |
| Configure Extended Authentication (XAUTH) | 277 |
| Configure XAUTH for VPN Clients | 277 |
| User Database Configuration | 278 |
| RADIUS Client Configuration | 279 |
| Assign IP Addresses to Remote Users (Mode Config) | 281 |
| Mode Config Operation | 281 |
| Configure Mode Config Operation on the UTM | 281 |
| Configure the ProSafe VPN Client for Mode Config Operation | 288 |
| Test the Mode Config Connection | 295 |
| Modify or Delete a Mode Config Record | 296 |
| Configure Keep-Alives and Dead Peer Detection | 297 |
| Configure Keep-Alives | 297 |
| Configure Dead Peer Detection | 298 |
| Configure NetBIOS Bridging with IPSec VPN | 299 |
| Configure the PPTP Server (UTM9S Only) | 300 |
| View the Active PPTP Users | 302 |
| Configure the L2TP Server (UTM9S Only) | 303 |
| View the Active L2TP Users | 304 |
| 8. Virtual Private Networking Using SSL Connections | 306 |
| SSL VPN Portal Options | 306 |
| Use the SSL VPN Wizard for Client Configurations | 307 |
| SSL VPN Wizard Step 1 of 6 (Portal Settings) | 308 |
| SSL VPN Wizard Step 2 of 6 (Domain Settings) | 310 |
| SSL VPN Wizard Step 3 of 6 (User Settings) | 314 |
| SSL VPN Wizard Step 4 of 6 (Client Addresses and Routes) | 316 |
| SSL VPN Wizard Step 5 of 6 (Port Forwarding) | 317 |
| SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings) | 319 |
| Access the New SSL Portal Login Screen | 320 |
| View the UTM SSL VPN Connection Status | 322 |
| View the UTM SSL VPN Log | 322 |
| Manually Configure and Edit SSL Connections | 323 |
| Create the Portal Layout | 324 |
| Configure Domains, Groups, and Users | 328 |
| Configure Applications for Port Forwarding | 328 |
| Configure the SSL VPN Client | 331 |
| Use Network Resource Objects to Simplify Policies | 334 |
| Configure User, Group, and Global Policies | 336 |
| 9. Managing Users, Authentication, and VPN Certificates | 343 |
| Authentication Process and Options | 343 |
| Configure Authentication Domains, Groups, and Users | 345 |
| Login Portals | 345 |
| Active Directories and LDAP Configurations | 349 |
| Configure Domains | 353 |
| Configure Groups | 359 |
| Configure User Accounts | 362 |
| Set User Login Policies | 365 |
| Change Passwords and Other User Settings | 369 |
| DC Agent | 370 |
| Configure RADIUS VLANs | 376 |
| Configure Global User Settings | 377 |
| View and Log Out Active Users | 378 |
| Manage Digital Certificates for VPN Connections | 381 |
| VPN Certificates Screen | 382 |
| Manage CA Certificates | 382 |
| Manage Self-Signed Certificates | 384 |
| Manage the Certificate Revocation List | 388 |
| 10. Network and System Management | 389 |
| Performance Management | 389 |
| Bandwidth Capacity | 389 |
| Features That Reduce Traffic | 390 |
| Features That Increase Traffic | 393 |
| Use QoS and Bandwidth Assignments to Shift the Traffic Mix | 396 |
| Monitoring Tools for Traffic Management | 396 |
| System Management | 397 |
| Change Passwords and Administrator and Guest Settings | 397 |
| Configure Remote Management Access | 399 |
| Use a Simple Network Management Protocol Manager | 401 |
| Manage the Configuration File | 403 |
| Update the Firmware | 405 |
| Update the Scan Signatures and Scan Engine Firmware | 410 |
| Configure Date and Time Service | 412 |
| Connect to a ReadyNAS and Configure Quarantine Settings (UTM9S Only) | 414 |
| Log Storage | 414 |
| Connect to a ReadyNAS | 415 |
| Configure the Quarantine Settings | 416 |
| 11. Monitoring System Access and Performance | 418 |
| Enable the WAN Traffic Meter | 419 |
| Configure Logging, Alerts, and Event Notifications | 422 |
| Configure the Email Notification Server | 422 |
| Configure and Activate System, Email, and Syslog Logs | 423 |
| How to Send Syslogs over a VPN Tunnel between Sites | 427 |
| Configure and Activate Update Failure and Attack Alerts | 429 |
| Configure and Activate Firewall Logs | 432 |
| Monitor Real-Time Traffic, Security, and Statistics | 433 |
| View Status Screens | 439 |
| View the System Status | 439 |
| View the Active VPN Users | 451 |
| View the VPN Tunnel Connection Status | 452 |
| View the PPTP and L2TP Server Status (UTM9S Only) | 453 |
| View the Port Triggering Status | 454 |
| View the WAN Ports Status | 456 |
| View Attached Devices and the DHCP Log | 457 |
| Query the Logs | 460 |
| Query and Download Logs | 461 |
| Example: Use the Logs to Identify Infected Clients | 466 |
| Log Management | 466 |
| Query the Quarantine Logs (UTM9S Only) | 467 |
| Query the Quarantined Logs | 467 |
| View and Manage the Quarantined Spam Table | 470 |
| View and Manage the Quarantined Infected Files Table | 471 |
| Spam Reports for End Users | 472 |
| View, Schedule, and Generate Reports | 473 |
| Report Filtering Options | 474 |
| Use Report Templates and View Reports Onscreen | 476 |
| Schedule, Email, and Manage Reports | 480 |
| Use Diagnostics Utilities | 482 |
| Use the Network Diagnostic Tools (All UTM Models Except the UTM9S) | 483 |
| Use the Network Diagnostic Tools (UTM9S) | 484 |
| Use the Real-Time Traffic Diagnostics Tool (All UTM Models Except the UTM9S) | 486 |
| Use the Real-Time Traffic Diagnostics Tool (UTM9S) | 487 |
| Gather Important Log Information and Generate a Network Statistics Report (All Models) | 488 |
| 12. Troubleshooting and Using Online Support | 491 |
| Basic Functioning | 492 |
| Power LED Not On | 492 |
| Test LED Never Turns Off | 492 |
| LAN or WAN Port LEDs Not On | 493 |
| Troubleshoot the Web Management Interface | 493 |
| When You Enter a URL or IP Address, a Time-Out Error Occurs | 494 |
| Troubleshoot the ISP Connection | 494 |
| Troubleshoot a TCP/IP Network Using a Ping Utility | 496 |
| Test the LAN Path to Your UTM | 496 |
| Test the Path from Your PC to a Remote Device | 497 |
| Restore the Default Configuration and Password | 498 |
| Problems with Date and Time | 499 |
| Use Online Support | 499 |
| Enable Remote Troubleshooting | 499 |
| Send Suspicious Files to NETGEAR for Analysis | 500 |
| Access the Knowledge Base and Documentation | 501 |
| A. xDSL Module for the UTM9S | 502 |
| xDSL Module Configuration Tasks | 502 |
| Configure the xDSL Settings | 503 |
| Automatically Detecting and Connecting the Internet Connection | 505 |
| Set the UTM's MAC Address | 508 |
| Manually Configure the Internet Connection | 508 |
| Configure the WAN Mode | 512 |
| Configure Network Address Translation | 513 |
| Configure Classical Routing | 514 |
| Configure Auto-Rollover Mode and the Failure Detection Method | 514 |
| Configure Load Balancing and Optional Protocol Binding | 517 |
| Configure Secondary WAN Addresses | 521 |
| Configure Dynamic DNS | 523 |
| Configure Advanced WAN Options | 526 |
| Additional WAN-Related Configuration Tasks | 528 |
| B. Wireless Module for the UTM9S | 529 |
| Overview of the Wireless Module | 529 |
| Configuration Order | 530 |
| Wireless Equipment Placement and Range Guidelines | 530 |
| Configure the Basic Radio Settings | 531 |
| Operating Frequency (Channel) Guidelines | 534 |
| Wireless Data Security Options | 534 |
| Wireless Security Profile | 536 |
| Before You Change the SSID, WEP, and WPA Settings | 537 |
| Configure and Enable Wireless Security Profiles | 538 |
| Configure the Access Point | 542 |
| Restrict Wireless Access by MAC Address | 545 |
| View the Access Point Status and Connected Clients | 546 |
| Configure a Wireless Distribution System | 548 |
| Configure Advanced Radio Settings | 549 |
| Configure Advanced Profile and WMM QoS Priority Settings | 551 |
| Advanced Profile Settings | 551 |
| WMM QoS Priority Settings | 553 |
| Test Basic Wireless Connectivity | 554 |
| C. Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) | 556 |
| What to Consider Before You Begin | 556 |
| Cabling and Computer Hardware Requirements | 557 |
| Computer Network Configuration Requirements | 558 |
| Internet Configuration Requirements | 558 |
| Overview of the Planning Process | 560 |
| Inbound Traffic | 561 |
| Inbound Traffic to a Single WAN Port System | 562 |
| Inbound Traffic to a Dual WAN Port System | 562 |
| Virtual Private Networks | 563 |
| VPN Road Warrior (Client-to-Gateway) | 564 |
| VPN Gateway-to-Gateway | 567 |
| VPN Telecommuter (Client-to-Gateway through a NAT Router) | 569 |
| D. ReadyNAS Integration | 572 |
| Supported ReadyNAS Models | 572 |
| Install the UTM9S Add-On on the ReadyNAS | 573 |
| Connect to the ReadyNAS on the UTM9S | 575 |
| E. Two-Factor Authentication | 578 |
| Why Do I Need Two-Factor Authentication? | 578 |
| What Are the Benefits of Two-Factor Authentication? | 578 |
| What Is Two-Factor Authentication? | 579 |
| NETGEAR Two-Factor Authentication Solutions | 579 |
| F. System Logs and Error Messages | 582 |
| System Log Messages | 583 |
| System Startup | 583 |
| Reboot | 583 |
| Service Logs | 583 |
| NTP | 584 |
| Login/Logout | 584 |
| Firewall Restart | 585 |
| IPSec Restart | 585 |
| WAN Status | 585 |
| Traffic Metering Logs | 589 |
| Unicast, Multicast, and Broadcast Logs | 589 |
| Invalid Packet Logging | 590 |
| Content-Filtering and Security Logs | 592 |
| Web Filtering and Content-Filtering Logs | 592 |
| Spam Logs | 594 |
| Traffic Logs | 595 |
| Virus Logs | 595 |
| Email Filter Logs | 595 |
| IPS Logs | 596 |
| Port Scan Logs | 596 |
| Application Logs | 596 |
| Routing Logs | 597 |
| LAN-to-WAN Logs | 597 |
| LAN-to-DMZ Logs | 597 |
| DMZ-to-WAN Logs | 597 |
| WAN-to-LAN Logs | 598 |
| DMZ-to-LAN Logs | 598 |
| WAN-to-DMZ Logs | 598 |
| G. Default Settings and Technical Specifications | 599 |
| Default Settings | 599 |
| Physical and Technical Specifications | 601 |
| H. Notification of Compliance (Wired) | 605 |
| I. Notification of Compliance (Wireless) | 609 |