NETGEAR, Inc. Technical Support Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.
Contents (excerpt)
Chapter 1 Introduction
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? ... 9
Key Features and Capabilities ... 10
Quad-WAN Ports for Increased Reliability and Outbound Load Balancing
Configure Advanced WAN Options ... 51
Additional WAN-Related Configuration Tasks
Test the Connection and View Connection and Status Information ... 155
Test the NETGEAR VPN Client Connection ... 155
NETGEAR VPN Client Status and Log Information
Edit Network Resources to Specify Addresses ... 209
Configure User, Group, and Global Policies ... 210
View Policies
View the WAN Port Connection Status ... 285
View the Attached Devices and DHCP Log ... 287
Use the Diagnostics Utilities
What Is Two-Factor Authentication ... 342
NETGEAR Two-Factor Authentication Solutions ... 342
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through up to four external broadband access devices such as cable modems or DSL modems.
• Advanced IPSec VPN and SSL VPN support, with support for up to 125 concurrent IPSec VPN tunnels and up to 50 concurrent SSL VPN tunnels.
• Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
•...
...VPN client software on the remote computer.
• IPSec VPN with broad protocol support for secure connection to other IPSec gateways and clients.
• Supports 125 concurrent IPSec VPN tunnels.

Security Features
The VPN firewall is equipped with several features designed to maintain security:
• PCs hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall:
• Flash memory for firmware upgrades.

• Application Notes and other helpful information
• ProSafe VPN Client software (VPN01L)
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.
Figure 1. Front panel LED labels: DMZ LED, Left WAN LEDs, Power LED, Left LAN LEDs, Internet LEDs, Right LAN LEDs, Right WAN LEDs, Test LED.

Table 1. LED descriptions
LED, Activity: Description
Power, On (green): Power is supplied to the VPN firewall.
WAN Ports Left LED, On (green): The WAN port has a valid connection with a device that provides an Internet connection.
WAN Ports Left LED, Blinking (green): Data is being transmitted or received by the WAN port.

Bottom Panel with Product Label
The product label on the bottom of the VPN firewall’s enclosure displays factory default settings, regulatory compliance, and other information.
Figure 3.

Choose a Location for the VPN Firewall
The VPN firewall is suitable for use in an office environment where it can be free-standing (on its runner feet) or mounted into a standard 19-inch equipment rack.

Using the Rack-Mounting Kit
Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the mounting brackets using the hardware that is supplied with the mounting kit.

Connect the VPN firewall physically to your network. Connect the cables and restart your network according to the instructions in the installation guide. See the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://support.netgear.com/app/products/model/a_id/13568.

Connecting the VPN Firewall to the Internet
To connect and log in to the VPN firewall:
Start any of the qualified web browsers, as explained in Qualified Web Browsers on page 20.
Enter https://192.168.1.1 in the address field. The NETGEAR Configuration Manager Login screen displays in the browser.
Note: The VPN firewall factory default IP address is 192.168.1.1. If you change the IP address, you need to use the IP address that you assigned to the VPN firewall to log in to the VPN firewall.

Figure 6.
Note: After 10 minutes of inactivity (the default login time-out), you are automatically logged out.

Web Management Interface Menu Layout
The following figure shows the menu at the top of the web management interface.
Figure 7. Menu levels:
• 1st Level: Main Navigation menu link (orange)
• 2nd Level: Configuration menu link (gray)
• 3rd Level: Submenu tab (blue)
• Option arrow: Additional screen for submenu item
• Auto Detect. Enable the VPN firewall to detect the configuration automatically and suggest values for the configuration.
• Next. Go to the next screen (for wizards).
• Back. Go to the previous screen (for wizards).

Automatically Detecting and Connecting
To automatically configure the WAN ports for connection to the Internet:
Select Network Configuration > WAN Settings. The WAN screen displays (Figure 10). The WAN Settings table displays the following fields:
•...
Figure 11.
Click the Auto Detect button at the bottom of the screen. The auto detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.

Table 2. Internet connection methods
Connection method: Manual data input required
DHCP (Dynamic IP): No data is required.
PPPoE: Login, Password, Account Name, Domain Name
PPTP: Login, Password, Account Name, My IP Address, and Server IP Address.

Note: For more information about the WAN Connection Status screen, see View the WAN Port Connection Status on page 285.
Repeat step 3 and step 4 for the other WAN interfaces that you want to configure.
In the ISP Login section, select one of the following options:
• If your ISP requires an initial login to establish an Internet connection, select Yes. (The default is No.)
• If a login is not required, select No and ignore the Login and Password fields.

Table 3. PPTP and PPPoE settings (continued)
Setting: Description
Austria (PPTP) (continued), Server IP Address: The IP address of the PPTP server.
Other (PPPoE): If you have installed login software, then your connection type is PPPoE. Select this radio...

Table 4. Internet IP address settings
Setting: Description
Get Dynamically from ISP: If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the VPN firewall using the DHCP network protocol.

Click Test to evaluate your entries. The VPN firewall attempts to make a connection according to the settings that you entered.
Click Apply to save any changes to the WAN ISP settings. (Or click Reset to discard any changes and revert to the previous settings.)

Configure Network Address Translation
Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a single IP address.

Configure the Auto-Rollover Mode and Failure Detection Method
To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this mode and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.
In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Primary WAN Mode radio button.
b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface.

Table 6. Failure detection method settings
Setting: Description
Failure Detection Method: Select a failure detection method from the drop-down list:
• WAN DNS. DNS queries are sent to the DNS server that is configured in the...

...routes all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All outbound FTP traffic is routed through the WAN2 port. Protocol binding addresses two issues:
• Segregation of traffic between links that are not of the same speed.

...then a new FTP session could start on the WAN2 interface, and then any new connection to the Internet could be made on the WAN3 interface. This load-balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions.

Figure 21.
Configure the protocol binding settings as explained in the following table:
Table 7. Add Protocol Binding screen settings
Setting: Description
Service: From the drop-down list, select a service or application to be covered by this rule. If the...
Destination Network: The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the drop-down list:
• All Internet IP address.

Configure Secondary WAN Addresses
You can set up a single WAN Ethernet port to be accessed through multiple IP addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a web server and an FTP server, even though both servers use the same physical IP address.
Click the Secondary Addresses option arrow in the upper right of the screen. The WAN Secondary Addresses screen displays for the WAN interface that you selected. (The following figure shows the WAN1 Secondary Addresses screen as an example and includes one entry in the List of Secondary WAN Addresses table.)
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently; hence, the...

Figure 23.
Click the Information option arrow in the upper right of a DNS screen for registration information.

Figure 24.
Access the website of the DDNS service provider and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
Configure the DDNS service settings as explained in the following table:
Table 8.

Configure WAN QoS Profiles
The VPN firewall can support multiple quality of service (QoS) profiles for each WAN interface. You can assign profiles to services such as HTTP, FTP, and DNS and to LAN groups or IP addresses.

Figure 25.
To enable QoS, select the Yes radio button. By default, the No radio button is selected.
Specify the profile type that should be active by selecting one of the following radio buttons.

Figure 26.
Enter the settings as explained in the following table:
Table 9. Add QoS screen settings for a rate control profile
Setting: Description
QoS Type: Rate Control (for Priority, see Figure 27...
Congestion Priority: From the drop-down list, select the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall:
•...

To add a priority QoS profile:
Select Network Configuration > QoS. The QoS screen displays.
Under the List of QoS Profiles table, click the Add table button. The Add QoS screen displays.

Table 10. Add QoS screen settings for a priority profile (continued)
Setting: Description
Priority: From the drop-down list, select the priority queue that determines the allocation of bandwidth:
• Low. All services that are assigned a low priority queue share 10 percent of interface bandwidth.

Note: You can also configure the failure detection method for the auto-rollover mode on the Advanced screen. This procedure is discussed in Configure the Failure Detection Method on page 35.
To configure advanced WAN options:
Select Network Configuration >...

Enter the settings as explained in the following table:
Table 11. WAN Advanced Options screen settings
Setting: Description
MTU Size: Make one of the following selections:
Default: Select the Default radio button for the normal maximum transmit unit (MTU) value.
If you want the ability to manage the VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 250). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator Settings on page 248).
•...

LAN Configuration
This chapter describes how to configure the advanced LAN features of your VPN firewall. This chapter contains the following sections:
• Manage Virtual LANs and DHCP Options
• Configure Multi-Home LAN IP Addresses on the Default VLAN
• Manage Groups and Hosts (LAN Groups)
•...

• They are easy to manage. The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from a management interface rather than from the wiring closet.

...LAN port are forwarded to the default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are untagged.

Assign and Manage VLAN Profiles
To assign VLAN profiles to the LAN ports and manage VLAN profiles:
Select Network Configuration >...

Note: For information about how to add and edit a VLAN profile, including its DHCP options, see Configure a VLAN Profile on page 59.

VLAN DHCP Options
For each VLAN, you need to specify the Dynamic Host Configuration Protocol (DHCP) options.

DNS Proxy
When the DNS Proxy option is enabled for a VLAN, the VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers (as configured on the WAN ISP Settings screens).

Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table.

Enter the settings as explained in the following table:
Table 12. Edit VLAN Profile screen settings
Setting: Description
VLAN Profile
Profile Name: Enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN.
Enable DHCP Server: Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.

• ou (for organizational unit)
• o (for organization)
• c (for country)
• dc (for domain)
For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net
Port: The port number for the LDAP server. The default setting is 0 (zero).

Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change...

To configure a VLAN to have a unique MAC address:
Select Network Configuration > LAN Settings. The LAN submenu tabs display, with the LAN Setup screen in view (see Figure 30 on page 59).

It is important that you ensure that any secondary LAN addresses are different from the primary LAN, WAN, and DMZ IP addresses and subnet addresses that are already configured on the VPN firewall. The following is an example of correctly configured IP addresses:
WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0...
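The overlap rule above (a secondary LAN address must not fall inside any subnet already used by the primary LAN, WAN, or DMZ interfaces) can be checked before an address is entered in the firewall. The following Python script is an added example, not NETGEAR code: it takes the WAN1 address from the manual's example and the 192.168.1.1/24 LAN factory default, adds a constructed DMZ address (172.16.2.1/24) as a placeholder, and reports, for each proposed secondary address, which existing subnets it would collide with. Candidates are checked in order and each accepted one is added to the set, so secondary addresses are also checked against each other, which goes slightly beyond the single example in the text.

```python
import ipaddress

# Interfaces already configured on the firewall. The WAN1 address comes from
# the manual's example and 192.168.1.1/24 is the LAN factory default; the DMZ
# entry is a constructed sample value used only for this demonstration.
EXISTING_INTERFACES = {
    "WAN1": ("10.0.0.1", "255.0.0.0"),
    "LAN":  ("192.168.1.1", "255.255.255.0"),
    "DMZ":  ("172.16.2.1", "255.255.255.0"),   # constructed
}


def interface_network(address, mask):
    """Subnet that an interface address/mask pair belongs to."""
    # strict=False lets us pass a host address (e.g. 10.0.0.1/255.0.0.0)
    # and get the containing network (10.0.0.0/8) back.
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def find_conflicts(address, mask, existing):
    """Names of interfaces whose subnet overlaps the candidate subnet.

    Two subnets overlap when one contains the other; that is the situation
    the manual warns against, because the firewall could then not route
    unambiguously between the two networks.
    """
    candidate = interface_network(address, mask)
    return [name for name, (addr, msk) in existing.items()
            if candidate.overlaps(interface_network(addr, msk))]


def validate_secondary_addresses(candidates, existing=EXISTING_INTERFACES):
    """Check a list of proposed (address, mask) secondary LAN entries.

    Each candidate is checked against the fixed interfaces and against every
    candidate accepted before it. Returns {"<addr>/<mask>": [conflicts]};
    an empty list means the address is safe to add.
    """
    known = dict(existing)
    report = {}
    for addr, mask in candidates:
        key = f"{addr}/{mask}"
        conflicts = find_conflicts(addr, mask, known)
        report[key] = conflicts
        if not conflicts:
            known[f"Secondary {key}"] = (addr, mask)
    return report


if __name__ == "__main__":
    proposed = [
        ("192.168.2.1", "255.255.255.0"),    # fine: new subnet
        ("10.1.2.3", "255.255.255.0"),       # inside WAN1's 10.0.0.0/8
        ("192.168.1.200", "255.255.255.0"),  # inside the primary LAN subnet
        ("192.168.2.50", "255.255.255.0"),   # collides with the first candidate
    ]
    for key, conflicts in validate_secondary_addresses(proposed).items():
        print(key, "OK" if not conflicts else f"conflicts with {conflicts}")
```

The check is deliberately done on subnets rather than on bare addresses: 10.1.2.3/24 shares no address with WAN1 (10.0.0.1), yet it lies entirely inside WAN1's 10.0.0.0/8 and is therefore rejected, which is the case a simple equality test would miss.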
To edit a secondary LAN IP address:
On the LAN Multi-homing screen (see the previous screen), click the Edit button in the Action column for the secondary IP address that you want to modify. The Edit Secondary LAN IP Address screen displays.

• There is no need to reserve an IP address for a PC in the DHCP server. All IP address assignments made by the DHCP server are maintained until the PC or device is removed from the network database, either by expiration (inactive for a long time) or by you.

The Known PCs and Devices table lists the entries in the network database. For each PC or device, the following fields are displayed:
• Check box. Allows you to select the PC or device in the table.

Table 13. Known PCs and devices settings (continued)
Setting: Description
MAC Address: Enter the MAC address of the PC or device’s network interface. The MAC address format is six colon-separated pairs of hexadecimal characters (0–9 and A–F), such as 01:23:45:67:89:AB.

Deleting PCs or Devices from the Network Database
To delete one or more PCs or devices from the network database:
On the LAN Groups screen (see Figure 34 on page 68), select the check box to the left of the PC or device that you want to delete, or click the Select All table button to select all PCs and devices.

Set Up Address Reservation
When you specify a reserved IP address for a PC or device on the LAN (based on the MAC address of the device), that PC or device always receives the same IP address each time it accesses the VPN firewall’s DHCP server.

To enable and configure the DMZ port:
Select Network Configuration > DMZ Setup. The DMZ Setup screen displays (Figure 37).
Enter the settings as explained in the following table:
Table 14. DMZ Setup screen settings
Setting: Description
DHCP
Disable DHCP Server: If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server.
Note: The VPN firewall automatically sets up routes between VLANs and secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configure Multi-Home LAN IP Addresses on the Default VLAN on page 65).

Enter the settings as explained in the following table:
Table 15. Add Static Route screen settings
Setting: Description
Route Name: The route name for the static route (for purposes of identification and management).

Configure Routing Information Protocol
Routing Information Protocol (RIP), RFC 2453, is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information automatically with other routers, to dynamically adjust its routing tables, and to adapt to changes in the network.

Enter the settings as explained in the following table:
Table 16. RIP Configuration screen settings
Setting: Description
RIP Direction: From the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP packets:
•...
Authentication for RIP-2B/2M required?
Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.

Firewall Protection
This chapter describes how to use the firewall features of the VPN firewall to protect your network. This chapter contains the following sections:
• About Firewall Protection
• Use Rules to Block or Allow Specific Kinds of Traffic
•...

Administrator Tips
Consider the following operational items:
As an option, you can enable remote management if you have to manage distant sites from a central location (see Configure VPN Authentication Domains, Groups, and Users...

Table 17. Number of supported firewall rule configurations (continued)
Traffic rule: Maximum number of outbound rules | Maximum number of inbound rules | Maximum number of supported rules
LAN DMZ:
Maximum Number of Supported Rules
The maximum number of supported outbound rules is 300, and the maximum number of supported inbound rules is 300.

WARNING! Allowing inbound services opens security holes in your VPN firewall. Enable only those ports that are necessary for your network.
The following table describes the fields that define the rules for outbound traffic and that are...

Table 18. Outbound rules overview (continued)
Setting: Description
LAN Users: The settings that determine which computers on your network are affected by this rule. The options are:
• Any. All PCs and devices on your LAN.
Bandwidth Profile: Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link.

...screen to keep the PC’s IP address constant (see Set Up Address Reservation on page 72).
• Local PCs need to access the local server using the PCs’ local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail.

Table 19. Inbound rules overview
Setting: Description
Service: The service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see...
LAN Users: The settings that determine which computers on your network are affected by this rule. The options are:
• Any. All PCs and devices on your LAN.
The setting that determines whether packets covered by this rule are logged. The options are:
• Always. Always log traffic considered by this rule, whether it matches or not. This is useful when you are debugging your rules.

Figure 41.
Set LAN WAN Rules
The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound).
Figure 42.
Next to Default Outbound Policy, select Block Always from the drop-down list.
Next to the drop-down list, click the Apply table button.
To make changes to an existing outbound or inbound service rule:
In the Action column to the right of the rule, click one of the following table buttons:
•...

LAN WAN Outbound Services Rules
You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.

LAN WAN Inbound Services Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked.

Set DMZ WAN Rules
The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen. The default outbound policy is to allow all traffic from and to the Internet to pass through.

To delete or disable one or more rules:
Select the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.

DMZ WAN Inbound Services Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the DMZ) is allowed.

Set LAN DMZ Rules
The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to allow all traffic between the local LAN and DMZ network.

To delete or disable one or more rules:
Select the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.

LAN DMZ Inbound Services Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the LAN to the DMZ) is allowed.

Inbound Rules Examples
LAN WAN Inbound Rule: Hosting a Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.

Figure 52.
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping
In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the VPN firewall to host an additional public IP address and associate this address with a web server on the LAN.

Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN PCs through NAT.

From the Service drop-down list, select HTTP for a web server.
From the Action drop-down list, select ALLOW Always.
In the Send to LAN Server field, enter the local IP address of your web server PC (192.168.1.2 in this example).

1. Select Any and Allow Always (or Allow by Schedule).
2. Place the rule below all other inbound rules.
Figure 54.

Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other nonessential sites.

Figure 55.
Configure Other Firewall Features
You can configure attack checks, set session limits, and manage the application level gateway (ALG) for Session Initiation Protocol (SIP) sessions.

Attack Checks
The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.

Figure 56.
Enter the settings as explained in the following table:
Table 20. Attack Checks screen settings
Setting: Description
WAN Security Checks
Respond to Ping on Internet Ports: Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet.
LAN Security Checks
Block UDP flood: Select the Block UDP flood check box to prevent the VPN firewall from accepting more than 20 simultaneous, active UDP connections from a single device on the LAN.
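The Block UDP flood check is a per-source cap of 20 simultaneous, active UDP connections. The following Python script is an added example, not NETGEAR's implementation: it models that cap over a constructed active-session table (the tuple layout, the 192.168.1.x LAN hosts and the 192.0.2.0/24 and 198.51.100.0/24 destinations are all made up for this demonstration), reports which LAN hosts are over the limit, and replays the table to show which sessions such a cap would drop. It is useful for checking a session export or connection log against the same threshold the firewall applies.

```python
from collections import defaultdict

# Threshold from the manual: with Block UDP flood enabled the firewall
# accepts at most 20 simultaneous, active UDP connections per LAN device.
UDP_FLOOD_LIMIT = 20

# Constructed sample of an active-session table. Each entry is
# (protocol, source IP, source port, destination IP, destination port).
# 192.168.1.50 makes three DNS lookups; 192.168.1.77 opens 25 UDP sessions
# (over the limit) plus 30 TCP sessions, which the UDP check ignores.
SAMPLE_SESSIONS = (
    [("udp", "192.168.1.50", 40000 + i, "192.0.2.53", 53) for i in range(3)]
    + [("udp", "192.168.1.77", 50000 + i, "198.51.100.10", 6000 + i) for i in range(25)]
    + [("tcp", "192.168.1.77", 51000 + i, "198.51.100.10", 443) for i in range(30)]
)


def udp_sessions_per_source(sessions):
    """Count active UDP sessions per LAN source address (TCP is ignored)."""
    counts = defaultdict(int)
    for proto, src, _sport, _dst, _dport in sessions:
        if proto == "udp":
            counts[src] += 1
    return dict(counts)


def sources_over_limit(sessions, limit=UDP_FLOOD_LIMIT):
    """LAN hosts whose UDP session count exceeds the limit, sorted."""
    return sorted(src for src, n in udp_sessions_per_source(sessions).items()
                  if n > limit)


def apply_udp_flood_check(sessions, limit=UDP_FLOOD_LIMIT):
    """Replay a session table through the per-source UDP cap, in arrival order.

    Returns (accepted, dropped). A UDP session is dropped once its source
    already holds `limit` active UDP sessions; TCP sessions always pass.
    """
    active_udp = defaultdict(int)
    accepted, dropped = [], []
    for session in sessions:
        proto, src = session[0], session[1]
        if proto == "udp":
            if active_udp[src] >= limit:
                dropped.append(session)
                continue
            active_udp[src] += 1
        accepted.append(session)
    return accepted, dropped


if __name__ == "__main__":
    print("UDP sessions per source:", udp_sessions_per_source(SAMPLE_SESSIONS))
    print("over limit:", sources_over_limit(SAMPLE_SESSIONS))
    ok, blocked = apply_udp_flood_check(SAMPLE_SESSIONS)
    print(f"accepted {len(ok)} sessions, dropped {len(blocked)}")
```

Because the cap is applied per source and per protocol, the TCP sessions from 192.168.1.77 are unaffected even though that host is over the UDP limit; only its 21st and later UDP sessions are refused, which is the behaviour the Block UDP flood setting describes.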
Set Session Limits The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IP connection across the VPN firewall. The session limits feature is disabled by default.
Enter the settings as explained in the following table: Table 21. Session Limit screen settings. Session Limit. Session Limit Control: From the drop-down list, select one of the following options: •...
Manage the Application Level Gateway for SIP Sessions The application level gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients.
Add Customized Services Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players’...
In the Add Customer Service section of the screen, enter the settings as explained in the following table: Table 22. Services screen settings. Name: A descriptive name of the service for identification and management purposes.
To delete one or more services: In the Custom Services table, select the check box to the left of the service that you want to disable, or click the Select All table button to select all services.
Figure 62. In the IP Address fields, type an IP address. Click the Add table button to add the IP address to the IP Addresses Grouped table. Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table.
Create Quality of Service (QoS) Profiles A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall. A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule and traffic matching the firewall rule flows through the router.
Figure 63. The screen displays the List of QoS Profiles table with the user-defined profiles. Under the List of QoS Profiles table, click the Add table button. The Add QoS Profile screen displays: Figure 64.
Table 23. Add QoS Profile screen settings (continued). Re-Mark QoS Value (continued): The QoS value in the ToS or Diffserv byte of an IP header. The QoS value that you enter depends on your selection from the QoS drop-down list: •...
For example, when a new connection is established by a device, the device locates the firewall rule corresponding to the connection: • If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel.
Figure 66. Enter the settings as explained in the following table: Table 24. Add Bandwidth Profile screen settings. Profile Name: A descriptive name of the bandwidth profile for identification and management purposes.
Table 24. Add Bandwidth Profile screen settings (continued). Type: From the Type drop-down list, select the type for the bandwidth profile: • Group. The profile applies to all users, that is, all users share the available bandwidth.
Figure 67. In the Scheduled Days section, select one of the following radio buttons: • All Days. The schedule is in effect all days of the week. • Specific Days. The schedule is active only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect.
Content Filtering If you want to restrict internal LAN users from accessing certain sites on the Internet, you can use the VPN firewall’s content filtering and web components filtering features. By default, these features are disabled;...
You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled.
Enter the settings as explained in the following table: Table 25. Block Sites screen settings. Web Components: Select the check boxes of any web components that you wish to block. The web components are...
Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 83. To enable MAC filtering and add MAC addresses to be permitted or blocked: Select Security > Address Filter. The Address Filter submenu tabs display, with the Source MAC Filter screen in view.
To remove one or more entries from the table: Select the check box to the left of the MAC address that you want to delete, or click the Select All table button to select all entries.
Figure 70. Enter the settings as explained in the following table: Table 26. IP/MAC Binding screen settings. Email IP/MAC Violations. Do you want to enable E-mail...: Select one of the following radio buttons: •...
To edit an IP/MAC binding: In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
To add a port triggering rule: Select Security > Port Triggering. The Port Triggering screen displays. (See the following figure, which shows one rule in the Port Triggering Rule table as an example.) Figure 71.
To edit a port triggering rule (for example, to enable the rule): In the Port Triggering Rules table, click the Edit table button to the right of the port triggering rule that you want to edit. The Edit Port Triggering Rule screen displays.
Figure 73. To enable the UPnP feature, select the Yes radio button. (The feature is disabled by default.) To disable the feature, select No. Configure the following fields: Advertisement Period. Enter the period in minutes that specifies how often the VPN firewall should broadcast its UPnP information to all devices within its range.
Virtual Private Networking Using IPSec Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections: •...
Figure 74. WAN Auto-Rollover: FQDN Required for VPN (the same FQDN is required for both WAN ports; the figure shows the WAN 1 and WAN 2 ports, the WAN port rollover control functions, and the rest of the VPN firewall functions).
Configurations You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following section provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following scenarios: • Using the wizard to configure a VPN tunnel between two VPN gateways.
Figure 77. To view the wizard default settings, click the VPN Wizard Default Values option arrow in the upper right of the screen. A popup window appears (see Figure 78 on page 138) displaying the wizard default values.
Figure 78. Complete the settings as explained in the following table: Table 29. IPSec VPN Wizard settings for a gateway-to-gateway tunnel. About VPN Wizard. This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port’s IP address or Internet name appears in the End Point Information section of the screen.
Table 29. IPSec VPN Wizard settings for a gateway-to-gateway tunnel (continued). End Point Information. What is the Remote WAN's IP Address or Internet Name?: Enter the IP address or Internet name (FQDN) of the WAN interface on the remote VPN tunnel endpoint.
Use the VPN Wizard Configure the Gateway for a Client Tunnel on page 141 • Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 143 or Manually Create a Secure Connection Using the NETGEAR VPN Client...
Use the VPN Wizard Configure the Gateway for a Client Tunnel To set up a client-to-gateway VPN tunnel using the VPN Wizard: Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. (The following figure contains some entries as an example.)
Table 30. IPSec VPN Wizard settings for a client-to-gateway tunnel. About VPN Wizard. This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote FQDN (srx_remote.com) and the default local FQDN (srx_local.com) appear in...
255.255.255.0. Router’s WAN IP Address: 10.34.116.22. Use the NETGEAR VPN Client Wizard to Create a Secure Connection The VPN client lets you set up the VPN connection manually (see Manually Create a Secure Connection Using the NETGEAR VPN Client on page 148) or with the integrated Configuration Wizard, which is the easier and preferred method.
Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed. To use the Configuration Wizard to set up a VPN connection between the VPN client and the VPN firewall: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel.
Figure 85. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays. Figure 86. Specify the following VPN tunnel parameters: •...
Figure 87. This screen is a summary screen of the new VPN configuration. Click Finish. Specify the local and remote IDs: a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase).
c. Specify the settings that are explained in the following table. Table 32. VPN client advanced authentication settings. Advanced features. Aggressive Mode: Select this check box to enable aggressive mode as the negotiation mode with the VPN firewall.
Manually Create a Secure Connection Using the NETGEAR VPN Client Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed. To manually configure a VPN connection between the VPN client and the VPN firewall, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Click the Advanced tab in the Authentication pane. The Advanced pane displays. Figure 93.
Table 34. VPN client advanced authentication settings (continued). Local and Remote ID. Local ID: As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration.
Figure 94. Specify the settings that are explained in the following table. Table 35. VPN client IPSec configuration settings. VPN Client address: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the VPN firewall’s LAN;...
Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Global Parameters To specify the global parameters: Click Global Parameters in the left column of the Configuration Panel screen.
Test the Connection and View Connection and Status Information Both the NETGEAR ProSafe VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
Figure 100. NETGEAR VPN Client Status and Log Information To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays.
Figure 101. View the VPN Firewall IPSec VPN Connection Status To review the status of current IPSec VPN tunnels: Select VPN > Connection Status. The VPN Connection Status submenu tabs display, with the IPSec VPN Connection Status screen in view.
Table 36. IPSec VPN Connection Status screen information. Policy Name: The name of the VPN policy that is associated with this SA. Endpoint: The IP address on the remote VPN endpoint.
Manage IPSec VPN Policies After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and IKE policy.
IKE Policies Screen To access the IKE Policies screen: Select VPN > IPSec VPN. The IPSec VPN submenu tabs display, with the IKE Policies screen in view. (The following figure shows some examples.)
Click the Delete table button. To add or edit an IKE policy, see Manually Add or Edit an IKE Policy on this page. Note: You cannot delete or edit an IKE policy for which the VPN policy is active.
Complete the settings as explained in the following table. Table 38. Add IKE Policy screen settings. Mode Config Record. Do you want to use...: Specify whether or not the IKE policy uses a Mode Config record. For information...
Table 38. Add IKE Policy screen settings (continued). Local. Select Local Gateway: From the drop-down list, select one of the four WAN interfaces to function as the local gateway. Identifier Type...
Table 38. Add IKE Policy screen settings (continued). Authentication Method: Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
Table 38. Add IKE Policy screen settings (continued). XAUTH Configuration (continued). Authentication Type: For an Edge Device configuration, from the drop-down list, select one of the following authentication types: • User Database. XAUTH occurs through the VPN firewall’s user database.
In addition, a certification authority (CA) can also be used to perform authentication (see Manage Digital Certificates on page 234). To use a CA, each VPN gateway needs to have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed, and is used by any sender to encrypt data intended for the receiver (the key owner).
Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 40 on page 169. Table 39. VPN Policies screen information Item...
Manually Add or Edit a VPN Policy To manually add a VPN policy: Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 166).
Complete the settings as explained in the following table: Table 40. Add New VPN Policy screen settings. General. Policy Name: A descriptive name of the VPN policy for identification and management purposes.
Table 40. Add New VPN Policy screen settings (continued). Traffic Selection. Local IP: From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall: •...
Table 40. Add New VPN Policy screen settings (continued). SPI-Outgoing: The Security Parameters Index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters (for example: 0x1234).
Table 40. Add New VPN Policy screen settings (continued). PFS Key Group: Select this check box to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength of the algorithm in bits.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first checks the local user database for the user credentials. If the user account is not present, the VPN firewall then connects to a RADIUS server.
Table 41. Extended authentication settings (continued). Authentication Type: For an Edge Device configuration, from the drop-down list, select one of the following authentication types: • User Database. XAUTH occurs through the VPN firewall’s user database. You...
Figure 108. Complete the settings as explained in the following table: Table 42. RADIUS Client screen settings. Primary RADIUS Server: Select the Yes radio button to enable and configure the primary RADIUS server, and then enter the settings for the three fields to the right.
Table 42. RADIUS Client screen settings (continued). Backup Server IP Address: The IP address of the backup RADIUS server. Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the backup RADIUS server.
Note: After configuring a Mode Config record, you need to manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record drop-down list (see Configure Mode Config Operation on the VPN Firewall on page 177).
Figure 110. Complete the settings as explained in the following table: Table 43. Add Mode Config Record screen settings. Client Pool. Record Name: A descriptive name of the Mode Config record for identification and management purposes.
Table 43. Add Mode Config Record screen settings (continued). DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.
Figure 111. On the Add IKE Policy screen, complete the settings as explained in the following table.
Note: The settings that are explained in the following table are specifically for a Mode Config configuration. Table 38 on page 162 explains the general IKE policy settings. Table 44. Add IKE Policy screen settings for a Mode Config configuration...
The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying needs to occur. The default is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
Table 44. Add IKE Policy screen settings for a Mode Config configuration (continued). Extended Authentication. XAUTH Configuration: Select one of the following radio buttons to specify whether or not Extended...
Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
Figure 113. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane.
Specify the settings that are explained in the following table. Table 45. VPN client authentication settings (Mode Config). Interface: Select Any from the drop-down list. Remote Gateway: Enter the remote IP address or DNS name of the VPN firewall. For example, enter 10.34.116.22.
Specify the settings that are explained in the following table. Table 46. VPN client advanced authentication settings (Mode Config). Advanced features. Mode Config: Select this check box to enable Mode Config.
The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected by default. Figure 116. Specify the settings that are explained in the following table. Table 47. VPN client IPSec configuration settings (Mode Config)
Table 47. VPN client IPSec configuration settings (Mode Config) (continued). Encryption: Select 3DES as the encryption algorithm from the drop-down list. Authentication: Select SHA-1 as the authentication algorithm from the drop-down list.
Specify the following default lifetimes in seconds to match the configuration on the VPN firewall: • Authentication (IKE), Default. Enter 3600 seconds. • Encryption (IPSec), Default. Enter 3600 seconds. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the VPN firewall: •...
Figure 120. From the client PC, ping a computer on the VPN firewall LAN. Modify or Delete a Mode Config Record To edit a Mode Config record: On the Mode Config screen (see...
Configure Keep-alives The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keep-alive feature on a configured VPN policy: Select VPN >...
Table 48. Keep-alive settings (continued). Enable Keepalive (continued). Detection Period: The period in seconds between the keep-alive requests. The default setting is 10 seconds. Reconnect after: The maximum number of keep-alive requests before the...
In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: Table 49. Dead Peer Detection settings. IKE SA Parameters. Enable Dead Peer Detection: Select the Yes radio button to enable DPD.
Figure 123. Select the Enable NetBIOS check box. Click Apply to save your settings.
Virtual Private Networking Using SSL Connections The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
The SSL VPN client provides a point-to-point (PPP) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s PC. The VPN firewall assigns the PC an IP address and DNS server IP addresses, allowing the remote PC to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure.
Because you need to assign a group when creating an SSL VPN user account, the user account is created after you have created the group. For port forwarding, define the servers and services...
Note: The VPN firewall’s default portal address is https://<IP_Address>/portal/SSL-VPN. The default domain geardomain is attached to the SSL-VPN portal. You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options.
Figure 125. Complete the settings as explained in the following table: Table 50. Add Portal Layout screen settings. Portal Layout and Theme Name. Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL.
Table 50. Add Portal Layout screen settings (continued). Banner Message: The text of a banner message that users see before they log in to the portal, for example, In case of login difficulty, call 123-456-7890. Enter a plain text message or include HTML and JavaScript tags.
To delete one or more portal layouts: On the Portal Layouts screen (see Figure 124 on page 199), select the check box to the left of the portal layout that you want to delete, or click the Select All table button to select all layouts.
Figure 126. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to.
Table 51. Port-forwarding applications/TCP port numbers (continued). Terminal Services: 3389. VNC (virtual network computing): 5900 or 5800. a. Users can specify the port number together with the host name or IP address.
To delete a name from the List of Configured Host Names for Port Forwarding table, select the check box to the left of the name that you want to delete, and then click the Delete table button in the Action column.
Figure 127. Complete the settings as explained in the following table: Table 52. SSL VPN client IP address range settings. Client IP Address Range. Enable Full Tunnel Support: Select this check box to enable full tunnel support. If you leave this check...
Table 52. SSL VPN client IP address range settings (continued). Client Address Range Begin: The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.
Port Forwarding. The resource applies only to port forwarding. All. The resource applies both to a VPN tunnel and to port forwarding. Click the Add table button. The new resource is added to the List of Resources table.
Table 53. Edit Resources screen settings (continued). Object Type: From the drop-down list, select one of the following options: • IP Address. The object is an IP address. You need to enter the IP address or the FQDN in the IP Address / Name field.
Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration: •...
Figure 130. Make your selection from the following Query options: • Click Global to view all global policies. • Click Group to view group policies, and choose the relevant group’s name from the drop-down list.
Figure 131. Complete the settings as explained in the following table: Table 54. Add SSL VPN Policy screen settings. Policy For: Select one of the following radio buttons to specify the type of SSL VPN policy: •...
Table 54. Add SSL VPN Policy screen settings (continued). Add SSL VPN Policies. Apply Policy For: Select one of the following radio buttons to specify how the policy is applied: •...
Table 54. Add SSL VPN Policy screen settings (continued). Apply Policy For (continued). IP Network. Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
Note: If you have configured SSL VPN user policies, ensure that HTTPS remote management is enabled (see Configure Remote Management Access on page 250). If HTTPS remote management is not enabled, all SSL VPN user connections are disabled.
Figure 132. Enter a user name and password that are associated with the SSL portal and the domain (see Configure VPN Authentication Domains, Groups, and Users on page 219). Click Login. The default User Portal screen displays: Figure 133.
• Change Password. Allows the user to change their password. • Support. Provides access to the NETGEAR website. View the SSL VPN Connection Status and SSL VPN Logs To review the status of current SSL VPN tunnels: Select VPN >...
Managing Users, Authentication, and Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections: • Configure VPN Authentication Domains, Groups, and Users • Manage Digital Certificates Configure VPN Authentication Domains, Groups, and Users Users are assigned to a group, and a group is assigned to a domain.
determines the network resources to which the associated users have access. The default domain of the VPN firewall is named geardomain. You cannot delete the default domain. The following table summarizes the authentication protocols and methods that the VPN firewall supports: Table 55.
Figure 136. The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The default domain name (geardomain) is appended by an asterisk.
Enter the settings as explained in the following table: Table 56. Add Domain screen settings Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Authentication Type From the drop-down list, select the authentication method that the VPN firewall applies to the domain.
Click Apply to save your settings. The domain is added to the List of Domains table. If you use local authentication, make sure that it is not disabled: Select the No radio button...
Configure Groups for VPN Policies The use of groups simplifies the configuration of VPN policies when different sets of users have different restrictions and access controls. Like the default domain of the VPN firewall, the default group is also named geardomain.
Figure 138. The List of Groups table displays the VPN groups with the following fields: • Check box. Allows you to select the group in the table. • Name. The name of the group. If the group name is appended by an asterisk, the group was created automatically when you created the domain of the same name.
default group; you can only delete the domain that has the same name as the default group (see Configure Domains on page 219), which causes the default group to be deleted. Click the Delete table button.
• SSL VPN User. User who can only log in to the SSL VPN portal. • IPSEC VPN User. User who can only make an IPSec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 172).
To delete one or more user accounts: In the List of Users table, select the check box to the left of the user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete a default user account.
Note: For security reasons, the Deny Login from WAN Interface check box is selected by default for guests and administrators. The Disable Login check box is disabled (masked out) for administrators. Leave Deny Login from WAN Interface selected for the admin account unless you need remote management, and then restrict the allowed source addresses as described in Configure Remote Management Access. Click Apply to save your settings.
In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table: Table 59. Defined addresses settings...
Figure 144. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table. The browser type is taken from the User-Agent string that the client sends, which any client can set to an arbitrary value, so use this list to steer users toward supported browsers rather than as a security boundary.
Table 60. Edit User screen settings (continued) Setting Description Check to Edit Password Select this check box to make the password fields accessible to modify the password. Enter Your Password Enter the old password.
The VPN firewall contains a self-signed certificate from NETGEAR. This certificate can be downloaded from the VPN firewall login screen for browser import. However, NETGEAR recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA prior to deploying the VPN firewall in your network.
Manage CA Certificates To view and upload trusted certificates: Select VPN > Certificates. The Certificates screen displays. The following figure shows the top section of the screen with the trusted certificate information and one example certificate in the Trusted Certificates (CA Certificate) table.
Manage Self-Signed Certificates Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed certificate triggers a warning from most browsers because it does not chain to a CA that the browser trusts: the browser cannot verify the identity of the server, so users who click through the warning get no protection against an attacker impersonating the VPN firewall.
Figure 148. Certificates, screen 2 of 3 In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table: Table 61. Generate self-certificate request settings...
Table 61. Generate self-certificate request settings (continued) Setting Description Signature Key Length From the drop-down list, select one of the following signature key lengths in bits: • 512 • 1024 • 2048... Select 2048. The 512-bit and 1024-bit options remain only for compatibility with old software: public CAs no longer issue certificates for RSA keys shorter than 2048 bits, a 512-bit RSA modulus can be factored in a few hours on rented cloud hardware, and 1024-bit RSA is deprecated.
c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”). d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA.
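Before you paste the request into the CA's form (step c above), it is worth confirming that the request really carries a 2048-bit key, because the CA will reject anything shorter and the drop-down in Table 61 still offers 512 and 1024. The following script is an added example for this section, not NETGEAR code: it reads a PEM certificate request (or an issued certificate) with only the Python standard library, walks the DER structure to the rsaEncryption SubjectPublicKeyInfo, and measures the modulus. The request it builds for itself is constructed test input with a dummy modulus and a placeholder signature, not a real key, and `vpn.example.com` is an assumed name.

```python
"""Check the RSA key length in a PEM certificate request (or certificate) before
submitting it to a CA. Added example for the SRX5308 manual section on certificate
requests; not NETGEAR code. Standard library only: a minimal DER walker finds the
rsaEncryption SubjectPublicKeyInfo and measures the modulus. The CSR built at the
bottom is constructed test input (dummy modulus, placeholder signature)."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 (placeholder sigalg)
CN_OID = bytes.fromhex("550403")                      # 2.5.4.3 commonName
MIN_BITS = 2048                                       # what public CAs and browsers accept today


def der_tlv(buf, pos=0):
    """Decode one definite-length DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(der):
    """Return the modulus size in bits of the first rsaEncryption SubjectPublicKeyInfo, else None."""
    for tag, val in der_children(der):
        if not tag & 0x20:                            # primitive element: nothing to descend into
            continue
        kids = der_children(val)
        if tag == 0x30 and len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
            alg = der_children(kids[0][1])
            if alg and alg[0][0] == 0x06 and alg[0][1] == RSA_OID:
                # BIT STRING content: one unused-bits byte, then RSAPublicKey ::= SEQUENCE { n, e }
                rsa_pub = der_children(der_children(kids[1][1][1:])[0][1])
                return int.from_bytes(rsa_pub[0][1], "big").bit_length()
        found = rsa_modulus_bits(val)
        if found:
            return found
    return None


def pem_to_der(pem):
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))


def check_request(pem, minimum=MIN_BITS):
    """Return (ok, reason) for a PEM-encoded CSR or certificate."""
    bits = rsa_modulus_bits(pem_to_der(pem))
    if bits is None:
        return False, "no RSA public key found"
    if bits < minimum:
        return False, f"RSA key is {bits} bits; regenerate the request with at least {minimum}"
    return True, f"RSA key is {bits} bits"


# --- constructed test input: a syntactically valid PKCS#10 request with a dummy modulus ---
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        head = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([tag, 0x80 | len(lb)]) + lb
    return head + content


def der_int(n):
    """DER INTEGER; the extra byte keeps the sign bit clear (positive number)."""
    return der_encode(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_demo_csr(modulus_bits, cn=b"vpn.example.com"):
    """Build an UNSIGNED demo CSR whose modulus has exactly modulus_bits bits (not a real key)."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_pub = der_encode(0x30, der_int(modulus) + der_int(65537))
    alg_id = der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
    spki = der_encode(0x30, alg_id + der_encode(0x03, b"\x00" + rsa_pub))
    rdn = der_encode(0x31, der_encode(0x30, der_encode(0x06, CN_OID) + der_encode(0x0C, cn)))
    info = der_encode(0x30, der_int(0) + der_encode(0x30, rdn) + spki + der_encode(0xA0, b""))
    sig_alg = der_encode(0x30, der_encode(0x06, SHA256_RSA_OID) + der_encode(0x05, b""))
    csr = der_encode(0x30, info + sig_alg + der_encode(0x03, b"\x00" * 33))  # placeholder signature
    b64 = base64.b64encode(csr).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, check_request(build_demo_csr(bits)))
```

Run `check_request()` on the text file you saved from the VPN firewall; a result of `(False, ...)` means go back to Table 61, pick 2048, and generate a fresh request. On a host with OpenSSL installed, `openssl req -noout -text -in request.csr` prints the same key size in its `Public-Key` line. The same walker works on the certificate the CA returns, so you can verify the issued certificate before uploading it.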
Manage the Certificate Revocation List A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date: a certificate that the CA revoked after your last CRL upload (for example, one issued to a laptop that was later lost) is still accepted by the VPN firewall until the newer CRL is loaded.
Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall. This chapter contains the following sections: • Performance Management • System Management Performance Management Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through when there is a bottleneck and either reducing unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks...
Using four WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but there is no dedicated backup port in case one of the WAN ports fails. When such a failure occurs, the traffic that would have been sent on the failed WAN port is diverted to another WAN port that is still working, thus increasing its load.
on the Services screen (see Services-Based Rules on page 83 and Add Customized Services on page 112). • LAN users. You can specify which computers on your network are affected by an outbound rule.
Source MAC Filtering If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. A MAC address is set by the sending host and can be changed by its user, so this feature manages traffic from cooperating hosts; it does not stop a user who deliberately changes the MAC address of a PC.
When you define inbound firewall rules, you can further refine their application according to the following criteria: • Services. You can specify the services or applications to be covered by an inbound rule.
request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules, and most likely would be blocked.
The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.
To modify the administrator user account settings, including the password: Select Users > Users. The Users screen displays. The following figure shows the VPN firewall’s default users—admin and guest—and, as an example, one other user in the List of Users table.
IP address and default password. Because a malicious WAN user can reconfigure the VPN firewall and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before...
To configure the VPN firewall for remote management: Select Administration > Remote Management. The Remote Management screen displays: Figure 153.
Enter the settings as explained in the following table: Table 62. Remote Management screen settings Setting Description Secure HTTP Management Allow Secure HTTP Management? Select the Yes radio button to enable HTTPS remote management (which is the default setting) and specify the IP address settings and port number settings.
Note: For enhanced security, and if practical, restrict remote management access to a single IP address or a small range of IP addresses. Note: To maintain security, the VPN firewall rejects a login that uses http://address rather than the SSL https://address.
To access the CLI: From your computer’s command-line prompt, enter the following command: telnet 192.168.1.1 Enter admin and password when prompted for the login and password information (or enter guest and password to log in as a read-only guest). Telnet carries the login name, the password, and every subsequent command in clear text, so use the CLI only from a host on the trusted LAN and never across the Internet.
In the Create New SNMP Configuration Entry section of the screen, enter the settings as explained in the following table: Table 63. SNMP screen settings Setting Description IP Address The IP address of the SNMP management station that is allowed to receive the VPN firewall’s SNMP traps.
Manage the VPN Firewall’s SNMP System Information The following VPN firewall identification information is available to an SNMP manager: system contact, system location, and system name. To modify the SNMP identification information: Select Administration >...
To display the Settings Backup and Firmware Upgrade screen: Select Administration > Settings Backup and Firmware Upgrade. Figure 157. Back Up Settings The backup feature saves all VPN firewall settings to a file. These settings include the IP addresses, subnet masks, gateway addresses, and so on. Because the file has to restore the VPN firewall completely, it also holds the user accounts and the VPN policies with their pre-shared keys; store the backup file with the same care as a password file.
On the Settings Backup and Firmware Upgrade screen (see the previous screen), next to Restore saved settings from file, click Browse. Locate and select the previously saved backup file (by default, SRX5308.cfg). After you have selected the file, click the Restore button. A warning message might appear, and you might have to confirm that you want to restore the configuration.
To download a firmware version and upgrade the VPN firewall: Go to the NETGEAR website at http://www.netgear.com/support: a. Under Find Your Product, enter SRX5308, and then click on the product number. The SRX5308 support screen displays. b. Click the orange Downloads tab.
WARNING! Do not try to go online, turn off the VPN firewall, shut down the computer, or do anything else to the VPN firewall until the VPN firewall finishes the upgrade! When the Test light turns off, wait a few more seconds before doing anything.
The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current Time: Wed Jul 20 15:24:51 GMT-0800 2011). Enter the settings as explained in the following table: Table 64.
Note: If you select this option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://ntp.isc.org/bin/view/Servers/WebHome.
Monitoring System Access and Performance This chapter describes the system monitoring features of the VPN firewall. You can be alerted to important events such as changes in WAN port status, WAN traffic limits reached, hacker probes and login attempts, dropped packets, and more. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more.
Figure 159. Enter the settings for the WAN1 port as explained in the following table: Table 65. WAN Traffic Meter screen settings Setting Description Enable Traffic Meter: Do you want to enable Traffic Metering? Select one of the following radio buttons to configure traffic metering: •...
Table 65. WAN Traffic Meter screen settings (continued) Setting Description Do you want to enable Traffic Metering? (continued) Select one of the following radio buttons to specify if or how the VPN firewall applies...
The contents of the WAN2 Traffic Meter, WAN3 Traffic Meter, and WAN4 Traffic Meter screens are identical to the WAN1 Traffic Meter screen with the exception of the WAN interface number. To display a report of the Internet traffic by type for the WAN1 interface: Click the Traffic by Protocol option arrow in the upper right of the WAN1 Traffic Meter screen.
Figure 161. The LAN Traffic Meter table shows the following columns, all of which are explained in detail in the following table: • LAN IP Address. The LAN IP address that is subject to the traffic meter.
Enter the settings as explained in the following table: Table 66. Add LAN Traffic Meter Account screen settings Setting Description Add LAN Traffic Meter Account LAN IP Address The LAN IP address for the account.
Figure 163. To edit a LAN traffic meter account: In the LAN Traffic Meter table, click the Edit table button to the right of the account that you want to edit. The Edit LAN Traffic Meter Account screen displays. This screen shows...
Figure 164.
Enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to the log messages. The default identifier is SRX5308. Routing Logs...
Table 67. Firewall Logs & E-mail screen settings (continued) Setting Description Enable E-Mail Logs: Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to send logs to an email address.
Table 67. Firewall Logs & E-mail screen settings (continued) Setting Description Enable SysLogs: Enable. Select one of the following radio buttons to configure the syslog server: Yes. The VPN firewall sends a log file to a syslog server. Complete the SysLog Server and SysLog Severity fields that are shown on the right side of the screen (see explanations later in this table). Syslog as used here carries the messages in clear text, so place the syslog server on a network segment that untrusted hosts cannot observe. Sending the logs to a collector also preserves them if someone who gains administrative access uses the Clear Log function to remove the copy on the VPN firewall.
Figure 165. You can refresh the logs, clear the logs, or send the logs to an email address. View Status and Log Screens The VPN firewall provides real-time information in a variety of status screens that are described in the following sections: •...
View the System (Router) Status and Statistics The Router Status screen, Detailed Status screen, and Router Statistics screen provide real-time information about the following important components of the VPN firewall: • Firmware versions that are loaded on the VPN firewall •...
Figure 166. View the Detailed Status Screen To view the Detailed Status screen: Select Monitoring > Router Status > Detailed Status. The Detailed Status screen displays. (Because of the large size of the screen and to avoid duplication of information, the following figure shows parts of the screen.)
Figure 167. The following table explains the fields of the Detailed Status screen: Table 69. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the four LAN ports.
Table 69. Detailed Status screen information (continued) Item Description VLAN ID The VLAN ID that you assigned to this port on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59). If the default VLAN profile is used, the VLAN ID is 1, which means that all tagged and untagged traffic can pass on this port.
Table 69. Detailed Status screen information (continued) Item Description IP Address. The IP address of the WAN port. Subnet Mask. The subnet mask of the WAN port. These settings are either obtained...
The following table explains the fields of the Router Statistics screen: Table 70. Router Statistics screen information Item Description System up Time: the period since the last time that the VPN firewall was started up.
To view the VLAN Status screen: Select Monitoring > Router Status > VLAN Status. The VLAN Status screen displays: Figure 168. The following table explains the fields of the VLAN Status screen: Table 71.
Figure 169. The active user’s user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. To disconnect an active user, click the Disconnect table button to the right of the user’s table entry.
Table 72. IPSec VPN Connection Status screen information (continued) Item Description Tx (KB) The amount of data that is transmitted over this SA. Tx (Packets) The number of IP packets that are transmitted over this SA.
Figure 172. To view the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 173.
View the Port Triggering Status To view the status of the port triggering feature: Select Security > Port Triggering. The Port Triggering screen displays (see Figure 71 on page 131). Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen appears in a popup window: Figure 174.
Figure 175. The Connection Status screen displays the information that is described in the following table. The information that is shown on the Connection Status screen depends on the nature of the connection—static IP address or dynamically assigned IP address.
View the Attached Devices and DHCP Log The LAN Groups screen shows the network database, which is the Known PCs and Devices table that contains all IP devices that the VPN firewall has discovered on the local network.
drop-down list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen (see Figure 35 on page 70). • Profile Name. The VLAN to which the PC or device is assigned.
Use the Diagnostics Utilities From the Diagnostics screen you can perform diagnostics that are discussed in the following sections: • Send a Ping Packet or Trace a Route • Look Up a DNS Address •...
Select Monitoring > Diagnostics to return to the Diagnostics screen. Look Up a DNS Address A DNS (Domain Name System) server converts an Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.
appears as a popup window. (The IP addresses that are shown in the following figure do not relate to other figures and examples in this manual.) Figure 179. Reboot the VPN Firewall You can perform a remote reboot (restart), for example, when the VPN firewall seems to have become unstable or is not operating normally.
Figure 180. From the Select Network drop-down list, select a WAN interface, DMZ interface (if enabled), or VLAN. Click the Start button to start capturing the traffic flow. The following text appears in the popup window: Packet tracing started.
The date or time is not correct. Go to Problems with Date and Time on page 300. • I need help from NETGEAR. Go to Access the Knowledge Base and Documentation on page 301. Note: The VPN firewall’s diagnostic tools are explained in...
VPN firewall and that the power supply adapter is correctly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR Technical Support. Test LED Never Turns Off When the VPN firewall is powered on, the Test LED turns on for approximately 2 minutes and then turns off when the VPN firewall has completed its initialization.
LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the VPN firewall and at the hub, router, or workstation.
To check the WAN IP address for a WAN interface: Launch your browser and navigate to an external site such as www.netgear.com. Access the web management interface of the VPN firewall’s configuration at https://192.168.1.1.
A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP provides the addresses of one or two DNS servers for your use. You can configure your PC manually with DNS addresses, as explained in your operating system documentation.
Troubleshoot a TCP/IP Network Using the Ping Utility Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. You can easily troubleshoot a TCP/IP network by using the ping utility in your PC or workstation.
Test the Path from Your PC to a Remote Device After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows Run menu, type: ping -n 10 <IP address>...
Figure 181. The VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off.
Daylight Savings Time check box. Access the Knowledge Base and Documentation To access NETGEAR’s knowledge base for the VPN firewall, select Web Support > Knowledgebase. To access NETGEAR’s documentation library for the VPN firewall, select Web Support > Documentation.
Default Settings and Technical Specifications You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see Revert to Factory Default Settings on page 258). •...
Table 75. VPN firewall default configuration settings (continued) Feature Default behavior (continued) RIP authentication: Disabled. DHCP server: Enabled. DHCP starting IP address: 192.168.1.2. DHCP ending IP address: 192.168.1.100. Management: Time zone; Time zone adjusted for daylight savings time...
Table 76. VPN firewall physical and technical specifications (continued) Feature Specification Environmental specifications Operating temperatures: 0°C to 45°C (32°F to 113°F). Storage temperatures: –20°C to 70°C (–4°F to 158°F). Operating humidity: 90% maximum relative humidity, noncondensing...
The following table shows the SSL VPN specifications for the VPN firewall: Table 78. VPN firewall SSL VPN specifications Setting Specification Network Management: Web-based configuration and status monitoring. Number of concurrent users supported; SSL versions: SSLv3, TLS1.0... Both of these protocol versions are deprecated (SSLv3 by RFC 7568 and TLS 1.0 by RFC 8996), and current browsers and SSL VPN clients refuse them by default, so check the firmware release notes for later TLS versions before relying on the SSL VPN portal.
Network Planning for Multiple WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections: • What to Consider Before You Begin •...
The VPN firewall is capable of being managed remotely, but this feature needs to be enabled locally after each factory default reset. NETGEAR strongly advises you to change the default management password to a strong password before enabling remote management.
Computer Network Configuration Requirements The VPN firewall integrates a web management interface. To access the configuration screens on the VPN firewall, you need to use a Java-enabled web browser that supports HTTP uploads such as Microsoft Internet Explorer 6 or later, Mozilla Firefox 3 or later, or Apple Safari 3 or later with JavaScript, cookies, and SSL enabled.
Internet Connection Information Print this page with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP. _________________________________________________________________________ • ISP Login Name: The login name and password are case-sensitive and need to be entered exactly as given by your ISP.
Overview of the Planning Process The areas that require planning when you use a firewall that has multiple WAN ports such as the VPN firewall include the following: • Inbound traffic (port forwarding, port triggering) •...
Figure 183. Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port need to be in the identical range of fixed addresses.
Inbound Traffic to a Single WAN Port System The Internet IP address of the VPN firewall’s WAN port needs to be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled.
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic.
• Dual WAN ports in auto-rollover mode. A dual WAN port auto-rollover gateway configuration is different from a single WAN port gateway configuration when you specify the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes.
Page 315
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 VPN Road Warrior: Single Gateway WAN Port (Reference Case) In a single WAN port gateway configuration, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port needs to act as the responder.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 192. The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or reestablish a VPN tunnel.
Page 317
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • Dual-gateway WAN ports for load balancing VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) In a configuration with two single WAN port gateways, either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in advance.
Page 318
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in the following figure), and one of the gateways needs to reestablish the VPN tunnel.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 VPN Telecommuter (Client-to-Gateway through a NAT Router) Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router. The following situations exemplify the requirements for a remote PC client connected to the...
Figure 199.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance).
Figure 201.
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.
• DHCP Logs
This appendix uses the following log message terms.
Table 81. Log message terms
Term        Description
[SRX5308]   System identifier.
[kernel]    Message from the kernel.
CODE        Protocol code (e.g., protocol is ICMP, type 8); CODE=0 means successful reply.
Nov 28 12:31:14 [SRX5308] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec
Nov 28 12:31:14 [SRX5308] [ntpdate] Synchronized time with time-f.netgear.com
Nov 28 12:31:16 [SRX5308] [ntpdate] Date and Time Before Synchronization: Tue Nov 28 12:31:13 GMT+0530 2006
Nov 28 12:31:16 [SRX5308] [ntpdate] Date and Time After Synchronization: Tue...
This section describes logs generated by the administrative interfaces of the device.
Table 83. System logs: login/logout
Message
Nov 28 14:45:42 [SRX5308] [login] Login succeeded: user admin from 192.168.10.10
Explanation
Login of user admin from host with IP address 192.168.10.10.
Recommended Action
None
Unicast, Multicast, and Broadcast Logs
Table 88. System logs: unicast
Message
Nov 24 11:52:55 [SRX5308] [kernel] UCAST IN=SELF OUT=WAN SRC= 192.168.10.1 DST=192.168.10.10 PROTO=UDP SPT=800 DPT=2049
Explanation
• This packet (unicast) is sent to the device from the WAN network.
Multicast/Broadcast Logs
Table 90. System logs: multicast/broadcast
Message
Jan 1 07:24:13 [SRX5308] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC= 192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
Explanation
• This multicast or broadcast packet is sent to the device from the WAN network.
Table 92. System logs: WAN status, auto-rollover
Message
Nov 17 09:59:09 [SRX5308] [wand] [LBFO] WAN1 Test Failed 1 of 3 times_
Nov 17 09:59:39 [SRX5308] [wand] [LBFO] WAN1 Test Failed 2 of 3 times_
Nov 17 10:00:09 [SRX5308] [wand] [LBFO] WAN1 Test Failed 3 of 3 times_...
Nov 29 13:12:49 [SRX5308] [pppd] remote IP address 50.0.0.1
Nov 29 13:12:49 [SRX5308] [pppd] primary DNS address 202.153.32.3
Nov 29 13:12:49 [SRX5308] [pppd] secondary DNS address 202.153.32.3
Nov 29 11:29:26 [SRX5308] [pppd] Terminating connection due to lack of activity.
Nov 29 11:29:28 [SRX5308] [pppd] Connect time 8.2 minutes.
Nov 29 11:19:05 [SRX5308] [pppd] secondary DNS address 202.153.32.2
Nov 29 11:20:45 [SRX5308] [pppd] No response to 10 echo-requests
Nov 29 11:20:45 [SRX5308] [pppd] Serial link appears to be disconnected.
Nov 29 11:20:45 [SRX5308] [pppd] Connect time 1.7 minutes.
Nov 29 11:20:45 [SRX5308] [pppd] Sent 520 bytes, received 80 bytes.
Table 95. System logs: WAN status, PPP authentication
Message
Nov 29 11:29:26 [SRX5308] [pppd] Starting link
Nov 29 11:29:29 [SRX5308] [pppd] Remote message: Login incorrect
Nov 29 11:29:29 [SRX5308] [pppd] PAP authentication failed
Nov 29 11:29:29 [SRX5308] [pppd] Connection terminated.WAN2(DOWN)_
Explanation
Starting link: Starting PPPoE connection process.
"pol1"_
Messages 8 through 19
2000 Jan 1 04:13:39 [SRX5308] [IKE] Configuration found for 20.0.0.1[500]._
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received request for new phase 1 negotiation: 20.0.0.2[500]<=>20.0.0.1[500]_
2000 Jan 1 04:13:39 [SRX5308] [IKE] Beginning Identity Protection mode._
2000 Jan 1 04:13:39 [SRX5308] [IKE] Received Vendor ID: RFC XXXX_...
2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi= 181708762._
2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi= 153677140._
2000 Jan 1 04:32:25 [SRX5308] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._
2000 Jan 1 04:32:25 [SRX5308] [IKE] IPSec configuration with identifier "pol1" deleted successfully_
2000 Jan 1 04:32:25 [SRX5308] [IKE] no phase 2 bounded._...
192.168.11.0/24<->192.168.10.0/24_
2000 Jan 1 04:52:33 [SRX5308] [IKE] Configuration found for 20.0.0.1._
2000 Jan 1 04:52:59 [SRX5308] [IKE] Phase 1 negotiation failed due to time up for 20.0.0.1[500]. b73efd188399b7f2:0000000000000000_
2000 Jan 1 04:53:04 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase 1.
Message
2000 Jan 1 02:34:45 [SRX5308] [IKE] Deleting generated policy for 20.0.0.1[0]_
2000 Jan 1 02:34:45 [SRX5308] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._
2000 Jan 1 02:34:45 [SRX5308] [IKE] Purged IPSec-SA with proto_id=ESP and spi=3000608295(0xb2d9a627)._...
"SSL VPN Tunnel" src=20.0.0.1 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd= "" msg="SSL VPN Tunnel"
Explanation
An SSL VPN tunnel is established for ID SRX5308 with the WAN host 20.0.0.1 through WAN interface 20.0.0.2 and logged in with the username "sai."
Recommended Action
None
Table 105.
Transport (Java)" src=192.168.11.2 user=sai dst=192.168.11.1 arg= "" op="" result="" rcvd="" msg="Virtual Transport (Java)"
Explanation
An SSL VPN tunnel through port forwarding is established for ID SRX5308 from the LAN host 192.168.11.2 with interface 192.168.11.1 and logged in with the username "sai."...
DMZ to LAN Logs
Table 112. Routing Logs: DMZ to LAN
Message
Nov 29 09:44:06 [SRX5308] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC= 192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation
• This packet from DMZ to LAN has been dropped by the firewall.
Recommended Action
Change the session limit to 2 to prevent packets from being dropped.
Source MAC Filter Logs
Table 115. Other Event Logs: Source MAC Filter Logs
Message
2000 Jan 1 06:40:10 [SRX5308] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0
Explanation
Because MAC address 00:12:3f:34:41:14 of the LAN host with IP address 192.168.11.3 is filtered so that it cannot access the Internet, the packets sent by...
2000 Jan 1 07:27:48 [SRX5308] [dhcpd] DHCPOFFER on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1
Message 5
2000 Jan 1 07:27:48 [SRX5308] [dhcpd] Wrote 2 leases to leases file.
Message 6
2000 Jan 1 07:27:48 [SRX5308] [dhcpd] DHCPREQUEST for 192.168.11.2 (192.168.11.1) from 00:0f:1f:8f:7c:4a via eth0.1
Message 7
2000 Jan 1 07:27:48 [SRX5308] [dhcpd] DHCPACK on 192.168.11.2 to...
Table 118. DHCP Logs (continued)
Explanation
Message 1: The DHCP server is listening on eth0.1.
Message 2: Release of the currently assigned IP address from the host by the DHCP server.
Message 3: DHCP broadcast by the host is discovered by the DHCP server.
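The log tables above all share one line shape: an optional four-digit year, a month, day and time, the system identifier in brackets, the facility in brackets (login, wand, pppd, IKE, kernel, dhcpd), and then the message, with kernel messages carrying a rule tag such as DMZ2LAN[DROP] followed by key=value fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, TYPE, CODE). The following Python is an added example, not part of the NETGEAR manual or firmware: a small parser for that format plus a roll-up of the events an operator would want counted when reviewing syslog output from the device (dropped packets per rule tag, WAN failover test strikes, PPP authentication failures, IKE phase failures, and administrator logins). The sample lines are constructed from the table entries in this appendix; the trailing "_" continuation marker the manual prints is stripped. Field names such as SRC_MAC and the summary keys are this example's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines taken from the log tables in this appendix, exactly
# as the firewall prints them (some with the manual's year prefix and "_" marker).
SAMPLE_LOG = """\
Nov 28 14:45:42 [SRX5308] [login] Login succeeded: user admin from 192.168.10.10
Nov 17 09:59:09 [SRX5308] [wand] [LBFO] WAN1 Test Failed 1 of 3 times_
Nov 17 09:59:39 [SRX5308] [wand] [LBFO] WAN1 Test Failed 2 of 3 times_
Nov 17 10:00:09 [SRX5308] [wand] [LBFO] WAN1 Test Failed 3 of 3 times_
Nov 29 11:29:29 [SRX5308] [pppd] Remote message: Login incorrect
Nov 29 11:29:29 [SRX5308] [pppd] PAP authentication failed
Nov 29 09:44:06 [SRX5308] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC= 192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
2000 Jan 1 06:40:10 [SRX5308] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0
Jan 1 07:24:13 [SRX5308] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC= 192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
2000 Jan 1 04:52:59 [SRX5308] [IKE] Phase 1 negotiation failed due to time up for 20.0.0.1[500]. b73efd188399b7f2:0000000000000000_
"""

# Common prefix: [year] Mon day HH:MM:SS [system] [facility] message[_]
LINE_RE = re.compile(
    r"^(?:(?P<year>\d{4})\s+)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+\[(?P<system>[^\]]+)\]\s+\[(?P<facility>[^\]]+)\]\s+"
    r"(?P<msg>.*?)_?\s*$"
)
# Kernel packet fields; the manual sometimes prints "SRC= 192.168.20.10" with a space.
FIELD_RE = re.compile(r"\b(?P<key>[A-Z]+)=\s*(?P<val>\S+)")
MAC_RE = re.compile(r"SRC MAC\s*=\s*(?P<mac>[0-9a-fA-F:]{17})")
# Leading rule tag, with optional action: DMZ2LAN[DROP], SRC_MAC_MATCH[DROP], UCAST, MCAST-BCAST
TAG_RE = re.compile(r"^(?P<tag>[A-Z0-9_-]+)(?:\[(?P<action>[A-Z]+)\])?")
WAN_TEST_RE = re.compile(r"\[LBFO\]\s+(?P<wan>WAN\d)\s+Test Failed\s+(?P<n>\d+)\s+of\s+(?P<total>\d+)")


@dataclass
class LogEvent:
    timestamp: str
    facility: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)
    tag: Optional[str] = None      # rule tag on kernel lines, e.g. DMZ2LAN
    action: Optional[str] = None   # e.g. DROP; None for UCAST / MCAST-BCAST


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one firewall log line; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    ev = LogEvent(timestamp=f"{m.group('mon')} {m.group('day')} {m.group('time')}",
                  facility=m.group("facility"), message=msg)
    if ev.facility == "kernel":
        t = TAG_RE.match(msg)
        if t:
            ev.tag, ev.action = t.group("tag"), t.group("action")
        ev.fields = {k: v for k, v in FIELD_RE.findall(msg)}
        mac = MAC_RE.search(msg)
        if mac:
            ev.fields["SRC_MAC"] = mac.group("mac")   # example's own key name
    return ev


def summarize(log_text: str) -> dict:
    """Roll a log excerpt up into the counts an operator reviews first."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    drops: Counter = Counter()
    wan_tests: Dict[str, Tuple[int, int]] = {}   # WAN -> (highest strike seen, threshold)
    ppp_auth_failures = ike_failures = 0
    admin_logins_from: List[str] = []
    for ev in events:
        if ev.facility == "kernel" and ev.action == "DROP":
            drops[ev.tag] += 1
        elif ev.facility == "wand":
            w = WAN_TEST_RE.search(ev.message)
            if w:
                n, total = int(w.group("n")), int(w.group("total"))
                prev = wan_tests.get(w.group("wan"), (0, total))[0]
                wan_tests[w.group("wan")] = (max(prev, n), total)
        elif ev.facility == "pppd" and "authentication failed" in ev.message:
            ppp_auth_failures += 1
        elif ev.facility == "IKE" and "negotiation failed" in ev.message:
            ike_failures += 1
        elif ev.facility == "login" and ev.message.startswith("Login succeeded"):
            admin_logins_from.append(ev.message.rsplit(" ", 1)[-1])
    # A WAN whose strike count reached the threshold is the one auto-rollover acted on.
    rolled_over = sorted(w for w, (n, total) in wan_tests.items() if n >= total)
    return {
        "events": len(events),
        "drops": dict(drops),
        "wan_test_failures": wan_tests,
        "wan_rolled_over": rolled_over,
        "ppp_auth_failures": ppp_auth_failures,
        "ike_failures": ike_failures,
        "admin_logins_from": admin_logins_from,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run on a syslog export from the device, the summary shows which rule tags are dropping traffic (a steady stream of SRC_MAC_MATCH or DMZ2LAN drops from one host is worth a look), whether a WAN port actually reached its failover threshold rather than just logging a transient strike, and which addresses administrators logged in from.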
NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. NETGEAR has implemented a more robust authentication system known as Two-Factor Authentication (2FA or T-FA) to help address the fast-growing network security issues.
NETGEAR Two-Factor Authentication Solutions
NETGEAR has implemented 2 Two-Factor Authentication solutions from WiKID. WiKID is a software-based token solution. Instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
To use WiKID (for end users):
Launch the WiKID token software, enter the PIN that has been provided (something the user knows), and then click Continue to receive the OTP from the WiKID authentication server:
Figure 202.
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. FCC Declaration Of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 complies with Part 15 of FCC Rules.
Canadian Department of Communications Radio Interference Regulations This digital apparatus, ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, does not exceed the Class B limits for radio-noise emissions from digital apparatus as set out in the Radio Interference Regulations of the Canadian Department of Communications.
Index
Numerics for IPSec VPN pre-shared key 10BaseT, 100BaseT, and 1000BaseT RSA signature – 3322.org See also RADIUS, MIAS, WiKID, NT Domain, Active Directory, LDAP. authentication domain authentication, authorization, and accounting (AAA) AAA (authentication, authorization, and accounting) authorative mode, NTP servers AC input auto uplink, autosensing Ethernet connections access, remote management...
on LAN port counter LAN traffic proxy (server) WAN traffic sessions sites to reduce traffic critical messages, syslog traffic CRL (Certificate Revocation List) scheduling of crossover cable when reaching LAN limit CSR (certificate signing request)
Differentiated Services Code Point (DSCP) emails, sending logs Diffie-Hellman (DH) group emergency messages, syslog DiffServ (Differentiated Services) environmental specifications LAN QoS error messages, syslog WAN QoS error messages, understanding digital certificates. See certificates.
IP groups increasing WAN traffic limit assigning in inbound rules info messages, syslog assigning in outbound rules Installation Guide creating instant messaging, blocking applications LAN groups interface specifications assigning in inbound rules...
See also VPN tunnels search base, search objects server, DHCP IPSec VPN logs VLANs IPSec VPN Wizard LEDs client-to-gateway tunnels, setting up – explanation of default settings – troubleshooting description gateway-to-gateway tunnels, setting up...
– maximum transmission unit (MTU) NT Domain MD5 (Message-Digest algorithm 5) NTP (Network Time Protocol) IKE polices modes and servers ModeConfig troubleshooting RIP-2 self certificate requests VPN policies Media Access Control. See MAC addresses.
pinging description auto-rollover priority responding on Internet ports LAN QoS profile responding on LAN ports WAN QoS profile troubleshooting TCP/IP private routes using the ping utility profiles pinouts, console port LAN bandwidth...
requirements, hardware logging dropped packets reserved IP addresses severities, syslog reset button SHA-1 (Secure Hash Algorithm 1) IKE policies restarting the traffic meter (or counter) ModeConfig LAN traffic self certificate requests WAN traffic...
status WAN QoS profile tunnel description tracert, using with DDNS – user account tracing a route (traceroute) user portal trademarks viewing logs traffic stateful packet inspection (SPI) blocking static IP address configuring content filtering...
UPnP (Universal Plug and Play), configuring load balancing single WAN port mode user accounts, configuring using IPSec VPN Wizard user database IKE policies user name, default – managing user portal ModeConfig user types...
VPN IPSec mode status, viewing NAT mode secondary IP addresses single port mode WAN aliases WAN inbound rules DMZ WAN LAN WAN WAN interfaces, primary and backup WAN LEDs WAN outbound rules...