NETGEAR SRX5308 - ProSafe® Quad WAN Gigabit SSL VPN Firewall Reference Manual


ProSafe Gigabit Quad WAN
SSL VPN Firewall SRX5308
Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
202-10536-01
April 2010
v1.0


Summary of Contents for NETGEAR SRX5308 - ProSafe® Quad WAN Gigabit SSL VPN Firewall

  • Page 1 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 202-10536-01 April 2010 v1.0...
  • Page 2: Technical Support

    In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3: Table Of Contents

    Contents ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual About This Manual Conventions, Formats, and Scope ................... xi How to Print This Manual ....................xii Revision History ........................xii Chapter 1 Introduction What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall? ........1-1 Key Features and Capabilities ..................1-2 Quad-WAN Ports for Increased Reliability and Outbound Load Balancing ..................1-3...
  • Page 4 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Logging In to the VPN Firewall ..................2-3 Understanding the Web Management Interface Menu Layout .........2-5 Configuring the Internet Connections ................2-7 Automatically Detecting and Connecting ..............2-7 Setting the VPN Firewall’s MAC Address .............. 2-11 Manually Configuring the Internet Connection ............
  • Page 5 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Chapter 4 Firewall Protection About Firewall Protection ....................4-1 Administrator Tips ....................4-2 Using Rules to Block or Allow Specific Kinds of Traffic ..........4-2 Services-Based Rules ....................4-3 Order of Precedence for Rules ................4-10 Setting LAN WAN Rules ..................
  • Page 6 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Testing the Connections and Viewing Status Information ..........5-16 Testing the VPN Connection ..................5-16 NETGEAR VPN Client Status and Log Information ..........5-17 Viewing the VPN Firewall IPsec VPN Connection Status ........5-19 Viewing the VPN Firewall IPSec VPN Logs ............5-20 Managing IPsec VPN Policies ..................5-20...
  • Page 7 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Adding New Network Resources ................6-14 Editing Network Resources to Specify Addresses ..........6-15 Configuring User, Group, and Global Policies ..............6-17 Viewing Policies .....................6-18 Adding a Policy ......................6-19 Accessing the SSL Portal Login Screen ...............6-23 Viewing the SSL VPN Connection Status and SSL VPN Logs ........6-25 Chapter 7 Managing Users, Authentication, and Certificates...
  • Page 8 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Chapter 9 Monitoring System Access and Performance Enabling the WAN Traffic Meter ..................9-1 Activating Notification of Events, Alerts, and Syslogs .............9-5 Viewing Status and Log Screens ..................9-9 Viewing the System (Router) Status and Statistics ..........9-10 Viewing the VLAN Status ..................9-16 Viewing and Disconnecting Active Users ...............9-17 Viewing the VPN Tunnel Connection Status ............9-18...
  • Page 9 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Appendix A Default Settings and Technical Specifications Appendix B Network Planning for Multiple WAN Ports What to Consider Before You Begin ................B-1 Cabling and Computer Hardware Requirements ............ B-3 Computer Network Configuration Requirements ............
  • Page 10 Two-Factor Authentication Why Do I Need Two-Factor Authentication? ..............D-1 What Are the Benefits of Two-Factor Authentication? ..........D-1 What Is Two-Factor Authentication ................. D-2 NETGEAR Two-Factor Authentication Solutions ............D-2 Appendix E Related Documents Appendix F Notification of Compliance Index v1.0, April 2010...
  • Page 11: About This Manual

    About This Manual The NETGEAR® ProSafe™ Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual describes how to install, configure, and troubleshoot a ProSafe Gigabit Quad WAN SSL VPN Firewall. The information in this manual is intended for readers with intermediate computer and networking skills.
  • Page 12: How To Print This Manual

    NETGEAR Website in Appendix E, “Related Documents.” Note: Product updates are available on the NETGEAR website at http://kbserver.netgear.com/products/SRX5308.asp. How to Print This Manual Your computer must have the free Adobe Acrobat Reader installed for you to view and print PDF files.
  • Page 13: Introduction

    Chapter 1 Introduction This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308. This chapter contains the following sections: • “What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall?” on this page •...
  • Page 14: Key Features And Capabilities

    Advanced IPsec VPN and SSL VPN support with support for up to 125 concurrent IPsec VPN tunnels and up to 50 concurrent SSL VPN tunnels. • Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L). •...
  • Page 15: Quad-Wan Ports For Increased Reliability And Outbound Load Balancing

    VPN client software on the remote computer. – IPsec VPN with broad protocol support for secure connection to other IPsec gateways and clients. – Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L). – Supports 125 concurrent IPsec VPN tunnels. •...
  • Page 16: A Powerful, True Firewall With Content Filtering

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual A Powerful, True Firewall with Content Filtering Unlike simple NAT routers, the SRX5308 is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities: •...
  • Page 17: Autosensing Ethernet Connections With Auto Uplink

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Autosensing Ethernet Connections with Auto Uplink With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the SRX5308 can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network.
  • Page 18: Easy Installation And Management

    ISP account. • IPsec VPN Wizard. The SRX5308 includes the NETGEAR IPsec VPN Wizard so you can easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure that the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 19: Package Contents

    – ProSafe VPN Client software (VPN01L) If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair. Hardware Features The front panel ports and LEDs, rear panel ports, and bottom label of the SRX5308 are described in the following sections.
  • Page 20 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in Table 1-1.
  • Page 21: Rear Panel

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 1-1. LED Descriptions (continued) Object Activity Description Right LED On (Green) The LAN port is operating at 1000 Mbps. On (Amber) The LAN port is operating at 100 Mbps. The LAN port is operating at 10 Mbps.
  • Page 22: Bottom Panel With Product Label

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Viewed from left to right, the rear panel contains the following components: 1. Cable security lock receptacle. 2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector.
  • Page 23: Choosing A Location For The Srx5308

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Choosing a Location for the SRX5308 The SRX5308 is suitable for use in an office environment where it can be free-standing (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the SRX5308 in a wiring closet or equipment room.
  • Page 24 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 1-12 Introduction v1.0, April 2010...
  • Page 25: Connecting The Vpn Firewall To The Internet

    Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall in order to protect the network from incoming threats and provide secure connections. To complement the firewall protection, NETGEAR advises that you use a gateway security appliance such as a NETGEAR ProSecure STM appliance.
  • Page 26: Qualified Web Browsers

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Configure the Internet connections to your ISPs. During this phase, you connect to your ISPs. You can also program the WAN traffic meters at this time if desired. See “Configuring the Internet Connections”...
  • Page 27: Logging In To The Vpn Firewall

    “Qualified Web Browsers” on page 2-2. 2. Enter https://192.168.1.1 in the address field. The NETGEAR Configuration Manager Login screen displays in the browser. Note: The VPN firewall factory default IP address is 192.168.1.1. If you change the IP address, you must use the IP address that you assigned to the VPN firewall to log in to the VPN firewall.
  • Page 28 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note: The first time that you remotely connect to the VPN firewall with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL certificate. 3.
  • Page 29: Understanding The Web Management Interface Menu Layout

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note: After 10 minutes of inactivity (the default login time-out), you are automatically logged out. Understanding the Web Management Interface Menu Layout Figure 2-3 shows the menu at the top of the Web Management Interface. (Figure 2-3 callouts: Option arrow: additional screen for a submenu item; 3rd level: submenu tab (blue); 2nd level: configuration menu link (gray).)
  • Page 30 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. Figure 2-4 shows an example. Figure 2-4 Any of the following action buttons might be displayed on screen (this list might not be complete): •...
  • Page 31: Configuring The Internet Connections

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual • Down. Move down the selected entry in the table. • Apply. Apply the selected entry. Almost all screens and sections of screens have an accompanying help screen. To open the help screen, click the Help icon. Configuring the Internet Connections To set up your VPN firewall for secure Internet connections, you configure WAN ports 1...
  • Page 32 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The WAN Settings table displays the following fields: • WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4). • Status. The status of the WAN interface (UP or DOWN). • WAN IP.
  • Page 33 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-7 3. Click the Auto Detect button at the bottom of the screen. The auto detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
  • Page 34 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The auto detect process returns one of the following results: • If the auto-detect process is successful, a status bar at the top of the screen displays the results (for example, “DHCP service detected”). •...
  • Page 35: Setting The Vpn Firewall's Mac Address

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to “Manually Configuring the Internet Connection” on this page or see “Troubleshooting the ISP Connection”...
  • Page 36 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Click the Edit button in the Action column of the WAN interface for which you want to automatically configure the connection to the Internet. The WAN ISP Settings screen displays (see Figure 2-7 on page 2-9, which shows the WAN1 ISP Settings screen as an example).
  • Page 37 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in Table 2-2. Table 2-2. PPTP and PPPoE Settings Setting Description (or Subfield and Description) Austria (PPTP) If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button and enter the following settings:...
  • Page 38 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 7. In the Internet (IP) Address section of the screen, configure the IP address settings as explained in Table 2-3. Click the Current IP Address link to see the currently assigned IP address.
  • Page 39 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 8. In the Domain Name Server (DNS) Servers section of the screen, specify the DNS settings as explained in Table 2-4. Figure 2-12 Table 2-4. DNS Server Settings Setting Description (or Subfield and Description) Get Automatically If your ISP has not assigned any Domain Name Server (DNS) addresses, select from ISP...
  • Page 40: Configuring The Wan Mode

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring the WAN Mode The VPN firewall can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency). If you do not select load balancing, you need to specify one WAN interface as the primary interface.
  • Page 41: Configuring Classical Routing

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note the following about NAT: • The VPN firewall uses NAT to select the correct PC (on your LAN) to receive any incoming data. • If you have only a single public Internet IP address, you must use NAT (the default setting). •...
  • Page 42: Configuring The Auto-Rollover Mode And Failure Detection Method

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring the Auto-Rollover Mode and Failure Detection Method To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this mode and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.
  • Page 43 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-13 3. In the Load Balancing Settings section of the screen, configure the following settings: a. Select the Primary WAN Mode radio button. b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface.
  • Page 44 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring the Failure Detection Method To configure failure detection method: 1. Select Network Configuration > WAN Settings from the menu. The WAN screen displays (see Figure 2-6 on page 2-7). 2.
  • Page 45: Configuring Load Balancing And Optional Protocol Binding

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 2-5. Failure Detection Method Settings (continued) Setting Description (or Subfield and Description) Ping Pings are sent to a server with a public IP address. This server should not reject the ping request and should not consider ping traffic to be abusive.
  • Page 46 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring Load Balancing To configure load balancing: 1. Select Network Configuration > WAN Settings from the menu. 2. Click the WAN Mode tab. The WAN Mode screen displays. Figure 2-15 3.
  • Page 47 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring Protocol Binding (Optional) To configure protocol binding and add protocol binding rules: 1. Select Network Configuration > Protocol Binding from the menu. 2. Select the Load Balancing radio button. The Protocol Bindings screen displays. (Figure 2-16 shows two examples in the Protocol Binding table.) Figure 2-16...
  • Page 48 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-17 4. Configure the protocol binding settings as explained in Table 2-6. Table 2-6. Protocol Binding Settings Setting Description (or Subfield and Description) Service From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you must define it using the Services screen (see “Services-Based Rules”...
  • Page 49: Configuring Secondary Wan Addresses

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 2-6. Protocol Binding Settings (continued) Setting Description (or Subfield and Description) Destination Network The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the drop-down list: All Internet IP address.
  • Page 50 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual For more information about firewall rules, see “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2. Note: It is important that you ensure that any secondary WAN addresses are different from the primary WAN, LAN, and DMZ IP addresses that are already configured on the VPN firewall.
  • Page 51: Configuring Dynamic Dns

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-18 The List of Secondary WAN addresses table displays the secondary LAN IP addresses added for the selected WAN interface. 4. In the Add WAN Secondary Addresses section of the screen, enter the following settings: •...
  • Page 52 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently—hence, the need for a commercial DDNS service, which allows you to register an extension to its domain, and restores DNS requests...
  • Page 53 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-19 Connecting the VPN Firewall to the Internet 2-29 v1.0, April 2010...
  • Page 54 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Click the Information option arrow in the upper right corner of a DNS screen for registration information. Figure 2-20: 4. Access the website of the DDNS service provider and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
  • Page 55: Configuring Advanced Wan Options

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 6. Click Apply to save your configuration. Configuring Advanced WAN Options The advanced options include configuration of the maximum transmission unit (MTU) size, port speed, VPN firewall’s MAC address, and setting a rate limit on the traffic that is being forwarded by the VPN firewall.
  • Page 56 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 2-21 4. Enter the settings as explained in Table 2-8. Table 2-8. Advanced WAN Settings Setting Description (or Subfield and Description) MTU Size Make one of the following selections: Default Select the Default radio button for the normal maximum transmission unit (MTU) value.
  • Page 57 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 2-8. Advanced WAN Settings (continued) Setting Description (or Subfield and Description) Custom Select the Custom radio button and enter an MTU value in the Bytes field. For some ISPs, you might need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
  • Page 58: Additional Wan-Related Configuration Tasks

    If you want the ability to manage the VPN firewall remotely, enable remote management (see “Configuring Remote Management Access” on page 8-10). If you enable remote management, NETGEAR strongly recommends that you change your password (see “Changing Passwords and Administrator Settings” on page 8-8).
  • Page 59: What To Do Next

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual What to Do Next The following sections describe important tasks that you might want to address before you deploy the VPN firewall in your network: • “Configuring VPN Authentication Domains, Groups, and Users” on page 7-1.
  • Page 60 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2-36 Connecting the VPN Firewall to the Internet v1.0, April 2010...
  • Page 61: Lan Configuration

    Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your VPN firewall. This chapter contains the following sections: • “Managing Virtual LANs and DHCP Options” on this page • “Configuring Multi-Home LAN IP Addresses on the Default VLAN” on page 3-12 •...
  • Page 62: Understanding The Vpn Firewall's Port-Based Vlans

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual VLANs have a number of advantages: • They make it easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group’s traffic is contained largely within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network.
  • Page 63: Assigning And Managing Vlan Profiles

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1;...
  • Page 64: Vlan Dhcp Options

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual For each VLAN profile, the following fields are displayed in the VLAN Profiles table: • Check box. Allows you to select the VLAN profile in the table. • Status icon. Indicates the status of the VLAN profile: –...
  • Page 65 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The VPN firewall delivers the following settings to any LAN device that requests DHCP: • An IP address from the range that you have defined • Subnet mask • Gateway IP address (the VPN firewall’s LAN IP address) •...
  • Page 66: Configuring A Vlan Profile

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual LDAP Server A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server.
  • Page 67 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table.
  • Page 68 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Enter the settings as explained in Table 3-1. Table 3-1. VLAN Profile Settings Setting Description (or Subfield and Description) VLAN Profile Profile Name Enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN.
  • Page 69 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-1. VLAN Profile Settings (continued) Setting Description (or Subfield and Description) Enable DHCP Server Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.
  • Page 70 • ou (for organizational unit) • o (for organization) • c (for country) • dc (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero).
  • Page 71: Configuring Vlan Mac Addresses And Lan Advanced Settings

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 4. Click Apply to save your settings. Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change these default traffic rules, see Chapter 4, “Firewall...
  • Page 72: Configuring Multi-Home Lan Ip Addresses On The Default Vlan

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 2. Select the Advanced option arrow at the top right of the LAN Setup screen. The LAN Advanced screen displays. Figure 3-4 3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) 4.
  • Page 73 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual It is important that you ensure that any secondary LAN addresses are different from the primary LAN, WAN, and DMZ IP addresses and subnet addresses that are already configured on the VPN firewall. The following is an example of correctly configured IP addresses: WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0 WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0...
  • Page 74: Managing Groups And Hosts (Lan Groups)

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Repeat step 3 and step 4 for each secondary IP address that you want to add to the Available Secondary LAN IPs table. Note: Secondary IP addresses cannot be configured on the DHCP server. The hosts on the secondary subnets must be manually configured with the IP addresses, gateway IP address, and DNS server IP addresses.
  • Page 75: Managing The Network Database

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Some advantages of the network database are: • Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the name of the desired PC or device. •...
  • Page 76 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 3-6 The Known PCs and Devices table lists the entries in the network database. For each PC or device, the following fields are displayed: • Check box. Allows you to select the PC or device in the table. •...
  • Page 77 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Adding PCs or Devices to the Network Database To add PCs or devices manually to the network database: 1. In the Add Known PCs and Devices section of the LAN Groups screen (see Figure 3-6 on page 3-16), enter the settings as explained in...
  • Page 78: Changing Group Names In The Network Database

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Editing PCs or Devices in the Network Database To edit PCs or devices manually in the network database: 1. In the Known PCs and Devices table of the LAN Groups screen (see Figure 3-6 on page 3-16), click the Edit table button of a table entry.
  • Page 79: Setting Up Address Reservation

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Click the Edit Group Names option arrow at the top right of the LAN Groups screen. The Network Database Group Names screen displays. (Figure 3-8 shows some examples.) Figure 3-8 4.
  • Page 80: Configuring And Enabling The Dmz Port

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To reserve an IP address, select Reserved (DHCP Client) from the IP Address Type drop-down list on the LAN Groups screen as described in “Adding PCs or Devices to the Network Database” on page 3-17 or on the Edit Groups and Hosts screen as described in “Editing PCs or Devices in...
  • Page 81 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual To enable and configure the DMZ port: 1. Select Network Configuration > DMZ Setup from the menu. The DMZ Setup screen displays. Figure 3-9 2. Enter the settings as explained in Table 3-3 on page 3-22.
  • Page 82 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-3. DMZ Setup Settings Setting Description (or Subfield and Description) DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields.
  • Page 83 • ou (for organizational unit) • o (for organization) • c (for country) • dc (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero).
  • Page 84: Managing Routing

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 3-3. DMZ Setup Settings (continued) Setting Description (or Subfield and Description) DNS Proxy Enable DNS Proxy This is optional. Select the Enable DNS Proxy radio button to enable the VPN firewall to provide a LAN IP address for DNS address name resolution.
  • Page 85: Configuring Static Routes

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring Static Routes To add a static route to the Static Route table: 1. Select Network Configuration > Routing from the menu. The Routing screen displays. Figure 3-10 For information about the fields of the Static Routes table, see Table 3-4 on page 3-26.
  • Page 86 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Enter the settings as explained in Table 3-4. Table 3-4. Static Route Settings Setting Description (or Subfield and Description) Route Name The route name for the static route (for purposes of identification and management).
  • Page 87: Configuring Routing Information Protocol

    Configuring Routing Information Protocol. Routing Information Protocol (RIP), RFC 2453, is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information automatically with other routers, to dynamically adjust its routing tables, and to adapt to changes in the network. Because every accepted RIP update changes the firewall's routing table, enable RIP only toward trusted segments and, where RIP-2 is used, require the MD5 authentication described in Table 3-5.
  • Page 88 Table 3-5. RIP Configuration Settings. RIP Direction: From the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP packets: •...
  • Page 89: Static Route Example

    Table 3-5. RIP Configuration Settings (continued). Authentication for RIP-2B/2M required? Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second.
  • Page 90 3-30 LAN Configuration v1.0, April 2010
  • Page 91: About Firewall Protection

    Chapter 4 Firewall Protection This chapter describes how to use the firewall features of the VPN firewall to protect your network. This chapter contains the following sections: • “About Firewall Protection” on this page • “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2 •...
  • Page 92: Administrator Tips

    Administrator Tips. Consider the following operational items: 1. As an option, you can enable remote management if you have to manage distant sites from a central location (see “Configuring VPN Authentication Domains, Groups, and Users” on page 7-1 and “Configuring Remote Management Access”... Remote management exposes the management interface to the WAN, so restrict it to the remote addresses that need it and use a strong administrator password.
  • Page 93: Services-Based Rules

    The firewall rules for blocking and allowing traffic on the VPN firewall can be applied to a combination of LAN-WAN traffic, DMZ-WAN traffic, and LAN-DMZ traffic. Table 4-1. Number of Supported Firewall Rule Configurations (columns: Maximum Number of ... / Maximum Number of ... / Maximum Number of ...).
  • Page 94 Outbound Rules (Service Blocking). The VPN firewall allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. Note: See “Enabling Source MAC Filtering”...
  • Page 95 Table 4-2. Outbound Rules Overview (continued). Select Schedule: The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule. • This drop-down list is activated only when “BLOCK by schedule, otherwise allow” or “ALLOW by schedule, otherwise block”...
  • Page 96 Table 4-2. Outbound Rules Overview (continued). Bandwidth Profile: Bandwidth limiting determines the way in which data is sent to and from your host. Its purpose is to cap outgoing and incoming traffic so that LAN users cannot consume all the bandwidth of the Internet link.
  • Page 97 • If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your network (see “Configuring Dynamic DNS”...
  • Page 98 • “Setting LAN DMZ Rules” on page 4-18. Table 4-3. Inbound Rules Overview. Service: The service or application to be covered by this rule. If the service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services”...
  • Page 99 Table 4-3. Inbound Rules Overview (continued). WAN Users: The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are: •...
  • Page 100: Order Of Precedence For Rules

    Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location.
  • Page 101: Setting Lan Wan Rules

    Setting LAN WAN Rules. The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). Where the outbound services the LAN needs are known, the tighter posture is a default-deny outbound policy with explicit allow rules for just those services, which limits what a compromised LAN host can reach.
  • Page 102 To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, either the Edit LAN WAN Outbound Service screen (identical to Figure 4-3 on page 4-13) or the Edit LAN WAN Inbound Service screen (identical to...
  • Page 103 To create a new outbound LAN WAN service rule: 1. In the LAN WAN Rules screen, click the Add table button under the Outbound Services table. The Add LAN WAN Outbound Service screen displays (Figure 4-3 shows an example).
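To see how the rule table semantics above combine (the first matching rule decides, top to bottom; nothing matched falls through to the default outbound policy; a scheduled rule flips between allow and block depending on the hour), here is an added Python example that is not the firewall's code. The rule table is constructed, LAN Users and WAN Users are simplified to "Any" or a CIDR, and top-down first-match evaluation is an assumption drawn from the manual's advice to place a catch-all rule below all other rules.

```python
"""First-match firewall rule evaluation, mirroring the rule table semantics
described above. Added example with constructed rules; not the firewall's code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"
BLOCK_ALWAYS = "BLOCK always"
ALLOW_ALWAYS = "ALLOW always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule, otherwise allow"
ALLOW_BY_SCHEDULE = "ALLOW by schedule, otherwise block"


@dataclass
class Rule:
    name: str
    service: tuple          # (protocol, port); port None matches any port
    action: str
    lan_users: str = ANY    # ANY or a CIDR (simplification of the Single/Range options)
    wan_users: str = ANY
    schedule: frozenset = frozenset()   # hours of the day (0-23) when the schedule is active


def _in_scope(spec: str, addr: str) -> bool:
    return spec == ANY or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, proto: str, port: int, src: str, dst: str) -> bool:
    rproto, rport = rule.service
    return (rproto == proto and (rport is None or rport == port)
            and _in_scope(rule.lan_users, src) and _in_scope(rule.wan_users, dst))


def decide(rule: Rule, hour: int) -> str:
    """Translate the rule's action into ALLOW/BLOCK for the given hour."""
    if rule.action == BLOCK_ALWAYS:
        return "BLOCK"
    if rule.action == ALLOW_ALWAYS:
        return "ALLOW"
    active = hour in rule.schedule
    if rule.action == BLOCK_BY_SCHEDULE:
        return "BLOCK" if active else "ALLOW"
    if rule.action == ALLOW_BY_SCHEDULE:
        return "ALLOW" if active else "BLOCK"
    raise ValueError(f"unknown action {rule.action!r}")


def evaluate(rules, proto, port, src, dst, hour, default="ALLOW"):
    """Walk the table top to bottom; the first matching rule decides.
    Nothing matched: the table's default policy applies (allow for LAN->WAN outbound)."""
    for rule in rules:
        if rule_matches(rule, proto, port, src, dst):
            return decide(rule, hour), rule.name
    return default, "default policy"


# Constructed outbound LAN WAN rule table. The mail-relay exception must sit
# ABOVE the blanket SMTP block, otherwise the block matches first and wins.
OUTBOUND_RULES = [
    Rule("allow mail relay", ("tcp", 25), ALLOW_ALWAYS, lan_users="192.168.1.10/32"),
    Rule("block outbound smtp", ("tcp", 25), BLOCK_ALWAYS),
    Rule("block web during office hours", ("tcp", 80), BLOCK_BY_SCHEDULE,
         schedule=frozenset(range(9, 17))),
]

if __name__ == "__main__":
    for args in [("tcp", 25, "192.168.1.10", "203.0.113.5", 10),
                 ("tcp", 25, "192.168.1.20", "203.0.113.5", 10),
                 ("tcp", 80, "192.168.1.20", "203.0.113.5", 10),
                 ("tcp", 80, "192.168.1.20", "203.0.113.5", 20),
                 ("tcp", 443, "192.168.1.20", "203.0.113.5", 10)]:
        print(args, "->", evaluate(OUTBOUND_RULES, *args))
    # Same two SMTP rules in the wrong order: the relay is now blocked.
    swapped = [OUTBOUND_RULES[1], OUTBOUND_RULES[0]]
    print("swapped ->", evaluate(swapped, "tcp", 25, "192.168.1.10", "203.0.113.5", 10))
```

The swapped case is the one to remember when editing a live table: a rule that is correct on its own can be made dead, or made to fire for everyone, purely by where it sits.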
  • Page 104: Setting Dmz Wan Rules

    Figure 4-4. 2. Enter the settings as explained in Table 4-3 on page 4-8. 3. Click Apply to save your changes. The new rule is now added to the Inbound Services table. Setting DMZ WAN Rules. The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen.
  • Page 105 To access the DMZ WAN Rules screen: 1. Select Security > Firewall from the menu. The Firewall submenu tabs display. 2. Click the DMZ WAN Rules submenu tab. The DMZ WAN Rules screen displays. (Figure 4-5 shows a rule in the Outbound Services table as an example.)
  • Page 106 2. Click one of the following table buttons: • Disable. Disables the rule or rules. The “!” status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled. (By default, when a rule is added to the table, it is automatically enabled.) •...
  • Page 107 3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled. DMZ WAN Inbound Services Rules. The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed.
  • Page 108: Setting Lan Dmz Rules

    Setting LAN DMZ Rules. The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to allow all traffic between the local LAN and DMZ network. Since a DMZ host is the one most likely to be compromised, add rules that block traffic initiated from the DMZ toward the LAN except for the specific services the DMZ host must reach; otherwise the DMZ provides no isolation in that direction.
  • Page 109 To delete or disable one or more rules: 1. Select the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.
  • Page 110 2. Enter the settings as explained in Table 4-2 on page 4-4. 3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled. LAN DMZ Inbound Services Rules. The Inbound Services table lists all existing rules for inbound traffic.
  • Page 111: Inbound Rules Examples

    Inbound Rules Examples. LAN WAN Inbound Rule: Hosting a Local Public Web Server. If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of the day.
  • Page 112 By creating an inbound rule, we will configure the VPN firewall to host an additional public IP address and associate this address with a Web server on the LAN. The following addressing scheme is used to illustrate this procedure: • NETGEAR VPN firewall: – WAN1 IP address: 99.180.226.101 –...
  • Page 113 Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ.
  • Page 114 Figure 4-14 on page 4-25. Warning: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 115: Outbound Rules Example

    1. Select Any and Allow Always (or Allow by Schedule). 2. Place the rule below all other inbound rules. Figure 4-14. Outbound Rules Example. Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other nonessential sites.
  • Page 116: Configuring Other Firewall Features

    Figure 4-15. Configuring Other Firewall Features. You can configure attack checks, set session limits, and manage the application level gateway (ALG) for Session Initiation Protocol (SIP) sessions. Attack Checks. The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.
  • Page 117 Figure 4-16. 3. Enter the settings as explained in Table 4-4. Table 4-4. Attack Checks Settings. WAN Security Checks. Respond to Ping on Internet Ports: Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet. Leave it cleared unless you need it for external monitoring; answering pings confirms to a scanner that a host is present.
  • Page 118 Table 4-4. Attack Checks Settings (continued). LAN Security Checks. Block UDP flood: Select the Block UDP flood check box to prevent the VPN firewall from accepting more than 20 simultaneous, active UDP connections from a single device on the LAN.
  • Page 119: Setting Session Limits

    Setting Session Limits. The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IP connection across the VPN firewall. The session limits feature is disabled by default.
  • Page 120: Managing The Application Level Gateway For Sip Sessions

    Table 4-5. Session Limit Settings (continued). User Limit: Enter a number to indicate the user limit. If the User Limit Parameter is set to Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a single-source device as a percentage of the total session connection capacity of the VPN firewall.
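Both checks above are per-source counters over the active session table: the UDP flood check trips when one LAN device holds more than 20 active UDP connections, and the session limit caps any single source at either an absolute number or a percentage of the firewall's total capacity. The following Python is an added example over a constructed session snapshot, not the firewall's implementation; the "Number of Sessions" parameter name and the capacity of 10000 used in the demonstration are assumptions.

```python
"""Per-source session accounting: the UDP flood check (more than 20 simultaneous
UDP connections from one LAN device) and the per-user session limit. Added example
over a constructed session table; not the firewall's implementation."""
from collections import Counter

UDP_FLOOD_THRESHOLD = 20   # Table 4-4: block beyond 20 active UDP connections per device


def per_source_limit(parameter: str, value: int, max_sessions: int) -> int:
    """Resolve the User Limit setting into an absolute number of sessions.
    'Percentage of Max Sessions' is the name used in Table 4-5; 'Number of Sessions'
    is assumed here as the name of the absolute option."""
    if parameter == "Percentage of Max Sessions":
        return max_sessions * value // 100
    if parameter == "Number of Sessions":
        return value
    raise ValueError(parameter)


def sessions_per_source(sessions, proto=None) -> Counter:
    """Count active sessions per LAN source, optionally for one protocol only."""
    return Counter(src for p, src, _dst, _dport in sessions if proto is None or p == proto)


def udp_flood_sources(sessions, threshold=UDP_FLOOD_THRESHOLD):
    """LAN sources holding more than `threshold` active UDP sessions."""
    counts = sessions_per_source(sessions, "udp")
    return sorted(src for src, n in counts.items() if n > threshold)


def over_session_limit(sessions, limit):
    """LAN sources whose total active sessions exceed the per-user limit."""
    counts = sessions_per_source(sessions)
    return sorted(src for src, n in counts.items() if n > limit)


# Constructed snapshot of active sessions: (protocol, LAN source, destination, dst port)
SESSIONS = (
    [("udp", "192.168.1.50", "203.0.113.9", 40000 + i) for i in range(25)]        # UDP flood
    + [("udp", "192.168.1.51", "198.51.100.7", 5000 + i) for i in range(5)]       # ordinary
    + [("tcp", "192.168.1.51", f"203.0.113.{20 + i}", 443) for i in range(3)]
    + [("tcp", "192.168.1.52", f"198.51.100.{10 + i}", 443) for i in range(40)]   # many TCP, no UDP
)

if __name__ == "__main__":
    limit = per_source_limit("Number of Sessions", 30, 10000)  # 10000 is an assumed capacity
    print("UDP flood sources:", udp_flood_sources(SESSIONS))
    print(f"sources over {limit} sessions:", over_session_limit(SESSIONS, limit))
```

Note that the two controls catch different hosts: 192.168.1.52 never trips the UDP check despite holding the most sessions, and 192.168.1.50 stays under a 30-session limit despite flooding UDP, so neither control substitutes for the other.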
  • Page 121: Creating Services, Qos Profiles, And Bandwidth Profiles

    Figure 4-18. 3. Select the Enable SIP ALG check box. 4. Click Apply to save your settings. Enable the SIP ALG only if SIP endpoints behind the firewall need it; an ALG rewrites packet contents and is a common source of both VoIP breakage and security bugs. Creating Services, QoS Profiles, and Bandwidth Profiles. When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: •...
  • Page 122 For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
  • Page 123 2. In the Add Custom Service section of the screen, enter the settings as explained in Table 4-6. Table 4-6. Services Settings. Name: A descriptive name of the service for identification and management purposes. Type: From the Type drop-down list, select the IP protocol that the service uses as its transport (for example TCP or UDP):...
  • Page 124: Creating Quality Of Service (Qos) Profiles

    3. Click Apply to save your changes. The modified service is displayed in the Custom Services Table. Creating Quality of Service (QoS) Profiles. A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall.
  • Page 125 To create a QoS profile: 1. Select Security > Services from the menu. The Services submenu tabs display, with the Services screen in view. 2. Click the QoS Profiles submenu tab. The QoS Profiles screen displays. Figure 4-21 shows some profiles in the List of QoS Profiles table as an example.
  • Page 126 Note: This document assumes that you are familiar with QoS concepts such as QoS priority queues, IP precedence, DSCP, and their values. Table 4-7. QoS Profile Settings. Profile Name: A descriptive name of the QoS profile for identification and management purposes.
  • Page 127: Creating Bandwidth Profiles

    2. Modify the settings that you wish to change (see Table 4-7 on page 4-36). 3. Click Apply to save your changes. The modified QoS profile is displayed in the List of QoS Profiles table.
  • Page 128 Figure 4-23. The screen displays the List of Bandwidth Profiles table with the user-defined profiles. 2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays.
  • Page 129 3. Enter the settings as explained in Table 4-8. Table 4-8. Bandwidth Profile Settings. Profile Name: A descriptive name of the bandwidth profile for identification and management purposes. Direction: From the Direction drop-down list, select the direction in which the bandwidth profile is applied:...
  • Page 130: Setting A Schedule To Block Or Allow Specific Traffic

    To edit a bandwidth profile: 1. In the List of Bandwidth Profiles table, click the Edit table button to the right of the bandwidth profile that you want to edit. The Edit Bandwidth Profile screen displays. 2.
  • Page 131: Content Filtering (Blocking Internet Sites)

    VPN firewall’s content filtering and Web components filtering features. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
  • Page 132: Enabling And Configuring Content Filtering

    – ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX controls from being downloaded. –...
  • Page 133 Figure 4-26
  • Page 134: Enabling Source Mac Filtering

    4. Enter the settings as explained in Table 4-9. Table 4-9. Content Filtering Settings. Web Components: Select the check boxes of any Web components that you wish to block. The Web components are explained in “Understanding the VPN Firewall’s Content Filtering”...
  • Page 135 By default, the source MAC address filter is disabled, and traffic received from PCs with any MAC address is allowed. When the source MAC address filter is enabled, traffic from PCs or devices whose MAC addresses are listed in the MAC Addresses table is either permitted or blocked, depending on the selected policy. A MAC address is trivial to change on most hosts, so treat this filter as a convenience control, not as authentication.
  • Page 136: Setting Up Ip/Mac Bindings

    3. In the same section, below the radio buttons, select one of the following options from the drop-down list: • Block. Traffic coming from all addresses in the MAC Addresses table is blocked. •...
  • Page 137 If all of the preceding host entry examples are added to the IP/MAC Bindings table, the following scenarios indicate the possible outcomes. • Host1. Matching IP address and MAC address in the IP/MAC Bindings table. •...
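The scenarios above reduce to a lookup in both directions of the bindings table: is this IP bound, and if so to which MAC; is this MAC bound, and if so to which IP. The following Python is an added example, not the firewall's code, that classifies a constructed ARP/DHCP snapshot against a constructed bindings table and applies the Block/Permit source MAC filter policy described on the previous pages. MAC addresses can be changed on the sending host, so these checks catch mistakes and unsophisticated spoofing, not a determined attacker.

```python
"""IP/MAC binding audit and source MAC filter policy, as described above.
Added example over a constructed bindings table and ARP/DHCP snapshot."""
import re

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:1b:2c:3d:4e:5f, 00-1B-2C-3D-4E-5F or 001b.2c3d.4e5f; return colon form."""
    digits = re.sub(r"[:\-.]", "", mac).lower()
    if not _MAC_RE.match(digits):
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_binding(bindings, ip: str, mac: str) -> str:
    """bindings: {ip: mac}. Outcomes follow the manual's scenarios: the pair matches,
    the IP is bound to a different MAC, the MAC is bound to a different IP,
    or the host is not in the table at all."""
    mac = normalize_mac(mac)
    bound = {i: normalize_mac(m) for i, m in bindings.items()}
    if ip in bound:
        return "match" if bound[ip] == mac else "ip_bound_to_other_mac"
    if mac in bound.values():
        return "mac_bound_to_other_ip"
    return "unbound"


def audit(bindings, observed):
    """Return the (ip, mac, outcome) entries of a snapshot that violate a binding."""
    violations = []
    for ip, mac in observed:
        outcome = check_binding(bindings, ip, mac)
        if outcome in ("ip_bound_to_other_mac", "mac_bound_to_other_ip"):
            violations.append((ip, normalize_mac(mac), outcome))
    return violations


def mac_filter_allows(policy: str, mac_table, mac: str) -> bool:
    """Source MAC filter: 'Block' drops traffic from listed MACs,
    'Permit' passes only traffic from listed MACs."""
    listed = normalize_mac(mac) in {normalize_mac(m) for m in mac_table}
    if policy == "Block":
        return not listed
    if policy == "Permit":
        return listed
    raise ValueError(policy)


# Constructed IP/MAC bindings and a constructed snapshot of what the LAN currently shows.
BINDINGS = {
    "192.168.1.10": "00:1b:2c:3d:4e:5f",   # host1
    "192.168.1.20": "00:1b:2c:3d:4e:60",   # host2
}
OBSERVED = [
    ("192.168.1.10", "00-1B-2C-3D-4E-5F"),  # host1 as bound
    ("192.168.1.20", "de:ad:be:ef:00:01"),  # another NIC claims host2's IP
    ("192.168.1.99", "00:1b:2c:3d:4e:60"),  # host2's NIC using an IP it is not bound to
    ("192.168.1.77", "02:00:00:00:00:01"),  # unknown host, not covered by a binding
]

if __name__ == "__main__":
    for ip, mac in OBSERVED:
        print(ip, mac, "->", check_binding(BINDINGS, ip, mac))
    print("violations:", audit(BINDINGS, OBSERVED))
```

The "unbound" outcome is the one that deserves a second look when the table is meant to be complete: a host that appears on the LAN with no binding at all is exactly what a rogue device looks like, and a Permit-mode source MAC filter is the setting that stops it rather than the bindings table.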
  • Page 138: Configuring Port Triggering

    3. Enter the settings as explained in Table 4-10. Table 4-10. IP/MAC Binding Settings. Email IP/MAC Violations. Do you want to enable E-mail...? Select one of the following radio buttons: •...
  • Page 139 Once configured, port triggering operates as follows: 1. A PC makes an outgoing connection using a port number that is defined in the Port Triggering Rules table. 2. The VPN firewall records this connection, opens the additional incoming port or ports that are associated with the rule in the port triggering table, and associates them with the PC.
  • Page 140 Figure 4-29. 2. Below Add Port Triggering Rule, enter the settings as explained in Table 4-11. Table 4-11. Port Triggering Settings. Name: A descriptive name of the rule for identification and management purposes. Enable: From the drop-down list, select Yes to enable the rule.
  • Page 141: Configuring Universal Plug And Play

    To edit a port triggering rule (for example, to enable the rule): 1. In the Port Triggering Rules table, click the Edit table button to the right of the port triggering rule that you want to edit.
  • Page 142 Figure 4-31. 2. To enable the UPnP feature, select the Yes radio button. (The feature is disabled by default.) To disable the feature, select No. Leave UPnP disabled unless an application requires it: with UPnP on, any device on the LAN, including malware on a compromised host, can open inbound port mappings through the firewall without authentication. 3. Configure the following fields: –...
  • Page 143: Virtual Private Networking Using Ipsec Connections

    Chapter 5 Virtual Private Networking Using IPsec Connections This chapter describes how to use the IP security (IPsec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections: •...
  • Page 144 The following diagrams and table show how the WAN mode selection relates to VPN configuration. [Diagram: WAN Auto-Rollover: FQDN Required for VPN; shows the VPN firewall's WAN 1 port, the rest of the VPN firewall, and the Internet-facing WAN port.]
  • Page 145: Using The Ipsec Vpn Wizard For Client And Gateway Configurations

    Using the IPsec VPN Wizard for Client and Gateway Configurations. You can use the IPsec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following section provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following scenarios: •...
  • Page 146 Figure 5-4. To view the wizard default settings, click the VPN Wizard Default Values option arrow at the top right of the screen. A popup window appears (see Figure 5-5 on page 5-5) displaying the wizard default values. Review these defaults before relying on them; the wizard's algorithm and lifetime choices are not necessarily the strongest the firewall supports, and the IKE and VPN policies it creates can be edited afterward.
  • Page 147 Figure 5-5. 3. Select the radio buttons and complete the fields as explained in Table 5-2. Table 5-2. (IPsec) VPN Wizard Settings for a Gateway-to-Gateway Tunnel. About VPN Wizard. This VPN tunnel will connect to the following peers: Select the Gateway radio button.
  • Page 148 Table 5-2. (IPsec) VPN Wizard Settings for a Gateway-to-Gateway Tunnel (continued). Enable RollOver? If you have configured the VPN firewall to function in WAN auto-rollover mode (see “Configuring the Auto-Rollover Mode and Failure Detection Method”...
  • Page 149 4. Click Apply to save your settings. The IPsec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled. Figure 5-6. 5.
  • Page 150: Creating A Client To Gateway Vpn Tunnel

    “Using the VPN Wizard Configure the Gateway for a Client Tunnel” on page 5-8. • “Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection” on page 5-11. Using the VPN Wizard Configure the Gateway for a Client Tunnel To set up a client-to-gateway VPN tunnel using the VPN Wizard: 1.
  • Page 151 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-9 To display the wizard default settings, click the VPN Wizard Default Values option arrow at the top right of the screen. A popup window appears (see Figure 5-5 on page 5-5), displaying the wizard default values.
  • Page 152 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-3. (IPsec) VPN Wizard Settings for a Client-to-Gateway Tunnel Setting Description (or Subfield and Description) About VPN Wizard This VPN tunnel will connect Select the VPN Client radio button. The default remote FQDN to the following peers: (srx_remote1.com) and the default local FQDN (srx_local1.com) appear in the End Point Information section of the screen.
  • Page 153 Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the VPN firewall: 1. Right-click the VPN client icon in your Windows toolbar, and select Security Policy Editor.
  • Page 154 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 5-11 2. In the upper left of the Policy Editor window, click the New Connection icon (the first icon on the left) to open a new connection. Give the new connection a name; in this example, we are using MainOffice.
  • Page 155 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. Enter the settings as explained in Table 5-4. Table 5-4. Security Policy Editor: Remote Party Settings Setting Description (or Subfield and Description) Connection Security Select the Secure radio button. If you want to connect manually only, select the Only Connect Manually check box.
  • Page 156 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 5. In the left frame, click My Identity. The screen adjusts. Figure 5-13 6. Enter the settings as explained in Table 5-5. Table 5-5. Security Policy Editor: My Identity Settings Setting Description (or Subfield and Description) Select Certificate...
  • Page 157 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 5-5. Security Policy Editor: My Identity Settings (continued) Setting Description (or Subfield and Description) ID Type From the drop-down list, select Domain Name. Then, below, enter the remote FQDN that you entered on the VPN firewall’s VPN Wizard screen (see Figure 5-9 on page 5-9).
  • Page 158: Testing The Connections And Viewing Status Information

    Testing the Connections and Viewing Status Information Both the NETGEAR ProSafe VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 159: Netgear Vpn Client Status And Log Information

    My Connections\UTM_SJ” within 30 seconds. The VPN client icon in the system tray should say On: NETGEAR VPN Client Status and Log Information To view more detailed additional status and troubleshooting information from the NETGEAR VPN client: •...
  • Page 160 • Right-click the VPN client icon in the system tray and select Log Viewer. The Log Viewer screen displays details about the active connection or troubleshooting information that might help you to determine why you cannot get an active connection. Figure 5-17. The VPN client system tray icon provides a variety of status indications, which are listed below.
  • Page 161: Viewing The Vpn Firewall Ipsec Vpn Connection Status

    Viewing the VPN Firewall IPsec VPN Connection Status. To review the status of current IPsec VPN tunnels: Select VPN > Connection Status from the menu. The VPN Connection Status submenu tabs display, with the IPSec VPN Connection Status screen in view.
  • Page 162: Viewing The Vpn Firewall Ipsec Vpn Logs

    Viewing the VPN Firewall IPsec VPN Logs. To view the IPsec VPN logs: Select Monitoring > VPN Logs from the menu. The VPN Logs submenu tabs display, with the IPSec VPN Logs screen in view. Figure 5-19. Click Refresh Log to view the most recent entries.
  • Page 163: Configuring Ike Policies

    Configuring IKE Policies. The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN gateways, and provides automatic management of the keys that are used for IPsec connections. It is important to remember that: •...
  • Page 164 IKE Policies Screen. To access the IKE Policies screen: Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs display, with the IKE Policies screen in view (Figure 5-20 shows some examples).
  • Page 165 To delete one or more IKE policies: 1. Select the check box to the left of the policy that you want to delete, or click the Select All table button to select all IKE policies. 2.
  • Page 166 Figure 5-21. 3. Complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained in Table 5-10 on page 5-25.
  • Page 167 Table 5-10. Add IKE Policy Settings. Mode Config Record. Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see “Mode Config...
  • Page 168 Table 5-10. Add IKE Policy Settings (continued). Local. Select Local Gateway: From the drop-down list, select one of the four WAN interfaces to function as the local gateway.
  • Page 169 Table 5-10. Add IKE Policy Settings (continued). Authentication Algorithm: From the drop-down list, select one of the following two algorithms to use in the VPN header for the authentication process: •...
  • Page 170 Table 5-10. Add IKE Policy Settings (continued). Extended Authentication. XAUTH Configuration: Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information (Note: For more...):...
  • Page 171: Configuring Vpn Policies

    3. Modify the settings that you wish to change (see Table 5-10 on page 5-25). 4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.
  • Page 172 2. Click the VPN Policies submenu tab. The VPN Policies screen displays. (Figure 5-22 shows some examples.) Figure 5-22. Each policy contains the data that are explained in Table 5-11. These fields are explained in more detail in Table 5-12 on page 5-33.
  • Page 173 Table 5-11. List of VPN Policies Information (continued). Auth: The authentication algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint. Encr: The encryption algorithm that is used for the VPN tunnel.
  • Page 174 Figure 5-23
  • Page 175 4. Complete the fields, select the radio buttons and check boxes, and make your selections from the drop-down lists as explained in Table 5-12. Table 5-12. Add VPN Policy Settings. General. Policy Name...
  • Page 176 Table 5-12. Add VPN Policy Settings (continued). Enable Keepalive: Select a radio button to specify if keepalive is enabled: • Yes. This feature is enabled. Periodically, the VPN firewall sends keepalive requests (ping packets) to the remote endpoint to keep the tunnel alive. (Note: See also...)
  • Page 177 Table 5-12. Add VPN Policy Settings (continued). Encryption Algorithm: From the drop-down list, select one of the following five algorithms to negotiate the security association (SA): •... Of the offered algorithms, use AES for any new tunnel: DES has a 56-bit key and 3DES is deprecated, and the remote endpoint must be set to the same algorithm in any case.
  • Page 178 Table 5-12. Add VPN Policy Settings (continued). Auto Policy Parameters. Note: These fields apply only when you select Auto Policy as the policy type. SA Lifetime: The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and must be...
  • Page 179: Configuring Extended Authentication (Xauth)

    To edit a VPN policy: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs display, with the IKE Policies screen in view (see Figure 5-20 on page 5-22).
  • Page 180: Configuring XAUTH for VPN Clients

    Configuring XAUTH for VPN Clients Once XAUTH has been enabled, you must establish user accounts on the User Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy.
  • Page 181: User Database Configuration

    Table 5-13. Extended Authentication Settings (continued) Item Description (or Subfield and Description) Username The user name for XAUTH. Password The password for XAUTH. 4. Click Apply to save your settings. User Database Configuration When XAUTH is enabled in an Edge Device configuration, users must be authenticated either by a local user database account or by an external RADIUS server.
  • Page 182 2. Click the RADIUS Client submenu tab. The RADIUS Client screen displays. Figure 5-24 3. Complete the fields and select the radio buttons as explained in Table 5-14. Table 5-14. RADIUS Client Settings Item Description (or Subfield and Description)
  • Page 183 Table 5-14. RADIUS Client Settings (continued) Item Description (or Subfield and Description) Primary Server NAS Identifier The primary Network Access Server (NAS) identifier that must be present in a RADIUS request. Note: The VPN firewall functions as a NAS, allowing network access to external users after verification of their authentication information.
  • Page 184: Assigning IP Addresses to Remote Users (Mode Config)

    Assigning IP Addresses to Remote Users (Mode Config) To simplify the process of connecting remote VPN clients to the VPN firewall, use the Mode Config feature to assign IP addresses to remote users, including a network access IP address, subnet mask, WINS server, and DNS address from the VPN firewall.
  • Page 185 2. Click the Mode Config submenu tab. The Mode Config screen displays. Figure 5-25 As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales: •...
  • Page 186 Figure 5-26 4. Complete the fields, select the check box, and make your selections from the drop-down lists as explained in Table 5-15. Table 5-15. Add Mode Config Record Settings Item Description (or Subfield and Description) Client Pool Record Name...
  • Page 187 Table 5-15. Add Mode Config Record Settings (continued) Item Description (or Subfield and Description) First Pool Assign at least one range of IP pool addresses in the First Pool fields to enable the VPN firewall to allocate these to remote VPN clients.
  • Page 188 Table 5-15. Add Mode Config Record Settings (continued) Item Description (or Subfield and Description) Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: •...
  • Page 189 Figure 5-27 8. On the Add IKE Policy screen, complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained in Table 5-16 on page 5-48.
  • Page 190 Note: The settings that are explained in Table 5-16 are specifically for a Mode Config configuration. Table 5-10 on page 5-25 explains the general IKE policy settings. Table 5-16. Add IKE Policy Settings for a Mode Config Configuration Item Description (or Subfield and Description) Mode Config Record...
  • Page 191 The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying must occur. The default is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
  • Page 192: Configuring the ProSafe VPN Client for Mode Config Operation

    9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. Configuring the ProSafe VPN Client for Mode Config Operation From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection for Mode Config operation: 1.
  • Page 193 2. In the upper left of the Policy Editor window, click the New Connection icon (the first icon on the left) to open a new connection. Give the new connection a name; in this example, we are using ModeConfigTest.
  • Page 194 Table 5-17. Security Policy Editor: Remote Party, Mode Config Settings (continued) Setting Description (or Subfield and Description) Protocol From the drop-down list, select All. Select the Use check box. Then, from the drop-down list, select Secure Gateway Tunnel.
  • Page 195 5. In the left frame, click My Identity. The screen adjusts. Figure 5-29 6. Enter the settings as explained in Table 5-18. Table 5-18. Security Policy Editor: My Identity, Mode Config Settings Setting Description (or Subfield and Description) Select Certificate...
  • Page 196 Table 5-18. Security Policy Editor: My Identity, Mode Config Settings (continued) Setting Description (or Subfield and Description) ID Type From the drop-down list, select Domain Name. Then, below, enter the remote FQDN that you specified in the VPN firewall’s Mode Config IKE policy.
  • Page 197: Testing the Mode Config Connection

    9. Enter the settings as explained in Table 5-19. Table 5-19. Security Policy Editor: Security Policy, Mode Config Settings Setting Description (or Subfield and Description) Select Phase 1 Negotiation Mode Select the Aggressive Mode radio button. Enable Perfect Forward Secrecy Select the Enable Perfect Forward Secrecy (PFS) check box.
  • Page 198: Configuring Keepalives

    Configuring Keepalives The keepalive feature maintains the IPsec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keepalive feature on a configured VPN policy: 1.
  • Page 199: Configuring Dead Peer Detection

    Table 5-20. Keepalive Settings Item Description (or Subfield and Description) General Enable Keepalive Select a radio button to specify if keepalive is enabled: • Yes. This feature is enabled. Periodically, the VPN firewall sends keepalive requests (ping packets) to the remote endpoint to keep the tunnel alive.
  • Page 200 Figure 5-32 3. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the fields as explained in Table 5-21. Table 5-21. Dead Peer Detection Settings Item Description (or Subfield and Description) IKE SA Parameters...
  • Page 201: Configuring NetBIOS Bridging with IPsec VPN

    Configuring NetBIOS Bridging with IPsec VPN Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic network services such as naming and neighborhood device discovery. Because VPN routers do not normally pass NetBIOS traffic, these network services do not function for hosts on opposite ends of a VPN connection.
  • Page 203: Virtual Private Networking

    Chapter 6 Virtual Private Networking Using SSL Connections The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard Web browser.
  • Page 204: Planning for an SSL VPN

    The SSL capability of the user’s browser provides authentication and encryption, establishing a secure connection to the VPN firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC to allow the remote user to virtually join the corporate network.
  • Page 205 The domain determines the authentication method that is used and the portal layout that is presented, which in turn determines the network resources to which the users are granted access. Because you must assign a portal layout when creating a domain, the domain is created after you have created the portal layout.
  • Page 206: Creating the Portal Layout

    Creating the Portal Layout The Portal Layouts screen that you can access from the SSL VPN menu allows you to create a custom page that remote users see when they log in to the portal. Because the page is completely customizable, it provides an ideal way to communicate remote access instructions, support information, technical contact information, or VPN-related news updates to remote users.
  • Page 207 Figure 6-1 3. Under the List of Layouts table, click the Add table button. The Add Portal Layout screen displays. (Figure 6-2 shows an example.) Figure 6-2
  • Page 208 <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="cache-control" content="must-revalidate"> Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date Web pages, themes, and data being stored in a user’s Web browser cache.
  • Page 209: Configuring Domains, Groups, and Users

    Table 6-1. Add Portal Layout Settings (continued) Item Description (or Subfield and Description) ActiveX web cache cleaner Select this check box to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal.
  • Page 210: Configuring Applications for Port Forwarding

    Configuring Applications for Port Forwarding Port forwarding provides access to specific defined network services. To define these services, you must specify the internal server addresses and port numbers for TCP applications that are intercepted by the port-forwarding client on the user’s PC.
  • Page 211 3. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to.
  • Page 212: Adding a New Host Name

    Adding a New Host Name After you have configured port forwarding by defining the IP addresses of the internal servers and the port number for TCP applications that are available to remote users, you then can also specify host-name-to-IP-address resolution for the network servers as a convenience for users.
  • Page 213: Configuring the Client IP Address Range

    The following are some additional considerations: • So that the virtual (PPP) interface address of a VPN tunnel client does not conflict with addresses on the local network, configure an IP address range that does not directly overlap with addresses on your local network.
  • Page 214 Figure 6-4 3. Select the check box and complete the fields as explained in Table 6-3. Table 6-3. Client IP Address Range Settings Item Description (or Subfield and Description) Client IP Address Range Enable Full Tunnel Support Select this check box to enable full tunnel support.
  • Page 215: Adding Routes for VPN Tunnel Clients

    Table 6-3. Client IP Address Range Settings (continued) Item Description (or Subfield and Description) Secondary DNS Server The IP address of the secondary DNS server that is assigned to the VPN tunnel clients.
  • Page 216: Using Network Resource Objects to Simplify Policies

    IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.
  • Page 217: Editing Network Resources to Specify Addresses

    Figure 6-5 3. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes.
  • Page 218 To edit a resource: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs display, with the Policies screen in view. 2. Click the Resources submenu tab. The Resources screen displays (see Figure 6-5 on page 6-15, which shows some examples).
  • Page 219: Configuring User, Group, and Global Policies

    Table 6-4. Add Resource Addresses Settings (continued) Item Description (or Subfield and Description) Object Type From the drop-down list, select one of the following options: • IP Address. The object is an IP address. You must enter the IP address or the FQDN in the IP Address / Name field.
  • Page 220: Viewing Policies

    For example, a policy that is configured for a single IP address takes precedence over a policy that is configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy that is applied to all IP addresses.
  • Page 221: Adding a Policy

    Figure 6-7 2. Make your selection from the following Query options: • Click Global to view all global policies. • Click Group to view group policies, and choose the relevant group’s name from the drop-down list.
  • Page 222 Figure 6-8 3. Select the radio buttons, complete the fields, and make your selection from the drop-down lists as explained in Table 6-5. Table 6-5. Add SSL VPN Policy Settings Item Description (or Subfield and Description) Policy For Select one of the following radio buttons to specify the type of SSL VPN policy:...
  • Page 223 Table 6-5. Add SSL VPN Policy Settings (continued) Item Description (or Subfield and Description) Add SSL VPN Policies Apply Policy For Select one of the following radio buttons to specify how the policy is applied: •...
  • Page 224 Table 6-5. Add SSL VPN Policy Settings (continued) Item Description (or Subfield and Description) Apply Policy For IP Network Policy Name A descriptive name of the SSL VPN policy for identification and management purposes.
  • Page 225: Accessing the SSL Portal Login Screen

    4. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately. Note: If you have configured SSL VPN user policies, ensure that HTTPS remote management is enabled (see “Configuring Remote Management Access”...
  • Page 226 Figure 6-9 4. Enter a user name and password that are associated with the SSL portal and the domain (see “Configuring VPN Authentication Domains, Groups, and Users” on page 7-1). 5.
  • Page 227: Viewing the SSL VPN Connection Status and SSL VPN Logs

    • Change Password. Allows the user to change their password. • Support. Provides access to the NETGEAR website. Viewing the SSL VPN Connection Status and SSL VPN Logs To review the status of current SSL VPN tunnels: 1. Select VPN > Connection Status from the menu. The Connection Status submenu tabs display, with the IPSec VPN Connection Status screen in view.
  • Page 228 To view the SSL VPN Logs: 1. Select Monitoring > VPN Logs from the menu. The VPN Logs submenu tabs display, with the IPSec VPN Logs screen in view. 2. Click the SSL VPN Logs submenu tab. The SSL VPN Logs screen displays. Figure 6-12
  • Page 229: Managing Users, Authentication, and Certificates

    Chapter 7 Managing Users, Authentication, and Certificates This chapter describes how to manage users, authentication, and security certificates for IPsec VPN and SSL VPN. This chapter contains the following sections: • “Configuring VPN Authentication Domains, Groups, and Users” on this page •...
  • Page 230: Configuring Domains

    Configuring Domains The domain determines the authentication method to be used for associated users. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access.
  • Page 231 Table 7-1. Authentication Protocols and Methods (continued) Authentication Protocol or Method Description (or Subfield and Description) LDAP A network-validated domain-based authentication method that functions with a Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard for querying and updating a directory.
  • Page 232 2. Under the List of Domains table, click the Add table button. The Add Domain screen displays. Figure 7-2 3. Enter the settings as explained in Table 7-2. Table 7-2. Add Domain Settings Setting Description (or Subfield and Description) Domain Name...
  • Page 233 Table 7-2. Add Domain Settings (continued) Setting Description (or Subfield and Description) Authentication Type (continued) • WIKID-CHAP. WiKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields. • MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP.
  • Page 234: Configuring Groups for VPN Policies

    6. If you change local authentication, click Apply in the Domain screen to save your settings. To delete one or more domains: 1. In the List of Domains table, select the check box to the left of the domain that you want to delete, or click the Select All table button to select all domains.
  • Page 235 Figure 7-3 The List of Groups table displays the VPN groups with the following fields: • Check box. Allows you to select the group in the table. • Name. The name of the group. If the group name is appended by an asterisk, the group was created by default when you created the domain with the identical name as the default group.
  • Page 236 3. Click the Add table button. The new group is added to the List of Groups table. To delete one or more groups: 1. In the List of Groups table, select the check box to the left of the group that you want to delete, or click the Select All table button to select all groups.
  • Page 237: Configuring User Accounts

    SSL VPN User. A user who can only log in to the SSL VPN portal. • IPSEC VPN User. A user who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see “Configuring...
  • Page 238 • SSL VPN User. User who can only log in to the SSL VPN portal. • IPSEC VPN User. User who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see “Configuring Extended Authentication (XAUTH)”...
  • Page 239: Setting User Login Policies

    Table 7-4. Add User Settings (continued) Setting Description (or Subfield and Description) Select Group The drop-down list shows the groups that are listed on the Group screen. From the drop-down list, select the group to which the user is assigned. For information about how to configure groups, see “Configuring Groups for VPN Policies”...
  • Page 240 Figure 7-7 3. In the User Login Policies section of the screen, make the following selections: • To prohibit this user from logging in to the VPN firewall, select the Disable Login check box.
  • Page 241 Figure 7-8 4. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
  • Page 242 7. Click the Add table button. The address is added to the Defined Addresses table. 8. Repeat step 6 and step 7 for any other addresses that you want to add to the Defined Addresses table.
  • Page 243: Changing Passwords and Other User Settings

    4. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table.
  • Page 244 • SSL VPN User. User who can only log in to the SSL VPN portal. • IPSEC VPN User. User who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see “Configuring Extended Authentication (XAUTH)”...
  • Page 245: Managing Digital Certificates

    Table 7-6. Edit User Settings (continued) Setting Description (or Subfield and Description) Idle Timeout The period after which an idle user is automatically logged out of the Web Management Interface. The default idle timeout period is 10 minutes. 4.
  • Page 246: Understanding the Certificates Screen

    The VPN firewall contains a self-signed digital certificate from NETGEAR. This certificate can be downloaded from the VPN firewall login screen for browser import. However, NETGEAR recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA prior to deploying the VPN firewall in your network.
  • Page 247: Managing CA Certificates

    • Certificate Revocation Lists (CRL) table. Contains the lists with digital certificates that have been revoked and are no longer valid, that were issued by CAs, and that you uploaded. Note, however, that the table displays only the active CAs and their critical release date (see “Managing the Certificate Revocation List”...
  • Page 248: Managing Self Certificates

    3. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificate) table.
  • Page 249 Generating a CSR and Obtaining a Self Certificate from a CA To use a self certificate, you must first request the digital certificate from a CA, and then download and activate the digital certificate on the VPN firewall. To request a self certificate from a CA, you must generate a Certificate Signing Request (CSR) for and on the VPN firewall.
  • Page 250 2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in Table 7-7. Table 7-7. Generate Self Certificate Request Settings Setting Description (or Subfield and Description) Name A descriptive name of the domain for identification and management purposes.
  • Page 251 Figure 7-14 5. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----.”...
  • Page 252: Managing the Certificate Revocation List

    11. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Active Self Certificates table.
  • Page 253 To view the currently loaded CRLs and upload a new CRL: 1. Select VPN > Certificates from the menu. The Certificates screen displays. Figure 7-15 shows the bottom section of the screen with the Certificate Revocation Lists (CRL) table. There is one example in the table.
  • Page 255: Network and System Management

    Chapter 8 Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall. This chapter contains the following sections: • “Performance Management” on this page •...
  • Page 256: Features That Reduce Traffic

    As a result, and depending on the traffic that is being carried, the WAN side of the VPN firewall is the limiting factor to throughput for most installations. Using four WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but there is no backup in case one of the WAN ports fails.
  • Page 257 When you define outbound firewall rules, you can further refine their application according to the following criteria: • Services. You can specify the services or applications to be covered by an outbound rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Services-Based Rules”...
  • Page 258: Features That Increase Traffic

    Content Filtering If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s content filtering feature. By default, this feature is disabled; all requested traffic from any website is allowed.
  • Page 259 Warning: This feature is for advanced administrators only! Incorrect configuration might cause serious problems. Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always •...
  • Page 260 • WAN users. You can specify which Internet locations are covered by an inbound rule, based on their IP address: – Any. The rule applies to all Internet IP addresses. –...
  • Page 261: Using QoS and Bandwidth Assignment to Shift the Traffic Mix

    For information about how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 3-20. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules”...
  • Page 262: Monitoring Tools for Traffic Management

    The default administrator and default guest passwords for the Web Management Interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.
  • Page 263 Figure 8-1 2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit User screen displays. Figure 8-2 3.
  • Page 264: Configuring Remote Management Access

    Web Management Interface is accessible to anyone who knows its IP address and default password. Because a malicious WAN user can reconfigure the VPN firewall and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see “Changing Passwords and Administrator Settings”...
  • Page 265 To configure the VPN firewall for remote management: 1. Select Administration > Remote Management from the menu. The Remote Management screen displays. Figure 8-3 2. Enter the settings as explained in Table 8-1 on page 8-9.
  • Page 266 Table 8-1. Remote Management Settings Setting Description (or Subfield and Description) Secure HTTP Management Allow Secure HTTP Management? Select the Yes radio button to enable HTTPS remote management (which is the default setting) and specify the IP address settings and port number settings.
  • Page 267 Note: For enhanced security, and if practical, restrict remote management access to a single IP address or a small range of IP addresses. Note: To maintain security, the VPN firewall rejects a login that uses http://address rather than the SSL https://address.
  • Page 268: Using the Command-Line Interface

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Using the Command-Line Interface You can access the command-line interface (CLI) using the console port on the rear panel of the VPN firewall (see “Rear Panel” on page 1-9). To access the CLI from a communications terminal when the VPN firewall is still set to its factory defaults (or use your own settings if you have changed them): 1.
  • Page 269 Figure 8-4. 2. In the Create New SNMP Configuration Entry section of the screen, enter the settings as explained in Table 8-2. Table 8-2. SNMP Settings. Setting / Description (or Subfield and Description). IP Address: The IP address of the SNMP management station that is allowed to receive the VPN firewall’s SNMP traps.
  • Page 270 To delete one or more SNMP configuration entries: 1. In the SNMP Configuration table on the SNMP screen, select the check box to the left of the entry that you want to delete, or click the Select All table button to select all entries. 2.
  • Page 271: Managing The Configuration File

    Managing the Configuration File The configuration settings of the VPN firewall are stored in a configuration file on the VPN firewall. This file can be saved (backed up) to a PC, retrieved (restored) from the PC, or cleared to factory default settings.
  • Page 272 Backing Up Settings The backup feature saves all VPN firewall settings to a file. These settings include the IP addresses, subnet masks, gateway addresses, and so on. Back up your VPN firewall settings periodically, and store the backup file in a safe place. Tip: You can use a backup file to export all settings to another VPN firewall that has the same language and management software versions.
  • Page 273 3. After you have selected the file, click the Restore button. A warning message might appear, and you might have to confirm that you want to restore the configuration. The VPN firewall reboots. An alert message appears indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.
  • Page 274 To download a firmware version and upgrade the VPN firewall: 1. Go to the NETGEAR website at http://www.netgear.com/support: a. In the Product Support & Downloads field in the middle of the screen, where it says “Enter model number”, enter and then select SRX5308.
  • Page 275: Configuring Date And Time Service

    Configuring Date and Time Service Configure date, time, and NTP server designations on the Time Zone screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers.
  • Page 276 Note: If you select this option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://ntp.isc.org/bin/view/Servers/WebHome. Server 1 Name / IP Address: Enter the IP address or host name of the primary NTP server.
  • Page 277: Enabling The Wan Traffic Meter

    Chapter 9 Monitoring System Access and Performance This chapter describes the system monitoring features of the VPN firewall. You can be alerted to important events such as changes in WAN port status, WAN traffic limits reached, hacker probes and login attempts, dropped packets, and more. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more.
  • Page 278 Figure 9-1. 2. Enter the settings for the WAN1 port as explained in Table 9-1 on page 9-3.
  • Page 279 Table 9-1. WAN Traffic Meter Settings. Setting / Description (or Subfield and Description). Enable Traffic Meter: Do you want to enable Traffic Metering? Select one of the following radio buttons to configure traffic metering: •
  • Page 280 Table 9-1. WAN Traffic Meter Settings (continued). Setting / Description (or Subfield and Description). When Limit is reached: Block Traffic. Select one of the following radio buttons to specify what action the VPN firewall performs when the traffic limit has been reached: •
  • Page 281: Activating Notification Of Events, Alerts, And Syslogs

    The incoming and outgoing volume of traffic for each protocol and the total volume of traffic are displayed. Traffic counters are updated in MBs; the counter starts only when the traffic passed is at least 1 MB.
  • Page 282 Figure 9-3.
  • Page 283 2. Enter the settings as explained in Table 9-2. Table 9-2. E-mail and Syslog Settings. Setting / Description (or Subfield and Description). Log Options: Log Identifier. Enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages.
  • Page 284 Table 9-2. E-mail and Syslog Settings (continued). Setting / Description (or Subfield and Description). Enable E-Mail Logs: Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to send logs to an email address.
  • Page 285: Viewing Status And Log Screens

    • LOG INFO. Informational messages. • LOG DEBUG. Debug-level messages. 3. Click Apply to save your settings. Note: Enabling logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. Viewing Status and Log Screens...
  • Page 286: Viewing The System (Router) Status And Statistics

    Description (or Subfield and Description) System Info System Name The NETGEAR product name. Firmware Version (Primary) The current software version that the VPN firewall is using. Firmware Version (Secondary) The secondary software version. This version is for display only. (In the current release, you cannot configure this version.)
  • Page 287 Figure 9-4. Viewing the Detailed Status Screen To view the Detailed Status screen: 1. Select Monitoring > Router Status. The Status tabs display, with the Router Status screen in view (see Figure 9-4).
  • Page 288 Figure 9-5. Table 9-4 on page 9-13 explains the fields of the Detailed Status screen.
  • Page 289 Table 9-4. Detailed Status Screen Fields. Setting / Description (or Subfield and Description). LAN Port Configuration: The following fields are shown for each of the four LAN ports. VLAN Profile: The name of the VLAN profile that you assigned to this port on the LAN Setup screen (see “Assigning and Managing VLAN Profiles”...
  • Page 290 Table 9-4. Detailed Status Screen Fields (continued). Setting / Description (or Subfield and Description). Connection Type: The connection type can be “Static IP,” “DHCP,” “PPPoE,” or “PPTP,” depending on how the WAN address is obtained: assigned statically by you, or obtained dynamically through a DHCP server, a PPPoE session, or a PPTP session.
  • Page 291 Viewing the Router Statistics Screen To view the Router Statistics screen: 1. Select Monitoring > Router Status. The Status tabs display, with the Router Status screen in view (see Figure 9-4 on page 9-11).
  • Page 292: Viewing The Vlan Status

    Table 9-5. Router Statistics Screen Fields (continued). Setting / Description (or Subfield and Description). Rx B/s: The number of received bytes per second on the port. Up Time: The period that the port has been active since it was restarted. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval.
  • Page 293: Viewing And Disconnecting Active Users

    Table 9-6 explains the fields of the VLAN Status screen. Table 9-6. VLAN Status Screen Fields. Setting / Description (or Subfield and Description). Profile Name: The unique name for the VLAN that you have assigned on the Add VLAN Profile screen (see “Configuring a VLAN Profile”...
  • Page 294: Viewing The Vpn Tunnel Connection Status

    The active user’s user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. To disconnect an active user, click the Disconnect table button to the right of the user’s table entry. Viewing the VPN Tunnel Connection Status To view the status of current IPsec VPN tunnels: Select VPN >...
  • Page 295: Viewing The Vpn Logs

    Table 9-7. IPsec VPN Connection Status Information (continued). Item / Description (or Subfield and Description). State: The current status of the SA. Phase 1 is the IKE phase, in which the peers authenticate each other and establish the protected IKE SA; Phase 2 is the phase in which the IPsec SAs and their keys are negotiated over that channel.
  • Page 296 Figure 9-11. To view the SSL VPN log: 1. Select Monitoring > VPN Logs from the menu. The VPN Logs submenu tabs display, with the IPSec VPN Logs screen in view. 2.
  • Page 297: Viewing The Port Triggering Status

    Viewing the Port Triggering Status To view the status of the port triggering feature: 1. Select Security > Port Triggering from the menu. The Port Triggering screen displays (see Figure 4-29 on page 4-50).
  • Page 298 2. Click the Status button in the Action column of the WAN interface for which you want to view the connection status. The Connection Status screen appears in a popup window. Figure 9-14. The Connection Status screen displays the information that is described in Table...
  • Page 299: Viewing The Attached Devices And Dhcp Log

    Depending on the type of connection, any of the following buttons might be displayed on the Connection Status screen: • Renew. Click to renew the DHCP lease. • Release. Click to disconnect the DHCP connection. •
  • Page 300 The Known PCs and Devices table contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall, or have been discovered by other means.
  • Page 301: Using The Diagnostics Utilities

    Figure 9-16. Using the Diagnostics Utilities From the Diagnostics screen you can perform diagnostics that are discussed in the following sections: • “Sending a Ping Packet or Tracing a Route” on page 9-26.
  • Page 302: Sending A Ping Packet Or Tracing A Route

    To view the Diagnostics screen, select Monitoring > Diagnostics from the menu. The Diagnostics screen displays. Figure 9-17. Sending a Ping Packet or Tracing a Route Use the ping utility to perform one of the following diagnostic actions: •
  • Page 303: Looking Up A Dns Address

    Monitoring > Diagnostics from the menu to return to the Diagnostics screen. Looking Up a DNS Address A DNS (Domain Name Server) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.
  • Page 304: Displaying The Routing Table

    Displaying the Routing Table Displaying the internal routing table can assist NETGEAR Technical Support in diagnosing routing problems. To display the routing table, in the Router Options section on the Diagnostics screen, next to Display the Routing Table, click the Display button.
  • Page 305 5. Click the Download button. Select a location to save the captured traffic flow. (The default file name is pkt.CAP.) The file is downloaded to the location that you specify. 6. Send the file to NETGEAR Technical Support for analysis. Note that the capture holds the full packets that crossed the firewall, including any cleartext payloads and credentials, so review its contents before sending it outside your organization.
  • Page 307: Troubleshooting And Using Online Support

    The date or time is not correct. Go to “Problems with Date and Time” on page 10-10. • I need help from NETGEAR. Go to “Accessing the Knowledge Base and Documentation” on page 10-10. Note: The VPN firewall’s diagnostic tools are explained in “Using the Diagnostics...
  • Page 308: Basic Functioning

    192.168.1.1. This procedure is explained in “Restoring the Default Configuration and Password” on page 10-8. If the error persists, you might have a hardware problem and should contact NETGEAR Technical Support.
  • Page 309: Lan Or Wan Port Leds Not On

    LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the VPN firewall and at the hub, router, or workstation.
  • Page 310: When You Enter A Url Or Ip Address A Time-Out Error Occurs

    Tip: If you do not want to revert to the factory default settings and lose your configuration settings, you can reboot the VPN firewall and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the VPN firewall’s LAN interface address.
  • Page 311: Troubleshooting The Isp Connection

    Web Management Interface. To check the WAN IP address for a WAN interface: 1. Launch your browser and navigate to an external site such as www.netgear.com. 2. Access the Web Management Interface of the VPN firewall’s configuration at https://192.168.1.1.
  • Page 312: Troubleshooting A Tcp/Ip Network Using The Ping Utility

    A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP provides the addresses of one or two DNS servers for your use. You can configure your PC manually with DNS addresses, as explained in your operating system documentation.
  • Page 313: Testing The Lan Path To Your Vpn Firewall

    Testing the LAN Path to Your VPN Firewall You can ping the VPN firewall from your PC to verify that the LAN path to the VPN firewall is set up correctly. To ping the VPN firewall from a PC running Windows 95 or later: 1.
  • Page 314: Restoring The Default Configuration And Password

    If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies: • Check that your PC has the IP address of your VPN firewall listed as the default gateway. If the IP configuration of your PC is assigned by DHCP, this information is not visible in your PC’s Network Control Panel.
  • Page 315 Figure 10-1. The VPN firewall reboots. During the reboot process, the Settings Backup & Firmware Upgrade screen might remain visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off.
  • Page 316: Problems With Date And Time

    Savings Time check box. Accessing the Knowledge Base and Documentation To access NETGEAR’s Knowledgebase for the VPN firewall, select Web Support > Knowledgebase from the menu. To access NETGEAR’s documentation library for the VPN firewall, select Web Support > Documentation from the menu.
  • Page 317 Appendix A Default Settings and Technical Specifications You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see “Reverting to Factory Default Settings” on page 8-19).
  • Page 318 Table A-1. VPN Firewall Default Configuration Settings (continued). Feature / Default Behavior (continued). RIP authentication: Disabled. DHCP server: Enabled. DHCP starting IP address: 192.168.1.2. DHCP ending IP address: 192.168.1.100. Management: Time zone; Time zone adjusted for daylight savings time: Disabled. SNMP...
  • Page 319 Table A-2. VPN Firewall Physical and Technical Specifications (continued). Feature / Specification. Environmental Specifications: Operating temperatures 0° to 45° C (32° to 113° F); Storage temperatures –20° to 70° C (–4° to 158° F); Operating humidity 90% maximum relative humidity, noncondensing; Storage humidity 95% maximum relative humidity, noncondensing...
  • Page 320 Table A-4 shows the SSL VPN specifications for the VPN firewall. Table A-4. VPN Firewall SSL VPN Specifications. Setting / Specification. Network Management: Web-based configuration and status monitoring. Number of concurrent users supported. SSL versions: SSLv3, TLS1.0 (both have since been deprecated, by RFC 7568 and RFC 8996 respectively; where the firmware allows it, prefer clients and settings that negotiate TLS 1.2 or later). SSL encryption algorithm...
  • Page 321: Network Planning For Multiple Wan Ports

    Appendix B Network Planning for Multiple WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections: • “What to Consider Before You Begin”...
  • Page 322 The VPN firewall is capable of being managed remotely, but this feature must be enabled locally after each factory default reset. NETGEAR strongly advises you to change the default management password to a strong password before enabling remote management. Network Planning for Multiple WAN Ports...
  • Page 323: Cabling And Computer Hardware Requirements

    • You can choose a variety of WAN options if the factory default settings are not suitable for your installation. These options include enabling a WAN port to respond to a ping, and setting MTU size, port speed, and upload bandwidth.
  • Page 324 • ISP Domain Name Server (DNS) addresses • One or more fixed IP addresses (also known as static IP addresses) Where Do I Get the Internet Configuration Information? There are several ways you can gather the required Internet connection information. •
  • Page 325: Overview Of The Planning Process

    Gateway IP Address: ______.______.______.______ Subnet Mask: ______.______.______.______ • ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address: ______.______.______.______ Secondary DNS Server IP Address: ______.______.______.______ •
  • Page 326 These various types of traffic and auto-rollover or load balancing all interact to make the planning process more challenging: • Inbound traffic. Unrequested incoming traffic can be directed to a PC on your LAN rather than being discarded.
  • Page 327: Inbound Traffic To A Single Wan Port System

    • Dual WAN ports in load balancing mode. Load balancing for a VPN firewall with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address. Each IP address is either fixed or dynamic based on the ISP: You must use FQDNs when the IP address is dynamic, but FQDNs are optional when the IP address is static.
  • Page 328: Inbound Traffic To A Dual Wan Port System

    In the single WAN case, the WAN’s Internet address is either a fixed IP address or an FQDN if the IP address is dynamic. Figure B-4. Inbound Traffic to a Dual WAN Port System The IP address range of the VPN firewall’s WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
  • Page 329: Virtual Private Networks

    Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic. Figure B-6. Virtual Private Networks When implementing virtual private network (VPN) tunnels, you must use a mechanism for...
  • Page 330 For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations.
  • Page 331: Vpn Road Warrior (Client-To-Gateway

    VPN Road Warrior (Client-to-Gateway) The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall such as this VPN firewall: •
  • Page 332 Figure B-10. The IP addresses of the WAN ports can be either fixed or dynamic, but you must always use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance).
  • Page 333: Vpn Gateway-To-Gateway

    VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing In a dual WAN port load balancing gateway configuration, the remote PC initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the active WAN port is not known in advance.
  • Page 334 Figure B-13. The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability In a configuration with two dual WAN port VPN gateways that function in auto-rollover mode, either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate...
  • Page 335 After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in Figure B-15), and one of the gateways must reestablish the VPN tunnel.
  • Page 336: Vpn Telecommuter (Client-To-Gateway Through A Nat Router

    VPN Telecommuter (Client-to-Gateway through a NAT Router) Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router. The following situations exemplify the requirements for a remote PC client connected to the Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway VPN firewall such as this VPN firewall at the company office: •
  • Page 337 VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability In a dual WAN port auto-rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in Figure B-18) because the IP address of the remote NAT router is not known in advance.
  • Page 338 The purpose of the FQDN is to toggle the domain name of the gateway between the IP addresses of the active WAN port (that is, WAN1 or WAN2) so that the remote PC client can determine the gateway IP address to establish or reestablish a VPN tunnel.
  • Page 339: System Logs And Error Messages

    Appendix C System Logs and Error Messages This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided. This appendix contains the following sections: • “System Log Messages” on page C-2. • “Routing Logs”...
  • Page 340: System Log Messages

    Table C-2. System Logs: NTP Message Nov 28 12:31:13 [SRX5308] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [SRX5308] [ntpdate] Requesting time from time-f.netgear.com Nov 28 12:31:14 [SRX5308] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec Nov 28 12:31:14 [SRX5308] [ntpdate] Synchronized time with time-f.netgear.com...
  • Page 341: Login/Logout

    Login/Logout This section describes logs generated by the administrative interfaces of the device. Table C-3. System Logs: Login/Logout. Message: Nov 28 14:45:42 [SRX5308] [login] Login succeeded: user admin from 192.168.10.10 Explanation: Login of user admin from host with IP address 192.168.10.10.
  • Page 342: Firewall Restart

    Firewall Restart This section describes logs that are generated when the VPN firewall restarts. Table C-6. System Logs: Firewall Restart. Message: Jan 23 16:20:44 [SRX5308] [wand] [FW] Firewall Restarted Explanation: Log generated when the VPN firewall is restarted.
  • Page 343: Wan Status

    Table C-9. System Logs: Unicast, Redirect (continued). Recommended Action: To enable these logs, from the CLI command prompt of the router, enter this command: monitor/firewallLogs/logger/loggerConfig logIcmpRedirect 1 And to disable it, enter: monitor/firewallLogs/logger/loggerConfig logIcmpRedirect 0 Multicast/Broadcast Logs Table C-10.
  • Page 344 Table C-11. System Logs: WAN Status, Load Balancing (continued). Explanation: Message 1 and Message 2 indicate that both WANs are restarted. Message 3: This message shows that both WANs are up and the traffic is balanced between the two WAN interfaces.
  • Page 345 System Logs: WAN Status, Auto-Rollover (continued). Explanation: The logs suggest that the failover was detected after 5 attempts instead of 3. However, the reason that the messages appear in the log is the WAN state transition logic, which is part of the failover algorithm.
  • Page 346 Table C-12. System Logs: WAN Status, PPPoE Idle Timeout (continued). Explanation: Message 1: PPPoE connection started. Message 2: Message from PPPoE server for correct login. Message 3: Authentication for PPP succeeded. Message 4: Local IP address assigned by the server.
  • Page 347: Resolved Dns Names

    • PPP Authentication Logs Table C-14. System Logs: WAN Status, PPP Authentication. Message: Nov 29 11:29:26 [SRX5308] [pppd] Starting link Nov 29 11:29:29 [SRX5308] [pppd] Remote message: Login incorrect Nov 29 11:29:29 [SRX5308] [pppd] PAP authentication failed Nov 29 11:29:29 [SRX5308] [pppd] Connection terminated.WAN2(DOWN)_ Explanation...
  • Page 348 Table C-16. System Logs: IPsec VPN Tunnel, Tunnel Establishment. Messages 1 through 5: 2000 Jan 1 04:01:39 [SRX5308] [wand] [IPSEC] IPSEC Restarted 2000 Jan 1 04:02:09 [SRX5308] [wand] [FW] Firewall Restarted 2000 Jan 1 04:02:29 [SRX5308] [IKE] IKE stopped_ 2000 Jan 1 04:02:31 [SRX5308] [IKE] IKE started_ 2000 Jan 1 04:02:31 [SRX5308] [wand] [IPSEC] IPSEC Restarted...
  • Page 349 Table C-16. System Logs: IPsec VPN Tunnel, Tunnel Establishment (continued). Explanation: Messages 1–5: IPsec, IKE, and VPN firewall restart. Messages 6–7: IPsec and IKE configurations are added with the identifier “pol1.” Messages 8–19: New phase 1 negotiation starts by determining the configuration for the WAN host.
  • Page 350 Table C-18. System Logs: IPsec VPN Tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN Tunnel Not Reestablished. Message: 2000 Jan 1 04:52:33 [SRX5308] [IKE] Using IPsec SA configuration: 192.168.11.0/24<->192.168.10.0/24_ 2000 Jan 1 04:52:33 [SRX5308] [IKE] Configuration found for 20.0.0.1._ 2000 Jan 1 04:52:59 [SRX5308] [IKE] Phase 1 negotiation failed due to time up for...
  • Page 351 Table C-20. System Logs: IPsec VPN Tunnel, Dead Peer Detection and Keepalive (Default 30 sec), VPN Tunnel Torn Down. Message 1: 2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to peer 192.168.10.2 failed 3 consecutive times and 5 times cumulative_ Message 2: 2000 Jan 1 06:01:19 [SRX5308] [IKE] DPD R-U-THERE sent to...
  • Page 352 Table C-21. System Logs: IPsec VPN Tunnel, Client Policy, Tunnel Establishment. Messages 1 and 2: 2000 Jan 1 02:17:05 [SRX5308] [IKE] Adding IKE configuration with identifier "clientpol1"_ 2000 Jan 1 02:17:05 [SRX5308] [IKE] Adding IPSec configuration with identifier "clientpol1"_ Message 3: 2000 Jan 1 02:23:53 [SRX5308] [IKE] Remote configuration for identifier...
  • Page 353 Table C-21. System Logs: IPsec VPN Tunnel, Client Policy, Tunnel Establishment (continued). Explanation: Messages 1–2: IPsec and IKE configurations are added with the identifier “clientpol1.” Message 3: The remote configuration is found by an identifier instead of by an IP address.
  • Page 354 Table C-23. System Logs: IPsec VPN Tunnel, Client Policy Behind a NAT Device. 2000 Jan 1 01:54:21 [SRX5308] [IKE] Floating ports for NAT-T with peer 20.0.0.1[4500]_ 2000 Jan 1 01:54:21 [SRX5308] [IKE] NAT-D payload matches for 20.0.0.2[4500]_ Message 3: 2000 Jan 1 01:54:21 [SRX5308] [IKE] NAT-D payload does not match for...
  • Page 355: Traffic Meter Logs

    Table C-25. System Logs: VPN Log Messages, Port Forwarding, WAN Host and Interface. Message: 2000 Jan 1 01:30:08 [SRX5308] [portforwarding] id=SRX5308 time="2000-1-1 1:30: 8" fw=20.0.0.2 pri=6 rule=access-policy proto="Port Forwarding" src=20.0.0.1 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd=""...
  • Page 356: Routing Logs

    Routing Logs This section explains the logging messages for the various network segments (such as LAN to WAN) for debugging purposes. These logs might generate a significant volume of messages. LAN to WAN Logs Table C-28.
  • Page 357: Wan To Lan Logs

    WAN to LAN Logs Table C-31. Routing Logs: WAN to LAN Message Nov 29 10:05:15 [SRX5308] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from WAN to LAN has been allowed by the firewall. •...
  • Page 358: Other Event Logs

    Other Event Logs This section describes the log messages generated by other events such as source MAC filtering, session limiting, and bandwidth limiting. For information about how to select these logs, see “Activating Notification of Events, Alerts, and Syslogs”...
  • Page 359: Dhcp Logs

    Table C-37. Other Event Logs: Bandwidth Limit, Inbound Bandwidth Profile Message 2000 Jan 1 00:08:21 [SRX5308] [kernel] [BW_LIMIT_DROP] IN=LAN OUT=WAN SRC=22.0.0.2 DST=192.168.100.2 PROTO=ICMP TYPE=112 CODE=113 TC_INDEX=10 CLASSID=10:2 Explanation This log is generated when an inbound packet is dropped because the packet size exceeds the specified bandwidth limit.
  • Page 361: Two-Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. As part of the new maintenance firmware release, NETGEAR has...
  • Page 362: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented two Two-Factor Authentication solutions from WiKID. WiKID is a software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
  • Page 363 The request-response architecture is capable of self-service initialization by end users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works. 1. The user launches the WiKID token software, enters the PIN that has been given to him or her (something he or she knows), and then presses Continue to receive the OTP from the WiKID authentication server.
  • Page 364 Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and must be used before the expiration time. If a user does not use this passcode before it is expired, the user must go through the request process again to generate a new OTP.
  • Page 365: Appendix E Related Documents

    Appendix E Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document Link TCP/IP Networking Basics http://documentation.netgear.com/reference/enu/tcpip/index.htm Wireless Networking Basics http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing Your Network http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...
  • Page 367 Directive 2004/108/EC and Low Voltage Directive 2006/95/EC. Compliance is verified by testing to the following standards: EN55022, EN55024, and EN60950-1. For the EU Declaration of Conformity, please visit: http://kb.netgear.com/app/answers/detail/a_id/11621/sno/0 Manufacturer's/Importer's Confirmation: It is hereby confirmed that the ProSafe Gigabit Quad WAN SSL VPN Firewall is suppressed against radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992.
  • Page 368 Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
  • Page 369 OpenSSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 370 Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.