NETGEAR SRX5308 Reference Manual

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Reference Manual

350 East Plumeria Drive
San Jose, CA 95134
USA
November 22, 2011
202-10536-03
1.0

Summary of Contents for NETGEAR SRX5308

  • Page 1 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual. 350 East Plumeria Drive, San Jose, CA 95134. November 22, 2011. 202-10536-03...
  • Page 2: Technical Support

    NETGEAR, Inc. Technical Support Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.
  • Page 3: Table Of Contents

    Chapter 1 Introduction: What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? (page 9); Key Features and Capabilities (page 10); Quad-WAN Ports for Increased Reliability and Outbound Load Balancing...
  • Page 4 Configure Advanced WAN Options (page 51); Additional WAN-Related Configuration Tasks...
  • Page 5 Test the Connection and View Connection and Status Information (page 156); Test the NETGEAR VPN Client Connection (page 156); NETGEAR VPN Client Status and Log Information...
  • Page 6 Edit Network Resources to Specify Addresses (page 211); Configure User, Group, and Global Policies (page 212); View Policies...
  • Page 7 View the WAN Port Connection Status (page 287); View the Attached Devices and DHCP Log (page 289); Use the Diagnostics Utilities...
  • Page 8 What Is Two-Factor Authentication? (page 344); NETGEAR Two-Factor Authentication Solutions (page 344)...
  • Page 9: Chapter 1 Introduction

    What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through up to four external broadband access devices such as cable modems or DSL modems.
  • Page 10: Key Features And Capabilities

    Advanced IPSec VPN and SSL VPN support, with up to 125 concurrent IPSec VPN tunnels and up to 50 concurrent SSL VPN tunnels. • Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L). •...
  • Page 11: Advanced Vpn Support For Both Ipsec And Ssl

    VPN client software on the remote computer. IPSec VPN with broad protocol support for secure connection to other IPSec gateways and clients. Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L). Supports 125 concurrent IPSec VPN tunnels.
  • Page 12: Security Features

    log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your email address or email pager when a significant event occurs. Security Features The VPN firewall is equipped with several features designed to maintain security: •...
  • Page 13: Easy Installation And Management

    ISP account. • IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 14: Maintenance And Support

    Maintenance and Support NETGEAR offers the following features to help you maximize your use of the VPN firewall: • Flash memory for firmware upgrades. • Technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR website at http://support.netgear.com/app/answers/detail/a_id/212.
  • Page 15 The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in the following table.
  • Page 16: Rear Panel

    Table 1. LED descriptions (continued). DMZ LED, on (green): port 4 is operating as a dedicated hardware DMZ port. DMZ LED, off: port 4 is operating as a normal LAN port. WAN Ports...
  • Page 17: Bottom Panel With Product Label

    Factory Defaults Reset button. Using a sharp object, press and hold this button for about 8 seconds until the front panel Test LED flashes to reset the VPN firewall to factory default settings.
  • Page 18: Use The Rack-Mounting Kit

    • Airflow around the unit and through the vents in the side of the case is not restricted. Provide a minimum of 25 mm or 1 inch clearance. • The air is as free of dust as possible.
  • Page 19: Chapter 2 Connecting The Vpn Firewall To The Internet

    Connect the VPN firewall physically to your network. Connect the cables and restart your network according to the instructions in the installation guide. See the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://support.netgear.com/app/products/model/a_id/13568.
  • Page 20: Qualified Web Browsers

    To connect and log in to the VPN firewall: Start any of the qualified web browsers, as explained in Qualified Web Browsers on page 20. Enter https://192.168.1.1 in the address field. The NETGEAR Configuration Manager Login screen displays in the browser.
  • Page 21 Note: The VPN firewall factory default IP address is 192.168.1.1. If you change the IP address, you need to use the IP address that you assigned to the VPN firewall to log in to the VPN firewall.
  • Page 22 Figure 6. Note: After 10 minutes of inactivity (the default login time-out), you are automatically logged out.
  • Page 23: Web Management Interface Menu Layout

    Web Management Interface Menu Layout The following figure shows the menu at the top of the web management interface (Figure 7): 1st level, main navigation menu link (orange); 2nd level, configuration menu link (gray); 3rd level, submenu tab (blue); option arrow, additional screen for a submenu item.
  • Page 24: Configure The Internet Connections

    • Auto Detect. Enable the VPN firewall to detect the configuration automatically and suggest values for the configuration. • Next. Go to the next screen (for wizards). • Back. Go to the previous screen (for wizards).
  • Page 25: Automatically Detecting And Connecting

    Automatically Detecting and Connecting. To automatically configure the WAN ports for connection to the Internet: Select Network Configuration > WAN Settings. The WAN screen displays (Figure 10). The WAN Settings table displays the following fields: •...
  • Page 26 Figure 11. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
  • Page 27 Table 2. Internet connection methods and the manual data input each requires: DHCP (Dynamic IP): no data is required. PPPoE: Login, Password, Account Name, Domain Name. PPTP: Login, Password, Account Name, My IP Address, and Server IP Address.
  • Page 28: Set The Vpn Firewall's Mac Address

    Note: For more information about the WAN Connection Status screen, see View the WAN Port Connection Status on page 287. Repeat step 3 and step 4 for the other WAN interfaces that you want to configure.
  • Page 29 In the ISP Login section, select one of the following options: • If your ISP requires an initial login to establish an Internet connection, select Yes. (The default is No.) • If a login is not required, select No and ignore the Login and Password fields.
  • Page 30 Table 3. PPTP and PPPoE settings (continued). Austria (PPTP), Server IP Address: the IP address of the PPTP server. Other (PPPoE): if you have installed login software, then your connection type is PPPoE. Select this radio...
  • Page 31 Table 4. Internet IP address settings. Get Dynamically from ISP: if your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the VPN firewall using the DHCP protocol.
  • Page 32: Configure The Wan Mode

    Click Test to evaluate your entries. The VPN firewall attempts to make a connection according to the settings that you entered. Click Apply to save any changes to the WAN ISP settings. (Or click Reset to discard any changes and revert to the previous settings.)
  • Page 33: Configure Network Address Translation

    Configure Network Address Translation Network Address Translation (NAT) allows all computers on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a single IP address.
  • Page 34: Configure The Auto-Rollover Mode And Failure Detection Method

    Configure the Auto-Rollover Mode and Failure Detection Method To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.
  • Page 35 In the Load Balancing Settings section of the screen, configure the following settings: a. Select the Primary WAN Mode radio button. b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface.
  • Page 36: Configure Load Balancing And Optional Protocol Binding

    Table 6. Failure detection method settings. Failure Detection Method: select a failure detection method from the drop-down list: • WAN DNS. DNS queries are sent to the DNS server that is configured in the...
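    The auto-rollover procedure and the failure detection settings above (method, retry interval, failover after) decide how long a dead primary link keeps carrying traffic. The following is an added example, not NETGEAR code and not taken from this manual: a small state machine that replays constructed probe results and shows when rollover and fallback happen. The precise rules it uses (rollover after N consecutive failed probes of the primary, fallback after N consecutive good probes) are assumptions about device behaviour, chosen to illustrate the settings rather than to reproduce the firmware.

```python
"""WAN failure detection and auto-rollover, modelled as a state machine.

Added example, not NETGEAR code. The WAN Mode screen takes a failure
detection method (WAN DNS, DNS lookup to a chosen server, or ping to an
IP address), a retry interval and a "failover after" count. The probing
and fallback behaviour below is an assumption used to show what those two
settings imply for detection time.
"""
from dataclasses import dataclass, field


@dataclass
class RolloverMonitor:
    primary: str
    backup: str
    retry_interval_s: int = 30      # seconds between probes of the primary link
    failover_after: int = 4         # consecutive failed probes before rollover
    active: str = field(init=False)
    events: list = field(default_factory=list, init=False)
    _fail_streak: int = field(default=0, init=False)
    _ok_streak: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        self.active = self.primary

    def observe(self, probe_ok: bool) -> str:
        """Feed one probe result for the primary link; return the WAN now in use."""
        if probe_ok:
            self._ok_streak += 1
            self._fail_streak = 0
            # Assumed fallback rule: the primary must answer failover_after
            # probes in a row before traffic is moved back to it.
            if self.active == self.backup and self._ok_streak >= self.failover_after:
                self.active = self.primary
                self.events.append(f"fallback to {self.primary}")
        else:
            self._fail_streak += 1
            self._ok_streak = 0
            if self.active == self.primary and self._fail_streak >= self.failover_after:
                self.active = self.backup
                self.events.append(f"rollover to {self.backup}")
        return self.active

    def worst_case_detection_s(self) -> int:
        """Longest time a dead primary keeps traffic before rollover:
        the failure must persist across failover_after probe intervals."""
        return self.retry_interval_s * self.failover_after


def replay(monitor: RolloverMonitor, probe_results) -> list:
    """Drive the monitor with a sequence of probe outcomes; return the active WAN after each."""
    return [monitor.observe(ok) for ok in probe_results]


if __name__ == "__main__":
    # Constructed probe outcomes: a short blip (two failures), a real outage, then recovery.
    outcomes = [True, False, False, True, False, False, False, True, True, True, True]
    mon = RolloverMonitor("WAN1", "WAN2", retry_interval_s=30, failover_after=3)
    print(replay(mon, outcomes))
    print(mon.events, "worst-case detection:", mon.worst_case_detection_s(), "s")
```

    The blip in the constructed sequence does not trigger rollover because the streak resets on the first good probe; the outage does. With a 30-second retry interval and failover after 3, the primary can be dead for 90 seconds before traffic moves, so tune the two settings together rather than independently.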
  • Page 37 routes all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All outbound FTP traffic is routed through the WAN2 port. Protocol binding addresses two issues: • Segregation of traffic between links that are not of the same speed.
  • Page 38 then a new FTP session could start on the WAN2 interface, and then any new connection to the Internet could be made on the WAN3 interface. This load-balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions.
  • Page 39 Figure 21. Configure the protocol binding settings as explained in the following table: Table 7. Add Protocol Binding screen settings. Service: from the drop-down list, select a service or application to be covered by this rule. If the...
  • Page 40 Table 7. Add Protocol Binding screen settings (continued). Destination Network: the destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the drop-down list: All Internet IP address.
  • Page 41: Configure Secondary Wan Addresses

    Configure Secondary WAN Addresses You can set up a single WAN Ethernet port to be accessed through multiple IP addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a web server and an FTP server, even though both servers use the same physical IP address.
  • Page 42: Configure Dynamic Dns

    Click the Secondary Addresses option arrow in the upper right of the screen. The WAN Secondary Addresses screen displays for the WAN interface that you selected. (The following figure shows the WAN1 Secondary Addresses screen as an example and includes one entry in the List of Secondary WAN addresses table.)
  • Page 43 If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently—hence, the...
  • Page 44 Figure 23. Click the Information option arrow in the upper right of a DNS screen for registration information.
  • Page 45 Figure 24. Access the website of the DDNS service provider and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/). Configure the DDNS service settings as explained in the following table: Table 8.
  • Page 46: Configure Wan Qos Profiles

    Configure WAN QoS Profiles The VPN firewall can support multiple Quality of Service (QoS) profiles for each WAN interface. You can assign profiles to services such as HTTP, FTP, and DNS and to LAN groups or IP addresses.
  • Page 47 Figure 25. To enable QoS, select the Yes radio button. By default, the No radio button is selected. Specify the profile type that should be active by selecting one of the following radio buttons.
  • Page 48 Figure 26. Enter the settings as explained in the following table: Table 9. Add QoS screen settings for a rate control profile. QoS Type: Rate Control (for Priority, see Figure 27...
  • Page 49 Table 9. Add QoS screen settings for a rate control profile (continued). Congestion Priority: from the drop-down list, select the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall: •...
  • Page 50 To add a priority QoS profile: Select Network Configuration > QoS. The QoS screen displays. Under the List of QoS Profiles table, click the Add table button. The Add QoS screen displays.
  • Page 51: Configure Advanced Wan Options

    Table 10. Add QoS screen settings for a priority profile (continued). Priority: from the drop-down list, select the priority queue that determines the allocation of bandwidth: • Low. All services that are assigned a low-priority queue share 10 percent of interface bandwidth.
  • Page 52 Note: You can also configure the failure detection method for the auto-rollover mode on the Advanced screen. This procedure is discussed in Configure the Failure Detection Method on page 35. To configure advanced WAN options: Select Network Configuration >...
  • Page 53 Enter the settings as explained in the following table: Table 11. WAN Advanced Options screen settings. MTU Size: make one of the following selections: Default. Select the Default radio button for the normal maximum transmission unit (MTU) value.
  • Page 54: Additional Wan-Related Configuration Tasks

    If you want the ability to manage the VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 252). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator Settings on page 250). •...
  • Page 55: Chapter 3 Lan Configuration

    LAN Configuration This chapter describes how to configure the advanced LAN features of your VPN firewall. The chapter contains the following sections: • Manage Virtual LANs and DHCP Options • Configure Multi-Home LAN IP Addresses on the Default VLAN • Manage Groups and Hosts (LAN Groups) •...
  • Page 56: Port-Based Vlans

    • They are easy to manage. The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from a management interface rather than from the wiring closet.
  • Page 57: Assign And Manage Vlan Profiles

    LAN port are forwarded to the default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are untagged. Assign and Manage VLAN Profiles. To assign VLAN profiles to the LAN ports and manage VLAN profiles: Select Network Configuration >...
  • Page 58: Vlan Dhcp Options

    Note: For information about how to add and edit a VLAN profile, including its DHCP options, see Configure a VLAN Profile on page 59. VLAN DHCP Options For each VLAN, you need to specify the Dynamic Host Configuration Protocol (DHCP) options.
  • Page 59: Configure A Vlan Profile

    DNS Proxy When the DNS Proxy option is enabled for a VLAN, the VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers (as configured on the WAN ISP Settings screens).
  • Page 60 Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table.
  • Page 61 Enter the settings as explained in the following table: Table 12. Edit VLAN Profile screen settings. VLAN Profile, Profile Name: enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN.
  • Page 62 Table 12. Edit VLAN Profile screen settings (continued). Enable DHCP Server: select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.
  • Page 63 • ou (for organizational unit) • o (for organization) • c (for country) • dc (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero).
  • Page 64: Configure Vlan Mac Addresses And Lan Advanced Settings

    Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change...
  • Page 65: Configure Multi-Home Lan Ip Addresses On The Default Vlan

    To configure a VLAN to have a unique MAC address: Select Network Configuration > LAN Settings. The LAN submenu tabs display, with the LAN Setup screen in view (see Figure 30 on page 59).
  • Page 66 It is important that you ensure that any secondary LAN addresses are different from the primary LAN, WAN, and DMZ IP addresses and subnet addresses that are already configured on the VPN firewall. The following is an example of correctly configured IP addresses: WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0...
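    The check the page asks for on the multi-homing screen (a secondary LAN address must not fall inside any subnet already assigned to the LAN, a WAN port, or the DMZ) is easy to get wrong by eye with dotted netmasks. The following is an added example, not NETGEAR code and not from this manual, that performs the overlap test with Python's standard ipaddress module. The WAN1 value mirrors the manual's example; the LAN and DMZ addresses and the candidate secondary addresses are constructed for illustration.

```python
"""Check that a secondary (multi-home) LAN address does not collide with
subnets already configured on the VPN firewall.

Added example, not NETGEAR code. Only WAN1 (10.0.0.1 / 255.0.0.0) comes from
the manual's example; the other interface values below are assumptions.
"""
import ipaddress


def network_of(addr_with_mask: str) -> ipaddress.IPv4Network:
    """'10.0.0.1/255.0.0.0' -> IPv4Network('10.0.0.0/8').
    ip_interface accepts both dotted netmasks and prefix lengths."""
    return ipaddress.ip_interface(addr_with_mask).network


def conflicts(existing: dict, candidate: str) -> list:
    """Names of configured interfaces whose subnet overlaps the candidate's
    subnet, or whose interface address equals the candidate address."""
    cand = ipaddress.ip_interface(candidate)
    hits = []
    for name, cfg in existing.items():
        iface = ipaddress.ip_interface(cfg)
        # overlaps() catches both directions: candidate inside an existing
        # subnet and an existing subnet inside a wider candidate subnet.
        if iface.ip == cand.ip or iface.network.overlaps(cand.network):
            hits.append(name)
    return hits


# Constructed sample configuration (address/netmask as typed into the web UI).
CONFIGURED = {
    "LAN (default VLAN)": "192.168.1.1/255.255.255.0",
    "WAN1": "10.0.0.1/255.0.0.0",
    "DMZ": "172.16.2.1/255.255.255.0",
}

if __name__ == "__main__":
    for cand in ("192.168.20.1/255.255.255.0",   # distinct subnet: acceptable
                 "192.168.1.200/255.255.255.0",  # inside the primary LAN subnet
                 "10.1.2.1/255.255.255.0"):      # inside WAN1's /8
        found = conflicts(CONFIGURED, cand)
        print(cand, "OK" if not found else f"conflicts with {found}")
```

    Run the check against every interface the firewall already has, including the DMZ subnet if the DMZ port is enabled, before clicking Apply on the LAN Multi-homing screen; an overlap is not necessarily rejected by the UI and shows up later as asymmetric routing.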
  • Page 67: Manage Groups And Hosts (Lan Groups)

    To edit a secondary LAN IP address: On the LAN Multi-homing screen (see the previous screen), click the Edit button in the Action column for the secondary IP address that you want to modify. The Edit Secondary LAN IP address screen displays.
  • Page 68: Manage The Network Database

    Some advantages of the network database are: • Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the name of the desired computer or device.
  • Page 69 Figure 34. The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields are displayed: • Check box. Allows you to select the computer or device in the table.
  • Page 70 Add Computers or Devices to the Network Database. To add computers or devices manually to the network database: In the Add Known PCs and Devices section of the LAN Groups screen (see...
  • Page 71: Change Group Names In The Network Database

    Figure 35. In the Edit Known PC and Device section, modify the settings as explained in Table 13 on page 70. Click Apply to save your settings in the Known PCs and Devices table.
  • Page 72: Set Up Address Reservation

    Figure 36. Select the radio button next to any group name to enable editing. Type a new name in the field. The maximum number of characters is 15; spaces and double quotes (") are not allowed.
  • Page 73: Configure And Enable The Dmz Port

    Configure and Enable the DMZ Port The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or email server) and provide public access to them.
  • Page 74 Figure 37. Enter the settings as explained in the following table: Table 14. DMZ Setup screen settings. DMZ Port Setup, Do you want to enable DMZ Port?: select one of the following radio buttons: •...
  • Page 75 Table 14. DMZ Setup screen settings (continued). DHCP, Disable DHCP Server: if another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server.
  • Page 76: Manage Routing

  • Page 77: Configure Static Routes

    Note: The VPN firewall automatically sets up routes between VLANs and secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configure Multi-Home LAN IP Addresses on the Default VLAN on page 65).
  • Page 78 Enter the settings as explained in the following table: Table 15. Add Static Route screen settings. Route Name: the route name for the static route (for purposes of identification and management).
  • Page 79: Configure Routing Information Protocol

    Configure Routing Information Protocol Routing Information Protocol (RIP), RFC 2453, is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information automatically with other routers, to dynamically adjust its routing tables, and to adapt to changes in the network.
  • Page 80 Enter the settings as explained in the following table: Table 16. RIP Configuration screen settings. RIP Direction: from the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP packets: •...
  • Page 81: Static Route Example

    Table 16. RIP Configuration screen settings (continued). Authentication for RIP-2B/2M required? (continued), Not Valid Before: the beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
  • Page 82: Chapter 4 Firewall Protection

    Firewall Protection This chapter describes how to use the firewall features of the VPN firewall to protect your network. The chapter contains the following sections: • About Firewall Protection • Use Rules to Block or Allow Specific Kinds of Traffic •...
  • Page 83: Administrator Tips

    Administrator Tips Consider the following operational items: As an option, you can enable remote management if you have to manage distant sites from a central location (see Configure VPN Authentication Domains, Groups, and Users...
  • Page 84: Services-Based Rules

    Table 17. Number of supported firewall rule configurations (continued), with columns Traffic rule, Maximum number of outbound rules, Maximum number of inbound rules, and Maximum number of supported rules; the row shown is LAN DMZ. Maximum number of supported rules: the maximum number of supported outbound rules is 300, and the maximum number of supported inbound rules is 300.
  • Page 85 WARNING! Allowing inbound services opens security holes in your VPN firewall. Enable only those ports that are necessary for your network. The following table describes the fields that define the rules for outbound traffic and that are...
  • Page 86 Table 18. Outbound rules overview (continued). LAN Users: the settings that determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN.
  • Page 87 Table 18. Outbound rules overview (continued). Bandwidth Profile: bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link.
  • Page 88 LAN Groups screen to keep the computer’s IP address constant (see Set Up Address Reservation on page 72). • Local computers need to access the local server using the computers’ local LAN address.
  • Page 89 Table 19. Inbound rules overview. Service: the service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see...
  • Page 90 Table 19. Inbound rules overview (continued). LAN Users: the settings that determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN.
  • Page 91: Order Of Precedence For Rules

    Table 19. Inbound rules overview (continued). Log: the setting that determines whether packets covered by this rule are logged. The options are: • Always. Always log traffic considered by this rule, whether it matches or not. This is useful when you are debugging your rules.
  • Page 92: Set Lan Wan Rules

    Figure 41. Set LAN WAN Rules The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound).
  • Page 93 Figure 42. Next to Default Outbound Policy, select Block Always from the drop-down list. Next to the drop-down list, click the Apply table button. To make changes to an existing outbound or inbound service rule: In the Action column to the right of the rule, click one of the following table buttons: •...
  • Page 94 LAN WAN Outbound Services Rules You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 95 LAN WAN Inbound Services Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked.
  • Page 96: Set Dmz Wan Rules

    Set DMZ WAN Rules The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen. The default outbound policy is to allow all traffic from and to the Internet to pass through.
  • Page 97 To delete or disable one or more rules: Select the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.
  • Page 98 DMZ WAN Inbound Services Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the DMZ) is allowed. Because traffic between the LAN and the DMZ is also allowed by default (see Set LAN DMZ Rules), confirm the inbound default on the DMZ WAN Rules screen and add explicit inbound rules for the DMZ servers before enabling the DMZ port, so that a host in the DMZ cannot be reached from the Internet and then reach the LAN unchecked.
  • Page 99: Set Lan Dmz Rules

    Set LAN DMZ Rules The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to allow all traffic between the local LAN and DMZ network.
  • Page 100 To delete or disable one or more rules: Select the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.
  • Page 101 LAN DMZ Inbound Services Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the LAN to the DMZ) is allowed.
  • Page 102: Inbound Rule Examples

    LAN WAN Inbound Rule: Hosting a Local Public Web Server. If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.
  • Page 103 Figure 52. LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping. In this example, we configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we configure the VPN firewall to host an additional public IP address and associate this address with a web server on the LAN.
  • Page 104 Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN computers through NAT.
  • Page 105 From the Service drop-down list, select HTTP for a web server. From the Action drop-down list, select ALLOW Always. In the Send to LAN Server field, enter the local IP address of your web server (192.168.1.2 in this example).
  • Page 106: Outbound Rules Example

    1. Select Any and Allow Always (or Allow by Schedule). 2. Place the rule below all other inbound rules. Figure 54. Outbound Rules Example. Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other nonessential sites.
  • Page 107: Configure Other Firewall Features

    Figure 55. You can configure attack checks, set session limits, and manage the application level gateway (ALG) for Session Initiation Protocol (SIP) sessions. Attack Checks. The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.
  • Page 108 Figure 56. Enter the settings as explained in the following table: Table 20. Attack Checks screen settings. WAN Security Checks: Respond to Ping on Internet Ports. Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet.
  • Page 109 Table 20. Attack Checks screen settings (continued). LAN Security Checks: Block UDP flood. Select the Block UDP flood check box to prevent the VPN firewall from accepting more than 20 simultaneous, active UDP connections from a single device on the LAN.
  • Page 110: Set Session Limits

    The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IP connection across the VPN firewall. The session limits feature is disabled by default.
  • Page 111 Enter the settings as explained in the following table: Table 21. Session Limit screen settings. Session Limit: Session Limit Control. From the drop-down list, select one of the following options: •...
  • Page 112: Manage the Application Level Gateway for SIP Sessions

    The application level gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients.
  • Page 113: Add Customized Services

    Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players’...
  • Page 114 In the Add Customer Service section of the screen, enter the settings as explained in the following table: Table 22. Services screen settings. Name: A descriptive name of the service for identification and management purposes.
  • Page 115: Create IP Groups

    To delete one or more services: In the Custom Services Table, select the check box to the left of the service that you want to delete, or click the Select All table button to select all services.
  • Page 116 Figure 62. In the IP Address fields, type an IP address. Click the Add table button to add the IP address to the IP Addresses Grouped table. Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table.
  • Page 117: Create Quality of Service (QoS) Profiles

    A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall. A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule and traffic matching the firewall rule flows through the router.
  • Page 118 Figure 63. The screen displays the List of QoS Profiles table with the user-defined profiles. Under the List of QoS Profiles table, click the Add table button. The Add QoS Profile screen displays: Figure 64.
  • Page 119: Create Bandwidth Profiles

    Table 23. Add QoS Profile screen settings (continued). Re-Mark QoS Value (continued): The QoS value in the ToS or DiffServ byte of an IP header. The QoS value that you enter depends on your selection from the QoS drop-down list: •...
  • Page 120 For example, when a new connection is established by a device, the device locates the firewall rule corresponding to the connection: • If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel.
  • Page 121 Figure 66. Enter the settings as explained in the following table: Table 24. Add Bandwidth Profile screen settings. Profile Name: A descriptive name of the bandwidth profile for identification and management purposes.
  • Page 122: Set a Schedule to Block or Allow Specific Traffic

    Table 24. Add Bandwidth Profile screen settings (continued). Type: From the Type drop-down list, select the type for the bandwidth profile: • Group. The profile applies to all users, that is, all users share the available bandwidth.
  • Page 123 Figure 67. In the Scheduled Days section, select one of the following radio buttons: • All Days. The schedule is in effect all days of the week. • Specific Days. The schedule is active only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect.
  • Page 124: Content Filtering

    If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall’s content filtering and web components filtering features. By default, these features are disabled;...
  • Page 125: Enable and Configure Content Filtering

    You can apply the keywords to one or more groups. Requests from the computers in the groups for which keyword blocking has been enabled are blocked. Blocking does not occur for the computers that are in the groups for which keyword blocking has not been enabled.
  • Page 126 Figure 68.
  • Page 127: Enable Source MAC Filtering

    Enter the settings as explained in the following table: Table 25. Block Sites screen settings. Web Components: Select the check boxes of any web components that you wish to block. The web components are...
  • Page 128 Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 84. To enable MAC filtering and add MAC addresses to be permitted or blocked: Select Security > Address Filter. The Address Filter submenu tabs display, with the Source MAC Filter screen in view.
  • Page 129: Set Up IP/MAC Bindings

    To remove one or more entries from the table: Select the check box to the left of the MAC address that you want to delete, or click the Select All table button to select all entries.
  • Page 130 Figure 70. Enter the settings as explained in the following table: Table 26. IP/MAC Binding screen settings. Email IP/MAC Violations, Do you want to enable E-mail...: Select one of the following radio buttons: •...
  • Page 131: Configure Port Triggering

    To edit an IP/MAC binding: In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
  • Page 132 To add a port triggering rule: Select Security > Port Triggering. The Port Triggering screen displays. (See the following figure, which shows one rule in the Port Triggering Rules table as an example.) Figure 71.
  • Page 133: Configure Universal Plug and Play

    To edit a port triggering rule (for example, to enable the rule): In the Port Triggering Rules table, click the Edit table button to the right of the port triggering rule that you want to edit. The Edit Port Triggering Rule screen displays.
  • Page 134 Figure 73. To enable the UPnP feature, select the Yes radio button. (The feature is disabled by default.) To disable the feature, select No. Configure the following fields: Advertisement Period. Enter the period in minutes that specifies how often the VPN firewall should broadcast its UPnP information to all devices within its range.
  • Page 135: Chapter 5 Virtual Private Networking Using IPSec Connections

    This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. The chapter contains the following sections: •...
  • Page 136 Figure 74. WAN Auto-Rollover: FQDN Required for VPN (diagram of the VPN firewall’s WAN 1 port and WAN 2 port, the WAN port rollover control functions, and the rest of the VPN firewall functions; the same FQDN is required for both WAN ports).
  • Page 137: Use the IPSec VPN Wizard for Client and Gateway Configurations

    You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following section provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following scenarios: • Using the wizard to configure a VPN tunnel between two VPN gateways.
  • Page 138 Figure 77. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up window appears (see Figure 78 on page 139) displaying the wizard default values.
  • Page 139 Figure 78. Complete the settings as explained in the following table: Table 29. IPSec VPN Wizard settings for a gateway-to-gateway tunnel. About VPN Wizard: This VPN tunnel will connect to the following peers. Select the Gateway radio button. The local WAN port’s IP address or Internet name displays in the End Point Information section of the screen.
  • Page 140 Table 29. IPSec VPN Wizard settings for a gateway-to-gateway tunnel (continued). What is the Local WAN's IP Address or Internet Name? When you select the Gateway radio button in the About VPN Wizard section of the screen, the IP address of the VPN firewall’s active WAN...
  • Page 141: Create a Client-to-Gateway VPN Tunnel

    • Use the VPN Wizard Configure the Gateway for a Client Tunnel on page 142. • Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 144 or Manually Create a Secure Connection Using the NETGEAR VPN Client on page 149.
  • Page 142 Use the VPN Wizard Configure the Gateway for a Client Tunnel. To set up a client-to-gateway VPN tunnel using the VPN Wizard: Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. (The following figure contains some entries as an example.)
  • Page 143 Table 30. IPSec VPN Wizard settings for a client-to-gateway tunnel. About VPN Wizard: This VPN tunnel will connect to the following peers. Select the VPN Client radio button. The default remote FQDN (srx_remote.com) and the default local FQDN (srx_local.com) display in...
  • Page 144 Router’s LAN network mask: 255.255.255.0. Router’s WAN IP address: 10.34.116.22. Use the NETGEAR VPN Client Wizard to Create a Secure Connection. The VPN client lets you set up the VPN connection manually (see Manually Create a Secure Connection Using the NETGEAR VPN Client on page 149) or with the integrated Configuration Wizard, which is the easier and preferred method.
  • Page 145 Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To use the Configuration Wizard to set up a VPN connection between the VPN client and the VPN firewall: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel.
  • Page 146 Figure 85. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays. Figure 86. Specify the following VPN tunnel parameters: •...
  • Page 147 Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays. Figure 87. This screen summarizes the new VPN configuration. Click Finish. Specify the local and remote IDs: a.
  • Page 148 c. Specify the settings that are explained in the following table. Table 32. VPN client advanced authentication settings. Advanced features: Aggressive Mode. Select this check box to enable aggressive mode as the mode of negotiation with the VPN firewall.
  • Page 149 Instead of using the wizard on the VPN client, you can also manually configure the VPN client, which is explained in the following section. Manually Create a Secure Connection Using the NETGEAR VPN Client. Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed.
  • Page 150 Configure the Authentication Settings (Phase 1 Settings). To create new authentication settings: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays.
  • Page 151 Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
  • Page 152 Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Click the Advanced tab in the Authentication pane. The Advanced pane displays. Figure 93.
  • Page 153 Table 34. VPN client advanced authentication settings (continued). Local and Remote ID: Local ID. As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration.
  • Page 154 Figure 94. Specify the settings that are explained in the following table. Table 35. VPN client IPSec configuration settings. VPN Client address: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the VPN firewall’s LAN;...
  • Page 155 Table 35. VPN client IPSec configuration settings (continued). Encryption: Select 3DES as the encryption algorithm from the drop-down list. Authentication: Select SHA-1 as the authentication algorithm from the drop-down list.
  • Page 156: Test the Connection and View Connection and Status Information

    Both the NETGEAR ProSafe VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 157 Perform one of the following tasks: Double-click Gateway-Tunnel. Right-click Gateway-Tunnel, and select Open tunnel. Click Gateway-Tunnel, and press Ctrl+O. Figure 97. • Use the system-tray icon. Right-click the system tray icon, and select Open tunnel ‘Tunnel’.
  • Page 158: NETGEAR VPN Client Status and Log Information

    To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays.
  • Page 159: View the VPN Firewall IPSec VPN Logs

    Figure 102. The Active IPSec SAs table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set Interval.
  • Page 160: Manage IPSec VPN Policies

    Figure 103. Click Refresh Log to view the most recent entries. Click Clear Log to remove all entries. Manage IPSec VPN Policies. After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables.
  • Page 161 • If the VPN policy is of a Manual Policy type, the settings that are specified in the Manual Policy Parameters section of the Add New VPN Policy screen (see Figure 107...
  • Page 162 Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 38 on page 164. Table 37. IKE Policies screen information. Item...
  • Page 163 Figure 105. Complete the settings as explained in the following table.
  • Page 164 Table 38. Add IKE Policy screen settings. Mode Config Record: Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a Mode Config record. For information...
  • Page 165 Table 38. Add IKE Policy screen settings (continued). Local: Select Local Gateway. From the drop-down list, select one of the four WAN interfaces to function as the local gateway. Identifier Type...
  • Page 166 Table 38. Add IKE Policy screen settings (continued). Authentication Method: Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
  • Page 167: Configure VPN Policies

    Table 38. Add IKE Policy screen settings (continued). XAUTH Configuration (continued): Authentication Type. For an Edge Device configuration: From the drop-down list, select one of the following authentication types: • User Database. XAUTH occurs through the VPN firewall’s user database.
  • Page 168 In addition, a certification authority (CA) can also be used to perform authentication (see Manage Digital Certificates on page 236). To use a CA, each VPN gateway needs to have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed, and is used by any sender to encrypt data intended for the receiver (the key owner).
  • Page 169 Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 40 on page 171. Table 39. VPN Policies screen information. Item...
  • Page 170 Manually Add or Edit a VPN Policy. To manually add a VPN policy: Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 168).
  • Page 171 Complete the settings as explained in the following table: Table 40. Add New VPN Policy screen settings. General: Policy Name. A descriptive name of the VPN policy for identification and management purposes.
  • Page 172 Table 40. Add New VPN Policy screen settings (continued). Traffic Selection: Local IP. From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall: •...
  • Page 173 Table 40. Add New VPN Policy screen settings (continued). SPI-Outgoing: The security parameters index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters (for example: 0x1234).
  • Page 174: Configure Extended Authentication (XAUTH)

    Table 40. Add New VPN Policy screen settings (continued). PFS Key Group: Select this check box to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength of the algorithm in bits.
  • Page 175: Configure XAUTH for VPN Clients

    Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first checks the local user database for the user credentials. If the user account is not present, the VPN firewall then connects to a RADIUS server.
  • Page 176: User Database Configuration

    Table 41. Extended Authentication section settings (continued). Authentication Type: For an Edge Device configuration: From the drop-down list, select one of the following authentication types: • User Database. XAUTH occurs through the VPN firewall’s user database. You...
  • Page 177 Figure 108. Complete the settings as explained in the following table: Table 42. RADIUS Client screen settings. Primary RADIUS Server: Select the Yes radio button to enable and configure the primary RADIUS server, and then enter the settings for the three fields to the right.
  • Page 178: Assign IP Addresses to Remote Users (Mode Config)

    Table 42. RADIUS Client screen settings (continued). Backup Server IP Address: The IP address of the backup RADIUS server. Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the backup RADIUS server.
  • Page 179: Configure Mode Config Operation on the VPN Firewall

    Note: After configuring a Mode Config record, you need to manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record drop-down list (see Configure Mode Config Operation on the VPN Firewall on page 179).
  • Page 180 Figure 110. Complete the settings as explained in the following table: Table 43. Add Mode Config Record screen settings. Client Pool: Record Name. A descriptive name of the Mode Config record for identification and management purposes.
  • Page 181 Table 43. Add Mode Config Record screen settings (continued). DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.
  • Page 182 Figure 111. On the Add IKE Policy screen, complete the settings as explained in the following table.
  • Page 183 Note: The settings that are explained in the following table are specifically for a Mode Config configuration. Table 38 on page 164 explains the general IKE policy settings. Table 44. Add IKE Policy screen settings for a Mode Config configuration...
  • Page 184 The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying needs to occur. The default is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
  • Page 185: Configure the NETGEAR VPN Client for Mode Config Operation

    Table 44. Add IKE Policy screen settings for a Mode Config configuration (continued). Extended Authentication: XAUTH Configuration. Select one of the following radio buttons to specify whether or not Extended...
  • Page 186 Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
  • Page 187 Figure 113. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane.
  • Page 188 Specify the settings that are explained in the following table. Table 45. VPN client authentication settings (Mode Config). Interface: Select Any from the drop-down list. Remote Gateway: Enter the remote IP address or DNS name of the VPN firewall. For example, enter 10.34.116.22.
  • Page 189 Specify the settings that are explained in the following table. Table 46. VPN client advanced authentication settings (Mode Config). Advanced features: Mode Config. Select this check box to enable Mode Config.
  • Page 190 The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected by default. Figure 116. Specify the settings that are explained in the following table. Table 47. VPN client IPSec configuration settings (Mode Config).
  • Page 191 Table 47. VPN client IPSec configuration settings (Mode Config) (continued). Encryption: Select 3DES as the encryption algorithm from the drop-down list. Authentication: Select SHA-1 as the authentication algorithm from the drop-down list.
  • Page 192: Test the Mode Config Connection

    Specify the following default lifetimes in seconds to match the configuration on the VPN firewall: • Authentication (IKE), Default. Enter 3600 seconds. • Encryption (IPSec), Default. Enter 3600 seconds. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the VPN firewall: •...
  • Page 193: Modify or Delete a Mode Config Record

    Figure 120. From the client computer, ping a computer on the VPN firewall LAN. Modify or Delete a Mode Config Record. To edit a Mode Config record: On the Mode Config screen (see...
  • Page 194: Configure Keep-Alives

    The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keep-alive feature on a configured VPN policy: Select VPN >...
  • Page 195: Configure Dead Peer Detection

    Table 48. Keep-alive settings (continued). Enable Keepalive (continued): Detection Period. The period in seconds between the keep-alive requests. The default setting is 10 seconds. Reconnect after: The maximum number of keep-alive requests before the...
  • Page 196: Configure NetBIOS Bridging with IPSec VPN

    In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: Table 49. Dead Peer Detection settings. IKE SA Parameters: Enable Dead Peer Detection. Select the Yes radio button to enable DPD.
  • Page 197 Figure 123. Select the Enable NetBIOS check box. Click Apply to save your settings.
  • Page 198: Chapter 6 Virtual Private Networking Using Ssl Connections

    Virtual Private Networking Using SSL Connections The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
  • Page 199: Overview of the SSL Configuration Process

    The SSL VPN client provides a point-to-point (PPP) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s computer. The VPN firewall assigns the computer an IP address and DNS server IP addresses, allowing...
  • Page 200: Create the Portal Layout

    c. Create one or more SSL VPN user accounts. Because you need to assign a group when creating an SSL VPN user account, the user account is created after you have created the group.
  • Page 201 Note: The VPN firewall’s default portal address is https://<IP_Address>/portal/SSL-VPN. The default domain geardomain is attached to the SSL-VPN portal. You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options.
  • Page 202 Figure 125. Complete the settings as explained in the following table: Table 50. Add Portal Layout screen settings Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL.
  • Page 203 Table 50. Add Portal Layout screen settings (continued) Setting Description Banner Message The text of a banner message that users see before they log in to the portal, for example, In case of login difficulty, call 123-456-7890. Enter a plain text message or include HTML and JavaScript tags.
  • Page 204: Configure Domains, Groups, And Users

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308  To delete one or more portal layouts: On the Portal Layouts screen (see Figure 124 on page 201), select the check box to the left of the portal layout that you want to delete, or click the Select All table button to select all layouts.
  • Page 205 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 126. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to.
  • Page 206: Add A New Host Name

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 51. Port-forwarding applications/TCP port numbers (continued) TCP application Port number Terminal Services 3389 VNC (virtual network computing) 5900 or 5800 a. Users can specify the port number together with the host name or IP address.
  • Page 207: Configure The Ssl Vpn Client

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 To delete a name from the List of Configured Host Names for Port Forwarding table, select the check box to the left of the name that you want to delete, and then click the Delete table button in the Action column.
  • Page 208 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 127. Complete the settings as explained the following table: Table 52. SSL VPN Client IP Address Range section settings Setting Description Client IP Address Range Enable Full Tunnel Support Select this check box to enable full tunnel support. If you leave this check...
  • Page 209: Add Routes For Vpn Tunnel Clients

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 52. SSL VPN Client IP Address Range section settings (continued) Setting Description Client Address Range Begin The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
  • Page 210: Use Network Resource Objects To Simplify Policies

    Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.
  • Page 211: Edit Network Resources to Specify Addresses

    Port Forwarding. The resource applies only to port forwarding. All. The resource applies both to a VPN tunnel and to port forwarding. Click the Add table button. The new resource is added to the List of Resources table.
  • Page 212: Configure User, Group, and Global Policies

    Table 53. Edit Resources screen settings (continued) Setting Description Object Type From the drop-down list, select one of the following options: • IP Address. The object is an IP address. You need to enter the IP address or the FQDN in the IP Address / Name field.
  • Page 213: View Policies

    Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration: •...
  • Page 214: Add a Policy

    Figure 130. Make your selection from the following Query options: • Select Global to view all global policies. • Select Group to view group policies, and select the relevant group’s name from the drop-down list.
  • Page 215 Figure 131. Complete the settings as explained in the following table: Table 54. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the type of SSL VPN policy: •...
  • Page 216 Table 54. Add SSL VPN Policy screen settings (continued) Setting Description Add SSL VPN Policies Apply Policy For Select one of the following radio buttons to specify how the policy is applied: •...
  • Page 217 Table 54. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy For (continued) • IP Network. Policy Name A descriptive name of the SSL VPN policy for identification and management purposes.
  • Page 218: Access the SSL Portal Login Screen

    Note: If you have configured SSL VPN user policies, ensure that HTTPS remote management is enabled (see Configure Remote Management Access on page 252). If HTTPS remote management is not enabled, all SSL VPN user connections are disabled.
  • Page 219 Figure 132. Enter a user name and password that are associated with the SSL portal and the domain (see Configure VPN Authentication Domains, Groups, and Users on page 221). Click Login. The default User Portal screen displays: Figure 133.
  • Page 220: View the SSL VPN Connection Status and SSL VPN Logs

    • Change Password. Allows the user to change his or her password. • Support. Provides access to the NETGEAR website. View the SSL VPN Connection Status and SSL VPN Logs To review the status of current SSL VPN tunnels: Select VPN >...
  • Page 221: Chapter 7 Managing Users, Authentication, and Certificates

    Managing Users, Authentication, and Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. The chapter contains the following sections: • Configure VPN Authentication Domains, Groups, and Users • Manage Digital Certificates Configure VPN Authentication Domains, Groups, and Users Users are assigned to a group, and a group is assigned to a domain.
  • Page 222 determines the network resources to which the associated users have access. The default domain of the VPN firewall is named geardomain. You cannot delete the default domain. The following table summarizes the authentication protocols and methods that the VPN firewall supports: Table 55.
  • Page 223 Figure 136. The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The default domain name (geardomain) is appended by an asterisk.
  • Page 224 Enter the settings as explained in the following table: Table 56. Add Domain screen settings Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Authentication Type From the drop-down list, select the authentication method that the VPN firewall applies to the domain.
  • Page 225 Click Apply to save your settings. The domain is added to the List of Domains table. If you use local authentication, make sure that it is not disabled: Select the No radio button...
  • Page 226: Configure Groups for VPN Policies

    Configure Groups for VPN Policies The use of groups simplifies the configuration of VPN policies when different sets of users have different restrictions and access controls. Like the default domain of the VPN firewall, the default group is also named geardomain.
  • Page 227 Figure 138. The List of Groups table displays the VPN groups with the following fields: • Check box. Allows you to select the group in the table. • Name. The name of the group. If the group name is appended by an asterisk, the group was created by default when you created the domain with the identical name as the default group.
  • Page 228 default group; you can delete only the domain with the identical name as the default group (see Configure Domains on page 221), which causes the default group to be deleted. Click the Delete table button.
  • Page 229: Configure User Accounts

    SSL VPN User. A user who can only log in to the SSL VPN portal. • IPSEC VPN User. A user who can only make an IPSec VPN connection through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 174).
  • Page 230 • SSL VPN User. User who can only log in to the SSL VPN portal. • IPSEC VPN User. User who can only make an IPSec VPN connection through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 174).
  • Page 231: Set User Login Policies

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308  To delete one or more user accounts: In the List of Users table, select the check box to the left of the user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete a default user account.
  • Page 232 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Note: For security reasons, the Deny Login from WAN Interface check box is selected by default for guests and administrators. The Disable Login check box is disabled (masked out) for administrators. Click Apply to save your settings.
  • Page 233 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table: Table 59. Defined addresses settings...
  • Page 234 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 144. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table.
  • Page 235: Change Passwords And Other User Settings

    • SSL VPN User. User who can only log in to the SSL VPN portal. • IPSEC VPN User. User who can only make an IPSec VPN connection through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 174).
  • Page 236: Manage Digital Certificates

    Table 60. Edit User screen settings (continued) Setting Description Check to Edit Password Select this check box to make the password fields accessible to modify the password. Enter Your Password Enter the old password.
  • Page 237: Certificates Screen

    The VPN firewall contains a self-signed certificate from NETGEAR. This certificate can be downloaded from the VPN firewall login screen for browser import. However, NETGEAR recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA prior to deploying the VPN firewall in your network.
  • Page 238: Manage CA Certificates

    Manage CA Certificates To view and upload trusted certificates: Select VPN > Certificates. The Certificates screen displays. The following figure shows the top section of the screen with the trusted certificate information and one example certificate in the Trusted Certificates (CA Certificate) table.
  • Page 239: Manage Self-Signed Certificates

    Manage Self-Signed Certificates Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed certificate triggers a warning from most browsers because it provides no protection against identity theft of the server.
  • Page 240 Figure 148. Certificates, screen 2 of 3 In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table: Table 61. Generate self-certificate request settings...
  • Page 241 Table 61. Generate self-certificate request settings (continued) Setting Description Signature Key Length From the drop-down list, select one of the following signature key lengths in bits: • 512 • 1024 • 2048...
  • Page 242 c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”). d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA.
  • Page 243: Manage The Certificate Revocation List

    Manage the Certificate Revocation List A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date.
  • Page 244: Chapter 8 Network And System Management

    Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall. The chapter contains the following sections: • Performance Management • System Management Performance Management Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through when there is a bottleneck and either reducing unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks...
  • Page 245: Features That Reduce Traffic

    Using four WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but there is no backup in case one of the WAN ports fails. When such a failure occurs, the traffic that would have been sent on the failed WAN port is diverted to another WAN port that is still working, thus increasing its load.
  • Page 246 on the Services screen (see Services-Based Rules on page 84 and Add Customized Services on page 113). • LAN users. You can specify which computers on your network are affected by an outbound rule.
  • Page 247: Features That Increase Traffic

    Source MAC Filtering If you want to reduce outgoing traffic by preventing Internet access by certain computers on the LAN, you can use the source MAC filtering feature to drop the traffic received from the computers with the specified MAC addresses.
  • Page 248: Port Triggering

    When you define inbound firewall rules, you can further refine their application according to the following criteria: • Services. You can specify the services or applications to be covered by an inbound rule.
  • Page 249: Use QoS and Bandwidth Assignment to Shift the Traffic Mix

    request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules, and most likely would be blocked.
  • Page 250: Monitoring Tools For Traffic Management

    The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.
  • Page 251 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308  To modify the administrator user account settings, including the password: Select Users > Users. The Users screen displays. The following figure shows the VPN firewall’s default users—admin and guest—and, as an example, one other user in the List of Users table.
  • Page 252: Configure Remote Management Access

    IP address and default password. Because a malicious WAN user can reconfigure the VPN firewall and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before...
  • Page 253 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308  To configure the VPN firewall for remote management: Select Administration > Remote Management. The Remote Management screen displays: Figure 153. Network and System Management...
  • Page 254 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Enter the settings as explained in the following table: Table 62. Remote Management screen settings Setting Description Secure HTTP Management Allow Secure HTTP Management? Select the Yes radio button to enable HTTPS remote management (which is the default setting) and specify the IP address settings and port number settings.
  • Page 255: Use The Command-Line Interface

    Note: For enhanced security, and if practical, restrict remote management access to a single IP address or a small range of IP addresses. Note: To maintain security, the VPN firewall rejects a login that uses http://address rather than the SSL https://address.
  • Page 256: Use a Simple Network Management Protocol Manager

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308  To access the CLI: From your computer’s command-line prompt, enter the following command: telnet 192.168.1.1 Enter admin and password when prompted for the login and password information (or enter guest and password to log in as a read-only guest).
  • Page 257 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 In the Create New SNMP Configuration Entry section of the screen, enter the settings as explained in the following table: Table 63. SNMP screen settings Setting Description IP Address The IP addresses of the SNMP management station that is allowed to receive the VPN firewall’s SNMP traps.
  • Page 258: Manage The Configuration File

    Manage the VPN Firewall’s SNMP System Information The following VPN firewall identification information is available to an SNMP manager: system contact, system location, and system name. To modify the SNMP identification information: Select Administration >...
  • Page 259 To display the Settings Backup and Firmware Upgrade screen: Select Administration > Settings Backup & Firmware Upgrade. Figure 157. Back Up Settings The backup feature saves all VPN firewall settings to a file. These settings include the IP addresses, subnet masks, gateway addresses, and so on.
  • Page 260 On the Settings Backup and Firmware Upgrade screen (see the previous screen), next to Restore saved settings from file, click Browse. Locate and select the previously saved backup file (by default, SRX5308.cfg). After you have selected the file, click the Restore button. A warning message might appear, and you might have to confirm that you want to restore the configuration.
  • Page 261 To download a firmware version and upgrade the VPN firewall: Go to the NETGEAR website at http://www.netgear.com/support: a. Under Find Your Product, enter SRX5308, and then click the product number. The SRX5308 support screen displays. b. Click the orange Downloads tab.
  • Page 262: Configure Date and Time Service

    WARNING! Do not try to go online, turn off the VPN firewall, shut down the computer or do anything else to the VPN firewall until the VPN firewall finishes the upgrade! When the Test LED turns off, wait a few more seconds before doing anything.
  • Page 263 The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current Time: Wed Jul 2015:24:51 GMT-0800 2011). Enter the settings as explained in the following table: Table 64.
  • Page 264 Note: If you select this option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at support.ntp.org/bin/view/Servers/WebHome.
  • Page 265: Chapter 9 Monitoring System Access and Performance

    Monitoring System Access and Performance This chapter describes the system monitoring features of the VPN firewall. You can be alerted to important events such as changes in WAN port status, WAN traffic limits reached, hacker probes and login attempts, dropped packets, and more. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more.
  • Page 266 Figure 159. Enter the settings for the WAN1 port as explained in the following table: Table 65. WAN TrafficMeter screen settings Setting Description Enable Traffic Meter Do you want to enable Traffic Metering on WAN1? Select one of the following radio buttons to configure traffic metering: •...
  • Page 267 Table 65. WAN TrafficMeter screen settings (continued) Setting Description Do you want to enable Traffic Metering on WAN1? (continued) Select one of the following radio buttons to specify if or how the VPN firewall applies restrictions when the traffic limit is reached: •...
  • Page 268: Enable the LAN Traffic Meter

    The contents of the WAN2 TrafficMeter, WAN3 TrafficMeter, and WAN4 TrafficMeter screens are identical to the WAN1 TrafficMeter screen with the exception of the WAN interface number. To display a report of the Internet traffic by type for the WAN1 interface: Click the Traffic by Protocol option arrow in the upper right of the WAN1 TrafficMeter screen.
  • Page 269 Figure 161. The LAN Traffic Meter Table shows the following columns, all of which are explained in detail in the table that follows the next figure: • LAN IP Address. The LAN IP address that is subject to the traffic meter.
  • Page 270 Enter the settings as explained in the following table: Table 66. Add LAN Traffic Meter Account screen settings Setting Description Add LAN Traffic Meter Account LAN IP Address The LAN IP address for the account.
  • Page 271: Activate Notification of Events, Alerts, and Syslogs

    Figure 163. To edit a LAN traffic meter account: In the LAN Traffic Meter Table, click the Edit table button to the right of the account that you want to edit. The Edit LAN Traffic Meter Account screen displays. This screen shows...
  • Page 272 Figure 164.
  • Page 273 Enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to the log messages. The default identifier is SRX5308. Routing Logs...
  • Page 274 Table 67. Firewall Logs & E-mail screen settings (continued) Setting Description Enable E-Mail Logs Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to send logs to an email address.
  • Page 275 Table 67. Firewall Logs & E-mail screen settings (continued) Setting Description Enable SysLogs Enable Select one of the following radio buttons to configure the syslog server: Yes. The VPN firewall sends a log file to a syslog server. Complete the SysLog Server and SysLog Severity fields that are shown on the right side of the screen (see explanations later in this table).
  • Page 276: View Status And Log Screens

    Figure 165. You can refresh the logs, clear the logs, or send the logs to an email address. View Status and Log Screens The VPN firewall provides real-time information in a variety of status screens that are described in the following sections: •...
  • Page 277: View the System (Router) Status and Statistics

    View the System (Router) Status and Statistics The Router Status screen, Detailed Status screen, and Router Statistics screen provide real-time information about the following important components of the VPN firewall: • Firmware versions that are loaded on the VPN firewall •...
  • Page 278 Figure 166. View the Detailed Status Screen To view the Detailed Status screen: Select Monitoring > Router Status > Detailed Status. The Detailed Status screen displays. (Because of the large size of the screen and to avoid duplication of information, the following figure shows parts of the screen.)
  • Page 279 Figure 167. The following table explains the fields of the Detailed Status screen: Table 69. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the four LAN ports.
  • Page 280 Table 69. Detailed Status screen information (continued) Item Description VLAN ID The VLAN ID that you assigned to this port on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59). If the default VLAN profile is used, the VLAN ID is 1, which means that all tagged and untagged traffic can pass on this port.
  • Page 281 Table 69. Detailed Status screen information (continued) Item Description IP Address The IP address of the WAN port. Subnet Mask The subnet mask of the WAN port. These settings are either obtained
  • Page 282: View the VLAN Status

    The following table explains the fields of the Router Statistics screen: Table 70. Router Statistics screen information Item Description System up Time: The period since the last time that the VPN firewall was started up.
  • Page 283: View and Disconnect Active Users

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308  To view the VLAN Status screen: Select Monitoring > Router Status > VLAN Status. The VLAN Status screen displays: Figure 168. The following table explains the fields of the VLAN Status screen: Table 71.
  • Page 284: View The Vpn Tunnel Connection Status

    Figure 169. The active user’s user name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user logged in. To disconnect an active user, click the Disconnect table button to the right of the user’s table entry.
  • Page 285: View the VPN Logs

    Table 72. IPSec VPN Connection Status screen information (continued) Item Description Tx (KB) The amount of data that is transmitted over this SA. Tx (Packets) The number of IP packets that are transmitted over this SA.
  • Page 286 Figure 172. To view the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 173.
  • Page 287: View the Port Triggering Status

    View the Port Triggering Status To view the status of the port triggering feature: Select Security > Port Triggering. The Port Triggering screen displays (see Figure 71 on page 132). Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen displays in a pop-up window: Figure 174.
  • Page 288 Figure 175. The Connection Status screen displays the information that is described in the following table. The information that is shown on the Connection Status screen depends on the nature of the connection—static IP address or dynamically assigned IP address.
  • Page 289: View the Attached Devices and DHCP Log

    View the Attached Devices and DHCP Log The LAN Groups screen shows the network database, which is the Known PCs and Devices table that contains all IP devices that the VPN firewall has discovered on the local network.
  • Page 290 Group drop-down list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen (see Figure 35 on page 71). • Profile Name. The VLAN to which the computer or device is assigned.
  • Page 291: Use the Diagnostics Utilities

    Use the Diagnostics Utilities From the Diagnostics screen you can perform diagnostics that are discussed in the following sections: • Send a Ping Packet or Trace a Route • Look Up a DNS Address •...
  • Page 292: Look Up a DNS Address

    Select Monitoring > Diagnostics to return to the Diagnostics screen. Look Up a DNS Address A DNS (Domain Name Server) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.
  • Page 293: Reboot the VPN Firewall

    displays as a pop-up window. (The IP addresses that are shown in the following figure do not relate to other figures and examples in this manual.) Figure 179. Reboot the VPN Firewall You can perform a remote reboot (restart), for example, when the VPN firewall seems to have become unstable or is not operating normally.
  • Page 294 Figure 180. From the Select Network drop-down list, select a WAN interface, DMZ interface (if enabled), or VLAN. Click the Start button to start capturing the traffic flow. The following text displays in the pop-up window: Packet tracing started.
  • Page 295: Chapter 10 Troubleshooting and Using Online Support

    The date or time is not correct. Go to Problems with Date and Time on page 302. • I need help from NETGEAR. Go to Access the Knowledge Base and Documentation on page 303. Note: The VPN firewall’s diagnostic tools are explained in...
  • Page 296: Basic Functioning

    VPN firewall and that the power supply adapter is correctly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR technical support. Test LED Never Turns Off When the VPN firewall is powered on, the Test LED turns on for approximately 2 minutes and then turns off when the VPN firewall has completed its initialization.
  • Page 297: Lan Or Wan Port Leds Not On

    LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the VPN firewall and at the hub, router, or workstation.
  • Page 298: When You Enter A Url Or Ip Address A Time-Out Error Occurs

    To check the WAN IP address for a WAN interface: Launch your browser and navigate to an external site such as www.netgear.com. Access the web management interface of the VPN firewall’s configuration at https://192.168.1.1.
  • Page 299 A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP provides the addresses of one or two DNS servers for your use. You can configure your computer manually with DNS addresses, as explained in your operating system documentation.
  • Page 300: Troubleshoot A Tcp/Ip Network Using The Ping Utility

    Troubleshoot a TCP/IP Network Using the Ping Utility Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. You can easily troubleshoot a TCP/IP network by using the ping utility in your computer or workstation.
  • Page 301: Test The Path From Your Computer To A Remote Device

    Test the Path from Your Computer to a Remote Device After verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows Run menu, type: ping -n 10 <IP address>...
  • Page 302: Problems With Date And Time

    Figure 181. The VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off.
  • Page 303: Access The Knowledge Base And Documentation

    Daylight Savings Time check box. Access the Knowledge Base and Documentation To access NETGEAR’s knowledge base for the VPN firewall, select Web Support > Knowledgebase. To access NETGEAR’s documentation library for the VPN firewall, select Web Support > Documentation.
  • Page 304: Appendix A Default Settings And Technical Specifications

    Default Settings and Technical Specifications You can use the Factory Defaults Reset button on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see Revert to Factory Default Settings on page 260).
  • Page 305 Table 75. VPN firewall default configuration settings (continued). Feature and default behavior: RIP authentication: Disabled. DHCP server: Enabled. DHCP starting IP address: 192.168.1.2. DHCP ending IP address: 192.168.1.100. Management: Time zone: Time zone adjusted for daylight savings time...
  • Page 306 Table 76. VPN firewall physical and technical specifications (continued). Feature and specification: Environmental specifications: Operating temperatures: 0° to 45°C (32° to 113°F). Storage temperatures: –20° to 70°C (–4° to 158°F). Operating humidity: 90% maximum relative humidity, noncondensing...
  • Page 307 The following table shows the SSL VPN specifications for the VPN firewall: Table 78. VPN firewall SSL VPN specifications Setting Specification Network Management Web-based configuration and status monitoring Number of concurrent users supported SSL versions SSLv3, TLS1.0...
  • Page 308: Appendix B Network Planning For Multiple Wan Ports

    Network Planning for Multiple WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections: • What to Consider Before You Begin •...
  • Page 309: Cabling And Computer Hardware Requirements

    The VPN firewall is capable of being managed remotely, but this feature needs to be enabled locally after each factory default reset. NETGEAR strongly advises you to change the default management password to a strong password before enabling remote management.
  • Page 310: Computer Network Configuration Requirements

    Computer Network Configuration Requirements The VPN firewall integrates a web management interface. To access the configuration screens on the VPN firewall, you need to use a Java-enabled web browser that supports HTTP uploads such as Microsoft Internet Explorer 6 or later, Mozilla Firefox 3 or later, or Apple Safari 3 or later with JavaScript, cookies, and SSL enabled.
  • Page 311 Internet Connection Information Print this page with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP. • ISP Login Name: The login name and password are case-sensitive and need to be entered exactly as given by your ISP.
  • Page 312: Overview Of The Planning Process

    Overview of the Planning Process The areas that require planning when you use a firewall that has multiple WAN ports such as the VPN firewall include the following: • Inbound traffic (port forwarding, port triggering) •...
  • Page 313: Inbound Traffic

    Figure 183. Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port need to be in the identical range of fixed addresses.
  • Page 314: Inbound Traffic To A Single Wan Port System

    Inbound Traffic to a Single WAN Port System The Internet IP address of the VPN firewall’s WAN port needs to be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled.
  • Page 315: Virtual Private Networks

    Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic.
  • Page 316: Vpn Road Warrior (Client-To-Gateway)

    • Dual WAN ports in auto-rollover mode. A gateway configuration with dual WAN ports that function in auto-rollover mode is different from a gateway configuration with a single WAN port when you specify the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes.
  • Page 317 VPN Road Warrior: Single Gateway WAN Port (Reference Case) In a single WAN port gateway configuration, the remote computer client initiates the VPN tunnel because the IP address of the remote computer client is not known in advance. The gateway WAN port needs to act as the responder.
  • Page 318: Vpn Gateway-To-Gateway

    Figure 192. The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote computer client can determine the gateway IP address to establish or reestablish a VPN tunnel.
  • Page 319 • Redundant dual-gateway WAN ports for increased reliability (before and after rollover) • Dual-gateway WAN ports for load balancing VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) In a configuration with two single WAN port gateways, either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in advance.
  • Page 320 After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in the following figure), and one of the gateways needs to reestablish the VPN tunnel.
  • Page 321: Vpn Telecommuter (Client-To-Gateway Through A Nat Router)

    VPN Telecommuter (Client-to-Gateway through a NAT Router) Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router. The following situations exemplify the requirements for a remote computer client connected...
  • Page 322 Figure 199. The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance).
  • Page 323 Figure 201. The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.
  • Page 324: Appendix C System Logs And Error Messages

    • DHCP Logs This appendix uses the following log message terms. Table 81. Log message terms Term Description [SRX5308] System identifier. [kernel] Message from the kernel. CODE Protocol code (for example, protocol is ICMP, type 8) and CODE=0 means successful reply.
  • Page 325: System Log Messages

    Nov 28 12:31:14 [SRX5308] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec Nov 28 12:31:14 [SRX5308] [ntpdate] Synchronized time with time-f.netgear.com Nov 28 12:31:16 [SRX5308] [ntpdate] Date and Time Before Synchronization: Tue Nov 28 12:31:13 GMT+0530 2006 Nov 28 12:31:16 [SRX5308] [ntpdate] Date and Time After Synchronization: Tue...
  • Page 326: Login/Logout

    This section describes logs generated by the administrative interfaces of the device. Table 83. System logs: login/logout Message Nov 28 14:45:42 [SRX5308] [login] Login succeeded: user admin from 192.168.10.10 Explanation Login of user admin from host with IP address 192.168.10.10.
  • Page 327: Firewall Restart

    Unicast, Multicast, and Broadcast Logs Table 88. System logs: unicast Message Nov 24 11:52:55 [SRX5308] [kernel] UCAST IN=SELF OUT=WAN SRC= 192.168.10.1 DST=192.168.10.10 PROTO=UDP SPT=800 DPT=2049 Explanation • This packet (unicast) is sent to the device from the WAN network.
  • Page 328: Wan Status

    Multicast/Broadcast Logs Table 90. System logs: multicast/broadcast Message Jan 1 07:24:13 [SRX5308] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC= 192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 Explanation • This multicast or broadcast packet is sent to the device from the WAN network.
  • Page 329 Table 92. System logs: WAN status, auto-rollover Message Nov 17 09:59:09 [SRX5308] [wand] [LBFO] WAN1 Test Failed 1 of 3 times_ Nov 17 09:59:39 [SRX5308] [wand] [LBFO] WAN1 Test Failed 2 of 3 times_ Nov 17 10:00:09 [SRX5308] [wand] [LBFO] WAN1 Test Failed 3 of 3 times_...
  • Page 330 Nov 29 13:12:49 [SRX5308] [pppd] remote IP address 50.0.0.1 Nov 29 13:12:49 [SRX5308] [pppd] primary DNS address 202.153.32.3 Nov 29 13:12:49 [SRX5308] [pppd] secondary DNS address 202.153.32.3 Nov 29 11:29:26 [SRX5308] [pppd] Terminating connection due to lack of activity. Nov 29 11:29:28 [SRX5308] [pppd] Connect time 8.2 minutes.
  • Page 331 Nov 29 11:19:05 [SRX5308] [pppd] secondary DNS address 202.153.32.2 Nov 29 11:20:45 [SRX5308] [pppd] No response to 10 echo-requests Nov 29 11:20:45 [SRX5308] [pppd] Serial link appears to be disconnected. Nov 29 11:20:45 [SRX5308] [pppd] Connect time 1.7 minutes. Nov 29 11:20:45 [SRX5308] [pppd] Sent 520 bytes, received 80 bytes.
  • Page 332: Resolved Dns Names

    Table 95. System logs: WAN status, PPP authentication Message Nov 29 11:29:26 [SRX5308] [pppd] Starting link Nov 29 11:29:29 [SRX5308] [pppd] Remote message: Login incorrect Nov 29 11:29:29 [SRX5308] [pppd] PAP authentication failed Nov 29 11:29:29 [SRX5308] [pppd] Connection terminated.WAN2(DOWN)_ Explanation Starting link: Starting PPPoE connection process.
  • Page 333 "pol1"_ Messages 8 through 19 2000 Jan 1 04:13:39 [SRX5308] [IKE] Configuration found for 20.0.0.1[500]._ 2000 Jan 1 04:13:39 [SRX5308] [IKE] Received request for new phase 1 negotiation: 20.0.0.2[500]<=>20.0.0.1[500]_ 2000 Jan 1 04:13:39 [SRX5308] [IKE] Beginning Identity Protection mode._ 2000 Jan 1 04:13:39 [SRX5308] [IKE] Received Vendor ID: RFC XXXX_...
  • Page 334 2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi= 181708762._ 2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi= 153677140._ 2000 Jan 1 04:32:25 [SRX5308] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._ 2000 Jan 1 04:32:25 [SRX5308] [IKE] IPSec configuration with identifier "pol1" deleted successfully_ 2000 Jan 1 04:32:25 [SRX5308] [IKE] no phase 2 bounded._...
  • Page 335 192.168.11.0/24<->192.168.10.0/24_ 2000 Jan 1 04:52:33 [SRX5308] [IKE] Configuration found for 20.0.0.1._ 2000 Jan 1 04:52:59 [SRX5308] [IKE] Phase 1 negotiation failed due to time up for 20.0.0.1[500]. b73efd188399b7f2:0000000000000000_ 2000 Jan 1 04:53:04 [SRX5308] [IKE] Phase 2 negotiation failed due to time up waiting for phase 1.
  • Page 336 Message 2000 Jan 1 02:34:45 [SRX5308] [IKE] Deleting generated policy for 20.0.0.1[0]_ 2000 Jan 1 02:34:45 [SRX5308] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._ 2000 Jan 1 02:34:45 [SRX5308] [IKE] Purged IPSec-SA with proto_id=ESP and spi=3000608295(0xb2d9a627)._...
  • Page 337 "SSL VPN Tunnel" src=20.0.0.1 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd= "" msg="SSL VPN Tunnel" Explanation An SSL VPN tunnel is established for ID SRX5308 with the WAN host 20.0.0.1 through WAN interface 20.0.0.2 and logged in with the user name “sai.” Recommended action None Table 105.
  • Page 338: Traffic Meter Logs

    Transport (Java)" src=192.168.11.2 user=sai dst=192.168.11.1 arg= "" op="" result="" rcvd="" msg="Virtual Transport (Java)" Explanation An SSL VPN tunnel through port forwarding is established for ID SRX5308 from the LAN host 192.168.11.2 with interface 192.168.11.1 and logged in with the user name “sai.”...
  • Page 339: Lan To Dmz Logs

    DMZ to LAN Logs Table 112. Routing logs: DMZ to WAN Message Nov 29 09:44:06 [SRX5308] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC= 192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from DMZ to LAN has been dropped by the firewall.
  • Page 340: Wan To Dmz Logs

    Change the session limit to 2 to prevent packets from being dropped. Source MAC Filter Logs Table 115. Other event logs: source MAC filter logs Message 2000 Jan 1 06:40:10 [SRX5308] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0 Explanation Because MAC address 00:12:3f:34:41:14 of LAN host with IP address 192.168.11.3 is filtered so that it cannot access the Internet, the packets sent by...
  • Page 341: Bandwidth Limit Logs

    2000 Jan 1 07:27:48 [SRX5308] [dhcpd] DHCPOFFER on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1 Message 5 2000 Jan 1 07:27:48 [SRX5308] [dhcpd] Wrote 2 leases to leases file. Message 6 2000 Jan 1 07:27:48 [SRX5308] [dhcpd] DHCPREQUEST for 192.168.11.2 (192.168.11.1) from 00:0f:1f:8f:7c:4a via eth0.1 Message 7 2000 Jan 1 07:27:48 [SRX5308] [dhcpd] DHCPACK on 192.168.11.2 to...
  • Page 342 Table 118. DHCP logs (continued) Explanation Message 1: The DHCP server is listening on eth0.1. Message 2: Release of the currently assigned IP address from the host by the DHCP server. Message 3: DHCP broadcast by the host is discovered by the DHCP server.
  • Page 343: Appendix D Two-Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. NETGEAR has implemented a more robust authentication system known as two-factor authentication (2FA or T-FA) to help address the fast-growing network security issues.
  • Page 344: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented two two-factor authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform two-factor authentication on NETGEAR SSL and VPN firewall products.
  • Page 345 To use WiKID (for end users): Launch the WiKID token software, enter the PIN that has been provided (something you know), and then click Continue to receive the OTP from the WiKID authentication server: Figure 202.
  • Page 346 Figure 204. Two-Factor Authentication...
  • Page 347: Appendix E Notification Of Compliance

    This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. FCC Declaration Of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 complies with Part 15 of FCC Rules.
  • Page 348 Canadian Department of Communications Radio Interference Regulations This digital apparatus, ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, does not exceed the Class B limits for radio-noise emissions from digital apparatus as set out in the Radio Interference Regulations of the Canadian Department of Communications.
  • Page 349 Additional Copyrights Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
  • Page 350 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function.
  • Page 351: Index
