NETGEAR SRX5308-100NAS manual



Table of contents for the manual

  • Page 1

    350 East Plumeria Drive San Jose, CA 95134 USA July, 2012 202-10536-04 v1.0 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual[...]

  • Page 2

    2 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 © 2010–2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc. Technical Support[...]

  • Page 3

    3 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 202-10536-02 1.0 July 2011 Added new features that are documented in the following sections: • Configure WAN QoS Profiles • Inbound Rules (Port Forwarding) and Create LAN WAN Inbound Service Rules • Attack Checks • Set Limits for IPv4 Sessions • Create IP Groups • Use the NETGEAR V[...]

  • Page 4

    4 Contents Chapter 1 Introduction What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? . . . 11 Key Features and Capabilities . . . 12 Quad-WAN Ports for Increased Reliability and Load Balancing . . . 13 Advanced VPN Support for Both IPSec and SSL . . .[...]

  • Page 5

    5 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Configure a Static IPv6 Internet Connection . . . 57 Configure a PPPoE IPv6 Internet Connection . . . 60 Configure 6to4 Automatic Tunneling . . . 63 Configure ISATAP Automatic T[...]

  • Page 6

    6 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Order of Precedence for Rules . . . 139 Configure LAN WAN Rules . . . 140 Create LAN WAN Outbound Service Rules . . . 143 Create LAN WAN Inb[...]

  • Page 7

    7 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 User Database Configuration . . . 241 RADIUS Client and Server Configuration . . . 241 Assign IPv4 Addresses to Remote Users (Mode Config) . . . 244 Mode Config Operation . . .[...]

  • Page 8

    8 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 VPN Certificates Screen . . . 314 Manage VPN CA Certificates . . . 315 Manage VPN Self-Signed Certificates . . . 316 Manage the V[...]

  • Page 9

    9 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 When You Enter a URL or IP Address, a Time-Out Error Occurs . . . 387 Troubleshoot the ISP Connection . . . 388 Troubleshooting the IPv6 Connection . . . 389 Troubleshoot a TCP/IP Networ[...]

  • Page 10

    10 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 DMZ to LAN Logs . . . 436 WAN to DMZ Logs . . . 436 Other Event Logs . . .[...]

  • Page 11

    11 1 1. Introduction This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web management interface. The chapter contains the following sections: • What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?[...]

  • Page 12

    Introduction 12 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The VPN firewall is a security solution that protects your network from attacks and intrusions. For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support. The VPN firewall supports mult[...]

  • Page 13

    Introduction 13 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • One console port for local management. • SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for the NETGEAR ProSafe Network Management Software (NMS200) over a LAN connection. • Front panel LEDs for easy monitoring of status and activity. • F[...]

  • Page 14

    Introduction 14 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 - Allows browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari. - Provides granular access to corporate resources based on user type or group membership. A Powerful, True F[...]

  • Page 15

    Introduction 15 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The VPN firewall incorporates Auto Uplink™ technology. Each Ethernet port automatically senses[...]

  • Page 16

    Introduction 16 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • Auto-detection of ISP. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account. • IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure[...]

  • Page 17

    Introduction 17 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Hardware Features • Front Panel • Rear Panel • Bottom Panel with Product Label The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are described in the following sections. Front Panel Viewed from left to right, the VPN firewall fr[...]

  • Page 18

    Introduction 18 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 1. LED descriptions LED Activity Description Power On (green) Power is supplied to the VPN firewall. Off Power is not supplied to the VPN firewall. Test On (amber) during startup. Test mode: The VPN firewall is initializing. After approximately 2 minutes, when the VPN f[...]

  • Page 19

    Introduction 19 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Rear Panel The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a cable lock receptacle, an AC power connection, and a power switch. Figure 2. Viewed from left to right, the rear panel contains the following components: 1. Cable[...]

  • Page 20

    Introduction 20 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Choose a Location for the VPN Firewall The VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the VPN firewall in a wiring closet or e[...]

  • Page 21

    Introduction 21 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Log In to the VPN Firewall Note: To connect the VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide. A PDF of this guide is on the NETGEAR[...]

  • Page 22

    Introduction 22 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Note: The first time that you remotely connect to the VPN firewall with a browser through an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL certificate. 3. In the User Name field, type admin.[...]

  • Page 23

    Introduction 23 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Web Management Interface Menu Layout The following figure shows the menu at the top of the web management interface: Figure 7. The web management interface menu consists of the following components: • 1st level: Main navigation menu links. The main navigation menu in the orange[...]

  • Page 24

    Introduction 24 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 - The IPv6 button is operational but the IPv4 button is disabled. You can configure the feature onscreen for IPv6 functionality only. - Both buttons are disabled. IP functionality does not apply. The bottom of each screen provides action buttons. The nature of the screen deter[...]

  • Page 25

    Introduction 25 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Requirements for Entering IP Addresses To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically from the VPN firewall, either an IPv4 address through DHCP or an IPv6 address through DHCPv6, or both. IPv4 The fourth octet of an I[...]

  • Page 26

    26 2 2. IPv4 and IPv6 Internet and WAN Settings This chapter explains how to configure the IPv4 and IPv6 Internet and WAN settings. The chapter contains the following sections: • Internet and WAN Configuration Tasks • Configure the IPv4 Internet Connection and WAN Settings • Configure the IPv6 Internet Connection and WAN Settings[...]

  • Page 27

    IPv4 and IPv6 Internet and WAN Settings 27 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Tasks to Set Up IPv4 Internet Connections to Your ISPs Complete these tasks: 1. Configure the IPv4 routing mode. Select either NAT or classical routing: see Configure the IPv4 WAN Mode on page 28. 2. Configure the IPv4 Internet connection[...]

  • Page 28

    IPv4 and IPv6 Internet and WAN Settings 28 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 3. Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISATAP tunnels: See Configure 6to4 Automatic Tunneling on page 63 and Configure ISATAP Automatic Tunneling on page 64. 4. (Optional) Configure Stateless IP/ICMP Translation (S[...]

  • Page 29

    IPv4 and IPv6 Internet and WAN Settings 29 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Note the following about NAT: • The VPN firewall uses NAT to select the correct computer (on your LAN) to receive any incoming data. • If you have only a single public Internet IP address, you need to use NAT (the default setting). • If yo[...]

  • Page 30

    IPv4 and IPv6 Internet and WAN Settings 30 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button or the Classical Routing radio button. WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings. 3. Cli[...]

  • Page 31

    IPv4 and IPv6 Internet and WAN Settings 31 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 You can set the failure detection method for each WAN interface on its corresponding WAN Advanced Options screen (see Configure the Auto-Rollover Mode and Failure Detection Method on page 44). • Action. The Edit table button provides access[...]

  • Page 32

    IPv4 and IPv6 Internet and WAN Settings 32 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • If the autodetect process senses a connection method that requires input from you, it prompts you for the information. The following table explains the settings that you might have to enter: • If the autodetect process does not find a connectio[...]

  • Page 33

    IPv4 and IPv6 Internet and WAN Settings 33 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 13. The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection on page 33, or see T[...]

  • Page 34

    IPv4 and IPv6 Internet and WAN Settings 34 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The IPv4 WAN Settings table displays the following fields: • WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4). • Status. The status of the WAN interface (UP or DOWN). • WAN IP. The IPv4 address of the WAN interface. • Failure De[...]

  • Page 35

    IPv4 and IPv6 Internet and WAN Settings 35 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 16. 6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table: Table 3. PPTP and PPPoE settings Setting Description Austria (PPTP) Note: For login and password information,[...]

  • Page 36

    IPv4 and IPv6 Internet and WAN Settings 36 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 7. In the Internet (IP) Address section of the screen (see the following figure), configure the IP address settings as explained in the following table. Click the Current IP Address link to see the currently assigned IP address. Figure 17. Other (PPPoE[...]

  • Page 37

    IPv4 and IPv6 Internet and WAN Settings 37 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 8. In the Domain Name Server (DNS) Servers section of the screen (see the following figure), specify the DNS settings as explained in the following table. Figure 18. Table 4. Internet IP address settings Setting Description Get Dynamically from ISP[...]

  • Page 38

    IPv4 and IPv6 Internet and WAN Settings 38 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 9. Click Apply to save your changes. 10. Click Test to evaluate your entries. The VPN firewall attempts to make a connection according to the settings that you entered. 11. Verify the connection: a. Select Network Configuration > WAN Settings >[...]

  • Page 39

    IPv4 and IPv6 Internet and WAN Settings 39 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Configure Load Balancing or Auto-Rollover The VPN firewall can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency). If you do not select load b[...]

  • Page 40

    IPv4 and IPv6 Internet and WAN Settings 40 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Protocol binding addresses two issues: • Segregation of traffic between links that are not of the same speed. High-volume traffic can be routed through the WAN port connected to a high-speed link, and low-volume traffic can be routed through the W[...]

  • Page 41

    IPv4 and IPv6 Internet and WAN Settings 41 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 connection to the Internet could be made on the WAN3 interface. This load balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions. 3. Click Apply to save your settings. Configure Protocol Bi[...]

  • Page 42

    IPv4 and IPv6 Internet and WAN Settings 42 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 22. 4. Configure the protocol binding settings as explained in the following table: Table 6. Add Protocol Binding screen settings Setting Description Service From the drop-down list, select a service or application to be covered by this rule. If t[...]

  • Page 43

    IPv4 and IPv6 Internet and WAN Settings 43 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 5. Click Apply to save your settings. The protocol binding rule is added to the Protocol Binding table. The rule is automatically enabled, which is indicated by the ! status icon that displays a green circle. To edit a protocol binding: 1. On the P[...]

  • Page 44

    IPv4 and IPv6 Internet and WAN Settings 44 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Configure the Auto-Rollover Mode and Failure Detection Method To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this[...]

  • Page 45

    IPv4 and IPv6 Internet and WAN Settings 45 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 2. In the Load Balancing Settings section of the screen, configure the following settings: a. Select the Primary WAN Mode radio button. b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN inter[...]

  • Page 46

    IPv4 and IPv6 Internet and WAN Settings 46 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Note: The default time to roll over after the primary WAN interface fails is 2 minutes. The minimum test period is 30 seconds, and the minimum number of tests is 2. 5. Click Apply to save your settings. You can configure the VPN firewall to generate[...]

  • Page 47

    IPv4 and IPv6 Internet and WAN Settings 47 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 After you have configured secondary WAN addresses, these addresses are displayed on the following firewall rule screens: • In the WAN Destination IP Address drop-down lists of the following inbound firewall rule screens: - Add LAN WAN Inbound Ser[...]

  • Page 48

    IPv4 and IPv6 Internet and WAN Settings 48 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 24. The List of Secondary WAN addresses table displays the secondary LAN IP addresses added for the selected WAN interface. 4. In the Add WAN Secondary Addresses section of the screen, enter the following settings: • IP Address. Enter the[...]

  • Page 49

    IPv4 and IPv6 Internet and WAN Settings 49 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 domain, and restores DNS requests for the resulting fully qualified domain name (FQDN) to your frequently changing IP address. After you have configured your account information on the VPN firewall, when your ISP-assigned IP address changes, your VPN[...]

  • Page 50

    IPv4 and IPv6 Internet and WAN Settings 50 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 25. 3. Click the Information option arrow in the upper right of a DNS screen for registration information (for example, DynDNS Information). Figure 26. 4. Access the website of the DDNS service provider, and register for an account (for example[...]

  • Page 51

    IPv4 and IPv6 Internet and WAN Settings 51 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 5. Configure the DDNS service settings as explained in the following table: 6. Click Apply to save your configuration. Configure the IPv6 Internet Connection and WAN Settings • Configure the IPv6 Routing Mode • Use a DHCPv6 Server to Configure an I[...]

  • Page 52

    IPv4 and IPv6 Internet and WAN Settings 52 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Note: You can configure only one WAN interface for IPv6. This restriction might be lifted in a later release. You can configure the other three WAN interfaces for IPv4. The nature of your IPv6 network determines how you need to configure the IPv6 Int[...]

  • Page 53

    IPv4 and IPv6 Internet and WAN Settings 53 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 These are the options: • IPv4-only mode. The VPN firewall communicates only with devices that have IPv4 addresses. • IPv4/IPv6 mode. The VPN firewall communicates with both devices that have IPv4 addresses and devices that have IPv6 addresses. N[...]

  • Page 54

    IPv4 and IPv6 Internet and WAN Settings 54 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 WARNING: Changing the IP routing mode causes the VPN firewall to reboot. 3. Click Apply to save your changes. Use a DHCPv6 Server to Configure an IPv6 Internet Connection The VPN firewall can autoconfigure its ISP settings through a DHCPv6 server by usi[...]

  • Page 55

    IPv4 and IPv6 Internet and WAN Settings 55 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The IPv6 WAN Settings table displays the following fields: • WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4). • Status. The status of the WAN interface (UP or DOWN). • WAN IP. The IPv6 address of the WAN interface. • Action. T[...]

  • Page 56

    IPv4 and IPv6 Internet and WAN Settings 56 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 6. As an optional step: If you have selected the Stateless Address Auto Configuration radio button, you can select the Prefix Delegation check box: • Prefix delegation check box is selected. A prefix is assigned by the ISP's stateful DHCPv6 serv[...]

  • Page 57

    IPv4 and IPv6 Internet and WAN Settings 57 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Configure a Static IPv6 Internet Connection To configure a static IPv6 or PPPoE IPv6 Internet connection, you need to enter the IPv6 address information that you should have received from your ISP. To configure static IPv6 ISP settings for a W[...]

  • Page 58

    IPv4 and IPv6 Internet and WAN Settings 58 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 32. 4. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6. 5. In the Static IP Address section of the screen, enter the settings as explained in the following table. You should have received stati[...]

  • Page 59

    IPv4 and IPv6 Internet and WAN Settings 59 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 6. Click Apply to save your changes. 7. Verify the connection: a. Select Network Configuration > WAN Settings > WAN Setup. b. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings[...]

  • Page 60

    IPv4 and IPv6 Internet and W AN Settings 60 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 Configure a PPP oE IPv6 Internet Connection T o configure a PPPoE IPv6 Internet connection, yo u need to enter the PPPoE IPv6 information that you sho uld have received from your ISP .  T o configure PPPoE IPv6 ISP settings for a W AN interface: 1. Sel[...]

  • Page 61

    IPv4 and IPv6 Internet and W AN Settings 61 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 Figure 35. 4. In the Internet Address section of the screen, from the IPv6 drop-down list, select PPPoE . 5. In the PPPoE IPv6 section of the screen, enter the settings as explained in the following table. Y ou should have received PPPoE IPv6 information[...]

  • Page 62

    IPv4 and IPv6 Internet and W AN Settings 62 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 6. Click Apply to save your changes. 7. V erify the connection: a. Select Network Configuration > W AN Settings > W AN Setup . b. In the upper right of the screen, select the IPv6 rad io b ut to n. The W AN Setup screen displays the IPv6 settings (s[...]

  • Page 63

    IPv4 and IPv6 Internet and W AN Settings 63 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 Note: If your ISP requires MAC authentication and anothe r MAC address has been previously registered with your ISP , then you need to enter that address on the W AN Advanced Options screen for th e corresponding W AN interface (see Configure Advanced W [...]

  • Page 64

    IPv4 and IPv6 Internet and W AN Settings 64 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 Figure 36. 2. Select the Enable Automatic T unneling check box. 3. Click Apply to save your changes. Configure ISA T AP Automatic T unneling If your network is an IPv4 netwo rk or IPv6 network that consist s of both IPv4 and IPv6 devices, you need to make[...]

  • Page 65

    IPv4 and IPv6 Internet and W AN Settings 65 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308  T o configure an ISA T AP tunnel: 1. Select Network Configuration > W AN Settings > ISA T AP T unnels . The ISA T AP T unnels screen displays. (The followi ng figure shows some examples.) Figure 37. 2. Click the Add table button under the List [...]

  • Page 66

    IPv4 and IPv6 Internet and W AN Settings 66 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308  T o edit an ISA T AP tunnel: 1. On the ISA T AP T unnels screen, click the Edit button in the Action column for th e tunnel that you want to modify . The Edit ISA T AP T unnel screen displays. This screen is identical to the Add ISA T AP T unnel scree[...]

  • Page 67

    IPv4 and IPv6 Internet and W AN Settings 67 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 SIIT functions with IPv4-translated ad dresses, which are addresses of the format 0::ff ff:0:0:0/96 for IPv6 -enabled devices. Y ou can substitute an IPv4 address in the format a.b.c.d for p art of the IPv6 address so that the IPv4-translated address bec[...]

  • Page 68

    IPv4 and IPv6 Internet and W AN Settings 68 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308  T o configure advanced W AN options: 1. Select Network Configuration > W AN Settings > W AN Setup . In the upper right of the screen, the IPv4 radio butt on is selected by default. The W AN Setup screen displays the IPv4 settings: Figure 41. 2. [...]

  • Page 69

    IPv4 and IPv6 Internet and W AN Settings 69 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 3. Click the Advanced op tion arrow in the upper right of the screen. The W AN Advanced Options screen displays for the WAN interface that you selected. (The following figure sh ows the W AN2 Advanced Options screen as an example.) Figure 43. 4. Enter th[...]

  • Page 70

    IPv4 and IPv6 Internet and W AN Settings 70 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 Spee d In most cases, the VPN firewall can automatically det ermine the connection speed of the W AN port of the device (modem, dish, or rou ter) that provides the W AN connection. If you cannot establish an Internet connection, you might need to manually[...]

  • Page 71

    IPv4 and IPv6 Internet and W AN Settings 71 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 5. Click Apply to save your changes. W ARNING: Depending on the changes that you made, when you click Apply , the VPN firewall might rest art, or services such as HTTP and SMTP might rest art. Failure Detection Method Failure Detection Method Select a fa[...]

  • Page 72

    IPv4 and IPv6 Internet and W AN Settings 72 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 If you want to configure the advanced settings for an a dditional WAN interface, sele ct another W AN interface and repeat these step s. Configure W AN QoS Profiles The VPN firewall can support multiple Quality of Service (QoS) prof iles for each W AN int[...]

  • Page 73

    IPv4 and IPv6 Internet and W AN Settings 73 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 Figure 44. 2. T o enable QoS, select the Ye s radio button. By default, the No radio button is select ed. 3. S pecify the profile type that should be active by selecting one of the following radio buttons: • Rate con trol . All rate co ntrol QoS profil[...]

  • Page 74

    IPv4 and IPv6 Internet and W AN Settings 74 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 Figure 45. 3. Enter the settings as explained in the following t able: T able 13. Add QoS screen settings for a rate control profile Setting Description QoS T ype Rate Control (for Priority , see Figure 46 on page 76 and T able 14 on page 76). Interface F[...]

  • Page 75

    IPv4 and IPv6 Internet and WAN Settings 75 Congestion Priority From the drop-down list, select the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall: • Default. Traffic is mapped ba[...]

  • Page 76

    IPv4 and IPv6 Internet and WAN Settings 76 4. Click Apply to save your settings. The profile is added to the List of QoS Profiles table on the QoS screen. To add a priority queue QoS profile: 1. Select Network Configuration > QoS. The QoS screen displays. 2. Under the List of QoS Profile[...]

  • Page 77

    IPv4 and IPv6 Internet and WAN Settings 77 4. Click Apply to save your settings. The profile is added to the List of QoS Profiles table on the QoS screen. Service From the drop-down list, select a service or application to be covered by this profile. If the service or application does not [...]

  • Page 78

    IPv4 and IPv6 Internet and WAN Settings 78 To edit a QoS profile: 1. In the List of QoS Profiles table, click the Edit table button to the right of the profile that you want to edit. The Edit QoS screen displays. This screen shows the same fields as the Add QoS screen (see the previous[...]

  • Page 79

    79 3. LAN Configuration This chapter describes how to configure the LAN features of your VPN firewall. The chapter contains the following sections: • Manage IPv4 Virtual LANs and DHCP Options • Configure IPv4 Multihome LAN IP Addresses on the Default VLAN • Manage IPv4 Groups and Hosts (IPv4 LAN Groups) • Manage the IPv6 LAN •[...]

  • Page 80

    LAN Configuration 80 a single VLAN, they can share resources and bandwidth as if they were connected to the same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, depending on how the IT mana[...]

  • Page 81

    LAN Configuration 81 packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged. All other packets are tagged according to the VLAN ID that you assigned to the VLAN when you created the [...]

  • Page 82

    LAN Configuration 82 For each VLAN profile, the following fields display in the VLAN Profiles table: • Check box. Allows you to select the VLAN profile in the table. • Status icon. Indicates the status of the VLAN profile: - Green circle. The VLAN profile is enabled. - Gray circle. The [...]

  • Page 83

    LAN Configuration 83 DHCP Relay DHCP relay options allow you to make the VPN firewall a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP relay agent is there[...]

  • Page 84

    LAN Configuration 84 Figure 48. 2. Click the Add table button under the VLAN Profiles table. The Add VLAN Profile screen displays: Figure 49.[...]

  • Page 85

    LAN Configuration 85 3. Enter the settings as explained in the following table: Table 15. Add VLAN Profile screen settings Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile. VLAN ID Enter a unique ID number for the VLAN profile. No two VLANs can have the sa[...]

  • Page 86

    LAN Configuration 86 Enable DHCP Server Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. (For the default VLAN, the DHCP server is e[...]

  • Page 87

    LAN Configuration 87 4. Click Apply to save your settings. Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change these default traffic rules, see Cha[...]

  • Page 88

    LAN Configuration 88 To edit a VLAN profile: 1. On the LAN Setup screen for IPv4 (see Figure 48 on page 84), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays. This screen is identical to the Add VLAN Profile scre[...]

  • Page 89

    LAN Configuration 89 Figure 50. 3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) 4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by[...]

  • Page 90

    LAN Configuration 90 The following is an example of correctly configured IPv4 addresses: • WAN IP address. 10.0.0.1 with subnet 255.0.0.0 • DMZ IP address. 176.16.2.1 with subnet 255.255.255.0 • Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0 • Secondary LAN IP address.[...]

  • Page 91

    LAN Configuration 91 To edit a secondary LAN IP address: 1. On the LAN Multi-homing screen for IPv4 (see the previous figure), click the Edit button in the Action column for the secondary IP address that you want to modify. The Edit LAN Multi-homing screen displays. 2. Modify the IP address[...]

  • Page 92

    LAN Configuration 92 These are some advantages of the network database: • Generally, you do not need to enter an IP address or a MAC address. Instead, you can select the name of the desired computer or device. • There is no need to reserve an IP address for a computer in the DHCP server. A[...]

  • Page 93

    LAN Configuration 93 Figure 52. The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display: • Check box. Allows you to select the computer or device in the table. • Name. The name of the computer or device. For com[...]

  • Page 94

    LAN Configuration 94 Add Computers or Devices to the Network Database To add computers or devices manually to the network database: 1. In the Add Known PCs and Devices section of the LAN Groups screen (see the previous figure), enter the settings as explained in the following table: 2. C[...]

  • Page 95

    LAN Configuration 95 Edit Computers or Devices in the Network Database To edit computers or devices manually in the network database: 1. In the Known PCs and Devices table of the LAN Groups screen (see Figure 52 on page 93), click the Edit table button of a table entry. The Edit LA[...]

  • Page 96

    LAN Configuration 96 To edit the name of one of the eight available groups: 1. Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays (see Figure 52 on page 93, which shows some examples in the Known PCs and Devices table). 2. Click the Edit Group [...]

  • Page 97

    LAN Configuration 97 Note: The reserved address is not assigned until the next time the computer or device contacts the VPN firewall’s DHCP server. Reboot the computer or device, or access its IP configuration and force a DHCP release and renew. Note: The saved binding is also displayed o[...]

  • Page 98

    LAN Configuration 98 DHCPv6 Server Options The IPv6 clients in the LAN can autoconfigure their own IPv6 address or obtain an IPv6 address through a DHCPv6 server. For the LAN, there are three DHCPv6 options: Stateless DHCPv6 Server The IPv6 clients in the LAN generate their own IP address by u[...]

  • Page 99

    LAN Configuration 99 Stateful DHCPv6 Server The IPv6 clients in the LAN obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server. The IP address is a dynamic address. For stateful DHCPv6, you need to configure I[...]

  • Page 100

    LAN Configuration 100 3. Enter the settings as explained in the following table. The IPv6 address pools and prefixes for prefix delegation are explained in the sections following the table. Table 17. LAN Setup screen settings for IPv6 Setting Description IPv6 LAN Setup IPv6 Address Enter the LAN [...]

  • Page 101

    LAN Configuration 101 4. Click Apply to save your changes. IPv6 LAN Address Pools If you configure a stateful DHCPv6 server for the LAN, you need to add local DHCP IPv6 address pools so the DHCPv6 server can control the allocation of IPv6 addresses in the LAN. To add an IPv6 LAN address po[...]

  • Page 102

    LAN Configuration 102 Figure 56. 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of IPv6 Address Pools table on the LAN Setup screen for IPv6. To edit an IPv6 LAN address pool: 1. On the LAN S[...]

  • Page 103

    LAN Configuration 103 IPv6 LAN Prefixes for Prefix Delegation If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation check box (both on the ISP IPv6 WAN Settings screen and on the LAN Setup screen for IPv6), a prefix delegation pool is automatically added to th[...]

  • Page 104

    LAN Configuration 104 Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Daemon (RADVD) and advertisement prefixes. The RADVD is a[...]

  • Page 105

    LAN Configuration 105 To configure the Router Advertisement Daemon for the LAN: 1. Select Network Configuration > LAN Settings. 2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings (see Figure 55 on page 99). 3. To the rig[...]

  • Page 106

    LAN Configuration 106 5. Click Apply to save your changes. Advertisement Prefixes for the LAN You need to configure the prefixes that are advertised in the LAN RAs. For a 6to4 address, you need to specify only the site level aggregation identifier (SLA ID) and the prefix lifetime. For a global,[...]

  • Page 107

    LAN Configuration 107 Figure 59. 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of Prefixes to Advertise table on the RADVD screen for the LAN. To edit an advertisement prefix: 1. On the RADV[...]

  • Page 108

    LAN Configuration 108 3. Click Apply to save your settings. To delete one or more advertisement prefixes: 1. On the RADVD screen for the LAN (see Figure 58 on page 105), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table bu[...]

  • Page 109

    LAN Configuration 109 3. In the Add Secondary LAN IP Address section of the screen, enter the following settings: • IPv6 Address. Enter the secondary address that you want to assign to the LAN ports. • Prefix Length. Enter the prefix length for the secondary IP address. 4. Click the Add[...]

  • Page 110

    LAN Configuration 110 By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. Using a DMZ port is also helpful with online games and videoconferencing applicat[...]

  • Page 111

    LAN Configuration 111 Figure 61. 2. Enter the settings as explained in the following table: Table 22. DMZ Setup screen settings for IPv4 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ por[...]

  • Page 112

    LAN Configuration 112 DHCP for DMZ Connected Computers Disable DHCP Server If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP serve[...]

  • Page 113

    LAN Configuration 113 3. Click Apply to save your settings. DMZ Port for IPv6 Traffic The DMZ Setup (IPv6) screen lets you set up the DMZ port for IPv6 traffic. You can enable or disable the hardware DMZ port (LAN port 4; see Front Panel on page 17) for IPv6 traffic and configure an IPv6 ad[...]

  • Page 114

    LAN Configuration 114 • Stateful DHCPv6 server. The IPv6 clients in the DMZ obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server. The IP address is a dynamic address. For stateful DHCPv6, you need to configu[...]

  • Page 115

    LAN Configuration 115 3. Enter the settings as explained in the following table: Table 23. DMZ Setup screen settings for IPv6 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port settings[...]

  • Page 116

    LAN Configuration 116 4. Click Apply to save your settings. IPv6 DMZ Address Pools If you configure a stateful DHCPv6 server for the DMZ, you need to add local DHCP IPv6 address pools so the DHCPv6 server can control the allocation of IPv6 addresses in the DMZ. To add an IPv6 DMZ address [...]

  • Page 117

    LAN Configuration 117 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of IPv6 Address Pools table on the DMZ Setup (IPv6) screen. To edit an IPv6 DMZ address pool: 1. On the DMZ Setup screen f[...]

  • Page 118

    LAN Configuration 118 Hosts and routers in the LAN use NDP to determine the link-layer addresses and related information of neighbors in the LAN that can forward packets on their behalf. The VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such [...]

  • Page 119

    LAN Configuration 119 Figure 64. 4. Enter the settings as explained in the following table: Table 26. RADVD screen settings for the DMZ Setting Description RADVD Status Specify the RADVD status by making a selection from the drop-down list: • Enable. The RADVD is enabled, and the RADVD [...]

  • Page 120

    LAN Configuration 120 5. Click Apply to save your changes. Advertisement Prefixes for the DMZ You need to configure the prefixes that are advertised in the DMZ RAs. For a 6to4 address, you need to specify only the site level aggregation identifier (SLA ID) and the prefix lifetime. For a global,[...]

  • Page 121

    LAN Configuration 121 Figure 65. 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of Prefixes to Advertise table on the RADVD screen for the DMZ. To edit an advertisement prefix: 1. On the RADVD [...]

  • Page 122

    LAN Configuration 122 3. Click Apply to save your settings. To delete one or more advertisement prefixes: 1. On the RADVD screen for the DMZ (see Figure 64 on page 119), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All [...]

  • Page 123

    LAN Configuration 123 Figure 66. 2. Click the Add table button under the Static Routes table. The Add Static Route screen displays: Figure 67. 3. Enter the settings as explained in the following table: Table 28. Add Static Route screen settings for IPv4 Setting Description Route Name The ro[...]

  • Page 124

    LAN Configuration 124 4. Click Apply to save your settings. The new static route is added to the Static Routes table. To edit an IPv4 static route: 1. On the Static Routing screen for IPv4 (see Figure 66 on page 123), click the Edit button in the Action column for the route that you wan[...]

  • Page 125

    LAN Configuration 125 Figure 68. 3. Enter the settings as explained in the following table: Table 29. RIP Configuration screen settings Setting Description RIP RIP Direction From the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP packets: •[...]

  • Page 126

    LAN Configuration 126 4. Click Apply to save your settings. RIP Version By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version: • RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version. [...]

  • Page 127

    LAN Configuration 127 IPv4 Static Route Example In this example, we assume the following: • The VPN firewall’s primary Internet access is through a cable modem to an ISP. • The VPN firewall is on a local LAN with IP address 192.168.1.100. • The VPN firewall connects to a remote net[...]

  • Page 128

    LAN Configuration 128 Figure 69. 3. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing screen displays: Figure 70. 4. Enter the settings as explained in the following table: Table 30. Add IPv6 Static Routing screen settings Setting Description Route Name T[...]

  • Page 129

    LAN Configuration 129 5. Click Apply to save your settings. The new static route is added to the List of IPv6 Static Routes table. To edit an IPv6 static route: 1. On the Static Routing screen for IPv6 (see Figure 69 on page 128), click the Edit button in the Action column for the route [...]

  • Page 130

    130 4. Firewall Protection This chapter describes how to use the firewall features of the VPN firewall to protect your network. The chapter contains the following sections: • About Firewall Protection • Overview of Rules to Block or Allow Specific Kinds of Traffic • Configure LAN WAN Rules • Configure DMZ WAN Rules • Con[...]

  • Page 131

    Firewall Protection 131 incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT. For IPv6, which in itself provides stronger security than IPv4, a firewall in particular controls the exchange of traffic between the Internet, DMZ, and L[...]

  • Page 132

    Firewall Protection 132 A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the VPN firewall are: • Inbound. Block all access from outside except responses to requests from the LAN side. • Outbound. Allow all access from the LAN side to the [...]

  • Page 133

    Firewall Protection 133 Outbound Rules (Service Blocking) The VPN firewall allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering. Note: See Enable Source MAC Filtering on page 186 for yet another way to block [...]

  • Page 134

    Firewall Protection 134 LAN Users The settings that determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN. • Single address. Enter the required address in the Start field to apply the rule to a single device on [...]

  • Page 135

    Firewall Protection 135 Inbound Rules (Port Forwarding) If you have enabled Network Address Translation (NAT), your network presents one IP address only to the Internet, and outside users cannot directly access any of your local computers (LAN users). (For information about configuring NAT [...]

  • Page 136

    Firewall Protection 136 Whether or not DHCP is enabled, how the computer accesses the server’s LAN address impacts the inbound rules. For example: • If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease [...]

  • Page 137

    Firewall Protection 137 Table 33. Inbound rules overview Setting Description Inbound Rules Service The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services screen (see Add Customized Services on[...]

  • Page 138

    Firewall Protection 138 LAN Users These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing, and determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN. • Single address. Enter th[...]

  • Page 139

    Firewall Protection 139 Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location. [...]

  • Page 140

    Firewall Protection 140 Figure 71. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services tables, beginning at the top of each table and proceeding to the bottom of each table. In [...]

  • Page 141

    Firewall Protection 141 Figure 72. 2. From the Default Outbound Policy drop-down list, select Block Always. (By default, Allow Always is selected.) 3. Next to the drop-down list, click the Apply table button. To change an existing outbound or inbound service rule, in the Action column to the ri[...]

  • Page 142

    Firewall Protection 142 Figure 73. 3. From the Default Outbound Policy drop-down list, select Block Always. (By default, Allow Always is selected.) 4. Next to the drop-down list, click the Apply table button. To change an existing outbound or inbound service rule, in the Action column to the ri[...]

  • Page 143

    Firewall Protection 143 Create LAN WAN Outbound Service Rules You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule[...]

  • Page 144

    Firewall Protection 144 Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists: • Select Schedule • QoS Profile • Bandwidth Profile • NAT IP (This drop-down list is available o[...]

  • Page 145

    Firewall Protection 145 Create LAN WAN Inbound Service Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked. Remember that allowing in[...]

  • Page 146

    Firewall Protection 146 2. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • WAN Destination IP Address • LAN Users (This drop-down list is[...]

  • Page 147

    Firewall Protection 147 3. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • LAN Users • WAN Users Unless your selection from the [...]

  • Page 148

    Firewall Protection 148 Figure 78. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the tab[...]

  • Page 149

    Firewall Protection 149 Figure 79. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the tabl[...]

  • Page 150

    Firewall Protection 150 IPv4 DMZ WAN Outbound Service Rules To create a new IPv4 DMZ WAN outbound rule: 1. In the upper right of the DMZ WAN Rules screen, the IPv4 radio button is selected by default. The screen displays the IPv4 settings (see Figure 78 on page 148). Click the Add table [...]

  • Page 151

    Firewall Protection 151 IPv6 DMZ WAN Outbound Service Rules To create a new IPv6 DMZ WAN outbound rule: 1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 79 on page 149). 2. Click the Add table button under[...]

  • Page 152

    Firewall Protection 152 IPv4 DMZ WAN Inbound Service Rules To create a new IPv4 DMZ WAN inbound rule: 1. In the upper right of the DMZ WAN Rules screen, the IPv4 radio button is selected by default. The screen displays the IPv4 settings (see Figure 78 on page 148). Click the Add table bu[...]

  • Page 153

    Firewall Protection 153 IPv6 DMZ WAN Inbound Service Rules To create a new IPv6 DMZ WAN inbound rule: 1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 79 on page 149). 2. Click the Add table button under t[...]

  • Page 154

    Firewall Protection 154 There is no drop-down list that lets you set the default outbound policy as there is on the LAN WAN Rules screen. You can change the default outbound policy by allowing all outbound traffic and then blocking specific services from passing through the VPN firewall. You [...]

  • Page 155

    Firewall Protection 155 Figure 85. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the tabl[...]

  • Page 156

    Firewall Protection 156 IPv4 LAN DMZ Outbound Service Rules To create a new IPv4 LAN DMZ outbound rule: 1. In the upper right of the LAN DMZ Rules screen, the IPv4 radio button is selected by default. The screen displays the IPv4 settings (see Figure 84 on page 154). Click the Add table bu[...]

  • Page 157

    Firewall Protection 157 Figure 87. 3. Enter the settings as explained in Table 32 on page 133. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • LAN Users • DMZ Users Unless your selection f[...]

  • Page 158

    Firewall Protection 158 Figure 88. 2. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • LAN Users • DMZ Users Unless your selection f[...]

  • Page 159

    Firewall Protection 159 Figure 89. 3. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • LAN Users • DMZ Users Unless your selection f[...]

  • Page 160

    Firewall Protection 160 Figure 90. IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see th[...]

  • Page 161

    Firewall Protection 161 Figure 91. IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the VPN firewall to host an additional public IP a[...]

  • Page 162

    Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Int[...]

  • Page 163

    this address on the WAN2 Secondary Addresses screen (see Configure Secondary WAN Addresses on page 46) before you can select it from the WAN Destination IP Address drop-down list. 8. Click Apply to save your settings. The rule is now added to the Inbound Services tabl[...]

  • Page 164

    WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the compute[...]

  • Page 165

    Figure 95. IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet If you want to allow a group of DMZ users to access a particular FTP site on the Internet during working hours, you can create an outbound rule to allow such traffic by[...]

  • Page 166

    Configure Other Firewall Features • Attack Checks • Set Limits for IPv4 Sessions • Manage the Application Level Gateway for SIP Sessions You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions. Attack Che[...]

  • Page 167

    2. Enter the settings as explained in the following table: Table 34. Attack Checks screen settings for IPv4 Setting Description WAN Security Checks Respond to Ping on Internet Ports Select the Respond to Ping on Internet Ports check box to enable the VPN firewal[...]

  • Page 168

    3. Click Apply to save your settings. IPv6 Attack Checks To enable IPv6 attack checks for your network environment: 1. Select Security > Firewall > Attack Checks. 2. In the upper right of the screen, select the IPv6 radio button. The Attack Checks screen displa[...]

  • Page 169

    address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet. • IPsec. Select the IPsec check box to enable IPSec VPN traffic that is initiated from the [...]

  • Page 170

    3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. Table 35. Session Limit screen settings Setting Description Session Limit Session Limit Control From the drop-down list, select one of the following options: • When sing[...]

  • Page 171

    Manage the Application Level Gateway for SIP Sessions The application level gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP client[...]

  • Page 172

    Note: A schedule narrows down the period during which a firewall rule is applied. For information about specifying schedules, see Set a Schedule to Block or Allow Specific Traffic on page 185. Add Customized Services Services are functions performed by server computers [...]

  • Page 173

    Figure 101. 2. In the Add Customer Service section of the screen, enter the settings as explained in the following table: 3. Click Apply to save your settings. The new custom service is added to the Custom Services table. To edit a service: 1. In the Custom Service[...]

  • Page 174

    Figure 102. 2. Modify the settings that you wish to change (see the previous table). 3. Click Apply to save your changes. The modified service is displayed in the Custom Services table. To delete one or more services: 1. In the Custom Services table, select the chec[...]

  • Page 175

    2. In the Add New Custom IP Group section of the screen, do the following: • In the IP Group Name field, enter a name for the group. • From the IP Group Type drop-down list, select LAN Group or WAN Group. 3. Click Apply to save your changes. The new IP gro[...]

  • Page 176

    To delete an IP group: 1. In the Custom IP Groups table, select the check box to the left of the IP group that you want to delete, or click the Select All table button to select all groups. 2. Click the Delete table button. Create Bandwidth Profiles Bandw[...]

  • Page 177

    Figure 105. 2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays: Figure 106. 3. Enter the settings as explained in the following table: Table 37. Add Bandwidth Profile screen settings Setting Descriptio[...]

  • Page 178

    4. Click Apply to save your settings. The new bandwidth profile is added to the List of Bandwidth Profiles table. 5. In the Bandwidth Profiles section of the screen, select the Yes radio button under Enable Bandwidth Profiles? (By default the No radio button is selected.) [...]

  • Page 179

    Create Quality of Service Profiles for IPv4 Firewall Rules A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall. A QoS profile becomes active only [...]

  • Page 180

    Figure 108. 3. Enter the settings as explained in the following table. 4. Click Apply to save your settings. The new QoS profile is added to the List of QoS Profiles table. Table 38. Add QoS Profile screen settings Setting Description Profile Name A descriptive name of [...]

  • Page 181

    To edit a QoS profile: 1. In the List of QoS Profiles table, click the Edit table button to the right of the QoS profile that you want to edit. The Edit QoS Profile screen displays. 2. Modify the settings that you wish to change (see the previous table). 3. Click Ap[...]

  • Page 182

    Several types of blocking are available: • Web component blocking. You can block the following web component types: proxy, Java, ActiveX, and cookies. Even sites that are listed in the Trusted Domains table are subject to web component blocking when the blocking of a [...]

  • Page 183

    • If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu, .org, or .gov) can be viewed. • If you wish to block all Internet browsing access, enter . (period) as the keyword. To enable and configure content filtering: 1. [...]

  • Page 184

    3. In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected): • Proxy. Blocks proxy servers. • Java. Blocks Java applets from being dow[...]

  • Page 185

    Set a Schedule to Block or Allow Specific Traffic Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules. [...]

  • Page 186

    Enable Source MAC Filtering The Source MAC Filter screen enables you to permit or block traffic coming from certain known computers or devices. By default, the source MAC address filter is disabled. All the traffic received from computers with any MAC address is allowed[...]

  • Page 187

    4. Click Apply to save your settings. The MAC Address field in the Add Source MAC Address section of the screen now becomes available. 5. Build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field. A MAC ad[...]

  • Page 188

    There are three possible scenarios in relation to the addresses in the IP/MAC Bindings table: • Host 1 has not changed its IP and MAC addresses. A packet coming from Host 1 has IP and MAC addresses that match those in the IP/MAC Bindings table. • Host 2 has changed [...]

  • Page 189

    3. Click Apply to save your changes. 4. In the IP/MAC Bindings sections of the screen, enter the settings as explained in the following table: 5. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table. To edit an IP/MAC binding: 1. In t[...]

  • Page 190

    2. Click the Stop button. Wait until the Poll Interval field becomes available. 3. Enter the new poll interval in seconds. 4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window. IPv6/MAC Bindings To se[...]

  • Page 191

    5. In the IP/MAC Bindings sections of the screen, enter the settings as explained in the following table: 6. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table. To edit an IP/MAC binding: 1. In the IP/MAC Bindings table, click the [...]

  • Page 192

    4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window. Configure Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would othe[...]

  • Page 193

    Figure 116. 2. In the Add Port Triggering Rule section, enter the settings as explained in the following table: 3. Click the Add table button. The new port triggering rule is added to the Port Triggering Rules table. To edit a port triggering rule: 1. In the Por[...]

  • Page 194

    To remove one or more port triggering rules from the table: 1. Select the check box to the left of each port triggering rule that you want to delete, or click the Select All table button to select all rules. 2. Click the Delete table button. To display the stat[...]

  • Page 195

    The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the VPN firewall and that have been automatically detected by the VPN firewall: • Active. A Yes or No indicates if the UPnP device po[...]

  • Page 196

    196 5. Virtual Private Networking Using IPSec and L2TP Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. The chapter contains the follo[...]

  • Page 197

    The following diagrams and table show how the WAN mode selection relates to VPN configuration. Figure 119. Figure 120. The following table summarizes the WAN addressing requirements (FQDN or IP address) for a VPN tunnel in eithe[...]

  • Page 198

    Use the IPSec VPN Wizard for Client and Gateway Configurations You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following sections provide wizard and NETGEAR ProSafe VPN Client sof[...]

  • Page 199

    following screen contains some examples that do not relate to other examples in this manual.) Figure 122. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A po[...]

  • Page 200

    Figure 123. 2. Complete the settings as explained in the following table: Table 43. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect to the follo[...]

  • Page 201

    Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keep-alives, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive[...]

  • Page 202

    Figure 124. 4. Configure a VPN policy on the remote gateway that allows connection to the VPN firewall. 5. Activate the IPSec VPN connection: a. Select VPN > Connection Status. The Connection Status submenu tabs display wit[...]

  • Page 203

    Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard Figure 126. To set up an IPv6 gateway-to-gateway VPN tunnel using the VPN Wizard: 1. Select VPN > IPSec VPN > VPN Wizard. 2. In the upper right of the scree[...]

  • Page 204

    To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are [...]

  • Page 205

    Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keep-alives, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive[...]

  • Page 206

    6. Activate the IPSec VPN connection: a. Select VPN > Connection Status. The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view: Figure 130. b. Locate the policy in the table, and cli[...]

  • Page 207

    Use the VPN Wizard to Configure the Gateway for a Client Tunnel To set up a client-to-gateway VPN tunnel using the VPN Wizard: 1. Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio but[...]

  • Page 208

    3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen for IPv4. By default, the VPN policy is enabled. Connection Name and Remote IP Type What is the new [...]

  • Page 209

    Figure 133. Note: When you are using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have t[...]

  • Page 210

    Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. The VPN Client supports IPv4 only; an upcoming release of the VPN Client will support IPv6. To use the Configuration Wizard to set up[...]

  • Page 211

    Figure 135. 3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays: Figure 136. 4. Specify the following VPN tunnel parameters: • IP or DNS pub[...]

  • Page 212

    Figure 137. 6. This screen is a summary screen of the new VPN configuration. Click Finish. 7. Specify the local and remote IDs: a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to [...]

  • Page 213

    c. Specify the settings that are explained in the following table. 8. Configure the global parameters: a. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the C[...]

  • Page 214

    Figure 139. b. Specify the default lifetimes in seconds: • Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall. • En[...]

  • Page 215

    Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: 1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen [...]

  • Page 216

    Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name. The Authentication pa[...]

  • Page 217

    5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication pane. The Advanced pane displays: Figure 143. 7. Specify the settings th[...]

  • Page 218

    8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Create the IPSec Configuration (Phase 2 Settings) Note: On the VPN firewall, the IPSec configuration (phase 2 settings) is ref[...]

  • Page 219

    Figure 144. 3. Specify the settings that are explained in the following table. Table 50. VPN client IPSec configuration settings Setting Description VPN Client address Either enter 0.0.0.0 as the IP address, or enter a virtual I[...]

  • Page 220

    4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Global Parameters To specify the global parameters: 1. Click Global Parameters in the left column of the [...]

  • Page 221

    Test the Connection and View Connection and Status Information • Test the NETGEAR VPN Client Connection • NETGEAR VPN Client Status and Log Information • View the VPN Firewall IPSec VPN Connection Status • View the VPN[...]

  • Page 222

    Figure 147. • Use the system-tray icon. Right-click the system tray icon, and select Open tunnel ‘Tunnel’. Figure 148. Whichever way you choose to open the tunnel, when the tunnel opens successfully, the Tunnel opened m[...]

  • Page 223

    NETGEAR VPN Client Status and Log Information To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Acti[...]

  • Page 224

    interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button. View the VPN Firewall IPSec VPN Log To display the IPSec VPN log: Select Monitoring [...]

  • Page 225

    Manage IPSec VPN Policies • Manage IKE Policies • Manage VPN Policies After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected[...]

  • Page 226

    examples.) To display the IPv6 settings on the IKE Policies screen, select the IPv6 radio button. Figure 154. Each policy contains the data that are explained in the following table. These fields are explained in more detail i[...]

  • Page 227

    Note: You cannot delete or edit an IKE policy for which the VPN policy is active without first disabling or deleting the VPN policy. Manually Add or Edit an IKE Policy To manually add an IKE policy for IPv4 or IPv6: 1. Sele[...]

  • Page 228

    4. Complete the settings as explained in the following table: Table 53. Add IKE Policy screen settings Setting Description Mode Config Record Do you want to use Mode Config Record? Specify whether the IKE policy uses a Mode Config [...]

  • Page 229

    Identifier From the drop-down list, select one of the following ISAKMP identifiers to be used by the VPN firewall, and then specify the identifier in the Identifier field: • Local Wan IP. The WAN IP address of the VPN fire[...]

  • Page 230

    Authentication Method Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint. • RSA-Signature. Uses the act[...]

  • Page 231

    5. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. To edit an IKE policy: 1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 i[...]

  • Page 232

    endpoints (the local ID endpoint and the remote ID endpoint). You still need to manually enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard). In addition, a certification authorit[...]

  • Page 233

    Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 55 on page 235. To delete one or more VPN policies: 1. Select the check box to the left of each p[...]

  • Page 234

    3. Specify the IP version for which you want to add a VPN policy: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 4. • IPv6. Select the IPv6 radio button. The [...]

  • Page 235

    Figure 158. Add New VPN Policy screen for IPv6 4. Complete the settings as explained in the following table. The only differences between IPv4 and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6). Table 55. Add Ne[...]

  • Page 236

    Policy Type From the drop-down list, select one of the following policy types: • Auto Policy. Some settings (the ones in the Manual Policy Parameters section of the screen) for the VPN tunnel are generated automatically. • M[...]

  • Page 237

    Traffic Selection Local IP From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall: • Any. All computers and devices on the network. Note that you cannot select Any for both[...]

  • Page 238

    Key-Out The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: • 3DES. Enter does is not apply. • DES. Enter 8 characters. • AES-128. Enter 16 characters. • AE[...]

  • Page 239

    5. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table. To edit a VPN policy: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings (see Figu[...]

  • Page 240

    requesting individual authentication information from the user. A local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the l[...]

  • Page 241

    4. In the Extended Authentication section on the screen, complete the settings as explained in the following table: 5. Click Apply to save your settings. User Database Configuration When XAUTH is enabled in an Edge Device config[...]

  • Page 242

    user name and password information. The gateway then attempts to verify this information first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such a[...]

  • Page 243

    3. Click Apply to save your settings. Note: You can select the RADIUS authentication protocol (PAP or CHAP) on the Edit IKE Policy screen or Add IKE Policy screen (see Configure XAUTH for VPN Clients on page 240). Primary Serv[...]

  • Page 244

    Assign IPv4 Addresses to Remote Users (Mode Config) • Mode Config Operation • Configure Mode Config Operation on the VPN Firewall • Configure the ProSafe VPN Client for Mode Config Operation • Test the Mode Config Connect[...]

  • Page 245

    To configure Mode Config on the VPN firewall: 1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays: Figure 160. As an example, the screen shows two Mode Config records with the names EMEA Sales and [...]

  • Page 246

    3. Complete the settings as explained in the following table: Table 58. Add Mode Config Record screen settings Setting Description Client Pool Record Name A descriptive name of the Mode Config record for identification and manageme[...]

  • Page 247

    4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy. 5. Select VPN > IPSec VPN. The [...]

  • Page 248

    Figure 162. 8. On the Add IKE Policy screen, complete the settings as explained in the following table. Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration.[...]

  • Page 249

    Table 59. Add IKE Policy screen settings for a Mode Config configuration Setting Description Mode Config Record Do you want to use Mode Config Record? Select the Yes radio button. Note: Because Mode Config functions only in Aggr[...]

  • Page 250

    IKE SA Parameters Note: Generally, the default settings work well for a Mode Config configuration. Encryption Algorithm To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm. Authenticat[...]

  • Page 251

    9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. Configure the ProSafe VPN Client for Mode Config Operation When the Mode Config feature is enabled, the following information is negot[...]

  • Page 252

    Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec c[...]

  • Page 253

    3. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane. Note: This is the[...]

  • Page 254

    5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication pane. The Advanced pane displays: Figure 166. 7. Specify the sett[...]

  • Page 255

    8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Create the Mode Config IPSec Configuration (Phase 2 Settings) Note: On the VPN firewall, the IPSec configuration (phase 2 set[...]

  • Page 256

    Figure 167. 3. Specify the settings that are explained in the following table. Table 62. VPN client IPSec configuration settings (Mode Config) Setting Description VPN Client address This field is masked out because Mode Config [...]

  • Page 257

    4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Mode Config Global Parameters To specify the global parameters: 1. Click Global Parameters in the left col[...]

  • Page 258

    2. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall: • Authentication (IKE), Default. Enter 3600 seconds. Note: The default setting is 28800 seconds (8 hours). How[...]

  • Page 259

    Figure 171. 3. From the client computer, ping a computer on the VPN firewall LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure that it is not used in an IKE policy. T[...]

  • Page 260

    For DPD to function, the peer VPN device on the other end of the tunnel also needs to support DPD. Keep-alive, though less reliable than DPD, does not require any support from the peer device. Configure Keep-Alives The keep-alive [...]

  • Page 261

    4. Enter the settings as explained in the following table: 5. Click Apply to save your settings. Configure Dead Peer Detection The Dead Peer Detection (DPD) feature lets the VPN firewall maintain the IKE SA by exchanging period[...]

  • Page 262

    Figure 173. 4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: 5. Click Apply to save your settings. Configure NetBIOS Bridging with IPSec VPN Windo[...]

  • Page 263

    2. Specify the IP version for which you want to edit a VPN policy: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3. • IPv6. Select the IPv6 radio button. The VPN[...]

  • Page 264

    To enable the PPTP server and configure the PPTP server pool, authentication, and encryption: 1. Select VPN > PPTP Server. The PPTP Server screen displays. (The following figure contains an example.) Figure 175. 2. [...]

  • Page 265

    The List of PPTP Active Users table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the[...]

  • Page 266

    Figure 177. 2. Enter the settings as explained in the following table: 3. Click Apply to save your settings. View the Active L2TP Users To view the active L2TP tunnel users, select VPN > Connection Status > L2TP Active Users [...]

  • Page 267

    The List of L2TP Active Users table lists each active connection with the information that is described in the following table. Table 68. L2TP Active Users screen information Item Description Username The name of the L2TP user [...]

  • Page 268

    6. Virtual Private Networking Using SSL Connections The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL[...]

  • Page 269

    The SSL VPN client provides a point-to-point (PPP) connection between the client and the VPN firewall, and a virtual network interface is created on the user's computer. The VPN firewall assigns the computer an IP address and DNS server IP[...]

  • Page 270

    Because you need to assign a group when creating an SSL VPN user account, the user account is created after you have created the group. 3. For port forwarding, define the servers and services (see Configure Applications for Port Forwarding on[...]

  • Page 271

    You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add addit[...]

  • Page 272

    • Portal URL: - Portal URL (IPv4). The IPv4 URL at which the portal can be accessed. The IPv4 address in the URL is the public WAN address of the VPN firewall (see Configure the IPv4 Internet Connection and WAN Settings on page 28). B[...]

  • Page 273

    4. Complete the settings as explained in the following table: Table 69. Add Portal Layout screen settings Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part of[...]

  • Page 274

    5. Click Apply to save your settings. The new portal layout is added to the List of Layouts table. For information about how to display the new portal layout, see Access the New SSL Portal Login Screen on page 290. To edit a portal layou[...]

  • Page 275

    access policies. When you create a group, you need to specify a domain. Therefore, you should create any domains first, then groups, and then user accounts. For information about how to configure domains, groups, and users, see Configure Authen[...]

  • Page 276

    2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to. • TCP Port. The[...]

  • Page 277

    To add servers and host names for client name resolution: 1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see Figure 182 on page 275). 2. In the Add New Host Name for Port Forwarding section of the[...]

  • Page 278

    • Select whether you want to enable full-tunnel or split-tunnel support based on your bandwidth: - A full tunnel sends all of the client's traffic across the VPN tunnel. - A split tunnel sends only traffic that is destined for the loc[...]

  • Page 279

    Figure 184. SSL VPN Client screen for IPv6 3. Complete the settings as explained in the following table: Table 71. SSL VPN Client screen settings for IPv4 and IPv6 Setting Description Client IP Address Range Enable Full Tunnel Support Select [...]

  • Page 280

    4. Click Apply to save your settings. VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IP address in the client address range. Add Routes for VPN Tunnel Clients The VPN tunnel clients assume that the follow[...]

  • Page 281

    If VPN tunnel clients are already connected, disconnect and then reconnect the clients on the SSL VPN Connection Status screen (see View the SSL VPN Connection Status and SSL VPN Log on page 292). Doing so allows the clients to receive[...]

  • Page 282

    Figure 185. 2. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service drop[...]

  • Page 283

    IPv6, this screen is identical to the screen for IPv4 (see the next figure, which shows some examples). Figure 186. 4. Complete the settings as explained in the following table: Table 72. Resources screen settings to edit a resource Setting D[...]

  • Page 284

    5. Click Apply to save your settings. The new configuration is added to the Defined Resource Addresses table. To delete a configuration from the Defined Resource Addresses table, click the Delete table button to the right of the configura[...]

  • Page 285

    Assuming that no conflicting user or group policies have been configured, if a user attempted to access FTP servers at the following addresses, the actions listed would occur: • 10.0.0.1. The user would be blocked by Policy 1. • 10.0.1[...]

  • Page 286

    3. Click the Display action button. The List of SSL VPN Policies table displays the list for your selected Query option. Add an IPv4 or IPv6 SSL VPN Policy To add an SSL VPN policy: 1. Select VPN > SSL VPN. The SSL VPN submenu tabs [...]

  • Page 287

    Figure 189. Add SSL VPN Policy screen for IPv6 4. Complete the settings as explained in the following table: Table 73. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the[...]

  • Page 288

    Apply Policy to? (continued) IP Address Policy Name A descriptive name of the SSL VPN policy for identification and management purposes. IP Address The IPv4 or IPv6 address to which the SSL VPN policy is applied. Port Range / Port Number A port[...]

  • Page 289

    5. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately. Note: If you have configured SSL VPN user policies, make sure that secure HTT[...]

  • Page 290

    Access the New SSL Portal Login Screen All screens that you can access from the SSL VPN menu of the web management interface display a user portal link in the upper right of the screen, above the menu bars. When you click the User Porta[...]

  • Page 291

    Figure 192. 4. Enter a user name and password that are associated with a domain, that, in turn, is associated with the portal. For information about creating login credentials to access a portal, see Configure Domains, Groups, and Users on page [...]

  • Page 292

    Figure 194. The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity. • Port Forwarding. Provi[...]

  • Page 293

    Figure 195. The active user's name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of th[...]

  • Page 294

    7. Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. The chapter contains the following sections: • The VPN Firewall's Authentication Process and Options • Configure Authentication Domains, Groups, and Users • M[...]

  • Page 295

    Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The following table summarizes the external authentication protocols and methods t[...]

  • Page 296

    Configure Authentication Domains, Groups, and Users • Configure Domains • Configure Groups • Configure User Accounts • Set User Login Policies • Change Passwords and Other User Settings Configure Domains The domain determines the a[...]

  • Page 297

    The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain) to which the defa[...]

  • Page 298

    Authentication Type (continued) Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client and Server Configuration on page 241). • Radius-CHAP. RADIUS Challenge Han[...]

  • Page 299

    4. Click Apply to save your settings. The domain is added to the List of Domains table. 5. If you use local authentication, make sure that it is not disabled: in the Local Authentication section of the Domain screen (see Figure 197 on page [...]

  • Page 300

    Edit Domains To edit a domain: 1. Select Users > Domains. The Domains screen displays (see Figure 197 on page 296). 2. In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edi[...]

  • Page 301

    Create Groups To create a VPN group: 1. Select Users > Groups. The Groups screen displays. (The following figure shows the VPN firewall's default group—geardomain—and, as an example, several other groups in the List of Gr[...]

  • Page 302

    3. Complete the settings as explained in the following table: 4. Click Apply to save your changes. The new group is added to the List of Groups table. To delete one or more groups: 1. In the List of Groups table, select the check box to[...]

  • Page 303

    Configure User Accounts When you create a user account, you need to assign the user to a user group. When you create a group, you need to assign the group to a domain that specifies the authentication method. Therefore, you should first crea[...]

  • Page 304

    Figure 201. The List of Users table displays the users and has the following fields: • Check box. Allows you to select the user in the table. • Name. The name of the user. If the user name is appended by an asterisk, the user is a [...]

  • Page 305

    3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. The user is added to the List of Users table. To delete one or more user accounts: 1. In the List of Users table, select the check box[...]

  • Page 306

    Set User Login Policies You can restrict the ability of defined users to log in to the VPN firewall's web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers. This secti[...]

  • Page 307

    Configure Login Restrictions Based on IPv4 Addresses To restrict logging in based on IPv4 addresses: 1. Select Users > Users. The Users screen displays (see Figure 201 on page 304). 2. In the Action column of the List of Users t[...]

  • Page 308

    6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table: 7. Click the Add table button. The address is added to the Defined Addresses ta[...]

  • Page 309

    Figure 205. 5. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table. • Allow Log[...]

  • Page 310

    To delete one or more IPv6 addresses: 1. In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses. 2. Click the Delete table but[...]

  • Page 311

    6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list: • Internet Explorer. • Opera. • Netscape Navigator. • Firefox [...]

  • Page 312

    To modify user settings, including passwords: 1. Select Users > Users. The Users screen displays (see Figure 201 on page 304). 2. In the Action column of the List of Users table, click the Edit table button for the user for which y[...]

  • Page 313

    4. Click Apply to save your settings. Manage Digital Certificates for VPN Connections • VPN Certificates Screen • Manage VPN CA Certificates • Manage VPN Self-Signed Certificates • Manage the VPN Certificate Revocation List The VPN [...]

  • Page 314

    both the IPSec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository. The VPN firewall uses digita[...]

  • Page 315

    • Self Certificate Requests table. Contains the self-signed certificate requests that you generated. These requests might or might not have been submitted to CAs, and CAs might or might not have issued digital certificates for these [...]

  • Page 316

    2. In the Upload Trusted Certificates section of the screen, click the Browse button and navigate to the trusted digital certificate file that you downloaded on your computer. 3. Click the Upload table button. If the verification process on t[...]

  • Page 317

    VPN firewall. The CSR is a file that contains information about your company and about the device that holds the certificate. Refer to the CA for guidelines about the information that you need to include in your CSR. To generate a [...]

  • Page 318

    3. Click the Generate table button. A new SCR is created and added to the Self Certificate Requests table. 4. In the Self Certificate Requests table, click the View table button in the Action column to view the new SCR. The Certificate Req[...]

  • Page 319

    6. Submit your SCR to a CA: a. Connect to the website of the CA. b. Start the SCR procedure. c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-[...]

  • Page 320

    Manage the VPN Certificate Revocation List A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date. [...]

  • Page 321

    8. Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall. The chapter contains the following sections: • Performance Management • System Management Performance Management • Bandwidth Capacity • Featu[...]

  • Page 322

    In practice, the WAN-side bandwidth capacity is much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates: • Load balancing mode. 6 Mbps (four WAN ports at 1.5 Mbps each) • [...]

  • Page 323

    The following section summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 133. For detailed procedures on how to configure o[...]

  • Page 324

    For information about how to define bandwidth profiles, see Create Bandwidth Profiles on page 176. Content Filtering If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall's content-filtering featur[...]

  • Page 325

    On the LAN WAN screen, if you have not defined any rules, only the default rule is listed. The default LAN WAN inbound rule blocks all access from outside except responses to requests from the LAN side. WARNING: Incorrect configuration of inbound firewall rul[...]

  • Page 326

    addresses to groups. For more information, see Create IP Groups on page 174. (LAN IP groups do not apply to DMZ WAN inbound rules.) • WAN users. You can specify which Internet locations are covered by an inbound rule, based on their IP address: - Any. The[...]

  • Page 327

    Exposed Hosts Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. For an example of how to set up an exposed host, see IPv4 LAN WAN or IPv4 DMZ WAN Inbound [...]

  • Page 328

    method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN links. For more information about bandwidth profiles, see Create Bandwidth Profiles on page 176. M[...]

  • Page 329

    Figure 213. 2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit Users screen displays: Figure 214. You cannot modify the administrator user name, user type, or group assignment. 3. Select th[...]

  • Page 330

    6. Click Apply to save your settings. 7. Repeat Step 1 through Step 6 for the user with the name guest. Note: After a factory defaults reset, the password and time-out value are changed back to password and 5 minutes, respectively. You can also change the a[...]

  • Page 331

    misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see Change Passwords and Administrator and Guest Settings on page 328). To configure the VPN firewall for remote management: 1. Sele[...]

  • Page 332

    Network and System Management 332 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 Figure 216. Remote Management sc reen for IPv6 3. Enter the settings as explained in the following table: T able 82. Remote Management screen set ting s for IPv4 and IPv6 Setting Description Secure HTTP Manage ment Allow Secure HTTP Man agement? T o enable secure H[...]

  • Page 333

    Network and System Management 333 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 W ARNING: If you are remotely connected to the VPN firewall and y ou select the No radio button to disable secure HTTP management, you and all other SSL VPN users are disconnected when you click Apply . 4. Click Apply to save your changes. About Remote Access When[...]

  • Page 334

    Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert VPN firewall.mynetgear.net[...]

  • Page 335

    To configure the SNMP settings: 1. Select Administration > SNMP. The SNMP screen displays. (The following figure contains an example.) Figure 217. The SNMPv3 Users table includes the default SNMPv3 users that are preconfigured on the VPN firewall. The SN[...]

  • Page 336

    2. To specify a new SNMP configuration, in the Create New SNMP Configuration Entry section of the screen, configure the settings as explained in the following table: 3. Click Add to add the new SNMP configuration to the SNMP Configuration table. T[...]

  • Page 337

    To delete one or more SNMP configurations: 1. On the SNMP screen (see Figure 217 on page 335), select the check box to the left of each SNMP configuration that you want to delete, or click the Select All table button to select all SNMP configurations. 2[...]

  • Page 338

    3. Click Apply to save your changes. To configure the SNMP system information: 1. On the SNMP screen (see Figure 217 on page 335), click the SNMP System Info option arrow in the upper right of the screen. The SNMP SysConfiguration screen displays: Figure 22[...]

  • Page 339

    Manage the Configuration File The configuration settings of the VPN firewall are stored in a configuration file on the VPN firewall. This file can be saved (backed up) to a computer, retrieved (restored) from the computer, cleared to factory default settings,[...]

  • Page 340

    Back Up Settings The backup feature saves all VPN firewall settings to a file. Back up your settings periodically, and store the backup file in a safe place. Tip: You can use a backup file to export all settings to another VPN firewall that has the same langua[...]

  • Page 341

    WARNING: Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the VPN firewall, shut down the computer, or do anything else to the VPN firewall until the settings have been fully restored. Revert to Factory Defa[...]

  • Page 342

    Upgrade the Firmware You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade screen. To view the current version of the firmware that the VPN firewall is running, from the main menu, select Monitoring. The[...]

  • Page 343

    Select the Firmware and Reboot the VPN Firewall After you have upgraded the firmware, the newly installed firmware is the active firmware, and the previously installed firmware has become the secondary firmware. However, you can still revert to the secondary[...]

  • Page 344

    To set time, date, and NTP servers: 1. Select Administration > Time Zone. The Time Zone screen displays: Figure 222. The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current [...]

  • Page 345

    Select NTP Mode In all three NTP modes, the VPN firewall functions both as a client and a server. The VPN firewall synchronizes its clock with the specified NTP server or servers and provides time service to clients. From the drop-down list, select the NTP mod[...]

  • Page 346

    3. Click Apply to save your settings. Note: If you select the default NTP servers or if you enter a custom server FQDN, the VPN firewall determines the IP address of the NTP server by performing a DNS lookup. Before the VPN firewall can perform this lookup, you n[...]

  • Page 347

    9. Monitor System Access and Performance This chapter describes the system-monitoring features of the VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnel[...]

  • Page 348

    Figure 223. 2. Enter the settings for the WAN1 interface as explained in the following table. If you want to configure the settings for another WAN interface, first select the associated tab for that interface. Table 87. WAN1 Traffic Meter screen set[...]

  • Page 349

    3. Click Apply to save your settings. 4. If you want to enable the traffic meter for another WAN interface, click the associated WAN Traffic Meter tab for that interface, and repeat Step 2 and Step 3 for that WAN interface. The contents of the W[...]

  • Page 350

    screen displays the traffic meter's start and end dates. If you did not configure the traffic meter, the start date is blank. Figure 224. Configure and Enable the LAN Traffic Meter If your ISP charges by traffic volume over a period and you need [...]

  • Page 351

    3. Click the LAN Traffic Meter tab. The LAN Traffic Meter screen displays. (The following figure shows some examples in the LAN Traffic Meter Table.) Figure 226. The LAN Traffic Meter Table shows the following columns, all of which are e[...]

  • Page 352

    6. Click Apply to save your settings. The new account is added to the LAN Traffic Meter Table on the LAN Traffic Meter screen. To view the LAN IP traffic meter statistics: In the LAN Traffic Meter Table, click the Edit table button to the rig[...]

  • Page 353

    Figure 228. To edit a LAN traffic meter account: 1. In the LAN Traffic Meter Table, click the Edit table button to the right of the account that you want to edit. The Edit LAN Traffic Meter Account screen displays. This screen shows the sam[...]

  • Page 354

    Figure 229.[...]

  • Page 355

    2. Enter the settings as explained in the following table: Table 89. Firewall Logs & E-mail screen settings Setting Description Log Options Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to ident[...]

  • Page 356

    Enable E-mail Logs Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to email logs to a specified email address. Complete the fields that are shown on the right side of the screen. Select the No radio button to [...]

  • Page 357

    3. Click Apply to save your settings. Note: Enabling routing and other event logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. To view the routing logs, system l[...]

  • Page 358

    Figure 230. You can refresh the logs, clear the logs, or send the logs to an email address. To view the DNS logs onscreen: 1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays. 2. Click the DNS Logs o[...]

  • Page 359

    How to Send Syslogs over a VPN Tunnel between Sites To send syslogs from one site to another over a gateway-to-gateway VPN tunnel: 1. At Site 1, set up a syslog server that is connected to Gateway 1. 2. Set up a VPN tunnel between Gateway 1 at Sit[...]

  • Page 360

    4. In the Traffic Selector section of the screen, make the following changes: • From the Remote IP drop-down list, select Single. • In the Start IP fields, type 10.0.0.2, which is the WAN IP address of Gateway 2. 5. Click Apply to save the setting[...]

  • Page 361

    View Status Screens • View the System Status • View the VPN Connection Status, L2TP Users, and PPTP Users • View the VPN Logs • View the Port Triggering Status • View the WAN Port Status • View the Attached Devices and the DHCP Log [...]

  • Page 362

    Router Status Screen To view the Router Status screen: Select Monitoring > Router Status. The Router Status screen displays: Figure 232. The following table explains the fields of the Router Status screen: Table 90. Router Status screen i[...]

  • Page 363

    LAN (VLAN) IPv4 Information For each of the four LAN ports, the screen shows the IPv4 LAN address and subnet mask. For more detailed information, see Table 92 on page 366. LAN IPv6 Information MAC Address The MAC address of the VPN firewall. IPv6 Addre[...]

  • Page 364

    Router Statistics Screen To view the Router Statistics screen: 1. Select Monitoring > Router Status. The Router Status screen displays (see the previous figure). 2. Click the Show Statistics option arrow in the upper right of the Ro[...]

  • Page 365

    Detailed Status Screen To view the Detailed Status screen, select Monitoring > Router Status > Detailed Status. The Detailed Status screen displays: Figure 234.[...]

  • Page 366

    The following table explains the fields of the Detailed Status screen: Table 92. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile The name of the VLAN pro[...]

  • Page 367

    DMZ IPv6 Configuration IPv6 Address The IPv6 address and prefix length for the DMZ. For information about configuring the IPv6 DMZ, see DMZ Port for IPv6 Traffic on page 113. DHCP Status The status of the DHCPv6 server for the DMZ (Enabled or Dis[...]

  • Page 368

    VLAN Status Screen The VLAN Status screen displays information about the VLANs that are enabled. Disabled VLANs are not displayed. For information about enabling and disabling VLANs, see Assign and Manage VLAN Profiles on page 81. To view the st [...]

  • Page 369

    The following table explains the fields of the VLAN Status screen: Tunnel Status Screen The IPv6 Tunnel Status screen displays the status of all active 6to4 and ISATAP tunnels and their IPv6 addresses. To view the status of the tunnels and[...]

  • Page 370

    The IPv6 Tunnel Status table shows the following fields: • Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for simple Internet transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in which x is an int[...]

  • Page 371

    Figure 238. The active user's user name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active connection, click the Disconnect table button to the right of t[...]

  • Page 372

    Figure 240. The List of PPTP Active Users table lists each active connection with the information that is described in the following table. View the VPN Logs To display the IPSec VPN log: Select Monitoring > VPN Logs. The Logs tabs display w[...]

  • Page 373

    To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 242. View the Port Triggering Status To view the status of the port triggering feature: 1. Select Security > Port Tr[...]

  • Page 374

    Figure 244. The Port Triggering Status screen displays the information that is described in the following table: View the WAN Port Status You can view the status of the IPv4 and IPv6 WAN connections, the DNS servers, and the DHCP servers. IPv4 WA[...]

  • Page 375

    Figure 245. 2. In the Action column, click the Status button of the WAN interface for which you want to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration.) Figure 246. The type of connection deter[...]

  • Page 376

    Click Disconnect to disconnect the connection; click Connect to establish the connection. IPv6 WAN Port Status To view the IPv6 status of the WAN port: 1. Select Network Configuration > WAN Settings > WAN Setup. 2. In the upper right of[...]

  • Page 377

    Figure 248. The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Click Disconnect to disconnect the connection; click Con[...]

  • Page 378

    View the Attached Devices To view the attached devices on the LAN Groups screen: Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays. (The following figure shows some examples in the Known PCs and Dev[...]

  • Page 379

    Note: If the VPN firewall is rebooted, the data in the Known PCs and Devices table is lost until the VPN firewall rediscovers the devices. View the DHCP Log To review the most recent entries in the DHCP log: 1. Select Network Configuration > LAN[...]

  • Page 380

    Diagnostics Utilities • Send a Ping Packet • Trace a Route • Look Up a DNS Address • Display the Routing Tables • Capture Packets in Real Time • Reboot the VPN Firewall Remotely The VPN firewall provides diagnostic tools that help you analyze[...]

  • Page 381

    Figure 252. The various tasks that you can perform on the Diagnostics screen are explained in the following sections. Send a Ping Packet Use the ping utility to send a ping packet request in order to check the connection between the VPN firewall and a [...]

  • Page 382

    To send a traceroute: 1. On the Diagnostics screen for IPv4, in the IP Address / Domain Name field of the Ping or Trace an IP Address section, enter the IP address or domain name that you want to trace; on the Diagnostics screen for IPv6, in the D[...]

  • Page 383

    Figure 253. 2. From the Select Network drop-down list, select the physical or virtual interface for which you want to capture packets. 3. Click Start. After a few seconds, the packet-tracing process starts, which is indicated by a message onscreen. 4. [...]

  • Page 384

    10. Troubleshooting This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the VPN firewall on? Go to Basic Functioning on page 3[...]

  • Page 385

    Note: The VPN firewall's diagnostic tools are explained in Diagnostics Utilities on page 380. Basic Functioning • Power LED Not On • Test LED Never Turns Off • LAN or WAN Port LEDs Not On After you turn on power to the VPN firewall, verify that the followi[...]

  • Page 386

    If all LEDs are still on more than several minutes after power-up, do the following: • Turn off the power, and then turn it on again to see if the VPN firewall recovers. • Reset the VPN firewall's configuration to factory default settings. Doing so sets th[...]

  • Page 387

    • Make sure that you are using the SSL https:// address login rather than the http:// address login. • Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded. • [...]

  • Page 388

    Troubleshoot the ISP Connection If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your VPN firewall requests an IP a[...]

  • Page 389

    assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information. For more information, see Manually Configure an IPv4 Internet Connection on page 33. • Your ISP allows only one Ethernet MAC address to connect to the I[...]

  • Page 390

    - Windows Server 2008 R2, all versions - Windows Server 2003, all versions - Windows Server 2003 R2, all versions - Linux and other UNIX-based systems with a correctly configured kernel - MAC OS X • Make sure that IPv6 is enabled on the computer. On a computer that runs[...]

  • Page 391

    c. Click or double-click View status of this connection. The Local Area Connection Status screen displays: Figure 255. d. Make sure that Internet access shows for the IPv6 connection. (The previous figure shows that there is no Internet access.) e. Click Details. The[...]

  • Page 392

    f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80. Troubleshoot a TCP/IP Network Using a Ping Utili[...]

  • Page 393

    Test the Path from Your Computer to a Remote Device After verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows Run dialog box, type: ping -n 10 <IP address> in which <IP address> is the IP address[...]

  • Page 394

    Figure 257. b. In the Backup / Restore Settings section of the screen, click the Default button. The VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible, or a status message with a counter might show the nu[...]

  • Page 395

    Address Problems with Date and Time The System Date & Time screen displays the current date and time of day (see Configure Date and Time Service on page 343). The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several networ[...]

  • Page 396

    A. Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the VPN firewall in the following sections: • Factory Default Settings • Physical and Technical Specifications Factory Default Settings You can use the factory default Reset button loca [...]

  • Page 397

    WAN settings: WAN IPv4 mode (all WAN interfaces): NAT; WAN IPv4 load balancing settings (all WAN interfaces): Primary WAN mode; WAN IPv6 mode (all WAN interfaces): IPv4 only mode; Stateless IP/ICMP Translation (SIIT): Disabled; WAN MAC address (a[...]

  • Page 398

    DMZ DHCP IPv4 starting address: 176.16.2.100; DMZ DHCP IPv4 ending address: 176.16.2.254; RIP direction: None; RIP version: Disabled; RIP authentication: Disabled. IPv6 LAN and DMZ settings: LAN IPv6 address: fec0::1; LAN IPv6 prefix length: 64; LAN DHCPv6 serv[...]

  • Page 399

    Session limits: Disabled; TCP time-out: 1200 seconds; UDP time-out: 180 seconds; ICMP time-out: 8 seconds; SIP ALG: Disabled; Source MAC filtering: Disabled; IP/MAC bindings: Disabled; Port triggering rules: None; UPnP: Disabled; Bandwidth profiles: None; QoS profi[...]

  • Page 400

    Authentication method: Pre-shared Key; Key group: DH-Group 2 (1024 bit); Life time: 8 hours. VPN IPsec Wizard: VPN policy settings for IPv4 and IPv6 gateway-to-gateway tunnels: Encryption algorithm: 3DES; Authentication algorithm: SHA-1; Life time: 1 hour; Key[...]

  • Page 401

    RADIUS settings: Primary RADIUS server: Disabled and none configured; Secondary RADIUS server: Disabled and none configured; RADIUS time-out period: 30 seconds; RADIUS maximum retry count: 4. SSL VPN settings: SSL VPN IPv4 client address range: 192.168.251[...]

  • Page 402

    Physical and Technical Specifications The following table shows the physical and technical specifications for the VPN firewall: Table 100. VPN firewall physical and technical specifications Feature Specification Network protocol and standar[...]

  • Page 403

    The following table shows the IPSec VPN specifications for the VPN firewall: The following table shows the SSL VPN specifications for the VPN firewall: Table 101. VPN firewall IPSec VPN specifications Setting Specification Network Management[...]

  • Page 404

    B. Network Planning for Multiple WAN Ports (IPv4 Only) This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections: • What to Consider Before You Begin • Overview of the Planning Process • Inbound Traffic • Virtu[...]

  • Page 405

    • Protocol binding. - For auto-rollover mode, protocol binding does not apply. - For load balancing mode, decide which protocols should be bound to a specific WAN port. - You can also add your own service protocols to the list. 2. S[...]

  • Page 406

    Cabling and Computer Hardware Requirements For you to use the VPN firewall in your network, each computer needs to have an Ethernet network interface card (NIC) installed and needs to be equipped with an Ethernet cable. If the computer wil[...]

  • Page 407

    After you have located your Internet configuration information, you might want to record the information in the following section. Internet Connection Information Print this page with the Internet connection information. Fill in the confi[...]

  • Page 408

    Overview of the Planning Process The areas that require planning when you use a firewall that has multiple WAN ports such as the VPN firewall include the following: • Inbound traffic (port forwarding, port triggering) • Outbound tr[...]

  • Page 409

    Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port need to be in the identical range of fixed addresses. • Dual WAN ports in load balancing mode. Load balancing[...]

  • Page 410

    Figure 261. Inbound Traffic to a Dual WAN Port System The IP address range of the VPN firewall's WAN port needs to be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this featur[...]

  • Page 411

    Figure 263. Virtual Private Networks • VPN Road Warrior (Client-to-Gateway) • VPN Gateway-to-Gateway • VPN Telecommuter (Client-to-Gateway through a NAT Router) When implementing virtual private network (VPN) tunnels, you need t[...]

  • Page 412

    • Dual WAN ports in auto-rollover mode. A gateway configuration with dual WAN ports that function in auto-rollover mode is different from a gateway configuration with a single WAN port when you specify the IP address of the VPN tunn[...]

  • Page 413

    VPN Road Warrior: Single-Gateway WAN Port (Reference Case) In a single WAN port gateway configuration, the remote computer client initiates the VPN tunnel because the IP address of the remote computer client is not known in advance.[...]

  • Page 414

    Figure 268. The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote computer client can determine the gateway[...]

  • Page 415

    VPN Gateway-to-Gateway The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall: • Single-gateway WAN ports • Redundant dual-gateway WAN ports for[...]

  • Page 416

    Figure 271. The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (that is, the IP address of the ac[...]

  • Page 417

    Figure 273. The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Telecommuter (Client-to-Gateway through a NA[...]

  • Page 418

    The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you need to use an FQDN. If the IP address is fixed, an FQDN is optional. VPN Telecommuter: Dual-Gateway WAN Ports for Improved Reliab[...]

  • Page 419

    VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing In a gateway configuration with dual WAN ports that function in load balancing mode, the remote computer client initiates the VPN tunnel with the appropriate gateway WAN por[...]

  • Page 420

    C. System Logs and Error Messages This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided. This appendix contains the following sections: • System Log Messages • Routing Logs • Other Event Logs • DHCP Logs This appendix uses the follow[...]

  • Page 421

System Log Messages
• NTP
• Login/Logout
• System Startup
• Reboot
• Firewall Restart
• IPSec Restart
• Unicast, Multicast, and Broadcast Logs
• WAN Status
• Resolved DNS Names
• VPN Log Messages
• Traffic Meter Logs

This section describes [...]

  • Page 422

Login/Logout
This section describes logs generated by the administrative interfaces of the device.

System Startup
This section describes the log message generated during system startup.

Explanation: Message 1: DNS resolution for the NTP server (time-f.netgear [...]

  • Page 423

Reboot
This section describes the log message generated during system reboot.

Firewall Restart
This section describes logs that are generated when the VPN firewall restarts.

IPSec Restart
This section describes logs that are generated when IPSec restarts.

Uni [...]

  • Page 424

ICMP Redirect Logs

Multicast/Broadcast Logs

WAN Status
This section describes the logs generated by the WAN component. If there are several ISP links for Internet connectivity, the VPN firewall can be configured either in auto-rollover or load balancing mo [...]

  • Page 425

Auto-Rollover
When the WAN mode is configured for auto-rollover, the primary link is active, and the secondary link acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up. The VPN [...]

  • Page 426

PPP Logs
This section describes the WAN PPP connection logs. The PPP type can be configured from the web management interface (see Manually Configure an IPv4 Internet Connection on page 33).
• PPPoE Idle Timeout Logs
Explanation: The logs suggest that the [...]

  • Page 427

• PPTP Idle Timeout Logs
Explanation: Message 1: PPPoE connection started. Message 2: Message from PPPoE server for correct login. Message 3: Authentication for PPP succeeded. Message 4: Local IP address assigned by the server. Message 5: Server side IP address [...]

  • Page 428

• PPP Authentication Logs

Resolved DNS Names
This section describes the logs of DNS name resolution messages.

VPN Log Messages
This section explains logs that are generated by IPSec VPN and SSL VPN policies. These logs are generated automatically and do no [...]

  • Page 429

Table 121. System logs: IPSec VPN tunnel, tunnel establishment
Messages 1 through 5 / Messages 6 and 7 / Messages 8 through 19 / Messages 20 and 21 / Messages 22 and 23 / Messages 24 and 25
2000 Jan 1 04:01:39 [SRX5308] [wand] [IPSEC] IPSEC Restarted
2000 Jan 1 04:02:09 [...]

  • Page 430

Table 122. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel is reestablished
Message 1 / Messages 2 through 6 / Message 7 / Messages 8 through 11
2000 Jan 1 04:32:25 [SRX5308] [IKE] Sending Informational Exchange: delet [...]

  • Page 431

Table 123. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel not reestablished
Message
2000 Jan 1 04:52:33 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24_
2000 Jan 1 04:52: [...]

  • Page 432

Table 125. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec), VPN tunnel torn down
Message 1 / Message 2 / Message 3
2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to peer 192.168.10.2 failed 3 consecutive times and 5 times [...]

  • Page 433

SSL VPN Logs
This section describes the log messages that are generated by SSL VPN policies.

Table 127. System logs: IPSec VPN tunnel, client policy behind a NAT device
Message 3 / Message 6
2000 Jan 1 01:54:21 [SRX5308] [IKE] Floating ports for NAT-T with peer [...]
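The IKE, IPSEC and VPNKA messages in Tables 121 through 125 are what an operator has to watch to tell a normal SA rekey (Table 122) from a tunnel that was deleted and never came back (Table 123) or was torn down by keep-alive failure (Table 125). The following added example, written for this page and not code from NETGEAR or the manual, parses the syslog prefix the firewall prints and turns those messages into events. The sample log is constructed from the fragments shown in the tables; the wording after "delete" and after "consecutive times", the 60-second reestablishment grace period, and the placeholder year for year-less lines are assumptions.

```python
"""Tunnel-lifecycle checks over SRX5308-style VPN syslog lines (added example)."""
import re
from datetime import datetime

# Prefix as printed by the firewall: optional year, month, day, time, hostname,
# one or more [component] tags, then the message.
PREFIX = re.compile(
    r"^(?:(?P<year>\d{4}) )?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) \[(?P<host>[^\]]+)\] "
    r"(?P<tags>(?:\[[^\]]+\] )+)(?P<msg>.*)$"
)

# Message patterns taken from the manual's fragments. The text after "delete"
# and after "consecutive times" is an assumption: the manual cuts it off.
RESTART = re.compile(r"IPSEC Restarted")
SA_UP = re.compile(r"Using IPSec SA configuration: (?P<sel>\S+)")
SA_DELETE = re.compile(r"Sending Informational Exchange: delete")
KA_FAIL = re.compile(r"Keep alive to peer (?P<peer>[\d.]+) failed (?P<n>\d+) consecutive times")

PHASE2_LIFETIME = 300    # seconds; the phase-2 lifetime used in Tables 122 and 123
REESTABLISH_GRACE = 60   # assumption: how long after a delete we wait for a new SA


def parse(line):
    """Split one syslog line into timestamp, host, component tags and message."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    year = m.group("year") or "2000"   # assumption: year-less lines get a placeholder year
    ts = datetime.strptime(
        f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}", "%Y %b %d %H:%M:%S")
    tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
    return {"ts": ts, "host": m.group("host"), "tags": tags, "msg": m.group("msg")}


def analyse(lines):
    """Return a list of {"ts", "kind", "detail"} events describing the tunnel lifecycle."""
    events = []
    sa_up_at = None        # when the current phase-2 SA was installed
    pending_delete = None  # time of a delete that no new SA has followed yet

    def emit(ts, kind, detail):
        events.append({"ts": ts, "kind": kind, "detail": detail})

    for rec in filter(None, map(parse, lines)):
        ts, msg = rec["ts"], rec["msg"]
        # A delete with no new SA inside the grace period is Table 123's case.
        if pending_delete and (ts - pending_delete).total_seconds() > REESTABLISH_GRACE:
            emit(ts, "sa-not-reestablished", f"no new SA since delete at {pending_delete:%H:%M:%S}")
            pending_delete = None
        if RESTART.search(msg):
            emit(ts, "ipsec-restart", "IPsec subsystem restarted; all SAs dropped")
            sa_up_at = pending_delete = None
        elif (m := SA_UP.search(msg)):
            if pending_delete:   # Table 122: a delete promptly followed by a fresh SA is a rekey
                emit(ts, "sa-rekeyed", m.group("sel"))
                pending_delete = None
            sa_up_at = ts
        elif SA_DELETE.search(msg):
            age = (ts - sa_up_at).total_seconds() if sa_up_at else None
            if age is not None and age < PHASE2_LIFETIME:
                emit(ts, "sa-premature-delete",
                     f"SA deleted after {age:.0f}s, lifetime is {PHASE2_LIFETIME}s")
            pending_delete = ts
        elif (m := KA_FAIL.search(msg)):
            emit(ts, "peer-unreachable", f"{m.group('peer')} missed {m.group('n')} keep-alives")
    if pending_delete:
        emit(pending_delete, "sa-not-reestablished", "log ended without a new SA")
    return events


# Constructed sample: a restart, a normal rekey, a delete that is never followed by a
# new SA, and a keep-alive failure that tears the tunnel down (Tables 121, 122, 123, 125).
SAMPLE_LOG = """\
2000 Jan 1 04:01:39 [SRX5308] [wand] [IPSEC] IPSEC Restarted
2000 Jan 1 04:27:25 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24
2000 Jan 1 04:32:25 [SRX5308] [IKE] Sending Informational Exchange: delete payload
2000 Jan 1 04:32:26 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24
2000 Jan 1 04:52:33 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24
2000 Jan 1 04:57:33 [SRX5308] [IKE] Sending Informational Exchange: delete payload
2000 Jan 1 05:58:30 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24
2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to peer 192.168.10.2 failed 3 consecutive times and 5 times in total
2000 Jan 1 06:01:18 [SRX5308] [IKE] Sending Informational Exchange: delete payload
""".splitlines()

if __name__ == "__main__":
    for ev in analyse(SAMPLE_LOG):
        print(f"{ev['ts']:%b %d %H:%M:%S}  {ev['kind']:<22} {ev['detail']}")
```

Feeding the firewall's remote syslog stream through `analyse` gives an alert only for the cases that need an operator (peer unreachable, SA deleted early, SA never rebuilt), while the scheduled rekey every 300 seconds stays informational.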

  • Page 434

Traffic Meter Logs

Routing Logs
• LAN to WAN Logs
• LAN to DMZ Logs
• DMZ to WAN Logs
• WAN to LAN Logs
• DMZ to LAN Logs
• WAN to DMZ Logs

This section explains the logging messages for the various network segments (such as LAN to WAN) for deb [...]

  • Page 435

LAN to WAN Logs / LAN to DMZ Logs / DMZ to WAN Logs / WAN to LAN Logs

Table 132. Routing logs: LAN to WAN
Message: Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation • [...]
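The routing logs in Table 132 are netfilter-style lines: a segment and action (`LAN2WAN[ACCEPT]`) followed by `KEY=VALUE` fields. The added example below, written for this page and not NETGEAR's code, parses those lines into records, tallies them per segment and action, and flags a WAN-side source whose dropped packets spread across many destination ports, which is the pattern of a port sweep against the firewall. Only the first sample line comes from the manual; the rest are constructed, and the `DROP` action and the `SPT=`/`DPT=` fields for TCP and UDP are assumptions about how the firewall formats non-ICMP records.

```python
"""Structured parsing and a port-sweep check for SRX5308 routing logs (added example)."""
import re
from collections import Counter, defaultdict

# "Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=... DST=... PROTO=..."
ROUTING = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \[(?P<host>[^\]]+)\] \[kernel\] "
    r"(?P<segment>[A-Z]+2[A-Z]+)\[(?P<action>[A-Z]+)\] (?P<fields>.*)$"
)
NUMERIC = {"SPT", "DPT", "TYPE", "CODE", "LEN", "TTL"}   # assumption: integer-valued fields


def parse_routing_line(line):
    """Return a dict for one [kernel] routing log line, or None for any other line."""
    m = ROUTING.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"),
           "segment": m.group("segment"), "action": m.group("action")}
    for token in m.group("fields").split():
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        rec[key] = int(value) if key in NUMERIC and value.isdigit() else value
    return rec


def summarize(lines):
    """Count records per (segment, action), e.g. ("WAN2LAN", "DROP")."""
    counts = Counter()
    for rec in filter(None, map(parse_routing_line, lines)):
        counts[(rec["segment"], rec["action"])] += 1
    return counts


def find_port_sweeps(lines, min_ports=5):
    """Sources whose inbound WAN2LAN DROP records hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_routing_line, lines)):
        if rec["segment"] == "WAN2LAN" and rec["action"] == "DROP" \
                and "SRC" in rec and "DPT" in rec:
            ports[rec["SRC"]].add(rec["DPT"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample. Line 1 is the manual's Table 132 message; the others are
# made up to exercise DROP records, non-ICMP fields and a non-kernel line.
SAMPLE_LINES = """\
Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:20:01 [SRX5308] [kernel] WAN2LAN[DROP] IN=WAN OUT=LAN SRC=203.0.113.7 DST=192.168.10.10 PROTO=TCP SPT=40001 DPT=22
Nov 29 09:20:01 [SRX5308] [kernel] WAN2LAN[DROP] IN=WAN OUT=LAN SRC=203.0.113.7 DST=192.168.10.10 PROTO=TCP SPT=40002 DPT=23
Nov 29 09:20:02 [SRX5308] [kernel] WAN2LAN[DROP] IN=WAN OUT=LAN SRC=203.0.113.7 DST=192.168.10.10 PROTO=TCP SPT=40003 DPT=80
Nov 29 09:20:02 [SRX5308] [kernel] WAN2LAN[DROP] IN=WAN OUT=LAN SRC=203.0.113.7 DST=192.168.10.10 PROTO=TCP SPT=40004 DPT=443
Nov 29 09:20:03 [SRX5308] [kernel] WAN2LAN[DROP] IN=WAN OUT=LAN SRC=203.0.113.7 DST=192.168.10.10 PROTO=TCP SPT=40005 DPT=3389
Nov 29 09:21:10 [SRX5308] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC=198.51.100.9 DST=192.168.10.20 PROTO=TCP SPT=51515 DPT=443
Nov 29 09:21:11 [SRX5308] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.5 PROTO=UDP SPT=5353 DPT=53
Nov 29 09:21:12 [SRX5308] [dhcpd] DHCPRELEASE of 192.168.10.2 from 00:11:22:33:44:55 via eth0.1
""".splitlines()

if __name__ == "__main__":
    for (segment, action), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{segment:<8} {action:<7} {n}")
    for src, dports in find_port_sweeps(SAMPLE_LINES).items():
        print(f"possible port sweep from {src}: ports {dports}")
```

The parser deliberately ignores every line that is not tagged `[kernel]`, so the same input can carry the dhcpd, IKE and PPP messages from the other sections without special handling. The 5-port threshold is a starting point; tune it against the firewall's own WAN-side noise before alerting on it.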

  • Page 436

DMZ to LAN Logs / WAN to DMZ Logs

Other Event Logs
• Session Limit Logs
• Source MAC Filter Logs
• Bandwidth Limit Logs

This section describes the log messages generated by other events such as source MAC filtering, session limiting, and bandwidth limiti [...]

  • Page 437

Source MAC Filter Logs / Bandwidth Limit Logs

DHCP Logs
This section explains the log messages that are generated when a host is assigned a dynamic IP address. These messages are displayed on the DHCP Log screen (see View the DHCP Log on page 379).

Table 139 [...]

  • Page 438

Table 142. DHCP logs
Message 1 / Message 2 / Message 3 / Message 4 / Message 5 / Message 6 / Message 7
2000 Jan 1 07:27:28 [SRX5308] [dhcpd] Listening on LPF/eth0.1/00:11:22:78:89:90/192.168.11/24
2000 Jan 1 07:27:37 [SRX5308] [dhcpd] DHCPRELEASE of 192.168.10.2 from [...]

  • Page 439

Appendix D. Two-Factor Authentication

This appendix provides an overview of two-factor authentication, and an example of how to implement the WiKID solution. This appendix contains the following sections:
• Why Do I Need Two-Factor Authentication?
• NETGEAR Two-Factor Authentication Solutions

Why Do I Need Two-Factor Authenticatio [...]

  • Page 440

• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-factor authentication has been used as a mandatory authentication process for many corporations and en [...]

  • Page 441

Here is an example of how WiKID works:

To use WiKID (for end users):
1. Launch the WiKID token software, enter the PIN that has been provided (something the user knows), and then click Continue to receive the OTP from the WiKID authentication server: Figure [...]

  • Page 442

3. Proceed to the 2 Factor Authentication login screen, and enter the one-time passcode as the login password. Figure 280.

  • Page 443

Appendix E. Notification of Compliance (Wired)

NETGEAR Wired Products

Regulatory Compliance Information
This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may [...]

  • Page 444

FCC Radio Frequency Interference Warnings & Instructions
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection a [...]

  • Page 445

Additional Copyrights

AES
Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following condi [...]

  • Page 446

MD5
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencin [...]

  • Page 447

Index

Numerics: 10BASE-T, 100BASE-T, and 1000BASE-T speeds 70; 3322.org 48–51; 6to4 tunnels: configuring globally 63, DMZ, configuring for 121, LAN, configuring for 107

A: AAA (authentication, authorization, and accounting) 241; AC input 19; access, remote management 330; account name, PPTP and PPPoE 35; action buttons (web management interface) 24 [...]

  • Page 448

B: backing up configuration file 340; bandwidth allocation, WAN traffic 72–76; bandwidth capacity 321; bandwidth limits, logging dropped packets 355; bandwidth profiles: creating 176–178, shifting traffic mix 327; baud rate 19; blocking: cookies 182, instant messaging (rule example) [...]

  • Page 449

firewall rules 132; group, users 300; idle time-out periods: groups 302, L2TP server 266, PPTP server 264, users 305; IPSec VPN Wizard 199; IPv4 gateway 37; IPv4 routing mode 28; IPv6 gateway 58; IPv6 routing mode 52; LAN group 93; LAN IPv6 address 100; LAN IPv6 prefix length 100; load balancing method 40; l [...]

  • Page 450

Domain Name Server. See DNS; domain name, PPTP and PPPoE connections 35; domains for authentication 296, 304; DoS (denial of service) attack: check settings 167, default protection 14, 136; downloading: firmware 342, SSL certificate 22; DPD (Dead Peer Detection) 230, 261; DSCP (Differentiated Se [...]

  • Page 451

H: hardware: front panel ports 17, rear panel components 19, requirements 406; Help button (web management interface) 24; hosts: exposed, increasing traffic 327, exposed, specifying (rule example) 163, name resolution 276, public web server (rule example) 159; HTTP management 332; humidity, operating [...]

  • Page 452

resources, configuring 283; static or permanent 32, 37; subnet mask, default 85; subnet mask, DMZ port 111; VPN tunnels 201, 208, 229, 237; IPv4 DMZ, configuring 110–113; IPv4 gateway 37; IPv4 Internet connection: autodetecting 30, manually configuring 33, setting up 27; IPv4 ISP, logging in 34 [...]

  • Page 453

bandwidth capacity 321; default port MAC addresses 366; default settings 398; groups, assigning and managing 93–96; IPv4 settings, configuring 81; IPv6 settings, configuring 99; Known PCs and Devices table 93–94; network database 91–95; port status, viewing 366; prefix delegation (IPv6) 98, [...]

  • Page 454

metric: static IPv4 routes 124, static IPv6 routes 129; MIAS (Microsoft Internet Authentication Service): described 295, MIAS-CHAP and MIAS-PAP 298; Mode Config operation: configuring 244–251, record 228; monitoring default settings 401; MTU (maximum transmission unit): default 69, IPv6 DMZ p [...]

  • Page 455

WiKID; pass-through, multicast 168; passwords: changing 311, 328, default 22, restoring 393; Perfect Forward Secrecy (PFS) 239, 246; performance management 321; permanent addresses: IPv4 address 32, 37, IPv6 address 58; PFS (Perfect Forward Secrecy) 239, 246; physical specifications 402; pinging auto-r [...]

  • Page 456

LAN advertisements 107; prefixes, IPv6: 6to4 tunnel 63, DMZ advertisements 121, ISATAP tunnel 65, LAN advertisements 107; pre-shared key: client-to-gateway VPN tunnel 208, gateway-to-gateway VPN tunnel 200, 204, IKE policy settings 230; primary WAN mode: bandwidth capacity 322, described 39; priori [...]

  • Page 457

IPv6 (IPv4-only and IPv4/IPv6) 52; routing table: adding static IPv4 routes 122, adding static IPv6 routes 127, displaying 382; RSA signatures 230; rules: See inbound rules. See outbound rules.

S: SA (security association): IKE policies 226, 229, IPSec VPN Wizard 198, Mode Config operation 246, VPN conne [...]

  • Page 458

stateless and stateful IPv6 addresses, autoconfiguration 54, 100, 115; Stateless IP/ICMP Translation (SIIT) 66; static addresses: IPv4 address 32, 37, IPv6 address 58; static routes: IPv4 routes: configuring 122–127, routing table 122; IPv6 routes: configuring 127–129, routing table 127; statis [...]

  • Page 459

U: UDP (User Datagram Protocol) 193; UDP flood, blocking 167; UDP time-out 170; unicast packets, IPv6: DMZ, configuring for 119, LAN, configuring for 105; Universal Plug and Play (UPnP), configuring 194; unsolicited multicast packets, IPv6: DMZ, configuring for 119, LAN, configuring for 105; upgr [...]

  • Page 460

pre-shared key: client-to-gateway tunnel 208, gateway-to-gateway tunnel 200, 204, IKE policy settings 230; Road Warrior: auto-rollover 413, load balancing 414, single WAN port mode 413; rollover: See auto-rollover mode; RSA signature 230; sending syslogs 359; testing connections 221; VPN Telecommu [...]