NETGEAR STM150EW-100NAS manual


A good user manual

The rules should oblige the seller to give the purchaser operating instructions for the NETGEAR STM150EW-100NAS along with the item. The lack of instructions, or false information given to the customer, constitutes grounds for a complaint of nonconformity of the goods with the contract. In accordance with the law, a customer can receive the instructions in non-paper form; lately, graphic and electronic manuals, as well as instructional videos, have become widely used. A necessary precondition is that the instructions are unambiguous and legible.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in the instructions for the NETGEAR STM150EW-100NAS one can find a process description. The purpose of an instruction is to teach, and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a clue.

Unfortunately, only a few customers devote their time to reading the instructions for the NETGEAR STM150EW-100NAS. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual for the NETGEAR STM150EW-100NAS should contain:
- information concerning the technical data of the NETGEAR STM150EW-100NAS
- the name of the manufacturer and the year of construction of the NETGEAR STM150EW-100NAS
- rules of operation, control and maintenance of the NETGEAR STM150EW-100NAS
- safety signs and certification marks which confirm compatibility with the appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functionalities of purchased items. Unfortunately, networking and start-up of the NETGEAR STM150EW-100NAS alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of the NETGEAR STM150EW-100NAS, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the NETGEAR service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information about the NETGEAR STM150EW-100NAS.

Why should one read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the NETGEAR STM150EW-100NAS and its use with respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of the instructions. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    350 East Plumeria Drive, San Jose, CA 95134 USA. October 2012, 202-10780-03 v1.0. ProSecure Unified Threat Management (UTM) Appliance Reference Manual[...]

  • Page 2

    Support: Thank you for choosing NETGEAR. After installing your device, locate the serial number on the label of your product and use it to register your product at https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR recommends regi[...]

  • Page 3

    202-10780-03 (continued), 1.0 (continued), October 2012 (continued): • Added Appendix C, 3G/4G Dongles for the UTM9S and UTM25S. • Added many more default values to Appendix H, Default Settings and Technical Specifications. 202-10780-02, 2.0, May 2012: • Updated the main navi[...]

  • Page 4

    202-10780-01, 1.0, September 2011: • Added the UTM9S with the following major new features: - xDSL module (see Chapter 1, Introduction and Chapter 3, Manually Configure Internet and WAN Settings) - Wireless module (see Chapter 1, Introduction and Appendix B, Wireless Network Module for th[...]

  • Page 5

    Contents. Chapter 1, Introduction: What Is the ProSecure Unified Threat Management (UTM) Appliance? (p. 15); Key Features and Capabilities (p. 16); Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing [...]

  • Page 6

    Web Management Interface Menu Layout (p. 44); Use the Setup Wizard to Perform the Initial Configuration (p. 47); Setup Wizard Step 1 of 10: LAN Settings (p. 48); Setup Wizard Step 2 of 10[...]

  • Page 7

    Manage the Network Database (p. 112); Change Group Names in the Network Database (p. 115); Set Up Address Reservation (p. 116); Configure and Enable the[...]

  • Page 8

    Chapter 6, Content Filtering and Optimizing Scans: About Content Filtering and Scans (p. 192); Default Email and Web Scan Settings (p. 193); Configure Email Protection [...]

  • Page 9

    RADIUS Client and Server Configuration (p. 310); Assign IP Addresses to Remote Users (Mode Config) (p. 312); Mode Config Operation (p. 312); Configure Mode Conf[...]

  • Page 10

    Configure User Accounts (p. 401); Set User Login Policies (p. 404); Change Passwords and Other User Settings (p. 408); DC Agent [...]

  • Page 11

    View the Active PPTP and L2TP Users (p. 501); View the Port Triggering Status (p. 502); View the WAN, xDSL, or USB Port Status (p. 504); View Attached Devices[...]

  • Page 12

    Appendix A, xDSL Network Module for the UTM9S and UTM25S: xDSL Network Module Configuration Tasks (p. 550); Configure the xDSL Settings (p. 550); Automatically Detecting and Connecting the xDS[...]

  • Page 13

    Appendix D, Network Planning for Dual WAN Ports (Multiple WAN Port Models Only): What to Consider Before You Begin (p. 622); Plan Your Network and Network Management and Set Up Accounts (p. 622); Cabling and Computer Hardware Requirements [...]

  • Page 14

    Email Filter Logs (p. 661); IPS Logs (p. 662); Anomaly Behavior Logs [...]

  • Page 15

    1. Introduction. This chapter provides an overview of the features and capabilities of the NETGEAR ProSecure® Unified Threat Management (UTM) Appliance. This chapter contains the following sections: • What Is the ProSecure Unified Threat Management (UTM) Appliance? • Key Features and Capabilities • Service Registration Card with[...]

  • Page 16

    carry session traffic, or to maintain a backup connection in case of failure of your primary Internet connection. As a complete security solution, the UTM combines a powerful, flexible firewall with a content scan engine that uses NETGEAR Stream Scanning technology to prote [...]

  • Page 17

    • Depending on the model, bundled with a one-user license of the NETGEAR ProSafe VPN Client software (VPN01L). • Advanced stateful packet inspection (SPI) firewall with multi-NAT support. • Patent-pending Stream Scanning technology that enables scanning of real-time pr[...]

  • Page 18

    Wireless Features: Wireless client connections are supported on the UTM9S and UTM25S with an NMWLSN wireless network module installed. The UTM9S and UTM25S support the following wireless features: • 2.4-GHz radio and 5-GHz radio. Either 2.4-GHz band support with 802.11b/g/n[...]

  • Page 19

    • SSL VPN provides remote access for mobile users to selected corporate resources without requiring a preinstalled VPN client on their computers. - Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free acces[...]

  • Page 20

    analysis to stop both known and unknown threats. The malware database contains hundreds of thousands of signatures of spyware, viruses, and other malware. • Objectionable traffic protection. The UTM prevents objectionable content from reaching your computers. You can contr[...]

  • Page 21

    Extensive Protocol Support: The UTM supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see Internet Configuration Requirements on page 624. The UTM provides the following protoc[...]

  • Page 22

    • SNMP. The UTM supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2. • Diagnostic functions. The UTM incorpor[...]

  • Page 23

    Service Registration Card with License Keys: Be sure to store the license key card that came with your UTM (see a sample card in the following figure) in a secure location. If you do not use electronic licensing (see Electronic Licensing on page 67), you need these service lic[...]

  • Page 24

    Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Register the UTM with NETGEAR on page 65), the license keys are erased. The license keys and the different types of licenses that are availabl[...]

  • Page 25

    • Rear Panel UTM50 and UTM150 • Rear Panel UTM9S and UTM25S • Bottom Panels with Product Labels. The front panels contain ports and LEDs; the rear panels contain ports, connectors, and other components; and the bottom panels contain product labels. Front Panel UTM5 a[...]

  • Page 26

    Front Panel UTM25: Viewed from left to right, the UTM25 front panel contains the following ports: • One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM. • LAN Ethernet ports. Four switched N[...]

  • Page 27

    Figure 4. Front panel UTM50. Front Panel UTM150: Viewed from left to right, the UTM150 front panel contains the following ports: • One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM. • LAN[...]

  • Page 28

    Front Panel UTM9S and UTM25S and Network Modules: Viewed from left to right, the UTM9S and UTM25S front panel contains the following ports and slots: • One USB port that can accept a 3G/4G dongle for wireless connectivity to an ISP. The port is currently operable on the U[...]

  • Page 29

    xDSL Network Modules: The following xDSL network modules are available for insertion in one of the UTM9S or UTM25S slots: • NMSDSLA. VDSL/ADSL2+ network module, Annex A. • NMSDSLB. VDSL/ADSL2+ network module, Annex B. Note: In previous releases for the UTM9S, these network mod[...]

  • Page 30

    Figure 8. Wireless network module. LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150: The following table describes the function of each LED. Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150. Columns: LED, Activity, Description. Power LED, On (green): Power is supplied[...]

  • Page 31

    LAN ports, Left LED. Off: The LAN port has no link. On (green): The LAN port has detected a link with a connected Ethernet device. Blinking (green): Data is transmitted or received by the LAN port. Right LED. Off: The LAN port is operating at 10 Mbps. On (amber): The LAN port is opera[...]

  • Page 32

    LED Descriptions, UTM9S, UTM25S, and their Network Modules: The following table describes the function of each LED on the UTM9S and UTM25S and their network modules. Table 3. LED descriptions UTM9S and UTM25S. Columns: LED, Activity, Description. Power LED, On (green): Power is supplied to t[...]

  • Page 33

    Rear Panel UTM5, UTM10, and UTM25: The rear panel of the UTM5, UTM10, and UTM25 includes the cable lock receptacle, the console port, the Factory Defaults reset button, and the AC power connection. Figure 9. Rear panel of the UTM5, UTM10, and UTM25. Right LED, Off: The WAN por[...]

  • Page 34

    Viewed from left to right, the rear panel of the UTM5, UTM10, and UTM25 contains the following components: 1. Cable security lock receptacle. 2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 960[...]

  • Page 35

    Rear Panel UTM9S and UTM25S: The rear panel of the UTM9S and UTM25S includes the cable lock receptacle, the console port and console switch, the Factory Defaults reset button, the AC power connection, and the power switch. Figure 11. Rear panel of the UTM9S and UTM25S. View[...]

  • Page 36

    Bottom Panels with Product Labels: The product label on the bottom of the UTM’s enclosure displays factory defaults settings, regulatory compliance, and other information. The following figure shows the product label for the UTM5: Figure 12. The following figure shows the pr [...]

  • Page 37

    The following figure shows the product label for the UTM25: Figure 14. The following figure shows the product label for the UTM50: Figure 15.[...]

  • Page 38

    The following figure shows the product label for the UTM150: Figure 16. The following figure shows the product label for the UTM9S: Figure 17.[...]

  • Page 39

    The following figure shows the product label for the UTM25S: Figure 18. Choose a Location for the UTM: The UTM is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you c[...]

  • Page 40

    Use the Rack-Mounting Kit: Use the mounting kit for the UTM to install the appliance in a rack. (A mounting kit is provided in the package for the multiple WAN port models.) Attach the mounting brackets using the hardware that is supplied with the mounting kit. Figure 19. Befo[...]

  • Page 41

    2. Use the Setup Wizard to Provision the UTM in Your Network. This chapter explains how to log in to the UTM and use the web management interface, how to use the Setup Wizard to provision the UTM in your network, and how to register the UTM with NETGEAR. The chapter contains the following sections: • Steps for Initial Con[...]

  • Page 42

    4. Verify the installation. See Verify Correct Installation on page 68. 5. Register the UTM. See Register the UTM with NETGEAR on page 65. Each of these tasks is described separately in this chapter. The configuration of the W[...]

  • Page 43

    Figure 20. 3. In the User Name field, type admin. Use lowercase letters. 4. In the Password / Passcode field, type password. Here, too, use lowercase letters. Note: The UTM user name and password are not the same as any user name [...]

  • Page 44

    Figure 21. Web Management Interface Menu Layout: The following figure shows the menu at the top of the UTM50 web management interface as an example.[...]

  • Page 45

    Figure 22. The web management interface menu consists of the following components: • 1st level: Main navigation menu links. The main navigation menu in the orange bar across the top of the web management interface provides ac[...]

  • Page 46

    • Back. Go to the previous screen (for wizards). • Search. Perform a search operation. • Cancel. Cancel the operation. • Send Now. Send a file or report. When a screen includes a table, table buttons display to let you c[...]

  • Page 47

    Use the Setup Wizard to Perform the Initial Configuration: • Setup Wizard Step 1 of 10: LAN Settings • Setup Wizard Step 2 of 10: WAN Settings • Setup Wizard Step 3 of 10: System Date and Time • Setup Wizard Step 4 of 1[...]

  • Page 48

    Setup Wizard Step 1 of 10: LAN Settings. Figure 26. Enter the settings as explained in the following table, and then click Next to go to the following screen. Note: In this first step, you are configuring the LAN settings for the UTM?[...]

  • Page 49

    Table 4. Setup Wizard Step 1: LAN Settings screen settings. Columns: Setting, Description. LAN TCP/IP Setup. IP Address: Enter the IP address of the UTM’s default VLAN (the factory default address is 192.168.1.1). Note: Always make sure that [...]

  • Page 50

    Enable DHCP Server (continued). Primary DNS Server: This setting is optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM provides its own LAN I[...]

  • Page 51

    After you have completed the steps in the Setup Wizard, you can change the LAN settings by selecting Network Config > LAN Settings > Edit LAN Profile. For more information about these LAN settings, see VLAN DHCP Options on p [...]

  • Page 52

    Enter the settings as explained in the following table, and then click Next to go to the following screen. Note: Instead of manually entering the settings, you can also click the Auto Detect action button at the bottom of the screen. [...]

  • Page 53

    Austria (PPTP) (continued). My IP Address: The IP address assigned by the ISP to make the connection with the ISP server. Server IP Address: The IP address of the PPTP server. Other (PPPoE): If you have installed login software such as[...]

  • Page 54

    After you have completed the steps in the Setup Wizard, you can change the WAN settings by selecting Network Config > WAN Settings. Then click the Edit button in the Action column of the WAN interface for which you want t[...]

  • Page 55

    Enter the settings as explained in the following table, and then click Next to go to the following screen. After you have completed the steps in the Setup Wizard, you can change the date and time by selecting Administration > Syst[...]

  • Page 56

    Enter the settings as explained in the following table, and then click Next to go to the following screen. IMPORTANT: To enable scanning of encrypted emails, you need to configure the SSL settings (see Configure HTTPS Scanning and S[...]

  • Page 57

    Setup Wizard Step 5 of 10: Email Security. Figure 30. Enter the settings as explained in the following table, and then click Next to go to the following screen. Table 8. Setup Wizard Step 5: Email Security screen settings. Setting De[...]

  • Page 58

    After you have completed the steps in the Setup Wizard, you can change the email security settings by selecting Application Security > Email Anti-Virus. The Email Anti-Virus screen also lets you specify notification settings [...]

  • Page 59

    After you have completed the steps in the Setup Wizard, you can change the web security settings by selecting Application Security > HTTP/HTTPS > Malware Scan. The Malware Table 9. Setup Wizard Step 6: Web Security screen [...]

  • Page 60

    Scan screen also lets you specify HTML scanning and notification settings. For more information about these settings, see Configure Web Malware or Antivirus Scans on page 216. Setup Wizard Step 7 of 10: Web Categories to Be Blocked[...]

  • Page 61

    Enter the settings as explained in the following table, and then click Next to go to the following screen. After you have completed the steps in the Setup Wizard, you can change the content-filtering settings by selecting Application[...]

  • Page 62

    Setup Wizard Step 8 of 10: Email Notification. Figure 33. Enter the settings as explained in the following table, and then click Next to go to the following screen. After you have completed the steps in the Setup Wizard, you can change[...]

  • Page 63

    Setup Wizard Step 9 of 10: Signatures & Engine. Figure 34. Enter the settings as explained in the following table, and then click Next to go to the following screen. Table 12. Setup Wizard Step 9: Signatures & Engine screen se[...]

  • Page 64

    After you have completed the steps in the Setup Wizard, you can change the signatures and engine settings by selecting Administration > System Update > Signatures & Engine. For more information about these setting[...]

  • Page 65

    Register the UTM with NETGEAR: • Use the Web Management Interface to Activate Licenses • Electronic Licensing • Automatic Retrieval of Licenses after a Factory Default Reset. Use the Web Management Interface to Activate Licens[...]

  • Page 66

    Note: If you have used the 30-day trial licenses, these trial licenses are revoked once you activate the purchased service license keys. The purchased service license keys offer 1 year or 3 years of service. 4. Click Register. The[...]

  • Page 67

    To change customer or VAR information after you have registered the UTM: 1. Make the changes on the Registration screen. 2. Click Update Info. The new data is saved by the registration and update server. To re[...]

  • Page 68

    Verify Correct Installation: • Test Connectivity • Test HTTP Scanning. Test the UTM before deploying it in a live production environment. The following instructions walk you through a couple of quick tests that are designed to [...]

  • Page 69

    The UTM is ready for use. However, the following sections describe important tasks that you might want to address before you deploy the UTM in your network: • Configure the WAN Mode (required if you want to use multiple WAN por[...]

  • Page 70

    3. Manually Configure Internet and WAN Settings. This chapter contains the following sections: • Internet and WAN Configuration Tasks • Automatically Detecting and Connecting the Internet Connections • Manually Configure the Internet Connection • Configure the WAN Mode • Configure Secondary WAN Addresses • Configure D[...]

  • Page 71

    Internet and WAN Configuration Tasks. Note: For information about configuring the DSL interface of the UTM9S and UTM25S, see Appendix A, xDSL Network Module for the UTM9S and UTM25S. The information in this chapter also applies to the WAN int[...]

  • Page 72

    To configure the WAN ports automatically for connection to the Internet: 1. Select Network Config > WAN Settings. The WAN screen displays. (The following figure shows the UTM50.) Figure 37. The UTM5 and UTM10 screens show one WAN [...]

  • Page 73

    Manually Configure Internet and WAN Settings 73 ProSecure Unified Threat Management (UTM) Appliance Figure 38. 3. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of th[...]

  • Page 74

    Manually Configure Internet and WAN Settings 74 ProSecure Unified Threat Management (UTM) Appliance • If the autodetect process does not find a connection, you are prompted to check the physical connection between your UTM and the cable or DSL modem, satellite dish, or wireless ISP radio antenna, or to check your UTM’s MAC address. Fo[...]

  • Page 75

    Manually Configure Internet and WAN Settings 75 ProSecure Unified Threat Management (UTM) Appliance What to do next: • If the automatic ISP configuration is successful: You are connected to the Internet through the WAN interface that you just configured. For the multiple WAN port models, continue with the configuration process for the oth[...]

  • Page 76

    Manually Configure Internet and WAN Settings 76 ProSecure Unified Threat Management (UTM) Appliance Figure 41. 6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table: Table 14. PPTP and PPPoE settings Setting Description Austria (PPTP) If your ISP is Austria Telecom o[...]

  • Page 77

    Manually Configure Internet and WAN Settings 77 ProSecure Unified Threat Management (UTM) Appliance 7. In the Internet (IP) Address section of the screen (see the following figure), configure the IP address settings as explained in the following table. Click the Current IP Address link to see the currently assigned IP address. Figure 42. Other (P[...]

  • Page 78

    Manually Configure Internet and WAN Settings 78 ProSecure Unified Threat Management (UTM) Appliance 8. In the Domain Name Server (DNS) Servers section of the screen (see the following figure), specify the DNS settings as explained in the following table. Figure 43. Table 15. Internet IP address settings Setting Description Get Dynamically fro[...]

  • Page 79

    Manually Configure Internet and WAN Settings 79 ProSecure Unified Threat Management (UTM) Appliance 9. Click Apply to save any changes to the WAN ISP settings. (Or click Reset to discard any changes and revert to the previous settings.) 10. Click Test to evaluate your entries. The UTM attempts to make a connection according to the settings tha[...]

  • Page 80

    Manually Configure Internet and WAN Settings 80 ProSecure Unified Threat Management (UTM) Appliance Configure the WAN Mode • Overview of the WAN Modes • Configure Network Address Translation (All Models) • Configure Classical Routing (All Models) • Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Mod[...]

  • Page 81

    Manually Configure Internet and WAN Settings 81 ProSecure Unified Threat Management (UTM) Appliance WAN interfaces, the remaining interfaces are disabled. As long as the primary link is up, all traffic is sent over the primary link. When the primary link goes down, the rollover link is brought up to send the traffic. When the primary link come[...]

  • Page 82

    Manually Configure Internet and WAN Settings 82 ProSecure Unified Threat Management (UTM) Appliance WARNING: Changing the WAN mode from classical routing to NAT causes all LAN WAN and DMZ WAN inbound rules to revert to default settings. To configure NAT: 1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode sc[...]

  • Page 83

    Manually Configure Internet and WAN Settings 83 ProSecure Unified Threat Management (UTM) Appliance When the UTM is configured in auto-rollover mode, it uses the selected WAN failure detection method to detect the status of the primary link connection at regular intervals. Link failure is detected in one of the following ways: • DNS queries [...]

  • Page 84

    Manually Configure Internet and WAN Settings 84 ProSecure Unified Threat Management (UTM) Appliance Note: Ensure that the backup WAN interface is configured before enabling auto-rollover mode. 3. Click Apply to save your settings. Configure the Failure Detection Method To configure the failure detection method: 1. Select Network Config [...]

  • Page 85

    Manually Configure Internet and WAN Settings 85 ProSecure Unified Threat Management (UTM) Appliance Note: After the primary WAN interface fails, the default time to roll over is 2 minutes. The minimum test period is 30 seconds, and the minimum number of tests is 4. 5. Click Apply to save your settings. Note: You can configure the UTM to genera[...]

  • Page 86

    Manually Configure Internet and WAN Settings 86 ProSecure Unified Threat Management (UTM) Appliance Configure Load Balancing (Multiple WAN Port Models) To configure load balancing: 1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen displays: Figure 47. Note: You cannot configure load balancing when you [...]

  • Page 87

    Manually Configure Internet and WAN Settings 87 ProSecure Unified Threat Management (UTM) Appliance This load-balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions. 3. Click Apply to save your settings. Configure Protocol Binding (Optional) To configure protocol binding and add [...]

  • Page 88

    Manually Configure Internet and WAN Settings 88 ProSecure Unified Threat Management (UTM) Appliance Figure 49. 3. Configure the protocol binding settings as explained in the following table: Table 18. Add Protocol Binding screen settings Setting Description Service From the drop-down list, select a service or application to be covered by this [...]

  • Page 89

    Manually Configure Internet and WAN Settings 89 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The protocol binding rule is added to the Protocol Bindings table. The rule is automatically enabled, which is indicated by the ! status icon, a green circle. To edit a protocol binding: 1. On the Protocol[...]

  • Page 90

    Manually Configure Internet and WAN Settings 90 ProSecure Unified Threat Management (UTM) Appliance It is important that you ensure that any secondary WAN addresses are different from the primary WAN, LAN, and DMZ IP addresses that are already configured on the UTM. However, primary and secondary WAN addresses can be in the same subnet. [...]

  • Page 91

    Manually Configure Internet and WAN Settings 91 ProSecure Unified Threat Management (UTM) Appliance 5. Click the Add table button in the rightmost column to add the secondary IP address to the List of Secondary WAN addresses table. Repeat Step 4 and Step 5 for each secondary IP address that you want to add to the List of Secondary WAN addr[...]

  • Page 92

    Manually Configure Internet and WAN Settings 92 ProSecure Unified Threat Management (UTM) Appliance To configure DDNS: 1. Select Network Config > Dynamic DNS. The Dynamic DNS screen displays (see the following figure). The WAN Mode section onscreen reports the currently configured WAN mode (for example, Single Port WAN1, Load Balan[...]

  • Page 93

    Manually Configure Internet and WAN Settings 93 ProSecure Unified Threat Management (UTM) Appliance Figure 52. 4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/). 5. Configure the DDNS service settings as explained in the following table: 6. Click Apply[...]

  • Page 94

    Manually Configure Internet and WAN Settings 94 ProSecure Unified Threat Management (UTM) Appliance Set the UTM’s MAC Address and Configure Advanced WAN Options The advanced options include configuring the maximum transmission unit (MTU) size, the port speed, and the UTM’s MAC address, and setting a rate limit on the traffic that is[...]

  • Page 95

    Manually Configure Internet and WAN Settings 95 ProSecure Unified Threat Management (UTM) Appliance Figure 53. 4. Enter the settings as explained in the following table: Table 20. Advanced WAN settings Setting Description MTU Size Make one of the following selections: Default Select the Default radio button for the normal maximum transmit [...]

  • Page 96

    Manually Configure Internet and WAN Settings 96 ProSecure Unified Threat Management (UTM) Appliance Speed In most cases, the UTM can automatically determine the connection speed of the WAN port of the device (modem or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to select the port [...]

  • Page 97

    Manually Configure Internet and WAN Settings 97 ProSecure Unified Threat Management (UTM) Appliance 5. Click Apply to save your changes. WARNING: Depending on the changes that you made, when you click Apply, the UTM restarts, or services such as HTTP and SMTP might restart. If you want to configure the advanced settings for an additional WA[...]

  • Page 98

    98 4 4. LAN Configuration This chapter describes how to configure the advanced LAN features of your UTM. This chapter contains the following sections: • Manage Virtual LANs and DHCP Options • Configure Multihome LAN IP Addresses on the Default VLAN • Manage Groups and Hosts (LAN Groups) • Configure and Enable the DMZ Port • Ma[...]

  • Page 99

    LAN Configuration 99 ProSecure Unified Threat Management (UTM) Appliance A virtual LAN (VLAN) is a local area network with a definition that maps workstations on some basis other than geographic location (for example, by department, type of user, or primary application). To enable traffic to flow between VLANs, traffic needs to go through [...]

  • Page 100

    LAN Configuration 100 ProSecure Unified Threat Management (UTM) Appliance • When a port receives an untagged packet, this packet is forwarded to a VLAN based on the PVID. • When a port receives a tagged packet, this packet is forwarded to a VLAN based on the ID that is extracted from the tagged packet. When you create a VLAN profile, ass[...]

  • Page 101

    LAN Configuration 101 ProSecure Unified Threat Management (UTM) Appliance Figure 54. For each VLAN profile, the following fields display in the VLAN Profiles table: • Check box. Allows you to select the VLAN profile in the table. • Status icon. Indicates the status of the VLAN profile: - Green circle. The VLAN profile is enabled. - Gr[...]

  • Page 102

    LAN Configuration 102 ProSecure Unified Threat Management (UTM) Appliance DHCP Server The default VLAN (VLAN 1) has the DHCP server option enabled by default, allowing the UTM to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the UTM’s LAN. The assigned default gateway address is the LAN add[...]

  • Page 103

    LAN Configuration 103 ProSecure Unified Threat Management (UTM) Appliance configuration in auto-rollover mode with route diversity (that is, with two different ISPs) and you cannot ensure that the DNS server is available after a rollover has occurred. LDAP Server A Lightweight Directory Access Protocol (LDAP) server allows a user to query and[...]

  • Page 104

    LAN Configuration 104 ProSecure Unified Threat Management (UTM) Appliance 2. Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a VLAN profile by clicking the Add table button under the VLAN Profiles table. The Edit VLAN Profile screen displays. The following figure shows the Edit VLAN Prof[...]

  • Page 105

    LAN Configuration 105 ProSecure Unified Threat Management (UTM) Appliance 3. Enter the settings as explained in the following table: Table 21. Edit VLAN Profile screen settings Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN. VLAN ID Enter a[...]

  • Page 106

    LAN Configuration 106 ProSecure Unified Threat Management (UTM) Appliance Enable DHCP Server Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings: Domain Name This se[...]

  • Page 107

    LAN Configuration 107 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. Enable LDAP information To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings. Note: The LDAP settings that you [...]

  • Page 108

    LAN Configuration 108 ProSecure Unified Threat Management (UTM) Appliance Note: When you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change these default traffic rules, see Chapter 5, Firewall Protection. T [...]

  • Page 109

    LAN Configuration 109 ProSecure Unified Threat Management (UTM) Appliance Figure 57. 3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) 4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled [...]

  • Page 110

    LAN Configuration 110 ProSecure Unified Threat Management (UTM) Appliance The following is an example of correctly configured IP addresses on a multiple WAN port model: • WAN1 IP address. 10.0.0.1 with subnet 255.0.0.0 • WAN2 IP address. 20.0.0.1 with subnet 255.0.0.0 • DMZ IP address. 192.168.10.1 with subnet 255.255.255.0 • Primary[...]

  • Page 111

    LAN Configuration 111 ProSecure Unified Threat Management (UTM) Appliance To edit a secondary LAN IP address: 1. On the LAN Multi-homing screen (see the previous screen), click the Edit button in the Action column for the secondary IP address that you want to modify. The Edit Secondary LAN IP address screen displays. 2. Modify the IP addre[...]

  • Page 112

    LAN Configuration 112 ProSecure Unified Threat Management (UTM) Appliance These are some advantages of the network database: • Generally, you do not need to enter an IP address or a MAC address. Instead, you can just select the name of the desired computer or device. • There is no need to reserve an IP address for a computer in the DHCP se[...]

  • Page 113

    LAN Configuration 113 ProSecure Unified Threat Management (UTM) Appliance Figure 59. The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display: • Check box. Allows you to select the computer or device in the table. • Name. The name of the computer or device. For[...]

  • Page 114

    LAN Configuration 114 ProSecure Unified Threat Management (UTM) Appliance Add Computers or Devices to the Network Database To add computers or devices manually to the network database: 1. In the Add Known PCs and Devices section of the LAN Groups screen (see the previous figure), enter the settings as explained in the following table: 2.[...]

  • Page 115

    LAN Configuration 115 ProSecure Unified Threat Management (UTM) Appliance Figure 60. 2. Modify the settings as explained in Table 22 on page 114. 3. Click Apply to save your settings in the Known PCs and Devices table. Delete Computers or Devices from the Network Database To delete one or more computers or devices from the network databa[...]

  • Page 116

    LAN Configuration 116 ProSecure Unified Threat Management (UTM) Appliance Figure 61. 3. Select the radio button next to the group name that you want to edit. 4. Type a new name in the field. The maximum number of characters is 15; spaces and double quotes (") are not allowed. 5. Repeat Step 3 and Step 4 for any other group names. 6. Cl[...]

  • Page 117

    LAN Configuration 117 ProSecure Unified Threat Management (UTM) Appliance Configure and Enable the DMZ Port The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions than the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or email server) and provide public access to them. The [...]

  • Page 118

    LAN Configuration 118 ProSecure Unified Threat Management (UTM) Appliance Figure 62. 2. Enter the settings as explained in the following table: Table 23. DMZ Setup screen settings Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port setting[...]

  • Page 119

    LAN Configuration 119 ProSecure Unified Threat Management (UTM) Appliance DHCP Disable DHCP Server If another device on your network is the DHCP server for the VLAN, or if you will configure the network settings of all of your computers manually, select the Disable DHCP Server radio button to disable the DHCP server. By default, this radio b[...]

  • Page 120

    LAN Configuration 120 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Note: For all UTM models except for the UTM50, the DMZ LED next to LAN port 4 (see Hardware Features on page 24) lights green to indicate that the DMZ port is enabled. For the UTM50, the DMZ LED next to LAN port 6 lights green to indic[...]

  • Page 121

    LAN Configuration 121 ProSecure Unified Threat Management (UTM) Appliance Manage Routing • Configure Static Routes • Configure Routing Information Protocol • Static Route Example Static routes provide additional routing information to your UTM. Under normal circumstances, the UTM has adequate routing information after it has been co[...]

  • Page 122

    LAN Configuration 122 ProSecure Unified Threat Management (UTM) Appliance Figure 64. 3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. The new static route is added to the Static Routes table. Table 24. Add Static Route screen settings Setting Description Route Name The route name for the static r[...]

  • Page 123

    LAN Configuration 123 ProSecure Unified Threat Management (UTM) Appliance To edit a static route that is in the Static Routes table: 1. On the Routing screen (see Figure 63 on page 121), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays. This screen is identical to th[...]

  • Page 124

    LAN Configuration 124 ProSecure Unified Threat Management (UTM) Appliance Figure 65. 3. Enter the settings as explained in the following table: Table 25. RIP Configuration screen settings Setting Description RIP RIP Direction From the RIP Direction drop-down list, select the direction in which the UTM sends and receives RIP packets: • None. T[...]

  • Page 125

    LAN Configuration 125 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. RIP Version By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version: • RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version.[...]

  • Page 126

    LAN Configuration 126 ProSecure Unified Threat Management (UTM) Appliance Static Route Example In this example, we assume the following: • The UTM’s primary Internet access is through a cable modem to an ISP. • The UTM is on a local LAN with IP address 192.168.1.100. • The UTM connects to a remote network where you need to access a d[...]

  • Page 127

    127 5 5. Firewall Protection This chapter describes how to use the firewall features of the UTM to protect your network. This chapter contains the following sections: • About Firewall Protection • Overview of Rules to Block or Allow Specific Kinds of Traffic • Configure LAN WAN Rules • Configure DMZ WAN Rules • Config[...]

  • Page 128

    Firewall Protection 128 ProSecure Unified Threat Management (UTM) Appliance Administrator Tips Consider the following operational items: 1. As an option, you can enable remote management if you have to manage distant sites from a central location (see Configure Authentication Domains, Groups, and Users on page 380 and Configure Remote Manageme[...]

  • Page 129

    Firewall Protection 129 ProSecure Unified Threat Management (UTM) Appliance A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the UTM are: • Inbound. Block all access from outside except responses to requests from the LAN side. • Outbound. Allow all access from the LAN side to the outsi[...]

  • Page 130

    Firewall Protection 130 ProSecure Unified Threat Management (UTM) Appliance WARNING: Allowing inbound services opens security holes in your UTM. Enable only those ports that are necessary for your network. The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens ([...]

  • Page 131

    Firewall Protection 131 ProSecure Unified Threat Management (UTM) Appliance LAN Users The settings that determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN. • Single address. Enter the required address in the Start field to apply the rule to a single device on[...]

  • Page 132

    Firewall Protection 132 ProSecure Unified Threat Management (UTM) Appliance QoS Profile The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which, in turn, determines the quality of th[...]

  • Page 133

    Firewall Protection 133 ProSecure Unified Threat Management (UTM) Appliance Inbound Rules (Port Forwarding) If you have enabled Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly access any of your local computers (LAN users). (For information about configuring NA[...]

  • Page 134

    Firewall Protection 134 ProSecure Unified Threat Management (UTM) Appliance • Local computers need to access the local server using the computers’ local LAN address. Attempts by local computers to access the server using the external WAN IP address will fail. Note: See Configure Port Triggering on page 183 for yet another way to allow cert[...]

  • Page 135

    Firewall Protection 135 ProSecure Unified Threat Management (UTM) Appliance Table 28. Inbound rules overview Setting Description Inbound Rules Service (also referred to as Service Name) The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services sc[...]

  • Page 136

    Firewall Protection 136 ProSecure Unified Threat Management (UTM) Appliance LAN Users The settings that determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN. • Single address. Enter the required address in the Start field to apply the rule to a single device on[...]

  • Page 137

    Firewall Protection 137 ProSecure Unified Threat Management (UTM) Appliance QoS Profile The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service which, in turn, determines the quality of tha[...]

  • Page 138

    Firewall Protection 138 ProSecure Unified Threat Management (UTM) Appliance Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location[...]

  • Page 139

    Firewall Protection 139 ProSecure Unified Threat Management (UTM) Appliance For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the bottom. In some cases, the order of precedence of two or more rules might be imp[...]

  • Page 140

    Firewall Protection 140 ProSecure Unified Threat Management (UTM) Appliance To change an existing outbound or inbound service rule: In the Action column to the right of the rule, click one of the following table buttons: • Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, either t[...]

  • Page 141

    Firewall Protection 141 ProSecure Unified Threat Management (UTM) Appliance Figure 68. 2. Enter the settings as explained in Table 27 on page 130. 3. Click Apply to save your changes. The new rule is now added to the Outbound Services table. Create LAN WAN Inbound Service Rules The Inbound Services table lists all existing rules for inbou[...]

  • Page 142

    Firewall Protection 142 ProSecure Unified Threat Management (UTM) Appliance Figure 69. 2. Enter the settings as explained in Table 28 on page 135. 3. Click Apply to save your changes. The new rule is now added to the Inbound Services table. Configure DMZ WAN Rules • Create DMZ WAN Outbound Service Rules • Create DMZ WAN Inbound Service Rule[...]

  • Page 143

    Firewall Protection 143 ProSecure Unified Threat Management (UTM) Appliance adding outbound services rules (see Create DMZ WAN Outbound Service Rules on page 144). To access the DMZ WAN Rules screen, select Network Security > Firewall > DMZ WAN Rules. The DMZ WAN Rules screen displays. (The following figure shows some rules as an exam[...]

  • Page 144

    Firewall Protection 144 ProSecure Unified Threat Management (UTM) Appliance Create DMZ WAN Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP[...]

  • Page 145

    Firewall Protection 145 ProSecure Unified Threat Management (UTM) Appliance To create an inbound DMZ WAN service rule: 1. In the DMZ WAN Rules screen, click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound Service screen displays: Figure 72. 2. Enter the settings as explained in Table 28 on page 135. 3. Cli[...]

  • Page 146

    Firewall Protection 146 ProSecure Unified Threat Management (UTM) Appliance To access the LAN DMZ Rules screen and to change an existing outbound or inbound service rule, select Network Security > Firewall > LAN DMZ Rules. The LAN DMZ Rules screen displays: Figure 73. In the Action column to the right of the rule, click one of the foll[...]

  • Page 147

    Firewall Protection 147 ProSecure Unified Threat Management (UTM) Appliance Create LAN DMZ Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP[...]

  • Page 148

    Firewall Protection 148 ProSecure Unified Threat Management (UTM) Appliance Figure 75. 2. Enter the settings as explained in Table 28 on page 135. 3. Click Apply to save your changes. The new rule is now added to the Inbound Services table. Examples of Firewall Rules • Inbound Rule Examples • Outbound Rule Example Inbound Rule Examples LAN[...]

  • Page 149

    Firewall Protection 149 ProSecure Unified Threat Management (UTM) Appliance Figure 76. LAN WAN Inbound Rule: Allow Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see the f[...]

  • Page 150

    Firewall Protection 150 ProSecure Unified Threat Management (UTM) Appliance Figure 77. LAN WAN or DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the UTM to host an additional public IP address and associate [...]

  • Page 151

    Firewall Protection 151 ProSecure Unified Threat Management (UTM) Appliance Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides [...]

  • Page 152

    Firewall Protection 152 ProSecure Unified Threat Management (UTM) Appliance 6. In the Send to LAN Server field, enter the local IP address of your web server computer (192.168.1.2 in this example). 7. For the multiple WAN port models only: From the WAN Destination IP Address drop-down list, select the web server (the simulated 10.1.0.52 addre[...]

  • Page 153

    Firewall Protection 153 ProSecure Unified Threat Management (UTM) Appliance WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the comput[...]

  • Page 154

    Firewall Protection 154 ProSecure Unified Threat Management (UTM) Appliance Configure Other Firewall Features • VLAN Rules • Attack Checks, VPN Pass-through, and Multicast Pass-through • Set Session Limits • Manage the Application Level Gateway for SIP Sessions and VPN Scanning You can configure global VLAN rules, configure attack chec[...]

  • Page 155

    Firewall Protection 155 ProSecure Unified Threat Management (UTM) Appliance Figure 82. 3. Enter the settings as explained in the following table. Table 29. Add VLAN-VLAN Service screen settings Setting Description Service The service or application to be covered by this rule. If the service or application does not display in the list, [...]

  • Page 156

    Firewall Protection 156 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The new VLAN rule is added to the VLAN Services table. To change the position of an existing VLAN rule in the VLAN Services table: In the Action column to the right of the rule, click one of the following table buttons: • Up[...]

  • Page 157

    Firewall Protection 157 ProSecure Unified Threat Management (UTM) Appliance Attack Checks, VPN Pass-through, and Multicast Pass-through The Attack Checks screen allows you to specify whether the UTM should be protected against common attacks in the DMZ, LAN, and WAN networks, and lets you configure VPN pass-through and multicast pass-thr[...]

  • Page 158

    Firewall Protection 158 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Configure Multicast Pass-Through To configure multicast pass-through: 1. Select Network Security > Firewall > IGMP. The IGMP screen displays. (The following figure shows one alternate network as an example.) LAN Securit[...]

  • Page 159

    Firewall Protection 159 ProSecure Unified Threat Management (UTM) Appliance Figure 84. 2. In the Multicast Pass through section of the screen, select the Yes radio button to enable multicast pass-through. (By default the Yes radio button is enabled.) When you enable multicast pass-through, an Internet Group Management Protocol (IGMP) proxy is e[...]

  • Page 160

    Firewall Protection 160 ProSecure Unified Threat Management (UTM) Appliance To delete one or more multicast source addresses: 1. In the Alternate Networks table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses. 2. Click the Delete table button. Set Sessi[...]

  • Page 161

    Firewall Protection 161 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. Manage the Application Level Gateway for SIP Sessions and VPN Scanning The application level gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across t[...]

  • Page 162

    Firewall Protection 162 ProSecure Unified Threat Management (UTM) Appliance Figure 86. 2. In the ALG section, select the Enable SIP ALG check box. 3. In the ALG section, click Apply to save your settings. 4. In the VPN scan section, select the Enable VPN scan check box. 5. In the VPN scan section, click Apply to save your settings. Create Services[...]

  • Page 163

    Firewall Protection 163 ProSecure Unified Threat Management (UTM) Appliance • QoS profiles. A Quality of Service (QoS) profile defines the relative priority of an IP packet for traffic that matches the firewall rule. For information about creating QoS profiles, see Create Quality of Service Profiles on page 169. • Bandwidth profiles. A [...]

  • Page 164

    Firewall Protection 164 ProSecure Unified Threat Management (UTM) Appliance To add a customized service: 1. Select Network Security > Services. The Services screen displays. The Custom Services table shows the user-defined services. (The following figure shows some examples.) Figure 87. 2. In the Add Customer Service section of the scr[...]

  • Page 165

    Firewall Protection 165 ProSecure Unified Threat Management (UTM) Appliance To edit a service: 1. In the Custom Services table, click the Edit table button to the right of the service that you want to edit. The Edit Service screen displays: Figure 88. 2. Modify the settings that you wish to change (see the previous table). 3. Click Apply to[...]

  • Page 166

    Firewall Protection 166 ProSecure Unified Threat Management (UTM) Appliance Figure 89. 2. Under the Custom Service Group table, click the Add table button. The Add Service Group screen displays: Figure 90. 3. In the Name field, enter a name for the service. 4. Use the move buttons (<< and >>) to move services between the Available Se[...]

  • Page 167

    Firewall Protection 167 ProSecure Unified Threat Management (UTM) Appliance Create IP Groups An IP group contains a collection of individual IP addresses that do not need to be within the same IP address range. You specify an IP group as either a LAN group or WAN group. You use the group as a firewall object to which you apply a firewall rule[...]

  • Page 168

    Firewall Protection 168 ProSecure Unified Threat Management (UTM) Appliance Figure 92. 5. In the IP Address fields, type an IP address. 6. Click the Add table button to add the IP address to the IP Addresses Grouped table. 7. Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table. 8. Click the Edit table button t[...]

  • Page 169

    Firewall Protection 169 ProSecure Unified Threat Management (UTM) Appliance Create Quality of Service Profiles A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the UTM. A QoS profile becomes active only when it is associated with a nonbloc[...]

  • Page 170

    Firewall Protection 170 ProSecure Unified Threat Management (UTM) Appliance Figure 93. The screen displays the List of QoS Profiles table with the user-defined profiles. 2. Under the List of QoS Profiles table, click the Add table button. The Add QoS Profile screen displays: Figure 94. 3. Enter the settings as explained in the following table. [...]

  • Page 171

    Firewall Protection 171 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The new QoS profile is added to the List of QoS Profiles table. To edit a QoS profile: 1. In the List of QoS Profiles table, click the Edit table button to the right of the QoS profile that you want to edit. The Edit QoS Profil[...]

  • Page 172

    Firewall Protection 172 ProSecure Unified Threat Management (UTM) Appliance When a new connection is established by a device, the device locates the firewall rule corresponding to the connection. • If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel. • If multiple connections correspond to [...]

  • Page 173

    Firewall Protection 173 ProSecure Unified Threat Management (UTM) Appliance Figure 96. 3. Enter the settings as explained in the following table: Table 34. Add Bandwidth Profile screen settings Setting Description Profile Name A descriptive name of the bandwidth profile for identification and management purposes. Direction From the Direction[...]

  • Page 174

    Firewall Protection 174 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The new bandwidth profile is added to the List of Bandwidth Profiles table. 5. In the Bandwidth Profiles section of the screen, select the Yes radio button under Enable Bandwidth Profiles? (By default the No radio button is selecte[...]

  • Page 175

    Firewall Protection 175 ProSecure Unified Threat Management (UTM) Appliance both downloaded and uploaded traffic. When applied to multiple firewall rules, a single profile can be applied to each firewall rule separately, or to all firewall rules together. After you have created a traffic meter profile, you can assign the profile to firewal[...]

  • Page 176

    Firewall Protection 176 ProSecure Unified Threat Management (UTM) Appliance Figure 98. 3. Enter the settings as explained in the following table: Table 35. Add Traffic Meter Profile screen settings Setting Description Profile Name A descriptive name of the traffic meter profile for identification and management purposes. Direction From the Dir[...]

  • Page 177

    Firewall Protection 177 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The new traffic meter profile is added to the List of Traffic Meter Profiles table. You now can select the profile when you create or change a firewall rule. To edit a traffic meter profile: 1. In the List of Traffic Meter Prof[...]

  • Page 178

    Firewall Protection 178 ProSecure Unified Threat Management (UTM) Appliance Figure 100. 3. Enter the settings as explained in the following table: Table 36. Add Schedule screen settings Setting Description Profile Name A name of the schedule for identification and management purposes. Description A description to further help identification fo[...]

  • Page 179

    Firewall Protection 179 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The new schedule is added to the List of Schedules table. You now can select the schedule when you create or change a firewall rule. To edit a schedule: 1. In the List of Schedules table, click the Edit table button to the rig[...]

  • Page 180

    Firewall Protection 180 ProSecure Unified Threat Management (UTM) Appliance To enable MAC filtering and add MAC addresses to be permitted or blocked: 1. Select Network Security > Address Filter. The Address Filter submenu tabs display, with the Source MAC Filter screen in view. (The following figure shows one address in the MAC Addres[...]

  • Page 181

    Firewall Protection 181 ProSecure Unified Threat Management (UTM) Appliance Set Up IP/MAC Bindings IP/MAC binding allows you to bind an IP address to a MAC address and the other way around. Some computers or devices are configured with static addresses. To prevent users from changing their static IP addresses, the IP/MAC binding feature ne[...]

  • Page 182

    Firewall Protection 182 ProSecure Unified Threat Management (UTM) Appliance Figure 102. 2. Enter the settings as explained in the following table: 3. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table. 4. Click Apply to save your changes. Table 37. IP/MAC Binding screen settings Setting Description Email IP/MA[...]

  • Page 183

    Firewall Protection 183 ProSecure Unified Threat Management (UTM) Appliance To edit an IP/MAC binding: 1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays. 2. Modify the settings that you wish to change (see the previous table). 3. C[...]

  • Page 184

    Firewall Protection 184 ProSecure Unified Threat Management (UTM) Appliance To add a port-triggering rule: 1. Select Network Security > Port Triggering. The Port Triggering screen displays. (The following figure shows a rule in the Port Triggering Rule table as an example.) Figure 103. 2. In the Add Port Triggering Rule section, ente[...]

  • Page 185

    Firewall Protection 185 ProSecure Unified Threat Management (UTM) Appliance To edit a port-triggering rule: 1. In the Port Triggering Rules table, click the Edit table button to the right of the port-triggering rule that you want to edit. The Edit Port Triggering Rule screen displays. 2. Modify the settings that you wish to change (see t[...]

  • Page 186

    Firewall Protection 186 ProSecure Unified Threat Management (UTM) Appliance Configure Universal Plug and Play The Universal Plug and Play (UPnP) feature enables the UTM to discover and configure devices automatically when it searches the LAN and WAN. 1. Select Security > UPnP. The UPnP screen displays: Figure 105. The UPnP Portmap Table in[...]

  • Page 187

    Firewall Protection 187 ProSecure Unified Threat Management (UTM) Appliance Enable and Configure the Intrusion Prevention System The intrusion prevention system (IPS) of the UTM monitors all network traffic to detect, in real time, distributed denial-of-service (DDoS) attacks, network attacks, and port scans, and to protect your network from s[...]

  • Page 188

    Firewall Protection 188 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Note: Traffic that passes on the UTM’s VLANs and on the secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configure Multihome LAN IP Addresses on the Default VLAN on page 109) is also scanned by[...]

  • Page 189

    Firewall Protection 189 ProSecure Unified Threat Management (UTM) Appliance Figure 106. IPS, screen 1 of 2[...]

  • Page 190

    Firewall Protection 190 ProSecure Unified Threat Management (UTM) Appliance Figure 107. IPS, screen 2 of 2 4. Click Apply to save your settings. The following table explains some of the less familiar attack names in the IPS: Table 40. IPS: uncommon attack names Attack Name Description Web Web-Misc Detects some specific web attack tools, such[...]

  • Page 191

    Firewall Protection 191 ProSecure Unified Threat Management (UTM) Appliance Note: To ensure that alerts are emailed to an administrator, you need to configure the email notification server (see Configure the Email Notification Server on page 466) and the IPS alerts (see Configure and Activate Update Failure and Attack Alerts on page 473). [...]

  • Page 192

    192 6. Content Filtering and Optimizing Scans This chapter describes how to apply the content-filtering features of the UTM and how to optimize scans to protect your network. This chapter contains the following sections: • About Content Filtering and Scans • Configure Email Protection • Configure Web and Services Protection • C[...]

  • Page 193

    Content Filtering and Optimizing Scans 193 ProSecure Unified Threat Management (UTM) Appliance Note: The UTM can quarantine spam and malware only if you have integrated a ReadyNAS (see Connect to a ReadyNAS on page 459) and configured the quarantine settings (see Configure the Quarantine Settings on page 460). Default Email and Web Scan Setti[...]

  • Page 194

    Content Filtering and Optimizing Scans 194 ProSecure Unified Threat Management (UTM) Appliance Configure Email Protection • Customize Email Protocol Scan Settings • Customize Email Antivirus and Notification Settings • Email Content Filtering • Protect Against Email Spam The UTM lets you configure the following settings to protect th[...]

  • Page 195

    Content Filtering and Optimizing Scans 195 ProSecure Unified Threat Management (UTM) Appliance Note: For information about web protocols and ports, see Customize Web Protocol Scan Settings on page 210. Figure 108. 2. In the Email section of the screen, select the protocols to scan by selecting the Enable check boxes, and enter the port numbers [...]

  • Page 196

    Content Filtering and Optimizing Scans 196 ProSecure Unified Threat Management (UTM) Appliance Customize Email Antivirus and Notification Settings Whether or not the UTM detects an email virus, you can configure it to take a variety of actions (some of the default actions are listed in Table 41 on page 193) and send notifications, emails, or bo[...]

  • Page 197

    Content Filtering and Optimizing Scans 197 ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Table 42. Anti-Virus screen settings for email traffic Setting Description Action SMTP The Anti-Virus check box for SMTP is selected by default. When the UTM detects an infected email that i[...]

  • Page 198

    Content Filtering and Optimizing Scans 198 ProSecure Unified Threat Management (UTM) Appliance Scan Exceptions The default maximum size of the email message that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM’s performance (see Performance [...]

  • Page 199

    Content Filtering and Optimizing Scans 199 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Email Content Filtering The UTM provides several options to filter unwanted content from emails. You can filter content from emails based on keywords in the subject line, file type of the attachment, and file name[...]

  • Page 200

    Content Filtering and Optimizing Scans 200 ProSecure Unified Threat Management (UTM) Appliance To configure email content filtering: 1. Select Application Security > Email > Email Filters. The Email Filters screen displays: Figure 110.[...]

  • Page 201

    Content Filtering and Optimizing Scans 201 ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Table 43. Email Filters screen settings Setting Description Email Filters By default, the email filters are blank and enabled, that is, the Yes radio button is selected. After you have crea[...]

  • Page 202

    Content Filtering and Optimizing Scans 202 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Protect Against Email Spam The UTM integrates multiple antispam technologies to provide comprehensive protection against unwanted email. You can enable all or a combination of these antispam technologies. The U[...]

  • Page 203

    Content Filtering and Optimizing Scans 203 ProSecure Unified Threat Management (UTM) Appliance This order of implementation ensures the optimum balance between spam prevention and system performance. For example, if an email originates from a whitelisted source, the UTM delivers the email immediately to its destination inbox without impleme[...]

  • Page 204

    Content Filtering and Optimizing Scans 204 ProSecure Unified Threat Management (UTM) Appliance To configure the whitelist and blacklist: 1. Select Application Security > Email > Whitelist/Blacklist. The Whitelist/Blacklist screen displays. Figure 111.[...]

  • Page 205

    Content Filtering and Optimizing Scans 205 ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Note: In the fields of the Whitelist/Blacklist screen, use commas to separate multiple entries. For IP addresses, use a hyphen to indicate a range (for example, 192.168.32.2-192.168.32.8). Ta[...]

  • Page 206

    Content Filtering and Optimizing Scans 206 ProSecure Unified Threat Management (UTM) Appliance Configure the Real-Time Blacklist Blacklist providers are organizations that collect IP addresses of verified open SMTP relays that might be used by spammers as media for sending spam. These known spam relays are compiled by blacklist providers and[...]

  • Page 207

    Content Filtering and Optimizing Scans 207 ProSecure Unified Threat Management (UTM) Appliance To delete a blacklist provider from the real-time blacklist: 1. In the real-time blacklist, click the Delete table button next to the blacklist provider that you want to delete. 2. Click Apply to save your settings. Configure Distributed Spam Analy[...]

  • Page 208

    Content Filtering and Optimizing Scans 208 ProSecure Unified Threat Management (UTM) Appliance Figure 113. 2. Enter the settings as explained in the following table: Table 45. Distributed Spam Analysis screen settings Setting Description Distributed Spam Analysis SMTP Select the SMTP check box to enable distributed spam analysis for the SMT[...]

  • Page 209

    Content Filtering and Optimizing Scans 209 ProSecure Unified Threat Management (UTM) Appliance Sensitivity From the Sensitivity drop-down list, select the level of sensitivity for the antispam engine that performs the analysis: Low. Medium-Low. Medium. Medium High. This is the default setting. High. Note: A low sensitivity allows more email[...]

  • Page 210

    Content Filtering and Optimizing Scans 210 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. The Distributed Spam Analysis section and the Anti-Spam Engine Settings section each have their own Apply and Reset buttons to enable you to change these sections separately. Configure Web and Services Protec[...]

  • Page 211

    Content Filtering and Optimizing Scans 211 ProSecure Unified Threat Management (UTM) Appliance Scanning all protocols enhances network security but might affect the performance of the UTM. For an optimum balance between security and performance, enable scanning of only the most commonly used protocols on your network. For example, you can sc[...]

  • Page 212

    Content Filtering and Optimizing Scans 212 ProSecure Unified Threat Management (UTM) Appliance service on your network uses both port 80 and port 8080, enter both port numbers in the Ports to Scan field and separate them by a comma. 4. Click Apply to save your settings. Configure HTTPS Smart Block You can block access to HTTPS domains without e[...]

  • Page 213

    Content Filtering and Optimizing Scans 213 ProSecure Unified Threat Management (UTM) Appliance 2. In the HTTPS Smart Block Port section of the screen, enter up to five port numbers, separated by commas, for which you want the HTTPS Smart Block feature to function. Each port number needs to be between 1 and 65535. By default, the fe[...]

  • Page 214

    Content Filtering and Optimizing Scans 214 ProSecure Unified Threat Management (UTM) Appliance Figure 117. The HTTPS Smart Block Profiles table shows all the configured profiles, whether enabled or disabled. The HTTPS Smart Block List shows all the profiles that are enabled globally. By default, the table contains the All Domains profile. [...]

  • Page 215

    Content Filtering and Optimizing Scans 215 ProSecure Unified Threat Management (UTM) Appliance To change a profile: 1. In the Action column of the HTTPS Smart Block Profiles table, click the Edit table button for the profile that you want to change. The Add or Edit HTTPS Smart Block Profile screen displays (see Figu[...]

  • Page 216

    Content Filtering and Optimizing Scans 216 ProSecure Unified Threat Management (UTM) Appliance Configure Web Malware or Antivirus Scans Whether or not the UTM detects web-based malware threats, you can configure it to take a variety of actions (some of the default actions are listed in Table 41 on page 193) and send notifications, emails, or[...]

  • Page 217

    Content Filtering and Optimizing Scans 217 ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: 3. Click Apply to save your settings. Table 47. Anti-Virus screen settings for HTTP/HTTPS traffic Setting Description Action HTTP and HTTPS Action The Anti-Virus check boxes for HTTP and HTTP[...]

  • Page 218

    Content Filtering and Optimizing Scans 218 ProSecure Unified Threat Management (UTM) Appliance Configure Web Content Filtering If you want to restrict access by internal LAN users to certain types of information and objects on the Internet, use the UTM’s content filtering and web objects filtering. Except for the web content categories that[...]

  • Page 219

    Content Filtering and Optimizing Scans 219 ProSecure Unified Threat Management (UTM) Appliance Note: You can bypass any type of web blocking for trusted hosts by adding the exact matching domain names to the trusted host list (see Specify Trusted Hosts for HTTPS Scanning on page 235). Access to the domains on the trusted host list is allowed f[...]

  • Page 220

    Content Filtering and Optimizing Scans 220 ProSecure Unified Threat Management (UTM) Appliance Figure 120. Content filtering, screen 2 of 3[...]

  • Page 221

    Content Filtering and Optimizing Scans 221 ProSecure Unified Threat Management (UTM) Appliance Figure 121. Content filtering, screen 3 of 3 2. Enter the settings as explained in the following table: Table 48. Content Filtering screen settings Setting Description Content Filtering Log HTTP Traffic Select this check box to log HTTP traffic. [...]

  • Page 222

    Content Filtering and Optimizing Scans 222 ProSecure Unified Threat Management (UTM) Appliance Block Files with the Following Extensions By default, the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file exten[...]

  • Page 223

    Content Filtering and Optimizing Scans 223 ProSecure Unified Threat Management (UTM) Appliance Select the Web Categories You Wish to Block Select the Enable Blocking check box to enable blocking of web categories. (By default, this check box is selected.) Select the check boxes of any web categories that you want to block. Use the action butt[...]

  • Page 224

    Content Filtering and Optimizing Scans 224 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Note: When the UTM blocks access to a link of a certain blocked web category, the UTM displays an HTML warning screen that includes a link to submit a URL misclassification. To submit a misclassified or uncatego[...]

  • Page 225

    Content Filtering and Optimizing Scans 225 ProSecure Unified Threat Management (UTM) Appliance To configure web URL filtering: 1. Select Application Security > HTTP/HTTPS > URL Filtering. The URL Filtering screen displays. Figure 122.[...]

  • Page 226

    Content Filtering and Optimizing Scans 226 ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Table 49. URL Filtering screen settings Setting Description Whitelist Enable Select this check box to bypass scanning of the URLs that are listed in the URL field. Users are allowed to access [...]

  • Page 227

    Content Filtering and Optimizing Scans 227 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. URL (continued) Delete To delete one or more URLs, highlight the URLs, and click the Delete table button. Export To export the URLs, click the Export table button, and follow the instructions of your browser. Ad[...]

  • Page 228

    Content Filtering and Optimizing Scans 228 ProSecure Unified Threat Management (UTM) Appliance Configure HTTPS Scanning and SSL Certificates • How HTTPS Scanning Works • Configure the HTTPS Scan Settings • Manage SSL Certificates for HTTPS Scanning • Specify Trusted Hosts for HTTPS Scanning • Configure the SSL Settings for HTTPS Scann[...]

  • Page 229

    Content Filtering and Optimizing Scans 229 ProSecure Unified Threat Management (UTM) Appliance During SSL authentication, the HTTPS client authenticates three items: • Is the SSL certificate trusted? • Has the SSL certificate expired? • Does the name on the SSL certificate match that of the website? If one of these items is not authenticat[...]

  • Page 230

    Content Filtering and Optimizing Scans 230 ProSecure Unified Threat Management (UTM) Appliance Configure the HTTPS Scan Settings To configure the HTTPS scan settings: 1. Select Application Security > HTTP/HTTPS > HTTPS Settings. The HTTPS Settings screen displays: Figure 125. 2. Enter the settings as explained in the following table[...]

  • Page 231

    Content Filtering and Optimizing Scans 231 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Manage SSL Certificates for HTTPS Scanning Note: For information about digital certificates for VPN connections, see Manage Digital Certificates for VPN Connections on page 419. Before enabling HTTPS scanning, you [...]

  • Page 232

    Content Filtering and Optimizing Scans 232 ProSecure Unified Threat Management (UTM) Appliance recommends that you replace this digital certificate with a digital certificate from a well-known commercial certification authority (CA) such as an internal Windows server or an external organization such as VeriSign or Thawte. Because a commercia[...]

  • Page 233

    Content Filtering and Optimizing Scans 233 ProSecure Unified Threat Management (UTM) Appliance To download the current certificate into your browser: 1. Click Download for Browser Import. 2. Follow the instructions of your browser to save the RootCA.crt file on your computer. To reload the default NETGEAR certificate: 1. Select the U[...]

  • Page 234

    Content Filtering and Optimizing Scans 234 ProSecure Unified Threat Management (UTM) Appliance The Trusted Certificates table contains the trusted certificates from third-party websites that are signed by the certification authorities. The UTM comes standard with trusted certificates that are preloaded in the Trusted Certificates table. [...]

  • Page 235

    Content Filtering and Optimizing Scans 235 ProSecure Unified Threat Management (UTM) Appliance To delete an untrusted certificate: 1. From the Exceptions - Untrusted Certificates But Granted Access table, select the certificate. 2. Click Delete Selected. To move an untrusted certificate to the Trusted Certificate Authorities table: 1.[...]

  • Page 236

    Content Filtering and Optimizing Scans 236 ProSecure Unified Threat Management (UTM) Appliance Figure 130. 2. Enter the settings as explained in the following table: 3. Click Apply to save your settings. Table 51. Trusted Hosts screen settings Setting Description Do Not Intercept HTTPS Connections for the following Hosts Enable Select thi[...]

  • Page 237

    Content Filtering and Optimizing Scans 237 ProSecure Unified Threat Management (UTM) Appliance Configure the SSL Settings for HTTPS Scanning To configure the SSL settings for HTTPS scanning: 1. Select Application Security > SSL Settings > SSL Settings. The SSL Settings screen displays. Figure 131. 2. Enter the settings as explained [...]

  • Page 238

    Content Filtering and Optimizing Scans 238 ProSecure Unified Threat Management (UTM) Appliance Configure FTP Scanning • Customize FTP Antivirus Settings • Configure FTP Content Filtering Some malware threats are specifically developed to spread through the FTP protocol. By default, the UTM scans FTP traffic, but you can disable scanning o[...]

  • Page 239

    Content Filtering and Optimizing Scans 239 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Configure FTP Content Filtering To configure the FTP filters: 1. Select Application Security > FTP > FTP Filters. The FTP Filters screen displays: Figure 133. 2. Enter the settings as explained in the f[...]

  • Page 240

    Content Filtering and Optimizing Scans 240 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. Configure Application Control Application control enables you to safeguard data, protect users, and enhance productivity. You can control multiple applications in the following categories: • Instant messaging [...]

  • Page 241

    Content Filtering and Optimizing Scans 241 ProSecure Unified Threat Management (UTM) Appliance • Private protocols • Social networks Control is set for entire categories of applications (for example, to block gaming during business hours), for individual applications (for example, to allow Skype but block some other applications), or for a [...]

  • Page 242

    Content Filtering and Optimizing Scans 242 ProSecure Unified Threat Management (UTM) Appliance To configure an application control profile and enable application control: 1. Select Application Security > Application Control. The Application Control screen displays. (The following figure contains an example in the Application Control[...]

  • Page 243

    Content Filtering and Optimizing Scans 243 ProSecure Unified Threat Management (UTM) Appliance Figure 135. 3. Configure the common settings in the upper part of the screen as explained in the following table: Table 55. Common settings on the Add or Edit Application Control Profile screen Setting Description Name A name of the profile for iden[...]

  • Page 244

    Content Filtering and Optimizing Scans 244 ProSecure Unified Threat Management (UTM) Appliance 4. In the lower part of the screen, select the categories of applications and individual applications that you want to include in the profile by using the following methods: • To select one or more categories of applications: In the left pane, selec[...]

  • Page 245

    Content Filtering and Optimizing Scans 245 ProSecure Unified Threat Management (UTM) Appliance 5. In the Active Categories and Individual Applications table, set the policy for each selected category of applications and individual application by clicking the Edit table button to the right of each selection. The Application Control Pol[...]

  • Page 246

    Content Filtering and Optimizing Scans 246 ProSecure Unified Threat Management (UTM) Appliance 6. Configure the policy as explained in the following table: Table 56. Application Control Policy pop-up screen settings Setting Description Policy for a category of applications Application Policy From the drop-down list, select the action for th[...]

  • Page 247

    7. Click Apply to save the policy settings. The pop-up screen closes. 8. Repeat Step 5 through Step 7 for other selections in the Active Categories and Individual Applications table. 9. On the Add or Edit Application Control Profile screen, click Appl[...]

  • Page 248

    2. Modify the settings that you wish to change (see the previous procedure). 3. Click Apply to save your changes. The modified application control profile is displayed in the Global Application Control Profile table or the Application [...]

  • Page 249

    • A combination of file extensions and protocols • One URL or URL expression • One built-in web category group or built-in individual web category To further refine exception rules, you can create custom categories that allow you to include eit[...]

  • Page 250

    2. Under the File Extension table at the bottom of the screen, click the Add table button to specify an exception rule. The Add or Edit Exceptions screen displays. The content of the lower part of the screen depends on the selection of the Category dro[...]

  • Page 251

    • File Extension. Figure 140. Add or edit exceptions: file extensions • HTTPS Smart Block. Figure 141. Add or edit exceptions: HTTPS Smart Block[...]

  • Page 252

    • URL Filtering. Figure 142. Add or edit exceptions: URL filtering • Web Category. Figure 143. Add or edit exceptions: web categories 4. Complete the fields and make your selections from the drop-down lists as explained in the following table: T [...]

  • Page 253

    Domain User/Group Click the Edit button to open the Applies To pop-up screen, which lets you configure a domain, group, or individual user to which the exception needs to apply (see the screen later in this table). If applicable, on the Applies To s[...]

  • Page 254

    Domain User/Group (continued) Local Groups Do the following: 1. From the Name drop-down list, select a local group. 2. Click the Apply button to apply the exception to the selected local group. You can specify local groups on the Groups screen (see [...]

  • Page 255

    Domain User/Group (continued) Custom Groups Do the following: 1. From the Name drop-down list, select a custom group. 2. Click the Apply button to apply the exception to the selected group. You can specify custom groups on the Custom Groups screen (s[...]

  • Page 256

    Category (and related information) (continued) File Extensions The action applies to one or more file extensions and one or more protocols, which you need to specify onscreen: 1. File Extensions. Manually enter up to 40 file extensions. Use commas to[...]

  • Page 257

    5. Click Apply to save your settings. The new exception rule is added to the associated table on the Exceptions screen and is enabled by default. To return to the Exceptions screen without adding the rule, click Cancel. 6. Optional step: If you do not [...]

  • Page 258

    Create Custom Categories for Exceptions for Web and Application Access Use custom categories to set exceptions for web and application access on the Exceptions screen (see Set Exception Rules for Web and Application Access on page 248). Each custom [...]

  • Page 259

    • Application. Figure 145. Custom categories: applications • URL Filtering. Figure 146. Custom categories: URL filtering[...]

  • Page 260

    • Web Category. Figure 147. Custom categories: web categories 4. Complete the fields and make your selections from the drop-down lists as explained in the following table: Table 58. Custom Categories screen settings Setting Description Name A name[...]

  • Page 261

    Category Type (continued) Application (continued) To remove one or more categories or applications from the Applications in this Category table: 1. Select the check boxes that are associated with the categories or applications, or select all entri[...]

  • Page 262

    5. Click Apply to save your settings. The new category is added to the Custom Categories table. To return to the Custom Categories screen without adding the category, click Cancel. To change an existing custom category: 1. In the Action column [...]

  • Page 263

    Figure 148. 2. In the Add Scanning Exclusions section of the screen, specify an exclusion rule as explained in the following table: 3. In the Add column, click the Add table button to add the exclusion rule to the Scanning Exclusions table. The new exclu[...]

  • Page 264

    7. Virtual Private Networking Using IPSec, PPTP, or L2TP Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the UTM to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the fo[...]

  • Page 265

    Virtual Private Networking Using IPSec, PPTP, or L2TP Connections 265 ProSecure Unified Threat Management (UTM) Appliance balancing mode if the IP addresses are static, but mandatory if the WAN IP addresses are dynamic. See Virtual Private Networks on page 629 for more information about the IP addressing requirements for VPNs in the dual [...]

  • Page 266

    Use the IPSec VPN Wizard for Client and Gateway Configurations • Create Gateway-to-Gateway VPN Tunnels with the Wizard • Create a Client-to-Gateway VPN Tunnel You can use the IPSec VPN Wizard to configure multiple gat[...]

  • Page 267

    • Multiple WAN port models. A drop-down list to select the WAN interface, a check box to enable VPN rollover, and another drop-down list to select a WAN interface for VPN rollover. If the multiple WAN port model is [...]

  • Page 268

    Figure 153. The VPN Wizard default values screen lists some incorrect default values. The correct values are listed in the following table. Table 61. IPSec VPN Wizard default values for a gateway-to-gateway tunnel Setti[...]

  • Page 269

    2. Select the radio buttons and complete the fields as explained in the following table: Key group DH-Group 2 (1024 bit) NetBIOS Enabled Table 62. IPSec VPN Wizard settings for a gateway-to-gateway tunnel Setting Des[...]

  • Page 270

    Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keep-alives, which periodically send ping packets to the host on the peer side of the network to keep the tun[...]

  • Page 271

    Figure 155. b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active. Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP W [...]

  • Page 272

    Use the VPN Wizard to Configure the Gateway for a Client Tunnel To set up a client-to-gateway VPN tunnel using the VPN Wizard: 1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays (see the fol[...]

  • Page 273

    To display the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see Figure 153 on page 268), showing the wizard default values. The[...]

  • Page 274

    3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled. This VPN tunnel will use following local WAN Inte[...]

  • Page 275

    Figure 158. Note: When you are using FQDNs and a Dynamic DNS (DDNS) service, if the DDNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel fails because the FQDNs do not resolve to yo[...]

  • Page 276

    Use the NETGEAR VPN Client Wizard to Create a Secure Connection The VPN client lets you set up the VPN connection manually (see Manually Create a Secure Connection Using the NETGEAR VPN Client on page 280) or with the int[...]

  • Page 277

    Figure 160. 3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays. Figure 161. 4. Specify the following VPN tunnel parameters: • IP or DNS[...]

  • Page 278

    Figure 162. 6. This screen is a summary screen of the new VPN configuration. Click Finish. 7. Specify the local and remote IDs: a. In the tree list pane of the Configuration Panel screen, click Gateway (the default nam[...]

  • Page 279

    c. Specify the settings that are explained in the following table. 8. Configure the global parameters: a. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays i[...]

  • Page 280

    Figure 164. b. Specify the default lifetimes in seconds: • Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the UTM. • En[...]

  • Page 281

    Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: 1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel [...]

  • Page 282

    Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name. The Authent[...]

  • Page 283

    5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication pane. The Advanced pane displays. Figure 168. 7. Specify the setti[...]

  • Page 284

    8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Create the IPSec Configuration (Phase 2 Settings) Note: On the UTM, the IPSec configuration (phase 2 settings) is r[...]

  • Page 285

    Figure 169. 3. Specify the settings that are explained in the following table. Table 69. VPN client IPSec configuration settings Setting Description VPN Client address Either enter 0.0.0.0 as the IP address, or enter a vi[...]

  • Page 286

    4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Global Parameters To specify the global parameters: 1. Click Global Parameters in the left colum[...]

  • Page 287

    Test the Connection and View Connection and Status Information • Test the NETGEAR VPN Client Connection • NETGEAR VPN Client Status and Log Information • View the UTM IPSec VPN Connection Status • View the UTM I[...]

  • Page 288

    Perform one of the following tasks: - Double-click Gateway-Tunnel. - Right-click Gateway-Tunnel, and select Open tunnel. - Click Gateway-Tunnel, and press Ctrl+O. Figure 172. • Use the system-tray icon. Right-cl[...]

  • Page 289

    NETGEAR VPN Client Status and Log Information To view detailed negotiation and error information about the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Co[...]

  • Page 290

    The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in th[...]

  • Page 291

    Figure 178. Manage IPSec VPN and IKE Policies • Manage IKE Policies • Manage VPN Policies After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tabl[...]

  • Page 292

    Manage IKE Policies The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN gateways and provides automatic management of the keys that are used for IPSec connections. It is important to remem[...]

  • Page 293

    Figure 179. Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 72 on page 296. Table 71. List of IKE Policies table information Setting Descript[...]

  • Page 294

    To delete one or more IKE policies: 1. Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all IKE policies. 2. Click the Delete table button. For infor[...]

  • Page 295

    Figure 180.[...]

  • Page 296

    3. Complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained in the following table: Table 72. Add IKE Policy screen settings Setting Description Mode Config Record Do yo[...]

  • Page 297

    Identifier Type From the drop-down list, select one of the following ISAKMP identifiers to be used by the UTM, and then specify the identifier in the Identifier field: • Local WAN IP. The WAN IP address of the UTM[...]

  • Page 298

    Authentication Method Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the UTM and the remote endpoint. • RSA-Signature. Uses the activ[...]

  • Page 299

    4. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. To edit an IKE policy: 1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in [...]

  • Page 300

    Manage VPN Policies You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available. • Manual. You manually enter all settings (including the keys) for [...]

  • Page 301

    Figure 181. Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 74 on page 304. Table 73. List of VPN Policies table information Setting Descrip[...]

  • Page 302

    To delete one or more VPN policies: 1. Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all VPN policies. 2. Click the Delete table button. To [...]

  • Page 303

    Figure 182.[...]

  • Page 304

    3. Complete the fields, select the radio buttons and check boxes, and make your selections from the drop-down lists as explained in the following table: Table 74. Add New VPN Policy screen settings Setting Description Gen[...]

  • Page 305

    Enable Keepalive Note: See also Configure Keep-Alives and Dead Peer Detection on page 328. Select a radio button to specify if keep-alive is enabled: • Yes. This feature is enabled: Periodically, the UTM sends keep-al[...]

  • Page 306

    Encryption Algorithm From the drop-down list, select one of the following five algorithms to negotiate the security association (SA): • DES. Data Encryption Standard (DES). • 3DES. Triple DES. This is the default al[...]

  • Page 307

    4. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table. Auto Policy Parameters Note: These fields apply only when you select Auto Policy as the policy type. SA Lifetime The lifetime [...]

  • Page 308

    To edit a VPN policy: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 181 on page 301). 2. In the List of VPN Policies table, click the Edit table button to the right of t[...]

  • Page 309

    Configure XAUTH for VPN Clients Once the XAUTH has been enabled, you need to establish user accounts in the user database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or RADIUS-PAP server. Note: [...]

  • Page 310

    User Database Configuration When XAUTH is enabled in an Edge Device configuration, users need to be authenticated either by a local user database account or by an external RADIUS server. Whether or not you use a RADIUS ser[...]

  • Page 311

    2. Complete the fields and select the radio buttons as explained in the following table: 3. Click Apply to save your settings. Note: You can select the RADIUS authentication protocol (PAP or CHAP) on the Edit IKE Policy sc[...]

  • Page 312

    Assign IP Addresses to Remote Users (Mode Config) • Mode Config Operation • Configure Mode Config Operation on the UTM • Configure the ProSafe VPN Client for Mode Config Operation • Test the Mode Config Connectio[...]

  • Page 313

    To configure Mode Config on the UTM: 1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays: Figure 184. As an example, the screen shows two Mode Config records with the names EMEA Sales and NA[...]

  • Page 314

    Figure 185. 3. Complete the fields, select the check box, and make your selections from the drop-down lists as explained in the following table: Table 77. Add Mode Config Record screen settings Setting Description Client P[...]

  • Page 315

    4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy. 5. Select VPN > IPSec VPN[...]

  • Page 316

    6. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays. (The following figure shows the upper part only of a multiple WAN port model screen.) The WAN drop-down list (next to[...]

  • Page 317

    Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 72 on page 296 explains the general IKE policy settings. Table 78. IKE policy setting[...]

  • Page 318

    IKE SA Parameters Note: Generally, the default settings work well for a Mode Config configuration. Encryption Algorithm To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm. Auth[...]

  • Page 319

    8. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. Configure the ProSafe VPN Client for Mode Config Operation When the Mode Config feature is enabled, the following information [...]

  • Page 320

    Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated [...]

  • Page 321

    Figure 188. 3. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list p[...]

  • Page 322

    4. Specify the settings that are explained in the following table. 5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication [...]

  • Page 323

    7. Specify the settings that are explained in the following table. 8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Create the Mode Config IPSec Configuration (Phase [...]

  • Page 324

    Note: This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name. The IPSe[...]

  • Page 325

    4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Mode Config Global Parameters To specify the global parameters: 1. Click Global Parameters in the le[...]

  • Page 326

    2. Specify the following default lifetimes in seconds to match the configuration on the UTM: • Authentication (IKE), Default. Enter 3600 seconds. • Encryption (IPSec), Default. Enter 3600 seconds. [...]

  • Page 327

    Figure 195. 3. From the client computer, ping a computer on the UTM LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure that it is not used in an IKE policy. To[...]

  • Page 328

    Configure Keep-Alives and Dead Peer Detection • Configure Keep-Alives • Configure Dead Peer Detection In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-[...]

  • Page 329

    3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. Configure Dead Peer Detection The Dead Peer Detection (DPD) feature lets the UTM maintain the IKE SA by exchanging periodic[...]

  • Page 330

    3. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the fields as explained in the following table: 4. Click Apply to save your settings. Configure NetBIOS Bridging with IPSec VPN Windows ne[...]

  • Page 331

    Figure 198. 3. Select the Enable NetBIOS check box. 4. Click Apply to save your settings. Configure the PPTP Server As an alternate solution to IPSec VPN and L2TP tunnels, you can configure a Point-to-Point Tunnel Protoco [...]

  • Page 332

    To enable the PPTP server and configure the PPTP server pool, authentication, and encryption: 1. Select VPN > PPTP Server. The PPTP Server screen displays: Figure 199. 2. Enter the settings as explained in the fol[...]

  • Page 333

    3. Click Apply to save your settings. View the Active PPTP Users To view the active PPTP tunnel users: Select Monitoring > Active Users & VPNs > PPTP Active Users. The PPTP Active Users screen displays: Figure[...]

  • Page 334

    The List of PPTP Active Users table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds. To change the poll interval period, enter a new val[...]

  • Page 335

    Virtual Private Networking Using IPSec, PPTP, or L2TP Connections 335 ProSecure Unified Threat Management (UTM) Appliance Figure 201. 2. Enter the settings as explained in the following table: 3. Click Apply to save your settings. Table 86. L2TP Server screen settings Setting Description L2TP Server Enable L2TP Server To enable the L2TP[...]

  • Page 336

    Virtual Private Networking Using IPSec, PPTP, or L2TP Connections 336 ProSecure Unified Threat Management (UTM) Appliance View the Active L2TP Users To view the active L2TP tunnel users: Select Monitoring > Active Users & VPNs > L2TP Active Users. The L2TP Active Users screen displays: Figure 202. The List of L2TP Active Users [...]

  • Page 337

    337 8 8. Virtual Private Networking Using SSL Connections The UTM provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to corporate or commercial resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer ([...]

  • Page 338

    Virtual Private Networking Using SSL Connections 338 ProSecure Unified Threat Management (UTM) Appliance • SSL port forwarding. Like an SSL VPN tunnel, port forwarding is a web-based client that is installed transparently and then creates a virtual, encrypted tunnel to the remote network. However, port forwarding differs from an SSL VPN tun[...]

  • Page 339

    Virtual Private Networking Using SSL Connections 339 ProSecure Unified Threat Management (UTM) Appliance 2. Select the SSL VPN Wizard radio button. 3. Click Next. The first SSL VPN Wizard screen displays. The following sections explain the five configuration screens of the SSL VPN Wizard. On the sixth screen, you can save your SSL VPN policy [...]

  • Page 340

    Virtual Private Networking Using SSL Connections 340 ProSecure Unified Threat Management (UTM) Appliance WARNING: Do not enter an existing portal layout name in the Portal Layout Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings (although the UTM does not reboot in this situation). If you leave the Port [...]

  • Page 341

    Virtual Private Networking Using SSL Connections 341 ProSecure Unified Threat Management (UTM) Appliance After you have completed the steps in the SSL VPN Wizard, you can change the portal settings by selecting VPN > SSL VPN > Portal Layout. For more information about portal settings, see Manually Create or Modify the Portal Layout on [...]

  • Page 342

    Virtual Private Networking Using SSL Connections 342 ProSecure Unified Threat Management (UTM) Appliance SSL VPN Wizard Step 2 of 6 (Domain Settings) Figure 205. Enter the settings as explained in the following table, and then click Next to go to the following screen. Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the de[...]

  • Page 343

    Virtual Private Networking Using SSL Connections 343 ProSecure Unified Threat Management (UTM) Appliance WARNING: Do not enter an existing domain name in the Domain Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings and the UTM reboots to recover its configuration. Table 89. SSL VPN Wizard Step 2 of 6 scre[...]

  • Page 344

    Virtual Private Networking Using SSL Connections 344 ProSecure Unified Threat Management (UTM) Appliance Authentication Type (continued) • WIKID-CHAP. WiKID Systems CHAP. Complete the following fields: - Authentication Server - Authentication Secret - Radius Port - Repeat - Timeout • MIAS-PAP. Microsoft Internet Authentication Service [...]

  • Page 345

    Virtual Private Networking Using SSL Connections 345 ProSecure Unified Threat Management (UTM) Appliance Portal The portal that you selected on the first SSL VPN Wizard screen. You cannot change the portal on this screen; the portal is displayed for information only. Authentication Server All authentication types except the Local User Databas[...]

  • Page 346

    Virtual Private Networking Using SSL Connections 346 ProSecure Unified Threat Management (UTM) Appliance After you have completed the steps in the SSL VPN Wizard, you can change the domain settings by selecting Users > Domains. For more information about domain settings, see Configure Domains on page 388. Search Base LDAP and Active Direct[...]

  • Page 347

    Virtual Private Networking Using SSL Connections 347 ProSecure Unified Threat Management (UTM) Appliance SSL VPN Wizard Step 3 of 6 (User Settings) Figure 206. Note that the previous figure contains an example. Enter the settings as explained in the following table, and then click Next to go to the following screen. WARNING: Do not enter an exist[...]

  • Page 348

    Virtual Private Networking Using SSL Connections 348 ProSecure Unified Threat Management (UTM) Appliance After you have completed the steps in the SSL VPN Wizard, you can change the user settings or add more users for this portal by selecting Users > Users. For more information about user settings, see Configure User Accounts on page 40[...]

  • Page 349

    Virtual Private Networking Using SSL Connections 349 ProSecure Unified Threat Management (UTM) Appliance WARNING: Do not enter an existing route for a VPN tunnel client in the Destination Network and Subnet Mask fields; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings and the UTM reboots to recover its configuration. [...]

  • Page 350

    Virtual Private Networking Using SSL Connections 350 ProSecure Unified Threat Management (UTM) Appliance SSL VPN Wizard Step 5 of 6 (Port Forwarding) Note: This screen displays only if you have selected the Port Forwarding check box on the SSL VPN Wizard Step 1 of 6 screen (see Figure 204 on page 339). Figure 208. Note that the previous figu[...]

  • Page 351

    Virtual Private Networking Using SSL Connections 351 ProSecure Unified Threat Management (UTM) Appliance After you have completed the steps in the SSL VPN Wizard, you can change the client IP address range and routes by selecting VPN > SSL VPN > Port Forwarding. For more information about port-forwarding settings, see Configure Applicati[...]

  • Page 352

    Virtual Private Networking Using SSL Connections 352 ProSecure Unified Threat Management (UTM) Appliance Figure 209.[...]

  • Page 353

    Virtual Private Networking Using SSL Connections 353 ProSecure Unified Threat Management (UTM) Appliance Click Apply to save your settings. If the settings are accepted by the UTM, a message Operation Succeeded displays at the top of the screen, and the Welcome to the Netgear Configuration Wizard screen displays again (see Figure 203 on page[...]

  • Page 354

    Virtual Private Networking Using SSL Connections 354 ProSecure Unified Threat Management (UTM) Appliance Figure 211. 3. To verify access, enter the user name and password that you created with the SSL VPN Wizard. Note: Any user for whom you have set up a user account that is linked to the domain for the portal and who has knowledge of the porta[...]

  • Page 355

    Virtual Private Networking Using SSL Connections 355 ProSecure Unified Threat Management (UTM) Appliance Figure 212. Figure 213. A portal screen displays a simple menu that provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity. • Port Forwarding. Provides access to the network services [...]

  • Page 356

    Virtual Private Networking Using SSL Connections 356 ProSecure Unified Threat Management (UTM) Appliance Note: The first time that a user attempts to connect through the VPN tunnel, the NETGEAR SSL VPN tunnel adapter is installed; the first time that a user attempts to connect through the port-forwarding tunnel, the NETGEAR port-forwarding engi[...]

  • Page 357

    Virtual Private Networking Using SSL Connections 357 ProSecure Unified Threat Management (UTM) Appliance View the UTM SSL VPN Log To query the SSL VPN log: 1. Select Monitoring > Logs & Reports > Logs Query. The Logs Query screen displays. 2. From the Log Type drop-down, select SSL VPN. The SSL VPN logs display. Figure 215. M[...]

  • Page 358

    Virtual Private Networking Using SSL Connections 358 ProSecure Unified Threat Management (UTM) Appliance 2. Create authentication domains, user groups, and user accounts (see Configure Domains, Groups, and Users on page 362) a. Create one or more authentication domains for authentication of SSL VPN users. When remote users log in to the UTM, th[...]

  • Page 359

    Virtual Private Networking Using SSL Connections 359 ProSecure Unified Threat Management (UTM) Appliance Manually Create or Modify the Portal Layout The Portal Layouts screen that you can access from the SSL VPN configuration menu allows you to create a custom page that remote users see when they log in to the portal. Because the page is cust[...]

  • Page 360

    Virtual Private Networking Using SSL Connections 360 ProSecure Unified Threat Management (UTM) Appliance The List of Layouts table displays the following fields: • Layout Name. The descriptive name of the portal. • Description. The banner message that is displayed at the top of the portal (see Figure 211 on page 354). • Use Count. T[...]

  • Page 361

    Virtual Private Networking Using SSL Connections 361 ProSecure Unified Threat Management (UTM) Appliance 3. Complete the fields and select the check boxes as explained in the following table: Table 93. Add Portal Layout screen settings Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. [...]

  • Page 362

    Virtual Private Networking Using SSL Connections 362 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The new portal layout is added to the List of Layouts table. For information about how to display the new portal layout, see Access the New SSL VPN Portal on page 353. To edit a portal layout: 1. On[...]

  • Page 363

    Virtual Private Networking Using SSL Connections 363 ProSecure Unified Threat Management (UTM) Appliance Configure Applications for Port Forwarding Port forwarding provides access to specific defined network services. To define these services, you need to specify the internal server addresses and port numbers for TCP applications that are inter[...]

  • Page 364

    Virtual Private Networking Using SSL Connections 364 ProSecure Unified Threat Management (UTM) Appliance 3. Click the Add table button. The new application entry is added to the List of Configured Applications for Port Forwarding table. Remote users can now securely access network applications once they have logged in to the SSL VPN portal and la[...]

  • Page 365

    Virtual Private Networking Using SSL Connections 365 ProSecure Unified Threat Management (UTM) Appliance 2. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields: • Local Server IP Address. The IP address of an internal server or host computer that you want to name. • Fully Qualifie[...]

  • Page 366

    Virtual Private Networking Using SSL Connections 366 ProSecure Unified Threat Management (UTM) Appliance Configure the Client IP Address Range First determine the address range to be assigned to VPN tunnel clients, and then define the address range. To define the client IP address range: 1. Select VPN > SSL VPN > SSL VPN Client. The[...]

  • Page 367

    Virtual Private Networking Using SSL Connections 367 ProSecure Unified Threat Management (UTM) Appliance 3. Click Apply to save your settings. VPN tunnel clients are now able to connect to the UTM and receive a virtual IP address in the client address range. Add Routes for VPN Tunnel Clients The VPN tunnel clients assume that the following netwo[...]

  • Page 368

    Virtual Private Networking Using SSL Connections 368 ProSecure Unified Threat Management (UTM) Appliance To change the specifications of an existing route and to delete an old route: 1. Add a new route to the Configured Client Routes table. 2. In the Configured Client Routes table, to the right of the route that is out-of-date, click the D[...]

  • Page 369

    Virtual Private Networking Using SSL Connections 369 ProSecure Unified Threat Management (UTM) Appliance Use Network Resource Objects to Simplify Policies Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. You do not need to[...]

  • Page 370

    Virtual Private Networking Using SSL Connections 370 ProSecure Unified Threat Management (UTM) Appliance To delete one or more network resources: 1. Select the check box to the left of each network resource that you want to delete, or click the Select All table button to select all network resources. 2. Click the Delete table button. Edit [...]

  • Page 371

    Virtual Private Networking Using SSL Connections 371 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The new configuration is added to the Defined Resource Addresses table. To delete a configuration from the Defined Resource Addresses table, click the Delete table button to the right of the configuration [...]

  • Page 372

    Virtual Private Networking Using SSL Connections 372 ProSecure Unified Threat Management (UTM) Appliance For example, assume the following global policy configuration: • Policy 1. A Deny rule has been configured to block all services to the IP address range 10.0.0.0–10.0.0.255. • Policy 2. A Deny rule has been configured to block FTP acce[...]

  • Page 373

    Virtual Private Networking Using SSL Connections 373 ProSecure Unified Threat Management (UTM) Appliance View Policies To view the existing policies: 1. Select VPN > SSL VPN. The SSL VPN submenu tabs display, with the Policies screen in view. (The following figure shows some examples.) Figure 223. 2. Make your selection from the follow[...]

  • Page 374

    Virtual Private Networking Using SSL Connections 374 ProSecure Unified Threat Management (UTM) Appliance Figure 224. 3. Select the radio buttons, complete the fields, and make your selection from the drop-down lists as explained in the following table: Table 97. Add SSL VPN Policy screen settings Setting Description Policy For Select one of [...]

  • Page 375

    Virtual Private Networking Using SSL Connections 375 ProSecure Unified Threat Management (UTM) Appliance Apply Policy For (continued) Network Resource Policy Name A descriptive name of the SSL VPN policy for identification and management purposes. Defined Resources From the drop-down list, select a network resource that you have defined on the[...]

  • Page 376

    Virtual Private Networking Using SSL Connections 376 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately. Note: If you have configured SSL VPN user policies, ensure that HTTPS remo[...]

  • Page 377

    Virtual Private Networking Using SSL Connections 377 ProSecure Unified Threat Management (UTM) Appliance To delete one or more SSL VPN policies: 1. On the Policies screen (see Figure 223 on page 373), select the check box to the left of each SSL VPN policy that you want to delete, or click the Select All table button to select all policies. [...]

  • Page 378

    378 9 9. Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections: • Authentication Process and Options • Configure Authentication Domains, Groups, and Users • Manage Digital Ce[...]

  • Page 379

    Manage Users, Authentication, and VPN Certificates 379 ProSecure Unified Threat Management (UTM) Appliance The UTM supports security policies that are based on an Active Directory with single sign-on (SSO) through the use of the DC agent and additional Lightweight Directory Access Protocol (LDAP) configuration options (see Configure Authentic[...]

  • Page 380

    Manage Users, Authentication, and VPN Certificates 380 ProSecure Unified Threat Management (UTM) Appliance Configure Authentication Domains, Groups, and Users • Login Portals • Active Directories and LDAP Configurations • Configure Domains • Configure Groups • Configure Custom Groups • Configure User Accounts • Set User Login Polic[...]

  • Page 381

    Manage Users, Authentication, and VPN Certificates 381 ProSecure Unified Threat Management (UTM) Appliance Figure 225. Users with Special Access Privileges Users who have a computer behind the UTM and who are assigned access policies that differ from the UTM’s default email and web access policies (see Set Exception Rules for Web and Applic[...]

  • Page 382

    Manage Users, Authentication, and VPN Certificates 382 ProSecure Unified Threat Management (UTM) Appliance Figure 226. The User Portal Login screen displays three links: • Download CA certificate. The first time that a user remotely connects to a UTM with a browser through an SSL connection, he or she might get a warning message about the SSL[...]

  • Page 383

    Manage Users, Authentication, and VPN Certificates 383 ProSecure Unified Threat Management (UTM) Appliance Figure 227. If you do not use the DC agent in your configuration (see DC Agent on page 409), after completing a session, a user needs to log out manually by following these steps: 1. Return to the User Portal Login screen (see Figure 226 [...]

  • Page 384

    Manage Users, Authentication, and VPN Certificates 384 ProSecure Unified Threat Management (UTM) Appliance For information about how to configure and modify accounts for users with special access privileges, see the following sections: • Configure User Accounts • Set User Login Policies • Change Passwords and Other User Settings Unauthen[...]

  • Page 385

    Manage Users, Authentication, and VPN Certificates 385 ProSecure Unified Threat Management (UTM) Appliance • An OU is created in the root node (for example, dc=companyname, dc=com) of the hierarchy. In a company AD, an OU often represents a regional office or department. • A group is created under cn=users. • A user is created under ea[...]

  • Page 386

    Manage Users, Authentication, and VPN Certificates 386 ProSecure Unified Threat Management (UTM) Appliance Figure 228. 4. To verify Jamie Hanson’s user login name, click the Account tab. The account properties for Jamie Hanson display. Figure 229. 5. Log in to the UTM.[...]

  • Page 387

    Manage Users, Authentication, and VPN Certificates 387 ProSecure Unified Threat Management (UTM) Appliance 6. Select Users > Domains. 7. Click Add. The Add Domain screen displays. 8. Enter testAD.com in the Domain Name field. 9. From the Authentication Type drop-down list, select Active Directory. 10. Select a previously configured portal[...]

  • Page 388

    Manage Users, Authentication, and VPN Certificates 388 ProSecure Unified Threat Management (UTM) Appliance Figure 231. 14. Complete the remaining fields and drop-down list as needed. 15. Click Apply to save your settings. Configure Domains The domain determines the authentication method to be used for associated users. For SSL connections, the [...]

  • Page 389

    Manage Users, Authentication, and VPN Certificates 389 ProSecure Unified Threat Management (UTM) Appliance The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The default domain name (geardomain) is appended by an asteri[...]

  • Page 390

    Manage Users, Authentication, and VPN Certificates 390 ProSecure Unified Threat Management (UTM) Appliance 3. Enter the settings as explained in the following table: Table 99. Add Domain screen settings Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Authentication Type[...]

  • Page 391

    Manage Users, Authentication, and VPN Certificates 391 ProSecure Unified Threat Management (UTM) Appliance Authentication Type (continued) Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client and Server Configuration on page 310). • MIAS-PAP. Microsoft Internet[...]

  • Page 392

    Manage Users, Authentication, and VPN Certificates 392 ProSecure Unified Threat Management (UTM) Appliance Authentication Secret All RADIUS, WiKID, and MIAS authentication types The authentication secret or password that is required to access the authentication server for RADIUS, WiKID, or MIAS authentication. Workgroup NT Domain only The workgr[...]

  • Page 393

    Manage Users, Authentication, and VPN Certificates 393 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The domain is added to the List of Domains table. 5. If you use local authentication, make sure that it is not disabled: in the Local Authentication section of the Domain screen (see Figure 232 on page [...]

  • Page 394

    Manage Users, Authentication, and VPN Certificates 394 ProSecure Unified Threat Management (UTM) Appliance To delete one or more domains: 1. In the List of Domains table, select the check box to the left of each domain that you want to delete, or click the Select All table button to select all domains. You cannot delete a default domain. 2[...]

  • Page 395

    Manage Users, Authentication, and VPN Certificates 395 ProSecure Unified Threat Management (UTM) Appliance Create and Delete Groups To create a VPN group: 1. Select Users > Groups. The Groups screen displays. (The following figure shows the UTM’s default group—geardomain—and, as an example, several other groups in the List of Gr[...]

  • Page 396

    Manage Users, Authentication, and VPN Certificates 396 ProSecure Unified Threat Management (UTM) Appliance 2. In the Add New Group section of the screen, enter the settings as explained in the following table: 3. Click the Add table button. The new group is added to the List of Groups table. To delete one or more groups: 1. In the List [...]

  • Page 397

    Manage Users, Authentication, and VPN Certificates 397 ProSecure Unified Threat Management (UTM) Appliance Figure 235. Except for groups that are associated with domains that use the LDAP authentication method, you can modify only the idle time-out settings. You can never modify the Group Name and Group’s Auth Type fields. 3. Modify the id[...]

  • Page 398

    Manage Users, Authentication, and VPN Certificates 398 ProSecure Unified Threat Management (UTM) Appliance Figure 236. 2. Under the Custom Groups table, click the Add table button to specify a custom group. The Add Custom Group screen displays: Figure 237.[...]

  • Page 399

    Manage Users, Authentication, and VPN Certificates 399 ProSecure Unified Threat Management (UTM) Appliance 3. Complete the fields and make your selections from the drop-down lists as explained in the following table: Table 101. Add Custom Group screen settings Setting Description Name A name of the custom group for identification and management[...]

  • Page 400

    Manage Users, Authentication, and VPN Certificates 400 ProSecure Unified Threat Management (UTM) Appliance 4. After you have specified all members of the custom group, click Apply to save your settings. The new custom group is added to the Custom Groups table. To return to the Custom Groups screen without adding the group, click Cancel. T[...]

  • Page 401

    Manage Users, Authentication, and VPN Certificates 401 ProSecure Unified Threat Management (UTM) Appliance Configure User Accounts The UTM supports both unauthenticated and authenticated users: • Unauthenticated users. Anonymous users who do not log in to the UTM and to which the UTM’s default email and web access policies apply. • Au[...]

  • Page 402

    Manage Users, Authentication, and VPN Certificates 402 ProSecure Unified Threat Management (UTM) Appliance Figure 238. The List of Users table displays the users and has the following fields: • Check box. Allows you to select the user in the table. • Name. The name of the user. If the user name is appended by an asterisk, the user is a [...]

  • Page 403

    Manage Users, Authentication, and VPN Certificates 403 ProSecure Unified Threat Management (UTM) Appliance 3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. The user is added to the List of Users table. To delete one or more user accounts: 1. In the List of Users table, select the check box [...]

  • Page 404

    Manage Users, Authentication, and VPN Certificates 404 ProSecure Unified Threat Management (UTM) Appliance Set User Login Policies You can restrict the ability of defined users to log in to the UTM’s web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers. Note: User logon[...]

  • Page 405

    Manage Users, Authentication, and VPN Certificates 405 ProSecure Unified Threat Management (UTM) Appliance Configure Login Restrictions Based on IP Address To restrict logging in based on IP address: 1. Select Users > Users. The Users screen displays (see Figure 238 on page 402). 2. In the Action column of the List of Users table, cli[...]

  • Page 406

    Manage Users, Authentication, and VPN Certificates 406 ProSecure Unified Threat Management (UTM) Appliance 6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table: 7. Click the Add table button. The address is added to the Defined Addresses ta[...]

  • Page 407

    Manage Users, Authentication, and VPN Certificates 407 ProSecure Unified Threat Management (UTM) Appliance Figure 242. 4. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table. • Allow Login only fr[...]

  • Page 408

    Manage Users, Authentication, and VPN Certificates 408 ProSecure Unified Threat Management (UTM) Appliance Change Passwords and Other User Settings For any user, you can change the password, user type, and idle time-out settings. Only administrators have read/write access. All other users have read-only access. Note: The default administrator[...]

  • Page 409

    Manage Users, Authentication, and VPN Certificates 409 ProSecure Unified Threat Management (UTM) Appliance 3. Modify the settings as explained in the following table: 4. Click Apply to save your settings. DC Agent If you set up an open network, you would want to allow unauthenticated users to surf anonymously. For a secure network, you would u[...]

  • Page 410

    Manage Users, Authentication, and VPN Certificates 410 ProSecure Unified Threat Management (UTM) Appliance Note: The DC agent does not function with LDAP domain users. The DC agent monitors all Windows login events (that is, all AD domain user authentications) on the DC server, and provides a mapping of Windows user names and IP addresses to th[...]

  • Page 411

    Manage Users, Authentication, and VPN Certificates 411 ProSecure Unified Threat Management (UTM) Appliance To download ProSecure DC Agent software and add a DC agent: 1. Select Users > DC Agent. The DC Agent screen displays: Figure 244. 2. Under the List of DC Agents table, click the Download/Install link to download the ProSecure DC[...]

  • Page 412

    Manage Users, Authentication, and VPN Certificates 412 ProSecure Unified Threat Management (UTM) Appliance 4. On the DC Agent screen (see Figure 244 on page 411), complete the fields and make your selections from the drop-down lists as explained in the following table: 5. To add the newly configured DC agent to the List of DC Agent(s) table, cl[...]

  • Page 413

    Manage Users, Authentication, and VPN Certificates 413 ProSecure Unified Threat Management (UTM) Appliance b. Click the Add table button to add a domain. The Add Domain screen displays: Figure 246. c. Enter the following settings: • In the Domain Name field, enter Test_Domain. • From the Authentication Type drop-down list, select Active Di[...]

  • Page 414

    Manage Users, Authentication, and VPN Certificates 414 ProSecure Unified Threat Management (UTM) Appliance 2. Add a DC agent on the UTM50: a. Select Users > DC Agent. The DC Agent screen displays: Figure 247. b. In the Domain field, enter Test_Domain. c. In the Action column, click Add. 3. Add the IP address of the UTM50 on the ProSecure [...]

  • Page 415

    Manage Users, Authentication, and VPN Certificates 415 ProSecure Unified Threat Management (UTM) Appliance Configure RADIUS VLANs You can use a RADIUS virtual LAN (VLAN) to set web access exceptions and provide an added layer of security. To do so, follow this procedure: 1. Specify a RADIUS server (see RADIUS Client and Server Configurat[...]

  • Page 416

    Manage Users, Authentication, and VPN Certificates 416 ProSecure Unified Threat Management (UTM) Appliance 3. Click the Add table button. The new VLAN is added to the List of VLAN table. To delete a user from the List of VLAN table, click the Delete table button in the Action column for the VLAN that you want to delete. Configure Global User S[...]

  • Page 417

    Manage Users, Authentication, and VPN Certificates 417 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save the session settings. 5. Locate the Users Portal Login Settings section on screen. Specify the default domain settings: • From the Default Domain drop-down list, select a domain that you previously configured on t[...]

  • Page 418

    Manage Users, Authentication, and VPN Certificates 418 ProSecure Unified Threat Management (UTM) Appliance To view all or selected users: 1. On the Active Users screen (see the previous figure), select one of the following radio buttons: • View All. This selection returns all active users after you click the Search button. • Search [...]

  • Page 419

    Manage Users, Authentication, and VPN Certificates 419 ProSecure Unified Threat Management (UTM) Appliance The List of Users table displays the following fields: • IP Address. The IP address that is associated with the user. • Domain. The domain to which the user belongs. • User. The user name. • Groups. The groups to which the[...]

  • Page 420

    Manage Users, Authentication, and VPN Certificates 420 ProSecure Unified Threat Management (UTM) Appliance On the UTM, the uploaded digital certificate is checked for validity and purpose. The digital certificate is accepted when it passes the validity test and the purpose matches its use. The check for the purpose needs to correspond to its [...]

  • Page 421

    Manage Users, Authentication, and VPN Certificates 421 ProSecure Unified Threat Management (UTM) Appliance • Active Self Certificates table. Contains the self-signed certificates that were issued by CAs and that you uploaded (see Manage Self-Signed Certificates on page 422). • Self Certificate Requests table. Contains the self-signed[...]

  • Page 422

    To upload a digital certificate of a trusted CA on the UTM: 1. Download a digital certificate file from a trusted CA and store it on your computer. 2. In the Upload Trusted Certificates section of the screen, click the Browse button [...]

  • Page 423

    Generate a CSR and Obtain a Self-Signed Certificate from a CA To use a self-signed certificate, you first need to request the certificate from a CA, and then download and activate the certificate on the UTM. To request a self-signed cert[...]

  • Page 424

    2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table: 3. Click the Generate table button. A new SCR is created and added to the Self Certificate Requests table. 4. In the [...]

  • Page 425

    Figure 256. 5. Copy the contents of the Data to supply to CA text field into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----.” 6. Submit your SCR [...]

  • Page 426

    To delete one or more SCRs: 1. In the Self Certificate Requests table, select the check box to the left of each SCR that you want to delete, or click the Select All table button to select all SCRs. 2. Click the Delete table button. Vie[...]

  • Page 427

    The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates: • CA Identity. The official name of the CA that issued the CRL. • Last Update. The date when the CRL was released. • Next Updat[...]

  • Page 428

    10. Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the UTM. This chapter contains the following sections: • Performance Management • System Management • Connect to a ReadyNAS and Configure Quarantine Settings P [...]

  • Page 429

    Network and System Management 429 ProSecure Unified Threat Management (UTM) Appliance - Auto-rollover mode (multiple WAN port models only). 1000 Mbps (one active WAN port at 1000 Mbps). - Primary WAN mode (single WAN port models and multiple WAN port models). 1000 Mbps (one active WAN port at 1000 Mbps). In practice, the WAN-side bandwidth[...]

  • Page 430

    The following section summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 129. For detailed procedures on how to configure out[...]

  • Page 431

    • QoS profile. You can define QoS profiles and then apply them to outbound rules to regulate the priority of traffic. For information about how to define QoS profiles, see Create Quality of Service Profiles on page 169. • Traffic Meter profile. You c[...]

  • Page 432

    - Web services blocking. You can block web services such as instant messaging, peer-to-peer and media applications, and tools. For more information, see Customize Web Protocol Scan Settings on page 210. - Web object blocking. You can block the following w[...]

  • Page 433

    Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always • ALLOW always The following section summarizes the various criteria that you can apply to inbound rules and that might increase traffic. For more informa[...]

  • Page 434

    • Users allowed. You can specify that the rule applies to individual users in the network, groups in the network, or both. To configure user accounts, see Configure User Accounts on page 401. To configure groups, see Configure Groups on page 394 and Co[...]

  • Page 435

    Configure Exposed Hosts Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. For an example of how to set up an exposed host, see LAN WAN or DMZ WAN Inbo[...]

  • Page 436

    Monitoring Tools for Traffic Management The UTM includes several tools that can be used to monitor the traffic conditions of the firewall and content-filtering engine and to monitor the users’ access to the Internet and the types of traffic that they are a[...]

  • Page 437

    2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit User screen displays: Figure 259. 3. Select the Check to Edit Password check box. The password fields become available. 4. Enter the old pas[...]

  • Page 438

    Note: For enhanced security, restrict access to as few external IP addresses as practical. • Deny or allow login access from specific browsers. By default, the administrator can log in from any browser. In general, these policy settings work well for an ad[...]

  • Page 439

    2. Select one of the following radio buttons: • Yes. Enable HTTPS remote management. This is the default setting. • No. Disable HTTPS remote management. WARNING: If you are remotely connected to the UTM and you select the No radio button, you and all oth[...]

  • Page 440

    Note: If you are unable to connect remotely to the UTM after enabling HTTPS remote management, check if other user policies, such as the default user policy, are preventing access. For access to the UTM’s web management interface, check if administrative acc[...]

  • Page 441

    Figure 261.[...]

  • Page 442

    2. Enter the settings as explained in the following table: 3. Click Apply to save your settings. Table 108. Global SNMP settings and SNMPv1/v2c settings Setting Description SNMP Global Settings Do You Want to Enable SNMP? Select one of the following radio butt[...]

  • Page 443

    To configure the SNMPv3 settings: 1. Select Administration > SNMP. The SNMP screen displays (see Figure 261 on page 441). 2. In the SNMPv3 Settings section of the screen, click the Add table button to configure a new SNMPv3 user profile. The Add/Edit Use[...]

  • Page 444

    4. Click Apply to save your settings. The SNMPv3 user profile is added to the SNMPv3 Settings table on the SNMP screen. If the global SNMP settings are enabled, the SNMPv3 user profiles in the SNMPv3 Settings table are also enabled. Auth Algorithm Type From the [...]

  • Page 445

    The SNMPv3 Settings table shows the following columns: • User Name. The SNMPv3 user name. • Security Level. The level of security that indicates whether authentication and encryption are enabled: - NoAuth, NoPrivate. Both authentication and encryption ar[...]

  • Page 446

    Figure 263. Back Up Settings The backup feature saves all UTM settings to a file. These settings include: • Network settings. IP address, subnet mask, gateway, and so on. • Scan settings. Services to scan, primary and secondary actions, and so on. • U[...]

  • Page 447

    Restore Settings WARNING: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the UTM system software. To restore settings from a backup file: [...]

  • Page 448

    WARNING: When you press the hardware Factory Defaults reset button or click the software Default button, the UTM settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost. Back up your settings if you intend on usi[...]

  • Page 449

    Figure 264. Firmware screen, available versions The Firmware Reboot section shows the following information fields for both the active and secondary (that is, nonactive) firmware: • Type. Active or secondary firmware. • Version. The firmware version[...]

  • Page 450

    To upgrade the UTM’s firmware directly from an update server and reboot the UTM: 1. In the Firmware Download section of the Firmware screen, click Query to display the available firmware versions. 2. Select the radio button that corresponds to the firmwa[...]

  • Page 451

    The UTM reboots automatically. During the reboot process, the Firmware screen remains visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off and the Firmware screen disappears. WARNING: After you have st [...]

  • Page 452

    To upgrade the UTM’s firmware from a downloaded file and reboot the UTM: 1. In the Firmware Upload section of the Firmware screen, click Browse to locate and select the previously saved firmware upgrade file (for example, UTM50-Firmware-V3.3.0-17.pkg). No[...]

  • Page 453

    3. (Optional) To install the new firmware version and reboot the UTM with the new firmware version as the active firmware, select the Switch to new firmware automatically after installation check box. 4. Click Install Uploaded Firmware. (If you decide that yo[...]

  • Page 454

    Reboot without Changing the Firmware To reboot the UTM without changing the firmware: 1. In the Firmware Reboot section of the Firmware screen (see the previous figure), select the active firmware version by selecting the Activation radio button for the fi[...]

  • Page 455

    Figure 267. The Info section onscreen shows the following information fields for the scan engine firmware and pattern file: • Current Version. The version of the files. • Last Updated. The date of the most recent update. To update the scan engine firmwar[...]

  • Page 456

    Configure Automatic Update and Frequency Settings To configure the update settings and frequency settings for automatic downloading of the scan engine firmware and pattern file: 1. Locate the Update Settings, Frequency Settings, and HTTPS Proxy Settings [...]

  • Page 457

    To set time, date, and NTP servers: 1. Select Administration > System Date & Time. The System Date & Time screen displays: Figure 268. The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in [...]

  • Page 458

    3. Click Apply to save your settings. Note: If you select the default NTP servers or if you enter a custom server FQDN, the UTM determines the IP address of the NTP server by performing a DNS lookup. Before the UTM can perform this lookup, you need to configure[...]

  • Page 459

    Log Storage After you have integrated a ReadyNAS with the UTM—whether or not you have configured the quarantine settings—all logs that are normally stored on the UTM are now stored on the ReadyNAS. That is, all logs that you can specify on the Email and [...]

  • Page 460

    Figure 269. 2. To connect to the ReadyNAS, select the Yes radio button. 3. Enter the settings as explained in the following table: 1. Click Apply to save your settings. Note: For additional information about how to set up a UTM with a ReadyNAS, see Appendix [...]

  • Page 461

    Figure 270. 2. To enable the UTM to quarantine files, select the Yes radio button. 3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. Table 113. Quarantine settings Setting Description Allow anonymous users[...]

  • Page 462

    11. Monitor System Access and Performance This chapter describes the system-monitoring features of the UTM. You can be alerted to important events such as a WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, ac[...]

  • Page 463

    Monitor System Access and Performance 463 ProSecure Unified Threat Management (UTM) Appliance To monitor traffic limits on each of the WAN ports, and for the UTM9S and UTM25S, also on the xDSL (SLOT-1 or SLOT-2) and USB ports: 1. Select Network Config > WAN Metering. On the multiple WAN port models, the WAN Metering tabs display,[...]

  • Page 464

    Table 114. WAN traffic meter settings Setting Description Enable Traffic Meter Do you want to enable Traffic Metering on WAN1? (multiple WAN port models) or Do you want to enable Traffic Metering on WAN? (single WAN port models) Select one of th[...]

  • Page 465

    3. Click Apply to save your settings. 4. For the multiple WAN port models only, click the WAN2 Traffic Meter, WAN3 Traffic Meter (UTM150 only), or WAN4 Traffic Meter (UTM150 only) submenu tab to display the corresponding WAN Traffic Meter scree[...]

  • Page 466

    Configure Logging, Alerts, and Event Notifications • Configure the Email Notification Server • Configure and Activate System, Email, and Syslog Logs • How to Send Syslogs over a VPN Tunnel between Sites • Configure and Activate Update Failure [...]

  • Page 467

    Figure 273. 6. Enter the settings as explained in the following table: 7. Click Test to ensure that the connection to the server and email address succeeds. 8. Click Apply to save your settings. Configure and Activate System, Email, and Syslog Logs Y [...]

  • Page 468

    To configure and activate logs: 1. Select Monitoring > Logs & Reports. The Logs & Reports submenu tabs display, with the Email and Syslog screen in view: Figure 274.[...]

  • Page 469

    2. Enter the settings as explained in the following table: Table 116. Email and Syslog screen settings Setting Description System Logs Option Select the check boxes to specify which system events are logged: • Change of Time by NTP. Logs a messa[...]

  • Page 470

    Enable (continued) Select Logs to Send (continued) • Service Logs. All events that are related to the status of scanning and filtering services that you access from the Application Security main navigation menu. These events include update success me[...]

  • Page 471

    3. Click Apply to save your settings, or click Clear Log Information to clear the selected logs. How to Send Syslogs over a VPN Tunnel between Sites To send syslogs from one site to another over a gateway-to-gateway VPN tunnel: 1. At Site 1, se[...]

  • Page 472

    3. Click Apply to save the settings. To change the remote IP address in the VPN policy: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policy screen displays. 2. Next to the policy name for the Gateway 1–to–Gateway 2 autopolicy, click [...]

  • Page 473

    To specify the syslog server that is connected to Gateway 1: 1. Select Monitoring > Logs & Reports > Email and Syslog to display the Email and Syslog screen. 2. Enable the syslog server and specify its IP address at Site 1. Enter 192.168.[...]

  • Page 474

    Figure 275. 2. Enter the settings as explained in the following table: Table 117. Alerts screen settings Setting Description Enable Traffic Meter Limit Alerts Select this check box to enable traffic meter limit alerts. This check box is cleared by d[...]

  • Page 475

    3. Click Apply to save your settings. Enable Malware Alerts Select this check box to enable malware alerts, and fill in the Subject and Message fields. This check box is cleared by default. Subject Enter the subject line for the email alert. The defaul[...]

  • Page 476

    Configure and Activate Firewall Logs You can configure the logging options for each network segment. For example, the UTM can log accepted packets for LAN-to-WAN traffic, dropped packets for WAN-to-DMZ traffic, and so on. You can also configure log[...]

  • Page 477

    3. Click Apply to save your settings. Monitor Real-Time Traffic, Security, and Statistics The Dashboard screen lets you monitor the real-time security scanning status with detected network threats, detected network traffic, and service statisti[...]

  • Page 478

    Figure 277. Dashboard, screen 1 of 3 To clear the statistics, click Clear Statistics.[...]

  • Page 479

    To set the poll interval: 1. Click the Stop button. 2. From the Poll Interval drop-down list, select a new interval. The minimum is 5 seconds; the maximum is 5 minutes. 3. Click the Set Interval button. The following table explains the fields of th[...]

  • Page 480

    Figure 278. Dashboard, screen 2 of 3 Threats (Counts) This is a graphic that shows the relative number of threats and access violations over the last week, using different colors for the various components, most of which are self-explanatory: Email Filte[...]

  • Page 481

    The following table explains the fields of the Most Recent 5 and Top 5 sections of the Dashboard screen: Table 120. Dashboard screen: most recent 5 threats and top 5 threats information Category Most recent 5 threats description Top 5 threats des[...]

  • Page 482

    Figure 279. Dashboard, screen 3 of 3 The following table explains the fields of the Service Statistics section of the Dashboard screen: Table 121. Dashboard screen: service statistics information Item Description For each of the six supported protocol[...]

  • Page 483

    Monitor Application Use in Real Time If you have enabled application session monitoring (see Enable Application Session Monitoring on page 521), the Application Dashboard screen lets you monitor the use of applications and protocols in real time. To d[...]

  • Page 484

    Figure 280. Line chart icon Pie chart icon[...]

  • Page 485

    To set the poll interval: 1. Click the Stop button. 2. From the Poll Interval drop-down list, select a new interval. The minimum is 30 seconds; the maximum is 20 minutes. 3. Click the Set Interval button. To set the monitoring period: From the[...]

  • Page 486

    View Status Screens • View the System Status • View the Active VPN Users • View the VPN Tunnel Connection Status • View the Active PPTP and L2TP Users • View the Port Triggering Status • View the WAN, xDSL, or USB Port Status • V[...]

  • Page 487

    View the System Status Screen To view the System Status screen, select Monitoring > System Status. The System Status tabs display, with the System Status screen in view: Figure 281. The following table explains the fields of the System Status[...]

  • Page 488

    View the Network Status Screen To view the Network Status screen, select Monitoring > System Status > Network Status. The Network Status screen displays. (The following figure shows the Network Status screen of the UTM50. The Network Sta[...]

  • Page 489

    available wireless access point, and has a Wireless Statistics option arrow in the upper right of the screen.) Figure 282. The UTM9S and UTM25S also show a table with available access points at the bottom of the Network Status screen: Figure 283. The[...]

  • Page 490

    View the Router Statistics Screen To view the Router Statistics screen: 1. Select Monitoring > System Status > Network Status. The Network Status screen displays. 2. Click the Show Statistics option arrow in the upper right of the Netw[...]

  • Page 491

    To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop. View the Wireless Statistics Screen (UTM9S and UTM25S Only) To view the Wireless Statistics screen: 1[...]

  • Page 492

    The following table explains the fields of the Wireless Statistics screen. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Note: For information about cli[...]

  • Page 493

    View the Detailed Status Screen To view the Detailed Status screen, select Monitoring > System Status > Detailed Status. The Detailed Status screen displays. (The following figure shows the Detailed Status screen of the UTM50.) Figure 286. [...]

  • Page 494

    Figure 287. Detailed Status screen sections that are specific to the UTM9S and UTM25S[...]

  • Page 495

    The following table explains the fields of the Detailed Status screen: Table 127. Detailed Status screen fields Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile The name of the VLAN pr[...]

  • Page 496

    Firmware Version (UTM9S and UTM25S only) The firmware on the xDSL network module. WAN State The WAN state can be either UP or DOWN, depending on whether the port is connected to the Internet and whether the port is enabled. For information about con[...]

  • Page 497

    MAC Address For the WAN or xDSL ports, this field displays the default MAC address or the MAC address that you have specified on the Advanced Options screen. For the USB port, this field displays the detected MAC address. For information about configurin[...]

  • Page 498

    View the VLAN Status Screen The VLAN Status screen displays information about the VLANs (both enabled and disabled) that are configured on the UTM. For information about configuring VLAN profiles, see Configure a VLAN Profile on page 103. For inform[...]

  • Page 499

    View the xDSL Statistics Screen (UTM9S and UTM25S Only) To view the xDSL Statistics screen, select Monitoring > System Status > xDSL Statistics. The xDSL Statistics screen displays: Figure 289. View the Active VPN Users The Active Users sc[...]

  • Page 500

    View the VPN Tunnel Connection Status To review the status of current IPSec VPN tunnels, select Monitoring > Active Users & VPNs > IPSec VPN Connection Status. The IPSec VPN Connection Status screen displays: Figure 291. The Active IPSec[...]

  • Page 501

    Figure 292. The active user’s user name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the use[...]

  • Page 502

    The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button. To view the active L2TP tunnel users, select Mon[...]

  • Page 503

    Figure 295. 2. Select the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen displays in a pop-up screen. Figure 296. The Port Triggering Status screen displays the information that is described i[...]

  • Page 504

    View the WAN, xDSL, or USB Port Status You can view the status of the WAN connections, the DNS servers, and the DHCP servers. For the UTM9S and UTM25S, you can also view the status of the xDSL and USB ports. To view the status of a WAN, xDSL,[...]

  • Page 505

    Depending on the type of connections, any of the following buttons might display on the Connection Status screen: • Renew. Click to renew the DHCP lease. • Release. Click to disconnect the DHCP connection. • Disconnect. Click to disconnect the[...]

  • Page 506

    Figure 298. 2. Select the LAN Groups submenu tab. The LAN Groups screen displays. (The following figure shows some examples in the Known PCs and Devices table.) Figure 299. The Known PCs and Devices table contains a list of all known computers and ne[...]

  • Page 507

    manually to add a meaningful name). If the computer or device was assigned an IP address by the DHCP server, then the name is appended by an asterisk. • IP Address. The current IP address of the computer or device. For DHCP clients of the UTM, this[...]

  • Page 508

    Overview of the Logs The UTM generates logs that provide detailed information about malware threats and traffic activities on the network. You can view these logs through the web management interface or save the log records in CSV or HTML format and[...]

  • Page 509

    You can query and generate each type of log separately and filter the information based on a number of criteria. For example, you can filter the malware logs using the following criteria (other log types have similar filtering criteria): • Start dat[...]

  • Page 510

    2. Enter the settings as explained in the following table: Table 134. Logs Query screen settings Setting Description Log Type Select one of the following log types from the drop-down list: • Traffic. All scanned incoming and outgoing traffic.[...]

  • Page 511

    View All Select one of the following radio buttons: • View All. Display or download the entire selected log. • Search Criteria. Query the selected log by configuring the search criteria that are available for the selected log. Search Criter[...]

  • Page 512

    Search Criteria (continued) Category or Categories From the drop-down list, select a category that is queried. You can select the following from the drop-down list: • For the IPS log: an attack. • For the Application log: an instant messaging, peer[...]

  • Page 513

    3. Click one of the following action buttons: • Search. Query the log according to the search criteria that you specified, and view the log through the web management interface, that is, onscreen. • Download. Query the log according to the search [...]

  • Page 514

    Log Management Generated logs take up space and resources on the UTM internal disk. To ensure that there is always sufficient space to save newer logs, the UTM automatically deletes older logs whenever the total log size reaches 50 percent of the allo[...]

  • Page 515

    Query the Quarantined Logs To query the quarantine logs: 1. Select Monitoring > Quarantine. The Quarantine screen displays. (The following figure shows the Spam log information settings as an example.) Depending on the selection that you make fr[...]

  • Page 516

    2. Enter the settings as explained in the following table: 3. Click Search. The log is queried according to the search criteria that you specified, and the search results are displayed onscreen. Table 135. Quarantine screen settings Setting Description[...]

  • Page 517

    View and Manage the Quarantined Spam Table When you query the spam quarantine file, the Quarantine screen with the Quarantined Spam table displays: Figure 303. The Quarantined Spam table has the following columns (not all columns are shown in the pr[...]

  • Page 518

    After you have selected one or more table entries, take one of the following actions (or click the return link to return to the previous screen): • Send as Spam. The selected spam email files are tagged as spam for distributed spam analysis, and [...]

  • Page 519

    • Client IP. The client IP address from which the spyware or virus originated. • Server IP. The server IP address from which the spyware or virus originated. • From. The email address of the sender. • To. The email address of the recipient. [...]

  • Page 520

    2. Click the Check your quarantined mail link. The following screen displays: Figure 306. 3. From the drop-down lists, specify the start date, start time, end date, and end time for the spam report. 4. In the Send to field, enter an email address. 5. C[...]

  • Page 521

    You can view the reports onscreen, download them to your computer, and configure the UTM to send them to one or more email addresses. The UTM provides preconfigured report templates. As an option, you can apply filtering options to narrow down and spec[...]

  • Page 522

    2. Select the Enable Application Session Monitoring check box. By default, this check box is cleared. 3. Click Apply to save your changes. Report Filtering Options Before you generate reports to view onscreen or schedule reports to be emailed, you mi[...]

  • Page 523

    2. Enter the settings as explained in the following table: Table 136. Report screen: filtering options settings Setting Description Time Range Note: Even if you click Apply to save the filtering options, when you leave the Report screen and then retu[...]

  • Page 524

    3. The next step depends on whether you want to view the report onscreen or schedule it to be emailed: • Viewing onscreen. To view a filtered report onscreen, select a report by clicking View next to the report. (For more information, see the fo[...]

  • Page 525

    Figure 309. Report, screen 2 of 4 Note: For information about setting a time range and other filtering options for a report, see the previous section. 2. Select a report by clicking View next to the report to display the selected report onscreen. The f[...]

  • Page 526

    URL Filtering by Time For the HTTPS and HTTP protocols separately, a chart and a table with the number of blocked attempts to access URLs that are on the blacklist. File Blocked by Time For each of the three web server protocols separately, a chart [...]

  • Page 527

    Top n Categories By Request For all web server protocols combined, a chart and a table with the web categories that were requested most often, including the number of times that they were requested, and drill-down links to the users who requested th[...]

  • Page 528

    Top n Applications by Bandwidth A chart and a table with the applications for which most bandwidth was consumed and the size of the bandwidth consumed (expressed in bytes), and drill-down links to the users who accessed the applications. When you click[...]

  • Page 529

    Schedule, Email, and Manage Reports To schedule automatic generation and emailing of reports: 1. Select Monitoring > Logs & Reports > Report. The Report screen displays. (The following two figures show only the Schedule Reports and Re[...]

  • Page 530

    2. Enter the settings in the Schedule Reports section as explained in the following table: 3. Optional step: To send the reports immediately to the email addresses that are specified in the Email Recipients field, click Send Now. (These emailed reports [...]

  • Page 531

    Figure 311. Report, screen 4 of 4 The Report History section shows the generated and emailed reports with their report date and lets you perform the following actions. • Specify the number of reports to keep. To manage the number of reports tha[...]

  • Page 532

    To display the Diagnostics screen, select Monitoring > Diagnostics. To facilitate the explanation of the tools, the Diagnostics screen is divided and presented in this manual in three figures. Use the Network Diagnostic Tools This section discus[...]

  • Page 533

    Trace a Route A traceroute lists all routers between the source (the UTM) and the destination IP address. To send a traceroute: 1. Locate the Network Diagnostics section on the Diagnostics screen. In the IP Address field, enter the IP address for[...]

  • Page 534

    out which applications are using the most bandwidth, which users use the most bandwidth, how long users are connected, and other information. To use the real-time traffic diagnostics tool: 1. Locate the Realtime Traffic Diagnostics section on th[...]

  • Page 535

    Figure 314. Diagnostics, screen 3 of 4 Gather Important Log Information To gather log information about your UTM: 1. Locate the Gather Important Log Information section on the Diagnostics screen. Click Download Now. You are prompted to save the[...]

  • Page 536

    Perform Maintenance on the USB Device, Reboot the UTM, or Shut Down the UTM Note: The USB Device Maintenance section applies to the UTM9S and UTM25S only. This section discusses the USB Device Maintenance section and System Maintenance section of the [...]

  • Page 537

    Note: Rebooting breaks any existing connections either to the UTM (such as your management session) or through the UTM (for example, LAN users accessing the Internet). However, when the reboot process is complete, connections to the Internet are autom[...]

  • Page 538

    12. Troubleshoot and Use Online Support This chapter provides troubleshooting tips and information for the UTM. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the UTM on? Go to Basic Functioning on page 539. ?[...]

  • Page 539

    Basic Functioning • Verify the Correct Sequence of Events at Startup • Power LED Not On • Test LED Never Turns Off • LAN or WAN Port LEDs Not On Note: For descriptions of all LEDs, see LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 [...]

  • Page 540

    If all LEDs are still on more than several minutes after power-up, do the following: • Turn off the power, and then turn it on again to see if the UTM recovers. • Reset the UTM’s configuration to factory default settings. Doing so set[...]

  • Page 541

    • Make sure that you are using the correct login information. The factory default login name is admin, and the password is password. Make sure that Caps Lock is off when entering this information. • If your computer’s IP address is shown as 169.25[...]

  • Page 542

    To check the WAN IP address: 1. Launch your browser and navigate to an external site such as www.netgear.com. 2. Access the web management interface of the UTM’s configuration at https://192.168.1.1. 3. Select Network Config > WAN Settings [...]

  • Page 543

    If your UTM can obtain an IP address, but an attached computer is unable to load any web pages from the Internet: • Your computer might not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (su[...]

  • Page 544

    - Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and UTM. • Wrong network configuration: - Verify that the Ethernet card driver software and TCP/IP so[...]

  • Page 545

    Restore the Default Configuration and Password To reset the UTM to the original factory default settings, you can use one of the following two methods: • Press the Factory Defaults reset button on the rear panel of the UTM (see Rear Panel UTM5, UTM[...]

  • Page 546

    Problems with Date and Time The System Date & Time screen displays the current date and time of day (see Configure Date and Time Service on page 456). The UTM uses the Network Time Protocol (NTP) to obtain the current time from one of several netw[...]

  • Page 547

    Figure 317. 2. In the Support Key field, enter the support key that was given to you by NETGEAR. 3. Click Connect. When the tunnel is established, the tunnel status field displays ON. To terminate the tunnel, click Disconnect. The tunnel status field[...]

  • Page 548

    Figure 318. 2. Enter the settings as explained in the following table: 3. Click Submit. Access the Knowledge Base and Documentation To access NETGEAR’s knowledge base for the UTM, select Support > Knowledge Base. To access NETGEAR’s documentat[...]

  • Page 549

    A. xDSL Network Module for the UTM9S and UTM25S This appendix describes how to configure the DSL interfaces of the NMSDSLA and NMSDSLB network modules that you can install in a UTM9S or UTM25S. This appendix includes the following sections: • xDSL Network Module Configuration Tasks • Configure the xDSL Settings • Automatical[...]

  • Page 550

    xDSL Network Module Configuration Tasks Generally, six steps, four of which are optional, are required to complete the DSL Internet connection of your UTM9S or UTM25S. Complete these steps: 1. Configure the xDSL settings. Before you can[...]

  • Page 551

    To configure the xDSL settings: 1. Select Network Config > WAN Settings. The WAN screen displays: Figure 319. Note: For more information about the WAN screen, see Automatically Detecting and Connecting the xDSL Internet Connection on [...]

  • Page 552

    Figure 321. 4. Either click Auto Detect or, if you have the correct settings, enter the settings as explained in the following table: Table 140. xDSL settings Setting Description xDSL Settings DSL Transfer Mode Select one of the following DSL [...]

  • Page 553

    5. Click Apply to save your settings. Automatically Detecting and Connecting the xDSL Internet Connection To set up your UTM9S or UTM25S for secure Internet connections, the web management interface provides the option to detect the network co[...]

  • Page 554

    You can set the failure detection method for the DSL interface on the corresponding WAN Advanced Options screen (see Configure Auto-Rollover Mode and the Failure Detection Method on page 563). • Action. The Edit button in the Action column [...]

  • Page 555

    3. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of the follow[...]

  • Page 556

    Figure 324. Note: The Connection Status screen should show a valid IP address and gateway. For more information about the Connection Status screen, see View the WAN, xDSL, or USB Port Status on page 504. What to do next: • If the automati[...]

  • Page 557

    Figure 325. 2. Click the Edit button in the Action column of the SLOT-x interface. The SLOT-x ISP Settings screen displays (see Figure 323 on page 554). 3. Locate the ISP Login section onscreen: Figure 326. In the ISP Login section, select one[...]

  • Page 558

    6. If your connection is Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Protocol over ATM (PPPoA), your ISP requires an initial login. Enter the settings as explained in the following table: 7. In the Internet (IP) Address sec[...]

  • Page 559

    8. In the Domain Name Server (DNS) Servers section of the screen (see the following figure), specify the DNS settings as explained in the following table. Figure 328. Table 143. Internet IP address settings Setting Description Get Dynamically [...]

  • Page 560

    9. Click Apply to save any changes to the SLOT-x ISP settings. (Or click Reset to discard any changes and revert to the previous settings.) 10. Click Test to evaluate your entries. The UTM9S or UTM25S attempts to make a connection according to t[...]

  • Page 561

    What to do next: • If the manual ISP configuration is successful: You are connected to the Internet through the DSL interface that you just configured. Continue with Configure the WAN Mode on page 561. • If the manual ISP configuration fa[...]

  • Page 562

    • Primary WAN mode. The DSL interface (or a WAN interface or the USB interface) is made the primary interface. The other interfaces are disabled. • Auto-rollover mode. A DSL or WAN interface is defined as the primary link, and another [...]

  • Page 563

    WARNING: Changing the WAN mode from classical routing to NAT causes all LAN WAN and DMZ WAN inbound rules to revert to default settings. To configure NAT: 1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode sc[...]

  • Page 564

    When the UTM9S or UTM25S is configured in auto-rollover mode, it uses the selected WAN failure detection method to detect the status of the primary link connection at regular intervals. Link failure is detected in one of the following ways: [...]

  • Page 565

    d. From the corresponding drop-down list on the right, select a WAN interface, the USB interface, or the DSL interface to function as the backup interface. Note: Ensure that the backup interface is configured before enabling auto-rollover mode[...]

  • Page 566

    Note: After the primary interface fails, the default time to roll over is 2 minutes. The minimum test period is 30 seconds, and the minimum number of tests is 4. 5. Click Apply to save your settings. Note: You can configure the UTM to generate[...]

  • Page 567

    • Continuity of source IP address for secure connections. Some services, particularly HTTPS, cease to respond when a client’s source IP address changes shortly after a session has been established. Configure Load Balancing To configu[...]

  • Page 568

    • Round-robin. With round-robin load balancing, new traffic connections are sent over a DSL, USB, or WAN link in a serial method irrespective of bandwidth or link speed. For example if the DSL, WAN1, and WAN2 interfaces are active in roun[...]

  • Page 569

    Figure 334. 3. Configure the protocol binding settings as explained in the following table: Table 146. Add Protocol Binding screen settings Setting Description Service From the drop-down list, select a service or application to be covered by th[...]

  • Page 570

    4. Click Apply to save your settings. The protocol binding rule is added to the Protocol Bindings table. The rule is automatically enabled, which is indicated by the status icon, a green circle. To edit a protocol binding: 1. On the Protoco[...]

  • Page 571

    For more information about firewall rules, see Overview of Rules to Block or Allow Specific Kinds of Traffic on page 128). It is important that you ensure that any secondary DSL addresses are different from the primary DSL, WAN, LAN, and DM[...]

  • Page 572

    • Subnet Mask. Enter the subnet mask for the secondary IP address. 5. Click the Add table button in the rightmost column to add the secondary IP address to the List of Secondary WAN addresses table. Repeat step 4 and step 5 for each secondary[...]

  • Page 573

    To configure DDNS: 1. Select Network Config > Dynamic DNS. The Dynamic DNS screen displays (see the following figure). The WAN Mode section onscreen reports the currently configured WAN mode (for example, Single Port WAN1, Load Balanc[...]

  • Page 574

    3. Click the Information option arrow in the upper right of a DNS screen for registration information. Figure 337. 4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www[...]

  • Page 575

    Note: You can also configure the failure detection method for the auto-rollover mode on the Advanced Options screen for the DSL interface. This procedure is discussed in Configure the Failure Detection Method on page 565. IMPORTANT: Each co[...]

  • Page 576

    4. Enter the settings as explained in the following table: 5. Click Apply to save your changes. WARNING: Depending on the changes that you made, when you click Apply, the UTM9S or UTM25S restarts, or services such as HTTP and SMTP might resta[...]

  • Page 577

    Additional WAN-Related Configuration Tasks • If you have not already done so, configure the Ethernet WAN interfaces of the UTM9S or UTM25S (see Chapter 3, Manually Configure Internet and WAN Settings). • If you want the ability to m[...]

  • Page 578

    B. Wireless Network Module for the UTM9S and UTM25S This appendix describes how to configure the wireless features of the NMSWLSN wireless network module that you can install in a UTM9S or UTM25S. This appendix includes the following sections: • Overview of the Wireless Network Module • Configure the Basic Radio Settings • [...]

  • Page 579

    Overview of the Wireless Network Module • Configuration Order • Wireless Equipment Placement and Range Guidelines The wireless network module is a wireless access point that provides connectivity to multiple wireless network devices withi[...]

  • Page 580

    Note: Failure to follow these guidelines can result in significant performance degradation or inability to connect to the wireless network module. For complete performance specifications, see the data sheet on the ProSecure UTM series home pa[...]

  • Page 581

    Figure 339. 2. Specify the settings as explained in the following table: Table 149. Radio Settings screen settings Field Descriptions Region This is a preconfigured field that you cannot change. Country Specify a country by making a select[...]

  • Page 582

    Mode The wireless modes that you can select depend on the radio’s operating frequency that you select. 2.4 GHz Specify the wireless mode in the 2.4-GHz band by making a selection from the drop-down list: • g and b. This is the default [...]

  • Page 583

    WARNING: When you have changed the country settings, the wireless network module (not the UTM9S or UTM25S) will reboot when you click Apply. 3. Click Apply to save your settings. Operating Frequency (Channel) Guidelines You should not [...]

  • Page 584

    • In infrastructure mode, wireless devices normally scan all channels, looking for a wireless access point. If more than one wireless access point can be used, the one with the strongest signal is used. This can happen only when the wirele[...]

  • Page 585

    Note: On the UTM9S or UTM25S, WEP is not supported when the radio functions in 802.11n wireless mode (802.11n, 802.11ng, 802.11na, or Greenfield). For information about how to configure WEP, see Configure and Enable Wireless Profiles on[...]

  • Page 586

    Wireless security profiles, hereafter referred to as wireless profiles, let you configure unique security settings for each SSID on the UTM9S or UTM25S. The UTM9S and UTM25S support up to four wireless profiles (BSSIDs) that you can configur[...]

  • Page 587

    Before You Change the SSID, WEP, and WPA Settings For a new wireless profile, print or copy the following form and fill in the settings. ______________________ __________________________ _________________________ Store this information[...]

  • Page 588

    Configure and Enable Wireless Profiles To add a wireless profile: 1. Select Network Config > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays: Figure 341. The following table explains the fields o[...]

  • Page 589

    Figure 342. 3. Specify the settings as explained in the following table: Table 151. Add Wireless Profiles screen settings Field Description Profile Configuration Profile Name The name for the wireless profile. For the UTM9S, the name [...]

  • Page 590

    SSID The wireless network name (SSID) for the wireless profile. The default SSID name is netgear-1. You can change this name by entering up to 32 alphanumeric characters. Make sure that additional SSIDs have unique names. Broadcast SSID S[...]

  • Page 591

    Encryption Note: WPA, WPA2, and WPA+WPA2 only. The encryption that you can select depends on the type of WPA security that you have selected: • WPA. You can select the following types of encryption from the drop-down list: - TKIP - TKI[...]

  • Page 592

    4. Click Apply to save your settings. The profile is updated in the List Of Wireless Profiles table. WARNING: If you use a wireless computer to configure wireless security settings, you will be disconnected when you click Apply. Reconfigure y[...]

  • Page 593

    To edit a wireless profile: 1. On the Wireless Profiles screen (see Figure 341 on page 588), click the Edit button in the Action column for the wireless profile that you want to modify. The Edit Wireless Profile screen displays. This scr[...]

  • Page 594

    Figure 343. Note: The default wireless profile with profile name UTM9S or UTM25S is referred to as virtual access point zero (VAP0). If you add more wireless profiles, they are referred to as VAP1, VAP2, and VAP3. 3. In the MAC Filter Co[...]

  • Page 595

    WARNING: If you configure the wireless network module in the UTM9S or UTM25S from a wireless computer whose MAC address is not in the access control list, and if the ACL policy status is set to deny access, you lose your wireless connectio[...]

  • Page 596

    The following table explains the fields of the Access Point Status screen. Configure a Wireless Distribution System The UTM9S or UTM25S can function as a station (peer) in a Wireless Distribution System (WDS). WDS enables expansion of [...]

  • Page 597

    Wireless Network Module for the UTM9S and UTM25S 597 ProSecure Unified Threat Management (UTM) Appliance mixed encryption (TKIP+AES, which is supported in WPA and WPA+WPA2 security modes), WDS uses AES because it is the stronger encryption method. To configure WDS, you need to know the MAC addresses of the wireless peers, and you need to [...]

  • Page 598

    Wireless Network Module for the UTM9S and UTM25S 598 ProSecure Unified Threat Management (UTM) Appliance To configure WDS on a peer: 1. Configure the same wireless security that you have configured on the UTM9S or UTM25S. 2. Enter the MAC address of the UTM9S’s or UTM25S’s access point, which is displayed on the WDS Configuration screen o[...]

  • Page 599

    Wireless Network Module for the UTM9S and UTM25S 599 ProSecure Unified Threat Management (UTM) Appliance 3. Specify the settings as explained in the following table: 4. Click Apply to save your settings. Table 153. Advanced Wireless screen settings Setting Description Beacon Interval Enter an interval between 20 ms and 100 ms for each beacon [...]

  • Page 600

    Wireless Network Module for the UTM9S and UTM25S 600 ProSecure Unified Threat Management (UTM) Appliance Configure WMM QoS Priority Settings Wi-Fi Multimedia (WMM) is a subset of the 802.11e standard. WMM allows wireless traffic to have a range of priorities, depending on the type of data. Time-dependent information, such as video or audio, h[...]

  • Page 601

    Wireless Network Module for the UTM9S and UTM25S 601 ProSecure Unified Threat Management (UTM) Appliance Figure 347. 3. Select the Enable WMM check box. 4. Click Apply to save your settings. 5. In the DSCP to Queue table, from the drop-down lists, select a WMM queue for each DSCP value that you want to use in a QoS profile: • 4. The highest pr[...]

  • Page 602

    Wireless Network Module for the UTM9S and UTM25S 602 ProSecure Unified Threat Management (UTM) Appliance Test Basic Wireless Connectivity After you have configured the wireless network module as explained in the previous sections, test your wireless clients for connectivity before you place the UTM9S or UTM25S at its permanent position. [...]

  • Page 603

    603 C C. 3G/4G Dongles for the UTM9S and UTM25S This appendix describes how to configure the wireless features of a mobile broadband USB adapter (3G/4G dongle) that you can install in a UTM9S or UTM25S. This appendix includes the following sections: • 3G/4G Dongle Configuration Tasks • Manually Configure the USB Internet Connection • [...]

  • Page 604

    3G/4G Dongles for the UTM9S and UTM25S 604 ProSecure Unified Threat Management (UTM) Appliance Complete these steps: 1. Insert the 3G/4G dongle and configure the Internet connection to your ISP. During this phase, you connect to your wireless ISP, and, only if necessary, modify the 3G/4G settings. See Manually Configure the USB Internet[...]

  • Page 605

    3G/4G Dongles for the UTM9S and UTM25S 605 ProSecure Unified Threat Management (UTM) Appliance To configure the WAN ISP settings for the USB interface: 1. Select Network Config > WAN Settings. The WAN screen displays: Figure 348. 2. Select WAN Mode 3. Click the Edit button in the Action column of the USB interface. The USB ISP Setti[...]

  • Page 606

    3G/4G Dongles for the UTM9S and UTM25S 606 ProSecure Unified Threat Management (UTM) Appliance 4. Configure the settings as explained in the following table: Table 154. USB ISP settings Setting Description 3G Dongle Details Card Type The card type is a fixed field that states 3G/4G. Enable 3G Service Select the Enable 3G Service check box to [...]

  • Page 607

    3G/4G Dongles for the UTM9S and UTM25S 607 ProSecure Unified Threat Management (UTM) Appliance 5. Click Apply to save any changes to the USB ISP settings. (Or click Reset to discard any changes and revert to the previous settings.) 6. To verify the connection: a. Return to the WAN screen by selecting Network Config > WAN Settings. b. Click[...]

  • Page 608

    3G/4G Dongles for the UTM9S and UTM25S 608 ProSecure Unified Threat Management (UTM) Appliance Configure the 3G/4G Settings The 3G/4G settings are automatically detected. Modifying these settings is required only if you cannot connect to your ISP. For example, if your ISP provides you information about a pay plan for the 3G/4G service, you mig[...]

  • Page 609

    3G/4G Dongles for the UTM9S and UTM25S 609 ProSecure Unified Threat Management (UTM) Appliance 4. The information in the 3G Status section and SIM Card state section of the screen is automatically detected. If necessary, configure the connection settings as explained in the following table. Table 155. 3G/4G settings Setting Description 3GSt a[...]

  • Page 610

    3G/4G Dongles for the UTM9S and UTM25S 610 ProSecure Unified Threat Management (UTM) Appliance 5. Click Apply to save your settings. Note: If you are connected to the Internet over a PPP connection (that is, the PDP type is PPP) and you change the connection settings, the settings do not take effect until you disconnect from the Internet and[...]

  • Page 611

    3G/4G Dongles for the UTM9S and UTM25S 611 ProSecure Unified Threat Management (UTM) Appliance Overview of the WAN Modes You cannot configure failure detection settings for the USB interface, but you can configure the USB interface to participate in load balancing or function as a rollover interface in case the primary WAN interface goes do[...]

  • Page 612

    3G/4G Dongles for the UTM9S and UTM25S 612 ProSecure Unified Threat Management (UTM) Appliance For information about how to configure the USB interface as a rollover link, see the following sections: • To configure the USB interface as the rollover link for a WAN interface, see Configure Load Balancing (Multiple WAN Port Models) on page 86. ?[...]

  • Page 613

    3G/4G Dongles for the UTM9S and UTM25S 613 ProSecure Unified Threat Management (UTM) Appliance Figure 352. 2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button. 3. Click Apply to save your settings. Configure Classical Routing In classical routing mode, the UTM9S and UTM25S perform routing, but withou[...]

  • Page 614

    3G/4G Dongles for the UTM9S and UTM25S 614 ProSecure Unified Threat Management (UTM) Appliance Configure Load Balancing and Optional Protocol Binding To use multiple ISP links simultaneously, configure load balancing. In load balancing mode, the USB interface, DSL interface, or any WAN interface carries any outbound protocol unless protocol bi[...]

  • Page 615

    3G/4G Dongles for the UTM9S and UTM25S 615 ProSecure Unified Threat Management (UTM) Appliance b. From the corresponding drop-down list on the right, select one of the following load balancing methods: • Weighted LB. With weighted load balancing, balance weights are calculated based on DSL, USB, or WAN link speed and available DSL, USB, o[...]

  • Page 616

    3G/4G Dongles for the UTM9S and UTM25S 616 ProSecure Unified Threat Management (UTM) Appliance • Destination Network. The Internet locations (based on their IP address) that are covered by the protocol binding rule. • Action. The Edit button provides access to the Edit Protocol Binding screen for the corresponding service. 2. Click the Ad[...]

  • Page 617

    3G/4G Dongles for the UTM9S and UTM25S 617 ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The protocol binding rule is added to the Protocol Bindings table. The rule is automatically enabled, which is indicated by the ! status icon, a green circle. To edit a protocol binding: 1. On the Protocol Bind[...]

  • Page 618

    3G/4G Dongles for the UTM9S and UTM25S 618 ProSecure Unified Threat Management (UTM) Appliance Configure Dynamic DNS Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IP addresses to be located using Internet domain names. To use DDNS, you need to set up an account with a DDNS provider such as DynDNS.org, TZO.com[...]

  • Page 619

    3G/4G Dongles for the UTM9S and UTM25S 619 ProSecure Unified Threat Management (UTM) Appliance Figure 356. The WAN Mode section onscreen reports the currently configured WAN mode (for example, Single Port WAN1, Load Balancing, or Auto Rollover). Only those options that match the configured WAN mode are accessible onscreen. 2. Click the subm[...]

  • Page 620

    3G/4G Dongles for the UTM9S and UTM25S 620 ProSecure Unified Threat Management (UTM) Appliance 3. Click the Information option arrow in the upper right of a DNS screen for registration information. Figure 357. 4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndn[...]

  • Page 621

    3G/4G Dongles for the UTM9S and UTM25S 621 ProSecure Unified Threat Management (UTM) Appliance Additional WAN-Related Configuration Tasks • If you have not already done so, configure the Ethernet WAN interfaces of the UTM9S or UTM25S (see Chapter 3, Manually Configure Internet and WAN Settings). • If you want the ability to manage t[...]

  • Page 622

    622 D D. Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix does not apply to single WAN port models. This appendix contains the following sections: • What to Consider Before You Begin •[...]

  • Page 623

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 623 ProSecure Unified Threat Management (UTM) Appliance Your decision has the following implications: • Fully qualified domain name (FQDN) - For auto-rollover mode, you will need an FQDN to implement features such as exposed hosts and virtual private networks. - For load[...]

  • Page 624

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 624 ProSecure Unified Threat Management (UTM) Appliance 4. Prepare to connect the UTM physically to your cable or DSL modems and a computer. Instructions for connecting the UTM are in the ProSecure Unified Threat Management UTM Installation Guide. Cabling and Computer Hard[...]

  • Page 625

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 625 ProSecure Unified Threat Management (UTM) Appliance - For Windows 2000/XP/Vista, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab. - For Macintosh computers, open the TC[...]

  • Page 626

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 626 ProSecure Unified Threat Management (UTM) Appliance • Fully qualified domain name: Some organizations use a fully qualified domain name (FQDN) from a Dynamic DNS service provider for their IP addresses. Dynamic DNS service provider: ______________________ FQDN: _____[...]

  • Page 627

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 627 ProSecure Unified Threat Management (UTM) Appliance Figure 359. Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP address of each WAN port needs to be in the identical range of fixed addresses. • Dual WAN ports in load ba[...]

  • Page 628

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 628 ProSecure Unified Threat Management (UTM) Appliance Inbound Traffic to a Single WAN Port System The Internet IP address of the UTM’s WAN port needs to be known to the public so that the public can send incoming traffic to the exposed host when this feature is support[...]

  • Page 629

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 629 ProSecure Unified Threat Management (UTM) Appliance Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better cont[...]

  • Page 630

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 630 ProSecure Unified Threat Management (UTM) Appliance For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configura[...]

  • Page 631

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 631 ProSecure Unified Threat Management (UTM) Appliance VPN Road Warrior: Single-Gateway WAN Port (Reference Case) In a single WAN port gateway configuration, the remote VPN client initiates the VPN tunnel because the IP address of the remote VPN client is not known in ad[...]

  • Page 632

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 632 ProSecure Unified Threat Management (UTM) Appliance Figure 368. The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote VPN client can determi[...]

  • Page 633

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 633 ProSecure Unified Threat Management (UTM) Appliance VPN Gateway-to-Gateway The following situations exemplify the requirements for a gateway VPN firewall such as an UTM to establish a VPN tunnel with another gateway VPN firewall: • Single-gateway WAN ports • Re[...]

  • Page 634

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 634 ProSecure Unified Threat Management (UTM) Appliance Figure 371. The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (that is, the[...]

  • Page 635

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 635 ProSecure Unified Threat Management (UTM) Appliance Figure 373. The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Telecommuter (Client-to-G[...]

  • Page 636

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 636 ProSecure Unified Threat Management (UTM) Appliance The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you need to use an FQDN. If the IP address is fixed, an FQDN is optional. VPN Telecommuter: Dual-Gateway WAN Por[...]

  • Page 637

    Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) 637 ProSecure Unified Threat Management (UTM) Appliance VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing In a dual WAN port load balancing gateway configuration, the remote VPN client initiates the VPN tunnel with the appropriate gateway WAN port (that is, po[...]

  • Page 638

    638 E E. ReadyNAS Integration This appendix describes how to set up a UTM with a NETGEAR ReadyNAS. This appendix includes the following sections: • Supported ReadyNAS Models • Install the UTM Add-On on the ReadyNAS • Connect to the ReadyNAS on the UTM Note: For more information about integrating a ReadyNAS with a UTM, see the UTM Rea[...]

  • Page 639

    ReadyNAS Integration 639 ProSecure Unified Threat Management (UTM) Appliance Install the UTM Add-On on the ReadyNAS To install the UTM add-on on the ReadyNAS: 1. Start a web browser. 2. In the address field, enter the IP address of the ReadyNAS, for example, enter https://192.168.168.168. The ReadyNAS web management interface displa[...]

  • Page 640

    ReadyNAS Integration 640 ProSecure Unified Threat Management (UTM) Appliance Figure 379. 7. Click Install. 8. Select Add-ons > Installed. Figure 380. 9. Select the UTM Connector check box to enable the UTM connection.[...]

  • Page 641

    ReadyNAS Integration 641 ProSecure Unified Threat Management (UTM) Appliance 10. Click Save. The status indicator shows green. Figure 381. Connect to the ReadyNAS on the UTM To connect to the ReadyNAS on the UTM: 1. Select Administration > ReadyNAS Integration. The ReadyNAS Integration screen displays: Figure 382. 2. To connect to t[...]

  • Page 642

    ReadyNAS Integration 642 ProSecure Unified Threat Management (UTM) Appliance 3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. 5. Select Administration > Quarantine Settings. The Quarantine Settings screen displays: Figure 383. 6. To enable quarantine files to be saved to the ReadyNAS, click th[...]

  • Page 643

    ReadyNAS Integration 643 ProSecure Unified Threat Management (UTM) Appliance Figure 384.[...]

  • Page 644

    644 F F. Two-Factor Authentication This appendix provides an overview of two-factor authentication, and an example of how to implement the WiKID solution. This appendix contains the following sections: • Why Do I Need Two-Factor Authentication? • NETGEAR Two-Factor Authentication Solutions Why Do I Need Two-Factor Authenticatio[...]

  • Page 645

    Two-Factor Authentication 645 ProSecure Unified Threat Management (UTM) Appliance • Proven regulatory compliance. Two-factor authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide. What Is Two-Factor Authentication? Two-factor authentication is a security solution that enhances[...]

  • Page 646

    Two-Factor Authentication 646 ProSecure Unified Threat Management (UTM) Appliance Figure 385. 2. A one-time passcode (something the user has) is generated. Figure 386. Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration time. If a user [...]

  • Page 647

    Two-Factor Authentication 647 ProSecure Unified Threat Management (UTM) Appliance Figure 387.[...]

  • Page 648

    648 G G. System Logs and Error Messages This appendix provides examples and explanations of system logs and error message. When applicable, a recommended action is provided. This appendix contains the following sections: • System Log Messages • Service Logs • Content-Filtering and Security Logs • Routing Logs This app[...]

  • Page 649

    System Logs and Error Messages 649 ProSecure Unified Threat Management (UTM) Appliance System Log Messages • System Startup • Reboot • NTP • Login/Logout • Firewall Restart • IPSec Restart • WAN Status • Traffic Metering Logs • Unicast, Multicast, and Broadcast Logs • Invalid Packet Logging This section describes log messag[...]

  • Page 650

    System Logs and Error Messages 650 ProSecure Unified Threat Management (UTM) Appliance NTP This section describes log messages generated by the NTP daemon during synchronization with the NTP server. The fixed time and date before NTP synchronizes with any of the servers is Fri 1999 Dec 31 19:13:00. Login/Logout This section describes logs that [...]

  • Page 651

    System Logs and Error Messages 651 ProSecure Unified Threat Management (UTM) Appliance Firewall Restart This section describes logs that are generated when the firewall restarts. IPSec Restart This section describes logs that are generated when IPSec restarts. WAN Status This section describes the logs that are generated by the WAN comp[...]

  • Page 652

    System Logs and Error Messages 652 ProSecure Unified Threat Management (UTM) Appliance This section describes the logs that are generated when the WAN mode is set to auto-rollover. Load Balancing Mode When the WAN mode is configured for load balancing, both the WAN ports are active simultaneously and the traffic is balanced between them. I[...]

  • Page 653

    System Logs and Error Messages 653 ProSecure Unified Threat Management (UTM) Appliance This section describes the logs that are generated when the WAN mode is set to load balancing. PPP Logs This section describes the WAN PPP connection logs. The PPP type can be configured through the web management interface. For more information, see Manua[...]

  • Page 654

    System Logs and Error Messages 654 ProSecure Unified Threat Management (UTM) Appliance • PPTP Idle-Timeout logs Explanation Message 1: Establishment of the PPPoE connection starts. Message 2: A message from the PPPoE server indicating a correct login. Message 3: The authentication for PPP succeeds. Message 4: The local IP address that is a[...]

  • Page 655

    System Logs and Error Messages 655 ProSecure Unified Threat Management (UTM) Appliance • PPP Authentication logs Traffic Metering Logs This section describes logs that are generated when the traffic meter has reached a limit. Unicast, Multicast, and Broadcast Logs This section describes logs that are generated when the UTM processes unicast [...]

  • Page 656

    System Logs and Error Messages 656 ProSecure Unified Threat Management (UTM) Appliance ICMP Redirect Logs This section describes logs that are generated when the UTM processes ICMP redirect messages. Multicast/Broadcast Logs This section describes logs that are generated when the UTM processes multicast and broadcast packets. Invalid Packet [...]

  • Page 657

    System Logs and Error Messages 657 ProSecure Unified Threat Management (UTM) Appliance Message 2007 Oct 1 00:44:17 [UTM] [kernel] [INVALID][ICMP_TYPE][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=19 CODE=0 Explanation Invalid ICMP type. Recommended Action None. Message 2007 Oct 1 00:44:17 [UTM] [kernel] [INVALID][TCP_FLAG_COMBINAT[...]

  • Page 658

    System Logs and Error Messages 658 ProSecure Unified Threat Management (UTM) Appliance Service Logs This section describes log messages generated during firmware updates and other service-related events. Content-Filtering and Security Logs • Web Filtering and Content-Filtering Logs • Spam Logs • Traffic Logs • Malware Logs • Email Fi[...]

  • Page 659

    System Logs and Error Messages 659 ProSecure Unified Threat Management (UTM) Appliance • IPS Logs • Anomaly Behavior Logs • Application Logs This section describes the log messages that are generated by the content-filtering and security mechanisms. Web Filtering and Content-Filtering Logs This section describes logs that are generated w[...]

  • Page 660

    System Logs and Error Messages 660 ProSecure Unified Threat Management (UTM) Appliance Spam Logs This section describes logs that are generated when the UTM filters spam email messages. Message 2009-08-01 00:00:01 HTTP ldap_domain ldap_user 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/%b4%f3%d3%da2048.rar Ke[...]

  • Page 661

    System Logs and Error Messages 661 ProSecure Unified Threat Management (UTM) Appliance Traffic Logs This section describes logs that are generated when the UTM processes web and email traffic. Malware Logs This section describes logs that are generated when the UTM detects viruses. Email Filter Logs This section describes logs that are [...]

  • Page 662

    System Logs and Error Messages 662 ProSecure Unified Threat Management (UTM) Appliance IPS Logs This section describes logs that are generated when traffic matches IPS rules. Anomaly Behavior Logs This section describes logs that are generated when ports are scanned or when distributed DoS (DDoS) events occur. Table 184. Content-filtering an[...]

  • Page 663

    System Logs and Error Messages 663 ProSecure Unified Threat Management (UTM) Appliance Application Logs This section describes logs that are generated when the UTM filters application traffic. Routing Logs • LAN-to-WAN Logs • LAN-to-DMZ Logs • DMZ-to-WAN Logs • WAN-to-LAN Logs • DMZ-to-LAN Logs • WAN-to-DMZ Logs This section [...]

  • Page 664

    System Logs and Error Messages 664 ProSecure Unified Threat Management (UTM) Appliance LAN-to-DMZ Logs This section describes logs that are generated when the UTM processes LAN-to-DMZ traffic. DMZ-to-WAN Logs This section describes logs that are generated when the UTM processes DMZ-to-WAN traffic. WAN-to-LAN Logs This section describes [...]

  • Page 665

    System Logs and Error Messages 665 ProSecure Unified Threat Management (UTM) Appliance DMZ-to-LAN Logs This section describes logs that are generated when the UTM processes DMZ-to-LAN traffic. WAN-to-DMZ Logs This section describes logs that are generated when the UTM processes WAN-to-DMZ traffic. Table 191. Routing logs: DMZ to WAN Mess[...]

  • Page 666

    666 H H. Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the UTM in the following sections: • Default Settings • Physical and Technical Specifications Default Settings You can use the Factory Defaults reset button on the rear panel to rese[...]

  • Page 667

    Default Settings and Technical Specifications 667 ProSecure Unified Threat Management (UTM) Appliance WAN connections WAN MAC address Use default address WAN MTU size 1500 Port speed AutoSense Dynamic DNS Disabled Local network (LAN) LAN IP address 192.168.1.1 Subnet mask 255.255.255.0 DHCP server Enabled DHCP starting IP address 192.168.1.[...]

  • Page 668

    Default Settings and Technical Specifications 668 ProSecure Unified Threat Management (UTM) Appliance Firewall and network security Inbound LAN WAN rules (communications coming in from the Internet) All traffic is blocked, except for traffic in response to requests from the LAN. Outbound LAN WAN rules (communications from the LAN to the Interne[...]

  • Page 669

    Default Settings and Technical Specifications 669 ProSecure Unified Threat Management (UTM) Appliance Application security SMTP Enabled on port 25 Infected email is blocked POP3 Enabled on port 110 Infected attachment is deleted IMAP Enabled on port 143 Infected attachment is deleted Email content filtering Disabled Email whitelist and black[...]

  • Page 670

    Default Settings and Technical Specifications 670 ProSecure Unified Threat Management (UTM) Appliance Blocked keywords for Web traffic None Embedded Objects (ActiveX/Java/Flash) Allowed Javascript Allowed Proxy Allowed Cookies Allowed URL whitelist and blacklist None Blocked applications None VPN IPsec Wizard: IKE policy settings for gateway[...]

  • Page 671

    Default Settings and Technical Specifications 671 ProSecure Unified Threat Management (UTM) Appliance Authentication algorithm SHA-1 Authentication method Pre-shared Key Key group DH-Group 2 (1024 bit) Life time 8 hours VPN IPsec Wizard: VPN policy settings for client-to-gateway tunnels Encryption algorithm 3DES Authentication algorithm SH[...]

  • Page 672

    Default Settings and Technical Specifications 672 ProSecure Unified Threat Management (UTM) Appliance Wireless radio and access point settings (UTM9S and UTM25S only) Wireless radio Enabled Region Nonconfigurable: set for the region in which you purchased the UTM. Country The selection is limited to the countries in the region in which you purc[...]

  • Page 673

    Default Settings and Technical Specifications 673 ProSecure Unified Threat Management (UTM) Appliance Physical and Technical Specifications The following table shows the physical and technical specifications for the UTM: Table 194. UTM physical and technical specifications Feature Specification Network protocol and standards compatibi[...]

  • Page 674

    Default Settings and Technical Specifications 674 ProSecure Unified Threat Management (UTM) Appliance The following table shows the IPSec VPN specifications for the UTM: Major regulatory compliance Meets requirements of FCC Class A CE WEEE RoHS Interface specifications LAN UTM5, UTM9S, UTM25S, UTM10, UTM25, and UTM150 4 LAN autosensing 1[...]

  • Page 675

    Default Settings and Technical Specifications 675 ProSecure Unified Threat Management (UTM) Appliance The following table shows the SSL VPN specifications for the UTM: The following table shows the wireless specifications for the wireless network module for the UTM9S and UTM25S: Table 196. UTM SSL VPN specifications Setting Specificati[...]

  • Page 676

    Default Settings and Technical Specifications 676 ProSecure Unified Threat Management (UTM) Appliance Note: For default email and web scan settings, see Table 41 on page 193. 802.11a/na wireless specifications 802.11a data rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps, and autorate capable 802.11na data rates (includes Greenfield) Channels with d[...]

  • Page 677

    677 I I. Notification of Compliance (Wired) NETGEAR Wired Products Regulatory Compliance Information This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may res[...]

  • Page 678

    Notification of Compliance (Wired) 678 ProSecure Unified Threat Management (UTM) Appliance FCC Radio Frequency Interference Warnings & Instructions This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection[...]

  • Page 679

    Notification of Compliance (Wired) 679 ProSecure Unified Threat Management (UTM) Appliance Additional Copyrights AES Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following condi[...]

  • Page 680

    Notification of Compliance (Wired) 680 ProSecure Unified Threat Management (UTM) Appliance MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or refere[...]

  • Page 681

    681 J J. Notification of Compliance (Wireless) NETGEAR Dual Band - Wireless Regulatory Compliance Information This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requir[...]

  • Page 682

    ProSecure Unified Threat Management (UTM) Appliance Notification of Compliance (Wireless) 682 Español [Spanish] Por medio de la presente NETGEAR Inc. declara que el Radiolan cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. Ελληνική [Greek] ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ[...]

  • Page 683

    ProSecure Unified Threat Management (UTM) Appliance Notification of Compliance (Wireless) 683 This device is a 2.4 GHz wideband transmission system (transceiver), intended for use in all EU member states and EFTA countries, except in France and Italy where restrictive use applies. In Italy the end-user should apply for a license at the nationa[...]

  • Page 684

    ProSecure Unified Threat Management (UTM) Appliance Notification of Compliance (Wireless) 684 • For product available in the USA market, only channel 1~11 can be operated. Selection of other channels is not possible. • This device and its antenna(s) must not be co-located or operation in conjunction with any other antenna or transmitter.[...]

  • Page 685

    ProSecure Unified Threat Management (UTM) Appliance Notification of Compliance (Wireless) 685 Interference Reduction Table The following table shows the recommended minimum distance between NETGEAR equipment and household appliances to reduce interference (in feet and meters). Household Appliance Recommended Minimum Distance (in feet and mete[...]

  • Page 686

    686 Index Numerics 10BASE-T, 100BASE-T, and 1000BASE-T speeds 96 2.4- and 5-GHz operating frequency, radio 581 20- and 40-MHz channel spacing, radio 582 3322.org DSL settings 572–574 USB settings 618–620 WAN settings 91–93 3G service, enabling 606 3G/4G dongles, supported 603 64-, 128-, and 256-bit WEP 592 802.11a/b/bg/ng/n modes[...]

  • Page 687

    687 ProSecure Unified Threat Management (UTM) Appliance Apple iPhone and iPad IPSec VPN connections 336 Mac SSL VPN connection 377 Application Level Gateway (ALG) 161 applications custom categories 259–260 default security settings 669 reports 527 setting access exceptions 255 ARP (Address Resolution Protocol) broadcasting, configuring 109[...]

  • Page 688

    688 ProSecure Unified Threat Management (UTM) Appliance C CA (certification authority) 232, 300 cache control, SSL VPN 341, 361 card, service registration 23 Carrier Sense Multiple Access (CSMA), radio 599 categories, web content 61 Category 5 cable 624 Certificate Revocation List (CRL) 421, 426 certificate signing request (CSR) 423 cer[...]

  • Page 689

    689 ProSecure Unified Threat Management (UTM) Appliance troubleshooting settings 546 daylight savings time settings 55, 457 troubleshooting settings 546 DC (domain controller) agent, configuring 409–414 DDNS (dynamic DNS), configuring DSL settings 572 USB settings 618 WAN settings 91 DDoS (distributed denial-of-service) 188 Dead Peer De[...]

  • Page 690

    690 ProSecure Unified Threat Management (UTM) Appliance downloading DC agent software 410 firmware file 451 SSL certificate 382 DPD (Dead Peer Detection) 298, 329 DSCP (Differentiated Services Code Point) 18, 171, 600 DSL LEDs 33 DSL network modules described 29 status, viewing 495 DSL settings advanced settings 576 autodetecting 555 auto-rol[...]

  • Page 691

    691 ProSecure Unified Threat Management (UTM) Appliance WAN settings 82–85 file extensions blocking 202, 218, 222 setting access exceptions 256 file names, blocking 202 filtering reports 522 firewall attack checks 157 bandwidth profiles 171–174 connecting to the Internet 624 custom services 163 default settings 668 inbound rules. See i[...]

  • Page 692

    692 ProSecure Unified Threat Management (UTM) Appliance scanning process 228 trusted hosts 235 HTTPS Smart Block configuring 212–215 logs 469, 508–510 settings access exceptions 256 humidity, operating and storage 673 I ICMP (Internet Control Message Protocol) time-out 161 type 164 idle time-out DSL connection 558 WAN connection 53, 7[...]

  • Page 693

    693 ProSecure Unified Threat Management (UTM) Appliance port forwarding, SSL VPN 363 PPTP server 332 reserved 116 secondary addresses DSL settings 570 LAN settings 109 WAN settings 89 static or permanent addresses DSL settings 559 requirements 74, 555 USB settings 606 WAN settings 54, 78 subnet mask default 49, 105 DMZ port 118 WAN aliases [...]

  • Page 694

    694 ProSecure Unified Threat Management (UTM) Appliance ProSafe VPN Client software 17 licensing, electronic 67 lifetime, quarantine 461 Lightweight Directory Access Protocol, See LDAP. limit, traffic meter (or counter) 464 limits, sessions 160 listening port, DC agent 412 LLC (Logical Link Control) encapsulation 552 load balancing mode DSL int[...]

  • Page 695

    695 ProSecure Unified Threat Management (UTM) Appliance record 296 models, UTM 22 modes, wireless 582, 675 monitoring default settings 667 MPPE (Microsoft Point-to-Point Encryption) 333 MTU (maximum transmission unit), default 95, 576 multicast pass-through 158 multihome LAN IP addresses, configuring 109–110 multiple WAN ports, auto-ro[...]

  • Page 696

    696 ProSecure Unified Threat Management (UTM) Appliance restoring 545 pattern file 454 pay plan, 3G/4G service 610 PDP (packet data protocol) type, 3G/4G service 610 peer-to-peer (P2) applications blocked applications, recent 5 and top 5 481 logs 469, 508–510 traffic statistics 479 Perfect Forward Secrecy (PFS) 307, 315 performance manage[...]

  • Page 697

    697 ProSecure Unified Threat Management (UTM) Appliance PPTP (Point-to-Point Tunneling Protocol) requirements 74 server settings 331 user accounts 401–403 WAN settings 52, 76 preamble type, radio 599 pre-shared key client-to-gateway VPN tunnel 274 gateway-to-gateway VPN tunnel 269 IKE policy settings 298 WPA, WPA2, and mixed mode 591 pr[...]

  • Page 698

    698 ProSecure Unified Threat Management (UTM) Appliance wired products 677–680 relay gateway 50, 106, 119 Remote Authentication Dial In User Service. See RADIUS. remote management access 438 troubleshooting 440 remote troubleshooting, enabling 546 remote users, assigning addresses (ModeConfig) 312 reports administrator emailing options 5[...]

  • Page 699

    699 ProSecure Unified Threat Management (UTM) Appliance service provider, 3G/4G 608 service registration card 23 session expiration length 416 Session Initiation Protocol (SIP) 161 session limits configuring 160 logging dropped packets 477 Setup Wizard, initial configuration 47 severities, syslog 470 SHA-1 IKE policies 297 ModeConfig 315 sel[...]

  • Page 700

    700 ProSecure Unified Threat Management (UTM) Appliance options 337 settings, configuring manually 359 settings, using SSL VPN Wizard 339 specifications 675 status 356 tunnel described 337 user account 401–403 user portal 354 user settings, using SSL VPN Wizard 347 SSL VPN Wizard 21, 338 SSO (single sign-on) 384, 412 stateful packet inspe[...]

  • Page 701

    701 ProSecure Unified Threat Management (UTM) Appliance transfer mode, DSL settings 552 Transmission Control Protocol (TCP) 184 transmit power, radio 583 Transport Layer Security (TLS) 345, 392 traps, SNMP 442 trial period, service licenses 65 troubleshooting basic functioning 539 browsers 540 configuration settings, using sniffer 540 date [...]

  • Page 702

    702 ProSecure Unified Threat Management (UTM) Appliance Virtual Private Network Consortium (VPNC) 21, 266 virtual private network. See VPN tunnels. virus database 454 logs. See malware, logs. protection emails 196 FTP web traffic 238 HTTP and HTTPS web traffic 216 signature files 454 VLANs advantages 99 default 48, 103 described 99 DHCP addr[...]

  • Page 703

    703 ProSecure Unified Threat Management (UTM) Appliance connection speed 97 connection type, viewing 496 failure detection method 82–85 load balancing mode configuring 85–87 DDNS 91 described 80 VPN IPSec 264 NAT, configuring 81 primary WAN mode, described 80 secondary IP addresses 89 SNMP management 442 WAN aliases 89 WAN inte[...]

  • Page 704

    704 ProSecure Unified Threat Management (UTM) Appliance wireless specifications 675 Wizards Setup Wizard 47 IPSec VPN. See IPSec VPN Wizard. SSL VPN. See SSL VPN Wizard. WMM (Wi-Fi Multimedia) power saving, radio 599 priority 600 WPA (Wi-Fi protected access), WPA2, and mixed mode configuring 590–592 types of encryption 584 X XAUTH configur[...]