ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual
350 East Plumeria Drive, San Jose, CA 95134 USA
July 29, 2011
202-10536-02

© 2010–2011 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.

Technical Support
Thank you for choosing NETGEAR.
Contents

Chapter 1 Introduction
  What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? 9
  Key Features and Capabilities 10
    Quad-WAN Ports for Increased Reliability and Outbound Load Balancing 10
    Advanced VPN Support for Both IPSec and SSL 11
    A Powerful, True Firewall with Content Filtering
  Configure Advanced WAN Options 51
  Additional WAN-Related Configuration Tasks 54
  What to Do Next 54
Chapter 3 LAN Configuration
  Manage Virtual LANs and DHCP Options 55
    Port-Based VLANs
  Set Up IP/MAC Bindings 128
  Configure Port Triggering 130
  Configure Universal Plug and Play 132
Chapter 5 Virtual Private Networking Using IPSec Connections
  Considerations for Multi-WAN Port Systems
    Edit Network Resources to Specify Addresses 209
  Configure User, Group, and Global Policies 210
    View Policies 211
    Add a Policy 212
  Access the SSL Portal Login Screen
  View the WAN Port Connection Status 285
  View the Attached Devices and DHCP Log 287
  Use the Diagnostics Utilities 289
    Send a Ping Packet or Trace a Route 289
    Look Up a DNS Address
    Firewall Restart 325
    IPSec Restart 325
    Unicast, Multicast, and Broadcast Logs 325
    WAN Status 326
    Resolved DNS Names
1. Introduction

This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308.

Key Features and Capabilities
The VPN firewall provides the following key features and capabilities:
• Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover protection of your Internet connection, providing increased data rate and increased system reliability.

Advanced VPN Support for Both IPSec and SSL
The VPN firewall supports IPSec and SSL VPN connections.
• IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
- IPSec VPN with broad protocol support for secure connection to other IPSec gateways and clients.

Security Features
The VPN firewall is equipped with several features designed to maintain security:
• PCs hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
• Port forwarding with NAT.
• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN firewall provides its own address as a DNS server to the attached PCs. The VPN firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.

Package Contents
The VPN firewall product package contains the following items:
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 appliance
• One AC power cable
• Rubber feet (4)
• One Category 5 (Cat5) Ethernet cable
• One rack-mounting kit
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide
• Resource CD, including:
- Application Notes and other helpful information
- ProSafe VPN Client software (VPN01L)
If any of the

Figure 1. LED labels: DMZ LED, Left WAN LEDs, Left LAN LEDs, Power LED, Internet LEDs, Right WAN LEDs, Right LAN LEDs, Test LED.

Table 1. LED descriptions
LED, Activity: Description
Power, On (green): Power is supplied to the VPN firewall.
Power, Off: Power is not supplied to the VPN firewall.
Test, On (amber) during startup: Test mode: the VPN firewall is initializing. After approximately 2 minutes, when the VPN firewall has completed its initialization, the Test LED goes off.

Table 1. LED descriptions (continued)
On (green): The WAN port has a valid connection with a device that provides an Internet connection.
Blinking (green): Data is being transmitted or received by the WAN port.
Off: The WAN port has no physical link, that is, no Ethernet cable is plugged into the VPN firewall.
On (green): The WAN port is operating at 1000 Mbps.
On (amber): The WAN port is operating at 100 Mbps.

Bottom Panel with Product Label
The product label on the bottom of the VPN firewall’s enclosure displays factory default settings, regulatory compliance, and other information.
Figure 3.

Choose a Location for the VPN Firewall
The VPN firewall is suitable for use in an office environment where it can be free-standing (on its rubber feet) or mounted into a standard 19-inch equipment rack.

Using the Rack-Mounting Kit
Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the mounting brackets using the hardware that is supplied with the mounting kit.
Figure 4.
Before mounting the VPN firewall in a rack, verify that:
• You have the correct screws (supplied with the installation kit).
• The rack onto which you will mount the VPN firewall is suitably located.
2.
4. Configure the WAN mode. Select either NAT or classical routing. Select load balancing mode, auto-rollover mode, or primary (single) WAN mode. For load balancing, you can also select any necessary protocol bindings. See Configure the WAN Mode on page 32.
5. Configure secondary WAN addresses on the WAN ports (optional). Configure aliases for each WAN port. See Configure Secondary WAN Addresses on page 41.
6.

Note: The VPN firewall factory default IP address is 192.168.1.1. If you change the IP address, you need to use the IP address that you assigned to the VPN firewall to log in to the VPN firewall.
Figure 5.
Note: The first time that you remotely connect to the VPN firewall with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL certificate.
3.

Figure 6.
Note: After 10 minutes of inactivity (the default login time-out), you are automatically logged out.

Web Management Interface Menu Layout
The following figure shows the menu at the top of the web management interface.
Figure 7. Menu layout legend: 1st Level: Main Navigation menu link (orange); 2nd Level: Configuration menu link (gray); 3rd Level: Submenu tab (blue); Option arrow: Additional screen for submenu item.
The web management interface menu consists of the following components:
• 1st Level: main navigation menu links.

• Auto Detect. Enable the VPN firewall to detect the configuration automatically and suggest values for the configuration.
• Next. Go to the next screen (for wizards).
• Back. Go to the previous screen (for wizards).
• Search. Perform a search operation.
• Cancel. Cancel the operation.
• Send Now. Send a file or report.
When a screen includes a table, table buttons are displayed to let you configure the table entries.

Automatically Detecting and Connecting
To automatically configure the WAN ports for connection to the Internet:
1. Select Network Configuration > WAN Settings. The WAN screen displays:
Figure 10.
The WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IP address of the WAN interface.
• Failure Detection Method.

Figure 11.
3. Click the Auto Detect button at the bottom of the screen. The auto detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The auto detect process returns one of the following results:
• If the auto-detect process is successful, a status bar at the top of the screen displays the results (for example, DHCP service detected).

Table 2. Internet connection methods
Connection method: Manual data input required
DHCP (Dynamic IP): No data is required.
PPPoE: Login, Password, Account Name, Domain Name.
PPTP: Login, Password, Account Name, My IP Address, and Server IP Address.
Fixed (Static) IP: IP Address, Subnet Mask, and Gateway IP Address; and related data supplied by your ISP.

Note: For more information about the WAN Connection Status screen, see View the WAN Port Connection Status on page 285.
5. Repeat step 2, step 3, and step 4 for the other WAN interfaces that you want to configure.
If your WAN ISP configuration was successful, you can skip ahead to Configure the WAN Mode on page 32.

In the ISP Login section, select one of the following options:
• If your ISP requires an initial login to establish an Internet connection, select Yes. (The default is No.)
• If a login is not required, select No and ignore the Login and Password fields.
4. If you selected Yes, enter the login name in the Login field and the password in the Password field. This information is provided by your ISP.
5.

Table 3. PPTP and PPPoE settings (continued)
Austria (PPTP) (continued)
Server IP Address: The IP address of the PPTP server.
Other (PPPoE): If you have installed login software, then your connection type is PPPoE. Select this radio button and enter the following settings:
Account Name: The valid account name for the PPPoE connection.
Domain Name: The name of your ISP’s domain or your domain name if your ISP has assigned one.

Table 4. Internet IP address settings
Get Dynamically from ISP: If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the VPN firewall using the DHCP network protocol.
Client Identifier: Select the Client Identifier check box if your ISP requires the Client Identifier information to assign an IP address using DHCP.
Use Static IP Address

9. Click Test to evaluate your entries. The VPN firewall attempts to make a connection according to the settings that you entered.
10. Click Apply to save any changes to the WAN ISP settings. (Or click Reset to discard any changes and revert to the previous settings.)
If you want to manually configure an additional WAN interface, select another WAN interface and repeat these steps. You can configure up to four WAN interfaces.
Configure Network Address Translation
Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.
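The following model, added here as an illustration and not code from NETGEAR or the manual, shows the NAT behaviour the Security Features section and this section describe: an outbound LAN request opens a temporary mapping on the single public address, a reply to that mapping is translated back to the LAN host, an unsolicited inbound packet is discarded, and a port-forwarding rule is the only configured exception. The public addresses, ports and the single forwarding rule are constructed for the example; the LAN subnet is the factory default 192.168.1.0/24 from this manual.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration, not NETGEAR code. Addresses and ports are constructed.


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """One public address shared by a private LAN, as the manual's NAT description states."""

    def __init__(self, public_ip: str, lan_net: str, port_forwards=None):
        self.public_ip = public_ip
        self.lan_net = ipaddress.ip_network(lan_net)
        # Static port forwarding: (proto, public_port) -> (lan_ip, lan_port)
        self.port_forwards = dict(port_forwards or {})
        self._next_port = 40000
        # Temporary mappings opened by LAN requests:
        # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._table = {}
        # Reverse index so repeated packets of one flow reuse the same public port
        self._flows = {}
        self.dropped = []  # unsolicited inbound packets, kept for the example's accounting

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN-originated packet and open (or reuse) its mapping."""
        if ipaddress.ip_address(pkt.src_ip) not in self.lan_net:
            raise ValueError("outbound packet must originate on the LAN")
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._flows.get(flow)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self._flows[flow] = public_port
            self._table[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver replies to open mappings or configured forwards; discard everything else."""
        target = self._table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            target = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if target is None:
            self.dropped.append(pkt)
            return None
        lan_ip, lan_port = target
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo():
    """Constructed traffic: one LAN request, its reply, one unsolicited probe, one forwarded request."""
    gw = NatGateway("203.0.113.5", "192.168.1.0/24", {("tcp", 80): ("192.168.1.20", 80)})
    out = gw.outbound(Packet("tcp", "192.168.1.10", 51234, "198.51.100.7", 443))
    reply = gw.inbound(Packet("tcp", "198.51.100.7", 443, "203.0.113.5", out.src_port))
    probe = gw.inbound(Packet("tcp", "198.51.100.9", 40123, "203.0.113.5", 3389))
    web = gw.inbound(Packet("tcp", "198.51.100.9", 40124, "203.0.113.5", 80))
    return out, reply, probe, web, len(gw.dropped)


if __name__ == "__main__":
    print(demo())
```

The probe to port 3389 matches neither an open mapping nor a forward, so it is dropped, which is the "requests originating from outside the LAN are discarded" rule; the forward to port 80 is exactly the exposure that a port-forwarding entry creates, so each such entry deserves the same scrutiny as a firewall rule.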
Configure the Auto-Rollover Mode and Failure Detection Method
To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this mode and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.

2. In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Primary WAN Mode radio button.
b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface. The other WAN interfaces become disabled.
c. Select the Auto Rollover check box.
d. From the corresponding drop-down list on the right, select a WAN interface to function as the backup WAN interface.

Table 6. Failure detection method settings
Failure Detection Method: Select a failure detection method from the drop-down list:
• WAN DNS. DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure the Internet Connection on page 28).
• Custom DNS. DNS queries are sent to a DNS server that you need to specify in the DNS Server fields.
• Ping.

routes all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All outbound FTP traffic is routed through the WAN2 port. Protocol binding addresses two issues:
• Segregation of traffic between links that are not of the same speed. High-volume traffic can be routed through the WAN port connected to a high-speed link, and low-volume traffic can be routed through the WAN port connected to the low-speed link.

then a new FTP session could start on the WAN2 interface, and then any new connection to the Internet could be made on the WAN3 interface. This load-balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions.
3. Click Apply to save your settings.

Configure Protocol Binding (Optional)
To configure protocol binding and add protocol binding rules:
1. Select Network Configuration > Protocol Binding.
2.
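To make the interaction between protocol binding and round-robin load balancing concrete, here is an added example (not NETGEAR code and not the appliance's own algorithm) that assigns each new outbound session to a WAN interface. It applies the protocol binding rules first (HTTPS bound to WAN1 and FTP bound to WAN2, as in the text) and hands every other new session to the next interface whose Status is UP, in rotation. Identifying a service by its destination port, the Any/CIDR form of the Source and Destination Network fields, and falling back to round-robin when a bound interface is DOWN are assumptions of this example; the session list is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added illustration, not NETGEAR code. Session data is constructed.


@dataclass(frozen=True)
class Binding:
    service: str              # name as shown in the Service drop-down
    dst_port: int             # assumption: the service is identified by destination port
    wan: str                  # WAN interface the service is bound to
    source: str = "Any"       # "Any" or a CIDR for the Source Network setting
    destination: str = "Any"  # "Any" or a CIDR for the Destination Network setting

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if dst_port != self.dst_port:
            return False
        for spec, ip in ((self.source, src_ip), (self.destination, dst_ip)):
            if spec != "Any" and ipaddress.ip_address(ip) not in ipaddress.ip_network(spec):
                return False
        return True


class OutboundSelector:
    """Picks the WAN interface for a new session: bindings first, then round-robin."""

    def __init__(self, wan_status: dict, bindings: list):
        self.wan_status = dict(wan_status)  # e.g. {"WAN1": "UP", "WAN4": "DOWN"} (Status column)
        self.bindings = list(bindings)
        self._rr = 0  # rotation counter for unbound sessions

    def _up_interfaces(self):
        return [w for w in sorted(self.wan_status) if self.wan_status[w] == "UP"]

    def select(self, src_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
        # A matching binding wins as long as its interface is up
        for rule in self.bindings:
            if rule.matches(src_ip, dst_ip, dst_port) and self.wan_status.get(rule.wan) == "UP":
                return rule.wan
        # Assumption: anything else (including a binding whose WAN is down) is round-robined
        up = self._up_interfaces()
        if not up:
            return None
        choice = up[self._rr % len(up)]
        self._rr += 1
        return choice


def demo():
    """Constructed status and sessions: WAN4 is down, HTTPS->WAN1, FTP->WAN2, rest rotate."""
    status = {"WAN1": "UP", "WAN2": "UP", "WAN3": "UP", "WAN4": "DOWN"}
    rules = [Binding("HTTPS", 443, "WAN1"), Binding("FTP", 21, "WAN2")]
    selector = OutboundSelector(status, rules)
    sessions = [
        ("192.168.1.10", "198.51.100.7", 443),
        ("192.168.1.11", "198.51.100.8", 21),
        ("192.168.1.12", "198.51.100.9", 53),
        ("192.168.1.12", "198.51.100.9", 53),
        ("192.168.1.13", "198.51.100.9", 53),
        ("192.168.1.14", "198.51.100.9", 80),
    ]
    return [selector.select(*s) for s in sessions]


if __name__ == "__main__":
    print(demo())
```

The rotation skips WAN4 because its status is DOWN, which is where the failure detection method from Table 6 feeds in: whatever the probe reports decides which interfaces are eligible.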
Figure 21.
4. Configure the protocol binding settings as explained in the following table:
Table 7. Add Protocol Binding screen settings
Service: From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Services-Based Rules on page 83).

Table 7. Add Protocol Binding screen settings (continued)
Destination Network: The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the drop-down list:
• Any. All Internet IP addresses.
• Single address. In the Start IP field, enter the IP address to which the rule is applied.

Configure Secondary WAN Addresses
You can set up a single WAN Ethernet port to be accessed through multiple IP addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a web server and an FTP server, even though both servers use the same physical IP address. You can add several secondary IP addresses to a single WAN port.

3. Click the Secondary Addresses option arrow in the upper right of the screen. The WAN Secondary Addresses screen displays for the WAN interface that you selected. (The following figure shows the WAN1 Secondary Addresses screen as an example and includes one entry in the List of Secondary WAN addresses table.)
Figure 22.
The List of Secondary WAN addresses table displays the secondary WAN IP addresses added for the selected WAN interface.
4.

If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).

Figure 23.
3. Click the Information option arrow in the upper right of a DNS screen for registration information.

Figure 24.
4. Access the website of the DDNS service provider and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
5. Configure the DDNS service settings as explained in the following table:
Table 8. DDNS service settings
WAN1 (Dynamic DNS Status: ...)
Change DNS to: Select the Yes radio button to enable the DDNS service.

Configure WAN QoS Profiles
The VPN firewall can support multiple quality of service (QoS) profiles for each WAN interface. You can assign profiles to services such as HTTP, FTP, and DNS and to LAN groups or IP addresses. Profiles enforce either rate control with bandwidth allocation or priority queue control.

Figure 25.
2. To enable QoS, select the Yes radio button. By default, the No radio button is selected.
3. Specify the profile type that should be active by selecting one of the following radio buttons:
• Rate control. All rate control QoS profiles that you configure are active, but priority QoS profiles are not.
• Priority. All priority QoS profiles that you configure are active, but rate control QoS profiles are not.
4.

Figure 26.
3. Enter the settings as explained in the following table:
Table 9. Add QoS screen settings for a rate control profile
QoS Type: Rate Control (for Priority, see Figure 27 on page 50 and Table 10 on page 50).
Interface: From the drop-down list, select one of the WAN interfaces.
Service: From the drop-down list, select a service or application to be covered by this profile.

Table 9. Add QoS screen settings for a rate control profile (continued)
Congestion Priority: From the drop-down list, select the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall:
• Default. Traffic is mapped based on the ToS field in the packet’s IP header.
• High.

To add a priority QoS profile:
1. Select Network Configuration > QoS. The QoS screen displays.
2. Under the List of QoS Profiles table, click the Add table button. The Add QoS screen displays. The following figure shows settings for a priority QoS profile:
Figure 27.
3. Enter the settings as explained in the following table:
Table 10.

Table 10. Add QoS screen settings for a priority profile (continued)
Priority: From the drop-down list, select the priority queue that determines the allocation of bandwidth:
• Low. All services that are assigned a low priority queue share 10 percent of interface bandwidth.
• High. All services that are assigned a high priority queue share 60 percent of interface bandwidth.

Note: You can also configure the failure detection method for the auto-rollover mode on the Advanced screen. This procedure is discussed in Configure the Failure Detection Method on page 35.
To configure advanced WAN options:
1. Select Network Configuration > WAN Settings.
2. Click the Edit table button in the Action column of the WAN interface for which you want to configure the advanced options.

4. Enter the settings as explained in the following table:
Table 11. WAN Advanced Options screen settings
MTU Size: Make one of the following selections:
Default: Select the Default radio button for the normal maximum transmission unit (MTU) value. For most Ethernet networks this value is 1500 bytes, or 1492 bytes for PPPoE connections.
Custom: Select the Custom radio button and enter an MTU value in the Bytes field.

Table 11. WAN Advanced Options screen settings (continued)
Upload/Download Settings: These settings rate-limit the traffic that is being forwarded by the VPN firewall.
WAN Connection Type: From the drop-down list, select the type of connection that the VPN firewall uses to connect to the Internet: DSL, ADSL, Cable Modem, T1, T3, or Other.
3. LAN Configuration

This chapter describes how to configure the advanced LAN features of your VPN firewall. This chapter contains the following sections:
• Manage Virtual LANs and DHCP Options
• Configure Multi-Home LAN IP Addresses on the Default VLAN
• Manage Groups and Hosts (LAN Groups)
• Configure and Enable the DMZ Port
• Manage Routing

Manage Virtual LANs and DHCP Options
A local area network (LAN) can generally be defined as a broadcast domain.
• They are easy to manage. The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from a management interface rather than from the wiring closet.
• They provide increased performance. VLANs free up bandwidth by limiting node-to-node and broadcast traffic throughout the network.
• They ensure enhanced network security. VLANs create virtual boundaries that can be crossed only through a router.

LAN port are forwarded to the default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are untagged.

Assign and Manage VLAN Profiles
To assign VLAN profiles to the LAN ports and manage VLAN profiles:
1. Select Network Configuration > LAN Settings. The LAN submenu tabs display, with the LAN Setup screen in view. (The following figure shows the default VLAN profile and another VLAN profile as examples.)
Figure 29.

Note: For information about how to add and edit a VLAN profile, including its DHCP options, see Configure a VLAN Profile on page 59.

VLAN DHCP Options
For each VLAN, you need to specify the Dynamic Host Configuration Protocol (DHCP) options.

DNS Proxy
When the DNS Proxy option is enabled for a VLAN, the VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers (as configured on the WAN ISP Settings screens). All DHCP clients receive the primary and secondary DNS IP addresses along with the IP address where the DNS proxy is located (that is, the VPN firewall’s LAN IP address).

2. Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table. The Edit VLAN Profile screen displays:
Figure 31.

3. Enter the settings as explained in the following table:
Table 12. Edit VLAN Profile screen settings
VLAN Profile
Profile Name: Enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN.
VLAN ID: Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. Note: You can enter VLAN IDs from 2 to 4093.

Table 12. Edit VLAN Profile screen settings (continued)
Enable DHCP Server: Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings.
Domain Name: This is optional. Enter the domain name of the VPN firewall.
Start IP: Enter the starting IP address.

Table 12. Edit VLAN Profile screen settings (continued)
Enable LDAP information: Select the Enable LDAP information check box to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the following settings. Note: The LDAP settings that you specify as part of the VLAN profile are used only for SSL VPN and VPN firewall authentication, but not for web and email security.

Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change these default traffic rules, see Chapter 4, Firewall Protection.
Note: For information about the DHCP log, see View the DHCP Log on page 288.
To edit a VLAN profile:
1.

To configure a VLAN to have a unique MAC address:
1. Select Network Configuration > LAN Settings. The LAN submenu tabs display, with the LAN Setup screen in view (see Figure 30 on page 59).
2. Select the Advanced option arrow in the upper right of the LAN Setup screen. The LAN Advanced screen displays:
Figure 32.
3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.)
4.

It is important that you ensure that any secondary LAN addresses are different from the primary LAN, WAN, and DMZ IP addresses and subnet addresses that are already configured on the VPN firewall. The following is an example of correctly configured IP addresses:
WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0
WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0
DMZ IP address: 192.168.10.1 with subnet 255.255.255.0
Primary LAN IP address: 192.168.1.
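A quick way to apply the rule above before adding a secondary LAN address is to check the candidate against every address and subnet already configured. The function below is an added example, not NETGEAR code; it takes the strict reading that any overlap between the candidate's subnet and a configured subnet is a conflict, and it uses the manual's example addresses for WAN1, WAN2 and the DMZ. The primary LAN entry 192.168.1.1/255.255.255.0 is an assumption based on the factory default LAN address stated earlier in this manual.

```python
import ipaddress

# Added illustration, not NETGEAR code.


def iface(ip: str, mask: str) -> ipaddress.IPv4Interface:
    """Build an interface object from a dotted address and dotted netmask."""
    return ipaddress.ip_interface(f"{ip}/{mask}")


# The manual's example of correctly configured addresses; the primary LAN entry
# is assumed from the factory default 192.168.1.1 with a /24 mask.
CONFIGURED = {
    "WAN1": iface("10.0.0.1", "255.0.0.0"),
    "WAN2": iface("20.0.0.1", "255.0.0.0"),
    "DMZ": iface("192.168.10.1", "255.255.255.0"),
    "Primary LAN": iface("192.168.1.1", "255.255.255.0"),
}


def secondary_lan_conflicts(ip: str, mask: str, configured=CONFIGURED) -> list:
    """Return the reasons a proposed secondary LAN address must not be added (empty list = OK)."""
    candidate = iface(ip, mask)
    problems = []
    net = candidate.network
    # A host address must not be the subnet's network or broadcast address
    if candidate.ip in (net.network_address, net.broadcast_address):
        problems.append("address is the network or broadcast address of its own subnet")
    for name, existing in configured.items():
        if candidate.ip == existing.ip:
            problems.append(f"same IP address as {name}")
        elif net.overlaps(existing.network):
            problems.append(f"subnet {net} overlaps {name} subnet {existing.network}")
    return problems


if __name__ == "__main__":
    for ip, mask in [("172.16.0.1", "255.255.0.0"), ("10.1.2.3", "255.255.255.0")]:
        print(ip, mask, secondary_lan_conflicts(ip, mask) or "OK")
```

An address such as 10.1.2.3/24 is rejected even though it is not numerically equal to the WAN1 address, because its subnet sits inside WAN1's 10.0.0.0/8; routing between the two would be ambiguous.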
To edit a secondary LAN IP address:
1. On the LAN Multi-homing screen (see the previous screen), click the Edit button in the Action column for the secondary IP address that you want to modify. The Edit Secondary LAN IP address screen displays.
2. Modify the IP address or subnet mask, or both.
3. Click Apply to save your settings.
To delete one or more secondary LAN IP addresses:
1.

• There is no need to reserve an IP address for a PC in the DHCP server. All IP address assignments made by the DHCP server are maintained until the PC or device is removed from the network database, either by expiration (inactive for a long time) or by you.
• There is no need to use a fixed IP address on a PC.

The Known PCs and Devices table lists the entries in the network database. For each PC or device, the following fields are displayed:
• Check box. Allows you to select the PC or device in the table.
• Name. The name of the PC or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name).

Table 13. Known PCs and devices settings (continued)
MAC Address: Enter the MAC address of the PC or device’s network interface. The MAC address format is six colon-separated pairs of hexadecimal characters (0–9 and A–F), such as 01:23:45:67:89:AB.
Group: From the drop-down list, select the group to which the PC or device is assigned. (Group 1 is the default group.

Deleting PCs or Devices from the Network Database
To delete one or more PCs or devices from the network database:
1. On the LAN Groups screen (see Figure 34 on page 68), select the check box to the left of the PC or device that you want to delete, or click the Select All table button to select all PCs and devices.
2. Click the Delete table button.

Change Group Names in the Network Database
By default, the groups are named Group1 through Group8.

Set Up Address Reservation
When you specify a reserved IP address for a PC or device on the LAN (based on the MAC address of the device), that PC or device always receives the same IP address each time it accesses the VPN firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP address settings. The reserved IP address that you select needs to be outside of the DHCP server pool.
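The two constraints stated for the network database and for address reservation, the MAC address format from Table 13 and the requirement that a reserved address lie outside the DHCP pool, can be checked before an entry is added. The validator below is an added example, not NETGEAR code. It also rejects duplicate MACs and duplicate addresses among existing reservations, and it assumes that a reserved address must belong to the VLAN's own subnet; the pool boundaries and the existing reservation are constructed, and the subnet is the factory default 192.168.1.0/24.

```python
import ipaddress
import re

# Added illustration, not NETGEAR code. Pool, subnet and reservations are constructed.

# Six colon-separated pairs of hexadecimal characters, as Table 13 describes
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def validate_reservation(mac: str, ip: str, subnet: str, pool_start: str, pool_end: str,
                         existing: dict) -> list:
    """Return the problems with a proposed reservation; an empty list means it is acceptable.

    existing maps already-reserved MAC addresses to their reserved IP addresses.
    """
    problems = []
    if not MAC_RE.match(mac):
        problems.append("MAC address must be six colon-separated hexadecimal pairs, such as 01:23:45:67:89:AB")
        return problems  # the remaining checks need a well-formed MAC
    mac = mac.upper()
    net = ipaddress.ip_network(subnet)
    addr = ipaddress.ip_address(ip)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if addr not in net:  # assumption: a reservation must be inside the VLAN subnet
        problems.append(f"reserved address {addr} is not in the VLAN subnet {net}")
    if lo <= addr <= hi:  # the manual's rule: stay outside the DHCP pool
        problems.append(f"reserved address {addr} lies inside the DHCP pool {lo}-{hi}")
    for known_mac, known_ip in existing.items():
        if known_mac.upper() == mac:
            problems.append(f"MAC {mac} already has a reservation ({known_ip})")
        if ipaddress.ip_address(known_ip) == addr:
            problems.append(f"address {addr} is already reserved for {known_mac}")
    return problems


# Constructed sample state: default LAN subnet, a pool of .100-.200, one existing reservation
SUBNET = "192.168.1.0/24"
POOL = ("192.168.1.100", "192.168.1.200")
EXISTING = {"01:23:45:67:89:AB": "192.168.1.10"}


def check(mac: str, ip: str) -> list:
    """Convenience wrapper over the constructed sample state."""
    return validate_reservation(mac, ip, SUBNET, *POOL, EXISTING)


if __name__ == "__main__":
    for mac, ip in [("AA:BB:CC:DD:EE:01", "192.168.1.20"), ("AA:BB:CC:DD:EE:02", "192.168.1.150")]:
        print(mac, ip, check(mac, ip) or "OK")
```

The MAC comparison is case-insensitive on purpose: the manual shows upper-case hexadecimal, but a client can report the same address in lower case, and a reservation that silently duplicates another is exactly the kind of entry that produces two devices contending for one address.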
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 To enable and configure the DMZ port: 1. Select Network Configuration > DMZ Setup. The DMZ Setup screen displays: Figure 37. 2. Enter the settings as explained in the following table: Table 14. DMZ Setup screen settings Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields. • No.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 14. DMZ Setup screen settings (continued) Setting Description DHCP Disable DHCP Server If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 14. DMZ Setup screen settings (continued) Setting Description Enable LDAP information Select the Enable LDAP information check box to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the following settings: LDAP Server The IP address or name of the LDAP server. Search Base The search objects that specify the location in the directory tree from which the LDAP search begin.
Note: The VPN firewall automatically sets up routes between VLANs and secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configure Multi-Home LAN IP Addresses on the Default VLAN on page 65). Therefore, you do not need to manually add a static route between a VLAN and a secondary IP address. Configure Static Routes To add a static route to the Static Routes table: 1. Select Network Configuration > Routing.
3. Enter the settings as explained in the following table: Table 15. Add Static Route screen settings Setting Description Route Name The route name for the static route (for purposes of identification and management). Active To make the static route effective, select the Active check box. Note: A route can be added to the table and made inactive, if not needed. This allows routes to be used as needed without deleting and re-adding the entry.
Configure Routing Information Protocol Routing Information Protocol (RIP), RFC 2453, is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information automatically with other routers, to dynamically adjust its routing tables, and to adapt to changes in the network. RIP is disabled by default. To enable and configure RIP: 1. Select Network Configuration > Routing. 2.
3. Enter the settings as explained in the following table: Table 16. RIP Configuration screen settings Setting Description RIP RIP Direction From the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP packets: • None. The VPN firewall neither advertises its route table, nor does it accept any RIP packets from other routers. This effectively disables RIP. • In Only.
Table 16. RIP Configuration screen settings (continued) Setting Description Authentication for RIP-2B/2M required? (continued) Not Valid Before The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid. Not Valid After The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second.
4. Firewall Protection

This chapter describes how to use the firewall features of the VPN firewall to protect your network.
Administrator Tips Consider the following operational items: 1. As an option, you can enable remote management if you have to manage distant sites from a central location (see Configure VPN Authentication Domains, Groups, and Users on page 219 and Configure Remote Management Access on page 250). 2.
Table 17. Number of supported firewall rule configurations (continued)

Traffic rule                        Maximum number of outbound rules   Maximum number of inbound rules   Maximum number of supported rules
LAN DMZ                             200                                200                               200
Maximum Number of Supported Rules   300                                300                               600

The maximum number of supported outbound rules is 300, and the maximum number of supported inbound rules is 300. The total number of supported inbound and outbound rules is therefore 600.
WARNING! Allowing inbound services opens security holes in your VPN firewall. Enable only those ports that are necessary for your network. The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 43 on page 93, Figure 46 on page 96, and Figure 49 on page 99). The steps to configure outbound rules are described in the following sections: • Set LAN WAN Rules.
Table 18. Outbound rules overview (continued) Setting Description LAN Users The settings that determine which computers on your network are affected by this rule. The options are: • Any. All PCs and devices on your LAN. • Single address. Enter the required address to apply the rule to a single device on your LAN. • Address range. Enter the required addresses in the Start and End fields to apply the rule to a range of devices. • Groups.
Table 18. Outbound rules overview (continued) Setting Description Bandwidth Profile Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. For more information, see Create Bandwidth Profiles on page 118.
screen to keep the PC’s IP address constant (see Set Up Address Reservation on page 72). • Local PCs need to access the local server using the PCs’ local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail. Note: See Configure Port Triggering on page 130 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.
Table 19. Inbound rules overview Setting Description Service The service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Add Customized Services on page 112).
Table 19. Inbound rules overview (continued) Setting Description LAN Users The settings that determine which computers on your network are affected by this rule. The options are: • Any. All PCs and devices on your LAN. • Single address. Enter the required address to apply the rule to a single device on your LAN. • Address range. Enter the required addresses in the Start and End fields to apply the rule to a range of devices. • Groups.
Table 19. Inbound rules overview (continued) Setting Description Log The setting that determines whether packets covered by this rule are logged. The options are: • Always. Always log traffic considered by this rule, whether it matches or not. This is useful when you are debugging your rules. • Never. Never log traffic considered by this rule, whether it matches or not.
Figure 41. Set LAN WAN Rules The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). This feature is also referred to as service blocking.
Figure 42. 2. Next to Default Outbound Policy, select Block Always from the drop-down list. 3. Next to the drop-down list, click the Apply table button. To make changes to an existing outbound or inbound service rule: In the Action column to the right of the rule, click one of the following table buttons: • Edit. Allows you to make any changes to the definition of an existing rule.
LAN WAN Outbound Services Rules You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between an internal IP LAN address and any external WAN IP address according to the schedule created in the Schedule screen.
LAN WAN Inbound Services Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked. Remember that allowing inbound services opens potential security holes in your firewall. Enable only those ports that are necessary for your network. To create a new inbound LAN WAN service rule: 1.
Set DMZ WAN Rules The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen. The default outbound policy is to allow all traffic from and to the Internet to pass through. You can then apply firewall rules to block specific types of traffic from either going out from the DMZ to the Internet (outbound) or coming in from the Internet to the DMZ (inbound).
To delete or disable one or more rules: 1. Select the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules. 2. Click one of the following table buttons: • Disable. Disables the rule or rules. The “!” status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled.
DMZ WAN Inbound Services Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the DMZ) is allowed. Inbound rules that are configured on the LAN WAN Rules screen take precedence over inbound rules that are configured on the DMZ WAN Rules screen.
Set LAN DMZ Rules The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to allow all traffic between the local LAN and DMZ network. You can then apply firewall rules to block specific types of traffic from either going out from the LAN to the DMZ (outbound) or coming in from the DMZ to the LAN (inbound).
To delete or disable one or more rules: 1. Select the check box to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules. 2. Click one of the following table buttons: • Disable. Disables the rule or rules. The “!” status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled.
LAN DMZ Inbound Services Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the LAN to the DMZ) is allowed. To create a new inbound LAN DMZ service rule: 1. In the LAN DMZ Rules screen, click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen displays: Figure 50. 2.
Inbound Rules Examples LAN WAN Inbound Rule: Hosting a Local Public Web Server If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day. Figure 51.
Figure 52. LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the VPN firewall to host an additional public IP address and associate this address with a web server on the LAN.
Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers. To configure the VPN firewall for additional IP addresses: 1.
4. From the Service drop-down list, select HTTP for a web server. 5. From the Action drop-down list, select ALLOW Always. 6. In the Send to LAN Server field, enter the local IP address of your web server PC (192.168.1.2 in this example). 7. From the WAN Destination IP Address drop-down list, select the web server. In this example, the secondary 192.168.55.10 (WAN1) address is shown.
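As an added illustration (not NETGEAR code), the following Python model captures the rule semantics this chapter describes: per-table default policies, top-down first-match evaluation, the precedence of LAN WAN inbound rules over DMZ WAN inbound rules, the 300/300 rule limits from Table 17, and the one-to-one NAT mapping above (secondary WAN address 192.168.55.10 sent to the web server at 192.168.1.2). Class and function names are my own, and the range/single LAN Users syntax is a simplification of the screen's fields.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Rule limits from Table 17 (300 outbound, 300 inbound, 600 in total).
MAX_OUTBOUND_RULES = 300
MAX_INBOUND_RULES = 300

# Default policies stated in this chapter. LAN WAN outbound is configurable
# through the Default Outbound Policy drop-down; the others are modelled as fixed.
DEFAULT_POLICY = {
    ("LAN_WAN", "outbound"): "ALLOW", ("LAN_WAN", "inbound"): "BLOCK",
    ("DMZ_WAN", "outbound"): "ALLOW", ("DMZ_WAN", "inbound"): "ALLOW",
    ("LAN_DMZ", "outbound"): "ALLOW", ("LAN_DMZ", "inbound"): "ALLOW",
}

# For traffic arriving from the Internet, rules on the LAN WAN Rules screen
# take precedence over rules on the DMZ WAN Rules screen.
INTERNET_INBOUND_ORDER = ["LAN_WAN", "DMZ_WAN"]

@dataclass
class Rule:
    table: str                         # "LAN_WAN", "DMZ_WAN" or "LAN_DMZ"
    direction: str                     # "inbound" or "outbound"
    service: str                       # e.g. "HTTP"; "Any" matches every service
    action: str                        # "ALLOW" or "BLOCK"
    users: str = "Any"                 # "Any", "single:<ip>" or "range:<start>-<end>"
    wan_dest_ip: Optional[str] = None  # secondary WAN address for one-to-one NAT
    send_to: Optional[str] = None      # Send to LAN Server address
    log: str = "Never"                 # "Always" or "Never"
    enabled: bool = True               # a disabled rule stays in the table but is skipped

@dataclass
class Decision:
    action: str
    rule: Optional[Rule]               # None when a default policy applied
    forwarded_to: Optional[str]        # server the traffic is sent to, if any
    logged: bool

def users_match(spec: str, local_ip: Optional[str]) -> bool:
    """Match the rule's LAN Users setting against the local host address."""
    if spec == "Any":
        return True
    if local_ip is None:
        return False
    kind, _, value = spec.partition(":")
    ip = IPv4Address(local_ip)
    if kind == "single":
        return ip == IPv4Address(value)
    if kind == "range":
        start, end = (IPv4Address(x) for x in value.split("-"))
        return start <= ip <= end
    raise ValueError(f"unsupported LAN Users setting {spec!r}")

class Firewall:
    def __init__(self, default_outbound: str = "ALLOW"):
        self.rules: List[Rule] = []
        self.default_outbound = default_outbound  # LAN WAN Default Outbound Policy

    def add_rule(self, rule: Rule) -> None:
        """Append a rule, enforcing the per-direction limits from Table 17."""
        limit = MAX_INBOUND_RULES if rule.direction == "inbound" else MAX_OUTBOUND_RULES
        if sum(r.direction == rule.direction for r in self.rules) >= limit:
            raise ValueError(f"maximum of {limit} {rule.direction} rules reached")
        self.rules.append(rule)

    def evaluate(self, pair: str, direction: str, service: str,
                 local_ip: Optional[str] = None,
                 wan_ip: Optional[str] = None) -> Decision:
        """Return the first matching rule's decision, else the default policy."""
        from_internet = direction == "inbound" and pair in INTERNET_INBOUND_ORDER
        tables = INTERNET_INBOUND_ORDER if from_internet else [pair]
        for table in tables:
            for rule in self.rules:  # rules are evaluated top-down, first match wins
                if (not rule.enabled or rule.table != table
                        or rule.direction != direction):
                    continue
                if rule.service not in ("Any", service):
                    continue
                if rule.wan_dest_ip is not None and rule.wan_dest_ip != wan_ip:
                    continue
                if not users_match(rule.users, local_ip):
                    continue
                return Decision(rule.action, rule, rule.send_to, rule.log == "Always")
        if (pair, direction) == ("LAN_WAN", "outbound"):
            return Decision(self.default_outbound, None, None, False)
        return Decision(DEFAULT_POLICY[(pair, direction)], None, None, False)

def demo_firewall() -> Firewall:
    """Constructed rule set mirroring the one-to-one NAT example above."""
    fw = Firewall()
    fw.add_rule(Rule("LAN_WAN", "inbound", "HTTP", "ALLOW",
                     wan_dest_ip="192.168.55.10", send_to="192.168.1.2"))
    # Block everything outbound from a range of hosts and log every hit.
    fw.add_rule(Rule("LAN_WAN", "outbound", "Any", "BLOCK",
                     users="range:192.168.1.100-192.168.1.120", log="Always"))
    return fw
```

Traffic to the primary WAN address falls through to the LAN WAN inbound default (block), while unmatched Internet traffic bound for the DMZ is allowed by the DMZ WAN default, as the chapter states.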
1. Select Any and Allow Always (or Allow by Schedule). 2. Place the rule below all other inbound rules. Figure 54. Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other nonessential sites.
Figure 55. Configure Other Firewall Features You can configure attack checks, set session limits, and manage the application level gateway (ALG) for Session Initiation Protocol (SIP) sessions. Attack Checks The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.
Figure 56. 2. Enter the settings as explained in the following table: Table 20. Attack Checks screen settings Setting Description WAN Security Checks Respond to Ping on Internet Ports Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet. A ping can be used as a diagnostic tool.
Table 20. Attack Checks screen settings (continued) Setting Description LAN Security Checks. Block UDP flood Select the Block UDP flood check box to prevent the VPN firewall from accepting more than 20 simultaneous, active UDP connections from a single device on the LAN. By default, the Block UDP flood check box is cleared.
Set Session Limits The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IP connection across the VPN firewall. The session limits feature is disabled by default. To enable and configure session limits: 1. Select Security > Firewall > Session Limit. The Session Limit screen displays: Figure 57. 2.
3. Enter the settings as explained in the following table: Table 21. Session Limit screen settings Setting Description Session Limit Session Limit Control From the drop-down list, select one of the following options: • When single IP exceeds. When the limit is reached, no new session is allowed from the IP address. A new session is allowed only when an existing session is terminated or times out. • Single IP Cannot Exceed.
Manage the Application Level Gateway for SIP Sessions The application level gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients. ALG support for SIP is disabled by default. To enable ALG for SIP: 1. Select Security > Firewall > Advanced. The Advanced screen displays: Figure 58. 2.
Add Customized Services Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
2. In the Add Custom Service section of the screen, enter the settings as explained in the following table: Table 22. Services screen settings Setting Description Name A descriptive name of the service for identification and management purposes. Type From the Type drop-down list, select the Layer 3 protocol that the service uses as its transport protocol: • TCP • UDP • ICMP ICMP Type A numeric value that can range between 0 and 40.
To delete one or more services: 1. In the Custom Services table, select the check box to the left of the service that you want to delete, or click the Select All table button to select all services. 2. Click the Delete table button. Create IP Groups An IP group contains a collection of individual IP addresses that do not need to be within the same IP address range.
Figure 62. 5. In the IP Address fields, type an IP address. 6. Click the Add table button to add the IP address to the IP Addresses Grouped table. 7. Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table. 8. Click the Edit table button to return to the IP Groups screen. To edit an IP group: 1. In the Custom IP Groups table, click the Edit table button to the right of the IP group that you want to edit.
Create Quality of Service (QoS) Profiles A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall. A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule and traffic matching the firewall rule flows through the router.
Figure 63. The screen displays the List of QoS Profiles table with the user-defined profiles. 2. Under the List of QoS Profiles table, click the Add table button. The Add QoS Profile screen displays: Figure 64. 3. Enter the settings as explained in the following table. Table 23. Add QoS Profile screen settings Setting Description Profile Name A descriptive name of the QoS profile for identification and management purposes.
Table 23. Add QoS Profile screen settings (continued) Setting Description Re-Mark (continued) QoS Value QoS Priority The QoS priority represents the classification level of the packet among the priority queues within the VPN firewall. If you select Default, packets are mapped based on the ToS bits in their IP headers.
For example, when a new connection is established by a device, the device locates the firewall rule corresponding to the connection: • If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel. • If multiple connections correspond to the same firewall rule, the connections all share the same bandwidth class.
Figure 66. 3. Enter the settings as explained in the following table: Table 24. Add Bandwidth Profile screen settings Setting Description Profile Name A descriptive name of the bandwidth profile for identification and management purposes. Direction From the Direction drop-down list, select the direction in which the bandwidth profile is applied: • Outbound Traffic. The bandwidth profile is applied only to outbound traffic.
Table 24. Add Bandwidth Profile screen settings (continued) Setting Description Type From the Type drop-down list, select the type for the bandwidth profile: • Group. The profile applies to all users, that is, all users share the available bandwidth. • Individual. The profile applies to an individual user, that is, each user can use the available bandwidth.
Figure 67. 2. In the Scheduled Days section, select one of the following radio buttons: • All Days. The schedule is in effect all days of the week. • Specific Days. The schedule is active only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect. 3. In the Scheduled Time of Day section, select one of the following radio buttons: • All Day.
Content Filtering If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall’s content filtering and web components filtering features. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a Blocked by NETGEAR message.
You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled. You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of trusted domains.
Figure 68.
4. Enter the settings as explained in the following table: Table 25. Block Sites screen settings Setting Description Web Components Select the check boxes of any web components that you wish to block. The web components are explained in Content Filtering on page 123. Apply Keyword Blocking to To apply keyword blocking to groups: 1.
Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 83. To enable MAC filtering and add MAC addresses to be permitted or blocked: 1. Select Security > Address Filter. The Address Filter submenu tabs display, with the Source MAC Filter screen in view. (The following figure shows one address in the MAC Addresses table as an example.) Figure 69. 2.
To remove one or more entries from the table: 1. Select the check box to the left of the MAC address that you want to delete, or click the Select All table button to select all entries. 2. Click the Delete table button. Set Up IP/MAC Bindings IP/MAC binding allows you to bind an IP address to a MAC address and vice versa. Some PCs or devices are configured with static addresses.
Figure 70. 2. Enter the settings as explained in the following table: Table 26. IP/MAC Binding screen settings Setting Description Email IP/MAC Violations Do you want to enable E-mail Logs for IP/MAC: Select one of the following radio buttons: • Yes. IP/MAC binding violations are emailed. • No. IP/MAC binding violations are not emailed.
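To show what an IP/MAC binding violation looks like from the monitoring side, here is an added Python example (not NETGEAR code) that checks observed source IP/MAC pairs against a bindings table in both directions, as the "and vice versa" above implies, and queues an email-style message for each violation when the Yes option is modelled. The bindings and the observed traffic are constructed; the class and function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Binding:
    name: str   # descriptive name of the table entry
    mac: str
    ip: str

def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55 and compare case-insensitively."""
    return mac.replace("-", ":").lower()

class IPMacBindingMonitor:
    """Checks observed (IP, MAC) pairs against the IP/MAC Bindings table."""

    def __init__(self, bindings: Iterable[Binding], email_violations: bool = True):
        bindings = list(bindings)
        self.by_ip: Dict[str, Binding] = {b.ip: b for b in bindings}
        self.by_mac: Dict[str, Binding] = {normalize_mac(b.mac): b for b in bindings}
        self.email_violations = email_violations  # the Yes/No radio buttons above
        self.violations: List[str] = []
        self.outbox: List[str] = []               # messages that would be emailed

    def check(self, src_ip: str, src_mac: str) -> bool:
        """Return True if the pair honours the table; record a violation otherwise."""
        mac = normalize_mac(src_mac)
        bound = self.by_ip.get(src_ip)
        if bound is not None and normalize_mac(bound.mac) != mac:
            self._violation(f"IP {src_ip} is bound to {bound.mac} ({bound.name}) "
                            f"but was seen from MAC {src_mac}")
            return False
        bound = self.by_mac.get(mac)
        if bound is not None and bound.ip != src_ip:
            self._violation(f"MAC {src_mac} is bound to {bound.ip} ({bound.name}) "
                            f"but used IP {src_ip}")
            return False
        return True   # hosts without a binding are not checked

    def _violation(self, message: str) -> None:
        self.violations.append(message)
        if self.email_violations:
            self.outbox.append("IP/MAC binding violation: " + message)

# Constructed bindings and observed traffic (not taken from the manual).
BINDINGS = [
    Binding("file-server", "00:11:22:33:44:55", "192.168.1.10"),
    Binding("printer", "00-11-22-33-44-66", "192.168.1.11"),
]
OBSERVED: List[Tuple[str, str]] = [
    ("192.168.1.10", "00:11:22:33:44:55"),   # file server, as bound
    ("192.168.1.10", "aa:bb:cc:dd:ee:ff"),   # another MAC using the server's IP
    ("192.168.1.77", "00:11:22:33:44:66"),   # printer's MAC with a different IP
    ("192.168.1.50", "de:ad:be:ef:00:01"),   # unbound host, not checked
]

def scan(observed=OBSERVED, email_violations: bool = True) -> IPMacBindingMonitor:
    """Run every observed pair through the monitor and return it for inspection."""
    monitor = IPMacBindingMonitor(BINDINGS, email_violations)
    for ip, mac in observed:
        monitor.check(ip, mac)
    return monitor
```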
To edit an IP/MAC binding: 1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays. 2. Modify the settings that you wish to change (see the previous table). 3. Click Apply to save your changes. The modified IP/MAC binding is displayed in the IP/MAC Bindings table. To remove one or more IP/MAC bindings from the table: 1.
To add a port triggering rule: 1. Select Security > Port Triggering. The Port Triggering screen displays. (See the following figure, which shows one rule in the Port Triggering Rule table as an example.) Figure 71. 2. Below Add Port Triggering Rule, enter the settings as explained in the following table: Table 27. Port Triggering screen settings Setting Description Name A descriptive name of the rule for identification and management purposes.
To edit a port triggering rule (for example, to enable the rule): 1. In the Port Triggering Rules table, click the Edit table button to the right of the port triggering rule that you want to edit. The Edit Port Triggering Rule screen displays. 2. Modify the settings that you wish to change (see the previous table). 3. Click Apply to save your changes. The modified port triggering rule is displayed in the Port Triggering Rules table.
Figure 73. 2. To enable the UPnP feature, select the Yes radio button. (The feature is disabled by default.) To disable the feature, select No. 3. Configure the following fields: - Advertisement Period. Enter the period in minutes that specifies how often the VPN firewall should broadcast its UPnP information to all devices within its range. The default setting is 40 minutes. - Advertisement Time to Live.
5. Virtual Private Networking Using IPSec Connections

This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer.
Figure 74. WAN Auto-Rollover: FQDN Required for VPN (diagram: the VPN firewall's WAN 1 port and WAN 2 port, its rollover control functions and the rest of the VPN firewall, connected to the Internet; the same FQDN is required for both WAN ports)
Use the IPSec VPN Wizard for Client and Gateway Configurations You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following section provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following scenarios: • Using the wizard to configure a VPN tunnel between two VPN gateways. • Using the wizard to configure a VPN tunnel between a VPN gateway and a VPN client.
Figure 77. To view the wizard default settings, click the VPN Wizard Default Values option arrow in the upper right of the screen. A popup window appears (see Figure 78 on page 138) displaying the wizard default values. After you have completed the wizard, you can modify these settings for the tunnel policy that you have set up.
Figure 78. 2. Complete the settings as explained in the following table: Table 29. IPSec VPN Wizard settings for a gateway-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect to the following peers Select the Gateway radio button. The local WAN port’s IP address or Internet name appears in the End Point Information section of the screen.
Table 29. IPSec VPN Wizard settings for a gateway-to-gateway tunnel (continued) Setting Description End Point Information What is the Remote WAN's IP Address or Internet Name? Enter the IP address or Internet name (FQDN) of the WAN interface on the remote VPN tunnel endpoint.
5. Activate the IPSec VPN connection: a. Select VPN > Connection Status. The VPN Connection Status submenu tabs display, with the IPSec VPN Connection Status screen in view. Figure 80. b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection should become active.
Use the VPN Wizard to Configure the Gateway for a Client Tunnel To set up a client-to-gateway VPN tunnel using the VPN Wizard: 1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. (The following figure contains some entries as an example.) Figure 82. To display the wizard default settings, click the VPN Wizard Default Values option arrow in the upper right of the screen.
Table 30. IPSec VPN Wizard settings for a client-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote FQDN (srx_remote.com) and the default local FQDN (srx_local.com) appear in the End Point Information section of the screen. Connection Name and Remote IP Type What is the new Connection Name? Enter a descriptive name for the connection.
Figure 83. Note: When using FQDNs, if the dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time. 4. Optional step: Collect the information that you need to configure the VPN client.
Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed. To use the Configuration Wizard to set up a VPN connection between the VPN client and the VPN firewall: 1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays. Figure 84. 1. From the main menu on the Configuration Panel screen, select Configuration > Wizard.
Figure 85. 2. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays. Figure 86. 3. Specify the following VPN tunnel parameters: • IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the VPN firewall. For example, enter 10.34.116.22. • Preshared key. Enter the pre-shared key that you already specified on the VPN firewall.
Figure 87. 5. This screen is a summary screen of the new VPN configuration. Click Finish. 6. Specify the local and remote IDs: a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default. b. Click the Advanced tab in the Authentication pane. The Advanced pane displays.
c. Specify the settings that are explained in the following table. Table 32. VPN client advanced authentication settings Setting Description Advanced features Aggressive Mode Select this check box to enable aggressive mode as the negotiation mode with the VPN firewall. NAT-T Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.
Figure 89. b. Specify the default lifetimes in seconds: • Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall. • Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the VPN firewall. 8.
Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: 1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays. Figure 90. 2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration and select New Phase 1. Figure 91. 3. Change the name of the authentication phase (the default is Gateway): a.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name. The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default. Figure 92. 4. Specify the settings that are explained in the following table. Table 33.
5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays.
Figure 93.
7. Specify the settings that are explained in the following table.
Table 34.
Table 34. VPN client advanced authentication settings (continued)
Local and Remote ID
Local ID: As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter srx_remote.com as the local ID for the VPN client. Note: The remote ID on the VPN firewall is the local ID on the VPN client.
Figure 94.
3. Specify the settings that are explained in the following table.
Table 35. VPN client IPSec configuration settings
VPN Client address: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the VPN firewall’s LAN; the computer (for which the VPN client opened a tunnel) appears in the LAN with this IP address.
Address Type: Select Subnet address from the drop-down list.
4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
Configure the Global Parameters
To specify the global parameters:
1. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the Configuration Panel screen.
Figure 95.
2. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds.
Test the Connection and View Connection and Status Information
Both the NETGEAR ProSafe VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
Test the NETGEAR VPN Client Connection
There are many ways to establish a connection.
Figure 97.
• Use the system-tray icon. Right-click the system tray icon, and click Open tunnel ‘Tunnel’.
Figure 98.
Whichever way you choose to open the tunnel, when the tunnel opens successfully, the Tunnel opened message displays above the system tray:
Figure 99.
Once launched, the VPN client displays an icon in the system tray that indicates whether or not a tunnel is opened, using a color code:
Green icon: at least one VPN tunnel opened.
Figure 101.
View the VPN Firewall IPSec VPN Connection Status
To review the status of current IPSec VPN tunnels:
Select VPN > Connection Status. The VPN Connection Status submenu tabs display, with the IPSec VPN Connection Status screen in view. (The following figure shows an IPSec SA as an example.)
Figure 102.
The Active IPSec SAs table lists each active connection with the information that is described in the following table.
Table 36. IPSec VPN Connection Status screen information
Policy Name: The name of the VPN policy that is associated with this SA.
Endpoint: The IP address on the remote VPN endpoint.
Tx (KB): The amount of data that is transmitted over this SA.
Tx (Packets): The number of IP packets that are transmitted over this SA.
State: The current status of the SA. Phase 1 is the authentication phase and Phase 2 is the key exchange phase.
Manage IPSec VPN Policies
After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies, or manually add new VPN and IKE policies directly in the policy tables.
IKE Policies Screen
To access the IKE Policies screen:
Select VPN > IPSec VPN. The IPSec VPN submenu tabs display, with the IKE Policies screen in view (the following figure shows some examples).
Figure 104.
Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 38 on page 162.
Table 37. IKE Policies screen information
Name: The name that identifies the IKE policy.
2. Click the Delete table button.
To add or edit an IKE policy, see Manually Add or Edit an IKE Policy on this page.
Note: You cannot delete or edit an IKE policy for which the VPN policy is active. You first need to disable or delete the VPN policy before you can delete or edit the IKE policy.
Manually Add or Edit an IKE Policy
To manually add an IKE policy:
1. Select VPN > IPSec VPN.
3. Complete the settings as explained in the following table.
Table 38. Add IKE Policy screen settings
Mode Config Record
Do you want to use Mode Config Record?: Specify whether or not the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation on page 176. Select one of the following radio buttons:
• Yes. IP addresses are assigned to remote VPN clients.
Table 38. Add IKE Policy screen settings (continued)
Local
Select Local Gateway: From the drop-down list, select one of the four WAN interfaces to function as the local gateway.
Identifier Type: From the drop-down list, select one of the following ISAKMP identifiers to be used by the VPN firewall, and then specify the identifier in the field below:
• Local WAN IP. The WAN IP address of the VPN firewall.
Table 38. Add IKE Policy screen settings (continued)
Authentication Method: Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
• RSA-Signature. Uses the active self certificate that you uploaded on the Certificates screen (see Manage Self-Signed Certificates on page 237).
Table 38. Add IKE Policy screen settings (continued)
XAUTH Configuration (continued)
Authentication Type: For an Edge Device configuration: from the drop-down list, select one of the following authentication types:
• User Database. XAUTH occurs through the VPN firewall’s user database. Users need to be added through the Add User screen (see User Database Configuration on page 174).
• Radius PAP.
In addition, a certification authority (CA) can also be used to perform authentication (see Manage Digital Certificates on page 234). To use a CA, each VPN gateway needs to have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed, and is used by any sender to encrypt data intended for the receiver (the key owner).
Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 40 on page 169.
Table 39. VPN Policies screen information
! (Status): Indicates whether the policy is enabled (green circle) or disabled (gray circle). To enable or disable a policy, select the check box adjacent to the circle and click the Enable or Disable table button, as appropriate.
Manually Add or Edit a VPN Policy
To manually add a VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 166).
2. Under the List of VPN Policies table, click the Add table button. The Add New VPN Policy screen displays:
Figure 107.
3. Complete the settings as explained in the following table:
Table 40. Add New VPN Policy screen settings
General
Policy Name: A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Policy Type: From the drop-down list, select one of the following policy types:
• Auto Policy.
Table 40. Add New VPN Policy screen settings (continued)
Traffic Selection
Local IP: From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall:
• Any. All PCs and devices on the network.
• Single. A single IP address on the network. Enter the IP address in the Start IP Address field.
• Range. A range of IP addresses on the network.
Table 40. Add New VPN Policy screen settings (continued)
SPI-Outgoing: The Security Parameters Index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters (for example: 0x1234).
Integrity Algorithm: From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest.
Table 40. Add New VPN Policy screen settings (continued)
PFS Key Group: Select this check box to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the drop-down list. The DH group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the drop-down list, select one of the following three strengths:
• Group 1 (768 bit).
• Group 2 (1024 bit).
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first checks the local user database for the user credentials. If the user account is not present, the VPN firewall then connects to a RADIUS server.
Configure XAUTH for VPN Clients
Once XAUTH has been enabled, you need to establish user accounts in the user database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or RADIUS-PAP server.
Table 41. Extended authentication settings (continued)
Authentication Type: For an Edge Device configuration: from the drop-down list, select one of the following authentication types:
• User Database. XAUTH occurs through the VPN firewall’s user database. You can add users on the Add User screen (see User Database Configuration on page 174).
• Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP).
Figure 108.
2. Complete the settings as explained in the following table:
Table 42. RADIUS Client screen settings
Primary RADIUS Server: Select the Yes radio button to enable and configure the primary RADIUS server, and then enter the settings for the three fields to the right. The default setting is that the No radio button is selected.
Primary Server IP Address: The IP address of the primary RADIUS server.
Table 42. RADIUS Client screen settings (continued)
Backup Server IP Address: The IP address of the backup RADIUS server.
Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the backup RADIUS server. The same secret phrase needs to be configured on both the client and the server.
Backup Server NAS Identifier: The backup NAS identifier that needs to be present in a RADIUS request.
Note: After configuring a Mode Config record, you need to manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record drop-down list (see Configure Mode Config Operation on the VPN Firewall on page 177). You do not need to make changes to any VPN policy.
Figure 110.
3. Complete the settings as explained in the following table:
Table 43. Add Mode Config Record screen settings
Client Pool
Record Name: A descriptive name of the Mode Config record for identification and management purposes.
First Pool: Assign at least one range of IP pool addresses in the First Pool fields to enable the VPN firewall to allocate these to remote VPN clients.
Table 43. Add Mode Config Record screen settings (continued)
DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.
Traffic Tunnel Security Level
Note: Generally, the default settings work well for a Mode Config configuration.
Figure 111.
7. On the Add IKE Policy screen, complete the settings as explained in the following table.
Note: The settings that are explained in the following table are specifically for a Mode Config configuration. Table 38 on page 162 explains the general IKE policy settings.
Table 44. Add IKE Policy screen settings for a Mode Config configuration
Mode Config Record
Do you want to use Mode Config Record?: Select the Yes radio button.
Table 44. Add IKE Policy screen settings for a Mode Config configuration (continued)
Remote
Identifier Type: From the drop-down list, select FQDN. Note: Mode Config requires that the remote end is defined by an FQDN.
Identifier: Enter the FQDN for the remote end. This needs to be an FQDN that is not used in any other IKE policy. In this example, we are using client.com.
Table 44. Add IKE Policy screen settings for a Mode Config configuration (continued)
Extended Authentication
XAUTH Configuration: Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device.
Note: For more information about
Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed.
To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
Configure the Mode Config Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1.
Figure 113.
3. Change the name of the authentication phase (the default is Gateway):
a. Right-click the authentication phase name.
b. Select Rename.
c. Type GW_ModeConfig.
d. Click anywhere in the tree list pane.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be unique.
4. Specify the settings that are explained in the following table.
Table 45. VPN client authentication settings (Mode Config)
Interface: Select Any from the drop-down list.
Remote Gateway: Enter the remote IP address or DNS name of the VPN firewall. For example, enter 10.34.116.22.
Preshared Key: Select the Preshared Key radio button. Enter the pre-shared key that you already specified on the VPN firewall.
7. Specify the settings that are explained in the following table.
Table 46. VPN client advanced authentication settings (Mode Config)
Advanced features
Mode Config: Select this check box to enable Mode Config.
Aggressive Mode: Select this check box to enable aggressive mode as the negotiation mode with the VPN firewall.
NAT-T: Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.
The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected by default.
Figure 116.
3. Specify the settings that are explained in the following table.
Table 47. VPN client IPSec configuration settings (Mode Config)
VPN Client address: This field is masked out because Mode Config is selected.
Table 47. VPN client IPSec configuration settings (Mode Config) (continued)
ESP
Encryption: Select 3DES as the encryption algorithm from the drop-down list.
Authentication: Select SHA-1 as the authentication algorithm from the drop-down list.
Mode: Select Tunnel as the encapsulation mode from the drop-down list.
PFS and Group: Select the PFS check box, and then select the DH2 (1024) key group from the drop-down list.
2. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall:
• Authentication (IKE), Default. Enter 3600 seconds.
• Encryption (IPSec), Default. Enter 3600 seconds.
3. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the VPN firewall:
• Check Interval. Enter 30 seconds.
• Max. number of entries. Enter 3 retries.
• Delay between entries.
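Both client walkthroughs (the general Phase 1, Phase 2 and global-parameter setup earlier in the chapter, and the Mode Config variant above) come down to mirroring the firewall's IKE policy on the client, with the local and remote IDs swapped. The Python checker below is an added example, not NETGEAR's code and not part of this manual: it models both ends with constructed sample values taken from the walkthroughs (srx_remote.com, the client's 3600/1200 second default lifetimes, 3DES, SHA-1, DH2; srx_local.com is a constructed placeholder) and lists every setting that would stop Phase 1 or Phase 2 from negotiating. The dataclass field and function names are this example's own.

```python
"""Added example: check that a NETGEAR ProSafe VPN Client profile mirrors the
VPN firewall's IKE/VPN policy. Not part of the SRX5308 manual or any NETGEAR
software; all values are constructed from the manual's walkthroughs."""
from dataclasses import dataclass
from typing import List


@dataclass
class IkePeer:
    """The settings the manual has you enter on one end of the tunnel.
    Field names are this example's own, not the firewall's or client's UI labels."""
    name: str
    local_id: str           # identifier this peer sends (DNS/FQDN type)
    remote_id: str          # identifier it expects from the other peer
    ike_lifetime: int       # Phase 1 (IKE SA) lifetime, seconds
    ipsec_lifetime: int     # Phase 2 (IPSec SA) lifetime, seconds
    encryption: str         # ESP encryption algorithm
    integrity: str          # ESP authentication algorithm
    dh_group: str           # PFS key group
    pfs: bool
    aggressive_mode: bool
    encapsulation: str = "Tunnel"
    mode_config: bool = False
    remote_id_type: str = "FQDN"   # only checked on the firewall side


# Settings that must be identical on both peers for Phase 1/Phase 2 to agree.
MIRRORED_FIELDS = ("ike_lifetime", "ipsec_lifetime", "encryption", "integrity",
                   "dh_group", "pfs", "aggressive_mode", "encapsulation", "mode_config")


def check_peer_settings(firewall: IkePeer, client: IkePeer) -> List[str]:
    """Return a list of mismatches; an empty list means the profile mirrors the policy."""
    problems: List[str] = []
    # Identities are swapped, not copied: the firewall's remote ID is the client's local ID.
    if firewall.remote_id != client.local_id:
        problems.append(
            f"remote ID on {firewall.name} ({firewall.remote_id!r}) must equal "
            f"local ID on {client.name} ({client.local_id!r})")
    if firewall.local_id != client.remote_id:
        problems.append(
            f"local ID on {firewall.name} ({firewall.local_id!r}) must equal "
            f"remote ID on {client.name} ({client.remote_id!r})")
    for field_name in MIRRORED_FIELDS:
        fw_value, cl_value = getattr(firewall, field_name), getattr(client, field_name)
        if fw_value != cl_value:
            problems.append(
                f"{field_name}: {firewall.name}={fw_value!r}, {client.name}={cl_value!r}")
    # Mode Config requires the remote end of the firewall's IKE policy to be an FQDN.
    if firewall.mode_config and firewall.remote_id_type != "FQDN":
        problems.append(
            f"{firewall.name}: Mode Config requires remote identifier type FQDN, "
            f"got {firewall.remote_id_type!r}")
    return problems


def firewall_policy() -> IkePeer:
    """Constructed sample of the firewall side; srx_local.com is a placeholder."""
    return IkePeer(name="firewall", local_id="srx_local.com", remote_id="srx_remote.com",
                   ike_lifetime=28800, ipsec_lifetime=3600, encryption="3DES",
                   integrity="SHA-1", dh_group="DH2", pfs=True, aggressive_mode=True)


def client_profile(ike_lifetime: int = 3600, ipsec_lifetime: int = 1200) -> IkePeer:
    """Client profile; the defaults are the VPN client's own default lifetimes, which the
    manual tells you to change (Phase 1 to 28800 s, Phase 2 to 3600 s)."""
    return IkePeer(name="client", local_id="srx_remote.com", remote_id="srx_local.com",
                   ike_lifetime=ike_lifetime, ipsec_lifetime=ipsec_lifetime,
                   encryption="3DES", integrity="SHA-1", dh_group="DH2",
                   pfs=True, aggressive_mode=True)


if __name__ == "__main__":
    # Client left at its default lifetimes: two Phase 1/Phase 2 mismatches are reported.
    for line in check_peer_settings(firewall_policy(), client_profile()):
        print("MISMATCH:", line)
    # After the manual's edits the profile mirrors the policy and nothing is reported.
    print("after edits:", check_peer_settings(firewall_policy(), client_profile(28800, 3600)))
```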
Figure 120.
3. From the client PC, ping a computer on the VPN firewall LAN.
Modify or Delete a Mode Config Record
To edit a Mode Config record:
1. On the Mode Config screen (see Figure 109 on page 177), click the Edit table button in the Action column for the record that you want to modify. The Edit Mode Config Record screen displays. This screen is identical to the Add Mode Config Record screen (see Figure 110 on page 178).
2.
Configure Keep-alives
The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies.
To configure the keep-alive feature on a configured VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 106 on page 166).
2. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit.
Table 48. Keep-alive settings (continued)
Enable Keepalive (continued)
Detection Period: The period in seconds between the keep-alive requests. The default setting is 10 seconds.
Reconnect after failure count: The maximum number of keep-alive requests before the VPN firewall tears down the connection and then attempts to reconnect to the remote endpoint. The default is 3 keep-alive requests.
4. Click Apply to save your settings.
3. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table:
Table 49. Dead Peer Detection settings
IKE SA Parameters
Enable Dead Peer Detection: Select the Yes radio button to enable DPD. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection.
Figure 123.
3. Select the Enable NetBIOS check box.
4. Click Apply to save your settings.
6. Virtual Private Networking Using SSL Connections
The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
The SSL VPN client provides a point-to-point (PPP) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s PC. The VPN firewall assigns the PC an IP address and DNS server IP addresses, allowing the remote PC to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure.
• SSL port forwarding.
Because you need to assign a group when creating an SSL VPN user account, the user account is created after you have created the group.
3. For port forwarding, define the servers and services (Configure Applications for Port Forwarding on page 202). Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names (FQDNs) with these servers.
Note: The VPN firewall’s default portal address is https:///portal/SSL-VPN. The default domain geardomain is attached to the SSL-VPN portal.
You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add additional portal layouts.
Figure 125.
3. Complete the settings as explained in the following table:
Table 50. Add Portal Layout screen settings
Portal Layout and Theme Name
Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.
Table 50. Add Portal Layout screen settings (continued)
Banner Message: The text of a banner message that users see before they log in to the portal, for example, In case of login difficulty, call 123-456-7890. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters. Note: For an example, see Figure 132 on page 217.
To delete one or more portal layouts:
1. On the Portal Layouts screen (see Figure 124 on page 199), select the check box to the left of the portal layout that you want to delete, or click the Select All table button to select all layouts. (You cannot delete the SSL-VPN default portal layout.)
2. Click the Delete table button.
Figure 126.
2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields:
• IP Address. The IP address of an internal server or host computer that a remote user has access to.
• TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers:
Table 51.
Table 51. Port-forwarding applications/TCP port numbers (continued)
Terminal Services: 3389
VNC (virtual network computing): 5900 or 5800
a. Users can specify the port number together with the host name or IP address.
3. Click the Add table button. The new application entry is added to the List of Configured Applications for Port Forwarding table.
To delete a name from the List of Configured Host Names for Port Forwarding table, select the check box to the left of the name that you want to delete, and then click the Delete table button in the Action column.
Configure the SSL VPN Client
The SSL VPN client on the VPN firewall assigns IP addresses to remote VPN tunnel clients.
Figure 127.
2. Complete the settings as explained in the following table:
Table 52. SSL VPN client IP address range settings
Client IP Address Range
Enable Full Tunnel Support: Select this check box to enable full tunnel support. If you leave this check box cleared (which is the default setting), split-tunnel support is enabled, and you need to add client routes (see Add Routes for VPN Tunnel Clients on page 207).
Table 52. SSL VPN client IP address range settings (continued)
Client Address Range Begin: The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
Client Address Range End: The last IP address of the IP address range that you want to assign to the VPN tunnel clients.
3. Click Apply to save your settings.
2. In the Configured Client Routes table, to the right of the route that is out-of-date, click the Delete table button. If an existing route is no longer needed for any reason, you can delete it.
Use Network Resource Objects to Simplify Policies
Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies.
- Port Forwarding. The resource applies only to port forwarding.
- All. The resource applies both to a VPN tunnel and to port forwarding.
3. Click the Add table button. The new resource is added to the List of Resources table.
To delete one or more network resources:
1. Select the check box to the left of the network resource that you want to delete, or click the Select All table button to select all VPN policies.
2. Click the Delete table button.
Table 53. Edit Resources screen settings (continued)
Object Type: From the drop-down list, select one of the following options:
• IP Address. The object is an IP address. You need to enter the IP address or the FQDN in the IP Address / Name field.
• IP Network. The object is an IP network. You need to enter the network IP address in the Network Address field and the network mask length in the Mask Length field.
Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration:
• Policy 1. A Deny rule has been configured to block all services to the IP address range 10.0.0.0–10.0.0.255.
• Policy 2. A Deny rule has been configured to block FTP access to 10.0.1.2–10.0.1.10.
• Policy 3.
Figure 130.
2. Make your selection from the following Query options:
• Click Global to view all global policies.
• Click Group to view group policies, and choose the relevant group’s name from the drop-down list.
• Click User to view user policies, and choose the relevant user’s name from the drop-down list.
3. Click the Display action button. The List of SSL VPN Policies table displays the list for your selected Query option.
Figure 131.
3. Complete the settings as explained in the following table:
Table 54. Add SSL VPN Policy screen settings
Policy For: Select one of the following radio buttons to specify the type of SSL VPN policy:
• Global. The new policy is global and excludes all groups and users.
• Group. The new policy is limited to a single group. From the drop-down list, select a group name.
• User. The new policy is limited to a single user.
Table 54. Add SSL VPN Policy screen settings (continued)
Add SSL VPN Policies
Apply Policy For: Select one of the following radio buttons to specify how the policy is applied:
• Network Resource. The policy is applied to a network resource that you have defined on the Resources screen (see Use Network Resource Objects to Simplify Policies on page 208).
Table 54. Add SSL VPN Policy screen settings (continued)
Apply Policy For (continued)
IP Network
Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
IP Address: The network IP address to which the SSL VPN policy is applied.
Subnet Mask: The network subnet mask to which the SSL VPN policy is applied.
Note: If you have configured SSL VPN user policies, ensure that HTTPS remote management is enabled (see Configure Remote Management Access on page 250). If HTTPS remote management is not enabled, all SSL VPN user connections are disabled.
To edit an SSL VPN policy:
1. On the Policies screen (see Figure 130 on page 212), click the Edit button in the Action column for the SSL VPN policy that you want to modify. The Edit SSL VPN Policy screen displays.
Figure 132.
3. Enter a user name and password that are associated with the SSL portal and the domain (see Configure VPN Authentication Domains, Groups, and Users on page 219).
4. Click Login. The default User Portal screen displays:
Figure 133.
The default User Portal screen displays a simple menu that provides the SSL user with the following menu selections:
• VPN Tunnel. Provides full network connectivity.
• Port Forwarding.
• Change Password. Allows the user to change their password.
• Support. Provides access to the NETGEAR website.
View the SSL VPN Connection Status and SSL VPN Logs
To review the status of current SSL VPN tunnels:
Select VPN > Connection Status > SSL VPN Connection Status. The SSL VPN Connection Status screen displays:
Figure 134.
7. Managing Users, Authentication, and Certificates
This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections:
• Configure VPN Authentication Domains, Groups, and Users
• Manage Digital Certificates
Configure VPN Authentication Domains, Groups, and Users
Users are assigned to a group, and a group is assigned to a domain. Therefore, you should first create any domains, then groups, then user accounts.
determines the network resources to which the associated users have access. The default domain of the VPN firewall is named geardomain. You cannot delete the default domain.
The following table summarizes the authentication protocols and methods that the VPN firewall supports:
Table 55.
Figure 136.
The List of Domains table displays the domains with the following fields:
• Check box. Allows you to select the domain in the table.
• Domain Name. The name of the domain. The default domain name (geardomain) is appended by an asterisk.
• Authentication Type. The authentication method that is assigned to the domain.
• Portal Layout Name. The SSL portal layout that is assigned to the domain.
• Action.
3. Enter the settings as explained in the following table:
Table 56. Add Domain screen settings
Domain Name: A descriptive (alphanumeric) name of the domain for identification and management purposes.
Authentication Type: From the drop-down list, select the authentication method that the VPN firewall applies to the domain. The screen adjusts to display the fields that require configuration.
• Local User Database (default).
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 4. Click Apply to save your settings. The domain is added to the List of Domains table. 5. If you use local authentication, make sure that it is not disabled: Select the No radio button in the Local Authentication section of the Domain screen (see Figure 136 on page 221). Note: A combination of local and external authentication is supported.
Configure Groups for VPN Policies
The use of groups simplifies the configuration of VPN policies when different sets of users have different restrictions and access controls. Like the default domain of the VPN firewall, the default group is also named geardomain. The default group geardomain is assigned to the default domain geardomain. You cannot delete the default domain geardomain, nor its associated default group geardomain.
Figure 138. The List of Groups table displays the VPN groups with the following fields:
• Check box. Allows you to select the group in the table.
• Name. The name of the group. If the group name is appended by an asterisk, the group was created by default when you created the domain with the identical name as the default group.
default group; you can only delete the domain with the identical name as the default group (see Configure Domains on page 219), which causes the default group to be deleted.
2. Click the Delete table button.
Note: You can delete only groups that you created on the Groups screen. Groups that were automatically created when you created a domain cannot be deleted on the Groups screen. See the Important note at the beginning of this section.
Configure User Accounts
When you create a user account, you need to assign the user to a user group. When you create a group, you need to assign the group to a domain that specifies the authentication method. Therefore, you should first create any domains, then groups, and then user accounts. You can create different types of user accounts by applying predefined user types:
• Administrator.
2. Click the Add table button. The Add User screen displays: Figure 141.
3. Enter the settings as explained in the following table:
Table 58. Add User screen settings
User Name: A descriptive (alphanumeric) name of the user for identification and management purposes.
User Type: From the drop-down list, select one of the predefined user types that determines the access credentials:
• Administrator.
To delete one or more user accounts:
1. In the List of Users table, select the check box to the left of the user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete a default user account.
2. Click the Delete table button.
Note: You cannot delete the default admin or guest user.
Note: For security reasons, the Deny Login from WAN Interface check box is selected by default for guests and administrators. The Disable Login check box is disabled (masked out) for administrators.
4. Click Apply to save your settings.
Configure Login Restrictions Based on IP Address
To restrict logging in based on IP address:
1. Select Users > Users. The Users screen displays (see Figure 140 on page 227).
2.
6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table:
Table 59. Defined addresses settings
Source Address Type: Select the type of address from the drop-down list:
• IP Address. A single IP address.
• IP Network. A subnet of IP addresses. You need to enter a netmask length in the Mask Length field.
Figure 144.
4. In the Defined Browsers Status section of the screen, select one of the following radio buttons:
• Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table.
• Allow Login only from Defined Browsers. Allow logging in from the browsers in the Defined Browsers table.
5. Click Apply to save your settings.
6.
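The login-restriction logic above (Defined Addresses rows of type IP Address or IP Network with a Mask Length, and a deny/allow-only mode) can be exercised offline. The following Python is an added example, not NETGEAR code; it assumes the Defined Addresses section offers the same two modes as the Defined Browsers section in step 4, and the table rows and login sources are constructed.

```python
"""Login-restriction check modelled on the Defined Addresses table.

Added example, not NETGEAR code. The rows below are a constructed
Defined Addresses table, and the two decision modes are assumed to
mirror the Deny Login from / Allow Login only from radio buttons that
the Defined Browsers section uses.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed mode names (the screen's radio buttons, not a device API).
DENY_FROM_DEFINED = "Deny Login from Defined Addresses"
ALLOW_ONLY_FROM_DEFINED = "Allow Login only from Defined Addresses"


@dataclass(frozen=True)
class DefinedAddress:
    """One row of the Defined Addresses table (Table 59)."""
    source_address_type: str           # "IP Address" or "IP Network"
    address: str
    mask_length: Optional[int] = None  # required for "IP Network"

    def network(self) -> IPNetwork:
        """Turn the row into the prefix it covers."""
        addr = ipaddress.ip_address(self.address)   # ValueError on junk
        if self.source_address_type == "IP Address":
            # A single address is a host prefix (/32 or /128).
            return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
        if self.source_address_type == "IP Network":
            if self.mask_length is None:
                raise ValueError("IP Network rows need a Mask Length")
            if not 0 <= self.mask_length <= addr.max_prefixlen:
                raise ValueError(f"Mask Length {self.mask_length} is out of range")
            # strict=False masks off host bits, e.g. 10.0.9.7/22 -> 10.0.8.0/22.
            return ipaddress.ip_network(f"{addr}/{self.mask_length}", strict=False)
        raise ValueError(f"unknown Source Address Type {self.source_address_type!r}")


def source_is_defined(src_ip: str, defined: Iterable[DefinedAddress]) -> bool:
    """True when the login source falls inside any row of the table."""
    src = ipaddress.ip_address(src_ip)
    # An IPv4 source never matches an IPv6 row (and vice versa).
    return any(src in row.network() for row in defined)


def login_allowed(src_ip: str, mode: str, defined: Iterable[DefinedAddress]) -> bool:
    """Apply the selected mode to one login attempt.

    Deny mode blocks only the listed sources; allow-only mode blocks
    everything except the listed sources, which is the fail-closed choice.
    """
    matched = source_is_defined(src_ip, defined)
    if mode == DENY_FROM_DEFINED:
        return not matched
    if mode == ALLOW_ONLY_FROM_DEFINED:
        return matched
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample table: one management host and one admin subnet.
DEFINED_ADDRESSES = [
    DefinedAddress("IP Address", "192.168.1.50"),
    DefinedAddress("IP Network", "10.0.8.0", mask_length=22),
]


if __name__ == "__main__":
    for attempt in ("192.168.1.50", "10.0.11.255", "10.0.12.1", "203.0.113.9"):
        for mode in (DENY_FROM_DEFINED, ALLOW_ONLY_FROM_DEFINED):
            verdict = "allowed" if login_allowed(attempt, mode, DEFINED_ADDRESSES) else "denied"
            print(f"{attempt:>14}  {mode:<42} {verdict}")
```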
Change Passwords and Other User Settings
For any user, you can change the password, user type, and idle time-out settings. Only administrators have read/write access. All other users have read-only access.
Note: The default password for the administrator and for a guest to access the VPN firewall’s web management interface is password.
To modify user settings:
1. Select Users > Users. The Users screen displays (see Figure 140 on page 227).
2.
Table 60. Edit User screen settings (continued)
Check to Edit Password: Select this check box to make the password fields accessible to modify the password.
Enter Your Password: Enter the old password.
New Password: Enter the new password.
Confirm New Password: Reenter the new password for confirmation.
Idle Timeout: The period after which an idle user is automatically logged out of the web management interface.
You can obtain a digital certificate from a well-known commercial certification authority (CA) such as Verisign or Thawte, or you can generate and sign your own digital certificate. Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate from a commercial CA provides a strong assurance of the server’s identity.
Manage CA Certificates
To view and upload trusted certificates: Select VPN > Certificates. The Certificates screen displays. The following figure shows the top section of the screen with the trusted certificate information and one example certificate in the Trusted Certificates (CA Certificate) table. Figure 146.
Manage Self-Signed Certificates
Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed certificate triggers a warning from most browsers because it provides no protection against identity theft of the server. The following figure shows an image of a browser security alert.
Figure 148. Certificates, screen 2 of 3
2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table:
Table 61. Generate self-certificate request settings
Name: A descriptive name of the domain for identification and management purposes.
Subject: The name that other organizations see as the holder (owner) of the certificate.
Table 61. Generate self-certificate request settings (continued)
Signature Key Length: From the drop-down list, select one of the following signature key lengths in bits:
• 512
• 1024
• 2048
Note: Larger key sizes might improve security, but might also decrease performance.
Optional Fields
IP Address: Enter your fixed (static) IP address. If your IP address is dynamic, leave this field blank.
c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”).
d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA.
7. Download the digital certificate file from the CA and store it on your computer.
8. Return to the Certificates screen (see Figure 148 on page 238) and locate the Self Certificate Requests section.
Manage the Certificate Revocation List
A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date. You should obtain the CRL for each CA regularly.
To view the currently loaded CRLs and upload a new CRL:
1. Select VPN > Certificates. The Certificates screen displays.
8. Network and System Management
This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall.
Using four WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but there is no backup in case one of the WAN ports fails. When such a failure occurs, the traffic that would have been sent on the failed WAN port is diverted to another WAN port that is still working, thus increasing its load. However, there is one exception: Traffic that is bound by protocol to the WAN port that failed is not diverted.
on the Services screen (see Services-Based Rules on page 83 and Add Customized Services on page 112).
• LAN users. You can specify which computers on your network are affected by an outbound rule. There are several options:
- Any. The rule applies to all PCs and devices on your LAN.
- Single address. The rule applies to the address of a particular PC.
- Address range. The rule applies to a range of addresses.
- Groups.
Source MAC Filtering
If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. By default, this feature is disabled; all traffic received from PCs with any MAC address is allowed. See Enable Source MAC Filtering on page 126 for the procedure on how to use this feature.
When you define inbound firewall rules, you can further refine their application according to the following criteria:
• Services. You can specify the services or applications to be covered by an inbound rule. If the desired service or application does not appear in the list, you need to define it on the Services screen (see Services-Based Rules on page 83 and Add Customized Services on page 112).
• WAN destination IP address.
request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules, and most likely would be blocked. For the procedure on how to configure port triggering, see Configure Port Triggering on page 130.
DMZ Port
The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN.
QoS profile to firewall rules. The QoS is set individually for each service. You can change the mix of traffic through the WAN ports by granting some services a higher priority than others:
• You can accept the default priority defined by the service itself by not changing its QoS setting.
• You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have.
To modify the administrator user account settings, including the password:
1. Select Users > Users. The Users screen displays. The following figure shows the VPN firewall’s default users—admin and guest—and, as an example, one other user in the List of Users table. Figure 151.
2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit User screen displays: Figure 152.
3.
5. As an option, you can change the idle time-out for an administrator login session. Enter a new number of minutes in the Idle Timeout field. (The default setting is 5 minutes.)
6. Click Apply to save your settings.
7. Repeat step 1 through step 6 for the user with the name guest.
Note: After a factory default reset, the password and time-out value are changed back to password and 5 minutes, respectively.
To configure the VPN firewall for remote management:
1. Select Administration > Remote Management. The Remote Management screen displays: Figure 153.
2. Enter the settings as explained in the following table:
Table 62. Remote Management screen settings
Secure HTTP Management
Allow Secure HTTP Management?: Select the Yes radio button to enable HTTPS remote management (which is the default setting) and specify the IP address settings and port number settings. Select the No radio button to disable HTTPS remote management.
Note: For enhanced security, and if practical, restrict remote management access to a single IP address or a small range of IP addresses.
Note: To maintain security, the VPN firewall rejects a login that uses http://address rather than the SSL https://address.
Note: The first time that you remotely connect to the VPN firewall with a browser via an SSL connection, you might get a warning message regarding the SSL certificate.
To access the CLI:
1. From your computer’s command-line prompt, enter the following command: telnet 192.168.1.1
2. Enter admin and password when prompted for the login and password information (or enter guest and password to log in as a read-only guest).
3. Enter exit to end the CLI session.
Any configuration changes made via the CLI are not preserved after a reboot or power cycle unless you issue the CLI save command after making the changes.
2. In the Create New SNMP Configuration Entry section of the screen, enter the settings as explained in the following table:
Table 63. SNMP screen settings
IP Address: The IP address of the SNMP management station that is allowed to receive the VPN firewall’s SNMP traps.
Subnet Mask: The subnet mask of the SNMP management station that is allowed to receive the VPN firewall’s SNMP traps.
Manage the VPN Firewall’s SNMP System Information
The following VPN firewall identification information is available to an SNMP manager: system contact, system location, and system name.
To modify the SNMP identification information:
1. Select Administration > SNMP. The SNMP screen displays (see Figure 154 on page 254).
2. Click the SNMP System Info option arrow in the upper right of the screen.
To display the Settings Backup and Firmware Upgrade screen: Select Administration > Settings Backup and Firmware Upgrade. Figure 157.
Back Up Settings
The backup feature saves all VPN firewall settings to a file. These settings include the IP addresses, subnet masks, gateway addresses, and so on. Back up your VPN firewall settings periodically, and store the backup file in a safe place.
Restore Settings
WARNING! Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the VPN firewall system software.
To restore settings from a backup file:
1. On the Settings Backup and Firmware Upgrade screen (see the previous screen), next to Restore saved settings from file, click Browse.
2.
WARNING! When you push the hardware reset button or click the software Default button, the VPN firewall settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost. Back up your settings if you intend to use them.
Note: After rebooting with factory default settings, the VPN firewall’s password is password and the LAN IP address is 192.168.1.1.
WARNING! Do not try to go online, turn off the VPN firewall, shut down the computer, or do anything else to the VPN firewall until the VPN firewall finishes the upgrade! When the Test light turns off, wait a few more seconds before doing anything.
7.
The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current Time: Wed Jul 20 15:24:51 GMT-0800 2011).
2. Enter the settings as explained in the following table:
Table 64. Time Zone screen settings
Date/Time: From the drop-down list, select the local time zone in which the VPN firewall operates.
Table 64. Time Zone screen settings (continued)
NTP Server (default or custom): From the drop-down list, select an NTP server:
• Use Default NTP Servers. The VPN firewall’s RTC is updated regularly by contacting a default NETGEAR NTP server on the Internet.
• Use Custom NTP Servers.
9. Monitoring System Access and Performance
This chapter describes the system monitoring features of the VPN firewall. You can be alerted to important events such as changes in WAN port status, WAN traffic limits reached, hacker probes and login attempts, dropped packets, and more. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described.
Figure 159.
2. Enter the settings for the WAN1 port as explained in the following table:
Table 65. WAN Traffic Meter screen settings
Enable Traffic Meter
Do you want to enable Traffic Metering on WAN1?: Select one of the following radio buttons to configure traffic metering:
• Yes. Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN1 interface.
Table 65. WAN Traffic Meter screen settings (continued)
Do you want to enable Traffic Metering on WAN1? (continued): Select one of the following radio buttons to specify if or how the VPN firewall applies restrictions when the traffic limit is reached:
• No Limit. No restrictions are applied when the traffic limit is reached.
• Download only. Restrictions are applied to incoming traffic when the traffic limit is reached.
The contents of the WAN2 Traffic Meter, WAN3 Traffic Meter, and WAN4 Traffic Meter screens are identical to the WAN1 Traffic Meter screen with the exception of the WAN interface number.
To display a report of the Internet traffic by type for the WAN1 interface: Click the Traffic by Protocol option arrow in the upper right of the WAN1 Traffic Meter screen.
Figure 161. The LAN Traffic Meter table shows the following columns, all of which are explained in detail in the following table:
• LAN IP Address. The LAN IP address that is subject to the traffic meter.
• Direction. The direction for which traffic is measured.
• Limit(MB). The traffic limit in MB.
• Traffic(MB). The traffic usage in MB.
• State. The state that indicates whether traffic to and from the IP address is allowed or blocked.
5. Enter the settings as explained in the following table:
Table 66. Add LAN Traffic Meter Account screen settings
Add LAN Traffic Meter Account
LAN IP Address: The LAN IP address for the account.
Direction: From the Direction drop-down list, select the direction in which traffic is measured:
• Inbound traffic. Restrictions are applied to incoming traffic when the traffic limit is reached.
• Both directions.
Figure 163.
To edit a LAN traffic meter account:
1. In the LAN Traffic Meter table, click the Edit table button to the right of the account that you want to edit. The Edit LAN Traffic Meter Account screen displays. This screen shows the same fields as the Add LAN Traffic Meter Account screen (see Figure 162 on page 267).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
Figure 164.
2. Enter the settings as explained in the following table:
Table 67. Firewall Logs & E-mail screen settings
Log Options
Log Identifier: Enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to the log messages. The default identifier is SRX5308.
Table 67. Firewall Logs & E-mail screen settings (continued)
Enable E-Mail Logs
Do you want logs to be emailed to you?: Select the Yes radio button to enable the VPN firewall to send logs to an email address. Complete the fields that are shown on the right side of the screen (see explanations later in this table). Select the No radio button to prevent the VPN firewall from sending logs to an email address, which is the default setting.
Table 67. Firewall Logs & E-mail screen settings (continued)
Enable SysLogs
Enable: Select one of the following radio buttons to configure the syslog server:
• Yes. The VPN firewall sends a log file to a syslog server. Complete the SysLog Server and SysLog Severity fields that are shown on the right side of the screen (see explanations later in this table).
• No.
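On the collector side, the Log Identifier and SysLog Severity settings above determine which of the firewall's messages are kept. The following Python is an added example, not NETGEAR code: it assumes BSD-style (RFC 3164) syslog lines with the identifier in the message body, and the sample lines are constructed rather than captured from the device.

```python
"""Parse and filter syslog lines sent by the VPN firewall.

Added example, not NETGEAR code. It assumes BSD-style (RFC 3164)
syslog lines whose <PRI> field is facility * 8 + severity and whose
message body carries the Log Identifier (default SRX5308); the sample
lines below are constructed and do not reproduce the device's real
message layout.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Syslog severity levels; list index == numeric code (0 = most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


@dataclass(frozen=True)
class SyslogEvent:
    facility: int
    severity: int              # numeric code, see SEVERITIES
    timestamp: str
    host: str
    identifier: Optional[str]  # Log Identifier found in the message, if any
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def parse_line(line: str, identifier: str = "SRX5308") -> Optional[SyslogEvent]:
    """Return the parsed event, or None for a line that is not valid syslog."""
    match = LINE_RE.match(line)
    if not match:
        return None
    pri = int(match.group("pri"))
    if pri > 191:                      # facility 0-23 * 8 + severity 0-7
        return None
    msg = match.group("msg")
    # The identifier must stand on its own (not inside a longer token).
    pattern = rf"(?<!\S){re.escape(identifier)}(?!\w)"
    found = identifier if re.search(pattern, msg) else None
    return SyslogEvent(
        facility=pri // 8,
        severity=pri % 8,
        timestamp=match.group("ts"),
        host=match.group("host"),
        identifier=found,
        message=msg,
    )


def events_at_or_above(lines: Iterable[str], threshold: str,
                       identifier: str = "SRX5308") -> List[SyslogEvent]:
    """Keep the firewall's messages at `threshold` severity or more severe.

    Mirrors the SysLog Severity setting: a threshold of "warning" keeps
    warning, error, critical, alert and emergency. Lines from other
    devices (no matching Log Identifier) and unparseable lines are dropped.
    """
    limit = SEVERITIES.index(threshold.lower())   # ValueError on a bad name
    kept = []
    for line in lines:
        event = parse_line(line, identifier)
        if event and event.identifier == identifier and event.severity <= limit:
            kept.append(event)
    return kept


# Constructed sample lines (addresses are from documentation ranges).
SAMPLE_LINES = [
    "<14>Jul 20 15:24:51 192.168.1.1 SRX5308: [FW] LAN-WAN ACCEPT TCP 192.168.1.23:51234 -> 203.0.113.7:443",
    "<12>Jul 20 15:25:02 192.168.1.1 SRX5308: [FW] WAN-LAN DROP TCP 198.51.100.9:44122 -> 203.0.113.1:23",
    "<10>Jul 20 15:25:10 192.168.1.1 SRX5308: [ADMIN] login failed for user admin from 198.51.100.9",
    "<13>Jul 20 15:25:30 fileserver01 smbd: connection from 192.168.1.40",
    "this line is not syslog at all",
]


if __name__ == "__main__":
    for event in events_at_or_above(SAMPLE_LINES, "warning"):
        print(f"{event.timestamp} {event.severity_name:<9} {event.message}")
```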
Figure 165. You can refresh the logs, clear the logs, or send the logs to an email address.
View the System (Router) Status and Statistics
The Router Status screen, Detailed Status screen, and Router Statistics screen provide real-time information about the following important components of the VPN firewall:
• Firmware versions that are loaded on the VPN firewall
• WAN and LAN port information
• Interface statistics
View the Router Status Screen
To view the Router Status screen: Select Monitoring > Router Status.
Figure 166.
View the Detailed Status Screen
To view the Detailed Status screen:
1. Select Monitoring > Router Status > Detailed Status. The Detailed Status screen displays. (Because of the large size of the screen and to avoid duplication of information, the following figure shows parts of the screen.
Figure 167. The following table explains the fields of the Detailed Status screen:
Table 69. Detailed Status screen information
LAN Port Configuration: The following fields are shown for each of the four LAN ports.
VLAN Profile: The name of the VLAN profile that you assigned to this port on the LAN Setup screen (see Assign and Manage VLAN Profiles on page 57).
Table 69. Detailed Status screen information (continued)
VLAN ID: The VLAN ID that you assigned to this port on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59). If the default VLAN profile is used, the VLAN ID is 1, which means that all tagged and untagged traffic can pass on this port.
MAC Address: The MAC address of this port. All LAN ports share the same MAC address (00:00:00:00:00:01).
Table 69. Detailed Status screen information (continued)
IP Address: The IP address of the WAN port.
Subnet Mask: The subnet mask of the WAN port.
Gateway: The IP address of the gateway.
Primary DNS Server: The IP address of the primary DNS server.
Secondary DNS Server: The IP address of the secondary DNS server.
The following table explains the fields of the Router Statistics screen:
Table 70. Router Statistics screen information
System up Time: The period since the last time that the VPN firewall was started up.
Router Statistics: For each of the four WAN interfaces and for all LAN interfaces combined, the following statistics are displayed:
Tx Pkts: The number of transmitted packets on the port in bytes.
To view the VLAN Status screen: Select Monitoring > Router Status > VLAN Status. The VLAN Status screen displays: Figure 168.
The following table explains the fields of the VLAN Status screen:
Table 71. VLAN Status screen information
Profile Name: The unique name for the VLAN that you have assigned on the Add VLAN Profile screen (see Configure a VLAN Profile on page 59).
Figure 169. The active user’s user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. To disconnect an active user, click the Disconnect table button to the right of the user’s table entry.
View the VPN Tunnel Connection Status
To view the status of current IPSec VPN tunnels: Select VPN > Connection Status.
Table 72. IPSec VPN Connection Status screen information (continued)
Tx (KB): The amount of data that is transmitted over this SA.
Tx (Packets): The number of IP packets that are transmitted over this SA.
State: The current status of the SA. Phase 1 is the authentication phase, and Phase 2 is the key exchange phase. If there is no connection, the status is IPSec SA Not Established.
Figure 172.
To view the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 173.
View the Port Triggering Status
To view the status of the port triggering feature:
1. Select Security > Port Triggering. The Port Triggering screen displays (see Figure 71 on page 131).
2. Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen appears in a popup window: Figure 174.
The Port Triggering Status screen displays the information that is described in the following table: Table 73.
Figure 175. The Connection Status screen displays the information that is described in the following table. The information that is shown on the Connection Status screen depends on the nature of the connection—static IP address or dynamically assigned IP address. Therefore, not all information that is described in the following table might be shown. Table 74.
View the Attached Devices and DHCP Log
The LAN Groups screen shows the network database, which is the Known PCs and Devices table that contains all IP devices that the VPN firewall has discovered on the local network. The LAN Setup screen lets you access the DHCP log.
View Attached Devices
To view the network database: Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays.
drop-down list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen (see Figure 35 on page 70).
• Profile Name. The VLAN to which the PC or device is assigned.
• Action. The Edit table button that provides access to the Edit Groups and Hosts screen.
Note: If the VPN firewall is rebooted, the data in the Known PCs and Devices table is lost until the VPN firewall rediscovers the devices.
Use the Diagnostics Utilities
From the Diagnostics screen you can perform diagnostics that are discussed in the following sections:
• Send a Ping Packet or Trace a Route
• Look Up a DNS Address
• Display the Routing Table
• Reboot the VPN Firewall
• Capture Packets
Note: For normal operation, diagnostics are not required.
To view the Diagnostics screen: Select Monitoring > Diagnostics. The Diagnostics screen displays: Figure 178.
• Send a ping packet request to trace the route and to show the various hops between the VPN firewall and a specific IP address. The trace-route results are displayed on the Trace Route screen. Select Monitoring > Diagnostics to return to the Diagnostics screen. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
appears as a popup window. (The IP addresses that are shown in the following figure do not relate to other figures and examples in this manual.) Figure 179.
Reboot the VPN Firewall
You can perform a remote reboot (restart), for example, when the VPN firewall seems to have become unstable or is not operating normally.
Figure 180.
2. From the Select Network drop-down list, select a WAN interface, DMZ interface (if enabled), or VLAN.
3. Click the Start button to start capturing the traffic flow. The following text appears in the popup window: Packet tracing started. Click “stop” when done.
4. When you want to stop capturing the traffic flow, click the Stop button. The following text appears in the popup window: Packet tracing stopped.
10. Troubleshooting and Using Online Support
This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated.
• Is the VPN firewall on? Go to Basic Functioning on page 294.
• Have I connected the VPN firewall correctly? Go to Basic Functioning on page 294.
• I cannot access the VPN firewall’s web management interface.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Basic Functioning After you turn on power to the VPN firewall, the following sequence of events should occur: 1. When power is first applied, verify that the Power LED is on. 2. After approximately 2 minutes, verify that: a. The Test LED is no longer lit. b. The left LAN port LEDs are lit for any local ports that are connected. c. The left WAN port LEDs are lit for any WAN ports that are connected.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the VPN firewall and at the hub, router, or workstation. • Make sure that power is turned on to the connected hub, router, or workstation.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded. • Try quitting the browser and launching it again. • Make sure that you are using the correct login information. The factory default login name is admin, and the password is password. Make sure that Caps Lock is off when entering this information.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 4. Click the Status button in the Action column of the WAN interface for which you want to view the connection status. The Connection Status screen appears in a popup window. (For more information, see View the WAN Port Connection Status on page 285.) 5. Check that an IP address is shown for the WAN port. If 0.0.0.0 is shown, your VPN firewall has not obtained an IP address from your ISP.
Troubleshoot a TCP/IP Network Using the Ping Utility

Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. You can easily troubleshoot a TCP/IP network by using the ping utility in your PC or workstation.

Test the Path from Your PC to a Remote Device

After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type: ping -n 10 where is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed.

Figure 181.

The VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off.

WARNING! When you push the hardware reset button or click the software Default button, the VPN firewall settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost.

• Time is off by 1 hour. Cause: The VPN firewall does not automatically sense daylight savings time. Go to the Time Zone screen, and select or clear the Automatically Adjust for Daylight Savings Time check box.

Access the Knowledge Base and Documentation

To access NETGEAR’s knowledge base for the VPN firewall, select Web Support > Knowledgebase. To access NETGEAR’s documentation library for the VPN firewall, select Web Support > Documentation.
A. Default Settings and Technical Specifications

You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see Revert to Factory Default Settings on page 258).
• To perform a hard reset, press and hold the reset button for approximately 8 seconds (until the Test LED blinks rapidly). The VPN firewall returns to the factory configuration settings that are shown in the following table.

Table 75. VPN firewall default configuration settings (continued)
Feature | Default behavior
RIP authentication | Disabled
DHCP server | Enabled
DHCP starting IP address | 192.168.1.2
DHCP starting IP address | 192.168.1.

Table 76.

The following table shows the SSL VPN specifications for the VPN firewall:

Table 78. VPN firewall SSL VPN specifications
Setting | Specification
Network Management | Web-based configuration and status monitoring
Number of concurrent users supported | 50
SSL versions | SSLv3, TLS1.
B. Network Planning for Multiple WAN Ports

This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections:
• What to Consider Before You Begin
• Overview of the Planning Process
• Inbound Traffic
• Virtual Private Networks

What to Consider Before You Begin

The VPN firewall is a powerful and versatile solution for your networking needs.

2. Set up your accounts.
   a. Obtain active Internet services such as DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information.
• In this manual, the WAN side of the network is presumed to be provisioned as shown in the following figure, with two ISPs connected to the VPN firewall through separate physical facilities.

Computer Network Configuration Requirements

The VPN firewall integrates a web management interface. To access the configuration screens on the VPN firewall, you need to use a Java-enabled web browser that supports HTTP uploads, such as Microsoft Internet Explorer 6 or later, Mozilla Firefox 3 or later, or Apple Safari 3 or later, with JavaScript, cookies, and SSL enabled. Free browsers are readily available for Windows, Macintosh, and UNIX/Linux.

Internet Connection Information

Print this page with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP.
_________________________________________________________________________
• ISP Login Name: The login name and password are case-sensitive and need to be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name.

Overview of the Planning Process

The areas that require planning when you use a firewall that has multiple WAN ports such as the VPN firewall include the following:
• Inbound traffic (port forwarding, port triggering)
• Outbound traffic (protocol binding)
• Virtual private networks (VPNs)
Two WAN ports can be configured on a mutually exclusive basis to either of the following:
• auto-rollover for increased reliability
• load balance for outgoing tr
Figure 183.

Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port need to be in the identical range of fixed addresses.
• Dual WAN ports in load balancing mode. Load balancing for a VPN firewall with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address.

Inbound Traffic to a Single WAN Port System

The Internet IP address of the VPN firewall’s WAN port needs to be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled. In the single WAN case, the WAN’s Internet address is either a fixed IP address or an FQDN if the IP address is dynamic.

Figure 185.

Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic.

Figure 187.

Virtual Private Networks

When implementing virtual private network (VPN) tunnels, you need to use a mechanism for determining the IP addresses of the tunnel endpoints.

• Dual WAN ports in auto-rollover mode. A dual WAN port auto-rollover gateway configuration is different from a single WAN port gateway configuration when you specify the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of an FQDN is always required, even when the IP address of each WAN port is fixed.

VPN Road Warrior: Single Gateway WAN Port (Reference Case)

In a single WAN port gateway configuration, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port needs to act as the responder.

Figure 190.

The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, an FQDN needs to be used.

Figure 192.

The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or reestablish a VPN tunnel.
• Dual-gateway WAN ports for load balancing

VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)

In a configuration with two single WAN port gateways, either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in advance.

Figure 194.

The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN.

After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in the following figure), and one of the gateways needs to reestablish the VPN tunnel.

Figure 196.

VPN Telecommuter (Client-to-Gateway through a NAT Router)

Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.

Figure 199.

The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance). After a rollover of the WAN port has occurred, the previously inactive gateway WAN port becomes the active port (port WAN2 in the following figure) and the remote PC needs to reestablish the VPN tunnel.

Figure 201.

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.
C. System Logs and Error Messages

This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided. This appendix contains the following sections:
• System Log Messages
• Routing Logs
• Other Event Logs
• DHCP Logs
This appendix uses the following log message terms.

Table 81. Log message terms
Term | Description
[SRX5308] | System identifier.
[kernel] | Message from the kernel.
CODE | Protocol code (e.g.

System Log Messages

This section describes log messages that belong to one of the following categories:
• Logs generated by traffic that is meant for the VPN firewall.
• Logs generated by traffic that is routed or forwarded through the VPN firewall.
• Logs generated by system daemons: the NTP daemon, the WAN daemon, and other daemons.
To select many of these logs, see Activate Notification of Events, Alerts, and Syslogs on page 269.

Login/Logout

This section describes logs generated by the administrative interfaces of the device.

Table 83. System logs: login/logout
Message: Nov 28 14:45:42 [SRX5308] [login] Login succeeded: user admin from 192.168.10.10
Explanation: Login of user admin from host with IP address 192.168.10.10.

Firewall Restart

This section describes logs that are generated when the VPN firewall restarts.

Table 86. System logs: VPN firewall restart
Message: Jan 23 16:20:44 [SRX5308] [wand] [FW] Firewall Restarted
Explanation: Log generated when the VPN firewall is restarted. This message is logged when the VPN firewall restarts after any changes in the configuration are applied.

ICMP Redirect Logs

Table 89. System logs: unicast, redirect
Message: Feb 2007 22 14:36:07 [SRX5308] [kernel] [LOG_PACKET] SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1
Explanation:
• This packet is an ICMP redirect message sent to the device by another device.
• For other settings, see Table 81 on page 322.
This section describes the logs generated when the WAN mode is set to load balancing.

Table 91.

Table 92. System logs: WAN status, auto-rollover (continued)
Explanation: The logs suggest that the failover was detected after 5 attempts instead of 3. However, the messages appear in the log because of the WAN state transition logic, which is part of the failover algorithm. These logs can be interpreted as follows: The primary link failure is correctly detected after the 3rd attempt.

Table 93. System logs: WAN status, PPPoE idle time-out (continued)
Explanation:
Message 1: PPPoE connection started.
Message 2: Message from PPPoE server for correct login.
Message 3: Authentication for PPP succeeded.
Message 4: Local IP address assigned by the server.
Message 5: Server side IP address.
Message 6: The primary DNS server that is configured on the WAN ISP Settings screen.

PPP Authentication Logs

Table 95. System logs: WAN status, PPP authentication
Message:
Nov 29 11:29:26 [SRX5308] [pppd] Starting link
Nov 29 11:29:29 [SRX5308] [pppd] Remote message: Login incorrect
Nov 29 11:29:29 [SRX5308] [pppd] PAP authentication failed
Nov 29 11:29:29 [SRX5308] [pppd] Connection terminated.WAN2(DOWN)_
Explanation: Starting link: Starting PPPoE connection process.

Table 97.
Table 98. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel is reestablished
Message 1:
2000 Jan 1 04:32:25 [SRX5308] [IKE] Sending Informational Exchange: delete payload[]_
Messages 2 through 6:
2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi= 181708762._
2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi= 153677140.

Table 99. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel not reestablished
Message:
2000 Jan 1 04:52:33 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24_
2000 Jan 1 04:52:33 [SRX5308] [IKE] Configuration found for 20.0.0.1._
2000 Jan 1 04:52:59 [SRX5308] [IKE] Phase 1 negotiation failed due to time up for 20.0.0.1[500].

Table 101. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec), VPN tunnel torn down
Message 1, Message 2, Message 3:
2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to peer 192.168.10.2 failed 3 consecutive times and 5 times cumulative_
2000 Jan 1 06:01:19 [SRX5308] [IKE] DPD R-U-THERE sent to "20.0.0.1[500]"_
2000 Jan 1 06:01:19 [SRX5308] [IKE] DPD R-U-THERE-ACK received from "20.0.0.

Table 103. System logs: IPSec VPN tunnel, client policy behind a NAT device
Message 3, Message 6:
2000 Jan 1 01:54:21 [SRX5308] [IKE] Floating ports for NAT-T with peer 20.0.0.1[4500]_
2000 Jan 1 01:54:21 [SRX5308] [IKE] NAT-D payload matches for 20.0.0.2[4500]_
2000 Jan 1 01:54:21 [SRX5308] [IKE] NAT-D payload does not match for 20.0.0.1[4500]_
2000 Jan 1 01:54:21 [SRX5308] [IKE] Ignore REPLAY-STATUS notification from 20.0.0.1[4500].

Table 106. System logs: VPN log messages, port forwarding, LAN host and interface
Message: 2000 Jan 1 01:35:41 [SRX5308] [portforwarding] id=SRX5308 time="2000-1-1 1:35:41" fw=192.168.11.1 pri=6 rule=access-policy proto="Virtual Transport (Java)" src=192.168.11.2 user=sai dst=192.168.11.1 arg= "" op="" result="" rcvd="" msg="Virtual Transport (Java)"
Explanation: An SSL VPN tunnel through port forwarding is established for ID SRX5308 from the LAN host 192.
LAN to DMZ Logs

Table 109. Routing Logs: LAN to DMZ
Message: Nov 29 09:44:06 [SRX5308] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from LAN to DMZ has been allowed by the firewall.
• For other settings, see Table 81 on page 322.
Recommended Action: None

DMZ to WAN Logs

Table 110.

WAN to DMZ Logs

Table 113. Routing Logs: WAN to DMZ
Message: Nov 29 09:19:43 [SRX5308] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from WAN to DMZ has been allowed by the firewall.
• For other settings, see Table 81 on page 322.

Bandwidth Limit Logs

Table 116. Other Event Logs: Bandwidth Limit, Outbound Bandwidth Profile
Message: 2000 Jan 1 00:10:36 [SRX5308] [kernel] [BW_LIMIT_DROP] IN=LAN OUT=WAN SRC=192.168.100.2 DST=22.0.0.2 PROTO=ICMP TYPE=144 CODE=145 TC_INDEX=10 CLASSID=10:5
Explanation: This log is generated when an outbound packet is dropped because the packet size exceeds the specified bandwidth limit.

Table 118. DHCP Logs (continued)
Explanation:
Message 1: The DHCP server is listening on eth0.1.
Message 2: Release of the currently assigned IP address from the host by the DHCP server.
Message 3: DHCP broadcast by the host is discovered by the DHCP server.
Message 4: The DHCP server offers a new IP address to the host’s current network interface.
Message 5: Two new leases are written to the lease file.
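The log tables in this appendix all share one header layout (date, [SRX5308], [facility], message body) and the kernel packet logs add KEY=VALUE fields (SRC, DST, PROTO, TYPE, CODE). The following parser and triage pass is an added example, not NETGEAR code: it splits lines in those formats into fields and labels the events an administrator reviewing a syslog feed would want surfaced (ICMP redirects from Table 89, PPP authentication failures from Table 95, keep-alive failures from Table 101, bandwidth-limit drops from Table 116, administrative logins from Table 83). The alert rules and the sample lines are constructed for illustration.

```python
"""Parse and triage SRX5308 syslog lines in the formats shown in Tables 83, 89, 95,
101, 109 and 116 (Appendix C). Added example, not NETGEAR's code; the alert rules
and the sample excerpt below are constructed for illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Header: optional year, month, day, time, [system id], [facility], rest of line.
# Matches "Nov 29 09:44:06 [SRX5308] [kernel] ..." and "2000 Jan 1 06:01:18 [SRX5308] [IKE] ...".
HEADER_RE = re.compile(
    r"^(?:(?P<year>\d{4})\s+)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+\[(?P<sysid>[^\]]+)\]\s+\[(?P<facility>[^\]]+)\]\s+(?P<body>.*)$"
)
# Routing logs start with PATH[ACTION] (LAN2DMZ[ACCEPT]); other kernel logs with a bare [TAG].
TAG_RE = re.compile(r"^(?:(?P<path>[A-Z0-9]+)\[(?P<action>[A-Z]+)\]|\[(?P<tag>[A-Z_]+)\])\s*")
KV_RE = re.compile(r"(?P<key>[A-Z_]+)=(?P<val>\S*)")  # SRC=... DST=... PROTO=... TYPE=...
IP_AFTER_RE = re.compile(r"\b(?:from|peer)\s+(\d{1,3}(?:\.\d{1,3}){3})")  # "from <ip>" / "peer <ip>"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into header fields, the packet tag, and any KEY=VALUE pairs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None  # not an SRX5308 log line
    rec = {k: v for k, v in m.groupdict().items() if v is not None}
    rest = rec["body"]
    tag = TAG_RE.match(rest)
    if tag:
        rec.update({k: v for k, v in tag.groupdict().items() if v is not None})
        rest = rest[tag.end():]
    for kv in KV_RE.finditer(rest):
        rec[kv.group("key")] = kv.group("val")
    return rec


def source_of(rec: Dict[str, str]) -> Optional[str]:
    """Best-effort source address: SRC= for packet logs, 'from'/'peer' for daemon logs."""
    if "SRC" in rec:
        return rec["SRC"]
    m = IP_AFTER_RE.search(rec["body"])
    return m.group(1) if m else None


def triage(rec: Dict[str, str]) -> Optional[str]:
    """Label the records worth surfacing to an administrator (rules are this example's own)."""
    fac, body = rec["facility"], rec["body"]
    if fac == "kernel" and rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "5":
        return "icmp-redirect"         # Table 89: another host sent the firewall an ICMP redirect
    if fac == "kernel" and rec.get("tag") == "BW_LIMIT_DROP":
        return "bandwidth-limit-drop"  # Table 116: outbound packet exceeded its bandwidth profile
    if fac == "pppd" and "authentication failed" in body:
        return "ppp-auth-failed"       # Table 95: ISP rejected the PPPoE credentials; WAN goes down
    if fac == "VPNKA" and body.startswith("Keep alive to peer") and "failed" in body:
        return "vpn-keepalive-failed"  # Table 101: the IPSec tunnel is about to be torn down
    if fac == "login" and body.startswith("Login succeeded"):
        return "admin-login"           # Table 83: audit every administrative login
    return None


def triage_lines(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Run parse_line and triage over a log excerpt; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = triage(rec)
        if label:
            findings.append((label, source_of(rec)))
    return findings


# Constructed excerpt modelled on the manual's log tables (addresses are the manual's examples).
SAMPLE_LOG = [
    "Nov 28 14:45:42 [SRX5308] [login] Login succeeded: user admin from 192.168.10.10",
    "Nov 29 09:44:06 [SRX5308] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0",
    "Feb 22 14:36:07 [SRX5308] [kernel] [LOG_PACKET] SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1",
    "Nov 29 11:29:29 [SRX5308] [pppd] PAP authentication failed",
    "2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to peer 192.168.10.2 failed 3 consecutive times and 5 times cumulative",
    "2000 Jan 1 00:10:36 [SRX5308] [kernel] [BW_LIMIT_DROP] IN=LAN OUT=WAN SRC=192.168.100.2 DST=22.0.0.2 PROTO=ICMP TYPE=144 CODE=145 TC_INDEX=10 CLASSID=10:5",
    "this line is not firewall output and is skipped",
]

if __name__ == "__main__":
    for label, src in triage_lines(SAMPLE_LOG):
        print(f"{label:22s} source={src}")
```

Feed it the syslog export from the Logs screen (see page 269) to get the same labels over a real capture; the accepted LAN-to-DMZ echo request in the sample is deliberately not flagged.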
D. Two-Factor Authentication

This appendix provides an overview of Two-Factor Authentication, and an example of how to implement the WiKID solution.

• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.

To use WiKID (for end users):
1. Launch the WiKID token software, enter the PIN that has been provided (something the user knows), and then click Continue to receive the OTP from the WiKID authentication server:
Figure 202.
2. A one-time passcode (something the user has) is generated.
Figure 203.

Figure 204.
E. Notification of Compliance

NETGEAR Wired Products

Regulatory Compliance Information

This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may result in unlawful operation and adverse action against the end-user by the applicable National regulatory authority.

FCC Radio Frequency Interference Warnings & Instructions

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.