Instruction/maintenance manual of the product SRX5308-100NAS NETGEAR
350 East Plumeria Drive San Jose, CA 95134 USA July 2012 202-10536-04 v1.0 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual.
© 2010–2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.
202-10536-02 1.0 July 2011 Added new features that are documented in the following sections: • Configure WAN QoS Profiles • Inbound Rules (Po.
Contents
Chapter 1 Introduction
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
Key Features and Capabilities
Quad-WAN Ports for Increased Reliability and Load Balancing
Configure a Static IPv6 Internet Connection
Configure a PPPoE IPv6 Internet Connection
Configure 6to4 Automatic Tunneling
Order of Precedence for Rules
Configure LAN WAN Rules
Create LAN WAN Outbound Service Rules
User Database Configuration
RADIUS Client and Server Configuration
Assign IPv4 Addresses to Remote Users (Mode Config)
VPN Certificates Screen
Manage VPN CA Certificates
Manage VPN Self-Signed Certificates
When You Enter a URL or IP Address, a Time-Out Error Occurs
Troubleshoot the ISP Connection
Troubleshooting the IPv6 Connection
DMZ to LAN Logs
WAN to DMZ Logs
1. Introduction
This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web management interface.
The VPN firewall is a security solution that protects your network from attacks and intrusions. For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support.
• One console port for local management.
• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for the NETGEAR ProSafe Network Management Software (NMS200) over a LAN connection.
- Allows browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
- Provides granular access to corporate resources based on user type or group membership.
network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The VPN firewall incorporates Auto Uplink™ technology.
• Auto-detection of ISP. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
• IPSec VPN Wizard.
Hardware Features
• Front Panel
• Rear Panel
• Bottom Panel with Product Label
The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are described in the following sections.
Table 1. LED descriptions
LED | Activity | Description
Power | On (green) | Power is supplied to the VPN firewall.
Power | Off | Power is not supplied to the VPN firewall.
Test | On (amber) during startup.
Rear Panel
The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a cable lock receptacle, an AC power connection, and a power switch. Figure 2.
Choose a Location for the VPN Firewall
The VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack.
Log In to the VPN Firewall
Note: To connect the VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide.
Note: The first time that you remotely connect to the VPN firewall with a browser through an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL certificate.
Web Management Interface Menu Layout
The following figure shows the menu at the top of the web management interface: Figure 7. The web management interface menu consists of the following components:
• 1st level: Main navigation menu links.
- The IPv6 button is operational but the IPv4 button is disabled. You can configure the feature onscreen for IPv6 functionality only.
- Both buttons are disabled. IP functionality does not apply.
Requirements for Entering IP Addresses
To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically from the VPN firewall, either an IPv4 address through DHCP or an IPv6 address through DHCPv6, or both.
2. IPv4 and IPv6 Internet and WAN Settings
This chapter explains how to configure the IPv4 and IPv6 Internet and WAN settings. The chapter contains the following sections: • Internet an.
Tasks to Set Up IPv4 Internet Connections to Your ISPs
Complete these tasks:
1. Configure the IPv4 routing mode. Select either NAT or classical routing: see Configure the IPv4 WAN Mode on page 28.
3. Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISATAP tunnels: See Configure 6to4 Automatic Tunneling on page 63 and Configure ISATAP Automatic Tunneling on page 64.
Note the following about NAT:
• The VPN firewall uses NAT to select the correct computer (on your LAN) to receive any incoming data.
• If you have only a single public Internet IP address, you need to use NAT (the default setting).
2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button or the Classical Routing radio button.
WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.
You can set the failure detection method for each WAN interface on its corresponding WAN Advanced Options screen (see Configure the Auto-Rollover Mode and Failure Detection Method on page 44).
• If the autodetect process senses a connection method that requires input from you, it prompts you for the information.
Figure 13. The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet.
The IPv4 WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
Figure 16.
6. If your connection is PPTP or PPPoE, your ISP requires an initial login.
7. In the Internet (IP) Address section of the screen (see the following figure), configure the IP address settings as explained in the following table. Click the Current IP Address link to see the currently assigned IP address.
8. In the Domain Name Server (DNS) Servers section of the screen (see the following figure), specify the DNS settings as explained in the following table.
9. Click Apply to save your changes.
10. Click Test to evaluate your entries. The VPN firewall attempts to make a connection according to the settings that you entered.
Configure Load Balancing or Auto-Rollover
The VPN firewall can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency).
Protocol binding addresses two issues:
• Segregation of traffic between links that are not of the same speed.
connection to the Internet could be made on the WAN3 interface. This load balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions.
Figure 22.
4. Configure the protocol binding settings as explained in the following table:
Table 6. Add Protocol Binding screen settings
Setting | Description
Service | From the drop-down list, select a service or application to be covered by this rule.
5. Click Apply to save your settings. The protocol binding rule is added to the Protocol Binding table. The rule is automatically enabled, which is indicated by the ! status icon that displays a green circle.
Configure the Auto-Rollover Mode and Failure Detection Method
To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured.
2. In the Load Balancing Settings section of the screen, configure the following settings: a.
Note: The default time to roll over after the primary WAN interface fails is 2 minutes. The minimum test period is 30 seconds, and the minimum number of tests is 2.
After you have configured secondary WAN addresses, these addresses are displayed on the following fir.
Figure 24. The List of Secondary WAN addresses table displays the secondary LAN IP addresses added for the selected WAN interface.
4. In the Add WAN Secondary Addresses section of the screen, enter the following settings:
• IP Address.
domain, and restores DNS requests for the resulting fully qualified domain name (FQDN) to your frequently changing IP address.
Figure 25.
3. Click the Information option arrow in the upper right of a DNS screen for registration information (for example, DynDNS Information). Figure 26.
5. Configure the DDNS service settings as explained in the following table: 6.
Note: You can configure only one WAN interface for IPv6. This restriction might be lifted in a later release. You can configure the other three WAN interfaces for IPv4.
These are the options:
• IPv4-only mode. The VPN firewall communicates only with devices that have IPv4 addresses.
• IPv4/IPv6 mode. The VPN firewall communicates with both devices that have IPv4 addresses and devices that have IPv6 addresses.
WARNING: Changing the IP routing mode causes the VPN firewall to reboot.
The IPv6 WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
6. As an optional step: If you have selected the Stateless Address Auto Configuration radio button, you can select the Prefix Delegation check box:
• Prefix delegation check box is selected.
Configure a Static IPv6 Internet Connection
To configure a static IPv6 or PPPoE IPv6 Internet connection, you need to enter the IPv6 address information that you should have received from your ISP.
Figure 32.
4. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6.
5. In the Static IP Address section of the screen, enter the settings as explained in the following table.
6. Click Apply to save your changes.
7. Verify the connection:
a. Select Network Configuration > WAN Settings > WAN Setup.
b. In the upper right of the screen, select the IPv6 radio button.
Configure a PPPoE IPv6 Internet Connection
To configure a PPPoE IPv6 Internet connection, you need to enter the PPPoE IPv6 information that you should have received from your ISP.
Figure 35.
4. In the Internet Address section of the screen, from the IPv6 drop-down list, select PPPoE.
5. In the PPPoE IPv6 section of the screen, enter the settings as explained in the following table.
6. Click Apply to save your changes.
7. Verify the connection:
a. Select Network Configuration > WAN Settings > WAN Setup.
b. In the upper right of the screen, select the IPv6 radio button.
Note: If your ISP requires MAC authentication and another MAC address has been previously registered wi.
Figure 36.
2. Select the Enable Automatic Tunneling check box.
To configure an ISATAP tunnel:
1. Select Network Configuration > WAN Settings > ISATAP Tunnels. The ISATAP Tunnels screen displays. (The following figure shows some examples.
To edit an ISATAP tunnel:
1. On the ISATAP Tunnels screen, click the Edit button in the Action column for the tunnel that you want to modify. The Edit ISATAP Tunnel screen displays.
SIIT functions with IPv4-translated addresses, which are addresses of the format 0::ffff:0:0:0/96 for IPv6-enabled devices. You can substitute an IPv4 address in the format a.
To configure advanced WAN options:
1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the screen, the IPv4 radio button is selected by default.
3. Click the Advanced option arrow in the upper right of the screen. The WAN Advanced Options screen displays for the WAN interface that you selected. (The following figure shows the WAN2 Advanced Options screen as an example.
Speed | In most cases, the VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection.
5. Click Apply to save your changes.
WARNING: Depending on the changes that you made, when you click Apply, the VPN firewall might restart, or services such as HTTP and SMTP might restart.
If you want to configure the advanced settings for an additional WAN interface, select another WAN interface and repeat these steps.
Figure 44.
2. To enable QoS, select the Yes radio button. By default, the No radio button is selected.
3. Specify the profile type that should be active by selecting one of the following radio buttons:
• Rate control.
Figure 45.
3. Enter the settings as explained in the following table:
Table 13. Add QoS screen settings for a rate control profile
Setting | Description
QoS Type | Rate Control (for Priority, see Figure 46 on page 76 and Table 14 on page 76).
Congestion Priority | From the drop-down list, select the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall:
• Default.
4. Click Apply to save your settings. The profile is added to the List of QoS Profiles table on the QoS screen.
To add a priority queue QoS profile: 1.
4. Click Apply to save your settings. The profile is added to the List of QoS Profiles table on the QoS screen.
Service | From the drop-down list, select a service or application to be covered by this profile.
To edit a QoS profile:
1. In the List of QoS Profiles table, click the Edit table button to the right of the profile that you want to edit. The Edit QoS screen displays.
3. LAN Configuration
This chapter describes how to configure the LAN features of your VPN firewall. The chapter contains the following sections: • Manage IPv4 Virtual LANs and DHCP Optio.
a single VLAN, they can share resources and bandwidth as if they were connected to the same segment.
packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged.
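The PVID rule above, modelled on raw Ethernet frames as an added example (not code from NETGEAR or from this manual): an untagged frame entering a port is classified into the port's PVID, and a frame leaving a port whose PVID matches its VLAN goes out untagged. The function names and the sample frame are constructed for illustration; keeping the tag on egress when the VLAN differs from the port PVID, and treating VID 0 as untagged, are assumptions based on standard 802.1Q behaviour that this excerpt does not state.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag
MAC_HEADER = 12      # destination MAC (6 bytes) + source MAC (6 bytes)


def parse_vlan(frame: bytes):
    """Return (vid, frame_without_tag); vid is None when the frame is untagged."""
    if len(frame) < MAC_HEADER + 2:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[MAC_HEADER:MAC_HEADER + 2])
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < MAC_HEADER + 6:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[MAC_HEADER + 2:MAC_HEADER + 4])
    vid = tci & 0x0FFF  # low 12 bits of the tag control field are the VLAN ID
    return vid, frame[:MAC_HEADER] + frame[MAC_HEADER + 4:]


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag carrying vid into an untagged frame."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    tci = ((pcp & 0x7) << 13) | vid
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:MAC_HEADER] + tag + frame[MAC_HEADER:]


def ingress(frame: bytes, port_pvid: int):
    """Classify a frame arriving on a port: returns (vid, untagged frame)."""
    vid, inner = parse_vlan(frame)
    if vid is None or vid == 0:
        # Untagged frame (or, by assumption, a priority-tagged one):
        # it is assigned to the port's PVID, as the manual describes.
        vid = port_pvid
    return vid, inner


def egress(inner: bytes, vid: int, port_pvid: int) -> bytes:
    """Build the frame as it leaves a port with the given PVID."""
    if vid == port_pvid:
        return inner              # same PVID: leaves the port untagged
    return add_tag(inner, vid)    # assumption: other VLANs leave tagged


# Constructed sample: broadcast destination, locally administered source MAC,
# EtherType 0x0800, and a dummy payload.
UNTAGGED = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"

if __name__ == "__main__":
    vid, inner = ingress(UNTAGGED, port_pvid=1)
    print("untagged frame classified into VLAN", vid)
    print("egress on PVID 1 is untagged:", egress(inner, vid, 1) == UNTAGGED)
    print("egress of VLAN 20 on PVID 1:", egress(inner, 20, 1)[12:16].hex())
```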
For each VLAN profile, the following fields display in the VLAN Profiles table:
• Check box. Allows you to select the VLAN profile in the table.
• Status icon. Indicates the status of the VLAN profile:
- Green circle.
DHCP Relay
DHCP relay options allow you to make the VPN firewall a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages.
Figure 48.
2. Click the Add table button under the VLAN Profiles table. The Add VLAN Profile screen displays: Figure 49.
3. Enter the settings as explained in the following table:
Table 15. Add VLAN Profile screen settings
Setting | Description
VLAN Profile
Profile Name | Enter a unique name for the VLAN profile.
Enable DHCP Server | Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.
4. Click Apply to save your settings.
Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side.
To edit a VLAN profile:
1. On the LAN Setup screen for IPv4 (see Figure 48 on page 84), click the Edit button in the Action column for the VLAN profile that you want to modify.
Figure 50.
3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.)
4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box.
The following is an example of correctly configured IPv4 addresses:
• WAN IP address. 10.0.0.1 with subnet 255.0.0.0
• DMZ IP address. 176.16.2.1 with subnet 255.255.255.0
• Primary LAN IP address.
To edit a secondary LAN IP address:
1. On the LAN Multi-homing screen for IPv4 (see the previous figure), click the Edit button in the Action column for the secondary IP address that you want to modify.
These are some advantages of the network database:
• Generally, you do not need to enter an IP address or a MAC address. Instead, you can select the name of the desired computer or device.
Figure 52. The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display:
• Check box. Allows you to select the computer or device in the table.
Add Computers or Devices to the Network Database
To add computers or devices manually to the network database:
1. In the Add Known PCs and Devices section of the LAN Groups screen (see the previous figure), enter the settings as explained in the following table: 2.
Edit Computers or Devices in the Network Database
To edit computers or devices manually in the network database:
1. In the Known PCs and Devices table of the LAN Groups screen (see Figure 52 on page 93), click the Edit table button of a table entry.
To edit the name of one of the eight available groups:
1. Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays (see Figure 52 on page 93, which shows some examples in the Known PCs and Devices table).
Note: The reserved address is not assigned until the next time the computer or device contacts the VPN firewall's DHCP server. Reboot the computer or device, or access its IP configuration and force a DHCP release and renew.
DHCPv6 Server Options
The IPv6 clients in the LAN can autoconfigure their own IPv6 address or obtain an IPv6 address through a DHCPv6 server.
Stateful DHCPv6 Server
The IPv6 clients in the LAN obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server.
3. Enter the settings as explained in the following table. The IPv6 address pools and prefixes for prefix delegation are explained in the sections following the table. Table 17.
4. Click Apply to save your changes.
IPv6 LAN Address Pools
If you configure a stateful DHCPv6 server for the LAN, you need to add local DHCP IPv6 address pools so the DHCPv6 server can control the allocation of IPv6 addresses in the LAN.
Figure 56.
2. Enter the settings as explained in the following table:
3. Click Apply to save your changes and add the new IPv6 address pool to the List of IPv6 Address Pools table on the LAN Setup screen for IPv6.
IPv6 LAN Prefixes for Prefix Delegation
If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delega.
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN
Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Daemon (RADVD) and advertisement prefixes.
To configure the Router Advertisement Daemon for the LAN:
1. Select Network Configuration > LAN Settings.
2. In the upper right of the screen, select the IPv6 radio button.
5. Click Apply to save your changes.
Advertisement Prefixes for the LAN
You need to configure the prefixes that are advertised in the LAN RAs. For a 6to4 address, you need to specify only the site level aggregation identifier (SLA ID) and the prefix lifetime.
Figure 59.
2. Enter the settings as explained in the following table:
3. Click Apply to save your changes and add the new IPv6 address pool to the List of Prefixes to Advertise table on the RADVD screen for the LAN.
3. Click Apply to save your settings.
To delete one or more advertisement prefixes: 1.
3. In the Add Secondary LAN IP Address section of the screen, enter the following settings:
• IPv6 Address. Enter the secondary address that you want to assign to the LAN ports.
By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports.
Figure 61.
2. Enter the settings as explained in the following table:
Table 22. DMZ Setup screen settings for IPv4
Setting | Description
DMZ Port Setup
Do you want to enable DMZ Port? | Select one of the following radio buttons:
• Yes.
DHCP for DMZ Connected Computers
Disable DHCP Server | If another device on your network is the DHCP server for the VLAN, or i.
3. Click Apply to save your settings.
DMZ Port for IPv6 Traffic
The DMZ Setup (IPv6) screen lets you set up the DMZ port for IPv6 traffic.
• Stateful DHCPv6 server. The IPv6 clients in the DMZ obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server.
3. Enter the settings as explained in the following table:
Table 23. DMZ Setup screen settings for IPv6
Setting | Description
DMZ Port Setup
Do you want to enable DMZ Port? | Select one of the following radio buttons:
• Yes.
4. Click Apply to save your settings.
IPv6 DMZ Address Pools
If you configure a stateful DHCPv6 server for the DMZ, you need to add local DHCP IPv6 address pools so the DHCPv6 server can control the allocation of IPv6 addresses in the DMZ.
2. Enter the settings as explained in the following table:
3. Click Apply to save your changes and add the new IPv6 address pool to the List of IPv6 Address Pools table on the DMZ Setup (IPv6) screen.
Hosts and routers in the LAN use NDP to determine the link-layer addresses and related information of neighbors in the LAN that can forward packets on their behalf.
Figure 64. 4. Enter the settings as explained in the following table: Table 26. RADVD screen settings for the DMZ Setting Description RADVD Status Specify the RADVD status by making a selection from the drop-down list: • Enable.
5. Click Apply to save your changes. Advertisement Prefixes for the DMZ You need to configure the prefixes that are advertised in the DMZ RAs. For a 6to4 address, you need to specify only the site level aggregation identifier (SLA ID) and the prefix lifetime.
Figure 65. 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of Prefixes to Advertise table on the RADVD screen for the DMZ.
3. Click Apply to save your settings. To delete one or more advertisement prefixes: 1.
Figure 66. 2. Click the Add table button under the Static Routes table. The Add Static Route screen displays: Figure 67. 3. Enter the settings as explained in the following table: Table 28.
4. Click Apply to save your settings. The new static route is added to the Static Routes table.
Figure 68. 3. Enter the settings as explained in the following table: Table 29.
4. Click Apply to save your settings. RIP Version By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version: • RIP-1. Classful routing that does not include subnet information.
IPv4 Static Route Example In this example, we assume the following: • The VPN firewall’s primary Internet access is through a cable modem to an ISP. • The VPN firewall is on a local LAN with IP address 192.
Figure 69. 3. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing screen displays: Figure 70. 4. Enter the settings as explained in the following table: Table 30.
5. Click Apply to save your settings. The new static route is added to the List of IPv6 Static Routes table.
4. Firewall Protection
This chapter describes how to use the firewall features of the VPN firewall to protect your network. The chapter contains the following sections: • About Fi.
incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the VPN firewall are: • Inbound. Block all access from outside except responses to requests from the LAN side.
Outbound Rules (Service Blocking) The VPN firewall allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering.
LAN Users The settings that determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN. • Single address.
Inbound Rules (Port Forwarding) If you have enabled Network Address Translation (NAT), your network presents one IP address only to the Internet, and outside users cannot directly access any of your local computers (LAN users).
Whether or not DHCP is enabled, how the computer accesses the server’s LAN address impacts the inbound rules.
Table 33. Inbound rules overview Setting Description Inbound Rules Service The service or application to be covered by this rule.
LAN Users These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing, and determine which computers on your network are affected by this rule. The options are: • Any.
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location.
Figure 71. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services tables, beginning at the top of each table and proceeding to the bottom of each table.
Figure 72. 2. From the Default Outbound Policy drop-down list, select Block Always. (By default, Allow Always is selected.) 3. Next to the drop-down list, click the Apply table button.
Figure 73. 3. From the Default Outbound Policy drop-down list, select Block Always. (By default, Allow Always is selected.) 4. Next to the drop-down list, click the Apply table button.
Create LAN WAN Outbound Service Rules You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections.
Create LAN WAN Inbound Service Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked.
2. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log dr.
3. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log dr.
Figure 78. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank.
Figure 79. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank.
IPv4 DMZ WAN Outbound Service Rules To create a new IPv4 DMZ WAN outbound rule: 1. In the upper right of the DMZ WAN Rules screen, the IPv4 radio button is selected by default.
IPv6 DMZ WAN Outbound Service Rules To create a new IPv6 DMZ WAN outbound rule: 1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 79 on page 149).
IPv4 DMZ WAN Inbound Service Rules To create a new IPv4 DMZ WAN inbound rule: 1. In the upper right of the DMZ WAN Rules screen, the IPv4 radio button is selected by default.
IPv6 DMZ WAN Inbound Service Rules To create a new IPv6 DMZ WAN inbound rule: 1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 79 on page 149).
There is no drop-down list that lets you set the default outbound policy as there is on the LAN WAN Rules screen. You can change the default outbound policy by allowing all outbound traffic and then blocking specific services from passing through the VPN firewall.
Figure 85. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank.
IPv4 LAN DMZ Outbound Service Rules To create a new IPv4 LAN DMZ outbound rule: 1. In the upper right of the LAN DMZ Rules screen, the IPv4 radio button is selected by default.
Figure 87. 3. Enter the settings as explained in Table 32 on page 133. In addition to selections from the Service, Action,.
Figure 88. 2. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action,.
Figure 89. 3. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action,.
Figure 90. IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses If you want to allow incoming vid.
Figure 91. IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface.
Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ.
this address on the WAN2 Secondary Addresses screen (see Configure Secondary WAN Addresses on page 46) before you can select it from the WAN Destination IP Address drop-down list.
WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
Figure 95. IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet If you want to allow.
Configure Other Firewall Features • Attack Checks • Set Limits for IPv4 Sessions • Manage the Application Level Gateway for SIP Sessions You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions.
2. Enter the settings as explained in the following table: Table 34. Attack Checks screen settings for IPv4 Setting.
3. Click Apply to save your settings. IPv6 Attack Checks To enable IPv6 attack checks for your network environment: 1. Select Security > Firewall > Attack Checks.
address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet.
3. Enter the settings as explained in the following table: 4. Click Apply to save your settings.
Manage the Application Level Gateway for SIP Sessions The application level gateway (ALG) facilitates multimedia sessions s.
Note: A schedule narrows down the period during which a firewall rule is applied. For information about specifying schedules, see Set a Schedule to Block or Allow Specific Traffic on page 185.
Figure 101. 2. In the Add Customer Service section of the screen, enter the settings as explained in the following table: 3. Click Apply to save your settings. The new custom service is added to the Custom Services table.
Figure 102. 2. Modify the settings that you wish to change (see the previous table). 3. Click Apply to save your changes. The modified service is displayed in the Custom Services table.
2. In the Add New Custom IP Group section of the screen, do the following: • In the IP Group Name field, enter a name for the group. • From the IP Group Type drop-down list, select LAN Group or WAN Group.
To delete an IP group: 1. In the Custom IP Groups table, select the check box to the left of the IP group that you want to delete, or click the Select All table button to select all groups.
Figure 105. 2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays: Figure 106. 3. Enter the settings as explained in the following table: Table 37.
4. Click Apply to save your settings. The new bandwidth profile is added to the List of Bandwidth Profiles table. 5. In the Bandwidth Profiles section of the screen, select the Yes radio button under Enable Bandwidth Profiles? (By default the No radio button is selected.
Create Quality of Service Profiles for IPv4 Firewall Rules A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall.
Figure 108. 3. Enter the settings as explained in the following table. 4. Click Apply to save your settings. The new QoS profile is added to the List of QoS Profiles table.
To edit a QoS profile: 1. In the List of QoS Profiles table, click the Edit table button to the right of the QoS profile that you want to edit. The Edit QoS Profile screen displays.
Several types of blocking are available: • Web component blocking. You can block the following web component types: proxy, Java, ActiveX, and cookies.
• If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu, .org, or .gov) can be viewed. • If you wish to block all Internet browsing access, enter .
3. In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected): • Proxy.
Set a Schedule to Block or Allow Specific Traffic Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules.
Enable Source MAC Filtering The Source MAC Filter screen enables you to permit or block traffic coming from certain known computers or devices. By default, the source MAC address filter is disabled.
4. Click Apply to save your settings. The MAC Address field in the Add Source MAC Address section of the screen now becomes available. 5. Build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field.
There are three possible scenarios in relation to the addresses in the IP/MAC Bindings table: • Host 1 has not changed its IP and MAC addresses. A packet coming from Host 1 has IP and MAC addresses that match those in the IP/MAC Bindings table.
3. Click Apply to save your changes. 4. In the IP/MAC Bindings sections of the screen, enter the settings as explained in the following table: 5. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table.
2. Click the Stop button. Wait until the Poll Interval field becomes available. 3. Enter new poll interval in seconds. 4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.
5. In the IP/MAC Bindings sections of the screen, enter the settings as explained in the following table: 6. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table.
4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.
Figure 116. 2. In the Add Port Triggering Rule section, enter the settings as explained in the following table: 3. Click the Add table button. The new port triggering rule is added to the Port Triggering Rules table.
To remove one or more port triggering rules from the table: 1. Select the check box to the left of each port triggering rule that you want to delete, or click the Select All table button to select all rules.
The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the VPN firewall and that have been automatically detected by the VPN firewall: • Active.
5. Virtual Private Networking Using IPSec and L2TP Connections
This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer.
The following diagrams and table show how the WAN mode selection relates to VPN configuration.
Use the IPSec VPN Wizard for Client and Gateway Configurations You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies.
following screen contains some examples that do not relate to other examples in this manual.) Figure 122. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen.
Figure 123. 2. Complete the settings as explained in the following table: Table 43.
Tip: To ensure that tunnels stay active, after completing the wizard, manually e.
Figure 124. 4. Configure a VPN policy on the remote gateway that allows connection to the VPN firewall. 5. Activate the IPSec VPN connection: a.
Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard Figure 126. To set up an IPv6 gateway-to-gateway VPN tunnel using the VPN Wizard: 1.
To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values.
Tip: To ensure that tunnels stay active, after completing the wizard, manually e.
6. Activate the IPSec VPN connection: a. Select VPN > Connection Status. The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view: Figure 130.
Use the VPN Wizard to Configure the Gateway for a Client Tunnel To set up a client-to-gateway VPN tunnel using the VPN Wizard: 1.
3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen for IPv4.
Figure 133. Note: When you are using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address.
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. The VPN Client supports IPv4 only; an upcoming release of the VPN Client will support IPv6.
Figure 135. 3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays: Figure 136.
Figure 137. 6. This screen is a summary screen of the new VPN configuration.
c. Specify the settings that are explained in the following table. 8. Configure the global parameters: a. Click Global Parameters in the left column of the Configuration Panel screen.
Figure 139. b. Specify the default lifetimes in seconds: • Authentication (IKE), Default. The default lifetime value is 3600 seconds.
Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: 1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane.
5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication pane.
8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
Figure 144. 3. Specify the settings that are explained in the following table. Table 50. VPN client IPSec configuration settings Setting Description VPN Client address Either enter 0.
4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Global Parameters To specify the global parameters: 1.
Test the Connection and View Connection and Status Information • Test the NETG.
Figure 147. • Use the system-tray icon.
NETGEAR VPN Client Status and Log Information To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console.
interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button.
Virtual Private Networking Us ing IPSec and L2TP Connections 225 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 Manage IPSec VPN P olicies • Manage IKE Policies • Manage VPN Policies After you have used th e VPN Wiza rd to se t up a VPN tunnel, a VPN policy and an IKE policy are stored in sep arate policy tables.
Virtual Private Networking Usin g IPSec and L2TP Connections 226 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 examples.) T o display the IPv6 settings on th e IKE Policies screen, select the IPv6 radio button. Figure 15 4. Each policy contains t he data that are e x plained in t he following table.
Virtual Private Networking Us ing IPSec and L2TP Connections 227 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 Note: Y ou ca nnot delete or edit an IKE policy for which the VPN policy is active without first disabling or de leting the VPN policy .
Virtual Private Networking Usin g IPSec and L2TP Connections 228 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 4. Complete the settings as explained in the following t able: T able 53.
Virtual Private Networking Us ing IPSec and L2TP Connections 229 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 Identifier From the drop-down list, sele ct one of th e following ISAKMP identi fiers to be used by the VPN firewall, and then specify t he identifi er in the Identifier field: • Lo cal W an IP .
Virtual Private Networking Usin g IPSec and L2TP Connections 230 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 Authentication Method Select one of the foll owing radio butt ons to specify the authentica ti on method: • Pre-shared key . A secret that is shared between the VPN firewall and the remote endpoint.
Virtual Private Networking Us ing IPSec and L2TP Connections 231 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 5. Click Apply to save your settings. The IKE po licy is added to the List of IKE Policies table. T o edit an IKE policy: 1. Select VPN > IPSec VPN .
Virtual Private Networking Usin g IPSec and L2TP Connections 232 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 endpoint s (the local ID endpoint and the remo te ID endpoint). Y ou still need to manually enter all settings on the remote VPN endpoint (unless the remo te VPN e nd point also has a VPN Wizard).
Virtual Private Networking Us ing IPSec and L2TP Connections 233 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 Each policy cont ains the data that are explai ned in the following t able. These fields are explained in more det ail in T able 55 on p age 235 .
Virtual Private Networking Usin g IPSec and L2TP Connections 234 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 3. S pecify the IP version for which you want to add a VPN policy: • IPv4 . In the upper right of the screen, the IP v4 radio butt on is already selected by default.
Virtual Private Networking Us ing IPSec and L2TP Connections 235 ProSafe Gigabit Quad W A N SSL VPN Firewall SRX5308 Figure 158. Add New VPN Policy screen for IPv6 4. Complete the settings as explained in the following t able. The only differences between IPv4 and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6).
Virtual Private Networking Usin g IPSec and L2TP Connections 236 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 Policy T ype From the drop-down list, select one of the following policy types: • Auto Policy . Some settings (the ones i n the Manual Policy Parameters section of th e screen) for the VPN tunnel a re generated automatically .
237 Traffic Selection Local IP From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall: • Any.
238 Key-Out The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: • 3DES.
239 5. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table. To edit a VPN policy: 1. Select VPN > IPSec VPN > VPN Policies.
240 requesting individual authentication information from the user.
241 4. In the Extended Authentication section on the screen, complete the settings as explained in the following table: 5. Click Apply to save your settings.
242 user name and password information.
243 3. Click Apply to save your settings. Note: You can select the RADIUS authentication protocol (PAP or CHAP) on the Edit IKE Policy screen or Add IKE Policy screen (see Configure XAUTH for VPN Clients on page 240).
244 Assign IPv4 Addresses to Remote Users (Mode Config) • Mode Config Operation • C.
245 To configure Mode Config on the VPN firewall: 1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays: Figure 160.
246 3. Complete the settings as explained in the following table: Table 58.
247 4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy.
248 Figure 162. 8. On the Add IKE Policy screen, complete the settings as explained in the following table. Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration.
249 Table 59. Add IKE Policy screen settings for a Mode Config configuration Setting Description Mode Config Record Do you want to use Mode Config Record? Select the Yes radio button.
250 IKE SA Parameters Note: Generally, the default settings work well for a Mode Config configuration. Encryption Algorithm To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm.
251 9. Click Apply to save your settings.
252 Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed.
253 3. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename.
254 5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication pane.
255 8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
256 Figure 167. 3. Specify the settings that are explained in the following table.
257 4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Mode Config Global Parameters To specify the global parameters: 1.
258 2. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall: • Authentication (IKE), Default.
259 Figure 171. 3. From the client computer, ping a computer on the VPN firewall LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure that it is not used in an IKE policy.
260 For DPD to function, the peer VPN device on the other end of the tunnel also needs to support DPD. Keep-alive, though less reliable than DPD, does not require any support from the peer device.
261 4. Enter the settings as explained in the following table: 5.
262 Figure 173. 4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: 5.
263 2. Specify the IP version for which you want to edit a VPN policy: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default.
264 To enable the PPTP server and configure the PPTP server pool, authentication, and encryption: 1. Select VPN > PPTP Server. The PPTP Server screen displays.
265 The List of PPTP Active Users table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds.
266 Figure 177. 2. Enter the settings as explained in the following table: 3.
267 The List of L2TP Active Users table lists each active connection with the information that is described in the following table. Table 68.
268 6. Virtual Private Networking Using SSL Connections The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers.
269 The SSL VPN client provides a point-to-point (PPP) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s computer.
270 Because you need to assign a group when creating an SSL VPN user account, the user account is created after you have created the group.
271 You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options.
272 • Portal URL: - Portal URL (IPv4). The IPv4 URL at which the portal can be accessed. The IPv4 address in the URL is the public WAN address of the VPN firewall (see Configure the IPv4 Internet Connection and WAN Settings on page 28).
273 4. Complete the settings as explained in the following table: Table 69. Add Portal Layout screen settings Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout.
274 5. Click Apply to save your settings. The new portal layout is added to the List of Layouts table. For information about how to display the new portal layout, see Access the New SSL Portal Login Screen on page 290.
275 access policies. When you create a group, you need to specify a domain. Therefore, you should create any domains first, then groups, and then user accounts.
276 2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to.
277 To add servers and host names for client name resolution: 1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see Figure 182 on page 275).
278 • Select whether you want to enable full-tunnel or split-tunnel support based on your bandwidth: - A full tunnel sends all of the client’s traffic across the VPN tunnel.
279 Figure 184. SSL VPN Client screen for IPv6 3. Complete the settings as explained in the following table: Table 71.
280 4. Click Apply to save your settings. VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IP address in the client address range.
281 If VPN tunnel clients are already connected, disconnect and then reconnect the clients on the SSL VPN Connection Status screen (see View the SSL VPN Connection Status and SSL VPN Log on page 292).
282 Figure 185. 2. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes.
283 IPv6, this screen is identical to the screen for IPv4 (see the next figure, which shows some examples). Figure 186. 4. Complete the settings as explained in the following table: Table 72.
284 5. Click Apply to save your settings. The new configuration is added to the Defined Resource Addresses table.
285 Assuming that no conflicting user or group policies have been configured, if a user attempted to access FTP servers at the following addresses, the actions listed would occur: • 10.
286 3. Click the Display action button. The List of SSL VPN Policies table displays the list for your selected Query option. Add an IPv4 or IPv6 SSL VPN Policy To add an SSL VPN policy: 1.
287 Figure 189. Add SSL VPN Policy screen for IPv6 4.
288 Apply Policy to? (continued) IP Address Policy Name A descriptive name of the SSL VPN policy for identification and management purposes. IP Address The IPv4 or IPv6 address to which the SSL VPN policy is applied.
289 5. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately.
290 Access the New SSL Portal Login Screen All screens that you can access from the SSL VPN menu of the web management interface display a user portal link in the upper right of the screen, above the menu bars.
291 Figure 192. 4. Enter a user name and password that are associated with a domain, that, in turn, is associated with the portal.
292 Figure 194. The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections: • VPN Tunnel.
293 Figure 195. The active user’s name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected.
294 7. Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN.
295 Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain.
296 Configure Authentication Domains, Groups, and Users • Configure Domains • Configure Group.
297 The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name.
298 Authentication Type (continued) Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client and Server Configuration on page 241).
299 4. Click Apply to save your settings. The domain is added to the List of Domains table.
300 Edit Domains To edit a domain: 1. Select Users > Domains.
301 Create Groups To create a VPN group: 1.
302 3. Complete the settings as explained in the following table: 4. Click Apply to save your changes. The new group is added to the List of Groups table.
303 Configure User Accounts When you create a user account, you need to assign the user to a user group. When you create a group, you need to assign the group to a domain that specifies the authentication method.
304 Figure 201. The List of Users table displays the users and has the following fields: • Check box. Allows you to select the user in the table.
305 3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. The user is added to the List of Users table.
306 Set User Login Policies You can restrict the ability of defined users to log in to the VPN firewall’s web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers.
307 Configure Login Restrictions Based on IPv4 Addresses To restrict logging in based on IPv4 addresses: 1. Select Users > Users. The Users screen displays (see Figure 201 on page 304).
308 6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table: 7.
309 Figure 205. 5. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses.
310 To delete one or more IPv6 addresses: 1. In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses.
311 6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list: • Internet Explorer.
312 To modify user settings, including passwords: 1.
313 4. Click Apply to save your settings. Manage Digital Certificates for VPN Connections • V.
314 both the IPSec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository.
315 • Self Certificate Requests table. Contains the self-signed certificate requests that you generated.
316 2. In the Upload Trusted Certificates section of the screen, click the Browse button and navigate to the trusted digital certificate file that you downloaded on your computer.
317 VPN firewall. The CSR is a file that contains information about your company and about the device that holds the certificate. Refer to the CA for guidelines about the information that you need to include in your CSR.
318 3. Click the Generate table button. A new SCR is created and added to the Self Certificate Requests table. 4. In the Self Certificate Requests table, click the View table button in the Action column to view the new SCR.
319 6. Submit your SCR to a CA: a. Connect to the website of the CA.
320 Manage the VPN Certificate Revocation List A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid.
321 8. Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall.
322 In practice, the WAN-side bandwidth capacity is much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates: • Load balancing mode.
323 The following section summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 133.
324 For information about how to define bandwidth profiles, see Create Bandwidth Profiles on page 176.
325 On the LAN WAN screen, if you have not defined any rules, only the default rule is listed. The default LAN WAN inbound rule blocks all access from outside except responses to requests from the LAN side.
326 addresses to groups. For more information, see Create IP Groups on page 174. (LAN IP groups do not apply to DMZ WAN inbound rules.) • WAN users. You can specify which Internet locations are covered by an inbound rule, based on their IP address: - Any.
327 Exposed Hosts Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.
328 method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN links.
329 Figure 213. 2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit Users screen displays: Figure 214.
330 6. Click Apply to save your settings. 7. Repeat Step 1 through Step 6 for the user with the name guest. Note: After a factory defaults reset, the password and time-out value are changed back to password and 5 minutes, respectively.
331 misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see Change Passwords and Administrator and Guest Settings on page 328).
332 Figure 216. Remote Management screen for IPv6 3. Enter the settings as explained in the following table: Table 82.
333 WARNING: If you are remotely connected to the VPN firewall and you select the No radio button to disable secure HTTP management, you and all other SSL VPN users are disconnected when you click Apply.
334 Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option.
335 To configure the SNMP settings: 1. Select Administration > SNMP. The SNMP screen displays. (The following figure contains an example.) Figure 217. The SNMPv3 Users table includes the default SNMPv3 users that are preconfigured on the VPN firewall.
336 2. To specify a new SNMP configuration, in the Create New SNMP Configuration Entry section of the screen, configure the settings as explained in the following table: 3.
337 To delete one or more SNMP configurations: 1. On the SNMP screen (see Figure 217 on page 335), select the check box to the left of each SNMP configuration that you want to delete, or click the Select All table button to select all SNMP configurations.
338 3. Click Apply to save your changes. To configure the SNMP system information: 1. On the SNMP screen (see Figure 217 on page 335), click the SNMP System Info option arrow in the upper right of the screen.
339 Manage the Configuration File The configuration settings of the VPN firewall are stored in a configuration file on the VPN firewall.
340 Back Up Settings The backup feature saves all VPN firewall settings to a file.
341 WARNING: Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the VPN firewall, shut down the computer, or do anything else to the VPN firewall until the settings have been fully restored.
342 Upgrade the Firmware You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade screen. To view the current version of the firmware that the VPN firewall is running, from the main menu, select Monitoring.
343 Select the Firmware and Reboot the VPN Firewall After you have upgraded the firmware, the newly installed firmware is the active firmware, and the previously installed firmware has become the secondary firmware.
344 To set time, date, and NTP servers: 1. Select Administration > Time Zone.
345 Select NTP Mode In all three NTP modes, the VPN firewall functions both as a client and a server. The VPN firewall synchronizes its clock with the specified NTP server or servers and provides time service to clients.
346 3. Click Apply to save your settings. Note: If you select the default NTP servers or if you enter a custom server FQDN, the VPN firewall determines the IP address of the NTP server by performing a DNS lookup.
347 9. Monitor System Access and Performance This chapter describes the system-monitoring features of the VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks.
348 Figure 223. 2. Enter the settings for the WAN1 interface as explained in the following table. If you want to configure the settings for another WAN interface, first select the associated tab for that interface.
349 3. Click Apply to save your settings. 4. If you want to enable the traffic meter for another WAN interface, click the associated WAN Traffic Meter tab for that interface, and repeat Step 2 and Step 3 for that WAN interface.
350 screen displays the traffic meter’s start and end dates.
351 3. Click the LAN Traffic Meter tab. The LAN Traffic Meter screen displays. (The following figure shows some examples in the LAN Traffic Meter Table.
352 6. Click Apply to save your settings. The new account is added to the LAN Traffic Meter Table on the LAN Traffic Meter screen.
353 Figure 228. To edit a LAN traffic meter account: 1. In the LAN Traffic Meter Table, click the Edit table button to the right of the account that you want to edit.
354 Figure 229.
355 2. Enter the settings as explained in the following table: Table 89. Firewall Logs & E-mail screen settings Setting Description Log Options Log Identifier Enter the name of the log identifier.
356 Enable E-mail Logs Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to email logs to a specified email address. Complete the fields that are shown on the right side of the screen.
357 3. Click Apply to save your settings. Note: Enabling routing and other event logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only.
Monitor System Access and Performance 358 ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308 Figure 23 0. Y ou can refresh the logs, clear the logs, or send the logs to an email address. T o view the DNS logs onscreen: 1. Select Mon itoring > Firewall Logs & E-mail .
Monitor System Access and Performance 359 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 How to Send Syslogs over a VPN Tunnel between Sites To send syslogs from one site to another over a gateway-to-gateway VPN tunnel: 1. At Site 1, set up a syslog server that is connected to Gateway 1.
Monitor System Access and Performance 360 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 4. In the Traffic Selector section of the screen, make the following changes: • From the Remote IP drop-down list, select Single. • In the Start IP fields, type 10.
Monitor System Access and Performance 361 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 View Status Screens • View the System Status • View the VPN Connection Status, L2TP Users, and PP.
Monitor System Access and Performance 362 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Router Status Screen To view the Router Status screen: Select Monitoring > Router Status. The Router Status screen displays: Figure 232. The following table explains the fields of the Router Status screen: Table 90.
Monitor System Access and Performance 363 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 LAN (VLAN) IPv4 Information For each of the four LAN ports, the screen shows the IPv4 LAN address and subnet mask. For more detailed information, see Table 92 on page 366.
Monitor System Access and Performance 364 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Router Statistics Screen To view the Router Statistics screen: 1. Select Monitoring > Router Status. The Router Status screen displays (see the previous figure).
Monitor System Access and Performance 365 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Detailed Status Screen To view the Detailed Status screen, select Monitoring > Router Status > Detailed Status. The Detailed Status screen displays: Figure 234.
Monitor System Access and Performance 366 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The following table explains the fields of the Detailed Status screen: Table 92. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports.
Monitor System Access and Performance 367 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 DMZ IPv6 Configuration IPv6 Address The IPv6 address and prefix length for the DMZ. For information about configuring the IPv6 DMZ, see DMZ Port for IPv6 Traffic on page 113.
Monitor System Access and Performance 368 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 VLAN Status Screen The VLAN Status screen displays information about the VLANs that are enabled. Disabled VLANs are not displayed. For information about enabling and disabling VLANs, see Assign and Manage VLAN Profiles on page 81.
Monitor System Access and Performance 369 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The following table explains the fields of the VLAN Status screen: Tunnel Status Screen The IPv6 Tunnel Status screen displays the status of all active 6to4 and ISATAP tunnels and their IPv6 addresses.
Monitor System Access and Performance 370 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The IPv6 Tunnel Status table shows the following fields: • Tunnel Name.
Monitor System Access and Performance 371 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 238. The active user’s user name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected.
Monitor System Access and Performance 372 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 240. The List of PPTP Active Users table lists each active connection with the information that is described in the following table. View the VPN Logs To display the IPSec VPN log: Select Monitoring > VPN Logs.
Monitor System Access and Performance 373 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 242. View the Port Triggering Status To view the status of the port triggering feature: 1.
Monitor System Access and Performance 374 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 244. The Port Triggering Status screen displays the information that is described in the following table: View the WAN Port Status You can view the status of the IPv4 and IPv6 WAN connections, the DNS servers, and the DHCP servers.
Monitor System Access and Performance 375 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 245. 2. In the Action column, click the Status button of the WAN interface for which you want to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration.
Monitor System Access and Performance 376 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Click Disconnect to disconnect the connection; click Connect to establish the connection. IPv6 WAN Port Status To view the IPv6 status of the WAN port: 1.
Monitor System Access and Performance 377 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 248. The type of connection determines the information that is displayed on the Connection Status screen.
Monitor System Access and Performance 378 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 View the Attached Devices To view the attached devices on the LAN Groups screen: Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays.
Monitor System Access and Performance 379 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Note: If the VPN firewall is rebooted, the data in the Known PCs and Devices table is lost until the VPN firewall rediscovers the devices. View the DHCP Log To review the most recent entries in the DHCP log: 1.
Monitor System Access and Performance 380 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Diagnostics Utilities • Send a Ping Packet • Trace a Route • Look Up a DNS Address • Display the R.
Monitor System Access and Performance 381 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 252. The various tasks that you can perform on the Diagnostics screen are explained in the following sections.
Monitor System Access and Performance 382 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 To send a traceroute: 1. On the Diagnostics screen for IPv4, in the IP Address / Domain Name field o.
Monitor System Access and Performance 383 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 253. 2. From the Select Network drop-down list, select the physical or virtual interface for which you want to capture packets. 3. Click Start. After a few seconds, the packet-tracing process starts, which is indicated by a message onscreen.
384 10. Troubleshooting This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated.
Troubleshooting 385 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Note: The VPN firewall’s diagnostic tools are explained in Diagnostics Utilities on page 380.
Troubleshooting 386 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 If all LEDs are still on more than several minutes after power-up, do the following: • Turn off the power, and then turn it on again to see if the VPN firewall recovers.
Troubleshooting 387 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • Make sure that you are using the SSL https:// address login rather than the http:// address login. • Make sure that your browser has Java, JavaScript, or ActiveX enabled.
Troubleshooting 388 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Troubleshoot the ISP Connection If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP.
Troubleshooting 389 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information. For more information, see Manually Configure an IPv4 Internet Connection on page 33.
Troubleshooting 390 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 - Windows Server 2008 R2, all versions - Windows Server 2003, all versions - Windows Server 2003 R2, all versions - Linux and other UNIX-based systems with a correctly configured kernel - MAC OS X • Make sure that IPv6 is enabled on the computer.
Troubleshooting 391 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 c. Click or double-click View status of this connection. The Local Area Connection Status screen displays: Figure 255. d. Make sure that Internet access shows for the IPv6 connection.
Troubleshooting 392 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80.
Troubleshooting 393 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Test the Path from Your Computer to a Remote Device After verifying that the LAN path works correctly, test the path from your computer to a remote device.
Troubleshooting 394 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 257. b. In the Backup / Restore Settings section of the screen, click the Default button.
Troubleshooting 395 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Address Problems with Date and Time The System Date & Time screen displays the current date and time of day (see Configure Date and Time Service on page 343).
396 A. Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the VPN firewall in the following sections:
Default Settings and Technical Specifications 397 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 WAN settings WAN IPv4 mode (all WAN interfaces) NAT WAN IPv4 load balancing settings (all WA.
Default Settings and Technical Specifications 398 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 DMZ DHCP IPv4 starting address 176.16.2.100 DMZ DHCP IPv4 ending address 176.
Default Settings and Technical Specifications 399 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Session limits Disabled TCP time-out 1200 seconds UDP time-out 180 seconds ICMP time-out 8 second.
Default Settings and Technical Specifications 400 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Authentication method Pre-shared Key Key group DH-Group 2 (1024 bit) Life time 8 hours VPN IPsec.
Default Settings and Technical Specifications 401 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 RADIUS settings Primary RADIUS server Disabled and none configured Secondary RADIUS server Disabled and none configured RADIUS time-out period 30 seconds RADIUS maximum retry count 4 SSL VPN settings SSL VPN IPv4 client address range 192.
Default Settings and Technical Specifications 402 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Physical and Technical Specifications The following table shows the physical and technical specifications for the VPN firewall: Table 100.
Default Settings and Technical Specifications 403 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The following table shows the IPSec VPN specifications for the VPN firewall: The following table shows the SSL VPN specifications for the VPN firewall: Table 101.
404 B. Network Planning for Multiple WAN Ports (IPv4 Only) This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port.
Network Planning for Multiple WAN Ports (IPv4 Only) 405 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • Protocol binding. - For auto-rollover mode, protocol binding does not apply. - For load balancing mode, decide which protocols should be bound to a specific WAN port.
Network Planning for Multiple WAN Ports (IPv4 Only) 406 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Cabling and Computer Hardware Requirements For you to use the VPN firewall in your network, each computer needs to have an Ethernet network interface card (NIC) installed and needs to be equipped with an Ethernet cable.
Network Planning for Multiple WAN Ports (IPv4 Only) 407 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 After you have located your Internet configuration information, you might want to record the information in the following section. Internet Connection Information Print this page with the Internet connection information.
Network Planning for Multiple WAN Ports (IPv4 Only) 408 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Overview of the Planning Process The areas that require planning when you use a firewall t.
Network Planning for Multiple WAN Ports (IPv4 Only) 409 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port need to be in the identical range of fixed addresses.
Network Planning for Multiple WAN Ports (IPv4 Only) 410 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 261. Inbound Traffic to a Dual WAN Port System The IP address range of the VPN fir.
Network Planning for Multiple WAN Ports (IPv4 Only) 411 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 263. Virtual Private Networks • VPN Road Warrior (Client-to-Gateway) • VPN Ga.
Network Planning for Multiple WAN Ports (IPv4 Only) 412 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • Dual WAN ports in auto-rollover mode.
Network Planning for Multiple WAN Ports (IPv4 Only) 413 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 VPN Road Warrior: Single-Gateway WAN Port (Reference Case) In a single WAN port gateway configuration, the remote computer client initiates the VPN tunnel because the IP address of the remote computer client is not known in advance.
Network Planning for Multiple WAN Ports (IPv4 Only) 414 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 268. The purpose of the FQDN in this case is to toggle the domain name of the gatew.
Network Planning for Multiple WAN Ports (IPv4 Only) 415 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 VPN Gateway-to-Gateway The following situations exemplify the requirements for a gatewa.
Network Planning for Multiple WAN Ports (IPv4 Only) 416 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 271. The IP addresses of the gateway WAN ports can be either fixed or dynamic, but.
Network Planning for Multiple WAN Ports (IPv4 Only) 417 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 273. The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional.
Network Planning for Multiple WAN Ports (IPv4 Only) 418 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you need to use an FQDN. If the IP address is fixed, an FQDN is optional.
Network Planning for Multiple WAN Ports (IPv4 Only) 419 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing In a gateway configuration w.
420 C. System Logs and Error Messages This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided.
System Logs and Error Messages 421 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 System Log Messages • NTP • Login/Logout • System Startup • Reboot • Firewall Restart • IPSec Restart.
System Logs and Error Messages 422 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Login/Logout This section describes logs generated by the administrative interfaces of the device. System Startup This section describes the log message generated during system startup.
System Logs and Error Messages 423 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reboot This section describes the log message generated during system reboot. Firewall Restart This section describes logs that are generated when the VPN firewall restarts.
System Logs and Error Messages 424 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 ICMP Redirect Logs Multicast/Broadcast Logs WAN Status This section describes the logs generated by the WAN component.
System Logs and Error Messages 425 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Auto-Rollover When the WAN mode is configured for auto-rollover, the primary link is active, and the secondary link acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up.
System Logs and Error Messages 426 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 PPP Logs This section describes the WAN PPP connection logs. The PPP type can be configured from the web management interface (see Manually Configure an IPv4 Internet Connection on page 33).
System Logs and Error Messages 427 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • PPTP Idle Timeout Logs Explanation Message 1: PPPoE connection started. Message 2: Message from PPPoE server for correct login. Message 3: Authentication for PPP succeeded.
System Logs and Error Messages 428 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • PPP Authentication Logs Resolved DNS Names This section describes the logs of DNS name resolution messages. VPN Log Messages This section explains logs that are generated by IPSec VPN and SSL VPN policies.
System Logs and Error Messages 429 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 121. System logs: IPSec VPN tunnel, tunnel establishment Messages 1 through 5 Messages 6 and 7 Messages 8.
System Logs and Error Messages 430 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 122. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel is re.
System Logs and Error Messages 431 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 123. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel not reestablished Message 2000 Jan 1 04:52:33 [SRX5308] [IKE] Using IPSec SA configuration: 192.
System Logs and Error Messages 432 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 125. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec), VPN tunnel torn down Message 1 Message 2 Message 3 2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to peer 192.
System Logs and Error Messages 433 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 SSL VPN Logs This section describes the log messages that are generated by SSL VPN policies.
System Logs and Error Messages 434 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Traffic Meter Logs Routing Logs • LAN to WAN Logs • LAN to DMZ Logs • DMZ to WAN Logs • WAN to LAN Logs.
System Logs and Error Messages 435 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 LAN to WAN Logs LAN to DMZ Logs DMZ to WAN Logs WAN to LAN Logs Table 132. Routing logs: LAN to WAN Message Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.
System Logs and Error Messages 436 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 DMZ to LAN Logs WAN to DMZ Logs Other Event Logs • Session Limit Logs • Source MAC Filter Logs • Bandwid.
System Logs and Error Messages 437 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Source MAC Filter Logs Bandwidth Limit Logs DHCP Logs This section explains the log messages that are generated when a host is assigned a dynamic IP address. These messages are displayed on the DHCP Log screen (see View the DHCP Log on page 379).
System Logs and Error Messages 438 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 142. DHCP logs Message 1 Message 2 Message 3 Message 4 Message 5 Message 6 Message 7 2000 Jan 1 07:27:28 [SRX5308] [dhcpd] Listening on LPF/eth0.1/00:11:22:78:89:90/192.
439 D. Two-Factor Authentication This appendix provides an overview of two-factor authentication, and an example of how to implement the WiKID solution.
Two-Factor Authentication 440 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 • Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
Two-Factor Authentication 441 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Here is an example of how WiKID works: To use WiKID (for end users): 1.
Two-Factor Authentication 442 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 3. Proceed to the 2 Factor Authentication login screen, and enter the one-time passcode as the login password.
443 E. Notification of Compliance (Wired) NETGEAR Wired Products Regulatory Compliance Information This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices.
Notification of Compliance (Wired) 444 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 FCC Radio Frequency Interference Warnings & Instructions This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules.
Notification of Compliance (Wired) 445 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Additional Copyrights AES Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.
Notification of Compliance (Wired) 446 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc.
447 Index Numerics 10BASE-T, 100BASE-T, and 1000BASE-T speeds 70 3322.org 48–51 6to4 tunnels configuring globally 63 DMZ, configuring for 121 LAN, configuring for 107 A AAA (authentication, aut.
448 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 B backing up configuration file 340 bandwidth allocation, WAN traffic 72–76 bandwidth capacity 321 bandwidth limits, logging dropped pack.
449 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 firewall rules 132 group, users 300 idle time-out periods groups 302 L2TP server 266 PPTP server 264 users 305 IPSec VPN Wizard 199 IPv4 gatewa.
450 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Domain Name Server. See DNS. domain name, PPTP and PPPoE connections 35 domains for authentication 296, 304 DoS (denial of service) attack.
451 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 H hardware front panel ports 17 rear panel components 19 requirements 406 Help button (web management interface) 24 hosts exposed, increasing t.
452 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 resources, configuring 283 static or permanent 32, 37 subnet mask, default 85 subnet mask, DMZ port 111 VPN tunnels 201, 208, 229, 237 IPv4 D.
453 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 bandwidth capacity 321 default port MAC addresses 366 default settings 398 groups, assigning and managing 93–96 IPv4 settings, configuring 81.
454 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 metric static IPv4 routes 124 static IPv6 routes 129 MIAS (Microsoft Internet Authentication Service) described 295 MIAS-CHAP and MIAS-PAP 298.
455 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 WiKID pass-through, multicast 168 passwords changing 311, 328 default 22 restoring 393 Perfect Forward Secrecy (PFS) 239, 246 performance manag.
456 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 LAN advertisements 107 prefixes, IPv6 6to4 tunnel 63 DMZ advertisements 121 ISATAP tunnel 65 LAN advertisements 107 pre-shared key client-t.
457 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 IPv6 (IPv4-only and IPv4/IPv6) 52 routing table adding static IPv4 routes 122 adding static IPv6 routes 127 displaying 382 RSA signatures 230 rules See inbound rules.
458 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 stateless and stateful IPv6 addresses, autoconfiguration 54, 100, 115 Stateless IP/ICMP Translation (SIIT) 66 static addresses IPv4 address 32.
459 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 U UDP (User Datagram Protocol) 193 UDP flood, blocking 167 UDP time-out 170 unicast packets, IPv6 DMZ, configuring for 119 LAN, configuring.
460 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 pre-shared key client-to-gateway tunnel 208 gateway-to-gateway tunnel 200, 204 IKE policy settings 230 Road Warrior auto-rollover 413 load balancing 414 single WAN port mode 413 rollover See auto-rollover mode.