manualshive.com logo in svg

NETGEAR ProSecure, Appliance Reference Manual

Share
Download
NETGEAR ProSecure Appliance Reference Manual Download Page 375

ProSecure Unified Threat Management (UTM) Appliance Reference Manual

Monitoring System Access and Performance

11-13

v1.0, January 2010

Configuring and Activating Firewall Logs

You can configure the logging options for each network segment. For example, the UTM can log 
accepted packets for LAN-to-WAN traffic, dropped packets for WAN-to-DMZ traffic, and so on. 
You can also configure logging of packets from MAC addresses that match the source MAC 
address filter settings (see 

“Enabling Source MAC Filtering” on page 5-42

), and packets that are 

dropped because the session limit (see 

“Setting Session Limits” on page 5-30

), bandwidth limit 

(see 

“Creating Bandwidth Profiles” on page 5-38

), or both, have been exceeded.

To configure and activate firewall logs:

1.

Select 

Monitoring 

>

 Logs & Reports 

from the menu. The Logs & Reports submenu tabs 

appear, with the Email and Syslog screen in view.

2.

Click the 

Firewall Logs 

submenu tab.

 

The Firewall Logs screen displays (see 

Figure 11-6

).

3.

Enter the settings as explained in 

Table 11-5 on page 11-14

.

Note: 

Enabling firewall logs might generate a significant volume of log messages. 

NETGEAR recommends that you enable firewall logs for debugging purposes 
only.

Figure 11-6

Summary of Contents for ProSecure

Page 1: ...202 10482 02 January 2010 v1 0 NETGEAR Inc 350 East Plumeria Drive San Jose CA 95134 ProSecure Unified Threat Management UTM Appliance Reference Manual ...

Page 2: ...red to correct the interference at his own expense Changes or modifications not expressly approved by NETGEAR could void the user s authority to operate the equipment EU Regulatory Compliance Statement The ProSecure Unified Threat Management UTM Appliance is compliant with the following EU Council Directives EMC Directive 2004 108 EC and Low Voltage Directive 2006 95 EC Compliance is verified by t...

Page 3: ...terference Read instructions for correct handling Additional Copyrights AES Copyright c 2001 Dr Brian Gladman brg gladman uk net Worcester UK All rights reserved TERMS Redistribution and use in source and binary forms with or without modification are permitted subject to the following conditions 1 Redistributions of source code must retain the above copyright notice this list of conditions and the...

Page 4: ...D OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUS...

Page 5: ...ll the authors be held liable for any damages arising from the use of this software Permission is granted to anyone to use this software for any purpose including commercial applications and to alter it and redistribute it freely subject to the following restrictions 1 The origin of this software must not be misrepresented you must not claim that you wrote the original software If you use this sof...

Page 6: ...v1 0 January 2010 vi ...

Page 7: ... or Outbound Load Balancing 1 3 Advanced VPN Support for Both IPsec and SSL 1 3 A Powerful True Firewall 1 4 Stream Scanning for Content Filtering 1 4 Security Features 1 5 Autosensing Ethernet Connections with Auto Uplink 1 5 Extensive Protocol Support 1 6 Easy Installation and Management 1 6 Maintenance and Support 1 7 Model Comparison 1 7 Service Registration Card with License Keys 1 8 Package ...

Page 8: ...o Be Blocked 2 21 Setup Wizard Step 8 of 10 Email Notification 2 23 Setup Wizard Step 9 of 10 Signatures Engine 2 24 Setup Wizard Step 10 of 10 Saving the Configuration 2 25 Verifying Proper Installation 2 26 Testing Connectivity 2 26 Testing HTTP Scanning 2 26 Registering the UTM with NETGEAR 2 26 What to Do Next 2 28 Chapter 3 Manually Configuring Internet and WAN Settings Understanding the Inte...

Page 9: ...ng the Network Database 4 13 Changing Group Names in the Network Database 4 16 Setting Up Address Reservation 4 17 Configuring and Enabling the DMZ Port 4 18 Managing Routing 4 22 Configuring Static Routes 4 23 Configuring Routing Information Protocol RIP 4 24 Static Route Example 4 27 Chapter 5 Firewall Protection About Firewall Protection 5 1 Administrator Tips 5 2 Using Rules to Block or Allow ...

Page 10: ...tings 6 2 Configuring E mail Protection 6 3 Customizing E mail Protocol Scan Settings 6 4 Customizing E mail Anti Virus and Notification Settings 6 5 E mail Content Filtering 6 8 Protecting Against E mail Spam 6 11 Configuring Web and Services Protection 6 19 Customizing Web Protocol Scan Settings and Services 6 19 Configuring Web Malware Scans 6 21 Configuring Web Content Filtering 6 23 Configuri...

Page 11: ...Users Mode Config 7 43 Mode Config Operation 7 43 Configuring Mode Config Operation on the UTM 7 43 Configuring the ProSafe VPN Client for Mode Config Operation 7 50 Testing the Mode Config Connection 7 55 Configuring Keepalives and Dead Peer Detection 7 55 Configuring Keepalives 7 56 Configuring Dead Peer Connection 7 57 Configuring NetBIOS Bridging with IPsec VPN 7 59 Chapter 8 Virtual Private N...

Page 12: ... 1 Configuring Domains 9 2 Configuring Groups for VPN Policies 9 6 Configuring User Accounts 9 9 Setting User Login Policies 9 12 Changing Passwords and Other User Settings 9 16 Managing Digital Certificates 9 17 Managing CA Certificates 9 19 Managing Self Certificates 9 20 Managing the Certificate Revocation List 9 25 Chapter 10 Network and System Management Performance Management 10 1 Bandwidth ...

Page 13: ...ing System Status 11 20 Viewing Active VPN Users 11 24 Viewing VPN Tunnel Connection Status 11 24 Viewing Port Triggering Status 11 26 Viewing the WAN Ports Status 11 27 Viewing Attached Devices and the DHCP Log 11 29 Querying Logs and Generating Reports 11 32 Querying the Logs 11 32 Scheduling and Generating Reports 11 39 Using Diagnostics Utilities 11 43 Using the Network Diagnostic Tools 11 44 ...

Page 14: ...ix A Default Settings and Technical Specifications Appendix B Network Planning for Dual WAN Ports Dual WAN Port Models Only What to Consider Before You Begin B 1 Cabling and Computer Hardware Requirements B 3 Computer Network Configuration Requirements B 3 Internet Configuration Requirements B 3 Overview of the Planning Process B 5 Inbound Traffic B 7 Inbound Traffic to a Single WAN Port System B ...

Page 15: ...Logs C 14 Virus Logs C 14 E mail Filter Logs C 14 IPS Logs C 15 Port Scan Logs C 15 Instant Messaging Peer to Peer Logs C 15 Routing Logs C 16 LAN to WAN Logs C 16 LAN to DMZ Logs C 16 DMZ to WAN Logs C 16 WAN to LAN Logs C 17 DMZ to LAN Logs C 17 WAN to DMZ Logs C 17 Appendix D Two Factor Authentication Why do I need Two Factor Authentication D 1 What are the benefits of Two Factor Authentication...

Page 16: ...ProSecure Unified Threat Management UTM Appliance Reference Manual xvi v1 0 January 2010 ...

Page 17: ... Typographical conventions This manual uses the following typographical conventions Formats This manual uses the following formats to highlight special messages Italic Emphasis books CDs Bold User input IP addresses GUI screen text Fixed Command prompt CLI text code italic URL links Note This format is used to highlight information of importance or special interest Tip This format is used to highl...

Page 18: ...TM Appliance Manual Publication Date January 2010 Note Product updates are available on the NETGEAR website at http prosecure netgear com or http kb netgear com app home Note Go to http prosecure netgear com community forum php for information about the ProSecure forum and to become part of the ProSecure community Tip If your printer supports printing two pages on a single sheet of paper you can s...

Page 19: ...nal broadband access devices such as cable modems or DSL modems Dual wide area network WAN ports allow you to increase effective throughput to the Internet by utilizing both WAN ports to carry session traffic or to maintain a backup connection in case of failure of your primary Internet connection As a complete security solution the UTM combines a powerful flexible firewall with a content scan eng...

Page 20: ... license of the NETGEAR ProSafe VPN Client software VPN01L Advanced stateful packet inspection SPI firewall with multi NAT support Patent pending Stream Scanning technology that enables scanning of real time protocols such as HTTP Comprehensive Web and email security covering six major network protocols HTTP HTTPS FTP SMTP POP3 and IMAP Malware database containing hundreds of thousands of signatur...

Page 21: ... IPsec and SSL The UTM supports IPsec and SSL virtual private network VPN connections IPsec VPN delivers full network access between a central office and branch offices or between a central office and telecommuters Remote access by telecommuters requires the installation of VPN client software on the remote computer IPsec VPN with broad protocol support for secure connection to other IPsec gateway...

Page 22: ...nters the network As soon as a number of bytes are available scanning starts The scan engine continues to scan more bytes as they become available while at the same time another thread starts to deliver the bytes that have been scanned This multithreaded approach in which the receiving scanning and delivering processes occur concurrently ensures that network performance remains unimpeded The resul...

Page 23: ...ed on the service port number of the incoming request You can specify forwarding of single ports or ranges of ports DMZ port Incoming traffic from the Internet is normally discarded by the UTM unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule Instead of discarding this traffic you can use the dedicated De Militarized Zone DMZ...

Page 24: ...ctual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN PPP over Ethernet PPPoE PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial up connection Quality of Service QoS The UTM supports QoS including traffic prioritization and traffic classification with Type Of Service ToS and Differentiated Services Co...

Page 25: ...the Internet For security you can limit remote management access to a specified remote IP address or range of addresses Visual monitoring The UTM s front panel LEDs provide an easy way to monitor its status and activity Maintenance and Support NETGEAR offers the following features to help you maximize your use of the UTM Flash memory for firmware upgrade Technical support seven days a week 24 hour...

Page 26: ... secure location You do need these keys to activate your product during the initial setup USB ports 1 1 1 Console ports RS232 1 1 1 Flash Memory RAM 2 GB 512 MB 2 GB 512 MB 2 GB 1 GB Deployment VLAN Support Yes Yes Yes Dual WAN auto rollover mode No No Yes Dual WAN load balancing mode No No Yes Single WAN mode Yes Yes Yes Figure 1 1 Table 1 1 Differences Between the UTM Models continued Feature UT...

Page 27: ...incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing materials in case you need to return the product for repair Note When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM see Registering the UTM with NETGEAR on page 2 26 the license keys are erased The license keys and the diff...

Page 28: ...ents The port is currently not operable on the UTM LAN Ethernet ports four switched N way automatic speed negotiating Auto MDI MDIX Gigabit Ethernet ports with RJ 45 connectors WAN Ethernet ports one single WAN port models or two dual WAN port models independent N way automatic speed negotiating Auto MDI MDIX Gigabit Ethernet ports with RJ 45 connectors The front panel also contains three groups o...

Page 29: ...sh memory during upgrading or resetting to defaults Off The system has booted successfully LAN Ports Left LED Off The LAN port has no link On Green The LAN port has detected a link with a connected Ethernet device Blink Green Data is being transmitted or received by the LAN port Right LED Off The LAN port is operating at 10 Mbps On Amber The LAN port is operating at 100 Mbps On Green The LAN port ...

Page 30: ...utton for about eight seconds until the front panel Test light flashes to reset the UTM to factory default settings All configuration settings are lost and the default password is restored 4 AC power receptacle Universal AC input 100 240 VAC 50 60 Hz Bottom Panel With Product Label The product label on the bottom of the UTM s enclosure displays factory default regulatory compliance and other infor...

Page 31: ...Unified Threat Management UTM Appliance Reference Manual Introduction 1 13 v1 0 January 2010 Figure 1 4 shows the product label for the UTM5 Figure 1 5 shows the product label for the UTM10 Figure 1 4 Figure 1 5 ...

Page 32: ...nt room A rack mounting kit containing two mounting brackets and four screws is provided in the package for the dual WAN port models Consider the following when deciding where to position the UTM The unit is accessible and cables can be connected easily Cabling is away from sources of electrical noise These include lift shafts microwave ovens and air conditioning units Water or moisture cannot ent...

Page 33: ...e Appendix A Default Settings and Technical Specifications Using the Rack Mounting Kit Use the mounting kit for the UTM to install the appliance in a rack A mounting kit is provided in the package for the dual WAN port models Attach the mounting brackets using the hardware that is supplied with the mounting kit Before mounting the UTM in a rack verify that You have the correct screws supplied with...

Page 34: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 1 16 Introduction v1 0 January 2010 ...

Page 35: ... http prosecure netgear com or http kb netgear com app home 2 Log in to the UTM After logging in you are ready to set up and configure your UTM See Logging In to the UTM on page 2 2 3 Use the Setup Wizard to configure basic connections and security During this phase you connect the UTM to one or more ISPs more than one ISP applies to dual WAN port models only See Using the Setup Wizard to Perform ...

Page 36: ...only required for the SSL VPN portal not for the Web Management Interface Logging In to the UTM To connect to the UTM your computer needs to be configured to obtain an IP address automatically from the UTM via DHCP For instructions on how to configure your computer for DHCP see the document that you can access from Preparing Your Network in Appendix E To connect and log in to the UTM 1 Start any o...

Page 37: ... first time that you remotely connect to the UTM with a browser via an SSL connection you might get a warning message regarding the SSL certificate You can follow to directions of your browser to accept the SSL certificate or you can import the UTM s root certificate by clicking the hyperlink at the he bottom of the NETGEAR Configuration Manager Login screen Note The UTM user name and password are...

Page 38: ...2010 5 Click Login The Web Management Interface appears displaying the System Status screen Figure 2 2 on page 2 4 shows the top part of a dual WAN port model screen For information about this screen see Viewing System Status on page 11 20 Note After 5 minutes of inactivity the default login time out you are automatically logged out Figure 2 2 ...

Page 39: ...lect a main navigation menu link the letters are displayed in white against an orange background 2nd Level Configuration menu links The configuration menu links in the gray bar immediately below the main navigation menu bar change according to the main navigation menu link that you select When you select a configuration menu link the letters are displayed in white against a grey background 3rd Lev...

Page 40: ...n automatically and suggest values for the configuration Next Go to the next screen for wizards Back Go to the previous screen for wizards Search Perform a search operation Cancel Cancel the operation Send Now Send a file or report When a screen includes a table table buttons are displayed to let you configure the table entries The nature of the screen determines which table buttons are shown Figu...

Page 41: ...er to perform the initial WAN setup manually see Chapter 3 Manually Configuring Internet and WAN Settings To start the Setup Wizard 1 Select Wizards from the main navigation menu The Welcome to the Netgear Configuration Wizard screen displays 2 Select the Setup Wizard radio button 3 Click Next The first Setup Wizard screen displays The following sections explain the nine configuration screens of t...

Page 42: ... to go the following screen Figure 2 7 Note In this first step you are actually configuring the LAN settings for the UTM s default VLAN For more information about VLANs see Managing Virtual LANs and DHCP Options on page 4 1 Note After you have completed the steps in the Setup Wizard you can make changes to the LAN settings by selecting Network Config LAN Settings Edit LAN Profile For more informat...

Page 43: ...HCP Server If another device on your network is the DHCP server for the default VLAN or if you will manually configure the network settings of all of your computers select the Disable DHCP Server radio button to disable the DHCP server This is the default setting Enable DHCP Server Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol DHC...

Page 44: ...n your network Enter the following setting Relay Gateway The IP address of the DHCP server for which the UTM serves as a relay Enable LDAP information Select the Enable LDAP information checkbox to enable the DHCP server to provide Lightweight Directory Access Protocol LDAP server information Enter the settings below Note The LDAP settings that you specify as part of the VLAN profile are used only...

Page 45: ... DNS Proxy This is optional Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution This setting is enabled by default Note When you deselect the Enable DNS Proxy radio button the UTM still services DNS requests that are sent to its LAN IP address unless you disable DNS Proxy in the firewall settings see Attack Checks on page 5 27 Figu...

Page 46: ... select the Yes radio button Otherwise select the No radio button which is the default setting and skip the ISP Type section below If you select Yes enter the following settings Login The login name that your ISP has assigned to you Password The password that your ISP has assigned to you ISP Type What type of ISP connection do you use If your connection is PPPoE or PPTP then you must log in Select...

Page 47: ...ep the connection always on To log out after the connection is idle for a period of time select the Idle Time radio button and in the timeout field enter the number of minutes to wait before disconnecting This is useful if your ISP charges you based on the period that you have logged in Internet IP Address Click the Current IP Address link to see the currently assigned IP address Get Dynamically f...

Page 48: ...tton Ensure that you fill in valid DNS server IP addresses in the fields Incorrect DNS entries might cause connectivity issues Primary DNS Server The IP address of the primary DNS server Secondary DNS Serve The IP address of the secondary DNS server Figure 2 9 Note After you have completed the steps in the Setup Wizard you can make changes to the date and time by selecting Administration System Da...

Page 49: ...ly Adjust for Daylight Savings Time checkbox NTP Server default or custom From the pull down menu select an NTP server Use Default NTP Servers The UTM s RTC is updated regularly by contacting a default Netgear NTP server on the Internet Use Custom NTP Servers The UTM s RTC is updated regularly by contacting one of the two NTP servers primary and backup both of which you must specify in the fields ...

Page 50: ...explained in Table 2 4 on page 2 17 then click Next to go the following screen Figure 2 10 Note After you have completed the steps in the Setup Wizard you can make changes to the security services by selecting Application Security Services For more information about these settings see Customizing E mail Protocol Scan Settings on page 6 4 and Customizing Web Protocol Scan Settings and Services on p...

Page 51: ...er port in the corresponding Ports to Scan field HTTPS HTTPS scanning is disabled by default To enable HTTPS scanning select the corresponding checkbox You can change the standard service port port 443 or add another port in the corresponding Ports to Scan field FTP FTP scanning is enabled by default on standard service port 21 To disable FTP scanning deselect the corresponding checkbox You can ch...

Page 52: ...n page 6 5 Table 2 5 Setup Wizard Step 5 Email Security Settings Setting Description or Subfield and Description Action SMTP From the SMTP pull down menu specify one of the following actions when an infected e mail is detected Block infected email This is the default setting The e mail is blocked and a log entry is created Delete attachment The e mail is not blocked but the attachment is deleted a...

Page 53: ...ly a log entry is created The e mail is not blocked and the attachment is not deleted Scan Exceptions The default maximum file or message size that is scanned is 2048 KB but you can define a maximum size of up to 10240 KB However setting the maximum size to a high value might affect the UTM s performance see Performance Management on page 10 1 From the pull down menu specify one of the following a...

Page 54: ... the HTTPS pull down menu specify one of the following actions when an infected Web file or object is detected Delete file This is the default setting The Web file or object is deleted and a log entry is created Log only Only a log entry is created The Web file or object is not deleted Select the Streaming checkbox to enable streaming of partially downloaded and scanned HTTPS file parts to the use...

Page 55: ...re Unified Threat Management UTM Appliance Reference Manual Using the Setup Wizard to Provision the UTM in Your Network 2 21 v1 0 January 2010 Setup Wizard Step 7 of 10 Web Categories to Be Blocked Figure 2 13 ...

Page 56: ...ns at the top of the section in the following way Allow All All Web categories are allowed Block All All Web categories are blocked Set to Defaults Blocking and allowing of Web categories are returned to their default settings See Table 6 1 on page 6 2 for information about the Web categories that are blocked by default Categories that are preceded by a green rectangular are allowed by default cat...

Page 57: ...escription or Subfield and Description Administrator Email Notification Settings Show as mail sender A descriptive name of the sender for e mail identification purposes For example enter UTM_Notifications netgear com SMTP server The IP address and port number or Internet name and port number of your ISP s outgoing e mail SMTP server The default port number is 25 Note If you leave this field blank ...

Page 58: ...he settings as explained in Table 2 9 on page 2 25 then click Next to go the following screen Figure 2 15 Note After you have completed the steps in the Setup Wizard you can make changes to the signatures and engine settings by selecting Administration System Update Signatures and Engine For more information about these settings see Updating the Scan Signatures and Scan Engine Firmware on page 10 ...

Page 59: ...Default update server Files are updated from the default NETGEAR update server Server address Files are updated from the server that you specify enter the IP address or host name of the update server Update Frequency Specify the frequency with which the UTM checks for file updates Weekly From the pull down menus select the weekday hour and minutes that the updates occur Daily From the pull down me...

Page 60: ...le is a legitimate DoS program and is safe to use because it is not a malware threat and does not include any fragments of malware code The test file is provided by EICAR an organization that unites efforts against computer crime fraud and misuse of computers or networks Verify that the UTM properly scans HTTP traffic 1 Log in to the UTM Web Management Interface and then verify that HTTP scanning ...

Page 61: ...icense key in the Registration Key field 3 Fill out the customer and VAR fields 4 Click Register Note Activating the service licenses initiates their terms of use Activate the licenses only when you are ready to start using this unit If your unit has never been registered before you can use the 30 day trial period for all 3 types of licenses to perform the initial testing and configuration To use ...

Page 62: ...u might want to address before you deploy the UTM in your network are listed below Configuring the WAN Mode Required for Dual WAN Port Models Only on page 3 9 Configuring VPN Authentication Domains Groups and Users on page 9 1 Managing Digital Certificates on page 9 17 Using the IPsec VPN Wizard for Client and Gateway Configurations on page 7 3 Using the SSL VPN Wizard for Client Configurations on...

Page 63: ...e Configuring the Internet Connections on page 3 2 2 Configure the WAN mode required for operation of the dual WAN port models For all models select either NAT or classical routing For the dual WAN port models only select either dedicated single WAN mode auto rollover mode or load balancing mode For load balancing you can also select any necessary protocol bindings See Configuring the WAN Mode Req...

Page 64: ... The Web Configuration Manager offers two connection configuration options Automatic detection and configuration of the network connection Manual configuration of the network connection Each option is detailed in the sections following Automatically Detecting and Connecting To automatically configure the WAN ports for connection to the Internet 1 Select Network Config WAN Settings from the menu On...

Page 65: ...k the Auto Detect action button at the bottom of the menu The auto detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support Figure 3 2 shows a dual WAN port model s screen A single WAN port model s screen shows only a single WAN ISP Settings submenu tab Figure 3 1 Figure 3 2 ...

Page 66: ...ompted to either check the physical connection between your UTM and the cable or DSL line or to check your UTM s MAC address For more information see Configuring the WAN Mode Required for Dual WAN Port Models Only on page 3 9 and Troubleshooting the ISP Connection on page 12 5 3 To verify the connection click the WAN Status option arrow at the top right of the screen A popup window appears display...

Page 67: ...network has a unique 48 bit local Ethernet address This is also referred to as the computer s Media Access Control MAC address The default is set to Use Default Address If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP then you must enter that address Setting the UTM s MAC address is controlled through the Advanced options on the single WA...

Page 68: ...on WAN Settings WAN ISP Settings The WAN ISP Settings screen displays Figure 3 4 shows the ISP Login section of the screen 2 In the ISP Login section of the screen select one of the following options If your ISP requires an initial login to establish an Internet connection click Yes this is the default If a login is not required click No and ignore the Login and Password fields 3 If you clicked Ye...

Page 69: ...always on To log out after the connection is idle for a period of time select the Idle Time radio button and in the timeout field enter the number of minutes to wait before disconnecting This is useful if your ISP charges you based on the period that you have logged in My IP Address The IP address assigned by the ISP to make the connection with the ISP server Server IP Address The IP address of th...

Page 70: ...Subfield and Description Get Dynamically from ISP If your ISP has not assigned you a static IP address select the Get dynamically from ISP radio button The ISP automatically assigns an IP address to the UTM using DHCP network protocol Use Static IP Address If your ISP has assigned you a fixed static or permanent IP address select the Use Static IP Address radio button and enter the following setti...

Page 71: ... a mutually exclusive basis for either auto rollover for increased system reliability or load balancing for maximum bandwidth efficiency or one port can be disabled Auto Rollover Mode The selected WAN interface is defined as the primary link and the other interface is defined as the rollover link As long as the primary link is up all traffic is sent over the primary link When the primary link goes...

Page 72: ...ingle IP address PCs on your LAN can use any private IP address range and these IP addresses are not visible from the Internet The UTM uses NAT to select the correct PC on your LAN to receive any incoming data If you only have a single public Internet IP address you must use NAT the default setting If your ISP has provided you with multiple public IP addresses you can use one address as the primar...

Page 73: ...nfiguring Auto Rollover Mode Dual WAN Port Models Only For the dual WAN port models only to use a redundant ISP link for backup purposes ensure that the backup WAN interface has already been configured Then select the WAN interface that will act as the primary link for this mode and configure the WAN failure detection method on the WAN Mode screen to support auto rollover When the UTM is configure...

Page 74: ...N Mode screen displays 2 Enter the settings as explained in Table 3 5 Figure 3 8 Table 3 5 Auto Rollover Mode Settings Dual WAN Port Models Only Setting Description or Subfield and Description Port Mode Auto Rollover using WAN port Select the Auto Rollover using WAN port radio button Then from the pull down menu select the WAN port that must function as the as the primary link for this mode Note E...

Page 75: ...nk is considered down after the configured number of queries have failed to elicit a reply The backup link is brought up after this has occurred The failover default is 4 failures Ping these IP addresses A public IP address that does not reject the ping request and does not consider ping traffic to be abusive Queries are sent to this server through the WAN interface that is being monitored The ret...

Page 76: ...nd HTTPS traffic from the computers on the LAN through the WAN1 port All outbound FTP traffic is routed through the WAN2 port Protocol binding addresses two issues Segregation of traffic between links that are not of the same speed High volume traffic can be routed through the WAN port connected to a high speed link and low volume traffic can be routed through the WAN port connected to the low spe...

Page 77: ...l down menu select a service or application to be covered by this rule If the service or application does not appear in the list you must define it using the Services menu see Services Based Rules on page 5 3 Source Network The source network settings determine which computers on your network are affected by this rule Select one of the following options from the pull down menu Any All devices on y...

Page 78: ...AN Mode screen by selecting Network Config WAN Settings from the menu and clicking the WAN Mode tab 4 Click Apply to save your settings Source Network continued Group 1 Group 8 If this option is selected the rule is applied to the devices that are assigned to the selected group Note You may also assign a customized name to a group see Changing Group Names in the Network Database on page 4 16 Desti...

Page 79: ...s Add LAN WAN Inbound Service screen Add DMZ WAN Inbound Service screen In the NAT IP pull down menus of the following outbound firewall rule screens Add LAN WAN Outbound Service screen Add DMZ WAN Outbound Service screen For more information about firewall rules see Using Rules to Block or Allow Specific Kinds of Traffic on page 5 3 It is important that you ensure that any secondary WAN addresses...

Page 80: ...resses table On a a single WAN port model the WAN Secondary Addresses screen displays The List of Secondary WAN addresses table displays the secondary LAN IP addresses added to the UTM 3 In the Add WAN1 Secondary Addresses section dual WAN port models or Add WAN Secondary Addresses section of the screen single WAN port models enter the following settings IP Address Enter the secondary address that...

Page 81: ...your IP address will be and the address can change frequently hence the need for a commercial DDNS service which allows you to register an extension to its domain and restores DNS requests for the resulting FQDN to your frequently changing IP address After you have configured your account information on the UTM when your ISP assigned IP address changes your UTM automatically contacts your DDNS ser...

Page 82: ...red WAN mode For the dual WAN port models for example Single Port WAN1 Load Balancing or Auto Rollover Only those options that match the configured WAN Mode are accessible on screen 3 Select the submenu tab for your DDNS service provider Dynamic DNS submenu tab which is shown in Figure 3 11 for DynDNS org or DYNDNS com DNS TZO submenu tab for TZO com DNS Oray submenu tab for Oray net Figure 3 11 ...

Page 83: ...on to enable the DDNS service The service that displays on screen depends on the submenu tab for the DDNS service provider that you have selected Enter the following settings Host and Domain Name The host and domain name for the DDNS service User Name The user name for DDNS server authentication Password The password that is used for DDNS server authentication Use wildcards If your DDNS provider a...

Page 84: ...s and setting a rate limit on the traffic that is being forwarded by the UTM To configure advanced WAN options 1 Select Network Config WAN Settings from the menu On a dual WAN port model the WAN Settings tabs appear with the WAN1 ISP Settings screen screen in view On a single WAN port model the WAN ISP Settings screen displays 2 Click the Advanced option arrow On a dual WAN port model the WAN1 Adv...

Page 85: ...ht need to manually select the port speed If you know the Ethernet port speed of the modem or router select it from the pull down menu Use the half duplex settings only of the full duplex settings do not function properly Select one of the following speeds from the pull down menu AutoSense Speed autosensing This is the default setting which can sense 1000BaseT speed at full duplex 10BaseT Half_Dup...

Page 86: ...s These settings rate limit the traffic that is being forwarded by the UTM WAN Connection Type From the pull down menu select the type of connection that the UTM uses to connect to the Internet DSL ADLS Cable Modem T1 T3 or Other WAN Connection Speed Upload From the pull down menu select the maximum upload speed that is provided by your ISP You can select from 56 Kbps to 1 Gbps or you can select C...

Page 87: ...a local area network with a definition that maps workstations on some basis other than geographic location for example by department type of user or primary application To enable traffic to flow between VLANs traffic must go through a router just as if the VLANs were on two separate LANs A VLAN is a group of PCs servers and other network resources that behave as if they were connected to a single ...

Page 88: ...t based VLANs help to confine broadcast traffic to the LAN ports Even though a LAN port can be a member of more than one VLAN the port can have only one VLAN ID as its Port VLAN Identifier PVID By default all four LAN ports of the UTM are assigned to the default VLAN or VLAN 1 Therefore by default all four LAN ports have default PVID 1 However you can assign another PVID to a LAN port by selecting...

Page 89: ...he IP phone to the UTM LAN port are tagged Packets passing through the IP phone from the connected device to the UTM LAN port are untagged When you assign the UTM LAN port to a VLAN packets entering and leaving the port are tagged with the VLAN ID However untagged packets entering the UTM LAN port are forwarded to the default VLAN with PVID 1 packets that leave the LAN port with the same default P...

Page 90: ...s 3 Click Apply to save your settings VLAN DHCP Options For each VLAN you must specify the Dynamic Host Configuration Protocol DHCP options The configuration of the DHCP options for the UTM s default VLAN or VLAN 1 are explained in Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network This section provides further information about the DHCP options DHCP Server The default VLAN VLAN...

Page 91: ...u must configure the DHCP Relay Agent on the subnet that contains the remote clients so that the DHCP Relay Agent can relay DHCP broadcast messages to your DHCP server DNS Proxy When the DNS Proxy option is enabled for a VLAN the UTM acts as a proxy for all DNS requests and communicates with the ISP s DNS servers as configured on the WAN ISP Settings screens All DHCP clients receive the primary an...

Page 92: ... that defines the location in the directory that is the directory tree from which the LDAP search begins Configuring a VLAN Profile For each VLAN on the UTM you can configure its profile port membership LAN TCP IP settings DHCP options and DNS server To add or edit a VLAN profile 1 Select Network Config LAN Settings from the menu The LAN submenu tabs appear with the LAN Setup screen in view see Fi...

Page 93: ...tion 4 7 v1 0 January 2010 2 Either select an entry from the VLAN Profiles table by clicking the corresponding Edit table button or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table The Edit VLAN Profile screen displays see Figure 4 3 Figure 4 3 ...

Page 94: ...s Note If you change the LAN IP address of the VLAN while being connected through the browser to the VLAN you will be disconnected You must then open a new connection to the new IP address and log in again For example if you change the default IP address 192 168 1 1 to 10 0 0 1 you must now enter https 10 0 0 1 in your browser to reconnect to the Web Management Interface Subnet Mask Enter the IP s...

Page 95: ...er IP address If no address is specified the UTM uses the VLAN IP address as the primary DNS server IP address Secondary DNS Server This is optional If an IP address is specified the UTM provides this address as the secondary DNS server IP address WINS Server This is optional Enter a WINS server IP address to specify the Windows NetBios server if one is present in your network Lease Time Enter a l...

Page 96: ...address name resolution This setting is disabled by default Note When you deselect the Enable DNS Proxy radio button the UTM still services DNS requests that are sent to its LAN IP address unless you disable DNS Proxy in the firewall settings see Attack Checks on page 5 27 Inter VLAN Routing Enable Inter VLAN Routing This is optional Select the Enable Inter VLAN Routing radio button to ensure that...

Page 97: ...LAN Settings submenu tabs appear with the LAN Setup screen in view 2 Click the LAN Multi homing submenu tab The LAN Multi homing screen displays The Available Secondary LAN IPs table displays the secondary LAN IP addresses added to the UTM It is important that you ensure that any secondary LAN addresses are different from the primary LAN WAN and DMZ IP addresses and subnet addresses that are alrea...

Page 98: ...er means Collectively these entries make up the Network Database The Network Database is updated by these methods DHCP Client Requests When the DHCP server is enabled it accepts and responds to DHCP client requests from PCs and other network devices These requests also generate an entry in the Network Database This is an advantage of enabling the DHCP Server feature Scanning the Network The local ...

Page 99: ...iduals You can assign PCs to groups see Managing the Network Database on this page and apply restrictions outbound rules and inbound rules to each group see Using Rules to Block or Allow Specific Kinds of Traffic on page 5 3 You can select groups that are allowed access to applications Web categories and URLs that you have blocked for all other users or the other way around block access to applica...

Page 100: ... DHCP server then the name is appended by an asterisk IP Address The current IP address of the PC or device For DHCP clients of the UTM this IP address does not change If a PC or device is assigned a static IP address you need to update this entry manually after the IP address on the PC or device has changed MAC Address The MAC address of the PC or device s network interface Group Each PC or devic...

Page 101: ...device receives it IP address Fixed set on PC The IP address is statically assigned on the PC or device Reserved DHCP Client Directs the UTM s DHCP server to always assign the specified IP address to this client during the DHCP negotiation see Setting Up Address Reservation on page 4 17 Note When assigning a reserved IP address to a client the IP address selected must be outside the range of addre...

Page 102: ...l down menus as explained in step 1 of the previous section Adding PCs or Devices to the Network Database on page 4 15 3 Click Apply to save your settings in the Known PCs and Devices table Changing Group Names in the Network Database By default the groups are named Group1 through Group8 You can rename these group names to be more descriptive such as GlobalMarketing and GlobalSales To edit the nam...

Page 103: ... characters is 15 spaces and double quotes are not allowed 6 Repeat step 4 and step 5 for any other group names 7 Click Apply to save your settings Setting Up Address Reservation When you specify a reserved IP address for a PC or device on the LAN based on the MAC address of the device that PC or device always receives the same IP address each time it accesses the UTM s DHCP server Reserved IP add...

Page 104: ...t and both inbound and outbound DMZ traffic are disabled Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT The UTM is programmed to recognize some of these applications and to work properly with them but there are other applic...

Page 105: ...nce Reference Manual LAN Configuration 4 19 v1 0 January 2010 To enable and configure the DMZ port 1 Select Network Config DMZ Setup from the menu The DMZ Setup screen displays 2 Enter the settings as explained in Table 4 3 on page 4 20 Figure 4 8 ...

Page 106: ...he Disable DHCP Server radio button to disable the DHCP server This is the default setting Enable DHCP Server Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol DHCP server providing TCP IP configuration for all computers connected to the VLAN Enter the following settings Domain Name This is optional Enter the domain name of the UTM St...

Page 107: ... UTM as a DHCP relay agent for a DHCP server somewhere else on your network Enter the following setting Relay Gateway The IP address of the DHCP server for which the UTM serves as a relay Enable LDAP information Select the Enable LDAP information checkbox to enable the DHCP server to provide Lightweight Directory Access Protocol LDAP server information Enter the following settings LDAP Server The ...

Page 108: ...work DNS Proxy Enable DNS Proxy This is optional Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution This setting is enabled by default Note The UTM still services DNS requests sent to its LAN IP address unless you disable DNS Proxy in the firewall settings see Attack Checks on page 5 27 Note The DMZ LED next to LAN port 4 see Fron...

Page 109: ... 23 v1 0 January 2010 Configuring Static Routes To add a static route to the Static Route table 1 Select Network Config Routing from the menu The Routing screen displays 2 Click the Add table button under the Static Routes table The Add Static Route screen displays Figure 4 9 Figure 4 10 ...

Page 110: ...field and Description Route Name The route name for the static route for purposes of identification and management Active To make the static route effective select the Active checkbox Note A route can be added to the table and made inactive if not needed This allows routes to be used as needed without deleting and re adding the entry an inactive route is not advertised if RIP is enabled Private If...

Page 111: ...v1 0 January 2010 To enable and configure RIP 1 Select Network Configuration Routing from the menu 2 Click the RIP Configuration option arrow at the right of the Routing submenu tab The RIP Configuration screen displays 3 Enter the settings as explained in Table 4 5 on page 4 26 Figure 4 11 ...

Page 112: ...ports subnet information Both RIP 2B and RIP 2M send the routing data in RIP 2 format RIP 2B Sends the routing data in RIP 2 format and uses subnet broadcasting RIP 2M Sends the routing data in RIP 2 format and uses multicasting Authentication for RIP 2B 2M Authentication for RIP 2B 2M required Authentication for RP 2B or RIP 2M is disabled by default that is the No radio button is selected To ena...

Page 113: ...rk s firewall In this case you must define a static route informing the UTM that the 134 177 0 0 IP address should be accessed through the local LAN IP address 192 168 1 100 The static route on the UTM must be defined as follows The destination IP address and IP subnet mask must specify that the static route applies to all 134 177 x x IP addresses The gateway IP address must specify that all traff...

Page 114: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 4 28 LAN Configuration v1 0 January 2010 ...

Page 115: ...ion A firewall protects one network the trusted network such as your LAN from another the untrusted network such as the Internet while allowing communication between the two You can further segment keyword blocking to certain known groups To set up LAN Groups see Managing Groups and Hosts LAN Groups on page 4 12 A firewall incorporates the functions of a Network Address Translation NAT router prot...

Page 116: ...c Traffic on page 5 41 Allow or block sites and applications see Setting Web Access Exception Rules on page 6 41 Source MAC filtering see Enabling Source MAC Filtering on page 5 42 Port triggering see Configuring Port Triggering on page 5 46 3 Content filtering is a firewall component The UTM provides such extensive content filtering options that an entire chapter is dedicated to this subject see ...

Page 117: ...locking and allowing traffic on the UTM can be applied to LAN WAN traffic DMZ WAN traffic and LAN DMZ traffic Services Based Rules The rules to block traffic are based on the traffic s category of service Outbound Rules service blocking Outbound traffic is normally allowed unless the firewall is configured to disallow it Inbound Rules port forwarding Inbound traffic is normally blocked by the fire...

Page 118: ...led service blocking or port filtering Table 5 2 on page 5 5 describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens see Figure 5 3 on page 5 14 Figure 5 6 on page 5 17 and Figure 5 9 on page 5 20 The steps to configure outbound rules are described in the following sections Setting LAN WAN Rules on page 5 12 Setting DMZ WAN Rules on page...

Page 119: ...figure the time schedules see Setting a Schedule to Block or Allow Specific Traffic on page 5 41 LAN Users The settings that determine which computers on your network are affected by this rule The options are Any All PCs and devices on your LAN Single address Enter the required address to apply the rule to a single device on your LAN Address range Enter the required addresses in the Start and Fini...

Page 120: ...iting determines the way in which the data is sent to and from your host The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic thus preventing the LAN users from consuming all the bandwidth of the Internet link Bandwidth limiting occurs in the following ways For outbound traffic on the available WAN interface in the single WAN port mode and auto ...

Page 121: ...dress will fail Table 5 3 on page 5 8 describes the fields that define the rules for inbound traffic and that are common to most Inbound Service screens see Figure 5 4 on page 5 15 Figure 5 7 on page 5 18 and Figure 5 10 on page 5 21 The steps to configure inbound rules are described in the following sections Setting LAN WAN Rules on page 5 12 Setting DMZ WAN Rules on page 5 15 Setting LAN DMZ Rul...

Page 122: ...schedule screen to configure the time schedules see Setting a Schedule to Block or Allow Specific Traffic on page 5 41 Send to LAN Server The LAN server address determines which computer on your network is hosting this service rule You can also translate this address to a port number Send to DMZ Server The DMZ server address determines which computer on your network is hosting this service rule Yo...

Page 123: ...s DMZ Users The settings that determine which DMZ computers on the DMZ network are affected by this rule The options are Any All PCs and devices on your DMZ network Single address Enter the required address to apply the rule to a single PC on the DMZ network Address range Enter the required addresses in the Start and Finish fields to apply the rule to a range of DMZ computers Note This field is no...

Page 124: ...eventing the LAN users from consuming all the bandwidth of the Internet link Bandwidth limiting occurs in the following ways For outbound traffic on the available WAN interface in the single WAN port mode and auto rollover mode and on the selected interface in load balancing mode For inbound traffic on the LAN interface for all WAN modes Note Bandwidth Limiting does not apply to the DMZ interface ...

Page 125: ...to pass through the firewall the packet information is subjected to the rules in the order shown in the Rules table beginning at the top and proceeding to the bottom In some cases the order of precedence of two or more rules might be important in determining the disposition of a packet For example you should place the most strict rules at the top those with the most specific services or addresses ...

Page 126: ...und This feature is also referred to as service blocking You can change the default policy of Allow Always to Block Always to block all outbound traffic which then allows you to enable only specific services to pass through the UTM To change the default outbound policy 1 Select Network Security Firewall from the menu The Firewall submenu tabs appear with the LAN WAN Rules screen in view 2 Next to ...

Page 127: ...o select all rules 2 Click one of the following table buttons Enable Enables the rule or rules The status icon changes from a grey circle to a green circle indicating that the rule is or rules are enabled By default when a rule is added to the table it is automatically enabled Disable Disables the rule or rules The status icon changes from a green circle to a grey circle indicating that the rule i...

Page 128: ... as explained in Table 5 2 on page 5 5 3 Click Apply to save your changes The new rule is now added to the Outbound Services table LAN WAN Inbound Services Rules The Inbound Services table lists all existing rules for inbound traffic If you have not defined any rules no rules are listed By default all inbound traffic from the Internet to the LAN is blocked Remember that allowing inbound services o...

Page 129: ...een the DMZ and the Internet are configured on the DMZ WAN Rules screen The default outbound policy is to allow all traffic from and to the Internet to pass through You can then apply firewall rules to block specific types of traffic from either going out from the DMZ to the Internet outbound or coming in from the Internet to the DMZ inbound There is no pull down menu that lets you set the default...

Page 130: ...f to the rule click on of the following table buttons Edit Allows you to make any changes to the rule definition of an existing rule Depending on your selection either the Edit DMZ WAN Outbound Service screen identical to Figure 5 6 on page 5 17 or Edit DMZ WAN Inbound Service screen identical to Figure 5 7 on page 5 18 displays containing the data for the selected rule Up Moves the rule up one po...

Page 131: ...at specify exceptions to the default outbound policy By adding custom rules you can block or allow access based on the service or application source or destination IP addresses and time of day An outbound rule may block or allow traffic between the DMZ and any external WAN IP address according to the schedule created in the Schedule menu To create a new outbound DMZ WAN service rule 1 In the DMZ W...

Page 132: ...s screen take precedence over inbound rules that are configured on the DMZ WAN Rules screen As a result if an inbound packet matches an inbound rule on the LAN WAN Rules screen it is not matched against the inbound rules on the DMZ WAN Rules screen To create a new inbound DMZ WAN service rule 1 In the DMZ WAN Rules screen click the Add table button under the Inbound Services table The Add DMZ WAN ...

Page 133: ... policy by blocking all outbound traffic and then enabling only specific services to pass through the UTM You do so by adding outbound services rules see LAN DMZ Outbound Services Rules on page 5 20 To access the LAN DMZ Rules screen 1 Select Network Security Firewall from the menu The Firewall submenu tabs appear 2 Click the LAN DMZ Rules submenu tab The LAN DMZ Rules screen displays To make chan...

Page 134: ...is or rules are disabled By default when a rule is added to the table it is automatically enabled Delete Deletes the rule or rules LAN DMZ Outbound Services Rules You may change the default outbound policy or define rules that specify exceptions to the default outbound policy By adding custom rules you can block or allow access based on the service or application source or destination IP addresses...

Page 135: ...vices table lists all existing rules for inbound traffic If you have not defined any rules no rules are listed By default all inbound traffic from the LAN to the DMZ is allowed To create a new inbound LAN DMZ service rule 1 In the LAN DMZ Rules screen click the Add table button under the Inbound Services table The Add LAN DMZ Inbound Service screen displays 2 Enter the settings as explained in Tab...

Page 136: ...HTTP requests from any outside IP address to the IP address of your Web server at any time of the day LAN WAN Inbound Rule Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses such as from a branch office you can create an inbound rule see Figure 5 11 on page 5 22 In the example CU SeeMe c...

Page 137: ...to host an additional public IP address and associate this address with a Web server on the LAN The following addressing scheme is used to illustrate this procedure Netgear UTM WAN1 IP address dual WAN port models or WAN IP address single WAN port models 10 1 0 118 LAN IP address subnet 192 168 1 1 subnet 255 255 255 0 DMZ IP address subnet 192 168 10 1 subnet 255 255 255 0 Web server PC on the UT...

Page 138: ...es submenu tab 3 Click the Add table button under the Inbound Services table The Add LAN WAN Inbound Service screen displays 4 From the Service pull down menu select HTTP for a Web server 5 From the Action pull down menu select ALLOW Always Tip If you arrange with your ISP to have more than one public IP address for your use you can use the additional public IP addresses to map to servers on your ...

Page 139: ...creen To test the connection from a PC on the Internet type http IP_address where IP_address is the public IP address that you have mapped to your Web server You should see the home page of your Web server LAN WAN or DMZ WAN Inbound Rule Specifying an Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you ...

Page 140: ...r If you want to block Instant Messenger usage by employees during working hours you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu See an example in Figure 5 15 on page 5 27 You can also enable the UTM log any attempt to use Instant Messenger during that blocked period ...

Page 141: ... SIP sessions Attack Checks The Attack Checks screen allows you to specify whether or not the UTM should be protected against common attacks in the DMZ LAN and WAN networks The various types of attack checks are listed on the Attack Checks screen and defined in Table 5 4 on page 5 28 To enable the appropriate attack checks for your network environment 1 Select Network Security Firewall from the me...

Page 142: ...on to enable the UTM to respond to a ping from the Internet Enable Stealth Mode Select the Enable Stealth Mode checkbox which is the default setting to prevent the UTM from responding to port scans from the WAN thus making it less susceptible to discovery and attacks Block TCP Flood Select the Block TCP Flood checkbox to enable the UTM to drop all invalid TCP packets and to protect the UTM from a ...

Page 143: ...work location anonymous Disable Ping Reply on LAN Ports Select the Disable Ping Reply on LAN Ports checkbox to prevent the UTM from responding to a ping on a LAN port A ping can be used as a diagnostic tool Keep this checkbox deselected unless you have a specific reason to prevent the UTM from responding to a ping on a LAN port VPN Pass through IPSec PPTP L2TP When the UTM functions in NAT mode al...

Page 144: ...r an IP connection across the UTM The Session Limit feature is disabled by default To enable and configure the Session Limit feature 1 Select Network Security Firewall from the menu The Firewall submenu tabs appear 2 Click the Session Limit submenu tab The Session Limit screen displays 3 Click the Yes radio button under Do you want to enable Session Limit 4 Enter the settings as explained in Table...

Page 145: ... capacity of the UTM Number of Sessions An absolute number of maximum sessions User Limit Enter a number to indicate the user limit If the User Limit Parameter is set to Percentage of Max Sessions the number specifies the maximum number of sessions that are allowed from a single source device as a percentage of the total session connection capacity of the UTM The session limit is per device based ...

Page 146: ...service QoS profile defines the relative priority of an IP packet for traffic that matches the firewall rule For information about creating QoS profiles see Creating Quality of Service QoS Profiles on page 5 35 Bandwidth Profiles A bandwidth profile allocates and limits traffic bandwidth for the LAN users to which a firewall rule is applied For information about creating bandwidth profiles see Cre...

Page 147: ...en from the range 1024 to 65535 by the authors of the application Although the UTM already holds a list of many service port numbers you are not limited to these choices Use the Services screen to add additional services and applications to the list for use in defining firewall rules The Services menu shows a list of services that you have defined as shown in Figure 5 19 To define a new service fi...

Page 148: ...ication and management purposes Type From the Type pull down menu select the Layer 3 protocol that the service uses as its transport protocol TCP UDP ICMP ICMP Type A numeric value that can range between 0 and 40 For a list of ICMP types see http www iana org assignments icmp parameters This field is enabled only when you select ICMP from the Type pull down menu Start Port The first TCP or UDP por...

Page 149: ...orities are defined by the Type of Service ToS in the Internet Protocol Suite standards RFC 1349 There is no default QoS profile on the UTM Following are examples of QoS profiles that you could create Normal service profile used when no special priority is given to the traffic You would typically mark the IP packets for services with this priority with a ToS value of 0 Minimize cost profile used w...

Page 150: ... Services screen in view 2 Click the QoS Profiles submenu tab The QoS Profiles screen displays Figure 5 21 shows some profiles in the List of QoS Profiles table as an example The screen displays the List of QoS Profiles table with the user defined profiles 3 Under the List of QoS Profiles table click the Add table button The Add QoS Profile screen displays 4 Enter the settings as explained in Tabl...

Page 151: ...re the QoS type IP Precedence or DHCP and QoS value and to set only the QoS priority Add DiffServ Mark Select the Add DiffServ Mark radio button to set the differentiated services DiffServ mark in the Type of Service ToS byte of an IP header by specifying the QoS type IP Precedence or DHCP and QoS value QoS Type From the QoS pull down menu select one of the following traffic classification methods...

Page 152: ...idth profile specification the device creates a bandwidth class in the kernel If multiple connections correspond to the same firewall rule the connections all share the same bandwidth class An exception occurs for an individual bandwidth profile if the classes are per source IP address classes The source IP address is the IP address of the first packet that is transmitted for the connection So for...

Page 153: ...January 2010 The screen displays the List of Bandwidth Profiles table with the user defined profiles 3 Under the List of Bandwidth Profiles table click the Add table button The Add Bandwidth Profile screen displays 4 Enter the settings as explained in Table 5 8 on page 5 40 Figure 5 23 Figure 5 24 ...

Page 154: ...r Subfield and Description Profile Name A descriptive name of the bandwidth profile for identification and management purposes Minimum Bandwidth The minimum allocated bandwidth in Kbps The default setting is 0 Kbps Maximum Bandwidth The maximum allowed bandwidth in Kbps The default setting and minimum setting is 100 Kbps the maximum allowable bandwidth is 100000 Kbps Type From the Type pull down m...

Page 155: ...Objects from the menu The Firewall Objects submenu tabs appear with the Services screen in view 2 Click the Schedule 1 submenu tab The Schedule 1 screen displays 3 In the Scheduled Days section select one of the following radio buttons All Days The schedule is in effect all days of the week Specific Days The schedule is active only on specific days To the right of the radio buttons select the chec...

Page 156: ... certain known PCs or devices By default the source MAC address filter is disabled All the traffic received from PCs with any MAC address is allowed When the source MAC address filter is enabled depending on the selected policy traffic is either permitted or blocked if it comes from any PCs or devices whose MAC addresses are listed in MAC Addresses table To enable MAC filtering and add MAC address...

Page 157: ...ed 4 Below Add Source MAC Address build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field A MAC address must be entered in the form xx xx xx xx xx xx where x is a numeric 0 to 9 or a letter between and a and f inclusive for example aa 11 bb 22 cc 03 5 Click the Add table button The MAC address is added to the MAC Addresses table...

Page 158: ...0 Host2 MAC address 00 01 02 03 04 06 and IP address 192 168 10 11 Host3 MAC address 00 01 02 03 04 07 and IP address 192 168 10 12 If all of the above host entry examples are added to the IP MAC Binding table the following scenarios indicate the possible outcome Host1 Matching IP MAC address in IP MAC Table Host2 Matching IP but inconsistent MAC address in IP MAC Table Host3 Matching MAC but inco...

Page 159: ... Binding Violation Select one of the following radio buttons Yes IP MAC binding violations are e mailed No IP MAC binding violations are not e mailed Note Click the Firewall Logs E mail page hyperlink to ensure that e mailing of logs is enabled on the Email and Syslog screen see Configuring Logging Alerts and Event Notifications on page 11 5 IP MAC Bindings Name A descriptive name of the binding f...

Page 160: ...as follows 1 A PC makes an outgoing connection using a port number that is defined in the Port Triggering Rules table 2 The UTM records this connection opens the additional incoming port or ports that are associated with the rule in the port triggering table and associates them with the PC 3 The remote system receives the PCs request and responds using the incoming port or ports that are associate...

Page 161: ...ication can be used by another PC This time out period is required so the UTM can determine that the application has terminated To add a port triggering rule 1 Select Network Security Port Triggering from the menu The Port Triggering screen displays Figure 5 28 shows a rule in the Port Triggering Rule table as an example 2 Below Add Port Triggering Rule enter the settings as explained in Table 5 1...

Page 162: ...een A popup window appears displaying the status of the port triggering rules Table 5 10 Port Triggering Settings Setting Description or Subfield and Description Name A descriptive name of the rule for identification and management purposes Enable From the pull down menu select Yes to enable the rule You can define a rule but not enable it The default setting is No Protocol From the pull down menu...

Page 163: ...IPS also allows you to configure port scan detection to adjust it to your needs and to protect the network from unwanted port scans that could compromise the network security The IPS is disabled by default To enable intrusion prevention and configure port scan detection 1 Select Network Security IPS from the menu The IPS submenu tabs appear with the Global IPS screen in view 2 To enable the IPS se...

Page 164: ...or each section either select the actions for individual attacks by making selections from the pull down menus to the right of the names or select a global action for all attacks for that category by making a selection from the pull down menu to the right of All web attacks Some of the less familiar Web and miscellaneous attacks are explained in Table 5 11 on page 5 52 The pull down menus let you ...

Page 165: ...ProSecure Unified Threat Management UTM Appliance Reference Manual Firewall Protection 5 51 v1 0 January 2010 Figure 5 31 ...

Page 166: ...ced under other Web categories such as DoS and overflow attacks against specific Web services These Web services include IMail Web Calendaring ZixForum ScozNet ScozNews and other services inappropriate Detect the behavior about visiting pornographic Web sites Misc policy Detects traffic that violates common policies such as traffic that flows because of certain network installer applications and t...

Page 167: ...ptions and instant alerts via e mail You can establish restricted Web access policies that are based on the time of day Web addresses and Web address keywords You can also block Internet access by applications and services such as instant messaging and peer to peer file sharing clients Note Traffic that passes on the UTM s VLANs and on the secondary IP addresses that you have configured on the LAN...

Page 168: ... Protocols SMTP Enabled Block infected e mail POP3 Enabled Delete attachment if infected IMAP Enabled Delete attachment if infected Web Server Protocols a HTTP Enabled Delete file if malware threat detected HTTPS Disabled No action scan disabled FTP Enabled Delete file if malware threat detected Instant Messaging Services Google Talk Jabber Allowed mIRC Allowed MSN Messenger Allowed Yahoo Messenge...

Page 169: ...s that are filtered to block objectionable or high risk content Customer notifications and e mail alerts that are sent when events are detected Rules and policies for spam detection Education Allowed with the exception of School Cheating Gaming Blocked Inactive Sites Allowed Internet Communication and Search Allowed with the exception of Anonymizers Leisure and News Allowed Malicious Blocked Polit...

Page 170: ...ransfer Protocol SMTP scanning is enabled by default on port 25 POP3 Post Office Protocol 3 POP3 scanning is enabled by default on port 110 IMAP Internet Message Access Protocol IMAP scanning is enabled by default on port 143 3 Click Apply to save your settings Figure 6 1 Note If a protocol uses a port other than the standard service port for example port 25 for SMTP enter this non standard port i...

Page 171: ...ettings Whether or not the UTM detects an e mail virus you can configure it to take a variety of actions some of the default actions are listed in Table 6 1 on page 6 2 and send notifications e mails or both to the end users To configure the e mail anti virus settings 1 Select Application Security Email Anti Virus from the menu The Email Anti Virus screen displays Figure 6 2 ...

Page 172: ...he following actions when an infected e mail is detected Delete attachment This is the default setting The e mail is not blocked but the attachment is deleted and a log entry is created Log only Only a log entry is created The e mail is not blocked and the attachment is not deleted Scan Exceptions The default maximum file or message size that is scanned is 2048 KB but you can define a maximum size...

Page 173: ... infected with a default warning message The warning message informs the end user about the name of the malware threat You can change the default message to include the action that the UTM has taken see example below By default this checkbox is selected and a warning message replaces an infected e mail Note Make sure that you keep the VIRUSINFO meta word in a message to enable the UTM to insert th...

Page 174: ...ck e mails based on the extensions of attached files Such files can include executable files audio and video files and compressed files File name blocking You can block e mails based on the names of attached files Such names can include for example names of known malware threat such as the Netsky worm which normally arrives as netsky exe Subject The default subject line for the notification e mail...

Page 175: ...nt UTM Appliance Reference Manual Content Filtering and Optimizing Scans 6 9 v1 0 January 2010 To configure e mail content filtering 1 Select Application Security Email Filters from the menu The Email Filters screen displays Figure 6 3 ...

Page 176: ...log entry is created The e mail is not blocked Filter by Password Protected Attachments ZIP RAR etc Action SMTP From the SMTP pull down menu specify one of the following actions when a password protected attachment to an e mail is detected Block email The e mail is blocked and a log entry is created Delete attachment The e mail is not blocked but the attachment is deleted and a log entry is create...

Page 177: ...e extensions are added to the File Extension field This is the default setting Executables Executable file extensions exe com dll so lib scr bat and cmd are added to the File Extension field Audio Video Audio and video file extensions wav mp3 avi rm rmvb wma wmv mpg mp4 and aac are added to the File Extension field Compressed Files Compressed file extensions zip rar gz tar and bz2 added to the Fil...

Page 178: ...ist You can specify e mails that are accepted or blocked based on the originating IP address domain and e mail address by setting up the whitelist and blacklist You can also specify e mails that are accepted based on the destination domain and e mail address The whitelist ensures that e mail from listed that is trusted sources and recipients are not mistakenly tagged as spam E mails going to and f...

Page 179: ...ence Manual Content Filtering and Optimizing Scans 6 13 v1 0 January 2010 To configure the whitelist and blacklist 1 Select Application Security Anti Spam from the menu The Anti Spam submenu tabs appear with the Whitelist Blacklist screen in view Figure 6 4 ...

Page 180: ... can be trusted Blacklist Enter the sender e mail domains from which e mails are blocked Click Apply to save your settings or click Reset to clear all entries from these fields Sender Email Address Whitelist Enter the e mail addresses from which e mails can be trusted Blacklist Enter the e mail addresses from which e mails are blocked Click Apply to save your settings or click Reset to clear all e...

Page 181: ...st 1 Select Application Security Anti Spam from the menu The Anti Spam submenu tabs appear with the Whitelist Blacklist screen in view 2 Click the Real time Blacklist submenu tab The Real time Blacklist screen displays 3 Select the Enable checkbox enable the Real Time Blacklist function 4 Select the Active checkboxes to the left of the default blacklist providers Spamhaus and Spamcop that you want...

Page 182: ...message format or encoding type Message patterns can be divided into distribution patterns and structure patterns Distribution patterns determine if the message is legitimate or a potential threat by analyzing the way it is distributed to the recipients while structure patterns determine the volume of the distribution The UTM uses a Distributed Spam Analysis architecture to determine whether or no...

Page 183: ...uted Spam Analysis Settings Setting Description or Subfield and Description Distributed Spam Analysis SMTP Select the SMTP checkbox to enable Distributed Spam Analysis for the SMTP protocol You can enable Distributed Spam Analysis for both SMTP and POP3 POP3 Select the POP3 checkbox to enable Distributed Spam Analysis for the POP3 protocol You can enable Distributed Spam Analysis for both SMTP and...

Page 184: ...n is to block spam e mail Tag Add tag to mail subject When the option Tag spam email is selected from the Action pull down menu see above select this checkbox to add a tag to the e mail subject line The default tag is SPAM but you can customize this tag The default setting is to add the default tag to the subject line Add tag X NETGEAR SPAM to mail header When the option Tag spam email is selected...

Page 185: ... are detected Schedules that determine when content filtering is active Customizing Web Protocol Scan Settings and Services You can specify the Web protocols HTTP HTTPS and FTP that are scanned for malware threats and the instant messaging and peer to peer applications that are allowed or blocked Scanning all protocols enhances network security but might affect the performance of the UTM For an op...

Page 186: ...ription or Subfield and Description Web HTTP Select the HTTP checkbox to enable Hypertext Transfer Protocol HTTP scanning This service is enabled by default and uses default port 80 HTTPS Select the HTTPS checkbox to enable Hypertext Transfer Protocol over Secure Socket Layer HTTPS This service is disabled by default The default port is 443 FTP Select the FTP checkbox to enable File Transfer Proto...

Page 187: ... example port 80 for HTTP enter this non standard port in the Ports to Scan field For example if the HTTP service on your network uses both port 80 and port 8080 enter both port numbers in the Ports to Scan field and separate them by a comma Instant Messaging Google Talk Jabber Select the corresponding checkboxes to block any of these common instant messaging services all of which are allowed by d...

Page 188: ...PS pull down menu specify one of the following actions when an infected Web file or object is detected Delete file This is the default setting The Web file or object is deleted and a log entry is created Log only Only a log entry is created The Web file or object is not deleted Streaming Select the Streaming checkbox to enable streaming of partially downloaded and scanned HTTP or HTTPS file parts ...

Page 189: ...UTM s performance see Performance Management on page 10 1 From the pull down menu specify one of the following actions when the file or message exceeds the maximum size Skip The file is not scanned but skipped leaving the end user vulnerable This is the default setting Block The file is blocked and does reach the end user HTML Scan Scan HTML Files elect this checkbox to enable scanning of HyperTex...

Page 190: ...oups for which keyword blocking has not been enabled Web object blocking You can block the following Web objects embedded objects ActiveX Java Flash proxies and cookies and you can disable Java scripts Even sites on the whitelist see Configuring Web URL Filtering on page 6 30 are subject to Web object blocking when the blocking of a particular Web object is enabled Web category blocking You can bl...

Page 191: ...en displays Because of the large size of this screen it is presented in this manual in three figures Figure 6 9 on this page Figure 6 10 on page 6 26 and Figure 6 11 on page 6 27 Note You can bypass any type of Web blocking for trusted URLs by adding the URLs to the whitelist see Configuring Web URL Filtering on page 6 30 Access to the URLs on the whitelist is allowed for PCs in the groups for whi...

Page 192: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 6 26 Content Filtering and Optimizing Scans v1 0 January 2010 Figure 6 10 Content Filtering screen 2 of 3 ...

Page 193: ...ed Threat Management UTM Appliance Reference Manual Content Filtering and Optimizing Scans 6 27 v1 0 January 2010 3 Enter the settings as explained in Table 6 8 on page 6 28 Figure 6 11 Content Filtering screen 3 of 3 ...

Page 194: ...dded to the File Extension field This is the default setting Executables Executable file extensions exe com dll so lib scr bat and cmd are added to the File Extension field Audio Video Audio and video file extensions wav mp3 avi rm rmvb wma wmv mpg mp4 and aac are added to the File Extension field Compressed Files Compressed file extensions zip rar gz tar and bz2 added to the File Extension field ...

Page 195: ...he right of the radio buttons select the checkbox for each day that you want the schedule to be in effect Blocked Categories Time of Day Select one of the following radio buttons All Day The schedule is in effect all hours of the selected day or days Specific Times The schedule is active only on specific hours of the selected day or days To the right of the radio buttons specify the Start Time and...

Page 196: ...GEAR for analysis select the category in which you think that the URL must be categorized from the pull down menu Then enter the Submit button Note When the UTM blocks access to a link of a certain blocked Web category the UTM displays an HTML warning screen that includes a hyperlink to submit a URL misclassifiation To submit a misclassified or uncategorized URL to NETGEAR for analysis click on th...

Page 197: ...Scans 6 31 v1 0 January 2010 To configure Web URL filtering 1 Select Application Security HTTP HTTPS from the menu The HTTP HTTPS submenu tabs appear with the Malware Scan screen in view 2 Click the URL Filtering submenu tab The URL Filtering screen displays Figure 6 12 shows some examples Figure 6 12 ...

Page 198: ...s are supported For example if you enter www net com in the URL field any URL that begins with www net is allowed and any URL that ends with com is allowed Delete To delete one or more URLs highlight the URLs and click the Delete table button Export To export the URLs click the Export table button and follow the instructions of your browser Add URL Type or copy a URL in the Add URL field Then clic...

Page 199: ...RL in the Add URL field Then click the Add table button to add the URL to the URL field Import from File To import a list with URLs into the URL field click the Browse button and navigate to a file in txt format that contains line delimited URLs that is one URL per line Then click the Upload table button to add the URLs to the URL field Note Any existing URLs in the URL field are overwritten when ...

Page 200: ...n an HTTPS server and an HTTP client in two parts A connection between the HTTPS client and the UTM A connection between the UTM and the HTTPS server The UTM simulates the HTTPS server communication to the HTTPS client including the SSL negotiation certificate exchange and certificate authentication In effect the UTM functions as the HTTPS server for the HTTPS client The UTM simulates the HTTPS cl...

Page 201: ... UTM s Manager Login screen see Figure 2 1 on page 2 3 If client authentication is required the UTM might not be able to scan the HTTPS traffic because of the nature of SSL SSL has two parts client and server authentication HTTPS server authentication occurs with every HTTPS request but HTTPS client authentication is not mandatory and rarely occurs Therefore it is of less importance whether the HT...

Page 202: ...uary 2010 To configure the HTTPS scan settings 1 Select Application Security HTTP HTTPS from the menu The HTTP HTTPS submenu tabs appear with the Malware Scan screen in view 2 Click the HTTPS Settings submenu tab The HTTPS Settings screen displays 3 Enter the settings as explained in Table 6 10 on page 6 37 Figure 6 15 ...

Page 203: ...vice on the Services screen see Customizing Web Protocol Scan Settings and Services on page 6 19 HTTPS 3rd Party Website Certificate Handling Select the Allow the UTM to present the website to the client checkbox to allow a Secure Sockets Layer SSL connection with a valid certificate that is not signed by a trusted certificate authority CA The default setting is to block such as a connection HTTPS...

Page 204: ...ver2 example com imageserver example com To completely bypass the scanning of the https example com site you must add all three hosts to the trusted hosts list because different files from these three hosts are also downloaded when a user attempts to access the https example com site To specify trusted hosts 1 Select Application Security HTTP HTTPS from the menu The HTTP HTTPS submenu tabs appear ...

Page 205: ... are listed in the Host field Hosts This field contains the trusted hosts for which scanning is bypassed To add a host to this field use the Add Host field or the Import from File tool see below You can add a maximum of 200 URLs Delete To delete one or more hosts highlight the hosts and click the Delete table button Export To export the hosts click the Export table button and follow the instructio...

Page 206: ...nter the settings as explained in Table 6 12 Figure 6 17 Table 6 12 FTP Scan Settings Setting Description or Subfield and Description Action FTP Action From the FTP pull down menu specify one of the following actions when an infected FTP file or object is detected Delete file This is the default setting The FTP file or object is deleted and a log entry is created Log only Only a log entry is creat...

Page 207: ...alue might affect the UTM s performance see Performance Management on page 10 1 From the pull down menu specify one of the following actions when the file or message exceeds the maximum size Skip The file is not scanned but skipped leaving the end user vulnerable This is the default setting Block The file is blocked and does not reach the end user Block Files with the Following Extensions By defau...

Page 208: ...ceptions from the menu The Block Accept Exceptions screen displays This screen shows the Exceptions table which is empty if you have not specified any exception rules Figure 6 18 shows three exception rules in the Exceptions table as an example 2 Under the Exceptions table click the Add table button to specify an exception rule The Add or Edit Block Accept Exceptions screen displays Figure 6 18 Fi...

Page 209: ...s LAN Groups on page 4 12 Start Time The time in 24 hour format hours and minutes when the action starts If you leave these fields empty the action applies continuously End TIme The time in 24 hour format hours and minutes when the action ends If you leave these fields empty the action applies continuously Category From the pull down menu select the category to which the action applies URL Filteri...

Page 210: ...ule in the Exceptions table determines the order in which the rule is applied To change the position of the rules in the table click the following table buttons Up Moves the rule up one position in the table rank Down Moves the rule down one position in the table rank Setting Scanning Exclusions To save resources you can configure scanning exclusions for IP addresses and ports that you know are se...

Page 211: ... Interface on other screens you do not need to click any other button to disable the rule To delete an exclusion rule from the Scanning Exclusions table click the Delete table button in the Action column to the right of the rule that you want to delete Figure 6 20 Table 6 14 Add Scanning Exclusion Settings Setting Description or Subfield and Description Client IP The client IP address and optional...

Page 212: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 6 46 Content Filtering and Optimizing Scans v1 0 January 2010 ...

Page 213: ...g on page 7 43 Configuring Keepalives and Dead Peer Detection on page 7 55 Configuring NetBIOS Bridging with IPsec VPN on page 7 59 Considerations for Dual WAN Port Systems Dual WAN Port Models Only On the dual WAN port models only if both of the WAN ports are configured you can enable either auto rollover mode for increased system reliability or load balancing mode for optimum bandwidth efficienc...

Page 214: ...iguration Table 7 1 summarizes the WAN addressing requirements FQDN or IP address for a VPN tunnel in either dual WAN mode Figure 7 1 Figure 7 2 Table 7 1 IP Addressing for VPNs in Dual WAN Port Systems Configuration and WAN IP address Rollover Modea Load Balancing Mode VPN Road Warrior client to gateway Fixed FQDN required FQDN Allowed optional Dynamic FQDN required FQDN required Rest of UTM Func...

Page 215: ...nting task The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the IPsec keys and VPN policies it sets up The VPN Wizard also configures the settings for the network connection security association SA traffic selectors authentication algorithm and encryption The settings that are used by the VPN wizard are based on the recommendations of the ...

Page 216: ... the VPN Wizard 1 Select VPN IPsec VPN from the menu The IPsec VPN submenu tabs appear with the IKE Policies screen in view 2 Click the VPN Wizard submenu tab The VPN Wizard screen displays see Figure 7 4 on page 7 5 which contains some examples for the dual WAN port models The WAN1 and WAN2 radio buttons are shown on the VPN Wizard screen for the dual WAN port models but not on the VPN Wizard scr...

Page 217: ...uary 2010 To view the wizard default settings click the VPN Wizard Default Values option arrow at the top right of the screen A popup window appears see Figure 7 5 on page 7 6 displaying the wizard default values After you have completed the wizard you can modify these settings for the tunnel policy that you have set up Figure 7 4 ...

Page 218: ...ect to the following peers Select the Gateway radio button The local WAN port s IP address or Internet name appears in the End Point Information section of the screen Connection Name and Remote IP Type What is the new Connection Name Enter a descriptive name for the connection This name is used to help you to manage the VPN settings the name is not supplied to the remote VPN endpoint What is the p...

Page 219: ...ecure Connection Remote Accessibility What is the remote LAN IP Address Enter the LAN IP address of the remote gateway Note The remote LAN IP address must be in a different subnet than the local LAN IP address For example if the local subnet is 192 168 1 x then the remote subnet could be 192 168 10 x but could not be 192 168 1 x If this information is incorrect the tunnel will fail to connect What...

Page 220: ...y is enabled 5 Configure a VPN policy on the remote gateway that allows connection to the UTM 6 Activate the IPsec VPN connection a Select Monitoring Active Users VPNs from the menu The Active Users VPNs submenu tabs appear with the Active Users screen in view b Click the IPSec VPN Connection Status submenu tab The IPSec VPN Connection Status screen displays c Locate the policy in the table and cl...

Page 221: ...ing the VPN Wizard 1 Select VPN IPsec VPN from the menu The IPsec VPN submenu tabs appear with the IKE Policies screen in view 2 Click the VPN Wizard submenu tab The VPN Wizard screen displays see Figure 7 9 on page 7 10 which contains some examples for a dual WAN port model The WAN1 and WAN2 radio buttons are shown on the VPN Wizard screen for the dual WAN port models but not on the VPN Wizard sc...

Page 222: ...ary 2010 To display the wizard default settings click the VPN Wizard Default Values option arrow at the top right of the screen A popup window appears see Figure 7 5 on page 7 6 displaying the wizard default values After you have completed the wizard you can modify these settings for the tunnel policy that you have set up Figure 7 9 ...

Page 223: ...l WAN Interface dual WAN port models only For the dual WAN port models only select one of the two radio buttons WAN1 or WAN2 to specify which local WAN interface the VPN tunnel uses as the local endpoint Note If a dual WAN port model is configured to function in WAN auto rollover mode after completing the wizard you must manually update the VPN policy to enable VPN rollover For more information se...

Page 224: ...th the NETGEAR ProSafe VPN Client installed configure a VPN client policy to connect to the UTM 1 Right click on the VPN client icon in your Windows toolbar select Security Policy Editor Then select Options Secure and verify that the Specified Connections selection is enabled see Figure 7 11 on page 7 13 Figure 7 10 Note When using FQDNs if the dynamic DNS service is slow to update their servers w...

Page 225: ...te Networking Using IPsec Connections 7 13 v1 0 January 2010 2 In the upper left of the Policy Editor window click the New Connection icon the first icon on the left to open a new connection Give the new connection a name in this example we are using UTM_SJ Figure 7 11 Figure 7 12 ...

Page 226: ... Mask Enter the LAN IP subnet mask of the UTM that is displayed on the UTM s VPN Policies screen see Figure 7 10 on page 7 12 In this example the subnet mask is 255 255 255 0 Protocol From the pull down menu select All Use Select the Use checkbox Then from the pull down menu select Secure Gateway Tunnel ID Type Left pull down menu From the left pull down menu select Domain Name Then below enter th...

Page 227: ...Table 7 5 Figure 7 13 Table 7 5 Security Policy Editor My Identity Settings Setting Description or Subfield and Description Select Certificate From the pull down menu select None The Pre Shared Key window appears Pre Shared Key Enter the same pre shared key that you specified on the UTM s VPN Wizard screen see Figure 7 9 on page 7 10 In this example the pre shared key is 111122223333 However the p...

Page 228: ... menu select Domain Name Then below enter the remote FQDN that you entered on the UTM s VPN Wizard screen see Figure 7 9 on page 7 10 In this example the domain name is utm_remote com Secure Interface Configuration Leave the default setting which is the Disabled selection from the Virtual Adapter pull down menu Internet Interface Leave the default setting which is the Any selection from the Name p...

Page 229: ...nnection from your PC right click on the VPN client icon in your Windows toolbar and then select the VPN connection that you want to test In the example that is shown in Figure 7 15 on page 7 18 select Connect My Connections UTM_SJ Table 7 6 Security Policy Editor Security Policy Settings Setting Description or Subfield and Description Select Phase 1 Negotiation Mode Select the Aggressive Mode rad...

Page 230: ... receive the message Successfully connected to My Connections UTM_SJ within 30 seconds The VPN client icon in the system tray should say On NETGEAR VPN Client Status and Log Information To view more detailed additional status and troubleshooting information from the NETGEAR VPN client Right click the VPN Client icon in the system tray and select Log Viewer see Figure 7 2 on page 7 2 Figure 7 15 ...

Page 231: ...at Management UTM Appliance Reference Manual Virtual Private Networking Using IPsec Connections 7 19 v1 0 January 2010 Right click the VPN Client icon in the system tray and select Connection Monitor Figure 7 16 Figure 7 17 ...

Page 232: ...ing Active Users VPNs from the main menu The Active Users VPN submenu tabs appear with the Active Users screen in views 2 Click the IPSec VPN Connection Status submenu tab The IPSec VPN Connection Status screen displays Figure 7 18 shows an IPSec SA as an example Table 7 7 Status Indications for the VPN Client System Tray Icon System Tray Icon Status The client policy is deactivated The client pol...

Page 233: ...ick the Logs Query submenu tab The Logs Query screen displays 3 From the Log Type pull down menu select IPSEC VPN The IPsec VPN logs display see Figure 7 19 on page 7 22 Table 7 8 IPsec VPN Connection Status Information Item Description or Subfield and Description Policy Name The name of the VPN policy that is associated with this SA Endpoint The IP address on the remote VPN endpoint Tx KB The amo...

Page 234: ...ter you have used the VPN Wizard to set up a VPN tunnel a VPN policy and an IKE policy are stored in separate policy tables The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and IKE policy You can edit existing policies or manually add new VPN and IKE policies directly in the policy tables Figure 7 19 ...

Page 235: ...settings that are specified in the Manual Policy Parameters section of the Add VPN Policy screen see Figure 7 23 on page 7 34 are accessed and the first matching IKE policy is used to start negotiations with the remote VPN gateway If negotiations fail the next matching IKE policy is used If none of the matching IKE policies are acceptable to the remote VPN gateway then a VPN tunnel cannot be estab...

Page 236: ... the VPN Wizard to set up a VPN policy an accompanying IKE policy is automatically created with the same name that you select for the VPN policy Note The name is not supplied to the remote VPN endpoint Mode The exchange mode Main or Aggressive Local ID The IKE ISAKMP identifier of the UTM The remote endpoint must have this value as its remote ID Remote ID The IKE ISAKMP identifier of the remote en...

Page 237: ...le click the Add table button The Add IKE Policy screen displays see Figure 7 21 on page 7 26 which shows a dual WAN port model screen The WAN1 and WAN2 radio buttons next to Select Local Gateway are shown on the Add IKE Policy screen for the dual WAN port models but not on the Add IKE Policy screen for the single WAN port models Note You cannot delete or edit an IKE policy for which the VPN polic...

Page 238: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 7 26 Virtual Private Networking Using IPsec Connections v1 0 January 2010 Figure 7 21 ...

Page 239: ...refore disabled too For more information about XAUTH see Configuring Extended Authentication XAUTH on page 7 38 Select Mode Config Record From the pull down menu select one of the Mode Config records that you defined on the Add Mode Config Record screen see Configuring Mode Config Operation on the UTM on page 7 43 Note Click the View Selected button to open the Selected Mode Config Record Details ...

Page 240: ...te Identifier Type From the pull down menu select one of the following ISAKMP identifiers to be used by the remote endpoint and then specify the identifier in the field below Local WAN IP The WAN IP address of the remote endpoint When you select this option the Identifier field automatically shows the IP address of the selected WAN interface FQDN The FQDN for a remote gateway User FQDN The e mail ...

Page 241: ... menu select one of the following three strengths Group 1 768 bit Group 2 1024 bit This is the default setting Group 5 1536 bit Note Ensure that the DH Group is configured identically on both sides SA Lifetime sec The period in seconds for which the IKE SA is valid When the period times out the next rekeying must occur The default is 28800 seconds 8 hours Enable Dead Peer Detection Note See also C...

Page 242: ...the default setting Edge Device The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate The authentication mode that is available for this configuration is User Database RADIUS PAP or RADIUS CHAP IPSec Host The UTM functions as a VPN client of the remote gateway In this configuration the UTM is authenticated by a remote gateway with a user name and password combinati...

Page 243: ...CA For each certificate there is both a public key and a private key The public key is freely distributed and is used by any sender to encrypt data intended for the receiver the key owner The receiver then uses its private key to decrypt the data without the private key decryption is impossible The use of certificates for authentication reduces the amount of data entry that is required on each VPN...

Page 244: ... you use the VPN Wizard to create a VPN policy the name of the VPN policy and of the automatically created accompanying IKE policy is the Connection Name Type Auto or Manual as described previously Auto is used during VPN Wizard configuration Local IP address either a single address range of address or subnet address on your local LAN Traffic must be from or to these addresses to be covered by thi...

Page 245: ...page Manually Adding or Editing a VPN Policy To manually add a VPN policy 1 Select VPN IPSec VPN from the menu The IPsec VPN submenu tabs appear with the IKE Policies screen in view see Figure 7 20 on page 7 24 2 Click the VPN Policies submenu tab The VPN Policies screen displays see Figure 7 22 on page 7 32 3 Under the List of VPN Policies table click the Add table button The Add VPN Policy scree...

Page 246: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 7 34 Virtual Private Networking Using IPsec Connections v1 0 January 2010 Figure 7 23 ...

Page 247: ...dio button FQDN Enter the FQDN of the remote endpoint in the field to the right of the radio button Enable NetBIOS Select this checkbox to allow NetBIOS broadcasts to travel over the VPN tunnel For more information about NetBIOS see Configuring NetBIOS Bridging with IPsec VPN on page 7 59 This feature is disabled by default Enable RollOver Select this checkbox to allow the VPN tunnel to roll over ...

Page 248: ... type When you specify the settings for the fields in this section a security association SA is created SPI Incoming The Security Parameters Index SPI for the inbound policy Enter a hexadecimal value between 3 and 8 characters for example 0x1234 Encryption Algorithm From the pull down menu select one of the following five algorithms to negotiate the security association SA DES Data Encryption Stan...

Page 249: ...ion SA is the period or the amount of transmitted data after which the SA becomes invalid and must be renegotiated From the pull down menu select how the SA lifetime is specified Seconds In the SA Lifetime field enter a period in seconds The minimum value is 300 seconds The default value is 3600 seconds KBytes In the SA Lifetime field enter a number of kilobytes The minimum value is 1920000 KB Enc...

Page 250: ...se a unique user authentication method beyond relying on a single common pre shared key for all clients Although you could configure a unique VPN policy for each user it is more efficient to authenticate users from a stored list of user accounts XAUTH provides the mechanism for requesting individual authentication information from the user and a local user database or an external authentication se...

Page 251: ...stablish user accounts on the User Database to be authenticated against XAUTH or you must enable a RADIUS CHAP or RADIUS PAP server To enable and configure XAUTH 1 Select VPN IPSec VPN from the menu The IPsec VPN submenu tabs appear with the IKE Policies screen in view see Figure 7 20 on page 7 24 2 In the List of IKE Policies table click the Edit table button to the right of the IKE policy for wh...

Page 252: ...cify whether or not Extended Authentication XAUTH is enabled and if enabled which device is used to verify user account information None XAUTH is disabled This the default setting Edge Device The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate The authentication mode that is available for this configuration is User Database RADIUS PAP or RADIUS CHAP IPSec Host Th...

Page 253: ...ication information such as a user name and password or some encrypted response using his user name and password information The gateway then attempts to verify this information first against a local user database if RADIUS PAP is enabled and then by relaying the information to a central authentication server such as a RADIUS server To configure primary and backup RADIUS servers 1 Select VPN IPSec...

Page 254: ...after verification of their authentication information In a RADIUS transaction the NAS must provide some NAS identifier information to the RADIUS server Depending on the configuration of the RADIUS server the UTM s IP address might be sufficient as an identifier or the server might require a name which you must enter in this field Backup RADIUS Server Select the Yes radio button to enable and conf...

Page 255: ... policy using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record on the Add Mode Config Record screen that is shown in Figure 7 26 on page 7 45 Configuring Mode Config Operation on the UTM To configure Mode Config on the UTM you first must create a Mode Config record and then select the Mode Config record for an IKE policy 1 Select VPN IPSec VP...

Page 256: ... Sales and NA Sales For EMEA Sales a first pool 172 169 100 1 through 172 169 100 99 and second pool 182 183 200 1 through 172 183 200 99 are shown For NA Sales a first pool 172 173 100 50 through 172 173 100 90 a second pool 182 185 210 1 through 182 185 210 99 and a third pool 172 210 220 80 through 172 210 220 99 are shown 3 Under the List of Mode Config Records table click the Add table button...

Page 257: ...ive name of the Mode Config record for identification and management purposes First Pool Assign at least one range of IP pool addresses in the First Pool fields to enable the UTM to allocate these to remote VPN clients The Second Pool and Third Pool fields are options To specify any client pool enter the starting IP address for the pool in the Starting IP field and enter the ending IP address for ...

Page 258: ...invalid and must be renegotiated From the pull down menu select how the SA lifetime is specified Seconds In the SA Lifetime field enter a period in seconds The minimum value is 300 seconds The default value is 3600 seconds KBytes In the SA Lifetime field enter a number of kilobytes The minimum value is 1920000 KB Encryption Algorithm From the pull down menu select one of the following five algorit...

Page 259: ...E policy 6 Select VPN IPSec VPN from the menu The IPsec VPN submenu tabs appear with the IKE Policies screen in view see Figure 7 20 on page 7 24 7 Under the List of IKE Policies table click the Add table button The Add IKE Policy screen displays Figure 7 27 shows the upper part only of a dual WAN port model screen The WAN1 and WAN2 radio buttons next to Select Local Gateway are shown on the Add I...

Page 260: ...es that both the local and remote ends are defined by their FQDNs Select Mode Config Record From the pull down menu select the Mode Config record that you created in step 5 above In this example we are using NA Sales General Policy Name A descriptive name of the IKE policy for identification and management purposes Note The name is not supplied to the remote VPN endpoint Direction Type Responder i...

Page 261: ...the pull down menu select Group 2 1024 bit SA Lifetime sec The period in seconds for which the IKE SA is valid When the period times out the next rekeying must occur The default is 28800 seconds 8 hours However for a Mode Config configuration NETGEAR recommends 3600 seconds 1 hour Enable Dead Peer Detection Note See also Configuring Keepalives and Dead Peer Detection on page 7 55 Select a radio bu...

Page 262: ...s as a VPN concentrator on which one or more gateway tunnels terminate The authentication mode that is available for this configuration is User Database RADIUS PAP or RADIUS CHAP IPSec Host The UTM functions as a VPN client of the remote gateway In this configuration the UTM is authenticated by a remote gateway with a user name and password combination Authentication Type For an Edge Device config...

Page 263: ...iption Connection Security Select the Secure radio button If you want to connect manually only select the Only Connect Manually checkbox ID Type From the pull down menu select IP Subnet Subnet Enter the LAN IP subnet address that you specified on the Add Mode Config Record in the Local IP Address field If you left the Local IP Address field blank enter the UTM s default IP subnet address In this e...

Page 264: ...hat you specified in the UTM s Mode Config IKE policy In this example we are using utm25_local com Right pull down menu From the right pull down menu select Gateway IP Address Then below enter the IP address of the WAN interface that you selected on the UTM s VPN Wizard screen see Figure 7 9 on page 7 10 In this example the WAN IP address is 192 168 50 61 Note You can find the WAN IP address on th...

Page 265: ...7 18 Figure 7 29 Table 7 18 Security Policy Editor My Identity Mode Config Settings Setting Description or Subfield and Description Select Certificate From the pull down menu select None The Pre Shared Key window appears Pre Shared Key Enter the same pre shared key that you specified on the UTM s VPN Wizard screen see Figure 7 9 on page 7 10 In this example the pre shared key is 12345678910 Howeve...

Page 266: ... ID Type From the pull down menu select Domain Name Then below enter the remote FQDN that you specified in the UTM s Mode Config IKE policy In this example we are using utm25_remote com Secure Interface Configuration Select Preferred from the Virtual Adapter pull down menu Internet Interface Leave the default setting which is the Any selection from the Name pull down menu Figure 7 30 Table 7 18 Se...

Page 267: ...n In some cases you might not want a VPN tunnel to be disconnected when traffic is idle for example when client server applications over the tunnel cannot tolerate the tunnel establishment time If you require a VPN tunnel to remain connected you can use the Keepalive and Dead Peer Detection DPD features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconn...

Page 268: ...onfigure the Keepalive feature on a configured VPN policy 1 Select VPN IPSec VPN from the menu The IPsec VPN submenu tabs appear with the IKE Policies screen in view 2 Click the VPN Policies submenu tab The VPN Policies screen displays see Figure 7 22 on page 7 32 3 In the List of VPN Policies table click the Edit table button to the right of the VPN policy that you want to edit The Edit VPN Polic...

Page 269: ...Edit IKE Policy screen displays Figure 7 31 on page 7 56 shows only the top part of the screen with the General section Table 7 20 Keepalive Settings Item Description or Subfield and Description General Enable Keepalive Select the Yes radio button to enable the Keepalive feature Periodically the UTM sends ping packets to the remote endpoint to keep the tunnel alive You must enter the ping IP addre...

Page 270: ...s radio button to enable DPD When the UTM detects an IKE connection failure it deletes the IPsec and IKE SA and forces a reestablishment of the connection You must enter the detection period and the maximum number of times that the UTM attempts to reconnect see below Detection Period The period in seconds between consecutive DPD R U THERE messages which are sent only when the IPsec traffic is idle...

Page 271: ...ection To solve this problem you can configure the UTM to bridge NetBIOS traffic over the VPN tunnel To enable NetBIOS bridging on a configured VPN tunnel 1 Select VPN IPSec VPN from the menu The IPsec VPN submenu tabs appear with the IKE Policies screen in view 2 Click the VPN Policies submenu tab The VPN Policies screen displays see Figure 7 22 on page 7 32 3 In the List of VPN Policies table cl...

Page 272: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 7 60 Virtual Private Networking Using IPsec Connections v1 0 January 2010 ...

Page 273: ...this page Using the SSL VPN Wizard for Client Configurations on page 8 2 Manually Configuring and Editing SSL Connections on page 8 17 Understanding the SSL VPN Portal Options The UTM s SSL VPN portal can provide two levels of SSL service to the remote user SSL VPN Tunnel The UTM can provide the full network connectivity of a VPN tunnel using the remote user s browser instead of a traditional IPse...

Page 274: ...arding offers more fine grained management than an SSL VPN tunnel You define individual applications and resources that are available to remote users The SSL VPN portal can present the remote user with one or both of these SSL service levels depending on how you set up the configuration Using the SSL VPN Wizard for Client Configurations The SSL VPN Wizard facilitates the configuration of the SSL V...

Page 275: ...e SSL VPN Wizard screens Additional information about the settings in the SSL VPN Wizard screens is provided in Manually Configuring and Editing SSL Connections on page 8 17 or in other chapters each section below provides a specific link to a section in Manually Configuring and Editing SSL Connections on page 8 17 or to a section in another chapter SSL VPN Wizard Step 1 of 6 Portal Settings Note ...

Page 276: ...re accessed at a different URL than the default portal For example if your SSL VPN portal is hosted at https vpn company com and you create a portal layout named CustomerSupport then users access the sub site at https vpn company com portal CustomerSupport Note Only alphanumeric characters hyphens and underscores _ are accepted in the Portal Layout Name field If you enter other types of characters...

Page 277: ...cache cleaner Select this checkbox to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal The Web cache cleaner prompts the user to delete all temporary Internet files cookies and browser history when the user logs out or closes the Web browser window The ActiveX Web cache control is ignored by Web browsers that do not support ActiveX SSL VPN Portal Pages to Display V...

Page 278: ... pull down menu select the authentication method that the UTM applies Local User Database default Users are authenticated locally on the UTM This is the default setting You do not need to complete any other fields on this screen Radius PAP RADIUS Password Authentication Protocol PAP Complete the Authentication Server and Authentication Secret fields Radius CHAP RADIUS Challenge Handshake Authentic...

Page 279: ...hentication other than authentication through the local user database Authentication Secret The authentication secret or password that is required to access the authentication server for RADIUS WIKID or MIAS authentication Workgroup The workgroup that is required for Microsoft NT Domain authentication LDAP Base DN The LDAP base distinguished name DN that is required for LDAP authentication Active ...

Page 280: ...izard the user type always is SSL VPN User You cannot change the user type on this screen the user type is displayed for information only Group When you create a new domain on the second SSL VPN Wizard screen a group with the same name is automatically created A user must belong to a group and a group must belong to a domain You cannot change the group on this screen the group is displayed for inf...

Page 281: ... go the following screen Figure 8 5 Note Do not enter an existing route for a VPN tunnel client in the Destination Network and Subnet Mask fields otherwise the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration Note After you have completed the steps in the SSL VPN Wizard you can make changes to the client IP address range and routes by selecting VPN SSL VPN SSL VPN Clie...

Page 282: ...his is an option Primary DNS Server The IP address of the primary DNS server that is assigned to the VPN tunnel clients This is an option Note If you do not assign a DNS server the DNS settings remain unchanged in the VPN client after a VPN tunnel has been established Secondary DNS Server The IP address of the secondary DNS server that is assigned to the VPN tunnel clients This is an option Client...

Page 283: ...se in the TCP Port NumberAction field otherwise the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration Note After you have completed the steps in the SSL VPN Wizard you can make changes to the client IP address range and routes by selecting VPN SSL VPN Port Forwarding For more information about port forwarding settings see Configuring Applications for Port Forwarding on ...

Page 284: ...ng 5900 or 5800 Add New Host Name for Port Forwarding Local Server IP Address The IP address of an internal server or host computer that you want to name Note Both Local Server IP Address fields on this screen that is the one in the Add New Application for Port Forwarding section and the one in the Add New Host Name for Port Forwarding section must contain the same IP address Fully Qualified Domai...

Page 285: ...oSecure Unified Threat Management UTM Appliance Reference Manual Virtual Private Networking Using SSL Connections 8 13 v1 0 January 2010 SSL VPN Wizard Step 6 of 6 Verify and Save Your Settings Figure 8 7 ...

Page 286: ...om the SSL VPN menu of the Web Management Interface display a user portal link at the right upper corner above the menu bars When you click on the user portal link the SSL VPN default portal opens see Figure 8 9 on page 8 15 This user portal is not the same as the new SSL portal login screen that you defined with the help of the SSL VPN Wizard To open the new SSL portal login screen 1 Select VPN S...

Page 287: ...erence Manual Virtual Private Networking Using SSL Connections 8 15 v1 0 January 2010 4 Enter the user name and password that you just created with the help of the SSL VPN Wizard 5 Click Login The default User Portal screen displays Figure 8 8 Figure 8 9 ...

Page 288: ... To review the status of current SSL VPN tunnels 1 Select Monitoring Active Users VPNs from the main menu The Active Users VPN submenu tabs appear with the Active Users screen in views 2 Click the SSL VPN Connection Status submenu tab The SSL VPN Connection Status screen displays The active user s user name group and IP address are listed in the table with a timestamp indicating the time and date ...

Page 289: ...n customize to present the resources and functions that you choose to make available 2 Create authentication domains user groups and user accounts see Configuring Domains Groups and Users on page 8 22 a Create one or more authentication domains for authentication of SSL VPN users When remote users log in to the UTM they must specify a domain to which their login account belongs The domain determin...

Page 290: ... functions as if it were on the local network Configure the portal s SSL VPN client to define a pool of local IP addresses to be issued to remote clients as well as DNS addresses Declare static routes or grant full access to the local network subject to additional policies 5 To simplify policies define network resource objects see Using Network Resource Objects to Simplify Policies on page 8 28 Ne...

Page 291: ... The layout configuration includes the menu layout theme portal pages to display and Web cache control options The default portal layout is the SSL VPN portal You can add additional portal layouts You can also make any portal the default portal for the SSL UTM by clicking the default button in the Action column of the List of Layouts to the right of the desired portal layout To create a new SSL VP...

Page 292: ...scription The banner message that is displayed at the top of the portal see Figure 8 8 on page 8 15 Use Count The number of remote users that are currently using the portal Portal URL The URL at which the portal can be accessed Action The table buttons that allow you to edit or delete the portal layout 3 Under the List of Layouts table click the Add table button The Add Portal Layout screen displa...

Page 293: ...pany Customer Support Banner Title The banner title of a banner message that users see before they log in to the portal For example Welcome to Customer Support Note For an example see Figure 8 8 on page 8 15 The banner title text is displayed in the orange header bar Banner Message The text of a banner message that users see before they log in to the portal For example In case of login difficulty ...

Page 294: ...ns Groups and Users on page 9 1 Configuring Applications for Port Forwarding Port forwarding provides access to specific defined network services To define these services you must specify the internal server addresses and port numbers for TCP applications that are intercepted by the port forwarding client on the user s PC This client reroutes the traffic to the UTM ActiveX web cache cleaner Select...

Page 295: ... from the menu The SSL VPN s submenu tabs appear with the Policies screen in view 2 Click the Port Forwarding submenu tab The Port Forwarding screen displays Figure 8 14 shows some examples 3 In the Add New Application for Port Forwarding section of the screen specify information in the following fields IP Address The IP address of an internal server or host computer that a remote user has access ...

Page 296: ...applications that are available to remote users you then can also specify host name to IP address resolution for the network servers as a convenience for users Host name resolution allows users to access TCP applications at familiar addresses such as mail example com or ftp customer com rather than by IP addresses To add servers and host names for client name resolution 1 Select VPN SSL VPN from t...

Page 297: ...N tunnel client does not conflict with addresses on the local network configure an IP address range that does not directly overlap with addresses on your local network For example if 192 168 1 1 through 192 168 1 100 are currently assigned to devices on the local network then start the client address range at 192 168 1 101 or choose an entirely different subnet altogether The VPN tunnel client can...

Page 298: ...network you must add a client route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel Configuring the Client IP Address Range First determine the address range to be assigned to VPN tunnel clients then define the address range To define the client IP address range 1 Select VPN SSL VPN from the menu The SSL VPN s submenu tabs appear with the Policies screen in vie...

Page 299: ...ent IP Address Range Settings Item Description or Subfield and Description Client IP Address Range Enable Full Tunnel Support Select this checkbox to enable full tunnel support If you leave this checkbox deselected which is the default setting split tunnel support is enabled and you must add client routes see Adding Routes for VPN Tunnel Clients on page 8 27 Note When full tunnel support is enable...

Page 300: ...e the specifications of an existing route and to delete an old route 1 Add a new route to the Configured Client Routes table 2 In the Configured Client Routes table to the right of the route that is out of date click the Delete table button If an existing route is no longer needed for any reason you can delete it Using Network Resource Objects to Simplify Policies Network resources are groups of I...

Page 301: ...n the following fields Resource Name A descriptive name of the resource for identification and management purposes Service From the Service pull down menu select the type of service to which the resource applies VPN Tunnel The resource applies only to a VPN tunnel Port Forwarding The resource applies only to a port forwarding All The resource applies both to a VPN tunnel and to port forwarding 4 C...

Page 302: ...right of the new resource in the Action column click the Edit table button A new screen displays Figure 8 17 shows some examples 4 Complete the fields and make your selection from the pull down menu as explained Table 8 8 Figure 8 17 Table 8 9 Add Resource Addresses Settings Item Description or Subfield and Description Add Resource Addresses Resource Name The unique identifier for the resource You...

Page 303: ...ject Type From the pull down menu select one of the following options IP Address The object is an IP address You must enter the IP address or the FQDN in the IP Address Name field IP Network The object is an IP network You must enter the network IP address in the Network Address field and the network mask length in the Mask Length field IP Address Name Applicable only when you select IP Address as...

Page 304: ...t rule has been configured to allow FTP access to the predefined network resource with the name FTP Servers The FTP Servers network resource includes the following addresses 10 0 0 5 10 0 0 20 and the FQDN ftp company com which resolves to 10 0 1 3 Assuming that no conflicting user or group policies have been configured if a user would attempt to access an FTP server at 10 0 0 1 the user would be ...

Page 305: ...ck User to view group policies and choose the relevant user s name from the pull down menu 3 Click the Display action button The List of SSL VPN Policies table displays the list for your selected Query option Adding a Policy To add an SSL VPN policy 1 Select VPN SSL VPN from the menu The SSL VPN s submenu tabs appear with the Policies screen in view see Figure 8 18 which shows some examples 2 Unde...

Page 306: ...Policy For Select one of the following radio buttons to specify the type of SSL VPN policy Global The new policy is global and excludes all groups and users Group The new policy must be limited to a single group From the pull down menu select a group name Note For information about how to create groups see Configuring Groups for VPN Policies on page 9 6 User The new policy must be limited to a sin...

Page 307: ...agement purposes Defined Resources From the pull down menu select the network resource that you have defined on the Resources screen see Using Network Resource Objects to Simplify Policies on page 8 28 Permission From the pull down menu select whether the policy permits PERMIT or denies DENY access IP Address Policy Name A descriptive name of the SSL VPN policy for identification and management pu...

Page 308: ...The policy is applied only to port forwarding All The policy is applied both to a VPN tunnel and to port forwarding Permission From the pull down menu select whether the policy permits PERMIT or denies DENY access All Addresses Policy Name A descriptive name of the SSL VPN policy for identification and management purposes Port Range Port Number A port enter in the Begin field or a range of ports e...

Page 309: ...ave your settings The policy is added to the List of SSL VPN Policies table on the Policies screen The new policy goes into effect immediately Note In addition to configuring SSL VPN user policies ensure that HTTPS remote management is enabled see Configuring Remote Management Access on page 10 12 If it not enabled all SSL VPN user connections are disabled ...

Page 310: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 8 38 Virtual Private Networking Using SSL Connections v1 0 January 2010 ...

Page 311: ...ncludes administrators and SSL VPN clients Accounts for IPsec VPN clients are required only if you have enabled Extended Authentication XAUTH in your IPsec VPN configuration Users connecting to the UTM must be authenticated before being allowed to access the UTM or the VPN protected network The login window that is presented to the user requires three items a user name a password and a domain sele...

Page 312: ...l In User Service RADIUS MIAS A network validated PAP or CHAP password based authentication method that functions with Microsoft Internet Authentication Service MIAS which is a component of Microsoft Windows 2003 Server WiKID WiKID Systems is a PAP or CHAP key based two factor authentication method that functions with public key cryptography The client sends an encrypted PIN to the WiKID server an...

Page 313: ...isk Authentication Type The authentication method that is assigned to the domain Portal Layout Name The SSL portal layout that is assigned to the domain Action The Edit table button that provides access to the Edit Domain screen LDAP A network validated domain based authentication method that functions with a Lightweight Directory Access Protocol LDAP authentication server LDAP is a standard for q...

Page 314: ...n on page 7 40 From the pull down menu select the authentication method that the UTM applies Local User Database default Users are authenticated locally on the UTM This is the default setting You do not need to complete any other fields on this screen Radius PAP RADIUS Password Authentication Protocol PAP Complete the Authentication Server and Authentication Secret fields Radius CHAP RADIUS Challe...

Page 315: ... the Authentication Server and LDAP Base DN fields Select Portal The pull down menu shows the SSL portals that are listed on the Portal Layout screen From the pull down menu select the SSL portal with which the domain is associated For information about how to configure SSL portals see Creating the Portal Layout on page 8 18 Authentication Server The server IP address or server name of the authent...

Page 316: ...ctions and access controls Like the default domain of the UTM the default group is also named geardomain The default group geardomain is assigned to the default domain geardomain You cannot delete the default group In addition when you create a new domain on the second SSL VPN Wizard screen see SSL VPN Wizard Step 2 of 6 Domain Settings on page 8 5 a default group with the same name as the domain ...

Page 317: ...ollowing fields Checkbox Allows you to select the group in the table Name The name of the group If the group name is appended by an asterisk the group was created by default when you created the domain with the identical name as the default group You cannot delete a default group you can only delete the domain with the identical name which causes the default group to be deleted Domain The name of ...

Page 318: ...een displays see Figure 9 4 on page 9 9 With the exception of groups that are associated with domains that use the LDAP authentication method you can only modify the idle timeout settings Table 9 3 VPN Group Settings Setting Description or Subfield and Description Name A descriptive alphanumeric name of the group for identification and management purposes Domain The pull down menu shows the domain...

Page 319: ...r group When you create a group you must assign the group to a domain that specifies the authentication method Therefore you should first create any domains then groups then user accounts You can create different types of user accounts by applying pre defined user types Administrator A user who has full access and the capacity to change the UTM configuration that is read write access SSL VPN User ...

Page 320: ...box Allows you to select the user in the table Name The name of the user If the user name is appended by an asterisk the user is a default user that came pre configured with the UTM and cannot be deleted Group The group to which the user is assigned Type The type of access credentials that are assigned to the user Authentication Domain The authentication domain to which the user is assigned Action...

Page 321: ...ction via a NETGEAR ProSafe VPN Client and only when the XAUTH feature is enabled see Configuring Extended Authentication XAUTH on page 7 38 Guest User User who can only view the UTM configuration that is read only access Select Group The pull down menu shows the groups that are listed on the Group screen From the pull down menu select the group to which the user is assigned For information about ...

Page 322: ... also require or prohibit logging in from certain IP addresses or from particular browsers Configuring Login Policies To configure user login policies 1 Select Users Users from the menu The Users screen displays see Figure 9 5 on page 9 10 2 In the Action column of the List of Users table click the Policies table button for the user for which you want to set login policies The Policies submenu tab...

Page 323: ...e Action column of the List of Users table click the Policies table button for the user for which you want to set login policies The Policies submenu tabs appear with the Login Policies screen in view 3 Click the by Source IP Address submenu tab The by Source IP Address screen displays Figure 9 8 shows an IP address in the Defined Addresses table as an example Note For security reasons the Deny Lo...

Page 324: ... to the left of the address that you want to delete or click the Select All table button to select all addresses 2 Click the Delete table button Configuring Login Restrictions Based on Web Browser To restrict logging in based on the user s browser 1 Select Users Users from the menu The Users screen displays see Figure 9 5 on page 9 10 2 In the Action column of the List of Users table click the Pol...

Page 325: ...lect one of the following radio buttons Deny Login from Defined Browsers Deny logging in from the browsers in the Defined Browsers table Allow Login only from Defined Browsers Allow logging in from the browsers in the Defined Browsers table 5 Click Apply to save your settings 6 In the Add Defined Browser section of the screen add a browser to the Defined Browsers table by selecting one of the foll...

Page 326: ...table button to select all browsers 2 Click the Delete table button Changing Passwords and Other User Settings For any user you can change the password user type and idle timeout settings Only administrators have read write access All other users have read only access To modify user settings 1 Select Users Users from the menu The Users screen displays see Figure 9 5 on page 9 10 2 In the Action co...

Page 327: ...ate cannot be used for secure web management The extKeyUsage would govern the certificate acceptance criteria on the UTM when the same digital certificate is being used for secure web management Table 9 6 Edit User Settings Setting Description or Subfield and Description User Type From the pull down menu select one of the pre defined user types that determines the access credentials Administrator ...

Page 328: ...Thawte or you can generate and sign your own digital certificate Because a commercial CA takes steps to verify the identity of an applicant a digital certificate from a commercial CA provides a strong assurance of the server s identity A self signed digital certificate triggers a warning from most browsers because it provides no protection against identity theft of the server The UTM contains a se...

Page 329: ...submitted to CAs and CAs may or may not have issued digital certificates for these requests Only the digital self certificates in the Active Self Certificates table are active on the UTM see Managing Self Certificates on page 9 20 Certificate Revocation Lists CRL table Contains the lists with digital certificates that have been revoked and are no longer valid that were issued by CAs and that you u...

Page 330: ...oves the digital certificate for validity and purpose the digital certificate is added to the Trusted Certificates CA Certificates table To delete one or more digital certificates 1 In the Trusted Certificates CA Certificates table select the checkbox to the left of the digital certificate that you want to delete or click the Select All table button to select all digital certificates 2 Click the D...

Page 331: ...t generate a Certificate Signing Request CSR for and on the UTM The CSR is a file that contains information about your company and about the device that holds the certificate Refer to the CA for guidelines about the information that you must include in your CSR To generate a new CSR file obtain a digital certificate from a CA and upload it to the UTM 1 Select VPN Certificates from the menu The Cer...

Page 332: ...ificates screen 2 of 3 Table 9 7 Generate Self Certificate Request Settings Setting Description or Subfield and Description Name A descriptive name of the domain for identification and management purposes Subject The name that other organizations see as the holder owner of the certificate In general use your registered business name or official company name for this purpose Note Generally all of y...

Page 333: ... 160 bit 20 byte message digest slightly stronger than MD5 Signature Algorithm Although this seems to be a pull down menu the only possible selection is RSA In other words RSA is the default to generate a CSR Signature Key Length From the pull down menu select one of the following signature key lengths in bits 512 1024 2048 Note Larger key sizes might improve security but might also decrease perfo...

Page 334: ... the website of the CA b Start the SCR procedure c When prompted for the requested data copy the data from your saved text file including BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST d Submit the CA form If no problems ensue the digital certificate is issued by the CA 7 Download the digital certificate file from the CA and store it on your computer 8 Return to the Certificates screen see ...

Page 335: ...rtificate the table lists the following information Name The name that you used to identify this digital certificate Subject Name The name that you used for your company and that other organizations see as the holder owner of the certificate Serial Number This is a serial number maintained by the CA It is used to identify the digital certificate with in the CA Issuer Name The name of the CA that i...

Page 336: ...hat issued the CRL Last Update The date when the CRL was released Next Update The date when the next CRL will be released 2 In the Upload CRL section click Browse and navigate to the CLR file that you previously downloaded from a CA 3 Click the Upload table button If the verification process on the UTM approves the CRL the CRL is added to the Certificate Revocation Lists CRL table To delete one or...

Page 337: ...s the necessary features and tools to help the network manager accomplish these goals Bandwidth Capacity The maximum bandwidth capacity of the UTM in each direction is as follows LAN side single WAN port models and dual WAN port models 2000 Mbps two LAN ports at 1000 Mbps each WAN side Load balancing mode dual WAN port models only 2000 Mbps two WAN ports at 1000 Mbps each Auto rollover mode dual W...

Page 338: ...ort that failed is not diverted Features That Reduce Traffic You can adjust the following features of the UTM in such a way that the traffic load on the WAN side decreases LAN WAN outbound rules also referred to as service blocking DMZ WAN outbound rules also referred to as service blocking Content filtering Source MAC filtering LAN WAN Outbound Rules and DMZ WAN Outbound Rules Service Blocking Yo...

Page 339: ... Single address The rule is applied to the address of a particular PC Address range The rule is applied to a range of addresses Groups The rule is applied to a group of PCs You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules The Known PCs and Devices table is an automatically maintained list of all known PCs and network devices and is generally referred to as the...

Page 340: ... Setting the size of e mail files to be scanned Scanning large e mail files requires network resources and might slow down traffic You can specify the maximum file or message size that is scanned and if files that exceed the maximum size are skipped which might compromise security or blocked For more information see Customizing E mail Anti Virus and Notification Settings on page 6 5 Keyword file e...

Page 341: ...ecurity or blocked For more information see Configuring Web Malware Scans on page 6 21 For these features with the exception of Web object blocking and setting the size of files to be scanned you can set schedules to specify when Web content is filtered see Configuring Web Content Filtering on page 6 23 and configure exceptions for groups see Setting Web Access Exception Rules on page 6 41 Source ...

Page 342: ... to configure inbound rules see Setting LAN WAN Rules on page 5 12 and Setting DMZ WAN Rules on page 5 15 When you define inbound firewall rules you can further refine their application according to the following criteria Services You can specify the services or applications to be covered by an inbound rule If the desired service or application does not appear in the list you must define it using ...

Page 343: ...d time of day for each schedule For more information see Setting a Schedule to Block or Allow Specific Traffic on page 5 41 QoS Profile You can define QoS profiles and then apply them to inbound rules to regulate the priority of traffic To define QoS profiles see Creating Quality of Service QoS Profiles on page 5 35 Bandwidth Profile You can define bandwidth profiles and then apply them to inbound...

Page 344: ...o 25 site to site IPsec VPN tunnels and up to 13 dedicated SSL VPN tunnels Each tunnel requires extensive processing for encryption and authentication thereby increasing traffic through the WAN ports For information about IPsec VPN tunnels see Chapter 7 Virtual Private Networking Using IPsec Connections For information about SSL VPN tunnels see Chapter 8 Virtual Private Networking Using SSL Connec...

Page 345: ...be used to monitor the traffic conditions of the firewall and content filtering engine and to monitor the users access to the Internet and the types of traffic that they are allowed to have See Monitoring System Access and Performance on page 11 1 for a description of these tools System Management System management tasks are described in the following sections Changing Passwords and Administrator ...

Page 346: ... including the password 1 Select Users Users from the menu The Users screen displays Figure 10 1 shows the UTM s default users admin and guest and as an example several other users in the List of Users table 2 In the Action column of the List of Users table click the Edit table button for the user with the name admin The Edit User screen displays Figure 10 1 Figure 10 2 ...

Page 347: ...ault the administrator can log in from a WAN interface Deny or allow login access from specific IP addresses By default the administrator can log in from any IP address Deny or allow login access from specific browsers By default the administrator can log in from any browser In general these policy settings work well for an administrator However if you need to change any of these policy settings s...

Page 348: ...emote management 3 As an option you can change the default HTTPS port The default port number is 443 Note When remote management is enabled and administrative access through a WAN interface is granted see Configuring Login Policies on page 9 12 the UTM s Web Management Interface is accessible to anyone who knows its IP address and default password Because a malicious WAN user can reconfigure the U...

Page 349: ... https address Note The first time that you remotely connect to the UTM with a browser via an SSL connection you might get a warning message regarding the SSL certificate If you are using a Windows computer with Internet Explorer 5 5 or higher simply click Yes to accept the certificate Note If you are unable to remotely connect to the UTM after enabling HTTPS remote management check if other user ...

Page 350: ...r conditions that warrant administrative attention SNMP exposes management data in the form of variables on the managed systems which describe the system configuration These variables can then be queried and sometimes set by managing applications SNMP lets you monitor and manage your UTM from an SNMP manager It provides a remote means to monitor and control network devices and to manage configurat...

Page 351: ...ty The community string to allow an SNMP manager access to the MIB objects of the UTM for the purpose of reading only The default setting is public Set Community The community string to allow an SNMP manager access to the MIB objects of the UTM for the purpose of reading and writing The default setting is private Contact The SNMP system contact information that is available to the SNMP manager Thi...

Page 352: ... to scan primary and secondary actions and so on Update settings Update source update frequency and so on Anti spam settings Whitelist blacklist content filtering settings and so on Back up your UTM settings periodically and store the backup file in a safe place To backup settings 1 On the Backup Restore Settings screen see Figure 10 5 next to Save a copy of current settings click the backup butto...

Page 353: ...re 10 5 on page 10 16 next to Restore save settings from file click Browse 2 Locate and select the previously saved backup file by default backup pkg 3 When you have located the file click the restore button A warning screen might appear and you might have to confirm that you want to restore the configuration The UTM reboots During the reboot process the Backup Restore Settings screen remains visi...

Page 354: ...e Backup Restore Settings screen remains visible during the reboot process The reboot process is complete after several minutes when the Test LED on the front panel goes off Updating the Firmware The UTM can automatically detect any new firmware version from NETGEAR The firmware upgrade process for the UTM consists of the following stages that are explained in detail in the sections below 1 Queryi...

Page 355: ...are versions 1 Select Administration System Update from the menu The System Update submenu tabs appear with the Signatures Engine screen in view 2 Click the Firmware submenu tab The Firmware screen displays The Firmware Reboot section shows the following information fields for both the active and secondary that is non active firmware Type Active or secondary firmware Version The firmware version S...

Page 356: ...led firmware should be the secondary firmware and not the active firmware Select the Activation radio button for he secondary firmware that is the newly installed firmware 6 Click the Reboot button the UTM reboots automatically During the reboot process the Firmware screen remains visible The reboot process is complete after several minutes when the Test LED on the front panel goes off 7 After the...

Page 357: ...t LED on the front panel goes off Updating the Scan Signatures and Scan Engine Firmware To scan and detect viruses spyware and other malware threats the UTM s scan engine requires two components A pattern file that contains the virus signature files and virus database Firmware that functions in conjunction with the pattern file Because new virus threats can appear any hour of the day it is very im...

Page 358: ... 2010 The Info section shows the following information fields for the scan engine firmware and pattern file Current Version The version of the files Last Updated The date of the most recent update To immediately update the scan engine firmware and pattern file click Update Now at the bottom of the screen Figure 10 7 ...

Page 359: ...he Update Frequency settings below Update From Set the update source server by selecting one of the following radio buttons Default update server Files are updated from the default NETGEAR update server Server address Files are updated from the server that you specify enter the IP address or host name of the update server Update Frequency Specify the frequency with which the UTM checks for file up...

Page 360: ...re accurate To set time date and NTP servers 1 Select Administration System Date Time from the menu The System Date Time screen displays The bottom of the screen displays the current weekday date time time zone and year in the example in Figure 10 8 Current Time Thu May 21 01 37 18 GMT 2009 2 Enter the settings as explained in Table 10 2 Figure 10 8 Table 10 3 System Date Time Settings Setting Des...

Page 361: ...th of which you must specify in the fields that become available with this menu selection Note If you select this option but leave either the Server 1 or Server 2 field blank both fields are set to the default Netgear NTP servers Note A list of public NTP servers is available at http ntp isc org bin view Servers WebHome Server 1 Name IP Address Enter the IP address or host name the primary NTP ser...

Page 362: ...ProSecure Unified Threat Management UTM Appliance Reference Manual 10 26 Network and System Management v1 0 January 2010 ...

Page 363: ...ing Logs and Generating Reports on page 11 32 Using Diagnostics Utilities on page 11 43 Enabling the WAN Traffic Meter If your ISP charges by traffic volume over a given period of time or if you want to study traffic types over a period of time you can activate the traffic meter for one or both WAN ports To monitor traffic limits on each of the WAN ports 1 Select Network Config WAN Metering from t...

Page 364: ...formance v1 0 January 2010 The Internet Traffic Statistics section in the lower part of the screen displays statistics on Internet traffic via the WAN port If you have not enabled the traffic meter these statistics are not available 2 Enter the settings as explained in Table 11 1 on page 11 3 Figure 11 1 ...

Page 365: ...ic limit is reached Complete the monthly limit field below Monthly Limit Enter the monthly traffic volume limit in MB The default setting is 0 MB Increase this month limit by Select this checkbox to temporarily increase a previously specified monthly traffic volume limit and enter the additional allowed volume in MB The default setting is 0 MB Note When you click Apply to save these settings this ...

Page 366: ... incoming and outgoing volume of traffic for each protocol and the total volume of traffic is displayed Traffic counters are updated in MBs the counter starts only when traffic passed is at least 1 MB In addition the popup screen displays the traffic meter s start end dates When Limit is reached Block traffic Select one of the following radio buttons to specify what action the UTM performs when th...

Page 367: ... notification server must be configured and e mail notification must be enabled If the e mail notification server is not configured or e mail notification is disabled you can still query the logs and generate log reports that you then can view on the Web Management Interface screen or save in CSV format For more information about logs see Querying Logs and Generating Reports on page 11 32 Configur...

Page 368: ... the menu The Logs Reports submenu tabs appear with the Email and Syslog screen in view see Figure 11 4 on page 11 7 Table 11 2 E mail Notification Settings Setting Description or Subfield and Description Show as mail sender A descriptive name of the sender for e mail identification purposes For example enter UTMnotification netgear com SMTP server The IP address and port number or Internet name a...

Page 369: ...ProSecure Unified Threat Management UTM Appliance Reference Manual Monitoring System Access and Performance 11 7 v1 0 January 2010 Figure 11 4 ...

Page 370: ...file to an e mail address Send to The e mail address of the recipient of the log file Click Send Now to immediately send the logs that you first must have specified below Frequency Select a radio button to specify how often the log file is sent When the space is full Logs are sent when the storage space that is assigned to the logs is full Daily Logs are sent daily at the time that you specify fro...

Page 371: ...pecify the maximum size of each file in MB Send Logs via Syslog Enable Select this checkbox to enable the UTM to send a log file to a syslog server SysLog Server The IP address or name of the syslog server Enable continued SysLog Severity All the logs with a severity that is equal to and above the severity that you specify are logged on the specified syslog server For example if you select LOG_CRI...

Page 372: ...eria are based on the number of malware threats detected within a specified period of time IPS Alert Sent when the UTM detects an attack IPS Outbreak Alert Sent when the IPS outbreak criteria that you have configured are reached or exceeded Outbreak criteria are based on the number of IPS attacks detected within a specified period of time To configure and activate the e mail alerts 1 Select Monito...

Page 373: ...able 11 4 Alerts Settings Setting Description or Subfield and Description Enable Update Failure Alerts Select this checkbox to enable update failure alerts Enable License Expiration Alerts Select this checkbox to enable license expiration alerts This checkbox is enabled by default Enable Malware Alerts Select this checkbox to enable malware alerts and configure the Subject and Message fields ...

Page 374: ...are detected Note When the specified number of detected malware threats is reached within the time threshold the UTM sends a malware outbreak alert Protocol Select the checkbox or checkboxes to specify the protocols SMTP POP3 IMAP HTTP FTP and HTTPS for which malware threats are detected Subject Enter the subject line for the e mail alert The default text is Outbreak alert Enable IPS Outbreak Aler...

Page 375: ...Filtering on page 5 42 and packets that are dropped because the session limit see Setting Session Limits on page 5 30 bandwidth limit see Creating Bandwidth Profiles on page 5 38 or both have been exceeded To configure and activate firewall logs 1 Select Monitoring Logs Reports from the menu The Logs Reports submenu tabs appear with the Email and Syslog screen in view 2 Click the Firewall Logs sub...

Page 376: ...of the size of the Dashboard screen it is divided and presented in this manual in three figures Figure 11 7 on page 11 15 Figure 11 8 on page 11 17 and Figure 11 9 on page 11 19 each with its own table that explains the fields Except for setting the poll interval and clearing the statistics you cannot configure the fields on the Dashboard screen Any changes must be made on other screens Table 11 5...

Page 377: ...ProSecure Unified Threat Management UTM Appliance Reference Manual Monitoring System Access and Performance 11 15 v1 0 January 2010 Figure 11 7 Dashboard screen 1 of 3 ...

Page 378: ...ti Virus and Notification Settings on page 6 5 E mails that matched filters to configure see E mail Content Filtering on page 6 8 Spam to configure see Protecting Against E mail Spam on page 6 11 Web Displays the total number of Files scanned Malware detected to configure see Configuring Web Malware Scans on page 6 21 Files blocked to configure see Configuring Web Content Filtering on page 6 23 UR...

Page 379: ...r the various applications Note IMBlock stands for instant messaging applications blocked P2PBlock stands for peer to peer applications blocked IPSSisMatch stands for IPS signatures matched Total Traffic Bytes This is a graphic that shows the relative number of traffic in bytes over the last week Figure 11 8 Dashboard screen 2 of 3 Table 11 6 Dashboard Total Threats Threats Counts and Total Traffi...

Page 380: ... attack Count The number of times that the attack was detected Percentage The percentage that the attack represents in relation to the total number of detected attacks IM Peer to Peer Application The name of the application that was blocked Category Instant messaging or peer to peer Date and Time The date and time that the application request was blocked Application The name of the application tha...

Page 381: ...of detected viruses and attacks Total Files Blocked The total number of downloaded files that were blocked Total URLs Blocked The total number of URL requests that were blocked These statistics are applicable only to HTTP and HTTPS Total Spam Emails The total number of spam messages that were blocked These statistics are applicable only to SMTP and POP3 Blacklist The total number of e mails that w...

Page 382: ...of the UTM CPU memory and hard disk status and the number of active connections per protocol Firmware versions and update information of the UTM software versions and update information of the components license expiration dates for each type of license and hardware serial number WAN and LAN port information Interface statistics To view the System Status screen click Monitoring System Status Becau...

Page 383: ...us screen Figure 11 10 System Status screen 1 of 3 Table 11 9 System Status Status and System Information Setting Description or Subfield and Description Status System The current CPU memory and hard disk usage When usage is within safe limits the status bars show green Services The protocols that are being scanned for malware threats ON or OFF stated next to the protocol and the number of active ...

Page 384: ...on States system up time since last reboot Firmware Information The firmware version and most recent download for the active and secondary firmware of the UTM and for the scan engine pattern file and firewall License Expiration Date The license expiration dates for the e mail protection Web protection and maintenance licenses Note When a license has expired the license expiration date is displayed...

Page 385: ...figuration WAN2 Configuration Dual WAN Port Models or WAN Configuration Single WAN Port Models WAN Mode Single Port Load Balancing or Auto Rollover WAN State UP or DOWN NAT Enabled or Disabled Connection Type Static IP DHCP PPPoE or PPTP Connection State Connected or Not Connected IP Address These fields are self explanatory Subnet Mask Gateway Primary DNS Secondary DNS MAC Address LAN Port MAC Ad...

Page 386: ...r logged in To disconnect an active user click the Disconnect table button to the right of the user s table entry Viewing VPN Tunnel Connection Status To review the status of current IPsec VPN tunnels 1 Select Monitoring Active Users VPNs from the main menu The Active Users VPN submenu tabs appear with the Active Users screen in views Table 11 11 System Status Interface Statistics Setting Descript...

Page 387: ...toring Active Users VPNs from the main menu The Active Users VPN submenu tabs appear with the Active Users screen in views Figure 11 14 Table 11 12 IPsec VPN Connection Status Information Item Description or Subfield and Description Policy Name The name of the VPN policy that is associated with this SA Endpoint The IP address on the remote VPN endpoint Tx KB The amount of data that is transmitted ...

Page 388: ...ess are listed in the table with a timestamp indicating the time and date that the user connected To disconnect an active user click the Disconnect table button to the right of the user s table entry Viewing Port Triggering Status To view the status of the Port Triggering feature 1 Select Network Security Port Triggering from the menu The Port Triggering screen displays Figure 11 16 shows one rule...

Page 389: ...els the WAN Settings submenu tabs appear with the WAN1 ISP Settings screen in view see Figure 11 18 on page 11 28 On the single WAN port models the WAN ISP Settings screen displays Figure 11 17 Table 11 13 Port Triggering Status Information Item Description or Subfield and Description The sequence number of the rule on screen Rule The name of the port triggering rule that is associated with this e...

Page 390: ...System Access and Performance v1 0 January 2010 2 Click the WAN Status option arrow at the top right of the WAN1 ISP Settings screen dual WAN port models or WAN1 ISP Settings screen single WAN port models The Connection Status screen appears in a popup window Figure 11 18 Figure 11 19 ...

Page 391: ...ect Network Config LAN Settings from the menu The LAN Settings submenu tabs appear with the LAN Setup screen in view see Figure 11 20 on page 11 30 which contains some profiles in the VLAN Profiles table as an example Table 11 14 WAN1 Dual WAN Port Models or WAN Single WAN Port Models Port Status Informations Item Description or Subfield and Description Connection Time The period that the UTM has ...

Page 392: ...ance Reference Manual 11 30 Monitoring System Access and Performance v1 0 January 2010 2 Click the LAN Groups submenu tab The LAN Groups screen displays Figure 11 21 shows some examples in the Known PCs and Devices table Figure 11 20 Figure 11 21 ...

Page 393: ...evice is assigned a static IP address you need to update this entry manually after the IP address on the PC or device has changed MAC Address The MAC address of the PC or device s network interface Group Each PC or device can be assigned to a single LAN group By default a PC or device is assigned to Group 1 You can select a different LAN group from the Group pull down menu in the Add Known PCs and...

Page 394: ...system reports and e mailing these reports to specified recipients For information about e mailing logs and sending logs to a syslog server see Configuring and Activating System E mail and Syslog Logs on page 11 6 Querying the Logs The UTM generates logs that provide detailed information about malware threats and traffic activities on the network You can view these logs through the Web Management ...

Page 395: ...eer to Peer Logs All instant messaging and peer to peer access violations Firewall Logs The firewall logs that you have specified on the Firewall Logs screen see Configuring and Activating Firewall Logs on page 11 13 on page 11 14 IPSEC VPN Logs All IPsec VPN events SSL VPN Logs All SSL VPN events You can query and generate each type of log separately and filter the information based on a number o...

Page 396: ...15 Logs Query Settings Setting Description or Subfield and Description Log Type Select one of the following log types from the pull down menu Traffic All scanned incoming and outgoing traffic Spam All intercepted spam System The system event logs that you have specified in the System Logs Options section at the top of the screen However by default many more types of events are logged in the system...

Page 397: ...vents View All Select one of the following radio buttons View All Display or download the entire selected log Search Criteria Query the selected log by configuring the search criteria that are available for the selected log Search Criteria Start Date Time From the pull down menus select the year month day hours and minutes for the start date and time This field is available for the following logs ...

Page 398: ...mail filters log keyword file type file name password and size limit For the Content filters log URL file type and size limit Spam Found By This field is available only for the Spam log Select a checkbox to specify the method by which Spam is detected Blacklist or Heuristic Scan Note Heuristic Scan refers to Distributed Spam Analysis Malware Name The name of the malware threat that is queried This...

Page 399: ... that are queried This field is available only for the Traffic log Event The type of event that is queried These events are the same events that are used for syslog server severity indications EMERG ALERT CRITICAL ERROR WARNING NOTICE INFO and DEBUG This field is available only for the Service log URL The URL that is queried This field is available only for the Content filters log Display The maxi...

Page 400: ...nation IP address on a regular basis If you find a client exhibiting this behavior you can run a query on that client s HTTP traffic activities to get more information Do so by running the same HTTP traffic query and entering the client IP address in the Client IP field Log Management Generated logs take up space and resources on the UTM internal disk To ensure that there is always sufficient spac...

Page 401: ...each protocol HTTP HTTPS and FTP the report shows the following information per day both in tables and graphics Number of connections Traffic amount in MB Number of malware incidents Number of files blocked Number of URLs blocked not applicable to FTP System Reports The report shows IPS application and malware incidents The following IPS incident are shown per day both in tables and graphics Numbe...

Page 402: ...graphics The number of SMPT POP3 and IMAP incidents the top 10 e mail malware threats by count and the top 10 infected e mail clients by count The number of HTTP HTTPS and FTP incidents the top 10 Web malware threats by count and the top 10 infected Web clients by count The reports that you select are generated as both Microsoft Office Comma Separated Values CSV and MHTML files The CSV files do no...

Page 403: ...ing its Download table button The reports download as a zipped file that contains both CSV and HTML files Figure 11 24 Table 11 16 Generate Report Settings Setting Description or Subfield and Description Time From From the pull down menus specify the start year month day hour and minutes for the report Time To From the pull down menus specify the end year month day hour and minutes for the report ...

Page 404: ...k the Schedule Reports submenu tab The Schedule Reports screen displays 3 Enter the settings as explained in Table 11 17 Figure 11 25 Table 11 17 Schedule Report Settings Setting Description or Subfield and Description Report Settings Frequency Select one of the following checkboxes to specify the frequency with which the reports are generated and e mailed Daily The report is generated daily at 3 ...

Page 405: ...toring Diagnostics from the menu To facilitate the explanation of the tools the Diagnostics screen is divided and presented in this manual in three figures Figure 11 26 on page 11 44 Figure 11 27 on page 11 46 and Figure 11 28 on page 11 47 Reports Select one or more checkboxes to specify the reports that are generated Email Reports Web Reports System Reports Note You can select all three checkbox...

Page 406: ...t usually means that the destination is unreachable However some network devices can be configured not to respond to a ping The ping results are displayed on a new screen click Back on the Windows menu bar to return to the Diagnostics screen To send a ping 1 Locate the Network Diagnostics section on the Diagnostics screen 2 In the IP Address field enter the IP address that you want to ping 3 If th...

Page 407: ...t NETGEAR Technical Support to diagnose routing problems To display the routing table 1 Locate the Network Diagnostics section on the Diagnostics screen 2 Next to Display the Routing Table click the Display button The routing table is displayed in the Route Display screen that appears as a popup window Looking up a DNS Address A DNS Domain Name Server converts the Internet name for example www net...

Page 408: ... Diagnostics section on the Diagnostics screen 2 In the Source IP address field enter the IP address of source of the traffic stream that you want to analyze 3 In Destination IP address enter the IP address of the destination of the traffic stream that you want to analyze 4 Click Start You are prompted to save the downloaded traffic information file to your computer however do not save the file un...

Page 409: ...thering Important Log Information To gather log information about your UTM 1 Locate the Gather Important Log Information section on the Diagnostics screen 2 Click Download Now You are prompted to save the downloaded log information file to your computer The default file name is importantlog gpg 3 When the download is complete browse to the download location you specified and verify that the file h...

Page 410: ...t the UTM 1 Locate the Reboot the System section on the Diagnostics screen 2 Click the Reboot button The UTM reboots If you can see the unit the reboot process is complete when the Test LED on the front panel goes off To shut down the UTM 1 Locate the Reboot the System section on the Diagnostics screen 2 Click the Shutdown button The UTM shuts down Note Rebooting breaks any existing connections ei...

Page 411: ...g the Web Management Interface on page 12 3 A time out occurs Go to When You Enter a URL or IP Address a Time out Error Occurs on page 12 4 I cannot access the Internet or the LAN Troubleshooting the ISP Connection on page 12 5 I have problems with the LAN connection Go to Troubleshooting a TCP IP Network Using a Ping Utility on page 12 7 I want to clear the configuration and start over again Go t...

Page 412: ... see the appropriate following section Power LED Not On If the Power and other LEDs are off when your UTM is turned on make sure that the power cord is properly connected to your UTM and that the power supply adapter is properly connected to a functioning power outlet If the error persists you have a hardware problem and should contact NETGEAR Technical Support Test LED Never Turns Off When the UT...

Page 413: ... a standard straight through Ethernet cables or an Ethernet crossover cables Troubleshooting the Web Management Interface If you are unable to access the UTM s Web Management Interface from a PC on your local network check the following Check the Ethernet connection between the PC and the UTM as described in the previous section LAN or WAN Port LEDs Not On Make sure your PC s IP address is on the ...

Page 414: ...Web Configuration Interface check the following When entering configuration settings be sure to click the Apply button before moving to another menu or tab or your changes are lost Click the Refresh or Reload button in the Web browser The changes might have occurred but the Web browser might be caching the old configuration When You Enter a URL or IP Address a Time out Error Occurs A number of thi...

Page 415: ...2 Access the Web Management Interface of the UTM s configuration at https 192 168 1 1 3 Select Network Security WAN Settings from the menu The WAN1 ISP Settings screen dual WAN port models or WAN ISP Settings screen single WAN port models displays For dual WAN port models only to display the WAN2 ISP Settings screen click WAN2 ISP Settings 4 Click the WAN Status option arrow at the top right of th...

Page 416: ...ternet Connection on page 3 5 Your ISP allows only one Ethernet MAC address to connect to the Internet and might check for your PC s MAC address In this case Inform your ISP that you have bought a new network device and ask them to use the UTM s MAC address or Configure your UTM to spoof your PC s MAC address You can do this in the Router s MAC Address section of the WAN1 Advanced Options or WAN2 ...

Page 417: ...for example ping 192 168 1 1 3 Click OK A message similar to the following should display Pinging IP address with 32 bytes of data If the path is working you will see this message Reply from IP address bytes 32 time NN ms TTL xxx If the path is not working you will see this message Request timed out If the path is not functioning correctly you could have one of the following problems Wrong physica...

Page 418: ...P assigned a host name system name or account name to your PC enter that name in the Account Name field on the WAN1 ISP Settings or WAN2 ISP Settings screen of the dual WAN port models or in the Account Name field on the WAN ISP Settings screen of the single WAN port models You might also have to enter the assigned domain name or workgroup name in the Domain Name field and you might have to enter ...

Page 419: ...up Restore Settings screen see Figure 12 1 next to Revert to factory default settings click the Default button a To display the Backup Restore Settings screen select Administration Backup Restore Settings from the menu see Figure 12 1 on page 12 9 b Click the Default button The UTM reboots During the reboot process the Backup Restore Settings screen remains visible The reboot process is complete a...

Page 420: ...inutes and check the date and time again Time is off by one hour Cause The UTM does not automatically sense Daylight Savings Time Go to the System Date Time screen and select or deselect the checkbox marked Automatically Adjust for Daylight Savings Time Using Online Support The UTM includes online support tools that allow NETGEAR Technical Support to securely perform diagnostics of the UTM and tha...

Page 421: ...nel is established the tunnel status field displays ON To terminate the tunnel click Disconnect The tunnel status field displays OFF If NETGEAR Technical Support cannot access the UTM remotely they might ask you to save a log file to your computer and then e mail it to NETGEAR for analysis see Gathering Important Log Information on page 11 47 Sending Suspicious Files to NETGEAR for Analysis You ca...

Page 422: ... documentation library for your UTM model select Support Documentation from the menu Figure 12 3 Table 12 1 Malware Analysis Settings Setting Description or Subfield and Description Email Address The e mail address of the submitter to enable NETGEAR to contact the submitter if needed File Location Click Browse to navigate to the file that you want to submit to NETGEAR Source Product Model Specify ...

Page 423: ...hat are shown in Table A 1 below Pressing the Reset button for a shorter period of time simply causes the UTM to reboot Table A 1 shows the default configuration settings for the UTM Table A 1 UTM Default Configuration Settings Feature Default behavior Router Login User login URL https 192 168 1 1 Administrator user name case sensitive admin Administrator login password case sensitive password Gue...

Page 424: ...ng in from the Internet All communication denied Outbound communications from the LAN to the Internet All communication allowed Source MAC filtering Disabled Stealth mode Enabled Respond to ping on Internet ports Disabled Table A 2 UTM Physical and Technical Specifications Feature Specification Network Protocol and Standards Compatibility Data and Routing Protocols TCP IP RIP 1 RIP 2 DHCP PPP over...

Page 425: ... configurable DMZ interface AutoSense 10 100 1000BASE T RJ 45 Dual WAN port models 2 WAN Single WAN port models 1 WAN AutoSense 10 100 1000BASE T RJ 45 1 administrative console port RS 232 1 USB non functioning included for future management enhancements Table A 3 UTM IPsec VPN Specifications Setting Specification Network Management Web based configuration and status monitoring Number of concurren...

Page 426: ...urrent users supported The number of supported dedicated SSL VPN tunnels depends on the model see NETGEAR s marketing documentation at http prosecure netgear com SSL versions SSLv3 TLS1 0 SSL encryption algorithm DES 3DES ARC4 AES 128 AES 192 AES 256 SSL message integrity MD5 SHA 1 MAC MD5 SHA 1 HMAC MD5 SHA 1 SSL authentication types Local User database RADIUS PAP RADIUS CHAP RADIUS MSCHAP RADIUS...

Page 427: ...easier and to understand all of the choices that are available to you consider the following before you begin 1 Plan your network a Determine whether you will use one or both WAN ports For one WAN port you might need a fully qualified domain name either for convenience or to remotely access a dynamic WAN IP address b If you intend to use both WAN ports determine whether you will use them in auto r...

Page 428: ...cted to the UTM through separate physical facilities Each WAN port must be configured separately whether you are using a separate ISP for each WAN port or you are using the same ISP to route the traffic of both WAN ports If your ISP charges by the volume of data traffic each month consider enabling the UTM s traffic meter to monitor or limit your traffic b Contact a Dynamic DNS service and registe...

Page 429: ...nts The UTM integrates a Web Management Interface To access the configuration menus on the UTM your must use a Java enabled Web browser that supports HTTP uploads such as Microsoft Internet Explorer 6 or higher Mozilla Firefox 3 or higher or Apple Safari 3 or higher with JavaScript cookies and you must have SSL enabled Free browsers are readily available for Windows Macintosh or UNIX Linux For the...

Page 430: ...Record all the settings for each tab page For Macintosh computers open the TCP IP or Network control panel Record all the settings for each section After you have located your Internet configuration information you might want to record the information in the following section Internet Connection Information Print these pages with the Internet connection information Fill in the configuration settin...

Page 431: ... this your account user host computer or system name If your ISP s mail server is mail xxx yyy com then use xxx yyy com as the domain name ISP Host Name _______________________ ISP Domain Name _______________________ Fully Qualified Domain Name Some organizations use a fully qualified domain name FQDN from a dynamic DNS service provider for their IP addresses Dynamic DSN Service Provider _________...

Page 432: ...st one of the tunnel endpoints must be known in advance in order for the other tunnel end point to establish or re establish the VPN tunnel Dual WAN Ports in Auto Rollover Mode Rollover for an UTM with dual WAN ports is different from a single WAN port gateway configuration when you specify the IP address Only one WAN port is active at a time and when it rolls over the IP address of the active WAN...

Page 433: ...e for which you have configured an inbound rule Instead of discarding this traffic you can configure the UTM to forward it to one or more LAN hosts on your network The addressing of the UTM s dual WAN port depends on the configuration being implemented Inbound Traffic to a Single WAN Port System The Internet IP address of the UTM s WAN port must be known to the public so that the public can send i...

Page 434: ...roved Reliability In a dual WAN port auto rollover configuration the WAN port s IP address will always change when a rollover occurs You must use a FQDN that toggles between the IP addresses of the WAN ports that is WAN1 or WAN2 Inbound Traffic Dual WAN Ports for Load Balancing In a dual WAN port load balancing configuration the Internet address of each WAN port is either fixed if the IP address i...

Page 435: ...ystems Configuration and WAN IP address Single WAN Port Configurations Reference Cases Dual WAN Port Configurations Rollover Modea a All tunnels must be re established after a rollover using the new WAN IP address Load Balancing Mode VPN Road Warrior Client to Gateway Fixed Allowed FQDN optional FQDN required Allowed FQDN optional Dynamic FQDN required FQDN required FQDN required VPN Gateway to Ga...

Page 436: ...active at a time and when it rolls over the IP address of the active WAN port always changes Therefore the use of an FQDN is always required even when the IP address of each WAN port is fixed Dual WAN Ports in Load Balancing Mode A dual WAN port load balancing gateway configuration is the same as a single WAN port configuration when you specify the IP address of the VPN tunnel endpoint Each IP add...

Page 437: ...Reference Case In a single WAN port gateway configuration the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance The gateway WAN port must act as the responder The IP address of the gateway WAN port can be either fixed or dynamic If the IP address is dynamic a FQDN must be used If the IP address is fixed a FQDN is optional VPN Road Warr...

Page 438: ... not known in advance After a rollover of the WAN port has occurred the previously inactive gateway WAN port becomes the active port port WAN2 in Figure B 11 and the remote PC client must re establish the VPN tunnel The gateway WAN port must act as the responder The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port...

Page 439: ...esses of the gateway WAN ports can be either fixed or dynamic If an IP address is dynamic you must use a FQDN If an IP address is fixed an FQDN is optional VPN Gateway to Gateway The following situations exemplify the requirements for a gateway VPN firewall such as an UTM to establish a VPN tunnel with another gateway VPN firewall Single gateway WAN ports Redundant dual gateway WAN ports for incre...

Page 440: ...either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance In this example see Figure B 14 port WAN_A1 is active and port WAN_A2 is inactive at Gateway A port WAN_B1 is active and port WAN_B2 is inactive at Gate...

Page 441: ...e other end of the tunnel has a known gateway IP address to establish or re establish a VPN tunnel VPN Gateway to Gateway Dual Gateway WAN Ports for Load Balancing In a configuration with two dual WAN port VPN gateways that function in load balancing mode either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the ...

Page 442: ...dundant dual gateway WAN ports for increased reliability before and after rollover Dual gateway WAN ports for load balancing VPN Telecommuter Single Gateway WAN Port Reference Case In a single WAN port gateway configuration the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance The gateway WAN port must act as the res...

Page 443: ...address of the remote NAT router is not known in advance The gateway WAN port must act as the responder The IP addresses of the gateway WAN ports can be either fixed or dynamic but you must always use a FQDN because the active WAN port could be either WAN1 or WAN2 that is the IP address of the active WAN port is not known in advance After a rollover of the WAN port has occurred the previously inac...

Page 444: ...el VPN Telecommuter Dual Gateway WAN Ports for Load Balancing In a dual WAN port load balancing gateway configuration the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port that is port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports because the IP address of the remote NAT router is not known in advance The selected gateway WAN port must ac...

Page 445: ...C 16 This appendix uses the following log message terms Table C 1 Log Message Terms Term Description or Subfield and Description UTM System identifier kernel Message from the kernel CODE Protocol code e g protocol is ICMP type 8 and CODE 0 means successful reply DEST Destination IP Address of the machine to which the packet is destined DPT Destination port IN Incoming interface for packet OUT Outg...

Page 446: ...m daemons NTP the WAN daemon and others System Startup This section describes log messages generated during system startup Reboot This section describes log messages generated during a system reboot Table C 2 System Logs System Startup Message Jan 1 15 22 28 UTM ledTog SYSTEM START UP System Started Explanation Logs that are generated when the system is started Recommended Action None Table C 3 Sy...

Page 447: ...Table C 5 System Logs NTP Message 1 Message 2 Message 3 Message 4 Message 5 Message 6 Example Nov 28 12 31 13 UTM ntpdate Looking Up time f netgear com Nov 28 12 31 13 UTM ntpdate Requesting time from time f netgear com Nov 28 12 31 14 UTM ntpdate adjust time server 69 25 106 19 offset 0 140254 sec Nov 28 12 31 14 UTM ntpdate Synchronized time with time f netgear com Nov 28 12 31 16 UTM ntpdate Da...

Page 448: ...ction None Message Nov 28 14 55 09 UTM seclogin Logout succeeded for user admin Nov 28 14 55 13 UTM seclogin Login succeeded user admin from 192 168 1 214 Explanation Secure login logout of user admin from host with IP address 192 168 1 214 Recommended Action None Table C 7 System Logs Firewall Restart Message Jan 23 16 20 44 UTM wand FW Firewall Restarted Explanation Logs that are generated when ...

Page 449: ...e Detection method This section describes the logs that are generated when the WAN mode is set to auto rollover System Logs WAN Status Auto Rollover Message Nov 17 09 59 09 UTM wand LBFO WAN1 Test Failed 1 of 3 times_ Nov 17 09 59 39 UTM wand LBFO WAN1 Test Failed 2 of 3 times_ Nov 17 10 00 09 UTM wand LBFO WAN1 Test Failed 3 of 3 times_ Nov 17 10 01 01 UTM wand LBFO WAN1 Test Failed 4 of 3 times_...

Page 450: ...secondary link is active have the same timestamp and so they happen in the same algorithm state machine cycle So although it appears that the failover did not happen immediately after three failures internally the failover process is triggered after the 3rd failure and transition to secondary link is completed by the 5th failure The primary link is also restarted every three failures till it is fu...

Page 451: ...13 12 49 UTM pppd secondary DNS address 202 153 32 3 Nov 29 11 29 26 UTM pppd Terminating connection due to lack of activity Nov 29 11 29 28 UTM pppd Connect time 8 2 minutes Nov 29 11 29 28 UTM pppd Sent 1408 bytes received 0 bytes Nov 29 11 29 29 UTM pppd Connection terminated Explanation Message 1 PPPoE connection establishment started Message 2 Message from PPPoE server for correct login Messa...

Page 452: ... Starting PPP connection process Message 2 Message from server for authentication success Message 3 Local IP address assigned by the server Message 4 Server side IP address Message 5 primary DNS configured in WAN status page Message 6 secondary DNS configured in WAN status page Message 7 Sensing idle link Message 8 Data sent and received at the LAN side while the link was up Message 9 PPP connecti...

Page 453: ... Traffic Meter screen see Enabling the WAN Traffic Meter on page 11 1 all the incoming and outgoing traffic might be stopped Note For WAN2 interface see the settings on the WAN2 Traffic Meter screen Recommended Action To start the traffic restart the traffic counter in the Traffic Counter section on the WAN1 Traffic Meter screen Note For WAN2 interface see the settings on the WAN2 Traffic Meter sc...

Page 454: ...le C 1 Recommended Action None Table C 17 System Logs Invalid Packets Message 2007 Oct 1 00 44 17 UTM kernel INVALID NO_CONNTRACK_ENTRY DROP SRC 192 168 20 10 DST 192 168 20 2 PROTO TCP SPT 23 DPT 54899 Explanation No connection tracking entry exists Recommended Action None Message 2007 Oct 1 00 44 17 UTM kernel INVALID RST_PACKET DROP SRC 192 168 20 10 DST 192 168 20 2 PROTO TCP SPT 23 DPT 54899 ...

Page 455: ...7 UTM kernel INVALID SHORT_PACKET DROP SRC 192 168 20 10 DST 192 168 20 2 PROTO TCP SPT 23 DPT 54899 Explanation Short packet Recommended Action None Message INVALID INVALID_STATE DROP SRC 192 168 20 10 DST 192 168 20 2 PROTO TCP SPT 23 DPT 54899 Explanation Packet with invalid state Recommended Action None Message 2007 Oct 1 00 44 17 UTM kernel INVALID REOPEN_CLOSE_CONN DROP SRC 192 168 20 10 DST...

Page 456: ... shows the date and time protocol client IP address server IP address URL reason for the action and action that is taken Recommended Action None Message 2009 08 01 00 00 01 HTTP 192 168 1 3 192 168 35 165 http 192 168 35 165 testcases files virus normal b4 f3 d3 da2048 rar URL Block Explanation Logs that are generated when Web content is blocked because it violates a blocked Web category The messa...

Page 457: ...ocol client IP address server IP address URL reason for the action and action that is taken Recommended Action None Table C 19 Content Filtering and Security Logs Spam Message 2009 02 28 23 59 59 SMTP 192 168 1 2 192 168 35 165 xlzimap test com xlzpop3 test com Blocked by customized blacklist 0 RBL Block Explanation Logs that are generated when spam messages are blocked by the RBL The message show...

Page 458: ...ddress server IP address sender recipient and Web URL or e mail subject line Recommended Action None Table C 21 Content Filtering and Security Logs Virus Message 2008 02 29 23 59 00 POP3 OF97 Jerk Delete cleanvirus zip 192 168 1 2 192 168 35 166 xlzimap test com xlzimap test com MALWARE INFECTED Fw cleanvirus Explanation Virus logs for all services The message shows the date and time protocol viru...

Page 459: ...otocol client IP address client port number server IP address server port number IPS category and reason for the action Recommended Action None Table C 24 Content Filtering and Security Logs Port Scan Message 2008 12 31 23 59 12 192 168 1 10 192 168 35 160 5 10 1 18 188 UDP Portscan Explanation Logs that are generated when port scans are detected The message shows the date and time client IP addre...

Page 460: ...essage Nov 29 09 19 43 UTM kernel LAN2WAN ACCEPT IN LAN OUT WAN SRC 192 168 10 10 DST 72 14 207 99 PROTO ICMP TYPE 8 CODE 0 Explanation This packet from the LAN to the WAN has been allowed by the firewall For other settings see Table C 1 Recommended Action None Table C 27 Routing Logs LAN to DMZ Message Nov 29 09 44 06 UTM kernel LAN2DMZ ACCEPT IN LAN OUT DMZ SRC 192 168 10 10 DST 192 168 20 10 PR...

Page 461: ...8 10 10 PROTO ICMP TYPE 8 CODE 0 Explanation This packet from the LAN to the WAN has been allowed by the firewall For other settings see Table C 1 Recommended Action None Table C 30 Routing Logs DMZ to WAN Message Nov 29 09 44 06 UTM kernel DMZ2LAN DROP IN DMZ OUT LAN SRC 192 168 20 10 DST 192 168 10 10 PROTO ICMP TYPE 8 CODE 0 Explanation This packet from the DMZ to the LAN has been dropped by th...

Page 462: ...ProSecure Unified Threat Management UTM Appliance Reference Manual C 18 System Logs and Error Messages v1 0 January 2010 ...

Page 463: ...ords and the presence of firewalls are no longer enough to protect the networks from being compromised IT professionals and security experts have recognized the need to go beyond the traditional authentication process by introducing and requiring additional factors to the authentication process NETGEAR has also recognized the need to provide more than just a firewall to protect the networks As par...

Page 464: ...something you have This new security method can be viewed as a two tiered authentication approach because it typically relies on what you know and what you have A common example of two factor authentication is a bank ATM card that has been issued by a bank institute The PIN to access your account is something you know The ATM card is something you have You must have both of these factors to gain a...

Page 465: ...on by end users dramatically reducing implementation and maintenance costs Here is an example of how WiKID works 1 The user launches the WiKID token software enter the PIN that has been given to them something they know and then press continue to receive the OTP from the WiKID authentication server 2 A one time passcode something they have is generated for this user Figure D 1 Figure D 2 ...

Page 466: ...ogin page and enters the generated one time passcode as the login password Note The one time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time If a user does not use this passcode before it is expired the user must go through the request process again to generate a new OTP Figure D 3 ...

Page 467: ...ink TCP IP Networking Basics http documentation netgear com reference enu tcpip index htm Wireless Networking Basics http documentation netgear com reference enu wireless index htm Preparing Your Network http documentation netgear com reference enu wsdhcp index htm Virtual Private Networking Basics http documentation netgear com reference enu vpn index htm Glossary http documentation netgear com r...

Page 468: ...ProSecure Unified Threat Management UTM Appliance Reference Manual E 2 Related Documents v1 0 January 2010 ...

Page 469: ...fying alerts to send via e mail 11 10 ALG 5 31 allowing applications services 6 21 e mails 6 14 URLs 6 32 Web categories 2 22 application services protection 6 19 6 21 Application Level Gateway See ALG ARP requests 4 12 arrow Web Management Interface 2 5 attached devices monitoring with SNMP 10 14 viewing 11 29 attacks alerts 11 10 checks 5 27 IPS categories 5 50 audio and video files e mail filte...

Page 470: ...ers user login policies 9 15 Web Management Interface 2 2 button Reset 1 12 buttons Web Management Interface action 2 6 help 2 7 table 2 6 C CA 7 31 cache control SSL VPN 8 5 8 21 card service registration 1 8 categories Web content 2 22 category 5 cable B 3 Certificate Authority See CA Certificate Revocation List See CRL Certificate Signing Request See CSR certificates 3rd party Web site 6 37 aut...

Page 471: ...ildcards 3 21 Dead Peer Detection See DPD debug logs 11 47 defaults configuration settings A 1 configuration restoring 12 9 content filtering settings 6 2 factory 10 18 12 9 IPsec VPN Wizard 7 5 login time out 2 4 MTU 3 23 password 2 3 12 9 PVID 4 2 user name 2 3 UTM IP address 2 9 4 8 UTM subnet mask 2 9 4 8 VLAN 2 8 de militarized zone See DMZ denial of service See DoS deployment testing connect...

Page 472: ...7 2 B 1 B 9 load balancing 3 9 3 10 B 7 B 8 B 10 network planning B 1 overview 1 3 duplex half and full 3 23 Dynamic DNS See DDNS Dynamic Host Configuration Protocol See DHCP 1 6 DynDNS org 3 19 3 21 E e commerce 8 1 edge device 7 39 7 40 eDonkey 2 17 6 21 EICAR 2 26 e mail notification server configuring manually 11 5 settings using the Setup Wizard 2 23 SMTP server 2 23 e mails audio and video f...

Page 473: ...10 20 versions 10 19 11 22 Flash objects 6 24 6 28 FQDNs auto rollover mode dual WAN port models 3 19 dual WAN ports dual WAN port models 7 1 7 2 B 1 B 9 load balancing mode dual WAN port models 3 19 SSL VPN port forwarding 8 18 VPN tunnels 7 2 front panel LEDs 1 11 ports 1 10 FTP action infected Web file or object 2 20 6 40 audio and video files filtering 6 41 compressed files filtering 6 41 defa...

Page 474: ... of precedence 5 11 overview 5 6 settings 5 8 increasing traffic DMZ port 10 7 exposed hosts 10 8 overview 10 5 port forwarding 5 7 10 6 port triggering 10 7 VPN tunnels 10 8 initial configuration Setup Wizard 2 7 initial connection 2 1 Installation Guide 2 1 installation verifying 2 26 Instant Messaging blocked applications recent 5 and top 5 11 18 blocking applications 5 26 6 21 logs 11 8 11 33 ...

Page 475: ...dwidth capacity 10 1 configuration 4 1 default settings A 1 groups 4 16 assigning 4 14 managing 4 12 hosts managing 4 12 Known PCs and Devices table 4 14 4 15 LEDs 1 11 12 3 network database 4 12 4 13 ports 1 2 1 10 secondary IP addresses 4 11 security checks 5 29 settings using the Setup Wizard 2 8 testing the LAN path 12 7 LDAP 8 6 9 3 9 5 server DHCP 2 10 4 9 4 21 VLANs 4 6 LEDs explanation of ...

Page 476: ...ection 6 5 6 21 recent 5 and top 5 11 18 management default settings A 2 maximum transmission unit See MTU MD5 IKE polices 7 29 ModeConfig 7 46 RIP 2 4 26 self certificate requests 9 23 VPN policies 7 37 Media Access Control See MAC memory usage 11 21 Message Digest algorithm 5 See MD5 meter WAN traffic 11 1 metric static routes 4 24 MIAS description 9 2 MIAS CHAP 8 6 9 5 MIAS PAP 8 6 9 5 Microsof...

Page 477: ...ce blocking 5 4 settings 5 5 outbreak IPS defining 11 12 malware defining 11 12 P package contents UTM 1 9 packets accepted and dropped 11 14 PAP See also RADIUS PAP MIAS PAP or WiKID PAP 9 2 Password Authentication Protocol See PAP password protected attachments 6 8 passwords changing 9 16 10 9 default 2 3 restoring 12 9 pattern file 10 21 Peer to Peer P2P blocked applications recent 5 and top 5 ...

Page 478: ...tifier See PVID portals SSL VPN 8 1 8 14 8 18 ports console 1 12 explanation of WAN and LAN 1 11 front panel 1 10 LAN 1 10 numbers 5 33 5 46 numbers for SSL VPN port forwarding 8 12 8 24 USB non functioning 1 10 WAN 1 10 portscan logs 11 9 11 33 11 35 Post Office Protocol 3 See POP3 power receptacle 1 12 specifications adapter A 2 Power LED 1 11 12 2 PPP connection 8 1 PPP over Ethernet See PPPoE ...

Page 479: ... 4 9 4 21 Remote Authentication Dial In User Service See RADIUS remote management access 10 12 troubleshooting 10 13 remote troubleshooting enabling 12 10 remote users assigning addresses via ModeConfig 7 43 reports administrator e mailing options 11 43 e mail address for sending reports 2 23 11 6 generating 11 40 scheduling 11 42 types of 11 39 requirements hardware B 3 reserved IP addresses conf...

Page 480: ... configuring 5 30 logging dropped packets 11 14 Setup Wizard initial configuration 2 7 severities syslog 11 9 SHA 1 IKE policies 7 29 ModeConfig 7 46 self certificate requests 9 23 VPN policies 7 37 shutting down 11 48 signature key length 9 23 signatures engine settings HTTP proxy 2 25 update frequency 2 25 update settings using the Setup Wizard 2 24 Simple Mail Transfer Protocol See SMTP Simple ...

Page 481: ... 11 35 manual configuration steps 8 17 network resources 8 28 overview 1 3 policies managing 8 31 settings 8 34 port forwarding description 8 2 host names 8 24 IP addresses 8 23 port numbers 8 12 8 24 using SSL VPN Wizard 8 11 portal accessing 8 14 options 8 1 settings configuring manually 8 18 settings using SSL VPN Wizard 8 3 specifications A 4 status 8 16 tunnel description 8 1 user account 9 9...

Page 482: ...l in bytes 11 17 volume by protocol 11 4 traps SNMP 10 15 trial period service licenses 2 27 troubleshooting basic functioning 12 2 browsers 12 4 configuration settings using sniffer 12 4 date and time 12 10 defaults 12 4 ISP connection 12 5 LEDs 12 2 12 3 NTP 12 10 remote management 10 13 remotely 12 10 testing your setup 12 8 time out error 12 4 Web Management Interface 12 3 trusted certificates...

Page 483: ...amples gateway to gateway dual WAN ports auto rollover B 14 gateway to gateway dual WAN ports load balancing B 15 gateway to gateway single WAN port mode B 13 Road Warrior dual WAN mode auto rollover B 11 Road Warrior dual WAN mode load balancing B 13 Road Warrior single WAN port mode B 11 VPN Telecommuter dual WAN ports auto rollover B 17 VPN Telecommuter dual WAN ports load balancing B 18 VPN Te...

Page 484: ...al WAN port models 3 10 status 3 4 11 23 11 28 traffic meter or counter 11 1 warning SSL certificate 2 3 Web audio and video files filtering 6 28 categories blocked recent 5 and top 5 11 18 blocking 2 22 6 24 6 29 compressed files filtering 6 28 executable files filtering 6 28 objects blocking 6 24 6 28 reports 11 39 security settings using the Setup Wizard 2 19 statistics 11 16 Web Management Int...

Reviews:

No comments

Brands by name

Popular brands

Load more brands