ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual

350 East Plumeria Drive, San Jose, CA 95134, USA
July 2012
202-10536-04 v1.
© 2010–2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.

Technical Support
Thank you for choosing NETGEAR.
Contents

Chapter 1 Introduction
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? (page 11)
Key Features and Capabilities (page 12)
Quad-WAN Ports for Increased Reliability and Load Balancing (page 13)
Advanced VPN Support for Both IPSec and SSL (page 13)
A Powerful, True Firewall with Content Filtering (page 14)
Security Features

Configure a Static IPv6 Internet Connection (page 57)
Configure a PPPoE IPv6 Internet Connection (page 60)
Configure 6to4 Automatic Tunneling (page 63)
Configure ISATAP Automatic Tunneling (page 64)
View the Tunnel Status and IPv6 Addresses

Order of Precedence for Rules (page 139)
Configure LAN WAN Rules (page 140)
Create LAN WAN Outbound Service Rules (page 143)
Create LAN WAN Inbound Service Rules (page 145)
Configure DMZ WAN Rules

User Database Configuration (page 241)
RADIUS Client and Server Configuration (page 241)
Assign IPv4 Addresses to Remote Users (Mode Config) (page 244)
Mode Config Operation (page 244)
Configure Mode Config Operation on the VPN Firewall

VPN Certificates Screen (page 314)
Manage VPN CA Certificates (page 315)
Manage VPN Self-Signed Certificates (page 316)
Manage the VPN Certificate Revocation List (page 320)
Chapter 8 Network and System Management
Performance Management

When You Enter a URL or IP Address, a Time-Out Error Occurs (page 387)
Troubleshoot the ISP Connection (page 388)
Troubleshooting the IPv6 Connection (page 389)
Troubleshoot a TCP/IP Network Using a Ping Utility (page 392)
Test the LAN Path to Your VPN Firewall

DMZ to LAN Logs (page 436)
WAN to DMZ Logs (page 436)
Other Event Logs (page 436)
Session Limit Logs (page 436)
Source MAC Filter Logs
1. Introduction

This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web management interface.
The VPN firewall is a security solution that protects your network from attacks and intrusions. For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple web content filtering options, plus browsing activity reporting and instant alerts, both through email.

• One console port for local management.
• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for the NETGEAR ProSafe Network Management Software (NMS200) over a LAN connection. Of these, only SNMPv3 authenticates the management station and can encrypt the traffic; SNMPv1 and SNMPv2c identify the manager by a community string sent in cleartext, so restrict them to a trusted management network.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.
• Rack-mounting kit for 1U rack mounting.

- Allows browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
- Provides granular access to corporate resources based on user type or group membership.

A Powerful, True Firewall with Content Filtering
Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks.

network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The VPN firewall incorporates Auto Uplink™ technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub.

• Auto-detection of ISP. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
• IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC).
Hardware Features
• Front Panel
• Rear Panel
• Bottom Panel with Product Label

The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are described in the following sections.

Front Panel
Viewed from left to right, the VPN firewall front panel contains the following ports (see the following figure).
• LAN Ethernet ports.

Table 1. LED descriptions
LED | Activity | Description
Power | On (green) | Power is supplied to the VPN firewall.
Power | Off | Power is not supplied to the VPN firewall.
Test | On (amber) during startup | The VPN firewall is initializing. After approximately 2 minutes, when the VPN firewall has completed its initialization, the Test LED goes off.
Test | On (amber) at any other time | The initialization has failed, or a hardware failure has occurred.

Rear Panel
The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a cable lock receptacle, an AC power connection, and a power switch.

Figure 2. Rear panel, showing the security lock receptacle, console port, Factory Defaults Reset button, AC power receptacle, and power switch.

Viewed from left to right, the rear panel contains the following components:
1. Cable security lock receptacle.
2. Console port.

Choose a Location for the VPN Firewall
The VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the VPN firewall in a wiring closet or equipment room. Consider the following when deciding where to position the VPN firewall:
• The unit is accessible, and cables can be connected easily.
Log In to the VPN Firewall
Note: To connect the VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide. A PDF of this guide is on the NETGEAR support website at http://kb.netgear.com/app/products/model/a_id/13568.

To configure the VPN firewall, you need to use a web browser such as Microsoft Internet Explorer 7.

Note: The first time that you remotely connect to the VPN firewall with a browser through an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL certificate. The warning appears because the certificate is not issued by a CA your browser trusts; accept it only over a path you trust (for example, from the LAN during initial setup), because a browser that accepts an unverified certificate cannot detect an interposed host.

3. In the User Name field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here, too, use lowercase letters.
These default credentials are printed in this manual and are therefore known to anyone; change the admin password as soon as you have logged in for the first time.

Web Management Interface Menu Layout
The following figure shows the menu at the top of the web management interface:

Figure 7. Menu layout: 1st level, main navigation menu link (orange); 2nd level, configuration menu link (gray); 3rd level, submenu tab (blue); option arrows, additional screen for a submenu item; IP radio buttons.

The web management interface menu consists of the following components:
• 1st level: Main navigation menu links.

- The IPv6 button is operational but the IPv4 button is disabled. You can configure the feature onscreen for IPv6 functionality only.
- Both buttons are disabled. IP functionality does not apply.

The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. The following figure shows an example:
Figure 8.

Requirements for Entering IP Addresses
To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically from the VPN firewall, either an IPv4 address through DHCP or an IPv6 address through DHCPv6, or both.

IPv4
The fourth octet of an IP address needs to be between 0 and 255 (both inclusive). This requirement applies to any IP address that you enter on a screen of the web management interface.
2. IPv4 and IPv6 Internet and WAN Settings

This chapter explains how to configure the IPv4 and IPv6 Internet and WAN settings.
Tasks to Set Up IPv4 Internet Connections to Your ISPs
Complete these tasks:
1. Configure the IPv4 routing mode. Select either NAT or classical routing: see Configure the IPv4 WAN Mode on page 28.
2. Configure the IPv4 Internet connections to your ISPs.

3. Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISATAP tunnels: see Configure 6to4 Automatic Tunneling on page 63 and Configure ISATAP Automatic Tunneling on page 64.
4. (Optional) Configure Stateless IP/ICMP Translation (SIIT). Enable IPv6 devices that do not have permanently assigned IPv4 addresses to communicate with IPv4-only devices: see Configure Stateless IP/ICMP Translation on page 66.
5. (Optional) Configure the WAN options.

Note the following about NAT:
• The VPN firewall uses NAT to select the correct computer (on your LAN) to receive any incoming data.
• If you have only a single public Internet IP address, you need to use NAT (the default setting).

2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button or the Classical Routing radio button.
WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.
3. Click Apply to save your settings. These settings apply to all WAN ports.

You can set the failure detection method for each WAN interface on its corresponding WAN Advanced Options screen (see Configure the Auto-Rollover Mode and Failure Detection Method on page 44).
• Action. The Edit table button provides access to the WAN IPv4 ISP Settings screen (see Step 2) for the corresponding WAN interface; the Status button provides access to the Connection Status screen (see Step 4) for the corresponding WAN interface.

• If the autodetect process senses a connection method that requires input from you, it prompts you for the information. The following table explains the settings that you might have to enter:
Table 2. IPv4 Internet connection methods
Connection Method | Manual Data Input Required
DHCP (Dynamic IP) | No manual data input is required.

Figure 13.
The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection on page 33, or see Troubleshoot the ISP Connection on page 388.
Note: For more information about the Connection Status screen, see View the WAN Port Status on page 374.

The IPv4 WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IPv4 address of the WAN interface.
• Failure Detection Method. The failure detection method that is active for the WAN interface.
Figure 16.
6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table:
Table 3. PPTP and PPPoE settings
Setting | Description
Austria (PPTP) | If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button, and enter the following settings. Note: For login and password information, see Step 3 and Step 4.
  Account Name |
Other (PPPoE) | If you have installed login software, then your connection type is PPPoE. Select this radio button, and enter the following settings. Note: For login and password information, see Step 3 and Step 4.
  Account Name | The valid account name for the PPPoE connection.
  Domain Name | The name of your ISP's domain or your domain name if your ISP has assigned one.

Table 4. Internet IP address settings
Setting | Description
Get Dynamically from ISP | If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the VPN firewall using the DHCP network protocol.

9. Click Apply to save your changes.
10. Click Test to evaluate your entries. The VPN firewall attempts to make a connection according to the settings that you entered.
11. Verify the connection:
a. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup screen displays the IPv4 settings (see Figure 14 on page 33).
b.
Configure Load Balancing or Auto-Rollover
The VPN firewall can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency). If you do not select load balancing, you need to specify one WAN interface as the primary interface.
• Load balancing mode. The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional.

Protocol binding addresses two issues:
• Segregation of traffic between links that are not of the same speed. High-volume traffic can be routed through the WAN port connected to a high-speed link, and low-volume traffic can be routed through the WAN port connected to the low-speed link.
• Continuity of source IP address for secure connections. Without binding, successive sessions from one client can leave through different WAN interfaces and therefore arrive at the server from different public addresses, which breaks services that tie a login session to the client's source address.

connection to the Internet could be made on the WAN3 interface. This load balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions.
3. Click Apply to save your settings.

Configure Protocol Binding (Optional)
To configure protocol binding and add protocol binding rules:
1. Select Network Configuration > Protocol Binding.
2. Select the Load Balancing radio button. The Protocol Bindings screen displays.

Figure 22.
4. Configure the protocol binding settings as explained in the following table:
Table 6. Add Protocol Binding screen settings
Setting | Description
Service | From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Add Customized Services on page 172).
Destination Network | The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the drop-down list:
  Any | All Internet IP addresses.
  Single address | In the Start IP field, enter the IP address to which the rule is applied.
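The selection logic that the load balancing and protocol binding settings above describe, as an added example in Python. This is illustration code, not NETGEAR firmware. Two things are assumptions because the page does not state them: that the "equal distribution" among functional interfaces is a per-session round-robin, and that a session whose bound WAN interface is DOWN falls back to that round-robin rather than being dropped. The rule fields and the sample sessions are constructed.

```python
"""Outbound WAN selection with protocol binding on top of load balancing.

Added illustration, not NETGEAR code. Assumed (not stated on the page): the
non-bound fallback is a per-session round-robin over the WAN interfaces that
are UP, and traffic bound to a WAN interface that is DOWN falls back to that
round-robin instead of being dropped.
"""
import ipaddress
from itertools import cycle
from typing import Optional


class BindingRule:
    """One row of the Protocol Bindings table: service + source + destination -> WAN."""

    def __init__(self, service: str, wan: str,
                 src_net: Optional[str] = None, dst_net: Optional[str] = None):
        self.service = service              # "ANY" matches every service
        self.wan = wan
        # None models the "Any" choice in the Source/Destination Network lists;
        # a /32 models "Single address", a wider prefix models an address range.
        self.src_net = ipaddress.IPv4Network(src_net) if src_net else None
        self.dst_net = ipaddress.IPv4Network(dst_net) if dst_net else None

    def matches(self, service: str, src, dst) -> bool:
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if self.service not in ("ANY", service):
            return False
        if self.src_net is not None and src not in self.src_net:
            return False
        if self.dst_net is not None and dst not in self.dst_net:
            return False
        return True


class LoadBalancer:
    def __init__(self, wans, rules):
        self.status = {w: True for w in wans}   # True == interface is UP
        self.rules = list(rules)                # first matching rule wins
        self._ring = cycle(wans)

    def set_status(self, wan: str, up: bool) -> None:
        self.status[wan] = up

    def _next_up(self) -> str:
        # Walk the ring at most once, skipping interfaces that are DOWN.
        for _ in range(len(self.status)):
            wan = next(self._ring)
            if self.status[wan]:
                return wan
        raise RuntimeError("no WAN interface is UP")

    def select(self, service: str, src: str, dst: str) -> str:
        """Pick the WAN interface for a new outbound session."""
        for rule in self.rules:
            if rule.matches(service, src, dst):
                if self.status[rule.wan]:
                    return rule.wan
                break   # bound interface is DOWN: assumed fallback to round-robin
        return self._next_up()


def demo():
    """Constructed sessions: HTTPS from the LAN to one server is pinned to WAN3
    so the server sees a single source address for the whole login session;
    everything else is spread round-robin over the interfaces that are UP."""
    lb = LoadBalancer(
        ["WAN1", "WAN2", "WAN3", "WAN4"],
        [BindingRule("HTTPS", "WAN3", src_net="192.168.1.0/24", dst_net="203.0.113.5/32")],
    )
    chosen = [
        lb.select("HTTPS", "192.168.1.10", "203.0.113.5"),  # bound -> WAN3
        lb.select("DNS", "192.168.1.10", "198.51.100.1"),   # round-robin -> WAN1
        lb.select("DNS", "192.168.1.11", "198.51.100.1"),   # -> WAN2
    ]
    lb.set_status("WAN3", False)
    chosen.append(lb.select("HTTPS", "192.168.1.10", "203.0.113.5"))  # WAN3 down -> WAN4
    chosen.append(lb.select("DNS", "192.168.1.12", "198.51.100.1"))   # -> WAN1
    return chosen


if __name__ == "__main__":
    print(demo())  # ['WAN3', 'WAN1', 'WAN2', 'WAN4', 'WAN1']
```

The fallback on a DOWN interface is the part to check against the device's actual behaviour before relying on it: if the reason for the binding was source-address continuity, silently moving the session to another WAN address may be worse than failing it.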
Configure the Auto-Rollover Mode and Failure Detection Method
To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.

2. In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Primary WAN Mode radio button.
b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface. The other WAN interfaces become disabled.
c. Select the Auto Rollover check box.
d. From the corresponding drop-down list on the right, select a WAN interface to function as the backup WAN interface.

Table 7. Failure detection method settings
Setting | Description
Failure Detection Method | Select a failure detection method from the drop-down list:
  • WAN DNS. DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure an IPv4 Internet Connection on page 33).
  • Custom DNS. DNS queries are sent to a DNS server that you need to specify in the DNS Server fields.

After you have configured secondary WAN addresses, these addresses are displayed on the following firewall rule screens:
• In the WAN Destination IP Address drop-down lists of the following inbound firewall rule screens:
  - Add LAN WAN Inbound Service screen
  - Add DMZ WAN Inbound Service screen
• In the NAT IP drop-down lists of the following outbound firewall rule screens:
  - Add LAN WAN Outbound Service screen
  - Add DMZ WAN Outbound Service screen

Figure 24.
The List of Secondary WAN addresses table displays the secondary WAN IP addresses added for the selected WAN interface.
4. In the Add WAN Secondary Addresses section of the screen, enter the following settings:
• IP Address. Enter the secondary address that you want to assign to the WAN port.
• Subnet Mask. Enter the subnet mask for the secondary IP address.
domain, and resolves DNS requests for the resulting fully qualified domain name (FQDN) to your frequently changing IP address. After you have configured your account information on the VPN firewall, when your ISP-assigned IP address changes, your VPN firewall automatically contacts your DDNS service provider, logs in to your account, and registers your new IP address.

Figure 25.
3. Click the Information option arrow in the upper right of a DDNS screen for registration information (for example, DynDNS Information).
Figure 26.
4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).

5. Configure the DDNS service settings as explained in the following table:
Table 8. DDNS service settings
Setting | Description
WAN1 (... Status: ...) | Select the Yes radio button to enable the DDNS service. The fields that display on the screen depend on the DDNS service provider that you have selected. Enter the following settings:
  Host and Domain Name | The host and domain name for the DDNS service.
Note: You can configure only one WAN interface for IPv6. This restriction might be lifted in a later release. You can configure the other three WAN interfaces for IPv4.

The nature of your IPv6 network determines how you need to configure the IPv6 Internet connections:
• Native IPv6 network. Your network is a native IPv6 network if the VPN firewall has an IPv6 address and is connected to an IPv6 ISP and if your network consists of IPv6-only devices.

These are the options:
• IPv4-only mode. The VPN firewall communicates only with devices that have IPv4 addresses.
• IPv4/IPv6 mode. The VPN firewall communicates with both devices that have IPv4 addresses and devices that have IPv6 addresses.

Note: IPv6 always functions in classical routing mode between the WAN interface and the LAN interfaces; NAT does not apply to IPv6. Because no address translation takes place, IPv6 LAN hosts use globally routable addresses of their own, and the firewall's inbound rules are the only thing that controls access to them from the Internet.

WARNING: Changing the IP routing mode causes the VPN firewall to reboot.
3. Click Apply to save your changes.

Use a DHCPv6 Server to Configure an IPv6 Internet Connection
The VPN firewall can autoconfigure its ISP settings through a DHCPv6 server by using either stateless or stateful address autoconfiguration:
• Stateless address autoconfiguration.

The IPv6 WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IPv6 address of the WAN interface.
• Action.

6. As an optional step: If you have selected the Stateless Address Auto Configuration radio button, you can select the Prefix Delegation check box:
• Prefix delegation check box is selected. A prefix is assigned by the ISP's stateful DHCPv6 server through prefix delegation, for example, 2001:db8::/64. The VPN firewall's own stateless DHCPv6 server can assign this prefix to its IPv6 LAN clients.
Configure a Static IPv6 Internet Connection
To configure a static IPv6 or PPPoE IPv6 Internet connection, you need to enter the IPv6 address information that you should have received from your ISP.
To configure static IPv6 ISP settings for a WAN interface:
1. Select Network Configuration > WAN Settings > WAN Setup.
2. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings:
Figure 31.

Figure 32.
4. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6.
5. In the Static IP Address section of the screen, enter the settings as explained in the following table. You should have received static IPv6 address information from your IPv6 ISP:
Table 9. WAN ISP IPv6 Settings screen settings for a static IPv6 address
Setting | Description
IPv6 Address | The IP address that your ISP assigned to you.

6. Click Apply to save your changes.
7. Verify the connection:
a. Select Network Configuration > WAN Settings > WAN Setup.
b. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings (see Figure 31 on page 57).
c. In the Action column, click the Status button of the WAN interface for which you want to display the Connection Status pop-up screen.

Configure a PPPoE IPv6 Internet Connection
To configure a PPPoE IPv6 Internet connection, you need to enter the PPPoE IPv6 information that you should have received from your ISP.
To configure PPPoE IPv6 ISP settings for a WAN interface:
1. Select Network Configuration > WAN Settings > WAN Setup.
2. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings:
Figure 34.

Figure 35.
4. In the Internet Address section of the screen, from the IPv6 drop-down list, select PPPoE.
5. In the PPPoE IPv6 section of the screen, enter the settings as explained in the following table. You should have received PPPoE IPv6 information from your ISP:
Table 10. WAN IPv6 ISP Settings screen settings for a PPPoE IPv6 connection
Setting | Description
User Name | The PPPoE user name that is provided by your ISP.
DHCPv6 Option | From the DHCPv6 Option drop-down list, select one of the following DHCPv6 server options, as directed by your ISP:
  • Disable-DHCPv6. DHCPv6 is disabled. You need to specify the DNS servers in the Primary DNS Server and Secondary DNS Server fields in order to receive an IP address from the ISP.
  • DHCPv6 StatelessMode.

Note: If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you need to enter that address on the WAN Advanced Options screen for the corresponding WAN interface (see Configure Advanced WAN Options and Other Tasks on page 67).
Figure 36.
2. Select the Enable Automatic Tunneling check box.
3. Click Apply to save your changes.

Configure ISATAP Automatic Tunneling
If your network is an IPv4 network or an IPv6 network that consists of both IPv4 and IPv6 devices, you need to make sure that the IPv6 packets can travel over the IPv4 intranet by enabling and configuring Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling.

To configure an ISATAP tunnel:
1. Select Network Configuration > WAN Settings > ISATAP Tunnels. The ISATAP Tunnels screen displays. (The following figure shows some examples.)
Figure 37.
2. Click the Add table button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays:
Figure 38.
3. Specify the tunnel settings as explained in the following table.
Table 11.

To edit an ISATAP tunnel:
1. On the ISATAP Tunnels screen, click the Edit button in the Action column for the tunnel that you want to modify. The Edit ISATAP Tunnel screen displays. This screen is identical to the Add ISATAP Tunnel screen.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To delete one or more tunnels:
1.

SIIT functions with IPv4-translated addresses, which are addresses in the 0::ffff:0:0:0/96 prefix that represent IPv6-enabled devices. You substitute an IPv4 address in the format a.b.c.d for the low 32 bits of the IPv6 address, so that the IPv4-translated address becomes 0::ffff:0:a.b.c.d. For SIIT to function, the routing mode needs to be IPv4 / IPv6. NETGEAR's implementation of SIIT lets you enter a single IPv4 address on the SIIT screen.
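The address arithmetic behind the three transition mechanisms above (the 6to4 prefix, the ISATAP interface identifier, and the SIIT IPv4-translated address), as an added example in Python; this is illustration code, not NETGEAR firmware. The IPv4 and IPv6 addresses used are constructed. The example also demonstrates a distinction that matters when you write firewall rules for SIIT traffic: the IPv4-translated prefix ::ffff:0:0:0/96 is not the IPv4-mapped prefix ::ffff:0:0/96, and the Python standard library (like many address-matching tools) does not treat the former as carrying an IPv4 address.

```python
"""IPv6 transition addressing used by the 6to4, ISATAP and SIIT screens.

Added illustration, not NETGEAR code. All addresses below are constructed.
"""
import ipaddress

IPV4_TRANSLATED = ipaddress.IPv6Network("::ffff:0:0:0/96")   # SIIT, RFC 2765
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")         # RFC 4291
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")             # RFC 3056
_NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def is_public_ipv4(v4: str) -> bool:
    """Rough check for the 'publicly routable' requirement: a 6to4 prefix
    derived from a private or carrier-NAT address can never be reached."""
    a = ipaddress.IPv4Address(v4)
    return not any(a in n for n in _NOT_ROUTABLE)


def six_to_four_prefix(v4: str) -> ipaddress.IPv6Network:
    """2002:V4ADDR::/48, the site prefix that 6to4 derives from the WAN address."""
    if not is_public_ipv4(v4):
        raise ValueError(f"6to4 needs a public IPv4 address, got {v4}")
    n = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(f"2002:{n >> 16:04x}:{n & 0xffff:04x}::/48")


def isatap_address(prefix: str, v4: str) -> ipaddress.IPv6Address:
    """ISATAP interface identifier ::0:5efe:a.b.c.d appended to a /64 prefix;
    for a public IPv4 address the u/l bit is set, giving ::200:5efe:a.b.c.d."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 subnet prefix")
    iid = (0x5efe << 32) | int(ipaddress.IPv4Address(v4))
    if is_public_ipv4(v4):
        iid |= 0x0200 << 48          # 'universal' bit of the modified EUI-64
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def ipv4_translated(v4: str) -> ipaddress.IPv6Address:
    """The SIIT form of an IPv4 address: 0::ffff:0:a.b.c.d."""
    return ipaddress.IPv6Address(f"::ffff:0:{v4}")


def embedded_ipv4(a: ipaddress.IPv6Address) -> str:
    """Recover a.b.c.d from an IPv4-translated or an IPv4-mapped address."""
    if a not in IPV4_TRANSLATED and a not in IPV4_MAPPED:
        raise ValueError(f"{a} carries no embedded IPv4 address")
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))


def classify(a: str) -> str:
    """Which transition form an IPv6 address is in, for rule matching."""
    addr = ipaddress.IPv6Address(a)
    if addr in IPV4_TRANSLATED:
        return "ipv4-translated"
    if addr in IPV4_MAPPED:
        return "ipv4-mapped"
    if addr in SIX_TO_FOUR:
        return "6to4"
    return "native"


if __name__ == "__main__":
    print(six_to_four_prefix("203.0.113.9"))                   # 2002:cb00:7109::/48
    print(isatap_address("2001:db8:1::/64", "192.168.1.10"))   # 2001:db8:1::5efe:c0a8:10a
    t = ipv4_translated("203.0.113.9")
    print(t.exploded, classify(str(t)), embedded_ipv4(t))
    # Python's IPv6Address.ipv4_mapped is None for a translated address: a rule
    # that matches on "IPv4-mapped" will silently miss SIIT traffic.
    print(t.ipv4_mapped)                                       # None
```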
To configure advanced WAN options:
1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the IPv4 settings:
Figure 41.
2. Click the Edit table button in the Action column of the WAN interface for which you want to configure the advanced WAN options. The WAN IPv4 ISP Settings screen displays.

3. Click the Advanced option arrow in the upper right of the screen. The WAN Advanced Options screen displays for the WAN interface that you selected. (The following figure shows the WAN2 Advanced Options screen as an example.)
Figure 43.
4. Enter the settings as explained in the following table:
Table 12. WAN Advanced Options screen settings
Setting | Description
Speed | In most cases, the VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed. If you know the Ethernet port speed of the modem, dish, or router, select it from the drop-down list.
Failure Detection Method | Select a failure detection method from the drop-down list:
  • WAN DNS. DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure an IPv4 Internet Connection on page 33).
  • Custom DNS.
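What the WAN DNS / Custom DNS failure detection method in Table 7 and Table 12 does, and how its verdicts drive auto-rollover between a primary and a backup WAN interface, as an added example in Python. This is illustration code, not NETGEAR firmware. The page only says that a DNS query (or a ping) is used as the probe and that the backup carries traffic while the primary is down; the two thresholds (consecutive failures before DOWN, consecutive successes before UP), the immediate return to the primary when it recovers, and the probe log are assumptions and constructed data.

```python
"""Failure detection and auto-rollover, as an added illustration (not NETGEAR
code). Thresholds, return-to-primary behaviour and the probe packet format
are assumptions; the page only names the DNS query / ping probe and the
primary/backup roles.
"""
import random
import struct


class FailureDetector:
    """Counts consecutive probe results for one WAN interface."""

    def __init__(self, failover_after: int = 3, recover_after: int = 2):
        self.failover_after = failover_after   # failed probes before DOWN (assumed)
        self.recover_after = recover_after     # good probes before UP again (assumed)
        self.up = True
        self._fails = 0
        self._oks = 0

    def observe(self, probe_ok: bool) -> bool:
        if probe_ok:
            self._fails, self._oks = 0, self._oks + 1
            if not self.up and self._oks >= self.recover_after:
                self.up = True
        else:
            self._oks, self._fails = 0, self._fails + 1
            if self.up and self._fails >= self.failover_after:
                self.up = False
        return self.up


class AutoRollover:
    """Primary WAN mode with Auto Rollover: the backup is used only while the
    primary is DOWN, and traffic returns to the primary once it recovers."""

    def __init__(self, primary: str, backup: str, **thresholds):
        self.primary, self.backup = primary, backup
        self.detectors = {primary: FailureDetector(**thresholds),
                          backup: FailureDetector(**thresholds)}

    def probe(self, wan: str, probe_ok: bool) -> None:
        self.detectors[wan].observe(probe_ok)

    def active_wan(self):
        if self.detectors[self.primary].up:
            return self.primary
        if self.detectors[self.backup].up:
            return self.backup
        return None   # both links failed detection


def build_dns_query(name: str, txid=None, qtype: int = 1) -> bytes:
    """Minimal recursive A query, the kind of packet the WAN DNS / Custom DNS
    method sends to its probe target (DNS wire format, RFC 1035)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)          # class IN


def dns_probe_ok(query: bytes, response: bytes) -> bool:
    """A probe succeeds only on a real answer: QR=1 and the transaction ID of
    our query. A timeout (no bytes), garbage, or a stale reply with another ID
    is a failure. Any RCODE is accepted, since even NXDOMAIN proves that the
    path to the DNS server works."""
    if len(response) < 12:
        return False
    rid, flags = struct.unpack("!HH", response[:4])
    return rid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)


def run_probe_log(log, **thresholds):
    """log: constructed (wan, probe_ok) pairs in time order. Returns the active
    WAN after each probe, which is what a rollover log would show."""
    ro = AutoRollover("WAN1", "WAN2", **thresholds)
    out = []
    for wan, ok in log:
        ro.probe(wan, ok)
        out.append(ro.active_wan())
    return out


if __name__ == "__main__":
    log = [("WAN1", False), ("WAN1", False), ("WAN1", False),   # constructed
           ("WAN2", True), ("WAN1", True), ("WAN1", True)]
    print(run_probe_log(log, failover_after=3, recover_after=2))
    # ['WAN1', 'WAN1', 'WAN2', 'WAN2', 'WAN2', 'WAN1']
```

Two practical points follow from the probe function: a DNS server that answers with NXDOMAIN or REFUSED still proves the link, so the probe name does not have to resolve; and if you choose Custom DNS, pick a server that is reached only through that WAN interface, otherwise the probe measures a different path than the one it is supposed to watch.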
If you want to configure the advanced settings for an additional WAN interface, select another WAN interface and repeat these steps.

Configure WAN QoS Profiles
The VPN firewall can support multiple Quality of Service (QoS) profiles for each WAN interface. You can assign profiles to services such as HTTP, FTP, and DNS and to LAN groups or IP addresses. Profiles enforce either rate control with bandwidth allocation or priority queue control.
Figure 44.
2. To enable QoS, select the Yes radio button. By default, the No radio button is selected.
3. Specify the profile type that should be active by selecting one of the following radio buttons:
• Rate control. All rate control QoS profiles that you configure are active, but priority QoS profiles are not.
• Priority. All priority QoS profiles that you configure are active, but rate control QoS profiles are not.

Figure 45.
3. Enter the settings as explained in the following table:
Table 13. Add QoS screen settings for a rate control profile
Setting | Description
QoS Type | Rate Control (for Priority, see Figure 46 on page 76 and Table 14 on page 76).
Interface | From the drop-down list, select one of the WAN interfaces.
Service | From the drop-down list, select a service or application to be covered by this profile.
Congestion Priority | From the drop-down list, select the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall:
  • Default. Traffic is mapped based on the ToS field in the packet's IP header.
  • High.
Inbound Maximum Bandwidth | Enter the inbound maximum bandwidth in Kbps that is allocated to the host.
Diffserv QoS Remark | Enter a DSCP value in the range of 0 through 63. Packets are marked with this value. Leave this field blank to disable packet marking.
4. Click Apply to save your settings.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 14. Add QoS screen settings for a priority profile (continued) Setting Description Service From the drop-down list, select a service or application to be covered by this profile. If the service or application does not appear in the list, you need to define it using the Services screen (see Add Customized Services on page 172). Direction From the drop-down list, select the direction to which the priority queue is applied: • Outbound Traffic.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 To edit a QoS profile: 1. In the List of QoS Profiles table, click the Edit table button to the right of the profile that you want to edit. The Edit QoS screen displays. This screen shows the same fields as the Add QoS screen (see the previous two figures). 2. Modify the settings as explained in the previous two tables. 3. Click Apply to save your settings. To delete a QoS profile: 1.
3. LAN Configuration 3 This chapter describes how to configure the LAN features of your VPN firewall.
a single VLAN, they can share resources and bandwidth as if they were connected to the same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, depending on how the IT manager has set up the VLANs.
VLANs have a number of advantages:
• It is easy to set up network segmentation.
packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged. All other packets are tagged according to the VLAN ID that you assigned to the VLAN when you created the VLAN profile.
For each VLAN profile, the following fields display in the VLAN Profiles table:
• Check box. Allows you to select the VLAN profile in the table.
• Status icon. Indicates the status of the VLAN profile:
- Green circle. The VLAN profile is enabled.
- Gray circle. The VLAN profile is disabled.
• Profile Name. The unique name assigned to the VLAN profile.
• VLAN ID. The unique ID (or tag) assigned to the VLAN profile.
• Subnet IP.
DHCP Relay
DHCP relay options allow you to make the VPN firewall a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP relay agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet.
Figure 48.
2. Click the Add table button under the VLAN Profiles table. The Add VLAN Profile screen displays:
Figure 49.
3. Enter the settings as explained in the following table:
Table 15. Add VLAN Profile screen settings
VLAN Profile
Profile Name: Enter a unique name for the VLAN profile.
VLAN ID: Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number.
Note: You can enter VLAN IDs from 2 to 4089. VLAN ID 1 is reserved for the default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
Enable DHCP Server: Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. (For the default VLAN, the DHCP server is enabled by default.) Enter the following settings:
Domain Name: This setting is optional.
DHCP Relay
Enable LDAP information: To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings.
LDAP Server: The IP address or name of the LDAP server.
Search Base: The search objects that specify the location in the directory tree from which the LDAP search begins.
To edit a VLAN profile:
1. On the LAN Setup screen for IPv4 (see Figure 48 on page 84), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays. This screen is identical to the Add VLAN Profile screen (see Figure 49 on page 84).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
Figure 50.
3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.)
4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by default for the default VLAN.)
5. Click Apply to save your settings.
The following is an example of correctly configured IPv4 addresses:
• WAN IP address. 10.0.0.1 with subnet 255.0.0.0
• DMZ IP address. 176.16.2.1 with subnet 255.255.255.0
• Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0
• Secondary LAN IP address. 192.168.20.1 with subnet 255.255.255.0
To add a secondary LAN IPv4 address:
1. Select Network Configuration > LAN Settings > LAN Multi-homing.
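What makes the address set above "correctly configured" is that every interface sits in its own subnet. The following check, added here as an example and not NETGEAR code, verifies that for the manual's example set and for a constructed set in which the secondary LAN address lands inside the primary LAN subnet.

```python
"""Consistency check for the IPv4 addresses entered on the WAN, DMZ and
LAN Multi-homing screens: every interface must occupy its own subnet.

Added example, not NETGEAR code. MANUAL_EXAMPLE is the manual's own set of
correctly configured addresses; OVERLAPPING_EXAMPLE is constructed to show
a secondary LAN address placed inside the primary LAN subnet.
"""
from ipaddress import IPv4Interface
from itertools import combinations
from typing import Dict, List, Tuple

# Interface name -> "address/netmask", as typed into the screens.
MANUAL_EXAMPLE: Dict[str, str] = {
    "WAN": "10.0.0.1/255.0.0.0",
    "DMZ": "176.16.2.1/255.255.255.0",
    "Primary LAN": "192.168.1.1/255.255.255.0",
    "Secondary LAN": "192.168.20.1/255.255.255.0",
}

# Constructed misconfiguration: 192.168.1.128/25 lies inside 192.168.1.0/24.
OVERLAPPING_EXAMPLE: Dict[str, str] = {
    "WAN": "10.0.0.1/255.0.0.0",
    "DMZ": "176.16.2.1/255.255.255.0",
    "Primary LAN": "192.168.1.1/255.255.255.0",
    "Secondary LAN": "192.168.1.129/255.255.255.128",
}


def find_overlaps(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of interface names whose subnets overlap.

    With an overlap the firewall cannot tell which port owns a destination,
    so routing and any rule keyed on LAN or DMZ addresses become ambiguous.
    """
    nets = {name: IPv4Interface(spec).network for name, spec in interfaces.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def unusable_host_addresses(interfaces: Dict[str, str]) -> List[str]:
    """Interface names whose address is the network or broadcast address of
    its own subnet, which is not a valid address for the port itself."""
    bad = []
    for name, spec in interfaces.items():
        iface = IPv4Interface(spec)
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            bad.append(name)
    return sorted(bad)


def is_consistent(interfaces: Dict[str, str]) -> bool:
    """True when no subnet overlaps another and every address is a host address."""
    return not find_overlaps(interfaces) and not unusable_host_addresses(interfaces)


if __name__ == "__main__":
    for label, cfg in (("manual example", MANUAL_EXAMPLE),
                       ("constructed overlap", OVERLAPPING_EXAMPLE)):
        print(f"{label}: overlaps={find_overlaps(cfg)} consistent={is_consistent(cfg)}")
```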
To edit a secondary LAN IP address:
1. On the LAN Multi-homing screen for IPv4 (see the previous figure), click the Edit button in the Action column for the secondary IP address that you want to modify. The Edit LAN Multi-homing screen displays.
2. Modify the IP address or subnet mask, or both.
3. Click Apply to save your settings.
To delete one or more secondary LAN IP addresses:
1.
These are some advantages of the network database:
• Generally, you do not need to enter an IP address or a MAC address. Instead, you can select the name of the desired computer or device.
• There is no need to reserve an IP address for a computer in the DHCP server.
Figure 52.
The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display:
• Check box. Allows you to select the computer or device in the table.
• Name. The name of the computer or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name).
Add Computers or Devices to the Network Database
To add computers or devices manually to the network database:
1. In the Add Known PCs and Devices section of the LAN Groups screen (see the previous figure), enter the settings as explained in the following table:
Table 16. Add Known PCs and Devices section settings
Name: Enter the name of the computer or device.
Edit Computers or Devices in the Network Database
To edit computers or devices manually in the network database:
1. In the Known PCs and Devices table of the LAN Groups screen (see Figure 52 on page 93), click the Edit table button of a table entry. The Edit LAN Groups screen displays (see the following figure, which contains an example).
Figure 53.
2. Modify the settings as explained in Table 16 on page 94.
3.
To edit the name of one of the eight available groups:
1. Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays (see Figure 52 on page 93, which shows some examples in the Known PCs and Devices table).
2. Click the Edit Group Names option arrow to the right of the LAN submenu tabs. The Network Database Group Names screen displays. (The following figure shows some examples.)
Figure 54.
3.
Note: The reserved address is not assigned until the next time the computer or device contacts the VPN firewall’s DHCP server. Reboot the computer or device, or access its IP configuration and force a DHCP release and renew.
Note: The saved binding is also displayed on the IP/MAC Binding screen (see Figure 112 on page 188).
DHCPv6 Server Options
The IPv6 clients in the LAN can autoconfigure their own IPv6 address or obtain an IPv6 address through a DHCPv6 server. For the LAN, there are three DHCPv6 options:
Stateless DHCPv6 Server: The IPv6 clients in the LAN generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCPv6 server.
Stateful DHCPv6 Server: The IPv6 clients in the LAN obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server. The IP address is a dynamic address. For stateful DHCPv6, you need to configure IPv6 address pools (see IPv6 LAN Address Pools on page 101).
Configure the IPv6 LAN
To configure the IPv6 LAN settings:
1. Select Network Configuration > LAN Settings.
2.
3. Enter the settings as explained in the following table. The IPv6 address pools and prefixes for prefix delegation are explained in the sections following the table.
Table 17. LAN Setup screen settings for IPv6
IPv6 LAN Setup
IPv6 Address: Enter the LAN IPv6 address. The default address is fec0::1. (For more information, see the introduction to this section, Manage the IPv6 LAN.
DHCP Status
Server Preference: Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting. This is an optional setting that specifies the server’s preference value in a server advertise message. The client selects the server with the highest preference value as the preferred server.
Figure 56.
2. Enter the settings as explained in the following table:
Table 18. LAN IPv6 Config screen settings
Start IPv6 Address: Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the LAN is assigned an IP address between this address and the end IP address.
End IPv6 Address: Enter the end IP address.
IPv6 LAN Prefixes for Prefix Delegation
If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation check box (both on the ISP IPv6 WAN Settings screen and on the LAN Setup screen for IPv6), a prefix delegation pool is automatically added to the List of Prefixes for Prefix Delegation table.
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN
Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Daemon (RADVD) and advertisement prefixes.
The RADVD is an application that uses the Neighbor Discovery Protocol (NDP) to collect link-local advertisements of IPv6 addresses and IPv6 prefixes in the LAN.
To configure the Router Advertisement Daemon for the LAN:
1. Select Network Configuration > LAN Settings.
2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings (see Figure 55 on page 99).
3. To the right of the LAN Setup tab, click the RADVD option arrow. The RADVD screen for the LAN displays. (The following figure contains some examples.)
Figure 58.
4.
Table 20. RADVD screen settings for the LAN (continued)
RA Flags: Specify what type of information the DHCPv6 server provides in the LAN by making a selection from the drop-down list:
• Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
• Other.
Figure 59.
2. Enter the settings as explained in the following table:
Table 21. Add Advertise Prefixes screen settings for the LAN
IPv6 Prefix Type: Specify the IPv6 prefix type by making a selection from the drop-down list:
• 6to4. The prefix is for a 6to4 address. You need to select a WAN interface from the 6to4 Interface drop-down list, and complete the SLA ID field and Prefix Lifetime field. The other fields are masked out.
3. Click Apply to save your settings.
To delete one or more advertisement prefixes:
1. On the RADVD screen for the LAN (see Figure 58 on page 105), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
2. Click the Delete table button.
3. In the Add Secondary LAN IP Address section of the screen, enter the following settings:
• IPv6 Address. Enter the secondary address that you want to assign to the LAN ports.
• Prefix Length. Enter the prefix length for the secondary IP address.
4. Click the Add table button in the rightmost column to add the secondary IP address to the Available Secondary LAN IPs table.
By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT.
Figure 61.
2. Enter the settings as explained in the following table:
Table 22. DMZ Setup screen settings for IPv4
DMZ Port Setup
Do you want to enable DMZ Port? Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields.
• No. Allows you to disable the DMZ port after you have configured it.
IP Address: Enter the IP address of the DMZ port.
DHCP for DMZ Connected Computers
Disable DHCP Server: If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting.
Enable LDAP information: To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings.
LDAP Server: The IP address or name of the LDAP server.
Search Base: The search objects that specify the location in the directory tree from which the LDAP search begins.
• Stateful DHCPv6 server. The IPv6 clients in the DMZ obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server. The IP address is a dynamic address. For stateful DHCPv6, you need to configure IPv6 address pools (see IPv6 DMZ Address Pools on page 116).
To enable and configure the DMZ port for IPv6 traffic:
1. Select Network Configuration > DMZ Setup.
2.
3. Enter the settings as explained in the following table:
Table 23. DMZ Setup screen settings for IPv6
DMZ Port Setup
Do you want to enable DMZ Port? Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields.
• No. Allows you to disable the DMZ port after you have configured it.
IPv6 Address: Enter the IP address of the DMZ port.
DHCP Status
DNS Server: Select one of the DNS server options from the drop-down lists:
• Use DNS Proxy. The VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers that you configured on the WAN IPv6 ISP Settings screen (see Configure a Static IPv6 Internet Connection on page 57).
• Use DNS from ISP.
2. Enter the settings as explained in the following table:
Table 24. DMZ IPv6 Config screen settings
Start IPv6 Address: Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the DMZ is assigned an IP address between this address and the end IP address.
End IPv6 Address: Enter the end IP address.
Hosts and routers in the LAN use NDP to determine the link-layer addresses and related information of neighbors in the LAN that can forward packets on their behalf. The VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ. RAs include IPv6 addresses, types of prefixes, prefix addresses, prefix lifetimes, the maximum transmission unit (MTU), and so on.
Figure 64.
4. Enter the settings as explained in the following table:
Table 26. RADVD screen settings for the DMZ
RADVD Status: Specify the RADVD status by making a selection from the drop-down list:
• Enable. The RADVD is enabled, and the RADVD fields become available for you to configure.
• Disable. The RADVD is disabled, and the RADVD fields are masked out. This is the default setting.
RA Flags: Specify what type of information the DHCPv6 server provides in the DMZ by making a selection from the drop-down list:
• Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
• Other.
Figure 65.
2. Enter the settings as explained in the following table:
Table 27. Add Advertisement Prefix screen settings for the DMZ
IPv6 Prefix Type: Specify the IPv6 prefix type by making a selection from the drop-down list:
• 6to4. The prefix is for a 6to4 address. You need to select a WAN interface from the 6to4 Interface drop-down list, and complete the SLA ID field and Prefix Lifetime field. The other fields are masked out.
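The 6to4 prefix type in Table 21 (LAN) and Table 27 (DMZ) asks only for a WAN interface and an SLA ID; the prefix that RADVD then advertises is derived from the WAN IPv4 address by RFC 3056. The code below, added here as an example and not NETGEAR code, computes that prefix, checks that the WAN address is one 6to4 can work from, and maps a 6to4 address seen in a log back to its WAN endpoint. The WAN address 192.0.2.1 is a constructed RFC 5737 documentation value.

```python
"""What the 6to4 prefix type on the Add Advertisement Prefix screen produces.

Added example, not NETGEAR code. Per RFC 3056 a 6to4 site owns
2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the WAN IPv4 address W.X.Y.Z in hex,
and the 16-bit SLA ID selects the /64 advertised into the LAN or DMZ.
"""
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

SIXTO4_BLOCK = IPv6Network("2002::/16")

# A 6to4 relay on the Internet must be able to reach the WAN address directly.
# A private, loopback, link-local or multicast WAN address (the usual case behind
# an upstream NAT) yields a prefix that nothing on the IPv6 Internet can route back to.
_NOT_ROUTABLE = [IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_sixto4_capable(wan_ipv4: str) -> bool:
    """True if the WAN address can serve as a 6to4 tunnel endpoint."""
    addr = IPv4Address(wan_ipv4)
    return not any(addr in net for net in _NOT_ROUTABLE)


def sixto4_site_prefix(wan_ipv4: str) -> IPv6Network:
    """The /48 derived from the selected WAN interface address."""
    if not is_sixto4_capable(wan_ipv4):
        raise ValueError(f"{wan_ipv4} is not a globally routable WAN address")
    v4 = int(IPv4Address(wan_ipv4))
    return IPv6Network(f"2002:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/48")


def sixto4_advertised_prefix(wan_ipv4: str, sla_id: int) -> IPv6Network:
    """The /64 RADVD advertises: the site /48 with the SLA ID as fourth hextet."""
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID must be between 0 and 65535")
    site = sixto4_site_prefix(wan_ipv4)
    return IPv6Network((int(site.network_address) | (sla_id << 64), 64))


def embedded_wan_ipv4(addr: str) -> IPv4Address:
    """Recover the WAN IPv4 endpoint embedded in any 6to4 address.

    Handy when reviewing logs: a 2002::/16 source maps back to the IPv4
    site that originated it, which is what you actually need to block or report.
    """
    a = IPv6Address(addr)
    if a not in SIXTO4_BLOCK:
        raise ValueError(f"{addr} is not a 6to4 address")
    return IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    prefix = sixto4_advertised_prefix("192.0.2.1", 1)
    print(prefix, "->", embedded_wan_ipv4(str(prefix.network_address)))
```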
3. Click Apply to save your settings.
To delete one or more advertisement prefixes:
1. On the RADVD screen for the DMZ (see Figure 64 on page 119), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
2. Click the Delete table button.
Figure 66.
2. Click the Add table button under the Static Routes table. The Add Static Route screen displays:
Figure 67.
3. Enter the settings as explained in the following table:
Table 28. Add Static Route screen settings for IPv4
Route Name: The route name for the static route (for purposes of identification and management).
Active: To make the static route effective, select the Active check box.
Gateway IP Address: The gateway IP address through which the destination host or network can be reached.
Metric: The priority of the route. Select a value between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is used.
4. Click Apply to save your settings. The new static route is added to the Static Routes table.
Figure 68.
3. Enter the settings as explained in the following table:
Table 29. RIP Configuration screen settings
RIP
RIP Direction: From the RIP Direction drop-down list, select the direction in which the VPN firewall sends and receives RIP packets:
• None. The VPN firewall neither advertises its route table, nor accepts any RIP packets from other routers. This effectively disables RIP, and is the default setting.
• In Only.
RIP Version: By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version:
• RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version.
• RIP-2. Routing that supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format:
- RIP-2B.
IPv4 Static Route Example
In this example, we assume the following:
• The VPN firewall’s primary Internet access is through a cable modem to an ISP.
• The VPN firewall is on a local LAN with IP address 192.168.1.100.
• The VPN firewall connects to a remote network where you need to access a device.
• The LAN IP address of the remote network is 134.177.0.0.
Figure 69.
3. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing screen displays:
Figure 70.
4. Enter the settings as explained in the following table:
Table 30. Add IPv6 Static Routing screen settings
Route Name: The route name for the static route (for purposes of identification and management).
Active: To make the static route effective, select the Active check box.
IPv6 Gateway: The gateway IPv6 address through which the destination host or network can be reached.
Metric: The priority of the route. Select a value between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is used.
5. Click Apply to save your settings. The new static route is added to the List of IPv6 Static Routes table.
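Tables 28 and 30 both state the same selection rule: only active routes count, the metric is 2 to 15, and the lowest metric wins among routes to the same destination. The model below, added here as an example and not NETGEAR code, applies that rule to a constructed IPv4 and IPv6 route table; longest prefix match between routes to different destinations is standard router behaviour and is assumed here, as is the /16 on the remote network 134.177.0.0 from the example above.

```python
"""Route selection among the static routes entered on the Add Static Route
(IPv4) and Add IPv6 Static Routing screens.

Added example, not NETGEAR code. It enforces the screens' constraints (the
Active check box, a metric between 2 and 15) and the rule in the tables:
lowest metric wins among routes to the same destination. Longest prefix
match is assumed as the tie-break between different destinations.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class StaticRoute:
    route_name: str
    destination: str      # destination network in CIDR form, IPv4 or IPv6
    gateway: str          # Gateway IP Address (IPv4) or IPv6 Gateway
    metric: int           # 2..15 as on the screens
    active: bool = True   # the Active check box

    def __post_init__(self) -> None:
        if not 2 <= self.metric <= 15:
            raise ValueError(f"{self.route_name}: metric must be between 2 and 15")
        if ip_network(self.destination).version != ip_address(self.gateway).version:
            raise ValueError(f"{self.route_name}: gateway and destination differ in IP version")


def matching_routes(routes: Sequence[StaticRoute], dest_ip: str) -> List[StaticRoute]:
    """Active routes whose destination network contains dest_ip, in table order."""
    dst = ip_address(dest_ip)
    return [r for r in routes
            if r.active
            and ip_network(r.destination).version == dst.version
            and dst in ip_network(r.destination)]


def select_route(routes: Sequence[StaticRoute], dest_ip: str) -> Optional[StaticRoute]:
    """Most specific active route, lowest metric among equally specific ones.

    Returns None when no static route applies; the packet then follows the
    default route through the WAN interface.
    """
    candidates = matching_routes(routes, dest_ip)
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.destination).prefixlen, r.metric))


# Constructed route table. Gateways are assumed hosts on the primary LAN.
ROUTES = [
    StaticRoute("remote-alt", "134.177.0.0/16", "192.168.1.254", metric=5),
    StaticRoute("remote-main", "134.177.0.0/16", "192.168.1.253", metric=2),
    StaticRoute("remote-lab", "134.177.10.0/24", "192.168.1.252", metric=10),
    StaticRoute("remote-old", "134.177.10.0/24", "192.168.1.251", metric=3, active=False),
    StaticRoute("branch-v6", "2001:db8:1::/48", "fe80::1", metric=4),
]

if __name__ == "__main__":
    for target in ("134.177.10.7", "134.177.20.1", "198.51.100.1", "2001:db8:1::10"):
        chosen = select_route(ROUTES, target)
        print(target, "->", chosen.route_name if chosen else "default route")
```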
4. Firewall Protection
This chapter describes how to use the firewall features of the VPN firewall to protect your network.
incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT. For IPv6, which in itself provides stronger security than IPv4, a firewall in particular controls the exchange of traffic between the Internet, DMZ, and LAN.
Administrator Tips
Consider the following operational items:
1.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the VPN firewall are:
• Inbound. Block all access from outside except responses to requests from the LAN side.
• Outbound. Allow all access from the LAN side to the outside.
The firewall rules for blocking and allowing traffic on the VPN firewall can be applied to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic.
Table 31.
Outbound Rules (Service Blocking)
The VPN firewall allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering.
Note: See Enable Source MAC Filtering on page 186 for yet another way to block outbound traffic from selected computers that would otherwise be allowed by the firewall.
Table 32. Outbound rules overview (continued)
LAN Users (LAN WAN rules, LAN DMZ rules): The settings that determine which computers on your network are affected by this rule. The options are:
• Any. All computers and devices on your LAN.
• Single address. Enter the required address in the Start field to apply the rule to a single device on your LAN.
• Address range.
Bandwidth Profile (IPv4 LAN WAN rules): Bandwidth limiting determines how the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. For more information, see Create Bandwidth Profiles on page 176.
Whether or not DHCP is enabled, how the computer accesses the server’s LAN address impacts the inbound rules. For example:
• If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your network (see Configure Dynamic DNS on page 48).
Table 33. Inbound rules overview
Service: The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services screen (see Add Customized Services on page 172).
LAN Users (LAN WAN rules, LAN DMZ rules): These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing, and determine which computers on your network are affected by this rule. The options are:
• Any. All computers and devices on your LAN.
• Single address. Enter the required address in the Start field to apply the rule to a single device on your LAN.
QoS Profile (IPv4 LAN WAN rules, IPv4 DMZ WAN rules): The priority assigned to IP packets of this service. The priorities are defined by Type of Service in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which, in turn, determines the quality of that service for the traffic passing through the firewall.
Figure 71.
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services tables, beginning at the top of each table and proceeding to the bottom of each table. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet.
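The order of precedence described above is first match wins, with the default rules (outbound Allow, inbound Block) applying only when no row matches. The model below, added here as an example and not NETGEAR code, evaluates constructed Outbound Services and Inbound Services tables that way and also reports rules that an earlier, broader rule makes unreachable, which is the usual symptom of a rule placed in the wrong row.

```python
"""First-match evaluation of the Outbound Services and Inbound Services tables.

Added example, not NETGEAR code. Rules are tried top to bottom; the first
rule whose service, LAN users and WAN users all match decides the packet,
and the table's default policy applies only when no rule matches. Rules and
packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Sequence, Tuple

# None = the "Any" choice; (start, end) = "Address range"; (x, x) = "Single address".
AddrSpec = Optional[Tuple[str, str]]


def single(ip: str) -> AddrSpec:
    """The "Single address" choice: start and end are the same host."""
    return (ip, ip)


@dataclass(frozen=True)
class Rule:
    service: str                # "HTTP", "FTP", ... or "ANY" for every service
    action: str                 # "ALLOW" or "BLOCK" (ALLOW always / BLOCK always)
    lan_users: AddrSpec = None
    wan_users: AddrSpec = None


@dataclass(frozen=True)
class Packet:
    service: str
    lan_ip: str
    wan_ip: str


def in_spec(spec: AddrSpec, ip: str) -> bool:
    if spec is None:
        return True
    return IPv4Address(spec[0]) <= IPv4Address(ip) <= IPv4Address(spec[1])


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.service in ("ANY", pkt.service)
            and in_spec(rule.lan_users, pkt.lan_ip)
            and in_spec(rule.wan_users, pkt.wan_ip))


def evaluate(rules: Sequence[Rule], default_action: str, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based row of the deciding rule, or None for the default policy)."""
    for row, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, row
    return default_action, None


def covers(outer: AddrSpec, inner: AddrSpec) -> bool:
    """True if every address selected by inner is also selected by outer."""
    if outer is None:
        return True
    if inner is None:
        return False
    return (IPv4Address(outer[0]) <= IPv4Address(inner[0])
            and IPv4Address(inner[1]) <= IPv4Address(outer[1]))


def shadowed_rules(rules: Sequence[Rule]) -> List[int]:
    """1-based rows that can never fire because an earlier row matches every
    packet they would. Moving such a row up with the Up button, or deleting
    it, makes the table mean what it appears to say."""
    result = []
    for j, later in enumerate(rules):
        if any(earlier.service in ("ANY", later.service)
               and covers(earlier.lan_users, later.lan_users)
               and covers(earlier.wan_users, later.wan_users)
               for earlier in rules[:j]):
            result.append(j + 1)
    return result


# Constructed LAN WAN outbound table: block FTP from a range of workstations,
# allow FTP for everyone else. The default outbound policy is Allow Always.
OUTBOUND = [
    Rule("FTP", "BLOCK", lan_users=("192.168.1.10", "192.168.1.20")),
    Rule("FTP", "ALLOW"),
]
# The same two rules in the other order: the general ALLOW now hides the BLOCK.
OUTBOUND_MISORDERED = list(reversed(OUTBOUND))

# Constructed LAN WAN inbound table: only HTTP is opened; default inbound is Block.
INBOUND = [Rule("HTTP", "ALLOW")]

if __name__ == "__main__":
    pkt = Packet("FTP", "192.168.1.15", "198.51.100.7")
    print(evaluate(OUTBOUND, "ALLOW", pkt), evaluate(OUTBOUND_MISORDERED, "ALLOW", pkt))
    print("shadowed rows:", shadowed_rules(OUTBOUND_MISORDERED))
```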
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 72. 2. From the Default Outbound Policy drop-down list, select Block Always. (By default, Allow Always is selected.) 3. Next to the drop-down list, click the Apply table button. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the table rank.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 73. 3. From the Default Outbound Policy drop-down list, select Block Always. (By default, Allow Always is selected.) 4. Next to the drop-down list, click the Apply table button. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the table rank.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Create LAN WAN Outbound Service Rules You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between an internal IP LAN address and any external WAN IP address according to the schedule created on the Schedule screen.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists: • Select Schedule • QoS Profile • Bandwidth Profile • NAT IP (This drop-down list is available only when the WAN mode is NAT.) 3. Click Apply to save your changes. The new rule is now added to the Outbound Services table. IPv6 LAN WAN Outbound Rules To create a new IPv6 LAN WAN outbound rule: 1.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Create LAN WAN Inbound Service Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked. Remember that allowing inbound services opens potential security holes in your firewall. Enable only those ports that are necessary for your network.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 2. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • WAN Destination IP Address • LAN Users (This drop-down list is available only when the WAN mode is Classical Routing. When the WAN mode is NAT, your network presents only one IP address to the Internet.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 3. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • LAN Users • WAN Users Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list: • Select Schedule 4. Click Apply to save your changes.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 78. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the table rank. • Edit. Allows you to make any changes to the definition of an existing rule.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Figure 79. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the table rank. • Edit. Allows you to make any changes to the definition of an existing rule.
IPv4 DMZ WAN Outbound Service Rules

To create a new IPv4 DMZ WAN outbound rule:
1. In the upper right of the DMZ WAN Rules screen, the IPv4 radio button is selected by default. The screen displays the IPv4 settings (see Figure 78 on page 148). Click the Add table button under the Outbound Services table. The Add DMZ WAN Outbound Service screen for IPv4 displays:
Figure 80.
2. Enter the settings as explained in Table 32 on page 133.

IPv6 DMZ WAN Outbound Service Rules

To create a new IPv6 DMZ WAN outbound rule:
1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 79 on page 149).
2. Click the Add table button under the Outbound Services table. The Add DMZ WAN Outbound Service screen for IPv6 displays:
Figure 81.
3. Enter the settings as explained in Table 32 on page 133.

IPv4 DMZ WAN Inbound Service Rules

To create a new IPv4 DMZ WAN inbound rule:
1. In the upper right of the DMZ WAN Rules screen, the IPv4 radio button is selected by default. The screen displays the IPv4 settings (see Figure 78 on page 148). Click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound Service screen for IPv4 displays:
Figure 82.
2. Enter the settings as explained in Table 33 on page 137.

IPv6 DMZ WAN Inbound Service Rules

To create a new IPv6 DMZ WAN inbound rule:
1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 79 on page 149).
2. Click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound Service screen for IPv6 displays:
Figure 83.
3. Enter the settings as explained in Table 33 on page 137.
There is no drop-down list that lets you set the default outbound policy as there is on the LAN WAN Rules screen. You can change the default outbound policy by allowing all outbound traffic and then blocking specific services from passing through the VPN firewall. You do so by adding outbound service rules (see Create LAN DMZ Outbound Service Rules on page 155).

Figure 85.

To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons:
• Up. Moves the rule up one position in the table rank.
• Down. Moves the rule down one position in the table rank.
• Edit. Allows you to make any changes to the definition of an existing rule.
IPv4 LAN DMZ Outbound Service Rules

To create a new IPv4 LAN DMZ outbound rule:
1. In the upper right of the LAN DMZ Rules screen, the IPv4 radio button is selected by default. The screen displays the IPv4 settings (see Figure 84 on page 154). Click the Add table button under the Outbound Services table. The Add LAN DMZ Outbound Service screen for IPv4 displays:
Figure 86.
2. Enter the settings as explained in Table 32 on page 133.

Figure 87.
3. Enter the settings as explained in Table 32 on page 133. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• LAN Users
• DMZ Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list:
• Select Schedule
4. Click Apply.

Figure 88.
2. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• LAN Users
• DMZ Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list:
• Select Schedule
3. Click Apply to save your changes.

Figure 89.
3. Enter the settings as explained in Table 33 on page 137. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• LAN Users
• DMZ Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list:
• Select Schedule
4. Click Apply to save your changes.
Figure 90.

IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see the following figure). In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.

Figure 91.

IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping

In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the VPN firewall to host an additional public IP address and associate this address with a web server on the LAN. The following addressing scheme is used to illustrate this procedure:
• NETGEAR VPN firewall:
- WAN IP address. 10.1.0.
Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN computers through NAT. The other addresses are available to map to your servers.

To configure the VPN firewall for additional IP addresses:
1.

this address on the WAN2 Secondary Addresses screen (see Configure Secondary WAN Addresses on page 46) before you can select it from the WAN Destination IP Address drop-down list.
8. Click Apply to save your settings. The rule is now added to the Inbound Services table of the LAN WAN Rules screen.

WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
Figure 95.

IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet

If you want to allow a group of DMZ users to access a particular FTP site on the Internet during working hours, you can create an outbound rule to allow such traffic by specifying the IPv6 DMZ start and finish addresses and the IPv6 WAN address. On the Schedule screen, create a schedule that specifies working hours, and assign it to the rule.
Configure Other Firewall Features

• Attack Checks
• Set Limits for IPv4 Sessions
• Manage the Application Level Gateway for SIP Sessions

You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions.

Attack Checks

The Attack Checks screen allows you to specify whether the VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.

2. Enter the settings as explained in the following table:

Table 34. Attack Checks screen settings for IPv4
Setting: Description
WAN Security Checks
Respond to Ping on Internet Ports: Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet to its IPv4 address. A ping can be used as a diagnostic tool.

Table 34. Attack Checks screen settings for IPv4 (continued)
Setting: Description
VPN Pass through (IPSec, PPTP, L2TP): When the VPN firewall functions in NAT mode, all packets going to the remote VPN gateway are first filtered through NAT and then encrypted according to the VPN policy.
address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet.
• IPsec. Select the IPsec check box to enable IPSec VPN traffic that is initiated from the LAN to reach the WAN, irrespective of the default firewall outbound policy and custom firewall rules.
4. Click Apply to save your settings.

3. Enter the settings as explained in the following table:

Table 35. Session Limit screen settings
Setting: Description
Session Limit
Session Limit Control: From the drop-down list, select one of the following options:
• When single IP exceeds. When the limit is reached, no new session is allowed from the IP address. A new session is allowed only when an existing session is terminated or times out.
• Single IP Cannot Exceed.
Manage the Application Level Gateway for SIP Sessions

The application level gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients. SIP support for the ALG, which is an IPv4 feature, is disabled by default.

To enable ALG for SIP:
1. Select Security > Firewall > Advanced. The Advanced screen displays:
Figure 100.

Note: A schedule narrows down the period during which a firewall rule is applied. For information about specifying schedules, see Set a Schedule to Block or Allow Specific Traffic on page 185.

Add Customized Services

Services are functions performed by server computers at the request of client computers. You can configure up to 124 custom services.
Figure 101.
2. In the Add Custom Service section of the screen, enter the settings as explained in the following table:

Table 36. Services screen settings
Setting: Description
Name: A descriptive name of the service for identification and management purposes.
Figure 102.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified service is displayed in the Custom Services table.

To delete one or more services:
1. In the Custom Services table, select the check box to the left of each service that you want to delete, or click the Select All table button to select all services.
2. Click the Delete table button.

2. In the Add New Custom IP Group section of the screen, do the following:
• In the IP Group Name field, enter a name for the group.
• From the IP Group Type drop-down list, select LAN Group or WAN Group.
3. Click Apply to save your changes. The new IP group is displayed in the Custom IP Groups Table.
4. In the Custom IP Groups Table, click the Edit table button to the right of the IP group that you just created. The Edit IP Group screen displays.

To delete an IP group:
1. In the Custom IP Groups table, select the check box to the left of the IP group that you want to delete, or click the Select All table button to select all groups.
2. Click the Delete table button.

Create Bandwidth Profiles

Bandwidth profiles determine the way in which data is communicated with the hosts.
Figure 105.
2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays:
Figure 106.
3. Enter the settings as explained in the following table:

Table 37. Add Bandwidth Profile screen settings
Setting: Description
Profile Name: A descriptive name of the bandwidth profile for identification and management purposes.

Table 37. Add Bandwidth Profile screen settings (continued)
Setting: Description
Inbound Minimum Bandwidth: The inbound minimum allocated bandwidth in Kbps. There is no default setting.
Inbound Maximum Bandwidth: The inbound maximum allowed bandwidth in Kbps. The maximum allowable bandwidth is 100,000 Kbps, and you cannot configure less than 100 Kbps. There is no default setting.

Create Quality of Service Profiles for IPv4 Firewall Rules

A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the VPN firewall. A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule or service, and traffic matching the firewall rule or service is processed by the VPN firewall.
Figure 108.
3. Enter the settings as explained in the following table.

Table 38. Add QoS Profile screen settings
Setting: Description
Profile Name: A descriptive name of the QoS profile for identification and management purposes.
Re-Mark: Select the Re-Mark check box to set the Differentiated Services (DiffServ) mark in the Type of Service (ToS) byte of an IP header by specifying the QoS type (IP precedence or DSCP) and QoS value.
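What the Re-Mark setting changes on the wire, as an added example in Python (not code from the manual or the SRX5308 firmware): it rewrites the ToS byte of a constructed IPv4 header for either QoS type and recomputes the header checksum. The bit layout used (IP precedence in the top 3 bits, DSCP in the top 6 bits, the 2 ECN bits preserved) and the sample addresses are assumptions of this model.

```python
# Added example, not code from the NETGEAR manual or the SRX5308 firmware.
# It models what the Re-Mark option of a QoS profile does to an IPv4 header:
# the Differentiated Services mark in the Type of Service (ToS) byte is
# rewritten according to the chosen QoS type (IP precedence or DSCP) and value.
# Assumptions of this model (not stated by the manual): IP precedence occupies
# the top 3 bits of the ToS byte and leaves the other 5 bits untouched, DSCP
# occupies the top 6 bits, and the 2 ECN bits are always preserved.
import struct


def tos_byte(qos_type: str, value: int, current_tos: int = 0) -> int:
    """Return the ToS byte that results from re-marking current_tos."""
    if qos_type == "precedence":
        if not 0 <= value <= 7:
            raise ValueError("IP precedence is a 3-bit value (0-7)")
        return (value << 5) | (current_tos & 0x1F)
    if qos_type == "dscp":
        if not 0 <= value <= 63:
            raise ValueError("DSCP is a 6-bit value (0-63)")
        return (value << 2) | (current_tos & 0x03)
    raise ValueError("qos_type must be 'precedence' or 'dscp'")


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def header_length(header: bytes) -> int:
    """Validate the fixed part of an IPv4 header and return its length (IHL * 4)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("IHL is inconsistent with the header length")
    return ihl


def checksum_ok(header: bytes) -> bool:
    """True when the checksum field is consistent with the rest of the header."""
    return ipv4_checksum(header[:header_length(header)]) == 0


def remark_ipv4_header(header: bytes, qos_type: str, value: int) -> bytes:
    """Re-mark the ToS byte and recompute the header checksum; payload untouched."""
    ihl = header_length(header)
    h = bytearray(header[:ihl])
    h[1] = tos_byte(qos_type, value, h[1])
    h[10:12] = b"\x00\x00"  # the checksum is computed over a zeroed field
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + header[ihl:]


def qos_fields(header: bytes) -> dict:
    """Decode the marking the way a downstream QoS policy would read it."""
    tos = header[1]
    return {"tos": tos, "dscp": tos >> 2, "precedence": tos >> 5, "ecn": tos & 0x03}


def build_sample_header(tos: int = 0) -> bytes:
    """Constructed sample: a 20-byte IPv4/UDP header from a LAN host to a WAN host."""
    src = bytes([192, 168, 1, 10])   # constructed LAN address
    dst = bytes([203, 0, 113, 5])    # constructed WAN address (TEST-NET-3)
    fields = struct.pack("!BBHHHBBH4s4s",
                         0x45, tos, 20 + 8, 0x1234, 0x4000, 64, 17, 0, src, dst)
    return fields[:10] + struct.pack("!H", ipv4_checksum(fields)) + fields[12:]


if __name__ == "__main__":
    original = build_sample_header(tos=0x02)  # ECN ECT(0) already set by the sender
    for qos_type, value in (("dscp", 46), ("precedence", 5)):
        marked = remark_ipv4_header(original, qos_type, value)
        print(qos_type, value, qos_fields(marked), "checksum ok:", checksum_ok(marked))
```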
To edit a QoS profile:
1. In the List of QoS Profiles table, click the Edit table button to the right of the QoS profile that you want to edit. The Edit QoS Profile screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified QoS profile is displayed in the List of QoS Profiles table.

To delete a QoS profile:
1.

Several types of blocking are available:
• Web component blocking. You can block the following web component types: proxy, Java, ActiveX, and cookies. Even sites that are listed in the Trusted Domains table are subject to web component blocking when the blocking of a particular web component is enabled.
- Proxy.

• If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu, .org, or .gov) can be viewed.
• If you wish to block all Internet browsing access, enter . (period) as the keyword.

To enable and configure content filtering:
1. Select Security > Content Filtering. The Block Sites screen displays. (The following figure shows some examples.)
Figure 109.
2.

3. In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected):
• Proxy. Blocks proxy servers.
• Java. Blocks Java applets from being downloaded.
• ActiveX. Blocks ActiveX applets from being downloaded.
• Cookies. Blocks cookies from being created by a website.

Set a Schedule to Block or Allow Specific Traffic

Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules.

To set a schedule:
1. Select Security > Services > Schedule 1. The Schedule 1 screen displays:
Figure 110.
2.

Enable Source MAC Filtering

The Source MAC Filter screen enables you to permit or block traffic coming from certain known computers or devices. By default, the source MAC address filter is disabled. All the traffic received from computers with any MAC address is allowed.
4. Click Apply to save your settings. The MAC Address field in the Add Source MAC Address section of the screen now becomes available.
5. Build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field. A MAC address needs to be entered in the format xx:xx:xx:xx:xx:xx, in which each x is a digit (0 to 9) or a letter from a to f (inclusive), for example: aa:11:bb:22:cc:33.
There are three possible scenarios in relation to the addresses in the IP/MAC Bindings table:
• Host 1 has not changed its IP and MAC addresses. A packet coming from Host 1 has IP and MAC addresses that match those in the IP/MAC Bindings table.
• Host 2 has changed its MAC address to 00:01:02:03:04:09.
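The MAC address format required in step 5 of the Source MAC Filter procedure and the comparison of a packet's source addresses against the IP/MAC Bindings table, as an added example in Python (not code from the manual or the SRX5308 firmware). The table entries, the packet addresses other than Host 2's new MAC address, the third scenario (a host that changed its IP address) and the verdict names are constructed for this example; how the firewall acts on a violation is not modelled.

```python
# Added example, not code from the NETGEAR manual or the SRX5308 firmware.
# It models two checks the manual describes: the xx:xx:xx:xx:xx:xx format that a
# source MAC address must use, and the comparison of a packet's source IP and
# MAC addresses with the IP/MAC Bindings table. Assumption (not stated by the
# manual): a packet whose source IP or MAC is bound but whose counterpart does
# not match the binding is reported as a violation; addresses that appear
# nowhere in the table are not checked.
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Six hex pairs separated by colons, as the manual requires (compared lowercase).
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Accept the manual's format (e.g. aa:11:bb:22:cc:33) and return it lowercase."""
    candidate = mac.strip().lower()
    if not MAC_RE.match(candidate):
        raise ValueError(f"MAC address must be in the format xx:xx:xx:xx:xx:xx: {mac!r}")
    return candidate


def normalize_ip(ip: str) -> str:
    """Canonical text form for IPv4 or IPv6 (the bindings table exists for both)."""
    return str(ip_address(ip.strip()))


@dataclass(frozen=True)
class Binding:
    name: str   # descriptive name of the binding, as on the IP/MAC Binding screen
    mac: str
    ip: str


class BindingTable:
    """In-memory model of the IP/MAC Bindings table."""

    def __init__(self, bindings):
        self.by_ip = {}
        self.by_mac = {}
        for b in bindings:
            mac, ip = normalize_mac(b.mac), normalize_ip(b.ip)
            if ip in self.by_ip or mac in self.by_mac:
                raise ValueError(f"{b.name}: IP or MAC address is already bound")
            entry = Binding(b.name, mac, ip)
            self.by_ip[ip] = entry
            self.by_mac[mac] = entry

    def check(self, src_ip: str, src_mac: str):
        """Return (verdict, detail); verdict is 'match', 'violation' or 'unbound'."""
        ip, mac = normalize_ip(src_ip), normalize_mac(src_mac)
        by_ip, by_mac = self.by_ip.get(ip), self.by_mac.get(mac)
        if by_ip is None and by_mac is None:
            return "unbound", "no binding for this IP or MAC address"
        if by_ip is not None and by_ip.mac == mac:
            return "match", f"{by_ip.name}: addresses match the binding"
        if by_ip is not None:
            return "violation", (f"{by_ip.name}: IP {ip} is bound to {by_ip.mac}, "
                                 f"but the packet came from {mac}")
        return "violation", (f"{by_mac.name}: MAC {mac} is bound to {by_mac.ip}, "
                             f"but the packet came from {ip}")


# Constructed sample table and the scenarios the manual walks through. Host 2's
# new MAC address 00:01:02:03:04:09 is the manual's value; everything else is
# constructed, including the third scenario (Host 3 changed its IP address).
SAMPLE_TABLE = BindingTable([
    Binding("Host 1", "00:01:02:03:04:05", "192.168.1.10"),
    Binding("Host 2", "00:01:02:03:04:06", "192.168.1.11"),
    Binding("Host 3", "00:01:02:03:04:07", "192.168.1.12"),
])

SAMPLE_PACKETS = [
    ("192.168.1.10", "00:01:02:03:04:05"),  # Host 1, addresses unchanged
    ("192.168.1.11", "00:01:02:03:04:09"),  # Host 2 changed its MAC address
    ("192.168.1.20", "00:01:02:03:04:07"),  # Host 3 changed its IP address
    ("192.168.1.50", "00:aa:bb:cc:dd:ee"),  # a host with no binding at all
]


def check_all(table=SAMPLE_TABLE, packets=SAMPLE_PACKETS):
    """Verdict for each sample packet, in order."""
    return [table.check(ip, mac)[0] for ip, mac in packets]


if __name__ == "__main__":
    for ip, mac in SAMPLE_PACKETS:
        verdict, detail = SAMPLE_TABLE.check(ip, mac)
        print(f"{ip:<14} {mac}  {verdict:<9} {detail}")
```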
3. Click Apply to save your changes.
4. In the IP/MAC Bindings section of the screen, enter the settings as explained in the following table:

Table 39. IP/MAC Binding screen settings for IPv4
Setting: Description
Name: A descriptive name of the binding for identification and management purposes.
MAC Address: The MAC address of the computer or device that is bound to the IP address.

2. Click the Stop button. Wait until the Poll Interval field becomes available.
3. Enter a new poll interval in seconds.
4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.

IPv6/MAC Bindings

To set up a binding between a MAC address and an IPv6 address:
1. Select Security > Address Filter > IP/MAC Binding.
2. In the upper right of the screen, select the IPv6 radio button.
5. In the IP/MAC Bindings section of the screen, enter the settings as explained in the following table:

Table 40. IP/MAC Binding screen settings for IPv6
Setting: Description
Name: A descriptive name of the binding for identification and management purposes.
MAC Address: The MAC address of the computer or device that is bound to the IP address.
IP Address: The IPv6 address of the computer or device that is bound to the MAC address.

4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.

Configure Port Triggering

Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application.

Figure 116.
2. In the Add Port Triggering Rule section, enter the settings as explained in the following table:

Table 41. Port Triggering screen settings
Setting: Description
Name: A descriptive name of the rule for identification and management purposes.
Enable: From the drop-down list, select Yes to enable the rule. (You can define a rule but not enable it.) The default setting is No.

To remove one or more port triggering rules from the table:
1. Select the check box to the left of each port triggering rule that you want to delete, or click the Select All table button to select all rules.
2. Click the Delete table button.

To display the status of the port triggering rules: Click the Status option arrow in the upper right of the Port Triggering screen. A pop-up screen displays, showing the status of the port triggering rules.

The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the VPN firewall and that have been automatically detected by the VPN firewall:
• Active. A Yes or No indicates if the UPnP device port that established a connection is currently active.
• Protocol. Indicates the network protocol such as HTTP or FTP that is used by the device to connect to the VPN firewall.
• Int. Port.
5. Virtual Private Networking Using IPSec and L2TP Connections

This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer.

The following diagrams and table show how the WAN mode selection relates to VPN configuration.

Figure 119. WAN auto-rollover: FQDN required for VPN (multiple WAN port model; the WAN 1 port and WAN 2 port are under VPN firewall rollover control, and the same FQDN is required for both WAN ports).
Use the IPSec VPN Wizard for Client and Gateway Configurations

You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies.

following screen contains some examples that do not relate to other examples in this manual.)
Figure 122.

To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
Figure 123.
2. Complete the settings as explained in the following table:

Table 43. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel
Setting: Description
About VPN Wizard
This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port’s IP address or Internet name displays in the End Point Information section of the screen.

Table 43. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel (continued)
Setting: Description
This VPN tunnel will use the following local WAN Interface: Select a WAN interface from the drop-down list to specify which local WAN interface the VPN tunnel uses as the local endpoint.

Figure 124.
4. Configure a VPN policy on the remote gateway that allows connection to the VPN firewall.
5. Activate the IPSec VPN connection:
a. Select VPN > Connection Status. The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view:
Figure 125.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.
Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard

Figure 126.

To set up an IPv6 gateway-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard.
2. In the upper right of the screen, select the IPv6 radio button. The VPN Wizard screen displays the IPv6 settings. (The following screen contains some examples that do not relate to other examples in this manual.)
Figure 127.

To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
Figure 128.
3. Complete the settings as explained in the following table:
Table 44.
Table 44. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel (continued)
Setting: Description
End Point Information
What is the Remote WAN’s IP Address or Internet Name?: Enter the IPv6 address or Internet name (FQDN) of the WAN interface on the remote VPN tunnel endpoint.
6. Activate the IPSec VPN connection:
a. Select VPN > Connection Status. The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view:
Figure 130.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.

Use the VPN Wizard to Configure the Gateway for a Client Tunnel

To set up a client-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio button is selected by default. The VPN Wizard screen displays the IPv4 settings. (The following figure contains an example.)
Figure 132.

Table 45. IPSec VPN Wizard settings for a client-to-gateway tunnel (continued)
Setting: Description
Connection Name and Remote IP Type
What is the new Connection Name?: Enter a descriptive name for the connection. This name is used to help you to manage the VPN settings; the name is not supplied to the VPN client.
What is the pre-shared key?: Enter a pre-shared key.

Figure 133.

Note: When you are using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.

4. Optional step: Collect the information that you need to configure the VPN client.
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. The VPN Client supports IPv4 only; an upcoming release of the VPN Client will support IPv6.

To use the Configuration Wizard to set up a VPN connection between the VPN client and the VPN firewall:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays:
Figure 134.
2.

Figure 135.
3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays:
Figure 136.
4. Specify the following VPN tunnel parameters:
• IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the VPN firewall. For example, enter 192.168.15.175.
• Preshared key. Enter the pre-shared key that you already specified on the VPN firewall.

Figure 137.
6. This screen is a summary screen of the new VPN configuration. Click Finish.
7. Specify the local and remote IDs:
a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
b. Click the Advanced tab in the Authentication pane.
c. Specify the settings that are explained in the following table.

Table 47. VPN client advanced authentication settings
Setting: Description
Advanced features
Aggressive Mode: Select this check box to enable aggressive mode as the mode of negotiation with the VPN firewall.
NAT-T: Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.

Figure 139.
b. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall.
• Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the VPN firewall.
9.
Configure the Authentication Settings (Phase 1 Settings)

To create new authentication settings:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays:
Figure 140.
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1.
Figure 141.
3. Change the name of the authentication phase (the default is Gateway):
a.

Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.

The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
Figure 142.
4. Specify the settings that are explained in the following table.
Table 48.

5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays:
Figure 143.
7. Specify the settings that are explained in the following table.
Table 49.
Table 49. VPN client advanced authentication settings (continued)
Setting: Description
Remote ID: As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the VPN firewall configuration. As the value of the ID, enter local.com as the remote ID for the VPN firewall.
Note: The local ID on the VPN firewall is the remote ID on the VPN client. It might be less confusing to configure an FQDN such as router.

Figure 144.
3. Specify the settings that are explained in the following table.

Table 50. VPN client IPSec configuration settings
Setting: Description
VPN Client address: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the VPN firewall’s LAN; the computer (for which the VPN client opened a tunnel) appears in the LAN with this IP address.
Address Type: Select Subnet address from the drop-down list.

4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

Configure the Global Parameters

To specify the global parameters:
1. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the Configuration Panel screen:
Figure 145.
2. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds.
Test the Connection and View Connection and Status Information

• Test the NETGEAR VPN Client Connection
• NETGEAR VPN Client Status and Log Information
• View the VPN Firewall IPSec VPN Connection Status
• View the VPN Firewall IPSec VPN Log

Both the NETGEAR ProSafe VPN Client and the VPN firewall provide VPN connection and status information.

Figure 147.
• Use the system-tray icon. Right-click the system tray icon, and select Open tunnel ‘Tunnel’.
Figure 148.
Whichever way you choose to open the tunnel, when the tunnel opens successfully, the Tunnel opened message displays above the system tray:
Figure 149.

NETGEAR VPN Client Status and Log Information

To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays:
Figure 151.

View the VPN Firewall IPSec VPN Connection Status

To view the status of current IPSec VPN tunnels, select VPN > Connection Status.

interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button.

Table 51. IPSec VPN Connection Status screen information
Item: Description
Policy Name: The name of the VPN policy that is associated with this SA.
Endpoint: The IP address on the remote VPN endpoint.
Tx (KB): The amount of data that is transmitted over this SA.
Manage IPSec VPN Policies
• Manage IKE Policies
• Manage VPN Policies
After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies, or manually add new VPN and IKE policies directly in the policy tables.

examples.) To display the IPv6 settings on the IKE Policies screen, select the IPv6 radio button. Figure 154.
Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 53 on page 228.
Table 52. IKE Policies screen information for IPv4 and IPv6
• Name. The name that identifies the IKE policy.

Note: You cannot delete or edit an IKE policy whose VPN policy is active without first disabling or deleting that VPN policy.
Manually Add or Edit an IKE Policy
To manually add an IKE policy for IPv4 or IPv6:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view (see Figure 154 on page 226).
2. Under the List of IKE Policies table, click the Add table button.

4. Complete the settings as explained in the following table:
Table 53. Add IKE Policy screen settings
• Mode Config Record: Do you want to use Mode Config Record? Specify whether the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation on page 244. Select one of the following radio buttons:
  - Yes. IP addresses are assigned to remote VPN clients.

Table 53. Add IKE Policy screen settings (continued)
• Identifier. From the drop-down list, select one of the following ISAKMP identifiers to be used by the VPN firewall, and then specify the identifier in the Identifier field:
  - Local Wan IP. The WAN IP address of the VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
  - FQDN.

Table 53. Add IKE Policy screen settings (continued)
• Authentication Method. Select one of the following radio buttons to specify the authentication method:
  - Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint. Use a long, random secret: a short or guessable pre-shared key can be recovered offline from a captured IKE exchange, particularly in Aggressive mode.
  - RSA-Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen (see Manage VPN Self-Signed Certificates on page 316).

Table 53. Add IKE Policy screen settings (continued)
XAUTH Configuration (continued)
• Authentication Type. For an Edge Device configuration, from the drop-down list, select one of the following authentication types:
  - User Database. XAUTH occurs through the VPN firewall’s user database. You can add users on the Add User screen (see User Database Configuration on page 241).
  - Radius PAP.
endpoints (the local ID endpoint and the remote ID endpoint). You still need to manually enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard). In addition, a certification authority (CA) can be used to perform authentication (see Manage Digital Certificates for VPN Connections on page 313). For gateways to use a CA to perform authentication, each VPN gateway needs to have a certificate from the CA.

Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 55 on page 235.
Table 54. VPN Policies screen information for IPv4 and IPv6
• ! (Status). Indicates whether the policy is enabled (green circle) or disabled (gray circle). To enable or disable a policy, select the check box to the left of the circle, and click the Enable or Disable table button, as appropriate.

3. Specify the IP version for which you want to add a VPN policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 4.
• IPv6. Select the IPv6 radio button. The Add New VPN Policy screen for IPv6 displays (see Figure 158 on page 235).
Figure 157.

Figure 158. Add New VPN Policy screen for IPv6
4. Complete the settings as explained in the following table. The only differences between the IPv4 and IPv6 settings are the subnet mask (IPv4) and the prefix length (IPv6).
Table 55. Add New VPN Policy screen settings for IPv4 and IPv6
General
• Policy Name. A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.

Table 55. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
• Policy Type. From the drop-down list, select one of the following policy types:
  - Auto Policy. Some settings for the VPN tunnel (the ones in the Manual Policy Parameters section of the screen) are generated automatically through IKE negotiation.
  - Manual Policy. All settings need to be specified manually, including the ones in the Manual Policy Parameters section of the screen.

Table 55. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
Traffic Selection
• Local IP. From the drop-down list, select the address or addresses that are part of the VPN tunnel on the VPN firewall:
  - Any. All computers and devices on the network. Note that you cannot select Any for both the VPN firewall and the remote endpoint.
  - Single. A single IP address on the network.

Table 55. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
• Key-Out. The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm:
  - 3DES. Enter 24 characters.
  - DES. Enter 8 characters.
  - AES-128. Enter 16 characters.
  - AES-192. Enter 24 characters.
  - AES-256. Enter 32 characters.
  Because manual-policy keys are static until you edit the policy, generate them from a random source rather than typing a phrase, and rotate them; an Auto Policy negotiates fresh keys through IKE instead.
• SPI-Outgoing. The Security Parameters Index (SPI) for the outbound policy.

Table 55. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
• Integrity Algorithm. From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
  - SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
  - MD5. Hash algorithm that produces a 128-bit digest. MD5 is deprecated; keep the SHA-1 default unless the remote peer supports only MD5.
requesting individual authentication information from the user. A local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network. You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available:
• Edge Device. The VPN firewall is used as a VPN concentrator on which one or more gateway tunnels terminate.

4. In the Extended Authentication section on the screen, complete the settings as explained in the following table:
Table 56. Extended authentication settings for IPv4 and IPv6
Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device.

user name and password information. The gateway then attempts to verify this information, first against the local user database (if RADIUS-PAP is enabled) and then by relaying it to a central authentication server such as a RADIUS server.
Note: Even though you can configure RADIUS servers with IPv4 addresses only, the servers can be used for authentication, authorization, and accounting of both IPv4 and IPv6 users.

Table 57. RADIUS Client screen settings (continued)
• Primary Server NAS Identifier. The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request. Note: The VPN firewall functions as a NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS needs to provide some NAS identifier information to the RADIUS server.
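The RADIUS exchange behind the Radius PAP option, as an added example that is not part of this manual or of NETGEAR's firmware: it builds the Access-Request that the VPN firewall, acting as NAS, would send (User-Name, User-Password hidden as RFC 2865 section 5.2 specifies, NAS-IP-Address and NAS-Identifier), parses it, and performs the server-side password check. The user name, password, shared secret, NAS identifier and NAS address are constructed values, not settings from the manual.

```python
"""RADIUS Access-Request with PAP password hiding (RFC 2865) and the
server-side check. Added example; not NETGEAR code. All names, secrets
and addresses below are constructed for illustration."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_IDENTIFIER = 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret || previous block); the first block is keyed with the 16-byte
    Request Authenticator. This is obfuscation keyed by the shared secret, not
    authenticated encryption."""
    if not 1 <= len(password) <= 128 or b"\x00" in password:
        raise ValueError("PAP password must be 1..128 bytes and contain no NUL")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_identifier: bytes, nas_ip: str,
                         authenticator: bytes = None) -> bytes:
    """What the NAS sends. Both NAS-IP-Address and NAS-Identifier are included,
    mirroring the NAS Identifier setting on the RADIUS Client screen."""
    authenticator = authenticator or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + encode_attr(ATTR_NAS_IDENTIFIER, nas_identifier))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: [values]})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def server_check(packet: bytes, secret: bytes, users: dict) -> bool:
    """Server side: recover the PAP password and compare in constant time.
    `users` maps user name to plaintext password (a demo table, not a real store)."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    if ATTR_NAS_IDENTIFIER not in attrs and ATTR_NAS_IP_ADDRESS not in attrs:
        return False  # RFC 2865: an Access-Request MUST carry one of the two
    try:
        presented = reveal_password(attrs[ATTR_USER_PASSWORD][0], secret, authenticator)
    except ValueError:
        return False
    # b"\x00" can never equal a revealed password (trailing NULs are stripped)
    return hmac.compare_digest(users.get(attrs[ATTR_USER_NAME][0], b"\x00"), presented)


if __name__ == "__main__":
    secret = b"testing123"                      # constructed shared secret
    req = build_access_request(7, b"alice", b"correct horse battery staple",
                               secret, b"srx5308-hq", "192.0.2.1")
    print(len(req), "bytes;", server_check(req, secret, {b"alice": b"correct horse battery staple"}))
```

Because the password hiding is only an MD5 keystream derived from the shared secret and the Request Authenticator, anyone who captures the request and knows or guesses the secret recovers the password: choose a long RADIUS secret and keep the firewall-to-server path on a trusted network.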
Assign IPv4 Addresses to Remote Users (Mode Config)
• Mode Config Operation
• Configure Mode Config Operation on the VPN Firewall
• Configure the ProSafe VPN Client for Mode Config Operation
• Test the Mode Config Connection
• Modify or Delete a Mode Config Record
To simplify the process of connecting remote VPN clients to the VPN firewall, use the Mode Config feature to automatically assign IPv4 addresses to remote users, including a network acce

To configure Mode Config on the VPN firewall:
1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays: Figure 160.
As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales:
• For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and a second pool (172.16.200.1 through 172.16.200.99) are shown.
• For NA Sales, a first pool (172.25.100.50 through 172.25.100.99), a second pool (172.

3. Complete the settings as explained in the following table:
Table 58. Add Mode Config Record screen settings
Client Pool
• Record Name. A descriptive name of the Mode Config record for identification and management purposes.
• First Pool. Assign at least one range of IP pool addresses in the First Pool fields to enable the VPN firewall to allocate these to remote VPN clients. The Second Pool and Third Pool fields are optional.

Table 58. Add Mode Config Record screen settings (continued)
• Integrity Algorithm. From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
  - SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
  - MD5. Hash algorithm that produces a 128-bit digest.
• Local IP Address. The local IP address to which remote VPN clients have access.
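How the ordered pools of a Mode Config record turn into per-client addresses, as an added example that is not NETGEAR firmware code. The pool ranges are the EMEA Sales ones shown on the Mode Config screen; the allocation behaviour (lowest free address first, pools scanned in the order First, Second, Third, a reconnecting client keeping its lease, and overlapping pools rejected) is an assumption, since the manual documents only the pool fields.

```python
"""Address assignment from the ordered client pools of a Mode Config record.
Added example, not NETGEAR code; the allocation order is assumed."""
import ipaddress
from typing import Dict, List, Tuple


class ModeConfigRecord:
    def __init__(self, name: str, pools: List[Tuple[str, str]]):
        # One required pool (First Pool) plus up to two optional ones.
        if not 1 <= len(pools) <= 3:
            raise ValueError("a Mode Config record has one required and up to two optional pools")
        self.name = name
        self.pools: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
        for first, last in pools:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
            if lo > hi:
                raise ValueError(f"pool {first}-{last} is reversed")
            self.pools.append((lo, hi))
        # Assumed: pools may not overlap, otherwise one address could be leased twice.
        ordered = sorted(self.pools)
        for (_, hi_a), (lo_b, _) in zip(ordered, ordered[1:]):
            if lo_b <= hi_a:
                raise ValueError(f"pools of record {name!r} overlap")
        self.leases: Dict[str, ipaddress.IPv4Address] = {}  # client identity -> address

    def assign(self, client_id: str) -> ipaddress.IPv4Address:
        """Hand the client the lowest free address, scanning pools in order.
        A client that is still leased (e.g. a reconnect) keeps its address."""
        if client_id in self.leases:
            return self.leases[client_id]
        in_use = set(self.leases.values())
        for lo, hi in self.pools:
            addr = lo
            while addr <= hi:
                if addr not in in_use:
                    self.leases[client_id] = addr
                    return addr
                addr += 1
        raise RuntimeError(f"all pools of record {self.name!r} are exhausted")

    def release(self, client_id: str) -> None:
        """Return the client's address to the pool (tunnel torn down)."""
        self.leases.pop(client_id, None)

    def free_count(self) -> int:
        total = sum(int(hi) - int(lo) + 1 for lo, hi in self.pools)
        return total - len(self.leases)


if __name__ == "__main__":
    emea = ModeConfigRecord("EMEA Sales", [("172.16.100.1", "172.16.100.99"),
                                           ("172.16.200.1", "172.16.200.99")])
    print(emea.assign("laptop-1"), emea.assign("laptop-2"), emea.free_count())
```

Sizing the pools to the number of concurrent remote users matters: once every pool address is leased, further clients fail IKE negotiation rather than receiving an address, so monitor free_count() against the expected peak.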
Figure 162.
8. On the Add IKE Policy screen, complete the settings as explained in the following table.
Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 53 on page 228 explains the general IKE policy settings.

Table 59. Add IKE Policy screen settings for a Mode Config configuration
• Mode Config Record: Do you want to use Mode Config Record? Select the Yes radio button. Note: Because Mode Config functions only in Aggressive mode on the VPN firewall, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode. Mode Config also requires that both the local and remote endpoints are defined by their FQDNs. Be aware that Aggressive mode sends the endpoint identities unencrypted, and with pre-shared key authentication the responder hash can be captured passively and used for an offline dictionary attack on the key; use a long, random pre-shared key (or RSA signatures) and require XAUTH for remote clients.

Table 59. Add IKE Policy screen settings for a Mode Config configuration (continued)
IKE SA Parameters. Note: Generally, the default settings work well for a Mode Config configuration.
• Encryption Algorithm. To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm. (3DES is what the client walkthrough in this chapter uses; if the VPN client supports AES, AES-128 or stronger is the better choice, and the same algorithm must then be selected on both sides.)

Table 59. Add IKE Policy screen settings for a Mode Config configuration (continued)
• Extended Authentication. Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
  - None. XAUTH is disabled. This is the default setting.
  - Edge Device.
Note: For more information about
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed.
To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
Configure the Mode Config Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1.

3. Change the name of the authentication phase (the default is Gateway):
a. Right-click the authentication phase name.
b. Select Rename.
c. Type GW_ModeConfig.
d. Click anywhere in the tree list pane.
Note: This is the name for the authentication phase that is used only in the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be unique.

Table 60. VPN client authentication settings (Mode Config) (continued)
• IKE Encryption. Select the 3DES encryption algorithm from the drop-down list.
• Authentication. Select the SHA1 authentication algorithm from the drop-down list.
• Key Group. Select the DH2 (1024) key group from the drop-down list. Note: On the VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit). A 1024-bit group is at the low end of what is considered acceptable today; if both the VPN firewall and the client offer a larger group, select it on both sides.
5.

Table 61. VPN client advanced authentication settings (Mode Config) (continued)
• NAT-T. Select Automatic from the drop-down list to enable the VPN client and VPN firewall to negotiate NAT-T.
• Local and Remote ID. As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter client.com as the local ID for the VPN client.

Figure 167.
3. Specify the settings that are explained in the following table.
Table 62. VPN client IPSec configuration settings (Mode Config)
• VPN Client address. This field is masked out because Mode Config is selected. After an IPSec connection is established, the IP address that is issued by the VPN firewall displays in this field (see Figure 172 on page 260).
• Address Type. Select Subnet address from the drop-down list.

Table 62. VPN client IPSec configuration settings (Mode Config) (continued)
• ESP Encryption. Select 3DES as the encryption algorithm from the drop-down list.
• Authentication. Select SHA-1 as the authentication algorithm from the drop-down list.
• Mode. Select Tunnel as the encapsulation mode from the drop-down list.
• PFS and Group. Select the PFS check box, and then select the DH2 (1024) key group from the drop-down list.

2. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall:
• Authentication (IKE), Default. Enter 3600 seconds. Note: The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
• Encryption (IPSec), Default. Enter 3600 seconds.
3.

Figure 171.
3. From the client computer, ping a computer on the VPN firewall LAN.
Modify or Delete a Mode Config Record
Note: Before you modify or delete a Mode Config record, make sure that it is not used in an IKE policy.
To edit a Mode Config record:
1. On the Mode Config screen (see Figure 160 on page 245), click the Edit button in the Action column for the record that you want to modify. The Edit Mode Config Record screen displays.
For DPD to function, the peer VPN device on the other end of the tunnel also needs to support DPD. Keep-alive, though less reliable than DPD, does not require any support from the peer device.
Configure Keep-Alives
The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies.
To configure the keep-alive feature on a configured VPN policy:
1. Select VPN > IPSec VPN > VPN Policies.

4. Enter the settings as explained in the following table:
Table 63. Keep-alive settings
General
• Enable Keepalive. Select the Yes radio button to enable the keep-alive feature. Periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.

Figure 173.
4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table:
Table 64. Dead Peer Detection settings
IKE SA Parameters
• Enable Dead Peer Detection. Select the Yes radio button to enable DPD. When the VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SAs and forces a reestablishment of the connection.

2. Specify the IP version for which you want to edit a VPN policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
• IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays.

To enable the PPTP server and configure the PPTP server pool, authentication, and encryption:
1. Select VPN > PPTP Server. The PPTP Server screen displays. (The following figure contains an example.) Figure 175.
2. Enter the settings as explained in the following table:
Table 65. PPTP Server screen settings
• Enable. To enable the PPTP server, select the Enable check box. PPTP's MS-CHAPv2 authentication and MPPE encryption have well-known cryptographic weaknesses and are no longer considered secure; enable the PPTP server only for legacy clients that cannot use the IPSec or SSL VPN, and leave it disabled otherwise.

The List of PPTP Active Users table lists each active connection with the information that is described in the following table.
Table 66. PPTP Active Users screen information
• Username. The name of the PPTP user that you have defined (see Configure User Accounts on page 303).
• Remote IP. The remote client’s IP address.
• PPTP IP. The IP address that is assigned by the PPTP server on the VPN firewall.

Figure 177.
2. Enter the settings as explained in the following table:
Table 67. L2TP Server screen settings
• Enable. To enable the L2TP server, select the Enable check box.
• Starting IP Address. The first IP address of the pool. This address is used by the VPN firewall itself.
• Ending IP Address. The last IP address of the pool. A maximum of 26 contiguous addresses is supported.

The List of L2TP Active Users table lists each active connection with the information that is described in the following table.
Table 68. L2TP Active Users screen information
• Username. The name of the L2TP user that you have defined (see Configure User Accounts on page 303).
• Remote IP. The client’s IP address on the remote L2TP Access Concentrator (LAC).
• L2TP IP. The IP address that is assigned by the L2TP server on the VPN firewall.
6. Virtual Private Networking Using SSL Connections
The VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.

The SSL VPN client provides a point-to-point (PPP) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s computer. The VPN firewall assigns the computer an IP address and DNS server IP addresses, allowing the remote computer to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure.

Because you need to assign a group when you create an SSL VPN user account, create the group before the user account.
3. For port forwarding, define the servers and services (see Configure Applications for Port Forwarding on page 275). Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names (FQDNs) with these servers.

You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add additional portal layouts. You can also make any portal the default portal for the VPN firewall by clicking the Default button in the Action column of the List of Layouts table, to the right of the desired portal layout.

• Portal URL:
  - Portal URL (IPv4). The IPv4 URL at which the portal can be accessed. The IPv4 address in the URL is the public WAN address of the VPN firewall (see Configure the IPv4 Internet Connection and WAN Settings on page 28). Both the IPv4 URL and the IPv6 URL can be active simultaneously.
  - Portal URL (IPv6). The IPv6 URL at which the portal can be accessed.

4. Complete the settings as explained in the following table:
Table 69. Add Portal Layout screen settings
Portal Layout and Theme Name
• Portal Layout Name. A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.

Table 69. Add Portal Layout screen settings (continued)
• ActiveX web cache cleaner. Select this check box to enable the ActiveX cache control to be loaded when users log in to the SSL VPN portal. The web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window. Because ActiveX controls run only in Internet Explorer on Windows and the user can decline the prompt, treat this as a convenience rather than a guarantee that no session data remains on the client.

access policies. When you create a group, you need to specify a domain. Therefore, create any domains first, then groups, and then user accounts. For information about how to configure domains, groups, and users, see Configure Authentication Domains, Groups, and Users on page 296.
2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields:
• IP Address. The IP address of an internal server or host computer that a remote user has access to.
• TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers.
Table 70.

To add servers and host names for client name resolution:
1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see Figure 182 on page 275).
2. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields:
• Local Server IP Address. The IP address of an internal server or host computer that you want to name.
• Fully Qualified Domain Name. The full server name.

• Select whether you want to enable full-tunnel or split-tunnel support based on your bandwidth:
  - A full tunnel sends all of the client’s traffic across the VPN tunnel.
  - A split tunnel sends only traffic that is destined for the local network, based on the specified client routes. All other traffic is sent to the Internet directly. A split tunnel allows you to manage bandwidth by reserving the VPN tunnel for local traffic only; the trade-off is that the client's Internet traffic then bypasses the VPN firewall's policies and logging.

Figure 184. SSL VPN Client screen for IPv6
3. Complete the settings as explained in the following table:
Table 71. SSL VPN Client screen settings for IPv4 and IPv6
Client IP Address Range
• Enable Full Tunnel Support. Select this check box to enable full-tunnel support.

Table 71. SSL VPN Client screen settings for IPv4 and IPv6 (continued)
IPv4 screen only (continued)
• Client Address Range End. The last IP address of the IPv4 address range that you want to assign to the VPN tunnel clients. By default, the last IPv4 address is 192.168.251.254.
• Client IPv6 Address Range Begin. The first IP address of the IPv6 address range that you want to assign to the VPN tunnel clients.

If VPN tunnel clients are already connected, disconnect and then reconnect the clients on the SSL VPN Connection Status screen (see View the SSL VPN Connection Status and SSL VPN Log on page 292). Doing so allows the clients to receive new addresses and routes.
To change the specifications of an existing route and to delete an old route:
1. Add a new route to the Configured Client Routes table.
2.

Figure 185.
2. In the Add New Resource section of the screen, specify information in the following fields:
• Resource Name. A descriptive name of the resource for identification and management purposes.
• Service. From the Service drop-down list, select the type of service to which the resource applies:
  - VPN Tunnel. The resource applies only to a VPN tunnel.
  - Port Forwarding. The resource applies only to port forwarding.
  - All.

IPv6, this screen is identical to the screen for IPv4 (see the next figure, which shows some examples). Figure 186.
4. Complete the settings as explained in the following table:
Table 72. Resources screen settings to edit a resource
Add Resource Addresses
• Resource Name. The unique identifier for the resource. You cannot modify the resource name after you have created it on the first Resources screen.

Table 72. Resources screen settings to edit a resource (continued)
Object Type (continued)
• IPv6 screen only: Prefix Length. Enter the prefix length for the locations that are permitted to use this resource.
• Port Range / Port Number. A port or a range of ports (0–65535) to which the policy applies. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
5.

Assuming that no conflicting user or group policies have been configured, if a user attempted to access FTP servers at the following addresses, the actions listed would occur:
• 10.0.0.1. The user would be blocked by Policy 1.
• 10.0.1.5. The user would be blocked by Policy 2.
• 10.0.0.10. The user would be granted access by Policy 3. The IP address range 10.0.0.5–10.0.0.20 is more specific than the IP address range that is defined in Policy 1, so Policy 3 takes precedence for that address.
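The most-specific-wins resolution described above, as an added example that is not NETGEAR firmware code. Policy 3 is the page's 10.0.0.5–10.0.0.20 FTP permit; the definitions of Policy 1 and Policy 2 (deny FTP to 10.0.0.0/24 and 10.0.1.0/24) are assumed, since the page states only their effect. Also assumed: when two policies are equally specific, a user policy outranks a group policy, which outranks a global one, and a deny outranks a permit; and a destination matched by no policy is denied.

```python
"""Most-specific-wins resolution of SSL VPN policies. Added example, not
NETGEAR code. Policies 1 and 2, the tie-break order and the no-match
default are assumptions; Policy 3 is the range from the manual."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

SCOPE_RANK = {"user": 0, "group": 1, "global": 2}   # assumed tie-break only


@dataclass(frozen=True)
class SslVpnPolicy:
    name: str
    permission: str                        # "permit" or "deny"
    scope: str = "global"                  # "global", "group" or "user"
    subject: Optional[str] = None          # group or user name for non-global policies
    addresses: Optional[str] = None        # "10.0.0.1", "10.0.0.0/24", "10.0.0.5-10.0.0.20"; None = all
    ports: Optional[Tuple[int, int]] = None  # inclusive range; None = all ports

    def address_range(self):
        """Normalise the Apply Policy to? choices (IP Address, IP Network, a
        range, or All Addresses) into an inclusive (first, last) pair."""
        if self.addresses is None:
            return None
        if "-" in self.addresses:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.addresses.split("-", 1))
        else:
            net = ipaddress.ip_network(self.addresses, strict=False)
            lo, hi = net.network_address, net.broadcast_address
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad address range {self.addresses!r}")
        return lo, hi


def applies(p: SslVpnPolicy, user: str, group: str, dst, port: int) -> bool:
    if p.scope == "group" and p.subject != group:
        return False
    if p.scope == "user" and p.subject != user:
        return False
    rng = p.address_range()
    if rng is not None and (rng[0].version != dst.version or not rng[0] <= dst <= rng[1]):
        return False
    return p.ports is None or p.ports[0] <= port <= p.ports[1]


def specificity(p: SslVpnPolicy):
    """Smaller tuple = more specific: fewer addresses, then fewer ports,
    then user > group > global, then deny before permit (last two assumed)."""
    rng = p.address_range()
    addrs = float("inf") if rng is None else int(rng[1]) - int(rng[0]) + 1
    ports = 65536 if p.ports is None else p.ports[1] - p.ports[0] + 1
    return (addrs, ports, SCOPE_RANK[p.scope], 0 if p.permission == "deny" else 1)


def resolve(policies: Sequence[SslVpnPolicy], user: str, group: str,
            dst_ip: str, dst_port: int, default: str = "deny"):
    """Return (permission, policy name) for one access attempt; (default, None)
    when no policy matches."""
    if not 0 <= dst_port <= 65535:
        raise ValueError("port out of range")
    dst = ipaddress.ip_address(dst_ip)
    candidates = [p for p in policies if applies(p, user, group, dst, dst_port)]
    if not candidates:
        return default, None
    best = min(candidates, key=specificity)
    return best.permission, best.name


FTP = (21, 21)
EXAMPLE_POLICIES = (
    SslVpnPolicy("Policy 1", "deny", addresses="10.0.0.0/24", ports=FTP),        # assumed
    SslVpnPolicy("Policy 2", "deny", addresses="10.0.1.0/24", ports=FTP),        # assumed
    SslVpnPolicy("Policy 3", "permit", addresses="10.0.0.5-10.0.0.20", ports=FTP),
)

if __name__ == "__main__":
    for ip in ("10.0.0.1", "10.0.1.5", "10.0.0.10"):
        print(ip, resolve(EXAMPLE_POLICIES, "jdoe", "sales", ip, 21))
```

Note that a permit for a narrow range punches through a broader deny, as the 10.0.0.10 case shows; when auditing a policy set, look for narrow permits first, since they are the exceptions that will win.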
3. Click the Display action button. The List of SSL VPN Policies table displays the list for your selected Query option.
Add an IPv4 or IPv6 SSL VPN Policy
To add an SSL VPN policy:
1. Select VPN > SSL VPN. The SSL VPN submenu tabs display, with the Policies screen in view (see the previous figure).
2. Under the List of SSL VPN Policies table, click the Add table button. The Add SSL VPN Policy screen displays the IPv4 settings (see the next figure).
3.

Figure 189. Add SSL VPN Policy screen for IPv6
4. Complete the settings as explained in the following table:
Table 73. Add SSL VPN Policy screen settings
• Policy For. Select one of the following radio buttons to specify the type of SSL VPN policy:
  - Global. The new policy is global and includes all groups and users.
  - Group. The new policy is limited to a single group. From the drop-down list, select a group name.

Table 73. Add SSL VPN Policy screen settings (continued)
Apply Policy to? (continued): IP Address, IP Network
• Policy Name. A descriptive name of the SSL VPN policy for identification and management purposes.
• IP Address. The IPv4 or IPv6 address to which the SSL VPN policy is applied.

Table 73. Add SSL VPN Policy screen settings (continued)
Apply Policy to? (continued): All Addresses
• Policy Name. A descriptive name of the SSL VPN policy for identification and management purposes.
• Port Range / Port Number. A port (fill in the Begin field) or a range of ports (fill in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535.

Access the New SSL Portal Login Screen
All screens that you can access from the SSL VPN menu of the web management interface display a User Portal link in the upper right of the screen, above the menu bars. When you click the User Portal link, the SSL VPN default portal opens (see Figure 193 on page 291). This user portal is not the same as the new SSL portal login screen that you defined in Create the Portal Layout on page 270.

Figure 192.
4. Enter a user name and password that are associated with a domain that, in turn, is associated with the portal. For information about creating login credentials to access a portal, see Configure Domains, Groups, and Users on page 274.
5. Click Login. The User Portal screen displays.

Figure 194.
The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections:
• VPN Tunnel. Provides full network connectivity.
• Port Forwarding. Provides access to the network services that you defined as described in Configure Applications for Port Forwarding on page 275.
• Change Password. Allows the user to change his or her password.
• Support.

Figure 195.
The active user’s name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the user’s table entry.
To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 196.
7. Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. The chapter contains the following sections: • The VPN Firewall’s Authentication Process and Options • Configure Authentication Domains, Groups, and Users • Manage Digital Certificates for VPN Connections The VPN Firewall’s Authentication Process and Options Users are assigned to a group, and a group is assigned to a domain.

Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The following table summarizes the external authentication protocols and methods that the VPN firewall supports. Table 74.

Configure Authentication Domains, Groups, and Users • Configure Domains • Configure Groups • Configure User Accounts • Set User Login Policies • Change Passwords and Other User Settings Configure Domains The domain determines the authentication method to be used for associated users.

The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain), to which the default SSL VPN portal is assigned, is appended by an asterisk. • Authentication Type. The authentication method that is assigned to the domain. • Portal Layout Name. The SSL portal layout that is assigned to the domain.

Table 75. Add Domain screen settings (continued) Setting Description Authentication Type (continued) • Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the following fields: - Authentication Server - Authentication Secret Note: If you select any type of RADIUS • Radius-MSCHAP. RADIUS Microsoft CHAP.

Table 75. Add Domain screen settings (continued) Setting Description LDAP Base DN The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This should be a user in the LDAP directory who has read access to all the users that you would like to import into the VPN firewall. The Bind DN field accepts two formats: • A display name in the DN format. For example: cn=Jamie Hanson,cn=users,dc=test,dc=com.
Edit Domains To edit a domain: 1. Select Users > Domains. The Domains screen displays (see Figure 197 on page 296). 2. In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edit. The Edit Domains screen displays. This screen is very similar to the Add Domains screen (see the previous figure). 3. Modify the settings as explained in the previous table.

Create Groups To create a VPN group: 1. Select Users > Groups. The Groups screen displays. (The following figure shows the VPN firewall’s default group, geardomain, and, as an example, several other groups in the List of Groups table.) Figure 199. The List of Groups table displays the VPN groups with the following fields: • Check box. Allows you to select the group in the table. • Name. The name of the group.

3. Complete the settings as explained in the following table: Table 76. Add Group screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management purposes. Domain The drop-down list shows the domains that are listed on the Domain screen. From the drop-down list, select the domain with which the group is associated.

Configure User Accounts When you create a user account, you need to assign the user to a user group. When you create a group, you need to assign the group to a domain that specifies the authentication method. Therefore, you should first create any domains, then groups, and then user accounts. Note: IPSec VPN, L2TP, and PPTP users do not belong to a domain and are not assigned to a group.

Figure 201. The List of Users table displays the users and has the following fields: • Check box. Allows you to select the user in the table. • Name. The name of the user. If the user name is appended by an asterisk, the user is a default user that came preconfigured with the VPN firewall and cannot be deleted. • Group. The group to which the user is assigned. • Type. The type of access credentials that are assigned to the user.

3. Enter the settings as explained in the following table: Table 77. Add Users screen settings Setting Description User Name A descriptive (alphanumeric) name of the user for identification and management purposes. User Type From the drop-down list, select one of the predefined user types that determines the access credentials: • SSL VPN User. A user who can log in only to the SSL VPN portal. • Administrator.
Set User Login Policies You can restrict the ability of defined users to log in to the VPN firewall’s web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers.

Configure Login Restrictions Based on IPv4 Addresses To restrict logging in based on IPv4 addresses: 1. Select Users > Users. The Users screen displays (see Figure 201 on page 304). 2. In the Action column of the List of Users table, click the Policies table button for the user for which you want to set login policies. The policies submenu tabs display, with the Login Policies screen in view. 3. Click the By Source IP Address submenu tab.

6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table: Table 78. Defined addresses settings for IPv4 Setting Description Source Address Type Select the type of address from the drop-down list: • IP Address. A single IPv4 address. • IP Network. A subnet of IPv4 addresses. You need to enter a netmask length in the Mask Length field.

Figure 205. 5. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table. • Allow Login only from Defined Addresses. Allow logging in from the IP addresses in the Defined Addresses table. 6. Click Apply to save your settings. 7.

To delete one or more IPv6 addresses: 1. In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses. 2. Click the Delete table button. Configure Login Restrictions Based on Web Browser To restrict logging in based on the user’s browser: 1. Select Users > Users. The Users screen displays (see Figure 201 on page 304). 2.

6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list: • Internet Explorer. • Opera. • Netscape Navigator. • Firefox. Mozilla Firefox. • Mozilla. Other Mozilla browsers. 7. Click the Add table button. The browser is added to the Defined Browsers table. 8.
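The login policies described above (Defined Addresses with a Deny or Allow-only status, and Defined Browsers with the same two statuses) can be modelled to check what a given login attempt would be allowed to do before the policy is applied on the device. This is an added example, not NETGEAR code; the policy fields, the user-agent classification, and the sample values are assumptions chosen to mirror the screens described in this section.

```python
"""Model of the per-user Login Policies (By Source IP Address and By Web
Browser) from the VPN firewall's Users > Policies screens.  Added example
for illustration only; not the device's own implementation."""
import ipaddress
from dataclasses import dataclass, field


def defined_address(source_type, address, mask_length=None):
    """One row of the Defined Addresses table.

    source_type is the Source Address Type drop-down value:
      "IP Address" - a single host (IPv4 or IPv6)
      "IP Network" - a subnet; mask_length is the Mask Length field
    """
    if source_type == "IP Address":
        return ipaddress.ip_network(address)        # host route, /32 or /128
    if source_type == "IP Network":
        if mask_length is None:
            raise ValueError("IP Network requires a Mask Length")
        # strict=False so an address inside the subnet is accepted as entered
        return ipaddress.ip_network(f"{address}/{mask_length}", strict=False)
    raise ValueError(f"unknown Source Address Type: {source_type!r}")


# Order matters: Firefox and Netscape user agents also start with "Mozilla",
# so the more specific signatures are tested first.  Assumed signatures.
BROWSER_SIGNATURES = [
    ("Firefox/", "Firefox"),
    ("Netscape", "Netscape Navigator"),
    ("Opera", "Opera"),
    ("OPR/", "Opera"),
    ("MSIE", "Internet Explorer"),
    ("Trident/", "Internet Explorer"),
    ("Mozilla", "Mozilla"),              # other Mozilla browsers
]


def browser_family(user_agent):
    """Map a User-Agent string to a Defined Browsers drop-down entry."""
    for needle, family in BROWSER_SIGNATURES:
        if needle in user_agent:
            return family
    return "Unknown"


@dataclass
class LoginPolicy:
    disable_login: bool = False          # Login Policies: Disable Login
    address_status: str = "deny"         # "deny" or "allow_only"
    defined_addresses: list = field(default_factory=list)
    browser_status: str = "deny"         # "deny" or "allow_only"
    defined_browsers: set = field(default_factory=set)


def login_allowed(policy, source_ip, user_agent):
    """Return (allowed, reason) for one login attempt.

    Note the asymmetry a practitioner should keep in mind: with "deny" an
    empty table blocks nobody, with "allow_only" an empty table blocks
    everybody, including the administrator configuring the policy.
    """
    if policy.disable_login:
        return False, "login disabled for this user"

    ip = ipaddress.ip_address(source_ip)
    in_table = any(ip in net for net in policy.defined_addresses
                   if net.version == ip.version)
    if policy.address_status == "deny" and in_table:
        return False, f"{ip} is in the Defined Addresses table (deny)"
    if policy.address_status == "allow_only" and not in_table:
        return False, f"{ip} is not in the Defined Addresses table (allow only)"

    family = browser_family(user_agent)
    listed = family in policy.defined_browsers
    if policy.browser_status == "deny" and listed:
        return False, f"{family} is in the Defined Browsers table (deny)"
    if policy.browser_status == "allow_only" and not listed:
        return False, f"{family} is not in the Defined Browsers table (allow only)"

    return True, f"allowed from {ip} using {family}"


if __name__ == "__main__":
    # Constructed sample policy: management only from the 192.168.1.0/24 LAN,
    # and never from Internet Explorer.
    policy = LoginPolicy(
        address_status="allow_only",
        defined_addresses=[defined_address("IP Network", "192.168.1.0", 24)],
        browser_status="deny",
        defined_browsers={"Internet Explorer"},
    )
    ua = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
    print(login_allowed(policy, "192.168.1.77", ua))
    print(login_allowed(policy, "203.0.113.9", ua))
```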
To modify user settings, including passwords: 1. Select Users > Users. The Users screen displays (see Figure 201 on page 304). 2. In the Action column of the List of Users table, click the Edit table button for the user for which you want to modify the settings. The Edit Users screen displays: Figure 207. 3. Change the settings as explained in the following table: Note: Once established, you cannot change the user name or the group.

Table 80. Edit User screen settings (continued) Setting Description Check to Edit Password Select this check box to make the password fields accessible to modify the password. Idle Timeout Enter Your Password Enter the password with which you have logged in. New Password Enter the new password. Confirm New Password Reenter the new password for confirmation.

both the IPSec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository. The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities.

• Self Certificate Requests table. Contains the self-signed certificate requests that you generated. These requests might or might not have been submitted to CAs, and CAs might or might not have issued digital certificates for these requests. Only the self-signed certificates in the Active Self Certificates table are active on the VPN firewall (see Manage VPN Self-Signed Certificates on page 316). • Certificate Revocation Lists (CRL) table.

2. In the Upload Trusted Certificates section of the screen, click the Browse button and navigate to the trusted digital certificate file that you downloaded on your computer. 3. Click the Upload table button. If the verification process on the VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificates) table. To delete one or more digital certificates: 1.

VPN firewall. The CSR is a file that contains information about your company and about the device that holds the certificate. Refer to the CA for guidelines about the information that you need to include in your CSR. To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the VPN firewall: 1. Select VPN > Certificates. The Certificates screen displays.

Table 81. Generate self-signed certificate request settings (continued) Setting Description Signature Algorithm Although this seems to be a drop-down list, the only possible selection is RSA. In other words, RSA is the default to generate a CSR. Signature Key Length From the drop-down list, select one of the following signature key lengths in bits: • 512 • 1024 • 2048 Note: Larger key sizes might improve security, but might also decrease performance.

6. Submit your CSR to a CA: a. Connect to the website of the CA. b. Start the CSR procedure. c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”). d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA. 7. Download the digital certificate file from the CA, and store it on your computer. 8.

Manage the VPN Certificate Revocation List A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date. You should obtain the CRL for each CA regularly. To view the currently loaded CRLs and upload a new CRL: 1. Select VPN > Certificates. The Certificates screen displays.
8. Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall.

In practice, the WAN-side bandwidth capacity is much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates: • Load balancing mode. 6 Mbps (four WAN ports at 1.5 Mbps each) • Auto-rollover mode. 1.5 Mbps (one active WAN port at 1.5 Mbps) • Single WAN port mode. 1.5 Mbps (one active WAN port at 1.

The following section summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 133. For detailed procedures on how to configure outbound rules, see Configure LAN WAN Rules on page 140 and Configure DMZ WAN Rules on page 147.

For information about how to define bandwidth profiles, see Create Bandwidth Profiles on page 176. Content Filtering If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s content-filtering feature. By default, this feature is disabled; all requested traffic from any website is allowed.

On the LAN WAN screen, if you have not defined any rules, only the default rule is listed. The default LAN WAN inbound rule blocks all access from outside except responses to requests from the LAN side. WARNING: Incorrect configuration of inbound firewall rules can cause serious connection problems.

addresses to groups. For more information, see Create IP Groups on page 174. (LAN IP groups do not apply to DMZ WAN inbound rules.) • WAN users. You can specify which Internet locations are covered by an inbound rule, based on their IP address: - Any. The rule applies to all Internet IP addresses. - Single address. The rule applies to a single Internet IP address. - Address range. The rule applies to a range of Internet IP addresses. - IP Groups.

Exposed Hosts Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. For an example of how to set up an exposed host, see IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an Exposed Host on page 163. VPN, L2TP, and PPTP Tunnels The VPN firewall supports site-to-site IPSec VPN tunnels, dedicated SSL VPN tunnels, L2TP tunnels, and PPTP tunnels.

method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN links. For more information about bandwidth profiles, see Create Bandwidth Profiles on page 176.
Figure 213. 2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit Users screen displays: Figure 214. You cannot modify the administrator user name, user type, or group assignment. 3. Select the Check to Edit Password check box. The password fields become available. 4. Enter the old password, enter the new password, and then confirm the new password.

6. Click Apply to save your settings. 7. Repeat Step 1 through Step 6 for the user with the name guest. Note: After a factory defaults reset, the password and time-out value are changed back to password and 5 minutes, respectively. You can also change the administrator login policies: • Disable login. Deny login access. Note: You obviously do not want to deny login access to yourself if you are logged in as an administrator.

misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see Change Passwords and Administrator and Guest Settings on page 328). To configure the VPN firewall for remote management: 1. Select Administration > Remote Management. The Remote Management screen displays the IPv4 settings (see the next figure). 2. Specify the IP version for which you want to configure remote management: • IPv4.

Figure 216. Remote Management screen for IPv6 3. Enter the settings as explained in the following table: Table 82. Remote Management screen settings for IPv4 and IPv6 Setting Description Secure HTTP Management Allow Secure HTTP Management? To enable secure HTTP management, select the Yes radio button, which is the default setting. To disable secure HTTP management, select the No radio button. Note: The selected setting applies to all WAN interfaces.

Table 82. Remote Management screen settings for IPv4 and IPv6 (continued) Setting Description Telnet Management Allow Telnet Management? To enable Telnet management, select the Yes radio button. To disable Telnet management, select the No radio button, which is the default setting. Specify the addresses through which access is allowed by selecting one of the following radio buttons: • Everyone. There are no IP address restrictions. • IP address range.

Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert VPN firewall.mynetgear.net, and the WAN IP address that your ISP assigned to the VPN firewall is displayed.

To configure the SNMP settings: 1. Select Administration > SNMP. The SNMP screen displays. (The following figure contains an example.) Figure 217. The SNMPv3 Users table includes the default SNMPv3 users that are preconfigured on the VPN firewall. The SNMPv3 Users table shows the following columns: • Username. The default user names (admin or guest). • Access Type. Read-write user (RWUSER) or read-only user (ROUSER).

2. To specify a new SNMP configuration, in the Create New SNMP Configuration Entry section of the screen, configure the settings as explained in the following table: Table 83. SNMP screen settings Setting Description IP Address Enter the IP address of the new SNMP manager. Subnet Mask Enter the subnet mask of the new SNMP manager.

To delete one or more SNMP configurations: 1. On the SNMP screen (see Figure 217 on page 335), select the check box to the left of each SNMP configuration that you want to delete, or click the Select All table button to select all SNMP configurations. 2. Click the Delete table button. To edit the SNMPv3 default users: 1.

Table 84. Edit User screen settings for SNMPv3 users (continued) Setting Description Authentication Password The authentication password that an SNMPv3 user needs to enter to be granted access to the SNMP agent that collects the MIB objects from the VPN firewall.
Manage the Configuration File The configuration settings of the VPN firewall are stored in a configuration file on the VPN firewall. This file can be saved (backed up) to a computer, retrieved (restored) from the computer, cleared to factory default settings, or upgraded to a new version. Once the VPN firewall is installed and works correctly, make a backup of the configuration file to a computer.

Back Up Settings The backup feature saves all VPN firewall settings to a file. Back up your settings periodically, and store the backup file in a safe place. Tip: You can use a backup file to export all settings to another VPN firewall that has the same language and management software versions. Remember to change the IP address of the second VPN firewall before deploying it to eliminate IP address conflicts on the network. To back up settings: 1.

WARNING: Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the VPN firewall, shut down the computer, or do anything else to the VPN firewall until the settings have been fully restored.

Upgrade the Firmware You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade screen. To view the current version of the firmware that the VPN firewall is running, from the main menu, select Monitoring. The Router Status screen displays, showing the firmware version in the System Info section of the screen. After you have upgraded the firmware, the new firmware version is displayed.

Select the Firmware and Reboot the VPN Firewall After you have upgraded the firmware, the newly installed firmware is the active firmware, and the previously installed firmware has become the secondary firmware. However, you can still revert to the secondary firmware.

To set time, date, and NTP servers: 1. Select Administration > Time Zone. The Time Zone screen displays: Figure 222. The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current Time: Wednesday, June 20, 2012, 16:48:47 (GMT -0800)). 2. Enter the settings as explained in the following table: Table 86.

Table 86. Time Zone screen settings (continued) Setting Description Select NTP Mode In all three NTP modes, the VPN firewall functions both as a client and a server. The VPN firewall synchronizes its clock with the specified NTP server or servers and provides time service to clients. From the drop-down list, select the NTP mode: • Authoritative Mode. The VPN firewall synchronizes its clock with the specified NTP server or servers on the Internet.

Table 86. Time Zone screen settings (continued) Setting Description NTP Servers (custom) Server 1 Name / IP Address Enter the IP address or host name of the primary NTP server. Server 2 Name / IP Address Enter the IP address or host name of the backup NTP server. 3. Click Apply to save your settings.
9. Monitor System Access and Performance This chapter describes the system-monitoring features of the VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described.

Figure 223. 2. Enter the settings for the WAN1 interface as explained in the following table. If you want to configure the settings for another WAN interface, first select the associated tab for that interface. Table 87. WAN1 Traffic Meter screen settings Setting Description Enable Traffic Meter Do you want to enable Traffic Metering on WAN1? Select one of the following radio buttons to configure traffic metering: • Yes.

Table 87. WAN1 Traffic Meter screen settings (continued) Setting Description Do you want to enable Traffic Metering on WAN1? (continued) Monthly Limit Enter the monthly traffic volume limit in MB. The default setting is 0 MB. Increase this month limit by Select this check box to temporarily increase a previously specified monthly traffic volume limit, and enter the additional allowed volume in MB. The default setting is 0 MB.

screen displays the traffic meter’s start and end dates. If you did not configure the traffic meter, the start date is blank. Figure 224. Configure and Enable the LAN Traffic Meter If your ISP charges by traffic volume over a period and you need to charge the costs to individual accounts, or if you want to study the traffic volume that is requested or sent over a LAN IP address over a period, activate the traffic meter for individual LAN IP addresses.

3. Click the LAN Traffic Meter tab. The LAN Traffic Meter screen displays. (The following figure shows some examples in the LAN Traffic Meter Table.) Figure 226. The LAN Traffic Meter Table shows the following columns, all of which are explained in detail in the table that follows the next figure: • LAN IP Address. The LAN IP address that is subject to the traffic meter. • Direction. The direction for which traffic is measured. • Limit (MB).

Table 88. Add LAN Traffic Meter Account screen settings Setting Description Add LAN Traffic Meter Account LAN IP Address The LAN IP address for the account. Direction From the Direction drop-down list, select the direction in which traffic is measured: • Inbound traffic. Restrictions are applied to incoming traffic when the traffic limit is reached. • Both directions.

Figure 228. To edit a LAN traffic meter account: 1. In the LAN Traffic Meter Table, click the Edit table button to the right of the account that you want to edit. The Edit LAN Traffic Meter Account screen displays. This screen shows the same fields as the Add LAN Traffic Meter Account screen (see Figure 227 on page 351). 2. Modify the settings as explained in the previous table. 3. Click Apply to save your settings.

Figure 229.

2. Enter the settings as explained in the following table: Table 89. Firewall Logs & E-mail screen settings Setting Description Log Options Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to identify the device that sent the log messages. The default identifier is SRX5308.

Table 89. Firewall Logs & E-mail screen settings (continued) Setting Description Enable E-mail Logs Do you want logs to be emailed to you? Select the Yes radio button to enable the VPN firewall to email logs to a specified email address. Complete the fields that are shown on the right side of the screen. Select the No radio button to prevent the logs from being emailed, which is the default setting.

Table 89. Firewall Logs & E-mail screen settings (continued) Setting Description Enable SysLogs Do you want to enable syslog? To enable the VPN firewall to send logs to a specified syslog server, select the Yes radio button. Complete the fields that are shown on the right side of the screen. To prevent the logs from being sent, select the No radio button, which is the default setting. SysLog Server The IP address or FQDN of the syslog server.

Figure 230. You can refresh the logs, clear the logs, or send the logs to an email address. To view the DNS logs onscreen: 1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays. 2. Click the DNS Logs option arrow in the upper right of the Firewall Logs & E-mail screen. The DNS Logs screen displays: Figure 231. You can refresh the logs or clear the logs.

How to Send Syslogs over a VPN Tunnel between Sites To send syslogs from one site to another over a gateway-to-gateway VPN tunnel: 1. At Site 1, set up a syslog server that is connected to Gateway 1. 2. Set up a VPN tunnel between Gateway 1 at Site 1 and Gateway 2 at Site 2. 3. Change the remote IP address in the VPN policy on Gateway 1 to the WAN IP address of Gateway 2. 4.

4. In the Traffic Selector section of the screen, make the following changes: • From the Remote IP drop-down list, select Single. • In the Start IP fields, type 10.0.0.2, which is the WAN IP address of Gateway 2. 5. Click Apply to save the settings. Configure Gateway 2 at Site 2 To create a gateway-to-gateway VPN tunnel to Gateway 1, using the IPSec VPN wizard: 1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. 2.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 View Status Screens • View the System Status • View the VPN Connection Status, L2TP Users, and PPTP Users • View the VPN Logs • View the Port Triggering Status • View the WAN Port Status • View the Attached Devices and the DHCP Log View the System Status When you start up the VPN firewall, the default screen that displays is the Router Status screen.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Router Status Screen To view the Router Status screen: Select Monitoring > Router Status. The Router Status screen displays: Figure 232. The following table explains the fields of the Router Status screen: Table 90. Router Status screen information Item Description System Info System Name The NETGEAR system name. Firmware Version The currently installed firmware version. Secondary Firmware Version The secondary software version.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 90. Router Status screen information (continued) Item Description LAN (VLAN) IPv4 Information For each of the four LAN ports, the screen shows the IPv4 LAN address and subnet mask. For more detailed information, see Table 92 on page 366. LAN IPv6 Information MAC Address The MAC address of the VPN firewall. IPv6 Address The IPv6 LAN address that is assigned to the VPN firewall.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Router Statistics Screen To view the Router Statistics screen: 1. Select Monitoring > Router Status. The Router Status screen displays (see the previous figure). 2. Click the Show Statistics option arrow in the upper right of the Router Status screen. The Router Statistics screen displays: Figure 233. The following table explains the fields of the Router Statistics screen.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Detailed Status Screen To view the Detailed Status screen, select Monitoring > Router Status > Detailed Status. The Detailed Status screen displays: Figure 234.
The following table explains the fields of the Detailed Status screen: Table 92. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile The name of the VLAN profile that you assigned to the LAN port on the LAN Setup screen (see Assign and Manage VLAN Profiles on page 81).
Table 92. Detailed Status screen information (continued) Item Description DMZ IPv6 Configuration IPv6 Address The IPv6 address and prefix length for the DMZ. DHCP Status The status of the DHCPv6 server for the DMZ (Enabled or Disabled). Primary DNS Server The IPv6 address of the primary DNS server for the DMZ. For information about configuring the IPv6 DMZ, see DMZ Port for IPv6 Traffic on page 113.
Table 92. Detailed Status screen information (continued) Item Description IP Address The IPv4 address of the WAN port. For information about configuring the IPv4 address of the WAN port, see Configure the IPv4 Internet Connection and WAN Settings on page 28. IPv6 Address The IPv6 address and prefix length of the WAN port.
The following table explains the fields of the VLAN Status screen: Table 93. VLAN Status screen information Item Description Profile Name The unique name for the VLAN that you have assigned on the Add VLAN Profile screen. VLAN ID The identifier for the VLAN that you have assigned on the Add VLAN Profile screen.
The IPv6 Tunnel Status table shows the following fields: • Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for simple Internet transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in which x is an integer. • IPv6 Address. The IPv6 address of the local tunnel endpoint.
Figure 238. The active user’s user name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active connection, click the Disconnect table button to the right of the policy’s table entry. To view the active L2TP tunnel users: Select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays. (The following figure does not show any active users.
Figure 240. The List of PPTP Active Users table lists each active connection with the information that is described in the following table. Table 95. PPTP Active Users screen information Item Description Username The name of the PPTP user that you have defined (see Configure User Accounts on page 303). Remote IP The remote client’s IP address. PPTP IP The IP address that is assigned by the PPTP server on the VPN firewall.
To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 242. View the Port Triggering Status To view the status of the port triggering feature: 1. Select Security > Port Triggering. The Port Triggering screen displays. (The following figure shows one rule in the Port Triggering Rules table as an example.) Figure 243. 2.
Figure 244. The Port Triggering Status screen displays the information that is described in the following table: Table 96. Port Triggering Status screen information Item Description # The sequence number of the rule onscreen. Rule The name of the port triggering rule that is associated with this entry. LAN IP Address The IP address of the computer or device that is currently using this rule.
Figure 245. 2. In the Action column, click the Status button of the WAN interface for which you want to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration.) Figure 246. The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Table 97.
Table 97. Connection Status screen information for an IPv4 connection (continued) Item Description DHCP Server DHCP only. The DHCP server that was automatically detected. This field displays only if your ISP does not require a login and the IP address is acquired dynamically from your ISP. You have configured these ISP settings on the WAN IPv4 ISP Settings screen.
Figure 248. The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Table 98. Connection Status screen information for an IPv6 connection Item Description Connection Time The period that the VPN firewall has been connected through the WAN port.
View the Attached Devices To view the attached devices on the LAN Groups screen: Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays. (The following figure shows some examples in the Known PCs and Devices table.) Figure 249.
Note: If the VPN firewall is rebooted, the data in the Known PCs and Devices table is lost until the VPN firewall rediscovers the devices. View the DHCP Log To review the most recent entries in the DHCP log: 1. Select Network Configuration > LAN Settings. The LAN Setup screen displays the IPv4 settings (see Figure 48 on page 84). 2. Click the DHCP Log option arrow to the right of the LAN Setup tab. The DHCP Log screen displays: Figure 250.
Diagnostics Utilities • Send a Ping Packet • Trace a Route • Look Up a DNS Address • Display the Routing Tables • Capture Packets in Real Time • Reboot the VPN Firewall Remotely The VPN firewall provides diagnostic tools that help you analyze the status of the network and traffic conditions. Two types of tools are available: • Network diagnostic tools.
Figure 252. The various tasks that you can perform on the Diagnostics screen are explained in the following sections. Send a Ping Packet Use the ping utility to send a ping packet request in order to check the connection between the VPN firewall and a specific IP address or FQDN. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
To send a traceroute: 1. On the Diagnostics screen for IPv4, in the IP Address / Domain Name field of the Ping or Trace an IP Address section, enter the IP address or domain name that you want to trace; on the Diagnostics screen for IPv6, in the Domain Name field, enter the domain name that you want to trace (you cannot enter an IP address). 2. Click the Traceroute button. The results of the traceroute are displayed in a new screen.
Figure 253. 2. From the Select Network drop-down list, select the physical or virtual interface for which you want to capture packets. 3. Click Start. After a few seconds, the packet-tracing process starts, which is indicated by a message onscreen. 4. When you want to stop the packet-tracing process, click Stop. After a few seconds, the packet-tracing process stops, which is indicated by a message onscreen. 5. Click Download.
10. Troubleshooting This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the VPN firewall on? Go to Basic Functioning on page 385. • Have I connected the VPN firewall correctly? Go to Basic Functioning on page 385. • I cannot access the VPN firewall’s web management interface.
Note: The VPN firewall’s diagnostic tools are explained in Diagnostics Utilities on page 380. Basic Functioning • Power LED Not On • Test LED Never Turns Off • LAN or WAN Port LEDs Not On After you turn on power to the VPN firewall, verify that the following sequence of events occurs: 1. When power is first applied, verify that the Power LED is on. 2. After approximately 2 minutes, verify that: a. The Test LED is no longer lit. b.
If all LEDs are still on more than several minutes after power-up, do the following: • Turn off the power, and then turn it on again to see if the VPN firewall recovers. • Reset the VPN firewall’s configuration to factory default settings. Doing so sets the VPN firewall’s IP address to 192.168.1.1. This procedure is explained in Restore the Default Configuration and Password on page 393.
• Make sure that you are using the SSL https://address login rather than the http://address login. • Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded. • Try quitting the browser and launching it again. • Clear the browser’s cache. • Make sure that you are using the correct login information.
Troubleshoot the ISP Connection If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your VPN firewall requests an IP address from the ISP. You can determine whether the request was successful using the web management interface. To check the WAN IP address: 1.
assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information. For more information, see Manually Configure an IPv4 Internet Connection on page 33. • Your ISP allows only one Ethernet MAC address to connect to the Internet, and might check for your computer’s MAC address.
- Windows Server 2008 R2, all versions - Windows Server 2003, all versions - Windows Server 2003 R2, all versions - Linux and other UNIX-based systems with a correctly configured kernel - Mac OS X • Make sure that IPv6 is enabled on the computer. On a computer that runs a Windows-based operating system, do the following (note that the steps might differ on the various Windows operating systems): a.
c. Click or double-click View status of this connection. The Local Area Connection Status screen displays: Figure 255. d. Make sure that Internet access shows for the IPv6 connection. (The previous figure shows that there is no Internet access.) e. Click Details. The Network Connection Details screen displays: Figure 256.
f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80.
Test the Path from Your Computer to a Remote Device After verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows Run dialog box, type: ping -n 10 in which is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed.
Figure 257. b. In the Backup / Restore Settings section of the screen, click the Default button. The VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible, or a status message with a counter might show the number of seconds left until the reboot process is complete. The reboot process takes about 160 seconds.
Address Problems with Date and Time The System Date & Time screen displays the current date and time of day (see Configure Date and Time Service on page 343). The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several network time servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include: • Date shown is January 1, 2000.
A. Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the VPN firewall in the following sections: • Factory Default Settings • Physical and Technical Specifications Factory Default Settings You can use the factory default Reset button located on the rear panel to reset all settings to their factory defaults.
Table 99. VPN firewall factory default configuration settings (continued) Feature Default Behavior WAN settings WAN IPv4 mode (all WAN interfaces) NAT WAN IPv4 load balancing settings (all WAN interfaces) Primary WAN mode WAN IPv6 mode (all WAN interfaces) IPv4 only mode Stateless IP/ICMP Translation (SIIT) Disabled WAN MAC address (all WAN interfaces) Use default MAC addresses of the VPN firewall.
Table 99. VPN firewall factory default configuration settings (continued) Feature Default Behavior DMZ DHCP IPv4 starting address 176.16.2.100 DMZ DHCP IPv4 ending address 176.16.2.
Table 99.
Table 99.
Table 99. VPN firewall factory default configuration settings (continued) Feature Default Behavior RADIUS settings Primary RADIUS server Disabled and none configured Secondary RADIUS server Disabled and none configured RADIUS time-out period 30 seconds RADIUS maximum retry count 4 SSL VPN settings SSL VPN IPv4 client address range 192.168.251.1–192.168.251.
Physical and Technical Specifications The following table shows the physical and technical specifications for the VPN firewall: Table 100. VPN firewall physical and technical specifications Feature Specification Network protocol and standards compatibility Data and Routing Protocols TCP/IP, RIP-1, RIP-2, PPP over Ethernet (PPPoE), DHCP, DHCPv6 Power adaptor Universal input 100–240V, AC/50–60 Hz, 1.
The following table shows the IPSec VPN specifications for the VPN firewall: Table 101. VPN firewall IPSec VPN specifications Setting Specification Network Management Web-based configuration and status monitoring Number of concurrent users supported 125 IPSec authentication algorithm SHA-1, MD5 IPSec encryption algorithm DES, 3DES, AES-128, AES-192, AES-256 IPSec key exchange IKE, manual key, pre-shared key, X.
B. Network Planning for Multiple WAN Ports (IPv4 Only) This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port.
• Protocol binding. - For auto-rollover mode, protocol binding does not apply. - For load balancing mode, decide which protocols should be bound to a specific WAN port. - You can also add your own service protocols to the list. 2. Set up your accounts. a. Obtain active Internet services such as DSL broadband accounts, and locate the Internet service provider (ISP) configuration information.
Cabling and Computer Hardware Requirements For you to use the VPN firewall in your network, each computer needs to have an Ethernet network interface card (NIC) installed and needs to be equipped with an Ethernet cable. If the computer will connect to your network at 100 Mbps or higher speeds, you need to use a Category 5 (Cat 5) cable. Computer Network Configuration Requirements The VPN firewall integrates a web management interface.
After you have located your Internet configuration information, you might want to record the information in the following section. Internet Connection Information Print this page with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP. _________________________________________________________________________ • ISP login name.
Overview of the Planning Process The areas that require planning when you use a firewall that has multiple WAN ports such as the VPN firewall include the following: • Inbound traffic (port forwarding, port triggering) • Outbound traffic (protocol binding) • Virtual private networks (VPNs) Two WAN ports can be configured on a mutually exclusive basis to do either of the following: • Auto-rollover for increased reliability • Load balance for outgoing
Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port need to be in the identical range of fixed addresses. • Dual WAN ports in load balancing mode. Load balancing for a VPN firewall with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address.
Figure 261. Inbound Traffic to a Dual WAN Port System The IP address range of the VPN firewall’s WAN port needs to be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled. Inbound Traffic: Dual WAN Ports for Improved Reliability In a dual WAN port auto-rollover configuration, the WAN port’s IP address always changes when a rollover occurs.
Figure 263. Virtual Private Networks • VPN Road Warrior (Client-to-Gateway) • VPN Gateway-to-Gateway • VPN Telecommuter (Client-to-Gateway through a NAT Router) When implementing virtual private network (VPN) tunnels, you need to use a mechanism for determining the IP addresses of the tunnel endpoints.
• Dual WAN ports in auto-rollover mode. A gateway configuration with dual WAN ports that function in auto-rollover mode is different from a gateway configuration with a single WAN port when you specify the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes.
VPN Road Warrior: Single-Gateway WAN Port (Reference Case) In a single WAN port gateway configuration, the remote computer client initiates the VPN tunnel because the IP address of the remote computer client is not known in advance. The gateway WAN port needs to act as the responder. Figure 266. The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, an FQDN needs to be used.
Figure 268. The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote computer client can determine the gateway IP address to establish or reestablish a VPN tunnel.
VPN Gateway-to-Gateway The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall: • Single-gateway WAN ports • Redundant dual-gateway WAN ports for increased reliability (before and after rollover) • Dual-gateway WAN ports for load balancing VPN Gateway-to-Gateway: Single-Gateway WAN Ports (Reference Case) In a configuration with two single WAN port gateways, either gatew
Figure 271. The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (that is, the IP address of the active WAN ports is not known in advance).
Figure 273. The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Telecommuter (Client-to-Gateway through a NAT Router) Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you need to use an FQDN. If the IP address is fixed, an FQDN is optional.
VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing In a gateway configuration with dual WAN ports that function in load balancing mode, the remote computer client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The selected gateway WAN port needs to act as the responder.
C. System Logs and Error Messages This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided. This appendix contains the following sections: • System Log Messages • Routing Logs • Other Event Logs • DHCP Logs This appendix uses the following log message terms. Table 105. Log message terms Term Description [SRX5308] System identifier. [kernel] Message from the kernel.
System Log Messages • NTP • Login/Logout • System Startup • Reboot • Firewall Restart • IPSec Restart • Unicast, Multicast, and Broadcast Logs • WAN Status • Resolved DNS Names • VPN Log Messages • Traffic Meter Logs This section describes log messages that belong to one of the following categories: • Logs generated by traffic that is meant for the VPN firewall.
Table 106. System logs: NTP (continued) Explanation Message 1: DNS resolution for the NTP server (time-f.netgear.com). Message 2: Request for NTP update from the time server. Message 3: Adjust time by re-setting system time. Message 4: Display date and time before synchronization, that is, when resynchronization started. Message 5: Display the new updated date and time. Message 6: Next synchronization will be after the specified time.
Reboot This section describes the log message generated during system reboot. Table 109. System logs: reboot Message Nov 25 19:42:57 [SRX5308] [reboot] Rebooting in 3 seconds Explanation Log generated when the system is rebooted from the web management interface. Recommended action None Firewall Restart This section describes logs that are generated when the VPN firewall restarts. Table 110.
ICMP Redirect Logs Table 113. System logs: unicast, redirect Message Feb 2007 22 14:36:07 [SRX5308] [kernel] [LOG_PACKET] SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1 Explanation • This packet is an ICMP redirect message sent to the device by another device. • For other settings, see Table 105 on page 420.
Table 115. System logs: WAN status, load balancing (continued) Explanation Message 1 and Message 2 indicate that both the WANs are restarted. Message 3: This message shows that both the WANs are up and the traffic is balanced between the two WAN interfaces. Messages 4, 5, and 6: These messages show that one of the WAN links is down, and that restarting the WAN link does not resolve the situation.
Table 116. System logs: WAN status, auto-rollover (continued) Explanation The logs suggest that the failover was detected after 5 attempts instead of 3. However, the messages appear in the log because of the WAN state transition logic, which is part of the failover algorithm. These logs can be interpreted as follows: The primary link failure is correctly detected after the 3rd attempt.
Table 117. System logs: WAN status, PPPoE idle time-out (continued) Explanation Message 1: PPPoE connection started. Message 2: Message from PPPoE server for correct login. Message 3: Authentication for PPP succeeded. Message 4: Local IP address assigned by the server. Message 5: Server side IP address. Message 6: The primary DNS server that is configured on the WAN ISP Settings screen.
PPP Authentication Logs Table 119. System logs: WAN status, PPP authentication Message Nov 29 11:29:26 [SRX5308] [pppd] Starting link Nov 29 11:29:29 [SRX5308] [pppd] Remote message: Login incorrect Nov 29 11:29:29 [SRX5308] [pppd] PAP authentication failed Nov 29 11:29:29 [SRX5308] [pppd] Connection terminated.WAN2(DOWN)_ Explanation Starting link: Starting PPPoE connection process.
Table 121.
Table 122. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel is reestablished Message 1 2000 Jan 1 04:32:25 [SRX5308] [IKE] Sending Informational Exchange: delete payload[]_ Messages 2 through 6 2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi= 181708762._ 2000 Jan 1 04:32:25 [SRX5308] [IKE] purged IPSec-SA proto_id=ESP spi= 153677140.
Table 123. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel not reestablished Message 2000 Jan 1 04:52:33 [SRX5308] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24_ 2000 Jan 1 04:52:33 [SRX5308] [IKE] Configuration found for 20.0.0.1._ 2000 Jan 1 04:52:59 [SRX5308] [IKE] Phase 1 negotiation failed due to time up for 20.0.0.1[500].
Table 125. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec), VPN tunnel torn down Message 1 Message 2 Message 3 2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to peer 192.168.10.2 failed 3 consecutive times and 5 times cumulative_ 2000 Jan 1 06:01:19 [SRX5308] [IKE] DPD R-U-THERE sent to "20.0.0.1[500]"_ 2000 Jan 1 06:01:19 [SRX5308] [IKE] DPD R-U-THERE-ACK received from "20.0.0.
Table 127. System logs: IPSec VPN tunnel, client policy behind a NAT device Message 3 Message 6 2000 Jan 1 01:54:21 [SRX5308] [IKE] Floating ports for NAT-T with peer 20.0.0.1[4500]_ 2000 Jan 1 01:54:21 [SRX5308] [IKE] NAT-D payload matches for 20.0.0.2[4500]_ 2000 Jan 1 01:54:21 [SRX5308] [IKE] NAT-D payload does not match for 20.0.0.1[4500]_ 2000 Jan 1 01:54:21 [SRX5308] [IKE] Ignore REPLAY-STATUS notification from 20.0.0.1[4500].
Table 130. System logs: VPN log messages, port forwarding, LAN host and interface Message 2000 Jan 1 01:35:41 [SRX5308] [portforwarding] id=SRX5308 time="2000-1-1 1:35:41" fw=192.168.11.1 pri=6 rule=access-policy proto="Virtual Transport (Java)" src=192.168.11.2 user=sai dst=192.168.11.1 arg= "" op="" result="" rcvd="" msg="Virtual Transport (Java)" Explanation An SSL VPN tunnel through port forwarding is established for ID SRX5308 from the LAN host 192.
LAN to WAN Logs Table 132. Routing logs: LAN to WAN Message Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from LAN to WAN has been allowed by the firewall. • For other settings, see Table 105 on page 420. Recommended action None LAN to DMZ Logs Table 133.
DMZ to LAN Logs Table 136. Routing logs: DMZ to LAN Message Nov 29 09:44:06 [SRX5308] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC= 192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from DMZ to LAN has been dropped by the firewall. • For other settings, see Table 105 on page 420. Recommended action None WAN to DMZ Logs Table 137.
Source MAC Filter Logs Table 139. Other event logs: source MAC filter logs Message 2000 Jan 1 06:40:10 [SRX5308] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0 Explanation Because MAC address 00:12:3f:34:41:14 of LAN host with IP address 192.168.11.
Table 142. DHCP logs Message 1 Message 2 Message 3 Message 4 Message 5 Message 6 Message 7 2000 Jan 1 07:27:28 [SRX5308] [dhcpd] Listening on LPF/eth0.1/00:11:22:78:89:90/192.168.11/24 2000 Jan 1 07:27:37 [SRX5308] [dhcpd] DHCPRELEASE of 192.168.10.2 from 00:0f:1f:8f:7c:4a via eth0.1 (not found) 2000 Jan 1 07:27:47 [SRX5308] [dhcpd] DHCPDISCOVER from 00:0f:1f:8f:7c:4a via eth0.1 2000 Jan 1 07:27:48 [SRX5308] [dhcpd] DHCPOFFER on 192.168.11.
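The kernel, pppd, VPNKA and dhcpd messages in the tables of this appendix share one layout: a timestamp, the [SRX5308] system identifier, a [facility] tag and a message body (see Table 105 on page 420), and the kernel routing and filter messages add a CHAIN[ACCEPT|DROP] marker followed by KEY=VALUE fields. The following added Python example, which is not part of this manual or of the NETGEAR firmware, parses that layout and pulls out the events worth reviewing from a syslog export: dropped packets per chain, source MAC filter hits, ICMP redirects, PPP authentication failures and VPN keep-alive failures. The SAMPLE_LOG lines are constructed after the message formats shown in Tables 113, 119, 125, 132, 136, 139 and 142.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines, modelled on the message formats in this appendix
SAMPLE_LOG = """\
Nov 29 09:19:43 [SRX5308] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:44:06 [SRX5308] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC= 192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
2000 Jan 1 06:40:10 [SRX5308] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0
Feb 2007 22 14:36:07 [SRX5308] [kernel] [LOG_PACKET] SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1
Nov 29 11:29:29 [SRX5308] [pppd] Remote message: Login incorrect
Nov 29 11:29:29 [SRX5308] [pppd] PAP authentication failed
2000 Jan 1 06:01:18 [SRX5308] [VPNKA] Keep alive to peer 192.168.10.2 failed 3 consecutive times and 5 times cumulative
2000 Jan 1 07:27:47 [SRX5308] [dhcpd] DHCPDISCOVER from 00:0f:1f:8f:7c:4a via eth0.1
"""

# timestamp, [system identifier], [facility], body; the timestamp format varies between tables,
# so everything up to the first bracketed token is taken as the timestamp
HEADER_RE = re.compile(r"^(?P<ts>.+?)\s+\[(?P<sysid>[^\]]+)\]\s+\[(?P<facility>[^\]]+)\]\s+(?P<body>.*)$")
# kernel bodies start with CHAIN[ACCEPT|DROP] (routing and filter logs) or a bare [TAG] such as [LOG_PACKET]
CHAIN_RE = re.compile(r"^(?:\[(?P<tag>[A-Z_]+)\]|(?P<chain>[A-Z0-9_]+)\[(?P<action>ACCEPT|DROP)\])")
# KEY=VALUE fields; "SRC MAC = xx" contains spaces, and "SRC= 1.2.3.4" appears in some printed samples
KV_RE = re.compile(r"(SRC MAC|[A-Z]+)\s*=\s*(\S+)")


@dataclass
class LogEvent:
    timestamp: str
    facility: str
    body: str
    chain: str = ""          # e.g. LAN2WAN, DMZ2LAN, SRC_MAC_MATCH, LOG_PACKET
    action: str = ""         # ACCEPT or DROP for routing/filter logs, empty otherwise
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one SRX5308 syslog line; returns None for lines that do not follow the layout."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ev = LogEvent(m["ts"], m["facility"], m["body"])
    if ev.facility == "kernel":
        c = CHAIN_RE.match(ev.body)
        if c:
            ev.chain = c["chain"] or c["tag"] or ""
            ev.action = c["action"] or ""
        ev.fields = {k: v for k, v in KV_RE.findall(ev.body)}
    return ev


def summarize(text: str) -> dict:
    """Count drops per chain and collect the events a reviewer should look at."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    drops: Counter = Counter()
    findings = []
    for e in events:
        if e.action == "DROP":
            drops[e.chain] += 1
            if e.chain == "SRC_MAC_MATCH":
                findings.append(f"source MAC filter blocked {e.fields.get('SRC MAC')} "
                                f"({e.fields.get('SRC')} -> {e.fields.get('DST')})")
        elif e.chain == "LOG_PACKET" and e.fields.get("PROTO") == "ICMP" and e.fields.get("TYPE") == "5":
            # ICMP type 5 is a redirect; unexpected redirects on the LAN deserve a look (Table 113)
            findings.append(f"ICMP redirect from {e.fields['SRC']} to {e.fields['DST']}")
        elif e.facility == "pppd" and "authentication failed" in e.body:
            findings.append(f"PPP authentication failed at {e.timestamp}: {e.body}")
        elif e.facility == "VPNKA" and "failed" in e.body:
            findings.append(f"VPN keep-alive failure at {e.timestamp}: {e.body}")
    return {"events": len(events), "drops": dict(drops), "findings": findings}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['events']} events, drops per chain: {report['drops']}")
    for line in report["findings"]:
        print(" -", line)
```

The parser keys on the facility tag rather than on the message text wherever it can, so lines from the other facilities in this appendix ([IKE], [reboot], [portforwarding]) pass through as plain events and can be given their own rules in summarize without touching the regular expressions.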
D. Two-Factor Authentication This appendix provides an overview of two-factor authentication, and an example of how to implement the WiKID solution.
• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products. • Proven regulatory compliance. Two-factor authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
Here is an example of how WiKID works: To use WiKID (for end users): 1. Launch the WiKID token software, enter the PIN that has been provided (something the user knows), and then click Continue to receive the OTP from the WiKID authentication server: Figure 278. 2. A one-time passcode (something the user has) is generated. Figure 279.
3. Proceed to the 2 Factor Authentication login screen, and enter the one-time passcode as the login password. Figure 280.
E. Notification of Compliance (Wired) NETGEAR Wired Products Regulatory Compliance Information This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may result in unlawful operation and adverse action against the end-user by the applicable National regulatory authority.
FCC Radio Frequency Interference Warnings & Instructions This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Additional Copyrights AES Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer. 2.
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc.
Index Numerics AES (Advanced Encryption Standard) IKE policy settings 229 Mode Config settings 246 SNMPv3 user settings 338 VPN policy settings 237–238 application level gateway (ALG) 171 ARP (Address Resolution Protocol) broadcasting, configuring 89 requests 91 arrows, option (web management interface) 23 attached devices monitoring with SNMP 334 viewing 378 attack checks 166–169 authentication for IPSec VPN pre-shared key 200, 204, 208, 230 RSA signature 230 for SSL VPN 298 See also AD (Active Directory)
B client identifier 37 command-line interface (CLI) 19, 334 community strings, SNMP 336 compatibility, protocols and standards 402 compliance, regulatory 443–446 concatenating IPv6 addresses 64 configuration file, managing 339–341 configuration manager (web management interface) login 21 menu 23 configuration settings, defaults 396–401 congestion priority, WAN QoS profile 75 connection reset, PPPoE broadband connection 36 connection type and state (WAN), v
firewall rules 132 group, users 300 idle time-out periods groups 302 L2TP server 266 PPTP server 264 users 305 IPSec VPN Wizard 199 IPv4 gateway 37 IPv4 routing mode 28 IPv6 gateway 58 IPv6 routing mode 52 LAN group 93 LAN IPv6 address 100 LAN IPv6 prefix length 100 load balancing method 40 login time-out 22 MAC address setting 70 MAC address sharing 88 MTU 69 NTP servers 345 password 22, 393 port number LDAP server 87 port speed 70 portal address, SSL VPN
failure detection method 44–46 fe80 and fec0 IPv6 addresses 97 firewall attack checks 166–169 bandwidth profiles 176–178 custom services 172 default settings 398 inbound rules. See inbound rules. outbound rules. See outbound rules. overview 14 QoS LAN profiles 179–181 rules See also inbound rules. See also outbound rules.
H Interior Gateway Protocol (IGP) 124 Internet configuration requirements 406 form to save connection information 407 Internet connection configuring 26 default settings 397 Internet connectivity, testing 78 Internet Control Message Protocol (ICMP) time-out 170 type 173 Internet Key Exchange. See IKE policies.
DMZ advertisements 121 DMZ DHCPv6 address pools 117 IPSec VPN policies 237 ISP address 58 LAN address 100 LAN advertisements 107 LAN DHCPv6 address pools 102 LAN prefix delegation 103 secondary LAN IP address 109 SSL VPN policies 288 static routes 128 IPv6 prefix lifetimes DMZ advertisements 121 LAN advertisements 107 IPv6 prefixes 6to4 tunnel 63 DMZ advertisements 121 ISATAP tunnels 65 LAN advertisements 107 IPv6 tunnel status and addresses, viewing 66 IPv
bandwidth capacity 321 default port MAC addresses 366 default settings 398 groups, assigning and managing 93–96 IPv4 settings, configuring 81 IPv6 settings, configuring 99 Known PCs and Devices table 93–94 network database 91–95 port status, viewing 366 prefix delegation (IPv6) 98, 103 secondary IPv4 addresses 89–91 secondary IPv6 addresses 108–109 testing the LAN path 392 LAN groups, keyword blocking 184 LAN LEDs 18, 386 LAN ports, described 17 LAN profile
metric static IPv4 routes 124 static IPv6 routes 129 MIAS (Microsoft Internet Authentication Service) described 295 MIAS-CHAP and MIAS-PAP 298 Mode Config operation configuring 244–251 record 228 monitoring default settings 401 MTU (maximum transmission unit) default 69 IPv6 DMZ packets 120 IPv6 LAN packets 106 multicast pass-through 168 multihome LAN addresses IPv4, configuring 89–91 IPv6, configuring 108–109 multiple WAN ports auto-rollover and load balan
WiKID pass-through, multicast 168 passwords changing 311, 328 default 22 restoring 393 Perfect Forward Secrecy (PFS) 239, 246 performance management 321 permanent addresses IPv4 address 32, 37 IPv6 address 58 PFS (Perfect Forward Secrecy) 239, 246 physical specifications 402 pinging auto-rollover 44 checking connections 381 responding on Internet ports 167 responding on LAN ports 167 troubleshooting TCP/IP 392 using the ping utility 381 pinouts, console por
described 295 MSCHAP(v2), domain authentication 298 RADIUS servers configuring 242–243 edge devices 241 RADVD (Router Advertisement Daemon) DMZ, configuring for 117 LAN, configuring for 104 RAs (router advertisements) DMZ, configuring for 119 LAN, configuring for 105 rate control profile, WAN traffic 72–76 rate-limiting, forwarded traffic 71 read-only and read-write access 303 rebooting with different firmware 343 with same firmware 383 reducing traffic 322
IPv6 (IPv4-only and IPv4/IPv6) 52 routing table adding static IPv4 routes 122 adding static IPv6 routes 127 displaying 382 RSA signatures 230 rules See inbound rules. See outbound rules.
stateless and stateful IPv6 addresses, autoconfiguration 54, 100, 115 Stateless IP/ICMP Translation (SIIT) 66 static addresses IPv4 address 32, 37 IPv6 address 58 static routes IPv4 routes configuring 122–127 routing table 122 IPv6 routes configuring 127–129 routing table 127 statistics, viewing 364 status screens 361–379 stealth mode 167 stratum, NTP servers 345 submenu tabs (web management interface) 23 SYN flood 167 syslog server 357 system date and time
U viewing 369 port-based 80 profiles, configuring 83–88 VoIP (voice over IP) sessions 171 VPN client Configuration Wizard, using 210 configuring manually 214 Mode Config tunnel, opening 258 Mode Config, configuring 251 tunnel, opening 221 VPN IPSec Wizard. See IPSec VPN Wizard.
pre-shared key client-to-gateway tunnel 208 gateway-to-gateway tunnel 200, 204 IKE policy settings 230 Road Warrior auto-rollover 413 load balancing 414 single WAN port mode 413 rollover See auto-rollover mode.