ProSecure Unified Threat Management (UTM) Appliance Reference Manual
350 East Plumeria Drive, San Jose, CA 95134 USA
September 2011
202-10780-01
© 2009–2011 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.
Technical Support
Thank you for choosing NETGEAR.
202-10674-02, version 1.0, March 2011:
• Addition of the UTM150.
• Removal of platform-specific chapters and sections because the UTM5, UTM10, and UTM25 now support the same web management interface menu layout that was already supported on the UTM50.
Contents
Chapter 1 Introduction
What Is the ProSecure Unified Threat Management (UTM) Appliance? ... 13
Key Features and Capabilities ... 14
Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing ... 15
Wireless Features ... 15
DSL Features
Web Management Interface Menu Layout ... 40
Use the Setup Wizard to Perform the Initial Configuration ... 42
Setup Wizard Step 1 of 10: LAN Settings ... 43
Setup Wizard Step 2 of 10: WAN Settings ... 46
Setup Wizard Step 3 of 10: System Date and Time
Configure and Enable the DMZ Port ... 112
Manage Routing ... 115
Configure Static Routes ... 116
Configure Routing Information Protocol ... 118
Static Route Example
Configure Web Content Filtering ... 199
Configure Web URL Filtering ... 206
HTTPS Scan Settings ... 209
Manage Digital Certificates for HTTPS Scans ... 213
Specify Trusted Hosts
Chapter 8 Virtual Private Networking Using SSL Connections
SSL VPN Portal Options ... 306
Use the SSL VPN Wizard for Client Configurations ... 307
SSL VPN Wizard Step 1 of 6 (Portal Settings) ... 308
SSL VPN Wizard Step 2 of 6 (Domain Settings)
Use QoS and Bandwidth Assignments to Shift the Traffic Mix ... 396
Monitoring Tools for Traffic Management ... 396
System Management ... 397
Change Passwords and Administrator and Guest Settings ... 397
Configure Remote Management Access
(All UTM Models Except the UTM9S) ... 483
Use the Network Diagnostic Tools (UTM9S) ... 484
Use the Real-Time Traffic Diagnostics Tool (All UTM Models Except the UTM9S) ... 486
Use the Real-Time Traffic Diagnostics Tool (UTM9S)
Configure the Basic Radio Settings ... 531
Operating Frequency (Channel) Guidelines ... 534
Wireless Data Security Options ... 534
Wireless Security Profile ... 536
Before You Change the SSID, WEP, and WPA Settings
Reboot ... 583
Service Logs ... 583
NTP ... 584
Login/Logout ... 584
Firewall Restart
1. Introduction
This chapter provides an overview of the features and capabilities of the NETGEAR ProSecure™ Unified Threat Management (UTM) Appliance.
The UTM provides advanced IPSec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds. The UTM is a plug-and-play device that can be installed and configured within minutes.
Key Features and Capabilities
The UTM provides the following key features and capabilities:
• For the single WAN port models, a single 10/100/1000 Mbps Gigabit Ethernet WAN port.
Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing
The UTM product line offers models with two broadband WAN ports. The second WAN port allows you to connect a second broadband Internet line that can be configured on a mutually exclusive basis to:
• Provide backup and rollover if one line is inoperable, ensuring that you are never disconnected.
• Load balance, or use both Internet lines simultaneously for outgoing traffic.
Advanced VPN Support for Both IPSec and SSL
The UTM supports IPSec and SSL virtual private network (VPN) connections.
• IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
- IPSec VPN with broad protocol support for secure connection to other IPSec gateways and clients.
This multithreaded approach, in which the receiving, scanning, and delivering processes occur concurrently, ensures that network performance remains unimpeded. The result is that file scanning is up to five times faster than with traditional antivirus solutions—a performance advantage that you will notice. Stream Scanning also enables organizations to withstand massive spikes in traffic, as in the event of a malware outbreak.
Ethernet network. The four LAN and one or two WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The UTM incorporates Auto Uplink™ technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection, such as to a PC, or an uplink connection, such as to a switch or hub. That port then configures itself correctly.
• IPSec VPN Wizard. The UTM includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
• SSL VPN Wizard.
Table 1.
Figure 1.
Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Register the UTM with NETGEAR on page 62), the license keys are erased. The license keys and the different types of licenses that are available for the UTM are no longer displayed on the Registration screen.
• Resource CD, including:
- Application Notes and other helpful information
- ProSafe VPN Client software (VPN01L) (depends on the UTM model)
• Service Registration Card with license key(s)
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.
Figure 2. Front panel UTM5 and UTM10 (callouts: Power LED, USB port, Test LED, DMZ LED, left LAN LEDs, left WAN LED, right WAN LED, right LAN LEDs)
Front Panel UTM25
Viewed from left to right, the UTM25 front panel contains the following ports:
• One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM.
• LAN Ethernet ports.
Front Panel UTM50
Viewed from left to right, the UTM front panel contains the following ports (see the following figure, which shows a multiple WAN port model, the UTM25):
• One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM.
• LAN Ethernet ports. Six switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
Figure 5. Front panel UTM150 (callouts: Power LED, left WAN LEDs, left LAN LEDs, USB port, DMZ LED, Active WAN LEDs, Test LED, right WAN LEDs, right LAN LEDs)
Front Panel UTM9S and Modules
Viewed from left to right, the UTM9S front panel contains the following ports and slots:
• One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM9S.
• LAN Ethernet ports.
Figure 6. Front panel UTM9S (callouts: Slot 1, left WAN LEDs, Power LED, Slot 2, left LAN LEDs, USB port, DMZ LED, Test LED, USB LED, right LAN LEDs, Active WAN LEDs, right WAN LEDs)
UTM9SDSL xDSL Module
The following xDSL modules are available for insertion in one of the UTM9S slots:
• UTM9SDSLA. VDSL/ADSL2+ module, Annex A.
• UTM9SDSLB. VDSL/ADSL2+ module, Annex B.
The xDSL module provides one RJ-11 port for connection to a telephone line.
Figure 8. UTM9SWLSN wireless module
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150
The following table describes the function of each LED.
Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150
LED | Activity | Description
Power LED | On (green) | Power is supplied to the UTM.
Power LED | Off | Power is not supplied to the UTM.
Test LED | On (amber) during Test mode | The UTM is initializing.
Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150 (continued)
LED | Activity | Description
LAN LED (link) | Off | The LAN port has no link.
LAN LED (link) | On (green) | The LAN port has detected a link with a connected Ethernet device.
LAN LED (link) | Blinking (green) | Data is being transmitted or received by the LAN port.
LAN LED (speed) | Off | The LAN port is operating at 10 Mbps.
LAN LED (speed) | On (amber) | The LAN port is operating at 100 Mbps.
LAN LED (speed) | On (green) | The LAN port is operating at 1000 Mbps.
Table 3. LED descriptions UTM9S (continued)
LED | Activity | Description
Test LED | On (amber) during Test mode | The UTM is initializing. After approximately 2 minutes, when the UTM has completed its startup initialization, the Test LED goes off.
Test LED | On (amber) at any other time | The initialization has failed, or a hardware failure has occurred.
USB LED | Blinking (amber) | The UTM is writing to flash memory (during upgrading or resetting to defaults).
Table 3. LED descriptions UTM9S (continued)
LED | Activity | Description
Wireless Link LED | Off | The wireless access point is not enabled.
Wireless Link LED | On (green) | The wireless access point is enabled in 2.4-GHz operating mode.
Wireless Link LED | Blinking (green) | There is wireless activity in 2.4-GHz operating mode.
Wireless Link LED | On (yellow) | The wireless access point is enabled in 5-GHz operating mode.
Wireless Link LED | Blinking (yellow) | There is wireless activity in 5-GHz operating mode.
Rear Panel UTM50 and UTM150
The rear panel of the UTM includes a cable lock receptacle, a console port, a factory default Reset button, and an AC power connection.
Figure 10. Rear panel of the UTM50 and UTM150 (callouts: console port, Factory Defaults reset button, security lock receptacle, AC power receptacle)
Viewed from left to right, the rear panel of the UTM50 and UTM150 contains the following components:
1. Console port.
Viewed from left to right, the rear panel of the UTM9S contains the following components:
1. Cable security lock receptacle.
2. Factory default Reset button. Using a sharp object, press and hold this button for about 8 seconds until the front panel Test LED flashes to reset the UTM to factory default settings. Configuration changes are lost, and the default password is restored.
3.
The following figure shows the product label for the UTM10:
Figure 13.
The following figure shows the product label for the UTM25:
Figure 14.
The following figure shows the product label for the UTM50:
Figure 15.
The following figure shows the product label for the UTM150:
Figure 16.
The following figure shows the product label for the UTM9S:
Figure 17.
Choose a Location for the UTM
The UTM is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the UTM in a wiring closet or equipment room.
Use the Rack-Mounting Kit
Use the mounting kit for the UTM to install the appliance in a rack. (A mounting kit is provided in the package for the multiple WAN port models.) Attach the mounting brackets using the hardware that is supplied with the mounting kit.
Figure 18.
Before mounting the UTM in a rack, verify that:
• You have the correct screws (supplied with the installation kit).
• The rack onto which you will mount the UTM is suitably located.
2. Using the Setup Wizard to Provision the UTM in Your Network
This chapter explains how to log in to the UTM and use the web management interface, how to use the Setup Wizard to provision the UTM in your network, and how to register the UTM with NETGEAR.
Each of these tasks is described separately in this chapter. The configuration of the WAN mode (required for multiple WAN port models), Dynamic DNS, and other WAN options is described in Chapter 3, Manually Configuring Internet and WAN Settings. The configuration of LAN, firewall, scanning, VPN, management, and monitoring features is described in later chapters.
Figure 19.
3. In the User Name field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here, too, use lowercase letters.
Note: The UTM user name and password are not the same as any user name or password you might use to log in to your Internet connection.
5. Click Login. The web management interface displays, showing the System Status screen.
Figure 20.
Web Management Interface Menu Layout
The following figure shows the menu at the top of the UTM50 web management interface as an example.
Figure 21. (callouts: 3rd level: Submenu tab (blue); 2nd level: Configuration menu link (gray); 1st level: Main navigation menu link (orange))
The web management interface menu consists of the following components:
• 1st level: Main navigation menu links. The main navigation menu in the orange bar across the top of the web management interface provides access to all the configuration functions of the UTM, and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.
• 2nd level: Configuration menu links.
Any of the following table buttons might display on screen:
• Select All. Select all entries in the table.
• Delete. Delete the selected entry or entries from the table.
• Enable. Enable the selected entry or entries in the table.
• Disable. Disable the selected entry or entries in the table.
• Add. Add an entry to the table.
• Edit. Edit the selected entry.
• Up. Move the selected entry up in the table.
• Down.
Setup Wizard Step 1 of 10: LAN Settings
Figure 25.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Note: In this first step, you are actually configuring the LAN settings for the UTM’s default VLAN. For more information about VLANs, see Manage Virtual LANs and DHCP Options on page 93.
Table 4. Setup Wizard Step 1: LAN Settings screen settings
LAN TCP/IP Setup
IP Address: Enter the IP address of the UTM’s default VLAN (the factory default address is 192.168.1.1).
Note: Always make sure that the LAN port IP address and DMZ port IP address are in different subnets.
Note: If you change the LAN IP address of the UTM’s default VLAN while being connected through the browser, you are disconnected.
Table 4. Setup Wizard Step 1: LAN Settings screen settings (continued)
Enable DHCP Server (continued)
Primary DNS Server: This setting is optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM provides its own LAN IP address as the primary DNS server IP address.
Secondary DNS: This setting is optional.
Table 4. Setup Wizard Step 1: LAN Settings screen settings (continued)
Inter VLAN Routing
Enable Inter VLAN Routing: This setting is optional. To ensure that traffic is routed only to VLANs for which inter-VLAN routing is enabled, select the Enable Inter VLAN Routing check box. This setting is disabled by default.
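Two of the rules in Table 4 can be checked before an address plan is typed into the wizard: the LAN and DMZ port addresses must lie in different subnets, and an empty Primary DNS Server field means DHCP clients are handed the UTM's own LAN IP address. The following Python function is an added example written for this section, not NETGEAR code; the function name and the sample addresses are constructed for the illustration.

```python
"""Pre-flight check for the Setup Wizard LAN settings (added example, not NETGEAR code)."""
import ipaddress
from typing import List, Optional, Tuple


def validate_lan_dmz(lan_cidr: str, dmz_cidr: str,
                     primary_dns: Optional[str] = None) -> Tuple[List[str], str]:
    """Return (problems, effective_primary_dns) for a LAN/DMZ address plan.

    Rule 1 (Table 4 note): the LAN port and DMZ port IP addresses must be in
    different subnets, so the two networks may not overlap.
    Rule 2 (Primary DNS Server row): if no address is given, the UTM hands DHCP
    clients its own LAN IP address as the primary DNS server.
    """
    problems: List[str] = []
    lan = ipaddress.ip_interface(lan_cidr)  # address plus mask, e.g. 192.168.1.1/24
    dmz = ipaddress.ip_interface(dmz_cidr)

    if lan.network.overlaps(dmz.network):
        problems.append(f"LAN {lan.network} and DMZ {dmz.network} are not in different subnets")

    if primary_dns is None:
        effective_dns = str(lan.ip)  # the UTM's own LAN IP address is advertised
    else:
        # ip_address() raises ValueError on a malformed entry, which is the
        # right outcome for a value that would otherwise be pushed to every client.
        effective_dns = str(ipaddress.ip_address(primary_dns))
    return problems, effective_dns


if __name__ == "__main__":
    # Constructed plans: the first reuses the LAN subnet for the DMZ, the second is clean.
    print(validate_lan_dmz("192.168.1.1/24", "192.168.1.200/24"))
    print(validate_lan_dmz("192.168.1.1/24", "172.16.2.1/24", "203.0.113.53"))
```

The overlap test is deliberately on the networks rather than on the two addresses: two different host addresses inside one subnet still violate the note.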
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Note: Instead of manually entering the settings, you can also click the Auto Detect action button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
Table 5.
Table 5. Setup Wizard Step 2: WAN Settings screen settings (continued)
Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. Select this radio button and enter the following settings:
Account Name: The valid account name for the PPPoE connection.
Domain Name: The name of your ISP’s domain or your domain name if your ISP has assigned one. You can leave this field blank.
Table 5. Setup Wizard Step 2: WAN Settings screen settings (continued)
Use Static IP Address: If your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button and enter the following settings.
IP Address: The static IP address assigned to you. This address identifies the UTM to your ISP.
Subnet Mask: The subnet mask, which is usually provided by your ISP.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 6. Setup Wizard Step 3: System Date and Time screen settings
Set Time, Date, and NTP Servers
Date/Time: From the drop-down list, select the local time zone in which the UTM operates. The correct time zone is required in order for scheduling to work correctly.
Setup Wizard Step 4 of 10: Services
Figure 28.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 7. Setup Wizard Step 4: Services screen settings
Email
SMTP, POP3, IMAP: SMTP scanning is enabled by default on standard service port 25. To disable any of these services, clear the corresponding check box.
Table 7. Setup Wizard Step 4: Services screen settings (continued)
Web
HTTP: HTTP scanning is enabled by default on standard service port 80. To disable HTTP scanning, clear the corresponding check box. You can change the standard service port or add another port in the corresponding Ports to Scan field.
HTTPS: HTTPS scanning is disabled by default. To enable HTTPS scanning, select the corresponding check box.
Table 7. Setup Wizard Step 4: Services screen settings (continued)
SSL Handshaking to Websites: Note: SSL handshaking is supported only on the UTM9S.
Facebook: Scanning of Facebook is disabled by default. To enable it, select the corresponding check box. (This option is not shown in the previous figure, but it is shown in Figure 110 on page 195.)
Tools
Alexa Toolbar, GoToMyPC, Weatherbug: Scanning of these tools is disabled by default.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 8. Setup Wizard Step 5: Email Security screen settings
Action
SMTP: From the SMTP drop-down list, select one of the following actions to be taken when an infected email is detected:
• Block infected email. This is the default setting. The email is blocked, and a log entry is created.
• Delete attachment.
After you have completed the steps in the Setup Wizard, you can make changes to the email security settings by selecting Application Security > Email Anti-Virus. The Email Anti-Virus screen also lets you specify notification settings and email alert settings. For more information about these settings, see Customize Email Antivirus and Notification Settings on page 179.
Setup Wizard Step 6 of 10: Web Security
Figure 30.
Table 9. Setup Wizard Step 6: Web Security screen settings (continued)
HTTPS: From the HTTPS drop-down list, select one of the following actions to be taken when an infected web file or object is detected:
• Delete file. This is the default setting. The web file or object is deleted, and a log entry is created.
• Log only. Only a log entry is created. The web file or object is not deleted.
• Quarantine file (UTM9S only).
Setup Wizard Step 7 of 10: Web Categories to Be Blocked
Figure 31.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 10. Setup Wizard Step 7: Web Categories to Be Blocked screen settings
Blocked Web Categories: Select the Enable Blocking check box to enable blocking of web categories. (By default, this check box is selected.) Select the check boxes of any web categories that you want to block.
Setup Wizard Step 8 of 10: Email Notification
Figure 32.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 11. Setup Wizard Step 8: Email Notification screen settings
Administrator Email Notification Settings
Show as mail sender: A descriptive name of the sender for email identification purposes. For example, enter UTM_Notifications@netgear.com.
Setup Wizard Step 9 of 10: Signatures & Engine
Figure 33.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 12. Setup Wizard Step 9: Signatures & Engine screen settings
Update Settings
Update: From the drop-down list, select one of the following options:
• Never. The pattern and firmware files are never automatically updated.
• Scan engine and Signatures.
Table 12. Setup Wizard Step 9: Signatures & Engine screen settings (continued)
Update Frequency: Specify the frequency with which the UTM checks for file updates:
• Weekly. From the drop-down lists, select the weekday, hour, and minutes at which the updates occur.
• Daily. From the drop-down lists, select the hour and minutes at which the updates occur.
• Every. From the drop-down list, select the frequency with which the updates occur.
Test Connectivity
Verify that network traffic can pass through the UTM:
1. Ping an Internet URL.
2. Ping the IP address of a device on either side of the UTM.
Test HTTP Scanning
If client computers have direct access to the Internet through your LAN, try to download the eicar.com test file from http://www.eicar.org/download/eicar.com. The eicar.
If your UTM is connected to the Internet, you can activate the service licenses:
1. Select Support > Registration. The Registration screen displays:
Figure 35.
2. Enter the license key in the Registration Key field.
3. Fill out the customer and value-added reseller (VAR) fields.
4. Click Register.
WARNING! To activate the 30-day trial period for a license, do not click Register but click Trial instead.
5.
Note: The 30-day trial licenses are revoked once you activate the purchased service license keys. The purchased service license keys offer 1 year or 3 years of service.
Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Register the UTM with NETGEAR on page 62), the license keys are erased.
The UTM is ready for use. However, the following sections describe important tasks that you might want to address before you deploy the UTM in your network:
• Configure the WAN Mode (required for the multiple WAN port models).
3. Manually Configuring Internet and WAN Settings
Internet and WAN Configuration Tasks
Note: For information about configuring the DSL interface of the UTM9S, see Appendix A, xDSL Module for the UTM9S. The information in this chapter also applies to the WAN interfaces of the UTM9S.
Generally, five steps are required to complete the WAN Internet connection of your UTM. Complete these steps:
1. Configure the Internet connections to your ISPs. During this phase, you connect to your ISPs.
To automatically configure the WAN ports for connection to the Internet:
1. Select Network Config > WAN Settings. The WAN screen displays. (The following figure shows the UTM50.)
Figure 36.
The UTM5 and UTM10 screens show one WAN interface; the UTM25 and UTM50 screens show two WAN interfaces; the UTM150 screen shows four WAN interfaces; the UTM9S screen shows two WAN interfaces and a slot (SLOT-1 or SLOT-2), in which the xDSL module is installed.
Figure 37.
3. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of the following results:
• If the autodetect process is successful, a status bar at the top of the screen displays the results (for example, DHCP service detected).
Table 13. Internet connection methods
Connection method | Manual data input required
DHCP (Dynamic IP) | No data is required.
PPPoE | Login, password, account name, and domain name.
PPTP | Login, password, account name, your IP address, and the server IP address.
Fixed (Static) IP | IP address, subnet mask, gateway IP address, and related data supplied by your ISP.
Note: If the configuration process was successful, you are connected to the Internet through the WAN that you just configured. For the multiple WAN port models, continue with the configuration process for the other WAN interfaces.
Note: For more information about the WAN Connection Status screen, see View the WAN Ports Status on page 456.
5.
Figure 39.
3. In the ISP Login section, select one of the following options:
• If your ISP requires an initial login to establish an Internet connection, select Yes. (The default is No.)
• If a login is not required, select No, and ignore the Login and Password fields.
4. If you selected Yes, enter the login name in the Login field and the password in the Password field. This information is provided by your ISP.
5.
6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table:
Table 14. PPTP and PPPoE settings
Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button, and enter the following settings:
Other (PPPoE)
Account Name: The account name is also known as the host name or system name.
Table 14. PPTP and PPPoE settings (continued)
Other (PPPoE) (continued)
Connection Reset: Select the Connection Reset check box to specify a time when the PPPoE WAN connection is reset, that is, the connection is disconnected momentarily and then reestablished. Then, specify the disconnect time and delay.
Disconnect Time: Specify the hour and minutes when the connection should be disconnected.
8. In the Domain Name Server (DNS) Servers section of the screen (see the following figure), specify the DNS settings as explained in the following table.
Figure 42.
Table 16. DNS server settings
Get Automatically from ISP: If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get Automatically from ISP radio button.
Note: For the UTM9S only, you can also use a DSL interface for any of the following modes (see Appendix A, xDSL Module for the UTM9S).
• Load balancing mode. The UTM distributes the outbound traffic equally among the WAN interfaces that are functional. Depending on the UTM model, you can configure up to four WAN interfaces.
Configure Network Address Translation (All Models)
Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the UTM) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.
To configure classical routing:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen displays (see Figure 43 on page 79).
2. In the NAT (Network Address Translation) section of the screen, select the Classical Routing radio button.
3. Click Apply to save your settings.
Figure 43.
2. In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Primary WAN Mode radio button.
b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface. The other WAN interface or interfaces become disabled.
c. Select the Auto Rollover check box.
d.
4. Locate the Failure Detection Method section on the screen (see the following figure). Enter the settings as explained in the following table.
Figure 44.
Table 17. Failure detection method settings
Setting / Description
WAN Failure Detection Method. Select a failure detection method from the drop-down list. DNS queries or pings are sent through the WAN interface that is being monitored.
Note: You can configure the UTM to generate a WAN status log and email this log to a specified address (see Configure Logging, Alerts, and Event Notifications on page 422).
Configure Load Balancing and Optional Protocol Binding
To use multiple ISP links simultaneously, configure load balancing. In load balancing mode, any WAN port carries any outbound protocol unless protocol binding is configured.
Figure 45.
Note: You cannot configure load balancing when you use a PPPoE connection and have selected the Idle Timeout radio button on the WAN ISP Settings screen (single WAN port models) or on one of the WAN ISP Settings screens (multiple WAN port models); to use load balancing on a PPPoE connection, select the Keep Connected radio button. For more information, see Figure 40 on page 72 and the accompanying PPPoE information in Table 14 on page 73.
2.
Configure Protocol Binding (Optional)
To configure protocol binding and add protocol binding rules:
1. Select Network Config > Protocol Binding. The Protocol Bindings screen displays. (The following figure shows two examples in the Protocol Bindings table.)
Figure 46.
The Protocol Bindings table displays the following fields:
• Check box. Allows you to select the protocol binding rule in the table.
• Status icon.
Figure 47.
3. Configure the protocol binding settings as explained in the following table:
Table 18. Add Protocol Binding screen settings
Setting / Description
Service. From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Service-Based Rules on page 123).
4. Click Apply to save your settings. The protocol binding rule is added to the Protocol Bindings table. The rule is automatically enabled, which is indicated by the status icon, a green circle.
To edit a protocol binding:
1. On the Protocol Bindings screen (see Figure 46 on page 83), in the Protocol Bindings table, click the Edit table button to the right of the binding that you want to edit. The Edit Protocol Binding screen displays.
It is important that you ensure that any secondary WAN addresses are different from the primary WAN, LAN, and DMZ IP addresses that are already configured on the UTM. However, primary and secondary WAN addresses can be in the same subnet. The following is an example of correctly configured IP addresses on a multiple WAN port model:
• Primary WAN1 IP address. 10.121.0.1 with subnet 255.255.255.0
• Secondary WAN1 IP address. 10.121.26.
5. Click the Add table button in the rightmost column to add the secondary IP address to the List of Secondary WAN addresses table.
Repeat step 4 and step 5 for each secondary IP address that you want to add to the List of Secondary WAN addresses table.
To delete one or more secondary addresses:
1.
To configure DDNS:
1. Select Network Config > Dynamic DNS. The Dynamic DNS screen displays (see the following figure). The WAN Mode section on the screen reports the currently configured WAN mode (for example, Single Port WAN1, Load Balancing, or Auto Rollover). Only those options that match the configured WAN mode are accessible on the screen.
2. Click the submenu tab for your DDNS service provider:
• Dynamic DNS for DynDNS.
Figure 50.
4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
5. Configure the DDNS service settings as explained in the following table:
Table 19. DNS service settings
Setting / Description
WAN (Dynamic DNS Status: ...) or WAN1 (Dynamic DNS Status: ...)
Change DNS to. Select the Yes radio button to enable the DDNS service.
Configure Advanced WAN Options
The advanced options include configuring the maximum transmission unit (MTU) size, the port speed, and the UTM’s MAC address, and setting a rate limit on the traffic that is being forwarded by the UTM.
Note: You can also configure the failure detection method for the auto-rollover mode on the Advanced screen. This procedure is discussed in Configure the Failure Detection Method on page 79.
4. Enter the settings as explained in the following table:
Table 20. Advanced WAN settings
Setting / Description
MTU Size. Make one of the following selections:
Default. Select the Default radio button for the normal maximum transmission unit (MTU) value. For most Ethernet networks this value is 1500 bytes, or 1492 bytes for PPPoE connections.
Custom. Select the Custom radio button, and enter an MTU value in the Bytes field.
Table 20. Advanced WAN settings (continued)
Setting / Description
Upload/Download Settings. These settings rate-limit the traffic that is being forwarded by the UTM.
WAN Connection Type. From the drop-down list, select the type of connection that the UTM uses to connect to the Internet: DSL, ADLS, Cable Modem, T1, T3, or Other.
WAN Connection Speed Upload. From the drop-down list, select the maximum upload speed that is provided by your ISP.
4. LAN Configuration
This chapter describes how to configure the advanced LAN features of your UTM. This chapter contains the following sections:
• Manage Virtual LANs and DHCP Options
• Configure Multihome LAN IPs on the Default VLAN
• Manage Groups and Hosts (LAN Groups)
• Configure and Enable the DMZ Port
• Manage Routing
Note: The initial LAN configuration of the UTM’s default VLAN 1 is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network.
A virtual LAN (VLAN) is a local area network with a definition that maps workstations on some basis other than geographic location (for example, by department, type of user, or primary application). To enable traffic to flow between VLANs, traffic needs to go through a router, just as if the VLANs were on two separate LANs.
• When a port receives an untagged packet, this packet is forwarded to a VLAN based on the PVID.
• When a port receives a tagged packet, this packet is forwarded to a VLAN based on the ID that is extracted from the tagged packet.
When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets.
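The two ingress rules above (untagged packet goes to the port's PVID, tagged packet goes to the VID carried in its 802.1Q tag) are easy to get wrong when troubleshooting, so here is an added worked example that parses a raw Ethernet frame and applies them, followed by the port-membership check the last sentence describes. This is illustration code written for this page, not NETGEAR code; the frames, MAC addresses and the `vlan_for_frame`/`classify_ingress` function names are constructed for the example. The handling of a priority-only tag (VID 0) follows the 802.1Q standard rather than anything stated on this page.

```python
from __future__ import annotations

import struct

# Constructed example, not NETGEAR code: classify an ingress Ethernet frame
# into a VLAN the way the text describes (untagged -> PVID, tagged -> VID from
# the 802.1Q header), then check whether the port is a member of that VLAN.

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q VLAN tag


def vlan_for_frame(frame: bytes, pvid: int) -> tuple[int, bool]:
    """Return (vlan_id, tagged) for a raw frame arriving on a port whose PVID
    is `pvid`.  Tagged frames carry the VID in the low 12 bits of the TCI.
    A tag with VID 0 is priority-only and, per 802.1Q, is assigned to the
    PVID exactly like an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return pvid, False                 # untagged: PVID decides
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF
    if vid == 0:
        return pvid, True                  # priority-tagged: still PVID
    if vid == 0xFFF:
        raise ValueError("VID 4095 is reserved")
    return vid, True                       # tagged: VID from the tag decides


def classify_ingress(frame: bytes, pvid: int, member_vlans: set[int]) -> int | None:
    """Return the VLAN the frame is forwarded to, or None if the port is not
    a member of that VLAN (the frame is dropped)."""
    vid, _tagged = vlan_for_frame(frame, pvid)
    return vid if vid in member_vlans else None


def build_frame(vid: int | None, pcp: int = 0) -> bytes:
    """Build a minimal constructed frame: untagged if vid is None, else tagged."""
    dst = b"\xff" * 6                      # broadcast destination
    src = bytes.fromhex("001122334455")    # constructed source MAC
    payload = b"\x08\x00" + b"\x00" * 46   # IPv4 ethertype plus dummy body
    if vid is None:
        return dst + src + payload
    tci = (pcp << 13) | vid                # PCP in the top 3 bits, VID in the low 12
    return dst + src + struct.pack("!HH", ETHERTYPE_8021Q, tci) + payload


# Constructed sample frames.
UNTAGGED = build_frame(None)
TAGGED_20 = build_frame(20)
TAGGED_99 = build_frame(99)
PRIORITY_TAGGED = build_frame(0, pcp=5)

if __name__ == "__main__":
    port_pvid, port_vlans = 1, {1, 20}     # port is a member of VLAN 1 and VLAN 20
    for name, frame in [("untagged", UNTAGGED), ("tagged VID 20", TAGGED_20),
                        ("tagged VID 99", TAGGED_99), ("priority-tagged", PRIORITY_TAGGED)]:
        print(f"{name:16} -> VLAN {classify_ingress(frame, port_pvid, port_vlans)}")
```

The frame tagged with VID 99 comes back as `None` because the port is not a member of VLAN 99; that is the case to check first when a host on a VLAN that was created but never assigned to the port cannot reach anything.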
Figure 52.
For each VLAN profile, the following fields display in the VLAN Profiles table:
• Check box. Allows you to select the VLAN profile in the table.
• Status icon. Indicates the status of the VLAN profile:
- Green circle. The VLAN profile is enabled.
- Gray circle. The VLAN profile is disabled.
• Profile Name. The unique name assigned to the VLAN profile.
• VLAN ID. The unique ID (or tag) assigned to the VLAN profile.
• Subnet IP.
DHCP Server
The default VLAN (VLAN 1) has the DHCP server option enabled by default, allowing the UTM to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the UTM’s LAN. The assigned default gateway address is the LAN address of the UTM. IP addresses are assigned to the attached computers from a pool of addresses that you need to specify.
configuration in auto-rollover mode with route diversity (that is, with two different ISPs) and you cannot ensure that the DNS server is available after a rollover has occurred.
LDAP Server
A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server.
2. Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table. The Edit VLAN Profile screen displays. The following figure shows the Edit VLAN Profile screen for the UTM with four ports in the Port Membership section.
3. Enter the settings as explained in the following table:
Table 21. Edit VLAN Profile screen settings
Setting / Description
VLAN Profile
Profile Name. Enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN.
VLAN ID. Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. Note: You can enter VLAN IDs from 2 to 4093.
Table 21. Edit VLAN Profile screen settings (continued)
Setting / Description
Enable DHCP Server. Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings:
Domain Name. This setting is optional. Enter the domain name of the UTM.
Starting IP Address. Enter the starting IP address.
Table 21. Edit VLAN Profile screen settings (continued)
Setting / Description
Enable LDAP information. To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings. Note: The LDAP settings that you specify as part of the VLAN profile are used only for SSL VPN and UTM authentication, but not for web and email security.
Note: When you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change these default traffic rules, see Chapter 5, Firewall Protection.
To edit a VLAN profile:
1. On the LAN Setup screen (see Figure 53 on page 98), click the Edit button in the Action column for the VLAN profile that you want to modify.
Figure 55.
3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.)
4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by default for the default VLAN.) If you choose to keep the broadcast of ARP enabled, you can enter an ARP refresh rate in the Set Refresh Rate field. The default setting is 180 seconds.
The following is an example of correctly configured IP addresses on a multiple WAN port model:
• WAN1 IP address. 10.0.0.1 with subnet 255.0.0.0
• WAN2 IP address. 20.0.0.1 with subnet 255.0.0.0
• DMZ IP address. 192.168.10.1 with subnet 255.255.255.0
• Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0
• Secondary LAN IP address. 192.168.20.1 with subnet 255.255.255.0
To add a secondary LAN IP address:
1.
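Both the secondary WAN address section earlier (a secondary address must differ from every primary WAN, LAN and DMZ address, while primary and secondary WAN addresses may share a subnet) and the multi-homed LAN example just above describe the same consistency rule. The following added example, written for this page and not NETGEAR code, checks a set of interface addresses against that rule using the manual's own example values as input. The `Iface` type, the `validate_addresses` function and the "bad" configuration are constructed for the example; the additional check that WAN, LAN and DMZ subnets do not overlap one another is an assumption of this example (the manual's examples keep them on distinct subnets but do not state it as a rule).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from itertools import combinations

# Constructed example, not NETGEAR code: validate UTM interface addresses.
# Rule from the manual: no secondary address may equal a primary WAN, LAN or
# DMZ address; primary and secondary WAN addresses may share a subnet.
# Assumed rule (this example's addition): subnets of different zones must not
# overlap each other.


@dataclass(frozen=True)
class Iface:
    name: str                       # e.g. "WAN1", "Secondary LAN"
    zone: str                       # "WAN", "LAN" or "DMZ"
    addr: ipaddress.IPv4Interface   # address with mask, e.g. 10.0.0.1/255.0.0.0


def iface(name: str, zone: str, address: str, mask: str) -> Iface:
    """Build an Iface from the 'address with subnet mask' form the manual uses."""
    return Iface(name, zone, ipaddress.IPv4Interface(f"{address}/{mask}"))


def validate_addresses(ifaces: list[Iface]) -> list[str]:
    """Return a list of problems; an empty list means the set is consistent."""
    problems: list[str] = []

    # Manual's rule: no two interfaces may carry the same host address.
    seen: dict[ipaddress.IPv4Address, str] = {}
    for i in ifaces:
        if i.addr.ip in seen:
            problems.append(f"{i.name} reuses {i.addr.ip}, already assigned to {seen[i.addr.ip]}")
        else:
            seen[i.addr.ip] = i.name

    # Assumed rule: subnets of different zones must not overlap.  Two WAN
    # addresses (primary and secondary) in one subnet are allowed, as the
    # manual states, because they are in the same zone.
    for a, b in combinations(ifaces, 2):
        if a.zone != b.zone and a.addr.network.overlaps(b.addr.network):
            problems.append(f"{a.name} ({a.addr.network}) overlaps {b.name} ({b.addr.network})")
    return problems


# The manual's multiple WAN port example, reproduced as input.
MANUAL_EXAMPLE = [
    iface("WAN1", "WAN", "10.0.0.1", "255.0.0.0"),
    iface("WAN2", "WAN", "20.0.0.1", "255.0.0.0"),
    iface("DMZ", "DMZ", "192.168.10.1", "255.255.255.0"),
    iface("Primary LAN", "LAN", "192.168.1.1", "255.255.255.0"),
    iface("Secondary LAN", "LAN", "192.168.20.1", "255.255.255.0"),
]

# Constructed bad configuration: the secondary LAN address lands inside the
# DMZ subnet, and a secondary WAN address duplicates the WAN1 address.
BAD_EXAMPLE = MANUAL_EXAMPLE[:4] + [
    iface("Secondary LAN", "LAN", "192.168.10.5", "255.255.255.0"),
    iface("Secondary WAN1", "WAN", "10.0.0.1", "255.0.0.0"),
]

# Primary and secondary WAN in one subnet, which the manual explicitly permits.
SAME_SUBNET_WAN = [
    iface("Primary WAN1", "WAN", "10.121.0.1", "255.255.255.0"),
    iface("Secondary WAN1", "WAN", "10.121.0.2", "255.255.255.0"),
]

if __name__ == "__main__":
    for label, cfg in [("manual example", MANUAL_EXAMPLE), ("bad example", BAD_EXAMPLE),
                       ("same-subnet WAN", SAME_SUBNET_WAN)]:
        print(f"{label}: {validate_addresses(cfg) or 'OK'}")
```

Running the check before clicking Apply is cheaper than debugging why hosts on the secondary LAN suddenly cannot reach the DMZ server: the two collisions in the constructed bad configuration are reported by name, and the manual's own example passes cleanly.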
To edit a secondary LAN IP address:
1. On the LAN Multi-homing screen (see the previous screen), click the Edit button in the Action column for the secondary IP address that you want to modify. The Edit Secondary LAN IP address screen displays.
2. Modify the IP address or subnet mask, or both.
3. Click Apply to save your settings.
To delete one or more secondary LAN IP addresses:
1.
These are some advantages of the network database:
• Generally, you do not need to enter an IP address or a MAC address. Instead, you can just select the name of the desired PC or device.
• There is no need to reserve an IP address for a PC in the DHCP server. All IP address assignments made by the DHCP server are maintained until the PC or device is removed from the network database, either by expiration (inactive for a long time) or by you.
Figure 57.
The Known PCs and Devices table lists the entries in the network database. For each PC or device, the following fields display:
• Check box. Allows you to select the PC or device in the table.
• Name. The name of the PC or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name).
Add PCs or Devices to the Network Database
To add PCs or devices manually to the network database:
1. In the Add Known PCs and Devices section of the LAN Groups screen (see the previous figure), enter the settings as explained in the following table:
Table 22. Known PCs and devices settings
Setting / Description
Name. Enter the name of the PC or device.
Figure 58.
2. Modify the settings as explained in Table 22 on page 109.
3. Click Apply to save your settings in the Known PCs and Devices table.
Deleting PCs or Devices from the Network Database
To delete one or more PCs or devices from the network database:
1.
Figure 59.
3. Select the radio button next to the group name that you want to edit.
4. Type a new name in the field. The maximum number of characters is 15; spaces and double quotes (") are not allowed.
5. Repeat step 3 and step 4 for any other group names.
6. Click Apply to save your settings.
Configure and Enable the DMZ Port
The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions than the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or email server) and provide public access to them. The rightmost LAN port on the UTM can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN.
Figure 60.
2. Enter the settings as explained in the following table:
Table 23. DMZ Setup screen settings
Setting / Description
DMZ Port Setup
Do you want to enable DMZ Port? Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields.
• No. Allows you to disable the DMZ port after you have configured it.
IP Address. Enter the IP address of the DMZ port.
Table 23. DMZ Setup screen settings (continued)
Setting / Description
DHCP
Disable DHCP Server. If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. By default, this radio button is not selected, and the DHCP server is enabled.
Table 23. DMZ Setup screen settings (continued)
Setting / Description
Enable LDAP information. To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings:
LDAP Server. The IP address or name of the LDAP server.
Search Base. The search objects that specify the location in the directory tree from which the LDAP search begins.
Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
Note: The UTM automatically sets up routes between VLANs and secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configure Multihome LAN IPs on the Default VLAN on page 104).
3. Enter the settings as explained in the following table:
Table 24. Add Static Route screen settings
Setting / Description
Route Name. The route name for the static route (for purposes of identification and management).
Active. To make the static route effective, select the Active check box. Note: A route can be added to the table and made inactive if not needed. This allows you to use routes as needed without deleting and re-adding the entry.
Configure Routing Information Protocol
Routing Information Protocol (RIP), RFC 2453, is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information automatically with other routers, to dynamically adjust its routing tables, and to adapt to changes in the network. RIP is disabled by default.
To enable and configure RIP:
1. Select Network Config > Routing.
2.
3. Enter the settings as explained in the following table:
Table 25. RIP Configuration screen settings
Setting / Description
RIP
RIP Direction. From the RIP Direction drop-down list, select the direction in which the UTM sends and receives RIP packets:
• None. The UTM neither advertises its route table, nor accepts any RIP packets from other routers. This effectively disables RIP, and is the default setting.
• In Only.
Table 25. RIP Configuration screen settings (continued)
Setting / Description
Authentication for RIP-2B/2M required? (continued)
Not Valid Before. The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
Not Valid After. The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second.
5. Firewall Protection
This chapter describes how to use the firewall features of the UTM to protect your network.
Administrator Tips
Consider the following operational items:
1. As an option, you can enable remote management if you have to manage distant sites from a central location (see Configure Authentication Domains, Groups, and Users on page 345 and Configure Remote Management Access on page 399).
2.
The firewall rules for blocking and allowing traffic on the UTM can be applied to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic.
Table 26.
The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 66 on page 132, Figure 69 on page 135, and Figure 72 on page 138). The steps to configure outbound rules are described in the following sections:
• Set LAN WAN Rules
• Set DMZ WAN Rules
• Set LAN DMZ Rules
Table 27.
Table 27. Outbound rules overview (continued)
Setting / Description
WAN Users. The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
• Any. All Internet IP addresses are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Enter the required addresses in the Start and End fields.
• IP Group. Select the IP group to which the rule applies.
Table 27. Outbound rules overview (continued)
Setting / Description
Log. The setting that determines whether packets covered by this rule are logged. The options are:
• Always. Always log traffic considered by this rule, whether it matches or not. This is useful when you are debugging your rules.
• Never. Never log traffic considered by this rule, whether it matches or not.
Note: The UTM always blocks denial of service (DoS) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service becomes unavailable).
Table 28. Inbound rules overview (continued)
Setting / Description
Select Schedule. The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule.
• This drop-down list is activated only when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the action.
• Use the Schedule screen to configure the time schedules (see Set a Schedule to Block or Allow Specific Traffic on page 163).
Table 28. Inbound rules overview (continued)
Setting / Description
DMZ Users. The settings that determine which DMZ computers on the DMZ network are affected by this rule. The options are:
• Any. All PCs and devices on your DMZ network.
• Single address. Enter the required address in the Start field to apply the rule to a single PC on the DMZ network.
• Address range.
Order of Precedence for Rules
As you define a new rule, it is added to a table in a Rules screen as the last item in the list, as shown in the LAN WAN Rules screen example in the following figure:
Figure 64.
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the bottom.
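Top-to-bottom, first-match evaluation is the property that makes rule order a security control: a broad BLOCK placed above a narrow ALLOW silently defeats the ALLOW, and a new rule appended at the bottom may never be reached. The added example below, written for this page and not NETGEAR code, models the Rules table as the text describes it, together with the Log setting from Table 27 (Always logs every packet the rule considers, matching or not), the two schedule-based actions, and the reordering the Up/Down table buttons perform. The `Rule`, `Packet`, `evaluate` and `reordered` names, the rule set and the packets are constructed for the example; the schedule is modelled as a single daily time window, which is a simplification of the Schedule screen.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import time

# Constructed example, not NETGEAR code: a first-match evaluator for the
# Rules table described in this chapter.

ANY = ipaddress.ip_network("0.0.0.0/0")   # "Any" for LAN Users / WAN Users


@dataclass(frozen=True)
class Rule:
    name: str
    service: str                     # "ANY" or a service name such as "HTTP"
    action: str                      # ALLOW, BLOCK, BLOCK_BY_SCHEDULE, ALLOW_BY_SCHEDULE
    src: ipaddress.IPv4Network        # LAN Users: single address, range or Any as a network
    dst: ipaddress.IPv4Network        # WAN Users
    log: str = "Never"               # "Always" or "Never" (Table 27)
    schedule: tuple[time, time] | None = None  # daily window for *_BY_SCHEDULE actions


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    service: str
    at: time                          # time of day the packet was seen


def in_schedule(rule: Rule, now: time) -> bool:
    start, end = rule.schedule
    return start <= now < end


def decide(rule: Rule, pkt: Packet) -> str:
    """Resolve a schedule-based action to ALLOW or BLOCK for this packet."""
    if rule.action == "BLOCK_BY_SCHEDULE":       # "BLOCK by schedule, otherwise allow"
        return "BLOCK" if in_schedule(rule, pkt.at) else "ALLOW"
    if rule.action == "ALLOW_BY_SCHEDULE":       # "ALLOW by schedule, otherwise block"
        return "ALLOW" if in_schedule(rule, pkt.at) else "BLOCK"
    return rule.action


def evaluate(rules: list[Rule], default_action: str, pkt: Packet):
    """Walk the table top to bottom; return (action, matched_rule_name, log_lines).
    The default action applies when no rule matches."""
    log_lines: list[str] = []
    for rule in rules:
        matched = (rule.service in ("ANY", pkt.service)
                   and pkt.src in rule.src and pkt.dst in rule.dst)
        if rule.log == "Always":                 # logged whether it matches or not
            log_lines.append(f"rule={rule.name} {pkt.src}->{pkt.dst} {pkt.service} match={matched}")
        if matched:
            return decide(rule, pkt), rule.name, log_lines
    return default_action, None, log_lines


def reordered(rules: list[Rule], name: str, new_index: int) -> list[Rule]:
    """Move one rule to a new position, as the Up/Down table buttons do."""
    moved = next(r for r in rules if r.name == name)
    rest = [r for r in rules if r.name != name]
    return rest[:new_index] + [moved] + rest[new_index:]


# Constructed LAN WAN outbound table.  The outbound default is ALLOW, as the
# LAN setup note in this manual states.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WORKSTATION = ipaddress.ip_network("192.168.1.10/32")

RULES = [
    Rule("block-lan-http", "HTTP", "BLOCK", LAN_NET, ANY, log="Always"),
    Rule("allow-ws-http", "HTTP", "ALLOW", WORKSTATION, ANY),
    Rule("no-im-office-hours", "IM", "BLOCK_BY_SCHEDULE", LAN_NET, ANY,
         schedule=(time(9, 0), time(17, 0))),
]

# Constructed packets (203.0.113.0/24 is a documentation range).
PKT_HTTP = Packet(ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("203.0.113.5"), "HTTP", time(10, 0))
PKT_IM_DAY = Packet(ipaddress.ip_address("192.168.1.20"), ipaddress.ip_address("203.0.113.9"), "IM", time(10, 0))
PKT_IM_NIGHT = Packet(ipaddress.ip_address("192.168.1.20"), ipaddress.ip_address("203.0.113.9"), "IM", time(20, 0))
PKT_SMTP = Packet(ipaddress.ip_address("192.168.1.20"), ipaddress.ip_address("203.0.113.25"), "SMTP", time(10, 0))

if __name__ == "__main__":
    print("as entered:", evaluate(RULES, "ALLOW", PKT_HTTP))
    print("allow moved up:", evaluate(reordered(RULES, "allow-ws-http", 0), "ALLOW", PKT_HTTP))
```

With the table as entered, HTTP from the workstation is blocked even though an ALLOW rule for it exists, because the broader BLOCK sits above it; moving `allow-ws-http` to the top changes the verdict. The `log="Always"` rule also shows why that setting is meant for debugging only: it produces a line for every packet it considers, including the SMTP packet it does not match.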
3. Next to the drop-down list, click the Apply table button.
Figure 65.
To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons:
• Edit. Allows you to make any changes to the definition of an existing rule.
LAN WAN Outbound Service Rules
You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between an internal LAN IP address and any external WAN IP address according to the schedule created in the Schedule screen.
To create a new inbound LAN WAN service rule:
1. In the LAN WAN Rules screen, click the Add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen displays:
Figure 67.
2. Enter the settings as explained in Table 28 on page 127.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
To access the DMZ WAN Rules screen, select Network Security > Firewall > DMZ WAN Rules. The DMZ WAN Rules screen displays. (The following figure shows a rule in the Outbound Services table as an example.)
Figure 68.
To make changes to an existing outbound or inbound service rule: In the Action column to the right of the rule, click one of the following table buttons:
• Edit. Allows you to make any changes to the definition of an existing rule.
can block or allow traffic between the DMZ and any external WAN IP address according to the schedule created in the Schedule screen.
To create a new outbound DMZ WAN service rule:
1. In the DMZ WAN Rules screen, click the Add table button under the Outbound Services table. The Add DMZ WAN Outbound Service screen displays:
Figure 69.
2. Enter the settings as explained in Table 27 on page 124.
3. Click Apply.
Figure 70.
2. Enter the settings as explained in Table 28 on page 127.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
Set LAN DMZ Rules
The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to block all traffic between the local LAN and DMZ network.
Figure 71.
In the Action column to the right of the rule, click one of the following table buttons:
• Edit. Allows you to make any changes to the rule definition of an existing rule. Depending on your selection, either the Edit LAN DMZ Outbound Service screen (identical to Figure 72 on page 138) or the Edit LAN DMZ Inbound Service screen (identical to Figure 73 on page 138) displays, containing the data for the selected rule.
• Up.
Figure 72.
2. Enter the settings as explained in Table 27 on page 124.
3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
LAN DMZ Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the LAN to the DMZ) is blocked.
2. Enter the settings as explained in Table 28 on page 127.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
Inbound Rule Examples
LAN WAN Inbound Rule: Host a Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.
Figure 74.
Figure 75.
LAN WAN or DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping
In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the UTM to host an additional public IP address and associate this address with a web server on the LAN. The following addressing scheme is used to illustrate this procedure:
• NETGEAR UTM:
- WAN IP address. 10.1.0.118
- LAN IP address subnet.
Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.
To configure the UTM for additional IP addresses:
1.
7. For the multiple WAN port models only: From the WAN Destination IP Address drop-down list, select the web server (the simulated 10.1.0.52 address in this example) that you have defined on a WAN Secondary Addresses screen (see Configure Secondary WAN Addresses on page 85).
Note: For the single WAN port models: The WAN Destination IP Address field is a fixed field.
8. Click Apply to save your settings.
WARNING! For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
Outbound Rule Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other nonessential sites.
Configure Other Firewall Features
You can configure global VLAN rules and attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions.
VLAN Rules
The VLAN Rules screen allows you to specify inter-VLAN firewall rules (that is, firewall rules for VLANs that are created on the UTM) when inter-VLAN routing is not enabled (see Configure a VLAN Profile on page 98). For example, you can create one VLAN with IP address 192.
3. Enter the settings as explained in the following table.
Table 29. Add VLAN-VLAN Service screen settings
Setting / Description
Service. The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services screen (see Add Customized Services on page 152).
To delete or disable one or more VLAN rules:
1. Select the check box to the left of each VLAN rule that you want to delete or disable, or click the Select All table button to select all VLAN rules.
2. Click one of the following table buttons:
• Disable. Disables the selected VLAN rule or rules. The status icon changes from a green circle to a gray circle, indicating that the selected VLAN rules are disabled.
2. Enter the settings as explained in the following table:
Table 30. Attack Checks screen settings
Setting / Description
WAN Security Checks
Respond to Ping on Internet Ports. Select the Respond to Ping on Internet Ports check box to enable the UTM to respond to a ping from the Internet. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the UTM to respond to a ping from the Internet.
Table 30. Attack Checks screen settings (continued)
Setting / Description
VPN Pass through (IPSec, PPTP, L2TP). When the UTM functions in NAT mode, all packets going to the remote VPN gateway are first filtered through NAT and then encrypted according to the VPN policy.
ProSecure Unified Threat Management (UTM) Appliance Figure 82. 2. In the Multicast Pass through section of the screen, select the Yes radio button to enable multicast pass-through. (By default the Yes radio button is enabled.) When you enable multicast pass-through, an Internet Group Management Protocol (IGMP) proxy is enabled for the upstream (WAN) and downstream (LAN) interfaces.
To delete one or more multicast source addresses: 1. In the Alternate Networks table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses. 2. Click the Delete table button. Set Session Limits The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IP connection across the UTM.
Table 31. Session Limit screen settings (continued) Setting Description User Limit Enter a number to indicate the user limit. If the User Limit Parameter is set to Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a single-source device as a percentage of the total session connection capacity of the UTM. (The session limit is per-device based.
Create Services, QoS Profiles, and Bandwidth Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, service groups, IP groups (LAN and WAN groups), QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: • Services. A service narrows down the firewall rule to an application and a port number. You can also narrow down the firewall rule to a group of services.
To define a new service, you need to determine first which port number or range of numbers is used by the application. You can usually determine this information by contacting the publisher of the application, user groups, or newsgroups. When you have the port number information, you can enter it on the Services screen. To add a customized service: 1. Select Network Security > Services. The Services screen displays.
Table 32. Services screen settings (continued) Setting Description Start Port The first TCP or UDP port of a range that the service uses. Note: This field is enabled only when you select TCP or UDP from the Type drop-down list. End Port The last TCP or UDP port of a range that the service uses. If the service uses only a single port number, enter the same number in the Start Port and End Port fields.
One advantage of a service group is that you can create a single firewall object with multiple noncontiguous ports (for example, ports 3000, 4000, and 5000) and apply the object in a single firewall rule.
To edit a service group: 1. In the Custom Services Group table, click the Edit table button to the right of the service group that you want to edit. The Edit Service group screen displays. 2. Modify the settings that you wish to change (see step 3 and step 4 in the previous procedure). 3. Click Apply to save your changes. The modified service group is displayed in the Custom Services Group table.
Figure 90. 5. In the IP Address fields, type an IP address. 6. Click the Add table button to add the IP address to the IP Addresses Grouped table. 7. Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table. 8. Click the Edit table button to return to the IP Groups screen. To edit an IP group: 1. In the Custom IP Groups table, click the Edit table button to the right of the IP group that you want to edit.
Create Quality of Service Profiles A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the UTM. A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule, and traffic matching the firewall rule is processed by the UTM.
Figure 91. The screen displays the List of QoS Profiles table with the user-defined profiles. 2. Under the List of QoS Profiles table, click the Add table button. The Add QoS Profile screen displays: Figure 92. 3. Enter the settings as explained in the following table. Note: This document assumes that you are familiar with QoS concepts such as QoS priority queues, IP precedence, DSCP, and their values. Table 33.
Table 33. Add QoS Profile screen settings (continued) Setting Description QoS From the QoS drop-down list, select one of the following traffic classification methods: • IP Precedence. A legacy method that sets the priority in the ToS byte of an IP header. • DSCP. A method that sets the Differentiated Services Code Point (DSCP) in the Differentiated Services (DS) field (which is the same as the ToS byte) of an IP header.
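The two classification methods in Table 33 write to the same header byte. The following added example (not NETGEAR code) encodes and decodes that byte both ways, so you can see how a DSCP value chosen on the UTM is read by a legacy device that only understands IP precedence; the name table is a constructed lookup of well-known code points.

```python
"""Added example (not NETGEAR code): how the two traffic classification
methods in Table 33 share one header byte.

IP Precedence uses the top 3 bits of the legacy IPv4 ToS byte; DSCP uses the
top 6 bits of the same byte, renamed the DS field (RFC 2474). The low 2 bits
are ECN. Because the fields overlap, a DSCP value implies a precedence value,
which is why a DSCP-marking device and a precedence-only device still agree
on the relative priority of a packet.
"""

# Well-known DSCP code points (RFC 2474 class selectors, RFC 2597 AF,
# RFC 3246 EF). Constructed lookup table, used only for display.
DSCP_NAMES = {
    0: "CS0/best effort", 8: "CS1", 10: "AF11", 16: "CS2", 18: "AF21",
    24: "CS3", 26: "AF31", 32: "CS4", 34: "AF41", 40: "CS5",
    46: "EF", 48: "CS6", 56: "CS7",
}


def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    """Build the 8-bit ToS/DS byte from a 6-bit DSCP and a 2-bit ECN value."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be in 0..63")
    if not 0 <= ecn <= 3:
        raise ValueError("ECN must be in 0..3")
    return (dscp << 2) | ecn


def tos_from_precedence(precedence: int) -> int:
    """Build the ToS byte the legacy way: precedence in the top 3 bits,
    with the old ToS flag bits left clear."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence must be in 0..7")
    return precedence << 5


def dscp_from_tos(tos: int) -> int:
    """Read the DS field (top 6 bits) out of a ToS byte."""
    return (tos >> 2) & 0x3F


def precedence_from_tos(tos: int) -> int:
    """Read the legacy precedence (top 3 bits) out of the same byte."""
    return (tos >> 5) & 0x07


def class_selector_for_precedence(precedence: int) -> int:
    """The DSCP class selector CSx that is backward compatible with
    precedence x: the same 3 bits followed by three zero bits."""
    return tos_from_precedence(precedence) >> 2


def describe_tos(tos: int) -> dict:
    """Decode one ToS byte both ways, as a device inspecting the header would."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS byte must be in 0..255")
    dscp = dscp_from_tos(tos)
    return {
        "tos_hex": f"0x{tos:02x}",
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp, "unassigned"),
        "ip_precedence": precedence_from_tos(tos),
        "ecn": tos & 0x03,
    }


if __name__ == "__main__":
    # EF (DSCP 46) travels in ToS byte 0xb8, which a legacy device reads
    # as precedence 5; precedence 3 set the old way is DSCP 24 (CS3).
    print(describe_tos(tos_from_dscp(46)))
    print(describe_tos(tos_from_precedence(3)))
```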
interface that you specify. For inbound traffic, you can apply bandwidth profiles to a LAN interface for all WAN modes. Bandwidth profiles do not apply to the DMZ interface. When a new connection is established by a device, the device locates the firewall rule corresponding to the connection. • If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel.
Figure 94. 3. Enter the settings as explained in the following table: Table 34. Add Bandwidth Profile screen settings Setting Description Profile Name A descriptive name of the bandwidth profile for identification and management purposes. Direction From the Direction drop-down list, select the traffic direction for the bandwidth profile: • Outbound Traffic. The bandwidth profile is applied only to outbound traffic.
Table 34. Add Bandwidth Profile screen settings (continued) Setting Description Type From the Type drop-down list, select the type for the bandwidth profile: • Group. The profile applies to all users, that is, all users share the available bandwidth. • Individual. The profile applies to an individual user, that is, each user can use the available bandwidth.
Figure 95. 2. In the Scheduled Days section, select one of the following radio buttons: • All Days. The schedule is in effect all days of the week. • Specific Days. The schedule is in effect only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect. 3. In the Scheduled Time of Day section, select one of the following radio buttons: • All Day.
Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 123. To enable MAC filtering and add MAC addresses to be permitted or blocked: 1. Select Network Security > Address Filter. The Address Filter submenu tabs display, with the Source MAC Filter screen in view. (The following figure shows one address in the MAC Addresses table as an example.) Figure 96. 2.
To remove one or more entries from the table: 1. Select the check box to the left of each MAC address that you want to delete, or click the Select All table button to select all entries. 2. Click the Delete table button. Set Up IP/MAC Bindings IP/MAC binding allows you to bind an IP address to a MAC address and the other way around. Some PCs or devices are configured with static addresses.
To set up IP/MAC bindings: 1. Select Network Security > Address Filter > IP/MAC Binding. The IP/MAC Binding screen displays. (The following figure shows some bindings in the IP/MAC Binding table as an example.) Figure 97. 2. Enter the settings as explained in the following table: Table 35. IP/MAC Binding screen settings Setting Description Email IP/MAC Violations Do you want to enable E-mail Logs Select one of the following radio buttons: • Yes.
Table 35. IP/MAC Binding screen settings (continued) Setting Description IP Address The IP address of the PC or device that is bound to the MAC address. Log Dropped Packets To log the dropped packets, select Enable from the drop-down list. The default setting is Disable. 3. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table. 4. Click Apply to save your changes. To edit an IP/MAC binding: 1.
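The binding described above works in both directions, which is easy to get wrong when reasoning about what a violation is. The following added example (not NETGEAR code) models the check and the Log Dropped Packets setting from Table 35 and runs it over constructed sample packets; the binding, addresses and packets are all made up for the demonstration.

```python
"""Added example (not NETGEAR code): a reference model of the IP/MAC
binding check described above. The binding is two-way, so a packet
violates the table when its source IP is bound to a different MAC *or*
its source MAC is bound to a different IP. Addresses that appear in no
binding are left alone. Violations are logged only when the Log Dropped
Packets setting is enabled, mirroring Table 35."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and
    return the lowercase colon-separated form used as the table key."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class IpMacBindingTable:
    log_dropped_packets: bool = False          # Table 35 default is Disable
    ip_to_mac: Dict[str, str] = field(default_factory=dict)
    mac_to_ip: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add(self, ip: str, mac: str) -> None:
        """Bind an IP address to a MAC address and the other way around."""
        ip = str(ipaddress.ip_address(ip))
        mac = normalize_mac(mac)
        if ip in self.ip_to_mac or mac in self.mac_to_ip:
            raise ValueError(f"{ip} or {mac} is already bound")
        self.ip_to_mac[ip] = mac
        self.mac_to_ip[mac] = ip

    def check(self, src_ip: str, src_mac: str) -> Tuple[str, str]:
        """Return ('accept', '') or ('drop', reason) for one LAN packet."""
        ip = str(ipaddress.ip_address(src_ip))
        mac = normalize_mac(src_mac)
        bound_mac = self.ip_to_mac.get(ip)
        bound_ip = self.mac_to_ip.get(mac)
        if bound_mac is not None and bound_mac != mac:
            reason = f"IP {ip} is bound to {bound_mac} but was sent from {mac}"
        elif bound_ip is not None and bound_ip != ip:
            reason = f"MAC {mac} is bound to {bound_ip} but claimed {ip}"
        else:
            return "accept", ""
        if self.log_dropped_packets:
            self.log.append(reason)
        return "drop", reason


def filter_packets(table: IpMacBindingTable, packets) -> Dict[str, int]:
    """Run (src_ip, src_mac) pairs through the table and count the verdicts."""
    counts = {"accept": 0, "drop": 0}
    for src_ip, src_mac in packets:
        verdict, _ = table.check(src_ip, src_mac)
        counts[verdict] += 1
    return counts


# Constructed sample data: one static-address device bound in the table
# and four packets, two of which spoof one half of the binding.
SAMPLE_BINDINGS = [("192.168.1.10", "00:11:22:33:44:55")]
SAMPLE_PACKETS = [
    ("192.168.1.10", "00-11-22-33-44-55"),   # legitimate, other notation
    ("192.168.1.10", "aa:bb:cc:dd:ee:ff"),   # bound IP from a foreign MAC
    ("10.0.0.5", "00:11:22:33:44:55"),       # bound MAC claiming another IP
    ("192.168.1.77", "de:ad:be:ef:00:01"),   # unbound, passes
]


def build_sample_table(log_dropped: bool = True) -> IpMacBindingTable:
    table = IpMacBindingTable(log_dropped_packets=log_dropped)
    for ip, mac in SAMPLE_BINDINGS:
        table.add(ip, mac)
    return table


if __name__ == "__main__":
    t = build_sample_table()
    print(filter_packets(t, SAMPLE_PACKETS))   # {'accept': 2, 'drop': 2}
    for line in t.log:
        print("dropped:", line)
```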
Note these restrictions on port triggering: • Only one PC can use a port-triggering application at any time. • After a PC has finished using a port-triggering application, there is a short time-out period before the application can be used by another PC. This time-out period is required so the UTM can determine that the application has terminated. Note: For additional ways of allowing inbound traffic, see Inbound Rules (Port Forwarding) on page 126.
Table 36. Port Triggering screen settings (continued) Setting Description Outgoing (Trigger) Port Range Start Port The start port (1–65534) of the range for triggering. End Port The end port (1–65534) of the range for triggering. Incoming (Response) Port Range Start Port The start port (1–65534) of the range for responding. End Port The end port (1–65534) of the range for responding. 3. Click the Add table button.
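The one-PC-at-a-time and time-out restrictions above are easiest to understand as a small state machine. The following added example (not NETGEAR code) simulates a port-triggering rule with the trigger and response port ranges from Table 36; the port numbers, host addresses and time-out value are constructed for the demonstration.

```python
"""Added example (not NETGEAR code): a simulation of the port-triggering
behaviour described above. A rule pairs an outgoing (trigger) port range
with an incoming (response) port range. When a LAN host sends traffic to a
port in the trigger range, the rule is armed for that host and inbound
traffic to the response range is forwarded to it. Only one host owns the
rule at a time; it is released only after the time-out elapses with no
further traffic, which is how the gateway decides the application ended.
Port ranges, host addresses and the time-out below are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_MIN, PORT_MAX = 1, 65534   # range accepted by Table 36


def _check_range(r: Tuple[int, int]) -> None:
    start, end = r
    if not (PORT_MIN <= start <= end <= PORT_MAX):
        raise ValueError(f"bad port range {r}: need {PORT_MIN}..{PORT_MAX}, start <= end")


@dataclass
class PortTriggerRule:
    name: str
    trigger: Tuple[int, int]      # outgoing port range that arms the rule
    response: Tuple[int, int]     # incoming port range forwarded while armed
    timeout: float                # idle seconds before another host may trigger
    owner: Optional[str] = None
    last_seen: float = 0.0

    def __post_init__(self) -> None:
        _check_range(self.trigger)
        _check_range(self.response)

    def _expire(self, now: float) -> None:
        """Release the rule once the owner has been idle for the time-out."""
        if self.owner is not None and now - self.last_seen >= self.timeout:
            self.owner = None

    def outbound(self, src_ip: str, dst_port: int, now: float) -> str:
        """Process an outbound LAN packet. Returns 'ignored' (not a trigger
        port), 'busy' (another host still owns the rule) or 'armed'."""
        if not self.trigger[0] <= dst_port <= self.trigger[1]:
            return "ignored"
        self._expire(now)
        if self.owner is not None and self.owner != src_ip:
            return "busy"
        self.owner, self.last_seen = src_ip, now
        return "armed"

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Process an inbound WAN packet. Returns the LAN host it is forwarded
        to, or None when it is dropped (wrong port, no owner, or expired)."""
        if not self.response[0] <= dst_port <= self.response[1]:
            return None
        self._expire(now)
        if self.owner is None:
            return None
        self.last_seen = now     # activity keeps the rule alive
        return self.owner


def scenario() -> list:
    """Two hosts contend for one rule; returns the sequence of outcomes."""
    rule = PortTriggerRule("ident-example", trigger=(6660, 6669),
                           response=(113, 113), timeout=30)
    return [
        rule.outbound("192.168.1.10", 6667, now=0),    # armed for .10
        rule.inbound(113, now=1),                       # forwarded to .10
        rule.outbound("192.168.1.20", 6667, now=2),    # busy: .10 owns it
        rule.inbound(80, now=3),                        # not a response port
        rule.inbound(113, now=62),                      # idle > timeout: dropped
        rule.outbound("192.168.1.20", 6667, now=63),   # armed for .20
        rule.inbound(113, now=64),                      # forwarded to .20
    ]


if __name__ == "__main__":
    for step in scenario():
        print(step)
```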
Configure Universal Plug and Play The Universal Plug and Play (UPnP) feature enables the UTM to automatically discover and configure devices when it searches the LAN and WAN. 1. Select Security > UPnP. The UPnP screen displays: Figure 100. The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the UTM and that have been automatically detected by the UTM: • Active.
Use the Intrusion Prevention System The Intrusion Prevention System (IPS) of the UTM monitors all network traffic to detect, in real time, network attacks and port scans and to protect your network from such intrusions. You can set up alerts, block source IP addresses from which port scans are initiated, and drop traffic that carries attacks.
When you enable the IPS, the default IPS configuration goes into effect. The default IPS configuration is the configuration that the Advanced screen returns to when you click the factory default reset button. To modify the default IPS configuration: 1. Select Network Security > IPS > Advanced. The Advanced screen displays. This screen displays sections for the different categories of attacks such as Web, Mail, Databases, and so on.
2. In the Enabled column for each section, either select individual attacks by selecting the check boxes to the left of the names, or select all attacks for that category by selecting the top leftmost check box to the left of All web attacks. 3.
6. Content Filtering and Optimizing Scans This chapter describes how to apply the content-filtering features of the UTM and how to optimize scans to protect your network.
Note: The UTM9S can quarantine spam and malware only if you have integrated a ReadyNAS (see Connect to a ReadyNAS on page 415) and configured the quarantine settings (see Configure the Quarantine Settings on page 416). Default Email and Web Scan Settings For most network environments, the default scan settings and actions that are shown in the following table work well, but you can adjust these to the needs of your specific environment. Table 38.
Table 38. Default email and web scan settings (continued) Scan type Default scan setting Politics and Religion Allowed Sexual Content Blocked Technology Allowed Default action (if applicable) a. Files or messages that are larger than 2048 KB are skipped by default.
2. In the Email section of the screen, select the protocols to scan by selecting the Enable check boxes, and enter the port numbers if different from the default port numbers: • SMTP. Simple Mail Transfer Protocol (SMTP) scanning is enabled by default on port 25. • POP3. Post Office Protocol 3 (POP3) scanning is enabled by default on port 110. • IMAP. Internet Message Access Protocol (IMAP) scanning is enabled by default on port 143. 3.
Figure 104.
2. Enter the settings as explained in the following table: Table 39. Email Anti-Virus screen settings Setting Description Action SMTP From the SMTP drop-down list, select one of the following actions to be taken when an infected email is detected: • Block infected email. This is the default setting. The email is blocked, and a log entry is created. • Delete attachment. The email is not blocked, but the attachment is deleted, and a log entry is created.
Table 39. Email Anti-Virus screen settings (continued) Setting Description Notification Settings Insert Warning into Email Subject (SMTP) For SMTP email messages, select this check box to insert a warning into the email subject line: • Malware Found. If a malware threat is found, a [MALWARE INFECTED] message is inserted. You can change this default message. • No Malware Found. If no malware threat is found, a [MALWARE FREE] message is inserted.
Table 39. Email Anti-Virus screen settings (continued) Setting Description Subject The default subject line for the notification email is Malware detected! You can change this subject line. Message The warning message informs the sender, the recipient, or both about the name of the malware threat. You can change the default message to include more information.
Figure 105. 2. Enter the settings as explained in the following table: Table 40. Email Filters screen settings Setting Description Filter by Subject Keywords Keywords Enter keywords that should be detected in the email subject line. Use commas to separate different keywords. The total maximum length of this field is 2048 characters, excluding duplicate words and delimiter commas.
Table 40. Email Filters screen settings (continued) Setting Description Action SMTP From the SMTP drop-down list, select one of the following actions when a keyword that is defined in the Keywords field is detected: • Block email. The email is blocked, and a log entry is created. • Log only. This is the default setting. Only a log entry is created. The email is not blocked.
Table 40. Email Filters screen settings (continued) Setting Description Action SMTP POP3 IMAP From the drop-down list, select an action to be taken when an email attachment with a file extension that is defined in the File Extension field is detected. The drop-down list selections and defaults are the same as the ones for the Filter by Password-Protected Attachments (ZIP, RAR, etc.) section that is described earlier in this table.
Note: Emails that are processed through the UTM over an authenticated email connection between a client and a mail server are not checked for spam. Note: An email that has been checked for spam by the UTM contains an X-STM-SMTP (for SMTP emails) or X-STM-POP3 (for POP3 emails) tag in its header.
Figure 106.
2. Enter the settings as explained in the following table: Table 41. Whitelist/Blacklist screen settings Setting Description Sender IP Address (SMTP Only) Whitelist Enter the source IP addresses from which emails can be trusted. Blacklist Enter the source IP addresses from which emails are blocked. Click Apply to save your settings, or click Reset to clear all entries from these fields.
By default, the UTM comes with three pre-defined blacklist providers: Dsbl, Spamhaus, and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL sources. To enable the real-time blacklist: 1. Select Application Security > Anti-Spam > Real-time Blacklist. The Real-Time Blacklist screen displays: Figure 107. 2. To enable the Real-Time Blacklist function, select the Enable check box. 3.
Configure Distributed Spam Analysis Spam, phishing, and other email-borne threats consist of millions of messages intentionally composed differently to evade commonly used filters. Nonetheless, all messages within the same outbreak share at least one unique, identifiable value that can be used to distinguish the outbreak.
Figure 108. The UTM9S also has a Send Quarantine Spam Report section at the bottom of the Distributed Spam Analysis screen: Figure 109. 2. Enter the settings as explained in the following table: Table 42. Distributed Spam Analysis screen settings Setting Description Distributed Spam Analysis SMTP Select the SMTP check box to enable distributed spam analysis for the SMTP protocol. (You can enable distributed spam analysis for both SMTP and POP3.
Table 42. Distributed Spam Analysis screen settings (continued) Setting Description POP3 Select the POP3 check box to enable distributed spam analysis for the POP3 protocol. (You can enable distributed spam analysis for both SMTP and POP3.) Sensitivity From the Sensitivity drop-down list, select the level of sensitivity for the antispam engine that performs the analysis: Low, Medium-Low, Medium, Medium-High (the default setting), or High.
Table 42. Distributed Spam Analysis screen settings (continued) Setting Description Send Quarantine Spam Report Note: This option is supported on the UTM9S only (see the Note on page 176). Enable To enable the UTM9S to automatically email a spam report, select the Enable check box, and specify when the reports should be sent. Specify when the reports should be sent by selecting one of the following radio buttons: • Weekly.
HTTP, but not HTTPS (if this last protocol is not often used). For more information about performance, see Performance Management on page 389. To configure the web protocols, ports, and applications to scan: 1. Select Application Security > Services. The Services screen displays: Figure 110. 2. Enter the settings as explained in the following table.
Note: For information about email protocols and ports, see Customize Email Protocol Scan Settings on page 178. Table 43. Services screen settings Setting Description Web HTTP Select the HTTP check box to enable Hypertext Transfer Protocol (HTTP) scanning. This service is enabled by default and uses default port 80. HTTPS Select the HTTPS check box to enable Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS).
Table 43. Services screen settings (continued) Setting Description Media Applications iTunes (Music Store, update) QuickTime (Update) Real Player (Guide) Rhapsody (Guide, Music Store) Winamp (Internet Radio/TV) Scanning of these media applications is disabled by default. To enable any of these applications, select the corresponding check box. SSL Handshaking to Websites Note: SSL handshaking is supported on the UTM9S only.
Figure 111. 2. Enter the settings as explained in the following table: Table 44. Malware Scan screen settings Setting Description Action HTTP and HTTPS Action From the HTTP or HTTPS drop-down list, specify one of the following actions to be taken when an infected web file or object is detected: • Delete file. This is the default setting. The web file or object is deleted, and a log entry is created. • Log only. Only a log entry is created.
Table 44. Malware Scan screen settings (continued) Setting Description Scan Exception The default maximum size of the file or object that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM’s performance (see Performance Management on page 389).
The following are keyword blocking examples: - If the keyword XXX is specified, the URL www.zzyyqq.com/xxx.html is blocked, as is the newsgroup alt.pictures.XXX. - If the keyword .com is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed. - If a period (.) is specified as the keyword, all Internet browsing access is blocked. Note: Wildcards (*) are supported. For example, if www.net*.
Note: You can bypass any type of web blocking for trusted URLs by adding the URLs to the whitelist (see Configure Web URL Filtering on page 206). Access to the URLs on the whitelist is allowed for PCs in the groups for which file extension, keyword, object, or category blocking, or a combination of these types of web blocking has been enabled. To configure web content filtering: 1. Select Application Security > HTTP/HTTPS > Content Filtering.
Figure 113.
Figure 114. Content filtering, screen 3 of 3 2. Enter the settings as explained in the following table: Table 45. Content Filtering screen settings Setting Description Content Filtering Log HTTP Traffic Select this check box to log HTTP traffic. For information about how to view the logged traffic, see Query the Logs on page 460. By default, HTTP traffic is logged.
Table 45. Content Filtering screen settings (continued) Setting Description Block Files with the Following Extensions By default, the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions. The maximum total length of this field, excluding the delimiter commas, is 160 characters.
Table 45. Content Filtering screen settings (continued) Setting Description Select the Web Categories You Wish to Block Select the Enable Blocking check box to enable blocking of web categories. (By default, this check box is selected.) Select the check boxes of any web categories that you want to block. Use the action buttons at the top of the section in the following way: • Allow All. All web categories are allowed. • Block All.
Table 45. Content Filtering screen settings (continued) Setting Description Web Category Lookup URL Enter a URL to find out if it has been categorized, and if so, in which category. Then click the lookup button. If the URL has been categorized, the category displays next to Lookup Results. If the URL appears to be uncategorized, you can submit it to NETGEAR for analysis.
To configure web URL filtering: 1. Select Application Security > HTTP/HTTPS > URL Filtering. The URL Filtering screen displays. The following figure shows some URLs as examples: Figure 115.
2. Enter the settings as explained in the following table: Table 46. URL Filtering screen settings Setting Description Whitelist Enable Select this check box to bypass scanning of the URLs that are listed in the URL field. Users are allowed to access the URLs that are listed in the URL field. URL This field contains the URLs for which scanning is bypassed.
Table 46. URL Filtering screen settings (continued) Setting Description URL (continued) Delete To delete one or more URLs, highlight the URLs, and click the Delete table button. Export To export the URLs, click the Export table button, and follow the instructions of your browser. Add URL Type or copy a URL in the Add URL field. Then click the Add table button to add the URL to the URL field. Note: Start the URL with http:// or https://.
Figure 116. The HTTPS scanning process functions with the following principles: • The UTM breaks up an SSL connection between an HTTPS server and an HTTP client into two parts: - A connection between the HTTPS client and the UTM - A connection between the UTM and the HTTPS server • The UTM simulates the HTTPS server communication to the HTTPS client, including the SSL negotiation, certificate exchange, and certificate authentication.
Figure 117. However, even when a certificate is trusted or still valid, or when the name of a certificate does match the name of the website, a security alert message still displays when a user who is connected to the UTM visits an HTTPS site. The appearance of this security alert message is expected behavior because the HTTPS client receives a certificate from the UTM instead of directly from the HTTPS server.
Figure 118. 2. Enter the settings as explained in the following table: Table 47. HTTPS Settings screen settings Setting Description HTTP Tunneling Select this check box to allow scanning of HTTPS connections through an HTTP proxy. This setting is disabled by default. Traffic from trusted hosts is not scanned (see Specify Trusted Hosts on page 218).
Table 47. HTTPS Settings screen settings (continued) Setting Description HTTPS SSL Settings Select the Allow the UTM to handle HTTPS connections using SSLv2 check box to allow HTTPS connections using SSLv2, SSLv3, or TLSv1. If this check box is cleared, the UTM allows HTTPS connections using SSLv3 or TLSv1, but not using SSLv2.
Figure 119. The UTM contains a self-signed certificate from NETGEAR. This certificate can be downloaded from the UTM login screen or from the Certificate Management screen for browser import.
Figure 120. Certificate management, screen 1 of 3 The top part of the Certificate Used for HTTPS Scans section displays information about the current certificate that is used for HTTPS scans. Note: For information about the HTTPS scanning process, see HTTPS Scan Settings on page 209. To download the current certificate into your browser: 1. Click Download for Browser Import. 2. Follow the instructions of your browser to save the RootCA.
5. Click the Upload button. Note: If the certificate file is not in the pkcs12 format, the upload fails. Importing a new certificate overwrites any previously imported certificates. 6. Click Apply to save your settings. Manage Trusted HTTPS Certificates To manage trusted certificates, select Web Security > Certificate Management. The Certificate Management screen displays.
To view details of a trusted certificate: 1. From the Trusted Certificates table, select the certificate. 2. Click View Details. A new screen opens that displays the details of the certificate. To delete a trusted certificate: 1. From the Trusted Certificates table, select the certificate. 2. Click Delete Selected. Manage Untrusted HTTPS Certificates To manage untrusted certificates, select Web Security > Certificate Management.
Specify Trusted Hosts You can specify trusted hosts for which the UTM bypasses HTTPS traffic scanning and security certificate authentication. The security certificate is sent directly to the client for authentication, which means that the user does not receive a security alert for trusted hosts. For more information about security alerts, see Manage Self-Signed Certificates on page 384. Note that certain sites contain elements from different HTTPS hosts.
Table 48. Trusted Hosts screen settings (continued) Setting Description Hosts This field contains the trusted hosts for which scanning is bypassed. To add a host to this field, use the Add Host field or the Import from File tool (see the explanation later in this table). You can add a maximum of 200 URLs. Add Host Delete To delete one or more hosts, highlight the hosts, and click the Delete table button.
Figure 124. 2. Enter the settings as explained in the following table: Table 49. FTP screen settings Setting Description Action FTP Action From the FTP drop-down list, select one of the following actions to be taken when an infected FTP file or object is detected: • Delete file. This is the default setting. The FTP file or object is deleted, and a log entry is created. • Log only. Only a log entry is created. The FTP file or object is not deleted.
Table 49. FTP screen settings (continued) Setting Description Block Files with the Following Extensions By default, the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions. The maximum total length of this field, excluding the delimiter commas, is 160 characters.
Note: Users and groups to which access exception rules apply are not the same as LAN groups. For information about how to specify members of a LAN group and to customize LAN group names, see Configure Authentication Domains, Groups, and Users on page 345.
Figure 125. 2. Under the Exceptions table, click the Add table button to specify an exception rule. The Add or Edit or Block/Accept Exceptions screen displays: Figure 126.
3. Complete the fields and make your selections from the drop-down lists as explained in the following table: Table 50. Edit or Block/Accept Exceptions screen settings Setting Description Action From the drop-down list, select the action that the UTM applies: • Allow. The exception allows access to an application, web category, or URL that is otherwise blocked. • Block.
Table 50. Edit or Block/Accept Exceptions screen settings (continued) Setting Description Domain User/Group (continued) Unauthenticated Click the Apply button to apply the exception to all unauthenticated users. These are users who have not actively logged in to the UTM. By default, these users are assigned the account name anonymous. Local Groups Do the following: 1. From the Name drop-down list, select a local group. 2.
Table 50. Edit or Block/Accept Exceptions screen settings (continued) Setting Description Domain User/Group (continued) Custom Groups Do the following: 1. From the Name drop-down list, select a custom group. 2. Click the Apply button to apply the exception to the selected group. You can specify custom groups on the Custom Groups screen (see Create Custom Groups for Web Access Exceptions on page 228).
ProSecure Unified Threat Management (UTM) Appliance Table 50. Edit or Block/Accept Exceptions screen settings (continued) Setting Description Category (and related information) (continued) URL Filtering The action applies to a URL. The following radio buttons, field, and drop-down list display onscreen. Select a radio button to either enter a URL expression or select a custom URL list. • Expression. Select the upper radio button, and enter a URL or URL expression such as *video* or *chat*.
ProSecure Unified Threat Management (UTM) Appliance • Enable. Enables the rule or rules. The ! status icon changes from a gray circle to a green circle, indicating that the rule is or rules are enabled. • Delete. Deletes the rule or rules. The table rank of the exception rule in the Exceptions table determines the order in which the rule is applied (from the top down). To change the position of the rules in the table, select one or more a rules, and then click one of the following table buttons: • Up.
Figure 128.
3. Complete the fields and make your selections from the drop-down lists as explained in the following table:
Table 51. Custom Groups screen settings
Name: A name of the custom group for identification and management purposes.
Brief Description: A description of the custom group for identification and management purposes.

Table 51. Custom Groups screen settings (continued)
Users/Groups to this group
Add Local Groups: Do the following:
1. From the Name drop-down list, select a local group.
2. Click the Add button to add the selected local group to the custom group. Repeat this step to add more local groups to the custom group.
You can specify local groups on the Groups screen (see Create and Delete Groups on page 359).

Table 51. Custom Groups screen settings (continued)
Users/Groups to this group (continued)
Add RADIUS User: Do the following:
1. From the Domain drop-down list, select a RADIUS domain.
2. From the VLAN ID/Name drop-down list, select a VLAN ID or VLAN name.
3. Click the Add button to add the selected VLAN ID or VLAN name to the custom group. Repeat this step to add more VLAN IDs or VLAN names to the custom group.

Figure 129.
2. Under the Custom Categories table, click the Add table button to specify a custom category. The Add Custom Category screen displays. The nature of the screen depends on your selection from the Category Type drop-down list, which is set by default to Applications (this selection is shown in the following figure). The URL Filtering and Web Categories settings are shown in Figure 131 on page 233 and Figure 132 on page 233, respectively.

Figure 131. Custom categories: URL filtering
Figure 132.

3. Complete the fields and make your selections from the drop-down lists as explained in the following table:
Table 52. Custom Categories screen settings
Name: A name of the custom category for identification and management purposes.
Brief Description: A description of the custom category for identification and management purposes.

Table 52. Custom Categories screen settings (continued)
Category Type: URL Filtering (continued)
Import from File field: To import a list with URLs into the URLs in this Category field, click the Browse button and navigate to a file in .txt format that contains line-delimited URLs (that is, one URL per line). Then click the Upload table button to add the URLs to the URLs in this Category field.

server do not need to be scanned. To prevent the UTM from scanning these files, you can configure a scanning exclusion for your web server.
To configure scanning exclusion rules:
1. Select Application Security > Scanning Exclusions. The Scanning Exclusions screen displays. This screen shows the Scanning Exclusions table, which is empty if you have not specified any exclusions. (The following figure shows one exclusion rule in the table as an example.)
7. Virtual Private Networking Using IPSec Connections
This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the UTM to provide secure, encrypted communications between your local network and a remote network or computer.

The use of fully qualified domain names (FQDNs) in VPN policies is mandatory when the WAN ports function in auto-rollover mode or load balancing mode, and is also required for VPN tunnel failover. When the WAN ports function in load balancing mode, you cannot configure VPN tunnel failover. An FQDN is optional when the WAN ports function in load balancing mode if the IP addresses are static, but mandatory if the WAN IP addresses are dynamic.

Table 54. IP addressing for VPNs in dual WAN port systems (continued)
Configuration and WAN IP address / Rollover mode / Load balancing mode
VPN Gateway-to-Gateway (gateway to gateway)
  Fixed: Rollover mode, FQDN required; Load balancing mode, FQDN allowed (optional)
  Dynamic: Rollover mode, FQDN required; Load balancing mode, FQDN required
VPN Telecommuter (client to gateway through a NAT router)
  Fixed: Rollover mode, FQDN required; Load balancing mode, FQDN allowed (optional)
  Dynamic: Rollover mode, FQDN required; Load balancing mode, FQDN required
To set up a gateway-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays (see the following figure, which shows the VPN Wizard screen for the UTM50 and contains an example).
The Connection Name and Remote IP Type section of the VPN Wizard screen shows the following minor differences for the various UTM models:
• Single WAN port models. No WAN selection drop-down list.

Figure 138.
2. Select the radio buttons and complete the fields as explained in the following table:
Table 55. IPSec VPN Wizard settings for a gateway-to-gateway tunnel
About VPN Wizard
This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port's IP address or Internet name displays in the End Point Information section of the screen.

Table 55. IPSec VPN Wizard settings for a gateway-to-gateway tunnel (continued)
End Point Information
What is the Remote WAN's IP Address or Internet Name? Enter the IP address or Internet name (FQDN) of the WAN interface on the remote VPN tunnel endpoint.

4. Configure a VPN policy on the remote gateway that allows connection to the UTM.
5. Activate the IPSec VPN connection:
a. Select Monitoring > Active Users & VPNs > IPSec VPN Connection Status. The IPSec VPN Connection Status screen displays. (The UTM9S also shows the PPTP Active Users and L2TP Active Users tabs.)
Figure 140.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.

To configure a VPN client tunnel, follow the steps in the following sections:
• Use the VPN Wizard to Configure the Gateway for a Client Tunnel on page 244.
• Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 246 or Manually Create a Secure Connection Using the NETGEAR VPN Client on page 251.
Use the VPN Wizard to Configure the Gateway for a Client Tunnel
To set up a client-to-gateway VPN tunnel using the VPN Wizard:
1.

2. Select the radio buttons and complete the fields as explained in the following table:
Table 56. IPSec VPN Wizard settings for a client-to-gateway tunnel
About VPN Wizard
This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote FQDN (utm_remote.com) and the default local FQDN (utm_local.com) display in the End Point Information section of the screen.

Figure 143.
Note: When you are using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
4. Optional step: Collect the information that you need to configure the VPN client.
Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed.
To use the Configuration Wizard to set up a VPN connection between the VPN client and the UTM:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays.
Figure 144.
1. From the main menu on the Configuration Panel screen, select Configuration > Wizard.

Figure 145.
2. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays.
Figure 146.
3. Specify the following VPN tunnel parameters:
• IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the UTM. For example, enter 10.34.116.22.
• Preshared key. Enter the pre-shared key that you already specified on the UTM.

4. Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays.
Figure 147.
5. This screen summarizes the new VPN configuration. Click Finish.
6. Specify the local and remote IDs:
a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
b.

c. Specify the settings that are explained in the following table.
Table 58. VPN client advanced authentication settings
Advanced features
Aggressive Mode: Select this check box to enable aggressive mode as the mode of negotiation with the UTM.
NAT-T: Select Automatic from the drop-down list to enable the VPN client and UTM to negotiate NAT-T.

Figure 149.
b. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the UTM.
• Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the UTM.
8.
Configure the Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays.
Figure 150.
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1.
Figure 151.
3. Change the name of the authentication phase (the default is Gateway):
a.

Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
Figure 152.
4. Specify the settings that are explained in the following table.
Table 59.

5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays.
Figure 153.
7. Specify the settings that are explained in the following table.
Table 60.

Table 60. VPN client advanced authentication settings (continued)
Local and Remote ID
Local ID: As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the UTM configuration. As the value of the ID, enter utm_remote.com as the local ID for the VPN client.
Note: The remote ID on the UTM is the local ID on the VPN client. It might be less confusing to configure an FQDN such as client.

Figure 154.
3. Specify the settings that are explained in the following table.
Table 61. VPN client IPSec configuration settings
VPN Client address: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the UTM's LAN; the computer (for which the VPN client opened a tunnel) appears in the LAN with this IP address.
Address Type: Select Subnet address from the drop-down list.

Table 61. VPN client IPSec configuration settings (continued)
ESP
Encryption: Select 3DES as the encryption algorithm from the drop-down list.
Authentication: Select SHA-1 as the authentication algorithm from the drop-down list.
Mode: Select Tunnel as the encapsulation mode from the drop-down list.
PFS and Group: Select the PFS check box, and then select the DH2 (1024) key group from the drop-down list.

2. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the UTM.
• Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the UTM.
3. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.

• Use the Connection Panel screen. On the main menu of the Configuration Panel screen, select Tools > Connection Panel to open the Connection Panel screen. Perform one of the following tasks:
- Double-click Gateway-Tunnel.
- Right-click Gateway-Tunnel, and select Open tunnel.
- Click Gateway-Tunnel, and press Ctrl+O.
Figure 157.
• Use the system-tray icon. Right-click the system tray icon, and select Open tunnel 'Tunnel'.
Figure 158.
NETGEAR VPN Client Status and Log Information
To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays.
Figure 161.
View the UTM IPSec VPN Connection Status
To review the status of current IPSec VPN tunnels, select Monitoring > Active Users & VPNs > IPSec VPN Connection Status.

The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button.
Table 62.

Manage IPSec VPN Policies
After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies, or manually add new VPN and IKE policies directly in the policy tables.

IKE Policies Screen
To access the IKE Policies screen: Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view. (The following figure shows some examples.)
Figure 164.
Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 64 on page 266.
Table 63.

To delete one or more IKE policies:
1. Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all IKE policies.
2. Click the Delete table button.
For information about how to add or edit an IKE policy, see Manually Add or Edit an IKE Policy on page 264.
Note: You can delete or edit an IKE policy for which the VPN policy is active without first disabling or deleting the VPN policy.

Figure 165.
3. Complete the fields, select the radio buttons, and make your selections from the drop-down lists as explained in the following table:
Table 64. Add IKE Policy screen settings
Mode Config Record
Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation on page 281.

Table 64. Add IKE Policy screen settings (continued)
Identifier Type: From the drop-down list, select one of the following ISAKMP identifiers to be used by the UTM, and then specify the identifier in the Identifier field:
• Local WAN IP. The WAN IP address of the UTM. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
• FQDN. The Internet address for the UTM.

Table 64. Add IKE Policy screen settings (continued)
Authentication Method: Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the UTM and the remote endpoint.
• RSA-Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen (see Manage Self-Signed Certificates on page 384).

Table 64. Add IKE Policy screen settings (continued)
Extended Authentication
XAUTH Configuration: Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device.
Note: For more information about

• Manual. You manually enter all settings (including the keys) for the VPN tunnel on the UTM and on the remote VPN endpoint. No third-party server or organization is involved.
• Auto. Some settings for the VPN tunnel are generated automatically through the use of the IKE (Internet Key Exchange) Protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint).
Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 66 on page 273.
Table 65. List of VPN Policies table information
! (Status): Indicates whether the policy is enabled (green circle) or disabled (gray circle). To enable or disable a policy, select the check box adjacent to the circle, and click the Enable or Disable table button, as appropriate.

Manually Add or Edit a VPN Policy
To manually add a VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 166 on page 270).
2. Under the List of VPN Policies table, click the Add table button. The Add VPN Policy screen displays (see the following figure, which shows the UTM50 screen).

3. Complete the fields, select the radio buttons and check boxes, and make your selections from the drop-down lists as explained in the following table:
Table 66. Add New VPN Policy screen settings
General
Policy Name: A descriptive name of the VPN policy for identification and management purposes.
Note: The name is not supplied to the remote VPN endpoint.

Table 66. Add New VPN Policy screen settings (continued)
Enable Keepalive: Select a radio button to specify if keep-alive is enabled:
• Yes. This feature is enabled: Periodically, the UTM sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.

Table 66. Add New VPN Policy screen settings (continued)
Encryption Algorithm: From the drop-down list, select one of the following five algorithms to negotiate the security association (SA):
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.

Table 66. Add New VPN Policy screen settings (continued)
Auto Policy Parameters
Note: These fields apply only when you select Auto Policy as the policy type.
SA Lifetime: The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and needs to be renegotiated. From the drop-down list, select how the SA lifetime is specified:
• Seconds.
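The phase 1 (IKE policy) and phase 2 (VPN policy) parameters in Tables 64 and 66 have to agree with the client's Authentication and IPSec settings in Tables 58 through 61, and the lifetime mismatch (client defaults 3600/1200 versus the UTM's 28800/3600) is the usual reason a freshly configured tunnel does not come up. The following audit script is an added example, not NETGEAR's code; it takes the values from this chapter, assumes that the phase 1 cipher choices mirror the phase 2 ones (the page does not list them), and also flags the legacy algorithm choices (3DES, SHA-1, DH2) that the wizard defaults to.

```python
# Added example (not NETGEAR's code): consistency and strength audit for an IPSec tunnel
# definition modelled on the UTM's IKE policy (phase 1) and VPN policy (phase 2) fields
# and the NETGEAR VPN client settings from Tables 58 through 61.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Phase1:
    """IKE policy on the UTM, or the client's Authentication settings."""
    exchange_mode: str        # "Main" or "Aggressive"
    encryption: str           # assumed field (page does not list phase 1 ciphers)
    integrity: str            # assumed field
    dh_group: str             # e.g. "DH2" (1024-bit MODP)
    auth_method: str          # "Pre-shared key" or "RSA-Signature"
    lifetime_seconds: int     # 28800 on the UTM
    local_id: str             # FQDN identifier
    remote_id: str


@dataclass(frozen=True)
class Phase2:
    """VPN policy on the UTM, or the client's IPSec settings."""
    encryption: str           # DES, 3DES, AES-128, AES-192, AES-256
    integrity: str            # e.g. "SHA-1"
    mode: str                 # "Tunnel"
    pfs_group: Optional[str]  # None when the PFS check box is cleared
    lifetime_seconds: int     # 3600 on the UTM


# Choices a reviewer would flag even though the appliance offers them.
LEGACY_ENCRYPTION = {"DES", "3DES"}
LEGACY_INTEGRITY = {"MD5", "SHA-1"}
LEGACY_DH = {"DH1", "DH2"}   # 768- and 1024-bit MODP groups


def _diff(label, gateway, client, attrs):
    """Report every attribute on which the two sides disagree."""
    out = []
    for attr in attrs:
        g, c = getattr(gateway, attr), getattr(client, attr)
        if g != c:
            out.append(f"{label} {attr}: UTM={g!r} client={c!r}")
    return out


def phase1_mismatches(gateway: Phase1, client: Phase1) -> list:
    problems = _diff("phase1", gateway, client,
                     ("exchange_mode", "encryption", "integrity", "dh_group",
                      "auth_method", "lifetime_seconds"))
    # Identifiers are mirrored: the UTM's remote ID is the client's local ID (Table 60 note).
    if gateway.remote_id != client.local_id:
        problems.append(f"phase1 identifier: UTM remote ID {gateway.remote_id!r} "
                        f"!= client local ID {client.local_id!r}")
    if gateway.local_id != client.remote_id:
        problems.append(f"phase1 identifier: UTM local ID {gateway.local_id!r} "
                        f"!= client remote ID {client.remote_id!r}")
    return problems


def phase2_mismatches(gateway: Phase2, client: Phase2) -> list:
    return _diff("phase2", gateway, client,
                 ("encryption", "integrity", "mode", "pfs_group", "lifetime_seconds"))


def strength_findings(p1: Phase1, p2: Phase2) -> list:
    """Defender-side review of the negotiated choices; an empty list means nothing to flag."""
    findings = []
    if p1.exchange_mode == "Aggressive":
        findings.append("IKE aggressive mode: identities are exchanged before encryption "
                        "is established; prefer main mode where the client supports it")
    for phase, enc, integ in (("IKE", p1.encryption, p1.integrity),
                              ("IPSec", p2.encryption, p2.integrity)):
        if enc in LEGACY_ENCRYPTION:
            findings.append(f"{phase} encryption {enc}: legacy cipher, prefer AES")
        if integ in LEGACY_INTEGRITY:
            findings.append(f"{phase} integrity {integ}: legacy hash, prefer SHA-2")
    if p1.dh_group in LEGACY_DH:
        findings.append(f"IKE group {p1.dh_group}: small modulus, prefer a larger group")
    if p2.pfs_group is None:
        findings.append("PFS disabled: a compromised IKE key exposes past IPSec keys")
    elif p2.pfs_group in LEGACY_DH:
        findings.append(f"PFS group {p2.pfs_group}: small modulus, prefer a larger group")
    return findings


# Values from this chapter; the client straight out of its wizard still carries the
# default lifetimes (3600 / 1200) that the text tells you to change.
UTM_P1 = Phase1("Aggressive", "3DES", "SHA-1", "DH2", "Pre-shared key", 28800,
                local_id="utm_local.com", remote_id="utm_remote.com")
UTM_P2 = Phase2("3DES", "SHA-1", "Tunnel", "DH2", 3600)
CLIENT_P1_DEFAULT = Phase1("Aggressive", "3DES", "SHA-1", "DH2", "Pre-shared key", 3600,
                           local_id="utm_remote.com", remote_id="utm_local.com")
CLIENT_P2_DEFAULT = Phase2("3DES", "SHA-1", "Tunnel", "DH2", 1200)


def audit(gw1, gw2, cl1, cl2):
    """Return (mismatches, findings) for a full tunnel definition."""
    return (phase1_mismatches(gw1, cl1) + phase2_mismatches(gw2, cl2),
            strength_findings(gw1, gw2))


if __name__ == "__main__":
    mismatches, findings = audit(UTM_P1, UTM_P2, CLIENT_P1_DEFAULT, CLIENT_P2_DEFAULT)
    for line in mismatches:
        print("MISMATCH:", line)
    for line in findings:
        print("FINDING: ", line)
```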
2. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. This screen shows the same fields as the Add VPN Policy screen (see Figure 167 on page 272).
3. Modify the settings that you wish to change (see the previous table).
4. Click Apply to save your changes. The modified VPN policy is displayed in the List of VPN Policies table.

To enable and configure XAUTH:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 164 on page 263).
2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 165 on page 265).
3.

RADIUS Client Configuration
Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network when a user requests access to network resources.

Table 68. RADIUS Client screen settings (continued)
Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the primary RADIUS server. The same secret phrase needs to be configured on both the client and the server.
Primary Server NAS Identifier: The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request.
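The secret phrase and NAS identifier in Table 68 matter because of how RFC 2865 uses them: the UTM (acting as the NAS) hides the user's password with the secret and a per-request random authenticator, and the server's reply is only accepted if its response authenticator was computed with the same secret. The following is an added example, not NETGEAR's code, that builds the Access-Request, plays a minimal server, and verifies the reply; the user name, password, secret and NAS identifier are constructed values.

```python
# Added example (not NETGEAR's code): the RFC 2865 Access-Request exchange behind the
# RADIUS Client screen, built from scratch so the role of the shared secret and the
# NAS identifier is visible. All names, passwords and secrets below are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
HEADER = struct.Struct("!BBH")   # code, identifier, length; a 16-byte authenticator follows


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one type-length-value attribute (length counts the 2 header bytes)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> list:
    """Decode the attribute list of a packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block           # chaining: the next key block depends on this cipher block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of section 5.2; only a holder of the same secret can invert the hiding.
    Trailing NUL padding is stripped, so passwords ending in NUL bytes are not supported."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(chunk, key))
        prev = chunk
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_id, secret, request_auth=None):
    """What the NAS (here, the UTM) sends to the primary RADIUS server."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IDENTIFIER, nas_id))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(attrs))
                       + request_auth + attrs + secret).digest()


def server_reply(request, secret, users, expected_nas_id):
    """Minimal server: check the NAS identifier and credentials, answer Accept or Reject."""
    _code, identifier, _length = HEADER.unpack(request[:4])
    request_auth, attrs = request[4:20], dict(parse_attributes(request[20:]))
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = (attrs.get(NAS_IDENTIFIER) == expected_nas_id
          and users.get(attrs.get(USER_NAME)) == password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (HEADER.pack(reply_code, identifier, 20)
            + response_authenticator(reply_code, identifier, b"", request_auth, secret))


def verify_reply(reply, request, secret):
    """Client side: return the reply code only if the reply matches our request and the
    shared secret; None means the reply must be discarded."""
    if len(reply) < 20 or reply[1] != request[1] or HEADER.unpack(reply[:4])[2] != len(reply):
        return None
    code = reply[0]
    expected = response_authenticator(code, reply[1], reply[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None
```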
Assign IP Addresses to Remote Users (Mode Config)
To simplify the process of connecting remote VPN clients to the UTM, use the Mode Config feature to automatically assign IP addresses to remote users, including a network access IP address, subnet mask, WINS server, and DNS address. Remote users are given IP addresses available in a secured network space so that remote users appear as seamless extensions of the network.

Figure 169.
As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales:
• For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and a second pool (172.16.200.1 through 172.16.200.99) are shown.
• For NA Sales, a first pool (172.25.100.50 through 172.25.100.99), a second pool (172.25.210.1 through 172.25.210.99), and a third pool (172.25.220.80 through 172.25.220.99) are shown.
2.

Figure 170.
3. Complete the fields, select the check box, and make your selections from the drop-down lists as explained in the following table:
Table 69. Add Mode Config Record screen settings
Client Pool
Record Name: A descriptive name of the Mode Config record for identification and management purposes.

Table 69. Add Mode Config Record screen settings (continued)
WINS Server: If there is a WINS server on the local network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.
DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.

5. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 164 on page 263).
6. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays. (The following figure shows the upper part only of a multiple WAN port model screen.)

Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 64 on page 266 explains the general IKE policy settings.
Table 70. IKE policy settings for a Mode Config configuration
Mode Config Record
Do you want to use Mode Config Record? Select the Yes radio button.

Table 70. IKE policy settings for a Mode Config configuration (continued)
Remote
Identifier Type: From the drop-down list, select FQDN.
Note: Mode Config requires that the remote endpoint is defined by an FQDN.
Identifier: Enter the FQDN for the remote endpoint. This needs to be an FQDN that is not used in any other IKE policy. This example uses client.com.

Table 70. IKE policy settings for a Mode Config configuration (continued)
Extended Authentication
XAUTH Configuration: Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device.
Note: For more information about
Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed.
To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
Configure the Mode Config Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1.

Figure 173.
3. Change the name of the authentication phase (the default is Gateway):
a. Right-click the authentication phase name.
b. Select Rename.
c. Type GW_ModeConfig.
d. Click anywhere in the tree list pane.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.

4. Specify the settings that are explained in the following table.
Table 71. VPN client authentication settings (Mode Config)
Interface: Select Any from the drop-down list.
Remote Gateway: Enter the remote IP address or DNS name of the UTM. For example, enter 10.34.116.22.
Preshared Key: Select the Preshared Key radio button. Enter the pre-shared key that you already specified on the UTM. For example, enter H8!spsf3#JYK2!.

7. Specify the settings that are explained in the following table.
Table 72. VPN client advanced authentication settings (Mode Config)
Advanced features
Mode Config: Select this check box to enable Mode Config.
Aggressive Mode: Select this check box to enable aggressive mode as the mode of negotiation with the UTM.
NAT-T: Select Automatic from the drop-down list to enable the VPN client and UTM to negotiate NAT-T.

Note: This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected by default.
Figure 176.
3. Specify the settings that are explained in the following table.
Table 73.

Table 73. VPN client IPSec configuration settings (Mode Config) (continued)
Subnet mask: Enter 255.255.255.0 as the remote subnet mask of the UTM that opens the VPN tunnel. This is the LAN IP subnet mask that you specified in the Local Subnet Mask field on the Add Mode Config Record screen of the UTM. If you left the Local Subnet Mask field blank, enter the UTM's default IP subnet mask.

2. Specify the following default lifetimes in seconds to match the configuration on the UTM:
• Authentication (IKE), Default. Enter 3600 seconds.
• Encryption (IPSec), Default. Enter 3600 seconds.
3. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the UTM:
• Check Interval. Enter 30 seconds.
• Max. number of entries. Enter 3 retries.
• Delay between entries.

Figure 180.
3. From the client PC, ping a computer on the UTM LAN.
Modify or Delete a Mode Config Record
Note: Before you modify or delete a Mode Config record, make sure it is not used in an IKE policy.
To edit a Mode Config record:
1. On the Mode Config screen (see Figure 169 on page 282), click the Edit button in the Action column for the record that you want to modify. The Edit Mode Config Record screen displays.
Configure Keep-Alives and Dead Peer Detection
In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time.

3. Enter the settings as explained in the following table:
Table 74. Keep-alive settings
General
Enable Keepalive: Select the Yes radio button to enable the keep-alive feature. Periodically, the UTM sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.

Figure 182.
3. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the fields as explained in the following table:
Table 75. Dead Peer Detection settings
IKE SA Parameters
Enable Dead Peer Detection: Select the Yes radio button to enable DPD. When the UTM detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection.
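How the DPD parameters (the 30-second check interval and 3 retries from the client settings earlier in this chapter, and the teardown behaviour in Table 75) translate into detection latency is easier to see in a model than in the screens. The following simulation is an added example, not NETGEAR's code; the delay between retransmissions is an assumed value because the page's "Delay between entries" setting is cut off, and the one-second tick loop and instant peer acknowledgements are simplifications.

```python
# Added example (not NETGEAR's code): a model of dead peer detection as described in
# Table 75 and the client DPD settings, showing how the check interval and retry count
# bound the time between the peer's last packet and the SA teardown.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class DpdConfig:
    check_interval: int = 30   # idle seconds before the first R-U-THERE probe (page: 30)
    max_retries: int = 3       # unanswered probes tolerated (page: 3 retries)
    retry_delay: int = 10      # ASSUMED seconds between retransmissions (page value cut off)


@dataclass
class DpdState:
    last_activity: float = 0.0      # last time traffic or an acknowledgement arrived
    probes_outstanding: int = 0     # probes sent since the last acknowledgement
    last_probe_at: Optional[float] = None
    tunnel_up: bool = True
    log: List[str] = field(default_factory=list)


def on_traffic(state: DpdState, now: float) -> None:
    """Any IPSec traffic or R-U-THERE-ACK from the peer counts as proof of life."""
    state.last_activity = now
    state.probes_outstanding = 0
    state.last_probe_at = None


def tick(state: DpdState, now: float, cfg: DpdConfig) -> Optional[str]:
    """Advance the detector to time `now`; returns 'probe', 'retransmit', 'dead' or None."""
    if not state.tunnel_up:
        return None
    if state.probes_outstanding == 0:
        if now - state.last_activity >= cfg.check_interval:
            state.probes_outstanding, state.last_probe_at = 1, now
            state.log.append(f"t={now:g} probe 1 sent")
            return "probe"
        return None
    if now - state.last_probe_at < cfg.retry_delay:
        return None
    if state.probes_outstanding >= cfg.max_retries:
        # Table 75: an IKE failure deletes the IPSec and IKE SAs and forces reestablishment.
        state.tunnel_up = False
        state.log.append(f"t={now:g} peer dead: delete IKE and IPSec SAs, renegotiate")
        return "dead"
    state.probes_outstanding += 1
    state.last_probe_at = now
    state.log.append(f"t={now:g} probe {state.probes_outstanding} sent")
    return "retransmit"


def simulate(cfg: DpdConfig, silent_from: Optional[float], horizon: int = 300) -> Optional[float]:
    """Run one-second ticks; the peer answers probes instantly until it goes silent at
    `silent_from` (None = never). Returns the second at which the tunnel was declared
    dead, or None if it stayed up for the whole horizon."""
    state = DpdState()
    for now in range(horizon + 1):
        action = tick(state, now, cfg)
        if action == "dead":
            return float(now)
        if action in ("probe", "retransmit") and (silent_from is None or now < silent_from):
            on_traffic(state, now)      # the peer's R-U-THERE-ACK
    return None


def worst_case_detection_time(cfg: DpdConfig) -> int:
    """Upper bound on the time from the peer's last packet to SA teardown."""
    return cfg.check_interval + cfg.max_retries * cfg.retry_delay


if __name__ == "__main__":
    cfg = DpdConfig()
    print("peer dies at t=60, teardown at", simulate(cfg, 60))
    print("worst case detection time", worst_case_detection_time(cfg), "s")
```

With the page's values and the assumed 10-second retry delay, a peer that falls silent is torn down 60 seconds after its last acknowledgement; shortening the interval or retry count trades faster failover for more false teardowns on lossy links.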
ProSecure Unified Threat Management (UTM) Appliance 2. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. (The following figure shows only the top part of a UTM50 screen with the General section). Figure 183. 3. Select the Enable NetBIOS check box. 4. Click Apply to save your settings.
ProSecure Unified Threat Management (UTM) Appliance Figure 184. 2. Enter the settings as explained in the following table: Table 76. PPTP Server screen settings Setting Description PPTP Server Enable PPTP Server To enable the PPTP server, select the Enable check box. Complete the following fields: Start IP Address Type the first IP address of the address pool. End IP Address Type the last IP address of the address pool. User time out Enter the time-out period in seconds.
ProSecure Unified Threat Management (UTM) Appliance Table 76. PPTP Server screen settings (continued) Setting Description Encryption If the authentication is MSCHAP or MSCHAPv2, the PPTP server can support Microsoft Point-to-Point Encryption (MPPE). Select one or more of the following types of MPPE: • MPPE-40. MPPE 40-bit encryption. • MPPE-128. MPPE 128-bit encryption. This is the most secure type of MPPE encryption. • MPPE-stateful. Stateful MPPE encryption.
ProSecure Unified Threat Management (UTM) Appliance Configure the L2TP Server (UTM9S Only) As an alternate solution to IPSec VPN and PPTP tunnels, you can configure a Layer 2 Tunneling Protocol (L2TP) server on the UTM9S to allow users to access L2TP clients over L2TP tunnels. An L2TP Access Concentrator (LAC) typically initiates a tunnel to fullfil a connection request from an L2TP user; the L2TP server accommodates the tunnel request and assigns an IP address to the user.
ProSecure Unified Threat Management (UTM) Appliance 2. Enter the settings as explained in the following table: Table 78. L2TP Server screen settings Setting Description L2TP Server Enable L2TP Server To enable the L2TP server, select the Enable check box. Complete the following fields: Start IP Address Type the first IP address of the address pool. End IP Address Type the last IP address of the address pool. User time out Enter the time-out period in seconds.
ProSecure Unified Threat Management (UTM) Appliance The List of L2TP Active Users table lists each active connection with the information that is described in the following table. Table 79. L2TP Active Users screen information Item Description Username The name of the L2TP user that you have defined (see Configure User Accounts on page 362). Remote IP The client’s IP address on the remote LAC. L2TP IP The IP address that is assigned by the L2TP server on the UTM9S.
8. Virtual Private Networking Using SSL Connections The UTM provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the UTM can authenticate itself to an SSL-enabled client, such as a standard web browser.
• SSL port forwarding. Like an SSL VPN tunnel, port forwarding is a web-based client that is installed transparently and then creates a virtual, encrypted tunnel to the remote network. However, port forwarding differs from an SSL VPN tunnel in several ways: - Port forwarding supports only TCP connections, not UDP connections or connections using other IP protocols.
SSL VPN Wizard Step 1 of 6 (Portal Settings) Figure 189. Note that the previous figure contains a layout example. Enter the settings as explained in the following table, and then click Next to go to the following screen. Note: If you leave the Portal Layout Name field blank, the SSL VPN Wizard uses the default portal layout.
Table 80. SSL VPN Wizard Step 1 of 6 screen settings (portal settings) Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.
Table 80. SSL VPN Wizard Step 1 of 6 screen settings (portal settings) (continued) Setting Description SSL VPN Portal Pages to Display VPN Tunnel page To provide full network connectivity, select this check box. Port Forwarding To provide access to specific defined network services, select this check box.
Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain. You need to enter a name other than geardomain in the Domain Name field to enable the SSL VPN Wizard to create a new domain. Do not enter an existing domain name in the Domain Name field; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration. Table 81.
Table 81. SSL VPN Wizard Step 2 of 6 screen settings (domain settings) (continued) Setting Description Authentication Type (continued) • WIKID-CHAP. WiKID Systems CHAP. Complete the following fields: - Authentication Server - Authentication Secret - Radius Port - Repeat - Timeout • MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP.
Table 81. SSL VPN Wizard Step 2 of 6 screen settings (domain settings) (continued) Setting Description Portal The portal that you selected on the first SSL VPN Wizard screen. You cannot change the portal on this screen; the portal is displayed for information only. Authentication Server The server IP address or server name of the authentication server for any type of authentication other than authentication through the local user database.
Table 81. SSL VPN Wizard Step 2 of 6 screen settings (domain settings) (continued) Setting Description Group Members Attribute This field is optional. The attribute that is used to identify the members of a group. For an Active Directory, enter member. For OpenLDAP, you can enter a customized attribute to identify the members of a group. Additional Filter This field is optional.
Note: Do not enter an existing user name in the User Name field; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration. Table 82. SSL VPN Wizard Step 3 of 6 screen settings (user settings) Setting Description User Name A descriptive (alphanumeric) name of the user for identification and management purposes. User Type When you use the SSL VPN Wizard, the user type is always SSL VPN User.
SSL VPN Wizard Step 4 of 6 (Client Addresses and Routes) Figure 192. Note that the previous figure contains an example. Enter the settings as explained in the following table, and then click Next to go to the following screen. Note: Do not enter an existing route for a VPN tunnel client in the Destination Network and Subnet Mask fields; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration. Table 83.
Table 83. SSL VPN Wizard Step 4 of 6 screen settings (client addresses and routes) (continued) Setting Description Primary DNS Server The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This setting is optional. Note: If you do not assign a DNS server, the DNS settings remain unchanged in the VPN client after a VPN tunnel has been established.
Note: Do not enter an IP address that is already in use in the upper Local Server IP Address field or a port number that is already in use in the TCP Port Number field; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration. Table 84.
For more information about port-forwarding settings, see Configure Applications for Port Forwarding on page 328. SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings) Verify your settings; if you need to make any changes, click the Back action button (if necessary several times) to return to the screen on which you want to make changes. Figure 194.
Click Apply to save your settings. If the settings are accepted by the UTM, a message Operation Succeeded displays at the top of the screen, and the Welcome to the Netgear Configuration Wizard screen displays again (see Figure 188 on page 307).
4. Click Login. The default User Portal screen displays. The format of the User Portal screen depends on the settings that you selected on the first screen of the SSL VPN Wizard (see SSL VPN Wizard Step 1 of 6 (Portal Settings) on page 308): • Figure 196 shows the User Portal screen with both a VPN Tunnel and a Port Forwarding menu option. • Figure 197 shows the User Portal screen with a Port Forwarding menu option only.
The default User Portal screen displays a simple menu that provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity. • Port Forwarding. Provides access to the network services that you defined as described in SSL VPN Wizard Step 5 of 6 (Port Forwarding) on page 317. • Change Password. Allows the user to change his or her password. • Support. Provides access to the NETGEAR website.
Figure 199. Manually Configure and Edit SSL Connections To manually configure and activate SSL connections, perform the following six basic steps in the order that they are presented: 1. Edit the existing SSL portal or create a new one (see Create the Portal Layout on page 324). When remote users log in to the UTM, they see a portal page that you can customize to present the resources and functions that you choose to make available. 2.
Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names (FQDNs) with these servers. The UTM resolves the names to the servers using the list you have created. 4. For SSL VPN tunnel service, configure the virtual network adapter (see Configure the SSL VPN Client on page 331).
any portal the default portal for the UTM by clicking the Default button in the Action column of the List of Layouts table, to the right of the desired portal layout. To create a new SSL VPN portal layout: 1. Select VPN > SSL VPN > Portal Layouts. The Portal Layouts screen displays. (The following figure shows layouts in the List of Layouts table as an example.
Figure 201. 3. Complete the fields and select the check boxes as explained in the following table: Table 85. Add Portal Layout screen settings Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.
Table 85. Add Portal Layout screen settings (continued) Setting Description Banner Title The banner title of a banner message that users see before they log in to the portal, for example, Welcome to Customer Support. Note: For an example, see Figure 195 on page 320. The banner title text is displayed in the orange header bar.
To edit a portal layout: 1. On the Portal Layouts screen (see Figure 200 on page 325), click the Edit button in the Action column for the portal layout that you want to modify. The Edit Portal Layout screen displays. This screen is identical to the Add Portal Layout screen (see the previous figure). 2. Modify the settings as explained in the previous table. 3. Click Apply to save your settings. To delete one or more portal layouts: 1.
Figure 202. 2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to. • TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers. Table 86.
a. Users can specify the port number together with the host name or IP address. 3. Click the Add table button. The new application entry is added to the List of Configured Applications for Port Forwarding table. Remote users can now securely access network applications once they have logged in to the SSL VPN portal and launched port forwarding. To delete an application from the List of Configured Applications for Port Forwarding table: 1.
Configure the SSL VPN Client The SSL VPN client on the UTM assigns IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the local subnet to the remote VPN tunnel clients.
Figure 203. 2. Select the check box and complete the fields as explained in the following table: Table 87. SSL VPN Client screen settings Setting Description Client IP Address Range Enable Full Tunnel Support Select this check box to enable full-tunnel support.
Table 87. SSL VPN Client screen settings (continued) Setting Description Client Address Range Begin The first IP address of the IP address range that you want to assign to the VPN tunnel clients. Client Address Range End The last IP address of the IP address range that you want to assign to the VPN tunnel clients. 3. Click Apply to save your settings.
Use Network Resource Objects to Simplify Policies Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. You do not need to redefine the same set of IP addresses or address ranges when you configure the same access policies for multiple users.
To delete one or more network resources: 1. Select the check box to the left of each network resource that you want to delete, or click the Select All table button to select all network resources. 2. Click the Delete table button. Edit Network Resources to Specify Addresses To edit network resources: 1. Select VPN > SSL VPN > Resources. The Resources screen displays (see the previous figure, which shows some examples). 2.
Table 88. Resources screen settings to edit a resource (continued) Setting Description Service The SSL service that is assigned to the resource. You cannot modify the service after you have assigned it to the resource on the first Resources screen. Object Type From the drop-down list, select one of the following options: • IP Address. The object is an IP address. You need to enter the IP address or the FQDN in the IP Address / Name field.
IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration: • Policy 1.
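The precedence rule above (smallest matching address range wins, host names count as single addresses, and a network resource is ranked by its individual members rather than as a whole) is easy to get wrong when reviewing a policy set, so here is an added model of it in Python; it is illustrative code, not the UTM's own implementation. The host table, the resource definitions, the sample policies and the PERMIT/DENY action column are constructed for the example, and the tie-break between two ranges of equal size is an assumption (the manual does not state one).

```python
"""Model of SSL VPN policy precedence: among all policies that cover a destination
address for the requested service, the one whose matching entry is the smallest
address range wins.  Constructed example; not the appliance's implementation."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the UTM's name resolution of host-name resources.
HOSTS: Dict[str, str] = {"intranet.example.test": "192.168.1.20"}

# Constructed network resource objects: a resource is a list of addresses/ranges.
RESOURCES: Dict[str, List[str]] = {"Servers": ["192.168.1.0/26", "192.168.1.20"]}

# Service values as they appear on the Add SSL VPN Policy screen.
VPN_TUNNEL, PORT_FORWARDING, ALL_SERVICES = "VPN Tunnel", "Port Forwarding", "All"


@dataclass(frozen=True)
class Policy:
    name: str
    target: str   # "ALL", a single address, a CIDR network, a host name, or a resource name
    service: str  # VPN_TUNNEL, PORT_FORWARDING or ALL_SERVICES
    action: str   # "PERMIT" or "DENY" (assumed column, not shown in the excerpt above)


def expand(target: str) -> List[ipaddress.IPv4Network]:
    """Return the individual networks a policy target covers.

    A network resource contributes each member separately, which is what lets the
    smallest member (not the whole resource) decide precedence.  A host name is
    treated exactly like a single address (/32)."""
    if target == "ALL":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if target in RESOURCES:
        nets: List[ipaddress.IPv4Network] = []
        for member in RESOURCES[target]:
            nets.extend(expand(member))
        return nets
    if target in HOSTS:
        return [ipaddress.ip_network(HOSTS[target] + "/32")]
    # strict=False accepts a network written with host bits set, e.g. 10.0.0.5/24
    return [ipaddress.ip_network(target, strict=False)]


def matching_entries(policy: Policy, dest: str, service: str) -> List[ipaddress.IPv4Network]:
    """Entries of the policy that cover dest for the given service.
    A policy whose service is "All" applies to both VPN Tunnel and Port Forwarding."""
    if policy.service not in (ALL_SERVICES, service):
        return []
    addr = ipaddress.ip_address(dest)
    return [net for net in expand(policy.target) if addr in net]


def decide(policies: List[Policy], dest: str, service: str) -> Optional[Policy]:
    """Pick the policy whose matching entry has the fewest addresses.

    Assumption: when two entries are the same size the policy listed first is kept;
    the manual does not specify a tie-break, so do not rely on this ordering."""
    best_size = None
    best_policy = None
    for policy in policies:
        for net in matching_entries(policy, dest, service):
            if best_size is None or net.num_addresses < best_size:
                best_size, best_policy = net.num_addresses, policy
    return best_policy


# Constructed sample policy set: a broad deny for the LAN with narrow permits inside it.
SAMPLE_POLICIES = [
    Policy("Deny LAN", "192.168.1.0/24", ALL_SERVICES, "DENY"),
    Policy("Permit servers", "Servers", VPN_TUNNEL, "PERMIT"),
    Policy("Permit intranet web", "intranet.example.test", PORT_FORWARDING, "PERMIT"),
    Policy("Permit everything else", "ALL", ALL_SERVICES, "PERMIT"),
]


def explain(dest: str, service: str) -> str:
    """Human-readable verdict for one destination/service pair."""
    winner = decide(SAMPLE_POLICIES, dest, service)
    if winner is None:
        return f"{dest} via {service}: no policy matches"
    return f"{dest} via {service}: {winner.action} by '{winner.name}'"


if __name__ == "__main__":
    # The /32 member of the 'Servers' resource beats the /24 deny for 192.168.1.20,
    # but an address outside the resource's members still falls under the deny.
    for d, s in [("192.168.1.20", VPN_TUNNEL), ("192.168.1.20", PORT_FORWARDING),
                 ("192.168.1.100", VPN_TUNNEL), ("10.0.0.5", VPN_TUNNEL)]:
        print(explain(d, s))
```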
Figure 206. 2. Make your selection from the following Query options: • To view all global policies, select the Global radio button. • To view group policies, select the Group radio button, and select the relevant group’s name from the drop-down list. • To view user policies, select the User radio button, and select the relevant user’s name from the drop-down list. 3. Click the Display action button.
Figure 207. 3. Select the radio buttons, complete the fields, and make your selection from the drop-down lists as explained in the following table: Table 89. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the type of SSL VPN policy: • Global. The new policy is global and includes all groups and users. • Group. The new policy needs to be limited to a single group.
Table 89. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy For (continued) Network Resource IP Address IP Network Policy Name A descriptive name of the SSL VPN policy for identification and management purposes. Defined Resources From the drop-down list, select a network resource that you have defined on the Resources screen (see Use Network Resource Objects to Simplify Policies on page 334).
Table 89. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy For (continued) IP Network (continued) All Addresses Service From the drop-down list, select the service to which the SSL VPN policy is applied: • VPN Tunnel. The policy is applied only to a VPN tunnel. • Port Forwarding. The policy is applied only to port forwarding. • All. The policy is applied both to a VPN tunnel and to port forwarding.
To delete one or more SSL VPN policies: 1. On the Policies screen (see Figure 206 on page 338), select the check box to the left of each SSL VPN policy that you want to delete, or click the Select All table button to select all policies. 2. Click the Delete table button.
9. Managing Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections: • Authentication Process and Options • Configure Authentication Domains, Groups, and Users • Manage Digital Certificates for VPN Connections Authentication Process and Options Users are assigned to a group, and a group is assigned to a domain.
ProSecure Unified Threat Management (UTM) Appliance Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The UTM support security policies that are based on an Active Directory with single sign-on (SSO) through the use of the DC agent and additional Lightweight Directory Access Protocol (LDAP) configuration options (see Configure Authentication Domains, Groups, and Users on page 345).
ProSecure Unified Threat Management (UTM) Appliance Table 90. External authentication protocols and methods (continued) Authentication Description protocol or method LDAP A network-validated domain-based authentication method that functions with a Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard for querying and updating a directory.
ProSecure Unified Threat Management (UTM) Appliance For information about how to configure and modify accounts for administrative users and users with guest privileges, see Configure User Accounts on page 362 and Change Passwords and Other User Settings on page 369. Figure 208.
ProSecure Unified Threat Management (UTM) Appliance Figure 209. Note: The first time that a user remotely connects to a UTM with a browser through an SSL connection, he or she might get a warning message about the SSL certificate. The user can follow the directions of his or her browser to accept the SSL certificate, or import the UTM’s root certificate by selecting the link at the bottom of the User Portal Login screen.
ProSecure Unified Threat Management (UTM) Appliance If you do not use the DC agent in your configuration (see DC Agent on page 370), after completing a session, a user needs to log out manually by following these steps: 1. Return to the User Portal Login screen (see Figure 209 on page 347). Note: The user needs to know how to return to the User Portal Login screen. The administrator needs to provide the User Portal Login URL: https:///~common/cgi-bin/user_login.
ProSecure Unified Threat Management (UTM) Appliance Active Directories and LDAP Configurations Note: For an overview of the authentication options that the UTM supports, see Authentication Process and Options on page 343. The UTM supports security policies that are based on an Active Directory with single sign-on (SSO) through the use of the DC agent (see DC Agent on page 370) and additional LDAP configuration options.
ProSecure Unified Threat Management (UTM) Appliance Another workaround is to use a specific search name or a name with a wildcard in the lookup process, so that the subset of the entire list is returned in the lookup result. How to Bind a DN in an Active Directory Configuration Understanding how to bind a distinguished name (DN) in an Active Directory (AD) configuration might be of help when you are specifying the settings for the AD domains on the UTM. In this example, the AD domain name is testAD.
ProSecure Unified Threat Management (UTM) Appliance Figure 212. 5. Log in to the UTM. 6. Select Users > Domains. 7. Click Add. The Add Domain screen displays. 8. Enter testAD.com in the Domain Name field. 9. From the Authentication Type drop-down list, select Active Directory. 10. Select a previously configured portal from the Select Portal drop-down list. 11. Enter 192.168.35.115 in the Authentication Server field. 12.
ProSecure Unified Threat Management (UTM) Appliance Figure 213. • The Windows account name in email format such as jhanson@testAD.com. (The following figure shows only the Bind DN field.) Figure 214. 14. Complete the remaining fields and drop-down list as needed. 15. Click Apply to save your settings.
ProSecure Unified Threat Management (UTM) Appliance Configure Domains The domain determines the authentication method to be used for associated users. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access. The default domain of the UTM is named geardomain. You cannot delete the default domain. Create and Delete Domains To create a domain: 1. Select Users > Domains.
ProSecure Unified Threat Management (UTM) Appliance Figure 216. 3. Enter the settings as explained in the following table: Table 91. Add Domain screen settings Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Authentication Type From the drop-down list, select the authentication method that the UTM applies: • Local User Database (default). Users are authenticated locally on the UTM. This is the default setting.
ProSecure Unified Threat Management (UTM) Appliance Table 91. Add Domain screen settings (continued) Setting Description Authentication Type (continued) • Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the following fields: - Authentication Server Note: If you select - Authentication Secret any type of RADIUS - Radius Port authentication, make - Repeat sure that one or more - Timeout RADIUS servers are configured (see • Radius-MSCHAP. RADIUS Microsoft CHAP.
ProSecure Unified Threat Management (UTM) Appliance Table 91. Add Domain screen settings (continued) Setting Description Authentication Type (continued) • NT Domain. Microsoft Windows NT Domain. Complete the following fields: - Authentication Server - Workgroup • Active Directory. Microsoft Active Directory.
ProSecure Unified Threat Management (UTM) Appliance Table 91. Add Domain screen settings (continued) Setting Description Bind DN The LDAP or Active Directory DN that is required to access the LDAP or Active Directory authentication server. This should be a user in the LDAP or Active Directory directory who has read access to all the users that you would like to import into the UTM. The Bind DN field accepts two formats: • A display name in the DN format.
ProSecure Unified Threat Management (UTM) Appliance Table 91. Add Domain screen settings (continued) Setting Description Repeat The period in seconds that the UTM waits for a response from a RADIUS server. Timeout The maximum number of times that the UTM attempts to connect to a RADIUS server. 4. Click Apply to save your settings. The domain is added to the List of Domains table. 5.
ProSecure Unified Threat Management (UTM) Appliance Configure Groups The use of groups simplifies the configuration of VPN policies when different sets of users have different restrictions and access controls. It also simplifies the configuration of web access exception rules. Like the default domain of the UTM, the default group is also named geardomain. The default group geardomain is assigned to the default domain geardomain.
ProSecure Unified Threat Management (UTM) Appliance Figure 217. 2. In the Add New Group section of the screen, enter the settings as explained in the following table: Table 92. Groups screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management purposes. Domain The drop-down list shows the domains that are listed on the Domain screen. From the drop-down list, select the domain with which the group is associated.
ProSecure Unified Threat Management (UTM) Appliance Note: You cannot delete a default group such as one that was automatically created when you specified a new domain on the second SSL VPN Wizard screen (see SSL VPN Wizard Step 2 of 6 (Domain Settings) on page 310). You can delete only the domain with which the default group is associated and that has an identical name as the default group (see Configure Domains on page 353). Deleting the domain causes the default group to be removed.
ProSecure Unified Threat Management (UTM) Appliance Configure User Accounts The UTM supports both unauthenticated and authenticated users: • Unauthenticated users. Anonymous users who do not log in to the UTM and to which the UTM’s default email and web access policies apply. • Authenticated users. Users who have a computer behind the UTM, who log in to the UTM with a user name and password, and who are assigned an access policy that usually differs from the UTM’s default email and web access policies.
ProSecure Unified Threat Management (UTM) Appliance Figure 219. The List of Users table displays the users and has the following fields: • Check box. Allows you to select the user in the table. • Name. The name of the user. If the user name is appended by an asterisk, the user is a default user that came preconfigured with the UTM and cannot be deleted. • Group. The group to which the user is assigned. • Type. The type of access credentials that are assigned to the user. • Authentication Domain.
ProSecure Unified Threat Management (UTM) Appliance 3. Enter the settings as explained in the following table: Table 93. Add User screen settings Setting Description User Name A descriptive (alphanumeric) name of the user for identification and management purposes. User Type From the drop-down list, select one of the predefined user types that determines the access credentials: • Administrator. User who has full access and the capacity to change the UTM configuration (that is, read/write access).
ProSecure Unified Threat Management (UTM) Appliance Set User Login Policies You can restrict the ability of defined users to log in to the UTM’s web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers. Note: User logon policies are not applicable to PPTP and L2TP users. Configure Login Policies To configure user login policies: 1. Select Users > Users. The Users screen displays (see Figure 219 on page 363). 2.
ProSecure Unified Threat Management (UTM) Appliance Configure Login Restrictions Based on IP Address To restrict logging in based on IP address: 1. Select Users > Users. The Users screen displays (see Figure 219 on page 363). 2. In the Action column of the List of Users table, click the Policies table button for the user for which you want to set login policies. The policies submenu tabs display, with the Login Policies screen in view. 3. Click the By Source IP Address submenu tab.
ProSecure Unified Threat Management (UTM) Appliance 6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in the following table: Table 94. By Source IP Address screen settings Setting Description Source Address Type Select the type of address from the drop-down list: • IP Address. A single IP address. • IP Network. A subnet of IP addresses. You need to enter a netmask length in the Mask Length field.
ProSecure Unified Threat Management (UTM) Appliance Figure 223. 4. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table. • Allow Login only from Defined Browsers. Allow logging in from the browsers in the Defined Browsers table. 5. Click Apply to save your settings. 6.
ProSecure Unified Threat Management (UTM) Appliance Change Passwords and Other User Settings For any user, you can change the password, user type, and idle time-out settings. Only administrators have read/write access. All other users have read-only access. Note: The default administrator and default guest passwords for the web management interface are both password.
3. Modify the settings as explained in the following table:
Table 95. Edit User screen settings
Setting: Description
Select User Type: From the drop-down list, select one of the predefined user types that determines the access credentials:
• Administrator. User who has full access and the capacity to change the UTM configuration (that is, read/write access).
• SSL VPN User. User who can log in only to the SSL VPN portal.
• IPSEC VPN User.

Note: The DC agent does not function with LDAP domain users.
The DC agent monitors all Windows login events (that is, all AD domain user authentications) on the DC server, and provides a mapping of Windows user names and IP addresses to the UTM, enabling the UTM to transparently apply user policies.

To download ProSecure DC Agent software and add a DC agent:
1. Select Users > DC Agent. The DC Agent screen displays:
Figure 225.
2. Under the List of DC Agents table, click the Download/Install link to download the ProSecure DC Agent software (that is, the dc_agent.mis file). Follow the instructions of your browser to save the software file to your computer.
3.

4. On the DC Agent screen (see Figure 225 on page 372), complete the fields and make your selections from the drop-down lists as explained in the following table:
Table 96. DC Agent screen settings
Setting: Description
Domain: From the Domain drop-down list, select an Active Directory (AD) domain to bind with the DC agent. For information about configuring AD domains, see Configure Domains on page 353.

b. Click the Add table button to add a new domain. The Add Domain screen displays:
Figure 227.
c. Enter the following settings:
• In the Domain Name field, enter Test_Domain.
• From the Authentication Type drop-down list, select Active Directory.
• From the Select Portal drop-down list, select a portal. (In this example, the default portal is SSL-VPN.)
• In the Authentication Server field, enter 12.18.39.27.

2. Add a new DC agent on the UTM50:
a. Select Users > DC Agent. The DC Agent screen displays:
Figure 228.
b. In the Domain field, enter Test_Domain.
c. In the Action column, click Add.
3. Add the IP address of the UTM50 on the ProSecure DC Agent control panel:
a. Click Add.
b. In the Add a client pop-up screen, enter 90.49.145.18.
c. Click OK. The IP address of the UTM50 displays in the Allowed Client IPs field:
Figure 229.
4.

Configure RADIUS VLANs
You can use a RADIUS virtual LAN (VLAN) to set web access exceptions and provide an added layer of security. To do so, follow this procedure:
1. Specify a RADIUS server (see RADIUS Client Configuration on page 279).
2. Create a RADIUS domain (see Configure Domains on page 353).
3. Add a RADIUS virtual LAN (VLAN) (see the information in this section).
c. In the Brief Description field, enter a description of the VLAN. This field is optional.
3. Click the Add table button. The new VLAN is added to the List of VLAN table.
To delete a VLAN from the List of VLAN table, click the Delete table button in the Action column for the VLAN that you want to delete.
Configure Global User Settings
You can globally set the user session settings for authenticated users.
for the minutes or hours. The idle time period cannot exceed the session expiration length. By default, the idle time period is 8 hours.
3. Click Apply to save the session settings.
4. Locate the Users Portal Login Settings section on screen. Specify the default domain settings:
• From the Default Domain drop-down list, select a domain that you previously configured on the Domain screen (see Configure Domains on page 353).

To view all or selected users:
1. On the Active Users screen (see the previous figure), select one of the following radio buttons:
• View All. This selection returns all active users after you click the Search button.
• Search Criteria. Enter one or more search criteria as explained in the following table:
Table 97.

Figure 233.
The List of Users table displays the following fields:
• IP Address. The IP address that is associated with the user.
• Domain. The domain to which the user belongs.
• User. The user name.
• Groups. The groups to which the user belongs, if any.
• Last Seen. The most recent time that scanned traffic associated with the user (that is, IP address) passed through the UTM.
• Login Type.
Manage Digital Certificates for VPN Connections
Note: For information about digital certificates for HTTPS scans, see Manage Digital Certificates for HTTPS Scans on page 213.
The UTM uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways or clients, or to be authenticated by remote entities.

VPN Certificates Screen
To display the Certificates screen, select VPN > Certificates. Because of the large size of this screen, and because of the way the information is presented, the Certificates screen is divided and presented in this manual in three figures (Figure 234 on page 383, Figure 236 on page 385, and Figure 238 on page 388).

Figure 234. Certificates, screen 1 of 3
The Trusted Certificates (CA Certificate) table lists the digital certificates of CAs and contains the following fields:
• CA Identity (Subject Name). The organization or person to whom the digital certificate is issued.
• Issuer Name. The name of the CA that issued the digital certificate.
• Expiry Time. The date after which the digital certificate becomes invalid.

Manage Self-Signed Certificates
Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed certificate triggers a warning from most browsers because it provides no protection against identity theft of the server. (The following figure shows an image of a browser security alert.

Figure 236. Certificates, screen 2 of 3
2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table:
Table 98. Generate self-signed certificate request settings
Setting: Description
Name: A descriptive name of the domain for identification and management purposes.
Subject: The name that other organizations see as the holder (owner) of the certificate.

Table 98. Generate self-signed certificate request settings (continued)
Setting: Description
Signature Key Length: From the drop-down list, select one of the following signature key lengths in bits:
• 512
• 1024
• 2048
Note: Larger key sizes might improve security, but might also decrease performance.
Optional Fields
IP Address: Enter your fixed (static) IP address. If your IP address is dynamic, leave this field blank.

6. Submit your SCR to a CA:
a. Connect to the website of the CA.
b. Start the SCR procedure.
c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”).
d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA.
7. Download the digital certificate file from the CA, and store it on your computer.
8.

Manage the Certificate Revocation List
A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date. You should obtain the CRL for each CA regularly.
To view the currently loaded CRLs and upload a new CRL:
1. Select VPN > Certificates. The Certificates screen displays.
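What a VPN gateway does with the three pieces of data above (the trusted CA certificates, the peer's own certificate, and the CA's CRL) during IKE authentication can be shown in code. The following Go program is an added example written for this section; it is not NETGEAR code and does not describe the UTM's internal implementation. It builds a throwaway CA, a peer certificate and a CRL in memory with the Go standard library (the names Demo VPN CA and branch-gateway and all serial numbers are constructed), then checks the peer the way the Trusted Certificates table and the CRL screen together imply: chain to a trusted CA, reject an expired certificate, and reject a certificate whose serial number appears in a current CRL signed by its issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PeerCheck: the per-entry facts the Certificates screen shows plus the two verdicts IKE needs.
type PeerCheck struct {
	Subject, Issuer  string
	Expiry           time.Time
	Trusted, Revoked bool
}

// CheckPeer chains peerDER to a trusted CA (Verify also enforces the validity period at now),
// then looks the peer's serial number up in the issuer's CRL.
func CheckPeer(peerDER, crlDER []byte, roots *x509.CertPool, now time.Time) (PeerCheck, error) {
	peer, err := x509.ParseCertificate(peerDER)
	if err != nil {
		return PeerCheck{}, err
	}
	res := PeerCheck{Subject: peer.Subject.CommonName, Issuer: peer.Issuer.CommonName, Expiry: peer.NotAfter}
	chains, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return res, err // unknown issuer, expired, or not yet valid
	}
	res.Trusted = true
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return res, err
	}
	// A CRL counts only if the peer's own issuer signed it and it is still current.
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil {
		return res, err
	}
	if now.After(crl.NextUpdate) {
		return res, errors.New("CRL is stale; obtain a fresh CRL from the CA")
	}
	for _, rc := range crl.RevokedCertificates {
		res.Revoked = res.Revoked || rc.SerialNumber.Cmp(peer.SerialNumber) == 0
	}
	return res, nil
}

// Scenario builds a throwaway CA, peer certificate and CRL in memory (all constructed for this
// example) at buildTime and checks the peer at checkTime. With revokePeer set, the CRL lists the
// peer's serial number; otherwise it lists some other serial the CA revoked.
func Scenario(buildTime, checkTime time.Time, revokePeer bool) (PeerCheck, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return PeerCheck{}, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo VPN CA"},
		NotBefore: buildTime.Add(-time.Hour), NotAfter: buildTime.Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return PeerCheck{}, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // re-parse so the generated SubjectKeyId is present
	peerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	peerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "branch-gateway"},
		NotBefore: buildTime.Add(-time.Hour), NotAfter: buildTime.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	peerDER, err := x509.CreateCertificate(rand.Reader, peerTmpl, caCert, &peerKey.PublicKey, caKey)
	if err != nil {
		return PeerCheck{}, err
	}
	revoked := big.NewInt(1002) // some other certificate the CA revoked
	if revokePeer {
		revoked = peerTmpl.SerialNumber
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: buildTime.Add(-time.Minute), NextUpdate: buildTime.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: buildTime.Add(-time.Minute)}},
	}, caCert, caKey)
	if err != nil {
		return PeerCheck{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return CheckPeer(peerDER, crlDER, roots, checkTime)
}

func main() {
	now := time.Now()
	fmt.Println(Scenario(now, now, true)) // trusted but revoked
}
```

The stale-CRL branch is the code form of the advice to obtain each CA's CRL regularly: a CRL past its NextUpdate date says nothing about revocations made since it was issued, so a gateway that keeps an old CRL loaded keeps trusting certificates the CA has already withdrawn. The example uses P-256 ECDSA keys rather than the RSA sizes listed for the self-signed certificate screen; of those, 512-bit RSA keys can be factored with modest computing resources and 1024-bit keys are no longer accepted by public CAs or current browsers, so 2048 is the only entry on that list suitable for a new certificate.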
10. Network and System Management
This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the UTM. This chapter contains the following sections:
• Performance Management
• System Management
• Connect to a ReadyNAS and Configure Quarantine Settings (UTM9S Only)
Note: The ReadyNAS Integration configuration menu shows on the UTM9S only.

In practice, the WAN-side bandwidth capacity is much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates:
• Load balancing mode (multiple WAN port models only). 3 Mbps (two WAN ports at 1.5 Mbps each), except for the UTM150, which has four WAN ports and therefore supports up to 6 Mbps.
• Auto-rollover mode (multiple WAN port models only). 1.5 Mbps (one active WAN port at 1.

Each rule lets you specify the desired action for the connections that are covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
The following section summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 123.

days of the week and time of day for each schedule. For more information, see Set a Schedule to Block or Allow Specific Traffic on page 163.
• QoS profile. You can define QoS profiles and then apply them to outbound rules to regulate the priority of traffic. For information about how to define QoS profiles, see Create Quality of Service Profiles on page 158.
• Bandwidth profile.

- Web object blocking. You can block the following web component types: embedded objects (ActiveX, Java, Flash), proxies, and cookies; and you can disable JavaScripts. For more information, see Configure Web Content Filtering on page 199.
- Setting the size of Web files to be scanned. Scanning large web files requires network resources and might slow down traffic.

Each rule lets you specify the desired action for the connections covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
The following section summarizes the various criteria that you can apply to inbound rules and that might increase traffic. For more information about inbound rules, see Inbound Rules (Port Forwarding) on page 126.

- IP Groups. The rule applies to a group of individual WAN IP addresses. Use the IP Groups screen (under the Network Security main navigation menu) to assign IP addresses to groups. For more information, see Create IP Groups on page 156.
• Schedule. You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule.
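The four rule actions above, and the day-of-week plus time-of-day schedules that the two "by schedule" variants depend on, have exact semantics that are easy to get wrong, especially for a schedule that runs past midnight. The following Go program is an added example, not NETGEAR code and not a description of how the UTM evaluates rules internally. It models a rule list with the four actions, a schedule made of weekdays and one time window, and first-match evaluation with a caller-chosen default (allow for outbound rules, block for inbound rules). The rule names, the services and the 09:00 to 18:00 weekday schedule are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Action is one of the four choices offered on the outbound and inbound rule screens.
type Action int

const (
	BlockAlways     Action = iota
	BlockBySchedule        // block while the schedule is active, otherwise allow
	AllowAlways
	AllowBySchedule // allow while the schedule is active, otherwise block
)

// Schedule is an assumed shape: a set of weekdays plus one time-of-day window
// given in minutes since midnight, End exclusive. End < Start means the window
// runs past midnight into the next day.
type Schedule struct {
	Days       map[time.Weekday]bool
	Start, End int
}

// Active reports whether t falls inside the schedule.
func (s Schedule) Active(t time.Time) bool {
	m := t.Hour()*60 + t.Minute()
	if s.Start <= s.End {
		return s.Days[t.Weekday()] && m >= s.Start && m < s.End
	}
	if m >= s.Start { // evening part of a window that crosses midnight
		return s.Days[t.Weekday()]
	}
	// Early-morning part: it belongs to the day on which the window started.
	return m < s.End && s.Days[(t.Weekday()+6)%7]
}

// Rule matches one service (or "*" for any) and carries an action; the
// "by schedule" actions need a Schedule, the "always" actions ignore it.
type Rule struct {
	Name     string
	Service  string
	Action   Action
	Schedule *Schedule
}

// Decide walks the rules in order; the first rule whose service matches decides,
// and its name is returned for logging. With no match the caller's default
// applies (allow for outbound rules, block for inbound rules).
func Decide(rules []Rule, service string, at time.Time, defaultAllow bool) (bool, string) {
	for _, r := range rules {
		if r.Service != "*" && r.Service != service {
			continue
		}
		active := r.Schedule != nil && r.Schedule.Active(at)
		switch r.Action {
		case BlockAlways:
			return false, r.Name
		case AllowAlways:
			return true, r.Name
		case BlockBySchedule:
			return !active, r.Name
		case AllowBySchedule:
			return active, r.Name
		}
	}
	return defaultAllow, "default"
}

// OfficeHours is a constructed schedule: Monday to Friday, 09:00 to 18:00.
var OfficeHours = Schedule{
	Days:  map[time.Weekday]bool{time.Monday: true, time.Tuesday: true, time.Wednesday: true, time.Thursday: true, time.Friday: true},
	Start: 9 * 60,
	End:   18 * 60,
}

// DemoOutbound is a constructed outbound policy: telnet never, SSH only during
// office hours, and a streaming port blocked during office hours.
var DemoOutbound = []Rule{
	{Name: "no-telnet", Service: "tcp/23", Action: BlockAlways},
	{Name: "ssh-office-hours", Service: "tcp/22", Action: AllowBySchedule, Schedule: &OfficeHours},
	{Name: "no-streaming-at-work", Service: "tcp/1935", Action: BlockBySchedule, Schedule: &OfficeHours},
}

// Allowed applies the demo outbound policy with the outbound default (allow).
func Allowed(service string, at time.Time) bool {
	ok, _ := Decide(DemoOutbound, service, at, true)
	return ok
}

func main() {
	wed10 := time.Date(2011, time.September, 14, 10, 0, 0, 0, time.UTC) // a Wednesday
	for _, svc := range []string{"tcp/22", "tcp/23", "tcp/1935", "tcp/443"} {
		ok, rule := Decide(DemoOutbound, svc, wed10, true)
		fmt.Printf("%-9s at %s: allowed=%v (%s)\n", svc, wed10.Format("Mon 15:04"), ok, rule)
	}
}
```

Two details matter when reading the output: a "by schedule" rule without a schedule attached silently degrades to its "otherwise" branch, which is why the attachment should be checked when a rule is created, and the wrap-around case credits the early-morning minutes to the day the window started on, so a Friday 22:00 to 02:00 window still applies at 01:00 on Saturday.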
Configure VPN Tunnels
The UTM supports site-to-site IPSec VPN tunnels and dedicated SSL VPN tunnels. Each tunnel requires extensive processing for encryption and authentication, thereby increasing traffic through the WAN ports. For information about IPSec VPN tunnels, see Chapter 7, Virtual Private Networking Using IPSec Connections. For information about SSL VPN tunnels, see Chapter 8, Virtual Private Networking Using SSL Connections.

System Management
System management tasks are described in the following sections:
• Change Passwords and Administrator and Guest Settings
• Configure Remote Management Access
• Use a Simple Network Management Protocol Manager
• Manage the Configuration File
• Update the Firmware
• Update the Scan Signatures and Scan Engine Firmware
• Configure Date and Time Service
Change Passwords and Administrator and Guest Settings
The default administra

Figure 240.
3. Select the Check to Edit Password check box. The password fields become available.
4. Enter the old password, enter the new password, and then confirm the new password.
Note: The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both uppercase and lowercase), numbers, and symbols. Your password can be up to 30 characters.
5.

Note: For enhanced security,ptember restrict access to as few external IP addresses as practical.
• Deny or allow login access from specific browsers. By default, the administrator can log in from any browser.
In general, these policy settings work well for an administrator. However, if you need to change any of these policy settings, see Set User Login Policies on page 365.

WARNING! If you are remotely connected to the UTM and you select the No radio button, you and all other SSL VPN users are disconnected when you click Apply.
3. As an option, you can change the default HTTPS port. The default port number is 443.
4. Click Apply to save your changes.
When remote management is enabled, you need to use an SSL connection to access the UTM from the Internet.

Note: If you disable HTTPS remote management, all SSL VPN user connections are also disabled.
Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your UTM by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert UTM.mynetgear.net, and the WAN IP address that your ISP assigned to the UTM is displayed.

Figure 242.
2. Enter the settings as explained in the following table:
Table 99. SNMP screen settings
Setting: Description
Settings
Do You Want to Enable SNMP? Select one of the following radio buttons:
• Yes. Enable SNMP.
• No. Disable SNMP. This is the default setting.
Read Community: The community string to allow an SNMP manager access to the MIB objects of the UTM for the purpose of reading only. The default setting is public.

Table 99. SNMP screen settings (continued)
Setting: Description
Enable Access From WAN: Select the Enable Access From WAN check box to allow SNMP management over a WAN connection. This check box is cleared by default, allowing SNMP management only over a LAN connection.
Trusted SNMP Hosts: Enter the IP addresses of the computers and devices to which you want to grant read-only (GET) or write (SET) privileges on the UTM. Separate IP addresses by a comma.
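Table 99 names the SNMP settings whose defaults matter most: the read community defaults to public, WAN access is cleared by default, and the trusted-host list is a comma-separated list of IP addresses. The following Go program is an added example (not NETGEAR code) that audits an SNMP configuration of that shape, read into an assumed struct, and reports the weak settings next to a hardened set; the community string and the two management-station addresses in it are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// SNMPSettings is an assumed in-memory form of the fields on the SNMP screen.
type SNMPSettings struct {
	Enabled       bool   // Do You Want to Enable SNMP? (No by default)
	ReadCommunity string // Read Community (public by default)
	AccessFromWAN bool   // Enable Access From WAN (cleared by default)
	TrustedHosts  string // Trusted SNMP Hosts, comma-separated; empty means no restriction
}

// ParseTrustedHosts splits the comma-separated list the screen accepts and
// keeps valid IP addresses apart from entries that are not addresses at all.
func ParseTrustedHosts(list string) (valid []net.IP, invalid []string) {
	for _, field := range strings.Split(list, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		if ip := net.ParseIP(field); ip != nil {
			valid = append(valid, ip)
		} else {
			invalid = append(invalid, field)
		}
	}
	return valid, invalid
}

// Audit returns one finding per weak setting; nil means nothing to fix.
func Audit(s SNMPSettings) []string {
	if !s.Enabled {
		return nil // the default: no SNMP agent listening at all
	}
	var findings []string
	if s.ReadCommunity == "" || s.ReadCommunity == "public" {
		findings = append(findings, "Read Community is the default (public); set a long random string")
	}
	valid, invalid := ParseTrustedHosts(s.TrustedHosts)
	for _, bad := range invalid {
		findings = append(findings, "Trusted SNMP Hosts entry is not an IP address: "+bad)
	}
	if len(valid) == 0 {
		findings = append(findings, "Trusted SNMP Hosts is empty; any address on the permitted interfaces can read the MIB")
	}
	if s.AccessFromWAN {
		findings = append(findings, "Enable Access From WAN is set; clear it unless a manager on the WAN side truly needs it")
	}
	return findings
}

// Weak and Hardened are constructed settings shown side by side; the community
// string and the two management-station addresses are made up for the example.
var (
	Weak     = SNMPSettings{Enabled: true, ReadCommunity: "public", AccessFromWAN: true}
	Hardened = SNMPSettings{Enabled: true, ReadCommunity: "r0-Kq8vZt3pLm2Xw", TrustedHosts: "192.168.1.20, 192.168.1.21"}
)

func main() {
	for _, name := range []string{"weak", "hardened"} {
		s := map[string]SNMPSettings{"weak": Weak, "hardened": Hardened}[name]
		findings := Audit(s)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

The empty trusted-host finding is deliberately raised even when WAN access is off: the community string is the only credential SNMP v1/v2c carries, so on a LAN where it has leaked the host list is what still limits who can query the device.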
Back Up Settings
The backup feature saves all UTM settings to a file. These settings include:
• Network settings. IP address, subnet mask, gateway, and so on.
• Scan settings. Services to scan, primary and secondary actions, and so on.
• Update settings. Update source, update frequency, and so on.
• Antispam settings. Whitelist, blacklist, content-filtering settings, and so on.

The UTM reboots. During the reboot process, the Backup & Restore Settings screen remains visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off.
WARNING! Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the UTM, shut down the computer, or do anything else to the UTM until the settings have been fully restored.

3. Installing the downloaded firmware version.
4. Rebooting the UTM with the new firmware version.
These stages are explained in detail in the following sections.
View the Available Firmware Versions
To view the current version of the firmware that your UTM is running and the other available firmware versions:
1. Select Administration > System Update > Firmware. The Firmware screen displays:
Figure 244.

Upgrade the Firmware from an Update Server and Reboot the UTM
When the UTM is online, you can let the UTM connect to a remote update server to query new firmware versions. You can then decide whether or not you want to download new firmware, and whether or not you want to install new firmware.
Note: Upgrading the UTM firmware from an update server is also referred to as an online upgrade.

6. Click the Reboot button at the bottom of the screen to start the reboot process. The UTM reboots automatically. During the reboot process, the Firmware screen remains visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off and the Firmware screen disappears.
WARNING! After you have started the firmware installation process, do not interrupt the process.

2. When the product support page displays, click the Download tab to view the available firmware versions.
3. Follow the instructions onscreen to download the firmware to your computer.
To upgrade the UTM’s firmware from a downloaded file and reboot the UTM:
1. In the Firmware Upload section of the Firmware screen, click Browse to locate and select the previously saved firmware upgrade file (for example, UTM50-Firmware-1.3.4.0.pkg).
2. Click Upload.
3. Click Install Uploaded Firmware. (If you decide that you do not want to install the uploaded firmware, you can click Remove to remove the uploaded firmware.)
Note: The license is verified during the firmware installation process, and the Install status bar shows the progress of the installation process.
4. After the firmware installation process is complete, the newly installed firmware is the secondary firmware and not the active firmware.

Because new virus threats can appear any hour of the day, it is very important to keep both the pattern file and scan engine firmware current. The UTM can automatically check for updates, as often as every 15 minutes, to ensure that your network protection is current. To view the current versions and most recent updates of the pattern file and scan engine firmware that your UTM is running, select Administration > System Update.

Configure Automatic Update and Frequency Settings
To configure the update settings and frequency settings for automatic downloading of the scan engine firmware and pattern file:
1. Locate the Update Settings, Frequency Settings, and HTTPS Proxy Settings sections on the Signatures & Engine screen (see the previous figure), and enter the settings as explained in the following table:
Table 100.

To set time, date, and NTP servers:
1. Select Administration > System Date & Time. The System Date & Time screen displays:
Figure 248.
The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current Time: Thu May 21 01:37:18 GMT 2009).
2. Enter the settings as explained in the following table:
Table 101.

Table 101. System Date & Time screen settings (continued)
Setting: Description
NTP Server (default or custom) (continued)
Server 1 Name / IP Address: Enter the IP address or host name of the primary NTP server.
Server 2 Name / IP Address: Enter the IP address or host name of the backup NTP server.
3. Click Apply to save your settings.
on the Log Query screen and view onscreen (see Query the Quarantine Logs (UTM9S Only) on page 467) are stored on the ReadyNAS. However, after you have integrated a ReadyNAS with the UTM9S, logs can no longer be sent to an email address (see the Email Logs to Administrator section on the Email and Syslog screen). If you have enabled a syslog server on the Email and Syslog screen, logs are still sent to the syslog server.

3. Enter the settings as explained in the following table:
Table 102. ReadyNAS Integration screen settings
Setting: Description
ReadyNAS Server: The IP address of the ReadyNAS server.
ReadyNAS Username: The user name to access the ReadyNAS. By default, the user name is admin.
ReadyNAS Password: The password to access the ReadyNAS. By default, the password is netgear1.
4. Click Apply to save your settings.

3. Enter the settings as explained in the following table:
Table 103. Quarantine settings
Setting: Description
Allow anonymous users to check quarantined mails: Select this check box to allow anonymous users to view their quarantined emails. Anonymous users do not log in to the UTM: the UTM’s default email and web access policies apply to them.
11. Monitoring System Access and Performance
This chapter describes the system-monitoring features of the UTM. You can be alerted to important events such as a WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described.

Enable the WAN Traffic Meter
If your ISP charges by traffic volume over a given period of time, or if you want to study traffic types over a period of time, you can activate the traffic meter for one or more WAN ports.
To monitor traffic limits on each of the WAN ports:
1. Select Network Config > WAN Metering.

Table 104. WAN traffic meter settings
Setting: Description
Enable Traffic Meter
Do you want to enable Traffic Metering on WAN1? (multiple WAN port models) Select one of the following radio buttons to configure traffic metering:
• Yes. Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN1 interface (multiple WAN port models) or WAN interface (single WAN port models).

Table 104. WAN traffic meter settings (continued)
Setting: Description
When Limit is reached
Block Traffic: Select one of the following radio buttons to specify which action the UTM performs when the traffic limit has been reached:
• Block All Traffic. All incoming and outgoing Internet and email traffic is blocked.
• Block All Traffic Except E-Mail.
Configure Logging, Alerts, and Event Notifications
By default, the UTM logs security-related events such as accepted and dropped packets on different segments of your LAN, denied incoming and outgoing service requests, hacker probes and login attempts, content-filtering events such as attempts to access blocked sites and URLs, unwanted email content, spam attempts, and many other types of events.

Figure 253.
2. Enter the settings as explained in the following table:
Table 105. Email Notification screen settings
Setting: Description
Show as Mail Sender: A descriptive name of the sender for email identification purposes. For example, enter UTMnotification@netgear.com.
SMTP Server: The IP address and port number or Internet name and port number of your ISP’s outgoing email SMTP server. The default port number is 25.

To configure and activate logs:
1. Select Monitoring > Logs & Reports. The Logs & Reports submenu tabs display, with the Email and Syslog screen in view:
Figure 254.

2. Enter the settings as explained in the following table:
Table 106. Email and Syslog screen settings
Setting: Description
System Logs Option: Select the check boxes to specify which system events are logged:
• Change of Time by NTP. Logs a message when the system time changes after a request from an NTP server.
• Secure Login Attempts. Logs a message when a secure login is attempted. Both successful and failed login attempts are logged.
• Reboots.

Table 106. Email and Syslog screen settings (continued)
Setting: Description
Enable (continued)
Select Logs to Send (continued):
• IPS Logs. All IPS events.
• SSL VPN Logs. All SSL VPN events.
• IPSEC VPN Logs. All IPSec VPN events.
Format: Select a radio button to specify the format in which the log file is sent:
• Plain text. The log file is sent as a plain text file.
• CSV. The log file is sent as a comma-separated values (CSV) file.

3. Click Apply to save your settings, or click Clear Log Information to clear the selected logs.
How to Send Syslogs over a VPN Tunnel between Sites
To send syslogs from one site to another over a gateway-to-gateway VPN tunnel:
1. At Site 1, set up a syslog server that is connected to Gateway 1.
2. Set up a VPN tunnel between Gateway 1 at Site 1 and Gateway 2 at Site 2.
3.

3. In the General section of the screen, clear the Enable NetBIOS check box.
4. In the Traffic Selector section of the screen, make the following changes:
• From the Remote IP drop-down list, select Single.
• In the Start IP fields, type 10.0.0.2, which is the WAN IP address of Gateway 2.
5. Click Apply to save the settings.
Configure Gateway 2 at Site 2
To create a gateway-to-gateway VPN tunnel to Gateway 1, using the IPSec VPN wizard:
1.

Note: The VPN tunnel should be established automatically, and the syslogs should be sent to the syslog server at Site 1. You can use the IPSec VPN Connection Status screen to verify the connection.
Configure and Activate Update Failure and Attack Alerts
You can configure the UTM to send an email alert when a failure, malware attack, malware outbreak attack, Intrusion Prevention System (IPS) attack, or IPS outbreak attack occurs.

Figure 255.
2. Enter the settings as explained in the following table:
Table 107. Alerts screen settings
Setting: Description
Enable Update Failure Alerts: Select this check box to enable update failure alerts.
Enable License Expiration Alerts: Select this check box to enable license expiration alerts. This check box is selected by default.
Enable ReadyNAS: Select this check box to enable ReadyNAS failure alerts.

Table 107. Alerts screen settings (continued)
Setting: Description
Enable Malware Alerts: Select this check box to enable malware alerts, and fill in the Subject and Message fields.
Subject: Enter the subject line for the email alert. The default text is [Malware alert].
Message: Enter the content for the email alert.

Configure and Activate Firewall Logs
You can configure the logging options for each network segment. For example, the UTM can log accepted packets for LAN-to-WAN traffic, dropped packets for WAN-to-DMZ traffic, and so on.

Table 108. Firewall Logs screen settings
Setting: Description
Routing Logs: In the Accepted Packets and Dropped Packets columns, select check boxes to specify which traffic is logged:
• LAN to WAN
• LAN to DMZ
• DMZ to WAN
• WAN to LAN
• DMZ to LAN
• WAN to DMZ
• VLAN to VLAN
Other Event Logs
Source MAC Filter: Select this check box to log packets from MAC addresses that match the source MAC address filter settings.
Figure 257. Dashboard, screen 1 of 3
To clear the statistics, click Clear Statistics.

To set the poll interval:
1. Click the Stop button.
2. From the Poll Interval drop-down list, select a new interval. The minimum is 5 seconds; the maximum is 5 minutes.
3. Click the Set Interval button.
The following table explains the fields of the Total Threats, Threats (Counts), and Total Traffic (Bytes) sections of the Dashboard screen:
Table 109.

Table 109. Dashboard screen: threats and traffic information (continued)
Item: Description
Network: Displays the total number of:
• IPS attack signatures matched.
• Port scans detected.
For information about how to configure these settings, see Use the Intrusion Prevention System on page 172.

The following table explains the fields of the Most Recent 5 and Top 5 sections of the Dashboard screen:
Table 110. Dashboard screen: most recent 5 threats and top 5 threats information
Category Most recent 5 threats description Top 5 threats description
• Malware Name. The name of the malware threat.
• Protocol. The protocol in which the malware threat was detected.
• Date and Time. The date and time that the malware threat was detected.

Figure 259. Dashboard, screen 3 of 3
The following table explains the fields of the Service Statistics section of the Dashboard screen:
Table 111. Dashboard screen: service statistics information
Item: Description
For each of the six supported protocols (HTTP, HTTPS, FTP, SMTP, POP3, and IMAP), this section provides the following statistics:
Total Scanned Traffic (MB): The total quantity of scanned traffic in MB.

Table 111. Dashboard screen: service statistics information (continued)
Item: Description
Total Spam Emails: The total number of spam messages that were blocked. These statistics are applicable only to SMTP and POP3.
Blacklist: The total number of emails that were detected from sources on the spam blacklist (see Set Up the Whitelist and Blacklist on page 187). These statistics are applicable only to SMTP and POP3.

• WAN and LAN port information
• Interface statistics
• VLAN status, including port memberships
• xDSL statistics
These status screens are described in the following sections:
• View the System Status Screen
• View the Network Status Screen
• View the Router Statistics Screen
• View the Wireless Statistics Screen (UTM9S Only)
• View the Detailed Status Screen
• View the VLAN Status Screen
• View the xDSL Statistics Screen (UTM9S Only)

The following table explains the fields of the System Status screen:
Table 112. System Status screen fields
Item: Description
Status
System: The current CPU, memory, and hard disk usage. When usage is within safe limits, the status bars show green.
ReadyNAS Status: UTM9S only (information is not shown on the previous screen). The status of the ReadyNAS connection (ON or OFF).

Figure 261.
The following table explains the fields of the Network Status screen:
Table 113. Network Status screen fields
Item: Description
LAN (VLAN) Information: For each of the LAN ports, the screen shows the IP address and subnet mask. For more detailed information, see Table 116 on page 447.
WAN Information: For each of the WAN ports, the screen shows the IP address, subnet mask, and status of the port (UP or DOWN).

Figure 262.
The following table explains the fields of the Router Statistics screen. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop.
Table 114. Router Statistics screen fields
Item: Description
System up Time: The period since the last time that the UTM was started up.

View the Wireless Statistics Screen (UTM9S Only)
To view the Wireless Statistics screen:
1. Select Monitoring > System Status > Network Status. The Network Status screen displays.
2. Click the Wireless Statistics option arrow in the upper right of the Network Status screen. The Wireless Statistics screen displays:
Figure 263.
The following table explains the fields of the Wireless Statistics screen.
Table 115. Wireless Statistics screen fields (continued)
Item: Description
AP Statistics
AP Name: The name for the virtual access point (VAP) is ap1.
Packets: The number of received (Rx) and transmitted (Tx) packets on the access point.
Bytes: The number of received (Rx) and transmitted (Tx) bytes on the access point.
Errors: The number of received (Rx) and transmitted (Tx) errors on the access point.
ProSecure Unified Threat Management (UTM) Appliance Figure 264.
ProSecure Unified Threat Management (UTM) Appliance Figure 265. SLOT-1 Info and SLOT-2 Info sections (UTM9S only) The following table explains the fields of the Detailed Status screen: Table 116. Detailed Status screen fields Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile The name of the VLAN profile that you assigned to this port on the LAN Setup screen (see Assign and Manage VLAN Profiles on page 95).
Table 116. Detailed Status screen fields (continued) Item Description Subnet Mask The subnet mask for this port. If the VLAN is not enabled on this port, the subnet mask is the default LAN IP subnet mask (255.255.255.0). For information about configuring VLAN profiles, see Configure a VLAN Profile on page 98. DHCP Status The status can be either DHCP Enabled or DHCP Disabled.
Table 116. Detailed Status screen fields (continued) Item Description IP Address The IP address of the WAN port. Subnet Mask The subnet mask of the WAN port. Gateway The IP address of the gateway. Primary DNS Server The IP address of the primary DNS server. These settings are either obtained dynamically from your ISP or specified by you on the WAN ISP Settings screen for this port (see Manually Configure the Internet Connection on page 71).
View the VLAN Status Screen The VLAN Status screen displays information about the VLANs (both enabled and disabled) that are configured on the UTM. For information about configuring VLAN profiles, see Configure a VLAN Profile on page 98. For information about enabling and disabling VLAN profiles, see Assign and Manage VLAN Profiles on page 95. To view the VLAN Status screen, select Monitoring > System Status > VLAN Status. The VLAN Status screen displays.
View the xDSL Statistics Screen (UTM9S Only) To view the xDSL Statistics screen, select Monitoring > System Status > xDSL Statistics. The xDSL Statistics screen displays: Figure 267. View the Active VPN Users The Active Users screen displays a list of administrators, IPSec VPN users, and SSL VPN users that are currently logged in to the UTM. To display the list of active VPN users, select Monitoring > Active Users & VPNs.
View the VPN Tunnel Connection Status To review the status of current IPSec VPN tunnels, select Monitoring > Active Users & VPNs > IPSec VPN Connection Status. The IPSec VPN Connection Status screen displays: Figure 269. The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 5 seconds.
Figure 270. The active user’s user name, group, and IP address are listed in the table with a time stamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the user’s table entry. View the PPTP and L2TP Server Status (UTM9S Only) To view the active PPTP tunnel users, select Monitoring > Active Users & VPNs > PPTP Active Users.
To view the active L2TP tunnel users, select Monitoring > Active Users & VPNs > L2TP Active Users. The L2TP Active Users screen displays: Figure 271. The List of L2TP Active Users table lists each active connection with the information that is described in the following table. Table 120. L2TP Active Users screen information Item Description Username The name of the L2TP user that you have defined (see Configure User Accounts on page 362).
Figure 272. 2. Select the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen displays in a pop-up screen. Figure 273. The Port Triggering Status screen displays the information that is described in the following table: Table 121. Port Triggering Status pop-up screen information Item Description # The sequence number of the rule on screen.
View the WAN Ports Status You can view the status of both of the WAN connections, the DNS servers, and the DHCP servers. To view the status of the WAN1 port (multiple WAN port models) or WAN port (single WAN port models): 1. Select Network Config > WAN Settings. The WAN screen displays (see Figure 36 on page 68). 2. Click the Status button in the Action column for the WAN interface for which you want to view the status.
Table 122. Connection Status pop-up screen information (continued) Item Description DHCP Server The DHCP server that was automatically detected. This field displays only if your ISP does not require a login and the IP address is acquired dynamically from your ISP. You have configured these ISP settings on the WAN ISP Settings screen (single WAN port models) or on one of the WAN ISP Settings screens (multiple WAN port models).
Figure 275. 2. Select the LAN Groups submenu tab. The LAN Groups screen displays. (The following figure shows some examples in the Known PCs and Devices table.) Figure 276. The Known PCs and Devices table contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the UTM, or have been discovered by other means. Collectively, these entries make up the network database.
meaningful name). If the PC or device was assigned an IP address by the DHCP server, then the name is appended by an asterisk. • IP Address. The current IP address of the PC or device. For DHCP clients of the UTM, this IP address does not change. If a PC or device is assigned a static IP address, you need to update this entry manually after the IP address on the PC or device has changed. • MAC Address.
To view the most recent entries, click Refresh. To delete all the existing log entries, click Clear Log. Query the Logs The UTM generates logs that provide detailed information about malware threats and traffic activities on the network. You can view these logs through the web management interface or save the log records in CSV or HTML format and download them to a computer (the downloading option is not available for all logs).
• Firewall. The firewall logs that you have specified on the Firewall Logs screen (see Configure and Activate Firewall Logs on page 432). • IPSec VPN. All IPSec VPN events. • SSL VPN. All SSL VPN events. You can query and generate each type of log separately and filter the information based on a number of criteria.
Figure 278. 2. Enter the settings as explained in the following table: Table 123. Logs Query screen settings Setting Description Log Type Select one of the following log types from the drop-down list: • Traffic. All scanned incoming and outgoing traffic. • Spam. All intercepted spam. • System. The system event logs that you have specified on the Email and Syslog screen (see Configure and Activate System, Email, and Syslog Logs on page 423).
Table 123. Logs Query screen settings (continued) Setting Description Log Type (continued) • Port Scan. All port scan events. • Application. All instant messaging, peer-to-peer and media application, and tools access violations. • Firewall. The firewall logs that you have specified on the Firewall Logs screen (see Configure and Activate Firewall Logs on page 432).
Table 123. Logs Query screen settings (continued) Setting Description Search Criteria (continued) User The user name that is queried. This field is available for the following logs: Traffic, Spam, Malware, Email filters, Content filters, and Application. Client IP The client IP address that is queried. This field is available for the following logs: Traffic, Spam, Malware, Content filters, Port Scan, IPS, Application.
Table 123. Logs Query screen settings (continued) Setting Description Search Criteria (continued) Recipient Email The recipient’s email address that is queried. This field is available for the following logs: Traffic, Spam, Malware, and Email filters. Message The email message text that is queried. This field is available for the following logs: Port Scan, IPS, and Application. Subject The email subject line that is queried.
Example: Use the Logs to Identify Infected Clients You can use the UTM logs to help identify potentially infected clients on the network. For example, clients that are generating abnormally high volumes of HTTP traffic might be infected with spyware or other malware threats. To identify infected clients that are sending spyware in outbound traffic, query the UTM malware logs and see if any of your internal IP addresses are the source of spyware.
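The same check done offline over a downloaded CSV export of the malware log, as an added example that is not NETGEAR's code: it parses a constructed export (the column names, including "Malware Name", are assumptions, since the manual lists the field names but not the export header), counts spyware detections whose Client IP falls in the LAN subnet, and lists the destinations of clients that beacon repeatedly.

```python
"""Spot internal clients that appear as spyware sources in a UTM malware-log export.

Added example, not NETGEAR code. The manual says logs can be downloaded as CSV
and names the Client IP, Server IP, Protocol, Domain, User, URL/Subject and
Size (Bytes) fields, but does not document the export header, so the column
names used here (including "Malware Name") are assumptions; adjust them to
match a real export.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample export (not real data); addresses come from documentation
# ranges (RFC 1918, RFC 5737) and host names are .example.* placeholders.
SAMPLE_CSV = """\
Date,Protocol,Domain,User,Client IP,Server IP,Malware Name,URL/Subject,Size (Bytes)
2011-09-12 08:01:15,HTTP,ads.example.net,jdoe,192.168.1.23,203.0.113.10,Spyware.Generic.Tracker,http://ads.example.net/beacon,512
2011-09-12 08:01:47,HTTP,ads.example.net,jdoe,192.168.1.23,203.0.113.10,Spyware.Generic.Tracker,http://ads.example.net/beacon,514
2011-09-12 08:02:03,HTTPS,stats.example.org,jdoe,192.168.1.23,203.0.113.11,Spyware.Generic.Tracker,https://stats.example.org/c,498
2011-09-12 08:05:30,HTTP,dl.example.com,asmith,192.168.1.40,198.51.100.7,Virus.Test.EICAR,http://dl.example.com/tool.exe,68
2011-09-12 08:06:12,SMTP,mail.example.com,-,198.51.100.25,192.168.1.5,Spyware.Generic.Dropper,Invoice attached,20480
2011-09-12 08:09:55,HTTP,ads.example.net,bnguyen,192.168.1.77,203.0.113.10,Spyware.Generic.Tracker,http://ads.example.net/beacon,511
"""


def parse_malware_log(text):
    """Parse a CSV export into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def internal_spyware_sources(rows, lan_network, category_prefix="Spyware"):
    """Return {client_ip: hits} for LAN clients that originated spyware traffic.

    Only the Client IP column counts as the source; Server IP is where the
    traffic went (an internal mail server receiving a dropper is a victim,
    not a source). Non-spyware detections such as a virus download are
    skipped because they show a client receiving malware, not emitting it.
    """
    net = ipaddress.ip_network(lan_network)
    hits = Counter()
    for row in rows:
        if not row.get("Malware Name", "").startswith(category_prefix):
            continue
        try:
            client = ipaddress.ip_address(row["Client IP"].strip())
        except (KeyError, ValueError):
            continue  # malformed line in the export: skip it rather than abort
        if client in net:
            hits[str(client)] += 1
    return dict(hits.most_common())


def suspicious_clients(hits, min_hits=2):
    """Clients at or above the threshold; repeated beaconing is the real signal."""
    return [ip for ip, n in hits.items() if n >= min_hits]


def destinations_by_client(rows, clients, category_prefix="Spyware"):
    """Map each flagged client to the sorted (protocol, domain) pairs it talked to,
    which is what you need to block at the firewall while the host is cleaned."""
    out = defaultdict(set)
    for row in rows:
        ip = row.get("Client IP", "").strip()
        if ip in clients and row.get("Malware Name", "").startswith(category_prefix):
            out[ip].add((row["Protocol"], row["Domain"]))
    return {ip: sorted(dests) for ip, dests in out.items()}


if __name__ == "__main__":
    rows = parse_malware_log(SAMPLE_CSV)
    hits = internal_spyware_sources(rows, "192.168.1.0/24")
    flagged = suspicious_clients(hits)
    print("spyware hits per LAN client:", hits)
    print("clients to isolate:", flagged)
    for ip, dests in destinations_by_client(rows, flagged).items():
        print(ip, "->", dests)
```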
Query the Quarantine Logs (UTM9S Only) The UTM9S can quarantine spam and malware files. Before you can query the Spam and Malware logs, you need to have done the following: 1. You have integrated a ReadyNAS (see Connect to a ReadyNAS on page 415). 2. You have configured the quarantine settings (see Configure the Quarantine Settings on page 416). 3.
Figure 279. 2. Enter the settings as explained in the following table: Table 124. Quarantine screen settings Setting Description File Type Select one of the following file types from the drop-down list: • Spam. All intercepted spam. • Malware. All intercepted viruses, spyware, and other malware threats. View All Select one of the following radio buttons: • View All. Display or download the entire selected log. • Search Criteria.
Table 124. Quarantine screen settings (continued) Setting Description Search Criteria (continued) Protocols For the Malware log only, select one or more check boxes to specify the protocols that are queried: SMTP, POP3, IMAP, HTTP, FTP, and HTTPS. Domain The domain name that is queried. This field is available for both the Spam and Malware logs. User The user name that is queried. This field is available for both the Spam and Malware logs.
View and Manage the Quarantined Spam Table When you query the spam quarantine file, the Quarantine screen with the Quarantined Spam table displays: Figure 280. The Quarantined Spam table has the following columns (not all columns are shown in the previous figure): • Check box. Lets you select the table entry. • Date. The date that the email was received. • Protocol. The protocol (SMTP) in which the spam was found. • Domain.
After you have selected one or more table entries, take one of the following actions (or click the return link to return to the previous screen): • Send as Spam. The selected spam email files are tagged as spam for distributed spam analysis, and are sent to the intended recipients. • Send as Ham. The selected spam email files are not tagged as spam for distributed spam analysis, are removed from quarantine, and are sent to the intended recipients.
• Client IP. The client IP address from which the spyware or virus originated. • Server IP. The server IP address from which the spyware or virus originated. • From. The email address of the sender. • To. The email address of the recipient. • URL/Subject. The URL or subject that is associated with the spyware or virus. • Size (Bytes). The size of the virus or spyware file in bytes.
2. Click the here link in the Check your quarantined mail here section. The following screen displays: Figure 283. 3. From the drop-down lists, specify the start date, start time, end date, and end time for the spam report. 4. In the Send to field, enter an email address. 5. Click Send Report. Note: The spam report contains only spam messages that were sent to the email address that is specified in the Send to field.
The UTM provides preconfigured report templates. As an option, you can apply filtering options to narrow down and specify the following options: • The period that is covered in the report • The categories and domains to be included in the report • The number of entries per report (for example, how many entries—from 1 to 10—are included in reports that show the “top number.
2. Enter the settings as explained in the following table: Table 125. Report screen: filtering options settings Setting Description Time Range From Note: Even if you click Apply to save the filtering options, when you leave the Report screen and then return to it, the From and To drop-down lists are reset to their defaults. You cannot save these settings.
3. The next step depends on whether you want to view the report on screen or schedule it to be emailed: • Viewing onscreen. To view a filtered report onscreen, select a report by clicking View next to the report. (For more information, see the following section.) To save the configured filtering options for future use, click Apply at the bottom of the Report screen. • Scheduling to be emailed.
Figure 285. Report, screen 2 of 4 Note: For information about setting a time range and other filtering options for a report, see the previous section. 2. Select a report by clicking View next to the report to display the selected report onscreen. The following table explains the contents of the reports. Table 126.
Table 126. Report screen: report template information (continued) Report template Information reported for the specified time range URL Filtering by Time For the HTTPS and HTTP protocols separately, a chart and a table with the number of blocked attempts to access URLs that are on the blacklist.
Table 126. Report screen: report template information (continued) Report template Information reported for the specified time range Top n Categories By Request For all web server protocols combined, a chart and a table with the web categories that were requested most often, including the number of times that they were requested, and drill-down links to the users who requested them.
Table 126. Report screen: report template information (continued) Report template Information reported for the specified time range File Blocked By Time For each of the three email server protocols separately, a chart and a table with the number of blocked files (attachments). Spams By Time For the POP3 and SMTP protocols separately, a chart and a table with the number of spam emails that are detected by distributed spam analysis.
Figure 286. Report, screen 3 of 4 2. Enter the settings in the Schedule Reports section as explained in the following table: Table 127. Report screen: schedule report settings Setting Description Schedule Reports Email Recipients Specify the email addresses of the report recipients, using commas to separate the email addresses.
Managing Saved Reports After the scheduled report has been generated and emailed, the record of the report is displayed in the Report History section of the Report screen: Figure 287. Report, screen 4 of 4 The Report History section shows the generated and emailed reports with their report date and lets you perform the following actions. • Specify the number of reports to keep.
• Use the Real-Time Traffic Diagnostics Tool (UTM9S) • Gather Important Log Information and Generate a Network Statistics Report (All Models) To display the Diagnostics screen, select Monitoring > Diagnostics. To facilitate the explanation of the tools, the Diagnostics screen is divided and presented in this manual in three figures.
Trace a Route A traceroute lists all routers between the source (the UTM) and the destination IP address. To send a traceroute: 1. Locate the Network Diagnostics section on the Diagnostics screen. In the IP Address field, enter the IP address for which you want to trace the route. 2. Click the Traceroute button. The results of the traceroute are displayed in a new screen. To return to the Diagnostics screen, click Back on the browser menu bar.
Figure 289. Diagnostics, screen 1b of 3 Send a Ping Packet Use the ping utility to send a ping packet request in order to check the connection between the UTM9S and a specific IP address. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
2. Click the Traceroute button. The results of the traceroute are displayed in a new screen. To return to the Diagnostics screen, click Back on the browser menu bar. Display the Routing Table Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems. To display the routing table, locate the Network Diagnostics section on the Diagnostics screen. Next to Display the Routing Table, click the Display button.
To use the real-time traffic diagnostics tool: 1. Locate the Realtime Traffic Diagnostics section on the Diagnostics screen. In the Source IP Address field, enter the IP address of the source of the traffic stream that you want to analyze. 2. In the Destination IP Address field, enter the IP address of the destination of the traffic stream that you want to analyze. 3. Click Start.
3. From the Select Network drop-down list, select one of the following components: • All (that is, all interfaces, the slot in which the xDSL module is installed, and all VLANs and WLANs) • A single WAN interface • The slot in which the xDSL module is installed (SLOT-1 or SLOT-2) • A single VLAN or WLAN 4. Specify how the output is saved by selecting either the Store on your desktop radio button or the Store on the UTM radio button. 5. Click Start.
Figure 292. Diagnostics, screen 3 of 3 Gather Important Log Information To gather log information about your UTM: 1. Locate the Gather Important Log Information section on the Diagnostics screen. Click Download Now. You are prompted to save the downloaded log information file to your computer. The default file name is importantlog.gpg. 2.
Note: Rebooting breaks any existing connections either to the UTM (such as your management session) or through the UTM (for example, LAN users accessing the Internet). However, when the reboot process is complete, connections to the Internet are automatically reestablished when possible. To reboot the UTM, locate the Reboot the System section on the Diagnostics screen. Click the Reboot button. The UTM reboots.
12. Troubleshooting and Using Online Support This chapter provides troubleshooting tips and information for the UTM. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the UTM on? Go to Basic Functioning on page 492. • Have I connected the UTM correctly? Go to Basic Functioning on page 492. • I cannot access the UTM’s web management interface.
Basic Functioning Note: For descriptions of all LEDs, see LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 on page 27 or LED Descriptions, UTM9S and Modules on page 28. After you turn on power to the UTM, verify that the following sequence of events occurs: 1. When power is first applied, verify that the Power LED is on. 2. After approximately 2 minutes, verify that: a. The Test LED is no longer lit. b.
If the error persists, you might have a hardware problem and should contact NETGEAR technical support. LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the UTM and at the hub, router, or workstation. • Make sure that power is turned on to the connected hub, router, or workstation.
• Make sure that you are using the SSL https://address login rather than the http://address login. • Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded. • Try quitting the browser and launching it again. • Make sure that you are using the correct login information. The factory default login name is admin, and the password is password.
To check the WAN IP address: 1. Launch your browser and navigate to an external site such as www.netgear.com. 2. Access the web management interface of the UTM’s configuration at https://192.168.1.1. 3. Select Network Config > WAN Settings. The WAN Settings screen displays. 4. In the Action column for the interface for which you want to open the Connection Status screen, click the Status button.
If your UTM can obtain an IP address, but an attached PC is unable to load any web pages from the Internet: • Your PC might not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP provides the addresses of one or two DNS servers for your use.
• Wrong network configuration - Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. - Verify that the IP address for your UTM and your workstation are correct and that the addresses are on the same subnet. Test the Path from Your PC to a Remote Device After verifying that the LAN path works correctly, test the path from your PC to a remote device.
Restore the Default Configuration and Password To reset the UTM to the original factory default settings, you can use one of the following two methods: • Press the factory default reset button on the rear panel of the UTM (see Rear Panel UTM5, UTM10, and UTM25 on page 30, Rear Panel UTM50 and UTM150 on page 31, or Rear Panel UTM9S on page 31) and hold the button for about 8 seconds until the Test LED turns on and begins to blink (about 30 seconds).
Problems with Date and Time The System Date & Time screen displays the current date and time of day (see Configure Date and Time Service on page 412). The UTM uses the Network Time Protocol (NTP) to obtain the current time from one of several network time servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include: • Date shown is January 1, 2000.
Figure 294. 2. In the Support Key field, enter the support key that was given to you by NETGEAR. 3. Click Connect. When the tunnel is established, the tunnel status field displays ON. To terminate the tunnel, click Disconnect. The tunnel status field displays OFF.
Figure 295. 2. Enter the settings as explained in the following table: Table 128. Malware Analysis screen settings Setting Description Email Address The email address of the submitter to enable NETGEAR to contact the submitter if needed. File Location Click Browse to navigate to the file that you want to submit to NETGEAR.
A. xDSL Module for the UTM9S This appendix describes how to configure the DSL interface of the UTM9SDSL xDSL module that installs in a UTM9S.
4. Configure secondary WAN addresses on the WAN port (optional). Configure aliases for the WAN port. See Configure Secondary WAN Addresses on page 521. 5. Configure Dynamic DNS on the WAN port (optional). Configure your fully qualified domain names during this phase (if required). See Configure Dynamic DNS on page 523. 6. Configure the WAN options (optional).
Figure 296. 4. Either click Auto Detect or, if you have the correct settings, enter the settings as explained in the following table: Table 129. xDSL settings Setting Description DSL Transfer Mode Select one of the following DSL transfer methods: • PTM. Packet Transfer Mode (PTM) has a functionality that is similar to packet-switched networking and does not use multiplexing. • ATM.
Automatically Detecting and Connecting the Internet Connection To set up your UTM9S for secure Internet connections, the web management interface provides the option to automatically detect the network connection and configure the xDSL port. You can also manually configure the Internet connection and port (see Manually Configure the Internet Connection on page 508). To automatically configure the WAN port for connection to the Internet: 1.
2. Click the Edit button in the Action column of the SLOT-x entry to automatically configure the connection to the Internet. The SLOT-x ISP Settings screen displays. (The following figure shows the SLOT-2 ISP Settings screen.) Figure 298. 3. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
• If the autodetect process senses a connection method that requires input from you, it prompts you for the information. All methods with their required settings are explained in the following table: Table 130. Internet connection methods Connection method Manual data input required DHCP (Dynamic IP) No data is required. PPPoA Login, password, account name, and domain name. Note: PPPoA is supported on the UTM9S only.
Note: For more information about the WAN Connection Status screen, see View the WAN Ports Status on page 456. If the automatic ISP configuration is successful, you can skip ahead to Configure the WAN Mode on page 512. If the automatic ISP configuration fails, you can attempt a manual configuration as described in Manually Configure the Internet Connection on this page, or see Troubleshoot the ISP Connection on page 494.
3. Locate the ISP Login section on the screen: Figure 301. In the ISP Login section, select one of the following options: • If your ISP requires an initial login to establish an Internet connection, select Yes. (The default is No.) • If a login is not required, select No, and ignore the Login and Password fields. 4. If you selected Yes, enter the login name in the Login field and the password in the Password field.
Table 131. PPPoE and PPPoA settings (continued) Setting Description PPPoE (continued) Idle Timeout Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Timeout radio button and, in the time-out field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
Table 132. Internet IP address settings Setting Description Get Dynamically from ISP If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the UTM9S using the DHCP network protocol.
Table 133. DNS server settings (continued) Setting Description Use These DNS Servers If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Make sure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues. Primary DNS Server The IP address of the primary DNS server. Secondary DNS Server The IP address of the secondary DNS server. 9.
interfaces on the UTM9S (one DSL and two WAN interfaces), the one remaining interface is disabled. As long as the primary link is up, all traffic is sent over the primary link. When the primary link goes down, the rollover link is brought up to send the traffic. When the primary link comes back up, traffic automatically rolls back to the original primary link.
To configure NAT: 1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen displays (see Figure 304 on page 515). 2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button. 3. Click Apply to save your settings. Configure Classical Routing In classical routing mode, the UTM9S performs routing, but without NAT.
• None (no failure detection is performed) From the primary interface, DNS queries or ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the primary interface is considered down, and a rollover to the backup interface occurs. When the primary interface comes back up, another rollover occurs from the backup interface back to the primary interface.
Configure the Failure Detection Method To configure the failure detection method: 1. Select Network Config > WAN Settings. The WAN screen displays (see Figure 297 on page 505). 2. Click the Edit button in the Action column of the interface that you selected as the primary interface (see Figure 298 on page 506, which shows the SLOT-2 ISP Settings screen as an example). 3. Click the Advanced option arrow at the upper right of the screen.
Table 134. Failure detection method settings (continued) Setting Description Retry Interval is The retry interval in seconds. The DNS query or ping is sent periodically after every test period. The default test period is 30 seconds. Failover after The number of failover attempts. The primary WAN interface is considered down after the specified number of queries have failed to elicit a reply.
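A small model of the failure detection described above (retry interval, failover after N unanswered probes, automatic roll-back when the primary answers again), added here as an example and not NETGEAR's code. It assumes that a single answered probe counts as the primary being "back up", which the manual does not specify; the probe histories and the failover_after value of 4 are constructed, only the 30-second default interval comes from Table 134.

```python
"""Model of the UTM's WAN failure detection as the manual describes it (added
example, not NETGEAR code).

Mechanism per the manual: a DNS query or ping is sent from the primary
interface every Retry Interval seconds; after "Failover after" consecutive
unanswered probes the primary is declared down and traffic rolls over to the
backup; when the primary comes back up, traffic rolls back. What counts as
"back up" is not specified, so this model assumes one answered probe. All
numbers below are constructed except the 30-second default retry interval.
"""
from dataclasses import dataclass, field


@dataclass
class FailoverMonitor:
    retry_interval: int = 30       # seconds between probes (manual default)
    failover_after: int = 4        # consecutive failures before rollover (assumed value)
    active: str = "primary"
    consecutive_failures: int = 0
    elapsed: int = 0
    events: list = field(default_factory=list)   # (seconds, description)

    def probe(self, reply_received):
        """Record one probe result (True = reply seen) and return the active link."""
        self.elapsed += self.retry_interval
        if reply_received:
            self.consecutive_failures = 0
            if self.active == "backup":
                self.active = "primary"   # assumption: one good probe triggers roll-back
                self.events.append((self.elapsed, "rollback to primary"))
        else:
            self.consecutive_failures += 1
            if self.active == "primary" and self.consecutive_failures >= self.failover_after:
                self.active = "backup"
                self.events.append((self.elapsed, "rollover to backup"))
        return self.active


def simulate(probe_results, retry_interval=30, failover_after=4):
    """Run a sequence of probe outcomes through the monitor and return it."""
    mon = FailoverMonitor(retry_interval=retry_interval, failover_after=failover_after)
    for ok in probe_results:
        mon.probe(ok)
    return mon


def worst_case_detection_seconds(retry_interval, failover_after):
    """Seconds of outage before rollover when every probe fails: interval x attempts."""
    return retry_interval * failover_after


def rollover_count(probe_results, retry_interval=30, failover_after=4):
    """Number of link switches for a probe history. A flapping primary combined
    with a small failover_after means frequent, connection-breaking switches."""
    return len(simulate(probe_results, retry_interval, failover_after).events)


if __name__ == "__main__":
    outage = [True, True, False, False, False, False, False, True, True]
    mon = simulate(outage)
    print("events:", mon.events)                 # rollover at 180 s, rollback at 240 s
    print("worst case detection:", worst_case_detection_seconds(30, 4), "s")
    flapping = [False, True] * 4
    print("switches with failover_after=1:", rollover_count(flapping, failover_after=1))
    print("switches with failover_after=4:", rollover_count(flapping, failover_after=4))
```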
Configure Load Balancing To configure load balancing: 1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen displays: Figure 306.
then a new FTP session could start on the WAN1 interface, and then any new connection to the Internet could be made on the WAN2 interface. This load-balancing method ensures that a single interface does not carry a disproportionate distribution of sessions. 3. Click Apply to save your settings. Configure Protocol Binding (Optional) To configure protocol binding and add protocol binding rules: 1. Select Network Config > Protocol Binding.
ProSecure Unified Threat Management (UTM) Appliance Figure 308. 3. Configure the protocol binding settings as explained in the following table: Table 135. Add Protocol Binding screen settings Setting Description Service From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Service-Based Rules on page 123).
ProSecure Unified Threat Management (UTM) Appliance 4. Click Apply to save your settings. The protocol binding rule is added to the Protocol Bindings table. The rule is automatically enabled, which is indicated by the ! status icon, a green circle. To edit a protocol binding: 1. On the Protocol Bindings screen (see Figure 307 on page 519), in the Protocol Bindings table, click the Edit table button to the right of the binding that you want to edit. The Edit Protocol Binding screen displays.
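The interaction between session-based load balancing and protocol binding, as an added example that is not code from the UTM firmware: new sessions alternate between WAN1 and WAN2 (per session, never per packet, so a session is never split across links), except that a session matching a binding rule always leaves through the WAN interface the rule names. The rule fields modelled (service, source network, destination network, WAN) and the sample sessions are constructed; the Add Protocol Binding screen has more settings than this model covers.

```python
"""Session-based load balancing with protocol binding rules (added example)."""
import ipaddress
from itertools import cycle


class Binding:
    """One protocol binding rule: service plus optional source/destination networks -> WAN."""

    def __init__(self, service, wan, src_net="0.0.0.0/0", dst_net="0.0.0.0/0"):
        self.service = service                      # e.g. "FTP"; "ANY" matches every service
        self.wan = wan                              # "WAN1" or "WAN2"
        self.src = ipaddress.ip_network(src_net)
        self.dst = ipaddress.ip_network(dst_net)

    def matches(self, session):
        if self.service not in ("ANY", session["service"]):
            return False
        return (ipaddress.ip_address(session["src"]) in self.src
                and ipaddress.ip_address(session["dst"]) in self.dst)


class LoadBalancer:
    def __init__(self, bindings, wans=("WAN1", "WAN2")):
        self.bindings = list(bindings)
        self.rr = cycle(wans)       # round-robin state for sessions no rule binds
        self.table = {}             # session key -> WAN; a session never moves

    def assign(self, session):
        key = (session["service"], session["src"], session["dst"], session["sport"])
        if key in self.table:       # existing session: keep it on its interface
            return self.table[key]
        for rule in self.bindings:  # first matching binding rule wins
            if rule.matches(session):
                self.table[key] = rule.wan
                return rule.wan
        self.table[key] = next(self.rr)   # otherwise alternate between the WAN ports
        return self.table[key]


def distribute(sessions, bindings):
    """Assign each new session in order; return the list of chosen WAN interfaces."""
    lb = LoadBalancer(bindings)
    return [lb.assign(s) for s in sessions]


# Constructed sample: five new outbound sessions from LAN hosts to documentation addresses.
SAMPLE_SESSIONS = [
    {"service": "HTTP", "src": "192.168.1.10", "dst": "203.0.113.5", "sport": 50001},
    {"service": "FTP",  "src": "192.168.1.11", "dst": "203.0.113.6", "sport": 50002},
    {"service": "HTTP", "src": "192.168.1.12", "dst": "203.0.113.7", "sport": 50003},
    {"service": "HTTP", "src": "192.168.1.13", "dst": "203.0.113.8", "sport": 50004},
    {"service": "FTP",  "src": "192.168.1.14", "dst": "203.0.113.9", "sport": 50005},
]

if __name__ == "__main__":
    # Bind all FTP to WAN1; everything else alternates WAN1, WAN2, WAN1, ...
    print(distribute(SAMPLE_SESSIONS, [Binding("FTP", "WAN1")]))
```

Bound sessions do not advance the round-robin pointer in this model, so a binding that captures most of the traffic will leave the unbound remainder evenly split rather than compensating for the imbalance; that matches the text's statement that binding pins a protocol to one port, and it is why a binding for a high-volume service should be chosen with the link capacities in mind.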
For more information about firewall rules, see Use Rules to Block or Allow Specific Kinds of Traffic on page 122. It is important that you ensure that any secondary DSL addresses are different from the primary DSL, WAN, LAN, and DMZ IP addresses that are already configured on the UTM9S. However, primary and secondary DSL addresses can be in the same subnet. The following is an example of correctly configured IP addresses: • Primary DSL IP address.
4. In the Add SLOT-x Secondary Addresses section of the screen, enter the following settings: • IP Address. Enter the secondary address that you want to assign to the DSL interface. • Subnet Mask. Enter the subnet mask for the secondary IP address. 5. Click the Add table button in the rightmost column to add the secondary IP address to the List of Secondary WAN addresses table.
Consider the following: • For auto-rollover mode, you need an FQDN to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address. • For load balancing mode, you might still need an FQDN either for convenience or if you have a dynamic IP address. Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.
Figure 310. 3. Click the Information option arrow in the upper right of a DNS screen for registration information. Figure 311. 4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
5. Configure the DDNS service settings for the DSL interface as explained in the following table: Table 136. DNS service settings Setting Description SLOT-x (Dynamic DNS Status: ...) Change DNS to (DynDNS, TZO, ...) Select the Yes radio button to enable the DDNS service. The fields that display on the screen depend on the DDNS service provider that you have selected.
3. Click the Advanced option arrow in the upper right of the screen. The SLOT-x Advanced Options screen displays. (The following figure shows the SLOT-2 Advanced Options screen as an example.) Figure 312. 4. Enter the settings as explained in the following table: Table 137. Advanced DSL settings Setting Description MTU Size Make one of the following selections: Default Select the Default radio button for the normal maximum transmit unit (MTU) value.
Table 137. Advanced DSL settings (continued) Setting Description Use this MAC Address Select the Use this MAC Address radio button, and manually enter the MAC address in the field next to the radio button. You would typically enter the MAC address that your ISP is requiring for MAC authentication. Note: The format for the MAC address is 01:23:45:67:89:AB (numbers 0–9 and either uppercase or lowercase letters A–F).
B. Wireless Module for the UTM9S This appendix describes how to configure the wireless features of the UTM9SWLSN wireless module that is installed in a UTM9S.
a maximum connectivity area of about a 500-foot radius. The wireless module can support a small group of wireless users—typically 5 to 20 users. The wireless module integrates a 2.4-GHz radio and a 5-GHz radio. One radio can be active to provide wireless connectivity between wired Ethernet networks and radio-equipped wireless notebook systems, desktop systems, print servers, and other devices. The 2.4-GHz radio supports 802.
• Away from large metal surfaces or water. • Placing the antennas in a vertical position provides the best side-to-side coverage. Placing the antennas in a horizontal position provides the best up-and-down coverage. • If you are using multiple wireless access points, it is better if the wireless module and an adjacent wireless access point use different radio frequency channels to reduce interference.
2. Specify the settings as explained in the following table: Table 138. Radio Settings screen settings Field Descriptions Region This is a preconfigured field that you cannot change. Country Specify a country by making a selection from the drop-down list. Operating Frequency Specify the radio’s operating frequency by making a selection from the drop-down list: • 2.
Table 138. Radio Settings screen settings (continued) Field Descriptions Channel Spacing (Note: na, ng, and Greenfield modes only. This is a fixed field for a, b, and g modes.) For the na, ng, and Greenfield modes only, specify the channel spacing by making a selection from the drop-down list: • 20/40MHz. Select this option to improve the performance. Some legacy devices (that is, devices that function only in a, b, or g mode) can operate only in 20 MHz.
WARNING! When you have changed the country settings, the wireless module (not the UTM9S) will reboot when you click Apply. 3. Click Apply to save your settings. Operating Frequency (Channel) Guidelines You should not need to change the operating frequency (channel) unless you notice interference problems, or are setting up the UTM9S near another wireless access point. Observe the following guidelines: • Wireless access points use a fixed channel.
Figure 314. There are several ways you can enhance the security of your wireless network: • Restrict access by MAC address. You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the wireless module. Restricting access by MAC address adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.
For more information about how to configure WPA, see Configure and Enable Wireless Security Profiles on page 538. • WPA2. Wi-Fi Protected Access version 2 (WPA2) data encryption provides strong data security with AES encryption. WPA2 provides the most reliable security. Use WPA2 only if all clients in your network support WPA2. The wireless module supports WPA2 with PSK, RADIUS, or a combination of PSK and RADIUS.
encryption settings are explained in Configure and Enable Wireless Security Profiles on page 538. Here are some concepts and guidelines regarding the SSID: • A basic service set (BSS) is a group of wireless devices and a single wireless access point, all using the same security profile or service set identifier (BSSID). The actual identifier in the BSSID is the MAC address of the wireless radio.
Record the WPA2-PSK passphrase: WPA2-PSK passphrase: ________________________________ • WPA RADIUS settings For WPA, record the following settings for the primary and secondary RADIUS servers: Server name/IP address: Primary ________________ Secondary _________________ Port: ___________________________________ Shared secret: ___________________________________ • WPA2 RADIUS settings For WPA2, record the following settings for the primary and secondary
Table 139. Profiles screen settings (continued) Field Description Broadcast Indicates whether or not the SSID is broadcast. A green circle indicates that the SSID is broadcast; a gray circle indicates that it is not. Security The configured security method for the security profile. Encryption The configured encryption method for the security profile. Authentication The configured authentication method for the security profile. 2.
3. Specify the settings as explained in the following table: Table 140. Edit Profile screen settings Field Description Profile Configuration Profile Name The name for the wireless security profile is UTM9S. You cannot change this name. SSID The wireless network name (SSID) for the wireless security profile. There is no default SSID name.
Table 140. Edit Profile screen settings (continued) Field Description Security (continued) • WPA+WPA2. To configure WPA, select the encryption and authentication. The remaining configuration depends on the selected authentication: - For WPA+WPA2 with PSK, select a password. - For WPA+WPA2 with RADIUS, configure the RADIUS server settings. - For WPA+WPA2 with PSK+RADIUS, select a password and configure the RADIUS server settings.
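What the PSK password you record for a WPA or WPA2 profile actually becomes on the radio, as an added example that is not NETGEAR code: IEEE 802.11i derives the pairwise master key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the same passphrase yields a different key on every SSID and the SSID acts as the salt. The 8-to-63-character rule is the length the manual gives for the WPA password; the sample passphrases are constructed.

```python
"""WPA/WPA2-PSK: passphrase to pairwise master key (added example)."""
import hashlib


def validate_passphrase(passphrase: str) -> None:
    """Reject passphrases the standard (and the UTM9S form) does not accept."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")


def is_valid_passphrase(passphrase: str) -> bool:
    try:
        validate_passphrase(passphrase)
        return True
    except ValueError:
        return False


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key for this passphrase on this SSID."""
    validate_passphrase(passphrase)
    # 4096 iterations and a 32-byte output are fixed by IEEE 802.11i for PSK mode.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, dklen=32)


if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password" on SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
```

Because the derivation has no per-network secret other than the passphrase itself, anyone who knows the SSID and guesses the passphrase obtains the same PMK; the 4096 iterations slow guessing but do not replace a long, non-dictionary passphrase, and a common SSID lets precomputed tables be reused across networks. That is the practical reason to prefer an unusual SSID together with a long WPA2-PSK passphrase, or RADIUS authentication where the clients support it.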
Table 140. Edit Profile screen settings (continued) Field Description WEP Index and Keys Authentication Specify the authentication by making a selection from the drop-down list: • Open System. Select this option to use WEP encryption without authentication. • Shared Key. Select this option to use WEP authentication and encryption with a shared key (passphrase).
To configure the wireless access point: 1. Select Network Config > Wireless Settings > Access Point. The Access Point screen displays. (The following figure shows some examples.) Figure 317. The following table explains the fields of the Access Point screen: Table 141. Access Point screen settings Item Description Status The status of the access point (Enabled or Disabled). Virtual AP The name for the virtual access point (VAP) is ap1.
Figure 318. 3. Specify the settings as explained in the following table: Table 142. Edit Access Point screen settings Settings Description AP Name The name for the access point is ap1. You cannot change this name. Profile Name The name for the profile is UTM9S. You cannot change this name. Schedule To enable the timer, select the Schedule check box. When the timer is enabled, the access point is turned off from the start time until the stop time.
2. Click one of the following table buttons: • Enable. Enables the access point and allows wireless clients to make a connection. • Disable. Disables the access point and prevents wireless clients from making a connection. Restrict Wireless Access by MAC Address For increased security, you can restrict access to an SSID by allowing access to only specific computers or wireless stations based on their MAC addresses.
4. Enter a MAC address in the MAC Address field. 5. Click Apply to add the MAC address to the MAC Address table on the MAC Address Filtering screen. 6. Repeat step 4 and step 5 for any other MAC addresses that you want to add to the MAC Address table. 7. From the ACL Policy Status drop-down list, select if access control is enabled, and if so, how the MAC addresses in the MAC Address table are treated: • Open. Access control is disabled.
Figure 320. The following table explains the fields of the Access Point Status screen. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Table 143. Access Point Status screen fields Item Description AP Statistics AP Name The name for the virtual access point (VAP) is ap1.
Table 143. Access Point Status screen fields (continued) Item Description Authentication The type of encryption that the client is using (Open, PSK, RADIUS, or PSK+RADIUS). Time Connected The period in minutes since the connection was established between the access point and the client. Configure a Wireless Distribution System The UTM9S can function as a station (peer) in a Wireless Distribution System (WDS).
2. Select the Enable WDS check box. 3. In the WPA Password field, enter a password between 8 and 63 characters. 4. Click Apply to save your settings. 5. Enter a MAC address of a peer in the MAC Address field. 6. Click Apply to add the MAC address to the WDS Peers table. 7. Repeat step 5 and step 6 for any other MAC addresses that you want to add to the MAC Address table. To configure WDS on a peer: 1.
Figure 322. 3. Specify the settings as explained in the following table: Table 144. Advanced Wireless screen settings Setting Description Beacon Interval Enter an interval between 40 ms and 3500 ms for each beacon transmission, which allows the wireless module to synchronize the wireless network. The default setting is 100 ms.
Table 144. Advanced Wireless screen settings (continued) Setting Description Preamble Mode Specify the preamble mode by making a selection from the drop-down list: • Long. A long transmit preamble might provide a more reliable connection or a slightly longer range. This is the default mode. • Short. A short transmit preamble gives better performance.
Figure 323. 3. Specify the advanced profile settings as explained in the following table: Table 145. Advanced profile settings Field Descriptions Profile Name The name for the wireless security profile is UTM9S. You cannot change this name. Group Key Refresh Interval Note: This field applies only if you have configured the profile for WPA or WPA2 security. Specify the time-out interval in seconds (1–36000) after which group keys are generated.
WMM QoS Priority Settings Wi-Fi Multimedia (WMM) is a subset of the 802.11e standard. WMM allows wireless traffic to have a range of priorities, depending on the type of data. Time-dependent information, such as video or audio, has a higher priority than normal traffic. For WMM to function correctly, wireless clients also need to support WMM.
Figure 324. 3. Select the Enable WMM check box. 4. Click Apply to save your settings. 5. In the DSCP to Queue table, from the drop-down lists, select a WMM queue for each DSCP value that you want to use in a QoS profile. 6. Click Apply to save your settings.
To test for wireless connectivity: 1. Configure the 802.11b/g/n or 802.11a/n wireless clients so that they all have the same SSID that you have configured on the wireless access point. Make sure that the wireless mode on the wireless access point supports the wireless capacity of the wireless clients. (For example, 802.11b-compliant devices cannot connect to the wireless access point if the wireless mode is set to ng.) 2.
C. Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix does not apply to single WAN port models.
- For load balancing mode, decide which protocols should be bound to a specific WAN port. - You can also add your own service protocols to the list. 2. Set up your accounts. a. Obtain active Internet services such as cable or DSL broadband accounts, and locate the Internet service provider (ISP) configuration information.
computer will connect to your network at 100 Mbps or higher speeds, you need to use a Category 5 (Cat 5) cable. Computer Network Configuration Requirements The UTM integrates a web management interface.
Internet Connection Information Print these pages with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP. _________________________________________________________________________ • ISP login name: The login name and password are case-sensitive and need to be entered exactly as given by your ISP. For AOL customers, the login name is the primary screen name.
Overview of the Planning Process The areas that require planning when you use a firewall that has dual WAN ports such as the UTM include the following: • Inbound traffic (port forwarding, port triggering) • Outbound traffic (protocol binding) • Virtual private networks (VPNs) The two WAN ports can be configured on a mutually exclusive basis to either of the following: • Auto-rollover for increased reliability • Load balance for outgoing traffic
Figure 326. Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP address of each WAN port needs to be in the identical range of fixed addresses. • Dual WAN ports in load balancing mode. Load balancing for a UTM with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address.
Inbound Traffic to a Single WAN Port System The Internet IP address of the UTM’s WAN port needs to be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled. In the single WAN case, the WAN’s Internet address is either fixed IP or an FQDN if the IP address is dynamic. Figure 328.
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic. Figure 330. Virtual Private Networks When implementing virtual private network (VPN) tunnels, you need to use a mechanism for determining the IP addresses of the tunnel endpoints.
the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of an FQDN is always required, even when the IP address of each WAN port is fixed. Note: When the UTM’s WAN port rolls over, the VPN tunnel collapses and needs to be reestablished using the new WAN IP address.
VPN Road Warrior: Single-Gateway WAN Port (Reference Case) In a single WAN port gateway configuration, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port needs to function as the responder. Figure 333. The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, an FQDN needs to be used.
Figure 335. The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or reestablish a VPN tunnel.
VPN Gateway-to-Gateway The following situations exemplify the requirements for a gateway VPN firewall such as a UTM to establish a VPN tunnel with another gateway VPN firewall: • Single-gateway WAN ports • Redundant dual-gateway WAN ports for increased reliability (before and after rollover) • Dual-gateway WAN ports for load balancing VPN Gateway-to-Gateway: Single-Gateway WAN Ports (Reference Case) In a configuration with two single WAN port gatew
Figure 338. The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you always need to use an FQDN because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (that is, the IP address of the active WAN ports is not known in advance).
Figure 340. The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you need to use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Telecommuter (Client-to-Gateway through a NAT Router) Note: The telecommuter case assumes that the home office has a dynamic IP address and NAT router.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you need to use an FQDN. If the IP address is fixed, an FQDN is optional.
VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing In a dual WAN port load balancing gateway configuration, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The selected gateway WAN port needs to function as the responder. Figure 344.
D. ReadyNAS Integration This appendix describes how to set up a UTM9S with a NETGEAR ReadyNAS.
Install the UTM9S Add-On on the ReadyNAS To install the UTM9S add-on on the ReadyNAS: 1. Start a web browser. 2. In the address field, enter the IP address of the ReadyNAS, for example, enter https://192.168.168.168. The ReadyNAS web management interface displays. 3. In the User Name field, type admin; in the Password field, type netgear1. 4. Select Add-ons > Add New. Figure 345. 5. Click Browse. Navigate to and select the UTM9S add-on image. 6.
Figure 346. 7. Click Install. 8. Select Add-ons > Installed. Figure 347. 9. Select the UTM Connector check box to enable the UTM connection.
10. Click Save. The status indicator shows green. Figure 348. Connect to the ReadyNAS on the UTM9S To connect to the ReadyNAS on the UTM9S: 1. Select Administration > ReadyNAS Integration. The ReadyNAS Integration screen displays: Figure 349. 2. To connect to the ReadyNAS, click the Yes radio button.
3. Enter the settings as explained in the following table: Table 148. ReadyNAS Integration screen settings Setting Description ReadyNAS Server The IP address of the ReadyNAS server. ReadyNAS Username The user name to access the ReadyNAS. By default, the user name is admin. ReadyNAS Password The password to access the ReadyNAS. By default, the password is netgear1. 4. Click Apply to save your settings. 5.
Figure 351.
E. Two-Factor Authentication This appendix provides an overview of two-factor authentication, and an example of how to implement the WiKID solution.
What Is Two-Factor Authentication? Two-factor authentication strengthens security by requiring multiple factors in the authentication process, each of which challenges and confirms a user's identity before the user can gain access to the network. Several factors are used to validate users and make sure that they are who they say they are.
Figure 352. 2. A one-time passcode (something the user has) is generated. Figure 353. Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration time. If a user does not use this passcode before it expires, the user needs to go through the request process again to generate a new OTP. 3.
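The three properties the note above attributes to the passcode (time-synchronized with the server, usable once, expiring if unused) illustrated with the standard TOTP construction from RFC 6238 (HMAC-SHA1, 30-second steps). This is an added example and a generic stand-in, not WiKID's scheme or NETGEAR's code; the secret, the clock-skew tolerance of one step and the timestamps are constructed.

```python
"""Time-synchronized one-time passcode: generation, single use and expiry (added example)."""
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, unix_time: int, digits: int = 8) -> str:
    """Passcode for the time step containing unix_time (RFC 6238 with HMAC-SHA1)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: accepts each passcode once, and only while its time step is current."""

    def __init__(self, secret: bytes, skew_steps: int = 1, digits: int = 8):
        self.secret = secret
        self.skew_steps = skew_steps     # how many earlier steps still count as valid
        self.digits = digits
        self.used_steps = set()          # time steps whose passcode was already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // STEP
        for step in range(now_step - self.skew_steps, now_step + 1):
            if step in self.used_steps:
                continue                 # a replayed passcode is rejected
            expected = totp(self.secret, step * STEP, self.digits)
            if hmac.compare_digest(expected, code):
                self.used_steps.add(step)
                return True
        return False                     # wrong, already used, or expired


if __name__ == "__main__":
    # RFC 6238 reference secret; at time 59 the 8-digit SHA-1 code is 94287082.
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))
```

Expiry falls out of the time step: a code issued at step N is refused once the server's clock has moved more than skew_steps steps past N, and the used_steps set gives single use. A real deployment keeps that set per user and prunes entries older than the skew window; the server's clock accuracy bounds how far apart client and server may drift before valid codes are refused.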
ProSecure Unified Threat Management (UTM) Appliance Figure 354.
F. System Logs and Error Messages F This appendix provides examples and explanations of system logs and error message. When applicable, a recommended action is provided. This appendix contains the following sections: • System Log Messages • Content-Filtering and Security Logs • Routing Logs This appendix uses the log message terms that are described in the following table: Table 149. Log message terms Term Description [UTM] System identifier. [kernel] Message from the kernel.
ProSecure Unified Threat Management (UTM) Appliance System Log Messages This section describes log messages that belong to one of the following categories: • Logs that are generated by traffic that is meant for the UTM. • Logs that are generated by traffic that is routed or forwarded through the UTM. • Logs that are generated by system daemons: the NTP daemon, the WAN daemon, and others daemons. System Startup This section describes log messages generated during system startup. Table 150.
ProSecure Unified Threat Management (UTM) Appliance NTP This section describes log messages generated by the NTP daemon during synchronization with the NTP server. The fixed time and date before NTP synchronizes with any of the servers is Fri 1999 Dec 31 19:13:00. Table 153. System logs: NTP Message 1 Message 2 Message 3 Message 4 Message 5 Message 6 Example Nov 28 12:31:13 [UTM] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [UTM] [ntpdate] Requesting time from time-f.netgear.
ProSecure Unified Threat Management (UTM) Appliance Firewall Restart This section describes logs that are generated when the firewall restarts. Table 155. System logs: firewall restart Message Jan 23 16:20:44 [UTM] [wand] [FW] Firewall Restarted Explanation Logs that are generated when the firewall is restarted. This message is logged when the VPN firewall restarts after any changes in the configuration are applied. Recommended Action None.
ProSecure Unified Threat Management (UTM) Appliance This section describes the logs that are generated when the WAN mode is set to auto-rollover. Table 157.
ProSecure Unified Threat Management (UTM) Appliance Load Balancing Mode When the WAN mode is configured for load balancing, both the WAN ports are active simultaneously and the traffic is balanced between them. If one WAN link goes down, all the traffic is diverted to the WAN link that is active. This section describes the logs that are generated when the WAN mode is set to load balancing. Table 158.
ProSecure Unified Threat Management (UTM) Appliance Table 159. System logs: WAN status, PPPoE idle timeout (continued) Explanation Message 1: Establishment of the PPPoE connection starts. Message 2: A message from the PPPoE server indicating a correct login. Message 3: The authentication for PPP succeeds. Message 4: The local IP address that is assigned by the server. Message 5: The server’s side IP address. Message 6: The primary DNS server that is configured on a WAN Settings screen.
ProSecure Unified Threat Management (UTM) Appliance • PPP Authentication logs Table 161. System logs: WAN status, PPP authentication Message 1 Message 2 Message 3 Message 4 Nov 29 11:29:26 [UTM] [pppd] Starting link Nov 29 11:29:29 [UTM] [pppd] Remote message: Login incorrect Nov 29 11:29:29 [UTM] [pppd] PAP authentication failed Nov 29 11:29:29 [UTM] [pppd] Connection terminated. WAN2(DOWN)_ Explanation Message 1: The PPPoE connection process starts.
ProSecure Unified Threat Management (UTM) Appliance ICMP Redirect Logs This section describes logs that are generated when the UTM processes ICMP redirect messages. Table 164. System logs: unicast, redirect Message Feb 2007 22 14:36:07 [UTM] [kernel] [LOG_PACKET] SRC=192.168.1.49 DST= 192.168.1.124 PROTO=ICMP TYPE=5 CODE=1 Explanation • This packet is an ICMP redirect message sent to the device by another device. • For other settings, see Table 149 on page 582. Recommended Action None.
ProSecure Unified Threat Management (UTM) Appliance Table 166. System logs: invalid packets (continued) Message 2007 Oct 1 00:44:17 [UTM] [kernel] [INVALID][ICMP_TYPE][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=19 CODE=0 Explanation Invalid ICMP type. Recommended Action None. Message 2007 Oct 1 00:44:17 [UTM] [kernel] [INVALID][TCP_FLAG_COMBINATION][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899 Explanation Invalid TCP flag combination. Recommended Action None.
ProSecure Unified Threat Management (UTM) Appliance Table 166. System logs: invalid packets (continued) Message 2007 Oct 1 00:44:17 [UTM] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899 Explanation Attempt to reopen or close a session. Recommended Action None. Message 2007 Oct 1 00:44:17 [UTM] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899 Explanation Packet not in TCP window.
ProSecure Unified Threat Management (UTM) Appliance
Table 167. Content-filtering and security logs: web filtering and content filtering (continued)
Message: 2009-08-01 00:00:01 HTTP ldap_domain ldap_user 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/%b4%f3%d3%da2048.rar URL Block
Explanation: Logs that are generated when web content is blocked because an access violation of a blocked web category occurs.
Spam Logs
This section describes logs that are generated when the UTM filters spam email messages.
Table 168. Content-filtering and security logs: spam
Message: 2009-02-28 23:59:59 SMTP radius_domain radius_user1 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com Blocked by list.dsbl.org 0 RBL Block
Explanation: Logs that are generated when spam messages are blocked by the RBL.
Traffic Logs
This section describes logs that are generated when the UTM processes web and email traffic.
Table 169. Content-filtering and security logs: traffic
Message: 2009-02-28 23:59:59 HTTP 99 radius_domain radius_user1 192.168.1.2 192.168.33.8 xlzimap@test.com xlzpop3@test.com [MALWARE INFECTED] Fw: cleanvirus
Explanation: Web and email traffic logs for HTTP, SMTP, POP3, IMAP, HTTPS, and FTP traffic.
IPS Logs
This section describes logs that are generated when traffic matches IPS rules.
Table 172. Content-filtering and security logs: IPS
Message: 2008-12-31 23:59:37 drop TCP 192.168.1.2 3496 192.168.35.165 8081 WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt
Explanation: Logs that are generated when traffic matches IPS rules.
Routing Logs
This section explains the logging messages for each network segment, such as LAN-to-WAN, for debugging purposes. These logs might generate a significant volume of messages.
LAN-to-WAN Logs
This section describes logs that are generated when the UTM processes LAN-to-WAN traffic.
Table 175. Routing logs: LAN to WAN
Message: Nov 29 09:19:43 [UTM] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC= 192.168.10.10 DST=72.14.207.
WAN-to-LAN Logs
This section describes logs that are generated when the UTM processes WAN-to-LAN traffic.
Table 178. Routing logs: WAN to LAN
Message: Nov 29 10:05:15 [UTM] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC= 192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from the LAN to the WAN has been allowed by the firewall.
• For other settings, see Table 149 on page 582.
Recommended Action: None.
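The routing and IPS log formats shown above can be turned into structured records for correlation or alerting when the UTM sends its logs to a syslog collector. The following Python is an added example, not code from the manual or from NETGEAR: the sample lines are constructed after Tables 172, 175 and 178, and the DROP line, its SPT/DPT fields and the WAN-side addresses are assumptions, as the excerpt above only shows ACCEPT messages.

```python
import re
from collections import Counter

# Constructed sample lines modelled on Table 172 (IPS), Table 175 (LAN to WAN) and
# Table 178 (WAN to LAN). The DROP line, its SPT/DPT fields and the WAN-side
# addresses are assumptions for this example, not values from the manual.
SAMPLE_LOGS = [
    "Nov 29 09:19:43 [UTM] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC= 192.168.10.10 DST=203.0.113.25 PROTO=TCP SPT=51234 DPT=80",
    "Nov 29 10:05:15 [UTM] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC= 192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0",
    "Nov 29 10:06:02 [UTM] [kernel] WAN2LAN[DROP] IN=WAN OUT=LAN SRC=198.51.100.7 DST=192.168.10.10 PROTO=TCP SPT=40001 DPT=8080",
    "2008-12-31 23:59:37 drop TCP 192.168.1.2 3496 192.168.35.165 8081 WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt",
]

# Kernel routing lines: "<syslog time> [UTM] [kernel] <SEG>[<VERDICT>] KEY=VALUE ..."
KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \[UTM\] \[kernel\] "
    r"(?P<segment>[A-Z]+2[A-Z]+)\[(?P<verdict>ACCEPT|DROP)\] (?P<fields>.*)$")
# The manual prints "SRC= 192.168.10.10" with a space after '=', so allow one.
FIELD_RE = re.compile(r"([A-Z]+)= ?(\S+)")
# IPS lines: "<date> <time> <action> <proto> <src> <spt> <dst> <dpt> <signature>"
IPS_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+) (?P<spt>\d+) (?P<dst>[\d.]+) (?P<dpt>\d+) (?P<signature>.+)$")


def parse_line(line):
    """Return a dict for a routing or IPS log line, or None for anything else."""
    m = KERNEL_RE.match(line)
    if m:
        rec = {"kind": "routing", "ts": m["ts"], "segment": m["segment"],
               "verdict": m["verdict"]}
        rec.update(FIELD_RE.findall(m["fields"]))  # IN, OUT, SRC, DST, PROTO, ...
        return rec
    m = IPS_RE.match(line)
    if m:
        return {"kind": "ips", **m.groupdict()}
    return None


def summarize(lines):
    """Count inbound firewall drops and IPS hits per source address."""
    drops, ips_hits = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "routing" and rec["verdict"] == "DROP" and rec.get("IN") == "WAN":
            drops[rec["SRC"]] += 1
        elif rec["kind"] == "ips":
            ips_hits[rec["src"]] += 1
    return drops, ips_hits
```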
G. Default Settings and Technical Specifications
This appendix provides the default settings and the physical and technical specifications of the UTM in the following sections:
• Default Settings
• Physical and Technical Specifications
Default Settings
You can use the factory default reset button located on the rear panel to reset all settings to their factory defaults.
Table 181. UTM default configuration settings (continued)
Feature / Default behavior
Internet connection
  WAN MAC address: Use default address
  WAN MTU size: 1500
  Port speed: AutoSense
Local network (LAN)
  LAN IP address: 192.168.1.1
  Subnet mask: 255.255.255.0
  RIP direction: None
  RIP version: Disabled
  RIP authentication: Disabled
  DHCP server: Enabled
  DHCP starting IP address: 192.168.1.2
  DHCP starting IP address: 192.168.1.
Physical and Technical Specifications
The following table shows the physical and technical specifications for the UTM:
Table 182. UTM physical and technical specifications
Feature / Specification
Network protocol and standards compatibility
  Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPPoA (UTM9S only), PPPoE, PPTP
Power adapter
  UTM5, UTM10, and UTM25: 100–240V, AC/50–60 Hz, Universal Input, 1.
Table 182.
The following table shows the SSL VPN specifications for the UTM:
Table 184. UTM SSL VPN specifications
Setting / Specification
Network Management: Web-based configuration and status monitoring
Number of concurrent users supported: The number of supported dedicated SSL VPN tunnels depends on the model (see NETGEAR’s documentation at http://prosecure.netgear.com).
SSL versions: SSLv3, TLS1.
Table 185. Wireless specifications UTM9S wireless module (continued)
Feature / Description
802.11a/na wireless specifications
  802.11a data rates: 6, 9, 12, 18, 24, 36, 48, 54 Mbps, and autorate capable
  802.11na data rates (includes Greenfield): Channels with data rates for a 20-MHz channel spacing (width): 0 / 7.2 Mbps, 1 / 14.4 Mbps, 2 / 21.7 Mbps, 3 / 28.9 Mbps, 4 / 43.3 Mbps, 5 / 57.8 Mbps, 6 / 65 Mbps, 7 / 72.2 Mbps, 8 / 14.44 Mbps, 9 / 28.
H. Notification of Compliance (Wired)
NETGEAR Wired Products
Regulatory Compliance Information
This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may result in unlawful operation and adverse action against the end-user by the applicable National regulatory authority.
FCC Radio Frequency Interference Warnings & Instructions
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Additional Copyrights
AES
Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2.
MD5
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc.
I. Notification of Compliance (Wireless)
NETGEAR Wireless Routers, Gateways, APs
Regulatory Compliance Information
Note: This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may result in unlawful operation and adverse action against the end-user by the applicable National regulatory authority.
Español [Spanish] NETGEAR Inc. hereby declares that the Radiolan complies with the essential requirements and any other applicable or enforceable provisions of Directive 1999/5/EC.
Ελληνική [Greek] NETGEAR Inc. hereby declares that Radiolan complies with the essential requirements and the other relevant provisions of Directive 1999/5/EC.
Français [French] NETGEAR Inc. hereby
Íslenska [Icelandic] NETGEAR Inc. hereby declares that Radiolan is in compliance with the essential requirements and other requirements laid down in Directive 1999/5/EC.
Norsk [Norwegian] NETGEAR Inc. hereby declares that the equipment Radiolan is in compliance with the essential requirements and other relevant requirements of Directive 1999/5/EC.
This device is a 2.
• For product available in the USA market, only channels 1 through 11 can be operated. Selection of other channels is not possible.
• This device and its antenna(s) must not be co-located or operated in conjunction with any other antenna or transmitter.
Household Appliance / Recommended Minimum Distance (in feet and meters)
Cordless phone - Digital: 30 feet / 9 meters
Bluetooth devices: 20 feet / 6 meters
ZigBee: 20 feet / 6 meters
Index Numerics user account 364 ADSL (asymmetric digital subscriber line) 15 advertisement, UPnP information 171 AES (Advanced Encryption Standard) IKE policy settings 267 Mode Config settings 284 VPN policy settings 275–276 wireless security 535, 541 alerts configuring 430 email address for sending alerts 59, 423 specifying alerts to send via email 429 Alexa Toolbar 53, 197 ALG (Application Level Gateway) 151 allowing applications 52, 196 emails 183–194 URLs 208 web access exceptions 224 web categories 58
IPS categories 173 audio and video files email filtering 185 FTP filtering 221 web filtering 204, 226 authenticated users 224 authentication domain 363 authentication, authorization, and accounting (AAA) 279 authentication, for IPSec VPN pre-shared key 241, 245, 268 RSA signature 268 L2TP server 304 PPTP server 301 SSL VPN 311, 355 wireless network 536 See also AD (Active Directory) LDAP MIAS (Microsoft Internet Authentication Service) NT Domain RADIUS Wi
connection speed, WAN 92 console port 30–32 content filtering executable, audio, video, and compressed files 204, 226 log messages 592 logs 426, 460, 463 scheduling 58 settings, using the Setup Wizard 57 web categories 58 control side band, radio 533 cookies 200, 204 counter, WAN traffic 420 country, radio 532 CPU usage 441 CRL (Certificate Revocation List) 382, 388 crossover cable 18, 493 CSMA (Carrier Sense Multiple Access), radio 550 CSR (certificate s
UTM IP address and subnet mask 44, 100 VLAN 43, 98 WLAN 98 demilitarized zone. See DMZ. denial of service. See DoS.
duplex, half and full 91 dynamic DNS (DDNS), configuring 87, 523 Dynamic Host Configuration Protocol. See DHCP. dynamically assigned IP addresses DSL settings 511 WAN settings 74 DynDNS.org 87–89, 523–526 extension channels, radio 533 F Facebook, blocking 53, 197 factory default settings reverting to 405 service licenses, automatic retrieval 64 failover attempts, configuring number of 80, 517 failover protection. See auto-rollover mode.
enabling scanning 52, 196 filtering files 221 traffic, WMM QoS 553 fully qualified domain names. See FQDNs.
inbound traffic, bandwidth 162 increasing traffic overview 393–396 port forwarding 127 infected clients, identifying 466 infrastructure mode, wireless access point 534 initial configuration, Setup Wizard 42 initial connection 37 Installation Guide 37 installation, verifying 61 instant messaging applications blocked applications, recent 5 and top 5 437 blocking applications 143 logs 425, 460–463 traffic statistics 435 inter VLAN routing 46, 102 interface s
WAN settings 47, 72 iTunes 52, 197 expiration dates 441 keys 20 ProSafe VPN Client software 14 licensing, electronic 64 lifetime, quarantine 417 Lightweight Directory Access Protocol, See LDAP.
MSN Messenger 52, 196 MTU (maximum transmission unit), default 91, 527 multicast pass-through 148 multihome LAN IP addresses, configuring 104–105 multiple WAN ports, auto-rollover 560–563 multiplexing method, DSL settings 504 lower side band, radio 533 M MAC addresses blocked, adding 165 configuring 71, 91, 508, 527 format 91, 165, 528 IP binding 166 restricting wireless access by 535, 545 spoofing 495 VLANs, unique 103 main navigation menu (web managem
operating frequencies, radio 532, 603 option arrow (web management interface) 41 Oray.
SSL VPN port forwarding 318, 329 port ranges port triggering 170 SSL VPN policies 340–341 SSL VPN resources 336 port triggering configuring 168–170 increasing traffic 395 status monitoring 170, 454 Port VLAN Identifier (PVID) 94 portals, SSL VPN 306, 320, 324 ports console 30–32 front panel 22–27 LAN and WAN and their LEDs 22–25 listening port, DC agent 373 rear panel 30–32 speed 91 USB, nonfunctioning 22–25 viewing VLAN membership 450 portscan logs 426,
restricting wireless access by MAC address 535 retry interval, DNS lookup or ping 80, 517 RFC 1349 158 RFC 1700 152 RFC 2865 279 Rhapsody 52, 197 RIP (Routing Information Protocol), configuring 118–120 RJ-11 port, DSL module 26 Road Warrior (client-to-gateway) 564 roaming 537 round-robin load balancing 82, 518 Routing Information Protocol (RIP), configuring 118–120 routing log messages 597 routing table adding static routes 116 displaying 484, 486 RSA sig
services settings, using the Setup Wizard 51 security alerts, trusted or untrusted hosts 213 security association. See SA.
SSL VPN ActiveX web cache cleaner 309, 327 ActiveX-based client 306 authentication 311, 355 cache control 309, 327 client IP address range and routes 316, 331–333 domain settings, using SSL VPN Wizard 310 encryption for LDAP 313, 357 FQDNs, port forwarding 324 logs 322, 426, 461–463 manual configuration steps 323 network resources 334 overview 16 policies managing 336 settings 339 port forwarding configuring 328–330 description 307 port number 318 using S
tracert, using with DDNS 401 tracing a route (traceroute) 484, 485 trademarks 2 traffic action when reaching limit 421 bandwidth 160–163 diagnostic tools 482, 486 inbound (dual-WAN port models, planning) 560 increasing 393–396 rate-limiting 92 real-time diagnostics 486, 487 reducing 390–393 total scanned, in MB 438 total, in bytes 436 volume by protocol 421 WMM QoS 553 traffic logs 425, 460–462 traffic management 389 traffic meter (or counter) 419 transfe
versions, firmware 406, 441 video traffic, WMM QoS 553 videoconferencing DMZ port 112 from restricted address 139 Virtual Channel Identifier (VCI) 504 virtual circuit (VC) 504 virtual LAN. See VLAN. Virtual Path Identifier (VPI) 504 Virtual Private Network Consortium (VPNC) 19, 239 virtual private network. See VPN tunnels. virus database 410 logs. See malware, logs.
bandwidth capacity 389 classical routing mode 77, 514 connection speed 92 connection type, viewing 448 failure detection method 78–80 load balancing mode configuring 81–82 DDNS 87 description 76 VPN IPSec 238 NAT, configuring 77, 513 primary WAN mode, description 76 secondary IP addresses 85 SNMP management 403 WAN aliases 85 WAN interfaces, primary and backup 78 WAN LEDs 28–29, 493 WAN mode status, viewing 448 WAN ports 14, 22–25 WAN settings autodetecti
WLAN, default 98 WMM (Wi-Fi Multimedia) power saving, radio 551 priority 553 WPA (Wi-Fi protected access), WPA2, and mixed mode configuring 540–542 types of encryption 535 X XAUTH configuring 277 edge device 277, 278 IKE policies 269 IPSec host 277–278 Y Yahoo Messenger 52, 196 Yahoo Toolbar 53, 197