Netgear SRX5308 Reference Guide

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Reference Manual

April 2013 202-10536-05

350 East Plumeria Drive San Jose, CA 95134 USA

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Support

Thank you for selecting NETGEAR products. After installing your device, locate the serial number on the label of your product and use it to register your product

at https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR recommends registering your product through the NETGEAR website. For product updates and web support, visit http://support.netgear.com.

Phone (US & Canada only): 1-888-NETGEAR. Phone (Other Countries): Check the list of phone numbers at

http://support.netgear.com/general/contact/default.aspx.

Trademarks

NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. © NETGEAR, Inc. All rights reserved.

Revision History

Publication Part Number

202-10536-05 – April 2013 Added the following features:

202-10536-04 1.0 July 2012 A major revision. Added the following features:

Version Publish Date Comments

• Auto-rollover support with failure detection for IPv6 WAN interfaces (see Configure Auto-Rollover for IPv6 Interfaces and Create an IPv6 Gateway-to-Gateway VPN Tunnel with

the Wizard)

• Multicast pass-through with alternate networks (see Configure

Multicast Pass-Through for IPv4 Traffic)

• SNMP access from the WAN and SNMP trap events (see Use

a Simple Network Management Protocol Manager)

• Option to define what constitutes a UCP flood attack (see

Attack Checks)

• Authentication and encryption for the PPTP server (see

Configure the PPTP Server)

• Authentication for the L2TP server (see Configure the L2TP

Server)

• Option to select a gateway when you ping or send a trace packet and option to select a VPN policy when you ping or send a trace packet through a VPN tunnel (see Send a Ping

Packet and Trace a Route)

• Support for IPv6 with multiple IPv6 features, including a new general menu structure that provides both IPv4 and IPv6 radio buttons (very extensive revisions throughout the manual)

• IPSec VPN autoinitiate support (see Manually Add or Edit a

VPN Policy)

• SNMPv3 support (see Use a Simple Network Management

Protocol Manager)

• Option to reboot with a different firmware version (see Select

the Firmware and Reboot the VPN Firewall)

• Extensive list of factory default settings (see Appendix A,

Default Settings and Technical Specifications)

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

202-10536-03 1.0 November 2011 Incorporated nontechnical edits only (there are no feature

changes).

202-10536-02 1.0 July 2011 Added new features that are documented in the following

sections:

• Configure WAN QoS Profiles

• Inbound Rules (Port Forwarding) and Create LAN WAN

Inbound Service Rules

• Attack Checks

• Set Limits for IPv4 Sessions

• Create IP Groups

• Use the NETGEAR VPN Client Wizard to Create a Secure

Connection

• Manually Create a Secure Connection Using the NETGEAR

VPN Client

• Configure the ProSafe VPN Client for Mode Config Operation

• Configure Date and Time Service

• Configure and Enable the LAN Traffic Meter

202-10536-01 1.0 April 2010 Initial publication of this reference manual.

Chapter 1 Introduction

What Is the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308? .12

Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Quad-WAN Ports for Increased Reliability and Load Balancing. . . . . . .13

Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . .14

A Powerful, True Firewall with Content Filtering. . . . . . . . . . . . . . . . . . .14

Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Autosensing Ethernet Connections with Auto Uplink . . . . . . . . . . . . . . .15

Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Easy Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Front Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Bottom Panel with Product Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

Choose a Location for the VPN Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . .20

Use the Rack-Mounting Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Web Management Interface Menu Layout . . . . . . . . . . . . . . . . . . . . . . . . .23

Requirements for Entering IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . .25

IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Chapter 2 IPv4 and IPv6 Internet and WAN Settings

Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .27

Roadmap to Setting Up IPv4 Internet Connections to Your ISPs. . . . . .27

Roadmap to Setting Up IPv6 Internet Connections to Your ISPs. . . . . .28

Configure the IPv4 Internet Connection and WAN Settings. . . . . . . . . . . .29

Configure the IPv4 WAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

Let the VPN Firewall Automatically Detect and

Configure an IPv4 Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . .31

Manually Configure an IPv4 Internet Connection. . . . . . . . . . . . . . . . . .34

Configure Load Balancing or Auto-Rollover for IPv4 Interfaces. . . . . . .40

Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . .47

Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

Configure the IPv6 Internet Connection and WAN Settings. . . . . . . . . . . .52

Configure the IPv6 Routing Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

Use a DHCPv6 Server to Configure an IPv6 Internet Connection . . . . .55

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Configure a Static IPv6 Internet Connection. . . . . . . . . . . . . . . . . . . . . .58

Configure a PPPoE IPv6 Internet Connection . . . . . . . . . . . . . . . . . . . .61

Configure 6to4 Automatic Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . .64

Configure ISATAP Automatic Tunneling. . . . . . . . . . . . . . . . . . . . . . . . .65

View the Tunnel Status and IPv6 Addresses . . . . . . . . . . . . . . . . . . . . .67

Configure Stateless IP/ICMP Translation. . . . . . . . . . . . . . . . . . . . . . . .67

Configure Auto-Rollover for IPv6 Interfaces. . . . . . . . . . . . . . . . . . . . . .68

Configure Advanced WAN Options and Other Tasks. . . . . . . . . . . . . . . . .71

Configure WAN QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76

Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . .82

Verify the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

Chapter 3 LAN Configuration

Manage IPv4 Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . .84

Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Assign and Manage VLAN Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .86

VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87

Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88

Configure VLAN MAC Addresses and LAN Advanced Settings. . . . . . .93

Configure IPv4 Multihome LAN IP Addresses on the Default VLAN . . . . .94

Manage IPv4 Groups and Hosts (IPv4 LAN Groups). . . . . . . . . . . . . . . . .96

Manage the Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Change Group Names in the Network Database . . . . . . . . . . . . . . . . .100

Set Up DHCP Address Reservation. . . . . . . . . . . . . . . . . . . . . . . . . . .101

Manage the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

DHCPv6 Server Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103

Configure the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

Configure the IPv6 Router Advertisement Daemon and

Advertisement Prefixes for the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . .109

Configure IPv6 Multihome LAN IP Addresses on the Default VLAN . . . .113

Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic. . . . . . . . .114

DMZ Port for IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115

DMZ Port for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118

Configure the IPv6 Router Advertisement Daemon and

Advertisement Prefixes for the DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . .122

Manage Static IPv4 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

Configure Static IPv4 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

Configure the Routing Information Protocol . . . . . . . . . . . . . . . . . . . . .129

IPv4 Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

Manage Static IPv6 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132

Chapter 4 Firewall Protection

About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

Overview of Rules to Block or Allow Specific Kinds of Traffic . . . . . . . . .136

Outbound Rules (Service Blocking) . . . . . . . . . . . . . . . . . . . . . . . . . . .137

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Inbound Rules (Port Forwarding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140

Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144

Configure LAN WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145

Create LAN WAN Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .147

Create LAN WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .149

Configure DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152

Create DMZ WAN Outbound Service Rules. . . . . . . . . . . . . . . . . . . . .154

Create DMZ WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .156

Configure LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158

Create LAN DMZ Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .160

Create LAN DMZ Inbound Service Rules. . . . . . . . . . . . . . . . . . . . . . .162

Examples of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164

Examples of Inbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . .164

Examples of Outbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . .168

Configure Other Firewall Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Attack Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Set Limits for IPv4 Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173

Configure Multicast Pass-Through for IPv4 Traffic. . . . . . . . . . . . . . . .174

Manage the Application Level Gateway for SIP Sessions . . . . . . . . . .176

Services, Bandwidth Profiles, and QoS Profiles. . . . . . . . . . . . . . . . . . . .176

Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177

Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179

Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

Create Quality of Service Profiles for IPv4 Firewall Rules . . . . . . . . . .184

Quality of Service Priorities for IPv6 Firewall Rules . . . . . . . . . . . . . . .186

Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186

Set a Schedule to Block or Allow Specific Traffic. . . . . . . . . . . . . . . . . . .189

Enable Source MAC Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197

Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

Chapter 5 Virtual Private Networking Using

IPSec and L2TP Connections

Considerations for Dual WAN Port Systems . . . . . . . . . . . . . . . . . . . . . .202

Use the IPSec VPN Wizard for Client and Gateway Configurations . . . .203

Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard. . .204

Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard. . .208

Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard . . . . .212

Test the Connection and View Connection and Status Information. . . . .227

Test the NETGEAR VPN Client Connection . . . . . . . . . . . . . . . . . . . .227

NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . .229

View the VPN Firewall IPSec VPN Connection Status. . . . . . . . . . . . .229

View the VPN Firewall IPSec VPN Log . . . . . . . . . . . . . . . . . . . . . . . .230

Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

Manage IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

Manage VPN Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .245

Configure XAUTH for VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .246

User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247

RADIUS Client and Server Configuration. . . . . . . . . . . . . . . . . . . . . . .247

Assign IPv4 Addresses to Remote Users (Mode Config). . . . . . . . . . . . .250

Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250

Configure Mode Config Operation on the VPN Firewall. . . . . . . . . . . .250

Configure the ProSafe VPN Client for Mode Config Operation . . . . . .257

Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .264

Modify or Delete a Mode Config Record. . . . . . . . . . . . . . . . . . . . . . . .265

Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .265

Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266

Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267

Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .268

Configure the PPTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269

View the Active PPTP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271

Configure the L2TP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272

View the Active L2TP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273

Chapter 6 Virtual Private Networking Using

SSL Connections

SSL VPN Portal Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276

Overview of the SSL Configuration Process . . . . . . . . . . . . . . . . . . . . . .276

Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . . . .281

Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . . . .282

Add Servers and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282

Add a New Host Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283

Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284

Configure the Client IP Address Range . . . . . . . . . . . . . . . . . . . . . . . .285

Add Routes for VPN Tunnel Clients . . . . . . . . . . . . . . . . . . . . . . . . . . .287

Use Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . . .288

Add New Network Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288

Edit Network Resources to Specify Addresses . . . . . . . . . . . . . . . . . .289

Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . . . .291

View Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

Add an IPv4 or IPv6 SSL VPN Policy. . . . . . . . . . . . . . . . . . . . . . . . . .293

Access the New SSL Portal Login Screen . . . . . . . . . . . . . . . . . . . . . . . .297

View the SSL VPN Connection Status and SSL VPN Log. . . . . . . . . . . .299

Chapter 7 Manage Users, Authentication, and VPN Certificates

The VPN Firewall’s Authentication Process and Options. . . . . . . . . . . . .302

Configure Authentication Domains, Groups, and Users. . . . . . . . . . . . . .303

Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303

Configure Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307

Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310

Set User Login Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . .318

Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . .320

VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321

Manage VPN CA Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322

Manage VPN Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . .323

Manage the VPN Certificate Revocation List . . . . . . . . . . . . . . . . . . . .326

Chapter 8 Network and System Management

Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329

Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329

Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330

Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332

Use QoS and Bandwidth Assignment to Shift the Traffic Mix. . . . . . . .335

Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .336

System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336

Change Passwords and Administrator and Guest Settings . . . . . . . . .336

Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .338

Use the Command-Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . .342

Use a Simple Network Management Protocol Manager. . . . . . . . . . . .342

Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347

Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . .352

Chapter 9 Monitor System Access and Performance

Configure and Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . .356

Configure and Enable the LAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . .359

Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . .362

How to Send Syslogs over a VPN Tunnel between Sites . . . . . . . . . .367

View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369

View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369

View the VPN Connection Status, L2TP Users, and PPTP Users. . . .378

View the VPN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380

View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

View the WAN Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382

View the Attached Devices and the DHCP Log . . . . . . . . . . . . . . . . . .385

Diagnostics Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388

Send a Ping Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389

Trace a Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

Look Up a DNS Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

Display the Routing Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

Capture Packets in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391

Reboot the VPN Firewall Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . .391

Chapter 10 Troubleshooting

Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394

Troubleshoot the Web Management Interface. . . . . . . . . . . . . . . . . . . . .394

When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . .395

Troubleshoot the ISP Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396

Troubleshooting the IPv6 Connection . . . . . . . . . . . . . . . . . . . . . . . . . . .397

Troubleshoot a TCP/IP Network Using a Ping Utility . . . . . . . . . . . . . . . .400

Test the LAN Path to Your VPN Firewall . . . . . . . . . . . . . . . . . . . . . . .400

Test the Path from Your Computer to a Remote Device . . . . . . . . . . .401

Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .401

Address Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . .403

Access the Knowledge Base and Documentation . . . . . . . . . . . . . . . . . .403

Appendix A Default Settings and Technical Specifications

Factory Default Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405

Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .410

Appendix B Network Planning for Multiple WAN Ports

What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .414

Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . .415

Computer Network Configuration Requirements . . . . . . . . . . . . . . . . .415

Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . .416

Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418

Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419

Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .419

Inbound Traffic to a Dual WAN Port System . . . . . . . . . . . . . . . . . . . .420

Virtual Private Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421

VPN Road Warrior (Client-to-Gateway) . . . . . . . . . . . . . . . . . . . . . . . .422

VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425

VPN Telecommuter (Client-to-Gateway through a NAT Router) . . . . .427

Appendix C System Logs and Error Messages

Log Message Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431

System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431

NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432

System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433

Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433

Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433

IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .434

WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435

Resolved DNS Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438

VPN Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439

Traffic Meter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444

Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444

LAN to WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

LAN to DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

DMZ to WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

WAN to LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

DMZ to LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

WAN to DMZ Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Other Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Session Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Source MAC Filter Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447

Bandwidth Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447

DHCP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447

Appendix D Two-Factor Authentication

Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .450

What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . .450

What Is Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . . . . . .450

NETGEAR Two-Factor Authentication Solutions. . . . . . . . . . . . . . . . . . .451

Appendix E Notification of Compliance Index

1. Introduction

This chapter provides an overview of the features and capabilities of the ProSAFE Gigabit Quad

WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web management interface. The chapter contains the following sections:

• What Is the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308?

• Key Features and Capabilities

• Package Contents

• Hardware Features

• Choose a Location for the VPN Firewall

• Log In to the VPN Firewall

• Web Management Interface Menu Layout

• Requirements for Entering IP Addresses

Note: For more information about the topics covered in this manual, visit

the support website at http://support.netgear.com.

Note: Firmware updates with new features and bug fixes are made

available from time to time on downloadcenter.netgear.com. Some products can regularly check the site and download new firmware, or you can check for and download new firmware manually features or behavior of your product do not match what is described in this guide, you might need to update your firmware.

. If the

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

What Is the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308?

The ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through up to four external broadband access devices such as cable or DSL modems or satellite or wireless Internet dishes. Four wide area network (WAN) ports allow you to increase effective data rate to the Internet by utilizing all WAN ports to carry session traffic or to maintain backup connections in case of failure of your primary Internet connection.

The VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall protects your IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traf objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site Automatic Tunnel

Addressing Protocol (ISATAP) tunnels.

The VPN firewall is a security solution that protects your network from attacks and intrusions. For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support. web content filtering options, plus browsing activity reporting and instant alerts—both through email. Network administrators can establish restricted access policies based on time of day, website addresses, and address keywords.

The VPN firewall supports multiple

fic, and traf

fic with

The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and simple remote connections. transfer speeds.

The VPN firewall is a plug-and-play device that can be installed and configured within minutes.

The use of Gigabit Ethernet LAN and W

AN ports ensures high data

Key Features and Capabilities

• Quad-WAN Ports for Increased Reliability and Load Balancing

• Advanced VPN Support for Both IPSec and SSL

• A Powerful, True Firewall with Content Filtering

• Security Features

• Autosensing Ethernet Connections with Auto Uplink

• Extensive Protocol Support

• Easy Installation and Management

• Maintenance and Support

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

The VPN firewall provides the following key features and capabilities:

• Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover

protection of your Internet connection, providing increased data rate and increased system reliability.

• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer

between local network resources and support for up to 200,000 internal or external connections.

• Both IPv4 and IPv6 support

• Advanced IPSec VPN and SSL VPN support with support for up to 125 concurrent IPSec

VPN tunnels and up to 50 concurrent SSL VPN tunnels.

• Bundled with a single-user license of the NETGEAR ProSafe VPN Client software

(VPN01L).

• L2TP tunnel and PPTP tunnel support

• Advanced stateful packet inspection (SPI) firewall with multi-NA

• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and

multimedia.

• Extensive protocol support.

• One console port for local management.

• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for

the NETGEAR ProSafe Network Management Software (NMS200) over a LAN connection.

• Front panel LEDs for easy monitoring of status and activity

• Flash memory for firmware upgrade.

• Internal universal switching power supply

• Rack-mounting kit for 1U rackmounting.

T support.

Quad-WAN Ports for Increased Reliability and Load Balancing

The VPN firewall provides four broadband WAN ports. These WAN ports allow you to connect additional broadband Internet lines that can be configured to:

• Load-balance outbound traffic between up to four lines for maximum bandwidth

efficiency.

• Provide backup and rollover if one line is inoperable, ensuring that you are never

disconnected.

See Appendix B, Network Planning for Multiple WAN Ports for the planning factors to consider when implementing the following capabilities with multiple WAN port gateways:

• Single or multiple exposed hosts.

• V

irtual private networks (VPNs).

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Advanced VPN Support for Both IPSec and SSL

The VPN firewall supports IPSec and SSL virtual private network (VPN) connections:

• IPSec VPN delivers full network access between a central office and branch of

between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.

- IPSec VPN with broad protocol support for secure connection to other IPSec

gateways and clients.

- Up to 125 simultaneous IPSec VPN connections.

- Bundled with a 30-day trial license for the ProSafe VPN Client software (VPN01L).

• SSL VPN provides remote access for mobile users to selected corporate resources

without requiring a preinstalled VPN client on their computers.

- Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for

e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.

- Up to 50 simultaneous SSL VPN connections.

- Allows browser-based, platform-independent remote access through a number of

popular browsers, such as Microsoft Internet Explorer Safari.

- Provides granular access to corporate resources based on user type or group

membership.

, Mozilla Firefox, and

fices, or

Apple

A Powerful, True Firewall with Content Filtering

Unlike simple NA T routers, the VPN firewall is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities:

• DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such

as Ping of Death and SYN flood.

• Secure firewall. Blocks unwanted traffic from the Internet to your LAN.

• Content filtering

can control access to Internet content by screening for web services, web addresses, and keywords within web addresses.

• Schedule policies. Permits scheduling of firewall policies by day and time.

• Logs security incidents. Logs security events such as logins and secure logins.

configure the firewall to email the log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your email address or email pager when a significant event occurs.

. Prevents objectionable content from reaching your computers. Y

ou can

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Security Features

The VPN firewall is equipped with several features designed to maintain security:

• Computers hidden by NAT. NA

originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.

• Port forwarding with NA

accessing the computers on the LAN, the VPN firewall allows you to direct incoming traffic to specific computers based on the service port number of the incoming request.

• DMZ port. Incoming traffic from the Internet is usually discarded by the VPN firewall

unless the traf have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your network.

fic is a response to one of your local computers or a service for which you

T opens a temporary path to the Internet for requests

Although NAT prevents Internet locations from directly

Autosensing Ethernet Connections with Auto Uplink

With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the VPN firewall can connect to a 10-Mbps standard Ethernet network, a 100-Mbps Fast Ethernet network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The VPN firewall incorporates Auto Uplink senses whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub. That port then configures itself correctly. This feature eliminates the need for you to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.

technology. Each Ethernet port automatically

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). The VPN firewall provides the following protocol support:

• IP address sharing by NAT. The VPN firewall allows many networked computers to

share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.

• Automatic configuration of attached computers by DHCP.

dynamically assigns network configuration information, including IP Domain Name Server (DNS) addresses, to attached computers on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.

Introduction

The VPN firewall

, gateway, and

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN

firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.

• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the

Internet over a DSL connection by simulating a dial-up connection.

• Quality of Service (QoS).

and traffic classification with Type of Service (ToS) and Differentiated Services Code Point (DSCP) marking.

• Layer 2 Tunneling Protocol (L2TP)

private networks (VPNs).

• Point to Point Tunneling Protocol (PPTP).

support VPNs.

The VPN firewall supports QoS, including traf

. A tunneling protocol that is used to support virtual

Another tunneling protocol that is used to

fic prioritization

Easy Installation and Management

You can install, configure, and operate the VPN firewall within minutes after connecting it to the network. The following features simplify installation and management tasks:

• Browser-based management. Browser-based configuration allows you to easily

configure the VPN firewall from almost any type of operating system, such as Windows, Macintosh, or Linux. Online help documentation is built into the browser-based web management interface.

• Auto-detection of ISP.

connection, asking you only for the information required for your type of ISP account.

• IPSec VPN Wizard

can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.

• SNMP.

let you monitor and manage log resources from an SNMP-compliant system manager The SNMP system configuration lets you change the system variables for MIB2.

• Diagnostic functions. The VPN firewall incorporates built-in diagnostic functions such

as ping, traceroute, DNS lookup, and remote reboot.

• Remote management

interface from a remote location on the Internet. For security management access to a specified remote IP address or range of addresses.

• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor

its status and activity

The VPN firewall supports the Simple Network Management Protocol (SNMP) to

The VPN firewall automatically senses the type of Internet

. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you

. The VPN firewall allows you to log in to the web management

, you can limit remote

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:

• Flash memory for firmware upgrades.

• T

echnical support seven days a week, 24 hours a day. Information about support is

available on the NETGEAR website at

http://support.netgear

.com/app/answers/detail/a_id/212.

Package Contents

The VPN firewall product package contains the following items:

• ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

• One

• One Category 5 (Cat 5) Ethernet cable

• One rack-mounting kit

• ProSAFE Gigabit Quad W

• Resource CD, including:

AC power cable

AN SSL VPN Firewall SRX5308 Installation Guide

- Application Notes and other helpful information

- ProSafe VPN Client software (VPN01L)

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair

Hardware Features

• Front Panel

• Rear Panel

• Bottom Panel with Product Label

The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are described in the following sections.

Front Panel

Viewed from left to right, the VPN firewall front panel contains the following ports (see the following figure).

• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,

Gigabit Ethernet ports with RJ-45 connectors

• WAN Ethernet ports. Four independent N-way automatic speed negotiating, Auto

MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are described in the following table.

DMZ LED

Power LED

Left LAN LEDs

Left WAN LEDs

Internet

LEDs

Test LED

Right LAN LEDs

Right WAN LEDs

Figure 1.

Table 1. LED descriptions

LED Activity Description

Power On (green) Power is supplied to the VPN firewall.

Off Power is not supplied to the VPN firewall.

est On (amber) during

startup.

On (amber) during any other time

Blinking (amber) The VPN firewall is writing to flash memory (during upgrading or resetting

Off The system has booted successfully.

LAN Ports

Left LED On (green) The LAN port has detected a link with a connected Ethernet device.

Test mode: The VPN firewall is initializing. After approximately 2 minutes, when the VPN firewall has completed its initialization, the Test LED goes off.

The initialization has failed, or a hardware failure has occurred.

to defaults).

Blinking (green) Of

f The LAN port has no link.

Right LED On (green) The LAN port operates at 1000 Mbps.

On (amber) The LAN port operates at 100 Mbps. Off The LAN port operates at 10 Mbps.

The LAN port receives or transmits data.

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Table 1. LED descriptions (continued)

LED Activity Description

DMZ LED On (green) Port 4 operates as a dedicated hardware DMZ port.

Off Port 4 operates as a normal LAN port.

WAN Ports

Left LED On (green) The WAN port has a valid connection with a device that provides an

Internet connection. Blinking (green) The WAN port receives or transmits data. Off The WAN port has no physical link, that is, no Ethernet cable is plugged

into the VPN firewall.

Right LED On (green) The WAN port operates at 1000 Mbps.

On (amber) The WAN port operates at 100 Mbps. Off The WAN port operates at 10 Mbps.

Internet LED On (green) The WAN port has a valid Internet connection.

Off The WAN port is either not enabled or has no link to the Internet.

Rear Panel

The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a cable lock receptacle, an AC power connection, and a power switch.

Factory Defaults

Reset button

Console port

Figure 2.

Security lock

receptacle

AC power receptacle

Viewed from left to right, the rear panel contains the following components:

• Cable security lock receptacle.

• Console port. Port for connecting to an optional console terminal.

male connector

. The default baud rate is 1 15200 K. The pinouts are (2) Tx, (3) Rx, (5) and

The port has a DB9

(7) Gnd. For information about accessing the command-line interface (CLI) using the console port, see Use the Command-Line Interface on page 342.

Power switch

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

• Factory Defaults Reset button. Using a sharp object, press and hold this button for about

8 seconds until the front panel Test LED flashes to reset the VPN firewall to factory default settings. All configuration settings are lost, and the default password is restored.

• AC power receptacle. Universal AC input (100–240 V

• A power on/off switch.

AC, 50–60 Hz).

Bottom Panel with Product Label

The product label on the bottom of the VPN firewall’s enclosure displays factory default settings, regulatory compliance, and other information.

Figure 3.

Choose a Location for the VPN Firewall

The VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the VPN firewall in a wiring closet or equipment room.

Consider the following when deciding where to position the VPN firewall:

• The unit is accessible, and cables can be connected easily.

• Cabling is away from sources of electrical noise. These include lift shafts, microwave

ovens, and air-conditioning units.

• Water or moisture cannot enter the case of the unit.

• Airflow around the unit and through the vents in the side of the case is not restricted.

Provide a minimum of 25 mm or 1-inch clearance.

• The air is as free of dust as possible.

• T

emperature operating limits are not likely to be exceeded. Install the unit in a clean, air-conditioned environment. For information about the recommended operating temperatures for the VPN firewall, see

Specifications.

Appendix A, Default Settings and Technical

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Use the Rack-Mounting Kit

Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the mounting brackets using the hardware that is supplied with the mounting kit.

Figure 4.

Before mounting the VPN firewall in a rack, verify that:

• You have the correct screws (supplied with the installation kit).

• The rack onto which you plan to mount the VPN firewall is suitably located.

Log In to the VPN Firewall

Note: To connect the VPN firewall physically to your network, connect the

cables and restart your network according to the instructions in the

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide. A PDF of this guide is on the NETGEAR support

website at http://kb.netgear.com/app/products/model/a_id/13568.

To configure the VPN firewall, you need to use a web browser such as Microsoft Internet Explorer 7.0 or later, Mozilla Firefox 4.0 or later, or Apple Safari 3.0 or later with JavaScript, cookies, and SSL enabled.

Although these web browsers are qualified for use with the VPN firewall’s web management interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is required only for the SSL VPN portal, not for the web management interface.

 To log in to the VPN firewall:

1. Start any of the qualified web browsers.

2. In the address field, enter https://192.168.1.1. The

screen displays in the browser.

NETGEAR

Configuration Manager Login

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Note: The VPN firewall factory default IP address is 192.168.1.1. If you

change the IP address, you need to use the IP address that you assigned to the VPN firewall to log in to the VPN firewall.

Figure 5.

Note: The first time that you remotely connect to the VPN firewall with a

browser through an SSL connection, you might get a warning message regarding the SSL certificate. Follow the directions of your browser to accept the SSL certificate.

3. In the User Name field, type admin. Use lowercase letters.

4. In the Password / Passcode field, type password. Here, too, use lowercase letters.

Note: The VPN firewall user name and password are not the same as any

user name or password you might use to log in to your Internet connection.

Note: Leave the domain as it is (geardomain).

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

5. Click Login. The web management interface displays, showing the Router Status screen.

The following figure shows the top part of the Router Status screen. For more information, see View the System Status on page 369.

Note: After 5 minutes of inactivity (the default login time-out), you are

automatically logged out.

Figure 6.

Web Management Interface Menu Layout

The following figure shows the menu at the top the web management interface:

3rd level: Submenu tab (blue)

2nd level: Configuration menu link (gray)

1st level: Main navigation menu link (orange)

Figure 7.

Option arrows: Additional screen for submenu item

IP radio buttons

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

The web management interface menu consists of the following components:

• 1st level: Main navigation menu links. The main navigation menu in the orange bar

across the top of the web management interface provides access to all the configuration functions of the VPN firewall, and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.

• 2nd level: Configuration menu links.

The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.

• 3rd level: Submenu tabs. Each configuration menu item has one or more submenu tabs

that are listed below the gray menu bar

. When you select a submenu tab, the text is

displayed in white against a blue background.

• Option arrows. If there are additional screens for the submenu item, links to the screens

display on the right side in blue letters against a white background, preceded by a white arrow in a blue circle.

• IP radio buttons

feature to be configured onscreen.

. The IPv4 and IPv6 radio buttons let you select the IP version for the

There are four options:

- Both buttons are operational. You can configure the feature onscreen

for IPv4 functionality or for IPv6 functionality. After you have correctly configured the feature for both IP versions, the feature can function with both IP versions simultaneously.

- The IPv4 button is operational but the IPv6 button is disabled

. You

can configure the feature onscreen for IPv4 functionality only.

- The IPv6 button is operational but the IPv4 button is disabled. You

can configure the feature onscreen for IPv6 functionality only.

- Both buttons are disabled. IP functionality does not apply.

The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown.

Figure 8.

The following figure shows an example:

Any of the following action buttons might display onscreen (this list might not be complete):

• Apply. Save and apply the configuration.

• Reset. Reset the configuration to the previously saved configuration.

• T

est.

Test the configuration.

• Auto Detect. Enable the VPN firewall to detect the configuration automatically and

suggest values for the configuration.

• Cancel. Cancel the operation.

Introduction

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

When a screen includes a table, table buttons display to let you configure the table entries. The nature of the screen determines which table buttons are shown. The following figure shows an example:

Figure 9.

Any of the following table buttons might display onscreen:

• Select All. Select all entries in the table.

• Delete. Delete the selected entry or entries from the table.

• Enable. Enable the selected entry or entries in the table.

• Disable. Disable the selected entry or entries in the table.

• Add.

• Edit. Edit the selected entry.

• Up. Move the selected entry up in the table.

• Down. Move the selected entry down in the table.

• Apply.

Add an entry to the table.

Apply the selected entry.

Almost all screens and sections of screens have an accompanying help screen. help screen, click the (question mark) icon.

To open the

Requirements for Entering IP Addresses

To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically from the VPN firewall, either an IPv4 address through DHCP or an IPv6 address through DHCPv6, or both.

IPv4

The fourth octet of an IP address needs to be between 0 and 255 (both inclusive). This requirement applies to any IP address that you enter on a screen of the web management interface.

IPv6

IPv6 addresses are denoted by eight groups of hexadecimal quartets that are separated by colons. Any four-digit group of zeroes within an IPv6 address can be reduced to a single zero or altogether omitted.

The following errors invalidate an IPv6 address:

• More than eight groups of hexadecimal quartets

• More than four hexadecimal characters in a quartet

• More than two colons in a row

Introduction

2. IPv4 and IPv6 Internet and WAN

Settings

This chapter explains how to configure the IPv4 and IPv6 Internet and WAN settings. The

chapter contains the following sections:

• Internet and WAN Configuration Tasks

• Configure the IPv4 Internet Connection and WAN Settings

• Configure the IPv6 Internet Connection and WAN Settings

• Configure Advanced WAN Options and Other Tasks

• Configure WAN QoS Profiles

• Additional WAN-Related Configuration Tasks

• What to Do Next

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Internet and WAN Configuration Tasks

• Roadmap to Setting Up IPv4 Internet Connections to Your ISPs

• Roadmap to Setting Up IPv6 Internet Connections to Your ISPs

Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall to protect the network from incoming threats and provide secure connections. gateway security appliance such as a NETGEAR ProSecure STM appliance.

The tasks that are required to complete the Internet connection of your VPN firewall depend on whether you use an IPv4 connection, an IPv6 connection, or both to your Internet service provider (ISP).

Note: The VPN firewall supports simultaneous IPv4 and IPv6 connections.

o complement the firewall protection, NETGEAR advises that you use a

Roadmap to Setting Up IPv4 Internet Connections to Your ISPs

Setting up IPv4 Internet connections to your ISP or ISPs includes seven tasks, five of which are optional.

 Complete these tasks:

1. Configure the IPv4 routing mode. Select either NAT or classical routing.

This task is described in

2. Configure the IPv4 Internet connections to your ISPs. Connect to one or more ISPs by

configuring up to four WAN interfaces. Y

ou have two configuration options. These tasks are described in the following sections:

• Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection

on page 31

• Manually Configure an IPv4 Internet Connection on page 34

3. (Optional) Configure either load balancing or auto-rollover.

interfaces are configured for primary (single) WAN mode. You can select load balancing or auto-rollover and a failure detection method. If you configure load balancing, you can also configure protocol binding.

This task is described in Configure Load Balancing or Auto-Rollover for IPv4 Interfaces on page 40.

Configure the IPv4 WAN Mode on page 29.

By default, the WAN

4. (Optional) Configure secondary WAN addresses on the WAN interfaces. Configure

aliases for each WAN interface. This task is described in Configure Secondary WAN Addresses on page 47.

IPv4 and IPv6 Internet and WAN Settings

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

5. (Optional) Configure Dynamic DNS on the WAN interfaces. If necessary, configure your

fully qualified domain names. This task is described in Configure Dynamic DNS on page 49.

6. (Optional) Configure the WAN options. If necessary

port speed, and MAC address of the VPN firewall. These are advanced features, and you usually do not need to change the settings.

This task is described in Configure Advanced WAN Options and Other Tasks on page 71.

7. (Optional) Configure the WAN traffic meters.

This task is described in

Configure and Enable the WAN Traffic Meter on page 356.

, change the factory default MTU size,

Roadmap to Setting Up IPv6 Internet Connections to Your ISPs

Setting up IPv6 Internet connections to your ISP or ISPs includes six tasks, four of which are optional.

 Complete these tasks:

1. Configure the IPv6 routing mode. Configure the VPN firewall to support both devices

with IPv4 addresses and devices with IPv6 addresses. This task is described in Configure the IPv6 Routing Mode on page 53.

2. Configure the IPv6 Internet connections to your ISPs. Connect to an ISP by configuring

a W

AN interface.

ou have three configuration options. These tasks are described in the following sections:

• Use a DHCPv6 Server to Configure an IPv6 Internet Connection on page 55

• Configure a Static IPv6 Internet Connection on page 58

• Configure a PPPoE IPv6 Internet Connection on page 61

3. (Optional) Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISA

These tasks are described in the following sections:

• Configure 6to4 Automatic Tunneling on page 64

• Configure ISATAP Automatic Tunneling on page 65

4. (Optional) Configure Stateless IP/ICMP T

not have permanently assigned IPv4 addresses to communicate with IPv4-only devices. This task is described in

5. (Optional) Configure auto-rollover. By default, the WAN interfaces are configured for

primary (single) W settings.

These tasks are described in Configure Auto-Rollover for IPv6 Interfaces on page 68.

AN mode. You can enable auto-rollover and configure the failure detection

Configure Stateless IP/ICMP Translation on page 67.

ranslation (SIIT). Enable IPv6 devices that do

AP tunnels.

IPv4 and IPv6 Internet and WAN Settings

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

6. (Optional) Configure the WAN options. If necessary , change the factory default MTU size,

port speed, and MAC address of the VPN firewall. These are advanced features, and you usually do not need to change the settings.

These tasks are described in Configure Advanced WAN Options and Other Tasks on page 71.

Configure the IPv4 Internet Connection and WAN Settings

• Configure the IPv4 WAN Mode

• Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection

• Manually Configure an IPv4 Internet Connection

• Configure Load Balancing or Auto-Rollover for IPv4 Interfaces

• Configure Secondary WAN Addresses

• Configure Dynamic DNS

To set up your VPN firewall for secure IPv4 Internet connections, you need to determine the IPv4 W your ISP on the W configuration options, described in the following sections:

• Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection on

• Manually Configure an IPv4 Internet Connection on page 34

AN mode (see the next section) and then configure the IPv4 Internet connection to

AN port. The web management interface offers two connection

page 31

Configure the IPv4 WAN Mode

By default, IPv4 is supported and functions in NAT mode but can also function in classical routing mode. IPv4 functions the same way in IPv4-only mode that it does in IPv4 / IPv6 mode. The latter mode adds IPv6 functionality (see Configure the IPv6 Routing Mode on page 53).

Network Address Translation

Network Address T ranslation (NA T) allows all computers on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a single IP address. Computers on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.

Note the following about NAT:

• The VPN firewall uses NAT to select the correct computer (on your LAN) to receive any

incoming data.

• If you have only a single public Internet IP address, you need to use NAT (the default

setting).

IPv4 and IPv6 Internet and WAN Settings

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

• If your ISP has provided you with multiple public IP addresses, you can use one address

as the primary shared address for Internet access by your computers, and you can map incoming traffic on the other public IP addresses to specific computers on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.

Classical Routing

In classical routing mode, the VPN firewall performs routing, but without NA T. To gain Internet access, each computer on your LAN needs to have a valid static Internet IP address.

If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to each computer, you can choose classical routing. Or you can use classical routing for routing private IP addresses within a campus environment.

To view the status of the WAN ports, you can view the Router Status screen (see View the

System Status on page 369).

Configure the IPv4 Routing Mode

 To configure the IPv4 routing mode:

1. Select Network Configuration > WAN Settings > W

displays:

Figure 10.

AN Mode. The WAN Mode screen

2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button

or the Classical Routing radio button.

WARNING:

Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.

IPv4 and IPv6 Internet and WAN Settings

+ 439 hidden pages

Netgear SRX5308 Reference Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Contents

1. Introduction

What Is the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308?

Key Features and Capabilities

Quad-WAN Ports for Increased Reliability and Load Balancing

Advanced VPN Support for Both IPSec and SSL

A Powerful, True Firewall with Content Filtering

Security Features

Autosensing Ethernet Connections with Auto Uplink

Extensive Protocol Support

Easy Installation and Management

Maintenance and Support

Package Contents

Hardware Features

Front Panel

Rear Panel

Bottom Panel with Product Label

Choose a Location for the VPN Firewall

Use the Rack-Mounting Kit

Log In to the VPN Firewall

Web Management Interface Menu Layout

Requirements for Entering IP Addresses

IPv4

IPv6

Internet and WAN Configuration Tasks

Roadmap to Setting Up IPv4 Internet Connections to Your ISPs

Roadmap to Setting Up IPv6 Internet Connections to Your ISPs

Configure the IPv4 Internet Connection and WAN Settings

Configure the IPv4 WAN Mode