NETGEAR SRX5308-100NAS User Manual
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Reference Manual
350 East Plumeria Drive
San Jose, CA 95134
USA
July, 2012
202-10536-04
v1.0
ProSafe Gigabit Quad W AN SSL VPN Firewall SRX5308
© 2010–2012 NETGEAR, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of NETGEAR, Inc.
Technical Support
Thank you for choosing NETGEAR. T o register your product, get the latest product updates, get support online, or
for more information about the topics covered in this manual, visit the Support website at
http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): Check the li
http://support.netgear.com/app
st of phone numbers at
/answers/detail/a_id/984.
Trademarks
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of
NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change
without notice. Other brand and product names are registered trademarks or trademarks of their respective
holders. © 2010–2012 NETGEAR, Inc. All rights reserved.
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes
to the products described in this document without notice. NETGEAR does not assume any liability that may occur
due to the use, or application of, the product(s) or circuit layout(s) described herein.
Revision History
Publication
Part Number
202-10536-04 1.0 July 2012 A major revision. Added the following features:
202-10536-03 1.0 November 2011 Incorporated nontechnical edits only (there are no feature
Version Publish Date Comments
• Support for IPv6 with multiple IPv6 features, including a new
general menu structure that provides both IPv4 and IPv6 radio
buttons (very extensive revisions throughout the manual)
• IPSec VPN autoinitia
VPN Policy)
• SNMPv3 support (see Use a Simple Network Management
Protocol Manager)
• Option to reboot with a different firmware version (see Select
the Firmware and Reboot the VPN Firewall )
• Extensive list of factory d
Default Settings and Technical Specifications)
chan
ges).
te support (see Manually Add or Edit a
efault settings (see Appendix A,
2
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
202-10536-02 1.0 July 2011 Added new features that are documented in the following
sections:
• Configure WAN QoS Profiles
• Inbound Rules (Port Forwarding) and Create LAN WAN Inbound
Service Rules
• Attack Checks
• Set Limits for IPv4 Sessions
• Create IP Groups
• Use the NETGEAR VPN Client Wizard to Create a Secure
Connection
• Manually Create a Secure Conne
VPN Client
• Configure the ProSafe VPN Client for Mode Config Operation
• Configure Date and Time Service
• Configure and Enable the LAN Traffic Meter
202-10536-01 1.0 April 2010 Initial publication of this reference manual.
ction Using the NETGEAR
3
Contents
Chapter 1 Introduction
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? . .11
Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Quad-WAN Ports for Increased Reliability and
Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . .13
A Powerful, True Firewall with Content Filtering
Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Autosensing Ethernet Connections with Auto Uplink
Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Easy Installation and Management . . . . . . .
Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Front Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Bottom Panel with Product Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Choose a Location for the VPN Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . .20
Use the Rack-Mounting Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Log In to the VPN Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Web Management Interface Menu Layout . . . . . . . . . . . . . . . . . . . . . . . . .23
Requirements for Entering IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . .25
IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Load Balancing. . . . . . .13
. . . . . . . . . . . . . . . . . . .14
. . . . . . . . . . . . . . .14
. . . . . . . . . . . . . . . . . . . . .15
Chapter 2 IPv4 and IPv6 Internet and WAN Settings
Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Tasks to Set Up IPv4 Internet Connections
Tasks to Set Up an IPv6 Internet
Configure the IPv4 Internet Connection and W
Configure the IPv4 WAN Mode . .
Let the VPN Firewall Automatically Detect and
Configure an IPv4 Internet Connection
Manually Configure an IPv4 Internet
Configure Load Balancing or Auto-Rollover . . . . . . . . . . . . . . . . . . . . . .39
Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . .46
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Configure the IPv6 Internet Connection and W
Configure the IPv6 Routing Mode . . . . . . . .
Use a DHCPv6 Server to Configure an IPv6 Internet Connection . . . . .54
4
Connection to Your ISPs . . . . . . . . . .27
. . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Connection. . . . . . . . . . . . . . . . . .33
to Your ISPs . . . . . . . . . . .27
AN Settings. . . . . . . . . . . .28
. . . . . . . . . . . . . . . . . . . . . . . . .30
AN Settings. . . . . . . . . . . .51
. . . . . . . . . . . . . . . . . . . . .52
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Configure a Static IPv6 Internet Connection. . . . . . . . . . . . . . . . . . . . . .57
Configure a PPPoE IPv6 Internet Connection . . . . . . . . . . . . . . . . . . . .60
Configure 6to4 Automatic Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Configure ISATAP Automatic Tunneling. . . . . . . . . . . . . . . . . . . . . . . . .64
View the Tunnel Status and IPv6 Addresses . . . . . . . . . . . . . . . . . . . . .66
Configure Stateless IP/ICMP Translation. . . . . . . . . . . . . . . . . . . . . . . .66
Configure Advanced WAN Options and Other Task
Configure WAN QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . .78
Verify the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
s. . . . . . . . . . . . . . . . .67
Chapter 3 LAN Configuration
Manage IPv4 Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . .79
Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Assign and Manage VLAN Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Configure VLAN MAC Addresses and LAN Advanced Settings. . . . . . .88
Configure IPv4 Multihome LAN IP Addresses on the Default VLAN . . . . .89
Manage IPv4 Groups and Hosts (IPv4 LAN Groups). . . . . . . . . . . . . . . . .91
Manage the Network Database . . . . . . . . . .
Change Group Names in the Network Database . . . . . . . . . . . . . . . . . .95
Set Up DHCP Address Reservation. . . . . . .
Manage the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
DHCPv6 Server Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Configure the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Configure IPv6 Multihome LAN IP Addresses on the Default VLAN . . . .108
Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic. . . . . . . . .109
DMZ Port for IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110
DMZ Port for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . .117
Manage Static IPv4 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Configure Static IPv4 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Configure the Routing Information Protocol . . . . . . . . . . . . . . . . . . . . .124
IPv4 Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Manage Static IPv6 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
. . . . . . . . . . . . . . . . . . . . .92
. . . . . . . . . . . . . . . . . . . . .96
Chapter 4 Firewall Protection
About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Overview of Rules to Block or Allow Specific K
Outbound Rules (Service Blocking) . . . . . . .
Inbound Rules (Port Forwarding) .
. . . . . . . . . . . . . . . . . . . . . . . . . . . .135
5
inds of Traffic . . . . . . . . .131
. . . . . . . . . . . . . . . . . . . .133
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Configure LAN WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Create LAN WAN Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .143
Create LAN WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .145
Configure DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147
Create DMZ WAN Outbound Service Rules. . . . . . . . . . . . . . . . . . . . .149
Create DMZ WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . . 151
Configure LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Create LAN DMZ Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .155
Create LAN DMZ Inbound Service Rules. . . . . . . . . . . . . . . . . . . . . . .157
Examples of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Examples of Inbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . .159
Examples of Outbound Firewall Rules . . . . .
Configure Other Firewall Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Attack Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Set Limits for IPv4 Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Manage the Application Level Gateway for S
Services, Bandwidth Profiles, and Q
Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Create Quality of Service Profiles for IPv4 Firewall Rules . . . . . . . . . .179
Quality of Service Priorities for IPv6 Firewall Rules . . . . . . . . . . . . . . .181
Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Set a Schedule to Block or Allow Specific Traffic
Enable Source MAC Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192
Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
oS Profiles. . . . . . . . . . . . . . . . . . . .171
. . . . . . . . . . . . . . . . . . . .164
IP Sessions . . . . . . . . . . 171
. . . . . . . . . . . . . . . . . . .185
Chapter 5 Virtual Private Networking
Using IPSec and L2TP Connections
Considerations for Dual WAN Port Systems (IPv4 Only). . . . . . . . . . . . .196
Use the IPSec VPN Wizard for Client and Gateway
Create an IPv4 Gateway-to-Gateway VPN Tun ne l with th e Wiza rd. . .198
Create an IPv6 Gateway-to-Gateway VPN Tun ne l with th e Wiza rd. . .203
Create an IPv4 Client-to-Gateway VPN
Test the Connection and View Connection and Status Information. . . . .221
Test the NETGEAR VPN Client Connection . . . . . . . . . . . . . . . . . . . .221
NETGEAR VPN Client Status and Log Information
View the VPN Firewall IPSec VPN Connection Status. . . . . . . . . . . . .223
View the VPN Firewall IPSec VPN Log . . . . . . . . . . . . . . . . . . . . . . . . 224
Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Manage IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225
Manage VPN Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .239
Configure XAUTH for VPN Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . .240
6
Tunnel with the Wizard . . . . .206
Configurations . . . .198
. . . . . . . . . . . . . . .223
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
RADIUS Client and Server Configuration. . . . . . . . . . . . . . . . . . . . . . .241
Assign IPv4 Addresses to Remote Users (Mode Config)
Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Configure Mode Config Operation on the VPN Firewall. . . . . . . . . . . .244
Configure the ProSafe VPN Client for Mode
Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .258
Modify or Delete a Mode Config Record. . . .
Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .259
Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260
Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .262
Configure the PPTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263
View the Active PPTP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Configure the L2TP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
View the Active L2TP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266
Config Operation . . . . . .251
. . . . . . . . . . . . . . . . . . . .259
. . . . . . . . . . . . .244
Chapter 6 Virtual Private Networking
Using SSL Connections
SSL VPN Portal Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268
Overview of the SSL Configuration Process . .
Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270
Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . . . .274
Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . . . .275
Add Servers and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Add a New Host Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
Configure the Client IP Address Range . . . . . . . . . . . . . . . . . . . . . . . .278
Add Routes for VPN Tunnel Clients . . . . . . . . . . . . . . . . . . . . . . . . . . .280
Use Network Resource Objects to Simplify Policies
Add New Network Resources. . . . . . . . . . . .
Edit Network Resources to Specify Addresses
Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . . . .284
View Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285
Add an IPv4 or IPv6 SSL VPN Policy. . . . . . . . . . . . . . . . . . . . . . . . . .286
Access the New SSL Portal Login Screen . . . .
View the SSL VPN Connection Status and SSL VPN Log. . . . . . . . . . . .292
. . . . . . . . . . . . . . . . . . . .269
. . . . . . . . . . . . . . . .281
. . . . . . . . . . . . . . . . . . . .281
. . . . . . . . . . . . . . . . . .282
. . . . . . . . . . . . . . . . . . . .290
Chapter 7 Manage Users, Authentication, and VPN Certificates
The VPN Firewall’s Authentication Process and Options. . . . . . . . . . . . .294
Configure Authentication Domains, Groups, and
Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Configure Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Set User Login Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . .311
Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . .313
Users. . . . . . . . . . . . . .296
7
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314
Manage VPN CA Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315
Manage VPN Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . .316
Manage the VPN Certificate Revocation List . . . . . . . . . . . . . . . . . . . .320
Chapter 8 Network and System Management
Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Features That Reduce Traffic. . . . . . . . . .
Features That Increase Traffic
Use QoS and Bandwidth Assignment to Shift the Traffic Mix. . . . . . . . 327
Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .328
System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Change Passwords and Administrator and Guest Settings . . . . . . . . . 328
Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .330
Use the Command-Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Use a Simple Network Management Protocol Manager. . . . . . . . . . . .334
Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339
Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
. . . . . . . . . . . . . . . . . . . . . .322
Chapter 9 Monitor System Access and Performance
Configure and Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . .347
Configure and Enable the LAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . . 350
Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . .353
How to Send Syslogs over a VPN Tunnel between Sites . . . . . . . . . .359
View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361
View the VPN Connection Status, L2TP Users, and PPTP Users. . . .370
View the VPN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372
View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373
View the WAN Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374
View the Attached Devices and the DHCP Log . . . . . . . . . . . . . . . . . .377
Diagnostics Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Send a Ping Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381
Trace a Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Look Up a DNS Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Display the Routing Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Capture Packets in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Reboot the VPN Firewall Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Chapter 10 Troubleshooting
Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385
LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386
Troubleshoot the Web Management Interface. . .
. . . . . . . . . . . . . . . . . . 386
8
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . .387
Troubleshoot the ISP Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Troubleshooting the IPv6 Connection . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Troubleshoot a TCP/IP Network Using a Ping Utility
Test the LAN Path to Your VPN Firewall
Test the Path from Your C
Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .393
Address Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . .395
Access the Knowledge Base and Documentation
omputer to a Remote Device . . . . . . . . . . .393
. . . . . . . . . . . . . . . . . . . . . . .392
. . . . . . . . . . . . . . . .392
. . . . . . . . . . . . . . . . . .395
Appendix A Default Settings and Technical Specifications
Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396
Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .402
Appendix B Network Planning for Multiple WAN Ports (IPv4 Only)
What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .404
Cabling and Computer Hardware
Computer Network Configuration R
Internet Configuration Requirements
Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408
Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .409
Inbound Traffic to a Dual WAN Port System . .
Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411
VPN Road Warrior (Client-to-Gatew
VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
VPN Telecommuter (Client-to-Gatew
Requirements . . . . . . . . . . . . . . . . .406
equirements . . . . . . . . . . . . . . . . .406
. . . . . . . . . . . . . . . . . . . . . . . . . .406
. . . . . . . . . . . . . . . . . .410
ay) . . . . . . . . . . . . . . . . . . . . . . . .412
ay through a NAT Router) . . . . .417
Appendix C System Logs and Error Messages
System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Login/Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422
Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423
Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .423
WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424
Resolved DNS Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
VPN Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Traffic Meter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
LAN to WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
LAN to DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
DMZ to WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
WAN to LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435
9
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
DMZ to LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436
WAN to DMZ Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Other Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Session Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436
Source MAC Filter Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Bandwidth Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
DHCP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437
Appendix D Two-Factor Authentication
Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .439
What Are the Benefits of Two-Factor Authentication?
What Is Two-Factor Authentic
NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . .440
ation? . . . . . . . . . . . . . . . . . . . . . . . . . . 440
. . . . . . . . . . . . . 439
Appendix E Notification of Compliance (Wired)
Index
10
1. Introduction
This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad
WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web
management interface. The chapter contains the following sections:
• What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
• Key Features and Capabilities
• Package Contents
• Hardware Features
• Choose a Location for the VPN Firewall
• Log In to the VPN Firewall
• Web Management Interface Menu Layout
• Requirements for Entering IP Addresses
1
Note: For more information about the topics covered in this manual, visit
the SRX5308 support website at http://support.netgear.com.
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the
VPN firewall, connects your local area network (LAN) to the Internet through up to four
external broadband access devices such as cable or DSL modems or satellite or wireless
Internet dishes. Four wide area network (WAN) ports allow you to increase ef fective data rate
to the Internet by utilizing all WAN ports to carry session traffic or to maintain backup
connections in case of failure of your primary Internet connection.
The VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall protects your
IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traffic, and traffic
with objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site Automatic
Tunnel Addressing Protocol (ISATAP) tunnels.
11
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
The VPN firewall is a security solution that protects your network from attacks and intrusions.
For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of
service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple
web content filtering options, plus browsing activity reporting and instant alerts—both through
email. Network administrators can establish restricted access policies based on time of day,
website addresses, and address keywords.
The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and simple
remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures high data
transfer speeds.
The VPN firewall is a plug-and-play device that can be installed and configured within
minutes.
Key Features and Capabilities
• Quad-WAN Ports for Increased Reliability and Load Balancing
• Advanced VPN Support for Both IPSec and SSL
• A Powerful, True Firewall with Content Filtering
• Security Features
• Autosensing Ethernet Connections with Auto Uplink
• Extensive Protocol Support
• Easy Installation and Management
• Maintenance and Support
The VPN firewall provides the following key features and capabilities:
• Four 1
protection of your Internet connection, providing increased data rate and increased
system reliability.
• Built-in fo
between local network resources and support for up to 200,000 internal or external
connections.
• Both IPv4 and
• Adva
VPN tunnels and up to 50 concurrent SSL VPN tunnels.
• Bundled with
(VPN01L).
0/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover
ur-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer
IPv6 support
nced IPSec VPN and SSL VPN support with support for up to 125 concurrent IPSec
a single-user license of the NETGEAR ProSafe VPN Client software
• L2TP tu
• Adva
• Qu
• Exten
nced stateful packet inspection (SPI) firewall with multi-NAT support.
ality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and
multimedia.
sive protocol support.
nnel and PPTP tunnel support
Introduction
12
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
• One console port for local management.
• SNMP
the NETGEAR ProSafe Network Management Software (NMS200) over a LANJ
connection.
• F
• F
• I
nternal universal switching power supply.
• Rack-mounting kit fo
support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for
ront panel LEDs for easy monitoring of status and activity.
lash memory for firmware upgrade.
r 1U rackmounting.
Quad-WAN Ports for Increased Reliability and Load Balancing
The VPN firewall provides four broadband WAN ports. These WAN ports allow you to
connect additional broadband Internet lines that can be configured to:
• L
oad-balance outbound traffic between up to four lines for maximum bandwidth
efficiency.
• Pro
See Append
factors to consider when implementing the following capabilities with multiple WAN port
gateways:
vide backup and rollover if one line is inoperable, ensuring that you are never
disconnected.
ix B, Network Planning for Multiple WAN Ports (IPv4 Only) for the planning
• Single
• V
or multiple exposed hosts.
irtual private networks (VPNs).
Advanced VPN Support for Both IPSec and SSL
The VPN firewall supports IPSec and SSL virtual private network (VPN) connections:
• I
PSec VPN delivers full network access between a central office and branch offices, or
between a central office and telecommuters. Remote access by telecommuters requires
the installation of VPN client software on the remote computer.
- I
PSec VPN with broad protocol support for secure connection to other IPSec
gateways and clients.
- Up
- Bun
• SSL VPN provide
without requiring a preinstalled VPN client on their computers.
- Uses th
- Up
to 125 simultaneous IPSec VPN connections.
dled with a 30-day trial license for the ProSafe VPN Client software (VPN01L).
s remote access for mobile users to selected corporate resources
e familiar Secure Sockets Layer (SSL) protocol, commonly used for
e-commerce transactions, to provide client-free access with customizable user
portals and support for a wide variety of user repositories.
to 50 simultaneous SSL VPN connections.
Introduction
13
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
- Allows browser-based, platform-independent remote access through a number of
popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple
Safari.
- Provides granular access to
membership.
corporate resources based on user type or group
A Powerful, True Firewall with Content Filtering
Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection
(SPI) to defend against hacker attacks. Its firewall features have the following capabilities:
• DoS protection.
as Ping of Death and SYN flood.
• Secure firewall. Blocks un
• Content fil
can control access to Internet content by screening for web services, web addresses, and
keywords within web addresses.
• Schedul
• Logs security incident
configure the firewall to email the log to you at specified intervals. You can also configure
the VPN firewall to send immediate alert messages to your email address or email pager
when a significant event occurs.
e policies. Permits scheduling of firewall policies by day and time.
Automatically detects and thwarts denial of service (DoS) attacks such
wanted traffic from the Internet to your LAN.
tering. Prevents objectionable content from reaching your computers. You
s. Logs security events such as logins and secure logins. You can
Security Features
The VPN firewall is equipped with several features designed to maintain security:
• Computers h
originating from the local network. Requests originating from outside the LAN are
discarded, preventing users outside the LAN from finding and directly accessing the
computers on the LAN.
• Port forwarding
accessing the computers on the LAN, the VPN firewall allows you to direct incoming
traffic to specific computers based on the service port number of the incoming request.
• DMZ po
unless the traffic is a response to one of your local computers or a service for which you
have configured an inbound rule. Instead of discarding this traffic, you can use the
dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your
network.
idden by NAT. NAT opens a temporary path to the Internet for requests
with NAT. Although NAT prevents Internet locations from directly
rt. Incoming traffic from the Internet is usually discarded by the VPN firewall
Autosensing Ethernet Connections with Auto Uplink
With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the
VPN firewall can connect to a 10-Mbps standard Etherne t network, a 100-Mbps Fast Ethernet
Introduction
14
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN
and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
TM
The VPN firewall incorporates Auto Uplink
senses whether the Ethernet cable plugged into the port should have a normal connection
such as to a computer or an uplink connection such as to a switch or hub. That port then
configures itself correctly. This feature eliminates the need for you to think about crossover
cables, as Auto Uplink accommodates either type of cable to make the right connection.
technology. Each Ethernet port automatically
Extensive Protocol Support
The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and
Routing Information Protocol (RIP). The VPN firewall provides the following protocol support:
P address sharing by NAT. The VPN firewall allows many networked computers to
• I
share an Internet account using only a single IP address, which might be statically or
dynamically assigned by your Internet service provider (ISP). This technique, known as
Network Address Translation (NAT), allows the use of an inexpensive single-user ISP
account.
• Automatic configuration of att
dynamically assigns network configuration information, including IP, gateway, and
Domain Name Server (DNS) addresses, to attached computers on the LAN using the
Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies
configuration of computers on your local network.
• DNS proxy. Whe
firewall provides its own address as a DNS server to the attached compute rs. The firewall
obtains actual DNS addresses from the ISP during connection setup and forwards DNS
requests from the LAN.
• PPP over Ethernet (PPP
Internet over a DSL connection by simulating a dial-up connection.
• Qualit
and traffic classification with Type of Service (ToS) and Differentiated Services Code
Point (DSCP) marking.
y of Service (QoS). The VPN firewall supports QoS, including traffic prioritization
n DHCP is enabled and no DNS addresses are specified, the VPN
oE). PPPoE is a protocol for connecting remote hosts to the
ached computers by DHCP. The VPN firewall
• L
ayer 2 Tunneling Protocol (L2TP). A tunneling protocol that is used to support virtual
private networks (VPNs).
• Poi
nt to Point Tunneling Protocol (PPTP). Another tunneling protocol that is used to
support VPNs.
Easy Installation and Management
You can install, configure, and operate the VPN firewall within minutes after connecting it to
the network. The following features simplify installation and management tasks:
• Browser-base
configure the VPN firewall from almost any type of operating system, such as Windows,
Macintosh, or Linux. Online help documentation is built into the browser-based web
management interface.
d management. Browser-based configuration allows you to easily
Introduction
15
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
• Auto-detection of ISP. The VPN firewall automatically senses the type of Internet
connection, asking you only for the information required for your type of ISP account.
• IPSec VPN W
can easily configure IPSec VPN tunnels according to the recommendations of the Virtu al
Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are
interoperable with other VPNC-compliant VPN routers and clients.
• SNMP. The
let you monitor and manage log resources from an SNMP-compliant system manager.
The SNMP system configuration lets you change the system variables for MIB2.
• Diagnosti
as ping, traceroute, DNS lookup, and remote reboot.
• Remote m
interface from a remote location on the Internet. For security, you can limit remote
management access to a specified remote IP address or range of addresses.
• V
isual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor
its status and activity.
izard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you
VPN firewall supports the Simple Network Management Protocol (SNMP) to
c functions. The VPN firewall incorporates built-in diagnostic functions such
anagement. The VPN firewall allows you to log in to the web management
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall:
• Flash memo
echnical support seven days a week, 24 hours a day. Information about support is
• T
available on the NETGEAR website at
http://support.netgear.com/app/answers/detail/a_id/212.
ry for firmware upgrades.
Package Contents
The VPN firewall product package contains the following items:
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
• On
• On
• On
• ProSafe Giga
• Resou
e AC power cable
e Category 5 (Cat 5) Ethernet cable
e rack-mounting kit
bit Quad WAN SSL VPN Firewall SRX5308 Installation Guide
rce CD, including:
- Application Note
- ProSafe VPN Clie
s and other helpful information
nt software (VPN01L)
If any of the parts are incorrect, missing, o
the carton, including the original packing materials, in case you need to return the product for
repair.
r damaged, contact your NETGEAR dealer. Keep
Introduction
16
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
LEDs
Internet
Hardware Features
• Front Panel
• Rear Panel
• Bottom Panel with Product Label
The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are
d
escribed in the following sections.
Front Panel
Viewed from left to right, the VPN firewall front panel contains the following ports (see the
following figure).
AN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
• L
Gigabit Ethernet ports with RJ-45 connectors
• W
AN Ethernet ports. Four independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors
The front panel also contains three groups of
including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in the
following table.
Figure 1.
status indicator light-emitting diodes (LEDs),
Introduction
17
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Table 1. LED descriptions
LED Activity Description
Power On (green) Power is supplied to the VPN firewall.
Off Power is not supplied to the VPN firewall.
Test On (amber) during
startup.
On (amber) during
any other time
Blinking (amber) The VPN firewall is writing to flash memory (during upgrading or resetting
Off The system has booted successfully.
LAN Ports
Left LED On (green) The LAN port has detected a link with a connected Ethernet device.
Blinking (green) The LAN port receives or transmits data.
Off The LAN port has no link.
Right LED On (green) The LAN port operates at 1000 Mbps.
On (amber) The LAN port operates at 100 Mbps.
Off The LAN port operates at 10 Mbps.
DMZ LED On (green) Port 4 operates as a dedicated hardware DMZ port.
Off Port 4 operates as a normal LAN port.
T e st mode: The VPN firewall is initializing. After approximately 2 minutes,
when the VPN firewall has completed its initialization, the Test LED goes
off.
The initialization has failed, or a hardware failure has occurred.
to defaults).
WAN Ports
Left LED On (green) The WAN port has a valid connection with a device that provides an
Internet connection.
Blinking (green) The WAN port receives or transmits data.
Off The WAN port has no physical link, that is, no Ethernet cable is plugged
into the VPN firewall.
Right LED On (green) The WAN port operates at 1000 Mbps.
On (amber) The WAN port operates at 100 Mbps.
Off The WAN port operates at 10 Mbps.
Internet LED On (green) The WAN port has a valid Internet connection.
Off The WAN port is either not enabled or has no link to the Internet.
Introduction
18
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Security lock
receptacle
Console port
Factory Defaults
AC power
receptacle
Power
switch
Reset button
Rear Panel
The rear panel of the VPN firewall includes a console port, a Factory Default s Reset button, a
cable lock receptacle, an AC power connection, and a power switch.
Figure 2.
Viewed from left to right, the rear panel contains the following components:
1. Cab
2. Console
3. Factory
4. AC po
5. A power on/of
le security lock receptacle.
port. Port for connecting to an optional console terminal. The port has a DB9 male
connector. The default baud rate is 115200 K. The pinouts are (2) Tx, (3) Rx, (5) and (7)
Gnd. For information about accessing the command-line interface (CLI) using the console
port, see Use the Command-Line Interface on p
Defaults Reset button. Using a sharp object, press and hold this button for about
8 seconds until the front panel Test LED flashes to reset the VPN fi re w al l to factory defa ult
ttings. All configuration settings are lost, and the default password is restored.
se
wer receptacle. Universal AC input (100–240 VAC, 50–60 Hz).
f switch.
age 334.
Bottom Panel with Product Label
The product label on the bottom of the VPN firewall’s enclosure displays factory default
settings, regulatory compliance, and other information.
Figure 3.
Introduction
19
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Choose a Location for the VPN Firewall
The VPN firewall is suitable for use in an office environment where it can be freestanding (on
its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can
rack-mount the VPN firewall in a wiring closet or equipment room.
Consider the following when deciding where to position the VPN firewall:
• The u
• Cabling is away from sources of electrical noise. Th
• W
• Airflow
• The a
• T
nit is accessible, and cables can be connected easily.
ese include lift shafts, microwave
ovens, and air-conditioning units.
ater or moisture cannot enter the case of the unit.
around the unit and through the vents in the side of the case is not restricted.
Provide a minimum of 25 mm or 1-inch clearance.
ir is as free of dust as possible.
emperature operating limits are not likely to be exceeded. Install the unit in a clean,
air-conditioned environment. For information about the recommended operating
temperatures for the VPN firewall, see Appendix A, Default Settings and Technical
Specifications.
Use the Rack-Mounting Kit
Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the
mounting brackets using the hardware that is supplied with the mounting kit.
Figure 4.
Before mounting the VPN firewall in a rack, verify that:
ou have the correct screws (supplied with the installation kit).
• Y
• The ra
ck onto which you plan to mount the VPN firewall is suitably located.
Introduction
20
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Log In to the VPN Firewall
Note: To connect the VPN firewall physically to your network, connect the
cables and restart your network according to the instructions in the
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation
Guide. A PDF of this guide is on the NETGEAR support website at
http://kb.netgear.com/app/products/model/a_id/13568.
To configure the VPN firewall, you need to use a web browser such as Microsoft Internet
Explor
cookies, and SSL enabled. (Google Chrome is not supported at this time.)
Although these web browsers are qualified for use with the VPN firewall’s web management
interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies,
SSL, and ActiveX to take advantage o f the full suite of applications. Note that Java is required
only for the SSL VPN portal, not for the web management interface.
er 7.0 or later, Mozilla Firefox 4.0 or later, or Apple Safari 3.0 or later with JavaScript,
To log in to the VPN firewall:
1. S
tart any of the qualified web browsers.
2. In the
address field, enter https://192.168.1.1. The NETGEAR Configuration Manager Login
screen displays in the browser.
Note: The VPN firewall factory default IP address is 192.168.1.1. If you
change the IP address, you need to use the IP address that you
assigned to the VPN firewall to log in to the VPN firewall.
Figure 5.
Introduction
21
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Note: The first time that you remotely connect to the VPN firewall with a
browser through an SSL connection, you might get a warning
message regarding the SSL certificate. Follow the directions of your
browser to accept the SSL certificate.
3. In the User Name field, type admin. Use lowercase letters.
4. In
the Password / Passcode field, type password. Here, too, use lowercase letters.
Note: The VPN firewall user name and password are not the same as any
user name or password you might use to log in to your Internet
connection.
Note: Leave the domain as it is (geardomain).
5. Click Login. The web management interface displays, showing the Router Status screen.
The following figure shows the top part of the Router Status screen. For more information,
see View the System Status o
n page 361.
Note: After 5 minutes of inactivity (the default login time-out), you are
automatically logged out.
Figure 6.
Introduction
22
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
1st level: Main navigation menu link (orange)
2nd level: Configuration menu link (gray)
3rd level: Submenu tab (blue)
Option arrows: Additional screen for submenu item
IP radio buttons
Web Management Interface Menu Layout
The following figure shows the menu at the top the web management interface:
Figure 7.
The web management interface menu consists of the following components:
st level: Main navigation menu links. The main navigation menu in the orange bar
• 1
across the top of the web management interface provides access to all the configuration
functions of the VPN firewall, and remains constant. When you select a main navigation
menu link, the letters are displayed in white against an orange background.
nd level: Configuration menu links. The configuration menu links in the gray bar
• 2
(immediately below the main navigation menu bar) change according to the main
navigation menu link that you select. When you select a configuration menu link, the
letters are displayed in white against a gray background.
• 3
rd level: Submenu tabs. Each configuration menu item has one or more submenu tabs
that are listed below the gray menu bar. When you select a submenu tab, the text is
displayed in white against a blue background.
• Option arrows. If there
are additional screens for the submenu item, links to the screens
display on the right side in blue letters against a white background, preceded by a white
arrow in a blue circle.
• I
P radio buttons. The IPv4 and IPv6 radio buttons let you select the IP version for the
feature to be configured onscreen. There are four options:
- Both
buttons are operational. You can configure the feature onscreen
for IPv4 functionality or for IPv6 functionality
. After you have correctly configured the
feature for both IP versions, the feature can function with both IP versions
simultaneously.
- T
he IPv4 button is operational but the IPv6 button is disabled. You
can configure the feature onscreen for IPv4 functionality only.
Introduction
23
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
- The IPv6 button is operational but the IPv4 button is disabled. You
can configure the feature onscreen for IPv6 functionality only.
- Both buttons
are disabled. IP functionality does not apply.
The bottom of each screen provides action buttons. The nature of the screen determines
which action b
Figure 8.
uttons are shown. The following figure shows an example:
Any of the following action buttons might display onscreen (this list might not be complete):
• Apply. Save
• Reset. Reset the
st. Test the configuration.
• Te
• Auto Detect.
and apply the configuration.
configuration to the previously saved configuration.
Enable the VPN firewall to detect the configuration automatically and
suggest values for the configuration.
• Cancel.
When a screen includes a table, table buttons display to
Cancel the operation.
let you configure the table entries.
The nature of the screen determines which table buttons are shown. The following figure
shows an example:
Figure 9.
Any of the following table buttons might display onscreen:
• Select All.
• Delete. Delete th
• Enable.
• Disable.
Select all entries in the table.
e selected entry or entries from the table.
Enable the selected entry or entries in the table.
Disable the selected entry or entries in the table.
• Add. Add a
• Edit. Edit the selected e
• Up. Mo
• Down.
• Apply. Apply the
n entry to the table.
ntry.
ve the selected entry up in the table.
Move the selected entry down in the table.
selected entry.
Almost all screens and sections of screens have an a
help screen, click the (question mark) icon.
Introduction
24
ccompanying help screen. To open the
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Requirements for Entering IP Addresses
To connect to the VPN firewall, your computer needs to be configured to obtain an IP address
automatically from the VPN firewall, either an IPv4 address through DHCP or an IPv6
address through DHCPv6, or both.
IPv4
The fourth octet of an IP address needs to be between 0 and 255 (both inclusive). This
requirement applies to any IP address that you enter on a screen of the web management
interface.
IPv6
IPv6 addresses are denoted by eight groups of hexadecimal quartets that are separated by
colons. Any four-digit group of zeroes within an IPv6 address can b e reduced to a single zero
or altogether omitted.
The following errors invalidate an IPv6 address:
• More t
• More t
• More t
han eight groups of hexadecimal quartets
han four hexadecimal characters in a quartet
han two colons in a row
Introduction
25
2. IPv4 and IPv6 Internet and WAN Settings
This chapter explains how to configure the IPv4 and IPv6 Internet and WAN settings. The
chapter contains the following sections:
• Internet and WAN Configuration Tasks
• Configure the IPv4 Internet Connection and WAN Settings
• Configure the IPv6 Internet Connection and WAN Settings
• Configure Advanced WAN Options and Other Tasks
• Configure WAN QoS Profiles
• Additional WAN-Related Configuration Tasks
• What to Do Next
Internet and WAN Configuration Tasks
2
• Tasks to Set Up IPv4 Internet Connections to Your ISPs
• Tasks to Set Up an IPv6 Internet Connection to Your ISPs
Typically, the VPN firewall is installed as a network gateway to function as a combined LAN
switch and firewall to protect the network from incoming threats and provide secure
connections. To complement the firewall protection, NETGEAR advises that you use a
gateway security appliance such as a NETGEAR ProSecure STM appliance.
The tasks that are required to complete the Internet connection of your VPN firewall depend
on whether you use an IPv4 connection, an IPv6 connection, or both to your Internet service
provider (ISP).
Note: The VPN firewall supports simultaneous IPv4 and IPv6 connections.
26
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Tasks to Set Up IPv4 Internet Connections to Your ISPs
Complete these tasks:
1. Confi
2. Con
3. (Optio
4. (Optio
5. (Optio
6. (Optio
gure the IPv4 routing mode. Select either NAT or classical routing: see
Configure the IPv4 WAN Mode on
figure the IPv4 Internet connections to your ISPs. Connect to one or more ISPs by
configuring up to four WAN interfaces: See one of the following sections:
• Let the VPN Firewall Automatically Detect and Configure a
on page 30
• Manually Configure an IPv4 Internet Connection o
As an option, you can program the WAN traffic meter: See Configure and Enable the
WAN Traffic Meter on p
nal) Configure either load balancing or auto-rollover. Select load balancing or
auto-rollover and a failure detection method: See Configure Load Balancing or
Auto-Rollover on p
(single) WAN mode. If you configure load balancing, yo
nal) Configure secondary WAN addresses on the WAN interfaces. Configure
aliases for each WAN interface: See Configure Secondary WAN Addresses o
nal) Configure Dynamic DNS on the WAN interfaces. If required, configure your
fully qualified domain names: See Configure Dynamic DNS on p
nal) Configure the WAN options. If required, change the factory default MTU size,
port speed, and MAC address of the VPN firewall: See Configure Advanced WAN Options
and Other Tasks on p
change the settings.
age 347.
age 39. By default, the WAN interfaces are configured for primary
age 67. These are advanced features, and you usually do not need to
page 28.
n IPv4 Internet Connection
n page 33
u can also configure protocol binding.
n page 46.
age 48.
Tasks to Set Up an IPv6 Internet Connection to Your ISPs
Note: You can configure one WAN interface only for IPv6. This restriction
might be lifted in a later release.
Complete these tasks:
1. Confi
2. Con
gure the IPv6 routing mode. Configure the VPN firewall to support both devices
with IPv4 addresses and devices with IPv6 addresses: See Configure the IPv6 Routing
Mode on
a WAN interface: See one of the following sections:
• Use a DHCPv6 Server to Configure an IPv6 Internet Connection on p
• Configure a Static IPv6 Internet Connection o
• Configure a PPPoE IPv6 Internet Connection on p
page 52.
figure the IPv6 Internet connections to your ISPs. Connect to an ISP by configuring
n page 57
age 60
IPv4 and IPv6 Internet and WAN Settings
age 54
27
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
3. Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISATAP tunnels: See
Configure 6to4 Automatic Tunneling on
Tunneling on p
4. (Op
5. (
tional) Configure Stateless IP/ICMP Translation (SIIT). Enable IPv6 d ev ice s th at do
not have permanently assigned IPv4 addresses to communicate with IPv4-only devices:
See Configure Stateless IP/ICMP Translation on p
Optional) Configure the WAN options. If required, change the factory default MTU size,
port speed, and MAC address of the VPN firewall: See Configure Advanced WAN Options
and Other Tasks on p
change the settings.
age 64.
age 67. These are advanced features, and you usually do not need to
page 63 and Configure ISATAP Automatic
age 66.
Configure the IPv4 Internet Connection and WAN Settings
• Configure the IPv4 WAN Mode
• Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection
• Manually Configure an IPv4 Internet Connection
• Configure Load Balancing or Auto-Rollover
• Configure Secondary WAN Addresses
• Configure Dynamic DNS
To set up your VPN firewall for secure IPv4 Internet connections, you need to determine the
IPv4
WAN mode (see the next section) and then configure the IPv4 Internet connection to
your ISP on the WAN port. The web management interface offers two connection
configuration options, discussed in the following sections:
• Let the VPN Firewall Automatically Detect and
page 30
• Manually Configure an IPv4 Internet Connection on p
Configure an IPv4 Internet Connection on
age 33
Configure the IPv4 WAN Mode
By default, IPv4 is supported and functions in NAT mode but can also function in classical
routing mode. IPv4 functions the same way in IPv4-only mode that it does in IPv4 / IPv6
mode. The latter mode adds IPv6 functionality (see Configure the IPv6 Routing Mode on
page 52).
Network Address Translation
Network Address Translation (NAT) allows all computers on your LAN to share a single public
Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a
single IP address. Computers on your LAN can use any private IP address range, and these
IP addresses are not visible from the Internet.
IPv4 and IPv6 Internet and WAN Settings
28
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Note the following about NAT:
• The VPN firewall uses NAT to select the correct computer (on your LAN) to receive any
incoming data.
• I
f you have only a single public Internet IP address, you need to use NAT (the default
setting).
• I
f your ISP has provided you with multiple public IP addresses, you can use one address
as the primary shared address for Internet access by your computers, and you can map
incoming traffic on the other public IP addresses to specific computers on your LAN. This
one-to-one inbound mapping is configured using an inbound firewall rule.
Classical Routing
In classical routing mode, the VPN firewall performs routing, but without NAT. T o gain Internet
access, each computer on your LAN needs to have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to yo u, and you have assigned one
of these addresses to each computer, you can choose classical routing. Or you can use
classical routing for routing private IP addresses within a campus environment.
To view the status of the WAN ports, you can view the Router Status screen (see View the
System Status on page 361).
Configure the IPv4 Routing Mode
To configure the IPv4 routing mode:
1. Select Network Configu
displays:
ration > WAN Settings > WAN Mode. The WAN Mode screen
Figure 10.
IPv4 and IPv6 Internet and WAN Settings
29
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
WARNING:
2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button
or the Classical Routing radio button.
Changing the WAN mode causes all LAN WAN and DMZ WAN
inbound rules to revert to default settings.
3. Click Apply to save your settings. These settings apply to all WAN ports.
Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection
To automatically configure a WAN port for an IPv4 connection to the Internet:
1. Select Network
screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the
IPv4 settings:
Figure 11.
The IPv4 WAN Settings table displays the following fields:
• WA
• St
• W
• Fa
N. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
atus. The status of the WAN interface (UP or DOWN).
AN IP. The IPv4 address of the WAN interface.
ilure Detection Method. The failure detection method that is active for the WAN
interface. The following methods can be displayed:
- None
Configuration > WAN Settings > WAN Setup. In the upper right of the
- DNS Lookup (W
- DNS Lookup (th
- PING (the configured I
AN DNS Servers)
e configured IP address is displayed)
IPv4 and IPv6 Internet and WAN Settings
P address is displayed)
30
Loading...