How it Works
NETGEAR
Loading...
STM150EW-100NAS
User Manual
704 pgs34.1 Mb0
Table of contents
Loading...

NETGEAR UTM5EW-100NAS, STM150EW-100NAS User Manual

ProSecure Unified Threat Management (UTM) Appliance

Reference Manual
350 East Plumeria Drive San Jose, CA 95134 USA
October 2012 202-10780-03 v1.0
ProSecure Unified Threat Management (UTM) Appliance
Support
Thank you for choosing NETGEAR. After installing your device, locate the serial number on the label of your product and use it to register your product
at https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR recommends registering your product through the UTM’s Registration screen (see Register the UTM
with NETGEAR on page 65). You can also register your product through the NETGEAR website. For product
updates and web support, visit http://support.netgear.com. Phone (US & Canada only): 1-888-NETGEAR. Phone (Other Countries): Check the list of phone numbers at
http://support.netgear.com/general/contact/default.aspx.
NETGEAR recommends that you use only the official NETGEAR support resources.
Trademarks
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. Other brand and product names are registered trademarks or trademarks of their respective holders. © NETGEAR, Inc. All rights reserved.
ProSecure Product Updates
Product updates are available on the NETGEAR website at http://prosecure.netgear.com or
http://support.netgear.com.
ProSecure Forum
Visit http://prosecure.netgear.com/community/forum.php for information about the ProSecure forum and to become part of the ProSecure community.
Revision History
Publication Part Number
202-10780-03 1.0 October 2012 Added the UTM25S, which supports the same features as
Version Publish Date Comments
the UTM9S.
Stated support for the NETGEAR Network Management System NMS200.
Updated the figures and menu paths in Chapter 6, Content
Filtering and Optimizing Scans, because the Application
Security configuration menu of the web management interface was revised and several minor features were added.
Added Configure HTTPS Smart Block.
•Revised Use a Simple Network Management Protocol
Manager because new SNMP features, including support
for SNMPv3, were added.
•Revised Chapter 11, Monitor System Access and
Performance because several minor features were added.
Updated Appendix B, Wireless Network Module for the
UTM9S and UTM25S, because the wireless network
module now supports four wireless security profiles and the Wireless Settings configuration menu of the web management interface was revised.
2
ProSecure Unified Threat Management (UTM) Appliance
202-10780-03 (continued)
202-10780-02 2.0 May 2012 Updated the main navigatio n menus and configuration
202-10780-02 1.0 April 2012 Added new features for all UTM models:
1.0 (continued)
October 2012 (continued)
(continued)
Added Appendix C, 3G/4G Dongles for the UTM9S and
UTM25S.
Added many more default values to Appendix H, Default
Settings and Technical Specifications.
menus for many figures in the manual to show consistency in the presentation of the web management interface (GUI).
Updated the outbound rules overview (see Table 27) and inbound rules overview (Table 28).
Updated Features That Reduce Traffic and Features That
Increase Traffic.
- Application control (see Configure Application Control)
- Traffic metering for LAN usage (see Create Traffic
Meter Profiles)
- The use of custom user groups in firewall rules (see
Overview of Rules to Block or Allow Specific Kinds of Traffic and VLAN Rules)
Application control and traffic metering also affect the way that firewall rules are implemented (see Overview of Rules
to Block or Allow Specific Kinds of Traffic)
Added support of the following features for all UTM models (these features were previously supported on the UTM9S only):
- ReadyNAS integration, quarantine options, and
quarantine logs (see Connect to a ReadyNAS and
Configure Quarantine Settings, Query and Manage the Quarantine Logs, and Appendix E, ReadyNAS Integration)
- PPTP server (see Configure the PPTP Server)
- L2TP server (see Configure the L2TP Server)
Revised the following existing features:
- Firewall scheduling (see Set a Schedule to Block or
Allow Specific Traffic and Overview of Rules to Block or Allow Specific Kinds of Traffic)
- IPS (see Enable and Configure the Intrusion
Prevention System)
- System status, dashboard, and report functions (see
Chapter 11, Monitor System Access and Performance)
- Diagnostics (see Use Diagnostics Utilities)
Reorganized the web managem en t in terface (GUI) menus (for example, the Email Notification configuration menu link has been moved to the Monitoring main menu; the Custom Groups configuration menu link has been moved to the Users main menu)
3
ProSecure Unified Threat Management (UTM) Appliance
202-10780-01 1.0 September 2011 • Added the UTM9S with the foll owing major new features:
- xDSL module (see Chapter 1, Introduction and Chapter
3, Manually Configure Internet and WAN Settings)
- Wireless module (see Chapter 1, Introduction and
Appendix B, Wireless Network Module for the UTM9S and UTM25S)
- ReadyNAS integration, quarantine options, and
quarantine logs (see Connect to a ReadyNAS and
Configure Quarantine Settings, Query and Manage the Quarantine Logs, and Appendix E, ReadyNAS Integration)
- PPTP server (see Configure the PPTP Server)
- L2TP server (see Configure the L2TP Server)
Updated the VPN client sections with the new VPN client (see Chapter 7, Virtual Private Networking
Using IPSec, PPTP, or L2TP Connections)
202-10674-02 1.0 March 2011 Added the UTM150.
Removed the platform-specific chapters and sections because the UTM5, UTM10, and UTM25 now support the same web management interface menu layout that was already supported on the UTM50. The major cha nges for the UTM5, UTM10, and UTM25 are documented in
Chapter 3, Manually Configure Internet and WAN Settings,
and in the following sections:
- Set Exception Rules for Web and Application Access
- Configure Authentication Domains, Groups, and Users
Added new features (for all UTM models). The major new features are documented in the following sections:
- Electronic Licensing
- VLAN Rules
- Create Service Groups
- Create IP Groups
- Manage SSL Certificates for HTTPS Scanning
- Update the Firmware
- View, Schedule, and Generate Reports
202-10674-01 1.0 September 2010 • Added the UTM50 and UTM5 0-specific chapters and
sections.
Revised the DMZ WAN and LAN DMZ default policies.
202-10482-03 1.0 May 2010 Applied numerous nontechnical edits.
Added the Requirements for Entering IP Addresses section.
Added a note about the processing of normal email traffic in the Configure Distributed Spam Analysis section.
Updated the NTP section.
202-10482-02 1.0 January 2010 Updated the web management interface screens, made the
manual platform-independent, added a model comparison table, and removed performance specifications (see marketing documentation for such specifications).
202-10482-01 1.0 September 2009 Initial publication of this reference manual.
4

Contents

Chapter 1 Introduction
What Is the ProSecure Unified Threat Management (UTM) Appliance? . .15
Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Multiple WAN Port Models for Increased Reliability or
Outbound Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Wireless Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
DSL Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . .18
A Powerful, True Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Stream Scanning for Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . .19
Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Autosensing Ethernet Connections with Auto Uplink . . . . . . . . . . . . . . .20
Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Easy Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Model Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Service Registration Card with License Keys. . . . . . . . . . . . . . . . . . . . . . .23
Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Front Panel UTM5 and UTM10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Front Panel UTM25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Front Panel UTM50 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
Front Panel UTM150 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Front Panel UTM9S and UTM25S and Network Modules . . . . . . . . . . .28
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 . . . .30
LED Descriptions, UTM9S, UTM25S, and their Network Modules. . . . .32
Rear Panel UTM5, UTM10, and UTM25 . . . . . . . . . . . . . . . . . . . . . . . .33
Rear Panel UTM50 and UTM150. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Rear Panel UTM9S and UTM25S . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Bottom Panels with Product Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Choose a Location for the UTM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Use the Rack-Mounting Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Chapter 2 Use the Setup Wizard to Provision the UTM in Your
Network
Steps for Initial Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Qualified Web Browsers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Requirements for Entering IP Addresses . . . . . . . . . . . . . . . . . . . . . . . .42
Log In to the UTM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
5
ProSecure Unified Threat Management (UTM) Appliance
Web Management Interface Menu Layout. . . . . . . . . . . . . . . . . . . . . . . . . 44
Use the Setup Wizard to Perform the Initial Configuration. . . . . . . . . . . . . 47
Setup Wizard Step 1 of 10: LAN Settings. . . . . . . . . . . . . . . . . . . . . . . .48
Setup Wizard Step 2 of 10: WAN Settings . . . . . . . . . . . . . . . . . . . . . . . 51
Setup Wizard Step 3 of 10: System Date and Time. . . . . . . . . . . . . . . .54
Setup Wizard Step 4 of 10: Services . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Setup Wizard Step 5 of 10: Email Security. . . . . . . . . . . . . . . . . . . . . . .57
Setup Wizard Step 6 of 10: Web Security . . . . . . . . . . . . . . . . . . . . . . . 58
Setup Wizard Step 7 of 10: Web Categories to Be Blocked. . . . . . . . . .60
Setup Wizard Step 8 of 10: Email Notification . . . . . . . . . . . . . . . . . . . .62
Setup Wizard Step 9 of 10: Signatures & Engine. . . . . . . . . . . . . . . . . .63
Setup Wizard Step 10 of 10: Saving the Configuration . . . . . . . . . . . . .64
Register the UTM with NETGEAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Use the Web Management Interface to Activate Licenses. . . . . . . . . . .65
Electronic Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Automatic Retrieval of Licenses after a Factory Default Reset . . . . . . .67
Verify Correct Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Test Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Test HTTP Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Chapter 3 Manually Configure Internet and WAN Settings
Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Automatically Detecting and Connecting the Internet Connections . . . . . . 71
Manually Configure the Internet Connection . . . . . . . . . . . . . . . . . . . . . . .75
Configure the WAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Overview of the WAN Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Configure Network Address Translation (All Models). . . . . . . . . . . . . . .81
Configure Classical Routing (All Models). . . . . . . . . . . . . . . . . . . . . . . .82
Configure Auto-Rollover Mode and the Failure Detection
Method (Multiple WAN Port Models) . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Configure Load Balancing and Optional Protocol Binding
(Multiple WAN Port Models). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Set the UTM’s MAC Address and Configure Advanced WAN Options . . .94
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . 97
Chapter 4 LAN Configuration
Manage Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . .98
Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Assign and Manage VLAN Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . .100
VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Configure VLAN MAC Addresses and Advanced LAN Settings. . . . . .108
Configure Multihome LAN IP Addresses on the Default VLAN . . . . . . . .109
Manage Groups and Hosts (LAN Groups) . . . . . . . . . . . . . . . . . . . . . . . . 111
6
ProSecure Unified Threat Management (UTM) Appliance
Manage the Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Change Group Names in the Network Database . . . . . . . . . . . . . . . . .115
Set Up Address Reservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .116
Configure and Enable the DMZ Port . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Manage Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Configure Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Configure Routing Information Protocol . . . . . . . . . . . . . . . . . . . . . . . .123
Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Chapter 5 Firewall Protection
About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127
Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .128
Overview of Rules to Block or Allow Specific Kinds of Traffic . . . . . . . . .128
Outbound Rules (Service Blocking) . . . . . . . . . . . . . . . . . . . . . . . . . . .129
Inbound Rules (Port Forwarding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138
Configure LAN WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Create LAN WAN Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .140
Create LAN WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .141
Configure DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142
Create DMZ WAN Outbound Service Rules. . . . . . . . . . . . . . . . . . . . .144
Create DMZ WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .144
Configure LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145
Create LAN DMZ Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .147
Create LAN DMZ Inbound Service Rules. . . . . . . . . . . . . . . . . . . . . . .147
Examples of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Inbound Rule Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .148
Outbound Rule Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Configure Other Firewall Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
VLAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Attack Checks, VPN Pass-through, and Multicast Pass-through . . . . .157
Set Session Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .160
Manage the Application Level Gateway for SIP Sessions and
VPN Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Create Services, QoS Profiles, Bandwidth Profiles, and
Traffic Meter Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Add Customized Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Create Service Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .167
Create Quality of Service Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .169
Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .171
Create Traffic Meter Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Set a Schedule to Block or Allow Specific Traffic. . . . . . . . . . . . . . . . . . .177
Enable Source MAC Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Enable and Configure the Intrusion Prevention System. . . . . . . . . . . . . .187
7
ProSecure Unified Threat Management (UTM) Appliance
Chapter 6 Content Filtering and Optimizing Scans
About Content Filtering and Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Default Email and Web Scan Settings . . . . . . . . . . . . . . . . . . . . . . . . .193
Configure Email Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Customize Email Protocol Scan Settings . . . . . . . . . . . . . . . . . . . . . . .194
Customize Email Antivirus and Notification Settings . . . . . . . . . . . . . . 196
Email Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Protect Against Email Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202
Configure Web and Services Protection . . . . . . . . . . . . . . . . . . . . . . . . .210
Customize Web Protocol Scan Settings. . . . . . . . . . . . . . . . . . . . . . . .210
Configure HTTPS Smart Block. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
Configure Web Malware or Antivirus Scans. . . . . . . . . . . . . . . . . . . . .216
Configure Web Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configure Web URL Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .224
Configure HTTPS Scanning and SSL Certificates . . . . . . . . . . . . . . . . . . 228
How HTTPS Scanning Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Configure the HTTPS Scan Settings . . . . . . . . . . . . . . . . . . . . . . . . . .230
Manage SSL Certificates for HTTPS Scanning . . . . . . . . . . . . . . . . . . 231
Specify Trusted Hosts for HTTPS Scanning . . . . . . . . . . . . . . . . . . . .235
Configure the SSL Settings for HTTPS Scanning . . . . . . . . . . . . . . . .237
Configure FTP Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Customize FTP Antivirus Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .238
Configure FTP Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239
Configure Application Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Set Exception Rules for Web and Application Access . . . . . . . . . . . . . . . 248
Create Custom Categories for Exceptions for Web and
Application Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Set Scanning Exclusions for IP Addresses and Ports . . . . . . . . . . . . . . .262
Chapter 7 Virtual Private Networking
Using IPSec, PPTP, or L2TP Connections
Considerations for Dual WAN Port Systems
(Multiple WAN Port Models Only). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264
Use the IPSec VPN Wizard for Client and Gateway Configurations . . . .266
Create Gateway-to-Gateway VPN Tunnels with the Wizard . . . . . . . . 266
Create a Client-to-Gateway VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . . 271
Test the Connection and View Connection and Status Information. . . . . 287
Test the NETGEAR VPN Client Connection . . . . . . . . . . . . . . . . . . . .287
NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . .289
View the UTM IPSec VPN Connection Status . . . . . . . . . . . . . . . . . . .289
View the UTM IPSec VPN Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Manage IPSec VPN and IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Manage IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Manage VPN Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .308
Configure XAUTH for VPN Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . .309
User Database Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
8
ProSecure Unified Threat Management (UTM) Appliance
RADIUS Client and Server Configuration. . . . . . . . . . . . . . . . . . . . . . .310
Assign IP Addresses to Remote Users (Mode Config). . . . . . . . . . . . . . .312
Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312
Configure Mode Config Operation on the UTM . . . . . . . . . . . . . . . . . .312
Configure the ProSafe VPN Client for Mode Config Operation . . . . . .319
Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .326
Modify or Delete a Mode Config Record. . . . . . . . . . . . . . . . . . . . . . . .327
Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .328
Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .330
Configure the PPTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
View the Active PPTP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .333
Configure the L2TP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
View the Active L2TP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
For More IPSec VPN Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336
Chapter 8 Virtual Private Networking
Using SSL Connections
SSL VPN Portal Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .337
Build a Portal Using the SSL VPN Wizard . . . . . . . . . . . . . . . . . . . . . . . .338
SSL VPN Wizard Step 1 of 6 (Portal Settings). . . . . . . . . . . . . . . . . . .339
SSL VPN Wizard Step 2 of 6 (Domain Settings) . . . . . . . . . . . . . . . . .342
SSL VPN Wizard Step 3 of 6 (User Settings). . . . . . . . . . . . . . . . . . . .347
SSL VPN Wizard Step 4 of 6 (Client IP Addresses and Routes) . . . . .348
SSL VPN Wizard Step 5 of 6 (Port Forwarding). . . . . . . . . . . . . . . . . .350
SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings). . . . . . .351
Access the New SSL VPN Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
View the UTM SSL VPN Connection Status. . . . . . . . . . . . . . . . . . . . .356
View the UTM SSL VPN Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .357
Manually Configure and Modify SSL Portals . . . . . . . . . . . . . . . . . . . . . .357
Manually Create or Modify the Portal Layout . . . . . . . . . . . . . . . . . . . .359
Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . .362
Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . .363
Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Use Network Resource Objects to Simplify Policies. . . . . . . . . . . . . . .369
Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . .371
For More SSL VPN Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .377
Chapter 9 Manage Users, Authentication, and VPN Certificates
Authentication Process and Options . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Configure Authentication Domains, Groups, and Users. . . . . . . . . . . . . .380
Login Portals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380
Active Directories and LDAP Configurations . . . . . . . . . . . . . . . . . . . .384
Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388
Configure Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394
Configure Custom Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
9
ProSecure Unified Threat Management (UTM) Appliance
Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Set User Login Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . . 408
DC Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409
Configure RADIUS VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
Configure Global User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
View and Log Out Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .417
Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . .419
VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .420
Manage CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421
Manage Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Manage the Certificate Revocation List . . . . . . . . . . . . . . . . . . . . . . . .426
Chapter 10 Network and System Management
Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428
Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
Use QoS and Bandwidth Assignments to Shift the Traffic Mix . . . . . . . 435
Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .436
System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Change Passwords and Administrator and Guest Settings . . . . . . . . . 436
Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .438
Use a Simple Network Management Protocol Manager. . . . . . . . . . . .440
Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445
Update the Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .448
Update the Scan Signatures and Scan Engine Firmware . . . . . . . . . .454
Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . .456
Connect to a ReadyNAS and Configure Quarantine Settings . . . . . . . . .458
Log Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Connect to a ReadyNAS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459
Configure the Quarantine Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Chapter 11 Monitor System Access and Performance
Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . .466
Configure the Email Notification Server . . . . . . . . . . . . . . . . . . . . . . . .466
Configure and Activate System, Email, and Syslog Logs. . . . . . . . . . .467
How to Send Syslogs over a VPN Tunnel between Sites . . . . . . . . . . 471
Configure and Activate Update Failure and Attack Alerts . . . . . . . . . .473
Configure and Activate Firewall Logs. . . . . . . . . . . . . . . . . . . . . . . . . .476
Monitor Real-Time Traffic, Security, and Statistics . . . . . . . . . . . . . . . . . 477
Monitor Application Use in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . .483
View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .486
View the Active VPN Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
View the VPN Tunnel Connection Status. . . . . . . . . . . . . . . . . . . . . . .500
10
ProSecure Unified Threat Management (UTM) Appliance
View the Active PPTP and L2TP Users . . . . . . . . . . . . . . . . . . . . . . . .501
View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502
View the WAN, xDSL, or USB Port Status . . . . . . . . . . . . . . . . . . . . . .504
View Attached Devices and the DHCP Leases . . . . . . . . . . . . . . . . . .505
Query and Manage the Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507
Overview of the Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .508
Query and Download Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509
Example: Use the Logs to Identify Infected Clients . . . . . . . . . . . . . . .513
Log Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .514
Query and Manage the Quarantine Logs . . . . . . . . . . . . . . . . . . . . . . . . .514
Query the Quarantined Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .515
View and Manage the Quarantined Spam Table . . . . . . . . . . . . . . . . .517
View and Manage the Quarantined Infected Files Table . . . . . . . . . . .518
Spam Reports for End Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519
View, Schedule, and Generate Reports. . . . . . . . . . . . . . . . . . . . . . . . . .520
Enable Application Session Monitoring . . . . . . . . . . . . . . . . . . . . . . . .521
Report Filtering Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .522
Use Report Templates and View Reports Onscreen . . . . . . . . . . . . . .524
Schedule, Email, and Manage Reports . . . . . . . . . . . . . . . . . . . . . . . .529
Use Diagnostics Utilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531
Use the Network Diagnostic Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . .532
Use the Real-Time Traffic Diagnostics Tool. . . . . . . . . . . . . . . . . . . . .533
Gather Important Log Information and Generate a
Network Statistics Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Perform Maintenance on the USB Device, Reboot the UTM,
or Shut Down the UTM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
Chapter 12 Troubleshoot and Use Online Support
Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
Verify the Correct Sequence of Events at Startup . . . . . . . . . . . . . . . .539
Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .539
LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .540
Troubleshoot the Web Management Interface . . . . . . . . . . . . . . . . . . . . .540
When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . .541
Troubleshoot the ISP Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .541
Troubleshoot a TCP/IP Network Using a Ping Utility . . . . . . . . . . . . . . . .543
Test the LAN Path to Your UTM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .543
Test the Path from Your Computer to a Remote Device . . . . . . . . . . .544
Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .545
Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
Use Online Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
Enable Remote Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .546
Send Suspicious Files to NETGEAR for Analysis . . . . . . . . . . . . . . . .547
Access the Knowledge Base and Documentation . . . . . . . . . . . . . . . .548
11
ProSecure Unified Threat Management (UTM) Appliance
Appendix A xDSL Network Module for the UTM9S and UTM25S
xDSL Network Module Configuration Tasks. . . . . . . . . . . . . . . . . . . . . . . 550
Configure the xDSL Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .550
Automatically Detecting and Connecting the xDSL Internet Connection.553
Manually Configure the xDSL Internet Connection . . . . . . . . . . . . . . . . .556
Configure the WAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
Overview of the WAN Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561
Configure Network Address Translation. . . . . . . . . . . . . . . . . . . . . . . . 562
Configure Classical Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
Configure Auto-Rollover Mode and the Failure Detection Method. . . .563
Configure Load Balancing and Optional Protocol Binding . . . . . . . . . .566
Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 570
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .572
Set the UTM’s MAC Address and Configure Advanced WAN Options . .574
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . 577
Appendix B Wireless Network Module for the UTM9S and UTM25S
Overview of the Wireless Network Module. . . . . . . . . . . . . . . . . . . . . . . . 579
Configuration Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .579
Wireless Equipment Placement and Range Guidelines. . . . . . . . . . . .579
Configure the Basic Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
Operating Frequency (Channel) Guidelines. . . . . . . . . . . . . . . . . . . . . 583
Wireless Data Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Wireless Security Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
Before You Change the SSID, WEP, and WPA Settings . . . . . . . . . . .587
Configure and Enable Wireless Profiles. . . . . . . . . . . . . . . . . . . . . . . .588
Restrict Wireless Access by MAC Address . . . . . . . . . . . . . . . . . . . . .593
View the Access Point Status and Connected Clients
for a Wireless Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .595
Configure a Wireless Distribution System . . . . . . . . . . . . . . . . . . . . . . . .596
Configure Advanced Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
Configure WMM QoS Priority Settings. . . . . . . . . . . . . . . . . . . . . . . . . . .600
Test Basic Wireless Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .602
For More Information About Wireless Configurations . . . . . . . . . . . . . . . 602
Appendix C 3G/4G Dongles for the UTM9S and UTM25S
3G/4G Dongle Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . .603
Manually Configure the USB Internet Connection . . . . . . . . . . . . . . . . . .604
Configure the 3G/4G Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .608
Configure the WAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
Overview of the WAN Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .611
Configure Network Address Translation. . . . . . . . . . . . . . . . . . . . . . . . 612
Configure Classical Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
Configure Load Balancing and Optional Protocol Binding . . . . . . . . . .614
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .618
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . 621
12
ProSecure Unified Threat Management (UTM) Appliance
Appendix D Network Planning for Dual WAN Ports
(Multiple WAN Port Models Only)
What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .622
Plan Your Network and Network Management and Set Up Accounts .622
Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . .624
Computer Network Configuration Requirements . . . . . . . . . . . . . . . . .624
Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . .624
Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .626
Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .627
Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .628
Inbound Traffic to a Dual WAN Port System . . . . . . . . . . . . . . . . . . . .628
Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .629
VPN Road Warrior (Client-to-Gateway) . . . . . . . . . . . . . . . . . . . . . . . .630
VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .633
VPN Telecommuter (Client-to-Gateway through a NAT Router) . . . . .635
Appendix E ReadyNAS Integration
Supported ReadyNAS Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .638
Install the UTM Add-On on the ReadyNAS . . . . . . . . . . . . . . . . . . . . . . .639
Connect to the ReadyNAS on the UTM . . . . . . . . . . . . . . . . . . . . . . . . . .641
Appendix F Two-Factor Authentication
Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .644
What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . .644
What Is Two-Factor Authentication?. . . . . . . . . . . . . . . . . . . . . . . . . . .645
NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . .645
Appendix G System Logs and Error Messages
System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .649
System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .649
Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .649
NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .650
Login/Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .650
Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .651
Traffic Metering Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .655
Invalid Packet Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
Service Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .658
Content-Filtering and Security Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . .658
Web Filtering and Content-Filtering Logs. . . . . . . . . . . . . . . . . . . . . . .659
Spam Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .660
Traffic Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .661
Malware Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .661
13
ProSecure Unified Threat Management (UTM) Appliance
Email Filter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .661
IPS Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .662
Anomaly Behavior Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
Application Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663
Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663
LAN-to-WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663
LAN-to-DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .664
DMZ-to-WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .664
WAN-to-LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .664
DMZ-to-LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .665
WAN-to-DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
Appendix H Default Settings and Technical Specifications
Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .666
Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .673
Appendix I Notification of Compliance (Wired) Appendix J Notification of Compliance (Wireless) Index
14

1. Introduction

This chapter provides an overview of the features and capabilities of the NETGEAR ProSecure® Unified Threat Management (UTM) Appliance. This chapter contains the following sections:
What Is the ProSecure Unified Threat Management (UTM) Appliance?
Key Features and Capabilities
Service Registration Card with License Keys
Package Contents
Hardware Features
Choose a Location for the UTM
Note: For more information about the topics covered in this manual, visit the
Support website at http://support.netgear.com.
1
Note: Firmware updates with new features and bug fixes are made
available from time to time at downloadcenter.netgear.com. Some products can regularly check the site and download new firmware, or you can check for and download new firmware manually. If the features or behavior of your product do not match what is described in this guide, you might need to update your firmware.

What Is the ProSecure Unified Threat Management (UTM) Appliance?

The ProSecure Unified Threat Management (UTM) Appliance, hereafter referred to as the UTM, connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems, DSL modems, satellite dishes, or wireless ISP radio antennas, or a combination of those. Dual wide area network (WAN) port s allow you to increase the effective data rate to the Internet by utilizing both WAN ports to
15
ProSecure Unified Threat Management (UTM) Appliance
carry session traffic, or to maintain a backup connection in case of failure of your primary Internet connection.
As a complete security solution, the UTM combines a powerful, flexib le firewall with a content scan engine that uses NETGEAR Stream Scanning technology to protect your network from denial of service (DoS) attacks or distributed DoS (DDoS) attacks, unwanted traffic, traffic with objectionable content, spam, phishing, and web-borne threats such as spyware, viruses, and other malware threats.
The UTM provides advanced IPSec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures high data transfer speeds.
The UTM is a plug-and-play device that can be installed and configured within minutes.

Key Features and Capabilities

Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing
Wireless Features
DSL Features
Advanced VPN Support for Both IPSec and SSL
A Powerful, True Firewall
Stream Scanning for Content Filtering
Security Features
Autosensing Ethernet Connections with Auto Uplink
Extensive Protocol Support
Easy Installation and Management
Maintenance and Support
Model Comparison
The UTM provides the following key features and capabilities:
For the single WAN port models, a single 10/100/1000 Mbps Gigabit Ethernet WAN port.
For the multiple WAN port models, dual or quad 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover protection of your Internet connection, providing increased system reliability or increased data rate.
Built-in four- or six-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data
transfer between local network resources.
Wireless network module (UTM9S and UTM25S only) for either 2.4-GHz or 5-GHz
wireless modes.
xDSL network module (UTM9S and UTM25S only) for ADSL and VDSL.
3G/4G dongle (UTM9S and UTM25S only) for wireless connection to an ISP.
Advanced IPSec VPN and SSL VPN support.
Introduction
16
ProSecure Unified Threat Management (UTM) Appliance
Depending on the model, bundled with a one-user license of the NETGEAR ProSafe
VPN Client software (VPN01L).
Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
Patent-pending S tream Scanning technology that enables scanning of real-t ime protocols
such as HTTP.
Comprehensive web and email security, covering six major network protocols: HTTP,
HTTPS, FTP, SMTP, POP3, and IMAP.
Malware database containing hundreds of thousands of signatures of spyware, viruses,
and other malware threats.
Very frequently updated malware signatures, hourly if necessary. The UTM can
automatically check for new malware signatures as frequently as every 15 minutes.
Multiple antispam technologies to provide extensive protection against unwanted mail.
Application control for multiple categories of applications and individual applications to
safeguard data, protect users, and enhance productivity.
Easy, web-based wizard setup for installation and management.
SNMP manageable with support for SNMPv1, SNMPv2, and SNMPv3.
Support for the NETGEAR Network Management System NMS200.
Front panel LEDs for easy monitoring of status and activity.
Flash memory for firmware upgrade.
Internal universal switching power supply.

Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing

The UTM product line offers models with two broadband WAN ports. The second WAN port allows you to connect a second broadband Internet line that can be configured on a mutually exclusive basis to:
Provide backup and rollover if one line is inoperable, ensuring that you are never
disconnected.
Load balance, or use both Internet lines simultaneously for outgoing traffic. A UTM with
dual WAN port s balances users between the two line s f or maximum bandwidth efficiency.
See Appendix D, Network Planning for Dual WAN Port s (Multiple W AN Port Models Only) for the planning factors to consider when implementing the following capabilities with dual WAN port gateways:
Single or multiple exposed hosts
Virtual private networks
Introduction
17
ProSecure Unified Threat Management (UTM) Appliance

Wireless Features

Wireless client connections are supported on the UTM9S and UTM25S with an NMWLSN wireless network module installed. The UTM9S and UTM25S support the following wireless features:
2.4-GHz radio and 5-GHz radio. Either 2.4-GHz band support with 802.11b/g/n/ wireless
modes or 5-GHz band support with 802.11a/n wireless modes.
Wireless security profiles. Support for up to four wireless security profiles, each with it s
own SSID.
WMM QoS priority. Wi-Fi Multimedia (WMM) Quality of Service (QoS) priority settings to
map one of four queues to each Differentiated Services Code Point (DSCP) value.
Wireless Distribution System (WDS). WDS enables expansion of a wireless network
through two or more access points that are interconnected.
Access control. The Media Access Control (MAC) address filtering feature can ensure
that only trusted wireless stations can use the UTM to gain access to your LAN.
Hidden mode. The SSID is not broadcast, assuring that only clients configured with the
correct SSID can connect.
Secure and economical operation. Adjustable power output allows more secure or
economical operation.
3G/4G dongle. Mobile broadband USB adapter for a wireless connection to an ISP.

DSL Features

DSL is supported on the UTM9S and UTM25S with an NMVDSLA or NMVDSLB DSL network module installed. The UTM9S and UTM25S support the following types of DSL connections:
ADSL, ADSL2, and ADSL2+
VDSL and VDSL2
Annex A, Annex B, and Annex M are supported to accommodate PPPoE, PPPoA, and IPoA ISP connections.

Advanced VPN Support for Both IPSec and SSL

The UTM supports IPSec and SSL virtual private network (VPN) connections.
IPSec VPN delivers full network access between a central office and branch offices, or
between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
- IPSec VPN with broad protocol support for secure connection to other IPSec
gateways and clients.
- Depending on the model, bundled with a one-user license of the NETGEAR ProSafe
VPN Client software (VPN01L).
Introduction
18
ProSecure Unified Threat Management (UTM) Appliance
SSL VPN provides remote access for mobile users to selected corporate resources
without requiring a preinstalled VPN client on their computers.
- Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for
e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
- Allows browser-based, platform-independent remote access through a number of
popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
- Provides granular access to corporate resources based on user type or group
membership.

A Powerful, True Firewall

Unlike simple NA T routers, the UTM is a true firewall, using st ateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities:
DoS protection. Automatically detects and thwarts (distributed) denial of service (DoS)
attacks such as Ping of Death and SYN flood.
Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
Schedule policies. Permits scheduling of firewall policies by day and time.
Logs security incidents. Logs security events such as blocked incoming traffic, port
scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.

Stream Scanning for Content Filtering

Stream Scanning is based on the simple observation that network traffic travels in streams. The UTM scan engine starts receiving and analyzing traf fic as the stream enters the network. As soon as a number of bytes are available, scanning starts. The scan engine continues to scan more bytes as they become available, while at the same time another thread starts to deliver the bytes that have been scanned.
This multithreaded approach, in which the receiving, scanning, and delivering processes occur concurrently, ensures that network performance remains unimpeded. The result is that file scanning is up to five times faster than with traditional antivirus solutions—a performance advantage that you really notice.
Stream Scanning also enables organizations to withstand massive spikes in traffic, as in the event of a malware outbreak. The scan engine has the following capabilities:
Real-time protection. The patent-pending Stream Scanning technology enables
scanning of previously undefended real-time protocols, such as HTTP. Network activities susceptible to latency (for example, web browsing) are no longer brought to a standstill.
Comprehensive protection. Provides both web and email security, covering six major
network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP. The UTM uses enterprise-class scan engines employing both signature-based and distributed spam
Introduction
19
ProSecure Unified Threat Management (UTM) Appliance
analysis to stop both known and unknown threats. The malware database contains hundreds of thousands of signatures of spyware, viruses, and other malware.
Objectionable traffic protection. The UTM prevents objectionable content from
reaching your computers. You can control access to the Internet content by screening for web services, web addresses, and keywords within web addresses. You can log and report attempts to access objectionable Internet sites.
Application control. The UTM provides application control for entire categories of
applications, individual applications, or a combination of both. You can either globally allow or block applications or configure custom application control profiles for groups of users, individual users, or a combination of both. The UTM supports multiple applications.
Automatic signature updates. Malware signatures are updated as frequently as every
hour, and the UTM can check automatically for new signatures as frequently as every 15 minutes.

Security Features

The UTM is equipped with several features designed to maintain security:
Computers hidden by NAT. NAT opens a temporary path to the Internet for requests
originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
Port forwarding with NAT. Although NAT prevents Internet locations from directly
accessing the computers on the LAN, the UTM allows you to direct incoming traffic to specific computers based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
DMZ port. Incoming traffic from the Internet is usually discarded by the UTM unless the
traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal four- or six-port 10/100/1000 Mbps switch and single or dual (model-dependant) 10/100/1000 WAN ports, the UTM can connect to either a 10-Mbps standard Ethernet network, a 100-Mbps Fast Ethernet network, or a 1000-Mbps Gigabit Ethernet network. The four LAN and one or two WAN interface s are autosensing and capable of full-duplex or half-duplex operation.
TM
The UTM incorporates Auto Uplink whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub. Tha t port then configures it self correctly. This feature eliminates the need for you to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.
technology. Each Ethernet port automatically senses
Introduction
20
ProSecure Unified Threat Management (UTM) Appliance

Extensive Protocol Support

The UTM supports the T ransmission Control Protocol/Internet Proto col (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see Internet Configuration
Requirements on page 624. The UTM provides the following protocol support:
IP address sharing by NAT. The UTM allows many networked computers to share an
Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.
Automatic configuration of attached computers by DHCP. The UTM dynamically
assigns network configuration information, including IP, gateway, and Domain Name Server (DNS) addresses, to attached computers on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.
DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall
provides its own address as a DNS server to the attached computers. The firewall obt ains actual DNS addresses from the ISP during connection setup and forwards DNS request s from the LAN.
PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the
Internet over a DSL connection by simulating a dial-up connection.
Quality of Service (QoS). The UTM supports QoS, including traffic prioritization and
traffic classification with Type of Service (ToS) and Differentiated Services Code Point (DSCP) marking.

Easy Installation and Management

You can install, configure, and operate the UTM within minutes after connecting it to the network. The following features simplify installation and management tasks:
Browser-based management. Browser-based configuration allows you to easily
configure the UTM from almost any type of operating system, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based web management interface.
Autodetection of ISP. The UTM automatically senses the type of Internet connection,
asking you only for the information required for your type of ISP account.
IPSec VPN Wizard. The UTM includes the NETGEAR IPSec VPN Wizard so you can
easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
SSL VPN Wizard. The UTM includes the NETGEAR SSL VPN Wizard so you can easily
configure SSL connections over VPN according to the recommendations of the VPNC. This ensures that the SSL connections are interoperable with other VPNC-compliant VPN routers and clients.
Introduction
21
ProSecure Unified Threat Management (UTM) Appliance
SNMP. The UTM supports the Simple Network Management Protocol (SNMP) to let you
monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
Diagnostic functions. The UTM incorporates built-in diagnostic functions such as ping,
traceroute, DNS lookup, and remote reboot.
Remote management. The UTM allows you to log in to the web management interface
from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
Visual monitoring. The UTM’s front panel LEDs provide an easy way to monitor its
status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the UTM:
Flash memory for firmware upgrades.
Technical support seven days a week, 24 hours a day. Information about support is
available on the NETGEAR ProSecure website at
http://prosecure.netgear.com/support/index.php.

Model Comparison

The following table compares the UTM models to show the differences. For performance specifications and sizing guidelines, see NETGEAR’s marketing documentation at
http://prosecure.netgear.com.
Table 1. UTM model comparison
Feature UTM5 UTM9S UTM10 UTM25 UTM25S UTM50 UTM150 IPSec VPN tunnels
Number of supported site-to-site IPSec VPN tunnels (from which the model derives its model number, with the exception of the UTM9S)
Hardware
LAN ports (Gigabit RJ-45) 4444464 WAN ports (Gigabit RJ-45) 1212224 DMZ interfaces (configurable)1111111 USB ports 1111111 Console ports (RS232) 1111111
5 1010252550150
Flash memory RAM
2 GB 512 MB
2 GB 512 MB
Introduction
22
2 GB 512 MB
2 GB 1 GB
2 GB 1 GB
2 GB 1 GB
2 GB 1 GB
ProSecure Unified Threat Management (UTM) Appliance
Table 1. UTM model comparison (continued)
Feature UTM5 UTM9S UTM10 UTM25 UTM25S UTM50 UTM150 Network Modules and Broadband Adapters
xDSL network module with RJ11 port Wireless network module 3G/4G USB dongle
Deployment
VLAN support Dual WAN auto-rollover mode Dual WAN load balancing mode Single WAN mode








Service Registration Card with License Keys

Be sure to store the license key card that came with your UTM (see a sample card in the following figure) in a secure location. If you do not use electronic licensing (see Electronic
Licensing on page 67), you need these service license keys to activate your product during
the initial setup. The service license keys are assigned to the serial number of your product.
Figure 1.
Introduction
23
ProSecure Unified Threat Management (UTM) Appliance
Note: When you reset the UTM to the original factory default settings after
you have entered the license keys to activate the UTM (se e Register
the UTM with NETGEAR on page 65), the license keys are erased.
The license keys and the different types of licenses that are available for the UTM are no longer displayed on the Registration screen. However, af ter you have reconfigured the UTM to connect to the Internet and to the NETGEAR registration server, the UTM retrieves and restores all registration information based on its MAC address and hardware serial number . You do not need to reenter the license keys and reactivate the UTM.

Package Contents

The UTM product package contains the following items:
ProSecure Unified Threat Management (UTM) Appliance
One AC power cable
Rubber feet (4)
One rack-mounting kit (depends on UTM model)
ProSecure Unified Threat Management UTM Installation Guide
resource CD, including:
- Application Notes and other helpful information
- ProSafe VPN Client software (VPN01L) (depends on the UTM model)
Service Registration Card with license keys
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

Hardware Features

Front Panel UTM5 and UTM10
Front Panel UTM25
Front Panel UTM50
Front Panel UTM150
Front Panel UTM9S and UTM25S and Network Modules
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150
LED Descriptions, UTM9S, UTM25S, and their Network Modules
Rear Panel UTM5, UTM10, and UTM25
Introduction
24
ProSecure Unified Threat Management (UTM) Appliance
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LED
Right WAN LED
USB port
Rear Panel UTM50 and UTM150
Rear Panel UTM9S and UTM25S
Bottom Panels with Product Labels
The front panels contain ports an d LEDs; the rear panels contain port s, connectors, and other components; and the bottom panels contain product labels.

Front Panel UTM5 and UTM10

Viewed from left to right, the UTM5 and UTM10 front panel contains the following ports:
One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet port. One independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 2 on page 30. In addition, the front panel provides some LED explanation to the left of the LAN ports.
Figure 2. Front panel UTM5 and UTM10
Introduction
25
ProSecure Unified Threat Management (UTM) Appliance
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active WAN
USB port
LEDs

Front Panel UTM25

Viewed from left to right, the UTM25 front panel contains the following ports:
One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of st atus indicator LEDs, including Powe r and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 2 on page 30. In addition, the front panel provides some LED explanation to the left of the LAN ports.
Figure 3. Front panel UTM25

Front Panel UTM50

Viewed from left to right, the UTM50 front panel contains the following ports:
One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports. Six switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of st atus indicator LEDs, including Powe r and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 2 on page 30. In addition, the front panel provides some LED explanation to the right of the WAN ports.
Introduction
26
ProSecure Unified Threat Management (UTM) Appliance
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active WAN
USB port
LEDs
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active WAN LEDs
USB port
Figure 4. Front panel UTM50

Front Panel UTM150

Viewed from left to right, the UTM150 front panel contains the following ports:
One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports. Four independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three group s of status indicator LEDs, including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in d et a il in Table 2 on page 30. In addition, the front panel provides some LED explanation to the right of the WAN ports.
Figure 5. Front panel UTM150
Introduction
27
ProSecure Unified Threat Management (UTM) Appliance
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active WAN LEDs
USB port
USB LED
Slot 1
Slot 2

Front Panel UTM9S and UTM25S and Network Modules

Viewed from left to right, the UTM9S and UTM25S front panel contains the following ports and slots:
One USB port that can accept a 3G/4G dongle for wireless connectivity to an ISP. The
port is currently operable on the UTM9S and UTM25S only.
LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of st atus indicator LEDs, including Powe r and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 3 on page 32. Some LED explanation is provided on the front panel below the LAN and WAN ports.
Figure 6. Front panel UTM9S and UTM25S
Introduction
28
ProSecure Unified Threat Management (UTM) Appliance
xDSL Network Modules
The following xDSL network modules are available for insertion in one of the UTM9S or UTM25S slots:
NMSDSLA. VDSL/ADSL2+ network module, Annex A.
NMSDSLB. VDSL/ADSL2+ network module, Annex B.
Note: In previous releases for the UTM9S, these network modules were
referred to as the UTM9SDSLA and UTM9SDSLB. The UTM9SDSLA is identical to the NMSDSLA, and the UTM9SDSLB is identical to the NMSDSLB.
The xDSL network module provides one RJ-11 port for connection to a telephone line. The two LEDs are explained in Table 3 on page 32.
Figure 7. xDSL network module
Wireless Network Modules
The wireless network module (NMSWLSN) can be inserted in one of the UTM9S and UTM25S slots. The wireless network module does not provide any ports. The antennas are detachable. The two LEDs are explained in Table 3 on page 32.
Note: In previous releases for the UTM9S, this network module was referred to
as the UTM9SWLSN. The UTM9SWLSN is identical to the NMSWLSN.
Introduction
29
ProSecure Unified Threat Management (UTM) Appliance
Figure 8. Wireless network module

LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150

The following table describes the function of each LED.
Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150
LED Activity Description
Power LED On (green) Power is supplied to the UTM.
Off Power is not supplied to the UTM.
Test LED On (amber) during
startup On (amber) during
any other time Blinking (amber) The UTM is writing to flash memory (during upgrading or resetting to
Off The UTM has booted successfully.
Test mode. The UTM is initializing. After approximately 2 minutes, when the UTM has completed its initialization, the Test LED goes off.
The initialization has failed, or a hardware failure has occurred.
defaults).
Introduction
30
Loading...
+ 674 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use