How it Works
NETGEAR
Loading...
UTM10EW-100NAS
User Manual
480 pgs6.58 Mb0
Table of contents
Loading...

NETGEAR UTM25-100NAS, UTM25EW-100NAS, UTM10EW-100NAS User Manual

ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual

NETGEAR, Inc.
350 East Plumeria Drive San Jose, CA 95134
202-10482-01 September 2009 v1.0
© 2009 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks and ProSecure and ProSafe are trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful inte rferenc e to radio communications. Operation of this equipment in a residential area is likely to cause harmful interfere nc e in which case the user will be required to correct the interference at his own expense.
Changes or modifications not expressly approved by NETGEAR could void the user’s authority to operate the equipment.
EU Regulatory Compliance Statement
The ProSecure Unified Threat Management Appliance UTM10 or UTM25 is compliant with the following EU Council Directives: EMC Directive 2004/108/EC and Low Voltage Directive 2006/95/EC. Compliance is verified by testing to the following standards: EN55022, EN55024, and EN60950-1.
For the EU Declaration of Conformity, please visit:
http://kb.netgear.com/app/answers/detail/a_id/11621/sno/0.
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß das ProSecure Unified Threat Management Appliance UTM10 or UTM25 gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSecure Unified Threat Management Appliance UTM10 or UTM25 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
ii
v1.0, September 2009
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.
Additional Copyrights
AES Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK.
All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The copyright holder’s name must not be used to endorse or promote any products derived from this software without his specific prior written permission.
This software is provided “as is” with no express or implied warranties of correctness or fitness for purpose.
v1.0, September 2009
iii
Open SSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Tool kit (
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS,” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message­Digest Algorithm” in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
http://www.openssl.org/).”
http://www.openssl.org/).”
iv
v1.0, September 2009
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endor se or promote products derive d from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib zlib.h. Interface of the zlib general purpose compression library version 1.1.4, March 11th,
2002. Copyright (C) 1995–2002 Jean-loup Gailly and Mark Adler.
This software is provided “as is,” without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu. The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files format), and rfc1952.txt (gzip format).
ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate
Product and Publication Details
Model Number: UTM Publication Date: September 2009 Product Family: UTM Product Name: ProSecure Unified Threat Management Appliance UTM10 or UTM25 Home or Business Product: Business Language: English Publication Part Number: 202-10482-01 Publication Version Number 1.0
v1.0, September 2009
v
vi
v1.0, September 2009

Contents

ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
About This Manual
Conventions, Formats, and Scope .................................................................................xvii
How to Print This Manual ..............................................................................................xviii
Revision History ..................... ... ....................................... ... ... ....................................... .xviii
Chapter 1 Introduction
What Is the ProSecure Unified Threat Management Appliance UTM10 or UTM25? .....1-1
Key Features and Capabilities ........................................................................................1-2
Dual WAN Ports for Increased Reliability or
Outbound Load Balancing (UTM25 Only) .......... .... ... ... ... .... ... ... ....... ... ... ... ... .... ... ... ..1-3
Advanced VPN Support for Both IPsec and SSL .....................................................1-3
A Powerful, True Firewall .........................................................................................1-4
Stream Scanning for Content Filtering ...................... ... ... .... ... ... ... .... ... ... ... ... ....... ... ..1-4
Security Features .....................................................................................................1-5
Autosensing Ethernet Connections with Auto Uplink ...............................................1-5
Extensive Protocol Support ......................................................................................1-6
Easy Installation and Management ..........................................................................1-6
Maintenance and Support .................. .... ... ... ... ... .... ... ... ... .... ... ...... .... ... ... ... ... .... ... ... ..1-7
Service Registration Card with License Keys ..................... ... ....... ... ... .... ... ... ... ... .... ... ... ..1-8
Package Contents ..........................................................................................................1-9
Hardware Features .........................................................................................................1-9
Front Panel ...............................................................................................................1-9
Rear Panel .............................................................................................................1-12
Bottom Panel With Product Label ..........................................................................1-12
Choosing a Location for the UTM .................................................................................1-14
Using the Rack-Mounting Kit ..................................................................................1-14
v1.0, September 2009
vii
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network
Understanding the Steps for Initial Connection ..............................................................2-1
Qualified Web Browsers ...........................................................................................2-2
Logging In to the UTM ....................................................................................................2-2
Understanding the Web Management Interface Menu Layout ............ ... ... ... ............2-5
Using the Setup Wizard to Perform the Initial Configuration ..........................................2-7
Setup Wizard Step 1 of 10: LAN Settings ................................................................2-8
Setup Wizard Step 2 of 10: WAN Settings .............................................................2-11
Setup Wizard Step 3 of 10: System Date and Time ...............................................2-14
Setup Wizard Step 4 of 10: Security Services ........................................................2-16
Setup Wizard Step 5 of 10: Email Security ............................................................2-18
Setup Wizard Step 6 of 10: Web Security ..............................................................2-19
Setup Wizard Step 7 of 10: Web Categories to Be Blocked ..................................2-21
Setup Wizard Step 8 of 10: Administrator Email Notification Settings ...................2-23
Setup Wizard Step 9 of 10: Security Subscription Update Settings ....................... 2-24
Setup Wizard Step 10 of 10: Saving the Configuration .......................................... 2-26
Verifying Proper Installation ..........................................................................................2-26
Testing Connectivity ...............................................................................................2-26
Testing HTTP Scanning .........................................................................................2-26
Registering the UTM with NETGEAR ...........................................................................2-27
What to Do Next ...........................................................................................................2-29
Chapter 3 Manually Configuring Internet and WAN Settings
Understanding the Internet and WAN Configuration Tasks ............................................3-1
Configuring the Internet Connections ............................................................................. 3-2
Automatically Detecting and Connecting ............................ ... ... ... .... ... ... ... ...............3-2
Setting the UTM’s MAC Address .............................................................................3-5
Manually Configuring the Internet Connection ... ....................................... ... ............3-5
Configuring the WAN Mode (Required for the UTM25’s Dual WAN Mode) ....................3-9
Network Address Translation (UTM10 and UTM25) .............................................. 3-10
Classical Routing (UTM10 and UTM25) ................................................................3-10
Configuring Auto-Rollover Mode (UTM25 Only) ....................................................3-11
Configuring Load Balancing and Optional Protocol Binding (UTM25 Only) ...........3-14
Configuring Secondary WAN Addresses ......................................................................3-17
viii
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Configuring Dynamic DNS ............................................................................................3-19
Configuring Advanced WAN Options ............................................................................3-22
Additional WAN-Related Configuration Tasks ........................................................3-24
Chapter 4 LAN Configuration
Managing Virtual LANs and DHCP Options ....... ... ... .... ...... ... .... ... ... ... .... ... ... ... ... .... ... ... ..4-1
Managing the UTM’s Port-Based VLANs .................................................................4-2
VLAN DHCP Options ...............................................................................................4-4
Configuring a VLAN Profile ......................................................................................4-6
Configuring Multi-Home LAN IPs on the Default VLAN ................................................4-11
Managing Groups and Hosts (LAN Groups) .................................................................4-12
Managing the Network Database . ... ... .... ...................................... .... ... ...................4-13
Changing Group Names in the Network Database ................................................ 4-16
Setting Up Address Reservation .................. .......................................................... 4-17
Configuring and Enabling the DMZ Port .......................................................................4-18
Managing Routing .............................. ... ....................................... ... .............................4-22
Configuring Static Routes .......................................................................................4-23
Configuring Routing Information Protocol (RIP) . .... ... ... ... .... ...... ... .... ... ... ... ... .... ... ...4-24
Static Route Example .............................................................................................4-27
Chapter 5 Firewall Protection
About Firewall Protection ................................................................................................5-1
Administrator Tips ....................................................................................................5-2
Using Rules to Block or Allow Specific Kinds of Traffic ..................................................5-3
Services-Based Rules .. ...................................... .... ...................................... .... ... ..... 5-3
Order of Precedence for Rules ..............................................................................5-10
Setting LAN WAN Rules ................................. ... .... ...................................... .... ......5-11
Setting DMZ WAN Rules ................................. ... .... ...................................... .... ......5-14
Setting LAN DMZ Rules .........................................................................................5-18
Attack Checks ................. ... ... ....................................... ... .......................................5-20
Setting Session Limits .. ...................................... .... ...................................... .... ... ...5-23
Managing the Application Level Gateway for SIP Sessions ..................................5-24
Inbound Rules Examples .......................................................................................5-25
Outbound Rules Example ......................... ... ... ... ....................................... ... ..........5-29
Creating Services, QoS Profiles, and Bandwidth Profiles ............................................5-30
v1.0, September 2009
ix
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Adding Customized Services .................................................................................5-30
Creating Quality of Service (QoS) Profiles .............................................................5-33
Creating Bandwidth Profiles ...... ... ... ... ....................................................................5-36
Setting a Schedule to Block or Allow Specific Traffic ................................. ... ... ... .... ......5-39
Enabling Source MAC Filtering ....................................................................................5-40
Setting up IP/MAC Bindings .........................................................................................5-42
Configuring Port Triggering ...........................................................................................5-44
Using the Intrusion Prevention System ........................................................................5-47
Chapter 6 Content Filtering and Optimizing Scans
About Content Filtering and Scans .................................................................................6-1
Default E-mail and Web Scan Settings ....................................................................6-2
Configuring E-mail Protection .........................................................................................6-3
Customizing E-mail Protocol Scan Settings .............................................................6-4
Customizing E-mail Anti-Virus and Notification Settings ..........................................6-5
E-mail Content Filtering ............................................................................................6-8
Protecting Against E-mail Spam .............................................................................6-11
Configuring Web and Services Protection ....................................................................6-19
Customizing Web Protocol Scan Settings and Services ........................................6-19
Configuring Web Malware Scans ...........................................................................6-21
Configuring Web Content Filtering .........................................................................6-23
Configuring Web URL Filtering ..............................................................................6-30
HTTPS Scan Settings ............................................................................................6-34
Specifying Trusted Hosts ................ ... .... ...................................... .... ......................6-37
Configuring FTP Scans ..........................................................................................6-39
Setting Web Access Exceptions and Scanning Exclusions ..........................................6-41
Setting Web Access Exception Rules ....... .............................................................6-41
Setting Scanning Exclusions . .... ... ... ... .... ... ....................................... ... ...................6-44
Chapter 7 Virtual Private Networking Using IPsec Connections
Considerations for Dual WAN Port Systems (UTM25 Only) ...........................................7-1
Using the IPsec VPN Wizard for Client and Gateway Configurations ................ .... ... ... ..7-3
Creating Gateway-to-Gateway VPN Tunnels with the Wizard .................................7-3
Creating a Client to Gateway VPN Tunnel ...............................................................7-8
x
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Testing the Connections and Viewing Status Information ....................................... ...... 7-16
Testing the VPN Connection ........................................... .......................................7-16
NETGEAR VPN Client Status and Log Information ............................................... 7-17
Viewing the UTM IPsec VPN Connection Status ...................................................7-19
Viewing the UTM IPsec VPN Log ..........................................................................7-20
Managing IPsec VPN Policies .. ... .... ... ... ... .... ................................................................7-21
Managing IKE Policies .................... ... .... ... ....................................... ... ...................7-22
Managing VPN Policies ...................................... ....................................... ... ..........7-30
Configuring Extended Authentication (XAUTH) ............................................................7-37
Configuring XAUTH for VPN Clients ......................................................................7-38
User Database Configuration .... ... ... ....................................... ... .............................7-39
RADIUS Client Configuration .................................................................................7-39
Assigning IP Addresses to Remote Users (Mode Config) ............................................7-42
Mode Config Operation ... ... ... .... ... ....................................... ... ................................7-42
Configuring Mode Config Operation on the UTM ................... ................................7-42
Configuring the ProSafe VPN Client for Mode Config Operation ...........................7-49
Testing the Mode Config Connection ..................................................... ... ... .... ... ...7-54
Configuring Keepalives and Dead Peer Detection .......................................................7-54
Configuring Keepalives ..........................................................................................7-55
Configuring Dead Peer Connection .......................................................................7-56
Configuring NetBIOS Bridging with IPsec VPN ............................................................7-58
Chapter 8 Virtual Private Networking Using SSL Connections
Understanding the SSL VPN Portal Options ..................................................................8-1
Using the SSL VPN Wizard for Client Configurations ....................................................8-2
SSL VPN Wizard Step 1 of 6: Portal Settings ..........................................................8-3
SSL VPN Wizard Step 2 of 6: Domain Settings ..... ... ... ....... ... ... ... .... ... ... ... ... .... ... ... ..8-5
SSL VPN Wizard Step 3 of 6: User Settings .......................................... ..................8-7
SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes .......................8-9
SSL VPN Wizard Step 5 of 6: Port Forwarding ......................................... ............. 8-11
SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings ................................8-13
Accessing the New SSL Portal Login Screen ........................ ... ... .... ...... ... ... .... ... ...8-14
Viewing the UTM SSL VPN Connection Status .....................................................8-16
Viewing the UTM SSL VPN Log .............................................................................8-16
v1.0, September 2009
xi
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Manually Configuring and Editing SSL Connections .............................................. ... ...8-17
Creating the Portal Layout .....................................................................................8-18
Configuring Domains, Groups, and Users .............................................................8-22
Configuring Applications for Port Forwarding ............................... ..........................8-22
Configuring the SSL VPN Client ............................................................................8-25
Using Network Resource Objects to Simplify Policies ...........................................8-28
Configuring User, Group, and Global Policies ........................................................8-31
Chapter 9 Managing Users, Authentication, and Certificates
Configuring VPN Authentication Domains, Groups, and Users ......................................9-1
Configuring Domains ................................................................................................9-2
Configuring Groups for VPN Policies .......................................................................9-6
Configuring User Accounts ......................................................................................9-9
Setting User Login Policies ....................... ... ... ... ....................................... ... ..........9-12
Changing Passwords and Other User Settings ......................... ....... ...... ...... ....... ...9-16
Managing Digital Certificates ........................ ... ... ... ... .... ...................................... .... ......9-17
Managing CA Certificates .................................. .... ... ... ....................................... ...9-19
Managing Self Certificates ..................... ... ... ... ....................................... ... .............9-20
Managing the Certificate Revocation List ..................... ... .... ... ... ... .... ......................9-25
Chapter 10 Network and System Management
Performance Management ................................. ... ... .... ...................................... .... ...... 10-1
Bandwidth Capacity .................................................................. ... ..........................10-1
Features That Reduce Traffic .................................................................................10-2
Features That Increase Traffic ...............................................................................10-5
Using QoS and Bandwidth Assignment to Shift the Traffic Mix ..............................10-8
Monitoring Tools for Traffic Management ...............................................................10-9
System Management ....................................................................................................10-9
Changing Passwords and Administrator Settings ..................................................10-9
Configuring Remote Management Access ...........................................................10-12
Using an SNMP Manager ....................................................................................10-14
Managing the Configuration File ..........................................................................10-15
Updating the Firmware .... ... ... .... ... ... ... .... ... ...........................................................10-18
Updating the Scan Signatures and Scan Engine Firmware .................................10-21
Configuring Date and Time Service .....................................................................10-24
xii
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Chapter 11 Monitoring System Access and Performance
Enabling the WAN Traffic Meter ...................................................................................11-1
Configuring Logging, Alerts, and Event Notifications ...................................................11-5
Configuring the E-mail Notification Server .............................................................11-5
Configuring and Activating System, E-mail, and Syslog Logs ...............................11-6
Configuring and Activating Update Failure and Attack Alerts ..............................11-10
Configuring and Activating Firewall Logs .............................................................11-13
Monitoring Real-Time Traffic, Security, and Statistics ................................... ..............11-14
Viewing Status Screens ..............................................................................................11-20
Viewing System Status .........................................................................................11-20
Viewing Active VPN Users ...................................................................................11-24
Viewing VPN Tunnel Connection Status ..............................................................11-24
Viewing Port Triggering Status .............................................................................11-26
Viewing the WAN Ports Status .............................................................................11-27
Viewing Attached Devices and the DHCP Log .................................................... 11-29
Querying Logs and Generating Reports .....................................................................11-32
Querying the Logs ................................................................................................11-32
Scheduling and Generating Reports ....................................................................11-39
Using Diagnostics Utilities ..........................................................................................11-43
Using the Network Diagnostic Tools .....................................................................11-44
Using the Realtime Traffic Diagnostics Tool ................................. ........................11-46
Gathering Important Log Information and
Generating a Network Statistics Report ...............................................................11-47
Rebooting and Shutting Down the UTM ...............................................................11-48
Chapter 12 Troubleshooting and Using Online Support
Basic Functioning .........................................................................................................12-2
Power LED Not On .................................................................................................12-2
Test LED Never Turns Off ......................................................................................12-2
LAN or WAN Port LEDs Not On .............................................................................12-3
Troubleshooting the Web Management Interface .........................................................12-3
When You Enter a URL or IP Address a Time-out Error Occurs ..................................12-4
Troubleshooting the ISP Connection ............................................................................12-5
Troubleshooting a TCP/IP Network Using a Ping Utility ...............................................12-6
v1.0, September 2009
xiii
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Testing the LAN Path to Your UTM ........................................................................12-7
Testing the Path from Your PC to a Remote Device ..............................................12-7
Restoring the Default Configuration and Password ............ ... .... ... ... .............................12-8
Problems with Date and Time .......................................................................................12-9
Using Online Support .................................................................................................12-10
Enabling Remote Troubleshooting .......................................................................12-10
Sending Suspicious Files to NETGEAR for Analysis ...........................................12-11
Accessing the Knowledge Base and Documentation ...........................................12-12
Appendix A Default Settings and Technical Specifications
Appendix B Network Planning for Dual WAN Ports (UTM25 Only)
What to Consider Before You Begin .............................................................................. B-1
Cabling and Computer Hardware Requirements .................................................... B-3
Computer Network Configuration Requirements ...................................... ... .... ... ... . B-3
Internet Configuration Requirements ...................................................................... B-3
Overview of the Planning Process ................................................................................. B-5
Inbound Traffic ............................................................................................................... B-7
Inbound Traffic to a Single WAN Port System ........................................................ B-7
Inbound Traffic to a Dual WAN Port System ........................................................... B-8
Virtual Private Networks (VPNs) .................................................................................... B-9
VPN Road Warrior (Client-to-Gateway) .................................................................B-11
VPN Gateway-to-Gateway ........... ... ... .... ... ... ... ... ....... ... ... .... ... ... ... .... ... ... ... ... .... ... .. B-13
VPN Telecommuter (Client-to-Gateway Through a NAT Router) .......................... B-16
Appendix C System Logs and Error Messages
System Log Messages .................................................................................................. C-2
System Startup ............................. ... ... .... ... ....................................... ... ... .................C-2
Reboot ....................................... ...................................... .... .................................... C-2
Service Logs ................................ ... ... .... ... ... ... ....................................... ... ... ...........C-3
NTP .................................... ................................................................. .................... C-3
Login/Logout ........................................................................................................... C-4
Firewall Restart .......................................................................................................C-4
IPsec Restart ................................ ....................................... ... ................................. C-4
xiv
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
WAN Status ............................................................... ... ....................................... ... . C-5
Traffic Metering Logs ................................................................. ... .... ... ... ... ... ...........C-9
Unicast Logs .......................................................................... ... ... ........................... C-9
Invalid Packet Logging ....... ... .... ...................................... .... ... ............................... C-10
Content Filtering and Security Logs ............................................................................ C-12
Web Filtering and Content Filtering Logs .............................................................. C-12
Spam Logs ............................................................................................................ C-13
Traffic Logs ................................................................ ... ... .... ... ............................... C-14
Virus Logs .................... ... ... ... .... ... ... ....................................... ... ............................ C-14
E-mail Filter Logs ..................................................................................................C-14
IPS Logs ....................................... ....................................... ... ............................... C-15
Port Scan Logs ................................... ....................................... ... ......................... C-15
Instant Messaging/Peer-to-Peer Logs ................................................................... C-15
Routing Logs ...............................................................................................................C-16
LAN to WAN Logs ................................................................................................. C-16
LAN to DMZ Logs ..................................................................................................C-16
DMZ to WAN Logs ................................................................................................C-16
WAN to LAN Logs ................................................................................................. C-17
DMZ to LAN Logs .................................................................................................. C-17
WAN to DMZ Logs ................................................................................................C-17
Appendix D Two Factor Authentication
Why do I need Two-Factor Authentication? ...................................................................D-1
What are the benefits of Two-Factor Authentication? ............................................. D-1
What is Two-Factor Authentication ......................................................................... D-2
NETGEAR Two-Factor Authentication Solutions ....................................................... .... D-2
Appendix E Related Documents
Index
v1.0, September 2009
xv
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
xvi
v1.0, September 2009

About This Manual

The NETGEAR® ProSecure™ Unified Threat Management UTM10 or UTM25 Reference Manual describes how to install, configure, and troubleshoot a ProSecure Unified Threat Management Appliance UTM10 or UTM25. The information in this manual is intended for readers with intermediate computer and networking skills.

Conventions, Formats, and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs:
Typographical conventions. This manual uses the following typographical conventions:
Italic Emphasis, books, CDs
Bold User input, IP addresses, GUI screen text
Fixed Command prompt, CLI text, code
italic URL links
Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note might result in a malfunction or damage to the
equipment.
v1.0, September 2009
xvii
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Danger: This is a safety warning. Failure to take heed of this notice might result in
personal injury or death.
Scope. This manual is written for the UTM according to these specifications:
Product Version ProSecure Unified Threat Management Appliance UTM10 or UTM25 Manual Publication Date September 2009
For more information about network, Internet, firewall, and VPN technologies, click the links to the NETGEAR Website in Appendix E, “Related Documents.”
Note: Product updates are available on the NETGEAR website at
http://prosecure.netgear.com or http://kb.netgear.com/app/home.
Note: Go to http://prosecure.netgear.com/community/forum.php for information about
the ProSecure™ forum and to become part of the ProSecure™ community.

How to Print This Manual

T o print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at
http://www.adobe.com.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.

Revision History

Part Number
202-10482-01 1.0 September 2009 Initial publication of this reference manual.
xviii
Version Number
Date Description
v1.0, September 2009
Chapter 1
Introduction
This chapter provides an overview of the features and capabilities of the ProSecure Unified Threat Management Appliance UTM10 or UTM25. This chapter contains the following sections:
“What Is the ProSecure Unified Threat Management Appliance UTM10 or UTM25?” on this page.
“Key Features and Capabilities” on page 1-2.
“Service Registration Card with License Keys” on page 1-8.
“Package Contents” on page 1-9.
“Hardware Features” on page 1-9.
“Choosing a Location for the UTM” on page 1-14.

What Is the ProSecure Unified Threat Management Appliance UTM10 or UTM25?

The ProSecure Unified Threat Management Appliance UTM10 or UTM25, hereafter referred to as the UTM, connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems or DSL modems. Dual wide area network (W AN) ports allow you to increase effective throughput to the Internet by utilizing both WAN ports to carry session traffic, or to maintain a backup connection in case of failure of your primary Internet connection.
As a complete security solution, the UTM combines a powerful, flexible firewall with a content scan engine that uses NETGEAR Stream Scanning technology to protect your network from denial of service (DoS) attacks, unwanted traffic, traffic with objectionable content, spam, phishing, and Web-borne threats such as spyware, viruses, and other malware threats.
The UTM provides advanced IPsec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds.
The UTM is a plug-and-play device that can be installed and configured within minutes.
1-1
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual

Key Features and Capabilities

The UTM provides the following key features and capabilities:
For the UTM10, a single 10/100/1000 Mbps Gigabit Ethernet WAN port. For the UTM25, dual 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover protection of your Internet connection, providing increased system reliability or increased throughput.
Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources.
Support for up to 15 (UTM10) or 30 (UTM25) concurrent users and up to 12,000 (UTM10) or 27,000 (UTM25) concurrent sessions.
Advanced IPsec VPN and SSL VPN support with support for up to 10 (UTM10) or 25 (UTM25) site-to-site IPsec VPN tunnels and up to 5 (UTM10) or 13 (UTM25) dedicated SSL VPN tunnels.
Bundled with a 1-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
Patent-pending Stream Scanning technology that enables scanning of real-time protocols such as HTTP.
Comprehensive Web and email security, covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP.
Malware database containing hundreds of thousands of signatures of spyware, viruses, and other malware threats.
Very frequently updated malware signatures, hourly if required. The UTM can automatically check for new malware signatures as frequently as every 15 minutes.
Multiple anti-spam technologies to provide extensive protection against unwanted mail.
Easy, Web-based wizard setup for installation and management.
SNMP-manageable.
Front panel LEDs for easy monitoring of status and activity.
Flash memory for firmware upgrade.
Internal universal switching power supply.
1-2 Introduction
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Dual WAN Ports for Increased Reliability or Outbound Load Balancing (UTM25 Only)
The UTM25 has two broadband WAN ports. The second WAN port allows you to connect a second broadband Internet line that can be configured on a mutually-exclusive basis to:
Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.
Load balance, or use both Internet lines simultaneously for outgoing traffic. The UTM25 balances users between the two lines for maximum bandwidth efficiency.
See “Network Planning for Dual WAN Ports (UTM25 Only)” on page B-1 for the planning factors to consider when implementing the following capabilities with dual WAN port gateways:
Single or multiple exposed hosts.
V irtual private networks.
Advanced VPN Support for Both IPsec and SSL
The UTM supports IPsec and SSL virtual private network (VPN) connections.
IPsec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
IPsec VPN with broad protocol support for secure connection to other IPsec gateways and
clients. – Bundled with a 1-user license of the NETGEAR ProSafe VPN Client software (VPN01L). – Supports up to 10 (UTM10) or 25 (UTM25) site-to-site IPsec VPN tunnels.
SSL VPN provides remote access for mobile users to selected corporate resources without requiring a pre-installed VPN client on their computers.
Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce
transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
Browser based, platform-independent, remote access through a number of popular
browsers, such as Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari.
Provides granular access to corporate resources based upon user type or group
membership.
Supports up to 5 (UTM10) or 13 (UTM25) dedicated SSL VPN tunnels.
Introduction 1-3
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
A Powerful, True Firewall
Unlike simple Internet sharing NAT routers, the UTM is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities:
DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN Flood.
Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
Schedule policies. Permits scheduling of firewall policies by day and time.
Logs security incidents. Logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
Stream Scanning for Content Filtering
Stream Scanning is based on the simple observation that network traffic travels in streams. The UTM scan engine starts receiving and analyzing traffic as the stream enters the network. As soon as a number of bytes are available, scanning starts. The scan engine continues to scan more bytes as they become available, while at the same time another thread starts to deliver the bytes that have been scanned.
This multithreaded approach, in which the receiving, scanning, and delivering processes occur concurrently, ensures that network performance remains unimpeded. The result is file scanning is up to five times faster than with traditional antivirus solutions—a performance advantage that you will notice.
Stream Scanning also enables organizations to withstand massive spikes in traffic, as in the event of a malware outbreak. The scan engine has the following capabilities:
Real-time protection. The patent-pending Stream Scanning technology enables scanning of previously undefended real-time protocols, such as HTTP. Network activities susceptible to latency (for example, Web browsing) are no longer brought to a standstill.
Comprehensive protection. Provides both Web and e-mail security, covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP. The UTM uses enterprise­class scan engines employing both signature-based and Distributed Spam Analysis to stop both known and unknown threats. The malware database cont ains hundreds of thousands of signatures of spyware, viruses, and other malware.
1-4 Introduction
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Objectionable traffic protection. The UTM prevents objectionable content from reaching your computers. You can control access to the Internet content by screening for Web services, W eb addresses, and keywords within Web addresses. Y ou can log and report attempts to access objectionable Internet sites.
Automatic signature updates. Malware signatures are updated as frequently as every hour, and the UTM can check automatically for new signatures as frequently as every 15 minutes.
Security Features
The UTM is equipped with several features designed to maintain security:
PCs hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
Port forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the UTM allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
DMZ port. Incoming traffic from the Internet is normally discarded by the UTM unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated De-Militarized Zone (DMZ) port to forward the traffic to one PC on your network.
Autosensing Ethernet Connections with Auto Uplink
With its internal 4-port 10/100/1000 Mbps switch and single (UTM10) or dual (UTM25) 10/100/1000 WAN ports, the UTM can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The four LAN and one or two WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
The UTM incorporates Auto Uplink whether the Ethernet cable plugged into the port should have a “normal” connection such as to a PC or an “uplink” connection such as to a switch or hub. That port then configures itself to the correct configuration. This feature eliminates the need to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.
Introduction 1-5
TM
technology. Each Ethernet port automatically senses
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Extensive Protocol Support
The UTM supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol
Requirements” on page B-3. The UTM provides the following protocol support:
IP address sharing by NAT. The UTM allows many networked PCs to share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
Automatic configuration of attached PCs by DHCP. The UTM dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.
Quality of Service (QoS). The UTM supports QoS, including traffic prioritization and traffic classification with Type Of Service (ToS) and Differentiated Services Code Point (DSCP) marking.
(RIP). For further information about TCP/IP, see “Internet Configuration
Easy Installation and Management
You can install, configure, and operate the UTM within minutes after connecting it to the network. The following features simplify installation and management tasks:
Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
Auto detection of ISP. The UTM automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
IPsec VPN Wizard. The UTM includes the NETGEAR IPSec VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
1-6 Introduction
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
SSL VPN Wizard. The UTM includes the NETGEAR SSL VPN Wizard to easily configure SSL connections over VPN according to the recommendations of the VPNC to ensure the SSL connections are interoperable with other VPNC-compliant VPN routers and clients.
SNMP. The UTM supports the Simple Network Management Protocol (SNMP) to let yo u monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
Diagnostic functions. The UTMl incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
Remote management. The UTM allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
Visual monitoring. The UTM’s front panel LEDs provide an easy way to monitor its status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the UTM:
Flash memory for firmware upgrade.
Technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product.
Introduction 1-7
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual

Service Registration Card with License Keys

Be sure to store the license key card that came with your UTM in a secure location. You do need these keys to activate your product during the initial setup.
Figure 1-1
Note: When you reset the UTM to the original factory default settings after you have
entered the license keys to activate the UTM (see “Registering the UTM with
NETGEAR” on page 2-27), the license keys are erased. The license keys and the
different types of licenses that are available for the UTM are no longer displayed on the Registration screen. However, after you have reconfigured the UTM to connect to the Internet and to the NETGEAR registration server, the UTM retrieves and restores all registration information based on its MAC address and hardware serial number. You do not need to re-enter the license keys and reactivate the UTM.
1-8 Introduction
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual

Package Contents

The UTM product package contains the following items:
ProSecure Unified Threat Management Appliance UTM10 or UTM25.
One AC power cable.
Rubber feet (4).
One rack-mounting kit (UTM25 only).
ProSecure Unified Threat Management UTM10 or UTM25 Installation Guide.
Resource CD, including: – Application Notes and other helpful information. – ProSafe VPN Client Software (VPN01L)
Service Registration Card with License Key(s).
Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

Hardware Features

The front panel ports and LEDs, rear panel ports, and bottom label of the UTM are described below.
Front Panel
Viewed from left to right, the UTM front panel contains the following ports (see Figure 1-2 on
page 1-10, which shows the UTM25):
One non-functioning USB port: this port is included for future management enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports: four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports: one (UTM10) or two (UTM25) independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
Introduction 1-9
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active WAN
LEDs
USB port
The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in
Table 1-1.
Figure 1-2
Note: Figure 1-2 shows the UTM25 with two W AN ports. The UTM10 has a single WAN
port (the left WAN port that is shown in Figure 1-2) and no Active WAN LEDs.
The function of each LED is described in Table 1-1.
Table 1-1. LED Descriptions
Object Activity Description
Power On (Green) Power is supplied to the UTM.
Off Power is not supplied to the UTM.
Test On (Amber) during
startup. On (Amber) during
any other time Blinking (Amber) Writing to flash memory (during upgrading or resetting to defaults). Off The system has booted successfully.
1-10 Introduction
Test mode: The UTM is initializing. After approximately 2 minutes, when the UTM has completed its initialization, the Test LED goes off.
The initialization has failed or a hardware failure has occurred.
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Table 1-1. LED Descriptions (continued)
Object Activity Description LAN Ports
Left LED Off The LAN port has no link.
On (Green) The LAN port has detected a link with a connected Ethernet device. Blink (Green) Data is being transmitted or received by the LAN port.
Right LED Off The LAN port is operating at 10 Mbps.
On (Amber) The LAN port is operating at 100 Mbps. On (Green) The LAN port is operating at 1000 Mbps.
DMZ LED Of f Port 4 is operating as a normal LAN port.
On (Green) Port 4 is operating as a dedicated hardware DMZ port.
WAN Ports
Left LED Off The WAN port has no physical link, that is, no Ethernet cable is
plugged into the UTM.
On (Green) The WAN port has a valid connection with a device that provides an
Internet connection.
Blink (Green) Data is being transmitted or received by the WAN port.
Right LED Off The WAN port is operating at 10 Mbps.
On (Amber) The WAN port is operating at 100 Mbps. On (Green) The WAN port is operating at 1000 Mbps.
Active LED (UTM25 only)
Off The WAN port is either not enabled or has no link to the Internet. On (Green) The WAN port has a valid Internet connection.
Introduction 1-11
v1.0, September 2009
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Security lock receptacle
Console port
Reset button
AC power
receptacle
Rear Panel
The rear panel of the UTM includes a cable lock receptacle, a console port, a reset button, and an AC power connection.
Figure 1-3
Viewed from left to right, the rear panel contains the following components:
1. Cable security lock receptacle.
2. Console port. Port for connecting to an optional console terminal. The ports has a DB9 male
connector. The default baud rate is 9600 K. The pinouts are: (2) Tx, (3) Rx, (5) and (7) Gnd.
3. Factory default Reset button. Using a sharp object, press and hold this button for about eight seconds until the front panel Test light flashes to reset the UTM to factory default settings. All configuration settings are lost and the default password is restored.
4. AC power receptacle. Universal AC input (100-240 VAC, 50-60 Hz).
Bottom Panel With Product Label
The product label on the bottom of the UTM’s enclosure displays factory default, regulatory compliance, and other information (see Figure 1-4 and Figure 1-5 on page 1-13).
1-12 Introduction
v1.0, September 2009
Loading...
+ 450 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use