Netgear UTM9S, UTM25, UTM5, UTM10, UTM50 Reference Guide

ProSecure Unified Threat Management (UTM) Appliance

Reference Manual
350 East Plumeria Drive San Jose, CA 95134 USA
September 2011, 202-10780-01, v1.0
ProSecure Unified Threat Management (UTM) Appliance
© 2009–2011 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.
Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/app/answers/detail/a_id/984.
Product Updates
Product updates are available on the NETGEAR website at http://prosecure.netgear.com or http://kb.netgear.com/app/home.
ProSecure Forum
Go to http://prosecure.netgear.com/community/forum.php for information about the ProSecure forum and to become part of the ProSecure community.
Trademarks
NETGEAR, the NETGEAR logo, ReadyNAS, ProSafe, ProSecure, Smart Wizard, Auto Uplink, X-RAID2, and NeoTV are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, Windows NT, and Vista are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use, or application of, the product(s) or circuit layout(s) described herein.
Revision History
Publication Part Number  Version  Publish Date  Comments
202-10780-01  1.0  September 2011
• Addition of the UTM9S with the following major new features:
- xDSL module (see Chapter 1, Introduction, and Chapter 3, Manually Configuring Internet and WAN Settings)
- Wireless module (see Chapter 1, Introduction, and Appendix B, Wireless Module for the UTM9S)
- ReadyNAS integration, quarantine options, and quarantine logs (see Connect to a ReadyNAS and Configure Quarantine Settings (UTM9S Only), Query the Quarantine Logs (UTM9S Only), and Appendix D, ReadyNAS Integration)
- PPTP server (see Configure the PPTP Server (UTM9S Only))
- L2TP server (see Configure the L2TP Server (UTM9S Only))
• Update of the VPN client sections with the new VPN client (see Chapter 7, Virtual Private Networking Using IPSec Connections)
202-10674-02  1.0  March 2011
• Addition of the UTM150.
• Removal of platform-specific chapters and sections because the UTM5, UTM10, and UTM25 now support the same web management interface menu layout that was already supported on the UTM50. The major changes for the UTM5, UTM10, and UTM25 are documented in Chapter 3, Manually Configuring Internet and WAN Settings, and in the following sections:
- Set Web Access Exception Rules
- Configure Authentication Domains, Groups, and Users
• Added new features (for all UTM models). The major new features are documented in the following sections:
- Electronic Licensing
- VLAN Rules
- Create Service Groups
- Create IP Groups
- Manage Digital Certificates for HTTPS Scans
- Update the Firmware
- View, Schedule, and Generate Reports
202-10674-01  1.0  September 2010
• Addition of the UTM50 and UTM50-specific chapters and sections.
• Revision of DMZ WAN and LAN DMZ default policies.
202-10482-03  1.0  May 2010
• Applied numerous nontechnical edits.
• Added the Requirements for Entering IP Addresses section.
• Added a note about the processing of normal email traffic in the Configure Distributed Spam Analysis section.
• Updated the NTP section.
202-10482-02  1.0  January 2010
• Updated the web management interface screens, made the manual platform-independent, added a model comparison table, and removed performance specifications (see marketing documentation for such specifications).
202-10482-01  1.0  September 2009
• Initial publication of this reference manual.

Contents

Chapter 1 Introduction
What Is the ProSecure Unified Threat Management (UTM) Appliance? . .13
Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing . . . . . . . . . . . . . . . . . . . . . .15
Wireless Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
DSL Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . .16
A Powerful, True Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Stream Scanning for Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . .16
Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Autosensing Ethernet Connections with Auto Uplink . . . . . . . . . . . . . . .17
Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Easy Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Model Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Service Registration Card with License Keys. . . . . . . . . . . . . . . . . . . . . . .20
Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Front Panel UTM5 and UTM10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Front Panel UTM25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Front Panel UTM50 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Front Panel UTM150 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Front Panel UTM9S and Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 . . . .27
LED Descriptions, UTM9S and Modules . . . . . . . . . . . . . . . . . . . . . . . .28
Rear Panel UTM5, UTM10, and UTM25 . . . . . . . . . . . . . . . . . . . . . . . .30
Rear Panel UTM50 and UTM150. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Rear Panel UTM9S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Bottom Panels with Product Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Choose a Location for the UTM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Use the Rack-Mounting Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network
Steps for Initial Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Qualified Web Browsers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Requirements for Entering IP Addresses . . . . . . . . . . . . . . . . . . . . . . . .38
Log In to the UTM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Web Management Interface Menu Layout . . . . . . . . . . . . . . . . . . . . . . .40
Use the Setup Wizard to Perform the Initial Configuration. . . . . . . . . . . . .42
Setup Wizard Step 1 of 10: LAN Settings. . . . . . . . . . . . . . . . . . . . . . . .43
Setup Wizard Step 2 of 10: WAN Settings . . . . . . . . . . . . . . . . . . . . . . .46
Setup Wizard Step 3 of 10: System Date and Time . . . . . . . . . . . . . . . .49
Setup Wizard Step 4 of 10: Services . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Setup Wizard Step 5 of 10: Email Security. . . . . . . . . . . . . . . . . . . . . . .53
Setup Wizard Step 6 of 10: Web Security . . . . . . . . . . . . . . . . . . . . . . .55
Setup Wizard Step 7 of 10: Web Categories to Be Blocked. . . . . . . . . .57
Setup Wizard Step 8 of 10: Email Notification . . . . . . . . . . . . . . . . . . . .59
Setup Wizard Step 9 of 10: Signatures & Engine. . . . . . . . . . . . . . . . . .60
Setup Wizard Step 10 of 10: Saving the Configuration . . . . . . . . . . . . .61
Verify Correct Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Test Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Test HTTP Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Register the UTM with NETGEAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Electronic Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Chapter 3 Manually Configuring Internet and WAN Settings
Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Automatically Detecting and Connecting the Internet Connections . . . . . .67
Set the UTM’s MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Manually Configure the Internet Connection . . . . . . . . . . . . . . . . . . . . . . .71
Configure the WAN Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Configure Network Address Translation (All Models). . . . . . . . . . . . . . .77
Configure Classical Routing (All Models) . . . . . . . . . . . . . . . . . . . . . . . .77
Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models) . . . . . . . . . . . . . . . . .78
Configure Load Balancing and Optional Protocol Binding . . . . . . . . . . .81
Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Configure Advanced WAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . .92
Chapter 4 LAN Configuration
Manage Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . .93
Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Assign and Manage VLAN Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Configure VLAN MAC Addresses and Advanced LAN Settings. . . . . .103
Configure Multihome LAN IPs on the Default VLAN . . . . . . . . . . . . . . . .104
Manage Groups and Hosts (LAN Groups) . . . . . . . . . . . . . . . . . . . . . . . .106
Manage the Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Change Group Names in the Network Database . . . . . . . . . . . . . . . . .110
Set Up Address Reservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Configure and Enable the DMZ Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Manage Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Configure Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configure Routing Information Protocol . . . . . . . . . . . . . . . . . . . . . . . . 118
Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Chapter 5 Firewall Protection
About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Use Rules to Block or Allow Specific Kinds of Traffic. . . . . . . . . . . . . . . .122
Service-Based Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Set LAN WAN Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Set DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Set LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Inbound Rule Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Outbound Rule Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Configure Other Firewall Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
VLAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Attack Checks, VPN Pass-through, and Multicast Pass-through. . . . .146
Set Session Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Manage the Application Level Gateway for SIP Sessions . . . . . . . . . . 151
Create Services, QoS Profiles, and Bandwidth Profiles. . . . . . . . . . . . . .152
Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Create Service Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Create Quality of Service Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Set a Schedule to Block or Allow Specific Traffic. . . . . . . . . . . . . . . . . . .163
Enable Source MAC Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Use the Intrusion Prevention System. . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Chapter 6 Content Filtering and Optimizing Scans
About Content Filtering and Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Default Email and Web Scan Settings . . . . . . . . . . . . . . . . . . . . . . . . .176
Configure Email Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Customize Email Protocol Scan Settings . . . . . . . . . . . . . . . . . . . . . . .178
Customize Email Antivirus and Notification Settings . . . . . . . . . . . . . . 179
Email Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Protect Against Email Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Configure Web and Services Protection . . . . . . . . . . . . . . . . . . . . . . . . .194
Customize Web Protocol Scan Settings and Services (Web Applications). . . . . . . . . . . . . . . . . . . . . . . . .194
Configure Web Malware Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Configure Web Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Configure Web URL Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
HTTPS Scan Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Manage Digital Certificates for HTTPS Scans . . . . . . . . . . . . . . . . . . .213
Specify Trusted Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Configure FTP Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Set Web Access Exception Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Create Custom Groups for Web Access Exceptions . . . . . . . . . . . . . .228
Create Custom Categories for Web Access Exceptions . . . . . . . . . . .231
Set Scanning Exclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Chapter 7 Virtual Private Networking Using IPSec Connections
Considerations for Dual WAN Port Systems (Multiple WAN Port Models Only). . . . . . . . . . . . . . . . . . . . . . . . . .237
Use the IPSec VPN Wizard for Client and Gateway Configurations . . . .239
Create Gateway-to-Gateway VPN Tunnels with the Wizard . . . . . . . .239
Create a Client-to-Gateway VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . .243
Test the Connection and View Connection and Status Information. . . . .258
Test the NETGEAR VPN Client Connection. . . . . . . . . . . . . . . . . . . . .258
NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . .260
View the UTM IPSec VPN Connection Status . . . . . . . . . . . . . . . . . . .260
View the UTM IPSec VPN Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Manage IKE Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Manage VPN Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .277
Configure XAUTH for VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
RADIUS Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Assign IP Addresses to Remote Users (Mode Config). . . . . . . . . . . . . . .281
Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Configure Mode Config Operation on the UTM . . . . . . . . . . . . . . . . . .281
Configure the ProSafe VPN Client for Mode Config Operation . . . . . .288
Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Modify or Delete a Mode Config Record. . . . . . . . . . . . . . . . . . . . . . . .296
Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .297
Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .299
Configure the PPTP Server (UTM9S Only) . . . . . . . . . . . . . . . . . . . . . . .300
View the Active PPTP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Configure the L2TP Server (UTM9S Only). . . . . . . . . . . . . . . . . . . . . . . .303
View the Active L2TP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
Chapter 8 Virtual Private Networking Using SSL Connections
SSL VPN Portal Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Use the SSL VPN Wizard for Client Configurations. . . . . . . . . . . . . . . . . 307
SSL VPN Wizard Step 1 of 6 (Portal Settings). . . . . . . . . . . . . . . . . . .308
SSL VPN Wizard Step 2 of 6 (Domain Settings) . . . . . . . . . . . . . . . . .310
SSL VPN Wizard Step 3 of 6 (User Settings). . . . . . . . . . . . . . . . . . . . 314
SSL VPN Wizard Step 4 of 6 (Client Addresses and Routes) . . . . . . .316
SSL VPN Wizard Step 5 of 6 (Port Forwarding). . . . . . . . . . . . . . . . . . 317
SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings) . . . . . .319
Access the New SSL Portal Login Screen . . . . . . . . . . . . . . . . . . . . . .320
View the UTM SSL VPN Connection Status . . . . . . . . . . . . . . . . . . . . 322
View the UTM SSL VPN Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Manually Configure and Edit SSL Connections . . . . . . . . . . . . . . . . . . . .323
Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . .328
Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . .328
Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Use Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . 334
Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . .336
Chapter 9 Managing Users, Authentication, and VPN Certificates
Authentication Process and Options . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Configure Authentication Domains, Groups, and Users. . . . . . . . . . . . . .345
Login Portals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Active Directories and LDAP Configurations . . . . . . . . . . . . . . . . . . . .349
Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Configure Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Set User Login Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . . 369
DC Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Configure RADIUS VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Configure Global User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
View and Log Out Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . .381
VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Manage CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Manage Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Manage the Certificate Revocation List . . . . . . . . . . . . . . . . . . . . . . . .388
Chapter 10 Network and System Management
Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Use QoS and Bandwidth Assignments to Shift the Traffic Mix. . . . . . .396
Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .396
System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Change Passwords and Administrator and Guest Settings . . . . . . . . .397
Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .399
Use a Simple Network Management Protocol Manager. . . . . . . . . . . .401
Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Update the Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Update the Scan Signatures and Scan Engine Firmware . . . . . . . . . .410
Configure Date and Time Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Connect to a ReadyNAS and Configure Quarantine Settings (UTM9S Only). . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Log Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Connect to a ReadyNAS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Configure the Quarantine Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Chapter 11 Monitoring System Access and Performance
Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . .422
Configure the Email Notification Server . . . . . . . . . . . . . . . . . . . . . . . .422
Configure and Activate System, Email, and Syslog Logs. . . . . . . . . . .423
How to Send Syslogs over a VPN Tunnel between Sites. . . . . . . . . . .427
Configure and Activate Update Failure and Attack Alerts. . . . . . . . . . .429
Configure and Activate Firewall Logs. . . . . . . . . . . . . . . . . . . . . . . . . .432
Monitor Real-Time Traffic, Security, and Statistics. . . . . . . . . . . . . . . . . .433
View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
View the Active VPN Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
View the VPN Tunnel Connection Status. . . . . . . . . . . . . . . . . . . . . . .452
View the PPTP and L2TP Server Status (UTM9S Only) . . . . . . . . . . .453
View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454
View the WAN Ports Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456
View Attached Devices and the DHCP Log . . . . . . . . . . . . . . . . . . . . .457
Query the Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Query and Download Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461
Example: Use the Logs to Identify Infected Clients . . . . . . . . . . . . . . .466
Log Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
Query the Quarantine Logs (UTM9S Only) . . . . . . . . . . . . . . . . . . . . . . .467
Query the Quarantined Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
View and Manage the Quarantined Spam Table . . . . . . . . . . . . . . . . .470
View and Manage the Quarantined Infected Files Table . . . . . . . . . . .471
Spam Reports for End Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
View, Schedule, and Generate Reports. . . . . . . . . . . . . . . . . . . . . . . . . .473
Report Filtering Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474
Use Report Templates and View Reports Onscreen . . . . . . . . . . . . . .476
Schedule, Email, and Manage Reports . . . . . . . . . . . . . . . . . . . . . . . .480
Use Diagnostics Utilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Use the Network Diagnostic Tools (All UTM Models Except the UTM9S). . . . . . . . . . . . . . . . . . . . . . . . .483
Use the Network Diagnostic Tools (UTM9S) . . . . . . . . . . . . . . . . . . . .484
Use the Real-Time Traffic Diagnostics Tool (All UTM Models Except the UTM9S). . . . . . . . . . . . . . . . . . . . . . . . .486
Use the Real-Time Traffic Diagnostics Tool (UTM9S) . . . . . . . . . . . . . 487
Gather Important Log Information and Generate a Network Statistics Report (All Models) . . . . . . . . . . . . . . . . . . . . . . . . 488
Chapter 12 Troubleshooting and Using Online Support
Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493
Troubleshoot the Web Management Interface. . . . . . . . . . . . . . . . . . . . .493
When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . .494
Troubleshoot the ISP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494
Troubleshoot a TCP/IP Network Using a Ping Utility . . . . . . . . . . . . . . . . 496
Test the LAN Path to Your UTM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Test the Path from Your PC to a Remote Device. . . . . . . . . . . . . . . . .497
Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .498
Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Use Online Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Enable Remote Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Send Suspicious Files to NETGEAR for Analysis . . . . . . . . . . . . . . . .500
Access the Knowledge Base and Documentation . . . . . . . . . . . . . . . .501
Appendix A xDSL Module for the UTM9S
xDSL Module Configuration Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502
Configure the xDSL Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Automatically Detecting and Connecting the Internet Connection. . . . . . 505
Set the UTM’s MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Manually Configure the Internet Connection . . . . . . . . . . . . . . . . . . . . . .508
Configure the WAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Configure Network Address Translation. . . . . . . . . . . . . . . . . . . . . . . . 513
Configure Classical Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Configure Auto-Rollover Mode and the Failure Detection Method. . . .514
Configure Load Balancing and Optional Protocol Binding . . . . . . . . . .517
Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523
Configure Advanced WAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . .526
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . .528
Appendix B Wireless Module for the UTM9S
Overview of the Wireless Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .529
Configuration Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Wireless Equipment Placement and Range Guidelines. . . . . . . . . . . .530
Configure the Basic Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531
Operating Frequency (Channel) Guidelines. . . . . . . . . . . . . . . . . . . . .534
Wireless Data Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Wireless Security Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
Before You Change the SSID, WEP, and WPA Settings. . . . . . . . . . .537
Configure and Enable Wireless Security Profiles. . . . . . . . . . . . . . . . .538
Configure the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .542
Restrict Wireless Access by MAC Address . . . . . . . . . . . . . . . . . . . . .545
View the Access Point Status and Connected Clients . . . . . . . . . . . . .546
Configure a Wireless Distribution System . . . . . . . . . . . . . . . . . . . . . . . .548
Configure Advanced Radio Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . .549
Configure Advanced Profile and WMM QoS Priority Settings . . . . . . . . .551
Advanced Profile Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
WMM QoS Priority Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553
Test Basic Wireless Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .554
Appendix C Network Planning for Dual WAN Ports
(Multiple WAN Port Models Only)
What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . .557
Computer Network Configuration Requirements . . . . . . . . . . . . . . . . .558
Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . .558
Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .560
Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561
Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .562
Inbound Traffic to a Dual WAN Port System . . . . . . . . . . . . . . . . . . . .562
Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563
VPN Road Warrior (Client-to-Gateway) . . . . . . . . . . . . . . . . . . . . . . . .564
VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
VPN Telecommuter (Client-to-Gateway through a NAT Router) . . . . .569
Appendix D ReadyNAS Integration
Supported ReadyNAS Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .572
Install the UTM9S Add-On on the ReadyNAS . . . . . . . . . . . . . . . . . . . . .573
Connect to the ReadyNAS on the UTM9S . . . . . . . . . . . . . . . . . . . . . . . .575
Appendix E Two-Factor Authentication
Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .578
What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . .578
What Is Two-Factor Authentication?. . . . . . . . . . . . . . . . . . . . . . . . . . .579
NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . .579
Appendix F System Logs and Error Messages
System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
Service Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Login/Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
Traffic Metering Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589
Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .589
Invalid Packet Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590
Content-Filtering and Security Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Web Filtering and Content-Filtering Logs. . . . . . . . . . . . . . . . . . . . . . .592
Spam Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Traffic Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Virus Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .595
Email Filter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .595
IPS Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Port Scan Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Application Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
LAN-to-WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
LAN-to-DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
DMZ-to-WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
WAN-to-LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
DMZ-to-LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
WAN-to-DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Appendix G Default Settings and Technical Specifications
Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .601
Appendix H Notification of Compliance (Wired)
Appendix I Notification of Compliance (Wireless)
Index

1. Introduction

This chapter provides an overview of the features and capabilities of the NETGEAR ProSecure™ Unified Threat Management (UTM) Appliance. This chapter contains the following sections:
What Is the ProSecure Unified Threat Management (UTM) Appliance?
Key Features and Capabilities
Service Registration Card with License Keys
Package Contents
Hardware Features
Choose a Location for the UTM
Note: For more information about the topics covered in this manual, visit the NETGEAR support website at http://support.netgear.com.

What Is the ProSecure Unified Threat Management (UTM) Appliance?

The ProSecure Unified Threat Management (UTM) Appliance, hereafter referred to as the UTM, connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems, DSL modems, satellite dishes, or wireless ISP radio antennas, or a combination of those. Dual wide area network (WAN) ports allow you to increase the effective data rate to the Internet by utilizing both WAN ports to carry session traffic, or to maintain a backup connection in case of failure of your primary Internet connection.
As a complete security solution, the UTM combines a powerful, flexible firewall with a content scan engine that uses NETGEAR Stream Scanning technology to protect your network from denial of service (DoS) attacks, unwanted traffic, traffic with objectionable content, spam, phishing, and web-borne threats such as spyware, viruses, and other malware threats.
The UTM provides advanced IPSec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds.
The UTM is a plug-and-play device that can be installed and configured within minutes.

Key Features and Capabilities

The UTM provides the following key features and capabilities:
For the single WAN port models, a single 10/100/1000 Mbps Gigabit Ethernet WAN port.
For the multiple WAN port models, dual or quad 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover protection of your Internet connection, providing increased system reliability or increased data rate.
Built-in four- or six-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources.
Wireless module (UTM9S only) for either 2.4-GHz or 5-GHz wireless modes.
xDSL module (UTM9S only) for ADSL and VDSL.
Advanced IPSec VPN and SSL VPN support.
Depending on the model, bundled with a one-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
Advanced Stateful Packet Inspection (SPI) firewall with multi-NAT support.
Patent-pending Stream Scanning technology that enables scanning of real-time protocols such as HTTP.
Comprehensive web and email security, covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP.
Malware database containing hundreds of thousands of signatures of spyware, viruses, and other malware threats.
Very frequently updated malware signatures, hourly if required. The UTM can automatically check for new malware signatures as frequently as every 15 minutes.
Multiple antispam technologies to provide extensive protection against unwanted mail.
Easy, web-based wizard setup for installation and management.
SNMP manageable.
Front panel LEDs for easy monitoring of status and activity.
Flash memory for firmware upgrade.
Internal universal switching power supply.

Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing

The UTM product line offers models with two broadband WAN ports. The second WAN port allows you to connect a second broadband Internet line that can be configured on a mutually exclusive basis to:
Provide backup and rollover if one line is inoperable, ensuring that you are never disconnected.
Load balance, or use both Internet lines simultaneously for outgoing traffic. A UTM with dual WAN ports balances users between the two lines for maximum bandwidth efficiency.
See Appendix C, Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) for the planning factors to consider when implementing the following capabilities with dual WAN port gateways:
Single or multiple exposed hosts
Virtual private networks

Wireless Features

Wireless client connections are supported on the UTM9S with a UTM9SWLSN wireless module installed. The UTM9S supports the following wireless features:
2.4-GHz radio and 5-GHz radio. Either 2.4-GHz band support with 802.11b/g/n wireless modes or 5-GHz band support with 802.11a/n wireless modes.
WMM QoS priority. Wi-Fi Multimedia (WMM) Quality of Service (QoS) priority settings to map one of four queues to each Differentiated Services Code Point (DSCP) value.
Wireless Distribution System (WDS). WDS enables expansion of a wireless network through two or more access points that are interconnected.
Access control. The Media Access Control (MAC) address filtering feature can ensure that only trusted wireless stations can use the UTM to gain access to your LAN.
Hidden mode. The SSID is not broadcast, assuring that only clients configured with the correct SSID can connect.
Secure and economical operation. Adjustable power output allows more secure or economical operation.

DSL Features

DSL is supported on the UTM9S with a UTM9SDSL xDSL module installed. The UTM9S automatically detects the following types of DSL connections:
ADSL, ADSL2, and ADSL2+
VDSL and VDSL2
Annex A, Annex B, and Annex M are supported to accommodate PPPoE, PPPoA, and IPoA ISP connections.

Advanced VPN Support for Both IPSec and SSL

The UTM supports IPSec and SSL virtual private network (VPN) connections.
IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
- IPSec VPN with broad protocol support for secure connection to other IPSec gateways and clients.
- Depending on the model, bundled with a one-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
SSL VPN provides remote access for mobile users to selected corporate resources without requiring a preinstalled VPN client on their computers.
- Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
- Allows browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
- Provides granular access to corporate resources based on user type or group membership.

A Powerful, True Firewall

Unlike simple NAT routers, the UTM is a true firewall, using Stateful Packet Inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities:
DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN flood.
Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
Schedule policies. Permits scheduling of firewall policies by day and time.
Logs security incidents. Logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.

Stream Scanning for Content Filtering

Stream Scanning is based on the simple observation that network traffic travels in streams. The UTM scan engine starts receiving and analyzing traffic as the stream enters the network. As soon as a number of bytes are available, scanning starts. The scan engine continues to scan more bytes as they become available, while at the same time another thread starts to deliver the bytes that have been scanned.
This multithreaded approach, in which the receiving, scanning, and delivering processes occur concurrently, ensures that network performance remains unimpeded. The result is that file scanning is up to five times faster than with traditional antivirus solutions—a performance advantage that you will notice.
Stream Scanning also enables organizations to withstand massive spikes in traffic, as in the event of a malware outbreak. The scan engine has the following capabilities:
Real-time protection. The patent-pending Stream Scanning technology enables scanning of previously undefended real-time protocols, such as HTTP. Network activities susceptible to latency (for example, web browsing) are no longer brought to a standstill.
Comprehensive protection. Provides both web and email security, covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP. The UTM uses enterprise-class scan engines employing both signature-based and distributed spam analysis to stop both known and unknown threats. The malware database contains hundreds of thousands of signatures of spyware, viruses, and other malware.
Objectionable traffic protection. The UTM prevents objectionable content from reaching your computers. You can control access to the Internet content by screening for web services, web addresses, and keywords within web addresses. You can log and report attempts to access objectionable Internet sites.
Automatic signature updates. Malware signatures are updated as frequently as every hour, and the UTM can check automatically for new signatures as frequently as every 15 minutes.
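The receive, scan, and deliver pipeline described above, as an added illustration that is not NETGEAR's Stream Scanning code: three concurrent stages, where the scan stage releases bytes only once they can no longer be part of an undetected signature, holding back a short tail so that a pattern split across two chunks is still caught. SAMPLE_SIGNATURES and the HTTP-like chunks are constructed placeholders.

```python
"""Constructed stream-scanning sketch (added example, not the UTM's engine)."""
import queue
import threading

# Constructed placeholder signatures; not real malware signatures.
SAMPLE_SIGNATURES = [b"BAD-PAYLOAD-MARKER", b"DROP TABLE"]


class StreamScanner:
    """Scan a byte stream chunk by chunk and release bytes as they are cleared.

    The last (longest signature length - 1) bytes of every window are held
    back: a signature could start there and finish in the next chunk, so those
    bytes are not clean until more data (or end of stream) arrives.
    """

    def __init__(self, signatures):
        self.signatures = list(signatures)
        self.holdback = max(len(s) for s in self.signatures) - 1
        self.tail = b""          # bytes scanned but not yet released
        self.infected = False
        self.matched = None

    def feed(self, chunk):
        """Scan the held-back tail plus chunk; return bytes cleared for delivery."""
        if self.infected:
            return b""
        window = self.tail + chunk
        for sig in self.signatures:
            if sig in window:
                self.infected, self.matched = True, sig
                self.tail = b""  # drop everything not yet delivered
                return b""
        if len(window) <= self.holdback:
            self.tail = window   # too short to clear anything yet
            return b""
        split = len(window) - self.holdback
        cleared, self.tail = window[:split], window[split:]
        return cleared

    def finish(self):
        """End of stream: the tail was already scanned in full, so it is clean."""
        cleared, self.tail = self.tail, b""
        return b"" if self.infected else cleared


def stream_scan(chunks, signatures):
    """Run receiver -> scanner -> deliverer as three concurrent threads.

    Returns (delivered_bytes, infected, matched_signature). Bytes released
    before a match cannot be recalled; that is the cost of low latency.
    """
    inbound, outbound = queue.Queue(), queue.Queue()
    scanner = StreamScanner(signatures)
    delivered = []
    EOF = object()

    def receiver():                      # stage 1: bytes arrive from the wire
        for c in chunks:
            inbound.put(c)
        inbound.put(EOF)

    def scan_stage():                    # stage 2: scan as bytes become available
        while True:
            c = inbound.get()
            if c is EOF:
                outbound.put(scanner.finish())
                outbound.put(EOF)
                return
            outbound.put(scanner.feed(c))

    def deliverer():                     # stage 3: forward cleared bytes
        while True:
            c = outbound.get()
            if c is EOF:
                return
            if c:
                delivered.append(c)

    threads = [threading.Thread(target=f) for f in (receiver, scan_stage, deliverer)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return b"".join(delivered), scanner.infected, scanner.matched


if __name__ == "__main__":
    # Constructed HTTP-like stream with a signature straddling the chunk boundary.
    chunks = [b"GET /index.html HTTP/1.1\r\nBAD-PAY", b"LOAD-MARKERxyz"]
    print(stream_scan(chunks, SAMPLE_SIGNATURES))
    print(stream_scan([b"hello ", b"world"], SAMPLE_SIGNATURES))
```

With the straddling input only "GET /index.html " reaches the client before the match stops delivery; a clean stream is delivered in full once the end of stream releases the held-back tail.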

Security Features

The UTM is equipped with several features designed to maintain security:
PCs hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
Port forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the UTM allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
DMZ port. Incoming traffic from the Internet is usually discarded by the UTM unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated demilitarized zone (DMZ) port to forward the traffic to one PC on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal four- or six-port 10/100/1000 Mbps switch and single or dual (model-dependent) 10/100/1000 WAN ports, the UTM can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The four LAN and one or two WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
The UTM incorporates Auto Uplink™ technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection such as to a PC or an uplink connection such as to a switch or hub. That port then configures itself correctly. This feature eliminates the need for you to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.

Extensive Protocol Support

The UTM supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see Internet Configuration Requirements on page 558. The UTM provides the following protocol support:
IP address sharing by NAT. The UTM allows many networked PCs to share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.
Automatic configuration of attached PCs by DHCP. The UTM dynamically assigns network configuration information, including IP, gateway, and Domain Name Server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.
Quality of Service (QoS). The UTM supports QoS, including traffic prioritization and traffic classification with Type of Service (ToS) and Differentiated Services Code Point (DSCP) marking.

Easy Installation and Management

You can install, configure, and operate the UTM within minutes after connecting it to the network. The following features simplify installation and management tasks:
Browser-based management. Browser-based configuration allows you to easily configure the UTM from almost any type of operating system, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based web management interface.
Autodetection of ISP. The UTM automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
IPSec VPN Wizard. The UTM includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
SSL VPN Wizard. The UTM includes the NETGEAR SSL VPN Wizard so you can easily configure SSL connections over VPN according to the recommendations of the VPNC. This ensures that the SSL connections are interoperable with other VPNC-compliant VPN routers and clients.
SNMP. The UTM supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
Diagnostic functions. The UTM incorporates built-in diagnostic functions such as ping, traceroute, DNS lookup, and remote reboot.
Remote management. The UTM allows you to log in to the web management interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
Visual monitoring. The UTM’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the UTM:
Flash memory for firmware upgrades.
Technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR ProSecure website at http://prosecure.netgear.com/support/index.php.

Model Comparison

The following table compares the UTM models to show the differences. For performance specifications and sizing guidelines, see NETGEAR’s marketing documentation at http://prosecure.netgear.com.
Table 1. Differences between the UTM models

Feature                                     UTM5     UTM9S    UTM10    UTM25    UTM50    UTM150
IPSec VPN tunnels
  Number of supported site-to-site IPSec VPN tunnels (from which the model derives its model number, with the exception of the UTM9S)
                                            5        10       10       25       50       150
Hardware
  LAN ports (Gigabit RJ-45)                 4        4        4        4        6        4
  WAN ports (Gigabit RJ-45)                 1        2        1        2        2        4
  DMZ interfaces (configurable)             1        1        1        1        1        1
  USB ports                                 1        1        1        1        1        1
  Console ports (RS232)                     1        1        1        1        1        1
  Flash memory                              2 GB     2 GB     2 GB     2 GB     2 GB     2 GB
  RAM                                       512 MB   512 MB   512 MB   1 GB     1 GB     1 GB
Modules
  xDSL module with RJ11 port                No       Yes      No       No       No       No
  Wireless module                           No       Yes      No       No       No       No
Deployment
  VLAN support                              Yes      Yes      Yes      Yes      Yes      Yes
  Dual WAN auto-rollover mode               No       Yes      No       Yes      Yes      Yes
  Dual WAN load balancing mode              No       Yes      No       Yes      Yes      Yes
  Single WAN mode                           Yes      Yes      Yes      Yes      Yes      Yes

Service Registration Card with License Keys

Be sure to store the license key card that came with your UTM (see a sample card in the following figure) in a secure location. If you do not use electronic licensing (see Electronic Licensing on page 64), you need these service license keys to activate your product during the initial setup.
Figure 1.
Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Register the UTM with NETGEAR on page 62), the license keys are erased. The license keys and the different types of licenses that are available for the UTM are no longer displayed on the Registration screen. However, after you have reconfigured the UTM to connect to the Internet and to the NETGEAR registration server, the UTM retrieves and restores all registration information based on its MAC address and hardware serial number. You do not need to reenter the license keys and reactivate the UTM.

Package Contents

The UTM product package contains the following items:
ProSecure Unified Threat Management (UTM) Appliance
One AC power cable
Rubber feet (4)
One rack-mounting kit (depends on UTM model)
ProSecure Unified Threat Management UTM Installation Guide
Resource CD, including:
- Application Notes and other helpful information
- ProSafe VPN Client software (VPN01L) (depends on the UTM model)
Service Registration Card with license key(s)
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

Hardware Features

The front panel ports and LEDs, rear panel ports, and bottom labels of the UTM models are described in the following sections:
Front Panel UTM5 and UTM10
Front Panel UTM25
Front Panel UTM50
Front Panel UTM150
Front Panel UTM9S and Modules
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150
LED Descriptions, UTM9S and Modules
Rear Panel UTM5, UTM10, and UTM25
Rear Panel UTM50 and UTM150
Rear Panel UTM9S
Bottom Panels with Product Labels

Front Panel UTM5 and UTM10

Viewed from left to right, the UTM5 and UTM10 front panel contains the following ports:
One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet port. One independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet port with an RJ-45 connector.
The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 2 on page 27. In addition, the front panel provides some LED explanation to the left of the LAN ports.
Figure 2. Front panel UTM5 and UTM10 (figure callouts: Power LED, Test LED, Left LAN LEDs, Right LAN LEDs, DMZ LED, Left WAN LEDs, Right WAN LEDs, Active WAN LEDs, USB port)

Front Panel UTM25

Viewed from left to right, the UTM25 front panel contains the following ports:
One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of status indicator LEDs, including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 2 on page 27. In addition, the front panel provides some LED explanation to the left of the LAN ports.
Figure 3. Front panel UTM25

Front Panel UTM50

Viewed from left to right, the UTM50 front panel contains the following ports (see the following figure):
One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports. Six switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of status indicator LEDs, including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 2 on page 27. In addition, the front panel provides some LED explanation to the right of the WAN ports.
Figure 4. Front panel UTM50

Front Panel UTM150

Viewed from left to right, the UTM150 front panel contains the following ports:
One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM.
LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports. Four independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of status indicator LEDs, including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 2 on page 27. In addition, the front panel provides some LED explanation to the right of the WAN ports.
Figure 5. Front panel UTM150 (figure callouts: Power LED, Test LED, Left LAN LEDs, Right LAN LEDs, DMZ LED, Left WAN LEDs, Right WAN LEDs, Active WAN LEDs, USB port)

Front Panel UTM9S and Modules

Viewed from left to right, the UTM9S front panel contains the following ports and slots:
One nonfunctioning USB port. This port is included for future management enhancements. The port is currently not operable on the UTM9S.
LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of status indicator LEDs, including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 3 on page 28. Some LED explanation is provided on the front panel below the LAN and WAN ports.
Figure 6. Front panel UTM9S (figure callouts: Power LED, Test LED, Left LAN LEDs, Right LAN LEDs, DMZ LED, Left WAN LEDs, Right WAN LEDs, Active WAN LEDs, USB port, USB LED, Slot 1, Slot 2)
UTM9SDSL xDSL Module
The following xDSL modules are available for insertion in one of the UTM9S slots:
UTM9SDSLA. VDSL/ADSL2+ module, Annex A.
UTM9SDSLB. VDSL/ADSL2+ module, Annex B.
The xDSL module provides one RJ-11 port for connection to a telephone line. The two LEDs are explained in Table 3 on page 28.
Figure 7. UTM9SDSL xDSL module
UTM9SWLSN Wireless Module
The wireless module (UTM9SWLSN) can be inserted in one of the UTM9S slots. The wireless module does not provide any ports. The antennas are detachable. The two LEDs are explained in Table 3 on page 28.
Figure 8. UTM9SWLSN wireless module

LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150

The following table describes the function of each LED.
Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150

Power LED
  On (green): Power is supplied to the UTM.
  Off: Power is not supplied to the UTM.
Test LED
  On (amber) during startup: Test mode. The UTM is initializing. After approximately 2 minutes, when the UTM has completed its initialization, the Test LED goes off.
  On (amber) during any other time: The initialization has failed, or a hardware failure has occurred.
  Blinking (amber): The UTM is writing to flash memory (during upgrading or resetting to defaults).
  Off: The UTM has booted successfully.
LAN ports
  Left LED
    Off: The LAN port has no link.
    On (green): The LAN port has detected a link with a connected Ethernet device.
    Blinking (green): Data is being transmitted or received by the LAN port.
  Right LED
    Off: The LAN port is operating at 10 Mbps.
    On (amber): The LAN port is operating at 100 Mbps.
    On (green): The LAN port is operating at 1000 Mbps.
DMZ LED
  Off: Port 4 (UTM5, UTM9S, UTM10, UTM25, and UTM150) or port 6 (UTM50) is operating as a normal LAN port.
  On (green): Port 4 (UTM5, UTM9S, UTM10, UTM25, and UTM150) or port 6 (UTM50) is operating as a dedicated hardware DMZ port.
WAN ports
  Left LED
    Off: The WAN port has no physical link, that is, no Ethernet cable is plugged into the UTM.
    On (green): The WAN port has a valid connection with a device that provides an Internet connection.
    Blinking (green): Data is being transmitted or received by the WAN port.
  Right LED
    Off: The WAN port is operating at 10 Mbps.
    On (amber): The WAN port is operating at 100 Mbps.
    On (green): The WAN port is operating at 1000 Mbps.
  Active LED (multiple WAN port models only)
    Off: The WAN port either is not enabled or has no link to the Internet.
    On (green): The WAN port has a valid Internet connection.

LED Descriptions, UTM9S and Modules

The following table describes the function of each LED on the UTM9S and the modules.
Table 3. LED descriptions UTM9S
Power LED
  On (green): Power is supplied to the UTM.
  Off: Power is not supplied to the UTM.
Test LED
  On (amber) during startup: Test mode. The UTM is initializing. After approximately 2 minutes, when the UTM has completed its initialization, the Test LED goes off.
  On (amber) during any other time: The initialization has failed, or a hardware failure has occurred.
  Blinking (amber): The UTM is writing to flash memory (during upgrading or resetting to defaults).
  Off: The UTM has booted successfully.
USB LED
  Nonfunctioning: The USB port is currently not operable on the UTM9S.
LAN ports
  Left LED
    Off: The LAN port has no link.
    On (green): The LAN port has detected a link with a connected Ethernet device.
    Blinking (green): Data is being transmitted or received by the LAN port.
  Right LED
    Off: The LAN port is operating at 10 Mbps.
    On (amber): The LAN port is operating at 100 Mbps.
    On (green): The LAN port is operating at 1000 Mbps.
DMZ LED
  Off: Port 4 is operating as a normal LAN port.
  On (green): Port 4 is operating as a dedicated hardware DMZ port.
WAN ports
  Left LED
    Off: The WAN port has no physical link, that is, no Ethernet cable is plugged into the UTM.
    On (green): The WAN port has a valid connection with a device that provides an Internet connection.
    Blinking (green): Data is being transmitted or received by the WAN port.
  Right LED
    Off: The WAN port is operating at 10 Mbps.
    On (amber): The WAN port is operating at 100 Mbps.
    On (green): The WAN port is operating at 1000 Mbps.
  Active LED
    Off: The WAN port either is not enabled or has no link to the Internet.
    On (green): The WAN port has a valid Internet connection.
Wireless module
  Module Status LED
    Off: The module is not enabled.
    On (green): The module is enabled.
  Wireless Link LED
    Off: The wireless access point is not enabled.
    On (green): The wireless access point is enabled in 2.4-GHz operating mode.
    Blinking (green): There is wireless activity in 2.4-GHz operating mode.
    On (yellow): The wireless access point is enabled in 5-GHz operating mode.
    Blinking (yellow): There is wireless activity in 5-GHz operating mode.
xDSL module
  Module Status LED
    Off: The module either is not enabled or has no link to the telephone line.
    On (green): The module is enabled or has a link to the telephone line.
  Link LED
    Off: The xDSL port has no Internet connection.
    On (green): The xDSL port functions in ADSL mode.
    On (yellow): The xDSL port functions in VDSL mode.

Rear Panel UTM5, UTM10, and UTM25

The rear panel of the UTM includes a cable lock receptacle, a console port, a factory default Reset button, and an AC power connection.
Figure 9. Rear panel of the UTM5, UTM10, and UTM25
Viewed from left to right, the rear panel of the UTM5, UTM10, and UTM25 contains the following components:
1. Cable security lock receptacle.
2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd.
3. Factory default Reset button. Using a sharp object, press and hold this button for about 8 seconds until the front panel Test LED flashes to reset the UTM to factory default settings. Configuration changes are lost, and the default password is restored.
4. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).

Rear Panel UTM50 and UTM150

The rear panel of the UTM includes a cable lock receptacle, a console port, a factory default Reset button, and an AC power connection.
Figure 10. Rear panel of the UTM50 and UTM150
Viewed from left to right, the rear panel of the UTM50 and UTM150 contains the following components:
1. Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd.
2. Factory default Reset button. Using a sharp object, press and hold this button for about 8 seconds until the front panel Test LED flashes to reset the UTM to factory default settings. Configuration changes are lost, and the default password is restored.
3. Cable security lock receptacle.
4. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).

Rear Panel UTM9S

Figure 11. Rear panel of the UTM9S
Viewed from left to right, the rear panel of the UTM9S contains the following components:
1. Cable security lock receptacle.
2. Factory default Reset button. Using a sharp object, press and hold this button for about 8 seconds until the front panel Test LED flashes to reset the UTM to factory default settings. Configuration changes are lost, and the default password is restored.
3. Console switch to select the console connection: Main Board (left position), Slot 1 (middle position), or Slot 2 (right position).
4. Console port (9600,N,8,1). Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd.
5. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).
6. Power On/Off switch.

Bottom Panels with Product Labels

The product label on the bottom of the UTM’s enclosure displays factory defaults settings, regulatory compliance, and other information.
The following figure shows the product label for the UTM5:
Figure 12.
The following figure shows the product label for the UTM10:
Figure 13.
The following figure shows the product label for the UTM25:
Figure 14.
The following figure shows the product label for the UTM50:
Figure 15.
The following figure shows the product label for the UTM150:
Figure 16.
The following figure shows the product label for the UTM9S:
Figure 17.

Choose a Location for the UTM

The UTM is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the UTM in a wiring closet or equipment room. A rack-mounting kit, containing two mounting brackets and four screws, is provided in the package for the multiple WAN port models.
Consider the following when deciding where to position the UTM:
• The unit is accessible, and cables can be connected easily.
• Cabling is away from sources of electrical noise. These include lift shafts, microwave ovens, and air-conditioning units.
• Water or moisture cannot enter the case of the unit.
• Airflow around the unit and through the vents in the side of the case is not restricted. Provide a minimum of 25 mm or 1 inch clearance.
• The air is as free of dust as possible.
• Temperature operating limits are not likely to be exceeded. Install the unit in a clean, air-conditioned environment. For information about the recommended operating temperatures for the UTM, see Appendix G, Default Settings and Technical Specifications.
Note: For the UTM9S, see also Wireless Equipment Placement and Range Guidelines on page 530.

Use the Rack-Mounting Kit

Use the mounting kit for the UTM to install the appliance in a rack. (A mounting kit is provided in the package for the multiple WAN port models.) Attach the mounting brackets using the hardware that is supplied with the mounting kit.
Figure 18.
Before mounting the UTM in a rack, verify that:
• You have the correct screws (supplied with the installation kit).
• The rack onto which you will mount the UTM is suitably located.
2. Using the Setup Wizard to Provision the
UTM in Your Network
This chapter explains how to log in to the UTM and use the web management interface, how to use the Setup Wizard to provision the UTM in your network, and how to register the UTM with NETGEAR. The chapter contains the following sections:
Steps for Initial Connection
Log In to the UTM
Use the Setup Wizard to Perform the Initial Configuration
Verify Correct Installation
Register the UTM with NETGEAR
What to Do Next

Steps for Initial Connection

Typically, the UTM is installed as a network gateway to function as a combined LAN switch, firewall, and content scan engine to protect the network from all incoming and outgoing malware threats.
Generally, five steps are required to complete the basic and security configuration of your UTM:
1. Connect the UTM physically to your network. Connect the cables and restart your network according to the instructions in the Installation Guide. See the ProSecure Unified Threat Management UTM Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://www.prosecure.netgear.com/resources/document-library.php.
2. Log in to the UTM. After logging in, you are ready to set up and configure your UTM. See Log In to the UTM on page 38.
3. Use the Setup Wizard to configure basic connections and security. During this phase, you connect the UTM to one or more ISPs (more than one ISP applies to multiple WAN port models only). See Use the Setup Wizard to Perform the Initial Configuration on page 42.
4. Verify the installation. See Verify Correct Installation on page 61.
5. Register the UTM. See Register the UTM with NETGEAR on page 62.
Each of these tasks is described separately in this chapter. The configuration of the WAN mode (required for multiple WAN port models), Dynamic DNS, and other WAN options is described in Chapter 3, Manually Configuring Internet and WAN Settings.
The configuration of LAN, firewall, scanning, VPN, management, and monitoring features is described in later chapters.

Qualified Web Browsers

To configure the UTM, you need to use a web browser such as Microsoft Internet Explorer 6 or later, Mozilla Firefox 3 or later, or Apple Safari 3 or later with JavaScript, cookies, and SSL enabled.
Although these web browsers are qualified for use with the UTM’s web management interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is required only for the SSL VPN portal, not for the web management interface.

Requirements for Entering IP Addresses

The fourth octet of an IP address needs to be between 1 and 254 (both inclusive). This requirement applies to any IP address that you enter on a screen of the web management interface.

Log In to the UTM

To connect to the UTM, your computer needs to be configured to obtain an IP address automatically from the UTM through DHCP.
To connect and log in to the UTM:
1. Start any of the qualified web browsers, as explained in the previous section, Qualified Web Browsers.
2. In the address field, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays in the browser. (The following figure shows the screen for the UTM50.) This screen also provides the User Portal Login Link. For general information about the User Portal Login Link, see Access the New SSL Portal Login Screen on page 320; for platform-specific information, see Login Portals on page 345.
Note: The UTM factory default IP address is 192.168.1.1. If you change the IP address, you need to use the IP address that you assigned to the UTM to log in to the UTM.
Figure 19.
3. In the User Name field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here, too, use lowercase letters.
Note: The UTM user name and password are not the same as any user name or password you might use to log in to your Internet connection.
5. Click Login. The web management interface displays, showing the System Status screen. The following figure shows the top part of the UTM50 System Status screen. For more information, see View the System Status on page 439.
Note: After 5 minutes of inactivity (the default login time-out), you are automatically logged out.
Figure 20. Menu levels of the web management interface: 1st level, main navigation menu link (orange); 2nd level, configuration menu link (gray); 3rd level, submenu tab (blue); option arrow, additional screen for a submenu item.

Web Management Interface Menu Layout

The following figure shows the menu at the top of the UTM50 web management interface as an example.
Figure 21.
The web management interface menu consists of the following components:
• 1st level: Main navigation menu links. The main navigation menu in the orange bar across the top of the web management interface provides access to all the configuration functions of the UTM, and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.
• 2nd level: Configuration menu links. The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.
• 3rd level: Submenu tabs. Each configuration menu item has one or more submenu tabs that are listed below the gray menu bar. When you select a submenu tab, the text is displayed in white against a blue background.
• Option arrows. If there are additional screens for the submenu item, links to the screens display on the right side in blue letters against a white background, preceded by a white arrow in a blue circle.
The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. The following figure shows an example:
Figure 22.
Any of the following action buttons might display on screen (this list might not be complete):
• Apply. Save and apply the configuration.
• Reset. Cancel the changes and reset the configuration to the current values.
• Test. Test the configuration before you decide whether or not to save and apply the configuration.
• Auto Detect. Enable the UTM to detect the configuration automatically and suggest values for the configuration.
• Next. Go to the next screen (for wizards).
• Back. Go to the previous screen (for wizards).
• Search. Perform a search operation.
• Cancel. Cancel the operation.
• Send Now. Send a file or report.
When a screen includes a table, table buttons display to let you configure the table entries. The nature of the screen determines which table buttons are shown. The following figure shows an example:
Figure 23.
Any of the following table buttons might display on screen:
• Select All. Select all entries in the table.
• Delete. Delete the selected entry or entries from the table.
• Enable. Enable the selected entry or entries in the table.
• Disable. Disable the selected entry or entries in the table.
• Add. Add an entry to the table.
• Edit. Edit the selected entry.
• Up. Move the selected entry up in the table.
• Down. Move the selected entry down in the table.
• Apply. Apply the selected entry.
Almost all screens and sections of screens have an accompanying help screen. To open the help screen, click the (question mark) icon.

Use the Setup Wizard to Perform the Initial Configuration

The Setup Wizard facilitates the initial configuration of the UTM by taking you through 10 screens, the last of which allows you to save the configuration. If you prefer to perform the initial WAN setup manually, see Chapter 3, Manually Configuring Internet and WAN Settings.
To start the Setup Wizard:
1. Select Wizards from the main navigation menu. The Welcome to the Netgear
Configuration Wizard screen displays:
Figure 24.
2. Select the Setup Wizard radio button.
3. Click Next. The first Setup Wizard screen displays.
The following sections explain the 9 configuration screens of the Setup Wizard. On the 10th screen, you can save your configuration.
The tables in the following sections explain the buttons and fields of the Setup Wizard screens. Additional information about the settings in the Setup Wizard screens is provided in other chapters that explain manual configuration; each of the following sections provides a specific link to a section in another chapter.

Setup Wizard Step 1 of 10: LAN Settings

Figure 25.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Note: In this first step, you are actually configuring the LAN settings for the UTM’s default VLAN. For more information about VLANs, see Manage Virtual LANs and DHCP Options on page 93.
Table 4. Setup Wizard Step 1: LAN Settings screen settings
LAN TCP/IP Setup
  IP Address. Enter the IP address of the UTM’s default VLAN (the factory default address is 192.168.1.1).
    Note: Always make sure that the LAN port IP address and DMZ port IP address are in different subnets.
    Note: If you change the LAN IP address of the UTM’s default VLAN while being connected through the browser, you are disconnected. You then need to open a new connection to the new IP address and log in again. For example, if you change the default IP address from 192.168.1.1 to 10.0.0.1, you now need to enter https://10.0.0.1 in your browser to reconnect to the web management interface.
  Subnet Mask. Enter the IP subnet mask. The subnet mask specifies the network number portion of an IP address. The UTM automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the UTM).
DHCP
  Disable DHCP Server. If another device on your network is the DHCP server for the default VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. By default, this radio button is not selected, and the DHCP server is enabled.
  Enable DHCP Server. Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the default VLAN. Enter the following settings.
    Domain Name. This setting is optional. Enter the domain name of the UTM.
    Starting IP Address. Enter the starting IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the ending IP address. The IP address 192.168.1.2 is the default starting address.
    Ending IP Address. Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between the starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address.
      Note: The starting and ending DHCP IP addresses should be in the same network as the LAN TCP/IP address of the UTM (that is, the IP address in the LAN TCP/IP Setup section as described earlier in this table).
    Primary DNS Server. This setting is optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM provides its own LAN IP address as the primary DNS server IP address.
    Secondary DNS Server. This setting is optional. If an IP address is specified, the UTM provides this address as the secondary DNS server IP address.
    WINS Server. This setting is optional. Enter a WINS server IP address to specify the Windows NetBIOS server, if one is present in your network.
    Lease Time. Enter a lease time. This specifies the duration for which IP addresses are leased to clients.
  DHCP Relay. Select the DHCP Relay radio button to use the UTM as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the following setting:
    Relay Gateway. The IP address of the DHCP server for which the UTM serves as a relay.
  Enable LDAP information. Select the Enable LDAP information check box to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the following settings.
    Note: The LDAP settings that you specify as part of the VLAN profile are used only for SSL VPN and UTM authentication, but not for web and email security.
    LDAP Server. The IP address or name of the LDAP server.
    Search Base. The search objects that specify the location in the directory tree from which the LDAP search begins. You can specify multiple search objects, separated by commas. The search objects include:
      • CN (for common name)
      • OU (for organizational unit)
      • O (for organization)
      • C (for country)
      • DC (for domain)
      For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net
    Port. The port number for the LDAP server. The default setting is 0 (zero).
DNS Proxy
  Enable DNS Proxy. This setting is optional. Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution. This radio button is selected by default.
    Note: When the DNS Proxy option is disabled, all DHCP clients receive the DNS IP addresses of the ISP but without the DNS proxy IP address.
Inter VLAN Routing
  Enable Inter VLAN Routing. This setting is optional. To ensure that traffic is routed only to VLANs for which inter-VLAN routing is enabled, select the Enable Inter VLAN Routing check box. This setting is disabled by default. When the Enable Inter VLAN Routing check box is not selected, traffic from this VLAN is not routed to other VLANs, and traffic from other VLANs is not routed to this VLAN.
    Note: For information about inter-VLAN firewall rules, see VLAN Rules on page 144.
After you have completed the steps in the Setup Wizard, you can make changes to the LAN settings by selecting Network Config > LAN Settings > Edit LAN Profile. For more information about these LAN settings, see VLAN DHCP Options on page 96.
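The rules stated in Requirements for Entering IP Addresses and in Table 4 (fourth octet between 1 and 254, LAN and DMZ port addresses in different subnets, DHCP pool in the same network as the LAN address, LDAP search base built from CN/OU/O/C/DC objects) can be checked before the values are typed into the wizard. The following Python is an added example and not NETGEAR's code; the function names are ours, and 255.255.255.0 is assumed as the mask wherever the table says the UTM computes it:

```python
"""Pre-checks for Setup Wizard Step 1 (LAN Settings) values.

Added example, not NETGEAR's code. It encodes the rules the guide states:
the fourth octet of any entered IPv4 address must be 1..254, the LAN and
DMZ port addresses must be in different subnets, the DHCP pool must lie in
the same network as the LAN TCP/IP address, and an LDAP search base is a
comma-separated list of CN/OU/O/C/DC objects (cn=Johnson,dc=Netgear,dc=net).
"""
import ipaddress
from typing import List, Optional

# Assumed mask: the table says to use 255.255.255.0 unless subnetting.
DEFAULT_MASK = "255.255.255.0"
# Search objects listed in Table 4 for the LDAP Search Base field.
LDAP_SEARCH_OBJECTS = {"CN", "OU", "O", "C", "DC"}


def check_host_octet(addr: str) -> bool:
    """Rule from 'Requirements for Entering IP Addresses': the last octet
    must be 1..254. This rejects the network (.0) and broadcast (.255)
    addresses of a /24; a malformed string raises ValueError."""
    last_octet = int(ipaddress.IPv4Address(addr)) & 0xFF
    return 1 <= last_octet <= 254


def check_search_base(search_base: str) -> bool:
    """Accept only 'attr=value' objects whose attr is one of CN, OU, O, C,
    DC (case-insensitive), separated by commas, each with a value."""
    for rdn in search_base.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or attr.upper() not in LDAP_SEARCH_OBJECTS or not value:
            return False
    return True


def validate_lan_settings(lan_ip: str, dhcp_start: str, dhcp_end: str,
                          subnet_mask: str = DEFAULT_MASK,
                          dmz_ip: Optional[str] = None,
                          dmz_mask: str = DEFAULT_MASK) -> List[str]:
    """Return a list of problems; an empty list means every rule passed."""
    problems: List[str] = []

    # Rule 1: fourth octet of every entered address is in range.
    for label, addr in (("LAN IP address", lan_ip),
                        ("DHCP starting IP address", dhcp_start),
                        ("DHCP ending IP address", dhcp_end)):
        if not check_host_octet(addr):
            problems.append(f"{label} {addr}: fourth octet must be 1-254")

    # Rule 2: DHCP pool lies in the LAN network and start is not above end.
    lan_net = ipaddress.IPv4Interface(f"{lan_ip}/{subnet_mask}").network
    start = ipaddress.IPv4Address(dhcp_start)
    end = ipaddress.IPv4Address(dhcp_end)
    if start > end:
        problems.append("DHCP starting IP address is above the ending address")
    for label, addr in (("DHCP starting IP address", start),
                        ("DHCP ending IP address", end)):
        if addr not in lan_net:
            problems.append(f"{label} {addr} is not in LAN network {lan_net}")

    # Rule 3: LAN port and DMZ port addresses are in different subnets.
    if dmz_ip is not None:
        dmz_net = ipaddress.IPv4Interface(f"{dmz_ip}/{dmz_mask}").network
        if lan_net.overlaps(dmz_net):
            problems.append(f"LAN network {lan_net} and DMZ network {dmz_net} "
                            "overlap; they must be different subnets")
    return problems


if __name__ == "__main__":
    # Factory defaults from Table 4 pass. Moving the LAN to 10.0.0.1 without
    # moving the pool, or placing the DMZ in the LAN subnet, is reported.
    print(validate_lan_settings("192.168.1.1", "192.168.1.2", "192.168.1.100"))
    print(validate_lan_settings("10.0.0.1", "192.168.1.2", "192.168.1.100"))
    print(validate_lan_settings("192.168.1.1", "192.168.1.2", "192.168.1.100",
                                dmz_ip="192.168.1.200"))
    print(check_search_base("cn=Johnson,dc=Netgear,dc=net"))
```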

Setup Wizard Step 2 of 10: WAN Settings

Figure 26.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Note: Instead of manually entering the settings, you can also click the Auto Detect action button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
Table 5. Setup Wizard Step 2: WAN Settings screen settings
ISP Login
  Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select the Yes radio button. Otherwise, select the No radio button, which is the default setting, and skip the ISP Type section. If you select the Yes radio button, enter the following settings.
    Login. The login name that your ISP has assigned to you.
    Password. The password that your ISP has assigned to you.
ISP Type
  What type of ISP connection do you use? If your connection is PPPoE or PPTP, then you need to log in. Select the Yes radio button. Based on the connection that you select, the text fields that require data entry are highlighted. If your ISP has not assigned any login information, then select the No radio button and skip this section. If you select the Yes radio button, enter the following settings.
  Austria (PPTP). If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button and enter the following settings:
    Account Name. The account name is also known as the host name or system name. Enter the valid account name for the PPTP connection (usually your email ID assigned by your ISP). Some ISPs require you to enter your full email address here.
    Domain Name. Your domain name or workgroup name assigned by your ISP, or your ISP’s domain name. You can leave this field blank.
    Idle Timeout. Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Timeout radio button and, in the time-out field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
    My IP Address. The IP address assigned by the ISP to make the connection with the ISP server.
    Server IP Address. The IP address of the PPTP server.
  Other (PPPoE). If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. Select this radio button and enter the following settings:
    Account Name. The valid account name for the PPPoE connection.
    Domain Name. The name of your ISP’s domain or your domain name if your ISP has assigned one. You can leave this field blank.
    Idle Timeout. Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Timeout radio button and, in the time-out field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
      Note: When you use a PPPoE connection and select the Idle Timeout radio button, you cannot configure load balancing (see Configure Load Balancing (Multiple WAN Port Models) on page 81). To use load balancing on a PPPoE connection, select the Keep Connected radio button.
    Connection Reset. Select the Connection Reset check box to specify a time when the PPPoE WAN connection is reset, that is, the connection is disconnected momentarily and then reestablished. Then, specify the disconnect time and delay.
    Disconnect Time. Specify the hour and minutes when the connection should be disconnected.
    Delay. Specify the period in seconds after which the connection should be reestablished.
Internet (IP) Address
  Click the Current IP Address link to see the currently assigned IP address.
  Get Dynamically from ISP. If your ISP has not assigned you a static IP address, select the Get dynamically from ISP radio button. The ISP automatically assigns an IP address to the UTM using DHCP network protocol.
    Client Identifier. Select the Client Identifier check box if your ISP requires the client identifier information to assign an IP address using DHCP.
    Vendor Class Identifier. Select the Vendor Class Identifier check box if your ISP requires the vendor class identifier information to assign an IP address using DHCP.
  Use Static IP Address. If your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button and enter the following settings.
    IP Address. The static IP address assigned to you. This address identifies the UTM to your ISP.
    Subnet Mask. The subnet mask, which is usually provided by your ISP.
    Gateway IP Address. The IP address of the ISP’s gateway, which is usually provided by your ISP.
Domain Name Server (DNS) Servers
  Get Automatically from ISP. If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the Get Automatically from ISP radio button.
  Use These DNS Servers. If your ISP has assigned DNS addresses to you, select the Use these DNS Servers radio button. Make sure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues.
    Primary DNS Server. The IP address of the primary DNS server.
    Secondary DNS Server. The IP address of the secondary DNS server.
After you have completed the steps in the Setup Wizard, you can make changes to the WAN settings by selecting Network Config > WAN Settings. Then click the Edit button in the Action column of the WAN interface for which you want to change the settings.
For more information about these WAN settings, see Manually Configure the Internet Connection on page 71.

Setup Wizard Step 3 of 10: System Date and Time

Figure 27.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 6. Setup Wizard Step 3: System Date and Time screen settings
Set Time, Date, and NTP Servers
  Date/Time. From the drop-down list, select the local time zone in which the UTM operates. The correct time zone is required in order for scheduling to work correctly. The UTM includes a real-time clock (RTC), which it uses for scheduling.
  Automatically Adjust for Daylight Savings Time. If daylight savings time is supported in your region, select the Automatically Adjust for Daylight Savings Time check box.
  NTP Server (default or custom). From the drop-down list, select an NTP server:
    • Use Default NTP Servers. The UTM’s RTC is updated regularly by contacting a default NETGEAR NTP server on the Internet.
    • Use Custom NTP Servers. The UTM’s RTC is updated regularly by contacting one of the two NTP servers (primary and backup), both of which you need to specify in the fields that become available with this selection.
      Note: If you select this option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers.
      Note: A list of public NTP servers is available at http://support.ntp.org/bin/view/Servers/WebHome.
  Server 1 Name / IP Address. Enter the IP address or host name of the primary NTP server.
  Server 2 Name / IP Address. Enter the IP address or host name of the backup NTP server.
After you have completed the steps in the Setup Wizard, you can make changes to the date and time by selecting Administration > System Date & Time. For more information about these settings, see Configure Date and Time Service on page 412.
Using the Setup Wizard to Provision the UTM in Y our Network
50
ProSecure Unified Threat Management (UTM) Appliance
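To confirm that a custom NTP server (the Server 1 or Server 2 entry above) actually answers before the UTM depends on it for scheduling, the following added example, which is not NETGEAR code, sends a minimal SNTP request from a workstation and reports the offset between the server's clock and the local clock. It assumes UDP port 123 is reachable from the workstation; the reply packet used for the offline run is constructed.

```python
"""Added example (not NETGEAR code): minimal SNTP query to check an NTP server."""
import socket
import struct
import time

NTP_PORT = 123
PACKET_LEN = 48
# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800
# First request byte: LI=0, VN=3, Mode=3 (client).
CLIENT_HEADER = 0x1B


def build_request() -> bytes:
    """48-byte SNTP client packet: header byte followed by zeros."""
    return bytes([CLIENT_HEADER]) + bytes(PACKET_LEN - 1)


def parse_transmit_timestamp(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40-47) as Unix seconds."""
    if len(packet) < PACKET_LEN:
        raise ValueError("short NTP packet")
    mode = packet[0] & 0x07
    if mode != 4:  # mode 4 is a server reply
        raise ValueError(f"unexpected NTP mode {mode}")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_UNIX_DELTA + frac / 2**32


def clock_offset(server_unix: float, local_unix: float) -> float:
    """Seconds the local clock is behind (positive) or ahead of (negative) the server."""
    return server_unix - local_unix


def query(host: str, timeout: float = 3.0) -> float:
    """Send one request over UDP/123 and return the server time (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, NTP_PORT))
        data, _ = sock.recvfrom(PACKET_LEN)
    return parse_transmit_timestamp(data)


# Constructed server reply for offline use: mode 4 header, transmit timestamp
# 3523824000 NTP seconds (2011-09-01 00:00:00 UTC) with a zero fraction.
SAMPLE_REPLY = bytes([0x24]) + bytes(39) + struct.pack("!II", 3523824000, 0)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        server_time = query(sys.argv[1])
        print(f"{sys.argv[1]}: local clock offset {clock_offset(server_time, time.time()):+.3f} s")
    else:
        print(parse_transmit_timestamp(SAMPLE_REPLY))  # 1314835200.0
```

Run it with the server name or IP address as the argument. The query is plain SNTP without authentication, so it tells you that a server responds and what time it gives; it cannot tell you that the reply is genuine, which is why the NTP servers you enter should be ones you trust.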

Setup Wizard Step 4 of 10: Services

Figure 28.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 7. Setup Wizard Step 4: Services screen settings
Email
SMTP: SMTP scanning is enabled by default on standard service port 25.
POP3: POP3 scanning is enabled by default on standard service port 110.
IMAP: IMAP scanning is enabled by default on standard service port 143.
To disable any of these services, clear the corresponding check box. You can change the standard service port or add another port in the corresponding Ports to Scan field.
Web
HTTP: HTTP scanning is enabled by default on standard service port 80. To disable HTTP scanning, clear the corresponding check box. You can change the standard service port or add another port in the corresponding Ports to Scan field.
HTTPS: HTTPS scanning is disabled by default. To enable HTTPS scanning, select the corresponding check box. You can change the standard service port (443) or add another port in the corresponding Ports to Scan field.
FTP: FTP scanning is enabled by default on standard service port 21. To disable FTP scanning, clear the corresponding check box. You cannot change the standard service port in the corresponding Ports to Scan field.
Instant Messaging
Google Talk, ICQ, mIRC, MSN Messenger, QQ, Yahoo Messenger: Scanning of these instant messaging services is disabled by default. To enable any of these services, select the corresponding check box.
Note: For instant messaging services, the following services can be blocked: logging in, sharing files, sharing video, sharing audio, and text messaging.
Peer-to-Peer (P2P)
BitTorrent, eDonkey, Gnutella: Scanning of these file-sharing applications is disabled by default. To enable any of these services, select the corresponding check box.
Media Applications
iTunes (Music Store, update), QuickTime (Update), Real Player (Guide), Rhapsody (Guide, Music Store), Winamp (Internet Radio/TV): Scanning of these media applications is disabled by default. To enable any of these applications, select the corresponding check box.
SSL Handshaking to Websites
Note: SSL handshaking is supported only on the UTM9S.
Facebook: Scanning of Facebook is disabled by default. To enable it, select the corresponding check box. (This option is not shown in the previous figure, but it is shown in Figure 110 on page 195.)
Tools
Alexa Toolbar, GoToMyPC, Weatherbug, Yahoo Toolbar: Scanning of these tools is disabled by default. To enable any of these tools, select the corresponding check box.
After you have completed the steps in the Setup Wizard, you can make changes to the security services by selecting Application Security > Services. For more information about these settings, see Customize Email Protocol Scan Settings on page 178 and Customize Web Protocol Scan Settings and Services (Web Applications) on page 194.

Setup Wizard Step 5 of 10: Email Security

Figure 29.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 8. Setup Wizard Step 5: Email Security screen settings
Action
SMTP: From the SMTP drop-down list, select one of the following actions to be taken when an infected email is detected:
• Block infected email. This is the default setting. The email is blocked, and a log entry is created.
• Delete attachment. The email is not blocked, but the attachment is deleted, and a log entry is created.
• Log only. Only a log entry is created. The email is not blocked, and the attachment is not deleted.
• Quarantine attachment (UTM9S only). The email is not blocked, but the attachment is quarantined on a ReadyNAS, and a log entry is created (see the Note on page 176).
• Quarantine infected email (UTM9S only). The email is quarantined on a ReadyNAS, and a log entry is created (see the Note on page 176).
POP3: From the POP3 drop-down list, select one of the following actions to be taken when an infected email is detected:
• Delete attachment. This is the default setting. The email is not blocked, but the attachment is deleted, and a log entry is created.
• Log only. Only a log entry is created. The email is not blocked, and the attachment is not deleted.
• Quarantine attachment (UTM9S only). The email is not blocked, but the attachment is quarantined on a ReadyNAS, and a log entry is created (see the Note on page 176).
IMAP: From the IMAP drop-down list, select one of the following actions to be taken when an infected email is detected:
• Delete attachment. This is the default setting. The email is not blocked, but the attachment is deleted, and a log entry is created.
• Log only. Only a log entry is created. The email is not blocked, and the attachment is not deleted.
• Quarantine attachment (UTM9S only). The email is not blocked, but the attachment is quarantined on a ReadyNAS, and a log entry is created (see the Note on page 176).
Scan Exceptions: The default maximum size of the file or message that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM’s performance (see Performance Management on page 389).
From the drop-down list, select one of the following actions to be taken when the file or message exceeds the maximum size:
• Skip. The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting.
• Block. The file is blocked and does not reach the end user.
After you have completed the steps in the Setup Wizard, you can make changes to the email security settings by selecting Application Security > Email Anti-Virus. The Email Anti-Virus screen also lets you specify notification settings and email alert settings. For more information about these settings, see Customize Email Antivirus and Notification Settings on page 179.

Setup Wizard Step 6 of 10: Web Security

Figure 30.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 9. Setup Wizard Step 6: Web Security screen settings
Action
HTTP: From the HTTP drop-down list, select one of the following actions to be taken when an infected web file or object is detected:
• Delete file. This is the default setting. The web file or object is deleted, and a log entry is created.
• Log only. Only a log entry is created. The web file or object is not deleted.
• Quarantine file (UTM9S only). The web file or object is quarantined, and a log entry is created (see the Note on page 176).
Select the Streaming check box to enable streaming of partially downloaded and scanned HTTP file parts to the user. This method allows the user to experience more transparent web downloading. Streaming is enabled by default.
HTTPS: From the HTTPS drop-down list, select one of the following actions to be taken when an infected web file or object is detected:
• Delete file. This is the default setting. The web file or object is deleted, and a log entry is created.
• Log only. Only a log entry is created. The web file or object is not deleted.
• Quarantine file (UTM9S only). The web file or object is quarantined, and a log entry is created (see the Note on page 176).
Select the Streaming check box to enable streaming of partially downloaded and scanned HTTPS file parts to the user. This method allows the user to experience more transparent web downloading. Streaming is enabled by default.
FTP: From the FTP drop-down list, select one of the following actions to be taken when an infected web file or object is detected:
• Delete file. This is the default setting. The FTP file or object is deleted, and a log entry is created.
• Log only. Only a log entry is created. The FTP file or object is not deleted.
• Quarantine file (UTM9S only). The FTP file or object is quarantined, and a log entry is created (see the Note on page 176).
Scan Exceptions: The default maximum size of the file or object that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM’s performance (see Performance Management on page 389).
From the drop-down list, select one of the following actions to be taken when the file or message exceeds the maximum size:
• Skip. The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting.
• Block. The file is blocked and does not reach the end user.
After you have completed the steps in the Setup Wizard, you can make changes to the web security settings by selecting Application Security > HTTP/HTTPS > Malware Scan. The Malware Scan screen also lets you specify HTML scanning and notification settings. For more information about these settings, see Configure Web Malware Scans on page 197.
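The per-protocol actions and the Scan Exceptions rule in Table 8 and Table 9 together decide whether an infected object ever reaches a user, and the Skip default means anything larger than the maximum size is passed through without inspection. The model below is an added example, not NETGEAR code, that applies those rules to a constructed set of transfers so you can see which objects a given setting would deliver unscanned. The ScanPolicy and Transfer classes, the action names and the sample traffic are the example's own.

```python
"""Added example (not NETGEAR code): model of the Setup Wizard scanning actions."""
from dataclasses import dataclass, field

DEFAULT_MAX_KB = 2048   # default maximum scanned size (Tables 8 and 9)
HARD_MAX_KB = 10240     # largest value the UTM accepts

# Actions each protocol offers, as listed in Tables 8 and 9 (quarantine is UTM9S only).
ALLOWED_ACTIONS = {
    "SMTP": {"block", "delete", "log", "quarantine_attachment", "quarantine_email"},
    "POP3": {"delete", "log", "quarantine_attachment"},
    "IMAP": {"delete", "log", "quarantine_attachment"},
    "HTTP": {"delete", "log", "quarantine_file"},
    "HTTPS": {"delete", "log", "quarantine_file"},
    "FTP": {"delete", "log", "quarantine_file"},
}
# Default action per protocol.
DEFAULT_ACTIONS = {"SMTP": "block", "POP3": "delete", "IMAP": "delete",
                   "HTTP": "delete", "HTTPS": "delete", "FTP": "delete"}
EMAIL_PROTOCOLS = {"SMTP", "POP3", "IMAP"}


@dataclass
class ScanPolicy:
    actions: dict = field(default_factory=lambda: dict(DEFAULT_ACTIONS))
    max_kb: int = DEFAULT_MAX_KB
    oversize: str = "skip"  # Scan Exceptions action: "skip" (default) or "block"

    def __post_init__(self):
        if not 0 < self.max_kb <= HARD_MAX_KB:
            raise ValueError(f"max size must be 1..{HARD_MAX_KB} KB")
        if self.oversize not in ("skip", "block"):
            raise ValueError("oversize action must be 'skip' or 'block'")
        for proto, action in self.actions.items():
            if action not in ALLOWED_ACTIONS.get(proto, set()):
                raise ValueError(f"{action!r} is not an action offered for {proto}")


@dataclass
class Transfer:
    """One email or download as the scanner would see it (constructed for the example)."""
    protocol: str
    size_kb: int
    infected: bool
    name: str = ""


def disposition(t: Transfer, policy: ScanPolicy) -> str:
    """What happens to the transfer. Oversize objects are decided before any scanning."""
    if t.size_kb > policy.max_kb:
        return "blocked" if policy.oversize == "block" else "delivered unscanned"
    if not t.infected:
        return "delivered"
    action = policy.actions[t.protocol]
    if action == "block":
        return "blocked"
    if action == "delete":
        return "attachment deleted" if t.protocol in EMAIL_PROTOCOLS else "file deleted"
    if action == "log":
        return "logged only"
    return "quarantined"


def unscanned_threats(transfers, policy: ScanPolicy):
    """Names of infected transfers that reach the user without being scanned."""
    return [t.name for t in transfers
            if t.infected and disposition(t, policy) == "delivered unscanned"]


# Constructed sample traffic.
SAMPLE = [
    Transfer("SMTP", 512, True, "invoice.zip"),
    Transfer("HTTP", 3000, True, "setup.exe"),      # larger than the 2048 KB default
    Transfer("POP3", 100, False, "newsletter.eml"),
    Transfer("FTP", 9000, True, "backup.tar"),
]

if __name__ == "__main__":
    default = ScanPolicy()
    strict = ScanPolicy(max_kb=HARD_MAX_KB, oversize="block")
    for t in SAMPLE:
        print(f"{t.name:16} default: {disposition(t, default):20} strict: {disposition(t, strict)}")
    print("unscanned under defaults:", unscanned_threats(SAMPLE, default))
```

Changing only the Scan Exceptions action to Block closes the unscanned path at the cost of refusing every large download; raising the maximum size keeps large files flowing but, as the table notes, costs performance. The model lets you weigh those two settings against the sizes you actually see in traffic.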

Setup Wizard Step 7 of 10: Web Categories to Be Blocked

Figure 31.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 10. Setup Wizard Step 7: Web Categories to Be Blocked screen settings
Blocked Web Categories: Select the Enable Blocking check box to enable blocking of web categories. (By default, this check box is selected.)
Select the check boxes of any web categories that you want to block. Use the action buttons at the top of the section in the following way:
• Allow All. All web categories are allowed.
• Block All. All web categories are blocked.
• Set to Defaults. Blocking and allowing of web categories are returned to their default settings. See Table 38 on page 176 for information about the web categories that are blocked by default. Categories that are preceded by a green square are allowed by default; categories that are preceded by a pink square are blocked by default.
Blocked Categories Scheduled Days: Make one of the following selections:
• Select the All Days radio button to enable content filtering to be active all days of the week.
• Select the Specific Days radio button to enable content filtering to be active on the days that are specified by the check boxes.
Blocked Categories Time of Day: Make one of the following selections:
• Select the All Day radio button to enable content filtering to be active all 24 hours of each selected day.
• Select the Specific Times radio button to enable content filtering to be active during the time that is specified by the Start Time and End Time fields for each day that content filtering is active.
After you have completed the steps in the Setup Wizard, you can make changes to the content-filtering settings by selecting Application Security > HTTP/HTTPS > Content Filtering. The Content Filtering screen lets you specify additional filtering tasks and notification settings. For more information about these settings, see Configure Web Content Filtering on page 199.

Setup Wizard Step 8 of 10: Email Notification

Figure 32.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 11. Setup Wizard Step 8: Email Notification screen settings
Administrator Email Notification Settings
Show as mail sender: A descriptive name of the sender for email identification purposes. For example, enter UTM_Notifications@netgear.com.
SMTP server: The IP address and port number or Internet name and port number of your ISP’s outgoing email SMTP server. The default port number is 25.
Note: If you leave this field blank, the UTM cannot send email notifications.
This server requires authentication: If the SMTP server requires authentication, select the This server requires authentication check box, and enter the user name and password.
User name: The user name for SMTP server authentication.
Password: The password for SMTP server authentication.
Send notifications to: The email address to which the notifications should be sent. Typically, this is the email address of the administrator.
After you have completed the steps in the Setup Wizard, you can make changes to the administrator email notification settings by selecting Network Config > Email Notification. For more information about these settings, see Configure the Email Notification Server on page 422.
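Before relying on the notification settings above, it is worth sending one message through the relay from a workstation on the LAN, since a wrong server, port or credential only shows up when an alert silently fails to arrive. The following added example (not NETGEAR code) does that with Python's standard smtplib, accepting the same host or host:port form as the SMTP server field plus the optional user name and password; the server, sender and recipient values are placeholders.

```python
"""Added example (not NETGEAR code): send one test message through the notification relay."""
import smtplib
import ssl
from email.message import EmailMessage
from typing import Optional, Tuple


def parse_server(spec: str, default_port: int = 25) -> Tuple[str, int]:
    """Accept 'host' or 'host:port', as the SMTP server field does (IPv4 or name)."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, int(port)


def build_notification(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Compose the notification as a plain-text message."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_test(server: str, sender: str, recipient: str,
              username: Optional[str] = None, password: Optional[str] = None,
              timeout: float = 10.0) -> dict:
    """Deliver one message and return the refused recipients (empty means success)."""
    host, port = parse_server(server)
    msg = build_notification(sender, recipient, "UTM test notification",
                             "If you can read this, the notification relay works.")
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            # Upgrade to TLS when the relay offers it so the credentials are not sent in clear.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        if username:
            smtp.login(username, password or "")
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder values; replace with the entries from Table 11.
    refused = send_test("mail.example.net:25",
                        "UTM_Notifications@netgear.com", "admin@example.com",
                        username=None, password=None)
    print("all recipients accepted" if not refused else f"refused: {refused}")
```

If the relay rejects the login, fix that here before entering the same credentials on the UTM; a relay that only accepts mail after STARTTLS will also show up here, because the UTM's own SMTP server field gives no hint about encryption.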

Setup Wizard Step 9 of 10: Signatures & Engine

Figure 33.
Enter the settings as explained in the following table, and then click Next to go to the following screen.
Table 12. Setup Wizard Step 9: Signatures & Engine screen settings
Update Settings
Update: From the drop-down list, select one of the following options:
• Never. The pattern and firmware files are never automatically updated.
• Scan engine and Signatures. The pattern and firmware files are automatically updated according to the settings in the Update Frequency section on the screen (see explanations later in this table).
Update From: Set the update source server by selecting one of the following radio buttons:
• Default update server. Files are updated from the default NETGEAR update server.
• Server address. Files are updated from the server that you specify. Enter the IP address or host name of the update server in the Server address field.
Update Frequency
Specify the frequency with which the UTM checks for file updates:
• Weekly. From the drop-down lists, select the weekday, hour, and minutes that the updates occur.
• Daily. From the drop-down lists, select the hour and minutes that the updates occur.
• Every. From the drop-down list, select the frequency with which the updates occur. The range is from 15 minutes to 12 hours.
HTTPS Proxy Settings
Enable: If computers on the network connect to the Internet through a proxy server, select the Enable check box to specify and enable a proxy server. Enter the following settings.
Proxy server: The IP address and port number of the proxy server.
User name: The user name for proxy server authentication.
Password: The password for proxy server authentication.
After you have completed the steps in the Setup Wizard, you can make changes to the signatures and engine settings by selecting Administration > System Update > Signatures & Engine. For more information about these settings, see Update the Scan Signatures and Scan Engine Firmware on page 410.

Setup Wizard Step 10 of 10: Saving the Configuration

Figure 34.
Click Apply to save your settings and automatically restart the system.

Verify Correct Installation

Test the UTM before deploying it in a live production environment. The following instructions walk you through a couple of quick tests that are designed to ensure that your UTM is functioning correctly.

Test Connectivity

Verify that network traffic can pass through the UTM:
1. Ping an Internet URL.
2. Ping the IP address of a device on either side of the UTM.

Test HTTP Scanning

If client computers have direct access to the Internet through your LAN, try to download the eicar.com test file from http://www.eicar.org/download/eicar.com.
The eicar.com test file is a legitimate denial of service (DoS) attack and is safe to use because it is not a malware threat and does not include any fragments of malware code. The test file is provided by EICAR, an organization that unites efforts against computer crime, fraud, and misuse of computers or networks.
Verify that the UTM scans HTTP traffic correctly:
1. Log in to the UTM web management interface, and then verify that HTTP scanning is enabled. For information about how to enable HTTP scanning, see Customize Web Protocol Scan Settings and Services (Web Applications) on page 194 and Configure Web Malware Scans on page 197.
2. Check the downloaded eicar.com test file, and note the attached malware information file.
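A quick way to record what the client actually received in step 2 is the following added example (not NETGEAR code), which downloads the test file through the UTM and classifies the response as unscanned (the EICAR string arrived intact), replaced (the UTM delivered its own content instead) or blocked (an error status or no response). The EICAR string is the published test signature; the sample responses are constructed, and the hash is printed so it can be compared with the UTM's log entry.

```python
"""Added example (not NETGEAR code): classify what a client received for eicar.com."""
import hashlib
import urllib.error
import urllib.request

EICAR_URL = "http://www.eicar.org/download/eicar.com"
# The published 68-byte EICAR test string. It is a test file, not malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def classify(body: bytes, status: int) -> str:
    """'unscanned' if the test string reached the client, 'replaced' if a 200
    response carried other content (the UTM's notification), 'blocked' otherwise."""
    if EICAR in body:
        return "unscanned"
    if status == 200 and body:
        return "replaced"
    return "blocked"


def fetch(url: str = EICAR_URL, timeout: float = 10.0):
    """Download through the UTM and return (body, status); errors count as blocked."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(), resp.status
    except urllib.error.HTTPError as e:
        return e.read(), e.code
    except (urllib.error.URLError, OSError):
        return b"", 0


def sha256_hex(data: bytes) -> str:
    """Hash of what arrived, for comparison with the UTM's log entry."""
    return hashlib.sha256(data).hexdigest()


# Constructed responses illustrating the three outcomes.
SAMPLES = {
    "passed through": (EICAR, 200),
    "notification page": (b"<html><body>Malware detected, file deleted</body></html>", 200),
    "connection reset": (b"", 0),
}

if __name__ == "__main__":
    body, status = fetch()
    print(f"HTTP {status}, {len(body)} bytes, sha256 {sha256_hex(body)} -> {classify(body, status)}")
```

An "unscanned" result with HTTP scanning enabled means the request did not pass through the UTM's scanner at all (for example, the client reached the Internet by another path), which is the case the connectivity test above is meant to rule out.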

Register the UTM with NETGEAR

To receive threat management component updates and technical support, you need to register your UTM with NETGEAR. The UTM is bundled with three 30-day trial licenses:
Web scanning
Email scanning
Support and maintenance
The service license keys are provided with the product package (see Service Registration Card with License Keys on page 20). For electronic licensing, you do not need the service license keys (see Electronic Licensing on page 64).
WARNING! Activating the service licenses initiates their terms of use. Activate the licenses only when you are ready to start using this unit. If your unit has never been registered before, you can use the 30-day trial period for all three types of licenses to perform the initial testing and configuration. To use the trial period, do not click Register in step 4 of the following procedure, but click Trial instead.
If your UTM is connected to the Internet, you can activate the service licenses:
1. Select Support > Registration. The Registration screen displays:
Figure 35.
2. Enter the license key in the Registration Key field.
3. Fill out the customer and value-added reseller (VAR) fields.
4. Click Register.
To activate the 30-day trial period for a license, do not click Register but click Trial instead.
5. Repeat step 2 and step 4 for additional license keys.
The UTM activates the licenses and registers the unit with the NETGEAR registration server.
Note: The 30-day trial licenses are revoked once you activate the purchased service license keys. The purchased service license keys offer 1 year or 3 years of service.
Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Register the UTM with NETGEAR on page 62), the license keys are erased. The license keys and the different types of licenses that are available for the UTM are no longer displayed on the Registration screen. However, after you have reconfigured the UTM to connect to the Internet and to the NETGEAR registration server, the UTM retrieves and restores all registration information based on its MAC address and hardware serial number. You do not need to reenter the license keys and reactivate the UTM.

Electronic Licensing

If you have purchased the UTM bundled together with a 1- or 3-year license bundle, you can use the electronic licensing option. When the UTM is connected to the Internet, you need to enter only your customer information and optional value-added reseller (VAR) information on the Register screen but do not need to enter the license numbers. When you click Register, the UTM automatically downloads and activates the license keys because the serial number of the UTM is linked to the license bundle.
If you have purchased licenses from a VAR (either directly or over the web) after purchase of the UTM, the VAR should email you the license keys or provide them to you in another way. To register and activate the license keys, follow the regular registration procedure that is explained in the previous section.

What to Do Next

You have completed setting up the UTM to the network. The UTM is now ready to scan the protocols and services that you specified and perform automatic updates based on the update source and frequency that you specified.
If you need to change the settings, or to view reports or logs, log in to the UTM web management interface, using the default IP address or the IP address that you assigned to the UTM in Setup Wizard Step 1 of 10: LAN Settings on page 43.
The UTM is ready for use. However, the following sections describe important tasks that you might want to address before you deploy the UTM in your network:
Configure the WAN Mode (required for the multiple WAN port models).
Configure Authentication Domains, Groups, and Users
Manage Digital Certificates for VPN Connections
Use the IPSec VPN Wizard for Client and Gateway Configurations
Use the SSL VPN Wizard for Client Configurations
3. Manually Configuring Internet and WAN Settings
This chapter contains the following sections:
Internet and WAN Configuration Tasks
Automatically Detecting and Connecting the Internet Connections
Manually Configure the Internet Connection
Configure the WAN Mode
Configure Secondary WAN Addresses
Configure Dynamic DNS
Configure Advanced WAN Options
Note: The initial Internet configuration of the UTM is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. If you used the Setup Wizard to configure your Internet settings, you need this chapter only to configure WAN features such as multiple WAN connections (not applicable to the single WAN port models) and dynamic DNS, and to configure secondary WAN addresses and advanced WAN options.
Note: The Wireless Settings configuration menu is shown on the UTM9S only, accessible under the Network Config main navigation menu.
Note: On the UTM9S, the Email Notification configuration menu is accessible under the Monitoring main navigation menu instead of the Network Config main navigation menu.

Internet and WAN Configuration Tasks

Note: For information about configuring the DSL interface of the UTM9S, see Appendix A, xDSL Module for the UTM9S. The information in this chapter also applies to the WAN interfaces of the UTM9S.
Generally, five steps are required to complete the WAN Internet connection of your UTM.
Complete these steps:
1. Configure the Internet connections to your ISPs. During this phase, you connect to your ISPs. See Automatically Detecting and Connecting the Internet Connections on page 67 or Manually Configure the Internet Connection on page 71.
2. Configure the WAN mode (required for multiple WAN port models). For all models, select either NAT or classical routing. For the multiple WAN port models, select dedicated (single WAN) mode, auto-rollover mode, or load balancing mode. For load balancing, you can also select any necessary protocol bindings. See Configure the WAN Mode on page 75.
3. Configure secondary WAN addresses on the WAN ports (optional). Configure aliases for each WAN port. See Configure Secondary WAN Addresses on page 85.
4. Configure Dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See Configure Dynamic DNS on page 87.
5. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features, and changing them is not usually required. See Configure Advanced WAN Options on page 90.
Each of these tasks is detailed separately in this chapter.
Note: For information about how to configure the WAN meters, see Enable the WAN Traffic Meter on page 419.

Automatically Detecting and Connecting the Internet Connections

To set up your UTM for secure Internet connections, the web management interface provides the option to automatically detect the network connections and configure the WAN port or ports. You can also manually configure the Internet connections and ports (see Manually Configure the Internet Connection on page 71).
Manually Configuring Internet and WAN Settings
To automatically configure the WAN ports for connection to the Internet:
1. Select Network Config > WAN Settings. The WAN screen displays. (The following figure shows the UTM50.)
Figure 36.
The UTM5 and UTM10 screens show one WAN interface; the UTM25 and UTM50 screens show two WAN interfaces; the UTM150 screen shows four WAN interfaces; the UTM9S screen shows two WAN interfaces and a slot (SLOT-1 or SLOT-2), in which the xDSL module is installed.
The WAN Settings table displays the following fields:
• WAN. The WAN interface.
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IP address of the WAN interface.
• Failure Detection Method. The failure detection method that is active for the WAN interface. The following methods can be displayed:
- None
- DNS Lookup (WAN DNS Servers)
- DNS Lookup (the configured IP address is displayed)
- PING (the configured IP address is displayed)
You can set the failure detection method for each WAN interface on its corresponding WAN Advanced Options screen (see Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models) on page 78).
• Action. The Edit button provides access to the WAN ISP Settings screen (see step 2) for the corresponding WAN interface; the Status button provides access to the Connection Status screen (see step 4) for the corresponding WAN interface.
2. Click the Edit button in the Action column of the WAN interface or slot for which you want to automatically configure the connection to the Internet. The WAN ISP Settings screen displays.
The following figure shows the WAN1 ISP Settings screen of the UTM50 as an example.
Figure 37.
3. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
The autodetect process returns one of the following results:
• If the autodetect process is successful, a status bar at the top of the screen displays the results (for example, DHCP service detected).
• If the autodetect process senses a connection method that requires input from you, it prompts you for the information. All methods with their required settings are explained in the following table:
Table 13. Internet connection methods
Connection method: Manual data input required
DHCP (Dynamic IP): No data is required.
PPPoE: Login, password, account name, and domain name.
PPTP: Login, password, account name, your IP address, and the server IP address.
Fixed (Static) IP: IP address, subnet mask, and gateway IP address, and related data supplied by your ISP.
• If the autodetect process does not find a connection, you are prompted either to check the physical connection between your UTM and the cable, DSL line, satellite dish, or wireless ISP radio antenna, or to check your UTM’s MAC address. For more information, see Configure Advanced WAN Options on page 90 and Troubleshoot the ISP Connection on page 494.
4. To verify the connection:
a. Return to the WAN screen by selecting Network Config > WAN Settings.
b. Click the Status button in the Action column for the WAN interface that you just configured to display the Connection Status pop-up screen.
Figure 38.
The Connection Status screen should show a valid IP address and gateway. If the configuration was not successful, skip ahead to Manually Configure the Internet Connection on page 71, or see Troubleshoot the ISP Connection on page 494.
Note: If the configuration process was successful, you are connected to the Internet through the WAN that you just configured. For the multiple WAN port models, continue with the configuration process for the other WAN interfaces.
Note: For more information about the WAN Connection Status screen, see View the WAN Ports Status on page 456.
5. For the multiple WAN port models, repeat step 2, step 3, and step 4 for any other WAN interface that you want to configure.
If the automatic WAN ISP configuration is successful, you can skip ahead to Configure the WAN Mode on page 75.
If the automatic WAN ISP configuration fails, you can attempt a manual configuration as described in Manually Configure the Internet Connection on this page, or see Troubleshoot the ISP Connection on page 494.

Set the UTM’s MAC Address

Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer’s Media Access Control (MAC) address. The default is set to Use Default Address on the WAN Advanced Options screens. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you need to enter that address on the WAN Advanced Options screen for the corresponding WAN interface (see Configure Advanced WAN Options on page 90).

Manually Configure the Internet Connection

Unless your ISP automatically assigns your configuration through DHCP, you need to obtain configuration parameters from your ISP to manually establish an Internet connection. The necessary parameters for various connection types are listed in Table 13 on page 70.
To manually configure the WAN ISP settings for an interface:
1. Select Network Config > WAN Settings. The WAN screen displays (see Figure 36 on page 68, which shows the UTM50).
2. Click the Edit button in the Action column of the WAN interface for which you want to configure the connection to the Internet. The WAN ISP Settings screen displays (see Figure 37 on page 69, which shows the WAN1 ISP Settings screen as an example).
3. Locate the ISP Login section on the screen:
Figure 39.
In the ISP Login section, select one of the following options:
If your ISP requires an initial login to establish an Internet connection, select Yes.
(The default is No.)
If a login is not required, select No, and ignore the Login and Password fields.
4. If you selected Yes, enter the login name in the Login field and the password in the
Password field. This information is provided by your ISP.
5. In the ISP Type section of the screen, select the type of ISP connection that you use from
the two listed options. By default, Other (PPPoE) is selected, as shown in the following figure:
Figure 40.
6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as
explained in the following table:
Table 14. PPTP and PPPoE settings
Austria (PPTP). If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button, and enter the following settings:
- Account Name. The account name is also known as the host name or system name. Enter the account name for the PPTP connection (usually your email ID assigned by your ISP). Some ISPs require you to enter your full email address here.
- Domain Name. Your domain name or workgroup name assigned by your ISP, or your ISP’s domain name. You can leave this field blank.
- Idle Timeout. Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Timeout radio button and, in the time-out field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
- My IP Address. The IP address assigned by the ISP to make the connection with the ISP server.
- Server IP Address. The IP address of the PPTP server.
Other (PPPoE). If you have installed login software, then your connection type is PPPoE. Select this radio button, and enter the following settings:
- Account Name. The account name for the PPPoE connection.
- Domain Name. The name of your ISP’s domain or your domain name if your ISP has assigned you one. You can leave this field blank.
- Idle Timeout. Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Timeout radio button and, in the time-out field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
Note: When you use a PPPoE connection and select the Idle Timeout radio button, you cannot configure load balancing (see Configure Load Balancing (Multiple WAN Port Models) on page 81). To use load balancing on a PPPoE connection, select the Keep Connected radio button. When you have configured load balancing, the Idle Timeout radio button and time-out field are masked out.
- Connection Reset. Select the Connection Reset check box to specify a time when the PPPoE WAN connection is reset, that is, the connection is disconnected momentarily and then reestablished. Then, specify the disconnect time and delay.
  - Disconnect Time. Specify the hour and minutes when the connection should be disconnected.
  - Delay. Specify the period in seconds after which the connection should be reestablished.
7. In the Internet (IP) Address section of the screen (see the following figure), configure the IP address settings as explained in the following table. Click the Current IP Address link to see the currently assigned IP address.
Figure 41.
Table 15. Internet IP address settings
Get Dynamically from ISP. If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the UTM using the DHCP network protocol.
- Client Identifier. If your ISP requires the client identifier information to assign an IP address using DHCP, select the Client Identifier check box.
- Vendor Class Identifier. If your ISP requires the vendor class identifier information to assign an IP address using DHCP, select the Vendor Class Identifier check box.
Use Static IP Address. If your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button, and enter the following settings:
- IP Address. Static IP address assigned to you. This address identifies the UTM to your ISP.
- Subnet Mask. The subnet mask is usually provided by your ISP.
- Gateway IP Address. The IP address of the ISP’s gateway is usually provided by your ISP.
8. In the Domain Name Server (DNS) Servers section of the screen (see the following figure), specify the DNS settings as explained in the following table.
Figure 42.
Table 16. DNS server settings
Get Automatically from ISP. If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get Automatically from ISP radio button.
Use These DNS Servers. If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Make sure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues.
- Primary DNS Server. The IP address of the primary DNS server.
- Secondary DNS Server. The IP address of the secondary DNS server.
9. Click Test to evaluate your entries. The UTM attempts to make a connection according to
the settings that you entered.
10. Click Apply to save any changes to the WAN ISP settings. (Or click Reset to discard any
changes and revert to the previous settings.)
For the multiple WAN port models, if you want to manually configure an additional WAN interface, select another WAN interface and repeat these steps. You can configure up to four WAN interfaces.
When you are finished, click the Logout link in the upper right of the web management interface, or proceed to additional setup and management tasks.

Configure the WAN Mode

For the multiple WAN port models, the UTM can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency). If you do not select load balancing, you need to specify one WAN interface as the primary interface.
Note: For the UTM9S only, you can also use a DSL interface for any of the following modes (see Appendix A, xDSL Module for the UTM9S).
Load balancing mode. The UTM distributes the outbound traffic equally among the WAN interfaces that are functional. Depending on the UTM model, you can configure up to four WAN interfaces. The UTM supports weighted load balancing and round-robin load balancing (see Configure Load Balancing and Optional Protocol Binding on page 81).
Note: Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic.
Primary WAN mode. The selected WAN interface is made the primary interface. The other interfaces are disabled.
Auto-rollover mode. The selected WAN interface is defined as the primary link, and another interface needs to be defined as the rollover link. If the UTM model has more than two WAN interfaces, the remaining interfaces are disabled. As long as the primary link is up, all traffic is sent over the primary link. When the primary link goes down, the rollover link is brought up to send the traffic. When the primary link comes back up, traffic automatically rolls back to the original primary link.
If you want to use a redundant ISP link for backup purposes, select the WAN interface that needs to function as the primary link for this mode. Ensure that the backup WAN interface has also been configured and that you configure the WAN failure detection method on the WAN Advanced Options screen to support auto-rollover (see Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models) on page 78).
Whichever WAN mode you select for the multiple WAN port models, you also need to select either NAT or classical routing, as explained in the following sections.
Note: NAT and classical routing also apply to the single WAN port models.
WARNING! When you change the WAN mode, the UTM restarts. If you change from primary WAN mode to load balancing mode, or the other way around, the interface through which you can access the UTM might change. Take note of the IP addresses of the interfaces before you change the WAN mode.

Configure Network Address Translation (All Models)

Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the UTM) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.
Note the following about NAT:
The UTM uses NAT to select the correct PC (on your LAN) to receive any incoming data.
If you have only a single public Internet IP address, you need to use NAT (the default
setting).
If your ISP has provided you with multiple public IP addresses, you can use one address
as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.
WARNING! Changing the WAN mode from classical routing to NAT causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.
To configure NAT:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen
displays (see Figure 43 on page 79).
2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button.
3. Click Apply to save your settings.

Configure Classical Routing (All Models)

In classical routing mode, the UTM performs routing, but without NAT. To gain Internet access, each PC on your LAN needs to have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to each PC, you can choose classical routing. Or, you can use classical routing for routing private IP addresses within a campus environment.
To view the status of the WAN ports, you can view the Router Status screen (see View the
System Status on page 439).
WARNING! Changing the WAN mode from NAT to classical routing causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.
To configure classical routing:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen
displays (see Figure 43 on page 79).
2. In the NAT (Network Address Translation) section of the screen, select the Classical
Routing radio button.
3. Click Apply to save your settings.

Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models)

To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that should function as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.
When the UTM is configured in auto-rollover mode, it uses the selected WAN failure detection method to detect the status of the primary link connection at regular intervals. Link failure is detected in one of the following ways:
DNS queries sent to a DNS server
Ping request sent to an IP address
None (no failure detection is performed)
From the primary WAN interface, DNS queries or ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the primary WAN interface is considered down, and a rollover to the backup WAN interface occurs. When the primary WAN interface comes back up, another rollover occurs from the backup WAN interface back to the primary WAN interface. The WAN failure detection method that you select applies only to the primary WAN interface, that is, it monitors the primary link only.
Configure Auto-Rollover Mode
To configure auto-rollover mode:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen
displays:
Figure 43.
2. In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Primary WAN Mode radio button.
b. From the corresponding drop-down list on the right, select a WAN interface to function as the primary WAN interface. The other WAN interface or interfaces become disabled.
c. Select the Auto Rollover check box.
d. From the corresponding drop-down list on the right, select a WAN interface to function as the backup WAN interface.
Note: Ensure that the backup WAN interface is configured before enabling
auto-rollover mode.
3. Click Apply to save your settings.
Configure the Failure Detection Method
To configure the failure detection method:
1. Select Network Config > WAN Settings. The WAN screen displays (see Figure 36 on
page 68).
2. Click the Edit button in the Action column of the WAN interface that you selected as the
primary WAN interface. The WAN ISP Settings screen displays (see Figure 37 on page 69, which shows the WAN1 ISP Settings screen as an example).
3. Click the Advanced option arrow at the upper right of the screen. The WAN Advanced
Options screen displays for the WAN interface that you selected. (For an image of the entire screen, see Figure 51 on page 90.)
4. Locate the Failure Detection Method section on the screen (see the following figure). Enter
the settings as explained in the following table.
Figure 44.
Table 17. Failure detection method settings
WAN Failure Detection Method. Select a failure detection method from the drop-down list. DNS queries or pings are sent through the WAN interface that is being monitored. The retry interval and number of failover attempts determine how quickly the UTM switches from the primary link to the backup link in case the primary link fails, or when the primary link comes back up, switches back from the backup link to the primary link.
- WAN DNS. DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually Configure the Internet Connection on page 71).
- Custom DNS. DNS queries are sent to the specified DNS server.
  - DNS Server. The IP address of the DNS server.
- Ping. Pings are sent to a server with a public IP address. This server should not reject the ping request and should not consider ping traffic to be abusive.
  - IP Address. The IP address of the ping server.
Retry Interval is. The retry interval in seconds. The DNS query or ping is sent periodically after every test period. The default test period is 30 seconds.
Failover after. The number of failover attempts. The primary WAN interface is considered down after the specified number of queries have failed to elicit a reply. The backup interface is brought up after this situation has occurred. The failover default is 4 failures.
Note: The default time to roll over after the primary WAN interface fails is
2 minutes. The minimum test period is 30 seconds, and the minimum number of tests is 4.
5. Click Apply to save your settings.
Note: You can configure the UTM to generate a WAN status log and email
this log to a specified address (see Configure Logging, Alerts, and
Event Notifications on page 422).
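How the Retry Interval and Failover after settings of Table 17 combine into the rollover timing, worked through as an added example (this is not NETGEAR code): a Python model that counts consecutive failed probes on the primary link, rolls over after the configured number of failures and rolls back once the primary answers again. The probe results are a constructed list; the interface names and the rule that a single successful probe triggers the rollback are assumptions.

```python
"""Auto-rollover failure detection (Table 17): added example, not NETGEAR code.

Probe results are supplied as a constructed list of True/False values instead
of real DNS queries or pings, so the model runs offline.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

METHODS = ("WAN DNS", "Custom DNS", "Ping", "None")


@dataclass
class FailureDetection:
    """The settings of Table 17 with the page's defaults and minimums."""
    method: str = "WAN DNS"
    retry_interval: int = 30   # seconds between probes (default 30)
    failover_after: int = 4    # consecutive failed probes (default 4)

    def __post_init__(self) -> None:
        if self.method not in METHODS:
            raise ValueError(f"unknown failure detection method: {self.method}")
        if self.retry_interval < 30:
            raise ValueError("minimum test period is 30 seconds")
        if self.failover_after < 4:
            raise ValueError("minimum number of tests is 4")

    def worst_case_rollover_seconds(self) -> int:
        """Time from the first missed reply until rollover; defaults give 120 s."""
        return self.retry_interval * self.failover_after


@dataclass
class RolloverMonitor:
    """Tracks the primary link only, as the page states, and switches traffic."""
    cfg: FailureDetection
    primary: str = "WAN1"      # assumed interface names
    backup: str = "WAN2"
    active: str = field(init=False)
    consecutive_failures: int = 0
    events: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary

    def observe(self, t: int, reply_received: bool) -> str:
        """Record one probe result taken at t seconds; return the active link."""
        if self.cfg.method == "None":
            return self.active            # no failure detection: never roll over
        if reply_received:
            self.consecutive_failures = 0
            if self.active != self.primary:
                # Assumption: one successful probe is enough to roll back.
                self.active = self.primary
                self.events.append((t, f"rollback to {self.primary}"))
        else:
            self.consecutive_failures += 1
            if (self.active == self.primary
                    and self.consecutive_failures >= self.cfg.failover_after):
                self.active = self.backup
                self.events.append((t, f"rollover to {self.backup}"))
        return self.active


def simulate(cfg: FailureDetection, probe_results: Iterable[bool]) -> RolloverMonitor:
    """Feed one probe per retry interval and return the monitor with its events."""
    mon = RolloverMonitor(cfg)
    for i, ok in enumerate(probe_results):
        mon.observe(i * cfg.retry_interval, ok)
    return mon


if __name__ == "__main__":
    # Constructed probe history: two replies, then the link goes dark for five
    # probes, then it answers again.
    run = simulate(FailureDetection(),
                   [True, True, False, False, False, False, False, True])
    for t, event in run.events:
        print(f"t={t:>4}s  {event}")
```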

Configure Load Balancing and Optional Protocol Binding

To use multiple ISP links simultaneously, configure load balancing. In load balancing mode, any WAN port carries any outbound protocol unless protocol binding is configured.
When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1 port and the FTP protocol is bound to the WAN2 port, then the UTM automatically routes all outbound HTTPS traffic from the computers on the LAN through the W AN1 port. All outbound FTP traffic is routed through the WAN2 port.
Protocol binding addresses two issues:
Segregation of traffic between links that are not of the same speed.
High-volume traffic can be routed through the WAN port connected to a high-speed link, and low-volume traffic can be routed through the WAN port connected to the low-speed link.
Continuity of source IP address for secure connections.
Some services, particularly HTTPS, cease to respond when a client’s source IP address changes shortly after a session has been established.
Configure Load Balancing (Multiple WAN Port Models)
To configure load balancing:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen
displays:
Figure 45.
Note: You cannot configure load balancing when you use a PPPoE connection and have selected the Idle Timeout radio button on the WAN ISP Settings screen (single WAN port models) or on one of the WAN ISP Settings screens (multiple WAN port models); to use load balancing on a PPPoE connection, select the Keep Connected radio button. For more information, see Figure 40 on page 72 and the accompanying PPPoE information in Table 14 on page 73.
2. In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Load Balancing Mode radio button.
b. From the corresponding drop-down list on the right, select one of the following load balancing methods:
Weighted LB. With weighted load balancing, balance weights are calculated
based on WAN link speed and available WAN bandwidth. This is the default setting and the most efficient load-balancing algorithm.
Round-robin. With round-robin load balancing, new traffic connections are sent
over a WAN link in a serial method irrespective of bandwidth or link speed. For example on a UTM150, if the WAN1, WAN2, and WAN3 interfaces are active in round-robin load balancing mode, an HTTP request could first be sent over the WAN1 interface, then a new FTP session could start on the WAN2 interface, and then any new connection to the Internet could be made on the WAN3 interface. This load-balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions.
3. Click Apply to save your settings.
Configure Protocol Binding (Optional)
To configure protocol binding and add protocol binding rules:
1. Select Network Config > Protocol Binding. The Protocol Bindings screen displays.
(The following figure shows two examples in the Protocol Bindings table.)
Figure 46.
The Protocol Bindings table displays the following fields:
Check box. Allows you to select the protocol binding rule in the table.
Status icon. Indicates the status of the protocol binding rule:
- Green circle. The protocol binding rule is enabled.
- Gray circle. The protocol binding rule is disabled.
Service. The service or protocol for which the protocol binding rule is set up.
Local Gateway. The WAN interface to which the service or protocol is bound.
Source Network. The computers on your network that are affected by the protocol
binding rule.
Destination Network. The Internet locations (based on their IP address) that are
covered by the protocol binding rule.
Action. The Edit button provides access to the Edit Protocol Binding screen for the
corresponding service.
2. Click the Add table button below the Protocol Bindings table. The Add Protocol Binding
screen displays:
Figure 47.
3. Configure the protocol binding settings as explained in the following table:
Table 18. Add Protocol Binding screen settings
Service. From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services screen (see Service-Based Rules on page 123).
Local Gateway. From the drop-down list, select one of the WAN interfaces.
Source Network. The source network settings determine which computers on your network are affected by this rule. Select one of the following options from the drop-down list:
- Any. All devices on your LAN.
- Single address. In the Start IP field, enter the IP address to which the rule is applied.
- Address Range. In the Start IP field and End IP field, enter the IP addresses for the range to which the rule is applied.
- Group 1–Group 8. If this option is selected, the rule is applied to the devices that are assigned to the selected group.
Note: You can also assign a customized name to a group (see Change Group Names in the Network Database on page 110).
Destination Network. The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the drop-down list:
- Any. All Internet IP addresses.
- Single address. In the Start IP field, enter the IP address to which the rule is applied.
- Address range. In the Start IP field and End IP field, enter the IP addresses for the range to which the rule is applied.
4. Click Apply to save your settings. The protocol binding rule is added to the Protocol Bindings table. The rule is automatically enabled, which is indicated by the status icon, a green circle.
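How a protocol binding rule (Table 18) takes precedence over the load balancing method chosen in step 2b of Configure Load Balancing, as an added example that is not NETGEAR's code: a Python selector that checks enabled rules by service, source network and destination network, and only otherwise falls back to round-robin or weighted selection. The weight calculation (proportional to configured link speed), the handling of a tie, the rule semantics and all sample addresses are assumptions or constructed data.

```python
"""Outbound WAN selection with protocol binding (Table 18) on top of weighted
or round-robin load balancing. Added example, not NETGEAR code; rule semantics,
the weight calculation and all addresses below are assumptions / constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import cycle
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Network:
    """A Source or Destination Network selector from Table 18."""
    kind: str            # "any", "single", "range", or "group" (source only)
    start: str = ""      # Start IP for single and range
    end: str = ""        # End IP for range
    group: int = 0       # Group 1 to Group 8

    def matches(self, ip: str, host_group: Optional[int] = None) -> bool:
        addr = IPv4Address(ip)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return addr == IPv4Address(self.start)
        if self.kind == "range":
            return IPv4Address(self.start) <= addr <= IPv4Address(self.end)
        if self.kind == "group":
            return host_group == self.group
        raise ValueError(f"unknown network kind: {self.kind}")


@dataclass(frozen=True)
class BindingRule:
    """One row of the Protocol Bindings table."""
    service: str         # e.g. "HTTPS" or "FTP"
    local_gateway: str   # WAN interface the service is bound to
    source: Network
    destination: Network
    enabled: bool = True


class WanSelector:
    """Picks the WAN interface for a new outbound connection."""

    def __init__(self, rules: List[BindingRule], active_wans: List[str],
                 method: str = "Weighted LB",
                 link_speed_mbps: Optional[Dict[str, float]] = None) -> None:
        if method not in ("Weighted LB", "Round-robin"):
            raise ValueError(f"unknown load balancing method: {method}")
        self.rules = rules
        self.active_wans = list(active_wans)   # interfaces that are up
        self.method = method
        self._rr = cycle(self.active_wans)
        # Assumption: the weight is simply the configured link speed; the
        # appliance also factors in available bandwidth, which is not modelled.
        speeds = link_speed_mbps or {w: 1.0 for w in self.active_wans}
        self._weight = {w: float(speeds[w]) for w in self.active_wans}
        self._sessions: Dict[str, int] = {w: 0 for w in self.active_wans}

    def select(self, service: str, src_ip: str, dst_ip: str,
               src_group: Optional[int] = None) -> Tuple[str, str]:
        """Return (WAN interface, reason) for a new connection."""
        # Binding rules win over load balancing, which also keeps the source
        # IP address stable for services such as HTTPS.
        for rule in self.rules:
            if (rule.enabled and rule.service == service
                    and rule.source.matches(src_ip, src_group)
                    and rule.destination.matches(dst_ip)):
                return rule.local_gateway, "protocol binding"
        if self.method == "Round-robin":
            return next(self._rr), "round-robin"
        # Weighted: give the next session to the link with the fewest
        # sessions per unit of weight (a deficit-style weighted round robin;
        # on a tie the first interface in the list wins).
        wan = min(self.active_wans,
                  key=lambda w: self._sessions[w] / self._weight[w])
        self._sessions[wan] += 1
        return wan, "weighted"


def demo() -> List[Tuple[str, str]]:
    """Constructed example mirroring the page: HTTPS bound to WAN1, FTP to WAN2."""
    rules = [
        BindingRule("HTTPS", "WAN1", Network("any"), Network("any")),
        BindingRule("FTP", "WAN2", Network("any"), Network("any")),
    ]
    sel = WanSelector(rules, ["WAN1", "WAN2", "WAN3"], method="Round-robin")
    lan_host, server = "192.168.1.10", "203.0.113.5"   # constructed addresses
    return [sel.select("HTTPS", lan_host, server),
            sel.select("FTP", lan_host, server),
            sel.select("HTTP", lan_host, server),
            sel.select("HTTP", lan_host, server),
            sel.select("HTTP", lan_host, server),
            sel.select("HTTP", lan_host, server)]


if __name__ == "__main__":
    for wan, reason in demo():
        print(wan, reason)
```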
To edit a protocol binding:
1. On the Protocol Bindings screen (see Figure 46 on page 83), in the Protocol Bindings table, click the Edit table button to the right of the binding that you want to edit. The Edit Protocol Binding screen displays. This screen shows the same fields as the Add Protocol Binding screen (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To enable, disable, or delete one or more protocol bindings:
1. On the Protocol Bindings screen (see Figure 46 on page 83), select the check box to the
left of each protocol binding that you want to enable, disable, or delete, or click the
Select All table button to select all bindings.
2. Click one of the following table buttons:
Enable. Enables the binding or bindings. The status icon changes from a gray circle to a green circle, indicating that the selected binding or bindings are enabled. (By default, when a binding is added to the table, it is automatically enabled.)
Disable. Disables the binding or bindings. The status icon changes from a green circle to a gray circle, indicating that the selected binding or bindings are disabled.
Delete. Deletes the binding or bindings.

Configure Secondary WAN Addresses

You can set up a single WAN port to be accessed through multiple IP addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a web server and an FTP server, even though both servers use the same physical IP address. You can add several secondary IP addresses to a single WAN port.
After you have configured secondary WAN addresses, these addresses are displayed on the following firewall rule screens:
In the WAN Destination IP Address drop-down lists of the following inbound firewall rule
screens:
- Add LAN WAN Inbound Service screen
- Add DMZ WAN Inbound Service screen
In the NAT IP drop-down lists of the following outbound firewall rule screens:
- Add LAN WAN Outbound Service screen
- Add DMZ WAN Outbound Service screen
For more information about firewall rules, see Use Rules to Block or Allow Specific Kinds of Traffic on page 122.
It is important that you ensure that any secondary WAN addresses are different from the primary WAN, LAN, and DMZ IP addresses that are already configured on the UTM. However, primary and secondary WAN addresses can be in the same subnet. The following is an example of correctly configured IP addresses on a multiple WAN port model:
Primary WAN1 IP address. 10.121.0.1 with subnet 255.255.255.0
Secondary WAN1 IP address. 10.121.26.1 with subnet 255.255.255.0
Primary WAN2 IP address. 10.216.75.1 with subnet 255.255.255.0
Secondary WAN2 IP address. 10.216.82.1 with subnet 255.255.255.0
DMZ IP address. 192.168.10.1 with subnet 255.255.255.0
Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0
Secondary LAN IP address. 192.168.2.1 with subnet 255.255.255.0
To add a secondary WAN address to a WAN interface:
1. Select Network Config > WAN Settings. The WAN screen displays (see Figure 36 on
page 68).
2. Click the Edit button in the Action column of the WAN interface for which you want to add a
secondary address. The WAN ISP Settings screen displays (see Figure 36 on page 68, which shows the WAN1 ISP Settings screen as an example).
3. Click the Secondary Addresses option arrow at the upper right of the screen. The WAN
Secondary Addresses screen displays for the WAN interface that you selected (see the following figure, which shows the WAN1 Secondary Addresses screen as an example, and which includes one entry in the List of Secondary WAN addresses table).
Figure 48.
The List of Secondary WAN addresses table displays the secondary LAN IP addresses added for the selected WAN interface.
4. In the Add WAN Secondary Addresses section of the screen, enter the following settings:
IP Address. Enter the secondary address that you want to assign to the WAN
interface.
Subnet Mask. Enter the subnet mask for the secondary IP address.
5. Click the Add table button in the rightmost column to add the secondary IP address to the
List of Secondary WAN addresses table. Repeat step 4 and step 5 for each secondary IP address that you want to add to the List
of Secondary WAN addresses table.
To delete one or more secondary addresses:
1. In the List of Secondary WAN addresses table, select the check box to the left of each
address that you want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.

Configure Dynamic DNS

Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IP addresses to be located using Internet domain names. To use DDNS, you need to set up an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org. (Links to DynDNS, TZO, Oray, and 3322 are provided for your convenience as option arrows on the DDNS configuration screens.) The UTM firmware includes software that notifies DDNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet.
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently; hence the need for a commercial DDNS service, which allows you to register an extension to its domain, and restores DNS requests for the resulting fully qualified domain name (FQDN) to your frequently changing IP address.
After you have configured your account information on the UTM, when your ISP-assigned IP address changes, your UTM automatically contacts your DDNS service provider, logs in to your account, and registers your new IP address.
Consider the following:
For auto-rollover mode, you need an FQDN to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address.
For load balancing mode, you might still need an FQDN either for convenience or if you
have a dynamic IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x
or 10.x.x.x, the DDNS service does not work because private addresses are not routed on the Internet.
To configure DDNS:
1. Select Network Config > Dynamic DNS. The Dynamic DNS screen displays (see the following figure).
The WAN Mode section on the screen reports the currently configured WAN mode (for example, Single Port WAN1, Load Balancing, or Auto Rollover). Only those options that match the configured WAN mode are accessible on the screen.
2. Click the submenu tab for your DDNS service provider:
Dynamic DNS for DynDNS.org (which is shown in the following figure)
DNS TZO for TZO.com
DNS Oray for Oray.net
3322 DDNS for 3322.org
Figure 49.
3. Click the Information option arrow in the upper right of a DNS screen for registration
information.
Figure 50.
4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
5. Configure the DDNS service settings as explained in the following table:
Table 19. DNS service settings
WAN (Dynamic DNS Status: ...) or WAN1 (Dynamic DNS Status: ...)
- Change DNS to (DynDNS, TZO, Oray, or 3322). Select the Yes radio button to enable the DDNS service. The fields that display on the screen depend on the DDNS service provider that you have selected. Enter the following settings:
  - Host and Domain Name. The host and domain name for the DDNS service.
  - Username or User Email Address. The user name or email address for DDNS server authentication.
  - Password or User Key. The password that is used for DDNS server authentication.
  - Use wildcards. If your DDNS provider allows the use of wildcards in resolving your URL, you can select the Use wildcards check box to activate this feature. For example, the wildcard feature causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org.
  - Update every 30 days. If your WAN IP address does not change often, you might need to force a periodic update to the DDNS service to prevent your account from expiring. If the Update every 30 days check box displays, select it to enable a periodic update.
WAN2 (Dynamic DNS Status: ...) or WAN3 (Dynamic DNS Status: ...) or WAN4 (Dynamic DNS Status: ...). See the information for WAN or WAN1 about how to enter the settings. You can select different DDNS services for different WAN interfaces.
6. Click Apply to save your configuration.

Configure Advanced WAN Options

The advanced options include configuring the maximum transmission unit (MTU) size, the port speed, and the UTM’s MAC address, and setting a rate limit on the traffic that is being forwarded by the UTM.
Note: You can also configure the failure detection method for the
auto-rollover mode on the Advanced screen. This procedure is discussed in Configure the Failure Detection Method on page 79.
To configure advanced WAN options:
1. Select Network Config > WAN Settings.
2. Click the Edit button in the Action column of the WAN interface for which you want to configure the advanced options. The WAN ISP Settings screen displays (see Figure 37 on page 69, which shows the WAN1 ISP Settings screen of the UTM50 as an example).
3. Click the Advanced option arrow in the upper right of the screen. The WAN Advanced Options screen displays for the WAN interface that you selected. (The following figure shows the WAN1 Advanced Options screen of the UTM50 as an example.)
Figure 51.
4. Enter the settings as explained in the following table:
Table 20. Advanced WAN settings
MTU Size. Make one of the following selections:
- Default. Select the Default radio button for the normal maximum transmission unit (MTU) value. For most Ethernet networks this value is 1500 bytes, or 1492 bytes for PPPoE connections.
- Custom. Select the Custom radio button, and enter an MTU value in the Bytes field. For some ISPs, you might need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
Speed. In most cases, the UTM can automatically determine the connection speed of the WAN port of the device (modem or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed. If you know the Ethernet port speed of the modem or router, select it from the drop-down list. Use the half-duplex settings only if the full-duplex settings do not function correctly.
Select one of the following speeds from the drop-down list:
- AutoSense. Speed autosensing. This is the default setting, which can sense all Ethernet speeds and duplex modes, including 1000BASE-T speed at full duplex.
- 10BaseT Half_Duplex. Ethernet speed at half duplex.
- 10BaseT Full_Duplex. Ethernet speed at full duplex.
- 100BaseT Half_Duplex. Fast Ethernet speed at half duplex.
- 100BaseT Full_Duplex. Fast Ethernet speed at full duplex.
- 1000BaseT Full_Duplex. Gigabit Ethernet.
Router’s MAC Address. Make one of the following selections:
- Use Default Address. Each computer or router on your network has a unique 32-bit local Ethernet address. This is also referred to as the computer’s Media Access Control (MAC) address. To use the UTM’s own MAC address, select the Use Default Address radio button.
- Use this computer’s MAC Address. Select the Use this computer’s MAC Address radio button to allow the UTM to use the MAC address of the computer you are now using to access the web management interface. This setting is useful if your ISP requires MAC authentication.
- Use this MAC Address. Select the Use this MAC Address radio button, and manually enter the MAC address in the field next to the radio button. You would typically enter the MAC address that your ISP is requiring for MAC authentication.
Note: The format for the MAC address is 01:23:45:67:89:AB (numbers 0–9 and either uppercase or lowercase letters A–F). If you enter a MAC address, the existing entry is overwritten.
Failure Detection Method. See Configure the Failure Detection Method on page 79, including Table 17 on page 80.
WARNING!
Table 20. Advanced WAN settings (continued)
Upload/Download Settings. These settings rate-limit the traffic that is being forwarded by the UTM.
- WAN Connection Type. From the drop-down list, select the type of connection that the UTM uses to connect to the Internet: DSL, ADSL, Cable Modem, T1, T3, or Other.
- WAN Connection Speed Upload. From the drop-down list, select the maximum upload speed that is provided by your ISP. You can select from 56 Kbps to 1 Gbps, or you can select Custom and enter the speed in Kbps in the field below the drop-down list.
- WAN Connection Speed Download. From the drop-down list, select the maximum download speed that is provided by your ISP. You can select from 56 Kbps to 1 Gbps, or you can select Custom and enter the speed in Kbps in the field below the drop-down list.
5. Click Apply to save your changes.
Depending on the changes that you made, when you click Apply, the UTM restarts, or services such as HTTP and SMTP might restart.
If you want to configure the advanced settings for an additional WAN interface, select another WAN interface and repeat these steps.

Additional WAN-Related Configuration Tasks

If you want the ability to manage the UTM remotely, enable remote management (see Configure Remote Management Access on page 399). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator and Guest Settings on page 397).
You can set up the traffic meter for each WAN, if you wish. See Enable the WAN Traffic Meter on page 419.

4. LAN Configuration

This chapter describes how to configure the advanced LAN features of your UTM. This chapter contains the following sections:
Manage Virtual LANs and DHCP Options
Configure Multihome LAN IPs on the Default VLAN
Manage Groups and Hosts (LAN Groups)
Configure and Enable the DMZ Port
Manage Routing
Note: The initial LAN configuration of the UTM’s default VLAN 1 is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network.
Note: The Wireless Settings configuration menu is shown on the UTM9S only, accessible under the Network Config main navigation menu.
Note: On the UTM9S, the Email Notification configuration menu is accessible under the Monitoring main navigation menu instead of the Network Config main navigation menu.

Manage Virtual LANs and DHCP Options

A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges, or switches in the same physical segment or segments connect all end node devices. Endpoints can communicate with each other without the need for a router. Routers connect LANs together, routing the traffic to the appropriate port.
A virtual LAN (VLAN) is a local area network with a definition that maps workstations on some basis other than geographic location (for example, by department, type of user, or primary application). To enable traffic to flow between VLANs, traffic needs to go through a router, just as if the VLANs were on two separate LANs.
A VLAN is a group of PCs, servers, and other network resources that behave as if they were connected to a single network segment—even though they might not be. For example, all marketing personnel might be spread throughout a building. Yet if they are all assigned to a single VLAN, they can share resources and bandwidth as if they were connected to the same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, depending on how the IT manager has set up the VLANs.
VLANs have a number of advantages:
It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group’s traffic is contained largely within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network.
They are easy to manage. The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from a management interface rather than from the wiring closet.
They provide increased performance. VLANs free up bandwidth by limiting node-to-node and broadcast traffic throughout the network.
They ensure enhanced network security. VLANs create virtual boundaries that can be crossed only through a router. So standard, router-based security measures can be used to restrict access to each VLAN.

Port-Based VLANs

The UTM supports port-based VLANs. Port-based VLANs help to confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port can have only one VLAN ID as its port VLAN identifier (PVID). By default, all four LAN ports of the UTM are assigned to the default VLAN, or VLAN 1. Therefore, by default, all four LAN ports have the default PVID 1. However, you can assign another PVID to a LAN port by selecting a VLAN profile from the drop-down list on the LAN Setup screen.
After you have created a VLAN profile and assigned one or more ports to the profile, you need to enable the profile to activate it.
The UTM’s default VLAN cannot be deleted. All untagged traffic is routed through the default VLAN (VLAN 1), which you need to assign to at least one LAN port.
Note the following about VLANs and PVIDs:
One physical port is assigned to at least one VLAN.
One physical port can be assigned to multiple VLANs.
When one port is assigned to multiple VLANs, the port is used as a trunk port to connect to another switch or router.
When a port receives an untagged packet, this packet is forwarded to a VLAN based on the PVID.
When a port receives a tagged packet, this packet is forwarded to a VLAN based on the ID that is extracted from the tagged packet.
When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged. All other packets are tagged according to the VLAN ID that you assigned to the VLAN when you created the VLAN profile.
This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one of which is connected to the UTM, the other one to another device:
Packets coming from the IP phone to the UTM LAN port are tagged. Packets passing through the IP phone from the connected device to the UTM LAN port are untagged. When you assign the UTM LAN port to a VLAN, packets entering and leaving the port are tagged with the VLAN ID. However, untagged packets entering the UTM LAN port are forwarded to the default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are untagged.
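The PVID rules above, modeled in Python as an added illustration (this is not NETGEAR code; the MAC addresses and frames are constructed for the IP phone scenario, and the handling of a priority-only tag with VID 0 follows the 802.1Q standard rather than anything this manual states). It also applies the VLAN ID limits from Table 21 (2 to 4093, with 1 and 4094 reserved).

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
DEFAULT_PVID = 1         # the UTM's default VLAN is also the default PVID
DMZ_VID = 4094           # reserved for the DMZ interface (Table 21)
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses for the IP phone scenario (not from the manual)
PHONE_MAC = bytes.fromhex("001122334455")
UTM_MAC = bytes.fromhex("66778899aabb")


def validate_vlan_id(vid):
    """VLAN ID rules from Table 21: user-defined VLANs use IDs 2 to 4093."""
    if vid == DEFAULT_PVID:
        raise ValueError("VLAN ID 1 is reserved for the default VLAN")
    if vid == DMZ_VID:
        raise ValueError("VLAN ID 4094 is reserved for the DMZ interface")
    if not 2 <= vid <= 4093:
        raise ValueError("VLAN ID %d is outside the range 2-4093" % vid)
    return vid


def is_tagged(frame):
    """True when the EtherType slot after the two MAC addresses holds the TPID."""
    return len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def classify_ingress(frame, pvid=DEFAULT_PVID):
    """Return (vlan_id, tagged) for a frame received on a LAN port.

    A tagged frame is forwarded to the VLAN in its 12-bit VID field; an
    untagged frame is forwarded to the port's PVID.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    if is_tagged(frame):
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        # VID 0 is a priority-only tag, which 802.1Q treats as untagged
        # (standard behaviour, not something this manual describes).
        return (vid if vid else pvid), True
    return pvid, False


def build_egress(frame, vlan_id, pvid=DEFAULT_PVID):
    """Egress rule: frames in the port's PVID VLAN leave untagged; frames in
    any other VLAN leave tagged with that VLAN ID."""
    rest = frame[16:] if is_tagged(frame) else frame[12:]  # EtherType onward
    if vlan_id == pvid:
        return frame[:12] + rest
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF) + rest


def make_frame(src, dst, vid=None):
    """Build a minimal constructed frame, optionally 802.1Q-tagged with vid."""
    body = struct.pack("!H", ETHERTYPE_IPV4) + bytes([0x45]) + bytes(19)
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid)
    return dst + src + tag + body


if __name__ == "__main__":
    phone = make_frame(PHONE_MAC, UTM_MAC, vid=validate_vlan_id(20))
    pc = make_frame(PHONE_MAC, UTM_MAC)   # device behind the phone: untagged
    print(classify_ingress(phone))         # (20, True)
    print(classify_ingress(pc))            # (1, False)
    print(is_tagged(build_egress(pc, DEFAULT_PVID)))   # False
```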
Note: The configuration of the DHCP options for the default VLAN is explained in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. For information about how to add and edit a VLAN profile, including its DHCP options, see Configure a VLAN Profile on page 98.

Assign and Manage VLAN Profiles

To assign VLAN profiles to the LAN ports and manage VLAN profiles:
1. Select Network Config > LAN Settings. The LAN submenu tabs display, with the LAN Setup screen in view. The following figure shows the LAN Setup screen for the UTM50 with six LAN ports, and the default VLAN profile and another VLAN profile as examples. Note that the screens for all other UTM models (not shown in this manual) have four LAN ports in the Default VLAN section.
Figure 52.
For each VLAN profile, the following fields display in the VLAN Profiles table:
Check box. Allows you to select the VLAN profile in the table.
Status icon. Indicates the status of the VLAN profile:
- Green circle. The VLAN profile is enabled.
- Gray circle. The VLAN profile is disabled.
Profile Name. The unique name assigned to the VLAN profile.
VLAN ID. The unique ID (or tag) assigned to the VLAN profile.
Subnet IP. The subnet IP address for the VLAN profile.
DHCP Status. The DHCP server status for the VLAN profile, which can be either
DHCP Enabled or DHCP Disabled.
Action. The Edit table button, which provides access to the Edit VLAN Profile screen.
2. Assign a VLAN profile to a LAN port (for the UTM5, UTM10, UTM25, and UTM150: Port 1, Port 2, Port 3, or Port 4/DMZ; for the UTM50: Port 1, Port 2, Port 3, Port 4, Port 5, or Port 6/DMZ) by selecting a VLAN profile from the drop-down list. Both enabled and disabled VLAN profiles are displayed in the drop-down lists.
3. Click Apply to save your settings.

VLAN DHCP Options

For each VLAN, you need to specify the Dynamic Host Configuration Protocol (DHCP) options (see Configure a VLAN Profile on page 98). The configuration of the DHCP options for the UTM’s default VLAN, or VLAN 1, is explained in Chapter 3, Manually Configuring Internet and WAN Settings. This section provides further information about the DHCP options.
DHCP Server
The default VLAN (VLAN 1) has the DHCP server option enabled by default, allowing the UTM to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the UTM’s LAN. The assigned default gateway address is the LAN address of the UTM. IP addresses are assigned to the attached computers from a pool of addresses that you need to specify. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN. When you create a new VLAN, the DHCP server option is disabled by default.
For most applications, the default DHCP server and TCP/IP settings of the UTM are satisfactory.
The UTM delivers the following settings to any LAN device that requests DHCP:
An IP address from the range that you have defined
Subnet mask
Gateway IP address (the UTM’s LAN IP address)
Primary DNS server (the UTM’s LAN IP address)
WINS server (if you entered a WINS server address in the DHCP Setup screen)
Lease time (the date obtained and the duration of the lease).
DHCP Relay
DHCP relay options allow you to make the UTM a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP relay agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet. If you do not configure a DHCP relay agent for a VLAN, its clients can obtain IP addresses only from a DHCP server that is on the same subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you need to configure the DHCP relay agent on the subnet that contains the remote clients, so that the DHCP relay agent can relay DHCP broadcast messages to your DHCP server.
DNS Proxy
When the DNS proxy option is enabled for a VLAN, the UTM acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers (as configured on the WAN ISP Settings screens). All DHCP clients receive the primary and secondary DNS IP addresses along with the IP address where the DNS proxy is located (that is, the UTM’s LAN IP address). When the DNS proxy option is disabled for a VLAN, all DHCP clients receive the DNS IP addresses of the ISP but without the DNS proxy IP address. A DNS proxy is particularly useful in auto-rollover mode. For example, if the DNS servers for each WAN connection are different servers, then a link failure might render the DNS servers inaccessible. However, when the DNS proxy option is enabled, the DHCP clients can make requests to the UTM, which, in turn, can send those requests to the DNS servers of the active WAN connection. However, disable the DNS proxy if you are using a multiple WAN configuration in auto-rollover mode with route diversity (that is, with two different ISPs) and you cannot ensure that the DNS server is available after a rollover has occurred.
LDAP Server
A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server. For each VLAN, you can specify an LDAP server and a search base that defines the location in the directory (that is, the directory tree) from which the LDAP search begins.

Configure a VLAN Profile

For each VLAN on the UTM, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing capability.
The preconfigured default VLAN is called defaultVLAN. A UTM9S in which a wireless module is installed also has a default WLAN with the name defaultWLAN.
To add or edit a VLAN profile:
1. Select Network Config > LAN Settings. The LAN submenu tabs display, with the LAN Setup screen in view. The following figure shows the LAN Setup screen for the UTM50 with six LAN ports, and the default VLAN profile and another VLAN profile as examples. Note that the screens for all other UTM models (not shown in this manual) have four LAN ports in the Default VLAN section.
Note: For information about how to manage VLANs, see Port-Based VLANs on page 94. The following information describes how to configure a VLAN profile.
Figure 53.
2. Either select an entry from the VLAN Profiles table and click the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table. The Edit VLAN Profile screen displays. The following figure shows the Edit VLAN Profile screen for the UTM with four ports in the Port Membership section. Note that the Edit VLAN Profile screens for the UTM50 (not shown in this manual) have six ports in the Port Membership section.
Figure 54.
3. Enter the settings as explained in the following table:
Table 21. Edit VLAN Profile screen settings
VLAN Profile
- Profile Name. Enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN.
- VLAN ID. Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. Note: You can enter VLAN IDs from 2 to 4093. VLAN ID 1 is reserved for the default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
Port Membership
- UTM5, UTM9S, UTM10, UTM25, and UTM150: Port 1, Port 2, Port 3, and Port 4 / DMZ. UTM50: Port 1, Port 2, Port 3, Port 4, Port 5, and Port 6 / DMZ. Select one, several, or all port check boxes to make the ports members of this VLAN. Note: A port that is defined as a member of a VLAN profile can send and receive data frames that are tagged with the VLAN ID.
LAN TCP/IP Setup
- IP Address. Enter the IP address of the UTM (the factory default address is 192.168.1.1). Note: Always make sure that the LAN port IP address and DMZ port IP address are in different subnets. Note: If you change the LAN IP address of the VLAN while being connected through the browser to the VLAN, you are disconnected. You then need to open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you now need to enter https://10.0.0.1 in your browser to reconnect to the web management interface.
- Subnet Mask. Enter the IP subnet mask. The subnet mask specifies the network number portion of an IP address. Based on the IP address that you assign, the UTM automatically calculates the subnet mask. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the UTM).
DHCP
- Disable DHCP Server. If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. By default, this radio button is not selected, and the DHCP server is enabled.