ProSecure Unified Threat Management (UTM) Appliance
Reference Manual
350 East Plumeria Drive
San Jose, CA 95134
USA
September 2011
202-10780-01
1.0
ProSecure Unified Threat Management (UTM) Appliance
© 2009–2011 NETGEAR, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of NETGEAR, Inc.
Technical Support
Thank you for choosing NETGEAR. T o register your product, get the latest product updates, get support online, or
for more information about the topics covered in this manual, visit the Support website at visit us at
http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): Check the list of phone numbers at
http://support.netgear.com/app/answers/detail/a_id/984.
Product Updates
Product updates are available on the NETGEAR website at http://prosecure.netgear.com or
http://kb.netgear.com/app/home.
ProSecure Forum
Go to http://prosecure.netgear.com/community/forum.php for information about the ProSecure forum and to
become part of the ProSecure community.
Trademarks
NETGEAR, the NETGEAR logo, ReadyNAS, ProSafe, ProSecure, Smart Wizard, Auto Uplink, X-RAID2, and
NeoTV are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, Windows NT, and Vista
are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or
trademarks of their respective holders.
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes
to the products described in this document without notice. NETGEAR does not assume any liability that may occur
due to the use, or application of, the product(s) or circuit layout(s) described herein.
Revision History
Publication
Part Number
202-10780-01 1.0 September 2011 • Addition of the UTM9 S with the following major new features:
Version Publish Date Comments
- xDSL module (see Chapter 1, Introduction and Chapter 3,
Manually Configuring Internet and WAN Settings)
- Wireless module (see Chapter 1, Introduction and
Appendix B, Wireless Module for the UTM9S)
- ReadyNAS integration, quarantine options, and quarantine
logs (see Connect to a ReadyNAS and Configure
Quarantine Settings (UTM9S Only), Query the Quarantine
Logs (UTM9S Only), and Appendix D, ReadyNAS
Integration
- PPTP server (see Configure the PPTP Server (UTM9S
Only))
- L2TP server (see Configure the L2TP Server (UTM9S
Only))
• Update of the VPN client sections with the new VPN client (see
Chapter 7, Virtual Private Networking Using IPSec Connections)
2
ProSecure Unified Threat Management (UTM) Appliance
202-10674-02 1.0 March 2011 • Addition of the UTM150.
• Removal of platform-specific chapters and sections because the
UTM5, UTM10, and UTM25 now support the same web
management interface menu layout that was already supported
on the UTM50. The major changes for the UTM5, UTM10, and
UTM25 are documented in Chapter 3, Manually Configuring
Internet and WAN Settings, and in the following sections:
- Set Web Access Exception Rules
- Configure Authentication Domains, Groups, and Users
• Added new features (for all UTM models). The major new
features are documented in the following sections:
- Electronic Licensing
- VLAN Rules
- Create Service Groups
- Create IP Groups
- Manage Digital Certificates for HTTPS Scans
- Update the Firmware
- View, Schedule, and Generate Reports
202-10674-01 1.0 September 2010 • Addition of the UTM50 and UTM50-specific chapters and
sections.
• Revision of DMZ WAN and LAN DMZ default policies.
202-10482-03 1.0 May 2010 • Applied numerous nontechnical edits.
• Added the Requirements for Entering IP Addresses section.
• Added a note about the processing of normal email traffic in the
Configure Distributed Spam Analysis section.
• Updated the NTP section.
202-10482-02 1.0 January 2010 Updated the web management interface screens, made the
manual platform-independent, added a model comparison table,
and removed performance specifications (see marketing
documentation for such specifications).
202-10482-01 1.0 September 2009 Initial publication of this reference manual.
3
Contents
Chapter 1 Introduction
What Is the ProSecure Unified Threat Management (UTM) Appliance? . .13
Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Multiple WAN Port Models for Increased Reliability or
Outbound Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Wireless Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
DSL Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . .16
A Powerful, True Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Stream Scanning for Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . .16
Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Autosensing Ethernet Connections with Auto Uplink . . . . . . . . . . . . . . .17
Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Easy Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Model Comparison . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Service Registration Card with License Keys. . . . . . . . . . . . . . . . . . . . . . .20
Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Front Panel UTM5 and UTM10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Front Panel UTM25 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Front Panel UTM50 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Front Panel UTM150 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Front Panel UTM9S and Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 . . . .27
LED Descriptions, UTM9S and Modules . . . . . . . . . . . . . . . . . . . . . . . .28
Rear Panel UTM5, UTM10, and UTM25 . . . . . . . . . . . . . . . . . . . . . . . .30
Rear Panel UTM50 and UTM150. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Rear Panel UTM9S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Bottom Panels with Product Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Choose a Location for the UTM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Use the Rack-Mounting Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Chapter 2 Using the Setup Wizard to Provision the UTM in Your
Network
Steps for Initial Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Qualified Web Browsers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Requirements for Entering IP Addresses . . . . . . . . . . . . . . . . . . . . . . . .38
Log In to the UTM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
4
ProSecure Unified Threat Management (UTM) Appliance
Web Management Interface Menu Layout . . . . . . . . . . . . . . . . . . . . . . .40
Use the Setup Wizard to Perform the Initial Configuration. . . . . . . . . . . . .42
Setup Wizard Step 1 of 10: LAN Settings. . . . . . . . . . . . . . . . . . . . . . . .43
Setup Wizard Step 2 of 10: WAN Settings . . . . . . . . . . . . . . . . . . . . . . .46
Setup Wizard Step 3 of 10: System Date and Time . . . . . . . . . . . . . . . .49
Setup Wizard Step 4 of 10: Services . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Setup Wizard Step 5 of 10: Email Security. . . . . . . . . . . . . . . . . . . . . . .53
Setup Wizard Step 6 of 10: Web Security . . . . . . . . . . . . . . . . . . . . . . .55
Setup Wizard Step 7 of 10: Web Categories to Be Blocked. . . . . . . . . .57
Setup Wizard Step 8 of 10: Email Notification . . . . . . . . . . . . . . . . . . . .59
Setup Wizard Step 9 of 10: Signatures & Engine. . . . . . . . . . . . . . . . . .60
Setup Wizard Step 10 of 10: Saving the Configuration . . . . . . . . . . . . .61
Verify Correct Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
Test Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Test HTTP Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Register the UTM with NETGEAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
Electronic Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Chapter 3 Manually Configuring Internet and WAN Settings
Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Automatically Detecting and Connecting the Internet Connections . . . . . .67
Set the UTM’s MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Manually Configure the Internet Connection . . . . . . . . . . . . . . . . . . . . . . .71
Configure the WAN Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Configure Network Address Translation (All Models). . . . . . . . . . . . . . .77
Configure Classical Routing (All Models) . . . . . . . . . . . . . . . . . . . . . . . .77
Configure Auto-Rollover Mode and the Failure Detection
Method (Multiple WAN Port Models) . . . . . . . . . . . . . . . . . . . . . . . . . . .78
Configure Load Balancing and Optional Protocol Binding . . . . . . . . . . .81
Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Configure Advanced WAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . .92
Chapter 4 LAN Configuration
Manage Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . .93
Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Assign and Manage VLAN Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Configure VLAN MAC Addresses and Advanced LAN Settings. . . . . .103
Configure Multihome LAN IPs on the Default VLAN . . . . . . . . . . . . . . . .104
Manage Groups and Hosts (LAN Groups) . . . . . . . . . . . . . . . . . . . . . . . .106
Manage the Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Change Group Names in the Network Database . . . . . . . . . . . . . . . . .110
Set Up Address Reservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
5
ProSecure Unified Threat Management (UTM) Appliance
Configure and Enable the DMZ Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Manage Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115
Configure Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configure Routing Information Protocol . . . . . . . . . . . . . . . . . . . . . . . . 118
Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Chapter 5 Firewall Protection
About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Use Rules to Block or Allow Specific Kinds of Traffic. . . . . . . . . . . . . . . .122
Service-Based Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .123
Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Set LAN WAN Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130
Set DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133
Set LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Inbound Rule Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139
Outbound Rule Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Configure Other Firewall Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
VLAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144
Attack Checks, VPN Pass-through, and Multicast Pass-through. . . . .146
Set Session Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Manage the Application Level Gateway for SIP Sessions . . . . . . . . . . 151
Create Services, QoS Profiles, and Bandwidth Profiles. . . . . . . . . . . . . .152
Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152
Create Service Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .154
Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Create Quality of Service Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Set a Schedule to Block or Allow Specific Traffic. . . . . . . . . . . . . . . . . . .163
Enable Source MAC Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166
Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Use the Intrusion Prevention System. . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Chapter 6 Content Filtering and Optimizing Scans
About Content Filtering and Scans. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Default Email and Web Scan Settings . . . . . . . . . . . . . . . . . . . . . . . . .176
Configure Email Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Customize Email Protocol Scan Settings . . . . . . . . . . . . . . . . . . . . . . .178
Customize Email Antivirus and Notification Settings . . . . . . . . . . . . . . 179
Email Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Protect Against Email Spam. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Configure Web and Services Protection . . . . . . . . . . . . . . . . . . . . . . . . .194
Customize Web Protocol Scan Settings and
Services (Web Applications). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194
Configure Web Malware Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
6
ProSecure Unified Threat Management (UTM) Appliance
Configure Web Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199
Configure Web URL Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206
HTTPS Scan Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Manage Digital Certificates for HTTPS Scans . . . . . . . . . . . . . . . . . . .213
Specify Trusted Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .218
Configure FTP Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .219
Set Web Access Exception Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Create Custom Groups for Web Access Exceptions . . . . . . . . . . . . . .228
Create Custom Categories for Web Access Exceptions . . . . . . . . . . .231
Set Scanning Exclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235
Chapter 7 Virtual Private Networking
Using IPSec Connections
Considerations for Dual WAN Port Systems
(Multiple WAN Port Models Only). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .237
Use the IPSec VPN Wizard for Client and Gateway Configurations . . . .239
Create Gateway-to-Gateway VPN Tunnels with the Wizard . . . . . . . .239
Create a Client-to-Gateway VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . .243
Test the Connection and View Connection and Status Information. . . . .258
Test the NETGEAR VPN Client Connection. . . . . . . . . . . . . . . . . . . . .258
NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . .260
View the UTM IPSec VPN Connection Status . . . . . . . . . . . . . . . . . . .260
View the UTM IPSec VPN Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261
Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Manage IKE Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .262
Manage VPN Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269
Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .277
Configure XAUTH for VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .277
User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .278
RADIUS Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Assign IP Addresses to Remote Users (Mode Config). . . . . . . . . . . . . . .281
Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .281
Configure Mode Config Operation on the UTM . . . . . . . . . . . . . . . . . .281
Configure the ProSafe VPN Client for Mode Config Operation . . . . . .288
Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .295
Modify or Delete a Mode Config Record. . . . . . . . . . . . . . . . . . . . . . . .296
Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .297
Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .297
Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298
Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .299
Configure the PPTP Server (UTM9S Only) . . . . . . . . . . . . . . . . . . . . . . .300
View the Active PPTP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .302
Configure the L2TP Server (UTM9S Only). . . . . . . . . . . . . . . . . . . . . . . .303
View the Active L2TP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .304
7
ProSecure Unified Threat Management (UTM) Appliance
Chapter 8 Virtual Private Networking
Using SSL Connections
SSL VPN Portal Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306
Use the SSL VPN Wizard for Client Configurations. . . . . . . . . . . . . . . . . 307
SSL VPN Wizard Step 1 of 6 (Portal Settings). . . . . . . . . . . . . . . . . . .308
SSL VPN Wizard Step 2 of 6 (Domain Settings) . . . . . . . . . . . . . . . . .310
SSL VPN Wizard Step 3 of 6 (User Settings). . . . . . . . . . . . . . . . . . . . 314
SSL VPN Wizard Step 4 of 6 (Client Addresses and Routes) . . . . . . .316
SSL VPN Wizard Step 5 of 6 (Port Forwarding). . . . . . . . . . . . . . . . . . 317
SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings) . . . . . .319
Access the New SSL Portal Login Screen . . . . . . . . . . . . . . . . . . . . . .320
View the UTM SSL VPN Connection Status . . . . . . . . . . . . . . . . . . . . 322
View the UTM SSL VPN Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322
Manually Configure and Edit SSL Connections . . . . . . . . . . . . . . . . . . . .323
Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . .328
Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . .328
Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Use Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . 334
Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . .336
Chapter 9 Managing Users, Authentication, and VPN Certificates
Authentication Process and Options . . . . . . . . . . . . . . . . . . . . . . . . . . . .343
Configure Authentication Domains, Groups, and Users. . . . . . . . . . . . . .345
Login Portals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345
Active Directories and LDAP Configurations . . . . . . . . . . . . . . . . . . . .349
Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .353
Configure Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Set User Login Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365
Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . . 369
DC Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370
Configure RADIUS VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Configure Global User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
View and Log Out Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .378
Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . .381
VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Manage CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382
Manage Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Manage the Certificate Revocation List . . . . . . . . . . . . . . . . . . . . . . . .388
Chapter 10 Network and System Management
Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389
Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390
Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
8
ProSecure Unified Threat Management (UTM) Appliance
Use QoS and Bandwidth Assignments to Shift the Traffic Mix. . . . . . .396
Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .396
System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .397
Change Passwords and Administrator and Guest Settings . . . . . . . . .397
Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .399
Use a Simple Network Management Protocol Manager. . . . . . . . . . . .401
Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .403
Update the Firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405
Update the Scan Signatures and Scan Engine Firmware . . . . . . . . . .410
Configure Date and Time Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . .412
Connect to a ReadyNAS and Configure Quarantine
Settings (UTM9S Only). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Log Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .414
Connect to a ReadyNAS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415
Configure the Quarantine Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . .416
Chapter 11 Monitoring System Access and Performance
Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419
Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . .422
Configure the Email Notification Server . . . . . . . . . . . . . . . . . . . . . . . .422
Configure and Activate System, Email, and Syslog Logs. . . . . . . . . . .423
How to Send Syslogs over a VPN Tunnel between Sites. . . . . . . . . . .427
Configure and Activate Update Failure and Attack Alerts. . . . . . . . . . .429
Configure and Activate Firewall Logs. . . . . . . . . . . . . . . . . . . . . . . . . .432
Monitor Real-Time Traffic, Security, and Statistics. . . . . . . . . . . . . . . . . .433
View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439
View the Active VPN Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .451
View the VPN Tunnel Connection Status. . . . . . . . . . . . . . . . . . . . . . .452
View the PPTP and L2TP Server Status (UTM9S Only) . . . . . . . . . . .453
View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454
View the WAN Ports Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456
View Attached Devices and the DHCP Log . . . . . . . . . . . . . . . . . . . . .457
Query the Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Query and Download Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461
Example: Use the Logs to Identify Infected Clients . . . . . . . . . . . . . . .466
Log Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466
Query the Quarantine Logs (UTM9S Only) . . . . . . . . . . . . . . . . . . . . . . .467
Query the Quarantined Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467
View and Manage the Quarantined Spam Table . . . . . . . . . . . . . . . . .470
View and Manage the Quarantined Infected Files Table . . . . . . . . . . .471
Spam Reports for End Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .472
View, Schedule, and Generate Reports. . . . . . . . . . . . . . . . . . . . . . . . . .473
Report Filtering Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .474
Use Report Templates and View Reports Onscreen . . . . . . . . . . . . . .476
Schedule, Email, and Manage Reports . . . . . . . . . . . . . . . . . . . . . . . .480
Use Diagnostics Utilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
Use the Network Diagnostic Tools
9
ProSecure Unified Threat Management (UTM) Appliance
(All UTM Models Except the UTM9S). . . . . . . . . . . . . . . . . . . . . . . . . .483
Use the Network Diagnostic Tools (UTM9S) . . . . . . . . . . . . . . . . . . . .484
Use the Real-Time Traffic Diagnostics Tool
(All UTM Models Except the UTM9S). . . . . . . . . . . . . . . . . . . . . . . . . .486
Use the Real-Time Traffic Diagnostics Tool (UTM9S) . . . . . . . . . . . . . 487
Gather Important Log Information and Generate a
Network Statistics Report (All Models) . . . . . . . . . . . . . . . . . . . . . . . . . 488
Chapter 12 Troubleshooting and Using Online Support
Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .493
Troubleshoot the Web Management Interface. . . . . . . . . . . . . . . . . . . . .493
When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . .494
Troubleshoot the ISP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .494
Troubleshoot a TCP/IP Network Using a Ping Utility . . . . . . . . . . . . . . . . 496
Test the LAN Path to Your UTM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .496
Test the Path from Your PC to a Remote Device. . . . . . . . . . . . . . . . .497
Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .498
Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Use Online Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Enable Remote Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Send Suspicious Files to NETGEAR for Analysis . . . . . . . . . . . . . . . .500
Access the Knowledge Base and Documentation . . . . . . . . . . . . . . . .501
Appendix A xDSL Module for the UTM9S
xDSL Module Configuration Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .502
Configure the xDSL Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .503
Automatically Detecting and Connecting the Internet Connection. . . . . . 505
Set the UTM’s MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Manually Configure the Internet Connection . . . . . . . . . . . . . . . . . . . . . .508
Configure the WAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .512
Configure Network Address Translation. . . . . . . . . . . . . . . . . . . . . . . . 513
Configure Classical Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Configure Auto-Rollover Mode and the Failure Detection Method. . . .514
Configure Load Balancing and Optional Protocol Binding . . . . . . . . . .517
Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .523
Configure Advanced WAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . .526
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . .528
Appendix B Wireless Module for the UTM9S
Overview of the Wireless Module. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .529
Configuration Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .530
Wireless Equipment Placement and Range Guidelines. . . . . . . . . . . .530
10
ProSecure Unified Threat Management (UTM) Appliance
Configure the Basic Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531
Operating Frequency (Channel) Guidelines. . . . . . . . . . . . . . . . . . . . .534
Wireless Data Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534
Wireless Security Profile. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .536
Before You Change the SSID, WEP, and WPA Settings. . . . . . . . . . .537
Configure and Enable Wireless Security Profiles. . . . . . . . . . . . . . . . .538
Configure the Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .542
Restrict Wireless Access by MAC Address . . . . . . . . . . . . . . . . . . . . .545
View the Access Point Status and Connected Clients . . . . . . . . . . . . .546
Configure a Wireless Distribution System . . . . . . . . . . . . . . . . . . . . . . . .548
Configure Advanced Radio Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . .549
Configure Advanced Profile and WMM QoS Priority Settings . . . . . . . . .551
Advanced Profile Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
WMM QoS Priority Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .553
Test Basic Wireless Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .554
Appendix C Network Planning for Dual WAN Ports
(Multiple WAN Port Models Only)
What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .556
Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . .557
Computer Network Configuration Requirements . . . . . . . . . . . . . . . . .558
Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . .558
Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .560
Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .561
Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .562
Inbound Traffic to a Dual WAN Port System . . . . . . . . . . . . . . . . . . . .562
Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .563
VPN Road Warrior (Client-to-Gateway) . . . . . . . . . . . . . . . . . . . . . . . .564
VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .567
VPN Telecommuter (Client-to-Gateway through a NAT Router) . . . . .569
Appendix D ReadyNAS Integration
Supported ReadyNAS Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .572
Install the UTM9S Add-On on the ReadyNAS . . . . . . . . . . . . . . . . . . . . .573
Connect to the ReadyNAS on the UTM9S . . . . . . . . . . . . . . . . . . . . . . . .575
Appendix E Two-Factor Authentication
Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .578
What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . .578
What Is Two-Factor Authentication?. . . . . . . . . . . . . . . . . . . . . . . . . . .579
NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . .579
Appendix F System Logs and Error Messages
System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
11
ProSecure Unified Threat Management (UTM) Appliance
Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
Service Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .583
NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Login/Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .584
Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .585
Traffic Metering Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589
Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .589
Invalid Packet Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .590
Content-Filtering and Security Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
Web Filtering and Content-Filtering Logs. . . . . . . . . . . . . . . . . . . . . . .592
Spam Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
Traffic Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
Virus Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .595
Email Filter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .595
IPS Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Port Scan Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Application Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .596
Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
LAN-to-WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
LAN-to-DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
DMZ-to-WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .597
WAN-to-LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
DMZ-to-LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .598
WAN-to-DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 598
Appendix G Default Settings and Technical Specifications
Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .599
Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .601
Appendix H Notification of Compliance (Wired)
Appendix I Notification of Compliance (Wireless)
Index
12
1. Introduction
This chapter provides an overview of the features and capabilities of the NETGEAR
ProSecure™ Unified Threat Management (UTM) Appliance. This chapter contains the following
sections:
• What Is the ProSecure Unified Threat Management (UTM) Appliance?
• Key Features and Capabilities
• Service Registration Card with License Keys
• Package Contents
• Hardware Features
• Choose a Location for the UTM
Note: For more information about the topics covered in this manual, visit
the NETGEAR support website at http://support.netgear.com.
1
What Is the ProSecure Unified Threat Management (UTM) Appliance?
The ProSecure Unified Threat Management (UTM) Appliance, hereafter referred to as the
UTM, connects your local area network (LAN) to the Internet through one or two external
broadband access devices such as cable modems, DSL modems, satellite dishes, or
wireless ISP radio antennas, or a combination of those. Dual wide area network (WAN) port s
allow you to increase the effective data rate to the Internet by utilizing both WAN ports to
carry session traffic, or to maintain a backup connection in case of failure of your primary
Internet connection.
As a complete security solution, the UTM combines a powerful, fle xible firewall with a content
scan engine that uses NETGEAR Stream Scan ning technology to protect your network from
denial of service (DoS) attacks, unwanted traffic, traffic with objectionable content, spam,
phishing, and web-borne threats such as spyware, viruses, and other malware threats.
13
ProSecure Unified Threat Management (UTM) Appliance
The UTM provides advanced IPSec and SSL VPN technologies for secure and simple
remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures extremely
high data transfer speeds.
The UTM is a plug-and-play device that can be installed and configured within minutes.
Key Features and Capabilities
The UTM provides the following key features and capabilities:
• For the single WAN port models, a single 10/100/1000 Mbps Gigabit Ethernet WAN port.
For the multiple WAN port models, dual or quad 10/100/1000 Mbps Gigabit Ethernet
WAN ports for load balancing or failover protection of your Internet connection, providing
increased system reliability or increased data rate.
• Built-in four- or six-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast
data transfer between local network resources.
• Wireless module (UTM9S only) for either 2.4-GHz or 5-GHz wireless modes.
• xDLS module (UTM9S only) for ADSL and VDSL.
• Advanced IPSec VPN and SSL VPN support.
• Depending on the model, bundled with a one-user license of the NETGEAR ProSafe VPN
Client software (VPN01L).
• Advanced Stateful Packet Inspection (SPI) firewall with multi-NAT support.
• Patent-pending Strea m Scanning technology that enables scanning of real-time pro tocols
such as HTTP.
• Comprehensive web and email security, covering six major network protocols: HTTP,
HTTPS, FTP, SMTP, POP3, and IMAP.
• Malware database containing hundreds of thousands of signatures of spyware, viruses,
and other malware threats.
• Very frequently updated malware signatures, hourly if required. The UTM can
automatically check for new malware signatures as frequently as every 15 minutes.
• Multiple antispam technologies to provide extensive protection against unwanted mail.
• Easy, web-based wizard setup for installation and management.
• SNMP manageable.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.
Introduction
14
ProSecure Unified Threat Management (UTM) Appliance
Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing
The UTM product line offers models with two broadband WAN ports. The second WAN port
allows you to connect a second broadband Internet line that can be configured on a mutually
exclusive basis to:
• Provide backup and rollover if one line is inoperable, ensuring that you are never
disconnected.
• Load balance, or use both Internet lines simultaneously for outgoing traffic. A UTM with
dual WAN port s balances users between the two line s f or maximum bandwidth efficiency.
See Appendix C, Network Planning for Dual WAN Port s (Multiple W AN Port Models Only) for
the planning factors to consider when implementing the following capabilities with dual WAN
port gateways:
• Single or multiple exposed hosts
• Virtual private networks
Wireless Features
Wireless client connections are supported on the UTM9S with a UTM9SWLSN wireless
module installed. The UTM9S supports the following wireless features:
• 2.4-GHz radio and 5-GHz radio. Either 2.4-GHz band support with 802.11b/g/n/ wireless
modes or 5-GHz band support with 802.11a/n wireless modes.
• WMM QoS priority . Wi-Fi Mult imedia (WMM) Quality of Service (QoS) priority settings to
map one of four queues to each Differentiated Services Code Point (DSCP) value.
• Wireless Distribution System (WDS). WDS enables expansion of a wireless network
through two or more access points that are interconnected.
• Access control. The Media Access Control (MAC) address filtering feature can ensure
that only trusted wireless stations can use the UTM to gain access to your LAN.
• Hidden mode. The SSID is not broadcast, assuring that only clients configured with the
correct SSID can connect.
• Secure and economical operation. Adjustable power output allows more secure or
economical operation.
DSL Features
DSL is supported on the UTM9S with a UTM9SDSL xDSL module installed. The UTM9S
automatically detects the following types of DSL connections:
• ADSL, ADSL2, and ADLS2+
• VDSL and VDSL2
Annex A, Annex B, and Annex M are supported to accommodate PPPoE, PPPoA, and IPoA
ISP connections.
Introduction
15
ProSecure Unified Threat Management (UTM) Appliance
Advanced VPN Support for Both IPSec and SSL
The UTM supports IPSec and SSL virtual private network (VPN) connections.
• IPSec VPN delivers full network access between a central office and branch offices, or
between a central office and telecommuters. Remote access by telecommuters requires
the installation of VPN client software on the remote computer.
- IPSec VPN with broad protocol support for secure connection to other IPSec
gateways and clients.
- Depending on the model, bundled with a one-user license of the NETGEAR ProSafe
VPN Client software (VPN01L).
• SSL VPN provides remote access for mobile users to selected corporate resources
without requiring a preinstalled VPN client on their computers.
- Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for
e-commerce transactions, to provide client-free access with customizable user portals
and support for a wide variety of user repositories.
- Allows browser-based, platform-independent remote access through a number of
popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple
Safari.
- Provides granular access to corporate resources based on user type or group
membership.
A Powerful, True Firewall
Unlike simple NAT routers, the UTM is a true firewall, using Stateful Packet Inspection (SPI)
to defend against hacker attacks. Its firewall features have the following capabilities:
• DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such
as Ping of Death and SYN flood.
• Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
• Schedule policies. Permits scheduling of firewall policies by day and time.
• Logs security incidents. Logs security events such as blocked incoming traffic, port
scans, attacks, and administrator logins. You can configure the firewall to email the log to
you at specified intervals. You can also configure the firewall to send immediate alert
messages to your email address or email pager whenever a significant event occurs.
Stream Scanning for Content Filtering
Stream Scanning is based on the simple observation that network traffic travels in streams.
The UTM scan engine starts receiving and analyzing traf fic as the stream enters the network.
As soon as a number of bytes are available, scanning starts. The scan engine continues to
scan more bytes as they become available, while at the same time another thread starts to
deliver the bytes that have been scanned.
Introduction
16
ProSecure Unified Threat Management (UTM) Appliance
This multithreaded approach, in which the receiving, scanning, and delivering processes
occur concurrently, ensures that network performance remains unimpeded. The result is that
file scanning is up to five times faster than with traditional antivirus solutions—a performance
advantage that you will notice.
Stream Scanning also enables organizations to withstand massive spikes in traffic, as in the
event of a malware outbreak. The scan engine has the following capabilities:
• Real-time protection. The patent-pending Stream Scanning technology enables
scanning of previously undefended real-time protocols, such as HTTP. Network a ctivities
susceptible to latency (for example, web browsing) are no longer brought to a standstill.
• Comprehensive protection. Provides both web and email security, covering six major
network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP. The UTM uses
enterprise-class scan engines employing both signature-based and distributed spam
analysis to stop both known and unknown threats. The malware database contains
hundreds of thousands of signatures of spyware, viruses, and other malware.
• Objectionable traffic protection. The UTM prevents objectionable content from
reaching your computers. You can control access to the Internet content by screening for
web services, web addresses, and keywords within web addresses. You can log and
report attempts to access objectionable Internet sites.
• Automatic signature updates. Malware signatures are updated as frequently as every
hour, a nd the UTM can check automatically for new signatures as frequently as every 15
minutes.
Security Features
The UTM is equipped with several features designed to maintain security:
• PCs hidden by NAT . NAT opens a temporary path to the Internet for requests originating
from the local network. Requests originating from outside the LAN are discarded,
preventing users outside the LAN from finding and directly accessing the computers on
the LAN.
• Port forwarding with NAT. Although NAT prevents Internet locations from directly
accessing the PCs on the LAN, the UTM allows you to direct incoming traffic to specific
PCs based on the service port number of the incoming request. You can specify
forwarding of single ports or ranges of ports.
• DMZ port. Incoming traffic from the Internet is usually discarded by the UTM unless the
traffic is a response to one of your local computers or a service for which you have
configured an inbound rule. Instead of discarding this traffic, you can use the dedicated
demilitarized zone (DMZ) port to forward the traffic to one PC on your network.
Autosensing Ethernet Connections with Auto Uplink
With its internal four- or six-port 10/100/1000 Mbps switch and single or dual
(model-dependant) 10/100/1000 WAN ports, the UTM can connect to either a 10 Mbps
standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit
Introduction
17
ProSecure Unified Threat Management (UTM) Appliance
Ethernet network. The four LAN and one or two WAN interface s are autosensing and capable
of full-duplex or half-duplex operation.
TM
The UTM incorporates Auto Uplink
whether the Ethernet cable plugged into the port should have a normal connection such as to
a PC or an uplink connection such as to a switch or hub. That port then configures itself
correctly. This feature eliminates the need for you to think about crossover cables, as Auto
Uplink accommodates either type of cable to make the right connection.
technology. Each Ethernet port automatically senses
Extensive Protocol Support
The UTM supports the Transmissio n Control Protocol/Internet Protocol (TCP/IP) and Routing
Information Protocol (RIP). For further information about TCP/IP, see Internet Configuration
Requirements on page 558. The UTM provides the following protocol support:
• IP address sharing by NAT. The UTM allows many networked PCs to share an Internet
account using only a single IP address, which might be statically or dynamically assigned
by your Internet service provider (ISP). This technique, known as Network Address
Translation (NAT), allows the use of an inexpensive single-user ISP account.
• Automatic configuration of attached PCs by DHCP. The UTM dynamically assigns
network configuration information, including IP, gateway, and Domain Name Server
(DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration
Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local
network.
• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall
provides its own address as a DNS server to the attached PCs. The firewall obtains
actual DNS addresses from the ISP during connection setup and forwards DNS requests
from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the
Internet over a DSL connection by simulating a dial-up connection.
• Quality of Service (QoS). The UTM supports QoS, including traffic prioritization and
traffic classification with Type of Service (ToS) and Differentiated Services Code Point
(DSCP) marking.
Easy Installation and Management
You can install, configure, and operate the UTM within minutes after connecting it to the
network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily
configure the UTM from almost any type of operating system, such as Windows,
Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help
documentation is built into the browser-based web management interface.
• Autodetection of ISP. The UTM automatically senses the type of Internet connection,
asking you only for the information required for your type of ISP account.
Introduction
18
ProSecure Unified Threat Management (UTM) Appliance
• IPSec VPN Wizard. The UTM includes the NETGEAR IPSec VPN Wizard so you can
easily configure IPSec VPN tunnels according to the recommendations of the Virtual
Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are
interoperable with other VPNC-compliant VPN routers and clients.
• SSL VPN Wizard. The UTM includes the NETGEAR SSL VPN Wizard so you can easily
configure SSL connections over VPN according to the recommendations of the VPNC.
This ensures that the SSL connections are interoperable with other VPNC-compliant
VPN routers and clients.
• SNMP. The UTM supports the Simple Network Management Protocol (SNMP) to let you
monitor and manage log resources from an SNMP-compliant system manager. The
SNMP system configuration lets you change the system variables for MIB2.
• Diagnostic functions. The UTM incorporates built-in diagnostic functions such as ping,
traceroute, DNS lookup, and remote reboot.
• Remote management. The UTM allows you to log in to the web management interface
from a remote location on the Internet. For security, you can limit remote management
access to a specified remote IP address or range of addresses.
• Visual monitoring. The UTM’s front panel LEDs provide an easy way to monitor its
status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the UTM:
• Flash memory for firmware upgrades.
• Technical support seven days a week, 24 hours a day. Information about support is
available on the NETGEAR ProSecure website at
http://prosecure.netgear.com/support/index.php.
Model Comparison
The following table compares the UTM models to show the differences. For performance
specifications and sizing guidelines, see NETGEAR’s marketing documentation at
http://prosecure.netgear.com.
Ta bl e 1. Differences between the UTM models
Feature UTM5 UTM9S UTM10 UTM25 UTM50 UTM150
IPSec VPN tunnels
Number of supported site-to-site
IPSec VPN tunnels (from which the
model derives its model number,
with the exception of the UTM9S)
5 10102550150
Hardware
LAN ports (Gigabit RJ-45) 4 4 4 4 6 4
Introduction
19
ProSecure Unified Threat Management (UTM) Appliance
Table 1. Differences between the UTM models (continued)
Feature UTM5 UTM9S UTM10 UTM25 UTM50 UTM150
WAN ports (Gigabit RJ-45) 1 2 1 2 2 4
DMZ interfaces (configurable) 1 1 1 1 1 1
USB ports 111111
Console ports (RS232) 1 1 1 1 1 1
Flash memory
RAM
Modules
xDSL module with RJ11 port No Yes No No No No
Wireless module No Yes No No No No
Deployment
VLAN support Yes Yes Yes Yes Yes Yes
Dual WAN auto-rollover mode No Yes No Yes Yes Y es
Dual WAN load balancing mode No Yes No Yes Yes Yes
Single WAN mode Yes Yes Yes Yes Yes Yes
2 GB
512 MB
2 GB
512 MB
2 GB
512 MB
2 GB
1 GB
2 GB
1 GB
Service Registration Card with License Keys
Be sure to store the license key card that came with your UTM (see a sample card in the
following figure) in a secure location. If you do not use electronic licensing (see Electronic
Licensing on page 64), you need these service license keys to activate your product during
the initial setup.
2 GB
1 GB
Introduction
20
ProSecure Unified Threat Management (UTM) Appliance
Figure 1.
Note: When you reset the UTM to the original factory default settings after
you have entered the license keys to activate the UTM (see Register
the UTM with NETGEAR on page 62), the license keys are erased.
The license keys and the different types of licenses that are
available for the UTM are no longer displayed on the Registration
screen. However , after you have reconfigured the UTM to connect to
the Internet and to the NETGEAR registration server, the UTM
retrieves and restores all registration information based on its MAC
address and hardware serial number . You do not need to reenter the
license keys and reactivate the UTM.
Package Contents
The UTM product package contains the following items:
• ProSecure Unified Threat Management (UTM) Appliance
• One AC power cable
• Rubber feet (4)
• One rack-mounting kit (depends on UTM model)
• ProSecure Unified Threat Management UTM Installation Guide
Introduction
21
ProSecure Unified Threat Management (UTM) Appliance
• Resource CD, including:
- Application Notes and other helpful information
- ProSafe VPN Client software (VPN01L) (depends on the UTM model)
• Service Registration Card with license key(s)
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep
the carton, including the original packing materials, in case you need to return the product for
repair.
Hardware Features
The front panel ports and LEDs, rear panel ports, and bottom labels of the UTM models are
described in the following sections:
• Front Panel UTM5 and UTM10
• Front Panel UTM25
• Front Panel UTM50
• Front Panel UTM150
• Front Panel UTM9S and Modules
• LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150
• LED Descriptions, UTM9S and Modules
• Rear Panel UTM5, UTM10, and UTM25
• Rear Panel UTM50 and UTM150
• Rear Panel UTM9S
• Bottom Panels with Product Labels
Front Panel UTM5 and UTM10
Viewed from left to right, the UTM5 and UTM10 front panel contains the following ports:
• One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM.
• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
• WAN Ethernet port. One independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of status indicator light-emitting diodes (LEDs),
including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in
detail in Table 2 on page 27. In addition, the front panel provides some LED explanation to
the left of the LAN ports.
Introduction
22
ProSecure Unified Threat Management (UTM) Appliance
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LED
Right WAN LED
USB port
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active
WAN
USB port
LEDs
Figure 2. Front panel UTM5 and UTM10
Front Panel UTM25
Viewed from left to right, the UTM25 front panel contains the following ports:
• One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM.
• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
• WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three group s of status indicator LEDs, including Power and Test
LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in the Table 2 on
page 27. In addition, the front panel provides some LED explanation to the left of the LAN
ports.
Figure 3. Front panel UTM25
Introduction
23
ProSecure Unified Threat Management (UTM) Appliance
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active
WAN
USB port
LEDs
Front Panel UTM50
Viewed from left to right, the UTM front panel contains the following ports (see the following
figure, which shows a multiple WAN port model, the UTM25):
• One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM.
• LAN Ethernet ports. Six switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
• WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of st atus indicator LEDs, including Powe r and Test
LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in Table 2 on page 27.
In addition, the front panel provides some LED explanation to the right of the WAN ports.
Figure 4. Front panel UTM50
Front Panel UTM150
Viewed from left to right, the UTM150 front panel contains the following ports:
• One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM.
• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
• WAN Ethernet ports. Four independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three groups of st atus indicator LEDs, including Powe r and Test
LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail inTable 2 on page 27.
In addition, the front panel provides some LED explanation to the right of the WAN ports.
Introduction
24
ProSecure Unified Threat Management (UTM) Appliance
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active WAN LEDs
USB port
Figure 5. Front panel UTM150
Front Panel UTM9S and Modules
Viewed from left to right, the UTM9S front panel contains the following ports and slots:
• One nonfunctioning USB port. This port is included for future management
enhancements. The port is currently not operable on the UTM9S.
• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
• WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The front panel also contains three group s of status indicator LEDs, including Power and Test
LEDs, LAN LEDs, and WAN LEDs, all of which are explained in d et a il in Table 3 on page 28.
Some LED explanation is provided on the front panel below the LAN and WAN ports.
Introduction
25
ProSecure Unified Threat Management (UTM) Appliance
Power LED
Test LED
Left LAN LEDs
Right LAN LEDs
DMZ LED
Left WAN LEDs
Right WAN LEDs
Active WAN LEDs
USB port
USB LED
Slot 1
Slot 2
Figure 6. Front panel UTM9S
UTM9SDSL xDSL Module
The following xDSL modules are available for insertion in one of the UTM9S slots:
• UTM9SDSLA. VDSL/ADSL2+ module, Annex A.
• UTM9SDSLB. VDSL/ADSL2+ module, Annex B.
The xDLS module provides one RJ-11 port for connection to a telephone line. The two LEDs
are explained in Table 3 on page 28.
Figure 7. UTM9SDSL xDSL module
UTM9SWLSN Wireless Module
The wireless module (UTM9SWLSN) can be inserted in one of the UTM9S slots. The
wireless module does not provide any ports. The antennas are detachable. The t wo LEDs are
explained in Table 3 on page 28.
Introduction
26
ProSecure Unified Threat Management (UTM) Appliance
Figure 8. UTM9SWLSN wireless module
LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150
The following table describes the function of each LED.
Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150
LED Activity Description
Power LED On (green) Power is supplied to the UTM.
Off Power is not supplied to the UTM.
Test LED On (amber) during
startup
On (amber) during
any other time
Blinking (amber) The UTM is writing to flash memory (during upgrading or resetting to
Off The UTM has booted successfully.
Test mode. The UTM is initializing. After approximately 2 minutes, when the
UTM has completed its initialization, the Test LED goes off.
The initialization has failed, or a hardware failure has occurred.
defaults).
Introduction
27
ProSecure Unified Threat Management (UTM) Appliance
Table 2. LED descriptions UTM5, UTM10, UTM25, UTM50, and UTM150 (continued)
LED Activity Description
LAN ports
Left LED Off The LAN port has no link.
On (green) The LAN port has detected a link with a connected Ethernet device.
Blinking (green) Data is being transmitted or received by the LAN port.
Right LED Off The LAN port is operating at 10 Mbps.
On (amber) The LAN port is operating at 100 Mbps.
On (green) The LAN port is operating at 1000 Mbps.
DMZ LED Off Port 4 (UTM5, UTM9S, UTM10, UTM25, and UTM150) or port 6 (UTM50) is
operating as a normal LAN port.
On (green) Port 4 (UTM5, UTM9S, UTM10, UTM25, and UTM150) or port 6 (UTM50) is
operating as a dedicated hardware DMZ port.
WAN ports
Left LED Off The WAN port has no physical link, that is, no Ethernet cable is plugged into
the UTM.
On (green) The WAN port has a valid connection with a device that provides an Internet
connection.
Blinking (green) Data is being transmitted or received by the WAN port.
Right LED Off The WAN port is operating at 10 Mbps.
On (amber) The WAN port is operating at 100 Mbps.
On (green) The WAN port is operating at 1000 Mbps.
Active LED
(multiple
WAN port
models only)
Off The WAN port either is not enabled or has no link to the Internet.
On (green) The WAN port has a valid Internet connection.
LED Descriptions, UTM9S and Modules
The following table describes the function of each LED on the UTM9S and the modules.
Table 3. LED descriptions UTM9S
LED Activity Description
Power LED On (green) Power is supplied to the UTM.
Off Power is not supplied to the UTM.
Introduction
28
ProSecure Unified Threat Management (UTM) Appliance
Table 3. LED descriptions UTM9S (continued)
LED Activity Description
Test LED On (amber) during
startup
On (amber) during
any other time
Blinking (amber) The UTM is writing to flash memory (during upgrading or resetting to
Off The UTM has booted successfully.
USB LED Nonfunctioning The USB port is currently not operable on the UTM9S.
LAN ports
Left LED Off The LAN port ha s no link.
On (green) The LAN port has detected a link with a connected Ethernet device.
Blinking (green) Data is being transmitted or received by the LAN port.
Right LED Off The LAN port is operating at 10 Mbps.
On (amber) The LAN port is operating at 100 Mbps.
On (green) The LAN port is operating at 1000 Mbps.
DMZ LED Off Port 4 is operating as a normal LAN port.
Test mode. The UTM is initializing. After approximately 2 minutes, when the
UTM has completed its initialization, the Test LED goes off.
The initialization has failed, or a hardware failure has occurred.
defaults).
On (green) Port 4 is operating as a dedicated hardware DMZ port.
WAN ports
Left LED Off The WAN port has no physical link, that is, no Ethernet cable is plugged into
the UTM.
On (green) The WAN port has a valid connection with a device that provides an Internet
connection.
Blinking (green) Data is being transmitted or received by the WAN port.
Right LED Off The WAN port is operating at 10 Mbps.
On (amber) The WAN port is operating at 100 Mbps.
On (green) The WAN port is operating at 1000 Mbps.
Active LED Off The WAN port either is not enabled or has no link to the Internet.
On (green) The WA N port has a valid Internet connection.
Wireless module
Module
Status LED
Off The module is not enabled.
On (green) The module is enabled.
Introduction
29
ProSecure Unified Threat Management (UTM) Appliance
Security lock
receptacle
Console port
Factory Defaults
AC power
receptacle
reset button
Table 3. LED descriptions UTM9S (continued)
LED Activity Description
Wireless
Link LED
xDSL module
Module
Stat us LED
Link LED Off The xDLS port has no Internet connection.
Off The wireless access point is not enabled.
On (green) The wireless access point is enabled in 2.4-GHz operating mode.
Blinking (green) There is wireless activity in 2.4-GHz operating mode.
On (yellow) The wireless access point is enabled in 5-GHz operating mode.
Blinking (yellow) There is wireless activity in 5-GHz operating mode.
Off The module is enabled or has a link the the telephone line.
On (green) The module either is not enabled or has no link to the telephone line.
On (green) The xDSL port functions in ADSL mode.
On (yellow) The xDSL port functions in VDSL mode.
Rear Panel UTM5, UTM10, and UTM25
The rear panel of the UTM includes a cable lock receptacle, a console port, a factory default
Reset button, and an AC power connection.
Figure 9. Rear panel of the UTM5, UTM10, and UTM25
Viewed from left to right, the rear panel of the UTM5, UTM10, and UTM25 contains the
following components:
1. Cable security lock receptacle.
2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male
connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd.
3. Factory default Reset button. Using a sharp object, press and ho ld this button for about
8 seconds until the front panel Test LED flashes to re se t the UT M to f actory d efault settings.
Configuration changes are lost, and the default password is restored.
4. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).
Introduction
30
ProSecure Unified Threat Management (UTM) Appliance
Security lock
receptacle
Console port
Factory Defaults
AC power
receptacle
reset button
Security lock
receptacle
Console port
Factory Defaults
AC power
receptacle
reset button
Console switch
Power
switch
Rear Panel UTM50 and UTM150
The rear panel of the UTM includes a cable lock receptacle, a console port, a factory default
Reset button, and an AC power connection.
Figure 10. Rear panel of the UTM50 and UTM150
Viewed from left to right, the rear panel of the UTM50 and UTM150 contains the following
components:
1. Console port. Port for connecting to an optional console terminal. The port has a DB9
male connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5) and
(7) Gnd.
2. Factory default Reset button. Using a sharp object, press and hold this button for about
8 seconds until the front panel Test LED flashes to reset the UTM to factory default settings.
Configuration changes are lost, and the default password is restored.
3. Cable security lock receptacle.
4. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).
Rear Panel UTM9S
Figure 11. Rear panel of the UTM9S
Introduction
31
ProSecure Unified Threat Management (UTM) Appliance
Viewed from left to right, the rear panel of the UTM9S contains the following components:
1. Cable security lock receptacle.
2. Factory default Reset button. Using a sharp object, press and ho ld this button for about
8 seconds until the front panel Test LED flashes to re se t the UT M to f actory d efault settings.
Configuration changes are lost, and the default password is restored.
3. Console switch to select the console connection: Main Board (left position), Slot 1 (middle
position), or Slot 2 (right position).
4. Console port (9600,N,8,1). Port for connecting to an optional console terminal. The port has
a DB9 male connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5)
and (7) Gnd.
5. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).
6. Power On/Off switch.
Bottom Panels with Product Labels
The product label on the bottom of the UTM’s enclosure displays factory defaults settings,
regulatory compliance, and other information.
The following figure shows the product label for the UTM5:
Figure 12.
Introduction
32
ProSecure Unified Threat Management (UTM) Appliance
The following figure shows the product label for the UTM10:
Figure 13.
The following figure shows the product label for the UTM25:
Figure 14.
Introduction
33
ProSecure Unified Threat Management (UTM) Appliance
The following figure shows the product label for the UTM50:
Figure 15.
The following figure shows the product label for the UTM150:
Figure 16.
Introduction
34
ProSecure Unified Threat Management (UTM) Appliance
The following figure shows the product label for the UTM9S:
Figure 17.
Choose a Location for the UTM
The UTM is suitable for use in an office environment where it can be freestanding (on its
runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can
rack-mount the UTM in a wiring closet or equipment room. A rack-mounting kit, containing
two mounting brackets and four screws, is provided in th e p ackage for the multiple WAN port
models.
Consider the following when deciding where to position the UTM:
• The unit is accessible, and cables can be connected easily.
• Cabling is away from sources of electrical noise. These include lift shafts, microwave
ovens, and air-conditioning units.
• Water or moisture cannot enter the case of the unit.
• Airflow around the unit and through the vents in the side of the case is not restricted.
Provide a minimum of 25 mm or 1 inch clearance.
• The air is as free of dust as possible.
• Temperature operating limits are not likely to be exceeded. Install the unit in a clean,
air-conditioned environment. For information about the recommended operating
temperatures for the UTM, see Appendix G, Default Settings and Technical
Specifications.
Note: For the UTM9S, see also Wireless Equipment Placement and
Range Guidelines on page 530.
Introduction
35
ProSecure Unified Threat Management (UTM) Appliance
Use the Rack-Mounting Kit
Use the mounting kit for the UTM to install the appliance in a rack. (A mounting kit is provided
in the package for the multiple WAN port models.) Attach the mounting brackets using the
hardware that is supplied with the mounting kit.
Figure 18.
Before mounting the UTM in a rack, verify that:
• You have the correct screws (supplied with the installation kit).
• The rack onto which you will mount the UTM is suitably located.
Introduction
36
2. Using the Setup Wizard to Provision the
UTM in Your Network
This chapter explains how to log in to the UTM and use the web management interface, how to
use the Setup Wizard to provision the UTM in your network, and how to register the UTM with
NETGEAR. The chapter contains the following sections:
• Steps for Initial Connection
• Log In to the UTM
• Use the Setup Wizard to Perform the Initial Configuration
• Verify Correct Installation
• Register the UTM with NETGEAR
• What to Do Next
2
Steps for Initial Connection
Typically, the UTM is installed as a network gateway to function as a combined LAN switch,
firewall, and content scan engine to protect the network from all incoming and outgoing
malware threats.
Generally, five steps are required to complete the basic and security configuration of your
UTM:
1. Connect the UTM physically to your network. Connect the cables and restart your
network according to the instructions in the Installation Guide. See the ProSecure
Unified Threat Management UTM Installation Guide for complete steps. A PDF of the
Installation Guide is on the NETGEAR website at
http://www.prosecure.netgear.com/resources/document-library.php.
2. Log in to the UTM. After logging in, you are ready to se t up and configure your UTM. See
Log In to the UTM on page 38.
3. Use the Setup Wizard to configure basic connections an d security. During this phase,
you connect the UTM to one or more ISPs (more than one ISP applies to multiple WAN port
models only). See Use the Setup Wizard to Perform the Initial Configuration on page 42.
4. Verify the installation. See Verify Correct Installation on page 61.
5. Register the UT M. See Register the UTM with NETGEAR on page 62.
37
ProSecure Unified Threat Management (UTM) Appliance
Each of these tasks is described separately in this chapter. The configuration of the WAN
mode (required for multiple WAN port models), Dynamic DNS, and other WAN options is
described in Chapter 3, Manually Configuring Internet and WAN Settings.
The configuration of LAN, firewall, scanning, VPN, management, and monitoring features is
described in later chapters.
Qualified Web Browsers
To configure the UTM, you need to use a web browser such as Microsoft Internet Explorer 6
or later, Mo zilla Firefox 3 or later, or Apple Safari 3 or later with JavaScript, cookies, and SSL
enabled.
Although these web browsers are qualified for use with the UTM’s web management
interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies,
SSL, and ActiveX to take advantage of the full suite of applicatio ns. Note that Java is required
only for the SSL VPN portal, not for the web management interface.
Requirements for Entering IP Addresses
The fourth octet of an IP address needs to be between 1 and 254 (both inclusive). This
requirement applies to any IP address that you enter on a screen of the web management
interface.
Log In to the UTM
To connect to the UTM, your computer needs to be configured to obtain an IP address
automatically from the UTM through DHCP.
To connect and log in to the UTM:
1. Start any of the qualified web browsers, as explained in the previous section, Qualified
Web Browsers.
2. In the address field, enter https://192.168.1.1. The NETGEAR Configuration Manager Login
screen displays in the browser. (The following figure shows the screen for the UTM50.) This
screen also provides the User Portal Login Link. For general information about the User
Portal Login Link, see Access the New SSL Portal Login Screen on page 320; for
platform-specific information, see Login Portals on page 345.
Note: The UTM factory default IP address is 192.168.1.1. If you change
the IP address, you need to use the IP address that you assigned to
the UTM to log in to the UTM.
Using the Setup Wizard to Provision the UTM in Y our Network
38
ProSecure Unified Threat Management (UTM) Appliance
Figure 19.
3. In the User Name field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here, too, use lowercase letters.
Note: The UTM user name and password are not the same as any user
name or password you might use to log in to your Internet
connection.
5. Click Login. The web management interface displays, showing the System Status screen.
The following figure shows the top part of the UTM50 System Status screen. Fo r more
information, see View the System Status on page43 9.
Note: After 5 minutes of inactivity (the default login time-out), you are
automatically logged out.
Using the Setup Wizard to Provision the UTM in Y our Network
39
ProSecure Unified Threat Management (UTM) Appliance
1st level: Main navigation menu link (orange)
2nd level: Configuration menu link (gray)
3rd level: Submenu tab (blue)
Option arrow: Additional screen for submenu item
Figure 20.
Web Management Interface Menu Layout
The following figure shows the menu at the top the UTM50 web management interface as an
example.
Figure 21.
Using the Setup Wizard to Provision the UTM in Y our Network
40
ProSecure Unified Threat Management (UTM) Appliance
The web management interface menu consists of the following components:
• 1st level: Main navigation menu links. The main navigation menu in the orange bar
across the top of the web management interface provides access to all the configuration
functions of the UTM, and remains constant. When you select a main navigation menu
link, the letters are displayed in white against an orange background.
• 2nd level: Configuration menu links. The configuration menu links in the gray bar
(immediately below the main navigation menu bar) change according to the main
navigation menu link that you select. When you select a configuration menu link, the
letters are displayed in white against a gray background.
• 3rd level: Submenu tabs. Each configuration menu ite m has one or more sub menu tabs
that are listed below the gray menu bar. When you select a submenu tab, the text is
displayed in white against a blue background.
• Option arrows. If there are additional screens for the submenu item, links to the screens
display on the right side in blue letters against a white background, preceded by a white
arrow in a blue circle.
The bottom of each screen provides action buttons. The nature of the screen determines
which action buttons are shown. The following figure shows an example:
Figure 22.
Any of the following action buttons might display on screen (this list might not be complete):
• Apply. Save and apply the configuration.
• Reset. Cancel the changes and reset the configuration to the current values.
• Test. Test the configuration before you decide whether or not to save and apply the
configuration.
• Auto Detect. Enable the UTM to detect the configuration automatically and suggest
values for the configuration.
• Next. Go to the next screen (for wizards).
• Back. Go to the previous screen (for wizards).
• Search. Perform a search operation.
• Cancel. Cancel the operation.
• Send Now. Send a file or report.
When a screen includes a table, table buttons display to let you configure the table entries.
The nature of the screen determines which table buttons are shown. The following figure
shows an example:
Figure 23.
Using the Setup Wizard to Provision the UTM in Y our Network
41
ProSecure Unified Threat Management (UTM) Appliance
Any of the following table buttons might display on screen:
• Select All. Select all entries in the table.
• Delete. Delete the selected entry or entries from the table.
• Enable. Enable the selected entry or entries in the table.
• Disable. Disable the selected entry or entries in the table.
• Add. Add an entry to the table.
• Edit. Edit the selected entry.
• Up. Move the selected entry up in the table.
• Down. Move the selected entry down in the table.
• Apply. Apply the selected entry.
Almost all screens and sections of screens have an accompanying help screen. To open the
help screen, click the (question mark) icon.
Use the Setup Wizard to Perform the Initial Configuration
The Setup Wizard facilitates the initial configuration of the UTM by taking you through 10
screens, the last of which allows you to save the configuration. If you prefer to perform the
initial WAN setup manually, see Chapter 3, Manually Configuring Internet and WAN Settings.
To start the Setup Wizard:
1. Select Wizards from the main navigation menu. The Welcome to the Netgear
Configuration Wizard screen displays:
Figure 24.
2. Select the Setup Wizard radio button.
3. Click Next. The first Setup Wizard screen displays.
The following sections explain the 9 configuration screens of the Setup Wizard. On the 10th
screen, you can save your configuration.
The tables in the following sections explain the buttons and fields of the Setup Wizard
screens. Additional information about the settings in the Setup Wizard screens is provided in
other chapters that explain manual configuration; each of the following sections provides a
specific link to a section in another chapter.
Using the Setup Wizard to Provision the UTM in Y our Network
42
ProSecure Unified Threat Management (UTM) Appliance
Setup Wizard Step 1 of 10: LAN Settings
Figure 25.
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Note: In this first step, you are actually configuring the LAN settings for the
UTM’s default VLAN. For more information about VLANs, see
Manage Virtual LANs and DHCP Options on page 93.
Using the Setup Wizard to Provision the UTM in Y our Network
43
ProSecure Unified Threat Management (UTM) Appliance
Table 4. Setup Wizard Step 1: LAN Settings screen settings
Setting Description
LAN TCP/IP Setup
IP Address Enter the IP address of the UTM’s default VLAN (the factory default address is
192.168.1.1).
Note: Always make sure that the LAN port IP address and DMZ port IP address are in
different subnets.
Note: If you change the LAN IP address of the UTM’s default VLAN while being
connected through the browser, you are disconnected. You then need to open a new
connection to the new IP address and log in again. For example, if you change the
default IP address from 192.168.1.1 to 10.0.0.1, you now need to enter https://10.0.0.1
in your browser to reconnect to the web management interface.
Subnet Mask Enter the IP subnet mask. The subnet mask specifies the network number portion of an
IP address. The UTM automatically calculates the subnet mask based on the IP
address that you assign. Unless you are implementing subnetting, use 255.255.255.0
as the subnet mask (computed by the UTM).
DHCP
Disable DHCP Server If another device on your network is the DHCP server for the default VLAN, or if you will
manually configure the network settings of all of your computers, select the Disable
DHCP Server radio button to disable the DHCP server. By default, this radio button is
not selected, and the DHCP server is enabled.
Enable DHCP Server Select the Enable DHCP Server radio button to enable the UTM to function as a
Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration
for all computers connected to the default VLAN. Enter the following settings.
Domain Name This setting is optional. Enter the domain name of the UTM.
Starting IP
Address
Ending IP
Address
Enter the starting IP address. This address specifies the first of the
contiguous addresses in the IP address pool. Any new DHCP client
joining the LAN is assigned an IP address between this address and
the ending IP address. The IP address 192.168.1.2 is the default
starting address.
Enter the ending IP address. This address specifies the last of the
contiguous addresses in the IP address pool. Any new DHCP client
joining the LAN is assigned an IP address between the starting IP
address and this IP address. The IP address 192.168.1.100 is the
default ending address.
Note: The starting and ending DHCP IP addresses should be in the
same network as the LAN TCP/IP address of the UTM (that is, the IP
address in the LAN TCP/IP Setup section as described earlier in this
table).
Using the Setup Wizard to Provision the UTM in Y our Network
44
ProSecure Unified Threat Management (UTM) Appliance
Table 4. Setup Wizard Step 1: LAN Settings screen settings (continued)
Setting Description
Enable DHCP Server
(continued)
DHCP Relay Select the DHCP Relay radio button to use the UTM as a DHCP relay agent for a
Enable LDAP
information
Primary DNS
Server
Secondary DNS
Server
WINS Server This setting is optional. Enter a WINS server IP address to specify
Lease Time Enter a lease time. This specifies the duration for which IP addresses
DHCP server somewhere else on your network. Enter the following setting:
Relay Gateway The IP address of the DHCP server for which the UTM serves as a
Select the Enable LDAP information check box to enable the DHCP server to provide
Lightweight Directory Access Protocol (LDAP) server information. Enter the following
settings.
Note: The LDAP settings that you specify as part of the VLAN profile are used only for
SSL VPN and UTM authentication, but not for web and email security.
LDAP Server The IP address or name of the LDAP server.
This setting is optional. If an IP address is specified, the UTM
provides this address as the primary DNS server IP address. If no
address is specified, the UTM provides its own LAN IP address as
the primary DNS server IP address.
This setting is optional. If an IP address is specified, the UTM
provides this address as the secondary DNS server IP address.
the Windows NetBIOS server, if one is present in your network.
are leased to clients.
relay.
Search Base The search objects that specify the location in the directory tree from
which the LDAP search begins. You can specify multiple search
objects, separated by commas. The search objects include:
• CN (for common name)
• OU (for organizational unit)
• O (for organization)
• C (for country)
• DC (for domain)
For example, to search the Netgear.net domain for all last names of
Johnson, you would enter:
cn=Johnson,dc=Netgear,dc=net
Port The port number for the LDAP server. The default setting is 0 (zero).
DNS Proxy
Enable DNS Proxy This setting is optional. Select the Enable DNS Proxy radio button to enable the UTM
to provide a LAN IP address for DNS address name resolution. This radio button is
selected by default.
Note: When the DNS Proxy option is disabled, all DHCP clients receive the DNS IP
addresses of the ISP but without the DNS proxy IP address.
Using the Setup Wizard to Provision the UTM in Y our Network
45
ProSecure Unified Threat Management (UTM) Appliance
Table 4. Setup Wizard Step 1: LAN Settings screen settings (continued)
Setting Description
Inter VLAN Routing
Enable Inter VLAN
Routing
This setting is optional. To ensure that traffic is routed only to VLANs for which
inter-VLAN routing is enabled, select the Enable Inter VLAN Routing check box. This
setting is disabled by default. When the Enable Inter VLAN Routing check box is not
selected, traffic from this VLAN is not routed to other VLANs, and traffic from other
VLANs is not routed to this VLAN.
Note: For information about inter-VLAN firewall rules, see VLAN Rules on page 144.
After you have completed the steps in the Setup Wizard, you can make changes to the LAN
settings by selecting Network Config > LAN Settings > Edit LAN Profile. For more
information about these LAN settings, see VLAN DHCP Options on page 96.
Setup Wizard Step 2 of 10: WAN Settings
Figure 26.
Using the Setup Wizard to Provision the UTM in Y our Network
46
ProSecure Unified Threat Management (UTM) Appliance
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Note: Instead of manually entering the settings, you can also click the
Auto Detect action button at the bottom of the screen. The
autodetect process probes the WAN port for a range of connection
methods and suggests one that your ISP is most likely to support.
Table 5. Setup Wizard Step 2: WAN Settings screen settings
Setting Description
ISP Login
Does your Internet
connection require a
login?
ISP Type
What type of ISP
connection do you
use?
Austria (PPTP) If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this
If you need to enter login information every time you connect to the Internet through
your ISP, select the Yes radio button. Otherwise, select the No radio button, which is
the default setting, and skip the ISP Type section. If you select the Yes radio button,
enter the following settings.
Login The login name that your ISP has assigned to you.
Password The password that your ISP has assigned to you.
If your connection is PPPoE or PPTP, then you need to log in. Select the Yes radio
button. Based on the connection that you select, the text fields that require data entry
are highlighted. If your ISP has not assigned any login information, then select the No
radio button and skip this section. If you select the Yes radio button, enter the following
settings.
radio button and enter the following settings:
Account Name The account name is also known as the host name or system
name. Enter the valid account name for the PPTP connection
(usually your email ID assigned by your ISP). Some ISPs
require you to enter your full email address here.
Domain Name Your domain name or workgroup name assigned by your ISP,
or your ISP’s domain name. You can leave this field blank.
Idle Timeout Select the Keep Connected radio button to keep the
connection always on. To log out after the connection is idle
for a period of time, select the Idle Timeout radio button and,
in the time-out field, enter the number of minutes to wait
before disconnecting. This is useful if your ISP charges you
based on the period that you have logged in.
My IP Address The IP address assigned by the ISP to make the connection
with the ISP server.
Server IP Address The IP address of the PPTP server.
Using the Setup Wizard to Provision the UTM in Y our Network
47
ProSecure Unified Threat Management (UTM) Appliance
Table 5. Setup Wizard Step 2: WAN Settings screen settings (continued)
Setting Description
Other (PPPoE) If you have installed login sof tware such as WinPoET or Enternet, then your connection
type is PPPoE. Select this radio button and enter the following settings:
Account Name The valid account name for the PPPoE connection.
Domain Name The name of your ISP’s domain or your domain name if your
ISP has assigned one. You can leave this fie ld blank.
Idle Timeout Select the Keep Connected radio button to keep the
connection always on. To log out after the connection is idle
for a period of time, select the Idle Timeout radio button and,
in the time-out field, enter the number of minutes to wait
before disconnecting. This is useful if your ISP charges you
based on the period that you have logged in.
Note: When you use a PPPoE connection and select the Idle
Timeout radio button, you cannot configure load balancing
(see Configure Load Balancing (Multiple WAN Port Models)
on page 81). To use load balancing on a PPPoE connection,
select the Keep Connected radio button.
Connection Reset Select the Connection Reset check box to specify a time
when the PPPoE WAN connection is reset, that is, the
connection is disconnected momentarily and then
reestablished. Then, specify the disconnect time and delay.
Disconnect Time Specify the hour and minutes when the connection should be
disconnected.
Delay Specify the period in seconds after which the connection
should be reestablished.
Internet (IP) Address
Click the Current IP Address link to see the currently assigned IP address.
Get Dynamically from
ISP
If your ISP has not assigned you a static IP address, select the Get dynamically from
ISP radio button. The ISP automatically assigns an IP address to the UTM using DHCP
network protocol.
Client Identifier Select the Client Identifier check box if your ISP requires the
client identifier information to assign an IP address using
DHCP.
Vendor Class Identifier Select the Vendor Class Identifier check box if your ISP
requires the vendor class identifier information to assign an IP
address using DHCP.
Using the Setup Wizard to Provision the UTM in Y our Network
48
ProSecure Unified Threat Management (UTM) Appliance
Table 5. Setup Wizard Step 2: WAN Settings screen settings (continued)
Setting Description
Use Static IP Address If your ISP has assigned you a fixed (static or permanent) IP address, select the Use
Static IP Address radio button and enter the following settings.
IP Address The static IP address assigned to you. This address identifies
the UTM to your ISP.
Subnet Mask The subnet mask, which is usually provided by your ISP.
Gateway IP Address The IP address of the ISP’s gateway, which is usually
provided by your ISP.
Domain Name Server (DNS) Servers
Get Automatically from
ISP
Use These DNS
Servers
If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the
Get Automatically from ISP radio button.
If your ISP has assigned DNS addresses to you, select the Use these DNS Servers
radio button. Make sure that you fill in valid DNS server IP addresses in the fields.
Incorrect DNS entries might cause connectivity issues.
Primary DNS Server The IP address of the primary DNS server.
Secondary DNS Serve The IP address of the secondary DNS server.
After you have completed the steps in the Setup Wizard, you can make changes to the W AN
settings by selecting Network Config > WAN Settings. Then click the Edit button in the
Action column of the WAN interface for which you want to change the settings.
For more information about these WAN settings, see Manually Configure the Internet
Connection on page 71.
Setup Wizard Step 3 of 10: System Date and Time
Figure 27.
Using the Setup Wizard to Provision the UTM in Y our Network
49
ProSecure Unified Threat Management (UTM) Appliance
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Table 6. Setup Wizard Step 3: System Date and Time screen settings
Setting Description
Set Time, Date, and NTP Servers
Date/Time From the drop-down list, select the local time zone in which the UTM operates. The
correct time zone is required in order for scheduling to work correctly. The UTM
includes a real-time clock (RTC), which it uses for scheduling.
Automatically Adjust for
Daylight Savings Time
NTP Server (default or
custom)
If daylight savings time is supported in your region, select the Automatically Adjust
for Daylight Savings Time check box.
From the drop-down list, select an NTP server:
• Use Default NTP Servers. The UTM’s RTC is updated regularly by contacting a
default NETGEAR NTP server on the Internet.
• Use Custom NTP Servers. The UTM’s RTC is updated regularly by contacting one
of the two NTP servers (primary and backup), both of which you need to specify in
the fields that become available with this selection.
Note: If you select this option but leave either the Server 1 or Server 2 field blank, both
fields are set to the default NETGEAR NTP servers.
Note: A list of public NTP servers is available at
http://support.ntp.org/bin/view/Servers/WebHome.
Server 1 Name / IP
Address
Server 2 Name / IP
Address
Enter the IP address or host name of the primary NTP server.
Enter the IP address or host name of the backup NTP server.
After you have completed the steps in the Setup Wizard, you can make changes to the date
and time by selecting Administration > System Date & Time. For more information about
these settings, see Configure Date and Time Service on page 412.
Using the Setup Wizard to Provision the UTM in Y our Network
50
ProSecure Unified Threat Management (UTM) Appliance
Setup Wizard Step 4 of 10: Services
Figure 28.
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Table 7. Setup Wizard Step 4: Services screen settings
Setting Description
Email
SMTP SMTP scanning is enabled by
default on standard service port 25.
POP3 POP3 scanning is enabled by default
on standard service port 110.
IMAP IMAP scanning is enabled by default
on standard service port 143.
Using the Setup Wizard to Provision the UTM in Y our Network
51
To disable any of these services, clear
the corresponding check box. You can
change the standard service port or
add another port in the corresponding
Ports to Scan field.
ProSecure Unified Threat Management (UTM) Appliance
Table 7. Setup Wizard Step 4: Services screen settings (co ntinued)
Setting Description
Web
HTTP HTTP scanning is enabled by default
on standard service port 80.
HTTPS HTTPS scanning is disabled by
default.
FTP FTP scanning is enabled by default
on standard service port 21.
Instant Messaging
Google Talk
ICQ
mIRC
MSN Messenger
QQ
Scanning of these instant messaging services is disabled by default. To
enable any of these services, select the corresponding check box.
Note: For instant messaging services, the following services can be blocked:
logging in, sharing files, sharing video, sharing audio, and text messaging.
To disable HTTP scanning, clear the
corresponding check box. You can
change the standard service port or
add another port in the corresponding
Ports to Scan field.
To enable HTTPS scanning, select the
corresponding check box. You can
change the standard service port (443)
or add another port in the
corresponding Ports to Scan field.
To disable FTP scanning, clear the
corresponding check box. You cannot
change the standard service port in the
corresponding Ports to Scan field.
Yahoo Messenger
Peer-to-Peer (P2P)
BitTorrent
eDonkey
Gnutella
Media Applications
iTunes (Music Store, update)
QuickTime (Update)
Real Player (Guide)
Rhapsody (Guide, Music Store)
Winamp (Internet Radio/TV)
Using the Setup Wizard to Provision the UTM in Y our Network
Scanning of these file-sharing applications is disabled by default. To enable
any of these services, select the corresponding check box.
Scanning of these media applications is disabled by default. To enable any of
these applications, select the corresponding check box.
52
ProSecure Unified Threat Management (UTM) Appliance
Table 7. Setup Wizard Step 4: Services screen settings (continued)
Setting Description
SSL Handshaking to Websites
Note: SSL handshaking is supported only on the UTM9S.
Facebook
Tools
Alexa Toolbar
Scanning of Facebook is disabled by default. To enable it, select the
corresponding check box. (This option is not shown in the previous figure, but
it is shown in Figure 110 on page 195.)
GoToMyPC
Weatherbug
Y ahoo Toolbar
Scanning of these tools is disabled by default. To enable any of these tools,
select the corresponding check box.
After you have completed the steps in the Setup Wizard, you can make changes to the
security services by selecting Application Security > Services. For more informat ion about
these settings, see Customize Email Protocol Scan Settings on page 178 and Customize
Web Protocol Scan Settings and Services (Web Applications) on page 194.
Setup Wizard Step 5 of 10: Email Security
Figure 29.
Using the Setup Wizard to Provision the UTM in Y our Network
53
ProSecure Unified Threat Management (UTM) Appliance
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Table 8. Setup Wizard Step 5: Email Security screen settings
Setting Description
Action
SMTP From the SMTP drop-down list, select one of the following actions to be taken when
an infected email is detected:
• Block infected email. This is the default setting. The email is blocked , and a log
entry is created.
• Delete attachment. The email is not blocked, but the attachment is deleted, and
a log entry is created.
• Log only. Only a log entry is created. The email is not blocked, a nd the
attachment is not deleted.
• Quarantine attachment (UTM9S only). Th e email is not blocked, but the
attachment is quarantined on a ReadyNAS, and a log entry is created (see the
Note on page 176).
• Quarantine infected email (UTM9S only). The email is quaran tined on a
ReadyNAS, and a log entry is created (see the Note on page 17 6).
POP3 From the POP3 drop-down list, select one of the following actions to be taken when
an infected email is detected:
• Delete attachment. This is the default setting. The email is n ot blocked, but the
attachment is deleted, and a log entry is created.
• Log only. Only a log entry is created. The email is not blocked, a nd the
attachment is not deleted.
• Quarantine attachment (UTM9S only). Th e email is not blocked, but the
attachment is quarantined on a ReadyNAS, and a log entry is created (see the
Note on page 176).
IMAP From the IMAP drop-down list, select one of the following actions to be taken when
an infected email is detected:
• Delete attachment. This is the default setting. The email is n ot blocked, but the
attachment is deleted, and a log entry is created.
• Log only. Only a log entry is created. The email is not blocked, a nd the
attachment is not deleted.
• Quarantine attachment (UTM9S only). Th e email is not blocked, but the
attachment is quarantined on a ReadyNAS, and a log entry is created (see the
Note on page 176).
Scan Exceptions
The default maximum size of the file or message that is scanned is 2048 KB, but you can define a maximum
size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM’s performance
(see Performance Management on page 389).
From the drop-down list, select one of the following actions to be taken when the file or message exceeds the
maximum size:
• Skip. The file is not scanned but ski pped, leaving the end user vulnerable. This is the default setting.
• Block. The file is blocked and does not reach the end user.
Using the Setup Wizard to Provision the UTM in Y our Network
54
ProSecure Unified Threat Management (UTM) Appliance
After you have completed the steps in the Setup Wizard, you can make changes to the email
security settings by selecting Application Security > Email Anti-Virus. The Email Anti-Virus
screen also lets you specify notification settings and email alert settings. For more
information about these settings, see Customize Email Antivirus and Notification Settings on
page 179.
Setup Wizard Step 6 of 10: Web Security
Figure 30.
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Table 9. Setup Wizard Step 6: Web Security screen settings
Setting Description
Action
HTTP From the HTTP drop-down list, select one of the following actions to be taken when
an infected web file or object is detected:
• Delete file. This is the default setting. The web file or object is deleted, and a log
entry is created.
• Log only. Only a log entry is created. The web file or object is not deleted.
• Quarantine file (UT M9S only). The web file or object is quarantined, and a log
entry is created (see the Note on page 176).
Select the Streaming check box to enable streaming of partially downloaded and
scanned HTTP file parts to the user. This method allows the user to experience
more transparent web downloading. Streaming is enabled by default.
Using the Setup Wizard to Provision the UTM in Y our Network
55
ProSecure Unified Threat Management (UTM) Appliance
Table 9. Setup Wizard Step 6: Web Security screen settings (continued)
Setting Description
HTTPS From the HTTPS drop-down list, select one of the following actions to be taken
when an infected web file or object is detected:
• Delete file. This is the default setting. The web file or object is dele ted, an d a log
entry is created.
• Log only. Only a log entry is created. The web file or object is not deleted.
• Qu arantine file (UTM9S only). The web file or object is quarantined, and a log
entry is created (see the Note on page 176).
Select the Streaming check box to enable streaming of partially downloaded and
scanned HTTPS file parts to the user. This method allows the user to experience
more transparent web downloading. Streaming is enabled by default.
FTP From the FTP drop-down list, select one of the following actions to be taken when
an infected web file or object is detected:
• Delete file. This is the default setting. The FTP file or object is deleted, and a log
entry is created.
• Log only. Only a log entry is created. The FTP file or object is not deleted.
• Quarantine file (UTM9S only). The FTP file or object is quarantined, and a l og
entry is created (see the Note on page 176).
Scan Exceptions
The default maximum size of the file or object that is scanned is 2048 KB, but you can define a maximum size of
up to 10240 KB. However, setting the maximum size to a high value might affect the UTM’s performance (see
Performance Management on page 389).
From the drop-down list, select one of the following actions to be taken when the file or message exceeds the
maximum size:
• Skip. The file is not scanned but ski pped, leaving the end user vulnerable. This is the default setting.
• Block. The file is bl ocked and does reach the end user.
After you have completed the steps in the Setup Wizard, you can make changes to the web
security settings by selecting Application Security > HTTP/HTTPS > Malware Scan. The
Malware Scan screen also lets you specify HTML scanning and notification settings. For
more information about these settings, see Configure Web Malware Scans on page 197.
Using the Setup Wizard to Provision the UTM in Y our Network
56
ProSecure Unified Threat Management (UTM) Appliance
Setup Wizard Step 7 of 10: Web Categories to Be Blocked
Figure 31.
Using the Setup Wizard to Provision the UTM in Y our Network
57
ProSecure Unified Threat Management (UTM) Appliance
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Table 10. Setup Wizard Step 7: Web Categories to be blocked screen settings
Setting Description
Blocked Web Categories
Select the Enable Blocking check box to enable blocking of web categories. (By default, this check box is
selected.)
Select the check boxes of any web categories that you want to block. Use the action buttons at the top of the
section in the following way:
• Allow All. All web categories are allowed.
• Block All. All web categories are b locked.
• Set to Defaults. Blocking and allowing of web categories are returned to their default settings. See Table 38
on page 176 for information about the web categories that are blocked by default. Categories that are
preceded by a green square are allowed by defa ult; categories that are preceded by a pink square are
blocked by default.
Blocked Categories Scheduled Days
Make one of the following selections:
• Select the All Days radio button to enable content filtering to be active all days of the week.
• Select the Specific Days radio button to enable content filtering to be active on the days that are sp ecified
by the check boxes.
Blocked Categories Time of Day
Make one of the following selections:
• Select the All Day radio button to enable content filtering to be active all 24 hours of each selected day.
• Select the Specific Times radio button to enable content filtering to be active during the time that is specified
by the Start Time and End Time fields for each day that content filtering is active.
After you have completed the steps in the Setup Wizard, you can make changes to the
content-filtering settings by selecting Application Security > HTTP/HTTPS > Content
Filtering. The Content Filtering screen lets you specify additional filtering tasks and
notification settings. For more information about these settings, see Configure Web Content
Filtering on page 199.
Using the Setup Wizard to Provision the UTM in Y our Network
58
ProSecure Unified Threat Management (UTM) Appliance
Setup Wizard Step 8 of 10: Email Notification
Figure 32.
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Table 11. Setup Wizard Step 8: Email Notification screen settings
Setting Description
Administrator Email Notification Settings
Show as mail sender A descriptive name of the sender for email identification purposes. For example,
enter UTM_Notifications@netgear.com.
SMTP server The IP address and port number or Internet name and port number of your ISP’s
outgoing email SMTP server. The default port number is 25.
Note: If you leave this field blank, the UTM cannot send email notifications.
This server requires
authentication
Send notifications to The email address to which the notifications should be sent. Typically, this is the
If the SMTP server requires authentication, select the This server requires
authentication check box, and enter the user name and password.
User name The user name for SMTP server authentication.
Password The password for SMTP server authentication.
email address of the administrator.
After you have completed the steps in the Setup Wizard, you can make changes to the
administrator email notification settings by selecting Network Config > Email Notification.
For more information about these settings, see Configure the Email Notification Server on
page 422.
Using the Setup Wizard to Provision the UTM in Y our Network
59
ProSecure Unified Threat Management (UTM) Appliance
Setup Wizard Step 9 of 10: Signatures & Engine
Figure 33.
Enter the settings as explained in the following table, and then click Next to go the following
screen.
Table 12. Setup Wizard Step 9: Signatures & Engine screen settings
Setting Description
Update Settings
Update From the drop-down list, select one of the following options:
• Never. The pattern and firmware files are never automatically updated.
• Scan engine and Signatures. The pattern and firmware files are automatically
updated according to the settings in the Update Fre quency section on the
screen (see explanations later in this table).
Update From Set the update source server by selecting one of the following radio buttons:
• Default update server. Fil es are updated from the default NETGEAR update
server.
• Server address. Files are updated from the server that you specify. Enter the IP
address or host name of the update server in the Server address field.
Using the Setup Wizard to Provision the UTM in Y our Network
60
ProSecure Unified Threat Management (UTM) Appliance
Table 12. Setup Wizard Step 9: Signatures & Engine screen settings (continued)
Setting Description
Update Frequency
Specify the frequency with which the UTM checks for file updates:
• Weekly. From the drop-down lists, select the weekday, hour, and minutes that the updates occur.
• Daily. From the drop-down lists, select the hour and minutes that the updates occur.
• Every. From the drop-down list, select the frequency with which the updates occur. The range is from 15
minutes to 12 hours.
HTTPS Proxy Settings
Enable If computers on the network connect to the Internet through a proxy server, select
the Enable check box to specify and enable a proxy server. Enter the following
settings.
Proxy server The IP address and port number of the proxy server.
User name The user name for proxy server authentication.
Password The password for proxy server authentication.
After you have completed the steps in the Setup Wizard, you can make changes to the
signatures and engine settings by selecting Administration > System Up date > Si gnatures
& Engine. For more information about these settings, see Update the Scan Signatures and
Scan Engine Firmware on page 410.
Setup Wizard Step 10 of 10: Saving the Configuration
Figure 34.
Click Apply to save your settings and automatically restart the system.
Verify Correct Installation
Test the UTM before deploying it in a live production environment. The following instructions
walk you through a couple of quick tests that are designed to ensure that your UTM is
functioning correctly.
Using the Setup Wizard to Provision the UTM in Y our Network
61
ProSecure Unified Threat Management (UTM) Appliance
Test Connectivity
Verify that network traffic can pass through the UTM:
1. Ping an Internet URL.
2. Ping the IP address of a device on either side of the UTM.
Test HTTP Scanning
If client computers have direct access to the Internet through your LAN, try to download the
eicar.com test file from http://www.eicar.org/download/eicar.com.
The eicar.com test file is a legitimate denial of service (DoS) attack and is safe to use
because it is not a malware threat and does not include any fragments of malware code . The
test file is provided by EICAR, an organization that unites efforts against computer crime,
fraud, and misuse of computers or networks.
Verify that the UTM scans HTTP traffic correctly:
1. Log in to the UTM web management interface, and then verify that HTTP scanning is
enabled. For information about how to enable HTTP scanning, see Customize Web
Protocol Scan Settings and Services (Web Applications) on page 194 and Configure
Web Malware Scans on page 197.
2. Check the downloaded eicar.com test file, and note the attached malware information file.
Register the UTM with NETGEAR
To receive threat management component updates and technical support, you need to
register your UTM with NETGEAR. The UTM is bundled with three 30-day trial licenses:
• Web scanning
• Email scanning
• Support and maintenance
The service license keys are provided with the product package (see Service Registration
Card with License Keys on page 20). For electronic licensing, you do not need the service
license keys (see Electronic Licensing on page 64).
Note: Activating the service licenses initiates their terms of use. Activate
the licenses only when you are ready to start using this unit. If your
unit has never been registered before, you can use the 30-day trial
period for all three types of licenses to perform the initial testing an d
configuration. To use the trial period, do not click Register in step 4
of the following procedure, but click Trial instead.
Using the Setup Wizard to Provision the UTM in Y our Network
62
ProSecure Unified Threat Management (UTM) Appliance
WARNING!
If your UTM is connected to the Internet, you can activate the service licenses:
1. Select Support > Registration. The Registration screen displays:
Figure 35.
2. Enter the license key in the Registration Key field.
3. Fill out the customer and val u e- a d de d r e s el l er ( VAR) fields.
4. Click Register.
To activate the 30-day trial period for a license, do not click
Register but click Trial instead.
5. Repeat step 2 and step 4 for additional license keys.
The UTM activates the licenses and registers the unit with the NETGEAR registration server.
Using the Setup Wizard to Provision the UTM in Y our Network
63
ProSecure Unified Threat Management (UTM) Appliance
Note: The 30-day trial licenses are revoked once you activate the
purchased service license keys. The purchased service license keys
offer 1 year or 3 years of service.
Note: When you reset the UTM to the original factory default settings after
you have entered the license keys to activate the UTM (se e Register
the UTM with NETGEAR on page 62), the license keys are erased.
The license keys and the different types of licenses that are
available for the UTM are no longer displayed on the Registration
screen. However, af ter you have reconfigured the UTM to connect to
the Internet and to the NETGEAR registration server, the UTM
retrieves and restores all registration information based on its MAC
address and hardware serial number . You do not need to reenter the
license keys and reactivate the UTM.
Electronic Licensing
If you have purchased the UTM bundled together with a 1- or 3-year license bundle, you ca n
use the electronic licensing option. When the UTM is connected to the Internet, you need to
enter only your customer information and optional value-added reseller (VAR) information on
the Register screen but do not need to enter the license numbers. When you click Register,
the UTM automatically downloads and activates the license keys because the serial number
of the UTM is linked to the license bundle.
If you have purchased licenses from a VAR (either directly or over the web) after purchase of
the UTM, the VAR should email you the license keys or provide them to you in another way.
To register and activate the license keys, follow the regular registration procedure that is
explained in the previous section.
What to Do Next
You have completed setting up the UTM to the network. The UTM is now ready to scan the
protocols and services that you specified and perform automatic updates based on the
update source and frequency that you specified.
If you need to change the settings, or to view reports or logs, log in to the UTM web
management interface, using the default IP address or the IP address that you assigned to
the UTM in Setup Wizard Step 1 of 10: LAN Settings on page 43.
Using the Setup Wizard to Provision the UTM in Y our Network
64
ProSecure Unified Threat Management (UTM) Appliance
The UTM is ready for use. However, the following sections describe important tasks that you
might want to address before you deploy the UTM in your network:
• Configure the WAN Mode (required for the multiple WAN port models).
• Configure Authentication Domains, Groups, and Users
• Manage Digital Certificates for VPN Connections
• Use the IPSec VPN Wizard for Client and Gateway Configurations
• Use the SSL VPN Wizard for Client Configurations
Using the Setup Wizard to Provision the UTM in Y our Network
65
3. Manually Configuring Internet and
WAN Settings
This chapter contains the following sections:
• Internet and WAN Configuration Tasks
• Automatically Detecting and Connecting the Internet Connections
• Manually Configure the Internet Connection
• Configure the WAN Mode
• Configure Secondary WAN Addresses
• Configure Dynamic DNS
• Configure Advanced WAN Options
Note: The initial Internet configuration of the UTM is described in
Chapter 2, Using the Setup Wizard to Provision the UTM in Your
Network. If you used the Setup Wizard to configure your Internet
settings, you need this chapter only to configure WAN features such
as multiple WAN connections (not applicable to the single WAN port
models) and dynamic DNS, and to configure secondary WAN
addresses and advanced WAN options.
3
Note: The Wireless Settings configuration menu is shown on the UTM9S
only, accessible under the Network Config main navigation menu.
Note: On the UTM9S, the Email Notification configuration menu is
accessible under the Monitoring main navigation menu instead of
the Network Config main navigation menu.
66
ProSecure Unified Threat Management (UTM) Appliance
Internet and WAN Configuration Tasks
Note: For information about configuring the DSL interface of the UTM9S,
see Appendix A, xDSL Module for the UTM9S. The information in
this chapter does also apply to the WAN interfaces of the UTM9S.
Generally, five steps are required to complete the WAN Internet connection of your UTM.
Complete these steps:
1. Configure the Internet connections to your ISPs. During this phase, you connect to
your ISPs. See Automatically Detecting and Connecting the Internet Connections on
page 67 or Manually Configure the Internet Connection on page 71.
2. Configure the WAN mode (required for multiple WAN port models). For all models,
select either NAT or classical routing. For the multiple WAN port models, select dedicated
(single WAN) mode, auto-rollover mode, or load balancing mode. For load balancing, you
can also select any necessary protocol bindings. See Configure the WAN Mode on page 75.
3. Configure secondary WAN addresses on the WAN ports (optional). Configure aliases
for each WAN port. See Configure Secondary WAN Addresses on page 85.
4. Configure Dynamic DNS on the WAN ports (optional). Configure your fully qualified
domain names during this phase (if required). See Configure Dynamic DNS on page 87.
5. Configure the WAN options (optional). Optionally, you can enable each WAN port to
respond to a ping, and you can change the factory default MTU size and port speed.
However, these are advanced features, and changing them is not usually required. See
Configure Advanced WAN Options on page 90.
Each of these tasks is detailed separately in this chapter.
Note: For information about how to configure the WAN meters, see Enable
the WAN Traffic Meter on page 419.
Automatically Detecting and Connecting the Internet Connections
To set up your UTM for secure Internet connections, the web management interface provides
the option to automatically detect the network connections and configure the WAN port or
ports. You can also manually configure the Internet connections and ports (see Manually
Configure the Internet Connection on page 71).
Manually Configuring Internet and W AN Settings
67
ProSecure Unified Threat Management (UTM) Appliance
To automatically configure the WAN ports for connection to the Internet:
1. Select Network Config > WAN Settings. The WAN screen displays. (The following
figure shows the UTM50.)
Figure 36.
The UTM5 and UTM10 screens show one WAN interface; the UTM25 and UTM50
screens show two WAN interfaces; the UTM150 screen shows four WAN interfaces; the
UTM9S screen shows two WAN interfaces and a slot (SLOT-1 or SLOT-2), in which the
xDSL module is installed.
The WAN Settings table displays the following fields:
• WAN. The WAN interface.
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IP address of the WAN interface.
• Failure Detection Method. The failure detection method that is active for the WAN
interface. The following methods can be displayed:
- None
- DNS Lookup (WAN DNS Servers)
- DNS Lookup (the configured IP address is displayed)
- PING (the configured IP address is displayed)
You can set the failure detection method for each WAN interface on its correspo nding
WAN Advanced Options screen (see Configure Auto-Rollover Mode and the Failure
Detection Method (Multiple WAN Port Models) on page 78).
• Action. The Edit button provides access to the W AN ISP Settings screen (see step 2)
for the corresponding WAN interface; the Status button provides access to the
Connection Status screen (see step 4) for the corresponding WAN interface.
2. Click the Edit button in the Action column of the WAN interface or slot for which you want to
automatically configure the connection to the Internet. The WAN ISP Settings screen
displays.
The following figure shows the WAN1 ISP Settings screen of the UTM50 as an example
Manually Configuring Internet and W AN Settings
68
ProSecure Unified Threat Management (UTM) Appliance
Figure 37.
3. Click the Auto Detect button at the bottom of the screen. The autodetect process probes
the WAN port for a range of connection methods and suggests one that your ISP is most
likely to support.
The autodetect process returns one of the following results:
• If the autodetect process is successful, a status bar at the top of the screen displays
the results (for example, DHCP service detected).
• If the autodetect process senses a connection method that requires input from you, it
prompts you for the information. All methods with their required settings are e xplained
in the following table:
Manually Configuring Internet and W AN Settings
69
ProSecure Unified Threat Management (UTM) Appliance
Table 13. Internet connection methods
Connection method Manual data input required
DHCP (Dynamic IP) No data is required.
PPPoE Login, password, account name, and domain name.
PPTP Login, password, account name, your IP address, and the server IP address.
Fixed (Static) IP IP address, subnet mask, and gateway IP address, and related data supplied
by your ISP.
• If the autodetect process does not find a connection, you are prompted either to check
the physical connection between your UTM and the cable, DSL line, satellite dish, or
wireless ISP radio antenna to check your UTM’s MAC address. For more information,
see Configure Advanced WAN Options on page 90 and Troubleshoot the ISP
Connection on page 494.
4. To verify the connection:
a. Return to the WAN screen by selecting Network Config > WAN Settings.
b. Click the Status button in the Action column for the WAN interface that you just
configured to display the Connection Status pop-up screen.
Figure 38.
The Connection Status screen should show a valid IP address and gateway. If the
configuration was not successful, skip ahead to Manually Configure the Internet
Connection on page 71, or see Troubleshoot the ISP Connection on page 494.
Manually Configuring Internet and W AN Settings
70
ProSecure Unified Threat Management (UTM) Appliance
Note: If the configuration process was successful, you are connected to
the Internet through the WAN that you just configured. For the
multiple WAN port models, continue with the configuration process
for the other WAN interfaces.
Note: For more information about the W AN Connection S t atus screen, see
View the WAN Ports Status on page 456.
5. For the multiple WAN port models, repeat step 2, step 3, and step 4 for any other WAN
interface that you want to configure.
If the automatic WAN ISP configuration is successful, you can skip ahead to Configure the
WAN Mode on page 75.
If the automatic WAN ISP configuration fails, you can attempt a manual configuration as
described in Manually Configure the Internet Connection on this page, or see Troubleshoot
the ISP Connection on page 494.
Set the UTM’s MAC Address
Each computer or router on your network has a unique 48-bit local Ethernet address. This is
also referred to as the computer’s Media Access Control (MAC) address. The default is set to
Use Default Address on the WAN Advanced Options screens. If your ISP requires MAC
authentication and another MAC address has been previously registered with your ISP, then
you need to enter that address on the WAN Advanced Options screen for the corresponding
WAN interface (see Configure Advanced WAN Options on page 90).
Manually Configure the Internet Connection
Unless your ISP automatically assigns your configuration through DHCP, you need to obtain
configuration parameters from your ISP to manually establish an Internet connection. The
necessary parameters for various connection types are listed in Table 13 on page 70.
To manually configure the WAN ISP settings for an interface:
1. Select Network Config > WAN Settings. The WAN screen displays (see Figure 36 on
page 68, which shows the UTM50).
2. Click the Edit button in the Action column of the WAN interface for which you want to
configure the connection to the Internet. The WAN ISP Settings screen displays (see
Figure 37 on page 69, which shows the WAN1 ISP Settings screen as an example).
3. Locate the ISP Login section on the screen:
Manually Configuring Internet and W AN Settings
71
ProSecure Unified Threat Management (UTM) Appliance
Figure 39.
In the ISP Login section, select one of the following options:
• If your ISP requires an initial login to establish an Internet connection, select Yes.
(The default is No.)
• If a login is not required, select No, and ignore the Login and Password fields.
4. If you selected Yes, enter the login name in the Login field and the password in the
Password field. This information is provided by your ISP.
5. In the ISP Type section of the screen, select the type of ISP connection that you use from
the two listed options. By default, Other (PPPoE) is selected, as shown in the following
figure:
Figure 40.
Manually Configuring Internet and W AN Settings
72
ProSecure Unified Threat Management (UTM) Appliance
6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as
explained in the following table:
Ta ble 14. PPTP and PPPoE settings
Setting Description
Austria (PPTP) If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio
button, and enter the following settings:
Account Name The account name is also known as the host name or system name.
Enter the account name for the PPTP connection (usually your email ID
assigned by your ISP). Some ISPs require you to enter your full email
address here.
Domain Name Your domain name or workgroup name assigned by your ISP, or your
ISP’s domain name. You can leave this field blank.
Idle Timeout Select the Keep Connected radio button to keep the connection always
on. To log out after the connection is idle for a period of time, select the
Idle Timeout radio button and, in the time-out field, enter the number of
minutes to wait before disconnecting. This is useful if your ISP charges
you based on the period that you have logged in.
My IP Address The IP address assigned by the ISP to make the connection with the
ISP server.
Server IP
Address
Other (PPPoE) If you have installed login software, then your connection type is PPPoE. Select this radio
button, and enter the following settings:
Account Name The account name for the PPPoE connection.
Domain Name The name of your ISP’s domain or your domain name if your ISP has
Idle Timeout Select the Keep Connected radio button to keep the connection always
The IP address of the PPTP server.
you assigned one. You can leave this field blank.
on. To log out after the connection is idle for a period of time, select the
Idle Timeout radio button and, in the time-out field, enter the number of
minutes to wait before disconnecting. This is useful if your ISP charges
you based on the period that you have logged in.
Note: When you use a PPPoE connection and select the Idle Timeout
radio button, you cannot configure load balancing (see Configure Load
Balancing (Multiple WAN Port Models) on page 81). To use load
balancing on a PPPoE connection, select the Keep Connected radio
button. When you have configured load balancing, the Idle Timeout
radio button and time-out field are masked out.
Manually Configuring Internet and W AN Settings
73
ProSecure Unified Threat Management (UTM) Appliance
Table 14. PPTP and PPPoE settings (continued)
Setting Description
Other (PPPoE)
(continued)
Connection
Reset
Select the Connection Reset check box to specify a time when the
PPPoE WAN connection is reset, that is, the connection is disconnected
momentarily and then reestablished. Then, specify the disconnect time
and delay.
Disconnect
Time
Delay Specify the period in seconds after which the connection
Specify the hour and minutes when the connection should
be disconnected.
should be reestablished.
7. In the Internet (IP) Address section of the screen (see th e following figure), configure the IP
address settings as explained in the following table. Click the Current IP Address link to
see the currently assigned IP address.
Figure 41.
Table 15. Internet IP address settings
Setting Description
Get Dynamically
from ISP
Use Static IP
Address
If your ISP has not assigned you a static IP address, select the Get Dynamically from
ISP radio button. The ISP automatically assigns an IP address to the UTM using DHCP
network protocol.
Client Identifier If your ISP requires the client identifier information to assign an
Vendor Class Identifier If your ISP requires the vendor class identifier information to
If your ISP has assigned you a fixed (static or permanent) IP address, select the Use
Static IP Address radio button, and enter the following settings:
IP Address Static IP address assigned to you. This address identifies the
Subnet Mask The subnet mask is usually provided by your ISP.
Gateway IP Address The IP address of the ISP’s gateway is usually provided by
IP address using DHCP, select the Client Identifier check box.
assign an IP address using DHCP, select the Vendor Class
Identifier check box.
UTM to your ISP.
your ISP.
Manually Configuring Internet and W AN Settings
74
ProSecure Unified Threat Management (UTM) Appliance
8. In the Domain Name Server (DNS) Servers section of the screen (see the following figure),
specify the DNS settings as explained in the following table.
Figure 42.
Ta bl e 16 . DNS serve r setti ng s
Setting Description
Get Automatically
from ISP
Use These DNS
Servers
If your ISP has not assigned any Domain Name Server (DNS) addresses, select the
Get Automatically from ISP radio button.
If your ISP has assigned DNS addresses, select the Use These DNS Servers radio
button. Make sure that you fill in valid DNS server IP addresses in the fields. Incorrect
DNS entries might cause connectivity issues.
Primary DNS Server The IP address of the primary DNS server.
Secondary DNS Server The IP address of the secondary DNS server.
9. Click Test to evaluate your entries. The UTM attempts to make a connection according to
the settings that you entered.
10. Click Apply to save any changes to the WAN ISP settings. (Or click Reset to discard any
changes and revert to the previous settings.)
For the multiple WAN port models, if you want to manually configure an additional WAN
interface, select another WAN interface and repeat these step s. You can configure up to four
WAN interfaces.
When you are finished, click the Logout link in the upper right of the web management
interface, or proceed to additional setup and management tasks.
Configure the WAN Mode
For the multiple WAN port models, the UTM can be configure d on a mu tually exclusive basis
for either auto-rollover (for increased system reliability) or load balancing (for maximum
bandwidth efficiency). If you do not select load balancing, you need to specify one WAN
interface as the primary interface.
Manually Configuring Internet and W AN Settings
75
ProSecure Unified Threat Management (UTM) Appliance
WARNING!
Note: For the UTM9S only , you can also use a DSL interface for any of the
following modes (see Appendix A, xDSL Module for the UTM9S).
• Load balancing mode. The UTM distributes the outbound traffic equally among the W AN
interfaces that are functional. Depending on the UTM model, you can configure up to four
WAN interfaces. The UTM supports weighted load balancing and round-robin load
balancing (see Configure Load Balancing and Optional Protocol Binding on page 81).
Note: Scenarios could arise when load balancing needs to be bypassed
for certain traffic or applications. If cert ain traffic needs to travel on a
specific WAN interface, configure protocol binding rules for that
WAN interface. The rule should match the desired traffic.
• Primary WAN mode. The selected WAN interface is made the primary interface. The
other interfaces are disabled.
• Auto-rollover mode. The selected WAN interface is defined as the primary link, and
another interface needs to be defined as the rollover link. If the UTM model has more
than two WAN interfaces, the remaining interfaces are disabled. As long as the primary
link is up, all traffic is sent over the primary link. When the primary link goes down, the
rollover link is brought up to send the traffic. W hen the primary lin k comes back up, traffic
automatically rolls back to the original primary link.
If you want to use a redundant ISP link for backup purposes, select the WAN interface
that needs to function as the primary link for this mode. Ensure that the backup WAN
interface has also been configured and that you configure the WAN failure detection
method on the WAN Advanced Options screen to support auto-rollover (see Configure
Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models) on
page 78).
Whichever WAN mode you select for the multiple WAN port models, you also need to select
either NAT or classical routing, as explained in the following sections.
Note: NAT and classical routing also apply to the single WAN port models.
When you change the WAN mode, the UTM restarts. If you change
from primary W AN mode to load balancing mode, or the other way
around, the interface through which you can access the UTM
might change. Take note of the IP addresses of the interfaces
before you change the WAN mode.
Manually Configuring Internet and W AN Settings
76
ProSecure Unified Threat Management (UTM) Appliance
WARNING!
WARNING!
Configure Network Address Translation (All Models)
Network Address Translation (NAT) allows all PCs on your LAN to share a single public
Internet IP address. From the Internet, there is only a single device (the UTM) and a single IP
address. PCs on your LAN can use any private IP address range, and these IP addresses
are not visible from the Internet.
Note the following about NAT:
• The UTM uses NA T to select the correct PC (on your LAN) to receive any incoming dat a.
• If you have only a single public Internet IP address, you need to use NAT (the default
setting).
• If your ISP has provided you with multiple public IP addresses, you can use one address
as the primary shared address for Internet access by your PCs, and you can map
incoming traffic on the other public IP addresses to specific PCs on your LAN. This
one-to-one inbound mapping is configured using an inbound firewall rule.
Changing the WA N mod e from classical routing to NAT causes all
LAN WAN and DMZ WAN inbound rules to revert to default
settings.
To configure NAT:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen
displays (see Figure 43 on page 79).
2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button.
3. Click Apply to save your settings.
Configure Classical Routing (All Models)
In classical routing mode, the UTM performs routing, but without NAT. To gain Internet
access, each PC on your LAN needs to have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to yo u, and you have assigned one
of these addresses to each PC, you can choose classical routing. Or, you can use classical
routing for routing private IP addresses within a campus environment.
To view the status of the WAN ports, you can view the Router Status screen (see View the
System Status on page 439).
Changing the WA N mod e from NAT to classical routing causes all
LAN WAN and DMZ WAN inbound rules to revert to default
settings.
Manually Configuring Internet and W AN Settings
77
ProSecure Unified Threat Management (UTM) Appliance
To configure classical routing:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen
displays (see Figure 43 on page 79).
2. In the NAT (Network Address Translation) section of the screen, select the Classical
Routing radio button.
3. Click Apply to save your settings.
Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models)
To use a redundant ISP link for backup purposes, ensure that the backup W AN interface has
already been configured. Then select the WAN interface that should function as the primary
link for this mode, and configure the W AN failu re detection method on the W AN Mode screen
to support auto-rollover.
When the UTM is configured in auto-rollover mode, it uses the selected WAN failure
detection method to detect the status of the primary link connection at regular intervals. Link
failure is detected in one of the following ways:
• DNS queries sent to a DNS server
• Ping request sent to an IP address
• None (no failure detection is performed)
From the primary WAN interface, DNS queries or ping requests are sent to the specified IP
address. If replies are not received after a specified number of retries, the primary WAN
interface is considered down, and a rollover to the backup WAN interface occurs. When the
primary WAN interface comes back up, another rollover occurs from the backup WAN
interface back to the primary WAN interface. The WAN failure detection method that you
select applies only to the primary WAN interface, that is, it monitors the primary link only.
Configure Auto-Rollover Mode
To configure auto-rollover mode:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen
displays:
Manually Configuring Internet and W AN Settings
78
Figure 43.
ProSecure Unified Threat Management (UTM) Appliance
2. In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Primary WAN Mode radio button.
b. From the corresponding drop-down list on the right, select a WAN interface to
function as the primary WAN interface. The other WAN interface or interfaces
become disabled.
c. Select the Auto Rollover check box.
d. From the corresponding drop-down list on the right, select a WAN interface to
function as the backup WAN interface.
Note: Ensure that the backup WAN interface is configured before enabling
auto-rollover mode.
3. Click Apply to save your settings.
Configure the Failure Detection Method
To configure the failure detection method:
1. Select Network Config > WAN Settings. The WAN screen displays (see Figure 36 on
page 68).
2. Click the Edit button in the Action column of the WAN interface that you selected as the
primary WAN interface. The WAN ISP Settings screen displays (see Figure 37 on page 69,
which shows the WAN1 ISP Settings screen as an example).
3. Click the Advanced option arrow at the upper right of the screen. The WAN Advanced
Options screen displays for the WAN interface that you selected. (For an image of the entire
screen, see Figure 51 on page 90.)
Manually Configuring Internet and W AN Settings
79
ProSecure Unified Threat Management (UTM) Appliance
4. Locate the Failure Detection Method section on the screen (see the following figure). Enter
the settings as explained in the following table.
Figure 44.
Table 17. Failure detection method settings
Setting Description
WAN Failure Detection Method
Select a failure detection method from the drop-down list. DNS queries or pings are sent through the WAN
interface that is being monitored. The retry interval and number of failover attempts determine how quickly
the UTM switches from the primary link to the backup link in case the primary link fails, or when the primary
link comes back up, switches back from the backup link to the primary link.
WAN DNS DNS queries are sent to the DNS server that is configured in the Domain Name
Server (DNS) Servers section of the WAN ISP screen (see Manually Configure the
Internet Connection on page 71).
Custom DNS DNS queries are sent to the specified DNS server.
DNS Server The IP address of the DNS server.
Ping Pings are sent to a server with a public IP address. This server should not reject the
ping request and should not consider ping traffic to be abusive.
IP Address The IP address of the ping server.
Retry Interval is The retry interval in seconds. The DNS query or ping is sent periodically after every
test period. The default test period is 30 seconds.
Failover after The number of failover attempts. The primary WAN interface is considered down
after the specified number of queries have failed to elicit a reply. The backup
interface is brought up after this situation has occurred. The failover default is
4 failures.
Note: The default time to roll over after the primary WAN interface fails is
2 minutes. The minimum test period is 30 seconds, and the
minimum number of tests is 4.
5. Click Apply to save your settings.
Manually Configuring Internet and W AN Settings
80
ProSecure Unified Threat Management (UTM) Appliance
Note: You can configure the UTM to generate a WAN status log and email
this log to a specified address (see Configure Logging, Alerts, and
Event Notifications on page 422).
Configure Load Balancing and Optional Protocol Binding
To use multiple ISP links simultaneously, configure load balancing. In load balancing mode,
any WAN port carries any outbound protocol unless protocol binding is configured.
When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is
directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1
port and the FTP protocol is bound to the WAN2 port, then the UTM automatically routes all
outbound HTTPS traffic from the computers on the LAN through the W AN1 port. All outbound
FTP traffic is routed through the WAN2 port.
Protocol binding addresses two issues:
• Segregation of traffic between links that are not of the same speed.
High-volume traffic can be routed through the WAN port connected to a high-speed link,
and low-volume traffic can be routed through the WAN port connected to the low-speed
link.
• Continuity of source IP address for secure connections.
Some services, particularly HTTPS, cease to respond when a client’s source IP address
changes shortly after a session has been established.
Configure Load Balancing (Multiple WAN Port Models)
To configure load balancing:
1. Select Network Config > WAN Settings > WAN Mode. The WAN Mode screen
displays:
Manually Configuring Internet and W AN Settings
81
Figure 45.
ProSecure Unified Threat Management (UTM) Appliance
Note: You cannot configure load balancing when you use a PPPoE
connection and have selected the Idle Timeout radio button on the
WAN ISP Settings screen (single WA N port models) or on one of the
WAN ISP Settings screens (multiple W AN port models); to use load
balancing on a PPPoE connection, select the Keep Connected
radio button. For more information, see Figure 40 on page 72 and
the accompanying PPPoE information in Table 14 on page 73.
2. In the Load Balancing Settings section of the screen, con figure the following settings:
a. Select the Load Balancing Mode radio button.
b. From the corresponding drop-down list on the right, select one of the following load
balancing methods:
• Weighted LB. With weighted load balancing, balance weights are calculated
based on WAN link speed and available WAN bandwidth. This is the default
setting and the most efficient load-balancing algorithm.
• Round-robin. With round-robin load balancing, new traffic connections are sent
over a WAN link in a serial method irrespective of bandwidth or link speed. For
example on a UTM150, if the WAN1, WAN2, and WAN3 interfaces are active in
round-robin load balancing mode, an HTTP request could first be sent over the
WAN1 interface, then a new FTP session could start on the WAN2 interface, and
then any new connection to the Internet could be made on the WAN3 interface.
This load-balancing method ensures that a single WAN interface does not carry a
disproportionate distribution of sessions.
3. Click Apply to save your settings.
Manually Configuring Internet and W AN Settings
82
ProSecure Unified Threat Management (UTM) Appliance
Configure Protocol Binding (Optional)
To configure protocol binding and add protocol binding rules:
1. Select Network Config > Protocol Binding. The Protocol Bindings screen displays.
(The following figure shows two examples in the Protocol Bindings table.)
Figure 46.
The Protocol Bindings table displays the following fields:
• Check box. Allows you to select the protocol binding rule in the table.
• Status icon. Indicates the status of the protocol binding rule:
- Green circle. The protocol binding rule is enabled.
- Gray circle. The protocol binding rule is disabled.
• Service. The service or protocol for which the protocol binding rule is set up.
• Local Gateway. The WAN interface to which the service or protocol is bound.
• Source Network. The computers on your network that are affected by the protocol
binding rule.
• Destination Network. The Internet locations (based on their IP address) that are
covered by the protocol binding rule.
• Action. The Edit button provides access to the Edit Protocol Binding screen for the
corresponding service.
2. Click the Add table button below the Protocol Bindings table. The Add Protocol Binding
screen displays:
Manually Configuring Internet and W AN Settings
83
ProSecure Unified Threat Management (UTM) Appliance
Figure 47.
3. Configure the protocol binding settings as explained in the following table:
Table 18. Add Protocol Binding screen settings
Setting Description
Service From the drop-down list, select a service or application to be covered by this rule. If the
service or application does not appear in the list, you need to define it using the Services
screen (see Service-Based Rules on page 123).
Local Gateway From the drop-down list, select one of the WAN interfaces.
Source Network The source network settings determine which computers on your network are affected by
this rule. Select one of the following options from the drop-down list:
Any All devices on your LAN.
Single address In the Start IP field, enter the IP address to which the rule is applied.
Address Range In the Start IP field and End IP field, enter the IP addresses for the
range to which the rule is applied.
Group 1–Group 8 If this option is selected, the rule is applie d to the devices that are
assigned to the selected group.
Note: You can also assign a customized name to a group (see
Change Group Names in the Network Database on page 110).
Destination
Network
The destination network settings determine which Internet locations (based on their IP
address) are covered by the rule. Select one of the following options from the drop-down
list:
Any All Internet IP address.
Single address In the Start IP field, enter the IP address to which the rule is applied.
Address range In the Start IP field and End IP field, enter the IP addresses for the
range to which the rule is applied.
Manually Configuring Internet and W AN Settings
84
ProSecure Unified Threat Management (UTM) Appliance
4. Click Apply to save your settings. The protocol binding rule is added to the Protocol
Bindings table. The rule is automatically enabled, which is indicated by the ! status icon, a
green circle.
To edit a protocol binding:
1. On the Protocol Bindings screen (see Figure 46 on page 83), in the Protocol Bindings
table, click the Edit table button to the right of the binding that you want to edit. The Edit
Protocol Binding screen displays. This screen shows the same fields as the Add Protoc o l
Bind i ng scre en (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To enable, disable, or delete one or more protocol bindings:
1. On the Protocol Bindings screen (see Figure 46 on page 83), select the check box to the
left of each protocol binding that you want to enable, disable, or delete, or click the
Select All table button to select all bindings.
2. Click one of the following table buttons:
• Enable. Enables the binding or bindings. The ! status icon changes from a gray circle
to a green circle, indicating that the selected binding or bindings are enabled. (By
default, when a binding is added to the table, it is automatically enabled.)
• Disable. Disables the binding or bindings. The ! status icon changes from a green
circle to a gray circle, indicating that the selected binding or bindings are disabled.
• Delete. Deletes the binding or bindings.
Configure Secondary WAN Addresses
You can set up a single WAN port to be accessed through multiple IP addresses by adding
aliases to the port. An alias is a secondary WAN address. One advantage is, for example,
that you can assign different virtual IP addresses to a web server and an FTP server, even
though both servers use the same physical IP address. You can add several secondary IP
addresses to a single WAN port.
After you have configured secondary W AN addresses, t hese addresses are displayed o n the
following firewall rule screens:
• In the WAN Destination IP Address drop-down lists of the following inbound firewall rule
screens:
- Add LAN WAN Inbound Service screen
- Add DMZ WAN Inbound Service screen
• In the NAT IP drop-down lists of the following outbound firewall rule screens:
- Add LAN WAN Outbound Service screen
- Add DMZ WAN Outbound Service screen
For more information about firewall rules, see Use Rules to Block or Allow Specific Kinds of
Traffic on page 122).
Manually Configuring Internet and W AN Settings
85
ProSecure Unified Threat Management (UTM) Appliance
It is important that you ensure that any secondary WAN addresses are different from the
primary WAN, LAN, and DMZ IP addresses that are already configured on the UTM.
However, primary and secondary WAN addresses can be in the same subnet. The following
is an example of correctly configured IP addresses on a multiple WAN port model:
• Primary WAN1 IP address. 10.121.0.1 with subnet 255.255.255.0
• Secondary WAN1 IP address. 10.121.26.1 with subnet 255.255.255.0
• Primary WAN2 IP address. 10.216.75.1 with subnet 255.255.255.0
• Secondary WAN2 IP address. 10.216.82.1 with subnet 255.255.255.0
• DMZ IP address. 192.168.10.1 with subnet 255.255.255.0
• Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0
• Secondary LAN IP address. 192.168.2.1 with subnet 255.255.255.0
To add a secondary WAN address to a WAN interface:
1. Select Network Config > WAN Settings. The WAN screen displays (see Figure 36 on
page 68).
2. Click the Edit button in the Action column of the WAN interface for which you want to add a
secondary address. The WAN ISP Settings screen displays (see Figure 36 on page 68,
which shows the WAN1 ISP Settings screen as an example).
3. Click the Secondary Addresses option arrow at the upper right of the screen. The WAN
Secondary Addresses screen displays for the WAN interface that you selected (see the
following figure, which shows the WAN1 Secondary Addresses screen as an example, and
which includes one entry in the List of Secondary WAN addresses table).
Figure 48.
The List of Secondary WAN addresses table displays the secondary LAN IP addresses
added for the selected WAN interface.
4. In the Add WAN Secondary Addresses section of the screen, enter the following settings:
• IP Address. Enter the secondary address that you want to assign to the WAN
interface.
• Subnet Mask. Enter the subnet mask for the secondary IP address.
Manually Configuring Internet and W AN Settings
86
ProSecure Unified Threat Management (UTM) Appliance
5. Click the Add table button in the rightmost column to add the secondary IP address to the
List of Secondary WAN addresses table.
Repeat step 4 and step 5 for each secondary IP address that you want to add to the List
of Secondary WAN addresses table.
To delete one or more secondary addresses:
1. In the List of Secondary WAN addresses table, select the check box to the left of each
address that you want to delete, or click the Select All table button to select all
addresses.
2. Click the Delete table button.
Configure Dynamic DNS
Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IP
addresses to be located using Internet domain names. To use DDNS, you need to set up an
account with a DDNS provider such as DynDNS.org, TZO.com, Oray .net, or 3322.org. (Links
to DynDNS, TZO, Oray, and 3322 are provided for your convenience as option arrows on the
DDNS configuration screens.) The UTM firmware includes software that notifies DDNS
servers of changes in the WAN IP address, so that the services running on this network can
be accessed by others on the Internet.
If your network has a permanently assigned IP address, you can register a domain name and
have that name linked with your IP address by public Domain Name Servers (DNS).
However, if your Inte rnet account uses a dynamically assign ed IP address, you will no t know
in advance what your IP address will be, and the address can change frequently—hence, the
need for a commercial DDNS service, which allows you to register an extension to its
domain, and restores DNS requests for the resulting fully qualified domain name (FQDN) to
your frequently changing IP address.
After you have configured your account information on the UTM, when your ISP-assigned IP
address changes, your UTM automatically contacts your DDNS service provider, logs in to
your account, and registers your new IP address.
Consider the following:
• For auto-rollover mode, you need an FQDN to implement features such as exposed host s
and virtual private networks regardless of whether you have a fixed or dynamic IP
address.
• For load balancing mode, you might still need an FQDN either for convenience or if you
have a dynamic IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x
or 10.x.x.x, the DDNS service does not work because private
addresses are not routed on the Internet.
Manually Configuring Internet and W AN Settings
87
ProSecure Unified Threat Management (UTM) Appliance
To configure DDNS:
1. Select Network Config > Dynamic DNS. The Dynamic DNS screen displays (see the
following figure).
The WAN Mode section on the screen reports the currently configured WAN mode (for
example, Single Port WAN1, Load Balancing, or Auto Rollover). Only those options that
match the configured WAN mode are accessible on the screen.
2. Click the submenu tab for your DDNS service provider:
• Dynamic DNS for DynDNS.org (which is shown in the following figure)
• DNS TZO for TZO.com
• DNS Oray for Oray.net
• 3322 DDNS for 3322.org
Figure 49.
3. Click the Information option arrow in the upper right of a DNS screen for registration
information.
Manually Configuring Internet and W AN Settings
88
ProSecure Unified Threat Management (UTM) Appliance
Figure 50.
4. Access the website of the DDNS service provider, and register for an account (for example,
for DynDNS.org, go to http://www .dyndns.com/).
5. Configure the DDNS service settings as explained in the following table:
Ta bl e 19 . DNS servi ce se tti n gs
Setting Description
WAN (Dynamic DNS Status: ...)
or
WAN1 (Dynamic DNS Status: ...)
Change DNS to
(DynDNS, TZO,
Oray, or 3322)
WAN2 (Dynamic DNS Status: ...)
or
WAN3 (Dynamic DNS Status: ...)
or
WAN4 (Dynamic DNS Status: ...)
Select the Yes radio button to enable the DDNS service. The fields that display on the
screen depend on the DDNS service provider that you have selected. Enter the following
settings:
Host and Domain Name The host and domain name for the DDNS service.
Username or
User Email Address
Password or User Key The password that is used for DDNS server authentication.
Use wildcards If your DDNS provider allows the use of wildcards in resolving
Update every 30 days If your WAN IP address does not change often, you might
The user name or email address for DDNS server
authentication.
your URL, you can select the Use wildcards check box to
activate this feature. For example, the wildcard feature
causes *.yourhost.dyndns.org to be aliased to the same IP
address as yourhost.dyndns.org.
need to force a periodic update to the DDNS service to
prevent your account from expiring. If the Update every 30
days check box displays, select it to enable a periodic
update.
See the information for WAN or WAN1 about how to enter the settings. You can select different DDNS
services for different WAN interfaces.
6. Click Apply to save your configuration.
Manually Configuring Internet and W AN Settings
89
ProSecure Unified Threat Management (UTM) Appliance
Configure Advanced WAN Options
The advanced options include configuring the maximum transmission unit (MTU) size, the
port speed, and the UTM’s MAC address, and setting a rate limit on the traffic that is being
forwarded by the UTM.
Note: You can also configure the failure detection method for the
auto-rollover mode on the Advanced screen. This procedure is
discussed in Configure the Failure Detection Method on page 79.
To configure advanced WAN options:
1. Select Network Config > WAN Settings.
2. Click the Edit button in the Action column of the WAN interface for which you want to
configure the advanced options. The WAN ISP Settings screen displays (see Figure 37 on
page 69, which shows the WAN1 ISP Settings screen of the UTM50 as an example).
3. Click the Advanced optio n arrow in the upper right of the screen. The WAN Advanced
Options screen displays for the WAN interface that you selected. (The following figure shows
the WAN1 Advanced Options screen of the UTM50 as an example.)
Figure 51.
Manually Configuring Internet and W AN Settings
90
ProSecure Unified Threat Management (UTM) Appliance
4. Enter the settings as explained in the following table:
Table 20. Advanced WAN settings
Setting Description
MTU Size
Make one of the following selections:
Default Select the Default radio button for the normal maximum transmit unit (MTU)
value. For most Ethernet networks this value is 1500 bytes, or 1492 bytes for
PPPoE connections.
Custom Select the Custom radio button, and enter an MTU value in the Bytes field. For
some ISPs, you might need to reduce the MTU. This is rarely required, and
should not be done unless you are sure it is necessary for your ISP connection.
Speed
In most cases, the UTM can automatically determine the connection speed of the WAN port of the device
(modem or router) that provides the WAN connection. If you cannot establish an Internet connection, you
might need to manually select the port speed. If you know the Ethernet port speed of the modem or router,
select it from the drop-down list. Use the half-duplex settings only if the full-duplex settings do not function
correctly.
Select one of the following speeds from the drop-down list:
• AutoSense. Speed autosensing. This is the default setting, This is the default setting, wh ich can sense
all Ethernet speeds and duplex modes, including 1000BASE-T speed at full duplex.
• 10BaseT Half_Duplex. Ethernet speed at half duplex.
• 10BaseT Full_Duplex. Ethernet speed at full duplex.
• 100BaseT Half_Dup lex. Fast Ethernet speed at half duplex.
• 100BaseT Full_Duplex. Fast Ethernet speed at full duplex.
• 1000BaseT Full_Duplex . Gigabit Ethernet.
Router’s MAC Address
Make one of the following selections:
Use Default Address Each computer or router on your network has a unique 32-bit local Ethernet
address. This is also referred to as the computer’s Media Access Control (MAC)
address. To use the UTM’s own MAC address, select the Use Default Address
radio button.
Use this computer’s MAC
Address
Use this MAC Address Select the Use this MAC Address radio button, and manually enter the MAC
Failure Detection Method
See Configure the Failure Detection Method on page 79, including Table 17 on page 80.
Select the Use this computer’s MAC Address radio button to allow the UTM to
use the MAC address of the computer you are now using to access the web
management interface. This setting is useful if your ISP requires MAC
authentication.
address in the field next to the radio button. You would typically enter the MAC
address that your ISP is requiring for MAC authentication.
Note: The format for the MAC address is 01:23:45:67:89:AB (numbers
0–9 and either uppercase or lowercase letters A–F). If you enter a MAC
address, the existing entry is overwritten.
Manually Configuring Internet and W AN Settings
91
ProSecure Unified Threat Management (UTM) Appliance
WARNING!
Table 20. Advanced WAN settings (continued)
Setting Description
Upload/Download Settings
These settings rate-limit the traffic that is being forwarded by the UTM.
WAN Connection Type From the drop-down list, select the type of connection that the UTM uses to
connect to the Internet: DSL, ADLS, Cable Modem, T1, T3, or Other.
WAN Connection Speed
Upload
WAN Connection Speed
Download
From the drop-down list, select the maximum upload speed that is provided by
your ISP. You can select from 56 Kbps to 1 Gbps, or you can select Custom
and enter the speed in Kbps in the field below the drop-down list.
From the drop-down list, select the maximum download speed that is provided
by your ISP. You can select from 56 Kbps to 1 Gbps, or you can select Custom
and enter the speed in Kbps in the field below the drop-down list.
5. Click Apply to save your changes.
Depending on the changes that you made, when you click Apply,
the UTM restarts, or services such as HTTP and SMTP might
restart.
If you want to configure the advanced settings for an additional W AN interface, select another
WAN interface and repeat these steps.
Additional WAN-Related Configuration Tasks
• If you want the ability to manage the UTM remotely, enable remote management (see
Configure Remote Management Access on page 399). If you enable remote
management, NETGEAR strongly recommend that you change your password (see
Change Passwords and Administrator and Guest Settings on page 397).
• You can set up the traffic meter for each WAN, if you wish. See Enable the WAN Traffic
Meter on page 419.
Manually Configuring Internet and W AN Settings
92
4. LAN Configuration
This chapter describes how to configure the advanced LAN features of your UTM. This chapter
contains the following sections:
• Manage Virtual LANs and DHCP Options
• Configure Multihome LAN IPs on the Default VLAN
• Manage Groups and Hosts (LAN Groups)
• Configure and Enable the DMZ Port
• Manage Routing
Note: The initial LAN configuration of the UTM’s default VLAN 1 is
described in Chapter 2, Using the Setup Wizard to Provision the
UTM in Your Network.
4
Note: The Wireless Settings configuration menu is shown on the UTM9S
only, accessible under the Network Config main navigation menu.
Note: On the UTM9S, the Email Notification configuration menu is
accessible under the Monitoring main navigation menu instead of
the Network Config main navigation menu.
Manage Virtual LANs and DHCP Options
A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges,
or switches in the same physical segment or segments connect all end node devices.
Endpoints can communicate with each other without the need for a router. Routers connect
LANs together, routing the traffic to the appropriate port.
93
ProSecure Unified Threat Management (UTM) Appliance
A virtual LAN (VLAN) is a local area network with a definition that maps workstations on some
basis other than geographic location (for example, by department, type of user, or primary
application). To enable traffic to flow between VLANs, traffic needs to go through a router , just
as if the VLANs were on two separate LANs.
A VLAN is a group of PCs, servers, and other network resources that behave as if they were
connected to a single network segment—even though they might not be. For example, all
marketing personnel might be spread throughout a building. Yet if they are all assigned to a
single VLAN, they can share resources and bandwidth as if they were connected to the same
segment. The resources of other departments can be invisible to the marketing VLAN
members, accessible to all, or accessible only to specified individuals, depending on how the
IT manager has set up the VLANs.
VLANs have a number of advantages:
• It is easy to set up network segmentation. Users who communicate most frequently with
each other can be grouped into common VLANs, regardless of physical location. Each
group’s traffic is contained largely within the VLAN, reducing extraneous traffic and
improving the efficiency of the whole network.
• They are easy to manage. The addition of nodes, as well as moves and other changes,
can be dealt with quickly and conveniently from a management interface rather than from
the wiring closet.
• They provide increased performance. VLANs free up bandwidth by limiting node-to-no de
and broadcast traffic throughout the network.
• They ensure enhanced network security. VLANs create virtual boundaries that can be
crossed only through a router . So st andard, router-based security me asures can be used
to restrict access to each VLAN.
Port-Based VLANs
The UTM supports port-based VLANs. Port-based VLANs help to confine broadcast traf fic to
the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port
can have only one VLAN ID as its port VLAN identifier (PVID). By default, all four LAN ports
of the UTM are assigned to the default VLAN, or VLAN 1. Therefore, by default, all four LAN
ports have the default PVID 1. However, you can assign another PVID to a LAN port by
selecting a VLAN profile from the drop-down list on the LAN Setup screen.
After you have created a VLAN profile and assigned one or more ports to the profile, you
need to enable the profile to activate it.
The UTM’s default VLAN cannot be delete d. All untagged traffic is routed through the default
VLAN (VLAN1), which you need to assign to at least one LAN port.
Note the following about VLANs and PVIDs:
• One physical port is assigned to at least one VLAN.
• One physical port can be assigned to multiple VLANs.
• When one port is assigned to multiple VLANs, the port is used as a trunk port to connect
to another switch or router.
LAN Configuration
94
ProSecure Unified Threat Management (UTM) Appliance
• When a port receives an untagged packet, this packet is forwarded to a VLAN based on
the PVID.
• When a port receives a tagged packet, this packet is forwarded to a VLAN based on the
ID that is extracted from the tagged packet.
When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the
LAN ports that are members of the VLAN can send and receive both tagged and untagged
packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1;
packets that leave these LAN ports with the same default PVID 1 are untagged. All other
packets are tagged according to the VLAN ID that you assigned to the VLAN when you
created the VLAN profile.
This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one
of which is connected to the UTM, the other one to another device:
Packets coming from the IP phone to the UTM LAN port are t agged. Packets passing through
the IP phone from the connected device to the UTM LAN port are untagged. When you
assign the UTM LAN port to a VLAN, packets entering and leaving the port are tagged with
the VLAN ID. However, untagged packets entering the UTM LAN port are forwarded to the
default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are
untagged.
Note: The configuration of the DHCP options for the default VLAN are
explained in Chapter 2, Using the Setup Wizard to Provision the
UTM in Your Network. For information about how to add and edit a
VLAN profile, including its DHCP options, see Configure a VLAN
Profile on page 98.
Assign and Manage VLAN Profiles
To assign VLAN profiles to the LAN ports and manage VLAN profiles:
1. Select Network Config > LAN Settings. The LAN submenu tabs display, with the LAN
Setup screen in view. The following figure shows the LAN Setup screen for the UTM50
with six LAN ports, and the default VLAN profile and another VLAN profile as examples.
Note that the screens for all other UTM models (not shown in this manual) have four
LAN ports in the Default VLAN section.
LAN Configuration
95
Figure 52.
ProSecure Unified Threat Management (UTM) Appliance
For each VLAN profile, the following fields display in the VLAN Profiles table:
• Check box. Allows you to select the VLAN profile in the table.
• Status icon. Indicates the status of the VLAN profile:
- Green circle. The VLAN profile is enabled.
- Gray circle. The VLAN profile is disabled.
• Profile Name. The unique name assigned to the VLAN profile.
• VLAN ID. The unique ID (or tag) assigned to the VLAN profile.
• Subnet IP. The subnet IP address for the VLAN profile.
• DHCP Status. The DHCP server status for the VLAN profile, which can be either
DHCP Enabled or DHCP Disabled.
• Action. The Edit table button, which provides access to the Edit VLAN Profile scr een.
2. Assign a VLAN profile to a LAN port (For the UTM5, UTM10, UTM25, and UTM150: Port 1,
Port 2, Port 3, or Port 4/DMZ; for the UTM50: Port 1, Port 2, Port 3, Port 4, Port 5, or Port
6/DMZ) by selecting a VLAN profile from the drop-down list. Both enabled and disabled
VLAN profiles are displayed in the drop-down lists.
3. Click Apply to save your settings.
VLAN DHCP Options
For each VLAN, you need to specify the Dynamic Host Configuration Protocol (DHCP)
options (see Configure a VLAN Profile on page 98). The configuration of the DHCP options
for the UTM’s default VLAN, or VLAN 1, is explained in Chapter 3, Manually Configuring
Internet and WAN Settings. This section provides further information about the DHCP
options.
LAN Configuration
96
ProSecure Unified Threat Management (UTM) Appliance
DHCP Server
The default VLAN (VLAN 1) has the DHCP server option enabled by default, allowing the
UTM to assign IP, DNS server, WINS server, and default gateway addresses to all computers
connected to the UTM’s LAN. The assigned default gateway address is the LAN address of
the UTM. IP addresses are assigned to the attached computers from a pool of addresses that
you need to specify. Each pool address is tested before it is assigned to avoid duplicate
addresses on the LAN. When you create a new VLAN, the DHCP server option is disabled by
default.
For most applications, the default DHCP server and TCP/IP settings of the UTM are
satisfactory.
The UTM delivers the following settings to any LAN device that requests DHCP:
• An IP address from the range that you have defined
• Subnet mask
• Gateway IP address (the UTM’s LAN IP address)
• Primary DNS server (the UTM’s LAN IP address)
• WINS server (if you entered a WINS server address in the DHCP Setup screen)
• Lease time (the date obtained and the duration of the lease).
DHCP Relay
DHCP relay options allow you to make the UTM a DHCP relay agent for a VLAN. The DHCP
relay agent makes it possible for DHCP broadcast messages to be sent over routers that do
not support forwarding of these types of messages. The DHCP relay agent is therefore the
routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a
remote subnet. If you do not configure a DHCP relay agent for a VLAN, its clients can obtain
IP addresses only from a DHCP server that is on the same subnet. To enable clients to obtain
IP addresses from a DHCP server on a remote subnet, you need to configure the DHCP
relay agent on the subnet that contains the remote clients, so that the DHCP relay agent can
relay DHCP broadcast messages to your DHCP server.
DNS Proxy
When the DNS proxy option is enabled for a VLAN, the UTM acts as a proxy for all DNS
requests and communicates with the ISP’s DNS servers (as configured on the WAN ISP
Settings screens). All DHCP clients receive the primary and secondary DNS IP addresses
along with the IP address where the DNS proxy is located (that is, the UTM’s LAN IP
address). When the DNS proxy option is disabled for a VLAN, all DHCP clients receive the
DNS IP addresses of the ISP but without the DNS proxy IP address. A DNS proxy is
particularly useful in auto-rollover mode. For example, if the DNS servers for each WAN
connection are different servers, then a link failure might render the DNS servers
inaccessible. However, when the DNS proxy option is enabled, the DHCP clients can make
requests to the UTM, which, in turn, can send those request s to the DNS servers of the active
WAN connection. However, disable the DNS proxy if you are using a multiple WAN
LAN Configuration
97
ProSecure Unified Threat Management (UTM) Appliance
configuration in auto-rollover mode with route diversity (that is, with two different ISPs) and
you cannot ensure that the DNS server is available after a rollover has occurred.
LDAP Server
A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify
directory services that run over TCP/IP. For example, clients can query email addresses,
contact information, and other service information using an LDAP server. For each VLAN,
you can specify an LDAP server and a search base that defines the location in the directory
(that is, the directory tree) from which the LDAP search begins.
Configure a VLAN Profile
For each VLAN on the UTM, you can configure its profile, port membership, LAN TCP/IP
settings, DHCP options, DNS server, and inter-VLAN routing capability.
The preconfigured default VLAN is called defaultVLAN. A UTM9S in which a wireless module
is installed also has a default WLAN with the name defaultWLAN.
To add or edit a VLAN profile:
1. Select Network Config > LAN Settings. The LAN submenu tabs display, with the LAN
Setup screen in view. The following figure shows the LAN Setup screen for the UTM50
with six LAN ports, and the default VLAN profile and another VLAN profile as examples.
Note that the screens for all other UTM models (not shown in this manual) have four
LAN ports in the Default VLAN section.
Note: For information about how to manage VLANs, see Port-Based
VLANs on page 94. The following information describes how to
configure a VLAN profile.
Figure 53.
LAN Configuration
98
ProSecure Unified Threat Management (UTM) Appliance
2. Either select an entry from the VLAN Profiles table and click the corresponding Edit table
button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles
table. The Edit VLAN Profile screen displays. The following figure shows the Edit VLAN
Profile screen for the UTM with four ports in the Port Membership section. Note that the Edit
VLAN Profile screens for the UTM50 (not shown in this manual) has six ports in the Port
Membership section.
Figure 54.
LAN Configuration
99
ProSecure Unified Threat Management (UTM) Appliance
3. Enter the settings as explained in the following table:
Table 21. Edit VLAN Profile screen settings
Setting Description
VLAN Profile
Profile Name Enter a unique name for the VLAN profile.
Note: You can also change the profile name of the default VLAN.
VLAN ID Enter a unique ID number for the VLAN profile. No two VLANs can have the
same VLAN ID number.
Note: You can enter VLAN IDs from 2 to 4093. VLAN ID 1 is reserved for the
default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
Port Membership
UTM5, UTM9S, UTM10,
UTM25, and UTM150:
Port 1, Port 2, Port 3,
and Port 4 / DMZ
Select one, several, or all port check boxes to make the ports members of this
VLAN.
UTM50:
Port 1, Port 2, Port 3,
Port 4, Port 5, and
Port 6 / DMZ
LAN TCP/IP Setup
IP Address Enter the IP address of the UTM (the factor y default address is 192.168.1.1).
Subnet Mask Enter the IP subnet mask. The subnet mask specifies the network number
DHCP
Disable DHCP Server If another device on your network is the DHCP server for the VLAN, or if you will
Note: A port that is defined as a member of a VLAN profile can send and receive
data frames that are tagged with the VLAN ID.
Note: Always make sure that the LAN port IP address and DMZ port IP address
are in different subnets.
Note: If you change the LAN IP address of the VLAN while being connected
through the browser to the VLAN, you are disconnected. You then need to open
a new connection to the new IP address and log in again. For example, if you
change the default IP address 192.168.1.1 to 10.0.0.1, you now need to enter
https://10.0.0.1 in your browser to reconnect to the web management interface.
portion of an IP address. Based on the IP address that you assign, the UTM
automatically calculates the subnet mask. Unless you are implementing
subnetting, use 255.255.255.0 as the subnet mask (computed by the UTM).
manually configure the network settings of all of your computers, select the
Disable DHCP Server radio button to disable the DHCP server. By default, this
radio button is not selected, and the DHCP server is enabled.
LAN Configuration
100
Loading...