Netgear ProSAFE SRX5308, SRX5308 Specification

350 East Plumeria Drive
San Jose, CA 95134
USA
July 29, 2011
202-10536-02
1.0
ProSafe Gigabit Quad WAN
SSL VPN Firewall SRX5308
Reference Manual
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
© 2010–2011 NETGEAR, Inc. All rights reserved
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of NETGEAR, Inc.
Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or
for more information about the topics covered in this manual, visit the Support website at
http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): Check the list of phone numbers at
http://support.netgear.com/app/answers/detail/a_id/984.
Trademarks
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of
NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change
without notice. Other brand and product names are registered trademarks or trademarks of their respective
holders. © 2011 NETGEAR, Inc. All rights reserved.
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes
to the products described in this document without notice. NETGEAR does not assume any liability that may occur
due to the use, or application of, the product(s) or circuit layout(s) described herein.
Revision History
Publication Part Number: 202-10536-02 | Version: 1.0 | Publish Date: July 2011
Comments: Added new features that are documented in the following sections:
• Configure WAN QoS Profiles
• Inbound Rules (Port Forwarding) and LAN WAN Inbound Services Rules
• Attack Checks
• Set Session Limits
• Create IP Groups
• Use the NETGEAR VPN Client Wizard to Create a Secure Connection
• Manually Create a Secure Connection Using the NETGEAR VPN Client
• Configure the NETGEAR VPN Client for Mode Config Operation
• Configure Date and Time Service
• Enable the LAN Traffic Meter
Publication Part Number: 202-10536-01 | Version: 1.0 | Publish Date: April 2010
Comments: Initial publication of this reference manual.
Contents
Chapter 1 Introduction
  What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? ... 9
  Key Features and Capabilities ... 10
    Quad-WAN Ports for Increased Reliability and Outbound Load Balancing ... 10
    Advanced VPN Support for Both IPSec and SSL ... 11
    A Powerful, True Firewall with Content Filtering ... 11
    Security Features ... 12
    Autosensing Ethernet Connections with Auto Uplink ... 12
    Extensive Protocol Support ... 12
    Easy Installation and Management ... 13
    Maintenance and Support ... 13
  Package Contents ... 14
  Hardware Features ... 14
    Front Panel ... 14
    Rear Panel ... 16
    Bottom Panel with Product Label ... 17
  Choose a Location for the VPN Firewall ... 17
    Using the Rack-Mounting Kit ... 18
Chapter 2 Connecting the VPN Firewall to the Internet
  Internet and WAN Configuration Tasks ... 19
    Qualified Web Browsers ... 20
  Log In to the VPN Firewall ... 20
    Web Management Interface Menu Layout ... 23
  Configure the Internet Connections ... 24
    Automatically Detecting and Connecting ... 25
    Set the VPN Firewall’s MAC Address ... 28
    Manually Configure the Internet Connection ... 28
  Configure the WAN Mode ... 32
    Configure Network Address Translation ... 33
    Configure Classical Routing ... 33
    Configure the Auto-Rollover Mode and Failure Detection Method ... 34
    Configure Load Balancing and Optional Protocol Binding ... 36
  Configure Secondary WAN Addresses ... 41
  Configure Dynamic DNS ... 42
  Configure WAN QoS Profiles ... 46
  Configure Advanced WAN Options ... 51
    Additional WAN-Related Configuration Tasks ... 54
  What to Do Next ... 54
Chapter 3 LAN Configuration
  Manage Virtual LANs and DHCP Options ... 55
    Port-Based VLANs ... 56
    Assign and Manage VLAN Profiles ... 57
    VLAN DHCP Options ... 58
    Configure a VLAN Profile ... 59
    Configure VLAN MAC Addresses and LAN Advanced Settings ... 64
  Configure Multi-Home LAN IP Addresses on the Default VLAN ... 65
  Manage Groups and Hosts (LAN Groups) ... 67
    Manage the Network Database ... 68
    Change Group Names in the Network Database ... 71
    Set Up Address Reservation ... 72
  Configure and Enable the DMZ Port ... 72
  Manage Routing ... 75
    Configure Static Routes ... 76
    Configure Routing Information Protocol ... 78
    Static Route Example ... 80
Chapter 4 Firewall Protection
  About Firewall Protection ... 81
    Administrator Tips ... 82
  Use Rules to Block or Allow Specific Kinds of Traffic ... 82
    Services-Based Rules ... 83
    Order of Precedence for Rules ... 90
    Set LAN WAN Rules ... 91
    Set DMZ WAN Rules ... 95
    Set LAN DMZ Rules ... 98
    Inbound Rules Examples ... 101
    Outbound Rules Example ... 105
  Configure Other Firewall Features ... 106
    Attack Checks ... 106
    Set Session Limits ... 109
    Manage the Application Level Gateway for SIP Sessions ... 111
  Create Services, QoS Profiles, and Bandwidth Profiles ... 111
    Add Customized Services ... 112
    Create IP Groups ... 114
    Create Quality of Service (QoS) Profiles ... 116
    Create Bandwidth Profiles ... 118
  Set a Schedule to Block or Allow Specific Traffic ... 121
  Content Filtering ... 123
    Content Filtering ... 123
    Enable and Configure Content Filtering ... 124
  Enable Source MAC Filtering ... 126
  Set Up IP/MAC Bindings ... 128
  Configure Port Triggering ... 130
  Configure Universal Plug and Play ... 132
Chapter 5 Virtual Private Networking Using IPSec Connections
  Considerations for Multi-WAN Port Systems ... 134
  Use the IPSec VPN Wizard for Client and Gateway Configurations ... 136
    Create Gateway-to-Gateway VPN Tunnels with the Wizard ... 136
    Create a Client to Gateway VPN Tunnel ... 140
  Test the Connection and View Connection and Status Information ... 155
    Test the NETGEAR VPN Client Connection ... 155
    NETGEAR VPN Client Status and Log Information ... 156
    View the VPN Firewall IPSec VPN Connection Status ... 157
    View the VPN Firewall IPSec VPN Logs ... 158
  Manage IPSec VPN Policies ... 159
    Configure IKE Policies ... 159
    Configure VPN Policies ... 165
  Configure Extended Authentication (XAUTH) ... 172
    Configure XAUTH for VPN Clients ... 173
    User Database Configuration ... 174
    RADIUS Client Configuration ... 174
  Assign IP Addresses to Remote Users (Mode Config) ... 176
    Mode Config Operation ... 176
    Configure Mode Config Operation on the VPN Firewall ... 177
    Configure the NETGEAR VPN Client for Mode Config Operation ... 183
    Test the Mode Config Connection ... 190
    Modify or Delete a Mode Config Record ... 191
  Configure Keep-alives and Dead Peer Detection ... 191
    Configure Keep-alives ... 192
    Configure Dead Peer Detection ... 193
  Configure NetBIOS Bridging with IPSec VPN ... 194
Chapter 6 Virtual Private Networking Using SSL Connections
  SSL VPN Portal Options ... 196
  Overview of the SSL Configuration Process ... 197
  Create the Portal Layout ... 198
  Configure Domains, Groups, and Users ... 202
  Configure Applications for Port Forwarding ... 202
    Add Servers and Port Numbers ... 202
    Add a New Host Name ... 204
  Configure the SSL VPN Client ... 205
    Configure the Client IP Address Range ... 205
    Add Routes for VPN Tunnel Clients ... 207
  Use Network Resource Objects to Simplify Policies ... 208
    Add New Network Resources ... 208
    Edit Network Resources to Specify Addresses ... 209
  Configure User, Group, and Global Policies ... 210
    View Policies ... 211
    Add a Policy ... 212
  Access the SSL Portal Login Screen ... 216
  View the SSL VPN Connection Status and SSL VPN Logs ... 218
Chapter 7 Managing Users, Authentication, and Certificates
  Configure VPN Authentication Domains, Groups, and Users ... 219
    Configure Domains ... 219
    Configure Groups for VPN Policies ... 224
    Configure User Accounts ... 227
    Set User Login Policies ... 229
    Change Passwords and Other User Settings ... 233
  Manage Digital Certificates ... 234
    Certificates Screen ... 235
    Manage CA Certificates ... 236
    Manage Self-Signed Certificates ... 237
    Manage the Certificate Revocation List ... 241
Chapter 8 Network and System Management
  Performance Management ... 242
    Bandwidth Capacity ... 242
    Features That Reduce Traffic ... 243
    Features That Increase Traffic ... 245
    Use QoS and Bandwidth Assignment to Shift the Traffic Mix ... 247
    Monitoring Tools for Traffic Management ... 248
  System Management ... 248
    Change Passwords and Administrator Settings ... 248
    Configure Remote Management Access ... 250
    Using the Command-Line Interface ... 253
    Use a Simple Network Management Protocol Manager ... 254
    Manage the Configuration File ... 256
    Configure Date and Time Service ... 260
Chapter 9 Monitoring System Access and Performance
  Enable the WAN Traffic Meter ... 263
  Enable the LAN Traffic Meter ... 266
  Activate Notification of Events, Alerts, and Syslogs ... 269
  View Status and Log Screens ... 274
    View the System (Router) Status and Statistics ... 275
    View the VLAN Status ... 280
    View and Disconnect Active Users ... 281
    View the VPN Tunnel Connection Status ... 282
    View the VPN Logs ... 283
    View the Port Triggering Status ... 285
    View the WAN Port Connection Status ... 285
    View the Attached Devices and DHCP Log ... 287
  Use the Diagnostics Utilities ... 289
    Send a Ping Packet or Trace a Route ... 289
    Look Up a DNS Address ... 290
    Display the Routing Table ... 290
    Reboot the VPN Firewall ... 291
    Capture Packets ... 291
Chapter 10 Troubleshooting and Using Online Support
  Basic Functioning ... 294
    Power LED Not On ... 294
    Test LED Never Turns Off ... 294
    LAN or WAN Port LEDs Not On ... 295
  Troubleshoot the Web Management Interface ... 295
  When You Enter a URL or IP Address a Time-Out Error Occurs ... 296
  Troubleshoot the ISP Connection ... 296
  Troubleshoot a TCP/IP Network Using the Ping Utility ... 298
    Test the LAN Path to Your VPN Firewall ... 298
    Test the Path from Your PC to a Remote Device ... 299
  Restore the Default Configuration and Password ... 299
  Problems with Date and Time ... 300
  Access the Knowledge Base and Documentation ... 301
Appendix A Default Settings and Technical Specifications
Appendix B Network Planning for Multiple WAN Ports
  What to Consider Before You Begin ... 306
    Cabling and Computer Hardware Requirements ... 307
    Computer Network Configuration Requirements ... 308
    Internet Configuration Requirements ... 308
  Overview of the Planning Process ... 310
  Inbound Traffic ... 311
    Inbound Traffic to a Single WAN Port System ... 312
    Inbound Traffic to a Dual WAN Port System ... 312
  Virtual Private Networks ... 313
    VPN Road Warrior (Client-to-Gateway) ... 314
    VPN Gateway-to-Gateway ... 316
    VPN Telecommuter (Client-to-Gateway through a NAT Router) ... 319
Appendix C System Logs and Error Messages
  System Log Messages ... 323
    NTP ... 323
    Login/Logout ... 324
    System Startup ... 324
    Reboot ... 324
    Firewall Restart ... 325
    IPSec Restart ... 325
    Unicast, Multicast, and Broadcast Logs ... 325
    WAN Status ... 326
    Resolved DNS Names ... 330
    VPN Log Messages ... 330
    Traffic Meter Logs ... 336
  Routing Logs ... 336
    LAN to WAN Logs ... 336
    LAN to DMZ Logs ... 337
    DMZ to WAN Logs ... 337
    WAN to LAN Logs ... 337
    DMZ to LAN Logs ... 337
    WAN to DMZ Logs ... 338
  Other Event Logs ... 338
    Session Limit Logs ... 338
    Source MAC Filter Logs ... 338
    Bandwidth Limit Logs ... 339
  DHCP Logs ... 339
Appendix D Two-Factor Authentication
  Why Do I Need Two-Factor Authentication? ... 341
    What Are the Benefits of Two-Factor Authentication? ... 341
    What Is Two-Factor Authentication? ... 342
  NETGEAR Two-Factor Authentication Solutions ... 342
Appendix E Notification of Compliance
Index
1. Introduction
This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad
WAN SSL VPN Firewall SRX5308. This chapter contains the following sections:
• What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
• Key Features and Capabilities
• Package Contents
• Hardware Features
• Choose a Location for the VPN Firewall
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the
VPN firewall, connects your local area network (LAN) to the Internet through up to four
external broadband access devices such as cable modems or DSL modems. Four wide area
network (WAN) ports allow you to increase effective data rate to the Internet by utilizing all
WAN ports to carry session traffic or to maintain backup connections in case of failure of your
primary Internet connection.
The VPN firewall is a complete security solution that protects your network from attacks and
intrusions. For example, the VPN firewall provides support for stateful packet inspection
(SPI), denial of service (DoS) attack protection, and multi-NAT support. The VPN firewall
supports multiple web content filtering options, plus browsing activity reporting and instant
alerts—both via email. Network administrators can establish restricted access policies based
on time of day, website addresses, and address keywords.
The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and
simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures
extremely high data transfer speeds.
The VPN firewall is a plug-and-play device that can be installed and configured within
minutes.
Key Features and Capabilities
The VPN firewall provides the following key features and capabilities:
• Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover
protection of your Internet connection, providing increased data rate and increased
system reliability.
• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data
transfer between local network resources and support for up to 200,000 internal or
external connections.
• Advanced IPSec VPN and SSL VPN support with support for up to 125 concurrent IPSec
VPN tunnels and up to 50 concurrent SSL VPN tunnels.
• Bundled with a single-user license of the NETGEAR ProSafe VPN Client software
(VPN01L).
• Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
• Quality of service (QoS) and SIP 2.0 support for traffic prioritization, voice, and
multimedia.
• Extensive protocol support.
• Easy, web-based wizard setup for installation and management.
• One console port for local management.
• SNMP-manageable, optimized for the NETGEAR ProSafe Network Management
Software (NMS100).
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.
• 1U rack-mountable, using the rack-mounting kit.
Quad-WAN Ports for Increased Reliability and Outbound Load Balancing
The VPN firewall provides four broadband WAN ports. These WAN ports allow you to
connect additional broadband Internet lines that can be configured to:
• Load-balance between up to four lines for maximum bandwidth efficiency.
• Provide backup and rollover if one line is inoperable, ensuring that you are never
disconnected.
See Network Planning for Multiple WAN Ports on page 306 for the planning factors to
consider when implementing the following capabilities with multiple WAN port gateways:
• Single or multiple exposed hosts.
• Virtual private networks (VPNs).
Advanced VPN Support for Both IPSec and SSL
The VPN firewall supports IPSec and SSL VPN connections.
• IPSec VPN delivers full network access between a central office and branch offices, or
between a central office and telecommuters. Remote access by telecommuters requires
the installation of VPN client software on the remote computer.
- IPSec VPN with broad protocol support for secure connection to other IPSec
gateways and clients.
- Bundled with a single-user license of the NETGEAR ProSafe VPN Client software
(VPN01L).
- Supports 125 concurrent IPSec VPN tunnels.
• SSL VPN provides remote access for mobile users to selected corporate resources
without requiring a pre-installed VPN client on their computers.
- Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for
e-commerce transactions, to provide client-free access with customizable user
portals and support for a wide variety of user repositories.
- Browser-based, platform-independent, remote access through a number of popular
browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
- Provides granular access to corporate resources based on user type or group
membership.
- Supports 50 concurrent SSL VPN sessions.
A Powerful, True Firewall with Content Filtering
Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection
(SPI) to defend against hacker attacks. Its firewall features have the following capabilities:
• DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such
as Ping of Death and SYN flood.
• Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
• Content filtering. Prevents objectionable content from reaching your PCs. You can
control access to Internet content by screening for web services, web addresses, and
keywords within web addresses. You can configure the VPN firewall to log and report
attempts to access objectionable Internet sites.
• Schedule policies. Permits scheduling of firewall policies by day and time.
• Logs security incidents. Logs security events such as blocked incoming traffic, port
scans, attacks, and administrator logins. You can configure the VPN firewall to email the
log to you at specified intervals. You can also configure the VPN firewall to send
immediate alert messages to your email address or email pager when a significant event
occurs.
Security Features
The VPN firewall is equipped with several features designed to maintain security:
• PCs hidden by NAT. NAT opens a temporary path to the Internet for requests originating
from the local network. Requests originating from outside the LAN are discarded,
preventing users outside the LAN from finding and directly accessing the computers on
the LAN.
• Port forwarding with NAT. Although NAT prevents Internet locations from directly
accessing the PCs on the LAN, the VPN firewall allows you to direct incoming traffic to
specific PCs based on the service port number of the incoming request. You can specify
forwarding of single ports or ranges of ports.
• DMZ port. Incoming traffic from the Internet is normally discarded by the VPN firewall
unless the traffic is a response to one of your local computers or a service for which you
have configured an inbound rule. Instead of discarding this traffic, you can use the
dedicated demilitarized zone (DMZ) port to forward the traffic to one PC on your network.
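The three bullets above describe one decision procedure: traffic that leaves the LAN opens a temporary NAT path, and traffic arriving from the Internet is admitted only if it answers such a path, matches an inbound (port-forwarding) rule, or a DMZ host has been configured. The following Python model is an added example, not NETGEAR firmware or any code from this manual; the class and function names, the addresses, the port numbers and the sample packets are all constructed for illustration, and the model generalizes slightly beyond the text by checking that a reply comes from the same remote endpoint the LAN host contacted, which is what makes the inspection stateful rather than port-based.

```python
# Added example (not NETGEAR code): a toy model of the stateful-inspection
# decisions described in the "Security Features" list. All names, addresses
# and sample flows below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "tcp" or "udp"
    iface: str   # "lan" = leaving the LAN, "wan" = arriving from the Internet


class StatefulNatFirewall:
    """Outbound LAN traffic opens a NAT session. Inbound WAN traffic is admitted
    only if it answers such a session, matches an inbound (port-forwarding)
    rule, or a DMZ host is configured. Everything else is dropped and logged."""

    def __init__(self, wan_ip: str,
                 port_forwards: Optional[Dict[Tuple[str, int], Tuple[str, int]]] = None,
                 dmz_host: Optional[str] = None) -> None:
        self.wan_ip = wan_ip
        self.port_forwards = port_forwards or {}   # (proto, wan_port) -> (lan_ip, lan_port)
        self.dmz_host = dmz_host
        # (proto, external_port) -> (lan_ip, lan_port, remote_ip, remote_port)
        self.sessions: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}
        self.next_port = 40000                     # first external port handed out by NAT
        self.log: List[str] = []                   # "blocked incoming traffic" events

    def process(self, pkt: Packet) -> str:
        return self._outbound(pkt) if pkt.iface == "lan" else self._inbound(pkt)

    def _outbound(self, pkt: Packet) -> str:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, ext_port), known in self.sessions.items():
            if proto == pkt.proto and known == flow:   # existing session: reuse its path
                return f"forward via {self.wan_ip}:{ext_port}"
        ext_port = self.next_port                      # new session: open a temporary path
        self.next_port += 1
        self.sessions[(pkt.proto, ext_port)] = flow
        return f"forward via {self.wan_ip}:{ext_port}"

    def _inbound(self, pkt: Packet) -> str:
        if pkt.dst_ip == self.wan_ip:
            sess = self.sessions.get((pkt.proto, pkt.dst_port))
            # A reply is accepted only from the peer the LAN host actually contacted.
            if sess and (sess[2], sess[3]) == (pkt.src_ip, pkt.src_port):
                return f"forward to {sess[0]}:{sess[1]}"
            rule = self.port_forwards.get((pkt.proto, pkt.dst_port))
            if rule:                                   # inbound rule: port forwarding with NAT
                return f"forward to {rule[0]}:{rule[1]}"
            if self.dmz_host:                          # DMZ host receives what nothing else claimed
                return f"forward to {self.dmz_host}:{pkt.dst_port}"
        self.log.append(f"DROP {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> "
                        f"{pkt.dst_ip}:{pkt.dst_port} (unsolicited)")
        return "drop"


def demo() -> Tuple[List[str], List[str]]:
    """Walk the cases from the text with constructed addresses; returns (decisions, drop log)."""
    fw = StatefulNatFirewall(wan_ip="203.0.113.10",
                             port_forwards={("tcp", 443): ("192.168.1.20", 443)})
    cases = [
        # 1. LAN host starts an HTTPS session: NAT opens a temporary path.
        Packet("192.168.1.5", 51000, "198.51.100.7", 443, "tcp", "lan"),
        # 2. The server's reply uses that path back to the LAN host.
        Packet("198.51.100.7", 443, "203.0.113.10", 40000, "tcp", "wan"),
        # 3. Another Internet host hitting the same mapped port has no session: dropped.
        Packet("198.51.100.99", 443, "203.0.113.10", 40000, "tcp", "wan"),
        # 4. Unsolicited traffic to a forwarded service port is admitted by the inbound rule.
        Packet("198.51.100.99", 6000, "203.0.113.10", 443, "tcp", "wan"),
        # 5. Unsolicited traffic to any other port is dropped and logged.
        Packet("198.51.100.99", 6000, "203.0.113.10", 22, "tcp", "wan"),
    ]
    return [fw.process(p) for p in cases], fw.log


if __name__ == "__main__":
    decisions, log = demo()
    print("\n".join(decisions))
    print("\n".join(log))
```

Two design points carry over to a real deployment. The session table is keyed by the remote endpoint as well as the external port, so a third party cannot ride an open mapping just by guessing the port; and the DMZ host is consulted last, after sessions and inbound rules, because it receives everything the other two do not claim, which is why the manual treats the DMZ port as the exposed, untrusted segment.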
Autosensing Ethernet Connections with Auto Uplink
With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the
VPN firewall can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast
Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The four LAN and four WAN
interfaces are autosensing and capable of full-duplex or half-duplex operation.
The VPN firewall incorporates Auto Uplink™ technology. Each Ethernet port automatically
senses whether the Ethernet cable plugged into the port should have a normal connection
such as to a PC or an uplink connection such as to a switch or hub. That port then configures
itself correctly. This feature eliminates the need for you to think about crossover cables, as
Auto Uplink accommodates either type of cable to make the right connection.
Extensive Protocol Support
The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and
Routing Information Protocol (RIP). For further information about TCP/IP, see Internet
Configuration Requirements on page 308. The VPN firewall provides the following protocol
support:
• IP address sharing by NAT. The VPN firewall allows many networked PCs to share an
Internet account using only a single IP address, which might be statically or dynamically
assigned by your Internet Service Provider (ISP). This technique, known as NAT, allows
the use of an inexpensive single-user ISP account.
• Automatic configuration of attached PCs by DHCP. The VPN firewall dynamically
assigns network configuration information, including IP, gateway, and Domain Name
Server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host
Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on
your local network.
• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN
firewall provides its own address as a DNS server to the attached PCs. The VPN firewall
obtains actual DNS addresses from the ISP during connection setup and forwards DNS
requests from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the
Internet over a DSL connection by simulating a dial-up connection. This feature
eliminates the need to run a login program.
• Quality of Service (QoS). The VPN firewall supports QoS, including traffic prioritization
and traffic classification with Type of Service (ToS) and Differentiated Services Code
Point (DSCP) marking.
Easy Installation and Management
You can install, configure, and operate the VPN firewall within minutes after connecting it to
the network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily
configure the VPN firewall from almost any type of operating system, such as Windows,
Macintosh, or Linux. Online help documentation is built into the browser-based web
management interface.
• Auto detection of ISP. The VPN firewall automatically senses the type of Internet
connection, asking you only for the information required for your type of ISP account.
• IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you
can easily configure IPSec VPN tunnels according to the recommendations of the Virtual
Private Network Consortium (VPNC) to ensure that the IPSec VPN tunnels are
interoperable with other VPNC-compliant VPN routers and clients.
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to
let you monitor and manage log resources from an SNMP-compliant system manager.
The SNMP system configuration lets you change the system variables for MIB2.
• Diagnostic functions. The VPN firewall incorporates built-in diagnostic functions such
as ping, traceroute, DNS lookup, and remote reboot.
• Remote management. The VPN firewall allows you to log in to the web management
interface from a remote location on the Internet. For security, you can limit remote
management access to a specified remote IP address or range of addresses.
• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor
its status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall:
• Flash memory for firmware upgrades.
• Technical support seven days a week, 24 hours a day, according to the terms that are
identified in the Warranty and Support information card provided with your product.
Package Contents
The VPN firewall product package contains the following items:
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 appliance
• One AC power cable
• Rubber feet (4)
• One Category 5 (Cat5) Ethernet cable
• One rack-mounting kit
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide
• Resource CD, including:
- Application Notes and other helpful information
- ProSafe VPN Client software (VPN01L)
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep
the carton, including the original packing materials, in case you need to return the product for
repair.
Hardware Features
The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are
described in the following sections.
Front Panel
Viewed from left to right, the VPN firewall front panel contains the following ports (see the
following figure).
• LAN Ethernet ports: four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors
• WAN Ethernet ports: four independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors
The front panel also contains three groups of status indicator light-emitting diodes (LEDs),
including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in the
following table.
Figure 1.
Table 1. LED descriptions

Power LED
  On (green): Power is supplied to the VPN firewall.
  Off: Power is not supplied to the VPN firewall.

Test LED
  On (amber) during startup: Test mode: the VPN firewall is initializing. After
  approximately 2 minutes, when the VPN firewall has completed its initialization, the
  Test LED goes off.
  On (amber) during any other time: The initialization has failed or a hardware failure
  has occurred.
  Blinking (amber): The VPN firewall is writing to flash memory (during upgrading or
  resetting to defaults).
  Off: The system has booted successfully.

LAN ports, left LED
  On (green): The LAN port has detected a link with a connected Ethernet device.
  Blinking (green): Data is being transmitted or received by the LAN port.
  Off: The LAN port has no link.

LAN ports, right LED
  On (green): The LAN port is operating at 1000 Mbps.
  On (amber): The LAN port is operating at 100 Mbps.
  Off: The LAN port is operating at 10 Mbps.

DMZ LED
  On (green): Port 4 is operating as a dedicated hardware DMZ port.
  Off: Port 4 is operating as a normal LAN port.
Rear Panel
The rear panel of the VPN firewall includes a console port, a reset button, a cable lock
receptacle, an AC power connection, and a power switch.
Figure 2.
Viewed from left to right, the rear panel contains the following components:
1. Cable security lock receptacle.
2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male
connector. The default baud rate is 9600 K. The pinouts are: (2) Tx, (3) Rx, (5) and (7) Gnd.
For information about accessing the command-line interface (CLI) using the console port,
see Using the Command-Line Interface on page 253.
3. Factory default reset button. Using a sharp object, press and hold this button for about eight
seconds until the front panel Test light flashes to reset the VPN firewall to factory default
settings. All configuration settings are lost, and the default password is restored.
4. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).
5. A power on/off switch.
Table 1. LED descriptions (continued)

WAN ports, left LED
  On (green): The WAN port has a valid connection with a device that provides an
  Internet connection.
  Blinking (green): Data is being transmitted or received by the WAN port.
  Off: The WAN port has no physical link, that is, no Ethernet cable is plugged into the
  VPN firewall.

WAN ports, right LED
  On (green): The WAN port is operating at 1000 Mbps.
  On (amber): The WAN port is operating at 100 Mbps.
  Off: The WAN port is operating at 10 Mbps.

Internet LED
  On (green): The WAN port has a valid Internet connection.
  Off: The WAN port is either not enabled or has no link to the Internet.
Bottom Panel with Product Label
The product label on the bottom of the VPN firewall’s enclosure displays factory default
settings, regulatory compliance, and other information.
Figure 3.
Choose a Location for the VPN Firewall
The VPN firewall is suitable for use in an office environment where it can be free-standing (on
its rubber feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can
rack-mount the VPN firewall in a wiring closet or equipment room. A rack-mounting kit,
containing two mounting brackets and four screws, is provided in the package.
Consider the following when deciding where to position the VPN firewall:
• The unit is accessible and cables can be connected easily.
• Cabling is away from sources of electrical noise. These include lift shafts, microwave
ovens, and air-conditioning units.
• Water or moisture cannot enter the case of the unit.
• Airflow around the unit and through the vents in the side of the case is not restricted.
Provide a minimum of 25 mm or 1 inch clearance.
• The air is as free of dust as possible.
• Temperature operating limits are not likely to be exceeded. Install the unit in a clean,
air-conditioned environment. For information about the recommended operating
temperatures for the VPN firewall, see Appendix A, Default Settings and Technical
Specifications.
Using the Rack-Mounting Kit
Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the
mounting brackets using the hardware that is supplied with the mounting kit.
Figure 4.
Before mounting the VPN firewall in a rack, verify that:
• You have the correct screws (supplied with the installation kit).
• The rack onto which you will mount the VPN firewall is suitably located.
2. Connecting the VPN Firewall to the Internet
This chapter contains the following sections:
• Internet and WAN Configuration Tasks
• Log In to the VPN Firewall
• Configure the Internet Connections
• Configure the WAN Mode
• Configure Secondary WAN Addresses
• Configure Dynamic DNS
• Configure WAN QoS Profiles
• Configure Advanced WAN Options
• What to Do Next
Internet and WAN Configuration Tasks
Typically, the VPN firewall is installed as a network gateway to function as a combined LAN
switch and firewall in order to protect the network from incoming threats and provide secure
connections. To complement the firewall protection, NETGEAR advises that you use a
gateway security appliance such as a NETGEAR ProSecure STM appliance.
Generally, seven steps are required to complete the Internet connection of your VPN
firewall:
1. Connect the VPN firewall physically to your network. Connect the cables and restart
your network according to the instructions in the installation guide. See the ProSafe
Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide for complete steps. A
PDF of the Installation Guide is on the NETGEAR website at
http://support.netgear.com/app/products/model/a_id/13568.
2. Log in to the VPN firewall. After logging in, you are ready to set up and configure your
VPN firewall. See Log In to the VPN Firewall on page 20.
3. Configure the Internet connections to your ISPs. During this phase, you connect to your
ISPs. You can also program the WAN traffic meters at this time if desired. See Configure the
Internet Connections on page 24.
4. Configure the WAN mode. Select either NAT or classical routing. Select load balancing
mode, auto-rollover mode, or primary (single) WAN mode. For load balancing, you can also
select any necessary protocol bindings. See Configure the WAN Mode on page 32.
5. Configure secondary WAN addresses on the WAN ports (optional). Configure aliases
for each WAN port. See Configure Secondary WAN Addresses on page 41.
6. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified
domain names. See Configure Dynamic DNS on page 42.
7. Configure the WAN options (optional). You can enable each WAN port to respond to a
ping, and you can change the factory default MTU size and port speed. However, these are
advanced features and changing them is not usually required. See Configure Advanced
WAN Options on page 51.
Each of these tasks is detailed separately in this chapter.
Note: For information about how to configure the WAN meters, see Enable
the WAN Traffic Meter on page 263.
The configuration of LAN, firewall, scanning, VPN, management, and monitoring features is
described in later chapters.
Qualified Web Browsers
To configure the VPN firewall, you need to use a web browser such as Microsoft Internet
Explorer 6 or later, Mozilla Firefox 3 or later, or Apple Safari 3 or later with JavaScript,
cookies, and SSL enabled.
Although these web browsers are qualified for use with the VPN firewall’s web management
interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies,
SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is required
only for the SSL VPN portal, not for the web management interface.
Log In to the VPN Firewall
To connect to the VPN firewall, your computer needs to be configured to obtain an IP address
automatically from the VPN firewall via DHCP.
To connect and log in to the VPN firewall:
1. Start any of the qualified web browsers, as explained in Qualified Web Browsers on
page 20.
2. Enter https://192.168.1.1 in the address field. The NETGEAR Configuration Manager Login
screen displays in the browser.