Netgear ProSAFE SRX5308 Owner's manual

350 East Plumeria Drive

San Jose, CA 95134

USA

April 2013

202-10536-05

ProSAFE Gigabit Quad WAN SSL

VPN Firewall SRX5308

Reference Manual

2

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Support

Thank you for selecting NETGEAR products.

After installing your device, locate the serial number on the label of your product and use it to register your product

at https://my.netgear.com. You must register your product before you can use NETGEAR telephone support.

NETGEAR recommends registering your product through the NETGEAR website. For product updates and web

support, visit http://support.netgear.com.

Phone (US & Canada only): 1-888-NETGEAR.

Phone (Other Countries): Check the list of phone numbers at

http://support.netgear.com/general/contact/default.aspx.

Trademarks

NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of

NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change

Revision History

Publication

Part Number

Version Publish Date Comments

202-10536-05 – April 2013 Added the following features:

• Auto-rollover support with failure detection for IPv6 WAN

interfaces (see Configure Auto-Rollover for IPv6 Interfaces

and Create an IPv6 Gateway-to-Gateway VPN Tunnel with

the Wizard)

• Multicast pass-through with alternate networks (see Configure

Multicast Pass-Through for IPv4 Traffic)

• SNMP access from the WAN and SNMP trap events (see Use

a Simple Network Management Protocol Manager)

• Option to define what constitutes a UCP flood attack (see

Attack Checks)

• Authentication and encryption for the PPTP server (see

Configure the PPTP Server)

• Authentication for the L2TP server (see Configure the L2TP

Server)

• Option to select a gateway when you ping or send a trace

packet and option to select a VPN policy when you ping or

send a trace packet through a VPN tunnel (see Send a Ping

Packet and Trace a Route)

202-10536-04 1.0 July 2012 A major revision. Added the following features:

• Support for IPv6 with multiple IPv6 features, including a new

general menu structure that provides both IPv4 and IPv6

radio buttons (very extensive revisions throughout the

manual)

• IPSec VPN autoinitiate support (see Manually Add or Edit a

VPN Policy)

• SNMPv3 support (see Use a Simple Network Management

Protocol Manager)

• Option to reboot with a different firmware version (see Select

the Firmware and Reboot the VPN Firewall)

• Extensive list of factory default settings (see Appendix A,

Default Settings and Technical Specifications)

3

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

202-10536-03 1.0 November 2011 Incorporated nontechnical edits only (there are no feature

changes).

202-10536-02 1.0 July 2011 Added new features that are documented in the following

sections:

• Configure WAN QoS Profiles

• Inbound Rules (Port Forwarding) and Create LAN WAN

Inbound Service Rules

• Attack Checks

• Set Limits for IPv4 Sessions

• Create IP Groups

• Use the NETGEAR VPN Client Wizard to Create a Secure

Connection

• Manually Create a Secure Connection Using the NETGEAR

VPN Client

• Configure the ProSafe VPN Client for Mode Config Operation

• Configure Date and Time Service

• Configure and Enable the LAN Traffic Meter

202-10536-01 1.0 April 2010 Initial publication of this reference manual.

4

Contents

Chapter 1 Introduction

What Is the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308? .12

Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Quad-WAN Ports for Increased Reliability and Load Balancing. . . . . . .13

Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . .14

A Powerful, True Firewall with Content Filtering. . . . . . . . . . . . . . . . . . .14

Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Autosensing Ethernet Connections with Auto Uplink . . . . . . . . . . . . . . .15

Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Easy Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Front Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Bottom Panel with Product Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

Choose a Location for the VPN Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . .20

Use the Rack-Mounting Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Log In to the VPN Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Web Management Interface Menu Layout . . . . . . . . . . . . . . . . . . . . . . . . .23

Requirements for Entering IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . .25

IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Chapter 2 IPv4 and IPv6 Internet and WAN Settings

Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .27

Roadmap to Setting Up IPv4 Internet Connections to Your ISPs. . . . . .27

Roadmap to Setting Up IPv6 Internet Connections to Your ISPs. . . . . .28

Configure the IPv4 Internet Connection and WAN Settings. . . . . . . . . . . .29

Configure the IPv4 WAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

Let the VPN Firewall Automatically Detect and

Configure an IPv4 Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . .31

Manually Configure an IPv4 Internet Connection. . . . . . . . . . . . . . . . . .34

Configure Load Balancing or Auto-Rollover for IPv4 Interfaces. . . . . . .40

Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . .47

Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

Configure the IPv6 Internet Connection and WAN Settings. . . . . . . . . . . .52

Configure the IPv6 Routing Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

Use a DHCPv6 Server to Configure an IPv6 Internet Connection . . . . .55

5

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Configure a Static IPv6 Internet Connection. . . . . . . . . . . . . . . . . . . . . .58

Configure a PPPoE IPv6 Internet Connection . . . . . . . . . . . . . . . . . . . .61

Configure 6to4 Automatic Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . .64

Configure ISATAP Automatic Tunneling. . . . . . . . . . . . . . . . . . . . . . . . .65

View the Tunnel Status and IPv6 Addresses . . . . . . . . . . . . . . . . . . . . .67

Configure Stateless IP/ICMP Translation. . . . . . . . . . . . . . . . . . . . . . . .67

Configure Auto-Rollover for IPv6 Interfaces. . . . . . . . . . . . . . . . . . . . . .68

Configure Advanced WAN Options and Other Tasks. . . . . . . . . . . . . . . . .71

Configure WAN QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76

Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . .82

Verify the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

Chapter 3 LAN Configuration

Manage IPv4 Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . .84

Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

Assign and Manage VLAN Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .86

VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87

Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88

Configure VLAN MAC Addresses and LAN Advanced Settings. . . . . . .93

Configure IPv4 Multihome LAN IP Addresses on the Default VLAN . . . . .94

Manage IPv4 Groups and Hosts (IPv4 LAN Groups). . . . . . . . . . . . . . . . .96

Manage the Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

Change Group Names in the Network Database . . . . . . . . . . . . . . . . .100

Set Up DHCP Address Reservation. . . . . . . . . . . . . . . . . . . . . . . . . . .101

Manage the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .102

DHCPv6 Server Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103

Configure the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104

Configure the IPv6 Router Advertisement Daemon and

Advertisement Prefixes for the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . .109

Configure IPv6 Multihome LAN IP Addresses on the Default VLAN . . . .113

Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic. . . . . . . . .114

DMZ Port for IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .115

DMZ Port for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118

Configure the IPv6 Router Advertisement Daemon and

Advertisement Prefixes for the DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . .122

Manage Static IPv4 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

Configure Static IPv4 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

Configure the Routing Information Protocol . . . . . . . . . . . . . . . . . . . . .129

IPv4 Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

Manage Static IPv6 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132

Chapter 4 Firewall Protection

About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .135

Overview of Rules to Block or Allow Specific Kinds of Traffic . . . . . . . . .136

Outbound Rules (Service Blocking) . . . . . . . . . . . . . . . . . . . . . . . . . . .137

6

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Inbound Rules (Port Forwarding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140

Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144

Configure LAN WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .145

Create LAN WAN Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .147

Create LAN WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .149

Configure DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .152

Create DMZ WAN Outbound Service Rules. . . . . . . . . . . . . . . . . . . . .154

Create DMZ WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .156

Configure LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158

Create LAN DMZ Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .160

Create LAN DMZ Inbound Service Rules. . . . . . . . . . . . . . . . . . . . . . .162

Examples of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164

Examples of Inbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . .164

Examples of Outbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . .168

Configure Other Firewall Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Attack Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .170

Set Limits for IPv4 Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .173

Configure Multicast Pass-Through for IPv4 Traffic. . . . . . . . . . . . . . . .174

Manage the Application Level Gateway for SIP Sessions . . . . . . . . . .176

Services, Bandwidth Profiles, and QoS Profiles. . . . . . . . . . . . . . . . . . . .176

Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177

Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179

Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

Create Quality of Service Profiles for IPv4 Firewall Rules . . . . . . . . . .184

Quality of Service Priorities for IPv6 Firewall Rules . . . . . . . . . . . . . . .186

Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186

Set a Schedule to Block or Allow Specific Traffic. . . . . . . . . . . . . . . . . . .189

Enable Source MAC Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .190

Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197

Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

Chapter 5 Virtual Private Networking Using

IPSec and L2TP Connections

Considerations for Dual WAN Port Systems . . . . . . . . . . . . . . . . . . . . . .202

Use the IPSec VPN Wizard for Client and Gateway Configurations . . . .203

Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard. . .204

Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard. . .208

Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard . . . . .212

Test the Connection and View Connection and Status Information. . . . .227

Test the NETGEAR VPN Client Connection . . . . . . . . . . . . . . . . . . . .227

NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . .229

View the VPN Firewall IPSec VPN Connection Status. . . . . . . . . . . . .229

View the VPN Firewall IPSec VPN Log . . . . . . . . . . . . . . . . . . . . . . . .230

Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

Manage IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

Manage VPN Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .238

7

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .245

Configure XAUTH for VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .246

User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247

RADIUS Client and Server Configuration. . . . . . . . . . . . . . . . . . . . . . .247

Assign IPv4 Addresses to Remote Users (Mode Config). . . . . . . . . . . . .250

Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .250

Configure Mode Config Operation on the VPN Firewall. . . . . . . . . . . .250

Configure the ProSafe VPN Client for Mode Config Operation . . . . . .257

Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .264

Modify or Delete a Mode Config Record. . . . . . . . . . . . . . . . . . . . . . . .265

Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .265

Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266

Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .267

Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .268

Configure the PPTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .269

View the Active PPTP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .271

Configure the L2TP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272

View the Active L2TP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273

Chapter 6 Virtual Private Networking Using

SSL Connections

SSL VPN Portal Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276

Overview of the SSL Configuration Process . . . . . . . . . . . . . . . . . . . . . .276

Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . . . .281

Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . . . .282

Add Servers and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .282

Add a New Host Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .283

Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .284

Configure the Client IP Address Range . . . . . . . . . . . . . . . . . . . . . . . .285

Add Routes for VPN Tunnel Clients . . . . . . . . . . . . . . . . . . . . . . . . . . .287

Use Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . . .288

Add New Network Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288

Edit Network Resources to Specify Addresses . . . . . . . . . . . . . . . . . .289

Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . . . .291

View Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .292

Add an IPv4 or IPv6 SSL VPN Policy. . . . . . . . . . . . . . . . . . . . . . . . . .293

Access the New SSL Portal Login Screen . . . . . . . . . . . . . . . . . . . . . . . .297

View the SSL VPN Connection Status and SSL VPN Log. . . . . . . . . . . .299

Chapter 7 Manage Users, Authentication, and VPN Certificates

The VPN Firewall’s Authentication Process and Options. . . . . . . . . . . . .302

Configure Authentication Domains, Groups, and Users. . . . . . . . . . . . . .303

Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303

Configure Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .307

Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310

Set User Login Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313

8

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . .318

Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . .320

VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321

Manage VPN CA Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322

Manage VPN Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . .323

Manage the VPN Certificate Revocation List . . . . . . . . . . . . . . . . . . . .326

Chapter 8 Network and System Management

Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329

Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329

Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330

Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332

Use QoS and Bandwidth Assignment to Shift the Traffic Mix. . . . . . . .335

Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .336

System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .336

Change Passwords and Administrator and Guest Settings . . . . . . . . .336

Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .338

Use the Command-Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . .342

Use a Simple Network Management Protocol Manager. . . . . . . . . . . .342

Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347

Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . .352

Chapter 9 Monitor System Access and Performance

Configure and Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . .356

Configure and Enable the LAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . .359

Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . .362

How to Send Syslogs over a VPN Tunnel between Sites . . . . . . . . . .367

View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369

View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369

View the VPN Connection Status, L2TP Users, and PPTP Users. . . .378

View the VPN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380

View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

View the WAN Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382

View the Attached Devices and the DHCP Log . . . . . . . . . . . . . . . . . .385

Diagnostics Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388

Send a Ping Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .389

Trace a Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

Look Up a DNS Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

Display the Routing Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .390

Capture Packets in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .391

Reboot the VPN Firewall Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . .391

Chapter 10 Troubleshooting

Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .393

9

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .394

Troubleshoot the Web Management Interface. . . . . . . . . . . . . . . . . . . . .394

When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . .395

Troubleshoot the ISP Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396

Troubleshooting the IPv6 Connection . . . . . . . . . . . . . . . . . . . . . . . . . . .397

Troubleshoot a TCP/IP Network Using a Ping Utility . . . . . . . . . . . . . . . .400

Test the LAN Path to Your VPN Firewall . . . . . . . . . . . . . . . . . . . . . . .400

Test the Path from Your Computer to a Remote Device . . . . . . . . . . .401

Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .401

Address Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . .403

Access the Knowledge Base and Documentation . . . . . . . . . . . . . . . . . .403

Appendix A Default Settings and Technical Specifications

Factory Default Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .405

Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .410

Appendix B Network Planning for Multiple WAN Ports

What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .414

Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . .415

Computer Network Configuration Requirements . . . . . . . . . . . . . . . . .415

Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . .416

Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418

Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .419

Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .419

Inbound Traffic to a Dual WAN Port System . . . . . . . . . . . . . . . . . . . .420

Virtual Private Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421

VPN Road Warrior (Client-to-Gateway) . . . . . . . . . . . . . . . . . . . . . . . .422

VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .425

VPN Telecommuter (Client-to-Gateway through a NAT Router) . . . . .427

Appendix C System Logs and Error Messages

Log Message Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431

System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .431

NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432

Login/Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432

System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433

Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433

Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .433

IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .434

WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435

Resolved DNS Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .438

VPN Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .439

Traffic Meter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444

Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444

LAN to WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

10

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

LAN to DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

DMZ to WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

WAN to LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .445

DMZ to LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

WAN to DMZ Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Other Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Session Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .446

Source MAC Filter Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447

Bandwidth Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447

DHCP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .447

Appendix D Two-Factor Authentication

Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .450

What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . .450

What Is Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . . . . . .450

NETGEAR Two-Factor Authentication Solutions. . . . . . . . . . . . . . . . . . .451

Appendix E Notification of Compliance

Index

11

1

1. Introduction

This chapter provides an overview of the features and capabilities of the ProSAFE Gigabit Quad

WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web

management interface. The chapter contains the following sections:

• What Is the ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308?

• Key Features and Capabilities

• Package Contents

• Hardware Features

• Choose a Location for the VPN Firewall

• Log In to the VPN Firewall

• Web Management Interface Menu Layout

• Requirements for Entering IP Addresses

Note: For more information about the topics covered in this manual, visit

the support website at http://support.netgear.com.

Note: Firmware updates with new features and bug fixes are made

available from time to time on downloadcenter.netgear.com. Some

products can regularly check the site and download new firmware,

or you can check for and download new firmware manually

. If the

features or behavior of your product do not match what is described

in this guide, you might need to update your firmware.

Introduction

12

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

What Is the ProSAFE Gigabit Quad WAN SSL VPN

Firewall SRX5308?

The ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the

VPN firewall, connects your local area network (LAN) to the Internet through up to four

external broadband access devices such as cable or DSL modems or satellite or wireless

Internet dishes. Four wide area network (WAN) ports allow you to increase effective data rate

to the Internet by utilizing all WAN ports to carry session traffic or to maintain backup

connections in case of failure of your primary Internet connection.

The VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall protects your

IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traf

fic, and traf

fic with

objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site Automatic Tunnel

Addressing Protocol (ISATAP) tunnels.

The VPN firewall is a security solution that protects your network from attacks and intrusions.

For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of

service (DoS) attack protection, and multi-NAT support.

The VPN firewall supports multiple

web content filtering options, plus browsing activity reporting and instant alerts—both through

email. Network administrators can establish restricted access policies based on time of day,

website addresses, and address keywords.

The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and simple

remote connections.

The use of Gigabit Ethernet LAN and W

AN ports ensures high data

transfer speeds.

The VPN firewall is a plug-and-play device that can be installed and configured within

minutes.

Key Features and Capabilities

• Quad-WAN Ports for Increased Reliability and Load Balancing

• Advanced VPN Support for Both IPSec and SSL

• A Powerful, True Firewall with Content Filtering

• Security Features

• Autosensing Ethernet Connections with Auto Uplink

• Extensive Protocol Support

• Easy Installation and Management

• Maintenance and Support

Introduction

13

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

The VPN firewall provides the following key features and capabilities:

• Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover

protection of your Internet connection, providing increased data rate and increased

system reliability.

• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer

between local network resources and support for up to 200,000 internal or external

connections.

• Both IPv4 and IPv6 support

• Advanced IPSec VPN and SSL VPN support with support for up to 125 concurrent IPSec

VPN tunnels and up to 50 concurrent SSL VPN tunnels.

• Bundled with a single-user license of the NETGEAR ProSafe VPN Client software

(VPN01L).

• L2TP tunnel and PPTP tunnel support

• Advanced stateful packet inspection (SPI) firewall with multi-NA

T support.

• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and

multimedia.

• Extensive protocol support.

• One console port for local management.

• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for

the NETGEAR ProSafe Network Management Software (NMS200) over a LAN

connection.

• Front panel LEDs for easy monitoring of status and activity

.

• Flash memory for firmware upgrade.

• Internal universal switching power supply

.

• Rack-mounting kit for 1U rackmounting.

Quad-WAN Ports for Increased Reliability and Load

Balancing

The VPN firewall provides four broadband WAN ports. These WAN ports allow you to

connect additional broadband Internet lines that can be configured to:

• Load-balance outbound traffic between up to four lines for maximum bandwidth

efficiency.

• Provide backup and rollover if one line is inoperable, ensuring that you are never

disconnected.

See Appendix B, Network Planning for Multiple WAN Ports for the planning factors to

consider when implementing the following capabilities with multiple WAN port gateways:

• Single or multiple exposed hosts.

• V

irtual private networks (VPNs).

Introduction

14

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Advanced VPN Support for Both IPSec and SSL

The VPN firewall supports IPSec and SSL virtual private network (VPN) connections:

• IPSec VPN delivers full network access between a central office and branch of

fices, or

between a central office and telecommuters. Remote access by telecommuters requires

the installation of VPN client software on the remote computer.

- IPSec VPN with broad protocol support for secure connection to other IPSec

gateways and clients.

- Up to 125 simultaneous IPSec VPN connections.

- Bundled with a 30-day trial license for the ProSafe VPN Client software (VPN01L).

• SSL VPN provides remote access for mobile users to selected corporate resources

without requiring a preinstalled VPN client on their computers.

- Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for

e-commerce transactions, to provide client-free access with customizable user portals

and support for a wide variety of user repositories.

- Up to 50 simultaneous SSL VPN connections.

- Allows browser-based, platform-independent remote access through a number of

popular browsers, such as Microsoft Internet Explorer

, Mozilla Firefox, and

Apple

Safari.

- Provides granular access to corporate resources based on user type or group

membership.

A Powerful, True Firewall with Content Filtering

Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection

(SPI) to defend against hacker attacks. Its firewall features have the following capabilities:

• DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such

as Ping of Death and SYN flood.

• Secure firewall. Blocks unwanted traffic from the Internet to your LAN.

• Content filtering

. Prevents objectionable content from reaching your computers. Y

ou

can control access to Internet content by screening for web services, web addresses, and

keywords within web addresses.

• Schedule policies. Permits scheduling of firewall policies by day and time.

• Logs security incidents. Logs security events such as logins and secure logins.

Y

ou can

configure the firewall to email the log to you at specified intervals. You can also configure

the VPN firewall to send immediate alert messages to your email address or email pager

when a significant event occurs.

Introduction

15

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Security Features

The VPN firewall is equipped with several features designed to maintain security:

• Computers hidden by NAT. NA

T opens a temporary path to the Internet for requests

originating from the local network. Requests originating from outside the LAN are

discarded, preventing users outside the LAN from finding and directly accessing the

computers on the LAN.

• Port forwarding with NA

T.

Although NAT prevents Internet locations from directly

accessing the computers on the LAN, the VPN firewall allows you to direct incoming

traffic to specific computers based on the service port number of the incoming request.

• DMZ port. Incoming traffic from the Internet is usually discarded by the VPN firewall

unless the traf

fic is a response to one of your local computers or a service for which you

have configured an inbound rule. Instead of discarding this traffic, you can use the

dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your

network.

Autosensing Ethernet Connections with Auto Uplink

With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the

VPN firewall can connect to a 10-Mbps standard Ethernet network, a 100-Mbps Fast

Ethernet network, a 1000-Mbps Gigabit Ethernet network, or a combination of these

networks. All LAN and WAN interfaces are autosensing and capable of full-duplex or

half-duplex operation.

The VPN firewall incorporates Auto Uplink

TM

technology. Each Ethernet port automatically

senses whether the Ethernet cable plugged into the port should have a normal connection

such as to a computer or an uplink connection such as to a switch or hub. That port then

configures itself correctly. This feature eliminates the need for you to think about crossover

cables, as Auto Uplink accommodates either type of cable to make the right connection.

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and

Routing Information Protocol (RIP). The VPN firewall provides the following protocol support:

• IP address sharing by NAT. The VPN firewall allows many networked computers to

share an Internet account using only a single IP address, which might be statically or

dynamically assigned by your Internet service provider (ISP). This technique, known as

Network Address Translation (NAT), allows the use of an inexpensive single-user ISP

account.

• Automatic configuration of attached computers by DHCP.

The VPN firewall

dynamically assigns network configuration information, including IP

, gateway, and

Domain Name Server (DNS) addresses, to attached computers on the LAN using the

Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies

configuration of computers on your local network.

Introduction

16

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN

firewall provides its own address as a DNS server to the attached computers. The firewall

obtains actual DNS addresses from the ISP during connection setup and forwards DNS

requests from the LAN.

• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the

Internet over a DSL connection by simulating a dial-up connection.

• Quality of Service (QoS).

The VPN firewall supports QoS, including traf

fic prioritization

and traffic classification with Type of Service (ToS) and Differentiated Services Code

Point (DSCP) marking.

• Layer 2 Tunneling Protocol (L2TP)

. A tunneling protocol that is used to support virtual

private networks (VPNs).

• Point to Point Tunneling Protocol (PPTP).

Another tunneling protocol that is used to

support VPNs.

Easy Installation and Management

You can install, configure, and operate the VPN firewall within minutes after connecting it to

the network. The following features simplify installation and management tasks:

• Browser-based management. Browser-based configuration allows you to easily

configure the VPN firewall from almost any type of operating system, such as Windows,

Macintosh, or Linux. Online help documentation is built into the browser-based web

management interface.

• Auto-detection of ISP.

The VPN firewall automatically senses the type of Internet

connection, asking you only for the information required for your type of ISP account.

• IPSec VPN Wizard

. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you

can easily configure IPSec VPN tunnels according to the recommendations of the Virtual

Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are

interoperable with other VPNC-compliant VPN routers and clients.

• SNMP.

The VPN firewall supports the Simple Network Management Protocol (SNMP) to

let you monitor and manage log resources from an SNMP-compliant system manager

.

The SNMP system configuration lets you change the system variables for MIB2.

• Diagnostic functions. The VPN firewall incorporates built-in diagnostic functions such

as ping, traceroute, DNS lookup, and remote reboot.

• Remote management

. The VPN firewall allows you to log in to the web management

interface from a remote location on the Internet. For security

, you can limit remote

management access to a specified remote IP address or range of addresses.

• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor

its status and activity

.

Introduction

17

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:

• Flash memory for firmware upgrades.

• T

echnical support seven days a week, 24 hours a day. Information about support is

available on the NETGEAR website at

http://support.netgear

.com/app/answers/detail/a_id/212.

Package Contents

The VPN firewall product package contains the following items:

• ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

• One

AC power cable

• One Category 5 (Cat 5) Ethernet cable

• One rack-mounting kit

• ProSAFE Gigabit Quad W

AN SSL VPN Firewall SRX5308 Installation Guide

• Resource CD, including:

- Application Notes and other helpful information

- ProSafe VPN Client software (VPN01L)

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep

the carton, including the original packing materials, in case you need to return the product for

repair

.

Hardware Features

• Front Panel

• Rear Panel

• Bottom Panel with Product Label

The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are

described in the following sections.

Front Panel

Viewed from left to right, the VPN firewall front panel contains the following ports (see the

following figure).

• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,

Gigabit Ethernet ports with RJ-45 connectors

• WAN Ethernet ports. Four independent N-way automatic speed negotiating, Auto

MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors

Introduction

18

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

The front panel also contains three groups of status indicator light-emitting diodes (LEDs),

including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are described in the

following table.

Figure 1.

Table 1. LED descriptions

LED Activity Description

Power On (green) Power is supplied to the VPN firewall.

Off Power is not supplied to the VPN firewall.

T

est On (amber) during

startup.

Test mode: The VPN firewall is initializing. After approximately 2 minutes,

when the VPN firewall has completed its initialization, the Test LED goes

off.

On (amber) during

any other time

The initialization has failed, or a hardware failure has occurred.

Blinking (amber) The VPN firewall is writing to flash memory (during upgrading or resetting

to defaults).

Off The system has booted successfully.

LAN Ports

Left LED On (green) The LAN port has detected a link with a connected Ethernet device.

Blinking (green)

The LAN port receives or transmits data.

Of

f The LAN port has no link.

Right LED On (green) The LAN port operates at 1000 Mbps.

On (amber) The LAN port operates at 100 Mbps.

Off The LAN port operates at 10 Mbps.

Power LED

Test LED

Left LAN LEDs

Right LAN LEDs

DMZ LED

Left WAN LEDs

Right WAN LEDs

LEDs

Internet

Introduction

19

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

Rear Panel

The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a

cable lock receptacle, an AC power connection, and a power switch.

Figure 2.

Viewed from left to right, the rear panel contains the following components:

• Cable security lock receptacle.

• Console port. Port for connecting to an optional console terminal.

The port has a DB9

male connector

. The default baud rate is 115200 K. The pinouts are (2) Tx, (3) Rx, (5) and

(7) Gnd. For information about accessing the command-line interface (CLI) using the

console port, see Use the Command-Line Interface on page 342.

DMZ LED On (green) Port 4 operates as a dedicated hardware DMZ port.

Off Port 4 operates as a normal LAN port.

WAN Ports

Left LED On (green) The WAN port has a valid connection with a device that provides an

Internet connection.

Blinking (green) The WAN port receives or transmits data.

Off The WAN port has no physical link, that is, no Ethernet cable is plugged

into the VPN firewall.

Right LED On (green) The WAN port operates at 1000 Mbps.

On (amber) The WAN port operates at 100 Mbps.

Off The WAN port operates at 10 Mbps.

Internet LED On (green) The WAN port has a valid Internet connection.

Off The WAN port is either not enabled or has no link to the Internet.

Table 1. LED descriptions (continued)

LED Activity Description

Security lock

receptacle

Console port

Factory Defaults

AC power

receptacle

Power

switch

Reset button

Introduction

20

ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308

• Factory Defaults Reset button. Using a sharp object, press and hold this button for about

8 seconds until the front panel Test LED flashes to reset the VPN firewall to factory

default settings. All configuration settings are lost, and the default password is restored.

• AC power receptacle. Universal AC input (100–240 V

AC, 50–60 Hz).

• A power on/off switch.

Bottom Panel with Product Label

The product label on the bottom of the VPN firewall’s enclosure displays factory default

settings, regulatory compliance, and other information.

Figure 3.

Choose a Location for the VPN Firewall

The VPN firewall is suitable for use in an office environment where it can be freestanding (on

its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can

rack-mount the VPN firewall in a wiring closet or equipment room.

Consider the following when deciding where to position the VPN firewall:

• The unit is accessible, and cables can be connected easily.

• Cabling is away from sources of electrical noise. These include lift shafts, microwave

ovens, and air-conditioning units.

• Water or moisture cannot enter the case of the unit.

• Airflow around the unit and through the vents in the side of the case is not restricted.

Provide a minimum of 25 mm or 1-inch clearance.

• The air is as free of dust as possible.

• T

emperature operating limits are not likely to be exceeded. Install the unit in a clean,

air-conditioned environment. For information about the recommended operating

temperatures for the VPN firewall, see

Appendix A, Default Settings and Technical

Specifications.

Page is loading ...

Netgear ProSAFE SRX5308 Owner's manual

This manual is also suitable for

Netgear ProSAFE SRX5308 Owner's manual

Related papers

Other documents