Netgear SRX5308 User manual

350 East Plumeria Drive

San Jose, CA 95134

USA

July, 2012

202-10536-04

v1.0

ProSafe Gigabit Quad WAN

SSL VPN Firewall SRX5308

Reference Manual

2

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated

into any language in any form or by any means without the written permission of NETGEAR, Inc.

Technical Support

Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or

for more information about the topics covered in this manual, visit the Support website at

http://support.netgear.com.

Phone (US & Canada only): 1-888-NETGEAR

Phone (Other Countries): Check the li

st of phone numbers at

http://support.netgear.com/app

/answers/detail/a_id/984.

Trademarks

NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of

NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change

without notice. Other brand and product names are registered trademarks or trademarks of their respective

Statement of Conditions

To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes

to the products described in this document without notice. NETGEAR does not assume any liability that may occur

due to the use, or application of, the product(s) or circuit layout(s) described herein.

Revision History

Publication

Part Number

Version Publish Date Comments

202-10536-04 1.0 July 2012 A major revision. Added the following features:

• Support for IPv6 with multiple IPv6 features, including a new

general menu structure that provides both IPv4 and IPv6 radio

buttons (very extensive revisions throughout the manual)

• IPSec VPN autoinitia

te support (see Manually Add or Edit a

VPN Policy)

• SNMPv3 support (see Use a Simple Network Management

Protocol Manager)

• Option to reboot with a different firmware version (see Select

the Firmware and Reboot the VPN Firewall)

• Extensive list of factory d

efault settings (see Appendix A,

Default Settings and Technical Specifications)

202-10536-03 1.0 November 2011 Incorporated nontechnical edits only (there are no feature

chan

ges).

3

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

202-10536-02 1.0 July 2011 Added new features that are documented in the following

sections:

• Configure WAN QoS Profiles

• Inbound Rules (Port Forwarding) and Create LAN WAN Inbound

Service Rules

• Attack Checks

• Set Limits for IPv4 Sessions

• Create IP Groups

• Use the NETGEAR VPN Client Wizard to Create a Secure

Connection

• Manually Create a Secure Conne

ction Using the NETGEAR

VPN Client

• Configure the ProSafe VPN Client for Mode Config Operation

• Configure Date and Time Service

• Configure and Enable the LAN Traffic Meter

202-10536-01 1.0 April 2010 Initial publication of this reference manual.

4

Contents

Chapter 1 Introduction

What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? . .11

Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

Quad-WAN Ports for Increased Reliability and

Load Balancing. . . . . . .13

Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . .13

A Powerful, True Firewall with Content Filtering

. . . . . . . . . . . . . . . . . . .14

Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

Autosensing Ethernet Connections with Auto Uplink

. . . . . . . . . . . . . . .14

Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15

Easy Installation and Management . . . . . . .

. . . . . . . . . . . . . . . . . . . . .15

Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16

Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Front Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17

Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Bottom Panel with Product Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

Choose a Location for the VPN Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . .20

Use the Rack-Mounting Kit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20

Log In to the VPN Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

Web Management Interface Menu Layout . . . . . . . . . . . . . . . . . . . . . . . . .23

Requirements for Entering IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . .25

IPv4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

Chapter 2 IPv4 and IPv6 Internet and WAN Settings

Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . .26

Tasks to Set Up IPv4 Internet Connections

to Your ISPs . . . . . . . . . . .27

Tasks to Set Up an IPv6 Internet

Connection to Your ISPs . . . . . . . . . .27

Configure the IPv4 Internet Connection and W

AN Settings. . . . . . . . . . . .28

Configure the IPv4 WAN Mode . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . .28

Let the VPN Firewall Automatically Detect and

Configure an IPv4 Internet Connection

. . . . . . . . . . . . . . . . . . . . . . . . .30

Manually Configure an IPv4 Internet

Connection. . . . . . . . . . . . . . . . . .33

Configure Load Balancing or Auto-Rollover. . . . . . . . . . . . . . . . . . . . . .39

Configure Secondary WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . .46

Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

Configure the IPv6 Internet Connection and W

AN Settings. . . . . . . . . . . .51

Configure the IPv6 Routing Mode . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .52

Use a DHCPv6 Server to Configure an IPv6 Internet Connection . . . . .54

5

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Configure a Static IPv6 Internet Connection. . . . . . . . . . . . . . . . . . . . . .57

Configure a PPPoE IPv6 Internet Connection . . . . . . . . . . . . . . . . . . . .60

Configure 6to4 Automatic Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . .63

Configure ISATAP Automatic Tunneling. . . . . . . . . . . . . . . . . . . . . . . . .64

View the Tunnel Status and IPv6 Addresses . . . . . . . . . . . . . . . . . . . . .66

Configure Stateless IP/ICMP Translation. . . . . . . . . . . . . . . . . . . . . . . .66

Configure Advanced WAN Options and Other Task

s. . . . . . . . . . . . . . . . .67

Configure WAN QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72

Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . .78

Verify the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

What to Do Next. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78

Chapter 3 LAN Configuration

Manage IPv4 Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . .79

Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80

Assign and Manage VLAN Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . .81

VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82

Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83

Configure VLAN MAC Addresses and LAN Advanced Settings. . . . . . .88

Configure IPv4 Multihome LAN IP Addresses on the Default VLAN . . . . .89

Manage IPv4 Groups and Hosts (IPv4 LAN Groups). . . . . . . . . . . . . . . . .91

Manage the Network Database . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . .92

Change Group Names in the Network Database . . . . . . . . . . . . . . . . . .95

Set Up DHCP Address Reservation. . . . . . .

. . . . . . . . . . . . . . . . . . . . .96

Manage the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97

DHCPv6 Server Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98

Configure the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99

Configure the IPv6 Router Advertisement Daemon and

Advertisement Prefixes for the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . .104

Configure IPv6 Multihome LAN IP Addresses on the Default VLAN . . . .108

Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic. . . . . . . . .109

DMZ Port for IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .110

DMZ Port for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113

Configure the IPv6 Router Advertisement Daemon and

Advertisement Prefixes for the DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . .117

Manage Static IPv4 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122

Configure Static IPv4 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .122

Configure the Routing Information Protocol . . . . . . . . . . . . . . . . . . . . .124

IPv4 Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

Manage Static IPv6 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127

Chapter 4 Firewall Protection

About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .130

Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131

Overview of Rules to Block or Allow Specific K

inds of Traffic . . . . . . . . .131

Outbound Rules (Service Blocking) . . . . . . .

. . . . . . . . . . . . . . . . . . . .133

Inbound Rules (Port Forwarding) .

. . . . . . . . . . . . . . . . . . . . . . . . . . . .135

6

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139

Configure LAN WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140

Create LAN WAN Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .143

Create LAN WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .145

Configure DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147

Create DMZ WAN Outbound Service Rules. . . . . . . . . . . . . . . . . . . . .149

Create DMZ WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . .151

Configure LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153

Create LAN DMZ Outbound Service Rules . . . . . . . . . . . . . . . . . . . . .155

Create LAN DMZ Inbound Service Rules. . . . . . . . . . . . . . . . . . . . . . .157

Examples of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159

Examples of Inbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . .159

Examples of Outbound Firewall Rules . . . . .

. . . . . . . . . . . . . . . . . . . .164

Configure Other Firewall Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166

Attack Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166

Set Limits for IPv4 Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .169

Manage the Application Level Gateway for S

IP Sessions . . . . . . . . . .171

Services, Bandwidth Profiles, and Q

oS Profiles. . . . . . . . . . . . . . . . . . . .171

Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .172

Create IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .174

Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .176

Create Quality of Service Profiles for IPv4 Firewall Rules . . . . . . . . . .179

Quality of Service Priorities for IPv6 Firewall Rules . . . . . . . . . . . . . . .181

Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181

Set a Schedule to Block or Allow Specific Traffic

. . . . . . . . . . . . . . . . . . .185

Enable Source MAC Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .186

Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187

Configure Port Triggering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192

Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .194

Chapter 5 Virtual Private Networking

Using IPSec and L2TP Connections

Considerations for Dual WAN Port Systems (IPv4 Only). . . . . . . . . . . . .196

Use the IPSec VPN Wizard for Client and Gateway

Configurations . . . .198

Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard. . .198

Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard. . .203

Create an IPv4 Client-to-Gateway VPN

Tunnel with the Wizard . . . . .206

Test the Connection and View Connection and Status Information. . . . .221

Test the NETGEAR VPN Client Connection . . . . . . . . . . . . . . . . . . . .221

NETGEAR VPN Client Status and Log Information

. . . . . . . . . . . . . . .223

View the VPN Firewall IPSec VPN Connection Status. . . . . . . . . . . . .223

View the VPN Firewall IPSec VPN Log . . . . . . . . . . . . . . . . . . . . . . . .224

Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225

Manage IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .225

Manage VPN Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231

Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .239

Configure XAUTH for VPN Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . .240

7

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241

RADIUS Client and Server Configuration. . . . . . . . . . . . . . . . . . . . . . .241

Assign IPv4 Addresses to Remote Users (Mode Config)

. . . . . . . . . . . . .244

Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .244

Configure Mode Config Operation on the VPN Firewall. . . . . . . . . . . .244

Configure the ProSafe VPN Client for Mode

Config Operation . . . . . .251

Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .258

Modify or Delete a Mode Config Record. . . .

. . . . . . . . . . . . . . . . . . . .259

Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . .259

Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .260

Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .261

Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . .262

Configure the PPTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .263

View the Active PPTP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .264

Configure the L2TP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265

View the Active L2TP Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .266

Chapter 6 Virtual Private Networking

Using SSL Connections

SSL VPN Portal Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .268

Overview of the SSL Configuration Process . .

. . . . . . . . . . . . . . . . . . . .269

Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .270

Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . . . .274

Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . . . .275

Add Servers and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275

Add a New Host Name. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276

Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .277

Configure the Client IP Address Range . . . . . . . . . . . . . . . . . . . . . . . .278

Add Routes for VPN Tunnel Clients . . . . . . . . . . . . . . . . . . . . . . . . . . .280

Use Network Resource Objects to Simplify Policies

. . . . . . . . . . . . . . . .281

Add New Network Resources. . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .281

Edit Network Resources to Specify Addresses

. . . . . . . . . . . . . . . . . .282

Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . . . .284

View Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .285

Add an IPv4 or IPv6 SSL VPN Policy. . . . . . . . . . . . . . . . . . . . . . . . . .286

Access the New SSL Portal Login Screen . . . .

. . . . . . . . . . . . . . . . . . . .290

View the SSL VPN Connection Status and SSL VPN Log. . . . . . . . . . . .292

Chapter 7 Manage Users, Authentication, and VPN Certificates

The VPN Firewall’s Authentication Process and Options. . . . . . . . . . . . .294

Configure Authentication Domains, Groups, and

Users. . . . . . . . . . . . . .296

Configure Domains. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296

Configure Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300

Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303

Set User Login Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .306

Change Passwords and Other User Settings. . . . . . . . . . . . . . . . . . . .311

Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . .313

8

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314

Manage VPN CA Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .315

Manage VPN Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . .316

Manage the VPN Certificate Revocation List . . . . . . . . . . . . . . . . . . . .320

Chapter 8 Network and System Management

Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321

Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321

Features That Reduce Traffic. . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . .322

Features That Increase Traffic

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324

Use QoS and Bandwidth Assignment to Shift the Traffic Mix. . . . . . . .327

Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . .328

System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328

Change Passwords and Administrator and Guest Settings . . . . . . . . .328

Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . .330

Use the Command-Line Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . .334

Use a Simple Network Management Protocol Manager. . . . . . . . . . . .334

Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339

Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . .343

Chapter 9 Monitor System Access and Performance

Configure and Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . .347

Configure and Enable the LAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . .350

Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . .353

How to Send Syslogs over a VPN Tunnel between Sites . . . . . . . . . .359

View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361

View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .361

View the VPN Connection Status, L2TP Users, and PPTP Users. . . .370

View the VPN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372

View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373

View the WAN Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374

View the Attached Devices and the DHCP Log . . . . . . . . . . . . . . . . . .377

Diagnostics Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .380

Send a Ping Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

Trace a Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

Look Up a DNS Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382

Display the Routing Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382

Capture Packets in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382

Reboot the VPN Firewall Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . .383

Chapter 10 Troubleshooting

Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385

Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385

Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385

LAN or WAN Port LEDs Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .386

Troubleshoot the Web Management Interface. . .

. . . . . . . . . . . . . . . . . .386

9

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . .387

Troubleshoot the ISP Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .388

Troubleshooting the IPv6 Connection . . . . . . . . . . . . . . . . . . . . . . . . . . .389

Troubleshoot a TCP/IP Network Using a Ping Utility

. . . . . . . . . . . . . . . .392

Test the LAN Path to Your VPN Firewall

. . . . . . . . . . . . . . . . . . . . . . .392

Test the Path from Your C

omputer to a Remote Device . . . . . . . . . . .393

Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . .393

Address Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . .395

Access the Knowledge Base and Documentation

. . . . . . . . . . . . . . . . . .395

Appendix A Default Settings and Technical Specifications

Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .396

Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . .402

Appendix B Network Planning for Multiple WAN Ports (IPv4 Only)

What to Consider Before You Begin. . . . . . . . . . . . . . . . . . . . . . . . . . . . .404

Cabling and Computer Hardware

Requirements . . . . . . . . . . . . . . . . .406

Computer Network Configuration R

equirements . . . . . . . . . . . . . . . . .406

Internet Configuration Requirements

. . . . . . . . . . . . . . . . . . . . . . . . . .406

Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .408

Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .409

Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . .409

Inbound Traffic to a Dual WAN Port System . .

. . . . . . . . . . . . . . . . . .410

Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .411

VPN Road Warrior (Client-to-Gatew

ay) . . . . . . . . . . . . . . . . . . . . . . . .412

VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .415

VPN Telecommuter (Client-to-Gatew

ay through a NAT Router) . . . . .417

Appendix C System Logs and Error Messages

System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421

NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .421

Login/Logout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422

System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .422

Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423

Firewall Restart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423

IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .423

Unicast, Multicast, and Broadcast Logs . . . . . . . . . . . . . . . . . . . . . . . .423

WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424

Resolved DNS Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428

VPN Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .428

Traffic Meter Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

Routing Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434

LAN to WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435

LAN to DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435

DMZ to WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435

WAN to LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .435

10

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

DMZ to LAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436

WAN to DMZ Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436

Other Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436

Session Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .436

Source MAC Filter Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437

Bandwidth Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437

DHCP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437

Appendix D Two-Factor Authentication

Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . .439

What Are the Benefits of Two-Factor Authentication?

. . . . . . . . . . . . .439

What Is Two-Factor Authentic

ation? . . . . . . . . . . . . . . . . . . . . . . . . . .440

NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . .440

Appendix E Notification of Compliance (Wired)

Index

11

1

1. Introduction

This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad

WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web

management interface. The chapter contains the following sections:

• What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?

• Key Features and Capabilities

• Package Contents

• Hardware Features

• Choose a Location for the VPN Firewall

• Log In to the VPN Firewall

• Web Management Interface Menu Layout

• Requirements for Entering IP Addresses

Note: For more information about the topics covered in this manual, visit

the SRX5308 support website at http://support.netgear.com.

What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall

SRX5308?

The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the

VPN firewall, connects your local area network (LAN) to the Internet through up to four

external broadband access devices such as cable or DSL modems or satellite or wireless

Internet dishes. Four wide area network (WAN) ports allow you to increase effective data rate

to the Internet by utilizing all WAN ports to carry session traffic or to maintain backup

connections in case of failure of your primary Internet connection.

The VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall protects your

IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traffic, and traffic

with objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site Automatic

Tunnel Addressing Protocol (ISATAP) tunnels.

Introduction

12

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

The VPN firewall is a security solution that protects your network from attacks and intrusions.

For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of

service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple

web content filtering options, plus browsing activity reporting and instant alerts—both through

email. Network administrators can establish restricted access policies based on time of day,

website addresses, and address keywords.

The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and simple

remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures high data

transfer speeds.

The VPN firewall is a plug-and-play device that can be installed and configured within

minutes.

Key Features and Capabilities

• Quad-WAN Ports for Increased Reliability and Load Balancing

• Advanced VPN Support for Both IPSec and SSL

• A Powerful, True Firewall with Content Filtering

• Security Features

• Autosensing Ethernet Connections with Auto Uplink

• Extensive Protocol Support

• Easy Installation and Management

• Maintenance and Support

The VPN firewall provides the following key features and capabilities:

• Four 1

0/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover

protection of your Internet connection, providing increased data rate and increased

system reliability.

• Built-in fo

ur-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer

between local network resources and support for up to 200,000 internal or external

connections.

• Both IPv4 and

IPv6 support

• Adva

nced IPSec VPN and SSL VPN support with support for up to 125 concurrent IPSec

VPN tunnels and up to 50 concurrent SSL VPN tunnels.

• Bundled with

a single-user license of the NETGEAR ProSafe VPN Client software

(VPN01L).

• L2TP tu

nnel and PPTP tunnel support

• Adva

nced stateful packet inspection (SPI) firewall with multi-NAT support.

• Qu

ality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and

multimedia.

• Exten

sive protocol support.

Introduction

13

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

• One console port for local management.

• SNMP

support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for

the NETGEAR ProSafe Network Management Software (NMS200) over a LANJ

connection.

• F

ront panel LEDs for easy monitoring of status and activity.

• F

lash memory for firmware upgrade.

• I

nternal universal switching power supply.

• Rack-mounting kit fo

r 1U rackmounting.

Quad-WAN Ports for Increased Reliability and Load Balancing

The VPN firewall provides four broadband WAN ports. These WAN ports allow you to

connect additional broadband Internet lines that can be configured to:

• L

oad-balance outbound traffic between up to four lines for maximum bandwidth

efficiency.

• Pro

vide backup and rollover if one line is inoperable, ensuring that you are never

disconnected.

See Append

ix B, Network Planning for Multiple WAN Ports (IPv4 Only) for the planning

factors to consider when implementing the following capabilities with multiple WAN port

gateways:

• Single

or multiple exposed hosts.

• V

irtual private networks (VPNs).

Advanced VPN Support for Both IPSec and SSL

The VPN firewall supports IPSec and SSL virtual private network (VPN) connections:

• I

PSec VPN delivers full network access between a central office and branch offices, or

between a central office and telecommuters. Remote access by telecommuters requires

the installation of VPN client software on the remote computer.

- I

PSec VPN with broad protocol support for secure connection to other IPSec

gateways and clients.

- Up

to 125 simultaneous IPSec VPN connections.

- Bun

dled with a 30-day trial license for the ProSafe VPN Client software (VPN01L).

• SSL VPN provide

s remote access for mobile users to selected corporate resources

without requiring a preinstalled VPN client on their computers.

- Uses th

e familiar Secure Sockets Layer (SSL) protocol, commonly used for

e-commerce transactions, to provide client-free access with customizable user

portals and support for a wide variety of user repositories.

- Up

to 50 simultaneous SSL VPN connections.

Introduction

14

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

- Allows browser-based, platform-independent remote access through a number of

popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple

Safari.

- Provides granular access to

corporate resources based on user type or group

membership.

A Powerful, True Firewall with Content Filtering

Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection

(SPI) to defend against hacker attacks. Its firewall features have the following capabilities:

• DoS protection.

Automatically detects and thwarts denial of service (DoS) attacks such

as Ping of Death and SYN flood.

• Secure firewall. Blocks un

wanted traffic from the Internet to your LAN.

• Content fil

tering. Prevents objectionable content from reaching your computers. You

can control access to Internet content by screening for web services, web addresses, and

keywords within web addresses.

• Schedul

e policies. Permits scheduling of firewall policies by day and time.

• Logs security incident

s. Logs security events such as logins and secure logins. You can

configure the firewall to email the log to you at specified intervals. You can also configure

the VPN firewall to send immediate alert messages to your email address or email pager

when a significant event occurs.

Security Features

The VPN firewall is equipped with several features designed to maintain security:

• Computers h

idden by NAT. NAT opens a temporary path to the Internet for requests

originating from the local network. Requests originating from outside the LAN are

discarded, preventing users outside the LAN from finding and directly accessing the

computers on the LAN.

• Port forwarding

with NAT. Although NAT prevents Internet locations from directly

accessing the computers on the LAN, the VPN firewall allows you to direct incoming

traffic to specific computers based on the service port number of the incoming request.

• DMZ po

rt. Incoming traffic from the Internet is usually discarded by the VPN firewall

unless the traffic is a response to one of your local computers or a service for which you

have configured an inbound rule. Instead of discarding this traffic, you can use the

dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your

network.

Autosensing Ethernet Connections with Auto Uplink

With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the

VPN firewall can connect to a 10-Mbps standard Ethernet network, a 100-Mbps Fast Ethernet

Introduction

15

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN

and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The VPN firewall incorporates Auto Uplink

TM

technology. Each Ethernet port automatically

senses whether the Ethernet cable plugged into the port should have a normal connection

such as to a computer or an uplink connection such as to a switch or hub. That port then

configures itself correctly. This feature eliminates the need for you to think about crossover

cables, as Auto Uplink accommodates either type of cable to make the right connection.

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and

Routing Information Protocol (RIP). The VPN firewall provides the following protocol support:

• I

P address sharing by NAT. The VPN firewall allows many networked computers to

share an Internet account using only a single IP address, which might be statically or

dynamically assigned by your Internet service provider (ISP). This technique, known as

Network Address Translation (NAT), allows the use of an inexpensive single-user ISP

account.

• Automatic configuration of att

ached computers by DHCP. The VPN firewall

dynamically assigns network configuration information, including IP, gateway, and

Domain Name Server (DNS) addresses, to attached computers on the LAN using the

Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies

configuration of computers on your local network.

• DNS proxy. Whe

n DHCP is enabled and no DNS addresses are specified, the VPN

firewall provides its own address as a DNS server to the attached computers. The firewall

obtains actual DNS addresses from the ISP during connection setup and forwards DNS

requests from the LAN.

• PPP over Ethernet (PPP

oE). PPPoE is a protocol for connecting remote hosts to the

Internet over a DSL connection by simulating a dial-up connection.

• Qualit

y of Service (QoS). The VPN firewall supports QoS, including traffic prioritization

and traffic classification with Type of Service (ToS) and Differentiated Services Code

Point (DSCP) marking.

• L

ayer 2 Tunneling Protocol (L2TP). A tunneling protocol that is used to support virtual

private networks (VPNs).

• Poi

nt to Point Tunneling Protocol (PPTP). Another tunneling protocol that is used to

support VPNs.

Easy Installation and Management

You can install, configure, and operate the VPN firewall within minutes after connecting it to

the network. The following features simplify installation and management tasks:

• Browser-base

d management. Browser-based configuration allows you to easily

configure the VPN firewall from almost any type of operating system, such as Windows,

Macintosh, or Linux. Online help documentation is built into the browser-based web

management interface.

Introduction

16

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

• Auto-detection of ISP. The VPN firewall automatically senses the type of Internet

connection, asking you only for the information required for your type of ISP account.

• IPSec VPN W

izard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you

can easily configure IPSec VPN tunnels according to the recommendations of the Virtual

Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are

interoperable with other VPNC-compliant VPN routers and clients.

• SNMP. The

VPN firewall supports the Simple Network Management Protocol (SNMP) to

let you monitor and manage log resources from an SNMP-compliant system manager.

The SNMP system configuration lets you change the system variables for MIB2.

• Diagnosti

c functions. The VPN firewall incorporates built-in diagnostic functions such

as ping, traceroute, DNS lookup, and remote reboot.

• Remote m

anagement. The VPN firewall allows you to log in to the web management

interface from a remote location on the Internet. For security, you can limit remote

management access to a specified remote IP address or range of addresses.

• V

isual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor

its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:

• Flash memo

ry for firmware upgrades.

• T

echnical support seven days a week, 24 hours a day. Information about support is

available on the NETGEAR website at

http://support.netgear.com/app/answers/detail/a_id/212.

Package Contents

The VPN firewall product package contains the following items:

• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

• On

e AC power cable

• On

e Category 5 (Cat 5) Ethernet cable

• On

e rack-mounting kit

• ProSafe Giga

bit Quad WAN SSL VPN Firewall SRX5308 Installation Guide

• Resou

rce CD, including:

- Application Note

s and other helpful information

- ProSafe VPN Clie

nt software (VPN01L)

If any of the parts are incorrect, missing, o

r damaged, contact your NETGEAR dealer. Keep

the carton, including the original packing materials, in case you need to return the product for

repair.

Introduction

17

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Hardware Features

• Front Panel

• Rear Panel

• Bottom Panel with Product Label

The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are

d

escribed in the following sections.

Front Panel

Viewed from left to right, the VPN firewall front panel contains the following ports (see the

following figure).

• L

AN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX,

Gigabit Ethernet ports with RJ-45 connectors

• W

AN Ethernet ports. Four independent N-way automatic speed negotiating, Auto

MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors

The front panel also contains three groups of

status indicator light-emitting diodes (LEDs),

including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in the

following table.

Figure 1.

Power LED

Test LED

Left LAN LEDs

Right LAN LEDs

DMZ LED

Left WAN LEDs

Right WAN LEDs

LEDs

Internet

Introduction

18

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Table 1. LED descriptions

LED Activity Description

Power On (green) Power is supplied to the VPN firewall.

Off Power is not supplied to the VPN firewall.

Test On (amber) during

startup.

Test mode: The VPN firewall is initializing. After approximately 2 minutes,

when the VPN firewall has completed its initialization, the Test LED goes

off.

On (amber) during

any other time

The initialization has failed, or a hardware failure has occurred.

Blinking (amber) The VPN firewall is writing to flash memory (during upgrading or resetting

to defaults).

Off The system has booted successfully.

LAN Ports

Left LED On (green) The LAN port has detected a link with a connected Ethernet device.

Blinking (green) The LAN port receives or transmits data.

Off The LAN port has no link.

Right LED On (green) The LAN port operates at 1000 Mbps.

On (amber) The LAN port operates at 100 Mbps.

Off The LAN port operates at 10 Mbps.

DMZ LED On (green) Port 4 operates as a dedicated hardware DMZ port.

Off Port 4 operates as a normal LAN port.

WAN Ports

Left LED On (green) The WAN port has a valid connection with a device that provides an

Internet connection.

Blinking (green) The WAN port receives or transmits data.

Off The WAN port has no physical link, that is, no Ethernet cable is plugged

into the VPN firewall.

Right LED On (green) The WAN port operates at 1000 Mbps.

On (amber) The WAN port operates at 100 Mbps.

Off The WAN port operates at 10 Mbps.

Internet LED On (green) The WAN port has a valid Internet connection.

Off The WAN port is either not enabled or has no link to the Internet.

Introduction

19

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Rear Panel

The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a

cable lock receptacle, an AC power connection, and a power switch.

Figure 2.

Viewed from left to right, the rear panel contains the following components:

1. Cab

le security lock receptacle.

2. Console

port. Port for connecting to an optional console terminal. The port has a DB9 male

connector. The default baud rate is 115200 K. The pinouts are (2) Tx, (3) Rx, (5) and (7)

Gnd. For information about accessing the command-line interface (CLI) using the console

port, see Use the Command-Line Interface on p

age 334.

3. Factory

Defaults Reset button. Using a sharp object, press and hold this button for about

8 seconds until the front panel Test LED flashes to reset the VPN firewall to factory default

se

ttings. All configuration settings are lost, and the default password is restored.

4. AC po

wer receptacle. Universal AC input (100–240 VAC, 50–60 Hz).

5. A power on/of

f switch.

Bottom Panel with Product Label

The product label on the bottom of the VPN firewall’s enclosure displays factory default

settings, regulatory compliance, and other information.

Figure 3.

Security lock

receptacle

Console port

Factory Defaults

AC power

receptacle

Power

switch

Reset button

Introduction

20

ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

Choose a Location for the VPN Firewall

The VPN firewall is suitable for use in an office environment where it can be freestanding (on

its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can

rack-mount the VPN firewall in a wiring closet or equipment room.

Consider the following when deciding where to position the VPN firewall:

• The u

nit is accessible, and cables can be connected easily.

• Cabling is away from sources of electrical noise. Th

ese include lift shafts, microwave

ovens, and air-conditioning units.

• W

ater or moisture cannot enter the case of the unit.

• Airflow

around the unit and through the vents in the side of the case is not restricted.

Provide a minimum of 25 mm or 1-inch clearance.

• The a

ir is as free of dust as possible.

• T

emperature operating limits are not likely to be exceeded. Install the unit in a clean,

air-conditioned environment. For information about the recommended operating

temperatures for the VPN firewall, see Appendix A, Default Settings and Technical

Specifications.

Use the Rack-Mounting Kit

Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the

mounting brackets using the hardware that is supplied with the mounting kit.

Figure 4.

Before mounting the VPN firewall in a rack, verify that:

• Y

ou have the correct screws (supplied with the installation kit).

• The ra

ck onto which you plan to mount the VPN firewall is suitably located.

Page is loading ...

Netgear SRX5308, SRX5308-100NAS User manual

Related papers

Other documents