Main
Tech nica l Sup port
Trademarks
Statement of Conditions
Revision History
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Contents
Chapter 1 Introduction
Chapter 2 IPv4 and IPv6 Internet and WAN Settings
Chapter 3 LAN Configuration
Chapter 4 Firewall Protection
Chapter 5 Virtual Private Networking Using IPSec and L2TP Connections
Chapter 6 Virtual Private Networking Using SSL Connections
Chapter 7 Manage Users, Authentication, and VPN Certificates
Chapter 8 Network and System Management
Chapter 9 Monitor System Access and Performance
Chapter 10 Troubleshooting
Appendix A Default Settings and Technical Specifications
Appendix B Network Planning for Multiple WAN Ports (IPv4 Only)
Appendix C System Logs and Error Messages
Page
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
Key Features and Capabilities
Quad-WAN Ports for Increased Reliability and Load Balancing
Advanced VPN Support for Both IPSec and SSL
A Powerful, True Firewall with Content Filtering
Security Features
Autosensing Ethernet Connections with Auto Uplink
Extensive Protocol Support
Easy Installation and Management
Maintenance and Support
Package Contents
Hardware Features
Front Panel
LEDs
Introduction
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Table 1. LED descriptions
Rear Panel
Bottom Panel with Product Label
Choose a Location for the VPN Firewall
Use the Rack-Mounting Kit
Log In to the VPN Firewall
Page
Web Management Interface Menu Layout
Page
Requirements for Entering IP Addresses
IPv4
IPv6
Internet and WAN Configuration Tasks
Tasks to Set Up IPv4 Internet Connections to Your ISPs
Tasks to Set Up an IPv6 Internet Connection to Your ISPs
Configure the IPv4 Internet Connection and WAN Settings
Configure the IPv4 WAN Mode
Network Address Translation
Classical Routing
Configure the IPv4 Routing Mode
Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection
Page
Page
Manually Configure an IPv4 Internet Connection
Page
Figure 16.
Table 3. PPTP and PPPoE settings
Figure 17.
Table 3. PPTP and PPPoE settings (continued)
Figure 18.
Table 4. Internet IP address settings
Table 5. DNS server settings
Page
Configure Load Balancing or Auto-Rollover
Configure Load Balancing Mode and Optional Protocol Binding
Page
Page
Figure 22.
4. Configure the protocol binding settings as explained in the following table:
Table 6. Add Protocol Binding screen settings
Page
Configure the Auto-Rollover Mode and Failure Detection Method
Page
Configure Secondary WAN Addresses
Page
Configure Dynamic DNS
Page
Page
Configure the IPv6 Internet Connection and WAN Settings
Configure the IPv6 Routing Mode
Page
Use a DHCPv6 Server to Configure an IPv6 Internet Connection
Page
Page
Configure a Static IPv6 Internet Connection
Page
Page
Configure a PPPoE IPv6 Internet Connection
Page
Page
Configure 6to4 Automatic Tunneling
Configure ISATAP Automatic Tunneling
Page
View the Tunnel Status and IPv6 Addresses
Configure Stateless IP/ICMP Translation
Configure Advanced WAN Options and Other Tasks
Page
Page
Table 12. WAN Advanced Options screen settings (continued)
5. Click Apply to save your changes.
WARNING:
Table 12. WAN Advanced Options screen settings (continued)
Configure WAN QoS Profiles
Page
Figure 45.
Table 13. Add QoS screen settings for a rate control profile
Table 13. Add QoS screen settings for a rate control profile (continued)
Page
Table 14. Add QoS screen settings for a priority profile (continued)
Additional WAN-Related Configuration Tasks
Verify the Connection
What to Do Next
Manage IPv4 Virtual LANs and DHCP Options
Port-B ased VLAN s
Assign and Manage VLAN Profiles
VLAN DHCP Options
DHCP Server
DHCP Relay
DNS Proxy
LDAP Server
Configure a VLAN Profile
Page
Table 15. Add VLAN Profile screen settings
Table 15. Add VLAN Profile screen settings (continued)
Table 15. Add VLAN Profile screen settings (continued)
Configure VLAN MAC Addresses and LAN Advanced Settings
Configure IPv4 Multihome LAN IP Addresses on the Default VLAN
Page
Manage IPv4 Groups and Hosts (IPv4 LAN Groups)
Manage the Network Database
Page
Add Computers or Devices to the Network Database
Edit Computers or Devices in the Network Database
Deleting Computers or Devices from the Network Database
Change Group Names in the Network Database
Set Up DHCP Address Reservation
Manage the IPv6 LAN
DHCPv6 Server Options
Stateless DHCPv6 Server
Stateless DHCPv6 Server With Prefix Delegation
Stateful DHCPv6 Server
Configure the IPv6 LAN
Table 17. LAN Setup screen settings for IPv6
4. Click Apply to save your changes.
IPv6 LAN Address Pools
To add an IPv6 LAN address pool:
Table 17. LAN Setup screen settings for IPv6 (continued)
Page
IPv6 LAN Prefixes for Prefix Delegation
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN
Page
Advertisement Prefixes for the LAN
Page
Configure IPv6 Multihome LAN IP Addresses on the Default VLAN
Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic
DMZ Port for IPv4 Traffic
Figure 61.
Table 22. DMZ Setup screen settings for IPv4
Table 22. DMZ Setup screen settings for IPv4 (continued)
DMZ Port for IPv6 Traffic
Page
Table 23. DMZ Setup screen settings for IPv6
IPv6 DMZ Address Pools
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the DMZ
Page
Figure 64.
4. Enter the settings as explained in the following table:
Table 26. RADVD screen settings for the DMZ
Advertisement Prefixes for the DMZ
Page
Manage Static IPv4 Routing
Configure Static IPv4 Routes
Figure 66.
2. Click the Add table button under the Static Routes table. The Add Static Route screen displays:
Figure 67.
3. Enter the settings as explained in the following table:
Table 28. Add Static Route screen settings for IPv4
Configure the Routing Information Protocol
Figure 68.
Table 29. RIP Configuration screen settings
Table 29. RIP Configuration screen settings (continued)
IPv4 Static Route Example
Manage Static IPv6 Routing
Figure 69.
Figure 70.
4. Enter the settings as explained in the following table:
Table 30. Add IPv6 Static Routing screen settings
Page
About Firewall Protection
Administrator Tips
Overview of Rules to Block or Allow Specific Kinds of Traffic
Page
Outbound Rules (Service Blocking)
Table 32. Outbound rules overview (continued)
Inbound Rules (Port Forwarding)
Page
Table 33. Inbound rules overview
Table 33. Inbound rules overview (continued)
Order of Precedence for Rules
Table 33. Inbound rules overview (continued)
Configure LAN WAN Rules
Page
Page
Create LAN WAN Outbound Service Rules
IPv4 LAN WAN Outbound Rules
IPv6 LAN WAN Outbound Rules
Create LAN WAN Inbound Service Rules
IPv4 LAN WAN Inbound Service Rules
IPv6 LAN WAN Inbound Rules
Configure DMZ WAN Rules
Page
Create DMZ WAN Outbound Service Rules
IPv4 DMZ WAN Outbound Service Rules
IPv6 DMZ WAN Outbound Service Rules
Create DMZ WAN Inbound Service Rules
IPv4 DMZ WAN Inbound Service Rules
IPv6 DMZ WAN Inbound Service Rules
Configure LAN DMZ Rules
Page
Create LAN DMZ Outbound Service Rules
IPv4 LAN DMZ Outbound Service Rules
IPv6 LAN DMZ Outbound Service Rules
Create LAN DMZ Inbound Service Rules
IPv4 LAN DMZ Inbound Service Rules
IPv6 LAN DMZ Inbound Service Rules
Examples of Firewall Rules
Examples of Inbound Firewall Rules
IPv4 LAN WAN Inbound Rule: Host a Local Public Web Server
Page
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping
Page
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an Exposed Host
IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a Single LAN User
Examples of Outbound Firewall Rules
IPv4 LAN WAN Outbound Rule: Block Instant Messenger
Page
Configure Other Firewall Features
Attack Checks
IPv4 Attack Checks
Table 34. Attack Checks screen settings for IPv4
IPv6 Attack Checks
Set Limits for IPv4 Sessions
Table 35. Session Limit screen settings
Manage the Application Level Gateway for SIP Sessions
Services, Bandwidth Profiles, and QoS Profiles
Add Customized Services
Page
Create IP Groups
Page
Create Bandwidth Profiles
Page
Page
Create Quality of Service Profiles for IPv4 Firewall Rules
Figure 108.
3. Enter the settings as explained in the following table.
Table 38. Add QoS Profile screen settings
Quality of Service Priorities for IPv6 Firewall Rules
Configure Content Filtering
Page
Page
Page
Set a Schedule to Block or Allow Specific Traffic
Enable Source MAC Filtering
Set Up IP/MAC Bindings
IPv4/MAC Bindings
Page
IPv6/MAC Bindings
Page
Configure Port Triggering
Page
Configure Universal Plug and Play
Page
Using IPSec and L2TP Connections
Considerations for Dual WAN Port Systems (IPv4 Only)
The following diagrams and table show how the WAN mode selection relates to VPN configuration.
Use the IPSec VPN Wizard for Client and Gateway Configurations
Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard
Page
Figure 123.
2. Complete the settings as explained in the following table:
Table 43. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel
Page
Page
Page
Figure 128.
Table 44. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel
Page
Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard
Use the VPN Wizard to Configure the Gateway for a Client Tunnel
Table 45. IPSec VPN Wizard settings for a client-to-gateway tunnel (continued)
Use the NETGEAR VPN Client Wizard to Create a Secure Connection
Page
Page
Page
c. Specify the settings that are explained in the following table.
Table 47. VPN client advanced authentication settings
Manually Create a Secure Connection Using the NETGEAR VPN Client
Page
Page
Page
Page
Figure 144.
3. Specify the settings that are explained in the following table.
Table 50. VPN client IPSec configuration settings
Page
Test the Connection and View Connection and Status Information
Test the NETGEAR VPN Client Connection
Page
NETGEAR VPN Client Status and Log Information
View the VPN Firewall IPSec VPN Connection Status
View the VPN Firewall IPSec VPN Log
Manage IPSec VPN Policies
Manage IKE Policies
IKE Policies Screen
Page
Manually Add or Edit an IKE Policy
Table 53. Add IKE Policy screen settings
Page
Table 53. Add IKE Policy screen settings (continued)
Manage VPN Policies
VPN Policies Screen
Manually Add or Edit a VPN Policy
Page
Page
Page
Page
Page
Configure Extended Authentication (XAUTH)
Configure XAUTH for VPN Clients
User Database Configuration
RADIUS Client and Server Configuration
Page
Table 57. RADIUS Client screen settings (continued)
Assign IPv4 Addresses to Remote Users (Mode Config)
Mode Config Operation
Configure Mode Config Operation on the VPN Firewall
Page
Table 58. Add Mode Config Record screen settings
Page
Page
Table 59. Add IKE Policy screen settings for a Mode Config configuration
Table 59. Add IKE Policy screen settings for a Mode Config configuration (continued)
9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.
Configure the ProSafe VPN Client for Mode Config Operation
Table 59. Add IKE Policy screen settings for a Mode Config configuration (continued)
Page
Page
Page
Page
Figure 167.
3. Specify the settings that are explained in the following table.
Table 62. VPN client IPSec configuration settings (Mode Config)
Page
Test the Mode Config Connection
Modify or Delete a Mode Config Record
Configure Keep-Alives and Dead Peer Detection
Configure Keep-Alives
Configure Dead Peer Detection
Configure NetBIOS Bridging with IPSec VPN
Configure the PPTP Server
View the Active PPTP Users
Configure the L2TP Server
View the Active L2TP Users
Page
Using SSL Connections
SSL VPN Portal Options
Overview of the SSL Configuration Process
Create the Portal Layout
Page
Page
Table 69. Add Portal Layout screen settings
Configure Domains, Groups, and Users
Configure Applications for Port Forwarding
Add Servers and Port Numbers
Add a New Host Name
Configure the SSL VPN Client
Configure the Client IP Address Range
Figure 184. SSL VPN Client screen for IPv6
Table 71. SSL VPN Client screen settings for IPv4 and IPv6
Add Routes for VPN Tunnel Clients
Use Network Resource Objects to Simplify Policies
Add New Network Resources
Edit Network Resources to Specify Addresses
Figure 186.
Table 72. Resources screen settings to edit a resource
Configure User, Group, and Global Policies
View Policies
Add an IPv4 or IPv6 SSL VPN Policy
Figure 189. Add SSL VPN Policy screen for IPv6
Table 73. Add SSL VPN Policy screen settings
Table 73. Add SSL VPN Policy screen settings (continued)
Page
Access the New SSL Portal Login Screen
Page
View the SSL VPN Connection Status and SSL VPN Log
Page
VPN Certificates
The VPN Firewalls Authentication Process and Options
Manage Users, Authentication, and VPN Certificates
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Table 74. External authentication protocols and methods
Configure Authentication Domains, Groups, and Users
Configure Domains
Create Domains
Page
Manage Users, Authentication, and VPN Certificates
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Table 75. Add Domain screen settings (continued)
Page
Edit Domains
Configure Groups
Create Groups
Edit Groups
Configure User Accounts
Page
Page
Set User Login Policies
Configure Login Policies
Configure Login Restrictions Based on IPv4 Addresses
Configure Login Restrictions Based on IPv6 Addresses
Page
Configure Login Restrictions Based on Web Browser
Change Passwords and Other User Settings
Page
Manage Digital Certificates for VPN Connections
VPN Certificates Screen
Manage VPN CA Certificates
Manage VPN Self-Signed Certificates
Generate a CSR and Obtain a Self-Signed Certificate from a CA
Page
Page
View and Manage Self-Signed Certificates
Manage the VPN Certificate Revocation List
Performance Management
Bandwidth Capacity
Features That Reduce Traffic
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)
Page
Content Filtering
Source MAC Filtering
Features That Increase Traffic
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)
Page
Port Trigg ering
DMZ Port
Exposed Hosts
VPN, L2TP, and PPTP Tunnels
Use QoS and Bandwidth Assignment to Shift the Traffic Mix
Set QoS Priorities
Assign Bandwidth Profiles
Monitoring Tools for Traffic Management
System Management
Change Passwords and Administrator and Guest Settings
Page
Configure Remote Management Access
Page
Network and System Management
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Figure 216. Remote Management screen for IPv6
Table 82. Remote Management screen settings for IPv4 and IPv6
About Remote Access
Use the Command-Line Interface
Use a Simple Network Management Protocol Manager
Page
Page
Page
Page
Manage the Configuration File
Back Up Settings
Restore Settin gs
Revert to Factory Default Settings
Upgrade the Firmware
Select the Firmware and Reboot the VPN Firewall
Configure Date and Time Service
Page
Network and System Management
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Table 86. Time Zone screen settings (continued)
Page
Configure and Enable the WAN Traffic Meter
Figure 223.
Table 87. WAN1 Traffic Meter screen settings
Page
Configure and Enable the LAN Traffic Meter
Page
To view the LAN IP traffic meter statistics:
Table 88. Add LAN Traffic Meter Account screen settings
Configure Logging, Alerts, and Event Notifications
Page
Table 89. Firewall Logs & E-mail screen settings
Table 89. Firewall Logs & E-mail screen settings (continued)
Page
Page
How to Send Syslogs over a VPN Tunnel between Sites
Configure Gateway 1 at Site 1
Configure Gateway 2 at Site 2
View Status Screens
View the System Status
Router Status Screen
Table 90. Router Status screen information (continued)
Router Statist ics Screen
Page
The following table explains the fields of the Detailed Status screen:
Table 92. Detailed Status screen information
Table 92. Detailed Status screen information (continued)
VLAN Status Screen
Figure 235.
To view the status of the IPv4 VLANs:
Select Monitoring > Router Status > VLAN Status. The VLAN Status screen displays:
Table 92. Detailed Status screen information (continued)
Tunnel Status Screen
Figure 236.
To view the status of the tunnels and IPv6 addresses:
Select Monitoring > Router Status > Tunnel Status. The Tunnel Status screen displays:
Table 93. VLAN Status screen information
View the VPN Connection Status, L2TP Users, and PPTP Users
Page
View the VPN Logs
View the Port Triggering Status
View the WAN Port Status
IPv4 WAN Port Status
Page
IPv6 WAN Port Status
View the Attached Devices and the DHCP Log
View the Attached Devices
View the DHCP Log
Diagnostics Utilities
Send a Ping Packet
Trace a Route
Look Up a DNS Address
Display the Routing Tables
Capture Packets in Real Time
Reboot the VPN Firewall Remotely
Page
Basic Functioning
Power L ED Not On
Test LED Never Turns Off
LAN or WAN Port LEDs Not On
Troubleshoot the Web Management Interface
When You Enter a URL or IP Address, a Time-Out Error Occurs
Troubleshoot the ISP Connection
Troubleshooting the IPv6 Connection
Page
Page
Troubleshoot a TCP/IP Network Using a Ping Utility
Test the LAN Path to Your VPN Firewall
Test the Path from Your Computer to a Remote Device
Restore the Default Configuration and Password
Page
Address Problems with Date and Time
Access the Knowledge Base and Documentation
A
Specifications
Factory Default Settings
Page
Page
Page
Page
Page
Physical and Technical Specifications
The following table shows the physical and technical specifications for the VPN firewall:
Table 100. VPN firewall physical and technical specifications
The following table shows the IPSec VPN specifications for the VPN firewall:
The following table shows the SSL VPN specifications for the VPN firewall:
Table 101. VPN firewall IPSec VPN specifications
Table 102. VPN firewall SSL VPN specifications
B
Ports (IPv4 Only)
What to Consider Before You Begin
Page
Cabling and Computer Hardware Requirements
Computer Network Configuration Requirements
Internet Configuration Requirements
Where Do I Get the Internet Configuration Information?
Internet Connection Information
Overview of the Planning Process
Inbound Traffic
Inbound Traffic to a Single WAN Port System
Inbound Traffic to a Dual WAN Port System
Inbound Traffic: Dual WAN Ports for Improved Reliability
Inbound Traffic: Dual WAN Ports for Load Balancing
Virtual Private Networks
VPN Road Warrior (Client-to-Gateway)
VPN Road Warrior: Single-Gateway WAN Port (Reference Case)
VPN Road Warrior: Dual-Gateway WAN Ports for Improved Reliability
VPN Road Warrior: Dual-Gateway WAN Ports for Load Balancing
VPN Gateway-to-Gateway
VPN Gateway-to-Gateway: Single-Gateway WAN Ports (Reference Case)
VPN Gateway-to-Gateway: Dual-Gateway WAN Ports for Improved Reliability
VPN Gateway-to-Gateway: Dual-Gateway WAN Ports for Load Balancing
VPN Telecommuter (Client-to-Gateway through a NAT Router)
VPN Telecommuter: Single-Gateway WAN Port (Reference Case)
VPN Telecommuter: Dual-Gateway WAN Ports for Improved Reliability
VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing
C
System Log Messages
NTP
Login/Logout
Table 106. System logs: NTP (continued)
This section describes logs generated by the administrative interfaces of the device.
This section describes the log message generated during system startup.
System Startup
Reboot
This section describes the log message generated during system reboot.
Unicast, Multicast, and Broadcast Logs
Firewall Restart
This section describes logs that are generated when the VPN firewall restarts.
WAN Status
Load Balancing
Auto-Rollover
Table 115. System logs: WAN status, load balancing (continued)
Table 116. System logs: WAN status, auto-rollover
PPP Logs
Table 116. System logs: WAN status, auto-rollover (continued)
Table 117. System logs: WAN status, PPPoE idle time-out
PPTP Idle Timeout Logs
Table 117. System logs: WAN status, PPPoE idle time-out (continued)
Table 118. System logs: WAN status, PPTP idle time-out
Resolved DNS Names
VPN Log Messages
IPSec VPN Logs
Table 121. System logs: IPSec VPN tunnel, tunnel establishment
Page
Table 124. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec)
Page
SSL VPN Logs
This section describes the log messages that are generated by SSL VPN policies.
Table 127. System logs: IPSec VPN tunnel, client policy behind a NAT device
Table 128. System logs: SSL VPN tunnel, WAN host and interface
Table 129. System logs: VPN log messages, port forwarding, WAN host and interface
Routing Logs
LAN to WAN Logs
LAN to DMZ Logs
WAN to LAN Logs
DMZ to WAN Logs
Table 132. Routing logs: LAN to WAN
Other Event Logs
Source MAC Filter Logs
Bandwidth Limit Logs
DHCP Logs
Table 139. Other event logs: source MAC filter logs
Table 140. Other event logs: bandwidth limit, outbound bandwidth profile
Table 141. Other event logs: bandwidth limit, inbound bandwidth profile
Table 142. DHCP logs
D
Why Do I Need Two-Factor Authentication?
What Are the Benefits of Two-Factor Authentication?
What Is Two-Factor Authentication?
NETGEAR Two-Factor Authentication Solutions
Page
Page
E
NETGEAR Wired Products
Page
Notification of Compliance (Wired)
Additional Copyrights
Notification of Compliance (Wired)
Index
Numerics
A
B
C
D
Page
E
F
G
H
I
J
K
L
M
N
O
P
Page
Q
R
S
T
U
V
W
X
