Manuals / Brands / Power Tools / Router / NETGEAR / Power Tools / Router

NETGEAR UTM10EW-100NAS, UTM25-100NAS, UTM25EW-100NAS Virtual Private Networks (VPNs)

1 480

Download 480 pages, 6.28 Mb

ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual

Network Planning for Dual WAN Ports (UTM25 Only) B-9

v1.0, September 2009

Virtual Private Networks (VPNs)

When implementing virtual private network (VPN) tunnels, a mechanism must be used for

determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN

port depends on the configuration being implemented:

Figure B-6

TableB-2. IP addressing requirements for VPNs in dual WAN port systems

Configuration and WAN IP address Single WAN Port

Configurations

(Reference Cases)

Dual WAN Port Configurations

Rollover Modea

a. All tunnels must be re-established after a rollover using the new WAN IP address.

Load Balancing Mode

“VPN Road Warrior (Client-

to-Gateway)”Fixed Allowed

(FQDN optional) FQDN required Allowed

(FQDN optional)

Dynamic FQDN required FQDN required FQDN required

“VPN Gateway-to-Gateway” Fixed Allowed

(FQDN optional) FQDN required Allowed

(FQDN optional)

Dynamic FQDN required FQDN required FQDN required

“VPN Telecommuter (Client-

to-Gateway Through a NAT

Router)”

Fixed Allowed

(FQDN optional) FQDN required Allowed

(FQDN optional)

Dynamic FQDN required FQDN required FQDN required

Contents

Main Page iii Voluntary Control Council for Interference (VCCI) Statement Additional Copyrights iv Product and Publication Details v Page Contents ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual Page Page Page Page Page Page Page Page Page About This Manual Conventions, Formats, and Scope How to Print This Manual Revision History Chapter 1 Introduction What Is the ProSecure Unified Threat Management Appliance UTM10 or UTM25? Key Features and Capabilities Dual WAN Ports for Increased Reliability or Outbound Load Balancing (UTM25 Only) Advanced VPN Support for Both IPsec and SSL A Powerful, True Firewall Stream Scanning for Content Filtering Security Features Autosensing Ethernet Connections with Auto Uplink Extensive Protocol Support Easy Installation and Management Maintenance and Support Service Registration Card with License Keys Package Contents Hardware Features Front Panel LEDs Introduction 1-11 Table1-1. LED Descriptions (continued) Rear Panel Bottom Panel With Product Label Page Choosing a Location for the UTM Using the Rack-Mounting Kit Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network Understanding the Steps for Initial Connection Qualified Web Browsers Logging In to the UTM Page Page Understanding the Web Management Interface Menu Layout Page Using the Setup Wizard to Perform the Initial Configuration Setup Wizard Step 1 of 10: LAN Settings Using the Setup Wizard to Provision the UTM in Your Network 2-9 Table2-1. Setup Wizard Step 1: LAN Settings 2-10 Using the Setup Wizard to Provision the UTM in Your Network Table2-1. Setup Wizard Step 1: LAN Settings (continued) Setup Wizard Step 2 of 10: WAN Settings Enter the settings as explained in Table2-2 on page 2-12, then click Next to go the following Page Using the Setup Wizard to Provision the UTM in Your Network 2-13 Table2-2. Setup Wizard Step 2: WAN Settings (continued) Setup Wizard Step 3 of 10: System Date and Time Using the Setup Wizard to Provision the UTM in Your Network 2-15 Table2-3. Setup Wizard Step 3: System Date and Time Settings http://ntp.isc.org/bin/view/Servers/WebHome. Setup Wizard Step 4 of 10: Security Services Using the Setup Wizard to Provision the UTM in Your Network 2-17 Table2-4. Setup Wizard Step 4: Security Services Settings Setup Wizard Step 5 of 10: Email Security Setup Wizard Step 6 of 10: Web Security Enter the settings as explained in Table2-6 on page 2-20, then click Next to go the following 2-20 Using the Setup Wizard to Provision the UTM in Your Network Table2-6. Setup Wizard Step 6: Web Security Settings Page Page Setup Wizard Step 8 of 10: Administrator Email Notification Settings Setup Wizard Step 9 of 10: Security Subscription Update Settings Enter the settings as explained in Table2-9 on page 2-25, then click Next to go the following Using the Setup Wizard to Provision the UTM in Your Network 2-25 Table2-9. Setup Wizard Step 9: Security Subscription Update Settings Update Settings Setup Wizard Step 10 of 10: Saving the Configuration Verifying Proper Installation Testing Connectivity Testing HTTP Scanning Registering the UTM with NETGEAR Page What to Do Next Page Chapter 3 Manually Configuring Internet and WAN Settings Understanding the Internet and WAN Configuration Tasks Configuring the Internet Connections Automatically Detecting and Connecting Page Page Setting the UTMs MAC Address Manually Configuring the Internet Connection Page Manually Configuring Internet and WAN Settings 3-7 Table3-2. PPTP and PPPoE Settings Page Configuring the WAN Mode (Required for the UTM25s Dual WAN M o de) Network Address Translation (UTM10 and UTM25) Classical Routing (UTM10 and UTM25) Configuring Auto-Rollover Mode (UTM25 Only) Page Manually Configuring Internet and WAN Settings 3-13 Table3-5. Auto-Rollover Mode Settings (UTM25 Only) (continued) Configuring Load Balancing and Optional Protocol Binding (UTM25 Only) Page Page Configuring Secondary WAN Addresses Page Configuring Dynamic DNS Page Page Configuring Advanced WAN Options Manually Configuring Internet and WAN Settings 3-23 3. Enter the default information settings as explained in Table 3 -8. Table3-8. Advanced WAN Settings Additional WAN-Related Configuration Tasks Chapter 4 LAN Configuration Managing Virtual LANs and DHCP Options Managing the UTMs Port-Based VLANs Page VLAN DHCP Options Page Configuring a VLAN Profile Page 4-8 LAN Configuration Table4-1. VLAN Profile Settings LAN Configuration 4-9 Table4-1. VLAN Profile Settings (continued) 4-10 LAN Configuration Table4-1. VLAN Profile Settings (continued) Configuring Multi-Home LAN IPs on the Default VLAN Managing Groups and Hosts (LAN Groups) Managing the Network Database Page Page Changing Group Names in the Network Database Setting Up Address Reservation Configuring and Enabling the DMZ Port Page 4-20 LAN Configuration Table4-3. DMZ Setup Settings LAN Configuration 4-21 Table4-3. DMZ Setup Settings (continued) Managing Routing Configuring Static Routes Configuring Routing Information Protocol (RIP) Page 4-26 LAN Configuration Table4-5. RIP Configuration Settings Static Route Example Page Chapter 5 Firewall Protection About Firewall Protection Administrator Tips Using Rules to Block or Allow Specific Kinds of Traffic Services-Based Rules Page Firewall Protection 5-5 Table5-2. Outbound Rules Overview 5-6 Firewall Protection Table5-2. Outbound Rules Overview (continued) Page 5-8 Firewall Protection Table5-3. Inbound Rules Overview Firewall Protection 5-9 Table5-3. Inbound Rules Overview (continued) Order of Precedence for Rules Setting LAN WAN Rules Page Page Setting DMZ WAN Rules Page Page Page Setting LAN DMZ Rules Page Attack Checks 2. Click the Attack Checks submenu tab. The Attack Checks screen displays. 3. Enter the settings as explained in Table 5 -4. 5-22 Firewall Protection Table5-4. Attack Checks Settings (continued) Setting Session Limits Managing the Application Level Gateway for SIP Sessions Inbound Rules Examples Page Page Page Outbound Rules Example Creating Services, QoS Profiles, and Bandwidth Profiles Adding Customized Services Page Page Creating Quality of Service (QoS) Profiles Page Page Creating Bandwidth Profiles Page Page Setting a Schedule to Block or Allow Specific Traffic Enabling Source MAC Filtering Page Setting up IP/MAC Bindings 3. Enter the settings as explained in Table 5 -9. Configuring Port Triggering Page Page Using the Intrusion Prevention System Page Page Page Chapter 6 Content Filtering and Optimizing Scans About Content Filtering and Scans 6-2 Content Filtering and Optimizing Scans Default E-mail and Web Scan Settings Table6-1. Default E-mail and Web Scan Settings Configuring E-mail Protection Customizing E-mail Protocol Scan Settings Customizing E-mail Anti-Virus and Notification Settings 6-6 Content Filtering and Optimizing Scans 2. Enter the settings as explained in Table 6 -2. Table6-2. E-mail Anti-Virus and Notification Settings Content Filtering and Optimizing Scans 6-7 Table6-2. E-mail Anti-Virus and Notification Settings (continued) E-mail Content Filtering Page 6-10 Content Filtering and Optimizing Scans 2. Enter the settings as explained in Table 6 -3. Table6-3. E-mail Filter Settings Content Filtering and Optimizing Scans 6-11 3. Click Apply to save your settings. Protecting Against E-mail Spam Table6-3. E-mail Filter Settings (continued) Page Page Page Page Page 3. Enter the settings as explained in Table 6 -5. 6-18 Content Filtering and Optimizing Scans Table6-5. Distributed Spam Analysis Settings (continued) Configuring Web and Services Protection Customizing Web Protocol Scan Settings and Services 2. Enter the settings as explained in Table 6 -5. Configuring Web Malware Scans 2. Enter the settings as explained in Table 6 -2. Configuring Web Content Filtering Page Page Page Page 6-28 Content Filtering and Optimizing Scans Table6-8. Content Filtering Settings Content Filtering and Optimizing Scans 6-29 Table6-8. Content Filtering Settings (continued) Configuring Web URL Filtering Page 6-32 Content Filtering and Optimizing Scans 3. Enter the settings as explained in Table 6 -9. Table6-9. URL Filtering Settings Content Filtering and Optimizing Scans 6-33 Table6-9. URL Filtering Settings (continued) HTTPS Scan Settings Page Page Specifying Trusted Hosts Page Configuring FTP Scans Page Setting Web Access Exceptions and Scanning Exclusions Setting Web Access Exception Rules Page Page Setting Scanning Exclusions Page Page Chapter 7 Virtual Private Networking Using IPsec Connections Considerations for Dual WAN Port Systems (UTM25 Only) The diagrams and table below show how the WAN mode selection relates to VPN configuration. Using the IPsec VPN Wizard for Client and Gateway Configurations Creating Gateway-to-Gateway VPN Tunnels with the Wizard Page 3. Select the radio buttons and complete the fields and as explained Table 7- 2. 7-6 Virtual Private Networking Using IPsec Connections Table7-2. (IPsec) VPN Wizard Settings for a Gateway-to-Gateway Tunnel (continued) Page Creating a Client to Gateway VPN Tunnel Page 7-10 Virtual Private Networking Using IPsec Connections 3. Select the radio buttons and complete the fields and as explained Table 7- 3. Table7-3. (IPsec) VPN Wizard Settings for a Client-to-Gateway Tunnel Page Page Virtual Private Networking Using IPsec Connections 7-13 3. Enter the settings as explained in Table 7 -4. Table7-4. Security Policy Editor: Remote Party Settings Page Page Testing the Connections and Viewing Status Information Testing the VPN Connection NETGEAR VPN Client Status and Log Information Page Viewing the UTM IPsec VPN Connection Status Viewing the UTM IPsec VPN Log Page Managing IKE Policies Page Page Page 7-26 Virtual Private Networking Using IPsec Connections Table7-10. Add IKE Policy Settings Virtual Private Networking Using IPsec Connections 7-27 7-28 Virtual Private Networking Using IPsec Connections Virtual Private Networking Using IPsec Connections 7-29 Managing VPN Policies Page Page Page 7-34 Virtual Private Networking Using IPsec Connections Table7-12. Add VPN Policy Settings Virtual Private Networking Using IPsec Connections 7-35 Table7-12. Add VPN Policy Settings (continued) 7-36 Virtual Private Networking Using IPsec Connections Table7-12. Add VPN Policy Settings (continued) Configuring Extended Authentication (XAUTH) Configuring XAUTH for VPN Clients User Database Configuration RADIUS Client Configuration Page Virtual Private Networking Using IPsec Connections 7-41 3. Complete the fields and select the radio buttons as explained Table 7 -14. Table 7-14 . RADIUS Client Settings Assigning IP Addresses to Remote Users (Mode Config) Mode Config Operation Configuring Mode Config Operation on the UTM Page Page Virtual Private Networking Using IPsec Connections 7-45 Table7-15. Add Mode Config Record Settings (continued) Page Virtual Private Networking Using IPsec Connections 7-47 Table7-16. Add IKE Policy Settings for a Mode Config Configuration 7-48 Virtual Private Networking Using IPsec Connections Table7-16. Add IKE Policy Settings for a Mode Config Configuration (continued) Virtual Private Networking Using IPsec Connections 7-49 9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. Configuring the ProSafe VPN Client for Mode Config Operation Table7-16. Add IKE Policy Settings for a Mode Config Configuration (continued) Page Page Page Page Testing the Mode Config Connection Configuring Keepalives and Dead Peer Detection Configuring Keepalives Configuring Dead Peer Connection 3. In the IKE SA Parameters section of the screen, locate the DPD fields. 4. Select the radio button and complete the fields as explained Table 7 -21. 5. Click Apply to save your settings. Configuring NetBIOS Bridging with IPsec VPN Chapter 8 Virtual Private Networking Using SSL Connections Understanding the SSL VPN Portal Options Using the SSL VPN Wizard for Client Configurations SSL VPN Wizard Step 1 of 6: Portal Settings 8-4 Virtual Private Networking Using SSL Connections Table8-1. SSL VPN Wizard Step 1: Portal Settings SSL VPN Wizard Step 2 of 6: Domain Settings 8-6 Virtual Private Networking Using SSL Connections Table8-2. SSL VPN Wizard Step 2: Domain Settings SSL VPN Wizard Step 3 of 6: User Settings Page SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes 8-10 Virtual Private Networking Using SSL Connections Table8-4. SSL VPN Wizard Step 4: SSL VPN Wizard Step 5 of 6: Port Forwarding 8-12 Virtual Private Networking Using SSL Connections Table8-5. SSL VPN Wizard Step 5: Port Forwarding Settings (continued) Page Accessing the New SSL Portal Login Screen Page Viewing the UTM SSL VPN Connection Status Viewing the UTM SSL VPN Log Manually Configuring and Editing SSL Connections Creating the Portal Layout Page Page Virtual Private Networking Using SSL Connections 8-21 4. Complete the fields and select the checkboxes as explained Table 8 -6. Table 8-6. Add Portal Layout Settings https://vpn.company.com/portal/CustomerSupport Configuring Domains, Groups, and Users Configuring Applications for Port Forwarding Page Page Configuring the SSL VPN Client Page Page Using Network Resource Objects to Simplify Policies Page Page Configuring User, Group, and Global Policies Page Page Page Virtual Private Networking Using SSL Connections 8-35 Table 8-10 . Add Policy Settings (continued) 8-36 Virtual Private Networking Using SSL Connections Table 8-10 . Add Policy Settings (continued) Page Page Chapter 9 Managing Users, Authentication, and Certificates Configuring VPN Authentication Domains, Groups, and Users 9-2 Managing Users, Authentication, and Certificates Configuring Domains Table9-1.Authentication Protocols and Methods Page 9-4 Managing Users, Authentication, and Certificates 2. Under the List of Domains table, click the add table button. The Add Domain screen displays. 3. Enter the settings as explained in Table 9 -2. Figure 9-2 Table9-2. Add Domain Settings Managing Users, Authentication, and Certificates 9-5 Table9-2. Add Domain Settings (continued) Configuring Groups for VPN Policies Page Page Configuring User Accounts Page 3. Enter the settings as explained in Table 9 -4. Managing Users, Authentication, and Certificates 9-11 Figure 9-6 Table9-4. Add User Settings Setting User Login Policies Page Page Page Changing Passwords and Other User Settings Managing Digital Certificates Page Managing CA Certificates Managing Self Certificates Page Page Page Page Managing the Certificate Revocation List Page Chapter 10 Network and System Management Performance Management Bandwidth Capacity Features That Reduce Traffic Page Page Features That Increase Traffic Page Page Using QoS and Bandwidth Assignment to Shift the Traffic Mix Monitoring Tools for Traffic Management System Management Changing Passwords and Administrator Settings Page Page Configuring Remote Management Access Page Using an SNMP Manager Managing the Configuration File Page Page Updating the Firmware Page Page Updating the Scan Signatures and Scan Engine Firmware Page Page Configuring Date and Time Service Page Page Chapter 11 Monitoring System Access and Performance Enabling the WAN Traffic Meter Page Monitoring System Access and Performance 11-3 Table11-1. WAN Traffic Meter Settings Page Configuring Logging, Alerts, and Event Notifications Configuring the E-mail Notification Server Configuring and Activating System, E-mail, and Syslog Logs Page 11-8 Monitoring System Access and Performance 2. Enter the settings as explained in Table 1 1-2. Table11-3. E-mail and Syslog Settings Monitoring System Access and Performance 11-9 Table11-3. E-mail and Syslog Settings (continued) Configuring and Activating Update Failure and Attack Alerts 3. Enter the settings as explained in Table 1 1-4. 11-12 Monitoring System Access and Performance Table11-4. Alerts Settings (continued) Configuring and Activating Firewall Logs Monitoring Real-Time Traffic, Security, and Statistics Page Page Page 11-18 Monitoring System Access and Performance Table11-7 explains the fields of the Most Recent 5 and Top 5 sections of the Dashboard screen. Table11-7. Dashboard: Most Recent 5 and Top 5 Information Table11-8 explains the fields of the Service Statistics section of the Dashboard screen. Viewing Status Screens Viewing System Status Page Page Table11-11 on page 11-24 explains the Interface Statistics section of the System Status screen. Viewing Active VPN Users Viewing VPN Tunnel Connection Status Page Viewing Port Triggering Status Viewing the WAN Ports Status Page Viewing Attached Devices and the DHCP Log Page Page Querying Logs and Generating Reports Querying the Logs Page 3. Enter the settings as explained in Table11-15. Monitoring System Access and Performance 11-35 Table11-15. Logs Query Settings (continued) 11-36 Monitoring System Access and Performance Table11-15. Logs Query Settings (continued) Page Page Scheduling and Generating Reports Page Page Page Using Diagnostics Utilities Using the Network Diagnostic Tools Page Using the Realtime Traffic Diagnostics Tool Gathering Important Log Information and Generating a Network Statistics Report Rebooting and Shutting Down the UTM Chapter 12 Troubleshooting and Using Online Support Basic Functioning Power LED Not On Test LED Never Turns Off LAN or WAN Port LEDs Not On Troubleshooting the Web Management Interface When You Enter a URL or IP Address a Time-out Error Occurs Troubleshooting the ISP Connection Troubleshooting a TCP/IP Network Using a Ping Utility Testing the LAN Path to Your UTM Testing the Path from Your PC to a Remote Device Restoring the Default Configuration and Password Problems with Date and Time Using Online Support Enabling Remote Troubleshooting Sending Suspicious Files to NETGEAR for Analysis Page Appendix A Default Settings and Technical Specifications Table A -2 shows the physical and technical specifications for the UTM. A-2 Default Settings and Technical Specifications TableA-2. UTM Physical and Technical Specifications TableA-1. UTM Default Configuration Settings (continued) Table A -3 shows the IPsec VPN specifications for the UTM. Default Settings and Technical Specifications A-3 TableA-3. UTM IPsec VPN Specifications TableA-2. UTM Physical and Technical Specifications (continued) Table A -4 shows the SSL VPN specifications for the UTM. Note: For default e-mail and Web scan settings, see Table6-1 on page 6-2. Appendix B Network Planning for Dual WAN Ports (UTM25 Only) What to Consider Before You Begin Page Cabling and Computer Hardware Requirements Computer Network Configuration Requirements Internet Configuration Requirements Page Overview of the Planning Process Page Inbound Traffic Inbound Traffic to a Single WAN Port System Inbound Traffic to a Dual WAN Port System Network Planning for Dual WAN Ports (UTM25 Only) B-9 Virtual Private Networks (VPNs) Figure B-6 TableB-2. IP addressing requirements for VPNs in dual WAN port systems Page VPN Road Warrior (Client-to-Gateway) Page VPN Gateway-to-Gateway Page Page VPN Telecommuter (Client-to-Gateway Through a NAT Router) Page Page Appendix C System Logs and Error Messages System Log Messages System Startup Reboot System Logs and Error Messages C-3 Service Logs NTP TableC-4. System Logs: Service TableC-5. System Logs: NTP Login/Logout This section describes logs that are generated by the administrative interfaces of the device. This section describes logs that are generated when the IPsec restarts. Firewall Restart This section describes logs that are generated when the firewall restarts. WAN Status C-6 System Logs and Error Messages System Logs: WAN Status, Auto Rollover (continued) TableC-9. System Logs: WAN Status, Load Balancing System Logs and Error Messages C-7 TableC-10. System Logs: WAN Status, PPPoE Idle-Timeout C-8 System Logs and Error Messages PPTP Idle-Timeout Logs PPP Authentication Logs TableC-11. System Logs: WAN Status, PPTP Idle-Timeout TableC-12. System Logs: WAN Status, PPP Authentication Traffic Metering Logs This section describes logs that are generated when the traffic meter has reached a limit. Unicast Logs This section describes logs that are generated when the UTM processes unicast packets. C-10 System Logs and Error Messages Invalid Packet Logging This section describes logs that are generated when the UTM processes invalid packets. TableC-16. System Logs: Multicast/Broadcast TableC-17. System Logs: Invalid Packets System Logs and Error Messages C-11 TableC-17. System Logs: Invalid Packets (continued) C-12 System Logs and Error Messages TableC-17. System Logs: Invalid Packets (continued) Content Filtering and Security Logs This section describes logs that are generated when the UTM filters Web content. Web Filtering and Content Filtering Logs TableC-18. Content Filtering and Security Logs: Web Filtering and Content Filtering System Logs and Error Messages C-13 Spam Logs This section describes logs that are generated when the UTM filters spam e-mail messages. TableC-19. Content Filtering and Security Logs: Spam C-14 System Logs and Error Messages Traffic Logs This section describes logs that are generated when the UTM processes Web and e-mail traffic. This section describes logs that are generated when the UTM filters e-mail content. Virus Logs This section describes logs that are generated when the UTM detects viruses. IPS Logs This section describes logs that are generated when traffic matches IPS rules. Port Scan Logs This section describes logs that are generated when ports are scanned. Instant Messaging/Peer-to-Peer Logs Routing Logs This section describes logs that are generated when the UTM processes DMZ to WAN traffic. LAN to WAN Logs This section describes logs that are generated when the UTM processes LAN to WAN traffic. LAN to DMZ Logs WAN to LAN Logs This section describes logs that are generated when the UTM processes WAN to LAN traffic. This section describes logs that are generated when the UTM processes WAN to DMZ traffic. DMZ to LAN Logs This section describes logs that are generated when the UTM processes DMZ to LAN traffic. Page Appendix D Two Factor Authentication Why do I need Two-Factor Authentication? What are the benefits of Two-Factor Authentication? What is Two-Factor Authentication NETGEAR Two-Factor Authentication Solutions Page Page Appendix E Related Documents Page Index-1 Index Numerics A Index-2 B C Index-3 D Index-4 E Index-5 F G H Index-6 I Index-7 J K L Index-8 M N Index-9 O P Index-10 Q Index-11 R S Index-12 Index-13 T Index-14 U V Index-15 W Index-16 X Y