
Netgear UTM5 User's Manual


Contents

1. [Figure 7-1: Dual WAN port model, WAN port rollover (WAN 1 port, WAN 2 port, rest of UTM functions, UTM WAN port rollover control, Internet). Same FQDN required for both WAN ports.]
[Figure 7-2: Dual WAN port model, WAN load balancing (FQDN optional for VPN). FQDN required for dynamic IP addresses; FQDN optional for static IP addresses.]
Table 7-1 summarizes the WAN addressing requirements (FQDN or IP address) for a VPN tunnel in either dual WAN mode.
Table 7-1. IP Addressing for VPNs in Dual WAN Port Systems (columns: Configuration and WAN IP address / Rollover Mode (a) / Load Balancing Mode)
VPN Road Warrior (client to gateway), fixed IP address: Rollover: FQDN required; Load balancing: FQDN allowed (optional).
VPN Road Warrior (client to gateway), dynamic IP address: Rollover: FQDN required; Load balancing: FQDN required.
(Virtual Private Networking Using IPsec Connections, page 7-2; v1.0, January 2010, ProSecure Unified Threat Management UTM Appliance Reference Manual)
Table 7-1 (continued). IP Addressing for VPNs in Dual WAN Port Systems
VPN Gateway to Gateway, fixed IP address: Rollover: FQDN required; Load balancing: FQDN allowed (optional).
VPN Gateway to Gateway, dynamic IP address: Rollover: FQDN required; Load balancing: FQDN required.
VPN Telecommuter (client to gateway through a NAT router), fixed IP address: Rollover: FQDN required; Load balancing: FQDN allowed (optional).
VPN Telecommuter (client to gateway through a NAT router), Dynam
2. Message: Nov 29 09:19:43 UTM kernel: DMZ2WAN DROP IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the DMZ to the WAN has been dropped by the firewall. For other settings, see Table C-1.
Recommended Action: None.
WAN to LAN Logs. This section describes logs that are generated when the UTM processes WAN to LAN traffic.
Table C-29. Routing Logs: WAN to LAN
Message: Nov 29 10:05:15 UTM kernel: WAN2LAN ACCEPT IN=WAN OUT=LAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the LAN to the WAN has been allowed by the firewall. For other settings, see Table C-1.
Recommended Action: None.
DMZ to LAN Logs. This section describes logs that are generated when the UTM processes DMZ to LAN traffic.
Table C-30. Routing Logs: DMZ to WAN
Message: Nov 29 09:44:06 UTM kernel: DMZ2LAN DROP IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the DMZ to the LAN has been dropped by the firewall. For other settings, see Table C-1.
Recommended Action: None.
WAN to DMZ Logs. This section describes logs that are generated when the UTM processes WAN to DMZ traffic.
Table C-31. Routing Log
3. 2. Click the Add table button to add the PC or device to the Known PCs and Devices table. As an optional step, to enable DHCP address reservation for the entry that you just added to the Known PCs and Devices table, select the checkbox for the table entry and click Save Binding to bind the IP address to the MAC address for DHCP assignment.
Editing PCs or Devices in the Network Database. To edit PCs or devices manually in the Network Database:
1. In the Known PCs and Devices table of the LAN Groups screen (see Figure 4-5 on page 4-14), click the Edit table button of a table entry. The Edit Groups and Hosts screen displays (see Figure 4-6), which contains some examples.
[Figure 4-6: Edit Groups and Hosts screen (Name, IP Address Type, IP Address, MAC Address, Group, Profile Name)]
In the Edit Known PC and Device section, specify the fields and make selections from the pull-down menus as explained in step 1 of the previous section, Adding PCs or Devices to the Network Database on page 4-15. Click Apply to save your settings in the Known PCs and Devices table.
Changing Group Names in the Network Database. By default, the groups are named Group1 through Group8. You can rename these group
4. Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active services at your location. If you are unsure, see the Acceptable Use Policy of your ISP.
Order of Precedence for Rules. As you define new rules, they are added to the tables in the Rules screen as the last item in the list, as shown in the LAN WAN Rules screen example in Figure 5-1.
[Figure 5-1: LAN WAN Rules screen, showing the Default Outbound Policy, the Outbound Services table and the Inbound Services table with example rules]
For any traffic attempting to pass through the firewall, the packet information is subjected
5. These fields are self-explanatory.
[Figure 11-12: System Status screen (3 of 3), Interface Statistics section with columns Interface, Status, Tx KB, Rx KB]
Table 11-11 on page 11-24 explains the Interface Statistics section of the System Status screen.
Table 11-11. System Status: Interface Statistics (columns: Setting / Description or Subfield and Description)
For each interface (LAN, WAN1, WAN2, and DMZ for the dual WAN port models; LAN, WAN, and DMZ for the single WAN port models), the following statistics are displayed:
Status: 10BaseT Half duplex, 10BaseT Full duplex, 100BaseT Half duplex, 100BaseT Full duplex, or No Link.
Tx KB: The number of transmitted packets in KB.
Rx KB: The number of received packets in KB.
Viewing Active VPN Users. The Active Users screen displays a list of administrators, IPsec VPN, and SSL VPN users that are currently logged into the UTM. To display the list of active VPN users: Select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view.
[Figure: Active Users screen (tabs: Active Users, IPSec VPN Connection Status, SSL VPN Connection Status)]
6. 4. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table.
5. Click Apply to save your changes.
To edit an IP/MAC binding:
1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
2. Modify the settings that you wish to change (see Table 5-9).
3. Click Apply to save your changes. The modified IP/MAC binding is displayed in the IP/MAC Bindings table.
Configuring Port Triggering. Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Once configured, port triggering operates as follows:
1. A PC makes an outgoing connection using a port number that is defined in the Port Triggering Rules table.
2. The UTM records this connection, opens the additional incoming port or ports that are associated with the rule in the port triggering table, and associates them with the PC.
3. The remote system receives the PC's request and responds using the incoming port or ports that are associated with the rule in the port triggering table on the UTM.
4. The UTM matches the response to the previous request and forwards the response to the PC.
Without port triggering, the response from the external app
7. 2. Enter the settings as explained in Table 11-2.
Table 11-3. E-mail and Syslog Settings (columns: Setting / Description or Subfield and Description)
System Logs Option: Select the checkboxes to specify which system events are logged.
Change of Time by NTP: Logs a message when the system time changes after a request from an NTP server.
Secure Login Attempts: Logs a message when a secure login is attempted. Both successful and failed login attempts are logged.
Reboots: Logs a message when the UTM has been rebooted through the Web Management Interface. No message is logged when the Reset button has been pushed to reboot the UTM.
All Unicast Traffic: All incoming unicast packets are logged.
All Broadcast/Multicast Traffic: All incoming broadcast and multicast packets are logged.
WAN Status: WAN link status-related events are logged.
Resolved DNS Names: All resolved DNS names are logged.
Email Logs to Administrator. Enable: Select this checkbox to enable the UTM to send a log file to an e-mail address. Send to: The e-mail address of the recipient of the log file. Click Send Now to immediately send the logs that you first must have specified below. Frequency: Select a radio button to specify how often the log file is sent. When the space is full: Logs are sent when t
8. [Figure 9-1: List of Domains table]
The List of Domains table displays the domains with the following fields:
Checkbox: Allows you to select the domain in the table.
Domain Name: The name of the domain. The default domain name (geardomain) is appended by an asterisk.
Authentication Type: The authentication method that is assigned to the domain.
Portal Layout Name: The SSL portal layout that is assigned to the domain.
Action: The Edit table button that provides access to the Edit Domain screen.
2. Under the List of Domains table, click the Add table button. The Add Domain screen displays.
[Figure 9-2: Add Domain screen (Domain Name, Authentication Type, Select Portal, Authentication Server, Authentication Secret, Workgroup, LDAP Base DN, Active Directory Domain)]
3. Enter the settings as explained in Table 9-2.
Table 9-2. Add Domain Settings (columns: Setting / Description or Subfield and Description)
DOMAIN NAME: A descriptive (alphanumeric) name of the domain for identification and management purposes.
Authentication Type: Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client Configuration on page 7-40). From the pull-do
9. Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.
To configure the UTM for additional IP addresses:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear.
2. If your server is to be on your LAN, select the LAN WAN Rules submenu tab. This is the screen we will use in this example. If your server is to be on your DMZ, select the DMZ WAN Rules submenu tab.
3. Click the Add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen displays.
[Figure 5-13: Add LAN WAN Inbound Service screen (Service HTTP, Action ALLOW always, Select Schedule, Send to LAN Server, Translate to Port Number, WAN Destination IP Address, LAN Users, WAN Users, QoS Profile, Bandwidth Profile)]
4. From the Service pull-down menu, select HTTP for a Web server.
5. From the Action p
10. [Figure 5-18: Attack Checks screen, Enable SIP checkbox (tabs: IPS, Firewall Objects, LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit)]
Select the Enable SIP checkbox. Click Apply to save your settings.
Creating Services, QoS Profiles, and Bandwidth Profiles. When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules.
Services: A service narrows down the firewall rule to an application and a port number. For information about adding services, see Adding Customized Services on page 5-32.
QoS profiles: A quality of service (QoS) profile defines the relative priority of an IP packet for traffic that matches the firewall rule. For information about creating QoS profiles, see Creating Quality of Service (QoS) Profiles on page 5-35.
Bandwidth profiles: A bandwidth profile allocates and limits traffic bandwidth for the LAN users to which a firewall rule is applied. For information about creating bandwidth profiles, see Creating Bandwidth Profiles on page 5-38.
Note: A schedule narrows down the period during which a firewall rule is applied. For information about specifying schedules, see Setting a Schedule to Block or Allow Specific Traffic on page 5-41.
Adding Cust
11. [Figure 6-4: Whitelist/Blacklist screen (Sender Email Address, SMTP only; Recipients Domain, SMTP only, whitelist; Recipients Email Address, SMTP only, whitelist; wildcards are supported)]
2. Enter the settings as explained in Table 6-3.
Table 6-4. Whitelist/Blacklist Settings (columns: Setting / Description or Subfield and Description)
Sender IP Address. Whitelist: Enter the source IP addresses from which e-mails can be trusted. Blacklist: Enter the source IP addresses from which e-mails are blocked. Click Apply to save your settings or click Reset to clear all entries from these fields.
Sender Domain. Whitelist: Enter the sender e-mail domains from which e-mails can be trusted. Blacklist: Enter the sender e-mail domains from which e-mails are blocked. Click Apply to save your settings or click Reset to clear all entries from these fields.
Sender Email Address. Whitelist: Enter the e-mail addresses from which e-mails can be trusted. Blacklist: Enter the e-mail addresses from which e-mails are blocked. Click Ap
12. Using the Network Diagnostic Tools. This section discusses the Network Diagnostics section and the Perform a DNS Lookup section of the Diagnostics screen.
[Figure 11-26: Diagnostics screen (1 of 3): IP Address field, Ping through VPN tunnel checkbox, Ping, Traceroute, Display the Routing Table, Domain Name Lookup]
Sending a Ping Packet. Use the Ping utility to send a ping packet request in order to check the connection between the UTM and a specific IP address. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results are displayed on a new screen; click Back on the Windows menu bar to return to the Diagnostics screen.
To send a ping:
1. Locate the Network Diagnostics section on the Diagnostics screen.
2. In the IP Address field, enter the IP address that you want to ping.
3. If the specified address is reached through a VPN tunnel, select the Ping through VPN tunnel checkbox.
4. Click the Ping button. The results of the ping are displayed in a new screen. To return to the Diagnostics screen, click Back on the Windows menu b
13. Recommended Action: None.
PPP Logs. This section describes the WAN PPP connection logs. The PPP type can be configured through the Web Management Interface (see Manually Configuring the Internet Connection on page 3-5).
PPPoE Idle Timeout Logs
Table C-10. System Logs: WAN Status, PPPoE Idle Timeout
Message 1: Nov 29 13:12:46 UTM pppd: Starting connection
Message 2: Nov 29 13:12:49 UTM pppd: Remote message: Success
Message 3: Nov 29 13:12:49 UTM pppd: PAP authentication succeeded
Message 4: Nov 29 13:12:49 UTM pppd: local IP address 50.0.0.62
Message 5: Nov 29 13:12:49 UTM pppd: remote IP address 50.0.0.1
Message 6: Nov 29 13:12:49 UTM pppd: primary DNS address 202.153.32.3
Message 7: Nov 29 13:12:49 UTM pppd: secondary DNS address 202.153.32.3
Message 8: Nov 29 11:29:26 UTM pppd: Terminating connection due to lack of activity
Message 9: Nov 29 11:29:28 UTM pppd: Connect time 8.2 minutes
Message 10: Nov 29 11:29:28 UTM pppd: Sent 1408 bytes, received 0 bytes
Message 11: Nov 29 11:29:29 UTM pppd: Connection terminated
Explanation: Message 1: PPPoE connection establishment started. Message 2: Message from PPPoE server for correct login. Message 3: Authentication for PPP succeeded. Message 4: Local IP address assigned by the server. Message 5: Serv
14. 2. Click the Portal Layouts submenu tab. The Portal Layout screen displays (see Figure 8-12 on page 8-19).
3. In the Portal URL field of the List of Layouts table, click on the URL that ends with the portal layout name that you defined with the help of the SSL VPN Wizard. The new SSL portal login screen displays (see Figure 8-8 on page 8-15).
[Figure 8-8: NETGEAR Configuration Manager Login screen (User Name, Password/Passcode, Domain). Note on screen: When the UTM scans secure HTTPS traffic you must import the root CA certificate into your browser. Click to download.]
4. Enter the user name and password that you just created with the help of the SSL VPN Wizard.
5. Click Login. The default User Portal screen displays. Click the VPN Tunnel client icon to connect to the remote network. Keep your browser open to maintain the connection.
[Figure 8-9: Connect using VPN Tunnel. Note: If you reload your browser, the VPN Tunnel client will disconnect and then reconnect to the remote network.]
The default User Portal screen displays a simple menu th
15. If any of these conditions do not occur, see the appropriate following section.
Power LED Not On. If the Power and other LEDs are off when your UTM is turned on, make sure that the power cord is properly connected to your UTM and that the power supply adapter is properly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR Technical Support.
Test LED Never Turns Off. When the UTM is powered on, the Test LED turns on for approximately 2 minutes and then turns off when the UTM has completed its initialization. If the Test LED remains on, there is a fault within the UTM. If all LEDs are still on more than several minutes after power-up:
Turn the power off and then turn it on again to see if the UTM recovers.
Clear the UTM's configuration to factory defaults. Doing so sets the UTM's IP address to 192.168.1.1. This procedure is explained in Restoring the Default Configuration and Password on page 12-9.
If the error persists, you might have a hardware problem and should contact NETGEAR Technical Support.
LAN or WAN Port LEDs Not On. If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following:
Make sure that the Ethernet cable connections are secure at the UTM and
16. MD5 Key Id: The identifier for the key that is used for authentication.
MD5 Auth Key: The password that is used for MD5 authentication.
Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
Not Valid After: The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. After this date and time, the MD5 key is no longer valid.
Second Key Parameters. MD5 Key Id: The identifier for the key that is used for authentication. MD5 Auth Key: The password that is used for MD5 authentication.
Table 4-5. RIP Configuration Settings (continued) (columns: Setting / Description or Subfield and Description)
Authentication for RIP-2B/2M (required) (continued). Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid. Not Valid After: The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. After this date and time, the MD5 key is no longer valid.
4. Click Apply to save your settings.
Static Route Example. In this example, we assume the following: The UTM's primary Internet access is t
17. 1. On a dual WAN port model, select Network Configuration > WAN Settings > WAN1 ISP Settings. The WAN Settings tabs appear with the WAN1 ISP Settings screen in view (see Figure 3-1 on page 3-3, which shows a dual WAN port model's screen). On a single WAN port model, select Network Configuration > WAN Settings > WAN ISP Settings. The WAN ISP Settings screen displays. Figure 3-4 shows the ISP Login section of the screen.
[Figure 3-4: ISP Login section (Does Your Internet Connection Require a Login? Yes/No; Login; Password)]
2. In the ISP Login section of the screen, select one of the following options:
If your ISP requires an initial login to establish an Internet connection, click Yes (this is the default).
If a login is not required, click No and ignore the Login and Password fields.
3. If you clicked Yes, enter the login name in the Login field and the password in the Password field. This information is provided by your ISP.
4. In the ISP Type section on the screen, select the type of ISP connection that you use from the three listed options. By default, Other (PPPoE) is selected, as shown in Figure 3-5.
[Figure 3-5: ISP Type section (Which type of ISP connection do you use? Austria (PPTP): Account Name, Domain Name, Login Server, My IP Address, Server IP Address; Other (PPPoE): Keep Connected, Idle Timeout, Idle Time (Minutes))]
Manually Configurin
18. [Figure 5-3: Add LAN WAN Outbound Service screen (Service STRMWORKS, Action ALLOW always, Select Schedule Schedule 1, LAN Users Single Address with Start/Finish, WAN Users Any, QoS Profile Maximize Throughput, Log Never, Bandwidth Profile NONE)]
2. Enter the settings as explained in Table 5-2 on page 5-5.
3. Click Apply to save your changes. The new rule is now added to the Outbound Services table.
LAN WAN Inbound Services Rules. The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic from the Internet to the LAN is blocked. Remember that allowing inbound services opens potential security holes in your firewall. Only enable those ports that are necessary for your network.
To create a new inbound LAN WAN service rule:
1. In the LAN WAN Rules screen, click the Add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen displays.
[Figure: Add LAN WAN Inbound Service screen (Action, Select Schedule Schedule 1, Send to LAN Server, Translate to Port Number, WAN Destination IP Address, LAN Users Any with Start/Finish, WAN Users with Start/Finish, QoS Profil
19. [Figure 5-8: Outbound and Inbound Services tables with Enable, Disable, and Add table buttons]
To make changes to an existing outbound or inbound service rule: In the Action column to the right of the rule, click one of the following table buttons:
Edit: Allows you to make any changes to the rule definition of an existing rule. Depending on your selection, either the Edit LAN DMZ Outbound Service screen (identical to Figure 5-9 on page 5-20) or the Edit LAN DMZ Inbound Service screen (identical to Figure 5-10 on page 5-21) displays, containing the data for the selected rule.
Up: Moves the rule up one position in the table rank.
Down: Moves the rule down one position in the table rank.
To delete or disable one or more rules:
1. Select the checkbox to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.
2. Click one of the following table buttons:
Disable: Disables the rule or rules. The status icon changes from a green circle to a grey circle, indicating that the rule or rules are disabled. By default, when a rule is added to the table, it is automatically enabled.
Delete: Deletes the rule or rules.
LAN DMZ Outbound Services Rules. You may change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rule
20. Index (excerpt)
J: Java 6-24, 6-28.
K: keepalives, VPN tunnels 7-35, 7-56; keywords: blocking 6-8, 6-24, 6-28, using wildcards 6-24; kit, rack-mounting 5; Knowledge Base 2-2.
L: label, bottom panel 3; LAN: bandwidth capacity 10-1, configuration 4, default settings A, groups 4-6 (assigning 4-14, managing 4-12), hosts (managing 4-2), Known PCs and Devices table 4-4, 4-15, LEDs 1-11, 12-3, network database 4-12, 4-13, ports 2-1, 10, secondary IP addresses 4-17, security checks 5-29, settings using the Setup Wizard 2-8, testing the LAN path 12-7; LDAP 8-6, 9-3, 9-5, server; DHCP 2-10, 4-9, 4-21; VLANs 4-6; LEDs: explanation of 0 1 11, front panel 7 11, troubleshooting 2 2 12 3; licenses: expiration dates 77 22, key 1-8, ProSafe VPN Client software 2; Lightweight Directory Access Protocol, see LDAP; limit, traffic meter or counter 3; limits, sessions 5-30; load balancing mode (dual WAN port models): bandwidth capacity 170 1, configuring 3-14, DDNS 3-19, description 3 0, settings 3-14, VPN IPsec 7-1; local area network, see LAN; local user database 8-6, 9-4; location, placement 4; lock, security 7 12; log information, diagnostics 11-47; log messages and error messages, understanding C-1; logging: administrator e-mailing options 71 8, configuring options 71 8, e-mail address for sending logs 2-23, 11-6, firewall logs co
21. Table 7-12. Add VPN Policy Settings (continued) (columns: Item / Description or Subfield and Description)
Integrity Algorithm: From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process: SHA-1: Hash algorithm that produces a 160-bit digest. This is the default setting. MD5: Hash algorithm that produces a 128-bit digest.
Key In: The integrity key for the inbound policy. The length of the key depends on the selected integrity algorithm: MD5: enter 16 characters. SHA-1: enter 20 characters.
Key Out: The integrity key for the outbound policy. The length of the key depends on the selected integrity algorithm. The required key lengths are the same as for the Key In (see above).
Auto Policy Parameters. Note: These fields apply only when you select Auto Policy as the policy type.
SA Lifetime: The lifetime of the Security Association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and must be renegotiated. From the pull-down menu, select how the SA lifetime is specified: Seconds: In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default value is 3600 seconds. KBytes: In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.
Encryption Algorithm: From the pull-down menu, select one of the following five algorithms to negot
22. [Figure 3-13: Advanced WAN settings screen (Use Default Address / Use this computer's MAC / Use this MAC Address; Upload/Download Settings: WAN Connection Type, WAN Connection Speed Upload in Kbps, WAN Connection Speed Download in Kbps)]
3. Enter the default information settings as explained in Table 3-8.
Table 3-8. Advanced WAN Settings (columns: Setting / Description or Subfield and Description)
MTU Size: Make one of the following selections: Default: Select the Default radio button for the normal Maximum Transmit Unit (MTU) value. For most Ethernet networks, this value is 1500 Bytes, or 1492 Bytes for PPPoE connections. Custom: Select the Custom radio button and enter an MTU value in the Bytes field. For some ISPs, you might need to reduce the MTU. This is rarely required and should not be done unless you are sure it is necessary for your ISP connection.
Port Speed: In most cases, the UTM can automatically determine the connection speed of the WAN port of the device (modem or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed. If you know the Ethernet port speed of the modem or router, select it from the pull-down menu. Use the half-duplex settings only of th
23. Note: To ensure that alerts are e-mailed to an administrator, you must configure the e-mail notification server (see Configuring the E-mail Notification Server on page 11-5) and the IPS alerts (see Configuring and Activating Update Failure and Attack Alerts on page 11-10).
Click Apply to save your settings.
[Figure 5-31: IPS attack categories screen (Databases: all database attacks, oracle, sql injection; Applications: all application attacks, game; Network protocols: all network protocol attacks, icmp, nntp, sip; Malware: all other malware attacks, dos, bot, virus; all other misc attacks)]
Table 5-11. IPS: Less Familiar Attack Names (columns: Attack Name / Description or Subfield and Description)
Web. web-misc: Detects some specific Web attack tools such as the fingerprinting tool and the password cracking tool. web-attacks: Detects the Web attacks that cannot be placed under other Web categories, such as DoS and overflow attacks against specific Web services. Thes
24. http://documentation.netgear.com/reference/enu/glossary/index.htm (Related Documents, pages E-1 and E-2)
Index (excerpt)
Numerics: 10BaseT, 100BaseT, and 1000BaseT 3-23.
A: AAA 7-40; AC input 2-12; access, remote management 0 2; action buttons, Web Management Interface 2-6; activating service licenses 1-8, 2-27; Active Directory 8-6, 9-2, 9-5; Active LED (dual WAN port models only) 2; ActiveX 6-24, 6-28; ActiveX web cache cleaner, SSL VPN 8-5, 8-22; address reservation 4-17; Address Resolution Protocol, see ARP requests; administrator: default name and password 2-3, receiving alerts by e-mail 77 10, receiving logs by e-mail 71 8, receiving reports by e-mail 43, settings (admin) 0 9, user account 9 9 9; Advanced Encryption Standard, see AES; AES 7-28, 7-36, 7-37, 7-46; alerts: configuring 1, e-mail address for sending alerts 2-23, 11-6, specifying alerts to send via e-mail 77 10; ALG 5-31; allowing: applications, services 6-21, e-mails 6-14, URLs 6-32, Web categories 2-22; application services, protection 6-19, 6-21; Application Level Gateway, see ALG; ARP requests 4-2; arrow, Web Management Interface 2-5; attached devices: monitoring with SNMP 10-14, viewing 11-29; attacks: alerts 71 10, checks 5-27, IPS categories 5-50; audio and video files: e-mail filtering 6, FTP filtering 6 4
25. pattern file 70-21; Peer-to-Peer (P2P): blocked applications, recent 5 and top 5 71-18, blocking applications 6-21, logs 11-8, 11-33, 11-35, traffic statistics 77-16; Perfect Forward Secrecy, see PFS; performance management 70-1; permanent IP address 2-13, 3-4, 3-8; PFS 7-38, 7-46; phishing 6-16; physical specifications A-2; pinging: auto-rollover 3-11, checking connections 11-44, failover attempts 3-13, responding on Internet ports 5-28, responding on LAN ports 5-29, retry interval 3-13, troubleshooting TCP/IP 12-7, using the ping utility 44; placement, location 7-14; Point-to-Point Tunneling Protocol, see PPTP; policies: IKE: exchange mode 7-24, 7-27, ISAKMP identifier 7-24, 7-28, managing 7-23, ModeConfig 7-27, 7-47, XAUTH 7-30 (Index-9); IPsec VPN: automatically generated (auto) 7-37, groups, configuring 9-6, managing 7-22, manually generated (manual) 7-3; SSL VPN: managing 8-3, settings 8-34; policy hierarchy 8-31; pools, ModeConfig 7-45; POP3: action, infected e-mail 2-8, anti-virus settings 6-6, default port 2-17, 6-4, Distributed Spam Analysis 6-17, enabling scanning 2-17, file extension blocking 6-11, file name blocking 6, keyword blocking 6-10, password-protected attachment blocking 6-0; port filtering, see service blocking; port forwarding: firewall rules 5-3, 5-6, increasing traffic 5-7, reducing traffic 10-6; port membership, VLANs 4-8; po
26. Figure 6-12: URL Filtering screen. The Blacklist section has an Enable checkbox and a URL list (example entries such as http://www.undesiredcontent.com and http://www.blockthissite; wildcards are supported), an Add URL field, and an Import from File tool with an Upload button. The Replace the Content of a Blocked Page with the Following Text field holds a default HTML page (an HTML 4.0 Transitional DOCTYPE with the title NETGEAR ProSecure User Notification), and a note explains that the URL variable shows the URL of the blocked page. 3. Enter the settings as explained in Table 6-9. Table 6-9, URL Filtering Settings (Setting; Description or Subfield and Description): Whitelist: Enable: Select this checkbox to bypass scanning of the URLs that are listed in the URL field. Users are allowed to access the URLs that are listed in the URL field. URL: This field contains the URLs for which scanning is bypassed. To add a URL to this field, use the Add URL field or the Import from File tool (see below). You can add a maximum of 200 URLs. Note: If a URL is on both the whitelist and the blacklist, the whitelist takes precedence, and URLs on the whitelist are not scanned. Note: Wildcards are supported. For example, if you enter www.net.com in the URL field, any URL that begins with ww
27. Figure 11-23: Logs query screen, with fields for Start and End Date/Time, Protocols, Malware Name, Action, Client IP, Server IP, Recipient Email, the number of entries to display per page, and a Download Log section (zipped file, CSV format) with Search and Download buttons. 3. Enter the settings as explained in Table 11-15. Table 11-15, Logs Query Settings (Setting; Description or Subfield and Description): Log Type: Select one of the following log types from the pull-down menu: Traffic: All scanned incoming and outgoing traffic. Spam: All intercepted spam e-mail. System: The system event logs that you have specified in the System Logs Options section at the top of the screen. However, by default, many more types of events are logged in the system logs. Service Logs: All events that are related to the status of scanning and filtering services that are part of the Application Security main navigation menu. These events include update success messages, update failed messages, network connection errors, and so on. Malware: All intercepted viruses, spyware
28. Figure 5-6. 2. Enter the settings as explained in Table 5-2 on page 5-5. 3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled. DMZ WAN Inbound Services Rules: The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic from the Internet to the DMZ is allowed. Inbound rules that are configured on the LAN WAN Rules screen take precedence over inbound rules that are configured on the DMZ WAN Rules screen. As a result, if an inbound packet matches an inbound rule on the LAN WAN Rules screen, it is not matched against the inbound rules on the DMZ WAN Rules screen. To create a new inbound DMZ WAN service rule: 1. In the DMZ WAN Rules screen, click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound Service screen displays. Figure 5-7: Add DMZ WAN Inbound Service screen, with the fields Service (ANY), Action (BLOCK always), Select Schedule, Send to DMZ Server, Translate to Port Number, WAN Destination IP Address (WAN1), DMZ Users (Start, Finish), WAN Users (Start, Finish), QoS Profile, and Log. 2. Enter the settings as explained in Table 5-3 on page 5-8. 3. Click Apply to save your changes. The new
29. Figure 9-8: Login Policies screen with the tabs by Source IP Address and by Client Browser, a Defined Addresses table (Source Address Type, Network Address/IP Address, Mask Length, with Select All and Delete buttons), and an Add Defined Addresses section with the same fields and an Add button. 4. In the Defined Addresses Status section of the screen, select one of the following radio buttons: Deny Login from Defined Addresses: Deny logging in from the IP addresses in the Defined Addresses table. Allow Login only from Defined Addresses: Allow logging in from the IP addresses in the Defined Addresses table. 5. Click Apply to save your settings. 6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in Table 9-5. Table 9-5, Add Defined Addresses Settings (Setting; Description or Subfield and Description): Source Address Type: Select the type of address from the pull-down menu: IP Address: A single IP address. IP Network: A subnet of IP addresses. You must enter a netmask length in the Mask Length field. Network Address/IP Address: Depending on your selection from the Source Address Type pull-down menu, enter the IP address or the network address. Mask Length: For a n
30. Manual, as described previously. Auto is used during VPN Wizard configuration. Local: IP address (either a single address, a range of addresses, or a subnet address) on your local LAN. Traffic must be from or to these addresses to be covered by this policy. The subnet address is supplied as the default IP address when using the VPN Wizard. Remote: IP address or address range of the remote network. Traffic must be to or from these addresses to be covered by this policy. The VPN Wizard default requires the remote LAN IP address and subnet mask. Auth: The authentication algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint. Encr: The encryption algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint. To delete one or more VPN policies: 1. Select the checkbox to the left of the policy that you want to delete, or click the Select All table button to select all VPN policies. 2. Click the Delete table button. To enable or disable one or more VPN policies: 1. Select the checkbox to the left of the policy that you want to enable or disable, or click the Select All table button to select all VPN policies. 2. Click the Enable or Disable table button. To add or edit a VPN p
31. ProSecure Unified Threat Management UTM Appliance Reference Manual. ProSecure Security Architecture by NETGEAR. NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134. 202-10482-02, January 2010, v1.0. Copyright 2009-2010 by NETGEAR, Inc. All rights reserved. Trademarks: NETGEAR and the NETGEAR logo are registered trademarks, and ProSecure and ProSafe are trademarks, of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Statement of Conditions: In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause har
32. Figure 7-24: RADIUS Client screen (remaining fields include a timeout in seconds and Maximum Retry Count). 3. Complete the fields and select the radio buttons as explained in Table 7-14. Table 7-14, RADIUS Client Settings (Item; Description or Subfield and Description): Primary RADIUS Server: Select the Yes radio button to enable and configure the primary RADIUS server, and then enter the settings for the three fields below. The default setting is that the No radio button is selected. Primary Server IP Address: The IP address of the primary RADIUS server. Secret Phrase: The shared secret phrase used to authenticate the transactions between the client and the primary RADIUS server. The same Secret Phrase must be configured on both the client and the server. Primary Server NAS Identifier: The primary Network Access Server (NAS) identifier that must be present in a RADIUS request. Note: The UTM functions as a NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS must provide some NAS identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the UTM's IP address might be sufficient as an identifier, or the server might require a name, which you must enter in this field. Backup RADIUS Server: Se
33. Table C-18, Content Filtering and Security Logs: Web Filtering and Content Filtering. Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048.rar Proxy Block. Explanation: Logs that are generated when Web content is blocked because it uses a proxy. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the action, and action that is taken. Recommended Action: None. Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048.rar Keyword Block. Explanation: Logs that are generated when Web content is blocked because it violates a blocked keyword. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the action, and action that is taken. Recommended Action: None. Spam Logs: This section describes logs that are generated when the UTM filters spam e-mail messages. Table C-19, Content Filtering and Security Logs: Spam. Message: 2009-02-28 23:59:59 SMTP 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com Blocked by customized blacklist 0 RBL Block. Explanation: Logs that are generated when spam messages are blocked by the RBL. The message shows the date and time, protocol, client IP address, server IP address, sender, recipient, subject line, mechanism that detected
34. The organization or person to whom the digital certificate is issued. Issuer Name: The name of the CA that issued the digital certificate. Expiry Time: The date after which the digital certificate becomes invalid. To upload a digital certificate of a trusted CA on the UTM: 1. Download a digital certificate file from a trusted CA and store it on your computer. 2. In the Upload Trusted Certificates section of the screen, click Browse and navigate to the trusted digital certificate file that you downloaded on your computer. 3. Click the Upload table button. If the verification process on the UTM approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificates) table. To delete one or more digital certificates: 1. In the Trusted Certificates (CA Certificates) table, select the checkbox to the left of the digital certificate that you want to delete, or click the Select All table button to select all digital certificates. 2. Click the Delete table button. Managing Self Certificates: Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed digital certificate triggers a warning from most browsers because it provides no protection against identity theft of the server. Figure 9-12 on page 9-21 shows an image of a browser security alert. There can be three reasons why a security alert is generated:
35. Figure 10-4: SNMP screen. Trusted SNMP Hosts: Specify IP addresses or IP address ranges that are allowed to access SNMP (examples on the screen: 192.168.2.1, 192.168.2.0/24, 192.168.2.0/255.255.255.0). SNMP Traps: Specify IP addresses to receive SNMP traps (examples: 192.168.2.1, 192.168.2.2). 2. Enter the settings as explained in Table 10-1. Table 10-1, SNMP Settings (Setting; Description or Subfield and Description): Settings: Do You Want to Enable SNMP? Select one of the following radio buttons: Yes: Enable SNMP. No: Disable SNMP. This is the default setting. Read Community: The community string that allows an SNMP manager read-only access to the MIB objects of the UTM. The default setting is public. Set Community: The community string that allows an SNMP manager read and write access to the MIB objects of the UTM. The default setting is private. Contact: The SNMP system contact information that is available to the SNMP manager. This setting is optional. Location: The physical location of the UTM. This setting is optional. Trusted SNMP Hosts: Enter the IP addresses of the computers and devices to which you want to grant read-only (GET) or write (SET) privileges on the UTM. Separate IP address
36. Figure 7-7: IPsec VPN Connection Status screen, with a Poll Interval (seconds) field, Set Interval and Stop buttons, and a policy table showing the status IPsec SA Not Established for a Client Policy. c. Locate the policy in the table and click the Connect table button. The IPsec VPN connection should become active. Note: When using FQDNs, if the dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time. Creating a Client to Gateway VPN Tunnel (Road Warrior Example, Single WAN Port): Figure 7-8 shows Client B (a remote PC running the NETGEAR ProSafe VPN Client) connecting to Gateway A (the VPN router at the employer's main office, with its WAN IP, LAN IP, and FQDN); Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses. Follow the steps in the following sections to configure a VPN client tunnel: Using the VPN Wizard: Configure the Gateway for a Client Tunnel, on page 7-9. Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection, on page 7-12. Using the VPN Wizard: Configure the Gateway for a Client Tunnel: To set up a client to gateway VPN tunnel using the VPN Wizar
37. 30.0.0.1 with subnet 255.0.0.0; Primary WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0; Secondary WAN2 IP: 40.0.0.1 with subnet 255.0.0.0; DMZ IP address: 192.168.10.1 with subnet 255.255.255.0; Primary LAN IP address: 192.168.1.1 with subnet 255.255.255.0; Secondary LAN IP: 192.168.20.1 with subnet 255.255.255.0. To add a secondary WAN address to a WAN port: 1. Select Network Config > WAN Settings from the menu. On a dual WAN port model, the WAN Settings submenu tabs appear with the WAN ISP Settings screen in view. On a single WAN model, the WAN Settings submenu tabs appear with the WAN ISP Settings screen in view. 2. Click the Secondary Addresses option arrow. On a dual WAN port model, the WAN1 Secondary Addresses screen displays (see Figure 3-10, which shows some examples in the List of Secondary WAN addresses table). On a single WAN port model, the WAN Secondary Addresses screen displays. Figure 3-10: WAN1 Secondary Addresses screen (submenu tabs include Protocol Binding, Dynamic DNS, WAN Metering, LAN Settings, DMZ Setup, Routing, and Email Notification), with a Secondary Addresses table (IP Address, Subnet Mask; example entries such as 192.168.60.61 and 192.168.80.1 with subnet mask 255.255.255.0, plus Select All and Delete buttons) and an Add WAN1 Secondary Addresses section (IP Address, Subnet Mask, Add). The List of Secondary WAN addresses
38. Figure 7-21: Add IKE Policy screen. Its sections are Mode Config Record (Do you want to use Mode Config Record? Yes/No; Select Mode Config Record), General (Policy Name, Direction/Type: Both, Exchange Mode: Main, Select Local Gateway: WAN1/WAN2), Local and Remote (Identifier Type, Identifier), IKE SA Parameters (Encryption Algorithm, Authentication Algorithm, Authentication Method: Pre-shared key or RSA Signature, Pre-shared key with a key length of up to 49 characters, Diffie-Hellman (DH) Group, SA Lifetime in seconds, Enable Dead Peer Detection: Yes/No, Detection Period in seconds, Reconnect after failure count), and XAUTH Configuration (Authentication Type: User Database or None, Username, Password, with Edge Device and IPsec Host options). 3. Complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 7-10. Table 7-10, Add IKE Policy Settings (Item; Description or Subfield and Description): Mode Config Record: Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a Mode Config Record. For information about how to define a Mode Config Record, see Mode Config Operation on page 7-43. Select one of the following radio butto
39. Figure 8-5: SSL VPN Wizard client settings screen, with the fields Primary DNS Server, Secondary DNS Server, Client Address Range Begin, and Client Address Range End, followed by the on-screen note: Static routes should be added to reach any secure network in SPLIT TUNNEL mode. In FULL TUNNEL mode all client routes will be ineffective. You can leave the Destination Network and Subnet Mask fields blank or assign a network address which has NOT been set already. Otherwise the wizard will fail and the UTM will have to reboot to recover a previously working configuration. The screen ends with the Destination Network and Subnet Mask fields. Note that Figure 8-5 contains some examples. Enter the settings as explained in Table 8-4 on page 8-10, then click Next to go to the following screen. Note: Do not enter an existing route for a VPN tunnel client in the Destination Network and Subnet Mask fields; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration. Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the client IP address range and routes by selecting VPN > SSL VPN > SSL VPN Client. For more information about client IP address range and routes settings, see Configuring the SSL VPN Client on page 8-25. Table 8-4, S
40. Figure 7-3: Gateway to gateway VPN tunnel, single WAN ports: Gateway A (the VPN router at office A) and Gateway B (the VPN router at office B), each with a LAN IP, WAN IP, and FQDN; Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses. To set up a gateway to gateway VPN tunnel using the VPN Wizard: 1. Select VPN > IPsec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view. 2. Click the VPN Wizard submenu tab. The VPN Wizard screen displays (see Figure 7-4 on page 7-5, which contains some examples for the dual WAN port models). The WAN1 and WAN2 radio buttons are shown on the VPN Wizard screen for the dual WAN port models but not on the VPN Wizard screen for the single WAN port models. Figure 7-4: VPN Wizard screen. About VPN Wizard: The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu. This VPN tunnel will connect to the following peers: Gateway or VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? (example: GW1 to GW2); What is the pre-shared key? (example: 1234567890; Key Length 8-49 Char
41. The HTTPS Settings screen displays. Figure 6-15: HTTPS Settings screen. HTTP Tunneling: Allow scanning of HTTPS connections through an HTTP proxy (if used). Note: In order to use this, you must add the HTTP proxy server port into the Ports to Scan field under Application Security > Services. HTTPS 3rd Party Website Certificate Handling: When the UTM is scanning HTTPS traffic, the client builds trust with the UTM, and the UTM builds trust with 3rd party websites. If the 3rd party website's certificate is not signed by a trusted CA: Allow the UTM to present the website to the client. HTTPS SSL Settings: Allow the UTM to handle HTTPS connections using SSLv2. Note: If disabled, the UTM will only allow HTTPS connections using SSLv3 or TLSv1. Show This Message When an SSL Connection Attempt Fails: Replace the Content of a Blocked Page with the Following Text (the default is an HTML 4.0 Transitional page with the title NETGEAR ProSecure User Notification and a Content-Type of text/html with charset windows-1252). Note: Use URL to show the URL of the blocked page; use REASON to display why a page was blocked. 3. Enter the settings as explained in Table 6-10 on page 6-37. 4. Click Apply to save your settings. ProSecure Unified Th
42. Table 6-6, Web Protocol, Instant Messaging, and Peer-to-Peer Settings (continued) (Setting; Description or Subfield and Description): Note: If a protocol uses a port other than the standard service port (for example, port 80 for HTTP), enter this non-standard port in the Ports to Scan field. For example, if the HTTP service on your network uses both port 80 and port 8080, enter both port numbers in the Ports to Scan field and separate them by a comma. Instant Messaging (Google Talk, Jabber, Yahoo Messenger, mIRC, MSN Messenger): Select the corresponding checkboxes to block any of these common instant messaging services, all of which are allowed by default. Note: For Instant Messaging services, the following services can be blocked: logging in, sharing files, sharing video, sharing audio, and text messaging. Peer-to-Peer (P2P) (BitTorrent, eDonkey, Gnutella): Select the corresponding checkboxes to block any of these common peer-to-peer file sharing services, all of which are allowed by default. 3. Click Apply to save your settings. Configuring Web Malware Scans: Whether or not the UTM detects Web-based malware threats, you can configure it to take a variety of actions (some of the default actions are listed in Table 6-1 on page 6-2) and send notifications, e-mails, or both to the end users. To configure the Web-based malware settings: 1. Select Appli
43. WEEE, RoHS. Interface Specifications: LAN: 4 AutoSense 10/100/1000BASE-T RJ-45, one of which is a configurable DMZ interface. WAN: dual WAN port models, 2 AutoSense 10/100/1000BASE-T RJ-45; single WAN port models, 1 WAN. 1 administrative console port (RS-232). 1 USB (non-functioning; included for future management enhancements). Table A-3 shows the IPsec VPN specifications for the UTM. Table A-3, UTM IPsec VPN Specifications (Setting; Specification): Network Management: Web-based configuration and status monitoring. Number of concurrent users supported: The number of supported site-to-site IPsec VPN tunnels depends on the model (see Table 1-1 on page 1-7). IPsec encryption algorithm: DES, 3DES, AES-128, AES-192, AES-256. IPsec authentication algorithm: SHA-1, MD5. IPsec key exchange: IKE, Manual Key, Pre-Shared Key, PKI, X.500. IPsec authentication types: Local User database, RADIUS PAP, RADIUS CHAP. IPsec certificates supported: CA digital certificate, Self digital certificate. Table A-4 shows the SSL VPN specifications for the UTM. Table A-4, UTM SSL VPN Specifications (Setting; Specification): Network Management: Web-based configuration and st
44. or if you select split mode tunnel operation, you must define client routes. To add an SSL VPN tunnel client route: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view. 2. Click the SSL VPN Client submenu tab. The SSL VPN Client screen displays (see Figure 8-15 on page 8-26). 3. In the Add Routes for VPN Tunnel Clients section of the screen, specify information in the following fields: Destination Network: The destination network IP address of a local network or subnet. For example, enter 192.168.1.60. Subnet Mask: The address of the appropriate subnet mask. 4. Click the Add table button. The new client route is added to the Configured Client Routes table. Restart the UTM if VPN tunnel clients are currently connected. Restarting forces clients to reconnect and receive new addresses and routes. To change the specifications of an existing route and to delete an old route: 1. Add a new route to the Configured Client Routes table. 2. In the Configured Client Routes table, to the right of the route that is out of date, click the Delete table button. If an existing route is no longer needed for any reason, you can delete it. Using Network Resource Objects to Simplify Policies: Network resources are groups of IP addresses, IP
45. or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting. Enable DHCP Server: Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings: Domain Name: This is optional. Enter the domain name of the UTM. Table 4-1, VLAN Profile Settings (continued) (Setting; Description or Subfield and Description): Enable DHCP Server (continued): Starting IP Address: Enter the starting IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address. Ending IP Address: Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between the Starting IP Address and this IP address. The IP address 192.168.1.100 is the default ending address. Note: The starting and ending DHCP IP addresses should be in th
46. over an IP connection across the UTM. The Session Limit feature is disabled by default. To enable and configure the Session Limit feature: 1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear. 2. Click the Session Limit submenu tab. The Session Limit screen displays. Figure 5-17: Session Limit screen, with Do you want to enable Session Limit? (Yes/No), User Limit Parameter (Percentage of Max Sessions), User Limit, Total Number of Packets Dropped due to Session Limit (0), and a Session Timeout section with TCP Timeout, UDP Timeout, and ICMP Timeout in seconds. 3. Click the Yes radio button under Do you want to enable Session Limit? 4. Enter the settings as explained in Table 5-5 on page 5-31. Table 5-5, Session Limit Settings (Setting; Description or Subfield and Description): Session Limit: User Limit Parameter: From the User Limit Parameter pull-down menu, select one of the following options: Percentage of Max Sessions: A percentage of the total session connection capacity of the UTM. Number of Sessions: An absolute number of maximum sessions. User Limit: Enter a number to indicate the user limit. If the User Limit Parameter is set to Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a sing
47. select one of the following authentication types: User Database: XAUTH occurs through the UTM's user database. Users must be added through the Add User screen (see User Database Configuration on page 7-40). Radius PAP: XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the UTM connects to a RADIUS server. For more information, see RADIUS Client Configuration on page 7-40. Radius CHAP: XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client Configuration on page 7-40. Username: The user name for XAUTH. Password: The password for XAUTH. 5. Click Apply to save your settings. User Database Configuration: When XAUTH is enabled in an Edge Device configuration, users must be authenticated either by a local user database account or by an external RADIUS server. Whether or not you use a RADIUS server, you might want some users to be authenticated locally. These users must be added to the List of Users table on the Users screen, as described in Configuring User Accounts on page 9-9. RADIUS Client Configuration: Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network. A RADIUS server stores a da
48. succession of SYN requests to a target system. When the system responds, the attacker does not complete the connections, thus leaving the connections half-open and flooding the server with SYN messages. No legitimate connections can then be made. By default, the Block TCP Flood checkbox is deselected. Table 5-4, Attack Checks Settings (continued) (Setting; Description or Subfield and Description): LAN Security Checks: Block UDP flood: Select the Block UDP flood checkbox to prevent the UTM from accepting more than 20 simultaneous active UDP connections from a single device on the LAN. By default, the Block UDP flood checkbox is deselected. A UDP flood is a form of denial of service attack that can be initiated when one device sends a large number of UDP packets to random ports on a remote host. As a result, the distant host does the following: 1. Checks for the application listening at that port. 2. Sees that no application is listening at that port. 3. Replies with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker might also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach the attacker, thus making the attacker's network location a
49. ...that you create. For more information, see Creating Quality of Service (QoS) Profiles on page 5-35.
Note: There is no default QoS profile on the UTM. After you have created a QoS profile, it can become active only when you apply it to a non-blocking inbound or outbound firewall rule.

Table 5-3. Inbound Rules Overview (continued)
Log: The setting that determines whether packets covered by this rule are logged. The options are:
- Always: Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
- Never: Never log traffic considered by this rule, whether it matches or not.
Bandwidth Profile: Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. Bandwidth limiting occurs in the following ways:
- For outbound traffic: on the available WAN interface in single WAN port mode and auto-rollover mode, and on the selected interface in load balancing mode.
- For inbound traffic: on the LAN interface for all WAN modes.
Note: Bandwidth limiting does not apply to the DMZ interface.
50. Table 10-3. System Date & Time Settings (continued)
Automatically Adjust for Daylight Savings Time: If daylight savings time is supported in your region, select the Automatically Adjust for Daylight Savings Time checkbox.
NTP Server (default or custom): From the pull-down menu, select an NTP server:
- Use Default NTP Servers: The UTM's RTC is updated regularly by contacting a default NETGEAR NTP server on the Internet.
- Use Custom NTP Servers: The UTM's RTC is updated regularly by contacting one of the two NTP servers (primary and backup), both of which you must specify in the fields that become available with this menu selection.
Note: If you select this option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers.
Note: A list of public NTP servers is available at http://ntp.isc.org/bin/view/Servers/WebHome.
Server 1 Name / IP Address: Enter the IP address or host name of the primary NTP server.
Server 2 Name / IP Address: Enter the IP address or host name of the backup NTP server.
3. Click Apply to save your settings.
Note: If you select the default NTP servers or if you enter a custom server FQDN, the UTM determines the IP address of the NTP server by performing a DNS lookup. You must configure
51. ...MAC address 00:01:02:03:04:06 and IP address 192.168.10.11.
- Host3: MAC address 00:01:02:03:04:07 and IP address 192.168.10.12.
If all of the above host entry examples are added to the IP/MAC Binding table, the following scenarios indicate the possible outcome:
- Host1: Matching IP and MAC address in the IP/MAC table.
- Host2: Matching IP but inconsistent MAC address in the IP/MAC table.
- Host3: Matching MAC but inconsistent IP address in the IP/MAC table.
In this example, the UTM blocks the traffic coming from Host2 and Host3 but allows the traffic coming from Host1 to any external network. The total count of dropped packets is displayed.

To set up IP/MAC bindings:
1. Select Network Security > Address Filter from the menu. The Address Filter submenu tabs appear, with the Source MAC Filter screen in view.
2. Click the IP/MAC Binding submenu tab. The IP/MAC Binding screen displays (see Figure 5-27 on page 5-45, which shows some bindings in the IP/MAC Binding table as an example).
[Figure 5-27: IP/MAC Binding screen. It offers the option to enable e-mail logs for IP/MAC binding violations (an SMTP server must be set in Email Notification for this) and shows the IP/MAC Binding table with the columns Name, MAC Addresses, IP Addresses, Log Dropped Packets, and Action.]
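The binding decision the three scenarios above describe, as an added example that is not the UTM's code: each observed source MAC/IP pair is checked against the binding table and classified exactly as the text does (match; IP bound to another MAC; MAC bound to another IP), with a per-binding count of dropped frames like the Log Dropped Packets column. Host2 and Host3 use the addresses the manual gives; Host1's MAC and IP are assumed because the page cuts off before them, and letting hosts with no binding at all pass is also an assumption.

```python
"""IP/MAC binding check over constructed frames (added example, not NETGEAR code).
Assumed: Host1's addresses, the sample frames, pass-through for unbound hosts."""
from collections import Counter

BINDINGS = [  # the IP/MAC Binding table; Host1 values are assumed
    {"name": "Host1", "mac": "00:01:02:03:04:05", "ip": "192.168.10.10"},
    {"name": "Host2", "mac": "00:01:02:03:04:06", "ip": "192.168.10.11"},
    {"name": "Host3", "mac": "00:01:02:03:04:07", "ip": "192.168.10.12"},
]


def norm_mac(mac):
    """Accept 00-01-.. and upper-case forms; compare in one canonical form."""
    return mac.lower().replace("-", ":")


def classify(mac, ip, bindings=BINDINGS):
    """Return (verdict, reason, binding_name) for one observed source MAC/IP pair."""
    mac = norm_mac(mac)
    by_mac = {norm_mac(b["mac"]): b for b in bindings}
    by_ip = {b["ip"]: b for b in bindings}
    if mac in by_mac and by_mac[mac]["ip"] == ip:
        return "ALLOW", "matching IP and MAC address in IP/MAC table", by_mac[mac]["name"]
    if ip in by_ip:   # the IP is bound, but to a different MAC (the Host2 case)
        return "DROP", "matching IP but inconsistent MAC address", by_ip[ip]["name"]
    if mac in by_mac:  # the MAC is bound, but to a different IP (the Host3 case)
        return "DROP", "matching MAC but inconsistent IP address", by_mac[mac]["name"]
    return "ALLOW", "no binding for this host (assumed pass-through)", None


def filter_frames(frames, bindings=BINDINGS):
    """frames: list of (src_mac, src_ip). Returns (verdicts, dropped count per binding name)."""
    verdicts, dropped = [], Counter()
    for mac, ip in frames:
        verdict, why, name = classify(mac, ip, bindings)
        verdicts.append((mac, ip, verdict, why))
        if verdict == "DROP":
            dropped[name] += 1
    return verdicts, dropped


def sample_frames():
    """Constructed frames reproducing the manual's three scenarios, plus an unbound host."""
    return [
        ("00:01:02:03:04:05", "192.168.10.10"),   # Host1: IP and MAC match
        ("00:01:02:03:04:66", "192.168.10.11"),   # Host2's IP used by a different MAC
        ("00:01:02:03:04:66", "192.168.10.11"),
        ("00:01:02:03:04:07", "192.168.10.99"),   # Host3's MAC with a different IP
        ("00:aa:bb:cc:dd:ee", "192.168.10.200"),  # no binding at all
    ]


if __name__ == "__main__":
    verdicts, dropped = filter_frames(sample_frames())
    for mac, ip, verdict, why in verdicts:
        print(f"{mac} {ip:15} {verdict:5} {why}")
    print("dropped:", dict(dropped), "total:", sum(dropped.values()))
```

The second check runs before the third on purpose: a frame that carries a bound IP from the wrong MAC is the case that matters most (IP spoofing or a rogue DHCP reservation), so it is reported under that binding even if the MAC happens to be bound elsewhere too.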
52. ...10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover protection of your Internet connection, providing increased system reliability or increased throughput.
- Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources.
- Advanced IPsec VPN and SSL VPN support. Depending on the model, bundled with a 1-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
- Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
- Patent-pending Stream Scanning technology that enables scanning of real-time protocols such as HTTP.
- Comprehensive Web and email security, covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP.
- Malware database containing hundreds of thousands of signatures of spyware, viruses, and other malware threats.
- Very frequently updated malware signatures, hourly if required. The UTM can automatically check for new malware signatures as frequently as every 15 minutes.
- Multiple anti-spam technologies to provide extensive protection against unwanted mail.
- Easy, Web-based wizard setup for installation and management.
- SNMP manageable.
- Front panel LEDs for easy monitoring of status and activity.
- Flash memory for firmware upgrade.
- Internal universal switching power supply.

Dual WAN Port Mode
53. ...-2; profile name, 4-8; profiles, 4-3, 4-6
VoIP (voice over IP) sessions, 5-3
VPN IPsec Wizard: see IPsec VPN Wizard
VPN SSL Wizard: see SSL VPN Wizard
VPN tunnels:
- active users, 11-24
- auto-rollover mode, 7-2
- client policy, creating, 7-12
- client-to-gateway, using IPsec VPN Wizard, 7-9
- connection status, 7-20
- DPD, 7-57
- examples: gateway-to-gateway, dual WAN ports, auto-rollover, B-14; gateway-to-gateway, dual WAN ports, load balancing, B-15; gateway-to-gateway, single WAN port mode, B-13; Road Warrior, dual WAN mode, auto-rollover, B-11; Road Warrior, dual WAN mode, load balancing, B-13; Road Warrior, single WAN port mode, B-11; VPN Telecommuter, dual WAN ports, auto-rollover, B-17; VPN Telecommuter, dual WAN ports, load balancing, B-18; VPN Telecommuter, single WAN port mode, B-16
- failover, 7-35
- FQDNs, 7-2, B-9
- gateway-to-gateway, using IPsec VPN Wizard, 7-4
- IKE policies: exchange mode, 7-24, 7-27; ISAKMP identifier, 7-24, 7-28; managing, 7-23; ModeConfig, 7-27, 7-47; XAUTH, 7-30
- increasing traffic, 10-8
- IPsec VPN: logs, 7-21, 11-9, 11-33, 11-35; specifications, A-3; user account, 9-9, 9-11
- IPsec VPN policies: automatically generated (auto), 7-31; groups, configuring, 9-6; managing, 7-22; manually generated (manual), 7-3
- keepalives, 7-35, 7-56
- load balancing mode, 7-2
- NetBIOS, 7-35, 7-59
- pass-through (IPsec, PPTP, L2TP), 5-29
- planning, dual WAN port models, B-6
- pre-shared key, 7-6, 7-11, 7-15, 7-29
- rollover: see failover
- RSA signature, 7-29
- testing connections, 7-17
- tunnel co
54. ...20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Invalid RST packet.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID ICMP_TYPE DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=19 CODE=0
Explanation: Invalid ICMP type.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID TCP_FLAG_COMBINATION DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Invalid TCP flag combination.
Recommended Action: None.

Table C-17. System Logs: Invalid Packets (continued)

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID BAD_CHECKSUM DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Bad checksum.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID BAD_HW_CHECKSUM DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=3 CODE=0
Explanation: Bad hardware checksum for ICMP packets.
Recommended Action: None.

Message: INVALID MALFORMED_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Malformed packet.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID SHORT_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
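The table above says "Recommended Action: None" for each message, which is true of a single line; a run of them from one source is a different matter (a crafted-packet scan or a broken TCP/IP stack). The following parser is an added example, not NETGEAR code: it reads kernel log lines in the `INVALID <check> <verdict> SRC= DST= PROTO= ...` shape shown in Table C-17, tallies drops per check and per source, and flags sources that exceed a threshold. The sample lines are constructed in that format (with the `KEY=value` spelling of the iptables LOG target, which the manual's rendering drops), and the threshold of 5 is an assumption.

```python
"""Parser and tally for the Table C-17 'INVALID ...' kernel log lines (added example).
Assumed: the sample log text, the KEY=value spelling, the noisy-source threshold."""
import re
from collections import Counter

_KV = r"(?:=|\s)"  # tolerate "SRC=1.2.3.4" and "SRC 1.2.3.4"
LOG_RE = re.compile(
    r"^(?:(?P<ts>.+?)\s)?UTM kernel:?\s+INVALID\s+(?P<check>[A-Z_]+)\s+(?P<verdict>DROP|ACCEPT)\s+"
    r"SRC" + _KV + r"(?P<src>\S+)\s+DST" + _KV + r"(?P<dst>\S+)\s+PROTO" + _KV + r"(?P<proto>\S+)"
    r"(?:\s+SPT" + _KV + r"(?P<spt>\d+)\s+DPT" + _KV + r"(?P<dpt>\d+))?"
    r"(?:\s+TYPE" + _KV + r"(?P<type>\d+)\s+CODE" + _KV + r"(?P<code>\d+))?\s*$"
)

SAMPLE_LOGS = """\
2007 Oct 1 00:44:17 UTM kernel: INVALID ICMP_TYPE DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=19 CODE=0
2007 Oct 1 00:44:17 UTM kernel: INVALID TCP_FLAG_COMBINATION DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
2007 Oct 1 00:44:17 UTM kernel: INVALID BAD_CHECKSUM DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
2007 Oct 1 00:44:17 UTM kernel: INVALID BAD_HW_CHECKSUM DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=3 CODE=0
UTM kernel: INVALID MALFORMED_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
2007 Oct 1 00:44:17 UTM kernel: INVALID SHORT_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
2007 Oct 1 00:44:18 UTM kernel: INVALID SHORT_PACKET DROP SRC=10.0.0.7 DST=192.168.20.2 PROTO=TCP SPT=1025 DPT=22
Nov 29 09:19:43 UTM kernel: DMZ2WAN DROP IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_line(line):
    """Return a dict for an INVALID-packet line, or None for any other line (routing logs included)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("spt", "dpt", "type", "code"):
        if rec[k] is not None:
            rec[k] = int(rec[k])
    return rec


def summarize(text):
    """Parse every line; return (records, drops per check, drops per source)."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    by_check = Counter(r["check"] for r in recs if r["verdict"] == "DROP")
    by_src = Counter(r["src"] for r in recs if r["verdict"] == "DROP")
    return recs, by_check, by_src


def noisy_sources(by_src, threshold=5):
    """Sources with at least `threshold` invalid-packet drops (threshold is an assumption)."""
    return [src for src, n in by_src.items() if n >= threshold]


if __name__ == "__main__":
    recs, by_check, by_src = summarize(SAMPLE_LOGS)
    print(len(recs), "invalid-packet records")
    print("by check:", dict(by_check))
    print("noisy sources:", noisy_sources(by_src))
```

The timestamp is optional and the port or ICMP fields are captured only when present, which matches the table: the MALFORMED_PACKET entry has no timestamp, and ICMP entries carry TYPE/CODE instead of SPT/DPT.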
55. You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available:
- Edge Device: The UTM is used as a VPN concentrator on which one or more gateway tunnels terminate. You must specify the authentication type that must be used during verification of the credentials of the remote VPN gateways: User Database, RADIUS PAP, or RADIUS CHAP.
- IPsec Host: Authentication by the remote gateway through a user name and password that are associated with the IKE policy. The user name and password that are used to authenticate the UTM must be specified on the remote gateway.
Note: If a RADIUS PAP server is enabled for authentication, XAUTH first checks the UTM's local user database for the user credentials. If the user account is not present, the UTM then connects to a RADIUS server.

Configuring XAUTH for VPN Clients
Once XAUTH has been enabled, you must establish user accounts on the User Database to be authenticated against XAUTH, or you must enable a RADIUS CHAP or RADIUS PAP server.
Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy must be disabled before you can modify the IKE policy.
To enable and configure XAUTH:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear, with the IKE Policies screen in
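What the RADIUS PAP and RADIUS CHAP choices above (and in the authentication-type table earlier on this page) actually put on the wire, as an added example that is not NETGEAR code: PAP sends the user's password hidden with MD5 of the RADIUS shared secret and the Request Authenticator (RFC 2865 section 5.2), so the password is only as protected as that shared secret; CHAP sends MD5(id, password, challenge) (RFC 2865 section 5.3), which never exposes the password but requires the server to hold it in a recoverable form. The `xauth_pap_authenticate` function models the lookup order the note states (local user database first, RADIUS only when the account is absent). The shared secret, user accounts and the in-memory "RADIUS server" are constructed for this example.

```python
"""RADIUS PAP password hiding, CHAP response, and the XAUTH lookup order (added example).
Assumed: the accounts, the shared secret, and the dict standing in for the RADIUS server."""
import hashlib
import os


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple (at least one block), then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the 16-byte Request Authenticator."""
    assert len(authenticator) == 16
    n = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def pap_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same chain in reverse; a wrong shared secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # NUL padding stripped (a password ending in NUL would be truncated too)


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3 CHAP-Password value: ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(response: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """The server needs the cleartext password to recompute the digest."""
    return response == chap_response(response[0], stored_password, challenge)


LOCAL_USERS = {"alice": b"alice-local-pw"}   # constructed: the UTM's user database
RADIUS_USERS = {"bob": b"bob-radius-pw"}     # constructed: what the RADIUS server holds
SHARED_SECRET = b"radius-shared-secret"      # constructed


def xauth_pap_authenticate(username: str, password: bytes):
    """Returns (accepted, where). Local database first; RADIUS only if the account is absent locally,
    which also means a wrong password for a local account is refused without consulting RADIUS."""
    if username in LOCAL_USERS:
        return LOCAL_USERS[username] == password, "local"
    if username in RADIUS_USERS:
        authenticator = os.urandom(16)
        hidden = pap_hide_password(password, SHARED_SECRET, authenticator)  # sent in Access-Request
        # the "server" side, in-process so the example runs offline
        accepted = pap_unhide_password(hidden, SHARED_SECRET, authenticator) == RADIUS_USERS[username]
        return accepted, "radius"
    return False, "unknown"


if __name__ == "__main__":
    print(xauth_pap_authenticate("alice", b"alice-local-pw"))
    print(xauth_pap_authenticate("bob", b"bob-radius-pw"))
```

The practical consequence for the UTM's RADIUS client settings: with PAP, the RADIUS shared secret is what protects every user password on the path to the server, so it deserves the same care as the pre-shared keys of the VPN policies that rely on XAUTH.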
56. Table 4-3. DMZ Setup Settings (continued)
DNS Proxy / Enable DNS Proxy: This is optional. Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution. This setting is enabled by default.
Note: The UTM still services DNS requests sent to its LAN IP address unless you disable DNS Proxy in the firewall settings (see Attack Checks on page 5-27).
3. Click Apply to save your settings.
Note: The DMZ LED next to LAN port 4 (see Front Panel on page 1-10) lights green to indicate that the DMZ port is enabled.
To define the DMZ WAN Rules and LAN DMZ Rules, see Setting DMZ WAN Rules on page 5-15 and Setting LAN DMZ Rules on page 5-19, respectively.

Managing Routing
Static routes provide additional routing information to your UTM. Under normal circumstances, the UTM has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases, such as multiple firewalls or multiple IP subnets located on your network.
Note: The UTM automatically sets up routes between VLANs and secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configuring Multi-Home LAN IPs on the Default VLAN on page 4-11). Therefore, you do not need to
57. ...5; firewall, use with, 5; mapping, one-to-one, 3-10, 5-23
NetBIOS, VPN tunnels, 7-35, 7-59
NETGEAR registration server, 1-9
network:
- configuration requirements, B-3
- database, 4-12, 4-13, 11-31
- diagnostic tools, 11-43, 11-44
- planning, dual WAN ports (dual WAN port models), B-1
- protocols supported, 2
- resources, SSL VPN, 8-28
- statistics report, diagnostics, 11-47
- traffic statistics, 11-16
Network Access Server: see NAS
Network Address Translation: see NAT
Network Time Protocol: see NTP
newsgroups, 6-24
NT Domain, 8-6, 9-2, 9-5
NTP servers: settings, 2-15, 10-25; troubleshooting, 12-10

O
objects, embedded, 6-28
one-time passcode: see OTP
online documentation, 12-12
online support, 12-10
online games, DMZ port, 4-18
option arrow, Web Management Interface, 2-5
Oray.net, 3-19, 3-2
order of precedence, firewall rules, 5-17
OTP, D-1, D-2
outbound rules:
- default, 5-3
- DMZ to WAN, 5-17
- examples, 5-26
- LAN to DMZ, 5-20
- LAN to WAN, 5-13
- order of precedence, 5-17
- overview, 5-4
- reducing traffic, 10-2
- service blocking, 5-4
- settings, 5-5
outbreak: IPS, defining, 11-12; malware, defining, 11-12

P
package contents, UTM, 1-9
packets, accepted and dropped, 11-14
PAP (see also RADIUS PAP, MIAS PAP, or WiKID PAP), 9-2
Password Authentication Protocol: see PAP
password-protected attachments, 6-8
passwords: changing, 9-16, 10-9; default, 2-3; restoring, 12-9
58. [Figure 11-21: Known PCs and Devices screen (Network Database), showing the table of known hosts and the Add Known PCs and Devices form with the fields Name, IP Address Type (DHCP Assigned IP Address or Fixed, set on PC), IP Address, MAC Address, and Group (Profile Name).]

The Known PCs and Devices table contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the UTM or have been discovered by other means. Collectively, these entries make up the Network Database. For each attached PC or device, the Known PCs and Devices table displays the following fields:
- Checkbox: Allows you to select the PC or device in the table.
- Name: The name of the PC or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown; you can edit the entry manually to add a meaningful name. If the PC or device was assigned an IP address by the DHCP server, then the name is appended by an asterisk.
- IP Address: The current IP address of the PC or device. For DHCP clients of the UTM, this IP address does not change. If a PC or device is assigned a static IP address, you need to update this entry manually after the IP address on the PC or device has changed.
- MAC Address: The MAC address of the PC or device's network interface
59. If you want to use a redundant ISP link for backup purposes, select the WAN port that must act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method on the WAN Mode screen to support auto-rollover.
- Load Balancing Mode: The UTM distributes the outbound traffic equally among the WAN interfaces that are functional.
Note: Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic.
- Single WAN Port Mode: The selected WAN interface is made primary and the other is disabled.
For whichever WAN mode you choose, you must also choose either NAT or classical routing, as explained in the following sections.

Network Address Translation (All Models)
Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the UTM) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.
- The UTM uses NAT to select the correct PC on your LAN to receive any incoming data.
- If you
60. [Figure 11-11: System Status screen (2 of 3). The WAN section shows WAN Mode Single Port, WAN State DOWN, NAT Enabled, Connection Type DHCP, Connection State Not Connected, IP Address, Subnet Mask, Gateway, Primary DNS and Secondary DNS all 0.0.0.0, MAC Address 00:00:00:00:00:03; the LAN Port section shows MAC Address 00:00:00:00:00:01, IP Address 192.168.1.1, DHCP Enabled, Subnet Mask 255.255.255.0.]

Table 11-10 on page 11-23 explains the fields of the System Status screen of a dual WAN port model, with the WAN1 Configuration, WAN2 Configuration, and LAN Port sections. On the System Status screen for single WAN port models, there is only a WAN Configuration and LAN Port section.

Table 11-10. System Status: WAN Configuration and LAN Port Information
WAN1 Configuration / WAN2 Configuration (dual WAN port models) or WAN Configuration (single WAN port models):
- WAN Mode: Single Port, Load Balancing, or Auto-Rollover.
- WAN State: UP or DOWN.
- NAT: Enabled or Disabled.
- Connection Type: Static IP, DHCP, PPPoE, or PPTP.
- Connection State: Connected or Not Connected.
- IP Address, Subnet Mask, Gateway, Primary DNS, Secondary DNS, MAC Address: These fields are self-explanatory.
LAN Port:
- MAC Address, IP Address: These fields are self-explanatory.
- DHCP: DHCP or None.
- IP Subnet Mask: This field is self-explanatory.
61. ...Event Notifications on page 11-5.

Table 11-1. WAN Traffic Meter Settings (continued)
When Limit is reached: Select one of the following radio buttons to specify what action the UTM performs when the traffic limit has been reached:
- Block All Traffic: All incoming and outgoing Internet and e-mail traffic is blocked.
- Block All Traffic Except E-Mail: All incoming and outgoing Internet traffic is blocked, but incoming and outgoing e-mail traffic is still allowed.
- Send e-mail alert: An e-mail alert is sent when traffic is blocked. Ensure that e-mailing of logs is enabled on the Email and Syslog screen (see Configuring and Activating System E-mail and Syslog Logs on page 11-6).
3. Click Apply to save your settings.
4. For the dual WAN port models only, click the WAN2 Traffic Meter submenu tab. The WAN2 Traffic Meter screen displays. This screen is identical to the WAN1 Traffic Meter screen (see Figure 11-1 on page 11-2).
5. For the dual WAN port models only, repeat step 2 and step 3 for the WAN2 interface.
To display a report of the Internet traffic by type, click the Traffic by Protocol option arrow at the top right of the WAN1 Traffic Meter or WAN2 Traffic Meter screen (dual WAN port models) or at the
62. Two-Factor Authentication
Two-factor authentication is a security solution that strengthens authentication by requiring multiple factors that challenge and confirm users' identities before they can gain access to the network. Several factors can be used to validate that you are who you say you are:
- Something you know, for example, your password or your PIN.
- Something you have, for example, a token with a generated passcode that is 6 to 8 digits in length.
- Something you are, for example, biometrics such as fingerprints or retinal scans.
This appendix discusses only the first two factors: something you know and something you have. This method can be viewed as a two-tiered authentication approach because it relies on what you know and what you have. A common example of two-factor authentication is a bank ATM card issued by a bank:
- The PIN to access your account is something you know.
- The ATM card is something you have.
You must have both of these factors to gain access to your bank account. Similar to the ATM card, access to corporate networks and data can also be strengthened using a combination of multiple factors, such as a PIN and a token (hardware or software), to validate the users and reduce the incidence of online identity theft.

NETGEAR Two-Factor Authentication
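The "something you have" factor above is a token that generates a 6- or 8-digit passcode. As an added example that is not NETGEAR's or any token vendor's code, the following implements the RFC 4226 HOTP algorithm such tokens use, the server-side check of a passcode against a small counter window (so a code can never be replayed), and a login that requires both the PIN and the passcode. The secret and counters come from the RFC 4226 test vectors so the results are checkable; the window size and the verifier design are assumptions.

```python
"""HOTP token, replay-safe verifier and two-factor login (added example).
Assumed: window size, verifier behaviour; secret is the RFC 4226 test secret."""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits (6 or 8, as the appendix describes)."""
    if digits not in (6, 8):
        raise ValueError("token passcodes are 6 or 8 digits")
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of the 'something you have' check. It shares the secret and tracks the next
    counter it expects; a passcode is accepted if it matches one of the next `window` counters
    (the token may have been pressed without logging in), after which the counter moves past it
    so the same passcode cannot be replayed and older codes are dead."""

    def __init__(self, secret: bytes, digits: int = 6, window: int = 5):
        self.secret, self.digits, self.window = secret, digits, window
        self.counter = 0

    def verify(self, passcode: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), passcode):
                self.counter = c + 1
                return True
        return False


def two_factor_login(pin: str, passcode: str, stored_pin: str, verifier: TokenVerifier) -> bool:
    """Both factors must check: the PIN (something you know) and the passcode (something you have).
    The token check runs even when the PIN is wrong, so a failed attempt still consumes the passcode
    and an attacker who saw it cannot spend it later once they guess the PIN."""
    pin_ok = hmac.compare_digest(pin.encode(), stored_pin.encode())
    code_ok = verifier.verify(passcode)
    return pin_ok and code_ok


if __name__ == "__main__":
    print([hotp(RFC4226_SECRET, c) for c in range(3)])  # RFC 4226 vectors
    v = TokenVerifier(RFC4226_SECRET)
    print(two_factor_login("1234", hotp(RFC4226_SECRET, 0), "1234", v))
```

Stealing only the PIN or only one passcode is not enough, which is the point the ATM analogy makes; the counter window is what turns the token's output into something that is also single-use.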
63. [Figure 2-17: Registration screen.]
Enter the license key in the Registration Key field. Fill out the customer and VAR fields.
4. Click Register.
5. Repeat step 2 and step 4 for additional license keys.
The UTM activates the licenses and registers the unit with the NETGEAR registration server.
Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Registering the UTM with NETGEAR on page 2-26), the license keys are erased. The license keys and the different types of licenses that are available for the UTM are no longer displayed on the Registration screen. However, after you have reconfigured the UTM to connect to the Internet and to the NETGEAR registration server, the UTM retrieves and restores all registration information based on its MAC address and hardware serial number. You do not need to re-enter the license keys and re-activate the UTM.

What to Do Next
You have completed setting up and deploying the UTM to the network. The UTM is now ready to scan the protocols and services that you specified and perform automatic updates based on the update source and frequency that you specified. If you need to change the settings or to view reports or logs, log in to the UTM Web Management Interface
64. ...IKE Policies table.
To edit an IKE policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear, with the IKE Policies screen in view (see Figure 7-20 on page 7-24).
2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that you want to edit. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 7-21 on page 7-26).
3. Modify the settings that you wish to change (see Table 7-10).
4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.

Managing VPN Policies
You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.
- Manual: You manually enter all settings (including the keys) for the VPN tunnel on the UTM and on the remote VPN endpoint. No third-party server or organization is involved.
- Auto: Some settings for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint). You still must manually enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard).
In a
65. ...IP packets for services with this priority with a ToS value of 2.
- Maximize throughput: Profile used when the volume of data transferred during an interval is important, even if the latency over the link is high. You would typically mark the IP packets for services with this priority with a ToS value of 3 or 4.
- Minimize delay: Profile used when the time required (latency) for the packet to reach the destination must be low. You would typically mark the IP packets for services with this priority with a ToS value of 7.

To create a QoS profile:
1. Select Network Security > Firewall Objects from the menu. The Firewall Objects submenu tabs appear, with the Services screen in view.
2. Click the QoS Profiles submenu tab. The QoS Profiles screen displays. Figure 5-21 shows some profiles in the List of QoS Profiles table as an example.
[Figure 5-21: QoS Profiles screen. The List of QoS Profiles table shows, for example, Maximize_Through (QoS Type: IP Precedence, Priority: High) and Normal_Service (QoS Type: DSCP, Priority: Medium).]
The screen displays the List of QoS Profiles table with the user-defined profiles.
3. Under the List of QoS Profiles table, click the Add table button. The Add QoS Profile screen displays.
[Figure: Add QoS Profile screen, with the Profile Name field, the DiffServ Mark selection (Don't Change), and the QoS type selection (IP Precedence).]
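The "ToS value" the profile descriptions refer to is the 3-bit IP Precedence field, and the QoS Type column in Figure 5-21 shows the other way to mark a packet, a 6-bit DSCP; both live in the same byte of the IPv4 header (offset 1), and the header checksum changes whenever that byte does. The following added example, not NETGEAR code, builds the ToS byte for either QoS type, decodes it back, and rewrites a constructed IPv4 header with a fresh checksum; it also shows that a DSCP mark such as EF (46) is read as precedence 5 by a device that only understands the precedence bits. The 20-byte header and the profile-to-value mapping are constructed for the example; treating the manual's values as IP Precedence is an assumption consistent with the figure.

```python
"""ToS/DSCP marking and IPv4 header checksum repair (added example, not NETGEAR code).
Assumed: the sample header, and that the manual's ToS values are IP Precedence."""
import struct


def tos_for_profile(qos_type: str, value: int, existing_tos: int = 0) -> int:
    """Build the ToS/DS byte as the two QoS types in the UTM's profile screen would:
    IP Precedence writes bits 7..5 and keeps the low 5 bits, DSCP writes bits 7..2 and keeps ECN."""
    if qos_type == "IP Precedence":
        if not 0 <= value <= 7:
            raise ValueError("IP precedence is 0..7")
        return (existing_tos & 0x1F) | (value << 5)
    if qos_type == "DSCP":
        if not 0 <= value <= 63:
            raise ValueError("DSCP is 0..63")
        return (existing_tos & 0x03) | (value << 2)
    raise ValueError("unknown QoS type")


def precedence_of(tos: int) -> int:
    return tos >> 5


def dscp_of(tos: int) -> int:
    return tos >> 2


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; over a header whose checksum is correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_ipv4_header(packet: bytes, tos: int) -> bytes:
    """Rewrite the ToS byte (offset 1) and recompute the header checksum (offset 10); payload untouched."""
    ihl = (packet[0] & 0x0F) * 4
    h = bytearray(packet[:ihl])
    h[1] = tos
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack(">H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[ihl:]


def sample_packet() -> bytes:
    """Constructed minimal IPv4 header, protocol TCP, 192.168.10.10 -> 10.0.0.5, ToS 0, with a valid checksum."""
    h = bytearray(struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                              bytes([192, 168, 10, 10]), bytes([10, 0, 0, 5])))
    h[10:12] = struct.pack(">H", ipv4_checksum(bytes(h)))
    return bytes(h) + b"\x00" * 20  # 20 bytes of payload standing in for the TCP header


if __name__ == "__main__":
    pkt = sample_packet()
    marked = mark_ipv4_header(pkt, tos_for_profile("IP Precedence", 7))  # the "minimize delay" value
    print(hex(marked[1]), "checksum ok:", ipv4_checksum(marked[:20]) == 0)
    print("EF (DSCP 46) seen as precedence", precedence_of(tos_for_profile("DSCP", 46)))
```

Marks applied at the UTM only help if the next hop honours them; a DSCP-aware router and a precedence-only router read the same byte differently, which is why the two QoS types are offered side by side.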
66. ...Name Servers (DNS addresses), select the Get Automatically from ISP radio button.

Table 2-2. Setup Wizard Step 2: WAN Settings (continued)
Use These DNS Servers: If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues.
- Primary DNS Server: The IP address of the primary DNS server.
- Secondary DNS Server: The IP address of the secondary DNS server.

Setup Wizard Step 3 of 10: System Date and Time
[Figure 2-9: Setup Wizard Step 3 of 10, System Date and Time: time zone (GMT, Greenwich Mean Time: Edinburgh, London), the Automatically Adjust for Daylight Savings Time checkbox, Use Default NTP Servers or Use Custom NTP Servers (Server 1 Name / IP Address: time-g.netgear.com; Server 2 Name / IP Address: time-h.netgear.com), and the current time (Mon Apr 13 16:53:12 GMT 2009).]
Enter the settings as explained in Table 2-3 on page 2-15, then click Next to go to the following screen.
Note: After you have completed the steps in the Setup Wizard, you can make changes to the date and time by selecting Administration > System Date &
67. Note: After you have completed the steps in the Setup Wizard, you can make changes to the WAN settings by selecting Network Config > WAN Settings. Then, for a dual WAN port model, select WAN1 ISP Settings or WAN2 ISP Settings, and for a single WAN port model, select WAN ISP Settings. For more information about these WAN settings, see Configuring the Internet Connections on page 3-2.

Table 2-2. Setup Wizard Step 2: WAN Settings
ISP Login: Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select the Yes radio button. Otherwise, select the No radio button (the default setting) and skip the ISP Type section below. If you select Yes, enter the following settings:
- Login: The login name that your ISP has assigned to you.
- Password: The password that your ISP has assigned to you.
ISP Type: What type of ISP connection do you use? If your connection is PPPoE or PPTP, then you must log in: select the Yes radio button. Based on the connection that you select, the text box fields that require data entry are highlighted. If your ISP has not assigned any login information, then select the No radio button and skip this section. If you select Yes, enter the following settings:
- Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses
68. Note: After you have completed the steps in the Setup Wizard, you can make changes to the administrator e-mail notification settings by selecting Network Config > Email Notification. For more information about these settings, see Configuring the E-mail Notification Server on page 11-5.

Table 2-8. Setup Wizard Step 8: Administrator Email Notification Settings
Show as mail sender: A descriptive name of the sender for e-mail identification purposes. For example, enter UTM_Notifications@netgear.com.
SMTP server: The IP address and port number or Internet name and port number of your ISP's outgoing e-mail SMTP server. The default port number is 25.
Note: If you leave this field blank, the UTM cannot send e-mail notifications.
This server requires authentication: If the SMTP server requires authentication, select the This server requires authentication checkbox and enter the following settings:
- User name: The user name for SMTP server authentication.
- Password: The password for SMTP server authentication.
Send notifications to: The e-mail address to which the notifications should be sent. Typically, this is the e-mail address of the administrator.
69. ...Policy Settings (continued)
Authentication Algorithm: From the pull-down menu, select one of the following two algorithms to use in the VPN header for the authentication process:
- SHA-1: Hash algorithm that produces a 160-bit digest. This is the default setting.
- MD5: Hash algorithm that produces a 128-bit digest.
Authentication Method: Select one of the following radio buttons to specify the authentication method:
- Pre-shared key: A secret that is shared between the UTM and the remote endpoint.
- RSA Signature: Uses the active self certificate that you uploaded on the Certificates screen (see Managing Self Certificates on page 9-20). The Pre-shared key field is masked out when you select the RSA Signature option.
Pre-shared key: A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote (") in the key.
Diffie-Hellman (DH) Group: The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the pull-down menu, select one of the following three strengths:
- Group 1: 768 bit.
- Group 2: 1024 bit. This is the default setting.
- Group 5: 1536 bit.
Note: Ensure that the DH Group is configured identically on both sides.
SA Lifetime (sec): The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying must occur. The default is 28800 sec
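What the DH Group setting and the note that it must match on both sides mean in practice, as an added example that is not NETGEAR's IKE implementation: the two gateways run a Diffie-Hellman exchange in the group each was configured with, using the RFC 2409 group 1 (768-bit) and group 2 (1024-bit) moduli with generator 2, and only end up with the same secret when the groups agree. It also rejects degenerate peer values and checks the pre-shared key rule the table states (8 to 49 characters, no double quote). Group 5 is omitted to keep the block short; the private exponents are random. Group 1 and MD5 are listed because the UTM offers them, but both are considered too weak for new deployments, which is a reason to keep the Group 2 default or higher.

```python
"""IKE phase-1 style DH agreement with RFC 2409 groups 1 and 2 (added example, not NETGEAR code).
Assumed: nothing beyond the standard moduli; private values are drawn at random."""
import secrets

# RFC 2409 sections 6.1 and 6.2, generator 2
GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
GROUPS = {1: GROUP1_P, 2: GROUP2_P}
GENERATOR = 2


def dh_keypair(group: int):
    """Private exponent x in [2, p-2] and public value g^x mod p for the configured group."""
    p = GROUPS[group]
    x = 2 + secrets.randbelow(p - 3)
    return x, pow(GENERATOR, x, p)


def dh_shared_secret(group: int, private: int, peer_public: int) -> int:
    """Reject 0, 1, p-1 and out-of-range peer values before exponentiating: those
    force the secret into a tiny set and are the classic small-subgroup trick."""
    p = GROUPS[group]
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value is not a valid group element")
    return pow(peer_public, private, p)


def phase1_agree(local_group: int, remote_group: int) -> bool:
    """Each gateway runs DH in its own configured group. The secrets agree only when the groups
    match, which is the practical content of 'configured identically on both sides'."""
    xa, ya = dh_keypair(local_group)
    xb, yb = dh_keypair(remote_group)
    try:
        return dh_shared_secret(local_group, xa, yb) == dh_shared_secret(remote_group, xb, ya)
    except ValueError:   # the peer's value does not even fit in our group
        return False


def valid_pre_shared_key(key: str) -> bool:
    """The manual's pre-shared key rule: 8 to 49 characters, no double quote."""
    return 8 <= len(key) <= 49 and '"' not in key


if __name__ == "__main__":
    print("group 2 both sides:", phase1_agree(2, 2))
    print("group 2 vs group 1:", phase1_agree(2, 1))
    print("psk ok:", valid_pre_shared_key("correct-horse-battery"), valid_pre_shared_key('no"quotes'))
```

A real IKE negotiation would fail earlier, at proposal matching, rather than derive mismatched secrets; the example shows why the check exists.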
70. ...Portal Options (on this page)
- Using the SSL VPN Wizard for Client Configurations on page 8-2
- Manually Configuring and Editing SSL Connections on page 8-17

Understanding the SSL VPN Portal Options
The UTM's SSL VPN portal can provide two levels of SSL service to the remote user:
- SSL VPN Tunnel: The UTM can provide the full network connectivity of a VPN tunnel using the remote user's browser instead of a traditional IPsec VPN client. The SSL capability of the user's browser provides authentication and encryption, establishing a secure connection to the UTM. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC to allow the remote user to virtually join the corporate network. The SSL VPN client provides a point-to-point (PPP) connection between the client and the UTM, and a virtual network interface is created on the user's PC. The UTM assigns the PC an IP address and DNS server IP addresses, allowing the remote PC to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure.
- SSL Port Forwarding: Like an SSL VPN tunnel, port forwarding is a Web-based client that installs transparently and then creates a virtual, encrypted tunnel to the remote network. However, port forwarding differs
71. ...Ports for Improved Reliability
In a dual WAN port auto-rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active WAN port (port WAN1 in Figure B-10 on page B-12) because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as a responder.
[Figure B-10: Road Warrior Example, Dual WAN Ports, Before Rollover. Client B, a remote PC running the NETGEAR ProSafe VPN Client, connects to Gateway A, the VPN router at the employer's main office (FQDN bzrouter.dyndns.org, WAN1 IP 10.5.6.1, LAN 10.5.6.0/24); the WAN2 port is inactive (WAN2 IP N/A). Fully qualified domain names (FQDN): required for fixed IP addresses, required for dynamic IP addresses.]
The IP addresses of the WAN ports can be either fixed or dynamic, but you must always use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance). After a rollover of the WAN port has occurred, the previously inactive gateway WAN port becomes the active port (port WAN2 in Figure B-11), and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder.
[Figure B-11: Road Warrior Example, Dual WAN Ports, After Rollover. Gateway A's WAN1 port is now inactive (WAN1 IP N/A) and the tunnel terminates on WAN2.]
72. ...Router's MAC Address section of the WAN Advanced Options screen of the single WAN port models (see Configuring Advanced WAN Options on page 3-22).
If your UTM can obtain an IP address but an attached PC is unable to load any Web pages from the Internet:
- Your PC might not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically, your ISP provides the addresses of one or two DNS servers for your use. You may configure your PC manually with DNS addresses, as explained in your operating system documentation.
- Your PC might not have the UTM configured as its TCP/IP gateway.

Troubleshooting a TCP/IP Network Using a Ping Utility
Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your PC or workstation.
Testing the LAN Path to Your UTM
You can ping the UTM from your PC to verify that the LAN path to the UTM is set up correctly.
To ping the UTM from a PC running Windows 95 or later:
1. From the Windows toolbar, click Start and choose Run.
2. In the field provided, type ping followed
73. …Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the UTM, wait at least five minutes and check the date and time again.
• Time is off by one hour. Cause: the UTM does not automatically sense Daylight Savings Time. Go to the System Date & Time screen and select or deselect the checkbox marked Automatically Adjust for Daylight Savings Time.
Using Online Support
The UTM includes online support tools that allow NETGEAR Technical Support to securely perform diagnostics of the UTM and that let you submit suspicious files for analysis by NETGEAR. You can also access the knowledge base and documentation online.
Enabling Remote Troubleshooting
One of the advanced features that the UTM provides is online support through a support tunnel. With this feature, NETGEAR Technical Support staff can analyze from a remote location any difficulty you might be experiencing with the UTM and perform advanced diagnostics. Make sure that ports 443 and 2222 are open on your firewall and that you have the support key that was given to you by NETGEAR. Because the tunnel gives remote staff diagnostic access to the appliance, open it only for the duration of the support case.
(Troubleshooting and Using Online Support, page 12-10)
To initiate the support tunnel:
1. Select Support > Online Support from the menu. The Online Support screen displays (the submenu also shows the Malware Analysis, Registration, Knowledge Base, and Documentation tabs).
74. [Figure 10-7: Signatures & Engine screen. Update Settings: Update From, Server address. Frequency Settings: Weekly (day and hh:mm), Daily (hh:mm), every … hours. HTTPS Proxy Settings: Enable Proxy Server; This server requires authentication; Username; Password.]
The Info section shows the following information fields for the scan engine firmware and pattern file:
• Current Version: the version of the files.
• Last Updated: the date of the most recent update.
To immediately update the scan engine firmware and pattern file, click Update Now at the bottom of the screen.
(Network and System Management, page 10-22)
Configuring Automatic Update and Frequency Settings
To configure the update settings and frequency settings for automatic downloading of the scan engine firmware and pattern file:
1. Locate the Update Settings, Frequency Settings, and HTTPS Proxy Settings section on the Signatures & Engine screen (see Figure 10-7 on page 10-22). Enter the settings as explained in Table 10-2.
Table 10-2. Signatures & Scan Engine Settings (Setting; Description or Subfield and Description)
Update Settings
• Update From: from the pull-down menu, select one of the following options:
  – Never: the pattern and firmware files are never automatically updated.
  – Scan engine and Signatures: the pattern and firmware files are automati
75. [Figure 5-2: LAN WAN Rules screen. Outbound Services table (columns: Service Name, Filter, LAN Users, QoS Profile, Bandwidth Profile, Log, Action) with example rows such as REALAUDIO allowed always for a LAN address range, and SMTP allowed always from 192.168.4.35 to ANY. Inbound Services table (columns: Service Name, Filter, LAN Server IP Address, LAN Users, QoS Profile, Bandwidth Profile, Log, Action) with an example TELNET rule, allowed by Schedule 1, to the LAN server 192.168.10.20. Table buttons: Select All, Delete, Enable, Disable, Add; per-row buttons: Edit, Up, Down.]
(Firewall Protection, page 5-12)
To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons:
• Edit: allows you to make any changes to the rule definition of an existing rule. Depending on your selection, either the Edit LAN WAN Outbound Service screen (identical to Figure 5-3 on page 5-14) or the Edit LAN WAN Inbound Service screen (identical to Figure 5-4 on page 5-15) displays, containing the data for the selected rule.
• Up: moves the rule up one position in the table rank.
• Down: moves the rule down one position in the table rank.
To enable, disable, or delete one or more rules:
1. Select the checkbox to the left of the rule that you want to delete or disable, or click the Select All table button to
76. LAN WAN Outbound Service settings (Setting; Description or Subfield and Description)
• Service: the service or application to be covered by this rule. If the service or application does not appear in the list, you must define it using the Services menu (see Adding Customized Services on page 5-32).
• Action (Filter): the action for outgoing connections covered by this rule: BLOCK always; BLOCK by schedule, otherwise allow; ALLOW always; ALLOW by schedule, otherwise block.
  Note: Any outbound traffic that is not blocked by rules you create is allowed by the default rule. ALLOW rules are therefore only useful if the traffic is already covered by a BLOCK rule, that is, when you want to allow a subset of traffic that is currently blocked by another rule; rank such an ALLOW rule above the BLOCK rule it carves the exception out of (use the Up and Down table buttons to change the rank).
• Select Schedule: the time schedule (Schedule1, Schedule2, or Schedule3) that is used by this rule. This pull-down menu is activated only when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the Action. Use the Schedule screen to configure the time schedules (see Setting a Schedule to Block or Allow Specific Traffic on page 5-41).
• LAN Users: the settings that determine which computers on your network are affected by this rule. The options are:
  – Any: all PCs and devices on your LAN.
  – Single address: enter the required address to apply the rule to a single device on your LAN.
  – Address range: enter the required addresses in the Start and Finish fields to apply the rule to a range of dev
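How the Action, Select Schedule, LAN Users and table rank interact is easier to see in code. The following Python model is an added example written for this page, not NETGEAR's implementation: it assumes that the highest-ranked matching rule decides (which is what the Up and Down ranking implies), that a schedule is a set of weekdays plus a daily time window (the real Schedule screen's fields are not reproduced here), and it uses a constructed rule table rather than the one in the screenshot.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Action strings as they appear in the Action/Filter pull-down.
BLOCK_ALWAYS = "BLOCK always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule, otherwise allow"
ALLOW_ALWAYS = "ALLOW always"
ALLOW_BY_SCHEDULE = "ALLOW by schedule, otherwise block"


@dataclass
class Schedule:
    """Assumed shape of Schedule1..3: weekdays (0=Monday) and a daily time window."""
    days: frozenset
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        t = when.time()
        if self.start <= self.end:                  # e.g. 09:00-17:00
            return self.start <= t < self.end
        return t >= self.start or t < self.end      # window wraps midnight, e.g. 22:00-06:00


@dataclass
class Rule:
    service: str                      # service name, e.g. "SMTP"
    action: str                       # one of the four action strings above
    lan_start: IPv4Address            # LAN Users: a single address has start == end
    lan_end: IPv4Address
    schedule: Optional[Schedule] = None
    enabled: bool = True

    def matches(self, service: str, src: IPv4Address) -> bool:
        return self.enabled and self.service == service and self.lan_start <= src <= self.lan_end


ANY_LAN = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))


def decide(rules: List[Rule], service: str, src: str, when: datetime) -> Tuple[str, Optional[Rule]]:
    """Walk the table from the top rank downward; the first enabled matching rule decides.
    Outbound traffic that no rule covers falls through to the default rule, which allows it."""
    src_ip = IPv4Address(src)
    for rule in rules:
        if not rule.matches(service, src_ip):
            continue
        if rule.action == ALLOW_ALWAYS:
            return "ALLOW", rule
        if rule.action == BLOCK_ALWAYS:
            return "BLOCK", rule
        in_window = rule.schedule is not None and rule.schedule.covers(when)
        if rule.action == BLOCK_BY_SCHEDULE:
            return ("BLOCK" if in_window else "ALLOW"), rule
        return ("ALLOW" if in_window else "BLOCK"), rule      # ALLOW_BY_SCHEDULE
    return "ALLOW", None


def move_up(rules: List[Rule], index: int) -> List[Rule]:
    """Equivalent of the Up table button: swap the rule with the one ranked above it."""
    rules = list(rules)
    if index > 0:
        rules[index - 1], rules[index] = rules[index], rules[index - 1]
    return rules


def example_table() -> List[Rule]:
    """Constructed outbound table (not the screenshot's): block all SMTP from the LAN, then an
    ALLOW exception for the mail relay 192.168.4.35 that is mistakenly ranked *below* the block."""
    office_hours = Schedule(frozenset(range(0, 5)), time(9, 0), time(17, 0))   # Mon-Fri 09:00-17:00
    return [
        Rule("SMTP", BLOCK_ALWAYS, *ANY_LAN),
        Rule("SMTP", ALLOW_ALWAYS, IPv4Address("192.168.4.35"), IPv4Address("192.168.4.35")),
        Rule("REALAUDIO", BLOCK_BY_SCHEDULE, IPv4Address("192.168.4.1"), IPv4Address("192.168.4.99"), office_hours),
    ]


def demo() -> dict:
    table = example_table()
    monday_noon = datetime(2010, 1, 4, 12, 0)     # 4 January 2010 was a Monday
    sunday_noon = datetime(2010, 1, 3, 12, 0)
    fixed = move_up(table, 1)                     # press Up on the ALLOW rule once
    return {
        "relay_before_reorder": decide(table, "SMTP", "192.168.4.35", monday_noon)[0],
        "relay_after_reorder": decide(fixed, "SMTP", "192.168.4.35", monday_noon)[0],
        "other_host_smtp": decide(fixed, "SMTP", "192.168.4.50", monday_noon)[0],
        "realaudio_in_hours": decide(table, "REALAUDIO", "192.168.4.10", monday_noon)[0],
        "realaudio_sunday": decide(table, "REALAUDIO", "192.168.4.10", sunday_noon)[0],
        "uncovered_service": decide(table, "HTTP", "192.168.4.10", monday_noon)[0],
    }
```

The relay is blocked until its ALLOW rule is moved above the catch-all BLOCK, traffic no rule names is allowed by the default rule, and the schedule-bound rule flips its answer outside the window.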
77. Setup Wizard
1. Select Wizards from the main navigation menu. The Welcome to the Netgear Configuration Wizard screen displays.
[Figure 2-6: radio buttons Setup Wizard, IPSec VPN Wizard, SSL VPN Wizard.]
2. Select the Setup Wizard radio button.
3. Click Next. The first Setup Wizard screen displays.
The following sections explain the nine configuration screens of the Setup Wizard. On the 10th screen, you can save your configuration. The tables in the following sections explain the buttons and fields of the Setup Wizard screens. Additional information about the settings in the Setup Wizard screens is provided in other chapters that explain manual configuration; each section below provides a specific link to a section in another chapter.
(Using the Setup Wizard to Provision the UTM in Your Network, page 2-7)
Setup Wizard Step 1 of 10: LAN Settings
[Figure: Setup Wizard step 1 of 10, LAN Settings. LAN TCP/IP Setup: IP Address, Subnet Mask. DHCP: Disable DHCP Server, Enable DHCP Server, DHCP Relay (Relay Gateway); Domain Name, Starting IP Address, Ending IP Address, Primary DNS Server, Secondary DNS Server, WINS Server, Lease Time (hours). Enable LDAP information: LDAP Server, Search Base, Port (enter 0 for the default port). DNS P…]
78. [Figure 7-4: IPSec VPN Wizard. "This VPN tunnel will use the following local WAN interface": WAN1 / WAN2. End Point Information: "What is the Remote WAN's IP Address or Internet Name?" 75.34.173.25; "What is the Local WAN's IP Address or Internet Name?" 192.168.50.61. Secure Connection Remote Accessibility: "What is the remote LAN IP Address?" 192.…; "What is the remote LAN Subnet Mask?" 255.255.255.0.]
To view the wizard default settings, click the VPN Wizard Default Values option arrow at the top right of the screen. A pop-up window appears (see Figure 7-5 on page 7-6), displaying the wizard default values. After you have completed the wizard, you can modify these settings for the tunnel policy that you have set up.
(Virtual Private Networking Using IPsec Connections, page 7-5)
Figure 7-5. VPN Wizard default values
Default values of IKE Policy:
• Exchange Mode: Aggressive
• ID Type: FQDN
• Local WAN ID: utm_local.com
• Remote WAN ID: utm_remote.com
• Encryption Algorithm: 3DES
• Authentication Algorithm: SHA-1
• Authentication Method: Pre-shared Key
• Key Group: DH Group 2 (1024 bit)
• Life Time: 24 hours
Default values for VPN Policy:
• Encryption Algorithm: 3DES
• Authentication Algorithm: SHA-1
• Life Time: 8 hours
• PFS Key Group: DH Group 2 (1024 bit)
• NETBIOS: Enabled
These defaults favour interoperability over strength: aggressive mode with a pre-shared key sends the peer identity in the clear and exposes a hash derived from the key to offline guessing, and 1024-bit DH Group 2 and 3DES are below current recommendations. Where both the UTM and the remote peer offer them, switch the IKE policy to main mode with a long random pre-shared key (or certificates) and a stronger cipher and DH group after the wizard completes.
3. Select the radio buttons and complete the field
79. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you must configure the DHCP Relay Agent on the subnet that contains the remote clients so that the DHCP Relay Agent can relay DHCP broadcast messages to your DHCP server.
DNS Proxy
When the DNS Proxy option is enabled for a VLAN, the UTM acts as a proxy for all DNS requests and communicates with the ISP's DNS servers as configured on the WAN ISP Settings screens. All DHCP clients receive the primary and secondary DNS IP addresses along with the IP address where the DNS proxy is located, that is, the UTM's LAN IP address. When the DNS Proxy option is disabled for a VLAN, all DHCP clients receive the DNS IP addresses of the ISP but without the DNS proxy IP address.
A DNS proxy is particularly useful in auto-rollover mode. For example, if the DNS servers for each WAN connection are different servers, then a link failure might render the DNS servers inaccessible. When the DNS Proxy option is enabled, however, the DHCP clients can make requests to the UTM, which in turn can send those requests to the DNS servers of the active WAN connection. Disable the DNS Proxy, on the other hand, if you are using a dual WAN configuration in auto-rollover mode with route diversity (that is, with two different ISPs) and you cannot ensure that the DNS server is available after a rollover has occurred.
(LAN Configuration, page 4-5)
80. [Figure 11-1: WAN Traffic Meter screen. Traffic statistics fields: Traffic Volume (MB), Total Traffic Volume (MB), Average per day, % of Standard Limit, % of this Month's Limit.]
2. Enter the settings as explained in Table 11-1 on page 11-3.
(Monitoring System Access and Performance)
Table 11-1. WAN Traffic Meter Settings (Setting; Description or Subfield and Description)
• Enable Traffic Meter: "Do you want to enable Traffic Metering on WAN1?" (dual WAN port models) or "Do you want to enable Traffic Metering on WAN?" (single WAN port models). Select one of the following radio buttons to configure traffic metering:
  – Yes: traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN1 interface (dual WAN port models) or WAN interface (single WAN port models). Complete the fields below on the screen (these fields are presented on the right).
  – No: traffic metering is disabled. This is the default setting.
  Select one of the following radio buttons to specify if or how the UTM applies restrictions when the traffic limit is reached:
  – No Limit: no restrictions are applied when the traffic limit is reached.
  – Download only: restrictions are applied to incoming traffic when the traffic limit is reached. Complete the monthly limit field below.
  – Both Directions: restrictions are applied to both incoming and outgoing traffi
81. [Figure 7-33: IPSec VPN policy screen. Type: Auto Policy. Select Local Gateway: WAN1 / WAN2. Remote Endpoint: IP Address / FQDN. Enable NetBIOS. Enable Rollover. Enable Keepalive: Yes / No; Ping IP Address (208.133.187.…); Detection period (seconds); Reconnect after failure count.]
4. Select the Enable NetBIOS checkbox.
5. Click Apply to save your settings.
(Virtual Private Networking Using IPsec Connections, pages 7-59 and 7-60)
Chapter 8. Virtual Private Networking Using SSL Connections
The UTM provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol commonly used for e-commerce transactions, the UTM can authenticate itself to an SSL-enabled client, such as a standard Web browser. Once the authentication and negotiation of encryption information is completed, the server and client can establish an encrypted connection. With support for up to 13 dedicated SSL VPN tunnels, users can easily access the remote network for a customizable, secure user portal experience from virtually any available platform.
This chapter contains the following sections:
• Understanding the SSL VPN
82. …UTM marks the Type Of Service (ToS) field as defined in the QoS profiles that you create. For more information, see Creating Quality of Service (QoS) Profiles on page 5-35.
  Note: There is no default QoS profile on the UTM. After you have created a QoS profile, it becomes active only when you apply it to a non-blocking inbound or outbound firewall rule.
• Bandwidth Profile: bandwidth limiting determines the way in which data is sent to and from your host. The purpose of bandwidth limiting is to limit the outgoing and incoming traffic, thus preventing LAN users from consuming all the bandwidth of the Internet link. Bandwidth limiting occurs in the following ways:
  – For outbound traffic: on the available WAN interface in single WAN port mode and auto-rollover mode, and on the selected interface in load balancing mode.
  – For inbound traffic: on the LAN interface for all WAN modes.
  Note: Bandwidth limiting does not apply to the DMZ interface.
• Log: the setting that determines whether packets covered by this rule are logged. The options are:
  – Always: always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
  – Never: never log traffic considered by this rule, whether it matches or not.
• NAT IP: the setting that specifies whether the source address of the outgoing packets on the WAN should be assigned the address of the WAN interface or the ad
83. …UTM policy hierarchy is defined as follows:
1. User policies take precedence over all group policies.
2. Group policies take precedence over all global policies.
3. If two or more user, group, or global policies are configured, the most specific policy takes precedence.
(Virtual Private Networking Using SSL Connections, page 8-31)
For example, a policy that is configured for a single IP address takes precedence over a policy that is configured for a range of addresses, and a policy that applies to a range of IP addresses takes precedence over a policy that is applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses.
Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not on the entire network resource.
For example, assume the following global policy configuration:
• Policy 1: a Deny rule has been configured to block all services to the IP address range 10.0.0.0-10.0.0.255.
• Policy 2: a Deny rule has been configured to block FTP access to 10.0.1.2-10.0.1.10.
• Policy 3: a Permit rule has been configured to allow FTP access to the predefined network resource with the name FTP Servers. The FTP Servers network resource includes the follow
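The precedence rules above, as an added Python example (not the UTM's own policy engine). The members of the FTP Servers resource are constructed for the example because the manual's member list is not reproduced here; the NO_POLICY result for an address no policy covers is this example's convention; and a user-level policy is included to show that scope beats address specificity.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

SCOPE_RANK = {"user": 0, "group": 1, "global": 2}   # lower rank wins


@dataclass(frozen=True)
class Target:
    """One address, an address range, all addresses, or a host name (treated like one address)."""
    start: Optional[IPv4Address] = None
    end: Optional[IPv4Address] = None
    host: Optional[str] = None

    @staticmethod
    def single(ip: str) -> "Target":
        return Target(IPv4Address(ip), IPv4Address(ip))

    @staticmethod
    def range(start: str, end: str) -> "Target":
        return Target(IPv4Address(start), IPv4Address(end))

    @staticmethod
    def everything() -> "Target":
        return Target(IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))

    @staticmethod
    def hostname(name: str) -> "Target":
        return Target(host=name.lower())

    def size(self) -> int:
        """Specificity: fewer covered addresses means more specific."""
        if self.host is not None:
            return 1
        return int(self.end) - int(self.start) + 1

    def contains(self, ip: IPv4Address, host: Optional[str]) -> bool:
        if self.host is not None:
            return host is not None and host.lower() == self.host
        return self.start <= ip <= self.end


@dataclass
class Policy:
    name: str
    scope: str                  # "user", "group" or "global"
    subject: Optional[str]      # user name or group name; None for global
    targets: List[Target]       # a network resource is simply several targets
    service: str                # "ALL" or a service name such as "FTP"
    action: str                 # "PERMIT" or "DENY"


def resolve(policies, user, groups, ip, service, host=None):
    """Pick the governing policy: user beats group beats global, then the most specific address
    target wins (single address or host name before range, smaller range before larger). A network
    resource is ranked by the member that matched, not by the resource as a whole.
    Returns (action, policy name), or ("NO_POLICY", None) if nothing applies."""
    ip = IPv4Address(ip)
    best_key, best = None, None
    for p in policies:
        if p.scope == "user" and p.subject != user:
            continue
        if p.scope == "group" and p.subject not in groups:
            continue
        if p.service not in ("ALL", service):
            continue
        for t in p.targets:
            if t.contains(ip, host):
                key = (SCOPE_RANK[p.scope], t.size())
                if best_key is None or key < best_key:     # ties keep the earlier policy
                    best_key, best = key, p
    return (best.action, best.name) if best else ("NO_POLICY", None)


def example_policies():
    """The manual's three global policies, constructed members for 'FTP Servers', and one user policy."""
    ftp_servers = [Target.single("10.0.0.5"), Target.range("10.0.1.3", "10.0.1.5")]   # constructed
    return [
        Policy("Policy 1", "global", None, [Target.range("10.0.0.0", "10.0.0.255")], "ALL", "DENY"),
        Policy("Policy 2", "global", None, [Target.range("10.0.1.2", "10.0.1.10")], "FTP", "DENY"),
        Policy("Policy 3", "global", None, ftp_servers, "FTP", "PERMIT"),
        Policy("alice-ftp", "user", "alice", [Target.everything()], "FTP", "DENY"),
    ]


def demo():
    p = example_policies()
    return {
        "ftp_to_10.0.0.5": resolve(p, "bob", ["staff"], "10.0.0.5", "FTP"),      # single member beats 256-address range
        "ftp_to_10.0.1.4": resolve(p, "bob", ["staff"], "10.0.1.4", "FTP"),      # 3-address range beats 9-address range
        "http_to_10.0.0.5": resolve(p, "bob", ["staff"], "10.0.0.5", "HTTP"),    # Policy 3 is FTP-only
        "ftp_to_10.0.0.100": resolve(p, "bob", ["staff"], "10.0.0.100", "FTP"),
        "alice_ftp_to_10.0.0.5": resolve(p, "alice", ["staff"], "10.0.0.5", "FTP"),  # user scope wins over specificity
        "ftp_to_unlisted": resolve(p, "bob", ["staff"], "192.168.5.9", "FTP"),
    }
```

Note that specificity is measured on addresses only: Policy 3 beats Policy 1 for 10.0.0.5 because its matching member is a single address, not because it names a narrower service.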
84. (Virtual Private Networking Using IPsec Connections)
[Figure: NETGEAR ProSafe VPN Client Log Viewer for the connection "My Connections\UTM_SJ". Timestamps run from 51:19.312 to 51:20.796; the following messages are visible, in order:]
Initiating IKE Phase 1 (IP ADDR=83.71.251.30)
SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
RECEIVED<<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID 3x, NAT-D 2x, VID)
Peer is NAT-T draft-02 capable
NAT is detected for Client
Floating to IKE non-500 port
SENDING>>>> ISAKMP OAK AG (HASH, NAT-D 2x, NOTIFY:STATUS_REPLAY_STA…)
Established IKE SA
  MY COOKIE 28 e9 5e 70 1e 94 Sc 34
  HIS COOKIE 7e 26 96 52 7e fe a f7
Initiating IKE Phase 2 with Client IDs (message id: C5CB4433)
  Initiator = IP ADDR=192.168.1.4, prot = 0 port = 0
  Responder = IP SUBNET/MASK=192.168.1.49/255.…, prot = 0 port = 0
SENDING…
The "OAK AG" exchanges show the client using IKE aggressive mode, matching the wizard default, and the NAT-D payloads together with the move to the non-500 port show NAT traversal (NAT-T) being negotiated because the client sits behind a NAT device.
85. …Web server 5-22; trusted: SNMP 10-15, specifying 6-37
HTML files, scanning 6-23
(Index, page 5)
HTTP: action, infected Web file or object 2-20, 6-22; default port 2-17, 6-20; enabling scanning 2-17, 6-20; proxy for HTTPS scanning 6-34, 6-37; proxy, signatures & engine settings 2-25; trusted hosts 6-37
HTTPS: action, infected Web file or object 2-20, 6-22; default port 2-17, 6-20; enabling scanning 2-17, 6-20; scanning process 6-34; trusted hosts 6-37
HyperText Markup Language. See HTML
ICMP: time-out 5-31; type 5-34
IGP 4-24
IKE policies: exchange mode 7-24, 7-27; ISAKMP identifier 7-24, 7-28; managing 7-23; ModeConfig 7-27, 7-47; XAUTH 7-30
IMAP: action, infected e-mail 2-9; anti-virus settings 6-6; default port 2-17, 6-4; enabling scanning 2-17; file extension blocking 6-11; file name blocking 6; password-protected attachment blocking 6 0
inbound rules: default 5-3; DMZ to WAN 5-18; examples 5-22; increasing traffic 10-6; LAN to DMZ 5-21; LAN to WAN 5-4; order of precedence 5-17; overview 5-6; settings 5-8
increasing traffic: DMZ port 10-7; exposed hosts 10-8; overview 10-5; port forwarding 5-7, 10-6; port triggering 10-7; VPN tunnels 10-8
initial configuration, Setup Wizard 2-7
initial connection 2
Installation Guide 2-1
installation, verifying 2-26
Instant Messaging: blocked applications, recent 5 and top 5 11-18; blocking applications
86. You cannot delete a default group; you can only delete the domain with the identical name as the default group (see Configuring Domains on page 9-2), which causes the default group to be deleted.
Click the Delete table button.
Note: You cannot delete a default group that was automatically created when you created a new domain on the second SSL VPN Wizard screen (see SSL VPN Wizard Step 2 of 6: Domain Settings on page 8-5). You can only delete such a default group by deleting the domain for which the group was created (see Configuring Domains on page 9-2).
Editing Groups
To edit a VPN group:
1. Select Users > Groups from the menu. The Groups screen displays (see Figure 9-3 on page 9-7).
2. In the Action column of the List of Groups table, click the Edit table button for the group that you want to edit. The Edit Groups screen displays (see Figure 9-4 on page 9-9). With the exception of groups that are associated with domains that use the LDAP authentication method, you can only modify the idle timeout settings.
(Managing Users, Authentication, and Certificates, page 9-8)
[Figure 9-4: Edit Group screen ("Operation succeeded"). Fields: Group Name, LDAPDomain, LDAP attribute 1 through LDAP attribute 4, Idle Timeout (minutes).]
3. Modify the idle timeout period in
87. …a pre-installed VPN client on their computers. Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
• Browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari.
• Provides granular access to corporate resources based upon user type or group membership.
(Introduction, page 1-3)
A Powerful True Firewall
Unlike simple Internet-sharing NAT routers, the UTM is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities:
• DoS protection: automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN flood.
• Secure firewall: blocks unwanted traffic from the Internet to your LAN.
• Schedule policies: permits scheduling of firewall policies by day and time.
• Logs security incidents: logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to e-mail the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a sign
88. …action must be taken immediately.
• LOG CRITICAL: there are critical conditions.
• LOG ERROR: there are error conditions.
• LOG WARNING: there are warning conditions.
• LOG NOTICE: there are normal but significant conditions.
• LOG INFO: informational messages.
• LOG DEBUG: debug-level messages.
Logs: select the checkboxes to specify which logs are sent via the syslog server. The Select Logs to Send part of the Email Logs to Administrator section of the screen (see above) lists the same checkboxes as the Send Logs via Syslog section of the screen.
(Monitoring System Access and Performance, page 11-9)
Table 11-3. E-mail and Syslog Settings (continued)
• Clear the Following Logs Information: select the checkboxes to specify which logs are cleared. The Select Logs to Send part of the Email Logs to Administrator section of the screen (see above) lists the same checkboxes as the Clear the Following Logs Information section of the screen.
3. Click Apply to save your settings, or click Clear Log Information to clear the selected logs.
Configuring and Activating Update Failure and Attack Alerts
You can configure the UTM to send an e-mail alert when a failure, malware outbreak attack, or Intrusion Prevention System (IPS) outbreak attac
89. …address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. You do not need to redefine the same set of IP addresses or address ranges when you configure the same access policies for multiple users.
Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. For most organizations, however, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.
(Virtual Private Networking Using SSL Connections, page 8-28)
Adding New Network Resources
To define a network resource:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view.
2. Click the Resources submenu tab. The Resources screen displays. Figure 8-16 shows some resources in the List of Resources table as an example.
[Figure 8-16: Resources screen (submenu tabs: IPSec VPN, Certificates, Policies, Resources, Portal Layouts, SSL VPN Client, Port Forwarding; "Operation succeeded"). List of Resources: FTPServer (Port Forwarding) and RoadWarrior (VPN Tunnel), each with an Edit action; Select All and Delete buttons. Add New Resource: Resource Name, Service (VPN Tunnel), Add.]
90. …appear.
(Firewall Protection, page 5-27)
2. Click the Attack Checks submenu tab. The Attack Checks screen displays.
[Figure 5-16: Attack Checks screen (submenu tabs: LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit). WAN Security Checks: Respond to Ping on Internet Ports; Enable Stealth Mode; Block TCP flood. LAN Security Checks: Block UDP flood; Disable Ping Reply on LAN Ports. VPN Pass through: IPsec, PPTP, L2TP.]
3. Enter the settings as explained in Table 5-4.
Table 5-4. Attack Checks Settings (Setting; Description or Subfield and Description)
WAN Security Checks
• Respond To Ping On Internet Ports: select this checkbox to enable the UTM to respond to a ping from the Internet. A ping can be used as a diagnostic tool. Keep this checkbox deselected unless you have a specific reason to enable the UTM to respond to a ping from the Internet.
• Enable Stealth Mode: select this checkbox (the default setting) to prevent the UTM from responding to port scans from the WAN, thus making it less susceptible to discovery and attacks.
• Block TCP Flood: select this checkbox to enable the UTM to drop all invalid TCP packets and to protect the UTM from a SYN flood attack. A SYN flood is a form of denial of service attack in which an attacker sends a
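The SYN flood that Block TCP Flood guards against can be recognized from connection state alone. The following Python is an added detection example, not the UTM's algorithm: it keeps half-open connections (a client SYN with no later ACK, RST or FIN on the same 4-tuple) and counts them per source and per destination port over a sliding window. The traffic is constructed and the thresholds are illustrative; the per-destination count exists because a real flood usually spoofs its source addresses, which defeats per-source counting.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed packet summaries: (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, tcp_flags)
Packet = Tuple[float, str, int, str, int, str]


def half_open_connections(packets: List[Packet], now: float, window: float) -> Dict[tuple, float]:
    """Return the 4-tuples that saw a client SYN within `window` seconds of `now` and no later
    packet from the client completing or tearing down the handshake (ACK, RST or FIN)."""
    pending: Dict[tuple, float] = {}
    for ts, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif key in pending and any(f in flags for f in "ARF"):
            del pending[key]
    return {k: ts for k, ts in pending.items() if now - ts <= window}


def flood_sources(packets, now, window=10.0, threshold=20) -> List[str]:
    """Sources with at least `threshold` half-open connections in the window (non-spoofing flooder)."""
    per_src = Counter(src for (src, _, _, _) in half_open_connections(packets, now, window))
    return sorted(s for s, n in per_src.items() if n >= threshold)


def flooded_services(packets, now, window=10.0, threshold=20) -> List[Tuple[str, int]]:
    """Destination ports whose half-open backlog exceeds the threshold regardless of source,
    which is the view that still catches a flood spread over many spoofed addresses."""
    per_dst = Counter((dst, dport) for (_, _, dst, dport) in half_open_connections(packets, now, window))
    return sorted(d for d, n in per_dst.items() if n >= threshold)


def sample_traffic() -> List[Packet]:
    """Constructed traffic, not captured data: a legitimate client completing three handshakes,
    one non-spoofing flooder, a spoofed flood from 40 addresses, and one stale SYN outside the window."""
    pk: List[Packet] = []
    for i in range(3):                       # legitimate client: SYN then ACK on the same 4-tuple
        pk.append((100.0 + i, "198.51.100.9", 40000 + i, "203.0.113.10", 443, "S"))
        pk.append((100.1 + i, "198.51.100.9", 40000 + i, "203.0.113.10", 443, "A"))
    for i in range(30):                      # one source, 30 SYNs, never completes a handshake
        pk.append((101.0 + i * 0.1, "203.0.113.7", 50000 + i, "203.0.113.10", 443, "S"))
    for i in range(40):                      # spoofed sources, one SYN each, towards port 25
        pk.append((102.0 + i * 0.05, f"192.0.2.{i + 1}", 1024 + i, "203.0.113.10", 25, "S"))
    pk.append((80.0, "198.51.100.50", 33000, "203.0.113.10", 443, "S"))   # stale, outside the window
    return pk


def demo():
    pk = sample_traffic()
    now = 105.0
    return {
        "sources": flood_sources(pk, now),
        "services": flooded_services(pk, now),
        "half_open": len(half_open_connections(pk, now, 10.0)),
    }
```

Only the single-address flooder shows up per source, while both attacked ports show up in the per-destination view; the completed handshakes and the stale SYN contribute nothing.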
91. …at the hub, router, or workstation.
• Make sure that power is turned on to the connected hub, router, or workstation.
• Be sure you are using the correct cables. When connecting the UTM's WAN ports to one or two devices that provide the Internet connections, use the cables that are supplied with the devices. These cables could be standard straight-through Ethernet cables or Ethernet crossover cables.
Troubleshooting the Web Management Interface
If you are unable to access the UTM's Web Management Interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the UTM, as described in the previous section, LAN or WAN Port LEDs Not On.
• Make sure your PC's IP address is on the same subnet as the UTM. If you are using the recommended addressing scheme, your PC's address should be in the range 192.168.1.2 to 192.168.1.254.
  Note: If your PC's IP address is shown as 169.254.x.x: Windows and Mac OS generate and assign a link-local IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range 169.254.x.x. If your IP address is in this range, check the connection from the PC to the UTM and reboot your PC.
(Troubleshooting and Using Online Support, page 12-3)
• If your UTM's IP address has been changed and you do not know
92. …by CAs and that you uploaded. Note, however, that the table displays only the active CAs and their expiry dates (see Managing the Certificate Revocation List on page 9-25).
Managing CA Certificates
To view and upload trusted certificates:
Select VPN > Certificates from the menu. The Certificates screen displays. Figure 9-11 shows the top section of the screen with the trusted certificate information and some example certificates in the Trusted Certificates (CA Certificates) table.
Figure 9-11. Certificates screen (1 of 3), Trusted Certificates (CA Certificates) table (submenu tabs: IPSec VPN, SSL VPN, Certificates; "Operation succeeded")
CA Identity (Subject Name) | Issuer Name | Expiry Time
C=US, ST=California, O=NETGEAR Inc, OU=Netgear ProSecure, CN=NetGear, emailAddress=support@netgear.com | same as the subject (self-signed) | Jan 1 00:00:00 2037 GMT
C=US, O=RSA Data Security Inc, OU=Secure Server Certification Authority | same as the subject (self-signed) | Jan 7 23:59:59 2010 GMT
Buttons: Select All, Delete. Upload Trusted Certificate: Trusted Certificate File, Upload.
A CA whose Expiry Time has passed (the second entry is expired relative to the January 2010 date of this manual) can no longer anchor a valid chain and should be deleted from the table.
(Managing Users, Authentication, and Certificates, page 9-19)
The Trusted Certificates (CA Certificates) table lists the digital certificates of CAs and contains the following fields:
• CA Identity (Subject Name):
93. …by the IP address of the UTM; for example, ping 192.168.1.1.
3. Click OK. A message similar to the following should display:
Pinging <IP address> with 32 bytes of data
If the path is working, you will see this message:
Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
If the path is not working, you will see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections: make sure that the LAN port LED is on. If the LED is off, follow the instructions in LAN or WAN Port LEDs Not On on page 12-3. Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and UTM.
• Wrong network configuration: verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. Verify that the IP addresses for your UTM and your workstation are correct and that the addresses are on the same subnet.
(Troubleshooting and Using Online Support, page 12-7)
Testing the Path from Your PC to a Remote Device
After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows Run menu, type ping -n 10 <IP address>, where <IP address> is the IP ad
94. …following settings:
• Account Name: the valid account name for the PPPoE connection.
• Domain Name: the name of your ISP's domain, or your domain name if your ISP has assigned one. You may leave this field blank.
• Idle Timeout: select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
Internet IP Address: click the Current IP Address link to see the currently assigned IP address.
• Get Dynamically from ISP: if your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the UTM using the DHCP network protocol.
• Use Static IP Address: if your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button and enter the following settings:
  – IP Address: the static IP address assigned to you. This address identifies the UTM to your ISP.
  – Subnet Mask: the subnet mask is usually provided by your ISP.
  – Gateway IP Address: the IP address of the ISP's gateway is usually provided by your ISP.
Domain Name Server (DNS) Servers
• Get Automatically from ISP: if your ISP has not assigned any Domain
95. …for a security certificate:
• The security certificate was issued by a company you have not chosen to trust.
• The date of the security certificate is invalid.
• The name on the security certificate is invalid or does not match the name of the site.
(Managing Users, Authentication, and Certificates, page 9-20)
When a security alert is generated, the user can decide whether or not to trust the host. Rather than teaching users to click through the alert, install a certificate that a CA their browsers already trust has issued for the name they use to reach the UTM, as described in the next section, so that the alert does not appear at all.
[Figure 9-12: browser Security Alert dialog. "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate." The dialog lists the three checks: the certificate was issued by a company you have not chosen to trust (view the certificate to determine whether you want to trust the certifying authority); the certificate date is valid; the name on the certificate is invalid or does not match the name of the site. It asks "Do you want to proceed?" with Yes, No, and View Certificate buttons.]
Generating a CSR and Obtaining a Self Certificate from a CA
To use a self certificate, you must first request the digital certificate from a CA and then download and activate the digital certificate on the UTM. To request a self certificate from a CA, you must generate a Certificate Signing Request (CSR) for and on the UTM. The CSR is a file that contains information about your company and about the device that holds the certificate. R
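The three browser checks above, as an added Python example (not a browser's or the UTM's code). It operates on an already-parsed certificate represented as a dict, so it assumes the X.509 parsing was done elsewhere; the certificates, the corporate CA name, the host names and the dates are constructed, modelled loosely on the factory entry shown on the Certificates screen.

```python
from datetime import datetime, timezone
from typing import Dict, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Name comparison allowing one leftmost wildcard label only: *.example.com matches
    www.example.com but not example.com, a.b.example.com, or anything under a bare *.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def certificate_alerts(cert: Dict, hostname: str, trusted_issuers: List[str], now: datetime) -> List[str]:
    """Reproduce the browser's three checks on a parsed certificate (dict shape is this example's)."""
    alerts = []
    if cert["issuer"] not in trusted_issuers:
        alerts.append("issuer not trusted")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        alerts.append("date invalid")
    # Subject Alternative Names take precedence over the subject CN when any are present.
    names = cert.get("san") or [cert["subject_cn"]]
    if not any(hostname_matches(n, hostname) for n in names):
        alerts.append("name mismatch")
    return alerts


UTC = timezone.utc

# Constructed certificates (values simplified); FACTORY_CA mirrors the self-signed factory CA entry.
FACTORY_CA = "C=US, ST=California, O=NETGEAR Inc, OU=Netgear ProSecure, CN=NetGear"
FACTORY_CERT = {
    "issuer": FACTORY_CA, "subject_cn": "NetGear", "san": [],
    "not_before": datetime(2010, 1, 1, tzinfo=UTC), "not_after": datetime(2037, 1, 1, tzinfo=UTC),
}
CORP_CA = "C=US, O=Example Corp, CN=Example Internal CA"          # assumed corporate CA
ISSUED_CERT = {
    "issuer": CORP_CA, "subject_cn": "utm.example.com", "san": ["utm.example.com", "*.vpn.example.com"],
    "not_before": datetime(2010, 1, 1, tzinfo=UTC), "not_after": datetime(2012, 1, 1, tzinfo=UTC),
}


def demo():
    early_2010 = datetime(2010, 2, 1, tzinfo=UTC)
    return {
        # factory certificate, reached by IP address, corporate trust store empty
        "factory_by_ip": certificate_alerts(FACTORY_CERT, "192.168.1.1", [], early_2010),
        "issued_ok": certificate_alerts(ISSUED_CERT, "utm.example.com", [CORP_CA], early_2010),
        "issued_wildcard": certificate_alerts(ISSUED_CERT, "gw1.vpn.example.com", [CORP_CA], early_2010),
        "issued_deep_wildcard": certificate_alerts(ISSUED_CERT, "a.b.vpn.example.com", [CORP_CA], early_2010),
        "issued_expired": certificate_alerts(ISSUED_CERT, "utm.example.com", [CORP_CA],
                                             datetime(2013, 1, 1, tzinfo=UTC)),
        "ca_not_imported": certificate_alerts(ISSUED_CERT, "utm.example.com", [], early_2010),
    }
```

The factory certificate trips two of the three checks at once (unknown issuer and a CN that cannot match an IP address), and importing the corporate CA removes the issuer alert only on the machines where it is imported.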
96. …for secure connections. Some services, particularly HTTPS, cease to respond when a client's source IP address changes shortly after a session has been established.
To configure the dual WAN ports for load balancing mode with optional protocol binding:
1. Select Network Config > WAN Settings from the menu, then click the WAN Mode tab. The WAN Mode screen displays (see Figure 3-8 on page 3-12).
2. Select the Load Balancing radio button. Optional: next to the Load Balancing radio button, click the view protocol bindings button. The WAN Protocol Bindings screen displays (see Figure 3-9 on page 3-15). The Web Management Interface path to this screen is Network Config > Protocol Bindings.
(Manually Configuring Internet and WAN Settings, page 3-14)
[Figure 3-9: WAN Protocol Bindings screen (submenu tabs: WAN Settings, Dynamic DNS, WAN Metering, LAN Settings, DMZ Setup, Routing, Email Notification; "Operation succeeded"). WAN1 Protocol Bindings and WAN2 Protocol Bindings tables with columns Service, Source Network, Destination Network, Action; the example row binds service ANY from ANY to ANY and has an Edit button. Note on the screen: "Protocol Binding is used when Load Balancing option is selected in WAN Mode." Buttons: Select All, Delete, Enable, Disable. Add Protocol Binding: Service; Source Network (Any, or Start Address and End Address); Destination Network (Any, or Start Address and End Address); Add.]
Figure 3-9 shows one example in the Protoc
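Why HTTPS needs a protocol binding in load-balancing mode, as an added Python example (not NETGEAR's balancing algorithm). It assumes that a new connection takes the first enabled binding whose service, source address range and destination address range match it, and that unbound connections simply alternate between WAN1 and WAN2; the client and server addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import cycle
from typing import List, Optional, Tuple

AddrRange = Optional[Tuple[str, str]]     # None means Any, else (Start Address, End Address)


@dataclass
class Binding:
    service: str          # "ANY" or a service name such as "HTTPS"
    source: AddrRange     # Source Network
    destination: AddrRange  # Destination Network
    wan: str              # "WAN1" or "WAN2", i.e. which table the binding sits in
    enabled: bool = True

    @staticmethod
    def _in_range(ip: str, rng: AddrRange) -> bool:
        return rng is None or IPv4Address(rng[0]) <= IPv4Address(ip) <= IPv4Address(rng[1])

    def matches(self, service: str, src: str, dst: str) -> bool:
        return (self.enabled and self.service in ("ANY", service)
                and self._in_range(src, self.source) and self._in_range(dst, self.destination))


class LoadBalancer:
    """Assumed behaviour: a new connection goes out the WAN port of the first matching binding;
    connections no binding covers alternate between the ports (round-robin is an assumption)."""

    def __init__(self, bindings: List[Binding], wans=("WAN1", "WAN2")):
        self.bindings = bindings
        self._next = cycle(wans)

    def select(self, service: str, src: str, dst: str) -> Tuple[str, Optional[Binding]]:
        for b in self.bindings:
            if b.matches(service, src, dst):
                return b.wan, b
        return next(self._next), None


def exit_ports(balancer: LoadBalancer, connections) -> List[str]:
    """The WAN port, and therefore the public source address the server sees, per connection."""
    return [balancer.select(*c)[0] for c in connections]


def demo():
    # Constructed: a browser at 192.168.10.5 opening three TLS connections to the same HTTPS server.
    session = [("HTTPS", "192.168.10.5", "203.0.113.80")] * 3
    unbound = exit_ports(LoadBalancer([]), session)
    bound = exit_ports(LoadBalancer([Binding("HTTPS", None, None, "WAN1")]), session)
    # A binding limited to one LAN range does not catch a host outside it.
    narrow = LoadBalancer([Binding("HTTPS", ("192.168.20.1", "192.168.20.254"), None, "WAN2")])
    narrow_ports = exit_ports(narrow, session + [("HTTPS", "192.168.20.7", "203.0.113.80")])
    return {
        "unbound_consistent": len(set(unbound)) == 1,   # False: the server sees two source addresses
        "bound": bound,
        "narrow": narrow_ports,
    }
```

Without a binding the three connections of one browsing session leave through different WAN ports, so the HTTPS server sees the client's address change mid-session; an HTTPS binding to WAN1 keeps every connection on one port, at the cost of not balancing that service.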
97. from an SSL VPN tunnel in several ways:
- Port forwarding supports only TCP connections, not UDP connections or connections using other IP protocols.
- Port forwarding detects and reroutes individual data streams on the user's PC to the port forwarding connection rather than opening up a full tunnel to the corporate network.
- Port forwarding offers more fine-grained management than an SSL VPN tunnel. You define individual applications and resources that are available to remote users.
The SSL VPN portal can present the remote user with one or both of these SSL service levels, depending on how you set up the configuration.
Using the SSL VPN Wizard for Client Configurations
The SSL VPN Wizard facilitates the configuration of the SSL VPN client connections by taking you through six screens, the last of which allows you to save the SSL VPN policy. To edit policies or to manually configure policies, see Manually Configuring and Editing SSL Connections on page 8-17.
To start the SSL VPN Wizard:
1. Select Wizards from the main navigation menu. The Welcome to the Netgear Configuration Wizard screen displays.
[Figure 8-1: Welcome to the Netgear Configuration Wizard screen, with the Setup Wizard, IPSec VPN Wizard, and SSL VPN Wizard radio buttons.]
2. Select the SSL VPN Wizard radio button.
3. Click Next. The first SSL VPN Wizard screen displays.
98. inactive route is not advertised if RIP is enabled.
Private: If you want to limit access to the LAN only, select the Private checkbox. Doing so prevents the static route from being advertised in RIP.
Destination IP Address: The destination IP address of the host or network to which the route leads.
IP Subnet Mask: The IP subnet mask of the host or network to which the route leads. If the destination is a single host, enter 255.255.255.255.
Interface: From the pull-down menu, select the interface through which the route is accessible: a physical network interface (WAN1, WAN2, LAN, or DMZ for the dual WAN port models; WAN, LAN, or DMZ for the single WAN port models) or a virtual interface (VLAN profile).
Gateway IP Address: The gateway IP address through which the destination host or network can be reached.
Metric: The priority of the route. Select a value between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is used.
4. Click Apply to save your settings. The new static route is added to the Static Route table.
To edit a static route that is in the Static Route table:
1. Select its entry from the table and click the Edit table button in the Action column. The Edit Static Route screen displays. This screen is identical to the Add Static Route screen that is described above, with the exception that you cannot change the name of the static route.
2. Enter
99. it to your needs and to protect the network from unwanted port scans that could compromise the network security. The IPS is disabled by default.
To enable intrusion prevention and configure port scan detection:
1. Select Network Security > IPS from the menu. The IPS submenu tabs appear with the Global IPS screen in view.
[Figure 5-30: Global IPS screen, with the IPS ON/OFF radio buttons, the Detect Port Scans radio buttons (OFF, ALERT, Block Source IP), and the "for ... Seconds" field.]
2. To enable the IPS, select the ON radio button. The default setting is OFF.
3. Configure port scan detection by selecting one of the following radio buttons:
- OFF: Port scan detection is disabled. This is the default setting.
- ALERT: When a port is scanned, an alert is e-mailed to the administrator that is specified in the Email Notification screen.
- Block Source IP: When a port is scanned, the IP address of the PC or device that scans the port is blocked for the duration that you specify in the Seconds field. The default setting is 300 seconds.
4. Click Apply to save your settings.
Automatic blocking reacts to whatever source address appears in the scan packets. An attacker who scans with a spoofed source address can therefore get a legitimate host, such as a partner's VPN gateway or your own monitoring server, blocked for the configured period; if you use Block Source IP, keep the duration short and watch the IPS log for blocks of addresses you rely on.
Note: Traffic that passes on the UTM's VLANs and on the secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configuring Multi-Home LAN IPs on the Default VLAN on page 4-11) is also scanned by the IPS.
When you enable the IPS, the defau
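The detection and blocking logic described above, as an added example rather than the UTM's own implementation. The manual says neither how many ports constitute a scan nor over what window, so the threshold of distinct destination ports per source and the sliding window are assumptions; the 300-second block duration and the three modes come from the screen.

```python
from collections import defaultdict, deque


class PortScanDetector:
    """Per-source distinct-port counter implementing OFF, ALERT, and Block Source IP."""

    def __init__(self, mode="ALERT", threshold=10, window_s=10.0, block_s=300):
        if mode not in ("OFF", "ALERT", "BLOCK"):
            raise ValueError("mode must be OFF, ALERT, or BLOCK")
        self.mode, self.threshold = mode, threshold
        self.window_s, self.block_s = window_s, block_s
        self.events = defaultdict(deque)   # src -> deque of (time, dst_port)
        self.blocked_until = {}            # src -> time at which the block expires
        self.alerts = []                   # (time, src) for each detected scan

    def observe(self, src, dst_port, now):
        """Feed one connection attempt; returns ok, alert, block_start, or blocked."""
        if self.mode == "OFF":
            return "ok"
        expiry = self.blocked_until.get(src)
        if expiry is not None:
            if now < expiry:
                return "blocked"           # packets from a blocked source are dropped
            del self.blocked_until[src]    # block has expired
        q = self.events[src]
        q.append((now, dst_port))
        while q and now - q[0][0] > self.window_s:
            q.popleft()                    # forget attempts outside the window
        if len({port for _, port in q}) < self.threshold:
            return "ok"
        q.clear()                          # scan detected: start counting afresh
        self.alerts.append((now, src))
        if self.mode == "BLOCK":
            self.blocked_until[src] = now + self.block_s
            return "block_start"
        return "alert"


if __name__ == "__main__":
    det = PortScanDetector(mode="BLOCK")
    # Constructed sequence: one host sweeps ports 1..12 within a second
    for port in range(1, 13):
        print(port, det.observe("203.0.113.9", port, port / 10))
```

Repeated hits on one port do not count as a scan here, which keeps a busy legitimate client below the threshold; a scan that crawls slower than the window will also be missed, which is the usual trade-off for this kind of detector.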
100. manually add a static route between a VLAN and a secondary IP address.
Configuring Static Routes
To add a static route to the Static Route table:
1. Select Network Config > Routing from the menu. The Routing screen displays.
[Figure 4-9: Routing screen, with the RIP Configuration link and the Static Routes table (columns: Name, Destination, Gateway, Interface, Metric, Active, Private, Action) and the Select All, Delete, and Add buttons.]
2. Click the Add table button under the Static Routes table. The Add Static Route screen displays.
[Figure 4-10: Add Static Route screen, with the Route Name, Active, Private, Destination IP Address, IP Subnet Mask, Interface, Gateway IP Address, and Metric fields.]
3. Enter the settings as explained in Table 4-4.
Table 4-4: Static Route Settings
Route Name: The route name for the static route, for purposes of identification and management.
Active: To make the static route effective, select the Active checkbox. Note: A route can be added to the table and made inactive if not needed. This allows routes to be used as needed without deleting and re-adding the entry. An
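A working model of the Static Route table from Table 4-4 (the settings continued in the "inactive route is not advertised" fragment above as well as this one), as an added example that is not NETGEAR's code. It enforces the 2 to 15 metric range, resolves the 255.255.255.255 host-route case, picks the lowest metric among routes to the same destination, and derives which routes RIP would advertise (active and not Private). Longest-prefix matching before the metric comparison is standard IP forwarding behaviour and is an assumption here; the manual only states the metric rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    name: str
    destination: str      # host or network address
    mask: str             # dotted subnet mask; 255.255.255.255 for a single host
    interface: str        # WAN1, WAN2, LAN, DMZ, or a VLAN profile
    gateway: str
    metric: int           # 2..15; the lowest wins among routes to the same destination
    active: bool = True
    private: bool = False

    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.mask}", strict=False)


def validate_route(route):
    """Reject what the Add Static Route screen would reject; returns the network."""
    if not 2 <= route.metric <= 15:
        raise ValueError(f"{route.name}: metric must be between 2 and 15")
    ipaddress.ip_address(route.gateway)   # raises on a malformed gateway
    return route.network()


def lookup(routes, dst):
    """Longest-prefix match over active routes; the lowest metric breaks ties."""
    addr = ipaddress.ip_address(dst)
    best_key, best = None, None
    for r in routes:
        if not r.active:
            continue
        net = r.network()
        if addr in net:
            key = (net.prefixlen, -r.metric)   # longer prefix first, then lower metric
            if best_key is None or key > best_key:
                best_key, best = key, r
    return best


def rip_advertised(routes):
    """Routes RIP would announce: active and not marked Private."""
    return [r for r in routes if r.active and not r.private]


# Constructed routing table using the manual's interface names
SAMPLE_ROUTES = [
    StaticRoute("branch-net", "192.168.50.0", "255.255.255.0", "LAN", "192.168.1.254", 5),
    StaticRoute("branch-host", "192.168.50.7", "255.255.255.255", "DMZ", "192.168.10.254", 10),
    StaticRoute("branch-backup", "192.168.50.0", "255.255.255.0", "WAN1", "10.1.0.1", 12),
    StaticRoute("branch-off", "192.168.50.0", "255.255.255.0", "WAN2", "10.2.0.1", 2, active=False),
    StaticRoute("mgmt-private", "10.9.0.0", "255.255.0.0", "LAN", "192.168.1.253", 3, private=True),
]

if __name__ == "__main__":
    for r in SAMPLE_ROUTES:
        validate_route(r)
    print(lookup(SAMPLE_ROUTES, "192.168.50.7").name, lookup(SAMPLE_ROUTES, "192.168.50.8").name)
    print([r.name for r in rip_advertised(SAMPLE_ROUTES)])
```

The Private flag matters beyond tidiness: a route advertised in RIP tells every RIP listener on the segment how to reach that destination, so routes toward management or backup networks should normally be Private.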
101. minutes in the Idle Timeout field. For a group that is associated with a domain that uses the LDAP authentication method, configure the LDAP attributes in fields 1 through 4 as needed.
4. Click Apply to save your changes. The modified group is displayed in the List of Groups table.
Configuring User Accounts
When you create a user account, you must assign the user to a user group. When you create a group, you must assign the group to a domain that specifies the authentication method. Therefore, you should first create any domains, then groups, then user accounts.
You can create different types of user accounts by applying pre-defined user types:
- Administrator: A user who has full access and the capacity to change the UTM configuration (that is, read/write access).
- SSL VPN User: A user who can only log in to the SSL VPN portal.
- IPSEC VPN User: A user who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configuring Extended Authentication (XAUTH) on page 7-38).
- Guest user: A user who can only view the UTM configuration (that is, read-only access).
To create an individual user account:
1. Select Users > Users from the menu. The Users screen displays. Figure 9-5 shows the UTM's default users, admin and g
102. names to be more descriptive, such as GlobalMarketing and GlobalSales.
To edit the names of any of the eight available groups:
1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view.
2. Click the LAN Groups submenu tab. The LAN Groups screen displays (see Figure 4-5 on page 4-14, which shows some examples in the Known PCs and Devices table).
3. Click the Edit Group Names option arrow at the right of the LAN submenu tabs. The Network Database Group Names screen displays. Figure 4-7 shows some examples.
[Figure 4-7: Network Database Group Names screen, listing the eight group names (for example, GlobalMarketing) with a radio button and an editable name field for each.]
4. Select the radio button next to any group name to enable editing.
5. Type a new name in the field. The maximum number of characters is 15; spaces and double quotes are not allowed.
6. Repeat step 4 and step 5 for any other group names.
7. Click Apply to save your settings.
Setting Up Address Reservation
When you specify a reserved IP address for a PC or device on the LAN based on the MAC address of the device, that PC or device always receives the same IP address each time it accesses the UTM's DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP address settings. A reservation ties an address to a MAC address that the device itself presents, so it is an addressing convenience, not a guarantee of which machine is behind that address. The reserved IP address that you select must be out
103. of the following stages that are explained in detail in the sections below:
1. Querying the available firmware versions.
2. Selecting a firmware version to download directly to the UTM (that is, not first to a computer and then to the UTM).
3. Installing the downloaded firmware version.
4. Rebooting the UTM with the new firmware version.
Viewing the Available Firmware Versions
To view the current version of the firmware that your UTM is running and the other available firmware versions:
1. Select Administration > System Update from the menu. The System Update submenu tabs appear with the Signatures & Engine screen in view.
2. Click the Firmware submenu tab. The Firmware screen displays.
[Figure 10-6: Firmware screen. The Firmware Download table lists the available firmware versions (in the example, 1.0.0-14, 1.0.0-15, and 1.0.0-17) with a Last Downloaded date and a Download Status of N/A for each, and a Continue Downloading button. The Firmware Reboot section lists the active firmware (version 1.0.0-17, status ok) and the secondary firmware (version N/A, status corrupted), with an Activation column.]
The Firmware Reboot section shows the following information fields for both the active and secondary (that is, non-active) firmware:
- Type: Active or secondary firmware.
- Version: The firmware version.
- Status: The status of the firmware (ok
104. on page 5-39, which shows one profile in the List of Bandwidth Profiles table as an example.
[Figure 5-23: Bandwidth Profile screen (tabs: Bandwidth Profile, Schedule 1, Schedule 2, Schedule 3). The Bandwidth Profiles section has the Enable Bandwidth Profiles Yes/No setting. The List of Bandwidth Profiles table (columns: Name, Bandwidth Range (kbps), Direction, Action) shows one example profile, BusinessLevel1, with a range of 7500 to 25000 kbps for Outbound Traffic and an Edit button; below it is the Packets Dropped due to Bandwidth Limit counter (0 in the example) and the Select All, Delete, and Add buttons.]
The screen displays the List of Bandwidth Profiles table with the user-defined profiles.
3. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays.
[Figure 5-24: Add Bandwidth Profile screen, with the Profile Name, Minimum Bandwidth (Kbps), Maximum Bandwidth (100 to 100000 Kbps), Type, Maximum Number of Instances, and Direction fields.]
4. Enter the settings as explained in Table 5-8 on page 5-40.
Table 5-8: Bandwidth Profile Settings
Profile Name: A descriptive name of the bandwidth profile for identification and management purposes.
Mini
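What the Maximum Bandwidth setting and the Packets Dropped due to Bandwidth Limit counter mean in practice, shown with a token-bucket limiter. This is an added example, not the UTM's shaping code: the bucket depth (100 ms of traffic) is an assumption, and the Minimum Bandwidth guarantee and the per-instance Type are not modelled. The 100 to 100000 Kbps range and the 25000 Kbps figure come from the screen.

```python
class BandwidthProfile:
    """Token-bucket enforcement of a profile's Maximum Bandwidth, with the
    'Packets Dropped due to Bandwidth Limit' counter the screen displays."""

    def __init__(self, name, max_kbps, direction="Outbound", burst_ms=100):
        if not 100 <= max_kbps <= 100000:
            raise ValueError("Maximum Bandwidth must be between 100 and 100000 Kbps")
        self.name, self.direction = name, direction
        self.rate = max_kbps * 1000 / 8               # bytes per second
        self.capacity = self.rate * burst_ms / 1000   # bytes the bucket can hold (assumed depth)
        self.tokens = self.capacity
        self.last = None
        self.dropped = 0

    def admit(self, size_bytes, now):
        """True if the packet fits the configured rate at time `now` (seconds)."""
        if self.last is None:
            self.last = now
        # refill for the time elapsed, never beyond the bucket depth
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        self.dropped += 1
        return False


def run_burst(profile, packets, size_bytes, now):
    """Offer `packets` back-to-back packets at one instant; returns (admitted, dropped)."""
    admitted = sum(1 for _ in range(packets) if profile.admit(size_bytes, now))
    return admitted, packets - admitted


if __name__ == "__main__":
    # Constructed traffic: 209 full-size Ethernet frames arriving at once
    p = BandwidthProfile("BusinessLevel1", 25000)
    print(run_burst(p, 209, 1500, 0.0), "dropped so far:", p.dropped)
    print("one second later:", p.admit(1500, 1.0))
```

A rising drop counter on a profile that bounds a server's inbound or outbound traffic is worth correlating with the logs: it is as often a sign of a flood or a mis-sized limit as of genuine demand.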
105. on your WAN links. For more information about bandwidth profiles, see Creating Bandwidth Profiles on page 5-38.
Monitoring Tools for Traffic Management
The UTM includes several tools that can be used to monitor the traffic conditions of the firewall and content filtering engine and to monitor the users' access to the Internet and the types of traffic that they are allowed to have. See Monitoring System Access and Performance on page 11-1 for a description of these tools.
System Management
System management tasks are described in the following sections:
- Changing Passwords and Administrator Settings (on this page)
- Configuring Remote Management Access on page 10-12
- Using an SNMP Manager on page 10-14
- Managing the Configuration File on page 10-15
- Updating the Firmware on page 10-18
- Updating the Scan Signatures and Scan Engine Firmware on page 10-21
- Configuring Date and Time Service on page 10-24
Changing Passwords and Administrator Settings
The default administrator and default guest passwords for the Web Management Interface are both "password". NETGEAR recommends that you change these passwords to more secure passwords. You can also configure a separate password for the guest account. Change both before the UTM is reachable from the WAN or by untrusted LAN users: the default credentials are printed in this manual, and the guest account, although read-only, exposes the full configuration to whoever logs in with it.
To modify the administrator user account set
106. only from Defined Browsers.
[Figure 9-9: Login Policies screen, Defined Browsers section. The Defined Browsers Status radio buttons (Deny Login from Defined Browsers, Allow Login only from Defined Browsers), the Defined Browsers table (Client Browsers; Netscape Navigator in the example) with the Select All and Delete buttons, and the Add Defined Browser section with a Client Browser pull-down menu (Internet Explorer in the example) and an Add button.]
4. In the Defined Browsers Status section of the screen, select one of the following radio buttons:
- Deny Login from Defined Browsers: Deny logging in from the browsers in the Defined Browsers table.
- Allow Login only from Defined Browsers: Allow logging in from the browsers in the Defined Browsers table.
5. Click Apply to save your settings.
6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the pull-down menu:
- Internet Explorer
- Opera
- Netscape Navigator
- Firefox (Mozilla Firefox)
- Mozilla (other Mozilla browsers)
7. Click the Add table button. The browser is added to the Defined Browsers table.
8. Repeat step 6 and step 7 for any other browsers that you want to add to the Defined Browsers table.
The browser is identified from the User-Agent header that the client chooses to send, which any client can set to any value. Treat this policy as a way to steer users toward supported browsers, not as an access control: it does not keep out a client that claims to be an allowed browser.
To delete one or more browsers:
1. In the Defined Browsers table, select the checkbox to the left of the browser that you want to delete, or click the Select All table button to select all browsers.
2. Click the Delete table button.
Changing Passwords and Other User Settings
For any user, you can change th
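The browser policy above, reduced to the decision a portal would make per login request. This is an added example, not the UTM's code; the User-Agent patterns that map a request to the five browser families on the screen are assumptions (the manual does not say how the UTM classifies browsers), and the sample User-Agent strings are constructed.

```python
import re

# Order matters: Opera and IE embed "Mozilla", and Firefox/Netscape embed "Gecko".
BROWSER_PATTERNS = [
    ("Opera", re.compile(r"\bOpera\b")),
    ("Internet Explorer", re.compile(r"\bMSIE\b")),
    ("Firefox", re.compile(r"\bFirefox/")),
    ("Netscape Navigator", re.compile(r"\bNetscape\d*/")),
    ("Mozilla", re.compile(r"^Mozilla/")),   # other Mozilla-family browsers
]


def classify_browser(user_agent):
    """Map a User-Agent header to one of the screen's browser names, or Unknown."""
    for name, pattern in BROWSER_PATTERNS:
        if pattern.search(user_agent):
            return name
    return "Unknown"


def login_allowed(user_agent, defined_browsers, mode):
    """mode is 'deny' (Deny Login from Defined Browsers) or
    'allow_only' (Allow Login only from Defined Browsers)."""
    browser = classify_browser(user_agent)
    if mode == "deny":
        return browser not in defined_browsers
    if mode == "allow_only":
        return browser in defined_browsers
    raise ValueError("mode must be 'deny' or 'allow_only'")


# Constructed sample headers
UA_IE = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
UA_OPERA = "Opera/9.80 (Windows NT 6.1) Presto/2.2.15 Version/10.00"
UA_FIREFOX = "Mozilla/5.0 (X11; U; Linux i686; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1"
UA_NETSCAPE = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Netscape/8.1.3"
UA_SCRIPT = "curl/7.19.7"

if __name__ == "__main__":
    for ua in (UA_IE, UA_OPERA, UA_FIREFOX, UA_NETSCAPE, UA_SCRIPT):
        print(classify_browser(ua), "allow_only IE ->", login_allowed(ua, {"Internet Explorer"}, "allow_only"))
```

Note what the last sample shows: a script that sends the IE User-Agent string instead of its own passes the allow-only check, which is why the policy is hygiene rather than authentication.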
107. out Error Occurs on page 12-4.
- I cannot access the Internet or the LAN. Go to Troubleshooting the ISP Connection on page 12-5.
- I have problems with the LAN connection. Go to Troubleshooting a TCP/IP Network Using a Ping Utility on page 12-7.
- I want to clear the configuration and start over again. Go to Restoring the Default Configuration and Password on page 12-9.
- The date or time is not correct. Go to Problems with Date and Time on page 12-10.
- I need help from NETGEAR. Go to Using Online Support on page 12-10.
Note: The UTM's diagnostic tools are explained in Using Diagnostics Utilities on page 11-43.
Basic Functioning
After you turn on power to the UTM, the following sequence of events should occur:
1. When power is first applied, verify that the PWR LED is on.
2. After approximately two minutes, verify that:
   a. The Test LED is no longer lit.
   b. The LAN port Left LEDs are lit for any local ports that are connected.
   c. The WAN port Left LEDs are lit for any WAN ports that are connected.
If a port's Left LED is lit, a link has been established to the connected device. If a port is connected to a 1000 Mbps device, verify that the port's Right LED is green. If the port functions at 100 Mbps, the Right LED is amber. If the port functions at 10 Mbps, the Right LED is off.
108. page 5-22. In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
[Figure 5-12: Add LAN WAN Inbound Service screen. In the example, Action is "BLOCK by schedule, otherwise allow"; Select Schedule is Schedule 1; Send to LAN Server holds the address of the internal server; Translate to Port Number is blank; WAN Destination IP Address is WAN1; LAN Users is Any; WAN Users is Address Range with a Start and Finish address; Log is Never; Bandwidth Profile is NONE.]
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping
In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the UTM to host an additional public IP address and associate this address with a Web server on the LAN.
The following addressing scheme is used to illustrate this procedure:
- Netgear UTM: WAN1 IP address (dual WAN port models) or WAN IP address (single WAN port models) 10.1.0.118; LAN IP address 192.168.1.1, subnet 255.255.255.0; DMZ IP address 192.168.10.1, subnet 255.255.255.0.
- Web server PC on the UTM's LAN: LAN IP address 192.168.1.2; DMZ IP address 192.168.10.2. Access to the Web server is simulated with the public IP address 10.1.0.52.
109. physical segment or segments connect all end node devices. End nodes can communicate with each other without the need for a router. Routers connect LANs together, routing the traffic to the appropriate port.
A virtual LAN (VLAN) is a local area network with a definition that maps workstations on some basis other than geographic location (for example, by department, type of user, or primary application). To enable traffic to flow between VLANs, traffic must go through a router, just as if the VLANs were on two separate LANs.
A VLAN is a group of PCs, servers, and other network resources that behave as if they were connected to a single network segment, even though they might not be. For example, all marketing personnel might be spread throughout a building. Yet if they are all assigned to a single VLAN, they can share resources and bandwidth as if they were connected to the same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, depending on how the IT manager has set up the VLANs.
VLANs have a number of advantages:
- It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group's traffic is contained largely within the VLAN, reduc
110. port number, IM/P2P category, and reason for the action.
Recommended Action: None.
Routing Logs
This section explains the logging messages for each network segment (such as LAN to WAN) for debugging purposes. These logs might generate a significant volume of messages.
LAN to WAN Logs
This section describes logs that are generated when the UTM processes LAN to WAN traffic.
Table C-26: Routing Logs: LAN to WAN
Message: Nov 29 09:19:43 UTM kernel LAN2WAN ACCEPT IN LAN OUT WAN SRC 192.168.10.10 DST 72.14.207.99 PROTO ICMP TYPE 8 CODE 0
Explanation: This packet from the LAN to the WAN has been allowed by the firewall. For other settings, see Table C-1.
Recommended Action: None.
LAN to DMZ Logs
This section describes logs that are generated when the UTM processes LAN to DMZ traffic.
Table C-27: Routing Logs: LAN to DMZ
Message: Nov 29 09:44:06 UTM kernel LAN2DMZ ACCEPT IN LAN OUT DMZ SRC 192.168.10.10 DST 192.168.20.10 PROTO ICMP TYPE 8 CODE 0
Explanation: This packet from the LAN to the DMZ has been allowed by the firewall. For other settings, see Table C-1.
Recommended Action: None.
DMZ to WAN Logs
This section describes logs that are generated when the UTM processes DMZ to WAN traffic.
Table C-28: Routing Logs: DMZ to WAN
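A parser for the routing log messages in Tables C-26 through C-28, written as an added example rather than anything shipped with the UTM. Because the extraction has stripped the punctuation from the printed messages, the parser accepts the fields both as netfilter-style KEY=VALUE tokens and as KEY VALUE pairs; the sample lines are constructed from the tables' messages and the exact punctuation the appliance emits is an assumption. The summary it builds (accept/drop counts per segment) is what you would feed a dashboard or alert on, for instance a burst of DMZ2LAN DROP lines from one DMZ host.

```python
import re
from collections import Counter

SEGMENT_RE = re.compile(r"\b(?P<seg>(?:LAN|WAN|DMZ)2(?:LAN|WAN|DMZ))\b\W*(?P<action>ACCEPT|DROP)\b")
FIELD_RE = re.compile(r"\b(?P<key>IN|OUT|SRC|DST|PROTO|TYPE|CODE|SPT|DPT)[= ]\s*(?P<val>\S+)")
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)")


def parse_routing_log(line):
    """Return a dict with segment, action, timestamp and the KEY fields, or None if
    the line is not a routing log message."""
    seg = SEGMENT_RE.search(line)
    if not seg:
        return None
    rec = {"segment": seg.group("seg"), "action": seg.group("action")}
    ts = TS_RE.match(line)
    rec["timestamp"] = ts.group("ts") if ts else None
    for f in FIELD_RE.finditer(line):
        rec[f.group("key").lower()] = f.group("val")
    return rec


def summarize(lines):
    """Count (segment, action) pairs over a batch of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_routing_log(line)
        if rec:
            counts[(rec["segment"], rec["action"])] += 1
    return counts


def drops_by_source(lines):
    """Source addresses whose packets were dropped, with counts: a quick way to
    spot one DMZ host probing the LAN."""
    counts = Counter()
    for line in lines:
        rec = parse_routing_log(line)
        if rec and rec["action"] == "DROP" and "src" in rec:
            counts[rec["src"]] += 1
    return counts


# Constructed sample log, based on the messages in Tables C-26 to C-30
SAMPLE_LINES = [
    "Nov 29 09:19:43 UTM kernel: LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0",
    "Nov 29 09:19:43 UTM kernel: DMZ2WAN[DROP] IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0",
    "Nov 29 09:44:06 UTM kernel DMZ2LAN DROP IN DMZ OUT LAN SRC 192.168.20.10 DST 192.168.10.10 PROTO ICMP TYPE 8 CODE 0",
    "Nov 29 09:44:07 UTM kernel DMZ2LAN DROP IN DMZ OUT LAN SRC 192.168.20.10 DST 192.168.10.11 PROTO TCP SPT 40000 DPT 445",
    "Nov 29 10:00:00 UTM something unrelated",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    print(drops_by_source(SAMPLE_LINES))
```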
111. public access to them. The fourth LAN port on the UTM (the rightmost LAN port) can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. For information on how to enable the DMZ port, see Configuring and Enabling the DMZ Port on page 4-18. For the procedures on how to configure DMZ traffic rules, see Setting DMZ WAN Rules on page 5-15.
Configuring Exposed Hosts
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. Because an exposed host receives every unsolicited inbound packet that no other rule claims, harden it as if it were connected directly to the Internet, and prefer a specific inbound rule per service where you can. For an example of how to set up an exposed host, see LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host on page 5-25.
Configuring VPN Tunnels
The UTM supports up to 25 site-to-site IPsec VPN tunnels and up to 13 dedicated SSL VPN tunnels. Each tunnel requires extensive processing for encryption and authentication, thereby increasing traffic through the WAN ports. For information about IPsec VPN tunnels, see Chapter 7, Virtual Private Networking Using IPsec Connections. For information about SSL VPN tunnels, see Chapter 8, Virtual Private Networking Using SSL Connections.
Using QoS and Bandwidth Assignment to Shift the Traffic Mix
By s
112. request from the remote endpoint.
Exchange Mode: From the pull-down menu, select the exchange mode between the UTM and the remote VPN endpoint:
- Main: This mode is slower than the Aggressive mode but more secure.
- Aggressive: This mode is faster than the Main mode but less secure.
Note: If you specify either a FQDN or a User FQDN name as the local ID and/or remote ID (see the sections below), the aggressive mode is automatically selected.
The reason aggressive mode is less secure matters when you choose a pre-shared key: in aggressive mode the identities and the authentication hash are exchanged before the channel is encrypted, so anyone who captures the exchange can test pre-shared keys against that hash offline. If an endpoint's dynamic address forces you into FQDN identifiers and therefore aggressive mode, use a long random pre-shared key or certificate authentication.
Table 7-10: Add IKE Policy Settings (continued)
Local
Select Local Gateway (dual WAN port models only): For the dual WAN port models only, select a radio button to specify the WAN1 or WAN2 interface.
Identifier Type: From the pull-down menu, select one of the following ISAKMP identifiers to be used by the UTM, and then specify the identifier in the field below:
- Local WAN IP: The WAN IP address of the UTM. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
- FQDN: The Internet address (fully qualified domain name) for the UTM.
- User FQDN: The e-mail address for a local VPN client or the UTM.
- DER ASN1 DN: A distinguished name (DN) that identifies the UTM in the DER encoding and ASN.1 format.
Identifier: Depending on th
113. rule is now added to the Inbound Services table.
Setting LAN DMZ Rules
The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to allow all traffic between the local LAN and the DMZ network. You can then apply firewall rules to block specific types of traffic from either going out from the LAN to the DMZ (outbound) or coming in from the DMZ to the LAN (inbound).
There is no pull-down menu that lets you set the default outbound policy, as there is on the LAN WAN Rules screen. You can change the default outbound policy by blocking all outbound traffic and then enabling only specific services to pass through the UTM. You do so by adding outbound services rules (see LAN DMZ Outbound Services Rules on page 5-20).
Because both defaults are allow-all, a compromised DMZ server can reach the LAN freely until you add inbound rules. A DMZ that is meant to isolate public-facing servers needs an explicit rule that blocks all DMZ to LAN traffic, followed by allow rules for only the services the LAN must accept from it.
To access the LAN DMZ Rules screen:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear.
2. Click the LAN DMZ Rules submenu tab. The LAN DMZ Rules screen displays.
[Figure: LAN DMZ Rules screen (submenu tabs: LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit, Advanced; the Network Security menu also offers IPS, Firewall Objects, Address Filter, and Port Triggering). The Outbound Services table has the columns Service Name, Filter, LAN Users, DMZ Users, Log, and Action; the Inbound Services table has the columns Service Name, Filter, DMZ Users, LAN Users, Log, and Action. Each table has Select All, Delete, Enable, Disable, and Add buttons.]
114. select all rules.
2. Click one of the following table buttons:
- Enable: Enables the rule or rules. The status icon changes from a grey circle to a green circle, indicating that the rule is (or rules are) enabled. By default, when a rule is added to the table, it is automatically enabled.
- Disable: Disables the rule or rules. The status icon changes from a green circle to a grey circle, indicating that the rule is (or rules are) disabled.
- Delete: Deletes the rule or rules.
LAN WAN Outbound Services Rules
You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule may block or allow traffic between an internal IP (LAN) address and any external (WAN) IP address according to the schedule created in the Schedule menu. You can also tailor these rules to your specific needs (see Administrator Tips on page 5-2).
Note: This feature is for advanced administrators only. Incorrect configuration might cause serious problems.
To create a new outbound LAN WAN service rule:
1. In the LAN WAN Rules screen, click the Add table button under the Outbound Services table. The Add LAN WAN Outbound Service screen displays.
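One rule evaluator that covers the three rule passages above: the inbound one-to-one NAT and scheduled CU-SeeMe examples (the Add LAN WAN Inbound Service screen and the 10.1.0.52 to 192.168.1.2 mapping), the LAN DMZ allow-all defaults, and the outbound service rules. It is an added example and not the UTM's firewall code; first-match ordering, the service names, the constructed address ranges and the "BLOCK by schedule, otherwise allow" semantics (block while the schedule is active) are assumptions made to illustrate how a packet is matched, translated and logged.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Rule:
    name: str
    service: str                     # "ANY" or a service name such as "HTTP" or "CU-SeeMe"
    action: str                      # "ALLOW", "BLOCK", or "BLOCK_BY_SCHEDULE"
    src: str = "ANY"                 # "ANY" or an inclusive "first-last" address range
    dst: str = "ANY"
    schedule: Optional[Callable[[float], bool]] = None   # True while the schedule is active
    send_to: Optional[str] = None    # inbound rules: internal server that receives the traffic
    translate_port: Optional[int] = None
    enabled: bool = True


def in_range(ip, spec):
    if spec == "ANY":
        return True
    first, last = (ipaddress.ip_address(x.strip()) for x in spec.split("-"))
    return first <= ipaddress.ip_address(ip) <= last


def evaluate(rules, default_action, pkt, now=0.0):
    """First enabled matching rule decides; otherwise the default policy applies.
    Returns the packet with verdict, matching rule name and any NAT rewrite."""
    for r in rules:
        if not r.enabled or (r.service != "ANY" and r.service != pkt["service"]):
            continue
        if not (in_range(pkt["src"], r.src) and in_range(pkt["dst"], r.dst)):
            continue
        if r.action == "BLOCK_BY_SCHEDULE":
            verdict = "BLOCK" if (r.schedule is not None and r.schedule(now)) else "ALLOW"
        else:
            verdict = r.action
        out = dict(pkt, verdict=verdict, rule=r.name)
        if verdict == "ALLOW" and r.send_to:       # destination NAT for inbound rules
            out["dst"] = r.send_to
            if r.translate_port:
                out["dport"] = r.translate_port
        return out
    return dict(pkt, verdict=default_action, rule="default")


# Constructed rule sets using the manual's addressing scheme
INBOUND_RULES = [
    # One-to-one NAT: public 10.1.0.52 is served by the LAN Web server 192.168.1.2
    Rule("web-1to1", "HTTP", "ALLOW", dst="10.1.0.52-10.1.0.52", send_to="192.168.1.2"),
    # CU-SeeMe only from one external range, blocked while Schedule 1 is active
    Rule("cuseeme", "CU-SeeMe", "BLOCK_BY_SCHEDULE", src="198.51.100.0-198.51.100.255",
         schedule=lambda t: t >= 100.0, send_to="192.168.1.9"),
]
LAN_DMZ_RULES = [
    # The LAN DMZ default is allow-all; this blocks telnet from the DMZ into the LAN
    Rule("no-telnet-from-dmz", "TELNET", "BLOCK", src="192.168.10.1-192.168.10.254"),
]

if __name__ == "__main__":
    print(evaluate(INBOUND_RULES, "BLOCK", {"service": "HTTP", "src": "203.0.113.7", "dst": "10.1.0.52", "dport": 80}))
    print(evaluate(LAN_DMZ_RULES, "ALLOW", {"service": "TELNET", "src": "192.168.10.2", "dst": "192.168.1.5", "dport": 23}))
```

The inbound default policy of BLOCK is what makes the LAN WAN side safe by construction; the LAN DMZ side starts from ALLOW, which is why the explicit block rule in the second set is needed.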
115. services that are scanned for malware threats.
- Actions that are taken when infected Web files or objects are detected.
- The maximum file sizes that are scanned.
- Web objects that are blocked.
- Web categories, keywords, and file types that are filtered to block objectionable or high-risk content.
- Domains and URLs that are blocked for objectionable or high-risk content.
- Customer notifications and e-mail alerts that are sent when events are detected.
- Schedules that determine when content filtering is active.
Customizing Web Protocol Scan Settings and Services
You can specify the Web protocols (HTTP, HTTPS, and FTP) that are scanned for malware threats and the instant messaging and peer-to-peer applications that are allowed or blocked. Scanning all protocols enhances network security but might affect the performance of the UTM. For an optimum balance between security and performance, only enable scanning of the most commonly used protocols on your network. For example, you can scan FTP and HTTP but not HTTPS if this last protocol is not often used. Whatever you leave unscanned is a blind spot: a download over HTTPS is not inspected at all if HTTPS scanning is off, so weigh that against the performance gain. For more information about performance, see Performance Management on page 10-1.
To configure the Web protocols, ports, and applications to scan:
1. Select Application Security > Services from the menu. The Services screen displays (see Table 6-7 on page 6-20).
Note: For information about e-mail protocols and ports, see Customizing E-mail Protocol Scan Settin
116. show examples for the dual WAN port models, each with its own table that explains the fields. For the dual WAN port models, the System Status screen shows information for both the WAN1 and WAN2 ports. For the single WAN port models, the System Status screen shows information for the single W
AN port.
[Figure 11-10: System Status screen (1 of 3). The Status section shows the System CPU, Memory, and Disk usage gauges and the Services table (SMTP, POP3, IMAP, HTTP, HTTPS, FTP) with each service's ON/OFF state and its number of active connections; in the example all services are ON except HTTPS. The System Information section shows the System up Time (1 day, 00 hours, 21 minutes), the Firmware Information for the active and secondary firmware (versions 1.0.2-0 and 1.0.0-32 in the example), the Scan engine and Pattern file components with their Current Version and Last Update dates, the Firewall version, the License Expiration Date for Email Protection, Web Protection, and Maintenance (2009-12-10 in the example), and the Hardware Serial Number (23X1993N0001D in the example).]
Table 11-9 explains the fields of the Status and System Information sections of the System Status screen.
Table 11-9: System Status: Status and System Information
Setting: Description (or Subfield and Description)
Status
System: The curre
117. system date and time: settings using the Setup Wizard 2-14; settings 10-24
system logs: log messages C-2; logs 11-8, 11-33, 11-34; reports 11-39; status 11-20; updating 10-20
T
table buttons, Web Management Interface 2-6
tabs, submenu, Web Management Interface 2-5
TCP flood, blocking 5-28
TCP time-out 5-31
TCP/IP network: troubleshooting 12-7; settings 2-9
technical specifications A-2
Test LED 12-2
testing: connectivity 2-26; HTTP scanning 2-26
time: daylight savings, troubleshooting 12-10; settings 2-15, 10-24; troubleshooting 12-10
time-out error, troubleshooting 12-4
time-out, sessions 5-3
tips, firewall and content filtering 5-2
ToS 1-6, 5-6, 5-9, 5-35, 5-37
tracert, using with DDNS 10-13
tracing a route (traceroute) 11-45
traffic: action when reaching limit 4; diagnostic tools 11-43, 11-46; inbound, dual WAN port models, planning B-6; increasing 10-5; logs 11-8, 11-32, 11-34; management 10-1; meter or counter 3-24, 11-1; real-time diagnostics 11-46; reducing 10-2; total scanned in MB 11-19; total in bytes 11-17; volume by protocol 11-4
traps, SNMP 10-15
trial period, service licenses 2-27
troubleshooting: basic functioning 12-2; browsers 12-4; configuration settings, using sniffer 12-4; date and time 12-10; defaults 12-4; ISP connection 12-5; LEDs 12-2, 12-3; NTP 12-10; remote management 10-3; remotely 12-0; testing you
118. table button and follow the instructions of your browser.
Add Host: Type or copy a trusted host in the Add Host field. Then click the Add table button to add the host to the Host field.
Import from File: To import a list with trusted hosts into the Host field, click the Browse button and navigate to a file in .txt format that contains line-delimited hosts (that is, one host per line). Then click the Upload table button to add the hosts to the Host field.
Note: Any existing hosts in the Host field are overwritten when you import a list of hosts from a file.
4. Click Apply to save your settings.
Configuring FTP Scans
Some malware threats are specifically developed to spread through the FTP protocol. By default, the UTM scans FTP traffic, but you can specify how the UTM scans FTP traffic and which action is taken when a malware threat is detected.
Note: The UTM does not scan password-protected FTP files. Such files therefore pass through unscanned; if that is not acceptable for your network, block the archive extensions that can carry password protection or strip protection at the receiving host before the content is used.
To configure the FTP scan settings:
1. Select Application Security > FTP from the menu. The FTP screen displays.
[Figure: FTP screen (Application Security > Services > FTP). The Scan Exception section reads "If the file or message is larger than [ ] KB (Maximum 10240 KB)", with an Action pull-down menu (Delete file in the example). The Block Files with the Following Extensions section has an Enable checkbox and a list of extensions (exe, msi, com, bat, vbx in the example).]
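The decisions the FTP scan settings above produce for a transferred file, as an added example rather than the UTM's scanner. The extension list, the 10240 KB ceiling and the Delete file action come from the screen; the order in which the checks are applied and the sample filenames are assumptions for the illustration. The example also makes the two gaps explicit: a password-protected file is passed without scanning, and an extension filter looks only at the final suffix.

```python
import os

# Extension list as shown on the screen (constructed default for this example)
BLOCKED_EXTENSIONS = {"exe", "msi", "com", "bat", "vbx"}
MAX_SCAN_KB = 10240


def final_extension(filename):
    """Lower-cased final suffix of the file name, ignoring any directory part."""
    name = os.path.basename(filename.replace("\\", "/"))
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def ftp_scan_decision(filename, size_kb, password_protected,
                      blocked_exts=BLOCKED_EXTENSIONS, max_kb=MAX_SCAN_KB,
                      oversize_action="delete"):
    """Return what happens to the file: blocked_extension, passed_unscanned,
    oversize_<action>, or scanned."""
    if final_extension(filename) in blocked_exts:
        return "blocked_extension"          # extension filter fires before any scanning
    if password_protected:
        return "passed_unscanned"           # the UTM does not scan password-protected FTP files
    if size_kb > max_kb:
        return f"oversize_{oversize_action}"
    return "scanned"


# Constructed sample transfers: (file name, size in KB, password protected?)
SAMPLE_TRANSFERS = [
    ("setup.EXE", 512, False),
    ("report.pdf.exe", 300, False),
    ("payload.exe.txt", 300, False),
    ("archive.zip", 2048, True),
    ("disk.iso", 20000, False),
    ("notes.txt", 5, False),
]

if __name__ == "__main__":
    for name, size, protected in SAMPLE_TRANSFERS:
        print(name, "->", ftp_scan_decision(name, size, protected))
```

The third and fourth sample files are the ones to think about: a renamed executable passes the extension filter and relies entirely on the malware scan, and a password-protected archive gets no scan at all.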
119. table displays the secondary LAN IP addresses added to the UTM.
3. In the Add WAN1 Secondary Addresses section (dual WAN port models) or the Add WAN Secondary Addresses section (single WAN port models) of the screen, enter the following settings:
- IP Address: Enter the secondary address that you want to assign to the WAN1 port (dual WAN port models) or to the single WAN port (single WAN port models).
- Subnet Mask: Enter the subnet mask for the secondary IP address.
4. Click the Add table button in the rightmost column to add the secondary IP address to the List of Secondary WAN addresses table.
5. Repeat step 3 and step 4 for each secondary IP address that you want to add to the List of Secondary WAN addresses table.
Configuring Dynamic DNS
Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, or Oray.net. Links to DynDNS, TZO, and Oray are provided for your convenience as submenu tabs of the Dynamic DNS configuration menu.
The UTM firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. If your network
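The client-side logic behind "notifies dynamic DNS servers of changes in the WAN IP address", as an added example that is not the UTM's firmware. It sends an update only when the WAN address actually changes and stops retrying on responses that indicate a configuration error, which is what providers require of well-behaved clients. The update URL and the response codes follow the DynDNS v2 update protocol as the author recalls it and should be treated as assumptions; the network call is injected so the example runs offline against a fake server.

```python
from urllib.parse import urlencode

DYNDNS_UPDATE_URL = "https://members.dyndns.org/nic/update"   # assumed DynDNS v2 endpoint

# Assumed DynDNS v2 return codes and whether the client may keep updating afterwards
RETURN_CODES = {
    "good": "update accepted",
    "nochg": "address already current",
    "badauth": "bad user name or password",
    "notfqdn": "host name is not a fully qualified domain name",
    "nohost": "host name does not exist in this account",
    "abuse": "host blocked for abuse (too many identical updates)",
    "911": "provider-side problem, retry later",
}
FATAL_CODES = {"badauth", "notfqdn", "nohost", "abuse"}


def build_update_url(hostname, wan_ip):
    """Query string the client sends (credentials travel in HTTP basic auth, not here)."""
    return DYNDNS_UPDATE_URL + "?" + urlencode({"hostname": hostname, "myip": wan_ip})


class DdnsUpdater:
    """Tracks the last address reported to the provider and decides when to update."""

    def __init__(self, hostname, send):
        self.hostname = hostname
        self.send = send              # callable(hostname, wan_ip) -> provider response text
        self.last_reported = None
        self.disabled = False
        self.history = []             # (wan_ip, code) for every update attempt

    def on_wan_ip(self, wan_ip):
        """Call whenever the WAN address is (re)learned; returns what was done."""
        if self.disabled:
            return "disabled"
        if wan_ip == self.last_reported:
            return "unchanged"        # no request: repeating identical updates triggers 'abuse'
        code = self.send(self.hostname, wan_ip).split()[0]
        self.history.append((wan_ip, code))
        if code in ("good", "nochg"):
            self.last_reported = wan_ip
            return "updated"
        if code in FATAL_CODES:
            self.disabled = True      # configuration error: retrying cannot help
        return "failed:" + code


def fake_good_server(hostname, wan_ip):
    """Constructed stand-in for the provider that accepts every update."""
    return "good " + wan_ip


if __name__ == "__main__":
    u = DdnsUpdater("utm.example.com", fake_good_server)
    for ip in ("203.0.113.10", "203.0.113.10", "203.0.113.11"):
        print(ip, u.on_wan_ip(ip))
    print(build_update_url("utm.example.com", "203.0.113.11"))
```

Because the update carries the account credentials, it should only ever go over HTTPS; a DDNS password sent in the clear on the WAN lets anyone who captures it point your VPN endpoints' FQDN at a host of their choosing.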
120. the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. By default, this feature is disabled; all traffic received from PCs with any MAC address is allowed. See Enabling Source MAC Filtering on page 5-42 for the procedure on how to use this feature. A MAC address is set by the device that sends the frame and can be changed by whoever controls that device, so source MAC filtering keeps a known misbehaving PC off the network; it does not keep out someone who deliberately impersonates another PC.
Features That Increase Traffic
The following features of the UTM tend to increase the traffic load on the WAN side:
- LAN WAN inbound rules (also referred to as port forwarding)
- DMZ WAN inbound rules (also referred to as port forwarding)
- Port triggering
- Enabling the DMZ port
- Configuring exposed hosts
- Configuring VPN tunnels
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)
The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for inbound traffic from the WAN to the LAN and from the WAN to the DMZ. If you have not defined any rules, only the default rule is listed. The default rule blocks all access from outside except responses to requests from the LAN side. Any inbound rule that you create allows additional incoming traffic and therefore increases the traffic load on the WAN side.
Warning: This feature is for advanced administrators only. Incorrect configuration might cause serious problems.
Each rule lets you specify the desired action for th
121. ... the current IP address, clear the UTM's configuration to factory defaults. This sets the UTM's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 12-9.

Tip: If you do not want to revert to the factory default settings and lose your configuration settings, you can reboot the UTM and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the UTM's LAN interface address.

• Make sure that you are using the SSL https:// address login rather than the http:// address login.
• Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded.
• Try quitting the browser and launching it again.
• Make sure that you are using the correct login information. The factory default login name is admin and the password is password. Make sure that Caps Lock is off when entering this information. Change the default password after your first login: the default credentials are publicly documented and are the first thing an attacker on the LAN will try.

If the UTM does not save changes you have made in the Web Configuration Interface, check the following:
• When entering configuration settings, be sure to click the Apply button before moving to another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes might have occurred, but the Web browser might be caching the old configuration.

When You Enter a URL or IP Address, a Time-out
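The tip above says to look at ARP packets during the reboot. The following script is an added example, not part of the manual: it decodes raw Ethernet/ARP frames (the kind a sniffer hands you) and lists every IPv4 address each MAC address claims as ARP sender. The UTM announces its LAN address by ARP while booting, so if you know the UTM's MAC address (for example from its product label) its entry gives you the interface address you could not reach. The capture is constructed inline with placeholder MAC addresses (02:00:00:00:00:xx) and the address 192.168.50.1; these are assumptions for the demonstration, not values from the manual.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_HEADER = struct.Struct("!HHBBH")   # htype, ptype, hlen, plen, opcode


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Decode one Ethernet frame; return (sender_mac, sender_ip, target_ip, opcode)
    for an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 14 + ARP_HEADER.size + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = ARP_HEADER.unpack_from(frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = 14 + ARP_HEADER.size                  # start of sender hardware address
    sender_mac = frame[body:body + 6]
    sender_ip = frame[body + 6:body + 10]
    target_ip = frame[body + 16:body + 20]       # skip the 6-byte target MAC
    return mac_str(sender_mac), ip_str(sender_ip), ip_str(target_ip), opcode


def arp_senders(frames):
    """Map each MAC seen as an ARP sender to the sorted IPv4 addresses it claimed.
    A booting UTM announces its LAN address this way, so its MAC's entry is the
    interface address you are looking for."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            mac, ip, _, _ = parsed
            seen[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}


def build_arp_frame(sender_mac, sender_ip, target_ip, opcode):
    """Assemble a raw ARP frame; used only to construct the sample capture below."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    eth = b"\xff" * 6 + smac + struct.pack("!H", ETHERTYPE_ARP)
    return eth + ARP_HEADER.pack(1, 0x0800, 6, 4, opcode) + smac + spa + bytes(6) + tpa


# Constructed capture (assumed placeholder addresses): the UTM announces
# 192.168.50.1 during boot, a PC probes for it, the UTM answers, and one
# non-ARP IPv4 frame is mixed in to show that it is ignored.
UTM_MAC = "02:00:00:00:00:01"
SAMPLE_FRAMES = [
    build_arp_frame(UTM_MAC, "192.168.50.1", "192.168.50.1", 1),
    build_arp_frame("02:00:00:00:00:02", "192.168.50.23", "192.168.50.1", 1),
    build_arp_frame(UTM_MAC, "192.168.50.1", "192.168.50.23", 2),
    b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", 0x0800) + bytes(40),
]

if __name__ == "__main__":
    for mac, ips in arp_senders(SAMPLE_FRAMES).items():
        print(mac, ips)
```

With a real capture, feed the raw frames from your sniffer's export into `arp_senders()` and read off the entry for the UTM's MAC address; any MAC that claims more than one address is worth a second look.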
122. ... the policy to all traffic.
  Service: From the pull-down menu, select the service to which the SSL VPN policy is applied:
    • VPN Tunnel: The policy is applied only to a VPN tunnel.
    • Port Forwarding: The policy is applied only to port forwarding.
    • All: The policy is applied both to a VPN tunnel and to port forwarding.
  Permission: From the pull-down menu, select whether the policy permits (PERMIT) or denies (DENY) access.

Table 8-10. Add Policy Settings (continued)

Apply Policy For (continued)
  IP Network:
    Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
    IP Address: The network IP address to which the SSL VPN policy is applied.
    Subnet Mask: The network subnet mask to which the SSL VPN policy is applied.
    Port Range / Port Number: A port (enter it in the Begin field) or a range of ports (enter them in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
    Service: From the pull-down menu, select the service to which the SSL VPN policy is applied:
123. ... the spam, and action that is taken.
Recommended Action: None

Message: 2009-02-28 23:59:59 SMTP 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com Blocked by customized blacklist 0 Heuristic Block
Explanation: Logs that are generated when spam messages are blocked by Distributed Spam Analysis. The message shows the date and time, protocol, client IP address, server IP address, sender, recipient, subject line, mechanism that detected the spam, and action that is taken.
Recommended Action: None

Traffic Logs

This section describes logs that are generated when the UTM processes Web and e-mail traffic.

Table C-20. Content Filtering and Security Logs: Traffic
Message: 2009-02-28 23:59:59 HTTP 99 192.168.1.2 192.168.33.8 xlzimap@test.com xlzpop3@test.com MALWARE INFECTED Fw: cleanvirus
Explanation: Web and e-mail traffic logs for HTTP, SMTP, POP3, IMAP, HTTPS, and FTP traffic. In this example message, a malware threat was cleaned from the traffic. The message shows the date and time, protocol, size of the Web file or e-mail, client IP address, server IP address, sender, recipient, and Web URL or e-mail subject line.
Recommended Action: None

Virus Logs

This section describes logs that are generated when the UTM detects viruses.

Table C-21
124. Table 2-4. Setup Wizard Step 4: Services Settings

Email
  SMTP: SMTP scanning is enabled by default on standard service port 25.
  POP3: POP3 scanning is enabled by default on standard service port 110.
  IMAP: IMAP scanning is enabled by default on standard service port 143.
  To disable any of these services, deselect the corresponding checkbox. You can change the standard service port or add another port in the corresponding Ports to Scan field.
Web
  HTTP: HTTP scanning is enabled by default on standard service port 80. To disable HTTP scanning, deselect the corresponding checkbox. You can change the standard service port or add another port in the corresponding Ports to Scan field.
  HTTPS: HTTPS scanning is disabled by default. To enable HTTPS scanning, select the corresponding checkbox. You can change the standard service port (port 443) or add another port in the corresponding Ports to Scan field.
  FTP: FTP scanning is enabled by default on standard service port 21. To disable FTP scanning, deselect the corresponding checkbox. You can change the standard service port or add another port in the corresponding Ports to Scan field.
Instant Messaging (Google Talk, Jabber, Yahoo Messenger, mIRC, MSN Messenger) and Peer to Peer (P2P)
  Scanning of these instant messaging services is disabled by default. To enable
125. Table 7-15. Add Mode Config Record Settings (continued)

WINS Server: If there is a WINS server on the local network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.
DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.

Traffic Tunnel Security Level
Note: Generally, the default settings work well for a Mode Config configuration.
  PFS Key Group: Select this checkbox to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the pull-down menu. The DH group sets the strength of the key exchange in bits; the higher the group, the more secure the exchange. From the pull-down menu, select one of the following three strengths:
    • Group 1 (768 bit)
    • Group 2 (1024 bit). This is the default setting.
    • Group 5 (1536 bit)
  Note that 768-bit and 1024-bit MODP groups are considered too weak by current standards; select Group 5 whenever the remote clients support it.
  SA Lifetime: The lifetime of the Security Association (SA) is the period, or the amount of transmitted data, after which the SA becomes invalid and must be renegotiated. From the pull-down menu, select how the SA lifetime is specified:
    • Seconds: In the SA
126. Table C-21. Content Filtering and Security Logs: Virus
Message: 2008-02-29 23:59:00 POP3 OF97/Jerk Delete cleanvirus.zip 192.168.1.2 192.168.35.166 xlzimap@test.com xlzimap@test.com MALWARE INFECTED Fw: cleanvirus
Explanation: Virus logs for all services. The message shows the date and time, protocol, virus name, action that is taken, file name, client IP address, server IP address, sender, recipient, and Web URL or e-mail subject line.
Recommended Action: None

E-mail Filter Logs

This section describes logs that are generated when the UTM filters e-mail content.

Table C-22. Content Filtering and Security Logs: E-mail Filter
Message: 2009-04-31 23:59:59 SMTP 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com test Keyword test BlockMail
Explanation: Logs that are generated when e-mails are blocked because of a keyword violation in the subject line. The message shows the date and time, protocol, client IP address, server IP address, sender, recipient, e-mail subject line, reason for the action, details, and action that is taken.
Recommended Action: None

IPS Logs

This section describes logs that are generated when traffic matches IPS rules.

Table C-23. Content Filtering and Security Logs: IPS
Message: 2008-12-31 23:59:37 drop TCP 192.168.1.2 3496 ...
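The spam and traffic log tables above and the virus and e-mail filter tables here all share a common shape: a timestamp, the protocol, then client and server IP addresses, sender and recipient addresses, and free text describing the detection and action. The script below is an added example, not part of the manual or of the UTM firmware: it parses lines of that shape by anchoring on recognisable tokens (the timestamp, IPv4 addresses, e-mail addresses) rather than on fixed columns, because the appendix does not show the exact field delimiters. The sample lines are constructed to match the appendix examples, the category markers ("MALWARE INFECTED", "BlockMail", "Heuristic Block") are taken from those examples, and the parser also validates the calendar date, which flags the appendix's own illustrative line dated 2009-04-31.

```python
import re
from datetime import date

TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}) (\S+)(.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Marker text -> category, taken from the example messages in Tables C-19 to C-22.
CATEGORY_MARKERS = (
    ("MALWARE INFECTED", "malware"),
    ("BlockMail", "email_filter"),
    ("Heuristic Block", "spam"),
    ("Blocked by", "spam"),
)

# Constructed sample lines modelled on the appendix examples (delimiters assumed).
SAMPLE_LINES = [
    "2009-02-28 23:59:59 SMTP 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com Blocked by customized blacklist 0 Heuristic Block",
    "2009-02-28 23:59:59 HTTP 99 192.168.1.2 192.168.33.8 xlzimap@test.com xlzpop3@test.com MALWARE INFECTED Fw: cleanvirus",
    "2008-02-29 23:59:00 POP3 OF97/Jerk Delete cleanvirus.zip 192.168.1.2 192.168.35.166 xlzimap@test.com xlzimap@test.com MALWARE INFECTED Fw: cleanvirus",
    "2009-04-31 23:59:59 SMTP 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com test Keyword test BlockMail",
]


def parse_line(line):
    """Return a dict of fields for one content-filtering log line, or None."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    y, mo, d, hh, mm, ss, proto, rest = m.groups()
    try:
        date(int(y), int(mo), int(d))
        valid_date = True
    except ValueError:            # e.g. 2009-04-31: April has 30 days
        valid_date = False
    rest = rest.strip()
    tokens = rest.split()
    # Traffic logs carry the size of the Web file or e-mail right after the protocol.
    size = int(tokens[0]) if tokens and tokens[0].isdigit() else None
    ips = IP_RE.findall(rest)
    mail_matches = list(MAIL_RE.finditer(rest))
    mails = [x.group(0) for x in mail_matches]
    # Everything after the recipient address is subject / detail / action text.
    detail = rest[mail_matches[1].end():].strip() if len(mail_matches) >= 2 else ""
    category = "other"
    for marker, cat in CATEGORY_MARKERS:
        if marker in rest:
            category = cat
            break
    return {
        "timestamp": f"{y}-{mo}-{d} {hh}:{mm}:{ss}",
        "valid_date": valid_date,
        "protocol": proto,
        "size": size,
        "client": ips[0] if ips else None,
        "server": ips[1] if len(ips) > 1 else None,
        "sender": mails[0] if mails else None,
        "recipient": mails[1] if len(mails) > 1 else None,
        "category": category,
        "detail": detail,
    }


def summarize(lines):
    """Count records per category and list timestamps with impossible dates."""
    counts, bad_dates = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["category"]] = counts.get(rec["category"], 0) + 1
        if not rec["valid_date"]:
            bad_dates.append(rec["timestamp"])
    return counts, bad_dates


if __name__ == "__main__":
    for rec in map(parse_line, SAMPLE_LINES):
        print(rec["timestamp"], rec["protocol"], rec["category"], rec["client"], "->", rec["server"], rec["detail"])
    print(summarize(SAMPLE_LINES))
```

Point the script at a syslog export from the UTM (one message per line) to get per-category counts; because the UTM's own field order is only described, not specified with delimiters, check a handful of real lines against the parsed fields before trusting the counts.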
128. [Figure 5-27: IP/MAC Bindings screen. The table has the columns Name, MAC Address, IP Address, and Log Dropped Packets, with two example entries (Sales at 192.168.1.15 and Est at 192.168.1.20, both with Log Dropped Packets set to No) and Select All, Delete, and Add buttons, followed by an Add IP/MAC Binding row.]

3. Enter the settings as explained in Table 5-9.

Table 5-9. IP/MAC Binding Settings

Email IP/MAC Violations
  Do you want to enable E-mail Logs for IP/MAC Binding Violation? Select one of the following radio buttons:
    • Yes: IP/MAC binding violations are e-mailed.
    • No: IP/MAC binding violations are not e-mailed.
  Note: Click the Firewall Logs & E-mail page hyperlink to ensure that e-mailing of logs is enabled on the Email and Syslog screen (see "Configuring Logging, Alerts, and Event Notifications" on page 11-5).
IP/MAC Bindings
  Name: A descriptive name of the binding for identification and management purposes.
  MAC Address: The MAC address of the PC or device that is bound to the IP address.

Table 5-9. IP/MAC Binding Settings (continued)

  IP Address: The IP address of the PC or device that is bound to the MAC address.
  Log Dropped Packets: To log the dropped packets, select Enable from the pull-down menu. The default setting is Disable.
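The source MAC filtering feature described earlier and the IP/MAC binding table described here are both checks on the source addresses of LAN packets. The code below is an added example, not the UTM's implementation: it models the two checks in sequence over a constructed batch of packets. The binding names and IP addresses mirror the two rows shown on the screen; the MAC addresses are placeholders, the Est entry has Log Dropped Packets enabled here so that both logging outcomes appear, and the enforcement rule (any MAC or IP that appears in the binding table may be used only as the bound pair, while unbound hosts pass) is an assumption about how the feature behaves, not a statement from the manual.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str


@dataclass(frozen=True)
class Binding:
    name: str
    mac: str
    ip: str
    log_dropped: bool = False   # "Log Dropped Packets" is Disable by default


# Constructed tables (assumed placeholder MAC addresses).
BINDINGS = [
    Binding("Sales", "02:00:00:00:00:a1", "192.168.1.15"),
    Binding("Est", "02:00:00:00:00:a2", "192.168.1.20", log_dropped=True),
]
MAC_BLOCKLIST = {"02:00:00:00:00:99"}   # source MAC filter list (feature off by default)


def inspect(pkt, bindings=BINDINGS, blocklist=MAC_BLOCKLIST, mac_filter_enabled=False):
    """Return (verdict, reason, log_it) for one LAN packet.

    Stage 1, source MAC filtering: if enabled, frames from a listed MAC are
    dropped outright (the manual does not say whether these drops are logged,
    so none are recorded here). Stage 2, IP/MAC binding, with the assumed rule
    that a bound MAC or bound IP must appear only as its bound pair."""
    mac = pkt.src_mac.lower()
    if mac_filter_enabled and mac in blocklist:
        return "DROP", "source MAC filter", False
    for b in bindings:
        bound_mac = b.mac.lower()
        if mac == bound_mac and pkt.src_ip != b.ip:
            return "DROP", f"{b.name}: MAC {b.mac} is bound to {b.ip}, not {pkt.src_ip}", b.log_dropped
        if pkt.src_ip == b.ip and mac != bound_mac:
            return "DROP", f"{b.name}: IP {b.ip} is bound to {b.mac}, not {pkt.src_mac}", b.log_dropped
    return "ACCEPT", "", False


def run(packets, **kw):
    """Apply inspect() to a batch; collect the violation log lines that a
    binding with Log Dropped Packets enabled would produce (and e-mail,
    if e-mailing of IP/MAC violations is switched on)."""
    verdicts, log = [], []
    for pkt in packets:
        verdict, reason, log_it = inspect(pkt, **kw)
        verdicts.append(verdict)
        if verdict == "DROP" and log_it:
            log.append(f"IP/MAC violation src={pkt.src_ip} mac={pkt.src_mac} ({reason})")
    return verdicts, log


SAMPLE_PACKETS = [
    Packet("02:00:00:00:00:a1", "192.168.1.15"),   # Sales, correct pair
    Packet("02:00:00:00:00:a1", "192.168.1.16"),   # Sales MAC with a different IP
    Packet("02:00:00:00:00:b7", "192.168.1.20"),   # another host using Est's IP
    Packet("02:00:00:00:00:c3", "192.168.1.77"),   # unbound host
    Packet("02:00:00:00:00:99", "192.168.1.88"),   # on the source MAC filter list
]

if __name__ == "__main__":
    print(run(SAMPLE_PACKETS, mac_filter_enabled=True))
```

Note the second sample packet: the Sales binding drops it but, with Log Dropped Packets left at its default of Disable, nothing is written. If you want visibility of spoofing attempts against a binding, enable logging on that row and e-mailing of violations in the section above.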
129. LAN to DMZ Logs ... C-16
DMZ to WAN Logs ... C-16
WAN to LAN Logs ... C-17
DMZ to LAN Logs ... C-17
WAN to DMZ Logs ... C-17

Appendix D Two-Factor Authentication
  Why Do I Need Two-Factor Authentication? ... D-1
  What Are the Benefits of Two-Factor Authentication? ... D-1
  What Is Two-Factor Authentication? ... D-2
  NETGEAR Two-Factor Authentication Solutions ... D-2

Appendix E Related Documents

Index

About This Manual

The NETGEAR ProSecure Unified Threat Management UTM Appliance Reference Manual describes how to install, configure, and troubleshoot a ProSecure Unified Threat Management UTM Appliance. The information in this manual is intended for readers with intermediate computer and networking skills.

Conventions, Formats, and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs:
130. [Figure 7-19: IKE log display. The racoon IKE daemon's debug output, timestamped 2009 Jun 29 23:24:32, shows grab_myaddrs listing the interfaces, autoconf_myaddrsport reporting that NAT-T is enabled and autoconfiguring ports with 4 addresses configured successfully, isakmp_open binding 192.168.1.1 and 127.0.0.1 on port 500 (used as the isakmp port) and port 4500 (used for NAT-T), check_sigreq catching signal 15, pfkey_dump_sadb, and the messages "IKE stopped" and "IKE started".]

Managing IPsec VPN Policies

After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in s
131. Verifying Proper Installation

Test the UTM before deploying it in a live production environment. The following instructions walk you through a couple of quick tests that are designed to ensure that your UTM is functioning correctly.

Testing Connectivity

Verify that network traffic can pass through the UTM:
• Ping an Internet URL.
• Ping the IP address of a device on either side of the UTM.

Testing HTTP Scanning

If client computers have direct access to the Internet through your LAN, try to download the eicar.com test file from http://www.eicar.org/download/eicar.com. The eicar.com test file is a legitimate DOS program and is safe to use because it is not a malware threat and does not include any fragments of malware code. The test file is provided by EICAR, an organization that unites efforts against computer crime, fraud, and misuse of computers or networks. Download the file over plain http://, as above: HTTPS scanning is disabled by default, so a download over https:// would not be scanned unless you have enabled HTTPS scanning.

Verify that the UTM properly scans HTTP traffic:
1. Log in to the UTM Web Management Interface, and then verify that HTTP scanning is enabled. For information about how to enable HTTP scanning, see "Customizing Web Protocol Scan Settings and Services" on page 6-19 and "Configuring Web Malware Scans" on page 6-21.
2. Check the downloaded eicar.com test file and note the attached malware information file.

Registering the UTM with NETGEAR

To receive threat management c
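The EICAR test file has a precise definition: the 68-byte signature must be the first thing in the file, it may be followed only by whitespace (space, tab, CR, LF, Ctrl-Z), and the whole file may be at most 128 bytes. The code below is an added example, not part of the manual or of the UTM: it checks a byte string against that definition, builds the test file in memory the way a download of eicar.com delivers it, stands in for a scanning gateway that replaces a detected test file with a notice, and interprets what the client received. The signature is written as two literals so that this source file does not itself start with the signature. The notice text and the function names are assumptions for the demonstration.

```python
# The 68-byte EICAR test string, split across two literals so that this source
# file does not begin with the signature (the specification only requires a
# scanner to detect the string at offset 0).
EICAR_SIGNATURE = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
)
EICAR_MAX_LENGTH = 128
EICAR_TRAILER_BYTES = b" \t\r\n\x1a"   # the only bytes allowed after the signature


def is_eicar_test_file(data):
    """True if data is a valid EICAR test file: signature at offset 0, optionally
    followed by allowed whitespace, total length at most 128 bytes."""
    if not data.startswith(EICAR_SIGNATURE) or len(data) > EICAR_MAX_LENGTH:
        return False
    return all(b in EICAR_TRAILER_BYTES for b in data[len(EICAR_SIGNATURE):])


def make_eicar_test_file(trailer=b"\r\n"):
    """Build the test file in memory, as a download of eicar.com returns it."""
    return EICAR_SIGNATURE + trailer


def scan_http_download(body):
    """Stand-in for an HTTP malware scan (assumed behaviour, not the UTM's code):
    a detected test file is replaced by a notice, a clean body passes unchanged."""
    if is_eicar_test_file(body):
        return "MALWARE INFECTED", b"EICAR-Test-File detected; download blocked by the scanner\n"
    return "CLEAN", body


def check_scanner_result(delivered_body):
    """Interpret what the client actually received after the test download:
    if the EICAR file arrives intact, HTTP scanning did not act on it."""
    if is_eicar_test_file(delivered_body):
        return "HTTP scanning is NOT active: test file arrived unmodified"
    return "HTTP scanning intercepted the test file"


if __name__ == "__main__":
    verdict, body = scan_http_download(make_eicar_test_file())
    print(verdict, "/", check_scanner_result(body))
```

To use this against a real UTM, save the body your browser or HTTP client actually received and pass it to `check_scanner_result()`. Keep in mind that a file with the signature at any other offset, or padded past 128 bytes, is not an EICAR test file by definition, so it tells you nothing reliable about the scanner.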
132. Table 11-7 explains the fields of the Most Recent 5 and Top 5 sections of the Dashboard screen.

Table 11-7. Dashboard: Most Recent 5 and Top 5 Information

Threats
  Most Recent 5: Malware Name (the name of the malware threat); Protocol (the protocol in which the malware threat was detected); Date and Time (the date and time that the malware threat was detected).
  Top 5: Malware Name (the name of the malware threat); Count (the number of times that the malware threat was detected); Percentage (the percentage that the malware threat represents in relation to the total number of detected malware threats).
IPS Signatures
  Most Recent 5: Signature Name (the name of the attack); Category (the category in which the attack was detected, such as Web, Mail, Databases, and so on; for more information about categories, see "Using the Intrusion Prevention System" on page 5-49); Date and Time (the date and time that the attack was detected).
  Top 5: Signature Name (the name of the attack); Count (the number of times that the attack was detected); Percentage (the percentage that the attack represents in relation to the total number of detected attacks).
IM / Peer to Peer
  Most Recent 5: Application (the name of the application that was blocked); Category (instant messaging or peer to peer); Date and
134. [Add SSL VPN Policy screen: Apply Policy For radio buttons (Network Resource, IP Address, IP Network, All Addresses), Defined Resources, Service (VPN Tunnel), and Permission (PERMIT).]

3. Select the radio buttons, complete the fields, and make your selection from the pull-down menus as explained in Table 8-10.

Table 8-10. Add Policy Settings

Policy For: Select one of the following radio buttons to specify the type of SSL VPN policy:
  • Global: The new policy is global and applies to all groups and users.
  • Group: The new policy is limited to a single group. From the pull-down menu, select a group. Note: For information about how to create groups, see "Configuring Groups for VPN Policies" on page 9-6.
  • User: The new policy is limited to a single user. From the pull-down menu, select a user name. Note: For information about how to create user accounts, see "Configuring User Accounts" on page 9-9.

Table 8-10. Add Policy Settings (continued)

Add SSL VPN Policies
Apply Policy For: Select one of the following radio buttons to specify how the policy is applied:
  • Network Resource: The policy is applied to a network resource that you have defined on the Resources screen (see "Using Network Resource Objects to Simplify P
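Table 8-10 (both the part shown earlier, with the IP Network, Port Range and Service fields, and the part here, with the Global, Group and User scopes and the Apply Policy For choices) describes what an SSL VPN policy contains but not how a request is matched against a set of them. The code below is an added example, not the UTM's implementation: it models the policy fields from the table, validates the port values the screen accepts (0 through 65535, blank for all traffic), and evaluates a request against a constructed policy set. The evaluation order (User policies first, then Group, then Global, first match wins) and the default verdict when nothing matches are assumptions made for the example; the manual does not state them. The network resource table and all policy values are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    policy_for: str              # "Global", "Group" or "User"
    subject: Optional[str]       # group name or user name; None for Global
    apply_to: str                # "Network Resource", "IP Address", "IP Network", "All Addresses"
    target: Optional[str]        # resource name, a single address, or "address/mask"
    port_begin: Optional[int]    # blank Begin and End = all ports
    port_end: Optional[int]      # blank End = the single port given in Begin
    service: str                 # "VPN Tunnel", "Port Forwarding" or "All"
    permission: str              # "PERMIT" or "DENY"


@dataclass(frozen=True)
class Request:
    user: str
    group: str
    dst_ip: str
    dst_port: int
    service: str                 # "VPN Tunnel" or "Port Forwarding"


def validate(policy):
    """Reject values the screen would not accept: ports outside 0..65535,
    an End before Begin, or an End without a Begin."""
    b, e = policy.port_begin, policy.port_end
    if e is not None and b is None:
        raise ValueError(f"{policy.name}: End port without Begin port")
    for p in (b, e):
        if p is not None and not 0 <= p <= 65535:
            raise ValueError(f"{policy.name}: port {p} outside 0..65535")
    if b is not None and e is not None and e < b:
        raise ValueError(f"{policy.name}: End port {e} precedes Begin port {b}")
    return policy


def _port_matches(policy, port):
    if policy.port_begin is None:
        return True                                   # blank fields: all traffic
    end = policy.port_end if policy.port_end is not None else policy.port_begin
    return policy.port_begin <= port <= end


def _address_matches(policy, ip, resources):
    addr = ipaddress.ip_address(ip)
    if policy.apply_to == "All Addresses":
        return True
    if policy.apply_to == "IP Address":
        return addr == ipaddress.ip_address(policy.target)
    if policy.apply_to == "IP Network":                # "IP Address/Subnet Mask" fields
        return addr in ipaddress.ip_network(policy.target, strict=False)
    if policy.apply_to == "Network Resource":
        return any(addr in ipaddress.ip_network(n, strict=False)
                   for n in resources.get(policy.target, []))
    raise ValueError(f"unknown Apply Policy For value {policy.apply_to!r}")


def matches(policy, req, resources):
    subject_ok = (policy.policy_for == "Global"
                  or (policy.policy_for == "Group" and policy.subject == req.group)
                  or (policy.policy_for == "User" and policy.subject == req.user))
    service_ok = policy.service in ("All", req.service)
    return (subject_ok and service_ok and _port_matches(policy, req.dst_port)
            and _address_matches(policy, req.dst_ip, resources))


def evaluate(req, policies, resources, default="DENY"):
    """PERMIT or DENY for a request. Assumed precedence: User, then Group,
    then Global; first matching policy decides; otherwise the default."""
    order = {"User": 0, "Group": 1, "Global": 2}
    for policy in sorted(policies, key=lambda p: order[p.policy_for]):
        if matches(policy, req, resources):
            return policy.permission
    return default


# Constructed resource table and policy set (assumed values).
RESOURCES: Dict[str, List[str]] = {"Intranet": ["10.0.0.0/8"]}
POLICIES = [validate(p) for p in (
    Policy("deny-everything", "Global", None, "All Addresses", None, None, None, "All", "DENY"),
    Policy("sales-rdp", "Group", "Sales", "IP Network", "192.168.10.0/255.255.255.0", 3389, None, "Port Forwarding", "PERMIT"),
    Policy("alice-intranet", "User", "alice", "Network Resource", "Intranet", None, None, "VPN Tunnel", "PERMIT"),
)]

if __name__ == "__main__":
    print(evaluate(Request("alice", "Sales", "10.1.2.3", 443, "VPN Tunnel"), POLICIES, RESOURCES))
    print(evaluate(Request("bob", "Sales", "192.168.10.5", 3389, "Port Forwarding"), POLICIES, RESOURCES))
```

The shape to aim for is the one in the constructed set: a Global DENY for All Addresses, then narrow Group and User PERMIT policies for specific resources, ports and services. Whatever precedence the appliance actually applies, test the resulting policy set with requests that should be denied as well as ones that should be permitted.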
135. 2. Enter the settings as explained in Table 4-3 on page 4-20.

Table 4-3. DMZ Setup Settings

DMZ Port Setup
  Do you want to enable the DMZ Port? Select one of the following radio buttons:
    • Yes: Enables you to configure the DMZ port settings. Enter the IP Address and Subnet Mask fields (see below).
    • No: Allows you to disable the DMZ port after you have configured it.
  IP Address: Enter the IP address of the DMZ port. Make sure that the DMZ port IP address and the LAN port IP address are in different subnets. With the default LAN settings (192.168.1.1 with subnet mask 255.255.255.0), for example, the DMZ port needs an address outside 192.168.1.0/24, such as 192.168.2.1; an address such as 192.168.1.101 lies inside the default LAN subnet and does not meet this requirement.
  Subnet Mask: Enter the IP subnet mask of the DMZ port. The subnet mask specifies the network number portion of an IP address.
DHCP
  Disable DHCP Server: If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting.
  Enable DHCP Server: Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings:
    Domain
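The requirement that the DMZ port sit in a different subnet from the LAN port, and that any DMZ DHCP pool fit inside the DMZ subnet, is easy to get wrong when the two networks share the same first three octets. The following check is an added example, not part of the manual or of the UTM's configuration logic: it takes the LAN and DMZ address/mask pairs (and an optional DHCP pool) and reports every inconsistency, using the factory default LAN settings from the manual and constructed DMZ values.

```python
import ipaddress


def check_dmz_setup(lan_ip, lan_mask, dmz_ip, dmz_mask, dhcp_start=None, dhcp_end=None):
    """Return a list of problems with a DMZ Port Setup; an empty list means the
    DMZ address is in its own subnet and any DHCP pool fits inside it."""
    problems = []
    lan_net = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    dmz_net = ipaddress.ip_network(f"{dmz_ip}/{dmz_mask}", strict=False)
    dmz_addr = ipaddress.ip_address(dmz_ip)
    if lan_net.overlaps(dmz_net):
        problems.append(f"DMZ subnet {dmz_net} overlaps LAN subnet {lan_net}")
    if dmz_addr in (dmz_net.network_address, dmz_net.broadcast_address):
        problems.append(f"DMZ port address {dmz_addr} is the network or broadcast address")
    if dhcp_start is None and dhcp_end is None:
        return problems                       # DHCP server disabled (the default)
    if dhcp_start is None or dhcp_end is None:
        problems.append("DHCP pool needs both a start and an end address")
        return problems
    start, end = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    if start > end:
        problems.append(f"DHCP pool start {start} is after end {end}")
    if start not in dmz_net or end not in dmz_net:
        problems.append(f"DHCP pool {start}-{end} is not inside DMZ subnet {dmz_net}")
    if start <= dmz_addr <= end:
        problems.append(f"DHCP pool {start}-{end} includes the DMZ port address {dmz_addr}")
    return problems


LAN_IP, LAN_MASK = "192.168.1.1", "255.255.255.0"     # factory default LAN settings

if __name__ == "__main__":
    for dmz in ("192.168.1.101", "192.168.2.1"):      # constructed DMZ candidates
        print(dmz, check_dmz_setup(LAN_IP, LAN_MASK, dmz, "255.255.255.0") or "OK")
```

Run with the default LAN settings, 192.168.1.101 is reported as overlapping the LAN subnet while 192.168.2.1 passes, which is the point made in the IP Address row above.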
136. [Figure B-18: Telecommuter Example, Dual WAN Ports Before Rollover. Client B, a remote PC at the telecommuter's home office running the NETGEAR ProSafe VPN Client, sits behind NAT Router B. Gateway A, the VPN router at the employer's main office (LAN 10.5.6.0/24,LAN IP 10.5.6.1), has the WAN1 port active and the WAN2 port inactive (WAN2 IP N/A). Fully Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses.]

The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you must always use a FQDN because the active WAN port could be either WAN1 or WAN2; that is, the IP address of the active WAN port is not known in advance. After a rollover of the WAN port has occurred, the previously inactive gateway WAN port becomes the active port (port WAN2 in Figure B-19), and the remote PC must re-establish the VPN tunnel. The gateway WAN port must act as the responder.

[Figure B-19: Telecommuter Example, Dual WAN Ports After Rollover. Same topology as Figure B-18; the WAN1 port is now inactive (WAN1 IP N/A) and the WAN2 port, reachable as bzrouter2.dyndns.org, is the active port. The remote PC must re-establish the VPN tunnel after a rollover.]

Network Planning for Dual WAN Ports (Dual WAN Port Models Only), page B-17.
137. ... WAN IP address | Single WAN Port (reference case) | Rollover | Load Balancing
Inbound traffic (port forwarding, port triggering):
  Fixed: Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional)
  Dynamic: FQDN required | FQDN required | FQDN required

Inbound Traffic to a Single WAN Port System

The Internet IP address of the UTM's WAN port must be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled.

In the single WAN case, the WAN's Internet address is either a fixed IP or a FQDN if the IP address is dynamic.

[Figure B-4: a single WAN port system whose router WAN IP address is reachable as netgear.dyndns.org. A FQDN is required for a dynamic IP address and is optional for a fixed IP address.]

Inbound Traffic to a Dual WAN Port System

The IP address range of the UTM's WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.

Inbound Traffic: Dual WAN Ports for Improved Reliability

In a dual WAN port auto-rollover configuration, the WAN port's IP address will always change when a rollover occurs. You must use a FQDN that toggles between the IP addresses of the WAN ports, that is, WAN1 or WAN2.

Dual WAN Ports Before Ro
138. [Figure 11-7: Dashboard screen (1 of 3). The Total Threats section, "since last clear at 2009-05-28 17:49:34", shows counters for E-mails (scanned, malware detected, matched filters, spam), Web (files scanned, malware detected, files blocked, URLs blocked), IM/Peer to Peer (instant messaging blocked, peer to peer blocked), IPS signatures matched, and port scans detected, followed by a daily bar chart (Jul 02 through Jul 08) with the series EmailFilter, EmailVirus, EmailSpam, IMBlock, P2PBlock, IPSSigMatch, WebUrlBlock, WebMalware, and WebContentBlock.]

Monitoring System Access and Performance, page 11-15.

To clear the statistics, click Clear Statistics.

To set the poll interval:
1. Click the Stop button.
2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds, the maximum is 5 minutes).
3. Click the Set Interval button.

Table 11-6 explains the fields of the Total Threats, Threats Counts, and Total Traffic Bytes sections of the Dashboard screen.

Table 11-6. Dashboard: Total Threats, Threats Counts, and Total Traffic Bytes Information

Total Threats
  Emails: Displays the total number of:
    • Scanned e-mails
    • Viruses detected (to configure, see "Customizing E-mail Anti-Virus and Notification Settings" on page 6-5)
    • E-mails tha
139. ... Anti-Virus and Notification Settings
  E-mail Content Filtering
  Protecting Against E-mail Spam
Configuring Web and Services Protection
  Customizing Web Protocol Scan Settings and Services
  Configuring Web Malware Scans
  Configuring Web Content Filtering
  Configuring Web URL Filtering
  HTTPS Scan Settings
  Specifying Trusted Hosts
  Configuring FTP Scans
Setting Web Access Exceptions and Scanning Exclusions
  Setting Web Access Exception Rules
  Setting Scanning Exclusions

Chapter 7 Virtual Private Networking Using IPsec Connections
  Considerations for Dual WAN Port Systems (Dual WAN Port Models Only)
  Using the IPsec VPN Wizard for Client and Gateway Configurations
    Creating Gateway-to-Gateway VPN Tunnels with the Wizard ... 7-4
    Creating a Client-to-Gateway VPN Tunnel ... 7-9
    Testing the Connections and Viewing Status Information
140. The purpose of the FQDN is to toggle the domain name of the gateway between the IP addresses of the active WAN port, that is, WAN1 and WAN2, so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.

VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing

In a dual WAN port load balancing gateway configuration, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2), as necessary to balance the loads of the two gateway WAN ports, because the IP address of the remote NAT router is not known in advance. The selected gateway WAN port must act as the responder.

[Figure B-20: Telecommuter Example, Dual WAN Ports Load Balancing. Client B, a remote PC at the telecommuter's home office running the NETGEAR ProSafe VPN Client, sits behind NAT Router B. Gateway A, the VPN router at the employer's main office (LAN 10.5.6.0/24, LAN IP 10.5.6.1), has the WAN1 port reachable as bzrouter1.dyndns.org and the WAN2 port reachable as bzrouter2.dyndns.org. Fully Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses.]

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use a FQDN. If an IP address is fixed, a FQDN is optional.

Network Planning for Dual WAN Ports (Dual WAN Port Models Only), page B-18.

Appendix C System Logs and
141. [Figure 2-13: Setup Wizard Step 7 content filtering screen, with the Web Categories list and a Time of Day selection (All Day or Specific Times).]

Enter the settings as explained in Table 2-7, then click Next to go to the following screen.

Note: After you have completed the steps in the Setup Wizard, you can make changes to the content filtering settings by selecting Application Security > HTTP/HTTPS > Content Filtering. The Content Filtering screen lets you specify additional filtering tasks and notification settings. For more information about these settings, see "Configuring Web Content Filtering" on page 6-23.

Table 2-7. Setup Wizard Step 7: Content Filtering Settings

Blocked Web Categories: Select the Enable Blocking checkbox to enable blocking of Web categories. By default, this checkbox is deselected. Select the checkboxes of any Web categories that you want to block. Use the action buttons at the top of the section in the following way:
  • Allow All: All Web categories are allowed.
  • Block All: All Web categories are blocked.
  • Set to Defaults: Blocking and allowing of Web categories are returned to their default settings. See Table 6-1 on page 6-2 for information about the Web categories that are blocked by default. Categories that are preceded by a gre
142. [Figure 11-18: WAN1 ISP Settings screen. Sections: ISP Login (Does your Internet connection require a login? Yes/No; Login; Password), ISP Type (Austria PPTP, Other PPPoE; Account Name, Domain Name, Idle Timeout or Keep Connected, Idle Time in minutes, My IP Address, Server IP Address), Internet IP Address (Get Dynamically from ISP or Use Static IP Address; IP Address, IP Subnet Mask, Gateway IP Address), and Domain Name Server (DNS) Servers (Get Automatically from ISP or Use These DNS Servers; Primary DNS Server, Secondary DNS Server).]

2. Click the WAN Status option arrow at the top right of the WAN1 ISP Settings screen (dual WAN port models) or the WAN ISP Settings screen (single WAN port models). The Connection Status screen appears in a popup window.

[Figure 11-19: Connection Status popup. Operation succeeded.]
  Connection Time: 0 Days 00:23:41
  Connection Type: DHCP
  Connection State: Connected
  IP Address: 192.168.50.61
  Subnet Mask: 255.255.255.0
  Gateway: 192.168.50.1
  DNS Server: 192.168.50.1
  DHCP Server: 192.168.50.1
  Lease Obtained: Tue Apr 14 16:46:03 GMT 2009
  Lease Duration: 1 Day 00:00:00
  (Disconnect button)

Monitoring System Access and Performance, page 11-28.

The Connection Status screen displays the
143. ...D message is inserted. You can change this default message.
    • No Malware Found: If no malware threat is found, a MALWARE FREE message is inserted. You can change this default message.
  By default, this checkbox is deselected and no warnings are inserted.

Content Filtering and Optimizing Scans.

Table 6-2. E-mail Anti-Virus and Notification Settings (continued)

  Append Safe Stamp (SMTP and POP3): For SMTP and POP3 e-mail messages, select this checkbox to insert a default safe stamp message at the end of an e-mail. The safe stamp insertion serves as a security confirmation to the end user. You can change the default message. By default, this checkbox is deselected and no safe stamp is inserted.
  "The attachment(s) was not scanned for malware because it exceeded the scan size limit": Select this checkbox to append a default warning message to an e-mail if the message or an attachment to the message exceeds the scan size limit. The warning message informs the end user that the attachment was skipped and might not be safe to open. You can change the default message. By default, this checkbox is selected and a warning message is appended to the e-mail.
  Replace Infected Attachments with the Following Warning Message: Select this checkbox to replace an e-mail that i
144. ... Database" on page 4-16.
    Destination Network: The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the pull-down menu:
      • Any: All Internet IP addresses.
      • Single address: In the Start Address field, enter the IP address that is covered by the rule.
      • Address range: In the Start Address field and End Address field, enter the IP addresses for the range that is covered by the rule.
  b. Click the Add table button in the rightmost column to add the protocol binding rule to the Protocol Binding table. The rule is automatically enabled, which is indicated by the status icon that displays a green circle.
  c. Repeat step a and step b for each protocol binding rule that you want to add to the Protocol Binding table.
  d. If not all table entries are enabled, select the table entries that you want to enable, or click the Select All table button. Then click the Enable table button.
  e. Open the WAN Protocol Bindings screen for the WAN2 port and repeat step a through step d to set protocol bindings for the WAN2 port.
  f. Return to the WAN Mode screen by selecting Network Config > WAN Settings from the menu and clicking the WAN Mode tab.
4. Click Apply to save your settings.

Manually Configuring Internet and WAN Settings, page 3-16.

Configuring Second
145. [Table of contents residue; only the entries whose titles are legible are kept.]
Service Registration Card with License Keys ... 1-8
Package Contents ... 1-9
Front Panel ... 1-10
Rear Panel ... 1-12
Bottom Panel With Product Label ... 1-12
Choosing a Location for the UTM ... 1-14
Using the Rack-Mounting Kit ... 1-15
Chapter 2: Using the Setup Wizard to Provision the UTM in Your Network
Understanding the Steps for Initial Connection ... 2-1
Qualified Web Browsers ... 2-2
Logging In to the UTM ... 2-2
Understanding the Web Management Interface Menu Layout ... 2-5
Using the Setup Wizard to Perform the Initial Configuration ... 2-7
Setup Wizard Step 1 of 10: LAN Settings ... 2-8
Setup Wizard Step 2 of 10: WAN Settings ... 2-11
Set
146. ESS OR IMPLIED WARRANTIES, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib
zlib.h: interface of the zlib general purpose compression library, version 1.1.4, March 11th, 2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly (jloup@gzip.org), Mark Adler (madler@alumni.caltech.edu)
The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
Product and Publication Details
Model Numbe
147. Error Occurs: A number of things could be causing this situation. Try the following troubleshooting steps:
- Check whether other computers on the LAN work properly. If they do, ensure that your computer's TCP/IP settings are correct. If you use a fixed (static) IP address, check the subnet mask, default gateway, DNS, and IP addresses on the WAN1 ISP Settings or WAN2 ISP Settings screen (dual WAN port models) or on the WAN ISP Settings screen (single WAN port models); see Manually Configuring the Internet Connection on page 3-5.
- If the computer is configured correctly but still not working, ensure that the UTM is connected and turned on. Connect to the Web Management Interface and check the UTM's settings. If you cannot connect to the UTM, see the information in the previous section, Troubleshooting the Web Management Interface on page 12-3.
- If the UTM is configured correctly, check your Internet connection (for example, your modem or router) to make sure that it is working correctly.
Troubleshooting the ISP Connection: If your UTM is unable to access the Internet, you should first determine whether the UTM is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your UTM requests an IP address from the ISP. You can determine whether
148. Error Messages: This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided. This appendix contains the following sections:
- System Log Messages on page C-2
- Content Filtering and Security Logs on page C-12
- Routing Logs on page C-16
This appendix uses the following log message terms.
Table C-1. Log Message Terms. Term / Description or Subfield and Description:
UTM: System identifier.
kernel: Message from the kernel.
CODE: Protocol code (e.g., protocol is ICMP, TYPE 8 and CODE 0 means successful reply).
DEST: Destination IP address of the machine to which the packet is destined.
DPT: Destination port.
IN: Incoming interface for packet.
OUT: Outgoing interface for packet.
PROTO: Protocol used.
SELF: Packet coming from the system only.
SPT: Source port.
SRC: Source IP address of the machine from where the packet is coming.
TYPE: Protocol type.
System Log Messages: This section describes log messages that belong to one of the following categories:
- Logs that are generated by traffic that is meant for the UTM.
- Logs that are generated by traffic that is routed or forwarded through the UTM.
- Logs that are generated by system daemons, NTP, the WAN daemon, a
149. [Figure residue: Content Filtering screen, Blocked Categories section. Legible category checkboxes: Fashion & Beauty, News, Restaurants & Dining, Transportation, Malicious, Botnets, Illegal Software, Spam Sites, Politics and Religion, Cults, Religion, Sexual Content, Child Abuse Images, Sex Education, Technology, Computers & Technology, Uncategorized, Chat, Image/Photo Sharing, Peer to Peer, Search Engines & Portals, Dating & Personals, Greeting Cards, Non-Profits, Social Networking, Travel, Criminal Activity, Malware, Virus Infected/Compromised, Government, Nudity, Download Sites, Banking/Finance, Illegal Drugs, Weapons, School Cheating, Forums, Instant Messaging, Private IP Addresses, Translators, Entertainment, Leisure & Recreation, Personal Sites, Sports, Hacking, Phishing & Fraud, Politics, Pornography/Sexually Explicit, Information Security. Legend: Allowed by Default / Blocked by Default.]
Scheduled Days: 4. Do you want this schedule to be active on all days or specific days? All Days / Specific Days (Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday).
Blocked Categories / Scheduled Days: Do you want this schedule to be active all day or at specific times during the day? Start Time: Hour 12, Minute 00, AM; End Time: Hour 12, Minute 00. Blocked
150. From the pull-down menu, select Domain Name. Then, below, enter the remote FQDN that you specified in the UTM's Mode Config IKE policy. In this example, we are using utm25_remote.com. Secure Interface Configuration, Internet Interface: Select Preferred from the Virtual Adapter pull-down menu. Leave the default setting, which is the Any selection, from the Name pull-down menu. 7. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu. 8. In the left frame, click Security Policy. The screen adjusts. [Figure 7-30: Security Policy Editor (NETGEAR ProSafe VPN Client), Security Policy panel for the ModeConfigTest connection: Select Phase 1 Negotiation Mode (Main Mode / Aggressive Mode / Use Manual Keys), Enable Perfect Forward Secrecy (PFS) with PFS Key Group Diffie-Hellman Group 2, Enable Replay Detection.] 9. Enter the settings as explained in Table 7-19. Table 7-19. Security Policy Editor: Security Policy (Mode Config Settings). Setting / Description or Subfield and Description: Select Phase 1 Negotiation: Select the Aggressive M
151. IP address is 192.168.50.61. Note: You can find the WAN IP address on the Connection Status screen for the selected WAN port. For more information, see Viewing the WAN Ports Status on page 11-27. 4. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu. 5. In the left frame, click My Identity. The screen adjusts. [Figure 7-13: Security Policy Editor (NETGEAR ProSafe VPN Client), My Identity panel for the UTM_Test connection: Select Certificate = None; ID Type = Domain Name; Secure Interface Configuration: Virtual Adapter = Disabled, Internet Interface Name = Any, IP Addr = Any; Pre-Shared Key dialog: Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key.] 6. Enter the settings as explained in Table 7-5. Table 7-5. Security Policy Editor: My Identity Settings. Setting / Description or Subfield and Description: Select Certificate: From the pull-down menu, select None. The Pre-Shared Key window appears. Pre-Shared Key: Enter the same pre-shared key that you specified o
152. IPS attacks are detected. Note: When the specified number of IPS attacks is reached within the time threshold, the UTM sends a malware outbreak alert. Subject: Enter the subject line for the e-mail alert. The default text is "Outbreak alert". Enable IPS Alerts: Select this checkbox to enable IPS alerts and configure the Subject field. Subject: Enter the subject line for the e-mail alert. The default text is "IPS alert". 4. Click Apply to save your settings.
Configuring and Activating Firewall Logs: You can configure the logging options for each network segment. For example, the UTM can log accepted packets for LAN-to-WAN traffic, dropped packets for WAN-to-DMZ traffic, and so on. You can also configure logging of packets from MAC addresses that match the source MAC address filter settings (see Enabling Source MAC Filtering on page 5-42) and packets that are dropped because the session limit (see Setting Session Limits on page 5-30), bandwidth limit (see Creating Bandwidth Profiles on page 5-38), or both have been exceeded. Note: Enabling firewall logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. To configure and activate firewall logs: 1. Select Monitoring
153. Installation on page 2-26. Register the UTM: Registering the UTM with NETGEAR on page 2-26. Each of these tasks is described separately in this chapter. The configuration of the WAN mode (required for dual WAN port models only), dynamic DNS, and other WAN options is described in Chapter 3, Manually Configuring Internet and WAN Settings. The configuration of LAN, firewall, scanning, VPN, management, and monitoring features is described in later chapters.
Qualified Web Browsers: To configure the UTM, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher, with JavaScript, cookies, and SSL enabled. Although these web browsers are qualified for use with the UTM's Web Management Interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is only required for the SSL VPN portal, not for the Web Management Interface.
Logging In to the UTM: To connect to the UTM, your computer needs to be configured to obtain an IP address automatically from the UTM via DHCP. For instructions on how to configure your computer for DHCP, see the document that you can access from Preparing Your Network in Appendix E. To connect and log in to the
154. Inter VLAN Routing radio button is deselected, traffic from this VLAN is not routed to other VLANs, and traffic from other VLANs is not routed to this VLAN. 4. Click Apply to save your settings. Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded, except responses to requests from the LAN side. To change these default traffic rules, see Chapter 5, Firewall Protection.
Configuring Multi-Home LAN IPs on the Default VLAN: If you have computers using different IP networks in the LAN (for example, 172.16.2.0 or 10.0.0.0), you can add aliases to the LAN ports and give computers on those networks access to the Internet, but you can do so only for the default VLAN. The IP address that is assigned as a secondary IP address must be unique and must not be assigned to the VLAN. It is important that you ensure that any secondary LAN addresses are different from the primary LAN, WAN, and DMZ IP addresses and subnet addresses that are already configured on the UTM. The following is an example of properly configured IP addresses on a dual WAN port model: WAN1 IP address 10.0.0.1 with subnet 255.0.0.0; WAN2 IP address 20.0.0.1 with subnet 255.0.0.0; DMZ IP address 192.168.10.1 with subnet 255.255.255.0; Primary LAN IP address 192.168.1.1 wit
155. L VPN access policies to prevent access to these pages. SSL VPN Wizard Step 2 of 6: Domain Settings. [Figure 8-3: SSL VPN Wizard Step 2 of 6 screen with the fields Domain Name (SSLTestDomain), Authentication Type (Local User Database (default)), Portal (SSLTestDomain), Authentication Server, Authentication Secret, Workgroup, LDAP Base DN, Active Directory Domain, and the on-screen note: Leave the DOMAIN NAME field blank if you wish to use the system default domain geardomain without any changes. If you assign it an existing domain name, a user will be created for it; however, the settings of the domain will NOT be changed. Otherwise, the wizard will attempt to create a new domain.] Note that Figure 8-3 contains some examples. Enter the settings as explained in Table 8-2, then click Next to go to the following screen. Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain. You must enter a name other than geardomain in the Domain Name field so the SSL VPN Wizard can create a new domain. Do not enter an existing domain name in the Domain Name field; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration. Note: After you have completed the steps in the SSL VPN W
156. Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default value is 3600 seconds.
- KBytes: In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.
Encryption Algorithm: From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA):
- DES: Data Encryption Standard (DES).
- 3DES: Triple DES. This is the default algorithm.
- AES-128: Advanced Encryption Standard (AES) with a 128-bit key size.
- AES-192: AES with a 192-bit key size.
- AES-256: AES with a 256-bit key size.
Integrity Algorithm: From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process:
- SHA-1: Hash algorithm that produces a 160-bit digest. This is the default setting.
- MD5: Hash algorithm that produces a 128-bit digest.
Local IP Address: The local IP address to which remote VPN clients have access. Typically, this is the UTM's LAN subnet, such as 192.168.1.0. Note: If you do not specify a local IP address, the UTM's default LAN subnet is used.
Local Subnet Mask: The local subnet mask. Typically, this is 255.255.255.0.
5. Click Apply to save your settings. The new Mode Config record is added to the
157. List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy. 6. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-24). 7. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays. Figure 7-27 shows the upper part only of a dual WAN port model screen. The WAN1 and WAN2 radio buttons next to Select Local Gateway are shown on the Add IKE Policy screen for the dual WAN port models but not on the Add IKE Policy screen for the single WAN port models. [Figure 7-27: Add IKE Policy screen (upper part). Add New VPN Policy section: Do you want to use Mode Config Record? (Yes / No), Policy Name (ModeConfigNA_Sales), Direction/Type, Select Mode Config Record, Exchange Mode, View Selected, Select Local Gateway (WAN1 / WAN2), Identifier Type, Identifier. IKE SA Parameters section: Encryption Algorithm, Authentication Algorithm, Authentication Method (Pre-shared key / RSA Signature), Pre-shared key (Key Length field), Diffie-Hellman (DH) Group, SA Lifetime (sec), Enable Dead Peer Detection (Yes / No), Detection Period (Seconds), Reconnect after failure count. Extended Authentication section.]
158. Logs Query submenu tab. The Logs Query screen displays. 3. From the Log Type pull-down menu, select SSL VPN. The SSL VPN logs display. [Figure 8-11: Logs Query screen showing an SSL VPN log entry:
2009 Jun 20 00:38:51 UTM sslvpntunnel[id=UTM25 time="2009-6-20 0:38:51" fw=prosecure.homeip.net pri=6 rule=access-policy proto="SSL VPN Tunnel (Java)" src=208.123.146.88 user="techpubadmin" dst=prosecure.homeip.net arg="" op="" result="" rcvd="" msg="SSL VPN Tunnel (Java)"] <return>]
Manually Configuring and Editing SSL Connections: To manually configure and activate SSL connections, perform the following six basic steps in the order that they are presented:
1. Edit the existing SSL portal or create a new one (see Creating the Portal Layout on page 8-18). When remote users log in to the UTM, they see a portal page that you can customize to present the resources and functions that you choose to make available.
2. Create authentication domains, user groups, and user accounts (see Configuring Domains, Groups, and Users on page 8-22). a. Create one or more authentication domains for authentication of SSL VPN users. When remote users log in to the UTM, they must specify a domai
159. M attempts to reconnect after a DPD situation (Reconnect after failure count). When the maximum number of times is exceeded, the IPsec connection is terminated. The default setting is 3 IKE connection failures. 5. Click Apply to save your settings.
Configuring NetBIOS Bridging with IPsec VPN: Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic network services, such as naming and neighborhood device discovery. Because VPN routers do not normally pass NetBIOS traffic, these network services do not function for hosts on opposite ends of a VPN connection. To solve this problem, you can configure the UTM to bridge NetBIOS traffic over the VPN tunnel. To enable NetBIOS bridging on a configured VPN tunnel: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view. 2. Click the VPN Policies submenu tab. The VPN Policies screen displays (see Figure 7-22 on page 7-32). 3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. Figure 7-31 shows only the top part of the screen with the General section. [Figure 7-31: Edit VPN Policy screen (IPSec VPN / SSL VPN / Certificates tabs), "Operation succeeded", General section, Policy Name: Client to UTM Policy
160. N meta words in a message to enable the UTM to insert the proper URL information and the reason for the rejection. Note: For information about certificates that are used for SSL connections and HTTPS traffic, see Managing Digital Certificates on page 9-17.
Specifying Trusted Hosts: You can specify trusted hosts for which the UTM bypasses HTTPS traffic scanning and security certificate authentication. The security certificate is sent directly to the client for authentication, which means that the user does not receive a security alert for trusted hosts. For more information about security alerts, see Managing Self Certificates on page 9-20. Note that certain sites contain elements from different HTTPS hosts. As an example, assume that the https://example.com site contains HTTPS elements from the following three hosts:
- trustedhostserver1.example.com
- trustedhostserver2.example.com
- imageserver.example.com
To completely bypass the scanning of the https://example.com site, you must add all three hosts to the trusted hosts list, because different files from these three hosts are also downloaded when a user attempts to access the https://example.com site. To specify trusted hosts: 1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submen
161. N Ports (Dual WAN Port Models Only). After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in Figure B-15), and one of the gateways must re-establish the VPN tunnel. [Figure B-15: Gateway-to-Gateway Example, Dual WAN Ports After Rollover. VPN Router at office A (LAN 10.5.6.0/24, LAN address 10.5.6.1; WAN_A1 port inactive, WAN_A1 IP N/A; WAN_A2 IP active) to VPN Router at office B (LAN 172.23.9.0/24, LAN address 172.23.9.1; WAN_B1 IP active; WAN_B2 port inactive, WAN_B2 IP N/A; FQDN netgearB.dyndns.org). Fully Qualified Domain Names (FQDN): required for dynamic IP addresses. One of the gateway routers must re-establish the VPN tunnel after a rollover.] The purpose of the FQDNs is to toggle the domain name of the rolled-over gateway between the IP addresses of the active WAN port (that is, WAN_A1 and WAN_A2 in Figure B-15), so that the other end of the tunnel has a known gateway IP address to establish or re-establish a VPN tunnel.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing. In a configuration with two dual WAN port VPN gateways that function in load balancing mode, either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessar
162. [Table of contents residue; only the entries whose titles are legible are kept.]
Features That Increase Traffic ... 10-5
Using QoS and Bandwidth Assignment to Shift the Traffic Mix ... 10-8
Monitoring Tools for Traffic Management ... 10-9
System Management ... 10-9
Changing Passwords and Administrator Settings ... 10-9
Configuring Remote Management Access ... 10-12
Using an SNMP Manager ... 10-14
Managing the Configuration File ... 10-15
Updating the Firmware ... 10-18
Updating the Scan Signatures and Scan Engine Firmware ... 10-21
Configuring Date and Time Service ... 10-24
Chapter 11: Monitoring System Access and Performance
Enabling the WAN Traffic Meter ... 11-1
Configuring Logging, Alerts, and Event Notifications ... 11-5
Configuring the E-mail Notification Server ... 11-5
Configurin
163. Name: This is optional. Enter the domain name of the UTM.
Starting IP Address: Enter the starting IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
Ending IP Address: Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between the Starting IP Address and this IP address. The IP address 192.168.1.100 is the default ending address.
Note: The starting and ending DHCP IP addresses should be in the same network as the LAN TCP/IP address of the UTM (the IP address in the LAN TCP/IP section above).
Table 4-3. DMZ Setup Settings (continued). Setting / Description or Subfield and Description:
Enable DHCP Server (continued):
Primary DNS Server: This is optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM provides its own LAN IP address as the primary DNS server IP address.
Secondary DNS Server: This is optional. If an IP address is specified, the UTM provides this address as the second
164. Now click the WAN2 ISP Settings tab and then the Advanced option arrow. The WAN2 Advanced Options screen displays.
Additional WAN-Related Configuration Tasks:
- If you want the ability to manage the UTM remotely, enable remote management (see Configuring Remote Management Access on page 10-12). If you enable remote management, NETGEAR strongly recommends that you change your password (see Changing Passwords and Administrator Settings on page 10-9).
- You can set up the traffic meter for each WAN if desired. See Enabling the WAN Traffic Meter on page 11-1.
Chapter 4: LAN Configuration
Note: The initial LAN configuration of the UTM's default VLAN 1 is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. This chapter describes how to configure the advanced LAN features of your UTM. This chapter contains the following sections:
- Managing Virtual LANs and DHCP Options on this page
- Configuring Multi-Home LAN IPs on the Default VLAN on page 4-11
- Managing Groups and Hosts (LAN Groups) on page 4-12
- Configuring and Enabling the DMZ Port on page 4-18
- Managing Routing on page 4-22
Managing Virtual LANs and DHCP Options: A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges, or switches in the same
165. [Figure 6-10: Content Filtering screen (2 of 3), Blocked Categories section. Category checkboxes include Streaming Media & Downloads, Webmail, Leisure and News, Malicious, Politics and Religion, Sexual Content, Technology, Uncategorized, and the remaining Web categories; legend: Allowed by Default / Blocked by Default.]
Blocked Categories / Scheduled Days: Sunday, Monday ... Do you want this schedule to be acti
166. OP3, IMAP. [Figure 11-9: Dashboard screen (3 of 3).] Table 11-8 explains the fields of the Service Statistics section of the Dashboard screen.
Table 11-8. Dashboard: Service Statistics Information. Item / Description or Subfield and Description:
For each of the six supported protocols (HTTP, HTTPS, FTP, SMTP, POP3, and IMAP), this section provides the following statistics:
Total Scanned Traffic (MB): The total quantity of scanned traffic in MB.
Total Emails/Files Scanned: The total number of scanned e-mails.
Total Malwares Found: The total number of detected viruses and attacks.
Total Files Blocked: The total number of downloaded files that were blocked.
Total URLs Blocked: The total number of URL requests that were blocked. These statistics are applicable only to HTTP and HTTPS.
Total Spam Emails: The total number of spam messages that were blocked. These statistics are applicable only to SMTP and POP3.
Blacklist: The total number of e-mails that were detected from sources on the spam blacklist and Real-time blacklist (see Setting Up the Whitelist and Blacklist on page 6-12 and Configuring the Real-time Blacklist on page 6-14). These statistics are applicable only to SMTP.
Distributed Spam Analysis: The total number of spam messages that were detected through Distributed Spam Analysis (see Configuring Distributed Spam Analysis on page 6-16). These statistics
167. P3 Message: Skip scanning for malware because the message/email is larger than scan size limit. [Figure 6-2: E-mail Anti-Virus screen, showing: 4. Replace Infected Attachments with the Following Warning Message; Message: %VIRUSINFO%; Note: Insert the following meta word(s) to automatically include the relevant malware detection information: %VIRUSINFO%. Email Alert Settings: Send Alert to: Sender, Recipient; Subject: Malware detected; Message; Note: Insert the following meta word(s) to automatically include the relevant malware detection information: %TIME%, %PROTOCOL%, %FROM%, %TO%, %SUBJECT%, %FILENAME%, %ACTION%, %VIRUSNAME%, %VIRUSINFO%.] 2. Enter the settings as explained in Table 6-2.
Table 6-2. E-mail Anti-Virus and Notification Settings. Setting / Description or Subfield and Description:
Action: SMTP: From the SMTP pull-down menu, specify one of the following actions when an infected e-mail is detected: Block infected email (this is the default setting; the e-mail is blocked and a log entry is created); Delete attachment (the e-mail is not blocked, but the attachment is deleted and a log entry is created); Log only (only a log entry is created; the e-mail is not blocked and the attachment is not deleted). POP3: From the POP3 pull-down menu, specify one
168. PN on page 7-59.
Considerations for Dual WAN Port Systems (Dual WAN Port Models Only): On the dual WAN port models only, if both of the WAN ports are configured, you can enable either auto-rollover mode for increased system reliability or load balancing mode for optimum bandwidth efficiency. Your WAN mode selection impacts how the VPN features must be configured. The use of fully qualified domain names (FQDNs) in VPN policies is mandatory when the WAN ports function in auto-rollover mode or load balancing mode, and is also required for VPN tunnel failover. When the WAN ports function in load balancing mode, you cannot configure VPN tunnel failover. An FQDN is optional when the WAN ports function in load balancing mode if the IP addresses are static, but mandatory if the WAN IP addresses are dynamic. See Virtual Private Networks (VPNs) on page B-9 for more information about the IP addressing requirements for VPNs in the dual WAN modes. For information about how to select and configure a dynamic DNS service for resolving FQDNs, see Configuring Dynamic DNS on page 3-19. For information about WAN mode configuration, see Configuring the WAN Mode (Required for Dual WAN Port Models Only) on page 3-9. The diagrams and table below show how the WAN mode selection relates to VPN configuration. WAN Auto-Rollover: FQDN Required for VPN
169. [Figure 5-22: screenshot of the Add QoS Profile screen, showing the QoS Value field (for IP Precedence: 1-7; for DSCP: 1-63) and the QoS Priority pull-down menu set to Default.]

4. Enter the settings as explained in Table 5-7 on page 5-37.

Note: This document assumes that you are familiar with QoS concepts such as QoS priority queues, IP Precedence, DSCP, and their values.

Table 5-7. QoS Profile Settings
Setting: Description (or Subfield and Description)
Profile Name: A descriptive name of the QoS profile for identification and management purposes.
Don't Change: Select the Don't Change radio button to ignore the QoS type (IP Precedence or DSCP) and QoS value, and to set only the QoS priority.
Add DiffServ Mark: Select the Add DiffServ Mark radio button to set the differentiated services (DiffServ) mark in the Type of Service (ToS) byte of an IP header by specifying the QoS type (IP Precedence or DSCP) and QoS value.
QoS Type: From the QoS pull-down menu, select one of the following traffic classification methods:
• IP Precedence. A legacy method that sets the priority in the ToS byte of an IP header.
• DSCP. A method that sets the Differentiated Services Code Point (DSCP) in the Differentiated Services (DS) field, which is the same as the ToS byte of an IP header.
QoS Value: The QoS value in the ToS or DiffServ byte of an IP header. The QoS value that you enter
170. RL

Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.com and you create a portal layout named CustomerSupport, then users access the sub-site at https://vpn.company.com/portal/CustomerSupport.

Note: Only alphanumeric characters, hyphens (-), and underscores (_) are accepted in the Portal Layout Name field. If you enter other types of characters or spaces, the layout name is truncated before the first non-alphanumeric character.

Note: Unlike most other URLs, this name is case-sensitive.

Portal Site Title: The title that appears at the top of the user's Web browser window. For example: Company Customer Support.
Banner Title: The banner title of a banner message that users see before they log in to the portal. For example: Welcome to Customer Support.
Banner Message: The text of a banner message that users see before they log in to the portal. For example: In case of login difficulty, call 123-456-7890. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters.
Display banner message on login page: Select this checkbox to show the banner title and banner message text on the login screen, as shown in Figure 8-8 on page 8-15.
171. Required for Dual WAN Port Models Only) on page 3-9. If one or both automatic WAN ISP configurations failed, you can attempt a manual configuration as described in the following section, or see Troubleshooting the ISP Connection on page 12-5.

Setting the UTM's MAC Address

Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer's Media Access Control (MAC) address. The default is set to Use Default Address. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you must enter that address. Setting the UTM's MAC address is controlled through the Advanced options on the single WAN port model's WAN ISP Settings screen or the dual WAN port model's WAN1 ISP Settings and WAN2 ISP Settings screens (see Configuring Advanced WAN Options on page 3-22).

Manually Configuring the Internet Connection

Unless your ISP automatically assigns your configuration via DHCP, you need to obtain configuration parameters from your ISP in order to manually establish an Internet connection. The necessary parameters for various connection types are listed in Table 3-1 on page 3-4.

To manually configure the WAN1 ISP (dual WAN port models) or WAN ISP (single WAN port models) settings
172. SEC VPN Logs. All IPsec VPN events.
• Content Filter Logs. All attempts to access blocked Web sites and URLs.
• Service Logs. All events that are related to the status of scanning and filtering services that are part of the Application Security main navigation menu. These events include update success messages, update failed messages, network connection errors, and so on.
• Portscan Logs. All port scan events.
Format: Select a radio button to specify the format in which the log file is sent:
• Plain text. The log file is sent as a plain text file.
• CSV. The log file is sent as a comma-separated values (CSV) file.
Select the Zip the logs to save space checkbox to enable the UTM to compress the log file.
Size: Select the Split logs size to checkbox to break up the log file into smaller files, and specify the maximum size of each file in MB.
Send Logs via Syslog (continued)
Enable: Select this checkbox to enable the UTM to send a log file to a syslog server.
SysLog Server: The IP address or name of the syslog server.
SysLog Severity: All the logs with a severity that is equal to and above the severity that you specify are logged on the specified syslog server. For example, if you select LOG_CRITICAL as the severity, then the logs with the severities LOG_CRITICAL, LOG_ALERT, and LOG_EMERG are logged. Select one of the following syslog severities:
• LOG_EMERG. The UTM is unusable.
• LOG_ALERT. An
173. SL Connections

3. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields:
• Local Server IP Address. The IP address of an internal server or host computer that you want to name.
• Fully Qualified Domain Name. The full server name.
Note: If the server or host computer that you want to name does not appear in the List of Configured Applications for Port Forwarding table, you must add it before you can rename it.
4. Click the Add table button. The new application entry is added to the List of Configured Host Names for Port Forwarding table.

To delete a name from the List of Configured Host Names for Port Forwarding table, select the checkbox to the left of the name that you want to delete, and then click the Delete table button in the Action column.

Configuring the SSL VPN Client

The SSL VPN client on the UTM assigns IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the local subnet to the remote VPN tunnel clients. The following are some additional considerations:
• So that the virtual (PPP) interface address of a VPN tunnel client does not conflict with addresses on the local network, configure an IP address range that does not directly overlap with addresses on your local network. F
174. SL VPN Wizard Step 4: Client IP Address Range and Routes Settings
Item: Description (or Subfield and Description)
Client IP Address Range
Enable Full Tunnel Support: Select this checkbox to enable full tunnel support. If you leave this checkbox deselected (which is the default setting), split tunnel support is enabled, and you must add a client route by completing the Destination Network and Subnet Mask fields.
Note: When full tunnel support is enabled, client routes are not operable.
DNS Suffix: A DNS suffix to be appended to incomplete DNS search strings. This is an option.
Primary DNS Server: The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This is an option.
Note: If you do not assign a DNS server, the DNS settings remain unchanged in the VPN client after a VPN tunnel has been established.
Secondary DNS Server: The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This is an option.
Client Address Range Begin: The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
Client Address Range End: The last IP address of the IP address range that you want to assign to the VPN tunnel clients.
Add Routes for VPN Tunnel Clients
Destination Network: Leave this field blank, or specify a destination network IP address of a local network or subnet that has not yet been used.
Subnet Mask: Leave thi
175. Secret fields.
• WiKID-CHAP. WiKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields.
• MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP. Complete the Authentication Server and Authentication Secret fields.
• MIAS-CHAP. Microsoft Internet Authentication Service (MIAS) CHAP. Complete the Authentication Server and Authentication Secret fields.
• NT Domain. Microsoft Windows NT Domain. Complete the Authentication Server and Workgroup fields.
• Active Directory. Microsoft Active Directory. Complete the Authentication Server and Active Directory Domain fields.
• LDAP. Lightweight Directory Access Protocol (LDAP). Complete the Authentication Server and LDAP Base DN fields.

Table 8-2. SSL VPN Wizard Step 2: Domain Settings (continued)
Setting: Description (or Subfield and Description)
Portal: The portal that you selected on the first SSL VPN Wizard screen. You cannot change the portal on this screen; the portal is displayed for information only.
Authentication Server: The server IP address or server name of the authentication server for any type of authentication other than authentication through the local user database.
Authentication Secret: The authentication secret or password that is required to access the authentication server fo
176. [Figure 7-23: screenshot of the Add VPN Policy screen. Visible fields include Start IP Address, End IP Address, Subnet Mask, SPI-Incoming (Hex, 3-8 Chars), SPI-Outgoing (Hex, 3-8 Chars), Encryption Algorithm, Integrity Algorithm, Key-In and Key-Out (DES: 8 Char, 3DES: 24 Char; MD5: 16 Char, SHA-1: 20 Char), SA Lifetime, PFS Key Group (DH Group 2 (1024 bit)), and Select IKE Policy with a View Selected button.]

4. Complete the fields, select the radio buttons and checkboxes, and make your selections from the pull-down menus as explained in Table 7-12.

Table 7-12. Add VPN Policy Settings
Item: Description (or Subfield and Description)
General
Policy Name: A descriptive name of the VPN policy for identification and management purposes.
Note: The name is not supplied to the remote VPN endpoint.
Policy Type: From the pull-down menu, select one of the following policy types:
• Auto Policy. Some settings (the ones in the Manual Policy Parameters section of the screen) for the VPN tunnel are generated automatically.
• Manual Policy. All settings must be specified, including the ones in the Manual Policy Parameters section of the screen.
Select Local Gateway: For the dual WAN port mo
177. [Figure 12-2: screenshot of the Remote Support screen, with the text "Enter the support key issued by NETGEAR. This information will enable the NETGEAR support team to troubleshoot remotely", a Support Key field, and a Tunnel Status field.]

2. In the Support Key field, enter the support key that was given to you by NETGEAR.
3. Click Connect. When the tunnel is established, the tunnel status field displays ON. To terminate the tunnel, click Disconnect. The tunnel status field displays OFF.

If NETGEAR Technical Support cannot access the UTM remotely, they might ask you to save a log file to your computer and then e-mail it to NETGEAR for analysis (see Gathering Important Log Information on page 11-47).

Sending Suspicious Files to NETGEAR for Analysis

You can report any undetected malware file or malicious e-mail to NETGEAR for analysis. The file is compressed and password-protected before it is sent.

To submit a file to NETGEAR for analysis:
1. Select Support > Malware Analysis from the menu. The Online Support screen displays.
[Figure: screenshot of the Online Support screen, with the tabs Network Security, Registration, Knowledge Base, Documentation, and Malware Analysis; the text "Submit a suspicious file (an infected file that was not detected) or a malicious email to NETGEAR for analysis"; and the fields Email Address, File Location, Source, Product Model, and Description.]
Note: Response and handling tim
178. T The UTM is programmed to recognize some of these applications and to work properly with them, but there are other applications that might not function well. In some cases, local PCs can run the application properly if those PCs are used on the DMZ port.

Note: A separate firewall security profile is provided for the DMZ port that is hardware-independent of the standard firewall security used for the LAN.

The DMZ Setup screen lets you set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 4; see Front Panel on page 1-10) and configure an IP address and subnet mask for the DMZ port.

To enable and configure the DMZ port:
1. Select Network Config > DMZ Setup from the menu. The DMZ Setup screen displays.
[Figure: screenshot of the DMZ Setup screen. The DMZ Port Setup section contains "Do you want to enable DMZ Port?" (Yes/No), IP Address, and Subnet Mask. The DHCP for DMZ Connected Computers section contains Disable DHCP Server, Enable DHCP Server, Enable LDAP information, Domain Name, LDAP Server, Starting IP Address, Search Base, Ending IP Address, port (enter 0 for default port), Primary DNS Server, Secondary DNS Server, WINS Server, Lease Time (Hours), DHCP Relay, Relay Gateway, and Enable DNS Proxy.]
Figure 4
179. TM's enclosure displays factory default, regulatory compliance, and other information (see Figure 1-4 and Figure 1-5 on page 1-13, and Figure 1-6 on page 1-14).

Figure 1-4 shows the product label for the UTM5.
[Figure 1-4: product label for the UTM5. Text on the label: PROSECURE SECURITY ARCHITECTURE BY NETGEAR; ProSecure Unified Threat Management UTM5; This device complies with part 15 of the FCC Rules and Canada ICES-003. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation; VCCI-A; DEFAULT ACCESS: user name admin, password password; Input Rating AC 100-240V 50/60Hz 0.7A max; MAC, SERIAL, WAN MAC; Made in China; 272-10973-01.]

Figure 1-5 shows the product label for the UTM10.
[Figure 1-5: product label for the UTM10. Text on the label: PROSECURE SECURITY ARCHITECTURE BY NETGEAR; ProSecure Unified Threat Management UTM10; This device complies with part 15 of the FCC Rules and Canada ICES-003. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interfe
180. Login/Logout

This section describes logs that are generated by the administrative interfaces of the device.

Table C-6. System Logs: Login/Logout
Message: Nov 28 14:45:42 [UTM] [login] Login succeeded: user admin from 192.168.10.10
Explanation: Login of user admin from host with IP address 192.168.10.10.
Recommended Action: None.
Message: Nov 28 14:55:09 [UTM] [seclogin] Logout succeeded for user admin
Nov 28 14:55:13 [UTM] [seclogin] Login succeeded: user admin from 192.168.1.214
Explanation: Secure login/logout of user admin from host with IP address 192.168.1.214.
Recommended Action: None.

Firewall Restart

This section describes logs that are generated when the firewall restarts.

Table C-7. System Logs: Firewall Restart
Message: Jan 23 16:20:44 [UTM] [wand] [FW] Firewall Restarted
Explanation: Logs that are generated when the firewall is restarted. This log is logged when the firewall restarts after applying any changes in the configuration.
Recommended Action: None.

IPsec Restart

This section describes logs that are generated when IPsec restarts.

Table C-8. System Logs: IPsec Restart
Message: Jan 23 16:20:44 [UTM] [wand] [IPSEC] IPSEC Restarted
Explanation: Logs that are generated when IPsec is restarted. This log is logged when IPsec restarts after applying any changes in the configuration.
Recommended Acti
181. Table 4-5. RIP Configuration Settings
Setting: Description (or Subfield and Description)
RIP
RIP Direction: From the RIP Direction pull-down menu, select the direction in which the UTM sends and receives RIP packets:
• None. The UTM neither advertises its route table nor accepts any RIP packets from other routers. This effectively disables RIP.
• In Only. The UTM accepts RIP information from other routers but does not advertise its routing table.
• Out Only. The UTM advertises its routing table but does not accept RIP information from other routers.
• Both. The UTM advertises its routing table and also processes RIP information received from other routers.
RIP Version: From the RIP Version pull-down menu, select the version:
• RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version.
• RIP-2. Routing that supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format:
  RIP-2B. Sends the routing data in RIP-2 format and uses subnet broadcasting.
  RIP-2M. Sends the routing data in RIP-2 format and uses multicasting.
Authentication for RIP-2B/2M
Authentication for RIP-2B/2M required?: Authentication for RIP-2B or RIP-2M is disabled by default, that is, the No radio button is selected. To enable authentication for RIP-2B or RIP-2M, select the Yes radio button and enter the settings for the fields below.
First Key Parameters
182. The addressing of the firewall's dual WAN port depends on the configuration being implemented.

Table B-2. IP addressing requirements for VPNs in dual WAN port systems
Configuration and WAN IP address | Single WAN Port Configurations (Reference Cases) | Dual WAN Port Configurations: Rollover Mode (a) | Dual WAN Port Configurations: Load Balancing Mode
VPN Road Warrior (Client-to-Gateway), Fixed | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional)
VPN Road Warrior (Client-to-Gateway), Dynamic | FQDN required | FQDN required | FQDN required
VPN Gateway-to-Gateway, Fixed | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional)
VPN Gateway-to-Gateway, Dynamic | FQDN required | FQDN required | FQDN required
VPN Telecommuter (Client-to-Gateway Through a NAT Router), Fixed | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional)
VPN Telecommuter (Client-to-Gateway Through a NAT Router), Dynamic | FQDN required | FQDN required | FQDN required
a. All tunnels must be re-established after a rollover using the new WAN IP address.

For a single WAN gateway configuration, use an FQDN when the IP address is dynamic, and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations.

Dual WAN Ports in Auto-Rollover Mode

A dual WAN port auto-rollover gateway configuration is different from a
183. The login window that is presented to the user requires three items: a user name, a password, and a domain selection. The domain determines the authentication method that is used and, for SSL connections, the portal layout that is presented.

Note: IPsec VPN users always belong to the default domain (geardomain) and are not assigned to groups.

Except in the case of IPsec VPN users, when you create a user account, you must specify a group. When you create a group, you must specify a domain. Therefore, you should first create any domains, then groups, then user accounts.

Configuring Domains

The domain determines the authentication method to be used for associated users. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access. The default domain of the UTM is named geardomain. You cannot delete the default domain.

Table 9-1 summarizes the authentication protocols and methods that the UTM supports.

Table 9-1. Authentication Protocols and Methods
Authentication Protocol or Method: Description (or Subfield and Description)
PAP: Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
CHAP: Challenge Handshake Authentication Protocol (CHAP) executes a t
184. Time. For more information about these settings, see Configuring Date and Time Service on page 10-24.

Table 2-3. Setup Wizard Step 3: System Date and Time Settings
Setting: Description (or Subfield and Description)
Set Time, Date and NTP Servers
Date/Time: From the pull-down menu, select the local time zone in which the UTM operates. The proper time zone is required in order for scheduling to work correctly. The UTM includes a real-time clock (RTC), which it uses for scheduling.
Automatically Adjust for Daylight Savings Time: If daylight savings time is supported in your region, select the Automatically Adjust for Daylight Savings Time checkbox.
NTP Server (default or custom): From the pull-down menu, select an NTP server:
• Use Default NTP Servers. The UTM's RTC is updated regularly by contacting a default Netgear NTP server on the Internet.
• Use Custom NTP Servers. The UTM's RTC is updated regularly by contacting one of the two NTP servers (primary and backup), both of which you must specify in the fields that become available with this menu selection.
Note: If you select this option but leave either the Server 1 or Server 2 field blank, both fields are set to the default Netgear NTP servers.
Note: A list of public NTP servers is available at http://ntp
185. Time: The date and time that the application request was blocked.
Application: The name of the application that was blocked.
Requests: The total number of user requests for the blocked application.
Source IPs: The source IP address from which the request came.

Web Categories
Category: The Web category that was blocked.
Note: For more information about Web categories, see Configuring Web Content Filtering on page 6-23.
Date and Time: The date and time that the Web request was blocked.
Requests: The total number of user requests for the blocked Web category.
Source IPs: The source IP address from which the request came.

Spam
Email Subject: The e-mail subject line in the spam message.
Recipient: The intended recipient of the spam message.
Date and Time: The date and time that the spam message was detected.
Emails: The number of spam messages for the intended recipient.

[Report statistics table residue: columns Protocol, Total Scanned Traffic (MB), Total Emails/Files Scanned, Total Malwares Found, Total Files Blocked, Total URLs Blocked, Total Spam Emails (Blacklist, Distributed Spam Analysis); first row SMTP.] P
186. Typographical Conventions

This manual uses the following typographical conventions:
Italic: Emphasis, books, CDs
Bold: User input, IP addresses, GUI screen text
Fixed: Command prompt, CLI text, code
italic: URL links

Formats

This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note might result in a malfunction or damage to the equipment.
Danger: This is a safety warning. Failure to take heed of this notice might result in personal injury or death.

Scope

This manual is written for the UTM according to these specifications:
Product Version: ProSecure Unified Threat Management (UTM) Appliance
Manual Publication Date: January 2010

For more information about network, Internet, firewall, and VPN technologies, click the links to the NETGEAR Website in Appendix E, Related Documents.

Note: Product updates are available on the NETGEAR website at http://prosecure.netgear.com or http://kb.netgear.com/app/home.

Note: Go to http://prosecure.netgear.com/community/forum.php for information about the ProSecure forum an
187. UTM:
1. Start any of the qualified Web browsers, as explained in Qualified Web Browsers on this page.
2. Enter https://192.168.1.1 in the address field. The NETGEAR Configuration Manager Login screen displays in the browser (see Figure 2-1 on page 2-3, which shows a dual WAN port model, the UTM25).
Note: The UTM factory default IP address is 192.168.1.1. If you change the IP address, you must use the IP address that you assigned to the UTM to log in to the UTM.
[Figure 2-1: screenshot of the NETGEAR Configuration Manager Login screen (PROSECURE SECURITY ARCHITECTURE BY NETGEAR), with the fields User Name (admin), Password/Passcode, and Domain, and the text "When the UTM scans secure HTTPS traffic, you must import root CA certificate into your browser. Click to download." Copyright 2009 NETGEAR.]
Note: The first time that you remotely connect to the UTM with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. You can follow the directions of your browser to accept the SSL certificate, or you can import the UTM's root certificate by clicking the hyperlink at the bottom of the NETGEAR Configuration Manager Login screen.
3. In the User field, type admin. Use lower case letters.
4. In the Password field, typ
188. 8. On the Add IKE Policy screen, complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 7-16.
Note: The settings that are explained in Table 7-16 are specifically for a Mode Config configuration. Table 7-10 on page 7-27 explains the general IKE policy settings.

Table 7-16. Add IKE Policy Settings for a Mode Config Configuration
Item: Description (or Subfield and Description)
Mode Config Record
Do you want to use Mode Config Record?: Select the Yes radio button.
Note: Because Mode Config functions only in Aggressive Mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and disables the Main mode. Mode Config also requires that both the local and remote ends are defined by their FQDNs.
Select Mode Config Record: From the pull-down menu, select the Mode Config record that you created in step 5 above. In this example, we are using NA Sales.
General
Policy Name: A descriptive name of the IKE policy for identification and management purposes.
Note: The name is not supplied to the remote VPN endpoint.
Direction/Type: Responder is automatically selected when you select the Mode Config record (see above). This ensures that the UTM responds to an IKE request from the remote endpoint but does not initiate one.
Exchange Mode: Aggressive Mode is automatically selected w
189. Feature | UTM5 | UTM10 | UTM25
USB ports | 1 | 1 | 1
Console ports (RS232) | 1 | 1 | 1
Flash Memory / RAM | 2 GB / 512 MB | 2 GB / 512 MB | 2 GB / 1 GB
Deployment
VLAN Support | Yes | Yes | Yes
Dual WAN auto-rollover mode | No | No | Yes
Dual WAN load balancing mode | No | No | Yes
Single WAN mode | Yes | Yes | Yes

Service Registration Card with License Keys

Be sure to store the license key card that came with your UTM in a secure location. You do need these keys to activate your product during the initial setup.

[Figure 1-1: the service registration card. Text on the card: PROSECURE SECURITY ARCHITECTURE BY NETGEAR. INSTRUCTIONS: 1. Log in to the unit. The Default Access URL, user name, and password are printed on the product bottom label. 2. Click Support and then Registration to view the Registration screen. 3. Enter the first registration key, customer information, and then click Register. 4. Enter the remaining registration keys one by one, clicking Register to register each. Save these keys. If you ever reset the unit back to its factory defaults, you will need to re-enter these keys. PROSECURE SUPPORT PHONE NUMBERS: Australia 1800 555 025; Austria 0800 202314; Denmark 807 01109; France 0 800 302 881; Germany 0800 1015704; Italy 800 905 608; Japan 0053 179 0011; Norway 800 57 028; Sweden 0201 401 122; Switzerland 0800 000586; UK 0808 2344 027; United States 877 652 1344. DO NOT DISCARD: IMPORTANT KEY INFORMATION.]
190. To view the currently loaded CRLs and upload a new CRL:
1. Select VPN > Certificates from the menu. The Certificates screen displays. Figure 9-15 shows the bottom section of the screen with the Certificate Revocation Lists (CRL) table. There are no examples in the table, that is, the table is empty.
[Figure 9-15: Certificates screen (3 of 3), showing the Certificate Revocation Lists (CRL) table with the columns CA Identity, Last Update, Next Update, and Select/Delete, and the Upload CRL section with a CRL File field and an Upload button.]
The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates:
• CA Identity. The official name of the CA that issued the CRL.
• Last Update. The date when the CRL was released.
• Next Update. The date when the next CRL will be released.
2. In the Upload CRL section, click Browse and navigate to the CRL file that you previously downloaded from a CA.
3. Click the Upload table button. If the verification process on the UTM approves the CRL, the CRL is added to the Certificate Revocation Lists (CRL) table.
Note: If the table already contains a CRL from the same CA, the old CRL is deleted when you upload the new CRL.

To delete one or more CRLs:
1. In the Certificate Revocation Lists (CRL) table, select the checkbox to the left of the CRL that you want to delete, or click the Select All table button to select all CRLs.
2. Click the Delete table button.
191. [Figure 11-13: screenshot of the Active Users table with the columns User Name, IP Address, Login Time, and Action. The example row shows user techpubadmin from 192.168.190.88, logged in Thu Nov 19 09:20:16 2009, with a Disconnect button.]

The active user's user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. To disconnect an active user, click the Disconnect table button to the right of the user's table entry.

Viewing VPN Tunnel Connection Status

To review the status of current IPsec VPN tunnels:
1. Select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view.
2. Click the IPSec VPN Connection Status submenu tab. The IPSec VPN Connection Status screen displays.
[Figure 11-14: screenshot of the IPSec VPN Connection Status screen (submenu tabs: System Status, Dashboard, Diagnostics, Logs & Reports, Active Users, IPSec VPN Connection Status, SSL VPN Connection Status; "The page will auto refresh in 4 seconds"). The Active IPsec SAs table has the columns Policy Name, Endpoint, Tx (KB), Tx (Packets), State, and Action; the example row shows policy GW1 to GW2, endpoint 75.34.173.25, 0.00 KB, 0 packets, state "IPsec SA Not Established", with a Connect action. Below the table: Client Policy; Poll Interval (Seconds), Set Interval, Stop.]

The Active IPsec SAs table lists each active connection with the information that is described in Table 11-12. The default poll interval is 5 seconds. To change the poll interval, p
192. VPN Tunnel. The policy is applied only to a VPN tunnel.
• Port Forwarding. The policy is applied only to port forwarding.
• All. The policy is applied both to a VPN tunnel and to port forwarding.
Permission: From the pull-down menu, select whether the policy permits (PERMIT) or denies (DENY) access.
All Addresses
Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
Port Range / Port Number: A port (enter in the Begin field) or a range of ports (enter in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
Service: From the pull-down menu, select the service to which the SSL VPN policy is applied:
• VPN Tunnel. The policy is applied only to a VPN tunnel.
• Port Forwarding. The policy is applied only to port forwarding.
• All. The policy is applied both to a VPN tunnel and to port forwarding.
Permission: From the pull-down menu, select whether the policy permits (PERMIT) or denies (DENY) access.

4. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table on the Policies screen. The n
193. a domain selection. The domain determines both the authentication method and the portal layout that are used. You must create name and password accounts for the SSL VPN users. When you create a user account, you must specify a group. Groups are used to simplify the application of access policies. When you create a group, you must specify a domain. Therefore, you should create any domains first, then groups, and then user accounts. To configure domains, groups, and users, see Configuring VPN Authentication: Domains, Groups, and Users on page 9-1. Configuring Applications for Port Forwarding. Port forwarding provides access to specific, defined network services. To define these services, you must specify the internal server addresses and port numbers for TCP applications that are intercepted by the port forwarding client on the user's PC. This client reroutes the traffic to the UTM. Adding Servers and Port Numbers. To configure port forwarding, you must define the IP addresses of the internal servers and the port number for TCP applications that are available to remote users. To add a server and a port number: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view. 2. Click the Port Forwarding submenu tab. The Port Forwarding screen d
194. ade. Figure 8-16. 3. In the Add New Resource section of the screen, specify information in the following fields: Resource Name: A descriptive name of the resource for identification and management purposes. Service: From the Service pull-down menu, select the type of service to which the resource applies: VPN Tunnel (the resource applies only to a VPN tunnel); Port Forwarding (the resource applies only to port forwarding); All (the resource applies both to a VPN tunnel and to port forwarding). 4. Click the Add table button. The new resource is added to the List of Resources table. To delete one or more network resources: 1. Select the checkbox to the left of the network resource that you want to delete, or click the Select All table button to select all VPN policies. 2. Click the Delete table button. Editing Network Resources to Specify Addresses. 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view. 2. Click the Resources submenu tab. The Resources screen displays (see Figure 8-16 on page 8-29, which shows some examples). 3. [Screen residue: Type, IP Address; tabs Policies, Portal Layouts, SSL VPN Client, Port Forwarding; example address 172.164.33.12.] Figure 8-17. In the List of Resources table, to the ri
195. [Table of contents fragment for Appendix C, System Logs and Error Messages; most entries are illegible in the source. Legible entries: Login/Logout C-4; Firewall Restart C-4; Content Filtering and Security Logs C-12; Web Filtering and Content Filtering Logs C-12; Instant Messaging/Peer-to-Peer Logs C-15; Routing Logs C-16; LAN to WAN Logs C]
196. agnostics 11-43; Differentiated Services Code Point, see DSCP; differentiated services, see DiffServ mark; Diffie-Hellman, see DH group; DiffServ mark 5-37; digital certificates, see certificates; Distributed Spam Analysis 6-16, 6-17; DMZ: DHCP (address pool 4-20, DNS servers 4-21, domain name 4-20, LDAP server 4-2, lease time 4-21, relay 4-2, server 4-20, WINS server 4-2), DNS proxy 4-22, firewall security 4-18, increasing traffic 70-7, IP addresses 4-20, port 1-5, 4-18, setup settings 4-20, subnet mask 4-20; DNS: automatic configuration of PCs 1-6, dynamic 3-19, looking up an address 11-45, ModeConfig 7-46, proxy 1-6, 2-11, 4-10, 4-22, proxy VLANs 4-5, queries (auto-rollover) 3-11, server IP addresses 2-10, 2-13, 3-9, 4-9, 4-21, 8-10, 8 af; documentation, online 2-2; documents, reference E; domain name: PPPoE 2-13, 3-7, PPTP 2-12, 3-7, SSL VPN 8-6; domain name server, see DNS; domains, for authentication 9-2, 9-10; DoS 1-4, 5-7, 5-28, 5-29, 5-52; downloading SSL certificate 2-3; DPD 7-29, 7-57; DSCP 5-37; dual WAN ports (dual WAN port models): auto-rollover B-6, B-8, B-10; FQDNs 3-19, 7-1, 7-2, B-1, B-9; load balancing 3-9, 3-10, B-7, B-8, B-10; network planning B; overview 1-3; duplex, half and full 3-23; Dynamic DNS, see DDNS; Dynamic Host Configuration Protocol, see DHCP, 1-6; DynDNS.org 3-19, 3-21; E: e-commerce 8; edge devi
197. ail account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name. If your ISP's mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name. ISP Host Name: ___. ISP Domain Name: ___. Fully Qualified Domain Name: Some organizations use a fully qualified domain name (FQDN) from a dynamic DNS service provider for their IP addresses. Dynamic DNS Service Provider: ___. FQDN: ___. Overview of the Planning Process. The areas that require planning when using a firewall that has dual WAN ports, such as the UTM, include the following: Inbound traffic (port forwarding, port triggering); Outbound traffic (protocol binding); Virtual private networks (VPNs). The two WAN ports can be configured on a mutually exclusive basis to either auto-rollover for increased reliability, or load balance for outgoing traffic. These various types of traffic and auto-rollover or load balancing all interact to make the planning process more challenging. Inbound Traffic. Unrequested incoming traffic can be directed to a PC on your LAN rather than being discarded. The mechanism for making the IP address public depends on whether the dual WAN ports are configured for auto-rollover or load balancing. Virtual P
198. ality of Service (QoS) priorities. Each service has its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change the QoS priority, which changes the traffic mix through the system (see Creating Quality of Service (QoS) Profiles on page 5-35). Outbound Rules (Service Blocking). The UTM allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. Note: See Enabling Source MAC Filtering on page 5-42 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall. Warning: Allowing inbound services opens security holes in your UTM. Only enable those ports that are necessary for your network. Table 5-2 on page 5-5 describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 5-3 on page 5-14, Figure 5-6 on page 5-17, and Figure 5-9 on page 5-20). The steps to configure outbound rules are described in the following sections: Setting LAN WAN Rules on page 5-12; Setting DMZ WAN Rules on page 5-15; Setting LAN DMZ Rules on page 5-19. Table 5-2 Outbound Rules Overview. Setting | Description (or Subfield and Description).
199. allow or block internal LAN users from access to certain sites on the Internet, use the UTM's Web URL filtering. You can create or import a whitelist that contains domain names and URLs that are accepted, and a blacklist with domain names and URLs that are blocked. The whitelist takes precedence over the blacklist. Both the whitelist and the blacklist take precedence over keyword blocking. Note: A URL that you enter on the whitelist or blacklist might contain other embedded URLs, such as URLs for advertisements or sponsors, causing unexpected behavior. If you want to allow a URL by placing it on the whitelist, make sure that all embedded URLs are also placed on the whitelist. Similarly, if you want to block a URL by placing it on the blacklist, make sure that all embedded URLs are also placed on the blacklist. To configure Web URL filtering: 1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view. 2. Click the URL Filtering submenu tab. The URL Filtering screen displays (Figure 6-12 shows some examples). [Screen residue: URL Filtering; "Whitelist takes precedence over Blacklist"; Enable; URL entries http://www.google.com, http://www.yahoo.com; "Wildcards are supported"; Add URL; Import from File.]
200. ally created. Note: IPsec VPN users always belong to the default domain (geardomain) and are not assigned to groups. Note: Groups that are defined in the User menu are used for setting SSL VPN policies. These groups should not be confused with LAN groups that are defined on the LAN Groups screen and that are used to simplify firewall policies. For information about LAN groups, see Managing Groups and Hosts (LAN Groups) on page 4-12. Creating and Deleting Groups. To create a VPN group: 1. Select Users > Groups from the menu. The Groups screen displays. Figure 9-3 shows the UTM's default group (geardomain) and, as an example, several other groups in the List of Groups table. [Screen residue: tabs Users, Domains; "Operation succeeded"; columns Name, Domain, Action; rows geardomain / geardomain, SSLTestDomain / SSLTestDomain (Edit), EMEA_Marketing / geardomain (Edit); Default Groups; Select All, Delete; Add New Group: Name, Domain (geardomain), Idle Timeout, Add.] Figure 9-3. The List of Groups table displays the VPN groups with the following fields: Checkbox: Allows you to select the group in the table. Name: The name of the group. If the group name is appended by an asterisk, the group was created by default when you created the domain with the identical
201. an aas. Figure 4-5. The Known PCs and Devices table lists the entries in the Network Database. For each PC or device, the following fields are displayed: Checkbox: Allows you to select the PC or device in the table. Name: The name of the PC or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name). If the PC or device was assigned an IP address by the DHCP server, then the name is appended by an asterisk. IP Address: The current IP address of the PC or device. For DHCP clients of the UTM, this IP address does not change. If a PC or device is assigned a static IP address, you need to update this entry manually after the IP address on the PC or device has changed. MAC Address: The MAC address of the PC or device's network interface. Group: Each PC or device can be assigned to a single LAN group. By default, a PC or device is assigned to Group 1. You can select a different LAN group from the Group pull-down menu in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen. Action: The Edit table button that provides access to the Edit Groups and Hosts screen. Adding PCs or Devices to the Network Database. To add PCs or devices manually to the Network Database: 1. In the Add Known PCs and Device
202. an usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen. To add a customized service: 1. Select Network Security > Firewall Objects from the menu. The Firewall Objects submenu tabs appear with the Services screen in view. The screen displays the Custom Services table with the user-defined services (Figure 5-19 shows some examples). [Screen residue: Network Security; tabs IPS, Firewall, Address Filter, Port Triggering, Services, QoS Profile, Bandwidth Profile, Schedule 1, Schedule 2, Schedule 3; "Operation succeeded"; columns Name, Type, Start Port, End Port, Action; rows 2 ixia TCP 10115 10117 (Edit), 63 RemoteManagement TCP 8888 8888 (Edit), 64 Traceroute ICMP 30 (Edit); Select All, Delete; Add Custom Service: Name, Type, ICMP Type, Start Port, End Port, Add.] Figure 5-19. 2. In the Add Custom Service section of the screen, enter the settings as explained in Table 5-6. Table 5-6 Services Settings. Setting | Description (or Subfield and Description). Name: A descriptive name of the service for identification and management purposes. Type: From the Type pull-down menu, select the Layer 3 protocol that the service uses as its transport protocol: TCP, UDP, or ICMP. ICMP Ty
203. and devices on your LAN. Single address: The rule is applied to the address of a particular PC. Address range: The rule is applied to a range of addresses. Groups: The rule is applied to a group of PCs. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs and Devices table is an automatically maintained list of all known PCs and network devices and is generally referred to as the Network Database, which is described in Managing the Network Database on page 4-13. PCs and network devices are entered into the Network Database by various methods that are described in Managing Groups and Hosts (LAN Groups) on page 4-12. WAN Users: You can specify which Internet locations are covered by an inbound rule, based on their IP address. Any: The rule applies to all Internet IP addresses. Single address: The rule applies to a single Internet IP address. Address range: The rule is applied to a range of Internet IP addresses. Schedule: You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Setting a Schedule to Block or Allow Specific Traffic on pa
204. and graphics: The number of SMTP, POP3, and IMAP incidents, the top 10 e-mail malware threats by count, and the top 10 infected e-mail clients by count. The number of HTTP, HTTPS, and FTP incidents, the top 10 Web malware threats by count, and the top 10 infected Web clients by count. The reports that you select are generated as both Microsoft Office Comma-Separated Values (CSV) and MHTML files. The CSV files contain neither headers for the tables nor graphics, but the MHTML files contain both. You can download the reports as zipped files. Generating Reports. To generate a report: 1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view. 2. Click the Generate Reports submenu tab. The Generate Reports screen displays (see Table 11-24 on page 11-41). [Screen residue: tabs System Status, Active Users & VPNs, Dashboard, Diagnostics; Email and Syslog, Firewall Logs, Alerts, Log Query, Generate Report, Scheduled Report; "Operation succeeded"; Time From / To date and time fields; checkboxes Email Reports, Web Reports, System Reports; Maximum 5 Reports; columns Date, Download, Delete; row 2009-11-19 12:56:26, Download, Delete.] Figure 11-24. 3. Enter the settings as explained
205. and other malware threats. Email filters: All e-mails that are blocked because of file extension and keyword violations. Content filters: All attempts to access blocked Web sites and URLs. IPS: All IPS events. Port Scan: All port scan events. Instant Messaging/Peer to Peer: All instant messaging and peer-to-peer access violations. Firewall: The firewall logs that you have specified on the Firewall Logs screen (see Configuring and Activating Firewall Logs on page 11-13). IPSEC VPN: All IPsec VPN events. SSL VPN: All SSL VPN events. View All / Search Criteria: Select one of the following radio buttons. View All: Display or download the entire selected log. Search Criteria: Query the selected log by configuring the search criteria that are available for the selected log. Start Date/Time: From the pull-down menus, select the year, month, day, hours, and minutes for the start date and time. This field is available for the following logs: Traffic, Spam, Service, Malware, Email filters, Content filters, Port Scan, IPS, Instant Messaging/Peer to Peer. End Date/Time: From the pull-down menus, select the year, month, day, hours, and minutes for the end date and time. This field is available for the following logs: Traffic, Spam, Service, Malware, Email filters, Content filters, Port Scan, IPS, Instant Messaging/Peer to Peer. Protocols: Select one or more checkboxes to sp
206. 4. Enter the settings as explained in Table 7-20. Table 7-20 Keepalive Settings. Item | Description (or Subfield and Description). General: Enable Keepalive: Select the Yes radio button to enable the Keepalive feature. Periodically, the UTM sends ping packets to the remote endpoint to keep the tunnel alive. You must enter the ping IP address, detection period, and the maximum number of times that the UTM attempts to reconnect (see below). Ping IP Address: The IP address that the UTM pings. The address must be of a host that can respond to ICMP ping requests. Detection period: The period in seconds between the ping packets. The default setting is 10 seconds. Reconnect after failure count: The number of consecutive missed responses that are considered a tunnel connection failure. The default setting is 3 missed responses. 5. Click Apply to save your settings. Configuring Dead Peer Connection. The Dead Peer Detection (DPD) feature maintains the IKE SA by exchanging periodic messages with the remote VPN peer. To configure DPD on a configured IKE policy: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-24). 2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that you want to edi
207. Table 4-1 VLAN Profile Settings (continued). Setting | Description (or Subfield and Description). Enable LDAP (continued): Search Base: The search objects that specify the location in the directory information tree from which the LDAP search begins. You can specify multiple search objects separated by commas. The search objects include cn (for common name), ou (for organizational unit), o (for organization), c (for country), and dc (for domain). For example, to search the Netgear.net domain for all last names of Johnson, you would enter cn=Johnson,dc=Netgear,dc=net. Port: The port number for the LDAP server. The default setting is zero. DNS Proxy: Enable DNS Proxy: This is optional. Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution. This setting is disabled by default. Note: When you deselect the Enable DNS Proxy radio button, the UTM still services DNS requests that are sent to its LAN IP address unless you disable DNS Proxy in the firewall settings (see Attack Checks on page 5-27). Inter VLAN Routing: Enable Inter VLAN Routing: This is optional. Select the Enable Inter VLAN Routing radio button to ensure that traffic is routed only to VLANs for which inter-VLAN routing is enabled. This setting is disabled by default. When the Enable
208. any of these services, select the corresponding checkbox. Note: For Instant Messaging services, the following services can be blocked: logging in, sharing files, sharing video, sharing audio, and text messaging. BitTorrent, eDonkey, Gnutella: Scanning of these file sharing applications is disabled by default. To enable any of these services, select the corresponding checkbox. [Screen residue: Setup Wizard Step 5 of 10, Email Security; SMTP: Block infected email; POP3: Delete attachment; IMAP: Delete attachment; "if the file or message is larger than ___ KB (Maximum 10240 KB)".] Figure 2-11. Enter the settings as explained in Table 2-5, then click Next to go to the following screen. Note: After you have completed the steps in the Setup Wizard, you can make changes to the email security settings by selecting Application Security > Email Anti-Virus. The Email Anti-Virus screen also lets you specify notification settings and email alert settings. For more information about these settings, see Customizing E-mail Anti-Virus and Notification Settings on page 6-5. Table 2-5 Setup Wizard Step 5: Email Security Settings. Setting | Description (or Subfield and Description). Action: SMTP: From the SMTP pull-dow
209. ar. Tracing a Route. A traceroute lists all routers between the source (the UTM) and the destination IP address. To send a traceroute: 1. Locate the Network Diagnostics section on the Diagnostics screen. 2. In the IP Address field, enter the IP address for which you want to trace the route. 3. Click the Traceroute button. The results of the traceroute are displayed in a new screen. To return to the Diagnostics screen, click Back on the Windows menu bar. Displaying the Routing Table. Displaying the internal routing table can assist NETGEAR Technical Support to diagnose routing problems. To display the routing table: 1. Locate the Network Diagnostics section on the Diagnostics screen. 2. Next to Display the Routing Table, click the Display button. The routing table is displayed in the Route Display screen that appears as a popup window. Looking up a DNS Address. A DNS (Domain Name Server) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address. To look up a DNS address: 1. Locate the Perform a DNS Lookup section on the Diagnostics screen. 2. In the Domain Name field, enter a domain name. 3. Click the Lookup button. The results of the lookup action a
210. are applicable only to SMTP and POP3. Viewing Status Screens. The UTM provides real-time information in a variety of status screens that are described in the following sections: Viewing System Status on this page; Viewing Active VPN Users on page 11-24; Viewing VPN Tunnel Connection Status on page 11-24; Viewing Port Triggering Status on page 11-26; Viewing the WAN Ports Status on page 11-27; Viewing Attached Devices and the DHCP Log on page 11-29; Viewing the DHCP Log on page 11-31. Viewing System Status. The System Status screen provides real-time information about the following important components of the UTM: CPU, memory, and hard disk status, and the number of active connections per protocol; Firmware versions and update information of the UTM software, versions and update information of the components, license expiration dates for each type of license, and hardware serial number; WAN and LAN port information; Interface statistics. To view the System Status screen, click Monitoring > System Status. Because of the size of the System Status screen, it is divided and presented in this manual in three figures (Figure 11-10 on page 11-21, Figure 11-11 on page 11-22, and Figure 11-12 on page 11-23), all of which
211. are filtered to block objectionable or high-risk content; Customer notifications and e-mail alerts that are sent when events are detected; Rules and policies for spam detection. Customizing E-mail Protocol Scan Settings. To configure the e-mail protocols and ports to scan: 1. Select Application Security > Services from the menu. The Services screen displays (Figure 6-1 shows the upper part of the Services screen only). [Screen residue: tabs Email Anti-Virus, Email Filters, Anti-Spam, HTTP/HTTPS, FTP, Block/Accept Exceptions, Scanning Exclusions; columns Enable Service, Ports to Scan for SMTP, POP3, and IMAP.] Figure 6-1. 2. In the Email section of the screen, select the protocols to scan by selecting the Enable checkboxes, and enter the port numbers if different from the default port numbers: SMTP: Simple Mail Transfer Protocol (SMTP) scanning is enabled by default on port 25. POP3: Post Office Protocol 3 (POP3) scanning is enabled by default on port 110. IMAP: Internet Message Access Protocol (IMAP) scanning is enabled by default on port 143. Note: If a protocol uses a port other than the standard service port (for example, port 25 for SMTP), enter this non-standard port in the Ports to Scan field. For example, if the SMTP service on your network
212. 2. Either select an entry from the VLAN Profiles table by clicking the corresponding Edit table button, or add a new VLAN profile by clicking the Add table button under the VLAN Profiles table. The Edit VLAN Profile screen displays (see Figure 4-3). [Screen residue: Edit VLAN Profile; "Operation succeeded"; VLAN Profile: Profile Name, VLAN ID; Port Membership: Port 1, Port 2, Port 3, Port 4, DMZ; IP Address, Subnet Mask; Disable DHCP Server / Enable DHCP Server: Domain Name, Starting IP Address, Ending IP Address, Primary DNS Server, Secondary DNS Server, WINS Server, Lease Time (Hours); DHCP Relay: Relay Gateway; Enable LDAP information: LDAP Server, Search Base, Port (enter 0 for default port); Enable DNS Proxy; Inter VLAN Routing: Enable Inter VLAN Routing.] Figure 4-3. 3. Enter the settings as explained in Table 4-1. Table 4-1 VLAN Profile Settings. Setting | Description (or Subfield and Description). VLAN Profile: Profile Name: Enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN. VLAN ID: Enter a unique ID numb
213. ary DNS server IP address. WINS Server: This is optional. Enter a WINS server IP address to specify the Windows NetBIOS server IP if one is present in your network. Lease Time: Enter a lease time. This specifies the duration for which IP addresses are leased to clients. DHCP Relay: Select the DHCP Relay radio button to use the UTM as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the following setting: Relay Gateway: The IP address of the DHCP server for which the UTM serves as a relay. Enable LDAP information: Select the Enable LDAP information checkbox to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the following settings: LDAP Server: The IP address or name of the LDAP server. Search Base: The search objects that specify the location in the directory tree from which the LDAP search begins. You can specify multiple search objects separated by commas. The search objects include cn (for common name), ou (for organizational unit), o (for organization), c (for country), and dc (for domain). For example, to search the Netgear.net domain for all last names of Johnson, you would enter cn=Johnson,dc=Netgear,dc=net. Port: The port number for the LDAP server. The default setting is zero. Table
214. ary WAN Addresses. A single WAN Ethernet port can be accessed through multiple IP addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a Web server and an FTP server, even though both servers use the same physical IP address. You can add several secondary IP addresses to the WAN port of a single WAN port model, or to the WAN1 port and WAN2 port of a dual WAN port model. After you have configured secondary WAN addresses, these addresses are displayed on the following firewall rule screens: In the WAN Destination IP Address pull-down menus of the following inbound firewall rule screens: Add LAN WAN Inbound Service screen; Add DMZ WAN Inbound Service screen. In the NAT IP pull-down menus of the following outbound firewall rule screens: Add LAN WAN Outbound Service screen; Add DMZ WAN Outbound Service screen. For more information about firewall rules, see Using Rules to Block or Allow Specific Kinds of Traffic on page 5-3. It is important that you ensure that any secondary WAN addresses are different from the primary WAN, LAN, and DMZ IP addresses that are already configured on the UTM. However, primary and secondary WAN addresses can be in the same subnet. The following is an example of properly configured IP addresses on a dual WAN port model: Primary WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0. Secondary WAN1 IP
215. as the primary link for this mode. Note: Ensure that the backup WAN port is configured before enabling Auto-Rollover mode. Table 3-5 Auto-Rollover Mode Settings (Dual WAN Port Models Only) (continued). Setting | Description (or Subfield and Description). WAN Failure Detection Method: Select one of the following failure detection methods: DNS lookup using WAN DNS Servers: DNS queries are sent to the DNS server configured on the WAN ISP pages (see Configuring the Internet Connections on page 3-2). DNS lookup using this DNS Server: DNS queries are sent to this server through the WAN interface being monitored. The retry interval and number of failover attempts determine how quickly the UTM switches from the primary link to the backup link in case the primary link fails, or, when the primary link comes back up, switches back from the backup link to the primary link. Enter the following DNS settings: WAN1: The IP address of the DNS server for port WAN1. WAN2: The IP address of the DNS server for port WAN2. Retry Interval is: The retry interval in seconds. The DNS query is sent periodically after every test period. The default test period is 30 seconds. Failover after: The number of failover attempts. The primary WAN link is considered down aft
216. at provides the SSL user with the following menu selections: VPN Tunnel: Provides full network connectivity. Port Forwarding: Provides access to the network services that you defined in SSL VPN Wizard Step 5 of 6: Port Forwarding on page 8-11. Change Password: Allows the user to change their password. Support: Provides access to the NETGEAR Web site. Viewing the UTM SSL VPN Connection Status. To review the status of current SSL VPN tunnels: 1. Select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view. 2. Click the SSL VPN Connection Status submenu tab. The SSL VPN Connection Status screen displays. [Screen residue: tabs Dashboard, Diagnostics, Logs & Reports, Active Users, IPSec VPN Connection Status, SSL VPN Connection Status; columns User Name, Group, IP Address, Login Time, Action; row techpubadmin, geardomain, 192.168.190.88, Tue Nov 17 17:09:54 2009, Disconnect.] Figure 8-10. The active user's user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the user's table entry. Viewing the UTM SSL VPN Log. To query the SSL VPN log: 1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view. 2. Click the
217. ... that you select. When you select a configuration menu link, the letters are displayed in white against a grey background.
- 3rd Level, Submenu tabs: Each configuration menu item has one or more submenu tabs that are listed below the grey menu bar. When you select a submenu tab, the text is displayed in white against a blue background.
- Option arrows: If there are additional screens for the submenu item, they are displayed on the right side in blue letters against a white background, preceded by a white arrow in a blue circle.

The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. Figure 2-4 shows an example.

Figure 2-4. Action buttons at the bottom of a screen

Any of the following action buttons might be displayed on screen (this list might not be complete):
- Apply: Save and apply the configuration.
- Reset: Reset the configuration to default values.
- Test: Test the configuration before you decide whether or not to save and apply it.
- Auto Detect: Enable the UTM to detect the configuration automatically and suggest values for the configuration.
- Next: Go to the next screen (for wizards).
- Back: Go to the previous screen (for wizards).
- Search: Perform a search operation.
- Cancel: Cancel the operation.
- Send Now: Send a file or report ...
218. ... categories that are preceded by a green rectangle are allowed by default; categories that are preceded by a pink rectangle are blocked by default.

Blocked Categories Scheduled Days: Select one of the following radio buttons.
- All Days: The schedule is in effect all days of the week.
- Specific Days: The schedule is active only on specific days. To the right of the radio buttons, select the checkbox for each day that you want the schedule to be in effect.

Blocked Categories Time of Day: Select one of the following radio buttons.
- All Day: The schedule is in effect all hours of the selected day or days.
- Specific Times: The schedule is active only on specific hours of the selected day or days. To the right of the radio buttons, specify the Start Time and End Time fields (Hour, Minute, AM/PM) during which the schedule is in effect.

Notification Settings: The UTM replaces the content of a Web page that is blocked because of violating content with the following text, which you can customize:
  Internet Policy has restricted access to this location: URL. Full text search found the content to have the keyword KEYWORD.
Note: The text is displayed on the Content Filtering screen with its HTML tags. When the UTM replaces the content of a blocked Web page, the browser renders the notification text as HTML.
Note: Make sure that you keep the URL and KEYWORD meta words in the text to enable the UTM to insert ...
219. ... feature to assign IP addresses to remote users, including a network access IP address, subnet mask, WINS server, and DNS address, from the UTM. Remote users are given IP addresses available in a secured network space so that remote users appear as seamless extensions of the network.

Mode Config Operation

After the IKE Phase 1 negotiation is complete, the VPN connection initiator (the remote user with a VPN client) requests the IP configuration settings (IP address, subnet mask, WINS server, and DNS address) from the UTM. The Mode Config feature allocates an IP address from the configured IP address pool and activates a temporary IPsec policy using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record on the Add Mode Config Record screen (shown in Figure 7-26 on page 7-45).

Note: After configuring a Mode Config record, you must manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record pull-down menu (see "Configuring Mode Config Operation on the UTM" on page 7-43). You do not need to make changes to any VPN policy.

Note: An IP address that is allocated to a VPN client is released only after the VPN client has gracefully disconnected or after the SA lifetime for the connection has timed out. A client that drops off the network without sending an IKE delete therefore holds its address until the SA lifetime expires; size the pool with this in mind.

Configuring Mode Config Operation on the UTM

To configure Mode Config on the UTM, you ...
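The release rule in the note above has a practical consequence for pool sizing, which the following added example makes concrete. It is illustrative code, not NETGEAR firmware: a small Mode Config pool that hands out addresses after Phase 1, frees them on graceful disconnect, and otherwise only when the SA lifetime expires. The pool range, SA lifetime and client identities are constructed, and keying leases by IKE identity is an assumption about how the firmware tracks them.

```python
"""Added example (not NETGEAR code): a Mode Config address pool with the
release rule stated above: an address is freed only when the client
disconnects gracefully or when the SA lifetime expires.

The pool range, the SA lifetime and the client identities are constructed;
keying leases by IKE identity is an assumption."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class ModeConfigPool:
    def __init__(self, first: str, last: str, sa_lifetime: int) -> None:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        self.free = [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
        self.sa_lifetime = sa_lifetime                          # seconds
        self.leases: Dict[str, Tuple[ipaddress.IPv4Address, int]] = {}  # client -> (addr, expiry)

    def allocate(self, client_id: str, now: int) -> Optional[str]:
        """Hand out the next free address after IKE Phase 1; None if the pool is empty."""
        self.expire(now)
        if client_id in self.leases:                            # re-request by a live client
            return str(self.leases[client_id][0])
        if not self.free:
            return None
        addr = self.free.pop(0)
        self.leases[client_id] = (addr, now + self.sa_lifetime)
        return str(addr)

    def release(self, client_id: str) -> bool:
        """Graceful disconnect (IKE delete): return the address immediately."""
        lease = self.leases.pop(client_id, None)
        if lease is None:
            return False
        self.free.append(lease[0])
        return True

    def expire(self, now: int) -> List[str]:
        """Free addresses whose SA lifetime has elapsed (ungraceful disconnects)."""
        expired = [cid for cid, (_, exp) in self.leases.items() if exp <= now]
        for cid in expired:
            self.release(cid)
        return expired

    def in_use(self) -> int:
        return len(self.leases)


if __name__ == "__main__":
    # Constructed scenario: a three-address pool and a one-hour SA lifetime.
    pool = ModeConfigPool("10.8.0.10", "10.8.0.12", sa_lifetime=3600)
    for who in ("alice", "bob", "carol", "dave"):
        print(who, pool.allocate(who, now=0))   # dave gets None: pool exhausted
    print(pool.expire(3600), pool.in_use())
```

With a pool this small, three clients that lose connectivity without an IKE delete keep a fourth user out for the full SA lifetime; either provision more addresses than the expected concurrent user count or shorten the SA lifetime on the IKE policy.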
220. ... status monitoring.

Number of concurrent users supported: The number of supported dedicated SSL VPN tunnels depends on the model; see NETGEAR's marketing documentation at http://prosecure.netgear.com.
SSL versions: SSLv3, TLS 1.0
SSL encryption algorithms: DES, 3DES, ARC4, AES-128, AES-192, AES-256
SSL message integrity: MD5, SHA-1, MAC-MD5, MAC-SHA-1, HMAC-MD5, HMAC-SHA-1
SSL authentication types: Local user database, RADIUS-PAP, RADIUS-CHAP, RADIUS-MSCHAP, RADIUS-MSCHAPv2, WiKID-PAP, WiKID-CHAP, MIAS-PAP, MIAS-CHAP, NT Domain
SSL certificates supported: CA digital certificate, self digital certificate (the appliance's own certificate)

Note: These are the protocol versions and algorithms supported by the January 2010 firmware. SSLv3, DES, ARC4 (RC4), and MD5 are no longer considered secure, and TLS 1.0 has since been deprecated; where the client allows it, negotiate the strongest combination the appliance offers (TLS 1.0 with AES-256 and HMAC-SHA-1) and plan for a platform that supports TLS 1.2 or later.

Note: For default e-mail and Web scan settings, see Table 6-1 on page 6-2.

Appendix B
Network Planning for Dual WAN Ports (Dual WAN Port Models Only)

This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix does not apply to single WAN port models.

This appendix contains the following sections:
- What to Consider Before You Begin (on this page)
- Overview of the Planning Process (page B-5)
- Inbound Traffic (page B-7)
- Virtual Private Networks (VPNs) (page B-9)

What to Consider Before You Begin

The UTM is a powerful and versatile solution for your networking needs. To make the configuration process ...
221. ... have located your Internet configuration information, you might want to record the information in the following section.

Internet Connection Information

Print these pages with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP.

- ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, fill in the following:
  Login Name: ________
  Password: ________
  Service Name: ________
- Fixed or Static IP Address: If you have a static IP address, record the following information. An ISP-assigned static address is a publicly routable address, for example 203.0.113.148 (an address from the RFC 5737 documentation range). Note that 169.254.x.x addresses belong to the link-local range reserved by RFC 3927; a host assigns itself such an address when no DHCP server answers, so an address in that range is never an ISP-assigned static address.
  Fixed or Static Internet IP Address: ________
  Gateway IP Address: ________
  Subnet Mask: ________
- ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:
  Primary DNS Server IP Address: ________
  Secondary DNS Server IP Address: ________
- Host and Domain Names: Some ISPs use a specific host or domain name, like CCA7324-A or home. If you have not been given host or domain names, you can use the following examples as a guide. If your main e-m...
222. ... way WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional.

VPN Gateway-to-Gateway, Dual Gateway WAN Ports for Improved Reliability

In a configuration with two dual WAN port VPN gateways that function in auto-rollover mode, only one WAN port at each end is active at a time. If the active port fails, the gateway rolls over to its backup port, and the VPN tunnel must be re-established between whichever WAN ports are then active at the two ends. Because neither peer can know in advance which port the other end will be using, the tunnel endpoints must be identified by FQDN rather than by a fixed IP address. In this example (see Figure B-14), port WAN_A1 is active and port WAN_A2 is inactive at Gateway A; port WAN_B1 is active and port WAN_B2 is inactive at Gateway B.

Figure B-14. Gateway-to-Gateway Example, Dual WAN Ports Before Rollover: Gateway A (VPN router at office A, LAN 10.5.6.0/24, LAN IP 10.5.6.1; WAN_A1 active, FQDN netgearA.dyndns.org; WAN_A2 inactive, IP N/A) and Gateway B (VPN router at office B, LAN 172.23.9.0/24, LAN IP 172.23.9.1; WAN_B1 active, FQDN netgearB.dyndns.org; WAN_B2 inactive, IP N/A). Fully Qualified Domain Names (FQDN) are required for both fixed and dynamic IP addresses.

The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you must always use an FQDN because the active WAN ports could be any of WAN_A1, WAN_A2, WAN_B1, or WAN_B2; that is, the IP address of the active WAN ports is not known in advance.
223. ... displays the information that is described in Table 11-13.

Table 11-13. Port Triggering Status Information

Item: Description or Subfield and Description
#: The sequence number of the rule on screen.
Rule: The name of the port triggering rule that is associated with this entry.
LAN IP Address: The IP address of the computer or device that is currently using this rule.
Open Ports: The incoming ports that are associated with this rule. Incoming traffic using one of these ports is sent to the IP address that is listed in the LAN IP Address field.
Time Remaining: The time remaining before this rule is released and made available for other computers or devices. This timer is restarted whenever incoming or outgoing traffic is received.

Viewing the WAN Ports Status

You can view the status of both WAN connections, the DNS servers, and the DHCP servers.

To view the status of the WAN1 port (dual WAN port models) or the WAN port (single WAN port models):
1. Select Network Config > WAN Settings from the menu. On the dual WAN port models, the WAN Settings submenu tabs appear with the WAN1 ISP Settings screen in view (see Figure 11-18 on page 11-28). On the single WAN port models, the WAN ISP Settings screen displays.

Figure 11-18. WAN1 ISP Settings screen (tabs: WAN1 ISP Settings, WAN2 ISP Settings; the screen begins with the "Does Your Internet ..." field)
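Table 11-13 is easier to read once you see what produces its rows. The following is an added example, not NETGEAR firmware code: a port-triggering table in which an outbound connection on a rule's trigger port claims the rule for the LAN host that sent it, inbound traffic on the rule's open ports is forwarded to that host until the entry times out, and any traffic on the entry restarts the timer. The rule, hosts, ports and timeout are constructed, and the assumption that a rule is held by one host at a time reflects the "made available for other computers" wording above.

```python
"""Added example (not NETGEAR code): the behaviour behind the Port Triggering
Status entries in Table 11-13.  The rule, hosts, ports and timeout are
constructed; the trigger-port/open-port model and one holder per rule are
assumptions about the firmware."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class TriggerRule:
    name: str
    trigger_ports: Set[int]   # outbound destination ports that arm the rule
    open_ports: Set[int]      # inbound ports then forwarded to the triggering host


class PortTriggerTable:
    def __init__(self, rules: Iterable[TriggerRule], timeout: int) -> None:
        self.rules: Dict[str, TriggerRule] = {r.name: r for r in rules}
        self.timeout = timeout                          # seconds an idle entry lives
        self.entries: Dict[str, Tuple[str, int]] = {}   # rule name -> (lan_ip, expiry)

    def _purge(self, now: int) -> None:
        """Release entries whose timer has run out ("Time Remaining" hit zero)."""
        for name in [n for n, (_, exp) in self.entries.items() if exp <= now]:
            del self.entries[name]

    def outbound(self, lan_ip: str, dst_port: int, now: int) -> Optional[str]:
        """A LAN host opened a connection to dst_port; arm the rule it triggers, if any."""
        self._purge(now)
        for rule in self.rules.values():
            if dst_port in rule.trigger_ports:
                holder = self.entries.get(rule.name)
                if holder and holder[0] != lan_ip:
                    return None                 # rule busy: another host holds it
                self.entries[rule.name] = (lan_ip, now + self.timeout)
                return rule.name
        return None

    def inbound(self, dst_port: int, now: int) -> Optional[str]:
        """Return the LAN IP an inbound packet on dst_port is forwarded to, or None."""
        self._purge(now)
        for name, (lan_ip, _) in self.entries.items():
            if dst_port in self.rules[name].open_ports:
                self.entries[name] = (lan_ip, now + self.timeout)   # restart the timer
                return lan_ip
        return None

    def time_remaining(self, rule_name: str, now: int) -> int:
        self._purge(now)
        entry = self.entries.get(rule_name)
        return max(0, entry[1] - now) if entry else 0


if __name__ == "__main__":
    # Constructed rule: an outbound IRC connection (6667) opens ident (113) inbound.
    table = PortTriggerTable([TriggerRule("irc", {6667}, {113})], timeout=600)
    table.outbound("192.168.10.10", 6667, now=0)
    print(table.inbound(113, now=100), table.time_remaining("irc", now=100))
```

Security-wise the thing to notice is that the open port is reachable from any WAN source while the entry lives, and inbound hits keep extending it; keep trigger rules to the few services that need them and leave the timeout short.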
224. ... Figure 8-13. Add Portal Layout screen (fields shown: Portal Layout and Theme Name; Portal Site Title; Banner Title; Banner Message, with the example text "In case of login difficulty, call ..."; Display banner message on login page; HTTP meta tags for cache control (recommended); ActiveX web cache cleaner; SSL VPN Portal Pages to Display: VPN Tunnel page, Port Forwarding)

4. Complete the fields and select the checkboxes as explained in Table 8-6.

Table 8-6. Add Portal Layout Settings

Item: Description or Subfield and Description

Portal Layout and Theme Name
  Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL.
  Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.com and you create a portal layout named CustomerSupport, then users access the sub-site at https://vpn.company.com/portal/CustomerSupport.
  Note: Only alphanumeric characters, hyphens (-), and underscores (_) are accepted in the Portal Layout Name field. If you enter other types of characters or spaces, the layout name is truncated before the first non-alphanumeric character.
  Note: Unlike most other URLs, this name is case sensitive.
  Portal Site Title: The title that appears at the top of the user's Web browser window ...
225. ... bar indicates traffic on the tunnel.

Viewing the UTM IPsec VPN Connection Status

To review the status of current IPsec VPN tunnels:
1. Select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view.
2. Click the IPSec VPN Connection Status submenu tab. The IPSec VPN Connection Status screen displays. Figure 7-18 shows an IPsec SA as an example.

Figure 7-18. IPSec VPN Connection Status screen (Active IPsec SAs table columns: Policy Name, Endpoint, Tx (KB), Tx (Packets), State, Action; example row: GW1_to_GW2, 75.34.173.25, 0.00, 0, IPsec SA Not Established, Connect; Client Policy; Poll Interval (Seconds) with Set Interval and Stop buttons; the page auto-refreshes)

The Active IPsec SAs table lists each active connection with the information that is described in Table 7-8. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field and then click Set Interval. To stop polling, click Stop.

Table 7-8. IPsec VPN Connection Status Information

Item: Description or Subfield and Description
Policy Name: The name of the VPN policy that is associated with this ...
226. ... bb:22:cc:03. Click the Add table button. The MAC address is added to the MAC Addresses table. Click Apply to save your settings.

To remove one or more entries from the table:
1. Select the checkbox to the left of the MAC address that you want to delete, or click the Select All table button to select all entries.
2. Click the Delete table button.

Setting up IP/MAC Bindings

IP/MAC Binding allows you to bind an IP address to a MAC address and vice versa. Some PCs or devices are configured with static addresses. To prevent users from changing their static IP addresses, enable the IP/MAC Binding feature on the UTM. If the UTM detects a packet whose IP address matches a binding but whose MAC address does not (or vice versa), the packet is dropped. If you have enabled the logging option for the IP/MAC Binding feature, these packets are logged before they are dropped. The UTM displays the total number of dropped packets that violate either the IP-to-MAC binding or the MAC-to-IP binding.

Note: You can bind IP addresses to MAC addresses for DHCP assignment on the LAN Groups submenu. See "Managing the Network Database" on page 4-13.

As an example, assume that three computers on the LAN are set up as follows:
- Host1: MAC address 00:01:02:03:04:05 and IP address 192.168.10.10
- Host2: MAC address ...
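The two violation types above (a known IP with the wrong MAC, a known MAC with the wrong IP) are worth seeing side by side. The following is an added example, not NETGEAR firmware code: it runs the binding check over a few constructed packets, counts drops per violation type as the UTM's counter does, and emits a log line per drop. Host1 is the binding the manual lists; the second binding, the packets and the log line format are constructed.

```python
"""Added example (not NETGEAR code): the IP/MAC Binding check described above,
run over constructed packets.  Host1 (00:01:02:03:04:05, 192.168.10.10) is
the binding the manual lists; everything else here is constructed."""
from typing import Dict, List, Tuple

BINDINGS: Dict[str, str] = {                 # IP address -> MAC address
    "192.168.10.10": "00:01:02:03:04:05",    # Host1, from the manual
    "192.168.10.11": "00:01:02:03:04:06",    # constructed
}


def check_packet(src_ip: str, src_mac: str, bindings: Dict[str, str]) -> Tuple[str, str]:
    """Return ("accept"|"drop", reason) for one packet's source IP/MAC pair."""
    src_mac = src_mac.lower()
    mac_to_ip = {mac.lower(): ip for ip, mac in bindings.items()}
    bound_mac = bindings.get(src_ip)
    if bound_mac is not None and bound_mac.lower() != src_mac:
        return "drop", "ip-to-mac"           # a bound IP presented with the wrong MAC
    bound_ip = mac_to_ip.get(src_mac)
    if bound_ip is not None and bound_ip != src_ip:
        return "drop", "mac-to-ip"           # a bound MAC presented with the wrong IP
    return "accept", "ok"                    # unbound pairs pass: binding is not a whitelist


def enforce(packets: List[Tuple[str, str]], bindings: Dict[str, str], log: bool = True):
    """Apply the check to each (src_ip, src_mac); return (accepted, drop counts, log lines)."""
    accepted, drops, lines = [], {"ip-to-mac": 0, "mac-to-ip": 0}, []
    for src_ip, src_mac in packets:
        verdict, reason = check_packet(src_ip, src_mac, bindings)
        if verdict == "accept":
            accepted.append((src_ip, src_mac))
        else:
            drops[reason] += 1
            if log:
                lines.append(f"IP/MAC BIND DROP SRC={src_ip} MAC={src_mac} VIOLATION={reason}")
    return accepted, drops, lines


if __name__ == "__main__":
    # Constructed packets: legitimate Host1, a spoofed IP, a moved MAC, an unbound host.
    PACKETS = [
        ("192.168.10.10", "00:01:02:03:04:05"),
        ("192.168.10.10", "00:aa:bb:cc:dd:ee"),
        ("192.168.10.99", "00:01:02:03:04:05"),
        ("192.168.10.50", "00:aa:bb:cc:dd:ee"),
    ]
    print(enforce(PACKETS, BINDINGS))
```

Note the last constructed packet: an address pair that appears in no binding is accepted, so IP/MAC binding pins the hosts you list but does not by itself keep unknown hosts off the LAN; combine it with the source MAC filter or LAN group controls for that.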
227. ... between the Starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address.
Note: The starting and ending DHCP IP addresses should be in the same network as the LAN TCP/IP address of the UTM (the IP address in the LAN TCP/IP section above).

Table 2-1. Setup Wizard Step 1, LAN Settings, continued

Setting: Description or Subfield and Description

Enable DHCP Server (continued)
  Primary DNS Server: Optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM provides its own LAN IP address as the primary DNS server IP address.
  Secondary DNS Server: Optional. If an IP address is specified, the UTM provides this address as the secondary DNS server IP address.
  WINS Server: Optional. Enter a WINS server IP address to specify the Windows NetBIOS server, if one is present in your network.
  Lease Time: Enter a lease time. This specifies the duration for which IP addresses are leased to clients.
DHCP Relay: Select the DHCP Relay radio button to use the UTM as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the following setting:
  Relay Gateway: The IP address of the DHCP se...
228. ... subject line for the notification e-mail is "Malware detected". You can change this subject line.
Message: The warning message informs the sender, the recipient, or both about the name of the malware threat. You can change the default message to include more information.
Note: Make sure that you keep the VIRUSINFO meta word in a message to enable the UTM to insert the proper malware information. In addition to the VIRUSINFO meta word, you can insert the following meta words in your customized message: TIME, PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME.
3. Click Apply to save your settings.

E-mail Content Filtering

The UTM provides several options to filter unwanted content from e-mails. You can filter content from e-mails based on keywords in the subject line, the file type of the attachment, and the file name of the attachment. You can also set an action to perform on e-mails with password-protected attachments.

Several types of e-mail blocking are available:
- Keyword blocking: You can specify words that, should they appear in the e-mail subject line, cause that e-mail to be blocked by the UTM.
- Password-protected attachments: You can block e-mails based on password-protected attachments such as ZIP or RAR attachments.
- File extension blocking: You can block e-mails based on the extensions of attached files. Such files can include executable files, audio and video files, and compressed files.
- File ...
229. ... blacklist, and it is disabled by default.

To delete a blacklist provider from the real-time blacklist:
1. In the real-time blacklist, click the Delete table button next to the blacklist provider that you want to delete.
2. Click Apply to save your settings.

Configuring Distributed Spam Analysis

Spam, phishing, and other e-mail-borne threats consist of millions of messages intentionally composed differently to evade commonly used filters. Nonetheless, all messages within the same outbreak share at least one unique, identifiable value, which can be used to distinguish the outbreak. With distributed spam analysis, message patterns are extracted from the message envelope, headers, and body with no reference to the content itself. Pattern analysis can then be applied to identify outbreaks in any language, message format, or encoding type. Message patterns can be divided into distribution patterns and structure patterns. Distribution patterns determine if the message is legitimate or a potential threat by analyzing the way it is distributed to the recipients, while structure patterns determine the volume of the distribution.

The UTM uses a Distributed Spam Analysis architecture to determine whether or not an e-mail is spam for SMTP and POP3 e-mails. Any e-mail that is identified as spam is tagged as spam (an option for both SMTP and POP3) or blocked (an option possible only for SMTP).

Note: Unlike other scans, you do not need to configure ...
230. ... blocked URL in the notification text.
4. Click Apply to save your settings.

HTTPS Scan Settings

HTTPS traffic is encrypted and cannot be scanned as-is; otherwise the data stream would not be secure. However, the UTM can scan HTTPS traffic by acting as a proxy between the HTTPS client and the HTTPS server. Figure 6-13 shows the HTTPS scanning traffic flow.

Figure 6-13. HTTPS scanning traffic flow: the HTTPS client sends an HTTPS request to the UTM; the UTM sends its own certificate to the client; the UTM communicates with the server on the client's behalf; the server returns its certificate to the UTM for authentication.

Note: Because the UTM terminates the client's SSL session, the client sees the UTM's certificate instead of the server's. Browsers warn on every HTTPS site unless the UTM's signing certificate is installed as a trusted CA on the clients, and the client can no longer verify the real server's certificate itself; that verification now happens on the UTM-to-server leg. Before relying on HTTPS scanning, confirm how the UTM handles an upstream certificate that fails authentication (for example, an expired or untrusted certificate), because a proxy that silently accepts such certificates removes the protection that HTTPS gives against impersonation.

The HTTPS scanning process functions with the following principles:
- The UTM breaks up the SSL connection between the HTTPS server and the HTTPS client into two parts: a connection between the HTTPS client and the UTM, and a connection between the UTM and the HTTPS server.
- The UTM simulates the HTTPS server communication to the HTTPS client, including the SSL negotiation, certificate exchange, and certificate authentication. In effect, the UTM functions as the HTTPS server for the HTTPS client.
- The UTM simulates the HTTPS client communication to the HTTPS server, including the SSL negotiation, certificate exchange, and certificate authentication. In effect, the UTM functions ...
231. ... traffic when the traffic limit is reached. Complete the Monthly Limit field below.
Monthly Limit: Enter the monthly traffic volume limit in MB. The default setting is 0 MB.
Increase this month limit by: Select this checkbox to temporarily increase a previously specified monthly traffic volume limit, and enter the additional allowed volume in MB. The default setting is 0 MB.
Note: When you click Apply to save these settings, this field is reset to 0 MB so that the increase is applied only once.
This month limit: This is a non-configurable field that displays the total monthly traffic volume limit that is applicable to this month. This total is the sum of the monthly traffic volume limit and the increased traffic volume.

Traffic Counter
Restart traffic counter: Select one of the following radio buttons to specify when the traffic counter restarts.
- Restart Traffic Counter Now: Select this option and click Apply at the bottom of the screen to restart the traffic counter immediately.
- Restart Traffic Counter at a Specific Time: Restart the traffic counter at a specific time and day of the month. Fill in the time fields and choose AM or PM and the day of the month from the pull-down menus.
Send e-mail report before restarting counter: An e-mail report is sent immediately before restarting the counter. Ensure that e-mailing of logs is enabled on the Email and Syslog screen (see "Configuring Logging, Alerts, and ...
232. ... Traffic Meter

If your ISP charges by traffic volume over a given period of time, or if you want to study traffic types over a period of time, you can activate the traffic meter for one or both WAN ports.

To monitor traffic limits on each of the WAN ports:
1. Select Network Config > WAN Metering from the menu. On the dual WAN port models, the WAN Metering tabs appear with the WAN1 Traffic Meter screen in view (see Figure 11-1 on page 11-2). On the single WAN port models, the WAN Traffic Meter screen displays.

The Internet Traffic Statistics section in the lower part of the screen displays statistics on Internet traffic via the WAN port. If you have not enabled the traffic meter, these statistics are not available.

Figure 11-1. WAN1 Traffic Meter screen (sections: Enable Traffic Meter, with "Do you want to enable Traffic Metering on WAN1? Yes/No", No Limit / Download only / Both Directions, Monthly Limit (MB), Increase this month limit by (MB), This month limit (MB); Traffic Counter, with Restart Traffic Counter Now / Restart Traffic Counter at Specific Time (time and day of month), Send e-mail report before restarting counter; When Limit is reached, with Block All Traffic / Block All Traffic Except E-Mail, Send e-mail alert; Internet Traffic Statistics, with Start Date/Time, Outgoing Traffic Volume (MB), Incoming ...)
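The fields on the Traffic Meter screen interact in ways the table entries only state one at a time (the one-time top-up, "This month limit" as their sum, the counting direction, the action when the limit is reached, and the counter restart). The following is an added example, not NETGEAR firmware code, that models that accounting end to end. The volumes are constructed, and the assumption that the top-up is discarded when the counter restarts is noted in the code.

```python
"""Added example (not NETGEAR code): the accounting behind the WAN Traffic
Meter screen: monthly limit, one-time "increase this month limit by" top-up,
counting direction (download only or both), the action taken when the limit
is reached, and the counter restart.  Volumes are constructed; dropping the
top-up on counter restart is an assumption."""
from typing import Dict


class TrafficMeter:
    def __init__(self, monthly_limit_mb: float, direction: str = "both",
                 on_limit: str = "block_all") -> None:
        assert direction in ("download_only", "both")
        assert on_limit in ("block_all", "block_all_except_email", "alert_only")
        self.monthly_limit = monthly_limit_mb    # 0 means "No Limit"
        self.direction = direction
        self.on_limit = on_limit
        self.increase = 0.0                      # this month's one-time top-up
        self.volume: Dict[str, float] = {"download": 0.0, "upload": 0.0}
        self.alerts = 0                          # "Send e-mail alert" count

    def increase_this_month(self, extra_mb: float) -> float:
        """Apply a one-time top-up; the screen clears its field after Apply."""
        self.increase += extra_mb
        return self.this_month_limit()

    def this_month_limit(self) -> float:
        """The non-configurable "This month limit" field: limit plus top-up."""
        return self.monthly_limit + self.increase

    def counted_volume(self) -> float:
        if self.direction == "download_only":
            return self.volume["download"]
        return self.volume["download"] + self.volume["upload"]

    def limit_reached(self) -> bool:
        return self.monthly_limit > 0 and self.counted_volume() >= self.this_month_limit()

    def permit(self, direction: str, mb: float, is_email: bool = False) -> bool:
        """Account for a flow of mb megabytes; return whether it is allowed through."""
        if self.limit_reached():
            if self.on_limit == "block_all":
                return False
            if self.on_limit == "block_all_except_email" and not is_email:
                return False
        was_under = not self.limit_reached()
        self.volume[direction] += mb
        if was_under and self.limit_reached():
            self.alerts += 1                     # alert fires once per crossing
        return True

    def restart_counter(self) -> None:
        """Restart Traffic Counter Now: zero the counters and (assumed) drop the top-up."""
        self.volume = {"download": 0.0, "upload": 0.0}
        self.increase = 0.0


if __name__ == "__main__":
    # Constructed month: a 10 MB cap, 6 MB down and 5 MB up, then a 5 MB top-up.
    meter = TrafficMeter(10, direction="both", on_limit="block_all")
    meter.permit("download", 6)
    meter.permit("upload", 5)
    print(meter.limit_reached(), meter.permit("download", 1), meter.increase_this_month(5),
          meter.permit("download", 1))
```

If the cap is there to bound ISP charges rather than enforce policy, "Download only" plus "Block All Traffic Except E-Mail" is usually the configuration that keeps the bill bounded without silently cutting off alert e-mail from the appliance itself.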
233. ... cally updated according to the Update Frequency settings below.
Update From: Set the update source server by selecting one of the following radio buttons.
- Default update server: Files are updated from the default NETGEAR update server.
- Server address: Files are updated from the server that you specify; enter the IP address or host name of the update server.
Update Frequency: Specify the frequency with which the UTM checks for file updates.
- Weekly: From the pull-down menus, select the weekday, hour, and minutes at which the updates occur.
- Daily: From the pull-down menus, select the hour and minutes at which the updates occur.
- Every: From the pull-down menu, select the frequency with which the updates occur. The range is from 15 minutes to 12 hours.

HTTPS Proxy Settings
Enable: If computers on the network connect to the Internet via a proxy server, select the Enable checkbox to specify and enable a proxy server, and enter the following settings:
  Proxy server: The IP address and port number of the proxy server.
  User name: The user name for proxy server authentication.
  Password: The password for proxy server authentication.
3. Click Apply to save your settings.

Configuring Date and Time Service

Configure date, time, and NTP server designations on the System Date ...
234. ... indicates the status of the VLAN profile: a green circle means the VLAN profile is enabled; a grey circle means it is disabled.
- Profile Name: The unique name assigned to the VLAN profile.
- VLAN ID: The unique ID (or tag) assigned to the VLAN profile.
- Subnet IP: The subnet IP address for the VLAN profile.
- DHCP Status: The DHCP server status for the VLAN profile, which can be either DHCP Enabled or DHCP Disabled.
- Action: The Edit table button, which provides access to the Edit VLAN Profile screen.
2. Assign a VLAN profile to a LAN port (Port 1, Port 2, Port 3, or Port 4/DMZ) by selecting a VLAN profile from the pull-down menu. Both enabled and disabled VLAN profiles are displayed in the pull-down menus.
3. Click Apply to save your settings.

VLAN DHCP Options

For each VLAN, you must specify the Dynamic Host Configuration Protocol (DHCP) options. The configuration of the DHCP options for the UTM's default VLAN (VLAN 1) is explained in Chapter 2, "Using the Setup Wizard to Provision the UTM in Your Network." This section provides further information about the DHCP options.

DHCP Server

The default VLAN (VLAN 1) has the DHCP Server option enabled by default, allowing the UTM to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the UTM's LAN. The assigned default gateway address is the LAN address of the UTM. IP addresses are assigned to the attached computers from a pool of addresses ...
235. ... Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view (see Figure 6-8 on page 6-22).

Figure 6-8. Malware Scan screen (Action: HTTP "Delete file", HTTPS; Scan Exception: "if the file or message is larger than ___ KB (Maximum 10240 KB)"; Scan HTML Files; Notification Settings: "Replace the Content of a Blocked Page with the Following Text", an HTML 4.0 Transitional document titled "NETGEAR ProSecure User Notification" with a linked stylesheet; a note listing the meta words TIME, PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME, VIRUSINFO that automatically include the relevant malware detection information)

2. Enter the settings as explained in Table 6-7.

Table 6-7. Malware Scan Settings

Setting: Description or Subfield and Description
Action (HTTP and HTTPS): From the HTTP or HTTPS pull-down menu, specify one of the following actions when an infected Web file or object is detected.
- Delete file: This is the default setting. The Web file or object is de...
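The blocked-page text under Content Filtering (with its URL and KEYWORD meta words), the malware e-mail notification message (VIRUSINFO and the others), and the Malware Scan blocked-page HTML above all work the same way: meta words in a customizable template are replaced at detection time. The following is an added example, not NETGEAR firmware code, of such a renderer plus a check that a customized text still contains the meta words the manual says must be kept. The meta-word delimiter was lost in the extraction of this page, so the example assumes the %NAME% form. Because the URL, subject, file name and sender are attacker-controlled values that end up inside an HTML page, the renderer HTML-escapes them. The sample values are constructed.

```python
"""Added example (not NETGEAR code): rendering the customizable notification
texts the manual describes.  Assumes %NAME% meta words (the delimiter was
lost in extraction); HTML-escapes substituted values because the URL,
subject, file name and sender are attacker-controlled.  Sample values are
constructed."""
import html
import re
from typing import Dict, Iterable, Set

META_WORD = re.compile(r"%([A-Z]+)%")

# The default Content Filtering notification text, with the assumed delimiters.
DEFAULT_BLOCKED_PAGE_TEXT = (
    "Internet Policy has restricted access to this location: %URL%. "
    "Full text search found the content to have the keyword %KEYWORD%."
)

# Meta words the manual says each text must keep so the UTM can fill it in.
REQUIRED_BLOCKED_PAGE = ("URL", "KEYWORD")
REQUIRED_MALWARE_MAIL = ("VIRUSINFO",)


def render(template: str, values: Dict[str, str], html_context: bool = True) -> str:
    """Substitute %META% words; unknown meta words are left untouched."""
    def substitute(match):
        key = match.group(1)
        if key not in values:
            return match.group(0)
        text = str(values[key])
        # In an HTML notification page, escape the value so a crafted URL or
        # subject cannot inject markup into the page the user sees.
        return html.escape(text, quote=True) if html_context else text
    return META_WORD.sub(substitute, template)


def check_template(template: str, required: Iterable[str]) -> Set[str]:
    """Return the required meta words missing from a customized template."""
    present = set(META_WORD.findall(template))
    return {name for name in required if name not in present}


if __name__ == "__main__":
    # Constructed detection: a blocked URL that carries a script tag.
    page = render(DEFAULT_BLOCKED_PAGE_TEXT,
                  {"URL": "http://example.test/?q=<script>alert(1)</script>", "KEYWORD": "casino"})
    print(page)
    print(check_template("Access to this site is not permitted.", REQUIRED_BLOCKED_PAGE))
```

Run `check_template` against a customized text before clicking Apply; an administrator who trims the default text and drops %URL% or %VIRUSINFO% gets a notification that no longer says what was blocked or why.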
236. ... (see "Performance Management" on page 10-1).
Block Web Objects: Select any or all of the following checkboxes.
- Remove Embedded Objects: All embedded objects such as ActiveX, Java, and Flash objects are removed from downloaded Web pages.
  Note: Because embedded objects are commonly used on legitimate Web sites, blocking embedded objects globally might have a negative impact on a user's Web browsing experience.
- Disable Javascript: Javascript is disabled on downloaded Web pages.
- Proxy: All Web proxy servers are blocked.
- Cookies: All cookies are blocked.

Table 6-8. Content Filtering Settings, continued

Setting: Description or Subfield and Description
Select the Web Categories You Wish to Block: Select the Enable Blocking checkbox to enable blocking of Web categories. By default, this checkbox is deselected. Select the checkboxes of any Web categories that you want to block. Use the action buttons at the top of the section in the following way:
- Allow All: All Web categories are allowed.
- Block All: All Web categories are blocked.
- Set to Defaults: Blocking and allowing of Web categories are returned to their default settings. See Table 6-1 on page 6-2 for information about the Web categories that are blocked by default.
C...
237. ... ce 7-39, 7-40
eDonkey 2-17, 6-21
EICAR 2-26
e-mail notification server
  configuring manually 71-5
  settings using the Setup Wizard 2-23
  SMTP server 2-23
e-mails
  audio and video files, filtering 6-17
  compressed files, filtering 6
  Distributed Spam Analysis 6-16, 6-17
  executable files, filtering 6
  filter logs 11-8, 11-33, 11-35
  protection, see SMTP, POP3, or IMAP
  protocols 6-4
  real-time blacklist 6-4
  reports 39
  security settings using the Setup Wizard 2-18
  spam protection 6
  traffic statistics 77-16
  whitelist and blacklist 6-72
embedded objects 6-28
environmental specifications A-3
error messages and log messages, understanding C
Ethernet ports 0
exceptions, Web access 6-4
exchange mode, IKE policies 7-24, 7-27
exclusions, scanning 6-44
executable files
  e-mail filtering 6
  FTP filtering 6-41
  Web filtering 6-28
exposed hosts 3-19, 5-25
Extended Authentication, see XAUTH

F
factory default settings
  reverting to 10-18
  service licenses, automatic retrieval 2-28
failover attempts
  DNS lookup 3-13
  pinging 3-13
failover protection, see auto-rollover mode (dual WAN port models)
failure detection method (dual WAN port models) 3-10, 3-11, 3-13
file extensions, blocking 6-8, 6-24, 6-28
file names, blocking 6-8
firewall
  attack checks 5-27
  bandwidth profiles 5-38
  connecting to the Inte...
238. ... Traffic Metering Logs

This section describes logs that are generated when the traffic meter has reached a limit.

Table C-13. System Logs: Traffic Metering
Message: Jan 23 19:03:44 TRAFFIC_METER: TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1
Explanation: Generated when the traffic limit for the WAN1 interface, which was set at 10 MB, has been reached. Depending on the setting configured in the When Limit is reached section of the WAN1 Traffic Meter screen (see "Enabling the WAN Traffic Meter" on page 11-1), all incoming and outgoing traffic might be stopped. Note: For the WAN2 interface, see the settings on the WAN2 Traffic Meter screen.
Recommended Action: To start the traffic again, restart the traffic counter in the Traffic Counter section of the WAN1 Traffic Meter screen. Note: For the WAN2 interface, see the WAN2 Traffic Meter screen.

Unicast Logs

This section describes logs that are generated when the UTM processes unicast packets.

Table C-14. System Logs: Unicast
Message: Nov 24 11:52:55 UTM kernel: UCAST IN=SELF OUT=WAN SRC=192.168.10.1 DST=192.168.10.10 PROTO=UDP SPT=800 DPT=2049
Explanation: A unicast packet handled by the device. The IN=SELF and OUT=WAN fields show a packet generated by the device itself (its LAN address is the source) and sent out through the WAN interface, rather than one arriving from the WAN; destination port 2049 is NFS. For other parameters, see Table C-1.
Recommended Action: None.

ICMP Redirect Logs

This section describes logs that are generated when the UTM processes ICMP Re...
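The kernel firewall lines in these tables share one shape (a chain name, an optional verdict, then key=value fields), which makes them easy to feed into a detection pipeline. The following is an added example, not NETGEAR code: a parser for the firewall and traffic-meter log lines of this appendix, with a summary of drops per chain, packets originated by the device itself, and traffic-meter events. The sample lines are reconstructed from this manual's Appendix C with the key=value separators that the page's extraction dropped; the field names and the summary format are assumptions.

```python
"""Added example (not NETGEAR code): parsing the kernel firewall and
traffic-meter log lines shown in Appendix C and summarizing them.  The
sample lines are reconstructed from the appendix with the key=value
separators restored; field names and summary format are assumptions."""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LINES = [
    "Nov 24 11:52:55 UTM kernel: UCAST IN=SELF OUT=WAN SRC=192.168.10.1 DST=192.168.10.10 PROTO=UDP SPT=800 DPT=2049",
    "Nov 29 09:19:43 UTM kernel: DMZ2WAN DROP IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0",
    "Nov 29 10:05:15 UTM kernel: WAN2LAN ACCEPT IN=WAN OUT=LAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0",
    "Jan 23 19:03:44 TRAFFIC_METER: TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1",
]

TIMESTAMP = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
KERNEL = re.compile(TIMESTAMP + r" UTM kernel: (?P<chain>[A-Z0-9]+)"
                    r"(?: (?P<verdict>ACCEPT|DROP))? (?P<fields>.*)$")
METER = re.compile(TIMESTAMP + r" TRAFFIC_METER: TRAFFIC_METER: "
                   r"Monthly Limit of (?P<limit>\d+) MB has reached for (?P<wan>WAN\d)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a flat dict for one log line, or None if the line is not recognised."""
    m = KERNEL.match(line)
    if m:
        rec = {"kind": "firewall", "ts": m["ts"], "chain": m["chain"],
               "verdict": m["verdict"] or "LOG"}      # UCAST-style lines carry no verdict
        for token in m["fields"].split():
            key, _, value = token.partition("=")      # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
            rec[key.lower()] = value
        return rec
    m = METER.match(line)
    if m:
        return {"kind": "traffic_meter", "ts": m["ts"], "wan": m["wan"], "limit_mb": m["limit"]}
    return None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Counts an analyst would want: drops per chain, self-originated flows, meter events."""
    drops, self_originated, meter = Counter(), [], []
    for rec in filter(None, map(parse_line, lines)):
        if rec["kind"] == "traffic_meter":
            meter.append(f'{rec["wan"]} limit {rec["limit_mb"]} MB reached')
            continue
        if rec["verdict"] == "DROP":
            drops[rec["chain"]] += 1
        if rec.get("in") == "SELF":       # traffic the appliance itself generated
            self_originated.append(f'{rec["src"]}->{rec["dst"]}:{rec.get("dpt", "")}/{rec["proto"]}')
    return {"drops": dict(drops), "self_originated": self_originated, "meter": meter}


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```

Self-originated lines are the ones to watch: an appliance that starts sending UDP/2049 or anything else unexpected out of its WAN interface is either misconfigured or compromised, and the `IN=SELF` field is what lets a syslog rule single those packets out.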
239. ... 7-17
Testing the VPN Connection ... 7-17
NETGEAR VPN Client Status and Log Information ... 7-18
Viewing the UTM IPsec VPN Connection Status ... 7-20
Viewing the UTM IPsec VPN Log ... 7-21
Managing VPN Policies ... 7-22
Managing IKE Policies ... 7-23
Managing VPN Policies ... 7-31
Configuring Extended Authentication (XAUTH) ... 7-38
Configuring XAUTH for VPN Clients ... 7-39
User Database Configuration ... 7-40
RADIUS Client Configuration ... 7-40
Assigning IP Addresses to Remote Users (Mode Config) ... 7-43
Mode Config Operation ... 7-43
Configuring Mode Config Operation on the UTM ... 7-43
Configuring the ProSafe VPN Client for Mode Config Operation ... 7-50
Testing the Mode Config Connection ... 7-55
Configuring Keepalives and Dead Peer Detection ... 7-55
Configuring Keepalives ... 7-56
Configuring Dead Peer Detection ...
240. ... Instant Messaging Services (continued): Google Talk / Jabber: Allowed; mIRC: Allowed; MSN Messenger: Allowed; Yahoo Messenger: Allowed
Peer-to-Peer (P2P) Services: BitTorrent: Allowed; eDonkey: Allowed; Gnutella: Allowed
Web Objects: Embedded Objects (ActiveX, Java, Flash): Allowed; Javascript: Allowed; Proxy: Allowed; Cookies: Allowed
Web Content Categories: Commerce: Allowed; Drugs and Violence: Blocked

Table 6-1. Default E-mail and Web Scan Settings, continued
Scan Type: Default Scan Setting / Default Action (if applicable)
Web Content Categories (continued): Education: Allowed, with the exception of School Cheating; Gaming: Blocked; Inactive Sites: Allowed; Internet Communication and Search: Allowed, with the exception of Anonymizers; Leisure and News: Allowed; Malicious: Blocked; Politics and Religion: Allowed; Sexual Content: Blocked; Technology: Allowed
a. Files or messages that are larger than 2048 KB are skipped by default.

Configuring E-mail Protection

The UTM lets you configure the following settings to protect the network's e-mail communication:
- The e-mail protocols that are scanned for malware threats
- Actions that are taken when infected e-mails are detected
- The maximum file sizes that are scanned
- Keywords, file types, and file names in e-mails that ...
checkbox to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.
2. Click one of the following table buttons:
- Disable: Disables the rule or rules. The status icon changes from a green circle to a grey circle, indicating that the rule or rules are disabled. By default, when a rule is added to the table, it is automatically enabled.
- Delete: Deletes the rule or rules.

DMZ WAN Outbound Services Rules

You can change the default outbound policy or define rules that specify exceptions to it. By adding custom rules you can block or allow access based on the service or application, the source or destination IP addresses, and the time of day. An outbound rule blocks or allows traffic between the DMZ and any external WAN IP address according to a schedule created in the Schedule menu.

To create a new outbound DMZ WAN service rule:
1. In the DMZ WAN Rules screen, click the Add table button under the Outbound Services table. The Add DMZ WAN Outbound Service screen displays.
[Figure: Add DMZ WAN Outbound Service screen. Fields: Service (ANY); Action (BLOCK always); Select Schedule; DMZ Users (Any, with Start and Finish address fields); WAN Users (Any, with Start and Finish address fields); QoS Profile (None); Log (Never); NAT IP (WAN Interface Address).]
schedule is in effect all days of the week.
- Specific Days: The schedule is active only on specific days. To the right of the radio buttons, select the checkbox for each day on which you want the schedule to be in effect.
4. In the Scheduled Time of Day section, select one of the following radio buttons:
- All Day: The schedule is in effect all hours of the selected day or days.
- Specific Times: The schedule is active only during specific hours of the selected day or days. To the right of the radio buttons, specify the Start Time and End Time fields (Hour, Minute, AM/PM) during which the schedule is in effect.
5. Click Apply to save your settings to Schedule 1. Repeat these steps to set a schedule for Schedule 2 and Schedule 3.

Enabling Source MAC Filtering

The Source MAC Filter screen enables you to permit or block traffic coming from certain known PCs or devices. By default, the source MAC address filter is disabled, and traffic received from a PC with any MAC address is allowed. When the source MAC address filter is enabled, traffic from any PC or device whose MAC address is listed in the MAC Addresses table is either permitted or blocked, depending on the selected policy.

A MAC address is a value the sending device itself supplies and can change at will, so this filter identifies a device only as long as nobody on the LAN bothers to spoof an address from the table. Treat it as a convenience control, not as authentication.

Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 5-4.

To
crease performance.
IP Address: Enter your fixed (static) IP address. If your IP address is dynamic, leave this field blank.
Optional Fields:
- Domain Name: Enter your Internet domain name, or leave this field blank.
- E-mail Address: Enter the e-mail address of a technical contact in your company.
3. Click the Generate table button. A new SCR is created and added to the Self Certificate Requests table.
4. In the Self Certificate Requests table, click the View table button in the Action column to view the new SCR. The Certificate Request Data screen displays (see Figure 9-14 on page 9-24).

[Figure 9-14: Certificate Request Data screen. Certificate Details: Subject Name CN=NETGEAR; Hash Algorithm MD5; Signature Algorithm RSA; Key Length 1024. Below the details is the "Data to supply to CA" box containing the PEM-encoded request, from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----"; the base64 body is not reproduced here.]

The request in the example is signed with MD5 over a 1024-bit RSA key. Both choices are obsolete: MD5 is collision-broken and public CAs no longer accept MD5-signed requests, and 1024-bit RSA has been deprecated for new use since 2013. Before generating a request for production use, check whether the firmware offers SHA-256 and a 2048-bit key; a CA is likely to reject a request with the parameters shown.

5. Copy the contents of the Data to su
created. The FTP file or object is not deleted.

Scan Exceptions (maximum size): The default maximum file or object size that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. Setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions when a file or message exceeds the maximum size:
- Skip: The file is not scanned but passed through, leaving the end user exposed to whatever it contains. This is the default setting.
- Block: The file is blocked and does not reach the end user.

Setup Wizard Step 7 of 10: Web Categories to Be Blocked

[Figure: Setup Wizard Step 7, Blocked Web Categories screen. An "Enable Blocking" checkbox is followed by the category groups (Commerce, Drugs and Violence, Education, Gaming, Inactive Sites, Internet Communication and Search, Leisure and News, and further groups cut off in the extraction), each with subcategory checkboxes. Subcategories visible include Advertisements & Pop-Ups, Real Estate, Business, Shopping, Alcohol & Tobacco, Tasteless, Hate/Intolerance, Violence, Education, Health & Medicine, Gambling, Games, Network Errors, Parked Domain, Anonymizers, General, Job Search, Streaming Media & Downloads, Webmail, and Arts.]
select Manual Policy as the policy type. When you specify the settings for the fields in this section, a security association (SA) is created.

SPI-Incoming: The Security Parameters Index (SPI) for the inbound policy. Enter a hexadecimal value between 3 and 8 characters, for example 0x1234.

Encryption Algorithm: From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA):
- DES: Data Encryption Standard (DES).
- 3DES: Triple DES. This is the default algorithm.
- AES-128: Advanced Encryption Standard (AES) with a 128-bit key.
- AES-192: AES with a 192-bit key.
- AES-256: AES with a 256-bit key.

Key-In: The encryption key for the inbound policy. The length of the key depends on the selected encryption algorithm:
- DES: enter 8 characters
- 3DES: enter 24 characters
- AES-128: enter 16 characters
- AES-192: enter 24 characters
- AES-256: enter 32 characters

Key-Out: The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm; the required key lengths are the same as for Key-In above.

SPI-Outgoing: The Security Parameters Index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters, for example 0x1234.

Two points the field descriptions do not make: a manual policy is never rekeyed, so the keys you type here protect every packet until you change them by hand, and DES (56-bit key) and 3DES are legacy ciphers. Prefer an Auto (IKE) policy with AES where the peer supports it, and keep manual keys random and short-lived where you must use them.
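The following script is an added example by the editor, not NETGEAR code. It checks the Manual Policy fields described above the way a reviewer would before typing them into the UTM: SPI syntax (assuming the manual's "3 to 8 characters" counts hex digits after an optional 0x prefix), the per-cipher key lengths the manual lists, and two checks the manual does not make (IANA-reserved SPI values and placeholder-looking keys). The dictionary keys spi_in, spi_out, encryption, key_in and key_out are names chosen for this script; the UTM screen labels the fields SPI-Incoming, SPI-Outgoing, Encryption Algorithm, Key-In and Key-Out.

```python
"""Sanity checks for the UTM Manual Policy fields: SPI format and per-cipher key length.

Editor's illustration, not NETGEAR code. Field names are this script's own;
the 0x-prefix handling is an assumption about how the UTM counts characters.
"""
import re
import secrets
import string

# Key length in characters per cipher, as the manual lists it.
KEY_LENGTH = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}

# Editor's recommendation, not the manual's: DES (56-bit key) and 3DES
# (64-bit block size) should not be chosen for new tunnels.
LEGACY = {"DES", "3DES"}

HEX_DIGITS = re.compile(r"[0-9A-Fa-f]{3,8}")


def validate_spi(spi):
    """Return the problems found in one SPI string such as '0x1234'."""
    digits = spi[2:] if spi[:2].lower() == "0x" else spi
    if not HEX_DIGITS.fullmatch(digits):
        return [f"SPI {spi!r}: expected 3 to 8 hex digits"]
    if int(digits, 16) <= 255:
        # RFC 4303: SPI 0 is reserved for local use, 1-255 are reserved by IANA.
        return [f"SPI {spi!r}: values 0-255 are reserved"]
    return []


def validate_policy(policy):
    """Return all problems found in a manual-policy dict; an empty list means it is usable."""
    problems = validate_spi(policy["spi_in"]) + validate_spi(policy["spi_out"])
    alg = policy["encryption"]
    if alg not in KEY_LENGTH:
        return problems + [f"unknown cipher {alg!r}"]
    for name in ("key_in", "key_out"):
        key = policy[name]
        if len(key) != KEY_LENGTH[alg]:
            problems.append(f"{name}: {alg} needs {KEY_LENGTH[alg]} characters, got {len(key)}")
        elif len(set(key)) < 4:
            problems.append(f"{name}: almost no distinct characters, looks like a placeholder key")
    if policy["key_in"] == policy["key_out"]:
        problems.append("key_in equals key_out: use a different key per direction")
    if alg in LEGACY:
        problems.append(f"{alg} is a legacy cipher; prefer AES")
    return problems


def generate_key(alg):
    """Random key of exactly the length the UTM expects for the cipher."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(KEY_LENGTH[alg]))


if __name__ == "__main__":
    demo = {"spi_in": "0x1234", "spi_out": "0x5678", "encryption": "AES-256",
            "key_in": generate_key("AES-256"), "key_out": generate_key("AES-256")}
    print(validate_policy(demo) or "manual policy OK")
```

Because the peer must be configured with the same values, generate the keys once with generate_key, validate the whole policy, and then enter the same strings on both endpoints (Key-In on one side is Key-Out on the other).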
[Figure 7-14: Security Policy Editor, Security Policy settings. Select Phase 1 Negotiation Mode; Enable Perfect Forward Secrecy (PFS) checked; PFS Key Group: Diffie-Hellman Group 2; Enable Replay Detection checked.]

9. Enter the settings as explained in Table 7-6.

Table 7-6. Security Policy Editor: Security Policy Settings

Setting                                   Description
Select Phase 1 Negotiation Mode           Select the Aggressive Mode radio button.
Enable Perfect Forward Secrecy (PFS)      Select the Enable Perfect Forward Secrecy (PFS) checkbox. From the PFS Key Group pull-down menu below it, select Diffie-Hellman Group 2.
Enable Replay Detection                   Leave the default setting, which is selection of the Enable Replay Detection checkbox.

10. Click the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.
11. Close the ProSafe VPN Client.

Note: You do not need to open or change the settings on the Authentication (Phase 1) screen or its accompanying Proposal 1 and Proposal 2 screens, nor on the Key Exchange (Phase 2) screen or its accompanying Proposal 1 screen. Leave the default settings for these screens.

These values must match the UTM side; two of them deserve a caveat. In IKEv1 aggressive mode the pre-shared-key authentication hash is exchanged before any encryption is in place, so anyone who captures the exchange can run an offline dictionary attack against the key; use the full pre-shared key length the wizard allows, with random characters, or use certificates. Diffie-Hellman Group 2 is the 1024-bit MODP group, which is below current recommendations; if both ends offer a larger group, use it.

Testing the Connections and Viewing Status Information

Both the NETGEAR ProSafe VPN Client and the UTM provide VPN connection and status information. This information is useful for veri
1. Select VPN > IPsec VPN from the menu. The IPsec VPN submenu tabs appear, with the IKE Policies screen in view.
2. Click the VPN Wizard submenu tab. The VPN Wizard screen displays (see Figure 7-9 on page 7-10, which shows a dual WAN port model as the example). The WAN1 and WAN2 radio buttons are shown on the VPN Wizard screen of the dual WAN port models but not on that of the single WAN port models.

[Figure 7-9: VPN Wizard screen. Submenu tabs include Mode Config and RADIUS Client; a "VPN Wizard Default Values" button is shown. About VPN Wizard: "The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu." Fields: This VPN tunnel will connect to the following peers: Gateway / VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? (Client to UTM); What is the pre-shared key? (example value 111122223333; Key Length 8-49 characters). This VPN tunnel will use the following local WAN Interface: WAN1 / WAN2. End Point Information: What is the Remote Identifier Information? What is the Local Identifier Information? Secure Connection Remote Accessibility: What is the remote LAN IP Address?]

The pre-shared key shown in the figure is a placeholder, not a recommendation: a twelve-digit numeric key is far weaker than the 49 random characters the field accepts, and a client-to-gateway wizard policy uses aggressive mode, where a weak key can be recovered offline from a captured exchange.
[Figure 5-10: Add inbound service screen. Fields: Service (ANY); Action (BLOCK always); Select Schedule (Schedule 1); LAN Users (Any, with Start and Finish address fields); DMZ Users (Any, with Start and Finish address fields); Log (Never).]

2. Enter the settings as explained in Table 5-3 on page 5-8.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.

Inbound Rules Examples

LAN WAN Inbound Rule: Hosting a Local Public Web Server

If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of the day.

[Figure 5-11: Add LAN WAN Inbound Service screen. Action: ALLOW always; Select Schedule; Send to LAN Server: 192.… (remainder of the address not legible); Translate to Port Number; WAN Destination IP Address: WAN; LAN Users: Any (Start/Finish); WAN Users: Any (Start/Finish); QoS Profile: None; Log: Never; Bandwidth Profile: NONE.]

A server opened this way is reachable from every Internet address unless you narrow WAN Users, and it sits on the LAN with your other hosts. For a server that must be public, consider placing it in the DMZ and using a DMZ WAN inbound rule instead, so that a compromise of the server does not start inside the LAN.

LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see Figure 5-11 on
[Figure 5-5: DMZ WAN Rules screen. The Outbound Services table holds one example rule: Service SEEME (TCP); Filter "Block by schedule 3, else allow"; DMZ Users ANY; WAN Users ANY; QoS Profile Normal-Service; Log Never; Action column with Edit, Up and Down buttons; table buttons Select All, Delete, Enable, Disable. The Inbound Services table (columns Service Name, Filter, DMZ Server IP Address, DMZ Users, WAN Users, QoS Profile, Log, Action) is empty.]

Note: Inbound rules configured in the LAN WAN Rules page take precedence over the inbound rules configured in the DMZ WAN Rules page. As a result, if an inbound packet matches an inbound rule in the LAN WAN Rules page, it is not matched against the inbound rules in the DMZ WAN Rules page.

To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons:
- Edit: Allows you to make changes to the definition of an existing rule. Depending on your selection, either the Edit DMZ WAN Outbound Service screen (identical to Figure 5-6 on page 5-17) or the Edit DMZ WAN Inbound Service screen (identical to Figure 5-7 on page 5-18) displays, containing the data for the selected rule.
- Up: Moves the rule up one position in the table rank.
- Down: Moves the rule down one position in the table rank.

Rules are tried in table order, so moving a rule changes which rule applies to traffic that several rules would match; after reordering, check that a broad rule (Service ANY) has not moved above the specific exceptions it was meant to follow.

To delete or disable one or more rules:
1. Select the
d field above.
Idle Timeout: The period after which an idle user is automatically logged out of the Web management interface. The default idle timeout period is 10 minutes.
4. Click Apply to save your settings. The user is added to the List of Users table.

To delete one or more users:
1. In the List of Users table, select the checkbox to the left of each user that you want to delete, or click the Select All table button to select all users. You cannot delete a default user.
2. Click the Delete table button.

Setting User Login Policies

You can restrict the ability of defined users to log in to the UTM's Web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers.

Configuring Login Policies

To configure user login policies:
1. Select Users > Users from the menu. The Users screen displays (see Figure 9-5 on page 9-10).
2. In the Action column of the List of Users table, click the Policies table button for the user for whom you want to set login policies. The Policies submenu tabs appear, with the Login Policies screen in view.

[Figure 9-7: Login Policies screen. Submenu tabs: Login Policies, by Source IP Address, by Client Browser. Fields: User Name (techpub); Disable Login checkbox; Deny Login from WAN Interface checkbox.]

For administrative accounts, select Deny Login from WAN Interface unless you genuinely manage the appliance from the Internet, and combine it with the by Source IP Address tab to limit where logins may come from. The by Client Browser tab matches the browser's self-reported User-Agent string, which any client can set, so use it for convenience only and not as a security boundary.

3. In the User Login Polici
d to become part of the ProSecure community.

How to Print This Manual

To print this manual, your computer must have the free Adobe Acrobat Reader installed in order to view and print PDF files. The Acrobat Reader is available on the Adobe Web site at http://www.adobe.com.

Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.

Revision History

Part Number    Version Number  Date            Description
202-10482-01   1.0             September 2009  Initial publication of this reference manual.
202-10482-02   1.0             January 2010    Updated the Web Management Interface screens, made the manual platform independent, added a model comparison table, and removed performance specifications (see marketing documentation for such specifications).

Chapter 1: Introduction

This chapter provides an overview of the features and capabilities of the ProSecure Unified Threat Management (UTM) Appliance. This chapter contains the following sections:
- What Is the ProSecure Unified Threat Management (UTM) Appliance? (on this page)
- Key Features and Capabilities (page 1-2)
- Service Registration Card with License Keys (page 1-8)
- Package Contents (page 1-9)
- Hardware Features (page 1-10)
- Choosing a Location for the UTM (page 1-14)

What Is the ProSecure Uni
d unknown threats. The malware database contains hundreds of thousands of signatures of spyware, viruses, and other malware.
- Objectionable traffic protection: The UTM prevents objectionable content from reaching your computers. You can control access to Internet content by screening for Web services, Web addresses, and keywords within Web addresses. You can log and report attempts to access objectionable Internet sites.
- Automatic signature updates: Malware signatures are updated as frequently as every hour, and the UTM can check automatically for new signatures as frequently as every 15 minutes.

Security Features

The UTM is equipped with several features designed to maintain security:
- PCs hidden by NAT: NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN. NAT hides addresses; it is not an access policy. Anything you expose through port forwarding or a DMZ rule is reachable from the Internet regardless of NAT.
- Port forwarding with NAT: Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the UTM allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
- DMZ port: Incoming traffic from the Internet is normally discarded by the UTM unless th
dary subnets must be manually configured with the IP addresses, gateway IP address, and DNS server IP addresses.

Managing Groups and Hosts (LAN Groups)

The Known PCs and Devices table on the LAN Groups screen (see Figure 4-5 on page 4-14) contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the UTM or have been discovered by other means. Collectively, these entries make up the Network Database. The Network Database is updated by these methods:
- DHCP Client Requests: When the DHCP server is enabled, it accepts and responds to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. This is an advantage of enabling the DHCP Server feature.
- Scanning the Network: The local network is scanned using Address Resolution Protocol (ARP) requests. The ARP scan detects active devices that are not DHCP clients.
  Note: In large networks, scanning the network might generate unwanted traffic.
  Note: When the UTM receives a reply to an ARP request, it might not be able to determine the device name if the software firewall of the device blocks the name
- Manual Entry: You can manually enter information about a network device.

Some advantages of the Network Database are:
Generall
In addition, a Certificate Authority (CA) can also be used to perform authentication (see Managing Digital Certificates on page 9-17). To use a CA, each VPN gateway must have a certificate from the CA. For each certificate there is both a public key and a private key. The public key is freely distributed and can be used by any sender to encrypt data intended for the receiver (the key owner); the receiver then uses its private key to decrypt the data, and without the private key decryption is impossible. In IKE, the certificate's key pair is normally used to sign and verify the peers' authentication payloads; the tunnel's session keys come from the Diffie-Hellman exchange. The use of certificates for authentication reduces the amount of data entry required on each VPN endpoint.

The VPN Policies Screen

The VPN Policies screen allows you to add policies (either Auto or Manual) and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. The rules for VPN policy use are:
1. Traffic covered by a policy is automatically sent via a VPN tunnel.
2. When traffic is covered by two or more policies, the first matching policy is used. In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN endpoint, the policy order is not important.
3. The VPN tunnel is created according to the settings in the security association (SA).
4. The remote VPN endpoint must have a matching SA; otherwise it refuses the connection.

To access the VPN Policies screen:
1. Select VPN > IPsec VPN from the m
ddress in the field next to the radio button. You would typically enter the MAC address that your ISP requires for MAC authentication.
Note: The format for the MAC address is 01:23:45:67:89:AB (numbers 0-9 and either uppercase or lowercase letters A-F). If you enter a MAC address, the existing entry is overwritten.
traffic that is being forwarded by the UTM.
WAN Connection Type: From the pull-down menu, select the type of connection that the UTM uses to connect to the Internet: DSL, ADSL, Cable Modem, T1, T3, or Other.
WAN Connection Speed, Upload: From the pull-down menu, select the maximum upload speed that is provided by your ISP. You can select from 56 Kbps to 1 Gbps, or select Custom and enter the speed in Kbps in the field to the right.
WAN Connection Speed, Download: From the pull-down menu, select the maximum download speed that is provided by your ISP. You can select from 56 Kbps to 1 Gbps, or select Custom and enter the speed in Kbps in the field to the right.
4. Click Apply to save your changes.

Note: Depending on the changes that you make, when you click Apply the UTM might restart, or services such as HTTP and SMTP might restart.

Note: For dual WAN port models only: to configure advanced WAN options for the WAN2 port, select Network Config > WAN Settings from the menu. The WAN Settings tabs appear, with the WAN1 ISP Settings screen in view.
dels only): select a radio button to specify the WAN1 or WAN2 interface.

Remote Endpoint: Select a radio button to specify how the remote endpoint is defined:
- IP Address: Enter the IP address of the remote endpoint in the fields to the right of the radio button.
- FQDN: Enter the FQDN of the remote endpoint in the field to the right of the radio button.

Enable NetBIOS: Select this checkbox to allow NetBIOS broadcasts to travel over the VPN tunnel. For more information about NetBIOS, see Configuring NetBIOS Bridging with IPsec VPN on page 7-59. This feature is disabled by default.

Enable RollOver: Select this checkbox to allow the VPN tunnel to roll over to the other WAN interface when the WAN mode is set to Auto-Rollover and an actual rollover occurs. This feature is disabled by default.

Enable Keepalive: Select a radio button to specify whether Keepalive is enabled:
- Yes: This feature is enabled; periodically, the UTM sends ping packets to the remote endpoint to keep the tunnel alive. You must enter the ping IP address, the detection period, and the maximum number of times that the UTM attempts to reconnect (see below).
- No: This feature is disabled. This is the default setting.
Note: See also Configuring Keepalives and Dead Peer Detection on page 7-55.

Ping IP Address: The IP address that the UTM pings. The address must be that of a host that can respond to ICMP ping requests.

Detection
depends on your selection from the QoS pull-down menu:
- For IP Precedence, select a value from 0 to 7.
- For DSCP, select a value from 0 to 63.
QoS Priority: From the QoS Priority pull-down menu, select one of the following priority queues: Default, High, Medium-High, Medium, or Low.
5. Click Apply to save your settings. The new QoS profile is added to the List of QoS Profiles table.

To edit a QoS profile:
1. In the List of QoS Profiles table, click the Edit table button to the right of the QoS profile that you want to edit. The Edit QoS Profile screen displays.
2. Modify the settings that you wish to change (see Table 5-7).
3. Click Apply to save your changes. The modified QoS profile is displayed in the List of QoS Profiles table.

Creating Bandwidth Profiles

Bandwidth profiles determine the way in which data is communicated with the hosts. Their purpose is to provide a method for allocating and limiting traffic, giving LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN link. For outbound traffic, you can apply bandwidth profiles on the available WAN interfaces in both the single WAN port mode and the auto-rollover mode, and in load balancing mode on the interface that you specify. For inbound traffic, y
  audio and video files 6-28; compressed files 6-28; executable files 6-28; log messages C-2; logs 11-9, 11-33, 11-35; scheduling 2-22; settings, using the Setup Wizard 2-27; Web categories 2-22
cookies 6-24, 6-28
counter, WAN traffic 3-
CPU usage 11-21
CRL 9-19, 9-25
crossover cable 5-12, 3-
CSR 9-2
custom services, firewall 5-32

D
Data Encryption Standard. See DES
database, local user 8-6, 9-4
date: settings 2-15, 10-24; troubleshooting 12-10
daylight savings time 2-15, 10-25
DDNS: auto-rollover mode 3-19; configuring 3-19; load balancing mode 3-19; updating 3-21; wildcards 3-2
Dead Peer Detection. See DPD
debug logs (page number not legible)
defaults: configuration settings A-1; configuration, restoring 12-9; content filtering settings 6-2; factory 10-18, 12-9; IPsec VPN Wizard 7-5; login time-out 2-4; MTU 3-23; password 2-3, 12-9; PVID 4-2; user name 2-3; UTM IP address 2-9, 4-8; UTM subnet mask 2-9, 4-8; VLAN 2-8
demilitarized zone. See DMZ
denial of service. See DoS
deployment: testing connectivity 2-26; testing HTTP scanning 2-26
DES and 3DES 7-28, 7-36, 7-37, 7-46
DH 7-29, 7-38, 7-46; DH group 7-24
DHCP: automatic configuration of devices 1-6; DNS servers, IP addresses 2-10, 4-9, 4-2; domain name 2-9, 4-8, 4-20; LDAP server 2-10, 4-9, 4-21; lease time 2-10, 4-9, 4-21; log monitoring 11-31; relay 2-10, 4-9, 4-2; relay, VLANs 4-5; server, VLANs 4-4; servers 2-9, 4-8, 4-20; settings 2-9, 4-8, 4-20; VLANs 4-4; WINS server 2-10, 4-9, 4-21
di
direct messages.

Table C-15. System Logs: Unicast Redirect
Message: 2007 Feb 22 14:36:07 UTM kernel LOG_PACKET SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1
Explanation: This packet is an ICMP Redirect message sent to the device by another device. For other parameters, see Table C-1.
Recommended Action: None.

An ICMP Redirect is legitimate only from the gateway a host already uses; from any other address it is the classic way to pull a host's traffic through an attacker's machine. If redirects arrive from an unexpected source, look into it rather than filing the entry under "none".

Multicast/Broadcast Logs

This section describes logs that are generated when the UTM processes multicast and broadcast packets.

Table C-16. System Logs: Multicast/Broadcast
Message: Jan 1 07:24:13 UTM kernel MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
Explanation: This packet (a broadcast) is destined to the device from the WAN network. For other settings, see Table C-1.
Recommended Action: None.

Invalid Packet Logging

This section describes logs that are generated when the UTM processes invalid packets.

Table C-17. System Logs: Invalid Packets
Message: 2007 Oct 1 00:44:17 UTM kernel INVALID NO_CONNTRACK_ENTRY DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: No connection tracking entry exists.
Recommended Action: None.
Message: 2007 Oct 1 00:44:17 UTM kernel INVALID RST_PACKET DROP SRC=192.168.20.10 DST=192.168.
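The log entries in Tables C-15 to C-17, and the zone-to-zone routing logs of the same appendix, are written as a timestamp, the UTM and kernel markers, an event tag such as WAN2LAN[ACCEPT], and KEY=VALUE pairs. The script below is an added example by the editor, not NETGEAR code: it parses lines of that shape and turns them into the summary a practitioner actually wants from this log (drops per zone pair and source, ICMP redirects, invalid packets). The sample lines are constructed to follow the UTM's bracketed form (this page's extraction stripped the brackets and the '=' signs) and use one syslog timestamp style throughout.

```python
"""Parse and summarize UTM kernel firewall log lines (Tables C-15 to C-17 and the
zone-to-zone routing logs).

Editor's illustration, not NETGEAR code. SAMPLE_LOG is constructed from the
message shapes in the manual.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Nov 29 10:05:15 [UTM] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:44:06 [UTM] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:19:43 [UTM] [kernel] DMZ2WAN[DROP] IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Feb 22 14:36:07 [UTM] [kernel] LOG_PACKET SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1
Jan  1 07:24:13 [UTM] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
Oct  1 00:44:17 [UTM] [kernel] INVALID NO_CONNTRACK_ENTRY DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\[UTM\]\s+\[kernel\]\s+(?P<rest>.+)$")
ZONES_RE = re.compile(r"^(\w+?)2(\w+)\[")   # e.g. DMZ2LAN[DROP] -> ("DMZ", "LAN")


def parse_line(line):
    """Return a dict for one kernel log line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, tag_words = {}, []
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value          # KEY=VALUE pairs: IN, OUT, SRC, DST, PROTO, ...
        else:
            tag_words.append(token)      # everything else names the event
    tag = " ".join(tag_words)
    action = "DROP" if "DROP" in tag else "ACCEPT" if "ACCEPT" in tag else "LOG"
    zones = ZONES_RE.match(tag)
    return {"ts": m.group("ts"), "tag": tag, "action": action,
            "zones": (zones.group(1), zones.group(2)) if zones else None, **fields}


def summarize(text):
    """Count drops per (zone pair, source) and pick out the events worth a second look."""
    drops, redirects, invalid = Counter(), [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "DROP":
            drops[(rec["zones"], rec.get("SRC"))] += 1
        if rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "5":
            # ICMP Redirect: expected only from the gateway a host already uses.
            redirects.append((rec.get("SRC"), rec.get("DST")))
        if rec["tag"].startswith("INVALID"):
            invalid += 1
    return {"drops": drops, "icmp_redirects": redirects, "invalid": invalid}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Feed it the UTM's syslog export instead of SAMPLE_LOG; the drop counter keyed by zone pair and source is the quickest way to spot a DMZ host that has started probing the LAN, which a single DMZ2LAN[DROP] line on its own does not reveal.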
dow. For example: Company Customer Support.

Banner Title: The banner title of a banner message that users see before they log in to the portal. For example: Welcome to Customer Support. Note: For an example, see Figure 8-8 on page 8-15. The banner title text is displayed in the orange header bar.

Banner Message: The text of a banner message that users see before they log in to the portal. For example: In case of login difficulty, call 123-456-7890. Enter a plain text message, or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters. Note: For an example, see Figure 8-8 on page 8-15. The banner message text is displayed in the grey header bar.

Display banner message on login page: Select this checkbox to show the banner title and banner message text on the login screen, as shown in Figure 8-8 on page 8-15.

HTTP meta tags for cache control (recommended): Select this checkbox to apply HTTP meta tag cache control directives to this portal layout. The cache control directives include:
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date Web pages, themes, and data from being stored in a user's Web browser cache.

Two caveats. Because the banner message accepts HTML and JavaScript, whatever an administrator enters there runs in every user's browser on the login page, so limit who may edit portal layouts. And http-equiv meta tags are honoured only by the browser, for the HTML document that carries them; proxies and other intermediaries act on the Cache-Control response header, not on tags inside the page, so the tags reduce browser caching but are not a substitute for the header.

V
down menu, specify one of the following actions when a password-protected attachment to an e-mail is detected:
- Delete attachment: The e-mail is not blocked, but the attachment is deleted and a log entry is created.
- Log only: This is the default setting. Only a log entry is created. The e-mail is not blocked, and the attachment is not deleted.

A password-protected archive cannot be opened by the scanner, so with the default "Log only" setting such attachments reach the user unscanned. Password-protected archives are a routine malware delivery method precisely because of this; consider "Delete attachment" for mail from outside the organization.

Table 6-3. E-mail Filter Settings (continued)

Filter by File Type, File Extension: By default, the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions; the maximum total length of this field, excluding the delimiter commas, is 160 characters. You can also use the pull-down menu to add predefined file extensions from a specific category to the File Extension field:
- None: No file extensions are added to the File Extension field. This is the default setting.
- Executables: Executable file extensions (exe, com, dll, so, lib, scr, bat, and cmd) are added to the File Extension field.
- Audio/Video: Audio and video file extensions (wav, mp3, avi, rm, rmvb, wma, wmv, mpg, mp4, and aac) are added to the File Extension field.
- Compressed Files: Compressed fi
dress of a different interface. The options are:
- WAN Interface Address: All the outgoing packets on the WAN are assigned the address of the selected WAN interface.
- Single Address: All the outgoing packets on the WAN are assigned the specified IP address, for example a secondary WAN address that you have configured. Note: This option is available only when the WAN mode is NAT. The IP address specified should fall within the WAN subnet.

Inbound Rules (Port Forwarding)

If you have enabled Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server, based on the destination port number. This process is also known as port forwarding.

Whether or not DHCP is enabled affects how the server's LAN address is reached and therefore affects the inbound rules. For example:
- If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your networ
dress of a remote device, such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
- Check that your PC has the IP address of your UTM listed as the default gateway. If the IP configuration of your PC is assigned by DHCP, this information is not visible in your PC's Network Control Panel.
- Check that the network address of your PC (the portion of the IP address specified by the netmask) is different from the network address of the remote device.
- Check that the modem or router is connected and functioning.
- If your ISP assigned a host name, system name, or account name to your PC, enter that name in the Account Name field on the WAN1 ISP Settings or WAN2 ISP Settings screen (dual WAN port models) or in the Account Name field on the WAN ISP Settings screen (single WAN port models). You might also have to enter the assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information (see Manually Configuring the Internet Connection on page 3-5).
- Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by allowing traffic only from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure
during working hours, you can create an outbound rule to block that application from any internal IP address to any external address, according to the schedule that you have created in the Schedule menu. See the example in Figure 5-15 on page 5-27. You can also enable the UTM to log any attempt to use Instant Messenger during the blocked period.

[Figure 5-15: Add LAN WAN Outbound Service screen. Service: AIM; Action: BLOCK by schedule, otherwise allow; Select Schedule: Schedule 1; LAN Users: Any (Start/Finish); WAN Users: Any (Start/Finish); QoS Profile: Normal_Service; Log: Never; Bandwidth Profile: NONE; NAT IP: WAN Interface Address.]

A service rule matches the application by its well-known ports and protocol, so a client configured to connect on another port (80 or 443, for example) is not matched by it. For control of the application itself, use the instant messaging settings under content filtering (see Table 6-1) in addition to the rule.

Configuring Other Firewall Features

You can configure attack checks, set session limits, and manage the Application Level Gateway (ALG) for SIP sessions.

Attack Checks

The Attack Checks screen allows you to specify whether the UTM should be protected against common attacks in the DMZ, LAN, and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined in Table 5-4 on page 5-28.

To enable the appropriate attack checks for your network environment:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs
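The rule tables in this chapter (the DMZ WAN outbound and inbound tables, the public Web server and branch-office videoconference inbound examples, the LAN WAN precedence note, and the scheduled AIM rule above) all share one evaluation model: rules are tried in table order, the first match decides, a "by schedule" action applies only while the schedule is active, unmatched traffic gets the table's default policy, and an inbound packet that matches a LAN WAN rule is never tested against the DMZ WAN rules. The script below is an added example by the editor that implements that model so the interaction of ordering, schedules and the two inbound tables can be checked before rules go live; it is not UTM firmware. The Rule and Schedule structures, the packet dictionary, the service names, and the addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes) are this script's own constructions.

```python
"""First-match evaluation of UTM-style service rules with schedule-qualified actions
and LAN WAN precedence over DMZ WAN for inbound traffic.

Editor's illustration, not UTM firmware. Rule tables at the bottom are
constructed to mirror the examples in this chapter.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

ACTIONS = ("BLOCK always", "ALLOW always",
           "BLOCK by schedule otherwise allow", "ALLOW by schedule otherwise block")


@dataclass
class Schedule:
    days: frozenset          # weekday numbers, Monday=0 .. Sunday=6
    start: time
    end: time

    def active(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class Rule:
    service: str                          # "ANY" or a service name such as "AIM" or "HTTP"
    action: str                           # one of ACTIONS
    schedule: Optional[Schedule] = None   # required for the "by schedule" actions
    src: str = "Any"                      # "Any", a single address, or a CIDR prefix
    dst: str = "Any"
    enabled: bool = True                  # disabled rules stay in the table but never match


def addr_match(spec, ip):
    return spec == "Any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return (rule.enabled and rule.service in ("ANY", pkt["service"])
            and addr_match(rule.src, pkt["src"]) and addr_match(rule.dst, pkt["dst"]))


def decide(rule, when):
    """Turn the rule's action and the schedule state at time 'when' into ALLOW or BLOCK."""
    if rule.action not in ACTIONS:
        raise ValueError(f"unknown action {rule.action!r}")
    if rule.action.endswith("always"):
        return rule.action.split()[0]
    if rule.schedule is None:
        raise ValueError("schedule-qualified action without a schedule")
    in_window = rule.schedule.active(when)
    if rule.action.startswith("BLOCK"):
        return "BLOCK" if in_window else "ALLOW"
    return "ALLOW" if in_window else "BLOCK"


def evaluate(rules, pkt, default):
    """First matching rule wins; 'default' is the table's default policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return decide(rule, pkt["when"])
    return default


def evaluate_inbound(lan_wan_rules, dmz_wan_rules, pkt):
    """LAN WAN inbound rules are consulted first; a match there ends the search."""
    for rule in lan_wan_rules:
        if rule_matches(rule, pkt):
            return decide(rule, pkt["when"])
    return evaluate(dmz_wan_rules, pkt, default="BLOCK")   # inbound is blocked unless a rule allows it


# Constructed tables mirroring this chapter's examples.
WORK_HOURS = Schedule(days=frozenset({0, 1, 2, 3, 4}), start=time(9, 0), end=time(17, 0))
OUTBOUND = [Rule("AIM", "BLOCK by schedule otherwise allow", WORK_HOURS)]
LAN_WAN_INBOUND = [
    Rule("HTTP", "ALLOW always", dst="192.168.1.99"),                              # public Web server
    Rule("VIDEOCONF", "ALLOW always", src="203.0.113.0/24", dst="192.168.1.50"),   # branch office only
]
DMZ_WAN_INBOUND = [Rule("HTTP", "ALLOW always", dst="192.168.20.10")]


def outbound(service, src, dst, when_iso):
    when = datetime.fromisoformat(when_iso)
    return evaluate(OUTBOUND, {"service": service, "src": src, "dst": dst, "when": when}, default="ALLOW")


def inbound(service, src, dst, when_iso):
    when = datetime.fromisoformat(when_iso)
    return evaluate_inbound(LAN_WAN_INBOUND, DMZ_WAN_INBOUND,
                            {"service": service, "src": src, "dst": dst, "when": when})


if __name__ == "__main__":
    print(outbound("AIM", "192.168.1.20", "64.12.24.1", "2010-01-13T12:00"))          # Wednesday noon
    print(inbound("VIDEOCONF", "198.51.100.7", "192.168.1.50", "2010-01-13T12:00"))   # not a branch address
```

Because DMZ_WAN_INBOUND is only reached when no LAN WAN rule matched, an HTTP rule in the LAN WAN table with dst "Any" would silently shadow every DMZ Web server; the evaluation above makes that kind of shadowing visible before the rule is applied on the appliance.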
265. [Figure 5-4 (screen residue): Log: None; Bandwidth Profile: NONE]
2. Enter the settings as explained in Table 5-3 on page 5-8.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.

Setting DMZ WAN Rules

The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen. The default outbound policy is to allow all traffic from and to the Internet to pass through. You can then apply firewall rules to block specific types of traffic from either going out from the DMZ to the Internet (outbound) or coming in from the Internet to the DMZ (inbound). There is no pull-down menu that lets you set the default outbound policy as there is on the LAN WAN Rules screen. You can change the default outbound policy by blocking all outbound traffic and then enabling only specific services to pass through the UTM. You do so by adding outbound services rules (see DMZ WAN Outbound Services Rules on page 5-17).

To access the DMZ WAN Rules screen:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear.
2. Click the DMZ WAN Rules submenu tab. The DMZ WAN Rules screen displays. Figure 5-5 shows a rule in the Outbound Services table as an example.

[Figure 5-5 (screen residue): tabs LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit, Advance
266. • Revert to factory default settings: Default
[Figure 10-5: Backup & Restore Settings screen]

Backup Settings

The backup feature saves all UTM settings to a file. These settings include:
• Network settings. IP address, subnet mask, gateway, and so on.
• Scan settings. Services to scan, primary and secondary actions, and so on.
• Update settings. Update source, update frequency, and so on.
• Anti-spam settings. Whitelist, blacklist, content filtering settings, and so on.

Back up your UTM settings periodically, and store the backup file in a safe place.

Tip: You can use a backup file to export all settings to another UTM that has the same language and management software versions. Remember to change the IP address of the second UTM before deploying it to eliminate IP address conflicts on the network.

To back up settings:
1. On the Backup & Restore Settings screen (see Figure 10-5), next to Save a copy of current settings, click the backup button to save a copy of your current settings. A dialog screen appears, showing the file name of the backup file, backup.gpg.
2. Select Save file, and then click OK.
3. Open the folder where you have saved the backup file, and then verify that it has been saved successfully.
Note the following:
• If your browser is not configured to save downloaded files automatica
267. • Group. Each PC or device can be assigned to a single LAN group. By default, a PC or device is assigned to Group 1. You can select a different LAN group from the Group pull-down menu in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen.
• Action. The Edit table button that provides access to the Edit Groups and Hosts screen.

Note: If the UTM is rebooted, the data in the Known PCs and Devices table is lost until the UTM rediscovers the devices.

Viewing the DHCP Log

To review the most recent entries in the DHCP log:
1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view (see Figure 11-20 on page 11-30).
2. Click the DHCP Log option arrow at the top right of the LAN Setup screen. The DHCP Log appears in a popup window (see Figure 11-22 on page 11-32). To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.

[Figure 11-22: DHCP Log]
2009 Sep 19 06:15:10 UTM dhcpd: Wrote 0 leases to leases file
2009 Sep 19 06:15:10 UTM dhcpd: Listening on LPF/eth0.1/00
2009 Sep 19 06:15:10 UTM dhcpd: Sending on LPF/eth0.1/00
2009 Sep 19 06:15:10 UTM dhcpd: Sending on Socket/fallba
2009 Sep 19 06:15:12 UTM dhcpd: Wrote 0 leases to lea
268. e traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated De-Militarized Zone (DMZ) port to forward the traffic to one PC on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal 4-port 10/100/1000 Mbps switch and single or dual (model dependent) 10/100/1000 WAN ports, the UTM can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The four LAN and one or two WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The UTM incorporates Auto Uplink technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection (such as to a PC) or an uplink connection (such as to a switch or hub). That port then configures itself to the correct configuration. This feature eliminates the need to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.

Extensive Protocol Support

The UTM supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see Internet Configuration Requirements o
269. e using the default IP address or the IP address that you assigned to the UTM in Setup Wizard Step 1 of 10: LAN Settings on page 2-8. The UTM is ready for use. However, some important tasks that you might want to address before you deploy the UTM in your network are listed below:
• Configuring the WAN Mode (Required for Dual WAN Port Models Only) on page 3-9
• Configuring VPN Authentication Domains, Groups, and Users on page 9-1
• Managing Digital Certificates on page 9-17
• Using the IPsec VPN Wizard for Client and Gateway Configurations on page 7-3
• Using the SSL VPN Wizard for Client Configurations on page 8-2

Chapter 3: Manually Configuring Internet and WAN Settings

Note: The initial Internet configuration of the UTM is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. If you used the Setup Wizard to configure your Internet settings, you need this chapter only to configure WAN features such as Dual WAN and Dynamic DNS, and to configure secondary WAN addresses and advanced WAN options.

This chapter contains the following sections:
• Understanding the Internet and WAN Configuration Tasks on this page
• Configuring the Internet Connections on page 3-2
• Configuring the WAN Mode (Required for Dual WAN Port Models Only) on page 3-9
• Con
270. Reverting to Factory Default Settings

To reset the UTM to the original factory default settings, you can use one of the following two methods:
• Using a sharp object, press and hold the Reset button on the rear panel of the UTM (see Rear Panel on page 1-12) for about eight seconds until the Test LED turns on and begins to blink (about 30 seconds). To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Reset button method.
• On the Backup & Restore Settings screen (see Figure 10-5 on page 10-16), next to Revert to factory default settings, click the default button. The UTM reboots. If you use the software default button, the Backup & Restore Settings screen remains visible during the reboot process. The reboot process is complete after several minutes when the Test LED on the front panel goes off.

Warning: When you push the hardware Reset button or click the software default button, the UTM settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost. Back up your settings if you intend on using them.

Note: After rebooting with factory default settings, the UTM's password is password and the LAN IP address is 192.168.1.1.

Updating the Firmware

The UTM can automatically detect any new firmware version from NETGEAR. The firmware upgrade process for the UTM consists
271. [Figure 7-11: NETGEAR ProSafe VPN Client menu (Security Policy Editor, Certificate Manager, Deactivate Security Policy, Reload Security Policy, Disconnect, Connect, Log Viewer, Connection Monitor, Help, About NETGEAR ProSafe VPN Client, Remove Icon)]

[Screen residue: Security Policy Editor, NETGEAR ProSafe VPN Client; Global Policy Settings, Policy Management, Certificate Settings, Certificate Manager; None Specified; Connections]

2. In the upper left of the Policy Editor window, click the New Connection icon (the first icon on the left) to open a new connection. Give the new connection a name; in this example, we are using UTM_SJ.

[Figure 7-12: Security Policy Editor, NETGEAR ProSafe VPN Client. Network Security Policy: My Connections (UTM_ireland, UTM_Test, FVS336G_Lab), Other Connections. Connection Security: Secure (Non-secure, Only Connect Manually, Block). Remote Party Identity and Addressing: ID Type IP Subnet, Subnet 192.168.1.0, Subnet Mask 255.255.255.0, Protocol All; Use Secure Gateway Tunnel; ID Type Domain Name; Gateway IP Address 192.168.50.61]
272. LDAP Server. A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query e-mail addresses, contact information, and other service information using an LDAP server. For each VLAN, you can specify an LDAP server and a search base that defines the location in the directory (that is, the directory tree) from which the LDAP search begins.

Configuring a VLAN Profile

For each VLAN on the UTM, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, and DNS server.

To add or edit a VLAN profile:
1. Select Network Config > LAN Settings from the menu. The LAN submenu tabs appear with the LAN Setup screen in view (see Figure 4-2, which shows two VLAN profiles as an example).

Note: For information about how to manage VLANs, see Managing the UTM's Port-Based VLANs on page 4-2. The information below describes how to configure a VLAN profile.

[Figure 4-2: LAN Setup screen. Tabs: WAN Settings, Protocol Binding, Dynamic DNS, WAN Metering, DMZ Setup, Routing, Email Notification; LAN Setup, LAN Groups, LAN Multi-homing, DHCP Log. VLAN profile table:
Profile Name | VLAN ID | Subnet IP | DHCP Status | Action
defaultVlan | 1 | 192.168.1.1 | DHCP Enabled | edit
SalesVLAN | 2 | 192.170.1.100 | DHCP Disabled | edit
Buttons: Select All, Delete, Enable, Disable. Port membership: Port 1, Port 2, Port 3, Port 4, DMZ]
273. e Route, DNS lookup, and remote reboot.
• Remote management. The UTM allows you to log in to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
• Visual monitoring. The UTM's front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the UTM:
• Flash memory for firmware upgrade.
• Technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product.

Model Comparison

Table 1-1 compares the UTM models to show the differences. For performance specifications and sizing guidelines, see NETGEAR's marketing documentation at http://prosecure.netgear.com.

Table 1-1. Differences Between the UTM Models
Feature | UTM5 | UTM10 | UTM25
IPsec VPN tunnels: number of supported site-to-site IPsec VPN tunnels (from which the model derives its model number) | 5 | 10 | 25
Hardware: LAN ports (Gigabit RJ-45) | 4 | 4 | 4
Hardware: WAN ports (Gigabit RJ-45) | 1 | 1 | 2
Hardware: DMZ interfaces (configurable) | 1 | 1 | 1

Table 1-1. Differences Between the UTM Models (continued)
Feature
274. e Web services include IMail Web Calendaring, ZixForum, ScozNet, ScozNews, and other services.
inappropriate | Detects visits to pornographic Web sites.
Misc policy | Detects traffic that violates common policies, such as traffic that flows because of certain network installer applications and traffic that flows when Google SafeSearch is turned off.
misc | Detects the Web attacks that cannot be placed in other categories, such as attacks specifically against SNMP or DNS.

Chapter 6: Content Filtering and Optimizing Scans

This chapter describes how to apply the content filtering features of the UTM and how to optimize scans to protect your network. This chapter contains the following sections:
• About Content Filtering and Scans on this page
• Configuring E-mail Protection on page 6-3
• Configuring Web and Services Protection on page 6-19
• Setting Web Access Exceptions and Scanning Exclusions on page 6-41

About Content Filtering and Scans

The UTM provides very extensive Web content and e-mail content filtering options, Web browsing activity reporting, e-mail anti-virus and anti-spam options, and instant alerts via e-mail. You can establish restricted Web access policies that are based on the time of day, Web addresses, and Web address keywords. You can also block Internet access by applications and services, such as ins
275. e a DNS server address in the Network menu before the UTM can perform this lookup.

Chapter 11: Monitoring System Access and Performance

This chapter describes the system monitoring features of the UTM. You can be alerted to important events such as a WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described.

Note: All log and report functions that are part of the Logs & Reports configuration menu and some of the functions that are part of the Diagnostics configuration menu require that you configure the e-mail notification server (see Configuring the E-mail Notification Server on page 11-5).

This chapter contains the following sections:
• Enabling the WAN Traffic Meter on this page
• Configuring Logging, Alerts, and Event Notifications on page 11-5
• Monitoring Real-Time Traffic, Security, and Statistics on page 11-14
• Viewing Status Screens on page 11-20
• Querying Logs and Generating Reports on page 11-32
• Using Diagnostics Utilities on page 11-43

Enabling the WAN Traffi
276. e connections covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block

The section below summarizes the various criteria that you can apply to inbound rules and that might increase traffic. For more information about inbound rules, see Inbound Rules (Port Forwarding) on page 5-6. For detailed procedures on how to configure inbound rules, see Setting LAN WAN Rules on page 5-12 and Setting DMZ WAN Rules on page 5-15.

When you define inbound firewall rules, you can further refine their application according to the following criteria:
• Services. You can specify the services or applications to be covered by an inbound rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see Services-Based Rules on page 5-3 and Adding Customized Services on page 5-32).
• WAN Destination IP Address. For the dual WAN port models only, you can specify the destination IP address for incoming traffic. Traffic is directed to the specified address only when the destination IP address of the incoming packet matches the IP address of the selected WAN interface (that is, the WAN1 or WAN2 interface). For the single WAN port models, the WAN Destination IP Address is a fixed field.
• LAN Users. You can specify which computers on your network are affected by an inbound rule. There are several options: Any (All PCs
277. e full-duplex settings do not function properly. Select one of the following speeds from the pull-down menu:
• AutoSense. Speed autosensing. This is the default setting, which can sense 1000BaseT speed at full duplex.
• 10BaseT Half_Duplex. Ethernet speed at half duplex.
• 10BaseT Full_Duplex. Ethernet speed at full duplex.
• 100BaseT Half_Duplex. Fast Ethernet speed at half duplex.
• 100BaseT Full_Duplex. Fast Ethernet speed at full duplex.
Router's MAC Address | Make one of the following selections:
• Use Default Address. Each computer or router on your network has a unique 32-bit local Ethernet address. This is also referred to as the computer's Media Access Control (MAC) address. To use the UTM's own MAC address, select the Use Default Address radio button.
• Use this computer's MAC. Select the Use this computer's MAC radio button to allow the UTM to use the MAC address of the computer you are now using to access the Web Management Interface. This setting is useful if your ISP requires MAC authentication.

Table 3-8. Advanced WAN Settings (continued)
Setting | Description (or Subfield and Description)
• Use this MAC Address. Select the Use this MAC Address radio button to manually enter the MAC a
Upload/Download Settings | These settings rate limit the
278. e password. Here, too, use lower case letters.

Note: The UTM user name and password are not the same as any user name or password you might use to log in to your Internet connection.

5. Click Login. The Web Management Interface appears, displaying the System Status screen. Figure 2-2 on page 2-4 shows the top part of a dual WAN port model screen. For information about this screen, see Viewing System Status on page 11-20.

Note: After 5 minutes of inactivity (the default login time-out), you are automatically logged out.

[Figure 2-2: System Status screen (panels: System with CPU, Memory and Disk usage; Services with SMTP, POP3, IMAP, HTTP, HTTPS, FTP status and Active Connections; System up Time; System Information; Firmware Information with Type, Version, Last Downloaded, Last Update for the Scan engine, Pattern file and Firewall components; License Expiration Date for Email Protection, Web Protection and Maintenance; Hardware Serial Number)]
279. e password, user type, and idle timeout settings. Only administrators have read/write access. All other users have read-only access.

Note: The default password for the administrator and for a guest to access the UTM's Web management interface is password.

To modify user settings:
1. Select Users > Users from the menu. The Users screen displays (see Figure 9-5 on page 9-10).
2. In the Action column of the List of Users table, click the Edit table button for the user for which you want to modify the settings. The Edit User screen displays.

[Figure 9-10: Edit User screen (User Name: TestUser; User Authentication Type: local; Select User Type: SSL VPN User; Check to Edit Password; Enter Your Password; New Password; Confirm New Password; Idle Timeout, in minutes)]

3. Enter the settings as explained in Table 9-6.

Table 9-6. Edit User Settings
Setting | Description (or Subfield and Description)
User Type | From the pull-down menu, select one of the pre-defined user types that determines the access credentials:
• Administrator. User who has full access and the capacity to change the UTM configuration (that is, read/write access).
• SSL VPN User. User who can only log in to the SSL VPN portal.
• IPSEC VPN User. User who can only
280. e same network as the LAN TCP/IP address of the UTM (the IP address in the LAN TCP/IP section above).
Primary DNS Server | This is optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM uses the VLAN IP address as the primary DNS server IP address.
Secondary DNS Server | This is optional. If an IP address is specified, the UTM provides this address as the secondary DNS server IP address.
WINS Server | This is optional. Enter a WINS server IP address to specify the Windows NetBios server if one is present in your network.
Lease Time | Enter a lease time. This specifies the duration for which IP addresses are leased to clients.
DHCP Relay | Select the DHCP Relay radio button to use the UTM as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the following setting:
Relay Gateway | The IP address of the DHCP server for which the UTM serves as a relay.
Enable LDAP information | Select the Enable LDAP information checkbox to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the settings below.
Note: The LDAP settings that you specify as part of the VLAN profile are used only for SSL VPN and UTM authentication, but not for Web and e-mail security.
LDAP Server | The IP address or name of the LDAP server.
281. e screen adjusts.

[Figure 7-29: Security Policy Editor, NETGEAR ProSafe VPN Client. Network Security Policy: My Connections, ModeConfigTest, My Identity. Select Certificate: None. ID Type: Domain Name, utm25_remote.com. Secure Interface Configuration: Virtual Adapter Disabled; Internet Interface Name Any; IP Addr Any. Pre-Shared Key dialog: Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key.]

6. Enter the settings as explained in Table 7-18.

Table 7-18. Security Policy Editor: My Identity (Mode Config) Settings
Setting | Description (or Subfield and Description)
Select Certificate | From the pull-down menu, select None. The Pre-Shared Key window appears.
Pre-Shared Key | Enter the same pre-shared key that you specified on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-10). In this example, the pre-shared key is 12345678910. However, the pre-shared key is masked for security.

Table 7-18. Security Policy Editor: My Identity (Mode Config) Settings (continued)
Setting | Description (or Subfield and Description)
ID Type
282. e selection of the Identifier Type pull-down menu, enter the IP address, e-mail address, FQDN, or distinguished name.
Remote Identifier Type | From the pull-down menu, select one of the following ISAKMP identifiers to be used by the remote endpoint, and then specify the identifier in the field below:
• Local WAN IP. The WAN IP address of the remote endpoint. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
• FQDN. The FQDN for a remote gateway.
• User FQDN. The e-mail address for a remote VPN client or gateway.
• DER ASN1 DN. A distinguished name (DN) that identifies the remote endpoint in the DER encoding and ASN.1 format.
Identifier | Depending on the selection of the Identifier Type pull-down menu, enter the IP address, e-mail address, FQDN, or distinguished name.
IKE SA Parameters
Encryption Algorithm | From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA):
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.

Table 7-10. Add IKE
283. e the spam score, because the NETGEAR Spam Classification Center performs the scoring automatically as long as the UTM is connected to the Internet. However, this does mean that the UTM must be connected to the Internet for the spam analysis to be performed correctly.

To configure Distributed Spam Analysis and the anti-spam engine settings:
1. Select Application Security > Anti-Spam from the menu. The Anti-Spam submenu tabs appear with the Whitelist/Blacklist screen in view.
2. Click the Distributed Spam Analysis submenu tab. The Distributed Spam Analysis screen displays (see Figure 6-6 on page 6-17).

[Figure 6-6: Distributed Spam Analysis screen. Application Security tabs: HTTP/HTTPS, FTP, Block/Accept Exceptions, Scanning Exclusions; Anti-Spam tabs: Whitelist/Blacklist, Real-time Blacklist, Distributed Spam Analysis. Distributed Spam Analysis section: Sensitivity: Medium high; Action: SMTP Tag spam email; POP3: Add tag to mail subject [SPAM] (Maximum 32 characters); Add tag X-NETGEAR-SPAM to mail header. Anti-Spam Engine Settings section: Use a proxy server to connect to the Detection Center; This proxy server requires authentication.]

3. Enter the settings as explained in Table 6-5.

Table 6-5. Distributed Spam Analysis Settings
Setting | Description (or Subfield and Description)
Dis
284. earing, install a root certificate on the client PC. The root certificate can be downloaded from the UTM's Manager Login screen (see Figure 2-1 on page 2-3).

If client authentication is required, the UTM might not be able to scan the HTTPS traffic because of the nature of SSL. SSL has two parts: client and server authentication. HTTPS server authentication occurs with every HTTPS request, but HTTPS client authentication is not mandatory and rarely occurs. Therefore, it is of less importance whether the HTTPS request comes from the UTM or from the real HTTPS client. However, certain HTTPS servers do require HTTPS client certificate authentication for every HTTPS request. Because of the design of SSL, the HTTPS client must present its own certificate in this situation rather than using the one from the UTM, preventing the UTM from scanning the HTTPS traffic. For information about certificates, see Managing Digital Certificates on page 9-17.

You can specify trusted hosts for which the UTM bypasses HTTPS traffic scanning. For more information, see Specifying Trusted Hosts on page 6-37.

To configure the HTTPS scan settings:
1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view.
2. Click the HTTPS Settings submenu tab
285. easier and to understand all of the choices that are available to you, consider the following before you begin:
1. Plan your network.
   a. Determine whether you will use one or both WAN ports. For one WAN port, you might need a fully qualified domain name, either for convenience or to remotely access a dynamic WAN IP address.
   b. If you intend to use both WAN ports, determine whether you will use them in auto-rollover mode for increased system reliability or load balancing mode for maximum bandwidth efficiency. See the topics in this appendix for more information. Your decision has the following implications:
   • Fully qualified domain name (FQDN). For auto-rollover mode, you will need a FQDN to implement features such as exposed hosts and virtual private networks. For load balancing mode, you might still need a FQDN, either for convenience or to remotely access a dynamic WAN IP address.
   • Protocol binding. For auto-rollover mode, protocol binding does not apply. For load balancing mode, decide which protocols should be bound to a specific WAN port. You can also add your own service protocols to the list.
2. Set up your accounts.
   a. Obtain active Internet services such as cable or DSL broadband accounts, and locate the Internet service provider (ISP) configurat
286. ecify the protocols that are queried. The following protocols can be selected:
• For Traffic and Malware logs: SMTP, POP3, IMAP, HTTP, FTP, and HTTPS.
• For the Spam log: SMTP and POP3.
• For the Email filters log: SMTP, POP3, and IMAP.
• For the Content filters log: HTTP, FTP, and HTTPS.

Table 11-15. Logs Query Settings (continued)
Setting | Description (or Subfield and Description)
Search Criteria (continued)
Client IP | The client IP address that is queried. This field is available for the following logs: Traffic, Spam, Malware, Content filters, Port Scan, IPS, Instant Messaging/Peer to Peer.
Server IP | The server IP address that is queried. This field is available for the following logs: Traffic, Malware, Content filters, Port Scan, IPS, Instant Messaging/Peer to Peer.
Category | From the pull-down menu, select a category that is queried. The following categories can be selected:
• For the IPS log: a threat protocol or application.
• For the Instant Messaging/Peer to Peer log: an instant messaging or peer-to-peer application.
Reason | Select one or more checkboxes to specify the reasons that are queried. The following reasons can be selected:
• For the Email filters log: keyword, file type, file name, password, and size limit.
• For
287. edule. You specify the days of the week and time of day for each schedule. For more information, see Setting a Schedule to Block or Allow Specific Traffic on page 5-41.
• QoS Profile. You can define QoS profiles and then apply them to outbound rules to regulate the priority of traffic. To define QoS profiles, see Creating Quality of Service (QoS) Profiles on page 5-35.
• Bandwidth Profile. You can define bandwidth profiles and then apply them to outbound rules to limit traffic. To define bandwidth profiles, see Creating Bandwidth Profiles on page 5-38.

Content Filtering

If you want to reduce traffic by preventing undesired e-mails from reaching their destinations or by preventing access to certain sites on the Internet, you can use the UTM's content filtering feature. By default, this feature is disabled: all requested traffic from any Web site is allowed, with the exception of Web content categories that are mentioned in Default E-mail and Web Scan Settings on page 6-2.
• E-mail Content Filtering. To reduce incoming e-mail traffic, you can block e-mails with large attachments, reject e-mails based on keywords, file extensions, or file names, and set spam protection rules. There are several ways you can reduce undesired e-mail traffic:
   - Setting the size of e-mail files to be scanned.
   - Scannin
288. ... 3-2
Setting the UTM's MAC Address ... 3-5
Manually Configuring the Internet Connection ... 3-5
Configuring the WAN Mode (Required for Dual WAN Port Models Only) ... 3-9
Network Address Translation (All Models) ... 3-10
Classical Routing (All Models) ... 3-11
Configuring Auto-Rollover Mode (Dual WAN Port Models Only) ... 3-11
Configuring Load Balancing and Optional Protocol Binding (Dual WAN Port Models Only) ... 3-14
Configuring Secondary WAN Addresses ... 3-17
Configuring Dynamic DNS ... 3-19
Configuring Advanced WAN Options ... 3-22
Additional WAN Related Configuration Tasks ... 3-24

Chapter 4 LAN Configuration
Managing Virtual LANs and DHCP Options ... 4-1
Managing the UTM's Port-Based VLANs ... 4-2
VLAN DHCP Options ... 4-4
Configuring a VLAN Profile ...
289. efer to the CA for guidelines about the information that you must include in your CSR. To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the UTM:
1. Select VPN > Certificates from the menu. The Certificates screen displays. Figure 9-13 on page 9-22 shows the middle section of the screen with the Active Self Certificates section, the Generate Self Certificate Request section, and the Self Certificate Requests section. The Self Certificate Requests table contains some examples.
[Figure 9-13: Certificates screen. Active Self Certificates table (Name, Subject Name, Serial Number, Issuer Name); Generate Self Certificate Request fields (Name, Subject, Hash Algorithm, Signature Algorithm, Signature Key Length, IP Address (Optional), Domain Name (Optional), E-mail Address (Optional)); Self Certificate Requests table listing SampleCertificate_UTM and SampleCertificate_2_UTM, each with status "Active Self Certificate Not Uploaded"; Upload certificate corresponding to a request above (Certificate File, Browse, Upload).]
2
290. eference Manual. The following sections explain the five configuration screens of the SSL VPN Wizard. On the sixth screen, you can save your SSL VPN policy. The tables in the following sections explain the buttons and fields of the SSL VPN Wizard screens. Additional information about the settings in the SSL VPN Wizard screens is provided in Manually Configuring and Editing SSL Connections on page 8-17 or in other chapters; each section below provides a specific link to a section in Manually Configuring and Editing SSL Connections on page 8-17 or to a section in another chapter.
SSL VPN Wizard Step 1 of 6: Portal Settings
[SSL VPN Wizard Step 1 of 6 screen. Portal Layout and Theme Name: Portal Layout Name, Portal Site Title, Banner Title, Banner Message ("In case of login difficulty, call 123 4..."); checkboxes: Display banner message on login page, HTTP meta tags for cache control (recommended), ActiveX web cache cleaner; SSL VPN Portal Pages to Display: VPN Tunnel page, Port Forwarding.]
Note: Leave the Portal Layout Name field blank if you wish to use the system default portal layout (SSL-VPN) without any changes. Otherwise, the wizard will attempt to create a new portal layout. Please make sure that the portal layout name is NOT used. If the Portal Layout Name already exists, the wizard will not be able to create a new portal layout under that name. You should check at least one of VPN Tunnel page and Port Forwa
291. ement UTM Appliance Reference Manual
Table 8-1. SSL VPN Wizard Step 1: Portal Settings (continued)
Item / Description or Subfield and Description
HTTP meta tags for cache control (recommended): Select this checkbox to apply HTTP meta tag cache control directives to this portal layout. Cache control directives include:
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date Web pages, themes, and data from being stored in a user's Web browser cache.
ActiveX web cache cleaner: Select this checkbox to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The Web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the Web browser window. The ActiveX Web cache control is ignored by Web browsers that do not support ActiveX.
SSL VPN Portal Pages to Display:
- VPN Tunnel page: Select this checkbox to provide full network connectivity.
- Port Forwarding: Select this checkbox to provide access to specific defined network services.
Note: Any pages that are not selected are not visible from the SSL VPN portal; however, users can still access the hidden pages unless you create SS
292. en a keyword that is defined in the Keywords field is detected:
- Block email. The e-mail is blocked and a log entry is created.
- Log only. This is the default setting. Only a log entry is created; the e-mail is not blocked.
POP3: From the POP3 pull-down menu, specify one of the following actions when a keyword that is defined in the Keywords field is detected:
- Block email. The e-mail is blocked and a log entry is created.
- Log only. This is the default setting. Only a log entry is created; the e-mail is not blocked.
Filter by Password-Protected Attachments (ZIP, RAR, etc.)
Action, SMTP: From the SMTP pull-down menu, specify one of the following actions when a password-protected attachment to an e-mail is detected:
- Block email. The e-mail is blocked and a log entry is created.
- Delete attachment. The e-mail is not blocked, but the attachment is deleted and a log entry is created.
- Log only. This is the default setting. Only a log entry is created; the e-mail is not blocked and the attachment is not deleted.
POP3: From the POP3 pull-down menu, specify one of the following actions when a password-protected attachment to an e-mail is detected:
- Delete attachment. The e-mail is not blocked, but the attachment is deleted and a log entry is created.
- Log only. This is the default setting. Only a log entry is created; the e-mail is not blocked and the attachment is not deleted.
IMAP: From the IMAP pull
293. en rectangle are allowed by default; categories that are preceded by a pink rectangle are blocked by default.
Blocked Categories Scheduled Days: Make one of the following selections:
- Select the All Days radio button to enable content filtering to be active all days of the week.
- Select the Specific Days radio button to enable content filtering to be active on the days that are specified by the checkboxes.
Blocked Categories Time of Day: Make one of the following selections:
- Select the All Day radio button to enable content filtering to be active all 24 hours of each selected day.
- Select the Specific Times radio button to enable content filtering to be active during the time that is specified by the Start Time and End Time fields for each day that content filtering is active.
Setup Wizard Step 8 of 10: Email Notification
[Figure 2-14: Setup Wizard Step 8 of 10, Email Notification screen. Fields: Show as mail sender (UTM_Notifications@netgear.com), SMTP server (mail.yourdomain.com), This server requires authentication (User name, Password), Send notifications to (admin@yourdomain.com; example: admin@yourdomain.com).]
Enter the settings as explained in Table 2-8, then click Next to go to the following screen
294. enable MAC filtering and add MAC addresses to be permitted or blocked:
1. Select Network Security > Address Filter from the menu. The Address Filter submenu tabs appear, with the Source MAC Filter screen in view (see Figure 5-26 on page 5-43, which shows one address in the MAC Addresses table as an example).
[Figure 5-26: Source MAC Filter screen (submenu tabs: Firewall Objects, Firewall, Port Triggering, Source MAC Filter, IP/MAC Binding). MAC Filtering Enable section ("Do you want to enable Source MAC Address Filtering?" Yes/No; Policy for MAC Addresses listed below); MAC Addresses table with the example entry aa:11:bb:22:cc:03; Add Source MAC Address section (MAC Address field, Add button).]
In the MAC Filtering Enable section, select the Yes radio button. In the same section, select one of the following options from the pull-down menu next to Policy for MAC Addresses listed below:
- Block. Traffic coming from all addresses in the MAC Addresses table is blocked.
- Permit. Traffic coming from all addresses in the MAC Addresses table is permitted.
Below Add Source MAC Address, build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field. A MAC address must be entered in the form xx:xx:xx:xx:xx:xx, where x is a numeral 0 to 9 or a letter between a and f inclusive, for example, aa:11
295. enu. The IPsec VPN submenu tabs appear, with the IKE Policies screen in view.
2. Click the VPN Policies submenu tab. The VPN Policies screen displays. Figure 7-22 shows some examples.
[Figure 7-22: VPN Policies screen (submenu tabs: IKE Policies, VPN Policies, VPN Wizard, Mode Config, RADIUS Client). Columns: Name, Type, Remote, Auth, Encr, Action. Example rows: Gw1 to Gw2 (Auto Policy, SHA-1, 3DES) and Client to UTM (Auto Policy, Remote: Any, SHA-1, 3DES, Client Policy). Buttons: Select All, Delete, Enable, Disable, Add.]
Each policy contains the data that are explained in Table 7-11. These fields are explained in more detail in Table 7-12 on page 7-35.
Table 7-11. List of VPN Policies Information
Item / Description or Subfield and Description
Status: Indicates whether the policy is enabled (green circle) or disabled (grey circle). To enable or disable a policy, select the checkbox adjacent to the circle and click the Enable or Disable table button as required.
Name: The name that identifies the VPN policy. When you use the VPN Wizard to create a VPN policy, the name of the VPN policy and of the automatically created accompanying IKE policy is the Connection Name.
Type: Auto or
296. eparate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies or manually add new VPN and IKE policies directly in the policy tables.
Managing IKE Policies
The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN gateways and provides automatic management of the keys that are used for IPsec connections. It is important to remember that:
- An automatically generated VPN policy (Auto Policy) must use the IKE negotiation protocol.
- A manually generated VPN policy (Manual Policy) cannot use the IKE negotiation protocol.
IKE policies are activated when the following situations occur:
1. The VPN policy selector determines that some traffic matches an existing VPN policy.
- If the VPN policy is of an Auto Policy type, the IKE policy that is specified in the Auto Policy Parameters section of the Add VPN Policy screen (see Figure 7-23 on page 7-34) is used to start negotiations with the remote VPN gateway.
- If the VPN policy is of a Manual Policy type, the settings that are specified in the Manual Policy Parameters section of the Add VPN Policy screen (see Figure 7-23 on page 7-34) are accessed, and the first matchin
297. eps to configure inbound rules are described in the following sections:
- Setting LAN-WAN Rules on page 5-12
- Setting DMZ-WAN Rules on page 5-15
- Setting LAN-DMZ Rules on page 5-19
Table 5-3. Inbound Rules Overview
Setting / Description or Subfield and Description
Service: The service or application to be covered by this rule. If the service or application does not appear in the list, you must define it using the Services menu (see Adding Customized Services on page 5-32).
Action (Filter): The action for outgoing connections covered by this rule:
- BLOCK always
- BLOCK by schedule, otherwise allow
- ALLOW always
- ALLOW by schedule, otherwise block
Note: Any inbound traffic that is not blocked by rules you create is allowed by the default rule.
Select Schedule: The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule.
- This pull-down menu is activated only when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the Action.
- Use the schedule screen to configure the time schedules (see Setting a Schedule to Block or Allow Specific Traffic on page 5-41).
Send to LAN Server: The LAN server address determines which computer on your network is hosting this service rule. You can also
298. er; when the reboot process is complete, connections to the Internet are automatically re-established when possible.
To reboot the UTM:
1. Locate the Reboot the System section on the Diagnostics screen.
2. Click the Reboot button. The UTM reboots. If you can see the unit, the reboot process is complete when the Test LED on the front panel goes off.
Note: See also Rebooting Without Changing the Firmware on page 10-21.
To shut down the UTM:
1. Locate the Reboot the System section on the Diagnostics screen.
2. Click the Shutdown button. The UTM shuts down.
Note: You can shut down the UTM using the Web Management Interface, but you cannot start up the UTM using the Web Management Interface.
Chapter 12 Troubleshooting and Using Online Support
This chapter provides troubleshooting tips and information for the UTM. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated:
- Is the UTM on? Go to Basic Functioning on page 12-2.
- Have I connected the UTM correctly? Go to Basic Functioning on page 12-2.
- I cannot access the UTM's Web Management Interface. Go to Troubleshooting the Web Management Interface on page 12-3.
- A time-out occurs. Go to When You Enter a URL or IP Address, a Time
299. er for the VLAN profile. No two VLANs can have the same VLAN ID number.
Note: You can enter VLAN IDs from 2 to 4093. VLAN ID 1 is reserved for the default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
Port Membership (Port 1, Port 2, Port 3, Port 4, DMZ): Select one, several, or all port checkboxes to make the port(s) a member of this VLAN.
Note: A port that is defined as a member of a VLAN profile can send and receive data frames that are tagged with the VLAN ID.
LAN TCP/IP Setup
IP Address: Enter the IP address of the UTM (the factory default is 192.168.1.1).
Note: Always make sure that the LAN port IP address and the DMZ port IP address are in different subnets.
Note: If you change the LAN IP address of the VLAN while connected through the browser to the VLAN, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to reconnect to the Web Management Interface.
Subnet Mask: Enter the IP subnet mask. The subnet mask specifies the network number portion of an IP address. Based on the IP address that you assign, the UTM automatically calculates the subnet mask. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the UTM).
DHCP
Disable DHCP: If another device on your network is the DHCP server for the VLAN
300. er side IP address.
Message 6: Primary DNS configured in the WAN status page.
Message 7: Secondary DNS configured in the WAN status page.
Message 8: The PPP link has transitioned to idle mode. This event occurs if there is no traffic from the LAN network.
Message 9: The time in minutes for which the link has been up.
Message 10: Data sent and received at the LAN side while the link was up.
Message 11: PPP connection terminated after idle timeout.
Recommended Action: To reconnect during idle mode, initiate traffic from the LAN side.
- PPTP Idle Timeout Logs
Table C-11. System Logs: WAN Status, PPTP Idle Timeout
Message 1: Nov 29 11:19:02 UTM pppd Starting connection
Message 2: Nov 29 11:19:05 UTM pppd CHAP authentication succeeded
Message 3: Nov 29 11:19:05 UTM pppd local IP address 192.168.200.214
Message 4: Nov 29 11:19:05 UTM pppd remote IP address 192.168.200.1
Message 5: Nov 29 11:19:05 UTM pppd primary DNS address 202.153.32.2
Message 6: Nov 29 11:19:05 UTM pppd secondary DNS address 202.153.32.2
Message 7: Nov 29 11:20:45 UTM pppd No response to 10 echo-requests
Nov 29 11:20:45 UTM pppd Serial link appears to be disconnected.
Nov 29 11:20:45 UTM pppd Connect time 1.7 minutes.
Message 8: Nov 29 11:20:45 UTM pppd Sent 520 bytes, received 80 bytes.
Message 9: No
301. er the configured number of queries have failed to elicit a reply. The backup link is brought up after this has occurred. The failover default is 4 failures.
Ping these IP addresses: A public IP address that does not reject the ping request and does not consider ping traffic to be abusive. Queries are sent to this server through the WAN interface that is being monitored.
The retry interval and number of failover attempts determine how quickly the UTM switches from the primary link to the backup link when the primary link fails or, when the primary link comes back up, switches back from the backup link to the primary link. Enter the following DNS settings:
- WAN1: The IP address of the DNS server for port WAN1.
- WAN2: The IP address of the DNS server for port WAN2.
- Retry Interval is: The retry interval in seconds. The ping is sent periodically after every test period. The default test period is 30 seconds.
- Failover after: The number of failover attempts. The primary WAN link is considered down after the configured number of queries have failed to elicit a reply. The backup link is brought up after this has occurred. The failover default is 4 failures.
Note: The default time to roll over after the primary WAN interface fails is 2 m
302. eriod, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop.
Table 11-12. IPsec VPN Connection Status Information
Item / Description or Subfield and Description
Policy Name: The name of the VPN policy that is associated with this SA.
Endpoint: The IP address of the remote VPN endpoint.
Tx (KB): The amount of data that is transmitted over this SA.
Tx (Packets): The number of IP packets that are transmitted over this SA.
State: The current status of the SA. Phase 1 is the authentication phase and Phase 2 is the key exchange phase. If there is no connection, the status is IPsec SA Not Established.
Action: Click the Connect table button to build the connection, or click the Disconnect table button to terminate the connection.
To review the status of current SSL VPN tunnels:
1. Select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPNs submenu tabs appear, with the Active Users screen in view.
2. Click the SSL VPN Connection Status submenu tab. The SSL VPN Connection Status screen displays.
[Figure 11-15: SSL VPN Connection Status screen. SSL VPN Active Connections table (User Name, Group, IP Address, Login Time, Action) with the example row techpubadmin, geardomain, 192.168.190.88, Tue Nov 17 17:09:54 2009, Disconnect.]
The act
303. es 12-6
SSL: certificate warning and downloading 2-3; connection and HTTPS scanning 6-34; disabling SSLv2 connections 6-37; SSLv2, SSLv3, and TLSv1 6-37
SSL VPN: ActiveX web cache cleaner 8-5, 8-22; ActiveX-based client 8; authentication 8-6; cache control 8-5, 8-21; client IP address range and routes, using SSL VPN Wizard 8-9; client routes 8-27; domain name 8-6; domain settings, using SSL VPN Wizard 8-5; domains, groups, and users 8-22; FQDNs, port forwarding 8-18; logs 8-16, 11-9, 11-33, 11-35; manual configuration steps 8-17; network resources 8-28; overview 1-3; policies, managing 8-31; policies, settings 8-34; port forwarding, description 8-2; port forwarding, host names 8-24; port forwarding, IP addresses 8-23; port forwarding, port numbers 8-12, 8-24; port forwarding, using SSL VPN Wizard 8-11; portal, accessing 8-14; portal, options; portal settings, configuring manually 8-18; portal settings, using SSL VPN Wizard 8-3; specifications A-4; status 8-16; tunnel, description 8; user account 9-9, 9; user portal 8-15; user settings, using SSL VPN Wizard 8-7
SSL VPN Wizard 1-7, 8-2
stateful packet inspection, See SPI
static IP address 2-3, 3-4, 3-8
static routes: configuring 4-22; example 4-27; RIP 4-24; settings 4-24; table 4-23
statistics, service and traffic 11-19
status screens 11-20
stealth mode 5-28
Stream Scanning technology, overview 1-4
streaming HTTP and HTTPS traffic 2-20, 6-22
submenu tabs, Web Management Interface 2-5
support, online 12-10
suspicious files, sending to NETGEAR 2
SYN flood 5-28
syslog server 11-9
304. es PPTP for login, select this radio button and enter the following settings:
- Account Name: The account name is also known as the host name or system name. Enter the valid account name for the PPTP connection (usually your e-mail ID assigned by your ISP). Some ISPs require entering your full e-mail address here.
- Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave this field blank.
Table 2-2. Setup Wizard Step 2: WAN Settings (continued)
Setting / Description or Subfield and Description
Austria (PPTP) (continued):
- Idle Timeout: Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
- My IP Address: The IP address assigned by the ISP to make the connection with the ISP server.
- Server IP Address: The IP address of the PPTP server.
Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. Select this radio button and enter the
305. es by a comma. To allow any trusted SNMP host access, leave the field blank, which is the default setting.
SNMP Traps: Enter the IP addresses of the SNMP management stations that are allowed to receive the UTM's SNMP traps. Separate IP addresses by a comma. If you leave the field blank, which is the default setting, no SNMP management station can receive the UTM's SNMP traps.
3. Click Apply to save your settings.
Managing the Configuration File
The configuration settings of the UTM are stored in a configuration file on the UTM. This file can be saved (backed up) to a PC, retrieved (restored) from the PC, or cleared to factory default settings. Once the UTM is installed and works properly, make a backup of the configuration file to a computer. If necessary, you can later restore the UTM settings from this file.
The Backup & Restore Settings screen lets you:
- back up and save a copy of the current settings
- restore saved settings from the backed-up file
- revert to the factory default settings
To display the Backup & Restore Settings screen, select Administration > Backup & Restore Settings from the menu.
[Backup & Restore Settings screen (submenu tabs: System Update, System Date & Time, Backup & Restore Settings): Save a copy of current settings (Backup); Restore saved settings from file (Restor
306. es depend on the threat level of the file or e-mail as determined by NETGEAR.
Figure 12-3
Enter the settings as explained in Table 12-1.
Table 12-1. Malware Analysis Settings
Setting / Description or Subfield and Description
Email Address: The e-mail address of the submitter, to enable NETGEAR to contact the submitter if needed.
File Location: Click Browse to navigate to the file that you want to submit to NETGEAR.
Source (Product Model): Specify where the file originated (for example, an e-mail address if received via e-mail) and, if known, which product or scan feature (for example, the UTM or a desktop anti-virus application) detected the file.
Description: As an option, include a description or any information that is relevant.
Click Submit.
Accessing the Knowledge Base and Documentation
To access NETGEAR's Knowledge Base for the UTM, select Support > Knowledge Base from the menu.
To access NETGEAR's documentation library for your UTM model, select Support > Documentation from the menu.
Appendix A Default Settings and Technical Specifications
You can use the Reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see Reverting to Factory Default Settings on page 10-18).
- To perform a hard reset, press and hold the Reset but
307. es in 31 Seconds.
Figure D-2
Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it expires, the user must go through the request process again to generate a new OTP.
3. The user then proceeds to the Two-Factor Authentication login page and enters the generated one-time passcode as the login password.
[Figure D-3: 2-Factor Authentication login page. Fields: Token client test; Passcode/Password (468713); Domain (WIKID); "PassCode expires in ... Seconds".]
Appendix E Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
Document / Link
TCP/IP Networking Basics: http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Networking Basics: http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing Your Network: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm
Virtual Private Networking Basics: http://documentation.netgear.com/reference/enu/vpn/index.htm
Glossary
308. es section of the screen, make the following selections:
- To prohibit this user from logging in to the UTM, select the Disable Login checkbox.
- To prohibit this user from logging in from the WAN interface, select the Deny Login from WAN Interface checkbox. In this case, the user can log in only from the LAN interface.
Note: For security reasons, the Deny Login from WAN Interface checkbox is selected by default for guests and administrators. The Disable Login checkbox is disabled (masked out) for administrators.
4. Click Apply to save your settings.
Configuring Login Restrictions Based on IP Address
To restrict logging in based on IP address:
1. Select Users > Users from the menu. The Users screen displays (see Figure 9-5 on page 9-10).
2. In the Action column of the List of Users table, click the Policies table button for the user for which you want to set login policies. The Policies submenu tabs appear, with the Login Policies screen in view.
3. Click the by Source IP Address submenu tab. The by Source IP Address screen displays. Figure 9-8 shows an IP address in the Defined Addresses table as an example.
[Figure 9-8: by Source IP Address screen (Users, Groups, Domains tabs; "Operation succeeded"; User Name: TestUser; radio buttons: Deny Login from Defined Addresses / Allow Login only from Defined Addresses).]
309. essive, utm_local.com, utm_remote.com, 3DES, SHA-1, Group 2 (1024 bit), Edit; Client Policy. Buttons: Select All, Delete, Add.
Figure 7-20
Each policy contains the data that are explained in Table 7-9. These fields are explained in more detail in Table 7-10 on page 7-27.
Table 7-9. List of IKE Policies Information
Item / Description or Subfield and Description
Name: The name that identifies the IKE policy. When you use the VPN Wizard to set up a VPN policy, an accompanying IKE policy is automatically created with the same name that you select for the VPN policy. Note: The name is not supplied to the remote VPN endpoint.
Mode: The exchange mode: Main or Aggressive.
Local ID: The IKE/ISAKMP identifier of the UTM. The remote endpoint must have this value as its remote ID.
Remote ID: The IKE/ISAKMP identifier of the remote endpoint, which must have this value as its Local ID.
Encr: The encryption algorithm that is used for the IKE security association (SA). This setting must match the setting on the remote endpoint.
Auth: The authentication algorithm that is used for the IKE SA. This setting must match the setting on the remote endpoint.
DH: The Diffie-Hellman (DH) group that is used when exchanging keys. This setting must match the setting on the remote endpoint.
To delete one or more IKE policies:
1. Select the checkbox to the left of the policy that you want to delete, or click the Selec
310. et Configuration Requirements
Depending on how your ISPs set up your Internet accounts, you will need the following Internet configuration information to connect the UTM to the Internet:
- Host and domain names
- One or more ISP login names and passwords
- ISP Domain Name Server (DNS) addresses
- One or more fixed IP addresses (also known as static IP addresses)
Where Do I Get the Internet Configuration Information?
There are several ways you can gather the required Internet connection information:
- Your ISPs provide all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISPs to provide it to you or, if you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
- For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
- For Windows 2000/XP/Vista, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
- For Macintosh computers, open the TCP/IP or Network control panel. Record all the settings for each section.
After you h
311. etgear2.dyndns.org) and optional for fixed IP addresses. VPN Router WAN2 IP
Figure B-8
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall such as a UTM:
- Single gateway WAN port
- Redundant dual gateway WAN ports for increased reliability (before and after rollover)
- Dual gateway WAN ports for load balancing
VPN Road Warrior: Single Gateway WAN Port (Reference Case)
In a single WAN port gateway configuration, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder.
[Figure B-9: Road Warrior Example, Single WAN Port. Client B (Remote PC running NETGEAR ProSafe VPN Client, WAN IP 0.0.0.0) establishes a tunnel to Gateway A (VPN Router at employer's main office, WAN IP 10.5.6.1 for network 10.5.6.0/24, FQDN bzrouter.dyndns.org). Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, an FQDN must be used. If the IP address is fixed, an FQDN is optional.
VPN Road Warrior: Dual Gateway WAN
312. etwork address, enter the netmask length (0-32). Note: By default, a single IP address is assigned a netmask length of 32.
7. Click the Add table button. The address is added to the Defined Addresses table.
8. Repeat step 6 and step 7 for any other addresses that you want to add to the Defined Addresses table.
To delete one or more addresses:
1. In the Defined Addresses table, select the checkbox to the left of the address that you want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.
Configuring Login Restrictions Based on Web Browser
To restrict logging in based on the user's browser:
1. Select Users > Users from the menu. The Users screen displays (see Figure 9-5 on page 9-10).
2. In the Action column of the List of Users table, click the Policies table button for the user for which you want to set login policies. The Policies submenu tabs appear, with the Login Policies screen in view.
3. Click the by Client Browser submenu tab. The by Client Browser screen displays. Figure 9-9 shows a browser in the Defined Browsers table as an example.
[Figure 9-9: by Client Browser screen (Login Policies, by Source IP Address, by Client Browser tabs; "Operation succeeded"; User Name: TestUser; Defined Browsers table with Status column; radio buttons: Deny Login from Defined Browsers / Allow Login ...]
313. ew policy goes into effect immediately. Note: In addition to configuring SSL VPN user policies, ensure that HTTPS remote management is enabled (see Configuring Remote Management Access on page 10-12). If it is not enabled, all SSL VPN user connections are disabled. Chapter 9: Managing Users, Authentication, and Certificates. This chapter describes how to manage users, authentication, and security certificates for IPsec VPN and SSL VPN. This chapter contains the following sections: Configuring VPN Authentication Domains, Groups, and Users (on this page); Managing Digital Certificates (on page 9-17). Configuring VPN Authentication Domains, Groups, and Users. Users are assigned to a group, and a group is assigned to a domain. Therefore, you should first create any domains, then groups, then user accounts. You must create name and password accounts for all users who must be able to connect to the UTM. This includes administrators and SSL VPN clients. Accounts for IPsec VPN clients are required only if you have enabled Extended Authentication (XAUTH) in your IPsec VPN configuration. Users connecting to the UTM must be authenticated before being allowed to access the UTM or the VPN-protected network
314. Warning: Once you start the firmware installation process, do not interrupt the process. Do not try to go online, turn off the UTM, or do anything else to the UTM until the UTM has fully rebooted. After the UTM has rebooted, check the firmware version in the Firmware Reboot section of the Firmware screen to verify that the UTM now has the new firmware installed: the newly loaded firmware should be shown as the active firmware and the Activation radio button should be automatically selected; the previously loaded firmware should be shown as the secondary firmware and the Activation radio button should be automatically deselected. Note: In some cases, such as a major upgrade, it might be necessary to erase the configuration and manually reconfigure your UTM after upgrading it. Refer to the firmware release notes that NETGEAR makes available. Rebooting Without Changing the Firmware. To reboot the UTM without changing the firmware: 1. In the Firmware Reboot section of the Firmware screen (see Figure 10-6 on page 10-19), select the active firmware version by clicking the Activation radio button for the firmware that states "active" in the Type column. 2. Select the radio button that corresponds to the firmware version that you want to download onto the UTM. 3. Click Reboo
315. ffic from LAN to WAN and from the DMZ to WAN. The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for outbound traffic. If you have not defined any rules, only the default rule is listed. The default rule allows all outgoing traffic. Any outbound rule that you create restricts outgoing traffic and therefore decreases the traffic load on the WAN side. Warning: This feature is for advanced administrators only. Incorrect configuration might cause serious problems. Each rule lets you specify the desired action for the connections that are covered by the rule: BLOCK always; BLOCK by schedule, otherwise allow; ALLOW always; ALLOW by schedule, otherwise block. The section below summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 5-4. For detailed procedures on how to configure outbound rules, see Setting LAN WAN Rules on page 5-12 and Setting DMZ WAN Rules on page 5-15. When you define outbound firewall rules, you can further refine their application according to the following criteria: Services. You can specify the services or applications to be covered by an outbound rule. If the desired service or application does not a
316. fied Threat Management (UTM) Appliance. The ProSecure Unified Threat Management (UTM) Appliance, hereafter referred to as the UTM, connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems or DSL modems. Dual wide area network (WAN) ports allow you to increase effective throughput to the Internet by utilizing both WAN ports to carry session traffic, or to maintain a backup connection in case of failure of your primary Internet connection. As a complete security solution, the UTM combines a powerful, flexible firewall with a content scan engine that uses NETGEAR Stream Scanning technology to protect your network from denial of service (DoS) attacks, unwanted traffic, traffic with objectionable content, spam, phishing, and Web-borne threats such as spyware, viruses, and other malware threats. The UTM provides advanced IPsec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds. The UTM is a plug-and-play device that can be installed and configured within minutes. Key Features and Capabilities. The UTM provides the following key features and capabilities: For the single WAN port models, a single 10/100/1000 Mbps Gigabit Ethernet WAN port. For the dual WAN port models, dual 10
317. Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Registering the UTM with NETGEAR on page 2-26), the license keys are erased. The license keys and the different types of licenses that are available for the UTM are no longer displayed on the Registration screen. However, after you have reconfigured the UTM to connect to the Internet and to the NETGEAR registration server, the UTM retrieves and restores all registration information based on its MAC address and hardware serial number. You do not need to re-enter the license keys and reactivate the UTM. Package Contents. The UTM product package contains the following items: ProSecure Unified Threat Management (UTM) Appliance; one AC power cable; rubber feet (4); one rack-mounting kit (depends on UTM model); ProSecure Unified Threat Management UTM Installation Guide; Resource CD, including Application Notes and other helpful information; ProSafe VPN Client Software (VPN01L; depends on the UTM model); Service Registration Card with License Key(s); Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.
318. Chapter 5: Firewall Protection. This chapter describes how to use the firewall features of the UTM to protect your network. This chapter contains the following sections: About Firewall Protection (on this page); Using Rules to Block or Allow Specific Kinds of Traffic (on page 5-3); Configuring Other Firewall Features (on page 5-27); Creating Services, QoS Profiles, and Bandwidth Profiles (on page 5-32); Setting a Schedule to Block or Allow Specific Traffic (on page 5-41); Enabling Source MAC Filtering (on page 5-42); Setting up IP/MAC Bindings (on page 5-44); Configuring Port Triggering (on page 5-46); Using the Intrusion Prevention System (on page 5-49). About Firewall Protection. A firewall protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two. You can further segment keyword blocking to certain known groups. To set up LAN Groups, see Managing Groups and Hosts (LAN Groups) on page 4-12. A firewall incorporates the functions of a Network Address Translation (NAT) router, protects the trusted network from hacker intrusions or attacks, and controls the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewal
319. figuring Secondary WAN Addresses on page 3-17; Configuring Dynamic DNS on page 3-19; Configuring Advanced WAN Options on page 3-22. Understanding the Internet and WAN Configuration Tasks. Generally, five steps are required to complete the Internet connection of your UTM: 1. Configure the Internet connections to your ISP(s). During this phase, you connect to your ISPs. You can also program the WAN traffic meters at this time if desired. See Configuring the Internet Connections on page 3-2. 2. Configure the WAN mode (required for operation of the dual WAN port models). For all models, select either NAT or classical routing. For the dual WAN port models only, select either dedicated (single WAN) mode, auto-rollover mode, or load balancing mode. For load balancing, you can also select any necessary protocol bindings. See Configuring the WAN Mode (Required for Dual WAN Port Models Only) on page 3-9. 3. Configure secondary WAN addresses on the WAN ports (optional). Configure aliases for each WAN port. See Configuring Secondary WAN Addresses on page 3-17. 4. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase if required. See Configuring Dynamic DNS on page 3-19. 5. Configure the WAN options (optional). Optionally, you can enable each WAN port to
320. firm Password; Idle Timeout (Minutes). 3. Enter the settings as explained in Table 9-4. Table 9-4: Add User Settings. Setting / Description (or Subfield and Description). User Name: A descriptive (alphanumeric) name of the user for identification and management purposes. User Type: From the pull-down menu, select one of the pre-defined user types that determines the access credentials: Administrator (user who has full access and the capacity to change the UTM configuration, that is, read/write access); SSL VPN User (user who can only log in to the SSL VPN portal); IPSEC VPN User (user who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled; see Configuring Extended Authentication (XAUTH) on page 7-38); Guest User (user who can only view the UTM configuration, that is, read-only access). Select Group: The pull-down menu shows the groups that are listed on the Group screen. From the pull-down menu, select the group to which the user is assigned. For information about how to configure groups, see Configuring Groups for VPN Policies on page 9-6. Note: The user is assigned to the domain that is associated with the selected group. Password: The password that the user must enter to gain access to the UTM. The password must contain alphanumeric or _ characters. Confirm Password: This field must be identical to the Passwor
321. fying the status of a connection and troubleshooting problems with a connection. Testing the VPN Connection. To test a client connection and view the status and log information, follow these steps. To test the client connection from your PC, right-click on the VPN client icon in your Windows toolbar and then select the VPN connection that you want to test. In the example that is shown in Figure 7-15 on page 7-18, select Connect > My Connections\UTM_SJ. [Figure 7-15: NETGEAR ProSafe VPN Client system tray menu: Security Policy Editor, Certificate Manager, Deactivate Security Policy, Reload Security Policy, Disconnect, My Connections\UTM_Ireland, My Connections\UTM_SJ, My Connections\UTM_Test, My Connections\FVS336G_Lab, Log Viewer, Connection Monitor, Help, About NETGEAR ProSafe VPN Client, Remove Icon.] In the example that is shown in Figure 7-15, you should receive the message "Successfully connected to My Connections\UTM_SJ" within 30 seconds. The VPN client icon in the system tray should say On. NETGEAR VPN Client Status and Log Information. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client: Right-click the VPN Client icon in the system tray and select Log Viewer (see Figure 7-2 on page 7-2).
322. g IKE policy is used to start negotiations with the remote VPN gateway. If negotiations fail, the next matching IKE policy is used. If none of the matching IKE policies are acceptable to the remote VPN gateway, then a VPN tunnel cannot be established. 2. An IKE session is established using the Security Association (SA) settings that are specified in a matching IKE policy: keys and other settings are exchanged; an IPsec SA is established using the settings that are specified in the VPN policy. The VPN tunnel is then available for data transfer. When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies, and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies from the IKE Policies screen. The IKE Policies Screen. To access the IKE Policies screen: Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view. Figure 7-20 on page 7-24 shows some examples. [Figure 7-20: IKE Policies screen (submenu tabs IKE Policies, VPN Policies, VPN Wizard, Mode Config, RADIUS Client). List of IKE Policies with columns Name, Mode, Local ID, Remote ID, Encr, Auth, DH, Action; example entries: GW1 to GW2, Main, 192.168.50.60, 75.34.173.25, 3DES, SHA-1, Group 2 (1024 bit); Client to UTM, Aggr
323. g Internet and WAN Settings. 5. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in Table 3-2. Table 3-2: PPTP and PPPoE Settings. Setting / Description (or Subfield and Description). Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button and enter the following settings. Account Name: The account name is also known as the host name or system name. Enter the valid account name for the PPTP connection (usually your e-mail ID assigned by your ISP). Some ISPs require entering your full e-mail address here. Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave this field blank. Idle Timeout: Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in. My IP Address: The IP address assigned by the ISP to make the connection with the ISP server. Server IP Address: The IP address of the PPTP server. Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then yo
324. g and Activating System, E-mail, and Syslog Logs ... 11-6. Configuring and Activating Update Failure and Attack Alerts ... 11-10. Configuring and Activating Firewall Logs ... 11-13. Monitoring Real-Time Traffic, Security, and Statistics ... 11-14. Vievio AUIS OTIS ... 11-20. viewing Veten SAUE ... 11-20. Viewing Active VPN Users ... 11-24. Viewing VPN Tunnel Connection Status ... 11-24. Viewing Port Triggering Status ... 11-26. Viewing the WAN Ports Status ... 11-27. Viewing Attached Devices and the DHCP Log ... 11-29. Querying Logs and Generating Reports ... 11-32. Querying the Logs ... 11-32. Scheduling and Generating Reports ... 11-39. Using Diagnostics Utilities ... 11-43. Using the Network Diagnostic Tools ... 11-44. Using the Realtime Traffic Diagnostics Tool ... 11-46. Gather
325. g large e-mail files requires network resources and might slow down traffic. You can specify the maximum file or message size that is scanned and whether files that exceed the maximum size are skipped (which might compromise security) or blocked. For more information, see Customizing E-mail Anti-Virus and Notification Settings on page 6-5. Keyword, file extension, and file name blocking: You can reject e-mails based on keywords in the subject line, file type of the attachment, and file name of the attachment. For more information, see E-mail Content Filtering on page 6-8. Protecting against spam: Set up spam protection to prevent spam from using up valuable bandwidth. For more information, see Protecting Against E-mail Spam on page 6-11. Web Content Filtering: The UTM provides extensive methods of filtering Web content in order to reduce traffic. Web category blocking: You can block entire Web categories because their content is undesired, offensive, or not relevant, or simply to reduce traffic. For more information, see Configuring Web Content Filtering on page 6-23. Keyword and file extension blocking: You can specify words that, should they appear in the Web site name (URL), file extension, or newsgroup name, cause that site, file, or newsgroup to be blocked by the UTM. For more information, see Configuring Web Content Filtering on page 6-23.
326. ge 192.168.35.165 8081 WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt. Explanation: Logs that are generated when traffic matches IPS rules. The message shows the date and time, action that is taken, protocol, client IP address, client port number, server IP address, server port number, IPS category, and reason for the action. Recommended Action: None. Port Scan Logs. This section describes logs that are generated when ports are scanned. Table C-24: Content Filtering and Security Logs: Port Scan. Message: 2008-12-31 23:59:12 192.168.1.10 192.168.35.160 5 10 1 18 188 UDP Portscan. Explanation: Logs that are generated when port scans are detected. The message shows the date and time, client IP address, server IP address, connection number, IP number, port number, port range, and details. Recommended Action: None. Instant Messaging/Peer-to-Peer Logs. This section describes logs that are generated when the UTM filters instant messaging and peer-to-peer traffic. Table C-25: Content Filtering and Security Logs: Instant Messaging/Peer-to-Peer. Message: 2008-12-31 23:59:31 0 block 1 8800115 2 TCP 192.168.1.2 543 65.54.239.210 1863 MSN login attempt. Explanation: Logs that are generated when an IM/P2P traffic violation occurs. The message shows the date and time, action that is taken, protocol, client IP address, client port number, server IP address, server
327. ge 5-41. QoS Profile: You can define QoS profiles and then apply them to inbound rules to regulate the priority of traffic. To define QoS profiles, see Creating Quality of Service (QoS) Profiles on page 5-35. Bandwidth Profile: You can define bandwidth profiles and then apply them to inbound rules to limit traffic. To define bandwidth profiles, see Creating Bandwidth Profiles on page 5-38. Port Triggering. Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound (port forwarding) rules, and most likely would be blocked. For the procedure on how to configure port triggering, see Configuring Port Triggering on page 5-46. Configuring the DMZ Port. The De-Militarized Zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN. The DMZ can be used to host servers such as a Web server, FTP server, or e-mail server and provide
328. ge 6-41. If necessary, you can also create firewall rules to apply to a single PC (see Enabling Source MAC Filtering on page 5-42). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address. Managing the Network Database. You can view the Network Database, manually add or remove database entries, and edit database entries. To view the Network Database: 1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view. 2. Click the LAN Groups submenu tab. The LAN Groups screen displays (see Figure 4-5 on page 4-14, which shows some examples in the Known PCs and Devices table). [Figure 4-5: LAN Groups screen. Known PCs and Devices table with columns Name, IP Address, MAC Address, Group, Profile Name, Action; example entries: Marketing, 192.168.1.15, Group1, defaultVlan; Sales, 192.168.1.20, Group2, defaultVlan; Sales EMEA, 192.168.1.35, Group2, defaultVlan. Buttons: Edit Group Names, Select All, Delete, Save Binding. Add Known PCs and Devices section with fields Name, IP Address Type (for example, Fixed (set on PC)), IP Address, MAC Address, Group, Profile Name, and an Add button.]
329. ge to be assigned to VPN tunnel clients, then define the address range. To define the client IP address range: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view. 2. Click the SSL VPN Client submenu tab. The SSL VPN Client screen displays. [Figure 8-15: SSL VPN Client screen. Client IP Address Range section: Enable Full Tunnel Support, DNS Suffix, Primary DNS Server, Secondary DNS Server, Client Address Range Begin, Client Address Range End. Note: Static routes should be added to reach any secure network in SPLIT TUNNEL mode. In FULL TUNNEL mode, all client routes will be ineffective. Configured Client Routes: Destination Network. Add Routes for VPN Tunnel Clients: Destination Network.] 3. Select the checkbox and complete the fields as explained in Table 8-8. Table 8-8: Client IP Address Range Settings. Item / Description (or Subfield and Description). Client IP Address Range. Enable Full Tunnel Support: Select this checkbox to enable full tunnel support. If you leave this checkbox deselected (which is the default setting), split tunnel support is enabled and you must add client routes (see Adding Routes for VPN Tunnel Clients on page 8-27). Note: When full tunnel sup
330. ght of the new resource, in the Action column, click the Edit table button. A new screen displays. Figure 8-17 shows some examples. [Figure 8-17: Add Resource Addresses screen: Resource Name RoadWarrior; Service VPN Tunnel; Object Type (IP Address); IP Address / Name; Network Address; Mask Length; Port Range / Port Number (Begin, End); a table with columns Resource, Port, Mask Length, Action (Delete Resource) showing an example entry with port range 4000-4090.] 4. Complete the fields and make your selection from the pull-down menu as explained in Table 8-8. Table 8-9: Add Resource Addresses Settings. Item / Description (or Subfield and Description). Add Resource Addresses. Resource Name: The unique identifier for the resource. You cannot modify the resource name after you have created it on the first Resources screen. Service: The SSL service that is assigned to the resource. You cannot modify the service after you have assigned it to the resource on the first Resources screen. Table 8-9: Add Resource Addresses Settings (continued). Item / Description (or Subfield and Description). Object Type: From the pull-down menu, select one of the following options. IP Address: The object is an IP address. You must enter the IP address or the FQDN in the IP Address / Name field. IP Network: The object is an IP
331. gistration information. [Figure 3-12: Dynamic DNS screen, with submenu tabs DynDNS, TZO, and Oray, and a DynDNS Information section.] 5. Access the Web site of the DDNS service provider and register for an account (for example, for dyndns.org, go to http://www.dyndns.com). 6. For each WAN port of a dual WAN port model, or for the single WAN port of a single WAN port model, configure the DDNS service settings as explained in Table 3-7, which shows the settings for a dual WAN port model. The screen for a single WAN port model shows settings for a single WAN port only. Table 3-7: DNS Service Settings. Setting / Description (or Subfield and Description). WAN1 (Dynamic DNS Status). Change DNS to DynDNS, TZO, or Oray: Select the Yes radio button to enable the DDNS service. The service that displays on screen depends on the submenu tab for the DDNS service provider that you have selected. Enter the following settings. Host and Domain Name: The host and domain name for the DDNS service. User Name: The user name for DDNS server authentication. Password: The password that is used for DDNS server authentication. Use wildcards: If your DDNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards checkbox to activate this feature. For example, the wildcard feature causes *.yourhost.dyndns.org to be aliased to the same IP addres
332. gs on page 6-4. [Figure 6-7: Application Security screen. Services: for each service (including SMTP and IMAP), an Enable Service checkbox and a Ports to Scan field. Instant Messaging: Block Service checkboxes for Google Talk, Jabber, mIRC, MSN Messenger, and Yahoo Messenger. Peer to Peer (P2P): Block Service checkboxes for BitTorrent, eDonkey, and Gnutella.] 2. Enter the settings as explained in Table 6-5. Table 6-6: Web, Protocol, Instant Messaging, and Peer-to-Peer Settings. Setting / Description (or Subfield and Description). Web. HTTP: Select the HTTP checkbox to enable Hypertext Transfer Protocol (HTTP) scanning. This service is enabled by default and uses default port 80. HTTPS: Select the HTTPS checkbox to enable Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). This service is disabled by default. The default port is 443. FTP: Select the FTP checkbox to enable File Transfer Protocol (FTP). This service is enabled by default and uses default port 21.
333. > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view. 2. Click the Firewall Logs submenu tab. The Firewall Logs screen displays (see Figure 11-6). [Figure 11-6: Firewall Logs screen (submenu tabs Email and Syslog, Firewall Logs, Alerts, Log Query, Generate Report, Scheduled Report). Routing Logs: Accepted Packets and Dropped Packets columns, each with checkboxes for LAN to WAN, LAN to DMZ, DMZ to WAN, WAN to LAN, DMZ to LAN, and WAN to DMZ. Other Event Logs: checkboxes for Source MAC Filter, Session Limit, and Bandwidth Limit.] 3. Enter the settings as explained in Table 11-5 on page 11-14. Table 11-5: Firewall Logs Settings. Setting / Description (or Subfield and Description). Routing Logs: From the Accepted Packets and Dropped Packets columns, select checkboxes to specify which traffic is logged: LAN to WAN, LAN to DMZ, DMZ to WAN, WAN to LAN, DMZ to LAN, WAN to DMZ. Other Event Logs. Source MAC Filter: Select this checkbox to log packets from MAC addresses that match the source MAC address filter settings. Session Limit: Select this checkbox to log packets that are dropped because the session limit has been exceeded. Bandwidth Limi
334. [Figure 7-16: NETGEAR ProSafe VPN Client Log Viewer for My Connections\UTM_SJ, showing IKE negotiation entries such as SENDING>>>> ISAKMP OAK QM (HASH, SA, NON, KE, ID 2x); RECEIVED<<< ISAKMP OAK INFO (HASH, NOTIFY: STATUS_INITIAL_CONTACT); RECEIVED<<< ISAKMP OAK QM (HASH, SA, NON, KE, ID 2x); Filter entry 5 added: SECURE 192.169.001.004/255.255.255.255/192.168.001.049; Loading IPSec SA (Message ID = C5CB4433, OUTBOUND SPI = A647273, INBOUND ...).] Right-click the VPN Client icon in the system tray and select Connection Monitor. [Figure 7-17: Connection Monitor, NETGEAR ProSafe VPN Client. Global Statistics: Non-Secured Packets 38501, Secured Packets 43, Dropped Packets, Secured Data (KBytes) 6; Show Idle Connections option; connection entry My Connections\UTM_SJ, 192.168.001.004/255.255.255.255/192.168.001.049, 255.255.255.000, 192.168.50.61, ALL.] The VPN client system tray icon provides a variety of status indications, which are listed below. Table 7-7: Status Indications for the VPN Client System Tray Icon. System Tray Icon / Status. The client policy is deactivated. The client policy is deactivated but not connected. The client policy is activated and connected. A flashing vertical
335. h subnet 255.255.255.0; secondary LAN IP address 192.168.20.1 with subnet 255.255.255.0. To add a secondary LAN IP address: 1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view. 2. Click the LAN Multi-homing submenu tab. The LAN Multi-homing screen displays. [Figure 4-4: LAN Multi-homing screen (submenu tabs LAN Setup, LAN Groups, LAN Multi-homing). Available Secondary LAN IPs table with columns IP Address, Subnet Mask, Action, and Select All and Delete buttons; Add Secondary LAN IP Address section with fields IP Address and Subnet Mask and an Add button.] The Available Secondary LAN IPs table displays the secondary LAN IP addresses added to the UTM. 3. In the Add Secondary LAN IPs section of the screen, enter the following settings. IP Address: Enter the secondary address that you want to assign to the LAN ports. Subnet Mask: Enter the subnet mask for the secondary IP address. 4. Click the Add table button in the rightmost column to add the secondary IP address to the Available Secondary LAN IPs table. Repeat step 3 and step 4 for each secondary IP address that you want to add to the Available Secondary LAN IPs table. Note: Secondary IP addresses cannot be configured in the DHCP server. The hosts on the secon
336. has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently, hence the need for a commercial DDNS service, which allows you to register an extension to its domain and resolves DNS requests for the resulting FQDN to your frequently changing IP address. After you have configured your account information on the UTM, when your ISP-assigned IP address changes, your UTM automatically contacts your DDNS service provider, logs in to your account, and registers your new IP address. Consider the following: For auto-rollover mode, you need a fully qualified domain name (FQDN) to implement features such as exposed hosts and virtual private networks, regardless of whether you have a fixed or dynamic IP address. For load balancing mode, you might still need a fully qualified domain name (FQDN), either for convenience or if you have a dynamic IP address. Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service does not work because private addresses are not routed on the Internet. To configure Dynamic DNS: 1. Select Network Config > Dynamic DNS from the menu. 2. Click the Dynamic DNS tab. The Dynamic DNS screen displays
337. he Internet via a Secure Sockets Layer (SSL) VPN connection.
Note: When remote management is enabled and administrative access through a WAN interface is granted (see Configuring Login Policies on page 9-12), the UTM's Web Management Interface is accessible to anyone who knows its IP address and default password. Because a malicious WAN user can reconfigure the UTM and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see Changing Passwords and Administrator Settings on page 10-9).
To configure the UTM for remote management:
1. Select Administration > Remote Management from the menu. The Remote Management screen displays.
(Figure 10-3: Remote Management screen, reached through the submenu tabs SNMP, Backup & Restore Settings, System Update, System Date & Time and Remote Management, with the "Do you want to enable https?" Yes/No radio buttons and the Port Number field.)
2. Select one of the following radio buttons:
• Yes: Enable HTTPS remote management. This is the default setting.
• No: Disable HTTPS remote management.
Warning: If you are remotely connected to the UTM and you select the No radio button, you and all other SSL VPN users are disconnected when you click Apply.
3. As an option, you can change the default HTTPS port. The default port number is 443.
4. C
338. he Subcategory/Expression field depends on your selection from the Expression Category pull-down menu:
• When you select URL Filtering, the Subcategory/Expression field becomes a blank field in which you can enter a full or partial URL.
• When you select Web category, the Subcategory/Expression field becomes a pull-down menu that lets you select a Web category.
• When you select Application, the Subcategory/Expression field becomes a pull-down menu that lets you select an application.
Notes: A description of the exception rule for identification and management purposes, or any other relevant information that you wish to include.
4. Click Apply to save your settings. The new exception rule is added to the Exceptions table.
5. Select the checkbox to the left of the rule that you want to enable, or click the Select All table button to select all rules.
6. Click the Apply table button to enable the selected rule or rules.
To make changes to an existing exception rule:
1. In the Action column to the right of the exception rule, click the Edit table button. The Add or Edit Block/Accept Exceptions screen displays (see Figure 6-18 on page 6-42).
2. Modify the settings that you wish to change (see Table 6-13 on page 6-43).
3. Click Apply to save your changes. The modified exception rule is displayed
339. he authentication method and enter a key in the field below.
Pre-shared key: A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote in the key. In this example we are using 12345678910.
Diffie-Hellman (DH) Group: The DH Group sets the strength of the algorithm in bits. From the pull-down menu, select Group 2 (1024 bit).
SA Lifetime (sec): The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying must occur. The default is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
Enable Dead Peer Detection: Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled.
• Yes: This feature is enabled. When the UTM detects an IKE connection failure, it deletes the IPsec and IKE SA and forces a reestablishment of the connection. You must enter the detection period and the maximum number of times that the UTM attempts to reconnect (see below).
• No: This feature is disabled. This is the default setting.
Note: See also Configuring Keepalives and Dead Peer Detection on page 7-55.
Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPsec traffic is idle. The default setting is 10 seconds.
Reconnect after failure count: The maximum number of times that the UTM attempts to reconnect after a DPD
340. he rack onto which you will mount the UTM is suitably located.
Chapter 2: Using the Setup Wizard to Provision the UTM in Your Network
Understanding the Steps for Initial Connection
Typically, the UTM is installed as a network gateway to function as a combined LAN switch, firewall, and content scan engine in order to protect the network from all incoming and outgoing malware threats. Generally, five steps are required to complete the basic and security configuration of your UTM:
1. Connect the UTM physically to your network. Connect the cables and restart your network according to the instructions in the installation guide. See the ProSecure Unified Threat Management UTM Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://prosecure.netgear.com or http://kb.netgear.com/app/home.
2. Log in to the UTM. After logging in, you are ready to set up and configure your UTM. See Logging In to the UTM on page 2-2.
3. Use the Setup Wizard to configure basic connections and security. During this phase, you connect the UTM to one or more ISPs (more than one ISP applies to dual WAN port models only). See Using the Setup Wizard to Perform the Initial Configuration on page 2-7.
4. Verify the installation. See Verifying Proper
341. he storage space that is assigned to the logs is full.
• Daily: Logs are sent daily at the time that you specify from the pull-down menus (hours and minutes).
• Weekly: Logs are sent weekly at the day and time that you specify from the pull-down menus (weekday, hours, and minutes).
Select Logs to Send: Select the checkboxes to specify which logs are sent via e-mail.
• System Logs: The system event logs that you have specified in the System Logs Options section at the top of the screen. However, by default, many more types of events are logged in the system logs.
• Traffic Logs: All scanned incoming and outgoing traffic.
• Malware Logs: All intercepted viruses and malware threats.
• Spam Logs: All intercepted spam.
• IM/P2P Logs: All instant messaging and peer-to-peer access violations.
• Email filter Logs: All e-mails that are blocked because of file extension and keyword violations.
• Firewall Logs: The firewall logs that you have specified on the Firewall Logs screen (see Configuring and Activating Firewall Logs on page 11-13).
Table 11-3 E-mail and Syslog Settings (continued)
Setting: Description (or Subfield and Description)
Enable (continued), Select Logs to Send (continued):
• IPS Logs: All IPS events.
• SSL VPN Logs: All SSL VPN events.
• IP
342. hen you select the Mode Config record (see above).
Local:
• Select Local Gateway (dual WAN port models only): For the dual WAN port models only, select a radio button to specify the WAN1 or WAN2 interface.
• Identifier Type: From the pull-down menu, select FQDN. Note: Mode Config requires that the UTM (that is, the local end) is defined by a FQDN.
• Identifier: Enter a FQDN for the UTM. In this example we are using utm25_local.com.
Table 7-16 Add IKE Policy Settings for a Mode Config Configuration (continued)
Item: Description (or Subfield and Description)
Remote:
• Identifier Type: From the pull-down menu, select FQDN. Note: Mode Config requires that the remote end is defined by a FQDN.
• Identifier: Enter the FQDN for the remote end. This must be a FQDN that is not used in any other IKE policy. In this example we are using utm25_remote.com.
IKE SA Parameters: Note: Generally, the default settings work well for a Mode Config configuration.
• Encryption Algorithm: From the pull-down menu, select the 3DES algorithm to negotiate the security association (SA).
• Authentication Algorithm: From the pull-down menu, select the SHA-1 algorithm to be used in the VPN header for the authentication process.
• Authentication Method: Select Pre-shared key as t
343. hree-way handshake in which the client and server trade challenge messages, each responding with a hash of the other's challenge message that is calculated using a shared secret value.
• RADIUS: A network-validated PAP or CHAP password-based authentication method that functions with Remote Authentication Dial In User Service (RADIUS).
• MIAS: A network-validated PAP or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 Server.
• WiKID: WiKID Systems is a PAP or CHAP key-based two-factor authentication method that functions with public key cryptography. The client sends an encrypted PIN to the WiKID server and receives a one-time pass code with a short expiration period. The client logs in with the pass code. See Appendix D, Two-Factor Authentication, for more on WiKID authentication.
• NT Domain: A network-validated domain-based authentication method that functions with a Microsoft Windows NT Domain authentication server. This authentication method has been superseded by Microsoft Active Directory authentication but is supported to authenticate legacy Windows clients.
• Active Directory: A network-validated domain-based authentication method that functions with a Microsoft Active Directory authentication server. Microsoft Active Directory authentication servers support a group and user structure. Because the Active Directory support
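The challenge/response exchange that the CHAP description above sketches, as an added example that is not code from the NETGEAR manual or the UTM. It implements the one-way form defined in RFC 1994, the building block of the mutual variant the manual describes: the authenticator issues a random challenge, the peer answers with MD5 over (identifier || secret || challenge), and the authenticator recomputes the digest from its own copy of the secret. The user name, secret and in-process USER_DB are constructed for the example; on the UTM the secret lives on the RADIUS or MIAS server it forwards to.

```python
"""One round of CHAP (RFC 1994): server challenge, client response, server check.

Added example, not code from the NETGEAR manual or the UTM. The shared
secret never crosses the wire; only the random challenge and the
MD5 digest over (identifier || secret || challenge) do.
"""
import hashlib
import hmac
import os

# Constructed credential store for the example. On the UTM this lookup
# happens on the RADIUS or MIAS server, not on the appliance.
USER_DB = {"alice": b"correct horse battery"}


def chap_challenge(length=16):
    """Authenticator side: a fresh random challenge for every attempt."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """Peer side: MD5(identifier || secret || challenge), RFC 1994 section 4.1."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier, username, challenge, response):
    """Authenticator side: recompute the digest from its own copy of the secret.

    Unknown users and wrong secrets fail the same way, and the comparison is
    constant-time so the digest cannot be guessed byte by byte.
    """
    secret = USER_DB.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_handshake(username, client_secret, identifier=1):
    """Drive one full exchange; returns True when the authenticator accepts."""
    challenge = chap_challenge()                                     # Challenge packet
    response = chap_response(identifier, client_secret, challenge)   # Response packet
    return chap_verify(identifier, username, challenge, response)    # Success / Failure


if __name__ == "__main__":
    print("correct secret:", run_handshake("alice", b"correct horse battery"))
    print("wrong secret:  ", run_handshake("alice", b"wrong"))
```

Because the challenge is fresh per attempt, a captured response cannot be replayed against a later challenge, which is the property that distinguishes CHAP from PAP.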
344. hrough a cable modem to an ISP.
• The UTM is on a local LAN with IP address 192.168.1.100.
• The UTM connects to a remote network where you must access a device.
• The LAN IP address of the remote network is 134.177.0.0.
When you first configured the UTM, two implicit static routes were created:
• A default static route was created with your ISP as the gateway.
• A second static route was created to the local LAN for all 192.168.1.x addresses.
With this configuration, if you attempt to access a device on the 134.177.0.0 remote network, the UTM forwards your request to the ISP. In turn, the ISP forwards your request to the remote network, where the request is likely to be denied by the remote network's firewall. In this case, you must define a static route informing the UTM that the 134.177.0.0 IP address should be accessed through the local LAN IP address 192.168.1.100. The static route on the UTM must be defined as follows:
• The destination IP address and IP subnet mask must specify that the static route applies to all 134.177.x.x IP addresses.
• The gateway IP address must specify that all traffic for the 134.177.x.x IP addresses should be forwarded to the local LAN IP address 192.168.1.100.
• A metric value of 1 should work, since the UTM is on the local LAN.
• The static route can be made private, only as a precautionary security measure in case RIP is activated.
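The route selection behind the scenario above, as an added example that is not code from the NETGEAR manual or the UTM's routing code. It builds the two implicit routes the manual says setup creates, shows that a 134.177.x.x destination then leaves through the ISP, and shows the effect of adding the static route 134.177.0.0/16 via 192.168.1.100 with metric 1, marked private so that RIP would not advertise it. The ISP gateway address is a documentation placeholder, not a value from the manual.

```python
"""Longest-prefix-match routing for the static route scenario.

Added example, not code from the NETGEAR manual or the UTM. The lookup
picks the most specific matching prefix and uses the metric only to
break ties, which is why the /16 static route beats the /0 default.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: str            # next hop, or "direct" for a connected network
    metric: int = 1
    private: bool = False   # private routes are kept out of RIP advertisements


ISP_GATEWAY = "203.0.113.1"  # placeholder (RFC 5737 documentation range), not from the manual

IMPLICIT_ROUTES = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), ISP_GATEWAY),    # default route, ISP as gateway
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "direct"),  # local LAN
]

STATIC_ROUTE = Route(ipaddress.IPv4Network("134.177.0.0/16"), "192.168.1.100",
                     metric=1, private=True)


def lookup(table, dst_ip):
    """Best route for dst_ip: longest prefix wins, lower metric breaks ties."""
    addr = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in table if addr in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


def next_hop(table, dst_ip):
    route = lookup(table, dst_ip)
    return route.gateway if route else None


def rip_advertised(table):
    """Prefixes RIP would announce: everything not flagged private."""
    return [str(r.destination) for r in table if not r.private]


if __name__ == "__main__":
    print("before static route:", next_hop(IMPLICIT_ROUTES, "134.177.10.20"))
    print("after static route: ", next_hop(IMPLICIT_ROUTES + [STATIC_ROUTE], "134.177.10.20"))
    print("RIP would advertise:", rip_advertised(IMPLICIT_ROUTES + [STATIC_ROUTE]))
```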
345. iate the security association (SA):
• DES: Data Encryption Standard (DES).
• 3DES: Triple DES. This is the default algorithm.
• AES-128: Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192: AES with a 192-bit key size.
• AES-256: AES with a 256-bit key size.
Integrity Algorithm: From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process:
• SHA-1: Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5: Hash algorithm that produces a 128-bit digest.
Table 7-12 Add VPN Policy Settings (continued)
Item: Description (or Subfield and Description)
PFS Key Group: Select this checkbox to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the pull-down menu. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the pull-down menu, select one of the following three strengths:
• Group 1 (768 bit)
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit)
Select IKE Policy: Select an existing IKE policy that defines the characteristics of the Phase 1 negotiation. Click the view selected button to display the selected IKE policy.
Of the choices above, DES, MD5 and DH Group 1 are no longer considered adequate; where the peer supports them, choose AES, SHA-1 and Group 5, and enable PFS so that the keys of a compromised SA do not expose earlier traffic.
5. Clic
346. ic: FQDN required; FQDN required.
a. All tunnels must be re-established after a rollover using the new WAN IP address.
Using the IPsec VPN Wizard for Client and Gateway Configurations
You can use the IPsec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR ProSafe VPN Client Software configuration procedures for the following scenarios:
• Using the wizard to configure a VPN tunnel between two VPN gateways.
• Using the wizard to configure a VPN tunnel between a VPN gateway and a VPN client.
Configuring a VPN tunnel connection requires that all settings on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the IPsec keys and VPN policies it sets up. The VPN Wizard also configures the settings for the network connection: security association (SA), traffic selectors, authentication algorithm, and encryption. The settings that are used by the VPN wizard are based on the recommendations of the VPN Consortium (VPNC), an organization that promotes multi-vendor VPN interoperability.
Creating Gateway-to-Gateway VPN Tunnels with the Wizard
Gateway-to-Gateway Example
347. ices.
• Groups: Select the Group to which the rule applies. Use the LAN Groups screen under Network Configuration to assign PCs to Groups. See Managing Groups and Hosts (LAN Groups) on page 4-12.
WAN Users: The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
• Any: All Internet IP addresses are covered by this rule.
• Single address: Enter the required address in the start field.
• Address range: Enter the Start and Finish fields.
DMZ Users: The settings that determine which DMZ computers on the DMZ network are affected by this rule. The options are:
• Any: All PCs and devices on your DMZ network.
• Single address: Enter the required address to apply the rule to a single PC on the DMZ network.
• Address range: Enter the required addresses in the Start and Finish fields to apply the rule to a range of DMZ computers.
Table 5-2 Outbound Rules Overview (continued)
Setting: Description (or Subfield and Description)
QoS Profile: The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The
348. ificant event occurs.
Stream Scanning for Content Filtering
Stream Scanning is based on the simple observation that network traffic travels in streams. The UTM scan engine starts receiving and analyzing traffic as the stream enters the network. As soon as a number of bytes are available, scanning starts. The scan engine continues to scan more bytes as they become available, while at the same time another thread starts to deliver the bytes that have been scanned. This multithreaded approach, in which the receiving, scanning, and delivering processes occur concurrently, ensures that network performance remains unimpeded. The result is that file scanning is up to five times faster than with traditional antivirus solutions, a performance advantage that you will notice. Stream Scanning also enables organizations to withstand massive spikes in traffic, as in the event of a malware outbreak.
The scan engine has the following capabilities:
• Real-time protection: The patent-pending Stream Scanning technology enables scanning of previously undefended real-time protocols such as HTTP. Network activities susceptible to latency (for example, Web browsing) are no longer brought to a standstill.
• Comprehensive protection: Provides both Web and e-mail security, covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP. The UTM uses enterprise-class scan engines employing both signature-based and Distributed Spam Analysis to stop both known an
349. in Table 11-16.
Table 11-16 Generate Report Settings
Setting: Description (or Subfield and Description)
Time From: From the pull-down menus, specify the start year, month, day, hour, and minutes for the report.
Time To: From the pull-down menus, specify the end year, month, day, hour, and minutes for the report. Note: The maximum report period is 31 days.
Reports: Select one or more checkboxes to specify the reports that are generated: Email Reports, Web Reports, System Reports. Note: You can select all three checkboxes, but you might generate a very large report.
4. Click Generate. After a few minutes, the report is added to the Report List, which can contain a maximum of five saved reports. To delete a previously saved report, click its Delete table button.
5. Select the new or a previously saved report for downloading by clicking its Download table button. The reports download as a zipped file that contains both CSV and HTML files.
Scheduling Reports
To schedule automatic generation and e-mailing of reports:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view.
2. Click the Schedule Reports submenu tab. The Schedule Reports screen displays.
350. in the Exceptions table.
To delete or disable one or more exception rules:
1. Select the checkbox to the left of the rule that you want to delete or disable, or click the Select All table button to select all rules.
2. Click one of the following table buttons:
• Disable: Disables the rule or rules. The status icon changes from a green circle to a grey circle, indicating that the rule or rules are disabled. By default, when a rule is added to the table, it is automatically enabled.
• Delete: Deletes the rule or rules.
The table rank of the exception rule in the Exceptions table determines the order in which the rule is applied. To change the position of the rules in the table, click the following table buttons:
• Up: Moves the rule up one position in the table rank.
• Down: Moves the rule down one position in the table rank.
Setting Scanning Exclusions
To save resources, you can configure scanning exclusions for IP addresses and ports that you know are secure. For example, if your network includes a Web server that hosts Web pages that are accessible by anyone on the Internet, the files that are hosted by your Web server do not need to be scanned. To prevent the UTM from scanning these files, you can configure a scanning exclusion for your Web server.
To configure scanning exclusion rules:
1. Select Application Security > Scanning Exclusions from the menu. The Scanning Exclusions screen displays. This screen shows the Scan
351. (Figure 6-17: FTP scan settings screen; the File Extension field lists extensions to block, for example exe, com and pif.)
2. Enter the settings as explained in Table 6-12.
Table 6-12 FTP Scan Settings
Setting: Description (or Subfield and Description)
Action, FTP Action: From the FTP pull-down menu, specify one of the following actions when an infected FTP file or object is detected:
• Delete file: This is the default setting. The FTP file or object is deleted, and a log entry is created.
• Log only: Only a log entry is created. The FTP file or object is not deleted.
Table 6-12 FTP Scan Settings (continued)
Setting: Description (or Subfield and Description)
Scan Exception: The default maximum file or object size that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions when the file or message exceeds the maximum size:
• Skip: The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting.
• Block: The file is blocked and does not reach the end user.
Block Files with the Following Extensions: By default, the File Extension field lists the mo
352. information that is described in Table 11-14.
Table 11-14 WAN1 (Dual WAN Port Models) or WAN (Single WAN Port Models) Port Status Information
Item: Description (or Subfield and Description)
Connection Time: The period that the UTM has been connected through the WAN port.
Connection Type: DHCP or Static IP.
Connection Status: Connected or Disconnected.
IP Address, Subnet Mask, Gateway, DNS Server: The addresses that were automatically detected (see Automatically Detecting and Connecting on page 3-2) or that you configured on the WAN1 ISP Settings screen (dual WAN port models) or the WAN ISP Settings screen (single WAN port models) (see Manually Configuring the Internet Connection on page 3-5).
DHCP Server: The DHCP server that was automatically detected (see Automatically Detecting and Connecting on page 3-2) or that you configured for a VLAN profile on the Edit VLAN Profile screen (see Configuring a VLAN Profile on page 4-6).
Lease Obtained: The time when the DHCP lease was obtained.
Lease Duration: The period that the DHCP lease remains in effect.
Depending on the type of connection, any of the following buttons may be displayed on the Connection Status screen:
• Renew: Click to renew the DHCP lease.
• Release: Click to disconnect the DHCP connection.
• Disconnect: Click to disconnect the static IP connection.
For the dual WAN port models only, the procedure to view the stat
353. ing Important Log Information and Generating a Network Statistics Report 11-47
Rebooting and Shutting Down the UTM 11-48
Chapter 12 Troubleshooting and Using Online Support
Basic Functions 12-2
Power LED Not On 12-2
Test LED Never Turns Off 12-2
LAN or WAN Port LEDs Not On 12-3
Troubleshooting the Web Management Interface 12-3
When You Enter a URL or IP Address, a Time-out Error Occurs 12-4
Troubleshooting the ISP Connection 12-5
Troubleshooting a TCP/IP Network Using a Ping Utility 12-7
Testing the LAN Path to Your UTM 12-7
Testing the Path from Your PC to a Remote Device 12-8
Restoring the Default Configuration and Password 12-9
Problems with Date and Time 12-10
Using Online Support 12-10
Enabling Remote Troubleshooting 12-10
Sending Suspic
354. ing Using IPsec Connections
(Figure 7-26: Add Mode Config Record screen, with the Record Name field; Starting IP and Ending IP fields for the First, Second and Third Pool; Primary and Secondary WINS Server and DNS Server fields; and the PFS Key Group, SA Lifetime (3600 seconds), Encryption Algorithm, Integrity Algorithm, Local IP Address and Local Subnet Mask settings.)
4. Complete the fields, select the checkbox, and make your selections from the pull-down menus as explained in Table 7-15.
Table 7-15 Add Mode Config Record Settings
Item: Description (or Subfield and Description)
Client Pool:
• Record Name: A descriptive name of the Mode Config record for identification and management purposes.
• First Pool, Second Pool, Third Pool: Assign at least one range of IP pool addresses in the First Pool fields to enable the UTM to allocate these to remote VPN clients. The Second Pool and Third Pool fields are optional. To specify any client pool, enter the starting IP address for the pool in the Starting IP field and enter the ending IP address for the pool in the Ending IP field. Note: Any IP pool should not be within the local network IP addresses. Use a different range of private IP addresses, such as 172.173
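A pre-flight check for the IKE policy, VPN policy and Mode Config settings described in the tables above (the pre-shared key and DPD parameters, the Mode Config identifier rules, the encryption, integrity and DH group choices, and the client pool rule), as an added example that is not code from the NETGEAR manual or the UTM. It encodes the constraints the manual states: a pre-shared key of 8 to 49 characters without a double quote; DH Group 1, 2 or 5; DES, 3DES or AES; SHA-1 or MD5; FQDN identifiers on both ends and a recommended 3600 s SA lifetime for Mode Config; and client pools outside the local network. The strength warnings and the two constructed policies are this editor's, not the manual's.

```python
"""Pre-flight checks for IKE, VPN policy and Mode Config settings.

Added example, not code from the NETGEAR manual or the UTM. Errors are
violations of rules the manual states; warnings are this editor's
recommendations (DES and DH Group 1 are broken, 3DES and DH Group 2 are
deprecated, MD5 should not be used for integrity).
"""
import ipaddress

ENCRYPTION = {"DES", "3DES", "AES-128", "AES-192", "AES-256"}
INTEGRITY = {"SHA-1", "MD5"}
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
WEAK_CIPHER = {"DES": "broken", "3DES": "deprecated"}
WEAK_DH = {1: "broken", 2: "deprecated"}


def check_psk(psk):
    """Return the manual's pre-shared key rule violations."""
    errors = []
    if not 8 <= len(psk) <= 49:
        errors.append("pre-shared key must be 8 to 49 characters")
    if '"' in psk:
        errors.append("pre-shared key must not contain a double quote")
    return errors


def pools_overlap_local(local_network, pools):
    """Client pools (start, end) that overlap the local LAN, or are inverted."""
    local = ipaddress.IPv4Network(local_network, strict=False)
    bad = []
    for start, end in pools:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi or any(n.overlaps(local) for n in ipaddress.summarize_address_range(lo, hi)):
            bad.append(f"{start}-{end}")
    return bad


def check_policy(p):
    """Validate one policy dict; returns {'errors': [...], 'warnings': [...]}."""
    errors, warnings = check_psk(p.get("psk", "")), []
    enc, integ, dh = p.get("encryption"), p.get("integrity"), p.get("dh_group")
    if enc not in ENCRYPTION:
        errors.append(f"unknown encryption algorithm {enc!r}")
    elif enc in WEAK_CIPHER:
        warnings.append(f"{enc} is {WEAK_CIPHER[enc]}; prefer AES-256")
    if integ not in INTEGRITY:
        errors.append(f"unknown integrity algorithm {integ!r}")
    elif integ == "MD5":
        warnings.append("MD5 is broken; use SHA-1, the strongest option offered")
    if dh not in DH_GROUP_BITS:
        errors.append(f"unknown DH group {dh!r}")
    elif dh in WEAK_DH:
        warnings.append(f"DH Group {dh} ({DH_GROUP_BITS[dh]} bit) is {WEAK_DH[dh]}; prefer Group 5")
    if p.get("mode_config"):
        if p.get("local_id_type") != "FQDN" or p.get("remote_id_type") != "FQDN":
            errors.append("Mode Config requires FQDN identifiers on both ends")
        if p.get("sa_lifetime", 28800) > 3600:
            warnings.append("manual recommends an SA lifetime of 3600 s for Mode Config")
        for pool in pools_overlap_local(p["local_network"], p.get("pools", [])):
            errors.append(f"client pool {pool} overlaps local network {p['local_network']}")
    return {"errors": errors, "warnings": warnings}


# Constructed policies: GOOD follows the editor's recommendations; RISKY keeps
# several of the manual's defaults and places the client pool inside the LAN.
GOOD = {"psk": "correct horse battery staple", "encryption": "AES-256", "integrity": "SHA-1",
        "dh_group": 5, "mode_config": True, "local_id_type": "FQDN", "remote_id_type": "FQDN",
        "sa_lifetime": 3600, "local_network": "192.168.1.0/24",
        "pools": [("172.16.100.1", "172.16.100.254")]}
RISKY = {"psk": "short", "encryption": "3DES", "integrity": "MD5", "dh_group": 2,
         "mode_config": True, "local_id_type": "FQDN", "remote_id_type": "FQDN",
         "sa_lifetime": 28800, "local_network": "192.168.1.0/24",
         "pools": [("192.168.1.50", "192.168.1.99")]}

if __name__ == "__main__":
    for name, policy in (("good", GOOD), ("risky", RISKY)):
        print(name, check_policy(policy))
```

The pool check splits each start/end pair into CIDR blocks and tests each for overlap with the local network, so a pool that straddles or entirely contains the LAN is caught, not only one whose endpoints fall inside it.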
355. ing addresses 10.0.0.5-10.0.0.20 and the FQDN ftp.company.com, which resolves to 10.0.1.3. Assuming that no conflicting user or group policies have been configured, if a user would attempt to access:
• an FTP server at 10.0.0.1, the user would be blocked by Policy 1.
• an FTP server at 10.0.1.5, the user would be blocked by Policy 2.
• an FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5-10.0.0.20 is more specific than the IP address range that is defined in Policy 1.
• an FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range that is configured in Policy 2.
Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The UTM's policy engine does not perform reverse DNS lookups.
Viewing Policies
To view the existing policies, follow these steps:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view. Figure 8-18 on page 8-33 shows some examples.
(Figure 8-18: Policies screen, with the View List of SSL VPN Policies selector (Global, Group or User, here the user admin) and the List of SSL VPN Policies table, which lists for example a RoadWarrior policy with action Permit and an Edit button.)
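The precedence rule worked through above, as an added example that is not code from the NETGEAR manual or the UTM's policy engine. It models the ordering the manual describes (a single host name beats an address range, and a smaller range beats a larger one) together with the note that the engine does not perform reverse DNS lookups. Policy 3 and the FQDN resolution come from the manual's example; Policies 1 and 2 are assumed here to be deny rules on 10.0.0.1-10.0.0.254 and 10.0.1.1-10.0.1.254, since their definitions are not reproduced on this page, and the DNS table is constructed.

```python
"""SSL VPN policy precedence: the most specific matching policy wins.

Added example, not code from the NETGEAR manual or the UTM. A destination
given as an FQDN is resolved forward so IP-based policies also apply to
it; a destination given as an IP is never reverse-resolved, so FQDN
policies cannot match it.
"""
import ipaddress
from dataclasses import dataclass

# Constructed forward-DNS table standing in for the resolver the UTM uses.
DNS = {"ftp.company.com": "10.0.1.3"}

KIND_RANK = {"fqdn": 3, "range": 2, "network": 1}   # higher is more specific


@dataclass(frozen=True)
class Policy:
    name: str
    action: str     # "permit" or "deny"
    targets: tuple  # ("fqdn", "host"), ("range", "a.b.c.d-e.f.g.h") or ("network", "x/len")


def specificity(kind, value, name, addr):
    """Sort key for a target that covers the destination, or None if it does not."""
    if kind == "fqdn":
        return (KIND_RANK[kind], 0) if name and name.lower() == value.lower() else None
    if addr is None:
        return None
    if kind == "range":
        lo, hi = (ipaddress.IPv4Address(x) for x in value.split("-"))
        hit, size = lo <= addr <= hi, int(hi) - int(lo) + 1
    else:
        net = ipaddress.IPv4Network(value, strict=False)
        hit, size = addr in net, net.num_addresses
    return (KIND_RANK[kind], -size) if hit else None


def decide(policies, destination, dns=DNS, default="deny"):
    """Return (action, policy name) for an FQDN or dotted-IP destination."""
    try:
        addr, name = ipaddress.IPv4Address(destination), None
    except ValueError:
        name = destination
        addr = ipaddress.IPv4Address(dns[name]) if name in dns else None
    best = None
    for p in policies:
        keys = [k for k in (specificity(*t, name, addr) for t in p.targets) if k]
        if keys and (best is None or max(keys) > best[0]):
            best = (max(keys), p)
    return (best[1].action, best[1].name) if best else (default, None)


POLICIES = [
    Policy("Policy 1", "deny", (("range", "10.0.0.1-10.0.0.254"),)),  # assumed definition
    Policy("Policy 2", "deny", (("range", "10.0.1.1-10.0.1.254"),)),  # assumed definition
    Policy("Policy 3", "permit", (("range", "10.0.0.5-10.0.0.20"), ("fqdn", "ftp.company.com"))),
]

if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.1.5", "10.0.0.10", "ftp.company.com", "10.0.1.3"):
        print(dst, "->", decide(POLICIES, dst))
```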
356. ing extraneous traffic and improving the efficiency of the whole network.
• They are easy to manage. The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from a management interface rather than from the wiring closet.
• They provide increased performance. VLANs free up bandwidth by limiting node-to-node and broadcast traffic throughout the network.
• They ensure enhanced network security. VLANs create virtual boundaries that can be crossed only through a router. So standard router-based security measures can be used to restrict access to each VLAN.
Managing the UTM's Port-Based VLANs
The UTM supports port-based VLANs. Port-based VLANs help to confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port can have only one VLAN ID as its Port VLAN Identifier (PVID). By default, all four LAN ports of the UTM are assigned to the default VLAN, or VLAN 1. Therefore, by default, all four LAN ports have default PVID 1. However, you can assign another PVID to a LAN port by selecting a VLAN profile from the pull-down menu on the LAN Setup screen. After you have created a VLAN profile and assigned one or more ports to the profile, you must first enable the profile to activate it. The UTM's default VLAN cannot be deleted. All untagged traffic is routed through the default VLAN (VLAN1), which must be assigned to at least one LAN port.
Note the fol
357. inutes (a 30-second minimum test period for a minimum of 4 tests).
3. Click Apply to save your settings.
When a rollover occurs, you can configure the UTM to generate a notification e-mail to a specified address (see Configuring and Activating System E-mail and Syslog Logs on page 11-6). When the UTM detects that the failed primary WAN interface has been restored, an automatic rollover to the primary WAN interface occurs.
Configuring Load Balancing and Optional Protocol Binding (Dual WAN Port Models Only)
For the dual WAN port models only, to use multiple ISP links simultaneously, configure load balancing. In load balancing mode, either WAN port carries any outbound protocol unless protocol binding is configured. When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1 port and the FTP protocol is bound to the WAN2 port, then the UTM automatically routes all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All outbound FTP traffic is routed through the WAN2 port.
Protocol binding addresses two issues:
• Segregation of traffic between links that are not of the same speed. High-volume traffic can be routed through the WAN port connected to a high-speed link, and low-volume traffic can be routed through the WAN port connected to the low-speed link.
• Continuity of source IP address
358. ion, the peer VPN device on the other end of the tunnel must also support DPD. Keepalive, though less reliable than DPD, does not require any support from the peer device.
Configuring Keepalives
The Keepalive feature maintains the IPsec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the Keepalive feature on a configured VPN policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view.
2. Click the VPN Policies submenu tab. The VPN Policies screen displays (see Figure 7-22 on page 7-32).
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. Figure 7-31 shows only the top part of the screen with the General section.
(Figure 7-31: Edit VPN Policy screen, General section, for the policy named Client to UTM: Policy Type, Select Local Gateway (WAN1/WAN2), Remote Endpoint (IP Address or FQDN), Enable NetBIOS, Enable Keepalive (Yes/No), Ping IP Address, Detection period (10 seconds) and Reconnect after failure count, followed by the Traffic Selection section.)
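The DPD timing that this section and the IKE policy table describe (probes only while the SA is idle, a detection period, and a reconnect after a fixed number of failures), simulated as an added example that is not code from the NETGEAR manual or the UTM. The peer is a stub driven by the simulation so the timeline is deterministic; the default detection period of 10 seconds is the manual's, the failure count of 3 is an assumption for the example.

```python
"""Dead Peer Detection timing, simulated offline.

Added example, not code from the NETGEAR manual or the UTM. R-U-THERE
probes are sent only once the IPsec SA has been idle for the detection
period; after the configured number of consecutive unanswered probes the
SA is torn down and a reconnect is attempted.
"""


class DpdMonitor:
    def __init__(self, detection_period=10, failure_count=3):
        self.period = detection_period      # seconds between R-U-THERE probes
        self.max_failures = failure_count   # "Reconnect after failure count" (assumed default 3)
        self.last_traffic = 0
        self.last_probe = 0
        self.failures = 0
        self.sa_up = True
        self.events = []

    def on_traffic(self, now):
        """Any IPsec traffic proves the peer is alive and resets the counter."""
        self.last_traffic = now
        self.failures = 0

    def tick(self, now, peer_alive):
        """Called once per second. Returns True if a probe was sent this tick."""
        if not self.sa_up:
            return False
        idle = now - self.last_traffic >= self.period
        due = now - self.last_probe >= self.period
        if not (idle and due):
            return False
        self.last_probe = now
        if peer_alive:
            self.failures = 0
            self.events.append((now, "R-U-THERE acknowledged"))
            return True
        self.failures += 1
        self.events.append((now, f"no acknowledgement ({self.failures}/{self.max_failures})"))
        if self.failures >= self.max_failures:
            self.sa_up = False   # delete the IPsec and IKE SA, force re-establishment
            self.events.append((now, "SA deleted, reconnect attempted"))
        return True


def simulate(traffic_until, peer_dies_at, seconds=60, **settings):
    """Run a timeline: traffic flows until traffic_until, the peer answers until peer_dies_at."""
    monitor = DpdMonitor(**settings)
    for t in range(seconds):
        if t < traffic_until:
            monitor.on_traffic(t)
        monitor.tick(t, peer_alive=t < peer_dies_at)
    return monitor


if __name__ == "__main__":
    for event in simulate(traffic_until=5, peer_dies_at=20).events:
        print(*event)
```

With traffic stopping at second 5 and the peer dying at second 20, the first probe goes out at 14 and is answered; the probes at 24, 34 and 44 go unanswered, and the SA is deleted at 44. A tunnel that never goes idle sends no probes at all, which is why a dead peer behind continuous one-way traffic is noticed only when that traffic stops.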
359. ion information.
• In this manual, the WAN side of the network is presumed to be provisioned as shown in Figure B-1, with two ISPs connected to the UTM through separate physical facilities.
• Each WAN port must be configured separately, whether you are using a separate ISP for each WAN port or you are using the same ISP to route the traffic of both WAN ports.
(Figure B-1: Customer premises route diversity: WAN port 1 connects through physical facility 1 to ISP 1, and WAN port 2 connects through physical facility 2 to ISP 2.)
• If your ISP charges by the volume of data traffic each month, consider enabling the UTM's traffic meter to monitor or limit your traffic.
• Contact a Dynamic DNS service and register FQDNs for one or both WAN ports.
3. Plan your network management approach.
• The UTM is capable of being managed remotely, but this feature must be enabled locally after each factory default reset. NETGEAR strongly advises you to change the default management password to a strong password before enabling remote management.
• You can choose a variety of WAN options if the factory default settings are not suitable for your installation. These options include enabling a WAN port to respond to a ping and setting MTU size, port speed, and upload bandwidth.
4. P
360. ion the UTM in Your Network
Understanding the Web Management Interface Menu Layout
Figure 2-3 shows the menu at the top of a dual WAN port model's Web Management Interface (in this example, the UTM25). The single WAN port model's Web Management Interface layout is identical, with the exception that it shows only a single WAN ISP Setting submenu tab.
(Figure 2-3: Web Management Interface menu of the UTM25: 1st-level main navigation menu links (orange); 2nd-level configuration menu links (gray) such as WAN Settings, Protocol Binding, Dynamic DNS, WAN Metering, LAN Settings, DMZ Setup, Routing and Email Notification; 3rd-level submenu tabs (blue) such as WAN1 ISP Settings, WAN2 ISP Settings, WAN Mode, Secondary Addresses and Advanced; and an option arrow leading to an additional screen for a submenu item, for example WAN Status.)
The Web Management Interface menu consists of the following components:
• 1st Level: Main navigation menu links. The main navigation menu in the orange bar across the top of the Web Management Interface provides access to all the configuration functions of the UTM and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.
• 2nd Level: Configuration menu links. The configuration menu links in the gray bar immediately below the main navigation menu bar change according to the main navigation menu link th
361. ions.
4. Click Apply to save your settings. The IPsec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled.
[Figure 7-10: VPN Policies screen showing the List of VPN Policies table with two Auto Policy entries (a gateway-to-gateway policy and a Client to UTM policy), each using SHA-1 authentication and 3DES encryption, and the Edit, Select All, Delete, Enable, Disable, and Add buttons.]
Note: When using FQDNs, if the dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection
From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the UTM.
1. Right-click the VPN client icon in your Windows toolbar and select Security Policy Editor. Then select Options > Secure and verify that the Specified Connections selection is enabled (see Figure 7-11 on page 7-13).
362. ions as the HTTPS client for the HTTPS server. During SSL authentication, the HTTPS client authenticates three items:
• Is the certificate trusted?
• Has the certificate expired?
• Does the name on the certificate match that of the Web site?
If one of these is not satisfied, a security alert message appears in the browser window (see Figure 6-14).
[Figure 6-14: Browser security alert: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate date is valid. The name on the security certificate is invalid or does not match the name of the site. Do you want to proceed?"]
However, even when a certificate is trusted or still valid, or when the name of a certificate does match the name of the Web site, a security alert message still appears when a user who is connected to the UTM visits an HTTPS site. The appearance of this security alert message is expected behavior, because the HTTPS client receives a certificate from the UTM instead of directly from the HTTPS server. If you want to prevent this security alert message from app
363. ious Files to NETGEAR for Analysis 12-11
Accessing the Knowledge Base and Documentation 12-12
Appendix A: Default Settings and Technical Specifications
Appendix B: Network Planning for Dual WAN Ports (Dual WAN Port Models Only)
What to Consider Before You Begin B-1
Cabling and Computer Hardware Requirements B-3
Computer Network Configuration Requirements B-3
Internet Configuration Requirements B-3
Overview of the Planning Process B-5
[entry unreadable] B-7
Inbound Traffic to a Single WAN Port System B-7
Inbound Traffic to a Dual WAN Port System B-8
Virtual Private Networks (VPNs) B-9
VPN Road Warrior (Client-to-Gateway) B-11
VPN Gateway to Gateway B-13
VPN Telecommuter (Client to Gateway Through a NAT Router) B-16
Appendix C: System Logs and Error Messages
System Log Messages C-2
[entry unreadable] C-2
364. irtual Private Networking Using SSL Connections.
Table 8-6 Add Portal Layout Settings (continued)
Item: Description or Subfield and Description
ActiveX web cache cleaner: Select this checkbox to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The Web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the Web browser window. The ActiveX Web cache control is ignored by Web browsers that do not support ActiveX.
SSL VPN Portal Pages to Display:
VPN Tunnel page: Select this checkbox to provide full network connectivity.
Port Forwarding: Select this checkbox to provide access to specific defined network services.
Note: Any pages that are not selected are not visible from the SSL VPN portal; however, users can still access the hidden pages unless you create SSL VPN access policies to prevent access to these pages.
5. Click Apply to save your settings. The new portal layout is added to the List of Layouts table. To display the new portal layout
Configuring Domains, Groups, and Users
Remote users connecting to the UTM through an SSL VPN portal must be authenticated before they are granted access to the network. The login window that is presented to the user requires three items: a user name, a password, and
365. is setting is enabled by default.
Note: When you deselect the Enable DNS Proxy radio button, the UTM still services DNS requests that are sent to its LAN IP address unless you disable DNS Proxy in the firewall settings (see Attack Checks on page 5-27).
[Figure 2-8: Setup Wizard Step 2 of 10, WAN Settings. Fields shown: DHCP service detected; Does Your Internet Connection Require a Login? (Yes/No); Login, Password, Account Name, Domain Name; Which type of ISP connection do you use? (Austria (PPTP), Other (PPPoE)); Idle Timeout / Keep Connected, Idle Time (minutes); My IP Address, Server IP Address; Current IP Address: Get Dynamically from ISP / Use Static IP Address, with IP Address, IP Subnet Mask, and Gateway IP Address; DNS: Get Automatically from ISP / Use These DNS Servers, with Primary DNS Server and Secondary DNS Server.]
Enter the settings as explained in Table 2-2 on page 2-12, then click Next to go to the following screen.
Note: Click the Auto Detect action button at the bottom of the menu. The auto detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
366. isable Java scripts. Even sites on the whitelist (see Configuring Web URL Filtering on page 6-30) are subject to Web object blocking when the blocking of a particular Web object is enabled.
• Web category blocking. You can block entire Web categories because their content is undesired, offensive, or not relevant, or simply to reduce traffic.
Note: You can bypass any type of Web blocking for trusted hosts by adding the exact matching domain names to the trusted host list (see Specifying Trusted Hosts on page 6-37). Access to the domains on the trusted host list is allowed for PCs in the groups for which file extension, keyword, object, or category blocking, or a combination of these types of Web blocking, has been enabled.
Note: You can bypass any type of Web blocking for trusted URLs by adding the URLs to the whitelist (see Configuring Web URL Filtering on page 6-30). Access to the URLs on the whitelist is allowed for PCs in the groups for which file extension, keyword, object, or category blocking, or a combination of these types of Web blocking, has been enabled.
To configure Web content filtering:
1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view.
2. Click the Con
367. isc.org/bin/view/Servers/WebHome
Server 1 Name / IP Address: Enter the IP address or host name of the primary NTP server.
Server 2 Name / IP Address: Enter the IP address or host name of the backup NTP server.
[Figure 2-10: Setup Wizard Step 4 of 10, Services. Sections shown: Email services (SMTP, POP3, IMAP) and Web services, each with Enable Service and Ports to Scan; Instant Messaging, with Block Service checkboxes for Google Talk, Jabber, mIRC, MSN Messenger, and Yahoo Messenger; Peer to Peer (P2P), with Block Service checkboxes for BitTorrent, eDonkey, and Gnutella.]
Enter the settings as explained in Table 2-4 on page 2-17, then click Next to go to the following screen.
Note: After you have completed the steps in the Setup Wizard, you can make changes to the security services by selecting Application Security > Services. For more information about these settings, see Customizing E-mail Protocol Scan Settings on page 6-4 and Customizing Web Protocol Scan Settings and Services on page 6-19.
368. isplays. Figure 8-14 shows some examples.
[Figure 8-14: Port Forwarding screen with the List of Configured Applications for Port Forwarding (example entry: Local Server IP Address 192.168.50.8, TCP Port Number 21), the Add New Application for Port Forwarding section, the List of Configured Host Names for Port Forwarding (example entry: Local Server IP Address 192.168.50.8, Fully Qualified Domain Name ftp.customer.com), and the Add New Host Name for Port Forwarding section.]
3. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields:
• IP Address: The IP address of an internal server or host computer that a remote user has access to.
• TCP Port: The TCP port number of the application that is accessed through the SSL VPN tunnel. Table 8-7 on page 8-24 lists some commonly used TCP applications and port numbers.
Table 8-7 Port Forwarding Applications / TCP Port Numbers
TCP Application: Port Number
FTP Data (usually not needed): 20
FTP Control Protocol: 21
SSH: 22 (a)
Telnet: 23 (a)
SMTP (send mail): 25
HTTP (web): 80
POP3 (receive mail): 110
NTP (network time protoco
369. ity. NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
[Figure 5-14: LAN WAN Rules screen showing the Default Outbound Policy, the Outbound Services table (Service Name, Filter, LAN Users, WAN Users, QoS Profile, Bandwidth Profile, Log), and the Inbound Services table (Service, Action, LAN Server IP Address, LAN Users, WAN Users, QoS Profile, Bandwidth Profile, Destination, Log) with an example exposed host rule. Callouts: 1. Select Any and Allow Always or Allow by Schedule. 2. Place the rule below all other inbound rules.]
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other non-essential sites.
LAN WAN Outbound Rule: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees
370. ive user's user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user connected. To disconnect an active user, click the Disconnect table button to the right of the user's table entry.
Viewing Port Triggering Status
To view the status of the Port Triggering feature:
1. Select Network Security > Port Triggering from the menu. The Port Triggering screen displays. Figure 11-16 shows one rule in the Port Triggering Rules table as an example.
[Figure 11-16: Port Triggering screen with the Port Triggering Rules table (Name, Enable, Protocol, Outgoing Ports Start/End Port, Incoming Ports Start/End Port; the example rule uses TCP with outgoing ports 20 to 22) and the Add Port Triggering Rule section (Name, Enable, Protocol, Outgoing (Trigger) Port Range, Incoming (Response) Port Range, each limited to 1 to 65535).]
2. Click the Status option arrow at the top right of the Port Triggering screen. The Port Triggering Status screen appears in a popup window.
[Figure 11-17: Port Triggering Status popup with columns Rule, LAN IP Address, Open Ports, and Time Remaining (Sec), and a Refresh button.]
The Port Triggering Status screen displ
371. ively, you can rack-mount the UTM in a wiring closet or equipment room. A rack mounting kit containing two mounting brackets and four screws is provided in the package for the dual WAN port models.
Consider the following when deciding where to position the UTM:
• The unit is accessible and cables can be connected easily.
• Cabling is away from sources of electrical noise. These include lift shafts, microwave ovens, and air conditioning units.
• Water or moisture cannot enter the case of the unit.
• Airflow around the unit and through the vents in the side of the case is not restricted. Provide a minimum of 25 mm (1 inch) clearance.
• The air is as free of dust as possible.
• Temperature operating limits are not likely to be exceeded. Install the unit in a clean, air-conditioned environment. For information about the recommended operating temperatures for the UTM, see Appendix A, Default Settings and Technical Specifications.
Using the Rack Mounting Kit
Use the mounting kit for the UTM to install the appliance in a rack. A mounting kit is provided in the package for the dual WAN port models. Attach the mounting brackets using the hardware that is supplied with the mounting kit (Figure 1-7).
Before mounting the UTM in a rack, verify that:
• You have the correct screws (supplied with the installation kit).
• T
372. izard, you can make changes to the domain settings by selecting Users > Domains. For more information about domain settings, see Configuring Domains on page 9-2.
Table 8-2 SSL VPN Wizard Step 2: Domain Settings
Setting: Description or Subfield and Description
Domain Name: A descriptive (alphanumeric) name of the domain for identification and management purposes.
Authentication Type: Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client Configuration on page 7-40). From the pull-down menu, select the authentication method that the UTM applies:
• Local User Database (default): Users are authenticated locally on the UTM. This is the default setting. You do not need to complete any other fields on this screen.
• Radius PAP: RADIUS Password Authentication Protocol (PAP). Complete the Authentication Server and Authentication Secret fields.
• Radius CHAP: RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the Authentication Server and Authentication Secret fields.
• Radius MSCHAP: RADIUS Microsoft CHAP. Complete the Authentication Server and Authentication Secret fields.
• Radius MSCHAPv2: RADIUS Microsoft CHAP version 2. Complete the Authentication Server and Authentication Secret fields.
• WiKID PAP: WiKID Systems PAP. Complete the Authentication Server and Authentication
373. izes with any of the servers is Thu Jan 01 00:01:52 GMT 1970.
• The resynchronization interval is governed by the specification defined in DOC-00045_Ntp_Spec.pdf.
Table C-5 System Logs: NTP
Message 1: Nov 28 12:31:13 UTM ntpdate: Looking Up time-f.netgear.com
Message 2: Nov 28 12:31:13 UTM ntpdate: Requesting time from time-f.netgear.com
Message 3: Nov 28 12:31:14 UTM ntpdate: adjust time server 69.25.106.19 offset 0.140254 sec
Message 4: Nov 28 12:31:14 UTM ntpdate: Synchronized time with time-f.netgear.com
Message 5: Nov 28 12:31:16 UTM ntpdate: Date and Time Before Synchronization: Tue Nov 28 12:31:13 GMT+0530 2006
Message 6: Nov 28 12:31:16 UTM ntpdate: Date and Time After Synchronization: Tue Nov 28 12:31:16 GMT+0530 2006
Example: Nov 28 12:31:16 UTM ntpdate: Next Synchronization after 2 Hours
Explanation:
Message 1: DNS resolution for the NTP server time-f.netgear.com.
Message 2: Request for NTP update from the time server.
Message 3: Adjust time by resetting system time.
Message 4: Display date and time before synchronization, that is, when resynchronization started.
Message 5: Display the new, updated date and time.
Message 6: Next synchronization will be after the specified time mentioned.
Example: In the above logs, the next synchronization will be after two hours.
Recommended Action: None
374. ject line that is queried. This field is available only for the Traffic log.
Size: The file's minimum and maximum size in bytes that are queried. This field is available only for the Traffic log.
Event: The type of event that is queried. These events are the same events that are used for syslog server severity indications: EMERG, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, and DEBUG. This field is available only for the Service log.
URL: The URL that is queried. This field is available only for the Content filters log.
Display: The maximum number of pages that is displayed.
Download Log File Format: Select a radio button to specify the format of the downloaded (zipped) log file:
CSV: Download the log file as a comma-separated values (CSV) file.
HTML: Download the log file as an HTML file.
4. Click one of the following action buttons:
• Search: Query the log according to the search criteria that you specified and view the log through the Web Management Interface, that is, on screen.
• Download: Query the log according to the search criteria that you specified and download the log to a computer.
Note: The system, firewall, IPsec VPN, and SSL VPN logs cannot be queried or downloaded. When you select any of these logs, you can view them through the Web Management Interface, that is, they appear on screen.
375. k (see Configuring Dynamic DNS on page 3-19).
• If the IP address of the local server PC is assigned by DHCP, it might change when the PC is rebooted. To avoid this, use the Reserved DHCP Client feature in the LAN Groups menu to keep the PC's IP address constant (see Setting Up Address Reservation on page 4-17).
• Local PCs must access the local server using the PC's local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail.
Note: See Configuring Port Triggering on page 5-46 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.
Note: The UTM always blocks denial of service (DoS) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it, that is, the service becomes unavailable. For example, multiple concurrent connections of the same application from one host or IP address, such as multiple DNS queries from one PC, trigger the UTM's DoS protection. For more information about protecting the UTM from incoming threats, see Using the Intrusion Prevention System on page 5-49.
4. Table 5-3 on page 5-8 describes the fields that define the rules for inbound traffic and that are common to most Inbound Service screens (see Figure 5-4 on page 5-15, Figure 5-7 on page 5-18, and Figure 5-10 on page 5-21). The st
376. k Apply to save your settings. The VPN policy is added to the List of VPN Policies table.
To edit a VPN policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view.
2. Click the VPN Policies submenu tab. The VPN Policies screen displays (see Figure 7-22 on page 7-32).
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. This screen shows the same fields as the Add VPN Policy screen (see Figure 7-23 on page 7-34).
4. Modify the settings that you wish to change (see Table 7-12).
5. Click Apply to save your changes. The modified VPN policy is displayed in the List of VPN Policies table.
Configuring Extended Authentication (XAUTH)
When many VPN clients connect to a UTM, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although you could configure a unique VPN policy for each user, it is more efficient to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.
377. k occurs. Five types of alerts are supported:
• Update Failure Alert: Sent when an attempt to update any component, such as a pattern file or scan engine firmware, fails.
• Malware Alert: Sent when the UTM detects a malware threat.
• Malware Outbreak Alert: Sent when the malware outbreak criteria that you have configured are reached or exceeded. Outbreak criteria are based on the number of malware threats detected within a specified period of time.
• IPS Alert: Sent when the UTM detects an attack.
• IPS Outbreak Alert: Sent when the IPS outbreak criteria that you have configured are reached or exceeded. Outbreak criteria are based on the number of IPS attacks detected within a specified period of time.
To configure and activate the e-mail alerts:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view.
2. Click the Alerts submenu tab. The Alerts screen displays (Figure 11-5 on page 11-11).
[Figure 11-5: Alerts screen, with the checkboxes Enable Update Failure Alerts, Enable License Expiration Alerts, and Enable Malware Alerts, and the Subject and Message fields.]
Note: Insert the following meta word(s) to automatically incl
378. l: 123
Citrix: 1494
Terminal Services: 3389
VNC (virtual network computing): 5900 or 5800
a. Users can specify the port number together with the host name or IP address.
4. Click the Add table button. The new application entry is added to the List of Configured Applications for Port Forwarding table. Remote users can now securely access network applications once they have logged into the SSL VPN portal and launched port forwarding.
To delete an application from the List of Configured Applications for Port Forwarding table, select the checkbox to the left of the application that you want to delete, and then click the Delete table button in the Action column.
Adding a New Host Name
After you have configured port forwarding by defining the IP addresses of the internal servers and the port numbers for TCP applications that are available to remote users, you can also specify host name to IP address resolution for the network servers as a convenience for users. Host name resolution allows users to access TCP applications at familiar addresses, such as mail.example.com or ftp.customer.com, rather than by IP address.
To add servers and host names for client name resolution:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view.
2. Click the Port Forwarding submenu tab. The Port Forwarding screen displays (see Figure 8-14 on page 8-23).
379. l uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection, in that it considers whether the incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT.
Administrator Tips
Consider the following operational items:
• As an option, you can enable remote management if you have to manage distant sites from a central location (see Configuring VPN Authentication Domains, Groups, and Users on page 9-1 and Configuring Remote Management Access on page 10-12).
• Although rules (see Using Rules to Block or Allow Specific Kinds of Traffic on page 5-3) are the basic way of managing the traffic through your system, you can further refine your control using the following features and capabilities of the UTM:
Groups and hosts (see Managing Groups and Hosts (LAN Groups) on page 4-12)
Services (see Services-Based Rules on page 5-3)
Schedules (see Setting a Schedule to Block or Allow Specific Traffic on page 5-41)
Allow or block sites and applications (see Setting Web Access Exception Rules on page 6-41)
Source MAC filtering (see Enabling Source MAC Filtering on page 5-42)
Port triggering (see Configuring Port Triggering on page 5-46)
Conte
380. last week, using different colors for the various applications. Note: IMBlock stands for instant messaging applications blocked, P2PBlock stands for peer-to-peer applications blocked, and IPSSigMatch stands for IPS signatures matched.
Total Traffic (Bytes): This is a graphic that shows the relative amount of traffic in bytes over the last week.
[Figure 11-8: Dashboard screen (2 of 3), with the panels Most Recent 5 Threats Detected and Top 5 Threats Detected (Malware Name, Protocol, Date and Time, Count), Most Recent 5 IPS Signature Matches and Top 5 IPS Signature Matches (Signature Name, Category, Date and Time, Count, Percentage), most recent blocked applications and Web categories, Most Recent 5 SPAMs (Email Subject), and Top 5 SPAM recipients (Recipient).]
381. lays.
2. Modify the settings that you wish to change (see Table 5-8).
3. Click Apply to save your changes. The modified bandwidth profile is displayed in the List of Bandwidth Profiles table.
Setting a Schedule to Block or Allow Specific Traffic
Schedules define the timeframes under which firewall rules may be applied. Three schedules (Schedule 1, Schedule 2, and Schedule 3) can be defined, and any one of these can be selected when defining firewall rules.
To set a schedule:
1. Select Network Security > Firewall Objects from the menu. The Firewall Objects submenu tabs appear with the Services screen in view.
2. Click the Schedule 1 submenu tab. The Schedule 1 screen displays.
[Figure 5-25: Schedule 1 screen. Scheduled Days: "Do you want this schedule to be active on all days or specific days?" with the All Days and Specific Days radio buttons and checkboxes for Sunday through Saturday. Time of day: "Do you want this schedule to be active all day or at specific times during the day?" with the All Day and Specific Times radio buttons and Start Time and End Time fields (hour, minute, AM/PM).]
3. In the Scheduled Days section, select one of the following radio buttons:
• All Days: The s
382. le source device as a percentage of the total session connection capacity of the UTM. The session limit is per-device based. If the User Limit Parameter is set to Number of Sessions, the number specifies an absolute value.
Note: Some protocols, such as FTP and RSTP, create two sessions per connection, which should be considered when configuring a session limit.
Total Number of Packets Dropped due to Session Limit: This is a non-configurable counter that displays the total number of dropped packets when the session limit is reached.
Session Timeout (TCP Timeout, UDP Timeout, ICMP Timeout): For each protocol, specify a timeout in seconds. A session expires if no data for the session is received for the duration of the timeout period. The default timeout periods are 1200 seconds for TCP sessions, 180 seconds for UDP sessions, and 8 seconds for ICMP sessions.
5. Click Apply to save your settings.
Managing the Application Level Gateway for SIP Sessions
The Application Level Gateway (ALG) facilitates multimedia sessions, such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP), across the firewall and provides support for multiple SIP clients. ALG support for SIP is disabled by default.
To enable ALG for SIP:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear.
2. Click the Advanced submenu tab. The Advanced screen displays (see Figure 5-18 on page 5-32).
383. le extensions zip, rar, gz, tar, and bz2 added to the File Extension field.
Action (SMTP, POP3, IMAP): From the pull-down menu, specify an action when an e-mail attachment with a file extension that is defined in the File Extension field is detected. The pull-down menu selections and defaults are the same as the ones for the Filter by Password-Protected Attachments (ZIP, RAR, etc.) section above.
Filter by File Name
File Name: Enter the file names that are detected. Use commas to separate multiple file names. For example, to block the Netsky worm, which normally arrives as netsky.exe, enter netsky.exe.
Action (SMTP, POP3, IMAP): From the pull-down menu, specify an action when an e-mail attachment with a name that is defined in the File Name field is detected. The pull-down menu selections and defaults are the same as the ones for the Filter by Password-Protected Attachments (ZIP, RAR, etc.) section above.
3. Click Apply to save your settings.
Protecting Against E-mail Spam
The UTM integrates multiple anti-spam technologies to provide comprehensive protection against unwanted e-mail. You can enable all or a combination of these anti-spam technologies. The UTM implements these spam prevention technologies in the following order:
1. Whitelist: E-mails from the specified sources or to the specified recipients are not considered spam and are accepted.
2. Blacklist: E-mails from the s
384. lect the Yes radio button to enable and configure the backup RADIUS server, and then enter the settings for the three fields below. The default setting is that the No radio button is selected.
Backup Server IP Address: The IP address of the backup RADIUS server.
Secret Phrase: The shared secret phrase used to authenticate the transactions between the client and the backup RADIUS server. The same secret phrase must be configured on both the client and the server.
Backup Server NAS Identifier: The backup Network Access Server (NAS) identifier that must be present in a RADIUS request. Note: See the Note above for the Primary Server NAS Identifier.
Connection Configuration
Time-out period: The period in seconds that the UTM waits for a response from a RADIUS server.
Maximum Retry Counts: The maximum number of times that the UTM attempts to connect to a RADIUS server.
4. Click Apply to save your settings.
Note: You select the RADIUS authentication protocol (PAP or CHAP) on the Edit IKE Policy screen or Add IKE Policy screen (see Configuring XAUTH for VPN Clients on page 7-39).
Assigning IP Addresses to Remote Users (Mode Config)
To simplify the process of connecting remote VPN clients to the UTM, use the Mode Config fe
385. ...led Firewall: Inbound (communications coming in from the Internet): All communication denied. Outbound (communications from the LAN to the Internet): All communication allowed. Source MAC filtering: Disabled. Stealth mode: Enabled. Respond to ping on Internet ports: Disabled.
Table A-2 shows the physical and technical specifications for the UTM.
Table A-2. UTM Physical and Technical Specifications
Feature: Specification
Network Protocol and Standards Compatibility: Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter: Universal input, 100-240V AC, 50-60 Hz, 1.2 Amp maximum
Physical Specifications: Dimensions (W x H x D): 33 x 4.3 x 20.9 cm; 13 x 1.7 x 8.2 inches. Weight: 2.1 kg; 4.6 lb
Environmental Specifications: Operating temperatures: 0 to 45 °C; 32 to 113 °F. Storage temperatures: -20 to 70 °C; -4 to 158 °F. Operating humidity: 90% maximum relative humidity, noncondensing. Storage humidity: 95% maximum relative humidity, noncondensing
Major Regulatory Compliance: FCC Class A, CE; Meets requirements of...
386. ...leted, and a log entry is created.
- Log only: Only a log entry is created. The Web file or object is not deleted.
Streaming: Select the Streaming checkbox to enable streaming of partially downloaded and scanned HTTP or HTTPS file parts to the user. This method allows the user to experience more transparent Web downloading. Streaming is enabled by default.
Table 6-7. Malware Scan Settings (continued)
Setting: Description (or Subfield and Description)
Scan Exception: The default maximum file or object size that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions when the file or message exceeds the maximum size:
- Skip: The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting.
- Block: The file is blocked and does not reach the end user.
HTML Scan: Scan HTML Files: Select this checkbox to enable scanning of HyperText Markup Language (HTML) files, which is enabled by default.
Notification Settings: By default, the content of a Web page that is blocked because of a detected malware threat is replaced wi...
387. ...letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.
5. As an option, you can change the idle timeout for an administrator login session. Enter a new number of minutes in the Idle Timeout field. The default setting is 5 minutes.
Click Apply to save your settings.
Repeat step 1 through step 6 for the user with the name guest.
Note: After a factory default reset, the password and timeout value are changed back to password and 5 minutes, respectively.
You can also change the administrator login policies:
- Deny login access from a WAN interface. By default, the administrator can log in from a WAN interface.
- Deny or allow login access from specific IP addresses. By default, the administrator can log in from any IP address. Note: For enhanced security, restrict access to as few external IP addresses as practical.
- Deny or allow login access from specific browsers. By default, the administrator can log in from any browser.
In general, these policy settings work well for an administrator. However, if you need to change any of these policy settings, see Setting User Login Policies on page 9-12.
Configuring Remote Management Access
An administrator can configure, upgrade, and check the status of the UTM over t...
388. ...lication would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound (port forwarding) rules, and most likely would be blocked.
Note these restrictions on port triggering: Only one PC can use a port triggering application at any time. After a PC has finished using a port triggering application, there is a short time-out period before the application can be used by another PC. This time-out period is required so the UTM can determine that the application has terminated.
Note: For additional ways of allowing inbound traffic, see Inbound Rules (Port Forwarding) on page 5-6.
To add a port triggering rule:
1. Select Network Security > Port Triggering from the menu. The Port Triggering screen displays. Figure 5-28 shows a rule in the Port Triggering Rule table as an example.
[Figure 5-28: Port Triggering screen, showing the Port Triggering Rule table (columns Name, Enable, Protocol, Outgoing Ports Start/End Port, Incoming Ports Start/End Port, Action) and the Add Port Triggering Rule section (Name, Enable, Protocol, Outgoing (Trigger) Port Range, Incoming (Response) Port Range).]
389. ...licies 7-37; shutting down 11-48; signature key length 9-23; signatures and engine settings: HTTP proxy 2-25, update frequency 2-25, update settings using the Setup Wizard 2-24; Simple Mail Transfer Protocol, see SMTP; Simple Network Management Protocol, see SNMP; single WAN port mode: bandwidth capacity 10-2, description (dual WAN port models) 3-10; SIP 5-31; size: e-mail messages 2-19, Web files 2-20, Web objects 2-20; SMTP: action for infected e-mail 2-8, anti-virus settings 6-6, default port 2-17, 6-4, Distributed Spam Analysis 6-17, enabling scanning 2-17, file extension blocking 6-11, file name blocking 6-11, keyword blocking 6-10, password-protected attachment blocking 6-10, server for e-mail notification 2-23; sniffer 12-4; SNMP: attached devices 10-14, community strings 10-5, configuring 10-14, description 7, overview 10-14, traps 10-15, trusted hosts 10-15; source MAC filtering: configuring MAC addresses 5-42, logging matched packets 11-14, reducing traffic 10-5; spam: blocked messages (recent 5 and top 5) 11-18, Distributed Spam Analysis 6-16, logs 11-8, 11-32, 11-34, protection 6-11, real-time blacklist (RBL) 6-4, whitelist and blacklist 6-2; Spamcop 6-15; Spamhaus 6-15; specifications, physical and technical A-2; speed: ports 3-23, uploading and downloading 3-24; SPI 1-2, 1-4, 5-1, 7-36; split tunnel 8-25; spoofing MAC address...
390. ...lick Apply to save your changes.
When remote management is enabled, you must use an SSL connection to access the UTM from the Internet. You must enter https (not http) and type the UTM's WAN IP address in your browser. For example, if the UTM's WAN IP address is 172.16.0.123, type the following in your browser: https://172.16.0.123. The UTM's remote login URL is https://<IP_address> or https://<FullyQualifiedDomainName>.
Note: For enhanced security, restrict access to as few external IP addresses as practical. See Setting User Login Policies on page 9-12 for instructions on restricting administrator access by IP address.
Note: To maintain security, the UTM rejects a login that uses an http:// address rather than the SSL https:// address.
Note: The first time that you remotely connect to the UTM with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate.
Note: If you are unable to remotely connect to the UTM after enabling HTTPS remote management, check if other user policies, such as the default user policy, are preventing access. For access to the UTM's Web Management Interface, check if administrative access through a WAN interface is granted (see Configuring Login Policies on page 9-12).
Note: If y...
391. ...llover
[Figure B-5: Dual WAN Ports After Rollover. Before rollover: WAN1 IP is the router's address for netgear.dyndns.org and the WAN2 port is inactive. After rollover: the WAN1 port is inactive and netgear.dyndns.org resolves to the WAN2 IP. The IP address of the active WAN port changes after a rollover; use of fully qualified domain names is always required.]
Inbound Traffic: Dual WAN Ports for Load Balancing
In a dual WAN port load balancing configuration, the Internet address of each WAN port is either fixed (if the IP address is fixed) or a FQDN (if the IP address is dynamic); see Figure B-6 on page B-9.
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic.
[Figure B-6: Dual WAN Ports, Load Balancing. WAN1 IP: netgear1.dyndns.org; WAN2 IP: netgear2.dyndns.org. IP addresses of WAN ports: use of fully qualified domain names is required for dynamic IP addresses and optional for fixed IP addresses.]
Virtual Private Networks (VPNs)
When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points...
392. ...llowing information per day, both in tables and graphics: number of connections; traffic amount in MB; number of malware incidents; number of files blocked; number of URLs blocked (not applicable to FTP).
- System Reports. The report shows IPS, application, and malware incidents. The following IPS incidents are shown per day, both in tables and graphics:
  - Number of detected port scans and top 10 scanned destination IP addresses by count
  - Number of Web attacks
  - Number of mail attacks
  - Number of database attacks
  - Number of application attacks
  - Number of network protocol attacks
  - Number of malware attacks
  - Number of miscellaneous attacks
  - Top 10 attacking IPS rule names by count, top 10 attacking source IP addresses by count, and top 10 attacked destination IP addresses by count
The following application incidents are shown per day, both in tables and graphics:
  - Number of instant messaging application violations, top 10 violating instant messaging applications by count, and top 10 violating instant messaging clients by count
  - Number of peer-to-peer application violations, top 10 violating peer-to-peer applications by count, and top 10 violating peer-to-peer clients by count
The following malware incidents are shown per day, both in tables...
393. ...lly locate the folder in which you want to save the file, specify the file name, and save the file.
- If you have your browser configured to save downloaded files automatically, the file is saved to your browser's download location on the hard disk.
Restore Settings
Warning: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the UTM system software.
To restore settings from a backup file:
1. On the Backup & Restore Settings screen (see Figure 10-5 on page 10-16), next to Restore saved settings from file, click Browse.
2. Locate and select the previously saved backup file (by default, backup.pkg).
3. When you have located the file, click the restore button. A warning screen might appear, and you might have to confirm that you want to restore the configuration. The UTM reboots. During the reboot process, the Backup & Restore Settings screen remains visible. The reboot process is complete after several minutes when the Test LED on the front panel goes off.
Warning: Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the UTM, shut down the computer, or do anything else to the UTM until the settings have been fully restored.
394. ...lock access to applications, Web categories, and URLs that you have allowed access to for all other users. To specify members of a LAN group and to customize LAN group names, see Managing Groups and Hosts (LAN Groups) on page 4-12.
To set Web access exception rules:
1. Select Application Security > Block/Accept Exceptions from the menu. The Block/Accept Exceptions screen displays. This screen shows the Exceptions table, which is empty if you have not specified any exception rules. Figure 6-18 shows three exception rules in the Exceptions table as an example.
[Figure 6-18: Block/Accept Exceptions screen. The Exceptions table has the columns Action, Applies to, Start Time, End Time, Category, Sub Category, Expression, and Note, with Edit, Select All, Delete, Enable, Disable, and Add buttons; the example rows show allow and block rules for Group3 covering Application, Web Category, and URL Filtering categories.]
2. Under the Exceptions table, click the Add table button to specify an exception rule. The Add or Edit Block/Accept Exceptions screen displays.
[Figure 6-19: Add or Edit Block/Accept Exceptions screen, with the fields Action, Applies to, Start Time, End Time, Category, Sub Category, and Expression.]
395. ...lowing about VLANs and PVIDs:
- One physical port is assigned to at least one VLAN.
- One physical port can be assigned to multiple VLANs.
- When one port is assigned to multiple VLANs, the port is used as a trunk port to connect to another switch or router.
- When a port receives an untagged packet, this packet is forwarded to a VLAN based on the PVID.
- When a port receives a tagged packet, this packet is forwarded to a VLAN based on the ID that is extracted from the tagged packet.
When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged. All other packets are tagged according to the VLAN ID that you assigned to the VLAN when you created the VLAN profile.
This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one of which is connected to the UTM, the other one to another device: Packets coming from the IP phone to the UTM LAN port are tagged. Packets passing through the IP phone from the connected device to the UTM LAN port are untagged. When you assign the UTM LAN port to a VLAN, packets entering and leaving the por...
396. ...ls for Increased Reliability or Outbound Load Balancing
The UTM product line offers models with two broadband WAN ports. The second WAN port allows you to connect a second broadband Internet line that can be configured on a mutually exclusive basis to:
- Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.
- Load balance, or use both Internet lines simultaneously for outgoing traffic. A UTM with dual WAN ports balances users between the two lines for maximum bandwidth efficiency.
See Network Planning for Dual WAN Ports (Dual WAN Port Models Only) on page B-1 for the planning factors to consider when implementing the following capabilities with dual WAN port gateways:
- Single or multiple exposed hosts
- Virtual private networks
Advanced VPN Support for Both IPsec and SSL
The UTM supports IPsec and SSL virtual private network (VPN) connections.
- IPsec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer. IPsec VPN with broad protocol support for secure connection to other IPsec gateways and clients. Depending on the model, bundled with a 1-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
- SSL VPN provides remote access for mobile users to selected corporate resources without requiring...
397. ...ls that are accepted or blocked based on the originating IP address, domain, and e-mail address by setting up the whitelist and blacklist. You can also specify e-mails that are accepted based on the destination domain and e-mail address.
The whitelist ensures that e-mail from listed (that is, trusted) sources and recipients is not mistakenly tagged as spam. E-mails going to and from these sources and recipients are delivered to their destinations immediately without being scanned by the anti-spam engines. This can help to speed up the system and network performance. The blacklist, on the other hand, lists sources from which all e-mail messages are blocked. You can enter up to 200 entries per list, separated by commas.
Note: The whitelist takes precedence over the blacklist, which means that if an e-mail source is on both the blacklist and the whitelist, the e-mail is not scanned by the anti-spam engines.
To configure the whitelist and blacklist:
1. Select Application Security > Anti-Spam from the menu. The Anti-Spam submenu tabs appear with the Whitelist/Blacklist screen in view.
[Figure: Whitelist/Blacklist screen, with Sender IP Address (SMTP Only) whitelist and blacklist fields (use commas to separate multiple entries; example: 192.168.32.1, 192.168.32.2, 192.168.32.8) and Sender Domain (SMTP Only) fields.]
398. ...lt IPS configuration goes into effect. The default IPS configuration is the configuration that the Advanced IPS screen returns to when you click the Reset button.
To modify the default IPS configuration:
1. Select Network Security > IPS from the menu. The IPS submenu tabs appear with the Global IPS screen in view (see Figure 5-30 on page 5-49).
From the IPS submenu tabs, click Advanced. The Advanced IPS screen displays (see Figure 5-31 on page 5-51). This screen displays sections for the different categories of attacks, such as Web, Mail, Databases, and so on.
In the Enabled column for each section, either select individual attacks by selecting the checkboxes to the left of the names, or select all attacks for that category by selecting the checkbox to the left of All web attacks.
In the Action column for each section, either select the actions for individual attacks by making selections from the pull-down menus to the right of the names, or select a global action for all attacks for that category by making a selection from the pull-down menu to the right of All web attacks. Some of the less familiar Web and miscellaneous attacks are explained in Table 5-11 on page 5-52. The pull-down menus let you make one of the following actions:
- Alert: When an attack occurs, an alert is logged, but the traffic that carries the attack is not dropped.
- Drop: The traffic that carries the attack is dropped, and an alert is logged.
399. ...ly.
The auto-detect process will return one of the following results:
- If the auto-detect process is successful, a status bar at the top of the menu displays the results (see the red text in Figure 3-2 on page 3-3).
- If the auto-detect process senses a connection method that requires input from you, it prompts you for the information. All methods with their required settings are detailed in Table 3-1.
Table 3-1. Internet connection methods
Connection Method: Data Required
DHCP (Dynamic IP): No data is required.
PPPoE: Login (Username, Password), Account Name, Domain Name
PPTP: Login (Username, Password), Account Name, Local IP address, and PPTP Server IP address
Fixed (Static) IP: Static IP address, Subnet, and Gateway IP, and related data supplied by your ISP
- If the auto-detect process does not find a connection, you are prompted to either check the physical connection between your UTM and the cable or DSL line or to check your UTM's MAC address. For more information, see Configuring the WAN Mode (Required for Dual WAN Port Models Only) on page 3-9 and Troubleshooting the ISP Connection on page 12-5.
3. To verify the connection, click the WAN Status option arrow at the top right of the screen. A popup window appears, displaying the connection status of the WAN por...
400. ...mail Reports, Web Reports, System Reports. Note: You can select all three checkboxes, but you might generate a very large report.
Send Report by Email: Select this checkbox to enable the UTM to send the report to the recipients that you must specify below.
Recipients: The e-mail addresses of the report recipients. Note: Use commas to separate email addresses.
Report List: Number of Reports to Keep: Enter the number of reports that the UTM saves. The maximum number is 12.
4. Click Apply to save your settings.
Using Diagnostics Utilities
The UTM provides diagnostic tools that help you analyze traffic conditions and the status of the network. Two sets of tools are available:
- Network diagnostic tools. These tools include a ping utility, traceroute utility, and DNS lookup utility, and the option to display the routing table.
- Traffic diagnostic tools. These tools allow you to perform real-time, per-protocol traffic analysis between specific source and destination addresses, and let you generate reports on network usage in your network.
Note: For normal operation, diagnostic tools are not required.
To display the Diagnostics screen, select Monitoring > Diagnostics from the menu. To facilitate the explanation of the tools, the Diagnostics screen is divided and presented in this manual in three figures: Figure 11-26 on page 11-44, Figure 11-27 on page 11-46, and Figure 11-28 on page 11-47.
401. ...make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configuring Extended Authentication (XAUTH) on page 7-38).
- Guest User: User who can only view the UTM configuration (that is, read-only access).
Check to Edit Password: Select this checkbox to make the password fields accessible to modify the password.
Enter Your Password: Enter the old password.
New Password: Enter the new password.
Confirm New Password: Re-enter the new password for confirmation.
Idle Timeout: The period after which an idle user is automatically logged out of the Web management interface. The default idle timeout period is 10 minutes.
4. Click Apply to save your settings.
Managing Digital Certificates
The UTM uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPsec VPN gateways or clients, or to be authenticated by remote entities. The same digital certificates are extended for secure web access connections over HTTPS (that is, SSL connections). Digital certificates can be either self-signed or can be issued by certification authorities (CAs) such as an internal Windows server or an external organization such as Verisign or Thawte. However, if the digital certificates contain the extKeyUsage extension, the certificate must be used for one of the purposes defined by the exte...
402. ...mes
Nov 17 10:03:27 UTM wand LBFO WAN1 Test Failed 8 of 3 times
Nov 17 10:03:57 UTM wand LBFO WAN1 Test Failed 9 of 3 times
Nov 17 10:03:57 UTM wand LBFO Restarting WAN1
System Logs: WAN Status, Auto Rollover (continued)
Explanation: The logs suggest that the failover was detected after five attempts instead of three. However, the reason the messages appear as above is the WAN state transition logic, which is part of the failover algorithm. The above logs can be interpreted as follows: The primary link failure is properly detected after the 3rd attempt. Thereafter, the algorithm attempts to restart WAN1 and checks once again to see if WAN1 is still down. This results in the 4th failure detection message. If it is, then it starts the secondary link, and once the secondary link is up, the secondary link is marked as active. Meanwhile, the secondary link has failed once more, and that results in the 5th failure detection message. Note that the 5th failure detection and the message suggesting that the secondary link is active have the same timestamp, and so they happen in the same algorithm state machine cycle. So although it appears that the failover did not happen immediately after three failures, internally the failover process is triggered after the 3rd failure, and the transition to the secondary link is comple...
403. ...mful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. Changes or modifications not expressly approved by NETGEAR could void the user's authority to operate the equipment.
EU Regulatory Compliance Statement
The ProSecure Unified Threat Management (UTM) Appliance is compliant with the following EU Council Directives: EMC Directive 2004/108/EC and Low Voltage Directive 2006/95/EC. Compliance is verified by testing to the following standards: EN55022, EN55024, and EN60950-1. For the EU Declaration of Conformity, please visit http://kb.netgear.com/app/answers/detail/a_id/11621/sno/0.
Certification of the Manufacturer/Importer
It is hereby certified that the ProSecure Unified Threat Management (UTM) Appliance is suppressed for radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The regulated operation of some equipment (for example, test transmitters) may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been notified that this equipment was placed on the market and has been granted the right to inspect the series for compliance with the regulations.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSecu...
404. ...mize this tag. The default setting is to add the default tag to the subject line.
Add tag X-NETGEAR-SPAM to mail header: When the option Tag spam email is selected from the Action pull-down menu (see above), select this checkbox to add the X-NETGEAR-SPAM tag to the e-mail header. The default setting is to add the default tag to the e-mail header.
Anti-Spam Engine Settings: Use a proxy server to connect to the Detection Center: Select this checkbox if the UTM connects to the Netgear Spam Classification Center (also referred to as the Detection Center) over a proxy server. Then specify the following information:
Proxy server: The IP address and the port number of the proxy server.
User name: Optional. The user name for proxy server authentication.
Password: Optional. The password for proxy server authentication.
4. Click Apply to save your settings. The Distributed Spam Analysis section and the Anti-Spam Engine Settings section each have their own Apply and Reset buttons to enable you to make changes to these sections separately.
Configuring Web and Services Protection
The UTM lets you configure the following settings to protect the network's Internet and Web services communication:
- The Web protocols, instant messaging services, and peer-to-peer...
405. ...mum Bandwidth: The minimum allocated bandwidth in Kbps. The default setting is 0 Kbps.
Maximum Bandwidth: The maximum allowed bandwidth in Kbps. The default setting and minimum setting is 100 Kbps; the maximum allowable bandwidth is 100000 Kbps.
Type: From the Type pull-down menu, select the type for the bandwidth profile:
- Group: The profile applies to all users, that is, all users share the available bandwidth.
- Individual: The profile applies to an individual user, that is, each user can use the available bandwidth.
Maximum Number of Instances: If you select Individual from the Type pull-down menu, you must specify the maximum number of class instances that can be created by the individual bandwidth profile.
Direction: From the Direction pull-down menu, select the traffic direction for the bandwidth profile:
- Outbound Traffic: The profile applies to outbound traffic only.
- Inbound Traffic: The profile applies to inbound traffic only.
5. Click Apply to save your settings. The new bandwidth profile is added to the List of Bandwidth Profiles table.
6. In the Bandwidth Profiles section of the screen, select the Yes radio button under Enable Bandwidth Profiles. By default, the No radio button is selected.
7. Click Apply to save your setting.
To edit a bandwidth profile:
1. In the List of Bandwidth Profiles table, click the Edit table button to the right of the bandwidth profile that you want to edit. The Edit Bandwidth Profile screen disp...
406. ...must be added through the Add User screen (see User Database Configuration on page 7-40).
Radius PAP: XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the UTM connects to a RADIUS server. For more information, see RADIUS Client Configuration on page 7-40.
Radius CHAP: XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client Configuration on page 7-40.
Username: The user name for XAUTH.
Password: The password for XAUTH.
9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.
Configuring the ProSafe VPN Client for Mode Config Operation
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection for Mode Config operation:
1. Right-click on the VPN client icon in your Windows toolbar, select Security Policy Editor. Then select Options > Secure and verify that the Specified Connections selection is enabled (see Figure 7-11 on page 7-13).
2. In the upper left of the Policy Editor window, click the New Connection icon (the first icon on the left) to open a new connection. Give the...
407. ...n menu, specify one of the following actions when an infected e-mail is detected:
- Block infected email: This is the default setting. The e-mail is blocked, and a log entry is created.
- Delete attachment: The e-mail is not blocked, but the attachment is deleted, and a log entry is created.
- Log only: Only a log entry is created. The e-mail is not blocked, and the attachment is not deleted.
POP3: From the POP3 pull-down menu, specify one of the following actions when an infected e-mail is detected:
- Delete attachment: This is the default setting. The e-mail is not blocked, but the attachment is deleted, and a log entry is created.
- Log only: Only a log entry is created. The e-mail is not blocked, and the attachment is not deleted.
Table 2-5. Setup Wizard Step 5: Email Security Settings (continued)
Setting: Description (or Subfield and Description)
IMAP: From the IMAP pull-down menu, specify one of the following actions when an infected e-mail is detected:
- Delete attachment: This is the default setting. The e-mail is not blocked, but the attachment is deleted, and a log entry is created.
- Log only: Only a log entry is created. The e-mail is not blocked, and the attachment is not deleted.
Scan Exceptions: The default maximum file or message size...
408. ...n page B-3.
The UTM provides the following protocol support:
- IP address sharing by NAT. The UTM allows many networked PCs to share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
- Automatic configuration of attached PCs by DHCP. The UTM dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
- DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
- PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.
- Quality of Service (QoS). The UTM supports QoS, including traffic prioritization and traffic classification with Type Of Service (ToS) and Differentiated Services Code Point (DSCP) marking.
Easy Installation and Management
You can install, configure, and operate the UTM within minutes after connecting it to the network. The following features simplify installa...
409. n the UTM's VPN Wizard screen (see Figure 7-9 on page 7-10). In this example, the pre-shared key is 111122223333. However, the pre-shared key is masked for security.
Table 7-5. Security Policy Editor: My Identity Settings (continued). Setting / Description (or Subfield and Description):
ID Type: From the pull-down menu, select Domain Name. Then, below, enter the remote FQDN that you entered on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-10). In this example, the domain name is utm_remote.com.
Secure Interface: Leave the default setting, which is the Disabled selection from the Virtual Configuration Adapter pull-down menu.
Internet Interface: Leave the default setting, which is the Any selection from the Name pull-down menu.
7. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.
8. In the left frame, click Security Policy. The screen adjusts.
[Screenshot: Security Policy Editor (NETGEAR ProSafe VPN Client), Security Policy screen for the connection, showing "Select Phase 1 Negotiation Mode" with Main Mode and Aggressive Mode options; other connections listed include UTM_Ireland, UTM_Test, and FVS336G_Lab.]
410. n the same IP address.
Fully Qualified Domain Name: The full server name, that is, the host name to IP address resolution for the network server, as a convenience for remote users. (a)
a. Users can specify the port number together with the host name or IP address.
SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings.
[Screenshot: SSL VPN Wizard Step 6 of 6 summary. Portal Layout and Theme Name: Portal Layout Name CustomerSupport; Portal Site Title CompanyCustumerSupport; Banner Title "Welcome to Customer Support"; Banner Message "In case of login difficulty call 123 456 7890"; options for "Display banner message on login page", "HTTP meta tags for cache control (recommended)", "ActiveX web cache cleaner"; SSL VPN Portal Pages to Display: VPN Tunnel page, Port Forwarding. Domain: Domain Name SSLTestDomain; Authentication Type Local User Database (default); Select Portal CustomerSupport; Authentication Server, Authentication Secret, Workgroup, LDAP Base DN and Active Directory Domain Name fields. User: Domain SSLTestDomain; User Name TestUser; User Type SSL VPN User; Select Group SSLTestDomain; Password 1234567890; Idle Timeout 5 Minutes. VPN Client: Full Tunnel Support true; DNS Suffix (blank); Primary DNS Server 192.168.50.1; Secondary DNS Server (blank); Client Addre]
411. n to which their login account belongs. The domain determines the authentication method that is used and the portal layout that is presented, which in turn determines the network resources to which the users are granted access. Because you must assign a portal layout when creating a domain, the domain is created after you have created the portal layout.
b. Create one or more groups for your SSL VPN users. When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain.
c. Create one or more SSL VPN user accounts. Because you must assign a group when creating an SSL VPN user account, the user account is created after you have created the group.
3. For port forwarding, define the servers and services (Configuring Applications for Port Forwarding on page 8-22). Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names (FQDNs) with these servers. The UTM resolves the names to the servers using the list you have created.
4. For SSL VPN tunnel service, configure the vi
412. n view (see Figure 7-20 on page 7-24). In the List of IKE Policies table, click the Edit table button to the right of the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 7-21 on page 7-26). Locate the Extended Authentication section on the screen.
4. Complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 7-13.
Table 7-13. Extended Authentication Settings. Item / Description (or Subfield and Description):
Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device. The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
• IPSec Host. The UTM functions as a VPN client of the remote gateway. In this configuration, the UTM is authenticated by a remote gateway with a user name and password combination.
Authentication Type: For an Edge Device configuration, from the pull-down menu
413. nabled and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device. The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
• IPSec Host. The UTM functions as a VPN client of the remote gateway. In this configuration, the UTM is authenticated by a remote gateway with a user name and password combination.
Authentication Type: For an Edge Device configuration, from the pull-down menu, select one of the following authentication types:
• User Database. XAUTH occurs through the UTM's user database. Users must be added through the Add User screen (see User Database Configuration on page 7-40).
• Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the UTM connects to a RADIUS server. For more information, see RADIUS Client Configuration on page 7-40.
• Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client Configuration on page 7-40.
Username: The user name for XAUTH.
Password: The password for XAUTH.
4. Click Apply to save your settings. The IKE policy is added to the List of
414. name as the default group. You cannot delete a default group; you can only delete the domain with the identical name, which causes the default group to be deleted.
• Domain. The name of the domain to which the group is assigned.
• Action. The Edit table button that provides access to the Edit Group screen.
2. In the Add New Group section of the screen, enter the settings as explained in Table 9-3 on page 9-8.
Table 9-3. VPN Group Settings. Setting / Description (or Subfield and Description):
Name: A descriptive (alphanumeric) name of the group for identification and management purposes.
Domain: The pull-down menu shows the domains that are listed on the Domain screen. From the pull-down menu, select the domain with which the group is associated. For information about how to configure domains, see Configuring Domains on page 9-2.
Idle Timeout: The period after which an idle user is automatically logged out of the UTM's Web Management Interface. The default idle timeout period is 10 minutes.
3. Click the Add table button. The new group is added to the List of Groups table.
To delete one or more groups:
1. In the List of Groups table, select the checkbox to the left of the group that you want to delete, or click the Select All table button to select all groups.
415. name blocking. You can block e-mails based on the names of attached files. Such names can include, for example, names of known malware threats such as the Netsky worm, which normally arrives as netsky.exe.
To configure e-mail content filtering:
1. Select Application Security > Email Filters from the menu. The Email Filters screen displays.
[Figure 6-3: Email Filters screen. Sections: Filter by Subject Keywords (example: mortgage, viagra) with SMTP/POP3 actions; Filter by Password-Protected Attachments (ZIP, RAR, etc.) with SMTP/POP3 actions; Filter by File Name (example: exe, com, pif, bat; netsky.exe, mydoom.pif) with SMTP/POP3 actions.]
2. Enter the settings as explained in Table 6-3.
Table 6-3. E-mail Filter Settings. Setting / Description (or Subfield and Description):
Filter by Subject Keywords. Keywords: Enter keywords that should be detected in the e-mail subject line. Use commas to separate different keywords. The total maximum length of this field is 2048 characters, excluding duplicate words and delimiter commas.
Action. SMTP: From the SMTP pull-down menu, specify one of the following actions wh
416. nd Por
[Figure 5-28: Port Triggering screen, with Outgoing Trigger Port Range and Incoming Response Port Range fields (Start Port / End Port, range 1-65535).]
2. Below Add Port Triggering Rule, enter the settings as explained in Table 5-10 on page 5-48.
Table 5-10. Port Triggering Settings. Setting / Description (or Subfield and Description):
Name: A descriptive name of the rule for identification and management purposes.
Enable: From the pull-down menu, select Yes to enable the rule. (You can define a rule but not enable it.) The default setting is No.
Protocol: From the pull-down menu, select the protocol to which the rule applies:
• TCP. The rule applies to an application that uses the Transmission Control Protocol (TCP).
• UDP. The rule applies to an application that uses the User Control Protocol (UCP).
Outgoing Trigger Port Range. Start Port: The start port (1-65534) of the range for triggering. End Port: The end port (1-65534) of the range for triggering.
Incoming Response Port Range. Start Port: The start port (1-65534) of the range for responding. End Port: The end port (1-65534) of the range for responding.
3. Click the Add table button. The new port triggering rule is added to the Port Triggering Rules table.
To edit a port triggering rule:
1. In the Port Triggering Rules table, click the Edit table button to the right of the port
417. nd others.
System Startup. This section describes log messages generated during system startup.
Table C-2. System Logs: System Startup. Message: "Jan 1 15:22:28 UTM ledTog: SYSTEM START-UP: System Started". Explanation: Logs that are generated when the system is started. Recommended Action: None.
Reboot. This section describes log messages generated during a system reboot.
Table C-3. System Logs: Reboot. Message: "Nov 25 19:42:57 UTM reboot: Rebooting in 3 seconds". Explanation: Logs that are generated when the system is rebooted from the Web Management Interface. Recommended Action: None.
Service Logs. This section describes log messages generated during firmware updates and other service-related events.
Table C-4. System Logs: Service. Message: "2008-12-31 23:59:48 error: Firmware update failed. Either the subscription is not yet registered or has been expired". Explanation: Logs that are generated when a firmware update fails or succeeds. The message shows the date and time and the event. Note: The service log includes miscellaneous service messages. Recommended Action: None.
NTP. This section describes log messages generated by the NTP daemon during synchronization with the NTP server:
• The fixed time and date before NTP synchron
418. ndary DNS server.
Click Test to evaluate your entries. The UTM attempts to make a connection according to the settings that you entered.
Click Apply to save any changes to the WAN1 ISP settings (of a dual WAN port model) or WAN ISP settings (of a single WAN port model). Or, click Reset to discard any changes and revert to the previous settings.
For the dual WAN port models only: if you intend to use a dual WAN mode, click the WAN2 ISP Settings tab and configure the WAN2 ISP settings using the same steps as WAN1.
When you are finished, click the Logout link at the upper right corner of the Web Management Interface, or proceed to additional setup and management tasks.
Configuring the WAN Mode (Required for Dual WAN Port Models Only)
On dual WAN port models only, the dual WAN ports of the UTM can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency), or one port can be disabled.
• Auto-Rollover Mode. The selected WAN interface is defined as the primary link and the other interface is defined as the rollover link. As long as the primary link is up, all traffic is sent over the primary link. When the primary link goes down, the rollover link is brought up to send the traffic. When the primary link comes back up, traffic automatically rolls back to the original primary link.
Manually Configuring Internet and WAN Settings 3
419. network. You must enter the network IP address in the Network Address field and the network mask length in the Mask Length field.
IP Address / Name: Applicable only when you select IP Address as the Object Type; enter the IP address or FQDN for the location that is permitted to use this resource.
Network Address: Applicable only when you select IP Network as the Object Type; enter the network IP address for the locations that are permitted to use this resource.
Mask Length: Applicable only when you select IP Network as the Object Type; as an option, enter the network mask (0-31) for the locations that are permitted to use this resource.
Port Range / Port Number: A port or a range of ports (0-65535) to apply the policy to. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
5. Click Apply to save your settings. The new configuration is added to the Defined Resource Addresses table.
To delete a configuration from the Defined Resource Addresses table, click the Delete table button to the right of the configuration that you want to delete.
Configuring User, Group, and Global Policies
You can define and apply user, group, and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The
420. new connection a name. In this example, we are using ModeConfigTest.
[Figure 7-28: Security Policy Editor (NETGEAR ProSafe VPN Client), connection ModeConfigTest. Connection Security: Secure (Only Connect Manually checkbox shown). Remote Party Identity and Addressing: ID Type IP Subnet; Subnet 192.168.1.0; Mask 255.255.255.0; Protocol All; Use Secure Gateway Tunnel selected; ID Type Domain Name; Gateway IP Address 192.168.50.61.]
3. Enter the settings as explained in Table 7-17.
Table 7-17. Security Policy Editor: Remote Party (Mode Config) Settings. Setting / Description (or Subfield and Description):
Connection Security: Select the Secure radio button. If you want to connect manually only, select the Only Connect Manually checkbox.
ID Type: From the pull-down menu, select IP Subnet.
Subnet: Enter the LAN IP subnet address that you specified on the Add Mode Config Record in the Local IP Address field. If you left the Local IP Address field blank, enter the UTM's default IP subnet address. In this example, we are using 192.168.1.0.
Mask: Enter the LAN IP subnet mask that you specified on the Add Mode Config Record in the Local Subnet Mask field. If you left the Local Subnet Mask field blank, enter the UTM's default IP subnet mask. In this example, we are u
421. nfiguring 11-13; management 38; querying logs 11-32; search criteria 11-35; selecting logs 11-34; specifying logs to send via e-mail 11-8; syslog server 11-9; terms in messages C
login: default settings A; policy, restricting by browser 9-14; restricting by IP address 9-13; time-out, changing 9-16, 10-9; default 2-4
looking up DNS address 11-45
MAC addresses: blocked, adding 5-42; configuring 3-5; format 3-24; format of 5-43; IP binding 5-44; spoofing 12-6; UTM's 3-23
main navigation menu (Web Management Interface) 2-5
malware: alert 10; logs 11-8, 11-33, 11-35; outbreak alert 11-10; outbreak, defining 2; protection 6-5, 6-21; recent 5 and top 5 11-18
management, default settings A-2
maximum transmission unit. See MTU
MD5: IKE policies 7-29; ModeConfig 7-46; RIP-2 4-26; self certificate requests 9-23; VPN policies 7-37
Media Access Control. See MAC
memory usage 2
Message Digest algorithm 5. See MD5
meter, WAN traffic
metric, static routes 4-24
MIAS: description 9-2; MIAS-CHAP 8-6, 9-5; MIAS-PAP 8-6, 9-5
Microsoft Internet Authentication Service. See MIAS
mIRC 2-17, 6-21
misclassification of URLs 6-30
ModeConfig: assigning addresses 7-43; description 7-43; examples 7-44; pools 7-45; record 7-27; settings 7-45
models, UTM 7
MSN Messenger 2-17, 6-21
MTU: configuring 3-23; default 3-23
multi-home: IP addresses 4-11; LAN IPs 4-2
N
NAS 7-42
NAT: configuring 3-10; description 6; features of 7
422. nfiguring and Activating Firewall Logs on page 11-13 (on page 11-14).
IPSEC VPN Logs: All IPsec VPN events.
SSL VPN Logs: All SSL VPN events.
You can query and generate each type of log separately and filter the information based on a number of criteria. For example, you can filter the malware logs using the following criteria (other log types have similar filtering criteria):
• Start date/time and end date/time
• Protocols (HTTP, HTTPS, FTP, SMTP, POP3, and IMAP)
• Malware name
• Action
• Client and server IP addresses
• Recipient e-mail address
To query and download logs:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view. Click the Logs Query submenu tab. The Logs Query screen displays (see Figure 11-23 on page 11-34, which shows the Malware log information settings as an example). Depending on the selection that you make from the Log Type pull-down menu, the screen adjusts to display the settings for the selected type of log.
[Figure 11-23: Logs Query screen. Menu tabs: System Status, Active Users, VPNs, Dashboard, Diagnostics; submenu tabs: Email and Syslog, Firewall Logs, Alerts, Logs Query, Generate Report, Scheduled Report. Select Log Type: Log Type Malware; View All option; Search Criteria with Start Date/Time fields.]
423. ning Exclusions table, which is empty if you have not specified any exclusions. Figure 6-20 on page 6-45 shows one exclusion rule in the table as an example.
[Figure 6-20: Scanning Exclusions screen (Application Security > Services, Email Anti-Virus, Email Filters, Anti-Spam, HTTP/HTTPS, FTP, Block/Accept Exceptions, Scanning Exclusions). Existing rule: Enable checked; Client IP 192.168.120.0/24; Destination IP (blank); Port 515; Brief Description "Printers"; Action Delete. Add Scanning Exclusions section with Client IP, Destination IP, Port, Brief Description and Add columns (IP example: 192.168.32.1 or 192.168.32.0/24).]
2. In the Add Scanning Exclusions section of the screen, specify an exclusion rule as explained in Table 6-14.
Table 6-14. Add Scanning Exclusion Settings. Setting / Description (or Subfield and Description):
Client IP: The client IP address and optional subnet mask that are excluded from all scanning.
Destination IP: The destination IP address and optional subnet mask that are excluded from all scanning.
Port: The port number that is excluded from all scanning.
Brief Description: A description of the exclusion rule for identification and management purposes.
3. In the Add column, click the Add table button to add the exclusion rule to the Scanning Exclusions table. The new exclusion rule is enabled by default. T
424. nnection status 24; XAUTH 7-38
VPNC 1-6, 7-3
W
WAN: aliases 3-17; auto-rollover mode (dual WAN port models): configuring 3-11, DDNS 3-19, description 3-9, settings 3-12, VPN IPsec 7-1; bandwidth capacity 10-1; classical routing 3; connection speed and type 3-24; failure detection method (dual WAN port models) 3-10, 3-11, 3-13; interfaces, primary and backup 3-11; LEDs 1-11, 12-3; load balancing mode (dual WAN port models): configuring 3-14, DDNS 3-19, description 3-10, settings 3-14, VPN IPsec 7-1; mode, status 11-23; NAT, configuring 3-10; ports 2-1, 10; secondary IP addresses 3-17; settings, auto-detecting 2-12, 3-3; settings using the Setup Wizard 2-11; single port mode (dual WAN port models) 3-10; status 3-4, 11-23, 11-28; traffic meter or counter 11-1
warning, SSL certificate 2-3
Web: audio and video files, filtering 6-28; categories, blocked, recent 5 and top 5 11-18; categories, blocking 2-22, 6-24, 6-29; compressed files, filtering 6-28; executable files, filtering 6-28; objects, blocking 6-24, 6-28; reports 11-39; security settings using the Setup Wizard 2-19; statistics 11-16
Web Management Interface: description 2-5; troubleshooting 2-3
Web protection. See HTTP; See HTTPS; See FTP
whitelist: e-mails 6-12; URLs 6-32
WiKID: authentication overview D; description 9-2; WiKID-CHAP 8-6, 9-5; WiKID-PAP 8-6, 9-4
wildcards, keyw
425. nonymous.
Disable Ping Reply on LAN Ports: Select the Disable Ping Reply on LAN Ports checkbox to prevent the UTM from responding to a ping on a LAN port. A ping can be used as a diagnostic tool. Keep this checkbox deselected unless you have a specific reason to prevent the UTM from responding to a ping on a LAN port.
VPN Pass-through (IPSec, PPTP, L2TP): When the UTM functions in NAT mode, all packets going to the remote VPN gateway are first filtered through NAT and then encrypted per the VPN policy. For example, if a VPN client or gateway on the LAN side of the UTM wants to connect to another VPN endpoint on the WAN side (placing the UTM between two VPN endpoints), encrypted packets are sent to the UTM. Because the UTM filters the encrypted packets through NAT, the packets become invalid unless you enable the VPN Pass-through feature. To enable the VPN tunnel to pass the VPN traffic without any filtering, select any or all of the following checkboxes:
• IPSec. Disables NAT filtering for IPSec tunnels.
• PPTP. Disables NAT filtering for PPTP tunnels.
• L2TP. Disables NAT filtering for L2TP tunnels.
By default, all three checkboxes are selected.
4. Click Apply to save your settings.
Setting Session Limits
Session limits allows you to specify the total number of sessions that are allowed per user
426. ns:
• Yes. IP addresses are assigned to remote VPN clients. You must select a Mode Config record from the pull-down menu. Note: Because Mode Config functions only in Aggressive Mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and disables the Main mode. Mode Config also requires that both the local and remote ends are defined by their FQDNs.
• No. Disables Mode Config for this IKE policy. Note: An XAUTH configuration via an edge device is not possible without Mode Config and is therefore disabled too. For more information about XAUTH, see Configuring Extended Authentication (XAUTH) on page 7-38.
Select Mode Config Record: From the pull-down menu, select one of the Mode Config records that you defined on the Add Mode Config Record screen (see Configuring Mode Config Operation on the UTM on page 7-43). Note: Click the View Selected button to open the Selected Mode Config Record Details popup window.
General. Policy Name: A descriptive name of the IKE policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Direction / Type: From the pull-down menu, select the connection method for the UTM:
• Initiator. The UTM initiates the connection to the remote endpoint.
• Responder. The UTM responds only to an IKE request from the remote endpoint.
• Both. The UTM can both initiate a connection to the remote endpoint and respond to an IKE
427. nsion. For example, if the digital certificate contains the extKeyUsage extension that is defined for SNMPV2, the same certificate cannot be used for secure web management. The extKeyUsage would govern the certificate acceptance criteria on the UTM when the same digital certificate is being used for secure web management.
On the UTM, the uploaded digital certificate is checked for validity and purpose. The digital certificate is accepted when it passes the validity test and the purpose matches its use. The check for the purpose must correspond to its use for IPsec VPN, SSL VPN, or both. If the defined purpose is for IPsec VPN and SSL VPN, the digital certificate is uploaded to both the IPsec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPsec VPN only, the certificate is uploaded only to the IPsec VPN certificate repository.
The UTM uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identit
428. nt CPU, memory, and hard disk usage. When usage is within safe limits, the status bars show green.
Services: The protocols that are being scanned for malware threats (ON or OFF stated next to the protocol) and the number of active connections for each protocol.
Table 11-9. System Status: Status and System Information (continued). Setting / Description (or Subfield and Description):
System Information: States system up time since last reboot.
Firmware Information: The firmware version and most recent download for the active and secondary firmware of the UTM and for the scan engine, pattern file, and firewall.
Hardware Serial Number: The hardware serial number of the UTM.
License Expiration Date: The license expiration dates for the e-mail protection, Web protection, and maintenance licenses. Note: When a license has expired, the license expiration date is displayed in red font.
[Screenshot residue: WAN status panel showing WAN Mode Single Port; WAN State UP; NAT Enabled; Connection Type Static IP; Connection State Connected; IP Address 192.168.50.61; Subnet Mask 255.255.255.0; Gateway 192.168.50.1; Primary DNS 192.168.50.1; Secondary DNS 0.0.0.0; MAC Address 00:00:00:00:00:02; followed by LAN panel headings MAC Address, IP Address, DHCP, IP Subnet Mask, WAN Mode, WAN State, NAT.]
429. nt filtering is a firewall component. The UTM provides such extensive content filtering options that an entire chapter is dedicated to this subject (see Chapter 6, Content Filtering and Optimizing Scans).
Some firewall settings might affect the performance of the UTM. For more information, see Performance Management on page 10-1.
You can monitor blocked content and malware threats in real time. For more information, see Monitoring Real-Time Traffic, Security, and Statistics on page 11-14.
The firewall logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For information about how to configure logging and notifications, see Configuring Logging, Alerts, and Event Notifications on page 11-5.
Using Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 800 rules on the UTM. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outb
430. o disable a rule, select the checkbox in the Enable column for the rule. Unlike the operation of the Web Management Interface on other screens, you do not need to click any other button to disable the rule.
To delete an exclusion rule from the Scanning Exclusions table, click the Delete table button in the Action column to the right of the rule that you want to delete.
Chapter 7. Virtual Private Networking Using IPsec Connections
This chapter describes how to use the IP security (IPsec) virtual private networking (VPN) features of the UTM to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections:
• Considerations for Dual WAN Port Systems (Dual WAN Port Models Only) on this page
• Using the IPsec VPN Wizard for Client and Gateway Configurations on page 7-3
• Testing the Connections and Viewing Status Information on page 7-17
• Managing IPsec VPN Policies on page 7-22
• Configuring Extended Authentication (XAUTH) on page 7-38
• Assigning IP Addresses to Remote Users (Mode Config) on page 7-43
• Configuring Keepalives and Dead Peer Detection on page 7-55
• Configuring NetBIOS Bridging with IPsec V
431. ode radio button.
Enable Perfect Forward Secrecy (PFS): Select the Enable Perfect Forward Secrecy (PFS) checkbox. From the pull-down menu below, select Diffie-Hellman Group 2.
Enable Replay Detection: Leave the default setting, which is selection of the Enable Replay Detection checkbox.
10. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.
11. Close the VPN ProSafe VPN client.
Testing the Mode Config Connection
To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured appears; in this example, My Connections\ModeConfigTest.
2. Click on the connection. For this example, the message "Successfully connected to MyConnections\ModeConfigTest" is displayed within 30 seconds, and the VPN client icon in the toolbar displays On.
3. From the client PC, ping a computer on the UTM LAN.
Configuring Keepalives and Dead Peer Detection
In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require a VPN tunnel to remain connected, you can use the Keepalive and Dead Peer Detection (DPD) features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconnects for any reason. For DPD to funct
432. of 3.
2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in Table 9-7.
Table 9-7. Generate Self Certificate Request Settings. Setting / Description (or Subfield and Description):
Name: A descriptive name of the domain for identification and management purposes.
Subject: The name that other organizations see as the holder (owner) of the certificate. In general, use your registered business name or official company name for this purpose. Note: Generally, all of your certificates should have the same value in the Subject field.
Table 9-7. Generate Self Certificate Request Settings (continued). Setting / Description (or Subfield and Description):
Hash Algorithm: From the pull-down menu, select one of the following hash algorithms:
• MD5. A 128-bit (16-byte) message digest, slightly faster than SHA-1.
• SHA-1. A 160-bit (20-byte) message digest, slightly stronger than MD5.
Signature Algorithm: Although this seems to be a pull-down menu, the only possible selection is RSA. In other words, RSA is the default to generate a CSR.
Signature Key Length: From the pull-down menu, select one of the following signature key lengths in bits: 512, 1024, 2048. Note: Larger key sizes might improve security but might also de
433. of the following actions when an infected e-mail is detected:
• Delete attachment. This is the default setting. The e-mail is not blocked, but the attachment is deleted and a log entry is created.
• Log only. Only a log entry is created. The e-mail is not blocked and the attachment is not deleted.
IMAP: From the IMAP pull-down menu, specify one of the following actions when an infected e-mail is detected:
• Delete attachment. This is the default setting. The e-mail is not blocked, but the attachment is deleted and a log entry is created.
• Log only. Only a log entry is created. The e-mail is not blocked and the attachment is not deleted.
Scan Exceptions: The default maximum file or message size that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions when the file or message exceeds the maximum size:
• Skip. The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting.
• Block. The file is blocked and does not reach the end user.
Notification Settings
Insert Warning into Email Subject (SMTP): For SMTP e-mail messages, select this checkbox to insert a warning into the e-mail subject line:
• Malware Found. If a malware threat is found, a MALWARE INFECTE
434. of the sender for e-mail identification purposes. For example, enter UTMnotification@netgear.com.
SMTP server: The IP address and port number, or Internet name and port number, of your ISP's outgoing e-mail (SMTP) server. The default port number is 25. Note: If you leave this field blank, the UTM cannot send e-mail notifications.
This server requires authentication: If the SMTP server requires authentication, select the This server requires authentication checkbox and enter the following settings:
• User name: The user name for SMTP server authentication.
• Password: The password for SMTP server authentication.
Send notifications to: The e-mail address to which the notifications should be sent. Typically, this is the e-mail address of the administrator.
3. Click Test to ensure that the connection to the server and e-mail address succeeds.
4. Click Apply to save your settings.
Configuring and Activating System, E-mail, and Syslog Logs
You can configure the UTM to log system events such as a change of time by an NTP server, secure login attempts, reboots, and other events. You can also send logs to the administrator, or schedule logs to be sent to the administrator or to a syslog server on the network. In addition, the Email and Syslog screen provides the option to selectively clear logs.
To configure and activate logs:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submen
435. ol Binding table. Configure the protocol binding settings as explained in Table 3-6.
Table 3-6. Protocol Binding Settings (Dual WAN Port Models Only)
Setting: Description (or Subfield and Description)
Add Protocol Binding
Service: From the pull-down menu, select a service or application to be covered by this rule. If the service or application does not appear in the list, you must define it using the Services menu (see Services-Based Rules on page 5-3).
Source Network: The source network settings determine which computers on your network are affected by this rule. Select one of the following options from the pull-down menu:
• Any. All devices on your LAN.
• Single address. In the Start Address field, enter the IP address to which the rule is applied.
• Address range. In the Start Address field and End Address field, enter the IP addresses for the range to which the rule is applied.
• Group 1 through Group 8. If this option is selected, the rule is applied to the devices that are assigned to the selected group. Note: You may also assign a customized name to a group (see Changing Group Names in the Network
436. olicies on page 8-28). The screen adjusts to unmask the fields that are shown in the Network Resource fields below.
• IP Address. The policy is applied to a single IP address. The screen adjusts to unmask the fields that are shown in the IP Address fields below.
• IP Network. The policy is applied to a network address. The screen adjusts to unmask the fields that are shown in the IP Network fields below.
• All Addresses. The policy is applied to all addresses. The screen adjusts to unmask the fields that are shown in the All Addresses fields below.
Network Resource
Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
Defined Resources: From the pull-down menu, select the network resource that you have defined on the Resources screen (see Using Network Resource Objects to Simplify Policies on page 8-28).
Permission: From the pull-down menu, select whether the policy permits (PERMIT) or denies (DENY) access.
IP Address
Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
IP Address: The IP address to which the SSL VPN policy is applied.
Port Range / Port Number: A port (enter it in the Begin field) or a range of ports (enter them in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply
437. olicy (see Manually Adding or Editing a VPN Policy on this page). Note: You cannot delete or edit an IKE policy for which the VPN policy is active. You first must disable or delete the VPN policy before you can delete or edit the IKE policy.
Manually Adding or Editing a VPN Policy
To manually add a VPN policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-24).
2. Click the VPN Policies submenu tab. The VPN Policies screen displays (see Figure 7-22 on page 7-32).
3. Under the List of VPN Policies table, click the Add table button. The Add VPN Policy screen displays (see Figure 7-23 on page 7-34), which shows a dual WAN port model screen. The WAN1 and WAN2 radio buttons next to Select Local Gateway are shown on the Add VPN Policy screen for the dual WAN port models but not on the Add VPN Policy screen for the single WAN port models.
[Figure 7-23: Add VPN Policy screen. Fields: Policy Name; Policy Type (Auto Policy); Select Local Gateway (WAN1 / WAN2); Remote Endpoint (IP Address); Enable NetBIOS; Enable Rollover; Enable Keepalive (Yes / No); Ping IP Address; Detection period (seconds); Reconnect after failure count; Traffic Selection: Local IP, Remote IP.]
438. omized Services
Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC 1700, Assigned Numbers. Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the UTM already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 5-19.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information c
439. omponent updates and technical support, you must register your UTM with NETGEAR. The support registration key is provided with the product package (see Service Registration Card with License Keys on page 1-8).
Note: Activating the service licenses initiates their terms of use. Activate the licenses only when you are ready to start using this unit. If your unit has never been registered before, you can use the 30-day trial period for all 3 types of licenses to perform the initial testing and configuration. To use the trial period, do not click Register in step 4 of the procedure below, but click Trial instead.
If your UTM is connected to the Internet, you can activate the service licenses:
1. Select Support > Registration. The Registration screen displays.
[Registration screen: Registration Key. License table (License Key, License Type, Expiration Date): Trial, Web Protection, 2009-05-14; Trial, Email Protection, 2009-05-14; Trial, Support & Maintenance, 2009-05-14. Customer Information and VAR Information: Company Name, First Name, Last Name, Email Address, Fax Number, Phone Number, Address, Country.]
440. on: None.
WAN Status
This section describes the logs that are generated by the WAN component. If there are two ISP links for Internet connectivity, the router can be configured either in auto-rollover mode or load balancing mode.
Auto-Rollover Mode
When the WAN mode is configured for auto-rollover, the primary link is active and the secondary acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up. The device monitors the status of the primary link using the configured WAN Failure Detection method. This section describes the logs that are generated when the WAN mode is set to auto-rollover.
System Logs: WAN Status, Auto-Rollover
Message:
Nov 17 09:59:09 UTM wand LBFO WAN1 Test Failed 1 of 3 times
Nov 17 09:59:39 UTM wand LBFO WAN1 Test Failed 2 of 3 times
Nov 17 10:00:09 UTM wand LBFO WAN1 Test Failed 3 of 3 times
Nov 17 10:01:01 UTM wand LBFO WAN1 Test Failed 4 of 3 times
Nov 17 10:01:35 UTM wand LBFO WAN1 Test Failed 5 of 3 times
Nov 17 10:01:35 UTM wand LBFO WAN1 DOWN, WAN2 UP, ACTIVE WAN2
Nov 17 10:02:25 UTM wand LBFO WAN1 Test Failed 6 of 3 times
Nov 17 10:02:25 UTM wand LBFO Restarting WAN1
Nov 17 10:02:57 UTM wand LBFO WAN1 Test Failed 7 of 3 ti
441. on Solutions
NETGEAR has implemented 2 Two-Factor Authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
The WiKID solution is based on a request-response architecture where a one-time passcode (OTP) that is time-synchronized with the authentication server is generated and sent to the user after the validity of a user credential has been confirmed by the server. The request-response architecture is capable of self-service initialization by end users, dramatically reducing implementation and maintenance costs.
Here is an example of how WiKID works:
1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses continue to receive the OTP from the WiKID authentication server.
[Figure D-1: WiKID token client (Copyright 2001-2007 WiKID Systems Inc.), prompt "Enter your PIN for the Token client test domain", PIN field.]
2. A one-time passcode (something they have) is generated for this user.
[WiKID token client screen: PassCode 468713] PassCode expir
443. onds (8 hours).
Enable Dead Peer Detection: Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled. Note: See also Configuring Keepalives and Dead Peer Detection on page 7-55.
• Yes. This feature is enabled. When the UTM detects an IKE connection failure, it deletes the IPsec and IKE SA and forces a reestablishment of the connection. You must enter the detection period and the maximum number of times that the UTM attempts to reconnect (see below).
• No. This feature is disabled. This is the default setting.
Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPsec traffic is idle.
Reconnect after failure count: The maximum number of times that the UTM attempts to reconnect after a DPD situation. When the maximum number of times is exceeded, the IPsec connection is terminated.
Table 7-10. Add IKE Policy Settings (continued)
Item: Description (or Subfield and Description)
Extended Authentication (XAUTH) Configuration
Note: For more information about XAUTH and its authentication modes, see Configuring XAUTH for VPN Clients on page 7-39.
Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is e
445. onnect to the Web Management Interface.
Subnet Mask: Enter the IP subnet mask. The subnet mask specifies the network number portion of an IP address. The UTM automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the UTM).
DHCP
Disable DHCP Server: If another device on your network is the DHCP server for the default VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting.
Enable DHCP Server: Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the default VLAN. Enter the following settings:
• Domain Name: This is optional. Enter the domain name of the UTM.
• Starting IP Address: Enter the starting IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
• Ending IP Address: Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address
446. ont panel (see Front Panel on page 1-10).
To configure classical routing:
1. Select Network Config > WAN Settings from the menu, then click the WAN Mode tab. The WAN Mode screen displays (see Figure 3-8 on page 3-12).
2. In the NAT (Network Address Translation) section of the screen, select the Classical Routing radio button.
3. Click Apply to save your settings.
Configuring Auto-Rollover Mode (Dual WAN Port Models Only)
For the dual WAN port models only, to use a redundant ISP link for backup purposes, ensure that the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.
When the UTM is configured in auto-rollover mode, it uses the selected WAN failure detection method to check the connection of the primary link at regular intervals to detect router status. Link failure is detected in one of the following ways:
• By sending DNS queries to a DNS server, or
• By sending a ping request to an IP address, or
• None (no failure detection is performed).
From the primary WAN interface, DNS queries or ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the primary WAN interface is considered down and a rollover to the backup WAN interface occurs. When the primary WAN interface comes back up, another
447. ontent Filtering
Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048 rar SizeLimit Block
Explanation: Logs that are generated when Web content is blocked because it exceeds the allowed size limit. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the action, and action that is taken.
Recommended Action: None.
Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048 rar URL Block
Explanation: Logs that are generated when Web content is blocked because it violates a blocked Web category. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the action, and action that is taken.
Recommended Action: None.
Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048 rar FileType Block
Explanation: Logs that are generated when Web content is blocked because it violates a blocked file extension. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the action, and action that is taken.
Recommended Action: None.
448. or corrupted.
To see which other firmware versions are available, click Query under the Firmware Download section to allow the UTM to connect to the NETGEAR update server. The Firmware Download section shows the available firmware versions, including any new versions, and the date when the current firmware version was downloaded to the UTM.
Upgrading the Firmware and Rebooting the UTM
To upgrade the UTM's firmware and reboot the UTM:
1. In the Firmware Download section of the Firmware screen (see Figure 10-6 on page 10-19), click Query to display the available firmware versions.
2. Select the radio button that corresponds to the firmware version that you want to download onto the UTM.
3. Click Download. The Download Status bar shows the progress of the download.
4. When the firmware download process has completed, click Install Downloaded Firmware. After the firmware installation process is complete, the newly installed firmware should be the secondary firmware and not the active firmware.
5. Select the Activation radio button for the secondary firmware, that is, the newly installed firmware.
6. Click the Reboot button; the UTM reboots automatically. During the reboot process, the Firmware screen remains visible. The reboot process is complete after several minutes, when the Test LED on the front panel goes of
449. or example, if 192.168.1.1 through 192.168.1.100 are currently assigned to devices on the local network, then start the client address range at 192.168.1.101, or choose an entirely different subnet altogether.
• The VPN tunnel client cannot contact a server on the local network if the VPN tunnel client's Ethernet interface shares the same IP address as the server or the UTM (for example, if your PC has a network interface IP address of 10.0.0.45, then you cannot contact a server on the remote network that also has the IP address 10.0.0.45).
• Select whether you want to enable full tunnel or split tunnel support based on your bandwidth. A full tunnel sends all of the client's traffic across the VPN tunnel. A split tunnel sends only traffic that is destined for the local network, based on the specified client routes. All other traffic is sent to the Internet. A split tunnel allows you to manage bandwidth by reserving the VPN tunnel for local traffic only.
• If you enable split tunnel support and you assign an entirely different subnet to the VPN tunnel clients than the subnet that is used by the local network, you must add a client route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel.
Configuring the Client IP Address Range
First determine the address ran
452. ot configured or e-mail notification is disabled, you can still query the logs and generate log reports that you then can view on the Web Management Interface screen or save in CSV format. For more information about logs, see Querying Logs and Generating Reports on page 11-32.
Configuring the E-mail Notification Server
The UTM can automatically send information such as notifications and reports to the administrator. You must configure the necessary information for sending e-mail, such as the administrator's e-mail address, the e-mail server, user name, and password.
To configure the e-mail notification server:
1. Select Network Config > Email Notification from the menu. The Email Notification screen displays. Figure 11-3 shows some examples.
[Figure 11-3: Email Notification screen (tabs: WAN Setup, Dynamic DNS, WAN Metering, LAN Setup, DMZ Setup, Routing, Email Notification). Show as Mail Sender: UTMnotification@netgear.com. SMTP Server: mail.yourdomain.com, port 25. This server requires authentication: User Name, Password. Send Notifications to: admin@yourdomain.com (Example: admin@yourdomain.com).]
2. Enter the settings as explained in Table 11-2.
Table 11-2. E-mail Notification Settings
Setting: Description (or Subfield and Description)
Show as mail sender: A descriptive name
453. ou can apply bandwidth profiles to a LAN interface for all WAN modes. Bandwidth profiles do not apply to the DMZ interface.
For example, when a new connection is established by a device, the device locates the firewall rule corresponding to the connection:
• If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel.
• If multiple connections correspond to the same firewall rule, the connections all share the same bandwidth class. An exception occurs for an individual bandwidth profile if the classes are per-source-IP-address classes. The source IP address is the IP address of the first packet that is transmitted for the connection. So for outbound firewall rules, the source IP address is the LAN-side IP address; for inbound firewall rules, the source IP address is the WAN-side IP address. The class is deleted when all the connections that are using the class expire.
After you have created a bandwidth profile, you can assign the bandwidth profile to firewall rules on the following screens:
• Add LAN WAN Outbound Services screen (see Figure 5-3 on page 5-14)
• Add LAN WAN Inbound Services screen (see Figure 5-4 on page 5-15)
To add and enable a bandwidth profile:
1. Select Network Security > Firewall Objects from the menu. The Firewall Objects submenu tabs appear with the Services screen in view.
2. Click the Bandwidth Profiles submenu tab. The Bandwidth Profiles screen displays (see Figure 5-23
454. ou disable HTTPS remote management, all SSL VPN user connections are also disabled.
Tip: If you are using a dynamic DNS service such as TZO, you can identify the WAN IP address of your UTM by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert UTM.mynetgear.net, and the WAN IP address that your ISP assigned to the UTM is displayed.
Using an SNMP Manager
Simple Network Management Protocol (SNMP) forms part of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications.
SNMP lets you monitor and manage your UTM from an SNMP manager. It provides a remote means to monitor and control network devices and to manage configurations, statistics collection, performance, and security.
To configure the SNMP settings:
1. Select Administration > SNMP from the menu. The SNMP screen displays.
[SNMP screen: Do You Want to Enable SNMP?; Set Community; Contact; Location.]
455. ou keep the VIRUSINFO and TIME meta words in a message to enable the UTM to insert the proper malware name and time information. In addition to these meta words, you can insert the following meta words in your customized message: PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME.
Enable Malware Outbreak Alerts: Select this checkbox to enable malware outbreak alerts and configure the Outbreak Criteria, Protocol, and Subject fields.
Outbreak Criteria: To define a malware outbreak, specify the following fields:
• malware found within: The number of malware threats that are detected.
• minutes (maximum 90 minutes): The period in which the specified number of malware threats are detected.
Note: When the specified number of detected malware threats is reached within the time threshold, the UTM sends a malware outbreak alert.
Protocol: Select the checkbox or checkboxes to specify the protocols (SMTP, POP3, IMAP, HTTP, FTP, and HTTPS) for which malware threats are detected.
Subject: Enter the subject line for the e-mail alert. The default text is "Outbreak alert".
Enable IPS Outbreak Alerts: Select this checkbox to enable IPS outbreak alerts and configure the Outbreak Criteria and Subject fields.
Outbreak Criteria: To define an IPS outbreak, specify the following fields:
• Attacks found within: The number of IPS attacks that are detected.
• minutes (maximum 90 minutes): The period in which the specified number of
456. ound. The default rules of the UTM are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
The firewall rules for blocking and allowing traffic on the UTM can be applied to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic.
Table 5-1. Number of Supported Firewall Rule Configurations
Traffic Rule | Maximum Number of Outbound Rules | Maximum Number of Inbound Rules | Maximum Number of Supported Rules
LAN WAN | 300 | 300 | 600
DMZ WAN | 50 | 50 | 100
LAN DMZ | 50 | 50 | 100
Total Rules | 400 | 400 | 800
Services-Based Rules
The rules to block traffic are based on the traffic's category of service:
• Outbound Rules (service blocking). Outbound traffic is normally allowed unless the firewall is configured to disallow it.
• Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
• Customized Services. Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see Adding Customized Services on page 5-32).
• Qu
457. owsers: user login policies 9-5; Web Management Interface 2-2. button, Reset 2. buttons, Web Management Interface action 2-6.
C: CA 7-31. cache control, SSL VPN 8-5, 8-21. card service registration 7-8. categories, Web content 2-22. category 5 cable B-3. Certificate Authority, see CA. Certificate Revocation List, see CRL. Certificate Signing Request, see CSR. certificates: 3rd party Web site 6-37; authentication 6-34; CA 9-18; commercial CAs 9-8; CRL 9-19, 9-25; CSR 9-2; exchange 6-34; overview 9-17; self-signed 9-18, 9-20; signature key length 9-23; trusted CA certificates 9-19, 9-20. Challenge Handshake Authentication Protocol, see CHAP. CHAP, see also RADIUS-CHAP, MIAS-CHAP, or WiKID-CHAP 9-2. classical routing mode 3-11. clearing statistics 1-16. clients, infected, identifying 11-38. community strings 10-15. comparison, UTM models 7. compatibility, protocols and standards A-2. compliance, regulatory A-3. compressed files: e-mail filtering 6; FTP filtering 6-41; Web filtering 6-28. configuration settings: defaults A; using the Setup Wizard 2-7; help 2-7. configuration file: table 2-6; backing up 10-16; managing 10-15; restoring 10-17; reverting to defaults 10-18. configuration menu, Web Management Interface 2-5. connection: requirements 2; speed and type, WAN 3-24. console port 1-12. content filtering au
458. pe: A numeric value that can range between 0 and 40. For a list of ICMP types, see http://www.iana.org/assignments/icmp-parameters. This field is enabled only when you select ICMP from the Type pull-down menu.
Start Port: The first TCP or UDP port of a range that the service uses. This field is enabled only when you select TCP or UDP from the Type pull-down menu.
Finish Port: The first TCP or UDP port of a range that the service uses. If the service uses only a single port number, enter the same number in the Start Port and Finish Port fields. This field is enabled only when you select TCP or UDP from the Type pull-down menu.
3. Click Apply to save your settings. The new custom service is added to the Custom Services table.
To edit a service:
1. In the Custom Services table, click the Edit table button to the right of the service that you want to edit. The Edit Service screen displays (Figure 5-20: Edit Service screen, reached through Network Security > Firewall > Address Filter > Port Triggering; the example shows Start Port 10115 and Finish Port 10117).
2. Modify the settings that you wish to change (see Table 5-6 on page 5-34).
3. Click Apply to save your changes. The modified service is displayed in the Custom Services table.
Creating Quality of Service (QoS) Profiles: A quality of se
459. pecified sources are considered spam and are blocked.
3. Real-time blacklist: E-mails from known spam sources that are collected by blacklist providers are blocked.
4. Distributed Spam Analysis: E-mails that are detected as spam by the NETGEAR Spam Classification Center are either tagged or blocked.
This order of implementation ensures the optimum balance between spam prevention and system performance. For example, if an e-mail originates from a whitelisted source, the UTM delivers the e-mail immediately to its destination inbox without implementing the other spam prevention technologies, thereby speeding up mail delivery and conserving the UTM system resources. However, regardless of whether or not an e-mail is whitelisted, the e-mail is still scanned by the UTM's anti-malware engines. You can configure these anti-spam options in conjunction with content filtering to optimize blocking of unwanted mails.
Note: E-mails that are processed through the UTM over an authenticated e-mail connection between a client and a mail server are not checked for spam.
Note: An e-mail that has been checked for spam by the UTM contains an X-STM-SMTP (for SMTP e-mails) or X-STM-POP3 (for POP3 e-mails) tag in its header.
Setting Up the Whitelist and Blacklist: You can specify e-mai
460. pecifying QoS and bandwidth profiles and assigning these profiles to outbound and inbound firewall rules, you can shift the traffic mix to aim for optimum performance of the UTM.
Assigning QoS Profiles: The QoS profile settings determine the priority and, in turn, the quality of service for the traffic passing through the UTM. After you have created a QoS profile, you can assign the QoS profile to firewall rules. The QoS is set individually for each service. You can change the mix of traffic through the WAN ports by granting some services a higher priority than others: you can accept the default priority defined by the service itself by not changing its QoS setting, or you can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have. For more information about QoS profiles, see Creating Quality of Service (QoS) Profiles on page 5-35.
Assigning Bandwidth Profiles: By applying a QoS profile, the WAN bandwidth does not change. You change the WAN bandwidth that is assigned to a service or application by applying a bandwidth profile. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth
461. period: The period in seconds between the ping packets. The default setting is 10 seconds.
Reconnect after failure count: The number of consecutive missed responses that are considered a tunnel connection failure. The default setting is 3 missed responses.
Table 7-12. Add VPN Policy Settings (continued)
Item: Description (or Subfield and Description)
Traffic Selection
Local IP: From the pull-down menu, select the address or addresses that are part of the VPN tunnel on the UTM. Any: All PCs and devices on the network. Note: You cannot select Any for both the UTM and the remote endpoint. Single: A single IP address on the network; enter the IP address in the Start IP Address field. Range: A range of IP addresses on the network; enter the starting IP address in the Start IP Address field and the ending IP address in the End IP Address field. Subnet: A subnet on the network; enter the starting IP address in the Start IP Address field and the subnet mask in the Subnet Mask field.
Remote IP: From the pull-down menu, select the address or addresses that are part of the VPN tunnel on the remote endpoint. The menu choices are the same as for the Local IP pull-down menu (see above).
Manual Policy Parameters
Note: These fields apply only when you sele
462. pes of digital certificates:
CA digital certificates: Each CA issues its own CA identity digital certificate to validate communication with the CA and to verify the validity of digital certificates that are signed by the CA.
Self digital certificates: The digital certificates that are issued to you by a CA to identify your device.
The Certificates screen contains four tables that are explained in detail in the following sections:
Trusted Certificates (CA Certificate) table: Contains the trusted digital certificates that were issued by CAs and that you uploaded (see Managing CA Certificates on this page).
Active Self Certificates table: Contains the digital self certificates that were issued by CAs and that you uploaded (see Managing Self Certificates on page 9-20).
Self Certificate Requests table: Contains the self certificate requests that you generated. These requests may or may not have been submitted to CAs, and CAs may or may not have issued digital certificates for these requests. Only the digital self certificates in the Active Self Certificates table are active on the UTM (see Managing Self Certificates on page 9-20).
Certificate Revocation Lists (CRL) table: Contains the lists with digital certificates that have been revoked and are no longer valid that were issued
463. ply to save your settings, or click Reset to clear all entries from these fields.
Recipients Domain Whitelist: Enter the sender e-mail domains of the recipients to which e-mails can be safely delivered. Click Apply to save your settings, or click Reset to clear all entries from this field.
Recipients Email Address Whitelist: Enter the e-mail addresses of the recipients to which e-mails can be safely delivered. Click Apply to save your settings, or click Reset to clear all entries from this field.
Note: In the fields of the Whitelist/Blacklist screen, use commas to separate multiple entries. For IP addresses, use a dash to indicate a range, for example 192.168.32.2-192.168.32.8.
Configuring the Real-time Blacklist: Blacklist providers are organizations that collect IP addresses of verified open SMTP relays that might be used by spammers as media for sending spam. These known spam relays are compiled by blacklist providers and are made available to the public in the form of real-time blacklists (RBLs). By accessing these RBLs, the UTM can block spam originating from known spam sources. By default, the UTM comes with three pre-defined blacklist providers: Dsbl, Spamhaus, and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL
464. port is enabled, client routes are not operable.
DNS Suffix: A DNS suffix to be appended to incomplete DNS search strings. This is an option.
Primary DNS Server: The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This is an option. Note: If you do not assign a DNS server, the DNS settings remain unchanged in the VPN client after a VPN tunnel has been established.
Secondary DNS Server: The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This is an option.
Client Address Range Begin: The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
Client Address Range End: The last IP address of the IP address range that you want to assign to the VPN tunnel clients.
4. Click Apply to save your settings. VPN tunnel clients are now able to connect to the UTM and receive a virtual IP address in the client address range.
Adding Routes for VPN Tunnel Clients: The VPN tunnel clients assume that the following networks are located across the VPN-over-SSL tunnel: the subnet that contains the client IP address (that is, the PPP interface), as determined by the class of the address (Class A, B, or C); and the subnets that are specified in the Configured Client Routes table on the SSL VPN Client screen. If the assigned client IP address range is in a different subnet than the local network, or if the local network has multiple subnets
465. ppear in the list, you must define it using the Services screen (see Services-Based Rules on page 5-3 and Adding Customized Services on page 5-32).
LAN Users: You can specify which computers on your network are affected by an outbound rule. There are several options. Any: All PCs and devices on your LAN. Single address: The rule is applied to the address of a particular PC. Address range: The rule is applied to a range of addresses. Groups: The rule is applied to a group of PCs. You can configure groups for LAN-WAN outbound rules but not for DMZ-WAN outbound rules. The Known PCs and Devices table is an automatically maintained list of all known PCs and network devices and is generally referred to as the Network Database, which is described in Managing the Network Database on page 4-13. PCs and network devices are entered into the Network Database by various methods that are described in Managing Groups and Hosts (LAN Groups) on page 4-12.
WAN Users: You can specify which Internet locations are covered by an outbound rule based on their IP address. Any: The rule applies to all Internet IP addresses. Single address: The rule applies to a single Internet IP address. Address range: The rule is applied to a range of Internet IP addresses.
Schedule: You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this sch
466. pply to CA text box into a text file, including all of the data contained from "BEGIN CERTIFICATE REQUEST" to "END CERTIFICATE REQUEST".
6. Submit your SCR to a CA: a. Connect to the website of the CA. b. Start the SCR procedure. c. When prompted for the requested data, copy the data from your saved text file, including "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST". d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA.
7. Download the digital certificate file from the CA and store it on your computer.
8. Return to the Certificates screen (see Figure 9-13 on page 9-22) and locate the Self Certificate Requests section.
9. Select the checkbox next to the self certificate request.
10. Click Browse and navigate to the digital certificate file from the CA that you just stored on your computer.
11. Click the Upload table button. If the verification process on the UTM approves the digital certificate for validity and purpose, the digital certificate is added to the Active Self Certificates table.
To delete one or more SCRs:
1. In the Self Certificate Requests table, select the checkbox to the left of the SCR that you want to delete, or click the Select All table button to select all SCRs.
2. Click the Delete table bu
467. r UTM. Publication Date: January 2010. Product Family: UTM. Product Name: ProSecure Unified Threat Management (UTM) Appliance. Home or Business Product: Business. Language: English. Publication Part Number: 202-10482-02. Publication Version Number: 1.0.
Contents (ProSecure Unified Threat Management UTM Appliance Reference Manual, v1.0, January 2010)
About This Manual: Conventions, Formats, and Scope, xvii; [entry not recoverable from the scan], xviii; [entry not recoverable from the scan], xviii.
Chapter 1, Introduction: What Is the ProSecure Unified Threat Management (UTM) Appliance?, 1-1; Key Features and Capabilities, 1-2; Dual WAN Port Models for Increased Reliability or Outbound Load Balancing, 1-3; Advanced VPN Support for Both IPsec and SSL, 1-3; A Powerful True Firewall, 1-4; Stream Scanning for Content Filtering, 1-4; [entry not recoverable from the scan], 1-5; Autosensing Ethernet Connections with Auto Uplink, 1-5; Extensive Protocol Support, 1-6; Easy Installation and Management, 1-6; Maintenance and Support
468. r RADIUS, WiKID, or MIAS authentication.
Workgroup: The workgroup that is required for Microsoft NT Domain authentication.
LDAP Base DN: The LDAP base distinguished name (DN) that is required for LDAP authentication.
Active Directory: The active directory domain name that is required for Microsoft Active Directory Domain authentication.
Figure 8-4: SSL VPN Wizard, Step 3 of 6, User Settings (fields: User Name, User Type, SSL VPN User Group, Password, Confirm Password, Idle Timeout in minutes). The screen carries this note: "Please make sure that the user name has NOT been used. If the user name already exists, the wizard will fail and the UTM will have to reboot to recover a previously working configuration."
Note that Figure 8-4 contains some examples. Enter the settings as explained in Table 8-3 on page 8-8, then click Next to go to the following screen.
Note: Do not enter an existing user name in the User Name field; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration.
Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the user settings by selecting Users g
469. r mode after completing the wizard, you must manually update the VPN policy to enable VPN rollover. For more information, see Manually Adding or Editing a VPN Policy on page 7-33.
End Point Information
What is the Remote WAN's IP Address or Internet Name?: Enter the IP address or Internet name (FQDN) of the WAN interface on the remote VPN tunnel endpoint.
What is the Local WAN's IP Address or Internet Name?: When you select the Gateway radio button in the About VPN Wizard section of the screen, the IP address of the UTM's active WAN interface is automatically entered.
Secure Connection Remote Accessibility
What is the remote LAN IP Address?: Enter the LAN IP address of the remote gateway. Note: The remote LAN IP address must be in a different subnet than the local LAN IP address. For example, if the local subnet is 192.168.1.x, then the remote subnet could be 192.168.10.x but could not be 192.168.1.x. If this information is incorrect, the tunnel will fail to connect.
What is the remote LAN Subnet Mask?: Enter the LAN subnet mask of the remote gateway.
a. Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of an IP address and an FQDN is not supported.
Tip: To assure tunnels stay active after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of the net
470. r setup 12-8; time-out error 12-4; Web Management Interface 2-3. trusted: certificates 9-19, 9-20; hosts 6-37. Two-Factor Authentication, see WiKID. Type of Service, see ToS. TZO.com 3-19, 3-2.
U: UDP flood, blocking 5-29. UDP time-out 5-3. understanding log messages C. update failure alert 11-10. upgrading firmware 10-20. URLs: blacklist 6-32; misclassification 6-30; using wildcards 6-32; whitelist 6-32. USB port, non-functioning 0. user name, default 2-3. user policies, precedence 8-31. user portal 8-15. users: active VPN users 24; administrator (admin) settings 10-9; assigned groups 9-11; login policies: based on IP address 9-3, based on Web browser 9-4, general 9-12; login time-out 9-16; passwords, changing 9-16; user accounts 9-9; user types 9-11, 9-17.
V: videoconferencing: DMZ port 4-18; from restricted address 5-22. virtual LAN, see VLAN. Virtual Private Network Consortium, see VPNC. virtual private network, see VPN tunnel. virus: database 10-21; logs, see malware logs; protection 6-5, 6-21; signature files 10-27. VLAN: advantages 4-2; default 2-8; description 4-1; DHCP: address pool 4-9, DNS servers 4-9, domain name 4-8, LDAP server 4-9, lease time 4-9, options 4-4, relay 4-5, 4-9, server 4-4, 4-8, WINS server 4-9; DNS proxy 4-5, 4-10; ID 4-8; LAN TCP/IP 4-8; LDAP server 4-6; port membership 4-8; port-based 4
471. r to your UTM.
If your UTM is still unable to obtain an IP address from the ISP, the problem might be one of the following:
Your ISP might require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login. If your ISP requires a login, you might have incorrectly set the login name and password.
Your ISP might check for your PC's host name. Enter the host name, system name, or account name that was assigned to you by your ISP in the Account Name field on the WAN1 ISP Settings or WAN2 ISP Settings screen (of the dual WAN port models) or on the WAN ISP Settings screen (of the single WAN port models). You might also have to enter the assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information (see Manually Configuring the Internet Connection on page 3-5).
Your ISP allows only one Ethernet MAC address to connect to the Internet and might check for your PC's MAC address. In this case, inform your ISP that you have bought a new network device and ask them to use the UTM's MAC address, or configure your UTM to spoof your PC's MAC address. You can do this in the Router's MAC Address section of the WAN1 Advanced Options or WAN2 Advanced Options screen (of the dual WAN port models) or in the
472. rding if input a new portal layout name. In this case SSL VPN Wizard will skip step 4 if VPN Tunnel page does not be selected. And the wizard will skip step 5 if uncheck Port Forwarding." (on-screen text shown in Figure 8-2)
Note that Figure 8-2 contains some examples. Enter the settings as explained in Table 8-1 on page 8-4, then click Next to go to the following screen.
Note: If you leave the Portal Layout Name field blank, the SSL VPN Wizard uses the default portal layout SSL VPN. You must enter a name other than SSL VPN in the Portal Layout Name field so the SSL VPN Wizard can create a new portal layout. Do not enter an existing portal layout name in the Portal Layout Name field; otherwise, the SSL VPN Wizard will fail, although the UTM will not reboot in this situation.
Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the portal settings by selecting VPN > SSL VPN > Portal Layout. For more information about portal settings, see Creating the Portal Layout on page 8-18.
Table 8-1. SSL VPN Wizard Step 1: Portal Settings
Item: Description (or Subfield and Description)
Portal Layout and Theme Name
Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal U
473. URL blocking: You can specify up to 200 URLs that are blocked by the UTM. For more information, see Configuring Web URL Filtering on page 6-30.
Web services blocking: You can block Web services such as instant messaging and peer-to-peer services. For more information, see Customizing Web Protocol Scan Settings and Services on page 6-19.
Web object blocking: You can block the following Web component types: embedded objects (ActiveX, Java, Flash), proxies, and cookies, and you can disable Java scripts. For more information, see Configuring Web Content Filtering on page 6-23.
Setting the size of Web files to be scanned: Scanning large Web files requires network resources and might slow down traffic. You can specify the maximum file size that is scanned, and whether files that exceed the maximum size are skipped (which might compromise security) or blocked. For more information, see Configuring Web Malware Scans on page 6-21.
For these features, with the exception of Web object blocking and setting the size of files to be scanned, you can set schedules to specify when Web content is filtered (see Configuring Web Content Filtering on page 6-23) and configure exceptions for groups (see Setting Web Access Exception Rules on page 6-41).
Source MAC Filtering: If you want to reduce outgoing traffic by preventing Internet access by certain PCs on
474. re Unified Threat Management UTM Appliance has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement: This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.
Additional Copyrights: AES. Copyright (c) 2001, Dr Brian Gladman (brg@gladman.uk.net), Worcester, UK. All rights reserved. TERMS: Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: 1. Redistributions of source code must retain the above copyright notice, this lis
475. re displayed in a new screen. To return to the Diagnostics screen, click Back on the Windows menu bar.
Using the Realtime Traffic Diagnostics Tool: This section discusses the Realtime Traffic Diagnostics section and the Perform a DNS Lookup section of the Diagnostics screen.
Figure 11-27: Diagnostics screen (2 of 3), showing the Source IP address and Destination IP Address fields and the on-screen note "Please Stop the diagnostic tests to save results. All packets will be captured unless filters are set here."
You can use the Realtime Traffic Diagnostics tool to analyze traffic patterns with a network traffic analyzer tool. Depending on the network traffic analyzer tool that you use, you can find out which applications are using most bandwidth, which users use most bandwidth, how long users are connected, and other information.
To use the Realtime Traffic Diagnostics tool:
1. Locate the Realtime Traffic Diagnostics section on the Diagnostics screen.
2. In the Source IP address field, enter the IP address of the source of the traffic stream that you want to analyze.
3. In the Destination IP address field, enter the IP address of the destination of the traffic stream that you want to analyze.
4. Click Start. You are prompted to save the downloaded traffic information file to your computer; however, do not save the file until you have s
476. Table 6-10. HTTPS Settings
Setting: Description (or Subfield and Description)
HTTP Tunneling: Select this checkbox to allow scanning of HTTPS connections through an HTTP proxy, which is disabled by default. Traffic from trusted hosts is not scanned (see Specifying Trusted Hosts on page 6-37). Note: For HTTPS scanning to occur properly, you must add the HTTP proxy server port in the Ports to Scan field for the HTTPS service on the Services screen (see Customizing Web Protocol Scan Settings and Services on page 6-19).
HTTPS 3rd Party Website Certificate Handling: Select the "Allow the UTM to present the website to the client" checkbox to allow a Secure Sockets Layer (SSL) connection with a valid certificate that is not signed by a trusted certificate authority (CA). The default setting is to block such a connection.
HTTPS SSL Settings: Select the "Allow the UTM to handle HTTPS connections using SSLv2" checkbox to allow HTTPS connections using SSLv2, SSLv3, or TLSv1. If this checkbox is deselected, the UTM allows HTTPS connections using SSLv3 or TLSv1, but not using SSLv2.
Show This Message When an SSL Connection Attempt Fails: By default, a rejected SSL connection is replaced with the following text, which you can customize: "The SSL connection to %URL% cannot be established because of %REASON%". Note: Make sure that you keep the %URL% and %REASO
477. rence that may cause undesired operation. [VCCI Class A notice; the Japanese text is not recoverable from the scan.]
Figure 1-5: Product label. Recoverable label text: DEFAULT ACCESS https://192.168.1.1, user name admin, password password; UL LISTED E212778; Input Rating AC 100-240V, 50/60Hz, 0.7A max; Made in China; 272-10758-04.
Figure 1-6 shows the product label for the UTM25: ProSecure Unified Threat Management UTM25. This device complies with part 15 of the FCC Rules and Canada ICES-003. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. [VCCI Class A notice; the Japanese text is not recoverable from the scan.] DEFAULT ACCESS https://192.168.1.1, user name admin, password password; UL LISTED E212778; Input Rating AC 100-240V, 50/60Hz, 1.2A max; Made in China; 272-10722-04.
Choosing a Location for the UTM: The UTM is suitable for use in an office environment where it can be free-standing on its runner feet or mounted into a standard 19-inch equipment rack. Alternat
478. repare to physically connect the firewall to your cable or DSL modems and a computer. Instructions for connecting the UTM are in the ProSecure Unified Threat Management UTM Installation Guide.
Cabling and Computer Hardware Requirements: To use the UTM in your network, each computer must have an Ethernet Network Interface Card (NIC) installed and must be equipped with an Ethernet cable. If the computer will connect to your network at 100 Mbps or higher speeds, you must use a Category 5 (CAT5) cable.
Computer Network Configuration Requirements: The UTM integrates a Web Management Interface. To access the configuration menus on the UTM, you must use a Java-enabled Web browser that supports HTTP uploads, such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher, with JavaScript, cookies, and SSL enabled. Free browsers are readily available for Windows, Macintosh, or UNIX/Linux. For the initial connection to the Internet and configuration of the UTM, you must connect a computer to the UTM, and the computer must be configured to automatically get its TCP/IP configuration from the UTM via DHCP.
Note: For help with the DHCP configuration, see the TCP/IP Networking Basics document that you can access from the link in Appendix E, Related Documents.
The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T) Ethernet interface. Intern
479. respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features, and changing them is not usually required. See Configuring Advanced WAN Options on page 3-22.
Each of these tasks is detailed separately in this chapter.
Note: For information about how to configure the WAN meters, see Enabling the WAN Traffic Meter on page 11-1.
Configuring the Internet Connections
Note: The initial Internet configuration of the UTM is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. If you used the Setup Wizard to configure your Internet settings, you need this section only if you want to make changes to your Internet connections.
To set up your UTM for secure Internet connections, you configure WAN ports 1 and 2. The Web Configuration Manager offers two connection configuration options: automatic detection and configuration of the network connection, and manual configuration of the network connection. Each option is detailed in the sections following.
Automatically Detecting and Connecting: To automatically configure the WAN ports for connection to the Internet:
1. Select Network Config > WAN Settings from the menu. On dual WAN port models, the WAN Settings tabs appear with the WAN1 ISP Settings screen in view (see Figure 3-1 on page 3-3). On the single WAN port models, the WAN ISP screen display
480. right WAN port, nor any Active WAN LEDs. The function of each LED is described in Table 1-2.
Table 1-2. LED Descriptions
Object: Activity: Description
Power: On (Green): Power is supplied to the UTM. Off: Power is not supplied to the UTM.
Test: On (Amber) during startup: Test mode; the UTM is initializing. After approximately 2 minutes, when the UTM has completed its initialization, the Test LED goes off. On (Amber) during any other time: The initialization has failed, or a hardware failure has occurred. Blinking (Amber): Writing to flash memory (during upgrading or resetting to defaults). Off: The system has booted successfully.
LAN Ports, Left LED: Off: The LAN port has no link. On (Green): The LAN port has detected a link with a connected Ethernet device. Blink (Green): Data is being transmitted or received by the LAN port.
LAN Ports, Right LED: Off: The LAN port is operating at 10 Mbps. On (Amber): The LAN port is operating at 100 Mbps. On (Green): The LAN port is operating at 1000 Mbps.
DMZ LED: Off: Port 4 is operating as a normal LAN port. On (Green): Port 4 is operating as a dedicated hardware DMZ port.
WAN Ports, Left LED: Off: The WAN port has no physical link, that is, no Ethernet cable is plugged into the UTM. On (Green): The WAN port has a valid connection with a device that provides an Internet connection. Blink (Green): Data is being transmitted or received by the WAN port.
Righ
481. ring and Optimizing Scans — v1.0, January 2010 — ProSecure Unified Threat Management UTM Appliance Reference Manual

3. Enter the settings as explained in Table 6-13.

Table 6-13. Add and Edit Block Scanning Exception Settings

Setting | Description (or Subfield and Description)
Action | From the pull-down menu, select the action that the UTM applies:
 | • allow: The exception allows access to an application, Web category, or URL that is otherwise blocked.
 | • block: The exception blocks access to an application, Web category, or URL that is otherwise allowed.
Applies to | The group to which the exception applies. You can configure groups in Managing Groups and Hosts (LAN Groups) on page 4-12.
Start Time | The time in 24-hour format (hours and minutes) when the action starts. If you leave these fields empty, the action applies continuously.
End Time | The time in 24-hour format (hours and minutes) when the action ends. If you leave these fields empty, the action applies continuously.
Category | From the pull-down menu, select the category to which the action applies:
 | • URL Filtering: The action applies to a URL. Enter the URL in the Subcategory/Expression field.
 | • Web category: The action applies to a Web category. Select a category from the Subcategory/Expression pull-down menu.
 | • Application: The action applies to an application. Select an application from the Subcategory/Expression pull-down menu.
Subcategory | The nature of t
482. riorPolicy VPN Tunnel [Figure 8-18: List of SSL VPN Policies screen, with Select All, Delete, and Add table buttons; the Related Policies table (populated only for Group and User) has the columns Name, Type, Service, Destination, and Permission, with the example entry FTPServerPolicy / Global / Port Forwarding / FTPServer / Permit]

2. Make your selection from the following Query options:
• Click Global to view all global policies.
• Click Group to view group policies, and choose the relevant group's name from the pull-down menu.
• Click User to view group policies, and choose the relevant user's name from the pull-down menu.
3. Click the Display action button. The List of SSL VPN Policies table displays the list for your selected Query option.

Adding a Policy

To add an SSL VPN policy:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view (see Figure 8-18, which shows some examples).
2. Under the List of SSL VPN Policies table, click the Add table button. The Add Policy screen displays (see Figure 8-19 on page 8-34).

Virtual Private Networking Using SSL Connections 8-33

[Figure 8-19: Add Policy screen (IPSec VPN / SSL VPN / Certificates tabs; "Operation succeeded"), with the fields Apply Policy to (Group geardomain), Policy Name, IP Address, Network Resource, Subnet Mask, Begin / End IP Address, Port Range / Port Number]
483. rivate Networks

A virtual private network (VPN) tunnel provides a secure communication channel between either two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel endpoints must be known in advance in order for the other tunnel endpoint to establish or re-establish the VPN tunnel.

Note: When the UTM's WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address. However, you can configure automatic IPsec VPN rollover to ensure that an IPsec VPN tunnel is re-established.

Dual WAN Ports in Auto-Rollover Mode

Rollover for a UTM with dual WAN ports is different from a single WAN port gateway configuration when you specify the IP address. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of a fully qualified domain name (FQDN) is always required, even when the IP address of each WAN port is fixed.

[Figure B-2: Dual WAN Ports Before Rollover (WAN1 port active with WAN1 IP, WAN2 port inactive, IP N/A) and Dual WAN Ports After Rollover (WAN1 port inactive, IP N/A; WAN2 port active with WAN2 IP). The IP address of the active WAN port changes after a rollover, so the use of fully qualified domain names is always required, and features requiring fixed IP address blocks are not supported.]

Features such as multiple exposed hosts are not suppo
485. roSecure Unified Threat Management UTM Appliance Reference Manual

Example: Using Logs to Identify Infected Clients

You can use the UTM logs to help identify potentially infected clients on the network. For example, clients that are generating abnormally high volumes of HTTP traffic might be infected with spyware or other malware threats.

To identify infected clients that are sending spyware in outbound traffic, query the UTM malware logs and see if any of your internal IP addresses are the source of spyware:
1. On the Log Query screen (see Figure 11-23 on page 11-34), select Traffic as the log type.
2. Select the start date and time from the pull-down menus.
3. Select the end date and time from the pull-down menus.
4. Next to Protocols, select the HTTP checkbox.
5. Click Search. After a few minutes, the log appears on screen.
6. Check if there are clients that are sending out suspicious volumes of data, especially to the same destination IP address, on a regular basis.

If you find a client exhibiting this behavior, you can run a query on that client's HTTP traffic activities to get more information. Do so by running the same HTTP traffic query and entering the client IP address in the Client IP field.

Log Management

Generated logs take up space and resources on the UTM internal disk. To ensure that there is always sufficient space to save newer logs, the UTM automatically deletes older logs whenever the total log size reaches 50% of
486. roducts derived from this software without prior written permission. For written permission, contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL", nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

MD5: Copyright (C) 1990, RSA Data Securi
487. rollover occurs from the backup WAN interface back to the primary WAN interface. The WAN failure detection method that you select applies only to the primary WAN interface; that is, it monitors the primary link only.

To configure the dual WAN ports for auto-rollover mode:
1. Select Network Config > WAN Settings from the menu, then click the WAN Mode tab. The WAN Mode screen displays.

[Figure 3-8: WAN Mode screen. Submenu tabs: WAN1 ISP Settings, WAN Mode, Protocol Binding, Dynamic DNS, WAN Metering, LAN Settings, DMZ Setup, Routing, Email Notification. Settings shown: "Use NAT or Classical Routing between WAN & LAN interfaces" (NAT / Classical Routing); WAN failure detection method (None; DNS lookup using WAN DNS Servers; DNS lookup using these DNS Servers, with WAN1 and WAN2 address fields; Ping these IP addresses, with WAN1 and WAN2 address fields); Port Mode (Auto Rollover using WAN port, with a WAN1/WAN2 pull-down; Load Balancing, with a "view protocol bindings" link; Use only single WAN port); Retry Interval is 30 Seconds; Failover after 4 Failures.]

2. Enter the settings as explained in Table 3-5.

Table 3-5. Auto-Rollover Mode Settings (Dual WAN Port Models Only)

Setting | Description (or Subfield and Description)
Port Mode: Auto Rollover using WAN port | Select the Auto Rollover using WAN port radio button. Then, from the pull-down menu, select the WAN port that must function
488. roxy / Enable DNS Proxy [Figure 2-7: Setup Wizard Step 1, LAN Settings screen]

Enter the settings as explained in Table 2-1 on page 2-9, then click Next to go to the following screen.

Note: In this first step, you are actually configuring the LAN settings for the UTM's default VLAN. For more information about VLANs, see Managing Virtual LANs and DHCP Options on page 4-1.

Note: After you have completed the steps in the Setup Wizard, you can make changes to the LAN settings by selecting Network Config > LAN Settings > Edit LAN Profile. For more information about these LAN settings, see VLAN DHCP Options on page 4-4.

Table 2-1. Setup Wizard Step 1: LAN Settings

Setting | Description (or Subfield and Description)
LAN TCP/IP Setup: IP Address | Enter the IP address of the UTM's default VLAN (the factory default is 192.168.1.1).
 | Note: Always make sure that the LAN port IP address and DMZ port IP address are in different subnets.
 | Note: If you change the LAN IP address of the UTM's default VLAN while being connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address from 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to rec
489. rt

When a screen includes a table, table buttons are displayed to let you configure the table entries. The nature of the screen determines which table buttons are shown. Figure 2-5 shows an example.

[Figure 2-5: Table buttons: Select All, Delete, Enable, Disable, Add, Up, Down, Apply]

Any of the following table buttons might be displayed on screen:
• Select All: Select all entries in the table.
• Delete: Delete the selected entry or entries from the table.
• Enable: Enable the selected entry or entries in the table.
• Disable: Disable the selected entry or entries in the table.
• Add: Add an entry to the table.
• Edit: Edit the selected entry.
• Up: Move the selected entry up in the table.
• Down: Move the selected entry down in the table.
• Apply: Apply the selected entry.

Almost all screens and sections of screens have an accompanying help screen. To open the help screen, click the question mark icon.

Using the Setup Wizard to Perform the Initial Configuration

The Setup Wizard facilitates the initial configuration of the UTM by taking you through ten screens, the last of which allows you to save the configuration. If you prefer to perform the initial WAN setup manually, see Chapter 3, Manually Configuring Internet and WAN Settings.

To start the
491. rted in auto-rollover mode because the IP addresses of each WAN port must be in the identical range of fixed addresses.

Dual WAN Ports in Load Balancing Mode

Load balancing for a UTM with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address. Each IP address is either fixed or dynamic, based on the ISP. You must use FQDNs when the IP address is dynamic, but FQDNs are optional when the IP address is static.

[Figure B-3: Dual WAN Ports, Load Balancing. The router's WAN1 port (WAN1 IP, netgear1.dyndns.org) and WAN2 port (WAN2 IP, netgear2.dyndns.org) are both active. Use of fully qualified domain names for the IP addresses of the WAN ports is required for dynamic IP addresses and optional for fixed IP addresses.]

Inbound Traffic

Incoming traffic from the Internet is normally discarded by the UTM unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can configure the UTM to forward it to one or more LAN hosts on your network. The addressing of the UTM's dual WAN ports depends on the configuration being implemented.

Table B-1. IP Addressing Requirements for Exposed Hosts in Dual WAN Port Systems

Configuration and WAN IP address | Single WAN Port | Dual WAN Port Cases
W
492. rtual network adapter (see Configuring the SSL VPN Client on page 8-25). For the SSL VPN tunnel option, the UTM creates a virtual network adapter on the remote PC that then functions as if it were on the local network. Configure the portal's SSL VPN client to define a pool of local IP addresses to be issued to remote clients, as well as DNS addresses. Declare static routes or grant full access to the local network, subject to additional policies.
5. To simplify policies, define network resource objects (see Using Network Resource Objects to Simplify Policies on page 8-28). Network resource objects are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies.
6. Configure the SSL VPN policies (see Configuring User, Group, and Global Policies on page 8-31). Policies determine access to network resources and addresses for individual users, groups, or everyone.

Creating the Portal Layout

The Portal Layouts screen that you can access from the SSL VPN menu allows you to create a custom page that remote users see when they log into the portal. Because the page is completely customizable, it provides an ideal way to communicate remote access instructions, support information, technical contact information, or VPN-related news updates to remote users. The page is also well suited as a starting page for restricted users, if mobile users or busine
493. rver for which the UTM serves as a relay.
Enable LDAP information | Select the Enable LDAP information checkbox to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the settings below.
 | Note: The LDAP settings that you specify as part of the VLAN profile are used only for SSL VPN and UTM authentication, but not for Web and e-mail security.
LDAP Server | The IP address or name of the LDAP server.
Search Base | The search objects that specify the location in the directory tree from which the LDAP search begins. You can specify multiple search objects, separated by commas. The search objects include:
 | • cn (for common name)
 | • ou (for organizational unit)
 | • o (for organization)
 | • c (for country)
 | • dc (for domain)
 | For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net
Port | The port number for the LDAP server. The default setting is zero.

2-10 Using the Setup Wizard to Provision the UTM in Your Network

Table 2-1. Setup Wizard Step 1: LAN Settings (continued)

Setting | Description (or Subfield and Description)
DNS Proxy: Enable DNS Proxy | This is optional. Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution. Th
494. rvice (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the UTM. A QoS profile becomes active only when it is associated with a non-blocking inbound or outbound firewall rule and traffic matching the firewall rule flows through the router.

After you have created a QoS profile, you can assign the QoS profile to firewall rules on the following screens:
• Add LAN WAN Outbound Services screen (see Figure 5-3 on page 5-14)
• Add LAN WAN Inbound Services screen (see Figure 5-4 on page 5-15)
• Add DMZ WAN Outbound Services screen (see Figure 5-6 on page 5-17)
• Add DMZ WAN Inbound Services screen (see Figure 5-7 on page 5-18)

Priorities are defined by the Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. There is no default QoS profile on the UTM. Following are examples of QoS profiles that you could create:
• Normal service profile: used when no special priority is given to the traffic. You would typically mark the IP packets for services with this priority with a ToS value of 0.
• Minimize cost profile: used when data must be transferred over a link that has a lower cost. You would typically mark the IP packets for services with this priority with a ToS value of 1.
• Maximize reliability profile: used when data must travel to the destination over a reliable link and with little or no retransmission. You would typically mark the
495. s 3-2 Manually Configuring Internet and WAN Settings

[Figure 3-1: WAN1 ISP Settings screen (submenu tabs WAN1 ISP Settings, WAN2 ISP Settings, WAN Mode, ..., LAN Settings, DMZ Setup, Routing, Email Notification; option arrows Secondary Addresses, Advanced, WAN Status). Fields: Does Your Internet Connection Require a Login? (Yes / No); Login, Password, Account Name, Domain Name; Which type of ISP connection do you use? (Austria (PPTP), Other (PPPoE)); Idle Time (5 Minutes) / Keep connected; My IP Address; Server IP Address; Internet IP Address (Get Dynamically from ISP / Use Static IP Address, with IP Address, IP Subnet Mask, and Gateway IP Address); Domain Name Server (DNS) Servers (Get Automatically from ISP / Use These DNS Servers, with Primary DNS Server and Secondary DNS Server).]

2. Click the Auto Detect action button at the bottom of the menu. The auto-detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. Figure 3-2 shows a dual WAN port model's screen. A single WAN port model's screen shows only a single WAN ISP Settings submenu tab.

[Figure 3-2: WAN ISP Settings screen after auto-detection, showing the message "DHCP service detected"]

Manual
496. s WAN to DMZ

Message: Nov 29 09:19:43 UTM kernel: WAN2DMZ ACCEPT IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the WAN to the DMZ has been allowed by the firewall. For other settings, see Table C-1.
Recommended Action: None

System Logs and Error Messages C-17 / C-18

Appendix D: Two-Factor Authentication

This appendix provides an overview of Two-Factor Authentication and an example of how to implement the WiKID solution. This appendix contains the following sections:
• Why do I need Two-Factor Authentication? (on this page)
• NETGEAR Two-Factor Authentication Solutions (on page D-2)

Why do I need Two-Factor Authentication?

In today's market, online identity theft and online fraud continue to be one of the fastest-growing cyber-crime activities used by many unethical hackers and cyber-criminals to steal digital assets for financial gains. Many companies and corporations are losing millions of dollars and running into risks of revealing their trade secrets and other proprietary information as the result of these cyber-crime activities. Security threats and hackers have become more sophisticated, and user names, encrypted passwords, and the presence of firewalls are no longer enough to protect the ne
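The routing-log entries in Appendix C and the "Using Logs to Identify Infected Clients" procedure both boil down to the same two tasks: parse the firewall's per-packet log lines into fields, then look for internal hosts that send an unusual number of flows to one destination. The Python below is an added example, not code from the manual or from NETGEAR; it assumes the netfilter-style `KEY=VALUE` layout for the message body (the manual's sample messages lose their punctuation in this copy, so that exact layout is an assumption), and the sample lines are constructed for the example, reusing the addresses that appear in the manual's own samples.

```python
import re
from collections import Counter

# Assumed message layout (netfilter style): the zone pair and the verdict come
# first, then KEY=VALUE fields. The manual's sample lines appear here with their
# punctuation stripped, so this exact layout is an assumption of the example.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<zones>[A-Z]+2[A-Z]+) (?P<action>ACCEPT|DROP) (?P<fields>.*)$"
)


def parse_utm_log(line):
    """Parse one UTM routing-log line into a dict, or return None if it does
    not match. KEY=VALUE fields (IN, OUT, SRC, DST, PROTO, ...) become
    lower-case keys."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "zones": m.group("zones"),   # e.g. LAN2WAN, DMZ2WAN, WAN2DMZ
        "action": m.group("action"),
    }
    for key, value in re.findall(r"([A-Z]+)=(\S+)", m.group("fields")):
        rec[key.lower()] = value
    return rec


def flag_busy_sources(lines, min_flows=5, in_zone="LAN", out_zone="WAN"):
    """Count ACCEPTed flows per (src, dst) pair leaving in_zone for out_zone and
    return the pairs at or above min_flows, busiest first. This is the
    "suspicious volume to the same destination" check from the manual's
    infected-client procedure, applied to routing-log lines instead of the
    HTTP traffic query; the threshold is a constructed value."""
    counts = Counter()
    for line in lines:
        rec = parse_utm_log(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec.get("in") != in_zone or rec.get("out") != out_zone:
            continue
        counts[(rec["src"], rec["dst"])] += 1
    return [(src, dst, n) for (src, dst), n in counts.most_common() if n >= min_flows]


# Constructed sample log lines for the example (addresses reused from the
# manual's own samples; the repeated LAN host is the one we expect to flag).
SAMPLE_LINES = [
    "Nov 29 10:05:15 UTM kernel: LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.1.50 DST=72.14.207.99 PROTO=TCP SPT=49201 DPT=80",
    "Nov 29 10:05:16 UTM kernel: LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.1.50 DST=72.14.207.99 PROTO=TCP SPT=49202 DPT=80",
    "Nov 29 10:05:17 UTM kernel: LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.1.50 DST=72.14.207.99 PROTO=TCP SPT=49203 DPT=80",
    "Nov 29 10:05:18 UTM kernel: LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.1.50 DST=72.14.207.99 PROTO=TCP SPT=49204 DPT=80",
    "Nov 29 10:05:19 UTM kernel: LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.1.50 DST=72.14.207.99 PROTO=TCP SPT=49205 DPT=80",
    "Nov 29 10:05:20 UTM kernel: LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.1.50 DST=72.14.207.99 PROTO=TCP SPT=49206 DPT=80",
    "Nov 29 10:05:21 UTM kernel: LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.1.214 DST=72.14.207.99 PROTO=TCP SPT=51000 DPT=443",
    "Nov 29 10:05:22 UTM kernel: LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0",
    "Nov 29 09:19:43 UTM kernel: DMZ2WAN DROP IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0",
    "Nov 29 09:19:43 UTM kernel: WAN2DMZ ACCEPT IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0",
    "this line is not a routing log entry and is skipped",
]

if __name__ == "__main__":
    for src, dst, n in flag_busy_sources(SAMPLE_LINES, min_flows=5):
        print(f"{src} -> {dst}: {n} accepted flows; query this client's HTTP traffic next")
```

Running the block over the constructed lines reports only `192.168.1.50 -> 72.14.207.99` (6 accepted LAN-to-WAN flows); the DROP entry, the DMZ and WAN-originated entries, and the unparsable line are all left out of the count, which mirrors the manual's advice to run a follow-up query on just that client's HTTP activity rather than on every host.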
497. s precedence, and URLs on the whitelist are not scanned.
 | Note: Wildcards are supported. For example, if you enter www net com in the URL field, any URL that begins with www.net is blocked, and any URL that ends with .com is blocked.
 | Delete: To delete one or more URLs, highlight the URLs and click the Delete table button.
 | Export: To export the URLs, click the Export table button and follow the instructions of your browser.
Add URL | Type or copy a URL in the Add URL field. Then click the Add table button to add the URL to the URL field.
Import from File | To import a list with URLs into the URL field, click the Browse button and navigate to a file in .txt format that contains line-delimited URLs (that is, one URL per line). Then click the Upload table button to add the URLs to the URL field.
 | Note: Any existing URLs in the URL field are overwritten when you import a list of URLs from a file.
Replace the Content of a Blocked Page with the Following Text | By default, a blocked URL is replaced with the following text, which you can customize: "Internet Policy has restricted access to this location URL".
 | Note: The text is displayed on the URL Filtering screen with HTML tags. However, when the UTM replaces the content of a blocked Web page, the screen displays the notification text in HTML format.
 | Note: Make sure that you keep the URL meta word in the text to enable the UTM to insert the
498. s, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule may block or allow traffic between the DMZ and any internal LAN IP address according to the schedule created in the Schedule menu.

To create a new outbound LAN DMZ service rule:
1. In the LAN DMZ Rules screen, click the Add table button under the Outbound Services table. The Add LAN DMZ Outbound Service screen displays.

[Figure 5-9: Add LAN DMZ Outbound Service screen ("Operation succeeded"), with the fields Service (ANY), Action (BLOCK always), Select Schedule, LAN Users (Any; Start / Finish), DMZ Users (Start / Finish), Scheduled (Never)]

5-20 Firewall Protection

2. Enter the settings as explained in Table 5-2 on page 5-5.
3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.

LAN DMZ Inbound Services Rules

The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic from the LAN to the DMZ is allowed.

To create a new inbound LAN DMZ service rule:
1. In the LAN DMZ Rules screen, click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen displays.

[Add LAN DMZ Inbound Service screen: "Operation succeede
500. s
SA Endpoint | The IP address on the remote VPN endpoint.
Tx (KB) | The amount of data that is transmitted over this SA.
Tx (Packets) | The number of IP packets that are transmitted over this SA.
State | The current status of the SA. Phase 1 is the authentication phase, and Phase 2 is the key exchange phase. If there is no connection, the status is IPsec SA Not Established.
Action | Click the Connect table button to build the connection, or click the Disconnect table button to terminate the connection.

Viewing the UTM IPsec VPN Log

To query the IPsec VPN log:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view.
2. Click the Logs Query submenu tab. The Logs Query screen displays.
3. From the Log Type pull-down menu, select IPSEC VPN. The IPsec VPN logs display (see Figure 7-19 on page 7-22).

Virtual Private Networking Using IPsec Connections 7-21

[Figure 7-19: IPSec VPN Logs screen, showing isakmp and NAT-T log entries dated 2009 Jun 29 from host UTM]
501. s a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on Active Directory attributes.
 | Note: A Microsoft Active Directory database uses an LDAP organization schema.

9-2 Managing Users, Authentication, and Certificates

Table 9-1. Authentication Protocols and Methods (continued)

Authentication Protocol or Method | Description (or Subfield and Description)
LDAP | A network-validated, domain-based authentication method that functions with a Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on LDAP attributes.

To create a domain:
1. Select Users > Domains from the menu. The Domains screen displays. Figure 9-1 shows the UTM's default domain, geardomain, and, as an example, another domain in the List of Domains table.

[Figure 9-1: Domains screen. "Do you want to disable Local Authentication?" (Yes / No). List of Domains table with the columns Domain Name, Authentication Type, Portal Layout Name, and Action (edit), showing geardomain / local / SSL-VPN and SSLTestDomain / local / CustomerSupport; Default Domains; table buttons Select All, Delete, Add]
502. s and as explained in Table 7-2.

Table 7-2. IPsec VPN Wizard Settings for a Gateway-to-Gateway Tunnel

Setting | Description (or Subfield and Description)
About VPN Wizard: This VPN tunnel will connect to the following peers | Select the Gateway radio button. The local WAN port's IP address or Internet name appears in the End Point Information section of the screen.
Connection Name and Remote IP Type: What is the new Connection Name? | Enter a descriptive name for the connection. This name is used to help you to manage the VPN settings; the name is not supplied to the remote VPN endpoint.
What is the pre-shared key? | Enter a pre-shared key. The key must be entered both here and on the remote VPN gateway. This key must have a minimum length of 8 characters and should not exceed 49 characters.

Virtual Private Networking Using IPsec Connections

Table 7-2. IPsec VPN Wizard Settings for a Gateway-to-Gateway Tunnel (continued)

Setting | Description (or Subfield and Description)
This VPN tunnel will use the following local WAN Interface (dual WAN port models only) | For the dual WAN port models only, select one of the two radio buttons (WAN1 or WAN2) to specify which local WAN interface the VPN tunnel uses as the local endpoint.
 | Note: If a dual WAN port model is configured to function in WAN auto-rollove
503. s as yourhost.dyndns.org.
Update every 30 days | If your WAN IP address does not change often, you might need to force a periodic update to the DDNS service to prevent your account from expiring. If it appears, you can select the Update every 30 days checkbox to enable a periodic update.
WAN2 Dynamic DNS Status | See the information for WAN 1 above about how to enter the settings. You can select different DDNS services for WAN 1 and WAN 2.

Manually Configuring Internet and WAN Settings 3-21

7. Click Apply to save your configuration.

Configuring Advanced WAN Options

The advanced options include configuration of the maximum transmission unit (MTU) size, port speed, the UTM's MAC address, and setting a rate limit on the traffic that is being forwarded by the UTM.

To configure advanced WAN options:
1. Select Network Config > WAN Settings from the menu. On a dual WAN port model, the WAN Settings tabs appear with the WAN1 ISP Settings screen in view. On a single WAN port model, the WAN ISP Settings screen displays.
2. Click the Advanced option arrow. On a dual WAN port model, the WAN1 Advanced Options screen displays (see Figure 3-13). On a single WAN port model, the WAN Advanced Options screen displays.

[Figure 3-13: WAN1 Advanced Options screen, with the fields MTU Size (Default / Custom, 1500 Bytes), Port Speed, and Router's MAC Address]
505. … field blank to specify the address of the appropriate subnet mask.

SSL VPN Wizard Step 5 of 6: Port Forwarding

[Figure 8-6: SSL VPN Wizard Step 5 of 6 screen. Example entries: Local Server IP Address 192.168.191.102 with a TCP Port Number, and Local Server IP Address 192.168.191.102 with the Fully Qualified Domain Name terminalservices.com. The on-screen note reads: If you do not need to configure port forwarding, you can leave all the fields blank and proceed to the next step. Please make sure that the IP and the port number have NOT been used if you want to add a new application; otherwise the wizard will fail and the UTM will have to reboot to recover a previously working configuration.]

Note that Figure 8-6 contains some examples. Enter the settings as explained in Table 8-5, then click Next to go to the following screen.

Note: Do not enter an IP address that is already in use in the first Local Server IP Address field, or a port number that is already in use in the TCP Port Number field; otherwise the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration.

Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the port forwarding settings by selecting VPN > SSL VPN > Port Forwarding. For more information about port forwarding
506. … infected, with a default warning message. The warning message informs the end user about the name of the malware threat. You can change the default message to include the action that the UTM has taken (see the example below). By default this checkbox is selected and a warning message replaces an infected e-mail.

Note: Make sure that you keep the VIRUSINFO meta word in the message. It is the placeholder that the UTM replaces with the malware information; a custom message without it tells the recipient nothing about the threat. The following is an example message in which the VIRUSINFO meta word has been replaced with the details of the EICAR test virus:

This attachment contains malware: File 1.exe contains malware EICAR. Action: Delete

Email Alert Settings

Note: Ensure that the E-mail Notification Server (see Configuring the E-mail Notification Server on page 11-5) is configured before you specify the e-mail alert settings.

Send alert to: In addition to inserting a warning message that replaces an infected e-mail, you can configure the UTM to send a notification e-mail to the sender, the recipient, or both by selecting the corresponding checkbox or checkboxes. By default both checkboxes are deselected and no notification e-mail is sent.

Table 6-2 E-mail Anti-Virus and Notification Settings (continued)
Setting: Description (or Subfield and Description)
Subject: The default su…
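The following is an added example, not code from the Netgear manual: it builds an EICAR test e-mail that can be relayed through the UTM (for example with smtplib) to confirm that the replacement message and the sender/recipient alerts behave as configured, and it models the meta-word substitution so the manual's caveat about keeping VIRUSINFO can be checked before a custom message is saved. Two things are assumptions rather than facts from the page: that the meta word is matched as the literal string VIRUSINFO, and that the substituted text has the shape "File <name> contains malware <threat>. Action: <action>", which is inferred from the example output above.

```python
"""Added example: EICAR test mail for the UTM's e-mail anti-virus path, and a
model of the VIRUSINFO meta-word substitution. Not Netgear code; the meta
word spelling and the substituted-text format are assumptions."""
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy

# EICAR test string: a harmless, industry-standard scanner test pattern.
# Built by concatenation so the pattern is not stored contiguously in this file.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

META_WORD = "VIRUSINFO"   # assumed literal spelling of the meta word


def build_eicar_test_mail(sender: str, recipient: str) -> bytes:
    """Return a MIME message with eicar.com attached, ready to send through the
    UTM so the warning message and alert e-mails can be observed end to end."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "UTM e-mail anti-virus check (EICAR)"
    msg.set_content("Harmless EICAR attachment for verifying the UTM's warning message.")
    msg.add_attachment(EICAR.encode("ascii"), maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


def attachment_payloads(raw: bytes) -> list:
    """Decode the attachments of a raw message: used to confirm what was sent,
    and to inspect what the UTM delivered in its place."""
    msg = message_from_bytes(raw, policy=default_policy)
    return [part.get_content() for part in msg.iter_attachments()]


def keeps_meta_word(template: str) -> bool:
    """The manual's caveat: a custom message must still contain the meta word."""
    return META_WORD in template


def render_warning(template: str, filename: str, threat: str, action: str) -> str:
    """Model of the substitution the UTM performs (output format assumed)."""
    if not keeps_meta_word(template):
        raise ValueError(f"template must contain the {META_WORD} meta word")
    info = f"File {filename} contains malware {threat}. Action: {action}"
    return template.replace(META_WORD, info)
```

Send the bytes returned by build_eicar_test_mail through the UTM from a LAN host; the delivered message should carry the rendered warning in place of eicar.com, and if sender or recipient alerts are enabled, the notification mails should arrive as well.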
507. … section of the LAN Groups screen (see Figure 4-5 on page 4-14), enter the settings as explained in Table 4-2.

Table 4-2 Add Known PCs and Devices Settings
Setting: Description (or Subfield and Description)
Name: Enter the name of the PC or device.
IP Address Type: From the pull-down menu, select how the PC or device receives its IP address.
  - Fixed (set on PC): The IP address is statically assigned on the PC or device.
  - Reserved (DHCP Client): Directs the UTM's DHCP server to always assign the specified IP address to this client during the DHCP negotiation (see Setting Up Address Reservation on page 4-17).
  Note: When assigning a reserved IP address to a client, the IP address selected must be outside the range of addresses allocated to the DHCP server pool.
IP Address: Enter the IP address that this PC or device is assigned. If the IP Address Type is Reserved (DHCP Client), the UTM reserves the IP address for the associated MAC address.
MAC Address: Enter the MAC address of the PC or device's network interface. The MAC address format is six colon-separated pairs of hexadecimal characters (0-9 and A-F), such as 01:23:45:67:89:AB.
Group: From the pull-down menu, select the group to which the PC or device is assigned. Group 1 is the default group.
Profile Name: From the pull-down menu, select the VLAN profile to which the PC or device is assigned. defaultVlan is the default VLAN profile.
508. … support the following traffic rates:
- Load balancing mode (dual WAN port models only): 3 Mbps (two WAN ports at 1.5 Mbps each).
- Auto-rollover mode (dual WAN port models only): 1.5 Mbps (one active WAN port at 1.5 Mbps).
- Single WAN port mode (single WAN port models and dual WAN port models): 1.5 Mbps (one active WAN port at 1.5 Mbps).

As a result, and depending on the traffic that is being carried, the WAN side of the UTM is the limiting factor to throughput for most installations. Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the UTM, but there is no backup capacity in case one of the WAN ports fails. When such a failure occurs, the traffic that would have been sent on the failed WAN port is diverted to the WAN port that is still working, thus increasing its load. There is one exception: traffic that is bound by protocol to the WAN port that failed is not diverted.

Features That Reduce Traffic
You can adjust the following features of the UTM so that the traffic load on the WAN side decreases:
- LAN WAN outbound rules (also referred to as service blocking)
- DMZ WAN outbound rules (also referred to as service blocking)
- Content filtering
- Source MAC filtering

LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)
You can control specific outbound tra…
509. … to apply the rule to a range of devices.
Groups: Select the group to which the rule applies. Use the LAN Groups screen under Network Configuration to assign PCs to groups (see Managing Groups and Hosts (LAN Groups) on page 4-12).
  Note: This field is not applicable to inbound LAN WAN rules.
WAN Users: The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
  - Any: All Internet IP addresses are covered by this rule.
  - Single address: Enter the required address in the Start field.
  - Address range: Enter the required addresses in the Start and Finish fields.
DMZ Users: The settings that determine which computers on the DMZ network are affected by this rule. The options are:
  - Any: All PCs and devices on your DMZ network.
  - Single address: Enter the required address to apply the rule to a single PC on the DMZ network.
  - Address range: Enter the required addresses in the Start and Finish fields to apply the rule to a range of DMZ computers.
  Note: This field is not applicable to inbound DMZ WAN rules.
QoS Profile: The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards (RFC 1349). The QoS profile determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The UTM marks the Type of Service (ToS) field as defined in the QoS profiles that…
510. …

[Figure 11-22: System log screen with Refresh and Clear Log buttons. The visible entries are dhcpd messages of the form "2009 Sep 19 06:15:12 UTM dhcpd: Listening on LPF/eth0.1/00:22:…", "… Sending on LPF/eth0.1/…", "… Sending on Socket/fallback/…" and "… Wrote 0 leases to leases file", repeated at 06:15:12, 06:15:23 and 06:16:14.]

Querying Logs and Generating Reports

The extensive logging and reporting functions of the UTM let you perform the following tasks that help you to monitor the protection of the network and the performance of the UTM:
- Querying and downloading logs
- Generating and downloading e-mail, Web, and system reports
- Scheduling automatic e-mail, Web, and system reports, and e-mailing these reports to specified recipients

For information about e-mailing logs and sending logs to a syslog server, see Configuring and Activating System E-mail and Syslog Logs on page 11-6.

Querying the Logs
The UTM generates logs that provide detailed information about malware threats and traffic activities on the network. You can view these logs
511. … (see Figure 3-11 on page 3-20).

[Figure 3-11: Dynamic DNS screen (DynDNS submenu tab). The DynDNS Information section reports the Current WAN Mode (Single Port WAN1). The WAN1 Dynamic DNS Status and WAN2 Dynamic DNS Status sections (service is not enabled) each contain Host and Domain Name (example: yourname.dyndns.org), User Name, Password, Use wildcards, Update every 30 days, Configured DDNS (none), and Change DNS to DynDNS.org (Yes/No).]

The WAN Mode section on screen reports the currently configured WAN mode (for the dual WAN port models, for example, Single Port WAN1, Load Balancing, or Auto-Rollover). Only those options that match the configured WAN mode are accessible on screen.

3. Select the submenu tab for your DDNS service provider:
- Dynamic DNS submenu tab (shown in Figure 3-11) for DynDNS.org or DYNDNS.com
- DNS TZO submenu tab for TZO.com
- DNS Oray submenu tab for Oray.net

4. Click the Information option arrow in the upper right corner of a DNS screen for re…
512. … addresses that you must specify. Each pool address is tested before it is assigned, to avoid duplicate addresses on the LAN. When you create a new VLAN, the DHCP server option is disabled by default. For most applications, the default DHCP server and TCP/IP settings of the UTM are satisfactory. See the link to Preparing Your Network in Appendix E for an explanation of DHCP and information about how to assign IP addresses for your network.

The UTM delivers the following settings to any LAN device that requests DHCP:
- An IP address from the range that you have defined
- Subnet mask
- Gateway IP address (the UTM's LAN IP address)
- Primary DNS server (the UTM's LAN IP address)
- WINS server, if you entered a WINS server address in the DHCP Setup menu
- Lease time (the date obtained and the duration of the lease)

DHCP Relay
DHCP relay options allow you to make the UTM a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent across routers that do not forward these types of messages. The DHCP relay agent is therefore the mechanism that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet. If you do not configure a DHCP relay agent for a VLAN, its clients can only obtain IP addresses from a DHCP server that is on the same subnet.
513. … settings, see Configuring Applications for Port Forwarding on page 8-22.

Table 8-5 SSL VPN Wizard Step 5: Port Forwarding Settings
Item: Description (or Subfield and Description)
Add New Application for Port Forwarding
  Local Server IP Address: The IP address of an internal server or host computer that remote users have access to.
  TCP Port Number: The TCP port number of the application that is accessed through the SSL VPN tunnel. Below are some commonly used TCP applications and port numbers:
    - FTP Data (usually not needed): 20
    - FTP Control Protocol: 21
    - SSH: 22
    - Telnet: 23
    - SMTP (send mail): 25
    - HTTP (web): 80
    - POP3 (receive mail): 110
    - NTP (network time protocol): 123
    - Citrix: 1494
    - Terminal Services: 3389
    - VNC (virtual network computing): 5900 or 5800
Add New Host Name for Port Forwarding
  Local Server IP Address: The IP address of an internal server or host computer that you want to name.
  Note: Both Local Server IP Address fields on this screen, that is, the one in the Add New Application for Port Forwarding section and the one in the Add New Host Name for Port Forwarding section, must contai…
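The wizard notes above (on the Step 5 screen and in this table) warn that entering a Local Server IP Address or TCP port that is already in use makes the wizard fail and forces a reboot. The following added example, which is not code from the manual or from Netgear, is a pre-flight check an administrator can run before filling in the screen: it compares the candidate entry with the existing port-forwarding list and, optionally, confirms from the LAN that the internal server actually accepts TCP connections on that port. The existing-entries list is constructed here; on a real UTM it would be copied from VPN > SSL VPN > Port Forwarding. Because the manual's wording covers both the address and the port, an exact duplicate is reported as a conflict and a reuse of the same address with a different port is reported separately, so the operator can decide whether the appliance accepts it.

```python
"""Added example: pre-flight check for a new SSL VPN port-forwarding entry.
Not Netgear code. The existing list and the probe callback are assumptions."""
import socket
from typing import Callable, Iterable, List, Optional, Tuple

Entry = Tuple[str, int]   # (local server IP address, TCP port number)

# Commonly used ports from Table 8-5, used only to label the report.
WELL_KNOWN = {20: "FTP Data", 21: "FTP Control", 22: "SSH", 23: "Telnet",
              25: "SMTP", 80: "HTTP", 110: "POP3", 123: "NTP", 1494: "Citrix",
              3389: "Terminal Services", 5800: "VNC", 5900: "VNC"}


def find_conflicts(existing: Iterable[Entry], candidate: Entry) -> List[Tuple[str, Entry]]:
    """Return ("duplicate", entry) for an exact (ip, port) match and
    ("same_ip", entry) when only the address is already in use."""
    ip, port = candidate
    conflicts = []
    for e_ip, e_port in existing:
        if e_ip == ip and e_port == port:
            conflicts.append(("duplicate", (e_ip, e_port)))
        elif e_ip == ip:
            conflicts.append(("same_ip", (e_ip, e_port)))
    return conflicts


def tcp_listening(ip: str, port: int, timeout: float = 2.0) -> bool:
    """True if something accepts a TCP connection at ip:port (run from the LAN,
    so the check is not affected by the firewall rules on the UTM)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def precheck(existing: Iterable[Entry], candidate: Entry,
             probe: Optional[Callable[[str, int], bool]] = None) -> dict:
    """Summarise whether the candidate is safe to enter in the wizard.
    Pass probe=tcp_listening to also verify the internal server is up."""
    ip, port = candidate
    conflicts = find_conflicts(existing, candidate)
    result = {
        "ok": not any(kind == "duplicate" for kind, _ in conflicts),
        "service": WELL_KNOWN.get(port, "unknown"),
        "conflicts": conflicts,
    }
    if probe is not None:
        result["listening"] = probe(ip, port)
    return result
```

A result with "ok" False must not be entered in the wizard; a result with "listening" False means the forwarding entry would be accepted but remote users would get nothing from it, which is worth knowing before the configuration is committed.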
514. … outside of the DHCP server pool.

To reserve an IP address, select Reserved (DHCP Client) from the IP Address Type pull-down menu on the LAN Groups screen (as described in Adding PCs or Devices to the Network Database on page 4-15) or on the Edit Groups and Hosts screen (as described in Editing PCs or Devices in the Network Database on page 4-16).

Note: The reserved address is not assigned until the next time the PC or device contacts the UTM's DHCP server. Reboot the PC or device, or access its IP configuration and force a DHCP release and renew.

Configuring and Enabling the DMZ Port
The De-Militarized Zone (DMZ) is a network that by default has fewer firewall restrictions than the LAN. The DMZ can be used to host servers such as a Web server, FTP server, or e-mail server, and to provide public access to them. The fourth LAN port on the UTM (the rightmost LAN port) can be dedicated as a hardware DMZ port to provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NA…
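Table 4-2 and the address reservation procedure above state two rules for a reservation: the MAC address must be six colon-separated hexadecimal pairs, and the reserved address must lie outside the DHCP server pool. The following added example, which is not code from the manual or from Netgear, validates a reservation against those rules before it is entered on the LAN Groups screen, and adds the checks a practitioner would want alongside them: the address must belong to the LAN subnet, must not be the UTM's own LAN address or the network or broadcast address, and must not collide with a reservation already made for another MAC address. The LAN, pool and existing-reservation values are constructed for the example.

```python
"""Added example: validate a UTM DHCP address reservation before entering it.
Not Netgear code. The LAN, pool and existing reservations are constructed."""
import ipaddress
import re
from typing import Dict, List

# Table 4-2 format: six colon-separated pairs of hex digits, e.g. 01:23:45:67:89:AB
MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Accept 01-23-45-67-89-ab or 01:23:45:67:89:ab; return 01:23:45:67:89:AB."""
    m = mac.strip().upper().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"MAC address {mac!r} is not six colon-separated hex pairs")
    return m


def check_reservation(lan_ip: str, prefix: int, pool_start: str, pool_end: str,
                      reserved_ip: str, mac: str,
                      existing: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the reservation is sound.
    `existing` maps normalized MAC -> reserved IP for reservations already made."""
    problems: List[str] = []
    mac_n = None
    try:
        mac_n = normalize_mac(mac)
    except ValueError as exc:
        problems.append(str(exc))

    lan = ipaddress.ip_interface(f"{lan_ip}/{prefix}")
    net = lan.network
    ip = ipaddress.ip_address(reserved_ip)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)

    if ip not in net:
        problems.append(f"{ip} is outside the LAN subnet {net}")
    elif ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if ip == lan.ip:
        problems.append(f"{ip} is the UTM's own LAN address")
    if lo <= ip <= hi:   # the manual's rule: reserved addresses stay out of the pool
        problems.append(f"{ip} is inside the DHCP pool {lo}-{hi}; choose an address outside it")

    if mac_n is not None:
        if mac_n in existing and existing[mac_n] != str(ip):
            problems.append(f"{mac_n} already has a reservation for {existing[mac_n]}")
        for other_mac, other_ip in existing.items():
            if other_ip == str(ip) and other_mac != mac_n:
                problems.append(f"{ip} is already reserved for {other_mac}")
    return problems
```

Run the check once per planned reservation; after entering an accepted reservation, remember the manual's note above that the client only receives the address on its next DHCP release and renew.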
515. …sing 255.255.255.0.
Protocol: From the pull-down menu, select All.

Table 7-17 Security Policy Editor: Remote Party (Mode Config) Settings (continued)
Setting: Description (or Subfield and Description)
Use: Select the Use checkbox. Then, from the pull-down menu, select Secure Gateway Tunnel.
  Left pull-down menu: From the left pull-down menu, select Domain Name. Then, below it, enter the local FQDN that you specified in the UTM's Mode Config IKE policy. In this example we are using utm25_local.com.
  Right pull-down menu: From the right pull-down menu, select Gateway IP Address. Then, below it, enter the IP address of the WAN interface that you selected on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-10). In this example the WAN IP address is 192.168.50.61.
  Note: You can find the WAN IP address on the Connection Status screen for the selected WAN port. For more information, see Viewing the WAN Ports Status on page 11-27.

4. Click the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.

5. In the left frame, click My Identity. Th…
516. … single WAN port gateway configuration when you specify the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore the use of an FQDN is always required, even when the IP address of each WAN port is fixed.

Note: When the UTM's WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address. However, you can configure automatic IPsec VPN rollover to ensure that an IPsec VPN tunnel is re-established.

[Figure B-7: Dual WAN ports in rollover mode, before and after rollover. Before rollover, the VPN router's WAN1 port carries the gateway name netgear.dyndns.org and WAN2 is inactive (IP N/A); after rollover, WAN1 is inactive (IP N/A) and WAN2 carries the gateway name netgear.dyndns.org. The IP address of the active WAN port changes after a rollover, so the use of fully qualified domain names is always required.]

Dual WAN Ports in Load Balancing Mode
A dual WAN port load balancing gateway configuration is the same as a single WAN port configuration when you specify the IP address of the VPN tunnel endpoint. Each IP address is either fixed or dynamic, based on the ISP: you must use FQDNs when the IP address is dynamic, and FQDNs are optional when the IP address is static.

[Figure: Dual WAN Ports Load Balancing Gateway. The IP addresses of the WAN ports are handled as in the single WAN port case: the use of fully qualified domain names is required for dynamic IP addresses and …]
517. … situation. When the maximum number of times is exceeded, the IPsec connection is terminated. The default setting is 3 IKE connection failures.

Table 7-16 Add IKE Policy Settings for a Mode Config Configuration (continued)
Item: Description (or Subfield and Description)
Extended Authentication
XAUTH Configuration: Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information.
  - None: XAUTH is disabled. This is the default setting.
  - Edge Device: The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, or RADIUS CHAP.
  - IPSec Host: The UTM functions as a VPN client of the remote gateway. In this configuration the UTM is authenticated by a remote gateway with a user name and password combination.
  Note: For more information about XAUTH and its authentication modes, see Configuring XAUTH for VPN Clients on page 7-39.
Authentication Type: For an Edge Device configuration, from the pull-down menu select one of the following authentication types:
  - User Database: XAUTH occurs through the UTM's user database. Users…
518. … sources.

To enable the real-time blacklist:
1. Select Application Security > Anti-Spam from the menu. The Anti-Spam submenu tabs appear with the Whitelist/Blacklist screen in view.
2. Click the Real-time Blacklist submenu tab. The Real-time Blacklist screen displays.

[Figure 6-5: Real-time Blacklist screen. Above the Enable checkbox are the Application Security tabs (Services, Email Anti-Virus, Email Filters, HTTP/HTTPS, FTP, Block/Accept Exceptions, Scanning Exclusions) and the Anti-Spam tabs (Whitelist/Blacklist, Real-time Blacklist, Distributed Spam Analysis). The table lists the default providers Spamhaus (RBL domain suffix zen.spamhaus.org) and Spamcop (bl.spamcop.net), each with an Active checkbox and a Delete button, followed by an Add Real-time Blacklist Provider section with Provider and RBL Domain Suffix fields and an Add button.]

3. Select the Enable checkbox to enable the Real-time Blacklist function.
4. Select the Active checkboxes to the left of the default blacklist providers (Spamhaus and Spamcop) that you want to activate.
5. Click Apply to save your settings.

To add a blacklist provider to the real-time blacklist:
1. In the Add Real-time Blacklist section, add the following information:
- In the Provider field, add the name of the blacklist provider.
- In the RBL Domain Suffix field, enter the domain suffix of the blacklist provider.
2. Click the Add table button in the Add column. The new blacklist provider is added to the real-time…
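A real-time blacklist is a DNS zone: the UTM reverses the octets of the connecting mail server's IPv4 address, prepends them to the RBL domain suffix, and treats an A record answer as "listed" and NXDOMAIN as "not listed". The following added example, which is not code from the manual or from Netgear, performs that same lookup so an administrator can test a sender address, or a new provider's suffix, before activating it on the screen above. It uses the two default providers shown in Figure 6-5; the resolver is injectable so the function can be exercised offline, and the Spamhaus ZEN return-code table is taken from Spamhaus's published documentation and should be verified against the current version. The guard on answers outside 127.0.0.0/8 is a practitioner's check, not something the page states: a mistyped suffix that happens to resolve, or a wildcard domain, must not be mistaken for a listing.

```python
"""Added example: DNS-based RBL lookup as the UTM performs it. Not Netgear
code. The ZEN return codes are from Spamhaus documentation; verify them."""
import ipaddress
import socket
from typing import Callable, Dict, List

# Default providers shown on the UTM's Real-time Blacklist screen (Figure 6-5).
RBL_PROVIDERS = {"Spamhaus": "zen.spamhaus.org", "Spamcop": "bl.spamcop.net"}

# Meaning of Spamhaus ZEN answer codes (as published by Spamhaus; may change).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
             "127.0.0.9": "SBL DROP", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

Resolver = Callable[[str], List[str]]   # name -> list of A record answers


def rbl_query_name(ip: str, suffix: str) -> str:
    """192.0.2.10 + zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.IPv4Address(ip)   # rejects IPv6 and malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + suffix


def system_resolver(name: str) -> List[str]:
    """Resolve with the host's resolver; raises socket.gaierror on NXDOMAIN."""
    return socket.gethostbyname_ex(name)[2]


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline resolver backed by a dict; unknown names behave like NXDOMAIN."""
    def resolve(name: str) -> List[str]:
        if name in table:
            return table[name]
        raise socket.gaierror("NXDOMAIN (simulated)")
    return resolve


def rbl_lookup(ip: str, suffix: str, resolver: Resolver = system_resolver) -> List[str]:
    """Return the RBL's answer codes for ip, or [] when it is not listed."""
    try:
        answers = resolver(rbl_query_name(ip, suffix))
    except socket.gaierror:
        return []
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    bad = [a for a in answers if ipaddress.IPv4Address(a) not in loopback]
    if bad:   # not an RBL answer: typo in the suffix, wildcard zone, or blocked resolver
        raise RuntimeError(f"unexpected RBL answer {bad} for {suffix}; check the suffix")
    return answers


def check_sender(ip: str, providers: Dict[str, str] = RBL_PROVIDERS,
                 resolver: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Query every configured provider; values are answer codes ([] = clean)."""
    return {name: rbl_lookup(ip, suffix, resolver) for name, suffix in providers.items()}


def describe_zen(answers: List[str]) -> List[str]:
    """Translate Spamhaus ZEN codes into list names for a human-readable report."""
    return [ZEN_CODES.get(a, f"unknown code {a}") for a in answers]
```

Run check_sender against a real address from the UTM's LAN with the system resolver to confirm that the appliance's DNS path can reach the providers at all; an address that every provider reports as clean while known-bad senders still get through usually means the UTM's DNS server, not the blacklist, is the problem.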
519. …

[Figure 8-7: SSL VPN Wizard Step 6 of 6 summary (continued): Client Address Range Begin 192.168.251.1; Client Address Range End 192.168.251.254; Client Route; Port Forwarding: Local Server IP Address 192.168.191.102, TCP Port Number 3389; Local Server IP Address 192.168.191.102, Fully Qualified Domain Name terminalservices.com.]

Verify your settings. If you need to make any changes, click the Back action button (several times, if needed) to return to the screen on which you want to make changes. Click Apply to save your settings. If the settings are accepted by the UTM, the message "Operation Succeeded" appears at the top of the screen, and the Welcome to the Netgear Configuration Wizard screen displays again (see Figure 8-1 on page 8-2).

Accessing the New SSL Portal Login Screen
All screens that you can access from the SSL VPN menu of the Web Management Interface display a User Portal link at the upper right corner, above the menu bars. When you click the User Portal link, the SSL VPN default portal opens (see Figure 8-9 on page 8-15). This user portal is not the same as the new SSL portal login screen that you defined with the help of the SSL VPN Wizard.

To open the new SSL portal login screen:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view.
520. … business partners are only permitted to access a few resources, the page that you create presents only the resources that are relevant to these users.

Portal layouts are applied by selecting one from the available portal layouts in the configuration of a domain. When you have completed your portal layout, you can apply the portal layout to one or more authentication domains (see Configuring Domains on page 9-2). You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button adjacent to the portal layout name.

Note: The UTM's default portal address is https://<IP_Address>/portal/SSL-VPN. The default domain geardomain is attached to the SSL-VPN portal.

You may define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and Web cache control options. The default portal layout is the SSL-VPN portal. You can add additional portal layouts. You can also make any portal the default portal for the SSL VPN gateway by clicking the default button in the Action column of the List of Layouts, to the right of the desired portal layout.

To create a new SSL VPN portal layout:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in vie…
521. … 8-17
Creating the Portal Layout 8-18
Configuring Domains, Groups, and Users 8-22
Configuring Applications for Port Forwarding 8-22
Configuring the SSL VPN Client 8-25
Using Network Resource Objects to Simplify Policies 8-28
Configuring User, Group, and Global Policies 8-31

Chapter 9 Managing Users, Authentication, and Certificates
Configuring VPN Authentication Domains, Groups, and Users 9-1
Configuring Domains 9-2
Configuring Groups for VPN Policies 9-6
Configuring User Accounts 9-9
Setting User Login Policies 9-12
Changing Passwords and Other User Settings 9-16
Managing Digital Certificates 9-17
Managing CA Certificates 9-19
Managing Self Certificates 9-20
Managing the Certificate Revocation List 9-25

Chapter 10 Network and System Management
Performance Management 10-1
Bandwidth Capacity 10-1
Features That Reduce Traffic …
522. … most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions; the maximum total length of this field, excluding the delimiter commas, is 160 characters.

You can also use the pull-down menu to add predefined file extensions from a specific category to the File Extension field:
- None: No file extensions are added to the File Extension field. This is the default setting.
- Executables: Executable file extensions (exe, com, dll, so, lib, scr, bat, and cmd) are added to the File Extension field.
- Audio/Video: Audio and video file extensions (wav, mp3, avi, rm, rmvb, wma, wmv, mpg, mp4, and aac) are added to the File Extension field.
- Compressed Files: Compressed file extensions (zip, rar, gz, tar, and bz2) are added to the File Extension field.

Extension blocking acts on the file name, so a renamed or archived file is not caught by it; treat it as a way to reduce unwanted traffic and rely on the malware scan for detection.

3. Click Apply to save your settings.

Setting Web Access Exceptions and Scanning Exclusions
After you have specified which content the UTM filters, you can set exception rules for users of certain LAN groups. Similarly, after you have specified which IP addresses and ports the UTM scans for malware threats, you can set scanning exclusion rules for certain IP addresses and ports.

Setting Web Access Exception Rules
You can set exception rules for members of a LAN group to allow access to applications, Web categories, and URLs that you have blocked for all other users, or the other way around, to b…
523. … Operation succeeded.

[Figure 3-3: WAN Connection Status window: Connection Time 0 Days 00:23:41; Connection Type DHCP; Connection State Connected; IP Address 192.168.50.61; Subnet Mask 255.255.255.0; Gateway 192.168.50.1; DNS Server 192.168.50.1; DHCP Server 192.168.50.1; Lease Obtained Tue Apr 14 16:46:03 GMT 2009; Lease Duration 1 Day 00:00:00.]

The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to Manually Configuring the Internet Connection on this page, or see Troubleshooting the ISP Connection on page 12-5.

Note: If the configuration process was successful, you are connected to the Internet through WAN port 1. If you intend to use the dual WAN capabilities of the UTM25, continue with the configuration process for WAN port 2.

Note: For more information about the WAN Connection Status screen, see Viewing the WAN Ports Status on page 11-27.

4. Click the WAN2 ISP Settings tab (dual WAN port models only).
5. Repeat the previous steps to automatically detect and configure the WAN2 Internet connection (dual WAN port models only).
6. Open the WAN Status window and verify a successful connection.

If your WAN ISP configuration was successful, you can skip ahead to Configuring the WAN Mode…
524. … The Edit IKE Policy screen displays. Figure 7-31 on page 7-56 shows only the top part of the screen, with the General section.

3. In the IKE SA Parameters section of the screen, locate the DPD fields.

[Figure 7-32: IKE SA Parameters section of the Edit IKE Policy screen: Encryption Algorithm; Authentication Algorithm; Authentication Method (Pre-shared key or RSA Signature; the screen example shows a pre-shared key of 111122223333, Key Length 8-49 characters); Diffie-Hellman (DH) Group (Group 2, 1024 bit); SA Lifetime (sec); Enable Dead Peer Detection (Yes/No); Detection Period (seconds); Reconnect after failure count.]

The pre-shared key in the figure is only a screen example; use a long, random key in a production policy.

4. Select the radio button and complete the fields as explained in Table 7-21.

Table 7-21 Dead Peer Detection Settings
Item: Description (or Subfield and Description)
IKE SA Parameters
Enable Dead Peer Detection: Select the Yes radio button to enable DPD. When the UTM detects an IKE connection failure, it deletes the IPsec and IKE SA and forces a re-establishment of the connection. You must enter the detection period and the maximum number of times that the UTM attempts to reconnect (see below).
  Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPsec traffic is idle. The default setting is 10 seconds.
  Reconnect after failure count: The maximum number of times that the UT…
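The following added example, which is not code from the manual or from Netgear, models the Dead Peer Detection behaviour that Table 7-21 describes, driven by a supplied clock so the timing can be reasoned about without a tunnel: an R-U-THERE is sent only while the tunnel has been idle for one Detection Period, an unanswered message is counted as a failure after another Detection Period, and once the failure count reaches the configured maximum the peer is declared dead, which is the point at which the UTM deletes the IPsec and IKE SAs and re-establishes the connection. Two details are assumptions rather than statements on the page: that inbound IPsec traffic counts as proof of liveness (as RFC 3706 allows), and that a failed message is retried immediately rather than after a separate timer.

```python
"""Added example: a clock-driven model of IPsec Dead Peer Detection with the
UTM's two parameters (Detection Period, Reconnect after failure count).
Not Netgear code; liveness and retry details are assumptions noted above."""
from typing import List, Optional, Tuple


class DeadPeerDetector:
    def __init__(self, detection_period: float = 10.0, max_failures: int = 3):
        self.period = detection_period          # Table 7-21 default: 10 seconds
        self.max_failures = max_failures        # Table 7-21 default: 3 failures
        self.last_proof = 0.0                   # last moment the peer proved it is alive
        self.pending_since: Optional[float] = None   # when the unanswered R-U-THERE went out
        self.failures = 0

    def on_inbound_traffic(self, now: float) -> None:
        """Inbound IPsec traffic proves the peer is alive (assumption, per RFC 3706)."""
        self.last_proof = now
        self.pending_since = None
        self.failures = 0

    def on_r_u_there_ack(self, now: float) -> None:
        """An R-U-THERE-ACK is the explicit proof of liveness."""
        self.on_inbound_traffic(now)

    def tick(self, now: float) -> str:
        """Call periodically; returns the action to take at this moment:
        idle, send_r_u_there, awaiting_ack, or peer_dead."""
        if self.pending_since is None:
            if now - self.last_proof >= self.period:   # idle for one period: probe
                self.pending_since = now
                return "send_r_u_there"
            return "idle"
        if now - self.pending_since >= self.period:    # probe unanswered for a period
            self.failures += 1
            if self.failures >= self.max_failures:
                # Delete IPsec and IKE SAs and re-establish; start over afterwards.
                self.failures = 0
                self.pending_since = None
                self.last_proof = now
                return "peer_dead"
            self.pending_since = now                   # retry immediately (assumption)
            return "send_r_u_there"
        return "awaiting_ack"


def simulate(detector: DeadPeerDetector, ticks: List[float],
             acks: List[float]) -> List[Tuple[float, str]]:
    """Replay ticks and ACK times in chronological order; return (time, action)
    for every tick, skipping the uneventful idle and awaiting_ack results."""
    events = sorted([(t, "tick") for t in ticks] + [(t, "ack") for t in acks])
    log = []
    for t, kind in events:
        if kind == "ack":
            detector.on_r_u_there_ack(t)
            continue
        action = detector.tick(t)
        if action not in ("idle", "awaiting_ack"):
            log.append((t, action))
    return log
```

With the defaults, a peer that stops answering is declared dead 40 seconds after the tunnel went idle (one period before the first probe, then three unanswered probes ten seconds apart); lowering the period or the failure count speeds up rollover at the cost of tearing down tunnels across brief outages.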
525. … The UTM reboots. During the reboot process, the Firmware screen remains visible. The reboot process is complete after several minutes, when the Test LED on the front panel goes off.

Updating the Scan Signatures and Scan Engine Firmware
To scan and detect viruses, spyware, and other malware threats, the UTM's scan engine requires two components:
- A pattern file that contains the virus signature files and virus database
- Firmware that functions in conjunction with the pattern file

Because new virus threats can appear at any hour of the day, it is very important to keep both the pattern file and the scan engine firmware as current as possible. The UTM can automatically check for updates as often as every 15 minutes to ensure that your network protection is current.

To view the current versions and most recent updates of the pattern file and scan engine firmware that your UTM is running, select Administration > System Update from the menu. The System Update submenu tabs appear with the Signatures & Engine screen in view (see Figure 10-7 on page 10-22).

[Figure 10-7: Signatures & Engine screen. Component table: Scan engine, Current Version 20090327.1733.0.0, Last Updated 2009-04-29; Pattern file, Current Version 200905191534, Last Updated 2009-05-19. Update Settings section: Update Scan engine and Signatures; Update From: Default update server, O…]
526. … Users. For more information about user settings, see Configuring User Accounts on page 9-9.

Table 8-3 SSL VPN Wizard Step 3: User Settings
Setting: Description (or Subfield and Description)
User Name: A descriptive alphanumeric name of the user, for identification and management purposes.
User Type: When you use the SSL VPN Wizard, the user type is always SSL VPN User. You cannot change the user type on this screen; the user type is displayed for information only.
Group: When you create a new domain on the second SSL VPN Wizard screen, a group with the same name is automatically created. A user must belong to a group, and a group must belong to a domain. You cannot change the group on this screen; the group is displayed for information only.
Password: The password that must be entered by the user to gain access to the UTM. The password must contain alphanumeric or … characters.
Confirm Password: This field must be identical to the Password field above.
Idle Timeout: The period after which an idle user is automatically logged out of the Web Management Interface. The default idle timeout period is 5 minutes.

SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes

[Figure: SSL VPN Wizard Step 4 of 6 screen, beginning with the Enable Full Tunnel Support checkbox …]
527. … All table button to select all IKE policies.
2. Click the Delete table button.

To add or edit an IKE policy, see Manually Adding or Editing an IKE Policy on this page.

Note: You cannot delete or edit an IKE policy for which the VPN policy is active. You first must disable or delete the VPN policy before you can delete or edit the IKE policy.

Note: To gain a more complete understanding of the encryption, authentication, and DH algorithm technologies, see the link to Virtual Private Networking Basics in Appendix E.

Manually Adding or Editing an IKE Policy
To manually add an IKE policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-24).
2. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays (see Figure 7-21 on page 7-26, which shows a dual WAN port model screen). The WAN1 and WAN2 radio buttons next to Select Local Gateway are shown on the Add IKE Policy screen for the dual WAN port models, but not on the Add IKE Policy screen for the single WAN port models.
528. … LED: Off: The WAN port is operating at 10 Mbps. On (Amber): The WAN port is operating at 100 Mbps. On (Green): The WAN port is operating at 1000 Mbps.

Table 1-2 LED Descriptions (continued)
Object: Activity: Description
Active LED (dual WAN port models only): Off: The WAN port is either not enabled or has no link to the Internet. On (Green): The WAN port has a valid Internet connection.

Rear Panel
The rear panel of the UTM includes a cable lock receptacle, a console port, a reset button, and an AC power connection.

[Figure 1-3: Rear panel, from left to right: security lock receptacle, console port, reset button, AC power receptacle.]

Viewed from left to right, the rear panel contains the following components:
1. Cable security lock receptacle.
2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 9600. The pinouts are: 2 = Tx, 3 = Rx, 5 and 7 = Gnd.
3. Factory default Reset button. Using a sharp object, press and hold this button for about eight seconds, until the front panel Test light flashes, to reset the UTM to factory default settings. All configuration settings are lost and the default password is restored.
4. AC power receptacle. Universal AC input (100-240 VAC, 50-60 Hz).

Because the reset button restores the default password and the console port bypasses the network, anyone with physical access to the rear panel can take over the appliance; install it where that access is controlled.

Bottom Panel With Product Label
The product label on the bottom of the U…
529. t Select this checkbox to log packets that are dropped because the bandwidth limit has been exceeded. 4. Click Apply to save your settings. Monitoring Real-Time Traffic, Security, and Statistics. When you start up the UTM, the default screen that displays is the Dashboard screen, which lets you monitor the real-time security scanning status, with detected network threats, detected network traffic, and service statistics for the six supported protocols (HTTP, HTTPS, FTP, SMTP, POP3, and IMAP). In addition, the screen displays statistics for the most recent five and top five malware threats detected, IPS signatures matched, instant messaging and peer-to-peer applications blocked, Web categories blocked, and spam e-mails blocked. To display the Dashboard screen, select Monitoring > Dashboard from the menu. Because of the size of the Dashboard screen, it is divided and presented in this manual in three figures (Figure 11-7 on page 11-15, Figure 11-8 on page 11-17, and Figure 11-9 on page 11-19), each with its own table that explains the fields. Except for setting the poll interval and clearing the statistics, you cannot configure the fields on the Dashboard screen; any changes must be made on other screens. [Figure 11-7: Dashboard screen, showing the auto-refresh countdown and the poll interval setting.]
530. [Figure B-11: Road Warrior example, dual WAN ports with rollover. VPN router at the employer's main office with FQDN bzrouter.dyndns.org, WAN IP 0.0.0.0, WAN2 IP, and LAN IP 10.5.6.1; remote PC running NETGEAR ProSafe VPN Client. Fully Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses. The remote PC must re-establish the VPN tunnel after a rollover.] The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel. VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing. In a dual WAN port load balancing gateway configuration, the remote PC initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2) as necessary to balance the loads of the two gateway WAN ports, because the IP address of the active WAN port is not known in advance. The selected gateway WAN port must act as the responder. [Figure: Road Warrior example, dual WAN ports with load balancing. Gateway A with FQDN bzrouter1.dyndns.org, LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP 0.0.0.0; VPN router at the employer's main office; remote PC. Fully Qualified Domain Names (FQDN): optional for Fi
531. t are tagged with the VLAN ID. However, untagged packets entering the UTM LAN port are forwarded to the default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are untagged. Note: The configuration of the DHCP options for the default VLAN is explained in Using the Setup Wizard to Provision the UTM in Your Network on page 2-1. For information about how to add and edit a VLAN profile, including its DHCP options, see Configuring a VLAN Profile on page 4-6. To manage the VLAN profiles and assign VLAN profiles to the LAN ports: 1. Select Network Config > LAN Settings from the menu. The LAN submenu tabs appear with the LAN Setup screen in view. Figure 4-1 shows two VLAN profiles as an example. [Figure 4-1: LAN Setup screen with the VLAN Profiles table (columns Profile Name, VLAN ID, Subnet IP, DHCP Status, Action), showing defaultVlan (VLAN ID 1, 192.168.1.1, DHCP Enabled) and SalesVLAN (VLAN ID 2, 192.170.1.100, DHCP Disabled), the Select All, Delete, Enable, and Disable buttons, and the VLAN assignment for Port 1, Port 2, Port 3, Port 4, and DMZ.] For each VLAN profile, the following fields are displayed in the VLAN Profiles table: Checkbox: allows you to select the VLAN profile in the table. Status Icon: indi
532. t is not disabled, select the No radio button in the Local Authentication section of the Domain screen (see Figure 9-1 on page 9-3). Note: A combination of local and external authentication is supported. Warning: If you disable local authentication, make sure that there is at least one external administrative user; otherwise, access to the UTM is blocked. 6. If you change local authentication, click Apply in the Domain screen to save your settings. To delete one or more domains: 1. In the List of Domains table, select the checkbox to the left of the domain that you want to delete, or click the Select All table button to select all domains. You cannot delete a default domain. 2. Click the Delete table button. Configuring Groups for VPN Policies. The use of groups simplifies the configuration of VPN policies when different sets of users have different restrictions and access controls. Like the default domain of the UTM, the default group is also named geardomain. The default group geardomain is assigned to the default domain geardomain. You cannot delete the default group. In addition, when you create a new domain on the second SSL VPN Wizard screen (see SSL VPN Wizard Step 2 of 6: Domain Settings on page 8-5), a default group with the same name as the domain is automatic
533. t matched filters (to configure, see E-mail Content Filtering on page 6-8); Spam (to configure, see Protecting Against E-mail Spam on page 6-11). Web: Displays the total number of Files scanned; Malware detected (to configure, see Configuring Web Malware Scans on page 6-21); Files blocked (to configure, see Configuring Web Content Filtering on page 6-23); URLs blocked (to configure, see Configuring Web URL Filtering on page 6-30). IM/Peer to Peer: Displays the total number of Instant Messaging blocked (to configure, see Customizing Web Protocol Scan Settings and Services on page 6-19); Peer to Peer blocked (to configure, see Customizing Web Protocol Scan Settings and Services on page 6-19). Network: Displays the total number of IPS attack signatures matched (to configure, see Using the Intrusion Prevention System on page 5-49); Port scans detected (to configure, see Using the Intrusion Prevention System on page 5-49). Table 11-6, Dashboard: Total Threats, Threats Counts, and Total Traffic (Bytes) Information (continued): Item; Description or Subfield and Description. Threats Counts: This is a graphic that shows the relative number of threats and access violations over the
534. t of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission. This software is provided "as is" with no express or implied warranties of correctness or fitness for purpose. OpenSSL. Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)". 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote p
535. tabase of user information and can validate a user at the request of a gateway or server in the network when a user requests access to network resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH request. At that point, the remote user must provide authentication information such as a user name and password or some encrypted response using his user name and password information. The gateway then attempts to verify this information, first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. To configure primary and backup RADIUS servers: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view. 2. Click the RADIUS Client submenu tab. The RADIUS Client screen displays. The screen has a Primary RADIUS Server section (Do you want to enable a Primary RADIUS Server? Yes/No; Primary Server IP Address; Secret Phrase; Primary Server NAS Identifier), a Backup RADIUS Server section (Do you want to enable a Backup RADIUS Server? Yes/No; Backup Server IP Address; Secret Phrase; Backup Server NAS Identifier), and a Connection Configuration section: Time-out period
536. tant messaging and peer-to-peer file sharing clients. Note: Traffic that passes on the UTM's VLANs and on the secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configuring Multi-Home LAN IPs on the Default VLAN on page 4-11) is also scanned for content and malware threats. Note: For information about how to monitor blocked content and malware threats in real time, see Monitoring Real-Time Traffic, Security, and Statistics on page 11-14. For information about how to view blocked content and malware threats in the logs, see Querying Logs and Generating Reports on page 11-32. Default E-mail and Web Scan Settings. For most network environments, the default scan settings and actions that are shown in Table 6-1 work well, but you can adjust these to the needs of your specific environment. Table 6-1, Default E-mail and Web Scan Settings (Scan Type; Default Scan Setting; Default Action, if applicable). Email Server Protocols: SMTP, Enabled, Block infected e-mail; POP3, Enabled, Delete attachment if infected; IMAP, Enabled, Delete attachment if infected. Web Server Protocols: HTTP, Enabled, Delete file if malware threat detected; HTTPS, Disabled, No action (scan disabled); FTP, Enabled, Delete file if malware threat detected. Instant Messaging Servi
537. te & Time screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. Setting the correct system time and time zone ensures that the date and time recorded in the UTM logs and reports are accurate. To set time, date, and NTP servers: 1. Select Administration > System Date & Time from the menu. The System Date & Time screen displays. [Figure 10-8: System Date & Time screen, showing the Date/Time time zone selector (GMT, Greenwich Mean Time: Edinburgh, London), the Automatically Adjust for Daylight Savings Time checkbox, the Use Default NTP Servers and Use Custom NTP Servers options, Server 1 Name/IP Address time-g.netgear.com, Server 2 Name/IP Address time-h.netgear.com, and Current Time: Thu May 21 01:37:18 GMT 2009.] The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in Figure 10-8: Current Time: Thu May 21 01:37:18 GMT 2009). 2. Enter the settings as explained in Table 10-2. Table 10-3, System Date & Time Settings (Setting; Description or Subfield and Description). Date/Time: From the pull-down menu, select the local time zone in which the UTM operates. The proper time zone is required in order for scheduling to work correctly. The UTM includes a real-time clock (RTC), which it uses for scheduling.
538. ted by the 5th failure. The primary link is also restarted every three failures till it is functional again. In the above log, the primary link was restarted after the 6th failure, that is, three failures after the failover process was triggered. Recommended Action: Check the WAN settings and WAN failure detection method configured for the primary link. Load Balancing Mode. When the WAN mode is configured for load balancing, both the WAN ports are active simultaneously and the traffic is balanced between them. If one WAN link goes down, all the traffic is diverted to the WAN link that is active. This section describes the logs that are generated when the WAN mode is set to load balancing. Table C-9, System Logs: WAN Status, Load Balancing. Message 1: Dec 1 12:11:27 UTM wand LBFO Restarting WAN1_. Message 2: Dec 1 12:11:31 UTM wand LBFO Restarting WAN2_. Message 3: Dec 1 12:11:35 UTM wand LBFO WAN1 UP WAN2 UP_. Message 4: Dec 1 12:24:12 UTM wand LBFO WAN1 UP WAN2 DOWN_; Dec 1 12:29:43 UTM wand LBFO Restarting WAN2_; Dec 1 12:29:47 UTM wand LBFO WAN1 UP WAN2 DOWN_. Explanation: Message 1 and Message 2 indicate that both the WANs are restarted. Message 3: This message shows that both the WANs are up and the traffic is balanced between the two WAN interfaces. Message 4: This message shows that one of the WAN links is down. At this point, all the traffic is directed through the WAN which is up.
539. tent Filtering submenu tab. The Content Filtering screen displays. Because of the large size of this screen, it is presented in this manual in three figures: Figure 6-9 on this page, Figure 6-10 on page 6-26, and Figure 6-11 on page 6-27. [Figure 6-9: Content Filtering screen (1 of 3), showing the Log HTTP Traffic checkbox (this will slow down performance), the Block Files with the Following Extensions list (example: exe, com, pif), the Block Web Pages with the Following Keywords list (Full Text Search; this will slow down performance; example: foo, bar), and the Block Web Objects section with the Remove Embedded Objects (ActiveX, Java, Flash), Disable Javascript, Proxy, and Cookies checkboxes, followed by the start of the Select the Web Categories You Wish to Block section.] [Figure 6-10, partial: Select the Web Categories You Wish to Block, with the Enable Blocking checkbox and category checkboxes including Commerce, Advertisements & Pop-Ups, Real Estate, Drugs and Violence, Alcohol & Tobacco, Tasteless, Education, Gaming, Gambling, Inactive Sites, Network Errors, eBusiness, Shopping, Hate & Intolerance, Violence, Health & Medicine, Games, Parked Domain, Internet Communication and Search, Anonymizers, General, Job Search.]
540. th the following text, which you can customize: NETGEAR ProSecure UTM has detected and stopped malicious code embedded in this web site or web mail for protecting your computer and network from infection. VIRUSINFO. Note: Make sure that you keep the VIRUSINFO meta word in a message to enable the UTM to insert the proper malware information. In addition to the VIRUSINFO meta word, you can insert the following meta words in your customized message: TIME, PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME. 3. Click Apply to save your settings. Configuring Web Content Filtering. If you want to restrict internal LAN users from access to certain types of information and objects on the Internet, use the UTM's content filtering and Web objects filtering. With the exception of the Web content categories that are mentioned in Default E-mail and Web Scan Settings on page 6-2, all requested traffic from any Web site is allowed. You can specify a message, such as "Blocked by NETGEAR", that is displayed on screen if a LAN user attempts to access a blocked site (see the Notification Settings section that is described at the bottom of Table 6-8 on page 6-28). Several types of Web content blocking are available: File extension blocking: You can block files based on
541. that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions when the file or message exceeds the maximum size: Skip: The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting. Block: The file is blocked and does not reach the end user. [Figure 2-12: Setup Wizard Step 6 of 10, Web Security, showing the Service/Action table (HTTP: Delete file; HTTPS: Delete file; FTP: Delete file), the Streaming option, and the "if the file or message is larger than ... KB (Maximum 10240 KB)" setting.] Enter the settings as explained in Table 2-6 on page 2-20, then click Next to go to the following screen. Note: After you have completed the steps in the Setup Wizard, you can make changes to the Web security settings by selecting Application Security > HTTP/HTTPS > Malware Scan. The Malware Scan screen also lets you specify HTML scanning and notification settings. For more information about these settings, see Configuring Web Malware Scans on page 6-21. Table 2-6, Set
542. the Content filters log: URL, file type, and size limit. Spam Found By: This field is available only for the Spam log. Select a checkbox to specify the method by which spam is detected: Blacklist or Heuristic Scan. Note: Heuristic Scan refers to Distributed Spam Analysis. Malware Name: The name of the malware threat that is queried. This field is available only for the Malware log. Action: The spam or malware detection action that is queried. The following actions can be selected: for the Spam log, block or tag; for the Malware log, delete, block email, or log. Email Subject: The e-mail subject that is queried. This field is available for the following logs: Spam and Email filters. Sender Email: The sender's e-mail address that is queried. This field is available only for the Traffic log. Recipient Email: The recipient's e-mail address that is queried. This field is available for the following logs: Traffic, Spam, Malware, and Email filters. Table 11-15, Logs Query Settings (continued): Setting; Description or Subfield and Description. Search Criteria (continued): Message: The e-mail message text that is queried. This field is available for the following logs: Port Scan, IPS, Instant Messaging, Peer to Peer. Subject: The e-mail sub
543. the allocated file size for each log type. Automated log purging means that you do not need to constantly manage the size of the UTM logs and ensures that the latest malware threats and traffic activities are always recorded. Note: After the UTM reboots, traffic logs are lost. Therefore, NETGEAR recommends that you connect the UTM to a syslog server to save the traffic logs externally. Other logs (that is, non-traffic logs) are automatically backed up on the UTM every 15 minutes. However, if a power failure affects the UTM, logs that were created within this 15-minute period are lost. To manually purge selected logs, see Configuring and Activating System E-mail and Syslog Logs on page 11-6. Scheduling and Generating Reports. The UTM lets you schedule and generate three types of reports: Email Reports: For each protocol (SMTP, POP3, and IMAP), the report shows the following information per day, both in tables and graphics: number of connections; traffic amount in MB; number of malware incidents; number of files blocked; number of blacklist violations (not applicable to POP3 and IMAP); number of e-mails captured by Distributed Spam Analysis (not applicable to IMAP). Web Reports: For each protocol (HTTP, HTTPS, and FTP), the report shows the fo
544. the blocked URL and the keyword that caused the Web page to be blocked in the notification text. Table 6-8, Content Filtering Settings (continued): Setting; Description or Subfield and Description. Web Category Lookup: URL: Enter a URL to find out if it has been categorized and, if so, in which category. Then click the Lookup button. If the URL has been categorized, the category appears next to Lookup Results. If the URL appears to be uncategorized, you can submit it to NETGEAR for analysis. Submit to NETGEAR: To submit an uncategorized URL to NETGEAR for analysis, select the category in which you think that the URL must be categorized from the pull-down menu. Then click the Submit button. 4. Click Apply to save your settings. Note: When the UTM blocks access to a link of a certain blocked Web category, the UTM displays an HTML warning screen that includes a hyperlink to submit a URL misclassification. To submit a misclassified or uncategorized URL to NETGEAR for analysis, click on the Click here to Report a URL Misclassification hyperlink. A second screen opens that allows you to select, from pull-down menus, up to two categories in which you think that the URL could be categorized. Then click the Submit button. Configuring Web URL Filtering. If you want to
545. the request was successful using the Web Management Interface. To check the WAN IP address: 1. Launch your browser and navigate to an external site such as www.netgear.com. 2. Access the Web Management Interface of the UTM's configuration at https://192.168.1.1. 3. Select Network Security > WAN Settings from the menu. The WAN1 ISP Settings screen (dual WAN port models) or WAN ISP Settings screen (single WAN port models) displays. For dual WAN port models only: to display the WAN2 ISP Settings screen, click WAN2 ISP Settings. 4. Click the WAN Status option arrow at the top right of the WAN1 ISP Settings or WAN2 ISP Settings screen (dual WAN port models) or at the top right of the WAN ISP Settings screen (single WAN port models). The Connection Status screen appears in a popup window. For more information, see Viewing the WAN Ports Status on page 11-27. 5. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your UTM has not obtained an IP address from your ISP. If your UTM is unable to obtain an IP address from the ISP, you might need to force your modem or router to recognize your new UTM by performing the following procedure: 1. Turn off the power to the modem or router. 2. Turn off the power to your UTM. 3. Wait five minutes and then turn on the power to the modem or router. 4. When the modem's or router's LEDs indicate that it has reacquired synchronization with the ISP, turn on the powe
546. the settings as explained in Table 4-4. 3. Click Apply to save your settings. Configuring Routing Information Protocol (RIP). Routing Information Protocol (RIP, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information automatically with other routers, to dynamically adjust its routing tables, and to adapt to changes in the network. RIP is disabled by default. To enable and configure RIP: 1. Select Network Configuration > Routing from the menu. 2. Click the RIP Configuration option arrow at the right of the Routing submenu tab. The RIP Configuration screen displays. [Figure 4-11: RIP Configuration screen, showing RIP Direction, RIP Version, Authentication for RIP-2B/2M (required: Yes/No), and the First Key Parameters and Second Key Parameters sections, each with MD5 Key Id, MD5 Auth Key, Not Valid Before (MM/DD/YYYY HH:MM:SS), and Not Valid After (MM/DD/YYYY HH:MM:SS).] 3. Enter the settings as explained in Table 4-5 on page 4-26.
547. their extension. Such files can include executable files, audio and video files, and compressed files. Keyword blocking: You can specify words that, should they appear in the Web site name (URL) or in a newsgroup name, cause that site or newsgroup to be blocked by the UTM. The following are keyword blocking examples: If the keyword XXX is specified, the URL www.zzyyqq.com/xxx.html is blocked, as is the newsgroup alt.pictures.XXX. If the keyword .com is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed. If a period (.) is specified as the keyword, all Internet browsing access is blocked. Note: Wildcards are supported. For example, if www.net.com is specified, any URL that begins with www.net is blocked, and any URL that ends with .com is blocked. You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled are blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled. Note: The whitelist has priority over the blacklist (for these lists, see Configuring Web URL Filtering on page 6-30), and both the whitelist and the blacklist have priority over keyword blocking. Web object blocking: You can block the following Web objects: embedded objects (ActiveX, Java, Flash), proxies, and cookies, and you can d
548. thentication and Certificates. Chapter 10: Network and System Management. This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the UTM. This chapter contains the following sections: Performance Management on this page; System Management on page 10-9. Performance Management. Performance management consists of controlling the traffic through the UTM so that the necessary traffic gets through when there is a bottleneck, and either reducing unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks from occurring in the first place. The UTM has the necessary features and tools to help the network manager accomplish these goals. Bandwidth Capacity. The maximum bandwidth capacity of the UTM in each direction is as follows: LAN side (single WAN port models and dual WAN port models): 2000 Mbps (two LAN ports at 1000 Mbps each). WAN side: Load balancing mode (dual WAN port models only): 2000 Mbps (two WAN ports at 1000 Mbps each); Auto-rollover mode (dual WAN port models only): 1000 Mbps (one active WAN port at 1000 Mbps); Single WAN port mode (single WAN port models and dual WAN port models): 1000 Mbps (one active WAN port at 1000 Mbps). In practice, the WAN-side bandwidth capacity is much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN port
549. through the Web Management Interface, or save the log records in CSV or HTML format and download them to a computer (the downloading option is not available for all logs). The UTM provides 13 types of logs: Traffic Logs: All scanned incoming and outgoing traffic. Spam Logs: All intercepted spam. System Logs: The system event logs that you have specified on the Email and Syslog screen (see Configuring and Activating System E-mail and Syslog Logs on page 11-6). However, by default, many more types of events are logged in the system logs. Service Logs: All events that are related to the status of scanning and filtering services that are part of the Application Security main navigation menu. These events include update success messages, update failed messages, network connection errors, and so on. Malware Logs: All intercepted viruses, spyware, and other malware threats. Email filter Logs: All e-mails that are blocked because of file extension and keyword violations. Content Filter Logs: All attempts to access blocked Web sites and URLs. IPS Logs: All IPS events. Portscan Logs: All port scan events. Instant Messaging/Peer to Peer Logs: All instant messaging and peer-to-peer access violations. Firewall Logs: The firewall logs that you have specified on the Firewall Logs screen (see Co
550. tings [Figure 12-1: Backup & Restore Settings screen, with Save a copy of current settings (Backup button), Restore saved settings from file (Restore button), and Revert to factory default settings (Default button).] b. Click the Default button. The UTM reboots. During the reboot process, the Backup & Restore Settings screen remains visible. The reboot process is complete after several minutes, when the Test LED on the front panel goes off. Warning: When you push the hardware Reset button or click the software Default button, the UTM settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost. Back up your settings if you intend on using them. Note: After rebooting with factory default settings, the UTM's password is password and the LAN IP address is 192.168.1.1. Problems with Date and Time. The System Date & Time screen displays the current date and time of day (see Configuring Date and Time Service on page 10-24). The UTM uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include: Date shown is January 1, 2000. Cause: The UTM has not yet successfully reached a Network Time
551. tings, including the password: 1. Select Users > Users from the menu. The Users screen displays. Figure 10-1 shows the UTM's default users, admin and guest, and, as an example, several other users in the List of Users table. [Figure 10-1: Users screen with the List of Users table (columns Name, Group, Type, Authentication Domain), showing the users admin, techpubadmin, guest, and TestUser with their group, type (Administrator, Guest User, SSL VPN User), and authentication domain (geardomain, SSLTestDomain), the Default Users section, and the Select All, Delete, and Add buttons.] 2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit User screen displays. [Figure 10-2: Edit User screen, showing User Name, User Authentication Type (local), Select User Type, the Check to Edit Password checkbox, Enter Your Password, New Password, Confirm New Password, and Idle Timeout (Minutes).] 3. Select the Check to Edit Password checkbox. The password fields become active. 4. Enter the old password, enter the new password, and then confirm the new password. Note: The ideal password should contain no dictionary words from any language and should be a mixture of
552. tion about your UTM: 1. Locate the Gather Important Log Information section on the Diagnostics screen. 2. Click Download Now. You are prompted to save the downloaded log information file to your computer. The default file name is importantlog.gpg. 3. When the download is complete, browse to the download location you specified and verify that the file has been downloaded successfully. Generating Network Statistics. The Network Statistic Report provides a detailed overview of the network utilization in the UTM-managed network environment. The report allows you to see what consumes the most resources on the network. To generate the Network Statistic Report: 1. Locate the Network Statistics Report section on the Diagnostics screen. 2. Click Generate Network Statistics. The network statistics report is sent as an e-mail to the recipient that you specified on the Email Notification screen (see Configuring the E-mail Notification Server on page 11-5). Rebooting and Shutting Down the UTM. You can perform a remote reboot (restart), for example, when the UTM seems to have become unstable or is not operating normally. Note: Rebooting breaks any existing connections, either to the UTM (such as your management session) or through the UTM (for example, LAN users accessing the Internet). Howev
553. tion and management tasks:
- Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based Web Management Interface.
- Auto-detection of ISP. The UTM automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
- IPsec VPN Wizard. The UTM includes the NETGEAR IPSec VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC), to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
- SSL VPN Wizard. The UTM includes the NETGEAR SSL VPN Wizard to easily configure SSL connections over VPN according to the recommendations of the VPNC, to ensure the SSL connections are interoperable with other VPNC-compliant VPN routers and clients.
- SNMP. The UTM supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
- Diagnostic functions. The UTM incorporates built-in diagnostic functions such as Ping, Trac
554. to the rules in the order shown in the Rules table, beginning at the top and proceeding to the bottom. In some cases, the order of precedence of two or more rules might be important in determining the disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The Up and Down table buttons in the Action column allow you to relocate a defined rule to a new position in the table.
Setting LAN WAN Rules
The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). This feature is also referred to as service blocking. You can change the default policy of Allow Always to Block Always to block all outbound traffic, which then allows you to enable only specific services to pass through the UTM.
To change the default outbound policy:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear with the LAN WAN Rules screen in view.
2. Next to Default Outbound Policy, select Block Always from the pull-down menu. Next to the pull-down menu, click the Apply table button.
[Figure: LAN WAN Rules screen, with the DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit, and Advanced submenu tabs and the Outbound Services table]
555. ton for approximately eight seconds, until the TEST LED blinks rapidly. The UTM returns to the factory configuration settings that are shown in Table A-1 below.
- Pressing the Reset button for a shorter period of time simply causes the UTM to reboot.
Table A-1 shows the default configuration settings for the UTM.
Table A-1 UTM Default Configuration Settings (Feature: Default behavior)
Router Login
- User login URL: https://192.168.1.1
- Administrator user name (case-sensitive): admin
- Administrator login password (case-sensitive): password
- Guest user name (case-sensitive): guest
- Guest login password (case-sensitive): password
Internet Connection
- WAN MAC address: Use default address
- WAN MTU size: 1500
- Port speed: AutoSense
Local Network (LAN)
- LAN IP address: 192.168.1.1
- Subnet mask: 255.255.255.0
- RIP direction: None
- RIP version: Disabled
- RIP authentication: Disabled
- DHCP server: Enabled
- DHCP starting IP address: 192.168.1.2
- DHCP ending IP address: 192.168.1.100
Management
- Time zone: GMT
- Time zone adjusted for daylight savings time: Disabled
- SNMP: Disabled
- Remote management: Disab
556. top right of the WAN Traffic Meter screen (single WAN port models). The Traffic by Protocol screen appears in a popup window. The incoming and outgoing volume of traffic for each protocol and the total volume of traffic is displayed. Traffic counters are updated in MBs; the counter starts only when traffic passed is at least 1 MB. In addition, the popup screen displays the traffic meter's start and end dates.
[Figure 11-2: Traffic by Protocol popup, showing Start Date and End Date and, for the Email, HTTP, Others, and Total rows, the Incoming Traffic and Outgoing Traffic columns (Total MB, MB Per Day), with a Refresh button]
Configuring Logging, Alerts, and Event Notifications
By default, the UTM logs security-related events such as accepted and dropped packets on different segments of your LAN, denied incoming and outgoing service requests, hacker probes and login attempts, content filtering events such as attempts to access blocked sites and URLs, unwanted e-mail content, spam attempts, and many other types of events. You can configure the UTM to e-mail logs and alerts to a specified e-mail address.
To receive the logs in an e-mail message, the UTM's e-mail notification server must be configured and e-mail notification must be enabled. If the e-mail notification server is n
557. topped capturing the traffic flow. When you want to stop capturing the traffic flow, click Stop.
6. Select a location to save the captured traffic flow. The default file name is diagnostics-result.dat. The file downloads to the location that you specify.
7. When the download is complete, browse to the download location you specified and verify that the file has been downloaded successfully.
8. Send the file to NETGEAR Technical Support for analysis.
Gathering Important Log Information and Generating a Network Statistics Report
When you request support, NETGEAR Technical Support might ask you to collect the debug logs and other information from your UTM. This section discusses the Gather Important Log Information section, Network Statistics Report section, and Reboot the System section of the Diagnostics screen.
[Figure 11-28: Diagnostics screen (3 of 3), with the Gather Important Log Information section (Download Now button), the Network Statistics Report section (Generate Network Statistics button), Reboot the UTM (Reboot button), and Shutdown the UTM (Shut Down button)]
Gathering Important Log Information
To gather log informa
558. translate this address to a port number.
Send to DMZ Server: The DMZ server address determines which computer on your network is hosting this service rule. You can also translate this address to a port number.
Translate to Port Number: You can enable this setting and specify a port number if you want to assign the LAN server or DMZ server to a specific port.
WAN Destination IP Address: The setting that determines the destination IP address applicable to incoming traffic. This is the public IP address that maps to the internal LAN server. On the dual WAN port models, it can either be the address of the WAN1 or WAN2 interface or another public IP address when you have a secondary WAN address configured. On the single WAN port models, it can either be the address of the single WAN interface or another public IP address when you have a secondary WAN address configured.
Table 5-3 Inbound Rules Overview (continued) (Setting: Description or Subfield and Description)
LAN Users: The settings that determine which computers on your network are affected by this rule. The options are:
- Any: All PCs and devices on your LAN.
- Single address: Enter the required address to apply the rule to a single device on your LAN.
- Address range: Enter the required addresses in the Start and Finish field
559. tributed Spam Analysis.
- SMTP: Select the SMTP checkbox to enable Distributed Spam Analysis for the SMTP protocol. You can enable Distributed Spam Analysis for both SMTP and POP3.
- POP3: Select the POP3 checkbox to enable Distributed Spam Analysis for the POP3 protocol. You can enable Distributed Spam Analysis for both SMTP and POP3.
Table 6-5 Distributed Spam Analysis Settings (continued) (Setting: Description or Subfield and Description)
Sensitivity: From the Sensitivity pull-down menu, select the level of sensitivity for the anti-spam engine that performs the analysis: Low, Medium Low, Medium, Medium High (this is the default setting), or High.
Note: A low sensitivity allows more e-mails to pass through but increases the risk of spam messages. A high sensitivity allows fewer e-mails to pass through but diminishes the risk of spam messages.
Action:
- SMTP: From the SMTP pull-down menu, select the action that is taken when spam is detected by the anti-spam engine: Tag spam email (this is the default setting) or Block spam email.
- POP3: The only option is to block spam e-mail.
Tag (Add tag to mail subject): When the option Tag spam email is selected from the Action pull-down menu (see above), select this checkbox to add a tag to the e-mail subject line. The default tag is SPAM, but you can custo
560. triggering rule that you want to edit. The Edit Port Triggering Rule screen displays.
2. Modify the settings that you wish to change (see Table 5-10).
3. Click Apply to save your changes. The modified port triggering rule is displayed in the Port Triggering Rules table.
To display the status of the port triggering rules, click the Status option arrow at the top right of the Port Triggering screen. A popup window appears, displaying the status of the port triggering rules.
[Figure 5-29: Port Triggering Status popup, with Rule, LAN IP Address, Open Ports, and Time Remaining (Sec) columns and a Refresh button]
Using the Intrusion Prevention System
The Intrusion Prevention System (IPS) of the UTM monitors all network traffic to detect, in real time, network attacks and port scans, and to protect your network from such intrusions. You can set up alerts, block source IP addresses from which port scans are initiated, and drop traffic that carries attacks. You can configure detection of and protection from specific attacks such as Web, e-mail, database, malware, and other attacks. The IPS differs from the malware scan mechanism (see Configuring Web Malware Scans on page 6-21) in that it monitors individual packets, whereas the malware scan mechanism monitors files. The IPS also allows you to configure port scan detection to adjust
561. tton.
Viewing and Managing Self Certificates
The Active Self Certificates table on the Certificates screen (see Figure 9-13 on page 9-22) shows the digital certificates issued to you by a CA and available for use. For each self certificate, the table lists the following information:
- Name: The name that you used to identify this digital certificate.
- Subject Name: The name that you used for your company and that other organizations see as the holder (owner) of the certificate.
- Serial Number: This is a serial number maintained by the CA. It is used to identify the digital certificate within the CA.
- Issuer Name: The name of the CA that issued the digital certificate.
- Expiry Time: The date on which the digital certificate expires. You should renew the digital certificate before it expires.
To delete one or more self certificates:
1. In the Active Self Certificates table, select the checkbox to the left of the self certificate that you want to delete, or click the Select All table button to select all self certificates.
2. Click the Delete table button.
Managing the Certificate Revocation List
A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up to date. You should obtain the CRL for each CA regularly.
562. tup Wizard Step 9 of 10: Signatures & Engine
[Figure 2-15: Setup Wizard Step 9 of 10, Signatures & Engine screen, with the Update Settings section (Update: Scan engine and Signatures; Update From: Default update server or a server address; Update Frequency: Weekly on a day at hh:mm, or Daily at hh:mm) and the HTTPS Proxy Settings section (Enable Proxy server; This server requires authentication)]
Enter the settings as explained in Table 2-9 on page 2-25, then click Next to go to the following screen.
Note: After you have completed the steps in the Setup Wizard, you can make changes to the signatures and engine settings by selecting Administration > System Update > Signatures and Engine. For more information about these settings, see Updating the Scan Signatures and Scan Engine Firmware on page 10-21.
Table 2-9 Setup Wizard Step 9: Signatures & Engine Settings (Setting: Description or Subfield and Description)
Update Settings
Update: From the pull-down menu, select one of the following options:
- Never: The pattern and firmware files are never automatically updated.
- Scan engine and Signatures: The pattern and firmware files are automatically updated according to the Update Frequenc
563. tworks from being compromised, IT professionals and security experts have recognized the need to go beyond the traditional authentication process by introducing and requiring additional factors in the authentication process. NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. As part of the new maintenance firmware release, NETGEAR has implemented a more robust authentication system known as Two-Factor Authentication (2FA or T-FA) on its SSL and IPSec VPN firewall product line to help address the fast-growing network security issues.
What are the benefits of Two-Factor Authentication?
- Stronger security. Passwords cannot efficiently protect the corporate networks because attackers can easily guess simple passwords, or users cannot remember complex and unique passwords. A one-time passcode (OTP) strengthens and replaces the need to remember complex passwords.
- No need to replace existing hardware. Two-Factor Authentication can be added to existing NETGEAR products through a firmware upgrade.
- Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
- Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
What is Two
564. ty, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
PPP
Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPR
565. u tabs appear with the Malware Scan screen in view.
2. Click the Trusted Hosts submenu tab. The Trusted Hosts screen displays. Figure 6-16 shows some examples.
[Figure 6-16: Trusted Hosts screen, with the Enable checkbox, the Hosts list (example entries trustedhostserver1.example.com, trustedhostserver2.example.com, and imageserver.example.com), and the Delete, Export, Add Host, Import from File, and Upload controls]
3. Enter the settings as explained in Table 6-11.
Table 6-11 Trusted Hosts Settings (Setting: Description or Subfield and Description)
Enable (Do Not Intercept HTTPS Connections for the following Hosts): Select this checkbox to bypass scanning of trusted hosts that are listed in the Hosts field. Users do not receive a security alert for trusted hosts that are listed in the Hosts field.
Hosts: This field contains the trusted hosts for which scanning is bypassed. To add a host to this field, use the Add Host field or the Import from File tool (see below). You can add a maximum of 200 URLs.
Delete: To delete one or more hosts, highlight the hosts and click the Delete table button.
Export: To export the hosts, click the Export
566. u first must create a Mode Config record and then select the Mode Config record for an IKE policy.
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view.
2. Click the Mode Config submenu tab. The Mode Config screen displays.
[Figure 7-25: Mode Config screen, List of Mode Config Records table with Record Name, Pool Start IP, and Pool End IP columns for the EMEA Sales and NA Sales records, and the Select All, Delete, and Add buttons]
As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales:
- For EMEA Sales, a first pool (172.169.100.1 through 172.169.100.99) and a second pool (182.183.200.1 through 172.183.200.99) are shown.
- For NA Sales, a first pool (172.173.100.50 through 172.173.100.90), a second pool (182.185.210.1 through 182.185.210.99), and a third pool (172.210.220.80 through 172.210.220.99) are shown.
3. Under the List of Mode Config Records table, click the Add table button. The Add Mode Config Record screen displays (see Figure 7-26 on page 7-45).
567. u only have a single public Internet IP address, you must use NAT (the default setting).
- If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.
To configure NAT:
1. Select Network Config > WAN Settings from the menu, then click the WAN Mode tab. The WAN Mode screen displays (see Figure 3-8 on page 3-12).
2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button.
3. Click Apply to save your settings.
Classical Routing (All Models)
In classical routing mode, the UTM performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid static Internet IP address. If your ISP has allocated a number of static IP addresses to you and you have assigned one of these addresses to each PC, you can choose classical routing. Or, you can use classical routing for routing private IP addresses within a campus environment.
To learn the status of the WAN ports, you can view the System Status screen (see Viewing System Status on page 11-20) or look at the LEDs on the fr
568. u tabs appear with the Email and Syslog screen in view (see Figure 11-4 on page 11-7).
[Figure 11-4: Email and Syslog screen, with four sections: System Logs Option (Change of Time by NTP, Secure Login Attempts, Reboots, All Unicast Traffic, All Broadcast/Multicast Traffic, WAN Status, Resolved DNS Names); Email Logs to Administrator (Enable, Send to, Frequency: when the space is full / Daily at hh:mm / Weekly on a day at hh:mm, Select Logs to Send, Plain Text or CSV, Zip the logs to save space, Split logs size); Send Logs via Syslog (Enable, Syslog Server, Severity, and the logs to send); and Clear the Following Logs Information. The selectable log types in each section are System, Traffic, Malware, Spam, IM/P2P, Email filter, Firewall, IPS, SSL VPN, IPSEC VPN, Content filter, Service, and Portscan logs]
569. ude the relevant malware detection information.
[Figure 11-5: Alerts screen (continued), showing the Malware Alerts message meta words (%TIME%, %PROTOCOL%, %FROM%, %TO%, %SUBJECT%, %FILENAME%, %ACTION%, %VIRUSNAME%, %VIRUSINFO%), the Enable Malware Outbreak Alerts section (Outbreak Criteria: malware found within N minutes, maximum 90 minutes; Protocol checkboxes; Subject), the Enable IPS Outbreak Alerts section (Outbreak Criteria: attacks found within N minutes, maximum 90 minutes; Subject), and the Enable IPS Alerts section (Subject)]
3. Enter the settings as explained in Table 11-4.
Table 11-4 Alerts Settings (Setting: Description or Subfield and Description)
Enable Update Failure Alerts: Select this checkbox to enable update failure alerts.
Enable License Expiration Alerts: Select this checkbox to enable license expiration alerts. This checkbox is enabled by default.
Enable Malware Alerts: Select this checkbox to enable malware alerts and configure the Subject and Message fields.
Table 11-4 Alerts Settings (continued)
Enable Malware Alerts (continued):
- Subject: Enter the subject line for the e-mail alert. The default text is Malware alert.
- Message: Enter the content for the e-mail alert. Note: Make sure that y
570. uest) and, as an example, several other users in the List of Users table.
[Figure 9-5: Users screen, List of Users table with Name, Group, Type, Authentication Domain, and Action (Edit, Policies) columns, and the Select All, Delete, and Add buttons]
The List of Users table displays the users with the following fields:
- Checkbox: Allows you to select the user in the table.
- Name: The name of the user. If the user name is appended by an asterisk, the user is a default user that came preconfigured with the UTM and cannot be deleted.
- Group: The group to which the user is assigned.
- Type: The type of access credentials that are assigned to the user.
- Authentication Domain: The authentication domain to which the user is assigned.
- Action: The Edit table button that provides access to the Edit User screen; the Policies table button that provides access to the policy screens.
2. Click the Add table button. The Add User screen displays (see Figure 9-6 on page 9-11).
[Figure 9-6: Add User screen, with User Name, Select Group, Password, and Confirm Password fields]
571. uf
[Figure 7-9: IPsec VPN Wizard screen for a client-to-gateway tunnel, ending with the field "What is the remote LAN Subnet Mask?"]
To display the wizard default settings, click the VPN Wizard Default Values option arrow at the top right of the screen. A popup window appears (see Figure 7-5 on page 7-6), displaying the wizard default values. After you have completed the wizard, you can modify these settings for the tunnel policy that you have set up.
3. Select the radio buttons and complete the fields as explained in Table 7-3.
Table 7-3 IPsec VPN Wizard Settings for a Client-to-Gateway Tunnel (Setting: Description or Subfield and Description)
About VPN Wizard
- This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote FQDN (utm_remote.com) and the default local FQDN (utm_local.com) appear in the End Point Information section of the screen.
Connection Name and Remote IP Type
- What is the new Connection Name?: Enter a descriptive name for the connection. This name is used to help you to manage the VPN settings; the name is not supplied to the remote VPN endpoint.
- What is the pre-shared key?: Enter a pre-shared key. The key must be entered both here and on the remote VPN gateway or the remote VPN client. This key must have a minimum length of 8 characters and should not e
572. ull-down menu, select ALLOW Always.
6. In the Send to LAN Server field, enter the local IP address of your Web server PC (192.168.1.2 in this example).
7. For the dual WAN port models only, from the WAN Destination IP Address pull-down menu, select the Web server (the simulated 10.1.0.52 address in this example) that you first must have defined on the WAN1 Secondary Addresses or WAN2 Secondary Addresses screen (see Configuring Secondary WAN Addresses on page 3-17). For the single WAN port models, the WAN Destination IP Address is a fixed field.
8. Click Apply to save your settings. Your rule is now added to the Inbound Services table of the LAN WAN Rules screen.
To test the connection from a PC on the Internet, type http://<IP_address>, where <IP_address> is the public IP address that you have mapped to your Web server. You should see the home page of your Web server.
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN or DMZ as this host:
1. Create an inbound rule that allows all protocols.
2. Place the rule below all other inbound rules. See an example in Figure 5-14 on page 5-26.
Warning: For secur
573. up Wizard Step 3 of 10: System Date and Time 2-14
Setup Wizard Step 4 of 10: Services 2-16
Setup Wizard Step 5 of 10: Email Security 2-18
Setup Wizard Step 6 of 10: Web Security 2-19
Setup Wizard Step 7 of 10: Web Categories to Be Blocked 2-21
Setup Wizard Step 8 of 10: Email Notification 2-23
Setup Wizard Step 9 of 10: Signatures & Engine 2-24
Setup Wizard Step 10 of 10: Saving the Configuration 2-25
Verifying Proper Installation 2-26
Testing Connectivity 2-26
Testing HTTP Scanning 2-26
Registering the UTM with NETGEAR 2-26
What to Do Next 2-28
Chapter 3 Manually Configuring Internet and WAN Settings
Understanding the Internet and WAN Configuration Tasks 3-1
Configuring the Internet Connections 3-2
Automatically Detecting and Connecting
574. up Wizard Step 6: Web Security Settings (Setting: Description or Subfield and Description)
Action
- HTTP: From the HTTP pull-down menu, specify one of the following actions when an infected Web file or object is detected:
  - Delete file: This is the default setting. The Web file or object is deleted, and a log entry is created.
  - Log only: Only a log entry is created. The Web file or object is not deleted.
  Select the Streaming checkbox to enable streaming of partially downloaded and scanned HTTP file parts to the user. This method allows the user to experience more transparent Web downloading. Streaming is enabled by default.
- HTTPS: From the HTTPS pull-down menu, specify one of the following actions when an infected Web file or object is detected:
  - Delete file: This is the default setting. The Web file or object is deleted, and a log entry is created.
  - Log only: Only a log entry is created. The Web file or object is not deleted.
  Select the Streaming checkbox to enable streaming of partially downloaded and scanned HTTPS file parts to the user. This method allows the user to experience more transparent Web downloading. Streaming is enabled by default.
- FTP: From the FTP pull-down menu, specify one of the following actions when an infected FTP file or object is detected:
  - Delete file: This is the default setting. The FTP file or object is deleted, and a log entry is created.
  - Log only: Only a log entry is
575. ur connection type is PPPoE, select this radio button and enter the following settings:
- Account Name: The valid account name for the PPPoE connection.
- Domain Name: The name of your ISP's domain, or your domain name if your ISP has assigned one. You may leave this field blank.
- Idle Timeout: Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
6. Configure the Internet IP Address settings as explained in Table 3-3. Click the Current IP Address link to see the currently assigned IP address.
[Figure 3-6: Internet IP Address section, with the Current IP Address link, the Get Dynamically from ISP and Use Static IP Address radio buttons, and the IP Address, IP Subnet Mask, and Gateway IP Address fields]
Table 3-3 Internet IP Address Settings (Setting: Description or Subfield and Description)
Get Dynamically from ISP: If your ISP has not assigned you a static IP address, select the Get dynamically from ISP radio button. The ISP automatically assigns an IP address to the UTM
576. 3. Enter the settings as explained in Table 7-4.
Table 7-4 Security Policy Editor: Remote Party Settings (Setting: Description or Subfield and Description)
Connection Security: Select the Secure radio button. If you want to connect manually only, select the Only Connect Manually checkbox.
ID Type: From the pull-down menu, select IP Subnet.
- Subnet: Enter the LAN IP subnet address of the UTM that is displayed on the UTM's VPN Policies screen (see Figure 7-10 on page 7-12). In this example, the subnet address is 192.168.1.0.
- Mask: Enter the LAN IP subnet mask of the UTM that is displayed on the UTM's VPN Policies screen (see Figure 7-10 on page 7-12). In this example, the subnet mask is 255.255.255.0.
Protocol: From the pull-down menu, select All.
Use: Select the Use checkbox. Then, from the pull-down menu, select Secure Gateway Tunnel.
ID Type:
- Left pull-down menu: From the left pull-down menu, select Domain Name. Then, below, enter the local FQDN that you entered on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-10). In this example, the domain name is utm_local.com.
- Right pull-down menu: From the right pull-down menu, select Gateway IP Address. Then, below, enter the IP address of the WAN interface that you selected on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-10). In this example, the WAN
577. us of the WAN port is identical to the one for the WAN1 port, with the exception that you must select the WAN2 ISP Settings submenu tab to display the WAN2 ISP Setting screen. Viewing Attached Devices and the DHCP Log. The LAN Groups screen contains a table of all IP devices that the UTM has discovered on the local network. The LAN Setup screen lets you access the DHCP log. Viewing Attached Devices. To view the attached devices in the LAN Groups screen: 1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view (see Figure 11-20 on page 11-30), which contains some profiles in the VLAN Profiles table as an example. [Figure 11-20: LAN Setup screen with an example VLAN Profiles table (columns Subnet IP and DHCP Status; example rows defaultVlan, 192.168.1.1, DHCP Enabled and SalesVLAN, 192.170.1.100, DHCP Disabled; Select All, Delete, Enable, Disable and Add buttons) and the VLAN assignment of Port 1 to Port 4 and the DMZ port] 2. Click the LAN Groups submenu tab. The LAN Groups screen displays. Figure 11-21 shows some examples in the Known PCs and Devices table. [Figure 11-21: Known PCs and Devices table (columns Name, IP Address, MAC Address and group; example entries Marketing (192.168.1.15), Sales (192.168.1.20) and Sales EMEA (192.168.1.35))]
578. uses both port 25 and port 2525, enter both port numbers in the Ports to Scan field and separate them by a comma. Note: the following protocols are not supported by the UTM: SMTP over SSL using port number 465, POP3 over SSL using port number 995, and IMAP over SSL using port number 993. 3. Click Apply to save your settings. Customizing E-mail Anti-Virus and Notification Settings. Whether or not the UTM detects an e-mail virus, you can configure it to take a variety of actions (some of the default actions are listed in Table 6-1 on page 6-2), send notification e-mails, or both, to the end users. To configure the e-mail anti-virus settings: 1. Select Application Security > Email Anti-Virus from the menu. The Email Anti-Virus screen displays. [Email Anti-Virus screen: Action (SMTP: Block infected email; POP3: Delete attachment; IMAP: Delete attachment); Scan Exceptions (skip the file or message if it is larger than the given size in KB, maximum 10240 KB); Notification Settings (Insert Warning into Email Subject for SMTP, with Malware Found and No Malware Found texts, the latter MALWARE FREE; Append Safe Stamp for SMTP and POP3, with the message "No malware was found. NETGEAR ProSecure Web and Email Threat Manager has scanned this mail and its attachment(s)"; Append Warning if Attachment Exceeds Scan Size Limit)]
579. using DHCP network protocol. Use Static IP Address: if your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button and enter the following settings. IP Address: the static IP address assigned to you; this address identifies the UTM to your ISP. Subnet Mask: the subnet mask is usually provided by your ISP. Gateway IP Address: the IP address of the ISP's gateway, usually provided by your ISP. 7. Configure the Domain Name Server (DNS) servers settings as explained in Table 3-4 on page 3-9. [Figure 3-7: DNS Server settings (Get Automatically from ISP / Use These DNS Servers radio buttons; Primary DNS Server and Secondary DNS Server fields, the latter showing 172.16.0.113 as an example)] Table 3-4, DNS Server Settings (Setting: Description or Subfield and Description). Get Automatically from ISP: if your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get Automatically from ISP radio button. Use These DNS Servers: if your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Ensure that you fill in valid DNS server IP addresses in the fields; incorrect DNS entries might cause connectivity issues. Primary DNS Server: the IP address of the primary DNS server. Secondary DNS Server: the IP address of the seco
580. v 29 11:20:51 UTM pppd Connection terminated. Explanation: Message 1: starting PPP connection process. Message 2: message from server for authentication success. Message 3: local IP address assigned by the server. Message 4: server-side IP address. Message 5: primary DNS configured in the WAN status page. Message 6: secondary DNS configured in the WAN status page. Message 7: sensing idle link. Message 8: data sent and received at the LAN side while the link was up. Message 9: PPP connection terminated after idle timeout. Recommended Action: to reconnect during idle mode, initiate traffic from the LAN side. PPP Authentication Logs. Table C-12, System Logs: WAN Status, PPP Authentication. Message: Nov 29 11:29:26 UTM pppd Starting link; Nov 29 11:29:29 UTM pppd Remote message: Login incorrect; Nov 29 11:29:29 UTM pppd PAP authentication failed; Nov 29 11:29:29 UTM pppd Connection terminated; WAN2 DOWN. Explanation: Starting link: starting PPPoE connection process. Remote message: Login incorrect: message from the PPPoE server for an incorrect login. PAP authentication failed: PPP authentication failed due to incorrect login. Connection terminated: PPP connection terminated. Recommended Action: if authentication fails, check the login password and enter the correct one.
581. [Figure 6-11: Content Filtering screen (3 of 3): Schedule (Do you want this schedule to be active on all days or specific days? All Days / Specific Days with weekday checkboxes; Time of Day: Do you want this schedule to be active all day or at specific times during the day? All Day / Specific Times with Start Time and End Time in hours and minutes, AM/PM); Notification Settings (Replace the Content of a Blocked Page with the Following Text, prefilled with an HTML "NETGEAR ProSecure User Notification" page; note: use URL to show the URL of the blocked page); Web Category Lookup (enter a URL and click Lookup to see if it has been categorized; Lookup Results; link to Report a URL Misclassification)] 3. Enter the settings as explained in Table 6-8 on page 6-28. Table 6-8, Content Filtering Settings (Setting: Description or Subfield and Description). Content Filtering. Log HTTP Traffic: select this checkbox to log HTTP traffic. For information about how to view the logged traffic, see Quer
582. ver and Authentication Secret fields. NT Domain: Microsoft Windows NT Domain; complete the Authentication Server and Workgroup fields. Active Directory: Microsoft Active Directory; complete the Authentication Server and Active Directory Domain fields. LDAP: Lightweight Directory Access Protocol (LDAP); complete the Authentication Server and LDAP Base DN fields. Select Portal: the pull-down menu shows the SSL portals that are listed on the Portal Layout screen. From the pull-down menu, select the SSL portal with which the domain is associated. For information about how to configure SSL portals, see Creating the Portal Layout on page 8-18. Authentication Server: the server IP address or server name of the authentication server, for any type of authentication other than authentication through the local user database. Authentication Secret: the authentication secret or password that is required to access the authentication server, for RADIUS, WIKID or MIAS authentication. Workgroup: the workgroup that is required for Microsoft NT Domain authentication. LDAP Base DN: the LDAP base distinguished name (DN) that is required for LDAP authentication. Active Directory Domain: the Active Directory domain name that is required for Microsoft Active Directory authentication. 4. Click Apply to save your settings. The domain is added to the List of Domains table. 5. If you use local authentication, make sure that i
583. w 2. Click the Portal Layouts submenu tab. The Portal Layout screen displays. Figure 8-12 shows layouts in the List of Layouts table as an example. [Figure 8-12: Portal Layouts screen (VPN submenu tabs: IPSec VPN, Certificates, Policies, Resources, Portal Layouts, SSL VPN Client, Port Forwarding) with an example List of Layouts table (columns Layout Name, Description, Use Count, Portal URL, Action; example layouts SSL-VPN (the default) and CustomerSupport, each with an "In case of login difficulty call" description and a portal URL under https://192.168.50.60/portal/; Default Portal Layout, Select All, Delete and Add buttons)] The List of Layouts table displays the following fields. Layout Name: the descriptive name of the portal. Description: the banner message that is displayed at the top of the portal (see Figure 8-8 on page 8-15). Use Count: the number of remote users that are currently using the portal. Portal URL: the URL at which the portal can be accessed. Action: the table buttons that allow you to edit or delete the portal layout. 3. Under the List of Layouts table, click the Add table button. The Add Portal Layout screen displays. Figure 8-13 shows some examples. [Figure 8-13: Add Portal Layout screen, starting with the Portal Layout Name field]
584. w net is allowed, and any URL that ends with com is allowed. Delete: to delete one or more URLs, highlight the URLs and click the Delete table button. Export: to export the URLs, click the Export table button and follow the instructions of your browser. Add URL: type or copy a URL in the Add URL field, then click the Add table button to add the URL to the URL field. Import from File: to import a list with URLs into the URL field, click the Browse button and navigate to a file in txt format that contains line-delimited URLs (that is, one URL per line), then click the Upload table button to add the URLs to the URL field. Note: any existing URLs in the URL field are overwritten when you import a list of URLs from a file. Blacklist. Enable: select this checkbox to block the URLs that are listed in the URL field. Users attempting to access these URLs receive a notification (see below). Table 6-9, URL Filtering Settings (continued) (Setting: Description or Subfield and Description). URL: this field contains the URLs that are blocked. To add a URL to this field, use the Add URL field or the Import from File tool (see below). You can add a maximum of 200 URLs. Note: if a URL is on both the whitelist and the blacklist, then the whitelist take
585. wn menu, select the authentication method that the UTM applies. Local User Database (default): users are authenticated locally on the UTM. This is the default setting; you do not need to complete any other fields on this screen. Radius PAP: RADIUS Password Authentication Protocol (PAP); complete the Authentication Server and Authentication Secret fields. Radius CHAP: RADIUS Challenge Handshake Authentication Protocol (CHAP); complete the Authentication Server and Authentication Secret fields. Radius MSCHAP: RADIUS Microsoft CHAP; complete the Authentication Server and Authentication Secret fields. Radius MSCHAPv2: RADIUS Microsoft CHAP version 2; complete the Authentication Server and Authentication Secret fields. WIKID PAP: WIKID Systems PAP; complete the Authentication Server and Authentication Secret fields. Table 9-2, Add Domain Settings (continued) (Setting: Description or Subfield and Description). Authentication Type (continued). WIKID CHAP: WIKID Systems CHAP; complete the Authentication Server and Authentication Secret fields. MIAS PAP: Microsoft Internet Authentication Service (MIAS) PAP; complete the Authentication Server and Authentication Secret fields. MIAS CHAP: Microsoft Internet Authentication Service (MIAS) CHAP; complete the Authentication Ser
586. work to keep the tunnel alive. For more information, see The VPN Policies Screen on page 7-31. Tip: for DHCP WAN configurations, first set up the tunnel with IP addresses. After you have validated the connection, you can use the wizard to create new policies using the FQDN for the WAN addresses. 4. Click Apply to save your settings. The IPsec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled. [Figure 7-6: VPN Policies screen with the new policy in the List of VPN Policies table (columns Name, Type, Local and Remote; example row GW1 to GW2, Auto Policy, local 192.168.1.0 / 255.255.255.0, remote 192.172.1.0 / 255.255.255.0; Client Policy; Select All, Delete, Enable, Disable and Add buttons)] Configure a VPN policy on the remote gateway that allows connection to the UTM. Activate the IPsec VPN connection: a. Select Monitoring > Active Users & VPNs from the menu. The Active Users & VPNs submenu tabs appear with the Active Users screen in view. b. Click the IPSec VPN Connection Status submenu tab. The IPSec VPN Connection Status screen displays. [IPSec VPN Connection Status screen (The page will auto refresh in 4 seconds; Active IPSec SA's table with columns Policy Name, Endpoint, Tx KB, Tx Packets and State; example row GW1 to GW2, endpoint 75.34.173.25
587. xceed 49 characters. This VPN tunnel will use the following local WAN Interface (dual WAN port models only): for the dual WAN port models only, select one of the two radio buttons, WAN1 or WAN2, to specify which local WAN interface the VPN tunnel uses as the local endpoint. Note: if a dual WAN port model is configured to function in WAN auto-rollover mode, after completing the wizard you must manually update the VPN policy to enable VPN rollover. For more information, see Manually Adding or Editing a VPN Policy on page 7-33. End Point Information. What is the Remote Identifier Information?: when you select the Client radio button in the About VPN Wizard section of the screen, the default remote FQDN (utm_remote.com) is automatically entered. Use the default remote FQDN or enter another FQDN. What is the Local Identifier Information?: when you select the Client radio button in the About VPN Wizard section of the screen, the default local FQDN (utm_local.com) is automatically entered. Use the default local FQDN or enter another FQDN. Secure Connection Remote Accessibility. What is the remote LAN IP Address? What is the remote LAN Subnet Mask?: these fields are masked out for VPN client connections. (a) Both local and remote endpoints should be defined as either FQDNs or IP addresses; a combination of an IP address and an FQDN is not supported.
588. [Figure B-12 (end of legend): FQDN optional for fixed IP addresses, required for dynamic IP addresses; remote PC running the NETGEAR ProSafe VPN Client] The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Gateway to Gateway. The following situations exemplify the requirements for a gateway VPN firewall such as a UTM to establish a VPN tunnel with another gateway VPN firewall: single gateway WAN ports; redundant dual gateway WAN ports for increased reliability (before and after rollover); dual gateway WAN ports for load balancing. VPN Gateway to Gateway, Single Gateway WAN Ports, Reference Case. In a configuration with two single WAN port gateways, either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in advance (see Figure B-13 on page B-14). [Figure B-13: Gateway-to-Gateway Example, Single WAN Ports: Gateway A, a VPN router at office A (LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP 22.23.24.25, FQDN netgear.dyndns.org), and Gateway B, a VPN router at office B (LAN 172.23.9.0/24, LAN IP 172.23.9.1); Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses] The IP address of the gatew
589. xplanation: Short packet. Recommended Action: None. Message: INVALID INVALID_STATE DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899. Explanation: packet with invalid state. Recommended Action: None. Message: 2007 Oct 1 00:44:17 UTM kernel INVALID REOPEN_CLOSE_CONN DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899. Explanation: attempt to re-open a closed session. Recommended Action: None. Message: 2007 Oct 1 00:44:17 UTM kernel INVALID OUT_OF_WINDOW DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899. Explanation: packet not in TCP window. Recommended Action: None. Message: 2007 Oct 1 00:44:17 UTM kernel INVALID ERR_HELPER_ROUTINE DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899. Table C-17, System Logs: Invalid Packets (continued). Explanation: error returned from helper routine. Recommended Action: None. Content Filtering and Security Logs. This section describes the log messages that are generated by the content filtering and security mechanisms. Web Filtering and Content Filtering Logs. This section describes logs that are generated when the UTM filters Web content. Table C-18, Content Filtering and Security Logs: Web Filtering and C
590. y, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the name of the desired PC or device. There is no need to reserve an IP address for a PC in the DHCP server: all IP address assignments made by the DHCP server are maintained until the PC or device is removed from the Network Database, either by expiration (inactive for a long time) or by you. There is no need to use a fixed IP address on a PC: because the IP address allocated by the DHCP server never changes, you do not need to assign a fixed IP address to a PC to ensure that it always has the same IP address. A PC is identified by its MAC address, not its IP address: the Network Database uses the MAC address to identify each PC or device. Therefore, changing a PC's IP address does not affect any restrictions applied to that PC. Control over PCs can be assigned to groups and individuals: you can assign PCs to groups (see Managing the Network Database on this page) and apply restrictions (outbound rules and inbound rules) to each group (see Using Rules to Block or Allow Specific Kinds of Traffic on page 5-3). You can select groups that are allowed access to applications, Web categories and URLs that you have blocked for all other users, or, the other way around, block access to applications, Web categories and URLs that you have allowed access to for all other users (see Setting Web Access Exceptions and Scanning Exclusions on pa
591. Hardware Features. The front panel ports and LEDs, rear panel ports, and bottom label of the UTM are described below. Front Panel. Viewed from left to right, the UTM front panel contains the following ports (see Figure 1-2 on page 1-10, which shows a dual WAN port model, the UTM25): one non-functioning USB port (this port is included for future management enhancements; the port is currently not operable on the UTM); LAN Ethernet ports: four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors; WAN Ethernet ports: one (single WAN port models) or two (dual WAN port models) independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors. The front panel also contains three groups of status indicator light emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in Table 1-2. [Figure 1-2: front panel of the UTM25 with the Power LED, Test LED, DMZ LED, USB port, left and right LAN LEDs, left and right WAN LEDs, and Active WAN LEDs] Note: Figure 1-2 shows a dual WAN port model, the UTM25. Single WAN port models contain the left WAN port that is shown in Figure 1-2 but no
592. y WAN Port, Reference Case. In a single WAN port gateway configuration, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. [Figure B-17: Telecommuter Example, Single WAN Port: Gateway A, a VPN router at the employer's main office (LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP); NAT Router B at the telecommuter's home office with a dynamic WAN IP (shown as 0.0.0.0); Client B, a remote PC running the NETGEAR ProSafe VPN Client; Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses] The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you must use an FQDN. If the IP address is fixed, an FQDN is optional. VPN Telecommuter, Dual Gateway WAN Ports for Improved Reliability. In a dual WAN port auto-rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in Figure B-18) because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. [Figure B-18: Telecommuter Example, Dual WAN Ports, Before Rollover: Gateway A (LAN 10.5.6.0/24, LAN IP, WAN IP), NAT Router B, Client B
593. y of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified. You can obtain a digital certificate from a well-known commercial certificate authority (CA) such as Verisign or Thawte, or you can generate and sign your own digital certificate. Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate from a commercial CA provides a strong assurance of the server's identity. A self-signed digital certificate triggers a warning from most browsers because it provides no protection against identity theft of the server. The UTM contains a self-signed digital certificate from NETGEAR. This certificate can be downloaded from the UTM login screen for browser import. However, NETGEAR recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA prior to deploying the UTM in your network. To display the Certificates screen, select VPN > Certificates from the menu. Because of the large size of this screen and because of the way the information is presented, the Certificates screen is divided and presented in this manual in three figures: Figure 9-11 on page 9-19, Figure 9-13 on page 9-22, and Figure 9-15 on page 9-26. The Certificates screen lets you view the currently loaded digital certificates, upload a new digital certificate, and generate a Certificate Signing Request (CSR). The UTM typically holds two ty
594. y settings below. Update From: set the update source server by selecting one of the following radio buttons. Default update server: files are updated from the default NETGEAR update server. Server address: files are updated from the server that you specify; enter the IP address or host name of the update server. Update Frequency: specify the frequency with which the UTM checks for file updates. Weekly: from the pull-down menus, select the weekday, hour, and minutes that the updates occur. Daily: from the pull-down menus, select the hour and minutes that the updates occur. Every: from the pull-down menu, select the frequency with which the updates occur; the range is from 15 minutes to 12 hours. HTTPS Proxy Settings. Enable: if computers on the network connect to the Internet via a proxy server, select the Enable checkbox to specify and enable a proxy server. Enter the following settings. Proxy server: the IP address and port number of the proxy server. User name: the user name for proxy server authentication. Password: the password for proxy server authentication. Setup Wizard Step 10 of 10: Saving the Configuration. [Figure 2-16: Setup Wizard Step 10 of 10 (The system will be restarted. Note: The system IP address is 192.168.1.1)] Click Apply to save your settings and automatically restart the system.
595. y to manage the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance. [Figure B-16: Gateway-to-Gateway Example, Dual WAN Ports, Load Balancing: Gateway A, a VPN router at office A (LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN ports WAN_A1 and WAN_A2), and Gateway B, a VPN router at office B (LAN 172.23.9.0/24, LAN IP 172.23.9.1, WAN ports WAN_B1 and WAN_B2); example FQDNs netgear1.dyndns.org (22.23.24.25) and netgear2.dyndns.org (22.23.24.26); Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses] The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Telecommuter, Client to Gateway Through a NAT Router. Note: the telecommuter case presumes the home office has a dynamic IP address and NAT router. The following situations exemplify the requirements for a remote PC client, connected to the Internet with a dynamic IP address through a NAT router, to establish a VPN tunnel with a gateway VPN firewall such as a UTM at the company office: single gateway WAN port; redundant dual gateway WAN ports for increased reliability (before and after rollover); dual gateway WAN ports for load balancing. VPN Telecommuter, Single Gatewa
596. ying Logs and Generating Reports on page 11-32. By default, HTTP traffic is not logged. Note: logging HTTP traffic might affect the UTM's performance (see Performance Management on page 10-1). Block Files with the Following Extensions: by default, the File Extension field lists the most common file extensions. You can manually add or delete extensions; use commas to separate different extensions. You can enter a maximum of 40 file extensions; the maximum total length of this field, excluding the delimiter commas, is 160 characters. You can also use the pull-down menu to add predefined file extensions from a specific category to the File Extension field. None: no file extensions are added to the File Extension field (this is the default setting). Executables: executable file extensions (exe, com, dll, so, lib, scr, bat, and cmd) are added to the File Extension field. Audio/Video: audio and video file extensions (wav, mp3, avi, rm, rmvb, wma, wmv, mpg, mp4, and aac) are added to the File Extension field. Compressed Files: compressed file extensions (zip, rar, gz, tar, and bz2) are added to the File Extension field. Full Text Search (note: this is keyword blocking). Block web pages with the Following keywords: select the checkbox to enable keyword blocking, then enter the keywords that you want to be blocked. Separate the keywords by a comma. Note: keyword searching and blocking might affect the UTM's performan
597. your UTM to clone or spoof the MAC address from the authorized PC. You can do this in the Router's MAC Address section of the WAN1 Advanced Options or WAN2 Advanced Options screen of the dual WAN port models, or in the Router's MAC Address section of the WAN Advanced Options screen of the single WAN port models (see Configuring Advanced WAN Options on page 3-22). Restoring the Default Configuration and Password. To reset the UTM to the original factory default settings, you can use one of the following two methods. Push the Reset button on the rear panel of the UTM (see Rear Panel on page 1-12) and hold the Reset button for about eight seconds, until the Test LED turns on and begins to blink (about 30 seconds). To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Reset button method. On the Backup & Restore Settings screen (see Figure 12-1), next to Revert to factory default settings, click the Default button. a. To display the Backup & Restore Settings screen, select Administration > Backup & Restore Settings from the menu (see Figure 12-1 on page 12-9). [Figure 12-1: Backup & Restore Settings screen (Administration submenu tabs: Remote Management, SNMP, System Update, System Date & Time, Backup & Restore Settings)]
598. [Figure 11-25: report scheduling settings (Monitoring submenu tabs: System Status, Active Users & VPNs, Dashboard, Diagnostics, Email and Syslog, Firewall Logs, Alerts, Log Query, Generate Report) with Frequency checkboxes (Daily: occurs at 03:00 am every day; Weekly: occurs at 03:00 am on the Sunday of the week; Monthly: occurs at 03:00 am on the first day of the month), Reports checkboxes (Email Reports, Web Reports, System Reports), Send Report by Email with a Recipients field (note: use commas to separate email addresses, for example admin1@yourdomain.com, admin2@yourdomain.com), Number of Reports to Keep (example value 5, range 0 to 12), and a report list with Report Date, Type, Download and Delete columns] 3. Enter the settings as explained in Table 11-17. Table 11-17, Schedule Report Settings (Setting: Description or Subfield and Description). Report Settings. Frequency: select one of the following checkboxes to specify the frequency with which the reports are generated and e-mailed. Daily: the report is generated daily at 3:00 am. Weekly: the report is generated weekly on Sunday at 3:00 am. Monthly: the report is generated monthly on the first day of the month at 3:00 am. Table 11-17, Schedule Report Settings (continued) (Setting: Description or Subfield and Description). Reports: select one or more checkboxes to specify the reports that are generated. E
