ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
Contents
1. Dynamic: FQDN required; FQDN required. VPN Telecommuter (client-to-gateway through a NAT router): Fixed: FQDN required; FQDN allowed (optional). Dynamic: FQDN required; FQDN required. a. All tunnels must be re-established after a rollover, using the new WAN IP address.
(Virtual Private Networking Using IPsec Connections, page 7-2; ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual, v1.0, September 2009.)
Using the IPsec VPN Wizard for Client and Gateway Configurations. You can use the IPsec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following scenarios: using the wizard to configure a VPN tunnel between two VPN gateways; using the wizard to configure a VPN tunnel between a VPN gateway and a VPN client.
Configuring a VPN tunnel connection requires that all settings on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the IPsec keys and VPN policies it sets up. The VPN Wizard also configures the settings for the network connection: security association (SA), traffic selectors, authentication algorithm, and encryption. The settings that are used by the VPN Wizard are based on the recommendations of the VPN Consortium (VPNC), an or
2. Encryption Algorithm: From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA): DES (Data Encryption Standard); 3DES (Triple DES), which is the default algorithm; AES-128 (Advanced Encryption Standard with a 128-bit key); AES-192 (AES with a 192-bit key); AES-256 (AES with a 256-bit key).
Key In: The encryption key for the inbound policy. The length of the key depends on the selected encryption algorithm: DES, enter 8 characters; 3DES, enter 24 characters; AES-128, enter 16 characters; AES-192, enter 24 characters; AES-256, enter 32 characters.
Key Out: The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm; the required key lengths are the same as for the Key In field above.
SPI Outgoing: The Security Parameters Index (SPI) for the outbound policy. Enter a hexadecimal value between 3 and 8 characters, for example 0x1234.
Table 7-12, Add VPN Policy Settings (continued). Integrity Algorithm: From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process: SHA-1 (Hash
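Manual keying puts the burden of key hygiene on the administrator: the UTM only checks that each key has the length the table lists. The following is an added example (not NETGEAR code) that re-checks the Table 7-12 rules offline before a policy is committed and adds the checks a practitioner wants on top: it refuses DES and 3DES (an assumption of this example's own policy, not something the UTM enforces), rejects identical inbound and outbound keys, flags keys typed from a narrow alphabet, and treats the reserved SPI range 0 to 255 from RFC 4303 as an error. The optional "0x" prefix on the SPI and MD5 as the second integrity option are read into the truncated text above and are assumptions.

```python
"""Sanity-check manual-key IPsec policy fields before committing them.

Added example, not NETGEAR code. Encodes the Table 7-12 rules (key length per
algorithm, SPI as 3 to 8 hex digits) and adds checks the table does not make.
"""
import re

# Key length in characters per algorithm (Table 7-12).
KEY_LENGTHS = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
# The page shows SHA-1 and is cut off before the second entry, assumed to be MD5.
INTEGRITY = {"SHA-1", "MD5"}
# Our own refusal list (assumption): 56-bit DES and 3DES should not be chosen.
DEPRECATED_ENC = {"DES", "3DES"}
# "Hexadecimal value between 3 and 8 characters, for example 0x1234", read here
# as 3..8 hex digits with an optional 0x prefix (assumption).
SPI_RE = re.compile(r"^(?:0x)?([0-9a-fA-F]{3,8})$")
# RFC 4303 reserves SPI values 0..255 (1..255 by IANA, 0 for local use).
SPI_RESERVED_MAX = 255


def character_classes(key):
    """Number of distinct classes (lower, upper, digit, other) used in key."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in key) for test in classes)


def validate_policy(enc_alg, key_in, key_out, spi_out, integ_alg):
    """Return a list of problems; an empty list means the fields are acceptable."""
    problems = []
    need = KEY_LENGTHS.get(enc_alg)
    if need is None:
        problems.append(f"unknown encryption algorithm {enc_alg!r}")
    else:
        if enc_alg in DEPRECATED_ENC:
            problems.append(f"{enc_alg} is deprecated; choose AES-128 or stronger")
        for field, key in (("Key In", key_in), ("Key Out", key_out)):
            if len(key) != need:
                problems.append(f"{field}: {enc_alg} needs {need} characters, got {len(key)}")
            # 16 printable ASCII characters carry well under 128 bits even at
            # best; a single-class key carries far less, so insist on variety.
            if character_classes(key) < 3:
                problems.append(f"{field}: low-entropy key, use at least three character classes")
    if key_in == key_out:
        problems.append("Key In and Key Out are identical; use an independent key per direction")
    m = SPI_RE.match(spi_out)
    if not m:
        problems.append(f"SPI Outgoing {spi_out!r} must be 3 to 8 hex digits, for example 0x1234")
    elif int(m.group(1), 16) <= SPI_RESERVED_MAX:
        problems.append(f"SPI Outgoing {spi_out} is in the reserved range 0x000-0x0ff")
    if integ_alg not in INTEGRITY:
        problems.append(f"unknown integrity algorithm {integ_alg!r}")
    return problems


if __name__ == "__main__":
    for p in validate_policy("DES", "abcdefgh", "abcdefgh", "0x12", "SHA-1"):
        print("-", p)
```

Run the same checks on the peer's configuration as well; the tunnel only comes up when both sides hold mirrored values, and a typo in one 32-character key is far easier to spot here than in an IKE-less manual-key negotiation that simply drops traffic.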
3. Note: Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic.
Single WAN Port Mode: The selected WAN interface is made primary and the other is disabled.
For whichever WAN mode you choose, you must also choose either NAT or classical routing, as explained in the following sections.
Network Address Translation (UTM10 and UTM25). Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the UTM) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet. The UTM uses NAT to select the correct PC on your LAN to receive any incoming data. If you have only a single public Internet IP address, you must use NAT (the default setting). If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule. Hiding LAN addresses behind NAT is not an access control: each one-to-one inbound mapping exposes the mapped PC to the Internet and should be restricted to the services and sources that the inbound rule needs.
To configure NAT: 1. Select Network Config > WAN Settings from the menu, then click the
4. Audio/Video: Audio and video file extensions (wav, mp3, avi, rm, rmvb, wma, wmv, mpg, mp4, and aac) are added to the File Extension field.
Compressed Files: Compressed file extensions (zip, rar, gz, tar, and bz2) are added to the File Extension field. Extension blocking matches the file name, not the file contents, so a renamed file passes; use it together with the malware scan rather than instead of it.
Full Text Search (Note: this is keyword blocking). Block web pages with the following keywords: Select the checkbox to enable keyword blocking, then enter the keywords that you want to be blocked. Separate the keywords by a comma. Note: Keyword searching and blocking might affect the UTM's performance; see Performance Management on page 10-1.
Block Web Objects: Select any or all of the following checkboxes. Remove Embedded Objects: All embedded objects, such as ActiveX, Java, and Flash objects, are removed from downloaded Web pages. Note: Because embedded objects are commonly used on legitimate Web sites, blocking embedded objects globally might have a negative impact on a user's Web browsing experience. Disable Javascript: Javascript is disabled on downloaded Web pages. Proxy: All Web proxy servers are blocked. Cookies: All cookies are blocked.
Table 6-8, Content Filtering Settings (continued). Select the Web Categori
5. Confirm Password: This field must be identical to the Password field above.
Idle Timeout: The period after which an idle user is automatically logged out of the Web management interface. The default idle timeout period is 10 minutes.
4. Click Apply to save your settings. The user is added to the List of Users table.
To delete one or more users: 1. In the List of Users table, select the checkbox to the left of the user that you want to delete, or click the select all table button to select all users. You cannot delete a default user. 2. Click the delete table button.
Setting User Login Policies. You can restrict the ability of defined users to log into the UTM's Web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers. The browser restriction relies on the User-Agent string that the client itself sends, so treat it as a convenience and rely on the source IP address restriction for actual access control.
Configuring Login Policies. To configure user login policies: 1. Select Users > Users from the menu. The Users screen displays (see Figure 9-5 on page 9-10). 2. In the Action column of the List of Users table, click the policies table button for the user for which you want to set login policies. The Policies submenu tabs appear, with the Login Policies screen in view.
[Login Policies screen: tabs Login Policies, by Source IP Address, by Client Browser; fields: User Name (techpub), Disable Login, Den
6. Figure 9-1. The List of Domains table displays the domains with the following fields. Checkbox: Allows you to select the domain in the table. Domain Name: The name of the domain; the default domain name (geardomain) is appended by an asterisk. Authentication Type: The authentication method that is assigned to the domain. Portal Layout Name: The SSL portal layout that is assigned to the domain. Action: The edit table button that provides access to the Edit Domain screen.
2. Under the List of Domains table, click the add table button. The Add Domain screen displays.
[Figure 9-2, Add Domain screen: Domain Name; Authentication Type (RADIUS-MSCHAPv2 shown); Select Portal (SSL-VPN); Authentication Server; Authentication Secret; Workgroup; LDAP Base DN; Active Directory Domain.]
3. Enter the settings as explained in Table 9-2.
Table 9-2, Add Domain Settings. Domain Name: A descriptive alphanumeric name of the domain for identification and management purposes. Authentication Type (Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured; see RADIUS Client Configuration on page 7-39): From the pull-down menu
7. Add DMZ WAN Outbound Service screen. For more information about firewall rules, see Using Rules to Block or Allow Specific Kinds of Traffic on page 5-3.
It is important that you ensure that any secondary WAN addresses are different from the primary WAN, LAN, and DMZ IP addresses that are already configured on the UTM. However, primary and secondary WAN addresses can be in the same subnet. The following is an example of properly configured IP addresses on the UTM25:
Primary WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0
Secondary WAN1 IP: 30.0.0.1 with subnet 255.0.0.0
Primary WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0
Secondary WAN2 IP: 40.0.0.1 with subnet 255.0.0.0
DMZ IP address: 192.168.10.1 with subnet 255.255.255.0
Primary LAN IP address: 192.168.1.1 with subnet 255.255.255.0
Secondary LAN IP: 192.168.20.1 with subnet 255.255.255.0
To add a secondary WAN address to a WAN port: 1. Select Network Config > WAN Settings from the menu. On the UTM25, the WAN Settings submenu tabs appear with the WAN1 ISP Settings screen in view. On the UTM10, the WAN ISP Settings screen displays. 2. Click the Secondary Addresses option arrow. On the UTM25, the WAN1 Secondary Addresses screen displays (see Figure 3-10, which shows the UTM25 screen with some exampl
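The rule above has two parts: no two interface addresses may be the same, and the LAN and DMZ networks must not collide with each other or with a WAN network, while a WAN port's own primary and secondary addresses may share a subnet. The following is an added example (not NETGEAR code) that checks an addressing plan against both parts before it is typed into the UTM, using the manual's UTM25 example as its test data. The interface names and the "same port may overlap, different ports may not" reading of the rule are this example's assumptions.

```python
"""Check a UTM addressing plan for duplicate addresses and colliding subnets.

Added example, not NETGEAR code. The plan is a mapping of interface name to
"address/netmask"; the first word of the name identifies the physical port.
"""
import ipaddress
from itertools import combinations

# The manual's properly configured UTM25 example, used here as test data.
EXAMPLE_UTM25 = {
    "WAN1 primary": "10.0.0.1/255.0.0.0",
    "WAN1 secondary": "30.0.0.1/255.0.0.0",
    "WAN2 primary": "20.0.0.1/255.0.0.0",
    "WAN2 secondary": "40.0.0.1/255.0.0.0",
    "DMZ": "192.168.10.1/255.255.255.0",
    "LAN primary": "192.168.1.1/255.255.255.0",
    "LAN secondary": "192.168.20.1/255.255.255.0",
}


def check_addressing(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    ifaces = {name: ipaddress.ip_interface(spec) for name, spec in plan.items()}
    findings = []
    for (name_a, a), (name_b, b) in combinations(ifaces.items(), 2):
        # Rule 1: every configured address must be distinct.
        if a.ip == b.ip:
            findings.append(f"{name_a} and {name_b} use the same address {a.ip}")
            continue
        # Rule 2 (assumption): a port's primary and secondary addresses may
        # share a subnet, but subnets of different ports must not overlap,
        # otherwise the UTM cannot route between them unambiguously.
        same_port = name_a.split()[0] == name_b.split()[0]
        if not same_port and a.network.overlaps(b.network):
            findings.append(
                f"{name_a} ({a.network}) overlaps {name_b} ({b.network})")
    return findings


if __name__ == "__main__":
    broken = {**EXAMPLE_UTM25, "WAN2 secondary": "192.168.10.5/255.255.255.0"}
    for finding in check_addressing(broken):
        print("-", finding)
```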
8. Figure D-3.
Appendix E: Related Documents. This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
Using Microsoft Vista and Windows XP to Manage Wireless Network Connections: http://documentation.netgear.com/reference/enu/winzerocfg/vistaxpconfig.pdf
TCP/IP Networking Basics: http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Networking Basics: http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing Your Network: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm
Virtual Private Networking Basics: http://documentation.netgear.com/reference/enu/vpn/index.htm
Glossary: http://documentation.netgear.com/reference/enu/glossary/index.htm
9. Tip: If you are using a dynamic DNS service such as TZO, you can identify the WAN IP
Using an SNMP Manager. Simple Network Management Protocol (SNMP) forms part of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems to monitor network-attached devices for conditions that warrant administrative attention. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications. SNMP lets you monitor and manage your UTM from an SNMP manager. It provides a remote means to monitor and control network devices and to manage configurations, statistics collection, performance, and security. Community strings are sent in the clear and act as passwords, and the Set Community grants write access, so choose them as you would passwords and restrict the trusted hosts.
To configure the SNMP settings: 1. Select Administration > SNMP from the menu. The SNMP screen displays, with the following fields. Do You Want to Enable SNMP? (Yes/No). Read Community. Set Community. Contact (admin). Location. Trusted SNMP Hosts: Specify IP addresses or IP address ranges that are allowed to access SNMP. To allow access from all IP addresses and IP address ranges, leave the list blank. Example: 192.168.2.1, 192.168.2.0/24, 192.168.2.0 255.255.255.0. SNMP Traps: Specify IP
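The Trusted SNMP Hosts field accepts three notations, and a blank list means every source is trusted, which is the opposite of what an unattended field usually means. The following is an added example (not NETGEAR code) that parses the three notations shown above, answers whether a given manager address would be admitted, and audits a saved SNMP configuration for the blank-list case and for well-known default community strings. The configuration keys and the "public"/"private" default list are this example's assumptions.

```python
"""Evaluate the UTM's Trusted SNMP Hosts list and audit SNMP settings.

Added example, not NETGEAR code. Trusted-host entries use the three forms the
screen documents: a host, CIDR, or "address netmask".
"""
import ipaddress


def parse_trusted_host(entry):
    """Turn one Trusted SNMP Hosts entry into an ip_network."""
    entry = entry.strip()
    if " " in entry:                           # "192.168.2.0 255.255.255.0"
        addr, mask = entry.split()
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ipaddress.ip_network(entry, strict=False)   # host or a.b.c.d/nn


def snmp_allowed(manager_ip, trusted_entries):
    """True if the manager may talk SNMP to the UTM under this list."""
    if not trusted_entries:                    # blank list: every source allowed
        return True
    ip = ipaddress.ip_address(manager_ip)
    return any(ip in parse_trusted_host(e) for e in trusted_entries)


# Community strings that ship as defaults on much equipment (assumption).
WEAK_COMMUNITIES = {"public", "private"}


def audit_snmp(cfg):
    """Return findings for a configuration dict with the screen's fields."""
    findings = []
    if not cfg.get("enabled"):
        return findings
    if not cfg.get("trusted_hosts"):
        findings.append("trusted host list is blank, so any IP address may query or set via SNMP")
    read, write = cfg.get("read_community", ""), cfg.get("set_community", "")
    if read.lower() in WEAK_COMMUNITIES:
        findings.append(f"Read Community {read!r} is a well-known default")
    if write.lower() in WEAK_COMMUNITIES:
        findings.append(f"Set Community {write!r} is a well-known default")
    if read and read == write:
        findings.append("Read and Set communities are identical; a read-only manager also gets write access")
    return findings


# Constructed configurations for demonstration.
EXAMPLE_SNMP_WEAK = {"enabled": True, "read_community": "public",
                     "set_community": "private", "trusted_hosts": []}
EXAMPLE_SNMP_HARDENED = {"enabled": True, "read_community": "r7Qp2vLx9Ke",
                         "set_community": "wZ4mT8sHb1Qc",
                         "trusted_hosts": ["192.168.2.10", "192.168.2.0/24"]}

if __name__ == "__main__":
    for finding in audit_snmp(EXAMPLE_SNMP_WEAK):
        print("-", finding)
```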
10. Reports: Select one or more checkboxes to specify the reports that are generated: Email Reports, Web Reports, System Reports. Note: You can select all three checkboxes, but you might generate a very large report. Send Report by Email: Select this checkbox to enable the UTM to send the report to the recipients that you must specify below. Recipients: The e-mail addresses of the report recipients. Note: Use commas to separate e-mail addresses. Report List, Number of Reports to Keep: Enter the number of reports that the UTM saves. The maximum number is 12.
4. Click Apply to save your settings.
Using Diagnostics Utilities. The UTM provides diagnostic tools that help you analyze traffic conditions and the status of the network. Two sets of tools are available. Network diagnostic tools: These tools include a ping utility, traceroute utility, and DNS lookup utility, and the option to display the routing table. Traffic diagnostic tools: These tools allow you to perform real-time, per-protocol traffic analysis between specific source and destination addresses, and let you generate reports on network usage in your network. Note: For normal operation, diagnostic tools are not required.
To display the Diagnostics screen, select Monitoring > Diagnostics from the menu. To facilitate the explanation of the tools, the Diagnostics screen is divided and presented in this manual in three figures.
11. To disconnect an active user, click the disconnect table button to the right of the user's table entry.
Viewing the UTM SSL VPN Log. To query the SSL VPN log: 1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear, with the Email and Syslog screen in view. 2. Click the Logs Query submenu tab. The Logs Query screen displays. 3. From the Log Type pull-down menu, select SSL VPN. The SSL VPN logs display (Figure 8-11), for example:
2009 Jun 20 00:38:51 [UTM] [sslvpntunnel] id=UTM25 time="2009-6-20 0:38:51" fw=prosecure.homeip.net pri=6 rule=access-policy proto="SSL VPN Tunnel (Java)" src=208.123.146.89 user="techpubadmin" dst=prosecure.homeip.net arg="" op="" result="" rcvd="" msg="SSL VPN Tunnel (Java)"
Manually Configuring and Editing SSL Connections. To manually configure and activate SSL connections, perform the following six basic steps in the order that they are presented: 1. Edit the existing SSL portal or create a new one (see Creating the Portal Layout on page 8-18). When remote users log in to the UTM, they see a portal page that you can customize to present the resources and func
12. [Figure 8-18, List of SSL VPN Policies: columns Name, Service, Destination, Permission, Action; example row FTPServerPolicy, Port Forwarding, FTPServer, Permit. Related Policies (table populated only for Group or User): columns Name, Type, Service, Destination, Permission; example row RoadWarriorPolicy, Global, VPN Tunnel, RoadWarrior, Permit.]
2. Make your selection from the following Query options: Click Global to view all global policies. Click Group to view group policies, and choose the relevant group's name from the pull-down menu. Click User to view user policies, and choose the relevant user's name from the pull-down menu. 3. Click the Display action button. The List of SSL VPN Policies table displays the list for your selected Query option.
Adding a Policy. To add an SSL VPN policy: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear, with the Policies screen in view (see Figure 8-18, which shows some examples). 2. Under the List of SSL VPN Policies table, click the add table button. The Add Policy screen displays (see Figure 8-19 on page 8-34).
[Figure 8-19, Add Policy screen: Policy For (Global, Group, User; geardomain/admin shown); Apply Policy For (Network Resource, IP Address, Subnet Mask
13. Configuring Advanced WAN Options on page 3-22.
If your UTM can obtain an IP address but an attached PC is unable to load any Web pages from the Internet: Your PC might not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically, your ISP provides the addresses of one or two DNS servers for your use. You may configure your PC manually with DNS addresses, as explained in your operating system documentation. Your PC might not have the UTM configured as its TCP/IP gateway.
Troubleshooting a TCP/IP Network Using a Ping Utility. Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your PC or workstation.
Testing the LAN Path to Your UTM. You can ping the UTM from your PC to verify that the LAN path to the UTM is set up correctly. To ping the UTM from a PC running Windows 95 or later: 1. From the Windows toolbar, click Start and choose Run. 2. In the field provided, type ping followed by the IP address of the UTM, for example: ping 192.168.1.1. 3. Click OK. A message similar to th
14. Connect to the website of the CA. Start the SCR procedure. When prompted for the requested data, copy the data from your saved text file, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA. Download the digital certificate file from the CA and store it on your computer. Return to the Certificates screen (see Figure 9-13 on page 9-22) and locate the Self Certificate Requests section. 9. Select the checkbox next to the self certificate request. 10. Click Browse and navigate to the digital certificate file from the CA that you just stored on your computer. 11. Click the upload table button. If the verification process on the UTM approves the digital certificate for validity and purpose, the digital certificate is added to the Active Self Certificates table.
To delete one or more SCRs: 1. In the Self Certificate Requests table, select the checkbox to the left of the SCR that you want to delete, or click the select all table button to select all SCRs. 2. Click the delete table button.
Viewing and Managing Self Certificates. The Active Self Certificates table on the Certificates screen (see Figure 9-13 on page 9-22) shows the digital certificates issued to you b
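The UTM checks the uploaded certificate "for validity and purpose", but the most common upload failure is simpler: the CA returned a certificate for a different request, or a CA bundle instead of the end-entity certificate. The following is an added example (not NETGEAR's procedure) that reproduces the round trip offline with the openssl command-line tool and shows the two checks worth running before clicking upload: the certificate's public key must match the key that produced the request, and the certificate must chain to the CA you expect. The stand-in CA, the subject names, and the temporary directory are this example's assumptions; in a real deployment the CSR comes from the UTM and goes to your CA.

```shell
#!/bin/sh
# Added example, not NETGEAR's procedure. Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Key and certificate signing request. The UTM generates these itself;
#    the subject here is a constructed example.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/utm.key" \
      -out "$WORK/utm.csr" -subj "/CN=utm.example.test/O=Example" 2>/dev/null
}

# 2. Stand-in CA (assumption): a self-signed root that signs the request.
issue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
      -out "$WORK/ca.crt" -days 365 -subj "/CN=Example Test CA" 2>/dev/null
  openssl x509 -req -in "$WORK/utm.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -out "$WORK/utm.crt" -days 365 2>/dev/null
}

# 3. Does the certificate carry the public half of this private key?
#    Compares SHA-256 digests of both public keys; prints match or mismatch.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] && echo match || echo mismatch
}

# 4. Does the certificate chain to the CA that was supposed to issue it?
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
}

# Stand-alone run: generate, issue, then check.
gen_csr
issue_cert
echo "key match: $(cert_matches_key "$WORK/utm.crt" "$WORK/utm.key")"
echo "chain:     $(cert_chains_to "$WORK/ca.crt" "$WORK/utm.crt")"
```

Keep the CSR text you pasted into the CA form until the upload succeeds; if the key check reports a mismatch, the CA signed something else, and no amount of re-uploading will make the UTM accept the certificate for that request.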
15. Local user database; RADIUS PAP; RADIUS CHAP; RADIUS MSCHAP; RADIUS MSCHAPv2; WiKID PAP; WiKID CHAP; MIAS PAP; MIAS CHAP; NT Domain. SSL certificates supported: CA digital certificate; self digital certificate. Note: For default e-mail and Web scan settings, see Table 6-1 on page 6-2.
Appendix B: Network Planning for Dual WAN Ports (UTM25 Only). This appendix describes the factors to consider when planning a network using a firewall such as the UTM25 that has dual WAN ports. This appendix does not apply to the UTM10. This appendix contains the following sections: What to Consider Before You Begin (on this page); Overview of the Planning Process (page B-5); Inbound Traffic (page B-7); Virtual Private Networks (VPNs) (page B-9).
What to Consider Before You Begin. The UTM is a powerful and versatile solution for your networking needs. To make the configuration process easier and to understand all of the choices that are available to you, consider the following before you begin. 1. Plan your network. a. Determine whether you will use one or both WAN ports. For one WAN port, you might need a fully qualified domain name, either for convenience or to remotely access a dynamic WAN IP address. b. If you intend to use both WAN ports, determine whether you will use them in auto-rollover
16. [Figure 8-16, Resources screen. List of Resources: columns Resource Name, Service, Action; example rows FTPServer, Port Forwarding; RoadWarrior, VPN Tunnel. Add New Resource: Resource Name; Service (VPN Tunnel shown).]
3. In the Add New Resource section of the screen, specify information in the following fields. Resource Name: A descriptive name of the resource for identification and management purposes. Service: From the Service pull-down menu, select the type of service to which the resource applies: VPN Tunnel (the resource applies only to a VPN tunnel); Port Forwarding (the resource applies only to port forwarding); All (the resource applies both to a VPN tunnel and to port forwarding). 4. Click the add table button. The new resource is added to the List of Resources table.
To delete one or more network resources: 1. Select the checkbox to the left of the network resource that you want to delete, or click the select all table button to select all network resources. 2. Click the delete table button.
Editing Network Resources to Specify Addresses. 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear, with the Policies screen in view. 2. Click the Resources submenu tab. The Resources screen displays (see Figure 8-16 on page 8-29, which shows some example
17. System Logs: WAN Status, Auto-Rollover. Message:
Nov 17 09:59:09 [UTM] [wand] [LBFO] WAN1 Test Failed 1 of 3 times
Nov 17 09:59:39 [UTM] [wand] [LBFO] WAN1 Test Failed 2 of 3 times
Nov 17 10:00:09 [UTM] [wand] [LBFO] WAN1 Test Failed 3 of 3 times
Nov 17 10:01:01 [UTM] [wand] [LBFO] WAN1 Test Failed 4 of 3 times
Nov 17 10:01:35 [UTM] [wand] [LBFO] WAN1 Test Failed 5 of 3 times
Nov 17 10:01:35 [UTM] [wand] [LBFO] WAN1 DOWN, WAN2 UP, ACTIVE WAN2
Nov 17 10:02:25 [UTM] [wand] [LBFO] WAN1 Test Failed 6 of 3 times
Nov 17 10:02:25 [UTM] [wand] [LBFO] Restarting WAN1
Nov 17 10:02:57 [UTM] [wand] [LBFO] WAN1 Test Failed 7 of 3 times
Nov 17 10:03:27 [UTM] [wand] [LBFO] WAN1 Test Failed 8 of 3 times
Nov 17 10:03:57 [UTM] [wand] [LBFO] WAN1 Test Failed 9 of 3 times
Nov 17 10:03:57 [UTM] [wand] [LBFO] Restarting WAN1
System Logs: WAN Status, Auto-Rollover (continued). Explanation: The logs suggest that the failover was detected after five attempts instead of three. However, the messages appear as above because of the WAN state transition logic, which is part of the failover algorithm. The logs above can be interpreted as follows: the primary link failure is properly detected after the 3rd attempt. Thereafter, the algorithm attempts to restart WAN1 and checks once again to see if WAN
18. About Content Filtering and Scans (on this page); Configuring E-mail Protection (page 6-3); Configuring Web and Services Protection (page 6-19); Setting Web Access Exceptions and Scanning Exclusions (page 6-41).
About Content Filtering and Scans. The UTM provides very extensive Web content and e-mail content filtering options, Web browsing activity reporting, e-mail anti-virus and anti-spam options, and instant alerts via e-mail. You can establish restricted Web access policies that are based on the time of day, Web addresses, and Web address keywords. You can also block Internet access by applications and services, such as instant messaging and peer-to-peer file sharing clients.
Note: Traffic that passes on the UTM's VLANs and on the secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configuring Multi-Home LAN IPs on the Default VLAN on page 4-11) is also scanned for content and malware threats.
Note: For information about how to monitor blocked content and malware threats in real time, see Monitoring Real-Time Traffic, Security, and Statistics on page 11-14. For information about how to view blocked content and malware threats in the logs, see Querying Logs and Generating Reports on page 11-32.
Default E-mail an
19. Viewing Port Triggering Status (page 11-26); Viewing the WAN Ports Status (page 11-27); Viewing Attached Devices and the DHCP Log (page 11-29); Viewing the DHCP Log (page 11-31).
Viewing System Status. The System Status screen provides real-time information about the following important components of the UTM: CPU, memory, and hard disk status, and the number of active connections per protocol; firmware versions and update information of the UTM software, versions and update information of the components, license expiration dates for each type of license, and the hardware serial number; WAN and LAN port information; interface statistics.
To view the System Status screen, click Monitoring > System Status. Because of the size of the System Status screen, it is divided and presented in this manual in three figures (Figure 11-10 on page 11-21, Figure 11-11 on page 11-22, and Figure 11-12 on page 11-23), all of which show examples for the UTM25, each with its own table that explains the fields. For the UTM25, the System Status screen shows information for both the WAN1 and WAN2 ports. For the UTM10, the System Status screen shows information for the single WAN port.
[System Status screen: System CPU 2.94%, Memory 32.31%, Disk 36.66%; Services: SMTP ON
20. 1. Cable security lock receptacle. 2. Console port: Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 9600. The pinouts are: pin 2, Tx; pin 3, Rx; pins 5 and 7, Gnd. 3. Factory default Reset button: Using a sharp object, press and hold this button for about eight seconds, until the front panel Test light flashes, to reset the UTM to factory default settings. All configuration settings are lost and the default password is restored. Anyone with physical access to the reset button or the console port can therefore regain administrative access; secure the chassis accordingly. 4. AC power receptacle: Universal AC input, 100 to 240 VAC, 50/60 Hz.
Bottom Panel With Product Label. The product label on the bottom of the UTM's enclosure displays factory default, regulatory compliance, and other information (see Figure 1-4 and Figure 1-5 on page 1-13).
Figure 1-4 shows the product label for the UTM10: NETGEAR ProSecure Unified Threat Management UTM10. This device complies with part 15 of the FCC Rules and Canada ICES-003. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. [VCCI Class A notice in Japanese.] DEFAULT ACCESS: http://192.168.1.1, user na
21. [Figure 9-6, Add User screen: User Name; User Type; Select Group; Password; Confirm Password; Idle Timeout (5 minutes shown).]
3. Enter the settings as explained in Table 9-4.
Table 9-4, Add User Settings. User Name: A descriptive alphanumeric name of the user for identification and management purposes. User Type: From the pull-down menu, select one of the pre-defined user types that determines the access credentials. Administrator: User who has full access and the capacity to change the UTM configuration (that is, read/write access). SSL VPN User: User who can only log in to the SSL VPN portal. IPSEC VPN User: User who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configuring Extended Authentication (XAUTH) on page 7-37). Guest User: User who can only view the UTM configuration (that is, read-only access). Select Group: The pull-down menu shows the groups that are listed on the Group screen. From the pull-down menu, select the group to which the user is assigned. For information about how to configure groups, see Configuring Groups for VPN Policies on page 9-6. Note: The user is assigned to the domain that is associated with the selected group. Password: The password that the user must enter to gain access to the UTM. The password must contain alphanumeric or _ characters
22. Adding Customized Services on page 5-30.
Action (Filter): The action for outgoing connections covered by this rule: BLOCK always; BLOCK by schedule, otherwise allow; ALLOW always; ALLOW by schedule, otherwise block. Note: Any outbound traffic that is not blocked by rules you create is allowed by the default rule, so egress is unrestricted until you add BLOCK rules. ALLOW rules are only useful if the traffic is already covered by a BLOCK rule, that is, when you wish to allow a subset of traffic that is currently blocked by another rule.
Select Schedule: The time schedule (Schedule1, Schedule2, or Schedule3) that is used by this rule. This pull-down menu is activated only when "BLOCK by schedule, otherwise allow" or "ALLOW by schedule, otherwise block" is selected as the Action. Use the Schedule screen to configure the time schedules (see Setting a Schedule to Block or Allow Specific Traffic on page 5-39).
LAN Users: The settings that determine which computers on your network are affected by this rule. The options are: Any (all PCs and devices on your LAN); Single address (enter the required address to apply the rule to a single device on your LAN); Address range (enter the required addresses in the Start and Finish fields to apply the rule to a range of devices); Groups (select the group to which the rule applies; use the LAN Groups screen under Network Configuration to assign PCs to groups; see Managing Groups and Hosts (LAN Gr
23. [Figure 2-13, Setup Wizard content filtering screen. Web category checkboxes include: School Cheating, Forums, Instant Messaging, Private IP Addresses, Translators, Entertainment, Leisure & Recreation, Personal Sites, Sports, Hacking, Phishing & Fraud, Politics, Pornography/Sexually Explicit, Information Security. Blocked Categories Scheduled Days: Do you want this schedule to be active on all days or specific days? All Days / Specific Days (Sunday through Saturday). Blocked Categories Time of Day: Do you want this schedule to be active all day or at specific times during the day? All Day / Specific Times; Start Time (hour, minute, AM/PM); End Time (hour, minute).]
Enter the settings as explained in Table 2-7, then click Next to go to the following screen.
Note: After you have completed the steps in the Setup Wizard, you can make changes to the content filtering settings by selecting Application Security > HTTP/HTTPS > Content Filtering. The Content Filtering screen lets you specify additional filtering tasks and notification settings. For more information about these settings, see Configuring Web Content Filtering on page 6-23.
Table 2-7, S
24. Maximum Number of Instances: If you select Individual from the Type pull-down menu, you must specify the maximum number of class instances that can be created by the individual bandwidth profile. Direction: From the Direction pull-down menu, select the traffic direction for the bandwidth profile: Outbound Traffic (the profile applies to outbound traffic only); Inbound Traffic (the profile applies to inbound traffic only).
5. Click Apply to save your settings. The new bandwidth profile is added to the List of Bandwidth Profiles table. 6. In the Bandwidth Profiles section of the screen, select the Yes radio button under Enable Bandwidth Profiles. By default, the No radio button is selected. 7. Click Apply to save your setting.
To edit a bandwidth profile: 1. In the List of Bandwidth Profiles table, click the edit table button to the right of the bandwidth profile that you want to edit. The Edit Bandwidth Profile screen displays. 2. Modify the settings that you wish to change (see Table 5-8). 3. Click Apply to save your changes. The modified bandwidth profile is displayed in the List of Bandwidth Profiles table.
Setting a Schedule to Block or Allow Specific Traffic. Schedules define the timeframes under which firewall rules may be applied. Three schedules (Schedule 1, Schedule 2, and Schedule 3) can be defined a
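The outbound rule table (item 22 above) and the schedule definitions here interact in a way that is easy to get wrong: the default outbound rule is ALLOW, a scheduled BLOCK rule flips to ALLOW outside its window, and an ALLOW rule does nothing unless some BLOCK rule would otherwise catch the traffic. The following is an added example (not NETGEAR code) that models the four Action values, the default rule, and a schedule with the day and time-of-day options the Schedule screen offers, then exercises the exception pattern of one ALLOW rule above a scheduled BLOCK range. Two details are this example's assumptions rather than statements from the manual: rules are evaluated top-down with the first match winning, and a time window whose end is earlier than its start wraps past midnight.

```python
"""Model outbound firewall rule actions and schedules.

Added example, not NETGEAR code. Implements the four Action values and the
default outbound ALLOW as the table states them; rule order and midnight
wrap-around are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Set, Tuple, Union
import ipaddress

BLOCK_ALWAYS = "BLOCK always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule, otherwise allow"
ALLOW_ALWAYS = "ALLOW always"
ALLOW_BY_SCHEDULE = "ALLOW by schedule, otherwise block"


@dataclass
class Schedule:
    days: Set[int]                 # weekday numbers, Monday=0; empty = all days
    start: Optional[time]          # None = all day
    end: Optional[time] = None

    def active(self, when: datetime) -> bool:
        if self.days and when.weekday() not in self.days:
            return False
        if self.start is None:
            return True
        t = when.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end   # window crosses midnight


@dataclass
class Rule:
    service: str                   # service name, or "ANY"
    action: str
    lan_users: Union[None, str, Tuple[str, str]] = None   # Any / single / range
    schedule: Optional[str] = None


def lan_match(spec, src_ip: str) -> bool:
    """Apply the LAN Users selector: None=Any, "a.b.c.d", or (start, finish)."""
    ip = ipaddress.ip_address(src_ip)
    if spec is None:
        return True
    if isinstance(spec, tuple):
        start, finish = (ipaddress.ip_address(a) for a in spec)
        return start <= ip <= finish
    return ip == ipaddress.ip_address(spec)


def decide_outbound(rules, schedules, src_ip, service, when):
    """Return (verdict, matching rule). First match wins (assumption);
    with no match the default outbound rule allows the traffic."""
    for rule in rules:
        if rule.service not in ("ANY", service) or not lan_match(rule.lan_users, src_ip):
            continue
        on = bool(rule.schedule) and schedules[rule.schedule].active(when)
        if rule.action == BLOCK_ALWAYS:
            return "BLOCK", rule
        if rule.action == ALLOW_ALWAYS:
            return "ALLOW", rule
        if rule.action == BLOCK_BY_SCHEDULE:
            return ("BLOCK" if on else "ALLOW"), rule
        if rule.action == ALLOW_BY_SCHEDULE:
            return ("ALLOW" if on else "BLOCK"), rule
        raise ValueError(f"unknown action {rule.action!r}")
    return "ALLOW", None


def at(year, month, day, hour, minute=0):
    """Build a timestamp for the checks below."""
    return datetime(year, month, day, hour, minute)


# Constructed example: block the whole LAN during office hours, except one
# host that an ALLOW rule placed above the BLOCK rule exempts.
EXAMPLE_SCHEDULES = {
    "Schedule1": Schedule(days={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0))}
EXAMPLE_NIGHT = Schedule(days=set(), start=time(22, 0), end=time(6, 0))
EXAMPLE_RULES = [
    Rule("ANY", ALLOW_ALWAYS, "192.168.1.10"),
    Rule("ANY", BLOCK_BY_SCHEDULE, ("192.168.1.1", "192.168.1.254"), "Schedule1"),
]

if __name__ == "__main__":
    for host in ("192.168.1.10", "192.168.1.20"):
        verdict, rule = decide_outbound(EXAMPLE_RULES, EXAMPLE_SCHEDULES, host, "HTTP", at(2009, 9, 16, 10))
        print(host, verdict, rule.action if rule else "default rule")
```

Swapping the two rules makes the exempt host's ALLOW rule unreachable under first-match evaluation, which is the practical meaning of the table's note that ALLOW rules only matter when a BLOCK rule already covers the traffic.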
25. ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
202-10482-01
September 2009
v1.0
© 2009 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks, and ProSecure and ProSafe are trademarks, of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Oper
26. [Figure: Add SSL VPN Policy screen, showing the Port Range / Port Number fields (Begin, End), the Service selection (VPN Tunnel), Defined Resources, and the Permission selection (PERMIT)]
3. Select the radio buttons, complete the fields, and make your selection from the pull-down menus as explained in Table 8-10.
Table 8-10. Add Policy Settings
Item / Description (or Subfield and Description)
Policy For: Select one of the following radio buttons to specify the type of SSL VPN policy:
- Global. The new policy is global and excludes all groups and users.
- Group. The new policy must be limited to a single group. From the pull-down menu, select a group. Note: For information about how to create groups, see Configuring Groups for VPN Policies on page 9-6.
- User. The new policy must be limited to a single user. From the pull-down menu, select a user name. Note: For information about how to create user accounts, see Configuring User Accounts on page 9-9.
Table 8-10. Add Policy Settings (continued)
Item / Description (or Subfield and Description)
Add SSL VPN Policies
Apply Policy For: Select one of the following radio buttons to specify how the policy is applied:
- Network Resource. The policy is applied to a network resource that you have defined on the Resources screen (see Using Network Res
27. Send notifications to: The e-mail address to which the notifications should be sent. Typically, this is the e-mail address of the administrator.
3. Click Test to ensure that the connection to the server and e-mail address succeeds.
4. Click Apply to save your settings.
Configuring and Activating System E-mail and Syslog Logs
You can configure the UTM to log system events such as a change of time by an NTP server, secure login attempts, reboots, and other events. You can also send logs to the administrator, or schedule logs to be sent to the administrator or to a syslog server on the network. In addition, the Email and Syslog screen provides the option to selectively clear logs.
To configure and activate logs:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view (see Figure 11-4 on page 11-7).
[Figure 11-4: Email and Syslog screen, showing the system event checkboxes (Change of Time by NTP, Secure Login Attempts, Reboots, All Unicast Traffic, All Broadcast/Multicast Traffic, WAN Status, Resolved DNS Names); the Email Logs to Administrator settings (Enable, Send to, and Frequency: when the space is full, Daily at hh:mm, or Weekly on a selected day at hh:mm); and the Select Logs to Send checkboxes (System Logs, Traffic Logs, Ma
28. Table A-1. UTM Default Configuration Settings
Feature / Default behavior
Router Login
- User login URL: https://192.168.1.1
- Administrator user name (case-sensitive): admin
- Administrator login password (case-sensitive): password
- Guest user name (case-sensitive): guest
- Guest login password (case-sensitive): password
Internet Connection
- WAN MAC address: Use default address
- WAN MTU size: 1500
- Port speed: AutoSense
Local Network (LAN)
- LAN IP address: 192.168.1.1
- Subnet mask: 255.255.255.0
- RIP direction: None
- RIP version: Disabled
- RIP authentication: Disabled
Table A-1. UTM Default Configuration Settings (continued)
Feature / Default behavior
Local Network (LAN) (continued)
- DHCP server: Enabled
- DHCP starting IP address: 192.168.1.2
- DHCP ending IP address: 192.168.1.100
Management
- Time zone: GMT
- Time zone adjusted for daylight savings time: Disabled
- SNMP: Disabled
- Remote management: Disabled
Firewall
- Inbound communications (coming in from the Internet): All communication denied
- Outbound communications (from the LAN to the Internet): All communication allowed
- Source MAC filtering: Disabled
- Stealth mode: Enabled
- Respond to ping on Internet ports: Disabled
Ta
29. Viewing System Status on page 11-20).
Note: After 5 minutes of inactivity (the default login time-out), you are automatically logged out.
[Figure 2-2: System Status screen, showing system CPU and memory usage; the status of the services (SMTP ON, POP3 ON, IMAP ON, HTTP ON, HTTPS OFF, FTP ON); active connections; system information (system up time, firmware type, version and last downloaded for the active and secondary firmware, scan engine and pattern file versions and last update, and firewall version); license expiration dates (Email Protection, Web Protection, Maintenance); and the hardware serial number]
Understanding the Web Management Interface Menu Layout
Figure 2-3 shows the menu at the top of the UTM25's Web Management Interface. The UTM10's Web Management Interface layout is identical, with the exception that it shows only a single WAN ISP Setting submenu tab.
[Figure 2-3: Web Management Interface menu (Network Config, Network Security, Application Security, VPN, Users, Administration, Monitoring), with the Network Config submenu tabs WAN1 ISP Settings, WAN2 ISP Settings, Protocol Binding, Dynamic DNS, WAN Metering, LAN Settings, DMZ Setup, Routing, and Email Notification]
30. on page 5-14.
- Setting LAN DMZ Rules on page 5-18.
Table 5-3. Inbound Rules Overview
Setting / Description (or Subfield and Description)
Service: The service or application to be covered by this rule. If the service or application does not appear in the list, you must define it using the Services menu (see Adding Customized Services on page 5-30).
Action (Filter): The action for outgoing connections covered by this rule:
- BLOCK always
- BLOCK by schedule, otherwise allow
- ALLOW always
- ALLOW by schedule, otherwise block
Note: Any inbound traffic that is not blocked by rules you create is allowed by the default rule.
Select Schedule: The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule.
- This pull-down menu is activated only when BLOCK by schedule, otherwise allow or ALLOW by schedule, otherwise block is selected as the Action.
- Use the schedule screen to configure the time schedules (see Setting a Schedule to Block or Allow Specific Traffic on page 5-39).
Send to LAN Server: The LAN server address determines which computer on your network is hosting this service rule. You can also translate this address to a port number.
Send to DMZ Server: The DMZ server address determines which computer on your network
31. [Figure 3-9: Protocol Binding screen (Network Config > Protocol Binding), showing the Protocol Binding table with Service, Source Network, and Destination Network columns, the note "Protocol Binding is used when Load Balancing option is selected in WAN Mode", the enable/disable controls, and the Add Protocol Binding section]
Figure 3-9 shows one example in the Protocol Binding table. Configure the protocol binding settings as explained in Table 3-6.
Table 3-6. Protocol Binding Settings (UTM25 Only)
Setting / Description (or Subfield and Description)
Add Protocol Binding
Service: From the pull-down menu, select a service or application to be covered by this rule. If the service or application does not appear in the list, you must define it using the Services menu (see Services-Based Rules on page 5-3).
Source Network: The source network settings determine which computers on your network are affected by this rule. Select one of the following options from the pull-down menu:
- Any. All devices on your LAN.
- Single address. In the Start Address field, enter the IP address to which the rule is applied.
- Address range. In the Start Address field and End Address field, enter the IP ad
32. After you have created a QoS profile, it can become active only when you apply it to a non-blocking inbound or outbound firewall rule.
Log: The setting that determines whether packets covered by this rule are logged. The options are:
- Always. Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
- Never. Never log traffic considered by this rule, whether it matches or not.
Bandwidth Profile: Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. Bandwidth limiting occurs in the following ways:
- For outbound traffic: on the available WAN interface in the single WAN port mode and auto-rollover mode, and on the selected interface in load balancing mode.
- For inbound traffic: on the LAN interface for all WAN modes.
Note: Bandwidth limiting does not apply to the DMZ interface.
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active service
33. [Figure 6-8: Malware Scan screen]
2. Enter the settings as explained in Table 6-7.
Table 6-7. Malware Scan Settings
Setting / Description (or Subfield and Description)
Action
- HTTP and HTTPS Action: From the HTTP or HTTPS pull-down menu, specify one of the following actions when an infected Web file or object is detected:
  - Delete file. This is the default setting. The Web file or object is deleted, and a log entry is created.
  - Log only. Only a log entry is created. The Web file or object is not deleted.
- Streaming: Select the Streaming checkbox to enable streaming of partially downloaded and scanned HTTP or HTTPS file parts to the user. This method allows the user to experience more transparent Web downloading. Streaming is enabled by default.
Table 6-7. Malware Scan Settings (continued)
Setting / Description (or Subfield and Description)
Scan Exception: The default maximum file or object size that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions when the file or message exceeds the maximum size:
- Skip. The file is not scan
34. DMZ increases the traffic through the WAN ports. For information on how to enable the DMZ port, see Configuring and Enabling the DMZ Port on page 4-18. For the procedures on how to configure DMZ traffic rules, see Setting DMZ WAN Rules on page 5-14.
Configuring Exposed Hosts
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. For an example of how to set up an exposed host, see LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host on page 5-28.
Configuring VPN Tunnels
The UTM supports up to 25 site-to-site IPsec VPN tunnels and up to 13 dedicated SSL VPN tunnels. Each tunnel requires extensive processing for encryption and authentication, thereby increasing traffic through the WAN ports. For information about IPsec VPN tunnels, see Chapter 7, Virtual Private Networking Using IPsec Connections. For information about SSL VPN tunnels, see Chapter 8, Virtual Private Networking Using SSL Connections.
Using QoS and Bandwidth Assignment to Shift the Traffic Mix
By specifying QoS and bandwidth profiles and assigning these profiles to outbound and inbound firewall rules, you can shift the traffic mix to aim for optimum performance of the UTM.
Assigning QoS Profiles
The QoS profile settings determine the priority and, in turn, the quality of service for the traffic passing through the UTM. After you ha
35. Figure 7-27 shows the upper part of the UTM25 screen only. The WAN1 and WAN2 radio buttons next to Select Local Gateway are shown on the Add IKE Policy screen for the UTM25 but not on the Add IKE Policy screen for the UTM10.
[Figure 7-27: Add IKE Policy screen (VPN > IPSec VPN), showing the Mode Config Record settings (Do you want to use Mode Config Record? Yes/No; Policy Name; Select Mode Config Record), the General settings (Direction/Type, Exchange Mode, Select Local Gateway WAN1/WAN2), the Local and Remote Identifier Type and Identifier fields, the IKE SA Parameters (Encryption Algorithm, Authentication Algorithm, Authentication Method: Pre-shared key or RSA Signature, Pre-shared key with key length 6 to 49 characters, Diffie-Hellman (DH) Group, SA Lifetime in seconds), Dead Peer Detection (Enable Yes/No, Detection Period in seconds, Reconnect after failure count), and Extended Authentication]
8. On the Add IKE Policy screen, complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 7-16.
Note: The settings that are explained in Table 7-16 are specifically for a Mode Confi
36. For a group that is associated with a domain that uses the LDAP authentication method, configure the LDAP attributes in fields 1 through 4 as needed.
4. Click Apply to save your changes. The modified group is displayed in the List of Groups table.
Configuring User Accounts
When you create a user account, you must assign the user to a user group. When you create a group, you must assign the group to a domain that specifies the authentication method. Therefore, you should first create any domains, then groups, then user accounts.
You can create different types of user accounts by applying pre-defined user types:
- Administrator. A user who has full access and the capacity to change the UTM configuration (that is, read/write access).
- SSL VPN User. A user who can only log in to the SSL VPN portal.
- IPSEC VPN User. A user who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configuring Extended Authentication (XAUTH) on page 7-37).
- Guest user. A user who can only view the UTM configuration (that is, read-only access).
To create an individual user account:
1. Select Users > Users from the menu. The Users screen displays. Figure 9-5 shows the UTM's default users, admin and guest, and, as an example, severa
37. Forwarding on page 5-6. For detailed procedures on how to configure inbound rules, see Setting LAN WAN Rules on page 5-11 and Setting DMZ WAN Rules on page 5-14.
When you define inbound firewall rules, you can further refine their application according to the following criteria:
- Services. You can specify the services or applications to be covered by an inbound rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see Services-Based Rules on page 5-3 and Adding Customized Services on page 5-30).
- WAN Destination IP Address. For the UTM25, you can specify the destination IP address for incoming traffic. Traffic is directed to the specified address only when the destination IP address of the incoming packet matches the IP address of the selected WAN interface, that is, the WAN1 or WAN2 interface. For the UTM10, with its single WAN interface, the WAN Destination IP Address is a fixed field.
- LAN Users. You can specify which computers on your network are affected by an inbound rule. There are several options:
  - Any. All PCs and devices on your LAN.
  - Single address. The rule is applied to the address of a particular PC.
  - Address range. The rule is applied to a range of addresses.
  - Groups. The rule is applied to a group
38. Idle Timeout: Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
My IP Address: The IP address assigned by the ISP to make the connection with the ISP server.
Server IP Address: The IP address of the PPTP server.
Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. Select this radio button and enter the following settings:
- Account Name. The valid account name for the PPPoE connection.
- Domain Name. The name of your ISP's domain, or your domain name if your ISP has assigned one. You may leave this field blank.
- Idle Timeout. Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
Internet IP Address: Click the Current IP Address link to see the currently assigned IP address.
- Get Dynamically from ISP. If your ISP has not assigned you a static IP address, select the Get d
39. [Figure 11-8: Dashboard screen (2 of 3), showing the Most Recent 5 and Top 5 sections: IPS signatures (Signature Name, Category, Date and Time, Count), IM/Peer to Peer Blocked applications (Application, Category, Date and Time, Requests, Source IPs), blocked Web categories (Category, Date and Time, Requests, Source IPs), and Top 5 SPAM recipients (Recipient Emails)]
Table 11-7 explains the fields of the Most Recent 5 and Top 5 sections of the Dashboard screen.
Table 11-7. Dashboard: Most Recent 5 and Top 5 Information
Category / Most Recent 5 Description / Top 5 Description
Threats (Malware):
- Name. The name of the malware threat.
- Protocol. The protocol in which the malware threat was detected.
- Date and Time. The date and time that the
40. This is rarely required and should not be done unless you are sure it is necessary for your ISP connection.
Port Speed: In most cases, the UTM can automatically determine the connection speed of the WAN port of the device (modem or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed. If you know the Ethernet port speed of the modem or router, select it from the pull-down menu. Use the half-duplex settings only if the full-duplex settings do not function properly. Select one of the following speeds from the pull-down menu:
- AutoSense. Speed autosensing. This is the default setting, which can sense 1000BaseT speed at full duplex.
- 10BaseT Half_Duplex. Ethernet speed at half duplex.
- 10BaseT Full_Duplex. Ethernet speed at full duplex.
- 100BaseT Half_Duplex. Fast Ethernet speed at half duplex.
- 100BaseT Full_Duplex. Fast Ethernet speed at full duplex.
Router's MAC Address: Make one of the following selections:
- Use Default Address. Each computer or router on your network has a unique 32-bit local Ethernet address. This is also referred to as the computer's Media Access Control (MAC) address. To use the UTM's own MAC address, select the Use Default Address radio button.
- Use this computer's MAC. Select the Use this computer's MAC radio button to allow the UTM to use the MAC address of the computer you are now using to access
41. What is the remote LAN Subnet Mask?
[Figure 7-9: IPsec VPN Wizard screen for a client-to-gateway tunnel]
To display the wizard default settings, click the VPN Wizard Default Values option arrow at the top right of the screen. A popup window appears (see Figure 7-5 on page 7-5), displaying the wizard default values. After you have completed the wizard, you can modify these settings for the tunnel policy that you have set up.
3. Select the radio buttons and complete the fields as explained in Table 7-3.
Table 7-3. IPsec VPN Wizard Settings for a Client-to-Gateway Tunnel
Setting / Description (or Subfield and Description)
About VPN Wizard
- This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote FQDN (utm_remote.com) and the default local FQDN (utm_local.com) appear in the End Point Information section of the screen.
Connection Name and Remote IP Type
- What is the new Connection Name? Enter a descriptive name for the connection. This name is used to help you to manage the VPN settings; the name is not supplied to the remote VPN endpoint.
- What is the pre-shared key? Enter a pre-shared key. The key must be entered both here and on the remote VPN gateway or the remote VPN client. This key must have a minimum length of 8 characters and should not exceed 49 charac
42. XAUTH 7-29
IMAP: action, infected e-mail 2-9; anti-virus settings 6-6; default port 2-17, 6-4; enabling scanning 2-17; file extension blocking 6-11; file name blocking 6-11; password-protected attachment blocking 6-0
inbound rules: default 5-3; DMZ to WAN 5-17; examples 5-25; increasing traffic 70-5; LAN to DMZ 5-20; LAN to WAN 5-3; order of precedence 5-10; overview 5-6; settings 5-8
increasing traffic: DMZ port 10-7; exposed hosts 0-8; overview 10-5; port forwarding 5-7, 10-5; port triggering 10-7; VPN tunnels 0-8
initial configuration, Setup Wizard 2-7
initial connection 2
Installation Guide 2-1
installation, verifying 2-26
Instant Messaging: blocked applications, recent 5 and top 5 18; blocking applications 5-29, 6-21; logs 11-8, 11-33, 11-35; traffic statistics 77-16
interface specifications A-3
Interior Gateway Protocol. See IGP
Internet: configuration requirements B-3; connecting to 3-1; connection, default settings A; form, connection information B-4
Internet Key Exchange. See IKE policies
Internet Message Access Protocol. See IMAP
Internet Service Provider. See ISP
Intrusion Prevention System. See IPS
IP addresses: auto-generated 2-3; default 2-9, 4-8; DHCP address pool 2-9, 4-9, 4-20; DMZ port 4-20; DNS servers 3-9, 4-9, 4-2; gateway, ISP 2-13, 3-8; LAN, multi-home 4-4, 12; MAC binding 5-42; port forwarding, SSL VPN 8-23; reserved 4-17; secondary LAN 4-11; secondary WAN 3-17; static or permanent 2-3, 3-4, 3
43. (see Figure 5-3 on page 5-13).
- Add LAN WAN Inbound Services screen (see Figure 5-4 on page 5-14).
- Add DMZ WAN Outbound Services screen (see Figure 5-6 on page 5-16).
- Add DMZ WAN Inbound Services screen (see Figure 5-7 on page 5-17).
Priorities are defined by the Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. There is no default QoS profile on the UTM. Following are examples of QoS profiles that you could create:
- Normal service profile: used when no special priority is given to the traffic. You would typically mark the IP packets for services with this priority with a ToS value of 0.
- Minimize cost profile: used when data must be transferred over a link that has a lower cost. You would typically mark the IP packets for services with this priority with a ToS value of 1.
- Maximize reliability profile: used when data must travel to the destination over a reliable link and with little or no retransmission. You would typically mark the IP packets for services with this priority with a ToS value of 2.
- Maximize throughput profile: used when the volume of data transferred during an interval is important, even if the latency over the link is high. You would typically mark the IP packets for services with this priority with a ToS value of 3 or 4.
- Minimize delay profile: used when the time required (latency) for the packet to reach the destination must be low. You would typically mark the IP packets for
44. the DNS servers inaccessible. However, when the DNS Proxy option is enabled, the DHCP clients can make requests to the UTM, which in turn can send those requests to the DNS servers of the active WAN connection. However, disable the DNS Proxy if you are using a dual WAN configuration in auto-rollover mode with route diversity (that is, with two different ISPs) and you cannot ensure that the DNS server is available after a rollover has occurred.
LDAP Server
A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server. For each VLAN, you can specify an LDAP server and a search base that defines the location in the directory (that is, the directory tree) from which the LDAP search begins.
Configuring a VLAN Profile
For each VLAN on the UTM, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, and DNS server.
To add or edit a VLAN profile:
1. Select Network Config > LAN Settings from the menu. The LAN submenu tabs appear with the LAN Setup screen in view (see Figure 4-2, which shows two VLAN profiles as an example).
Note: For information about how to manage VLANs, see Managing the UTM's Port-Based VL
45. the remote LAN IP address and subnet mask.
Auth: The authentication algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint.
Table 7-11. List of VPN Policies Information (continued)
Item / Description (or Subfield and Description)
Encr: The encryption algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint.
Action: An edit table button allows you to access an individual policy to make changes.
To delete one or more VPN policies:
1. Select the checkbox to the left of the policy that you want to delete, or click the select all table button to select all VPN policies.
2. Click the delete table button.
To enable or disable one or more VPN policies:
1. Select the checkbox to the left of the policy that you want to delete, or click the select all table button to select all IKE Policies.
2. Click the enable or disable table button.
To add or edit a VPN policy, see Manually Adding or Editing a VPN Policy on this page.
Note: You cannot delete or edit an IKE policy for which the VPN policy is active. You first must disable or delete the VPN policy before you can delete or edit the IKE policy.
Manually Adding or Editing a VPN Pol
46. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC 1700, Assigned Numbers. Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the UTM already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 5-19.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services
47. [Figure 4-5: LAN Groups screen, showing the Known PCs and Devices table]
The Known PCs and Devices table lists the entries in the Network Database. For each PC or device, the following fields are displayed:
- Checkbox. Allows you to select the PC or device in the table.
- Name. The name of the PC or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name). If the PC or device was assigned an IP address by the DHCP server, then the name is appended by an asterisk.
- IP Address. The current IP address of the PC or device. For DHCP clients of the UTM, this IP address does not change. If a PC or device is assigned a static IP address, you need to update this entry manually after the IP address on the PC or device has changed.
- MAC Address. The MAC address of the PC or device's network interface.
- Group. Each PC or device can be assigned to a single LAN group. By default, a PC or device is assigned to Group 1. You can select a different LAN group from the Group pull-down menu in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen.
- Action. The edit table button that provides access to the Edit Groups and Hosts screen.
3. As an optional step: To enable DHCP address reservation for an entry in the table, select the checkbox for the table entry and click Save Binding to bind the IP address to the MAC address for DHCP assignment.
4.
48. 0-3
tracing a route (traceroute) 71-45
traffic: action when reaching limit 4; diagnostic tools 71-43, 11-46; inbound, UTM25 planning B-6; increasing 10-5; logs 11-8, 11-32, 11-34; management 10-1; meter or counter 3-24, 11-1; real-time diagnostics 11-46; reducing 0-2; total scanned in MB 71-19; total in bytes 71-17; volume by protocol 4
traps, SNMP 10-15
trial period, service licenses 2-27
troubleshooting: basic functioning 2-2; browsers 12-4; configuration settings, using sniffer 72-4; date and time 72-9; defaults 72-4; ISP connection 2-5; LEDs 12-2, 12-3; NTP 2-9; remote management 0-3; remotely 2-0; testing your setup 12-7; time-out error 12-4; Web Management Interface 2-3
trusted: certificates 9-19, 9-20; hosts 6-37
Two-Factor Authentication. See WiKID
Type of Service. See ToS
TZO.com 3-19, 3-2
U
UDP flood, blocking 5-22
UDP time-out 5-24
understanding log messages C
update failure alert 0
upgrading firmware 170-20
URLs: blacklist 6-32; misclassification 6-30; using wildcards 6-32; whitelist 6-32
USB port, non-functioning 9
user name, default 2-3
user policies, precedence 8-3
user portal 8-15
users: active VPN users 24; administrator (admin) settings 0-9; assigned groups 9-11; login policies: based on IP address 9-13, based on Web browser 9-14, general 9-12; login time-out 9-6; passwords, changing 9-16; user accounts 9-9; user types 9-11, 9-17
V
videoconferencing: DMZ port 4-18; from restr
49. Figure 3-3. The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to Manually Configuring the Internet Connection on this page, or see Troubleshooting the ISP Connection on page 12-5. Note: If the configuration process was successful, you are connected to the Internet through WAN port 1. If you intend to use the dual WAN capabilities of the UTM25, continue with the configuration process for WAN port 2. Note: For more information about the WAN Connection Status screen, see Viewing the WAN Ports Status on page 11-27. 4. Click the WAN2 ISP Settings tab (UTM25 only). 5. Repeat the previous steps to automatically detect and configure the WAN2 Internet connection (UTM25 only). 6. Open the WAN Status window and verify a successful connection. If your WAN ISP configuration was successful, you can skip ahead to Configuring the WAN Mode (Required for the UTM25's Dual WAN Mode) on page 3-9. If one or both automatic WAN ISP configurations failed, you can attempt a manual configuration as described in the following section, or see Troubleshooting the ISP Connection on page 12-5. Setting the UTM's MAC Address. Each computer or router o
50. Adding PCs or Devices to the Network Database. To add PCs or devices manually to the Network Database: 1. In the Add Known PCs and Devices section of the LAN Groups screen (see Figure 4-5 on page 4-14), enter the settings as explained in Table 4-2. Table 4-2, Add Known PCs and Devices Settings: Name: enter the name of the PC or device. IP Address Type: from the pull-down menu, select how the PC or device receives its IP address. Fixed (set on PC): the IP address is statically assigned on the PC or device. Reserved (DHCP Client): directs the UTM's DHCP server to always assign the specified IP address to this client during the DHCP negotiation (see Setting Up Address Reservation on page 4-17). Note: When assigning a reserved IP address to a client, the IP address selected must be outside the range of addresses allocated to the DHCP server pool. IP Address: enter the IP address that this PC or device is assigned in the IP Address field. If the IP Address Type is Reserved (DHCP Client), the UTM reserves the IP address for the associated MAC address. MAC Address: enter the MAC address of the PC or device's network interface. The MAC address format is six colon-separated pairs of hexadecimal characters (0-9 and A-F), such as 01:23:45:67:89:AB. Group: From the pull-d
51. To configure Web URL filtering: 1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view. Click the URL Filtering submenu tab. The URL Filtering screen displays; Figure 6-12 shows some examples. 2. Figure 6-12 (URL Filtering screen: Whitelist takes precedence over Blacklist; Whitelist and Blacklist sections, each with an Enable checkbox, a URL list with wildcards supported, an Add URL button and an Import from File option; Replace the Content of a Blocked Page with the Following Text, prefilled with a NETGEAR ProSecure User Notification HTML page; Note: Use URL to show the URL of the blocked page). 3. Enter the settings as explained in Table 6-9. Table 6-9, URL Filtering Settings: Whitelist: Enable: select this checkbox to by
52. (IKE debug log excerpt from the UTM; the garbled dump is omitted here.) Managing IPsec VPN Policies. After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connecti
54. Figure 5-13. 3. Select the Enable SIP checkbox. 4. Click Apply to save your settings. Inbound Rules Examples. LAN WAN Inbound Rule: Hosting a Local Public Web Server. If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of the day. Figure 5-14 (Add LAN WAN Inbound Service screen: Service, Action, Select Schedule, Send to LAN Server, Translate to Port Number, WAN Destination IP Address, LAN Users, WAN Users, QoS Profile, Log, Bandwidth Profile). LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses. If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see Figure 5-14 on page 5-25). In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses. (Add LAN WAN Inbound Service screen: Service; Action: BLOCK b
55. Action column to the right of the exception rule, click the edit table button. The Add or Edit Block/Accept Exceptions screen displays (see Figure 6-18 on page 6-42). 2. Modify the settings that you wish to change (see Table 6-13 on page 6-43). 3. Click Apply to save your changes. The modified exception rule is displayed in the Exceptions table. To delete or disable one or more exception rules: 1. Select the checkbox to the left of the rule that you want to delete or disable, or click the select all table button to select all rules. 2. Click one of the following table buttons. disable: disables the rule or rules. The status icon changes from a green circle to a grey circle, indicating that the rule or rules are disabled. By default, when a rule is added to the table, it is automatically enabled. delete: deletes the rule or rules. The table rank of the exception rule in the Exceptions table determines the order in which the rule is applied. To change the position of the rules in the table, click the following table buttons. up: moves the rule up one position in the table rank. down: moves the rule down one position in the table rank. Setting Scanning Exclusions. To save resources, you can configure scanning exclusions for IP addresses and ports that you know are secure. For e
56. Figure 3-1 (WAN1 ISP Settings screen: ISP Login (Does Your Internet Connection Require a Login: Yes/No; Login; Password); ISP Type (Which type of ISP connection do you use: Austria (PPTP), Other (PPPoE); Domain Name; Keep Connected; Idle Time in Minutes; My IP Address; Server IP Address); Internet IP Address (Get Dynamically from ISP, or Use Static IP Address with IP Address, IP Subnet Mask and Gateway IP Address); Domain Name Server (DNS) Servers (Get Automatically from ISP, or Use These DNS Servers with Primary and Secondary DNS Server)). Click the Auto Detect action button at the bottom of the menu. The auto-detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. Figure 3-2 shows the UTM25 screen; the UTM10 screen shows only a single WAN ISP Settings submenu tab. Figure 3-2. The auto-detect process will return one of the following results: If the auto-detect process is successful, a status bar at the top of the menu displays the results (see the red text in Figure 3-2 on page 3-3).
57. Figure 11-1 on page 11-2, which shows the UTM25 screen. On the UTM10, the WAN Traffic Meter screen displays. The Internet Traffic Statistics section in the lower part of the screen displays statistics on Internet traffic via the WAN port. If you have not enabled the traffic meter, these statistics are not available. Figure 11-1 (WAN1 Traffic Meter screen: Do you want to enable Traffic Metering on WAN1: Yes/No; No Limit, Download only, or Both Directions; Monthly Limit (MB); Increase this month's limit by (MB); This month's limit (MB); Restart Traffic Counter Now, or Restart Traffic Counter at Specific Time on a given day of the month; Block All Traffic, or Block all Traffic Except E-Mail; Send e-mail alert; Send e-mail report before restarting counter; Internet Traffic Statistics with Start Date/Time, Outgoing Traffic Volume (MB), Incoming Traffic Volume (MB), Total Traffic Volume (MB), Average per day, of Standard Limit, of this Month's Limit). 2. Enter the settings as explained in Table 11-1 on page 11-3. Table 11-1, WAN Traffic Meter Settings: Enable Traffic Meter: Do you w
58. Figure 11-26 on page 11-44, Figure 11-27 on page 11-46, and Figure 11-28 on page 11-47. Using the Network Diagnostic Tools. This section discusses the Network Diagnostics section and the Perform a DNS Lookup section of the Diagnostics screen. Figure 11-26: Diagnostics screen (1 of 3), reached from System Status > Active Users & VPNs, Dashboard, Diagnostics, with the IP Address field, the Ping through VPN tunnel checkbox, the ping button, the Display the Routing Table option with its display button, and the Domain Name field. Sending a Ping Packet. Use the Ping utility to send a ping packet request in order to check the connection between the UTM and a specific IP address. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results are displayed on a new screen; click Back on the Windows menu bar to return to the Diagnostics screen. To send a ping: 1. Locate the Network Diagnostics section on the Diagnostics screen. 2. In the IP Address field, enter the IP address that you want to ping. 3. If the specified address is reached through a VPN tunnel, select the Ping through VPN tunnel checkbox. 4. Click the ping button. The results of the ping are displayed in a new screen. To return to the Diagnostics s
59. If negotiations fail, the next matching IKE policy is used. If none of the matching IKE policies are acceptable to the remote VPN gateway, then a VPN tunnel cannot be established. 2. An IKE session is established using the Security Association (SA) settings that are specified in a matching IKE policy: keys and other settings are exchanged, and an IPsec SA is established using the settings that are specified in the VPN policy. The VPN tunnel is then available for data transfer. When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies from the IKE Policies screen. The IKE Policies Screen. To access the IKE Policies screen: Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view. Figure 7-20 on page 7-23 shows some examples. Figure 7-20 (IKE Policies screen, with the submenu tabs IKE Policies, VPN Policies, VPN Wizard, Mode Config, RADIUS Client and Certificates; the List of IKE Policies columns are Name, Mode, Local ID, Remote ID, Encr, Auth, DH and Action; the example rows are GW1 to GW2 in Main mode with 3DES, SHA-1 and DH Group 2 (1024 bit), and Client to UTM in Aggressive mode with local ID utm_local.com, remote ID utm_remote.com, 3DES, SHA-1 and DH Group 2 (1024 bi
60. In the List of QoS Profiles table, click the edit table button to the right of the QoS profile that you want to edit. The Edit QoS Profile screen displays. 2. Modify the settings that you wish to change (see Table 5-7). 3. Click Apply to save your changes. The modified QoS profile is displayed in the List of QoS Profiles table. Creating Bandwidth Profiles. Bandwidth profiles determine the way in which data is communicated with the hosts. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN link. For outbound traffic, you can apply bandwidth profiles on the available WAN interfaces in both the single WAN port mode and the auto-rollover mode, and in load balancing mode on the interface that you specify. For inbound traffic, you can apply bandwidth profiles to a LAN interface for all WAN modes. Bandwidth profiles do not apply to the DMZ interface. For example, when a new connection is established by a device, the device locates the firewall rule corresponding to the connection. If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel. If multiple connections correspond to the same firewall rule, the connections all share the same ba
61. Keepalives. The Keepalive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the Keepalive feature on a configured VPN policy: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view. 2. Click the VPN Policies submenu tab. The VPN Policies screen displays (see Figure 7-22 on page 7-31). 3. In the List of VPN Policies table, click the edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. Figure 7-31 shows only the top part of the screen with the General section. Figure 7-31 (Edit VPN Policy screen, General section: Policy Name (Client to UTM in the example), Policy Type, Select Local Gateway (WAN1 or WAN2), Remote Endpoint (IP Address), Enable NetBIOS, Enable Keepalive (Yes/No), Ping IP Address, Detection period in seconds, Reconnect after failure count, followed by the Traffic Selection section). 4. Enter the settings as explained in Table 7-20. Table 7-20, Keepalive Settings: General: Enable Keepalive: Select the Yes radio button to enable the Keepalive fe
62. LAN Settings. LAN TCP/IP Setup: IP Address: enter the IP address of the UTM's default VLAN (the factory default is 192.168.1.1). Note: Always make sure that the LAN port IP address and DMZ port IP address are in different subnets. Note: If you change the LAN IP address of the UTM's default VLAN while being connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address from 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to reconnect to the Web Management Interface. Subnet Mask: enter the IP subnet mask. The subnet mask specifies the network number portion of an IP address. The UTM automatically calculates the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the UTM). DHCP: Disable DHCP Server: if another device on your network is the DHCP server for the default VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting. Enable DHCP Server: select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all comput
63. VPN Telecommuter (Client-to-Gateway Through a NAT Router). Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router. The following situations exemplify the requirements for a remote PC client, connected to the Internet with a dynamic IP address through a NAT router, to establish a VPN tunnel with a gateway VPN firewall such as a UTM at the company office: a single gateway WAN port; redundant dual gateway WAN ports for increased reliability (before and after rollover); dual gateway WAN ports for load balancing. VPN Telecommuter: Single Gateway WAN Port (Reference Case). In a single WAN port gateway configuration, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. Figure B-17 (Telecommuter Example, Single WAN Port: Client B, the remote PC at the telecommuter's home office running the NETGEAR ProSafe VPN Client, behind NAT Router B, connecting to Gateway A, the NAT router at the employer's main office; Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses). The IP address of the gateway WAN port can be either fixe
64. Figure 4-3 (LAN Setup screen: DNS Server, WINS Server, Lease Time in hours, DHCP Relay with Relay Gateway, and DNS Proxy with the Enable DNS Proxy checkbox). 3. Enter the settings as explained in Table 4-1 on page 4-8. Table 4-1, VLAN Profile Settings: VLAN Profile: Profile Name: enter a unique name for the VLAN profile. Note: You can also change the profile name of the default VLAN. VLAN ID: enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. Note: You can enter VLAN IDs from 2 to 4093. VLAN ID 1 is reserved for the default VLAN; VLAN ID 4094 is reserved for the DMZ interface. Port Membership (Port 1, Port 2, Port 3, Port 4/DMZ): select one, several, or all port checkboxes to make the port(s) members of this VLAN. Note: A port that is defined as a member of a VLAN profile can send and receive data frames that are tagged with the VLAN ID. LAN TCP/IP Setup: IP Address: enter the IP address of the UTM (the factory default is 192.168.1.1). Note: Always make sure that the LAN port IP address and DMZ port IP address are in different subnets. Note: If you change the LAN IP address of the VLAN while being connected through the browser to the VLAN, you will be disconnected. You must then open a new connection to the new IP
65. PC or an uplink connection, such as to a switch or hub. That port then configures itself to the correct configuration. This feature eliminates the need to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection. Extensive Protocol Support. The UTM supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see Internet Configuration Requirements on page B-3. The UTM provides the following protocol support: IP address sharing by NAT. The UTM allows many networked PCs to share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. Automatic configuration of attached PCs by DHCP. The UTM dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network. DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains
66. 5. In the left frame, click My Identity. The screen adjusts. Figure 7-13 (Security Policy Editor of the NETGEAR ProSafe VPN Client, My Identity for the UTM connection: Select Certificate, Pre-Shared Key, ID Type, Port, and Secure Interface Configuration with Virtual Adapter, Internet Interface Name and IP Addr; the Pre-Shared Key dialog asks for a pre-shared key of at least 8 characters, which is used during the Authentication Phase if the Authentication Method Proposal is Pre-Shared Key). 6. Enter the settings as explained in Table 7-5. Table 7-5, Security Policy Editor My Identity Settings: Select Certificate: from the pull-down menu, select None. The Pre-Shared Key window appears. Pre-Shared Key: enter the same pre-shared key that you specified on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-9). In this example, the pre-shared key is 111122223333; however, the pre-shared key is masked for security. Table 7-5, Security Polic
67. Profiles on page 5-33. Bandwidth Profile: you can define bandwidth profiles and then apply them to outbound rules to limit traffic. To define bandwidth profiles, see Creating Bandwidth Profiles on page 5-36. Content Filtering. If you want to reduce traffic by preventing undesired e-mails from reaching their destinations or by preventing access to certain sites on the Internet, you can use the UTM's content filtering feature. By default, this feature is disabled; all requested traffic from any Web site is allowed, with the exception of the Web content categories that are mentioned in Default E-mail and Web Scan Settings on page 6-2. E-mail Content Filtering: to reduce incoming e-mail traffic, you can block e-mails with large attachments, reject e-mails based on keywords, file extensions, or file names, and set spam protection rules. There are several ways you can reduce undesired e-mail traffic: Setting the size of e-mail files to be scanned. Scanning large e-mail files requires network resources and might slow down traffic. You can specify the maximum file or message size that is scanned, and whether files that exceed the maximum size are skipped (which might compromise security) or blocked. For more information, see Customizing E-mail Anti-Virus and Notification Settings on page 6-5. Keywo
68. RIP. Routing Information Protocol (RIP, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). RIP enables a router to exchange its routing information automatically with other routers, to dynamically adjust its routing tables, and to adapt to changes in the network. RIP is disabled by default. To enable and configure RIP: 1. Select Network Configuration > Routing from the menu. 2. Click the RIP Configuration option arrow at the right of the Routing submenu tab. The RIP Configuration screen displays. Figure 4-11 (RIP Configuration screen: RIP Direction; RIP Version; Authentication for RIP-2B/2M required: Yes/No; First Key Parameters and Second Key Parameters, each with MD5 Key Id, MD5 Auth Key, Not Valid Before and Not Valid After as date and time). 3. Enter the settings as explained in Table 4-5 on page 4-26. Table 4-5, RIP Configuration Settings: RIP: RIP Direct
70. SSH 22 (a); Telnet 23 (a); SMTP (send mail) 25; HTTP (web) 80; POP3 (receive mail) 110; NTP (network time protocol) 123; Citrix 1494; Terminal Services 3389; VNC (virtual network computing) 5900 or 5800. (a) Users can specify the port number together with the host name or IP address. 4. Click the Add table button. The new application entry is added to the List of Configured Applications for Port Forwarding table. Remote users can now securely access network applications once they have logged into the SSL VPN portal and launched port forwarding. To delete an application from the List of Configured Applications for Port Forwarding table, select the checkbox to the left of the application that you want to delete, and then click the delete table button in the Action column. Adding a New Host Name. After you have configured port forwarding by defining the IP addresses of the internal servers and the port number for TCP applications that are available to remote users, you can then also specify host name to IP address resolution for the network servers as a convenience for users. Host name resolution allows users to access TCP applications at familiar addresses, such as mail.example.com or ftp.customer.com, rather than by IP addresses. To add servers and host names for client name resolution: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view. 2. Click the Port Forwarding submenu tab. T
71. SSL VPN policy is applied: VPN Tunnel: the policy is applied only to a VPN tunnel. Port Forwarding: the policy is applied only to port forwarding. All: the policy is applied both to a VPN tunnel and to port forwarding. Permission: from the pull-down menu, select whether the policy permits (PERMIT) or denies (DENY) access. All Addresses: Policy Name: a descriptive name of the SSL VPN policy for identification and management purposes. Port Range / Port Number: a port (enter it in the Begin field) or a range of ports (enter them in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic. Service: from the pull-down menu, select the service to which the SSL VPN policy is applied: VPN Tunnel: the policy is applied only to a VPN tunnel. Port Forwarding: the policy is applied only to port forwarding. All: the policy is applied both to a VPN tunnel and to port forwarding. Permission: from the pull-down menu, select whether the policy permits (PERMIT) or denies (DENY) access. 4. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies tab
72. Figure 2-10 (Setup Wizard, Security Services screen: Instant Messaging services Google Talk, Jabber, mIRC, MSN Messenger, Yahoo Messenger and Skype, and Peer-to-Peer (P2P) services BitTorrent, eDonkey and Gnutella, each with a Block Service checkbox). Enter the settings as explained in Table 2-4 on page 2-17, then click Next to go to the following screen. Note: After you have completed the steps in the Setup Wizard, you can make changes to the security services by selecting Application Security > Services. For more information about these settings, see Customizing E-mail Protocol Scan Settings on page 6-4 and Customizing Web Protocol Scan Settings and Services on page 6-19. Table 2-4, Setup Wizard Step 4: Security Services Settings: Email: SMTP: SMTP scanning is enabled by default on standard service port 25. POP3: POP3 scanning is enabled by default on standard service port 110. IMAP: IMAP scanning is enabled by default on standard service port 143. To disable any of these services, deselect the corresponding checkbox; you can change the standard service port or add another port in the corresponding Ports to Scan field. Web: HTTP: HTTP scanning is enabled by default on standard service port 80. To disable HTTP scanning, deselect the corresponding checkbox. You can change the standard
73. Settings
Setting: Description (or Subfield and Description)
Profile Name: A descriptive name of the QoS profile for identification and management purposes.
Don't Change: Select the Don't Change radio button to ignore the QoS type (IP Precedence or DSCP) and QoS value, and to set only the QoS priority.
Add DiffServ Mark: Select the Add DiffServ Mark radio button to set the differentiated services (DiffServ) mark in the Type of Service (ToS) byte of an IP header by specifying the QoS type (IP Precedence or DSCP) and QoS value.
QoS Type: From the QoS pull-down menu, select one of the following traffic classification methods:
• IP Precedence: A legacy method that sets the priority in the ToS byte of an IP header.
• DSCP: A method that sets the Differentiated Services Code Point (DSCP) in the Differentiated Services (DS) field, which is the same as the ToS byte, of an IP header.
QoS Value: The QoS value in the ToS or DiffServ byte of an IP header. The QoS value that you enter depends on your selection from the QoS pull-down menu:
• For IP Precedence, select a value from 0 to 7.
• For DSCP, select a value from 0 to 63.
QoS Priority: From the QoS Priority pull-down menu, select one of the following priority queues:
• Default
• High
• Medium High
• Medium
• Low
5. Click Apply to save your settings. The new QoS profile is added to the List of QoS Profiles table.
To edit a QoS profile:
1.
74. UTM's IP address has been changed and you do not know the current IP address, clear the UTM's configuration to factory defaults. This sets the UTM's IP address to 192.168.1.1. This procedure is explained in Restoring the Default Configuration and Password on page 12-8.
Tip: If you do not want to revert to the factory default settings and lose your configuration settings, you can reboot the UTM and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the UTM's LAN interface address.
• Make sure that you are using the SSL https:// address login rather than the http:// address login.
• Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded.
• Try quitting the browser and launching it again.
• Make sure that you are using the correct login information. The factory default login name is admin and the password is password. Make sure that Caps Lock is off when entering this information.
If the UTM does not save changes you have made in the Web Configuration Interface, check the following:
• When entering configuration settings, be sure to click the Apply button before moving to another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes might have occurred, but the Web browser might be caching the old configur
75. UTM or the VPN-protected network. The login window that is presented to the user requires three items: a user name, a password, and a domain selection. The domain determines the authentication method that is used and, for SSL connections, the portal layout that is presented.
Note: IPsec VPN users always belong to the default domain (geardomain) and are not assigned to groups.
Except in the case of IPsec VPN users, when you create a user account, you must specify a group. When you create a group, you must specify a domain. Therefore, you should first create any domains, then groups, then user accounts.
Configuring Domains
The domain determines the authentication method to be used for associated users. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access. The default domain of the UTM is named geardomain. You cannot delete the default domain.
Table 9-1 summarizes the authentication protocols and methods that the UTM supports.
Table 9-1: Authentication Protocols and Methods
Authentication Protocol or Method: Description (or Subfield and Description)
PAP: Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
CHAP: Challenge Handshake Authen
76. UTM replaces the content of a Web page that is blocked because of violating content with the following text, which you can customize:
Internet Policy has restricted access to this location: URL. Full text search found the content to have the keyword KEYWORD.
Note: The text is displayed on the Content Filtering screen with HTML tags. However, when the UTM replaces the content of a blocked Web page, the screen displays the notification text in HTML format.
Note: Make sure that you keep the URL and KEYWORD meta words in the text to enable the UTM to insert the blocked URL and the keyword that caused the Web page to be blocked in the notification text.
Table 6-8: Content Filtering Settings (continued)
Setting: Description (or Subfield and Description)
Web Category Lookup
URL: Enter a URL to find out if it has been categorized and, if so, in which category. Then click the Lookup button. If the URL has been categorized, the category appears next to Lookup Results. If the URL appears to be uncategorized, you can submit it to NETGEAR for analysis.
Submit to NETGEAR: To submit an uncategorized URL to NETGEAR for analysis, select from the pull-down menu the category in which you think that the URL must be categorized. Then click the Submit button.
4. Click Apply to save your s
77. Table 11-10: System Status: WAN Configuration and LAN Port Information
Setting: Description (or Subfield and Description)
WAN1 Configuration and WAN2 Configuration (UTM25), or WAN Configuration (UTM10)
WAN Mode: Single Port, Load Balancing, or Auto-Rollover.
WAN State: UP or DOWN.
NAT: Enabled or Disabled.
Connection Type: Static IP, DHCP, PPPoE, or PPTP.
Connection State: Connected or Not Connected.
IP Address, Subnet Mask, Gateway, Primary DNS, Secondary DNS, MAC Address: These fields are self-explanatory.
LAN Port
MAC Address, IP Address: These fields are self-explanatory.
DHCP: DHCP or None.
IP Subnet Mask: This field is self-explanatory.
[Figure 11-12: System Status screen (3 of 3). Interface Status: LAN No Link; WAN1 1000Mbps Full-duplex; WAN2 No Link; DMZ No Link]
Table 11-11 on page 11-24 explains the Interface Statistics section of the System Status screen.
Table 11-11: System Status: Interface Statistics
Setting: Description (or Subfield and Description)
For each interface (LAN, WAN1, WAN2, and DMZ for the UTM25; LAN, WAN, and DMZ for the UTM10), the following statistics are displayed:
Status: 10BaseT Half-duplex, 10BaseT Full-duplex, 100Ba
78. VLAN, or VLAN 1. Therefore, by default all four LAN ports have the default PVID 1. However, you can assign another PVID to a LAN port by selecting a VLAN profile from the pull-down menu on the LAN Setup screen.
After you have created a VLAN profile and assigned one or more ports to the profile, you must first enable the profile to activate it.
The UTM's default VLAN cannot be deleted. All untagged traffic is routed through the default VLAN (VLAN1), which must be assigned to at least one LAN port.
Note the following about VLANs and PVIDs:
• One physical port is assigned to at least one VLAN.
• One physical port can be assigned to multiple VLANs.
• When one port is assigned to multiple VLANs, the port is used as a trunk port to connect to another switch or router.
• When a port receives an untagged packet, this packet is forwarded to a VLAN based on the PVID.
• When a port receives a tagged packet, this packet is forwarded to a VLAN based on the ID that is extracted from the tagged packet.
When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged. All o
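The VLAN and PVID rules listed above can be checked against a small model. The following is an added example and not NETGEAR code: it represents each LAN port by its PVID and VLAN membership, classifies an ingress frame (untagged frames go to the PVID, tagged frames to the VLAN ID in the tag) and decides whether a frame leaves a port tagged or untagged (untagged only on the port's own PVID). The port names, VLAN IDs and the topology are constructed for the example.

```python
"""Model of the VLAN/PVID forwarding rules (added example, not NETGEAR code)."""
from dataclasses import dataclass, field


@dataclass
class LanPort:
    """A LAN port with its PVID and the set of VLANs it is a member of."""
    name: str
    pvid: int = 1                                   # default PVID is 1
    vlans: set = field(default_factory=lambda: {1}) # default VLAN membership

    @property
    def is_trunk(self):
        # A port assigned to multiple VLANs is used as a trunk port.
        return len(self.vlans) > 1


def classify_ingress(port, tag_vid=None):
    """Return the VLAN an incoming frame is forwarded to, or None if dropped.

    tag_vid is None for an untagged frame; otherwise it is the VLAN ID
    extracted from the 802.1Q tag.
    """
    vid = port.pvid if tag_vid is None else tag_vid
    # A frame for a VLAN the port is not a member of is not forwarded.
    return vid if vid in port.vlans else None


def egress_tagging(port, vid):
    """Return (forward, tagged) for a frame of VLAN vid leaving this port."""
    if vid not in port.vlans:
        return (False, False)
    # Frames leaving on the port's own PVID are untagged; frames of any other
    # member VLAN leave tagged (trunk behaviour).
    return (True, vid != port.pvid)


def forward(ports, in_port, tag_vid=None):
    """Classify a frame arriving on in_port and return the egress ports as a
    list of (port name, tagged) tuples, in port order."""
    vid = classify_ingress(ports[in_port], tag_vid)
    if vid is None:
        return []
    out = []
    for name, port in ports.items():
        if name == in_port:
            continue
        ok, tagged = egress_tagging(port, vid)
        if ok:
            out.append((name, tagged))
    return out


# Constructed topology: LAN1 and LAN2 are access ports on the default VLAN 1,
# LAN3 is an access port on VLAN 10, LAN4 is a trunk carrying VLAN 1 (its PVID)
# and VLAN 10.
PORTS = {
    "LAN1": LanPort("LAN1"),
    "LAN2": LanPort("LAN2"),
    "LAN3": LanPort("LAN3", pvid=10, vlans={10}),
    "LAN4": LanPort("LAN4", pvid=1, vlans={1, 10}),
}

if __name__ == "__main__":
    print(forward(PORTS, "LAN1"))              # untagged on VLAN 1 -> LAN2, LAN4 untagged
    print(forward(PORTS, "LAN4", tag_vid=10))  # tagged VLAN 10 -> LAN3 untagged
    print(forward(PORTS, "LAN1", tag_vid=10))  # LAN1 is not in VLAN 10 -> dropped
```

The last call shows the case the list above implies but does not spell out: a tagged frame for a VLAN the receiving port is not a member of has no valid destination and is dropped rather than leaking into the default VLAN.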
79. [Figure B-20: VPN Router at the employer's main office (WAN1 IP bzrouter1.dyndns.org, WAN2 IP bzrouter2.dyndns.org) behind a NAT Router, and a Remote PC running the NETGEAR ProSafe VPN Client at the telecommuter's home office (WAN IP 0.0.0.0, 10.5.6.1) behind a NAT Router. Fully Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use a FQDN. If an IP address is fixed, an FQDN is optional.
Appendix C: System Logs and Error Messages
This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided.
This appendix contains the following sections:
• System Log Messages on page C-2
• Content Filtering and Security Logs on page C-12
• Routing Logs on page C-16
This appendix uses the following log message terms:
Table C-1: Log Message Terms
Term: Description (or Subfield and Description)
UTM: System identifier.
kernel: Message from the kernel.
CODE: Protocol code (e.g., protocol is ICMP, type 8 and CODE 0 means successful reply).
DEST: Destination IP address of the machine to which the packet is destined.
DPT: Destination port.
IN: Incoming interface for packet.
OUT: Outgoing
80. WAN Inbound Services Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic from the Internet to the LAN is blocked. Remember that allowing inbound services opens potential security holes in your firewall. Only enable those ports that are necessary for your network.
To create a new inbound LAN WAN service rule:
1. In the LAN WAN Rules screen, click the add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen displays.
[Figure 5-4: Add LAN WAN Inbound Service screen with the fields Service (ANY), Action (BLOCK always), Select Schedule (Schedule 1), Send to LAN Server, Translate to Port Number, WAN Destination IP Address, LAN Users (Any; Start, Finish), WAN Users (Any; Start, Finish), QoS Profile (None), Log (Never), Bandwidth Profile (NONE)]
2. Enter the settings as explained in Table 5-3 on page 5-8.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
Setting DMZ WAN Rules
The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen. The default outbound policy is to allow all traffic from and to the Internet to pass through. You can then apply firewall rule
81. WAN Mode tab. The WAN Mode screen displays (see Figure 3-8 on page 3-12).
2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button.
Click Apply to save your settings.
Classical Routing (UTM10 and UTM25)
In classical routing mode, the UTM performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to you and you have assigned one of these addresses to each PC, you can choose classical routing. Or, you can use classical routing for routing private IP addresses within a campus environment.
To learn the status of the WAN ports, you can view the System Status screen (see Viewing System Status on page 11-20) or look at the LEDs on the front panel (see Front Panel on page 1-9).
To configure classical routing:
1. Select Network Config > WAN Settings from the menu, then click the WAN Mode tab. The WAN Mode screen displays (see Figure 3-8 on page 3-12).
2. In the NAT (Network Address Translation) section of the screen, select the Classical Routing radio button.
3. Click Apply to save your settings.
Configuring Auto-Rollover Mode (UTM25 Only)
For the UTM25 only: to use a redundant ISP link for backup purposes, ensure t
82. Whitelist: Enter the source IP addresses from which e-mails can be trusted.
Blacklist: Enter the source IP addresses from which e-mails are blocked.
Click Apply to save your settings, or click Reset to clear all entries from these fields.
Sender Domain
Whitelist: Enter the sender e-mail domains from which e-mails can be trusted.
Blacklist: Enter the sender e-mail domains from which e-mails are blocked.
Click Apply to save your settings, or click Reset to clear all entries from these fields.
Sender Email Address
Whitelist: Enter the e-mail addresses from which e-mails can be trusted.
Blacklist: Enter the e-mail addresses from which e-mails are blocked.
Click Apply to save your settings, or click Reset to clear all entries from these fields.
Recipients Domain
Whitelist: Enter the e-mail domains of the recipients to which e-mails can be safely delivered.
Click Apply to save your settings, or click Reset to clear all entries from this field.
Recipients Email Address
Whitelist: Enter the e-mail addresses of the recipients to which e-mails can be safely delivered.
Click Apply to save your settings, or click Reset to clear all entries from this field.
Note: In the fields of the Whitelist/Blacklist screen, use commas to separate multiple entries. For IP addresses, use a dash to indicate a range, for example, 192.168.32.2-192.168.32.8.
Configuring the Real-time
83. [Figure 7-26: Add Mode Config Record screen: Secondary (WINS) server, DNS Server (Primary, Secondary), PFS Key Group, SA Lifetime (Seconds), Encryption Algorithm, Integrity Algorithm, Local IP address, Local Subnet mask fields]
4. Complete the fields, select the checkbox, and make your selections from the pull-down menus as explained in Table 7-15.
Table 7-15: Add Mode Config Record Settings
Item: Description (or Subfield and Description)
Client Pool
Record Name: A descriptive name of the Mode Config record for identification and management purposes.
First Pool, Second Pool, Third Pool: Assign at least one range of IP pool addresses in the First Pool fields to enable the UTM to allocate these to remote VPN clients. The Second Pool and Third Pool fields are optional. To specify any client pool, enter the starting IP address for the pool in the Starting IP field and enter the ending IP address for the pool in the Ending IP field.
Note: Any IP pool should not be within the local network IP addresses. Use a different range of private IP addresses, such as 172.173.xxx.xx.
Table 7-15: Add Mode Config Record Settings (continued)
Item: Description (or Subfield and Description)
WINS Server: If there is a WINS server on the loca
84. a default group, you can only delete the domain with the identical name, which causes the default group to be deleted.
• Domain: The name of the domain to which the group is assigned.
• Action: The edit table button that provides access to the Edit Group screen.
In the Add New Group section of the screen, enter the settings as explained in Table 9-3 on page 9-8.
Table 9-3: VPN Group Settings
Setting: Description (or Subfield and Description)
Name: A descriptive (alphanumeric) name of the group for identification and management purposes.
Domain: The pull-down menu shows the domains that are listed on the Domain screen. From the pull-down menu, select the domain with which the group is associated. For information about how to configure domains, see Configuring Domains on page 9-2.
Idle Timeout: The period after which an idle user is automatically logged out of the UTM's Web management interface. The default idle timeout period is 10 minutes.
Click the add table button. The new group is added to the List of Groups table.
To delete one or more groups:
1. In the List of Groups table, select the checkbox to the left of the group that you want to delete, or click the select all table button to select all groups. You cannot delete a default group; you
85. action, and action that is taken.
Recommended Action: None
Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048 rar FileType Block
Explanation: Logs that are generated when Web content is blocked because it violates a blocked file extension. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the action, and action that is taken.
Recommended Action: None
Table C-18: Content Filtering and Security Logs: Web Filtering and Content Filtering
Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048 rar Proxy Block
Explanation: Logs that are generated when Web content is blocked because it uses a proxy. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the action, and action that is taken.
Recommended Action: None
Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048 rar Keyword Block
Explanation: Logs that are generated when Web content is blocked because it violates a blocked keyword. The message shows the date and time, protocol, client IP
86. address, server IP address, URL, reason for the action, and action that is taken.
Recommended Action: None
Spam Logs
This section describes logs that are generated when the UTM filters spam e-mail messages.
Table C-19: Content Filtering and Security Logs: Spam
Message: 2009-02-28 23:59:59 SMTP 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com Blocked by customized blacklist 0 RBL Block
Explanation: Logs that are generated when spam messages are blocked by the RBL. The message shows the date and time, protocol, client IP address, server IP address, sender, recipient, subject line, mechanism that detected the spam, and action that is taken.
Recommended Action: None
Message: 2009-02-28 23:59:59 SMTP 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com Blocked by customized blacklist 0 Heuristic Block
Explanation: Logs that are generated when spam messages are blocked by Distributed Spam Analysis. The message shows the date and time, protocol, client IP address, server IP address, sender, recipient, subject line, mechanism that detected the spam, and action that is taken.
Recommended Action: None
Traffic Logs
This section describes logs that are generated when the UTM processes Web and e-mail traffic.
Table C-20: Content Filte
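A parser for the Web-filtering (Table C-18) and spam (Table C-19) message layouts described above, as an added example that is not NETGEAR code. It assumes the fields are separated by whitespace (the extraction lost the original separator) and that sender and recipient are e-mail addresses; because the spam subject line is free text that may itself contain spaces, it is recovered from the fixed fields on either side of it. The sample lines are constructed to match the two layouts, with placeholder file names.

```python
"""Parse UTM Web-filter and spam log lines (added example, not NETGEAR code)."""
import re
from collections import Counter

# Constructed sample lines mirroring the layouts in Tables C-18 and C-19.
SAMPLE_LINES = [
    "2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 "
    "http://192.168.35.165/testcases/files/sample.rar FileType Block",
    "2009-08-01 00:00:02 HTTP 192.168.1.3 192.168.35.165 "
    "http://192.168.35.165/proxy/index.html Proxy Block",
    "2009-08-01 00:00:03 HTTP 192.168.1.7 192.168.35.165 "
    "http://192.168.35.165/testcases/files/sample.rar Keyword Block",
    "2009-02-28 23:59:59 SMTP 192.168.1.2 192.168.35.165 "
    "xlzimap@test.com xlzpop3@test.com Blocked by customized blacklist 0 RBL Block",
    "2009-02-28 23:59:59 SMTP 192.168.1.2 192.168.35.165 "
    "xlzimap@test.com xlzpop3@test.com Buy now 0 Heuristic Block",
]

WEB_PROTOCOLS = {"HTTP", "HTTPS", "FTP"}
MAIL_PROTOCOLS = {"SMTP", "POP3", "IMAP"}
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_web_filter_log(line):
    """Table C-18 layout: date time protocol client server url reason action."""
    parts = line.split()
    if len(parts) != 8:
        raise ValueError("unexpected field count for web filter log: %r" % line)
    date, time, proto, client, server, url, reason, action = parts
    if not (_IPV4.match(client) and _IPV4.match(server)):
        raise ValueError("client/server fields are not IPv4 addresses: %r" % line)
    return {"date": date, "time": time, "protocol": proto, "client": client,
            "server": server, "url": url, "reason": reason, "action": action}


def parse_spam_log(line):
    """Table C-19 layout: date time protocol client server sender recipient
    subject mechanism action. The subject is everything between the recipient
    and the last two fields, so it may contain spaces."""
    parts = line.split()
    if len(parts) < 10:
        raise ValueError("unexpected field count for spam log: %r" % line)
    date, time, proto, client, server, sender, recipient = parts[:7]
    mechanism, action = parts[-2:]
    subject = " ".join(parts[7:-2])
    return {"date": date, "time": time, "protocol": proto, "client": client,
            "server": server, "sender": sender, "recipient": recipient,
            "subject": subject, "mechanism": mechanism, "action": action}


def parse_line(line):
    """Dispatch on the protocol field; returns ("web" | "spam", record)."""
    parts = line.split()
    proto = parts[2] if len(parts) > 2 else ""
    if proto in WEB_PROTOCOLS:
        return "web", parse_web_filter_log(line)
    if proto in MAIL_PROTOCOLS:
        return "spam", parse_spam_log(line)
    raise ValueError("unrecognised protocol field in: %r" % line)


def summarize(lines):
    """Count events by (kind, reason or detection mechanism, action)."""
    counts = Counter()
    for line in lines:
        kind, rec = parse_line(line)
        key = rec["reason"] if kind == "web" else rec["mechanism"]
        counts[(kind, key, rec["action"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LINES).items()):
        print(key, n)
```

The summary keyed on reason or mechanism is the view an operator wants when triaging: a burst of Proxy blocks from one client, or a jump in Heuristic relative to RBL blocks, stands out immediately, whereas the raw lines do not.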
87. algorithm that produces a 160-bit digest. This is the default setting.
• MD5: Hash algorithm that produces a 128-bit digest.
Key In: The integrity key for the inbound policy. The length of the key depends on the selected integrity algorithm:
• MD5: enter 16 characters.
• SHA-1: enter 20 characters.
Key Out: The integrity key for the outbound policy. The length of the key depends on the selected integrity algorithm. The required key lengths are the same as for Key In (see above).
Auto Policy Parameters
Note: These fields apply only when you select Auto Policy as the policy type.
SA Lifetime: The lifetime of the Security Association (SA) is the period, or the amount of transmitted data, after which the SA becomes invalid and must be renegotiated. From the pull-down menu, select how the SA lifetime is specified:
• Seconds: In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default value is 3600 seconds.
• KBytes: In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.
Encryption Algorithm: From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA):
• DES: Data Encryption Standard (DES).
• 3DES: Triple DES. This is the default algorithm.
• AES-128: Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192: AES with a 192-bit key size.
• AES-256: AES with a 256-bit key
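The key-length, SPI and SA-lifetime constraints of Table 7-12 (the manual-policy encryption and integrity keys, the hexadecimal SPI, and the Auto Policy lifetime minimums) are easy to get wrong by hand. The following is an added example and not NETGEAR code: it validates a set of policy values against exactly the constraints the table states and separately warns about the legacy algorithms. It assumes that key lengths are counted in characters as the table says, and that the SPI may be written with or without a 0x prefix followed by 3 to 8 hexadecimal digits.

```python
"""Validate IPsec manual/auto policy parameters (added example, not NETGEAR code)."""
import re

# Required key length in characters per algorithm, from Table 7-12.
ENC_KEY_LEN = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
INTEG_KEY_LEN = {"MD5": 16, "SHA-1": 20}
# Assumption: optional 0x prefix, then 3 to 8 hexadecimal digits (e.g. 0x1234).
SPI_RE = re.compile(r"^(?:0x)?[0-9a-fA-F]{3,8}$")

# Minimums stated for Auto Policy SA lifetimes and the default in seconds.
SA_LIFETIME_MIN = {"Seconds": 300, "KBytes": 1920000}
SA_LIFETIME_DEFAULT_SECONDS = 3600


def _check_key(label, alg, key, table):
    """Return a list with one error string if the key length does not match."""
    if alg not in table:
        return ["%s: unknown algorithm %r" % (label, alg)]
    want = table[alg]
    if len(key) != want:
        return ["%s: %s requires %d characters, got %d" % (label, alg, want, len(key))]
    return []


def validate_manual_policy(enc_alg, key_in, key_out, integ_alg,
                           ikey_in, ikey_out, spi_in, spi_out):
    """Return a list of error strings; an empty list means the values are valid."""
    errors = []
    errors += _check_key("Encryption Key In", enc_alg, key_in, ENC_KEY_LEN)
    errors += _check_key("Encryption Key Out", enc_alg, key_out, ENC_KEY_LEN)
    errors += _check_key("Integrity Key In", integ_alg, ikey_in, INTEG_KEY_LEN)
    errors += _check_key("Integrity Key Out", integ_alg, ikey_out, INTEG_KEY_LEN)
    for label, spi in (("SPI Incoming", spi_in), ("SPI Outgoing", spi_out)):
        if not SPI_RE.match(spi):
            errors.append("%s: %r is not a 3-8 character hexadecimal value" % (label, spi))
    return errors


def policy_warnings(enc_alg, integ_alg, key_in=None, key_out=None):
    """Warnings (not errors): legacy algorithms and one key reused in both directions."""
    warnings = []
    if enc_alg in ("DES", "3DES"):
        warnings.append("%s is a legacy cipher; prefer AES" % enc_alg)
    if integ_alg == "MD5":
        warnings.append("MD5 is a legacy hash; prefer SHA-1")
    if key_in is not None and key_in == key_out:
        warnings.append("Key In and Key Out are identical; use distinct keys per direction")
    return warnings


def validate_sa_lifetime(unit, value=None):
    """Check an Auto Policy SA lifetime against the stated minimum.
    Returns the effective value (the 3600-second default when no value is
    given for Seconds) or raises ValueError."""
    if unit not in SA_LIFETIME_MIN:
        raise ValueError("unit must be Seconds or KBytes")
    if value is None:
        if unit != "Seconds":
            raise ValueError("a value is required for KBytes")
        value = SA_LIFETIME_DEFAULT_SECONDS
    if value < SA_LIFETIME_MIN[unit]:
        raise ValueError("%s lifetime must be at least %d" % (unit, SA_LIFETIME_MIN[unit]))
    return value


if __name__ == "__main__":
    # Constructed sample values; the keys are illustrative, not real keys.
    print(validate_manual_policy("AES-128", "0123456789abcdef", "fedcba9876543210",
                                 "SHA-1", "a" * 20, "b" * 20, "0x1234", "0xabcd"))
    print(policy_warnings("3DES", "MD5", "k" * 24, "k" * 24))
    print(validate_sa_lifetime("Seconds"))
```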
88. an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker does not complete the connections, thus leaving the connection half-open and flooding the server with SYN messages. No legitimate connections can then be made. By default, the Block TCP Flood checkbox is deselected.
Table 5-4: Attack Checks Settings (continued)
Setting: Description (or Subfield and Description)
LAN Security Checks
Block UDP flood: Select the Block UDP flood checkbox to prevent the UTM from accepting more than 20 simultaneous active UDP connections from a single device on the LAN. By default, the Block UDP flood checkbox is deselected.
A UDP flood is a form of denial-of-service attack that can be initiated when one device sends a large number of UDP packets to random ports on a remote host. As a result, the distant host does the following:
1. Checks for the application listening at that port.
2. Sees that no application is listening at that port.
3. Replies with an ICMP Destination Unreachable packet.
When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker might also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the a
89. and Syslog Logs on page 11-6.
Querying the Logs
The UTM generates logs that provide detailed information about malware threats and traffic activities on the network. You can view these logs through the Web Management Interface or save the log records in CSV or HTML format and download them to a computer (the downloading option is not available for all logs). The UTM provides 13 types of logs:
• Traffic Logs: All scanned incoming and outgoing traffic.
• Spam Logs: All intercepted spam.
• System Logs: The system event logs that you have specified on the Email and Syslog screen (see Configuring and Activating System, E-mail, and Syslog Logs on page 11-6). However, by default, many more types of events are logged in the system logs.
• Service Logs: All events that are related to the status of scanning and filtering services that are part of the Application Security main navigation menu. These events include update success messages, update failed messages, network connection errors, and so on.
• Malware Logs: All intercepted viruses, spyware, and other malware threats.
• Email filter Logs: All e-mails that are blocked because of file extension and keyword violations.
• Content Filter Logs: All attempts to access blocked Web sites and URLs.
• IPS Logs: All IPS events.
• Portscan Logs: All port scan even
90. and the types of traffic that they are allowed to have. See Monitoring System Access and Performance on page 11-1 for a description of these tools.
System Management
System management tasks are described in the following sections:
• Changing Passwords and Administrator Settings on this page
• Configuring Remote Management Access on page 10-12
• Using an SNMP Manager on page 10-14
• Managing the Configuration File on page 10-15
• Updating the Firmware on page 10-18
• Updating the Scan Signatures and Scan Engine Firmware on page 10-21
• Configuring Date and Time Service on page 10-24
Changing Passwords and Administrator Settings
The default administrator and default guest passwords for the Web Management Interface are both password. NETGEAR recommends that you change these passwords to more secure passwords. You can also configure a separate password for the guest account.
To modify the administrator user account settings, including the password:
1. Select Users > Users from the menu. The Users screen displays. Figure 10-1 shows the UTM's default users, admin and guest, and, as an example, several other users in the List of Users table.
[Figure 10-1: List of Users table with the columns Name, Group, Type, Authentication Domain; first row: admin, geardomain, Administrator, geard
91. any external network. The total count of dropped packets is displayed.
To set up IP/MAC bindings:
1. Select Network Security > Address Filter from the menu. The Address Filter submenu tabs appear with the Source MAC Filter screen in view.
2. Click the IP/MAC Binding submenu tab. The IP/MAC Binding screen displays (see Figure 5-27 on page 5-43, which shows some bindings in the IP/MAC Binding table as an example).
[Figure 5-27: IP/MAC Binding screen. Email IP/MAC Violations: "Do you want to enable E-mail Logs for IP/MAC Binding Violation?" (Yes / No; for this option, e-mailing of logs must be enabled in the Firewall Logs & E-mail page). IP/MAC Binding table with the columns Name, MAC Addresses, IP Addresses, Log Dropped Packets, showing example entries Marketing (192.168.1.15, No) and Sales (192.168.1.20, No). Add IP/MAC Binding: Name, MAC Address, IP Address, Log Dropped Packets, Add]
3. Enter the settings as explained in Table 5-9.
Table 5-9: IP/MAC Binding Settings
Setting: Description (or Subfield and Description)
Email IP/MAC Violations
Do you want to enable E-mail Logs for IP/MAC Bi…: Select one of the following radio buttons:
• Yes: IP/MAC binding violations are e-mailed.
• No: IP/MAC binding violations are not e-mailed.
92. are other applications that might not function well. In some cases, local PCs can run the application properly if those PCs are used on the DMZ port.
Note: A separate firewall security profile is provided for the DMZ port that is hardware-independent of the standard firewall security used for the LAN.
The DMZ Setup screen lets you set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 4; see Front Panel on page 1-9) and configure an IP address and subnet mask for the DMZ port.
To enable and configure the DMZ port:
1. Select Network Config > DMZ Setup from the menu. The DMZ Setup screen displays.
[Figure 4-8: DMZ Setup screen. DMZ Port Setup: "Do you want to enable DMZ Port?" (Yes / No), IP Address, Subnet Mask. DHCP for DMZ Connected Computers: Enable DHCP Server / Disable DHCP Server, Domain Name, Starting IP Address, Ending IP Address, Primary DNS Server, Secondary DNS Server, WINS Server, Lease Time (24 Hours), DHCP Relay, Relay Gateway. LDAP Information: Enable LDAP information, LDAP Server, Search Base, Port (leave blank for default port). DNS Proxy: Enable DNS Proxy]
2. Enter the settings as explained in Table 4-3 on page 4
93. as explained in Table 7-14.
Table 7-14: RADIUS Client Settings
Item: Description (or Subfield and Description)
Primary RADIUS Server: Select the Yes radio button to enable and configure the primary RADIUS server, and then enter the settings for the three fields below. The default setting is that the No radio button is selected.
Primary Server IP Address: The IP address of the primary RADIUS server.
Secret Phrase: The shared secret phrase used to authenticate the transactions between the client and the primary RADIUS server. The same Secret Phrase must be configured on both the client and the server.
Primary Server NAS Identifier: The primary Network Access Server (NAS) identifier that must be present in a RADIUS request.
Note: The UTM functions as a NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS must provide some NAS identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the UTM's IP address might be sufficient as an identifier, or the server might require a name, which you must enter in this field.
Backup RADIUS Server: Select the Yes radio button to enable and configure the backup RADIUS server, and then enter the settings for the three fields below. The default setting is that the No radio button is selected.
Backup Server IP Address: The IP address of the backup RAD
94. as explained in Table 11-5 on page 11-14.
Table 11-5: Firewall Logs Settings
Setting: Description (or Subfield and Description)
Routing Logs: From the Accepted Packets and Dropped Packets columns, select checkboxes to specify which traffic is logged: LAN to WAN, LAN to DMZ, DMZ to WAN, WAN to LAN, DMZ to LAN, WAN to DMZ.
Other Event Logs
Source MAC Filter: Select this checkbox to log packets from MAC addresses that match the source MAC address filter settings.
Session Limit: Select this checkbox to log packets that are dropped because the session limit has been exceeded.
Bandwidth Limit: Select this checkbox to log packets that are dropped because the bandwidth limit has been exceeded.
4. Click Apply to save your settings.
Monitoring Real-Time Traffic, Security, and Statistics
When you start up the UTM, the default screen that displays is the Dashboard screen, which lets you monitor the real-time security scanning status with detected network threats, detected network traffic, and service statistics for the six supported protocols (HTTP, HTTPS, FTP, SMTP, POP3, and IMAP). In addition, the screen displays statistics for the most recent five and top five malware threats detected, IPS signatures matched, instant messaging, peer-to-peer
95. bandwidth, 5-36; QoS, 5-33
ProSafe VPN Client software license, 2
protection from common attacks, 5-20
protocol binding (UTM25), 3-14, 3-15
protocols: compatibilities, A-2; e-mails, 6-4; RIP, 1-6; service numbers, 5-3; supported, 2; traffic volume by protocol, 11-4; Web, 6-19
proxy servers, 6-28
public Web server, hosting, 5-25
PVID: default, 4-2; description, 4-2
Q
QoS: DiffServ mark, 5-35; DSCP, 5-35; IP header, 5-35; IP precedence, 5-35; priority queue, 5-35; profiles: assigning to firewall rules, 5-33; description, 5-33; examples, 5-33; shifting traffic mix, 10-8; value, 5-35
quality of service, See QoS
question mark icon (Web Management Interface), 2-7
R
rack mounting kit, 7-14
RADIUS: backup server, 7-41; description, 9-2; NAS, 7-4; primary server, 7-41
RADIUS CHAP, 7-29, 7-38, 7-39, 8-6, 9-4
RADIUS MSCHAP v2, 8-6, 9-4
RADIUS PAP, 7-29, 7-38, 7-39, 8-6, 9-4
RADIUS server, configuring, 7-40
read/write access, 9-9
read-only access, 9-9
real-time blacklist (RBL), e-mails, 6-4
real-time traffic diagnostics, 11-46
rebooting, 10-2, 11-48
reducing traffic: blocking sites, 10-4; overview, 10-2; service blocking, 10-2; source MAC filtering, 10-5
reference documents, E
registering with NETGEAR, 2-27
registration information, 1-8
regulatory compliance, A-3
relay gateway, 2-10, 4-9, 4-2
Remote Authentication Dial In User Service, See RADIUS
remote man
96. blocked, and the attachment is not deleted.
Table 2-5: Setup Wizard Step 5: Email Security Settings (continued)
Setting: Description (or Subfield and Description)
IMAP: From the IMAP pull-down menu, specify one of the following actions when an infected e-mail is detected:
• Delete attachment: This is the default setting. The e-mail is not blocked, but the attachment is deleted, and a log entry is created.
• Log only: Only a log entry is created. The e-mail is not blocked, and the attachment is not deleted.
Scan Exceptions: The default maximum file or message size that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions when the file or message exceeds the maximum size:
• Skip: The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting.
• Block: The file is blocked and does not reach the end user.
Setup Wizard Step 6 of 10: Web Security
[Figure: Setup Wizard Step 6 of 10, Web Security screen, with Service and Action columns for HTTP (Delete file), HTTPS, FTP (Delete file), and Streaming]
if the file or message is l
97. browser open to maintain the connection. (Figure 8-9: User Portal screen with the Connect using VPN Tunnel option. Note: If you reload your browser, the VPN Tunnel client will disconnect and then reconnect to the remote network.) The default User Portal screen displays a simple menu that provides the SSL user with the following menu selections: VPN Tunnel. Provides full network connectivity. Port Forwarding. Provides access to the network services that you defined in SSL VPN Wizard Step 5 of 6: Port Forwarding on page 8-11. Change Password. Allows the user to change their password. Support. Provides access to the NETGEAR Web site. Viewing the UTM SSL VPN Connection Status. To review the status of current SSL VPN tunnels: 1. Select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view. 2. Click the SSL VPN Connection Status submenu tab. The SSL VPN Connection Status screen displays. (Figure 8-10: SSL VPN Connection Status screen with User Name, IP Address, Login Time and Action (disconnect) columns.) The active user's user name, group and IP address are listed in the table with a timestamp indicating the time and date that the user connected.
98. by default. The default port is 443. FTP: Select the FTP checkbox to enable File Transfer Protocol (FTP). This service is enabled by default and uses default port 21. Table 6-6. Web Protocol, Instant Messaging and Peer-to-Peer Settings (continued). Setting / Description or Subfield and Description. Note: If a protocol uses a port other than the standard service port (for example, port 80 for HTTP), enter this non-standard port in the Ports to Scan field. For example, if the HTTP service on your network uses both port 80 and port 8080, enter both port numbers in the Ports to Scan field and separate them by a comma. Instant Messaging: Google Talk, Jabber, Yahoo Messenger, MSN Messenger. Select the corresponding checkboxes to block any of these common instant messaging services, all of which are allowed by default. Note: For Instant Messaging services, the following services can be blocked: Skype logging in, sharing files, sharing video, sharing audio and text messaging. Peer to Peer (P2P): BitTorrent, eDonkey, Gnutella. Select the corresponding checkboxes to block any of these common peer-to-peer file sharing services, all of which are allowed by default. 3. Click Apply to save your settings. Configuring Web Malware Scan
99. (Figure 11-20: LAN Setup screen listing defaultVlan profiles with DHCP Enabled and DHCP Disabled.) Click the LAN Groups submenu tab. The LAN Groups screen displays. Figure 11-21 shows some examples in the Known PCs and Devices table. (Figure 11-21: Known PCs and Devices table with Name, IP Address, MAC Address, Group and Profile Name columns, and the Add Known PCs and Devices section with Name, IP Address Type and MAC Address fields.) The Known PCs and Devices table contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the UTM or have been discovered by other means. Collectively, these entries make up the Network Database. For each attached PC or device, the Known PCs and Devices table displays the following fields: Checkbox. Allows you to select the PC or device in the table. Name. The name of the PC or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name). If the PC or device was assigned an IP address by the DHC
100. disabled, select the No radio button in the Local Authentication section of the Domain screen (see Figure 9-1 on page 9-3). Note: A combination of local and external authentication is supported. Warning: If you disable local authentication, make sure that there is at least one external administrative user; otherwise, access to the UTM25 is blocked. 6. If you change local authentication, click Apply in the Domain screen to save your settings. To delete one or more domains: 1. In the List of Domains table, select the checkbox to the left of the domain that you want to delete, or click the select all table button to select all domains. You cannot delete a default domain. 2. Click the delete table button. Configuring Groups for VPN Policies. The use of groups simplifies the configuration of VPN policies when different sets of users have different restrictions and access controls. Like the default domain of the UTM, the default group is also named geardomain. The default group geardomain is assigned to the default domain geardomain. You cannot delete the default group. In addition, when you create a new domain on the second SSL VPN Wizard screen (see SSL VPN Wizard Step 2 of 6: Domain Settings on page 8-5), a default group with the same name as the domain is automatically
101. download the eicar.com test file from http://www.eicar.org/download/eicar.com. The eicar.com test file is a legitimate DOS program and is safe to use because it is not a malware threat and does not include any fragments of malware code. The test file is provided by EICAR, an organization that unites efforts against computer crime, fraud and misuse of computers or networks. Verify that the UTM properly scans HTTP traffic: 1. Log on to the UTM Web Management Interface and then verify that HTTP scanning is enabled. For information about how to enable HTTP scanning, see Customizing Web Protocol Scan Settings and Services on page 6-19 and Configuring Web Malware Scans on page 6-21. 2. Check the downloaded eicar.com test file and note the attached malware information file. Registering the UTM with NETGEAR. To receive threat management component updates and technical support, you must register your UTM with NETGEAR. The support registration key is provided with the product package (see Service Registration Card with License Keys on page 1-8). Note: Activating the service licenses initiates their terms of use. Activate the licenses only when you are ready to start using this unit. If your unit has never been registered before, you can use the 30-day trial period
102. Block All Traffic Except E-Mail. All incoming and outgoing Internet traffic is blocked, but incoming and outgoing e-mail traffic is still allowed. Send e-mail alert. An e-mail alert is sent when traffic is blocked. Ensure that e-mailing of logs is enabled on the Email and Syslog screen (see Configuring and Activating System E-mail and Syslog Logs on page 11-6). 3. Click Apply to save your settings. 4. For the UTM25 only, click the WAN2 Traffic Meter submenu tab. The WAN Traffic Meter screen displays. This screen is identical to the WAN1 Traffic Meter screen (see Figure 11-1 on page 11-2). 5. For the UTM25 only, repeat step 2 and step 3 for the WAN2 interface. To display a report of the Internet traffic by type, click the Traffic by Protocol option arrow at the top right of the WAN1 Traffic Meter or WAN2 Traffic Meter screen (UTM25) or at the top right of the WAN Traffic Meter screen (UTM10). The Traffic by Protocol screen appears in a popup window. The incoming and outgoing volume of traffic for each protocol and the total volume of traffic is displayed. Traffic counters are updated in MBs; the counter starts only when the traffic passed is at least 1 MB. In addition, the popup screen displays the traffic meter's start and end dates. (Figure 11-2: Traffic by Protocol popup showing Start Date, End Date and, for each protocol, Incoming Traffic and Outgoing Traffic as Total MB and MB Per Day.)
103. enabled by default. Note: When you deselect the Enable DNS Proxy radio button, the UTM still services DNS requests that are sent to its LAN IP address unless you disable DNS Proxy in the firewall settings (see Attack Checks on page 5-20). 4. Click Apply to save your settings. Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. To change these default traffic rules, see Chapter 5, Firewall Protection. Configuring Multi-Home LAN IPs on the Default VLAN. If you have computers using different IP networks in the LAN (for example, 172.16.2.0 or 10.0.0.0), you can add aliases to the LAN ports and give computers on those networks access to the Internet, but you can do so only for the default VLAN. The IP address that is assigned as a secondary IP address must be unique and must not be assigned to the VLAN. Note: It is important that you ensure that any secondary LAN addresses are different from the primary LAN, WAN and DMZ IP addresses and subnet addresses that are already configured on the UTM. The following is an example of properly configured IP addresses on the UTM25: WAN1 IP address 10.0.0.1 with subnet 255.0.0.0; WAN2 IP address 20.0.0.1 with subnet 255.0.0.0; DMZ IP add
104. encryption, establishing a secure connection to the UTM. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC to allow the remote user to virtually join the corporate network. The SSL VPN client provides a point-to-point (PPP) connection between the client and the UTM, and a virtual network interface is created on the user's PC. The UTM assigns the PC an IP address and DNS server IP addresses, allowing the remote PC to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure. SSL Port Forwarding. Like an SSL VPN tunnel, port forwarding is a Web-based client that installs transparently and then creates a virtual, encrypted tunnel to the remote network. However, port forwarding differs from an SSL VPN tunnel in several ways: Port forwarding supports only TCP connections, not UDP connections or connections using other IP protocols. Port forwarding detects and reroutes individual data streams on the user's PC to the port forwarding connection rather than opening up a full tunnel to the corporate network. Port forwarding offers more fine-grained management than an SSL VPN tunnel. You define individual applications and resources that are available to remote users. The SSL VPN portal can present the
105. end users. To configure the e-mail anti-virus settings: 1. Select Application Security > Email Anti-Virus from the menu. The Email Anti-Virus screen displays. (Figure 6-2: Email Anti-Virus screen with the Action section for SMTP (Block infected email), POP3 and IMAP; the Scan Exceptions setting for files or messages larger than a given size in KB (maximum 10240 KB); the Notification Settings section with Insert Warning into Email Subject for SMTP (Malware Found: MALWARE INFECTED, No Malware Found: MALWARE FREE), Append Safe Stamp for SMTP and POP3, the scan size limit skip message, and Replace Infected Attachments with the Following Warning Message; and the Email Alert Settings section with Send alert to Sender or Recipient and a Subject of Malware detected. Note on the screen: insert the following meta words to automatically include the relevant malware detection information: TIME, PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME, VIRUSINFO.)
106. entry. Almost all screens and sections of screens have an accompanying help screen. To open the help screen, click the question mark icon. Using the Setup Wizard to Perform the Initial Configuration. The Setup Wizard facilitates the initial configuration of the UTM by taking you through ten screens, the last of which allows you to save the configuration. If you prefer to perform the initial WAN setup manually, see Chapter 3, Manually Configuring Internet and WAN Settings. To start the Setup Wizard: 1. Select Wizards from the main navigation menu. The Welcome to the Netgear Configuration Wizard screen displays. (Figure 2-6: Welcome to the Netgear Configuration Wizard screen with the Setup Wizard, IPSec VPN Wizard and SSL VPN Wizard radio buttons.) 2. Select the Setup Wizard radio button. 3. Click Next. The first Setup Wizard screen displays. The following sections explain the nine configuration screens of the Setup Wizard. On the 10th screen you can save your configuration. The tables in the following sections explain the buttons and fields of the Setup Wizard screens. Additional information about the settings in the Setup Wizard screens is provided in other chapters that explain manual configuration; each section below provides a specific link to a section in another chapter.
107. file or object is detected: Delete file. This is the default setting. The Web file or object is deleted and a log entry is created. Log only. Only a log entry is created. The Web file or object is not deleted. Streaming: Select the Streaming checkbox to enable streaming of partially downloaded and scanned HTTPS file parts to the user. This method allows the user to experience more transparent Web downloading. Streaming is enabled by default. FTP: From the FTP pull-down menu, specify one of the following actions when an infected FTP file or object is detected: Delete file. This is the default setting. The FTP file or object is deleted and a log entry is created. Log only. Only a log entry is created. The FTP file or object is not deleted. Scan Exceptions: The default maximum file or object size that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions when the file or message exceeds the maximum size: Skip. The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting. Block. The file is blocked and does not reach the end user.
108. for all 3 types of licenses to perform the initial testing and configuration. To use the trial period, do not click Register in step 4 of the procedure below but click Trial instead. If your UTM is connected to the Internet, you can activate the service licenses: 1. Select Support > Registration. The Registration screen displays. (Figure 2-17: Registration screen with the Online Registration section (Registration Key field), the Registration Keys table (License Key, License Type and Expiration Date for the Web Protection, Email Protection and Support & Maintenance trial licenses), and the Customer Information and VAR Information sections (Company Name, First Name, Last Name, Email Address, Fax Number, Phone Number, Address, Country).) 2. Enter the license key in the Registration Key field. 3. Fill out the customer and VAR fields. 4. Click Register. 5. Repeat step 2 and step 4 for additional license keys. The UTM activates the licenses and registers the unit with the NETGEAR registration server.
109. from all incoming and outgoing malware threats. Generally, five steps are required to complete the basic and security configuration of your UTM: 1. Connect the UTM physically to your network. Connect the cables and restart your network according to the instructions in the installation guide. See the ProSecure Unified Threat Management UTM10 or UTM25 Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://prosecure.netgear.com or http://kb.netgear.com/app/home. 2. Log in to the UTM. After logging in, you are ready to set up and configure your UTM. See Logging In to the UTM on page 2-2. 3. Use the Setup Wizard to configure basic connections and security. During this phase, you connect the UTM to one or more ISPs (more than one ISP applies to the UTM25 only). See Using the Setup Wizard to Perform the Initial Configuration on page 2-7. 4. Verify the installation. See Verifying Proper Installation on page 2-26. 5. Register the UTM. See Registering the UTM with NETGEAR on page 2-27. Each of these tasks is described separately in this chapter. The configuration of the WAN mode (required for dual WAN operation for the UTM25), dynamic DNS and other WAN options is described in Chapter 3, Manually Configuring Internet and WAN Settings. The configuration of LAN, firewall, scanning, VPN, management and monitoring features is described in later chapters.
110. from the menu. On the UTM25, the WAN Settings tabs appear with the WAN1 ISP Settings screen in view. On the UTM10, the WAN ISP Settings screen displays. 2. Click the Advanced option arrow. On the UTM25, the WAN1 Advanced Options screen displays (Figure 3-13 shows the UTM25 screen). On the UTM10, the WAN Advanced Options screen displays. (Figure 3-13: WAN1 Advanced Options screen with the MTU Size setting (Default or Custom, in Bytes), Port Speed, Router's MAC Address (Use Default Address, Use this computer's MAC, or Use this MAC Address), and the Upload/Download Settings for WAN Connection Type and WAN Connection Speed Upload and Download in Kbps.) 3. Enter the default information settings as explained in Table 3-8. Table 3-8. Advanced WAN Settings. Setting / Description or Subfield and Description. MTU Size: Make one of the following selections: Default. Select the Default radio button for the normal Maximum Transmit Unit (MTU) value. For most Ethernet networks, this value is 1500 Bytes, or 1492 Bytes for PPPoE connections. Custom. Select the Custom radio button and enter an MTU value in the Bytes field. For some ISPs, you might need to reduce the MTU
111. (Figure 7-21: Add IKE Policy screen with the Identifier Type and Identifier fields, the Local Gateway selection (WAN1 or WAN2), the IKE SA Parameters section (Encryption Algorithm, Authentication Algorithm, Authentication Method of Pre-shared key or RSA Signature, Pre-shared key, Diffie-Hellman (DH) Group, SA Lifetime in seconds, Enable Dead Peer Detection Yes/No, Detection Period in seconds, Reconnect after failure count) and the Extended Authentication section (XAUTH Configuration: None, Edge Device or IPsec Host).) 3. Complete the fields, select the radio buttons and make your selections from the pull-down menus as explained in Table 7-10. Table 7-10. Add IKE Policy Settings. Item / Description or Subfield and Description. Mode Config Record: Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a Mode Config Record. For information about how to define a Mode Config Record, see Mode Config Operation on page 7-42. Select one of the following radio buttons: Yes. IP addresses are assigned to remote VPN clients. You must select a Mode Config record from the pull-down menu. Note: Because Mode Config functions only in Aggressive Mode, selecting the Yes radio button sets the tunnel exchange mode to A
112. in MB. Total Emails/Files Scanned: The total number of scanned e-mails. Total Malwares Found: The total number of detected viruses and attacks. Total Files Blocked: The total number of downloaded files that were blocked. Total URLs Blocked: The total number of URL requests that were blocked. These statistics are applicable only to HTTP and HTTPS. Total Spam Emails: The total number of spam messages that were blocked. These statistics are applicable only to SMTP and POP3. Blacklist: The total number of e-mails that were detected from sources on the spam blacklist and Real-time blacklist (see Setting Up the Whitelist and Blacklist on page 6-12 and Configuring the Real-time Blacklist on page 6-14). These statistics are applicable only to SMTP. Distributed Spam Analysis: The total number of spam messages that were detected through Distributed Spam Analysis (see Configuring Distributed Spam Analysis on page 6-16). These statistics are applicable only to SMTP and POP3. Viewing Status Screens. The UTM provides real-time information in a variety of status screens that are described in the following sections: Viewing System Status, on this page; Viewing Active VPN Users, on page 11-24; Viewing VPN Tunnel Connection Status, on page 11-24
113. in the first Local Server IP Address field, or a port number that is already in use in the TCP Port Number/Action field; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration. Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the client IP address range and routes by selecting VPN > SSL VPN > Port Forwarding. For more information about port forwarding settings, see Configuring Applications for Port Forwarding on page 8-22. Table 8-5. SSL VPN Wizard Step 5: Port Forwarding Settings. Item / Description or Subfield and Description. Add New Application for Port Forwarding. Local Server IP Address: The IP address of an internal server or host computer that remote users have access to. TCP Port Number/Action: The TCP port number of the application that is accessed through the SSL VPN tunnel. Below are some commonly used TCP applications and port numbers: FTP Data (usually not needed), 20; FTP Control Protocol, 21; SSH, 22 (a); Telnet, 23 (a); SMTP (send mail), 25; HTTP (web), 80; POP3 (receive mail), 110; NTP (network time pro
114. is from a trusted third party whose identity can be verified. You can obtain a digital certificate from a well-known commercial certificate authority (CA) such as Verisign or Thawte, or you can generate and sign your own digital certificate. Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate from a commercial CA provides a strong assurance of the server's identity. A self-signed digital certificate triggers a warning from most browsers because it provides no protection against identity theft of the server. The UTM contains a self-signed digital certificate from NETGEAR. This certificate can be downloaded from the UTM login screen for browser import. However, NETGEAR recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA prior to deploying the UTM in your network. To display the Certificates screen, select VPN > Certificates from the menu. Because of the large size of this screen and because of the way the information is presented, the Certificates screen is divided and presented in this manual in three figures (Figure 9-11 on page 9-19, Figure 9-13 on page 9-22 and Figure 9-15 on page 9-26). The Certificates screen lets you view the currently loaded digital certificates, upload a new digital certificate and generate a Certificate Signing Request (CSR). The UTM typically holds two types of digital certificates: CA digital certificat
115. is applied to the address of a particular PC. Address range. The rule is applied to a range of addresses. Groups. The rule is applied to a group of PCs. You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules. The Known PCs and Devices table is an automatically maintained list of all known PCs and network devices and is generally referred to as the Network Database, which is described in Managing the Network Database on page 4-13. PCs and network devices are entered into the Network Database by various methods that are described in Managing Groups and Hosts (LAN Groups) on page 4-12. WAN Users: You can specify which Internet locations are covered by an outbound rule based on their IP address: Any. The rule applies to all Internet IP addresses. Single address. The rule applies to a single Internet IP address. Address range. The rule is applied to a range of Internet IP addresses. Schedule: You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Setting a Schedule to Block or Allow Specific Traffic on page 5-39. QoS Profile: You can define QoS profiles and then apply them to outbound rules to regulate the priority of traffic. To define QoS profiles, see Creating Quality of Service (QoS)
116. is displayed on screen if a LAN user attempts to access a blocked site (see the Notification Settings section that is described at the bottom of Table 6-8 on page 6-28). Several types of Web content blocking are available: File extension blocking. You can block files based on their extension. Such files can include executable files, audio and video files, and compressed files. Keyword blocking. You can specify words that, should they appear in the Web site name (URL) or in a newsgroup name, cause that site or newsgroup to be blocked by the UTM. The following are keyword blocking examples: If the keyword XXX is specified, the URL www.zzyyqq.com/xxx.html is blocked, as is the newsgroup alt.pictures.XXX. If the keyword .com is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed. If a period (.) is specified as the keyword, all Internet browsing access is blocked. Note: Wildcards are supported. For example, if www.net*.com is specified, any URL that begins with www.net is blocked and any URL that ends with .com is blocked. You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled are blocked. Blocking does not occur for the PCs th
117. is the default setting. Block spam email. POP3: The only option is to block spam e-mail. Tag: Add tag to mail subject. When the option Tag spam email is selected from the Action pull-down menu (see above), select this checkbox to add a tag to the e-mail subject line. The default tag is SPAM, but you can customize this tag. The default setting is to add the default tag to the subject line. Add tag X-NETGEAR-SPAM to mail header. When the option Tag spam email is selected from the Action pull-down menu (see above), select this checkbox to add the X-NETGEAR-SPAM tag to the e-mail header. The default setting is to add the default tag to the e-mail header. Anti-Spam Engine Settings: Use a proxy to connect to the Detection Center. Select this checkbox if the UTM connects to the Netgear Spam Classification Center server (also referred to as the Detection Center) over a proxy server. Then specify the following information: Proxy server. The IP address and the port number of the proxy server. User name. Optional: the user name for proxy server authentication. Password. Optional: the password for proxy server authentication. 4. Click Apply to save your settings. The Distributed Spam Analysis section and the Anti-Spam Engine Settings section each have their own Apply and Reset buttons to enable you to make changes to these sections separately.
118. malware threat was detected. Malware Name: The name of the malware threat. Count: The number of times that the malware threat was detected. Percentage: The percentage that the malware threat represents in relation to the total number of detected malware threats. IPS Signatures: Signature Name: The name of the attack. Category: The category in which the attack was detected, such as Web, Mail, Databases and so on. Note: For more information about categories, see Using the Intrusion Prevention System on page 5-47. Date and Time: The date and time that the attack was detected. Signature Name: The name of the attack. Count: The number of times that the attack was detected. Percentage: The percentage that the attack represents in relation to the total number of detected attacks. IM/Peer to Peer: Application: The name of the application that was blocked. Category: Instant messaging or peer to peer. Date and Time: The date and time that the application request was blocked. Application: The name of the application that was blocked. Requests: The total number of user requests for the blocked application. Source IPs: The source IP address from which the request came. Web Categories: Category: The Web category that was blocked. Note: For more information about Web
119. object, 2-20, 6-40; audio and video files, filtering, 6-41; compressed files, filtering, 6-41; default port, 2-17, 6-20; enabling scanning, 2-17, 6-20; executable files, filtering, 6-41. fully qualified domain name, See FQDN. G. gateway IP address (ISP), 2-13, 3-8. Gnutella, 2-17, 6-21. Google Talk/Jabber, 2-17, 6-21. group policies, precedence, 8-37. groups: LAN, 4-14, 4-16; VPN policies, 9-6. guests (user account), 9-9. H. hard disk usage, 11-21. hardware: bottom panel label, 3; front panel LEDs, 1-10; front panel ports, 1-9; rear panel components, 2; requirements, B-3; serial number, 22. help button, Web Management Interface, 2-7. hosts: exposed, increasing traffic, 10-8; exposed, specifying, 5-28; name resolution, 8-24; public Web server, 5-25; trusted, SNMP, 10-15; trusted, specifying, 6-37. HTML files, scanning, 6-23. HTTP: action, infected Web file or object, 2-20, 6-22; default port, 2-17, 6-20; enabling scanning, 2-17, 6-20; proxy for HTTPS scanning, 6-34, 6-37; proxy, security subscription update, 2-25; trusted hosts, 6-37. HTTPS: action, infected Web file or object, 2-20, 6-22; default port, 2-17, 6-20; enabling scanning, 2-17, 6-20; scanning process, 6-34; trusted hosts, 6-37. HyperText Markup Language, See HTML. I. ICMP: time-out, 5-24; type, 5-32. IGP, 4-24. IKE policies: exchange mode, 7-23, 7-26; ISAKMP identifier, 7-23, 7-27; managing, 7-22; ModeConfig, 7-26, 7-46
120. on the secondary subnets must be manually configured with the IP addresses, gateway IP address and DNS server IP addresses. Managing Groups and Hosts (LAN Groups). The Known PCs and Devices table on the LAN Groups screen (see Figure 4-5 on page 4-14) contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the UTM or have been discovered by other means. Collectively, these entries make up the Network Database. The Network Database is updated by these methods: DHCP Client Requests. When the DHCP server is enabled, it accepts and responds to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. This is an advantage of enabling the DHCP Server feature. Scanning the Network. The local network is scanned using Address Resolution Protocol (ARP) requests. The ARP scan detects active devices that are not DHCP clients. Note: In large networks, scanning the network might generate unwanted traffic. Note: When the UTM receives a reply to an ARP request, it might not be able to determine the device name if the software firewall of the device blocks the name. Manual Entry. You can manually enter information about a network device. Some advantages of the Network Database a
121. only from Defined Browsers.
[Figure 9-9: Defined Browsers screen, with a Client Browsers table (Netscape Navigator listed), select all and delete buttons, and an Add Defined Browser section with Internet Explorer selected in the pull-down menu]
4. In the Defined Browsers Status section of the screen, select one of the following radio buttons:
- Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table.
- Allow Login only from Defined Browsers. Allow logging in from the browsers in the Defined Browsers table.
5. Click Apply to save your settings.
6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the pull-down menu:
- Internet Explorer
- Opera
- Netscape Navigator
- Firefox (Mozilla Firefox)
- Mozilla (other Mozilla browsers)
7. Click the add table button. The browser is added to the Defined Browsers table.
8. Repeat step 6 and step 7 for any other browsers that you want to add to the Defined Browsers table.
To delete one or more browsers:
1. In the Defined Browsers table, select the checkbox to the left of the browser that you want to delete, or click the select all table button to select all browsers.
2. Click the delete table button.
Changing Passwords and Other User Settings
For any user, you can change the p
122. Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the portal settings by selecting VPN > SSL VPN > Portal Layout. For more information about portal settings, see Creating the Portal Layout on page 8-18.
Table 8-1. SSL VPN Wizard Step 1: Portal Settings (Item; Description or Subfield and Description)
Portal Layout and Theme Name
Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL.
  Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.com and you create a portal layout named CustomerSupport, then users access the sub-site at https://vpn.company.com/portal/CustomerSupport.
  Note: Only alphanumeric characters, hyphens (-), and underscores (_) are accepted in the Portal Layout Name field. If you enter other types of characters or spaces, the layout name is truncated before the first non-alphanumeric character.
  Note: Unlike most other URLs, this name is case-sensitive.
Portal Site Title: The title that appears at the top of the user's Web browser window. For example: Company Customer Support.
Banner Title: The banner title of a banner message that users see before they log in to the portal. For example: Welcome to Customer Support.
Banner Message: The text of a banner m
123. Setup Wizard Step 7 of 10: Web Categories to Be Blocked
[Figure: Setup Wizard Step 7 of 10 screen, Blocked Web Categories. An Enable Blocking checkbox is followed by category groups (Commerce, Drugs and Violence, Education, Gaming, Inactive Sites, Business, Hate & Intolerance, Health & Medicine, Internet Communication and Search, Leisure and News, Malicious, Politics and Religion, Sexual Content, Technology, Uncategorized), each with per-category checkboxes such as Advertisements & Pop-Ups, Alcohol & Tobacco, Anonymizers, Chat, Peer-to-Peer, Web-based Email (webmail), Botnets, Illegal Software, Spam Sites, Malware, Virus Infected/Compromised, Child Abuse Images, Download Sites, and Banking/Finance. Legend: Allowed by Default, Blocked by Default.]
124. replies, as in the previous section, are displayed. If you do not receive replies:
- Check that your PC has the IP address of your UTM listed as the default gateway. (If the IP configuration of your PC is assigned by DHCP, this information is not visible in your PC's Network Control Panel.)
- Check to see that the network address of your PC (the portion of the IP address that is specified by the netmask) is different from the network address of the remote device.
- Check that the modem or router is connected and functioning.
- If your ISP assigned a host name, system name, or account name to your PC, enter that name in the Account Name field on the WAN1 ISP Settings or WAN2 ISP Settings screen (of the UTM25) or in the Account Name field on the WAN ISP Settings screen (of the UTM10). You might also have to enter the assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information (see Manually Configuring the Internet Connection on page 3-5).
- Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your UTM to clone or spoof the MAC address from the authorized PC. You can do this in the Router's MAC Address section of th
125. required so the UTM can determine that the application has terminated.
Note: For additional ways of allowing inbound traffic, see Inbound Rules (Port Forwarding) on page 5-6.
To add a port triggering rule:
1. Select Network Security > Port Triggering from the menu. The Port Triggering screen displays. Figure 5-28 shows a rule in the Port Triggering Rule table as an example.
[Figure 5-28: Port Triggering screen. The Port Triggering Rule table lists an example rule with outgoing ports 20 to 22 and incoming ports 20 to 40, with edit, select all, and delete buttons. The Add Port Triggering Rule section has Name, Enable, Protocol, Outgoing (Trigger) Port Range, and Incoming (Response) Port Range fields; each port field accepts 0 to 65535.]
2. Below Add Port Triggering Rule, enter the settings as explained in Table 5-10 on page 5-46.
Table 5-10. Port Triggering Settings (Setting; Description or Subfield and Description)
Name: A descriptive name of the rule for identification and management purposes.
Enable: From the pull-down menu, select Yes to enable the rule. (You can define a rule but not enable it.) The default setting is No.
Protocol: From the pull-down menu, select the protocol to whi
126. reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
PPP
Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED W
128. 's default VLAN, or VLAN 1, are explained in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. This section provides further information about the DHCP options.
DHCP Server
The default VLAN (VLAN 1) has the DHCP Server option enabled by default, allowing the UTM to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the UTM's LAN. The assigned default gateway address is the LAN address of the UTM. IP addresses are assigned to the attached computers from a pool of addresses that you must specify. Each pool address is tested before it is assigned, to avoid duplicate addresses on the LAN. When you create a new VLAN, the DHCP server option is disabled by default.
For most applications, the default DHCP server and TCP/IP settings of the UTM are satisfactory. See the link to Preparing Your Network in Appendix E for an explanation of DHCP and information about how to assign IP addresses for your network.
The UTM delivers the following settings to any LAN device that requests DHCP:
- An IP address from the range that you have defined
- Subnet mask
- Gateway IP address (the UTM's LAN IP address)
- Primary DNS server (the UTM's LAN IP address)
- WINS server (if you entered a WINS server address in the DHCP Setup menu)
- Lease time (the date obtained and the
129. section of the Firmware screen to verify that the UTM now has the new firmware installed: the newly loaded firmware should be shown as the active firmware, and its Activation radio button should be automatically selected. The previously loaded firmware should be shown as the secondary firmware, and its Activation radio button should be automatically deselected.
Note: In some cases, such as a major upgrade, it might be necessary to erase the configuration and manually reconfigure your UTM after upgrading it. Refer to the firmware release notes that NETGEAR makes available.
Rebooting Without Changing the Firmware
To reboot the UTM without changing the firmware:
1. In the Firmware Reboot section of the Firmware screen (see Figure 10-6 on page 10-19), select the active firmware version by clicking the Activation radio button for the firmware that states active in the Type column.
2. Select the radio button that corresponds to the firmware version that you want to download onto the UTM.
3. Click Reboot. The UTM reboots. During the reboot process, the Firmware screen remains visible. The reboot process is complete after several minutes, when the Test LED on the front panel goes off.
Updating the Scan Signatures and Scan Engine Firmware
To scan and detect viruses, spyware, and other malw
130. section of the screen, locate the DPD fields.
[Figure 7-32: IKE policy screen showing the Encryption Algorithm, Authentication Algorithm, Authentication Method (Pre-shared key or RSA Signature), Pre-shared key (key length 8 to 49 characters), Diffie-Hellman (DH) Group, and SA Lifetime (sec) fields, followed by Enable Dead Peer Detection (Yes/No), Detection Period (seconds), and Reconnect after failure count]
4. Select the radio button and complete the fields as explained in Table 7-21.
Table 7-21. Dead Peer Detection Settings (Item; Description or Subfield and Description)
IKE SA Parameters
Enable Dead Peer Detection: Select the Yes radio button to enable DPD. When the UTM25 detects an IKE connection failure, it deletes the IPsec and IKE SA and forces a reestablishment of the connection. You must enter the detection period and the maximum number of times that the UTM attempts to reconnect (see below).
Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPsec traffic is idle. The default setting is 10 seconds.
Reconnect after failure count: The maximum number of times that the UTM attempts to reconnect after a DPD situation. When the maximum number of times is exceeded, the IPsec connection is terminated. The default setting is 3 IKE connection failures.
5. Click Apply to save your settings.
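The DPD behaviour that Table 7-21 describes (probes only while idle, one per detection period, teardown after the failure count is reached), written out as a small simulation. This is an added example and not NETGEAR code; the event model (IPsec traffic at given seconds, a peer that answers every R-U-THERE after a fixed delay or never) is an assumption made here.

```python
"""Dead Peer Detection (DPD) as described in Table 7-21, modelled as a
second-by-second simulation.  Added example, not NETGEAR code.  The event
model (traffic times, a peer that replies after a fixed delay or never)
is an assumption made for this example."""

from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class DpdConfig:
    detection_period: int = 10   # seconds between R-U-THERE probes; Table 7-21 default
    failure_count: int = 3       # unanswered probes tolerated; Table 7-21 default


@dataclass
class DpdResult:
    probes_sent: List[int] = field(default_factory=list)  # seconds at which R-U-THERE went out
    torn_down_at: Optional[int] = None                    # second the IPsec/IKE SAs were deleted
    log: List[str] = field(default_factory=list)


def simulate_dpd(cfg: DpdConfig, traffic_times: Set[int],
                 reply_delay: Optional[int], horizon: int) -> DpdResult:
    """Step from t=0 to t=horizon, one second at a time.

    - IPsec traffic at a second is proof of life; no probe is needed then,
      since R-U-THERE is sent only while the tunnel is idle.
    - After a full detection period without proof of life, one R-U-THERE
      is sent and an answer is awaited.
    - A probe still unanswered after another detection period counts as
      one failure; `failure_count` consecutive failures delete the SAs so
      that the connection is re-established (what "Enable Dead Peer
      Detection" in the table describes).
    `reply_delay` is the peer's answer latency in seconds (must be below
    the detection period to count), or None for a dead peer.
    """
    res = DpdResult()
    last_alive = 0                  # last second with proof that the peer is up
    pending: Optional[int] = None   # send time of a probe awaiting its ACK
    failures = 0

    for t in range(horizon + 1):
        if t in traffic_times:
            last_alive, pending, failures = t, None, 0
            continue                # traffic flowing: nothing to probe

        if pending is not None:
            if reply_delay is not None and t == pending + reply_delay:
                res.log.append(f"t={t}: R-U-THERE-ACK received, peer alive")
                last_alive, pending, failures = t, None, 0
            elif t >= pending + cfg.detection_period:
                failures += 1
                pending = None
                res.log.append(f"t={t}: probe unanswered, failure {failures}/{cfg.failure_count}")
                if failures >= cfg.failure_count:
                    res.torn_down_at = t
                    res.log.append(f"t={t}: deleting IPsec and IKE SAs, forcing re-establishment")
                    break

        if pending is None and t - last_alive >= cfg.detection_period:
            pending = t
            res.probes_sent.append(t)
            res.log.append(f"t={t}: idle for {t - last_alive}s, sending R-U-THERE")

    return res


if __name__ == "__main__":
    # Dead peer after a little traffic at t=3 and t=5, with the defaults.
    for line in simulate_dpd(DpdConfig(), {3, 5}, None, 60).log:
        print(line)
```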
131. select the Idle Time radio button, and in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
6. Configure the Internet IP Address settings as explained in Table 3-3. Click the Current IP Address link to see the currently assigned IP address.
[Figure 3-6: Internet IP Address section with the Current IP Address link, the Get Dynamically from ISP and Use Static IP Address radio buttons, and the IP Address, IP Subnet Mask, and Gateway IP Address fields]
Table 3-3. Internet IP Address Settings (Setting; Description or Subfield and Description)
Get Dynamically from ISP: If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the UTM using the DHCP network protocol.
Use Static IP Address: If your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button and enter the following settings:
  IP Address: Static IP address assigned to you. This address identifies the UTM to your ISP.
  Subnet Mask: The subnet mask is usually provided by your ISP.
  Gateway IP Address: The IP address of the ISP's gateway is usually provided by y
132. services with this priority with a ToS value of 7.
To create a QoS profile:
1. Select Network Security > Firewall Objects from the menu. The Firewall Objects submenu tabs appear, with the Services screen in view.
2. Click the QoS Profiles submenu tab. The QoS Profiles screen displays. Figure 5-21 shows some profiles in the List of QoS Profiles table as an example.
[Figure 5-21: List of QoS Profiles table with Name, QoS Type, Priority, and Action columns; example entries Maximize_Through (IP Precedence, High) and Normal_Service (DSCP, Medium), each with an edit button; select all, delete, and add buttons]
The screen displays the List of QoS Profiles table with the user-defined profiles.
3. Under the List of QoS Profiles table, click the add table button. The Add QoS Profile screen displays.
[Figure 5-22: Add QoS Profile screen with the Profile Name, DiffServ Mark (Don't Change, QoS, IP Precedence), QoS Value (for IP Precedence 1-7, DSCP 1-63), and QoS Priority fields]
4. Enter the settings as explained in Table 5-7 on page 5-35.
Note: This document assumes that you are familiar with QoS concepts such as QoS priority queues, IP Precedence, DHCP, and their values.
Table 5-7. QoS Profile
133. side to the outside. The firewall rules for blocking and allowing traffic on the UTM can be applied to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic.
Table 5-1. Number of Supported Firewall Rule Configurations
Traffic Rule | Maximum Number of Outbound Rules | Maximum Number of Inbound Rules | Maximum Number of Supported Rules
LAN WAN | 300 | 300 | 600
DMZ WAN | 50 | 50 | 100
LAN DMZ | 50 | 50 | 100
Total Rules | 400 | 400 | 800
Services-Based Rules
The rules to block traffic are based on the traffic's category of service:
- Outbound Rules (service blocking). Outbound traffic is normally allowed unless the firewall is configured to disallow it.
- Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
- Customized Services. Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see Adding Customized Services on page 5-30).
- Quality of Service (QoS) priorities. Each service has its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change the Qo
135. test. In the example that is shown in Figure 7-15 on page 7-17, select Connect > My Connections > UTM_SJ.
[Figure 7-15: NETGEAR ProSafe VPN Client system tray menu: Security Policy Editor, Certificate Manager, Deactivate Security Policy, Reload Security Policy, Disconnect, My Connections (UTM_Ireland, UTM_SJ, UTM_Test, FV5336G_Lab), Log Viewer, Connection Monitor, Help, About NETGEAR ProSafe VPN Client, Zoom, Remove Icon]
In the example that is shown in Figure 7-15, you should receive the message "Successfully connected to My Connections\UTM_SJ" within 30 seconds. The VPN client icon in the system tray should say On.
NETGEAR VPN Client Status and Log Information
To view more detailed additional status and troubleshooting information from the NETGEAR VPN client:
- Right-click the VPN Client icon in the system tray and select Log Viewer (see Figure 7-2 on page 7-2).
[Log Viewer (NETGEAR ProSafe VPN Client) excerpt: 19:51:19.312 My Connections\UTM_SJ - Initiating IKE Phase 1 (IP ADDR=83.71.251.30); 19:51:19.489 My Connections\UTM_SJ - SENDING>>>> ISAKMP OAK AG
136. the DMZ (outbound) or coming in from the DMZ to the LAN (inbound). There is no pull-down menu that lets you set the default outbound policy, as there is on the LAN WAN Rules screen. You can change the default outbound policy by blocking all outbound traffic and then enabling only specific services to pass through the UTM. You do so by adding outbound services rules (see LAN DMZ Outbound Services Rules on page 5-19).
To access the LAN DMZ Rules screen:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear.
2. Click the LAN DMZ Rules submenu tab. The LAN DMZ Rules screen displays.
[Figure 5-8: LAN DMZ Rules screen with an Outbound Services table (Service Name, Filter, LAN Users, DMZ Users, Log) and an Inbound Services table (Service Name, Filter, DMZ Users, LAN Users, Log), each with select all, delete, enable, disable, and add buttons]
To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons:
- edit. Allows you to make any changes to the rule definition of an existing rule. Depending on your selection, either the Edit LAN DMZ Outbound Service screen (identical to Figure 5-9 on page 5-19) or the Edit LAN DMZ Inbound Service screen (identical to Figure 5-10 on page 5-20) displays, containing the data for the selected rule.
- up. M
137. the URL field are overwritten when you import a list of URLs from a file.
Replace the Content of a Blocked Page with the Following Text: By default, a blocked URL is replaced with the following text, which you can customize: "Internet Policy has restricted access to this location: URL".
  Note: The text is displayed on the URL Filtering screen with HTML tags. However, when the UTM replaces the content of a blocked Web page, the screen displays the notification text in HTML format.
  Note: Make sure that you keep the URL meta word in the text to enable the UTM to insert the blocked URL in the notification text.
4. Click Apply to save your settings.
HTTPS Scan Settings
HTTPS traffic is encrypted traffic that cannot be scanned; otherwise, the data stream would not be secure. However, the UTM can scan HTTPS traffic that is transmitted through an HTTP proxy; that is, HTTPS traffic is scanned as a proxy between the HTTPS client and the HTTPS server. Figure 6-13 shows the HTTPS scanning traffic flow.
[Figure 6-13: HTTPS scanning traffic flow. The HTTPS client sends an HTTPS request; the UTM communicates on the client's behalf; the server returns its certificate to the UTM for authentication; the UTM sends its own certificate to the client.]
The HTTPS scanning process functions with the following principles:
- The UTM breaks u
138. the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission. This software is provided "as is" with no express or implied warranties of correctness or fitness for purpose.
OpenSSL
Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)". 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived fro
139. the local network, configure an IP address range that does not directly overlap with addresses on your local network. For example, if 192.168.1.1 through 192.168.1.100 are currently assigned to devices on the local network, then start the client address range at 192.168.1.101, or choose an entirely different subnet altogether.
- The VPN tunnel client cannot contact a server on the local network if the VPN tunnel client's Ethernet interface shares the same IP address as the server or the UTM. (For example, if your PC has a network interface IP address of 10.0.0.45, then you cannot contact a server on the remote network that also has the IP address 10.0.0.45.)
- Select whether you want to enable full tunnel or split tunnel support based on your bandwidth. A full tunnel sends all of the client's traffic across the VPN tunnel. A split tunnel sends only traffic that is destined for the local network, based on the specified client routes; all other traffic is sent to the Internet. A split tunnel allows you to manage bandwidth by reserving the VPN tunnel for local traffic only.
- If you enable split tunnel support and you assign an entirely different subnet to the VPN tunnel clients than the subnet that is used by the local network, you must add a client route to ensure that a VPN tunnel client co
140. the network to keep the tunnel alive. For more information, see The VPN Policies Screen on page 7-30.
Tip: For DHCP WAN configurations, first set up the tunnel with IP addresses. After you have validated the connection, you can use the wizard to create new policies using the FQDN for the WAN addresses.
4. Click Apply to save your settings. The IPsec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled.
[Figure 7-6: VPN Policies screen (IPSec VPN submenu tabs: Wizard, Mode Config, RADIUS Client, IKE Policies, VPN Policies) reporting "Operation succeeded" and showing the List of VPN Policies table with Name, Type, Local, Remote, Auth, Encr, and Action columns; the example entry is an Auto Policy between two /24 subnets with SHA-1 authentication and an edit button, followed by select all, delete, enable, disable, and add buttons]
5. Configure a VPN policy on the remote gateway that allows connection to the UTM.
6. Activate the IPsec VPN connection:
  a. Select Monitoring > Active Users & VPNs from the menu. The Active Users & VPNs submenu tabs appear, with the Active Users screen in view.
  b. Click the IPSec VPN Connection Status submenu tab. The IPSec VPN Connection Status screen displays.
[Figure: IPSec VPN Connection Status screen]
141. the real-time blacklist:
1. In the Add Real-time Blacklist section, add the following information:
- In the Provider field, add the name of the blacklist provider.
- In the RBL Domain Suffix field, enter the domain suffix of the blacklist provider.
2. Click the add table button in the Add column. The new blacklist provider is added to the real-time blacklist, and it is disabled by default.
To delete a blacklist provider from the real-time blacklist:
1. In the real-time blacklist, click the delete table button next to the blacklist provider that you want to delete.
2. Click Apply to save your settings.
Configuring Distributed Spam Analysis
Spam, phishing, and other e-mail-borne threats consist of millions of messages intentionally composed differently to evade commonly used filters. Nonetheless, all messages within the same outbreak share at least one unique identifiable value which can be used to distinguish the outbreak. With distributed spam analysis, message patterns are extracted from the message envelope, headers, and body, with no reference to the content itself. Pattern analysis can then be applied to identify outbreaks in any language, message format, or encoding type. Message patterns can be divided into distribution patterns and structure patterns. Distribution patterns determine if the mes
142. those options that match the configured WAN Mode are accessible on screen.
3. Select the submenu tab for your DDNS service provider:
- Dynamic DNS submenu tab (shown in Figure 3-11) for DynDNS.org (DYNDNS.com)
- DNS TZO submenu tab for TZO.com
- DNS Oray submenu tab for Oray.net
4. Click the Information option arrow in the upper right corner of a DNS screen for registration information.
[Figure 3-12: Submenu tabs (WAN Settings, Protocol Binding, WAN Metering, LAN Settings, DMZ Setup, Routing, Email Notification, Dynamic DNS, DNS TZO, DNS Oray) with the DynDNS Information link]
5. Access the Web site of the DDNS service provider and register for an account (for example, for dyndns.org, go to http://www.dyndns.com).
6. For each WAN port of the UTM25, or for the single WAN port of the UTM10, configure the DDNS service settings as explained in Table 3-7, which shows the settings for the UTM25. (The screen for the UTM10 shows settings for a single WAN port only.)
Table 3-7. DNS Service Settings (Setting; Description or Subfield and Description)
WAN1 (Dynamic DNS Status)
Change DNS to DynDNS, TZO, or Oray: Select the Yes radio button to enable the DDNS service. The service that displays on screen depends on the submenu tab for the DDNS service provider that you have selected. Enter the f
143. whom the digital certificate is issued.
- Issuer Name. The name of the CA that issued the digital certificate.
- Expiry Time. The date after which the digital certificate becomes invalid.
To upload a digital certificate of a trusted CA on the UTM:
1. Download a digital certificate file from a trusted CA and store it on your computer.
2. In the Upload Trusted Certificates section of the screen, click Browse and navigate to the trusted digital certificate file that you downloaded on your computer.
3. Click the upload table button. If the verification process on the UTM approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificates) table.
To delete one or more digital certificates:
1. In the Trusted Certificates (CA Certificates) table, select the checkbox to the left of the digital certificate that you want to delete, or click the select all table button to select all digital certificates.
2. Click the delete table button.
Managing Self Certificates
Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate. However, a self-signed digital certificate triggers a warning from most browsers because it provides no protection against identity theft of the server. Figure 9-12 on page 9-21 shows an image of a browser security alert. There can be three reasons why a security alert is generated for a security certificate:
you enter other types of characters or spaces, the layout name is truncated before the first non-alphanumeric character.
Note: Unlike most other URLs, this name is case-sensitive.

Portal Site Title: The title that appears at the top of the user's Web browser window, for example, "Company Customer Support".

Banner Title: The banner title of a banner message that users see before they log in to the portal, for example, "Welcome to Customer Support".
Note: For an example, see Figure 8-8 on page 8-15. The banner title text is displayed in the orange header bar.

Banner Message: The text of a banner message that users see before they log in to the portal, for example, "In case of login difficulty, call 123-456-7890". Enter a plain text message, or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters.
Note: For an example, see Figure 8-8 on page 8-15. The banner message text is displayed in the grey header bar.
Because HTML and JavaScript entered here are rendered as-is in every user's browser before login, treat this field as administrator-trusted content and restrict who may edit the portal layout.

Display banner message on login page: Select this checkbox to show the banner title and banner message text on the login screen, as shown in Figure 8-8 on page 8-15.

HTTP meta tags for cache control: Select this checkbox to apply HTTP meta tag cache control directives to this portal layout (recommended). The cache control directives include:
    <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="cache-control" content="no-cache">
    <meta http-e
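The following check, added here as an example and not part of the UTM firmware, verifies that a portal login page actually carries the two cache control directives listed above. The sample pages are constructed for the demonstration; the function returns the directives that are missing so it can be run against a page fetched from the portal.

```python
"""Check an SSL VPN portal login page for the no-cache meta directives.
Added example, not UTM code; GOOD_PAGE and BAD_PAGE are constructed."""
from html.parser import HTMLParser

# The (http-equiv, content) pairs the portal emits when the
# "HTTP meta tags for cache control" checkbox is selected.
REQUIRED = {("pragma", "no-cache"), ("cache-control", "no-cache")}


class _MetaCollector(HTMLParser):
    """Collect (http-equiv, content) pairs from <meta> tags, case-folded."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # Attribute values may be None for valueless attributes.
        attr = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if "http-equiv" in attr:
            self.found.add((attr["http-equiv"], attr.get("content", "")))


def missing_cache_directives(html: str) -> set:
    """Return the required (http-equiv, content) pairs absent from html."""
    parser = _MetaCollector()
    parser.feed(html)
    return REQUIRED - parser.found


# Constructed sample: a portal page with both directives present ...
GOOD_PAGE = """<html><head>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache">
<title>Company Customer Support</title></head><body>Welcome</body></html>"""

# ... and one saved with the checkbox left off.
BAD_PAGE = "<html><head><title>Company Customer Support</title></head></html>"

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("bad", BAD_PAGE)):
        gaps = missing_cache_directives(page)
        print(name, "OK" if not gaps else "missing " + str(sorted(gaps)))
```

The check is deliberately case-insensitive on both the attribute name and its value, because browsers treat `Cache-Control` and `cache-control` alike.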
0 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Bad checksum.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID BAD_HW_CHECKSUM DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=3 CODE=0
Explanation: Bad hardware checksum for ICMP packets.
Recommended Action: None.

Message: INVALID MALFORMED_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Malformed packet.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID SHORT_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Short packet.
Recommended Action: None.

Message: INVALID INVALID_STATE DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Packet with invalid state.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID REOPEN_CLOSE_CONN DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Attempt to re-open a closed session.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID OUT_OF_WINDOW DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Packet not in TCP window.
Recommended Action: None.

Message: 2007 Oct 1 00:44:17 UTM kernel: INVALID ERR_HELPER_ROUTINE DROP SRC=192.168.20.10 DST=192.168.20.2 PROT
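The table marks every one of these drops "Recommended Action: None", which is right for an isolated line but not for a steady stream from one address (a scanner, or a host with a broken TCP stack). The parser below is an added example, not UTM software: it reads lines in the format shown in the table (optional syslog prefix, then iptables-style KEY=VALUE fields), tallies drops per source and reason, and flags sources that cross a threshold. The log lines are constructed from the table's entries.

```python
"""Parse and tally INVALID ... DROP kernel log lines.  Added example, not
UTM code; SAMPLE_LOG is constructed in the format of the table above."""
import re
from collections import Counter

# Optional "2007 Oct 1 00:44:17 UTM kernel:" prefix (some table rows omit it),
# then the reason, the verdict and the KEY=VALUE fields.
LINE_RE = re.compile(
    r"^(?:(?P<ts>(?:\d{4} )?[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) +(?P<host>\S+) +kernel: +)?"
    r"INVALID +(?P<reason>[A-Z_]+) +(?P<verdict>[A-Z]+) +(?P<fields>.+)$"
)
FIELD_RE = re.compile(r"([A-Z]+)=(\S+)")


def parse_line(line):
    """Return a dict for an INVALID log line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "reason": m["reason"], "verdict": m["verdict"]}
    rec.update({k.lower(): v for k, v in FIELD_RE.findall(m["fields"])})
    return rec


def summarize(lines):
    """Count DROP lines per (source, reason) and per source; skip other lines."""
    by_src_reason = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "DROP":
            by_src_reason[(rec.get("src", "?"), rec["reason"])] += 1
    by_src = Counter()
    for (src, _reason), n in by_src_reason.items():
        by_src[src] += n
    return by_src_reason, by_src


def noisy_sources(lines, threshold=5):
    """Sources whose invalid-packet drops reach the threshold, sorted."""
    _by_src_reason, by_src = summarize(lines)
    return sorted(src for src, n in by_src.items() if n >= threshold)


# Constructed sample log in the table's format (one non-INVALID line mixed in).
SAMPLE_LOG = """\
2007 Oct 1 00:44:17 UTM kernel: INVALID BAD_CHECKSUM DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
2007 Oct 1 00:44:17 UTM kernel: INVALID BAD_HW_CHECKSUM DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=3 CODE=0
INVALID MALFORMED_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
2007 Oct 1 00:44:18 UTM kernel: INVALID SHORT_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
2007 Oct 1 00:44:18 UTM kernel: INVALID INVALID_STATE DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
2007 Oct 1 00:44:19 UTM kernel: INVALID OUT_OF_WINDOW DROP SRC=192.168.20.11 DST=192.168.20.2 PROTO=TCP SPT=80 DPT=40000
2007 Oct 1 00:44:19 UTM kernel: ACCEPT SRC=192.168.20.12 DST=192.168.20.2 PROTO=TCP SPT=80 DPT=40001
""".splitlines()

if __name__ == "__main__":
    by_src_reason, by_src = summarize(SAMPLE_LOG)
    for (src, reason), n in sorted(by_src_reason.items()):
        print(f"{src:16} {reason:20} {n}")
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

The threshold is a starting point only; on a busy WAN link the normal rate of OUT_OF_WINDOW drops from legitimate peers is higher than from a quiet LAN, so tune it per interface.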
2. Enter the settings as explained in Table 5-2 on page 5-5.
3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.

LAN DMZ Inbound Services Rules

The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic from the LAN to the DMZ is allowed.

To create a new inbound LAN DMZ service rule:
1. In the LAN DMZ Rules screen, click the add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen displays.

[Figure 5-10: Add LAN DMZ Inbound Service screen, showing the Action (BLOCK always), Select Schedule, LAN Users (Any, with Start and Finish fields) and Log (Never) settings.]

2. Enter the settings as explained in Table 5-3 on page 5-8.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.

Attack Checks

The Attack Checks screen allows you to specify whether or not the UTM should be protected against common attacks in the DMZ, LAN, and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined in Table 5-4 on page 5-21.

To enable the appropriate attack checks for your network environment:
1. Select Network Security > Firewall from the menu. The Fi
1 is still down. This results in the 4th failure detection message. If it is, the UTM starts the secondary link, and once the secondary link is up it is marked as active. Meanwhile, another failure has been detected, which results in the 5th failure detection message. Note that the 5th failure detection and the message stating that the secondary link is active have the same timestamp, so they occur in the same cycle of the failover state machine. Although it appears that the failover did not happen immediately after three failures, internally the failover process is triggered after the 3rd failure, and the transition to the secondary link is completed by the 5th failure. The primary link is also restarted every three failures until it is functional again. In the above log, the primary link was restarted after the 6th failure, that is, three failures after the failover process was triggered.
Recommended Action: Check the WAN settings and the WAN failure detection method configured for the primary link.

Load Balancing Mode

When the WAN mode is configured for load balancing, both WAN ports are active simultaneously and the traffic is balanced between them. If one WAN link goes down, all the traffic is diverted to the WAN link that is active. This section describes the logs that are generated when the WAN mode is set to load balancing.

Table C-9 System Logs: WAN Status, Load Balancing
Message 1: Dec 1 12:11:27 UTM wand: LBFO Res
Table 5-3 Inbound Rules Overview (continued)

WAN Users: The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
• Any: All Internet IP addresses are covered by this rule.
• Single address: Enter the required address in the Start field.
• Address range: Enter the Start and Finish fields.

DMZ Users: The settings that determine which computers on the DMZ network are affected by this rule. The options are:
• Any: All PCs and devices on your DMZ network.
• Single address: Enter the required address to apply the rule to a single PC on the DMZ network.
• Address range: Enter the required addresses in the Start and Finish fields to apply the rule to a range of DMZ computers.
Note: This field is not applicable to inbound DMZ WAN rules.

QoS Profile: The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The UTM marks the Type of Service (ToS) field as defined in the QoS profiles that you create. For more information, see "Creating Quality of Service (QoS) Profiles" on page 5-33.
Note: There is no default QoS profile on the UTM.
100 Mbps or higher speeds, you must use a Category 5 (CAT5) cable.

Computer Network Configuration Requirements

The UTM integrates a Web Management Interface. To access the configuration menus on the UTM, you must use a Java-enabled Web browser that supports HTTP uploads, such as Microsoft Internet Explorer 5.1 or higher, Mozilla Firefox 1.x or higher, or Apple Safari 1.2 or higher, with JavaScript enabled. Free browsers are readily available for Windows, Macintosh, or UNIX/Linux.

For the initial connection to the Internet and configuration of the UTM, you must connect a computer to the UTM, and the computer must be configured to automatically get its TCP/IP configuration from the UTM via DHCP.

Note: For help with the DHCP configuration, see the TCP/IP Networking Basics document that you can access from the link in Appendix E, "Related Documents".

The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T) Ethernet interface.

Internet Configuration Requirements

Depending on how your ISPs set up your Internet accounts, you will need the following Internet configuration information to connect the UTM to the Internet:
• Host and domain names
• One or more ISP login names and passwords
• ISP Domain Name Server (DNS) addresses
• One or more fixed IP addresses (also known as static IP addresses)
DNS lookup using this DNS Server: DNS queries are sent to this server through the WAN interface that is being monitored. The retry interval and the number of failover attempts determine how quickly the UTM switches from the primary link to the backup link in case the primary link fails, or, when the primary link comes back up, switches back from the backup link to the primary link. Enter the following DNS settings:
• WAN1: The IP address of the DNS server for port WAN1.
• WAN2: The IP address of the DNS server for port WAN2.
• Retry Interval is: The retry interval in seconds. One DNS query is sent per retry interval (test period). The default test period is 30 seconds.
• Failover after: The number of failover attempts. The primary WAN link is considered down after the configured number of consecutive queries have failed to elicit a reply; the backup link is brought up after this has occurred. The default is 4 failures. With the default settings, a dead primary link is therefore detected after about 4 x 30 = 120 seconds; lower either value if your applications cannot tolerate an outage of that length, but keep in mind that a very low threshold causes a single lost query to trigger a failover.

Ping these IP addresses: A public IP address that does not reject the ping request and does not consider ping traffic to be abusive. Queries are sent to this server through the WAN interface that is being monitored. The retry interval and the number of failover attempts determine how quickly the UTM switches from the primary link to the backup link in case the primary link fails, or, when the primary link comes back up, switches back from the backup link to the primary link. Enter the following settings:
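The simulation below, an added example that is not UTM firmware, replays the failure-detection behaviour described in this table and in the failover log discussion earlier in this appendix (consecutive failed probes, the "Failover after" threshold, a backup link that is brought up only once the threshold is reached, and an automatic switch back as soon as the primary answers again). The probe itself (DNS lookup or ping) is abstracted as a True/False result per retry interval, and the probe sequences are constructed.

```python
"""WAN failure-detection and failover state machine.  Added example, not
UTM code; probe results fed to run() are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class WanFailover:
    """One monitored primary link (WAN1) with a backup link (WAN2)."""
    failover_after: int = 4             # UTM default: 4 failed probes in a row
    retry_interval: int = 30            # UTM default: one probe every 30 seconds
    active: Optional[str] = "WAN1"      # link carrying traffic; None = no link at all
    failures: int = 0                   # consecutive failed probes of WAN1
    events: List[Tuple[int, str]] = field(default_factory=list)

    def worst_case_detection_seconds(self) -> int:
        """Time from the primary dying until the backup carries traffic."""
        return self.failover_after * self.retry_interval

    def probe(self, t: int, primary_ok: bool, backup_ok: bool = True) -> Optional[str]:
        """Feed one monitoring cycle at time t; return the link carrying
        traffic afterwards.  A single successful probe clears the counter and
        moves traffic back to the primary link."""
        if primary_ok:
            self.failures = 0
            if self.active != "WAN1":
                self.active = "WAN1"
                self.events.append((t, "primary link is up, WAN1 active again"))
            return self.active
        self.failures += 1
        self.events.append((t, f"WAN1 failure detection {self.failures}"))
        if self.failures >= self.failover_after:
            # Primary is considered down; use the backup only if it answers.
            wanted = "WAN2" if backup_ok else None
            if wanted != self.active:
                self.active = wanted
                self.events.append((t, "WAN2 active" if wanted else "no WAN link available"))
        return self.active


def run(results, failover_after=4, retry_interval=30):
    """Replay a list of (primary_ok, backup_ok) probe results, one per
    retry interval; return the active link after each cycle and the events."""
    fo = WanFailover(failover_after=failover_after, retry_interval=retry_interval)
    links = [fo.probe(i * retry_interval, p, b) for i, (p, b) in enumerate(results)]
    return links, fo.events


if __name__ == "__main__":
    # Constructed sequence: primary dies for four cycles, then recovers.
    probes = [(True, True)] + [(False, True)] * 4 + [(True, True)]
    links, events = run(probes, failover_after=3)
    for (t, msg), link in zip(events, links[1:]):
        print(f"t={t:4}s  {msg:40} active={link}")
    print("worst case with defaults:", WanFailover().worst_case_detection_seconds(), "s")
```

Note that the machine never queues traffic while the counter climbs: until the threshold is reached, packets keep going out over a primary link that is already dead, which is why the worst-case figure above is the number that matters when you size the retry interval.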
2:49 UTM pppd: primary DNS address 202.153.32.3
Message 7: Nov 29 13:12:49 UTM pppd: secondary DNS address 202.153.32.3
Message 8: Nov 29 11:29:26 UTM pppd: Terminating connection due to lack of activity
Message 9: Nov 29 11:29:28 UTM pppd: Connect time 8.2 minutes
Message 10: Nov 29 11:29:28 UTM pppd: Sent 1408 bytes, received 0 bytes
Message 11: Nov 29 11:29:29 UTM pppd: Connection terminated

Explanation:
Message 1: PPPoE connection establishment started.
Message 2: Message from the PPPoE server for correct login.
Message 3: Authentication for PPP succeeded.
Message 4: Local IP address assigned by the server.
Message 5: Server-side IP address.
Message 6: Primary DNS, as configured in the WAN status page.
Message 7: Secondary DNS, as configured in the WAN status page.
Message 8: The PPP link has transitioned to idle mode. This event occurs if there is no traffic from the LAN network.
Message 9: The time in minutes for which the link has been up.
Message 10: Data sent and received on the LAN side while the link was up.
Message 11: PPP connection terminated after the idle timeout.
Recommended Action: To reconnect during idle mode, initiate traffic from the LAN side.

• PPTP Idle Timeout Logs

Table C-11 System Logs: WAN Status, PPTP Idle Timeout
Message 1: Nov 29 11:19:02 UTM pppd: Starti
Table 4-3 DMZ Setup Settings

DMZ Port Setup
Do you want to enable DMZ Port? Select one of the following radio buttons:
• Yes: Enables you to configure the DMZ port settings. Enter the IP Address and Subnet Mask fields (see below).
• No: Allows you to disable the DMZ port after you have configured it.

IP Address: Enter the IP address of the DMZ port. Make sure that the DMZ port IP address and the LAN port IP address are in different subnets, for example, an address outside the LAN address pool such as 192.168.1.101. Note that 192.168.1.101 is in the same /24 as the default LAN address 192.168.1.1, so this example only qualifies if the LAN subnet mask is narrower than 255.255.255.0; an address in a clearly separate subnet, such as 192.168.2.x, is the safer choice.

Subnet Mask: Enter the IP subnet mask of the DMZ port. The subnet mask specifies the network number portion of an IP address.

DHCP
Disable DHCP Server: If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting.
Enable DHCP Server: Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings:
• Domain Name: This is optional. Enter the domain name of the UTM.
• Star
7-46
    XAUTH 7-29
  IPsec VPN
    automatically generated (auto) 7-30
    groups, configuring 9-6
    managing 7-21
    manually generated (manual) 7-30
  SSL VPN
    managing 8-31
    settings 8-34
  policy hierarchy 8-31
pools, ModeConfig 7-44
POP3
  action, infected e-mail 2-8
  anti-virus settings 6-6
  default port 2-17, 6-4
  Distributed Spam Analysis 6-17
  enabling scanning 2-17
  file extension blocking 6-11
  file name blocking 6-11
  keyword blocking 6-10
  password-protected attachment blocking 6-0
port filtering. See service blocking
port forwarding
  firewall rules 5-3, 5-6
  increasing traffic 5-7
  reducing traffic 10-5
port membership, VLANs 4-8
port speed 3-23
port triggering
  adding a rule 5-45
  description 5-44
  increasing traffic 70-7
  status monitoring 5-46, 11-26
Port VLAN Identifier. See PVID
portals, SSL VPN 8-1, 8-14, 8-18
ports
  console 7-12
  explanation of WAN and LAN 1-10
  front panel 9
  LAN 1-9
  numbers 5-31, 5-44
  numbers for SSL VPN port forwarding 8-12, 8-24
  USB (non-functioning) 9
  WAN 1-9
portscan logs 11-9, 11-33, 11-35
Post Office Protocol 3. See POP3
power
  receptacle 2
  specifications, adapter A-2
Power LED 1-10, 12-2
PPP connection 8
PPP over Ethernet. See PPPoE
PPPoE
  description 6
  settings 2-13, 3-4, 3-7
PPTP settings 2-12, 3-4
pre-shared key 7-5, 7-10, 7-14, 7-28
priority queue, QoS 5-35
profiles
8
  subnet mask, default 2-9, 4-8
  subnet mask, DMZ port 4-20
  WAN aliases 3-17
IP header 5-35
IP precedence 5-35
IP security. See IPsec
IP/MAC binding 5-42
IPS
  alerts 77-10
  attacks
    categories 5-48
    recent 5 and top 5 71-18
  description 5-47
  logs 11-9, 11-33, 11-35
  outbreak alerts 77-10
    defining 11-12
IPsec hosts, XAUTH 7-38, 7-39
IPsec VPN Wizard
  client-to-gateway tunnels, setting up 7-8
  default settings 7-4
  description 6
  gateway-to-gateway tunnels, setting up 7-3
IPsec VPN. See VPN tunnels
ISAKMP identifier 7-23, 7-27
ISP
  connection, troubleshooting 2-5
  gateway IP address 2-13, 3-8
  login 2-12, 3-6

J
Java 6-24, 6-28

K
keepalives, VPN tunnels 7-34, 7-55
keywords
  blocking 6-8, 6-24, 6-28
  using wildcards 6-24
kit, rack-mounting 1-14
Knowledge Base 2-2

L
label, bottom panel 3
LAN
  bandwidth capacity 10-1
  configuration 4
  default settings A
  groups 4-16
    assigning 4-14
    managing 4-2
  hosts, managing 4-2
  Known PCs and Devices table 4-4, 4-15
  LEDs 1-11, 12-3
  network database 4-12, 4-13
  ports 2, 1-9
  secondary IP addresses 4-17
  security checks 5-22
  settings, using the Setup Wizard 2-8
  testing the LAN path 12-7
LDAP 8-6, 9-3, 9-5
  server
    DHCP 2-10, 4-10, 4-21
    VLANs 4-6
LEDs
  explanation of 7-10
  front panel 7-10
  troubleshooting 2-2, 12-3
licenses
  expiration dates 22
  key 1-8
Pro
RADIUS CHAP.
IPSec Host: The UTM functions as a VPN client of the remote gateway. In this configuration, the UTM is authenticated by a remote gateway with a user name and password combination.

Authentication Type: For an Edge Device configuration, from the pull-down menu, select one of the following authentication types:
• User Database: XAUTH occurs through the UTM's user database. Users must be added through the Add User screen (see "User Database Configuration" on page 7-39).
• Radius PAP: XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is checked first. If the user account is not present in the local user database, the UTM connects to a RADIUS server. For more information, see "RADIUS Client Configuration" on page 7-39.
• Radius CHAP: XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see "RADIUS Client Configuration" on page 7-39.

Username: The user name for XAUTH.
Password: The password for XAUTH.

4. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.

To edit an IKE policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-23).
2. In the List of IKE Policies table, click the edit table button to the right of the IKE policy that you want to edit. The Edit
AN connections, the DNS servers, and the DHCP servers.

To view the status of the WAN1 port (UTM25) or WAN port (UTM10):
1. Select Network Config > WAN Settings from the menu. On the UTM25, the WAN Settings submenu tabs appear with the WAN1 ISP Settings screen in view (see Figure 11-18 on page 11-28, which shows the UTM25 screen). On the UTM10, the WAN ISP Settings screen displays.

[Figure 11-18: WAN1 ISP Settings screen (UTM25), showing the login settings (Does Your Internet Connection Require a Login, Login, Password), the ISP Type settings (Account Name, Domain Name, Idle Timeout or Keep Connected, PPTP, PPPoE, My IP Address, Server IP Address), the ISP connection type (Get Dynamically from ISP or Use Static IP Address with IP Address, IP Subnet Mask and Gateway IP Address), and the DNS server settings (Get Automatically from ISP or Use These DNS Servers with Primary and Secondary DNS Server).]

2. Click the WAN Status option arrow at the top right of the WAN1 ISP Settings screen (UTM25) or WAN ISP Settings screen (UTM10). The Connection Status screen appears in a popup window.

[Connection Status popup: Operation succeeded. C
ANs" on page 4-2. The information below describes how to configure a VLAN profile.

[Figure 4-2: LAN Settings screen with the VLAN Profiles table. Columns: Profile Name, VLAN ID, Subnet IP, DHCP Status, Action. The screenshot shows the defaultVlan profile (VLAN ID 1, 192.168.1.1, DHCP Enabled) and an example SalesVLAN profile (DHCP Disabled), the select all, delete, enable, disable and add table buttons, and the port-to-VLAN assignment for Port 1 through Port 4 and the DMZ port.]

2. Either select an entry from the VLAN Profiles table by clicking the corresponding edit table button, or add a new VLAN profile by clicking the add table button under the VLAN Profiles table. The Edit VLAN Profile screen displays (see Figure 4-3).

[Figure 4-3: Edit VLAN Profile screen, with the VLAN Profile section (Profile Name, VLAN ID), Port Membership (Port 1, Port 2, Port 3, Port 4, DMZ), IP Address and Subnet Mask (255.255.255.0), the DHCP section (Disable DHCP Server, Enable DHCP Server, Domain Name, Starting IP Address, Ending IP Address, Primary DNS Server, Secondary DNS Server) and the LDAP section (Enable LDAP information, LDAP Server, Search Base, port, leave blank for default port).]
ARRANTIES, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Zlib

zlib.h: interface of the zlib general purpose compression library, version 1.1.4, March 11th, 2002
Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler

This software is provided "as is", without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly (jloup@gzip.org)
Mark Adler (madler@alumni.caltech.edu)

The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).

Product and Publication Details
Model Number: UTM
Publicat
Add IKE Policy screen (see Figure 7-21 on page 7-25).
3. Locate the Extended Authentication section on the screen.
4. Complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 7-13.

Table 7-13 Extended Authentication Settings

Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
• None: XAUTH is disabled. This is the default setting.
• Edge Device: The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication modes that are available for this configuration are User Database, RADIUS PAP, and RADIUS CHAP.
• IPSec Host: The UTM functions as a VPN client of the remote gateway. In this configuration, the UTM is authenticated by a remote gateway with a user name and password combination.

Authentication Type: For an Edge Device configuration, from the pull-down menu, select one of the following authentication types:
• User Database: XAUTH occurs through the UTM's user database. Users must be added through the Add User screen (see "User Database Configuration" on page 7-39).
• Radius PAP: XAUTH occurs throug
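The difference between the Radius PAP and Radius CHAP choices in Table 7-13 (and in its continuation earlier in this section) is what the UTM sends to the RADIUS server for each user. The following is an added example, not NETGEAR code, implementing the two standard mechanisms the names refer to: PAP carries the password in the User-Password attribute, hidden with the reversible scheme of RFC 2865 section 5.2, while CHAP carries MD5(Identifier || password || Challenge) as defined by RFC 1994 and RFC 2865 section 5.3. The shared secret, password, Request Authenticator and challenge values are constructed for the demonstration.

```python
"""RADIUS PAP password hiding versus CHAP response, as used by XAUTH.
Added example, not UTM code; all secret and challenge values are constructed."""
import hashlib
import hmac


def pap_hide_password(password: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad the password with NULs to a multiple of 16 bytes, then
    c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ... (RA = Request Authenticator)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RADIUS limits User-Password to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                        # an empty password still occupies one block
        padded = b"\x00" * 16
    out, prev = [], authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out.append(c)
        prev = c
    return b"".join(out)


def pap_reveal_password(hidden: bytes, shared_secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide_password: what the RADIUS server does, and equally
    what anyone on the path who knows the shared secret can do."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = [], authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(shared_secret + prev).digest()
        out.append(bytes(x ^ y for x, y in zip(c, b)))
        prev = c
    # Trailing NULs are padding; RADIUS cannot carry a password that ends in NUL.
    return b"".join(out).rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 / RFC 2865 5.3: Response = MD5(Identifier || password || Challenge)."""
    if not 0 <= chap_id <= 255:
        raise ValueError("CHAP identifier is one byte")
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored cleartext password and compare in constant time."""
    return hmac.compare_digest(chap_response(chap_id, stored_password, challenge), response)


# Constructed values; a real Request Authenticator and challenge are random per request.
SHARED_SECRET = b"utm-radius-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    pw = b"telecommuter-pw"
    hidden = pap_hide_password(pw, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("PAP User-Password on the wire:", hidden.hex())
    print("recovered by the server:      ", pap_reveal_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    resp = chap_response(7, pw, CHALLENGE)
    print("CHAP response:", resp.hex(), "verifies:", chap_verify(7, pw, CHALLENGE, resp))
```

The practical consequence: with PAP, the strength of the shared secret and the path between the UTM and the RADIUS server is all that protects the user's password, whereas with CHAP the password never leaves the server's database, but that database must hold it in cleartext. Choose CHAP when the RADIUS server supports it for your user store; if it does not, keep the UTM-to-RADIUS path on a trusted network segment.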
Authentication Secret fields.
• NT Domain: Microsoft Windows NT Domain. Complete the Authentication Server and Workgroup fields.
• Active Directory: Microsoft Active Directory. Complete the Authentication Server and Active Directory Domain fields.
• LDAP: Lightweight Directory Access Protocol (LDAP). Complete the Authentication Server and LDAP Base DN fields.

Select Portal: The pull-down menu shows the SSL portals that are listed on the Portal Layout screen. From the pull-down menu, select the SSL portal with which the domain is associated. For information about how to configure SSL portals, see "Creating the Portal Layout" on page 8-18.

Authentication Server: The server IP address or server name of the authentication server, for any type of authentication other than authentication through the local user database.

Authentication Secret: The authentication secret or password that is required to access the authentication server, for RADIUS, WiKID, or MIAS authentication.

Workgroup: The workgroup that is required for Microsoft NT Domain authentication.

LDAP Base DN: The LDAP base distinguished name (DN) that is required for LDAP authentication.

Active Directory Domain: The Active Directory domain name that is required for Microsoft Active Directory authentication.

4. Click Apply to save your settings. The domain is added to the List of Domains table.
5. If you use local authentication, make sure that it is not
Because Active Directory supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on Active Directory attributes.
Note: A Microsoft Active Directory database uses an LDAP organization schema.

Table 9-1 Authentication Protocols and Methods (continued)

LDAP: A network-validated, domain-based authentication method that functions with a Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for example, groups or organizational units), this information can be queried to provide specific group policies or bookmarks based on LDAP attributes.

To create a domain:
1. Select Users > Domains from the menu. The Domains screen displays. Figure 9-1 shows the UTM's default domain, geardomain, and, as an example, another domain in the List of Domains table.

[Figure 9-1: Domains screen, with the "Do you want to disable Local Authentication?" Yes/No radio buttons and the List of Domains table (columns Domain Name, Authentication Type, Portal Layout Name). The screenshot shows the default domain geardomain with Local authentication and the SSL-VPN portal layout, an example domain prosecure, and the select all, delete and add table buttons.]
Blacklist: Blacklist providers are organizations that collect IP addresses of verified open SMTP relays that might be used by spammers as media for sending spam. These known spam relays are compiled by blacklist providers and are made available to the public in the form of real-time blacklists (RBLs). By accessing these RBLs, the UTM can block spam originating from known spam sources.

By default, the UTM comes with three pre-defined blacklist providers: Dsbl, Spamhaus, and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL sources. Check that each provider you enable is still operating its zone; a provider that no longer answers silently stops catching spam.

To enable the real-time blacklist:
1. Select Application Security > Anti-Spam from the menu. The Anti-Spam submenu tabs appear with the Whitelist/Blacklist screen in view.
2. Click the Real-time Blacklist submenu tab. The Real-time Blacklist screen displays.

[Figure 6-5: Real-time Blacklist screen. The table (columns Provider, RBL Domain Suffix, with a delete button per row) lists Spamhaus with the suffix zen.spamhaus.org and Spamcop with the suffix bl.spamcop.net, followed by the Add Real-Time Blacklist Provider fields (Provider, RBL Domain Suffix) and the add button.]

3. Select the Enable checkbox to enable the Real-Time Blacklist function.
4. Select the Active checkboxes to the left of the default blacklist providers (Spamhaus and Spamcop) that you want to activate.
5. Click Apply to save your settings.

To add a blacklist provider to
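What the "RBL Domain Suffix" is used for becomes clear from the lookup itself. The code below is an added example, not the UTM's implementation: for each provider it reverses the connecting relay's IPv4 address, appends the provider's suffix, resolves the resulting name, and treats only an answer inside 127.0.0.0/8 as a listing, which is how DNS-based blacklists signal a hit. The resolver is injected so the example runs offline; the zone data is constructed, and the 192.168.x.x relay addresses are stand-ins (real RBLs do not list private addresses).

```python
"""DNS-based real-time blacklist lookup.  Added example, not UTM code;
FAKE_ZONES stands in for live DNS and is constructed."""
import ipaddress
from typing import Callable, List, Optional

# A listing is signalled by an A record in the loopback range; any other
# answer is an error, a wildcard, or a hijacked response and must be ignored.
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def rbl_query_name(relay_ip: str, suffix: str) -> str:
    """'192.168.20.10' + 'zen.spamhaus.org' -> '10.20.168.192.zen.spamhaus.org'."""
    addr = ipaddress.IPv4Address(relay_ip)          # rejects IPv6 and garbage
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + suffix.strip(".")


def is_listed(relay_ip: str, suffix: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """True only if the provider answers with a 127.0.0.0/8 address."""
    answer = resolve(rbl_query_name(relay_ip, suffix))
    if answer is None:                               # NXDOMAIN: not listed
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_RANGE
    except ValueError:                               # not an IPv4 answer at all
        return False


def providers_listing(relay_ip: str, suffixes: List[str], resolve) -> List[str]:
    """The subset of configured providers that list this relay."""
    return [s for s in suffixes if is_listed(relay_ip, s, resolve)]


# Constructed stand-in for live DNS: name -> A record; absent -> NXDOMAIN.
FAKE_ZONES = {
    "10.20.168.192.zen.spamhaus.org": "127.0.0.2",
    "10.20.168.192.bl.spamcop.net": "127.0.0.2",
    "5.1.168.192.bl.spamcop.net": "192.0.2.1",       # bogus non-loopback answer
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONES.get(name)


# The two suffixes shown on the Real-time Blacklist screen.
DEFAULT_PROVIDERS = ["zen.spamhaus.org", "bl.spamcop.net"]

if __name__ == "__main__":
    for relay in ("192.168.20.10", "192.168.1.5", "198.51.100.7"):
        hits = providers_listing(relay, DEFAULT_PROVIDERS, fake_resolve)
        print(relay, "listed by", hits if hits else "nobody")
```

Replacing `fake_resolve` with a real A-record lookup (for example via `socket.gethostbyname`) turns this into a live check; keep the 127.0.0.0/8 test in place, because the failure mode of a blacklist that answers wrongly is blocking all mail.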
C is rebooted. To avoid this, use the Reserved DHCP Client feature in the LAN Groups menu to keep the PC's IP address constant (see "Setting Up Address Reservation" on page 4-17).
• Local PCs must access the local server using the PC's local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail.

Note: See "Configuring Port Triggering" on page 5-44 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.

Note: The UTM always blocks denial of service (DoS) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so that you cannot use it, that is, the service becomes unavailable. For example, multiple concurrent connections of the same application from one host or IP address, such as multiple DNS queries from one PC, trigger the UTM's DoS protection. Because this heuristic keys on the connection rate from a single host, a legitimately busy host can trip it as well. For more information about protecting the UTM from incoming threats, see "Using the Intrusion Prevention System" on page 5-47.

Table 5-3 on page 5-8 describes the fields that define the rules for inbound traffic and that are common to most Inbound Service screens (see Figure 5-4 on page 5-14, Figure 5-7 on page 5-17, and Figure 5-10 on page 5-20). The steps to configure inbound rules are described in the following sections:
• "Setting LAN WAN Rules" on page 5-11
• "Setting DMZ WAN Rules"
Client, and only when the XAUTH feature is enabled (see "Configuring Extended Authentication (XAUTH)" on page 7-37).
• Guest User: A user who can only view the UTM configuration, that is, read-only access.

Check to Edit Password: Select this checkbox to make the password fields accessible, so that you can modify the password.
• Enter Your Password: Enter the old password.
• New Password: Enter the new password.
• Confirm New Password: Re-enter the new password for confirmation.

Idle Timeout: The period after which an idle user is automatically logged out of the Web management interface. The default idle timeout period is 10 minutes.

4. Click Apply to save your settings.

Managing Digital Certificates

The UTM uses digital certificates (also known as X.509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPsec VPN gateways or clients, or to be authenticated by remote entities. The same digital certificates are also used for secure Web access connections over HTTPS, that is, SSL connections.

Digital certificates can be either self-signed or issued by certification authorities (CAs), such as an internal Windows server or an external organization such as VeriSign or Thawte. However, if a digital certificate contains the extKeyUsage extension, the certificate can be used only for one of the purposes defined by the extension. For example, if the digital certificate contains
The table columns correspond to the three WAN configurations discussed in the text: a single WAN port, dual WAN ports in auto-rollover mode (a), and dual WAN ports in load balancing mode.

... (Fixed)    Allowed (FQDN optional)    FQDN required    Allowed (FQDN optional)
... (Dynamic)  FQDN required              FQDN required    FQDN required
VPN Telecommuter (Client to Gateway Through a NAT Router)
    Fixed      Allowed (FQDN required)    FQDN required    Allowed (FQDN optional)
    Dynamic    FQDN required              FQDN required    FQDN required

a. All tunnels must be re-established after a rollover using the new WAN IP address.

For a single WAN gateway configuration, use an FQDN when the IP address is dynamic, and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations.

Dual WAN Ports in Auto-Rollover Mode

A dual WAN port auto-rollover gateway configuration is different from a single WAN port gateway configuration when you specify the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of an FQDN is always required, even when the IP address of each WAN port is fixed.

Note: When the UTM's WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address. However, you can configure automatic IPsec VPN rollover to ensure that an IPsec VPN tunnel is re-established.

Dual WAN Ports Before Rollover

Du
NETGEAR update server. The Firmware Download section shows the available firmware versions, including any new versions, and the date when the current firmware version was downloaded to the UTM.

Upgrading the Firmware and Rebooting the UTM

To upgrade the UTM's firmware and reboot the UTM:
1. In the Firmware Download section of the Firmware screen (see Figure 10-6 on page 10-19), click Query to display the available firmware versions.
2. Select the radio button that corresponds to the firmware version that you want to download onto the UTM.
3. Click Download. The Download Status bar shows the progress of the download.
4. When the firmware download process has completed, click Install Downloaded Firmware. After the firmware installation process is complete, the newly installed firmware is the secondary firmware, not the active firmware.
5. Select the Activation radio button for the secondary firmware, that is, the newly installed firmware.
6. Click the Reboot button. The UTM reboots automatically. During the reboot process, the Firmware screen remains visible. The reboot process is complete after several minutes, when the Test LED on the front panel goes off.

Warning: Once you start the firmware installation process, do not interrupt the process. Do not try to go online, turn off the UTM, or do anything else to the UTM until the UTM has fully rebooted.

After the UTM has rebooted, check the firmware version in the Firmware Reboot
Filtering and Optimizing Scans".

Some firewall settings might affect the performance of the UTM. For more information, see "Performance Management" on page 10-1.

You can monitor blocked content and malware threats in real time. For more information, see "Monitoring Real-Time Traffic, Security, and Statistics" on page 11-14.

The firewall logs can be configured to log, and then e-mail, denial of access, general attack information, and other information to a specified e-mail address. For information about how to configure logging and notifications, see "Configuring Logging, Alerts, and Event Notifications" on page 11-5.

Using Rules to Block or Allow Specific Kinds of Traffic

Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 800 rules on the UTM. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.

A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the UTM are:
• Inbound: Block all access from outside, except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN
169. [Figure 11-23: Logs Query screen (Firewall Logs & Alerts; Generate Report; Scheduled Report; Select Log Type: Log Type, view all; Search Criteria: Start Date/Time 2009-05, End Date/Time 2009-05-14; Protocols; Action: Delete, Block email, Log; Client IP; Server IP; Recipient Email; Display entries per page; Download Log: zipped file format, csv)]

3. Enter the settings as explained in Table 11-15.

Table 11-15. Logs Query Settings
Setting / Description (or Subfield and Description)
Log Type: Select one of the following log types from the pull-down menu:
• Traffic: All scanned incoming and outgoing traffic.
• Spam: All intercepted spam.
• System: The system event logs that you have specified in the System Logs Options section at the top of the screen. However, by default, many more types of events are logged in the system logs.
• Service Logs: All events that are related to the status of scanning and filtering services that are part of the Application Security main navigation menu. These events include update su
170. Firewall Protection

This chapter describes how to use the firewall features of the UTM to protect your network. This chapter contains the following sections:
• About Firewall Protection on this page
• Using Rules to Block or Allow Specific Kinds of Traffic on page 5-3
• Creating Services, QoS Profiles, and Bandwidth Profiles on page 5-30
• Setting a Schedule to Block or Allow Specific Traffic on page 5-39
• Enabling Source MAC Filtering on page 5-40
• Setting up IP/MAC Bindings on page 5-42
• Configuring Port Triggering on page 5-44
• Using the Intrusion Prevention System on page 5-47

About Firewall Protection

A firewall protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two. You can further segment keyword blocking to certain known groups. To set up LAN Groups, see Managing Groups and Hosts (LAN Groups) on page 4-12.

A firewall incorporates the functions of a Network Address Translation (NAT) router, protects the trusted network from hacker intrusions or attacks, and controls the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers wh
171. Gaming: Blocked. Inactive Sites: Allowed. Internet Communication and Search: Allowed, with the exception of Anonymizers. Leisure and News: Allowed. Malicious: Blocked. Politics and Religion: Allowed. Sexual Content: Blocked. Technology: Allowed.
a. Files or messages that are larger than 2048 KB are skipped by default.

Configuring E-mail Protection

The UTM lets you configure the following settings to protect the network's e-mail communication:
• The e-mail protocols that are scanned for malware threats
• Actions that are taken when infected e-mails are detected
• The maximum file sizes that are scanned
• Keywords, file types, and file names in e-mails that are filtered to block objectionable or high-risk content
• Customer notifications and e-mail alerts that are sent when events are detected
• Rules and policies for spam detection

Customizing E-mail Protocol Scan Settings

To configure the e-mail protocols and ports to scan:
1. Select Application Security > Services from the menu. The Services screen displays. Figure 6-1 shows the upper part of the Services screen only.

[Figure 6-1: Services screen, upper part (tabs: Email Anti-Virus, Email Filters, Anti-Spam, HTTP/HTTPS, FTP, Block/Accept Exceptions, Scanning Exclusions; columns: Enable Service, Ports to Scan)]
172. IKE Policy screen displays. This screen shows the same fields as the Add IKE Policy screen (see Figure 7-21 on page 7-25).
3. Modify the settings that you wish to change (see Table 7-10).
4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.

Managing VPN Policies

You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.
• Manual: You manually enter all settings (including the keys) for the VPN tunnel on the UTM and on the remote VPN endpoint. No third-party server or organization is involved.
• Auto: Some settings for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint). You still must manually enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has a VPN Wizard).

In addition, a Certificate Authority (CA) can also be used to perform authentication (see Managing Digital Certificates on page 9-17). To use a CA, each VPN gateway must have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed and is used by any send
173. IP address or the FQDN in the IP Address/Name field.
• IP Network: The object is an IP network. You must enter the network IP address in the Network Address field and the network mask length in the Mask Length field.
IP Address/Name: Applicable only when you select IP Address as the Object Type; enter the IP address or FQDN for the location that is permitted to use this resource.
Network Address: Applicable only when you select IP Network as the Object Type; enter the network IP address for the locations that are permitted to use this resource.
Mask Length: Applicable only when you select IP Network as the Object Type; as an option, enter the network mask (0-31) for the locations that are permitted to use this resource.
Port Range/Port Number: A port or a range of ports (0-65535) to apply the policy to. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.

5. Click Apply to save your settings. The new configuration is added to the Defined Resource Addresses table.

To delete a configuration from the Defined Resource Addresses table, click the delete table button to the right of the configuration that you want to delete.

Configuring User, Group, and Global Policies

You can define and apply user, group, and global policies to predefined network resource objects (IP addresses, address ranges, or all IP addresses) and to differen
174. ISP settings, using the same steps as WAN1. When you are finished, click the Logout link at the upper right corner of the Web Management Interface, or proceed to additional setup and management tasks.

Configuring the WAN Mode (Required for the UTM25's Dual WAN Mode)

On the UTM25 only, the dual WAN ports of the UTM can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency), or one port can be disabled.
• Auto-Rollover Mode: The selected WAN interface is defined as the primary link, and the other interface is defined as the rollover link. As long as the primary link is up, all traffic is sent over the primary link. When the primary link goes down, the rollover link is brought up to send the traffic. When the primary link comes back up, traffic automatically rolls back to the original primary link. If you want to use a redundant ISP link for backup purposes, select the WAN port that must act as the primary link for this mode. Ensure that the backup WAN port has also been configured, and that you configure the WAN Failure Detection Method on the WAN Mode screen to support auto-rollover.
• Load Balancing Mode: The UTM distributes the outbound traffic equally among the WAN interfaces that are functional
175. IUS server.
Secret Phrase: The shared secret phrase to authenticate the transactions between the client and the backup RADIUS server. The same Secret Phrase must be configured on both the client and the server.
Backup Server NAS Identifier: The backup Network Access Server (NAS) identifier that must be present in a RADIUS request. Note: See the Note above for the Primary Server NAS Identifier.
Connection Configuration
Time-out period: The period in seconds that the UTM waits for a response from a RADIUS server.
Maximum Retry Counts: The maximum number of times that the UTM attempts to connect to a RADIUS server.

4. Click Apply to save your settings.

Note: You select the RADIUS authentication protocol (PAP or CHAP) on the Edit > IKE Policy screen or the Add IKE Policy screen (see Configuring XAUTH for VPN Clients on page 7-38).

Assigning IP Addresses to Remote Users (Mode Config)

To simplify the process of connecting remote VPN clients to the UTM, use the Mode Config feature to assign IP addresses to remote users, including a network access IP address, subnet mask, WINS server, and DNS address from the UTM. Remote users are given IP addresses available in a secured network space so that remote users appear as seamless extens
176. If the auto-detect process senses a connection method that requires input from you, it prompts you for the information. All methods with their required settings are detailed in Table 3-1.

Table 3-1. Internet connection methods
Connection Method / Data Required
DHCP (Dynamic IP): No data is required.
PPPoE: Login (Username, Password), Account Name, Domain Name.
PPTP: Login (Username, Password), Account Name, Local IP address, and PPTP Server IP address.
Fixed (Static) IP: Static IP address, Subnet, and Gateway IP, and related data supplied by your ISP.

• If the auto-detect process does not find a connection, you are prompted to either check the physical connection between your UTM and the cable or DSL line, or to check your UTM's MAC address. For more information, see Configuring the WAN Mode (Required for the UTM25's Dual WAN Mode) on page 3-9 and Troubleshooting the ISP Connection on page 12-5.

3. To verify the connection, click the WAN Status option arrow at the top right of the screen. A popup window appears, displaying the connection status of the UTM25's WAN port 1. (The UTM10 has only a single WAN port.)

[Connection Status popup: Operation succeeded. Connection Time 0 Days 00:23:41; Connection Type DHCP; Connection State Connected; IP Address 192.168.50.61; Subnet Mask 255.255.255.0; Gateway; DNS Server 19; DHCP Server; Lease Obtained Tue Apr 14 16:46:03 GMT 2009; Lease Duration]
177. M, for example, LAN users accessing the Internet. However, when the reboot process is complete, connections to the Internet are automatically re-established when possible.

To reboot the UTM:
1. Locate the Reboot the System section on the Diagnostics screen.
2. Click the reboot button. The UTM reboots. If you can see the unit, the reboot process is complete when the Test LED on the front panel goes off.

Note: See also Rebooting Without Changing the Firmware on page 10-21.

To shut down the UTM:
1. Locate the Reboot the System section on the Diagnostics screen.
2. Click the shutdown button. The UTM shuts down.

Note: You can shut down the UTM using the Web Management Interface, but you cannot start up the UTM using the Web Management Interface.

Chapter 12. Troubleshooting and Using Online Support

This chapter provides troubleshooting tips and information for the UTM. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated:
• Is the UTM on? Go to Basic Functioning on page 12-2.
• Have I connected the UTM correctly? Go to Basic Functioning on page 12-2.
• I cannot access the UTM's Web Management Interface. Go to Troubleshooting the Web Management Interface on page 12-3.
• A time-out
178. 2. Enter the settings as explained in Table 6-2.

Table 6-2. E-mail Anti-Virus and Notification Settings
Setting / Description (or Subfield and Description)
Action
SMTP: From the SMTP pull-down menu, specify one of the following actions when an infected e-mail is detected:
• Block infected email: This is the default setting. The e-mail is blocked, and a log entry is created.
• Delete attachment: The e-mail is not blocked, but the attachment is deleted, and a log entry is created.
• Log only: Only a log entry is created. The e-mail is not blocked, and the attachment is not deleted.
POP3: From the POP3 pull-down menu, specify one of the following actions when an infected e-mail is detected:
• Delete attachment: This is the default setting. The e-mail is not blocked, but the attachment is deleted, and a log entry is created.
• Log only: Only a log entry is created. The e-mail is not blocked, and the attachment is not deleted.
IMAP: From the IMAP pull-down menu, specify one of the following actions when an infected e-mail is detected:
• Delete attachment: This is the default setting. The e-mail is not blocked, but the attachment is deleted, and a log entry is created.
• Log only: Only a log entry is created. The e-mail is not blocked, and the attachment is not deleted.
Scan Exceptions (maximum size): The default maximum file or message size that is scanned is 2048 KB, but you can define a maximu
179. Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Registering the UTM with NETGEAR on page 2-27), the license keys are erased. The license keys and the different types of licenses that are available for the UTM are no longer displayed on the Registration screen. However, after you have reconfigured the UTM to connect to the Internet and to the NETGEAR registration server, the UTM retrieves and restores all registration information based on its MAC address and hardware serial number. You do not need to re-enter the license keys and re-activate the UTM.

What to Do Next

You have completed setting up and deploying the UTM to the network. The UTM is now ready to scan the protocols and services that you specified and to perform automatic updates based on the update source and frequency that you specified.

If you need to change the settings, or to view reports or logs, log in to the UTM Web Management Interface using the default IP address or the IP address that you assigned to the UTM in Setup Wizard Step 1 of 10: LAN Settings on page 2-8.

The UTM is ready for use. However, some important tasks that you might want to address before you deploy the UTM in your network are listed below:
• Configuring the WAN Mode (Required for the UTM25's Dual WAN Mode) on page 3-9
• Configuring VPN Authentication Dom
180. MAC address, and vice versa. Some PCs or devices are configured with static addresses. To prevent users from changing their static IP addresses, the IP/MAC Binding feature must be enabled on the UTM. If the UTM detects packets with a matching IP address but with an inconsistent MAC address (or vice versa), the packets are dropped. If you have enabled the logging option for the IP/MAC Binding feature, these packets are logged before they are dropped. The UTM displays the total number of dropped packets that violate either the IP-to-MAC binding or the MAC-to-IP binding.

Note: You can bind IP addresses to MAC addresses for DHCP assignment on the LAN Groups submenu. See Managing the Network Database on page 4-13.

As an example, assume that three computers on the LAN are set up as follows:
• Host1: MAC address 00:01:02:03:04:05 and IP address 192.168.10.10
• Host2: MAC address 00:01:02:03:04:06 and IP address 192.168.10.11
• Host3: MAC address 00:01:02:03:04:07 and IP address 192.168.10.12

If all of the above host entry examples are added to the IP/MAC Binding table, the following scenarios indicate the possible outcome:
• Host1: Matching IP & MAC address in IP/MAC Table
• Host2: Matching IP but inconsistent MAC address in IP/MAC Table
• Host3: Matching MAC but inconsistent IP address in IP/MAC Table

In this example, the UTM blocks the traffic coming from Host2 and Host3 but allows the traffic coming from Host to
181. [Figure 2-3: Web Management Interface menu. Mode, Secondary Addresses, Advanced, WAN Status. Option Arrow: additional screen for submenu item. 3rd Level: Submenu Tab (blue). 2nd Level: Configuration Menu Link (gray). 1st Level: Main Navigation Menu Link (orange)]

The Web Management Interface menu consists of the following components:
• 1st Level: Main navigation menu links. The main navigation menu in the orange bar across the top of the Web Management Interface provides access to all the configuration functions of the UTM and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.
• 2nd Level: Configuration menu links. The configuration menu links in the gray bar immediately below the main navigation menu bar change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a grey background.
• 3rd Level: Submenu tabs. Each configuration menu item has one or more submenu tabs that are listed below the grey menu bar. When you select a submenu tab, the text is displayed in white against a blue background.
• Option arrows: If there are additional screens for the submenu item, they are displayed on the right side in blue letters against a white background, preceded by a white arrow in a blue circle.
182. Mode Config Settings (continued)
Setting / Description (or Subfield and Description)
Use (Gateway Tunnel): Select the Use checkbox. Then, from the pull-down menu, select Secure.
ID Type:
• Left pull-down menu: From the left pull-down menu, select Domain Name. Then, below, enter the local FQDN that you specified in the UTM's Mode Config IKE policy. In this example, we are using utm25_local.com.
• Right pull-down menu: From the right pull-down menu, select Gateway IP Address. Then, below, enter the IP address of the WAN interface that you selected on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-9). In this example, the WAN IP address is 192.168.50.61.
Note: You can find the WAN IP address on the Connection Status screen for the selected WAN port. For more information, see Viewing the WAN Ports Status on page 11-27.

4. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.
5. In the left frame, click My Identity. The screen adjusts.

[Screenshot: Security Policy Editor, NETGEAR ProSafe VPN Client. Network Security Policy > My Connections > My Identity; Security Policy; ID Type; Port; Other Connections]
183. N security log messages C-2; overview 1-5; settings using the Setup Wizard 2-16
security association: See SA
security lock 7-72
Security Parameters Index: See SPI
security subscription: HTTP proxy 2-25; update frequency 2-25; update settings using the Setup Wizard 2-24
service blocking: reducing traffic 10-2; rules 5-4; rules, firewall 5-3, 5-4
service licenses: activating 2-27; automatic retrieval 2-29; expiration dates 22; trial period 2-27
service logs 11-9, 11-33, 11-35
service numbers, common protocols 5-31
service registration card 7-8
Session Initiation Protocol: See SIP
session limits: configuring 5-23; logging dropped packets 11-14
Setup Wizard, initial configuration 2-7
severities, syslog 11-9
SHA-1: IKE policies 7-28; ModeConfig 7-45; self certificate requests 9-23; VPN policies 7-36
shutting down 11-48
signature key length 9-23
Simple Mail Transfer Protocol: See SMTP
Simple Network Management Protocol: See SNMP
single WAN port mode: bandwidth capacity 10-1; description, UTM25 3-10
SIP 5-24
size: e-mail messages 2-19; Web files 2-20; Web objects 2-20
Skype 2-17, 6-21
SMTP: action, infected e-mail 2-8; anti-virus settings 6-6; default port 2-17, 6-4; Distributed Spam Analysis 6-17; enabling scanning 2-17; file extension blocking 6-11; file name blocking 6-11; keyword blocking 6-10; password-protected attachment blocking 6-0; server for e-mail notification 2-23
sniffer 2-4
SNMP atta
184. [Figure B-10 (continued): WAN IP N/A; VPN Router at employer's main office; Fully Qualified Domain Names (FQDN): required for Fixed IP addresses, required for Dynamic IP addresses; Remote PC running NETGEAR ProSafe VPN Client]

The IP addresses of the WAN ports can be either fixed or dynamic, but you must always use a FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance). After a rollover of the WAN port has occurred, the previously inactive gateway WAN port becomes the active port (port WAN2 in Figure B-11), and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder.

[Figure B-11: Road Warrior Example, Dual WAN Ports After Rollover. Client B: WAN IP N/A. Gateway A: WAN1 port inactive, WAN IP 0.0.0.0, LAN IP 10.5.6.1 (LAN 10.5.6.0/24), FQDN bzrouter.dyndns.org, WAN2 IP. VPN Router at employer's main office. Fully Qualified Domain Names (FQDN): required for Fixed IP addresses, required for Dynamic IP addresses. Remote PC running NETGEAR ProSafe VPN Client; Remote PC must re-establish VPN tunnel after a rollover]

The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
185. [Figure 4-1: VLAN Profiles table. defaultVlan: VLAN ID, Subnet IP 192.168.1.1, DHCP Enabled. SalesVLAN: Subnet IP 192.170.1.100, DHCP Disabled. Buttons: select all, delete, enable, disable, add. Port assignments: Port 1 defaultVlan, Port 2 SalesVLAN, Port 3 defaultVlan, Port 4/DMZ defaultVlan]

For each VLAN profile, the following fields are displayed in the VLAN Profiles table:
• Checkbox: Allows you to select the VLAN profile in the table.
• Status Icon: Indicates the status of the VLAN profile. Green circle: the VLAN profile is enabled. Grey circle: the VLAN profile is disabled.
• Profile Name: The unique name assigned to the VLAN profile.
• VLAN ID: The unique ID (or tag) assigned to the VLAN profile.
• Subnet IP: The subnet IP address for the VLAN profile.
• DHCP Status: The DHCP server status for the VLAN profile, which can be either DHCP Enabled or DHCP Disabled.
• Action: The edit table button that provides access to the Edit VLAN Profile screen.

2. Assign a VLAN profile to a LAN port (Port 1, Port 2, Port 3, or Port 4/DMZ) by selecting a VLAN profile from the pull-down menu. Both enabled and disabled VLAN profiles are displayed in the pull-down menus.
3. Click Apply to save your settings.

VLAN DHCP Options

For each VLAN, you must specify the Dynamic Host Configuration Protocol (DHCP) options. The configuration of the DHCP options for the UTM
186. No message is logged when the Reset button has been pushed to reboot the UTM.
• All Unicast Traffic: All incoming unicast packets are logged.
• All Broadcast/Multicast Traffic: All incoming broadcast and multicast packets are logged.
• WAN Status: WAN link status-related events are logged.
• Resolved DNS Names: All resolved DNS names are logged.
Email Logs to Administrator
Enable: Select this checkbox to enable the UTM to send a log file to an e-mail address.
Send to: The e-mail address of the recipient of the log file. Click Send Now to immediately send the logs that you first must have specified below.
Frequency: Select a radio button to specify how often the log file is sent:
• When the space is full: Logs are sent when the storage space that is assigned to the logs is full.
• Daily: Logs are sent daily at the time that you specify from the pull-down menus (hours and minutes).
• Weekly: Logs are sent weekly at the day and time that you specify from the pull-down menus (weekday, hours, and minutes).
Select Logs to Send: Select the checkboxes to specify which logs are sent via e-mail:
• System Logs: The system event logs that you have specified in the System Logs Options section at the top of the screen. However, by default, many more types of events are logged in the system logs.
• Traffic Logs: All scanned incoming and outgoing traffic.
• Malware Logs: All intercepted viruses and malware threats.
• Spam Logs: Al
187. O TCP SPT=23 DPT=54899

Table C-17. System Logs: Invalid Packets (continued)
Explanation: Error returned from helper routine.
Recommended Action: None.

Content Filtering and Security Logs

This section describes the log messages that are generated by the content filtering and security mechanisms.

Web Filtering and Content Filtering Logs

This section describes logs that are generated when the UTM filters Web content.

Table C-18. Content Filtering and Security Logs: Web Filtering and Content Filtering
Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048.rar SizeLimit Block
Explanation: Logs that are generated when Web content is blocked because it exceeds the allowed size limit. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the action, and action that is taken.
Recommended Action: None.
Message: 2009-08-01 00:00:01 HTTP 192.168.1.3 192.168.35.165 http://192.168.35.165/testcases/files/virus/normal/b4 f3 d3 da2048.rar URL Block
Explanation: Logs that are generated when Web content is blocked because it violates a blocked Web category. The message shows the date and time, protocol, client IP address, server IP address, URL, reason for the
188. P number, port number, port range, and details.
Recommended Action: None.

Instant Messaging/Peer-to-Peer Logs

This section describes logs that are generated when the UTM filters instant messaging and peer-to-peer traffic.

Table C-25. Content Filtering and Security Logs: Instant Messaging/Peer-to-Peer
Message: 2008-12-31 23:59:31 0 block 1 8800115 2 TCP 192.168.1.2 543 65.54.239.210 1863 MSN login attempt
Explanation: Logs that are generated when an IM/P2P traffic violation occurs. The message shows the date and time, action that is taken, protocol, client IP address, client port number, server IP address, server port number, IM/P2P category, and reason for the action.
Recommended Action: None.

Routing Logs

This section explains the logging messages for each network segment (such as LAN to WAN) for debugging purposes. These logs might generate a significant volume of messages.

LAN to WAN Logs

This section describes logs that are generated when the UTM processes LAN to WAN traffic.

Table C-26. Routing Logs: LAN to WAN
Message: Nov 29 09:19:43 UTM kernel LAN2WAN ACCEPT IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the LAN to the WAN has been allowed by the firewall. For other setting
189. P applications that are available to remote users.

To add a server and a port number:
1. Select VPN > SSL VPN from the menu. The SSL VPN's submenu tabs appear with the Policies screen in view.
2. Click the Port Forwarding submenu tab. The Port Forwarding screen displays. Figure 8-14 shows some examples.

[Figure 8-14: Port Forwarding screen (tabs: Policies, Resources, Portal Layouts, SSL VPN Client, Port Forwarding; Operation succeeded). Local Server IP Address / TCP Port Number: 192.168.50.8, 21. Add New Application for Port Forwarding: IP Address, TCP Port Number. Local Server IP Address / Fully Qualified Domain Name: 192.168.50.8, ftp.customer.com. Add New Host Name for Port Forwarding: Local Server IP Address, Fully Qualified Domain Name]

3. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields:
• IP Address: The IP address of an internal server or host computer that a remote user has access to.
• TCP Port: The TCP port number of the application that is accessed through the SSL VPN tunnel. Table 8-7 on page 8-24 lists some commonly used TCP applications and port numbers.

Table 8-7. Port Forwarding Applications/TCP Port Numbers
TCP Application / Port Number
FTP Data (usually not needed): 20
FTP Control Protocol: 21
190. P server, then the name is appended by an asterisk.
• IP Address: The current IP address of the PC or device. For DHCP clients of the UTM, this IP address does not change. If a PC or device is assigned a static IP address, you need to update this entry manually after the IP address on the PC or device has changed.
• MAC Address: The MAC address of the PC or device's network interface.
• Group: Each PC or device can be assigned to a single LAN group. By default, a PC or device is assigned to Group 1. You can select a different LAN group from the Group pull-down menu in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen.
• Action: The edit table button that provides access to the Edit Groups and Hosts screen.

Note: If the UTM is rebooted, the data in the Known PCs and Devices table is lost until the UTM rediscovers the devices.

Viewing the DHCP Log

To review the most recent entries in the DHCP log:
1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view (see Figure 11-20 on page 11-30).
2. Click the DHCP Log option arrow at the top right of the LAN Setup screen. The DHCP Log appears in a popup window (see Figure 11-22 on page 11-32).

To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
191. [Figure 11-10: System Status screen (1 of 3). Services: POP3 ON, IMAP ON, HTTP ON, HTTPS OFF, FTP ON; Active Connections 0, 0, 0, 0, 0. System Information: System up Time 13 Days 19 Hours 01 Minutes. Firmware Information (Type / Version / Last Downloaded): active, 1.0.0-17, N/A; secondary, N/A, N/A. Component (Current Version / Last Update): Scan engine 20090521.215.0.0, 2009-05-21; Pattern file 200905271503, 2009-05-27; Firewall 23_3.0.5.25, N/A. License Expiration Date: Email Protection 2010-04-16; Web Protection 2010-04-16; Maintenance 2010-04-16. Hardware Serial Number 0000000000001]

Table 11-9 explains the fields of the Status and System Information sections of the System Status screen.

Table 11-9. System Status: Status and System Information
Setting / Description (or Subfield and Description)
Status
System: The current CPU, memory, and hard disk usage. When usage is within safe limits, the status bars show green.
Services: The protocols that are being scanned for malware threats (ON or OFF stated next to the protocol) and the number of active connections for each protocol.
System Information: States system up time since last reboot.
Firmware Inform
192. ProSafe VPN Client for Mode Config Operation ... 7-49
Testing the Mode Config Connection ... 7-54
Configuring Keepalives and Dead Peer Detection ... 7-54
Configuring Keepalives ... 7-55
Configuring Dead Peer Detection ... 7-56
Configuring NetBIOS Bridging with IPsec VPN ... 7-58

Chapter 8. Virtual Private Networking Using SSL Connections
Understanding the SSL VPN Portal Options ... 8-1
Using the SSL VPN Wizard for Client Configurations ... 8-2
SSL VPN Wizard Step 1 of 6: Portal Settings ... 8-3
SSL VPN Wizard Step 2 of 6: Domain Settings ... 8-5
SSL VPN Wizard Step 3 of 6: User Settings ... 8-7
SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes ... 8-9
SSL VPN Wizard Step 5 of 6: Port Forwarding ... 8-11
SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings ... 8-13
Accessing the New SSL Portal Login Screen ... 8-14
Viewing the UTM SSL VPN Connection Status ...
193. [Figure 7-23: Add VPN Policy screen; the residue shows the Manual Policy Parameters key lengths (24 char, MD5 16 char, SHA-1 20 char) and the Auto Policy Parameters fields (SA Lifetime, Encryption Algorithm, Integrity Algorithm, PFS Key Group, Select IKE Policy).]
[Virtual Private Networking Using IPsec Connections, page 7-33]
4. Complete the fields, select the radio buttons and checkboxes, and make your selections from the pull-down menus as explained in Table 7-12.
Table 7-12: Add VPN Policy Settings
Item: Description or Subfield and Description
General
- Policy Name: A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
- Policy Type: From the pull-down menu, select one of the following policy types:
  - Auto Policy: Some settings (the ones in the Manual Policy Parameters section of the screen) for the VPN tunnel are generated automatically.
  - Manual Policy: All settings must be specified, including the ones in the Manual Policy Parameters section of the screen.
- Select Local Gateway (UTM25 only): For the UTM25 only, select a radio button to specify the WAN1 or WAN2 interface.
- Remote Endpoint: Select a radio button to specify how the remote endpoint is defined:
  - IP Address: Enter the IP address of the remote endpoint in the fields to the right of the radio button.
  - FQDN: Enter the FQDN o
194. S priority, which changes the traffic mix through the system (see Creating Quality of Service (QoS) Profiles on page 5-33).
Outbound Rules (Service Blocking)
The UTM allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
Note: See Enabling Source MAC Filtering on page 5-40 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall.
Warning: Allowing inbound services opens security holes in your UTM. Only enable those ports that are necessary for your network.
Table 5-2 on page 5-5 describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 5-3 on page 5-13, Figure 5-6 on page 5-16, and Figure 5-9 on page 5-19). The steps to configure outbound rules are described in the following sections:
- Setting LAN WAN Rules on page 5-11
- Setting DMZ WAN Rules on page 5-14
- Setting LAN DMZ Rules on page 5-18
[Firewall Protection, page 5-4]
Table 5-2: Outbound Rules Overview
Setting: Description or Subfield and Description
- Service: The service or application to be covered by this rule. If the service or application does not appear in the list, you must define it using the Services menu (see
195. Safe VPN Client software 2; Lightweight Directory Access Protocol, See LDAP; limit, traffic meter or counter 3; limits, sessions 5-23; load balancing mode (UTM25): bandwidth capacity 10-1, configuring 3-14, DDNS 3-19, description 3-10, settings 3-14, VPN IPsec 7-1; local area network, See LAN; local user database 8-6, 9-4; location, placement 4; lock, security 7-12; log information, diagnostics 11-47; log messages and error messages, understanding C-1; logging: administrator e-mailing options 8, configuring options 8, e-mail address for sending logs 2-24, 11-6, firewall logs, configuring 11-13, management 11-38; [Index, page 7] querying logs 11-32, search criteria 11-35, selecting logs 1-34, specifying logs to send via e-mail 11-8, syslog server 11-9, terms in messages C; login: default settings A, policy, restricting by browser 9-14, restricting by IP address 9-13, time-out, changing 9-16, 10-9, default 2-4; looking up DNS address 11-45; MAC addresses: blocked, adding 5-40, configuring 3-5, format 3-24, format of 5-41, IP binding 5-42, spoofing 12-6, UTM's 3-23; main navigation menu, Web Management Interface 2-5; malware: alert 11-10, logs 11-8, 11-33, 11-35, outbreak alert 11-10, outbreak, defining 2, protection 6-5, 6-21, recent 5 and top 5 18; management, default settings A-2; maximum transmission unit, See MTU; MD5, IKE policies 7
196. TM, that is, the local end, is defined by a FQDN.
- Identifier: Enter a FQDN for the UTM. In this example, we are using utm25_local.com.
[Virtual Private Networking Using IPsec Connections, page 7-47]
Table 7-16: Add IKE Policy Settings for a Mode Config Configuration (continued)
Item: Description or Subfield and Description
- Remote Identifier Type: From the pull-down menu, select FQDN. Note: Mode Config requires that the remote end is defined by a FQDN.
- Identifier: Enter the FQDN for the remote end. This must be a FQDN that is not used in any other IKE policy. In this example, we are using utm25_remote.com.
IKE SA Parameters
Note: Generally, the default settings work well for a Mode Config configuration.
- Encryption Algorithm: From the pull-down menu, select the 3DES algorithm to negotiate the security association (SA).
- Authentication Algorithm: From the pull-down menu, select the SHA-1 algorithm to be used in the VPN header for the authentication process.
- Authentication Method: Select Pre-shared key as the authentication method and enter a key in the field below.
- Pre-shared key: A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote in the key. In this example, we are using 12345678910.
- Diffie-Hellman (DH): The DH Group sets the strength of the a
197. TM25 Reference Manual
[page xvi; v1.0, September 2009]
About This Manual
The NETGEAR ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual describes how to install, configure, and troubleshoot a ProSecure Unified Threat Management Appliance UTM10 or UTM25. The information in this manual is intended for readers with intermediate computer and networking skills.
Conventions, Formats, and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs:
- Typographical conventions. This manual uses the following typographical conventions:
  - Italic: Emphasis, books, CDs
  - Bold: User input, IP addresses, GUI screen text
  - Fixed: Command prompt, CLI text, code
  - italic: URL links
- Formats. This manual uses the following formats to highlight special messages:
  - Note: This format is used to highlight information of importance or special interest.
  - Tip: This format is used to highlight a procedure that will save time or resources.
  - Warning: Ignoring this type of note might result in a malfunction or damage to the equipment.
[page xvii]
  - Danger: This is a safety warning. Failure to take heed of this notice might result in personal injury or death.
- Scope. This manual is written for the UTM according to these specifications: Produc
198. TM25 Reference Manual
Table 11-3: E-mail and Syslog Settings (continued)
Setting: Description or Subfield and Description
- Clear the Following Logs Information: Select the checkboxes to specify which logs are cleared. The Select Logs to Send part of the Email Logs to Administrator section of the screen (see above) lists the same checkboxes as the Clear the Following Logs Information section of the screen.
3. Click Apply to save your settings, or click Clear Log Information to clear the selected logs.
Configuring and Activating Update Failure and Attack Alerts
You can configure the UTM to send an e-mail alert when a failure, malware outbreak, attack, or Intrusion Prevention System (IPS) outbreak attack occurs. Five types of alerts are supported:
- Update Failure Alert: Sent when an attempt to update any component, such as a pattern file or scan engine firmware, fails.
- Malware Alert: Sent when the UTM detects a malware threat.
- Malware Outbreak Alert: Sent when the malware outbreak criteria that you have configured are reached or exceeded. Outbreak criteria are based on the number of malware threats detected within a specified period of time.
- IPS Alert: Sent when the UTM detects an attack.
- IPS Outbreak Alert: Sent when the IPS outbreak criteria that you have configured are reached or exceeded. Outbreak criteria are based on the number of IPS attacks detected within a specified period of time.
To c
199. This packet broadcast is destined to the device from the WAN network.
- For other settings, see Table C-1.
Recommended Action: None.
Invalid Packet Logging
This section describes logs that are generated when the UTM processes invalid packets.
Table C-17: System Logs: Invalid Packets
- Message: 2007 Oct 1 00:44:17 UTM kernel INVALID NO_CONNTRACK_ENTRY DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
  Explanation: No connection tracking entry exists.
  Recommended Action: None.
- Message: 2007 Oct 1 00:44:17 UTM kernel INVALID RST_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
  Explanation: Invalid RST packet.
  Recommended Action: None.
- Message: 2007 Oct 1 00:44:17 UTM kernel INVALID ICMP_TYPE DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=19 CODE=0
  Explanation: Invalid ICMP type.
  Recommended Action: None.
- Message: 2007 Oct 1 00:44:17 UTM kernel INVALID TCP_FLAG_COMBINATION DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
  Explanation: Invalid TCP flag combination.
  Recommended Action: None.
[System Logs and Error Messages]
Table C-17: System Logs: Invalid Packets (continued)
- Message: 2007 Oct 1 00:44:17 UTM kernel INVALID BAD_CHECKSUM DROP SRC=192.168.20.1
200. [Figure 5-2: Outbound Services table with a sample TELNET rule (Allow by schedule) and the edit, up, down, select all, delete, enable, disable, and add table buttons.]
[Firewall Protection, page 5-11]
To make changes to an existing outbound or inbound service rule:
In the Action column to the right of the rule, click one of the following table buttons:
- edit: Allows you to make any changes to the rule definition of an existing rule. Depending on your selection, either the Edit LAN WAN Outbound Service screen (identical to Figure 5-3 on page 5-13) or the Edit LAN WAN Inbound Service screen (identical to Figure 5-4 on page 5-14) displays, containing the data for the selected rule.
- up: Moves the rule up one position in the table rank.
- down: Moves the rule down one position in the table rank.
To delete or disable one or more rules:
1. Select the checkbox to the left of the rule that you want to delete or disable, or click the select all table button to select all rules.
2. Click one of the following table buttons:
- disable: Disables the rule or rules. The status icon changes from a green circle to a grey circle, indicating that the rule or rules are disabled. By default, when a rule is added to the table, it is automatically enable
201. WAN1: The IP address of the DNS server for port WAN1. WAN2: The IP address of the DNS server for port WAN2.
- Retry Interval is: The retry interval in seconds. The ping is sent periodically after every test period. The default test period is 30 seconds.
- Failover after: The number of failover attempts. The primary WAN link is considered down after the configured number of queries have failed to elicit a reply. The backup link is brought up after this has occurred. The failover default is 4 failures.
[Manually Configuring Internet and WAN Settings, page 3-13]
Note: The default time to roll over after the primary WAN interface fails is 2 minutes (a 30-second minimum test period for a minimum of 4 tests).
3. Click Apply to save your settings.
When a rollover occurs, you can configure the UTM to generate a notification e-mail to a specified address (see Configuring and Activating System E-mail and Syslog Logs on page 11-6). When the UTM detects that the failed primary WAN interface has been restored, an automatic rollover to the primary WAN interface occurs.
Configuring Load Balancing and Optional Protocol Binding (UTM25 Only)
For the UTM25 only, to use multiple ISP links simultaneously, configure load balancing. In load balancing mode, either WAN port carries any outbound protocol unless pr
202. Wizard, See IPsec VPN Wizard; pass-through, IPsec, PPTP, L2TP 5-22; planning, UTM25 B-6; VPN SSL Wizard, See SSL VPN Wizard; pre-shared key 7-5, 7-10, 7-14, 7-28; VPN tunnels: rollover, See failover; active users 11-24; RSA signature 7-28; auto rollover mode 7-2; testing connections 7-16; client policy, creating 7-11; tunnel connection status 24; client-to-gateway, using IPsec VPN Wizard 7-8; XAUTH 7-37; connection status 7-19; VPNC 1-6, 7-3; DPD 7-56; examples: gateway-to-gateway, dual WAN ports, auto rollover B-14; gateway-to-gateway, dual WAN ports, load balancing B-15; gateway-to-gateway, single WAN port mode B-13; Road Warrior, dual WAN mode, auto rollover B-11; [W] WAN: aliases 3-17; auto rollover mode (UTM25): configuring 3-11, [Index, page 15] DDNS 3-19, description 3-9, settings 3-12, VPN IPsec 7-1; bandwidth capacity 10-1; classical routing 3-10; connection speed and type 3-24; failure detection method (UTM25) 3-9, 3-11, 3-13; interfaces, primary and backup 3-11; LEDs 1-11, 12-3; load balancing mode (UTM25): configuring 3-14, DDNS 3-19, description 3-10, settings 3-14, VPN IPsec 7-1; mode status 11-23; NAT, configuring 3-0; ports 1-2, 1-9; secondary IP addresses 3-17; settings, auto-detecting 2-12, 3-3; settings using the Setup Wizard 2-11; single port mode (UTM25) 3-10; status 3-4, 11-23, 11-28; traffic meter or counter 11-1; warning, SSL certifica
203. Wizard for Client and Gateway Configurations on page 7-3
- Testing the Connections and Viewing Status Information on page 7-16
- Managing IPsec VPN Policies on page 7-21
- Configuring Extended Authentication (XAUTH) on page 7-37
- Assigning IP Addresses to Remote Users (Mode Config) on page 7-42
- Configuring Keepalives and Dead Peer Detection on page 7-54
- Configuring NetBIOS Bridging with IPsec VPN on page 7-58
Considerations for Dual WAN Port Systems (UTM25 Only)
On the UTM25 only, if both of the WAN ports are configured, you can enable either auto rollover mode for increased system reliability or load balancing mode for optimum bandwidth efficiency. Your WAN mode selection impacts how the VPN features must be configured. The use of fully qualified domain names (FQDNs) in VPN policies is mandatory when the WAN ports function in auto rollover mode or load balancing mode, and is also required for VPN tunnel failover. When the WAN ports function in load balancing mode, you cannot configure VPN tunnel failover. A FQDN is optional when the WAN ports function in load balancing mode if the IP addresses are static, but mandatory if the WAN IP addresses are dynamic. See Virtual Private Networks (VPNs) on page B-9 for more information about the IP addressing requirements for VPNs in the dual WAN modes. For information about how to select and configure a dynamic DNS service for resolving FQDNs, se
204. You can configure the logging options for each network segment. For example, the UTM can log accepted packets for LAN to WAN traffic, dropped packets for WAN to DMZ traffic, and so on. You can also configure logging of packets from MAC addresses that match the source MAC address filter settings (see Enabling Source MAC Filtering on page 5-40) and packets that are dropped because the session limit (see Setting Session Limits on page 5-23), bandwidth limit (see Creating Bandwidth Profiles on page 5-36), or both have been exceeded.
Note: Enabling firewall logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only.
To configure and activate firewall logs:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view.
2. Click the Firewall Logs submenu tab. The Firewall Logs screen displays (see Figure 11-6).
[Figure 11-6: Firewall Logs screen with Accepted Packets and Dropped Packets checkboxes for LAN to WAN, LAN to DMZ, DMZ to WAN, WAN to LAN, DMZ to LAN, and WAN to DMZ, plus Source MAC Filter, Session Limit, and Bandwidth Limit checkboxes.]
3. Enter the settings
205. a RADIUS server. For more information, see RADIUS Client Configuration on page 7-39.
- Radius CHAP: XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see RADIUS Client Configuration on page 7-39.
- Username: The user name for XAUTH.
- Password: The password for XAUTH.
9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.
Configuring the ProSafe VPN Client for Mode Config Operation
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection for Mode Config operation:
1. Right-click on the VPN client icon in your Windows toolbar and select Security Policy Editor. Then select Options > Secure and verify that the Specified Connections selection is enabled (see Figure 7-11 on page 7-12).
[Virtual Private Networking Using IPsec Connections, page 7-49]
2. In the upper left of the Policy Editor window, click the New Connection icon (the first icon on the left) to open a new connection. Give the new connection a name; in this example, we are using ModeConfigTest.
[Screenshot: Security Policy Editor (NETGEAR ProSafe VPN Client), Network Security Policy > My Connections, with the Connection Security options Secure, Only Connect Manually, and Non-secure.]
206. ab. The VPN Policies screen displays (see Figure 7-22 on page 7-31).
3. In the List of VPN Policies table, click the edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. This screen shows the same fields as the Add VPN Policy screen (see Figure 7-23 on page 7-33).
4. Modify the settings that you wish to change (see Table 7-12).
5. Click Apply to save your changes. The modified VPN policy is displayed in the List of VPN Policies table.
Configuring Extended Authentication (XAUTH)
When many VPN clients connect to a UTM, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although you could configure a unique VPN policy for each user, it is more efficient to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.
[Virtual Private Networking Using IPsec Connections, page 7-37]
You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available:
- Edge Device: The UTM is used as a VPN concentrator on which one or more gateway tunnel
207. ablishment of the connection. You must enter the detection period and the maximum number of times that the UTM attempts to reconnect (see below).
- No: This feature is disabled. This is the default setting.
- Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPsec traffic is idle.
- Reconnect after failure count: The maximum number of times that the UTM attempts to reconnect after a DPD situation. When the maximum number of times is exceeded, the IPsec connection is terminated.
[Virtual Private Networking Using IPsec Connections, page 7-28]
Table 7-10: Add IKE Policy Settings (continued)
Item: Description or Subfield and Description
Extended Authentication (XAUTH) Configuration
Note: For more information about XAUTH and its authentication modes, see Configuring XAUTH for VPN Clients on page 7-38.
Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
- None: XAUTH is disabled. This is the default setting.
- Edge Device: The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication mode that is available for this configuration is User Database, RADIUS PAP, or R
208. ace, that is, they appear on screen.
[Monitoring System Access and Performance, page 11-37]
Example: Using Logs to Identify Infected Clients
You can use the UTM logs to help identify potentially infected clients on the network. For example, clients that are generating abnormally high volumes of HTTP traffic might be infected with spyware or other malware threats.
To identify infected clients that are sending spyware in outbound traffic, query the UTM malware logs and see if any of your internal IP addresses are the source of spyware:
1. On the Log Query screen (see Figure 11-23 on page 11-34), select Traffic as the log type.
2. Select the start date and time from the pull-down menus.
3. Select the end date and time from the pull-down menus.
4. Next to Protocols, select the HTTP checkbox.
5. Click Search. After a few minutes, the log appears on screen.
6. Check if there are clients that are sending out suspicious volumes of data, especially to the same destination IP address on a regular basis. If you find a client exhibiting this behavior, you can run a query on that client's HTTP traffic activities to get more information. Do so by running the same HTTP traffic query and entering the client IP address in the Client IP field.
Log Management
Generated logs take up space and resources on the UTM internal disk. To ensure that there is al
209. actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
- PPP over Ethernet (PPPoE): PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.
- Quality of Service (QoS): The UTM supports QoS, including traffic prioritization and traffic classification with Type Of Service (ToS) and Differentiated Services Code Point (DSCP) marking.
Easy Installation and Management
You can install, configure, and operate the UTM within minutes after connecting it to the network. The following features simplify installation and management tasks:
- Browser-based management: Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based Web Management Interface.
- Auto-detection of ISP: The UTM automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
- IPsec VPN Wizard: The UTM includes the NETGEAR IPSec VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
[Introduction; v1.0, September 2009; ProSecure Unified Threat Manage
210. address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to reconnect to the Web Management Interface.
- Subnet Mask: Enter the IP subnet mask. The subnet mask specifies the network number portion of an IP address. Based on the IP address that you assign, the UTM automatically calculates the subnet mask. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the UTM).
DHCP
- Disable DHCP Server: If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server. This is the default setting.
[LAN Configuration]
Table 4-1: VLAN Profile Settings (continued)
Setting: Description or Subfield and Description
- Enable DHCP Server: Select the Enable DHCP Server radio button to enable the UTM to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. Enter the following settings: Domain Name, Starting IP Address, Ending IP Address.
  - Domain Name: This is optional. Enter the domain name of the UTM.
  - Starting IP Address: Enter the starting IP address. This address specifies the first of the
211. addresses to receive SNMP traps (Example: 192.168.2.1, 192.168.2.2).
[Figure 10-4]
[Network and System Management, page 10-14]
2. Enter the settings as explained in Table 10-1.
Table 10-1: SNMP Settings
Setting: Description or Subfield and Description
Settings
- Do You Want to Enable SNMP: Select one of the following radio buttons:
  - Yes: Enable SNMP.
  - No: Disable SNMP. This is the default setting.
- Read Community: The community string to allow an SNMP manager access to the MIB objects of the UTM for the purpose of reading only. The default setting is public.
- Set Community: The community string to allow an SNMP manager access to the MIB objects of the UTM for the purpose of reading and writing. The default setting is private.
- Contact: The SNMP system contact information that is available to the SNMP manager. This setting is optional.
- Location: The physical location of the UTM. This setting is optional.
- Trusted SNMP Hosts: Enter the IP addresses of the computers and devices to which you want to grant read-only (GET) or write (SET) privileges on the UTM. Separate IP addresses by a comma. To allow any trusted SNMP host access, leave the field blank, which is the default setting.
- SNMP Traps: Enter the IP addresses of the SNMP management stations that are allowed to rec
212. age 8-22). Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names (FQDNs) with these servers. The UTM resolves the names to the servers using the list you have created.
4. For SSL VPN tunnel service, configure the virtual network adapter (see Configuring the SSL VPN Client on page 8-25). For the SSL VPN tunnel option, the UTM creates a virtual network adapter on the remote PC that then functions as if it were on the local network. Configure the portal's SSL VPN client to define a pool of local IP addresses to be issued to remote clients, as well as DNS addresses. Declare static routes or grant full access to the local network, subject to additional policies.
5. To simplify policies, define network resource objects (see Using Network Resource Objects to Simplify Policies on page 8-28). Network resource objects are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies.
6. Configure the SSL VPN policies (see Configuring User, Group, and Global Policies on page 8-31). Policies determine access to network resources and addresses for individual users, groups, or everyone.
Creating the Portal Layout
The Portal Layouts screen that you can access from the SSL VPN menu allows you to create a custom page that remote users see when they lo
213. agement access 10-12; troubleshooting 0-3; remote troubleshooting, enabling 12-10; remote users, assigning addresses via ModeConfig 7-42; reports: administrator e-mailing options 43, e-mail address for sending reports 2-24, 11-6, generating 11-40, scheduling 11-42, types of 1-39; requirements, hardware B-3; reserved IP addresses: configuring 4-17, in LAN groups database 4-15; Reset button 2; retry interval: DNS lookup 3-13, pinging 3-13; RFC 1349 5-33; RFC 1700 5-31; RFC 2865 7-39; RIP: advertising static routes 4-24, configuring 4-25, direction 4-26, feature 1-6, settings 4-26, versions (RIP-1, RIP-2B, RIP-2M) 4-26; Road Warrior, client-to-gateway B-11; routes: routing table 11-45, tracing 11-45; Routing Information Protocol, See RIP; routing log messages C-16; RSA signatures 7-28; rules: See inbound rules, See outbound rules, Web access exceptions 6-41; [S] SA: IKE policies 7-23, 7-27, IPsec VPN Wizard 7-3, ModeConfig 7-45, VPN connection status 7-20, VPN policies 7-35, 7-36; scan engine, firmware 10-21; scan exceptions: e-mail message size 2-79, Web file or object size 2-20; scan signatures 10-21; [Index, page 11] scanning: exclusions 6-44, size exceptions 6-6, 6-23, 6-41; scheduling: blocking traffic 5-39, reports 11-42, Web content filtering 2-22; search criteria, logs 11-35; Secure Hash Algorithm 1, See SHA-1; Secure Sockets Layer, See SSL VP
214. ains, Groups, and Users on page 9-1
- Managing Digital Certificates on page 9-17
- Using the IPsec VPN Wizard for Client and Gateway Configurations on page 7-3
- Using the SSL VPN Wizard for Client Configurations on page 8-2
[Using the Setup Wizard to Provision the UTM in Your Network, pages 2-29 and 2-30]
Chapter 3: Manually Configuring Internet and WAN Settings
Note: The initial Internet configuration of the UTM is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. If you used the Setup Wizard to configure your Internet settings, you need this chapter only to configure WAN features such as Dual WAN and Dynamic DNS, and to configure secondary WAN addresses and advanced WAN options.
This chapter contains the following sections:
- Understanding the Internet and WAN Configuration Tasks on this page
- Configuring the Internet Connections on page 3-2
- Configuring the WAN Mode (Required for the UTM25's Dual WAN Mode) on page 3-9
- Configuring Secondary WAN Addresses on page 3-17
- Configuring Dynamic DNS on page 3-19
- Configuring Advanced WAN Options on page 3-22
Understanding the Internet and WAN Configuration Tasks
Generally, five steps are required to compl
215. al.
3. Select the radio buttons and complete the fields as explained in Table 7-2.
Table 7-2: IPsec VPN Wizard Settings for a Gateway-to-Gateway Tunnel
Setting: Description or Subfield and Description
About VPN Wizard
- This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port's IP address or Internet name appears in the End Point Information section of the screen.
Connection Name and Remote IP Type
- What is the new Connection Name: Enter a descriptive name for the connection. This name is used to help you to manage the VPN settings; the name is not supplied to the remote VPN endpoint.
- What is the pre-shared key: Enter a pre-shared key. The key must be entered both here and on the remote VPN gateway. This key must have a minimum length of 8 characters and should not exceed 49 characters.
[Virtual Private Networking Using IPsec Connections, page 7-5]
Table 7-2: IPsec VPN Wizard Settings for a Gateway-to-Gateway Tunnel (continued)
Setting: Description or Subfield and Description
- This VPN tunnel will use following local WAN Interface (UTM25 only): For the UTM25 only, select one of the two radio buttons (WAN1 or WAN2) to specify which local WAN interface the VPN tunnel uses as the local endpoint. Note: If the UTM25 is configured to function in WAN auto ro
216. al WAN Ports After Rollover [Figure B-7 residue: WAN1 port inactive, WAN2 port active; the IP address of the active WAN port changes after a rollover, so use of fully qualified domain names is always required.]
Dual WAN Ports in Load Balancing Mode
A dual WAN port load balancing gateway configuration is the same as a single WAN port configuration when you specify the IP address of the VPN tunnel endpoint. Each IP address is either fixed or dynamic based on the ISP: you must use FQDNs when the IP address is dynamic, and FQDNs are optional when the IP address is static.
[Figure B-8: Dual WAN Ports, Load Balancing, Gateway: IP addresses of WAN ports are the same as in the single WAN port case; use of fully qualified domain names is required for dynamic IP addresses and optional for fixed IP addresses.]
[Network Planning for Dual WAN Ports (UTM25 Only), page B-10]
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall such as an UTM:
- Single gateway WAN port
- Redundant dual gateway WAN ports for increased reliability (before and after rollover)
- Dual gateway WAN ports for load balancing
VPN Road Warrior: Sin
217. all e-mail messages are blocked. You can enter up to 200 entries per list, separated by commas.

Note: The whitelist takes precedence over the blacklist, which means that if an e-mail source is on both the blacklist and the whitelist, the e-mail is not scanned by the anti-spam engines.

To configure the whitelist and blacklist:
1. Select Application Security > Anti-Spam from the menu. The Anti-Spam submenu tabs appear with the Whitelist/Blacklist screen in view.

Figure 6-4: Whitelist/Blacklist screen (screen image; fields shown: Sender IP Address Blacklist, with the note "Use commas to separate multiple entries. Example: 192.168.32.1, 192.168.32.2, 192.168.32.8"; Whitelist, example yourdomain.com, wildcards are supported; Sender Email Address, example admin@yourdomain.com; Recipients Domain Whitelist, example yourdomain.com, wildcards are supported; Recipients Email Address Whitelist, example admin@yourdomain.com).

2. Enter the settings as explained in Table 6-3.

Table 6-4. Whitelist/Blacklist Settings
Setting / Description or Subfield and Description
Sender IP Address
218. ame
Figure 11-16: Port Triggering screen (screen image; columns shown: Name, Enable, Protocol, Outgoing Trigger Port Range (Start Port, End Port), Incoming Response Port Range (Start Port, End Port), each port in the range 0 to 65535).

2. Click the Status option arrow at the top right of the Port Triggering screen. The Port Triggering Status screen appears in a popup window.

Figure 11-17: Port Triggering Status screen (screen image; columns shown: Rule, LAN IP Address, Open Ports, Time Remaining (Sec); a refresh button).

The Port Triggering Status screen displays the information that is described in Table 11-13.

Table 11-13. Port Triggering Status Information
Item / Description or Subfield and Description
• The sequence number of the rule on screen.
• Rule: The name of the port triggering rule that is associated with this entry.
• LAN IP Address: The IP address of the computer or device that is currently using this rule.
• Open Ports: The incoming ports that are associated with this rule. Incoming traffic using one of these ports is sent to the IP address that is listed in the LAN IP Address field.
• Time Remaining: The time remaining before this rule is released and made available for other computers or devices. This timer is restarted when incoming or outgoing traffic is received.

Viewing the WAN Ports Status
You can view the status of both of the W
219. ame as the local ID and/or remote ID (see the sections below), the aggressive mode is automatically selected.

Table 7-10. Add IKE Policy Settings (continued)
Item / Description or Subfield and Description

Local
• Select Local Gateway (UTM25 only): For the UTM25 only, select a radio button to specify the WAN1 or WAN2 interface.
• Identifier Type: From the pull-down menu, select one of the following ISAKMP identifiers to be used by the UTM, and then specify the identifier in the field below:
  • Local WAN IP: The WAN IP address of the UTM. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
  • FQDN: The Internet address for the UTM.
  • User FQDN: The e-mail address for a local VPN client or the UTM.
  • DER ASN1 DN: A distinguished name (DN) that identifies the UTM in the DER encoding and ASN.1 format.
• Identifier: Depending on the selection of the Identifier Type pull-down menu, enter the IP address, e-mail address, FQDN, or distinguished name.

Remote
• Identifier Type: From the pull-down menu, select one of the following ISAKMP identifiers to be used by the remote endpoint, and then specify the identifier in the field below:
  • Local WAN IP: The WAN IP address of the remote endpoint. Wh
220. amp
Figure 6-10: Content Filtering screen 2 of 3 (screen image; Blocked Categories list, including Fraud, Politics, Pornography/Sexually Explicit, and Information Security; Blocked Categories Scheduled Days).

Content Filtering screen 3 of 3 (screen image): Blocked Categories Scheduled Days: "Do you want this schedule to be active on all days or specific days?" (All Days / Specific Days: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday). Blocked Categories Time of Day: "Do you want this schedule to be active all day or at specific times during the day?" (All Day / Specific Times, with Start Time and End Time in Hour and Minute, AM/PM). Notification Settings: "Replace the Content of a Blocked Page with the Following Text", prefilled with an HTML page (DOCTYPE HTML 4.0 Transitional; title "NETGEAR ProSecure User Notification"; a favicon link, the comment "Copyright (c) 2008 NETGEAR. All rights reserved", and a stylesheet link), with the note "Use URL to show the URL of the blocked page". Web Category Lookup: "Enter a URL and press lookup to see if it has been categorized"; Lookup Results: "Please enter a URL above an
221. an 23 16:20:44 UTM wand FW Firewall Restarted
Explanation: Logs that are generated when the firewall is restarted. This log is logged when the firewall restarts after applying any changes in the configuration.
Recommended Action: None

IPsec Restart
This section describes logs that are generated when IPsec restarts.

Table C-8. System Logs: IPsec Restart
Message: Jan 23 16:20:44 UTM wand IPSEC IPSEC Restarted
Explanation: Logs that are generated when IPsec is restarted. This log is logged when IPsec restarts after applying any changes in the configuration.
Recommended Action: None

WAN Status
This section describes the logs that are generated by the WAN component. If there are two ISP links for Internet connectivity, the router can be configured either in auto-rollover mode or load balancing mode.

Auto-Rollover Mode
When the WAN mode is configured for auto-rollover, the primary link is active and the secondary acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up. The device monitors the status of the primary link using the configured WAN Failure Detection method. This section describes the logs that are generated when the WAN mode is set to auto-rollover
222. anagement UTM10 or UTM25 Reference Manual
Package Contents
The UTM product package contains the following items:
• ProSecure Unified Threat Management Appliance UTM10 or UTM25
• One AC power cable
• Rubber feet (4)
• One rack-mounting kit (UTM25 only)
• ProSecure Unified Threat Management UTM10 or UTM25 Installation Guide
• Resource CD, including Application Notes and other helpful information
• ProSafe VPN Client Software (VPN01L)
• Service Registration Card with License Key(s)
• Warranty and Support Information Card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

Hardware Features
The front panel ports and LEDs, rear panel ports, and bottom label of the UTM are described below.

Front Panel
Viewed from left to right, the UTM front panel contains the following ports (see Figure 1-2 on page 1-10, which shows the UTM25):
• One non-functioning USB port: this port is included for future management enhancements. The port is currently not operable on the UTM.
• LAN Ethernet ports: four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
• WAN Ethernet ports: one (UTM10) or two (UTM25) independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
223. anagement UTM10 or UTM25 Reference Manual
The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. Figure 2-4 shows an example.

Figure 2-4
Any of the following action buttons might be displayed on screen (this list might not be complete):
• Apply: Save and apply the configuration.
• Reset: Reset the configuration to default values.
• Test: Test the configuration before you decide whether or not to save and apply the configuration.
• Auto Detect: Enable the UTM to detect the configuration automatically and suggest values for the configuration.
• Next: Go to the next screen (for wizards).
• Back: Go to the previous screen (for wizards).
• Search: Perform a search operation.
• Cancel: Cancel the operation.
• Send Now: Send a file or report.
When a screen includes a table, table buttons are displayed to let you configure the table entries. The nature of the screen determines which table buttons are shown. Figure 2-5 shows an example.

Figure 2-5: Table buttons (screen image; buttons shown: select all, delete, enable, disable, add, edit).
Any of the following table buttons might be displayed on screen:
• select all: Select all entries in the table.
• delete: Delete the selected entry or entries from the table.
• enable: Enable the selected entry or entries in the table.
• disable: Disable the selected entry or entries in the table.
• add: Add an entry to the table.
• edit: Edit the selected
224. ance UTM10 or UTM25 on this page
• Key Features and Capabilities on page 1-2
• Service Registration Card with License Keys on page 1-8
• Package Contents on page 1-9
• Hardware Features on page 1-9
• Choosing a Location for the UTM on page 1-14

What Is the ProSecure Unified Threat Management Appliance UTM10 or UTM25?
The ProSecure Unified Threat Management Appliance UTM10 or UTM25, hereafter referred to as the UTM, connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems or DSL modems. Dual wide area network (WAN) ports allow you to increase effective throughput to the Internet by utilizing both WAN ports to carry session traffic, or to maintain a backup connection in case of failure of your primary Internet connection.
As a complete security solution, the UTM combines a powerful, flexible firewall with a content scan engine that uses NETGEAR Stream Scanning technology to protect your network from denial of service (DoS) attacks, unwanted traffic, traffic with objectionable content, spam, phishing, and Web-borne threats such as spyware, viruses, and other malware threats.
The UTM provides advanced IPsec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds.
The UTM is a plug-and-play device that can be installed and configur
225. ant to enable Traffic Metering on WAN1? (UTM25) or Do you want to enable Traffic Metering on WAN? (UTM10)
Select one of the following radio buttons to configure traffic metering:
• Yes: Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN1 (UTM25) or WAN (UTM10) interface. Complete the fields below on the screen (these fields are presented on the right).
• No: Traffic metering is disabled. This is the default setting.

Select one of the following radio buttons to specify if or how the UTM applies restrictions when the traffic limit is reached:
• No Limit: No restrictions are applied when the traffic limit is reached.
• Download only: Restrictions are applied to incoming traffic when the traffic limit is reached. Complete the Monthly Limit field below.
• Both Directions: Restrictions are applied to both incoming and outgoing traffic when the traffic limit is reached. Complete the Monthly Limit field below.

Monthly Limit: Enter the monthly traffic volume limit in MB. The default setting is 0 MB.

Increase this month limit by: Select this checkbox to temporarily increase a previously specified monthly traffic volume limit, and enter the additional allowed volume in MB. The default setting is 0 MB. Note: When you click Apply to save these settings, this field is reset to 0 MB so that the increase is applied only once.

This month limit: This is a non-conf
226. applications blocked, Web categories blocked, and spam e-mails blocked.
To display the Dashboard screen, select Monitoring > Dashboard from the menu. Because of the size of the Dashboard screen, it is divided and presented in this manual in three figures (Figure 11-7 on page 11-15, Figure 11-8 on page 11-17, and Figure 11-9 on page 11-19), each with its own table that explains the fields. Except for setting the poll interval and clearing the statistics, you cannot configure the fields on the Dashboard screen; any changes must be made on other screens.

Figure 11-7: Dashboard screen 1 of 3 (screen image; shows "Auto refresh in 12 seconds", the Poll Interval (30 secs) with set interval and stop buttons, a Clear Statistics button, and Total Threats since last clear at 2009-05-28 17:49:34, grouped as Emails (Scanned, Malware detected, Matched filters, Spam), Web (Files scanned, with 524627 shown; Malware detected; File blocked; URLs blocked), IM/Peer to Peer (Instant Messaging blocked, Peer to Peer blocked), and Network (IPS signatures matched, Port scans detected), followed by a daily bar chart for Jul 02 through Jul 08 with the series EmailFilter, EmailVirus, EmailSpam, IMBlock, P2PBlock, IPSSigMatch, WebUrlBlock, WebMalware, and WebContentBlock).
227. are threats, the UTM's scan engine requires two components:
• A pattern file that contains the virus signature files and virus database.
• Firmware that functions in conjunction with the pattern file.
Because new virus threats can appear any hour of the day, it is very important to keep both the pattern file and scan engine firmware as current as possible. The UTM can automatically check for updates as often as every 15 minutes to ensure that your network protection is current.

To view the current versions and most recent updates of the pattern file and scan engine firmware that your UTM is running:
Select Administration > System Update from the menu. The System Update submenu tabs appear with the Signatures & Engine screen in view (see Figure 10-7 on page 10-22).

Figure 10-7: Signatures & Engine screen (screen image; the Info section lists Component / Current Version / Last Updated: Scan engine 20090327 1733 0 0, 2009-04-29; Pattern file 200905191534, 2009-05-19. The Update Settings section shows "Update Scan engine and Signatures", "Update From" (Default update server or Server address), a schedule of Weekly (day and hh:mm), Daily (hh:mm), or Every (interval), and HTTPS Proxy Settings (Enable Proxy Server; This server requires authentication, with a user name field).)

The Info section shows the following information fields for the scan engine f
228. arger than KB (Maximum 10240 KB)
Figure 2-12
Enter the settings as explained in Table 2-6 on page 2-20, then click Next to go to the following screen.

Note: After you have completed the steps in the Setup Wizard, you can make changes to the Web security settings by selecting Application Security > HTTP/HTTPS > Malware Scan. The Malware Scan screen also lets you specify HTML scanning and notification settings. For more information about these settings, see Configuring Web Malware Scans on page 6-21.

Table 2-6. Setup Wizard Step 6: Web Security Settings
Setting / Description or Subfield and Description
Action
• HTTP: From the HTTP pull-down menu, specify one of the following actions when an infected Web file or object is detected:
  • Delete file: This is the default setting. The Web file or object is deleted, and a log entry is created.
  • Log only: Only a log entry is created. The Web file or object is not deleted.
  Select the Streaming checkbox to enable streaming of partially downloaded and scanned HTTP file parts to the user. This method allows the user to experience more transparent Web downloading. Streaming is enabled by default.
• HTTPS: From the HTTPS pull-down menu, specify one of the following actions when an infected Web
229. as in the event of a malware outbreak. The scan engine has the following capabilities:
• Real-time protection: The patent-pending Stream Scanning technology enables scanning of previously undefended real-time protocols such as HTTP. Network activities susceptible to latency (for example, Web browsing) are no longer brought to a standstill.
• Comprehensive protection: Provides both Web and e-mail security, covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP. The UTM uses enterprise-class scan engines employing both signature-based and Distributed Spam Analysis to stop both known and unknown threats. The malware database contains hundreds of thousands of signatures of spyware, viruses, and other malware.
• Objectionable traffic protection: The UTM prevents objectionable content from reaching your computers. You can control access to the Internet content by screening for Web services, Web addresses, and keywords within Web addresses. You can log and report attempts to access objectionable Internet sites.
• Automatic signature updates: Malware signatures are updated as frequently as every hour, and the UTM can check automatically for new signatures as frequently as every 15 minutes.

Security Features
The UTM is equipped with several features designed to maintain security:
• PCs hidden by NAT: NAT opens a t
230. as the primary DNS server IP address.
• Secondary DNS Server: This is optional. If an IP address is specified, the UTM provides this address as the secondary DNS server IP address.
• WINS Server: This is optional. Enter a WINS server IP address to specify the Windows NetBIOS server, if one is present in your network.
• Lease Time: Enter a lease time. This specifies the duration for which IP addresses are leased to clients.
DHCP Relay: Select the DHCP Relay radio button to use the UTM as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the following setting:
• Relay Gateway: The IP address of the DHCP server for which the UTM serves as a relay.
Enable LDAP information: Select the Enable LDAP information checkbox to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the settings below.
Note: The LDAP settings that you specify as part of the VLAN profile are used only for SSL VPN and UTM authentication, but not for Web and e-mail security.
• LDAP Server: The IP address or name of the LDAP server.
• Search Base: The search objects that specify the location in the directory tree from which the LDAP search begins. You can specify multiple search objects, separated by commas. The search objects include:
  • cn (for common name)
  • ou (for organizational unit)
  • o (for organization)
  • c (for country)
  • dc (for domain)
  For example, to search
231. ask, gateway, and so on.
• Scan settings: Services to scan, primary and secondary actions, and so on.
• Update settings: Update source, update frequency, and so on.
• Anti-spam settings: Whitelist, blacklist, content filtering settings, and so on.
Back up your UTM settings periodically, and store the backup file in a safe place.

Tip: You can use a backup file to export all settings to another UTM that has the same language and management software versions. Remember to change the IP address of the second UTM before deploying it, to eliminate IP address conflicts on the network.

To back up settings:
1. On the Backup & Restore Settings screen (see Figure 10-5), next to Save a copy of current settings, click the backup button to save a copy of your current settings. A dialog screen appears, showing the file name of the backup file, backup.gpg.
2. Select Save file, and then click OK.
3. Open the folder where you have saved the backup file, and then verify that it has been saved successfully.
Note the following:
• If your browser is not configured to save downloaded files automatically, locate the folder in which you want to save the file, specify the file name, and save the file.
• If you have your browser configured to save downloaded files automatically, the file is saved to your brow
232. assword, user type, and idle timeout settings. Only administrators have read/write access. All other users have read-only access.
Note: The default password for the administrator and for a guest to access the UTM's Web management interface is password.

To modify user settings:
1. Select Users > Users from the menu. The Users screen displays (see Figure 9-5 on page 9-10).
2. In the Action column of the List of Users table, click the edit table button for the user for which you want to modify the settings.

Figure 9-10: Edit User screen (screen image; fields shown: User Name (techpub), User Authentication Type (local), Select User Type, Check to Edit Password, Enter Your Password, New Password, Confirm New Password, Idle Timeout (minutes); "Operation succeeded" status line).

3. Enter the settings as explained in Table 9-6.

Table 9-6. Edit User Settings
Setting / Description or Subfield and Description
• User Type: From the pull-down menu, select one of the pre-defined user types that determines the access credentials:
  • Administrator: User who has full access and the capacity to change the UTM configuration (that is, read/write access).
  • SSL VPN User: User who can only log in to the SSL VPN portal.
  • IPSEC VPN User: User who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN
233. at Management UTM10 or UTM25 Reference Manual
Where Do I Get the Internet Configuration Information?
There are several ways you can gather the required Internet connection information:
• Your ISPs provide all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISPs to provide it to you, or, if you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
  • For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
  • For Windows 2000/XP/Vista, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
  • For Macintosh computers, open the TCP/IP or Network control panel. Record all the settings for each section.
• After you have located your Internet configuration information, you might want to record the information in the following section.

Internet Connection Information
Print these pages with the Internet connection information. Fill in the configuration settings that are provided to you by your ISP.
ISP Login Name: The login name and password are case-sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-ma
234. at are generated when e-mails are blocked because of a keyword violation in the subject line. The message shows the date and time, protocol, client IP address, server IP address, sender, recipient, e-mail subject line, reason for the action, details, and action that is taken.
Recommended Action: None

IPS Logs
This section describes logs that are generated when traffic matches IPS rules.

Table C-23. Content Filtering and Security Logs: IPS
Message: 2008-12-31 23:59:37 drop TCP 192.168.1.2:3496 192.168.35.165:8081 WEB-CGI Trend Micro OfficeScan CGI password decryption buffer overflow attempt
Explanation: Logs that are generated when traffic matches IPS rules. The message shows the date and time, action that is taken, protocol, client IP address, client port number, server IP address, server port number, IPS category, and reason for the action.
Recommended Action: None

Port Scan Logs
This section describes logs that are generated when ports are scanned.

Table C-24. Content Filtering and Security Logs: Port Scan
Message: 2008-12-31 23:59:12 192.168.1.10 192.168.35.160 5 10 1 18 188 UDP Portscan
Explanation: Logs that are generated when port scans are detected. The message shows the date and time, client IP address, server IP address, connection number, I
235. at are in the groups for which keyword blocking has not been enabled.
Note: The whitelist has priority over the blacklist for these lists (see Configuring Web URL Filtering on page 6-30), and both the whitelist and the blacklist have priority over keyword blocking.
• Web object blocking: You can block the following Web objects: embedded objects (ActiveX, Java, Flash), proxies, and cookies, and you can disable Java scripts. Even sites on the whitelist (see Configuring Web URL Filtering on page 6-30) are subject to Web object blocking when the blocking of a particular Web object is enabled.
• Web category blocking: You can block entire Web categories because their content is undesired, offensive, or not relevant, or simply to reduce traffic.
Note: You can bypass any type of Web blocking for trusted hosts by adding the exact matching domain names to the trusted host list (see Specifying Trusted Hosts on page 6-37). Access to the domains on the trusted host list is allowed for PCs in the groups for which file extension, keyword, object, or category blocking, or a combination of these types of Web blocking, has been enabled.
Note: You can bypass any type of Web blocking for trusted URLs by adding the URLs to the whitelist (see Configuring Web URL Filter
236. ation
When You Enter a URL or IP Address, a Time-out Error Occurs
A number of things could be causing this situation. Try the following troubleshooting steps:
• Check whether other computers on the LAN work properly. If they do, ensure that your computer's TCP/IP settings are correct. If you use a fixed (static) IP address, check the subnet mask, default gateway, DNS, and IP addresses on the WAN1 ISP Settings or WAN2 ISP Settings screen of the UTM25, or on the WAN ISP Settings screen of the UTM10 (see Manually Configuring the Internet Connection on page 3-5).
• If the computer is configured correctly but still not working, ensure that the UTM is connected and turned on. Connect to the Web Management Interface and check the UTM's settings. If you cannot connect to the UTM, see the information in the previous section, Troubleshooting the Web Management Interface on page 12-3.
• If the UTM is configured correctly, check your Internet connection (for example, your modem or router) to make sure that it is working correctly.

Troubleshooting the ISP Connection
If your UTM is unable to access the Internet, you should first determine whether the UTM is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your UTM requests an IP address from the ISP. Y
237. ation: The firmware version and most recent download for the active and secondary firmware of the UTM, and for the scan engine, pattern file, and firewall.
• License Expiration Date: The license expiration dates for the e-mail protection, Web protection, and maintenance licenses. Note: When a license has expired, the license expiration date is displayed in red font.
• Hardware Serial Number: The hardware serial number of the UTM.

Figure 11-11: System Status screen 2 of 3 (screen image; shows the WAN1 Configuration section (WAN Mode Single Port, WAN State UP, NAT Enabled, Connection Type Static IP, Connection State Connected, IP Address 192.168.50.61, Subnet Mask 255.255.255.0, Gateway 192.168.50.1, Primary DNS 192.168.50.1, Secondary DNS 0.0.0.0, MAC Address 00:00:00:00:00:02), the WAN2 Configuration section (WAN Mode Single Port, WAN State DOWN, NAT Enabled, Connection Type DHCP, Connection State Not Connected, IP Address 0.0.0.0, Subnet Mask 0.0.0.0, Gateway 0.0.0.0, Primary DNS 0.0.0.0, Secondary DNS 0.0.0.0, MAC Address 00:00:00:00:00:03), and the LAN Port section (MAC Address 00:00:00:00:00:01, IP Address 192.168.1.1, DHCP Enabled, IP Subnet Mask 255.255.255.0)).

Table 11-10 on page 11-23 explains the UTM25 fields of the WAN1 Configuration, WAN2 Configuration, and LAN Port sections of the System Status screen. On the UTM10 System Status screen, there is only a WAN Configuration and LAN Port section.
238. ation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense. Changes or modifications not expressly approved by NETGEAR could void the user's authority to operate the equipment.

EU Regulatory Compliance Statement
The ProSecure Unified Threat Management Appliance UTM10 or UTM25 is compliant with the following EU Council Directives: EMC Directive 2004/108/EC and Low Voltage Directive 2006/95/EC. Compliance is verified by testing to the following standards: EN55022, EN55024, and EN60950-1. For the EU Declaration of Conformity, please visit http://kb.netgear.com/app/answers/detail/a_id/11621/sno/0

Certification of the Manufacturer/Importer
It is hereby certified that the ProSecure Unified Threat Management Appliance UTM10 or UTM25 is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some devices (for example, test transmitters) may, however, be subject to certain restrictions. Please read the notes in the operating instructions. The Federal Office for Telecommunications Approvals (Bundesamt für Zulassungen in der Telekommunikation) has been notified that this device has been placed on the market and is authorized to inspect the series for compliance with the regulations.

Certificate of the Manufacturer/Importer
It is hereby certified that the ProSecure Unified Threat Management Ap
239. ature. Periodically, the UTM sends ping packets to the remote endpoint to keep the tunnel alive. You must enter the ping IP address, detection period, and the maximum number of times that the UTM attempts to reconnect (see below).
• Ping IP Address: The IP address that the UTM pings. The address must be of a host that can respond to ICMP ping requests.
• Detection period: The period in seconds between the ping packets. The default setting is 10 seconds.
• Reconnect after failure count: The number of consecutive missed responses that are considered a tunnel connection failure. The default setting is 3 missed responses.
5. Click Apply to save your settings.

Configuring Dead Peer Connection
The Dead Peer Detection (DPD) feature maintains the IKE SA by exchanging periodic messages with the remote VPN peer.
To configure DPD on a configured IKE policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-23).
2. In the List of IKE Policies table, click the edit table button to the right of the IKE policy that you want to edit. The Edit IKE Policy screen displays. Figure 7-31 on page 7-55 shows only the top part of the screen with the General section.
3. In the IKE SA Parameters
240. bedded 6-28
one-time passcode. See OTP
online documentation 2-2; support 2-0
online games, DMZ port 4-18
option arrow, Web Management Interface 2-5
Oray.net 3-19, 3-2
order of precedence, firewall rules 5-10
OTP D-1, D-2
outbound rules: default 5-3; DMZ to WAN 5-16; examples 5-29; LAN to DMZ 5-19; LAN to WAN 5-12; order of precedence 5-10; overview 5-4; reducing traffic 10-2; service blocking 5-4; settings 5-5
outbreak: IPS, defining 11-12; malware, defining 11-12

P
package contents, UTM 1-9
packets, accepted and dropped 11-14
PAP. See also RADIUS-PAP, MIAS-PAP, or WiKID-PAP 9-2
Password Authentication Protocol. See PAP
password-protected attachments 6-8
passwords: changing 9-16, 10-9; default 2-3; restoring 12-8
pattern file 10-21
Peer-to-Peer (P2P): blocked applications, recent 5 and top 5 11-18; blocking applications 6-27; logs 11-8, 11-33, 11-35; traffic statistics 11-16
Perfect Forward Secrecy. See PFS
performance management 10-1
permanent IP address 2-13, 3-4, 3-8
PFS 7-37, 7-45
phishing 6-16
physical specifications A-2
pinging: auto-rollover 3-11; checking connections 11-44; failover attempts 3-13; responding on Internet ports 5-21; responding on LAN ports 5-22; retry interval 3-3; troubleshooting TCP/IP 2-6; using the ping utility 11-44
placement, location 1-14
Point-to-Point Tunneling Protocol. See PPTP
policies: IKE: exchange mode 7-23, 7-26; ISAKMP identifier 7-23, 7-27; managing 7-22; ModeConfig 7-26
241. ber. If the port functions at 10 Mbps, the Right LED is off. If any of these conditions do not occur, see the appropriate following section. Power LED Not On. If the Power and other LEDs are off when your UTM is turned on, make sure that the power cord is properly connected to your UTM and that the power supply adapter is properly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR Technical Support. Test LED Never Turns Off. When the UTM is powered on, the Test LED turns on for approximately 2 minutes and then turns off when the UTM has completed its initialization. If the Test LED remains on, there is a fault within the UTM. If all LEDs are still on more than several minutes after power-up: • Turn the power off and then turn it on again to see if the UTM recovers. • Clear the UTM's configuration to factory defaults. Doing so sets the UTM's IP address to 192.168.1.1. This procedure is explained in Restoring the Default Configuration and Password on page 12-8. If the error persists, you might have a hardware problem and should contact NETGEAR Technical Support. LAN or WAN Port LEDs Not On. If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure
242. Configuring NetBIOS Bridging with IPsec VPN. Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic network services, such as naming and neighborhood device discovery. Because VPN routers do not normally pass NetBIOS traffic, these network services do not function for hosts on opposite ends of a VPN connection. To solve this problem, you can configure the UTM to bridge NetBIOS traffic over the VPN tunnel. To enable NetBIOS bridging on a configured VPN tunnel: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view. 2. Click the VPN Policies submenu tab. The VPN Policies screen displays (see Figure 7-22 on page 7-31). 3. In the List of VPN Policies table, click the edit table button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays. Figure 7-31 shows only the top part of the screen, with the General section. [Figure 7-33: Edit VPN Policy screen, General section, with the Policy Name, Select Local Gateway, Remote Endpoint, Enable Rollover, Enable Keepalive, Ping IP Address, Detection period, and Reconnect after failure count fields] 4. Select the Enable NetBIOS checkbox. 5. Click Apply to save your settings.
243. Qualified Web Browsers. To configure the UTM, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 4 or higher, or Apple Safari 3 or higher with JavaScript and cookies, and you must have SSL enabled. Although these web browsers are qualified for use with the UTM's Web Management Interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is only required for the SSL VPN portal, not for the Web Management Interface. Logging In to the UTM. To connect to the UTM, your computer needs to be configured to obtain an IP address automatically from the UTM via DHCP. For instructions on how to configure your computer for DHCP, see the document that you can access from Preparing Your Network in Appendix E. To connect and log in to the UTM: 1. Start any of the qualified Web browsers, as explained in Qualified Web Browsers on this page. 2. Enter https://192.168.1.1 in the address field. The NETGEAR Configuration Manager Login screen displays in the browser (see Figure 2-1 on page 2-3, which shows the UTM25). Note: The UTM factory default IP address is 192.168.1.1. If you change the IP address, you must use the IP address that you assigned to the UTM to log in to the UTM. Using the Setup Wiza
244. ber of sessions that are allowed per user over an IP connection across the UTM. The Session Limit feature is disabled by default. To enable and configure the Session Limit feature: 1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear. 2. Click the Session Limit submenu tab. The Session Limit screen displays. [Figure 5-12: Session Limit screen, with the Do you want to enable Session Limit? radio buttons, the User Limit Parameter and User Limit fields, the Total Number of Packets Dropped due to Session Limit counter, and the Session Timeout fields (TCP Timeout, UDP Timeout, and ICMP Timeout, in seconds)] 3. Click the Yes radio button under Do you want to enable Session Limit? 4. Enter the settings as explained in Table 5-5 on page 5-24. Table 5-5 Session Limit Settings. Setting / Description (or Subfield and Description). Session Limit: User Limit Parameter: From the User Limit Parameter pull-down menu, select one of the following options: Percentage of Max Sessions: A percentage of the total session connection capacity of the UTM. Number of Sessions: An absolute number of maximum sessions. User Limit: Enter a number to indicate the user limit. If the User Limit Parameter is set to Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a single s
245. bilities: • DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN Flood. • Secure firewall. Blocks unwanted traffic from the Internet to your LAN. • Schedule policies. Permits scheduling of firewall policies by day and time. • Logs security incidents. Logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs. Stream Scanning for Content Filtering. Stream Scanning is based on the simple observation that network traffic travels in streams. The UTM scan engine starts receiving and analyzing traffic as the stream enters the network. As soon as a number of bytes are available, scanning starts. The scan engine continues to scan more bytes as they become available, while at the same time another thread starts to deliver the bytes that have been scanned. This multithreaded approach, in which the receiving, scanning, and delivering processes occur concurrently, ensures that network performance remains unimpeded. The result is that file scanning is up to five times faster than with traditional antivirus solutions, a performance advantage that you will notice. Stream Scanning also enables organizations to withstand massive spikes in traffic
246. ble A-2 shows the physical and technical specifications for the UTM. Table A-2 UTM Physical and Technical Specifications. Feature / Specification. Network Protocol and Standards Compatibility: Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE). Power Adapter: Universal input, 100-240V AC, 50-60 Hz, 1.2 Amp maximum. Physical Specifications: Dimensions (W x H x D): 33 x 4.3 x 20.9 cm (13 x 1.7 x 8.2 inches). Weight: 2.1 kg (4.6 lb). Environmental Specifications: Operating temperatures: 0 to 45 °C (32 to 113 °F). Storage temperatures: -20 to 70 °C (-4 to 158 °F). Operating humidity: 90% maximum relative humidity, noncondensing. Storage humidity: 95% maximum relative humidity, noncondensing. Major Regulatory Compliance: Meets requirements of FCC Class A, CE, WEEE, RoHS. Interface Specifications: 4 LAN, one of which is a configurable DMZ interface, AutoSense 10/100/1000BASE-T, RJ-45. UTM25: 2 WAN; UTM10: 1 WAN; AutoSense 10/100/1000BASE-T, RJ-45. 1 administrative console port (RS-232). 1 USB (non-functioning, inclu
247. ble [Figure 5-26: Source MAC Filtering screen, with the MAC Filtering Enable (Yes/No) radio buttons, the Policy for MAC Addresses listed below pull-down menu, the MAC Addresses table, and the Add Source MAC Address field] 2. In the MAC Filtering Enable section, select the Yes radio button. 3. In the same section, select one of the following options from the pull-down menu next to Policy for MAC Addresses listed below: • Block. Traffic coming from all addresses in the MAC Addresses table is blocked. • Permit. Traffic coming from all addresses in the MAC Addresses table is permitted. 4. Below Add Source MAC Address, build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field. A MAC address must be entered in the form xx:xx:xx:xx:xx:xx, where x is a numeric 0 to 9 or a letter between a and f inclusive, for example aa:11:bb:22:cc:03. 5. Click the add table button. The MAC address is added to the MAC Addresses table. 6. Click Apply to save your settings. To remove one or more entries from the table: 1. Select the checkbox to the left of the MAC address that you want to delete, or click the select all table button to select all entries. 2. Click the delete table button. Setting up IP/MAC Bindings. IP/MAC Binding allows you to bind an IP address to a
248. boot process, the Backup & Restore Settings screen remains visible. The reboot process is complete after several minutes, when the Test LED on the front panel goes off. Warning: When you push the hardware Reset button or click the software default button, the UTM settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost. Back up your settings if you intend on using them. Note: After rebooting with factory default settings, the UTM's password is password and the LAN IP address is 192.168.1.1. Problems with Date and Time. The System Date & Time screen displays the current date and time of day (see Configuring Date and Time Service on page 10-24). The UTM uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include: • Date shown is January 1, 2000. Cause: The UTM has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the UTM, wait at least five minutes and check the date and time again. • Time is off by one hour. Cause: The UTM
249. buted Spam Analysis (not applicable to IMAP). • Web Reports. For each protocol (HTTP, HTTPS, and FTP), the report shows the following information per day, both in tables and graphics: number of connections; traffic amount in MB; number of malware incidents; number of files blocked; number of URLs blocked (not applicable to FTP). • System Reports. The report shows IPS, application, and malware incidents. The following IPS incidents are shown per day, both in tables and graphics: • Number of detected port scans and top 10 scanned destination IP addresses by count. • Number of Web attacks. • Number of mail attacks. • Number of database attacks. • Number of application attacks. • Number of network protocol attacks. • Number of malware attacks. • Number of miscellaneous attacks. • Top 10 attacking IPS rule names by count, top 10 attacking source IP addresses by count, and top 10 attacked destination IP addresses by count. The following application incidents are shown per day, both in tables and graphics: • Number of instant messaging application violations, top 10 violating instant messaging applications by count, and top 10 violating instant messaging clients by count. • Number of peer-to-peer application violations, top 10 violating peer-to-peer applications by c
250. button. If an existing route is no longer needed for any reason, you can delete it. Using Network Resource Objects to Simplify Policies. Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. You do not need to redefine the same set of IP addresses or address ranges when you configure the same access policies for multiple users. Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies. Adding New Network Resources. To define a network resource: 1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view. 2. Click the Resources submenu tab. The Resources screen displays. Figure 8-16 shows some resources in the List of Resources table as an example. [Figure 8-16: Resources screen, with the Policies, Resources, Portal Layouts, SSL VPN Client, and Port Forwarding submenu tabs]
251. c configuration of PCs, 1-6; dynamic, 3-19; looking up an address, 11-45; ModeConfig, 7-45; proxy, 1-6, 2-11, 4-10, 4-22; proxy, VLANs, 4-5; queries, auto-rollover, 3; server IP addresses, 2-10, 2-13, 3-9, 4-9, 4-21, 8-10, 8 af; documentation, online, 2-2; documents, reference, E; domain name: PPPoE, 2-13, 3-7; PPTP, 2-12, 3-7; SSL VPN, 8-6; domain name server, see DNS; domains, for authentication, 9-2, 9-10; DoS, 1-4, 5-7, 5-21, 5-22, 5-50; downloading SSL certificate, 2-3; DPD, 7-28, 7-56; DSCP, 5-35; dual WAN ports (UTM25): auto-rollover, B-6, B-8, B-10; FQDNs, 3-19, 7-1, 7-2, B-1, B-9; load balancing, 3-9, 3-10, B-7, B-8, B-10; network planning, B; overview, 1-3; duplex, half and full, 3-23; Dynamic DNS, see DDNS; Dynamic Host Configuration Protocol, see DHCP, 1-6; DynDNS.org, 3-19, 3-21. E. e-commerce, 8; edge device, 7-38, 7-39; eDonkey, 2-17, 6-21; EICAR, 2-26; e-mail notification server: configuring manually, 11-5; settings using the Setup Wizard, 2-23; SMTP server, 2-23; e-mails: audio and video files, filtering, 6-17; compressed files, filtering, 6; Distributed Spam Analysis, 6-16, 6-17; executable files, filtering, 6; filter logs, 11-8, 11-33, 11-35; protection, see SMTP, POP3, or IMAP; protocols, 6-4; real-time blacklist, 6-4; reports, 39; security settings using the Setup Wizard, 2-18; spam protection, 6; traffic statistics, 11-16; whitelist and blacklist, 6-12; embedded objects, 6-28; environmental specifications, A-3; error messages and log messages, under
252. can only delete the domain with the identical name as the default group (see Configuring Domains on page 9-2), which causes the default group to be deleted. Click the delete table button. Note: You cannot delete a default group that was automatically created when you created a new domain on the second SSL VPN Wizard screen (see SSL VPN Wizard Step 2 of 6: Domain Settings on page 8-5). You can only delete such a default group by deleting the domain for which the group was created (see Configuring Domains on page 9-2). Editing Groups. To edit a VPN group: 1. Select Users > Groups from the menu. The Groups screen displays (see Figure 9-3 on page 9-7). 2. In the Action column of the List of Groups table, click the edit table button for the group that you want to edit. The Edit Groups screen displays (see Figure 9-4 on page 9-9). With the exception of groups that are associated with domains that use the LDAP authentication method, you can only modify the idle timeout settings. [Figure 9-4: Edit Groups screen, with the Group Name, LDAP attribute 1 to 4, and Idle Timeout (Minutes) fields] 3. Modify the idle timeout period in minutes in the Idle Timeout field
253. cans for malware threats, you can set scanning exclusion rules for certain IP addresses and ports. Setting Web Access Exception Rules. You can set exception rules for members of a LAN group to allow access to applications, Web categories, and URLs that you have blocked for all other users, or, the other way around, to block access to applications, Web categories, and URLs that you have allowed access to for all other users. To specify members of a LAN group and to customize LAN group names, see Managing Groups and Hosts (LAN Groups) on page 4-12. To set Web access exception rules: 1. Select Application Security > Block/Accept Exceptions from the menu. The Block/Accept Exceptions screen displays. This screen shows the Exceptions table, which is empty if you have not specified any exception rules. Figure 6-18 shows three exception rules in the Exceptions table as an example. [Figure 6-18: Block/Accept Exceptions screen, with three example exception rules (block/allow action, group, category, and schedule columns)]
254. cations that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Once configured, port triggering operates as follows: 1. A PC makes an outgoing connection using a port number that is defined in the Port Triggering Rules table. 2. The UTM records this connection, opens the additional incoming port or ports that are associated with the rule in the port triggering table, and associates them with the PC. 3. The remote system receives the PC's request and responds using the incoming port or ports that are associated with the rule in the port triggering table on the UTM. 4. The UTM matches the response to the previous request and forwards the response to the PC. Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules and most likely would be blocked. Note these restrictions on port triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application, there is a short time-out period before the application can be used by another PC. This time-out period is
255. ccess messages, update failed messages, network connection errors, and so on. • Malware. All intercepted viruses, spyware, and other malware threats. • Email filters. All e-mails that are blocked because of file extension and keyword violations. • Content filters. All attempts to access blocked Web sites and URLs. • IPS. All IPS events. • Port Scan. All port scan events. • Instant Messaging/Peer to Peer. All instant messaging and peer-to-peer access violations. • Firewall. The firewall logs that you have specified on the Firewall Logs screen (see Configuring and Activating Firewall Logs on page 11-13). • IPSEC VPN. All IPsec VPN events. • SSL VPN. All SSL VPN events. View All / Search Criteria: Select one of the following radio buttons: • View All. Display or download the entire selected log. • Search Criteria. Query the selected log by configuring the search criteria that are available for the selected log. Start Date/Time: From the pull-down menus, select the year, month, day, hours, and minutes for the start date and time. This field is available for the following logs: Traffic, Spam, Service, Malware, Email filters, Content filters, Port Scan, IPS, Instant Messaging/Peer to Peer. End Date/Time: From the pull-down menus, select the year, month, day, hours, and minutes for the end date and time. This field is available for the following logs: Traffic, Spam, Service, Malware, Email filte
256. [Figure 5-17: LAN WAN Rules screen showing the Default Outbound Policy, the Outbound Services table, and the Inbound Services table for the inbound rules example. Callouts: 1. Select Any and Allow Always or Allow by Schedule. 2. Place the rule below all other inbound rules.] Outbound Rules Example. Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other non-essential sites. LAN WAN Outbound Rule: Blocking Instant Messenger. If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also enable the UTM to log any attempt to use Instant Messenger during that blocked period.
257. ce Ports to Scan [Figure 6-1: Email scan settings, with the SMTP, POP3, and IMAP Enable checkboxes and the Ports to Scan fields] 2. In the Email section of the screen, select the protocols to scan by selecting the Enable checkboxes, and enter the port numbers if different from the default port numbers: • SMTP. Simple Mail Transfer Protocol (SMTP) scanning is enabled by default on port 25. • POP3. Post Office Protocol 3 (POP3) scanning is enabled by default on port 110. • IMAP. Internet Message Access Protocol (IMAP) scanning is enabled by default on port 143. Note: If a protocol uses a port other than the standard service port (for example, port 25 for SMTP), enter this non-standard port in the Ports to Scan field. For example, if the SMTP service on your network uses both port 25 and port 2525, enter both port numbers in the Ports to Scan field and separate them by a comma. Note: The following protocols are not supported by the UTM: SMTP over SSL using port number 465, POP3 over SSL using port number 995, and IMAP over SSL using port number 993. 3. Click Apply to save your settings. Customizing E-mail Anti-Virus and Notification Settings. Whether or not the UTM detects an e-mail virus, you can configure it to take a variety of actions (some of the default actions are listed in Table 6-1 on page 6-2) and send notifications, e-mails, or both to the
258. ch the rule applies: TCP: The rule applies to an application that uses the Transmission Control Protocol (TCP). UDP: The rule applies to an application that uses the User Datagram Protocol (UDP). Outgoing (Trigger) Port Range: Start Port: The start port (1-65534) of the range for triggering. End Port: The end port (1-65534) of the range for triggering. Incoming (Response) Port Range: Start Port: The start port (1-65534) of the range for responding. End Port: The end port (1-65534) of the range for responding. 3. Click the add table button. The new port triggering rule is added to the Port Triggering Rules table. To edit a port triggering rule: 1. In the Port Triggering Rules table, click the edit table button to the right of the port triggering rule that you want to edit. The Edit Port Triggering Rule screen displays. 2. Modify the settings that you wish to change (see Table 5-10). 3. Click Apply to save your changes. The modified port triggering rule is displayed in the Port Triggering Rules table. To display the status of the port triggering rules, click the Status option arrow at the top right of the Port Triggering screen. A popup window appears, displaying the status of the port triggering rules. [Figure 5-29: Port Triggering Status popup, with the Rule, LAN IP Address, Open Ports, and Time Remaining (Sec) columns and a refresh button]
259. ched devices, 10-14; community strings, 10-15; configuring, 10-14; description, 7; overview, 10-14; traps, 10-15; trusted hosts, 10-15; source MAC filtering: configuring MAC addresses, 5-40; logging matched packets, 11-14; reducing traffic, 10-5; spam: blocked messages, recent 5 and top 5, 11-18; Distributed Spam Analysis, 6-16; logs, 11-8, 11-32, 11-34; protection, 6-11; real-time blacklist (RBL), 6-4; whitelist and blacklist, 6-2; Spamcop, 6-15; Spamhaus, 6-15; specifications, physical and technical, A-2; speed: ports, 3-23; uploading and downloading, 3-24; SPI, 1-2, 1-4, 5-1, 7-35; split tunnel, 8-25; spoofing MAC addresses, 2-6; SSL certificate: warning and downloading, 2-3; connection and HTTPS scanning, 6-34; SSL VPN: ActiveX web cache cleaner, 8-5, 8-22; ActiveX-based client, 8; authentication, 8-6; cache control, 8-4, 8-21; client IP address range and routes, using SSL VPN Wizard, 8-9; client routes, 8-27; domain name, 8-6; domain settings, using SSL VPN Wizard, 8-5; domains, groups, and users, 8-22; FQDNs, port forwarding, 8-18; logs, 8-16, 11-9, 11-33, 11-35; manual configuration steps, 8-17; network resources, 8-28; overview, 1-3; policies: managing, 8-31; settings, 8-34; port forwarding: description, 8-2; host names, 8-24; IP addresses, 8-23; port numbers, 8-12, 8-24; using SSL VPN Wizard, 8-1; portal: accessing, 8-14; options, 8; settings, configuring manually, 8-18; settings
260. contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address. Ending IP Address: Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between the Starting IP Address and this IP address. The IP address 192.168.1.100 is the default ending address. Note: The starting and ending DHCP IP addresses should be in the same network as the LAN TCP/IP address of the UTM (the IP address in the LAN TCP/IP section above). Primary DNS Server: This is optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM uses the VLAN IP address as the primary DNS server IP address. Secondary DNS Server: This is optional. If an IP address is specified, the UTM provides this address as the secondary DNS server IP address. WINS Server: This is optional. Enter a WINS server IP address to specify the Windows NetBIOS server, if one is present in your network. Lease Time: Enter a lease time. This specifies the duration for which IP addresses are leased to clients. DHCP Relay: Select the DHCP Relay radio button to use the UTM as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the followin
261. created. Note: IPsec VPN users always belong to the default domain (geardomain) and are not assigned to groups. Note: Groups that are defined in the User menu are used for setting SSL VPN policies. These groups should not be confused with LAN groups that are defined on the LAN Groups screen and that are used to simplify firewall policies. For information about LAN groups, see Managing Groups and Hosts (LAN Groups) on page 4-12. Creating and Deleting Groups. To create a VPN group: 1. Select Users > Groups from the menu. The Groups screen displays. Figure 9-3 shows the UTM's default group, geardomain, and, as an example, several other groups in the List of Groups table. [Figure 9-3: Groups screen, with the List of Groups table (Name, Domain, Idle Timeout), showing the default groups prosecure, LDAPDomain, and geardomain, and the Add New Group section] The List of Groups table displays the VPN groups with the following fields: • Checkbox. Allows you to select the group in the table. • Name. The name of the group. If the group name is appended by an asterisk, the group was created by default when you created the domain with the identical name as the default group. You cannot delete
262. creen, click Back on the Windows menu bar. Tracing a Route. A traceroute lists all routers between the source (the UTM) and the destination IP address. To send a traceroute: 1. Locate the Network Diagnostics section on the Diagnostics screen. 2. In the IP Address field, enter the IP address for which you want to trace the route. 3. Click the traceroute button. The results of the traceroute are displayed in a new screen. To return to the Diagnostics screen, click Back on the Windows menu bar. Displaying the Routing Table. Displaying the internal routing table can assist NETGEAR Technical Support to diagnose routing problems. To display the routing table: 1. Locate the Network Diagnostics section on the Diagnostics screen. 2. Next to Display the Routing Table, click the display button. The routing table is displayed in the Route Display screen that appears as a popup window. Looking up a DNS Address. A DNS (Domain Name Server) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address. To look up a DNS address: 1. Locate the Perform a DNS Lookup section on the Diagnostics screen. 2. In the Domain Name field, enter a domain name. 3. Click the loo
263. ct IP Subnet. Subnet: Enter the LAN IP subnet address of the UTM that is displayed on the UTM's VPN Policies screen (see Figure 7-10 on page 7-11). In this example, the subnet address is 192.168.1.0. Mask: Enter the LAN IP subnet mask of the UTM that is displayed on the UTM's VPN Policies screen (see Figure 7-10 on page 7-11). In this example, the subnet mask is 255.255.255.0. Protocol: From the pull-down menu, select All. Use: Select the Use checkbox. Then, from the pull-down menu, select Secure Gateway Tunnel. ID Type: Left pull-down menu: From the left pull-down menu, select Domain Name. Then, below, enter the local FQDN that you entered on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-9). In this example, the domain name is utm_local.com. Right pull-down menu: From the right pull-down menu, select Gateway IP Address. Then, below, enter the IP address of the WAN interface that you selected on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-9). In this example, the WAN IP address is 192.168.50.61. Note: You can find the WAN IP address on the Connection Status screen for the selected WAN port. For more information, see Viewing the WAN Ports Status on page 11-27. 4. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.
264. d delete: Deletes the rule or rules. LAN WAN Outbound Services Rules. You can define rules that specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule may block or allow traffic between an internal IP (LAN) address and any external (WAN) IP address according to the schedule created in the Schedule menu. You can also tailor these rules to your specific needs (see Administrator Tips on page 5-2). Note: This feature is for advanced administrators only. Incorrect configuration might cause serious problems. To create a new outbound LAN WAN service rule: 1. In the LAN WAN Rules screen, click the add table button under the Outbound Services table. The Add LAN WAN Outbound Service screen displays. [Figure 5-3: Add LAN WAN Outbound Service screen, with the Service, Action, Select Schedule, LAN Users (Start/Finish), WAN Users (Start/Finish), QoS Profile, Log, Bandwidth Profile, and NAT IP fields] 2. Enter the settings as explained in Table 5-2 on page 5-5. 3. Click Apply to save your changes. The new rule is now added to the Outbound Services table. LAN
265. d Web Scan Settings. For most network environments, the default scan settings and actions that are shown in Table 6-1 work well, but you can adjust these to the needs of your specific environment.
Table 6-1 Default E mail and Web Scan Settings (Scan Type: Default Scan Setting, Default Action if applicable)
Email Server Protocols: SMTP: Enabled, Block infected e mail. POP3: Enabled, Delete attachment if infected. IMAP: Enabled, Delete attachment if infected.
Web Server Protocols: HTTP: Enabled, Delete file if malware threat detected. HTTPS: Disabled, No action (scan disabled). FTP: Enabled, Delete file if malware threat detected.
Instant Messaging Services: Google Talk: Allowed. Jabber: Allowed. mIRC: Allowed. MSN Messenger: Allowed. Yahoo Messenger: Allowed. Skype: Allowed.
Peer to Peer (P2P) Services: BitTorrent: Allowed. eDonkey: Allowed. Gnutella: Allowed.
Web Objects: Embedded Objects (ActiveX, Java, Flash): Allowed. Javascript: Allowed. Proxy: Allowed. Cookies: Allowed.
Web Content Categories: Commerce: Allowed. Drugs and Violence: Blocked. Education: Allowed, with the exception of School Cheating
266. d authentication approach because it typically relies on what you know and what you have. A common example of two factor authentication is a bank ATM card that has been issued by a bank institute: the PIN to access your account is something you know; the ATM card is something you have. You must have both of these factors to gain access to your bank account. Similar to the ATM card, access to the corporate networks and data can also be strengthened using a combination of multiple factors, such as a PIN and a token (hardware or software), to validate the users and reduce the incidence of online identity theft. NETGEAR Two Factor Authentication Solutions. NETGEAR has implemented 2 Two Factor Authentication solutions from WiKID. WiKID is the software based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two Factor Authentication on NETGEAR SSL and VPN firewall products. The WiKID solution is based on a request response architecture where a one time passcode (OTP) that is time synchronized with the authentication server is generated and sent to the user after the validity of a user credential has been confirmed by the server. The request response architecture is capable of self service initial
267. d before you specify the e mail alert settings. Send alert to: In addition to inserting a warning message to replace an infected e mail, you can configure the UTM to send a notification e mail to the sender, the recipient, or both by selecting the corresponding checkbox or checkboxes. By default, both checkboxes are deselected and no notification e mail is sent. Table 6-2 E mail Anti Virus and Notification Settings (continued). Subject: The default subject line for the notification e mail is Malware detected. You can change this subject line. Message: The warning message informs the sender, the recipient, or both about the name of the malware threat. You can change the default message to include more information. Note: Make sure that you keep the VIRUSINFO meta word in a message to enable the UTM to insert the proper malware information. In addition to the VIRUSINFO meta word, you can insert the following meta words in your customized message: TIME, PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME. 3. Click Apply to save your settings. E mail Content Filtering. The UTM provides several options to filter unwanted content from e mails. You can filter content from e mails based
268. d click lookup. Click here to Report a URL Misclassification. Figure 6-11 Content Filtering screen (3 of 3). 3. Enter the settings as explained in Table 6-8 on page 6-28. Table 6-8 Content Filtering Settings. Content Filtering: Log HTTP Traffic. Select this checkbox to log HTTP traffic. For information about how to view the logged traffic, see Querying Logs and Generating Reports on page 11-32. By default, HTTP traffic is not logged. Note: Logging HTTP traffic might affect the UTM's performance (see Performance Management on page 10-1). Block Files with the Following Extensions. By default, the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions; the maximum total length of this field, excluding the delimiter commas, is 160 characters. You can also use the pull down menu to add predefined file extensions from a specific category to the File Extension field: None: No file extensions are added to the File Extension field. This is the default setting. Executables: Executable file extensions (exe, com, dll, so, lib, scr, bat, and cmd) are added to the File Extension field.
269. d from all scanning. Destination IP: The destination IP address and optional subnet mask that are excluded from all scanning. Port: The port number that is excluded from all scanning. Brief Description: A description of the exclusion rule for identification and management purposes. 3. In the Add column, click the add table button to add the exclusion rule to the Scanning Exclusions table. The new exclusion rule is enabled by default. To disable a rule, select the checkbox in the Enable column for the rule. Unlike the operation of the Web Management Interface on other screens, you do not need to click any other button to disable the rule. To delete an exclusion rule from the Scanning Exclusions table, click the delete table button in the Action column to the right of the rule that you want to delete. Chapter 7 Virtual Private Networking Using IPsec Connections. This chapter describes how to use the IP security (IPsec) virtual private networking (VPN) features of the UTM to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections: Considerations for Dual WAN Port Systems (UTM25 Only), on this page; Using the IPsec VPN
270. d or dynamic. If the IP address is dynamic, you must use a FQDN. If the IP address is fixed, a FQDN is optional. VPN Telecommuter (Dual Gateway WAN Ports for Improved Reliability). In a dual WAN port auto rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in Figure B-18) because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. Figure B-18 Telecommuter Example, Dual WAN Ports Before Rollover (Gateway A, a VPN router at the employer's main office, with the WAN1 port active and the WAN2 port inactive; Client B, a remote PC at the telecommuter's home office running the NETGEAR ProSafe VPN Client, behind NAT Router B; fully qualified domain names required for fixed IP addresses and required for dynamic IP addresses). The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you must always use a FQDN because the active WAN port could be either WAN1 or WAN2; that is, the IP address of the active WAN port is not known in advance. After a rollover of the WAN port has occurred, the previously inactive gateway WAN port becomes the active port (port WAN2 in Figure B-19), and the remote PC must re
271. ded for future management enhancements. Table A-3 shows the IPsec VPN specifications for the UTM.
Table A-3 UTM IPsec VPN Specifications (Setting: Specification)
Network Management: Web based configuration and status monitoring
Number of concurrent users supported: 10 (UTM10) or 25 (UTM25) site to site IPsec VPN tunnels
IPsec encryption algorithm: DES, 3DES, AES 128, AES 192, AES 256
IPsec authentication algorithm: SHA 1, MD5
IPsec key exchange: IKE, Manual Key, Pre Shared Key, PKI X.500
IPsec authentication types: Local User database, RADIUS PAP, RADIUS CHAP
IPsec certificates supported: CA digital certificate, Self digital certificate
Table A-4 shows the SSL VPN specifications for the UTM.
Table A-4 UTM SSL VPN Specifications (Setting: Specification)
Network Management: Web based configuration and status monitoring
Number of concurrent users supported: 5 (UTM10) or 13 (UTM25) dedicated SSL VPN tunnels
SSL versions: SSLv3, TLS1.0
SSL encryption algorithm: DES, 3DES, ARC4, AES 128, AES 192, AES 256
SSL message integrity: MD5, SHA 1, MAC MD5, SHA 1, HMAC MD5, SHA 1
SSL authentication types
272. default message. By default, this checkbox is deselected and no safe stamp is inserted. The attachment(s) was not scanned for malware because it exceeded the scan size limit: Select this checkbox to append a default warning message to an e mail if the message or an attachment to the message exceeds the scan size limit. The warning message informs the end user that the attachment was skipped and might not be safe to open. You can change the default message. By default, this checkbox is selected and a warning message is appended to the e mail. Replace Infected Attachments with the Following Warning Message: Select this checkbox to replace an e mail that is infected with a default warning message. The warning message informs the end user about the name of the malware threat. You can change the default message to include the action that the UTM has taken (see example below). By default, this checkbox is selected and a warning message replaces an infected e mail. Note: Make sure that you keep the VIRUSINFO meta word in a message to enable the UTM to insert the proper malware information. The following is an example message where the VIRUSINFO meta word is replaced with the EICAR test virus: This attachment contains malware. File 1.exe contains malware EICAR. Action: Delete. Email Alert Settings. Note: Ensure that the E mail Notification Server (see Configuring the E mail Notification Server on page 11-5) is configure
273. detailed separately in this chapter. Note: For information about how to configure the WAN meters, see Enabling the WAN Traffic Meter on page 11-1. Configuring the Internet Connections. Note: The initial Internet configuration of the UTM is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. If you used the Setup Wizard to configure your Internet settings, you need this section only if you want to make changes to your Internet connections. To set up your UTM for secure Internet connections, you configure WAN ports 1 and 2. The Web Configuration Manager offers two connection configuration options: automatic detection and configuration of the network connection; manual configuration of the network connection. Each option is detailed in the sections following. Automatically Detecting and Connecting. To automatically configure the WAN ports for connection to the Internet: 1. Select Network Config > WAN Settings from the menu. On the UTM25, the WAN Settings tabs appear with the WAN1 ISP Settings screen in view (see Figure 3-1 on page 3-3, which shows the UTM25 screen). On the UTM10, the WAN ISP screen displays. Figure 3-1 WAN1 ISP Settings screen (Network Config menu; DMZ Setup, Routing, Email Notification tabs; Secondary
274. digest. Authentication Method: Select one of the following radio buttons to specify the authentication method. Pre shared key: a secret that is shared between the UTM and the remote endpoint. RSA Signature: uses the active Self Certificate that you uploaded on the Certificates screen (see Managing Self Certificates on page 9-20). The Pre shared key is masked out when you select the RSA Signature option. Pre shared key: A key with a minimum length of 8 characters and no more than 49 characters. Do not use a double quote in the key. Diffie Hellman (DH) Group: The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the pull down menu, select one of the following three strengths: Group 1 (768 bit); Group 2 (1024 bit), this is the default setting; Group 5 (1536 bit). Note: Ensure that the DH Group is configured identically on both sides. SA Lifetime (sec): The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying must occur. The default is 28800 seconds (8 hours). Enable Dead Peer Detection: Note: See also Configuring Keepalives and Dead Peer Detection on page 7-54. Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled. Yes: This feature is enabled; when the UTM25 detects an IKE connection failure, it deletes the IPsec and IKE SA and forces a reest
275. djust for Daylight Savings Time checkbox. NTP Server (default or custom): From the pull down menu, select an NTP server. Use Default NTP Servers: The UTM's RTC is updated regularly by contacting a default Netgear NTP server on the Internet. Use Custom NTP Servers: The UTM's RTC is updated regularly by contacting one of the two NTP servers (primary and backup), both of which you must specify in the fields that become available with this menu selection. Note: If you select this option but leave either the Server 1 or Server 2 field blank, both fields are set to the default Netgear NTP servers. Note: A list of public NTP servers is available at http://ntp.isc.org/bin/view/Servers/WebHome. Server 1 Name / IP Address: Enter the IP address or host name of the primary NTP server. Server 2 Name / IP Address: Enter the IP address or host name of the backup NTP server. Setup Wizard Step 4 of 10: Security Services (screen with Email, Web, and Instant Messaging sections showing the Enable Service, Ports to Scan, and Block Service columns).
276. ... 3-2
Automatically Detecting and Connecting 3-2
Setting the UTM's MAC Address 3-5
Manually Configuring the Internet Connection 3-5
Configuring the WAN Mode (Required for the UTM25's Dual WAN Mode) 3-9
Network Address Translation (UTM10 and UTM25) 3-10
Classical Routing (UTM10 and UTM25) 3-10
Configuring Auto Rollover Mode (UTM25 Only) 3-11
Configuring Load Balancing and Optional Protocol Binding (UTM25 Only) 3-14
Configuring Secondary WAN Addresses 3-17
Configuring Dynamic DNS 3-19
Configuring Advanced WAN Options 3-22
Additional WAN Related Configuration Tasks 3-24
Chapter 4 LAN Configuration
Managing Virtual LANs and DHCP Options 4-1
Managing the UTM's Port Based VLANs 4-2
VLAN DHCP Options
277. does not automatically sense Daylight Savings Time. Check the Time Zone menu and select or deselect the checkbox marked Adjust for Daylight Savings Time. Using Online Support. The UTM includes online support tools that allow NETGEAR Technical Support to securely perform diagnostics of the UTM and that let you submit suspicious files for analysis by NETGEAR. You can also access the knowledge base and documentation online. Enabling Remote Troubleshooting. One of the advanced features that the UTM provides is online support through a support tunnel. With this feature, NETGEAR Technical Support staff is able to analyze, from a remote location, any difficulty you might be experiencing with the UTM and to perform advanced diagnostics. Make sure that ports 443 and 2222 are open on your firewall and that you have the support key that was given to you by NETGEAR. To initiate the support tunnel: 1. Select Support > Online Support from the menu. The Online Support screen displays. Figure 12-2 Online Support screen (Malware Analysis, Registration, Knowledge Base, Documentation, Online Support tabs; Support Key field; Tunnel Status OFF). 2. In the Support Key field, enter the support key that was given to you by NETGEAR. 3. Click Connect. When the tunnel is established, the tunnel status field displays ON. To terminate the tunnel, click Disco
278. dress, enter the netmask length (0 to 32). Note: By default, a single IP address is assigned a netmask length of 32. 7. Click the add table button. The address is added to the Defined Addresses table. 8. Repeat step 6 and step 7 for any other addresses that you want to add to the Defined Addresses table. To delete one or more addresses: 1. In the Defined Addresses table, select the checkbox to the left of the address that you want to delete, or click the select all table button to select all addresses. 2. Click the delete table button. Configuring Login Restrictions Based on Web Browser. To restrict logging in based on the user's browser: 1. Select Users > Users from the menu. The Users screen displays (see Figure 9-5 on page 9-10). 2. In the Action column of the List of Users table, click the policies table button for the user for which you want to set login policies. The Policies submenu tabs appear with the Login Policies screen in view. 3. Click the by Client Browser submenu tab. The by Client Browser screen displays. Figure 9-9 shows a browser in the Defined Browsers table as an example (by Client Browser screen for user techpub, with the Deny Login from Defined Browsers and Allow Login options).
279. dresses for the range to which the rule is applied. Table 3-6 Protocol Binding Settings (UTM25 Only) (continued). Source Network (continued): Group 1 to Group 8: If this option is selected, the rule is applied to the devices that are assigned to the selected group. Note: You may also assign a customized name to a group (see Changing Group Names in the Network Database on page 4-16). Destination Network: The destination network settings determine which Internet locations, based on their IP address, are covered by the rule. Select one of the following options from the pull down menu: Any: All Internet IP addresses. Single address: In the Start Address field, enter the IP address that is covered by the rule. Address range: In the Start Address field and End Address field, enter the IP addresses for the range that is covered by the rule. Click the add table button in the rightmost column to add the protocol binding rule to the Protocol Binding table. The rule is automatically enabled, which is indicated by the status icon that displays a green circle. Repeat step a and step b for each protocol binding rule that you want to add to the Protocol Binding table. If not all table ent
280. duration of the lease. DHCP Relay: DHCP relay options allow you to make the UTM a DHCP relay agent for a VLAN. The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP Relay Agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet. If you do not configure a DHCP Relay Agent for a VLAN, its clients can only obtain IP addresses from a DHCP server that is on the same subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you must configure the DHCP Relay Agent on the subnet that contains the remote clients, so that the DHCP Relay Agent can relay DHCP broadcast messages to your DHCP server. DNS Proxy: When the DNS Proxy option is enabled for a VLAN, the UTM acts as a proxy for all DNS requests and communicates with the ISP's DNS servers (as configured on the WAN ISP Settings screens). All DHCP clients receive the primary and secondary DNS IP addresses along with the IP address where the DNS proxy is located, that is, the UTM's LAN IP address. When the DNS Proxy option is disabled for a VLAN, all DHCP clients receive the DNS IP addresses of the ISP but without the DNS proxy IP address. A DNS proxy is particularly useful in auto rollover mode. For example, if the DNS servers for each WAN connection are different servers, then a link failure might render
281. dwidth profiles, see Creating Bandwidth Profiles on page 5-36. Port Triggering: Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules and most likely would be blocked. For the procedure on how to configure port triggering, see Configuring Port Triggering on page 5-44. Configuring the DMZ Port: The De Militarized Zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN. The DMZ can be used to host servers such as a Web server, FTP server, or e mail server and provide public access to them. The fourth LAN port on the UTM (the rightmost LAN port) can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the
282. dynamic (see Figure B-6 on page B-9). Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic. Figure B-6 Dual WAN Ports, Load Balancing (router with WAN IPs netgear1.dyndns.org and netgear2.dyndns.org). Virtual Private Networks (VPNs): IP addresses of WAN ports; use of fully qualified domain names required for dynamic IP addresses and optional for fixed IP addresses. When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall's dual WAN port depends on the configuration being implemented.
Table B-2 IP addressing requirements for VPNs in dual WAN port systems (Configuration and WAN IP address: Single WAN Port Configurations (Reference Cases); Dual WAN Port Configurations, Rollover Mode; Dual WAN Port Configurations, Load Balancing Mode)
VPN Road Warrior (client to gateway), Fixed: Allowed (FQDN optional); FQDN required; Allowed (FQDN optional)
VPN Road Warrior (client to gateway), Dynamic: FQDN required; FQDN required; FQDN required
VPN Gateway to Gateway, Fixed: Allowed (FQ
283. e Configuring Dynamic DNS on page 3-19. For information about WAN mode configuration, see Configuring the WAN Mode (Required for the UTM25's Dual WAN Mode) on page 3-9. The diagrams and table below show how the WAN mode selection relates to VPN configuration. Figure 7-1 WAN Auto Rollover: FQDN Required for VPN (UTM25 WAN Port Rollover Control in front of the rest of the UTM25 functions; WAN 1 Port and WAN 2 Port to the Internet; same FQDN required for both WAN ports). Figure 7-2 WAN Load Balancing: FQDN Optional for VPN (UTM25 WAN Port Load Balancing Control in front of the rest of the UTM25 functions; WAN 1 Port and WAN 2 Port to the Internet; FQDN required for dynamic IP addresses, FQDN optional for static IP addresses). Table 7-1 summarizes the WAN addressing requirements (FQDN or IP address) for a VPN tunnel in either dual WAN mode.
Table 7-1 IP Addressing for VPNs in Dual WAN Port Systems (Configuration and WAN IP address: Rollover Mode; Load Balancing Mode)
VPN Road Warrior (client to gateway), Fixed: FQDN required; Allowed (FQDN optional)
VPN Road Warrior (client to gateway), Dynamic: FQDN required; FQDN required
VPN Gateway to Gateway, Fixed: FQDN required; Allowed (FQDN optional)
NAT router
284. e e mail immediately to its destination inbox without implementing the other spam prevention technologies, thereby speeding up mail delivery and conserving the UTM system resources. However, regardless of whether or not an e mail is whitelisted, the e mail is still scanned by the UTM's anti malware engines. You can configure these anti spam options in conjunction with content filtering to optimize blocking of unwanted mails. Note: E mails that are processed through the UTM over an authenticated e mail connection between a client and a mail server are not checked for spam. Note: An e mail that has been checked for spam by the UTM contains an X-STM-SMTP (for SMTP e mails) or X-STM-POP3 (for POP3 e mails) tag in its header. Setting Up the Whitelist and Blacklist. You can specify e mails that are accepted or blocked based on the originating IP address, domain, and e mail address by setting up the whitelist and blacklist. You can also specify e mails that are accepted based on the destination domain and e mail address. The whitelist ensures that e mail from listed, that is trusted, sources and recipients is not mistakenly tagged as spam. E mails going to and from these sources and recipients are delivered to their destinations immediately without being scanned by the anti spam engines. This can help to speed up the system and network performance. The blacklist, on the other hand, lists sources from which
285. e passwords. One time passcode (OTP) strengthens and replaces the need to remember complex passwords. No need to replace existing hardware: Two Factor Authentication can be added to existing NETGEAR products via firmware upgrade. Quick to deploy and manage: The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products. Proven regulatory compliance: Two Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide. What is Two Factor Authentication? Two factor authentication is a new security solution that enhances and strengthens security by implementing multiple factors to the authentication process that challenge and confirm the users' identities before they can gain access to the network. There are several factors that are used to validate the users, to make sure that you are who you say you are. These factors are: something you know, for example your password or your PIN; something you have, for example a token with a generated passcode that is 6 to 8 digits in length; something you are, for example biometrics such as fingerprints or retinal scans. This appendix focuses on and discusses only the first two factors, something you know and something you have. This new security method can be viewed as a two tiere
286. e IP address is dynamic, but FQDNs are optional when the IP address is static. Figure B-3 Dual WAN Ports, Load Balancing (router with WAN IPs netgear1.dyndns.org and netgear2.dyndns.org; use of fully qualified domain names for IP addresses of WAN ports: required for dynamic IP addresses, optional for fixed IP addresses). Inbound Traffic. Incoming traffic from the Internet is normally discarded by the UTM unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can configure the UTM to forward it to one or more LAN hosts on your network. The addressing of the UTM's dual WAN port depends on the configuration being implemented.
Table B-1 IP Addressing Requirements for Exposed Hosts in Dual WAN Port Systems (Configuration and WAN IP address: Single WAN Port reference case; Dual WAN Port Cases, Rollover; Dual WAN Port Cases, Load Balancing)
Inbound traffic (Port forwarding, Port triggering), Fixed: Allowed (FQDN optional); FQDN required; Allowed (FQDN optional)
Inbound traffic (Port forwarding, Port triggering), Dynamic: FQDN required; FQDN required; FQDN required
Inbound Traffic to a Single WAN Port System. The Internet IP address of the UTM's WAN port must be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled.
287. e: The security certificate was issued by a company you have not chosen to trust. The date of the security certificate is invalid. The name on the security certificate is invalid or does not match the name of the site. When a security alert is generated, the user can decide whether or not to trust the host. Figure 9-12 Security Alert dialog (Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate: the security certificate was issued by a company you have not chosen to trust, view the certificate to determine whether you want to trust the certifying authority; the security certificate date is valid; the name on the security certificate is invalid or does not match the name of the site. Do you want to proceed?). Generating a CSR and Obtaining a Self Certificate from a CA. To use a self certificate, you must first request the digital certificate from a CA and then download and activate the digital certificate on the UTM. To request a self certificate from a CA, you must generate a Certificate Signing Request (CSR) for and on the UTM. The CSR is a file that contains information about your company and about the device that holds the certificate. Refer to the CA for guidelines about the informati
288. e WAN1 Advanced Options or WAN2 Advanced Options screen of the UTM25, or in the Router's MAC Address section of the WAN Advanced Options screen of the UTM10 (see Configuring Advanced WAN Options on page 3-22). Restoring the Default Configuration and Password. To reset the UTM to the original factory default settings, you can use one of the following two methods: Push the Reset button on the rear panel of the UTM (see Rear Panel on page 1-12) and hold the Reset button for about eight seconds until the Test LED turns on and begins to blink (about 30 seconds). To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Reset button method. On the Backup & Restore Settings screen (see Figure 12-1), next to Revert to factory default settings, click the default button. a. To display the Backup & Restore Settings screen, select Administration > Backup & Restore Settings from the menu (see Figure 12-1 on page 12-9). Figure 12-1 Backup & Restore Settings screen (Save a copy of current settings: backup button; Restore saved settings from file: Browse and restore buttons; Revert to factory default settings: default button). b. Click the default button. The UTM reboots. During the re
289. following should display: Pinging <IP address> with 32 bytes of data. If the path is working, you will see this message: Reply from <IP address>: bytes=32 time=NN ms TTL=xxx. If the path is not working, you will see this message: Request timed out. If the path is not functioning correctly, you could have one of the following problems:
- Wrong physical connections. Make sure that the LAN port LED is on. If the LED is off, follow the instructions in LAN or WAN Port LEDs Not On on page 12-3. Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and UTM.
- Wrong network configuration. Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. Verify that the IP address for your UTM and your workstation are correct and that the addresses are on the same subnet.
Testing the Path from Your PC to a Remote Device
After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows Run menu, type PING -n 10 <IP address>, where <IP address> is the IP address of a remote device, such as your ISP's DNS server. If the path is functioning correctly
290. marketing VLAN members, accessible to all or accessible only to specified individuals, depending on how the IT manager has set up the VLANs.
VLANs have a number of advantages:
- It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group's traffic is contained largely within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network.
- They are easy to manage. The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from a management interface rather than from the wiring closet.
- They provide increased performance. VLANs free up bandwidth by limiting node-to-node and broadcast traffic throughout the network.
- They ensure enhanced network security. VLANs create virtual boundaries that can be crossed only through a router, so standard router-based security measures can be used to restrict access to each VLAN.
Managing the UTM's Port-Based VLANs
The UTM supports port-based VLANs. Port-based VLANs help to confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port can have only one VLAN ID as its Port VLAN Identifier (PVID). By default, all four LAN ports of the UTM are assigned to the default
291. Figure 7-16 (NETGEAR ProSafe VPN Client log window: My Connections\UTM_SJ, loading IPsec SA, with outbound and inbound SPI values)
- Right-click the VPN Client icon in the system tray and select Connection Monitor.
Figure 7-17 (Connection Monitor window: Global Statistics (Non-Secured Packets, Secured Packets, Dropped Packets, Secured Data in KBytes), Show Idle Connections and Freeze Display check boxes, and a connection table with Connection Name, Local Address, Local Subnet, Remote Address, Remote Modifier, GW Address, Protocol, Local Port, and Remote Port columns; the example row is My Connections\UTM_SJ)
The VPN client system tray icon provides a variety of status indications, which are listed below.
Table 7-7 System Tray Icon Status
- The client policy is deactivated.
- The client policy is activated but not connected.
- The client policy is activated and connected.
- A flashing vertical bar indicates traffic on the tunnel.
Viewing the UTM IPsec VPN Connection Status
To review the status of current IPsec VPN tunnels:
1. Select Monitoring > Active Users & VPN
292. pull-down menu, select an NTP server (custom):
- Use Default NTP Servers. The UTM's RTC is updated regularly by contacting a default Netgear NTP server on the Internet.
- Use Custom NTP Servers. The UTM's RTC is updated regularly by contacting one of the two NTP servers (primary and backup), both of which you must specify in the fields that become available with this menu selection.
  Note: If you select this option but leave either the Server 1 or Server 2 field blank, both fields are set to the default Netgear NTP servers.
  Note: A list of public NTP servers is available at http://ntp.isc.org/bin/view/Servers/WebHome.
  Server 1 Name / IP Address: Enter the IP address or host name of the primary NTP server.
  Server 2 Name / IP Address: Enter the IP address or host name of the backup NTP server.
3. Click Apply to save your settings.
Note: If you select the default NTP servers or if you enter a custom server FQDN, the UTM determines the IP address of the NTP server by performing a DNS lookup. You must configure a DNS server address in the Network menu before the UTM can perform this lookup.
Chapter 11 Monitoring System Access and Performance
This chapter describes the system monitoring features of the UTM. Yo
293. the license key card that came with your UTM in a secure location. You do need these keys to activate your product during the initial setup.
Figure 1-1 (license key card, "NETGEAR ProSecure: DO NOT DISCARD, Important Key Information". Instructions printed on the card: 1. Log in to the unit. The default access URL, user name, and password are printed on the product bottom label. 2. Click Support and then Registration to view the Registration screen. 3. Enter the first registration key and customer information, and then click Register. 4. Enter the remaining registration keys one by one, clicking Register to register each. Save these keys. If you ever reset the unit back to its factory defaults, you will need to re-enter these keys.)
Note: When you reset the UTM to the original factory default settings after you have entered the license keys to activate the UTM (see Registering the UTM with NETGEAR on page 2-27), the license keys are erased. The license keys and the different types of licenses that are available for the UTM are no longer displayed on the Registration screen. However, after you have reconfigured the UTM to connect to the Internet and to the NETGEAR registration server, the UTM retrieves and restores all registration information based on its MAC address and hardware serial number. You do not need to re-enter the license keys and reactivate the UTM.
294. unit is accessible and cables can be connected easily.
- Cabling is away from sources of electrical noise. These include lift shafts, microwave ovens, and air-conditioning units.
- Water or moisture cannot enter the case of the unit.
- Airflow around the unit and through the vents in the side of the case is not restricted. Provide a minimum of 25 mm (or 1 inch) clearance.
- The air is as free of dust as possible.
- Temperature operating limits are not likely to be exceeded. Install the unit in a clean, air-conditioned environment. For information about the recommended operating temperatures for the UTM, see Appendix A, Default Settings and Technical Specifications.
Using the Rack-Mounting Kit
Use the mounting kit for the UTM to install the appliance in a rack. A mounting kit is provided in the product package for the UTM25. Attach the mounting brackets using the hardware that is supplied with the mounting kit.
Figure 1-6
Before mounting the UTM in a rack, verify that:
- You have the correct screws (supplied with the installation kit).
- The rack onto which you will mount the UTM is suitably located.
Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network
Understanding the Steps for Initial Connection
Typically, the UTM is installed as a network gateway to function as a combined LAN switch, firewall, and content scan engine in order to protect the network
295. uses. If the service uses only a single port number, enter the same number in the Start Port and Finish Port fields. This field is enabled only when you select TCP or UDP from the Type pull-down menu.
3. Click Apply to save your settings. The new custom service is added to the Custom Services table.
To edit a service:
1. In the Custom Services table, click the edit table button to the right of the service that you want to edit. The Edit Service screen displays.
Figure 5-20 (Edit Service screen under Network Security: Name, Type (TCP), ICMP Type, Start Port, Finish Port)
2. Modify the settings that you wish to change (see Table 5-6 on page 5-32).
3. Click Apply to save your changes. The modified service is displayed in the Custom Services table.
Creating Quality of Service (QoS) Profiles
A quality of service (QoS) profile defines the relative priority of an IP packet when multiple connections are scheduled for simultaneous transmission on the UTM. A QoS profile becomes active only when it is associated with a non-blocking inbound or outbound firewall rule and traffic matching the firewall rule flows through the router. After you have created a QoS profile, you can assign the QoS profile to firewall rules on the following screens:
- Add LAN WAN Outbound Services screen
296. Leave the fields blank to apply the policy to all traffic.
Service: From the pull-down menu, select the service to which the SSL VPN policy is applied: VPN Tunnel (the policy is applied only to a VPN tunnel), Port Forwarding (the policy is applied only to port forwarding), or All (the policy is applied both to a VPN tunnel and to port forwarding).
Permission: From the pull-down menu, select whether the policy permits (PERMIT) or denies (DENY) access.
Table 8-10 Add Policy Settings (continued)
Item | Description (or Subfield and Description)
Apply Policy For (continued): IP Network
- Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
- IP Address: The network IP address to which the SSL VPN policy is applied.
- Subnet Mask: The network subnet mask to which the SSL VPN policy is applied.
- Port Range / Port Number: A port (enter in the Begin field) or a range of ports (enter in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to all TCP and UDP traffic that passes on those ports. Leave the fields blank to apply the policy to all traffic.
- Service: From the pull-down menu, select the service to which the
297. Figure 11-22 (DHCP Log screen: dhcpd entries dated 2009 May 28 showing DHCPDISCOVER, DHCPOFFER on 192.168.1.3, DHCPREQUEST for 192.168.50.62, and DHCPNAK on 192.168.50.65; refresh and clear log buttons)
Querying Logs and Generating Reports
The extensive logging and reporting functions of the UTM let you perform the following tasks that help you to monitor the protection of the network and the performance of the UTM:
- Querying and downloading logs.
- Generating and downloading e-mail, Web, and system reports.
- Scheduling automatic e-mail, Web, and system reports, and e-mailing these reports to specified recipients.
For information about e-mailing logs and sending logs to a syslog server, see Configuring and Activating System E-mail
298. security certificate is invalid or does not match the name of the site. Do you want to proceed?
Figure 6-14 (Security Alert dialog)
However, even when a certificate is trusted or still valid, or when the name of a certificate does match the name of the Web site, a security alert message still appears when a user who is connected to the UTM visits an HTTPS site. The appearance of this security alert message is expected behavior, because the HTTPS client receives a certificate from the UTM instead of directly from the HTTPS server. If you want to prevent this security alert message from appearing, install a root certificate on the client PC. The root certificate can be downloaded from the UTM's Manager Login screen (see Figure 2-1 on page 2-3).
If client authentication is required, the UTM might not be able to scan the HTTPS traffic because of the nature of SSL. SSL has two parts: client and server authentication. HTTPS server authentication occurs with every HTTPS request, but HTTPS client authentication is not mandatory and rarely occurs. Therefore, it is of less importance whether the HTTPS request comes from the UTM or from the real HTTPS client. However, certain HTTPS servers do require HTTPS client certificate authentication for every HTTPS request. Because of the design of SSL, the HTTPS client must present its own certificate in this situation rather than using the one from the UTM, preventing the UTM from scanning the HTTPS traffic. For informati
299. ed (which is the default setting), split tunnel support is enabled and you must add client routes (see Adding Routes for VPN Tunnel Clients on page 8-27).
Note: When full tunnel support is enabled, client routes are not operable.
DNS Suffix: A DNS suffix to be appended to incomplete DNS search strings. This is an option.
Primary DNS Server: The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This is an option.
Note: If you do not assign a DNS server, the DNS settings remain unchanged in the VPN client after a VPN tunnel has been established.
Secondary DNS Server: The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This is an option.
Client Address Range Begin: The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
Client Address Range End: The last IP address of the IP address range that you want to assign to the VPN tunnel clients.
4. Click Apply to save your settings. VPN tunnel clients are now able to connect to the UTM and receive a virtual IP address in the client address range.
Adding Routes for VPN Tunnel Clients
The VPN tunnel clients assume that the following networks are located across the VPN-over-SSL tunnel:
- The subnet that contains the client IP address (that is, the PPP interface), as determined by the class of the address (Class A, B, or C).
- Subnets that are specified in the Configu
300. ed within minutes.
Key Features and Capabilities
The UTM provides the following key features and capabilities:
- For the UTM10, a single 10/100/1000 Mbps Gigabit Ethernet WAN port.
- For the UTM25, dual 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover protection of your Internet connection, providing increased system reliability or increased throughput.
- Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources.
- Support for up to 15 (UTM10) or 30 (UTM25) concurrent users and up to 12,000 (UTM10) or 27,000 (UTM25) concurrent sessions.
- Advanced IPsec VPN and SSL VPN support, with support for up to 10 (UTM10) or 25 (UTM25) site-to-site IPsec VPN tunnels and up to 5 (UTM10) or 13 (UTM25) dedicated SSL VPN tunnels. Bundled with a 1-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
- Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
- Patent-pending Stream Scanning technology that enables scanning of real-time protocols such as HTTP.
- Comprehensive Web and email security covering six major network protocols: HTTP, HTTPS, FTP, SMTP, POP3, and IMAP.
- Malware database containing hundreds of thousands of signatures of spyware, viruses, and other malware threats.
- Very frequently updated malware signatures, hourly if requ
301. (table of contents excerpt)
Viewing the UTM SSL VPN Log ... 8-16
Manually Configuring and Editing SSL Connections ... 8-17
Creating the Portal Layout ... 8-18
Configuring Domains, Groups, and Users ... 8-22
Configuring Applications for Port Forwarding ... 8-22
Configuring the SSL VPN Client ... 8-25
Using Network Resource Objects to Simplify Policies ... 8-28
Configuring User, Group, and Global Policies ... 8-31
Chapter 9 Managing Users, Authentication, and Certificates
Configuring VPN Authentication Domains, Groups, and Users ... 9-1
Configuring Domains ... 9-2
Configuring Groups for VPN Policies ... 9-6
Configuring User Accounts ... 9-9
Setting User Login Policies ... 9-12
Changing Passwords and Other User Settings ... 9-16
Managing Digital Certificates ... 9-17
Managing CA Certificates ...
302. either for convenience or if you have a dynamic IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service does not work because private addresses are not routed on the Internet.
To configure Dynamic DNS:
1. Select Network Config > Dynamic DNS from the menu.
2. Click the Dynamic DNS tab. The Dynamic DNS screen displays (see Figure 3-11 on page 3-20).
Figure 3-11 (Dynamic DNS screen: a WAN Mode section showing the current WAN mode (Single Port WAN1), and for each of WAN1 and WAN2 a Dynamic DNS Status (service is not enabled), Host and Domain Name (example: yourname.dyndns.org), Configured DDNS (none), User Name, Password, Change DNS to DynDNS.org (Yes/No), Use wildcards, and Update every 30 days)
The WAN Mode section on screen reports the currently configured WAN mode (for the UTM25, for example, Single Port WAN1, Load Balancing, or Auto-Rollover). Only
303. receive the UTM's SNMP traps. Separate IP addresses by a comma. If you leave the field blank (which is the default setting), no SNMP management station can receive the UTM's SNMP traps.
3. Click Apply to save your settings.
Managing the Configuration File
The configuration settings of the UTM are stored in a configuration file on the UTM. This file can be saved (backed up) to a PC, retrieved (restored) from the PC, or cleared to factory default settings. Once the UTM is installed and works properly, make a backup of the configuration file to a computer. If necessary, you can later restore the UTM settings from this file.
The Backup & Restore Settings screen lets you:
- back up and save a copy of the current settings.
- restore saved settings from the backed-up file.
- revert to the factory default settings.
To display the Backup & Restore Settings screen, select Administration > Backup & Restore Settings from the menu.
Figure 10-5 (Backup & Restore Settings screen: Save a copy of current settings (backup); Restore saved settings from file (restore); Revert to factory default settings (default))
Backup Settings
The backup feature saves all UTM settings to a file. These settings include:
- Network settings: IP address, subnet m
304. el. Specify where the file originated (for example, an e-mail address if received via e-mail) and, if known, which product or scan feature (for example, the UTM or a desktop anti-virus application) detected the file.
Description: As an option, include a description or any information that is relevant.
3. Click Submit.
Accessing the Knowledge Base and Documentation
To access NETGEAR's Knowledge Base for the UTM, select Support > Knowledge Base from the menu.
To access NETGEAR's documentation library for your UTM model, select Support > Documentation from the menu.
Appendix A Default Settings and Technical Specifications
You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see Reverting to Factory Default Settings on page 10-18).
- To perform a hard reset, press and hold the Reset button for approximately eight seconds until the TEST LED blinks rapidly. The UTM returns to the factory configuration settings that are shown in Table A-1 below.
- Pressing the Reset button for a shorter period of time simply causes the UTM to reboot.
Table A-1 shows the default configuration settings for the UTM
305. In the single WAN case, the WAN's Internet address is either a fixed IP or a FQDN if the IP address is dynamic.
Figure B-4 (Inbound traffic, single WAN port: the router's WAN IP is N, reached as netgear.dyndns.org; a FQDN is required for a dynamic IP address and is optional for a fixed IP address)
Inbound Traffic to a Dual WAN Port System
The IP address range of the UTM's WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
Inbound Traffic: Dual WAN Ports for Improved Reliability
In a dual WAN port auto-rollover configuration, the WAN port's IP address will always change when a rollover occurs. You must use a FQDN that toggles between the IP addresses of the WAN ports (that is, WAN1 or WAN2).
Figure B-5 (Dual WAN ports before rollover: WAN1 IP is N and the WAN2 port is inactive. Dual WAN ports after rollover: the WAN1 port is inactive and WAN2 IP is N. In both cases the router is reached as netgear.dyndns.org. The IP address of the active WAN port changes after a rollover, so use of fully qualified domain names is always required.)
Inbound Traffic: Dual WAN Ports for Load Balancing
In a dual WAN port load balancing configuration, the Internet address of each WAN port is either fixed if the IP address is fixed or a FQDN if the IP address is
306. temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
- Port forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the UTM allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
- DMZ port. Incoming traffic from the Internet is normally discarded by the UTM unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated De-Militarized Zone (DMZ) port to forward the traffic to one PC on your network.
Autosensing Ethernet Connections with Auto Uplink
With its internal 4-port 10/100/1000 Mbps switch and single (UTM10) or dual (UTM25) 10/100/1000 WAN ports, the UTM can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The four LAN and one or two WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
The UTM incorporates Auto Uplink technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection (such as to a
307. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
- FQDN: The FQDN for a remote gateway.
- User FQDN: The e-mail address for a remote VPN client or gateway.
- DER ASN1 DN: A distinguished name (DN) that identifies the remote endpoint in the DER encoding and ASN.1 format.
Identifier: Depending on the selection of the Identifier Type pull-down menu, enter the IP address, e-mail address, FQDN, or distinguished name.
IKE SA Parameters
Encryption Algorithm: From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA):
- DES: Data Encryption Standard (DES).
- 3DES: Triple DES. This is the default algorithm.
- AES-128: Advanced Encryption Standard (AES) with a 128-bit key size.
- AES-192: AES with a 192-bit key size.
- AES-256: AES with a 256-bit key size.
Table 7-10 Add IKE Policy Settings (continued)
Item | Description (or Subfield and Description)
Authentication Algorithm: From the pull-down menu, select one of the following two algorithms to use in the VPN header for the authentication process:
- SHA-1: Hash algorithm that produces a 160-bit digest. This is the default setting.
- MD5: Hash algorithm that produces a 128-bit
308. (table of contents excerpt)
... 11-43
Using the Network Diagnostic Tools ... 11-44
Using the Realtime Traffic Diagnostics Tool ... 11-46
Gathering Important Log Information and Generating a Network Statistics Report ... 11-47
Rebooting and Shutting Down the UTM ... 11-48
Chapter 12 Troubleshooting and Using Online Support
(illegible entry) ... 12-2
Power LED Not On ... 12-2
Test LED Never Turns Off ... 12-2
LAN or WAN Port LEDs Not On ... 12-3
Troubleshooting the Web Management Interface ... 12-3
When You Enter a URL or IP Address, a Time-out Error Occurs ... 12-4
Troubleshooting the ISP Connection ... 12-5
Troubleshooting a TCP/IP Network Using a Ping Utility ... 12-6
Testing the LAN Path to Your UTM ... 12-7
Testing the Path from Your PC to a Remote Device ... 12-7
Restoring the Default Configurati
309. identical to the Password field above.
Idle Timeout: The period after which an idle user is automatically logged out of the Web management interface. The default idle time-out period is 5 minutes.
SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes
Figure 8-5 (SSL VPN Wizard Step 4 of 6 screen. Client IP Address Range section: Enable Full Tunnel Support, DNS Suffix, Primary DNS Server, Secondary DNS Server, Client Address Range Begin, Client Address Range End. Add Routes for VPN Tunnel Clients section: Destination Network, Subnet Mask. On-screen note: "Static routes should be added to reach any secure network in SPLIT TUNNEL mode. In FULL TUNNEL mode all client routes will be ineffective. You can leave Destination Network and Subnet Mask blank or assign a network address has NOT been setted. Otherwise applying wizard will fail and UTM have to reboot to recover configurations.")
Note that Figure 8-5 contains some examples. Enter the settings as explained in Table 8-4 on page 8-10, then click Next to go to the following screen.
Note: Do not enter an existing route for a VPN tunnel client in the Destination Network and Subnet Mask fields; otherwise, the SSL VPN Wizard w
310. replaced with the following text, which you can customize: "The SSL connection to URL cannot be established because of REASON."
Note: Make sure that you keep the URL and REASON meta words in a message to enable the UTM to insert the proper URL information and the reason of the rejection.
Note: For information about certificates that are used for SSL connections and HTTPS traffic, see Managing Digital Certificates on page 9-17.
Specifying Trusted Hosts
You can specify trusted hosts for which the UTM bypasses HTTPS traffic scanning and security certificate authentication. The security certificate is sent directly to the client for authentication, which means that the user does not receive a security alert for trusted hosts. For more information about security alerts, see Managing Self Certificates on page 9-20.
Note that certain sites contain elements from different HTTPS hosts. As an example, assume that the https://example.com site contains HTTPS elements from the following three hosts: trustedhostserver1.example.com, trustedhostserver2.example.com, and imageserver.example.com.
To completely bypass the scanning of the https://example.com site, you must add all three hosts to the trusted hosts list, because different files from these three ho
311. The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in Table 1-1.
Figure 1-2 (front panel callouts: Power LED, DMZ LED, USB port, Left LAN LEDs, Left WAN LEDs, Active WAN LEDs, Test LED, Right LAN LEDs, Right WAN LEDs)
Note: Figure 1-2 shows the UTM25 with two WAN ports. The UTM10 has a single WAN port (the left WAN port that is shown in Figure 1-2) and no Active WAN LEDs.
The function of each LED is described in Table 1-1.
Table 1-1 LED Descriptions
Object | Activity | Description
Power | On (Green) | Power is supplied to the UTM.
Power | Off | Power is not supplied to the UTM.
Test | On (Amber) during startup | Test mode: the UTM is initializing. After approximately 2 minutes, when the UTM has completed its initialization, the Test LED goes off.
Test | On (Amber) during any other time | The initialization has failed or a hardware failure has occurred.
Test | Blinking (Amber) | Writing to flash memory (during upgrading or resetting to defaults).
Test | Off | The system has booted successfully.
Table 1-1 LED Descriptions (continued)
Object | Activity | Desc
312. disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The up and down table buttons in the Action column allow you to relocate a defined rule to a new position in the table.
Setting LAN WAN Rules
The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). This feature is also referred to as service blocking. You can change the default policy of Allow Always to Block Always to block all outbound traffic, which then allows you to enable only specific services to pass through the UTM.
To change the default outbound policy:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear with the LAN WAN Rules screen in view.
2. Next to Default Outbound Policy, select Block Always from the pull-down menu.
3. Next to the pull-down menu, click the apply table button.
(Figure: LAN WAN Rules screen with Outbound and Inbound Services tables. Columns: Service, LAN Users or LAN Server IP, WAN Users, Log, Action, QoS Profile, Bandwidth Filter, and up/down/edit buttons; select all, delete, enable, disable, and add buttons below. Example rows: Allow Always, REAL-AUDIO, 192.168.4.1 to 192.168.4.99, NONE, Never; Allow Always, SMTP, 192.168.4.35, ANY, NONE, Always.)
313. er Portal. When you click on the user portal link, the SSL VPN default portal opens (see Figure 8-9 on page 8-15). This user portal is not the same as the new SSL portal login screen that you defined with the help of the SSL VPN Wizard.

To open the new SSL portal login screen:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view.
2. Click the Portal Layouts submenu tab. The Portal Layout screen displays (see Figure 8-12 on page 8-19).
3. In the Portal URL field of the List of Layouts table, click on the URL that ends with the portal layout name that you defined with the help of the SSL VPN Wizard. The new SSL portal login screen displays (see Figure 8-8 on page 8-15).

Figure 8-8 (screen residue: NETGEAR Configuration Manager Login with User Name, Password, Passcode, and Domain (SSLTestDomain) fields; banner message "In case of login difficulty call 123 456 7890"; note "When the UTM scans secure HTTPS traffic you must import root CA certificate into your browser. Click to download"; 2009 Copyright NETGEAR)

4. Enter the user name and password that you just created with the help of the SSL VPN Wizard.
5. Click Login. The default User Portal screen displays. Click the VPN Tunnel client icon to connect to the remote network. Keep your
314. er (table of contents; the first entries on pages C-14 to C-15 are illegible)
Instant Messaging/Peer to Peer Logs  C-15
Routing Logs  C-16
LAN to WAN Logs  C-16
LAN to DMZ Logs  C-16
DMZ to WAN Logs  C-16
WAN to LAN Logs  C-17
DMZ to LAN Logs  C-17
WAN to DMZ Logs  C-17
Appendix D Two Factor Authentication
Why do I need Two Factor Authentication?  D-1
What are the benefits of Two Factor Authentication?  D-1
What is Two Factor Authentication?  D-2
NETGEAR Two Factor Authentication Solutions  D-2
Appendix E Related Documents
Index
xv
315. er settings, see Table C-1.
Recommended Action: None

DMZ to LAN Logs
This section describes logs that are generated when the UTM processes DMZ to LAN traffic.

Table C-30. Routing Logs: DMZ to WAN
Message: Nov 29 09:44:06 UTM kernel: DMZ2LAN DROP IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the DMZ to the LAN has been dropped by the firewall. For other settings, see Table C-1.
Recommended Action: None

WAN to DMZ Logs
This section describes logs that are generated when the UTM processes WAN to DMZ traffic.

Table C-31. Routing Logs: WAN to DMZ
Message: Nov 29 09:19:43 UTM kernel: WAN2DMZ ACCEPT IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the WAN to the DMZ has been allowed by the firewall. For other settings, see Table C-1.
Recommended Action: None

Appendix D Two Factor Authentication
This appendix provides an overview of Two Factor Authentication and an example of how to implement the WiKID solution. This appendix contains the following sections:
- Why do I need Two Factor Authentication? (on this page)
- NETGEAR Two Factor Authe
316. er to encrypt data intended for the receiver (the key owner). The receiver then uses its private key to decrypt the data; without the private key, decryption is impossible. The use of certificates for authentication reduces the amount of data entry that is required on each VPN endpoint.

The VPN Policies Screen
The VPN Policies screen allows you to add additional policies (either Auto or Manual) and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. The rules for VPN policy use are:
1. Traffic covered by a policy is automatically sent via a VPN tunnel.
2. When traffic is covered by two or more policies, the first matching policy is used. In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN endpoint, then the policy order is not important.
3. The VPN tunnel is created according to the settings in the security association (SA).
4. The remote VPN endpoint must have a matching SA; otherwise, it refuses the connection.

To access the VPN Policies screen:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view.
2. Click the VPN Policies submenu tab. The VPN Policies screen displays. Figure 7-22 shows some e
317. ers attempting to access these URLs receive a notification (see below).

Table 6-9. URL Filtering Settings (continued)
Setting | Description or Subfield and Description
URL | This field contains the URLs that are blocked. To add a URL to this field, use the Add URL field or the Import from File tool (see below). You can add a maximum of 200 URLs. Note: If a URL is on both the whitelist and the blacklist, then the whitelist takes precedence and URLs on the whitelist are not scanned. Note: Wildcards are supported. For example, if you enter www.net.com in the URL field, any URL that begins with www.net is blocked and any URL that ends with .com is blocked.
delete | To delete one or more URLs, highlight the URLs and click the delete table button.
export | To export the URLs, click the export table button and follow the instructions of your browser.
Add URL | Type or copy a URL in the Add URL field. Then click the add table button to add the URL to the URL field.
Import from File | To import a list with URLs into the URL field, click the Browse button and navigate to a file in .txt format that contains line-delimited URLs (that is, one URL per line). Then click the upload table button to add the URLs to the URL field. Note: Any existing URLs in
318. ers connected to the default VLAN. Enter the following settings:
Domain Name | This is optional. Enter the domain name of the UTM.
Starting IP Address | Enter the starting IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
Ending IP Address | Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between the Starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address.
Note: The starting and ending DHCP IP addresses should be in the same network as the LAN TCP/IP address of the UTM (the IP address in the LAN TCP/IP section above).

Table 2-1. Setup Wizard Step 1: LAN Settings (continued)
Setting | Description or Subfield and Description
Enable DHCP Server (continued)
Primary DNS Server | This is optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM provides its own LAN IP address
319. es. Each CA issues its own CA identity digital certificate to validate communication with the CA and to verify the validity of digital certificates that are signed by the CA.
- Self digital certificates. The digital certificates that are issued to you by a CA to identify your device.

The Certificates screen contains four tables that are explained in detail in the following sections:
- Trusted Certificates (CA Certificate) table. Contains the trusted digital certificates that were issued by CAs and that you uploaded (see Managing CA Certificates on this page).
- Active Self Certificates table. Contains the digital self certificates that were issued by CAs and that you uploaded (see Managing Self Certificates on page 9-20).
- Self Certificate Requests table. Contains the self certificate requests that you generated. These requests may or may not have been submitted to CAs, and CAs may or may not have issued digital certificates for these requests. Only the digital self certificates in the Active Self Certificates table are active on the UTM (see Managing Self Certificates on page 9-20).
- Certificate Revocation Lists (CRL) table. Contains the lists with digital certificates that have been revoked and are no longer valid, that were issued by CAs, and that you uploaded. Note, however,
320. es You Wish to Block | Select the Enable Blocking checkbox to enable blocking of Web categories. By default, this checkbox is deselected. Select the checkboxes of any Web categories that you want to block. Use the action buttons at the top of the section in the following way:
- Allow All. All Web categories are allowed.
- Block All. All Web categories are blocked.
- Set to Defaults. Blocking and allowing of Web categories are returned to their default settings. See Table 6-1 on page 6-2 for information about the Web categories that are blocked by default. Categories that are preceded by a green rectangle are allowed by default; categories that are preceded by a pink rectangle are blocked by default.
Blocked Categories Scheduled Days | Select one of the following radio buttons:
- All Days. The schedule is in effect all days of the week.
- Specific Days. The schedule is active only on specific days. To the right of the radio buttons, select the checkbox for each day that you want the schedule to be in effect.
Blocked Categories Time of Day | Select one of the following radio buttons:
- All Day. The schedule is in effect all hours of the selected day or days.
- Specific Times. The schedule is active only on specific hours of the selected day or days. To the right of the radio buttons, specify the Start Time and End Time fields (Hour, Minute, AM/PM) during which the schedule is in effect.
Notification Settings | The
321. es in the List of Secondary WAN addresses table. On the UTM10, the WAN Secondary Addresses screen displays.

Figure 3-10 (screen residue: WAN1 Secondary Addresses screen, with submenu tabs Network Config, Protocol Binding, Dynamic DNS, WAN Metering, LAN Settings, DMZ Setup, Routing, and Email Notification; the List of Secondary WAN addresses table with entries 192.168.60.61 / 255.255.255.0 and 192.168.80.1 / 255.255.255.0 and the select all and delete buttons; and the Add WAN1 Secondary Addresses section with IP Address and Subnet Mask fields)

The List of Secondary WAN addresses table displays the secondary LAN IP addresses added to the UTM.

3. In the Add WAN1 Secondary Addresses section (UTM25) or Add WAN Secondary Addresses section of the screen (UTM10), enter the following settings:
- IP Address. Enter the secondary address that you want to assign to the WAN1 port (UTM25) or to the single WAN port (UTM10).
- Subnet Mask. Enter the subnet mask for the secondary IP address.
4. Click the add table button in the rightmost column to add the secondary IP address to the List of Secondary WAN addresses table.
Repeat step 3 and step 4 for each secondary IP address that you want to add to the List of Secondary WAN addresses table.

Configuring Dynamic DNS
Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IP addresses to be located using Internet domain names. To use DDNS, you m
322. essage that users see before they log in to the portal. For example: In case of login difficulty call 123 456 7890. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters.
Display banner message on login page | Select this checkbox to show the banner title and banner message text on the login screen, as shown in Figure 8-8 on page 8-15.
HTTP meta tags for cache control (recommended) | Select this checkbox to apply HTTP meta tag cache control directives to this portal layout. Cache control directives include:
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date Web pages, themes, and data being stored in a user's Web browser cache.

Table 8-1. SSL VPN Wizard Step 1: Portal Settings (continued)
Item | Description or Subfield and Description
ActiveX web cache cleaner | Select this checkbox to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The Web cache cleaner prompts the user to delete all temporary Internet f
323. establish the VPN tunnel. The gateway WAN port must act as the responder.

Figure B-19 (diagram residue: Telecommuter Example, Dual WAN Ports After Rollover. Client B is a remote PC at the telecommuter's home running the NETGEAR ProSafe VPN Client, behind NAT Router B (10.5.6.1, LAN 10.5.6.0/24, FQDN bzrouter2.dyndns.org); Gateway A is the VPN Router at the employer's main office, reached via its WAN2 IP address. Fully Qualified Domain Names (FQDN): required for Fixed IP addresses, required for Dynamic IP addresses. The remote PC must re-establish the VPN tunnel after a rollover.)

The purpose of the FQDN is to toggle the domain name of the gateway between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.

VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing
In a dual WAN port load balancing gateway configuration, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2, as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The selected gateway WAN port must act as the responder.

Figure (diagram residue: Telecommuter Example, Dual WAN Ports, Load Balancing. Client B, Gateway A, 10.5.6.0/24)
324. ete the Internet connection of your UTM:
1. Configure the Internet connections to your ISP(s). During this phase, you connect to your ISPs. You can also program the WAN traffic meters at this time if desired. See Configuring the Internet Connections on page 3-2.
2. Configure the WAN mode (required for the UTM25's dual WAN operation). For both the UTM10 and UTM25, select either NAT or classical routing. For the UTM25 only, select either dedicated (single WAN) mode, auto-rollover mode, or load balancing mode. For the UTM25's load balancing, you can also select any necessary protocol bindings. See Configuring the WAN Mode (Required for the UTM25's Dual WAN Mode) on page 3-9.
3. Configure secondary WAN addresses on the WAN ports (optional). Configure aliases for each WAN port. See Configuring Secondary WAN Addresses on page 3-17.
4. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase if required. See Configuring Dynamic DNS on page 3-19.
5. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features and changing them is not usually required. See Configuring Advanced WAN Options on page 3-22.
Each of these tasks is
325. ether the incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT.

Administrator Tips
Consider the following operational items:
- As an option, you can enable remote management if you have to manage distant sites from a central location (see Configuring VPN Authentication Domains, Groups, and Users on page 9-1 and Configuring Remote Management Access on page 10-12).
- Although rules (see Using Rules to Block or Allow Specific Kinds of Traffic on page 5-3) are the basic way of managing the traffic through your system, you can further refine your control using the following features and capabilities of the UTM:
  - Groups and hosts (see Managing Groups and Hosts (LAN Groups) on page 4-12)
  - Services (see Services-Based Rules on page 5-3)
  - Schedules (see Setting a Schedule to Block or Allow Specific Traffic on page 5-39)
  - Allow or block sites and applications (see Setting Web Access Exception Rules on page 6-41)
  - Source MAC filtering (see Enabling Source MAC Filtering on page 5-40)
  - Port triggering (see Configuring Port Triggering on page 5-44)
- Content filtering is a firewall component. The UTM provides such extensive content filtering options that an entire chapter is dedicated to this subject (see Chapter 6, Content
326. ettings

Note: When the UTM blocks access to a link of a certain blocked Web category, the UTM displays an HTML warning screen that includes a hyperlink to submit a URL misclassification. To submit a misclassified or uncategorized URL to NETGEAR for analysis, click on the Click here to Report a URL Misclassification hyperlink. A second screen opens that allows you to select from pull-down menus up to two categories in which you think that the URL could be categorized. Then click the Submit button.

Configuring Web URL Filtering
If you want to allow or block internal LAN users from access to certain sites on the Internet, use the UTM's Web URL filtering. You can create or import a whitelist that contains domain names and URLs that are accepted, and a blacklist with domain names and URLs that are blocked. The whitelist takes precedence over the blacklist. Both the whitelist and the blacklist take precedence over keyword blocking.

Note: A URL that you enter on the whitelist or blacklist might contain other embedded URLs, such as URLs for advertisements or sponsors, causing unexpected behavior. If you want to allow a URL by placing it on the whitelist, make sure that all embedded URLs are also placed on the whitelist. Similarly, if you want to block a URL by placing it on the blacklist, make sure that all embedded URLs are also placed on the blacklist.
327. etup Wizard Step 7: Content Filtering Settings
Setting | Description or Subfield and Description
Blocked Web Categories | Select the Enable Blocking checkbox to enable blocking of Web categories. By default, this checkbox is deselected. Select the checkboxes of any Web categories that you want to block. Use the action buttons at the top of the section in the following way:
- Allow All. All Web categories are allowed.
- Block All. All Web categories are blocked.
- Set to Defaults. Blocking and allowing of Web categories are returned to their default settings. See Table 6-1 on page 6-2 for information about the Web categories that are blocked by default. Categories that are preceded by a green rectangle are allowed by default; categories that are preceded by a pink rectangle are blocked by default.
Blocked Categories Scheduled Days | Make one of the following selections:
- Select the All Days radio button to enable content filtering to be active all days of the week.
- Select the Specific Days radio button to enable content filtering to be active on the days that are specified by the checkboxes.
Blocked Categories Time of Day | Make one of the following selections:
- Select the All Day radio button to enable content filtering to be active all 24 hours of each selected day.
- Select the Specific Times radio button to enable content filtering to be active during the time that is specified by the Start Time and End T
328. Table 7-12. Add VPN Policy Settings (continued)
Item | Description or Subfield and Description
Traffic Selection
Local IP | From the pull-down menu, select the address or addresses that are part of the VPN tunnel on the UTM:
- Any. All PCs and devices on the network. Note: You cannot select Any for both the UTM and the remote endpoint.
- Single. A single IP address on the network. Enter the IP address in the Start IP Address field.
- Range. A range of IP addresses on the network. Enter the starting IP address in the Start IP Address field and the ending IP address in the End IP Address field.
- Subnet. A subnet on the network. Enter the starting IP address in the Start IP Address field and the subnet mask in the Subnet Mask field.
Remote IP | From the pull-down menu, select the address or addresses that are part of the VPN tunnel on the remote endpoint. The menu choices are the same as for the Local IP pull-down menu (see above).
Manual Policy Parameters | Note: These fields apply only when you select Manual Policy as the policy type. When you specify the settings for the fields in this section, a security association (SA) is created.
SPI Incoming | The Security Parameters Index (SPI) for the inbound policy. Enter a hexadecimal value between 3 and 8 characters (for example, 0x1234).
329. f the remote endpoint in the field to the right of the radio button.
Enable NetBIOS | Select this checkbox to allow NetBIOS broadcasts to travel over the VPN tunnel. For more information about NetBIOS, see Configuring NetBIOS Bridging with IPsec VPN on page 7-58. This feature is disabled by default.
Enable RollOver | Select this checkbox to allow the VPN tunnel to roll over to the other WAN interface when the WAN mode is set to Auto Rollover and an actual rollover occurs. This feature is disabled by default.
Enable Keepalive | Note: See also Configuring Keepalives and Dead Peer Detection on page 7-54. Select a radio button to specify if Keepalive is enabled:
- Yes. This feature is enabled; periodically, the UTM sends ping packets to the remote endpoint to keep the tunnel alive. You must enter the ping IP address, detection period, and the maximum number of times that the UTM attempts to reconnect (see below).
- No. This feature is disabled. This is the default setting.
Ping IP Address | The IP address that the UTM pings. The address must be of a host that can respond to ICMP ping requests.
Detection period | The period in seconds between the ping packets. The default setting is 10 seconds.
Reconnect after failure count | The number of consecutive missed responses that are considered a tunnel connection failure. The default setting is 3 missed responses.
330. figuration file 10-16
bandwidth capacity
  auto-rollover mode 10-1
  LAN 10-1
  load balancing mode 10-1
  single WAN port mode 10-1
  WAN 10-1
bandwidth limits, logging dropped packets 11-14
bandwidth profiles
  assigning to firewall rule 5-36
  description 5-36
  direction 5-38
  shifting traffic mix 10-9
  type 5-38
BitTorrent 2-17, 6-21
blacklist
  e-mails 6-72
  URLs 6-32
blocking
  applications, services 6-21
  e-mails 6-14
  file extensions 6-8, 6-24, 6-28
  file names 6-8
  Instant Messaging applications 5-29, 6-21
  keywords 6-8, 6-24, 6-28
  Peer-to-Peer (P2P) applications 6-27
  sites to reduce traffic 10-4
  TCP flood 5-2
  traffic scheduling 5-39
  traffic when reaching limit 4
  UDP flood 5-22
  URLs 6-32
  using wildcards 6-24, 6-32
  Web categories 2-22, 6-24, 6-29
  Web objects 6-24, 6-28
browsers
  user login policies 9-5
  Web Management Interface 2-2
button, Reset 2
buttons, Web Management Interface
  action 2-6
  help 2-7
  table 2-6

C
CA 7-30
cache control, SSL VPN 8-4, 8-21
card, service registration 7-8
categories, Web content 2-22
category 5 cable B-3
Certificate Authority. See CA
Certificate Revocation List. See CRL
Certificate Signing Request. See CSR
certificates
  3rd party Web site 6-37
  authentication 6-34
  CA 9-18
  commercial CAs 9-18
  CRL 9-19, 9-25
  CSR 9-2
  exchange 6-34
  overview 9-17
  self-signed 9-18, 9-20
  signature key length 9-23
  trusted CA certificates 9-19, 9-20
Challenge Handshake Authentication P
331. figured on the LAN WAN Rules screen take precedence over inbound rules that are configured on the DMZ WAN Rules screen. As a result, if an inbound packet matches an inbound rule on the LAN WAN Rules screen, it is not matched against the inbound rules on the DMZ WAN Rules screen.

To create a new inbound DMZ WAN service rule:
1. In the DMZ WAN Rules screen, click the add table button under the Inbound Services table. The Add DMZ WAN Inbound Service screen displays.

Figure 5-7 (screen residue: Add DMZ WAN Inbound Service, with the fields Service, Action (BLOCK always), Select Schedule (Schedule 1), Send to DMZ Server, Translate to Port Number, WAN Destination IP Address (WAN1), DMZ Users (Any, Start, Finish), WAN Users (Start, Finish), QoS Profile (None), and Log)

2. Enter the settings as explained in Table 5-3 on page 5-8.
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.

Setting LAN DMZ Rules
The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to allow all traffic between the local LAN and DMZ network. You can then apply firewall rules to block specific types of traffic from either going out from the LAN to
332. formance Management on page 10-1.

To configure the Web protocols, ports, and applications to scan:
1. Select Application Security > Services from the menu. The Services screen displays (see Table 6-7 on page 6-20).
Note: For information about e-mail protocols and ports, see Customizing E-mail Protocol Scan Settings on page 6-4.

Figure 6-7 (screen residue: Services screen with Enable Service / Ports to Scan checkboxes for the Web and e-mail services (SMTP, POP3, and IMAP are visible); an Instant Messaging section with Block Service checkboxes for Google Talk, Jabber, mIRC, MSN Messenger, Yahoo Messenger, and Skype; and a Peer to Peer (P2P) section with Block Service checkboxes for BitTorrent, eDonkey, and Gnutella)

2. Enter the settings as explained in Table 6-5.

Table 6-6. Web Protocol, Instant Messaging, and Peer to Peer Settings
Setting | Description or Subfield and Description
Web
HTTP | Select the HTTP checkbox to enable Hypertext Transfer Protocol (HTTP) scanning. This service is enabled by default and uses default port 80.
HTTPS | Select the HTTPS checkbox to enable Hypertext Transfer Protocol over Secure Socket Layer (HTTPS). This service is disabled
333. from the menu. The System Date & Time screen displays.

Figure 10-8 (screen residue: Administration > System Date & Time screen with the Date/Time zone pull-down set to (GMT) Greenwich Mean Time: Edinburgh, London; the Automatically Adjust for Daylight Savings Time checkbox; the Use Default NTP Servers and Use Custom NTP Servers radio buttons; Server 1 Name / IP Address time-g.netgear.com; Server 2 Name / IP Address time-h.netgear.com; Current Time: Thu May 21 01:37:18 GMT 2009)

The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in Figure 10-8: Current Time: Thu May 21 01:37:18 GMT 2009).

2. Enter the settings as explained in Table 10-2.

Table 10-3. System Date & Time Settings
Setting | Description or Subfield and Description
Date/Time | From the pull-down menu, select the local time zone in which the UTM operates. The proper time zone is required in order for scheduling to work correctly. The UTM includes a real-time clock (RTC), which it uses for scheduling.

Table 10-3. System Date & Time Settings (continued)
Setting | Description or Subfield and Description
Automatically Adjust for Daylight Savings Time | If daylight savings time is supported in your region, select the Automatically Adjust for Daylight Savings Time checkbox.
NTP Server (default or | From th
334. g configuration. Table 7-10 on page 7-26 explains the general IKE policy settings.

Table 7-16. Add IKE Policy Settings for a Mode Config Configuration
Item | Description or Subfield and Description
Mode Config Record
Do you want to use Mode Config Record? | Select the Yes radio button. Note: Because Mode Config functions only in Aggressive Mode, selecting the Yes radio button sets the tunnel exchange mode to Aggressive mode and disables the Main mode. Mode Config also requires that both the local and remote ends are defined by their FQDNs.
Select Mode Config Record | From the pull-down menu, select the Mode Config record that you created in step 5 above. In this example, we are using NA Sales.
General
Policy Name | A descriptive name of the IKE policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Direction / Type | Responder is automatically selected when you select the Mode Config record (see above). This ensures that the UTM responds to an IKE request from the remote endpoint but does not initiate one.
Exchange Mode | Aggressive Mode is automatically selected when you select the Mode Config record (see above).
Local
Select Local Gateway (UTM25 only) | For the UTM25 only, select a radio button to specify the WAN1 or WAN2 interface.
Identifier Type | From the pull-down menu, select FQDN. Note: Mode Config requires that the U
335. g into the portal. Because the page is completely customizable, it provides an ideal way to communicate remote access instructions, support information, technical contact information, or VPN-related news updates to remote users. The page is also well suited as a starting page for restricted users: if mobile users or business partners are only permitted to access a few resources, the page that you create presents only the resources that are relevant to these users.

Portal layouts are applied by selecting one from the available portal layouts in the configuration of a domain. When you have completed your portal layout, you can apply the portal layout to one or more authentication domains (see Configuring Domains on page 9-2). You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button adjacent to the portal layout name.

Note: The UTM's default portal address is https://<IP_Address>/portal/SSL-VPN. The default domain geardomain is attached to the SSL VPN portal.

You may define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and Web cache control options. The default portal layout is the SSL VPN portal. You can add additional portal layouts. You can a
336. g setting.
Relay Gateway | The IP address of the DHCP server for which the UTM serves as a relay.

Table 4-1. VLAN Profile Settings (continued)
Setting | Description or Subfield and Description
Enable LDAP information | Select the Enable LDAP information checkbox to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the settings below. Note: The LDAP settings that you specify as part of the VLAN profile are used only for SSL VPN and UTM authentication, but not for Web and e-mail security.
LDAP Server | The IP address or name of the LDAP server.
Search Base | The search objects that specify the location in the directory tree from which the LDAP search begins. You can specify multiple search objects, separated by commas. The search objects include:
- cn (for common name)
- ou (for organizational unit)
- o (for organization)
- c (for country)
- dc (for domain)
For example, to search the Netgear.net domain for all last names of Johnson, you would enter cn=Johnson,dc=Netgear,dc=net.
port | The port number for the LDAP server. The default setting is zero.
DNS Proxy
Enable DNS Proxy | This is optional. Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution. This setting is
337. ganization that promotes multi-vendor VPN interoperability.

Creating Gateway-to-Gateway VPN Tunnels with the Wizard

[Figure 7-3: Gateway-to-Gateway Example, Single WAN Ports. Gateway A (VPN Router at office A; LAN IP, WAN IP, FQDN) and Gateway B (VPN Router at office B). Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]

To set up a gateway-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPsec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view.
2. Click the VPN Wizard submenu tab. The VPN Wizard screen displays (see Figure 7-4 on page 7-4, which contains some examples for the UTM25). The WAN1 and WAN2 radio buttons are shown on the VPN Wizard screen for the UTM25 but not on the VPN Wizard screen for the UTM10.

[Figure 7-4 (first part): VPN Wizard screen. About VPN Wizard: The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu. This VPN tunnel will connect to the following peers: Gateway / VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? What is the pre-s
338. ges generated during firmware updates and other service-related events.

Table C-4. System Logs: Service
- Message: 2008-12-31 23:59:48 [error] Firmware update failed. Either the subscription is not yet registered or has been expired.
- Explanation: Logs that are generated when a firmware update fails or succeeds. The message shows the date and time and the event. Note: The service log includes miscellaneous service messages.
- Recommended Action: None.

NTP
This section describes log messages generated by the NTP daemon during synchronization with the NTP server.
- The fixed time and date before NTP synchronizes with any of the servers is Thu Jan 01 00:01:52 GMT 1970.
- The resynchronization interval is governed by the specification defined in DOC-00045_Ntp_Spec.pdf.

Table C-5. System Logs: NTP
- Message 1: Nov 28 12:31:13 UTM ntpdate: Looking Up time-f.netgear.com
- Message 2: Nov 28 12:31:13 UTM ntpdate: Requesting time from time-f.netgear.com
- Message 3: Nov 28 12:31:14 UTM ntpdate: adjust time server 69.25.106.19 offset 0.140254 sec
- Message 4: Nov 28 12:31:14 UTM ntpdate: Synchronized time with time-f.netgear.com
- Message 5: Nov 28 12:31:16 UTM ntpdate: Date and Time Before Synchronization: Tue Nov 28 12:31:13 GMT+0530 2006
- Message 6: Nov 28 12:31:16 UTM ntpdate: Date and Time After Synchronization: Tue Nov 28 12:31:16 GMT+0530 2006
- Example: Nov 28 12:31:16 UTM ntpdate: Next Synchronizati
339. ggressive mode and disables the Main mode. Mode Config also requires that both the local and remote ends are defined by their FQDNs.
- No: Disables Mode Config for this IKE policy. Note: An XAUTH configuration via an edge device is not possible without Mode Config and is therefore disabled too. For more information about XAUTH, see "Configuring Extended Authentication (XAUTH)" on page 7-37.
- Select Mode Config Record: From the pull-down menu, select one of the Mode Config records that you defined on the Add Mode Config Record screen (see "Configuring Mode Config Operation on the UTM" on page 7-42).

General
- Policy Name: A descriptive name of the IKE policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
- Direction/Type: From the pull-down menu, select the connection method for the UTM:
  - Initiator: The UTM initiates the connection to the remote endpoint.
  - Responder: The UTM responds only to an IKE request from the remote endpoint.
  - Both: The UTM can both initiate a connection to the remote endpoint and respond to an IKE request from the remote endpoint.
- Exchange Mode: From the pull-down menu, select the exchange mode between the UTM and the remote VPN endpoint:
  - Main: This mode is slower than the Aggressive mode but more secure.
  - Aggressive: This mode is faster than the Main mode but less secure.
  Note: If you specify either a FQDN or a User FQDN n
340. gin incorrect
Nov 29 11:29:29 UTM pppd: PAP authentication failed
Nov 29 11:29:29 UTM pppd: Connection terminated
WAN2 DOWN
- Explanation: Starting link: Starting PPPoE connection process. Remote message: Login incorrect: Message from PPPoE server for incorrect login. PAP authentication failed: PPP authentication failed due to incorrect login. Connection terminated: PPP connection terminated.
- Recommended Action: If authentication fails, then check the login password and enter the correct one.

Traffic Metering Logs
This section describes logs that are generated when the traffic meter has reached a limit.

Table C-13. System Logs: Traffic Metering
- Message: Jan 23 19:03:44 TRAFFIC_METER: TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1
- Explanation: Logs that are generated when the traffic limit for the WAN1 interface, which was set at 10 MB, has been reached. Depending on the setting that is configured in the When Limit is reached section on the WAN1 Traffic Meter screen (see "Enabling the WAN Traffic Meter" on page 11-1), all the incoming and outgoing traffic might be stopped. Note: For the WAN2 interface, see the settings on the WAN2 Traffic Meter screen.
- Recommended Action: To start the traffic, restart the traffic counter in the Traffic Counter section on
341. gle Gateway WAN Port Reference Case
In a single WAN port gateway configuration, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder.

[Figure B-9: Road Warrior Example, Single WAN Port. Client B (Remote PC running NETGEAR ProSafe VPN Client) connects to Gateway A (VPN Router at employer's main office; LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP, FQDN bzrouter.dyndns.org). Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]

The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a FQDN must be used. If the IP address is fixed, a FQDN is optional.

VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability
In a dual WAN port auto-rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active WAN port (port WAN1 in Figure B-10 on page B-12) because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as a responder.

[Figure B-10 (first part): Road Warrior Example, Dual WAN Ports, Before Rollover. Client B connects to Gateway A (FQDN zrouter.dyndns.org; LAN 10.5.6.0/24, LAN IP 10.5.6.1; WAN1 IP; WAN2 port inactive, WAN2 IP 0.0.0.0).
342. gs 4-7
defaults
  configuration settings A
  configuration, restoring 12-8
  content filtering settings 6-2
  factory 10-18, 12-8
  IPsec VPN Wizard 7-4
  login time-out 2-4
  MTU 3-23
  password 2-3, 12-8
  PVID 4-2
  user name 2-3
  UTM IP address 2-9, 4-8
  UTM subnet mask 2-9, 4-8
  VLAN 2-8
de-militarized zone. See DMZ
denial of service. See DoS
deployment
  testing connectivity 2-26
  testing HTTP scanning 2-26
DES and 3DES 7-27, 7-35, 7-36, 7-45
DH 7-28, 7-37, 7-45
DH group 7-23
DHCP
  automatic configuration of devices 1-6
  DNS servers, IP addresses 2-10, 4-9, 4-21
  domain name 2-9, 4-9, 4-20
  LDAP server 2-10, 4-10, 4-21
  lease time 2-10, 4-9, 4-21
  log monitoring 11-31
  relay 2-10, 4-9, 4-21
  relay, VLANs 4-5
  server, VLANs 4-4
  servers 2-9, 4-8, 4-20
  settings 2-9, 4-8, 4-20
  VLANs 4-4
  WINS server 2-10, 4-9, 4-21
diagnostics 11-43
Differentiated Services Code Point. See DSCP
differentiated services. See DiffServ mark
Diffie-Hellman. See DH group
DiffServ mark 5-35
digital certificates. See certificates
Distributed Spam Analysis 6-16, 6-17
DMZ
  DHCP
    address pool 4-20
    DNS servers 4-21
    domain name 4-20
    LDAP server 4-21
    lease time 4-21
    relay 4-21
    server 4-20
    WINS server 4-21
  DNS proxy 4-22
  firewall security 4-18
  increasing traffic 10-7
  IP addresses 4-20
  port 1-5, 4-18
  setup settings 4-20
  subnet mask 4-20
DNS
  automati
343. guring Domains, Groups, and Users
Remote users connecting to the UTM through an SSL VPN portal must be authenticated before they are granted access to the network. The login window that is presented to the user requires three items: a user name, a password, and a domain selection. The domain determines both the authentication method and the portal layout that are used.

You must create name and password accounts for the SSL VPN users. When you create a user account, you must specify a group. Groups are used to simplify the application of access policies. When you create a group, you must specify a domain. Therefore, you should create any domains first, then groups, and then user accounts. To configure domains, groups, and users, see "Configuring VPN Authentication: Domains, Groups, and Users" on page 9-1.

Configuring Applications for Port Forwarding
Port forwarding provides access to specific, defined network services. To define these services, you must specify the internal server addresses and port numbers for TCP applications that are intercepted by the port forwarding client on the user's PC. This client reroutes the traffic to the UTM.

Adding Servers and Port Numbers
To configure port forwarding, you must define the IP addresses of the internal servers and the port number for TC
344. h RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the UTM25 connects to a RADIUS server. For more information, see "RADIUS Client Configuration" on page 7-39.
- Radius CHAP: XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see "RADIUS Client Configuration" on page 7-39.
- Username: The user name for XAUTH.
- Password: The password for XAUTH.
5. Click Apply to save your settings.

User Database Configuration
When XAUTH is enabled in an Edge Device configuration, users must be authenticated either by a local user database account or by an external RADIUS server. Whether or not you use a RADIUS server, you might want some users to be authenticated locally. These users must be added to the List of Users table on the Users screen, as described in "Configuring User Accounts" on page 9-9.

RADIUS Client Configuration
Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network. A RADIUS server stores a database of user information and can validate a user at the request of a gateway or server in the network w
345. hared key? 1234567890 (Key Length 8-49 Char). This VPN tunnel will use the following local WAN Interface: WAN1 / WAN2. End Point Information: What is the Remote WAN's IP Address or Internet Name? 75.34.173.25. What is the Local WAN's IP Address or Internet Name? 192.168.50.61. Secure Connection Remote Accessibility: What is the remote LAN IP Address? 192.[...].0. What is the remote LAN Subnet Mask? 255.255.255.0.] Figure 7-4

To view the wizard default settings, click the VPN Wizard Default Values option arrow at the top right of the screen. A popup window appears (see Figure 7-5 on page 7-5), displaying the wizard default values. After you have completed the wizard, you can modify these settings for the tunnel policy that you have set up.

[Figure 7-5: VPN Wizard default values]
Default values of IKE Policy:
- Exchange Mode: Aggressive
- ID Type: FQDN
- Local WAN ID: utm_local.com
- Remote WAN ID: utm_remote.com
- Encryption Algorithm: 3DES
- Authentication Algorithm: SHA-1
- Authentication Method: Pre-shared Key
- Key Group: DH Group 2 (1024 bit)
- Life Time: 24 hours
Default values for VPN Policy:
- Encryption Algorithm: 3DES
- Authentication Algorithm: SHA-1
- Life Time: 8 hours
- PFS Key Group: DH Group 2 (1024 bit)
- NETBIOS: Enabled
346. hat Increase Traffic
The following features of the UTM tend to increase the traffic load on the WAN side:
- LAN WAN inbound rules (also referred to as port forwarding)
- DMZ WAN inbound rules (also referred to as port forwarding)
- Port triggering
- Enabling the DMZ port
- Configuring exposed hosts
- Configuring VPN tunnels

LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)
The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for inbound traffic from WAN to LAN and from WAN to the DMZ. If you have not defined any rules, only the default rule is listed. The default rule blocks all access from outside except responses to requests from the LAN side. Any inbound rule that you create allows additional incoming traffic and therefore increases the traffic load on the WAN side.

Warning: This feature is for advanced administrators only. Incorrect configuration might cause serious problems.

Each rule lets you specify the desired action for the connections covered by the rule:
- BLOCK always
- BLOCK by schedule, otherwise Allow
- ALLOW always
- ALLOW by schedule, otherwise Block

The section below summarizes the various criteria that you can apply to inbound rules and that might increase traffic. For more information about inbound rules, see "Inbound Rules (Port
347. hat the backup WAN interface has already been configured. Then select the WAN interface that will act as the primary link for this mode, and configure the WAN failure detection method on the WAN Mode screen to support auto-rollover.

When the UTM is configured in auto-rollover mode, it uses the selected WAN failure detection method to check the connection of the primary link at regular intervals to detect router status. Link failure is detected in one of the following ways:
- By sending DNS queries to a DNS server, or
- By sending a ping request to an IP address, or
- None (no failure detection is performed).

From the primary WAN interface, DNS queries or ping requests are sent to the specified IP address. If replies are not received after a specified number of retries, the primary WAN interface is considered down and a rollover to the backup WAN interface occurs. When the primary WAN interface comes back up, another rollover occurs from the backup WAN interface back to the primary WAN interface. The WAN failure detection method that you select applies only to the primary WAN interface, that is, it monitors the primary link only.

To configure the dual WAN ports for auto-rollover mode:
1. Select Network Config > WAN Settings from the menu, then click the WAN Mode tab. The WAN Mode screen display
348. he LAN only, select the Private checkbox. Doing so prevents the static route from being advertised in RIP.
- Destination IP Address: The destination IP address to the host or network to which the route leads.
- IP Subnet Mask: The IP subnet mask to the host or network to which the route leads. If the destination is a single host, enter 255.255.255.255.
- Interface: From the pull-down menu, select the interface that is the physical network interface (WAN1, WAN2, LAN, or DMZ for the UTM25; or WAN, LAN, or DMZ for the UTM10) or virtual interface (VLAN profile) through which the route is accessible.
- Gateway IP Address: The gateway IP address through which the destination host or network can be reached.
- Metric: The priority of the route. Select a value between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is used.
4. Click Apply to save your settings. The new static route is added to the Static Route table.

To edit a static route that is in the Static Route table:
1. Select its entry from the table and click the edit table button in the Action column. The Edit Static Route screen displays. This screen is identical to the Add Static Route screen that is described above, with the exception that you cannot change the name of the static route.
2. Enter the settings as explained in Table 4-4.
3. Click Apply to save your settings.

Configuring Routing Information Protocol
349. he Port Forwarding screen displays (see Figure 8-14 on page 8-23).
3. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields:
- Local Server IP Address: The IP address of an internal server or host computer that you want to name.
- Fully Qualified Domain Name: The full server name.
Note: If the server or host computer that you want to name does not appear in the List of Configured Applications for Port Forwarding table, you must add it before you can rename it.
4. Click the Add table button. The new application entry is added to the List of Configured Host Names for Port Forwarding table.

To delete a name from the List of Configured Host Names for Port Forwarding table, select the checkbox to the left of the name that you want to delete, and then click the delete table button in the Action column.

Configuring the SSL VPN Client
The SSL VPN client on the UTM assigns IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the local subnet to the remote VPN tunnel clients. The following are some additional considerations:
- So that the virtual (PPP) interface address of a VPN tunnel client does not conflict with addresses on
350. he amount of data that is transmitted over this SA.
- Tx Packets: The number of IP packets that are transmitted over this SA.
- State: The current status of the SA. Phase 1 is the authentication phase and Phase 2 is the key exchange phase. If there is no connection, the status is IPsec SA Not Established.
- Action: Click the connect table button to build the connection, or click the drop table button to terminate the connection.

Viewing the UTM IPsec VPN Log
To query the IPsec VPN log:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view.
2. Click the Logs Query submenu tab. The Logs Query screen displays.
3. From the Log Type pull-down menu, select IPSEC VPN. The IPsec VPN logs display (see Figure 7-19 on page 7-21).

[Figure 7-19: IPsec VPN log display. The capture shows IKE daemon start-up entries timestamped 2009 Jun 29 23:24:32 (UTM IKE on 192.168.1.1 eth0, default isakmp port, NAT-T, autoconfiguring ports, configured successfully).]
351. he log file.
- Size: Select the Split logs size to checkbox to break up the log file into smaller files, and specify the maximum size of each file in MB.

Send Logs via Syslog (continued)
- Enable: Select this checkbox to enable the UTM to send a log file to a syslog server.
- SysLog Server: The IP address or name of the syslog server.
- SysLog Severity: All the logs with a severity that is equal to and above the severity that you specify are logged on the specified syslog server. For example, if you select LOG_CRITICAL as the severity, then the logs with the severities LOG_CRITICAL, LOG_ALERT, and LOG_EMERG are logged. Select one of the following syslog severities:
  - LOG_EMERG: The UTM is unusable.
  - LOG_ALERT: An action must be taken immediately.
  - LOG_CRITICAL: There are critical conditions.
  - LOG_ERROR: There are error conditions.
  - LOG_WARNING: There are warning conditions.
  - LOG_NOTICE: There are normal but significant conditions.
  - LOG_INFO: Informational messages.
  - LOG_DEBUG: Debug-level messages.
- Logs: Select the checkboxes to specify which logs are sent via the syslog server. The Select Logs to Send part of the Email Logs to Administrator section of the screen (see above) lists the same checkboxes as the Send Logs via Syslog section of the screen.
352. hen a user requests access to network resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH request. At that point, the remote user must provide authentication information such as a user name and password, or some encrypted response using his user name and password information. The gateway then attempts to verify this information, first against a local user database (if RADIUS PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.

To configure primary and backup RADIUS servers:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view.
2. Click the RADIUS Client submenu tab. The RADIUS Client screen displays.

[Figure 7-24: RADIUS Client screen. Primary RADIUS Server section: Do you want to enable a Primary RADIUS Server? (Yes/No); Primary Server IP address; Secret Phrase; Primary Server NAS Identifier (UTM25). Backup RADIUS Server section: Do you want to enable a Backup RADIUS Server? (Yes/No); Backup Server IP Address; Secret Phrase; Backup Server NAS Identifier (UTM25). Connection Configuration section: Time-out period (Sec); Maximum Retry Count.]

3. Complete the fields and select the radio buttons
353. hen the file or message exceeds the maximum size:
- Skip: The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting.
- Block: The file is blocked and does not reach the end user.

Block Files with the Following Extensions: By default, the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions; the maximum total length of this field, excluding the delimiter commas, is 160 characters. You can also use the pull-down menu to add predefined file extensions from a specific category to the File Extension field:
- None: No file extensions are added to the File Extension field. This is the default setting.
- Executables: Executable file extensions (exe, com, dll, so, lib, scr, bat, and cmd) are added to the File Extension field.
- Audio/Video: Audio and video file extensions (wav, mp3, avi, rm, rmvb, wma, wmv, mpg, mp4, and aac) are added to the File Extension field.
- Compressed Files: Compressed file extensions (zip, rar, gz, tar, and bz2) are added to the File Extension field.
3. Click Apply to save your settings.

Setting Web Access Exceptions and Scanning Exclusions
After you have specified which content the UTM filters, you can set exception rules for users of certain LAN groups. Similarly, after you have specified which IP addresses and ports the UTM s
354. hentication Protocol (PAP). Complete the Authentication Server and Authentication Secret fields.
- Radius CHAP: RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the Authentication Server and Authentication Secret fields.
- Radius MSCHAP: RADIUS Microsoft CHAP. Complete the Authentication Server and Authentication Secret fields.
- Radius MSCHAPv2: RADIUS Microsoft CHAP version 2. Complete the Authentication Server and Authentication Secret fields.
- WIKID PAP: WIKID Systems PAP. Complete the Authentication Server and Authentication Secret fields.
- WIKID CHAP: WIKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields.
- MIAS PAP: Microsoft Internet Authentication Service (MIAS) PAP. Complete the Authentication Server and Authentication Secret fields.
- MIAS CHAP: Microsoft Internet Authentication Service (MIAS) CHAP. Complete the Authentication Server and Authentication Secret fields.
- NT Domain: Microsoft Windows NT Domain. Complete the Authentication Server and Workgroup fields.
- Active Directory: Microsoft Active Directory. Complete the Authentication Server and Active Directory Domain fields.
- LDAP: Lightweight Directory Access Protocol (LDAP). Complete the Authentication Server and LDAP Base DN fields.

Table 8-2. SSL VPN Wizard Ste
355. hering Important Log Information
To gather log information about your UTM:
1. Locate the Gather Important Log Information section on the Diagnostics screen.
2. Click Download Now. You are prompted to save the downloaded log information file to your computer. The default file name is importantlog.gpg.
3. When the download is complete, browse to the download location you specified and verify that the file has been downloaded successfully.

Generating Network Statistics
The Network Statistic Report provides a detailed overview of the network utilization in the UTM-managed network environment. The report allows you to see what consumes the most resources on the network.

To generate the Network Statistic Report:
1. Locate the Network Statistics Report section on the Diagnostics screen.
2. Click Generate Network Statistics. The network statistics report is sent as an e-mail to the recipient that you specified on the Email Notification screen (see "Configuring the E-mail Notification Server" on page 11-5).

Rebooting and Shutting Down the UTM
You can perform a remote reboot (restart), for example, when the UTM seems to have become unstable or is not operating normally.

Note: Rebooting breaks any existing connections, either to the UTM (such as your management session) or through the UT
356. his radio button and enter the following settings:
- Account Name: The account name is also known as the host name or system name. Enter the valid account name for the PPTP connection (usually your e-mail ID assigned by your ISP). Some ISPs require entering your full e-mail address here.
- Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave this field blank.
- Idle Timeout: Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time, select the Idle Time radio button and, in the timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in.
- My IP Address: The IP address assigned by the ISP to make the connection with the ISP server.
- Server IP Address: The IP address of the PPTP server.
- Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. Select this radio button and enter the following settings:
  - Account Name: The valid account name for the PPPoE connection.
  - Domain Name: The name of your ISP's domain or your domain name, if your ISP has assigned one. You may leave this field blank.
  - Idle Timeout: Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period of time
357. [unreadable entry] 9-19
Managing Self Certificates 9-20
Managing the Certificate Revocation List 9-25
Chapter 10 Network and System Management
Performance Management 10-1
Bandwidth Capacity 10-1
Features That Reduce Traffic 10-2
Features That Increase Traffic 10-5
Using QoS and Bandwidth Assignment to Shift the Traffic Mix 10-8
Monitoring Tools for Traffic Management 10-9
System Management 10-9
Changing Passwords and Administrator Settings 10-9
Configuring Remote Management Access 10-12
Using an SNMP Manager 10-14
Managing the Configuration File 10-15
Updating the Firmware 10-18
Updating the Scan Signatures and Scan Engine Firmware 10-21
Configuring Date and Time Service 10-24
358. ice and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
- IPsec VPN with broad protocol support for secure connection to other IPsec gateways and clients. Bundled with a 1-user license of the NETGEAR ProSafe VPN Client software (VPN01L). Supports up to 10 (UTM10) or 25 (UTM25) site-to-site IPsec VPN tunnels.
- SSL VPN provides remote access for mobile users to selected corporate resources without requiring a pre-installed VPN client on their computers. Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories. Browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari. Provides granular access to corporate resources based upon user type or group membership. Supports up to 5 (UTM10) or 13 (UTM25) dedicated SSL VPN tunnels.

A Powerful, True Firewall
Unlike simple Internet sharing NAT routers, the UTM is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capa
359. icted address 5-26
virtual LAN. See VLAN
Virtual Private Network Consortium. See VPNC
virtual private network. See VPN tunnel
virus
  database 10-21
  logs. See malware logs
  protection 6-5, 6-21
  signature files 10-21
VLAN
  advantages 4-2
  default 2-8
  description 4
  DHCP
    address pool 4-9
    DNS servers 4-9
    domain name 4-9
    LDAP server 4-10
    lease time 4-9
    options 4-4
    relay 4-5, 4-9
    server 4-4, 4-8
    WINS server 4-9
  DNS proxy 4-5, 4-10
  ID 4-8
  LAN TCP/IP 4-8
  LDAP server 4-6
  port membership 4-8
  port-based 4-2
  profile name 4-8
  profiles 4-3, 4-6
VoIP (voice over IP) sessions 5-24
  number of 2
VPN
  Road Warrior, dual WAN mode, load balancing B-13
  Road Warrior, single WAN port mode B-11
  VPN Telecommuter, dual WAN ports, auto-rollover B-17
  VPN Telecommuter, dual WAN ports, load balancing B-18
  VPN Telecommuter, single WAN port mode B-16
  failover 7-34
  FQDNs 7-2, B-9
  gateway-to-gateway, using IPsec VPN Wizard 7-3
  IKE policies
    exchange mode 7-23, 7-26
    ISAKMP identifier 7-23, 7-27
    managing 7-22
    ModeConfig 7-26, 7-46
    XAUTH 7-29
  increasing traffic 10-8
  IPsec VPN logs 7-20, 11-9, 11-33, 11-35
  specifications A-3
  user account 9-9, 9-1
  IPsec VPN policies
    automatically generated (auto) 7-30
    groups, configuring 9-6
    managing 7-2
    manually generated (manual) 7-30
    keepalives 7-34, 7-55
    load balancing mode 7-2
    NetBIOS 7-34, 7-58
VPN IPsec
360. icy
To manually add a VPN policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-23).
2. Click the VPN Policies submenu tab. The VPN Policies screen displays (see Figure 7-22 on page 7-31).
3. Under the List of VPN Policies table, click the add table button. The Add VPN Policy screen displays (see Figure 7-23 on page 7-33, which shows the UTM25 screen). The WAN1 and WAN2 radio buttons next to Select Local Gateway are shown on the Add VPN Policy screen for the UTM25 but not on the Add VPN Policy screen for the UTM10.

[Figure 7-23: Add VPN Policy screen. Fields shown: Policy Name; Policy Type; Select Local Gateway (WAN1 / WAN2); Remote Endpoint (IP Address / FQDN); Enable NetBIOS; Enable RollOver; Enable Keepalive (Yes / No); Ping IP Address; Detection period (Seconds); Reconnect after failure count; Local IP and Remote IP (Any; Start IP Address; End IP Address; Subnet Mask); SPI Incoming (Hex, 3-8 Chars); SPI Outgoing (Hex, 3-8 Chars); Encryption Algorithm (DES); Integrity Algorithm; Key In; Key Out (DES: 8 Char; 3DE
361. idth Limit. [Figure 5-23: List of Bandwidth Profiles table, with select all, delete, and add table buttons.] The screen displays the List of Bandwidth Profiles table with the user-defined profiles. 3. Under the List of Bandwidth Profiles table, click the add table button. The Add Bandwidth Profile screen displays. [Figure 5-24: Add Bandwidth Profile screen. Fields shown: Profile Name; Minimum Bandwidth (Kbps); Maximum Bandwidth (100-100000 Kbps); Type; Maximum Number of Instances; Direction.] 4. Enter the settings as explained in Table 5-8 on page 5-38. Table 5-8. Bandwidth Profile Settings. Profile Name: A descriptive name of the bandwidth profile for identification and management purposes. Minimum Bandwidth: The minimum allocated bandwidth in Kbps. The default setting is 0 Kbps. Maximum Bandwidth: The maximum allowed bandwidth in Kbps. The default setting and minimum setting is 100 Kbps; the maximum allowable bandwidth is 100000 Kbps. Type: From the Type pull-down menu, select the type for the bandwidth profile: Group: The profile applies to all users, that is, all users share the available bandwidth. Individual: The profile applies to an individual user, that is, each user can use the available bandwidth.
362. ied number of malware threats are detected. Note: When the specified number of detected malware threats is reached within the time threshold, the UTM sends a malware outbreak alert. Protocol: Select the checkbox or checkboxes to specify the protocols (SMTP, POP3, IMAP, HTTP, FTP, and HTTPS) for which malware threats are detected. Subject: Enter the subject line for the e-mail alert. The default text is "Outbreak alert". Enable IPS Outbreak Alerts: Select this checkbox to enable malware outbreak alerts and configure the Outbreak Criteria and Subject fields. Outbreak Criteria: To define an IPS outbreak, specify the following fields: Attacks found within: The number of IPS attacks that are detected. minutes (maximum 90 minutes): The period in which the specified number of IPS attacks are detected. Note: When the specified number of IPS attacks is reached within the time threshold, the UTM sends a malware outbreak alert. Subject: Enter the subject line for the e-mail alert. The default text is "Outbreak alert". Enable IPS Alerts: Select this checkbox to enable IPS alerts and configure the Subject field. Subject: Enter the subject line for the e-mail alert. The default text is "IPS alert". 4. Click Apply to save your settings. Configuring and Activating Firewall Logs
363. igned WAN interface. Single Address: All the outgoing packets on the WAN are assigned the specified IP address, for example, a secondary WAN address that you have configured. Note: This option is available only when the WAN mode is NAT. The IP address specified should fall under the WAN subnet. Inbound Rules (Port Forwarding): If you have enabled Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule informs the firewall to direct inbound traffic for a particular service to one local server, based on the destination port number. This process is also known as port forwarding. Whether or not DHCP is enabled, how the PCs access the server's LAN address impacts the inbound rules. For example: If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease expires. Consider using Dynamic DNS so that external users can always find your network (see Configuring Dynamic DNS on page 3-19). If the IP address of the local server PC is assigned by DHCP, it might change when the P
364. igurable field that displays the total monthly traffic volume limit that is applicable to this month. This total is the sum of the monthly traffic volume and the increased traffic volume. Traffic Counter: Restart traffic counter: Select one of the following radio buttons to specify when the traffic counter restarts: Restart Traffic Counter Now: Select this option and click Apply at the bottom of the screen to restart the traffic counter immediately. Restart Traffic Counter at a Specific Time: Restart the traffic counter at a specific time and day of the month. Fill in the time fields and choose AM or PM and the day of the month from the pull-down menus. Send e-mail report before restarting counter: An e-mail report is sent immediately before restarting the counter. Ensure that e-mailing of logs is enabled on the Email and Syslog screen (see Configuring Logging, Alerts, and Event Notifications on page 11-5). Table 11-1. WAN Traffic Meter Settings (continued). When Limit is reached: Block traffic: Select one of the following radio buttons to specify what action the UTM performs when the traffic limit has been reached: Block All Traffic: All incoming and outgoing Internet and e-mail traffic is blocked.
365. il address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following: Login Name; Password; Service Name. Fixed or Static IP Address: If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address: Fixed or Static Internet IP Address; Gateway IP Address; Subnet Mask. ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address; Secondary DNS Server IP Address. Host and Domain Names: Some ISPs use a specific host or domain name, like CCA7324-A or home. If you have not been given host or domain names, you can use the following examples as a guide: If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name. If your ISP's mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name. ISP Host Name; ISP Domain Name. Fully Qualified Domain Name: Some organizations use a fully qualified domain name (FQDN) from a dynamic DNS service provider for their IP addresses: Dynamic DNS Service Provider; FQDN. Overview of the Planning Process: The a
366. ile. By default, the File Extension field lists the most common file extensions. You can manually add or delete extensions. Use commas to separate different extensions. You can enter a maximum of 40 file extensions; the maximum total length of this field, excluding the delimiter commas, is 160 characters. You can also use the pull-down menu to add predefined file extensions from a specific category to the File Extension field: None: No file extensions are added to the File Extension field. This is the default setting. Executables: Executable file extensions (exe, com, dll, so, lib, scr, bat, and cmd) are added to the File Extension field. Audio/Video: Audio and video file extensions (wav, mp3, avi, rm, rmvb, wma, wmv, mpg, mp4, and aac) are added to the File Extension field. Compressed Files: Compressed file extensions (zip, rar, gz, tar, and bz2) are added to the File Extension field. Action (SMTP, POP3, IMAP): From the pull-down menu, specify an action when an e-mail attachment with a file extension that is defined in the File Extension field is detected. The pull-down menu selections and defaults are the same as the ones for the Filter by Password-Protected Attachments (ZIP, RAR, etc.) section above. Filter by File Name: File Name: Enter the file names that are detected. Use commas to separate multiple file names. For example, to block the Netsky worm, which normally arrives as netsky.exe, enter ne
367. iles on page 5-33. Note: There is no default QoS profile on the UTM. After you have created a QoS profile, it can become active only when you apply it to a non-blocking inbound or outbound firewall rule. Bandwidth Profile: Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth of the Internet link. Bandwidth limiting occurs in the following ways: For outbound traffic, on the available WAN interface in the single WAN port mode and auto-rollover mode, and on the selected interface in load balancing mode. For inbound traffic, on the LAN interface for all WAN modes. Note: Bandwidth limiting does not apply to the DMZ interface. Log: The setting that determines whether packets covered by this rule are logged. The options are: Always: Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules. Never: Never log traffic considered by this rule, whether it matches or not. NAT IP: The setting that specifies whether the source address of the outgoing packets on the WAN should be assigned the address of the WAN interface or the address of a different interface. The options are: WAN Interface Address: All the outgoing packets on the WAN are assigned the address of the ass
368. iles, cookies, and browser history when the user logs out or closes the Web browser window. The ActiveX Web cache control is ignored by Web browsers that do not support ActiveX. SSL VPN Portal Pages to Display: VPN Tunnel page: Select this checkbox to provide full network connectivity. Port Forwarding: Select this checkbox to provide access to specific defined network services. Note: Any pages that are not selected are not visible from the SSL VPN portal; however, users can still access the hidden pages unless you create SSL VPN access policies to prevent access to these pages. SSL VPN Wizard Step 2 of 6: Domain Settings. [Figure 8-3: SSL VPN Wizard Step 2 of 6 screen. Fields shown: Domain Name; Authentication Type (Local User Database, the default); Portal; Authentication Server; Authentication Secret; Workgroup; LDAP Base DN; Active Directory Domain. The on-screen note states that leaving the Domain Name blank means using the system default domain, geardomain, without any change; otherwise the wizard will try to create a new one, so make sure that the domain name has not been used. If the name already exists, applying the wizard will fail and the UTM will have to reboot to recover its configuration.] Note that Figure 8-3 contains some examples. Enter the settings as explained in Table 8-2 on page 8-6, then click Next to go to the following screen.
369. ill fail and the UTM will reboot to recover its configuration. Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the client IP address range and routes by selecting VPN > SSL VPN > SSL VPN Client. For more information about client IP address range and routes settings, see Configuring the SSL VPN Client on page 8-25. Table 8-4. SSL VPN Wizard Step 4: Client IP Address Range and Routes Settings. Client IP Address Range: Enable Full Tunnel Support: Select this checkbox to enable full tunnel support. If you leave this checkbox deselected, which is the default setting, split tunnel support is enabled, and you must add a client route by completing the Destination Network and Subnet Mask fields. Note: When full tunnel support is enabled, client routes are not operable. DNS Suffix: A DNS suffix to be appended to incomplete DNS search strings. This is an option. Primary DNS Server: The IP address of the primary DNS server that is assigned to the VPN tunnel clients. This is an option. Note: If you do not assign a DNS server, the DNS settings remain unchanged in the VPN client after a VPN tunnel has been established. Secondary DNS Server: The IP address of the secondar
370. ime fields for each day that content filtering is active. Setup Wizard Step 8 of 10: Administrator Email Notification Settings. [Figure 2-14: Setup Wizard Step 8 of 10, Email Notification screen. Fields shown: Show as mail sender (example: UTM_Notifications@netgear.com); SMTP server (example: mail.yourdomain.com, port 25); This server requires authentication; User name; Password; Send notifications to (example: admin@yourdomain.com).] Enter the settings as explained in Table 2-8, then click Next to go to the following screen. Note: After you have completed the steps in the Setup Wizard, you can make changes to the administrator email notification settings by selecting Network Config > Email Notification. For more information about these settings, see Configuring the E-mail Notification Server on page 11-5. Table 2-8. Setup Wizard Step 8: Administrator Email Notification Settings. Show as mail sender: A descriptive name of the sender for e-mail identification purposes. For example, enter UTM_Notifications@netgear.com. SMTP server: The IP address and port number, or Internet name and port number, of your ISP's outgoing e-mail (SMTP) se
371. in Your Network. Note: After you have completed the steps in the Setup Wizard, you can make changes to the security subscription update settings by selecting Administration > System Update > Signatures and Engine. For more information about these settings, see Updating the Scan Signatures and Scan Engine Firmware on page 10-21. Table 2-9. Setup Wizard Step 9: Security Subscription Update Settings. Update Settings: Update: From the pull-down menu, select one of the following options: Never: The pattern and firmware files are never automatically updated. Scan engine and Signatures: The pattern and firmware files are automatically updated according to the Update Frequency settings below. Update From: Set the update source server by selecting one of the following radio buttons: Default update server: Files are updated from the default NETGEAR update server. Server address: Files are updated from the server that you specify; enter the IP address or host name of the update server. Update Frequency (minutes to 12 hours): Specify the frequency with which the UTM checks for file updates: Weekly: From the pull-down menus, select the weekday, hour, and minutes that the updates occur. Daily: From the pull-down menus, select the hour and mi
372. ine 6-4; Customizing E-mail Anti-Virus and Notification Settings 6-5; E-mail Content Filtering 6-8; Protecting Against E-mail Spam 6-11; Configuring Web and Services Protection 6-19; Customizing Web Protocol Scan Settings and Services 6-19; Configuring Web Malware Scans 6-21; Configuring Web Content Filtering 6-23; Configuring Web URL Filtering 6-30; [title illegible] 6-34; Specifying Trusted Hosts 6-37; Configuring FTP Scans 6-39; Setting Web Access Exceptions and Scanning Exclusions 6-41; Setting Web Access Exception Rules 6-41; Setting Scanning Exclusions 6-44. Chapter 7: Virtual Private Networking Using IPsec Connections: Considerations for Dual WAN Port Systems (UTM25 Only) 7-1; Using the IPsec VPN Wizard for Client and Gateway Configurations 7-3; Creating Gateway-to-Gateway VPN Tunnels
373. ined: The time when the DHCP lease was obtained. Lease Duration: The period that the DHCP lease remains in effect. Depending on the type of connection, any of the following buttons may be displayed on the Connection Status screen: renew: Click to renew the DHCP lease. release: Click to disconnect the DHCP connection. disconnect: Click to disconnect the static IP connection. For the UTM25 only, the procedure to view the status of the WAN2 port is identical to the one for the WAN1 port, with the exception that you must select the WAN2 ISP Settings submenu tab to display the WAN2 ISP Settings screen. Viewing Attached Devices and the DHCP Log: The LAN Groups screen contains a table of all IP devices that the UTM has discovered on the local network. The LAN Setup screen lets you access the DHCP log. Viewing Attached Devices: To view the attached devices in the LAN Groups screen: 1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view (see Figure 11-20 on page 11-30, which contains some profiles in the VLAN Profiles table as an example). [Figure 11-20: LAN Setup screen. The VLAN Profiles table has Profile Name, Subnet IP, and DHCP Status columns (example rows: defaultVlan, 192.168.1.1; SalesVLAN, 192.170.1.100), select all, delete, enable, disable, and add table buttons, and port membership columns for Port 1, Port 2, Port 3, Port 4, and DMZ.]
374. ing on page 6-30. Access to the URLs on the whitelist is allowed for PCs in the groups for which file extension, keyword, object, or category blocking, or a combination of these types of Web blocking, has been enabled. To configure Web content filtering: 1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view. 2. Click the Content Filtering submenu tab. The Content Filtering screen displays. Because of the large size of this screen, it is presented in this manual in three figures: Figure 6-9 on this page, Figure 6-10 on page 6-26, and Figure 6-11 on page 6-27. [Figure 6-9: Content Filtering screen (1 of 3). Fields shown: Log HTTP Traffic (this will slow down performance); Block Files with the Following Extensions (example: exe, com, pif); Full Text Search: Block web pages with the following keywords (this will slow down performance; example: foo, bar); Block Web Objects: Remove Embedded Objects (ActiveX, Java, Flash), Disable Javascript, Proxy, Cookies; Select the Web Categories You Wish to Block.] [Figure 6-10, partial: Select the Web Categories You Wish to Block: Enable Blocking; Commerce; Advert
375. interface for packet. PROTO: Protocol used. SELF: Packet coming from the system only. SPT: Source port. SRC: Source IP address of the machine from which the packet is coming. TYPE: Protocol type. System Log Messages: This section describes log messages that belong to one of the following categories: Logs that are generated by traffic that is meant for the UTM; Logs that are generated by traffic that is routed or forwarded through the UTM; Logs that are generated by system daemons (NTP, the WAN daemon, and others). System Startup: This section describes log messages generated during system startup. Table C-2. System Logs: System Startup. Message: Jan 1 15:22:28 UTM ledTog: SYSTEM START UP: System Started. Explanation: Logs that are generated when the system is started. Recommended Action: None. Reboot: This section describes log messages generated during a system reboot. Table C-3. System Logs: Reboot. Message: Nov 25 19:42:57 UTM reboot: Rebooting in 3 seconds. Explanation: Logs that are generated when the system is rebooted from the Web Management Interface. Recommended Action: None. Service Logs: This section describes log messa
376. ion: From the RIP Direction pull-down menu, select the direction in which the UTM sends and receives RIP packets: None: The UTM neither advertises its route table nor accepts any RIP packets from other routers. This effectively disables RIP. In Only: The UTM accepts RIP information from other routers but does not advertise its routing table. Out Only: The UTM advertises its routing table but does not accept RIP information from other routers. Both: The UTM advertises its routing table and also processes RIP information received from other routers. RIP Version: From the RIP Version pull-down menu, select the version: RIP-1: Classful routing that does not include subnet information. This is the most commonly supported version. RIP-2: Routing that supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format: RIP-2B sends the routing data in RIP-2 format and uses subnet broadcasting; RIP-2M sends the routing data in RIP-2 format and uses multicasting. Authentication for RIP-2B/2M: Authentication for RIP-2B/2M required: Authentication for RIP-2B or RIP-2M is disabled by default, that is, the No radio button is selected. To enable authentication for RIP-2B or RIP-2M, select the Yes radio button and enter the settings for the fields below. First Key Parameters: MD5 Key Id: The identifier for the key that is used for authentication. MD5 Auth Key: The password that is used fo
377. ion Date: September 2009. Product Family: UTM. Product Name: ProSecure Unified Threat Management Appliance UTM10 or UTM25. Home or Business Product: Business. Language: English. Publication Part Number: 202-10482-01. Publication Version Number: 1.0. Contents. About This Manual: Conventions, Formats, and Scope xvii; [title illegible] xviii; [title illegible] xviii. Chapter 1: Introduction: What Is the ProSecure Unified Threat Management Appliance UTM10 or UTM25? 1-1; Key Features and Capabilities 1-2; Dual WAN Ports for Increased Reliability or Outbound Load Balancing (UTM25 Only) 1-3; Advanced VPN Support for Both IPsec and SSL 1-3; A Powerful, True Firewall 1-4; Stream Scanning for Content Filtering 1-4; [title illegible] 1-5; Autosensing Ethernet Connections with Auto Uplink 1-5; Extensive Protocol Support 1-6; Easy Installation and Manageme
378. ion below. If you select Yes, enter the following settings: Login: The login name that your ISP has assigned to you. Password: The password that your ISP has assigned to you. ISP Type: What type of ISP connection do you use? If your connection is PPPoE or PPTP, then you must log in. Select the Yes radio button. Based on the connection that you select, the text box fields that require data entry are highlighted. If your ISP has not assigned any login information, then select the No radio button and skip this section. If you select Yes, enter the following settings: Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button and enter the following settings: Account Name: The account name is also known as the host name or system name. Enter the valid account name for the PPTP connection, usually your e-mail ID assigned by your ISP. Some ISPs require entering your full e-mail address here. Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave this field blank. Table 2-2. Setup Wizard Step 2: WAN Settings (continued). Austria (PPTP) (continued)
379. ions on page 8-17, or to a section in another chapter. SSL VPN Wizard Step 1 of 6: Portal Settings. [Figure 8-2: SSL VPN Wizard Step 1 of 6 screen. Fields shown: Portal Layout Name; Portal Site Title; Banner Title; Banner Message; Display banner message on login page; HTTP meta tags for cache control (recommended); ActiveX web cache cleaner; VPN Tunnel page; Port Forwarding. The on-screen note states that leaving the Portal Layout Name blank means using the system default portal layout, SSL-VPN, without any change; otherwise the wizard will try to create a new one, so make sure that the portal layout name is not used. If the name already exists, applying the wizard will fail.] Note that Figure 8-2 contains some examples. Enter the settings as explained in Table 8-1 on page 8-4, then click Next to go to the following screen. Note: If you leave the Portal Layout Name field blank, the SSL VPN Wizard uses the default portal layout, SSL-VPN. You must enter a name other than SSL-VPN in the Portal Layout Name field so that the SSL VPN Wizard can create a new portal layout. Do not enter an existing portal layout name in the Portal Layout Name field; otherwise, the SSL VPN Wizard will fail, although the UTM will not reboot in this situation.
380. ions of the network. Mode Config Operation: After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings, such as the IP address, subnet mask, WINS server, and DNS address, from the UTM. The Mode Config feature allocates an IP address from the configured IP address pool and activates a temporary IPsec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record on the Add Mode Config Record screen that is shown in Figure 7-26 on page 7-44. Note: After configuring a Mode Config record, you must manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record pull-down menu (see Configuring Mode Config Operation on the UTM on page 7-42). You do not need to make changes to any VPN policy. Note: An IP address that is allocated to a VPN client is released only after the VPN client has gracefully disconnected or after the SA lifetime for the connection has timed out. Configuring Mode Config Operation on the UTM: To configure Mode Config on the UTM, you first must create a Mode Config record and then select the Mode Config record for an IKE policy. 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view.
381. iption. Hosts: This field contains the trusted hosts for which scanning is bypassed. To add a host to this field, use the Add Host field or the Import from File tool (see below). You can add a maximum of 200 URLs. delete: To delete one or more hosts, highlight the hosts and click the delete table button. export: To export the hosts, click the export table button and follow the instructions of your browser. Add Host: Type or copy a trusted host in the Add Host field. Then click the add table button to add the host to the Host field. Import from File: To import a list with trusted hosts into the Host field, click the Browse button and navigate to a file in .txt format that contains line-delimited hosts, that is, one host per line. Then click the upload table button to add the hosts to the Host field. Note: Any existing hosts in the Host field are overwritten when you import a list of hosts from a file. 4. Click Apply to save your settings. Configuring FTP Scans: Some malware threats are specifically developed to spread through the FTP protocol. By default, the UTM scans FTP traffic, but you can specify how the UTM scans FTP traffic and which action is taken when a malware threat is detected. Note: The UTM does not scan password-protected FTP files. To configure the FTP scan set
382. iption. Name: A descriptive name of the domain for identification and management purposes. Subject: The name that other organizations see as the holder (owner) of the certificate. In general, use your registered business name or official company name for this purpose. Note: Generally, all of your certificates should have the same value in the Subject field. Table 9-7. Generate Self Certificate Request Settings (continued). Hash Algorithm: From the pull-down menu, select one of the following hash algorithms: MD5: A 128-bit (16-byte) message digest, slightly faster than SHA-1. SHA-1: A 160-bit (20-byte) message digest, slightly stronger than MD5. Signature Algorithm: Although this seems to be a pull-down menu, the only possible selection is RSA. In other words, RSA is the default to generate a CSR. Signature Key Length: From the pull-down menu, select one of the following signature key lengths in bits: 512, 1024, 2048. Note: Larger key sizes might improve security but might also decrease performance. IP Address: Enter your fixed (static) IP address. If your IP address is dynamic, leave this field blank. Optional Fields: Domain Name: Enter your Internet domain name or leave th
383. ired. The UTM can automatically check for new malware signatures as frequently as every 15 minutes. Multiple anti-spam technologies to provide extensive protection against unwanted mail. Easy, Web-based wizard setup for installation and management. SNMP manageable. Front panel LEDs for easy monitoring of status and activity. Flash memory for firmware upgrade. Internal universal switching power supply. Dual WAN Ports for Increased Reliability or Outbound Load Balancing (UTM25 Only): The UTM25 has two broadband WAN ports. The second WAN port allows you to connect a second broadband Internet line that can be configured on a mutually exclusive basis to: Provide backup and rollover if one line is inoperable, ensuring that you are never disconnected. Load balance, or use both Internet lines simultaneously for outgoing traffic. The UTM25 balances users between the two lines for maximum bandwidth efficiency. See Network Planning for Dual WAN Ports (UTM25 Only) on page B-1 for the planning factors to consider when implementing the following capabilities with dual WAN port gateways: Single or multiple exposed hosts; Virtual private networks. Advanced VPN Support for Both IPsec and SSL: The UTM supports IPsec and SSL virtual private network (VPN) connections: IPsec VPN delivers full network access between a central off
384. irmware and pattern file. Current Version: The version of the files. Last Updated: The date of the most recent update. To immediately update the scan engine firmware and pattern file, click Update Now at the bottom of the screen. Configuring Automatic Update and Frequency Settings: To configure the update settings and frequency settings for automatic downloading of the scan engine firmware and pattern file: 1. Locate the Update Settings, Frequency Settings, and HTTPS Proxy Settings section on the Signatures & Engine screen (see Figure 10-7 on page 10-22). Enter the settings as explained in Table 10-2. Table 10-2. Signatures & Scan Engine Settings. Update Settings: Update: From the pull-down menu, select one of the following options: Never: The pattern and firmware files are never automatically updated. Scan engine and Signatures: The pattern and firmware files are automatically updated according to the Update Frequency settings below. Update From: Set the update source server by selecting one of the following radio buttons: Default update server: Files are updated from the default NETGEAR update server. Server address: Files are updated from the server that you specify; enter the IP address or host name of the upda
is field blank.
  E-mail Address: Enter the e-mail address of a technical contact in your company.
3. Click the generate table button. A new SCR is created and added to the Self Certificate Requests table.
4. In the Self Certificate Requests table, click the view table button in the Action column to view the new SCR. The Certificate Request Data screen displays (see Figure 9-14 on page 9-24).

[Figure 9-14: Certificate Request Data screen. "Operation succeeded". Certificate Details: Subject Name CN=NETGEAR; Hash Algorithm MD5; Signature Algorithm RSA; Key Length 1024. "Data to supply to CA": a PEM-encoded request running from BEGIN CERTIFICATE REQUEST to END CERTIFICATE REQUEST; the base64 body is not legible in the extracted text.]

5. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from "BEGIN CERTIFICATE REQUEST" to "END CERTIFICATE REQUEST".
6. Submit your SCR to a CA
is hosting this service rule. You can also translate this address to a port number.
  Translate to Port Number: You can enable this setting and specify a port number if you want to assign the LAN server or DMZ server to a specific port.
WAN Destination IP Address: The setting that determines the destination IP address applicable to incoming traffic. This is the public IP address that maps to the internal LAN server. On the UTM25, it can be either the address of the WAN1 or WAN2 interface or another public IP address when you have a secondary WAN address configured. On the UTM10, it can be either the address of the single WAN interface or another public IP address when you have a secondary WAN address configured.
LAN Users: The settings that determine which computers on your network are affected by this rule. The options are:
  • Any: All PCs and devices on your LAN.
  • Single address: Enter the required address to apply the rule to a single device on your LAN.
  • Address range: Enter the required addresses in the Start and Finish fields to apply the rule to a range of devices.
  • Groups: Select the Group to which the rule applies. Use the LAN Groups screen under Network Configuration to assign PCs to Groups. See "Managing Groups and Hosts (LAN Groups)" on page 4-12.
  Note: This field is not applicable to inbound LAN WAN rules.
is inactive at Gateway B.

[Figure B-14: Gateway-to-Gateway Example, Dual WAN Ports Before Rollover. Gateway A (VPN Router at office A, LAN 10.5.6.0/24, LAN IP 10.5.6.1): WAN_A1 active, FQDN netgearA.dyndns.org; WAN_A2 port inactive, IP N/A. Gateway B (VPN Router at office B, LAN 172.23.9.0/24): WAN_B1 active, FQDN netgearB.dyndns.org; WAN_B2 port inactive, IP N/A. Fully Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses.]

The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you must always use a FQDN because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2; that is, the IP address of the active WAN ports is not known in advance.

After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in Figure B-15), and one of the gateways must re-establish the VPN tunnel.

[Figure B-15: Gateway-to-Gateway Example, Dual WAN Ports After Rollover. Gateway A (VPN Router at office A, LAN 10.5.6.0/24): WAN_A1 port inactive, IP N/A; WAN_A2 active with its dyndns.org FQDN. Gateway B (VPN Router at office B, LAN 172.23.9.0/24, LAN IP 172.23.9.1): WAN_B1 active, FQDN netgearB.dyndns.org; WAN_B2 port inactive, IP N/A. Fully Qualified Domain Names (FQDN) are required at both office A and office B.]
isconnect, Connect, Log Viewer, Connection Monitor, Help, About NETGEAR ProSafe VPN Client, Remove Icon.

[Figure 7-11: NETGEAR ProSafe VPN Client tray menu.]

2. In the upper left of the Policy Editor window, click the New Connection icon (the first icon on the left) to open a new connection. Give the new connection a name; in this example we are using UTM_SJ.

[Figure 7-12: Security Policy Editor, NETGEAR ProSafe VPN Client. Network Security Policy tree: My Connections (UTM_Ireland, UTM_Test, FVS3366_Lab), Other Connections. Connection Security: Secure, Only Connect Manually, Non-secure, Block. Remote Party Identity and Addressing: ID Type IP Subnet; Subnet 192.168.1.0; Mask 255.255.255.0. Use Secure Gateway Tunnel: ID Type Domain Name (utm_focal.com, as extracted); Gateway IP Address 192.168.50.61.]

3. Enter the settings as explained in Table 7-4.

Table 7-4. Security Policy Editor: Remote Party Settings
Setting: Description (or Subfield and Description)
Connection Security: Select the Secure radio button. If you want to connect manually only, select the Only Connect Manually checkbox.
ID Type: From the pull-down menu, sele
[Figure: Web category selection screen residue. Legible categories: Advertisements & Pop-Ups, Real Estate, Drugs and Violence, Alcohol & Tobacco, Tasteless, Education, Gaming, Gambling, Inactive Sites, Network Errors, Anonymizers, General, Job Search, Streaming Media & Downloads, Webmail, Leisure and News, Arts, Fashion & Beauty, News, Restaurants & Dining, Transportation, Malicious, Botnets, Illegal Software, Spam Sites, Politics and Religion, Cults, Religion, Sexual Content, Child Abuse Images, Sex Education, Technology, Computers & Technology, Uncategorized, Business, Shopping, Hate & Intolerance, Violence, Health & Medicine, Games, Parked Domain, Internet Communication and Search, Chat, Image/Photo Sharing, Peer to Peer, Search Engines & Portals, Dating & Personals, Greeting Cards, Non-Profits, Social Networking, Travel, Criminal Activity, Malware, Virus Infected/Compromised, Government, Nudity, Download Sites, Banking/Finance, Illegal Drugs, Weapons, School Cheating, Forums, Instant Messaging, Private IP Addresses, Translators, Entertainment, Leisure & Recreation, Personal Sites, Sports, Hacking, Phishing. Legend: Allowed by Default; Blocked by Default.]
[Figure 6-15: tail of the block-page HTML template, ending with a meta tag declaring Content-Type text/html with charset windows-1252 and a comment "Copyright (c) 2008 NETGEAR. All rights reserved".]

Note: Use URL to show the URL of the blocked page. Use REASON to display why a page was blocked.

3. Enter the settings as explained in Table 6-10 on page 6-37.
4. Click Apply to save your settings.

Table 6-10. HTTPS Settings
Setting: Description (or Subfield and Description)
HTTP Tunneling: Select this checkbox to allow scanning of HTTPS connections through an HTTP proxy, which is disabled by default. Traffic from trusted hosts is not scanned (see "Specifying Trusted Hosts" on page 6-37).
  Note: For HTTPS scanning to occur properly, you must add the HTTP proxy server port in the Ports to Scan field for the HTTPS service on the Services screen (see "Customizing Web Protocol Scan Settings and Services" on page 6-19).
HTTPS 3rd Party Website Certificate Handling: Select the "Allow the UTM to present the website to the client" checkbox to allow a Secure Sockets Layer (SSL) connection with a valid certificate that is not signed by a trusted certificate authority (CA). The default setting is to block such a connection.
Show This Message When an SSL Connection Attempt Fails: By default, a rejected SSL connection is r
izard.

Configure the Gateway for a Client Tunnel

To set up a client-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPsec VPN from the menu. The IPsec VPN submenu tabs appear, with the IKE Policies screen in view.
2. Click the VPN Wizard submenu tab. The VPN Wizard screen displays (see Figure 7-9 on page 7-9, which contains some examples for the UTM25). The WAN1 and WAN2 radio buttons are shown on the VPN Wizard screen for the UTM25 but not on the VPN Wizard screen for the UTM10.

[Figure 7-9: VPN Wizard screen. About VPN Wizard: "The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu." This VPN tunnel will connect to the following peers: Gateway / VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? (Client to UTM); What is the pre-shared key? (111122223333; Key Length 8-49 Char); This VPN tunnel will use following local WAN Interface: WAN1 / WAN2. End Point Information: What is the Remote Identifier Information? What is the Local Identifier Information? Secure Connection Remote Accessibility: What is the remote LAN IP Address?]
ization by end users, dramatically reducing implementation and maintenance costs.

Here is an example of how WiKID works:
1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses Continue to receive the OTP from the WiKID authentication server.

[Figure D-1: WiKID token client (Copyright 2001-2007 WiKID Systems Inc.): "Enter your PIN for the Token client test domain", PIN field.]

2. A one-time passcode (something they have) is generated for this user.

[Figure D-2: WiKID token client (Copyright 2001-2007 WiKID Systems Inc.) showing passcode 468713, "PassCode expires in 31 Seconds".]

Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it is expired, the user must go through the request process again to generate a new OTP.

3. The user then proceeds to the Two-Factor Authentication login page and enters the generated one-time passcode as the login password.

[Figure: 2-Factor Authentication login page beside the token client: Token client test, passcode 468713; UserName user; Password (masked); Domain WIKID; "PassCode expires in ... Seconds".]
kup button. The results of the lookup action are displayed in a new screen. To return to the Diagnostics screen, click Back on the Windows menu bar.

Using the Realtime Traffic Diagnostics Tool

This section discusses the Realtime Traffic Diagnostics section and the Perform a DNS Lookup section of the Diagnostics screen.

[Figure 11-27: Diagnostics screen (2 of 3). Realtime Traffic Diagnostics: Source IP address; Destination IP Address; "Please Stop the diagnostic tests to save results"; "All packets will be captured unless filters are set here".]

You can use the Realtime Traffic Diagnostics tool to analyze traffic patterns with a network traffic analyzer tool. Depending on the network traffic analyzer tool that you use, you can find out which applications are using most bandwidth, which users use most bandwidth, how long users are connected, and other information.

To use the Realtime Traffic Diagnostics tool:
1. Locate the Realtime Traffic Diagnostics section on the Diagnostics screen.
2. In the Source IP address field, enter the IP address of the source of the traffic stream that you want to analyze.
3. In the Destination IP address field, enter the IP address of the destination of the traffic stream that you want to analyze.
4. Click Start. You are prompted to save the downloaded traffic information file to you
Table 7-16. Add IKE Policy Settings for a Mode Config Configuration (continued)
Item: Description (or Subfield and Description)
Extended Authentication
  XAUTH Configuration: Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information:
    • None: XAUTH is disabled. This is the default setting.
    • Edge Device: The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication mode that is available for this configuration is User Database, RADIUS PAP, or RADIUS CHAP.
    • IPSec Host: The UTM functions as a VPN client of the remote gateway. In this configuration, the UTM is authenticated by a remote gateway with a user name and password combination.
  Note: For more information about XAUTH and its authentication modes, see "Configuring XAUTH for VPN Clients" on page 7-38.
  Authentication Type: For an Edge Device configuration, from the pull-down menu select one of the following authentication types:
    • User Database: XAUTH occurs through the UTM's user database. Users must be added through the Add User screen (see "User Database Configuration" on page 7-39).
    • Radius PAP: XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the UTM25 connects to
l intercepted spam.
  • IM/P2P Logs: All instant messaging and peer-to-peer access violations.
  • Email filter Logs: All e-mails that are blocked because of file extension and keyword violations.
  • Firewall Logs: The firewall logs that you have specified on the Firewall Logs screen (see "Configuring and Activating Firewall Logs" on page 11-13).

Table 11-3. E-mail and Syslog Settings (continued)
Setting: Description (or Subfield and Description)
Enable (continued)
  Select Logs to Send (continued)
    • IPS Logs: All IPS events.
    • SSL VPN Logs: All SSL VPN events.
    • IPSEC VPN Logs: All IPsec VPN events.
    • Content Filter Logs: All attempts to access blocked Web sites and URLs.
    • Service Logs: All events that are related to the status of scanning and filtering services that are part of the Application Security main navigation menu. These events include update success messages, update failed messages, network connection errors, and so on.
    • Portscan Logs: All port scan events.
  Format: Select a radio button to specify the format in which the log file is sent:
    • Plain text: The log file is sent as a plain text file.
    • CSV: The log file is sent as a comma-separated values (CSV) file.
    Select the "Zip the logs to save space" checkbox to enable the UTM to compress t
l network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.
  DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.
Traffic Tunnel Security Level
  Note: Generally, the default settings work well for a Mode Config configuration.
  PFS Key Group: Select this checkbox to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the pull-down menu. The DH Group sets the strength of the algorithm in bits; the higher the group, the more secure the exchange. From the pull-down menu, select one of the following three strengths:
    • Group 1 (768 bit)
    • Group 2 (1024 bit): This is the default setting.
    • Group 5 (1536 bit)
  SA Lifetime: The lifetime of the Security Association (SA) is the period, or the amount of transmitted data, after which the SA becomes invalid and must be renegotiated. From the pull-down menu, select how the SA lifetime is specified:
    • Seconds: In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default value is 3600 seconds.
    • KBytes: In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB.
  Encryption Algorithm: From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA):
    • DES: Da
l other users in the List of Users table.

[Figure 9-5: List of Users table. Columns: Name, Group, Type, Authentication Domain, Action. Example rows: admin / geardomain / Administrator / geardomain; guest / geardomain / Guest User / geardomain; Peter / prosecure / SSL VPN User / prosecure; rsademo / geardomain / Guest User / geardomain; techpub / geardomain / Guest User / geardomain; techpubadmin / geardomain / Administrator / geardomain. Each row has edit and policies buttons. Legend: * Default Users. Table buttons: select all, delete, add.]

The List of Users table displays the users with the following fields:
• Checkbox: Allows you to select the user in the table.
• Name: The name of the user. If the user name is appended by an asterisk, the user is a default user that came pre-configured with the UTM and cannot be deleted.
• Group: The group to which the user is assigned.
• Type: The type of access credentials that are assigned to the user.
• Authentication Domain: The authentication domain to which the user is assigned.
• Action: The edit table button, which provides access to the Edit User screen, and the policies table button, which provides access to the policy screens.

2. Click the add table button. The Add User screen displays (see Figure 9-6 on page 9-11).
le on the Policies screen. The new policy goes into effect immediately.

Note: In addition to configuring SSL VPN user policies, ensure that HTTPS remote management is enabled (see "Configuring Remote Management Access" on page 10-12). If it is not enabled, all SSL VPN user connections are disabled.

Chapter 9. Managing Users, Authentication, and Certificates

This chapter describes how to manage users, authentication, and security certificates for IPsec VPN and SSL VPN. This chapter contains the following sections:
• "Configuring VPN Authentication Domains, Groups, and Users" on this page
• "Managing Digital Certificates" on page 9-17

Configuring VPN Authentication Domains, Groups, and Users

Users are assigned to a group, and a group is assigned to a domain. Therefore, you should first create any domains, then groups, then user accounts. You must create name and password accounts for all users who must be able to connect to the UTM. This includes administrators and SSL VPN clients. Accounts for IPsec VPN clients are required only if you have enabled Extended Authentication (XAUTH) in your IPsec VPN configuration. Users connecting to the UTM must be authenticated before being allowed to access the
le Gateway WAN Ports (Reference Case)

In a configuration with two single WAN port gateways, either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in advance (see Figure B-13 on page B-14).

[Figure B-13: Gateway-to-Gateway Example, Single WAN Ports. VPN Router at office A (LAN 10.5.6.0/24, LAN IP 10.5.6.1) and VPN Router at office B (LAN 172.23.9.0/24, LAN IP 172.23.9.1), each with a WAN IP; the figure shows a FQDN netgear.dyndns.org on one router and a fixed WAN IP 22.23.24.25 on the other. Fully Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses.]

The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use a FQDN. If an IP address is fixed, an FQDN is optional.

VPN Gateway-to-Gateway, Dual Gateway WAN Ports for Improved Reliability

In a configuration with two dual WAN port VPN gateways that function in auto-rollover mode, either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to balance the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance. In this example (see Figure B-14), port WAN_A1 is active and port WAN_A2 is inactive at Gateway A; port WAN_B1 is active and port WAN_B2
le update failure alerts.
Enable License Expiration Alerts: Select this checkbox to enable license expiration alerts. This checkbox is enabled by default.
Enable Malware Alerts: Select this checkbox to enable malware alerts and configure the Subject and Message fields.

Table 11-4. Alerts Settings (continued)
Setting: Description (or Subfield and Description)
Enable Malware Alerts (continued)
  Subject: Enter the subject line for the e-mail alert. The default text is "Malware alert".
  Message: Enter the content for the e-mail alert.
  Note: Make sure that you keep the VIRUSINFO and TIME meta words in a message to enable the UTM to insert the proper malware name and time information. In addition to these meta words, you can insert the following meta words in your customized message: PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME.
Enable Malware Outbreak Alerts: Select this checkbox to enable malware outbreak alerts and configure the Outbreak Criteria, Protocol, and Subject fields.
  Outbreak Criteria: To define a malware outbreak, specify the following fields:
    • malware found within: The number of malware threats that are detected.
    • minutes (maximum 90 minutes): The period in which the specif
lgorithm in bits. From the pull-down Group menu, select Group 2 (1024 bit).
SA Lifetime (sec): The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying must occur. The default is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
Enable Dead Peer Detection: Select a radio button to specify whether or not Dead Peer Detection (DPD) is enabled:
  • Yes: This feature is enabled. When the UTM25 detects an IKE connection failure, it deletes the IPsec and IKE SA and forces a re-establishment of the connection. You must enter the detection period and the maximum number of times that the UTM attempts to reconnect (see below).
  • No: This feature is disabled. This is the default setting.
  Note: See also "Configuring Keepalives and Dead Peer Detection" on page 7-54.
  Detection Period: The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPsec traffic is idle. The default setting is 10 seconds.
  Reconnect after failure count: The maximum number of times that the UTM attempts to reconnect after a DPD situation. When the maximum number of times is exceeded, the IPsec connection is terminated. The default setting is 3 IKE connection failures.
lies continuously.
  Category: From the pull-down menu, select the category to which the action applies:
    • URL Filtering: The action applies to a URL. Enter the URL in the Subcategory Expression field.
    • Web category: The action applies to a Web category. Select a category from the Subcategory Expression pull-down menu.
    • Application: The action applies to an application. Select an application from the Subcategory Expression pull-down menu.
  Subcategory Expression: The nature of the Subcategory Expression field depends on your selection from the Category pull-down menu:
    • When you select URL Filtering: The Subcategory Expression field becomes a blank field in which you can enter a full or partial URL.
    • When you select Web category: The Subcategory Expression field becomes a pull-down menu that lets you select a Web category.
    • When you select Application: The Subcategory Expression field becomes a pull-down menu that lets you select an application.
  Notes: A description of the exception rule for identification and management purposes, or any other relevant information that you wish to include.
4. Click Apply to save your settings. The new exception rule is added to the Exceptions table.
5. Select the checkbox to the left of the rule that you want to enable, or click the select all table button to select all rules.
6. Click the apply table button to enable the selected rule or rules.

To make changes to an existing exception rule:
1. In the
llover mode after completing the wizard, you must manually update the VPN policy to enable VPN rollover. For more information, see "Manually Adding or Editing a VPN Policy" on page 7-32.
End Point Information
  What is the Remote WAN's IP Address or Internet Name?: Enter the IP address or Internet name (FQDN) of the WAN interface on the remote VPN tunnel endpoint.
  What is the Local WAN's IP Address or Internet Name?: When you select the Gateway radio button in the About VPN Wizard section of the screen, the IP address of the UTM's active WAN interface is automatically entered.
Secure Connection Remote Accessibility
  What is the remote LAN IP Address?: Enter the LAN IP address of the remote gateway.
    Note: The remote LAN IP address must be in a different subnet than the local LAN IP address. For example, if the local subnet is 192.168.1.x, then the remote subnet could be 192.168.10.x but could not be 192.168.1.x. If this information is incorrect, the tunnel will fail to connect.
  What is the remote LAN Subnet Mask?: Enter the LAN subnet mask of the remote gateway.
a. Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of an IP address and a FQDN is not supported.

Tip: To assure tunnels stay active after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of
llowing screen.

Note: Do not enter an existing user name in the User Name field; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration.

Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the user settings by selecting Users > Users. For more information about user settings, see "Configuring User Accounts" on page 9-9.

Table 8-3. SSL VPN Wizard Step 3: User Settings
Setting: Description (or Subfield and Description)
User Name: A descriptive (alphanumeric) name of the user for identification and management purposes.
User Type: When you use the SSL VPN Wizard, the user type is always SSL VPN User. You cannot change the user type on this screen; the user type is displayed for information only.
Group: When you create a new domain on the second SSL VPN Wizard screen, a group with the same name is automatically created. A user must belong to a group, and a group must belong to a domain. You cannot change the group on this screen; the group is displayed for information only.
Password: The password that must be entered by the user to gain access to the UTM. The password must contain alphanumeric or characters.
Confirm Password: This field must be id
lso make any portal the default portal for the SSL UTM by clicking the default button in the Action column of the List of Layouts to the right of the desired portal layout.

To create a new SSL VPN portal layout:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear, with the Policies screen in view.
2. Click the Portal Layouts submenu tab. The Portal Layout screen displays. Figure 8-12 shows layouts in the List of Layouts table as an example.

[Figure 8-12: Portal Layout screen, List of Layouts table. Columns: Name, Description, Use Count, Portal URL, Action. Example rows: SSL-VPN (the default), description "In case of login difficulty call 123 456 7890"; TestPortal, description "In case of login difficulties call the webmaster at 123 456 7990". Portal URLs are shown on 192.168.50.61. Action buttons: edit, default. Legend: * Default Portal Layout. Table buttons: select all, delete, add.]

The List of Layouts table displays the following fields:
• Layout Name: The descriptive name of the portal.
• Description: The banner message that is displayed at the top of the portal (see Figure 8-8 on page 8-15).
• Use Count: The number of remote users that are currently using the portal.
• Portal URL: The URL at which the portal can be accessed.
• Action: The table buttons that allow you to edit or delete the por
[Figure 11-4: E-mail and Syslog settings screen residue. Log selection checkboxes: System Logs, Traffic Logs, Malware Logs, Spam Logs, IM/P2P Logs, Email filter Logs, Firewall Logs, IPS Logs, SSL VPN Logs, IPSEC VPN Logs, Content filter Logs, Service Logs, Portscan Logs. Format: Plain Text / CSV; "Zip the logs to save space"; "Split logs size to". Send Logs via Syslog: Enable Syslog Server, Syslog Severity, and the same log selection checkboxes.]

2. Enter the settings as explained in Table 11-2.

Table 11-3. E-mail and Syslog Settings
Setting: Description (or Subfield and Description)
System Logs Option: Select the checkboxes to specify which system events are logged:
  • Change of Time by NTP: Logs a message when the system time changes after a request from an NTP server.
  • Secure Login Attempts: Logs a message when a secure login is attempted. Both successful and failed login attempts are logged.
  • Reboots: Logs a message when the UTM has been rebooted through the Web Management Interface.
[Figure 6-3: E-mail Filter screen residue. File extension field (example: exe, com, pif, bat) with Action for SMTP, POP3, IMAP: Log only. Filter by File Name: File Name (example: netsky.exe, mydoom.pif), Action for SMTP.]

2. Enter the settings as explained in Table 6-3.

Table 6-3. E-mail Filter Settings
Setting: Description (or Subfield and Description)
Filter by Subject Keywords
  Keywords: Enter keywords that should be detected in the e-mail subject line. Use commas to separate different keywords. The total maximum length of this field is 2048 characters, excluding duplicate words and delimiter commas.
  Action
    SMTP: From the SMTP pull-down menu, specify one of the following actions when a keyword that is defined in the Keywords field is detected:
      • Block email: The e-mail is blocked and a log entry is created.
      • Log only: This is the default setting. Only a log entry is created; the e-mail is not blocked.
    POP3: From the POP3 pull-down menu, specify one of the following actions when a keyword that is defined in the Keywords field is detected:
      • Block email: The e-mail is blocked and a log entry is created.
      • Log only: This is the default setting. Only a log entry is created; the e-mail is not blocked.
Filter by Password-Protected Attachments (ZIP, RAR, etc.)
  Action
    SMTP: From
m size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see "Performance Management" on page 10-1).
  From the pull-down menu, specify one of the following actions when the file or message exceeds the maximum size:
    • Skip: The file is not scanned but skipped, leaving the end user vulnerable. This is the default setting.
    • Block: The file is blocked and does not reach the end user.
Notification Settings
  Insert Warning into Email Subject (SMTP): For SMTP e-mail messages, select this checkbox to insert a warning into the e-mail subject line:
    • Malware Found: If a malware threat is found, a "MALWARE INFECTED" message is inserted. You can change this default message.
    • No Malware Found: If no malware threat is found, a "MALWARE FREE" message is inserted. You can change this default message.
    By default, this checkbox is deselected and no warnings are inserted.

Table 6-2. E-mail Anti-Virus and Notification Settings (continued)
Setting: Description (or Subfield and Description)
Append Safe Stamp (SMTP and POP3): For SMTP and POP3 e-mail messages, select this checkbox to insert a default safe stamp message at the end of an e-mail. The safe stamp insertion serves as a security confirmation to the end user. You can change the
m this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

MD5: Copyright (C) 1990, RSA Data Security, Inc. All rights
To clear the statistics, click Clear statistics.
To set the poll interval:
1. Click the stop button.
2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds; the maximum is 5 minutes).
3. Click the set interval button.

Table 11-6 explains the fields of the Total Threats, Threats Counts, and Total Traffic (Bytes) sections of the Dashboard screen.

Table 11-6. Dashboard: Total Threats, Threats Counts, and Total Traffic (Bytes) Information

Total Threats
Emails: Displays the total number of:
• Scanned e-mails
• Viruses detected (to configure, see Customizing E-mail Anti-Virus and Notification Settings on page 6-5)
• E-mails that matched filters (to configure, see E-mail Content Filtering on page 6-8)
• Spam (to configure, see Protecting Against E-mail Spam on page 6-11)
Web: Displays the total number of:
• Files scanned
• Malware detected (to configure, see Configuring Web Malware Scans on page 6-21)
• Files blocked (to configure, see Configuring Web Content Filtering on page 6-23)
• URLs blocked (to configure, see Configuring Web URL Filtering on page 6-30)
IM/Peer-to-Peer: Displays the total number of:
• Instant Messaging blocked (to configure, see Customizing Web Pr
mance and the system management features of the UTM. This chapter contains the following sections:
• Performance Management on this page
• System Management on page 10-9

Performance Management
Performance management consists of controlling the traffic through the UTM so that the necessary traffic gets through when there is a bottleneck, and either reducing unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks from occurring in the first place. The UTM has the necessary features and tools to help the network manager accomplish these goals.

Bandwidth Capacity
The maximum bandwidth capacity of the UTM in each direction is as follows:
• LAN side (UTM25 or UTM10): 2000 Mbps (two LAN ports at 1000 Mbps each).
• WAN side: 2000 Mbps in load balancing mode (UTM25 only; two WAN ports at 1000 Mbps each), 1000 Mbps in auto-rollover mode (UTM25 only; one active WAN port at 1000 Mbps), or 1000 Mbps in single WAN port mode (UTM25 or UTM10; one active WAN port at 1000 Mbps).
In practice, the WAN-side bandwidth capacity is much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates:
• Load balancing mode (UTM25 only): 3 Mbps (two WAN ports at 1.5 Mbps each)
• Auto-rollover mode (UTM25 only): 1.5 Mbps (one active WAN port at 1.5 Mbps)
• Single WAN port mode (UTM25 or UTM10): 1.5 Mbps (one active WAN port at 1.5 Mbps)
As a resul
[Figure 5-18: Add LAN WAN Outbound Service screen ("Operation succeeded"). Fields: Service; Action: BLOCK by schedule, otherwise allow; Select Schedule: Schedule 1; LAN Users: Any (Start/Finish); WAN Users: Any (Start/Finish); QoS Profile: Normal_Service; Log: Never; Bandwidth Profile: NONE; NAT IP: WAN Interface Address.]

Creating Services, QoS Profiles, and Bandwidth Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
• Services. A service narrows down the firewall rule to an application and a port number.
• QoS profiles. A quality of service (QoS) profile defines the relative priority of an IP packet for traffic that matches the firewall rule.
• Bandwidth profiles. A bandwidth profile allocates and limits traffic bandwidth for the LAN users to which a firewall rule is applied.
• Schedules. A schedule narrows down the period during which a firewall rule is applied. For information about specifying schedules, see Setting a Schedule to Block or Allow Specific Traffic on page 5-39.

Adding Customized Services
Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services.
[Figure 1-4: product label (continued): user name admin, password password; ITE E212778; Input Rating AC 100-240V, 50/60Hz, 0.7A max; MAC, SERIAL; WAN and LAN port markings; Made in China; 272-10758-02.]

Figure 1-5 shows the product label for the UTM25.

[Figure 1-5: UTM25 product label: NETGEAR ProSecure Unified Threat Management UTM25. This device complies with part 15 of the FCC Rules and Canada ICES-003. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. VCCI-A notice in Japanese. DEFAULT ACCESS: http://192.168.1.1, user name admin, password password. ITE E212778; Input Rating AC 100-240V, 50/60Hz, 1.2A max; Made in China; 272-10722-02.]

Choosing a Location for the UTM
The UTM is suitable for use in an office environment where it can be free-standing (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the UTM in a wiring closet or equipment room. A rack-mounting kit, containing two mounting brackets and four screws, is provided in the UTM25 package.
Consider the following when deciding where to position the UTM:
• Th
SSL VPN Wizard. The UTM includes the NETGEAR SSL VPN Wizard to easily configure SSL connections over VPN according to the recommendations of the VPNC, to ensure the SSL connections are interoperable with other VPNC-compliant VPN routers and clients.
SNMP. The UTM supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
Diagnostic functions. The UTM incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
Remote management. The UTM allows you to log in to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
Visual monitoring. The UTM's front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the UTM:
• Flash memory for firmware upgrade
• Technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product

Service Registration Card with License Keys
Be sure to stor
mes. The schedule is active only on specific hours of the selected day or days. To the right of the radio buttons, specify the Start Time and End Time fields (Hour, Minute, AM/PM) during which the schedule is in effect.
5. Click Apply to save your settings to Schedule 1. Repeat these steps to set a schedule for Schedule 2 and Schedule 3.

Enabling Source MAC Filtering
The Source MAC Filter screen enables you to permit or block traffic coming from certain known PCs or devices. By default, the source MAC address filter is disabled: all the traffic received from PCs with any MAC address is allowed. When the source MAC address filter is enabled, depending on the selected policy, traffic is either permitted or blocked if it comes from any PCs or devices whose MAC addresses are listed in the MAC Addresses table.
Note: For additional ways of restricting outbound traffic, see Outbound Rules (Service Blocking) on page 5-4.
To enable MAC filtering and add MAC addresses to be permitted or blocked:
1. Select Network Security > Address Filter from the menu. The Address Filter submenu tabs appear with the Source MAC Filter screen in view (see Figure 5-26 on page 5-41, which shows one address in the MAC Addresses table as an example).

[Figure 5-26: Source MAC Filter screen (tabs: Source MAC Filter, IP/MAC Binding; "Operation succeeded"; prompt: "Do you want to ena
mode for increased system reliability or load balancing mode for maximum bandwidth efficiency. See the topics in this appendix for more information. Your decision has the following implications:
• Fully qualified domain name (FQDN). For auto-rollover mode, you will need a FQDN to implement features such as exposed hosts and virtual private networks. For load balancing mode, you might still need a FQDN, either for convenience or to remotely access a dynamic WAN IP address.
• Protocol binding. For auto-rollover mode, protocol binding does not apply. For load balancing mode, decide which protocols should be bound to a specific WAN port. You can also add your own service protocols to the list.
2. Set up your accounts.
a. Obtain active Internet services such as cable or DSL broadband accounts, and locate the Internet service provider (ISP) configuration information.
• In this manual, the WAN side of the network is presumed to be provisioned as shown in Figure B-1, with two ISPs connected to the UTM through separate physical facilities.
• Each WAN port must be configured separately, whether you are using a separate ISP for each WAN port or you are using the same ISP to route the traffic of both WAN ports.
customer premise
mote network where you must access a device.
• The LAN IP address of the remote network is 134.177.0.0.
When you first configured the UTM, two implicit static routes were created:
• A default static route was created with your ISP as the gateway.
• A second static route was created to the local LAN for all 192.168.1.x addresses.
With this configuration, if you attempt to access a device on the 134.177.0.0 remote network, the UTM forwards your request to the ISP. In turn, the ISP forwards your request to the remote network, where the request is likely to be denied by the remote network's firewall.
In this case you must define a static route informing the UTM that the 134.177.0.0 IP address should be accessed through the local LAN IP address 192.168.1.100. The static route on the UTM must be defined as follows:
• The destination IP address and IP subnet mask must specify that the static route applies to all 134.177.x.x IP addresses.
• The gateway IP address must specify that all traffic for the 134.177.x.x IP addresses should be forwarded to the local LAN IP address 192.168.1.100.
• A metric value of 1 should work, since the UTM is on the local LAN.
• The static route can be made private, only as a precautionary security measure in case RIP is activated.

Chapter 5
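The routing decision described above, as an added example that is not part of the manual or NETGEAR's firmware: a small routing-table model with the UTM's two implicit routes, the 134.177.0.0/16 static route via 192.168.1.100, and the "private" flag applied when building a RIP advertisement. The ISP gateway address (203.0.113.1), the class and function names, and the rule that a static route's gateway must lie on a directly connected network are assumptions made for the example.

```python
# Added example (not NETGEAR's code): a routing-table model for the
# 134.177.0.0 scenario above, with the "private" flag applied to RIP.
from ipaddress import ip_address, ip_network


class Route:
    def __init__(self, dest, gateway=None, metric=1, private=False, name=""):
        self.dest = ip_network(dest)
        self.gateway = ip_address(gateway) if gateway else None   # None = directly connected
        self.metric, self.private, self.name = metric, private, name


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, route):
        self.routes.append(route)
        return route

    def connected_network_for(self, gateway):
        """A static route's gateway must sit on a directly connected network,
        otherwise the UTM has no way to deliver to it (assumed check)."""
        for r in self.routes:
            if r.gateway is None and ip_address(gateway) in r.dest:
                return r
        return None

    def add_static(self, dest, gateway, metric=1, private=False, name="static"):
        if self.connected_network_for(gateway) is None:
            raise ValueError("gateway %s is not on a connected network" % gateway)
        return self.add(Route(dest, gateway, metric, private, name))

    def lookup(self, dst):
        """Longest-prefix match; among equal prefixes the lower metric wins."""
        dst = ip_address(dst)
        candidates = [r for r in self.routes if dst in r.dest]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))

    def next_hop(self, dst):
        r = self.lookup(dst)
        if r is None:
            return None
        return "connected" if r.gateway is None else str(r.gateway)

    def rip_advertised(self):
        """Routes marked private are withheld from RIP updates, so turning RIP
        on later does not announce the internal path to 134.177.x.x."""
        return [r.name for r in self.routes if not r.private]


def build_table(with_static):
    """The two implicit routes the UTM creates, plus (optionally) the static
    route from the text. ISP gateway 203.0.113.1 is an assumed placeholder."""
    t = RoutingTable()
    t.add(Route("192.168.1.0/24", None, name="local LAN"))
    t.add(Route("0.0.0.0/0", "203.0.113.1", name="default via ISP"))
    if with_static:
        t.add_static("134.177.0.0/16", "192.168.1.100", metric=1, private=True,
                     name="134.177.0.0/16 via 192.168.1.100")
    return t


if __name__ == "__main__":
    print("without static route:", build_table(False).next_hop("134.177.5.9"))
    print("with static route:   ", build_table(True).next_hop("134.177.5.9"))
    print("advertised by RIP:   ", build_table(True).rip_advertised())
```

Without the static route the lookup falls through to the /0 default and the packet leaves toward the ISP; with it, the /16 is the longest match and the next hop is the LAN-side router at 192.168.1.100.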
[Figure 7-7: Active IPSec SA(s) table. Columns: Policy Name, Endpoint, Tx (KB), Tx (Packets), State, Action. Example row: GW1_to_GW2, endpoint address (not recoverable from the extraction), 0.00 KB, 0 packets, "IPsec SA Not Established", Client Policy. Poll Interval: 5 seconds (set interval / stop buttons).]

c. Locate the policy in the table and click the connect action button. The IPsec VPN connection should become active.

Note: When using FQDNs, if the dynamic DNS service is slow to update their servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.

Creating a Client-to-Gateway VPN Tunnel

[Figure 7-8: Road Warrior Example, Single WAN Port. Client B (remote PC running the NETGEAR ProSafe VPN Client) connects over the Internet to Gateway A (VPN router at the employer's main office, WAN IP A). Fully Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses.]

Follow the steps in the following sections to configure a VPN client tunnel:
• Using the VPN Wizard: Configure the Gateway for a Client Tunnel on page 7-8
• Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection on page 7-11

Using the VPN W
n To review the status of current SSL VPN tunnels:
1. Select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view.
2. Click the SSL VPN Connection Status submenu tab. The SSL VPN Connection Status screen displays.

[Figure 11-15: SSL VPN Connection Status screen (tabs: Active Users, IPSec VPN Connection Status, SSL VPN Connection Status). One entry: User Name techpubadmin, Group geardomain, IP Address 192.168.190.88, Login Time Wed May 27 19:43:28 2009, Action: disconnect.]

The active user's user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user connected. To disconnect an active user, click the disconnect table button to the right of the user's table entry.

Viewing Port Triggering Status
To view the status of the Port Triggering feature:
1. Select Network Security > Port Triggering from the menu. The Port Triggering screen displays. Figure 11-16 shows one rule in the Port Triggering Rules table as an example.

[Figure 11-16: Port Triggering screen (Network Security tabs: IPS, Firewall Objects, Firewall, Address Filter, Port Triggering; "Operation succeeded"). Port Triggering Rules table, one rule: Outgoing Ports Start Port 20, End Port 22; Incoming Ports Start Port 20, End Port 40; select all and delete buttons. Add Port Triggering Rule: N
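The rule shown in Figure 11-16 (outgoing ports 20-22 open incoming ports 20-40), as an added example that is not the manual's or NETGEAR's code: a state machine that arms a rule when a LAN host sends on the outgoing range, forwards unsolicited inbound packets in the incoming range only to that host while the trigger is live, and closes the range again after inactivity. The inactivity timeout value, the refresh-on-activity behaviour and the class names are assumptions made for the example; the page states only the port ranges.

```python
# Added example (not NETGEAR's code): a model of the port-triggering rule in
# Figure 11-16 (outgoing 20-22 opens incoming 20-40 for the triggering host).
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerRule:
    name: str
    out_start: int     # Outgoing Ports: LAN traffic to this range arms the rule
    out_end: int
    in_start: int      # Incoming Ports: then forwarded to that host while armed
    in_end: int


class PortTriggering:
    """Unlike a static inbound rule, the incoming range is closed until a LAN
    host sends on the outgoing range, is then opened only for that host, and
    closes again after an inactivity timeout (timeout value assumed here)."""

    def __init__(self, rules, timeout_s=600):
        self.rules = list(rules)
        self.timeout_s = timeout_s
        self.armed = {}            # rule name -> (lan host, expiry time)

    def outbound(self, lan_host, dst_port, now=None):
        """Outbound packet from a LAN host: arms every rule whose outgoing
        range covers dst_port. Only one host holds a rule at a time, so a
        later trigger from another host takes the incoming range over."""
        now = time.time() if now is None else now
        for rule in self.rules:
            if rule.out_start <= dst_port <= rule.out_end:
                self.armed[rule.name] = (lan_host, now + self.timeout_s)
                return rule.name
        return None

    def inbound(self, dst_port, now=None):
        """Return the LAN host an unsolicited inbound packet is forwarded to,
        or None if no live trigger covers the port (the packet is dropped)."""
        now = time.time() if now is None else now
        for rule in self.rules:
            if not rule.in_start <= dst_port <= rule.in_end:
                continue
            armed = self.armed.get(rule.name)
            if armed is None:
                continue
            host, expiry = armed
            if now < expiry:
                self.armed[rule.name] = (host, now + self.timeout_s)   # activity keeps it open
                return host
            del self.armed[rule.name]                                 # timed out: close it
        return None

    def status(self, now=None):
        """What a status screen would list: live triggers and their LAN hosts."""
        now = time.time() if now is None else now
        return {name: host for name, (host, exp) in self.armed.items() if now < exp}


FIGURE_11_16_RULE = TriggerRule("example", out_start=20, out_end=22, in_start=20, in_end=40)

if __name__ == "__main__":
    pt = PortTriggering([FIGURE_11_16_RULE])
    print(pt.inbound(30))                         # None: nothing armed yet
    pt.outbound("192.168.1.25", 21)
    print(pt.inbound(30), pt.status())            # forwarded to 192.168.1.25
```

The security point the model makes visible: once armed, the whole 20-40 range is reachable from any external address for the duration of the timeout, so keep incoming ranges as narrow as the application allows.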
n displays. Figure 9-15 shows the bottom section of the screen with the Certificate Revocation Lists (CRL) table. There are no examples in the table; that is, the table is empty.

[Figure 9-15: Certificates screen (3 of 3). Certificate Revocation Lists (CRL) table with columns CA Identity, Last Update, Next Update (empty). Upload CRL section: CRL File field, Browse and upload buttons.]

The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates:
• CA Identity. The official name of the CA that issued the CRL.
• Last Update. The date when the CRL was released.
• Next Update. The date when the next CRL will be released.
2. In the Upload CRL section, click Browse and navigate to the CRL file that you previously downloaded from a CA.
3. Click the upload table button. If the verification process on the UTM approves the CRL, the CRL is added to the Certificate Revocation Lists (CRL) table.
Note: If the table already contains a CRL from the same CA, the old CRL is deleted when you upload the new CRL.
To delete one or more CRLs:
1. In the Certificate Revocation Lists (CRL) table, select the checkbox to the left of the CRL that you want to delete, or click the select all table button to select all CRLs.
2. Click the delete table button.

Chapter 10 Network and System Management
This chapter describes the tools for managing the network traffic to optimize its perfor
n in view.
2. Click the Schedule Reports submenu tab. The Schedule Reports screen displays.

[Figure 11-25: Schedule Reports screen (Monitoring tabs: System Status, Active Users & VPNs, Dashboard, Diagnostics, Email and Syslog, Firewall Logs, Alerts, Log Query, Generate Report, Schedule Reports). Frequency: Daily (occurs at 03:00 am every day), Weekly (occurs at 03:00 am on the Sunday of the week), Monthly (occurs at 03:00 am on the first day of the month). Report types: Email Reports, Web Reports, System Reports. Send Report by Email; Recipients (Note: use commas to separate email addresses; example admin1@yourdomain.com,admin2@yourdomain.com). Number of Reports to Keep: 5 (0-12). Report table columns: Report Date, Type, Download, Delete.]

3. Enter the settings as explained in Table 11-17.

Table 11-17. Schedule Report Settings

Report Settings
Frequency: Select one of the following checkboxes to specify the frequency with which the reports are generated and e-mailed:
• Daily. The report is generated daily at 3:00 am.
• Weekly. The report is generated weekly on Sunday at 3:00 am.
• Monthly. The report is generated monthly on the first day of the month at 3:00 am.

Table 11-17. Schedule Report Settings (continued)
n section of the screen.

[Figure 3-4: ISP Login section: Does Your Internet Connection Require a Login? Yes / No; Login; Password.]

In the ISP Login section of the screen, select one of the following options:
• If your ISP requires an initial login to establish an Internet connection, click Yes (this is the default).
• If a login is not required, click No and ignore the Login and Password fields.
If you clicked Yes, enter the login name in the Login field and the password in the Password field. This information is provided by your ISP.
In the ISP Type section of the screen, select the type of ISP connection that you use from the three listed options. By default, Other (PPPoE) is selected, as shown in Figure 3-5.

[Figure 3-5: ISP Type section: Which type of ISP connection do you use? Austria (PPTP): Account Name, Domain Name, Login Server, My IP Address, Server IP Address. Other (PPPoE): Account Name, Domain Name, Idle Timeout (Keep Connected / Idle Time in Minutes).]

5. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in Table 3-2.

Table 3-2. PPTP and PPPoE Settings

Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select t
[Figure 2-7: Setup Wizard Step 1 of 10, LAN Settings. LAN TCP/IP Setup: IP Address 192.168.x.x, Subnet Mask 255.255.x.x. Disable DHCP Server / Enable DHCP Server: Domain Name, Starting IP Address, Ending IP Address, Primary DNS Server, Secondary DNS Server, WINS Server, Lease Time (Hours). DHCP Relay: Relay Gateway. Enable LDAP information: LDAP Server, Search Base, port (leave blank for default port). Enable DNS Proxy.]

Enter the settings as explained in Table 2-1 on page 2-9, then click Next to go to the following screen.
Note: In this first step, you are actually configuring the LAN settings for the UTM's default VLAN. For more information about VLANs, see Managing Virtual LANs and DHCP Options on page 4-1.
Note: After you have completed the steps in the Setup Wizard, you can make changes to the LAN settings by selecting Network Config > LAN Settings > Edit LAN Profile. For more information about these LAN settings, see VLAN DHCP Options on page 4-4.

Table 2-1. Setup Wizard Step 1
n your network has a unique 48-bit local Ethernet address. This is also referred to as the computer's Media Access Control (MAC) address. The default is set to Use Default Address. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you must enter that address. Setting the UTM's MAC address is controlled through the Advanced options on the UTM10's WAN ISP Settings screen or on the UTM25's WAN1 ISP Settings and WAN2 ISP Settings screens (see Configuring Advanced WAN Options on page 3-22).

Manually Configuring the Internet Connection
Unless your ISP automatically assigns your configuration via DHCP, you need to obtain configuration parameters from your ISP in order to manually establish an Internet connection. The necessary parameters for various connection types are listed in Table 3-1 on page 3-4.
To manually configure the WAN1 ISP (UTM25) or WAN ISP (UTM10) settings:
1. On the UTM25, select Network Configuration > WAN Settings > WAN1 ISP Settings. The WAN Settings tabs appear with the WAN1 ISP Settings screen in view (see Figure 3-1 on page 3-3, which shows the UTM25's screen). On the UTM10, select Network Configuration > WAN Settings > WAN ISP Settings. The WAN ISP Settings screen displays. Figure 3-4 shows the ISP Logi
nd any one of these can be selected when defining firewall rules.
To set a schedule:
1. Select Network Security > Firewall Objects from the menu. The Firewall Objects submenu tabs appear with the Services screen in view.
2. Click the Schedule 1 submenu tab. The Schedule 1 screen displays.

[Figure 5-25: Schedule 1 screen (Firewall Objects tabs: Services, QoS Profile, Bandwidth Profile, Schedule 1, Schedule 2, Schedule 3). Scheduled Days: Do you want this schedule to be active on all days or specific days? All Days / Specific Days (Sunday through Saturday checkboxes). Scheduled Time of Day: Do you want this schedule to be active all day or at specific times during the day? All Day / Specific Times; Start Time (Hour, Minute, AM/PM), End Time (Hour, Minute, AM/PM).]

3. In the Scheduled Days section, select one of the following radio buttons:
• All Days. The schedule is in effect all days of the week.
• Specific Days. The schedule is active only on specific days. To the right of the radio buttons, select the checkbox for each day that you want the schedule to be in effect.
4. In the Scheduled Time of Day section, select one of the following radio buttons:
• All Day. The schedule is in effect all hours of the selected day or days.
• Specific Ti
nd rules configured in the DMZ WAN Rules page. As a result, if an inbound packet matches an Inbound rule in the LAN WAN Rules page, then it will not be matched against the Inbound rules in the DMZ WAN Rules page.

[Figure 5-5]

To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons:
• edit. Allows you to make any changes to the rule definition of an existing rule. Depending on your selection, either the Edit DMZ WAN Outbound Service screen (identical to Figure 5-6 on page 5-16) or the Edit DMZ WAN Inbound Service screen (identical to Figure 5-7 on page 5-17) displays, containing the data for the selected rule.
• up. Moves the rule up one position in the table rank.
• down. Moves the rule down one position in the table rank.
To delete or disable one or more rules:
1. Select the checkbox to the left of the rule that you want to delete or disable, or click the select all table button to select all rules.
2. Click one of the following table buttons:
• disable. Disables the rule or rules. The status icon changes from a green circle to a grey circle, indicating that the rule or rules are disabled. By default, when a rule is added to the table, it is automatically enabled.
• delete. Deletes the rule or rules.

DMZ WAN Ou
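The three ideas the firewall chapter keeps returning to (rules narrowed by a service and a schedule, the Schedule 1/2/3 day-and-time objects, and the LAN WAN table being consulted before the DMZ WAN table with the first enabled match winning) are combined below in one added example that is not the manual's or NETGEAR's code. The action wording follows the "BLOCK by schedule, otherwise allow" form shown in Figure 5-18; the other three action variants, the packet representation, the rule and class names, and the sample tables are assumptions made for the example.

```python
# Added example (not NETGEAR's code): a model of how the UTM's ordered rule
# tables, actions and Schedule 1/2/3 objects combine when a packet arrives.
from datetime import datetime, time
from ipaddress import ip_address, ip_network


class Schedule:
    """Scheduled Days (All Days, or a set of day names) plus Scheduled Time of
    Day (All Day, or a Start Time..End Time window)."""
    def __init__(self, days=None, start=None, end=None):
        self.days, self.start, self.end = days, start, end

    def active(self, at):
        if self.days is not None and at.strftime("%A") not in self.days:
            return False
        if self.start is None:                      # All Day
            return True
        if self.start <= self.end:
            return self.start <= at.time() <= self.end
        return at.time() >= self.start or at.time() <= self.end   # window crossing midnight


class Rule:
    """One row of a rules table. service = (protocol, start port, end port);
    src/dst = None for Any, or a network. Actions use the Figure 5-18 form
    "BLOCK by schedule, otherwise allow"; the other variants are assumed."""
    def __init__(self, name, service, action, src=None, dst=None, schedule=None, enabled=True):
        self.name, self.service, self.action = name, service, action
        self.src = ip_network(src) if src else None
        self.dst = ip_network(dst) if dst else None
        self.schedule, self.enabled = schedule, enabled

    def matches(self, pkt):
        proto, lo, hi = self.service
        if pkt["proto"] != proto or not lo <= pkt["dport"] <= hi:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in self.src:
            return False
        return self.dst is None or ip_address(pkt["dst"]) in self.dst

    def decide(self, at):
        base, _, alt = self.action.partition(" by schedule, otherwise ")
        if not alt:                                  # "ALLOW always" / "BLOCK always"
            return base.split()[0]
        on = self.schedule is None or self.schedule.active(at)
        return base if on else alt.upper()


def evaluate(tables, pkt, at):
    """tables is an ordered list of (table name, [rules]). The LAN WAN table is
    consulted before the DMZ WAN table, and within a table the first enabled
    matching rule wins, which is why rank (up/down) and disable matter.
    Returns (table, rule name, ALLOW/BLOCK) or (None, None, 'default')."""
    for table_name, rules in tables:
        for rule in rules:
            if rule.enabled and rule.matches(pkt):
                return table_name, rule.name, rule.decide(at)
    return None, None, "default"


BUSINESS_HOURS = Schedule(days={"Monday", "Tuesday", "Wednesday", "Thursday", "Friday"},
                          start=time(8, 0), end=time(18, 0))

# Constructed tables (not from the manual): inbound SSH to a DMZ host is blocked
# during business hours by a LAN WAN rule that outranks the DMZ WAN allow.
BLOCK_SSH = Rule("block-ssh-hours", ("tcp", 22, 22), "BLOCK by schedule, otherwise allow",
                 schedule=BUSINESS_HOURS)
TABLES = [
    ("LAN WAN Inbound", [BLOCK_SSH]),
    ("DMZ WAN Inbound", [Rule("allow-ssh-dmz", ("tcp", 22, 22), "ALLOW always", dst="172.16.2.0/24")]),
]
SSH_PKT = {"proto": "tcp", "dport": 22, "src": "198.51.100.7", "dst": "172.16.2.10"}

if __name__ == "__main__":
    print(evaluate(TABLES, SSH_PKT, datetime(2009, 5, 27, 10, 0)))   # Wednesday 10:00
    print(evaluate(TABLES, SSH_PKT, datetime(2009, 5, 24, 3, 0)))    # Sunday 03:00
```

On Sunday the LAN WAN rule still matches and decides ALLOW on its own; the DMZ WAN allow is never reached, which is exactly the precedence the text describes. Disabling (or deleting) the LAN WAN rule is what lets the DMZ WAN table decide.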
nding Violation
Note: Click the Firewall Logs & E-mail page hyperlink to ensure that e-mailing of logs is enabled on the Email and Syslog screen (see Configuring Logging, Alerts, and Event Notifications on page 11-5).

IP/MAC Bindings
Name: A descriptive name of the binding for identification and management purposes.
MAC Address: The MAC address of the PC or device that is bound to the IP address.

Table 5-9. IP/MAC Binding Settings (continued)

IP Address: The IP address of the PC or device that is bound to the MAC address.
Log Dropped Packets: To log the dropped packets, select Enable from the pull-down menu. The default setting is Disable.

4. Click the add table button. The new IP/MAC rule is added to the IP/MAC Bindings table.
5. Click Apply to save your changes.
To edit an IP/MAC binding:
1. In the IP/MAC Bindings table, click the edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
2. Modify the settings that you wish to change (see Table 5-9).
3. Click Apply to save your changes. The modified IP/MAC binding is displayed in the IP/MAC Bindings table.

Configuring Port Triggering
Port triggering allows some applications running on a LAN network to be available to external appli
ndwidth class. An exception occurs for an individual bandwidth profile if the classes are per-source-IP-address classes. The source IP address is the IP address of the first packet that is transmitted for the connection. So, for outbound firewall rules, the source IP address is the LAN-side IP address; for inbound firewall rules, the source IP address is the WAN-side IP address. The class is deleted when all the connections that are using the class expire.
After you have created a bandwidth profile, you can assign the bandwidth profile to firewall rules on the following screens:
• Add LAN WAN Outbound Services screen (see Figure 5-3 on page 5-13)
• Add LAN WAN Inbound Services screen (see Figure 5-4 on page 5-14)
To add and enable a bandwidth profile:
1. Select Network Security > Firewall Objects from the menu. The Firewall Objects submenu tabs appear with the Services screen in view.
2. Click the Bandwidth Profiles submenu tab. The Bandwidth Profiles screen displays (see Figure 5-23 on page 5-37, which shows one profile in the List of Bandwidth Profiles table as an example).

[Figure 5-23: Bandwidth Profiles screen. Enable Bandwidth Profiles: Yes. List of Bandwidth Profiles: Name BusinessLevel1, Bandwidth Range (kbps) 750-25000, Type Group, Direction Outbound Traffic. Packets Dropped due to Bandw
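The class lifecycle described above, as an added example that is not the manual's or NETGEAR's code: one class for a Group profile, one class per source IP for an Individual profile (LAN-side address for outbound rules, WAN-side address for inbound rules), and deletion of a class when its last connection expires. The profile row mirrors the BusinessLevel1 entry in Figure 5-23; the connection records, the range validation and the class names are assumptions made for the example.

```python
# Added example (not NETGEAR's code): the lifecycle of bandwidth classes under
# a profile, including the per-source-IP exception the text describes.
from dataclasses import dataclass


@dataclass(frozen=True)
class BandwidthProfile:
    """A row of the List of Bandwidth Profiles: name, range (kbps), Type
    (Group or Individual) and Direction (Outbound Traffic or Inbound Traffic)."""
    name: str
    min_kbps: int
    max_kbps: int
    kind: str = "Group"
    direction: str = "Outbound Traffic"

    def __post_init__(self):
        if not 0 < self.min_kbps <= self.max_kbps:       # validation assumed, not from the page
            raise ValueError("bandwidth range must satisfy 0 < min <= max")


class BandwidthClasses:
    """Tracks the classes created under one profile. A Group profile puts every
    matching connection into a single class. An Individual profile keys a class
    on the connection's source IP, where "source" is the sender of the first
    packet: the LAN-side address for outbound rules, the WAN-side address for
    inbound rules. A class is removed when its last connection expires."""

    def __init__(self, profile):
        self.profile = profile
        self.classes = {}          # class key -> set of connection ids

    def class_key(self, conn):
        if self.profile.kind == "Group":
            return self.profile.name
        side = "lan_ip" if self.profile.direction.startswith("Outbound") else "wan_ip"
        return "%s:%s" % (self.profile.name, conn[side])

    def open(self, conn):
        """A new connection matching the rule joins (or creates) its class."""
        key = self.class_key(conn)
        self.classes.setdefault(key, set()).add(conn["id"])
        return key

    def expire(self, conn):
        """Connection expiry; returns True if that removed the whole class."""
        key = self.class_key(conn)
        members = self.classes.get(key)
        if members is None:
            return False
        members.discard(conn["id"])
        if not members:
            del self.classes[key]
            return True
        return False

    def limits(self, key):
        """Every class under a profile is bounded by the profile's (min, max) kbps."""
        return (self.profile.min_kbps, self.profile.max_kbps) if key in self.classes else None


# Constructed connections (not from the manual): id, LAN-side and WAN-side addresses.
C1 = {"id": 1, "lan_ip": "192.168.1.10", "wan_ip": "203.0.113.5"}
C2 = {"id": 2, "lan_ip": "192.168.1.10", "wan_ip": "198.51.100.9"}
C3 = {"id": 3, "lan_ip": "192.168.1.11", "wan_ip": "203.0.113.5"}

if __name__ == "__main__":
    out = BandwidthClasses(BandwidthProfile("BusinessLevel1", 750, 25000, "Individual", "Outbound Traffic"))
    for c in (C1, C2, C3):
        print(out.open(c))
    print(out.expire(C1), out.expire(C2), sorted(out.classes))
```

For an inbound Individual profile the same three connections group differently (C1 and C3 share the WAN-side 203.0.113.5), which is the practical effect of the "source is the first packet's sender" rule.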
ned but skipped, leaving the end user vulnerable. This is the default setting.
• Block. The file is blocked and does not reach the end user.

HTML Scan
Scan HTML Files: Select this checkbox to enable scanning of HyperText Markup Language (HTML) files, which is enabled by default.

Notification Settings
By default, the content of a Web page that is blocked because of a detected malware threat is replaced with the following text, which you can customize:
NETGEAR ProSecure UTM has detected and stopped malicious code embedded in this web site or web mail for protecting your computer and network from infection. VIRUSINFO
Note: Make sure that you keep the VIRUSINFO meta word in a message to enable the UTM to insert the proper malware information. In addition to the VIRUSINFO meta word, you can insert the following meta words in your customized message: TIME, PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME.

3. Click Apply to save your settings.

Configuring Web Content Filtering
If you want to restrict internal LAN users from access to certain types of information and objects on the Internet, use the UTM's content filtering and Web objects filtering. With the exception of the Web content categories that are mentioned in Default E-mail and Web Scan Settings on page 6-2, all requested traffic from any Web site is allowed. You can specify a message such as "Blocked by NETGEAR" that
2. Click the Mode Config submenu tab. The Mode Config screen displays.

[Figure 7-25: Mode Config screen ("Operation succeeded"). List of Mode Config Records, columns Record Name, Pool Start IP, Pool End IP, Action. EMEA Sales: 172.169.100.1 to 172.169.100.99; 172.183.200.1 to 172.183.200.99; 0.0.0.0 to 0.0.0.0. NA Sales: 172.173.100.50 to 172.173.100.90; 172.185.210.1 to 172.185.210.99; 172.210.220.80 to 172.210.220.99. select all, delete, and add buttons.]

As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales. For EMEA Sales, a first pool (172.169.100.1 through 172.169.100.99) and a second pool (172.183.200.1 through 172.183.200.99) are shown. For NA Sales, a first pool (172.173.100.50 through 172.173.100.90), a second pool (172.185.210.1 through 172.185.210.99), and a third pool (172.210.220.80 through 172.210.220.99) are shown.
3. Under the List of Mode Config Records table, click the add table button. The Add Mode Config Record screen displays (see Figure 7-26 on page 7-44).

[Figure 7-26: Add Mode Config Record screen. Record Name; First Pool (Starting, Ending); Second Pool (Starting, Ending); Third Pool (Starting, Ending); WINS Server (Primary
Configuring Web and Services Protection
The UTM lets you configure the following settings to protect the network's Internet and Web services communication:
• The Web protocols, instant messaging services, and peer-to-peer services that are scanned for malware threats
• Actions that are taken when infected Web files or objects are detected
• The maximum file sizes that are scanned
• Web objects that are blocked
• Web categories, keywords, and file types that are filtered to block objectionable or high-risk content
• Domains and URLs that are blocked for objectionable or high-risk content
• Customer notifications and e-mail alerts that are sent when events are detected
• Schedules that determine when content filtering is active

Customizing Web Protocol Scan Settings and Services
You can specify the Web protocols (HTTP, HTTPS, and FTP) that are scanned for malware threats and the instant messaging and peer-to-peer applications that are allowed or blocked. Scanning all protocols enhances network security but might affect the performance of the UTM. For an optimum balance between security and performance, only enable scanning of the most commonly used protocols on your network. For example, you can scan FTP and HTTP but not HTTPS if this last protocol is not often used. Any protocol you leave unscanned is a path on which malware is not detected, so base the choice on what your network actually carries rather than on performance alone. For more information about performance, see Per
ng connection
Message 2: Nov 29 11:19:05 UTM pppd: CHAP authentication succeeded
Message 3: Nov 29 11:19:05 UTM pppd: local IP address 192.168.200.214
Message 4: Nov 29 11:19:05 UTM pppd: remote IP address 192.168.200.1
Message 5: Nov 29 11:19:05 UTM pppd: primary DNS address 202.153.32.2
Message 6: Nov 29 11:19:05 UTM pppd: secondary DNS address 202.153.32.2
Message 7: Nov 29 11:20:45 UTM pppd: No response to 10 echo-requests
Nov 29 11:20:45 UTM pppd: Serial link appears to be disconnected.
Nov 29 11:20:45 UTM pppd: Connect time 1.7 minutes.
Message 8: Nov 29 11:20:45 UTM pppd: Sent 520 bytes, received 80 bytes.
Message 9: Nov 29 11:20:51 UTM pppd: Connection terminated.
Explanation:
Message 1: Starting PPP connection process.
Message 2: Message from server for authentication success.
Message 3: Local IP address assigned by the server.
Message 4: Server-side IP address.
Message 5: Primary DNS configured in WAN status page.
Message 6: Secondary DNS configured in WAN status page.
Message 7: Sensing idle link.
Message 8: Data sent and received at the LAN side while the link was up.
Message 9: PPP connection terminated after idle timeout.
Recommended Action: To reconnect during idle mode, initiate traffic from the LAN side.

• PPP Authentication Logs

Table C-12. System Logs: WAN Status, PPP Authentication
Message:
Nov 29 11:29:26 UTM pppd: Starting link
Nov 29 11:29:29 UTM pppd: Remote message: Lo
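As an added example that is not part of the manual or NETGEAR's firmware, the parser below reads pppd lines in the form the table shows and reconstructs the session it explains: the CHAP result, the addresses handed out, the idle detection (no reply to echo-requests), connect time and byte counts, the termination, and the recommended action. The sample lines are constructed from the table (with the "pppd:" separator a syslog line normally carries); the event names, the authentication-failure wording and the derived duration are assumptions.

```python
# Added example (not NETGEAR's code): parse pppd log lines like those in the
# table above and reconstruct the session they describe. Sample lines are
# constructed from the table; event names and failure wording are assumptions.
import re

SAMPLE_LOG = """\
Nov 29 11:19:05 UTM pppd: Starting connection
Nov 29 11:19:05 UTM pppd: CHAP authentication succeeded
Nov 29 11:19:05 UTM pppd: local  IP address 192.168.200.214
Nov 29 11:19:05 UTM pppd: remote IP address 192.168.200.1
Nov 29 11:19:05 UTM pppd: primary   DNS address 202.153.32.2
Nov 29 11:19:05 UTM pppd: secondary DNS address 202.153.32.2
Nov 29 11:20:45 UTM pppd: No response to 10 echo-requests
Nov 29 11:20:45 UTM pppd: Serial link appears to be disconnected.
Nov 29 11:20:45 UTM pppd: Connect time 1.7 minutes.
Nov 29 11:20:45 UTM pppd: Sent 520 bytes, received 80 bytes.
Nov 29 11:20:51 UTM pppd: Connection terminated.
"""

SYSLOG = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) "
                    r"(?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$")

# (event name, pattern), in the order the table explains the messages
EVENTS = [
    ("start",        re.compile(r"^Starting (connection|link)")),
    ("auth_ok",      re.compile(r"^(CHAP|PAP) authentication succeeded")),
    ("auth_failed",  re.compile(r"^(CHAP|PAP) authentication failed")),   # wording assumed
    ("local_ip",     re.compile(r"^local +IP address (\S+)")),
    ("remote_ip",    re.compile(r"^remote +IP address (\S+)")),
    ("dns",          re.compile(r"^(primary|secondary) +DNS address (\S+)")),
    ("idle",         re.compile(r"^No response to (\d+) echo-requests")),
    ("connect_time", re.compile(r"^Connect time ([\d.]+) minutes")),
    ("bytes",        re.compile(r"^Sent (\d+) bytes, received (\d+) bytes")),
    ("terminated",   re.compile(r"^Connection terminated")),
]


def parse(text):
    """Return (hms, event, groups) for every pppd line matching a known event;
    other lines (such as 'Serial link appears to be disconnected') are skipped."""
    out = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m or m["proc"] != "pppd":
            continue
        for name, pat in EVENTS:
            g = pat.match(m["msg"])
            if g:
                out.append((m["hms"], name, g.groups()))
                break
    return out


def seconds(hms):
    h, m, s = map(int, hms.split(":"))
    return h * 3600 + m * 60 + s


def summarize(text):
    """Reconstruct the session: addresses handed out, whether the link dropped
    for lack of echo replies (the idle case the table explains), and what to
    do about it. The year is not logged, so duration uses time of day only."""
    s = {"authenticated": False, "dns": [], "idle_disconnect": False,
         "terminated": False, "duration_s": None, "recommended_action": None}
    first = last = None
    for hms, name, groups in parse(text):
        first = first or hms
        last = hms
        if name == "auth_ok":
            s["authenticated"] = True
        elif name == "auth_failed":
            s["authenticated"] = False
            s["recommended_action"] = "check the PPP login name and password"
        elif name in ("local_ip", "remote_ip"):
            s[name] = groups[0]
        elif name == "dns":
            s["dns"].append(groups[1])
        elif name == "idle":
            s["idle_disconnect"] = True
            s["echo_requests_lost"] = int(groups[0])
        elif name == "connect_time":
            s["connect_minutes"] = float(groups[0])
        elif name == "bytes":
            s["sent"], s["received"] = int(groups[0]), int(groups[1])
        elif name == "terminated":
            s["terminated"] = True
    if first and last:
        s["duration_s"] = seconds(last) - seconds(first)
    if s["terminated"] and s["idle_disconnect"]:
        s["recommended_action"] = "initiate traffic from the LAN side to reconnect"
    return s


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print("%-20s %s" % (k, v))
```

Feeding real UTM syslog output through this is the quickest way to separate an idle timeout (recommended action: generate LAN-side traffic) from an authentication failure, which needs a credential fix instead.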
433. ...ng reasons can be selected:
• For the Email filters log: keyword, file type, file name, password, and size limit.
• For the Content filters log: URL, file type, and size limit.

Spam Found By: This field is available only for the Spam log. Select a checkbox to specify the method by which spam is detected: Blacklist or Heuristic Scan. Note: Heuristic Scan refers to Distributed Spam Analysis.

Malware Name: The name of the malware threat that is queried. This field is available only for the Malware log.

Action: The spam or malware detection action that is queried. The following actions can be selected:
• For the Spam log: block or tag.
• For the Malware log: delete, block email, or log.

Email Subject: The e-mail subject that is queried. This field is available for the following logs: Spam and Email filters.

Sender Email: The sender's e-mail address that is queried. This field is available only for the Traffic log.

Recipient Email: The recipient's e-mail address that is queried. This field is available for the following logs: Traffic, Spam, Malware, and Email filters.

Table 11-15: Logs Query Settings (continued). Setting: Description or Subfield and Description. Search Criteria (continued): Message: The e-mail message text that is queried. conti...
434. ...nline Support. If your UTM is still unable to obtain an IP address from the ISP, the problem might be one of the following:
• Your ISP might require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
• If your ISP requires a login, you might have incorrectly set the login name and password.
• Your ISP might check for your PC's host name. Enter the host name, system name, or account name that was assigned to you by your ISP in the Account Name field on the WAN1 ISP Settings or WAN2 ISP Settings screen of the UTM25, or on the WAN ISP Settings screen of the UTM10. You might also have to enter the assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information (see Manually Configuring the Internet Connection on page 3-5).
• Your ISP allows only one Ethernet MAC address to connect to the Internet and might check for your PC's MAC address. In this case, inform your ISP that you have bought a new network device and ask them to use the UTM's MAC address, or configure your UTM to spoof your PC's MAC address. You can do this in the Router's MAC Address section of the WAN1 Advanced Options or WAN2 Advanced Options screen of the UTM25, or in the Router's MAC Address section of the WAN Advanced Options screen of the UTM10 (see ...
435. ...nnect. The tunnel status field displays OFF. If NETGEAR Technical Support cannot access the UTM remotely, they might ask you to save a log file to your computer and then e-mail it to NETGEAR for analysis (see Gathering Important Log Information on page 11-47).

Sending Suspicious Files to NETGEAR for Analysis. You can report any undetected malware file or malicious e-mail to NETGEAR for analysis. The file is compressed and password-protected before it is sent. To submit a file to NETGEAR for analysis:
1. Select Support > Malware Analysis from the menu. The Online Support screen displays. [Figure 12-3: Malware Analysis screen. Submit a suspicious file, an infected file that was not detected, or a malicious email to NETGEAR for analysis. Fields: Email Address, File Location (Browse), Source Product Model, Description. Note: Response and handling times depend on the threat level of the file or email as determined by NETGEAR.]
2. Enter the settings as explained in Table 12-1. Table 12-1: Malware Analysis Settings. Setting: Description or Subfield and Description. Email Address: The e-mail address of the submitter, to enable NETGEAR to contact the submitter if needed. File Location: Click Browse to navigate to the file that you want to submit to NETGEAR. Source Product Mod...
436. ...nnects to the local network over the VPN tunnel.

Configuring the Client IP Address Range. First determine the address range to be assigned to VPN tunnel clients, then define the address range. To define the client IP address range:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view.
2. Click the SSL VPN Client submenu tab. The SSL VPN Client screen displays. [Figure 8-15: SSL VPN Client screen. Client IP Address Range section: Enable Full Tunnel Support, DNS Suffix, Primary DNS Server, Secondary DNS Server, Client Address Range Begin (192.168.251.x), Client Address Range End (192.168.251.x). Note: Static routes should be added to reach any secure network in SPLIT TUNNEL mode. In FULL TUNNEL mode all client routes will be ineffective. Configured Client Routes: Destination Network, Subnet Mask. Add Routes for VPN Tunnel Clients: Destination Network, Subnet Mask.]
3. Select the checkbox and complete the fields as explained in Table 8-8. Table 8-8: Client IP Address Range Settings. Item: Description or Subfield and Description. Client IP Address Range: Enable Full Tunnel Support: Select this checkbox to enable full tunnel support. If you leave this checkbox deselect...
437. ...nt 1-6. Maintenance and Support 1-7. Service Registration Card with License Keys 1-8. [illegible entry] 1-9. Hardware Features 1-9. [illegible entry] 1-9. [illegible entry] 1-12. Bottom Panel With Product Label 1-12. Choosing a Location for the UTM 1-14. Using the Rack Mounting Kit 1-14. (vii)

Chapter 2: Using the Setup Wizard to Provision the UTM in Your Network. Understanding the Steps for Initial Connection 2-1. Qualified Web Browsers 2-2. Logging In to the UTM 2-2. Understanding the Web Management Interface Menu Layout 2-5. Using the Setup Wizard to Perform the Initial Configuration 2-7. Setup Wizard Step 1 of 10: LAN Settings ...
438. ...ntication Solutions on page D-2.

Why do I need Two-Factor Authentication? In today's market, online identity theft and online fraud continue to be one of the fastest growing cyber crime activities used by many unethical hackers and cyber criminals to steal digital assets for financial gains. Many companies and corporations are losing millions of dollars and running into risks of revealing their trade secrets and other proprietary information as the result of these cyber crime activities. Security threats and hackers have become more sophisticated, and user names, encrypted passwords, and the presence of firewalls are no longer enough to protect the networks from being compromised. IT professionals and security experts have recognized the need to go beyond the traditional authentication process by introducing and requiring additional factors to the authentication process. NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. As part of the new maintenance firmware release, NETGEAR has implemented a more robust authentication system known as Two-Factor Authentication (2FA or T-FA) on its SSL and IPSec VPN firewall product line to help address the fast growing network security issues.

What are the benefits of Two-Factor Authentication?
• Stronger security. Passwords cannot efficiently protect the corporate networks because attackers can easily guess simple passwords, or users cannot remember complex and uniqu...
439. ...nued. This field is available for the following logs: Port Scan, IPS, Instant Messaging, and Peer to Peer.

Subject: The e-mail subject line that is queried. This field is available only for the Traffic log.

Size: The file's minimum and maximum size in bytes that are queried. This field is available only for the Traffic log.

Event: The type of event that is queried. These events are the same events that are used for syslog server severity indications: EMERG, ALERT, CRITICAL, ERROR, WARNING, NOTICE, INFO, and DEBUG. This field is available only for the Service log.

URL: The URL that is queried. This field is available only for the Content filters log.

Display: The maximum number of pages that is displayed.

Download Log: Select a radio button to specify the format to download the zipped log file. File Format: CSV: Download the log file as a comma-separated values (CSV) file. HTML: Download the log file as an HTML file.

4. Click one of the following action buttons:
• Search: Query the log according to the search criteria that you specified and view the log through the Web Management Interface, that is, on screen.
• Download: Query the log according to the search criteria that you specified and download the log to a computer.

Note: The system, firewall, IPsec VPN, and SSL VPN logs cannot be queried or downloaded. When you select any of these logs, you can view them through the Web Management Interf...
440. ...nutes that the updates occur. Every: From the pull-down menu, select the frequency with which the updates occur. The range is from 15

HTTPS Proxy Settings: Enable: If computers on the network connect to the Internet via a proxy server, select the Enable checkbox to specify and enable a proxy server. Enter the following settings: Proxy server: The IP address and port number of the proxy server. User name: The user name for proxy server authentication. Password: The password for proxy server authentication.

Setup Wizard Step 10 of 10: Saving the Configuration. [Figure 2-16: Setup Wizard Step 10 of 10. The system will be restarted. Note: The system IP address is 192.166.1.1.] Click Apply to save your settings and automatically restart the system.

Verifying Proper Installation. Test the UTM before deploying it in a live production environment. The following instructions walk you through a couple of quick tests that are designed to ensure that your UTM is functioning correctly.

Testing Connectivity. Verify that network traffic can pass through the UTM:
• Ping an Internet URL.
• Ping the IP address of a device on either side of the UTM.

Testing HTTP Scanning. If client computers have direct access to the Internet through your LAN, try to...
441. ...o a computer and then to the UTM. Installing the downloaded firmware version. 4. Rebooting the UTM with the new firmware version.

Viewing the Available Firmware Versions. To view the current version of the firmware that your UTM is running and the other available firmware versions:
1. Select Administration > System Update from the menu. The System Update submenu tabs appear with the Signatures & Engine screen in view.
2. Click the Firmware submenu tab. The Firmware screen displays. [Figure 10-6: Firmware screen. Firmware Download table (Firmware Version, Last Downloaded, Download Status): 1.0.0-14, N/A; 1.0.0-15, N/A; 1.0.0-17. Firmware Reboot table (Activation, Type, Version, Status): active, 1.0.0-17, ok; secondary, N/A, corrupted.]

The Firmware Reboot section shows the following information fields for both the active and secondary (that is, non-active) firmware:
• Type: Active or secondary firmware.
• Version: The firmware version.
• Status: The status of the firmware: ok or corrupted.

To see which other firmware versions are available, click Query under the Firmware Download section to allow the UTM to connect to the N...
442. ...oad on the WAN side. Warning: This feature is for advanced administrators only. Incorrect configuration might cause serious problems.

Each rule lets you specify the desired action for the connections that are covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block

The section below summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules (Service Blocking) on page 5-4. For detailed procedures on how to configure outbound rules, see Setting LAN WAN Rules on page 5-11 and Setting DMZ WAN Rules on page 5-14.

When you define outbound firewall rules, you can further refine their application according to the following criteria:

Services: You can specify the services or applications to be covered by an outbound rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see Services-Based Rules on page 5-3 and Adding Customized Services on page 5-30).

LAN Users: You can specify which computers on your network are affected by an outbound rule. There are several options: Any: All PCs and devices on your LAN. Single address: The rule...
443. ...occurs. Go to When You Enter a URL or IP Address, a Time-out Error Occurs on page 12-4.
• I cannot access the Internet or the LAN. Go to Troubleshooting the ISP Connection on page 12-5.
• I have problems with the LAN connection. Go to Troubleshooting a TCP/IP Network Using a Ping Utility on page 12-6.
• I want to clear the configuration and start over again. Go to Restoring the Default Configuration and Password on page 12-8.
• The date or time is not correct. Go to Problems with Date and Time on page 12-9.
• I need help from NETGEAR. Go to Using Online Support on page 12-10.

Note: The UTM's diagnostic tools are explained in Using Diagnostics Utilities on page 11-43.

Basic Functioning. After you turn on power to the UTM, the following sequence of events should occur:
1. When power is first applied, verify that the PWR LED is on.
2. After approximately two minutes, verify that: a. The Test LED is no longer lit. b. The LAN port Left LEDs are lit for any local ports that are connected. c. The WAN port Left LEDs are lit for any WAN ports that are connected. If a port's Left LED is lit, a link has been established to the connected device. If a port is connected to a 1000 Mbps device, verify that the port's Right LED is green. If the port functions at 100 Mbps, the Right LED is am...
444. ...of PCs. You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules. The Known PCs and Devices table is an automatically maintained list of all known PCs and network devices and is generally referred to as the Network Database, which is described in Managing the Network Database on page 4-13. PCs and network devices are entered into the Network Database by various methods that are described in Managing Groups and Hosts (LAN Groups) on page 4-12.
• WAN Users: You can specify which Internet locations are covered by an inbound rule based on their IP address. Any: The rule applies to all Internet IP addresses. Single address: The rule applies to a single Internet IP address. Address range: The rule is applied to a range of Internet IP addresses.
• Schedule: You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Setting a Schedule to Block or Allow Specific Traffic on page 5-39.
• QoS Profile: You can define QoS profiles and then apply them to inbound rules to regulate the priority of traffic. To define QoS profiles, see Creating Quality of Service (QoS) Profiles on page 5-33.
• Bandwidth Profile: You can define bandwidth profiles and then apply them to inbound rules to limit traffic. To define ban...
445. ...of your UTM. This chapter contains the following sections:
• Managing Virtual LANs and DHCP Options, on this page
• Configuring Multi-Home LAN IPs on the Default VLAN, on page 4-11
• Managing Groups and Hosts (LAN Groups), on page 4-12
• Configuring and Enabling the DMZ Port, on page 4-18
• Managing Routing, on page 4-22

Managing Virtual LANs and DHCP Options. A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges, or switches in the same physical segment or segments connect all end node devices. End nodes can communicate with each other without the need for a router. Routers connect LANs together, routing the traffic to the appropriate port.

A virtual LAN (VLAN) is a local area network with a definition that maps workstations on some basis other than geographic location, for example, by department, type of user, or primary application. To enable traffic to flow between VLANs, traffic must go through a router, just as if the VLANs were on two separate LANs.

A VLAN is a group of PCs, servers, and other network resources that behave as if they were connected to a single network segment, even though they might not be. For example, all marketing personnel might be spread throughout a building. Yet if they are all assigned to a single VLAN, they can share resources and bandwidth as if they were connected to the same segment. The resources of other departments can be invisible to th...
446. ...olicy. [Figure 7-28: Security Policy Editor. Connection list: Client_to_..., Other Connections. Remote Party Identity and Addressing: ID Type: IP Subnet; Subnet: 192.168.1.0; Mask: 255.255.255.0; Protocol: All. Use Secure Gateway Tunnel: ID Type: Domain Name; Gateway IP Address: utm25_local.com (192.163.50.61).]

3. Enter the settings as explained in Table 7-17. Table 7-17: Security Policy Editor, Remote Party, Mode Config Settings. Setting: Description or Subfield and Description.

Connection Security: Select the Secure radio button. If you want to connect manually only, select the Only Connect Manually checkbox.

ID Type: From the pull-down menu, select IP Subnet.

Subnet: Enter the LAN IP subnet address that you specified on the Add Mode Config Record in the Local IP Address field. If you left the Local IP Address field blank, enter the UTM's default IP subnet address. In this example, we are using 192.168.1.0.

Mask: Enter the LAN IP subnet mask that you specified on the Add Mode Config Record in the Local Subnet Mask field. If you left the Local Subnet Mask field blank, enter the UTM's default IP subnet mask. In this example, we are using 255.255.255.0.

Protocol: From the pull-down menu, select All.

Table 7-17: Security Policy Editor, Remote Party...
447. ...ollowing settings: Host and Domain Name: The host and domain name for the DDNS service. User Name: The user name for DDNS server authentication. Password: The password that is used for DDNS server authentication. Use wildcards: If your DDNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards checkbox to activate this feature. For example, the wildcard feature causes *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. Update every 30 days: If your WAN IP address does not change often, you might need to force a periodic update to the DDNS service to prevent your account from expiring. If it appears, you can select the Update every 30 days checkbox to enable a periodic update.

WAN2 Dynamic DNS Status: See the information for WAN1 above about how to enter the settings. You can select different DDNS services for WAN1 and WAN2.

7. Click Apply to save your configuration.

Configuring Advanced WAN Options. The advanced options include configuration of the maximum transmission unit (MTU) size, port speed, the UTM's MAC address, and setting a rate limit on the traffic that is being forwarded by the UTM. To configure advanced WAN options:
1. Select Network Config > WAN Settings...
448. ...omain. [Figure 10-1: List of Users table, showing users (guest, Peter, rsademo, geardomain, techpubadmin) with their domains (geardomain, prosecure), user types (Guest User, SSL VPN User, Administrator), and the Default Users section.]

2. In the Action column of the List of Users table, click the edit table button for the user with the name admin. The Edit User screen displays. [Figure 10-2: Edit User screen (Operation succeeded). Fields: User Name (techpub), User Authentication Type (local), Select User Type, Check to Edit Password, Enter Your Password, New Password, Confirm New Password, Idle Timeout (Minutes).]

3. Select the Check to Edit Password checkbox. The password fields become active.
4. Enter the old password, enter the new password, and then confirm the new password. Note: The ideal password should contain no dictionary words from any language and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.
5. As an option, you can change the idle timeout for an administrator login session. Enter a new number of minutes in the Idle Timeout field. The default setting is 5 minutes.
6. Click Apply to save your settings.

Repeat step 1 through step 6 fo...
449. ...on about certificates, see Managing Digital Certificates on page 9-17. You can specify trusted hosts for which the UTM bypasses HTTPS traffic scanning. For more information, see Specifying Trusted Hosts on page 6-37.

To configure the HTTPS scan settings:
1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view.
2. Click the HTTPS Settings submenu tab. The HTTPS Settings screen displays. [Screen text: Allow scanning of HTTPS connections through an HTTP proxy (if used). Note: In order to use this you must add the HTTP proxy server port into the Ports to Scan field under Application Security > Services. HTTPS 3rd Party Website Certificate Handling: When the UTM is scanning HTTPS traffic, the client builds trust with the UTM and the UTM builds trust with 3rd party websites. If the 3rd party website's certificate is not signed by a trusted CA: Allow the UTM to present the website to the client. Show This Message When an SSL Connection Attempt Fails: Replace the Content of a Blocked Page with the Following Text: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML> <HEAD> <TITLE>NETGEAR ProSecure User Notification</TITLE> <META http-equ...]
450. ...on after 2 Hours. Explanation. Message 1: DNS resolution for the NTP server time-f.netgear.com. Message 2: Request for NTP update from the time server. Message 3: Adjust time by re-setting system time. Message 4: Display date and time before synchronization, that is, when resynchronization started. Message 5: Display the new updated date and time. Message 6: Next synchronization will be after the specified time mentioned. Example: In the above logs, the next synchronization will be after two hours. Recommended Action: None.

Login/Logout. This section describes logs that are generated by the administrative interfaces of the device.

Table C-6: System Logs, Login/Logout. Message: Nov 28 14:45:42 UTM login: Login succeeded: user admin from 192.168.10.10. Explanation: Login of user admin from host with IP address 192.168.10.10. Recommended Action: None.

Message: Nov 28 14:55:09 UTM seclogin: Logout succeeded for user admin. Nov 28 14:55:13 UTM seclogin: Login succeeded: user admin from 192.168.1.214. Explanation: Secure login/logout of user admin from host with IP address 192.168.1.214. Recommended Action: None.

Firewall Restart. This section describes logs that are generated when the firewall restarts. Table C-7: System Logs, Firewall Restart. Message: J...
451. ...on and Password 12-8. Problems with Date and Time 12-9. Using Online Support 12-10. Enabling Remote Troubleshooting 12-10. Sending Suspicious Files to NETGEAR for Analysis 12-11. Accessing the Knowledge Base and Documentation 12-12.

Appendix A: Default Settings and Technical Specifications.

Appendix B: Network Planning for Dual WAN Ports (UTM25 Only). What to Consider Before You Begin B-1. Cabling and Computer Hardware Requirements B-3. Computer Network Configuration Requirements B-3. Internet Configuration Requirements B-3. Overview of the Planning Process B-5. Inbound Traffic B-7. Inbound Traffic to a Single WAN Port System B-7. Inbound Traffic to a Dual WAN Port System B-8. Virtual Private Networks (VPNs) B-9. VPN Road Warrior (Client-to-Gateway)...
452. ...on keywords in the subject line, file type of the attachment, and file name of the attachment. You can also set an action to perform on e-mails with password-protected attachments. Several types of e-mail blocking are available:

Keyword blocking: You can specify words that, should they appear in the e-mail subject line, cause that e-mail to be blocked by the UTM.

Password-protected attachments: You can block e-mails based on password-protected attachments such as ZIP or RAR attachments.

File extension blocking: You can block e-mails based on the extensions of attached files. Such files can include executable files, audio and video files, and compressed files.

File name blocking: You can block e-mails based on the names of attached files. Such names can include, for example, names of known malware threats such as the Netsky worm, which normally arrives as netsky.exe.

To configure e-mail content filtering:
1. Select Application Security > Email Filters from the menu. The Email Filters screen displays. [Screen text: Keywords (Example: mortgage, viagra); Action (SMTP, POP3); Filter by Password-Protected Attachments (ZIP, RAR, etc.); Action (SMTP, POP3, IMAP); Filter by File Type; File Extension list: exe, msi, com, bat, vbx, inf, hta, jse, mp3, aac, wsh, vbs, vbe, lnk, chm, mpg, pif, reg, wmv, scr, c...]
453. ...on name during the VPN Wizard setup identifies both the VPN policy and IKE policy. You can edit existing policies or manually add new VPN and IKE policies directly in the policy tables.

Managing IKE Policies. The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN gateways and provides automatic management of the keys that are used for IPsec connections. It is important to remember that:
• An automatically generated VPN policy (Auto Policy) must use the IKE negotiation protocol.
• A manually generated VPN policy (Manual Policy) cannot use the IKE negotiation protocol.

IKE policies are activated when the following situations occur:
1. The VPN policy selector determines that some traffic matches an existing VPN policy.
• If the VPN policy is of an Auto Policy type, the IKE policy that is specified in the Auto Policy Parameters section of the Add VPN Policy screen (see Figure 7-23 on page 7-33) is used to start negotiations with the remote VPN gateway.
• If the VPN policy is of a Manual Policy type, the settings that are specified in the Manual Policy Parameters section of the Add VPN Policy screen (see Figure 7-23 on page 7-33) are accessed, and the first matching IKE policy is used to start negotiations with the remote VPN gateway.
454. ...on that you must include in your CSR. To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the UTM:
1. Select VPN > Certificates from the menu. The Certificates screen displays. Figure 9-13 on page 9-22 shows the middle section of the screen with the Active Self Certificates section, Generate Self Certificate Request section, and Self Certificate Requests section. The Self Certificate Requests table contains some examples. [Figure 9-13: Certificates screen (2 of 3). Active Self Certificates table (Name, Subject Name; select all, delete). Generate Self Certificate Request: Name, Subject, Hash Algorithm, Signature Algorithm, Signature Key Length, IP Address (optional), Domain Name (optional), E-mail Address (optional), Generate. Self Certificate Requests table (Name, Status): SampleCertificateUTM, Active Self Certificate Not Uploaded; SampleCertificatelIUTM, Active Self Certificate Not Uploaded; select all, delete. Upload certificate corresponding to a request above: File, Upload.]
2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in Table 9-7. Table 9-7: Generate Self Certificate Request Settings. Setting: Descr...
455. ...on to save the configuration, or select File > Save from the Security Policy Editor menu.
11. Close the ProSafe VPN Client.

Testing the Mode Config Connection. To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured appears; in this example, My Connections\ModeConfigTest.
2. Click on the connection. For this example, the message "Successfully connected to MyConnections\ModeConfigTest" is displayed within 30 seconds, and the VPN client icon in the toolbar displays On.
3. From the client PC, ping a computer on the UTM LAN.

Configuring Keepalives and Dead Peer Detection. In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require a VPN tunnel to remain connected, you can use the Keepalive and Dead Peer Detection (DPD) features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconnects for any reason. For DPD to function, the peer VPN device on the other end of the tunnel must also support DPD. Keepalive, though less reliable than DPD, does not require any support from the peer device.

Configuring...
456. ...onfigure and activate the e-mail alerts:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view.
2. Click the Alerts submenu tab. The Alerts screen displays (Figure 11-5 on page 11-11). [Figure 11-5: Alerts screen. Submenu tabs: System Status, Active Users & VPNs, Dashboard, Diagnostics, Email and Syslog, Firewall Logs, Alerts, Log Query, Generate Report, Scheduled Report. Alerts: Enable Update Failure Alerts; Enable License Expiration Alerts; Enable Malware Alerts (Subject, Message; Note: Insert the following meta words to automatically include the relevant malware detection information: %TIME%, %PROTOCOL%, %FROM%, %TO%, %SUBJECT%, %FILENAME%, %ACTION%, %VIRUSNAME%, %VIRUSINFO%); Enable Malware Outbreak Alerts (Outbreak Criteria: malware found within N minutes, maximum 90 minutes; Protocol checkboxes; Subject); Enable IPS Outbreak Alerts (Outbreak Criteria: attacks found within N minutes, maximum 90 minutes; Subject); Enable IPS Alerts (Subject); Apply, Reset.]
3. Enter the settings as explained in Table 11-4. Table 11-4: Alerts Settings. Setting: Description or Subfield and Description. Enable Update...: Select this checkbox to enab...
457. ...onitoring System Access and Performance

Configuring Logging, Alerts, and Event Notifications

By default, the UTM logs security-related events such as accepted and dropped packets on different segments of your LAN, denied incoming and outgoing service requests, hacker probes and login attempts, content filtering events such as attempts to access blocked sites and URLs, unwanted e-mail content, spam attempts, and many other types of events. You can configure the UTM to e-mail logs and alerts to a specified e-mail address.

To receive the logs in an e-mail message, the UTM's e-mail notification server must be configured and e-mail notification must be enabled. If the e-mail notification server is not configured or e-mail notification is disabled, you can still query the logs and generate log reports that you can then view on the Web Management Interface screen or save in CSV format. For more information about logs, see "Querying Logs and Generating Reports" on page 11-32.

Configuring the E-mail Notification Server

The UTM can automatically send information such as notifications and reports to the administrator. You must configure the necessary information for sending e-mail, such as the administrator's e-mail address, the e-mail server, user name, and password.

To configure the e-mail notification server:
1. Select Network Config > Email No...
458. ...onnection Time: 0 Days 00:23:41; Connection Type: DHCP; Connection State: Connected; IP Address: 192.168.50.61; Subnet Mask: 255.255.255.0; Gateway: 192.168.50.1; DNS Server: 192.168.50.1; DHCP Server: 192.168.50.1; Lease Obtained: Tue Apr 14 16:46:03 GMT 2009; Lease Duration: 1 Day 00:00:00. (Figure 11-19)

The Connection Status screen displays the information that is described in Table 11-14.

Table 11-14 WAN1 (UTM25) or WAN (UTM10) Port Status Information
Item: Description (or Subfield and Description)
Connection Time: The period that the UTM has been connected through the WAN port.
Connection Type: DHCP or Static IP.
Connection Status: Connected or Disconnected.
IP Address, Subnet Mask, Gateway, DNS Server: The addresses that were automatically detected (see "Automatically Detecting and Connecting" on page 3-2) or that you configured on the WAN1 ISP Settings screen (UTM25) or WAN ISP Settings screen (UTM10) (see "Manually Configuring the Internet Connection" on page 3-5).
DHCP Server: The DHCP server that was automatically detected (see "Automatically Detecting and Connecting" on page 3-2) or that you configured for a VLAN profile on the Edit VLAN Profile screen (see "Configuring a VLAN Profile" on page 4-6).
Lease Obta...
459. ...ork resource with the name FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5-10.0.0.20 and the FQDN ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user would attempt to access:
- an FTP server at 10.0.0.1, the user would be blocked by Policy 1.
- an FTP server at 10.0.1.5, the user would be blocked by Policy 2.
- an FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5-10.0.0.20 is more specific than the IP address range that is defined in Policy 1.
- an FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range that is configured in Policy 2.

Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The UTM's policy engine does not perform reverse DNS lookups.

Viewing Policies

To view the existing policies, follow these steps:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view. Figure 8-18 on page 8-33 shows some examples.
(Figure 8-18: "Operation succeeded"; View List of SSL VPN Policies for: Global, Group, User (admin); Display...)
460. ...otocol Scan Settings and Services" on page 6-19).
- Peer-to-peer blocked (to configure, see "Customizing Web Protocol Scan Settings and Services" on page 6-19).
Network: Displays the total number of:
- IPS attack signatures matched (to configure, see "Using the Intrusion Prevention System" on page 5-47).
- Port scans detected (to configure, see "Using the Intrusion Prevention System" on page 5-47).

Table 11-6 Dashboard: Total Threats, Threats Counts, and Total Traffic (Bytes) Information (continued)
Item: Description (or Subfield and Description)
Threats Counts: This is a graphic that shows the relative number of threats and access violations over the last week, using different colors for the various applications. Note: IMBlock stands for instant messaging applications blocked, P2PBlock stands for peer-to-peer applications blocked, and IPSSisMatch stands for IPS signatures matched.
Total Traffic (Bytes): This is a graphic that shows the relative amount of traffic in bytes over the last week.
(Figure residue: Most Recent 5 Threats Detected and Top 5 Threats Detected tables with columns Malware Name, Protocol, Date and Time; example entry EICAR AV Test, HTTP, 2009-04-18 00:12:02. Most Recent 5 IPS Signature Matches and Top 5 IPS Signature Matches tables.)
461. ...otocol binding is configured. When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1 port and the FTP protocol is bound to the WAN2 port, then the UTM automatically routes all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All outbound FTP traffic is routed through the WAN2 port.

Protocol binding addresses two issues:
- Segregation of traffic between links that are not of the same speed. High-volume traffic can be routed through the WAN port connected to a high-speed link, and low-volume traffic can be routed through the WAN port connected to the low-speed link.
- Continuity of source IP address for secure connections. Some services, particularly HTTPS, cease to respond when a client's source IP address changes shortly after a session has been established.

To configure the dual WAN ports for load balancing mode with optional protocol binding:
1. Select Network Config > WAN Settings from the menu, then click the WAN Mode tab. The WAN Mode screen displays (see Figure 3-8 on page 3-12).
2. Select the Load Balancing radio button. Optional: Next to the Load Balancing radio button, click the view protocol bindings button. The WAN Protocol Bindings screen displays (see Figure 3-9 on page 3-15). The Web Management Interface path to this screen is Network Config > Protocol Bindings.
462. ...ou can determine whether the request was successful using the Web Management Interface.

To check the WAN IP address:
1. Launch your browser and navigate to an external site such as www.netgear.com.
2. Access the Web Management Interface of the UTM's configuration at https://192.168.1.1.
3. Select Network Security > WAN Settings from the menu. The WAN1 ISP Settings screen (UTM25) or WAN ISP Settings screen (UTM10) displays. For the UTM25 only, to display the WAN2 ISP Settings screen, click WAN2 ISP Settings. Click the WAN Status option arrow at the top right of the WAN1 ISP Settings or WAN2 ISP Settings screen of the UTM25, or at the top right of the WAN ISP Settings screen of the UTM10. The Connection Status screen appears in a pop-up window. For more information, see "Viewing the WAN Ports Status" on page 11-27. Check that an IP address is shown for the WAN port. If 0.0.0.0 is shown, your UTM has not obtained an IP address from your ISP.

If your UTM is unable to obtain an IP address from the ISP, you might need to force your modem or router to recognize your new UTM by performing the following procedure:
1. Turn off the power to the modem or router.
2. Turn off the power to your UTM.
3. Wait five minutes, and then turn on the power to the modem or router.
4. When the modem's or router's LEDs indicate that it has reacquired synchronization with the ISP, turn on the power to your UTM.

Troubleshooting and Using O...
463. ...ount, and top 10 violating peer-to-peer clients by count.
The following malware incidents are shown per day, both in tables and graphics:
- The number of SMTP, POP3, and IMAP incidents, the top 10 e-mail malware threats by count, and the top 10 infected e-mail clients by count.
- The number of HTTP, HTTPS, and FTP incidents, the top 10 Web malware threats by count, and the top 10 infected Web clients by count.
The reports that you select are generated as both Microsoft Office Comma-Separated Values (CSV) and MHTML files. The CSV files contain neither headers for the tables nor graphics, but the MHTML files contain both. You can download the reports as zipped files.

Generating Reports

To generate a report:
1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view.
2. Click the Generate Reports submenu tab. The Generate Reports screen displays (see Table 11-24 on page 11-41).
(Figure residue: Generate Report screen, "Operation succeeded"; Time From and To pull-down menus (year, month, day, hour); checkboxes Email Reports, Web Reports, System Reports; Maximum 5; Report Date...)
464. ...oups" on page 4-12).
WAN Users: The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
- Any: All Internet IP addresses are covered by this rule.
- Single address: Enter the required address in the Start field.
- Address range: Enter the Start and Finish fields.
DMZ Users: The settings that determine which DMZ computers on the DMZ network are affected by this rule. The options are:
- Any: All PCs and devices on your DMZ network.
- Single address: Enter the required address to apply the rule to a single PC on the DMZ network.
- Address range: Enter the required addresses in the Start and Finish fields to apply the rule to a range of DMZ computers.

Table 5-2 Outbound Rules Overview (continued)
Setting: Description (or Subfield and Description)
QoS Profile: The priority assigned to IP packets of this service. The priorities are defined by Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. The QoS profile determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The UTM marks the Type of Service (ToS) field as defined in the QoS profiles that you create. For more information, see "Creating Quality of Service (QoS) Prof...
465. ...our ISP.
7. Configure the Domain Name Server (DNS) servers settings as explained in Table 3-4 on page 3-9.
(Figure 3-7: DNS server settings with the radio buttons Get Automatically from ISP and Use These DNS Servers, and the fields Primary DNS Server and Secondary DNS Server.)

Table 3-4 DNS Server Settings
Setting: Description (or Subfield and Description)
Get Automatically from ISP: If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get Automatically from ISP radio button.
Use These DNS Servers: If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues.
Primary DNS Server: The IP address of the primary DNS server.
Secondary DNS Server: The IP address of the secondary DNS server.

8. Click Test to evaluate your entries. The UTM attempts to make a connection according to the settings that you entered.
9. Click Apply to save any changes to the WAN1 ISP settings (UTM25) or WAN ISP settings (UTM10). Or click Reset to discard any changes and revert to the previous settings.
10. For the UTM25 only, if you intend to use a dual WAN mode, click the WAN2 ISP Settings tab and configure the WAN2...
466. ...ource Objects to Simplify Policies" on page 8-28). The screen adjusts to unmask the fields that are shown in the Network Resource fields below.
IP Address: The policy is applied to a single IP address. The screen adjusts to unmask the fields that are shown in the IP Address fields below.
IP Network: The policy is applied to a network address. The screen adjusts to unmask the fields that are shown in the IP Network fields below.
All Addresses: The policy is applied to all addresses. The screen adjusts to unmask the fields that are shown in the All Addresses fields below.
Network Resource:
- Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
- Defined Resources: From the pull-down menu, select the network resource that you have defined on the Resources screen (see "Using Network Resource Objects to Simplify Policies" on page 8-28).
- Permission: From the pull-down menu, select whether the policy permits (PERMIT) or denies (DENY) access.
IP Address:
- Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
- IP Address: The IP address to which the SSL VPN policy is applied.
- Port Range / Port Number: A port (enter it in the Begin field) or a range of ports (enter them in the Begin and End fields) to which the SSL VPN policy is applied. Ports can be 0 through 65535. The policy is applied to all TCP and UDP traffic that passes on those ports. L...
467. ...ource device as a percentage of the total session connection capacity of the UTM. The session limit is per-device based. If the User Limit Parameter is set to Number of Sessions, the number specifies an absolute value. Note: Some protocols, such as FTP and RTSP, create two sessions per connection, which should be considered when configuring a session limit.
Total Number of Packets Dropped due to Session Limit: This is a non-configurable counter that displays the total number of dropped packets when the session limit is reached.
Session Timeout (TCP Timeout, UDP Timeout, ICMP Timeout): For each protocol, specify a timeout in seconds. A session expires if no data for the session is received for the duration of the timeout period. The default timeout periods are 1200 seconds for TCP sessions, 180 seconds for UDP sessions, and 8 seconds for ICMP sessions.
5. Click Apply to save your settings.

Managing the Application Level Gateway for SIP Sessions

The Application Level Gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall, and provides support for multiple SIP clients. ALG support for SIP is disabled by default.

To enable ALG for SIP:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear.
2. Click the Advanced submenu tab. The Advanced screen displays (see Figure 5-13 on page 5-25).
468. ...oves the rule up one position in the table rank.
- down: Moves the rule down one position in the table rank.

To delete or disable one or more rules:
1. Select the checkbox to the left of the rule that you want to delete or disable, or click the select all table button to select all rules.
2. Click one of the following table buttons:
- disable: Disables the rule or rules. The status icon changes from a green circle to a grey circle, indicating that the rule is (or rules are) disabled. By default, when a rule is added to the table, it is automatically enabled.
- delete: Deletes the rule or rules.

LAN DMZ Outbound Services Rules

You may change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule may block or allow traffic between the DMZ and any internal LAN IP address according to the schedule created in the Schedule menu.

To create a new outbound LAN DMZ service rule:
1. In the LAN DMZ Rules screen, click the add table button under the Outbound Services table. The Add LAN DMZ Outbound Service screen displays.
(Figure 5-9: Add LAN DMZ Outbound Service screen, "Operation succeeded", with Action (BLOCK always), Select Schedule, LAN Users, and Start and Finish fields.)
469. ...own menu, select the group to which the PC or device is assigned. Group 1 is the default group.
Profile Name: From the pull-down menu, select the VLAN profile to which the PC or device is assigned. The defaultVlan is the default VLAN group.
2. Click the add table button to add the PC or device to the Known PCs and Devices table.

Editing PCs or Devices in the Network Database

To edit PCs or devices manually in the Network Database:
1. In the Known PCs and Devices table of the LAN Groups screen (see Figure 4-5 on page 4-14), click the edit table button of a table entry. The Edit Groups and Hosts screen displays (see Figure 4-6, which contains some examples).
(Figure 4-6: Edit Groups and Hosts screen, "Operation succeeded", with the fields Name (example: Sales EMEA), IP Address Type, IP Address, MAC Address, Group, and Profile Name.)
2. In the Edit Known PC and Device section, specify the fields and make selections from the pull-down menus as explained in step 1 of the previous section, "Adding PCs or Devices to the Network Database" on page 4-15.
3. Click Apply to save your settings in the Known PCs and Devices table.

Changing Group Names in the Network Database

By default, the groups are named Group1 through G...
470. ...p 2 Domain Settings (continued)
Setting: Description (or Subfield and Description)
Portal: The portal that you selected on the first SSL VPN Wizard screen. You cannot change the portal on this screen; the portal is displayed for information only.
Authentication Server: The server IP address or server name of the authentication server for any type of authentication other than authentication through the local user database.
Authentication Secret: The authentication secret or password that is required to access the authentication server for RADIUS, WiKID, or MIAS authentication.
Workgroup: The workgroup that is required for Microsoft NT Domain authentication.
LDAP Base DN: The LDAP base distinguished name (DN) that is required for LDAP authentication.
Active Directory Domain: The Active Directory domain name that is required for Microsoft Active Directory authentication.

SSL VPN Wizard Step 3 of 6: User Settings
(Figure 8-4: SSL VPN Wizard Step 3 of 6 screen with example values for User Name, User Type (SSL VPN User), Group (CustomerDomain), Password, Confirm Password, and Idle Timeout in minutes. Screen note: make sure that the user name has not been used; if the name already exists, applying the wizard fails and the UTM has to reboot to recover its configuration.)
Note that Figure 8-4 contains some examples. Enter the settings as explained in Table 8-3 on page 8-8, then click Next to go to the fo...
471. ...p an SSL connection between an HTTPS server and an HTTPS client in two parts:
- A connection between the HTTPS client and the UTM.
- A connection between the UTM and the HTTPS server.
The UTM simulates the HTTPS server communication to the HTTPS client, including the SSL negotiation, certificate exchange, and certificate authentication. In effect, the UTM functions as the HTTPS server for the HTTPS client.
The UTM simulates the HTTPS client communication to the HTTPS server, including the SSL negotiation, certificate exchange, and certificate authentication. In effect, the UTM functions as the HTTPS client for the HTTPS server.

During SSL authentication, the HTTPS client authenticates three items:
- Is the certificate trusted?
- Has the certificate expired?
- Does the name on the certificate match that of the Web site?

If one of these is not satisfied, a security alert message appears in the browser window (see Figure 6-14).
(Figure 6-14: browser security alert. Information you exchange with this site cannot be viewed or changed by others; however, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust; view the certificate to determine whether you want to trust the certifying authority. The security certificate date is valid. The name on the s...)
472. ...pass scanning of the URLs that are listed in the URL field. Users are allowed to access the URLs that are listed in the URL field.
URL: This field contains the URLs for which scanning is bypassed. To add a URL to this field, use the Add URL field or the Import from File tool (see below). You can add a maximum of 200 URLs.
Note: If a URL is on both the whitelist and the blacklist, the whitelist takes precedence, and URLs on the whitelist are not scanned.
Note: Wildcards are supported. For example, if you enter www.net*.com in the URL field, any URL that begins with www.net is blocked, and any URL that ends with .com is blocked.
- delete: To delete one or more URLs, highlight the URLs and click the delete table button.
- export: To export the URLs, click the export table button and follow the instructions of your browser.
Add URL: Type or copy a URL in the Add URL field. Then click the add table button to add the URL to the URL field.
Import from File: To import a list of URLs into the URL field, click the Browse button and navigate to a file in .txt format that contains line-delimited URLs (that is, one URL per line). Then click the upload table button to add the URLs to the URL field. Note: Any existing URLs in the URL field are overwritten when you import a list of URLs from a file.
Blacklist:
Enable: Select this checkbox to block the URLs that are listed in the URL field. Us...
473. ...pliance (UTM10 or UTM25) has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.

Additional Copyrights

AES: Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK. All rights reserved.
TERMS: Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and...
474. ...quiv="cache-control" content="must-revalidate">
Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date Web pages, themes, and data being stored in a user's Web browser cache.

Table 8-6 Add Portal Layout Settings (continued)
Item: Description (or Subfield and Description)
ActiveX web cache cleaner: Select this checkbox to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The Web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the Web browser window. The ActiveX Web cache control is ignored by Web browsers that do not support ActiveX.
SSL VPN Portal Pages to Display:
- VPN Tunnel page: Select this checkbox to provide full network connectivity.
- Port Forwarding: Select this checkbox to provide access to specific defined network services.
Note: Any pages that are not selected are not visible from the SSL VPN portal; however, users can still access the hidden pages unless you create SSL VPN access policies to prevent access to these pages.
5. Click Apply to save your settings. The new portal layout is added to the List of Layouts table.

To display the new portal layout... Confi...
475. ...r computer; however, do not save the file until you have stopped capturing the traffic flow. When you want to stop capturing the traffic flow, click Stop.
6. Select a location to save the captured traffic flow. The default file name is diagnostics-result.dat. The file downloads to the location that you specify.
7. When the download is complete, browse to the download location that you specified and verify that the file has been downloaded successfully.
8. Send the file to NETGEAR Technical Support for analysis.

Gathering Important Log Information and Generating a Network Statistics Report

When you request support, NETGEAR Technical Support might ask you to collect the debug logs and other information from your UTM. This section discusses the Gather Important Log Information section, Network Statistics Report section, and Reboot the System section of the Diagnostics screen.
(Figure 11-28: Diagnostics screen, 3 of 3. Gather Important Log Information: this function is used by NETGEAR Support to help troubleshoot your appliance; click Download Now and e-mail the file to NETGEAR Support for analysis. Network Statistics Report: provides a detailed overview of the network utilization; click Generate Network Statistics. Reboot the Router (reboot button). Shutdown the Router (shutdown button).)
Gat...
476. ...r MD5 authentication.
Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
Not Valid After: The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. After this date and time, the MD5 key is no longer valid.
Second Key Parameters:
- MD5 Key Id: The identifier for the key that is used for authentication.
- MD5 Auth Key: The password that is used for MD5 authentication.

Table 4-5 RIP Configuration Settings (continued)
Setting: Description (or Subfield and Description)
Authentication for RIP-2B/2M (required) (continued):
- Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
- Not Valid After: The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. After this date and time, the MD5 key is no longer valid.
4. Click Apply to save your settings.

Static Route Example

In this example, we assume the following:
- The UTM's primary Internet access is through a cable modem to an ISP.
- The UTM is on a local LAN with IP address 192.168.1.100.
- The UTM connects to a re...
477. ...r Subfield and Description
DNS Proxy: Enable DNS Proxy: This is optional. Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution. This setting is enabled by default. Note: The UTM still services DNS requests sent to its LAN IP address unless you disable DNS Proxy in the firewall settings (see "Attack Checks" on page 5-20).
3. Click Apply to save your settings.
Note: The DMZ LED next to LAN port 4 (see "Front Panel" on page 1-9) lights green to indicate that the DMZ port is enabled.
To define the DMZ WAN Rules and LAN DMZ Rules, see "Setting DMZ WAN Rules" on page 5-14 and "Setting LAN DMZ Rules" on page 5-18, respectively.

Managing Routing

Static routes provide additional routing information to your UTM. Under normal circumstances, the UTM has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
Note: The UTM automatically sets up routes between VLANs and secondary IP addresses that you have configured on the LAN Multi-homing screen (see "Configuring Multi Home LAN IPs on the Default VLAN" on page 4-11). Therefore, you do not need to manually add a static route between a VLAN and a secondary IP add...
478. ...r UTM25 Reference Manual
Chapter 11 Monitoring System Access and Performance
Enabling the WAN Traffic Meter 11-1
Configuring Logging, Alerts, and Event Notifications 11-5
Configuring the E-mail Notification Server 11-5
Configuring and Activating System, E-mail, and Syslog Logs 11-6
Configuring and Activating Update Failure and Attack Alerts 11-10
Configuring and Activating Firewall Logs 11-13
Monitoring Real-Time Traffic, Security, and Statistics 11-14
Viewing Active VPN Users 11-24
Viewing VPN Tunnel Connection Status 11-24
Viewing Port Triggering Status 11-26
Viewing the WAN Ports Status 11-27
Viewing Attached Devices and the DHCP Log 11-29
Querying Logs and Generating Reports 11-32
Querying the Logs 11-32
Scheduling and Generating Reports 11-39
Using Diagnostic Utilities...
479. ...r each section, either select individual attacks by selecting the checkboxes to the left of the names, or select all attacks for that category by selecting the checkbox to the left of All web attacks. In the Action column for each section, either select the actions for individual attacks by making selections from the pull-down menus to the right of the names, or select a global action for all attacks for that category by making a selection from the pull-down menu to the right of All web attacks. Some of the less familiar Web and miscellaneous attacks are explained in Table 5-11 on page 5-50.
The pull-down menus let you select one of the following actions:
- Alert: When an attack occurs, an alert is logged, but the traffic that carries the attack is not dropped.
- Drop: The traffic that carries the attack is dropped, and an alert is logged.
Note: To ensure that alerts are e-mailed to an administrator, you must configure the e-mail notification server (see "Configuring the E-mail Notification Server" on page 11-5) and the IPS alerts (see "Configuring and Activating Update Failure and Attack Alerts" on page 11-10).
Click Apply to save your settings.
(Figure residue: IPS screen, All database attacks section, including oracle sql injection; Applica...)
480. ...r the user with the name guest.
Note: After a factory default reset, the password and timeout value are changed back to password and 5 minutes, respectively.
You can also change the administrator login policies:
- Deny login access from a WAN interface. By default, the administrator can log in from a WAN interface.
- Deny or allow login access from specific IP addresses. By default, the administrator can log in from any IP address. Note: For enhanced security, restrict access to as few external IP addresses as practical.
- Deny or allow login access from specific browsers. By default, the administrator can log in from any browser.
In general, these policy settings work well for an administrator. However, if you need to change any of these policy settings, see "Setting User Login Policies" on page 9-12.

Configuring Remote Management Access

An administrator can configure, upgrade, and check the status of the UTM over the Internet via a Secure Sockets Layer (SSL) VPN connection.
Note: When remote management is enabled and administrative access through a WAN interface is granted (see "Configuring Login Policies" on page 9-12), the UTM's Web Management Interface is accessible to anyone who knows its IP address and default password. Because a malicious WAN u...
481. r you can select Custom and enter the speed in Kbps in the field to the right.
4. Click Apply to save your changes.
Note: Depending on the changes that you make, when you click Apply the UTM might restart, or services such as HTTP and SMTP might restart.
Note: For the UTM25 only, to configure advanced WAN options for the WAN2 port, select Network Config > WAN Settings from the menu. The WAN Settings tabs appear with the WAN1 ISP Settings screen in view. Now click the WAN2 ISP Settings tab and then the Advanced option arrow. The WAN2 Advanced Options screen displays.
Additional WAN-Related Configuration Tasks
• If you want the ability to manage the UTM remotely, enable remote management (see Configuring Remote Management Access on page 10-12). If you enable remote management, NETGEAR strongly recommends that you change your password (see Changing Passwords and Administrator Settings on page 10-9).
• You can set up the traffic meter for each WAN if desired. See Enabling the WAN Traffic Meter on page 11-1.
Chapter 4: LAN Configuration
Note: The initial LAN configuration of the UTM's default VLAN 1 is described in Chapter 2, Using the Setup Wizard to Provision the UTM in Your Network. This chapter describes how to configure the advanced LAN features
482. rd, file extension, and file name blocking. You can reject e-mails based on keywords in the subject line, file type of the attachment, and file name of the attachment. For more information, see E-mail Content Filtering on page 6-8.
Protecting against spam. Set up spam protection to prevent spam from using up valuable bandwidth. For more information, see Protecting Against E-mail Spam on page 6-11.
• Web Content Filtering. The UTM provides extensive methods to filter Web content in order to reduce traffic:
Web category blocking. You can block entire Web categories because their content is undesired, offensive, or not relevant, or simply to reduce traffic. For more information, see Configuring Web Content Filtering on page 6-23.
Keyword and file extension blocking. You can specify words that, should they appear in the Web site name (URL), file extension, or newsgroup name, cause that site, file, or newsgroup to be blocked by the UTM. For more information, see Configuring Web Content Filtering on page 6-23.
URL blocking. You can specify up to 200 URLs that are blocked by the UTM. For more information, see Configuring Web URL Filtering on page 6-30.
Web services blocking. You can block Web services such as instant messaging and peer-to-peer services. For more information, see Customizing Web Protocol Scan Settings and Services on page 6-19.
483. rd to Provision the UTM in Your Network
[Figure 2-1: NETGEAR Configuration Manager Login screen, with User, Password/Passcode, and Domain fields. The screen notes that when the UTM scans secure HTTPS traffic you must import the root CA certificate into your browser, and provides a link to download it.]
Note: The first time that you remotely connect to the UTM with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. You can follow the directions of your browser to accept the SSL certificate, or you can import the UTM's root certificate by clicking the hyperlink at the bottom of the NETGEAR Configuration Manager Login screen.
3. In the User field, type admin. Use lower case letters.
4. In the Password field, type password. Here too, use lower case letters.
Note: The UTM user name and password are not the same as any user name or password you might use to log in to your Internet connection.
5. Click Login. The Web Management Interface appears, displaying the System Status screen. Figure 2-2 on page 2-4 shows the top part of the UTM25's screen. For information about this screen, see
484. re. Generally, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the name of the desired PC or device.
There is no need to reserve an IP address for a PC in the DHCP server. All IP address assignments made by the DHCP server are maintained until the PC or device is removed from the Network Database, either by expiration (inactive for a long time) or by you.
There is no need to use a fixed IP address on a PC. Because the IP address allocated by the DHCP server never changes, you do not need to assign a fixed IP address to a PC to ensure it always has the same IP address.
A PC is identified by its MAC address, not its IP address. The Network Database uses the MAC address to identify each PC or device. Therefore, changing a PC's IP address does not affect any restrictions applied to that PC.
Control over PCs can be assigned to groups and individuals. You can assign PCs to groups (see Managing the Network Database on this page) and apply restrictions (outbound rules and inbound rules) to each group (see Using Rules to Block or Allow Specific Kinds of Traffic on page 5-3). You can select groups that are allowed access to applications, Web categories, and URLs that you have blocked for all other users, or the other way around: block access to applications, Web categories, and URLs that you have allowed access to for all other users (see Setting Web Access Exceptions and Scanning Excl
485. reas that require planning when using a firewall that has dual WAN ports, such as the UTM, include the following:
• Inbound traffic (port forwarding, port triggering)
• Outbound traffic (protocol binding)
• Virtual private networks (VPNs)
The two WAN ports can be configured on a mutually exclusive basis to either:
• auto-rollover for increased reliability, or
• load balance for outgoing traffic.
These various types of traffic and auto-rollover or load balancing all interact to make the planning process more challenging.
Inbound Traffic
Unrequested incoming traffic can be directed to a PC on your LAN rather than being discarded. The mechanism for making the IP address public depends on whether the dual WAN ports are configured for auto-rollover or load balancing.
Virtual Private Networks
A virtual private network (VPN) tunnel provides a secure communication channel between either two gateway VPN firewalls, or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel endpoints must be known in advance in order for the other tunnel endpoint to establish or re-establish the VPN tunnel.
Note: When the UTM's WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address. However, you can configure au
486. red Client Routes table on the SSL VPN Client screen. If the assigned client IP address range is in a different subnet than the local network, or if the local network has multiple subnets, or if you select split mode tunnel operation, you must define client routes.
To add an SSL VPN tunnel client route:
1. Select VPN > SSL VPN from the menu. The SSL VPN submenu tabs appear with the Policies screen in view.
2. Click the SSL VPN Client submenu tab. The SSL VPN Client screen displays (see Figure 8-15 on page 8-26).
3. In the Add Routes for VPN Tunnel Clients section of the screen, specify information in the following fields:
• Destination Network. The destination network IP address of a local network or subnet. For example, enter 192.168.1.60.
• Subnet Mask. The address of the appropriate subnet mask.
4. Click the add table button. The new client route is added to the Configured Client Routes table. Restart the UTM if VPN tunnel clients are currently connected. Restarting forces clients to reconnect and receive new addresses and routes.
To change the specifications of an existing route and to delete an old route:
1. Add a new route to the Configured Client Routes table.
2. In the Configured Client Routes table, to the right of the route that is out of date, click the delete table
487. remote user with one or both of these SSL service levels, depending on how you set up the configuration.
Using the SSL VPN Wizard for Client Configurations
The SSL VPN Wizard facilitates the configuration of the SSL VPN client connections by taking you through six screens, the last of which allows you to save the SSL VPN policy. To edit policies or to manually configure policies, see Manually Configuring and Editing SSL Connections on page 8-17.
To start the SSL VPN Wizard:
1. Select Wizards from the main navigation menu. The Welcome to the Netgear Configuration Wizard screen displays.
[Figure 8-1: Welcome screen with Setup Wizard, IPsec VPN Wizard, and SSL VPN Wizard radio buttons.]
2. Select the SSL VPN Wizard radio button.
3. Click Next. The first SSL VPN Wizard screen displays.
The following sections explain the five configuration screens of the SSL VPN Wizard. On the sixth screen, you can save your SSL VPN policy. The tables in the following sections explain the buttons and fields of the SSL VPN Wizard screens. Additional information about the settings in the SSL VPN Wizard screens is provided in Manually Configuring and Editing SSL Connections on page 8-17 or in other chapters; each section below provides a specific link to a section in Manually Configuring and Editing SSL Connect
488. requests, administrator: default name and password, 2-3; receiving alerts by e-mail, 77-10; receiving logs by e-mail, 71-8; receiving reports by e-mail, 43; settings, admin, 0-9; user account, 9-9, 9-11.
Advanced Encryption Standard. See AES.
AES, 7-27, 7-35, 7-36, 7-45.
alerts: configuring, 11-1; e-mail address for sending alerts, 2-24, 11-6; specifying alerts to send via e-mail, 77-10.
ALG, 5-24.
allowing: applications (services), 6-21; e-mails, 6-14; URLs, 6-32; Web categories, 2-22.
application services protection, 6-19, 6-21.
Application Level Gateway. See ALG.
ARP requests, 4-2.
arrow, Web Management Interface, 2-5.
attached devices: monitoring with SNMP, 10-14; viewing, 11-29.
attacks: alerts, 71-10; checks, 5-20; IPS categories, 5-48.
audio and video files: e-mail filtering, 6; FTP filtering, 6-41; Web filtering, 6-28.
authentication: for IPsec VPN, pre-shared key, 7-5, 7-10, 7-14, 7-28; RSA signature, 7-28; for SSL VPN, 8-6. See also RADIUS, MIAS, WiKID, NT Domain, Active Directory, or LDAP.
authentication domain, 9-10.
authentication, authorization, and accounting. See AAA.
auto uplink, autosensing Ethernet connections, 5.
auto-detecting WAN settings, 2-12, 3-3.
auto-rollover mode (UTM25): bandwidth capacity, 70-1; configuring, 3-11; DDNS, 3-19; description, 3-9; settings, 3-2; VPN IPsec, 7-1.
auto-sensing port speed, 3-23.
backing up con
489. required for Fixed IP addresses; required for Dynamic IP addresses. One of the gateway routers must re-establish the VPN tunnel after a rollover.
Figure B-15
The purpose of the FQDNs is to toggle the domain name of the rolled-over gateway between the IP addresses of the active WAN port (that is, WAN_A1 and WAN_A2 in Figure B-15) so that the other end of the tunnel has a known gateway IP address to establish or re-establish a VPN tunnel.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing
In a configuration with two dual WAN port VPN gateways that function in load balancing mode, either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to manage the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
[Figure B-16: Gateway-to-Gateway Example, Dual WAN Ports, Load Balancing. Gateway A, the VPN Router at office A: LAN 10.5.6.0/24, 10.5.6.1, netgear1.dyndns.org, 22.23.24.25, WAN_A1 IP and WAN_A2 IP. Gateway B, the VPN Router at office B: LAN 172.23.9.0/24, 172.23.9.1, netgear2.dyndns.org, 22.23.24.26, WAN_B1 IP and WAN_B2 IP. Fully Qualified Domain Names (FQDN): optional for Fixed IP addresses, required for Dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional.
490. ress
Configuring Static Routes
To add a static route to the Static Route table:
1. Select Network Config > Routing from the menu. The Routing screen displays.
[Figure 4-9: Routing screen, with the Static Routes table (Gateway, Interface, Metric, Active, Private, and Action columns; select all, delete, and add buttons) and the RIP Configuration section.]
2. Click the add table button under the Static Routes table. The Add Static Route screen displays.
[Figure 4-10: Add Static Route screen, with Route Name, Active, Private, Destination IP Address, IP Subnet Mask, Interface, Gateway IP Address, and Metric fields.]
3. Enter the settings as explained in Table 4-4.
Table 4-4: Static Route Settings
Setting: Description or Subfield and Description
Route Name: The route name for the static route (for purposes of identification and management).
Active: To make the static route effective, select the Active checkbox. Note: A route can be added to the table and made inactive if not needed. This allows routes to be used as needed without deleting and re-adding the entry; an inactive route is not advertised if RIP is enabled.
Private: If you want to limit access to t
491. ress 192.168.10.1 with subnet 255.255.255.0; Primary LAN IP address 192.168.1.1 with subnet 255.255.255.0; Secondary LAN IP address 192.168.20.1 with subnet 255.255.255.0.
To add a secondary LAN IP address:
1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view.
2. Click the LAN Multi-homing submenu tab. The LAN Multi-homing screen displays.
[Figure 4-4: LAN Multi-homing screen, with the Available Secondary LAN IPs table (IP Address, Subnet Mask; select all and delete buttons) and the Add Secondary LAN IP Address section.]
The Available Secondary LAN IPs table displays the secondary LAN IP addresses added to the UTM.
3. In the Add Secondary LAN IPs section of the screen, enter the following settings:
• IP Address. Enter the secondary address that you want to assign to the LAN ports.
• Subnet Mask. Enter the subnet mask for the secondary IP address.
4. Click the add table button in the rightmost column to add the secondary IP address to the Available Secondary LAN IPs table. Repeat step 3 and step 4 for each secondary IP address that you want to add to the Available Secondary LAN IPs table.
Note: Secondary IP addresses cannot be configured in the DHCP server. The hosts
492. rewall submenu tabs appear.
2. Click the Attack Checks submenu tab. The Attack Checks screen displays.
[Figure 5-11: Attack Checks screen. WAN Security Checks: Respond to Ping on Internet Ports, Enable Stealth Mode, Block TCP flood. LAN Security Checks: Block UDP flood, Disable Ping Reply on LAN Ports. VPN Pass through: IPsec, PPTP, L2TP.]
3. Enter the settings as explained in Table 5-4.
Table 5-4: Attack Checks Settings
Setting: Description or Subfield and Description
WAN Security Checks
Respond To Ping On Internet Ports: Select the Respond To Ping On Internet Ports checkbox to enable the UTM to respond to a ping from the Internet. A ping can be used as a diagnostic tool. Keep this checkbox deselected unless you have a specific reason to enable the UTM to respond to a ping from the Internet.
Enable Stealth Mode: Select the Enable Stealth Mode checkbox (which is the default setting) to prevent the UTM from responding to port scans from the WAN, thus making it less susceptible to discovery and attacks.
Block TCP Flood: Select the Block TCP Flood checkbox to enable the UTM to drop all invalid TCP packets and to protect the UTM from a SYN flood attack. A SYN flood is a form of denial of service attack in which
493. rface. Leave the default setting, which is the Any selection from the Name pull-down menu.
7. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.
8. In the left frame, click Security Policy. The screen adjusts.
[Figure 7-30: Security Policy Editor (NETGEAR ProSafe VPN Client), Security Policy screen for the ModeConfigTest connection: Select Phase 1 Negotiation Mode (Main Mode, Aggressive Mode, Use Manual Keys), Enable Perfect Forward Secrecy (PFS) with PFS Key Group Diffie-Hellman Group 2, and Enable Replay Detection.]
9. Enter the settings as explained in Table 7-19.
Table 7-19: Security Policy Editor, Security Policy (Mode Config) Settings
Setting: Description or Subfield and Description
Select Phase 1 Negotiation Mode: Select the Aggressive Mode radio button.
Enable Perfect Forward Secrecy (PFS): Select the Enable Perfect Forward Secrecy (PFS) checkbox. From the pull-down menu below, select Diffie-Hellman Group 2.
Enable Replay Detection: Leave the default setting, which is selection of the Enable Replay Detection checkbox.
10. Click on the disk ic
494. ries are enabled, select the table entries that you want to enable or click the select all table button. Then click the enable table button.
Open the WAN Protocol Bindings screen and repeat step a through step d to set protocol bindings for the WAN port. Return to the WAN Mode screen by selecting Network Config > WAN Settings from the menu and clicking the WAN Mode tab.
4. Click Apply to save your settings.
Configuring Secondary WAN Addresses
A single WAN Ethernet port can be accessed through multiple IP addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a Web server and an FTP server even though both servers use the same physical IP address. You can add several secondary IP addresses to the UTM10's single WAN port, or to the UTM25's WAN1 port and WAN2 port. After you have configured secondary WAN addresses, these addresses are displayed on the following firewall rule screens:
• In the WAN Destination IP Address pull-down menus of the following inbound firewall rule screens: Add LAN WAN Inbound Service screen; Add DMZ WAN Inbound Service screen.
• In the NAT IP pull-down menus of the following outbound firewall rule screens: Add LAN WAN Outbound Service screen
495. ring and Security Logs: Traffic
Message: 2009-02-28 23:59:59 HTTP 99 192.168.1.2 192.168.33.8 xlzimap@test.com xlzpop3@test.com MALWARE INFECTED Fw cleanvirus
Explanation: Web and e-mail traffic logs for HTTP, SMTP, POP3, IMAP, HTTPS, and FTP traffic. In this example message, a malware threat was cleaned from the traffic. The message shows the date and time, protocol, size of the Web file or e-mail, client IP address, server IP address, sender, recipient, and Web URL or e-mail subject line.
Recommended Action: None.
Virus Logs
This section describes logs that are generated when the UTM detects viruses.
Table C-21: Content Filtering and Security Logs: Virus
Message: 2008-02-29 23:59:00 POP3 OF97 Jerk Delete cleanvirus.zip 192.168.1.2 192.168.35.166 xlzimap@test.com xlzimap@test.com MALWARE INFECTED Fw cleanvirus
Explanation: Virus logs for all services. The message shows the date and time, protocol, virus name, action that is taken, file name, client IP address, server IP address, sender, recipient, and Web URL or e-mail subject line.
Recommended Action: None.
E-mail Filter Logs
This section describes logs that are generated when the UTM filters e-mail content.
Table C-22: Content Filtering and Security Logs: E-mail Filter
Message: 2009-04-31 23:59:59 SMTP 192.168.1.2 192.168.35.165 xlzimap@test.com xlzpop3@test.com test Keyword test BlockMail
Explanation: Logs th
496. ription
LAN Ports, Left LED: Off: The LAN port has no link. On (Green): The LAN port has detected a link with a connected Ethernet device. Blink (Green): Data is being transmitted or received by the LAN port.
LAN Ports, Right LED: Off: The LAN port is operating at 10 Mbps. On (Amber): The LAN port is operating at 100 Mbps. On (Green): The LAN port is operating at 1000 Mbps.
DMZ LED: Off: Port 4 is operating as a normal LAN port. On (Green): Port 4 is operating as a dedicated hardware DMZ port.
WAN Ports, Left LED: Off: The WAN port has no physical link (that is, no Ethernet cable is plugged into the UTM). On (Green): The WAN port has a valid connection with a device that provides an Internet connection. Blink (Green): Data is being transmitted or received by the WAN port.
WAN Ports, Right LED: Off: The WAN port is operating at 10 Mbps. On (Amber): The WAN port is operating at 100 Mbps. On (Green): The WAN port is operating at 1000 Mbps.
Active LED: Off: The WAN port is either not enabled or has no link to the Internet. On (Green): The WAN port has a valid Internet connection.
Rear Panel
The rear panel of the UTM includes a cable lock receptacle, a console port, a reset button, and an AC power connection.
[Figure 1-3: Rear panel, showing the security lock receptacle, console port, reset button, and AC power receptacle.]
Viewed from left to right, the rear panel contains the following components:
497. rity Policy Editor, Security Policy Settings
Setting: Description or Subfield and Description
Select Phase 1 Negotiation Mode: Select the Aggressive Mode radio button.
Enable Perfect Forward Secrecy (PFS): Select the Enable Perfect Forward Secrecy (PFS) checkbox. From the pull-down menu below, select Diffie-Hellman Group 2.
Enable Replay Detection: Leave the default setting, which is selection of the Enable Replay Detection checkbox.
10. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.
11. Close the ProSafe VPN Client.
Note: You do not need to open or change the settings on the Authentication (Phase 1) screen or its accompanying Proposal 1 and Proposal 2 screens, nor on the Key Exchange (Phase 2) screen or its accompanying Proposal 1 screen. Leave the default settings for these screens.
Testing the Connections and Viewing Status Information
Both the NETGEAR ProSafe VPN Client and the UTM provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
Testing the VPN Connection
To test a client connection and view the status and log information, follow these steps:
To test the client connection from your PC, right-click on the VPN client icon in your Windows toolbar, and then select the VPN connection that you want to
498. rmation about Web categories, see Configuring Web Content Filtering on page 6-23.
Date and Time: The date and time that the Web request was blocked. Requests: The total number of user requests for the blocked Web category. Source IPs: The source IP address from which the request came.
Spam: Email Subject: The e-mail subject line in the spam message. Recipient: The intended recipient of the spam message. Date and Time: The date and time that the spam message was detected. Emails: The number of spam messages for the intended recipient.
[Figure 11-9: Dashboard screen (3 of 3). The Service Statistics section has columns for HTTP, HTTPS, FTP, SMTP, POP3, and IMAP and rows for Total Scanned Traffic (MB), Total Emails/Files Scanned, Total Malwares Found, Total Files Blocked, Total URLs Blocked, Total Spam Emails, and Distributed Spam Analysis.]
Table 11-8 explains the fields of the Service Statistics section of the Dashboard screen.
Table 11-8: Dashboard Service Statistics Information
Item: Description or Subfield and Description
For each of the six supported protocols (HTTP, HTTPS, FTP, SMTP, POP3, and IMAP), this section provides the following statistics:
Total Scanned Traffic (MB): The total quantity of scanned traffic
499. rotocol. See CHAP.
CHAP. See also RADIUS CHAP, MIAS CHAP, or WiKID CHAP, 9-2.
classical routing mode, 3-10.
clearing statistics, 1-16.
clients, infected, identifying, 71-38.
community strings, 10-15.
compatibility, protocols and standards, A-2.
compliance, regulatory, A-3.
compressed files: e-mail filtering, 6; FTP filtering, 6-41; Web filtering, 6-28.
concurrent: sessions, number of, 2; users, number of, 2.
configuration settings: defaults, A; using the Setup Wizard, 2-7.
configuration file: backing up, 0-16; managing, 10-15; restoring, 10-17; reverting to defaults, 0-18.
configuration menu, Web Management Interface, 2-5.
connection: requirements, 2; speed and type, WAN, 3-24.
console port, 1-12.
content filtering: audio and video files, 6-28; compressed files, 6-28; executable files, 6-28; log messages, C-2; logs, 11-9, 11-33, 11-35; scheduling, 2-22; settings using the Setup Wizard, 2-27; Web categories, 2-22.
cookies, 6-24, 6-28.
counter, WAN traffic, 3.
CPU usage, 11-21.
CRL, 9-19, 9-25.
crossover cable, 5, 12-3.
CSR, 9-2.
custom services, firewall, 5-30.
D
Data Encryption Standard. See DES.
database, local user, 8-6, 9-4.
date: settings, 2-15, 10-24; troubleshooting, 12-9.
daylight savings time, 2-15, 10-25.
DDNS: auto-rollover mode, 3-19; configuring, 3-19; load balancing mode, 3-19; updating, 3-21; wildcards, 3-2.
Dead Peer Detection. See DPD.
debug lo
500. roup8. You can rename these group names to be more descriptive, such as GlobalMarketing and GlobalSales.
To edit the names of any of the eight available groups:
1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view.
2. Click the Edit Group Names option arrow at the right of the LAN submenu tabs. The Network Database Group Names screen displays. Figure 4-7 shows some examples.
[Figure 4-7: Network Database Group Names screen, with the example names GlobalMarketing and GlobalSales.]
3. Select the radio button next to any group name to enable editing.
4. Type a new name in the field. The maximum number of characters is 15; spaces and double quotes are not allowed.
5. Repeat step 3 and step 4 for any other group names.
6. Click Apply to save your settings.
Setting Up Address Reservation
When you specify a reserved IP address for a PC or device on the LAN (based on the MAC address of the device), that PC or device always receives the same IP address each time it accesses the UTM's DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP address settings. The reserved IP address that you select must be outside of the DHCP server pool.
501. rs, Content filters, Port Scan, IPS, Instant Messaging/Peer to Peer.
Protocols: Select one or more checkboxes to specify the protocols that are queried. The following protocols can be selected:
• For the Traffic and Malware logs: SMTP, POP3, IMAP, HTTP, FTP, and HTTPS.
• For the Spam log: SMTP and POP3.
• For the Email filters log: SMTP, POP3, and IMAP.
• For the Content filters log: HTTP, FTP, and HTTPS.
Table 11-15: Logs Query Settings (continued)
Setting: Description or Subfield and Description
Search Criteria (continued)
Client IP: The client IP address that is queried. This field is available for the following logs: Traffic, Spam, Malware, Content filters, Port Scan, IPS, Instant Messaging/Peer to Peer.
Server IP: The server IP address that is queried. This field is available for the following logs: Traffic, Malware, Content filters, Port Scan, IPS, Instant Messaging/Peer to Peer.
Category: From the pull-down menu, select a category that is queried. The following categories can be selected:
• For the IPS log: a threat, protocol, or application.
• For the Instant Messaging/Peer to Peer log: an instant messaging or peer-to-peer application.
Reason: Select one or more checkboxes to specify the reasons that are queried. The followi
502. rver. The default port number is 25.
Note: If you leave this field blank, the UTM cannot send e-mail notifications.
Table 2-8: Setup Wizard Step 8, Administrator Email Notification Settings (continued)
Setting: Description or Subfield and Description
This server requires authentication: If the SMTP server requires authentication, select the This server requires authentication checkbox and enter the following settings:
User name: The user name for SMTP server authentication.
Password: The password for SMTP server authentication.
Send notifications to: The e-mail address to which the notifications should be sent. Typically, this is the e-mail address of the administrator.
Setup Wizard Step 9 of 10: Security Subscription Update Settings
[Figure 2-15: Setup Wizard Step 9 of 10, Security Subscription Update Settings screen, with Update (Scan engine and Signatures), Update From (Default update server or Server address), a Weekly or Daily update schedule (hh:mm), and Enable Proxy server (This server requires authentication) fields.]
Enter the settings as explained in Table 2-9 on page 2-25, then click Next to go to the following screen.
503. rver (the simulated 10.1.0.52 address in this example) that you first must have defined on the WAN1 Secondary Addresses or WAN2 Secondary Addresses screen (see Configuring Secondary WAN Addresses on page 3-17). For the UTM10 with its single WAN interface, the WAN Destination IP Address is a fixed field.
8. Click Apply to save your settings. Your rule is now added to the Inbound Services table of the LAN WAN Rules screen.
To test the connection from a PC on the Internet, type http://<IP_address>, where <IP_address> is the public IP address that you have mapped to your Web server. You should see the home page of your Web server.
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN or DMZ as this host:
1. Create an inbound rule that allows all protocols.
2. Place the rule below all other inbound rules.
Warning: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
504. s.
3. In the List of Resources table, to the right of the new resource, in the Action column, click the edit table button. A new screen displays. Figure 8-17 shows some examples.
[Figure 8-17: Resources screen with the Add Resource Addresses section: Resource Name RoadWarrior, Service VPN Tunnel, Object Type (IP Address, Network Address, Mask Length, Begin/End Port Range), Port Number (0 to 65535), Port Mask Length, and Action; the example entry shows port range 4000 to 4090 with mask length 32.]
4. Complete the fields and make your selection from the pull-down menu as explained in Table 8-8.
Table 8-9: Add Resource Addresses Settings
Item: Description or Subfield and Description
Add Resource Addresses
Resource Name: The unique identifier for the resource. You cannot modify the resource name after you have created it on the first Resources screen.
Service: The SSL service that is assigned to the resource. You cannot modify the service after you have assigned it to the resource on the first Resources screen.
Table 8-9: Add Resource Addresses Settings (continued)
Item: Description or Subfield and Description
Object Type: From the pull-down menu, select one of the following options:
IP Address: The object is an IP address. You must enter the
505. s [Figure 3-8: WAN Mode screen, with the setting "Use NAT or Classical Routing between WAN & LAN interfaces" (NAT, Classical Routing, None), the port mode options Auto Rollover using WAN port, Load Balancing (view protocol bindings), and Use only single WAN port, the WAN failure detection options DNS lookup using WAN DNS Servers, DNS lookup using these DNS Servers, and Ping these IP addresses, a Retry Interval of 30 seconds, and Failover after 4 failures]
2. Enter the settings as explained in Table 3-5.
Table 3-5. Auto Rollover Mode Settings (UTM25 Only)
Setting / Description or Subfield and Description
Port Mode
Auto Rollover using WAN port: Select the Auto Rollover using WAN port radio button. Then, from the pull-down menu, select the WAN port that must function as the primary link for this mode.
Note: Ensure that the backup WAN port is configured before enabling Auto Rollover mode.
WAN Failure Detection Method: Select one of the following failure detection methods:
DNS lookup using WAN DNS Servers: DNS queries are sent to the DNS server configured on the WAN ISP pages (see Configuring the Internet Connections on page 3-
506. s Whether or not the UTM detects Web-based malware threats, you can configure it to take a variety of actions (some of the default actions are listed in Table 6-1 on page 6-2) and send notifications, e-mails, or both to the end users.
To configure the Web-based malware settings:
1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view (see Figure 6-8 on page 6-22).
[Figure 6-8: Malware Scan screen, with the action Delete file, a size limit "if the file or message is larger than [ ] KB (Maximum 10240 KB)", an HTML Scan option (Scan HTML Files), and Notification Settings that replace the content of a blocked page with an HTML template titled "NETGEAR ProSecure User Notification". The screen notes that the following meta words can be inserted to automatically include the relevant malware detection information: TIME, PROTOCOL, FROM, TO, SUBJECT, FILENAME, ACTION, VIRUSNAME, VIRUSINFO]
507. s (see Table C-1). Recommended Action: None.
LAN to DMZ Logs
This section describes logs that are generated when the UTM processes LAN to DMZ traffic.
Table C-27. Routing Logs: LAN to DMZ
Message: Nov 29 09:44:06 UTM kernel: LAN2DMZ ACCEPT IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the LAN to the DMZ has been allowed by the firewall. For other settings, see Table C-1.
Recommended Action: None.
DMZ to WAN Logs
This section describes logs that are generated when the UTM processes DMZ to WAN traffic.
Table C-28. Routing Logs: DMZ to WAN
Message: Nov 29 09:19:43 UTM kernel: DMZ2WAN DROP IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the DMZ to the WAN has been dropped by the firewall. For other settings, see Table C-1.
Recommended Action: None.
WAN to LAN Logs
This section describes logs that are generated when the UTM processes WAN to LAN traffic.
Table C-29. Routing Logs: WAN to LAN
Message: Nov 29 10:05:15 UTM kernel: WAN2LAN ACCEPT IN=WAN OUT=LAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from the LAN to the WAN has been allowed by the firewall. For oth
508. s terminate. You must specify the authentication type that must be used during verification of the credentials of the remote VPN gateways: User Database, RADIUS PAP, or RADIUS CHAP.
IPsec Host: Authentication by the remote gateway through a user name and password that are associated with the IKE policy. The user name and password that are used to authenticate the UTM must be specified on the remote gateway.
Note: If a RADIUS PAP server is enabled for authentication, XAUTH first checks the local user database for the user credentials. If the user account is not present, the UTM then connects to a RADIUS server.
Configuring XAUTH for VPN Clients
Once XAUTH has been enabled, you must establish user accounts on the User Database to be authenticated against XAUTH, or you must enable a RADIUS CHAP or RADIUS PAP server.
Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy must be disabled before you can modify the IKE policy.
To enable and configure XAUTH:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-23).
2. In the List of IKE Policies table, click the edit table button to the right of the IKE policy for which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This screen shows the same fields as the
509. s [Figure 7-29: Security Policy Editor, My Identity screen, showing ID Type Domain Name with utm25_remote.com, Secure Interface Configuration with Virtual Adapter Disabled, Internet Interface Name Any and IP Addr Any, and the Pre-Shared Key dialog ("Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key")]
6. Enter the settings as explained in Table 7-18.
Table 7-18. Security Policy Editor: My Identity (Mode Config) Settings
Setting / Description or Subfield and Description
Select Certificate: From the pull-down menu, select None. The Pre-Shared Key window appears.
Pre-Shared Key: Enter the same pre-shared key that you specified on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-9). In this example, the pre-shared key is 12345678910; however, the pre-shared key is masked for security.
ID Type: From the pull-down menu, select Domain Name. Then, below, enter the remote FQDN that you specified in the UTM's Mode Config IKE policy. In this example, we are using utm25_remote.com.
Secure Interface Configuration: Select Preferred from the Virtual Adapter pull-down menu. Internet Inte
510. s at your location. If you are unsure, see the Acceptable Use Policy of your ISP.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules screen as the last item in the list, as shown in the LAN WAN Rules screen example in Figure 5-1.
[Figure 5-1: LAN WAN Rules screen, with the submenu tabs Address Filter, Port Triggering, DMZ WAN Rules, LAN DMZ Rules, Attack Checks, Session Limit, and Advanced, a Default Outbound Policy setting, an Outbound Services table (for example, an SMTP Allow rule for LAN user 192.168.4.35 to WAN users ANY, scheduled Always) and an Inbound Services table (for example, a TELNET rule, Allow by schedule, else block), each with select all, delete, enable, disable, and add buttons]
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules table, beginning at the top and proceeding to the bottom. In some cases, the order of precedence of two or more rules might be important in determining the
511. s from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view.
2. Click the IPSec VPN Connection Status submenu tab. The IPSec VPN Connection Status screen displays. Figure 7-18 shows some policies as an example.
[Figure 7-18: IPSec VPN Connection Status screen (auto-refreshing), listing for each policy the Policy Name, Endpoint, Tx KB, Tx Packets, State (IPsec SA Not Established or IPsec SA Established), and Action (connect or drop), with a Client Policy entry, a Poll Interval field in seconds, and set interval and stop buttons]
The Active IPsec SAs table lists each active connection with the information that is described in Table 7-8. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click set interval. To stop polling, click stop.
Table 7-8. IPsec VPN Connection Status Information
Item / Description or Subfield and Description
Policy Name: The name of the VPN policy that is associated with this SA.
Endpoint: The IP address on the remote VPN endpoint.
Tx KB: T
512. s route diversity.
[Figure B-1: WAN port 1 connected through physical facility 1 to ISP 1, and WAN port 2 connected through physical facility 2 to ISP 2]
If your ISP charges by the volume of data traffic each month, consider enabling the UTM's traffic meter to monitor or limit your traffic.
b. Contact a Dynamic DNS service and register FQDNs for one or both WAN ports.
3. Plan your network management approach.
The UTM is capable of being managed remotely, but this feature must be enabled locally after each factory default reset. NETGEAR strongly advises you to change the default management password to a strong password before enabling remote management.
You can choose a variety of WAN options if the factory default settings are not suitable for your installation. These options include enabling a WAN port to respond to a ping, and setting the MTU size, port speed, and upload bandwidth.
4. Prepare to physically connect the firewall to your cable or DSL modems and a computer. Instructions for connecting the UTM are in the ProSecure Unified Threat Management UTM10 or UTM25 Installation Guide.
Cabling and Computer Hardware Requirements
To use the UTM in your network, each computer must have an Ethernet Network Interface Card (NIC) installed and must be equipped with an Ethernet cable. If the computer will connect to your network at
513. s to block specific types of traffic from either going out from the DMZ to the Internet (outbound) or coming in from the Internet to the DMZ (inbound). There is no pull-down menu that lets you set the default outbound policy as there is on the LAN WAN Rules screen. You can change the default outbound policy by blocking all outbound traffic and then enabling only specific services to pass through the UTM. You do so by adding outbound services rules (see DMZ WAN Outbound Services Rules on page 5-16).
To access the DMZ WAN Rules screen:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear.
2. Click the DMZ WAN Rules submenu tab. The DMZ WAN Rules screen displays. Figure 5-5 shows a rule in the Outbound Services table as an example.
[Figure 5-5: DMZ WAN Rules screen, with an Outbound Services table (for example, a CU-SEEME TCP rule, Block by schedule 3, else allow, DMZ Users ANY, WAN Users ANY, QoS Profile Normal-Service, Log never) and an empty Inbound Services table (columns Service Name, Filter, DMZ Server IP Address, DMZ Users, WAN Users, Destination, QoS Profile, Log), each with select all, delete, enable, disable, and add buttons]
Note: Inbound rules configured in the LAN WAN Rules page will take precedence over the Inbou
514. sage is legitimate or a potential threat by analyzing the way it is distributed to the recipients, while structure patterns determine the volume of the distribution. The UTM uses a Distributed Spam Analysis architecture to determine whether or not an e-mail is spam for SMTP and POP3 e-mails. Any e-mail that is identified as spam is tagged as spam (an option for both SMTP and POP3) or blocked (an option possible only for SMTP).
Note: Unlike other scans, you do not need to configure the spam score because the NETGEAR Spam Classification Center performs the scoring automatically as long as the UTM is connected to the Internet. However, this does mean that the UTM must be connected to the Internet for the spam analysis to be performed correctly.
To configure Distributed Spam Analysis and the anti-spam engine settings:
1. Select Application Security > Anti-Spam from the menu. The Anti-Spam submenu tabs appear with the Whitelist/Blacklist screen in view.
2. Click the Distributed Spam Analysis submenu tab. The Distributed Spam Analysis screen displays (see Figure 6-6 on page 6-17).
[Figure 6-6: Distributed Spam Analysis screen, with Sensitivity and Action settings for SMTP and POP3 (add tag to mail subject, maximum 32 characters; add tag X-NETGEAR-SPAM to mail header) and Anti-Spam Engine Settings (use a proxy server to connect to the De
515. screen.
To add a customized service:
1. Select Network Security > Firewall Objects from the menu. The Firewall Objects submenu tabs appear with the Services screen in view. The screen displays the Custom Services table with the user-defined services. Figure 5-19 shows some examples.
[Figure 5-19: Services screen, with a Custom Services table (columns Name, Type, Start Port; for example, TCP 10115; RemoteManagement, TCP 8988; Traceroute, ICMP 30), select all and delete buttons, and an Add Custom Service section with Name, Type, and ICMP Type fields]
2. In the Add Custom Service section of the screen, enter the settings as explained in Table 5-6.
Table 5-6. Services Settings
Setting / Description or Subfield and Description
Name: A descriptive name of the service for identification and management purposes.
Type: From the Type pull-down menu, select the Layer 3 protocol that the service uses as its transport protocol: TCP, UDP, or ICMP.
ICMP Type: A numeric value that can range between 0 and 40. For a list of ICMP types, see http://www.iana.org/assignments/icmp-parameters. This field is enabled only when you select ICMP from the Type pull-down menu.
Start Port: The first TCP or UDP port of a range that the service uses. This field is enabled only when you select TCP or UDP from the Type pull-down menu.
Finish Port: The first TCP or UDP port of a range that the servic
516. seT Half duplex, 100BaseT Full duplex, or No Link.
Tx KB: The number of transmitted packets in KB.
Rx KB: The number of received packets in KB.
Viewing Active VPN Users
The Active Users screen displays a list of administrators, IPsec VPN users, and SSL VPN users that are currently logged into the UTM.
To display the list of active VPN users, select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view.
[Figure 11-13: Active Users screen, with the submenu tabs Active Users, IPSec VPN Connection Status, and SSL VPN Connection Status, and a table with User Name, IP Address, Login Time, and Action columns (for example, techpubadmin, 192.168.190.88, Wed May 27 19:43:28 2009, disconnect)]
The active user's user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. To disconnect an active user, click the disconnect table button to the right of the user's table entry.
Viewing VPN Tunnel Connection Status
To review the status of current IPsec VPN tunnels:
1. Select Monitoring > Active Users & VPNs from the main menu. The Active Users & VPN submenu tabs appear with the Active Users screen in view.
2. Click the IPSec VPN Connection Status submenu tab. The IPSec VPN Connec
517. 5-20
Setting Session Limits 5-23
Managing the Application Level Gateway for SIP Sessions 5-24
Inbound Rules Examples 5-25
Outbound Rules Examples 5-29
Creating Services, QoS Profiles, and Bandwidth Profiles 5-30
Adding Customized Services 5-30
Creating Quality of Service (QoS) Profiles 5-33
Creating Bandwidth Profiles 5-36
Setting a Schedule to Block or Allow Specific Traffic 5-39
Enabling Source MAC Filtering 5-40
Setting Up IP/MAC Bindings 5-42
Configuring Port Triggering 5-44
Using the Intrusion Prevention System 5-47
Chapter 6 Content Filtering and Optimizing Scans
About Content Filtering and Scans 6-1
Default E-mail and Web Scan Settings 6-2
Configuring E-mail Protection 6-3
Customizing E-mail Protocol Scan Settings
518. select the authentication method that the UTM applies:
Local User Database (default): Users are authenticated locally on the UTM. This is the default setting. You do not need to complete any other fields on this screen.
Radius PAP: RADIUS Password Authentication Protocol (PAP). Complete the Authentication Server and Authentication Secret fields.
Radius CHAP: RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the Authentication Server and Authentication Secret fields.
Radius MSCHAP: RADIUS Microsoft CHAP. Complete the Authentication Server and Authentication Secret fields.
Radius MSCHAPv2: RADIUS Microsoft CHAP version 2. Complete the Authentication Server and Authentication Secret fields.
WIKID PAP: WIKID Systems PAP. Complete the Authentication Server and Authentication Secret fields.
Table 9-2. Add Domain Settings (continued)
Setting / Description or Subfield and Description
Authentication Type (continued):
WIKID CHAP: WIKID Systems CHAP. Complete the Authentication Server and Authentication Secret fields.
MIAS PAP: Microsoft Internet Authentication Service (MIAS) PAP. Complete the Authentication Server and Authentication Secret fields.
MIAS CHAP: Microsoft Internet Authentication Service (MIAS) CHAP. Complete the Authentication Server and
519. ser's download location on the hard disk.
Restore Settings
Warning: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the UTM system software.
To restore settings from a backup file:
1. On the Backup & Restore Settings screen (see Figure 10-5 on page 10-16), next to Restore save settings from file, click Browse.
2. Locate and select the previously saved backup file (by default, backup.pkg).
3. When you have located the file, click the restore button. A warning screen might appear, and you might have to confirm that you want to restore the configuration. The UTM reboots. During the reboot process, the Backup & Restore Settings screen remains visible. The reboot process is complete after several minutes, when the Test LED on the front panel goes off.
Warning: Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the UTM, shut down the computer, or do anything else to the UTM until the settings have been fully restored.
Reverting to Factory Default Settings
To reset the UTM to the original factory default settings, you can use one of the following two methods:
Using a sharp object, press and hold the Reset but
520. ser can reconfigure the UTM and misuse it in many ways. NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see Changing Passwords and Administrator Settings on page 10-9).
To configure the UTM for remote management:
1. Select Administration > Remote Management from the menu. The Remote Management screen displays.
[Figure 10-3: Remote Management screen (under the Administration submenu tabs SNMP, Backup & Restore Settings, System Update, System Date & Time, and Remote Management), with the question "Do you want to enable https?" (Yes / No) and a Port Number field]
2. Select one of the following radio buttons:
Yes: Enable HTTPS remote management. This is the default setting.
No: Disable HTTPS remote management.
Warning: If you are remotely connected to the UTM and you select the No radio button, you and all other SSL VPN users are disconnected when you click Apply.
3. As an option, you can change the default HTTPS port. The default port number is 443.
4. Click Apply to save your changes.
When remote management is enabled, you must use an SSL connection to access the UTM from the Internet. You must enter https (not http) and type the UTM's WAN IP address in your browser. For example, if the UTM's WAN IP address is 172.16.0.123, type the following in your browser: h
521. service port, or add another port in the corresponding Ports to Scan field.
HTTPS: HTTPS scanning is disabled by default. To enable HTTPS scanning, select the corresponding checkbox. You can change the standard service port (port 443) or add another port in the corresponding Ports to Scan field.
FTP: FTP scanning is enabled by default on standard service port 21. To disable FTP scanning, deselect the corresponding checkbox. You can change the standard service port or add another port in the corresponding Ports to Scan field.
Instant Messaging (Google Talk, Jabber, Yahoo Messenger, mIRC, Skype, MSN Messenger): Scanning of these instant messaging services is disabled by default. To enable any of these services, select the corresponding checkbox.
Note: For Instant Messaging services, the following services can be blocked: logging in, sharing files, sharing video, sharing audio, and text messaging.
Peer to Peer (P2P) (BitTorrent, eDonkey, Gnutella): Scanning of these file sharing applications is disabled by default. To enable any of these services, select the corresponding checkbox.
Setup Wizard Step 5 of 10: Email Security
[Figure: Setup Wizard Step 5 of 10, Email Security screen, with the actions SMTP: Block infected email and POP3: Delete attachmen
522. size.
Integrity Algorithm: From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process:
SHA-1: Hash algorithm that produces a 160-bit digest. This is the default setting.
MD5: Hash algorithm that produces a 128-bit digest.
Table 7-12. Add VPN Policy Settings (continued)
Item / Description or Subfield and Description
PFS Key Group: Select this checkbox to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the pull-down menu. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the pull-down menu, select one of the following three strengths:
Group 1 (768 bit)
Group 2 (1024 bit). This is the default setting.
Group 5 (1536 bit)
Select IKE Policy: Select an existing IKE policy that defines the characteristics of the Phase 1 negotiation. Click the view selected button to display the selected IKE policy.
5. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table.
To edit a VPN policy:
1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view.
2. Click the VPN Policies submenu t
523. sses are available to map to your servers.
Tip: If you arrange with your ISP to have more than one public IP address for your use
To configure the UTM for additional IP addresses:
1. Select Network Security > Firewall from the menu. The Firewall submenu tabs appear.
2. If your server is to be on your LAN, select the LAN WAN Rules submenu tab. This is the screen we will use in this example. If your server is to be on your DMZ, select the DMZ WAN Rules submenu tab.
3. Click the add table button under the Inbound Services table. The Add LAN WAN Inbound Service screen displays.
[Figure 5-16: Add LAN WAN Inbound Service screen, with the fields Service, Action (ALLOW always), Select Schedule, Send to LAN Server, Translate to Port Number, WAN Destination IP Address (10.1.0.52), LAN Users (Any, with Start and Finish), WAN Users (Any, with Start and Finish), QoS Profile (None), and Bandwidth Profile (NONE)]
4. From the Service pull-down menu, select HTTP for a Web server.
5. From the Action pull-down menu, select ALLOW Always.
6. In the Send to LAN Server field, enter the local IP address of your Web server PC (192.168.1.2 in this example).
7. For the UTM25 only, from the WAN Destination IP Address pull-down menu, select the Web se
524. standing C
Ethernet ports 9
exceptions, Web access 6-4
exchange mode, IKE policies 7-23, 7-26
exclusions, scanning 6-44
executable files: e-mail filtering 6-; FTP filtering 6-41; Web filtering 6-28
exposed hosts 3-19, 5-28
Extended Authentication, see XAUTH
F
factory default settings: reverting to 10-18; service licenses, automatic retrieval 2-29
failover attempts: DNS lookup 3-13; pinging 3-13
failover protection, see auto rollover mode (UTM25)
failure detection method (UTM25) 3-9, 3-11, 3-13
file extensions, blocking 6-8, 6-24, 6-28
file names, blocking 6-8
firewall: attack checks 5-20; bandwidth profiles 5-36; connecting to the Internet 3, B-3; custom services 5-30; default settings A-2; inbound rules, see inbound rules; logs 11-8, 11-33; outbound rules, see outbound rules; overview 1-4; QoS profiles 5-33; rules: inbound, see inbound rules; number supported 5-3; order of precedence 5-10; outbound, see outbound rules; port forwarding 5-3, 5-6; service blocking 5-3, 5-4; service-based 5-3
firmware: upgrading process 10-20; versions 10-19, 11-22
Flash objects 6-24, 6-28
FQDNs: auto rollover mode (UTM25) 3-19; dual WAN ports (UTM25) 7-1, 7-2, B-1, B-9; load balancing mode (UTM25) 3-19; SSL VPN port forwarding 8-18; VPN tunnels 7-2
front panel: LEDs 1-10; ports 1-9
FTP: action, infected Web file or
525. sts are also downloaded when a user attempts to access the https://example.com site.
To specify trusted hosts:
1. Select Application Security > HTTP/HTTPS from the menu. The HTTP/HTTPS submenu tabs appear with the Malware Scan screen in view.
2. Click the Trusted Hosts submenu tab. The Trusted Hosts screen displays. Figure 6-16 shows some examples.
[Figure 6-16: Trusted Hosts screen (under the Application Security submenu tabs Services, Email Anti-Virus, Email Filters, Anti-Spam, FTP, Block/Accept Exceptions, Scanning Exclusions, Malware Scan, Content Filtering, URL Filtering, HTTPS Settings, Certificate Management, and Trusted Hosts), with an Enable checkbox, a Hosts list (trustedhostserver1.example.com, trustedhostserver2.example.com, imageserver.example.com) with delete and export buttons, an Add Host field, and an Import from File upload option]
3. Enter the settings as explained in Table 6-11.
Table 6-11. Trusted Hosts Settings
Setting / Description or Subfield and Description
Do Not Intercept HTTPS Connections for the following Hosts
Enable: Select this checkbox to bypass scanning of trusted hosts that are listed in the Hosts field. Users do not receive a security alert for trusted hosts that are listed in the Host field.
526. t [Figure 2-11: Setup Wizard Step 5 of 10, Email Security screen, ending with IMAP: Delete attachment if the file or message is larger than [ ] KB (Maximum 10240 KB)]
Enter the settings as explained in Table 2-5, then click Next to go to the following screen.
Note: After you have completed the steps in the Setup Wizard, you can make changes to the email security settings by selecting Application Security > Email Anti-Virus. The Email Anti-Virus screen also lets you specify notification settings and email alert settings. For more information about these settings, see Customizing E-mail Anti-Virus and Notification Settings on page 6-5.
Table 2-5. Setup Wizard Step 5: Email Security Settings
Setting / Description or Subfield and Description
Action
SMTP: From the SMTP pull-down menu, specify one of the following actions when an infected e-mail is detected:
Block infected email: This is the default setting. The e-mail is blocked and a log entry is created.
Delete attachment: The e-mail is not blocked, but the attachment is deleted and a log entry is created.
Log only: Only a log entry is created. The e-mail is not blocked and the attachment is not deleted.
POP3: From the POP3 pull-down menu, specify one of the following actions when an infected e-mail is detected:
Delete attachment: This is the default setting. The e-mail is not blocked, but the attachment is deleted and a log entry is created.
Log only: Only a log entry is created. The e-mail is not
527. t [Figure 8-7: SSL VPN Wizard summary screen, listing Authentication Server, Authentication Secret, Workgroup, LDAP Base DN, Active Directory Domain Name CustomerDomain; Domain CustomerDomain; User Name John_at_Company; User Type SSL VPN User; Select Group CustomerDomain; Password 1234567890; Idle Timeout 5 Minutes; VPN Client settings Full Tunnel Support true, DNS Suffix, Primary DNS Server 192.168.50.1, Secondary DNS Server, Client Address Range Begin 192.168.244.1, Client Address Range End 192.168.244.99, Client Route; and port forwarding entries Local Server IP Address 192.168.191.102 with TCP Port Number 3389, and Local Server IP Address 192.168.191.102 with Fully Qualified Domain Name terminalservices.com]
Verify your settings. If you need to make any changes, click the Back action button (if needed, several times) to return to the screen on which you want to make changes. Click Apply to save your settings. If the settings are accepted by the UTM, a message "Operation Succeeded" appears at the top of the screen, and the Welcome to the Netgear Configuration Wizard screen displays again (see Figure 8-1 on page 8-2).
Accessing the New SSL Portal Login Screen
All screens that you can access from the SSL VPN menu of the Web Management Interface display a user portal link at the right upper corner, above the menu bars fus
528. t [Figure 7-20: List of IKE Policies screen, with Client Policy entries and select all, delete, and add buttons]
Each policy contains the data that are explained in Table 7-9. These fields are explained in more detail in Table 7-10.
Table 7-9. List of IKE Policies Information
Item / Description or Subfield and Description
Name: The name that identifies the IKE policy. When you use the VPN Wizard to set up a VPN policy, an accompanying IKE policy is automatically created with the same name that you select for the VPN policy. Note: The name is not supplied to the remote VPN endpoint.
Mode: The exchange mode: Main or Aggressive.
Local ID: The IKE/ISAKMP identifier of the UTM. The remote endpoint must have this value as its remote ID.
Remote ID: The IKE/ISAKMP identifier of the remote endpoint, which must have this value as its Local ID.
Encr: The encryption algorithm that is used for the IKE security association (SA). This setting must match the setting on the remote endpoint.
Auth: The authentication algorithm that is used for the IKE SA. This setting must match the setting on the remote endpoint.
DH: The Diffie-Hellman (DH) group that is used when exchanging keys. This setting must match the setting on the remote endpoint.
To delete one or more IKE policies:
1. Select the checkbox to the left of the policy that you want to delete, or click the select all table button to select all IKE policies.
2. Click the delete table bu
529. …t and, depending on the traffic that is being carried, the WAN side of the UTM is the limiting factor to throughput for most installations. Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the UTM, but there is no backup in case one of the WAN ports fails. When such a failure occurs, the traffic that would have been sent on the failed WAN port is diverted to the WAN port that is still working, thus increasing its load. However, there is one exception: traffic that is bound by protocol to the WAN port that failed is not diverted.
Features That Reduce Traffic. You can adjust the following features of the UTM in such a way that the traffic load on the WAN side decreases:
- LAN WAN outbound rules (also referred to as service blocking)
- DMZ WAN outbound rules (also referred to as service blocking)
- Content filtering
- Source MAC filtering
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking). You can control specific outbound traffic from the LAN to the WAN and from the DMZ to the WAN. The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for outbound traffic. If you have not defined any rules, only the default rule is listed. The default rule allows all outgoing traffic. Any outbound rule that you create restricts outgoing traffic and therefore decreases the traffic l…
530. … 4. Click Apply to save your settings. The IPsec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen. By default, the VPN policy is enabled. (Figure 7-10, the List of VPN Policies screen, with columns Name, Type, Remote, Auth, Encr, and Action; example rows GW1 to GW2, Auto Policy, 255.255.255.0, 192.172.1.0 / 255.255.255.0, SHA-1, 3DES; and Client to UTM, Auto Policy; table buttons select all, delete, enable, disable, add.) Note: When using FQDNs, if the dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection. From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the UTM. 1. Right-click the VPN client icon in your Windows toolbar and select Security Policy Editor. Then select Options > Secure and verify that the Specified Connections selection is enabled (see Figure 7-11 on page 7-12). (VPN client menu items shown: Security Policy Editor, Certificate Manager, Deactivate Security Policy, Reload Security Policy, D…)
531. … To reserve an IP address, select Reserved (DHCP Client) from the IP Address Type pull-down menu on the LAN Groups screen, as described in Adding PCs or Devices to the Network Database on page 4-15, or on the Edit Groups and Hosts screen, as described in Editing PCs or Devices in the Network Database on page 4-16. Note: The reserved address is not assigned until the next time the PC or device contacts the UTM's DHCP server. Reboot the PC or device, or access its IP configuration and force a DHCP release and renew.
Configuring and Enabling the DMZ Port. The De-Militarized Zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or e-mail server) and provide public access to them. The fourth LAN port on the UTM (the rightmost LAN port) can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT. The UTM is programmed to recognize some of these applications and to work properly with them, but there…
532. … Using the Intrusion Prevention System. The Intrusion Prevention System (IPS) of the UTM monitors all network traffic to detect, in real time, network attacks and port scans, and to protect your network from such intrusions. You can set up alerts, block source IP addresses from which port scans are initiated, and drop traffic that carries attacks. You can configure detection of and protection from specific attacks, such as Web, e-mail, database, malware, and other attacks. The IPS differs from the malware scan mechanism (see Configuring Web Malware Scans on page 6-21) in that it monitors individual packets, whereas the malware scan mechanism monitors files. The IPS also allows you to configure port scan detection, to adjust it to your needs and to protect the network from unwanted port scans that could compromise the network security. The IPS is disabled by default. To enable intrusion prevention and configure port scan detection: 1. Select Network Security > IPS from the menu. The IPS submenu tabs appear, with the Global IPS screen in view. (Figure 5-30, the Global IPS screen: Network Security menu with Firewall Objects, Firewall, Address Filtering, Port Triggering, Advanced, and IPS; Detect Port Scans; Block Source IP for 300 Seconds.) 2. To enable the IPS, select the ON radio button. The default setting is OFF. Configure port scan detection by selecting one of the following radio bu…
533. …t SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The UTM policy hierarchy is defined as: 1. User policies take precedence over all group policies. 2. Group policies take precedence over all global policies. 3. If two or more user, group, or global policies are configured, the most specific policy takes precedence. For example, a policy that is configured for a single IP address takes precedence over a policy that is configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy that is applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration:
- Policy 1: A Deny rule has been configured to block all services to the IP address range 10.0.0.0 to 10.0.0.255.
- Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 to 10.0.1.10.
- Policy 3: A Permit rule has been configured to allow FTP access to the predefined netw…
534. …t Version: ProSecure Unified Threat Management Appliance UTM10 or UTM25 Manual. Publication Date: September 2009. For more information about network, Internet, firewall, and VPN technologies, click the links to the NETGEAR Website in Appendix E, Related Documents. Note: Product updates are available on the NETGEAR website at http://prosecure.netgear.com or http://kb.netgear.com/app/home. Note: Go to http://prosecure.netgear.com/community/forum.php for information about the ProSecure forum and to become part of the ProSecure community.
How to Print This Manual. To print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
Revision History (Part Number; Version Number; Date; Description): 202-10482-01; 1.0; September 2009; Initial publication of this reference manual. (xviii)
Chapter 1, Introduction. This chapter provides an overview of the features and capabilities of the ProSecure Unified Threat Management Appliance UTM10 or UTM25. This chapter contains the following sections:
- What Is the ProSecure Unified Threat Management Appli…
535. …ta Encryption Standard (DES); 3DES (Triple DES), which is the default algorithm; AES-128, Advanced Encryption Standard (AES) with a 128-bit key size; AES-192, AES with a 192-bit key size; AES-256, AES with a 256-bit key size.
Integrity Algorithm: From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process: SHA-1, a hash algorithm that produces a 160-bit digest (this is the default setting); MD5, a hash algorithm that produces a 128-bit digest.
Local IP Address: The local IP address to which remote VPN clients have access. Typically, this is the UTM's LAN subnet, such as 192.168.1.0. Note: If you do not specify a local IP address, the UTM's default LAN subnet is used.
Local Subnet Mask: The local subnet mask. Typically, this is 255.255.255.0.
5. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy. 6. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear, with the IKE Policies screen in view (see Figure 7-20 on page 7-23). 7. Under the List of IKE Policies table, click the add table button. The Add IKE Policy screen displays.
536. …tal layout. 3. Under the List of Layouts table, click the add table button. The Add Portal Layout screen displays. Figure 8-13 shows some examples. (Figure 8-13, the Add Portal Layout screen: Portal Layout and Theme Name section with Portal Layout Name CustomerSupport, Portal Site Title, Banner Title "Welcome to Customer Sup…", Display banner message on login page, HTTP meta tags for cache control (recommended), ActiveX web cache cleaner; SSL VPN Portal Pages to Display section with VPN Tunnel page and Port Forwarding.) 4. Complete the fields and select the checkboxes as explained in Table 8-6.
Table 8-6, Add Portal Layout Settings (Item: Description or Subfield and Description). Portal Layout and Theme Name. Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.com and you create a portal layout named CustomerSupport, then users access the sub-site at https://vpn.company.com/portal/CustomerSupport. Note: Only alphanumeric characters, hyphens (-), and underscores (_) are accepted in the Portal Layout Name field. If…
537. …tarting WAN1_
Message 2: Dec 1 12:11:31 UTM wand LBFO Restarting WAN2_
Message 3: Dec 1 12:11:35 UTM wand LBFO WAN1 UP WAN2 UP_
Message 4: Dec 1 12:24:12 UTM wand LBFO WAN1 UP WAN2 DOWN_
Dec 1 12:29:43 UTM wand LBFO Restarting WAN2_
Dec 1 12:29:47 UTM wand LBFO WAN1 UP WAN2 DOWN_
Explanation: Message 1 and Message 2 indicate that both WANs are restarted. Message 3: This message shows that both WANs are up and the traffic is balanced between the two WAN interfaces. Message 4: This message shows that one of the WAN links is down. At this point, all the traffic is directed through the WAN that is up. Recommended Action: None.
PPP Logs. This section describes the WAN PPP connection logs. The PPP type can be configured through the Web Management Interface (see Manually Configuring the Internet Connection on page 3-5).
- PPPoE Idle Timeout Logs
Table C-10, System Logs: WAN Status, PPPoE Idle Timeout.
Message 1: Nov 29 13:12:46 UTM pppd Starting connection
Message 2: Nov 29 13:12:49 UTM pppd Remote message: Success
Message 3: Nov 29 13:12:49 UTM pppd PAP authentication succeeded
Message 4: Nov 29 13:12:49 UTM pppd local IP address 50.0.0.62
Message 5: Nov 29 13:12:49 UTM pppd remote IP address 50.0.0.1
Message 6: Nov 29 13:1…
538. …tbound Services Rules. You may change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule may block or allow traffic between the DMZ and any external WAN IP address according to the schedule created in the Schedule menu. To create a new outbound DMZ WAN service rule: 1. In the DMZ WAN Rules screen, click the add table button under the Outbound Services table. The Add DMZ WAN Outbound Service screen displays. (Figure 5-6, the Add DMZ WAN Outbound Service screen: Service ANY; Action BLOCK always; Select Schedule, Schedule 1; DMZ Users Any, Start, Finish; WAN Users Any, Start, Finish; QoS Profile None; NAT IP, WAN Interface Address; apply button.) 2. Enter the settings as explained in Table 5-2 on page 5-5. 3. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
DMZ WAN Inbound Services Rules. The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic from the Internet to the DMZ is allowed. Inbound rules that are con…
539. …te 2-3
Web: audio and video files, filtering 6-28; categories, blocked recent 5 and top 5 171 18; blocking 2-22, 6-24, 6-29; compressed files, filtering 6-28; executable files, filtering 6-28; objects, blocking 6-24, 6-28; reports 171 39; security settings, using the Setup Wizard 2-19; statistics 77 16
Web Management Interface: description 2-5; troubleshooting 12-3
Web protection: See HTTP; See HTTPS; See FTP
whitelist: e-mails 6-2; URLs 6-32
WiKID authentication: overview D-1; description 9-2
WiKID-CHAP 8-6, 9-5
WiKID-PAP 8-6, 9-4
wildcards: keywords, blocking 6-24; URL blocking 6-32
WinPoET 2-3, 3-7
WINS server: DHCP 2-10, 4-9, 4-21; ModeConfig 7-45
wizard: See Setup Wizard; See IPsec VPN Wizard; See SSL VPN Wizard
X
XAUTH: configuring 7-37; edge device 7-38, 7-39; IKE policies 7-29; IPsec host 7-38, 7-39
Y
Yahoo Messenger 2-17, 6-21
(Index-16)
540. …te and Time. Setup Wizard Step 3 of 10: System Date and Time. (Figure 2-9, the System Date and Time screen: Date/Time set to (GMT) Greenwich Mean Time: Edinburgh, London; Automatically Adjust for Daylight Savings Time; Use Default NTP Servers; Use Custom NTP Servers; Server 1 Name/IP Address time-g.netgear.com; Server 2 Name/IP Address time-h.netgear.com; Current Time Mon Apr 13 16:53:12 GMT+0000 2009.) Enter the settings as explained in Table 2-3 on page 2-15, then click Next to go to the following screen. Note: After you have completed the steps in the Setup Wizard, you can make changes to the date and time by selecting Administration > System Date & Time. For more information about these settings, see Configuring Date and Time Service on page 10-24.
Table 2-3, Setup Wizard Step 3: System Date and Time Settings (Setting: Description or Subfield and Description). Set Time, Date, and NTP Servers. Date/Time: From the pull-down menu, select the local time zone in which the UTM operates. The proper time zone is required in order for scheduling to work correctly. The UTM includes a real-time clock (RTC), which it uses for scheduling. Automatically Adjust for Daylight Savings Time: If daylight savings time is supported in your region, select the Automatically A…
541. …te (Figure 6-18, the Exceptions table with buttons select all, delete, enable, disable, add, and apply.) Under the Exceptions table, click the add table button to specify an exception rule. The Add or Edit Block/Accept Exceptions screen displays. (Figure 6-19, the Add or Edit Block/Accept Exceptions screen: Action allow; Applies to; Start Time; End Time; Category; Sub Category; Expression.) 3. Enter the settings as explained in Table 6-13.
Table 6-13, Add and Edit Block Scanning Exception Settings (Setting: Description or Subfield and Description). Action: From the pull-down menu, select the action that the UTM applies: allow, the exception allows access to an application, Web category, or URL that is otherwise blocked; block, the exception blocks access to an application, Web category, or URL that is otherwise allowed. Applies to: The group to which the exception applies. You can configure groups in Managing Groups and Hosts (LAN Groups) on page 4-12. Start Time: The time, in 24-hour format (hours and minutes), when the action starts. If you leave these fields empty, the action applies continuously. End Time: The time, in 24-hour format (hours and minutes), when the action ends. If you leave these fields empty, the action app…
542. …te server. Update Frequency: Specify the frequency with which the UTM checks for file updates. Weekly: From the pull-down menus, select the weekday, hour, and minutes at which the updates occur. Daily: From the pull-down menus, select the hour and minutes at which the updates occur. Every: From the pull-down menu, select the frequency with which the updates occur. The range is from 15 minutes to 12 hours. HTTPS Proxy Settings. Enable: If computers on the network connect to the Internet via a proxy server, select the Enable checkbox to specify and enable a proxy server, and enter the following settings. Proxy server: The IP address and port number of the proxy server. User name: The user name for proxy server authentication. Password: The password for proxy server authentication. 3. Click Apply to save your settings.
Configuring Date and Time Service. Configure date, time, and NTP server designations on the System Date & Time screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. Setting the correct system time and time zone ensures that the date and time recorded in the UTM logs and reports are accurate. To set time, date, and NTP servers: 1. Select Administration > System Date & Time…
543. …techpub (Figure 9-8, the Defined Addresses screen: Deny Login from Defined Addresses and Allow Login only from Defined Addresses radio buttons; Defined Addresses table with columns Source Address Type and Network Address/IP Address, example entry IP Address 192.158.20.3, and buttons select all and delete; Add Defined Addresses section with Source Address Type and Network Address/IP Address fields.) 4. In the Defined Addresses Status section of the screen, select one of the following radio buttons: Deny Login from Defined Addresses, to deny logging in from the IP addresses in the Defined Addresses table; Allow Login only from Defined Addresses, to allow logging in only from the IP addresses in the Defined Addresses table. 5. Click Apply to save your settings. 6. In the Add Defined Addresses section of the screen, add an address to the Defined Addresses table by entering the settings as explained in Table 9-5 on page 9-14.
Table 9-5, Add Defined Addresses Settings (Setting: Description or Subfield and Description). Source Address Type: Select the type of address from the pull-down menu: IP Address, a single IP address; IP Network, a subnet of IP addresses (you must enter a netmask length in the Mask Length field). Network Address/IP Address: Depending on your selection in the Source Address Type pull-down menu, enter the IP address or the network address. Mask Length: For a network ad…
544. …tection Center. (Figure 6-6: Proxy server field; "This proxy server requires authentication" checkbox; Username; Password.) 3. Enter the settings as explained in Table 6-5.
Table 6-5, Distributed Spam Analysis Settings (Setting: Description or Subfield and Description). Distributed Spam Analysis. SMTP: Select the SMTP checkbox to enable Distributed Spam Analysis for the SMTP protocol. You can enable Distributed Spam Analysis for both SMTP and POP3. POP3: Select the POP3 checkbox to enable Distributed Spam Analysis for the POP3 protocol. You can enable Distributed Spam Analysis for both SMTP and POP3. Sensitivity: From the Sensitivity pull-down menu, select the level of sensitivity for the anti-spam engine that performs the analysis: Low; Medium Low; Medium; Medium High (this is the default setting); High. Note: A low sensitivity allows more e-mails to pass through but increases the risk of spam messages. A high sensitivity allows fewer e-mails to pass through but diminishes the risk of spam messages. Action SMTP: From the SMTP pull-down menu, select the action that is taken when spam is detected by the anti-spam engine. Tag spam email: This…
545. … Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain. You must enter a name other than geardomain in the Domain Name field so that the SSL VPN Wizard can create a new domain. Do not enter an existing domain name in the Domain Name field; otherwise, the SSL VPN Wizard will fail and the UTM will reboot to recover its configuration. Note: After you have completed the steps in the SSL VPN Wizard, you can make changes to the domain settings by selecting Users > Domains. For more information about domain settings, see Configuring Domains on page 9-2.
Table 8-2, SSL VPN Wizard Step 2: Domain Settings (Setting: Description or Subfield and Description). DOMAIN NAME: A descriptive (alphanumeric) name of the domain, for identification and management purposes. Authentication Type: Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client Configuration on page 7-39). From the pull-down menu, select the authentication method that the UTM applies: Local User Database (default), users are authenticated locally on the UTM; this is the default setting, and you do not need to complete any other fields on this screen. Radius PAP: RADIUS Password Aut…
546. … Web object blocking: You can block the following Web component types: embedded objects (ActiveX, Java, Flash), proxies, and cookies, and you can disable Java scripts. For more information, see Configuring Web Content Filtering on page 6-23. Setting the size of Web files to be scanned: Scanning large Web files requires network resources and might slow down traffic. You can specify the maximum file size that is scanned, and whether files that exceed the maximum size are skipped (which might compromise security) or blocked. For more information, see Configuring Web Malware Scans on page 6-21. For these features (with the exception of Web object blocking and setting the size of files to be scanned), you can set schedules to specify when Web content is filtered (see Configuring Web Content Filtering on page 6-23) and configure exceptions for groups (see Setting Web Access Exception Rules on page 6-41).
Source MAC Filtering. If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. By default, this feature is disabled: all traffic received from PCs with any MAC address is allowed. See Enabling Source MAC Filtering on page 5-40 for the procedure on how to use this feature. Features T…
547. …ter a WINS server IP address to specify the Windows NetBIOS Server IP, if one is present in your network. Lease Time: Enter a lease time. This specifies the duration for which IP addresses are leased to clients. DHCP Relay: Select the DHCP Relay radio button to use the UTM as a DHCP relay agent for a DHCP server somewhere else on your network. Enter the following setting. Relay Gateway: The IP address of the DHCP server for which the UTM serves as a relay. Enable LDAP information: Select the Enable LDAP information checkbox to enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information. Enter the following settings. LDAP Server: The IP address or name of the LDAP server. Search Base: The search objects that specify the location in the directory tree from which the LDAP search begins. You can specify multiple search objects, separated by commas. The search objects include: cn for common name; ou for organizational unit; o for organization; c for country; dc for domain. For example, to search the Netgear.net domain for all last names of Johnson, you would enter cn=Johnson,dc=Netgear,dc=net. Port: The port number for the LDAP server. The default setting is zero.
Table 4-3, DMZ Setup Settings (continued) (Setting: Description o…
548. …ters. This VPN tunnel will use the following local WAN Interface (UTM25 only): For the UTM25 only, select one of the two radio buttons, WAN1 or WAN2, to specify which local WAN interface the VPN tunnel uses as the local endpoint. Note: If the UTM25 is configured to function in WAN auto-rollover mode, after completing the wizard you must manually update the VPN policy to enable VPN rollover. For more information, see Manually Adding or Editing a VPN Policy on page 7-32.
End Point Information. What is the Remote Identifier Information?: When you select the Client radio button in the About VPN Wizard section of the screen, the default remote FQDN utm_remote.com is automatically entered. Use the default remote FQDN or enter another FQDN. What is the Local Identifier Information?: When you select the Client radio button in the About VPN Wizard section of the screen, the default local FQDN utm_local.com is automatically entered. Use the default local FQDN or enter another FQDN.
Secure Connection Remote Accessibility. What is the remote LAN IP Address? What is the remote LAN Subnet Mask?: These fields are masked out for VPN client connections. (a) Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of an IP address and an FQDN is not supported.
549. …te… 2-8
Setup Wizard Step 2 of 10: WAN Settings 2-11
Setup Wizard Step 3 of 10: System Date and Time 2-14
Setup Wizard Step 4 of 10: Security Services 2-16
Setup Wizard Step 5 of 10: Email Security 2-18
Setup Wizard Step 6 of 10: Web Security 2-19
Setup Wizard Step 7 of 10: Web Categories to Be Blocked 2-21
Setup Wizard Step 8 of 10: Administrator Email Notification Settings 2-23
Setup Wizard Step 9 of 10: Security Subscription Update Settings 2-24
Setup Wizard Step 10 of 10: Saving the Configuration 2-26
Verifying Proper Installation 2-26
Testing Connectivity 2-26
Teemo Bg Desi Cat Me (garbled entry) 2-26
Registering the UTM with NETGEAR 2-27
What to Do Next 2-29
Chapter 3, Manually Configuring Internet and WAN Settings
Understanding the Internet and WAN Configuration Tasks 3-1
Configuring the Internet Connections…
550. …that the Ethernet cable connections are secure at the UTM and at the hub, router, or workstation.
- Make sure that power is turned on to the connected hub, router, or workstation.
- Be sure you are using the correct cables. When connecting the UTM's WAN ports to one or two devices that provide the Internet connections, use the cables that are supplied with the devices. These cables could be standard straight-through Ethernet cables or Ethernet crossover cables.
Troubleshooting the Web Management Interface. If you are unable to access the UTM's Web Management Interface from a PC on your local network, check the following:
- Check the Ethernet connection between the PC and the UTM, as described in the previous section, LAN or WAN Port LEDs Not On.
- Make sure your PC's IP address is on the same subnet as the UTM. If you are using the recommended addressing scheme, your PC's address should be in the range of 192.168.1.2 to 192.168.1.254. Note: If your PC's IP address is shown as 169.254.x.x: Windows and MacOS generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the UTM and reboot your PC.
- If your…
551. …that the table displays only the active CAs and their critical release dates (see Managing the Certificate Revocation List on page 9-25).
Managing CA Certificates. To view and upload trusted certificates: Select VPN > Certificates from the menu. The Certificates screen displays. Figure 9-11 shows the top section of the screen, with the trusted certificate information and some example certificates in the Trusted Certificates (CA Certificates) table. (Figure 9-11, Certificates screen 1 of 3: columns CA Identity (Subject Name), Issuer Name, and Expiry Time; example rows C=US, ST=California, L=Santa Clara, O=NETGEAR Inc, OU=Netgear Prosafe, CN=NetGear, emailAddress=support@netgear.com, issued by the same name, expiring Aug 24 16:26:04 2037 GMT; and C=US, O=RSA Data Security Inc, OU=Secure Server Certification Authority, issued by the same name, expiring 2010 GMT; buttons select all and delete; Upload Trusted Certificate section with Trusted Certificate File and upload button.) The Trusted Certificates (CA Certificates) table lists the digital certificates of CAs and contains the following fields:
- CA Identity (Subject Name): The organization or person to…
552. …the Web Management Interface. This setting is useful if your ISP requires MAC authentication.
Table 3-8, Advanced WAN Settings (continued) (Setting: Description or Subfield and Description). Use this MAC Address: Select the Use this MAC Address radio button to manually enter the MAC address in the field next to the radio button. You would typically enter the MAC address that your ISP requires for MAC authentication. Note: The format for the MAC address is 01:23:45:67:89:AB (numbers 0-9 and either uppercase or lowercase letters A-F). If you enter a MAC address, the existing entry is overwritten. Upload/Download Settings: These settings rate limit the traffic that is being forwarded by the UTM. WAN Connection Type: From the pull-down menu, select the type of connection that the UTM uses to connect to the Internet: DSL, ADSL, Cable Modem, T1, T3, or Other. WAN Connection Speed Upload: From the pull-down menu, select the maximum upload speed that is provided by your ISP. You can select from 56 Kbps to 1 Gbps, or you can select Custom and enter the speed in Kbps in the field to the right. WAN Connection Speed Download: From the pull-down menu, select the maximum download speed that is provided by your ISP. You can select from 56 Kbps to 1 Gbps o…
553. the extKeyUsage extension that is defined for SNMPv2, the same certificate cannot be used for secure web management. The extKeyUsage would govern the certificate acceptance criteria on the UTM when the same digital certificate is being used for secure web management. [Managing Users, Authentication, and Certificates, page 9-17] On the UTM, the uploaded digital certificate is checked for validity and purpose. The digital certificate is accepted when it passes the validity test and the purpose matches its use. The check for the purpose must correspond to its use for IPsec VPN, SSL VPN, or both. If the defined purpose is for IPsec VPN and SSL VPN, the digital certificate is uploaded to both the IPsec VPN certificate repository and the SSL VPN certificate repository. However, if the defined purpose is for IPsec VPN only, the certificate is uploaded only to the IPsec VPN certificate repository. The UTM uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that contains the following elements: A public encryption key to be used by clients for encrypting messages to the server. Information identifying the operator of the server. A digital signature confirming the identity of the operator of the server. Ideally, the signature
554. the Netgear.net domain for all last names of Johnson, you would enter cn=Johnson,dc=Netgear,dc=net. Port: The port number for the LDAP server. The default setting is zero. [Using the Setup Wizard to Provision the UTM in Your Network, page 2-10] Table 2-1, Setup Wizard Step 1: LAN Settings (continued). DNS Proxy / Enable DNS Proxy: This is optional. Select the Enable DNS Proxy radio button to enable the UTM to provide a LAN IP address for DNS address name resolution. This setting is enabled by default. Note: When you deselect the Enable DNS Proxy radio button, the UTM still services DNS requests that are sent to its LAN IP address unless you disable DNS Proxy in the firewall settings (see Attack Checks on page 5-20). Setup Wizard Step 2 of 10: WAN Settings. [Figure: Setup Wizard Step 2 of 10, WAN Settings screen. The screenshot reports "DHCP service detected" and shows the question "Does Your Internet Connection Require a Login?" (Yes/No) with Login, Password, Account Name and Domain Name fields; the ISP connection type selection (Austria (PPTP), Other, PPPoE) with Keep Connected / Idle Timeout and an Idle Time of 5 Minutes; My IP Address, Server IP Address and Current IP Address fields; and the Domain Name Server (DNS) Server choice (Get Dynamically from ISP / Get Automatically ...).]
555. the SMTP pull-down menu, specify one of the following actions when a password-protected attachment to an e-mail is detected: Block email: The e-mail is blocked and a log entry is created. Delete attachment: The e-mail is not blocked, but the attachment is deleted and a log entry is created. Log only: This is the default setting. Only a log entry is created; the e-mail is not blocked and the attachment is not deleted. POP3: From the POP3 pull-down menu, specify one of the following actions when a password-protected attachment to an e-mail is detected: Delete attachment: The e-mail is not blocked, but the attachment is deleted and a log entry is created. Log only: This is the default setting. Only a log entry is created; the e-mail is not blocked and the attachment is not deleted. IMAP: From the IMAP pull-down menu, specify one of the following actions when a password-protected attachment to an e-mail is detected: Delete attachment: The e-mail is not blocked, but the attachment is deleted and a log entry is created. Log only: This is the default setting. Only a log entry is created; the e-mail is not blocked and the attachment is not deleted. [Content Filtering and Optimizing Scans] Table 6-3, E-mail Filter Settings (continued). Filter by File Type: F
556. the WAN1 Traffic Meter screen. Note: For the WAN2 interface, see the settings on the WAN2 Traffic Meter screen. Unicast Logs: This section describes logs that are generated when the UTM processes unicast packets. Table C-14, System Logs: Unicast. Message: Nov 24 11:52:55 UTM kernel: UCAST IN=SELF OUT=WAN SRC=192.168.10.1 DST=192.168.10.10 PROTO=UDP SPT=800 DPT=2049. Explanation: This unicast packet is destined to the device from the WAN network. For other parameters, see Table C-1. Recommended Action: None. ICMP Redirect Logs: This section describes logs that are generated when the UTM processes ICMP Redirect messages. Table C-15, System Logs: Unicast Redirect. Message: Feb 2007 22 14:36:07 UTM kernel: LOG_PACKET SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1. Explanation: This packet is an ICMP Redirect message sent to the device by another device. For other parameters, see Table C-1. Recommended Action: None. [System Logs and Error Messages, page C-9] Multicast/Broadcast Logs: This section describes logs that are generated when the UTM processes multicast and broadcast packets. Table C-16, System Logs: Multicast/Broadcast. Message: Jan 1 07:24:13 UTM kernel: MCAST/BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138. Explanation:
557. ther packets are tagged according to the VLAN ID that you assigned to the VLAN when you created the VLAN profile. This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one of which is connected to the UTM, the other one to another device. Packets coming from the IP phone to the UTM LAN port are tagged. Packets passing through the IP phone from the connected device to the UTM LAN port are untagged. When you assign the UTM LAN port to a VLAN, packets entering and leaving the port are tagged with the VLAN ID. However, untagged packets entering the UTM LAN port are forwarded to the default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are untagged. Note: The configuration of the DHCP options for the default VLAN is explained in Using the Setup Wizard to Provision the UTM in Your Network on page 2-1. For information about how to add and edit a VLAN profile, including its DHCP options, see Configuring a VLAN Profile on page 4-6. To manage the VLAN profiles and assign VLAN profiles to the LAN ports: 1. Select Network Config > LAN Settings from the menu. The LAN submenu tabs appear with the LAN Setup screen in view. Figure 4-1 shows two VLAN profiles as an example. [Figure 4-1: LAN Setup screen. The screenshot shows the Network Config submenu (WAN Settings, Protocol Binding, Dynamic DNS, WAN Metering, LAN Setup, DMZ Setup, Routing, Email Notification), the LAN tabs (LAN Setup, LAN Groups, LAN Multi-homing, DHCP Log), and the VLAN Profiles table with the columns Profile Name, Subnet IP, DHCP Status, ...]
558. tication Protocol (CHAP) executes a three-way handshake in which the client and server trade challenge messages, each responding with a hash of the other's challenge message that is calculated using a shared secret value. RADIUS: A network-validated PAP or CHAP password-based authentication method that functions with Remote Authentication Dial In User Service (RADIUS). MIAS: A network-validated PAP or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 Server. WiKID: WiKID Systems is a PAP or CHAP key-based two-factor authentication method that functions with public key cryptography. The client sends an encrypted PIN to the WiKID server and receives a one-time passcode with a short expiration period. The client logs in with the passcode. See Appendix D, Two-Factor Authentication, for more on WiKID authentication. NT Domain: A network-validated domain-based authentication method that functions with a Microsoft Windows NT Domain authentication server. This authentication method has been superseded by Microsoft Active Directory authentication, but is supported to authenticate legacy Windows clients. Active Directory: A network-validated domain-based authentication method that functions with a Microsoft Active Directory authentication server. Microsoft Active Directory authentication servers support a group and user structure
559. tification from the menu. The Email Notification screen displays. Figure 11-3 shows some examples. [Figure 11-3: Email Notification screen. The screenshot shows the Show as Mail Sender field (example: UTMnotification@netgear.com), the SMTP Server field (example: mail.yourdomain.com, port 25), the This server requires authentication checkbox with User Name and Password fields, and the Send Notifications to field (example: admin@yourdomain.com).] [Monitoring System Access and Performance, page 11-5] 2. Enter the settings as explained in Table 11-2. Table 11-2, E-mail Notification Settings. Show as mail sender: A descriptive name of the sender for e-mail identification purposes. For example, enter UTM25Notifications. SMTP server: The IP address and port number or Internet name and port number of your ISP's outgoing e-mail SMTP server. The default port number is 25. Note: If you leave this field blank, the UTM cannot send e-mail notifications. This server requires authentication: If the SMTP server requires authentication, select the This server requires authentication checkbox and enter the following settings: User name: The user name for SMTP server authentication. Password: The password for SMTP server authentication.
560. ting IP Address: Enter the starting IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address. Ending IP Address: Enter the ending IP address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between the Starting IP Address and this IP address. The IP address 192.168.1.100 is the default ending address. Note: The starting and ending DHCP IP addresses should be in the same network as the LAN TCP/IP address of the UTM (the IP address in the LAN TCP/IP section above). [LAN Configuration, page 4-20] Table 4-3, DMZ Setup Settings (continued). Enable DHCP Server (continued): Primary DNS Server: This is optional. If an IP address is specified, the UTM provides this address as the primary DNS server IP address. If no address is specified, the UTM provides its own LAN IP address as the primary DNS server IP address. Secondary DNS Server: This is optional. If an IP address is specified, the UTM provides this address as the secondary DNS server IP address. WINS Server: This is optional. En
561. tings: 1. Select Application Security > FTP from the menu. The FTP screen displays. [Figure 6-17: FTP screen. The screenshot shows the Action section with the FTP pull-down menu, the Scan Exception setting ("if the file or message is larger than ... KB", maximum 10240 KB), and the Block Files with the Following Extensions section with an Enable checkbox, a list of extensions and the example "exe, com, pif".] 2. Enter the settings as explained in Table 6-12. Table 6-12, FTP Scan Settings. Action / FTP: From the FTP pull-down menu, specify one of the following actions when an infected FTP file or object is detected: Delete file: This is the default setting. The FTP file or object is deleted, and a log entry is created. Log only: Only a log entry is created. The FTP file or object is not deleted. [Content Filtering and Optimizing Scans, page 6-40] Table 6-12, FTP Scan Settings (continued). Scan Exception: The default maximum file or object size that is scanned is 2048 KB, but you can define a maximum size of up to 10240 KB. However, setting the maximum size to a high value might affect the UTM's performance (see Performance Management on page 10-1). From the pull-down menu, specify one of the following actions w
562. tion Status screen displays. [Figure 11-14: IPsec VPN Connection Status screen. The screenshot notes that the page auto-refreshes, and shows the Active IPsec SAs table with the columns Policy Name, Endpoint, Tx (KB), Tx (Packets), State and Action; example rows include gateway policies such as UTM25_to_FVS336G in the state IPsec SA Not Established with a connect button, and a client policy in the state IPsec SA Established with a drop button. Below the table is the Poll Interval field (5 seconds) with the set interval and stop buttons.] The Active IPsec SAs table lists each active connection with the information that is described in Table 11-12. The default poll interval is 5 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click set interval. To stop polling, click stop. Table 11-12, IPsec VPN Connection Status Information. Policy Name: The name of the VPN policy that is associated with this SA. Endpoint: The IP address on the remote VPN endpoint. Tx (KB): The amount of data that is transmitted over this SA. Tx (Packets): The number of IP packets that are transmitted over this SA. State: The current status of the SA. Phase 1 is the authentication phase, and Phase 2 is the key exchange phase. If there is no connection, the status is IPsec SA Not Established. Action: Click the connect table button to build the connection, or click the drop table button to terminate the connectio
563. [Figure 5-31: Advanced IPS screen (partial screenshot residue: Name, Applications, All application attacks, Network protocols).] [Firewall Protection, page 5-49] Table 5-11, IPS: Less Familiar Attack Names. Web / web misc: Detects some specific Web attack tools, such as the fingerprinting tool and the password-cracking tool. web attacks: Detects the Web attacks that cannot be placed under other Web categories, such as DoS and overflow attacks against specific Web services. These Web services include IMail Web Calendaring, ZixForum, ScozNet, ScozNews, and other services. inappropriate: Detects the behavior of visiting pornographic Web sites. Misc / policy: Detects traffic that violates common policies, such as traffic that flows because of certain network installer applications and traffic that flows when Google SafeSearch is turned off. misc: Detects the Web attacks that cannot be placed in other categories, such as attacks specifically against SNMP or DNS. [Firewall Protection, page 5-50] Chapter 6: Content Filtering and Optimizing Scans. This chapter describes how to apply the content filtering features of the UTM and how to optimize scans to protect your network. This chapter contains the following sections:
564. tions that you choose to make available. 2. Create authentication domains, user groups, and user accounts (see Configuring Domains, Groups, and Users on page 8-22). a. Create one or more authentication domains for authentication of SSL VPN users. When remote users log in to the UTM, they must specify a domain to which their login account belongs. The domain determines the authentication method that is used and the portal layout that is presented, which in turn determines the network resources to which the users are granted access. Because you must assign a portal layout when creating a domain, the domain is created after you have created the portal layout. b. Create one or more groups for your SSL VPN users. [Virtual Private Networking Using SSL Connections, page 8-17] When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain. c. Create one or more SSL VPN user accounts. Because you must assign a group when creating an SSL VPN user account, the user account is created after you have created the group. 3. For port forwarding, define the servers and services (Configuring Applications for Port Forwarding on p
565. tocol: 123; Citrix: 1494; Terminal Services: 3389; VNC (virtual network computing): 5900 or 5800. Add New Host Name for Port Forwarding. Local Server IP Address: The IP address of an internal server or host computer that you want to name. Note: Both Local Server IP Address fields on this screen (that is, the one in the Add New Application for Port Forwarding section and the one in the Add New Host Name for Port Forwarding section) must contain the same IP address. Fully Qualified Domain Name: The full server name, that is, the host name to IP address resolution for the network server, as a convenience for remote users. a. Users can specify the port number together with the host name or IP address. [Virtual Private Networking Using SSL Connections, page 8-12] SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings. [Figure: SSL VPN Wizard Step 6 of 6 screen. The screenshot summarizes the settings entered in the earlier steps: Portal Layout Name (CustomerSupport), Display banner message on login page, Portal Site Title (CompanyCustomerSupport), HTTP meta tags for cache control (recommended), Banner Title (Welcome to Customer Support), ActiveX web cache cleaner, Banner Message (In case of login difficulty call 123 456 7690), SSL VPN Portal Pages to Display (VPN Tunnel page, Port Forwarding), Domain Name (CustomerDomain), Authentication Type (Local User Database (default)), and Select Portal (CustomerSupport).]
566. tomatic IPsec VPN rollover to ensure that an IPsec VPN tunnel is re-established. Dual WAN Ports in Auto-Rollover Mode: Rollover for a UTM with dual WAN ports is different from a single WAN port gateway configuration when you specify the IP address. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of a fully qualified domain name (FQDN) is always required, even when the IP address of each WAN port is fixed. [Figure B-2: Dual WAN Ports Before Rollover / Dual WAN Ports After Rollover. Before rollover the router's WAN1 port is active (WAN1 IP) and the WAN2 port inactive (N/A); after rollover the WAN1 port is inactive (N/A) and the WAN2 port active (WAN2 IP). Because the IP address of the active WAN port changes after a rollover, use of fully qualified domain names is always required, and features requiring fixed IP address blocks are not supported.] Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port must be in the identical range of fixed addresses. [Network Planning for Dual WAN Ports (UTM25 Only), page B-6] Dual WAN Ports in Load Balancing Mode: Load balancing for a UTM with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address. Each IP address is either fixed or dynamic based on the ISP. You must use FQDNs when th
567. ton on the rear panel of the UTM (see Rear Panel on page 1-12) for about eight seconds until the Test LED turns on and begins to blink (about 30 seconds). To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Reset button method. On the Backup & Restore Settings screen (see Figure 10-5 on page 10-16), next to Revert to factory default settings, click the default button. The UTM reboots. If you use the software default button, the Backup & Restore Settings screen remains visible during the reboot process. The reboot process is complete after several minutes when the Test LED on the front panel goes off. Warning: When you push the hardware Reset button or click the software default button, the UTM settings are erased. All firewall rules, VPN policies, LAN/WAN settings, and other settings are lost. Back up your settings if you intend on using them. Note: After rebooting with factory default settings, the UTM's password is password and the LAN IP address is 192.168.1.1. Updating the Firmware: The UTM can automatically detect any new firmware version from NETGEAR. The firmware upgrade process for the UTM consists of the following stages that are explained in detail in the sections below: 1. Querying the available firmware versions. 2. Selecting a firmware version to download directly to the UTM that is not first t
568. ts. Instant Messaging/Peer to Peer Logs: All instant messaging and peer-to-peer access violations. Firewall Logs: The firewall logs that you have specified on the Firewall Logs screen (see Configuring and Activating Firewall Logs on page 11-13, on page 11-14). IPSEC VPN Logs: All IPsec VPN events. SSL VPN Logs: All SSL VPN events. You can query and generate each type of log separately and filter the information based on a number of criteria. For example, you can filter the malware logs using the following criteria (other log types have similar filtering criteria): Start date/time and end date/time; Protocols (HTTP, HTTPS, FTP, SMTP, POP3, and IMAP); Malware name; Action; Client and server IP addresses; Recipient e-mail address. To query and download logs: 1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog screen in view. Click the Logs Query submenu tab. The Logs Query screen displays (see Figure 11-23 on page 11-34, which shows the Malware log information settings as an example). Depending on the selection that you make from the Log Type pull-down menu, the screen adjusts to display the settings for the selected type of log. [Monitoring System Access and Performance, page 11-33] [Screenshot residue: Monitoring submenu tabs System Status, Active Users & VPNs, Dashboard, Diagnostics, Email and Syslog.]
569. tsky.exe. Action (SMTP, POP3, IMAP): From the pull-down menu, specify an action when an e-mail attachment with a name that is defined in the File Name field is detected. The pull-down menu selections and defaults are the same as the ones for the Filter by Password-Protected Attachments (ZIP, RAR, etc.) section above. 3. Click Apply to save your settings. Protecting Against E-mail Spam: The UTM integrates multiple anti-spam technologies to provide comprehensive protection against unwanted e-mail. You can enable all or a combination of these anti-spam technologies. The UTM implements these spam prevention technologies in the following order: 1. Whitelist: E-mails from the specified sources or to the specified recipients are not considered spam and are accepted. 2. Blacklist: E-mails from the specified sources are considered spam and are blocked. [Content Filtering and Optimizing Scans, page 6-11] 3. Real-time blacklist: E-mails from known spam sources that are collected by blacklist providers are blocked. 4. Distributed Spam Analysis: E-mails that are detected as spam by the NETGEAR Spam Classification Center are either tagged or blocked. This order of implementation ensures the optimum balance between spam prevention and system performance. For example, if an e-mail originates from a whitelisted source, the UTM delivers th
570. ttacker's network location anonymous. Disable Ping Reply on LAN Ports: Select the Disable Ping Reply on LAN Ports checkbox to prevent the UTM from responding to a ping on a LAN port. A ping can be used as a diagnostic tool. Keep this checkbox deselected unless you have a specific reason to prevent the UTM from responding to a ping on a LAN port. VPN Pass-through (IPSec, PPTP, L2TP): When the UTM functions in NAT mode, all packets going to the remote VPN gateway are first filtered through NAT and then encrypted per the VPN policy. For example, if a VPN client or gateway on the LAN side of the UTM wants to connect to another VPN endpoint on the WAN side (placing the UTM between two VPN endpoints), encrypted packets are sent to the UTM. Because the UTM filters the encrypted packets through NAT, the packets become invalid unless you enable the VPN Pass-through feature. To enable the VPN tunnel to pass the VPN traffic without any filtering, select any or all of the following checkboxes: IPSec: Disables NAT filtering for IPSec tunnels. PPTP: Disables NAT filtering for PPTP tunnels. L2TP: Disables NAT filtering for L2TP tunnels. By default, all three checkboxes are selected. 4. Click Apply to save your settings. [Firewall Protection, page 5-22] Setting Session Limits: Session limits allow you to specify the total num
571. tton. [Virtual Private Networking Using IPsec Connections, page 7-23] To add or edit an IKE policy, see Manually Adding or Editing an IKE Policy on this page. Note: You cannot delete or edit an IKE policy for which the VPN policy is active. You first must disable or delete the VPN policy before you can delete or edit the IKE policy. Note: To gain a more complete understanding of the encryption, authentication, and DH algorithm technologies, see the link to Virtual Private Networking Basics in Appendix E. Manually Adding or Editing an IKE Policy: To manually add an IKE policy: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-23). 2. Under the List of IKE Policies table, click the add table button. The Add IKE Policy screen displays (see Figure 7-21 on page 7-25, which shows the UTM25 screen). The WAN and WAN2 radio buttons next to Select Local Gateway are shown on the Add IKE Policy screen for the UTM25, but not on the Add IKE Policy screen for the UTM10. [Virtual Private Networking Using IPsec Connections, page 7-24] [Figure 7-21: Add IKE Policy screen (screenshot residue: Add New VPN Policy; Do you want to use Mode Config Record? Yes / No; view selected).]
572. ttons: OFF: Port scan detection is disabled. This is the default setting. ALERT: When a port is scanned, an alert is e-mailed to the administrator that is specified in the Email Notification screen. Block Source IP: When a port is scanned, the IP address of the PC or device that scans the port is blocked for the duration that you specify in the Seconds field. The default setting is 300 seconds. 4. Click Apply to save your settings. [Firewall Protection, page 5-47] Note: Traffic that passes on the UTM's VLANs and on the secondary IP addresses that you have configured on the LAN Multi-homing screen (see Configuring Multi-Home LAN IPs on the Default VLAN on page 4-11) is also scanned by the IPS. When you enable the IPS, the default IPS configuration goes into effect. The default IPS configuration is the configuration that the Advanced IPS screen returns to when you click the Reset button. To modify the default IPS configuration: 1. Select Network Security > IPS from the menu. The IPS submenu tabs appear with the Global IPS screen in view (see Figure 5-30 on page 5-47). From the IPS submenu tabs, click Advanced. The Advanced IPS screen displays (see Figure 5-31 on page 5-49). This screen displays sections for the different categories of attacks, such as Web, Mail, Databases, and so on. In the Enabled column fo
573. ttps://172.16.0.123. The UTM's remote login URL is https://<IP_address> or https://<FullyQualifiedDomainName>. Note: For enhanced security, restrict access to as few external IP addresses as practical. See Setting User Login Policies on page 9-12 for instructions on restricting administrator access by IP address. Note: To maintain security, the UTM rejects a login that uses an http:// address rather than the SSL https:// address. Note: The first time that you remotely connect to the UTM25 with a browser via an SSL connection, you might get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate. Note: If you are unable to remotely connect to the UTM after enabling HTTPS remote management, check if other user policies, such as the default user policy, are preventing access. For access to the UTM's Web Management Interface, check if administrative access through a WAN interface is granted (see Configuring Login Policies on page 9-12). Note: If you disable HTTPS remote management, all SSL VPN user connections are also disabled. address of your UTM by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert UTM.mynetgear.net, and the WAN IP address that your ISP assigned to the UTM is displayed.
574. u can be alerted to important events such as a WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described. Note: All log and report functions that are part of the Logs & Reports configuration menu and some of the functions that are part of the Diagnostics configuration menu require that you configure the e-mail notification server (see Configuring the E-mail Notification Server on page 11-5). This chapter contains the following sections: Enabling the WAN Traffic Meter on this page; Configuring Logging, Alerts, and Event Notifications on page 11-5; Monitoring Real-Time Traffic, Security, and Statistics on page 11-14; Viewing Status Screens on page 11-20; Querying Logs and Generating Reports on page 11-32; Using Diagnostics Utilities on page 11-43. Enabling the WAN Traffic Meter: If your ISP charges by traffic volume over a given period of time, or if you want to study traffic types over a period of time, you can activate the traffic meter for one or both WAN ports. To monitor traffic limits on each of the WAN ports: 1. Select Network Config > WAN Metering from the menu. On the UTM25, the WAN Metering tabs appear with the WAN1 Traffic Meter screen in view (see
575. ual WAN Ports (UTM25 Only). VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing. In a dual WAN port load balancing gateway configuration, the remote PC initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2, as necessary to balance the loads of the two gateway WAN ports) because the IP address of the active WAN port is not known in advance. The selected gateway WAN port must act as the responder. [Figure B-12: Road Warrior Example, Dual WAN Ports, Load Balancing. The diagram shows Gateway A, a VPN router at the employer's main office with LAN 10.5.6.0/24, LAN IP 10.5.6.1 and a WAN1 FQDN of bzrouteri.dyndns.org, and Client B, a remote PC running the NETGEAR ProSafe VPN Client with WAN IP 0.0.0.0. Fully qualified domain names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.] The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional. VPN Gateway-to-Gateway: The following situations exemplify the requirements for a gateway VPN firewall, such as a UTM, to establish a VPN tunnel with another gateway VPN firewall: Single gateway WAN ports; Redundant dual gateway WAN ports for increased reliability, before and after rollover; Dual gateway WAN ports for load balancing. VPN Gateway-to-Gateway: Sing
576. using SSL VPN Wizard 8-3; specifications A-4; status 8-16; tunnel description 8-7; user account 9-9; user portal 8-15; user settings, using SSL VPN Wizard 8-7. SSL VPN Wizard 1-7, 8-2. stateful packet inspection, see SPI. static IP address 2-13, 3-4, 3-8. static routes: configuring 4-22; example 4-27; RIP 4-24; settings 4-24; table 4-23. statistics, service and traffic 19. status screens 11-20. stealth mode 5-2. Stream Scanning technology, overview 1-4. streaming HTTP and HTTPS traffic 2-20, 6-22. submenu tabs, Web Management Interface 2-5. support, online 12-10. suspicious files, sending to NETGEAR 2. SYN flood 5-2. syslog server 11-9. system: date and time settings, using the Setup Wizard 2-14, 10-24; log messages C-2; logs 11-8, 11-33, 11-34; reports 11-39; status 11-20; updating 10-20. T. table buttons, Web Management Interface 2-6. tabs, submenu, Web Management Interface 2-5. TCP flood, blocking 5-27. TCP time-out 5-24. TCP/IP: network, troubleshooting 12-6; settings 2-9. [Index-13] technical specifications A-2. Test LED 1-10, 12-2. testing: connectivity 2-26; HTTP scanning 2-26. time: daylight savings, troubleshooting 12-10; settings 2-15, 10-24; troubleshooting 2-9. time-out: error, troubleshooting 2-4; sessions 5-24. tips, firewall and content filtering 5-2. ToS 1-6, 5-6, 5-9, 5-33, 5-35. tracert, using with DDNS
usions on page 6-41. If necessary, you can also create firewall rules to apply to a single PC (see Enabling Source MAC Filtering on page 5-40). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address.

Managing the Network Database

You can view the Network Database, manually add or remove database entries, and edit database entries.

To view the Network Database:

1. Select Network Config > LAN Settings from the menu. The LAN Settings submenu tabs appear with the LAN Setup screen in view.
2. Click the LAN Groups submenu tab. The LAN Groups screen displays (see Figure 4-5 on page 4-14), which shows some examples in the Known PCs and Devices table.

[Figure 4-5: LAN Groups screen. The Known PCs and Devices table lists Name, IP Address, MAC Address, Group, Profile Name and Action for the example entries Marketing (192.168.1.15, Group1, defaultVlan), Sales (192.168.1.20, Group2, defaultVlan) and Sales EMEA (192.168.1.35, Group2, defaultVlan), with select all, delete and save binding table buttons. Below it, the Add Known PCs and Devices section has Name, IP Address Type, IP Address, MAC Address, Group and Profile Name fields and an add button.]
ust set up an account with a DDNS provider such as DynDNS.org, TZO.com, or Oray.net. Links to DynDNS, TZO, and Oray are provided for your convenience as submenu tabs of the Dynamic DNS configuration menu.

The UTM firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently, hence the need for a commercial DDNS service, which allows you to register an extension to its domain and resolves DNS requests for the resulting FQDN to your frequently changing IP address.

After you have configured your account information on the UTM, when your ISP-assigned IP address changes, your UTM automatically contacts your DDNS service provider, logs in to your account, and registers your new IP address.

Consider the following:

• For auto-rollover mode, you need a fully qualified domain name (FQDN) to implement features such as exposed hosts and virtual private networks, regardless of whether you have a fixed or dynamic IP address.
• For load balancing mode, you might still need a fully qualified domain name (FQDN)
vate Networking Using IPsec Connections

Chapter 8
Virtual Private Networking Using SSL Connections

The UTM provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the UTM can authenticate itself to an SSL-enabled client, such as a standard Web browser. Once the authentication and negotiation of encryption information is completed, the server and client can establish an encrypted connection. With support for up to 13 dedicated SSL VPN tunnels, users can easily access the remote network for a customizable, secure user portal experience from virtually any available platform.

This chapter contains the following sections:

• Understanding the SSL VPN Portal Options (on this page)
• Using the SSL VPN Wizard for Client Configurations (on page 8-2)
• Manually Configuring and Editing SSL Connections (on page 8-17)

Understanding the SSL VPN Portal Options

The UTM's SSL VPN portal can provide two levels of SSL service to the remote user:

• SSL VPN Tunnel. The UTM can provide the full network connectivity of a VPN tunnel using the remote user's browser instead of a traditional IPsec VPN client. The SSL capability of the user's browser provides authentication and
ve created a QoS profile, you can assign the QoS profile to firewall rules. The QoS is set individually for each service. You can change the mix of traffic through the WAN ports by granting some services a higher priority than others:

• You can accept the default priority defined by the service itself by not changing its QoS setting.
• You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have.

For more information about QoS profiles, see Creating Quality of Service (QoS) Profiles on page 5-33.

Assigning Bandwidth Profiles

By applying a QoS profile, the WAN bandwidth does not change. You change the WAN bandwidth that is assigned to a service or application by applying a bandwidth profile. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN links. For more information about bandwidth profiles, see Creating Bandwidth Profiles on page 5-36.

Monitoring Tools for Traffic Management

The UTM includes several tools that can be used to monitor the traffic conditions of the firewall and content filtering engine and to monitor the users' access to the Internet
ways sufficient space to save newer logs, the UTM automatically deletes older logs whenever the total log size reaches 50% of the allocated file size for each log type. Automated log purging means that you do not need to constantly manage the size of the UTM logs and ensures that the latest malware threats and traffic activities are always recorded.

Note: After the UTM reboots, traffic logs are lost. Therefore, NETGEAR recommends that you connect the UTM to a syslog server to save the traffic logs externally. Other logs (that is, non-traffic logs) are automatically backed up on the UTM every 15 minutes. However, if a power failure affects the UTM, logs that were created within this 15-minute period are lost.

To manually purge selected logs, see Configuring and Activating System, E-mail, and Syslog Logs on page 11-6.

Scheduling and Generating Reports

The UTM lets you schedule and generate three types of reports:

• Email Reports. For each protocol (SMTP, POP3, and IMAP), the report shows the following information per day, both in tables and graphics:
  – Number of connections
  – Traffic amount (in MB)
  – Number of malware incidents
  – Number of files blocked
  – Number of blacklist violations (not applicable to POP3 and IMAP)
  – Number of e-mails captured by Distri
[Figure 11-24: Report List screen with download and delete table buttons; the example shows one saved report dated 2009-05-27 01:01:02.]

3. Enter the settings as explained in Table 11-16.

Table 11-16. Generate Report Settings (Setting; Description or Subfield and Description)

Time From. From the pull-down menus, specify the start year, month, day, hour, and minutes for the report.
Time To. From the pull-down menus, specify the end year, month, day, hour, and minutes for the report. Note: The maximum report period is 31 days.
Reports. Select one or more checkboxes to specify the reports that are generated: Email Reports, Web Reports, System Reports. Note: You can select all three checkboxes, but you might generate a very large report.

4. Click Generate. After a few minutes, the report is added to the Report List, which can contain a maximum of five saved reports. To delete a previously saved report, click its delete table button.

5. Select the new or a previously saved report for downloading by clicking its download table button. The reports download as a zipped file that contains both CSV and HTML files.

Scheduling Reports

To schedule automatic generation and e-mailing of reports:

1. Select Monitoring > Logs & Reports from the menu. The Logs & Reports submenu tabs appear with the Email and Syslog scree
xample, if your network includes a Web server that hosts Web pages that are accessible by anyone on the Internet, the files that are hosted by your Web server do not need to be scanned. To prevent the UTM from scanning these files, you can configure a scanning exclusion for your Web server.

To configure scanning exclusion rules:

1. Select Application Security > Scanning Exclusions from the menu. The Scanning Exclusions screen displays. This screen shows the Scanning Exclusions table, which is empty if you have not specified any exclusions. Figure 6-20 on page 6-45 shows one exclusion rule in the table as an example.

[Figure 6-20: Scanning Exclusions screen. The Scanning Exclusions table (columns Client IP, Destination IP, Port, Brief Description) contains one example rule: client IP 192.168.120.0/24, port 515, description "Printers". Below it, the Add Scanning Exclusions section gives the IP examples 192.168.32.1 and 192.168.32.0/24 and has Client IP, Destination IP, Port and Brief Description fields with an add button.]

2. In the Add Scanning Exclusions section of the screen, specify an exclusion rule as explained in Table 6-14.

Table 6-14. Add Scanning Exclusion Settings (Setting; Description or Subfield and Description)

Client IP. The client IP address and optional subnet mask that are exclude
xamples.

[Figure 7-22: List of VPN Policies. Columns: Status, Name, Type, Local, Remote, Auth, Encr, Action. The example shows two Auto Policy entries, one between a local subnet and the remote subnet 192.172.1.0/255.255.255.0 and one with remote "Any", both using SHA-1 authentication and 3DES encryption, each with an edit button; below the table are select all, delete, enable, disable and add table buttons.]

Each policy contains the data that are explained in Table 7-11. These fields are explained in more detail in Table 7-12 on page 7-34.

Table 7-11. List of VPN Policies Information (Item; Description or Subfield and Description)

Status. Indicates whether the policy is enabled (green circle) or disabled (grey circle). To enable or disable a policy, select the checkbox adjacent to the circle and click the enable or disable table button as required.
Name. The name that identifies the VPN policy. When you use the VPN Wizard to create a VPN policy, the name of the VPN policy (and of the automatically created accompanying IKE policy) is the Connection Name.
Type. Auto or Manual, as described previously (Auto is used during VPN Wizard configuration).
Local. IP address (either a single address, a range of addresses, or a subnet address) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. The subnet address is supplied as the default IP address when using the VPN Wizard.
Remote. IP address or address range of the remote network. Traffic must be to (or from) these addresses to be covered by this policy. The VPN Wizard default requires
y DNS server that is assigned to the VPN tunnel clients. This is an option.
Client Address Range Begin. The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
Client Address Range End. The last IP address of the IP address range that you want to assign to the VPN tunnel clients.
Add Routes for VPN Tunnel Clients
Destination Network. Leave this field blank, or specify a destination network IP address of a local network or subnet that has not yet been used.
Subnet Mask. Leave this field blank, or specify the address of the appropriate subnet mask.

[Figure 8-6: SSL VPN Wizard Step 5 of 6, Port Forwarding. Two tables: Local Server IP Address / TCP Port Number / Action, and Local Server IP Address / Fully Qualified Domain Name / Action, each populated with example entries. The screen's own note reads: "You can input nothing for skipping this step. Please make sure that the IP and the port number have NOT been used if you want to add a new application. Otherwise applying wizard will fail and UTM have to reboot to recover configuations."]

Note that Figure 8-6 contains some examples. Enter the settings as explained in Table 8-5, then click Next to go to the following screen.

Note: Do not enter an IP address that is already in use
y Editor: My Identity Settings (continued) (Setting; Description or Subfield and Description)

ID Type. From the pull-down menu, select Domain Name. Then, below, enter the remote FQDN that you entered on the UTM's VPN Wizard screen (see Figure 7-9 on page 7-9). In this example, the domain name is utm_remote.com.
Secure Interface. Leave the default setting, which is the Disabled selection from the Virtual Configuration Adapter pull-down menu.
Internet Interface. Leave the default setting, which is the Any selection from the Name pull-down menu.

7. Click on the disk icon to save the configuration, or select File > Save from the Security Policy Editor menu.

8. In the left frame, click Security Policy. The screen adjusts.

[Figure 7-14: Security Policy Editor (NETGEAR ProSafe VPN Client), Security Policy screen for the UTM_SJ connection in the My Connections tree: Select Phase 1 Negotiation Mode (Main Mode or Aggressive Mode), Enable Perfect Forward Secrecy (PFS), PFS Key Group set to Diffie-Hellman Group 2, and Enable Replay Detection.]

9. Enter the settings as explained in Table 7-6.

Table 7-6. Secu
y Login from WAN Interface

[Figure 9-7: Login Policies screen with the Disable Login and Deny Login from WAN Interface checkboxes.]

3. In the User Login Policies section of the screen, make the following selections:

• To prohibit this user from logging in to the UTM, select the Disable Login checkbox.
• To prohibit this user from logging in from the WAN interface, select the Deny Login from WAN Interface checkbox. In this case, the user can log in only from the LAN interface.

Note: For security reasons, the Deny Login from WAN Interface checkbox is selected by default for guests and administrators. The Disable Login checkbox is disabled (masked out) for administrators.

4. Click Apply to save your settings.

Configuring Login Restrictions Based on IP Address

To restrict logging in based on IP address:

1. Select Users > Users from the menu. The Users screen displays (see Figure 9-5 on page 9-10).
2. In the Action column of the List of Users table, click the policies table button for the user for which you want to set login policies. The Policies submenu tabs appear with the Login Policies screen in view.
3. Click the by Source IP Address submenu tab. The by Source IP Address screen displays. Figure 9-8 shows an IP address in the Defined Addresses table as an example.

[Figure 9-8: by Source IP Address screen, with the submenu tabs Login Policies, by Source IP Address and by Client Browser, the status line "Operation succeeded" and the User Name
y a CA and available for use. For each self certificate, the table lists the following information:

• Name. The name that you used to identify this digital certificate.
• Subject Name. The name that you used for your company and that other organizations see as the holder (owner) of the certificate.
• Serial Number. This is a serial number maintained by the CA. It is used to identify the digital certificate within the CA.
• Issuer Name. The name of the CA that issued the digital certificate.
• Expiry Time. The date on which the digital certificate expires. You should renew the digital certificate before it expires.

To delete one or more self certificates:

1. In the Active Self Certificates table, select the checkbox to the left of the self certificate that you want to delete, or click the select all table button to select all self certificates.
2. Click the delete table button.

Managing the Certificate Revocation List

A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up to date. You should obtain the CRL for each CA regularly.

To view the currently loaded CRLs and upload a new CRL:

1. Select VPN > Certificates from the menu. The Certificates scree
[Figure 2-8: Setup Wizard Step 2 of 10, WAN Settings. Options: Get Dynamically from ISP; Use Static IP Address (IP Address, IP Subnet Mask, Gateway IP Address); Use These DNS Servers (Primary DNS Server, Secondary DNS Server).]

Enter the settings as explained in Table 2-2 on page 2-12, then click Next to go to the following screen.

Note: Click the Auto Detect action button at the bottom of the menu. The auto-detect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.

Note: After you have completed the steps in the Setup Wizard, you can make changes to the WAN settings by selecting Network Config > WAN Settings. Then, for the UTM25, select either WAN1 ISP Settings or WAN2 ISP Settings, or, for the UTM10, select WAN ISP Settings. For more information about these WAN settings, see Configuring the Internet Connections on page 3-2.

Table 2-2. Setup Wizard Step 2: WAN Settings (Setting; Description or Subfield and Description)

ISP Login. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select the Yes radio button. Otherwise, select the No radio button, which is the default setting, and skip the ISP Type sect
[Figure 5-15: LAN WAN or DMZ WAN Inbound Rule. Fields: Action (by schedule, otherwise allow), Select Schedule, Send to LAN Server, Translate to Port Number, WAN Destination IP Address (WAN1), LAN Users (Any, Start/Finish), WAN Users (Start/Finish), QoS Profile, Log, Bandwidth Profile (NONE).]

Setting Up One-to-One NAT Mapping

In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the UTM to host an additional public IP address and associate this address with a Web server on the LAN. The following addressing scheme is used to illustrate this procedure:

• NETGEAR UTM: WAN1 IP address (UTM25) or WAN IP address (UTM10): 10.1.0.118; LAN IP address/subnet: 192.168.1.1, subnet 255.255.255.0; DMZ IP address/subnet: 192.168.10.1, subnet 255.255.255.0.
• Web server PC on the UTM's LAN: LAN IP address 192.168.1.2; DMZ IP address 192.168.10.2. Access to the Web server is via the (simulated) public IP address 10.1.0.52.

You can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN PCs through NAT. The other addre
ynamically from ISP radio button. The ISP automatically assigns an IP address to the UTM using the DHCP network protocol.
Use Static IP Address. If your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button and enter the following settings:
  IP Address. Static IP address assigned to you. This address identifies the UTM to your ISP.
  Subnet Mask. The subnet mask is usually provided by your ISP.
  Gateway IP Address. The IP address of the ISP's gateway is usually provided by your ISP.
Domain Name Server (DNS) Servers
  Get Automatically from ISP. If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the Get Automatically from ISP radio button.

Table 2-2. Setup Wizard Step 2: WAN Settings (continued) (Setting; Description or Subfield and Description)

  Use These DNS Servers. If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues.
  Primary DNS Server. The IP address of the primary DNS server.
  Secondary DNS Server. The IP address of the secondary DNS server.

Setup Wizard Step 3 of 10: System Da