| Section |
Page |
| ProSecure Unified Threat Management (UTM) Appliance |
1 |
| Contents |
5 |
| 1. Introduction |
15 |
| What Is the ProSecure Unified Threat Management (UTM) Appliance? |
15 |
| Key Features and Capabilities |
16 |
| Multiple WAN Port Models for Increased Reliability or Outbound Load Balancing |
17 |
| Wireless Features |
18 |
| DSL Features |
18 |
| Advanced VPN Support for Both IPSec and SSL |
18 |
| A Powerful, True Firewall |
19 |
| Stream Scanning for Content Filtering |
19 |
| Security Features |
20 |
| Autosensing Ethernet Connections with Auto Uplink |
20 |
| Extensive Protocol Support |
21 |
| Easy Installation and Management |
21 |
| Maintenance and Support |
22 |
| Model Comparison |
22 |
| Service Registration Card with License Keys |
23 |
| Package Contents |
24 |
| Hardware Features |
24 |
| Front Panel UTM5 and UTM10 |
25 |
| Front Panel UTM25 |
26 |
| Front Panel UTM50 |
26 |
| Front Panel UTM150 |
27 |
| Front Panel UTM9S and UTM25S and Network Modules |
28 |
| LED Descriptions, UTM5, UTM10, UTM25, UTM50, and UTM150 |
30 |
| LED Descriptions, UTM9S, UTM25S, and their Network Modules |
32 |
| Rear Panel UTM5, UTM10, and UTM25 |
33 |
| Rear Panel UTM50 and UTM150 |
34 |
| Rear Panel UTM9S and UTM25S |
35 |
| Bottom Panels with Product Labels |
36 |
| Choose a Location for the UTM |
39 |
| Use the Rack-Mounting Kit |
40 |
| 2. Use the Setup Wizard to Provision the UTM in Your Network |
41 |
| Steps for Initial Connection |
41 |
| Qualified Web Browsers |
42 |
| Requirements for Entering IP Addresses |
42 |
| Log In to the UTM |
42 |
| Web Management Interface Menu Layout |
44 |
| Use the Setup Wizard to Perform the Initial Configuration |
47 |
| Setup Wizard Step 1 of 10: LAN Settings |
48 |
| Setup Wizard Step 2 of 10: WAN Settings |
51 |
| Setup Wizard Step 3 of 10: System Date and Time |
54 |
| Setup Wizard Step 4 of 10: Services |
55 |
| Setup Wizard Step 5 of 10: Email Security |
57 |
| Setup Wizard Step 6 of 10: Web Security |
58 |
| Setup Wizard Step 7 of 10: Web Categories to Be Blocked |
60 |
| Setup Wizard Step 8 of 10: Email Notification |
62 |
| Setup Wizard Step 9 of 10: Signatures & Engine |
63 |
| Setup Wizard Step 10 of 10: Saving the Configuration |
64 |
| Register the UTM with NETGEAR |
65 |
| Use the Web Management Interface to Activate Licenses |
65 |
| Electronic Licensing |
67 |
| Automatic Retrieval of Licenses after a Factory Default Reset |
67 |
| Verify Correct Installation |
68 |
| Test Connectivity |
68 |
| Test HTTP Scanning |
68 |
| What to Do Next |
68 |
| 3. Manually Configure Internet and WAN Settings |
70 |
| Internet and WAN Configuration Tasks |
71 |
| Automatically Detecting and Connecting the Internet Connections |
71 |
| Manually Configure the Internet Connection |
75 |
| Configure the WAN Mode |
80 |
| Overview of the WAN Modes |
80 |
| Configure Network Address Translation (All Models) |
81 |
| Configure Classical Routing (All Models) |
82 |
| Configure Auto-Rollover Mode and the Failure Detection Method (Multiple WAN Port Models) |
82 |
| Configure Load Balancing and Optional Protocol Binding (Multiple WAN Port Models) |
85 |
| Configure Secondary WAN Addresses |
89 |
| Configure Dynamic DNS |
91 |
| Set the UTM’s MAC Address and Configure Advanced WAN Options |
94 |
| Additional WAN-Related Configuration Tasks |
97 |
| 4. LAN Configuration |
98 |
| Manage Virtual LANs and DHCP Options |
98 |
| Port-Based VLANs |
99 |
| Assign and Manage VLAN Profiles |
100 |
| VLAN DHCP Options |
101 |
| Configure a VLAN Profile |
103 |
| Configure VLAN MAC Addresses and Advanced LAN Settings |
108 |
| Configure Multihome LAN IP Addresses on the Default VLAN |
109 |
| Manage Groups and Hosts (LAN Groups) |
111 |
| Manage the Network Database |
112 |
| Change Group Names in the Network Database |
115 |
| Set Up Address Reservation |
116 |
| Configure and Enable the DMZ Port |
117 |
| Manage Routing |
121 |
| Configure Static Routes |
121 |
| Configure Routing Information Protocol |
123 |
| Static Route Example |
126 |
| 5. Firewall Protection |
127 |
| About Firewall Protection |
127 |
| Administrator Tips |
128 |
| Overview of Rules to Block or Allow Specific Kinds of Traffic |
128 |
| Outbound Rules (Service Blocking) |
129 |
| Inbound Rules (Port Forwarding) |
133 |
| Order of Precedence for Rules |
138 |
| Configure LAN WAN Rules |
139 |
| Create LAN WAN Outbound Service Rules |
140 |
| Create LAN WAN Inbound Service Rules |
141 |
| Configure DMZ WAN Rules |
142 |
| Create DMZ WAN Outbound Service Rules |
144 |
| Create DMZ WAN Inbound Service Rules |
144 |
| Configure LAN DMZ Rules |
145 |
| Create LAN DMZ Outbound Service Rules |
147 |
| Create LAN DMZ Inbound Service Rules |
147 |
| Examples of Firewall Rules |
148 |
| Inbound Rule Examples |
148 |
| Outbound Rule Example |
153 |
| Configure Other Firewall Features |
154 |
| VLAN Rules |
154 |
| Attack Checks, VPN Pass-through, and Multicast Pass-through |
157 |
| Set Session Limits |
160 |
| Manage the Application Level Gateway for SIP Sessions and VPN Scanning |
161 |
| Create Services, QoS Profiles, Bandwidth Profiles, and Traffic Meter Profiles |
162 |
| Add Customized Services |
163 |
| Create Service Groups |
165 |
| Create IP Groups |
167 |
| Create Quality of Service Profiles |
169 |
| Create Bandwidth Profiles |
171 |
| Create Traffic Meter Profiles |
174 |
| Set a Schedule to Block or Allow Specific Traffic |
177 |
| Enable Source MAC Filtering |
179 |
| Set Up IP/MAC Bindings |
181 |
| Configure Port Triggering |
183 |
| Configure Universal Plug and Play |
186 |
| Enable and Configure the Intrusion Prevention System |
187 |
| 6. Content Filtering and Optimizing Scans |
192 |
| About Content Filtering and Scans |
192 |
| Default Email and Web Scan Settings |
193 |
| Configure Email Protection |
194 |
| Customize Email Protocol Scan Settings |
194 |
| Customize Email Antivirus and Notification Settings |
196 |
| Email Content Filtering |
199 |
| Protect Against Email Spam |
202 |
| Configure Web and Services Protection |
210 |
| Customize Web Protocol Scan Settings |
210 |
| Configure HTTPS Smart Block |
212 |
| Configure Web Malware or Antivirus Scans |
216 |
| Configure Web Content Filtering |
218 |
| Configure Web URL Filtering |
224 |
| Configure HTTPS Scanning and SSL Certificates |
228 |
| How HTTPS Scanning Works |
228 |
| Configure the HTTPS Scan Settings |
230 |
| Manage SSL Certificates for HTTPS Scanning |
231 |
| Specify Trusted Hosts for HTTPS Scanning |
235 |
| Configure the SSL Settings for HTTPS Scanning |
237 |
| Configure FTP Scanning |
238 |
| Customize FTP Antivirus Settings |
238 |
| Configure FTP Content Filtering |
239 |
| Configure Application Control |
240 |
| Set Exception Rules for Web and Application Access |
248 |
| Create Custom Categories for Exceptions for Web and Application Access |
258 |
| Set Scanning Exclusions for IP Addresses and Ports |
262 |
| 7. Virtual Private Networking Using IPSec, PPTP, or L2TP Connections |
264 |
| Considerations for Dual WAN Port Systems (Multiple WAN Port Models Only) |
264 |
| Use the IPSec VPN Wizard for Client and Gateway Configurations |
266 |
| Create Gateway-to-Gateway VPN Tunnels with the Wizard |
266 |
| Create a Client-to-Gateway VPN Tunnel |
271 |
| Test the Connection and View Connection and Status Information |
287 |
| Test the NETGEAR VPN Client Connection |
287 |
| NETGEAR VPN Client Status and Log Information |
289 |
| View the UTM IPSec VPN Connection Status |
289 |
| View the UTM IPSec VPN Log |
290 |
| Manage IPSec VPN and IKE Policies |
291 |
| Manage IKE Policies |
292 |
| Manage VPN Policies |
300 |
| Configure Extended Authentication (XAUTH) |
308 |
| Configure XAUTH for VPN Clients |
309 |
| User Database Configuration |
310 |
| RADIUS Client and Server Configuration |
310 |
| Assign IP Addresses to Remote Users (Mode Config) |
312 |
| Mode Config Operation |
312 |
| Configure Mode Config Operation on the UTM |
312 |
| Configure the ProSafe VPN Client for Mode Config Operation |
319 |
| Test the Mode Config Connection |
326 |
| Modify or Delete a Mode Config Record |
327 |
| Configure Keep-Alives and Dead Peer Detection |
328 |
| Configure Keep-Alives |
328 |
| Configure Dead Peer Detection |
329 |
| Configure NetBIOS Bridging with IPSec VPN |
330 |
| Configure the PPTP Server |
331 |
| View the Active PPTP Users |
333 |
| Configure the L2TP Server |
334 |
| View the Active L2TP Users |
336 |
| For More IPSec VPN Information |
336 |
| 8. Virtual Private Networking Using SSL Connections |
337 |
| SSL VPN Portal Options |
337 |
| Build a Portal Using the SSL VPN Wizard |
338 |
| SSL VPN Wizard Step 1 of 6 (Portal Settings) |
339 |
| SSL VPN Wizard Step 2 of 6 (Domain Settings) |
342 |
| SSL VPN Wizard Step 3 of 6 (User Settings) |
347 |
| SSL VPN Wizard Step 4 of 6 (Client IP Addresses and Routes) |
348 |
| SSL VPN Wizard Step 5 of 6 (Port Forwarding) |
350 |
| SSL VPN Wizard Step 6 of 6 (Verify and Save Your Settings) |
351 |
| Access the New SSL VPN Portal |
353 |
| View the UTM SSL VPN Connection Status |
356 |
| View the UTM SSL VPN Log |
357 |
| Manually Configure and Modify SSL Portals |
357 |
| Manually Create or Modify the Portal Layout |
359 |
| Configure Domains, Groups, and Users |
362 |
| Configure Applications for Port Forwarding |
363 |
| Configure the SSL VPN Client |
365 |
| Use Network Resource Objects to Simplify Policies |
369 |
| Configure User, Group, and Global Policies |
371 |
| For More SSL VPN Information |
377 |
| 9. Manage Users, Authentication, and VPN Certificates |
378 |
| Authentication Process and Options |
378 |
| Configure Authentication Domains, Groups, and Users |
380 |
| Login Portals |
380 |
| Active Directories and LDAP Configurations |
384 |
| Configure Domains |
388 |
| Configure Groups |
394 |
| Configure Custom Groups |
397 |
| Configure User Accounts |
401 |
| Set User Login Policies |
404 |
| Change Passwords and Other User Settings |
408 |
| DC Agent |
409 |
| Configure RADIUS VLANs |
415 |
| Configure Global User Settings |
416 |
| View and Log Out Active Users |
417 |
| Manage Digital Certificates for VPN Connections |
419 |
| VPN Certificates Screen |
420 |
| Manage CA Certificates |
421 |
| Manage Self-Signed Certificates |
422 |
| Manage the Certificate Revocation List |
426 |
| 10. Network and System Management |
428 |
| Performance Management |
428 |
| Bandwidth Capacity |
428 |
| Features That Reduce Traffic |
429 |
| Features That Increase Traffic |
432 |
| Use QoS and Bandwidth Assignments to Shift the Traffic Mix |
435 |
| Monitoring Tools for Traffic Management |
436 |
| System Management |
436 |
| Change Passwords and Administrator and Guest Settings |
436 |
| Configure Remote Management Access |
438 |
| Use a Simple Network Management Protocol Manager |
440 |
| Manage the Configuration File |
445 |
| Update the Firmware |
448 |
| Update the Scan Signatures and Scan Engine Firmware |
454 |
| Configure Date and Time Service |
456 |
| Connect to a ReadyNAS and Configure Quarantine Settings |
458 |
| Log Storage |
459 |
| Connect to a ReadyNAS |
459 |
| Configure the Quarantine Settings |
460 |
| 11. Monitor System Access and Performance |
462 |
| Enable the WAN Traffic Meter |
462 |
| Configure Logging, Alerts, and Event Notifications |
466 |
| Configure the Email Notification Server |
466 |
| Configure and Activate System, Email, and Syslog Logs |
467 |
| How to Send Syslogs over a VPN Tunnel between Sites |
471 |
| Configure and Activate Update Failure and Attack Alerts |
473 |
| Configure and Activate Firewall Logs |
476 |
| Monitor Real-Time Traffic, Security, and Statistics |
477 |
| Monitor Application Use in Real Time |
483 |
| View Status Screens |
486 |
| View the System Status |
486 |
| View the Active VPN Users |
499 |
| View the VPN Tunnel Connection Status |
500 |
| View the Active PPTP and L2TP Users |
501 |
| View the Port Triggering Status |
502 |
| View the WAN, xDSL, or USB Port Status |
504 |
| View Attached Devices and the DHCP Leases |
505 |
| Query and Manage the Logs |
507 |
| Overview of the Logs |
508 |
| Query and Download Logs |
509 |
| Example: Use the Logs to Identify Infected Clients |
513 |
| Log Management |
514 |
| Query and Manage the Quarantine Logs |
514 |
| Query the Quarantined Logs |
515 |
| View and Manage the Quarantined Spam Table |
517 |
| View and Manage the Quarantined Infected Files Table |
518 |
| Spam Reports for End Users |
519 |
| View, Schedule, and Generate Reports |
520 |
| Enable Application Session Monitoring |
521 |
| Report Filtering Options |
522 |
| Use Report Templates and View Reports Onscreen |
524 |
| Schedule, Email, and Manage Reports |
529 |
| Use Diagnostics Utilities |
531 |
| Use the Network Diagnostic Tools |
532 |
| Use the Real-Time Traffic Diagnostics Tool |
533 |
| Gather Important Log Information and Generate a Network Statistics Report |
534 |
| Perform Maintenance on the USB Device, Reboot the UTM, or Shut Down the UTM |
536 |
| 12. Troubleshoot and Use Online Support |
538 |
| Basic Functioning |
539 |
| Verify the Correct Sequence of Events at Startup |
539 |
| Power LED Not On |
539 |
| Test LED Never Turns Off |
539 |
| LAN or WAN Port LEDs Not On |
540 |
| Troubleshoot the Web Management Interface |
540 |
| When You Enter a URL or IP Address, a Time-Out Error Occurs |
541 |
| Troubleshoot the ISP Connection |
541 |
| Troubleshoot a TCP/IP Network Using a Ping Utility |
543 |
| Test the LAN Path to Your UTM |
543 |
| Test the Path from Your Computer to a Remote Device |
544 |
| Restore the Default Configuration and Password |
545 |
| Problems with Date and Time |
546 |
| Use Online Support |
546 |
| Enable Remote Troubleshooting |
546 |
| Send Suspicious Files to NETGEAR for Analysis |
547 |
| Access the Knowledge Base and Documentation |
548 |
| A. xDSL Network Module for the UTM9S and UTM25S |
549 |
| xDSL Network Module Configuration Tasks |
550 |
| Configure the xDSL Settings |
550 |
| Automatically Detecting and Connecting the xDSL Internet Connection |
553 |
| Manually Configure the xDSL Internet Connection |
556 |
| Configure the WAN Mode |
561 |
| Overview of the WAN Modes |
561 |
| Configure Network Address Translation |
562 |
| Configure Classical Routing |
563 |
| Configure Auto-Rollover Mode and the Failure Detection Method |
563 |
| Configure Load Balancing and Optional Protocol Binding |
566 |
| Configure Secondary WAN Addresses |
570 |
| Configure Dynamic DNS |
572 |
| Set the UTM’s MAC Address and Configure Advanced WAN Options |
574 |
| Additional WAN-Related Configuration Tasks |
577 |
| B. Wireless Network Module for the UTM9S and UTM25S |
578 |
| Overview of the Wireless Network Module |
579 |
| Configuration Order |
579 |
| Wireless Equipment Placement and Range Guidelines |
579 |
| Configure the Basic Radio Settings |
580 |
| Operating Frequency (Channel) Guidelines |
583 |
| Wireless Data Security Options |
584 |
| Wireless Security Profiles |
585 |
| Before You Change the SSID, WEP, and WPA Settings |
587 |
| Configure and Enable Wireless Profiles |
588 |
| Restrict Wireless Access by MAC Address |
593 |
| View the Access Point Status and Connected Clients for a Wireless Profile |
595 |
| Configure a Wireless Distribution System |
596 |
| Configure Advanced Radio Settings |
598 |
| Configure WMM QoS Priority Settings |
600 |
| Test Basic Wireless Connectivity |
602 |
| For More Information About Wireless Configurations |
602 |
| C. 3G/4G Dongles for the UTM9S and UTM25S |
603 |
| 3G/4G Dongle Configuration Tasks |
603 |
| Manually Configure the USB Internet Connection |
604 |
| Configure the 3G/4G Settings |
608 |
| Configure the WAN Mode |
610 |
| Overview of the WAN Modes |
611 |
| Configure Network Address Translation |
612 |
| Configure Classical Routing |
613 |
| Configure Load Balancing and Optional Protocol Binding |
614 |
| Configure Dynamic DNS |
618 |
| Additional WAN-Related Configuration Tasks |
621 |
| D. Network Planning for Dual WAN Ports (Multiple WAN Port Models Only) |
622 |
| What to Consider Before You Begin |
622 |
| Plan Your Network and Network Management and Set Up Accounts |
622 |
| Cabling and Computer Hardware Requirements |
624 |
| Computer Network Configuration Requirements |
624 |
| Internet Configuration Requirements |
624 |
| Overview of the Planning Process |
626 |
| Inbound Traffic |
627 |
| Inbound Traffic to a Single WAN Port System |
628 |
| Inbound Traffic to a Dual WAN Port System |
628 |
| Virtual Private Networks |
629 |
| VPN Road Warrior (Client-to-Gateway) |
630 |
| VPN Gateway-to-Gateway |
633 |
| VPN Telecommuter (Client-to-Gateway through a NAT Router) |
635 |
| E. ReadyNAS Integration |
638 |
| Supported ReadyNAS Models |
638 |
| Install the UTM Add-On on the ReadyNAS |
639 |
| Connect to the ReadyNAS on the UTM |
641 |
| F. Two-Factor Authentication |
644 |
| Why Do I Need Two-Factor Authentication? |
644 |
| What Are the Benefits of Two-Factor Authentication? |
644 |
| What Is Two-Factor Authentication? |
645 |
| NETGEAR Two-Factor Authentication Solutions |
645 |
| G. System Logs and Error Messages |
648 |
| System Log Messages |
649 |
| System Startup |
649 |
| Reboot |
649 |
| NTP |
650 |
| Login/Logout |
650 |
| Firewall Restart |
651 |
| IPSec Restart |
651 |
| WAN Status |
651 |
| Traffic Metering Logs |
655 |
| Unicast, Multicast, and Broadcast Logs |
655 |
| Invalid Packet Logging |
656 |
| Service Logs |
658 |
| Content-Filtering and Security Logs |
658 |
| Web Filtering and Content-Filtering Logs |
659 |
| Spam Logs |
660 |
| Traffic Logs |
661 |
| Malware Logs |
661 |
| Email Filter Logs |
661 |
| IPS Logs |
662 |
| Anomaly Behavior Logs |
662 |
| Application Logs |
663 |
| Routing Logs |
663 |
| LAN-to-WAN Logs |
663 |
| LAN-to-DMZ Logs |
664 |
| DMZ-to-WAN Logs |
664 |
| WAN-to-LAN Logs |
664 |
| DMZ-to-LAN Logs |
665 |
| WAN-to-DMZ Logs |
665 |
| H. Default Settings and Technical Specifications |
666 |
| Default Settings |
666 |
| Physical and Technical Specifications |
673 |
| I. Notification of Compliance (Wired) |
677 |
| J. Notification of Compliance (Wireless) |
681 |
1
315
316
317
318
319
320
321
322
323
324
325
