| Section | Page |
|---|---|
| ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual | 1 |
| Contents | 7 |
| About This Manual | 17 |
| Conventions, Formats, and Scope | 17 |
| How to Print This Manual | 18 |
| Revision History | 18 |
| Chapter 1 Introduction | 19 |
| What Is the ProSecure Unified Threat Management Appliance UTM10 or UTM25? | 19 |
| Key Features and Capabilities | 20 |
| Dual WAN Ports for Increased Reliability or Outbound Load Balancing (UTM25 Only) | 21 |
| Advanced VPN Support for Both IPsec and SSL | 21 |
| A Powerful, True Firewall | 22 |
| Stream Scanning for Content Filtering | 22 |
| Security Features | 23 |
| Autosensing Ethernet Connections with Auto Uplink | 23 |
| Extensive Protocol Support | 24 |
| Easy Installation and Management | 24 |
| Maintenance and Support | 25 |
| Service Registration Card with License Keys | 26 |
| Package Contents | 27 |
| Hardware Features | 27 |
| Front Panel | 27 |
| Rear Panel | 30 |
| Bottom Panel With Product Label | 30 |
| Choosing a Location for the UTM | 32 |
| Using the Rack-Mounting Kit | 32 |
| Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network | 33 |
| Understanding the Steps for Initial Connection | 33 |
| Qualified Web Browsers | 34 |
| Logging In to the UTM | 34 |
| Understanding the Web Management Interface Menu Layout | 37 |
| Using the Setup Wizard to Perform the Initial Configuration | 39 |
| Setup Wizard Step 1 of 10: LAN Settings | 40 |
| Setup Wizard Step 2 of 10: WAN Settings | 43 |
| Setup Wizard Step 3 of 10: System Date and Time | 46 |
| Setup Wizard Step 4 of 10: Security Services | 48 |
| Setup Wizard Step 5 of 10: Email Security | 50 |
| Setup Wizard Step 6 of 10: Web Security | 51 |
| Setup Wizard Step 7 of 10: Web Categories to Be Blocked | 53 |
| Setup Wizard Step 8 of 10: Administrator Email Notification Settings | 55 |
| Setup Wizard Step 9 of 10: Security Subscription Update Settings | 56 |
| Setup Wizard Step 10 of 10: Saving the Configuration | 58 |
| Verifying Proper Installation | 58 |
| Testing Connectivity | 58 |
| Testing HTTP Scanning | 58 |
| Registering the UTM with NETGEAR | 59 |
| What to Do Next | 61 |
| Chapter 3 Manually Configuring Internet and WAN Settings | 63 |
| Understanding the Internet and WAN Configuration Tasks | 63 |
| Configuring the Internet Connections | 64 |
| Automatically Detecting and Connecting | 64 |
| Setting the UTM’s MAC Address | 67 |
| Manually Configuring the Internet Connection | 67 |
| Configuring the WAN Mode (Required for the UTM25’s Dual WAN Mode) | 71 |
| Network Address Translation (UTM10 and UTM25) | 72 |
| Classical Routing (UTM10 and UTM25) | 72 |
| Configuring Auto-Rollover Mode (UTM25 Only) | 73 |
| Configuring Load Balancing and Optional Protocol Binding (UTM25 Only) | 76 |
| Configuring Secondary WAN Addresses | 79 |
| Configuring Dynamic DNS | 81 |
| Configuring Advanced WAN Options | 84 |
| Additional WAN-Related Configuration Tasks | 86 |
| Chapter 4 LAN Configuration | 87 |
| Managing Virtual LANs and DHCP Options | 87 |
| Managing the UTM’s Port-Based VLANs | 88 |
| VLAN DHCP Options | 90 |
| DHCP Server | 90 |
| DHCP Relay | 91 |
| DNS Proxy | 91 |
| LDAP Server | 92 |
| Configuring a VLAN Profile | 92 |
| Configuring Multi-Home LAN IPs on the Default VLAN | 97 |
| Managing Groups and Hosts (LAN Groups) | 98 |
| Managing the Network Database | 99 |
| Adding PCs or Devices to the Network Database | 101 |
| Editing PCs or Devices in the Network Database | 102 |
| Changing Group Names in the Network Database | 102 |
| Setting Up Address Reservation | 103 |
| Configuring and Enabling the DMZ Port | 104 |
| Managing Routing | 108 |
| Configuring Static Routes | 109 |
| Configuring Routing Information Protocol (RIP) | 110 |
| Static Route Example | 113 |
| Chapter 5 Firewall Protection | 115 |
| About Firewall Protection | 115 |
| Administrator Tips | 116 |
| Using Rules to Block or Allow Specific Kinds of Traffic | 117 |
| Services-Based Rules | 117 |
| Outbound Rules (Service Blocking) | 118 |
| Inbound Rules (Port Forwarding) | 120 |
| Order of Precedence for Rules | 124 |
| Setting LAN WAN Rules | 125 |
| LAN WAN Outbound Services Rules | 126 |
| LAN WAN Inbound Services Rules | 127 |
| Setting DMZ WAN Rules | 128 |
| DMZ WAN Outbound Services Rules | 130 |
| DMZ WAN Inbound Services Rules | 131 |
| Setting LAN DMZ Rules | 132 |
| LAN DMZ Outbound Services Rules | 133 |
| LAN DMZ Inbound Services Rules | 134 |
| Attack Checks | 134 |
| Setting Session Limits | 137 |
| Managing the Application Level Gateway for SIP Sessions | 138 |
| Inbound Rules Examples | 139 |
| LAN WAN Inbound Rule: Hosting A Local Public Web Server | 139 |
| LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses | 140 |
| LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping | 140 |
| LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host | 142 |
| Outbound Rules Example | 143 |
| LAN WAN Outbound Rule: Blocking Instant Messenger | 143 |
| Creating Services, QoS Profiles, and Bandwidth Profiles | 144 |
| Adding Customized Services | 144 |
| Creating Quality of Service (QoS) Profiles | 147 |
| Creating Bandwidth Profiles | 150 |
| Setting a Schedule to Block or Allow Specific Traffic | 153 |
| Enabling Source MAC Filtering | 154 |
| Setting up IP/MAC Bindings | 156 |
| Configuring Port Triggering | 158 |
| Using the Intrusion Prevention System | 161 |
| Chapter 6 Content Filtering and Optimizing Scans | 165 |
| About Content Filtering and Scans | 165 |
| Default E-mail and Web Scan Settings | 166 |
| Configuring E-mail Protection | 167 |
| Customizing E-mail Protocol Scan Settings | 168 |
| Customizing E-mail Anti-Virus and Notification Settings | 169 |
| E-mail Content Filtering | 172 |
| Protecting Against E-mail Spam | 175 |
| Setting Up the Whitelist and Blacklist | 176 |
| Configuring the Real-time Blacklist | 178 |
| By default, the UTM comes with three pre-defined blacklist providers: Dsbl, Spamhaus, and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL sources. | 179 |
| Configuring Distributed Spam Analysis | 180 |
| Configuring Web and Services Protection | 183 |
| Customizing Web Protocol Scan Settings and Services | 183 |
| Configuring Web Malware Scans | 185 |
| Configuring Web Content Filtering | 187 |
| Configuring Web URL Filtering | 194 |
| HTTPS Scan Settings | 198 |
| Specifying Trusted Hosts | 201 |
| Configuring FTP Scans | 203 |
| Setting Web Access Exceptions and Scanning Exclusions | 205 |
| Setting Web Access Exception Rules | 205 |
| Setting Scanning Exclusions | 208 |
| Chapter 7 Virtual Private Networking Using IPsec Connections | 211 |
| Considerations for Dual WAN Port Systems (UTM25 Only) | 211 |
| Using the IPsec VPN Wizard for Client and Gateway Configurations | 213 |
| Creating Gateway-to-Gateway VPN Tunnels with the Wizard | 213 |
| Creating a Client to Gateway VPN Tunnel | 218 |
| Using the VPN Wizard to Configure the Gateway for a Client Tunnel | 218 |
| Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection | 221 |
| Testing the Connections and Viewing Status Information | 226 |
| Testing the VPN Connection | 226 |
| NETGEAR VPN Client Status and Log Information | 227 |
| Viewing the UTM IPsec VPN Connection Status | 229 |
| Viewing the UTM IPsec VPN Log | 230 |
| Managing IPsec VPN Policies | 231 |
| Managing IKE Policies | 232 |
| The IKE Policies Screen | 232 |
| Manually Adding or Editing an IKE Policy | 234 |
| Managing VPN Policies | 240 |
| The VPN Policies Screen | 240 |
| Manually Adding or Editing a VPN Policy | 242 |
| Configuring Extended Authentication (XAUTH) | 247 |
| Configuring XAUTH for VPN Clients | 248 |
| User Database Configuration | 249 |
| RADIUS Client Configuration | 249 |
| Assigning IP Addresses to Remote Users (Mode Config) | 252 |
| Mode Config Operation | 252 |
| Configuring Mode Config Operation on the UTM | 252 |
| Configuring the ProSafe VPN Client for Mode Config Operation | 259 |
| Testing the Mode Config Connection | 264 |
| Configuring Keepalives and Dead Peer Detection | 264 |
| Configuring Keepalives | 265 |
| Configuring Dead Peer Connection | 266 |
| Configuring NetBIOS Bridging with IPsec VPN | 268 |
| Chapter 8 Virtual Private Networking Using SSL Connections | 269 |
| Understanding the SSL VPN Portal Options | 269 |
| Using the SSL VPN Wizard for Client Configurations | 270 |
| SSL VPN Wizard Step 1 of 6: Portal Settings | 271 |
| SSL VPN Wizard Step 2 of 6: Domain Settings | 273 |
| SSL VPN Wizard Step 3 of 6: User Settings | 275 |
| SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes | 277 |
| SSL VPN Wizard Step 5 of 6: Port Forwarding | 279 |
| SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings | 281 |
| Accessing the New SSL Portal Login Screen | 282 |
| Viewing the UTM SSL VPN Connection Status | 284 |
| Viewing the UTM SSL VPN Log | 284 |
| Manually Configuring and Editing SSL Connections | 285 |
| Creating the Portal Layout | 286 |
| Configuring Domains, Groups, and Users | 290 |
| Configuring Applications for Port Forwarding | 290 |
| Adding Servers and Port Numbers | 291 |
| Adding A New Host Name | 292 |
| Configuring the SSL VPN Client | 293 |
| Configuring the Client IP Address Range | 294 |
| Adding Routes for VPN Tunnel Clients | 295 |
| Using Network Resource Objects to Simplify Policies | 296 |
| Adding New Network Resources | 297 |
| Editing Network Resources to Specify Addresses | 298 |
| Configuring User, Group, and Global Policies | 299 |
| Viewing Policies | 300 |
| Adding a Policy | 301 |
| Chapter 9 Managing Users, Authentication, and Certificates | 307 |
| Configuring VPN Authentication Domains, Groups, and Users | 307 |
| Configuring Domains | 308 |
| Configuring Groups for VPN Policies | 312 |
| Creating and Deleting Groups | 313 |
| Editing Groups | 314 |
| Configuring User Accounts | 315 |
| Setting User Login Policies | 318 |
| Configuring Login Policies | 318 |
| Configuring Login Restrictions Based on IP Address | 319 |
| Configuring Login Restrictions Based on Web Browser | 320 |
| Changing Passwords and Other User Settings | 322 |
| Managing Digital Certificates | 323 |
| Managing CA Certificates | 325 |
| Managing Self Certificates | 326 |
| Generating a CSR and Obtaining a Self Certificate from a CA | 327 |
| Viewing and Managing Self Certificates | 331 |
| Managing the Certificate Revocation List | 331 |
| Chapter 10 Network and System Management | 333 |
| Performance Management | 333 |
| Bandwidth Capacity | 333 |
| Features That Reduce Traffic | 334 |
| LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) | 334 |
| Content Filtering | 336 |
| Source MAC Filtering | 337 |
| Features That Increase Traffic | 337 |
| LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding) | 337 |
| Port Triggering | 339 |
| Configuring the DMZ Port | 339 |
| For the information on how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 4-18. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 5-14. | 340 |
| Configuring Exposed Hosts | 340 |
| Configuring VPN Tunnels | 340 |
| Using QoS and Bandwidth Assignment to Shift the Traffic Mix | 340 |
| Assigning QoS Profiles | 340 |
| Monitoring Tools for Traffic Management | 341 |
| System Management | 341 |
| Changing Passwords and Administrator Settings | 341 |
| Configuring Remote Management Access | 344 |
| Using an SNMP Manager | 346 |
| Managing the Configuration File | 347 |
| Backup Settings | 348 |
| Restore Settings | 349 |
| Reverting to Factory Default Settings | 350 |
| Updating the Firmware | 350 |
| Viewing the Available Firmware Versions | 351 |
| Upgrading the Firmware and Rebooting the UTM | 352 |
| Rebooting Without Changing the Firmware | 353 |
| Updating the Scan Signatures and Scan Engine Firmware | 353 |
| Configuring Automatic Update and Frequency Settings | 355 |
| Configuring Date and Time Service | 356 |
| Chapter 11 Monitoring System Access and Performance | 359 |
| Enabling the WAN Traffic Meter | 359 |
| Configuring Logging, Alerts, and Event Notifications | 363 |
| Configuring the E-mail Notification Server | 363 |
| Configuring and Activating System, E-mail, and Syslog Logs | 364 |
| Configuring and Activating Update Failure and Attack Alerts | 368 |
| Configuring and Activating Firewall Logs | 371 |
| Monitoring Real-Time Traffic, Security, and Statistics | 372 |
| Viewing Status Screens | 378 |
| Viewing System Status | 378 |
| Viewing Active VPN Users | 382 |
| Viewing VPN Tunnel Connection Status | 382 |
| Viewing Port Triggering Status | 384 |
| Viewing the WAN Ports Status | 385 |
| Viewing Attached Devices and the DHCP Log | 387 |
| Viewing Attached Devices | 387 |
| Viewing the DHCP Log | 389 |
| Querying Logs and Generating Reports | 390 |
| Querying the Logs | 390 |
| Example: Using Logs to Identify Infected Clients | 396 |
| Log Management | 396 |
| Scheduling and Generating Reports | 397 |
| Generating Reports | 398 |
| Scheduling Reports | 400 |
| Using Diagnostics Utilities | 401 |
| Using the Network Diagnostic Tools | 402 |
| Sending a Ping Packet | 402 |
| Tracing a Route | 403 |
| Displaying the Routing Table | 403 |
| Looking up a DNS Address | 403 |
| Using the Realtime Traffic Diagnostics Tool | 404 |
| Gathering Important Log Information and Generating a Network Statistics Report | 405 |
| Gathering Important Log Information | 405 |
| Rebooting and Shutting Down the UTM | 406 |
| Chapter 12 Troubleshooting and Using Online Support | 407 |
| Basic Functioning | 408 |
| Power LED Not On | 408 |
| Test LED Never Turns Off | 408 |
| LAN or WAN Port LEDs Not On | 409 |
| Troubleshooting the Web Management Interface | 409 |
| When You Enter a URL or IP Address a Time-out Error Occurs | 410 |
| Troubleshooting the ISP Connection | 411 |
| Troubleshooting a TCP/IP Network Using a Ping Utility | 412 |
| Testing the LAN Path to Your UTM | 413 |
| Testing the Path from Your PC to a Remote Device | 413 |
| Restoring the Default Configuration and Password | 414 |
| Problems with Date and Time | 415 |
| Using Online Support | 416 |
| Enabling Remote Troubleshooting | 416 |
| Sending Suspicious Files to NETGEAR for Analysis | 417 |
| Accessing the Knowledge Base and Documentation | 418 |
| Appendix A Default Settings and Technical Specifications | 419 |
| Appendix B Network Planning for Dual WAN Ports (UTM25 Only) | 423 |
| What to Consider Before You Begin | 423 |
| Cabling and Computer Hardware Requirements | 425 |
| Computer Network Configuration Requirements | 425 |
| Internet Configuration Requirements | 425 |
| Where Do I Get The Internet Configuration Information? | 426 |
| Internet Connection Information | 426 |
| Overview of the Planning Process | 427 |
| Inbound Traffic | 429 |
| Inbound Traffic to a Single WAN Port System | 429 |
| Inbound Traffic to a Dual WAN Port System | 430 |
| Inbound Traffic: Dual WAN Ports for Improved Reliability | 430 |
| Inbound Traffic: Dual WAN Ports for Load Balancing | 430 |
| Virtual Private Networks (VPNs) | 431 |
| VPN Road Warrior (Client-to-Gateway) | 433 |
| VPN Road Warrior: Single Gateway WAN Port (Reference Case) | 433 |
| VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability | 433 |
| VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing | 435 |
| VPN Gateway-to-Gateway | 435 |
| VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) | 435 |
| VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability | 436 |
| VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing | 437 |
| VPN Telecommuter (Client-to-Gateway Through a NAT Router) | 438 |
| VPN Telecommuter: Single Gateway WAN Port (Reference Case) | 438 |
| VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability | 439 |
| VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing | 440 |
| Appendix C System Logs and Error Messages | 441 |
| System Log Messages | 442 |
| System Startup | 442 |
| Reboot | 442 |
| Service Logs | 443 |
| NTP | 443 |
| Login/Logout | 444 |
| Firewall Restart | 444 |
| IPsec Restart | 444 |
| WAN Status | 445 |
| Auto-Rollover Mode | 445 |
| Load-Balancing Mode | 446 |
| PPP Logs | 447 |
| Traffic Metering Logs | 449 |
| Unicast Logs | 449 |
| ICMP Redirect Logs | 449 |
| Multicast/Broadcast Logs | 450 |
| Invalid Packet Logging | 450 |
| Content Filtering and Security Logs | 452 |
| Web Filtering and Content Filtering Logs | 452 |
| Spam Logs | 453 |
| Traffic Logs | 454 |
| Virus Logs | 454 |
| E-mail Filter Logs | 454 |
| IPS Logs | 455 |
| Port Scan Logs | 455 |
| Instant Messaging/Peer-to-Peer Logs | 455 |
| Routing Logs | 456 |
| LAN to WAN Logs | 456 |
| LAN to DMZ Logs | 456 |
| DMZ to WAN Logs | 456 |
| WAN to LAN Logs | 457 |
| DMZ to LAN Logs | 457 |
| WAN to DMZ Logs | 457 |
| Appendix D Two Factor Authentication | 459 |
| Why do I need Two-Factor Authentication? | 459 |
| What are the benefits of Two-Factor Authentication? | 459 |
| What is Two-Factor Authentication? | 460 |
| NETGEAR Two-Factor Authentication Solutions | 460 |
| Appendix E Related Documents | 463 |