Home » Netgear Manuals » Network Security & Firewall Devices » Netgear UTM25-100NAS » Manual Viewer

Netgear UTM25-100NAS Reference Manual - Page 246

SHA-1, Auto Policy Parameters, Seconds, KBytes, AES-128, AES-256

UPC - 606449061383

View all Netgear UTM25-100NAS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 246 highlights

ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual Table 7-12. Add VPN Policy Settings (continued) Item Description (or Subfield and Description) Integrity Algorithm Key-In Key-Out From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process: • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting. • MD5. Hash algorithm that produces a 128-bit digest. The integrity key for the inbound policy. The length of the key depends on the selected integrity algorithm: • MD5: enter 16 characters. • SHA-1: enter 20 characters. The integrity key for he outbound policy. The length of the key depends on the selected integrity algorithm. The required key lengths are the same as for the Key-In (se above). Auto Policy Parameters Note: These fields apply only when you select Auto Policy as the policy type. SA Lifetime Encryption Algorithm Integrity Algorithm The lifetime of the Security Association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and must be renegotiated. From the pull-down menu, select how the SA lifetime is specified: • Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value is 300 seconds. The default value is 3600 seconds. • KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value is 1920000 KB. From the pull-down menu, select one of the following five algorithms to negotiate the security association (SA): • DES. Data Encryption Standard (DES) • 3DES. Triple DES. This is the default algorithm. • AES-128. Advanced Encryption Standard (AES) with a 128-bits key size. • AES-192. AES with a 192-bits key size. • AES-256. AES with a 256-bits key size. From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process: • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting. • MD5. Hash algorithm that produces a 128-bit digest. 7-36 Virtual Private Networking Using IPsec Connections v1.0, September 2009

Section	Page
ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual	1
Contents	7
About This Manual	17
Conventions, Formats, and Scope	17
How to Print This Manual	18
Revision History	18
Chapter 1 Introduction	19
What Is the ProSecure Unified Threat Management Appliance UTM10 or UTM25?	19
Key Features and Capabilities	20
Dual WAN Ports for Increased Reliability or Outbound Load Balancing (UTM25 Only)	21
Advanced VPN Support for Both IPsec and SSL	21
A Powerful, True Firewall	22
Stream Scanning for Content Filtering	22
Security Features	23
Autosensing Ethernet Connections with Auto Uplink	23
Extensive Protocol Support	24
Easy Installation and Management	24
Maintenance and Support	25
Service Registration Card with License Keys	26
Package Contents	27
Hardware Features	27
Front Panel	27
Rear Panel	30
Bottom Panel With Product Label	30
Choosing a Location for the UTM	32
Using the Rack-Mounting Kit	32
Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network	33
Understanding the Steps for Initial Connection	33
Qualified Web Browsers	34
Logging In to the UTM	34
Understanding the Web Management Interface Menu Layout	37
Using the Setup Wizard to Perform the Initial Configuration	39
Setup Wizard Step 1 of 10: LAN Settings	40
Setup Wizard Step 2 of 10: WAN Settings	43
Setup Wizard Step 3 of 10: System Date and Time	46
Setup Wizard Step 4 of 10: Security Services	48
Setup Wizard Step 5 of 10: Email Security	50
Setup Wizard Step 6 of 10: Web Security	51
Setup Wizard Step 7 of 10: Web Categories to Be Blocked	53
Setup Wizard Step 8 of 10: Administrator Email Notification Settings	55
Setup Wizard Step 9 of 10: Security Subscription Update Settings	56
Setup Wizard Step 10 of 10: Saving the Configuration	58
Verifying Proper Installation	58
Testing Connectivity	58
Testing HTTP Scanning	58
Registering the UTM with NETGEAR	59
What to Do Next	61
Chapter 3 Manually Configuring Internet and WAN Settings	63
Understanding the Internet and WAN Configuration Tasks	63
Configuring the Internet Connections	64
Automatically Detecting and Connecting	64
Setting the UTM’s MAC Address	67
Manually Configuring the Internet Connection	67
Configuring the WAN Mode (Required for the UTM25’s Dual WAN Mode)	71
Network Address Translation (UTM10 and UTM25)	72
Classical Routing (UTM10 and UTM25)	72
Configuring Auto-Rollover Mode (UTM25 Only)	73
Configuring Load Balancing and Optional Protocol Binding (UTM25 Only)	76
Configuring Secondary WAN Addresses	79
Configuring Dynamic DNS	81
Configuring Advanced WAN Options	84
Additional WAN-Related Configuration Tasks	86
Chapter 4 LAN Configuration	87
Managing Virtual LANs and DHCP Options	87
Managing the UTM’s Port-Based VLANs	88
VLAN DHCP Options	90
DHCP Server	90
DHCP Relay	91
DNS Proxy	91
LDAP Server	92
Configuring a VLAN Profile	92
Configuring Multi-Home LAN IPs on the Default VLAN	97
Managing Groups and Hosts (LAN Groups)	98
Managing the Network Database	99
Adding PCs or Devices to the Network Database	101
Editing PCs or Devices in the Network Database	102
Changing Group Names in the Network Database	102
Setting Up Address Reservation	103
Configuring and Enabling the DMZ Port	104
Managing Routing	108
Configuring Static Routes	109
Configuring Routing Information Protocol (RIP)	110
Static Route Example	113
Chapter 5 Firewall Protection	115
About Firewall Protection	115
Administrator Tips	116
Using Rules to Block or Allow Specific Kinds of Traffic	117
Services-Based Rules	117
Outbound Rules (Service Blocking)	118
Inbound Rules (Port Forwarding)	120
Order of Precedence for Rules	124
Setting LAN WAN Rules	125
LAN WAN Outbound Services Rules	126
LAN WAN Inbound Services Rules	127
Setting DMZ WAN Rules	128
DMZ WAN Outbound Services Rules	130
DMZ WAN Inbound Services Rules	131
Setting LAN DMZ Rules	132
LAN DMZ Outbound Services Rules	133
LAN DMZ Inbound Services Rules	134
Attack Checks	134
Setting Session Limits	137
Managing the Application Level Gateway for SIP Sessions	138
Inbound Rules Examples	139
LAN WAN Inbound Rule: Hosting A Local Public Web Server	139
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses	140
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping	140
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host	142
Outbound Rules Example	143
LAN WAN Outbound Rule: Blocking Instant Messenger	143
Creating Services, QoS Profiles, and Bandwidth Profiles	144
Adding Customized Services	144
Creating Quality of Service (QoS) Profiles	147
Creating Bandwidth Profiles	150
Setting a Schedule to Block or Allow Specific Traffic	153
Enabling Source MAC Filtering	154
Setting up IP/MAC Bindings	156
Configuring Port Triggering	158
Using the Intrusion Prevention System	161
Chapter 6 Content Filtering and Optimizing Scans	165
About Content Filtering and Scans	165
Default E-mail and Web Scan Settings	166
Configuring E-mail Protection	167
Customizing E-mail Protocol Scan Settings	168
Customizing E-mail Anti-Virus and Notification Settings	169
E-mail Content Filtering	172
Protecting Against E-mail Spam	175
Setting Up the Whitelist and Blacklist	176
Configuring the Real-time Blacklist	178
By default, the UTM comes with three pre-defined blacklist providers: Dsbl, Spamhaus, and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL sources.	179
Configuring Distributed Spam Analysis	180
Configuring Web and Services Protection	183
Customizing Web Protocol Scan Settings and Services	183
Configuring Web Malware Scans	185
Configuring Web Content Filtering	187
Configuring Web URL Filtering	194
HTTPS Scan Settings	198
Specifying Trusted Hosts	201
Configuring FTP Scans	203
Setting Web Access Exceptions and Scanning Exclusions	205
Setting Web Access Exception Rules	205
Setting Scanning Exclusions	208
Chapter 7 Virtual Private Networking Using IPsec Connections	211
Considerations for Dual WAN Port Systems (UTM25 Only)	211
Using the IPsec VPN Wizard for Client and Gateway Configurations	213
Creating Gateway-to-Gateway VPN Tunnels with the Wizard	213
Creating a Client to Gateway VPN Tunnel	218
Using the VPN Wizard Configure the Gateway for a Client Tunnel	218
Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection	221
Testing the Connections and Viewing Status Information	226
Testing the VPN Connection	226
NETGEAR VPN Client Status and Log Information	227
Viewing the UTM IPsec VPN Connection Status	229
Viewing the UTM IPsec VPN Log	230
Managing IPsec VPN Policies	231
Managing IKE Policies	232
The IKE Policies Screen	232
Manually Adding or Editing an IKE Policy	234
Managing VPN Policies	240
The VPN Policies Screen	240
Manually Adding or Editing a VPN Policy	242
Configuring Extended Authentication (XAUTH)	247
Configuring XAUTH for VPN Clients	248
User Database Configuration	249
RADIUS Client Configuration	249
Assigning IP Addresses to Remote Users (Mode Config)	252
Mode Config Operation	252
Configuring Mode Config Operation on the UTM	252
Configuring the ProSafe VPN Client for Mode Config Operation	259
Testing the Mode Config Connection	264
Configuring Keepalives and Dead Peer Detection	264
Configuring Keepalives	265
Configuring Dead Peer Connection	266
Configuring NetBIOS Bridging with IPsec VPN	268
Chapter 8 Virtual Private Networking Using SSL Connections	269
Understanding the SSL VPN Portal Options	269
Using the SSL VPN Wizard for Client Configurations	270
SSL VPN Wizard Step 1 of 6: Portal Settings	271
SSL VPN Wizard Step 2 of 6: Domain Settings	273
SSL VPN Wizard Step 3 of 6: User Settings	275
SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes	277
SSL VPN Wizard Step 5 of 6: Port Forwarding	279
SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings	281
Accessing the New SSL Portal Login Screen	282
Viewing the UTM SSL VPN Connection Status	284
Viewing the UTM SSL VPN Log	284
Manually Configuring and Editing SSL Connections	285
Creating the Portal Layout	286
Configuring Domains, Groups, and Users	290
Configuring Applications for Port Forwarding	290
Adding Servers and Port Numbers	291
Adding A New Host Name	292
Configuring the SSL VPN Client	293
Configuring the Client IP Address Range	294
Adding Routes for VPN Tunnel Clients	295
Using Network Resource Objects to Simplify Policies	296
Adding New Network Resources	297
Editing Network Resources to Specify Addresses	298
Configuring User, Group, and Global Policies	299
Viewing Policies	300
Adding a Policy	301
Chapter 9 Managing Users, Authentication, and Certificates	307
Configuring VPN Authentication Domains, Groups, and Users	307
Configuring Domains	308
Configuring Groups for VPN Policies	312
Creating and Deleting Groups	313
Editing Groups	314
Configuring User Accounts	315
Setting User Login Policies	318
Configuring Login Policies	318
Configuring Login Restrictions Based on IP Address	319
Configuring Login Restrictions Based on Web Browser	320
Changing Passwords and Other User Settings	322
Managing Digital Certificates	323
Managing CA Certificates	325
Managing Self Certificates	326
Generating a CSR and Obtaining a Self Certificate from a CA	327
Viewing and Managing Self Certificates	331
Managing the Certificate Revocation List	331
Chapter 10 Network and System Management	333
Performance Management	333
Bandwidth Capacity	333
Features That Reduce Traffic	334
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)	334
Content Filtering	336
Source MAC Filtering	337
Features That Increase Traffic	337
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)	337
Port Triggering	339
Configuring the DMZ Port	339
For the information on how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 4-18. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 5-14.	340
Configuring Exposed Hosts	340
Configuring VPN Tunnels	340
Using QoS and Bandwidth Assignment to Shift the Traffic Mix	340
Assigning QoS Profiles	340
Monitoring Tools for Traffic Management	341
System Management	341
Changing Passwords and Administrator Settings	341
Configuring Remote Management Access	344
Using an SNMP Manager	346
Managing the Configuration File	347
Backup Settings	348
Restore Settings	349
Reverting to Factory Default Settings	350
Updating the Firmware	350
Viewing the Available Firmware Versions	351
Upgrading the Firmware and Rebooting the UTM	352
Rebooting Without Changing the Firmware	353
Updating the Scan Signatures and Scan Engine Firmware	353
Configuring Automatic Update and Frequency Settings	355
Configuring Date and Time Service	356
Chapter 11 Monitoring System Access and Performance	359
Enabling the WAN Traffic Meter	359
Configuring Logging, Alerts, and Event Notifications	363
Configuring the E-mail Notification Server	363
Configuring and Activating System, E-mail, and Syslog Logs	364
Configuring and Activating Update Failure and Attack Alerts	368
Configuring and Activating Firewall Logs	371
Monitoring Real-Time Traffic, Security, and Statistics	372
Viewing Status Screens	378
Viewing System Status	378
Viewing Active VPN Users	382
Viewing VPN Tunnel Connection Status	382
Viewing Port Triggering Status	384
Viewing the WAN Ports Status	385
Viewing Attached Devices and the DHCP Log	387
Viewing Attached Devices	387
Viewing the DHCP Log	389
Querying Logs and Generating Reports	390
Querying the Logs	390
Example: Using Logs to Identify Infected Clients	396
Log Management	396
Scheduling and Generating Reports	397
Generating Reports	398
Scheduling Reports	400
Using Diagnostics Utilities	401
Using the Network Diagnostic Tools	402
Sending a Ping Packet	402
Tracing a Route	403
Displaying the Routing Table	403
Looking up a DNS Address	403
Using the Realtime Traffic Diagnostics Tool	404
Gathering Important Log Information and Generating a Network Statistics Report	405
Gathering Important Log Information	405
Rebooting and Shutting Down the UTM	406
Chapter 12 Troubleshooting and Using Online Support	407
Basic Functioning	408
Power LED Not On	408
Test LED Never Turns Off	408
LAN or WAN Port LEDs Not On	409
Troubleshooting the Web Management Interface	409
When You Enter a URL or IP Address a Time-out Error Occurs	410
Troubleshooting the ISP Connection	411
Troubleshooting a TCP/IP Network Using a Ping Utility	412
Testing the LAN Path to Your UTM	413
Testing the Path from Your PC to a Remote Device	413
Restoring the Default Configuration and Password	414
Problems with Date and Time	415
Using Online Support	416
Enabling Remote Troubleshooting	416
Sending Suspicious Files to NETGEAR for Analysis	417
Accessing the Knowledge Base and Documentation	418
Appendix A Default Settings and Technical Specifications	419
Appendix B Network Planning for Dual WAN Ports (UTM25 Only)	423
What to Consider Before You Begin	423
Cabling and Computer Hardware Requirements	425
Computer Network Configuration Requirements	425
Internet Configuration Requirements	425
Where Do I Get The Internet Configuration Information?	426
Internet Connection Information	426
Overview of the Planning Process	427
Inbound Traffic	429
Inbound Traffic to a Single WAN Port System	429
Inbound Traffic to a Dual WAN Port System	430
Inbound Traffic: Dual WAN Ports for Improved Reliability	430
Inbound Traffic: Dual WAN Ports for Load Balancing	430
Virtual Private Networks (VPNs)	431
VPN Road Warrior (Client-to-Gateway)	433
VPN Road Warrior: Single Gateway WAN Port (Reference Case)	433
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability	433
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing	435
VPN Gateway-to-Gateway	435
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)	435
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability	436
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing	437
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	438
VPN Telecommuter: Single Gateway WAN Port (Reference Case)	438
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability	439
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing	440
Appendix C System Logs and Error Messages	441
System Log Messages	442
System Startup	442
Reboot	442
Service Logs	443
NTP	443
Login/Logout	444
Firewall Restart	444
IPsec Restart	444
WAN Status	445
Auto-Rollover Mode	445
Load-Balancing Mode	446
PPP Logs	447
Traffic Metering Logs	449
Unicast Logs	449
ICMP Redirect Logs	449
Multicast/Broadcast Logs	450
Invalid Packet Logging	450
Content Filtering and Security Logs	452
Web Filtering and Content Filtering Logs	452
Spam Logs	453
Traffic Logs	454
Virus Logs	454
E-mail Filter Logs	454
IPS Logs	455
Port Scan Logs	455
Instant Messaging/Peer-to-Peer Logs	455
Routing Logs	456
LAN to WAN Logs	456
LAN to DMZ Logs	456
DMZ to WAN Logs	456
WAN to LAN Logs	457
DMZ to LAN Logs	457
WAN to DMZ Logs	457
Appendix D Two Factor Authentication	459
Why do I need Two-Factor Authentication?	459
What are the benefits of Two-Factor Authentication?	459
What is Two-Factor Authentication	460
NETGEAR Two-Factor Authentication Solutions	460
Appendix E Related Documents	463

Match case Limit results 1 per page

ProSecure Unified Threat Management UTM10 or UTM25 Reference Manual

7-36

Virtual Private Networking Using IPsec Connections

v1.0, September 2009

Integrity Algorithm

From the pull-down menu, select one of the following two algorithms to be

used in the VPN header for the authentication process:

•

SHA-1

. Hash algorithm that produces a 160-bit digest. This is the default

setting.

•

MD5

. Hash algorithm that produces a 128-bit digest.

Key-In

The integrity key for the inbound policy. The length of the key depends on

the selected integrity algorithm:

•

MD5: enter 16 characters.

•

SHA-1: enter 20 characters.

Key-Out

The integrity key for he outbound policy. The length of the key depends on

the selected integrity algorithm. The required key lengths are the same as

for the Key-In (se above).

Auto Policy Parameters

Note

: These fields apply only when you select Auto Policy as the policy type.

SA Lifetime

The lifetime of the Security Association (SA) is the period or the amount of

transmitted data after which the SA becomes invalid and must be

renegotiated. From the pull-down menu, select how the SA lifetime is

specified:

•

Seconds

. In the SA Lifetime field, enter a period in seconds. The minimum

value is 300 seconds. The default value is 3600 seconds.

•

KBytes

. In the SA Lifetime field, enter a number of kilobytes. The

minimum value is 1920000 KB.

Encryption Algorithm

From the pull-down menu, select one of the following five algorithms to

negotiate the security association (SA):

•

DES

. Data Encryption Standard (DES)

•

3DES

. Triple DES. This is the default algorithm.

•

AES-128

. Advanced Encryption Standard (AES) with a 128-bits key size.

•

AES-192

. AES with a 192-bits key size.

•

AES-256

. AES with a 256-bits key size.