| Section | Page |
|---|---|
| ProSecure Unified Threat Management (UTM) Appliance Reference Manual | 1 |
| Contents | 7 |
| About This Manual | 17 |
| Conventions, Formats, and Scope | 17 |
| How to Print This Manual | 18 |
| Revision History | 18 |
| Chapter 1 Introduction | 19 |
| What Is the ProSecure Unified Threat Management (UTM) Appliance? | 19 |
| Key Features and Capabilities | 20 |
| Dual-WAN Port Models for Increased Reliability or Outbound Load Balancing | 21 |
| Advanced VPN Support for Both IPsec and SSL | 21 |
| A Powerful, True Firewall | 22 |
| Stream Scanning for Content Filtering | 22 |
| Security Features | 23 |
| Autosensing Ethernet Connections with Auto Uplink | 23 |
| Extensive Protocol Support | 24 |
| Easy Installation and Management | 24 |
| Maintenance and Support | 25 |
| Model Comparison | 25 |
| Service Registration Card with License Keys | 26 |
| Package Contents | 27 |
| Hardware Features | 28 |
| Front Panel | 28 |
| Rear Panel | 30 |
| Bottom Panel With Product Label | 30 |
| Choosing a Location for the UTM | 32 |
| Using the Rack-Mounting Kit | 33 |
| Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network | 35 |
| Understanding the Steps for Initial Connection | 35 |
| Qualified Web Browsers | 36 |
| Logging In to the UTM | 36 |
| Understanding the Web Management Interface Menu Layout | 39 |
| Using the Setup Wizard to Perform the Initial Configuration | 41 |
| Setup Wizard Step 1 of 10: LAN Settings | 42 |
| Setup Wizard Step 2 of 10: WAN Settings | 45 |
| Setup Wizard Step 3 of 10: System Date and Time | 48 |
| Setup Wizard Step 4 of 10: Services | 50 |
| Setup Wizard Step 5 of 10: Email Security | 52 |
| Setup Wizard Step 6 of 10: Web Security | 53 |
| Setup Wizard Step 7 of 10: Web Categories to Be Blocked | 55 |
| Setup Wizard Step 8 of 10: Email Notification | 57 |
| Setup Wizard Step 9 of 10: Signatures & Engine | 58 |
| Setup Wizard Step 10 of 10: Saving the Configuration | 59 |
| Verifying Proper Installation | 60 |
| Testing Connectivity | 60 |
| Testing HTTP Scanning | 60 |
| Registering the UTM with NETGEAR | 60 |
| What to Do Next | 62 |
| Chapter 3 Manually Configuring Internet and WAN Settings | 63 |
| Understanding the Internet and WAN Configuration Tasks | 63 |
| Configuring the Internet Connections | 64 |
| Automatically Detecting and Connecting | 64 |
| Setting the UTM’s MAC Address | 67 |
| Manually Configuring the Internet Connection | 67 |
| Configuring the WAN Mode (Required for Dual-WAN Port Models Only) | 71 |
| Network Address Translation (All Models) | 72 |
| Classical Routing (All Models) | 73 |
| Configuring Auto-Rollover Mode (Dual-WAN Port Models Only) | 73 |
| Configuring Load Balancing and Optional Protocol Binding (Dual-WAN Port Models Only) | 76 |
| Configuring Secondary WAN Addresses | 79 |
| Configuring Dynamic DNS | 81 |
| Configuring Advanced WAN Options | 84 |
| Additional WAN-Related Configuration Tasks | 86 |
| Chapter 4 LAN Configuration | 87 |
| Managing Virtual LANs and DHCP Options | 87 |
| Managing the UTM’s Port-Based VLANs | 88 |
| VLAN DHCP Options | 90 |
| DHCP Server | 90 |
| DHCP Relay | 91 |
| DNS Proxy | 91 |
| LDAP Server | 92 |
| Configuring a VLAN Profile | 92 |
| Configuring Multi-Home LAN IPs on the Default VLAN | 97 |
| Managing Groups and Hosts (LAN Groups) | 98 |
| Managing the Network Database | 99 |
| Adding PCs or Devices to the Network Database | 101 |
| Editing PCs or Devices in the Network Database | 102 |
| Changing Group Names in the Network Database | 102 |
| Setting Up Address Reservation | 103 |
| Configuring and Enabling the DMZ Port | 104 |
| Managing Routing | 108 |
| Configuring Static Routes | 109 |
| Configuring Routing Information Protocol (RIP) | 110 |
| Static Route Example | 113 |
| Chapter 5 Firewall Protection | 115 |
| About Firewall Protection | 115 |
| Administrator Tips | 116 |
| Using Rules to Block or Allow Specific Kinds of Traffic | 117 |
| Services-Based Rules | 117 |
| Outbound Rules (Service Blocking) | 118 |
| Inbound Rules (Port Forwarding) | 120 |
| Order of Precedence for Rules | 125 |
| Setting LAN WAN Rules | 126 |
| LAN WAN Outbound Services Rules | 127 |
| LAN WAN Inbound Services Rules | 128 |
| Setting DMZ WAN Rules | 129 |
| DMZ WAN Outbound Services Rules | 131 |
| DMZ WAN Inbound Services Rules | 132 |
| Setting LAN DMZ Rules | 133 |
| LAN DMZ Outbound Services Rules | 134 |
| LAN DMZ Inbound Services Rules | 135 |
| Inbound Rules Examples | 136 |
| LAN WAN Inbound Rule: Hosting A Local Public Web Server | 136 |
| LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses | 136 |
| LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping | 137 |
| LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host | 139 |
| Outbound Rules Example | 140 |
| LAN WAN Outbound Rule: Blocking Instant Messenger | 140 |
| Configuring Other Firewall Features | 141 |
| Attack Checks | 141 |
| Setting Session Limits | 144 |
| Managing the Application Level Gateway for SIP Sessions | 145 |
| Creating Services, QoS Profiles, and Bandwidth Profiles | 146 |
| Adding Customized Services | 146 |
| Creating Quality of Service (QoS) Profiles | 149 |
| Creating Bandwidth Profiles | 152 |
| Setting a Schedule to Block or Allow Specific Traffic | 155 |
| Enabling Source MAC Filtering | 156 |
| Setting up IP/MAC Bindings | 158 |
| Configuring Port Triggering | 160 |
| Using the Intrusion Prevention System | 163 |
| Chapter 6 Content Filtering and Optimizing Scans | 167 |
| About Content Filtering and Scans | 167 |
| Default E-mail and Web Scan Settings | 168 |
| Configuring E-mail Protection | 169 |
| Customizing E-mail Protocol Scan Settings | 170 |
| Customizing E-mail Anti-Virus and Notification Settings | 171 |
| E-mail Content Filtering | 174 |
| Protecting Against E-mail Spam | 177 |
| Setting Up the Whitelist and Blacklist | 178 |
| Configuring the Real-time Blacklist | 180 |
| By default, the UTM comes with three pre-defined blacklist providers: Dsbl, Spamhaus, and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL sources. | 181 |
| Configuring Distributed Spam Analysis | 182 |
| Configuring Web and Services Protection | 185 |
| Customizing Web Protocol Scan Settings and Services | 185 |
| Configuring Web Malware Scans | 187 |
| Configuring Web Content Filtering | 189 |
| Configuring Web URL Filtering | 196 |
| HTTPS Scan Settings | 200 |
| Specifying Trusted Hosts | 203 |
| Configuring FTP Scans | 205 |
| Setting Web Access Exceptions and Scanning Exclusions | 207 |
| Setting Web Access Exception Rules | 207 |
| Setting Scanning Exclusions | 210 |
| Chapter 7 Virtual Private Networking Using IPsec Connections | 213 |
| Considerations for Dual WAN Port Systems (Dual-WAN Port Models Only) | 213 |
| Using the IPsec VPN Wizard for Client and Gateway Configurations | 215 |
| Creating Gateway-to-Gateway VPN Tunnels with the Wizard | 216 |
| Creating a Client to Gateway VPN Tunnel | 221 |
| Using the VPN Wizard Configure the Gateway for a Client Tunnel | 221 |
| Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection | 224 |
| Testing the Connections and Viewing Status Information | 229 |
| Testing the VPN Connection | 229 |
| NETGEAR VPN Client Status and Log Information | 230 |
| Viewing the UTM IPsec VPN Connection Status | 232 |
| Viewing the UTM IPsec VPN Log | 233 |
| Managing IPsec VPN Policies | 234 |
| Managing IKE Policies | 235 |
| The IKE Policies Screen | 235 |
| Manually Adding or Editing an IKE Policy | 237 |
| Managing VPN Policies | 243 |
| The VPN Policies Screen | 243 |
| Manually Adding or Editing a VPN Policy | 245 |
| Configuring Extended Authentication (XAUTH) | 250 |
| Configuring XAUTH for VPN Clients | 251 |
| User Database Configuration | 252 |
| RADIUS Client Configuration | 252 |
| Assigning IP Addresses to Remote Users (Mode Config) | 255 |
| Mode Config Operation | 255 |
| Configuring Mode Config Operation on the UTM | 255 |
| Configuring the ProSafe VPN Client for Mode Config Operation | 262 |
| Testing the Mode Config Connection | 267 |
| Configuring Keepalives and Dead Peer Detection | 267 |
| Configuring Keepalives | 268 |
| Configuring Dead Peer Connection | 269 |
| Configuring NetBIOS Bridging with IPsec VPN | 271 |
| Chapter 8 Virtual Private Networking Using SSL Connections | 273 |
| Understanding the SSL VPN Portal Options | 273 |
| Using the SSL VPN Wizard for Client Configurations | 274 |
| SSL VPN Wizard Step 1 of 6: Portal Settings | 275 |
| SSL VPN Wizard Step 2 of 6: Domain Settings | 277 |
| SSL VPN Wizard Step 3 of 6: User Settings | 279 |
| SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes | 281 |
| SSL VPN Wizard Step 5 of 6: Port Forwarding | 283 |
| SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings | 285 |
| Accessing the New SSL Portal Login Screen | 286 |
| Viewing the UTM SSL VPN Connection Status | 288 |
| Viewing the UTM SSL VPN Log | 288 |
| Manually Configuring and Editing SSL Connections | 289 |
| Creating the Portal Layout | 290 |
| Configuring Domains, Groups, and Users | 294 |
| Configuring Applications for Port Forwarding | 294 |
| Adding Servers and Port Numbers | 295 |
| Adding A New Host Name | 296 |
| Configuring the SSL VPN Client | 297 |
| Configuring the Client IP Address Range | 298 |
| Adding Routes for VPN Tunnel Clients | 299 |
| Using Network Resource Objects to Simplify Policies | 300 |
| Adding New Network Resources | 301 |
| Editing Network Resources to Specify Addresses | 302 |
| Configuring User, Group, and Global Policies | 303 |
| Viewing Policies | 304 |
| Adding a Policy | 305 |
| Chapter 9 Managing Users, Authentication, and Certificates | 311 |
| Configuring VPN Authentication Domains, Groups, and Users | 311 |
| Configuring Domains | 312 |
| Configuring Groups for VPN Policies | 316 |
| Creating and Deleting Groups | 317 |
| Editing Groups | 318 |
| Configuring User Accounts | 319 |
| Setting User Login Policies | 322 |
| Configuring Login Policies | 322 |
| Configuring Login Restrictions Based on IP Address | 323 |
| Configuring Login Restrictions Based on Web Browser | 324 |
| Changing Passwords and Other User Settings | 326 |
| Managing Digital Certificates | 327 |
| Managing CA Certificates | 329 |
| Managing Self Certificates | 330 |
| Generating a CSR and Obtaining a Self Certificate from a CA | 331 |
| Viewing and Managing Self Certificates | 335 |
| Managing the Certificate Revocation List | 335 |
| Chapter 10 Network and System Management | 337 |
| Performance Management | 337 |
| Bandwidth Capacity | 337 |
| Features That Reduce Traffic | 338 |
| LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) | 338 |
| Content Filtering | 340 |
| Source MAC Filtering | 341 |
| Features That Increase Traffic | 341 |
| LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding) | 342 |
| Port Triggering | 343 |
| Configuring the DMZ Port | 343 |
| For the information on how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 4-18. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 5-15. | 344 |
| Configuring Exposed Hosts | 344 |
| Configuring VPN Tunnels | 344 |
| Using QoS and Bandwidth Assignment to Shift the Traffic Mix | 344 |
| Assigning QoS Profiles | 344 |
| Monitoring Tools for Traffic Management | 345 |
| System Management | 345 |
| Changing Passwords and Administrator Settings | 345 |
| Configuring Remote Management Access | 348 |
| Using an SNMP Manager | 350 |
| Managing the Configuration File | 351 |
| Backup Settings | 352 |
| Restore Settings | 353 |
| Reverting to Factory Default Settings | 354 |
| Updating the Firmware | 354 |
| Viewing the Available Firmware Versions | 355 |
| Upgrading the Firmware and Rebooting the UTM | 356 |
| Rebooting Without Changing the Firmware | 357 |
| Updating the Scan Signatures and Scan Engine Firmware | 357 |
| Configuring Automatic Update and Frequency Settings | 359 |
| Configuring Date and Time Service | 360 |
| Chapter 11 Monitoring System Access and Performance | 363 |
| Enabling the WAN Traffic Meter | 363 |
| Configuring Logging, Alerts, and Event Notifications | 367 |
| Configuring the E-mail Notification Server | 367 |
| Configuring and Activating System, E-mail, and Syslog Logs | 368 |
| Configuring and Activating Update Failure and Attack Alerts | 372 |
| Configuring and Activating Firewall Logs | 375 |
| Monitoring Real-Time Traffic, Security, and Statistics | 376 |
| Viewing Status Screens | 382 |
| Viewing System Status | 382 |
| Viewing Active VPN Users | 386 |
| Viewing VPN Tunnel Connection Status | 386 |
| Viewing Port Triggering Status | 388 |
| Viewing the WAN Ports Status | 389 |
| Viewing Attached Devices and the DHCP Log | 391 |
| Viewing Attached Devices | 391 |
| Viewing the DHCP Log | 393 |
| Querying Logs and Generating Reports | 394 |
| Querying the Logs | 394 |
| Example: Using Logs to Identify Infected Clients | 400 |
| Log Management | 400 |
| Scheduling and Generating Reports | 401 |
| Generating Reports | 402 |
| Scheduling Reports | 404 |
| Using Diagnostics Utilities | 405 |
| Using the Network Diagnostic Tools | 406 |
| Sending a Ping Packet | 406 |
| Tracing a Route | 407 |
| Displaying the Routing Table | 407 |
| Looking up a DNS Address | 407 |
| Using the Realtime Traffic Diagnostics Tool | 408 |
| Gathering Important Log Information and Generating a Network Statistics Report | 409 |
| Gathering Important Log Information | 409 |
| Rebooting and Shutting Down the UTM | 410 |
| Chapter 12 Troubleshooting and Using Online Support | 411 |
| Basic Functioning | 412 |
| Power LED Not On | 412 |
| Test LED Never Turns Off | 412 |
| LAN or WAN Port LEDs Not On | 413 |
| Troubleshooting the Web Management Interface | 413 |
| When You Enter a URL or IP Address a Time-out Error Occurs | 414 |
| Troubleshooting the ISP Connection | 415 |
| Troubleshooting a TCP/IP Network Using a Ping Utility | 417 |
| Testing the LAN Path to Your UTM | 417 |
| Testing the Path from Your PC to a Remote Device | 418 |
| Restoring the Default Configuration and Password | 419 |
| Problems with Date and Time | 420 |
| Using Online Support | 420 |
| Enabling Remote Troubleshooting | 420 |
| Sending Suspicious Files to NETGEAR for Analysis | 421 |
| Accessing the Knowledge Base and Documentation | 422 |
| Appendix A Default Settings and Technical Specifications | 423 |
| Appendix B Network Planning for Dual WAN Ports (Dual-WAN Port Models Only) | 427 |
| What to Consider Before You Begin | 427 |
| Cabling and Computer Hardware Requirements | 429 |
| Computer Network Configuration Requirements | 429 |
| Internet Configuration Requirements | 429 |
| Where Do I Get The Internet Configuration Information? | 430 |
| Internet Connection Information | 430 |
| Overview of the Planning Process | 431 |
| Inbound Traffic | 433 |
| Inbound Traffic to a Single WAN Port System | 433 |
| Inbound Traffic to a Dual WAN Port System | 434 |
| Inbound Traffic: Dual WAN Ports for Improved Reliability | 434 |
| Inbound Traffic: Dual WAN Ports for Load Balancing | 434 |
| Virtual Private Networks (VPNs) | 435 |
| VPN Road Warrior (Client-to-Gateway) | 437 |
| VPN Road Warrior: Single Gateway WAN Port (Reference Case) | 437 |
| VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability | 437 |
| VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing | 439 |
| VPN Gateway-to-Gateway | 439 |
| VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) | 439 |
| VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability | 440 |
| VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing | 441 |
| VPN Telecommuter (Client-to-Gateway Through a NAT Router) | 442 |
| VPN Telecommuter: Single Gateway WAN Port (Reference Case) | 442 |
| VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability | 443 |
| VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing | 444 |
| Appendix C System Logs and Error Messages | 445 |
| System Log Messages | 446 |
| System Startup | 446 |
| Reboot | 446 |
| Service Logs | 447 |
| NTP | 447 |
| Login/Logout | 448 |
| Firewall Restart | 448 |
| IPsec Restart | 448 |
| WAN Status | 449 |
| Auto-Rollover Mode | 449 |
| Load-Balancing Mode | 450 |
| PPP Logs | 451 |
| Traffic Metering Logs | 453 |
| Unicast Logs | 453 |
| ICMP Redirect Logs | 453 |
| Multicast/Broadcast Logs | 454 |
| Invalid Packet Logging | 454 |
| Content Filtering and Security Logs | 456 |
| Web Filtering and Content Filtering Logs | 456 |
| Spam Logs | 457 |
| Traffic Logs | 458 |
| Virus Logs | 458 |
| E-mail Filter Logs | 458 |
| IPS Logs | 459 |
| Port Scan Logs | 459 |
| Instant Messaging/Peer-to-Peer Logs | 459 |
| Routing Logs | 460 |
| LAN to WAN Logs | 460 |
| LAN to DMZ Logs | 460 |
| DMZ to WAN Logs | 460 |
| WAN to LAN Logs | 461 |
| DMZ to LAN Logs | 461 |
| WAN to DMZ Logs | 461 |
| Appendix D Two Factor Authentication | 463 |
| Why do I need Two-Factor Authentication? | 463 |
| What are the benefits of Two-Factor Authentication? | 463 |
| What is Two-Factor Authentication | 464 |
| NETGEAR Two-Factor Authentication Solutions | 464 |
| Appendix E Related Documents | 467 |