Home » Netgear Manuals » Network Security & Firewall Devices » Netgear UTM5EW-100NAS » Manual Viewer

Netgear UTM5EW-100NAS Reference Manual - Page 242

Apply, IPSec VPN, Add IKE Policy screen see

View all Netgear UTM5EW-100NAS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 242 highlights

ProSecure Unified Threat Management (UTM) Appliance Reference Manual Table 7-10. Add IKE Policy Settings (continued) Item Description (or Subfield and Description) Extended Authentication XAUTH Configuration Note: For more information about XAUTH and its authentication modes, see "Configuring XAUTH for VPN Clients" on page 7-39. Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and-if enabled-which device is used to verify user account information: • None. XAUTH is disabled. This the default setting. • Edge Device. The UTM functions as a VPN concentrator on which one or more gateway tunnels terminate. The authentication mode that is available for this configuration is User Database, RADIUS PAP, or RADIUS CHAP. • IPSec Host. The UTM functions as a VPN client of the remote gateway. In this configuration the UTM is authenticated by a remote gateway with a user name and password combination. Authentication Type For an Edge Device configuration: from the pull-down menu, select one of the following authentication types: • User Database. XAUTH occurs through the UTM's user database. Users must be added through the Add User screen (see "User Database Configuration" on page 7-40). • Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP). The local user database is first checked. If the user account is not present in the local user database, the UTM connects to a RADIUS server. For more information, see "RADIUS Client Configuration" on page 7-40. • Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP). For more information, see "RADIUS Client Configuration" on page 7-40. Username The user name for XAUTH. Password The password for XAUTH. 4. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. To edit an IKE policy: 1. Select VPN > IPSec VPN from the menu. The IPsec VPN submenu tabs appear with the IKE Policies screen in view (see Figure 7-20 on page 7-24). 2. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that you want to edit. The Edit IKE Policy screen displays. This screen shows the same field as the Add IKE Policy screen (see Figure 7-21 on page 7-26). 3. Modify the settings that you wish to change (see Table 7-10). 7-30 Virtual Private Networking Using IPsec Connections v1.0, January 2010

Section	Page
ProSecure Unified Threat Management (UTM) Appliance Reference Manual	1
Contents	7
About This Manual	17
Conventions, Formats, and Scope	17
How to Print This Manual	18
Revision History	18
Chapter 1 Introduction	19
What Is the ProSecure Unified Threat Management (UTM) Appliance?	19
Key Features and Capabilities	20
Dual-WAN Port Models for Increased Reliability or Outbound Load Balancing	21
Advanced VPN Support for Both IPsec and SSL	21
A Powerful, True Firewall	22
Stream Scanning for Content Filtering	22
Security Features	23
Autosensing Ethernet Connections with Auto Uplink	23
Extensive Protocol Support	24
Easy Installation and Management	24
Maintenance and Support	25
Model Comparison	25
Service Registration Card with License Keys	26
Package Contents	27
Hardware Features	28
Front Panel	28
Rear Panel	30
Bottom Panel With Product Label	30
Choosing a Location for the UTM	32
Using the Rack-Mounting Kit	33
Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network	35
Understanding the Steps for Initial Connection	35
Qualified Web Browsers	36
Logging In to the UTM	36
Understanding the Web Management Interface Menu Layout	39
Using the Setup Wizard to Perform the Initial Configuration	41
Setup Wizard Step 1 of 10: LAN Settings	42
Setup Wizard Step 2 of 10: WAN Settings	45
Setup Wizard Step 3 of 10: System Date and Time	48
Setup Wizard Step 4 of 10: Services	50
Setup Wizard Step 5 of 10: Email Security	52
Setup Wizard Step 6 of 10: Web Security	53
Setup Wizard Step 7 of 10: Web Categories to Be Blocked	55
Setup Wizard Step 8 of 10: Email Notification	57
Setup Wizard Step 9 of 10: Signatures & Engine	58
Setup Wizard Step 10 of 10: Saving the Configuration	59
Verifying Proper Installation	60
Testing Connectivity	60
Testing HTTP Scanning	60
Registering the UTM with NETGEAR	60
What to Do Next	62
Chapter 3 Manually Configuring Internet and WAN Settings	63
Understanding the Internet and WAN Configuration Tasks	63
Configuring the Internet Connections	64
Automatically Detecting and Connecting	64
Setting the UTM’s MAC Address	67
Manually Configuring the Internet Connection	67
Configuring the WAN Mode (Required for Dual-WAN Port Models Only)	71
Network Address Translation (All Models)	72
Classical Routing (All Models)	73
Configuring Auto-Rollover Mode (Dual-WAN Port Models Only)	73
Configuring Load Balancing and Optional Protocol Binding (Dual-WAN Port Models Only)	76
Configuring Secondary WAN Addresses	79
Configuring Dynamic DNS	81
Configuring Advanced WAN Options	84
Additional WAN-Related Configuration Tasks	86
Chapter 4 LAN Configuration	87
Managing Virtual LANs and DHCP Options	87
Managing the UTM’s Port-Based VLANs	88
VLAN DHCP Options	90
DHCP Server	90
DHCP Relay	91
DNS Proxy	91
LDAP Server	92
Configuring a VLAN Profile	92
Configuring Multi-Home LAN IPs on the Default VLAN	97
Managing Groups and Hosts (LAN Groups)	98
Managing the Network Database	99
Adding PCs or Devices to the Network Database	101
Editing PCs or Devices in the Network Database	102
Changing Group Names in the Network Database	102
Setting Up Address Reservation	103
Configuring and Enabling the DMZ Port	104
Managing Routing	108
Configuring Static Routes	109
Configuring Routing Information Protocol (RIP)	110
Static Route Example	113
Chapter 5 Firewall Protection	115
About Firewall Protection	115
Administrator Tips	116
Using Rules to Block or Allow Specific Kinds of Traffic	117
Services-Based Rules	117
Outbound Rules (Service Blocking)	118
Inbound Rules (Port Forwarding)	120
Order of Precedence for Rules	125
Setting LAN WAN Rules	126
LAN WAN Outbound Services Rules	127
LAN WAN Inbound Services Rules	128
Setting DMZ WAN Rules	129
DMZ WAN Outbound Services Rules	131
DMZ WAN Inbound Services Rules	132
Setting LAN DMZ Rules	133
LAN DMZ Outbound Services Rules	134
LAN DMZ Inbound Services Rules	135
Inbound Rules Examples	136
LAN WAN Inbound Rule: Hosting A Local Public Web Server	136
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses	136
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping	137
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host	139
Outbound Rules Example	140
LAN WAN Outbound Rule: Blocking Instant Messenger	140
Configuring Other Firewall Features	141
Attack Checks	141
Setting Session Limits	144
Managing the Application Level Gateway for SIP Sessions	145
Creating Services, QoS Profiles, and Bandwidth Profiles	146
Adding Customized Services	146
Creating Quality of Service (QoS) Profiles	149
Creating Bandwidth Profiles	152
Setting a Schedule to Block or Allow Specific Traffic	155
Enabling Source MAC Filtering	156
Setting up IP/MAC Bindings	158
Configuring Port Triggering	160
Using the Intrusion Prevention System	163
Chapter 6 Content Filtering and Optimizing Scans	167
About Content Filtering and Scans	167
Default E-mail and Web Scan Settings	168
Configuring E-mail Protection	169
Customizing E-mail Protocol Scan Settings	170
Customizing E-mail Anti-Virus and Notification Settings	171
E-mail Content Filtering	174
Protecting Against E-mail Spam	177
Setting Up the Whitelist and Blacklist	178
Configuring the Real-time Blacklist	180
By default, the UTM comes with three pre-defined blacklist providers: Dsbl, Spamhaus, and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL sources.	181
Configuring Distributed Spam Analysis	182
Configuring Web and Services Protection	185
Customizing Web Protocol Scan Settings and Services	185
Configuring Web Malware Scans	187
Configuring Web Content Filtering	189
Configuring Web URL Filtering	196
HTTPS Scan Settings	200
Specifying Trusted Hosts	203
Configuring FTP Scans	205
Setting Web Access Exceptions and Scanning Exclusions	207
Setting Web Access Exception Rules	207
Setting Scanning Exclusions	210
Chapter 7 Virtual Private Networking Using IPsec Connections	213
Considerations for Dual WAN Port Systems (Dual-WAN Port Models Only)	213
Using the IPsec VPN Wizard for Client and Gateway Configurations	215
Creating Gateway-to-Gateway VPN Tunnels with the Wizard	216
Creating a Client to Gateway VPN Tunnel	221
Using the VPN Wizard Configure the Gateway for a Client Tunnel	221
Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection	224
Testing the Connections and Viewing Status Information	229
Testing the VPN Connection	229
NETGEAR VPN Client Status and Log Information	230
Viewing the UTM IPsec VPN Connection Status	232
Viewing the UTM IPsec VPN Log	233
Managing IPsec VPN Policies	234
Managing IKE Policies	235
The IKE Policies Screen	235
Manually Adding or Editing an IKE Policy	237
Managing VPN Policies	243
The VPN Policies Screen	243
Manually Adding or Editing a VPN Policy	245
Configuring Extended Authentication (XAUTH)	250
Configuring XAUTH for VPN Clients	251
User Database Configuration	252
RADIUS Client Configuration	252
Assigning IP Addresses to Remote Users (Mode Config)	255
Mode Config Operation	255
Configuring Mode Config Operation on the UTM	255
Configuring the ProSafe VPN Client for Mode Config Operation	262
Testing the Mode Config Connection	267
Configuring Keepalives and Dead Peer Detection	267
Configuring Keepalives	268
Configuring Dead Peer Connection	269
Configuring NetBIOS Bridging with IPsec VPN	271
Chapter 8 Virtual Private Networking Using SSL Connections	273
Understanding the SSL VPN Portal Options	273
Using the SSL VPN Wizard for Client Configurations	274
SSL VPN Wizard Step 1 of 6: Portal Settings	275
SSL VPN Wizard Step 2 of 6: Domain Settings	277
SSL VPN Wizard Step 3 of 6: User Settings	279
SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes	281
SSL VPN Wizard Step 5 of 6: Port Forwarding	283
SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings	285
Accessing the New SSL Portal Login Screen	286
Viewing the UTM SSL VPN Connection Status	288
Viewing the UTM SSL VPN Log	288
Manually Configuring and Editing SSL Connections	289
Creating the Portal Layout	290
Configuring Domains, Groups, and Users	294
Configuring Applications for Port Forwarding	294
Adding Servers and Port Numbers	295
Adding A New Host Name	296
Configuring the SSL VPN Client	297
Configuring the Client IP Address Range	298
Adding Routes for VPN Tunnel Clients	299
Using Network Resource Objects to Simplify Policies	300
Adding New Network Resources	301
Editing Network Resources to Specify Addresses	302
Configuring User, Group, and Global Policies	303
Viewing Policies	304
Adding a Policy	305
Chapter 9 Managing Users, Authentication, and Certificates	311
Configuring VPN Authentication Domains, Groups, and Users	311
Configuring Domains	312
Configuring Groups for VPN Policies	316
Creating and Deleting Groups	317
Editing Groups	318
Configuring User Accounts	319
Setting User Login Policies	322
Configuring Login Policies	322
Configuring Login Restrictions Based on IP Address	323
Configuring Login Restrictions Based on Web Browser	324
Changing Passwords and Other User Settings	326
Managing Digital Certificates	327
Managing CA Certificates	329
Managing Self Certificates	330
Generating a CSR and Obtaining a Self Certificate from a CA	331
Viewing and Managing Self Certificates	335
Managing the Certificate Revocation List	335
Chapter 10 Network and System Management	337
Performance Management	337
Bandwidth Capacity	337
Features That Reduce Traffic	338
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)	338
Content Filtering	340
Source MAC Filtering	341
Features That Increase Traffic	341
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)	342
Port Triggering	343
Configuring the DMZ Port	343
For the information on how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 4-18. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 5-15.	344
Configuring Exposed Hosts	344
Configuring VPN Tunnels	344
Using QoS and Bandwidth Assignment to Shift the Traffic Mix	344
Assigning QoS Profiles	344
Monitoring Tools for Traffic Management	345
System Management	345
Changing Passwords and Administrator Settings	345
Configuring Remote Management Access	348
Using an SNMP Manager	350
Managing the Configuration File	351
Backup Settings	352
Restore Settings	353
Reverting to Factory Default Settings	354
Updating the Firmware	354
Viewing the Available Firmware Versions	355
Upgrading the Firmware and Rebooting the UTM	356
Rebooting Without Changing the Firmware	357
Updating the Scan Signatures and Scan Engine Firmware	357
Configuring Automatic Update and Frequency Settings	359
Configuring Date and Time Service	360
Chapter 11 Monitoring System Access and Performance	363
Enabling the WAN Traffic Meter	363
Configuring Logging, Alerts, and Event Notifications	367
Configuring the E-mail Notification Server	367
Configuring and Activating System, E-mail, and Syslog Logs	368
Configuring and Activating Update Failure and Attack Alerts	372
Configuring and Activating Firewall Logs	375
Monitoring Real-Time Traffic, Security, and Statistics	376
Viewing Status Screens	382
Viewing System Status	382
Viewing Active VPN Users	386
Viewing VPN Tunnel Connection Status	386
Viewing Port Triggering Status	388
Viewing the WAN Ports Status	389
Viewing Attached Devices and the DHCP Log	391
Viewing Attached Devices	391
Viewing the DHCP Log	393
Querying Logs and Generating Reports	394
Querying the Logs	394
Example: Using Logs to Identify Infected Clients	400
Log Management	400
Scheduling and Generating Reports	401
Generating Reports	402
Scheduling Reports	404
Using Diagnostics Utilities	405
Using the Network Diagnostic Tools	406
Sending a Ping Packet	406
Tracing a Route	407
Displaying the Routing Table	407
Looking up a DNS Address	407
Using the Realtime Traffic Diagnostics Tool	408
Gathering Important Log Information and Generating a Network Statistics Report	409
Gathering Important Log Information	409
Rebooting and Shutting Down the UTM	410
Chapter 12 Troubleshooting and Using Online Support	411
Basic Functioning	412
Power LED Not On	412
Test LED Never Turns Off	412
LAN or WAN Port LEDs Not On	413
Troubleshooting the Web Management Interface	413
When You Enter a URL or IP Address a Time-out Error Occurs	414
Troubleshooting the ISP Connection	415
Troubleshooting a TCP/IP Network Using a Ping Utility	417
Testing the LAN Path to Your UTM	417
Testing the Path from Your PC to a Remote Device	418
Restoring the Default Configuration and Password	419
Problems with Date and Time	420
Using Online Support	420
Enabling Remote Troubleshooting	420
Sending Suspicious Files to NETGEAR for Analysis	421
Accessing the Knowledge Base and Documentation	422
Appendix A Default Settings and Technical Specifications	423
Appendix B Network Planning for Dual WAN Ports (Dual-WAN Port Models Only)	427
What to Consider Before You Begin	427
Cabling and Computer Hardware Requirements	429
Computer Network Configuration Requirements	429
Internet Configuration Requirements	429
Where Do I Get The Internet Configuration Information?	430
Internet Connection Information	430
Overview of the Planning Process	431
Inbound Traffic	433
Inbound Traffic to a Single WAN Port System	433
Inbound Traffic to a Dual WAN Port System	434
Inbound Traffic: Dual WAN Ports for Improved Reliability	434
Inbound Traffic: Dual WAN Ports for Load Balancing	434
Virtual Private Networks (VPNs)	435
VPN Road Warrior (Client-to-Gateway)	437
VPN Road Warrior: Single Gateway WAN Port (Reference Case)	437
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability	437
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing	439
VPN Gateway-to-Gateway	439
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)	439
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability	440
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing	441
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	442
VPN Telecommuter: Single Gateway WAN Port (Reference Case)	442
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability	443
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing	444
Appendix C System Logs and Error Messages	445
System Log Messages	446
System Startup	446
Reboot	446
Service Logs	447
NTP	447
Login/Logout	448
Firewall Restart	448
IPsec Restart	448
WAN Status	449
Auto-Rollover Mode	449
Load-Balancing Mode	450
PPP Logs	451
Traffic Metering Logs	453
Unicast Logs	453
ICMP Redirect Logs	453
Multicast/Broadcast Logs	454
Invalid Packet Logging	454
Content Filtering and Security Logs	456
Web Filtering and Content Filtering Logs	456
Spam Logs	457
Traffic Logs	458
Virus Logs	458
E-mail Filter Logs	458
IPS Logs	459
Port Scan Logs	459
Instant Messaging/Peer-to-Peer Logs	459
Routing Logs	460
LAN to WAN Logs	460
LAN to DMZ Logs	460
DMZ to WAN Logs	460
WAN to LAN Logs	461
DMZ to LAN Logs	461
WAN to DMZ Logs	461
Appendix D Two Factor Authentication	463
Why do I need Two-Factor Authentication?	463
What are the benefits of Two-Factor Authentication?	463
What is Two-Factor Authentication	464
NETGEAR Two-Factor Authentication Solutions	464
Appendix E Related Documents	467

Match case Limit results 1 per page

ProSecure Unified Threat Management (UTM) Appliance Reference Manual

7-30

Virtual Private Networking Using IPsec Connections

v1.0, January 2010

Click

Apply

to save your settings. The IKE policy is added to the List of IKE Policies table.

To edit an IKE policy:

Select

VPN

IPSec VPN

from the menu. The IPsec VPN submenu tabs appear with the IKE

Policies screen in view (see

Figure 7-20 on page 7-24

In the List of IKE Policies table, click the

Edit

table button to the right of the IKE policy that

you want to edit. The Edit IKE Policy screen displays. This screen shows the same field as the

Add IKE Policy screen (see

Figure 7-21 on page 7-26

Modify the settings that you wish to change (see

Table 7-10

Extended Authentication

XAUTH Configuration

Note

: For more

information about

XAUTH and its

authentication modes,

see

“Configuring

XAUTH for VPN

Clients” on page 7-39

Select one of the following radio buttons to specify whether or not Extended

Authentication (XAUTH) is enabled, and–if enabled–which device is used to

verify user account information:

•

None

. XAUTH is disabled. This the default setting.

•

Edge Device

. The UTM functions as a VPN concentrator on which one or

more gateway tunnels terminate. The authentication mode that is available

for this configuration is User Database, RADIUS PAP, or RADIUS CHAP.

•

IPSec Host

. The UTM functions as a VPN client of the remote gateway. In

this configuration the UTM is authenticated by a remote gateway with a user

name and password combination.

Authentication

Type

For an Edge Device configuration: from the pull-down

menu, select one of the following authentication types:

•

User Database

. XAUTH occurs through the UTM’s user

database. Users must be added through the Add User

screen (see

“User Database Configuration” on

page 7-40

•

Radius PAP

. XAUTH occurs through RADIUS Password

Authentication Protocol (PAP). The local user database

is first checked. If the user account is not present in the

local user database, the UTM connects to a RADIUS

server. For more information, see

“RADIUS Client

Configuration” on page 7-40

•

Radius CHAP

. XAUTH occurs through RADIUS

Challenge Handshake Authentication Protocol (CHAP).

For more information, see

“RADIUS Client Configuration”

on page 7-40

Username

The user name for XAUTH.

Password

The password for XAUTH.

Table 7-10. Add IKE Policy Settings (continued)

Item

Description (or Subfield and Description)