ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA October 2008 202-10416-01 v1.0 Trademarks NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Statement of Conditions In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: • Reorient or relocate the receiving antenna. • Increase the separation between the equipment and receiver. • Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. • Consult the dealer or an experienced radio/TV technician for help. EU Regulatory Compliance Statement The ProSafe Wireless-N VPN Firewall is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1. Bestätigung des Herstellers/Importeurs Es wird hiermit bestätigt, daß das ProSafe Wireless-N VPN Firewall gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung. Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen. Certificate of the Manufacturer/Importer It is hereby certified that the ProSafe Wireless-N VPN Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. ii 1.0, October 2008 Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling. Additional Copyrights AES Copyright (c) 2001, Dr Brian Gladman <[email protected]>, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission. This software is provided 'as is' with no express or implied warranties of correctness or fitness for purpose. iii 1.0, October 2008 Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions * are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)” 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected] 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]). MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 MessageDigest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software. iv 1.0, October 2008 PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. Zlib zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th, 2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly: [email protected]; Mark Adler: [email protected] The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format) Product and Publication Details Model Number: SRXN3205 Publication Date: October 2008 Product Family: VPN Firewall Product Name: ProSafe Wireless-N VPN Firewall Home or Business Product: Business Language: English Publication Part Number: 202-10416-01 Publication Version Number 1.0 v 1.0, October 2008 vi 1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Contents About This Manual Conventions, Formats, and Scope ..................................................................................xiii How to Use This Manual ..................................................................................................xiv How to Print this Manual ..................................................................................................xiv Revision History ............................................................................................................... xv Chapter 1 Introduction Key Firewall Features .....................................................................................................1-1 A Powerful, True Firewall with Content Filtering ......................................................1-2 Autosensing Ethernet Connections with Auto Uplink ...............................................1-2 Extensive Protocol Support ......................................................................................1-3 Advanced VPN Support for Both IPsec and SSL .....................................................1-3 Wireless Networking Features ........................................................................................1-4 Easy Installation and Management ................................................................................1-5 System Requirements ..............................................................................................1-5 Package Contents ..........................................................................................................1-6 Front Panel Features ......................................................................................................1-6 Rear Panel Features ......................................................................................................1-8 Default IP Address, Login Name, and Password Location .............................................1-9 Qualified Web Browsers .................................................................................................1-9 Chapter 2 Connecting to the Internet (WAN) Understanding the Connection Steps .............................................................................2-1 Logging into the VPN Firewall ........................................................................................2-2 Navigating the Menus .....................................................................................................2-3 Configuring the Internet Connection (WAN) ...................................................................2-3 Automatically Detecting and Connecting .................................................................2-3 Manually Configuring the Internet Connection .........................................................2-6 vii v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring the WAN Mode ...................................................................................2-10 Configuring Dynamic DNS ........................................................................................... 2-11 Configuring the Advanced WAN Options (Optional) .....................................................2-12 Additional WAN Related Configuration ..................................................................2-14 Chapter 3 LAN Configuration Configuring the LAN Setup Options ...............................................................................3-1 Using the VPN Firewall as a DHCP Server ....................................................................3-3 Configuring DHCP Address Reservation ........................................................................3-4 Managing Groups and Hosts (LAN Groups) ...................................................................3-4 Viewing the LAN Groups Database .........................................................................3-5 Adding Devices to the LAN Groups Database .........................................................3-6 Changing Group Names in the LAN Groups Database ...........................................3-7 Configuring Multi Home LAN IP Addresses ....................................................................3-8 Configuring Static Routes .............................................................................................3-10 Configuring Routing Information Protocol (RIP) ........................................................... 3-11 Chapter 4 Wireless Configuration Wireless Equipment Placement and Range Guidelines .................................................4-2 Understanding SRXN3205 Wireless Security Options ...................................................4-2 Basic Wireless Setup (No Security) ................................................................................4-4 Completing Wireless Setup (No Security) ......................................................................4-5 Configuring 802.11b/g/n Wireless Settings ..............................................................4-5 Testing Wireless Connectivity (No Security) ............................................................4-6 Wireless Security Types and Settings ............................................................................4-8 SSID and WEP/WPA Settings Setup Form ..............................................................4-9 Configuring WEP .................................................................................................... 4-11 Configuring WPA-PSK ...........................................................................................4-12 Configuring WPA2-PSK .........................................................................................4-12 Configuring WPA-PSK and WPA2-PSK .................................................................4-13 Configuring WPA with RADIUS ..............................................................................4-13 Verifying Wireless Connectivity (Security) ..............................................................4-16 Deploying the firewall .............................................................................................4-16 Advanced Wireless Settings .........................................................................................4-17 Configuring Advanced Wireless Settings ...............................................................4-17 viii v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Restricting Wireless Access by MAC Address .......................................................4-18 Chapter 5 Firewall Security and Content Filtering About Firewall Security and Content Filtering ................................................................5-1 Using Rules & Services to Block or Allow Traffic ............................................................5-2 Services-Based Rules ..............................................................................................5-2 Viewing the Firewall Rules ....................................................................................5-7 Order of Precedence for Rules ................................................................................5-7 Setting the Outbound Policy .....................................................................................5-7 Creating a LAN WAN Outbound Services Rule .......................................................5-8 Creating a LAN WAN Inbound Services Rule ..........................................................5-8 Attack Checks ........................................................................................................5-10 Inbound Rules Examples ....................................................................................... 5-11 Outbound Rules Example ......................................................................................5-14 Enabling Session Limits .........................................................................................5-14 Adding Customized Services .................................................................................5-15 Setting Quality of Service (QoS) Priorities .............................................................5-16 Setting Schedules to Block or Allow Traffic ..................................................................5-17 Setting Block Sites (Content Filtering) ..........................................................................5-18 Enabling Source MAC Filtering (Address Filter) ...........................................................5-20 IP/MAC Binding Tab ...............................................................................................5-21 Enabling Port Triggering ...............................................................................................5-23 Bandwidth Profile ..........................................................................................................5-24 UPnP (Universal Plug and Play) ...................................................................................5-26 E-Mail Notifications of Event Logs and Alerts ...............................................................5-27 Administrator Tips .........................................................................................................5-27 Chapter 6 Virtual Private Networking Using IPsec Using the VPN Wizard for Client and Gateway Configurations ......................................6-1 Creating Gateway to Gateway VPN Tunnels with the Wizard ........................................6-2 Creating a Client to Gateway VPN Tunnel with the Wizard ............................................6-4 Viewing or Modifying IKE and VPN Policy Settings ........................................................6-5 Creating a VPN Client to SRXN3205 Connection ..........................................................6-7 Configuring the SRXN3205 ......................................................................................6-7 Configuring the VPN Client ......................................................................................6-8 ix v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Testing the Connection ........................................................................................... 6-11 Managing VPN Tunnel Policies .................................................................................... 6-11 About IKE ...............................................................................................................6-12 Managing IKE Policies ...........................................................................................6-12 About the IKE Policy Table .....................................................................................6-13 VPN Policy .............................................................................................................6-15 VPN Tunnel Connection Status ..............................................................................6-16 Manually Assigning IP Addresses to Remote Users (ModeConfig) .............................6-17 Mode Config Operation ..........................................................................................6-17 Configuring the VPN Firewall .................................................................................6-17 Configuring the ProSafe VPN Client for ModeConfig .............................................6-20 Extended Authentication (XAUTH) Configuration .........................................................6-22 Configuring XAUTH for VPN Clients ......................................................................6-23 User Database Configuration .................................................................................6-24 RADIUS Client Configuration .................................................................................6-24 Chapter 7 Virtual Private Networking Using SSL Understanding the Portal Options ...................................................................................7-1 Planning for SSL VPN ....................................................................................................7-2 Creating the Portal Layout ..............................................................................................7-3 Configuring Domains, Groups, and Users ......................................................................7-7 Configuring Applications for Port Forwarding .................................................................7-7 Adding Servers .........................................................................................................7-7 Adding A New Host Name .......................................................................................7-9 Configuring the SSL VPN Client .....................................................................................7-9 Configuring the Client IP Address Range .............................................................. 7-11 Adding Routes for VPN Tunnel Clients ..................................................................7-12 Replacing and Deleting Client Routes ...................................................................7-12 Using Network Resource Objects to Simplify Policies ..................................................7-13 Adding New Network Resources ..........................................................................7-13 Configuring User, Group, and Global Policies ..............................................................7-14 Viewing Policies .....................................................................................................7-15 Adding a Policy ......................................................................................................7-16 x v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 8 Managing Users, Authentication, and Certificates Adding Authentication Domains, Groups, and Users .....................................................8-1 Creating a Domain ...................................................................................................8-1 Creating a Group ......................................................................................................8-3 Creating a New User Account ..................................................................................8-4 Setting User Login Policies ......................................................................................8-5 Managing Certificates .....................................................................................................8-8 Viewing and Loading CA Certificates .......................................................................8-8 Viewing Active Self Certificates ................................................................................8-9 Obtaining a Self Certificate from a Certificate Authority .........................................8-10 Managing your Certificate Revocation List (CRL) ..................................................8-13 Chapter 9 Firewall and Network Management Performance Management .............................................................................................9-1 Bandwidth Capacity .................................................................................................9-1 Features that Reduce Traffic ....................................................................................9-2 Features that Increase Traffic ..................................................................................9-5 Using QoS to Shift the Traffic Mix ............................................................................9-7 Tools for Traffic Management ...................................................................................9-8 Changing Passwords and Administrator Settings ..........................................................9-8 Enabling Remote Management Access .......................................................................9-10 Using an SNMP Manager ............................................................................................. 9-11 Settings Backup and Firmware Upgrade ......................................................................9-13 Configuring Time Zone Settings ...................................................................................9-15 Chapter 11 Monitoring System Performance Enabling the Traffic Meter ............................................................................................. 11-1 Activating Notification of Events and Alerts .................................................................. 11-3 Viewing Firewall Logs ................................................................................................... 11-6 Viewing Router Configuration and System Status ........................................................ 11-7 Monitoring the WAN Port Status ................................................................................... 11-8 Monitoring Attached Devices ........................................................................................ 11-9 Reviewing the DHCP Log ........................................................................................... 11-10 Monitoring Active Users .............................................................................................. 11-11 xi v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Viewing Port Triggering Status ................................................................................... 11-12 Monitoring VPN Tunnel Connection Status ................................................................ 11-13 Reviewing the VPN Logs ............................................................................................ 11-14 Chapter 12 Troubleshooting Basic Functions ............................................................................................................12-1 Power LED Not On .................................................................................................12-2 LEDs Never Turn Off ..............................................................................................12-2 LAN or WAN Port LEDs Not On .............................................................................12-2 Troubleshooting the Web Configuration Interface ........................................................12-2 Troubleshooting the ISP Connection ............................................................................12-4 Troubleshooting a TCP/IP Network Using a Ping Utility ...............................................12-5 Testing the LAN Path to Your VPN Firewall ...........................................................12-5 Testing the Path from Your PC to a Remote Device ..............................................12-6 Restoring the Default Configuration and Password ......................................................12-7 Problems with Date and Time .......................................................................................12-7 Diagnostics Functions ..................................................................................................12-8 Appendix A Default Settings and Technical Specifications Default Settings ............................................................................................................. A-1 Technical Specifications ................................................................................................. A-3 Appendix B Related Documents Index xii v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual About This Manual The NETGEAR® ProSafe™ Wireless-N VPN FirewallReference Manual describes how to configure and troubleshoot a ProSafe Wireless-N VPN Firewall. The information in this manual is intended for readers with intermediate computer and networking skills. Conventions, Formats, and Scope The conventions, formats, and scope of this manual are described in the following paragraphs: • • Typographical Conventions. This manual uses the following typographical conventions: Italic Emphasis, books, CDs, file and server names, extensions Bold User input, IP addresses, GUI screen text Fixed Command prompt, CLI text, code italic URL links Formats. This manual uses the following formats to highlight special messages: Note: This format is used to highlight information of importance or special interest. Tip: This format is used to highlight a procedure that will save time or resources. Warning: Ignoring this type of note may result in a malfunction or damage to the equipment. xiii v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death. • Scope. This manual is written for the firewall according to these specifications: Product ProSafe Wireless-N VPN Firewall Manual Publication Date October 2008 For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, “Related Documents.”. Note: Product updates are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/SRXN3205.asp. How to Use This Manual The HTML version of this manual includes the following: • Buttons, at a time and , for browsing forwards or backwards through the manual one page • A button that displays the table of contents and an button. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual. • A model. • Links to PDF versions of the full manual and individual chapters. button to access the full NETGEAR, Inc. online knowledge base for the product How to Print this Manual To print this manual, you can choose one of the following options, according to your needs. • Printing a Page from HTML. Each page in the HTML version of the manual is dedicated to a major topic. Select File > Print from the browser menu to print the page contents. xiv v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com. – Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page. – • Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window. • Click the print icon in the upper left of your browser window. Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link at the top left of any page. • Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual opens in a browser window. • Click the print icon in the upper left of your browser window. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature. Revision History Manual Part Number Manual Publication Version Date Number Description 202-10416-01 1.0 First publication October 2008 xv v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual xvi v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 1 Introduction The SRXN3205 ProSafe Wireless-N VPN Firewall provides Internet connectivity to your local Ethernet and wireless networks via a broadband cable or DSL modem. The SRXN3205 is a complete security solution with a powerful and flexible firewall to safeguard your networks along with advanced IPsec and SSL VPN technologies for secure wired and wireless connections. Moreover, the ProSafe Wireless-N VPN Firewall supports wireless connections over the wider range and more robust connections afforded by 802.11N and 802.11a wireless networks. The SRXN3205 also supports wireless bridging. The Gigabit Ethernet LAN ports and WAN port ensure extremely high data transfer speeds. The SRXN3205 is a plug-and-play device that can be installed and configured within minutes. This chapter contains the following sections: • “Key Firewall Features” • “Wireless Networking Features” • “System Requirements” • “Package Contents” • “Front Panel Features” • “Rear Panel Features” • “Default IP Address, Login Name, and Password Location” • “Qualified Web Browsers” Key Firewall Features The firewall portion provides the following key features: • A single 10/100/1000 Mbps Gigabit Ethernet WAN port for your Internet connection. • Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources and all of the wireless clients. Introduction 1-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Advanced IPsec and SSL VPN support • Advanced stateful packet inspection (SPI) firewall with multi-NAT support • Easy, web-based setup for installation and management • Front panel LEDs for easy monitoring of status and activity • Flash memory for firmware upgrade • AC-DC power adapter for low current draw A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT routers, the SRXN3205 is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features include: • Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN Flood. • Blocks unwanted traffic from the Internet to your LAN. • Blocks access from your LAN to Internet locations or services that you specify as off-limits. • Prevents objectionable content from reaching your PCs. You can control access to Internet content by screening for Web services, Web addresses, and keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites. • Permits scheduling of firewall policies by day and time. • Logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs. Autosensing Ethernet Connections with Auto Uplink With its internal 5-port 10/100/1000 Mbps switch and 10/100/1000 WAN port, the SRXN3205 can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The five LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The SRXN3205 incorporates Auto UplinkTM technology. Each Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a “normal” connection such as to a PC or an “uplink” connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. 1-2 Introduction v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Extensive Protocol Support The firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to “Internet Configuration Requirements” on page C-4. • IP Address Sharing by NAT. The firewall allows many networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. • Automatic Configuration of (Wired & Wireless) PCs by DHCP. The firewall dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to PCs on the LAN and Wireless LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network. • DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. • PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC. Quality of Service (QoS) support for traffic prioritization. • Advanced VPN Support for Both IPsec and SSL The firewall supports IPsec and SSL virtual private network (VPN) connections. • IPsec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer. – IPsec VPN with broad protocol support for secure connection to other IPsec gateways and clients. – Bundled with the single-user license of the NETGEAR ProSafe VPN Client software (VPN01L) – Supports up to 5 (max) IPsec VPN tunnels (alternately, 4 IPsec VPN tunnels concurrently with 4 SSL VPN sessions, or 5 IPsec VPN tunnels concurrently with 3 SSL VPN sessions). The total number of concurrent tunnels and sessions is not to exceed eight. Introduction 1-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • SSL VPN provides remote access for mobile users to selected corporate resources without requiring a pre-installed VPN client on their computers. – Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories. – Browser based, platform-independent, remote access through a number of popular browsers, such as Microsoft Internet Explorer or Apple Safari. – Provides granular access to corporate resources based upon user type or group membership. – Supports up to 5 IPse VPN sessions and up to 5 SSL and VPN sessions. Wireless Networking Features • Dual Band Selection. The SRXN3205 allows you to configure the 802.11 wireless options for the 2.4 GHz band or the 5 GHz bands. • Upgradeable Firmware. Firmware is stored in a flash memory and can be upgraded easily, using only your Web browser, and can be also upgraded remotely. In addition to using Web browser to do so, command-line interface can also be used. • Access Control. The Access Control MAC address filtering feature can ensure that only trusted wireless stations can use the SRXN3205 to gain access to your LAN. • Hidden Mode. The SSID is not broadcast, assuring only clients configured with the correct SSID can connect. • Configuration Backup. Configuration settings can be backed up to a file and restored. • Secure and Economical Operation. Adjustable power output allows more secure or economical operation. • Autosensing Ethernet Connection with Auto Uplink Interface. Connects to 10/100/1000 Mbps IEEE 802.3 Ethernet networks. • LED Indicators. Power, test, LAN speed, LAN activity, and wireless activity for each radio mode are easily identified. 1-4 Introduction v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Easy Installation and Management You can install, configure, and operate the ProSafe Wireless-N VPN Firewall within minutes after connecting it to the network. The following features simplify installation and management tasks: • Browser-Based Management. Browser-based configuration allows you to easily configure your firewall and Wireless access from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface. • Auto Detection of ISP. The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account. • VPN Wizard. The firewall includes the NETGEAR VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN firewalls and clients. • SNMP. The firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2. • Diagnostic Functions. The firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot. • Remote Management. The firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses. • Visual monitoring. The firewall’s front panel LEDs provide an easy way to monitor its status and activity. System Requirements Before installing the SRXN3205, ensure your system meets the following requirements: • Category 5 UTP straight through Ethernet cable with RJ-45 connectors, like the one included in the package • A 100-240 V, 50-60 Hz AC power source • A Web browser for configuration, such as, Microsoft Internet Explorer 5.0 or above, or Mozilla 3.0 or above Introduction 1-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Package Contents The product package should contain the following items: • ProSafe Wireless-N VPN Firewall • Rubber feet (4) with adhesive backing • One AC-DC power adapter (12V, 1.5A) with cord (approximately 6 ft, or 183 cm) • Three dual-band antennas (SMA connectors): 2 dipole (long); 1 patch (square) • One Straight through Category 5 (Cat5) Ethernet cable. • Installation Guide, SRXN3205 ProSafe Wireless-N VPN Firewall . • Resource CD, including: – Application Notes and other helpful information. – ProSafe VPN Client Software – one user license. Warranty and Support Information Card. • If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. Front Panel Features The ProSafe Wireless-N VPN Firewall front panel is shown below: 1 2 4 3 Figure 1-1 1-6 Introduction v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table 1-1. Description of Front Panel Items Item Activity Description PWR (Power) On Green Off Power is supplied to the firewall. Power is not supplied to the firewall. TEST On Amber Blinking Amber Off Test mode: The system is initializing (On) or the initialization has failed (Blinking). Writing to Flash memory (during upgrading or resetting to defaults). The system has booted successfully. Off WLAN 802.11n/a (5GHz) mode is disabled. Blink (Green) Wireless data traffic in 5GHz modes. 1 n/a 5 GHz n/g 2.4 GHz Off Blink (Green) WLAN 802.11b/g/n (2.4 GHz) mode is disabled. 2 Reboot Factory (Press with Defaults a sharp object) Press once to reboot the unit. Hold in for 15 seconds (until the TEST light flashes). This resets the unit to factory default settings, erasing all configuration settings and restores the default password. 3 LAN Ports Four Auto MDI/MDIX, Gigabit Ethernet ports. Reset button LAN connections Wireless data traffic in 2.4 GHz modes Left LED (status): On = Link; Blink = ACT Right LED (speed): Off = 10M; Amber = 100M; Green = 1000M 4 WAN Port WAN connection One Auto MDI/MDIX, Gigabit Ethernet port. Introduction 1-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Rear Panel Features The rear panel of the ProSafe Wireless-N VPN Firewall is shown below. 1 2 Figure 1-2 New Photo 1. Detachable (SMA) Antennas: The SRXN3205 provides three SMA connectors for the detachable antennas (two dipole and one patch). For the best performance, attach the patch antenna to the middle connector and attach the dipole antennas to the two connectors on both corners. The three antennas can be positioned horizontally or vertically for the best coverage. 2. DC Power Jack: This jack connects to the SRXN3205 12V 1.5A AC-DC power adapter. 1-8 Introduction v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Default IP Address, Login Name, and Password Location Check the label on the bottom of the SRXN3205’s enclosure if you need a reminder of the following factory default information: IP Address User Name Password Figure 1-3 Qualified Web Browsers To configure the ProSafe Wireless-N VPN Firewall, an administrator must use Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher, or Mozilla Firefox l.x Web browser with JavaScript, cookies, and SSL enabled. Although these web browsers are qualified for use with the firewall’s Web Management Interface for configuring the firewall, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is only required for the SSL VPN portal, not the Web Management Interface. Introduction 1-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1-10 Introduction v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 2 Connecting to the Internet (WAN) The initial Internet configuration of the SRXN3205 ProSafe Wireless-N VPN Firewall is described in this chapter. This chapter contains the following sections: • “Understanding the Connection Steps” • “Logging into the VPN Firewall” • “Navigating the Menus” • “Configuring the Internet Connection (WAN)” • “Configuring Dynamic DNS” • “Configuring the Advanced WAN Options (Optional)” Understanding the Connection Steps Typically, six steps are required to complete the basic Internet connection of your firewall. 1. Connect the firewall to your network. Connect the cables and restart your network according to the instructions in the printed installation guide included in the product package. A PDF of the Installation Guide is on the product CD and on the NETGEAR web site at: http://kbserver.netgear.com. 2. Log in to the firewall. See “Logging into the VPN Firewall” on page 2-2. 3. Configure the Internet connection(s). See “Configuring the Internet Connection (WAN)” on page 2-3. Each of these tasks is detailed separately in this chapter. The configuration of firewall, VPN, and Wireless features are described in later chapters. Connecting to the Internet (WAN) 2-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Logging into the VPN Firewall To connect to the firewall, your computer needs to be configured to get an IP address via DHCP. To log in to the firewall, follow these steps: 1. Open a browser, and enter https://192.168.1.1 in the address field. The login window displays in the browser. Figure 2-1 2. Enter admin in lower case for the User Name and password for the Password. 3. Click Login. The Web Configuration Manager appears, displaying the Router Status menu as the default. Figure 2-2 2-2 Connecting to the Internet (WAN) v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Navigating the Menus The Web Configuration Manager menus are organized in a layered structure of main categories and submenus: • Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar. • Submenu. The horizontal grey bar immediately below the main menu is the submenu, containing subcategories of the currently selected primary category. • Tab. Immediately below the submenu bar, at the top of the menu active window, are one or more tabs, further subdividing the currently selected subcategory if necessary. • Option arrow. To the right of the tabs on some menus are one or more blue dots with an arrow in the center. Clicking an option arrow brings up either a popup window or an advanced option menu. Tip: In the instructions in this guide, we may refer to a menu using the notation primary > subcategory, such as Network Configuration > WAN Settings. In this example, Network Configuration is the selected primary category (in the main menu) and WAN Settings is the selected subcategory (in the submenu). You can now proceed to the first configuration task, configuring the firewall’s Internet connections. Configuring the Internet Connection (WAN) To set up your firewall for secure Internet connections, you configure the WAN port. The Web Configuration Manager offers two connection configuration options: • Automatic detection and configuration of the network connection. • Manual configuration of the network connection. Each option is detailed in the following sections. Automatically Detecting and Connecting To automatically configure the WAN port for connection to the Internet: Connecting to the Internet (WAN) 2-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Select Network Configuration > WAN Settings from the menu/submenu. The WAN tabs appear on screen with the WAN ISP Settings tab in view. Figure 2-3 2. Click Auto Detect at the bottom of the menu. Auto Detect will probe the WAN port for a range of connection methods and suggest one that your ISP appears to support. a. If Auto Detect is successful, a status bar at the top of the menu will display the results:. Figure 2-4 2-4 Connecting to the Internet (WAN) v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual b. If Auto Detect senses a connection method that requires input from you, it will prompt you for the information. All methods with the required settings are detailed in the following table. Table 2-1. Internet connection methods Connection Method Data Required DHCP (Dynamic IP) No data is required. PPPoE Login (Username, Password); Account Name, Domain Name (sometimes required). PPTP Login (Username, Password), Local IP address, and PPTP Server IP address; Account Name (sometimes required). Fixed (Static) IP Static IP address, Subnet, and Gateway IP; DNS Server IP addresses. c. If Auto Detect does not find a connection, you will be prompted to (1) check the physical connection between your firewall and the cable or DSL line, or to (2) check your firewall’s MAC address (For more information, see “Troubleshooting the ISP Connection” on page 12-4). 3. To verify the connection, click the WAN Status option arrow at the top right of the screen. A popup window appears, displaying the connection status of the WAN port. Figure 2-5 Connecting to the Internet (WAN) 2-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to “Manually Configuring the Internet Connection” following this section, or see “Troubleshooting the ISP Connection” on page 12-4. Note: If the configuration process was successful, you are connected to the Internet through the WAN port. 4. If your WAN ISP configuration was successful, you can test the internet connection, or skip ahead to.......... 5. Click Test to evaluate your entries. The firewall will attempt to connect to the NETGEAR Web site. If a successful connection is made, NETGEAR’s Web site appears. If the automatic WAN ISP configurations failed, you can attempt a manual configuration as described in the following section, or see “Troubleshooting the ISP Connection” on page 12-4. Manually Configuring the Internet Connection Unless your ISP automatically assigns your configuration automatically via DHCP, you will need to obtain configuration parameters from your ISP in order to manually establish an Internet connection. The necessary parameters for various connection types are listed in Table 2-1. To manually configure your WAN ISP Settings: 1. Select Network Configuration> WAN ISP Settings and enter the following: 2. In the ISP Login options, choose one of these options: • If your ISP requires an initial login to establish an Internet connection, click Yes (this is the default). • If a login is not required, click No and ignore the Login and Password fields. Figure 2-6 3. If you clicked Yes, enter the ISP-provided Login and Password information. 2-6 Connecting to the Internet (WAN) v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. In the ISP Type options, select the type of ISP connection you use from the three listed options. (By default, “Other (PPPoE)” is selected, as shown below. Figure 2-7 (If your connection is PPPoE, PPTP or BigPond Cable, your ISP will require an initial login.) 5. If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. If your ISP uses PPPoE as a login protocol: a. Select Other (PPPoE). Figure 2-8 b. Configure the following fields: • Account Name. Valid account name for the PPPoE connection • Domain Name. Name of your ISP’s domain or your domain name if your ISP has assigned one. In most cases, you may leave this field blank. • Idle Timeout. Select Keep Connected, to keep the connection always on. To logout after the connection is idle for a period of time, click Idle Time and in the timeout field enter the number of minutes to wait before disconnecting. 6. If your ISP is Austria Telecom or any other ISP that uses PPTP as a login protocol: Connecting to the Internet (WAN) 2-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual a. Select Austria (PPTP). b. Configure the following fields: • Account Name (also known as Host Name or System Name). Enter the valid account name for the PPTP connection (usually your e-mail name as assigned by your ISP). Some ISPs require entering your full email address here. • Domain Name. Your domain name or workgroup name assigned by your ISP, or your ISPs domain name. You may leave this field blank. • Idle Timeout. Check the Keep Connected radio box to keep the connection always on. To logout after the connection is idle for a period of time, click Idle Time and enter the number of minutes to wait before disconnecting in the timeout field. This is useful if your ISP charges you based on the amount of time you have logged in. • My IP Address. IP address assigned by the ISP to make the connection with the ISP server. • Server IP Address. IP address of the PPTP server. 7. If your ISP is Telstra BigPond Cable: a. Select BigPond Cable. b. Configure the Login Server and Idle Timeout fields. The Login Server is the IP address of the local BigPond Login Server in your area. 8. Review the Internet (IP) Address options. Figure 2-9 These options are inactive if BigPond Cable is selected???. 9. If your ISP has assigned a fixed (static) IP address, select Use Static IP Address, and configure the following fields: • IP Address. Enter the Static IP address assigned to you, that identifies the firewall to your ISP. 2-8 Connecting to the Internet (WAN) v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Subnet Mask. Enter the mask provided by the ISP or your network administrator. • Gateway IP Address. Enter the IP address of the ISP’s gateway, provided by the ISP or your network administrator. 10. If your ISP has not assigned a static IP address, click Get dynamically from ISP. The text fields will be inactivated. The ISP will automatically assign an IP address to the firewall using DHCP network protocol. 11. Review the Domain Name Server (DNS) Servers options. Figure 2-10 • If your ISP has not assigned any Domain Name Servers (DNS) addresses, click Get dynamically from ISP. • If your ISP (or your IT department) has assigned DNS addresses, click Use these DNS Servers and enter the DNS server IP addresses provided to you in the fields. 12. Click Apply to save any changes to the WAN ISP Settings. (Or click Reset to discard any changes and revert to the previous settings.) 13. Click Test to evaluate your entries. The firewall will attempt to connect to the NETGEAR Web site. If a successful connection is made, NETGEAR’s Web site appears. When you are finished, click Logout or proceed to additional setup and management tasks. Connecting to the Internet (WAN) 2-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring the WAN Mode To access the WAN Mode, click on Network Configuration > WAN Settings and select the WAN Mode tab. The WAN mode page allows you to configure how your firewall uses the external Internet connection. This screen gives you two choices for accessing the external Internet connection. • Network Address Translation (NAT). This technique allows several computers on a LAN to share the same Internet connection (IP address) while using private IP address on the LAN, which are hidden from the Internet. • Classical Routing. This method allows the firewall to perform the routing, but requires separate valid static Internet IP address for each PC on your LAN. Network Address Translation Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the firewall) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet. • The firewall uses NAT to select the correct PC (on your LAN) to receive any incoming data. • If you only have a single public Internet IP address, you MUST use NAT. (the default setting). • If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule. Classical Routing In classical routing mode, the firewall performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid static Internet IP address. If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to each PC, you can choose classical routing. Or, you can use classical routing for routing private IP addresses within a campus environment. To learn the status of the WAN port, you can view the Router Status page (see “Monitoring VPN Tunnel Connection Status” on page 11-13) or look at the LEDs on the front panel (see “Front Panel Features” on page 1-6). 2-10 Connecting to the Internet (WAN) v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring Dynamic DNS Note: Dynamic DNS enables you to employ some VPN configurations that require using an FQDN instead of the WAN IP address. Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must setup an account with a DDNS provider such. Links to DynDNS, TZO and Oray are provided for your convenience as Tabbed menus in the Dynamic DNS configuration screen. The firewall firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently—hence, the need for a commercial DDNS service, which allows you to register an extension to its domain, and restores DNS requests for the resulting FQDN to your frequently-changing IP address. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your DDNS service provider, log in to your account, and register your new IP address. • For auto-rollover mode, you will need a fully qualified domain name (FQDN) to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address. • For load balancing mode, you may still need a fully qualified domain name (FQDN) either for convenience or if you have a dynamic IP address. Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet. Connecting to the Internet (WAN) 2-11 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual To configure Dynamic DNS: 1. Select Network Configuration > Dynamic DNS from the main/submenu. The Current WAN Mode section reports the currently configured WAN mode. Only those options that match the configured WAN Mode will be accessible. 2. Select the Dynamic DNS Service you will use. The fields corresponding to the selection you have chosen will be activated. Each DDNS service provider requires its own parameters. 3. Access the Web site of one of the DDNS service providers and set up an account. Links to three DDNS providers are in the tab header. 4. After registering for your account, return to the Dynamic DNS menu and fill in the required fields for the DDNS service you selected: a. In the Host and Domain Name field, enter the entire FQDN name that your dynamic DNS service provider gave you (for example: <yourname>.dyndns.org). b. Enter the User Name, User email Address, or Account Name requested by the DDNS Service to identify you when logging into your DDNS account. c. Enter the Password, or User Key, for your DDNS account. d. If your dynamic DNS provider allows the use of wildcards in resolving your URL, check Use wildcards to activate this feature. For example, the wildcard feature will cause anything.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org e. If your dynamic DNS provider requires you to renew your account monthly, check Update every 30 days to have the firewall renew the account automatically. 5. Click Apply to save your configuration. Configuring the Advanced WAN Options (Optional) To configure the Advanced WAN options: 1. Select Network Configuration > WAN Settings from the main/submenu. The WAN ISP Settings screen displays. 2-12 Connecting to the Internet (WAN) v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 2. Click the Advanced link to the right of the tabs. The WAN Advanced Options tab is displayed. Figure 2-11 Need new screenshot 3. Edit the default information you want to change. a. MTU Size. The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs, you may need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection. b. Port Speed. In most cases, your firewall can automatically determine the connection speed of the WAN port. If you cannot establish an Internet connection and the WAN Link or Speed LED blinks continuously, you may need to manually select the port speed. AutoSense is the default. If you know the Ethernet port speed that your broadband modem supports, select it; otherwise, select 10M. Use the half-duplex settings unless you are sure your broadband modem supports full duplex. c. Router's MAC Address. Each computer or router on your network has a unique 32-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. The default is Use default address. However, if your ISP requires MAC authentication, then select either of these options: • Use this Computer's MAC address to have the firewall use the MAC address of the computer you are now using, or • Use This MAC Address to manually type in the MAC address that your ISP expects. Connecting to the Internet (WAN) 2-13 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The format for the MAC address is 01:23:45:67:89:AB (numbers 0-9 and either uppercase or lowercase letters A-F). If you select Use This MAC Address and then type in a MAC address, your entry will be overwritten. 4. Click Apply to save your changes. Additional WAN Related Configuration • If you want the ability to manage the firewall remotely, enable remote management at this time (see “Enabling Remote Management Access” on page 9-10). If you enable remote management, we strongly recommend that you change your password (see “Changing Passwords and Administrator Settings” on page 9-8). • At this point, you can set up the traffic meter for the WAN, if desired. See “Enabling the Traffic Meter” on page 11-1. 2-14 Connecting to the Internet (WAN) v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Wireless-N VPN Firewall. This chapter contains the following sections: • “Configuring the LAN Setup Options” on page 3-1 • “Managing Groups and Hosts (LAN Groups)” on page 3-4 • “Configuring DHCP Address Reservation” on page 3-4 • “Using the VPN Firewall as a DHCP Server” on page 3-3 • “Configuring Multi Home LAN IP Addresses” on page 3-8 • “Configuring Static Routes” on page 3-10 • “Configuring Routing Information Protocol (RIP)” on page 3-11 Configuring the LAN Setup Options The LAN Setup menu allows configuration of LAN IP services such as DHCP and allows you to configure a secondary or “multi-home” LAN IP setup on the LAN. The default values are suitable for most users and situations. These are advanced settings usually configured by a network administrator. To modify your LAN setup, follow these steps: 1. Select Network Configuration > LAN Settings from the main/sub-menu. The LAN Settings tabs (LAN Setup, LAN Groups, and LAN Multi-homing) are displayed with LAN Setup as the default tab. LAN Configuration 3-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual . Figure 3-1 2. In the LAN TCP/IP Setup section, configure the following settings: • IP Address. The LAN address of your firewall (factory default: 192.168.1.1). Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to reconnect to the Web Configuration Manager. • IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your firewall will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask. 3. In the DHCP section, leave the DNCP enabled, or select Disable DHCP Server. • The firewall will function as a DHCP server (default), providing TCP/IP configuration settings for all the computers connected to the firewall's LAN. • If another device on your network will be the DHCP server, or if you will manually configure all devices, click Disable DHCP Server. If the DHCP server is enabled, enter the following parameters: • Domain Name. (Optional) The DHCP will assign the entered domain to its DHCP clients. 3-2 LAN Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Starting IP Address. Specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address. • Ending IP Address. Specifies the last of the contiguous addresses in the IP address pool. The IP address 192.168.1.100 is the default ending address. Note: The Starting and Ending DHCP addresses should be in the same subnet as the LAN IP address of the firewall (the IP Address configured in the LAN TCP/IP Setup section). • Primary DNS Server. (Optional) If an IP address is specified, the firewall will provide this address as the primary DNS server IP address. If no address is specified, the firewall will provide its own LAN IP address as the primary DNS server IP address. • Secondary DNS Server. (Optional) If an IP address is specified, the firewall will provide this address as the secondary DNS server IP address. • WINS Server. (Optional) Specifies the IP address of a local Windows NetBios Server if one is present in your network. • Lease Time. Specifies the duration for which a DHCP-provided IP address will be leased to a client. • Enable DNS Proxy. When DNS proxy is enabled (default), the DHCP server will provide the SRXN3205 LAN IP address as the DNS server for address name resolution. If this box is unchecked, the DHCP server will provide the ISP’s DNS server IP addresses. The firewall will still service DNS requests sent to its LAN IP address unless you disable DNS Proxy in the DHCP settings (see “Attack Checks” on page 5-10). 4. Click Apply to save your settings. Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these default traffic rules, refer to Chapter 5, “Firewall Security and Content Filtering. Using the VPN Firewall as a DHCP Server By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, WINS Server, and default gateway addresses to all computers connected to the LAN. The assigned default gateway address is the LAN address of the firewall. IP LAN Configuration 3-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN. Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP address. Using the default addressing scheme, you would define a range between 192.168.1.2 and 192.168.1.100, although you may wish to save part of the range for devices with fixed addresses. If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the Enable DHCP server radio box by clicking the Disable DHCP Server radio box. Otherwise, leave it checked. Configuring DHCP Address Reservation A computer (or device) will always receive the same IP address, if you specify a reserved IP address for the computer (or device) on the LAN (based on the MAC address of the device), each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP address settings. The Reserved IP address that you select must be outside of the DHCP Server pool. To reserve an IP address, manually enter the device in the LAN Groups tab, specifying Reserved (DHCP Client), as described in “Adding Devices to the LAN Groups Database” on page 3-6. Note: The reserved address will not be assigned until the next time the PC contacts the firewall’s DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew. Managing Groups and Hosts (LAN Groups) The Known PCs and Devices table in the LAN Groups menu contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the firewall, or have been discovered by other means. Collectively, these entries make up the LAN Groups Database. The LAN Groups Database is updated by these methods: • DHCP Client Requests. By default, the DHCP server in this firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the LAN Groups Database. Because of this, leaving the DHCP server feature (LAN Setup tab) enabled is strongly recommended. 3-4 LAN Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Scanning the Network. The local network is scanned using ARP requests. The ARP scan will detect active devices that are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined, and will appear in the database as Unknown. • Manual Entry. You can manually enter information about a network device. Some advantages of the LAN Groups Database are: • Generally, you do not need to enter IP addresses or MAC addresses. Instead, you can just select the desired PC or device. • No need to reserve an IP address for a PC in the DHCP server. All IP address assignments made by the DHCP server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you. • No need to use a fixed IP on PCs. Because the address allocated by the DHCP server will never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP address. • MAC level control over PCs. The LAN Groups Database uses the MAC address to identify each PC or device. So changing a PC’s IP address does not affect any restrictions on that PC. • Group and individual control over PCs. • – You can assign PCs to Groups and apply restrictions to each Group using the Firewall Rules screen (see “Using Rules & Services to Block or Allow Traffic” on page 5-2). – You can also select the Groups to be covered by the Block Sites feature (see “Setting Block Sites (Content Filtering)” on page 5-18). – If necessary, you can also create Firewall Rules to apply to a single PC (see “Enabling Source MAC Filtering (Address Filter)” on page 5-20). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing the IP address. A computer is identified by its MAC address—not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC. Viewing the LAN Groups Database To view the LAN Groups Database, follow these steps: 1. Select Network Configuration > LAN Settings from the main/sub-menu. The LAN Setup tab displays. LAN Configuration 3-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 2. Click the LAN Groups tab and the LAN Groups tab displays. Figure 3-2 The Known PCs and Devices table lists the entries in the LAN Groups Database. For each computer or device, the following fields are displayed: • Name. The name of the PC or device. For computers that do not support the NetBIOS protocol, this will be listed as “Unknown” (you can edit the entry manually to add a meaningful name). If the computer was assigned an IP address by the DHCP server, then the Name will be appended by an asterisk. • IP Address. The current IP address of the computer. For DHCP clients of the firewall, this IP address will not change. If a computer is assigned a static IP addresses, you will need to update this entry manually if the IP address on the computer has been changed. • MAC Address. The MAC address of the PC’s network interface. • Group. Each PC or device can be assigned to a single group. By default, a computer is assigned to Group 1, unless a different group is chosen from the Group pull-down menu. • Action. Allows modification of the selected entry by clicking Edit. Adding Devices to the LAN Groups Database To add devices manually to the LAN Groups Database, follow these steps: 1. In the Add Known PCs and Devices section, make the following entries: • Name. Enter the name of the PC or device. 3-6 LAN Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • IP Address Type. From the pull-down menu, choose how this device receives its IP address. The choices are: – Fixed (Set on PC). The IP address is statically assigned on the computer. – Reserved (DHCP Client). Directs the firewall’s DHCP server to always assign the specified IP address to this client during the DHCP negotiation. Note: When assigning a Reserved IP address to a client, the IP address selected must be outside the range of addresses allocated to the DHCP server pool. • IP Address. Enter the IP address that this computer or device is assigned in the IP Address field. If the IP Address Type is Reserved (DHCP Client), the firewall will reserve the IP address for the associated MAC address. • MAC Address. Enter the MAC address of the computer’s network interface in the MAC Address field. The MAC address format is six colon-separated pairs of hexadecimal characters (0-9 and A-F), such as 01:23:45:67:89:AB. • Group. From the pull-down menu, select the LAN Group to which the computer will be assigned. (Group 1 is the default group.) 2. Click Add. The device will be added to the Known PCs and Devices table. Changing Group Names in the LAN Groups Database By default, the LAN Groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as Engineering or Marketing. To edit the names of any of the eight available groups: 1. From the LAN Groups tab, click the Edit Group Names link to the right of the tabs. The Network Database Group Names tab appears. LAN Configuration 3-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 3-3 2. Select the radio button next to any group name to make that name active for editing. 3. Type a new name in the field. 4. Click Apply to save your setting, each time you change a name in the field. {{Possible bug}} 5. Select and edit other group names if desired. 6. Click Apply to save each field change. Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the firewall. This allows the firewall to act as a gateway to additional logical subnets on your LAN. You can assign the firewall an IP address on each additional logical subnet. To add a secondary LAN IP address, follow these steps: 1. Select Network Configuration > LAN Setup from the main/sub-menu. 3-8 LAN Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 2. Click the LAN Multi-homing tab and the LAN Multi-homing screen displays. Figure 3-4 The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the firewall. • IP Address. The “alias,” an additional IP address hosted by the LAN port of the firewall. This address will be the gateway for computers on the secondary subnet. • Subnet Mask. The IPv4 subnet mask that defines the range of the secondary subnet. 3. In the Add Secondary LAN IP Address section, enter the additional IP address and subnet mask to be assigned to the LAN port of the firewall. 4. Click Add. The new Secondary LAN IP address will appear in the Available Secondary LAN IPs table. Note: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses. Tip: The secondary LAN IP address will be assigned to the LAN interface of the firewall and can be used as a gateway by computers on the secondary subnet. LAN Configuration 3-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring Static Routes Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network. To add or edit a static route: 1. Select Network Configuration > Routing from the main/sub-menu. The Routing screen displays. Figure 3-5 2. Click Add and the Add Static Route tab is displayed. Figure 3-6 3-10 LAN Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 3. Enter a route name for this static route in the Route Name field (for identification and management). 4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address to the host or network where the route leads. 7. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255. 8. Enter the Interface which is the physical network interface (WAN or LAN) through which this route is accessible. 9. Enter the Gateway IP Address through which the destination host or network can be reached. This must be a firewall on the same LAN segment as the firewall. 10. Enter the Metric priority for this route. If multiple routes to the same destination exits, the route with the lowest metric is chosen (value must be between 1 and 15). 11. Click Apply to save your settings. The new static route will be added to the Static Route table. Configuring Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default. To configure RIP parameters: 1. Select Network Configuration > Routing from the main/sub-menu. 2. Click the RIP Configuration link to the right of the tab. LAN Configuration 3-11 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The RIP Configuration menu displays. Figure 3-7 3. From the RIP Direction pull-down menu, choose the direction in which the firewall will send and receive RIP packets. The choices are: • None. The firewall neither broadcasts its route table nor does it accept any RIP packets from other routers. This effectively disables RIP. • In Only. The firewall accepts RIP information from other routers, but does not broadcast its routing table. • Out Only. The firewall broadcasts its routing table periodically but does not accept RIP information from other routers. • Both. The firewall broadcasts its routing table and also processes RIP information received from other routers. 4. From the RIP Version pull-down menu, choose the version from the following options: • Disabled. The default section disables RIP versions. • RIP-1. A class-based routing that does not include subnet information. This is the most commonly supported version. 3-12 LAN Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • RIP-2. This includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the modes in which packets are sent are different. – – RIP-2B. Sends the routing data in RIP-2 format and uses subnet broadcasting. RIP-2M. Sends the routing data in RIP-2 format and uses multicasting. 5. Authentication for RIP2B/2M required? If you selected RIP-2B or RIP-2M, check the Yes feature, and input the First Key Parameters and Second Key Parameters, MD-5 keys to authenticate between firewalls. 6. Click Add to save your settings. LAN Configuration 3-13 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 3-14 LAN Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 4 Wireless Configuration This chapter describes how to set up your ProSafe Wireless-N VPN Firewall SRXN3205 for wireless connectivity to your LAN. This basic configuration will enable computers with 802.11b/ g/n or 802.11a/n wireless adapters to do such things as connect to the Internet, or access printers and files on your LAN. Note: Indoors, computers can connect over 802.11b/g/n or 802.11a/g/n wireless networks at ranges of several hundred feet or more. This distance can allow for others outside your area to access your network. It is important to take appropriate steps to secure your network from unauthorized access. The firewall provides highly effective security features which are covered in detail in “SSID and WEP/WPA Settings Setup Form” on page 4-9. Deploy the security features appropriate to your needs. You need to prepare these four things before you can establish a connection through your wireless firewall: • The firewall connected to your LAN through the WAN port to a device such as a hub, switch, router, or Cable/DSL gateway. • A correctly set up ProSafe Wireless-N VPN Firewall for wireless access • One or more computers with properly configured 802.11b/g/n or 802.11a/n wireless adapters. • A location for the SRXN3205 that conforms to the “Wireless Equipment Placement and Range Guidelines”. You will use the following topics to set up your ProSafe Wireless-N VPN Firewall for use as a wireless firewall: • “Basic Wireless Setup (No Security)” on page 4-4 • “Completing Wireless Setup (No Security)” on page 4-5 • “Wireless Security Types and Settings” on page 4-8 • “Advanced Wireless Settings” on page 4-17 • “Wireless Equipment Placement and Range Guidelines” on page 4-2 Wireless Configuration 4-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Wireless Equipment Placement and Range Guidelines The operating distance or range of your wireless connection can vary significantly based on the physical placement of the VPN firewall. The latency, data throughput performance, and notebook power consumption of wireless adapters also vary depending on your configuration choices. Note: Failure to follow these guidelines can result in significant performance degradation or inability to wirelessly connect to the SRXN3205. For complete performance specifications, see Appendix A, “Default Settings and Technical Specifications.” For best results, place your VPN firewall: • Near the center of the area in which your PCs will operate. • In an elevated location such as a high shelf where the wirelessly connected PCs have line-ofsight access (even if through walls). • Away from sources of interference, such as PCs, microwaves, and 2.4 GHz cordless phones. • Away from large metal surfaces. Putting the antenna in a vertical position provides best side-to-side coverage. Putting the antenna in a horizontal position provides best up-and-down coverage. If you are using multiple access points for 11b/bg/ng, it is better if adjacent access points use different radio frequency Channels to reduce interference. The recommended Channel spacing between adjacent access points is 5 Channels (for example, use Channels 1 and 6, or 6 and 11). For 11a/na, the 6 Channel spacing is not needed. The time it takes to establish a wireless connection can vary depending on both your security settings and placement. Some types of security connections can take slightly longer to establish and can consume more battery power on a notebook computer. Understanding SRXN3205 Wireless Security Options Your wireless data transmissions can be received well beyond your walls by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment. The firewall provides highly effective security features which are covered in detail in this chapter. Deploy the security features appropriate to your needs. 4-2 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 4-1Need new photo/picture There are several ways you can enhance the security of your wireless network: • Restrict Access Based on MAC address. You can restrict access to only trusted PCs so that unknown PCs cannot wirelessly connect to the SRXN3205. MAC address filtering adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed. • Turn Off the Broadcast of the Wireless Network Name (SSID). If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network “discovery” feature of some products such as Windows XP, but the data is still fully exposed to a determined snoop using specialized test equipment like wireless sniffers. • Use WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP open authentication and WEP data encryption will block all but the most determined eavesdropper. • Use WPA or WPA-PSK. Wi-Fi Protected Access (WPA) data encryption provides data security. The very strong authentication along with dynamic per frame rekeying of WPA make it virtually impossible to compromise. Because this is a new standard, wireless device driver and software availability may be limited. Note: WEP and TKIP provide only legacy rates of operation. So, AES is the recommended solution to use the 11n rates and speed. Wireless Configuration 4-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Basic Wireless Setup (No Security) Test wireless connectivity in your environment by setting up the unit without wireless security. To configure the SRXN3205 for basic Wireless access, follow these simple steps: 1. Log in to the SRXN3205. 2. Click Wireless Settings in the Network Configuration of the main menu. The default Wireless Settings screen displays as shown below. Use this screen to setup your wireless connectivity requirements. Figure 4-2 3. Click Enable Wireless Access Point on the right side of the screen. 4-4 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. If you want your SSID (network name) broadcast, leave the default setting as is. If you disable Allow Broadcast of Name (SSID), only devices that have the correct SSID can connect. This nullifies the wireless network “discovery” feature of some products such as Windows XP, but the data is still fully exposed to a determined snoop using specialized test equipment like wireless sniffers. The default is enabled. 5. Type your network name in the Name (SSID) field on the upper left side of the screen. 6. From the Region pull-down menu, select the region where the SRXN3205 will be used (the default Region is North America). Note: If your country or region is not listed, please check with Netgear Support. 7. Select your wireless Mode setting from the pulldown menu or accept the default (11ng) setting. The selections are 802.11[a only, b only, g only, g and b, 11ng, or 11a]. 8. Leave the other settings at the defaults, including None as the Wireless Security Type. 9. Click Apply at the bottom of the Wireless Settings screen. If the settings were accepted, a message appears in the center of the screen, Operation succeeded. 10. Prepare a PC as the wireless PC Client with a wireless Ethernet adapter installed. Verify that you can wirelessly access a file or a printer on the LAN connected to the SRXN3205. Completing Wireless Setup (No Security) The purpose of setting your wireless settings in stages, without the security settings, is to eliminate any possible errors in setting up your wireless settings before adding the more complicated security settings. This method will greatly aid you in discovering where the errors in your security settings are by removing doubts about your wireless settings. Configuring 802.11b/g/n Wireless Settings To configure the 802.11 b/g/n wireless settings of your VPN firewall: Wireless Configuration 4-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Select Network Configuration > Wireless Settings from main. Note: The Enable Wireless Access Point checkbox must be checked to enable all the options on this screen. 2. Configure the Wireless LAN settings based on the following field descriptions: • Mode. Select the desired wireless operating mode. The default is 11ng. The selections are 802.11[a only, b only, g only, g and b, 11ng, or 11a]. Select an “only” option if all devices in the wireless network can support. Select ng mode if there are clients in the network that support 802.11n; this mode also supports legacy 802.11b and 802.11g clients. To support 802.11a and 802.11n clients concurrently, select na mode; this mode will NOT support 802.11b or 802.11g clients. • Channel (& Frequency). This is set to Auto by default, or select a channel and frequency from the pull-down menu to use on your wireless LAN. The Auto option intelligently picks a channel & frequency with least interference. The wireless channel in use will be between 1 to 11 for US and Canada, 1 to 13 for Europe and Australia. It is not necessary to change the wireless channel unless you experience interference (shown by lost connections and/or slow data transfers). If this happens, you may need to experiment with different channels to see which is the best. See the article on “Wireless Channels” available on the NETGEAR website. A link to this article and other articles of interest can be found in Appendix B, “Related Documents.” • Channel Spacing. From the pull-down menu, select the desired channel spacing. • • • 20 MHz - This is the static, legacy mode. It gives the least throughput. 20/40 MHz - This is the dynamic, compatibility mode. Legacy clients can connect to 20 MHz and 11n clients can connect to 40 MHz. 40 MHz - This is the static, high-throughput mode. Legacy clients will not be able to connect in this mode. 3. Click Apply to save your wireless settings. Testing Wireless Connectivity (No Security) Follow the instructions below to test wireless connectivity. Once you have established wireless connectivity, you can enable security settings appropriate to your needs. 4-6 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. From your Web browser, log in to the SRXN3205 using its default address of http://192.168.1.1. 2. Use the default user name of admin and default password of password— or use a new LAN address and password if you have set them up. 3. Select Network Configuration > Wireless Settings from main/submenu. 4. In the Wireless Settings ensure the Auto (default) is set for the Channel feature. This feature selects a channel that has the least interference. It should not be necessary to change the wireless channel unless you notice interference problems or are near another wireless access point. Select a channel that is not being used by any other wireless networks within several hundred feet of your VPN firewall. Note: The SSID of a client computer must match what you configured in the firewall. If these do not match, you will not get a wireless connection to the SRXN3205. 5. Record the name used for SSID and then Disable the Allow Broadcast of Name (SSID). Note: If you are configuring the SRXN3205 from a wireless computer, you will lose your wireless connection when you click Apply to update settings. You will then need to update the wireless settings of your computer accordingly. 6. Click Apply to save any changes 7. Prepare PC(s) as the wireless PC Client(s) with wireless Ethernet adapters installed. 8. Configure the Client PCs to obtain the IP and DNS addresses automatically using the internal DHCP server (DHCP is the default firewall setting). 9. Configure the wireless adapters of your Client PCs to have the same SSID you configured in the SRXN3205. 10. Using this Client PCs, verify these PCs have a wireless link by trying to access a file or a printer on the LAN connected to the SRXN3205. 11. Once you have verified wireless connectivity to the SRXN3205, you can configure the wireless security functions. Refer to “Wireless Security Types and Settings” on page 4-8. Wireless Configuration 4-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Wireless Security Types and Settings Configure the Wireless Security Types based on the level of security you need using one of the following methods and print out the form provided to aid you in making your selections: • Print out the “SSID and WEP/WPA Settings Setup Form” on page 4-9 • To configure WEP encryption for Open Systems or Shared Key, see “Configuring WEP” on page 4-11. • To configure WPA-PSK, see “Configuring WPA-PSK” on page 4-12. • To configure WPA2-PSK, see “Configuring WPA2-PSK” on page 4-12. • To configure WPA-PSK and WPA2-PSK, see “Configuring WPA-PSK and WPA2-PSK” on page 4-13. • To configure WPA with RADIUS, see “Configuring WPA with RADIUS” on page 4-13. • To configure WPA2 with RADIUS, see “Configuring WPA2 with RADIUS” on page 4-14. • To configure WPA and WPA2 with RADIUS, see “Configuring WPA and WPA2 with RADIUS” on page 4-15 Use the Wireless Security Type section in the Wireless Settings menu to select the desired security method, but the balance of the security settings are set in the following main menus: • Go to “Firewall Security and Content Filtering” in Chapter 5 for the Security menu settings • Go to “Virtual Private Networking Using IPsec” in Chapter 6 for the VPN IPsec tunnel settings • Go to “Virtual Private Networking Using SSL” in Chapter 7 for the VPN SSL tunnel settings • Go to “Managing Users, Authentication, and Certificates” in Chapter 8 for the Users menu • Go to “Firewall and Network Management” in Chapter 9 for the Administration menu 4-8 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual SSID and WEP/WPA Settings Setup Form 802.11b/g/n Configuration For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set it up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step. • SSID: The Service Set Identification (SSID) requires the identity or name of the wireless local area network. NETGEAR is the default SRXN3205 SSID. However, you may customize it by using up to 32 alphanumeric characters. Write your customized SSID on the line below. ___________________________________ Note: The SSID in the VPN firewall is the SSID you configure in the wireless adapter card. All wireless nodes in the same network must be configured with the same SSID: • Authentication: Circle one: Automatic, Open System, or Shared Key. (Choose Shared Key for more security.) Note: If you select shared key, the other devices in the network will not connect unless they are set to Shared Key as well and have the same keys in the same positions as those in the SRXN3205. • WEP Encryption Keys. Circle one: 64, 128, or 152 bits. (Enter all four 802.11a/n keys for the Key Size chosen.) Key 1: ___________________________________ Key 2: ___________________________________ Key 3: ___________________________________ Key 4: ___________________________________ • WPA-PSK (Preshared Key) Record the WPA-PSK key. Key: ___________________________________ • WPA RADIUS Settings. For WPA, record the following settings for the primary and secondary RADIUS servers: Server Name/IP Address: Primary _________________ (Secondary __________________ ?) RADIUS Port: ___________________________________ Shared Key: ___________________________________ Wireless Configuration 4-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 802.11a/n Configuration For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step. • SSID: The Service Set Identification (SSID) requires the identity or name of the wireless local area network. NETGEAR is the default SRXN3205 SSID. However, you may customize it by using up to 32 alphanumeric characters. Write your customized SSID on the line below. ___________________________________ Note: The SSID in the VPN firewall is the SSID you configure in the wireless adapter card. All wireless nodes in the same network must be configured with the same SSID: • Authentication Circle one: Automatic, Open System, or Shared Key. Choose Shared Key for more security. Note: If you select shared key, the other devices in the network will not connect unless they are set to Shared Key as well and have the same keys in the same positions as those in the SRXN3205. • WEP Encryption Keys Circle one: 64, 128, or 152 bits. (Enter all four 802.11b/g/n keys for the Key Size chosen.) Key 1: ___________________________________ Key 2: ___________________________________ Key 3: ___________________________________ Key 4: ___________________________________ • WPA-PSK (Preshared Key) Record the WPA-PSK key. Key: ___________________________________ • WPA RADIUS Settings. For WPA, record the following settings for the primary and secondary RADIUS servers: Server Name/IP Address: Primary _________________ (Secondary __________________ ?) RADIUS Port: ___________________________________ Shared Key: ___________________________________ Use the procedures described in the following sections to configure the SRXN3205. Store this information in a safe place. 4-10 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring WEP To configure WEP data encryption in the Wireless Settings menu: 1. Click the WEP radio button on the left to enable WEP data encryption. When you select the WEP data encryption, only the feature selections for WEP are made active on screen, while the other options and features remain grayed out. 2. In the Authentication drop-down menu, choose Automatic, Open System, or Shared Key authentication. 3. In the Encryption drop-down menu, select the encryption strength: 64 bit WEP, 128 bit WEP, or 152 bit WEP. 4. Enter a value in the WEP Passphrase text box to automatically program the four data encryption keys. You can also program the four keys manually. These values must be identical on all PCS and VPN firewalls in your network. • Automatically – Enter a word or group of printable characters in the form of 10 digits for 64-bit, 26 digits for 128-bit, or xx digits for 152-bit, in any combination of 0-9, a-f, or A-F characters. • Select which of the four keys will be the default by clicking on the Radio button next to the key. Data transmissions are always encrypted using the default key. • When done, click the Generate button and the four key boxes will be automatically populated with key values. • Manually – Enter the number of hexadecimal digits appropriate to the encryption strength for each of the four keys: • The number should be 10 digits for 64-bit, 26 digits for 128-bit, or xx digits for 152bit, in any combination of 0-9, a-f, or A-F characters. • Select which of the four keys will be the default by clicking on the Radio button next to the key. Data transmissions are always encrypted using the default key. See the document “Wireless Communications” for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard. A link to this document on the NETGEAR website is in Appendix B, “Related Documents.” 5. Click Apply to save your settings. Note: Your wireless connection will drop when you click Apply. Reconfigure your wireless adapter to match the new settings or access the VPN firewall from a wired computer to make any further changes. Wireless Configuration 4-11 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring WPA-PSK Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 or above include the client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA. Consult the product document for your wireless adapter and WPA client software for instructions on configuring WPA settings. To configure WPA-PSK in the Wireless Settings menu: 1. Click the WPA radio button on the left to enable WPA data encryption. When you select the WPA data encryption, only the feature selections for WPA are made active on screen, while the other options and features remain grayed out. 2. Select PSK from the WPA with drop-down menu on the right. 3. Click on the TKIP radio button for Encryption on the right. 4. In the PSK Settings section, enter text in the Passphrase text box (Network Key) with 8-63 characters. 5. Enter a value for Key Lifetime text box in minutes. 6. Click Apply to save your settings. Configuring WPA2-PSK Not all wireless adapters support WPA2. Furthermore, client software is required on the client. Ensure your client card supports WPA2. Consult the product document for your wireless adapter and WPA2 client software for instructions on configuring WPA2 settings. To configure WPA2-PSK in the Wireless Settings menu: 1. Click the WPA2 radio button on the left to enable WPA2 data encryption. When you select the WPA2 data encryption, only the feature selections for WPA2 are made active on screen, while the other options and features remain grayed out. 2. Select PSK from the WPA with drop-down menu on the right. 3. Click on the AES radio button for Encryption on the right. AES is the default encryption. 4. In the PSK Settings section, enter text in the Passphrase text box (Network Key) with 8-63 characters. 5. Enter a value for Key Lifetime text box in minutes. 6. Click Apply to save your settings. 4-12 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring WPA-PSK and WPA2-PSK Not all wireless adapters support WPA and WPA2. Client software is required on the client: • Windows XP and Windows 2000 with Service Pack 3 or above do include the client software that supports WPA. The wireless adapter hardware and driver must also support WPA. • Service Pack 3 does not include the client software that supports WPA2. Make sure your client card supports WPA2. The wireless adapter hardware and driver must also support WPA2. Consult the product documentation for your wireless adapter; WPA client software for instructions on configuring WPA settings; and WPA2 client software for instructions on configuring WPA2 settings. To configure WPA-PSK and WPA2-PSK in the Wireless Settings menu: 1. Click the WPA-PSK and WPA2-PSK radio button on the left to enable WPA-PSK and WPA2-PSK data encryption. When you select the WPA-PSK and WPA2-PSK data encryption, only the feature selections for WPA-PSK and WPA2-PSK are made active on screen, while the other options and features remain grayed out. 2. Select PSK from the WPA with drop-down menu on the right. 3. Click on the TKIP + AES radio button for Encryption on the right. TKIP + AES is the default encryption. 4. In the PSK Settings section, enter text in the Passphrase text box (Network Key) with 8-63 characters. 5. Enter a value for Key Lifetime text box in minutes. 6. Click Apply to save your settings. Configuring WPA with RADIUS Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 or above do include the client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA. Consult the product document for your wireless adapter and WPA client software for instructions on configuring WPA settings. To configure WPA with RADIUS in the Wireless Settings menu: 1. Click the WPA radio button on the left to enable WPA data encryption. Wireless Configuration 4-13 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual When you select the WPA data encryption, only the feature selections for WPA and RADIUS are made active on screen, while the other options and features remain grayed out. 2. Select RADIUS from the WPA with drop-down menu on the right. PSK is the default WPA and the RADIUS Server Settings are highlighted. 3. Click on the TKIP radio button for Encryption on the right. TKIP is the default WPA encryption. 4. Enter the RADIUS Server Settings: • The Server Name, IP Address, RADIUS Port (number), and Shared Key are required for communication with the RADIUS Server. – Server Name. The – IP Address. The IP address of the RADIUS Server. The default is 0.0.0.0. – RADIUS Port. The port number of the RADIUS Server. The default is 1812. – Shared Key. This is shared between the VPN firewall and the RADIUS Server while authenticating the supplicant (wireless client). 5. Click Apply to save your settings. Configuring WPA2 with RADIUS Not all wireless adapters support WPA2. Furthermore, client software is required on the client. Make sure your client card supports WPA2. Consult the product document for your wireless adapter and WPA2 client software for instructions on configuring WPA2 settings To configure WPA2 with RADIUS in the Wireless Settings menu: 1. Click the WPA2 radio button on the left to enable WPA2 data encryption. When you select the WPA2 data encryption, only the feature selections for WPA2 and RADIUS are made active on screen, while the other options and features remain grayed out. 2. Select RADIUS from the WPA with drop-down menu on the right. PSK is the default WPA and the RADIUS Server Settings are highlighted. 3. Click on the AES radio button for Encryption on the right. AES is the default WPA encryption. 4. Enter the RADIUS Server Settings: 4-14 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • The Server Name, IP Address, RADIUS Port (number), and Shared Key are required for communication with the RADIUS Server. – Server Name. The – IP Address. The IP address of the RADIUS Server. The default is 0.0.0.0. – RADIUS Port. The port number of the RADIUS Server. The default is 1812. – Shared Key. This is shared between the VPN firewall and the RADIUS Server while authenticating the supplicant (wireless client). 5. Click Apply to save your settings. Configuring WPA and WPA2 with RADIUS Not all wireless adapters support WPA and WPA2. Client software is required on the client: • Windows XP and Windows 2000 with Service Pack 3, or above, do include the client software that supports WPA. The wireless adapter hardware and driver must also support WPA. • Service Pack 3 does not include the client software that supports WPA2. Make sure your client card supports WPA2. The wireless adapter hardware and driver must also support WPA2. Consult the product documentation for your wireless adapter; WPA client software for instructions on configuring WPA settings; and WPA2 client software for instructions on configuring WPA2 settings. To configure WPA and WPA2 with RADIUS in the Wireless Settings menu: 1. Click the WPA and WPA2 radio button on the left to enable WPA and WPA2 data encryption. When you select the WPA and WPA2 data encryption, only the feature selections for WPA and WPA2 with RADIUS are made active on screen, while the other options and features remain grayed out. 2. Select RADIUS from the WPA with drop-down menu on the right. PSK is the default WPA and the RADIUS Server Settings are highlighted. 3. Click on the TKIP+AES radio button for Encryption on the right. TKIP+AES is the default WPA encryption. 4. Enter the RADIUS Server Settings: • The Server Name, IP Address, RADIUS Port (number), and Shared Key are required for communication with the RADIUS Server. – Server Name. The Wireless Configuration 4-15 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual – IP Address. The IP address of the RADIUS Server. The default is 0.0.0.0. – RADIUS Port. The port number of the RADIUS Server. The default is 1812. – Shared Key. This is shared between the VPN firewall and the RADIUS Server while authenticating the supplicant (wireless client). 5. Click Apply to save your settings. Verifying Wireless Connectivity (Security) Using a Client PC with an 802.11b/g/n or 802.11a/n wireless adapter with the correct wireless and security settings for connection to the SRXN3205 (SSID, WEP/WPA, MAC ACL, etc.), verify connectivity by using a browser such as Mozilla Firefox, Netscape, or Internet Explorer to browse the Internet, or check for file and printer access on your network. The SSID of any wireless access adapters must match the SSID configured in the ProSafe Wireless-N VPN Firewall. If they do not match, no wireless connection will be made. Note: If you are unable to connect, see Chapter 12, “Troubleshooting.” Deploying the firewall Once you deploy your firewall in its final location, retest the SRXN3205 to ensure it is still operating properly. To deploy the firewall: 1. Disconnect the SRXN3205 and position it where it will be deployed. The best location is elevated, such as, on the top of a cubicle or wall mounted at the center of your wireless coverage area, and within line of sight of all the mobile devices. 2. Position all the antennas for the best coverage in your situation. Note: Refer to the antenna positioning information in “Wireless Equipment Placement and Range Guidelines” on page 4-2 earlier in this chapter. 3. Connect an Ethernet cable from the WAN connection on your firewall to a LAN port on your router, switch, or hub. 4-16 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. Connect Ethernet cable(s) from the LAN ports on your firewall to a LAN port on your switch. Note: By default, SRXN3205 is set with the DHCP client Enabled. If your network uses dynamic IP addresses, you must change this setting. To connect to the SRXN3205 after the DHCP server on your network assigns it a new IP address, enter the VPN firewall name into your Web browser. The default VPN firewall name is netgearxxxxxx, where xxxxxx represents the last 6 bytes of the MAC address. The default name is printed on the bottom label of the SRXN3205. 5. Connect the power adapter to the SRXN3205 and plug the power adapter in to a AC power outlet. The PWR, Test, LAN, WAN, and Wireless LAN LEDs should light up. 6. Verify you still have wireless connections to the SRXN3205. 7. If you want to fine tune the overall performance of the Wireless Settings for your environment, refer to “Advanced Wireless Settings” on page 4-17. Advanced Wireless Settings Configuring Advanced Wireless Settings The Advanced screen of the Wireless Settings menu is used to configure and enable various wireless LAN parameters for all of the 802.11a/n and 802.11b/g/n modes. The default wireless LAN parameters usually work well. However, you can use these settings to fine tune the overall performance of your Wireless Settings for your environment. The Advanced menu in the Wireless Settings tab is used to configure the Wireless LAN parameters. To configure Advanced Wireless Options: 1. Select Network Configuration > Wireless Settings from main/submenu. 2. Select Advanced on the right side of the menu. 3. The Advanced Wireless Options screen displays. 4. Enter the appropriate information in the fields described below: Wireless Configuration 4-17 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • RTS Threshold (256 - 2346): Request to Send Threshold. The packet size that is used to determine if it should use the CSMA/CD (Carrier Sense Multiple Access with Collision Detection) mechanism or the CSMA/CA mechanism for packet transmission. With the CSMA/CD transmission mechanism, the transmitting station sends out the actual packet as soon as it has waited for the silence period. With the CSMA/CA transmission mechanism, the transmitting station sends out an RTS packet to the receiving station, and waits for the receiving station to send back a CTS (Clear to Send) packet before sending the actual packet data. The default is 2346. • Fragmentation Length (256 - 2346): This is the maximum packet size used for fragmentation. Packets larger than the size programmed in this field will be fragmented. The Fragment Threshold value must be larger than the RTS Threshold value. The default is 2346. • Beacon Interval (20 - 1000): The Beacon Interval. Specifies the interval time between 100ms and 1000ms for each beacon transmission, which allows the access point to synchronize the wireless network. The default is 100. • Preamble Mode: A long transmit preamble may provide a more reliable connection or a slightly longer range. A short transmit preamble gives better performance. The Automatic settings automatically handles both long and short preambles. The default is Automatic. 5. Click Apply to enable the Advanced Wireless Options. Restricting Wireless Access by MAC Address The optional enabling of the Access Control List lets you block the wireless access privileges of any specified stations through the firewall. When you enable access control, the SRXN3205 only accepts connections from wireless clients on the selected access control list. This provides an additional layer of security. Note: If configuring the SRXN3205 from a wireless computer whose MAC address is not in the access control list, if you select Turn Access Control On, you will lose your wireless connection when you click Apply. You must then access the VPN firewall from a wired computer or from a wireless computer that is on the access control list to make any further changes. To restrict access based on MAC addresses: 1. Click the Network Configurations > Wireless Settings in the main/submenu. 2. Click the Setup Access List to the right of the screen. 4-18 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The Access Control List tab and Available Wireless Stations tab appear on screen with the Access Control List tab selected. 3. Click the radio button for Yes in the ACL Enable section to turn on the Access Control List feature. The Trusted Wireless Stations table will show any wireless stations you enter. If you have not entered any wireless stations to the list, it will be empty. The ACL (Access Control List) does not need to be enabled to add or delete MAC address to the list. 4. Click Apply to save the state (enabled or disabled) of the ACL (Access Control List). Select the stations from the list of Available Wireless Stations found in your area, or enter the MAC address of a station to add a new station manually. 5. To add a MAC address to the Trusted Wireless Station list, type in the MAC address in the Add New Trusted Station Manually section, in the form of xx:xx:xx:xx:xx:xx to the text box. You can usually find the MAC address printed on the bottom of the wireless adapter. 6. Click the Add button to the right when you have completed typing. Now, only devices on this list will be allowed to wirelessly connect to the SRXN3205. 7. Repeat these steps for each additional device you want to add to the list. 8. To delete an existing entry, click the check box to the left of the entry and then click the delete button. 9. To view the clients currently connected, click the Available Wireless Stations tab. This list auto-populates whether the ACL is enabled or disable and lists the MAC addresses found within range of this wireless VPN firewall. Wireless Configuration 4-19 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4-20 Wireless Configuration v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 5 Firewall Security and Content Filtering This chapter describes how to set up your firewall and use the content filtering features of the SRXN3205 VPN firewall to protect your network. This chapter contains the following sections: • “About Firewall Security and Content Filtering” • “Using Rules & Services to Block or Allow Traffic” • “Setting Schedules to Block or Allow Traffic” • “Setting Block Sites (Content Filtering)” • “Enabling Source MAC Filtering (Address Filter)” • “Enabling Port Triggering” • “Bandwidth Profile” • “UPnP (Universal Plug and Play)” • “E-Mail Notifications of Event Logs and Alerts” • “Administrator Tips” About Firewall Security and Content Filtering The ProSafe Wireless-N VPN Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Network administrators can establish restricted access policies based on time-of-day, Web addresses, and Web address keywords. You can also block Internet access by applications and services, such as chat or games. A firewall is a special category of router that protects one network (the “trusted” network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two. You can further segment keyword blocking to certain known groups (see “Managing Groups and Hosts (LAN Groups)” on page 3-4 to set up LAN Groups). Firewall Security and Content Filtering 5-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT. Using Rules & Services to Block or Allow Traffic Firewall rules and services are used to block or allow specific traffic passing through from one side to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to. A firewall has two default rules, one for inbound traffic and one for outbound traffic. The default rules of the SRXN3205 are: • Inbound. Block all access from outside except responses to requests from the LAN side. • Outbound. Allow all access from the LAN side to the outside. User-defined firewall rules for blocking or allowing traffic on the firewall can be applied to inbound or outbound traffic. Services-Based Rules The rules to block traffic are based on the traffic’s category of service. • Outbound Rules (service blocking). Outbound traffic is normally allowed unless the firewall is configured to disallow it. • Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic. • Customized Services. Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services” on page 5-15. 5-2 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Quality of Service (QoS) priorities. Each service at its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change this QoS priority if desired to change the traffic mix through the system (see “Setting Quality of Service (QoS) Priorities” on page 5-16). Outbound Rules (Service Blocking) The SRXN3205 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. Note: See “Enabling Source MAC Filtering (Address Filter)” on page 5-20 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall. Table 5-1. Outbound Rules Item Description Service Name Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 5-15). Action (Filter) Select the desired action for outgoing connections covered by this rule: • BLOCK always • BLOCK by schedule, otherwise Allow • ALLOW always • ALLOW by schedule, otherwise Block Note: Any outbound traffic which is not blocked by rules you create will be allowed by the Default rule. ALLOW rules are only useful if the traffic is already covered by a BLOCK rule. That is, you wish to allow a subset of traffic that is currently blocked by another rule. Action (Select Schedule) Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule. • This drop down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as Action. • Use schedule page to configure the time schedules (see “Setting Schedules to Block or Allow Traffic” on page 5-17). Firewall Security and Content Filtering 5-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table 5-1. Outbound Rules (continued) Item Description LAN users These settings determine which computers on your network are affected by this rule. Select the desired options: • Any – All PCs and devices on your LAN. • Single address – Enter the required address and the rule will be applied to that particular PC. • Address range – If this option is selected, you must enter the start and finish fields. • Groups – Select the Group to which this rule will apply. Use the LAN Groups screen (under Network Configuration) to assign PCs to Groups. See “Managing Groups and Hosts (LAN Groups)” on page 3-4. WAN Users These settings determine which Internet locations are covered by the rule, based on their IP address. Select the desired option: • Any – All Internet IP address are covered by this rule. • Single address – Enter the required address in the start field. • Address range – If this option is selected, you must enter the start and end fields. QoS Priority This setting determines the priority of a service which, in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (leaves it as Normal-Service), then the native priority of the service will be applied to the policy. See “Setting Quality of Service (QoS) Priorities” on page 5-16. Log This determines whether packets covered by this rule are logged. Select the desired action: • Always – always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules. • Never – never log traffic considered by this rule, whether it matches or not. Inbound Rules (Port Forwarding) When the SRXN3205 uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding. Whether or not DHCP is enabled, how the PCs will access the server’s LAN address impacts the Inbound Rules. For example: 5-4 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address may change periodically as the DHCP lease expires. Consider using Dyamic DNS (under Network Configuration) so that external users can always find your network (see “Configuring Dynamic DNS” on page 2-11. • If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN Groups menu (under Network Configuration) to keep the PC’s IP address constant (see “Configuring DHCP Address Reservation” on page 3-4. • Local PCs must access the local server using the server’s local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail. Note: See “Enabling Port Triggering” on page 5-23 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall. Table 5-2. Inbound Rules Item Description Service Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 5-15). Action (Filter) Select the desired action for packets covered by this rule: • BLOCK always • BLOCK by schedule, otherwise Allow • ALLOW always • ALLOW by schedule, otherwise Block Note: Any inbound traffic which is not allowed by rules you create will be blocked by the Default rule. Schedule Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule (see “Setting Schedules to Block or Allow Traffic” on page 5-17). • This drop down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as Action. • Use schedule page to configure the time schedules. Send to LAN Server This LAN address determines which computer on your network is hosting this service rule. (You can also translate this address to a port number.) Translate to Port Number Check the “Translate to Port Number” and enter a port number if you want to assign the LAN Server to a different service port number. Inbound traffic to the service port will have the destination port number modified to the port number configured here. Firewall Security and Content Filtering 5-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table 5-2. Inbound Rules (continued) Item Description WAN Users These settings determine which Internet locations are covered by the rule, based on their IP addresses. Select the desired option: • Any – All Internet IP address are covered by this rule. • Single address – Enter the required address in the start field. • Address range – If this option is selected, you must enter the start and end fields. WAN Destination IP Address This setting determines the destination IP address applicable to incoming traffic. This is the public IP address that will map to the internal LAN server; it can either be the address of the WAN1 or WAN2 ports or another public IP address. Log This determines whether packets covered by this rule are logged. Select the desired action: • Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules. • Never – Never log traffic considered by this rule, whether it matches or not. Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP. Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. It is also advisable to turn on the server application security and invoke the user password or privilege levels, if provided. 5-6 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Viewing the Firewall Rules To view the firewall rules, go to Security > Firewall from the main. The LAN WAN Rules tab displays. Figure 5-1 Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 5-1. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom, before applying the default rule. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The Up and Down buttons allow you to relocate a defined rule to a new position in the table. Setting the Outbound Policy The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (Outbound). The default policy of Allow Always can be changed to block all outbound traffic which then allows you to enable only specific services to pass through the firewall. To change the default outbound policy, follow these steps: 1. Go to the LAN WAN Rules tab, shown in Figure 5-1. 2. Add the outbound rules you plan to use. 3. Change the outbound policy by choosing Block Always from the drop-down menu. Firewall Security and Content Filtering 5-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. Click Apply. Creating a LAN WAN Outbound Services Rule An outbound rule will block or allow the selected application from an internal IP LAN address to an external WAN IP address according to the schedule created in the Schedule menu. You can also tailor these rules to your specific needs (see “Administrator Tips” on page 5-27). Note: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems. To create a new outbound service rule in the LAN WAN Rules tab: 1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service screen is displayed. Figure 5-2 2. Configure the parameters and click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table. Creating a LAN WAN Inbound Services Rule This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. To create a new inbound service rule in the LAN WAN Rules tab: 5-8 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen is displayed. Figure 5-3 2. Configure the parameters and click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Inbound Services table. Modifying Rules To make changes to an existing outbound or inbound service rule: 1. In the Action column adjacent to the rule, do the following: • Click Edit to make any changes to the rule definition of an existing rule. The Outbound Service screen is displayed containing the data for the selected rule. • Click Up to move the rule up one position in the table rank. • Click Down to move the rule down one position in the table rank. 2. Check the radio box adjacent to the rule, then do the following: • Click Disable to disable the rule. The “!” Status icon will change from green to grey, indicating that the rule is disabled. (By default, when a rule is added to the table it is automatically enabled.) • Click Delete to delete the rule. 3. Click Select All to choose all rules. Firewall Security and Content Filtering 5-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Attack Checks This screen allows you to specify whether or not the firewall should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below: • WAN Security Checks – Respond To Ping On Internet Ports. To allow the firewall to respond to a Ping request from the Internet, click this check box. Ping can be used as a diagnostic tool. You shouldn't check this box unless you have a specific reason to do so. – Enable Stealth Mode. In stealth mode, the firewall will not respond to port scans from the WAN, thus making it less susceptible to discovery and attacks. – Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker doesn’t complete the connection, thus saturating the server with half-open connections. No legitimate connections can then be made. When blocking is enabled, the firewall will limit the lifetime of partial connections and will be protected from a SYN flood attack. • LAN Security Checks – Block UDP flood. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port, and (3) reply with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker’s network location anonymous. If flood checking is enabled, the firewall will not accept more than 20 simultaneous, active UDP connections from a single computer on the LAN. – • Disable Ping Reply on LAN Ports. To prevent the firewall from responding to Ping requests from the LAN, click this checkbox. VPN Pass through. When the firewall is in NAT mode, all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy. 5-10 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual For example, if a VPN Client or Gateway on the LAN side of this firewall wants to connect to another VPN endpoint on the WAN (placing this firewall between two VPN end points), encrypted packets are sent to this firewall. Since this firewall filters the encrypted packets through NAT, the packets become invalid unless VPN pass through is enabled. When VPN pass through is enabled, the VPN tunnel will pass the VPN traffic without any filtering. Tunnels can be: IPsec; PPTP; or L2TP To enable the appropriate Attack Checks for your environment: 1. Select Security > Firewall from the main/submenu. 2. Click the Attack Checks tab and the Attack Checks screen displays.. Figure 5-4 3. Select the Attack Checks you wish to initiate, and click Apply to save your settings Inbound Rules Examples LAN WAN Inbound Rule: Hosting A Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. In the example shown in Figure 5-5, unrestricted access is provided from the Internet to the local Web server at LAN IP address 192.168.0.99. Firewall Security and Content Filtering 5-11 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 5-5 LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-6, CU-SeeMe connections are allowed to a local host only from a specified range of external IP addresses. Connections are blocked during the period specified by Schedule 1. Figure 5-6 LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses will be used as the primary IP address of the firewall. This address will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers. 5-12 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual In the example shown in Figure 5-7, we have configured multi-NAT to support multiple public IP addresses on one WAN interface. The inbound rule instructs the firewall to host an additional public IP address (10.1.0.5) and to associate this address with the Web server on the LAN (at 192.168.0.2). We also instruct the firewall to translate the incoming HTTP port number (port 80) to a different port number (port 8080). The following addressing scheme is used in this example: • • firewall SRXN3205 – WAN primary public IP address: 10.1.0.1 – WAN additional public IP address: 10.1.0.5 – LAN IP address 192.168.1.1 Web server PC on the firewall’s LAN – LAN IP address: 192.168.1.11 – Port number for Web service: 8080 Figure 5-7 To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear. LAN WAN Inbound Rule: Specifying an Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN as this host: 1. Create an inbound rule that allows all protocols. Firewall Security and Content Filtering 5-13 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 2. Place the new rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer on your LAN is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network. Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other non-essential services. LAN WAN Outbound Rule: Blocking Instant Messenger To block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period. Enabling Session Limits This page allows you to specify total number sessions per user (IP) allowed across the router. Session limiting is disabled by default. When enabling session limiting you can give the maximum number of sessions per IP either in percentage of maximum sessions or absolute number of maximum sessions. If you want to give the maximum number of sessions per IP in percentage check “yes” radio button otherwise check “No” radio button. The percentage is computed on the total connection capacity of the device. “User Limit” specifies the maximum number of sessions that should be allowed via router from a single source machine (i.e. session limiting is per machine based) as percentage of total connection capacity. Note that some protocols like ftp, rstp create two sessions per connection which should be considered when configuring session limiting. The label “Total Number of Packets Dropped due to Session Limit:” shows total number of packets dropped when session limit is reached The Session TimeOut table displays the TCP, UDP and ICMP Timeout values. Default Timeout values are 1200 seconds for Tcp,180 seconds for Udp and 8 seconds for Icmp. Timeout values can also be configured with user defined values. The maximum value for timeout is 43200 seconds. 5-14 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Adding Customized Services Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request. The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application. Although the SRXN3205 already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 5-8. To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen. To add a custom service: 1. Select Security > Services from the main/submenu and the Services screen displays. Figure 5-8 2. In the Add Custom Services section, enter a descriptive name for the service (this name is for your convenience). 3. Select the Layer 3 transport protocol of the service: TCP, UDP, or ICMP. 4. Enter the first TCP or UDP port of the range that the service uses. 5. Enter the last port of the range that the service uses. If the service only uses a single port number, enter the same number in both fields. Firewall Security and Content Filtering 5-15 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 6. Click Add. The new custom service will be added to the Custom Services Table. Modifying a Service To edit the parameters of an existing service: 1. In the Custom Services Table, click the Edit button adjacent to the service you want to edit. The Edit Service screen is displayed. 2. Modify the parameters you wish to change. 3. Click Apply to confirm your changes. The modified service is displayed in the Custom Services Table. Setting Quality of Service (QoS) Priorities The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. The user can change this priority: • On the Services screen in the Custom Services Table for customized services (see Figure 5-8) [Security > Services]. • On the LAN WAN Outbound Services screen (see Figure 5-2) [Security > Firewall > LAN WAN Rules and click Add to the Outbound Services]. The QoS priority definition for a service determines the queue that is used for the traffic passing through the firewall. A priority is assigned to IP packets using this service. Priorities are defined by the “Type of Service (ToS) in the Internet Protocol Suite” standards, RFC 1349. A ToS priority for traffic passing through the VPN firewall is one of the following: • Normal-Service. No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0. • Minimize-Cost. Used when data has to be transferred over a link that has a lower “cost”. The IP packets for services with this priority are marked with a ToS value of 1. • Maximize-Reliability. Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2. • Maximize-Throughput. Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a ToS value of 4. • Minimize-Delay. Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a ToS value of 8. 5-16 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Setting Schedules to Block or Allow Traffic If you enabled Content Filtering in the Block Sites menu, or if you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules—Schedule 1, Schedule 2 or Schedule 3. To invoke rules and block keywords or Internet domains based on a schedule: 1. Select Security > Schedule from the main/submenu. The Schedule 1 screen displays as the default selection, along with tabs for Schedules 2 and 3. . Figure 5-9 2. Select either All Days or Specific Days. If you chose Specific Days, select each day the schedule will be in effect. 3. For the time of day, select either All Day or Specific Times. If you chose Specific Times, enter the Start Time and End Time (Hour, Minute, AM/PM) to gate access during the selected days. 4. Click Apply to save your settings to Schedule 1. Repeat this procedure to set schedules for Schedule 2 and Schedule 3. Firewall Security and Content Filtering 5-17 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Setting Block Sites (Content Filtering) To restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message. Several types of blocking are available: • Web Components blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Even sites on the Trusted Domains list will be subject to Web Components blocking when the blocking of a particular Web component is enabled. • Keyword Blocking (Domain Name Blocking). You can specify up to 32 words to block. If any of these words appear in the Web site name (URL) or in a newsgroup name, the web site or newsgroup will be blocked by the VPN firewall. You can apply the keywords to one or more groups. Requests from the PCs in the groups will be blocked where keyword blocking has been enabled. Blocking does not occur for the PCs in the groups where keyword blocking has been disabled. You can bypass Keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains or keywords on this list by PCs in the groups where keyword blocking has been enabled, will be allowed to pass without any blocking. Keyword application examples: • If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX. • If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed. • If you wish to block all Internet browsing access, enter the keyword “.”. To enable Content Filtering: 1. Select Security > Block Sites from the main/submenu and the Block Sites screen is displayed. 5-18 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual . Figure 5-10 2. Select Yes to enable Content Filtering. 3. Click Apply to activate the menu controls. 4. Select any Web Components you wish to block. Proxy, Java, ActiveX, or Cookies 5. Select the groups to which Keyword Blocking will apply, then click Enable to activate Keyword blocking (or disable to deactivate Keyword Blocking). 6. Enter your list of blocked Keywords or Domain Names in the Blocked Keyword fields and click Add after each entry. The Keyword or Domain name will be added to the Blocked Keywords table. You can also edit an entry by clicking Edit in the Action column adjacent to the entry. 7. Enter a list of Trusted Domains in the Trusted Domains fields, and click Add after each entry. Firewall Security and Content Filtering 5-19 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The Trusted Domain will appear in the Trusted Domains table. You can also edit any entry by clicking Edit in the Action column adjacent to the entry. 8. Click Apply to save your settings. Enabling Source MAC Filtering (Address Filter) In the Address Filter submenu, the Source MAC Filter tab allows you to block traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. Traffic received from any MAC address is allowed. • When source MAC address filtering is enabled, traffic will be dropped from any computers or devices whose MAC addresses are listed in the Blocked MAC Addresses table. Note: For additional ways of restricting outbound traffic, see “Outbound Rules (Service Blocking)” on page 5-3 To enable MAC filtering and add MAC addresses for blocking: 1. Select Security > Address Filter from the main/submenu. The Source MAC Filter screen displays. 2. Click the Yes radio button to enable Source MAC Filtering. 3. Select the desired Policy for MAC Addresses listed below. Block and Permit the rest, or Permit and Block the rest. Figure 5-11 5-20 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. Enter your list of source MAC addresses to be blocked in the MAC Address field in the form 01:23:45:67:89:AB, using colon-separated hexadecimal characters (0-9, A-F). 5. Click the Add icon. The MAC address is added to the MAC Addresses table where it will be blocked. 6. Click Apply to save your settings. To remove an entry from the table, select the MAC address entry and click Delete. IP/MAC Binding Tab The IP/MAC Binding feature allows the VPN firewall to bind IP to MAC address and vice-versa. Some PCs or devices are configured with static (fixed) addresses. To prevent users from changing static IP addresses, the VPN firewall needs to enable IP/MAC Binding. If VPN firewall detects packets with matching IP addresses but inconsistent MAC addresses or vice-versa, it will drop such packets. If users have enabled the logging option for IP/MAC Binding on their PCs or devices, these packets will be logged before being dropped. The VPN firewall displays the total count of dropped packets, which violated either IP to MAC Binding, or MAC to IP Binding. To enable IP/MAC Binding and add IP and MAC address for binding: 1. Select Security > Address Filter from the main/submenu. The Source MAC Filter screen displays as the default with the IP/MAC Binding tab shown. 2. Click the IP/MAC Binding tab to view the options available. Figure 5-12 Firewall Security and Content Filtering 5-21 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 3. Click the Yes radio button to enable Source MAC Filtering. IP/MAC Bind Table lists the currently defined IP/MAC Bind rules: – Name: Displays the user-defined name for this rule. – MAC Addresses: Displays the MAC Addresses for this rule. – IP Addresses: Displays the IP Addresses for this rule. – Log Dropped Packets: Displays logging option for this rule. To remove an entry from the table, select the IP/MAC Bind entry and click Delete. To edit an entry, click Edit adjacent to the entry. Add IP/MAC Bind Rule – Name: Specify easily identifiable name for this rule. – MAC Address: Specify the MAC Address for this rule. – IP Addresses: Specify the IP Address for this rule. – Log Dropped Packets: Specify Logging option for this rule. Edit IP/MAC Bind Rule: the following fields of an existing IP/MAC Bind rule can be modified: – MAC Address: Specify the MAC Address for this rule. – IP Addresses: Specify the IP Address for this rule. – Log Dropped Packets: Specify Logging option for this rule. Example: If three computers are on the LAN with the following setup: Host1 -- MAC address(00:01:02:03:04:05) & IP address(192.168.10.10) Host2 -- MAC address(00:01:02:03:04:06) & IP address(192.168.10.11) Host3 -- MAC address(00:01:02:03:04:07) & IP address(192.168.10.12) All the above host entries are added in IP/MAC Binding table. The scenario for the above hosts are as such: Host1 -- Matching IP & MAC address in IP/MAC Table. Host2 -- Matching IP but inconsistent MAC address in IP/MAC Table. Host3 -- Matching MAC but inconsistent IP address in IP/MAC Table. The router will block the traffic coming from Host2 & Host3 but allow the traffic coming from Host1 to any external network. Total count of dropped packets will be displayed. 5-22 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Enabling Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires the port numbers used by the application. Once configured, port triggering operates as follows: 1. A PC makes an outgoing connection using a port number defined in the Port Triggering table. 2. The firewall records this connection, opens the additional INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC. 3. The remote system receives the PC’s request and responds using the different port numbers that you have now opened. 4. The VPN firewall matches the response to the previous request, and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the inbound service rules. Note these restrictions with Port Triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the VPN firewall cannot be sure when the application has terminated. Note: For additional ways of allowing inbound traffic, see “Inbound Rules (Port Forwarding)” on page 5-4. To add a port triggering rule: Firewall Security and Content Filtering 5-23 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Select Security from the main menu and Port Triggering from the submenu. Figure 5-13 The Port Triggering screen is displayed. 2. Enter a user-defined name for this rule in the Name field. 3. From the Enable pull-down menu, indicate if the rule is enabled or disabled. 4. From the Protocol pull-down menu, choose either TCP or UDP transport protocol. 5. In the Outgoing (Trigger) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 6. In the Incoming (Response) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 7. Click Add. The port triggering rule is added to the Port Triggering Rules table. To check the status of the port triggering rules, click the Status option arrow to the right of the tab on the Port Triggering screen. Bandwidth Profile The Bandwidth profile sets the limits on the bandwidth of internet link and determines the limits on the data traffic sent to or received from your host. Bandwidth Limiting, by providing limits on the outgoing/incoming traffic, prevents the LAN users for consuming all the bandwidth of internet link. Bandwidth Limiting for outbound traffic is set up on WAN interface, while limits for inbound traffic are set up on the LAN interface for all WAN modes. 5-24 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Example: When a new connection is established on the VPN firewall, the firewall rules are search for a corresponding rule limit to the connection. If the rule has a bandwidth profile setting, then the firewall will create a bandwidth class in the kernel. If multiple connections correspond to the same firewall rule, these will share the same class. An exception occurs when an individual type bandwidth profile has classes set per source IP. The “source IP” is the source IP of the first packet of the connection. For the outbound rules, the source IP will be on the LAN side IP and for inbound rules the source IP will be on the WAN-side IP. This class will be deleted when all the connections using the class expire. 1. To access the Bandwidth Profile tab, click Security > Bandwidth Profile in the main menu. Figure 5-14 The Bandwidth Profile tab appears on screen with a table titled, List of Bandwidth Profiles. • List of Bandwidth Profile Table - This table lists the currently defined bandwidth profiles. • Name: Displays the user-defined name for this bandwidth profile. • Bandwidth Range: Displays the range for bandwidth profile. • Type: Displays the type for bandwidth profile. • Direction: Displays direction of inbound or outbound traffic. 2. To add a Bandwidth Profile to the table, click the Add button. The Add Bandwidth Profile screen displays. 3. Type a value for each parameter text box to create a new bandwidth profile. • Profile Name: Specify an easily identifiable name for the profile. • Minimum Bandwidth: Specify the minimum bandwidth value in Kbps for the profile. • Maximum Bandwidth: Specify the maximum bandwidth value in Kbps for the profile. • Type: Select profile type, Group or Individual. • Direction: Select Inbound Traffic or Outbound Traffic. Firewall Security and Content Filtering 5-25 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. If you decide not to enter a new profile once you started a new profile, click Bandwidth Profile in the submenu to return to the List of Bandwidth Profiles table. 5. Click Apply to save your settings and accept the new bandwidth profile. 6. You can edit any existing profile by clicking Edit in the Action column. 7. If you change your mind while creating a new bandwidth profile, click Reset to discard any changes and revert to the previous settings. UPnP (Universal Plug and Play) The UPnP (Universal Plug and Play) feature allows the VPN Firewall to automatically discover and configure the devices when it searches over LAN and WAN. 1. To access the UPnP tab, click Security > UPnP in the main/submenu. The UPnP tab appears on screen with various options to select. 2. To enable the UPnP feature, click the Yes radio button or No to disable it. – No is the default and the VPN firewall will not automatically configure devices. – If Yes is selected it activates the two text boxes to the right. 3. Fill in the two text boxes to the right. – Advertisement Period: Type in the text box (in minutes), how often you want the firewall to broadcast its UPnP information to all devices within range. – Advertisement Time to Live: Type in the text box (in hops), how many steps (hops) each UPnP packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. 4. Click Reset to revert to the previous settings. 5. Click Apply to save changes. 6. To view the contents of the UPnP Portmap Table, click Refresh to refresh the table and search for any new UPnP devices. The UPnP Portmap Table shows the IP addresses and other settings of UPnP devices that have accessed this wireless VPN firewall. – Active: A Yes or No indicates if the UPnP device port that established a connection is currently active. 5-26 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual – – – – Protocol: Indicates the network protocol (i.e. HTTP, FTP, etc.) used by the device to connect to the VPN firewall. Int. Port (Internal Port): Indicates if any internal ports are opened by the UPnP device. Ext. Port (External Port): Indicates if any external ports are opened by the UPnP device. IP Address: List the IP address of the UPnP device accessing the VPN firewall. E-Mail Notifications of Event Logs and Alerts The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For example, your VPN firewall will log security-related events such as: accepted and dropped packets on different segments of your LAN; denied incoming and outgoing service requests; hacker probes and login attempts; and other general information based on the settings you input on the Firewall Logs & E-mail menu. In addition, if you have set up Content Filtering on the Block Sites screen (see “Setting Block Sites (Content Filtering)” on page 5-18), a log will be generated when someone on your network tries to access a blocked site. To configure e-mail or syslog notification, or to view the logs, see “Activating Notification of Events and Alerts” on page 11-3. Administrator Tips Consider the following operational items: 1. As an option, you can enable remote management if you have to manage distant sites from a central location (see “Enabling Remote Management Access” on page 9-10). 2. Although rules are the basic way of managing the traffic through your system (see “Using Rules & Services to Block or Allow Traffic” on page 5-2), you can further refine your control with the following optional features of the firewall: • • • • • • Groups and hosts (see “Managing Groups and Hosts (LAN Groups)” on page 3-4) Services (see “Services-Based Rules” on page 5-2) Schedules (see “Setting Schedules to Block or Allow Traffic” on page 5-17) Block sites (see “Setting Block Sites (Content Filtering)” on page 5-18) Source MAC filtering (see “Enabling Source MAC Filtering (Address Filter)” on page 520) Port triggering (see “Enabling Port Triggering” on page 5-23) Firewall Security and Content Filtering 5-27 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 5-28 Firewall Security and Content Filtering v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 6 Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Wireless-N VPN Firewall to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections: • “Using the VPN Wizard for Client and Gateway Configurations” • “Creating Gateway to Gateway VPN Tunnels with the Wizard” • “Creating a Client to Gateway VPN Tunnel with the Wizard” • “Viewing or Modifying IKE and VPN Policy Settings” • “Managing VPN Tunnel Policies” • “Manually Assigning IP Addresses to Remote Users (ModeConfig)” • “Extended Authentication (XAUTH) Configuration” Using the VPN Wizard for Client and Gateway Configurations Configuring a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that will determine the IPsec keys and VPN policies it sets up. The VPN Wizard will also set the parameters for the network connection: Security Association, traffic selectors, authentication algorithm, and encryption. The parameters used by the VPN wizard are based on the recommendations of the VPN Consortium (VPNC), an organization that promotes multi-vendor VPN interoperability. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: • Using the wizard to configure a VPN tunnel between 2 VPN gateways • Using the wizard to configure a VPN tunnel between a VPN gateway and a VPN client Virtual Private Networking Using IPsec 6-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Creating Gateway to Gateway VPN Tunnels with the Wizard You can configure multiple gateway VPN tunnel policies through the VPN Wizard. You can also set up multiple remote VPN client policies through the VPN Wizard. To set up a gateway VPN Tunnel using the VPN Wizard: 1. Select VPN > IPsec VPN from the main/submenu. 2. Click the VPN Wizard tab and the VPN Wizard screen displays. To view the wizard default settings, click the VPN Default values link. You can modify these settings after completing the wizard. Figure 6-1 3. Select Gateway as your VPN tunnel connection. 4. Create a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN endpoint. It is used to help you manage the VPN settings. 5. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN gateway, or the remote VPN client. This key should be minimum of 8 characters and should not exceed 49 characters. This method does not require using a CA (Certificate Authority). 6-2 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 6. Enter the Remote WAN IP Address or Internet Name of the gateway to which you want to connect. • Both the remote WAN address and your local WAN address are required. • The remote WAN IP address must be a public address or the Internet name of the remote gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as registered in a Dynamic DNS service (see “Configuring Dynamic DNS” on page 2-11). Both local and remote endpoints should be defined as either FQDN or IP addresses. A combination of IP address and FQDN is not permissible. 7. Enter the Local WAN IP Address or FQDN of your SRXN3205. Note: When the SRXN3205 is online, this IP address is automatically filled in. The Local WAN IP address is used in the IKE negotiation phase. The WAN IP address assigned by your ISP may display automatically. You can modify the address to use your FQDN. 8. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The Remote LAN IP address information you input on this screen is the local LAN IP and Subnet Mask of the remote gateway. If this information is incorrect, the tunnel will fail to connect. Tip: The Remote LAN IP address must be in a different subnet than the Local LAN IP address. For example, if the local subnet is 192.168.1.x, then the remote subnet could be 192.168.10.x. but could not be 192.168.1.x. Click the VPN Wizard Default Values option arrow at the top right of the screen to view the recommended VPNC parameters that will be used for additional settings configured by the Wizard. You can always modify the default settings after completing the wizard. If you do modify those settings, you will have to make the same modifications on both of the gateway units. 9. Click Apply to save your settings. The VPN Policies screen is displayed showing the new policy as enabled. Click Edit in the Action column adjacent to the policy to view or modify your policy settings. Virtual Private Networking Using IPsec 6-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Creating a Client to Gateway VPN Tunnel with the Wizard Follow these steps to configure the VPN client. 1. From the main menu, go to VPN > IPSec VPN > VPN Wizard. The VPN Wizard displays. . Figure 6-2 2. Select VPN Client as your VPN tunnel connection. 3. Create a Connection Name like “client”. Enter an appropriate name for the connection. This name is not supplied to the remote VPN client. It is only used to help you manage the VPN settings. 4. Enter a Pre-shared Key. The key must be entered both here and on the VPN Client. This key length should be minimum 8 characters and should not exceed 49 characters. 5. The public Remote and Local Identifier are automatically filled in. 6. Click Apply. Click Edit to review the VPN policy details the wizard just created for you. 6-4 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Viewing or Modifying IKE and VPN Policy Settings Follow these steps to view or modify IKE and VPN policy settings. 1. For IKE policy settings, go to VPN > IPSec VPN > IKE Policies. Figure 6-3 To view or modify the IKE policy settings, click Edit in the Action column of the policy you want to review. Virtual Private Networking Using IPsec 6-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 2. For VPN policy settings, go to VPN > IPSec VPN > VPN Policies. Figure 6-4 To view or modify the IKE Polic, click Edit in the Actioni columnof the policy you want to review. 6-6 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Creating a VPN Client to SRXN3205 Connection This section describes how to configure a VPN connection between a Windows PC and the SRXN3205 firewall. Using the SRXN3205's VPN Wizard, we will create VPN client policies (IKE and VPN) that will allow remote PCs to connect from locations in which their IP addresses are unknown in advance. The PCs may be directly connected to the Internet or may be behind NAT routers. Each PC will use Netgear's ProSafe VPN Client software. Since the PC's IP address is assumed to be unknown, the PC must always be the initiator of the connection. This procedure was developed and tested using: • Netgear SRXN3205 ProSafe Wireless-N VPN Firewall • Netgear ProSafe VPN Client • NAT router: Netgear FVX538 Configuring the SRXN3205 1. Start/open the VPN Wizard. 2. Select the VPN Client radio button for type of VPN connection. 3. Give the client connection a name, such as “client”. 4. Enter a value for the pre-shared key. 5. Enter the Remote Identifier Information. The default is srxn_remote.com. 6. Enter the Local Identifier information. The default is srxn_local.com 7. Click Apply to create the “client” VPN Client. The VPN Policies screen is displayed showing the VPN Client policy as enabled. 8. Click the IKE Policies tab to display the IKE Policies table and click Edit adjacent to the “client” policy to view the policy details. You can augment user authentication security by enabling the XAUTH server by selecting the Edge Device radio box and then adding users to the user database (see “Extended Authentication (XAUTH) Configuration” on page 6-22 and “User Database Configuration” on page 6-24, respectively). As an alternative to the local user database, you can also choose a RADIUS server. Virtual Private Networking Using IPsec 6-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring the VPN Client From a PC with the Netgear Prosafe VPN Client installed, you can configure a VPN client policy to connect to the SRXN3205. To configure your VPN client: 1. Right-click on the VPN client icon in your Windows toolbar and choose Security Policy Editor. 2. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection. Give the New Connection a name, such as SRXN. Figure 6-5 3. From the ID Type pull-down menu, choose IP Subnet. 4. Enter the LAN IP Subnet Address and Subnet Mask of the SRXN3205 LAN. Check the Connect using radio box and choose Secure Gateway Tunnel from the pull-down menu. 5. From the first ID Type pull-down menus, choose Domain Name and enter the FQDN address of the SRXN3205. 6. From the second ID Type pull-down menu, choose Gateway IP Address and enter the WAN IP Gateway address of the SRXN3205. 6-8 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 7. In the left frame, click My Identity. Figure 6-6 8. From the Select Certificate pull-down menu, choose None. 9. From the ID Type pull-down menu, choose Domain Name. 10. Leave Virtual Adapter disabled, and click your computer’s Network Adapter. Your current IP address will appear. 1. Before leaving the My Identity menu, click Pre-Shared Key. 2. Click Enter Key and then enter your preshared key, and click OK. This key will be shared by all users of the SRXN3205 policy “client”. 3. In the left frame, click Security Policy. Virtual Private Networking Using IPsec 6-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. For the Phase 1 Negotiation Mode, check the Aggressive Mode radio box. Figure 6-7 5. PFS should be disabled, and Enable Replay Detection should be enabled. 6. In the left frame, expand Authentication (Phase 1) and choose Proposal 1. The Proposal 1 fields should mirror those in the following figure. No changes should be necessary. Figure 6-8 6-10 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 7. In the left frame, expand Key Exchange (Phase 2) and choose Proposal 1. The fields in this proposal should also mirror those in the following figure. No changes should be necessary. Figure 6-9 8. In the upper left of the window, click the disk icon to save the policy. Testing the Connection 1. From your PC, right-click on the VPN client icon in your Windows toolbar and choose Connect..., then My Connections\SRXN. Within 30 seconds you should receive the message “Successfully connected to My Connections\SRXN” and the VPN client icon in the toolbar should say On: 2. For additional status and troubleshooting information, right-click on the VPN client icon Logs and Connection Status screens in the SRXN3205. Managing VPN Tunnel Policies After you use the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name you selected as the VPN tunnel connection name during Virtual Private Networking Using IPsec 6-11 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Wizard setup identifies both the VPN policy and IKE policy. You can edit existing policies, or add new VPN and IKE policies directly in the policy tables. Note: An IKE policy cannot be edited if it is associated with an enabled VPN policy. About IKE The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN gateways, and provides automatic management of the keys used in IPsec. It is important to remember the: • “Auto” generated VPN policies must use the IKE negotiation protocol. • “Manual” generated VPN policies cannot use the IKE negotiation protocol. Managing IKE Policies IKE Policies are activated when the following occur: 1. The VPN policy selector determines that some traffic matches an existing VPN policy. If the VPN policy is of type “Auto”, then the Auto Policy Parameters defined in the VPN policy are accessed which specify which IKE Policy to use. 2. If the VPN Policy is a “Manual” policy, then the Manual Policy Parameters defined in the VPN policy are accessed and the first matching IKE policy is used to start negotiations with the remote VPN gateway. • If negotiations fail, the next matching IKE policy is used. • If none of the matching IKE policies are acceptable to the remote VPN gateway, then a VPN tunnel cannot be established. 3. An IKE session is established, using the SA (Security Association) parameters specified in a matching IKE Policy: • Keys and other parameters are exchanged. • An IPsec SA (Security Association) is established, using the parameters in the VPN policy. The VPN tunnel is then available for data transfer. 6-12 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual About the IKE Policy Table When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies and is given the same name as the new VPN connection name. You can also edit exiting policies or add new IKE policies directly on the List of IKE Policies. Each policy contains the following data: • Policy Name. Uniquely identifies each IKE policy. The name is chosen by you and used for the purpose of managing your policies; it is not supplied to the remote VPN Server. • Direction / Type. • Both • Initiator • Responder • Exchange Mode. Two modes are available: either Main or Aggressive. Main Mode negotiates the tunnel with higher security, but is slower whereas Aggressive Mode establishes a faster connection but with lowered security. Note: If either the Local or Remote identifier type (defined below) is not an IP address, then negotiation is only possible in Aggressive Mode. If FQDN, User FQDN or DER ASN1 DN is selected, the router will disable Main Mode and set the default to Aggressive Mode. • Mode Config Record Specify whether this IKE policy uses a Mode Config Record (Mode Config Records can be defined on the Mode Config page under the VPN menu). Select the Yes radio button if you would like IP addresses to be assigned to remote VPN Clients. Since Mode Config works only in Aggressive Mode, enabling this will set the tunnel exchange mode to Aggressive Mode and disable Main Mode. Mode Config also requires that both the local and remote ends be defined by their Internet Names (FQDN) only. • Local ID. The IKE/ISAKMP identify of this device. (The remote VPN must have this value as their “Remote ID”.) • Remote ID. The IKE/ISAKMP identify of the remote VPN gateway. (The remote VPN must have this value as its Local ID.) • IKE SA Parameters – Encryption Algorithm. This algorithm is used for the IKE SA. The default setting using the VPN Wizard is 3DES. (This setting must match the Remote VPN.) – Authentication Algorithm. This algorithm is used for the IKE SA. The default setting using the VPN Wizard is SHA1. (This setting must match the Remote VPN.) Virtual Private Networking Using IPsec 6-13 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual – – Authentication Method. Select Pre-shared Key for a simple password based key. Selecting RSA-Signature will disable the Pre-shared key text box and uses the Active Self Certificate uploaded in the Certificates page. In that case, a certificate must be configured in order for RSA-Signature to work. Pre-shared Key Note: The “ (Double Quote) character is not supported for a Pre-shared Key. – – – Diffie-Hellman (DH) Group. This method is used when exchanging keys. The DH group sets the number of bits. The VPN Wizard default setting is Group 2. (This setting must match the remote VPN.) SA-Lifetime (sec) Enable Dead Peer Detection, if yes Dead Peer Detection is used to detect whether the Peer is alive or not. If the peer is detected as Dead, it deletes the IPSec and IKE Security Association. – Detection Period (Seconds): Detection Period is the interval between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPSec traffic is idle. – Reconnect after failure count: Maximum number of DPD failures allowed before tearing down the connection. • Extended Authentication. The XAUTH Configuration Edge Device: Select this option to use this router as a VPN concentrator where one or more gateway tunnels terminate. The authentication modes are: – User Database: User accounts created in the router are used to authenticate users (under the VPN Client menu on the User Database page). – RADIUS: The router will connect to a RADIUS server and pass on the credentials it receives from the VPN Client. The connection between the router and the RADIUS server can be secured with the authentication protocol supported by the server (PAP or CHAP). RADIUS server settings are configured under the VPN Client menu on the RADIUS Client page. Note: If RADIUS – PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server. 6-14 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual IPSec Host: The router is authenticated by a remote gateway with a username and password combination. In this mode, the router acts as a VPN Client of the remote gateway. VPN Policy You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available. • Manual. All settings (including the keys) for the VPN tunnel are manually input at each end (both VPN Endpoints). No third party server or organization is involved. • Auto. Some parameters for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN Endpoints (the Local ID Endpoint and the Remote ID Endpoint). In addition, a Certificate Authority (CA) can also be used to perform authentication (see “Managing Certificates” on page 8-8). To use a CA, each VPN gateway must have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed, and is used to encrypt data. The receiver then uses its private key to decrypt the data (without the private key, decryption is impossible). The use of certificates for authentication reduces the amount of data entry required on each VPN endpoint. Managing VPN Policies The VPN Policies screen allows you to add additional policies—either Auto or Manual—and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. The rules for VPN policy use are: 1. Traffic covered by a policy will automatically be sent via a VPN tunnel. 2. When traffic is covered by two or more policies, the first matching policy will be used. (In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN Endpoint, then the policy order is not important.) 3. The VPN tunnel is created according to the parameters in the SA (Security Association). 4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. VPN Policy Table Only one Client Policy may configured at a time (noted by an “*” next to the policy name). The Policy Table contains the following fields: • ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To Enable or Disable a Policy, check the radio box adjacent to the circle and click Enable or Disable, as required. Virtual Private Networking Using IPsec 6-15 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Name. Each policy is given a unique name (the Connection Name when using the VPN Wizard). • Type. The Type is “Auto” or “Manual” as described previously (Auto is used during VPN Wizard configuration). • Local. IP address (either a single address, range of address or subnet address) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (The Subnet address is supplied as the default IP address when using the VPN Wizard). • Remote. IP address or address range of the remote network. Traffic must be to (or from) these addresses to be covered by this policy. (The VPN Wizard default requires the remote LAN IP address and subnet mask). • Auth. Authentication Algorithm used for the VPN tunnel. The default setting using the VPN Wizard is SHA1. (This setting must match the Remote VPN.) • Encr. Encryption algorithm used for the VPN tunnel. The default setting using the VPN Wizard is 3DES. (This setting must match the Remote VPN.) • Action. Allows you to access individual policies to make any changes or modifications. VPN Tunnel Connection Status Recent VPN tunnel activity is shown on the IPsec Connection Status screen (accessed by selecting VPN from the main menu and Connection Status from the submenu).You can set a Poll Interval (in seconds) to check the connection status of all active IKE Policies to obtain the latest VPN tunnel activity. The Active IPsec (SA)s table also lists current data for each active IPsec SA (Security Association): • Policy Name. The name of the VPN policy associated with this SA. • Endpoint. The IP address on the remote VPN Endpoint. • Tx (KBytes). The amount of data transmitted over this SA. • Tx (Packets). The number of packets transmitted over this SA. • State. The current state of the SA. Phase 1 is “Authentication phase” and Phase 2 is “Key Exchange phase”. • Action. Allows you to terminate or build the SA (connection), if required. 6-16 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Manually Assigning IP Addresses to Remote Users (ModeConfig) To simply the process of connecting remote VPN clients to the SRXN3205, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the firewall. Remote users are given IP addresses available in secured network space so that remote users appear as seamless extensions of the network. In the following example, we configured the firewall using ModeConfig, and then configured a PC running ProSafe VPN Client software using these IP addresses. • • NETGEAR SRXN3205 ProSafe Wireless-N VPN Firewall – WAN IP address: 172.21.4.1 – LAN IP address/subnet: 192.168.2.1/255.255.255.0 NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Mode Config Operation After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The Mode Config module will allocate an IP address from the configured IP address pool and will activate a temporary IPsec policy using the template security proposal information configured in the Mode Config record. Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly-created Mode Config record as the Remote Host Configuration Record. The VPN Policies menu does not need to be edited. Configuring the VPN Firewall Two menus must be configured—the Mode Config menu and the IKE Policies menu. To configure the Mode Config menu: 1. Click VPN in the main menu. 2. Click IPsec VPN in the submenu. Virtual Private Networking Using IPsec 6-17 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 3. Click the Mode Config tab. The Mode Config tab is displayed. Figure 6-10 4. Click Add. The Add Mode Config Record screen is displayed . Figure 6-11 5. Enter a descriptive Record Name such as “Sales”. 6. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients. Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx. 7. If you have a WINS Server on your local network, enter its IP address. 8. Enter one or two DNS Server IP addresses to be used by remote VPN clients. 9. If you enable Perfect Forward Secrecy (PFS), choose DH Group 1 or 2. This setting must match exactly the configuration of the remote VPN client, 6-18 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 10. Specify the Local IP Subnet to which the remote client will have access. Typically, this is your firewall’s LAN subnet, such as 192.168.2.1/255.255.255.0. (If not specified, it will default to the LAN subnet of the firewall.) 11. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Encryption Algorithm: 3DES • Authentication Algorithm: SHA-1 12. Click Apply. The new record should appear in the VPN > Mode Config Table. Next, you must configure an IKE Policy: 1. On the main menu, click VPN. The IKE Policies screen is displayed showing the current policies in the List of IKE Policies Table. (See Figure 6-3 on page 6-5.) 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen displays. 3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the View selected radio box.) Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by an FQDN. 4. In the General section: a. Enter a descriptive name in the Policy Name Field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration. b. Set Direction/Type to Responder. c. The Exchange Mode will automatically be set to Aggressive. 5. For Local information: a. Select Fully Qualified Domain Name for the Local Identity Type. b. Enter an identifier in the Remote Identity Data field that is not used by any other IKE policies. This identifier will be used as part of the local identifier in the VPN client configuration. 6. Specify the IKE SA parameters. These settings must be matched in the configuration of the remote VPN client. Recommended settings are: • Encryption Algorithm: 3DES Virtual Private Networking Using IPsec 6-19 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • • • Authentication Algorithm: SHA-1 Diffie-Hellman: Group 2 SA Lifetime: 3600 seconds 7. Enter a Pre-Shared Key that will also be configured in the VPN client. 8. XAUTH is disabled by default. To enable XAUTH, choose one of the following: • Edge Device to use this firewall as a VPN concentrator where one or more gateway tunnels terminate. (If selected, you must specify the Authentication Type to be used in verifying credentials of the remote VPN gateways.) • IPsec Host if you want this gateway to be authenticated by the remote gateway. Enter a Username and Password to be associated with the IKE policy. When this option is chosen, you will need to specify the user name and password to be used in authenticating this gateway (by the remote gateway). 9. If Edge Device was enabled, choose the Authentication Type from the pull down menu which will be used to verify account information: User Database, RADIUS-CHAP or RADIUS-PAP. Users must be added through the User Database screen (see “Creating a New User Account” on page 8-4 or “RADIUS Client Configuration” on page 6-24). Note: If RADIUS-PAP is selected, the firewall will first check the User Database to see if the user credentials are available. If the user account is not present, the firewall will then connect to the RADIUS server. 10. Click Apply. The new policy will appear in the IKE Policies Table. Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon. a. Give the connection a descriptive name such as “modecfg_test”. (This name will only be used internally). b. From the ID Type pull-down menu, choose IP Subnet. c. Enter the IP Subnet and Mask of the firewall (this is the LAN network IP address of the gateway). 6-20 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual d. Check the Connect using radio button and choose Secure Gateway Tunnel from the pulldown menu. e. From the ID Type pull-down menu, choose Domain name and enter the FQDN of the firewall; in this example it is “local_id.com”. f. Choose Gateway IP Address from the second pull-down menu and enter the WAN IP address of the firewall; in this example it is “172.21.4.1”. 2. From the left side of the menu, click My Identity and enter the following information: a. Click Pre-Shared Key and enter the key you configured in the SRXN3205 IKE menu. b. From the Select Certificate pull-down menu, choose None. c. From the ID Type pull-down menu, choose Domain Name and create an identifier based on the name of the IKE policy you created; for example “salesperson11.remote_id.com”. d. Under Virtual Adapter pull-down menu, choose Preferred. The Internal Network IP Address should be 0.0.0.0. Note: If no box is displayed for Internal Network IP Address, go to Options/ Global Policy Settings, and check the box for “Allow to Specify Internal Network Address.” e. Select your Internet Interface adapter from the Name pull-down menu. 3. On the left-side of the menu, choose Security Policy. a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button. b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and choose the DiffieHellman Group 2 from the PFS Key Group pull-down menu. c. Enable Replay Detection should be checked. 4. Click on Authentication (Phase 1) on the left-side of the menu and choose Proposal 1. Enter the Authentication values to match those in the firewall ModeConfig Record menu. 5. Click on Key Exchange (Phase 2) on the left-side of the menu and choose Proposal 1. Enter the values to match your configuration of the firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours [28800 seconds] 6. Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client. To test the connection: Virtual Private Networking Using IPsec 6-21 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”. 2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test is displayed and the VPN client icon in the toolbar will read “On”. 3. From the client PC, ping a computer on the firewall LAN. Extended Authentication (XAUTH) Configuration When connecting many VPN clients to a firewall, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the firewall to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local User Database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network. XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are available: • Edge Device. If this is selected, the firewall is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP. • IPsec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway. Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the firewall will then connect to a RADIUS server. 6-22 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring XAUTH for VPN Clients Once the XAUTH has been enabled, you must establish user accounts in the User Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: If you are modifying an existing IKE Policy to add XAUTH, if it is in use by a VPN policy, the VPN policy must be disabled before you can modify the IKE Policy. To enable and configure XAUTH: 1. Select VPN > IPsec VPN from the main/submenu. 2. Click the IKE Policies tab and the IKE Policies screen displays. Figure 6-12 3. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified or you can create a new IKE Policy incorporating XAUTH by clicking Add. 4. In the Extended Authentication section check the Edge Device radio box to use this firewall as a VPN concentrator where one or more gateway tunnels terminate. You then must specify the authentication type to be used in verifying credentials of the remote VPN gateways. (Either the User Database or RADIUS Client must be configured when XAUTH is enabled.) 5. In the Extended Authentication section, choose the Authentication Type from the pulldown menu which will be used to verify user account information. Select • Edge Device to use this firewall as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways. – User Database to verify against the firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 6-24). Virtual Private Networking Using IPsec 6-23 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual – • RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the firewall will first check in the user database to see if the user credentials are available. If the user account is not present, the firewall will then connect to the RADIUS server (see “RADIUS Client Configuration” on page 6-24). IPsec Host if you want to be authenticated by the remote gateway. In the adjacent Username and Password fields, type in the information user name and password associated with the IKE policy for authenticating this gateway (by the remote gateway). 6. Click Apply to save your settings. User Database Configuration When XAUTH is enabled as an Edge Device, users must be authenticated either by a local User Database account or by an external RADIUS server. Whether or not you use a RADIUS server, you may want some users to be authenticated locally. These users must be added to the List of Users table, as described in “Creating a New User Account” on page 8-4. RADIUS Client Configuration RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing Authentication, Authorization, and Accounting (AAA) of multiple users in a network. A RADIUS server will store a database of user information, and can validate a user at the request of a gateway or server in the network when a user requests access to network resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH request. At that point, the remote user must provide authentication information such as a username/password or some encrypted response using his username/password information. The gateway will try to verify this information, first against a local User Database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. To configure the Primary RADIUS Server: 1. Select VPN > IPsec VPN from the main/submenu. 2. Click the RADIUS Client tab and the RADIUS Client screen displays. 6-24 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 6-13 3. To activate (enable) the Primary RADIUS server, click the Yes radio button. The primary server options become active. 4. Configure the following entries: • Primary RADIUS Server IP address. The IP address of the RADIUS server. • Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server. • Primary Server NAS Identifier (Network Access Server). This Identifier MUST be present in a RADIUS request. Ensure the NAS Identifier is configured identically on both client and server. The SRXN3205 is acting as a NAS (Network Access Server), allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS Identifier information to the RADIUS Server. Depending on the configuration of the RADIUS Server, the SRXN3205’s IP address may be sufficient as an identifier, or the server may require a name, which you would enter here. This name would also be configured on the RADIUS server, although in some cases it should be left blank on the RADIUS server. 5. Enable a Backup RADIUS Server (if required). 6. Set the Time Out Period, in seconds, that the firewall should wait for a response from the RADIUS server. 7. Set the Maximum Retry Count. This is the number of tries the firewall will make to the RADIUS server before giving up. Virtual Private Networking Using IPsec 6-25 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 8. Click Apply to save the settings. Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens. 6-26 Virtual Private Networking Using IPsec v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 7 Virtual Private Networking Using SSL The SRXN3205 ProSafe Wireless-N VPN Firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the SRXN3205 can authenticate itself to an SSL-enabled client, such as a standard web browser. Once the authentication and negotiation of encryption information is completed, the server and client can establish an encrypted connection. With support for 10 concurrent sessions, users can easily access the remote network for a customizable, secure, user portal experience from virtually any available platform. This chapter contains the following sections: • “Understanding the Portal Options” • “Planning for SSL VPN” • “Creating the Portal Layout” • “Configuring Domains, Groups, and Users” • “Configuring Applications for Port Forwarding” • “Configuring the SSL VPN Client” • “Using Network Resource Objects to Simplify Policies” • “Configuring User, Group, and Global Policies” Understanding the Portal Options The SRXN3205’s SSL VPN portal can provide two levels of SSL service to the remote user: • VPN Tunnel The SRXN3205 can provide the full network connectivity of a VPN tunnel using the remote user’s browser in the place of a traditional IPsec VPN client. The SSL capability of the user’s Virtual Private Networking Using SSL 7-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual browser provides authentication and encryption, establishing a secure connection to the firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the firewall, and a virtual network interface is created on the user’s PC. The firewall will assign the PC an IP address and DNS server IP addresses, allowing the remote PC to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions configured by the administrator. • Port Forwarding Like VPN Tunnel, Port Forwarding is a web-based client that installs transparently and then creates a virtual, encrypted tunnel to the remote network. However, Port Forwarding differs from VPN Tunnel in several ways. For example, Port Forwarding: – Only supports TCP connections, not UDP or other IP protocols. – Detects and reroutes individual data streams on the user’s PC to the Port Forwarding connection rather than opening up a full tunnel to the corporate network. – Offers more fine grained management than VPN Tunnel. The administrator defines individual applications and resources that will be available to remote users. The SSL VPN portal can present the remote user with one or both of these SSL service levels, depending on the configuration by the administrator. Planning for SSL VPN To set up and activate SSL VPN connections, you will perform these basic steps in this order: 1. Edit the existing SSL Portal or create a new one. When remote users log in to the SSL firewall, they see a portal page that you can customize to present the resources and functions that you choose to make available. 2. Create one or more authentication domains for authentication of SSL VPN users. When remote users log in to the SSL firewall, they must specify a domain to which their login account belongs. The domain determines the authentication method to be used and the portal layout that will be presented, which in turn determines the network resources to which they will have access. Because you must assign a portal layout when creating a domain, the domain is created after you have created the portal layout. 3. Create one or more groups for your SSL VPN users. 7-2 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain. 4. Create one or more SSL VPN user accounts. Because you must assign a group when creating a SSL VPN user account, the user account is created after you have created the group. 5. For port forwarding, declare the servers and services. Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names with these servers. The firewall will resolve the names to the servers using the list you have created. 6. For VPN tunnel service, configure the virtual network adapter. In the VPN tunnel option, the firewall creates a virtual network adapter on the remote PC that will function as if it were on the local network. Configure the portal’s SSL VPN Client to define a pool of local IP addresses to be issued to remote clients, as well as DNS addresses. Declare static routes or grant full access to the local network, subject to additional policies. 7. For simplifying policies, define network resource objects. Network resource objects are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. 8. Configure the policies. Policies determine access to network resources and addresses for individual users, groups, or everyone. Creating the Portal Layout The SSL VPN Portal Layouts menu allows you to create a custom page that remote users will see when they log into the portal. Because the page is completely customizable, it provides an ideal way to communicate remote access instructions, support information, technical contact info, or VPN-related news updates to remote users. The page is also well-suited as a starting page for restricted users; if mobile users or business partners are only permitted to access a few resources, the page you create will present only the resources relevant to these users. Virtual Private Networking Using SSL 7-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Portal Layouts are applied by selecting from available portal layouts in the configuration of a Domain. When you have completed your Portal Layout, you can apply the Portal Layout to one or more authentication domains (see XREF to apply a Portal Layout to a Domain). You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button adjacent to the portal layout name. Note: The default portal address is https://<IP_Address>/portal/SSL-VPN. The domain geardomain is attached to the SSL-VPN portal. The firewall administrator may define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add additional portal layouts. You can also make any portal the default portal for the SSL firewall by clicking the default button in the Action column of the List of Layouts, to the right of the desired portal layout. To create a New Portal Layout: 1. Select VPN > SSL VPN from the main/submenu, and then select the Portal Layouts tab. The Portal Layouts screen displays. Figure 7-1 2. Click Add. The Add Portal Layout screen is displayed. 7-4 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 7-2 3. In the Portal Layout and Theme Name section of the menu, configure the following entries: a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name will be part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.com, and you created a portal layout named “sales”, then users will be able to access the sub-site at https://vpn.company.com/portal/sales. Only alphanumeric characters, hyphen (-), and underscore (_) are accepted for the Portal Layout Name. If you enter other types of characters or spaces, the layout name will be truncated before the first non-alphanumeric character. Note that unlike most other URLs, this name is case sensitive. b. In the Portal Site Title field, enter a title that will appear at the top of the user’s web browser window. c. To display a banner message to users before they log in to the portal, enter the banner title text in the Banner Title field. Also enter the banner message text in the Banner Message text area. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters. Select the Display banner message Virtual Private Networking Using SSL 7-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual on login page checkbox to show the banner title and banner message text on the Login screen as shown below Figure 7-3 As shown in the figure, the banner title text is displayed in the orange header bar. The banner message text is displayed in the grey header bar. d. Check the Enable HTTP meta tags for cache control checkbox to apply HTTP meta tag cache control directives to this Portal Layout. Cache control directives include: <meta http-equiv=”pragma” content=”no-cache”> <meta http-equiv=”cache-control” content=”no-cache”> <meta http-equiv=”cache-control” content=”must-revalidate”> These directives help prevent clients browsers from caching SSL VPN portal pages and other web content. Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user’s web browser cache. e. Check the “ActiveX web cache cleaner checkbox to load an ActiveX cache control when users log in to the SSL VPN portal. The web cache cleaner will prompt the user to delete all temporary Internet files, cookies and browser history when the user logs out or closes the web browser window. The ActiveX web cache control will be ignored by web browsers that don't support ActiveX. 7-6 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. In the SSL VPN Portal Pages to Display section, check the checkboxes for the portal pages you wish users to access. Any pages that are not selected will not be visible from the portal navigation menu. Your choices are: • VPN Tunnel. Provides full network connectivity. • Port Forwarding. Provides access to specific defined network services. 5. Click Apply to confirm your settings. The “Operation succeeded” message appears at the top of the tab. Your new layout appears in the List of Layouts table. Configuring Domains, Groups, and Users Remote users connecting to the SSL firewall must be authenticated before being allowed to access the network. The login window presented to the user requires three items: a User Name, a Password, and a Domain selection. The Domain determines the authentication method to be used and the portal layout that will be presented. You must create name and password accounts for your SSL VPN users. When you create a user account, you must specify a group. Groups are used to simplify the application of access policies. When you create a group, you must specify a domain. Therefore, you should create any needed domains first, then groups, then user accounts. To configure Domains, Groups, and Users, see “Adding Authentication Domains, Groups, and Users” on page 8-1. Configuring Applications for Port Forwarding Port Forwarding provides access to specific defined network services. To define these services, you must specify the internal addresses and TCP applications (port numbers) that will be intercepted by the Port Forwarding client on the user’s PC. The client will reroute this traffic to the firewall. Adding Servers To configure Port Forwarding, you must define the internal host machines (servers) and TCP applications available to remote users. To add servers, follow these steps: Virtual Private Networking Using SSL 7-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Select VPN > SSL VPN from the main/submenu, and then select the Port Forwarding tab. The Port Forwarding screen display. Figure 7-4 2. In the Add New Application for Port Forwarding section, enter the IP address of an internal server or host computer. 3. In the TCP Port field, enter the TCP port number of the application to be tunneled. The table below lists many commonly used TCP applications and port numbers. Table 7-1. Port Forwarding Applications/TCP Port Numbers TCP Application Port Number FTP Data (usually not needed) 20 FTP Control Protocol 21 SSH 22a Telnet 23a SMTP (send mail) 25 HTTP (web) 80 POP3 (receive mail) 110 NTP (network time protocol) 123 Citrix 1494 Terminal Services 3389 VNC (virtual network computing) 5900 or 5800 a. Users can specify the port number together with the host name or IP address. 7-8 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 4. Click Add. The “Operation succeeded” message appears at the top of the tab, and the new application entry is listed in the List of Configured Applications. 5. Repeat this process to add other applications for use in Port Forwarding. Adding A New Host Name Once the server IP address and port information has been configured, remote users will be able to access the private network servers using Port Forwarding. As a convenience for users, you can also specify host name to IP address resolution for the network servers. Host Name Resolution allows users to access TCP applications at familiar addresses such as mail.example.com or ftp.example.com rather than by IP addresses. To add a host name for client name resolution, follow these steps: 1. Select the Port Forwarding tab, shown in Figure 7-4. 2. If the server you want to name does not appear in the List of Configured Applications for Port Forwarding, you must add it before you can rename it. 3. In the Add New Host Name for Port Forwarding section, enter the IP address of the server you want to name. 4. In the Fully Qualified Domain Name field, enter the full server name. 5. Click Add. The “Operation succeeded” message appears at the top of the tab, and the new entry is listed in the List of Configured Host Names. Remote users can now securely access network applications once they have logged into the SSL VPN portal and launched Port Forwarding. Configuring the SSL VPN Client The SSL VPN Client within the SRXN3205 will assign IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the corporate subnet to the remote VPN tunnel clients. Some additional considerations are: Virtual Private Networking Using SSL 7-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • So that the virtual (PPP) interface address of a VPN tunnel client does not conflict with addresses on the corporate network, configure an IP address range that does not directly overlap with addresses on your local network. For example, if 192.168.1.1 through 192.168.1.100 are currently assigned to devices on your local network, then start the client address range at 192.168.1.101 or choose an entirely different subnet altogether. • The VPN tunnel client cannot contact a server on the corporate network if the VPN tunnel client’s Ethernet interface shares the same IP address as the server or the firewall (for example, if your laptop has a network interface IP address of 10.0.0.45, then you won’t be able to contact a server on the remote network that also has the IP address 10.0.0.45). • If you assign an entirely different subnet to the VPN tunnel clients than the subnet used by the corporate network, you must • – Add a client route to configure the VPN tunnel client to connect to the corporate network using the VPN tunnel. – Create a static route on the corporate network’s firewall to forward local traffic intended for the VPN tunnel clients to the firewall. Select whether you want to enable full tunnel or split tunnel support based on your bandwidth: – Full tunnel. Sends all of the client’s traffic across the VPN tunnel. – Split tunnel. Sends only traffic destined for the corporate network based on the specified client routes. All other traffic is sent to the Internet. Split tunnel allows you to manage your company bandwidth by reserving the VPN tunnel for corporate traffic only. 7-10 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Configuring the Client IP Address Range Determine the address range to be assigned to VPN tunnel clients, then define the address range. To configure the client IP address range: 1. Select VPN > SSL VPN from the main/submenu, and then select the SSL VPN Client tab. The SSL VPN Client screen displays. Figure 7-5 2. Select Enable Full Tunnel Support unless you want split tunneling. Note: In split tunneling, appropriate client routes must be added to allow traffic to be directed through the VPN tunnel. In full tunneling, all traffic is forwarded through the tunnel, including Internet traffic; client routes are not required. 3. (Optional) Enter a DNS Suffix to be appended to incomplete DNS search strings. 4. Enter Primary and Secondary DNS Server IP addresses to be assigned to the VPN tunnel clients. 5. In the Client Address Range Begin field, enter the first IP address of the IP address range. 6. In the Client Address Range End field, enter the last IP address of the IP address range. 7. Click Apply. The “Operation succeeded” message appears at the top of the tab. VPN tunnel clients are now able to connect to the firewall and receive a virtual IP address in the client address range. Virtual Private Networking Using SSL 7-11 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Adding Routes for VPN Tunnel Clients The VPN Tunnel Clients assume that the following networks are located across the VPN over the SSL tunnel: Note: VPN client routs need to be added in split tunnel mode only. • The subnet containing the client IP address (PPP interface), as determined by the class of the address (Class A, B, or C). • Subnets specified in the Configured Client Routes table. If the assigned client IP address range is in a different subnet than the corporate network, or the corporate network has multiple subnets, you must define Client Routes. To add an SSL VPN Tunnel client route, follow these steps: 1. Access the SSL VPN Client tab shown in Figure 7-5. 2. In the Add Routes section, enter the Destination Network IP address of a local area network or subnet. For example, enter 192.168.0.0. 3. Enter the appropriate Subnet Mask. 4. Click Add. The “Operation succeeded” message appears at the top of the tab and the new client route is listed in the Configured Client Routes table. Restart the firewall if VPN tunnel clients are currently connected. Restarting forces clients to reconnect and receive new addresses and routes. Replacing and Deleting Client Routes If the specifications of an existing route need to be changed, follow these steps: 1. Make a new entry with the correct specifications. 2. In the Configured Client Routes table, click the Delete button in the actions column. 3. If an existing route is no longer needed for any reason, you can delete it. 7-12 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Using Network Resource Objects to Simplify Policies Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. You will not need to redefine the same set of IP addresses or address ranges when configuring the same access policies for multiple users. Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, we recommend that you use network resources. If your server or network configuration changes, by using network resources you can perform an update quickly instead of individually updating all of the user and group policies. Adding New Network Resources To define a network resource: 1. Select VPN > SSL VPN from the main/submenu, and then select the Resources tab. The Resources screen displays. Figure 7-6 2. In the Add New Resource section, type the (qualified) resource name in the Resource Name field. 3. In the Service pull-down menu, select the type of service to apply to the resource: either VPN Tunnel or Port Forwarding. 4. Click Add. The “Operation succeeded” message appears at the top of the tab, and the newly-added resource name appears on the List of Resources table. Virtual Private Networking Using SSL 7-13 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 5. Adjacent to the new resource, click the Edit button. The Add Resource Addresses screen displays. Figure 7-7 6. From the Object Type pull-down menu, select either IP Address or IP Network: • If you selected IP Address, enter an IP address or fully qualified domain name in the IP Address/Name field. • If you selected IP Network, enter the IP network address in the Network Address field. Enter the mask length in the Mask Length (0-31) field. 7. Enter the Port Range or Port Number for the IP Address or IP Network you selected. 8. Click Apply to add the IP address or IP network to the resource. The new configuration appears in the Defined Resource Addresses table, as shown in Figure 7-7. Configuring User, Group, and Global Policies An administrator can define and apply user, group and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The firewall policy hierarchy is defined as: 1. User Policies take precedence over all Group Policies. 2. Group Policies take precedence over all Global Policies. 3. If two or more user, group, or global policies are configured, the most specific policy takes precedence. 7-14 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual For example, a policy configured for a single IP address takes precedence over a policy configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Hostnames are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, let’s assume the following global policy configuration: • Policy 1: A Deny rule has been configured to block all services to the IP address range 10.0.0.0 – 10.0.0.255. • Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 – 10.0.1.10. • Policy 3: A Permit rule has been configured to allow FTP access to the predefined network resource, FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5 – 10.0.0.20 and ftp.company.com, which resolves to 10.0.1.3. Assuming that no conflicting user or group policies have been configured, if a user attempted to access: • An FTP server at 10.0.0.1, the user would be blocked by Policy 1. • An FTP server at 10.0.1.5, the user would be blocked by Policy 2. • An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5 - 10.0.0.20 is more specific than the IP address range defined in Policy 1. • An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2. Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The firewall policy engine does not perform reverse DNS lookups. Viewing Policies To view the existing policies, follow these steps: Virtual Private Networking Using SSL 7-15 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Select VPN > SSL VPN from the main/submenu, and then select the Policies tab. The Policies screen will display. Figure 7-8 2. Make your selection from the following Query options: • Click Global to view all global policies. • Click Group to view group policies, and choose the relevant group’s name from the pulldown menu. • Click User to view group policies, and choose the relevant user’s name from the pulldown menu. 3. Click the Display button. The List of SSL VPN Policies will display the list for your selected Query option. Change Query selection and click display again for each of the three queries. Adding a Policy To add a policy, follow these steps: 1. Select VPN > SSL VPN from the main/submenu, and select the Policies tab. The Policies screen displays. Figure 7-9 2. Make your selection from the following Query options: 7-16 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Click Global if this new policy is to exclude all users and groups. • Click Group if this new policy is to be limited to a selected group. Open the pull-down menu and choose the relevant group’s name. • Click User if this new policy is to be limited to a selected user. Open the pull-down menu and choose the individual user’s name. Note: You should have already created the needed groups or users as described in “Adding Authentication Domains, Groups, and Users” on page 8-1. 3. Click Add. The Add Policies screen appears. 4. In the Add SSL VPN Policies section, review the Apply Policy To options and click one. Depending upon your selection, specific options to the right are activated or inactivated as noted in the following: • If you choose Network Resource, you’ll need to enter a descriptive Policy Name, then choose a Defined Resource and relevant Permission (PERMIT or DENY) from the pulldown menus. Figure 7-10 If a needed network resource has not been defined, you can add it before proceeding with this new policy. See “Adding New Network Resources ” on page 7-13. • If you choose IP Address, you’ll need to enter a descriptive Policy Name, the specific IP Address, then choose the Service and relevant Permission from the pull-down menus. Virtual Private Networking Using SSL 7-17 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 7-11 • If you choose IP Network, you’ll need to enter a descriptive Policy Name, IP Address, Subnet Mask, then choose the Service and relevant Permission from the pull-down menus. Figure 7-12 • If you choose All Addresses, you’ll need to enter a descriptive Policy Name, then choose the Service and relevant Permission from the pull-down menus. Figure 7-13 5. When you are finished making your selections, click Apply. The Policies screen reappears. Your policy goes into effect immediately and is added to the policies in the List of SSL VPN Policies table on this screen. Note: In addition to configuring SSL VPN user policies, be sure that HTTPS remote management is enabled. Otherwise, all SSL VPN user connections will be disabled. See “Enabling Remote Management Access” on page 9-10. 7-18 Virtual Private Networking Using SSL v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 8 Managing Users, Authentication, and Certificates This chapter contains the following sections: • “Adding Authentication Domains, Groups, and Users” • “Managing Certificates” Adding Authentication Domains, Groups, and Users You must create name and password accounts for all users who will connect to the firewall. This includes administrators and SSL VPN clients. Accounts for IPsec VPN clients are only needed if you have enabled Extended Authentication (XAUTH) in your IPsec VPN configuration. Users connecting to the firewall must be authenticated before being allowed to access the firewall or the VPN-protected network. The login window presented to the user requires three items: a User Name, a Password, and a Domain selection. The Domain determines the authentication method to be used and, for SSL VPN connections, the portal layout that will be presented. Note: IPsec VPN users will always belong to the default domain (geardomain) and are not assigned to groups. Except in the case of IPsec VPN users, when you create a user account, you must specify a group. When you create a group, you must specify a domain. Therefore, you should create any needed domains first, then groups, then user accounts. Creating a Domain The domain determines the authentication method to be used for associated users. For SSL VPN connections, the domain also determines the portal layout that will be presented, which in turn determines the network resources to which the associated users will have access. To create a domain: 1. Select Users > Domains from the main/sub-menu. The Domains screen displays. Managing Users, Authentication, and Certificates v1.0, October 2008 8-1 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 8-1 2. Click Add. The Add Domain screen displays. Figure 8-2 3. Configure the following fields: a. Enter a descriptive name for the domain in the Domain Name field. b. Select the Authentication Type. The required fields are activated in varying combinations according to your selection of Authentication Type: 8-2 Authentication Type Required Authentication Information Fields Local User Database None Radius-PAP Authentication Server, Authentication Secret Radius-CHAP Authentication Server, Authentication Secret Radius-MSCHAP Authentication Server, Authentication Secret Radius-MSCHAPv2 Authentication Server, Authentication Secret NT Domain Authentication Server, Workgroup Managing Users, Authentication, and Certificates v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Authentication Type Required Authentication Information Fields Active Directory Authentication Server, Active Directory Domain LDAP Authentication Server, LDAP Base DN c. Select a portal to which this domain will be associated. 4. Click Apply to save and apply your entries. The Domain screen will display a new domain row. Creating a Group The use of groups simplifies the configuration of VPN policies when different sets of users will have different restrictions and access controls. Note: Groups that are defined in the User menu are used for setting SSL VPN policies. These groups should not be confused with LAN Groups that are defined in the Network | LAN Setup | LAN Groups tab, which are used to simplify firewall policies. To create a group: 1. Select Users > Groups from the main/submenu and the Groups screen displays. Figure 8-3 2. Configure the new group settings in the Add New Group section of the menu: a. Name. Enter a descriptive name for the group. b. Domain. Select the appropriate domain (only for Administrator or SSL VPN User). c. Timeout. For an Administrator, this is the period at which an idle user will be automatically logged out of the Web Configuration Manager Managing Users, Authentication, and Certificates v1.0, October 2008 8-3 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 3. Click Add. The new group appears in the List of Groups, ready for use in user account setup. Creating a New User Account To add individual user accounts: 1. Select Users > Users from the main/submenu and the Users screen displays. . Figure 8-4 2. Click Add and the Add User tab screen displays. Figure 8-5 3. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b. User Type. Select either Administrator, SSL VPN User, or IPsec VPN User. c. Select Group. Select from a list of configured groups. The user will be associated with the domain that is associated with that group. d. Password/Confirm Password. The password can contain alphanumeric characters, dash, and underscore. 8-4 Managing Users, Authentication, and Certificates v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual e. Idle Timeout. For an Administrator, this is the period at which an idle user will be automatically logged out of the Web Configuration Manager. 4. Click Apply to save and apply your entries. The new user appears in the List of Users. Setting User Login Policies You can restrict the ability of defined users to log into the Web Configuration Manager. You can also require or prohibit logging in from certain IP addresses or using particular browsers. To configure user login policies: 1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen displays: Figure 8-6 2. To prohibit this user from logging in to the firewall, select the Disable Login checkbox. 3. To prohibit this user from logging in from the WAN interface, select the Deny Login from WAN Interface checkbox. In this case, the user can log in only from the LAN interface. Note: For security reasons, Deny Login from WAN Interface is checked by default for admin and guest. 4. Click Apply to save your settings. Managing Users, Authentication, and Certificates v1.0, October 2008 8-5 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual To restrict logging in based on IP address: 1. Select the by Source IP Address tab and the by Source IP Address screen displays. Figure 8-7 2. In the Defined Addresses Status section, select: • the Deny Login from Defined Addresses to deny logging in from the IP addresses that you will specify • the Allow Login only from Defined Addresses to allow logging in from the IP addresses that you will specify. 3. Click Apply. 4. To specify a single IP address, select IP Address from the Source Address Type pull-down menu and enter the IP address in the Network Address/IP address field. 5. To specify a subnet of IP addresses, select IP Network from the Source Address Type pulldown menu. Enter the network address and netmask length in the Network Address/IP address field. 6. Click Add to move the defined address to the Defined Addresses table. 7. Repeat these steps to add additional addresses or subnets. 8-6 Managing Users, Authentication, and Certificates v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual To restrict logging in based on the user’s browser: 1. Select the by Client Browser tab. The by Client Browser screen will display. Figure 8-8 2. In the Defined Browsers Status section, select: • the Deny Login from Defined Browsers to deny logging in from browsers that you will specify. • the Allow Login only from Defined Browsers to allow logging in from browsers that you will specify. 3. From the Add Defined Browser selection, select a browser from the Client Browser pulldown menu and click Add to move the defined browser to the Defined Browsers table. 4. Repeat these steps to add additional browsers, then click Apply to save your changes. Managing Users, Authentication, and Certificates v1.0, October 2008 8-7 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Managing Certificates The firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A certificate that authenticates a server, for example, is a file that contains: • A public encryption key to be used by clients for encrypting messages to the server. • Information identifying the operator of the server. • A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified absolutely. You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as Verisign or Thawte, or you can generate and sign your own certificate. Because a commercial CA takes steps to verify the identity of an applicant, a certificate from a commercial CA provides a strong assurance of the server’s identity. A self-signed certificate will trigger a warning from most browsers as it provides no protection against identity theft of the server. Your firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior to deploying the firewall in your network. From the VPN > Certificates main menu/submenu, you can view the currently loaded certificates, upload a new certificate and generate a Certificate Signing Request (CSR). Your firewall will typically hold two types of certificates: • CA certificate. Each CA issues its own CA identity certificate in order to validate communication with the CA and to verify the validity of certificates signed by the CA. • Self certificate. The certificate issued to you by a CA identifying your device. Viewing and Loading CA Certificates The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data: • CA Identity (Subject Name). The organization or person to whom the certificate is issued. • Issuer Name. The name of the CA that issued the certificate. • Expiry Time. The date after which the certificate becomes invalid. 8-8 Managing Users, Authentication, and Certificates v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual To view the VPN Certificates: Select VPN > Certificates from the main/sub-menu and the Certificates screen displays. The top section of the Certificates screen displays the Trusted Certificates (CA Certificates). Figure 8-9 When you obtain a self certificate from a CA, you will also receive the CA certificate. In addition, many CAs make their certificates available on their websites. To load a CA certificate into your firewall: 1. Store the CA certificate file on your computer. 2. Under Upload Trusted Certificates in the Certificates menu, click Browse and locate the CA certificate file. 3. Click Upload. The CA Certificate will appear in the Trusted Certificates (CA Certificates) table. Viewing Active Self Certificates The Active Self Certificates table in the Certificates screen shows the certificates issued to you by a CA and available for use. Figure 8-10 For each self certificate, the following data is listed: • Name. The name you used to identify this certificate. • Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all of your certificates should have the same value in the Subject field. Managing Users, Authentication, and Certificates v1.0, October 2008 8-9 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Serial Number. This is a serial number maintained by the CA. It is used to identify the certificate with in the CA. • Issuer Name. The name of the CA that issued the certificate. • Expiry Time. The date on which the certificate expires. You should renew the certificate before it expires. Obtaining a Self Certificate from a Certificate Authority To use a self certificate, you must first request the certificate from the CA, then download and activate the certificate on your system. To request a self certificate from a CA, you must generate a Certificate Signing Request (CSR) for your firewall. The CSR is a file containing information about your company and about the device that will hold the certificate. Refer to the CA for guidelines on the information you include in your CSR. To generate a new Certificate Signing Request (CSR) file: 1. Locate the Generate Self Certificate Request section of the Certificates screen. 2. Configure the following fields: • Name – Enter a descriptive name that will identify this certificate. • Subject – This is the name which other organizations will see as the holder (owner) of the certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. (Using the same name, or a derivation of the name, in the Title field would be useful.) • From the pull-down menus, choose the following values: 8-10 – Hash Algorithm: MD5 or SHA2. – Signature Algorithm: RSA. – Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also decrease performance.) Managing Users, Authentication, and Certificates v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 8-11 3. Complete the Optional fields, if desired, with the following information: • IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank. • Domain Name – If you have an Internet domain name, you can enter it here. Otherwise, you should leave this field blank. • E-mail Address – Enter the e-mail address of a technical contact in your organization. 4. Click Generate. A new certificate request is created and added to the Self Certificate Requests table. Figure 8-12 Managing Users, Authentication, and Certificates v1.0, October 2008 8-11 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 5. In the Self Certificate Requests table, click View under the Action column to view the request. Figure 8-13 6. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from “----BEGIN CERTIFICATE REQUEST---” to “---END CERTIFICATE REQUEST---”. 7. Submit your certificate request to a CA: a. Connect to the website of the CA. b. Start the Self Certificate request procedure. c. When prompted for the requested data, copy the data from your saved text file (including “----BEGIN CERTIFICATE REQUEST---” and “---END CERTIFICATE REQUEST”). d. Submit the CA form. If no problems occur, the certificate will be issued. 8. Store the certificate file from the CA on your computer and backup the certificate file from the CA in another location. 9. Return to the Certificates screen and locate the Self Certificate Requests section. Figure 8-14 8-12 Managing Users, Authentication, and Certificates v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 10. Select the checkbox next to the certificate request, then click Browse and locate the certificate file on your PC. 11. Click Upload. The certificate file will be uploaded to this device and will appear in the Active Self Certificates list. If you have not already uploaded the CA certificate, do so now, as described in “The top section of the Certificates screen displays the Trusted Certificates (CA Certificates).” on page 8-9. You should also periodically check your CA’s Certificate Revocation List, as described in “Managing your Certificate Revocation List (CRL)” on page 8-13. Managing your Certificate Revocation List (CRL) A CRL file shows certificates that have been revoked and are no longer valid. Each CA issues their own CRLs. It is important that you keep your CRLs up-to-date. You should obtain the CRL for each CA regularly. In the Certificates menu, you can view your currently-loaded CRLs and upload a new CRL. To view and upload CRLs: 1. Select VPN > Certificates from the main/submenu. The Certificates menu will display showing the Certificate Revocation Lists (CRL) table at the bottom of the screen. Figure 8-15 The CRL table lists your active CAs and their critical release dates: • CA Identify – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. • Next Update – The date when the next CRL will be released. 2. Click Browse and locate the CRL file you previously downloaded from a CA. 3. Click Upload. The CRL file will be uploaded and the CA Identity will appear in the Certificate Revocation Lists (CRL) table. If you had a previous CA Identity from the same CA, it will be deleted. Managing Users, Authentication, and Certificates v1.0, October 2008 8-13 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 8-14 Managing Users, Authentication, and Certificates v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 9 Firewall and Network Management This chapter describes how to use the network management features of your ProSafe Wireless-N VPN Firewall. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The ProSafe Wireless-N VPN Firewall offers many tools for managing the network traffic to optimize its performance. You can also control administrator access, be alerted to important events requiring prompt action, monitor the firewall status, perform diagnostics, and manage the firewall configuration file. This chapter contains the following sections: • “Performance Management” • “Changing Passwords and Administrator Settings” • “Enabling Remote Management Access” • “Using an SNMP Manager” • “Settings Backup and Firmware Upgrade” • “Configuring Time Zone Settings” Performance Management Performance management consists of controlling the traffic through the firewall so that the necessary traffic gets through when there is a bottleneck and either reducing unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks from occurring in the first place. The firewall has the necessary features and tools to help the network manager accomplish these goals. Bandwidth Capacity The maximum bandwidth capacity of the firewall in each direction is as follows: • LAN side: 5000 Mbps (five LAN ports at 1000 Mbps each) Firewall and Network Management 9-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • WAN side: 1000 Mbps (one WAN port at 1000 Mbps) In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet. As a result and depending on the traffic being carried, the WAN side of the firewall will be the limiting factor to throughput for most installations. Features that Reduce Traffic Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows: • Service blocking • Block sites • Source MAC filtering Service Blocking You can control specific outbound traffic (from LAN to WAN). Outbound Services lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic. Warning: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems. Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always • BLOCK by schedule, otherwise Allow • ALLOW always • ALLOW by schedule, otherwise Block As you define your firewall rules, you can further refine the application according to the following criteria: • LAN Users. These settings determine which computers on your network are affected by this rule. Select the desired options: – Any. All PCs and devices on your LAN. – Single address. The rule will be applied to the address of a particular PC. – Address range. The rule is applied to a range of addresses. 9-2 Firewall and Network Management v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual – • Groups. The rule is applied to a Group (see “Managing Groups and Hosts (LAN Groups)” on page 3-4 to assign PCs to a Group using the LAN Groups Database). WAN Users. These settings determine which Internet locations are covered by the rule, based on the IP address. – Any. The rule applies to all Internet IP address. – Single address. The rule applies to a single Internet IP address. – Address range. The rule is applied to a range of Internet IP addresses. • Services. You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules” on page 5-2 and “Adding Customized Services” on page 515). • Schedule. You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see “Setting Schedules to Block or Allow Traffic” on page 5-17). See “Using Rules & Services to Block or Allow Traffic” on page 5-2 for the procedure on how to use this feature. Services The Rules menu contains a list of predefined Services for creating firewall rules. If a service does not appear in the predefined Services list, you can define the service. The new service will then appear in the Rules menu's Services list. See “Services-Based Rules” on page 5-2 for the procedure on how to use this feature. Groups and Hosts You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic. The LAN Groups Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: • DHCP Client Request. By default, the DHCP server in this firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the LAN Groups Database. Because of this, leaving the DHCP server feature (on the LAN screen) enabled is strongly recommended. • Scanning the Network. The local network is scanned using ARP. requests. The ARP scan will detect active devices that are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined, and will appear in the database as Unknown. • Manual Entry. You can manually enter information about a device. Firewall and Network Management 9-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual See “Managing Groups and Hosts (LAN Groups)” on page 3-4 for the procedure on how to use this feature. Schedule If you have set firewall rules on the Rules screen, you can configure three different schedules (for example, schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule. You specify the days of the week and time of day for each schedule. See “Setting Schedules to Block or Allow Traffic” on page 5-17 for the procedure on how to use this feature. Block Sites If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s filtering feature. By default, this feature is disabled; all requested traffic from any Web site is allowed. • Keyword (and Domain Name) Blocking. You can specify up to 32 words that, should they appear in the Web site name (i.e., URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall. You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled. You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs even in the groups for which keyword blocking has been enabled will still be allowed without any blocking. • Web Component blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Sites on the Trusted Domains list are still subject to Web component blocking when the blocking of a particular Web component has been enabled. See “Setting Block Sites (Content Filtering)” on page 5-18 for the procedure on how to use this feature. Source MAC Filtering If you want to reduce outgoing traffic to prevent Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. By default, this feature is disabled; all traffic received from PCs with any MAC address is allowed. 9-4 Firewall and Network Management v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual See “Enabling Source MAC Filtering (Address Filter)” on page 5-20 for the procedure on how to use this feature. Features that Increase Traffic Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • Exposed hosts • VPN tunnels Port Forwarding The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you can not use it (i.e., the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic. Warning: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems. You can control specific inbound traffic (from WAN to LAN). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic. Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always • ALLOW always • BLOCK by schedule, otherwise allow • ALLOW by schedule, otherwise block You can also enable a check on special rules: • VPN Passthrough. Passes the VPN traffic without any filtering, specially used when this firewall is between two VPN tunnel end points. • Drop fragmented IP packets. Drops any fragmented IP packets. • UDP Flooding. Limits the number of UDP sessions created from one LAN machine. • TCP Flooding. Protects the firewall from SYN flood attack. Firewall and Network Management 9-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Enable DNS Proxy. Allows the firewall to handle DNS queries from the LAN. • Enable Stealth Mode. Prevents the firewall from responding to incoming requests for unsupported services. As you define your firewall rules, you can further refine the application according to the following criteria: • LAN Users. These settings determine which computers on your network are affected by this rule. Select the desired IP Address in this field. • WAN Users. These settings determine which Internet locations are covered by the rule, based on the IP address. – Any: The rule applies to all Internet IP address. – Single address: The rule applies to a single Internet IP address. – Address range: The rule is applied to a range of Internet IP addresses. • Destination Address. These settings determine the destination IP address for this rule which will be applicable to incoming traffic. This rule will be applied only when the destination IP address of the incoming packet matches the IP address of the WAN interface. Selecting ANY enables the rule for any LAN IP destination. • Services. You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 5-15). • Schedule. You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see “Setting Schedules to Block or Allow Traffic” on page 5-17). See “Using Rules & Services to Block or Allow Traffic” on page 5-2 for the procedure on how to use this feature. Port Triggering Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application. Once configured, port triggering operates as follows: • A PC makes an outgoing connection using a port number defined in the Port Triggering table. • This firewall records this connection, opens the additional INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC. 9-6 Firewall and Network Management v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • The remote system receives the PCs request and responds using the different port numbers that you have now opened. • This firewall matches the response to the previous request and forwards the response to the PC. Without port triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules. – Only one PC can use a port triggering application at any time. – After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated. See “Enabling Port Triggering” on page 5-23 for the procedure on how to use this feature. VPN Tunnels The VPN firewall permits up to 5 IPsec VPN tunnels and 3 SSL VPN tunnels not to exceed 8 total tunnels at a time. Each tunnel requires extensive processing for encryption and authentication. See Chapter 6, “Virtual Private Networking Using IPsec” for the procedures on how to use IPsec VPN, and Chapter 7, “Virtual Private Networking Using SSL for the procedures on how to use SSL VPN. Using QoS to Shift the Traffic Mix The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall. The QoS is set individually for each service. • You can accept the default priority defined by the service itself by not changing its QoS setting. • You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have. The QoS priority settings conform to the IEEE 802.1D-1998 (formerly 802.1p) standard for class of service tag. You will not change the WAN bandwidth used by changing any QoS priority settings. But you will change the mix of traffic through the WAN port by granting some services a higher priority than others. The quality of a service is impacted by its QoS setting, however. See “Setting Quality of Service (QoS) Priorities” on page 5-16 for the procedure on how to use this feature. Firewall and Network Management 9-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Tools for Traffic Management The ProSafe Wireless-N VPN Firewall includes several tools that can be used to monitor the traffic conditions of the firewall and control who has access to the Internet and the types of traffic each individual is allowed to have. See “Monitoring System Performance” on page 11-1 for a discussion of the tools. Changing Passwords and Administrator Settings The default administrator and guest password for the Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. You can also configure a separate password for the guest account. To modify the Administrator user account settings, including password: 1. Select Users > Users from the main/submenu and the List of Users screen displays. Figure 9-1OK 2. Select the checkbox adjacent to admin in the Name column, then click Edit in the Action column. 9-8 Firewall and Network Management v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The Edit User screen is displayed, with the current settings for Administrator displayed in the Select User Type pull-down menu. Figure 9-2 3. Select the Check to Edit Password checkbox. The password fields become active. 4. Enter the old password, then enter the new password twice. 5. (Optional) To change the idle timeout for an administrator login session, enter a new number of minutes in the Idle Timeout field. 6. Click Apply to save your settings or Reset to return to your previous settings. Note: If the administrator login timeout value is too large, you may have to wait a long time before you are able to log back into the firewall if your previous login was disrupted (for example, if you did not click Logout on the Main Menu bar to log out). Note: After a factory default reset, the password and timeout value will be changed back to password and 5 minutes, respectively. Firewall and Network Management 9-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Enabling Remote Management Access Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your firewall. You must be logged in locally to enable remote management. Note: Be sure to change the default configuration password of the firewall to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters. See “Changing Passwords and Administrator Settings” on page 9-8 for the procedure on how to do this. To configure your firewall for Remote Management: 1. Select Administration > Remote Management from the main/submenu. The Remote Management screen displays. . Figure 9-3 2. Click the Yes radio box to enable HTTPS remote management (enabled by default). Note: For enhanced security, restrict access to as few external IP addresses as practical. See “Setting User Login Policies” on page 8-5 for instructions on restricting administrator access. Be sure to use strong passwords. 3. Click Apply to have your changes take effect. When accessing your firewall from the Internet, the Secure Sockets Layer (SSL) will be enabled. You will enter https:// (not http://) and type your firewall’s WAN IP address into your browser. For example, if your WAN IP address is 172.16.0.123, type the following in your browser: https://172.16.0.123 9-10 Firewall and Network Management v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The firewall’s remote login URL is https://<IP_address> or https://<FullyQualifiedDomainName>.. Note: To maintain security, the SRXN3205 will reject a login that uses http://address rather than the SSL https://address. Note: The first time you remotely connect to the SRXN3205 with a browser via SSL, you may get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate. Note: If you are unable to remotely connect to the SRXN3205 after enabling HTTPS remote management, check whether other user policies, such as the default user policy, are preventing access. Note: If you disable HTTPS remote management, all SSL VPN user connections will also be disabled. Tip: If you are using a dynamic DNS service such as TZO, you can identify the WAN IP address of your SRXN3205 by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert SRXN3205.mynetgear.net, and the WAN IP address that your ISP assigned to the SRXN3205 is displayed. Using an SNMP Manager Simple Network Management Protocol (SNMP) lets you monitor and manage your firewall from an SNMP Manager. It provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. The SNMP Configuration table lists the SNMP configurations by: • IP Address. The IP address of the SNMP manager. • Port. The trap port of the configuration. Firewall and Network Management 9-11 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Community. The trap community string of the configuration. To create a new SNMP configuration entry: 1. Select Administration > SNMP from the main/submenu and the SNMP screen displays. . Figure 9-4 2. Configure the following fields in the Create New SNMP Configuration Entry section: • Enter the IP Address of the SNMP manager in the IP Address field and the Subnet Mask in the Subnet Mask field. – If you want to allow only the host address to access the VPN firewall and receive traps, enter an IP Address of, for example, 192.168.1.101 with a Subnet Mask of 255.255.255.255. – If you want to allow a subnet access to the VPN firewall through SNMP, enter an IP address of, for example,192.168.1.101 with a Subnet Mask of 255.255.255.0. The traps will still be received on 192.168.1.101, but the entire subnet will have access through the community string. – If you want to make the VPN firewall globally accessible using the community string, but still receive traps on the host, enter 0.0.0.0 as the Subnet Mask and an IP Address for where the traps will be received. • Enter the trap port number of the configuration in the Port field. The default is 162. • Enter the trap community string of the configuration in the Community field. 3. Click Add to create the new configuration. The entry is displayed in the SNMP Configuration table. The SNMP System Info link, located in the upper right of the screen, opens the SNMP SysConfiguration screen. This screen displays the VPN firewall identification information available to the SNMP manager: System Contact, System Location, and System name. You can edit these values. 9-12 Firewall and Network Management v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Settings Backup and Firmware Upgrade Once you have installed the VPN firewall and have it working properly, you should back up a copy of your settings, in case something gets corrupted. When you backup the settings, these are saved as a file on your computer. You can then restore the VPN firewall settings from this file. The Settings Backup and Firmware Upgrade screen allows you to: • Back up and save a copy of your current settings • Restore saved settings from the backed-up file. • Revert to the factory default settings. • Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version. Backup and Restore Settings To backup settings: 1. Select Administration > Settings Backup and Firmware Upgrade from the main/submenu. The Settings Backup and Firmware Upgrade screen displays. Figure 9-5 2. Click Backup to save a copy of your current settings. • If your browser isn’t set up to save downloaded files automatically, locate where you want to save the file, specify file name, and click Save. Firewall and Network Management 9-13 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • If you have your browser set up to save downloaded files automatically, the file will be saved to your browser’s download location on the hard disk. Warning: Once you start restoring settings or erasing the firewall, do NOT interrupt the process. Do not try to go online, turn off the firewall, shut down the computer or do anything else to the firewall until it finishes restarting! To restore settings from a backup file: 1. Next to Restore save settings from file, click the Browse button. 2. Locate and select the previously saved backup file (by default, netgear.cfg). 3. When you have located the file, click the Restore button. An Alert page will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect. To reset the firewall to the original factory default settings, click the Default button. You must manually restart the VPN firewall before the default settings to take effect. After rebooting, the firewall’s password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN, to the wireless clients, and act as a DHCP client to the Internet. Warning: When you click default, your firewall settings will be erased. All firewall rules, VPN policies, LAN/WAN settings and other settings will be lost. Please backup your settings or all your settings will be lost! Router Upgrade You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade menu. To view the current version of the firmware that your VPN firewall is running, choose Monitoring from the main menu. The Router Status screen is displayed, showing all of the VPN firewall router statistics, including the firmware version. When you upgrade your firmware, the new firmware version will be displayed. To download a firmware version: 1. Go to the NETGEAR Web site at http://www.netgear.com/support and click Downloads. 2. From the Product Selection pull-down menu, choose the SRXN3205. Select the software version and follow the To Install steps to download your software. 9-14 Firewall and Network Management v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual After downloading an upgrade file, you may need to unzip (uncompress) it before upgrading the firewall. If release notes are included in the download, read them before continuing. To upgrade the router software: 1. Select Administration > Settings Backup and Firmware Upgrade from the main/submenu. 2. In the Router Upgrade section, click Browse. 3. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall. This may take some time. At the conclusion of the upgrade, your firewall will reboot. Warning: Do not try to go online, turn off the firewall, shutdown the computer or do anything else to the firewall until the firewall finishes the upgrade! When the Test light turns off, wait a few more seconds before doing anything. 4. After the VPN firewall has rebooted, click Monitoring and confirm the new firmware version to verify that your firewall now has the new software installed. Note: In some cases, such as a major upgrade, it may be necessary to erase the configuration and manually reconfigure your firewall after upgrading it. Refer to the release notes included with the software to find out if this is required. Configuring Time Zone Settings The Time Zone screen provides settings for Date, Time and NTP server designations. The Network Time Protocol (NTP) is used to synchronize computer clock times in a network of computers. To set Time, Date and NTP servers: 1. Select Administration > Time Zone from the main/submenu. The Time Zone screen displays. Firewall and Network Management 9-15 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 9-6 2. From the Date/Time pull-down menu, choose the Local Time Zone. This is required for scheduling work correctly. The VPN firewall includes a real-time clock (RTC), which it uses for scheduling. 3. If supported in your region, click Automatically Adjust for Daylight Savings Time. 4. Select an NTP Server option: • Use Default NTP Servers. The RTC is updated regularly by contacting a Netgear NTP server on the Internet. A primary and secondary (backup) server are preloaded. • Use Custom NTP Servers. If you prefer to use a particular NTP server, enter the name or IP address of the NTP Server in the Server 1 Name/IP Address field. You can enter the address of a backup NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the default Netgear NTP servers. Note: If you select the default NTP servers or if you enter a custom server FQDN, the firewall must determine the IP address of the NTP server by a DNS lookup. You must configure a DNS server address in the Network menu before the firewall can perform this lookup. 5. Click Apply to save your settings. 9-16 Firewall and Network Management v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 11 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Wireless-N VPN Firewall. You can be alerted to important events such as {{WAN port rollover}}, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN port, LAN ports, and VPN tunnels. This chapter contains the following sections: • “Enabling the Traffic Meter” • “Activating Notification of Events and Alerts” • “Viewing Firewall Logs” • “Viewing Router Configuration and System Status” • “Monitoring the WAN Port Status” • “Monitoring Attached Devices” • “Reviewing the DHCP Log” • “Monitoring Active Users” • “Viewing Port Triggering Status” • “Monitoring VPN Tunnel Connection Status” • “Reviewing the VPN Logs” Enabling the Traffic Meter If your ISP charges by traffic volume over a given period of time, or if you want to study traffic types over a period of time, you can activate the Traffic Meter for the WAN port. To monitor traffic limits on the WAN port: 1. Select Monitoring > Traffic Meter from the main/submenu, and then the WAN Traffic Meter tab. The WAN Traffic Meter screen will display. Monitoring System Performance 11-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 11-1 2. Enable the traffic meter by clicking the Yes radio box under Do you want to enable Traffic Metering on WAN? The traffic meter will record the volume of Internet traffic passing through the WAN. Select the following options: • No Limit. Any specified restrictions will not be applied when traffic limit is reached. • Download only. The specified restrictions will be applied to the incoming traffic only • Both Directions. The specified restrictions will be applied to both incoming and outgoing traffic only • Monthly Limit. Enter the monthly volume limit and select the desired behavior when the limit is reached. Note: Both incoming and outgoing traffic are included in the limit 11-2 Monitoring System Performance v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Increase this month limit by. Temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so that the increase is only applied once.) • This month limit. Displays the limit for the current month. 3. In the Traffic Counter section, make your traffic counter selections: • Restart Traffic Counter Now. Select this option and click Apply to restart the Traffic Counter immediately. • Restart Traffic Counter at Specific Time. Restart the Traffic Counter at a specific time and day of the month. Fill in the time fields and choose AM or PM and the day of the month from the pull-down menus. • Send e-mail report before restarting counter. An E-mail report will be sent immediately before restarting the counter. You must configure the E-mail screen in order for this function to work (see “E-Mail Notifications of Event Logs and Alerts” on page 5-27). 4. In the When limit is reached section, make the following choice: • Block all traffic. All access to and from the Internet will be blocked. • Block all traffic except E-mail. Only E-mail traffic will be allowed. All other traffic will be blocked. • Send E-mail alert. You must configure the E-mail screen in order for this function to work. Go to the Firewall Logs and & E-mail Tab to set this up. 5. Click Apply to save your settings. The Internet Traffic Statistics section displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available. 6. Click the Traffic by Protocol link, in the upper right header, to see a report of the Internet traffic by type. The volume of traffic for each protocol will be displayed in a popup window. Traffic counters are updated in MBytes scale; the counter starts only when traffic passed is at least 1MB. Activating Notification of Events and Alerts The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For example, your VPN firewall will log security-related events such as: accepted and dropped packets on different segments of Monitoring System Performance 11-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual your LAN; denied incoming and outgoing service requests; hacker probes and login attempts; and other general information based on the settings you input on the Firewall Logs & E-mail menu. In addition, if you have set up Content Filtering on the Block Sites screen (see “Setting Block Sites (Content Filtering)” on page 5-18), a log will be generated when someone on your network tries to access a blocked site. You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs by clicking the View Logs option arrow to the right of the tab. Selecting all events will increase the size of the log, so it is good practice to select only those events which are required To configure logging and notifications: 1. Select Monitoring from the main menu and Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen displays. 2. Enter the name of the log in the Log Identifier field. Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages. 3. In the Routing Logs section, select the network segments for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets). 4. In the System Logs section, select the type of system events to be logged. 5. Check Yes to enable E-mail Logs. Then enter: a. E-mail Server address. Enter either the IP address or Internet name of your ISP’s outgoing E-mail SMTP server. If you leave this box blank, no logs will be sent to you. b. Return E-mail Address. Enter an e-mail address to appear as the sender. c. Send To E-mail Address. Enter the e-mail address where the logs and alerts should be sent. You must use the full e-mail address (for example, [email protected]). 6. No Authentication is selected by default. If your SMTP server requires user authentication, select the required authentication type—either Login Plain or CRAM-MD5. Then enter the user name and password to be used for authentication. 11-4 Monitoring System Performance v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 11-2 7. To respond to IDENT protocol messages, check the Respond to Identd from SMTP Server radio box. The Ident Protocol is a weak scheme to verify the sender of e-mail (a common daemon program for providing the ident service is identd). 8. Enter a Schedule for sending the logs. From the Unit pull-down menu, choose: Never, Hourly, Daily, or Weekly. Then set the Day and Time fields that correspond to your selection. 9. You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click Yes to enable SysLogs and send messages to the syslog server, then: a. Enter your SysLog Server IP address b. Select the appropriate syslog facility from the SysLog Facility pull-down menu. The SysLog Facility levels of severity are described in the table below. Monitoring System Performance 11-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 10. Click Apply to save your settings. Numerical Code Severity 0 Emergency: System is unusable 1 Alert: Action must be taken immediately 2 Critical: Critical conditions 3 Error: Error conditions 4 Warning: Warning conditions 5 Notice: Normal but significant conditions 6 Informational: Informational messages 7 Debug: Debug level messages Viewing Firewall Logs To view the Firewall logs: 1. Select Monitoring from the main menu and Firewall Logs & E-mail in the submenu. The Firewall Logs & E-mail screen displays 2. Click the View Log link in the upper right-hand section of the screen. The Logs screen is displayed. 3. If the E-mail Logs options as been enabled, you can send a copy of the log by clicking Send Log. 4. Click Refresh Log to retrieve the latest update; click Clear Log to delete all entries. Log entries are described in Table 11-1. Table 11-1. Firewall Logs Field Descriptions Field Description Date and Time The date and time the log entry was recorded. Description or Action The type of event and what action was taken if any. Source IP The IP address of the initiating device for this log entry. Source port and interface The service port number of the initiating device, and whether it originated from the LAN or WAN. 11-6 Monitoring System Performance v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table 11-1. Firewall Logs Field Descriptions Field Description Destination The name or IP address of the destination device or Web site. Destination port and interface The service port number of the destination device, and whether it’s on the LAN or WAN. Viewing Router Configuration and System Status The Router Status screen provides status and usage information. To view the router configuration and system status: 1. Select Monitoring from the main menu and Router Status in the submenu. The Router Status screen is displayed. Figure 11-3 The following information is displayed: Item Description System Info This is the Netgear product name. Firmware Version This is the current software the router is using. Monitoring System Performance 11-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Item Description LAN Port Displays the current settings for MAC address, IP address, DHCP role and IP Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None. WAN Configuration Indicates whether the WAN State is UP or DOWN. It also is displayed if: • NAT is Enabled or Disabled. • Connection Type: DHCP enabled or disabled. • Connection State • WAN IP Address • Subnet Mask • Gateway Address • Primary and Secondary DNS Server Addresses • MAC Address. Wireless Configuration • • • • • • • Wireless Status SSID Mode Security Settings Region Channel AP MAC Address Monitoring the WAN Port Status You can monitor the status of the WAN connection, the Dynamic DNS Server connection, and the DHCP Server connection. To monitor the status of the WAN port: 1. Select Network Configuration and WAN Settings to display the WAN ISP Settings screen. 2. Click the WAN Status to display the Connection Status popup window. 11-8 Monitoring System Performance v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual . Figure 11-4 Monitoring Attached Devices The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen: 1. Select Network Configuration from the main menu and LAN Settings in the submenu. 2. Then select the LAN Groups tab and the LAN Groups screen displays. 3. The Known PCs and Devices database is an automatically-maintained list of LAN-attached devices. PCs and other LAN devices become known by the following methods: • DHCP Client Requests. By default, the DHCP server in the firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the database. Because of this, leaving the DHCP Server feature enabled (in the LAN Setup menu) is strongly recommended. • Scanning the Network. The local network is scanned using standard methods such as ARP. The scan will detect active devices that are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined and will be shown as unknown. • Manually Adding Devices. You can enter information in the Add Known PCs and Devices section and click Add to manually add a device to the database. Monitoring System Performance 11-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Figure 11-5 The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed Table 11-2. Known PCs and Devices options Item Description Name The name of the PC or device. Sometimes, this can not be determined, and will be listed as Unknown. In this case, you can edit the entry to add a meaningful name. IP Address The current IP address. For DHCP clients, where the IP address is allocated by the DHCP Server in this device, this IP address will not change. Where the IP address is set on the PC (as a fixed IP address), you may need to update this entry manually if the IP address on the PC is changed. MAC Address The MAC address of the PC. The MAC address is a low-level network identifier which is fixed at manufacture. Group Each PC or device must be in a single group. The Group column indicates which group each entry is in. By default, all entries are in the Group1. Note: If the VPN firewall is rebooted, the table data is lost until the VPN firewall rediscovers the devices. Reviewing the DHCP Log To review the most recent entries in the DHCP log: 11-10 Monitoring System Performance v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Select Network Configuration > LAN Setup from the main/submenu, and then click the LAN Setup tab. The LAN Setup screen displays. Figure 11-6 2. Click the DHCP Log link to the right of the tabs. The DHCP Log appears in a popup window. Figure 11-7 3. To view the most recent entries, click refresh. To delete all the existing log entries, click clear log. Monitoring Active Users The Active Users menu screen displays a list of administrators and SSL VPN users currently logged into the device. To display the list of active users: Monitoring System Performance 11-11 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 1. Select Monitoring > Active Users from the main/submenu. The Active Users screen is displayed. Figure 11-8 The active user’s username, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. 2. You can disconnect an active user by clicking Disconnect to the right of the user’s list entry. Viewing Port Triggering Status To view the status of Port Triggering: 1. Select Security > Port Triggering from the main/submenu. The Port Triggering screen displays. Figure 11-9 2. When the Port Triggering screen is displayed, click the Status link to the right of the tab to display the Port Triggering Status. Figure 11-10 11-12 Monitoring System Performance v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual The status window displays the following information: Item Description Rule The name of the port triggering rule associated with this entry. LAN IP Address The IP address of the PC currently using this rule. Open Ports The Incoming ports which are associated the this rule. Incoming traffic using one of these ports will be sent to the IP address above. Time Remaining The time remaining before this rule is released and made available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received. Monitoring VPN Tunnel Connection Status To review the status of current VPN tunnels: 1. Select VPN > Connection Status from the main/submenu, and then select the IPsec VPN Connection Status tab. The IPsec Connection Status screen displays. Figure 11-11 The Active IPsec SAs table lists each active connection with the following information. Item Description Policy Name The name of the VPN policy associated with this SA. Endpoint The IP address on the remote VPN endpoint. Tx (KB) The amount of data transmitted over this SA. Tx (Packets) The number of IP packets transmitted over this SA. State The current status of the SA. Phase 1 is Authentication phase and Phase 2 is Key Exchange phase. Action Use this button to terminate/build the SA (connection) if required. Monitoring System Performance 11-13 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 2. Select the SSL VPN Connection Status tab and the SLL VPN Connection Status screen displays. Figure 11-12 The active SSL VPN user’s username, group, and IP address are listed in the table with a timestamp indicating the time and date that the user connected. 3. You can disconnect an active SSL VPN user by clicking Disconnect to the right of the user’s list entry. Reviewing the VPN Logs The VPN Logs screen gives log details for recent VPN activity. 1. Select Monitoring > VPN Logs from the main/submenu, and select the IPsec VPN Logs tab. The IPsec VPN Logs screen displays. Figure 11-13 2. To view the most recent entries, click refresh log. 3. To delete all the existing log entries, click clear log. 4. Select the SSL VPN Logs tab to view SSL VPN log details. 11-14 Monitoring System Performance v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Chapter 12 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Wireless-N VPN Firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. This chapter contains the following sections: • “Basic Functions” • “Troubleshooting the Web Configuration Interface” • “Troubleshooting the ISP Connection” • “Troubleshooting a TCP/IP Network Using a Ping Utility” • “Restoring the Default Configuration and Password” • “Problems with Date and Time” • “Diagnostics Functions” Basic Functions After you turn on power to the VPN firewall, the following sequence of events should occur: 1. When power is first applied, verify the PWR LED is on. 2. After approximately two minutes, verify: a. The TEST LED is not lit. b. The LAN port LINK/ACT LEDs are lit for any local ports connected. c. The WAN port LINK/ACT LEDs are lit on the WAN port. If a port’s LINK/ACT LED is lit, a link has been established to the connected device. If a LAN port is connected to a 1000 Mbps device, verify the port’s SPEED LED is green. If the port is 100 Mbps, the LED will be amber. If the port is 10 Mbps, the LED will be off. If any of these conditions does not occur, refer to the appropriate following section. Troubleshooting 12-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Power LED Not On If the Power and other LEDs are off when your VPN firewall is turned on: • Verify the power adapter cord is properly connected to your VPN firewall and the power adapter is properly connected to a functioning power outlet. • Verify you are using the 12VDC, 1.5A power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support. LEDs Never Turn Off When the firewall is turned on, the LEDs turns on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up: • Cycle the power to see if the firewall recovers. • Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.1.1. This procedure is explained in “Restoring the Default Configuration and Password” on page 12-7. If the error persists, you might have a hardware problem and should contact technical support. LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Verify the Ethernet cable connections are secure at the firewall and at the hub or workstation. • Verify the power is turned on to the connected workstation. • Ensure you are using the correct cable: When connecting the firewall’s Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable. Troubleshooting the Web Configuration Interface If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following: 12-2 Troubleshooting v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • Check the Ethernet connection between the PC and the firewall as described in the previous section. • Ensure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.1.2 to 192.168.1.254. Note: If your PC’s IP address is shown as 169.254.x.x: Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the firewall and reboot your PC. • If your firewall’s IP address has been changed and you don’t know the current IP address, clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.1.1. This procedure is explained in “Restoring the Default Configuration and Password” on page 12-7. Tip: If you don’t want to revert to the factory default settings and lose your configuration settings, you can reboot the firewall and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the firewall’s LAN interface address. • Ensure you are using the SSL https://address login rather than http://address. • Ensure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded. • Try quitting the browser and launching it again. • Ensure you are using the correct login information. The factory default login name is admin and the password is password. Verify CAPS LOCK is off when entering this information. If the firewall does not save changes you have made in the Web Configuration Interface, check the following: • When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost. • Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration. Troubleshooting 12-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and navigate to an external site such as www.netgear.com 2. Access the Main Menu of the firewall’s configuration at https://192.168.1.1 3. Under the Monitoring menu, click Router Status. 4. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP. If your firewall is unable to obtain an IP address from the ISP, you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure: 1. Turn off power to the cable or DSL modem. 2. Turn off power to your firewall. 3. Wait five minutes and reapply power to the cable or DSL modem. 4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to your firewall. If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following: • Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login. • If your ISP requires a login, you may have incorrectly set the login name and password. • Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu. • Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address. In this case: – Inform your ISP that you have bought a new network device, and ask them to use the firewall’s MAC address; or 12-4 Troubleshooting v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual – Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring the Internet Connection” on page 2-6. If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: • Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. You may configure your PC manually with DNS addresses, as explained in your operating system documentation. • Your PC may not have the firewall configured as its TCP/IP gateway. Troubleshooting a TCP/IP Network Using a Ping Utility Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the Ping utility in your PC or workstation. Testing the LAN Path to Your VPN Firewall You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later: 1. From the Windows toolbar, click Start and choose Run. 2. In the field provided, type “ping” followed by the IP address of the firewall; for example: ping 192.168.1.1 3. Click OK. A message, similar to the following, should display: Pinging <IP address> with 32 bytes of data If the path is working, you will see this message: Reply from <IP address>: bytes=32 time=NN ms TTL=xxx If the path is not working, you will see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems: Troubleshooting 12-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual • • Wrong physical connections – Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or WAN Port LEDs Not On” on page 12-2. – Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall. Wrong network configuration – Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. – Verify that the IP address for your firewall and your workstation are correct and that the addresses are on the same subnet. Testing the Path from Your PC to a Remote Device After verifying the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type: PING -n 10 <IP address> where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies: – Verify your PC has the IP address of your firewall listed as the default gateway. If the IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC’s Network Control Panel. – Verify the network address of your PC (the portion of the IP address specified by the netmask) is different from the network address of the remote device. – Verify your cable or DSL modem is connected and functioning. – If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu. – Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your firewall to “clone” or “spoof” the MAC address from the authorized PC. Refer to “Manually Configuring the Internet Connection” on page 2-6. 12-6 Troubleshooting v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the VPN firewall’s administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways: • Use the Erase function of the VPN firewall (see “Settings Backup and Firmware Upgrade” on page 9-13). • Use the reset button (Factory Defaults) on the front panel of the VPN firewall. Use this method for cases when the administration password or IP address is not known. To restore the factory default configuration settings without knowing the administration password or IP address, you must use the reset button on the rear panel of the VPN firewall. To restore the factory defaults: 1. Press and hold the Factory Defaults (reset button) until the Test LED turns on and begins to blink (about 10 seconds). Use a slender pointed object, such as an ink pen or paper clip, to press and hold the reset button (Factory Defaults). 2. Release the reset button (Factory Defaults) and wait for the VPN firewall to reboot. Problems with Date and Time The Administration > Time Zone menu displays the current date and time of day. The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include: • Date shown is January 1, 2000. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Verify your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes and check the date and time again. • Time is off by one hour. Cause: The VPN firewall does not automatically sense Daylight Savings Time. Check the Time Zone menu, and check or uncheck the box marked “Adjust for Daylight Savings Time”. Troubleshooting 12-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Diagnostics Functions You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the VPN firewall, and capturing packets. 1. Select Monitoring > Diagnostics from the main/submenu. The Diagnostics screen displays. 2. View the selections available in the Diagnostic screen and browse the descriptions listed in Table 12-1., “Diagnostics”. Note: For normal operation, diagnostics are not required. Figure 12-1 Table 12-1. Diagnostics Item Description Ping or trace an IP address Ping – Used to send a ping packet request to a specified IP address—most often, to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results will be displayed in a new screen; click “Back” on the Windows menu bar to return to the Diagnostics screen. If the specified address is intended to be reached through a VPN tunnel, check Ping through VPN tunnel. Traceroute – Lists all routers between the source (this device) and the destination IP address. The traceroute results will be displayed in a new screen; click “Back” on the Windows menu bar to return to the Diagnostics screen. 12-8 Troubleshooting v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table 12-1. Diagnostics (continued) Item Description Perform a DNS lookup A DNS (Domain Name Server) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can request a DNS lookup to find the IP address. Display the routing table This operation will display the internal routing table, which can be used by Technical Support to diagnose routing problems. Reboot the firewall Used to perform a remote reboot (restart). You can use this if the firewall seems to have become unstable or is not operating normally. Note: Rebooting will break any existing connections either to the firewall (such as your management session) or through the firewall (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be reestablished when possible. Packet trace Packet Trace selects the interface and starts the packet capture on that interface. Troubleshooting 12-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual 12-10 Troubleshooting v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Appendix A Default Settings and Technical Specifications You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below. • Pressing the reset button for a shorter period of time will simply cause your device to reboot. Default Settings Table A-1. firewall Default Configuration Settings Feature Default Behavior Router Login User Login URL https://192.168.1.1 User Name (case sensitive) admin Login Password (case sensitive) password Internet Connection WAN MAC Address Uses default address as printed on bottom label WAN MTU Size 1500 Port Speed 10/100/1000 AutoSense Default Settings and Technical Specifications v1.0, October 2008 A-1 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table A-1. firewall Default Configuration Settings (continued) Feature Default Behavior Local Network (LAN) Lan IP Address 192.168.1.1 Subnet Mask 255.255.255.0 RIP Direction None RIP Version Disabled RIP Authentication Disabled DHCP Server Enabled DHCP Starting IP Address 192.168.1.2 DHCP Ending IP Address 192.168.1.100 Management Time Zone GMT Time Zone Adjusted for Daylight Saving Time Disabled SNMP Disabled Remote Management Disabled Firewall Inbound (communications coming in from Denied the Internet) A-2 Outbound (communications from the LAN to the Internet) Allowed (all) Source MAC filtering Disabled Stealth Mode Enabled Default Settings and Technical Specifications v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table A-1. firewall Default Configuration Settings (continued) Feature Default Behavior Wireless Wireless Communication Enabled Network Name (SSID) NETGEAR Broadcast Network Name SSID Enabled Security Disabled Transmission Speed Besta Country/Region Varies by region 80211.a/b/g/n Radio Frequency Channel Auto 80211.na and 80211.ng Channel Spacing 20/40MHz Wireless Card Access List All wireless stations allowed a. Maximum Wireless signal rate derived from IEEE Standard 802.11 specifications. Actual throughput will vary. Network conditions and environmental factors, including volume of network traffic, building materials and construction, and network overhead, lower actual data throughput rate. Technical Specifications Table A-2. firewall Technical Specifications Feature Specifications Network Protocol and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: 120V, 60 Hz, input United Kingdom, Australia: 240V, 50 Hz, input Europe: 230V, 50 Hz, input Japan: 100V, 50/60 Hz, input Physical Specifications Dimensions: 1.7 x 10 x 7.2 in. Weight: 2 kg (4.5 lb) Default Settings and Technical Specifications v1.0, October 2008 A-3 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table A-2. firewall Technical Specifications (continued) Feature Specifications Environmental Specifications Operating temperature: 0 to 40 C (32º to 104º F) Operating humidity: 90% maximum relative humidity, noncondensing Electromagnetic Emissions Meets requirements of: FCC Part 15 Class B VCCI Class B EN 55 022 (CISPR 22), Class B Interface Specifications LAN: 10BASE-T or 100BASE-Tx 1000BASE-T, RJ-45 WAN: 10BASE-T or 100BASE-Tx 1000BASE-T, RJ-45 Table A-3. SSL VPN Technical Specifications Parameter Specification Network Management Web-based configuration and status monitoring Concurrent Users Supported 10 tunnels Encryption DES, 3DES, AES, MD5, SHA-1 Authentication Local User database, RADIUS, LDAP, MS Active Directory Certificates supported X.509, CRL Electromagnetic Compliance FCC Part 15 Class B, CE, and C-TICK Environmental Specifications Operating temperature: 0 to 50° C Operating humidity: 5-95%, non-condensing A-4 Default Settings and Technical Specifications v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table A-4. Wireless Technical Specifications Parameter ProSafe Wireless-N VPN Firewall 802.11a Data Rates 6, 9, 12, 18, 24, 36, 48, 54, and 108 Mbps (Auto-rate capable) 802.11na Data Rates Data Rates for Channel Width=20MHz and Guard Interval=short (400ms): Best, 7.2 Mbps, 14.4 Mbps, 21.7 Mbps, 28.9 Mbps, 43.3 Mbps, 57.8 Mbps, 65 Mbps, 72.2 Mbps, 14.44 Mbps, 28.88 Mbps, 43.33 Mbps, 57.77 Mbps, 86.66 Mbps, 115.56 Mbps, 130 Mbps, 144.44 Mbps Data Rates for Channel Width=20MHz and Guard Interval=long (800ms): Best, 6.5 Mbps, 13 Mbps, 19.5 Mbps, 26 Mbps, 39 Mbps, 52 Mbps, 58.5 Mbps, 65 Mbps, 13 Mbps, 26 Mbps, 39 Mbps, 52 Mbps, 78 Mbps, 104 Mbps, 117 Mbps, 130 Mbps Data Rates for Channel Width=40MHz and Guard Interval=short: Best, 15 Mbps, 30 Mbps, 45 Mbps, 60 Mbps, 90 Mbps, 120 Mbps, 135 Mbps, 150 Mbps, 30 Mbps, 60 Mbps, 90 Mbps, 120 Mbps, 180 Mbps, 240 Mbps, 270 Mbps, 300 Mbps Data Rates for Channel Width=40MHz and Guard Interval=long: Best, 13.5 Mbps, 27 Mbps, 40.5 Mbps, 54 Mbps, 81 Mbps, 121.5 Mbps, 135 Mbps, 27 Mbps, 54 Mbps, 81 Mbps, 162 Mbps, 216 Mbps, 243 Mbps, 270 Mbps 802.11a/na Operating Frequencies 5.15 ~ 5.25 5.25 ~ 5.35 5.57 ~ 5.825 802.11a/na Encryption 64-bits, 128- and 152-bits WEP, AES, TKIP data encryption 802.11g Data Rates 1, 2, 5.5, 11, 12, 18, 24, 36, 38, 54, & 108 Mbps (Auto-rate capable) 802.11ng Data Rates Data Rates for Channel Width=20MHz and Guard Interval=short (400ms): Best, 7.2 Mbps, 14.4 Mbps, 21.7 Mbps, 28.9 Mbps, 43.3 Mbps, 57.8 Mbps, 65 Mbps, 72.2 Mbps, 14.44 Mbps, 28.88 Mbps, 43.33 Mbps, 57.77 Mbps, 86.66 Mbps, 115.56 Mbps, 130 Mbps, 144.44 Mbps Data Rates for Channel Width=20MHz and Guard Interval=long (800ms): Best, 6.5 Mbps, 13 Mbps, 19.5 Mbps, 26 Mbps, 39 Mbps, 52 Mbps, 58.5 Mbps, 65 Mbps, 13 Mbps, 26 Mbps, 39 Mbps, 52 Mbps, 78 Mbps, 104 Mbps, 117 Mbps, 130 Mbps Data Rates for Channel Width=40MHz and Guard Interval=short: Best, 15 Mbps, 30 Mbps, 45 Mbps, 60 Mbps, 90 Mbps, 120 Mbps, 135 Mbps, 150 Mbps, 30 Mbps, 60 Mbps, 90 Mbps, 120 Mbps, 180 Mbps, 240 Mbps, 270 Mbps, 300 Mbps Data Rates for Channel Width=40MHz and Guard Interval=long: Best, 13.5 Mbps, 27 Mbps, 40.5 Mbps, 54 Mbps, 81 Mbps, 121.5 Mbps, 135 Mbps, 27 Mbps, 54 Mbps, 81 Mbps, 162 Mbps, 216 Mbps, 243 Mbps, 270 Mbps Default Settings and Technical Specifications v1.0, October 2008 A-5 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Table A-4. Wireless Technical Specifications Parameter ProSafe Wireless-N VPN Firewall 802.11b/bg/ng Operating Frequencies 2.412 ~ 2.462 GHz (US) 2.457 ~ 2.462 GHz (Spain) 2.412 ~ 2.484 GHz (Japan)2.457 ~ 2.472 GHz (France) 2.412 ~ 2.472 GHz (Europe ETSI) 802.11 b/bg/ng Encryption 64-bits, 128- and 152-bits WEP, AES, TKIP data encryption Network Management Web-based configuration and status monitoring Maximum Clients Limited by the amount of wireless network traffic generated by each node; maximum 64 supported. Status LEDs Power/Ethernet LAN/Wireless LAN/Test Power Adapter 12V DC, 1.5 A Electromagnetic Compliance FCC Part 15 Class B and Class E, CE, and C-TICK Environmental Specifications Operating temperature: 0 to 50° C Operating humidity: 5-95%, non-condensing A-6 Default Settings and Technical Specifications v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Appendix B Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document Link Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm Virtual Private Networking (VPN): http://documentation.netgear.com/reference/enu/vpn/index.htm Glossary http://documentation.netgear.com/reference/enu/glossary/index.htm Related Documents B-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual B-2 Related Documents v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Index B backup and restore settings 9-13 Band selection 1-4 bandwidth capacity 9-1 LAN side 9-1 WAN side 9-2 A access remote management 9-10 Banner Message 7-5 Access Controll screens 4-19 Beacon Interval default setting 4-18 Banner Title 7-5 ActiveX web cache control 7-6 BigPond Cable 2-7 Internet connection 2-8 Add LAN WAN Inbound Service 5-9 Add LAN WAN Outbound Service 5-8 Add Resource Addresses menu 7-14 Block Sites Content Filtering 5-18 reducing traffic 9-4 Adding 5-15 Block Sites screen 5-18 address reservation 3-4 Block TCP Flood 5-10 administrator login timeout 9-9 block traffic with schedule 5-17 Add Mode Config Record screen 6-18 Advailable Wireless Stations 4-19 Advanced Options MTU Size 2-13 Port Speed 2-13 Router’s MAC Address 2-13 Blocking Instant Messenger example of 5-14 Broadcast Wireless Network Name (SSID) 4-5 Broadcast Wireless Network Name. See SSID Advanced screens of Wireless Settings 4-17 Allow 4-5 Allowing Videoconference from Restricted Addresses example of 5-12 Antenna 2.4 GHz 1-8 5 GHZ 1-8 antenna position 4-2, 4-16 Attack Checks about 5-10 C CA about 8-8 Carrier Sense Multiple Access with Collision Detection. See CSMA/CD. certificate generate new CSR 8-10 Certificate Authority. See CA. Attack Checks screen 5-11 Certificate Signing Request, see CSR Authentication Algorithm IKE Policy 6-13, 6-16 certificates management of 8-10 Auto Detect 2-4 channel interference,multiple access points channel spacing 4-2 Auto Uplink 1-2, 1-4 Auto-Rollover use with DDNS 2-11 Channel Width 4-6 Channel/Frequency 4-6 Index-1 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual Classical Routing definition of 2-10 command line interface 9-11 configuration automatic by DHCP 1-3 connecting the VPN firewall 2-1 Connection Status VPN Tunnels 6-16 Content 5-18 Content Filtering 5-1 about 5-18 Block Sites 5-18 enabling 5-18 firewall protection, about 5-1 Denial of Service. See DoS. DHCP 2-5 DNS server address 3-3 DHCP Address Pool 3-3 DHCP log monitoring 11-10 DHCP server about 3-3 address pool 3-3, 3-4 configuring secondary IP addresses 3-9 enable 3-2 lease time 3-3 CSMA/CD 4-18 diagnostics DNS lookup 12-8 packet capture 12-8 ping 12-8 rebooting 12-8 routing table 12-8 CSR 8-10 Diagnostics screen 12-8 customized service adding 5-2, 5-15 editing 5-16 Diffie-Hellman Group IKE Policy 6-14 content filtering 1-2, 5-1 crossover cable 1-2, 12-2 Disable DHCP Server 3-4 D DMZ WAN Rule example of 5-12 Date setting 9-15 troubleshooting 12-7 DNS 7-2 ISP server addresses 2-9 server IP address 3-3 Daylight Savings Time adjusting for 9-16 DNS proxy 9-6 enable 3-3 feature 1-3 DDNS about 2-11 configuration of 2-12 links to 2-12 providers of 2-11 services, examples 2-12 DDNS providers links to 2-12 default configuration restoring 12-7 default password 2-2 default settings 4-7 denial of service attack 5-10 DNS Suffix 7-11 Domain Name router 3-2 Domain Name Blocking 5-18 Domain Name Servers. See DNS. DoS about protection 1-2 Dynamic DNS configuration of 2-11 Dynamic DNS Configuration screen 2-11, 2-12 Dynamic DNS. See DDNS dynamic IP addresses Index-2 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual enabling 4-17 E Edge Device 6-23 XAUTH, with ModeConfig 6-20 Edit Group Names 3-7 e-mail logs enabling notification 5-27, 11-4 E-mail Server address 11-4 Enable DHCP server 3-4 Enable DNS Proxy 3-3 Ending IP Address DHCP Address Pool 3-3 firmware downloading 9-14 upgrade 9-14 firmware, upgrading 1-4 fixed IP address 2-5, 3-7 FQDN 2-11 Fragmentation Length default setting 4-18 fragmented IP packets 9-5 fully qualified domain name. See FQDN. G Global Policies 7-14 equipment placement reception range 4-2 Group Names editing 3-7 Ethernet Autosensing connection 1-4 Group Policies 7-14 Event Logs emailing of 5-27, 11-3 Extended Authentication. See XAUTH. groups, managing 3-4 H host name resolution 7-9 F Hosting A Local Public Web Server example of 5-11 factory default login 1-9 hosts, managing 3-4 factory default settings revert to 9-13 hotspot settings 1-4 firewall connecting to the Internet 2-1 features 1-3 front panel 1-6 rear panel 1-8 technical specifications A-1 viewing activity 11-13 HTTP meta tags 7-6 Firewall Log Field Description 11-6 Firewall Logs emailing of 5-27, 11-3 viewing 11-6 Firewall Logs & E-mail screen 5-27, 11-4 Firewall Protection Content Filtering, about 5-1 firewall protection 5-1 I IGP 3-11 IKE Policy about 6-12 management of 6-12 ModeConfig, configuring with 6-19 XAUTH, adding to 6-23 Inbound Rules default definition 5-2 field descriptions 5-5 order of precedence 5-7 Port Forwarding 5-2, 5-4 rules for use 5-4 Index-3 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual inbound rules 5-4 example 5-12 Inbound Service Rule modifying 5-9 Inbound Services field descriptions 5-5 increasing traffic 9-5 Port Forwarding 9-5 Port Triggering 9-6 VPN Tunnels 9-7 installation 1-5 interference sources 4-2 Interior Gateway Protocol. See IGP. Internet configuring the connection manually 2-6 connecting to 2-1 Internet connection manual configuration 2-6 IP address default 4-7 IP addresses auto-generated 12-3 DHCP address pool 3-4 multi home LAN 3-4 reserved 3-4 router default 3-2 applying 5-19 Known PCs and Devices list of 3-6 L L2TP 5-11 LAN configuration 3-1 using LAN IP setup options 3-1 LAN Groups Database about 3-4 advantages of 3-5 fields 3-6 LAN Groups menu 3-6 LAN Security Checks 5-10 LAN Setup screen 3-1 LAN side bandwidth capacity 9-1 LAN WAN Inbound Rule example of 5-11, 5-12, 5-13 LAN WAN Inbound Services Rules about 5-8 add 5-9 LAN WAN Outbound Rule example of 5-14 IP Subnet Mask router default 3-2 LAN WAN Rule example of 5-12 IPsec 5-11 IPsec Connection Status screen 11-13 LAN WAN Rules default outbound 5-7 IPSec Host 6-24 lease time 3-3 IPsec Host XAUTH, with ModeConfig 6-20 LEDs troubleshooting 12-2 IPsec host 6-22 Load Balancing use with DDNS 2-11 ISP connection troubleshooting 12-4 K Keep Connected Idle TImeout 2-8 Idle Timeout 2-7 logging in default login 2-2 login policy restrict by browser 8-7 restrict by IP address 8-6 restrict by port 8-5 Keyword Blocking 5-18 Index-4 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual M MAC address 4-18, 12-6 authentication by ISP 2-13 configuring 2-5 format 2-14, 5-21 in LAN groups database 3-7 restricting access 4-3 spoofing 12-5 trusted PCs 4-3 MAC addresses blocked, adding 5-20 main menu 2-3 metric in static routes 3-11 ModeConfig 6-17 about 6-17 assigning remote addresses, example 6-17 Client Configuration 6-20 IKE Policies menu, configuring 6-17 menu, configuring 6-17 testing Client 6-21 monitoring devices 11-9 by DHCP Client Requests 11-9 by Scanning the Network 11-9 Network Address Translation. See NAT. Network Database table 3-6 Network Database Group Names screen 3-7 Network Time Protocol. See NTP. newsgroup 5-18 NTP 9-15 troubleshooting 12-7 NTP servers custom 9-16 default 9-16 setting 9-15 O option arrow 2-3 Outbound Rules default definition 5-2 field descriptions 5-3 order of precedence 5-7 service blocking 5-2 outbound rules 5-3 MTU Size 2-13 Outbound Service Rule adding 5-8 modifying 5-9 multi home LAN IPs 3-4 about 3-8 Outbound Services field descriptions 5-3 multi-NAT 5-13 multiple access points placement of 4-2 P N packet capture 12-9 NAS Identifier 6-25 NAT configuring 2-10 firewall, use with 5-2 multi-NAT 5-13 one-to-one mapping 2-10 one-to-one mapping example 5-12 Network 9-15 Network Access Server. See NAS. package contents 1-6 password default 4-7 passwords and login timeout changing 9-8 passwords,restoring 12-7 performance degradation causes of 4-2 performance management 9-1, 11-1 Ping troubleshooting TCP/IP 12-5 Index-5 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual ping 12-8 Quality of Service. See QoS. Ping On Internet Ports 5-10 point-to-point bridge 1-4 R policy hierarchy 7-14 RADIUS Server configuring 6-24 port filtering service blocking 5-3 Port Forwarding Inbound Rules 5-2, 5-4 increasing traffic 9-5 rules, about 5-4 port numbers 5-15 Port Speed 2-13 Port Triggering about 5-23 adding a rule 5-23 increasing traffic 9-6 rules of use 5-23 status monitoring 11-12 Port Triggering screen 5-24, 11-12 Portal Site Title 7-5 power adapter 1-8 PPP connection 7-2 PPP over Ethernet. See PPPoE. PPPoE 1-3, 2-5, 2-7 Internet connection 2-7 PPTP 2-5, 2-7, 5-11 Preamble Type defalt setting 4-18 protocol numbers assigned 5-15 protocols Routing Information Protocol 1-3 Q QoS about 5-16 priority definitions 5-16 shifting traffic mix 9-7 using in firewall rules 5-3 QoS. See Quality of Service 1-5 Quality of Service 1-5 RADIUS Server Settings 4-14, 4-15 RADIUS-CHAP 6-22, 6-24 AUTH, using with 6-23 RADIUS-PAP 6-22 XAUTH, using with 6-23 Range 4-2 reception range equipment placement 4-2 reducing traffic 9-2 Block Sites 9-4 service blocking 9-2 Source MAC Filtering 9-4 remote management 9-10 access 9-10 configuration 9-10 remote users assigning addresses 6-17 ModeConfig 6-17 reserved IP address configuring 3-4 in LAN groups database 3-7 restrictions 3-7 resources defining 7-13 restore saved settings 9-13 restricting access MAC address, using 4-18 Return E-mail Address 11-4 RFC 1349 5-16 RFC1700 protocol numbers 5-15 RIP about 3-11 advertising static routes 3-11 configuring parameters 3-11 feature 1-3 versions of 3-12 Index-6 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual RIP Configuration menu 3-11, 3-12 Service Based Rules 5-2 router upgrade software 9-15 service blocking 5-3 Outbound Rules 5-2 port filtering 5-3 reducing traffic 9-2 router administration tips on 5-27 Router Status 2-10 Router Status screen 11-7 Router Upgrade about 9-14 Router’s MAC Address 2-13 Routing Information Protocol. See RIP. routing menu 3-10 RTS Threshold default setting 4-18 service numbers common protocols 5-15 Services 5-15 Services menu 5-15 Setting Up One-to-One NAT Mapping example of 5-12 Settings Backup & Upgrade screen 9-13 Settings Backup and Firmware Upgrade 9-13 Simple Network Management Protocol. See SNMP. rules blocking traffic 5-2 inbound 5-4 inbound example 5-12 outbound 5-3 service blocking 5-3 services-based 5-2 sniffer 12-3 running tracert 9-11 SNMP screen 9-12 SNMP about 9-11 configuring 9-12 global access 9-12 host only access 9-12 subnet access 9-12 Source MAC Filter screen 5-20, 5-21 S schedule blocking traffic 5-17 Schedule 1 screen 5-17 secondary IP addresses DHCP, use with 3-9 Secondary LAN IPs see Multi Home LAN IPs 3-9 security network enhancements 4-3 WPA 4-3 WPA-PSK 4-3 security options WEP data encryption 4-3 WPA-PSK 4-3 self certificate request 8-10 Send To E-mail Address 11-4 service 5-15 Source MAC Filtering enabling 5-20 reducing traffic 9-4 Specifying an Exposed Host example of 5-13 split tunnel configuring 7-11 description 7-10 spoof MAC address 12-5 SSID 1-4 11a default name 4-5 11b/g default name 4-5 disabling, consequences of 4-3 SSL VPN Client description 7-2 SSL VPN Logs 11-14 Starting IP Address DHCP Address Pool 3-3 Stateful Packet Inspection Index-7 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual firewall, use with 5-2 traffic management 9-8 stateful packet inspection. See SPI. traffic meter 2-14 Static 3-10 troubleshooting 12-1 browsers 12-3 configuration settings, using sniffer 12-3 defaults 12-3 ISP connection 12-4 NTP 12-7 testing your setup 12-6 Web configuration 12-2 static IP address configuring 2-8 detecting 2-5 static routes about 3-10 configuring 3-10 metric 3-11 stealth mode 5-10, 9-6 submenu 2-3 SYN flood 5-10, 9-5 SysLog Server IP Address 11-5 system requirements 1-5 T tab, menu 2-3 TCP flood special rule 9-5 TCP/IP network, troubleshooting 12-5 Technical Specifications A-5 Time setting 9-15 troubleshooting 12-7 time daylight savings, troubleshooting 12-7 Time Zone settings 9-15 Time Zone screen 9-15 timeout, administrator login 9-9 ToS. See QoS. traceroute 12-8 tracert use with DDNS 9-11 traffic increasing 9-5 reducing 9-2 Trusted Certificates 8-8, 8-9 Trusted Domains building list of 5-19 Trusted Wireless Stations 4-19 trusted wireless stations MAC address filtering, use with 1-4 Turn Access Control On 4-19 U UDP flood 5-10 special rule 9-5 User Database 6-23 user name default 4-7 User Policies 7-14 V VPN Client configuring 6-4 configuring PC, example 6-8 VPN Wizard example 6-7 VPN firewall connecting 2-1 VPN Logs screen 11-14 VPN passthrough 5-10, 9-5 VPN Policies screen 6-3 VPN Policy Auto 6-15 field definitions 6-15 Manual 6-15 VPN Tunnel Connection Index-8 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual monitoring status 11-13 VPN tunnels about 6-1 Connection Status 6-16 increasing traffic 9-7 IPsec 5-11 L2TP 5-11 PPTP 5-11 VPN Wizard Gateway tunnel 6-2 VPN Client, configuring 6-4 VPN Wizard Default Values 6-3 VPNC 6-1 VPNs viewing VPN tunnel status 11-13 W WAN configuring Advanced options 2-12 WAN Port 1 status 2-5 WAN Ports monitoring status 11-8 WAN ports status of 2-10 WAN Security Check about 5-10 WAN side bandwidth capacity 9-2 WAN Status 2-5 WAN1 Advanced Options 2-13 WAN1 ISP Settings manual setup 2-6 WAN1 Traffic Meter 11-1 Web Components 5-18 blocking 5-19 filtering, about 5-18 Web configuration troubleshooting 12-2 WEP 4-3 wireless access point default name 4-17 deployment of 4-16 verifying connectivity 4-16 wireless connectivity testing 4-6 Wireless Mode 4-6 Wireless Multimedia 1-5 Wireless Repeater 1-4 wireless security options 4-2 wireless settings configuring 802.11b/g 4-5 Wireless Station adding new 4-19 WPA 4-3 WPA and WPA2 with RADIUS configuration of 4-15 Network Authentication screens 4-15 restrictions 4-15 WPA with RADIUS configuration of 4-13 restrictions 4-13 WPA2 with RADIUS configuration of 4-14 Network Authentication screen 4-14 restructions 4-14 WPA2-PSK configuration of 4-12 Network Authentication screens 4-12 restrictions 4-12 WPA-PSK 4-3 configuration of 4-12 Network Authentication screens 4-12 restrictions 4-12 WPA-PSK and WPA2-PSK configuration of 4-13 Network Authentication screens 4-13 restructions 4-13 WWM. See Wireless Multimedia. WinPoET 2-7 WINS server 3-3 Index-9 v1.0, October 2008 ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual X XAUTH IPsec host 6-22 types of 6-22 Index-10 v1.0, October 2008
* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project
advertisement
© 2021