Summary of the content on page 1
ProSafe Gigabit Quad WAN
SSL VPN Firewall SRX5308
Reference Manual
350 East Plumeria Drive
San Jose, CA 95134
USA
July, 2012
202-10536-04
v1.0
Summary of the content on page 2
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
© 2010–2012 NETGEAR, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.
Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this man
Summary of the content on page 3
202-10536-02 1.0 July 2011
Added new features that are documented in the following sections:
• Configure WAN QoS Profiles
• Inbound Rules (Port Forwarding) and Create LAN WAN Inbound Service Rules
• Attack Checks
• Set Limits for IPv4 Sessions
• Create IP Groups
• Use the NETGEAR VPN Client Wizard to Create a Secure Connection
• Manually Create a Secure Connection Using the NETGEAR VPN Client
• Configure the ProSafe VPN Client for Mode Confi
Summary of the content on page 4
Contents
Chapter 1 Introduction
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308? (page 11)
Key Features and Capabilities (page 12)
Quad-WAN Ports for Increased Reliability and Load Balancing (page 13)
Advanced VPN Support for Both IPSec and SSL (page 13)
A Powerful, True Firewall with Content Filtering (page 14)
Security Features
Summary of the content on page 5
Configure a Static IPv6 Internet Connection (page 57)
Configure a PPPoE IPv6 Internet Connection (page 60)
Configure 6to4 Automatic Tunneling (page 63)
Configure ISATAP Automatic Tunneling (page 64)
View the Tunnel Status and IPv6 Addresses (page 66)
Configure S
Summary of the content on page 6
Order of Precedence for Rules (page 139)
Configure LAN WAN Rules (page 140)
Create LAN WAN Outbound Service Rules (page 143)
Create LAN WAN Inbound Service Rules (page 145)
Configure DMZ WAN Rules
Summary of the content on page 7
User Database Configuration (page 241)
RADIUS Client and Server Configuration (page 241)
Assign IPv4 Addresses to Remote Users (Mode Config) (page 244)
Mode Config Operation (page 244)
Configure Mode Config Operation on the VPN Firewall (page 244)
Configure t
Summary of the content on page 8
VPN Certificates Screen (page 314)
Manage VPN CA Certificates (page 315)
Manage VPN Self-Signed Certificates (page 316)
Manage the VPN Certificate Revocation List (page 320)
Chapter 8 Network and System Management
Performance Management
Summary of the content on page 9
When You Enter a URL or IP Address, a Time-Out Error Occurs (page 387)
Troubleshoot the ISP Connection (page 388)
Troubleshooting the IPv6 Connection (page 389)
Troubleshoot a TCP/IP Network Using a Ping Utility (page 392)
Test the LAN Path to Your VPN Firewall (page 392)
Test the Pat
Summary of the content on page 10
DMZ to LAN Logs (page 436)
WAN to DMZ Logs (page 436)
Other Event Logs (page 436)
Session Limit Logs (page 436)
Source MAC Filter Logs
Summary of the content on page 11
1. Introduction
This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web management interface. The chapter contains the following sections:
• What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
• Key Features and Capabilities
• Package Contents
• Hardware Features
• Choose a Location for the VPN Firewall
• Log In to the VPN Firewall
• Web Management I
Summary of the content on page 12
The VPN firewall is a security solution that protects your network from attacks and intrusions. For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple web content filtering options, plus browsing activity reporting and instant alerts—both through email. Network administrators can establish restricted access polic
Summary of the content on page 13
• One console port for local management.
• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for the NETGEAR ProSafe Network Management Software (NMS200) over a LAN connection.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.
• Rack-mounting kit for 1U rackmounting.
Quad-WAN Ports for Increased Reliability and Load Balancing
T
Summary of the content on page 14
- Allows browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
- Provides granular access to corporate resources based on user type or group membership.
A Powerful, True Firewall with Content Filtering
Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks.
Summary of the content on page 15
network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The VPN firewall incorporates Auto Uplink™ technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub. That port then
Summary of the content on page 16
• Auto-detection of ISP. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
• IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other V
Summary of the content on page 17
Hardware Features
• Front Panel
• Rear Panel
• Bottom Panel with Product Label
The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are described in the following sections.
Front Panel
Viewed from left to right, the VPN firewall front panel contains the following ports (see the following figure).
• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports w
Summary of the content on page 18
Table 1. LED descriptions
LED | Activity | Description
Power | On (green) | Power is supplied to the VPN firewall.
Power | Off | Power is not supplied to the VPN firewall.
Test | On (amber) during startup. | Test mode: The VPN firewall is initializing. After approximately 2 minutes, when the VPN firewall has completed its initialization, the Test LED goes off.
Test | On (amber) during any other time | The initialization has failed, or a hardware failure has occurred.
Test | Blin
Summary of the content on page 19
Rear Panel
The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a cable lock receptacle, an AC power connection, and a power switch.
Figure 2. (Rear panel, labeled: power switch, Factory Defaults Reset button, security lock receptacle, AC power receptacle, console port)
Viewed from left to right, the rear panel contains the following components:
1. Cable security lock receptacle.
2. Console port. Port for connecting to an optional
Summary of the content on page 20
Choose a Location for the VPN Firewall
The VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the VPN firewall in a wiring closet or equipment room. Consider the following when deciding where to position the VPN firewall:
• The unit is accessible, and cables can be connected easily.
• Cabling is away fro