User Manual
Table of Contents

ProSecure Unified Threat Management (UTM) Appliance Reference Manual ... 1
Contents ... 7
About This Manual ... 17
    Conventions, Formats, and Scope ... 17
    How to Print This Manual ... 18
    Revision History ... 18

Chapter 1 Introduction ... 19
    What Is the ProSecure Unified Threat Management (UTM) Appliance? ... 19
    Key Features and Capabilities ... 20
    Dual-WAN Port Models for Increased Reliability or Outbound Load Balancing ... 21
    Advanced VPN Support for Both IPsec and SSL ... 21
    A Powerful, True Firewall ... 22
    Stream Scanning for Content Filtering ... 22
    Security Features ... 23
    Autosensing Ethernet Connections with Auto Uplink ... 23
    Extensive Protocol Support ... 24
    Easy Installation and Management ... 24
    Maintenance and Support ... 25
    Model Comparison ... 25
    Service Registration Card with License Keys ... 26
    Package Contents ... 27
    Hardware Features ... 28
    Front Panel ... 28
    Rear Panel ... 30
    Bottom Panel With Product Label ... 30
    Choosing a Location for the UTM ... 32
    Using the Rack-Mounting Kit ... 33

Chapter 2 Using the Setup Wizard to Provision the UTM in Your Network ... 35
    Understanding the Steps for Initial Connection ... 35
    Qualified Web Browsers ... 36
    Logging In to the UTM ... 36
    Understanding the Web Management Interface Menu Layout ... 39
    Using the Setup Wizard to Perform the Initial Configuration ... 41
    Setup Wizard Step 1 of 10: LAN Settings ... 42
    Setup Wizard Step 2 of 10: WAN Settings ... 45
    Setup Wizard Step 3 of 10: System Date and Time ... 48
    Setup Wizard Step 4 of 10: Services ... 50
    Setup Wizard Step 5 of 10: Email Security ... 52
    Setup Wizard Step 6 of 10: Web Security ... 53
    Setup Wizard Step 7 of 10: Web Categories to Be Blocked ... 55
    Setup Wizard Step 8 of 10: Email Notification ... 57
    Setup Wizard Step 9 of 10: Signatures & Engine ... 58
    Setup Wizard Step 10 of 10: Saving the Configuration ... 59
    Verifying Proper Installation ... 60
    Testing Connectivity ... 60
    Testing HTTP Scanning ... 60
    Registering the UTM with NETGEAR ... 60
    What to Do Next ... 62

Chapter 3 Manually Configuring Internet and WAN Settings ... 63
    Understanding the Internet and WAN Configuration Tasks ... 63
    Configuring the Internet Connections ... 64
    Automatically Detecting and Connecting ... 64
    Setting the UTM’s MAC Address ... 67
    Manually Configuring the Internet Connection ... 67
    Configuring the WAN Mode (Required for Dual-WAN Port Models Only) ... 71
    Network Address Translation (All Models) ... 72
    Classical Routing (All Models) ... 73
    Configuring Auto-Rollover Mode (Dual-WAN Port Models Only) ... 73
    Configuring Load Balancing and Optional Protocol Binding (Dual-WAN Port Models Only) ... 76
    Configuring Secondary WAN Addresses ... 79
    Configuring Dynamic DNS ... 81
    Configuring Advanced WAN Options ... 84
    Additional WAN-Related Configuration Tasks ... 86

Chapter 4 LAN Configuration ... 87
    Managing Virtual LANs and DHCP Options ... 87
    Managing the UTM’s Port-Based VLANs ... 88
    VLAN DHCP Options ... 90
    DHCP Server ... 90
    DHCP Relay ... 91
    DNS Proxy ... 91
    LDAP Server ... 92
    Configuring a VLAN Profile ... 92
    Configuring Multi-Home LAN IPs on the Default VLAN ... 97
    Managing Groups and Hosts (LAN Groups) ... 98
    Managing the Network Database ... 99
    Adding PCs or Devices to the Network Database ... 101
    Editing PCs or Devices in the Network Database ... 102
    Changing Group Names in the Network Database ... 102
    Setting Up Address Reservation ... 103
    Configuring and Enabling the DMZ Port ... 104
    Managing Routing ... 108
    Configuring Static Routes ... 109
    Configuring Routing Information Protocol (RIP) ... 110
    Static Route Example ... 113

Chapter 5 Firewall Protection ... 115
    About Firewall Protection ... 115
    Administrator Tips ... 116
    Using Rules to Block or Allow Specific Kinds of Traffic ... 117
    Services-Based Rules ... 117
    Outbound Rules (Service Blocking) ... 118
    Inbound Rules (Port Forwarding) ... 120
    Order of Precedence for Rules ... 125
    Setting LAN WAN Rules ... 126
    LAN WAN Outbound Services Rules ... 127
    LAN WAN Inbound Services Rules ... 128
    Setting DMZ WAN Rules ... 129
    DMZ WAN Outbound Services Rules ... 131
    DMZ WAN Inbound Services Rules ... 132
    Setting LAN DMZ Rules ... 133
    LAN DMZ Outbound Services Rules ... 134
    LAN DMZ Inbound Services Rules ... 135
    Inbound Rules Examples ... 136
    LAN WAN Inbound Rule: Hosting A Local Public Web Server ... 136
    LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses ... 136
    LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping ... 137
    LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host ... 139
    Outbound Rules Example ... 140
    LAN WAN Outbound Rule: Blocking Instant Messenger ... 140
    Configuring Other Firewall Features ... 141
    Attack Checks ... 141
    Setting Session Limits ... 144
    Managing the Application Level Gateway for SIP Sessions ... 145
    Creating Services, QoS Profiles, and Bandwidth Profiles ... 146
    Adding Customized Services ... 146
    Creating Quality of Service (QoS) Profiles ... 149
    Creating Bandwidth Profiles ... 152
    Setting a Schedule to Block or Allow Specific Traffic ... 155
    Enabling Source MAC Filtering ... 156
    Setting up IP/MAC Bindings ... 158
    Configuring Port Triggering ... 160
    Using the Intrusion Prevention System ... 163

Chapter 6 Content Filtering and Optimizing Scans ... 167
    About Content Filtering and Scans ... 167
    Default E-mail and Web Scan Settings ... 168
    Configuring E-mail Protection ... 169
    Customizing E-mail Protocol Scan Settings ... 170
    Customizing E-mail Anti-Virus and Notification Settings ... 171
    E-mail Content Filtering ... 174
    Protecting Against E-mail Spam ... 177
    Setting Up the Whitelist and Blacklist ... 178
    Configuring the Real-time Blacklist ... 180
    By default, the UTM comes with three pre-defined blacklist providers: Dsbl, Spamhaus, and Spamcop. There is no limit to the number of blacklist providers that you can add to the RBL sources. ... 181
    Configuring Distributed Spam Analysis ... 182
    Configuring Web and Services Protection ... 185
    Customizing Web Protocol Scan Settings and Services ... 185
    Configuring Web Malware Scans ... 187
    Configuring Web Content Filtering ... 189
    Configuring Web URL Filtering ... 196
    HTTPS Scan Settings ... 200
    Specifying Trusted Hosts ... 203
    Configuring FTP Scans ... 205
    Setting Web Access Exceptions and Scanning Exclusions ... 207
    Setting Web Access Exception Rules ... 207
    Setting Scanning Exclusions ... 210

Chapter 7 Virtual Private Networking Using IPsec Connections ... 213
    Considerations for Dual WAN Port Systems (Dual-WAN Port Models Only) ... 213
    Using the IPsec VPN Wizard for Client and Gateway Configurations ... 215
    Creating Gateway-to-Gateway VPN Tunnels with the Wizard ... 216
    Creating a Client to Gateway VPN Tunnel ... 221
    Using the VPN Wizard to Configure the Gateway for a Client Tunnel ... 221
    Using the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection ... 224
    Testing the Connections and Viewing Status Information ... 229
    Testing the VPN Connection ... 229
    NETGEAR VPN Client Status and Log Information ... 230
    Viewing the UTM IPsec VPN Connection Status ... 232
    Viewing the UTM IPsec VPN Log ... 233
    Managing IPsec VPN Policies ... 234
    Managing IKE Policies ... 235
    The IKE Policies Screen ... 235
    Manually Adding or Editing an IKE Policy ... 237
    Managing VPN Policies ... 243
    The VPN Policies Screen ... 243
    Manually Adding or Editing a VPN Policy ... 245
    Configuring Extended Authentication (XAUTH) ... 250
    Configuring XAUTH for VPN Clients ... 251
    User Database Configuration ... 252
    RADIUS Client Configuration ... 252
    Assigning IP Addresses to Remote Users (Mode Config) ... 255
    Mode Config Operation ... 255
    Configuring Mode Config Operation on the UTM ... 255
    Configuring the ProSafe VPN Client for Mode Config Operation ... 262
    Testing the Mode Config Connection ... 267
    Configuring Keepalives and Dead Peer Detection ... 267
    Configuring Keepalives ... 268
    Configuring Dead Peer Connection ... 269
    Configuring NetBIOS Bridging with IPsec VPN ... 271

Chapter 8 Virtual Private Networking Using SSL Connections ... 273
    Understanding the SSL VPN Portal Options ... 273
    Using the SSL VPN Wizard for Client Configurations ... 274
    SSL VPN Wizard Step 1 of 6: Portal Settings ... 275
    SSL VPN Wizard Step 2 of 6: Domain Settings ... 277
    SSL VPN Wizard Step 3 of 6: User Settings ... 279
    SSL VPN Wizard Step 4 of 6: Client IP Address Range and Routes ... 281
    SSL VPN Wizard Step 5 of 6: Port Forwarding ... 283
    SSL VPN Wizard Step 6 of 6: Verify and Save Your Settings ... 285
    Accessing the New SSL Portal Login Screen ... 286
    Viewing the UTM SSL VPN Connection Status ... 288
    Viewing the UTM SSL VPN Log ... 288
    Manually Configuring and Editing SSL Connections ... 289
    Creating the Portal Layout ... 290
    Configuring Domains, Groups, and Users ... 294
    Configuring Applications for Port Forwarding ... 294
    Adding Servers and Port Numbers ... 295
    Adding A New Host Name ... 296
    Configuring the SSL VPN Client ... 297
    Configuring the Client IP Address Range ... 298
    Adding Routes for VPN Tunnel Clients ... 299
    Using Network Resource Objects to Simplify Policies ... 300
    Adding New Network Resources ... 301
    Editing Network Resources to Specify Addresses ... 302
    Configuring User, Group, and Global Policies ... 303
    Viewing Policies ... 304
    Adding a Policy ... 305

Chapter 9 Managing Users, Authentication, and Certificates ... 311
    Configuring VPN Authentication Domains, Groups, and Users ... 311
    Configuring Domains ... 312
    Configuring Groups for VPN Policies ... 316
    Creating and Deleting Groups ... 317
    Editing Groups ... 318
    Configuring User Accounts ... 319
    Setting User Login Policies ... 322
    Configuring Login Policies ... 322
    Configuring Login Restrictions Based on IP Address ... 323
    Configuring Login Restrictions Based on Web Browser ... 324
    Changing Passwords and Other User Settings ... 326
    Managing Digital Certificates ... 327
    Managing CA Certificates ... 329
    Managing Self Certificates ... 330
    Generating a CSR and Obtaining a Self Certificate from a CA ... 331
    Viewing and Managing Self Certificates ... 335
    Managing the Certificate Revocation List ... 335

Chapter 10 Network and System Management ... 337
    Performance Management ... 337
    Bandwidth Capacity ... 337
    Features That Reduce Traffic ... 338
    LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) ... 338
    Content Filtering ... 340
    Source MAC Filtering ... 341
    Features That Increase Traffic ... 341
    LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding) ... 342
    Port Triggering ... 343
    Configuring the DMZ Port ... 343
    For the information on how to enable the DMZ port, see “Configuring and Enabling the DMZ Port” on page 4-18. For the procedures on how to configure DMZ traffic rules, see “Setting DMZ WAN Rules” on page 5-15. ... 344
    Configuring Exposed Hosts ... 344
    Configuring VPN Tunnels ... 344
    Using QoS and Bandwidth Assignment to Shift the Traffic Mix ... 344
    Assigning QoS Profiles ... 344
    Monitoring Tools for Traffic Management ... 345
    System Management ... 345
    Changing Passwords and Administrator Settings ... 345
    Configuring Remote Management Access ... 348
    Using an SNMP Manager ... 350
    Managing the Configuration File ... 351
    Backup Settings ... 352
    Restore Settings ... 353
    Reverting to Factory Default Settings ... 354
    Updating the Firmware ... 354
    Viewing the Available Firmware Versions ... 355
    Upgrading the Firmware and Rebooting the UTM ... 356
    Rebooting Without Changing the Firmware ... 357
    Updating the Scan Signatures and Scan Engine Firmware ... 357
    Configuring Automatic Update and Frequency Settings ... 359
    Configuring Date and Time Service ... 360

Chapter 11 Monitoring System Access and Performance ... 363
    Enabling the WAN Traffic Meter ... 363
    Configuring Logging, Alerts, and Event Notifications ... 367
    Configuring the E-mail Notification Server ... 367
    Configuring and Activating System, E-mail, and Syslog Logs ... 368
    Configuring and Activating Update Failure and Attack Alerts ... 372
    Configuring and Activating Firewall Logs ... 375
    Monitoring Real-Time Traffic, Security, and Statistics ... 376
    Viewing Status Screens ... 382
    Viewing System Status ... 382
    Viewing Active VPN Users ... 386
    Viewing VPN Tunnel Connection Status ... 386
    Viewing Port Triggering Status ... 388
    Viewing the WAN Ports Status ... 389
    Viewing Attached Devices and the DHCP Log ... 391
    Viewing Attached Devices ... 391
    Viewing the DHCP Log ... 393
    Querying Logs and Generating Reports ... 394
    Querying the Logs ... 394
    Example: Using Logs to Identify Infected Clients ... 400
    Log Management ... 400
    Scheduling and Generating Reports ... 401
    Generating Reports ... 402
    Scheduling Reports ... 404
    Using Diagnostics Utilities ... 405
    Using the Network Diagnostic Tools ... 406
    Sending a Ping Packet ... 406
    Tracing a Route ... 407
    Displaying the Routing Table ... 407
    Looking up a DNS Address ... 407
    Using the Realtime Traffic Diagnostics Tool ... 408
    Gathering Important Log Information and Generating a Network Statistics Report ... 409
    Gathering Important Log Information ... 409
    Rebooting and Shutting Down the UTM ... 410

Chapter 12 Troubleshooting and Using Online Support ... 411
    Basic Functioning ... 412
    Power LED Not On ... 412
    Test LED Never Turns Off ... 412
    LAN or WAN Port LEDs Not On ... 413
    Troubleshooting the Web Management Interface ... 413
    When You Enter a URL or IP Address a Time-out Error Occurs ... 414
    Troubleshooting the ISP Connection ... 415
    Troubleshooting a TCP/IP Network Using a Ping Utility ... 417
    Testing the LAN Path to Your UTM ... 417
    Testing the Path from Your PC to a Remote Device ... 418
    Restoring the Default Configuration and Password ... 419
    Problems with Date and Time ... 420
    Using Online Support ... 420
    Enabling Remote Troubleshooting ... 420
    Sending Suspicious Files to NETGEAR for Analysis ... 421
    Accessing the Knowledge Base and Documentation ... 422

Appendix A Default Settings and Technical Specifications ... 423

Appendix B Network Planning for Dual WAN Ports (Dual-WAN Port Models Only) ... 427
    What to Consider Before You Begin ... 427
    Cabling and Computer Hardware Requirements ... 429
    Computer Network Configuration Requirements ... 429
    Internet Configuration Requirements ... 429
    Where Do I Get The Internet Configuration Information? ... 430
    Internet Connection Information ... 430
    Overview of the Planning Process ... 431
    Inbound Traffic ... 433
    Inbound Traffic to a Single WAN Port System ... 433
    Inbound Traffic to a Dual WAN Port System ... 434
    Inbound Traffic: Dual WAN Ports for Improved Reliability ... 434
    Inbound Traffic: Dual WAN Ports for Load Balancing ... 434
    Virtual Private Networks (VPNs) ... 435
    VPN Road Warrior (Client-to-Gateway) ... 437
    VPN Road Warrior: Single Gateway WAN Port (Reference Case) ... 437
    VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability ... 437
    VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing ... 439
    VPN Gateway-to-Gateway ... 439
    VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) ... 439
    VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability ... 440
    VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing ... 441
    VPN Telecommuter (Client-to-Gateway Through a NAT Router) ... 442
    VPN Telecommuter: Single Gateway WAN Port (Reference Case) ... 442
    VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability ... 443
    VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing ... 444

Appendix C System Logs and Error Messages ... 445
    System Log Messages ... 446
    System Startup ... 446
    Reboot ... 446
    Service Logs ... 447
    NTP ... 447
    Login/Logout ... 448
    Firewall Restart ... 448
    IPsec Restart ... 448
    WAN Status ... 449
    Auto-Rollover Mode ... 449
    Load-Balancing Mode ... 450
    PPP Logs ... 451
    Traffic Metering Logs ... 453
    Unicast Logs ... 453
    ICMP Redirect Logs ... 453
    Multicast/Broadcast Logs ... 454
    Invalid Packet Logging ... 454
    Content Filtering and Security Logs ... 456
    Web Filtering and Content Filtering Logs ... 456
    Spam Logs ... 457
    Traffic Logs ... 458
    Virus Logs ... 458
    E-mail Filter Logs ... 458
    IPS Logs ... 459
    Port Scan Logs ... 459
    Instant Messaging/Peer-to-Peer Logs ... 459
    Routing Logs ... 460
    LAN to WAN Logs ... 460
    LAN to DMZ Logs ... 460
    DMZ to WAN Logs ... 460
    WAN to LAN Logs ... 461
    DMZ to LAN Logs ... 461
    WAN to DMZ Logs ... 461

Appendix D Two Factor Authentication ... 463
    Why do I need Two-Factor Authentication? ... 463
    What are the benefits of Two-Factor Authentication? ... 463
    What is Two-Factor Authentication? ... 464
    NETGEAR Two-Factor Authentication Solutions ... 464

Appendix E Related Documents ... 467

Index ... 469

Size: 10.4 MB. Pages: 484. Language: English.