SRX5308 Reference Manual
Page 9
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Appendix A Default Settings and Technical Specifications Appendix B Network Planning for Multiple WAN Ports What to Consider Before You Begin B-1 Cabling and Computer Hardware Requirements B-3 Computer Network Configuration Requirements B-3 Internet Configuration Requirements B-3 Overview of the Planning Process B-5 Inbound Traffic ...B-7 Inbound Traffic to a Single WAN Port System B-7 Inbound Traffic to a Dual WAN Port System B-8 Virtual Private...
SRX5308 Reference Manual
Page 13
...configured within minutes. 1-1 v1.0, April 2010 For example, the SRX5308 provides support for secure and simple remote connections. The SRX5308 provides advanced IPsec and SSL VPN technologies for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support. on this chapter referred to as the SRX5308...Location for the SRX5308" on time of your network from attacks and intrusions. This chapter contains the following sections: • "What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall?" The ProSafe Gigabit Quad WAN SSL VPN Firewall, hereafter in...
SRX5308 Reference Manual
Page 16
... LAN. • Port forwarding with several features designed to your network. 1-4 Introduction v1.0, April 20104 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual A Powerful, True Firewall with Content Filtering Unlike simple NAT routers, the SRX5308 is a true firewall, using stateful packet inspection (SPI) to you at specified intervals. Its firewall features have configured an inbound rule. Incoming traffic from the local network.
SRX5308 Reference Manual
Page 17
... "normal" connection such as to a PC or an "uplink" connection such as NAT, allows the use of an inexpensive single-user ISP account. • Automatic configuration of cable to run a login program. • Quality of PCs on your Internet...configuration of Service (QoS). The SRX5308 supports QoS, including traffic prioritization and traffic classification with Auto Uplink With its own address as Auto Uplink accommodates either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308...
SRX5308 Reference Manual
Page 26
... v1.0, April 2010 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual 3. See "Configuring the WAN Mode" on the WAN ports (optional). See "Configuring Secondary WAN Addresses" on page 2-31. You can change the factory default MTU size and port speed. Configure the Internet connections to configure the WAN meters, see "Enabling the WAN Traffic Meter" on page 2-27. 7. Configure the WAN mode. See "Configuring Advanced WAN Options" on page...
SRX5308 Reference Manual
Page 40
... increased system reliability) or load balancing (for backup purposes, select the WAN port that WAN interface. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Configuring the WAN Mode The VPN firewall can be configured on page 2-21). If you do not select load balancing, you configure the WAN failure detection method on the WAN Advanced Options screen to travel on page 2-18). Note: Scenarios could arise...
SRX5308 Reference Manual
Page 41
...one address as the primary shared address for routing private IP addresses within a campus environment. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Note the following about NAT: • The VPN firewall uses NAT to select the correct PC (on your LAN) to receive any incoming data. • ...). 3. Click Apply to save your settings. Connecting the VPN Firewall to -one inbound mapping is configured using an inbound firewall rule. To configure NAT: 1. To gain Internet access, each PC on your LAN must use NAT (the default setting). • If your ISP has provided...
SRX5308 Reference Manual
Page 49
... for example, that displays a green circle. Click Apply to the Internet v1.0, April 2010 2-25 Configuring Secondary WAN Addresses You can add several secondary IP addresses to be accessed through multiple IP addresses by the rule. Add LAN...NAT IP drop-down lists of the following outbound firewall rule screens: - Select one of the following inbound firewall rule screens: - After you can assign different virtual IP addresses to a Web server and an FTP server, even though both servers use the same physical IP address. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308...
SRX5308 Reference Manual
Page 80
... port 4, see "Front Panel" on page 3-18. In some of the standard firewall security component that , by default, has fewer firewall restrictions when compared to work correctly with NAT. It permits you set up the DMZ port. The DMZ can run the application ...Configuring and Enabling the DMZ Port The demilitarized zone (DMZ) is a network that is not assigned until the next time the PC or device contacts the VPN firewall's DHCP server. By default, the DMZ port and both inbound and outbound DMZ traffic are used for the LAN. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308...
SRX5308 Reference Manual
Page 91
..."Setting Up IP/MAC Bindings" on page 4-46 • "Configuring Port Triggering" on page 4-48 • "Configuring Universal Plug and Play" on page 4-51 About Firewall Protection A firewall protects one network (the "trusted" network, such as your LAN...VPN firewall to protect your network from hacker intrusions or attacks, and controls the types of traffic that it considers whether the incoming packet is in response to protect your network. This chapter contains the following sections: • "About Firewall Protection" on page 3-14. Unlike simple Internet-sharing NAT routers, a firewall...
SRX5308 Reference Manual
Page 96
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 4-2. Bandwidth limiting occurs in load balancing mode. • For inbound traffic. The options are debugging your local computers. Never log traffic considered by this rule, whether it matches or not. The source address of your rules. • Never. For example: 4-6 Firewall... Protection v1.0, April 2010 The setting that you have configured. Inbound Rules (Port Forwarding) If you have enabled Network Address Translation (NAT), your host. This process ...
SRX5308 Reference Manual
Page 112
... - DMZ IP address: 192.168.10.2 - ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Figure 4-12 LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping In this example, we will configure multi-NAT to Web server is used to host an additional public IP address and associate this procedure: • NETGEAR VPN firewall: - LAN IP address subnet: 192.168...
SRX5308 Reference Manual
Page 113
... the primary IP address of the router that provides Internet access to your servers. To configure the VPN firewall for your use, you arrange with your ISP to your LAN PCs through NAT. Figure 4-13 Firewall Protection v1.0, April 2010 4-23 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Tip: If you can use in this example). The other addresses are...
SRX5308 Reference Manual
Page 144
..." Fixed (client-to VPN configuration. Load Balancing Mode FQDN Allowed (optional) FQDN required FQDN Allowed (optional) FQDN required FQDN Allowed (optional) FQDN required 5-2 Virtual Private Networking Using IPsec Connections v1.0, April 2010 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual The following diagrams and table show how the WAN mode selection relates to -gateway through a NAT router) Dynamic FQDN required...
SRX5308 Reference Manual
Page 289
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table 9-4. MAC Address The MAC address of the four LAN port. IP Address The IP address for this port. WAN Mode WAN State NAT The WAN mode can be either DHCP Enabled or DHCP Disabled. If the VLAN is not enabled on... if LAN port 4 is enabled as the DMZ port, its MAC address is enabled (see "Configuring the WAN Mode" on page 3-3). For information about configuring the WAN mode, see "Configuring Classical Routing" on this port. DHCP Status The status can be Single Port, Load Balancing, or...
SRX5308 Reference Manual
Page 329
...traffic. Fixed to-Gateway)" Allowed (FQDN optional) Dynamic FQDN required "VPN Gateway-to -Gateway through a NAT Router)" Dynamic Allowed (FQDN optional) FQDN required FQDN required FQDN required...firewall's WAN ports in a Dual WAN Port Configuration Configuration and WAN IP address Single WAN Port Dual WAN Port Configurations Configurations (Reference Cases) Rollover Modea Load Balancing Mode "VPN Road Warrior (Client- The addressing of WAN port traffic. IP Addressing Requirements for Multiple WAN Ports B-9 v1.0, April 2010 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308...
SRX5308 Reference Manual
Page 336
... The following situations exemplify the requirements for a remote PC client connected to the Internet with a gateway VPN firewall such as the responder. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual VPN Telecommuter (Client-to establish a VPN tunnel with a dynamic IP address through a NAT router to -Gateway through a NAT Router) Note: The telecommuter case presumes the home office has a dynamic IP address and...
SRX5308 Reference Manual
Page 337
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual VPN Telecommuter: Dual Gateway WAN Ports for Multiple WAN Ports v1.0, April 2010 B-17 Figure B-19 Network Planning for Improved Reliability In a dual WAN port auto-rollover gateway configuration, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in Figure B-18) because the IP address of the remote NAT router...
SRX5308 Reference Manual
Page 338
...IP address is not known in advance. B-18 Network Planning for Load Balancing In a dual WAN port load balancing gateway configuration, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two... the remote NAT router is dynamic, you must act as the responder. If an IP address is fixed, an FQDN is , WAN1 and WAN2) so that the remote PC client can be either fixed or dynamic. The selected gateway WAN port must use an FQDN. ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual ...
SRX5308 Reference Manual
Page 348
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual Table C-16. System Logs: IPsec VPN Tunnel, Tunnel Establishment Messages 1 through 5 2000 Jan 1 04:01:39 [SRX5308] [wand] [IPSEC] IPSEC Restarted 2000 Jan 1 04:02:09 [SRX5308] [wand] [FW] Firewall Restarted 2000 Jan 1 04:02:29 [SRX5308] [IKE] IKE stopped_ 2000 Jan 1 04:02:31 [SRX5308] [IKE] IKE started_ 2000 Jan 1 04:02:31 [SRX5308] [wand...