ProSafe Gigabit Quad WAN
SSL VPN Firewall SRX5308
Reference Manual
350 East Plumeria Drive
San Jose, CA 95134
USA
July, 2012
202-10536-04
v1.0
Download from Www.Somanuals.com. All Manuals Search And Download.
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
202-10536-02 1.0
July 2011
Added new features that are documented in the following
sections:
202-10536-01 1.0
April 2010
Initial publication of this reference manual.
Contents
Security Features
Package Contents
Hardware Features
Front Panel
Rear Panel
Log In to the VPN Firewall
IPv4
IPv6
Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection
Verify the Connection
What to Do Next
Port-Based VLANs
Manage the IPv6 LAN
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the DMZ
About Firewall Protection
Administrator Tips
Examples of Firewall Rules
Configure Content Filtering
Set Up IP/MAC Bindings
Configure Port Triggering
Chapter 5 Virtual Private Networking
Chapter 6 Virtual Private Networking
SSL VPN Portal Options
Create the Portal Layout
View Policies
Configure Groups
Bandwidth Capacity
View Status Screens
View the VPN Logs
Diagnostics Utilities
Send a Ping Packet
Basic Functioning
Factory Default Settings
Inbound Traffic
Virtual Private Networks
System Log Messages
NTP
Login/Logout
System Startup
Reboot
Firewall Restart
IPSec Restart
WAN Status
Traffic Meter Logs
Routing Logs
LAN to DMZ Logs
DMZ to LAN Logs
Bandwidth Limit Logs
DHCP Logs
1. Introduction
This chapter provides an overview of the features and capabilities of the ProSafe Gigabit Quad
WAN SSL VPN Firewall SRX5308 and explains how to log in to the device and use its web
management interface. The chapter contains the following sections:
Note: For more information about the topics covered in this manual, visit
What Is the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308?
The ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308, hereafter referred to as the
VPN firewall, connects your local area network (LAN) to the Internet through up to four
external broadband access devices such as cable or DSL modems or satellite or wireless
Internet dishes. Four wide area network (WAN) ports allow you to increase effective data rate
to the Internet by utilizing all WAN ports to carry session traffic or to maintain backup
connections in case of failure of your primary Internet connection.
The VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall protects your
IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traffic, and traffic
with objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site Automatic
Tunnel Addressing Protocol (ISATAP) tunnels.
The VPN firewall is a security solution that protects your network from attacks and intrusions.
For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of
service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple
web content filtering options, plus browsing activity reporting and instant alerts—both through
email. Network administrators can establish restricted access policies based on time of day,
website addresses, and address keywords.
The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and simple
remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures high data
transfer speeds.
The VPN firewall is a plug-and-play device that can be installed and configured within
minutes.
Key Features and Capabilities
The VPN firewall provides the following key features and capabilities:
• Four 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover protection of your Internet connection, providing increased data rate and increased system reliability.
• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer between local network resources and support for up to 200,000 internal or external connections.
• Both IPv4 and IPv6 support.
• Advanced IPSec VPN and SSL VPN support with support for up to 125 concurrent IPSec VPN tunnels and up to 50 concurrent SSL VPN tunnels.
• Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L).
• L2TP tunnel and PPTP tunnel support.
• Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.
• Extensive protocol support.
• One console port for local management.
• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for the NETGEAR ProSafe Network Management Software (NMS200) over a LAN connection.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.
• Rack-mounting kit for 1U rackmounting.
Quad-WAN Ports for Increased Reliability and Load Balancing
The VPN firewall provides four broadband WAN ports. These WAN ports allow you to
connect additional broadband Internet lines that can be configured to:
• Load-balance outbound traffic between up to four lines for maximum bandwidth efficiency.
• Provide backup and rollover if one line is inoperable, ensuring that you are never disconnected.
factors to consider when implementing the following capabilities with multiple WAN port
gateways:
• Single or multiple exposed hosts.
• Virtual private networks (VPNs).
Advanced VPN Support for Both IPSec and SSL
The VPN firewall supports IPSec and SSL virtual private network (VPN) connections:
• IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
  - IPSec VPN with broad protocol support for secure connection to other IPSec gateways and clients.
  - Up to 125 simultaneous IPSec VPN connections.
  - Bundled with a 30-day trial license for the ProSafe VPN Client software (VPN01L).
• SSL VPN provides remote access for mobile users to selected corporate resources without requiring a preinstalled VPN client on their computers.
  - Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
  - Up to 50 simultaneous SSL VPN connections.
  - Allows browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
  - Provides granular access to corporate resources based on user type or group membership.
A Powerful, True Firewall with Content Filtering
Unlike simple NAT routers, the VPN firewall is a true firewall, using stateful packet inspection
(SPI) to defend against hacker attacks. Its firewall features have the following capabilities:
• DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN flood.
• Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
• Content filtering. Prevents objectionable content from reaching your computers. You can control access to Internet content by screening for web services, web addresses, and keywords within web addresses.
• Schedule policies. Permits scheduling of firewall policies by day and time.
• Logs security incidents. Logs security events such as logins and secure logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your email address or email pager when a significant event occurs.
Security Features
The VPN firewall is equipped with several features designed to maintain security:
• Computers hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
• Port forwarding with NAT. Although NAT prevents Internet locations from directly accessing the computers on the LAN, the VPN firewall allows you to direct incoming traffic to specific computers based on the service port number of the incoming request.
• DMZ port. Incoming traffic from the Internet is usually discarded by the VPN firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your network.
Autosensing Ethernet Connections with Auto Uplink
With its internal four-port 10/100/1000 Mbps switch and four 10/100/1000 WAN ports, the
VPN firewall can connect to a 10-Mbps standard Ethernet network, a 100-Mbps Fast Ethernet
network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN
and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
The VPN firewall incorporates Auto Uplink™ technology. Each Ethernet port automatically
senses whether the Ethernet cable plugged into the port should have a normal connection
such as to a computer or an uplink connection such as to a switch or hub. That port then
configures itself correctly. This feature eliminates the need for you to think about crossover
cables, as Auto Uplink accommodates either type of cable to make the right connection.
Extensive Protocol Support
The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and
Routing Information Protocol (RIP). The VPN firewall provides the following protocol support:
• IP address sharing by NAT. The VPN firewall allows many networked computers to share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.
• Automatic configuration of attached computers by DHCP. The VPN firewall dynamically assigns network configuration information, including IP, gateway, and Domain Name Server (DNS) addresses, to attached computers on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.
• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.
• Quality of Service (QoS). The VPN firewall supports QoS, including traffic prioritization and traffic classification with Type of Service (ToS) and Differentiated Services Code Point (DSCP) marking.
• Layer 2 Tunneling Protocol (L2TP). A tunneling protocol that is used to support virtual private networks (VPNs).
• Point to Point Tunneling Protocol (PPTP). Another tunneling protocol that is used to support VPNs.
Easy Installation and Management
You can install, configure, and operate the VPN firewall within minutes after connecting it to
the network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily configure the VPN firewall from almost any type of operating system, such as Windows, Macintosh, or Linux. Online help documentation is built into the browser-based web management interface.
• Auto-detection of ISP. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
• IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
• Diagnostic functions. The VPN firewall incorporates built-in diagnostic functions such as ping, traceroute, DNS lookup, and remote reboot.
• Remote management. The VPN firewall allows you to log in to the web management interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall:
• Flash memory for firmware upgrades.
• Technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR website at
Package Contents
The VPN firewall product package contains the following items:
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
• One AC power cable
• One Category 5 (Cat 5) Ethernet cable
• One rack-mounting kit
• ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation Guide
• Resource CD, including:
  - Application Notes and other helpful information
  - ProSafe VPN Client software (VPN01L)
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep
the carton, including the original packing materials, in case you need to return the product for
repair.
Hardware Features
The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are
described in the following sections.
Front Panel
Viewed from left to right, the VPN firewall front panel contains the following ports (see the
following figure).
• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors
• WAN Ethernet ports. Four independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors
The front panel also contains three groups of status indicator light-emitting diodes (LEDs),
including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in the
following table.
Figure 1. Front panel callouts: Power LED, Test LED, Left LAN LEDs, Right LAN LEDs, DMZ LED, Left WAN LEDs, Right WAN LEDs, Internet LEDs
Table 1. LED descriptions

| LED | Activity | Description |
|---|---|---|
| Power | On (green) | Power is supplied to the VPN firewall. |
| Power | Off | Power is not supplied to the VPN firewall. |
| Test | On (amber) during startup. | Test mode: The VPN firewall is initializing. After approximately 2 minutes, when the VPN firewall has completed its initialization, the Test LED goes off. |
| Test | On (amber) during any other time | The initialization has failed, or a hardware failure has occurred. |
| Test | Blinking (amber) | The VPN firewall is writing to flash memory (during upgrading or resetting to defaults). |
| Test | Off | The system has booted successfully. |
| LAN Ports | | |
| Left LED | On (green) | The LAN port has detected a link with a connected Ethernet device. |
| Left LED | Blinking (green) | The LAN port receives or transmits data. |
| Left LED | Off | The LAN port has no link. |
| Right LED | On (green) | The LAN port operates at 1000 Mbps. |
| Right LED | On (amber) | The LAN port operates at 100 Mbps. |
| Right LED | Off | The LAN port operates at 10 Mbps. |
| DMZ LED | On (green) | Port 4 operates as a dedicated hardware DMZ port. |
| DMZ LED | Off | Port 4 operates as a normal LAN port. |
| WAN Ports | | |
| Left LED | On (green) | The WAN port has a valid connection with a device that provides an Internet connection. |
| Left LED | Blinking (green) | The WAN port receives or transmits data. |
| Left LED | Off | The WAN port has no physical link, that is, no Ethernet cable is plugged into the VPN firewall. |
| Right LED | On (green) | The WAN port operates at 1000 Mbps. |
| Right LED | On (amber) | The WAN port operates at 100 Mbps. |
| Right LED | Off | The WAN port operates at 10 Mbps. |
| Internet LED | On (green) | The WAN port has a valid Internet connection. |
| Internet LED | Off | The WAN port is either not enabled or has no link to the Internet. |
Rear Panel
The rear panel of the VPN firewall includes a console port, a Factory Defaults Reset button, a
cable lock receptacle, an AC power connection, and a power switch.
Figure 2. Rear panel callouts: Security lock receptacle, Console port, Factory Defaults Reset button, AC power receptacle, Power switch
Viewed from left to right, the rear panel contains the following components:
1. Cable security lock receptacle.
2. Console port. Port for connecting to an optional console terminal. The port has a DB9 male
connector. The default baud rate is 115200 K. The pinouts are (2) Tx, (3) Rx, (5) and (7)
Gnd. For information about accessing the command-line interface (CLI) using the console
3. Factory Defaults Reset button. Using a sharp object, press and hold this button for about
8 seconds until the front panel Test LED flashes to reset the VPN firewall to factory default
settings. All configuration settings are lost, and the default password is restored.
4. AC power receptacle. Universal AC input (100–240 VAC, 50–60 Hz).
5. A power on/off switch.
Bottom Panel with Product Label
The product label on the bottom of the VPN firewall’s enclosure displays factory default
settings, regulatory compliance, and other information.
Figure 3.
Choose a Location for the VPN Firewall
The VPN firewall is suitable for use in an office environment where it can be freestanding (on
its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can
rack-mount the VPN firewall in a wiring closet or equipment room.
Consider the following when deciding where to position the VPN firewall:
• The unit is accessible, and cables can be connected easily.
• Cabling is away from sources of electrical noise. These include lift shafts, microwave ovens, and air-conditioning units.
• Water or moisture cannot enter the case of the unit.
• Airflow around the unit and through the vents in the side of the case is not restricted. Provide a minimum of 25 mm or 1-inch clearance.
• The air is as free of dust as possible.
• Temperature operating limits are not likely to be exceeded. Install the unit in a clean, air-conditioned environment. For information about the recommended operating
Use the Rack-Mounting Kit
Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the
mounting brackets using the hardware that is supplied with the mounting kit.
Figure 4.
Before mounting the VPN firewall in a rack, verify that:
• You have the correct screws (supplied with the installation kit).
• The rack onto which you plan to mount the VPN firewall is suitably located.
Log In to the VPN Firewall
Note: To connect the VPN firewall physically to your network, connect the
cables and restart your network according to the instructions in the
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Installation
Guide. A PDF of this guide is on the NETGEAR support website at
To configure the VPN firewall, you need to use a web browser such as Microsoft Internet
Explorer 7.0 or later, Mozilla Firefox 4.0 or later, or Apple Safari 3.0 or later with JavaScript,
cookies, and SSL enabled. (Google Chrome is not supported at this time.)
Although these web browsers are qualified for use with the VPN firewall’s web management
interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies,
SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is required
only for the SSL VPN portal, not for the web management interface.
To log in to the VPN firewall:
1. Start any of the qualified web browsers.
2. In the address field, enter https://192.168.1.1. The NETGEAR Configuration Manager Login
screen displays in the browser.
Note: The VPN firewall factory default IP address is 192.168.1.1. If you
change the IP address, you need to use the IP address that you
assigned to the VPN firewall to log in to the VPN firewall.
Figure 5.
Note: The first time that you remotely connect to the VPN firewall with a
browser through an SSL connection, you might get a warning
message regarding the SSL certificate. Follow the directions of your
browser to accept the SSL certificate.
3. In the User Name field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here, too, use lowercase letters.
Note: The VPN firewall user name and password are not the same as any
user name or password you might use to log in to your Internet
connection.
Note: Leave the domain as it is (geardomain).
5. Click Login. The web management interface displays, showing the Router Status screen.
The following figure shows the top part of the Router Status screen. For more information,
Note: After 5 minutes of inactivity (the default login time-out), you are
automatically logged out.
Figure 6.
Web Management Interface Menu Layout
The following figure shows the menu at the top of the web management interface:
Figure 7. Menu callouts: 1st level: Main navigation menu link (orange); 2nd level: Configuration menu link (gray); 3rd level: Submenu tab (blue); Option arrows: Additional screen for submenu item; IP radio buttons
The web management interface menu consists of the following components:
• 1st level: Main navigation menu links. The main navigation menu in the orange bar across the top of the web management interface provides access to all the configuration functions of the VPN firewall, and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.
• 2nd level: Configuration menu links. The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.
• 3rd level: Submenu tabs. Each configuration menu item has one or more submenu tabs that are listed below the gray menu bar. When you select a submenu tab, the text is displayed in white against a blue background.
• Option arrows. If there are additional screens for the submenu item, links to the screens display on the right side in blue letters against a white background, preceded by a white arrow in a blue circle.
• IP radio buttons. The IPv4 and IPv6 radio buttons let you select the IP version for the feature to be configured onscreen. There are four options:
  - Both buttons are operational. You can configure the feature onscreen for IPv4 functionality or for IPv6 functionality. After you have correctly configured the feature for both IP versions, the feature can function with both IP versions simultaneously.
  - The IPv4 button is operational but the IPv6 button is disabled. You can configure the feature onscreen for IPv4 functionality only.
  - The IPv6 button is operational but the IPv4 button is disabled. You can configure the feature onscreen for IPv6 functionality only.
  - Both buttons are disabled. IP functionality does not apply.
The bottom of each screen provides action buttons. The nature of the screen determines
which action buttons are shown. The following figure shows an example:
Figure 8.
Any of the following action buttons might display onscreen (this list might not be complete):
• Apply. Save and apply the configuration.
• Reset. Reset the configuration to the previously saved configuration.
• Test. Test the configuration.
• Auto Detect. Enable the VPN firewall to detect the configuration automatically and suggest values for the configuration.
• Cancel. Cancel the operation.
When a screen includes a table, table buttons display to let you configure the table entries.
The nature of the screen determines which table buttons are shown. The following figure
shows an example:
Figure 9.
Any of the following table buttons might display onscreen:
• Select All. Select all entries in the table.
• Delete. Delete the selected entry or entries from the table.
• Enable. Enable the selected entry or entries in the table.
• Disable. Disable the selected entry or entries in the table.
• Add. Add an entry to the table.
• Edit. Edit the selected entry.
• Up. Move the selected entry up in the table.
• Down. Move the selected entry down in the table.
• Apply. Apply the selected entry.
Almost all screens and sections of screens have an accompanying help screen. To open the
help screen, click the (question mark) icon.
Requirements for Entering IP Addresses
To connect to the VPN firewall, your computer needs to be configured to obtain an IP address
automatically from the VPN firewall, either an IPv4 address through DHCP or an IPv6
address through DHCPv6, or both.
IPv4
The fourth octet of an IP address needs to be between 0 and 255 (both inclusive). This
requirement applies to any IP address that you enter on a screen of the web management
interface.
IPv6
IPv6 addresses are denoted by eight groups of hexadecimal quartets that are separated by
colons. Any four-digit group of zeroes within an IPv6 address can be reduced to a single zero
or altogether omitted.
The following errors invalidate an IPv6 address:
• More than eight groups of hexadecimal quartets
• More than four hexadecimal characters in a quartet
• More than two colons in a row
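The three error conditions above can be checked mechanically. The following Python sketch is an added example, not NETGEAR code: it reports which of the listed rules an address breaks and cross-checks the result against the standard library's strict parser, because the three listed errors do not cover every malformed address (a second "::", for instance). The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# The three invalidating errors listed in the manual.
RULE_GROUPS = "more than eight groups of hexadecimal quartets"
RULE_QUARTET = "more than four hexadecimal characters in a quartet"
RULE_COLONS = "more than two colons in a row"
# Anything else the strict parser rejects (not one of the manual's three rules).
RULE_OTHER = "rejected by strict parser"


def manual_rule_violations(text):
    """Return the manual's rules that `text` breaks, in the order listed.

    Only colon-separated hexadecimal notation is considered; an embedded
    dotted-quad tail (IPv4-mapped notation) is outside the manual's
    description and is not handled here.
    """
    violations = []
    groups = [g for g in text.split(":") if g]  # empty strings come from "::"
    if len(groups) > 8:
        violations.append(RULE_GROUPS)
    if any(len(g) > 4 for g in groups):
        violations.append(RULE_QUARTET)
    if ":::" in text:
        violations.append(RULE_COLONS)
    return violations


def check_ipv6(text):
    """Return (is_valid, reasons, canonical_form_or_None)."""
    reasons = manual_rule_violations(text)
    try:
        # .compressed applies the zero-group shortening the manual describes.
        canonical = ipaddress.IPv6Address(text).compressed
    except ValueError:
        canonical = None
        if not reasons:
            reasons.append(RULE_OTHER)
    return (canonical is not None and not reasons, reasons, canonical)


# Constructed sample input (2001:db8::/32 is the documentation prefix).
SAMPLES = [
    "2001:0db8:0000:0000:0000:0000:0000:0001",  # full form
    "2001:db8:0:0:0:0:0:1",                     # zero groups reduced to 0
    "2001:db8::1",                              # zero groups omitted
    "2001:db8:1:2:3:4:5:6:7",                   # nine groups
    "2001:db8::12345",                          # five characters in a quartet
    "2001:db8:::1",                             # three colons in a row
    "2001:db8::1::2",                           # passes the three rules, still invalid
    "2001:db8::g1",                             # non-hexadecimal character
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reasons, canonical = check_ipv6(sample)
        verdict = canonical if ok else "INVALID: " + "; ".join(reasons)
        print(f"{sample:42} {verdict}")
```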
2. IPv4 and IPv6 Internet and WAN Settings
This chapter explains how to configure the IPv4 and IPv6 Internet and WAN settings. The
chapter contains the following sections:
Internet and WAN Configuration Tasks
Typically, the VPN firewall is installed as a network gateway to function as a combined LAN
switch and firewall to protect the network from incoming threats and provide secure
connections. To complement the firewall protection, NETGEAR advises that you use a
gateway security appliance such as a NETGEAR ProSecure STM appliance.
The tasks that are required to complete the Internet connection of your VPN firewall depend
on whether you use an IPv4 connection, an IPv6 connection, or both to your Internet service
provider (ISP).
Note: The VPN firewall supports simultaneous IPv4 and IPv6 connections.
Tasks to Set Up IPv4 Internet Connections to Your ISPs
Complete these tasks:
1. Configure the IPv4 routing mode. Select either NAT or classical routing: see
2. Configure the IPv4 Internet connections to your ISPs. Connect to one or more ISPs by
configuring up to four WAN interfaces: See one of the following sections:
As an option, you can program the WAN traffic meter: See Configure and Enable the
3. (Optional) Configure either load balancing or auto-rollover. Select load balancing or
auto-rollover and a failure detection method: See Configure Load Balancing or
(single) WAN mode. If you configure load balancing, you can also configure protocol binding.
4. (Optional) Configure secondary WAN addresses on the WAN interfaces. Configure
5. (Optional) Configure Dynamic DNS on the WAN interfaces. If required, configure your
6. (Optional) Configure the WAN options. If required, change the factory default MTU size,
port speed, and MAC address of the VPN firewall: See Configure Advanced WAN Options
change the settings.
Tasks to Set Up an IPv6 Internet Connection to Your ISPs
Note: You can configure one WAN interface only for IPv6. This restriction
might be lifted in a later release.
Complete these tasks:
1. Configure the IPv6 routing mode. Configure the VPN firewall to support both devices
with IPv4 addresses and devices with IPv6 addresses: See Configure the IPv6 Routing
2. Configure the IPv6 Internet connections to your ISPs. Connect to an ISP by configuring
a WAN interface: See one of the following sections:
3. Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISATAP tunnels: See
4. (Optional) Configure Stateless IP/ICMP Translation (SIIT). Enable IPv6 devices that do
not have permanently assigned IPv4 addresses to communicate with IPv4-only devices:
5. (Optional) Configure the WAN options. If required, change the factory default MTU size,
port speed, and MAC address of the VPN firewall: See Configure Advanced WAN Options
change the settings.
Configure the IPv4 Internet Connection and WAN Settings
To set up your VPN firewall for secure IPv4 Internet connections, you need to determine the
IPv4 WAN mode (see the next section) and then configure the IPv4 Internet connection to
your ISP on the WAN port. The web management interface offers two connection
configuration options, discussed in the following sections:
Configure the IPv4 WAN Mode
By default, IPv4 is supported and functions in NAT mode but can also function in classical
routing mode. IPv4 functions the same way in IPv4-only mode that it does in IPv4 / IPv6
page 52).
Network Address Translation
Network Address Translation (NAT) allows all computers on your LAN to share a single public
Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a
single IP address. Computers on your LAN can use any private IP address range, and these
IP addresses are not visible from the Internet.
Note the following about NAT:
• The VPN firewall uses NAT to select the correct computer (on your LAN) to receive any
  incoming data.
• If you have only a single public Internet IP address, you need to use NAT (the default
  setting).
• If your ISP has provided you with multiple public IP addresses, you can use one address
  as the primary shared address for Internet access by your computers, and you can map
  incoming traffic on the other public IP addresses to specific computers on your LAN. This
  one-to-one inbound mapping is configured using an inbound firewall rule.
Classical Routing
In classical routing mode, the VPN firewall performs routing, but without NAT. To gain Internet
access, each computer on your LAN needs to have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to you, and you have assigned one
of these addresses to each computer, you can choose classical routing. Or you can use
classical routing for routing private IP addresses within a campus environment.
Configure the IPv4 Routing Mode
To configure the IPv4 routing mode:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen
displays:
Figure 10.
2. In the NAT (Network Address Translation) section of the screen, select the NAT radio button
or the Classical Routing radio button.
WARNING:
Changing the WAN mode causes all LAN WAN and DMZ WAN
inbound rules to revert to default settings.
3. Click Apply to save your settings. These settings apply to all WAN ports.
Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection
To automatically configure a WAN port for an IPv4 connection to the Internet:
1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the
screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the
IPv4 settings:
Figure 11.
The IPv4 WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IPv4 address of the WAN interface.
• Failure Detection Method. The failure detection method that is active for the WAN
  interface. The following methods can be displayed:
  - None
  - DNS Lookup (WAN DNS Servers)
  - DNS Lookup (the configured IP address is displayed)
  - PING (the configured IP address is displayed)
  You can set the failure detection method for each WAN interface on its corresponding
  WAN Advanced Options screen (see Configure the Auto-Rollover Mode and Failure
• Action. The Edit table button provides access to the WAN IPv4 ISP Settings screen
2. Click the Edit table button in the Action column of the WAN interface for which you want to
automatically configure the connection to the Internet. The WAN IPv4 ISP Settings screen
displays. (The following figure shows the WAN2 IPv4 ISP Settings screen as an example.)
Figure 12.
3. Click the Auto Detect button at the bottom of the screen. The autodetect process probes
the WAN port for a range of connection methods and suggests one that your ISP is most
likely to support.
The autodetect process returns one of the following results:
• If the autodetect process is successful, a status bar at the top of the screen displays
  the results (for example, DHCP service detected).
• If the autodetect process senses a connection method that requires input from you, it
  prompts you for the information. The following table explains the settings that you
  might have to enter:

Table 2. IPv4 Internet connection methods

| Connection Method | Manual Data Input Required |
|---|---|
| DHCP (Dynamic IP) | No manual data input is required. |
| PPPoE | The following fields are required: Login, Password, Account Name, Domain Name |
| PPTP | The following fields are required: Login, Password, Account Name, Domain Name, My IP Address, Server IP Address |
| Fixed (Static) IP | The following fields are required: IP Address, IP Subnet Mask, Gateway IP Address, Primary DNS Server, Secondary DNS Server |

• If the autodetect process does not find a connection, you are prompted either to
  check the physical connection between your VPN firewall and the cable, DSL line, or
  satellite or wireless Internet dish, or to check your VPN firewall’s MAC address. For
4. Verify the connection:
a. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup
b. In the Action column, click the Status button of the WAN interface for which you
want to display the Connection Status pop-up screen. (The following figure shows a
static IP address configuration.)
Figure 13.
The Connection Status screen should show a valid IP address and gateway, and you are
connected to the Internet. If the configuration was not successful, skip ahead to Manually
Manually Configure an IPv4 Internet Connection
Unless your ISP automatically assigns your configuration through a DHCP server, you need
to obtain configuration parameters from your ISP to manually establish an Internet
To manually configure the WAN IPv4 ISP settings:
1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the
screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the
IPv4 settings:
Figure 14.
The IPv4 WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IPv4 address of the WAN interface.
• Failure Detection Method. The failure detection method that is active for the WAN
  interface. The following methods can be displayed:
  - None
  - DNS Lookup (WAN DNS Servers)
  - DNS Lookup (the configured IP address is displayed)
  - PING (the configured IP address is displayed)
  You can set the failure detection method for each WAN interface on its corresponding
  WAN Advanced Options screen (see Configure the Auto-Rollover Mode and Failure
• Action. The Edit table button provides access to the WAN IPv4 ISP Settings screen
2. Click the Edit table button in the Action column of the WAN interface for which you want to
manually configure the connection to the Internet. The WAN IPv4 ISP Settings screen
example).
3. Locate the ISP Login section on the screen:
Figure 15.
In the ISP Login section, select one of the following options:
• If your ISP requires an initial login to establish an Internet connection, select Yes.
  (The default is No.)
• If a login is not required, select No, and ignore the Login and Password fields.
4. If you selected Yes, enter the login name in the Login field and the password in the
Password field. This information is provided by your ISP.
5. In the ISP Type section of the screen, select the type of ISP connection that you use from
the two listed options. By default, Austria (PPTP) is selected, as shown in the following
figure:
Figure 16.
6. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as
explained in the following table:
Table 3. PPTP and PPPoE settings

| Setting | Field | Description |
|---|---|---|
| Austria (PPTP) | | If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button, and enter the following settings. Note: For login and password information, see |
| | Account Name | The account name is also known as the host name or system name. Enter the valid account name for the PPTP connection (usually your email ID assigned by your ISP). Some ISPs require you to enter your full email address here. |
| | Domain Name | Your domain name or workgroup name assigned by your ISP, or your ISP’s domain name. You can leave this field blank. |
| | Idle Timeout | Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period, select the Idle Timeout radio button and, in the Idle Timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in. |
| | My IP Address | The IP address assigned by the ISP to make the connection with the ISP server. |
| | Server IP Address | The IP address of the PPTP server. |
| Other (PPPoE) | | If you have installed login software, then your connection type is PPPoE. Select this radio button, and enter the following settings. Note: For login and password information, see |
| | Account Name | The valid account name for the PPPoE connection. |
| | Domain Name | The name of your ISP’s domain or your domain name if your ISP has assigned one. You can leave this field blank. |
| | Idle Timeout | Select the Keep Connected radio button to keep the connection always on. To log out after the connection is idle for a period, select the Idle Timeout radio button and, in the Idle Timeout field, enter the number of minutes to wait before disconnecting. This is useful if your ISP charges you based on the period that you have logged in. |
| | Connection Reset | Select the Connection Reset check box to specify a time when the PPPoE WAN connection is reset, that is, the connection is disconnected momentarily and then reestablished. Then specify the disconnect time and delay. |
| | Connection Reset: Disconnect Time | Specify the hour and minutes when the connection should be disconnected. |
| | Connection Reset: Delay | Specify the period in seconds after which the connection should be reestablished. |
7. In the Internet (IP) Address section of the screen (see the following figure), configure the IP
address settings as explained in the following table. Click the Current IP Address link to
see the currently assigned IP address.
Figure 17.
Table 4. Internet IP address settings

| Setting | Field | Description |
|---|---|---|
| Get Dynamically from ISP | | If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the VPN firewall using DHCP network protocol. |
| | Client Identifier | If your ISP requires client identifier information to assign an IP address using DHCP, select the Client Identifier check box, and enter the client identifier information in the field. |
| | Vendor Class Identifier | If your ISP requires the vendor class identifier information to assign an IP address using DHCP, select the Vendor Class Identifier check box. |
| Use Static IP Address | | If your ISP has assigned you a fixed (static or permanent) IP address, select the Use Static IP Address radio button, and enter the following settings: |
| | IP Address | The static IP address assigned to you. This address identifies the VPN firewall to your ISP. |
| | IP Subnet Mask | The subnet mask is usually provided by your ISP. |
| | Gateway IP Address | The IP address of the ISP’s gateway is usually provided by your ISP. |
8. In the Domain Name Server (DNS) Servers section of the screen (see the following figure),
specify the DNS settings as explained in the following table.
Figure 18.
Table 5. DNS server settings

| Setting | Field | Description |
|---|---|---|
| Get Automatically from ISP | | If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get Automatically from ISP radio button. |
| Use These DNS Servers | | If your ISP has assigned DNS addresses, select the Use These DNS Servers radio button. Make sure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries might cause connectivity issues. |
| | Primary DNS Server | The IP address of the primary DNS server. |
| | Secondary DNS Server | The IP address of the secondary DNS server. |
9. Click Apply to save your changes.
10. Click Test to evaluate your entries. The VPN firewall attempts to make a connection
according to the settings that you entered.
11. Verify the connection:
a. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup
b. In the Action column, click the Status button of the WAN interface for which you
want to display the Connection Status pop-up screen. (The following figure shows a
PPPoE configuration; the IP addresses are not related to any other examples in this
manual.)
Figure 19.
The Connection Status screen should show a valid IP address and gateway, and you are
connected to the Internet. If the configuration was not successful, see Troubleshoot the
Note: If your ISP requires MAC authentication and another MAC address
has been previously registered with your ISP, then you need to enter
that address on the WAN Advanced Options screen for the WAN
Configure Load Balancing or Auto-Rollover
The VPN firewall can be configured on a mutually exclusive basis for either auto-rollover (for
increased system reliability) or load balancing (for maximum bandwidth efficiency). If you do
not select load balancing, you need to specify one WAN interface as the primary interface.
• Load balancing mode. The VPN firewall distributes the outbound traffic equally among
  the WAN interfaces that are functional. You can configure up to four WAN interfaces. The
  VPN firewall supports weighted load balancing and round-robin load balancing (see
  Note: Scenarios could arise in which load balancing needs to be bypassed
  for certain traffic or applications. If certain traffic needs to travel on a
  specific WAN interface, configure protocol binding rules for that
  WAN interface. The rule should match the desired traffic.
• Primary WAN mode. The selected WAN interface is made the primary interface. The
  other three interfaces are disabled.
• Auto-rollover mode. The selected WAN interface is defined as the primary link, and
  another interface needs to be defined as the rollover link. The remaining two interfaces
  are disabled. As long as the primary link is up, all traffic is sent over the primary link.
  When the primary link goes down, the rollover link is brought up to send the traffic. When
  the primary link comes back up, traffic automatically rolls back to the original primary link.
  If you want to use a redundant ISP link for backup purposes, select the WAN port that
  should function as the primary link for this mode. Ensure that the backup WAN port has
  also been configured and that you configure the WAN failure detection method on the
  WAN Advanced Options screen to support auto-rollover (see Configure the Auto-Rollover
Note: If the VPN firewall functions in IPv4 / IPv6 mode, you cannot
configure load balancing mode or auto-rollover mode.
Configure Load Balancing Mode and Optional Protocol Binding
To use multiple ISP links simultaneously, configure load balancing. In load balancing mode,
any WAN port carries any outbound protocol unless protocol binding is configured.
When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is
directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1
port and the FTP protocol is bound to the WAN2 port, then the VPN firewall automatically
routes all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All
outbound FTP traffic is routed through the WAN2 port.
Protocol binding addresses two issues:
• Segregation of traffic between links that are not of the same speed.
  High-volume traffic can be routed through the WAN port connected to a high-speed link,
  and low-volume traffic can be routed through the WAN port connected to the low-speed
  link.
• Continuity of source IP address for secure connections.
  Some services, particularly HTTPS, cease to respond when a client’s source IP address
  changes shortly after a session has been established.
Configure Load Balancing Mode
To configure load balancing mode:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen
displays:
Figure 20.
2. In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Load Balancing Mode radio button.
b. From the corresponding drop-down list on the right, select one of the following load
balancing methods:
   • Weighted LB. With weighted load balancing, balance weights are calculated
     based on WAN link speed and available WAN bandwidth. This is the default
     setting and most efficient load balancing algorithm.
   • Round-robin. With round-robin load balancing, new traffic connections are sent
     over a WAN link in a serial method irrespective of bandwidth or link speed. For
     example, if the WAN1, WAN2, and WAN3 interfaces are active in round-robin load
     balancing mode, an HTTP request could first be sent over the WAN1 interface,
     then a new FTP session could start on the WAN2 interface, and then any new
     connection to the Internet could be made on the WAN3 interface. This
     load balancing method ensures that a single WAN interface does not carry a
     disproportionate distribution of sessions.
3. Click Apply to save your settings.
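The interaction between round-robin load balancing and protocol binding described above can be modeled in a few lines. This Python sketch is an added example, not the firewall's own logic: it assumes that the first enabled matching binding wins, that bound traffic does not advance the round-robin counter, and that only the Any, single address, and address range options are modeled. All class names, function names, and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

AddrRange = Optional[Tuple[str, str]]  # None models "Any"; (start, end) is inclusive


@dataclass
class Binding:
    """One row of the Protocol Bindings table (Group option not modeled)."""
    service: str
    gateway: str            # "Local Gateway": the WAN interface the service is bound to
    src: AddrRange = None   # "Source Network"
    dst: AddrRange = None   # "Destination Network"
    enabled: bool = True


def in_range(addr, rng):
    """True if addr falls inside rng; a single address is (ip, ip)."""
    if rng is None:
        return True
    ip = ipaddress.IPv4Address(addr)
    return ipaddress.IPv4Address(rng[0]) <= ip <= ipaddress.IPv4Address(rng[1])


class LoadBalancer:
    """Round-robin WAN selection with optional protocol bindings."""

    def __init__(self, wans, bindings=()):
        self.wans = list(wans)
        self.bindings = list(bindings)
        self._next = 0  # index of the WAN that gets the next unbound connection

    def select(self, service, src, dst):
        # ASSUMPTION: first enabled binding that matches wins.
        for b in self.bindings:
            if (b.enabled and b.service == service
                    and in_range(src, b.src) and in_range(dst, b.dst)):
                return b.gateway
        wan = self.wans[self._next % len(self.wans)]
        self._next += 1
        return wan


def egress_wans(balancer, connections):
    """Return the WAN chosen for each (service, src, dst) connection in order."""
    return [balancer.select(*conn) for conn in connections]


# Constructed sample traffic: one LAN client opening three HTTPS connections.
CLIENT, SERVER = "192.168.1.10", "203.0.113.5"
HTTPS_BURST = [("HTTPS", CLIENT, SERVER)] * 3

if __name__ == "__main__":
    wans = ["WAN1", "WAN2", "WAN3"]
    # Without a binding the same client leaves through three different WANs,
    # so the server sees three different source IP addresses.
    print(egress_wans(LoadBalancer(wans), HTTPS_BURST))
    # With the manual's example bindings, HTTPS stays on WAN1.
    bound = LoadBalancer(wans, [Binding("HTTPS", "WAN1"), Binding("FTP", "WAN2")])
    print(egress_wans(bound, HTTPS_BURST))
```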
Configure Protocol Binding (Optional)
To configure protocol binding and add protocol binding rules:
1. Select Network Configuration > Protocol Binding.
2. Select the Load Balancing radio button. The Protocol Bindings screen displays. (The
following figure shows two examples in the Protocol Bindings table.)
Figure 21.
The Protocol Bindings table displays the following fields:
• Check box. Allows you to select the protocol binding rule in the table.
• Status icon. Indicates the status of the protocol binding rule:
  - Green circle. The protocol binding rule is enabled.
  - Gray circle. The protocol binding rule is disabled.
• Service. The service or protocol for which the protocol binding rule is set up.
• Local Gateway. The WAN interface to which the service or protocol is bound.
• Source Network. The computers or groups on your network that are affected by the
  protocol binding rule.
• Destination Network. The Internet locations (based on their IP address) or groups
  that are covered by the protocol binding rule.
• Action. The Edit table button, which provides access to the Edit Protocol Binding
  screen for the corresponding service.
3. Click the Add table button below the Protocol Binding table. The Add Protocol Binding
screen displays:
Figure 22.
4. Configure the protocol binding settings as explained in the following table:
Table 6. Add Protocol Binding screen settings

| Setting | Option | Description |
|---|---|---|
| Service | | From the drop-down list, select a service or application to be covered by this rule. If the service or application does not appear in the list, you need to define it using the Services |
| Local Gateway | | From the drop-down list, select one of the WAN interfaces. |
| Source Network | | The source network settings determine which computers on your network are affected by this rule. Select one of the following options from the drop-down list: |
| | Any | All devices on your LAN. |
| | Single address | In the Start IP field, enter the IP address to which the rule is applied. |
| | Address Range | In the Start IP field and End IP field, enter the IP addresses for the range to which the rule is applied. |
| | Group | If this option is selected, the rule is applied to the selected group. The group can be a LAN group or an IP (LAN) group. |
| Destination Network | | The destination network settings determine which Internet locations (based on their IP address) are covered by the rule. Select one of the following options from the drop-down list: |
| | Any | All Internet IP addresses. |
| | Single address | In the Start IP field, enter the IP address to which the rule is applied. |
| | Address range | In the Start IP field and Finish field, enter the IP addresses for the range to which the rule is applied. |
| | Group | If this option is selected, the rule is applied to the selected IP (WAN) group. |
5. Click Apply to save your settings. The protocol binding rule is added to the Protocol Binding
table. The rule is automatically enabled, which is indicated by the status icon that displays
a green circle.
To edit a protocol binding:
table, click the Edit table button to the right of the binding that you want to edit. The Edit
Protocol Bindings screen displays. This screen shows the same fields as the Add Protocol
Bindings screen (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To enable, disable, or delete one or more protocol bindings:
left of the protocol binding that you want to enable, disable, or delete, or click the Select
All table button to select all bindings.
2. Click one of the following table buttons:
• Enable. Enables the binding or bindings. The status icon changes from a gray circle
  to a green circle, indicating that the selected binding or bindings are enabled. (By
  default, when a binding is added to the table, it is automatically enabled.)
• Disable. Disables the binding or bindings. The status icon changes from a green
  circle to a gray circle, indicating that the selected binding or bindings are disabled.
• Delete. Deletes the binding or bindings.
Configure the Auto-Rollover Mode and Failure Detection Method
To use a redundant ISP link for backup purposes, ensure that the backup WAN interface has
already been configured. Then select the WAN interface that will act as the primary link for
this mode, and configure the WAN failure detection method on the WAN Mode screen to
support auto-rollover.
When the VPN firewall is configured in auto-rollover mode, it uses the selected WAN failure
detection method to detect the status of the primary link connection at regular intervals. The
VPN firewall detects link failure in one of the following ways:
• By sending DNS queries to a DNS server
• By sending a ping request to an IP address
• None (no failure detection is performed)
From the primary WAN interface, DNS queries or ping requests are sent to the specified IP
address. If replies are not received, after a specified number of retries, the primary WAN
interface is considered down and a rollover to the backup WAN interface occurs. When the
primary WAN interface comes back up, another rollover occurs from the backup WAN
interface back to the primary WAN interface. The WAN failure detection method that you
select applies only to the primary WAN interface, that is, it monitors the primary link only.
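The detection loop described above can be traced with a small state machine. This Python sketch is an added example, not the firewall's implementation: it uses the manual's defaults and minimums (30-second retry interval, failover after 4 failures, minimum 30 seconds and 2 tests) and assumes that failures must be consecutive and that the first successful reply rolls traffic back to the primary link, neither of which the manual states. The probe sequences are constructed.

```python
from dataclasses import dataclass

MIN_INTERVAL_S = 30  # manual: "The minimum test period is 30 seconds"
MIN_FAILURES = 2     # manual: "the minimum number of tests is 2"


def settings_ok(retry_interval_s, failover_after):
    """True if the values respect the minimums stated in the manual."""
    return retry_interval_s >= MIN_INTERVAL_S and failover_after >= MIN_FAILURES


@dataclass
class RolloverMonitor:
    retry_interval_s: int = 30  # "Retry Interval is" default
    failover_after: int = 4     # "Failover after" default
    recover_after: int = 1      # ASSUMPTION: replies needed before rolling back

    def __post_init__(self):
        if not settings_ok(self.retry_interval_s, self.failover_after):
            raise ValueError("below the minimum test period or number of tests")

    def max_detection_s(self):
        """Upper bound on the time from primary failure to rollover."""
        return self.retry_interval_s * self.failover_after

    def run(self, probe_results):
        """Replay one probe result per retry interval (True = reply received).

        Only the primary link is probed, as in the manual. Returns a list of
        (seconds_elapsed, event, active_link) tuples.
        """
        active, fails, oks, events = "primary", 0, 0, []
        for n, replied in enumerate(probe_results, start=1):
            t = n * self.retry_interval_s
            if replied:
                fails, oks = 0, oks + 1
                if active == "backup" and oks >= self.recover_after:
                    active = "primary"
                    events.append((t, "rollback", active))
            else:
                oks, fails = 0, fails + 1  # ASSUMPTION: failures are consecutive
                if active == "primary" and fails >= self.failover_after:
                    active = "backup"
                    events.append((t, "rollover", active))
        return events


# Constructed probe sequences.
OUTAGE = [True, True, False, False, False, False, False, True, True]
FLAPPING = [False, False, False, True] * 5  # never 4 failures in a row

if __name__ == "__main__":
    monitor = RolloverMonitor()
    print("max detection time:", monitor.max_detection_s(), "s")
    print("outage:  ", monitor.run(OUTAGE))
    # A link that drops three probes out of four never triggers rollover.
    print("flapping:", monitor.run(FLAPPING))
```

With the defaults, the upper bound of 120 seconds matches the manual's stated default rollover time of 2 minutes.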
Configure Auto-Rollover Mode
To configure auto-rollover mode:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen
displays:
Figure 23.
2. In the Load Balancing Settings section of the screen, configure the following settings:
a. Select the Primary WAN Mode radio button.
b. From the corresponding drop-down list on the right, select a WAN interface to
function as the primary WAN interface. The other WAN interfaces become disabled.
c. Select the Auto Rollover check box.
d. From the corresponding drop-down list on the right, select a WAN interface to
function as the backup WAN interface.
Note: Ensure that the backup WAN interface is configured before enabling
auto-rollover mode.
3. Click Apply to save your settings.
Configure the Failure Detection Method
To configure the failure detection method:
1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the
screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the
2. Click the Edit table button in the Action column of the WAN interface that you selected as
page 31, which shows the WAN2 IPv4 ISP Settings screen as an example).
3. Click the Advanced option arrow in the upper right of the screen. The WAN Advanced
Options screen displays for the WAN interface that you selected. (For an image of the entire
4. Locate the Failure Detection Method section on the screen. Enter the settings as explained
in the following table.
Table 7. Failure detection method settings

| Setting | Description |
|---|---|
| Failure Detection Method | Select a failure detection method from the drop-down list: • WAN DNS. DNS queries are sent to the DNS server that is configured in the Domain Name Server (DNS) Servers section of the WAN ISP screen (see Manually • Custom DNS. DNS queries are sent to a DNS server that you need to specify in the DNS Server fields. • Ping. Pings are sent to a server with a public IP address that you need to specify in the IP Address fields. The server should not reject the ping request and should not consider ping traffic to be abusive. Note: DNS queries or pings are sent through the WAN interface that is being monitored. The retry interval and number of failover attempts determine how quickly the VPN firewall switches from the primary link to the backup link if the primary link fails, or when the primary link comes back up, switches back from the backup link to the primary link. |
| DNS Server | The IP address of the DNS server. |
| IP Address | The IP address of the ping server. |
| Retry Interval is | The retry interval in seconds. The DNS query or ping is sent periodically after every test period. The default test period is 30 seconds. |
| Failover after | The number of failover attempts. The primary WAN interface is considered down after the specified number of queries have failed to elicit a reply. The backup interface is brought up after this situation has occurred. The failover default is 4 failures. |
Note: The default time to roll over after the primary WAN interface fails is
2 minutes. The minimum test period is 30 seconds, and the
minimum number of tests is 2.
5. Click Apply to save your settings.
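The following added example (not part of the original manual and not NETGEAR code) replays a constructed series of probe results through the two Table 7 settings to show when the link would change. It assumes that failed probes must be consecutive and that one reply on the primary link triggers the switch back; the manual does not state either detail, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed probe results for the monitored primary link, one per retry
# interval (True = the DNS query or ping was answered).
SAMPLE_PROBES = [True, True, False, True, False, False, False, False, True]


@dataclass
class FailureDetector:
    retry_interval: int = 30   # seconds between probes (manual default)
    failover_after: int = 4    # failed probes before failover (manual default)

    def detection_time(self):
        """Seconds of sustained failure before the backup link is brought up."""
        return self.retry_interval * self.failover_after

    def replay(self, probes):
        """Return (seconds, active_link) for every link change.

        Assumptions, not taken from the manual: failures are counted
        consecutively, and a single reply on the primary causes failback.
        """
        active, misses, events = "primary", 0, []
        for n, answered in enumerate(probes, start=1):
            elapsed = n * self.retry_interval
            misses = 0 if answered else misses + 1
            if active == "primary" and misses >= self.failover_after:
                active = "backup"
                events.append((elapsed, active))
            elif active == "backup" and answered:
                active = "primary"
                events.append((elapsed, active))
        return events


if __name__ == "__main__":
    for detector in (FailureDetector(), FailureDetector(30, 2)):
        print(detector, detector.detection_time(), detector.replay(SAMPLE_PROBES))
```

With the defaults, the isolated lost probe at 90 seconds does not cause a rollover; with the minimum of 2 tests the same series rolls over a minute earlier.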
You can configure the VPN firewall to generate a WAN status log and email this log to a
Configure Secondary WAN Addresses
You can set up a single WAN Ethernet port to be accessed through multiple IPv4 addresses
by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for
example, that you can assign different virtual IP addresses to a web server and an FTP
server, even though both servers use the same physical IP address. You can add several
secondary IP addresses to a single WAN port.
After you have configured secondary WAN addresses, these addresses are displayed on the
following firewall rule screens:
• In the WAN Destination IP Address drop-down lists of the following inbound firewall rule
  screens:
  - Add LAN WAN Inbound Service screen
  - Add DMZ WAN Inbound Service screen
• In the NAT IP drop-down lists of the following outbound firewall rule screens:
  - Add LAN WAN Outbound Service screen
  - Add DMZ WAN Outbound Service screen
For more information about firewall rules, see Overview of Rules to Block or Allow Specific
Note: It is important that you ensure that any secondary WAN addresses are
different from the primary WAN, LAN, and DMZ IP addresses that are
already configured on the VPN firewall. However, primary and
secondary WAN addresses can be in the same subnet.
The following is an example of correctly configured IP addresses:
Primary WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0
Secondary WAN1 IP: 30.0.0.1 with subnet 255.0.0.0
Primary WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0
Secondary WAN2 IP: 40.0.0.1 with subnet 255.0.0.0
DMZ IP address: 192.168.10.1 with subnet 255.255.255.0
Primary LAN IP address: 192.168.1.1 with subnet 255.255.255.0
Secondary LAN IP: 192.168.20.1 with subnet 255.255.255.0
To add a secondary WAN address to a WAN port:
1. Select Network Configuration > WAN Settings > WAN Setup. In the upper right of the
screen, the IPv4 radio button is selected by default. The WAN Setup screen displays the
2. Click the Edit table button in the Action column of the WAN interface for which you want to
add a secondary WAN address. The WAN IPv4 ISP Settings screen displays (see Figure 12
on page 31, which shows the WAN2 IPv4 ISP Settings screen as an example).
3. Click the Secondary Addresses option arrow in the upper right of the screen. The WAN
Secondary Addresses screen displays for the WAN interface that you selected. (The
following figure shows the WAN1 Secondary Addresses screen as an example and includes
one entry in the List of Secondary WAN addresses table.)
Figure 24.
The List of Secondary WAN addresses table displays the secondary WAN IP addresses
added for the selected WAN interface.
4. In the Add WAN Secondary Addresses section of the screen, enter the following settings:
• IP Address. Enter the secondary address that you want to assign to the WAN port.
• Subnet Mask. Enter the subnet mask for the secondary IP address.
5. Click the Add table button in the rightmost column to add the secondary IP address to the
List of Secondary WAN addresses table.
the List of Secondary WAN addresses table.
To delete one or more secondary addresses:
1. In the List of Secondary WAN addresses table, select the check box to the left of the
address that you want to delete, or click the Select All table button to select all
addresses.
2. Click the Delete table button.
Configure Dynamic DNS
Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IPv4
addresses to be located using Internet domain names. To use DDNS, you need to set up an
account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org. (Links
to DynDNS, TZO, Oray, and 3322 are provided for your convenience as option arrows on the
DDNS configuration screens.) The VPN firewall firmware includes software that notifies
DDNS servers of changes in the WAN IP address so that the services running on this
network can be accessed by others on the Internet.
If your network has a permanently assigned IP address, you can register a domain name and
have that name linked with your IP address by public Domain Name Servers (DNS).
However, if your Internet account uses a dynamically assigned IP address, you will not know
in advance what your IP address will be, and the address can change frequently—hence, the
need for a commercial DDNS service, which allows you to register an extension to its
domain, and resolves DNS requests for the resulting fully qualified domain name (FQDN) to
your frequently changing IP address.
After you have configured your account information on the VPN firewall, when your
ISP-assigned IP address changes, your VPN firewall automatically contacts your DDNS
service provider, logs in to your account, and registers your new IP address. Consider the
following:
• For auto-rollover mode, you need a fully qualified domain name (FQDN) to implement
  features such as exposed hosts and virtual private networks regardless of whether you
  have a fixed or dynamic IP address.
• For load balancing mode, you might still need a fully qualified domain name (FQDN)
  either for convenience or if you have a dynamic IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x
or 10.x.x.x, the DDNS service does not work because private
addresses are not routed on the Internet.
To configure DDNS:
1. Select Network Configuration > Dynamic DNS. The Dynamic DNS screen displays
(see the following figure).
The WAN Mode section on the screen reports the currently configured WAN mode (for
example, Single Port WAN1, Load Balancing, or Auto Rollover). Only those options that
match the configured WAN mode are accessible on the screen.
2. Click the submenu tab for your DDNS service provider:
• Dynamic DNS for DynDNS.org (which is shown in the following figure)
• DNS TZO for TZO.com
• DNS Oray for Oray.net
• 3322 DDNS for 3322.org
Figure 25.
3. Click the Information option arrow in the upper right of a DNS screen for registration
information (for example, DynDNS Information).
Figure 26.
4. Access the website of the DDNS service provider, and register for an account (for example,
for DynDNS.org, go to http://www.dyndns.com/).
5. Configure the DDNS service settings as explained in the following table:
Table 8. DDNS service settings
Setting
    Description

WAN1 (... Status: ...)
    Select the Yes radio button to enable the DDNS service. The fields that display on the
    screen depend on the DDNS service provider that you have selected. Enter the following
    settings:

    Host and Domain Name
        The host and domain name for the DDNS service.

    Username or User Email Address
        The user name or email address for DDNS server authentication.

    Password or User Key
        The password that is used for DDNS server authentication.

    Use wildcards
        If your DDNS provider allows the use of wildcards in resolving your URL, you
        can select the Use wildcards check box to activate this feature. For example,
        the wildcard feature causes *.yourhost.dyndns.org to be aliased to the same IP
        address as yourhost.dyndns.org.

    Update every 30 days
        If your WAN IP address does not change often, you might need to force a
        periodic update to the DDNS service to prevent your account from expiring. If
        the Update every 30 days check box displays, select it to enable a periodic
        update.

WAN2 (... Status: ...)
WAN3 (... Status: ...)
WAN4 (... Status: ...)
    See the information for WAN1 about how to enter the settings. You can select different
    DDNS services for different WAN interfaces.
6. Click Apply to save your configuration.
Configure the IPv6 Internet Connection and WAN Settings
Note: You can configure only one WAN interface for IPv6. This restriction
might be lifted in a later release. You can configure the other three
WAN interfaces for IPv4.
The nature of your IPv6 network determines how you need to configure the IPv6 Internet
connections:
• Native IPv6 network. Your network is a native IPv6 network if the VPN firewall has an
  IPv6 address and is connected to an IPv6 ISP and if your network consists of IPv6-only
  devices. However, because we are in an IPv4-to-IPv6 transition period, native IPv6 is not
  yet very common.
• Isolated IPv6 network. If your network is an isolated IPv6 network that is not connected
  to an IPv6 ISP, you need to make sure that the IPv6 packets can travel over the IPv4
  Internet backbone; you do this by enabling automatic 6to4 tunneling (see Configure 6to4
• Mixed network with IPv4 and IPv6 devices. If your network is an IPv4 network that
  consists of both IPv4 and IPv6 devices, you need to make sure that the IPv6 packets can
  travel over the IPv4 intranet; you do this by enabling and configuring ISATAP tunneling
Note: A network can be both an isolated IPv6 network and a mixed
network with IPv4 and IPv6 devices.
After you have configured the IPv6 routing mode (see the next section), you need to
configure one or more WAN interfaces with a global unicast address to enable secure IPv6
Internet connections on your VPN firewall. A global unicast address is a public and routable
IPv6 WAN address that can be statically or dynamically assigned. The web management
interface offers two connection configuration options:
• Automatic configuration of the network connection (see Use a DHCPv6 Server to
• Manual configuration of the network connection (see Configure a Static IPv6 Internet
Configure the IPv6 Routing Mode
By default the VPN firewall supports IPv4 only. To use IPv6, you need to enable the VPN
firewall to support both devices with IPv4 addresses and devices with IPv6 addresses. The
routing mode does not include an IPv6-only option; however, you still can configure a native
IPv6 network if your ISP supports IPv6.
These are the options:
• IPv4-only mode. The VPN firewall communicates only with devices that have IPv4
  addresses.
• IPv4/IPv6 mode. The VPN firewall communicates with both devices that have IPv4
  addresses and devices that have IPv6 addresses.
Note: IPv6 always functions in classical routing mode between the WAN
interface and the LAN interfaces; NAT does not apply to IPv6.
Note: When the Load Balancing Mode radio button is selected in the Load
Balancing Settings section of the WAN Mode screen, the IPv4 / IPv6
mode radio button is dimmed, preventing you from selecting it. You
can select the IPv4 / IPv6 mode radio button only when the Primary
WAN Mode radio button is selected.
To configure the IPv6 routing mode:
1. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen
displays:
Figure 27.
2. In the Routing Mode section of the screen, select the IPv4 / IPv6 mode radio button. By
default, the IPv4 only mode radio button is selected, and IPv6 is disabled.
WARNING:
Changing the IP routing mode causes the VPN firewall to reboot.
3. Click Apply to save your changes.
Use a DHCPv6 Server to Configure an IPv6 Internet
Connection
The VPN firewall can autoconfigure its ISP settings through a DHCPv6 server by using either
stateless or stateful address autoconfiguration:
• Stateless address autoconfiguration. The VPN firewall generates its own IP address
  by using a combination of locally available information and router advertisements, but
  receives DNS server information from a DHCPv6 server.
  Router advertisements include a prefix that identifies the subnet that is associated with
  the WAN port. The IP address is formed by combining this prefix and the MAC address of
  the WAN port. The IP address is a dynamic address.
  As an option for stateless address autoconfiguration, the ISP’s stateful DHCPv6 server
  can assign a prefix through prefix delegation. The VPN firewall’s own stateless DHCPv6
  server can assign this prefix to its IPv6 LAN clients. For more information about prefix
• Stateful address autoconfiguration. The VPN firewall obtains an interface address,
  configuration information such as DNS server information, and other parameters from a
  DHCPv6 server. The IP address is a dynamic address.
To automatically configure a WAN interface for an IPv6 connection to the Internet:
1. Select Network Configuration > WAN Settings > WAN Setup.
2. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen
displays the IPv6 settings:
Figure 28.
The IPv6 WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IPv6 address of the WAN interface.
• Action. The Edit table button provides access to the WAN IPv6 ISP Settings screen
3. Click the Edit table button in the Action column of the WAN interface for which you want to
automatically configure the connection to the Internet. The WAN IPv6 ISP Settings screen
displays. (The following figure shows the WAN2 IPv6 ISP Settings screen as an example.)
Figure 29.
4. In the Internet Address section of the screen, from the IPv6 drop-down list, select DHCPv6.
5. In the DHCPv6 section of the screen, select one of the following radio buttons:
• Stateless Address Auto Configuration
• Stateful Address Auto Configuration
6. As an optional step: If you have selected the Stateless Address Auto Configuration radio
button, you can select the Prefix Delegation check box:
• Prefix delegation check box is selected. A prefix is assigned by the ISP’s stateful
  DHCPv6 server through prefix delegation, for example, 2001:db8::/64. The VPN
  firewall’s own stateless DHCPv6 server can assign this prefix to its IPv6 LAN clients.
  For more information about prefix delegation, see Stateless DHCPv6 Server With
• Prefix delegation check box is cleared. Prefix delegation is disabled. This is the
  default setting.
7. Click Apply to save your changes.
8. Verify the connection:
a. Select Network Configuration > WAN Settings > WAN Setup.
b. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen
c. In the Action column, click the Status button of the WAN interface for which you
want to display the Connection Status pop-up screen. (The following figure shows a
dynamic IP address configuration.)
Figure 30.
The Connection Status screen should show a valid IP address and gateway, and you are
connected to the Internet. If the configuration was not successful, see Troubleshoot the
Configure a Static IPv6 Internet Connection
To configure a static IPv6 or PPPoE IPv6 Internet connection, you need to enter the IPv6
address information that you should have received from your ISP.
To configure static IPv6 ISP settings for a WAN interface:
1. Select Network Configuration > WAN Settings > WAN Setup.
2. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen
displays the IPv6 settings:
Figure 31.
The IPv6 WAN Settings table displays the following fields:
• WAN. The WAN interface (WAN1, WAN2, WAN3, and WAN4).
• Status. The status of the WAN interface (UP or DOWN).
• WAN IP. The IPv6 address of the WAN interface.
• Action. The Edit table button provides access to the WAN IPv6 ISP Settings screen
3. Click the Edit table button in the Action column of the WAN interface for which you want to
automatically configure the connection to the Internet. The WAN IPv6 ISP Settings screen
displays. (The following figure shows the WAN2 IPv6 ISP Settings screen as an example.)
Figure 32.
4. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static
IPv6.
5. In the Static IP Address section of the screen, enter the settings as explained in the following
table. You should have received static IPv6 address information from your IPv6 ISP:
Table 9. WAN ISP IPv6 Settings screen settings for a static IPv6 address
Setting
    Description

IPv6 Address
    The IP address that your ISP assigned to you. Enter the address in one of the
    following formats (all four examples specify the same IPv6 address):
    • 2001:db8:0000:0000:020f:24ff:febf:dbcb
    • 2001:db8:0:0:20f:24ff:febf:dbcb
    • 2001:db8::20f:24ff:febf:dbcb
    • 2001:db8:0:0:20f:24ff:128.141.49.32

IPv6 Prefix Length
    The prefix length that your ISP assigned to you, typically 64.

Default IPv6 Gateway
    The IPv6 IP address of the ISP’s default IPv6 gateway.

Primary DNS Server
    The IPv6 IP address of the ISP’s primary DNS server.

Secondary DNS Server
    The IPv6 IP address of the ISP’s secondary DNS server.
6. Click Apply to save your changes.
7. Verify the connection:
a. Select Network Configuration > WAN Settings > WAN Setup.
b. In the upper right of the screen, select the IPv6 radio button. The WAN Setup screen
c. In the Action column, click the Status button of the WAN interface for which you
want to display the Connection Status pop-up screen. (The following figure shows a
static IP address configuration; the IP addresses are not related to any other
examples in this manual.)
Figure 33.
The Connection Status screen should show a valid IP address and gateway, and you are
connected to the Internet. If the configuration was not successful, see Troubleshoot the
Note: If your ISP requires MAC authentication and another MAC address
has been previously registered with your ISP, then you need to enter
that address on the WAN Advanced Options screen for the
corresponding WAN interface (see Configure Advanced WAN
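The following added example (not part of the original manual and not NETGEAR code) relates two passages of this chapter: the stateless autoconfiguration description, where the address is formed from the advertised prefix and the WAN port's MAC address, and the address notations listed in Table 9. It assumes that the firewall uses the standard modified EUI-64 construction; the sample MAC address is constructed from the interface identifier in Table 9, and all function names are hypothetical.

```python
import ipaddress

# The four notations printed in Table 9 of the manual.
TABLE9_FORMS = [
    "2001:db8:0000:0000:020f:24ff:febf:dbcb",
    "2001:db8:0:0:20f:24ff:febf:dbcb",
    "2001:db8::20f:24ff:febf:dbcb",
    "2001:db8:0:0:20f:24ff:128.141.49.32",
]
# Constructed inputs: the MAC is the one implied by the Table 9 interface ID.
SAMPLE_PREFIX = "2001:db8::/64"
SAMPLE_MAC = "00:0f:24:bf:db:cb"


def eui64_address(prefix, mac):
    """Combine a /64 prefix with a MAC address (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    octets[0] ^= 0x02  # invert the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return net[int.from_bytes(iid, "big")]


def mac_from_address(addr):
    """Return the MAC embedded in an EUI-64 address, or None if there is none."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # restore the universal/local bit
    return ":".join(f"{b:02x}" for b in mac)


def group_notations(forms):
    """Map each canonical compressed address to the notations that parse to it."""
    groups = {}
    for text in forms:
        groups.setdefault(str(ipaddress.IPv6Address(text)), []).append(text)
    return groups


def dotted_tail(addr):
    """Low 32 bits of an address in dotted decimal, as used in mixed notation."""
    return str(ipaddress.IPv4Address(ipaddress.IPv6Address(addr).packed[12:]))


if __name__ == "__main__":
    wan = eui64_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print("SLAAC address:", wan, "-> embedded MAC:", mac_from_address(str(wan)))
    for canonical, forms in group_notations(TABLE9_FORMS).items():
        print(canonical, "(dotted tail " + dotted_tail(canonical) + ")")
        for text in forms:
            print("   ", text)
```

With these inputs the first three Table 9 notations normalize to 2001:db8::20f:24ff:febf:dbcb, while the dotted form as printed parses to 2001:db8::20f:24ff:808d:3120; the dotted tail that corresponds to febf:dbcb is 254.191.219.203. Comparing the parsed values rather than the typed strings avoids mismatches of this kind when an address entered on the WAN screen is reused in firewall rules.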