NETGEAR Exium firewall hardward configuration. Let me walk you through the actual implementation of the NETGEAR Exium firewall, step by step. This is where theory becomes practice.
First, you need the right hardware. NETGEAR Exium requires specific NETGEAR firewall appliances:
| Model | Best For | Ports | Approximate Capacity |
|---|---|---|---|
| NETGEAR BR200 | Small offices (10-25 users) | 4 Gigabit ports | 25-50 devices |
| NETGEAR BR500 | Growing offices (25-50 users) | 4 Gigabit ports | 50-75 devices |
Recommendation: Go with the BR500 to give yourself room to grow. The price difference is minimal compared to the headache of outgrowing your hardware in 18 months.
You can actually start this before the hardware arrives:
- Go to https://www.netgear.com/business/services/exium/
- Create your Exium account (use your company email, ideally the same one tied to your Microsoft 365 admin account)
- Verify your email and complete initial profile setup
- The portal will guide you through:
- Setting up your organization profile
- Adding your first site (your office location)
- Creating admin accounts for your IT team
- Your new NETGEAR BR500
- Your existing modem from your ISP
- Ethernet cables (at least 2)
- A laptop to configure (though you'll mainly use cloud portal)
[ISP Modem] --(Ethernet)--> [BR500 WAN Port]
[BR500 LAN Port] --(Ethernet)--> [Your Existing Switch]
[Your Existing Switch] --(Ethernet)--> [All your devices]
- Power down everything - Unplug your modem and any existing routers/firewalls
- Connect the modem to the BR500 - Ethernet from modem to BR500's WAN port (usually yellow or labeled)
- Connect BR500 to your switch - Ethernet from BR500's LAN port to your main network switch
- Power up in order:
- Power on the modem first, wait 2 minutes
- Power on the BR500, wait 3-5 minutes for it to boot
- Your switch should already be on (or power it on now)
- Check the lights - The BR500's status LED should turn solid green when it has internet connectivity
Here's where the magic happens - all configuration is done through the cloud portal:
- Log into the Exium cloud portal from any computer
- The portal should auto-discover your new BR500 (if not, you can add it by serial number)
- Claim the device - This links the physical hardware to your cloud account
- Name your site - e.g., "Main Office" or "Company Headquarters"
-
WAN Settings (how you connect to internet):
- If your ISP uses DHCP (most common): Select "Automatic IP"
- If you have static IPs: Enter the IP, subnet mask, gateway, and DNS provided by your ISP
- If using PPPoE (DSL/fiber sometimes): Enter username/password from ISP
-
LAN Settings (your internal network):
- Default is usually 192.168.1.x or 10.0.0.x
- You can keep defaults unless you have conflicts
- Pro tip: Note this down - you'll need it for step 5
-
DHCP Server (assigns IPs to your devices):
- Should be enabled by default
- Set IP range (e.g., 192.168.1.100 to 192.168.1.250)
- Set DNS servers - Use Microsoft's DNS for better Microsoft 365 performance:
- Primary: 8.8.8.8 (Google, reliable fallback)
- Secondary: 1.1.1.1 (Cloudflare)
This is the moment of truth. Here's how to minimize disruption:
- Keep your old network running alongside the new one initially
- Connect a test computer directly to the BR500's LAN port or a test switch connected to it
- Verify on the test computer:
- Can you browse the internet?
- Can you access Microsoft 365 (portal.office.com)?
- Can you send/receive test emails?
- Check that SharePoint/OneDrive sync works
- Run speed tests to ensure you're getting full bandwidth
Once testing is successful:
- Schedule a maintenance window (after hours or weekend)
- Document current settings (screenshots of your old network config)
- Swap the connection:
- Unplug your old firewall/router
- Ensure all devices are connected to the switch that's now fed by the BR500
- Monitor for issues:
- Watch the Exium dashboard for connected devices
- Have users test access
- Keep a rollback plan (can plug old router back in within minutes if disaster strikes)
Now to make this firewall actually secure:
-
Create Network Zones:
- Corporate LAN: All company devices
- Guest Wi-Fi: Isolated network for visitors (if you have separate APs)
- IoT Devices: Optional, but good for printers/IP cameras
-
Basic Security Rules (in Exium portal):
- Enable Threat Prevention (turns on intrusion detection)
- Enable Web Filtering - block known malicious categories
- Set up Application Control - can block risky apps if desired
- Enable Geo-IP filtering - block traffic from countries you don't do business with
-
Create Access Policies:
- Allow Corporate LAN to access everything (internet + each other)
- Isolate Guest Wi-Fi from Corporate LAN
- Allow Guest Wi-Fi internet access only
In the Exium portal, you can set up SD-WAN policies to prioritize Microsoft 365 traffic:
- Create a rule that identifies Microsoft 365 traffic (Office 365 IP ranges and FQDNs)
- Give it high priority to ensure Teams calls and SharePoint access are smooth
- Exium has pre-defined Microsoft 365 application signatures for this
-
Exium Dashboard - Should show:
- Connected devices (start counting - all 30 should appear)
- Traffic flows
- Any blocked threats
-
From a user perspective:
- Pick 3-5 test users to verify everything works
- Check Microsoft Teams connectivity (if you use it)
- Verify printer access
- Test VPN/remote access if applicable
The Exium cloud portal becomes your new best friend:
- Weekly: Check security events and blocked threats
- Monthly: Review traffic patterns and adjust policies
- As needed: Add new devices, update policies for new requirements
-
Don't forget DNS - If DNS stops working, the internet is "broken" to users. Make sure your DHCP hands out working DNS servers.
-
Double NAT nightmare - Ensure your modem is in bridge mode (ask your ISP if unsure). You want the BR500 to get a public IP, not another private IP.
-
Printer discovery - Some printers use broadcast protocols that might not cross network segments. Keep printers in the same zone as users initially.
-
Don't over-block - Start with a relatively permissive but secure baseline, then tighten over time. Blocking everything day 1 leads to frustrated users and rushed exceptions.
| Step | Time Estimate |
|---|---|
| Portal setup (pre-work) | 30 minutes |
| Physical installation | 1 hour |
| Initial configuration | 1-2 hours |
| Testing | 1-2 hours |
| Full migration | 2-4 hours (including buffer) |
Total: You can realistically complete this in a single day with careful planning.
NETGEAR Exium includes support, and you can always:
- Call NETGEAR Business Support
- Use their online documentation
- Work with a local IT consultant for the physical installation if you're nervous
Would you like me to dive deeper into any specific part of this process, such as configuring the Microsoft 365 traffic prioritization or setting up specific security policies?