Netgear FVS338 User's Manual

Contents

1. [Figure 4-18: Edit Port Triggering Rule screen. Fields: Name, Enable, Protocol (TCP or UDP), Outgoing Trigger Port Range (Start Port, End Port: 1-65534), Incoming Response Port Range (Start Port, End Port: 1-65534).]

3. From the Protocol pull-down menu, select either the TCP or UDP protocol.
4. In the Outgoing Trigger Port Range fields:
   a. Enter the Start Port range (1-65534).
   b. Enter the End Port range (1-65534).
5. In the Incoming Response Port Range fields:
   a. Enter the Start Port range (1-65534).
   b. Enter the End Port range (1-65534).
6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table.

(Firewall Protection and Content Filtering, v1.0, March 2008, page 4-29. FVS338 ProSafe VPN Firewall 50 Reference Manual.)

To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
2. Modify any of the fields for this rule.
3. Click Reset to cancel any changes and return to the previous settings.
4. Click Apply to save your modifications. Your changes will appear in the Port Triggering Rules table.

To check the status of the Port Triggering rules, click the Status link on the Port Triggering screen. [Port Triggering Status table: Operation succeeded. Columns: Outgoing Ports, Incoming Ports, Start P
2. Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not be available, since private addresses cannot be routed on the Internet.

Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, or Oray.net. Once you have registered your domain name to their IP address, all FQDN traffic will be directed to your frequently changing IP address.

For rollover mode, you will need a fully qualified domain name to implement features such as exposed hosts and virtual private networks, regardless of whether you have a fixed or dynamic IP address.

This router firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.

To configure a Dynamic DNS address:
Step 1: Select Network Configuration from the main menu and Dynamic DNS fro
3. Table 4-2. Inbound Rules Fields

Item | Description
Services | Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Adding Customized Services on page 4-18).
Action | Select the desired action for packets covered by this rule: BLOCK always; BLOCK by schedule, otherwise Allow; ALLOW always; ALLOW by schedule, otherwise Block. Note: Any inbound traffic which is not allowed by rules you create will be blocked by the Default rule.
Select Schedule | Select the desired time schedule (i.e., Schedule1, Schedule2, or Schedule3) that will be used by this rule. This drop-down menu gets activated only when BLOCK by schedule, otherwise Allow or ALLOW by schedule, otherwise Block is selected as Action. Use the Schedule page to configure the time schedules.
LAN Server | This LAN address determines which computer on your network is hosting this service rule. You can also translate this address to a port number.
Translate to Port Number | Check the Translate to Port Number box and enter a port number if you want to assign the LAN Server to a specific port.
WAN Users | These settings determine which Internet locations are covered by the rule, based on their IP address. Select the desired option: Any (All Internet IP address are covered by this rule); Single address
4. (Table of contents fragment; the dot leaders and several entries are illegible in the scan.)
   Adding Customized Services ... 4-18
   Specifying Quality of Service (QoS) Priorities ... 4-20
   Setting a Schedule to Block or Allow Traffic ... 4-21
   Setting Block Sites (Content Filtering) ... 4-22
   Enabling Source MAC Filtering ... 4-24
   IP/MAC Binding ... 4-26
   Setting Up Port Triggering ... 4-28
   [illegible] ... 4-30
   E-Mail Notifications of Event Logs and Alerts ... 4-32
   [illegible] ... 4-36
   Chapter 5: Virtual Private Networking
   Dual WAN Port Systems ... 5-1
   Setting up a VPN Connection using the VPN Wizard ... 5-2
   Creating a VPN Tunnel to a Gateway ... 5-2
   Creating a VPN Tunnel Connection to a VPN Client ... 5-3
   IKE Policies ... 5-4
   [illegible] ... 5-4
   [illegible] ... 5-4
   VPN Policies ... 5-5
   [illegible]
5. [Figure 5-24]
6. Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client.

To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear, in this case My Connections\modecfg_test.
2. Click on the connection. Within 30 seconds the message "Successfully connected to MyConnections\modecfg_test" will display, and the VPN client icon in the toolbar will read Opn.
3. From the client PC, ping a computer on the VPN firewall LAN.

Certificates

Digital Certificates (also known as X509 Certificates) are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). Digital Certificates are used by this router during the IKE (Internet Key Exchange) authentication phase as an alternative authentication method. Trusted Certificates are issued to you by various CAs (Certification Authorities).

Trusted Certificates (CA Certificates)

Trusted Certificates are used to verify the validity of certificates issued to an organization and signed by the issuing CA authority. When a certificate is generated, it is signed by a publicly known authority called the Certificate Authority. The Trusted Certificates table shows the Trusted Certificates issued by the variou
6. Auto Rollover

When WAN mode is configured to Auto Rollover, the primary link is active and the secondary acts as a backup. When the primary link goes down, the secondary becomes active until the primary comes up. The device monitors the status of the primary link by the configured WAN Failure Detection method. This section describes the logs generated when the WAN mode is set to auto rollover.

System Logs: WAN Status, Auto Rollover
Message:
Nov 17 09:59:09 FVS338 wand LBFO WAN1 Test Failed 1 of 3 times_
Nov 17 09:59:39 FVS338 wand LBFO WAN1 Test Failed 2 of 3 times_
Nov 17 10:00:09 FVS338 wand LBFO WAN1 Test Failed 3 of 3 times_
Nov 17 10:01:01 FVS338 wand LBFO WAN1 Test Failed 4 of 3 times_
Nov 17 10:01:35 FVS338 wand LBFO WAN1 Test Failed 5 of 3 times_
Nov 17 10:01:35 FVS338 wand LBFO WAN1 DOWN WAN2 UP ACTIVE WAN2 __
Nov 17 10:02:25 FVS338 wand LBFO WAN1 Test Failed 6 of 3 times_
Nov 17 10:02:25 FVS338 wand LBFO Restarting WAN1_
Nov 17 10:02:57 FVS338 wand LBFO WAN1 Test Failed 7 of 3 times_
Nov 17 10:03:27 FVS338 wand LBFO WAN1 Test Failed 8 of 3 times_
Nov 17 10:03:57 FVS338 wand LBFO WAN1 Test Failed 9 of 3 times_
Nov 17 10:03:57 FVS338 wand LBFO Restarting WAN1_
Explanation: The logs suggest that the failover was detected after 5 attempts instead of 3. However
7. (Continuation of the outbound rules fields table.)
   ... ALLOW by schedule, otherwise Block. Note: Any outbound traffic which is not blocked by rules you create will be allowed by the Default rule. ALLOW rules are only useful if the traffic is already covered by a BLOCK rule; that is, you wish to allow a subset of traffic that is currently blocked by another rule.
Select Schedule | Select the desired time schedule (i.e., Schedule1, Schedule2, or Schedule3) that will be used by this rule. This drop-down menu gets activated only when BLOCK by schedule, otherwise Allow or ALLOW by schedule, otherwise Block is selected as Action. Use the Schedule page to configure the time schedules (see Setting a Schedule to Block or Allow Traffic on page 4-21).
LAN Users | These settings determine which computers on your network are affected by this rule. Select the desired option: Any (All PCs and devices on your LAN); Single address (Enter the required address and the rule will be applied to that particular PC); Address range (If this option is selected, you must enter the start and finish fields); Groups (Select the Group you wish this rule to apply to. You can use the Network Database screen to assign PCs to Groups. See Managing Groups and Hosts on page 3-6).
WAN Users | These settings determine which Internet locations are covered by the rule, based on their IP address. Select the desired option: Any (All Internet IP address are covered by this rule
8. d. Under the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0.
   Note: If no box is displayed for Internal Network IP Address, go to Options > Global Policy Settings and check the box for Allow to Specify Internal Network Address.
   e. Select your Internet Interface adapter from the Name pull-down menu.

[Figure 5-22: Security Policy Editor (NETGEAR ProSafe VPN Client), My Identity for connection modecfg_test. Select Certificate: None; ID Type: Domain Name, remote_id.com; Pre-Shared Key; Virtual Adapter: Preferred; Internal Network IP Address: 0.0.0.0; Internet Interface Name: Broadcom 440x 10/100 Integrated Controller, IP Addr 192.168.1.2.]

3. On the left side of the menu, select Security Policy.
   a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
   b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and select Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
   c. Enable Replay Detection should be checked.
4. Click on Authentication (Phase 1) on the left side of the menu and select Proposal 1. Enter the Authentication values to match those in the VPN firewall ModeConfig Record
9. Chapter 5: Virtual Private Networking

This chapter describes how to use the Virtual Private Networking (VPN) features of the VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.

Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.

Dual WAN Port Systems

The dual WAN ports in the VPN firewall can be configured for rollover mode for increased system reliability by specifying the Broadband connection with the Dialup connection as backup. This WAN mode choice then impacts how the VPN features must be configured.

Table 5-1. IP Addressing Requirements for VPN in Dual WAN Port Systems
Configuration and WAN IP address | Rollover Mode (a) | Dedicated Mode
VPN Road Warrior (client-to-gateway), Fixed | FQDN required | Allowed (FQDN optional)
VPN Road Warrior (client-to-gateway), Dynamic | FQDN required | FQDN required
VPN Gateway-to-Gateway, Fixed | FQDN required | Allowed (FQDN optional)
VPN Gateway-to-Gateway, Dynamic | FQDN required | FQDN required
VPN Telecommuter (through a NAT router), Fixed | FQDN required | Allowed (FQDN optional)
VPN Telecommuter (through a NAT router), Dynamic | FQDN required | FQDN required
a. All tunnels must be re-established after
10. To modify User or Admin settings:
1. Select Administration from the main menu and Set Password from the submenu. The Set Password screen will display.
2. Select the settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box.
3. Change the password by first entering the old password and then entering the new password twice.
4. Click Apply to save your settings, or Cancel to return to your previous settings.
5. Change the Idle Logout Time field to the number of minutes you require. The default is 5 minutes.
6. Click Apply to save this setting.

Note: If you make the administrator login time-out value too large, you will have to wait a long time before you are able to log back into the router if your previous login was disrupted (i.e., you did not click Logout on the Main Menu bar to log out).

[Figure 6-1: Set Password screen. User Selection: Edit Admin Settings / Edit Guest Settings. Admin Settings and Guest Settings: Old User Name, New User Name, Old Password, New Password, Retype New Password. Idle Logout Time: Administrator login times out after idle for ... Minutes.]

Note: The password and time-out value
11. (Continuation of the inbound rules fields table.)
   Enter the required address in the start fields. Address range: If this option is selected, you must enter the start and finish fields.
WAN Destination IP Address | These settings determine the destination IP address applicable to incoming traffic. This is the public IP address that will map to the internal server; it can either be the address of the WAN1 or WAN2 ports or another public IP address.
QoS Priority | This setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. By default the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy. See Specifying Quality of Service (QoS) Priorities on page 4-20.
Log | This determines whether packets covered by this rule are logged. Select the desired action: Always (always log traffic considered by this rule, whether it matches or not; this is useful when debugging your rules); Never (never log traffic considered by this rule, whether it matches or not).

Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from you
12. (Continuation of the IP/MAC Binding procedure.)
   IP Addresses: Specify the IP Address for this rule.
   Log Dropped Packets: Specify the logging option for this rule.
   The following fields of an existing IP/MAC Bind rule can be modified:
   a. MAC Address: Specify the MAC Address for this rule.
   b. IP Addresses: Specify the IP Address for this rule.
   c. Log Dropped Packets: Specify the logging option for this rule.
4. To remove an entry from the table, select the IP/MAC Bind entry and click Delete.
5. Click Apply to save your settings.

Setting Up Port Triggering

Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application.

Once configured, Port Triggering operates as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. The VPN firewall records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC's request and responds using the different port numbers that you have now opened.
4. The VPN firewall matches the response to the previous request and forwards the response to the PC.

Without Port T
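The four-step sequence above, modelled in Python so the behaviour of a Port Triggering table can be checked offline. This is an added illustration, not NETGEAR code: the rule, the LAN host 192.168.1.10 and the port numbers are constructed, and two details are my assumptions rather than statements from the manual: the opened response ports are tied to the same protocol (TCP or UDP) as the trigger, and they are released when the PC's session ends.

```python
"""Model of the Port Triggering sequence described for the FVS338.

Added illustration, not NETGEAR code. Rule values, hosts and ports below are
constructed; the protocol check and release() are assumptions (the manual does
not say when opened ports close).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    """One row of the Port Triggering table (Edit Port Triggering Rule screen)."""
    name: str
    protocol: str        # "TCP" or "UDP"
    trigger_start: int   # Outgoing Trigger Port Range, 1-65534
    trigger_end: int
    response_start: int  # Incoming Response Port Range, 1-65534
    response_end: int

    def __post_init__(self) -> None:
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        for port in (self.trigger_start, self.trigger_end,
                     self.response_start, self.response_end):
            if not 1 <= port <= 65534:
                raise ValueError(f"port {port} outside 1-65534")
        if self.trigger_start > self.trigger_end or self.response_start > self.response_end:
            raise ValueError("range start must not exceed range end")


class PortTriggeringFirewall:
    """Keeps track of which incoming ports are open, and for which LAN PC."""

    def __init__(self, rules: List[TriggerRule]) -> None:
        self.rules = rules
        # (protocol, incoming port) -> LAN PC that triggered it
        self.open_ports: Dict[Tuple[str, int], str] = {}

    def outbound(self, lan_host: str, protocol: str, dst_port: int) -> Optional[str]:
        """Steps 1-2: a PC connects out. If the destination port lies in a trigger
        range, open that rule's incoming ports for this PC. Returns the rule name."""
        for rule in self.rules:
            if rule.protocol == protocol and rule.trigger_start <= dst_port <= rule.trigger_end:
                for port in range(rule.response_start, rule.response_end + 1):
                    self.open_ports[(protocol, port)] = lan_host
                return rule.name
        return None  # ordinary outbound traffic: nothing is opened

    def inbound(self, protocol: str, dst_port: int) -> Optional[str]:
        """Steps 3-4: a remote system responds on an incoming port. Returns the LAN PC
        the response is forwarded to, or None when the port was never triggered
        (the inbound default: the packet is dropped)."""
        return self.open_ports.get((protocol, dst_port))

    def release(self, lan_host: str) -> int:
        """Assumption: close every port opened for this PC; returns how many closed."""
        stale = [key for key, host in self.open_ports.items() if host == lan_host]
        for key in stale:
            del self.open_ports[key]
        return len(stale)


def demo() -> Dict[str, Optional[str]]:
    """Constructed walk-through of the four steps with one UDP rule."""
    fw = PortTriggeringFirewall([TriggerRule("voice-app", "UDP", 6000, 6000, 7000, 7010)])
    before = fw.inbound("UDP", 7005)                 # not yet triggered: dropped
    rule = fw.outbound("192.168.1.10", "UDP", 6000)  # steps 1-2: opens 7000-7010
    forwarded = fw.inbound("UDP", 7005)              # steps 3-4: forwarded to the PC
    wrong_proto = fw.inbound("TCP", 7005)            # same port, other protocol: dropped
    fw.release("192.168.1.10")
    after = fw.inbound("UDP", 7005)                  # closed again: dropped
    return {"before": before, "rule": rule, "forwarded": forwarded,
            "wrong_proto": wrong_proto, "after": after}


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is that an incoming packet is only forwarded while a matching outgoing connection from a LAN PC has opened the response range; anything arriving on those ports beforehand, on another protocol, or after the ports are released falls back to the default inbound behaviour.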
13. [Figure 5-7: Secure Connection Remote Accessibility. What is the remote LAN IP Address? What is the remote LAN Subnet Mask?]

Configuring the VPN Client

On a remote PC that has a NETGEAR ProSafe VPN Client installed, configure the client using the FVS338 VPN Client default parameters displayed in both the IKE Policy table and the VPN Policy table of the FVS338 under the name "home":
   Local FQDN (the router): fvs_local.com
   Remote FQDN (the client): fvs_remote.com
   Encryption Algorithm: 3DES
   Authentication Algorithm: SHA-1
   Pre-shared key: 12345678 (defined by user)
   Diffie-Hellman (DH) Group: Group 2 (1024 bit)
   SA Life Time: unspecified
   Remote LAN IP subnet: 192.168.1.0 / 255.255.255.0

To configure the VPN Client:
1. Right-click on the VPN client icon in your Windows toolbar and select the Security Policy Editor. The Security Policy Editor screen will display.
2. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection.

[Figure 5-8: Security Policy Editor (NETGEAR ProSafe VPN Client), Network Security Policy: New Connection, Other Connections.]

3. Give the New Connection a name, such as to_FVS shown in Figure 5-9. In the Remote Party Identi
14. To create a new inbound service rule:
1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen will display.
2. Complete the Add WAN LAN Inbound Services screen (see Table 4-2 on page 4-5).
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Inbound Services table.
5. Click Apply to save your settings. The new rule will be added to the Inbound Services table.

[Figure 4-4: Add LAN WAN Inbound Service screen. Fields: Service (ANY), Action (BLOCK always), Select Schedule, Send to LAN Server, Translate to Port Number, Public Destination IP Address (Broadband), LAN Users (Start, Finish), WAN Users (Any; Start, Finish), Log (Never).]

Attack Checks

This screen allows you to specify whether or not the router should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below.

WAN Security Checks
   Respond To Ping On Internet Ports: When enabled, the router will respond to a Ping from the Internet. This can be used as a diagnostic tool and shouldn't be used unless you ha
15. (Continuation of the firewall log configuration procedure: syslog severity levels.)
   LOG_WARNING: Warning conditions
   LOG_NOTICE: Normal but significant conditions
   LOG_INFO: Informational messages
   LOG_DEBUG: Debug-level messages
10. Click Reset to cancel your changes and return to the previous settings.
11. Click Apply to save your settings.

To view the Firewall logs:
1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display.
2. If the E-mail Logs option has been enabled, you can send a copy of the log by clicking send log.
3. Click refresh log to retrieve the latest update, and click clear log to delete all entries.
Log entries are described in Table 4-3. Refer to Appendix B, System Logs and Error Messages, for more information about log entry messages.

[Figure 4-22: Firewall Logs & E-mail screen. Log Identifier: FVS338. Accepted Packets: LAN to WAN, WAN to LAN (No Data Available). Source MAC Filter. Buttons: refresh log, clear log, send log.]

Table 4-3. Log Entry Descriptions
Field | Description
Date and Time | The date and time the log entry was recorded.
Description or Action | The type of event and what action was taken, if any.
S
16. Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address.
   • A computer is identified by its MAC address, not its IP address. Hence, changing a computer's IP address does not affect any restrictions applied to that PC.

The LAN Groups screen contains a list of all known PCs and network devices, as well as hosts that are assigned dynamic IP addresses by this router.

[Figure 3-3: Network Configuration > LAN Setup > LAN Groups screen. Known PCs and Devices table (select all, delete, save binding; columns Name, IP Address, Type, MAC Address, DHCP Assigned IP Address). Add Known PCs and Devices form (Name, IP Address Type, IP Address, MAC Address). Network Database Group Names.]

The Network Database is created by:
   • Using the DHCP Server. The router's DHCP server is configured by default to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to the Network Database. Because of this, leaving the DHCP Server feature enabled on the LAN Setup screen is strongly recommended.
   • Scanning the Network. The router also scans the local network periodically using protocols such as ARP and NetBIOS to detect active computers or devices that are not DHCP clients. For
17. (Index fragment.)
   ... Content Filtering 4-22; reducing traffic 6-3
   Block Sites screen (Content Filtering) 4-23
   Block TCP Flood (Attack Checks) 4-10
   block traffic, scheduling 4-2
   Broadband Status, monitoring 6-23
   Broadband Traffic Meter screen 6-18
   C
   CA, VPN gateway use with 5-6
   CA Certificates, about 5-33
   Certificate Authority, See CA
   Certificate Identity file 5-37
   Certificate Revocation List, See CRL
   Certificates screen 5-33; Self Certificates 5-34
   Certification Authorities, See CA
   Client-to-Gateway VPN tunnel example 5-12
   Client VPN Tunnel, setting up using VPN Wizard 5-3
   common protocols, definitions 4-18
   configuration, automatic by DHCP 1-3
   configuration backup 6-14
   Content Filtering 1-2, 4-1; Block Sites 4-22; enabling 4-23; Keyword Blocking 4-22; Web Components 4-22
   content filtering, Blocked Sites 4-7; Keyword Blocking 4-1
   CRL lists, managing 5-37
   crossover cable 1-3, 7-2
   Customized Services 4-2; service port numbers 4-18
   D
   date, troubleshooting 7-7
   Daylight Savings Time, setting 6-17
   Dead Peer Detection 5-5
   default configuration, restoring 7-7
   default firewall rules 4; Inbound 4; Outbound 4-2
   Default Outbound Policy (LAN WAN) 4-7
   denial of service attack 4-10; UDP flood 4-11
   Denial of Service, See DoS
   DH, use with ModeConfig 5-26
   DHCP, about 3-1
   DHCP log 6-25; monitoring 6-25
   DHCP Server, using VPN firewall as 3
18. FVS338 ProSafe VPN Firewall 50 Reference Manual

NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA

March 2008
202-10046-06
v1.0

© 2007 by NETGEAR, Inc. All rights reserved.

Trademarks
NETGEAR, the NETGEAR logo, and ProSafe are trademarks and/or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will
19. 1. The VPN Policy Selector determines that some traffic matches an existing VPN Policy. If the VPN policy is of type Auto, then the Auto Policy Parameters defined in the VPN Policy are accessed, which specify which IKE Policy to use.
2. If the VPN Policy is a Manual policy, then the Manual Policy Parameters defined in the VPN Policy are accessed, and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway.
   • If negotiations fail, the next matching IKE Policy is used.
   • If none of the matching IKE Policies are acceptable to the remote VPN Gateway, then a VPN tunnel cannot be established.
3. An IKE session is established, using the SA (Security Association) parameters specified in a matching IKE Policy.
   • Keys and other parameters are exchanged.
   • An IPsec SA (Security Association) is established, using the parameters in the VPN Policy.
The VPN tunnel is then available for data transfer.

IKE Policy Table

When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the Policy Table, and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the Policy Table screen. Each policy contains the following data:

Name: Uniquely identifies each IKE policy. The name is chosen by you and used for
20. (Continuation of the log field abbreviations list.)
   DPT: Destination port
   IN: Incoming interface for packet
   OUT: Outgoing interface for packet
   PROTO: Protocol used
   SELF: Packet coming from the system only
   SPT: Source port
   SRC: Source IP address of the machine from where the packet is coming
   TYPE: Protocol type

System Log Messages

This section describes log messages that belong to one of the following categories:
   • Logs generated by traffic that is meant for the device
   • Logs generated by traffic that is routed or forwarded through the device
   • Logs generated by system daemons (NTP, WAN daemon, and others)

System Startup
This section describes log messages generated during system startup.
Table B-2. System Logs: System Startup
Message: Jan 1 15:22:28 FVS338 ledTog SYSTEM START UP System Started
Explanation: Log generated when the system is started.
Recommended Action: None

Reboot
This section describes log messages generated during system reboot.
Table B-3. System Logs: Reboot
Message: Nov 25 19:42:57 FVS338 reboot Rebooting in 3 seconds
Explanation: Log generated when the system is rebooted from the web management.
Recommended Action: None

NTP
This section describes log messages generated by the NTP daemon during synchronization with the NTP server.
   • The fixed time and date before NTP synchronizes with a
21. ... INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Zlib
zlib.h: interface of the zlib general purpose compression library, version 1.1.4, March 11th, 2002
Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler

This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly (jloup@gzip.org), Mark Adler (madler@alumni.caltech.edu)

The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).

Product and Publication Details
Model Numbe
22. (Continuation of the firewall features list.)
   ... LAND Attack, and IP Spoofing.
   • Blocks unwanted traffic from the Internet to your LAN.
   • Blocks access from your LAN to Internet locations or services that you specify as off-limits.
   • Logs security incidents. The FVS338 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
   • With its URL keyword filtering feature, the FVS338 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Security

The VPN firewall is equipped with several features designed to maintain security, as described in this section.
   • PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.
   • Port Forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewal
23. (Continuation of the PPP link logs table.)
   Message 9: Data sent and received at the LAN side while the link was up.
   Message 10: PPP connection terminated after idle timeout.
   Recommended Action: To reconnect during idle mode, initiate traffic from the LAN side.

PPP Authentication Logs
Table B-11. System Logs: WAN Status, PPPoE, PPP Authentication
Message:
Nov 29 11:29:26 FVS338 pppd Starting link
Nov 29 11:29:29 FVS338 pppd Remote message Login incorrect
Nov 29 11:29:29 FVS338 pppd PAP authentication failed
Nov 29 11:29:29 FVS338 pppd Connection terminated WAN2 DOWN _
Explanation:
   Starting link: Starting PPPoE connection process.
   Remote message Login incorrect: Message from the PPPoE server for an incorrect login.
   PAP authentication failed: PPP authentication failed due to incorrect login.
   Connection terminated: PPP connection terminated.
Recommended Action: If authentication fails, check the login password and enter the correct one.

Web Filtering and Content Filtering Logs
To enable web keyword filtering logs, set the value of keywordLog to 1 from the CLI. Command to set this value from the CLI:
monitor firewallLogs logger loggerConfig keywordLog 1

Table B-12. System Logs: Web Filtering and Content Filtering
Message: Jan 23 16:36:35 FVS338 kernel KEYWORD_BLOCKED URL > www.redhat.com
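A parser for the WAN-status lines shown in the auto-rollover table (item 6) and the PPP authentication table above, added here as an example of turning the manual's log samples into something a monitoring script can act on; it is not part of the manual or of the FVS338 firmware. The sample lines are the ones printed in the two tables with the hh:mm:ss colons restored (the scan dropped them); the field layout assumed, timestamp then host then process then message text, is read off those lines and is an assumption.

```python
"""Parse FVS338 WAN-status syslog lines (wand/LBFO and pppd) and summarise them.

Added illustration, not NETGEAR code. The sample lines are the ones printed in
the manual's auto-rollover and PPP-authentication tables; the clock colons
(hh:mm:ss) were lost in extraction and are restored here as an assumption.
"""
import re
from typing import Dict, List, Optional

ROLLOVER_LOG = """\
Nov 17 09:59:09 FVS338 wand LBFO WAN1 Test Failed 1 of 3 times_
Nov 17 09:59:39 FVS338 wand LBFO WAN1 Test Failed 2 of 3 times_
Nov 17 10:00:09 FVS338 wand LBFO WAN1 Test Failed 3 of 3 times_
Nov 17 10:01:01 FVS338 wand LBFO WAN1 Test Failed 4 of 3 times_
Nov 17 10:01:35 FVS338 wand LBFO WAN1 Test Failed 5 of 3 times_
Nov 17 10:01:35 FVS338 wand LBFO WAN1 DOWN WAN2 UP ACTIVE WAN2 __
Nov 17 10:02:25 FVS338 wand LBFO WAN1 Test Failed 6 of 3 times_
Nov 17 10:02:25 FVS338 wand LBFO Restarting WAN1_
Nov 17 10:02:57 FVS338 wand LBFO WAN1 Test Failed 7 of 3 times_
Nov 17 10:03:27 FVS338 wand LBFO WAN1 Test Failed 8 of 3 times_
Nov 17 10:03:57 FVS338 wand LBFO WAN1 Test Failed 9 of 3 times_
Nov 17 10:03:57 FVS338 wand LBFO Restarting WAN1_
"""

PPP_LOG = """\
Nov 29 11:29:26 FVS338 pppd Starting link
Nov 29 11:29:29 FVS338 pppd Remote message Login incorrect
Nov 29 11:29:29 FVS338 pppd PAP authentication failed
Nov 29 11:29:29 FVS338 pppd Connection terminated WAN2 DOWN _
"""

# Assumed layout: "<Mon> <day> <hh:mm:ss> <host> <process> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+) (?P<msg>.*)$"
)
TEST_FAILED_RE = re.compile(r"WAN(?P<wan>\d) Test Failed (?P<n>\d+) of (?P<limit>\d+) times")
FAILOVER_RE = re.compile(r"WAN(?P<down>\d) DOWN WAN(?P<up>\d) UP ACTIVE WAN(?P<active>\d)")
RESTART_RE = re.compile(r"Restarting WAN(?P<wan>\d)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into ts/host/proc/msg; None if it is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_rollover(text: str) -> Dict[str, object]:
    """Walk the wand (LBFO) lines and report how the WAN failover unfolded."""
    summary: Dict[str, object] = {
        "failed_tests": 0,             # every "Test Failed n of limit" line
        "failures_before_failover": 0, # how many tests failed before the switch
        "over_limit_failures": 0,      # lines where n exceeds the configured limit
        "failover_at": None,           # timestamp of the DOWN/UP/ACTIVE line
        "active_wan": None,            # interface reported ACTIVE after failover
        "restarts": 0,                 # "Restarting WANx" lines
    }
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "wand":
            continue
        msg = rec["msg"]
        m = TEST_FAILED_RE.search(msg)
        if m:
            summary["failed_tests"] += 1
            if summary["failover_at"] is None:
                summary["failures_before_failover"] += 1
            if int(m["n"]) > int(m["limit"]):
                summary["over_limit_failures"] += 1
            continue
        m = FAILOVER_RE.search(msg)
        if m:
            summary["failover_at"] = rec["ts"]
            summary["active_wan"] = "WAN" + m["active"]
            continue
        if RESTART_RE.search(msg):
            summary["restarts"] += 1
    return summary


def ppp_auth_failures(text: str) -> List[str]:
    """Timestamps of pppd lines reporting a failed authentication (PAP in the manual's sample)."""
    return [rec["ts"] for rec in map(parse_line, text.splitlines())
            if rec and rec["proc"] == "pppd" and "authentication failed" in rec["msg"]]


if __name__ == "__main__":
    print(summarize_rollover(ROLLOVER_LOG))
    print(ppp_auth_failures(PPP_LOG))
```

Run against the rollover sample, the summary reports five failed tests before the switch to WAN2, which is the discrepancy the table's explanation points out (failover after 5 attempts instead of the configured 3), plus six later lines whose counter has run past the limit and two restarts; the PPP sample yields one authentication-failure timestamp, the event an operator would want alerted on.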
24. This information must be submitted in the following format:
   C=<country>, ST=<state>, L=<city>, O=<organization>, OU=<department>, CN=<device name>
   In the following example: C=USA, ST=CA, L=Santa Clara, O=NETGEAR, OU=XX, CN=FVS338
   • From the pull-down menus, select the following values:
     Hash Algorithm: MD5 or SHA2
     Signature Algorithm: RSA
     Signature Key Length: 512, 1024, 2048 (larger key sizes may improve security, but may also impact performance)
3. Complete the Optional fields, if desired, with the following information:
   • IP Address: If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
   • Domain Name: If you have a domain name, you can enter it here. Otherwise, you should leave this field blank.
   • E-mail Address: Enter your e-mail address in this field.
4. Click Generate. Your request will display in the Self Certificate Requests table.
5. View the request by clicking View in the Action column. The Self Certificate Request screen will display.
6. The Self Certificate Request data screen will display the data required for submission to the CA. Copy the data in the Data to supply to CA field into a file, including all of the data contained in BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST.
7. Follow the instructions of the CA to complete the certificate request process.
25. VPN Passthrough: Enable this to pass VPN traffic without any filtering; this is specially used when this firewall is between two VPN tunnel end points.
Drop fragmented IP packets: Enable this to drop fragmented IP packets.
UDP Flooding: Enable this to limit the number of UDP sessions created from one LAN machine.
TCP Flooding: Enable this to protect the router from SYN flood attacks.
Enable DNS Proxy: Enable this to allow incoming DNS queries.
Enable Stealth Mode: Enable this to set the firewall to operate in stealth mode.
As you define your firewall rules, you can further refine their application according to the following criteria:
LAN Users: These settings determine which computers on your network are affected by this rule. Select the desired IP address in this field.
WAN Users: These settings determine which Internet locations are covered by the rule, based on their IP address.
  Any: The rule applies to all Internet IP addresses.
  Single address: The rule applies to a single Internet IP address.
  Address range: The rule is applied to a range of Internet IP addresses.
Destination Address: These settings determine the destination IP address for this rule, which will be applicable to incoming traffic. This rule will be applied only when the destination IP address of the incoming packet matches the IP address of the WAN interface selected or the specific IP address entered in this field. Selecting ANY enab
26. • If your firewall's IP address has been changed and you don't know the current IP address, clear the firewall's configuration to factory defaults. This will set the firewall's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 7-7.
Tip: If you don't want to revert to the factory default settings and lose your configuration settings, you can reboot the router and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the router's LAN interface address.
• Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.
• Try quitting the browser and launching it again.
• Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.
If the firewall does not save changes you have made in the Web Configuration Interface, check the following:
• When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
27. • Single address: Enter the required address in the start fields.
• Address range: If this option is selected, you must enter the start and finish fields.

Table 4-1. Outbound Rules Fields (continued)
Item: Description
QoS Priority: This setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy. 6 is the highest priority. See "Specifying Quality of Service (QoS) Priorities" on page 4-20.
Log: This determines whether packets covered by this rule are logged. Select the desired action:
  Always: always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
  Never: never log traffic considered by this rule, whether it matches or not.

Inbound Rules (Port Forwarding)
Because the FVS338 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server, for example
28. firmware upgrade, 6-14
FQDN: use in VPN tunnels, 5
G
Gateway VPN Tunnel: setting up, 5-2
gateway-to-gateway VPN Tunnel: example of, 5-8
Generate Self Certificate Request, 5-34
Groups: managing, 3-7; rules covered by, 6-3
Groups and Hosts: About, 3-6
ICMP Destination Unreachable, 4-11
IKE Policies: auto rules of, 5-4; field definitions, 5-4; manual rules of, 5-4; use with ModeConfig, 5-27
IKE Policies screen, 5-9, 5-10
IKE/ISAKMP: use in IKE Policy, 5-5
Inbound Rules, 4-2: about, 4-4; configuring DHCP, 4-4; examples of, 4-13; Fields, definition of, 4-5; firewall, 4; Port Forwarding, 4-4
Increased Traffic: Port Triggering, 6-6
Increased traffic: Port Forwarding, 6-4; VPN tunnels, 6-6
installation, 4
Internet: configuring the connection manually, 2-9; connection configuration, 2-2; traffic information, 6-25
Internet Protocol Numbers, 4-8
IP Address: LAN Setup, 3-2; rules with VPN tunnels, 5-2
IP Address Pool: LAN Setup, 3-3; use with ModeConfig, 5-26
IP addresses: auto-generated, 7-3; reserved, 3-10
IP Addressing Requirements: VPNs, use in Dual WAN Ports, 5
IP Subnet Mask: LAN Setup, 3-3
IP/MAC Binding screen, 4-26
IPSec Connection Status: Fields, description of, 6-24; VPN Tunnel, use with, 4-11
IPSec Connection Status screen, 5-7, 6-24
IPSec Host: authentication, 5-22; XAUTH, use with, 5-20, 5-22
ISP connection: troubleshooting, 7-4
K
Keep-alive, 5-6
Keyword Blocking, 6-3: Content Filtering, 4-22
29. Figure 1-5
3. Once the login screen displays (Figure 1-5), enter the following:
• admin for User Name
• password for Password

Chapter 2. Connecting the FVS338 to the Internet
This section provides instructions for connecting the VPN firewall. Setting up VPN tunnels is covered in Chapter 5, "Virtual Private Networking".
1. Connect the firewall physically to your network. Connect the cables, turn on your router, and wait for the Test LED to go out. Make sure your Ethernet and LAN LEDs are lit. See the FVS338 ProSafe VPN Firewall 50 Installation Guide on your Resource CD.
2. Log in to the firewall. After logging in, you are ready to set up and configure your firewall. You can also change your password and enable remote management at this time.
3. Configure the Internet connections to your ISPs. During this phase you will connect to your ISPs. You can also program the WAN traffic meters at this time, if desired.
4. Configure the WAN mode. Select either Primary Broadband with Dialup as backup, or Use only single WAN port and select the WAN port from the pull-down menu (either Broadband or Dial-up).
5. Configure dynamic DNS on the WAN ports, if needed. Configure your fully qualified domain names during this phase, if required.
6. Configure the WAN options, if needed. Optionally, you can enable each WAN port to respond to a ping. You can also change the factory default MTU size, port
30. 1
Diagnostics: DNS lookup, 6-26; Packet Trace, 6-28; pinging an IP address, 6-26; Reboot the Router, 6-28
Diagnostics Fields: descriptions of, 6-27
Diagnostics screen, 6-26
Dialup ISP Status: monitoring, 6-23
Diffie-Hellman Group: use in IKE Policy, 5-5
Digital, 5-33
Digital Certificates, 5-33
DNS lookup, 6-26
DNS Proxy, 1-3
Domain Name Blocking, 6-3
domain name blocking. See Keyword Blocking
DOS protection
download firmware: steps to, 6-15
Dual WAN Port: use with VPN firewall, 5-7
Dynamic DNS: configuration of, 2-16
Dynamic Host Configuration Protocol. See DHCP
E
Edge Device: XAUTH, use with, 5-20
Edit Service screen, 4-20
E-mail alerts: configuring, 4-34; scheduling, 4-34
Enable DHCP Server: LAN Setup, 3-3
Enable DNS Proxy: LAN Setup, 3-3
Encapsulating Security Payload. See ESP
encrypted communication: VPN tunnels, 5-1
ESP: VPN Policies, use with, 5-7
Ethernet, 3
Exposed Host, 4-17
Extended Authentication. See XAUTH
F
filtering traffic by MAC address: Source MAC filtering, 4-24
firewall: alerts, emailing of, 4-32; connecting, 2-1, 2-2; logging in to, 2-1; rear panel, 6; security, about, 4; status, 6-22; technical specifications, A-7
firewall access: remote management, 6-9
Firewall Logs: configuring, 4-34; emailing of, 4-32
Firewall Logs & E-mail screen, 4-33, 6-19
firewall protection, 4-1
firewall rules: about, 4-1; ordering, 4-6
31. 10046-06, 1.0: Maintenance release

Chapter 1. Introduction
The ProSafe VPN Firewall 50 with 8-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS338 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple Web content filtering options, plus browsing activity reporting and instant alerts, both via e-mail. Network administrators can establish restricted access policies based on time of day, Web site addresses, and address keywords, and share high-speed cable/DSL Internet access for a local network. The FVS338 is a plug-and-play device that can be installed and configured within minutes.

Key Features
The VPN firewall provides the following features:
• One 10/100 Mbps port for an Ethernet connection to a broadband WAN device, such as a cable modem or DSL modem, and one serial port for a dial-up modem connection to the Internet through the public switched telephone network (PSTN).
• Dual WAN ports (one broadband and one serial) provide for increased system reliability.
• Support for up to 50 VPN tunnels
32. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based Web Management Interface.
• Smart Wizard: The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
• VPN Wizard: The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC), to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
• SNMP: The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
• Diagnostic functions: The firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
• Remote management: The firewall allows you to securely log in to the Web Management Interface from a remote location on the Internet. For additional security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
• Visual monitoring: The VPN firewall's front panel LEDs provide an ea
33. Figure 5-17 (Users screen: Configured Users table with User Name and Action columns; Add New User fields User Name, Password, Confirm Password; Edit User screen)
To edit the user name or password:
1. Click Edit opposite the user's name. The Edit User screen will display.
2. Make the required changes to the User Name or Password and click Apply to save your settings, or Reset to cancel your changes and return to the previous settings. The modified user name and password will display in the Configured Users table.

RADIUS Client Configuration
RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing Authentication, Authorization and Accounting (AAA) of multiple users in a network. A RADIUS server will store a database of user information and can validate a user at the request of a gateway or server in the network when a user requests access to network resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH (eXtended AUTHentication) request. At that point, the remote user must provide authentication information s
34. DMZ to WAN Logs
Table B-21. Routing Logs: DMZ to WAN
Message: Nov 29 09:19:43 FVS338 kernel: DMZ2WAN DROP IN=DMZ OUT=WAN SRC=192.168.20.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from DMZ to WAN has been dropped by the firewall. For other parameters, refer to Table B-1.
Recommended Action: None

WAN to LAN Logs
Table B-22. Routing Logs: WAN to LAN
Message: Nov 29 10:05:15 FVS338 kernel: WAN2LAN ACCEPT IN=WAN OUT=LAN SRC=192.168.1.214 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from LAN to WAN has been allowed by the firewall. For other parameters, refer to Table B-1.
Recommended Action: None

DMZ to LAN Logs
Table B-23. Routing Logs: DMZ to WAN
Message: Nov 29 09:44:06 FVS338 kernel: DMZ2LAN DROP IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from DMZ to LAN has been dropped by the firewall. For other parameters, refer to Table B-1.
Recommended Action: None

WAN to DMZ Logs
Table B-24. Routing Logs: WAN to DMZ
Message: Nov 29 09:19:43 FVS338 kernel: WAN2DMZ ACCEPT IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation: This packet from WAN to DMZ has been allowed by the firewa
35. Europe: 230V, 50 Hz input
Japan: 100V, 50/60 Hz input
Physical Specifications
Dimensions: 1.1 x 6.89 x 4.65 in
Weight: 0.3 kg (0.66 lb)

Table A-2. VPN firewall Default Technical Specifications
Feature: Specification
Environmental Specifications
Operating temperature: 0 to 40 °C (32 to 104 °F)
Operating humidity: 90% maximum relative humidity, noncondensing
Electromagnetic Emissions: Meets requirements of FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B
Interface Specifications
LAN: 10BASE-T or 100BASE-Tx, RJ-45
WAN: 10BASE-T or 100BASE-Tx, and 9-pin DIN Serial

Appendix B. System Logs and Error Messages
This appendix uses the following log parameter terms.
Table B-1. Log Parameter Terms
Term: Description
FVS338: System identifier
kernel: Message from the kernel
CODE: Protocol code (e.g., protocol is ICMP, type 8 and CODE 0 means successful reply)
DEST: Destination IP Address of the machine to which the packet is destined
36. Figure 6-13
DHCP Log
You can view the DHCP log from the LAN Setup screen. Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link.
Figure 6-14 (Network Configuration > LAN Setup screen with the DHCP Log window showing "No Data Available", with refresh and clear log buttons)
Performing Diagnostics
You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets. Select Monitoring from the main menu and Diagnostics from the submenu. The Diagnostics screen will display.
Note: For normal operation, diagnostics are not required.
Diagnostics screen (Monitoring > Diagnostics: IP Address field)
37. Figure 4-9 (Add Inbound Service screen; Log set to Never)
Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-10). This rule is different from a normal inbound port forwarding rule in that the Destination box contains an IP address other than your normal WAN IP address.
Figure 4-10 (LAN WAN Rules screen: Default Outbound Policy Allow Always; Outbound Services table; Inbound Services table listing the HTTP rule, Allow Always, LAN Server IP Address 192.168.1.2, WAN Users ANY, with a specific Destination address)
To test the connection from a PC on the Internet, type http://<IP_address>, where <IP_address> is the public IP address you have mapped to your Web server. You should see the home page of your Web server.
Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN as this host:
1. Create an inbound ru
38. The Local WAN IP address is the address used in the IKE negotiation phase. Automatically, the WAN IP address assigned by your ISP may display. You can modify the address to use your FQDN (required if the WAN Mode you selected is auto-rollover).
Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway; otherwise the secure tunnel will fail to connect. The IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
Click Apply to save your settings. The VPN Policies table will display, showing your VPN policy. You can click the IKE Policies tab to view the corresponding IKE Policy.
Creating a VPN Tunnel Connection to a VPN Client
You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. Multiple remote VPN Client policies can also be set up through the VPN Wizard by changing the default End Point Information settings. A remote client policy can support up to 25 clients. The remote clients must configure the Local Identity field in their policy as PolicyName.fvs_remote.com.
To create a VPN Client Policy using the VPN Wizard:
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
2. Select VPN Client as your VPN tunnel connection. The wizard needs to know if you are planning to conn
39. IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Explanation: This packet is blocked by keyword blocking. The URL blocked due to keyword blocking is shown by URL, along with source and destination IP addresses, protocol, source port, and destination port. For other parameters, refer to Table B-1.
Recommended Action: None

Message: Jan 23 16:53:32 FVS338 kernel: JAVA_BLOCKED URL>www.java.com/js/css.js IN=SELF OUT=SELF SRC=192.168.10.210 DST=72.5.124.95 PROTO=TCP SPT=4294 DPT=80
Explanation: This packet is blocked by content filtering for Java components. The URL blocked due to Java content filtering is shown by URL, along with source and destination IP addresses, protocol, source port, and destination port. For other parameters, refer to Table B-1.
Recommended Action: None

Message: Jan 23 16:56:08 FVS338 kernel: COOKIE_BLOCKED URL>www.java.com/en/img/headline/340x155_sportsforeveryone.jpg IN=SELF OUT=SELF SRC=192.168.10.210 DST=72.5.124.95 PROTO=TCP SPT=4321 DPT=80
Explanation: This packet is blocked by content filtering for cookies. The URL blocked due to cookie filtering is shown by URL, along with source and destination IP addresses, protocol, source port, and destination port. For other parameters, refer to Table B-1.
Recommended Action: None

Message: Jan 23 16:53:32 FVS338 kernel: JAVA_BLOCKED URL>www.java.com/js/css.js IN=SELF O
40. LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 4, "Firewall Protection and Content Filtering".
Configuring Multi Home LAN IPs
If you have computers using different IP networks in the LAN (for example, 172.16.2.0, 10.0.0.0), then you can add aliases to the LAN port and give computers on those networks access to the Internet.
Figure 3-2 (Network Configuration > LAN Setup screen: Available Secondary LAN IPs table with IP Address, Subnet Mask and Action columns; Add Secondary LAN IP Address fields)
The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the router.
• IP Address: The IP address alias added to the LAN port of the router. This is the gateway for computers that need to access the Internet.
• Subnet Mask: IPv4 Subnet Mask.
• Action: Edit. Click to make changes to the selected entry.
• Select All: Selects all the entries in the Available Secondary LAN IPs table.
• Delete: Deletes selected entries from the Available Secondary LAN IPs table.
To add a secondary LAN IP address:
1. Type in the IP Address and the Subnet Mask in the respective text fields.
2. Click Add.
Note: Additional IP addresses cannot be configured in the DHCP server. T
41. None
WAN Status
This section describes the logs generated by the WAN component. If there are two ISP links for Internet connectivity, the router can be configured either in Auto Rollover Mode or Load Balancing Mode.
Load Balancing
When WAN mode is configured to Load Balancing, both WANs are active simultaneously and the traffic is balanced among them. If one of the WAN links goes down, all traffic is diverted to the WAN link which is active. This section describes the logs generated when the WAN mode is set to load balancing.

Table B-8. System Logs: WAN Status, Load Balancing
Message:
Dec 1 12:11:27 FVS338 wand: LBFO Restarting WAN1_
Dec 1 12:11:31 FVS338 wand: LBFO Restarting WAN2_
Dec 1 12:11:35 FVS338 wand: LBFO WAN1 UP WAN2 UP _
Dec 1 12:24:12 FVS338 wand: LBFO WAN1 UP WAN2 DOWN _
Dec 1 12:29:43 FVS338 wand: LBFO Restarting WAN2_
Dec 1 12:29:47 FVS338 wand: LBFO WAN1 UP WAN2 DOWN _
Explanation:
Message 1 and Message 2 indicate that both WANs are restarted.
Message 3: This message shows that both WANs are up and the traffic is balanced between the two WAN interfaces.
Message 4: This message shows that one of the WAN links is down. At this point, the entire traffic is directed through the WAN which is up.
Recommended Action: None
42. Figure 2-6 (Dial-up ISP Settings screen: User Name, Password, Telephone, Alternative Telephone; Dial-up Connection Status; Connect automatically or Connect and disconnect; Default or Custom; Internet IP Address: Get Dynamically from ISP)
Manually Configuring Your Internet Connection
If you know your Broadband ISP connection type, you can bypass the Auto Detect feature and connect your router manually. Ensure that you have all of the relevant connection information, such as IP addresses, account information, type of ISP connection, etc., before you begin. Unless your ISP assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP.
Broadband ISP Settings screen (ISP Login: Does Your Internet Connection Require a Login? Yes/No; Login, Password. ISP Type: Which type of ISP connection do you use? Austria (PPTP), Other, PPPoE, BigPond Cable; Account Name, Domain Name, Login Server; Idle Timeout: Keep Connected or Idle Time 5 Minutes; My IP Address, Server IP Address. Internet IP Address. Domain Name Server (DNS) Servers: Get Dynamically from ISP or Use Stati
43. VPN policies, LAN/WAN settings, and other settings will be lost. Please back up your settings if you intend on using them.
Figure 6-4 (Administration > Settings Backup and Firmware Upgrade screen: Save a copy of current settings (backup); Restore saved settings from file (Browse, restore); Revert to factory default settings (default); Locate and select the upgrade file from your hard disk (Browse, upload))
Router Upgrade
You can install a different version of the VPN firewall firmware from the Settings Backup & Upgrade screen. To view the current version of the firmware that your VPN firewall is running, select Monitoring from the main menu. The Router Status screen will display all of the VPN firewall router statistics. When you upgrade your firmware, the Firmware Version will change to reflect the new version.
To download a firmware version:
1. Go to the NETGEAR Web site at http://www.netgear.com/support and click on Downloads.
2. From the Product Selection pull-down menu, select your product.
3. Select the software version and follow the To Install steps to download your software.
After downloading an upgrade file, you may need to unzip (uncompress) it before upgrading the router. If Release Notes are included in the download, read them before continuing.
44. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com.
Printing a PDF Chapter
Use the PDF of This Chapter link at the top left of any page.
• Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window.
• Click the print icon in the upper left of your browser window.
Printing a PDF version of the Complete Manual
Use the Complete PDF Manual link at the top left of any page.
• Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual opens in a browser window.
• Click the print icon in the upper left of your browser window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
Revision History
Part Number / Version Number / Description
202-10046-02 / 1.0 / Product update: New firmware and new user interface
202-10046-03 / 1.0 / Remove Trend Micro
202-10046-04 / 1.0 / Updated features
202-10046-05 / 1.0 / New features: IP/MAC Binding, Bandwidth Limits, Session Limits, IKE Keep Alive, Dead Peer Detection, Oray support
202-10046-05 / 1.1 / Document corrections
202-10046-05 / 1.2 / Document additions to Appendix B
202
45. a Web server or game server, visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding.
Whether or not DHCP is enabled, and how the PCs will access the server's LAN address, impact the Inbound Rules. For example:
• If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address may change periodically as the DHCP lease expires. Consider using Dynamic DNS (under Network Configuration) so that external users can always find your network (see "Configuring Dynamic DNS (If Needed)" on page 2-16).
• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN Groups menu (under Network Configuration) to keep the PC's IP address constant (see "Setting Up Address Reservation" on page 3-10).
• Local PCs must access the local server using the local LAN address of the PC. Attempts by local PCs to access the server using the external WAN IP address will fail.
Note: See "Setting Up Port Triggering" on page 4-28 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.
46. a rollover using the new WAN IP address. The use of fully qualified domain names is mandatory when the WAN ports are in rollover mode (see "Configuring the WAN Mode" on page 2-15); it is also required for the VPN tunnels to fail over. When using rollover mode, you must configure a Dynamic DNS service (see "Configuring Dynamic DNS (If Needed)" on page 2-16 to select and configure the Dynamic DNS service).

Setting up a VPN Connection using the VPN Wizard
Setting up a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard can assist in guiding you through the setup procedure by asking you a series of questions that will determine the IPSec keys and VPN policies it sets up. It also will set the parameters for the network connection: Security Association, traffic selectors, authentication algorithm, and encryption. The parameters used by the VPN Wizard are based on the VPNC recommendations.
Creating a VPN Tunnel to a Gateway
You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. You can also set up multiple remote VPN Client policies through the VPN Wizard. A remote client policy can support up to 25 clients.
To create a VPN tunnel gateway policy using the VPN Wizard:
1. Select VPN from the main
47. and Network Management
Performance Management ... 6-1
VPN Firewall Features That Reduce Traffic ... 6-1
  Service Blocking ... 6-2
  Block Sites ... 6-3
  Source MAC Filtering ... 6-4
VPN Firewall Features That Increase Traffic ... 6-4
  Port Forwarding ... 6-4
  Port Triggering ... 6-6
  VPN Tunnels ... 6-6
Using QoS to Shift the Traffic Mix ... 6-7
Tools for Traffic Management ... 6-7
(title unreadable) ... 6-7
Changing Passwords and Settings ... 6-7
Enabling Remote Management Access ... 6-9
Using SNMP ... 6-12
Settings Backup and Firmware Upgrade ... 6-14
  Backup and Restore Settings ... 6-14
  Router Upgrade ... 6-15
Setting the Time Zone ... 6-16
Monitoring (rest of title unreadable) ... 6-17
Enabling the Traffic Meter ... 6-18
Setting Login Failures and Attacks Notification ...
48. certified that the ProSafe VPN Firewall 50 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.
Additional Copyrights
AES
Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK. All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this
• Keyword and Domain Name Blocking. You can specify up to 32 words that, should they appear in the Web site name (URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall. You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked; blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled.

You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs, even in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.

• Web Component Blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Sites on the Trusted Domains list are still subject to Web component blocking when the blocking of a particular Web component has been enabled.

See "Setting Block Sites (Content Filtering)" on page 4-22 for the procedure on how to use this feature.

Source MAC Filtering
If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. By default t
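The interaction of the three rules above (keywords apply only to groups with blocking enabled, Trusted Domains bypass keywords but only on an exact host match, and Web component blocking still applies to trusted sites) is easy to get wrong when reasoning about a policy. The following is an added example, not NETGEAR's code or firmware logic, that models those rules so a policy can be checked against sample requests. Assumptions not stated on the page: keyword matching is case-insensitive substring matching on the full URL or newsgroup name, a LAN PC is identified by its group name, and component names are plain strings; the keywords, groups, domains and requests are constructed for the demo.

```python
"""Added example (not NETGEAR's code): a model of the FVS338 keyword,
Trusted Domains and Web Component blocking rules described above."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

MAX_KEYWORDS = 32  # limit stated in the manual


@dataclass
class ContentFilter:
    keywords: list = field(default_factory=list)
    trusted_domains: set = field(default_factory=set)     # exact host match only
    keyword_groups: set = field(default_factory=set)      # groups keyword blocking is enabled for
    blocked_components: set = field(default_factory=set)  # e.g. {"proxy", "java", "activex", "cookies"}

    def add_keyword(self, word: str) -> None:
        if len(self.keywords) >= MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords are allowed")
        self.keywords.append(word.lower())

    def _keyword_hit(self, text: str) -> bool:
        # Assumption: case-insensitive substring match, as for a URL keyword filter.
        text = text.lower()
        return any(kw in text for kw in self.keywords)

    def check_url(self, group: str, url: str) -> tuple:
        """Return ("allow" | "block", components to strip from the response)."""
        # Component blocking applies to every site, trusted or not.
        strip = sorted(self.blocked_components)
        if group not in self.keyword_groups:
            return "allow", strip          # keyword blocking not enabled for this group
        host = (urlsplit(url).hostname or "").lower()
        if host in self.trusted_domains:
            return "allow", strip          # exact-match bypass: "www.example.org" != "example.org"
        if self._keyword_hit(url):
            return "block", []
        return "allow", strip

    def check_newsgroup(self, group: str, name: str) -> str:
        """Newsgroup names are matched against the same keyword list."""
        if group in self.keyword_groups and self._keyword_hit(name):
            return "block"
        return "allow"


def build_sample_filter() -> ContentFilter:
    """Constructed configuration: keyword blocking enabled for the 'students' group only."""
    f = ContentFilter(trusted_domains={"example.org"},
                      keyword_groups={"students"},
                      blocked_components={"activex", "java"})
    for word in ("games", "casino", "example"):
        f.add_keyword(word)
    return f
```

Note that with the keyword "example" configured, http://www.example.org/ is blocked for the students group even though example.org is trusted, because the Trusted Domains bypass is an exact match on the host; the staff group is never keyword-filtered but still has ActiveX and Java stripped.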
• Support for up to 400 internal LAN users and 50K connections
• Easy, Web-based setup for installation and management
• URL keyword Content Filtering and Site Blocking Security
• Quality of Service (QoS) support for traffic prioritization
• Built-in 8-port 10/100 Mbps switch
• Extensive Protocol Support
• Login capability
• SNMP for manageability
• Front panel LEDs for easy monitoring of status and activity
• Flash memory for firmware upgrade

Full Routing on Both the Broadband and Serial WAN Ports
You can install, configure, and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:
• Internet access via either the serial or broadband port.
• Auto-rollover connectivity (fail-over) through an analog modem connected to the serial port. If the broadband Internet connection fails, after waiting for a pre-specified amount of time the FVS338 can automatically establish a backup dial-up Internet connection via the serial port on the firewall.

A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the FVS338 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
• DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood
it otherwise would have. The QoS priority settings conform to the IEEE 802.1D-1998 (formerly 802.1p) standard for class of service tag. You will not change the WAN bandwidth used by changing any QoS priority settings, but you will change the mix of traffic through the WAN ports by granting some services a higher priority than others. The quality of a service is impacted by its QoS setting, however.

See "Specifying Quality of Service (QoS) Priorities" on page 4-20 for the procedure on how to use this feature.

Tools for Traffic Management
The ProSafe VPN Firewall 50 includes several tools that can be used to monitor the traffic conditions of the firewall and control who has access to the Internet and the types of traffic they are allowed to have. See "Viewing Router Configuration and System Status" on page 6-22 for a discussion of the tools.

Administration
You can change the administrator and guest passwords and settings, configure an SNMP manager, back up settings and upgrade firmware, and enable remote management. Administrator access is read/write and guest access is read-only.

Changing Passwords and Settings
The default password for the firewall's Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. You can also configure a separate password for guests.
list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission.
This software is provided "as is" with no express or implied warranties of correctness or fitness for purpose.

Open SSL
Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)".
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote prod
menu.

Figure 5-23: Security Policy Editor (NETGEAR ProSafe VPN Client), connection modecfg_test, Authentication (Phase 1), Proposal 1: Authentication Method Pre-Shared Key; Encrypt Alg Triple DES; Hash Alg SHA-1; SA Life 3600 seconds; Key Group Diffie-Hellman Group 2.

5. Click on Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. The SA Lifetime can be longer, such as 8 hours (28800 seconds).

Security Policy Editor, Key Exchange (Phase 2), Proposal 1: IPSec Protocols, SA Life 28800 seconds (or KBytes); Compression None; Encapsulation Protocol (ESP) selected with Encrypt Alg Triple DES, Hash Alg SHA-1 and Encapsulation Tunnel; Authentication Protocol (AH) not selected.
one IP address to you. The computers that connect through the router must then be assigned IP addresses from a private subnet (for example, 192.168.1.0).

Classical Routing. In this mode, the Router performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid Internet IP address. If your ISP has allocated many IP addresses to you, and you have assigned one of these addresses to each PC, you can choose Classical Routing. Or, you can use Classical Routing for routing private IP addresses within a campus environment. Otherwise, selecting this method will not allow Internet access through this Router.

Note: The router will delete all inbound firewall rules when switching between NAT and Classical Routing.

To configure the WAN Mode:
1. Select Network Configuration from the main menu and WAN Mode from the submenu. The WAN Mode screen will display.
2. Check either the NAT or Classical Routing radio box. NAT is the default.
3. Select the Port Mode. The Port Mode settings allow you to configure your router to use only one WAN port or to select the Dialup port as a backup.
   • If you are connected to only one ISP, then check Use only single WAN port and select the WAN port that is connected to your ISP from the pull-down menu.
   If you have both ISP links connected for I
Figure 6-2: Remote Management screen (Apply / Reset buttons).

To configure your firewall for Remote Management:
1. Select the Turn Remote Management On check box.
   a. Specify what external addresses will be allowed to access the firewall's remote management. Note: For enhanced security, restrict access to as few external IP addresses as practical.
   b. To allow access from any IP address on the Internet, select Everyone.
   c. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
   d. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
2. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.
3. Click Apply to have your changes take effect.

When accessing your firewall from the Internet, the Secure Sockets Layer (SSL) will be enabled. You will enter https:// and type th
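The procedure above amounts to an allow list on the source address (Everyone, an inclusive IP address range, or one PC), a custom port constraint (1024-65535, not a common service port) and HTTPS-only access. The following is an added example, not NETGEAR's code, that evaluates a management connection attempt against exactly those three checks so you can verify a configuration before exposing the interface. The policy dictionary layout, the set of "common service ports" (the manual does not enumerate them), the function names and the sample addresses (documentation ranges) are assumptions.

```python
"""Added example (not NETGEAR's code): evaluate a remote-management
connection attempt against the Remote Management settings described above."""
import ipaddress

# The manual says not to reuse a common service port but does not list them;
# this set is an assumption. 8080 is left out because it is the manual's default.
COMMON_SERVICE_PORTS = {20, 21, 22, 23, 25, 53, 80, 110, 143, 443, 3389}


def valid_management_port(port: int) -> bool:
    """Custom port rule from step 2: 1024..65535 and not a common service port."""
    return 1024 <= port <= 65535 and port not in COMMON_SERVICE_PORTS


def source_allowed(policy: dict, source_ip: str) -> bool:
    """Step 1 choices: {"mode": "everyone"}, {"mode": "range", "start", "end"},
    or {"mode": "only", "ip"} (dictionary layout is an assumption)."""
    src = ipaddress.ip_address(source_ip)
    mode = policy["mode"]
    if mode == "everyone":
        return True
    if mode == "range":
        lo, hi = (ipaddress.ip_address(policy[k]) for k in ("start", "end"))
        if lo > hi:
            raise ValueError("range start is above range end")
        return lo <= src <= hi          # both ends inclusive
    if mode == "only":
        return src == ipaddress.ip_address(policy["ip"])
    raise ValueError(f"unknown access mode {mode!r}")


def evaluate_request(policy: dict, mgmt_port: int, source_ip: str,
                     dst_port: int, scheme: str) -> str:
    """Return 'accept' or a 'refused: ...' reason for one connection attempt."""
    if not policy.get("enabled"):
        return "refused: remote management is off"
    if not valid_management_port(mgmt_port):
        return "refused: configured management port is outside 1024-65535 or is a common service port"
    if dst_port != mgmt_port:
        return "refused: wrong port"
    if scheme != "https":
        return "refused: remote management is HTTPS only"
    if not source_allowed(policy, source_ip):
        return "refused: source address not in allow list"
    return "accept"


def sample_policy() -> dict:
    """Constructed policy: one /28-sized range of admin addresses on port 8080."""
    return {"enabled": True, "mode": "range",
            "start": "203.0.113.10", "end": "203.0.113.20", "port": 8080}
```

The order of the checks mirrors the manual's advice: a narrow source range is the control that actually limits exposure, so keep the allow list to the addresses administrators really use rather than selecting Everyone and relying on the non-standard port.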
router. This address will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.

To configure the FVS338 for additional IP addresses:
1. Select Security from the main menu and Firewall Rules from the submenu.
2. Click Add under the Inbound Services table. The Add LAN WAN Inbound Service screen will display.
3. From the Service pull-down menu, select the HTTP service for a Web server.
4. From the Action pull-down menu, select ALLOW always.
5. In the Send to LAN Server field, enter the local IP address of your Web server PC.
6. From the Public Destination IP Address pull-down menu, choose Other Public IP Address.
7. Enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server.
8. Click Apply. The rule will display in the Inbound Services table shown in Figure 4-10.

Figure 4-10: Add LAN WAN Inbound Service screen (Operation succeeded): Service HTTP; Action ALLOW always; Select Schedule (Schedule 1); Send to LAN Server; Translate to Port Number; Public Destination IP Address: Other Public IP Address; LAN Users Any (Start / Finish); WAN Users (Start / Finish).
that modem. If this is the case, you must configure your firewall to clone or spoof the MAC address from the authorized PC. Refer to "Manually Configuring Your Internet Connection" on page 2-9.

Restoring the Default Configuration and Password
This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways:
• Use the Erase function of the firewall (see "Backup and Restore Settings" on page 6-14).
• Use the reset button on the rear panel of the firewall. Use this method for cases when the administration password or IP address is not known.

To restore the factory default configuration settings without knowing the administration password or IP address, you must use the reset button on the rear panel of the firewall:
1. Press and hold the reset button until the Test LED turns on and begins to blink (about 10 seconds).
2. Release the reset button and wait for the firewall to reboot.

Because this reset requires no credentials, anyone with physical access to the rear panel can return the firewall to its default password and address; keep the unit in a physically secured location and change the password again immediately after any reset.

Problems with Date and Time
The E-Mail menu in the Time Zone section displays the current date and time of day. The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Eac
the purpose of managing your policies; it is not supplied to the remote VPN Server. If the Policy is a Client Policy, it will be prepended by an asterisk (*).

Mode: Two modes are available, either Main or Aggressive. Main Mode is slower but more secure; Aggressive mode is faster but less secure. If specifying either a FQDN or a User FQDN name as the Local ID / Remote ID, Aggressive mode is automatically selected.

Local ID: The IKE/ISAKMP identity of this device. The remote VPN must have this value as their Remote ID.

Remote ID: The IKE/ISAKMP identity of the remote VPN Gateway. The remote VPN must have this value as their Local ID.

Encr: Encryption Algorithm used for the IKE SA. The default setting using the VPN Wizard is 3DES. This setting must match the Remote VPN.

Auth: Authentication Algorithm used for the IKE SA. The default setting using the VPN Wizard is SHA1. This setting must match the Remote VPN.

DH: Diffie-Hellman Group. The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the number of bits. The VPN Wizard default setting is Group 2. This setting must match the Remote VPN.

Enable Dead Peer Detection: Dead Peer Detection is used to detect whether the peer is alive or not. If the peer is detected as dead, the IPSec and IKE Security Associations are deleted.

To gain a more complete understanding of the encryption, authentication, and DH algorithm technologies, see Ap
the VPN Wizard:
1. Select VPN from the main menu. The Policies screen will display. Click the VPN Wizard link. The VPN Wizard screen will display.
2. Check the VPN Client radio box to establish a remote VPN client.
3. Give the new connection a name, such as home.
4. Enter a value for the pre-shared key.
5. Click Apply. The VPN Policies screen will display, showing a VPN Client policy named home. Select the VPN Policies tab to display the corresponding home VPN Policy.

Note: When XAuthentication (XAUTH) is enabled, incoming VPN connections are authenticated against the FVS338 Network Database first; then, if configured, a RADIUS server is checked.

VPN Wizard Default Values
VPN Wizard screen. About VPN Wizard: The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu. Fields shown: This VPN tunnel will connect to the following peers: Gateway / VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? What is the pre-shared key? (screenshot value 12345678; Key Length 8-49 Char). End Point Information: What is the Remote Identifier Information? (fvs_remote.com) What is the Local Identifier Information?
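The IKE policy fields described above (Mode, Local ID, Remote ID, Encr, Auth, DH) and the wizard's pre-shared key length form a small set of rules that both peers must satisfy before a tunnel can come up. The following is an added example, not NETGEAR's code, that encodes those rules: it derives the exchange mode the way the manual says the firewall does (a FQDN or User FQDN identifier forces Aggressive mode), enforces the 8-49 character pre-shared key length, and checks that two peers' policies mirror each other (each side's Local ID is the other side's Remote ID, and Encr, Auth, DH and mode agree). The identifier-type names, the record layout, the policy names and the sample identifiers other than fvs_remote.com are assumptions.

```python
"""Added example (not NETGEAR's code): a model of the IKE policy fields
above, with the peer-mirroring checks the manual requires."""
from dataclasses import dataclass

FQDN_ID_TYPES = {"fqdn", "user_fqdn"}   # identifier types that force Aggressive mode (names assumed)


@dataclass(frozen=True)
class IkePolicy:
    name: str
    local_id: str
    local_id_type: str      # "ip", "fqdn" or "user_fqdn" (assumed names)
    remote_id: str
    remote_id_type: str
    encr: str = "3DES"      # VPN Wizard defaults quoted by the manual
    auth: str = "SHA1"
    dh_group: int = 2
    requested_mode: str = "main"

    @property
    def mode(self) -> str:
        """Main unless either identifier type forces Aggressive mode."""
        if {self.local_id_type, self.remote_id_type} & FQDN_ID_TYPES:
            return "aggressive"
        return self.requested_mode


def check_psk(psk: str) -> bool:
    """VPN Wizard key length rule: 8 to 49 characters."""
    return 8 <= len(psk) <= 49


def mismatches(a: IkePolicy, b: IkePolicy) -> list:
    """Return the fields on which peers a and b would fail to negotiate."""
    problems = []
    if a.local_id != b.remote_id:
        problems.append(f"{a.name}.local_id {a.local_id!r} != {b.name}.remote_id {b.remote_id!r}")
    if a.remote_id != b.local_id:
        problems.append(f"{a.name}.remote_id {a.remote_id!r} != {b.name}.local_id {b.local_id!r}")
    for fld in ("encr", "auth", "dh_group"):
        if getattr(a, fld) != getattr(b, fld):
            problems.append(f"{fld}: {getattr(a, fld)} vs {getattr(b, fld)}")
    if a.mode != b.mode:
        problems.append(f"mode: {a.mode} vs {b.mode}")
    return problems


def sample_pair():
    """Constructed mirrored policies: the firewall's 'home' policy and the client's 'to_FVS'."""
    gateway = IkePolicy("home", local_id="fvs_local.com", local_id_type="fqdn",
                        remote_id="fvs_remote.com", remote_id_type="fqdn")
    client = IkePolicy("to_FVS", local_id="fvs_remote.com", local_id_type="fqdn",
                       remote_id="fvs_local.com", remote_id_type="fqdn")
    return gateway, client
```

Run mismatches() on the two records before testing the tunnel: an empty list means the identifiers are crossed correctly and the proposals agree, which is the state the manual's "must match the Remote VPN" notes describe.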
the reason the messages appear as above is the WAN state transition logic, which is part of the failover algorithm. The above logs can be interpreted as follows. The primary link failure is properly detected after the 3rd attempt. Thereafter the algorithm attempts to restart the WAN and checks once again to see if WAN1 is still down; this results in the 4th failure-detection message. If it is still down, it starts the secondary link, and once the secondary link is up, the secondary link is marked as active. Meanwhile the secondary link has failed once more, and that results in the 5th failure-detection message. Please note that the 5th failure detection and the message suggesting the secondary link is active have the same timestamp, and so they happen in the same algorithm state-machine cycle. So although it appears that the failover did not happen immediately after 3 failures, internally the failover process is triggered after the 3rd failure and the transition to the secondary link is completed by the 5th failure. The primary link is also restarted every 3 failures until it is functional again. In the above log, the primary link was restarted after the 6th failure, i.e., 3 failures after the failover process was triggered.

Recommended Action: Check the WAN settings and the WAN failure detection method configured for the primary link.

PPP Logs
This section describes the WAN PPP connection logs. The PPP type can be configured from the web management
this field blank.
Idle Timeout: Check the Keep Connected radio box to keep the connection always on. To log out after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field. This is useful if your ISP charges you based on the amount of time you have logged in.
My IP Address: IP address assigned by the ISP to make the connection with the ISP server.
Server IP Address: IP address of the PPTP server.

Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. Select this connection and configure the following fields:
Account Name: Valid account name for the PPPoE connection.
Domain Name: Name of your ISP's domain, or your domain name if your ISP has assigned one. You may leave this field blank.
Idle Timeout: Select Keep Connected to keep the connection always on. To log out after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field.

BigPond Cable: If your ISP is Telstra BigPond Cable, select this option and fill in the Login Server and Idle Timeout fields. The Login Server is the IP address of the local BigPond Login Server in your area. You can find login server information at http://www.netgear.com.sg/support/bigpond.asp.

If your ISP has assigned a fixed (static or permanent) IP address, select the Use Static
to the same firewall rule, they will share the same class. An exception occurs in the case of an individual-type bandwidth profile, if the classes are per source IP. The source IP is the IP of the first packet of the connection:
• For the outbound rules, the source IP will be the LAN-side IP.
• For inbound rules, the source IP will be the WAN-side IP.
The class is deleted when all the connections using the class expire.

To add a Bandwidth Profile:
1. Select Security from the main menu and Bandwidth Profile from the submenu. The Bandwidth Profile screen will display.

Figure 4-20: Bandwidth Profile screen (Security > Bandwidth Profile). Table columns: Name, Bandwidth Range (kbps), Type, Direction, WAN, Action; Packets Dropped due to Bandwidth Limit: 0; buttons select all, delete, add.

The Bandwidth Profile table lists the currently defined bandwidth profiles:
• Name: Displays the user-defined name for this bandwidth profile.
• Bandwidth Range: Displays the range for the bandwidth profile.
• Type: Displays the type of bandwidth profile.
• Direction: Displays the direction of the bandwidth profile.
• WAN: Displays the WAN interface for the Load Balancing mode.

2. Click Add to add a new Bandwidth Profile. When the Add New Bandwidth Profile screen displays, enter the
traffic passing through the VPN firewall. A priority is assigned to IP packets using this service. Priorities are defined by the Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. A ToS priority for traffic passing through the VPN firewall is one of the following:
• Normal Service: No special priority is given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
• Minimize Cost: Used when data has to be transferred over a link that has a lower cost. The IP packets for services with this priority are marked with a ToS value of 1.
• Maximize Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2.
• Maximize Throughput: Used when the volume of data transferred during an interval is important, even if the latency over the link is high. The IP packets for services with this priority are marked with a ToS value of 4.
• Minimize Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a ToS value of 8.

Setting a Schedule to Block or Allow Traffic
If you defined an outbound or inbound rule to use a schedule, you ca
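The ToS values 0, 1, 2, 4 and 8 quoted above are the RFC 1349 values of the 4-bit TOS field, not of the whole byte: in the IPv4 header that byte carries a 3-bit precedence, the 4-bit TOS field and a must-be-zero bit, so a priority value p is stored as p << 1, and any rewrite of the byte also invalidates the header checksum. The following is an added example, not NETGEAR's code or an account of how the firewall marks packets, that encodes a priority into the TOS byte, reads it back from a raw header and rewrites a header with the checksum recomputed; the sample header bytes are constructed. Note that current stacks interpret the same byte as DSCP/ECN (RFC 2474), so equipment on the path may not read these bits as RFC 1349 priorities.

```python
"""Added example (not NETGEAR's code): RFC 1349 TOS-field encoding for the
five priorities above, plus an IPv4 header rewrite with checksum repair."""
import struct

TOS_VALUES = {"normal": 0, "minimize_cost": 1, "maximize_reliability": 2,
              "maximize_throughput": 4, "minimize_delay": 8}
PRIORITY_NAMES = {v: k for k, v in TOS_VALUES.items()}


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of the header's 16-bit words; 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tos_byte(priority: str, precedence: int = 0) -> int:
    """Build the TOS byte: 3-bit precedence | 4-bit TOS field | MBZ bit (RFC 1349)."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is a 3-bit field")
    return (precedence << 5) | (TOS_VALUES[priority] << 1)


def priority_from_tos_byte(value: int) -> str:
    """Read the priority back; RFC 1349 allows at most one TOS bit to be set."""
    tos_field = (value >> 1) & 0x0F
    try:
        return PRIORITY_NAMES[tos_field]
    except KeyError:
        raise ValueError(f"invalid TOS field 0b{tos_field:04b}") from None


def set_priority(header: bytes, priority: str) -> bytes:
    """Rewrite the TOS byte of an IPv4 header (keeping precedence) and fix the checksum."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    new = bytearray(header)
    new[1] = tos_byte(priority, header[1] >> 5)
    new[10:12] = b"\x00\x00"                 # checksum is computed with the field zeroed
    new[10:12] = struct.pack("!H", ipv4_checksum(bytes(new[:ihl])))
    return bytes(new)


def build_sample_header(tos: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, 192.168.1.100 -> 10.0.0.1) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, 0, 64, 6, 0,
                      bytes([192, 168, 1, 100]), bytes([10, 0, 0, 1]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```

ipv4_checksum() doubles as the verifier: run over a header whose checksum field is filled in, it returns 0, which is how you confirm a rewrite such as set_priority() left a valid packet behind.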
you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset.

Enabling Remote Management Access
Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see "Logging in to the VPN Firewall" on page 2-1).

Note: Be sure to change the firewall default configuration password to a very secure password. The ideal password should contain no dictionary words from any language and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters. See "Changing Passwords and Settings" on page 6-7 for the procedure on how to do this.

Remote Management screen (Administration > Remote Management). Allow Secure HTTP Management: Everyone / IP address range (From, To) / Only this PC; Port Number; IP Address to connect to this device, shown in the screenshot as https://194.177.0.123:8080, with the reminder "Be sure to type https not http". Allow Telnet Management: Yes / No, with the same Everyone / IP address range / Only this PC choices. Both sections carry the reminder "Be sure to change default password".
(message continued) ...0.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Packet with Invalid State.
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1
   To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0

Table B-18. System Logs: Invalid Packets (continued)
Message: 2007 Oct 1 00:44:17 FVX538 kernel INVALID REOPEN_CLOSE_CONN DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Attempt to re-open a closed session.
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1
   To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0

Message: 2007 Oct 1 00:44:17 FVX538 kernel INVALID OUT_OF_WINDOW DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Packet not in TCP window.
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1
   To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0

Message: 2007 Oct 1 00:44:17 FVX53
Figure 5-4: VPN Policies table (continued): local subnet mask 255.255.255.0, remote 192.168.2.0 / 255.255.255.0, SHA-1, 3DES; buttons select all, delete, enable, disable, add.

You can view the VPN parameters by clicking Edit in the Actions column adjacent to to_fvx. It should not be necessary to make any changes.

Figure 5-5: Edit VPN Policy screen (Operation succeeded). General: Policy Name; Policy Type (Auto Policy); Remote Endpoint (IP Address / FQDN); Enable NetBIOS. Traffic Selection: Local IP (Subnet) and Remote IP (Subnet), each with Start IP Address, End IP Address and Subnet Mask. Manual Policy Parameters: SPI Incoming and SPI Outgoing (Hex, 3-8 Chars); Encryption Algorithm; Integrity Algorithm; Key In / Key Out (DES 8 Char, 3DES 24 Char; MD5 16 Char, SHA-1 20 Char). Auto Policy Parameters: SA Lifetime (sec) 86400; SA Lifetime (KB); Encryption Algorithm 3DES; Integrity Algorithm; PFS Key Group (Group 1, 768 bit); Select IKE Policy to_fvx (View Selected); Apply / Reset.

Configuring the FVX538
To configure the
Table 1-1. Object Descriptions
Power LED: On (Green): Power is supplied to the router. Off: Power is not supplied to the router.
Test LED: On (Amber): Test mode; the system is initializing or the initialization has failed. Blinking (Amber): Writing to Flash memory (during upgrading or resetting to defaults). Off: The system has booted successfully.
MDM LED: On (Green): The serial port has successfully connected to an ISP and received an IP address. Blinking (Green): Data is being transmitted or received by the serial port. Off: The serial port has no link.
Internet LEDs, Link/Act LED: On (Green): The WAN port has detected a link with a connected Ethernet device. Blinking (Green): Data is being transmitted or received by the WAN port. Off: The WAN port has no link.
Internet LEDs, 100 LED: On (Green): The WAN port is operating at 100 Mbps. Off: The WAN port is operating at 10 Mbps.
Local LEDs, Link/Act LED: On (Green): The LAN port has detected a link with a connected Ethernet device. Blinking (Green): Data is being transmitted or received by the LAN port. Off: The LAN port has no link.
Local LEDs, 100 LED: On (Green): The LAN port is operating at 100 Mbps. Off: The LAN port is operating at 10 Mbps.

Router Rear Panel
The rear panel of the ProSafe VPN Firewall 50 (Figure 1-2) contains the On/Off switch and AC power connection.

Figure 1-2: Rear panel (label shown: DEFAULTS).
Figure 5-10: Security Policy Editor (NETGEAR ProSafe VPN Client), connection to_FVS, My Identity: Select Certificate None; ID Type Domain Name; Port; Virtual Adapter Disabled; Internet Interface Name Broadcom 440x 10/100 Integrated Controller, IP Addr 10.0.0.12.

12. Before leaving the My Identity menu, click Pre-Shared Key.
13. Click Enter Key and type your preshared key. Click OK. This key will be shared by all users of the FVS338 policy home.

Figure 5-11: Pre-Shared Key dialog: Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key. (IP Addr 192.168.1.100.)

14. In the left frame, click Security Policy (shown in Figure 5-12).
15. Select Phase 1 Negotiation Mode by checking the Aggressive Mode radio box.
16. PFS Key Group should be d
...168.1.100.
• A Metric value of 1 will work since the ISDN firewall is on the LAN.
• Private is selected only as a precautionary security measure in case RIP is activated.

RIP Configuration
RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) and is commonly used in internal networks. It allows a router to exchange its routing information automatically with other routers and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default.

Figure 3-5: RIP Configuration screen (Network Configuration > Routing > RIP Configuration): RIP Direction; RIP Version (Disabled); Authentication for RIP-2B/2M required (Yes / No); First Key Parameters and Second Key Parameters, each with MD5 Key Id, MD5 Auth Key (Length 16 Char), Not Valid Before and Not Valid After (MM/DD/YYYY HH:MM:SS); Apply / Reset.

To enable RIP:
1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display. Click the RIP Configuratio
  examples of 4-23
L
L2TP VPN Tunnel 4
LAN configuration 3-1
  ports and attached devices 6-25
LAN Security Checks
  UDP flood 4-11
LAN Setup
  Enable DHCP Server 3-3
  Enable DNS Proxy 3-3
  IP Address 3-2
  IP Address Pool 3-3
  IP Subnet Mask 3-3
  WINS Server IP 3-3
LAN Setup screen 3-1
LAN Users
  Service Blocking 6-2
LAN WAN Inbound Rules
  configuring 4-9
LAN WAN Outbound Rules
  configuring 4-8
LAN WAN Rules
  about 4-7
LAN WAN Rules screen 4-7
LEDs
  explanation of 1-5
  troubleshooting 7-2
LEDs Never Turn Off 7-2
load balancing 5-1
Local Public Web Server 4-13
Log Entry Descriptions 4-36, B-1
Login Failures
  notification of 6-19
Logs screen 4-35
M
MAC address 7-6
  spoofing 7-5
Manual VPN Policies
  creating 5-5
Mode Config screen 5-26
ModeConfig
  about 5-25, 5-26
  configuration example 5-25
  guidelines 5-26
  VPN Client configuration example 5-30
modem 2
monitoring devices
  by DHCP Client Requests 3-8
  by Scanning the Network 3-8
multicasting
  guidelines 3-14
N
NAS Identifier
  use with RADIUS 5-24
NAT 4-1, 4-4
NetBIOS 3-6
Network 4
Network Access Server 5-24
Network Address Translation 1-3
Network Address Translation. See NAT
Network Database
  creating 3-6
Network Time Protocol. See NTP
newsgroup 4-23
NTP servers
  configuring 6-16
  troubleshooting 7-7
O
One-to-One NAT Mapping 4-15
Outbound Rules 4-2
  examples of 4-18
  Fields descr
Figure 6-10: Router Statistics screen: IP Address, Subnet Mask, Gateway, Primary DNS, Secondary DNS, System up Time and MAC Address, followed by per-port counters (Tx Pkts, Rx Pkts, Collisions, Tx B/s, Rx B/s, Up Time) for the Broadband and LAN ports; Poll Interval 5 seconds, with a set interval / stop control. The page auto-refreshes.

Table 6-2. Router Configuration Status Fields
System Name: This is the Account Name that you entered in the Basic Settings page.
Firmware Version: This is the current software the router is using. This will change if you upgrade your router.
LAN Port: Displays the current settings for MAC address, IP address, DHCP role, and IP Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None.
Broadband Configuration: Indicates whether the WAN Mode is Single or Rollover and whether the WAN State is UP or DOWN. If the WAN State is up, it also displays: NAT (Enabled or Disabled); Connection Type (DHCP enabled or disabled); Connection State (Connected or Disconnected); WAN IP Address; Subnet Mask; Gateway Address; Primary and Se
VPN Tunnel Connection Status 5-7
Creating a VPN Gateway Connection Between FVS338 and FVX538 5-8
  Configuring the FVS338 5-8
  Configuring the FVX538 5-11
  Testing the Connection 5-12
Creating a VPN Client Connection (VPN Client to FVS338) 5-12
  Configuring the FVS338 5-13
  Configuring the VPN Client 5-14
  Testing the Connection 5-19
Extended Authentication (XAUTH) Configuration 5-20
  Configuring XAUTH for VPN Clients 5-21
  User Database Configuration 5-22
  RADIUS Client Configuration 5-23
Manually Assigning IP Addresses to Remote Users (ModeConfig) 5-25
  Mode Config Operation 5-26
  Setting Up ModeConfig 5-26
  Configuring the ProSafe VPN Client for ModeConfig 5-30
Certificates 5-33
  Trusted Certificates (CA Certificates) 5-33
  Self Certificates 5-34
  Managing your Certificate Revocation List (CRL) 5-37
Chapter 6 Router
73. Figure 4-2: Firewall rules table (residue). Rows such as 50.1.1.12 WAN1 Always Allow, 50.1.1.59 / 66.120.188.153 Always Allow, 50.1.1.222 WAN1 NONE Always Allow, with Select All, Delete, Enable/Disable and Add controls.
To make changes to an existing outbound or inbound service rule:
• In the Action column adjacent to the rule, click Edit to make any changes to the rule definition of an existing rule. The Outbound Service screen will display, containing the data for the selected rule (see Figure 4-3 on page 4-9).
• Click Up to move the rule up one position in the table rank, or Down to move the rule down one position in the table rank.
• Check the radio box adjacent to the rule and click Disable to disable the rule. The Status icon will change from green to grey, indicating that the rule is disabled. By default, when a rule is added to the table it is automatically enabled.
• Click Delete to delete the rule.
• Click Select All to select all rules. A check will appear in the radio box for each rule.
LAN WAN Outbound Services Rules
You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or des
74. 8 kernel INVALID ERR_HELPER_ROUTINE DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899
Explanation: Error returned from helper routine.
Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0.
Routing Logs
This section is used to configure the logging options for each network segment (such as LAN or WAN) for debugging purposes. This may generate a significant volume of log messages.
LAN to WAN Logs
Table B-19: Routing Logs, LAN to WAN
Message: Nov 29 09:19:43 FVS338 kernel LAN2WAN ACCEPT IN LAN OUT WAN SRC 192.168.10.10 DST 72.14.207.99 PROTO ICMP TYPE 8 CODE 0
Explanation: This packet from LAN to WAN has been allowed by the firewall. For other parameters, refer to Table B-1.
Recommended Action: None
LAN to DMZ Logs
Table B-20: Routing Logs, LAN to DMZ
Message: Nov 29 09:44:06 FVS338 kernel LAN2DMZ ACCEPT IN LAN OUT DMZ SRC 192.168.10.10 DST 192.168.20.10 PROTO ICMP TYPE 8 CODE 0
Explanation: This packet from LAN to DMZ has been allowed by the firewall. For other parameters, refer to Table B-1.
Recommended Action: None
75. Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
PPP: Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES
76. CERTIFICATE REQUEST. 4. Submit the CA form. If no problems ensue, the Certificate will be issued.
When you obtain the certificate from the CA, you can then upload it to your computer. Click Browse to locate the Certificate file and then click Upload. The certificate will display in the Active Self Certificates table (see Figure 5-25).
Certificates are updated by their issuing CA authority on a regular basis. You should track all of your CAs to ensure that you have the latest version and/or that your certificate has not been revoked. To track your CAs, you must upload the Certificate Identity for each CA to the CRL.
Managing your Certificate Revocation List (CRL)
CRL (Certificate Revocation List) files show Certificates which are active and certificates which have been revoked and are no longer valid. Each CA issues their own CRLs. It is important that you keep your CRLs up to date. You should obtain the CRL for each CA regularly. The CRL table lists your active CAs and their critical release dates:
• CA Identity: The official name of the CA which issued this CRL.
• Last Update: The date when this CRL was released.
• Next Update: The date when the next CRL will be released.
To upload a Certificate Identity to the CRL:
1. Click Browse and then locate the file you previously downloaded from a CA.
2. Select the Certifi
77. FVX538 using the VPN Wizard:
1. Select VPN from the main menu. The Policies screen will display.
2. Click the VPN Wizard link. The VPN Wizard screen will display.
3. Check the Gateway radio box to establish a remote VPN gateway.
4. Give the new connection a name, such as to_fvs.
5. Enter a value for the pre-shared key, and enter the WAN IP address or Internet name of the remote WAN.
6. Enter the remote LAN IP address and subnet mask.
7. Click Apply to create the to_fvs IKE and VPN policies.
Figure (VPN Wizard screen, residue). About VPN Wizard: The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu. Fields shown: This VPN tunnel will connect to the following peers (Gateway / VPN Client); Connection Name and Remote IP Type: What is the new Connection Name? to_fvs; What is the pre-shared key? 12345678 (Key Length 8-49 Char); This VPN tunnel will use the following local WAN interface: WAN1 / WAN2; End Point Information: What is the Remote WAN's IP Address or Internet Name? What is the Local WAN's IP Address or Internet Name? 10.1.0.118; Secure Connection Remote Accessibil
78. IP Address radio box and fill in the following fields:
• IP Address: Static IP address assigned to you. This will identify the router to your ISP.
• Subnet Mask: This is usually provided by the ISP or your network administrator.
• Gateway IP Address: IP address of the ISP's gateway. This is usually provided by the ISP or your network administrator.
If your ISP has not assigned a Static IP address, select the Get dynamically from ISP radio box. The ISP will automatically assign an IP address to the router using the DHCP network protocol.
4. If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries may cause connectivity issues.
Note: Domain name servers (DNS) convert Internet names such as www.google.com, www.netgear.com, etc. to Internet addresses called IP addresses. Incorrect settings here will result in connectivity problems.
Click Apply to save the settings or click Cancel to revert to the previous settings. Click Test to try and connect to the NETGEAR Web site. If you connect successfully and your settings work, then you may click Logout or go on and configure additional settin
79. Internet locations are covered by the rule based on their IP address:
• Any: The rule applies to all Internet IP addresses.
• Single address: The rule applies to a single Internet IP address.
• Address range: The rule is applied to a range of Internet IP addresses.
Services: You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Services-Based Rules on page 4-2).
Schedule: You can specify whether the rule is to be applied on the Schedule 1, Schedule 2 or Schedule 3 time schedule (see Setting a Schedule to Block or Allow Traffic on page 4-21).
See Using Rules to Block or Allow Specific Kinds of Traffic on page 4-1 for the procedure on how to use this feature.
Services
The Rules menu contains a list of predefined Services for creating firewall rules. If a service does not appear in the predefined Services list, you can define the service. The new service will then appear in the Rules menu's Services list. See Services-Based Rules on page 4-2 for the procedure on how to use this feature.
Groups and Hosts
You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic. The Network Database is an automatically maintained list o
80. Figure 6-8: Firewall Logs & E-mail screen (residue). Options shown: log segments to track (LAN to WAN, WAN to LAN, Login attempts, Secure Login attempts, Reboots, Inbound WAN Packets Dropped, Inbound LAN Packets Dropped); Enable E-Mail Logs (E-Mail Server Address, Return E-Mail Address, Send to E-Mail Address, "Do you want logs to be emailed to you?" Yes/No); Authentication (No / Login Plain / CRAM-MD5, User Name, Password, Respond to Identd from SMTP Server); Enable email alerts; Enable SysLogs (Do you want to enable syslog? Yes/No, SysLog Server, SysLog Facility); Apply and Reset buttons.
Viewing Port Triggering Status
You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu. When the Port Triggering screen displays, click the Status link.
Port Triggering Status screen (residue): Outgoing Ports (Start Port, End Port); a rule named Abstracts; table columns Rule, LAN IP Address, Open Ports, Time Remaining (Sec); Refresh button; Add Port Triggering Rule (Name, Enable, Protocol).
81. Add IKE Policy screen (residue): Identifier Type Local WAN IP / Remote WAN IP with Identifier fields; Encryption Algorithm 3DES; Authentication Algorithm SHA-1; Authentication Method Pre-shared key / RSA Signature; Pre-shared key 12345678 (Key Length 8-49 Char); Diffie-Hellman (DH) Group: Group 2 (1024 bit); SA Lifetime (sec) 28800; XAUTH Configuration: None / Edge Device (Authentication Type: User Database) / IPsec Host (Username, Password). Figure 5-16.
User Database Configuration
The User Database screen is used to configure and administer VPN Client users for use by the XAUTH server. Whether or not you use an external RADIUS server, you may want to have some users authenticated locally. These users must be added to the User Database Configured Users table.
To add a new user:
1. Select VPN from the main menu and VPN Client from the submenu. The User Database screen will display.
2. Enter a User Name. This is the unique ID of a user which will be used in the User Name field of the VPN client.
3. Enter a Password for the user and re-enter the password in the Confirm Password field.
4. Click Add. The User Name will be added to the Configured Hosts table.
(Submenu residue: Policies, VPN Wizard, Certificates, Mode Config, VPN Client)
82. PPPoE Idle Timeout Logs
Table B-9: System Logs, WAN Status, PPPoE Idle Timeout
Message:
Nov 29 13:12:46 FVS338 pppd Starting connection
Nov 29 13:12:49 FVS338 pppd Remote message Success
Nov 29 13:12:49 FVS338 pppd PAP authentication succeeded
Nov 29 13:12:49 FVS338 pppd local IP address 50.0.0.62
Nov 29 13:12:49 FVS338 pppd remote IP address 50.0.0.1
Nov 29 13:12:49 FVS338 pppd primary DNS address 202.153.32.3
Nov 29 13:12:49 FVS338 pppd secondary DNS address 202.153.32.3
Nov 29 11:29:26 FVS338 pppd Terminating connection due to lack of activity
Nov 29 11:29:28 FVS338 pppd Connect time 8.2 minutes
Nov 29 11:29:28 FVS338 pppd Sent 1408 bytes received 0 bytes
Nov 29 11:29:29 FVS338 pppd Connection terminated
Explanation:
Message 1: PPPoE connection establishment started.
Message 2: Message from PPPoE server for correct login.
Message 3: Authentication for PPP succeeded.
Message 4: Local IP address assigned by the server.
Message 5: Server side IP address.
Message 6: Primary DNS configured in WAN status page.
Message 7: Secondary DNS configured in WAN status page.
Message 8: The PPP link has transitioned to idle mode. This event occurs if there is no traffic from the LAN network.
Message 9: The time in minutes for which the link has been up.
Message 10: Data sent and received at the LAN s
83. Outgoing Trigger Port Range. Figure 6-9.
Table 6-1: Port Triggering Status data (Item / Description)
• Rule: The name of the Rule.
• LAN IP Address: The IP address of the PC currently using this rule.
• Open Ports: The Incoming ports which are associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
• Time Remaining: The time remaining before this rule is released and thus available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received.
Viewing Router Configuration and System Status
The Router Status menu provides status and usage information. From the main menu of the browser interface, click on Management, then select Router Status. The Router Status screen will display.
Router Status screen (residue): System Name FVS338; MAC Address 00:14:6c:82:85:06; Firmware Version Primary 2 0 b2 50, Secondary 1 6 47; IP Address 192.168.1.1; DHCP Enabled; IP Subnet Mask 255.255.255.0; WAN Mode Auto Rollover; WAN State UP / WAN State DOWN; NAT Enabled; Connection Type DHCP; Connection State Connected; IP Address 10.1
84. Policies menu. To configure the ModeConfig menu:
1. Select VPN from the main menu and Mode Config from the submenu. The Mode Config screen will display.
2. Click Add. The Add Mode Config Record screen will display.
3. Enter a descriptive Record Name, such as Remote Users.
4. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients. Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses, such as 172.20.xx.xx.
5. If you have a WINS Server on your local network, enter its IP address.
6. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
7. If you enable Perfect Forward Secrecy (PFS), select DH Group 1 or 2. This setting must match exactly the configuration of the remote VPN client.
8. Specify the Local IP Subnet to which the remote client will have access. Typically this is your router's LAN subnet, such as 192.168.2.1/255.255.255.0. If not specified, it will default to the LAN subnet of the device.
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
• SA Lifetime: 3600 seconds
• Authentication Algorithm: SHA-1
• Encryption Algorithm: 3DES
10. Click Apply. The new record should appear in the
85. NETGEAR ProSafe VPN Client Connection Monitor (residue): Global Statistics: Non-Secured Packets 319, Secured Packets 14, Dropped Packets 2, Secured Data (KBytes) 1; connection My Connection 10.0.0.12 / 255.255.255.255 to 192.168.1.0 / 255.255.255.0 via 10.0.0.11, protocol ALL. Figure 5-15.
Extended Authentication (XAUTH) Configuration
When connecting many VPN clients to a VPN gateway router, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the VPN gateway router to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local User Database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.
XAUTH is enabled when adding or editing an IKE Policy. Two types of XAUTH are available:
• Edge Device: If this is selected, the router is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP or RADIUS-CHAP.
• IPSec Host: If you want authentication by the remote gateway, enter a User Name and Password to be associated with t
86. • When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table.
Source MAC Filter screen (residue): Do you want to enable Source MAC Address Filtering? Yes/No; Policy for MAC Addresses listed below: Block and Permit the rest; MAC Addresses table with Select All and Delete; Add Source MAC Address (MAC Address field, Add button). Figure 4-16.
Note: For additional ways of restricting outbound traffic, see LAN WAN Outbound Services Rules on page 4-8.
To enable MAC filtering and add MAC addresses to be blocked:
1. Select Security from the main menu and Source MAC Filter from the submenu. The Source MAC Filter screen will display.
2. Check the Yes radio box in the MAC Filtering Enable section.
3. Build your list of Source MAC Addresses to be blocked by entering the first MAC address in the MAC Address field, in the form xx:xx:xx:xx:xx:xx where x is a numeric 0 to 9 or a letter between a and f inclusive, for example 00:e0:4c:69:0a.
4. Click Add. The MAC Address will be added to the Available MAC Addresses to be Blocked table. You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC Address.
5. Click Reset to cancel a MAC address
87. U.S. Robotics 56K FAX EXT PnP selection should work. If this does not work, select User Defined Modem and type in the Initial String for your modem. The Initial String is usually defined in the modem's user manual.
Dial-up Type: Check the Tone radio box if your phone line supports touch-tone dialing; select Pulse for pulse-mode dialing. Select Other (use Dial String) to configure additional options such as Auto Answer, etc.; consult your modem manual for dial strings.
Set up the traffic meter for the Dialup ISP if desired (see Programming the Traffic Meter if Desired on page 2-12).
Note: The response time of your serial port Internet connection will be slower than a broadband Internet connection.
Tip: If you experience connectivity problems with the Dialup ISP, try a different baud rate setting and ensure that the modem parameters you selected match the modem connected to the FVS338.
Setting the Router's MAC Address (Advanced Options)
Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. The default is set to Use Default Address. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you must enter th
88. OUT SELF SRC 192.168.10.210 DST 72.5.124.95 PROTO TCP SPT 4294 DPT 80
Explanation: This packet is blocked by content filtering with java components. The URL blocked due to java content filtering is URL, along with source and destination IP address, protocol, source port and destination port. For other parameters, refer to Table B-1.
Recommended Action: None
Traffic Metering Logs
Table B-13: System Logs, Traffic Metering
Message: Jan 23 19:03:44 TRAFFIC_METER TRAFFIC_METER Monthly Limit of 10 MB has reached for WAN1
Explanation: Traffic limit to WAN1 that was set as 10Mb has been reached. This stops all the incoming and outgoing traffic if configured like that in "When Limit is reached" on the Traffic Meter web page.
Recommended Action: To start the traffic, restart the Traffic Limit Counter.
Unicast Logs
Table B-14: System Logs, Unicast
Message: Nov 24 11:52:55 FVS338 kernel UCAST IN SELF OUT WAN SRC 192.168.10.1 DST 192.168.10.10 PROTO UDP SPT 800 DPT 2049
Explanation: This packet (Unicast) is destined to the device from the WAN network. For other parameters, refer to Table B-1.
Recommended Action: None
ICMP Redirect Logs
Table B-15: System Logs, Unicast Redirect
Message: Feb 2007 22 14 36 07 FVS338 k
89. VPN Remote Host Mode Config Table; a sample record is shown below.
Add Mode Config Record screen (residue): Client Pool: Record Name "Remote Users"; First Pool Starting IP 172.20.50.1 and Ending IP 172.20.50.50; Second Pool, Third Pool, WINS Server (Primary, Secondary) and DNS Server (Primary, Secondary) left at 0.0.0.0. Traffic Tunnel Security Level: PFS Key Group DH Group 2; SA Lifetime 3600 Seconds; Encryption Algorithm 3DES; Integrity Algorithm SHA-1; Local IP Address and Local Subnet Mask. Mode Config: List of Mode Config Records shows Remote Users with Pool Start IP 172.20.50.1, Pool End IP 172.20.50.50 and the remaining pools at 0.0.0.0; Select All, Delete and Add controls. Figure 5-19.
To configure an IKE Policy:
1. From the main menu, select VPN. The IKE Policies screen will display, showing the current policies in the List of IKE Policies table.
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. Enable Mode Config by checking the Yes radio box and selectin
90. established to the connected device. If a LAN port is connected to a 100 Mbps device, verify that the port's LED is green. If the port is 10 Mbps, the LED will be amber. If any of these conditions does not occur, refer to the appropriate following section.
Power LED Not On
If the Power and other LEDs are off when your firewall is turned on:
• Make sure that the power cord is properly connected to your firewall and that the power supply adapter is properly connected to a functioning power outlet.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.
If the error persists, you have a hardware problem and should contact technical support.
LEDs Never Turn Off
When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up:
• Cycle the power to see if the firewall recovers.
• Clear the firewall's configuration to factory defaults. This will set the firewall's IP address to 192.168.1.1. This procedure is explained in Restoring the Default Configuration and Password on page 7-7.
If the error persists, you might have a hardware problem and should contact technical support.
LAN or Internet Port LEDs Not On
If either the LAN LEDs or Internet LED do not light whe
91. Explanation (continued)
Message: 2007 Oct 1 00:44:17 FVX538 kernel INVALID ICMP_TYPE DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO ICMP TYPE 19 CODE 0
Explanation: Invalid ICMP Type.
Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0.
Message: 2007 Oct 1 00:44:17 FVX538 kernel INVALID TCP_FLAG_COMBINATION DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899
Explanation: Invalid TCP flag combination.
Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0.
Message: 2007 Oct 1 00:44:17 FVX538 kernel INVALID BAD_CHECKSUM DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899
Explanation: Bad Checksum.
Table B-18: System Logs, Invalid Packets (continued)
Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw ru
92. and Routing (Static IP) features of your ProSafe VPN Firewall 50. These features can be found under the Network Configuration menu of the router interface.
Configuring Your LAN (Local Area Network)
By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, WINS Server and default gateway addresses to all computers connected to the firewall LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. The firewall tests each pool address before assigning it to ensure there are no duplicate addresses on the LAN.
Using the VPN Firewall as a DHCP Server
For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See the link to Preparing a Computer for Network Access in Appendix C for an explanation of DHCP and information about how to assign IP addresses for your network.
The firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined
• Subnet Mask
• Gateway IP Address (the firewall's LAN IP address)
• Primary DNS Server (the firewall's LAN IP address)
• WINS Server, if you entered a WINS server address in the DHCP Setup menu
• Lease Time (date obtained and duration of lease)
The LAN Setup screen allows you to configure the LAN on yo
93. transfers, respectively. For other parameters, refer to Table B-1. To enable these logs from the CLI command prompt of the router, enter this command: monitor firewallLogs logger loggerConfig logFtp 1. And to disable it: monitor firewallLogs logger loggerConfig logFtp 0.
Invalid Packet Logging
Table B-18: System Logs, Invalid Packets
Message: 2007 Oct 1 00:44:17 FVX538 kernel INVALID NO_CONNTRACK_ENTRY DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899
Explanation: No Connection Tracking entry exists.
Table B-18: System Logs, Invalid Packets (continued)
Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0.
Message: 2007 Oct 1 00:44:17 FVX538 kernel INVALID RST_PACKET DROP SRC 192.168.20.10 DST 192.168.20.2 PROTO TCP SPT 23 DPT 54899
Explanation: Invalid RST packet.
Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0.
Message / Expl
94. are with the figure below. No changes should be necessary.
19. In the upper left of the window, click the disk icon to save the policy.
Figure 5-14: Security Policy Editor, NETGEAR ProSafe VPN Client (residue). Network Security Policy tree: My Connections > to_FVS > My Identity, Security Policy, Authentication (Phase 1) Proposal 1, Key Exchange (Phase 2) Proposal 1; Other Connections. Proposal settings: IPSec Protocols; SA Life Unspecified (Seconds / KBytes); Compression None; Encapsulation Protocol (ESP) checked with Encrypt Alg Triple DES, Hash Alg SHA-1, Encapsulation Tunnel; Authentication Protocol (AH).
Testing the Connection
To test your VPN connection:
1. Right-click the VPN client icon in your Windows toolbar and select Connect, and then select My Connections > to_FVS. Within 30 seconds you should receive the message "Successfully connected to My Connections\to_FVS" and the VPN client icon in the toolbar should display On.
2. For additional status and troubleshooting information, right-click the VPN client icon in your Windows toolbar and select Connection Monitor or Log Viewer, or view the VPN Logs and VPN Connection Status of the FVS338.
Connection Monitor, NETGEA
95. case-sensitive password
Internet Connection: WAN MAC Address: Use Default address; WAN MTU Size: 1500; Port Speed: AutoSense.
Local Network (LAN): LAN IP: 192.168.1.1; Subnet Mask: 255.255.255.0; RIP Direction: None; RIP Version: Disabled; RIP Authentication: Disabled; DHCP Server: Enabled; DHCP Starting IP Address: 192.168.1.2; DHCP Ending IP Address: 192.168.1.100; DMZ: Disabled.
Table A-1: FVS338 Default Settings (continued) (Feature / Default Behavior)
• Time Zone: GMT
• Time Zone Adjusted for Daylight Saving Time: Disabled
• SNMP: Disabled
• Remote Management: Disabled
• Firewall, Inbound (communications coming in from the Internet): Disabled, except traffic on port 80 (the http port)
• Firewall, Outbound (communications going out to the Internet): Enabled (all)
• Source MAC filtering: Disabled
• Stealth Mode: Enabled
Technical Specifications for the ProSafe VPN Firewall 50 are listed in the following table.
Table A-2: VPN firewall Default Technical Specifications (Feature / Specification)
• Data and Routing Protocols, Network Protocol and Standards Compatibility: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
• Power Adapter: North America 120V, 60 Hz input; United Kingdom, Australia 240V, 50 Hz input
96. at address. To change the router's default MAC Address:
Step 1: Select Network Configuration from the main menu, Broadband ISP Settings from the submenu, and click the Advanced link. Check the radio box for either (a) Use This computer's MAC address, if this is the address your ISP expects, or (b) Use this MAC Address, and enter the MAC address that your ISP expects. The format for the MAC address is XX:XX:XX:XX:XX:XX, where X is a number from 0 to 9 inclusive or an alphabetical letter between A and F inclusive.
Step 2: Click Apply to save your settings or Cancel to revert to the previous settings.
You may also change the default MTU Size and Port Speed for the Broadband link on this screen, based on the following criteria:
• MTU Size: The standard MTU (Maximum Transmit Unit) value for Ethernet networks is either 1500 Bytes or 1492 Bytes for PPPoE connections. Some ISPs may ask you to reduce the MTU, but this is rarely required and should not be done unless required by your ISP.
• Port Speed: In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port speed. This could occur on some older broadband modems. If you know that the Ethernet port on your broad
97. ateway, use with 5-8. W: WAN port, connection status 6-25; WAN Ports Status, monitoring 6-23; WAN Users, Service Blocking 6-2; Web Component Blocking 6-4; Web Components, content filtering 4-22; Web configuration, troubleshooting 7-2; Windows NetBios Server IP, see WINS Server IP; WINS Server IP, LAN Setup 3-3, with 7-2. X: XAUTH 5-13; about 5-20; configuring 5-21; Edge Device 5-20; IPSec Host 5-20; RADIUS-CHAP 5-27; RADIUS-PAP 5-21; User Database 5-21.
98. ay. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu. From the ID Type pull-down menu, select Domain name and enter the FQDN of the VPN firewall; in this example it is local_id.com. Select Gateway IP Address from the second pull-down menu and enter the WAN IP address of the VPN firewall; in this example it is 172.21.4.1.
[Figure 5-21: Security Policy Editor, NETGEAR ProSafe VPN Client. Remote Party Identity and Addressing: ID Type IP Subnet, Subnet 192.168.2.1, Mask 255.255.255.0, Protocol All. Connect using Secure Gateway Tunnel: ID Type Domain Name, local_id.com; Gateway IP Address 172.21.4.1.]
2. From the left side of the menu, click My Identity and enter the following information: (a) Click Pre-Shared Key and enter the key you configured in the FVS338 IKE menu. (b) From the Select Certificate pull-down menu, select None. (c) From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created, for example remote_id.com.
99. band modem supports 100BaseT, select 100BaseT; otherwise select 10BaseT. Use the half duplex settings if full duplex modes do not work.
[Figure 2-5: Broadband Advanced Options screen. MTU Size: Default / Custom (1500 Bytes); Port Speed: AutoSense; Router's MAC Address: Use Default Address / Use this computer's MAC / Use this MAC Address.]
You can also change the standard MTU (Maximum Transmit Unit) value for dialup modems from the Dialup ISP Settings screen. The standard value is 576 bytes, but some ISPs may require that you reduce the MTU. However, this is rarely required and should not be done unless specifically required by the ISP. To change the MTU value for your dialup modem: Step 1. Select Network Configuration from the main menu, WAN Settings from the submenu, and the Dialup ISP Settings tab. Click the Advanced link on the Dialup ISP Settings screen. 2. Select the Custom radio button and enter the MTU value in bytes. 3. Click Apply to save your settings.
[Dialup ISP Settings screen: Advanced, DIAL-UP Status, Dial-up Account, Account
100. c IP Address
[Figure 2-7: IP Address, IP Subnet Mask, Gateway IP Address; Get Automatically from ISP / Use These DNS Servers: Primary DNS Server, Secondary DNS Server.]
To manually configure your WAN1 ISP settings: Step 1. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select Yes. Otherwise, select No. 2. What type of ISP connection do you use? If your connection is PPPoE, PPTP, or BigPond Cable, then you must login. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected. If your ISP has not assigned any login information, then choose the No radio box and skip this section. For example: Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this. Then fill in the following highlighted fields: Account Name (also known as Host Name or System Name): Enter the valid account name for the PPTP connection, usually your email ID assigned by your ISP. Some ISPs require entering your full email address here. 3. Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave
101. cate Identity file. The name will appear in the File to upload field. Click Upload. The new Certificate Identity will appear in the Certification Revocation Lists table. If you have a previous CA Identity from the same CA, it should now be deleted.
Chapter 6: Router and Network Management
This chapter describes how to use the network management features of your ProSafe VPN Firewall 50. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The ProSafe VPN Firewall 50 offers many tools for managing the network traffic to optimize its performance. You can also control administrator access, be alerted to important events requiring prompt action, monitor the firewall status, perform diagnostics, and manage the firewall configuration file.
Performance Management: Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through when there is a bottleneck, and either reducing unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks from occurring in the first place. The VPN firewall has the necessary features and tools to help the network manager accomplish these goals.
VPN Firewall Features That Reduce Traffic: Features of the VPN fir
102. computers that do not support the NetBIOS protocol, the name will be displayed as Unknown. The Known PCs and Devices table lists the entries in the Network Database. For each computer or device, the following fields are displayed:
Name: The name of the computer or device. Computers that do not support the NetBIOS protocol will be listed as Unknown. In this case, the name can be edited manually for easier management. If the computer was assigned an IP address by the DHCP server, then an asterisk is appended to the name.
IP Address: The current IP address of the computer. For DHCP clients of the router, this IP address will not change. If a computer is assigned a static IP address, you must update this entry manually when the IP address of the computer changes.
MAC Address: The MAC address of the computer's network interface.
Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment, click Edit.
Action: Edit allows modification of the selected entry.
To add known PCs and devices: 1. 2. To add computers to the network database manually, fill in the following fields: Name: The name of the PC or device. IP Address Type: Select Reserved (DHCP Client) to direct the router to reserve the IP address for allocation by the DHCP ser
103. condary DNS Server Addresses; MAC Address. Dialup Configuration: Displays the same details as for WAN1 Configuration. Note: The Router Status screen displays current settings and statistics for your router. As this information is read-only, any changes must be made on other pages.
Monitoring WAN Ports Status: You can monitor the status of both of the WAN connections, the Dynamic DNS Server connections, and the DHCP Server connections. Select Network Configuration from the main menu and WAN Settings from the submenu. The Broadband ISP Settings screen will display. Click the Broadband Status link to obtain status on the Broadband port. Select the Dialup ISP Settings tab and click the Dialup Status link to obtain status on the Dialup port.
[Broadband ISP Settings screen: Network Configuration menu (WAN Mode, Dynamic DNS, LAN Setup, LAN Groups, Routing, Advanced); Broadband ISP Settings / Dialup ISP Settings, DHCP Server Detected. ISP Login: Does Your Internet Connection Require a Login? Yes / No; Login; Password. Connection Status: Connection Time 0 Days 00:11:33; Connection Type DHCP; Connection State Connected; IP Address 10.1.32.41. ISP Type: Account Name; Domain Name; Which type of ISP connection do you use? Login Se
104. d traffic is normally allowed unless the firewall is configured to disallow it. Customized Services: Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic. Quality of Service (QoS): Each service has its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change this QoS priority, if desired, to change the traffic mix through the system.
Outbound Rules (Service Blocking): The FVS338 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. Note: See Enabling Source MAC Filtering on page 4-24 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall.
Table 4-1: Outbound Rules Fields. Item / Description:
Services: Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Adding Customized Services on page 4-18).
Action: Select the desired action for outgoing connections covered by this rule: BLOCK always; BLOCK by schedule, otherwise Allow; ALLOW always
105. ded Action: None.
Login/Logout: This section describes logs generated by the administrative interfaces of the device.
Table B-5: System Logs, Login/Logout.
Message: Nov 28 14:45:42 FVS338 login: Login succeeded: user admin from 192.168.10.10. Explanation: Login of user admin from host with IP address 192.168.10.10. Recommended Action: None.
Message: Nov 28 14:55:09 FVS338 seclogin: Logout succeeded for user admin. Nov 28 14:55:13 FVS338 seclogin: Login succeeded: user admin from 192.168.1.214. Explanation: Secure login/logout of user admin from host with IP address 192.168.1.214. Recommended Action: None.
Firewall Restart: This logging is always done.
Table B-6: System Logs, Firewall Restart.
Message: Jan 23 16:20:44 FVS338 wand: FW: Firewall Restarted. Explanation: Log generated when the firewall is restarted. This log is logged when the firewall restarts after applying any changes in the configuration. Recommended Action: None.
IPSec Restart: This logging is always done.
Table B-7: System Logs, IPSec Restart.
Message: Jan 23 16:20:44 FVS338 wand: IPSEC: IPSEC Restarted. Explanation: Log generated when IPSEC is restarted. This log is logged when IPSEC restarts after applying any changes in the configuration. Recommended Action:
106. e. The router will block the traffic coming from Host2 and Host3, but allow the traffic coming from Host1 to any external network. The total count of dropped packets will be displayed. To invoke the IP/MAC Binding Table screen: 1. Select Security from the main menu and IP/MAC Binding from the sub-menu. The IP/MAC Binding screen will display.
[Figure 4-17: IP/MAC Binding screen. Security menu: Port Triggering, Bandwidth Profile, Source MAC Filter; Set Poll Interval; Do you want to enable E-mail Logs for IP/MAC Binding Violation? Yes / No (for this option, e-mailing of logs must be enabled in the Firewall Logs & E-mail page). Table columns: Name, MAC Address, IP Address, Log Dropped Packets; select all / delete; Add IP/MAC Binding.]
The IP/MAC Binding Table lists the currently defined IP/MAC Bind rules: (a) Name: Displays the user-defined name for this rule. (b) MAC Addresses: Displays the MAC Addresses for this rule. (c) IP Addresses: Displays the IP Addresses for this rule. (d) Log Dropped Packets: Displays the logging option for this rule. To edit an IP/MAC Bind rule, click Edit adjacent to the entry. To add an IP/MAC Bind rule, enter: Name: Specify an easily identifiable name for this rule. MAC Address: Specify the MAC Address for this rule
107. e application. Although the FVS338 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 4-13. To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application, or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen.
[Figure 4-13: Security > Services screen. Custom Services list: Name, Type (TCP), Priority (Normal Service). Add/Edit Custom Service: Name, Type, ICMP Type, Start Port, Finish Port, Default QoS Priority; Apply / Reset.]
To add a service: 1. Select Security from the main menu and Services from the submenu. The Services screen will display. 2. In the Add Custom Service table, enter a de
108. e Networking
[Figure 5-26: Generate Self Certificate Request screen. Name; Subject (C USA, ST C, L San); Hash Algorithm: MD5; Signature Algorithm: RSA; Signature Key Length: 512; IP Address (Optional); Domain Name (Optional); E-mail Address (Optional); generate. Self Certificate Requests table: Name Tester; select all / delete. Self Certificate Request: Certificate Details (Subject Name, Hash Algorithm, Signature Algorithm, Key Length); Data to supply to CA: PEM-encoded block from BEGIN CERTIFICATE REQUEST to END CERTIFICATE REQUEST; Save to file.]
To submit your Self Certificate request to a CA: 1. Connect to the web site of the CA. 2. Start the Self Certificate request procedure. 3. When prompted for the requested data, copy the data from your saved data file, including BEGIN CERTIFICATE REQUEST and END C
109. e Scope: This manual is written for the VPN firewall according to these specifications: Product Version: ProSafe VPN Firewall 50. Manual Publication Date: March 2008. For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix C, Related Documents. Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVS338.asp.
How to Use This Manual: The HTML version of this manual includes the following: Buttons, > and <, for browsing forwards or backwards through the manual one page at a time. A button that displays the table of contents and an index button. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual. A button to access the full NETGEAR, Inc. online knowledge base for the product model. Links to PDF versions of the full manual and individual chapters.
How to Print this Manual: To print this manual, you can choose one of the following options, according to your needs: Printing a Page from HTML: Each page in the HTML version of the manual is dedicated to a major topic. Select File > Print from the browser menu to print the page contents. Printing from PDF
110. e WAN IP address of your firewall into your browser, followed by a colon and the custom port number. For example, if your WAN IP address is 134.177.0.123 and you use port number 8080, enter the following in your browser: https://134.177.0.123:8080. The remote URL login of the router is https://IP_address:port_number or https://FullyQualifiedDomainName:port_number. If you do not use the SSL https:// address, but rather use the http:// address, the FVS338 will automatically attempt to redirect to the https:// address. Note: The first time you remotely connect to the FVS338 with a browser via SSL, you may get a message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate. Note: If you are using a dynamic DNS service such as TZO, you can always identify the IP address of your FVS338 by running tracert from the Windows Run menu. For example, enter tracert yourFVS338.mynetgear.net and you will see the IP address your ISP assigned to the FVS338.
To configure your firewall for Telnet Management: 1. Select Administration from the main menu and Remote Management from the submenu. The Remote Management screen will display. 2. Check the Allow Telnet Management radio box. 3. Specify what external addresses
111. e device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the Ping utility in your PC or workstation. Testing the LAN Path to Your Firewall: You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later: 1. From the Windows toolbar, click on the Start button and select Run. 2. In the field provided, type Ping followed by the IP address of the firewall, as in this example: ping 192.168.1.1. 3. Click on OK. You should see a message like this one: Pinging <IP address> with 32 bytes of data. If the path is working, you see this message: Reply from <IP address>: bytes=32 time=NN ms TTL=xxx. If the path is not working, you see this message: Request timed out. If the path is not functioning correctly, you could have one of the following problems: Wrong physical connections: Make sure the LAN port LED is on. If the LED is off, follow the instructions in LAN or Internet Port LEDs Not On on page 7-2. Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall. Wrong network configuration: Verify that the Ethernet card driver software and TCP/IP software are bot
112. (two unreadable Contents entries, both page B-16) Appendix C: Related Documents. Index.
About This Manual: The NETGEAR ProSafe VPN Firewall 50 FVS338 Reference Manual describes how to install, configure, and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills.
Conventions, Formats, and Scope: The conventions, formats, and scope of this manual are described in the following paragraphs. Typographical Conventions: This manual uses the following typographical conventions: Italics: Emphasis, books, CDs, file and server names, extensions. Bold: User input, IP addresses, GUI screen text. Fixed: Command prompt, CLI text, code. Italics: URL links. Formats: This manual uses the following formats to highlight special messages: Note: This format is used to highlight information of importance or special interest. Tip: This format is used to highlight a procedure that will save time or resources. Warning: Ignoring this type of note may result in a malfunction or damage to the equipment. Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death.
113. e value. Note: Some protocols, such as FTP or RTSP, create two sessions per connection, which should be considered when configuring Session Limiting. Total Number of Packets Dropped due to Session Limit: Shows the total number of packets dropped when the session limit is reached. In the Session Timeout section, modify the TCP, UDP, and ICMP timeouts as required. A session will time out if it does not receive any data for the duration of the specified timeout. The default values are 1200 seconds for TCP, 180 seconds for UDP, and 8 seconds for ICMP. Click Apply to save your settings.
Inbound Rules Examples. Hosting A Local Public Web Server: If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown in Figure 4-7.
[Figure 4-7: Add LAN WAN Inbound Service. Service: HTTP; Action: ALLOW always; Select Schedule; Send to LAN Server; Translate to Port Number; Public Destination IP Address: Broadband; LAN Users (Start/Finish); WAN Users: Any (Start/Finish); Log: Never.]
Allowing Videoconference from Restricted Addre
114. ect to a remote Gateway, or setting up the connection for a remote client PC to establish a secure connection to this device. Select a Connection Name: Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint; it is used to help you manage the VPN settings. Enter a Pre-shared Key: The key must be entered both here and on the remote VPN Gateway or the remote VPN Client. This key length should be a minimum of 8 characters and should not exceed 49 characters. This method does not require using a CA (Certificate Authority). The Remote Identifier Information and the Local Identifier Information will display with the default IKE Client Policy values: fvs_remote.com for the remote end point and fvs_local.com for the local end point. Click Apply. The VPN Client screen will display, showing that the VPN Client has been enabled. Click the IKE Policies tab to view the corresponding IKE Client Policy.
IKE Policies: The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways and provides automatic management of the keys used in IPSec. It is important to remember that: Auto-generated VPN policies must use the IKE negotiation protocol. Manually generated VPN policies cannot use the IKE negotiation protocol. IKE Policy Operation: IKE Policies are activated when
115. (unreadable entry) 3-10; Configuring Static Routes 3-10; Static Route Example 3-11; (unreadable entry) 3-12.
Chapter 4 Firewall Protection and Content Filtering: About Firewall Security 4-1; Using Rules to Block or Allow Specific Kinds of Traffic 4-1; (unreadable entry) 4-2; Outbound Rules (Service Blocking) 4-2; Inbound Rules (Port Forwarding) 4-4; Order of Precedence for Firewall Rules 4-6; Setting LAN WAN Rules 4-7; LAN WAN Outbound Services Rules 4-8; LAN WAN Inbound Services Rules 4-9; (unreadable entry) 4-10; (unreadable entry) 4-12; Inbound Rules Examples 4-13; Hosting A Local Public Web Server 4-13; Allowing Videoconference from Restricted Addresses 4-14; Setting Up One-to-One NAT Mapping 4-15; Specifying an Exposed Host 4-17; Outbound Rules Example: Blocking Instant Messenger
116. een your firewall and the cable or DSL line, or to check your Router's MAC address, see Setting the Router's MAC Address (Advanced Options) on page 2-7. 4. Set up the traffic meter for ISP1, if desired. See Programming the Traffic Meter (if Desired) on page 2-12. Note: At this point in the configuration process, you are now connected to the Internet through the broadband Ethernet WAN. Optionally, you can continue with the configuration of the dialup ISP (serial WAN) interface. The Dialup Settings screen will assist you in setting up the router to access the Internet connection using a dialup modem. Since the Dialup ISP Settings must be configured manually, you will need all of your ISP settings information before you begin. To configure the Dialup ISP (serial WAN) port: Step 1. Select Network Configuration from the main menu, WAN Settings from the submenu, and click the Dialup ISP Settings tab to display the Dialup settings screen.
[Dial-up ISP Settings screen: Advanced, DIAL-UP Status. Dial-up Account: Account User Name, Telephone, Alternative Telephone, Password. Dial-up Connection Status. Internet IP Address: Specify. Connect and Disconnect Method: Connect automatically, disconnect after idle for (min); Connect and disconnect manuall
117. entry before adding it to the table. 6. When you have completed adding MAC addresses, click Apply to save your settings.
IP/MAC Binding: IP/MAC Binding allows you to bind an IP to a MAC address and vice versa. Some machines are configured with static addresses. To prevent users from changing their static IP addresses, IP/MAC Binding must be enabled on the router. If the router sees packets with a matching IP address but with an inconsistent MAC address (or vice versa), it will drop these packets. If users have enabled the logging option for IP/MAC Binding, these packets will be logged before they are dropped. The router will then display the total number of dropped packets that violated either the IP-to-MAC Binding or the MAC-to-IP Binding.
Example: If three computers on the LAN are set up as follows: Host1: MAC address 00:01:02:03:04:05 and IP address 192.168.10.10. Host2: MAC address 00:01:02:03:04:06 and IP address 192.168.10.11. Host3: MAC address 00:01:02:03:04:07 and IP address 192.168.10.12. If all the above host entries are added to the IP/MAC Binding table, the following scenarios indicate the possible outcome: Host1: Matching IP & MAC address in IP/MAC Table. Host2: Matching IP but inconsistent MAC address in IP/MAC Table. Host3: Matching MAC but inconsistent IP address in IP/MAC Tabl
118. eply on LAN Ports. [Figure 4-5]
Session Limit: Session Limit allows you to specify the total number of sessions per user over an IP (Internet Protocol) connection allowed across the router. This feature can be enabled on the Session Limit screen, shown below. Session Limit is disabled by default.
[Figure 4-6: Security > Firewall > Session Limit screen. Do you want to enable Session Limit? Yes / No; User Limit Parameter: Percentage of Max Sessions; User Limit; Total Number of Packets Dropped due to Session Limit: 0. Session Timeout: TCP Timeout 1200 Seconds; UDP Timeout (Seconds).]
To enable Session Limit: Click the Yes radio button under Do you want to enable Session Limit. From the User Limit Parameter drop-down list, define the maximum number of sessions per IP, either as a percentage of maximum sessions or as an absolute value. The percentage is computed on the total connection capacity of the device. Enter the User Limit. If the User Limit Parameter is set to Percentage of Max Sessions, the limit is the maximum number of sessions allowed from a single source machine, as a percentage of the total connection capacity (Session Limit is a machine-based value). Otherwise, when the User Limit Parameter is set to Number of Sessions, the limit is an absolut
119. equires a login, you may have incorrectly set the login name and password. Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu. Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC's MAC address. In this case: Inform your ISP that you have bought a new network device, and ask them to use the firewall's MAC address; or Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to Configuring your Internet Connection on page 2-2.
If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typically, your ISP will provide the addresses of one or two DNS servers for your use. You may configure your PC manually with DNS addresses, as explained in your operating system documentation. Your PC may not have the firewall configured as its TCP/IP gateway.
Troubleshooting a TCP/IP Network Using a Ping Utility: Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. Th
120. er this SA. State: The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase. Action: Use this button to terminate or build the SA connection, if required.
VPN Logs: The VPN Logs screen gives log details for recent VPN activity. Select Monitoring from the main menu and VPN Logs from the submenu to view the VPN Logs. You can refresh the log display to view the most recent entries, or clear the log display to delete all the log entries.
[VPN Logs screen (Monitoring menu: Router Status, Traffic Meter, Diagnostics, Firewall Logs & E-mail): racoon startup entries dated 2006-07-06 19:53 reporting the linked OpenSSL 0.9.7c (30 Sep 2003), NAT-T enabled with ports autoconfigured, and isakmp ports 500 and 4500 opened on 10.1.32.41, 192.168.1.1 and 127.0.0.1 (port 4500 used for NAT-T); refresh log / clear log buttons.]
121. ernel: LOG_PACKET SRC 192.168.1.49 DST 192.168.1.124 PROTO ICMP TYPE 5 CODE 1. Explanation: This packet is an ICMP Redirect message sent to the router by another router. For other parameters, refer to Table B-1. To enable these logs from the CLI command prompt of the router, enter this command: monitor firewallLogs logger loggerConfig logIcmpRedirect 1. And to disable it: monitor firewallLogs logger loggerConfig logIcmpRedirect 0.
Multicast/Broadcast Logs. Table B-16: System Logs, Multicast/Broadcast.
Message: Jan 1 07:24:13 FVS338 kernel: MCAST-BCAST IN WAN OUT SELF SRC 192.168.1.73 DST 192.168.1.255 PROTO UDP SPT 138 DPT 138. Explanation: This packet (Broadcast) is destined to the device from the WAN network. For other parameters, refer to Table B-1. Recommended Action: None.
FTP Logging. Table B-17: System Logs, FTP.
Message: Feb 2007 22 14:46:56 FVS338 kernel: FTP ACTIVE SRC 192.168.10.211 DST 192.168.1.97 PROTO TCP SPT 1983 DPT 21. Feb 2007 22 14:46:56 FVS338 kernel: FTP PASSIVE SRC 192.168.10.211 DST 192.168.1.97 PROTO TCP SPT 1984 DPT 21. Feb 2007 22 19:48:17 FVS338 kernel: FTP DATA ACCEPT SRC 192.168.10.10 DST 192.168.20.10 PROTO TCP SPT 54879 DPT 6459. Explanation / Recommended Action: These packets are active and passive FTP session data tr
server, although in some cases it should be left blank on the RADIUS Server.
6. Enable a Backup RADIUS Server, if required, by following steps 2 through 5.
7. Set the Time Out Period, in seconds, that the router should wait for a response from the RADIUS server.
8. Set the Maximum Retry Count. This is the number of tries the router will make to the RADIUS server before giving up.
9. Click Reset to cancel any changes and revert to the previous settings.
10. Click Apply to save the settings.

Note: The Authentication Protocol, usually PAP or CHAP, is configured in the XAUTH section of the VPN Client screen.

[Figure 5-18: RADIUS Client screen (VPN > RADIUS Client). Fields: enable Primary RADIUS Server (Yes/No), Primary Server IP Address, Server Secret Phrase, Primary Server NAS Identifier; enable Backup RADIUS Server (Yes/No), Backup Server IP Address, Server Secret Phrase, Backup Server NAS Identifier; Time-out period (30 sec); Maximum Retry Count (4).]

Manually Assigning IP Addresses to Remote Users (ModeConfig)

To simplify the process of connecting remote VPN clients to the FVS338, the ModeConfig module can be used to assign IP addresse
service radio box you want to enable. The fields corresponding to the selection you have selected will be highlighted. Each DNS service provider requires its own parameters.
3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is near the top right of the window, opposite the DDNS service provider tabs. The link is encircled with a dashed line in Figure 2-9.
4. After setting up your account, return to the Dynamic DNS Configuration screen and fill in the required fields for the DDNS service you selected:
a. In the Host and Domain Name field, enter the entire FQDN name that your dynamic DNS service provider gave you, for example <yourname>.dyndns.org.
b. Enter the User Name, User email Address, or Account Name requested by the DDNS Service to identify you when logging into your DDNS account.
c. Enter the Password or User Key for your DDNS account.
d. If your dynamic DNS provider allows the use of wild cards in resolving your URL, you may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org.
5. Click Apply to save your configuration, or click Cancel to revert to the previous settings.

Chapter 3. LAN Configuration

This chapter describes how to configure LAN Setup, LAN Groups
set Time, Date and NTP servers:
1. Select Administration from the main menu and Time Zone from the submenu. The Time Zone screen will display.
2. From the Date/Time pull-down menu, select the Local Time Zone. This is required in order for scheduling to work correctly. The VPN firewall includes a Real Time Clock (RTC) which it uses for scheduling.
3. If supported in your region, check the Automatically Adjust for Daylight Savings Time radio box.
4. Select a NTP Server option by checking one of the following radio boxes:
- Use Default NTP Servers: If this is enabled, then the RTC (Real Time Clock) is updated regularly by contacting a Default Netgear NTP Server on the Internet.
- Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this instead and enter the name or IP address of an NTP Server in the Server 1 Name/IP Address field. If required, you can also enter the address of another NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the Default Netgear NTP servers.
5. Click Apply to save your settings, or click Cancel to revert to your previous settings.

[Figure: Time Zone screen (Administration > Time Zone), Date/Time pull-down menu showing GMT.]
[Figure 6-7: Broadband Traffic Meter screen. Fields: enable Traffic Metering on Broadband (Yes/No), Start Date, End Date, Monthly limit, Increase this month limit by, Restart Traffic Counter Now, Restart Traffic Counter at Specific Time (12:00 PM on the 1st day of the month), Block all Traffic, Send e-mail alert, Send e-mail report before restarting counter; Internet Traffic Statistics table with Incoming Traffic and Outgoing Traffic (Total MB, MB Per Day) per protocol: Email, HTTP, Others, Total.]

Setting Login Failures and Attacks Notification

Figure 6-8 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log of firewall activities to an email address, or a log of the firewall activities can be viewed, saved to a syslog server and then sent to an email address. You can view the logs by clicking View Logs.

[Figure 6-8: Firewall Logs & E-mail screen (Monitoring > Firewall Logs & E-mail). Contents: View System Logs; Log Options (Log Identifier: FVS338; Send logs according to this schedule: Unit Never, Day Sunday, Time 1:00); Security Logs and System Logs (select the types of events to email: Accepted Packets, Dropped Packets, Change of time by NTP, ...).]
firewall that can be called upon to decrease WAN-side loading are as follows:
- Service Blocking
- Block Sites
- Source MAC Filtering

Service Blocking

You can control specific outbound traffic (for example, from LAN to WAN). Outbound Services lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic.

Warning: This feature is for Advanced Administrators only. Incorrect configuration will cause serious problems.

Each rule lets you specify the desired action for the connections covered by the rule:
- BLOCK always
- BLOCK by schedule, otherwise Allow
- ALLOW always
- ALLOW by schedule, otherwise Block

As you define your firewall rules, you can further refine their application according to the following criteria:
- LAN Users: These settings determine which computers on your network are affected by this rule. Select the desired options:
  - Any: All PCs and devices on your LAN.
  - Single address: The rule will be applied to the address of a particular PC.
  - Address range: The rule is applied to a range of addresses.
  - Groups: The rule is applied to a Group (you use the Network Database to assign PCs to Groups; see Managing Groups and Hosts on page 3-6).
- WAN Users: These settings determine which
f all known PCs and network devices. PCs and devices become known by the following methods:
- DHCP Client Request: By default, the DHCP server in this Router is enabled and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. Because of this, leaving the DHCP Server feature on the LAN screen enabled is strongly recommended.
- Scanning the Network: The local network is scanned using standard methods such as ARP. This will detect active devices which are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined and will be shown as Unknown.
See Managing Groups and Hosts on page 3-6 for the procedure on how to use this feature.

Schedule

If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e., schedule 1, schedule 2 and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule. You specify the days of the week and time of day for each schedule. See Setting a Schedule to Block or Allow Traffic on page 4-21 for the procedure on how to use this feature.

Block Sites

If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall's filtering feature. By default, this feature is disabled: all requested traffic from any Web site is allowed.
specified email address. For example, your VPN firewall will log security-related events such as accepted and dropped packets on different segments of your LAN, denied incoming and outgoing service requests, hacker probes and Login attempts, and other general information based on the settings you input on the Firewall Logs & E-mail screen. In addition, if you have set up Content Filtering on the Block Sites screen (see Setting Block Sites (Content Filtering) on page 4-22), a log will be generated when someone on your network tries to access a blocked site.

You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-21 on page 4-33). Selecting all events will increase the size of the log, so it is good practice to select only those events which are required.

[Figure 4-21: Firewall Logs & E-mail screen. Log Options: Log Identifier; Accepted Packets and Dropped Packets (LAN to WAN, WAN to LAN); Change of time by NTP; Login attempts; Secure Login attempts; Reboots; All Unicast Traffic; All Broadcast/Multicast Traffic; WAN Status; Source MAC Filter; Session Limit; Bandwidth Limit; Enable E-Mail Logs; E-Mail Server Addres]
firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
- Automatic Configuration of Attached PCs by DHCP: The VPN firewall dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
- DNS Proxy: When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
- PPP over Ethernet (PPPoE): PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.

Easy Installation and Management

You can install, configure, and operate the ProSafe VPN Firewall 50 within minutes after connecting it to the network. The following features simplify installation and management tasks:
- Browser-based management
following:
a. Name: Specify an easily identifiable name for the profile.
b. Minimum Bandwidth: Specify the minimum bandwidth value in Kbps for the profile.
c. Maximum Bandwidth: Specify the maximum bandwidth value in Kbps for the profile.
d. Type: Specify the type of profile.
e. Direction: Specify the direction for the profile.
f. WAN: Specify the WAN interface (if in Load Balancing Mode) for the profile.
3. Click Apply to save your settings. Your new Bandwidth Profile will be added to the Bandwidth Profile Table.

To edit a Bandwidth Profile:
1. Click Edit adjacent to the profile you want to edit. The Edit Bandwidth Profile screen will display.
2. Modify any of the following fields:
a. Minimum Bandwidth: Specify the minimum bandwidth value in Kbps for the profile.
b. Maximum Bandwidth: Specify the maximum bandwidth value in Kbps for the profile.
c. Type: Specify the type for the profile.
d. Direction: Specify the direction for the profile.
e. WAN: Specify WAN in case of Load Balancing mode for the profile.
3. Click Apply. Your modified profile will display in the Bandwidth Profile table.

To remove an entry from the table, select the profile and click Delete. To remove all the profiles, click Select All and then click Delete.

E-Mail Notifications of Event Logs and Alerts

The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a speci
information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The Up and Down buttons allow you to relocate a defined rule to a new position in the table.

Setting LAN WAN Rules

The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the LAN to the Internet (Outbound) or coming in from the Internet to the LAN (Inbound). The default policy can be changed to block all outbound traffic and enable only specific services to pass through the router.

To change the Default Outbound Policy:
1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen will display.
2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply.

[Figure: LAN WAN Rules screen. Tabs: LAN WAN Rules, Attack Check. Columns: Service Name, Filter, LAN Users, WAN Users, Priority; buttons: select all, delete, enable, disable, add; Default Outbound Policy: Allow.]
g the Mode Config record you just created from the pull-down menu. You can view the parameters of the selected record by clicking the View selected radio box. Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by a FQDN.
4. In the General section:
a. Enter a description name in the Policy Name Field, such as salesperson. This name will be used as part of the remote identifier in the VPN client configuration.
b. Set Direction/Type to Responder.
c. By default, the Exchange Mode is set to Aggressive.
5. For Local information:
d. Select Fully Qualified Domain Name for the Local Identity Type.
e. Enter an identifier in the Remote Identity Data field that is not used by any other IKE policies. This identifier will be used as part of the local identifier in the VPN client configuration.
6. Specify the IKE SA parameters. These settings must be matched in the configuration of the remote VPN client. Recommended settings are:
- Encryption Algorithm: 3DES
- Authentication Algorithm: SHA-1
- Diffie-Hellman Group: 2
- SA Lifetime: 3600 seconds
7. Enter a Pre-Shared Key that will also be configured in the VPN client.
XAUTH is disabled by default. To enable XAUTH, select:
- the Edge Device radio button to use this router as a VPN concentrator where one or more gateway tunnels terminate. If selected, you must specify the Authentication Type to be used in verifying credentials of the re
gs. You can also click on the Broadband Status link or the Current IP Address link to check on connection status and current IP address.

Programming the Traffic Meter (if Desired)

The traffic meter is useful when an ISP charges by traffic volume over a given period of time, or if you want to look at traffic types over a period of time.

To enable the traffic meter:
1. From the primary menu, select Monitoring and then select Traffic Meter from the secondary menu. The Broadband Traffic Meter screen will display.
2. Fill out the information described in Table 2-2.
3. Click Apply to apply the settings, or click Cancel to return to the previous settings.
4. Select the Dialup Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter for the Dialup port, if required.

[Figure: Broadband Traffic Meter screen (Monitoring > Traffic Meter). Fields: enable Traffic Metering on Broadband (Yes/No); Traffic Counter; When Limit is reached: No Limit / Download only / Both Directions; Monthly Limit (MB); Increase this month limit by (MB); This month limit (MB); Restart Traffic Counter Now; Restart Traffic Counter at Specific Time (AM/PM, on t
Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:
- Date and time shown is Thu Jan 01 00:01:52 GMT 1970. Cause: The firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the firewall, wait at least five minutes and check the date and time again.
- Time is off by one hour. Cause: The firewall does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked Adjust for Daylight Savings Time.

Appendix A. Default Settings and Technical Specifications

You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset.
- To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below.
- Pressing the reset button for a shorter period of time will simply cause your device to reboot.

Table A-1. FVS338 Default Settings
Feature | Default Behavior
Router Login:
  User Login URL | http://192.168.1.1
  User Name (case sensitive) | admin
  Login Password (c
h installed and configured on your PC or workstation. Verify that the IP address for your firewall and your workstation are correct and that the addresses are on the same subnet.

Testing the Path from Your PC to a Remote Device

After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type:
PING -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
- Check that your PC has the IP address of your firewall listed as the default gateway. If the IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC's Network Control Panel.
- Check to see that the network address of your PC (the portion of the IP address specified by the netmask) is different from the network address of the remote device.
- Check that your cable or DSL modem is connected and functioning.
- If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu.
- Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to
The hosts on the secondary subnets must be manually configured with the IP addresses, gateway IP and DNS server IPs.

Warning: Make sure the secondary IP addresses are different from the LAN, WAN, DMZ and any other subnet attached to this router.

Example:
WAN1 IP address 10.0.0.1 with subnet 255.0.0.0
WAN2 IP address 20.0.0.1 with subnet 255.0.0.0
DMZ IP address 192.168.10.1 with subnet 255.255.255.0
LAN IP address 192.168.1.1 with subnet 255.255.255.0
Secondary LAN IP 192.168.20.1 with subnet 255.255.255.0

Managing Groups and Hosts

The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts that are assigned dynamic IP addresses by this router. Collectively, these entries make up the Network Database. The Network Database is created in two ways:
- Using the DHCP Server: The router's DHCP server will accept and respond to DHCP client requests from PCs and other network devices. Every computer that is responded to will be added to the Network Database in the Known PCs and Devices table.
- Scanning the Network: The router will scan the local network periodically using standard methods such as ARP and NetBIOS to detect active computers or devices which are not DHCP clients. For computers that do not support the NetBIOS protocol, the
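The warning above is easy to get wrong by hand when masks differ (a /8 on the WAN side swallows a lot of address space). The following check is an added example and not NETGEAR code: it takes the manual's example interface addresses, expresses each address/mask pair as a network, and rejects a candidate secondary LAN subnet that overlaps any of them. The interface names and the `conflicts` function are this example's own; the addresses come from the example above.

```python
"""Reject a secondary LAN subnet that overlaps any subnet already attached
to the router (the manual's warning for secondary IP addresses).

Added example, not NETGEAR code. Interface names and addresses follow the
manual's example; the helper functions are this example's own design.
"""
import ipaddress

# Subnets attached to the router in the manual's example (address, mask).
ATTACHED = {
    "WAN1": ("10.0.0.1", "255.0.0.0"),
    "WAN2": ("20.0.0.1", "255.0.0.0"),
    "DMZ": ("192.168.10.1", "255.255.255.0"),
    "LAN": ("192.168.1.1", "255.255.255.0"),
}


def to_network(addr, mask):
    """Turn an interface address plus dotted mask into its network, e.g. 10.0.0.0/8."""
    return ipaddress.ip_interface(f"{addr}/{mask}").network


def conflicts(candidate_addr, candidate_mask, attached=ATTACHED):
    """Names of attached interfaces whose subnet overlaps the candidate subnet."""
    cand = to_network(candidate_addr, candidate_mask)
    return [name for name, (a, m) in attached.items() if cand.overlaps(to_network(a, m))]


def add_secondary(addr, mask, attached=ATTACHED):
    """Return the updated interface table with the secondary subnet added,
    or raise ValueError naming the overlapping interfaces."""
    clash = conflicts(addr, mask, attached)
    if clash:
        raise ValueError(f"{addr}/{mask} overlaps {', '.join(clash)}")
    updated = dict(attached)
    updated[f"Secondary-{len(attached) - 3}"] = (addr, mask)
    return updated


def host_settings(secondary_addr, secondary_mask):
    """Static settings a host on the secondary subnet needs (the manual says these
    hosts are configured manually): gateway and a usable address range."""
    net = to_network(secondary_addr, secondary_mask)
    hosts = list(net.hosts())
    usable = [str(h) for h in hosts if str(h) != secondary_addr]
    return {"gateway": secondary_addr, "mask": secondary_mask,
            "first_host": usable[0], "last_host": usable[-1]}


if __name__ == "__main__":
    # The manual's secondary LAN 192.168.20.1/24 does not overlap anything.
    print(conflicts("192.168.20.1", "255.255.255.0"))
    # A candidate inside the WAN1 /8 is rejected.
    print(conflicts("10.5.0.1", "255.255.0.0"))
    print(host_settings("192.168.20.1", "255.255.255.0"))
```

Note that `overlaps` is symmetric, so a candidate that is larger than an existing subnet (for example 192.168.0.0/16 against the /24 LAN) is caught just as well as one that sits inside it.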
[Figure 2-8: Broadband Traffic Meter screen (continued). Fields: Restart Traffic Counter at Specific Time on the 1st day of the month; Send e-mail report before restarting counter; When Limit is reached: Block All Traffic / Block All Traffic Except E-Mail / Send e-mail alert; Internet Traffic Statistics: Start Date/Time, End Date, Outgoing Traffic Volume (MB), Incoming Traffic Volume (MB), Total Traffic Volume (MB), Average per day, % of Standard Limit, % of this Month's Limit; per-protocol Incoming and Outgoing Traffic (Total MB, MB Per Day).]

Table 2-2. Traffic Meter Settings
Parameter | Description
Enable Traffic Meter | Check this if you wish to record the volume of Internet traffic passing through the Router's Broadband or Dialup port. Broadband or Dialup can be selected by clicking the appropriate tab; the entire configuration is specific to each interface.
  No Limit | If this is selected, the specified restriction will not be applied when the traffic limit is reached.
  Download only | If this is selected, the specified restriction will be applied to the incoming traffic only.
  Both Directions | If this is selected, the specified restriction will be applied to both incoming and outgoing traffic.
Enable Monthly Limit | Use this if your ISP charges for additional traffic. If enabled, enter the monthly volume limit and select
[Figure 4-14: Schedule screen. Fields: Do you want this schedule to be active all day or at specific times during the day? (All Day / Specific Times); Start Time (Hour, Minute, AM/PM); End Time (Hour, Minute, AM/PM).]

Setting Block Sites (Content Filtering)

If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall's Content Filtering and Web Components filtering. By default, these features are disabled: all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a "Blocked by NETGEAR" message.

Several types of blocking are available:
- Web Components blocking: You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Even sites on the Trusted Domains list will be subject to Web Components blocking when the blocking of a particular Web component is enabled.
- Keyword and domain name blocking: You can specify up to 32 words that, should they appear in the Web site name (URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall. You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled.
whenever an outbound connection request is made from a computer on the LAN. The connection will be terminated if there is no data transfer during the specified time interval. Check the Connect and disconnect manually radio box to disable auto-dialing and allow manual control over connecting via dial-up. To connect manually, click the Dial-Up Status link at the top and then click Connect or Disconnect.

Internet IP Address: Dial-up ISPs usually assign the IP address automatically when connecting.
a. The default setting of Get Dynamically from ISP will configure the router to accept the ISP-assigned IP address. If your ISP has assigned a static IP address, select the Use Static IP Address radio box and enter the IP address in the IP Address field.
b. Check the Get Automatically From ISP radio box to use ISP-assigned DNS server addresses (default). To use different DNS addresses, check the Use These DNS Servers radio box and type in the DNS server IP addresses in the Primary DNS Server and Secondary DNS Server (optional) fields.
c. Click Apply to save your settings or Cancel to revert to the previous settings.

Enter any modem-specific parameters to tune the router for different modems:
a. Serial Line Speed: Select the baud rate with which the serial port of the router and the modem connect. Available speeds range from 4.8 Kbps to 460.8 Kbps.
b. Modem Type: If your modem type is listed in the pull-down menu, select it. For most 56 Kbps modems, the
this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway.

Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the router will then connect to a RADIUS server.

Configuring XAUTH for VPN Clients

Once the XAUTH has been enabled, you must establish user accounts on the Local Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.

Note: If you are modifying an existing IKE Policy to add XAUTH, if it is in use by a VPN Policy, the VPN policy must be disabled before you can modify the IKE Policy.

To enable and configure XAUTH:
1. Select VPN from the main menu and Policies from the submenu. The IKE Policies screen will display.
2. You can either modify an existing IKE Policy by clicking Edit adjacent to the policy, or create a new IKE Policy by clicking Add.
Note: If the IKE policy is in use by a VPN Policy, you must either disable or delete the VPN policy before making changes to the IKE Policy.
3. In the Extended Authentication section, select the Authentication Type from the pull-down menu which will be used to verify user account i
This feature is disabled: all traffic received from PCs with any MAC address is allowed. See Enabling Source MAC Filtering on page 4-24 for the procedure on how to use this feature.

VPN Firewall Features That Increase Traffic

Features that tend to increase WAN-side loading are as follows:
- Port forwarding
- Port triggering
- DMZ port
- Exposed hosts
- VPN tunnels

Port Forwarding

The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you can not use it (i.e., the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic.

Warning: This feature is for Advanced Administrators only. Incorrect configuration will cause serious problems.

You can control specific inbound traffic (i.e., from WAN to LAN and from WAN to DMZ). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic.

Each rule lets you specify the desired action for the connections covered by the rule:
- BLOCK always
- BLOCK by schedule, otherwise Allow
- ALLOW always
- ALLOW by schedule, otherwise Block
You can also enable a check on special rules
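The Service Blocking, rule-ordering and Port Forwarding passages above all describe the same evaluation model: a packet is tried against the rules table top to bottom, the first matching rule decides (ALLOW or BLOCK, either always or only inside a schedule window), and the default policy applies when nothing matches. The following is an added example, not FVS338 firmware code, that implements that model for the four actions the manual lists and the LAN/WAN user selectors Any, Single address and Address range. The rule names, the schedule representation and the `shadowed_rules` check are this example's own; the second function makes concrete the manual's advice to put the most specific rules at the top, by finding rules that an earlier, broader rule prevents from ever firing.

```python
"""First-match firewall rule evaluation with schedule-based actions.

Added example, not NETGEAR firmware. Actions and user selectors follow the
manual's description; data structures and the shadowing check are this
example's own design.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Schedule:
    days: frozenset          # days on which the window applies, e.g. {"Mon", ...}
    start_hour: int          # window is [start_hour, end_hour)
    end_hour: int

    def active(self, day, hour):
        return day in self.days and self.start_hour <= hour < self.end_hour


@dataclass(frozen=True)
class Rule:
    name: str
    service: str             # "ANY" or a service name such as "HTTP"
    lan_users: str           # "ANY", one address, or "start-end" range
    wan_users: str           # same forms as lan_users
    action: str              # "BLOCK always" | "BLOCK by schedule" | "ALLOW always" | "ALLOW by schedule"
    schedule: Optional[Schedule] = None


def _addr_bounds(spec):
    """Lowest and highest address covered by a selector; None for ANY."""
    if spec == "ANY":
        return None
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo, hi
    a = ipaddress.ip_address(spec)
    return a, a


def _addr_matches(spec, ip):
    b = _addr_bounds(spec)
    return b is None or b[0] <= ipaddress.ip_address(ip) <= b[1]


def _covers(broad, narrow):
    """True if selector `broad` matches every address selector `narrow` matches."""
    bb, nb = _addr_bounds(broad), _addr_bounds(narrow)
    if bb is None:
        return True
    if nb is None:
        return False
    return bb[0] <= nb[0] and nb[1] <= bb[1]


def rule_matches(rule, service, lan_ip, wan_ip):
    return (rule.service in ("ANY", service)
            and _addr_matches(rule.lan_users, lan_ip)
            and _addr_matches(rule.wan_users, wan_ip))


def disposition(rule, day, hour):
    """Resolve the four manual actions into ALLOW or BLOCK for this moment.
    'BLOCK by schedule' means block inside the window, otherwise allow (and
    vice versa for 'ALLOW by schedule')."""
    verb, _, mode = rule.action.partition(" ")
    if mode == "always":
        return verb
    in_window = rule.schedule is not None and rule.schedule.active(day, hour)
    if in_window:
        return verb
    return "ALLOW" if verb == "BLOCK" else "BLOCK"


def evaluate(rules, default, service, lan_ip, wan_ip, day, hour):
    """Walk the table top to bottom; first match wins; else the default policy."""
    for rule in rules:
        if rule_matches(rule, service, lan_ip, wan_ip):
            return rule.name, disposition(rule, day, hour)
    return "default", default


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule matches
    everything they match (the ordering mistake the manual warns about)."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.service in ("ANY", later.service)
                    and _covers(earlier.lan_users, later.lan_users)
                    and _covers(earlier.wan_users, later.wan_users)):
                shadowed.append(later.name)
                break
    return shadowed


WORKDAYS = frozenset({"Mon", "Tue", "Wed", "Thu", "Fri"})
# Constructed outbound table: the specific block rule is wrongly placed below a broad allow.
OUTBOUND = [
    Rule("allow-web", "HTTP", "ANY", "ANY", "ALLOW always"),
    Rule("block-lab-web", "HTTP", "192.168.1.100-192.168.1.120", "ANY", "BLOCK always"),
    Rule("block-p2p-workhours", "P2P", "ANY", "ANY", "BLOCK by schedule", Schedule(WORKDAYS, 9, 17)),
]

if __name__ == "__main__":
    print(shadowed_rules(OUTBOUND))                                        # ['block-lab-web']
    print(evaluate(OUTBOUND, "ALLOW", "HTTP", "192.168.1.105", "203.0.113.9", "Mon", 10))
    fixed = [OUTBOUND[1], OUTBOUND[0], OUTBOUND[2]]                        # specific rule moved up
    print(evaluate(fixed, "ALLOW", "HTTP", "192.168.1.105", "203.0.113.9", "Mon", 10))
```

Running the block shows why the Up and Down buttons matter: with the table as constructed, the lab hosts' web traffic is allowed by the first rule and the block rule is dead; moving the block rule above the broad allow makes it effective without touching either rule's contents.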
side during the link was up.
Message 11: PPP connection terminated after idle timeout.
Recommended Action: To reconnect during idle mode, initiate traffic from the LAN side.

PPTP Idle Timeout Logs

Table B-10. System Logs: WAN Status, PPTP Idle Timeout
Message:
Nov 29 11:19:02 FVS338 pppd: Starting connection
Nov 29 11:19:05 FVS338 pppd: CHAP authentication succeeded
Nov 29 11:19:05 FVS338 pppd: local IP address 192.168.200.214
Nov 29 11:19:05 FVS338 pppd: remote IP address 192.168.200.1
Nov 29 11:19:05 FVS338 pppd: primary DNS address 202.153.32.2
Nov 29 11:19:05 FVS338 pppd: secondary DNS address 202.153.32.2
Nov 29 11:20:45 FVS338 pppd: No response to 10 echo-requests
Nov 29 11:20:45 FVS338 pppd: Serial link appears to be disconnected
Nov 29 11:20:45 FVS338 pppd: Connect time 1.7 minutes
Nov 29 11:20:45 FVS338 pppd: Sent 520 bytes, received 80 bytes
Nov 29 11:20:51 FVS338 pppd: Connection terminated
Explanation:
Message 1: Starting PPP connection process.
Message 2: Message from server for authentication success.
Message 3: Local IP address assigned by the server.
Message 4: Server-side IP address.
Message 5: Primary DNS, configured in WAN status page.
Message 6: Secondary DNS, configured in WAN status page.
Message 7: Sensing idle link.
Message 8: Idle link sensed.
client to gateway 5-19
time
  daylight savings 7-7
  troubleshooting 7-7
Time Zone, setting of 6-16
Time Zone screen 6-16
ToS
  service levels 4-21
  used with QoS 4-20
Traffic
  features that increase 6-4
  management of 6-7
  reducing 6-1
Traffic Meter, about 6-18
traffic meter, programming 2-12
Troubleshooting 7-1
  Date and Time 7-7
  ISP connection 7-4
  LEDs 7-2
  LEDs Never Turn Off 7-2
  NTP 7-7
  Power LED Not On 7-1
  Web configuration 7-2
Trusted Certificates 5-33
  about 5-33

U
UDP flood, denial of service attack 4-11
upgrade firmware 6-14
upgrade router, steps to 6-16
User Database
  configuring 5-22
  XAUTH, use with 5-2
User Database screen 5-22

V
Videoconferencing, from restricted addresses 4-14
Virtual Private Networking, See VPN
VPN 5-12
  activity, monitoring 6-25
  connection, testing of 5-12
VPN Client, configuration parameters, example 5-14
VPN Gateway, configuration of, example 5-8
VPN Logs screen 6-25
VPN Pass-through 4-11
VPN Policies
  about 5-5
  Auto 5-5
  fields, definitions of 5-6
  Manual method 5-5
VPN policy, rules of use 5-6
VPN Tunnel
  Client Policy 5-3
  Client-to-Gateway, configuring 5-12
  connection status, monitoring 6-24
  Gateway, example configuration 5-8
  IPSec 4-11
  L2TP 4-11
  PPTP 4-11
VPN tunnel to gateway, setting up 5-2
VPN Tunnels 6-6
VPN Wizard, use of 5-2
VPN Wizard screen 5-2
  Client, use with 5-3
G
description of 4-3
  firewall 4-2
  port filtering 4-2
  service blocking 4-2

P
package contents 1-4
Packet Trace 6-28
Passwords
  changing 6-7
  restoring 7-7
performance management 6-1
Ping
  Troubleshooting TCP/IP 7-5
pinging an IP address 6-26
port filtering 4-2
  Outbound Rules 4-2
Port Forwarding 4-2, 4-4, 6-4
  Inbound Rules 4-4
port forwarding 6-4
port numbers 4-8
port service numbers, common protocols 4-18
Port Triggering 6-6
  about 4-28
  guidelines 4-28
  Status 4-30
  status 6-21
Port Triggering screen 4-28, 6-21
Power LED Not On 7-1
PPP over Ethernet 1-3
PPPoE 1-3
PPTP VPN Tunnel 4-11
protocols, Routing Information 1-3

Q
QoS 4-2
  about 4-20
  managing shifting traffic mix 6-7
  service levels 4-20
Quality of Service, See QoS

R
rack mounting 1-7
RADIUS Client screen 5-24
RADIUS server, configuring 5-23
RADIUS-CHAP, XAUTH, use with 5-2
RADIUS-PAP, XAUTH, use with 5-2
Reboot the Router 6-28
reducing traffic
  Block Sites 6-1
  Service Blocking 6-1
  Source MAC filtering 6-1
remote management 6-9
  access 6-9
  configuration 6-10
  telnet 6-11
Reserved IP address, about 3-10
Reserved IP addresses 3-10
Respond To Ping On Internet Ports, Attack Checks 4-10
RFC 1349, ToS 4-20
RFC 2453, RIP 3-12
RIP 1-3
  about 3-12
  enabling 3-13
  multicasting guidelines 3-14
RIP Configuration screen 3-13
rollover 5-1
Rou
entirely. The rules for VPN policy use conform to:
1. Traffic covered by a policy will automatically be sent via a VPN tunnel.
2. The VPN tunnel is created according to the parameters in the SA (Security Association).
3. The remote VPN Endpoint must have a matching SA, or it will refuse the connection.

VPN Policy Table

When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Tables on the VPN Policies screen. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN Policy and IKE Policy. You can also edit existing policies, add new VPN policies directly, or change the policy hierarchy in the Policy Table.

The Policy Table contains the following fields:
- Status: Indicates whether the policy is enabled (green circle) or disabled (grey circle). To Enable or Disable a Policy, check the radio box adjacent to the circle and click Enable or Disable as required.
- Name: Each policy is given a unique name (the Connection Name when using the VPN Wizard). Client Policies are annotated by an *.
- Type: The Type is Auto or Manual, as described previously (Auto is used during VPN Wizard configuration).
- Keep-alive: It periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive.
  - Enable Keep Alive: Check to enable.
  - Ping IP Address: Enter the IP Address to which ping packets need
146. isabled, and Enable Replay Detection should be enabled. [Figure 5-12: NETGEAR ProSafe VPN Client Security Policy Editor, Security Policy pane: Select Phase 1 Negotiation Mode (Main Mode, Aggressive Mode, Use Manual Keys); Enable Perfect Forward Secrecy (PFS); Enable Replay Detection.] 17. In the left frame, expand Authentication (Phase 1) and select Proposal 1. Compare with the figure below. No changes should be necessary. [Figure 5-13: Security Policy Editor, Authentication Method and Algorithms pane: Authentication Method Pre-Shared Key; Encryption and Data Integrity Algorithms: Encrypt Alg Triple DES, Hash Alg SHA-1, SA Life Unspecified, Key Group Diffie-Hellman Group 2.] 18. In the left frame, expand Key Exchange (Phase 2) and select Proposal 1. Comp
147. ity [Figure 5-6: VPN Wizard prompts: What is the remote LAN IP Address? What is the remote LAN Subnet Mask?] Testing the Connection: 1. From a PC on either firewall's LAN, try to ping a PC on the other firewall's LAN. Establishing the VPN connection may take several seconds. 2. For additional status and troubleshooting information, view the VPN log and status menu in the FVX538 or FVS338. Creating a VPN Client Connection (VPN Client to FVS338): This section describes how to configure a VPN connection between a Windows PC (the client, installed with the NETGEAR ProSafe VPN Client) and the VPN firewall. Using the FVS338 VPN Wizard, we will create a single set of policies (IKE and VPN) that will allow up to 50 remote PCs to connect from locations in which their IP addresses are unknown in advance. The PCs may be directly connected to the Internet or may be behind NAT routers. If more PCs are to be connected, an additional policy or policies must be created. Each PC will use the NETGEAR VPN Client. Since the PC's IP address is assumed to be unknown, the PC must always be the Initiator of the connection. This procedure was developed and tested using: NETGEAR ProSafe VPN Firewall 50 (FVS338); NETGEAR ProSafe VPN Client; NAT router: NETGEAR FR114P. Configuring the FVS338: To configure the FVS338 using
148. l allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports. Exposed Host (Software DMZ): Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network. Autosensing Ethernet Connections with Auto Uplink: With its internal 8-port 10/100 switch, the FVS338 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The firewall incorporates Auto Uplink technology. Each Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (such as to a PC) or an uplink connection (such as to a switch or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. Extensive Protocol Support: The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). IP Address Sharing by NAT: The VPN
149. le that allows all protocols. 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network. [Figure 4-11: Firewall Rules screen (Attack Checks; Default Outbound Policy: Allow Always) with the outbound and inbound rule tables; the sample inbound rule shows Service ANY, Allow Always, LAN Server IP Address 192.168.0.15, LAN Users ANY, WAN Users ANY, Destination WAN1, Log Never. Callouts: 1. Select All protocols and ALLOW Always or Allow by Schedule. 2. Place rule below all other inbound rules.] Outbound Rules Example: Blocking Instant Messenger. Outbound rules let you prevent users from using applications such as AOL Instant Messenger, Real Audio, or other non-essential sites. If you want to block AOL Instant Messenger usage by employees during working hours
150. les attackChecks configure dropInvalid 0. Message: 2007 Oct 1 00:44:17 FVX538 kernel: INVALID BAD_HW_CHECKSUM DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP TYPE=3 CODE=0. Explanation: Bad Hardware Checksum for ICMP packets. Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0. Message: INVALID MALFORMED_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899. Explanation: Malformed packet. Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0. Message: 2007 Oct 1 00:44:17 FVX538 kernel: INVALID SHORT_PACKET DROP SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899. Explanation: Short packet. Recommended Action: 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw rules attackChecks configure dropInvalid 1. To allow invalid packets and disable logging: fw rules attackChecks configure dropInvalid 0. Message: INVALID INVALID_STATE DROP SRC=192.168.20.10 DST=192.168.2
151. les the rule for any IP in the destination field; similarly, WAN1 and WAN2 correspond to the respective WAN interfaces. Services: You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Adding Customized Services on page 4-18). Schedule: You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see Setting a Schedule to Block or Allow Traffic on page 4-21). See Using Rules to Block or Allow Specific Kinds of Traffic on page 4-1 for the procedure on how to use this feature. Port Triggering: Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application. Once configured, operation is as follows: A PC makes an outgoing connection using a port number defined in the Port Triggering table. This Router records this connection, opens the additional INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC. The remote system receives the PC's request and responds using the different port numbers that you have now opened. This Route
152. ll. For other parameters, refer to Table B-1. Recommended Action: None. Appendix C: Related Documents. This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document / Link: Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm; Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm; Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm; Virtual Private Networking (VPN): http://documentation.netgear.com/reference/enu/vpn/index.htm; Glossary: http://documentation.netgear.com/reference/enu/glossary/index.htm. Index. A: Add LAN WAN Inbound Service screen, 4-9, 4-15; Add LAN WAN Outbound Service screen, 4-8; address reservation, 3-10; AH, VPN Policies use with, 5-7; ARP, 3-6; Attack Checks: Block TCP Flood, 4-10; Respond To Ping On Internet, 4-10; Stealth Mode, 4-10; Attack Checks screen, 4-10, 4-11; Attacks, Notification, 6-19; Authentication Header, see AH; Auto Uplink, 1-3; Auto VPN Policies, 5-5. B: backup and restore settings, configuration of, 6-14; Bandwidth Profile screen, 4-31; Block Sites, 6-3
153. m the submenu. The Dynamic DNS Configuration screen displays. The WAN Mode section displays the currently configured WAN Mode (Single Port or Auto-Rollover). A tab is provided for each supported DNS service provider. In the example shown, the supported DNS providers are DynDNS.org (Dynamic DNS tab), TZO.com (DNS TZO tab), and Oray.net (DNS Oray tab). [Figure 2-9: Network Configuration > Dynamic DNS screen with Dynamic DNS, DNS TZO, and DNS Oray tabs; WAN Mode: Current WAN Mode Single Port; Broadband and Dialup sections, each showing Dynamic DNS Status (service is not enabled), Host and Domain Name (example: yourname.dyndns.org), Change DNS to DynDNS.org Yes/No, User Name, Password, Use wildcards, Update every 30 days; Apply, Reset.] If you have configured Single Port, select the tab for a DNS service provider, then fill out the DDNS section for that port. If you have enabled Auto-Rollover, choose a service provider and complete both sections. Only those options that match the configured WAN Mode will be accessible. 2. Check the Dynamic DNS S
154. menu and VPN Wizard from the submenu. The VPN Wizard screen will display. 2. Select Gateway as your VPN tunnel connection. The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client PC to establish a secure connection to this device. 3. Select a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint; it is used to help you manage the VPN settings. 4. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN Gateway or the remote VPN Client. The key length should be a minimum of 8 characters and should not exceed 49 characters. This method does not require using a CA (Certificate Authority). 5. Enter the Remote WAN IP Address or Internet Name of the gateway you want to connect to. Both the remote WAN address and your local WAN address are required. When choosing these addresses, follow the guidelines in Table 5-1 above. The remote WAN IP address of the Gateway must be a public address or the Internet name of the Gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as set up in a Dynamic DNS service. Both local and remote ends should be defined as either IP addresses or Internet Names (FQDN). A combination of IP address and Internet Name is not permissible. 6. Enter your Local WAN IP Address or Internet Name.
155. mote VPN gateways. IPsec Host radio button: select this if you want this gateway to be authenticated by the remote gateway. Enter a Username and Password to be associated with the IKE policy. When this option is chosen, you will need to specify the user name and password to be used in authenticating this gateway by the remote gateway. If Edge Device was enabled, select the Authentication Type from the pull-down menu which will be used to verify account information: User Database, RADIUS-CHAP, or RADIUS-PAP. Users must be added through the User Database screen (see User Database Configuration on page 5-22 or RADIUS Client Configuration on page 5-23). Note: If RADIUS-PAP is selected, the router will first check the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server. [Figure: Add New VPN Policy screen: Do you want to use Mode Config Record? Yes/No; Select Mode Config Record; General: Policy Name, Direction/Type Responder, Exchange Mode Aggressive; Local Identification and Peer IKE Identification: Identifier Type FQDN, Identifier; IKE SA Parameters.]
156. [Figure residue, IKE SA Parameters continued: Encryption Algorithm 3DES; Authentication Algorithm SHA-1; Authentication Method Pre-shared key / RSA Signature; Diffie-Hellman (DH) Group: Group 2 (1024 bit); SA Lifetime (sec) 28800; Extended Authentication (XAUTH) Configuration: None, Edge Device, IPSec Host; Authentication Type User Database; Username, Password.] 10. Click Apply. The new policy will appear in the IKE Policies Table (a sample policy is shown). [Figure 5-20: IKE Policies table; sample row: Name salesperson, Mode Aggressive, Local ID local_id.com, Remote ID remote_id.com, Encr 3DES, DH Group 2 (1024 bit).] Configuring the ProSafe VPN Client for ModeConfig: From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon. a. Give the connection a descriptive name such as modecfg_test (this name will only be used internally). From the ID Type pull-down menu, select IP Subnet. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gatew
157. n a RIP broadcast or multicast. Check the Private radio box if you want to limit access to the LAN only; the static route will not be advertised in RIP. 5. Type the Destination IP Address or network of the route's final destination. 6. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255. [Figure 3-4: Network Configuration > Routing screen with the static route table (Name, Destination, Gateway, Interface, Metric, Active, Private, Action) and the Add Static Route form (Route Name, Active, Private, Destination IP Address, IP Subnet Mask, Interface Broadband, Gateway IP Address, Metric; Apply, Reset).] 7. From the Interface pull-down menu, select the physical network interface (Broadband, Dialup, or LAN) through which this route is accessible. 8. Enter the Gateway IP Address, which must be a firewall on the same LAN segment as the firewall, of the gateway through which the destination host or network can be reached. 9. Enter the Metric value that determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen. Usually a setting of 2 or 3 works, but if
158. n link. The RIP Configuration screen will display. From the RIP Direction pull-down menu, select the direction for the router to send and receive RIP packets: Both: the router broadcasts its routing table and also processes RIP information received from other routers. Out Only: the router broadcasts its routing table periodically but does not accept RIP information from other routers. In Only: the router accepts RIP information from other routers but does not broadcast its routing table. None: the router neither broadcasts its route table nor accepts any RIP packets from other routers. This effectively disables RIP. 4. Select the RIP Version from the pull-down menu: RIP-1: classful routing; does not include subnet information. This is the most commonly supported version. RIP-2: supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format. RIP-2B uses subnet broadcasting. RIP-2M uses multicasting (see Note below). 5. RIP authentication is disabled by default. To enable authentication for RIP-2B or RIP-2M: a. Check the Yes radio button. b. Input MD5 keys and effective and end dates for the First Key Parameters and Second Key Parameters for MD5-based authentication between routers. 6. Click Apply to save your settings. Note: Multicasting can reduce the load on non-ro
159. n provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support. When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table. Table 2-1: Internet connection methods (Connection Method: Data Required). PPPoE: Login (Username, Password). PPTP: Login (Username, Password), Local IP, and PPTP Server IP. BigPond Cable: Login (Username, Password), Account Name, and Server IP. DHCP (Dynamic IP): No data is required. Fixed IP: IP address and related data supplied by your ISP. 3. Click Broadband Status at the top right of the screen to verify your Broadband connection status. Click Connect if a connection is not already present. [Figure 2-3: Connection Status: Connection Time 0 Days 02:17:24; Connection Type DHCP; Connection State Connected; IP Address 10.1.32.41; Subnet Mask 255.255.255.0; Gateway 10.1.32.13; DNS Server 10.1.1.6; DHCP Server 10.1.1.6; Lease Obtained Thu Jun 29 18:32:28 GMT 2006; Lease Duration 1 Day 00:00:00; renew, release.] If Auto Detect does not find a connection, you will be prompted to check the physical connection betw
160. n set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules: Schedule 1, Schedule 2, or Schedule 3. To invoke rules and block keywords or Internet domains based on a schedule: 1. Select Security from the main menu and Schedule from the sub-menu. The Schedule 1 screen will display. 2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect. 3. Check the radio button to schedule the time of day: All Day or Specific Times. If you chose Specific Times, enter the Start Time and End Time fields (Hour, Minute, AM/PM), which will limit access during certain times for the selected days. 4. Click Reset to cancel your settings and revert to the previous settings. 5. Click Apply to save your settings to Schedule 1. Repeat these 5 steps to set a schedule for Schedule 2 and Schedule 3. [Figure: Security > Schedule screen (tabs Schedule 1, Schedule 2, Schedule 3): Do you want this schedule to be active on all days or specific days? All Days / Specific Days, with Sunday through Saturday check boxes.]
161. n the Ethernet connection is made, check the following: Make sure that the Ethernet cable connections are secure at the firewall and at the hub or workstation. Make sure that power is turned on to the connected hub or workstation. Be sure you are using the correct cable. When connecting the firewall's Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable. Troubleshooting the Web Configuration Interface: If you are unable to access the firewall's Web Configuration interface from a PC on your local network, check the following: Check the Ethernet connection between the PC and the firewall as described in the previous section. Make sure your PC's IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC's address should be in the range of 192.168.0.2 to 192.168.0.254. Note: If your PC's IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the firewall and reboot your PC.
162. Warning: Once you click Upload, do NOT interrupt the router. To upgrade router software: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. 2. Click Browse in the Router Upgrade section. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall router. This may take some time. At the conclusion of the upgrade, your router will reboot. Warning: Do not try to go online, turn off the router, shut down the computer, or do anything else to the router until the router finishes the upgrade. When the Test light turns off, wait a few more seconds before doing anything. 4. After the VPN firewall has rebooted, select Monitoring and confirm the new firmware version to verify that your router now has the new software installed. Note: In some cases, such as a major upgrade, it may be necessary to erase the configuration and manually reconfigure your router after upgrading it. Refer to the Release Notes included with the software to find out if this is required. Setting the Time Zone: Date, time, and NTP Server designations can be input on the Time Zone screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. To s
163. nal routing table. This information is used most often by Technical Support. Table 6-4: Diagnostics Fields (Item: Description). Reboot the Router: Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally. Note: Rebooting will break any existing connections, either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be re-established when possible. Packet Trace: Packet Trace selects the interface and starts the packet capture on that interface. Chapter 7: Troubleshooting. This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 50. After each problem description, instructions are provided to help you diagnose and solve the problem. Basic Functions: After you turn on power to the firewall, the following sequence of events should occur: 1. When power is first applied, verify that the PWR LED is on. 2. After approximately 10 seconds, verify that: a. The TEST LED is not lit. b. The LAN port LEDs are lit for any local ports that are connected. c. The Internet port LED is lit. If a port's LED is lit, a link has been est
164. name will be displayed in the Known PCs and Devices table as Unknown. Creating the Network Database: The Network Database offers a number of advantages: Generally, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the desired PC or device. No need to reserve an IP address for a PC in the DHCP Server: All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you. No need to use a Fixed IP on PCs: Because the address allocated by the DHCP Server will never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP address. MAC-level Control over PCs: The Network Database uses the MAC address to identify each PC or device, so changing a PC's IP address does not affect any restrictions on that PC. Group and Individual Control over PCs: You can assign PCs to Groups and apply restrictions to each Group using the Firewall Rules screen (see Services-Based Rules on page 4-2). You can also select the Groups to be covered by the Block Sites feature (see Setting Block Sites (Content Filtering) on page 4-22). If necessary, you can also create Firewall Rules to apply to a single PC (see Enabling Source MAC Filtering on page 4-24).
165. nformation. Select: Edge Device to use this router as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database to verify against the router's user database. Users must be added through the User Database screen (see User Database Configuration on page 5-22). RADIUS-CHAP or RADIUS-PAP, depending on the authentication mode accepted by the RADIUS server, to add a RADIUS server. If RADIUS-PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see RADIUS Client Configuration on page 5-23). IPSec Host if you want to be authenticated by the remote gateway. In the adjacent Username and Password fields, type in the information (user name and password) associated with the IKE policy for authenticating this gateway by the remote gateway. 4. Click Apply to save your settings. [Figure: Edit IKE Policy / Add New VPN Policy screen: Do you want to use Mode Config Record? Yes/No; Policy Name; Direction/Type Both; Select Mode Config Record; Exchange Mode.]
166. not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. EU Regulatory Compliance Statement: ProSafe VPN Firewall 50 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024, and EN60950-1. Manufacturer's/Importer's Declaration: It is hereby confirmed that the ProSafe VPN Firewall 50 complies with the interference-suppression requirements listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The regulation-compliant operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions; please refer to the notes in the operating manual. The Federal Office for Telecommunications Approvals (Bundesamt für Zulassungen in der Telekommunikation) has been notified that this device was placed on the market and is authorized to inspect the series for compliance with the regulations. Certificate of the Manufacturer/Importer: It is hereby
167. nternet connectivity, check the Primary Broadband with Dialup as backup for auto-rollover. 4. The WAN Failure Detection Method must be configured to notify the router of a link failure if you are using Dialup as a backup to engage auto-rollover. The router checks the connection of the primary link at regular intervals to detect its status. Check the radio box of one of the following methods to detect link failure: Select DNS lookup using configured DNS Servers to detect failure of the Broadband link using the DNS servers configured in the Broadband ISP Settings screen. Select DNS lookup using this DNS Server and enter the IP address of the DNS server to specify a DNS server for detecting WAN failure. Select Ping to this IP address and enter an IP address to detect WAN failure by pinging that IP address. Ensure that this destination host is reliable. If a failure is detected on the primary broadband connection, the secondary dialup connection connects to the Internet. When the primary connection is detected as back online, the secondary dialup connection disconnects. 5. Enter a Test Period in seconds to tell the router how often it should run the configured detection method. The default is 30 seconds. 6. Enter the number of router failures that should occur before the router rolls over to the Dialup port. The default is 4. 7. Click Apply to save your settings or Cancel to revert to the previous settings. Configuring Dynamic DNS (If Needed)
168. Troubleshooting the ISP Connection: If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the firewall's configuration at http://192.168.1.1. 3. Under the Monitoring menu, select Router Status. 4. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP. If your firewall is unable to obtain an IP address from the ISP, you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure: 1. Turn off power to the cable or DSL modem. 2. Turn off power to your firewall. 3. Wait five minutes and reapply power to the cable or DSL modem. 4. When the modem's LEDs indicate that it has reacquired sync with the ISP, reapply power to your firewall. If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following: Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login. If your ISP r
169. [Figure 6-5: Time Zone screen: (Greenwich Mean Time) Edinburgh, London; Automatically Adjust for Daylight Savings Time; Use Default NTP Servers / Use Custom NTP Servers (Server 1 Name/IP Address, Server 2 Name/IP Address); Current Time Thu Jul 06 19:16:13 GMT 2006; Apply, Reset.] Monitoring the Router: You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN ports, LAN ports, and VPN tunnels. Enabling the Traffic Meter: To monitor traffic limits on each of the WAN ports, select Administration from the main menu and Traffic Meter from the submenu. The Broadband Traffic Meter screen will display. The Broadband and Dialup ports are programmed separately. A WAN port shuts down once its traffic limit is reached if the Block all traffic feature is enabled. The Traffic Meter screen also provides the following information: Internet Traffic Statistics: Displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available. [Figure: Monitoring > Traffic Meter screen (Router Status, Diagnostics, Firewall Logs & E-mail, VPN Logs; Broadband / Dialup Traffic Meter; Traffic by Protocol); callout: Each WAN port is programmed separately; No Limit option.]
170. ny of the servers is Thu Jan 01 00:01:52 GMT 1970.
• The resynchronization interval is governed by the specification defined in DOC-00045_Ntp_Spec.pdf.

Table B-4. System Logs: NTP

Message:
Nov 28 12:31:13 FVS338 ntpdate: Looking Up time-f.netgear.com
Nov 28 12:31:13 FVS338 ntpdate: Requesting time from time-f.netgear.com
Nov 28 12:31:14 FVS338 ntpdate: adjust time server 69.25.106.19 offset 0.140254 sec
Nov 28 12:31:14 FVS338 ntpdate: Synchronized time with time-f.netgear.com
Nov 28 12:31:16 FVS338 ntpdate: Date and Time Before Synchronization: Tue Nov 28 12:31:13 GMT+0530 2006
Nov 28 12:31:16 FVS338 ntpdate: Date and Time After Synchronization: Tue Nov 28 12:31:16 GMT+0530 2006
Nov 28 12:31:16 FVS338 ntpdate: Next Synchronization after 2 Hours

Explanation:
Message 1: DNS resolution for the NTP server time-f.netgear.com.
Message 2: Request for NTP update from the time server.
Message 3: Adjust time by re-setting the system time.
Message 4: Display date and time before synchronization, that is, when resynchronization started.
Message 5: Display the new, updated date and time.
Message 6: Next synchronization will be after the specified time mentioned. Example: in the above logs, the next synchronization will be after two hours. The synchronization time interval is configurable via the CLI.

Recommen
171. o the entry.
6. Build a list of Trusted Domains in the Trusted Domains fields. After each entry, click Add. The Trusted Domain will appear in the Trusted Domains table. You can also edit any entry by clicking Edit in the Action column adjacent to the entry.
7. Click Reset to cancel your changes and revert to the previous settings.
8. Click Apply to save your settings.

[Figure 4-15: Block Sites screen. Content Filtering: Turn Content Filtering On (Yes / No). Web Components: Proxy, Java, ActiveX, Cookies. Apply Keyword Blocking to: Group1 through Group8 (select all). Blocked Keywords: Add Blocked Keyword. Trusted Domains: Add Trusted Domain.]

Enabling Source MAC Filtering
Source MAC Filter allows you to filter out traffic coming from certain known machines or devices.
• By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed by default.
172. of your ISP (for example, 172.16.1.10). If you leave this box blank, no logs will be sent to you.
b. Return E-mail Address: Enter the e-mail address of the user.
c. Send To E-mail Address: Enter the e-mail address where the logs and alerts should be sent. You must use the full e-mail address (for example, ChrisXY@myISP.com).
The No Authentication radio box is checked by default. If your SMTP server authenticates users, uncheck the radio box by selecting the authentication type, either Login Plain or CRAM-MD5, based on your SMTP server requirements. Then enter the user name and password to be used for authentication.
If you want to respond to the IDENT protocol, check the Respond to Identd from SMTP Server radio box. The Ident Protocol is an Internet protocol that helps identify the user of a particular TCP connection; a common daemon program for providing the ident service is identd.
You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click the Yes radio box to enable SysLogs and send messages to the syslog server, then:
a. Enter your Syslog Server IP address.
b. Select the appropriate syslog severity from the SysLog Severity pull-down menu. The SysLog levels of severity are as follows:
• LOG_EMERG: System is unusable
• LOG_ALERT: Action must be taken immediately
• LOG_CRITICAL: Critical conditions
• LOG_ERROR: Error conditions
173. on menu, LAN Groups submenu (see Creating the Network Database on page 3-6).
Note: The reserved address will not be assigned until the next time the PC contacts the firewall's DHCP server. Reboot the PC, or access its IP configuration and force a DHCP release and renew.

Configuring Static Routes
Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
To add or edit a Static Route:
1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display.
2. Click Add. The Add Static Route screen will display.
3. Enter a name for the static route in the Route Name field (for identification purposes only).
4. Determine whether the route is:
• Active or Inactive: A route can be added to the table and made inactive if not needed. This allows routes to be used as needed without deleting the entry and re-adding it. An inactive route is not broadcast if RIP is enabled. Select the Active radio box to make this route effective.
• Private: Determine whether the route can be shared with other routers when RIP is enabled. If Yes, then the route will not be shared i
174. on to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection, in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.

Using Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the FVS338. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVS338 are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.

Services-Based Rules
The rules to block traffic are based on the traffic's category of service.
• Inbound Rules (port forwarding): Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
• Outbound Rules (service blocking): Outboun
175. ort
[Figure 4-19: Port Triggering Status screen. Port Triggering Rules table columns: Name, Enable, Protocol, Outgoing Ports (Start Port, End Port), Incoming Ports (Start Port, End Port); example row: Abstracts, No, TCP, 20, 22, 20; select all, delete. Status table columns: Rule, LAN IP Address, Open Ports, Time Remaining (Sec); Refresh. Add Port Triggering Rule: Name, Enable, Protocol, Outgoing Trigger Port Range (Start Port, End Port, 1-65534).]

Bandwidth Limiting
Bandwidth limiting determines the way in which the data is sent to and from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing and incoming traffic, thus preventing the LAN users from consuming all the bandwidth on your Internet link.
• Bandwidth limiting for outbound traffic is done on the available WAN interface in both the single port and Auto-Rollover modes. Bandwidth limiting is handled on the user-specified interface in Load Balancing mode.
• Bandwidth limiting for inbound traffic is handled on the LAN interface for all WAN modes.
Bandwidth limiting does not apply to the DMZ interface.
Example: When a new connection is established by a device, the device will locate the firewall rule corresponding to the following connections:
• If the rule has a bandwidth profile specification, then the device will create a bandwidth class in the kernel.
• If multiple connections correspond
176. ource IP: The IP address of the initiating device for this log entry.
Source port and interface: The service port number of the initiating device and whether it originated from the LAN, WAN, or DMZ.
Destination: The name or IP address of the destination device or Web site.
Destination port and interface: The service port number of the destination device and whether it is on the LAN, WAN, or DMZ.

Administrator Information
Consider the following operational items:
1. As an option, you can enable remote management if you have to manage distant sites from a central location (see Enabling Remote Management Access on page 6-9).
2. Although setting firewall rules (see Using Rules to Block or Allow Specific Kinds of Traffic on page 4-1) is the basic way of managing the traffic through your system, you can further refine your control with the following features of the VPN firewall:
• Groups and hosts (see Managing Groups and Hosts on page 3-6)
• Services (see Services-Based Rules on page 4-2)
• Schedules (see Setting a Schedule to Block or Allow Traffic on page 4-21)
• Block sites (see Setting Block Sites (Content Filtering) on page 4-22)
• Source MAC filtering (see Enabling Source MAC Filtering on page 4-24)
• Port triggering (see Setting Up Port Triggering on page 4-28)
177. pendix C, Related Documents.

VPN Policies
You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
• Manual: All settings (including the keys) for the VPN tunnel are manually input at each end (both VPN endpoints). No third-party server or organization is involved.
• Auto: Some parameters for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN endpoints (the Local ID Endpoint and the Remote ID Endpoint).
In addition, a CA (Certificate Authority) can also be used to perform authentication (see Certificates on page 5-33). To use a CA, each VPN Gateway must have a Certificate from the CA. For each Certificate, there is both a Public Key and a Private Key. The Public Key is freely distributed and is used to encrypt data. The receiver then uses their Private Key to decrypt the data; without the Private Key, decryption is impossible. CAs can be beneficial since using them reduces the amount of data entry required on each VPN Endpoint.

VPN Policy Operation
The VPN Policies screen allows you to add additional policies, either Auto or Manual, and to manage the VPN policies already created. You can edit policies, enable or disable them, or delete them ent
178. ps (for example, see Figure 6-3), enter an IP Address of, for example, 192.168.1.100 with a Subnet Mask of 255.255.255.255.
• If you want to allow a subnet access to the VPN firewall through SNMP, enter an IP address of, for example, 192.168.1.100 with a Subnet Mask of 255.255.255.0. The traps will still be received on 192.168.1.100, but the entire subnet will have access through the community string.
• If you want to make the VPN firewall globally accessible using the community string but still receive traps on the host, enter 0.0.0.0 as the Subnet Mask and an IP Address for where the traps will be received.
3. Enter the trap port number of the configuration in the Port field. The default is 162.
4. Enter the trap community string of the configuration in the Community field.
5. Click Add to create the new configuration. The entry will display in the SNMP Configuration table.
6. Click Edit in the Action column adjacent to the entry to modify or change the selected configuration.
[Screen residue: Administration menu (Remote Management, Settings Backup & Upgrade, Set Password, Time Zone, SNMP). SNMP screen: SNMP System Info link; table columns IP Address, Port, Community, Action (select all, delete); Create New SNMP Configuration Entry: IP Address, Port, Community, Add. SNMP SysConfiguration: Sy
179. r: FVS338
Publication Date: March 2008
Product Family: VPN firewall
Product Name: ProSafe VPN Firewall 50
Home or Business Product: Business
Language: English
Publication Part Number: 202-10046-06
Publication Version Number: 1.0
vi | v1.0, March 2008

Contents
About This Manual
  Conventions, Formats and Scope ... xiii
  How to Use This Manual ... xiv
  How to Print this Manual ... xiv
  (illegible entry) ... xv
Chapter 1 Introduction
  (illegible entry) ... 1-1
  Full Routing on Both the Broadband and Serial WAN Ports ... 1-2
  A Powerful True Firewall with Content Filtering ... 1-2
  (illegible entry) ... 1-2
  Autosensing Ethernet Connections with Auto Uplink ... 1-3
  Extensive Protocol Support ... 1-3
  Easy Installation and Management ... 1-4
  Maintenance and Support ... 1-4
  (illegible entry) ... 1-4
  Router Hardware Components ... 1-5
  (illegible entry) ... 1-5
  (illegible entry)
180. r location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your VPN firewall. Only enable those ports that are necessary for your network. It is also advisable to turn on the server application security and invoke the user password or privilege levels, if provided.

Order of Precedence for Firewall Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 4-1.
[Figure 4-1: LAN WAN Rules screen. Attack Checks; Default Outbound Policy: Allow Always; Apply. Outbound Services table columns: Service Name, Filter, LAN Users, WAN Users, Priority, Log, Action; example row: AIM, Block by schedule 1 else allow, ANY, ANY, Normal-Service, Never, up/down/edit; select all, delete, enable, disable, add. Inbound Services table columns: Service Name, Action, LAN Server IP Address, LAN Users, WAN Users, Destination, Log, Action; example rows: CU-SEEME (UDP), Allow Always, 192.168.0.11, 134.177.88.1 to 134.177.88.254, WAN1, Never; HTTP, Allow Always, 192.168.1.2, ANY, Never; ANY, Allow Always, 192.168.0.15, ANY, WAN1, Never; select all, delete, enable, disable, add.]
For any traffic attempting to pass through the firewall, the packet in
181. r matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.
Only one PC can use a Port Triggering application at any time. After a PC has finished using a Port Triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated.
See Setting Up Port Triggering on page 4-28 for the procedure on how to use this feature.

VPN Tunnels
The VPN firewall permits up to 200 VPN tunnels at a time. Each tunnel requires extensive processing for encryption and authentication. See Chapter 5, Virtual Private Networking, for the procedure on how to use this feature.

Using QoS to Shift the Traffic Mix
The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall. The QoS is set individually for each service.
• You can accept the default priority defined by the service itself by not changing its QoS setting.
• You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than
182. r will function as a DHCP (Dynamic Host Configuration Protocol) server, providing TCP/IP configuration for all computers connected to the router's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, check the Disable DHCP Server radio button. Enable DHCP Server is the default.
If Enabled is selected, enter the following parameters:
a. Enter the Domain Name of the router (this is optional).
b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
c. Enter the Ending IP Address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between the Starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address.
Note: The Starting and Ending DHCP addresses should be in the same network as the LAN TCP/IP address of the router (the IP Address in the LAN TCP/IP Setup section).
d. Enter a WINS Server IP address. This box can specify the Windows NetBIOS Server IP if one is present in your network. This field is optional.
e. Enter a Lease Time. This specifies the duration for which IP addresses will be leased to clien
183. re 1-2.

Viewed from left to right, the rear panel contains the following elements:
• Modem port: serves as the WAN2 Internet port through the public switched telephone network (PSTN).
• Factory Defaults reset button.
• Local ports: 8-port RJ-45 10/100 Mbps Fast Ethernet Switch, N-way automatic speed negotiation, auto MDI/MDIX.
• Internet port: serves as the WAN Internet port. One RJ-45 WAN port, N-way automatic speed negotiation, Auto MDI/MDIX.
• On/Off switch.
• DC power in: 12 VDC, 1.2 A.

Rack Mounting Hardware
The FVS338 can be mounted either on a desktop using the included rubber feet or in a 19-inch rack using the included rack mounting hardware, illustrated in Figure 1-3.
[Figure 1-3]

Factory Default Login
Check the label on the bottom of the FVS338's enclosure if you forget the following factory default information:
• IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN
• User name: admin
• Password: password
[Figure 1-4: product label. NETGEAR ProSafe VPN Firewall FVS338; LAN IP Address http://192.168.1.1; User Name admin; Password password; 272-10138-02.]
To log in to the FVS338 once it is connected:
1. Open a Web browser.
2. Enter http://192.168.1.1 as the URL. Password
184. res ... 1-6
  Rack Mounting Hardware ... 1-7
  Factory Default Login ... 1-7
Chapter 2 Connecting the FVS338 to the Internet
  Connecting the VPN Firewall to Your Network ... 2-1
  Logging in to the VPN Firewall ... 2-1
  Configuring your Internet Connection ... 2-2
  Setting the Router's MAC Address (Advanced Options) ... 2-7
  Manually Configuring Your Internet Connection ... 2-9
  Programming the Traffic Meter (if Desired) ... 2-12
  Configuring the WAN Mode ... 2-15
  Configuring Dynamic DNS (If Needed) ... 2-16
Chapter 3 LAN Configuration
  Configuring Your LAN (Local Area Network) ... 3-1
  Using the VPN Firewall as a DHCP Server ... 3-1
  Configuring Multi Home LAN IPs ... 3-4
  Managing Groups and Hosts ... 3-6
  Creating the Network Database ... 3-6
  Setting Up Address Reservation ...
185. riggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.
• Only one PC can use a Port Triggering application at any time.
• After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
Note: For additional ways of allowing inbound traffic, see LAN WAN Inbound Services Rules on page 4-9.
To add a Port Triggering rule:
1. Select Security from the main menu and Port Triggering from the submenu. The Port Triggering screen will display.
2. Enter a user-defined name for this rule in the Name field.
3. From the Enable pull-down menu, indicate if the rule is enabled or disabled.
[Screen residue: Port Triggering screen. Port Triggering Rules table columns: Name, Enable, Protocol, Outgoing Ports (Start Port, End Port), Incoming Ports (Start Port, End Port); example row: Abstracts, No, TCP, 20; select all, delete. Add Port Triggering Rule: Name, Enable, Protocol, Outgoing Trigger Port Range (Start Port, End Port, 1-65534, 1-65534).]
186. roblems with Date and Time ... 7-7
Appendix A Default Settings and Technical Specifications
Appendix B System Logs and Error Messages
  System Log Messages ... B-1
  (illegible entry) ... B-1
  (illegible entry) ... B-2
  NTP ... B-2
  (illegible entry) ... B-3
  (illegible entry) ... B-3
  (illegible entry) ... B-4
  (illegible entry) ... B-4
  Load Balancing ... B-4
  (illegible entry) ... B-5
  (illegible entry) ... B-6
  Web Filtering and Content Filtering Logs ... B-8
  (illegible entry) ... B-10
  (illegible entry) ... B-10
  (illegible entry) ... B-10
  (illegible entry) ... B-11
  Invalid Packet Logs ... B-11
  (illegible entry) ... B-14
  LAN to WAN Logs ... B-15
  LAN to DMZ Logs ... B-15
  DMZ to WAN Logs ... B-15
  WAN to LAN Logs ... B-15
  DMZ to LAN Logs ...
187. rver 3 Austria
[Figure 6-11: WAN port status screen. Fields: connection type (PPTP, PPPoE, BigPond Cable, Other); Subnet Mask 255.255.255.0; Idle Timeout; Gateway 10.1.32.13; DNS Server 10.1.1.6; DHCP Server 10.1.1.6; My IP Address; Server IP Address; Lease Obtained Thu Jul 6 19:07:31 GMT 2006; Lease Duration 1 Day 00:00:00; Renew, Release; Internet IP Address; Domain Name Server; Gateway.]

Monitoring VPN Tunnel Connection Status
You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display.
[Figure 6-12: IPSec Connection Status screen (VPN menu: Policies, Certificates, VPN Client, Connection Status). Active IPSec SA(s) table columns: Policy Name, Endpoint, Tx (KB), Tx (Packets), State, Action; example row: to_fvx, 0.00, 0, IPsec SA Not Established, connect. Poll Interval (Seconds): set interval, stop.]

Table 6-3. IPSec Connection Status Fields
Item | Description
Policy Name | The name of the VPN policy associated with this SA.
Endpoint | The IP address on the remote VPN Endpoint.
Tx (KB) | The amount of data transmitted over this SA.
Tx (Packets) | The number of IP packets transmitted ov
188. s
[Figure 4-21: Firewall Logs & E-mail screen. Fields: Return E-Mail Address; Send to E-Mail Address; Do you want logs to be emailed to you? (Yes / No); No Authentication, Login Plain, CRAM-MD5; User Name, Password; Respond to Identd from SMTP Server; Send E-mail logs by Schedule (Unit: Never, Day, Time); Do you want to enable syslog? (Yes / No); Syslog Server; SysLog Severity.]

To set up Firewall Logs and E-mail alerts:
1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display.
2. Enter the name of the log in the Log Identifier field. Log Identifier is a mandatory field used to identify the log messages. The ID is appended to log messages.
3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection.
4. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
5. In the System Logs section, check the radio box for the type of system events to be logged.
6. Check the Yes radio box to enable E-mail Logs. Then enter:
a. E-mail Server address: Enter the outgoing E-mail SMTP mail server address
189. s (CAs, Certification Authorities). For each Certificate, the following data is listed in the Trusted Certificates table:
• CA Identity (Subject Name): The organization or name to whom the certificate has been issued.
• Issuer Name: The name of the CA that issued the certificate.
• Expiry Time: The date when the certificate becomes invalid.
New certificates can be uploaded to the router when they are received.
To upload a Trusted Certificate:
1. Select VPN from the main menu and Certificates from the submenu. The Certificates screen will display.
2. Click Browse to locate the trusted certificate on your computer, and then click Upload. The certificate will be stored on the router and will display in the Trusted Certificates table.
[Figure 5-25: Certificates screen (tabs: Policies, VPN Wizard, VPN Client, Connection Status, Mode Config, Certificates). Trusted Certificates table columns: CA Identity (Subject Name), Issuer Name, Expiry Time; select all, delete. Upload Trusted Certificate: Trusted Certificate File, Browse, Upload.]

Self Certificates
Active Self certificates are certificates issued to you by the various Certificate Authorities (CAs) that are available for presentation to peer IKE servers. Each active self certificate is listed in the Active Self Certificates table. The data consists of:
• Name: A unique name given by you to iden
190. s to remote users, including a network access IP address, subnet mask, and name server addresses from the router. Remote users are given IP addresses available in secured network space so that remote users appear as seamless extensions of the network.
In the following example, we configured the VPN firewall using ModeConfig and then configured a PC running ProSafe VPN Client software using these IP addresses:
• NETGEAR ProSafe VPN Firewall 50: WAN IP address 172.21.4.1; LAN IP address/subnet 192.168.2.1 / 255.255.255.0
• NETGEAR ProSafe VPN Client software: IP address 192.168.1.2

ModeConfig Operation
After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask, and name server addresses. The ModeConfig module will allocate an IP address from the configured IP address pool and will activate a temporary IPSec policy using the template security proposal information configured in the ModeConfig record.
Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly created Mode Config record as the Remote Host Configuration Record. The VPN Policies menu does not need to be edited.

Setting Up ModeConfig
Two menus must be configured: the ModeConfig menu and the IKE
191. sLocation: netgear; SysName: FVS338.
[Figure 6-3]
The SNMP System Info link displays the VPN firewall identification information available to the SNMP Manager: System Contact, System Location, and System Name.
To modify the SNMP System contact information:
1. Click the SNMP System Info link. The SNMP SysConfiguration screen will display.
2. Modify any of the contact information that you want the SNMP Manager to use.
3. Click Apply to save your settings.

Settings Backup and Firmware Upgrade
Once you have installed the VPN firewall and have it working properly, you should back up a copy of your settings so that they are available if something goes wrong. When you back up the settings, they are saved as a file on your computer. You can then restore the VPN firewall settings from this file.
The Settings Backup & Upgrade screen allows you to:
• Back up and save a copy of your current settings
• Restore saved settings from the backed-up file
• Revert to the factory default settings
• Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version

Backup and Restore Settings
To back up and restore settings:
1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display.
2. Click backup to save a copy of yo
192. scriptive name for the service (this is for your convenience).
3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP, or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses. If the service uses only one port, then the Start Port and the Finish Port will be the same.
5. Enter the last port of the range that the service uses. If the service only uses a single port number, enter the same number in both fields.
6. Click Add. The new custom service will be added to the Custom Services Table.
To edit the parameters of a service:
1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display.
2. Modify the parameters you wish to change. Click Reset to cancel the changes and restore the previous settings.
3. Click Apply to confirm your changes. The modified service will display in the Custom Services Table.

Specifying Quality of Service (QoS) Priorities
The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The user can change this priority:
• On the Services screen, in the Custom Services Table, for customized services (see Figure 4-13).
• On the LAN WAN Outbound Services screen (see Figure 4-12).
The QoS priority definition for a service determines the queue that is used for the
193. ... 6-19
  Viewing Port Triggering Status ... 6-21
  Viewing Router Configuration and System Status ... 6-22
  Monitoring WAN Ports Status ... 6-23
  Monitoring VPN Tunnel Connection Status ... 6-24
  (illegible entry) ... 6-25
  (illegible entry) ... 6-25
  Performing Diagnostics ... 6-26
Chapter 7 Troubleshooting
  Basic Functions ... 7-1
  Power LED Not On ... 7-1
  LEDs Never Turn Off ... 7-2
  LAN or Internet Port LEDs Not On ... 7-2
  Troubleshooting the Web Configuration Interface ... 7-2
  Troubleshooting the ISP Connection ... 7-4
  Troubleshooting a TCP/IP Network Using a Ping Utility ... 7-5
  Testing the LAN Path to Your Firewall ... 7-5
  Testing the Path from Your PC to a Remote Device ... 7-6
  Restoring the Default Configuration and Password ... 7-7
  P
194. speed and uplink bandwidth. However, these are advanced features and changing them is not usually required. Connecting the VPN Firewall to Your Network: To physically connect your VPN firewall, refer to the FVS338 ProSafe VPN Firewall 50 Installation Guide; a copy is also available on your Resource CD. Logging in to the VPN Firewall. Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. To log in to the VPN firewall: 1. Open an Internet Explorer, Netscape Navigator, or Firefox browser. In the browser window, enter http://192.168.1.1 in the address field. The FVS338 login screen will display (Figure 2-1: User Name, Password). 2. Enter admin for the User Name and password for the Password, both in lower case letters. The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection. 3. Click Login. The Broadband ISP Settings screen will display. Note: You might want to enable remote management at this time so that you can log in remotely in the future to manage the firewall. See Enabling Remote Management Access on page 6-9 for more information. Remote management enable is cleared with a factory default reset. If you enable remote management yo
195. ss (Figure 5-1). The IKE Policies screen will display, showing the new to_fvx policy (Figure 5-2: Name to_fvx, Mode Main, Local ID 10.1.32.41, Remote ID 10.1.0.118, Encr 3DES, Auth SHA-1, DH Group 2 (1024 bit)). You can view the IKE parameters by clicking Edit in the Action column adjacent to the to_fvx policy. It should not be necessary to make any changes. Figure 5-3, Edit IKE Policy screen: Policy Name; Direction/Type; Exchange Mode (Main); Enable XAUTH (Yes/No); Local Identification (Identifier Type: Local Wan IP; Identifier); Peer IKE Identification (Identifier Type; Identifier); Encryption Algorithm; Authentication Algorithm; Authentication Method (Pre-shared key or RSA Signature); Pre-shared key; Diffie-Hellman (DH) Group; SA Lifetime (sec). Click the IKE Policies tab to view the corresponding IKE Policy. The IKE Policies screen will display. List of VPN Policies: Name to_fvx, Type Auto Policy, Local 192.168.1
196. sses. If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown to the right, CU-SeeMe connections are allowed only from a specified range of external IP addresses. Figure 4-8, Add LAN WAN Inbound Service screen: Service CU-SEEME (UDP); Action ALLOW by schedule, otherwise block; Select Schedule: Schedule 1; Send to LAN Server: 192.168.0.11; Translate to Port Number; Public Destination IP Address: Broadband; LAN Users; WAN Users: Address Range (Start, Finish in 134.177.x.x); Log: Never. Setting Up One-to-One NAT Mapping: In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a Web server on the LAN. Tip: If your ISP allows you to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses will be used as the primary IP address of the
197. st configure the E-mail screen in order for this function to work. Internet Traffic Statistics / Traffic by Protocol: This displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available. Click this link if you want to know more details of the Internet Traffic. The volume of traffic for each protocol will be displayed in a sub-window. Traffic counters are updated in MBytes scale; the counter starts only when traffic passed is at least 1 MB. Configuring the WAN Mode: The WAN Mode screen allows you to configure how your router uses your external Internet connections, for example your WAN port or dialup modem connections. NAT: NAT is the technology which allows all PCs on your LAN to share a single Internet IP address. Viewed from the Internet, the WAN port on the VPN firewall is configured with a single IP address, the public address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet. The Router uses NAT to select the correct PC on your LAN to receive any incoming data, and hides internal IP addresses from computers on the Internet. If you only have a single Internet IP address, you MUST use NAT. NAT is the default setting. Select NAT if your ISP has assigned only
198. sy way to monitor its status and activity. Maintenance and Support: NETGEAR offers the following features to help you maximize your use of the VPN firewall: Flash memory for firmware upgrade; Free technical support seven days a week, twenty-four hours a day. Package Contents: The product package should contain the following items: ProSafe VPN Firewall 50; AC power adapter; Category 5 Ethernet cable; Resource CD, including Application Notes and other helpful information, and ProSafe VPN Client Software (one user license); Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. Router Hardware Components: Following is a description of the front and rear panels of the FVS338, including instructions for installing the FVS338 using the rack mounting hardware. Router Front Panel: The ProSafe VPN Firewall 50 front panel, shown below, contains the port connections, status LEDs, and the factory defaults reset button. Figure 1-1, front panel: Power LED, Test LED, Modem LED, Internet LEDs, Local LEDs. The table below describes each item on the front panel and its operation.
199. t, ping, traceroute; Capture Packets; Display the Routing Table (display); Reboot the Router (reboot). Figure 6-15, routing table (Interface Name / Destination / Mask / Gateway / Metric): LAN, 192.168.1.0, 255.255.255.0, 0.0.0.0, 0; BroadBand, 10.1.32.0, 255.255.255.0, 0.0.0.0, 0; BroadBand, default, 0.0.0.0, 10.1.32.13, 0. Table 6-4, Diagnostics Fields (Item / Description): Ping or Trace an IP address. Ping: Used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results will be displayed in a new screen; click Back on the Windows menu bar to return to the Diagnostics screen. Traceroute (often called Trace Route): Lists all Routers between the source (this device) and the destination IP address. The Trace Route results will be displayed in a new screen; click Back on the Windows menu bar to return to the Diagnostics screen. Perform a DNS Lookup: A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail, or other Server on the Internet, you can do a DNS lookup to find the IP address. Display the Routing Table: This operation will display the inter
200. tent Filtering. You can bypass Keyword Blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains or keywords on this list by PCs, even those in the groups for which keyword blocking has been enabled, will still be allowed without any blocking. Keyword Blocking application examples: If the keyword XXX is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX. If the keyword .com is specified, only Web sites with other domain suffixes, such as .edu or .gov, can be viewed. If you wish to block all Internet browsing access, enter the keyword. To enable Content Filtering: 1. Select Security from the main menu and Block Sites from the sub-menu. The Block Sites screen will display. 2. Check the Yes radio button to enable Content Filtering. 3. Check the radio boxes of any Web Components you wish to block. 4. Check the radio buttons of the groups to which you wish to apply Keyword Blocking. Click Enable to activate Keyword Blocking or Disable to deactivate Keyword Blocking. 5. Build your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After each entry, click Add. The Keyword or Domain name will be added to the Blocked Keywords table. You can also edit an entry by clicking Edit in the Action column adjacent t
202. the desired behavior when the limit is reached. Note: Both incoming and outgoing traffic are included in the limit. Increase this month's limit: Use this to temporarily increase the Traffic Limit if you have reached the monthly limit but need to continue accessing the Internet. Check the checkbox and enter the desired increase. The checkbox will automatically be cleared when saved, so the increase is only applied once. This month's limit: This displays the limit for the current month. Restart traffic counter / Restart Counter at a Specific Time: This determines when the traffic counter restarts. Choose the desired time and day of the month. Check this radio button to restart the Traffic Counter at a specific time and day of the month. Fill in the time fields and select AM or PM and the day of the month from the pull-down menus. Send E-mail Report before restarting counter: If checked, an E-mail report will be sent immediately before restarting the counter. You must configure the E-mail screen in order for this function to work (see E-Mail Notifications of Event Logs and Alerts on page 4-32). When limit is reached: Select the desired option. Block all traffic: all access to and from the Internet will be blocked. Block all traffic except E-mail: Only E-mail traffic will be allowed. All other traffic will be blocked. If using this option, you may also select the Send E-mail alert option. You mu
203. this is a direct connection, set it to 1. 10. Click Apply to save the static route to the Static Routes table. Static Route Example: For example, a static route is needed if: Your primary Internet access is through a cable modem to an ISP; You have an ISDN firewall on your home network for connecting to the company where you are employed, and this firewall's address on your LAN is 192.168.1.100; Your company's network is 134.177.0.0. When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.1.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company's firewall. In this case you must define a static route telling your firewall that 134.177.0.0 should be accessed through the ISDN firewall at 192.168.1.100. In this example: The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses. The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192
204. tify the certificate. Subject Name: The name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field. Serial Number: This is the serial number maintained by the CA. It is used to identify the certificate within the CA. Issuer Name: The name of the CA which issued the Certificate. Expiry Time: The date on which the Certificate expires. You should renew the Certificate before it expires. To use a Certificate, you must first generate and request the certificate from the CA, from the computer or device that will be using the CA. The Certificate Signing Request (CSR) file must be filled out and submitted to the CA, who will then generate a certificate for this device. To request a Certificate from the CA: 1. From the main menu under VPN, select the Certificates submenu. The Certificates screen will display. 2. In the Generate Self Certificate Request, enter the required data. Name: Enter a name that will identify this Certificate. Subject: This is the name which other organizations will see as the Holder (owner) of the Certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name.
205. tination IP addresses, and time of day. You can also tailor these rules to your specific needs (see Administrator Information on page 4-36). Note: This feature is for Advanced Administrators only. Incorrect configuration will cause serious problems. To create a new outbound service rule: 1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service screen will display. 2. Complete the Outbound Service screen and save the data (see Table 4-1 on page 4-3). Click Reset to cancel your settings and return to the previous settings. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table. Figure 4-3, Add LAN WAN Outbound Service screen: Service (ANY); Action (BLOCK always); Select Schedule; LAN Users (Any; Start, Finish); WAN Users (Any; Start, Finish); QoS Priority (Normal-Service); Log (Never); Apply, Reset. LAN WAN Inbound Services Rules: This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. WAN Users: Whether all WAN addresses or specific IP addresses are included in the rule.
206. to be sent. Detection period: Router sends ping packets periodically at regular intervals of time, which is specified by the user. Reconnect after failure count: Fresh negotiation starts when no acknowledgement is received for the specified number of consecutive packets. Local IP address: either a single address, range of addresses, or subnet address on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. Subnet address is the default IP address when using the VPN Wizard. Remote IP address: address or address range of the remote network. Traffic must be to (or from) these addresses to be covered by this policy. The VPN Wizard default requires the remote LAN IP address and subnet mask for a gateway policy. AH (Authentication Header): This specifies the authentication protocol for the VPN header. VPN Wizard default is disabled. ESP (Encapsulating Security Payload): This specifies the encryption protocol used for the VPN data. VPN Wizard default is enabled. VPN Tunnel Connection Status: Recent VPN tunnel activity is shown on the IPSec Connection Status screen, accessed by selecting VPN from the main menu and Connection Status from the submenu. You can set a Poll Interval (in seconds) to check the connection status of all active IKE Policies to obtain the latest VPN tunnel activity. The Acti
207. ts. Check the Enable DNS Proxy radio box. This is optional; the default is enabled. If enabled, the VPN firewall will provide a LAN IP Address for DNS address name resolution. When enabled, the router will act as a proxy for all DNS requests and communicate with the ISP's DNS servers (as configured in the WAN settings page). When disabled, all DHCP clients will receive the DNS IP addresses of the ISP. The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router, and the router in turn sends those requests to the DNS servers of the active connection. Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must enter http://10.0.0.1 in your browser to connect to the web management interface. Click Apply to save your settings. Click Reset to discard any changes and revert to the previous configuration. Click DHCP Log to view the DHCP log of the router. Note: Once you have completed the
208. ty section, from the ID Type pull-down menu, select IP Subnet. Enter the LAN IP Subnet Address and Subnet Mask of the FVS338 LAN. Check the Connect using radio box and select Connect using Secure Gateway Tunnel from the pull-down menu. From the ID Type pull-down menu, select Domain Name and Gateway IP Address. For the Domain Name, enter fvs_local.com and enter the WAN IP Address of the FVS338. Figure 5-9, Security Policy Editor (NETGEAR ProSafe VPN Client), Network Security Policy: My Connections / to_fvs; Connection Security: Secure (Only Connect Manually), Non-secure, Block; Remote Party Identity and Addressing: ID Type IP Subnet, Subnet 192.168.1.0, Mask 255.255.255.0, Protocol All; Use Secure Gateway Tunnel: ID Type Domain Name, fvs_local.com, Gateway IP Address 10.1.32.41. 8. In the left frame, click on My Identity (shown in Figure 5-10). 9. From the Select Certificate pull-down menu, select None. 10. From the ID Type pull-down menu, select Domain Name and enter fvs_remote.com in the field provided. 11. Leave Virtual Adapter disabled and select your computer's Network Adapter. Your current IP address will appear.
209. u are strongly advised to change your password (see Changing Passwords and Settings on page 6-7). Configuring your Internet Connection: You can configure both Broadband ISP Settings and Dialup ISP Settings from the WAN Settings menu. To configure your Broadband ISP Settings: 1. Select Network Configuration from the main menu and WAN Settings from the submenu. The Broadband ISP Settings screen will display. Figure 2-2, Broadband ISP Settings screen (Network Configuration: WAN Mode, Dynamic DNS, LAN Setup, LAN Groups, Routing; tabs: Dialup ISP Settings, Advanced, Broadband Status): DHCP Server Detected; Does Your Internet Connection Require a Login? (Yes/No); Login, Password, Account Name, Domain Name; Which type of ISP connection do you use? (Austria (PPTP), Other (PPPoE), BigPond Cable); Login Server, Idle Timeout / Keep Connected, Idle Time (Minutes), My IP Address, Server IP Address; Get Dynamically from ISP, Use Static IP Address (IP Address, IP Subnet Mask, Gateway IP Address), Current IP Address; Get Automatically from ISP, Use These DNS Servers (Primary DNS Server, Secondary DNS Server). 2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connectio
210. ubmenu. The VPN Wizard screen will display. 2. Check the Gateway radio box to establish a gateway-to-gateway VPN tunnel. 3. Give the new connection a name, such as to_fvx. 4. Enter a value for the pre-shared key. 5. Enter the WAN IP address or Internet name of the remote WAN, and the WAN IP Address or Internet name of the local WAN. The address type must match. 6. Enter the remote LAN IP address and subnet mask. 7. Click Apply to create the IKE and VPN policies. VPN Wizard screen (VPN Wizard Default Values). About VPN Wizard: The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the Parameters through the Policies menu. This VPN tunnel will connect to the following peers: Gateway / VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? What is the pre-shared key? 12345678 (Key Length 8-49 Char). End Point Information: What is the Remote WAN's IP Address or Internet Name? What is the Local WAN's IP Address or Internet Name? 10.1.32.41. Secure Connection Remote Accessibility: What is the remote LAN IP Address? What is the remote LAN Subnet Mask?
211. uch as a username/password or some encrypted response using his username/password information. The gateway will try and verify this information first against a local User Database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. To configure the Primary RADIUS Server: 1. Select VPN from the main menu, VPN Client from the submenu, and then select the RADIUS Client tab. The RADIUS Client screen will display. 2. Enable the Primary RADIUS server by checking the Yes radio box. 3. Enter the Primary RADIUS Server IP address. 4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server. 5. Enter the Primary Server NAS Identifier (Network Access Server). This Identifier MUST be present in a RADIUS request. Ensure that the NAS Identifier is configured as the same on both client and server. The FVS338 is acting as a NAS (Network Access Server), allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS Identifier information to the RADIUS Server. Depending on the configuration of the RADIUS Server, the router's IP address may be sufficient as an identifier, or the Server may require a name, which you would enter here. This name would also be configured on the RADIUS S
212. ucts derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org. 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)". THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). MD5: Copyright (C) 1990, RSA
213. ur current settings. If your browser isn't set up to save downloaded files automatically, locate where you want to save the file, specify the file name, and click Save. If you have your browser set up to save downloaded files automatically, the file will be saved to your browser's download location on the hard disk. Warning: Once you start restoring settings or erasing the router, do NOT interrupt the process. Do not try to go online, turn off the router, shut down the computer, or do anything else to the router until it finishes restarting. To restore settings from a backup file: 1. Click Browse. Locate and select the previously saved backup file (by default, netgear.cfg). 2. When you have located the file, click restore. An Alert page will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect. To reset the router to the original factory default settings, click default. You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the router's password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and act as a DHCP client to the Internet. Warning: When you click default, your router settings will be erased. All firewall rules
214. ur router. The default values are suitable for most users and situations. To modify your LAN setup: 1. Select Network Configuration from the main menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1, LAN Setup screen (tabs: LAN Groups, LAN Multi-homing, DHCP Log): IP Address; Subnet Mask; Disable DHCP Server / Enable DHCP Server; Domain Name; Starting IP Address; Ending IP Address; WINS Server; Lease Time (Hours); Enable DNS Proxy; DHCP Log (No Data Available; refresh, clear log). 2. Enter the IP Address of your router (factory default 192.168.1.1). The IP address provided is the router's LAN IP address. Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets. 3. Enter the IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router). 4. Check the Enable DHCP Server radio button. By default, the route
215. uter machines, because they do not listen to the RIP multicast address and will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting. For RIP-2B and RIP-2M, you can select the type of authentication as NONE or MD5. If you select MD5, then you need to enter additional parameters. Chapter 4: Firewall Protection and Content Filtering. The ProSafe VPN Firewall 50 provides you with Web content filtering options, such as Block Sites and Keyword Blocking. Parents and network administrators can establish restricted access policies based on time of day, Web addresses, and Web address keywords. You can also block Internet access by applications and services, such as chat or games. It also provides various firewall activity reports and instant alerts via e-mail. About Firewall Security: A firewall is a special category of router that protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two. A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspecti
216. ve IPSec SA's table also lists current data for each active IPSec SA (Security Association). Policy Name: The name of the VPN policy associated with this SA. Endpoint: The IP address on the remote VPN Endpoint. Tx (KBytes): The amount of data transmitted over this SA. Tx (Packets): The number of packets transmitted over this SA. State: The current state of the SA. Phase 1 is Authentication phase and Phase 2 is Key Exchange phase. Action: Allows you to terminate or build the SA (connection) if required. Creating a VPN Gateway Connection Between FVS338 and FVX538: This section describes how to configure a VPN connection between a NETGEAR FVS338 VPN Firewall and a NETGEAR FVX538 VPN Firewall. Using each firewall's VPN Wizard, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses. Either firewall can initiate the connection. This procedure was developed and tested using: Netgear FVS338 VPN Firewall, WAN IP address 10.1.32.41, LAN IP address/subnet 192.168.1.1/255.255.255.0; Netgear FVX538 VPN Firewall, WAN IP address 10.1.0.118, LAN IP address/subnet 192.168.2.1/255.255.255.0. Configuring the FVS338: To configure the FVS338 using the VPN Wizard: 1. Select VPN from the main menu and VPN Wizard from the s
217. ve a specific diagnostic reason to do so. Enable Stealth Mode: If enabled, the router will not respond to port scans from the WAN, thus making it less susceptible to discovery and attacks. Block TCP Flood: A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker doesn't complete the connections, thus leaving the connection half-open and flooding the server with SYN messages. No legitimate connections can then be made. When enabled, the router will drop all invalid TCP packets and will be protected from a SYN flood attack. LAN Security Checks: A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) verify that no application is listening at that port, and then (3) reply with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker's network location anon
218. ver. Select Fixed (Set on PC) if the IP address is statically assigned on the computer itself.
- IP Address: the IP address that this computer or device is assigned. If the IP Address Type is Reserved (DHCP Client), the router will reserve the IP address for the associated MAC address.
- MAC Address: the MAC address of the computer's network interface. The MAC address should be in the form XX:XX:XX:XX:XX:XX, for example 00:80:48:2a:8b:c0.
- Group: the group to which the computer has to be assigned.

Click Add to add the new entry to the network database.

To edit the names of any of the eight available groups:
1. Select the group by checking the adjacent radio button and typing a suitable name in the associated field.
2. Click Apply to save the settings, or click Reset to revert to the previous settings.

Setting Up Address Reservation

When you specify a reserved IP address for a device on the LAN based on the MAC address of the device, that computer or device will always receive the same IP address each time it accesses the firewall's DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP settings. The Reserved IP address that you select must be outside of the DHCP Server pool.

To reserve an IP address, use the Groups and Hosts screen under the Network Configurati
219. will be allowed to access the firewall's remote management.

> Note: For enhanced security, restrict access to as few external IP addresses as practical.

a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
4. Click Apply to have your changes take effect.

Using an SNMP Manager

Simple Network Management Protocol (SNMP) lets you monitor and manage your router from an SNMP Manager. It provides a remote means to monitor and control network devices and to manage configurations, statistics collection, performance, and security.

The SNMP Configuration table lists the SNMP configurations by:
- IP Address: the IP address of the SNMP manager.
- Port: the trap port of the configuration.
- Community: the trap community string of the configuration.

To create a new SNMP configuration entry:
1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen will display.
2. Under Create New SNMP Configuration Entry, enter the IP Address of the SNMP manager in the IP Address field and the Subnet Mask in the Subnet Mask field.
   - If you want to allow only the host address to access the VPN firewall and receive tra
220. wnload only separately.

Figure 6-6 (screen capture of the Traffic Meter settings: "Do you want to enable Traffic Metering" Yes/No, Both Directions; Monthly Limit (MB), Increase this month limit by (MB), This month limit (MB); Restart Traffic Counter Now / Restart Traffic Counter at Specific Time, on a chosen day of the month; when the limit is reached: Block All Traffic, Block All Traffic Except E-Mail, Send e-mail alert; Send e-mail report before restarting counter; Traffic Counter statistics: Start Date/Time, Outgoing Traffic Volume (MB), Incoming Traffic Volume (MB), Total Traffic Volume (MB), Average per day, Standard Limit of this Month's Limit)

- Traffic by Protocol: click this button to display Internet Traffic details. The volume of traffic for each protocol will be displayed in a sub-window. Traffic counters are updated in MBytes scale, and the counter starts only when traffic passed is at least 1 MB.

(Screen capture: Monitoring menu with Diagnostics, Firewall Logs & E-mail, VPN Logs; Dialup Traffic Meter tab; Traffic by Protocol button; No Limit; Start; "Do you want to enable Traffic M
221. y

Figure 2-4 (screen capture of the Dialup settings: Get Dynamically from ISP / Use Static IP Address with IP Address; Get Automatically From ISP / Use These DNS Servers with Primary DNS Server and Secondary DNS Server; Modem Type with Serial Line Speed 115200, Modem Type "26 U.S. Robotics 56K FAX EXT PnP", and Initial String for a User Defined Modem; Dialup Type Tone / Pulse / Other, with Dial String)

2. Enter the following Dialup Account settings:
   a. Account/User name: enter the account name or the user name provided by your ISP. This name will be used to log in to the ISP server.
   b. Password: the account password for the dialup ISP.
   c. Telephone: the telephone number or access number to dial for connectivity. Type in the number using the format described in your modem's user manual.
   d. Alternative Telephone: an alternative number which will be dialed if the first is not available (optional).

Specify the method to use for your Dial-up Connection Status. The VPN firewall can automatically dial to the ISP when a connection is needed, or can be configured to wait for manual intervention.
   a. Check the "Connect automatically, disconnect after idle for __ min" radio box for the modem to connect automatically. Specify the idle minute amount. The router will connect w
222. ymous. If enabled, the router will not accept more than 20 simultaneous active UDP connections from a single computer on the LAN.

VPN Pass-through

When the router is in NAT mode, all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy. For example, if a VPN Client or Gateway on the LAN side of this router wants to connect to another VPN endpoint on the WAN (placing this router between two VPN end points), encrypted packets will be sent to this router. Since this router filters the encrypted packets through NAT, the packets will become invalid unless VPN Pass-through is enabled. When enabled, the VPN tunnel will pass the VPN traffic without any filtering. Tunnels can be IPSec, PPTP, or L2TP.

To select the appropriate checkbox for your requirement:
1. Select Security from the main menu, Firewall Rules from the submenu, and then the Attack Checks tab. The Attack Checks screen will display.
2. Check the radio boxes of the Attack Checks you wish to initiate.
3. Click Apply to save your settings.

(Screen capture of the Attack Checks screen: WAN Security Checks with Respond to Ping on Internet Ports, Enable Stealth Mode, Block TCP flood; LAN Security Checks with Block UDP flood, Disable Ping R
223. you can create an outbound rule to block that application from any internal IP address to any external address, according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period.

Figure 4-12 (screen capture of the Add LAN WAN Outbound Service screen: Service AIM; Action; Select Schedule; LAN Users with Start/Finish; WAN Users Any with Start/Finish; QoS Priority Normal-Service; Log Never)

Adding Customized Services

Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.

The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, "Assigned Internet Protocol Numbers". Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of th
