Netgear PROSAFE FVS338 User's Manual
Contents
1. Configure your firewall to spoof your PC s MAC address This can be done in the Basic Settings menu Refer to Configuring your Internet Connection on page 2 2 If your firewall can obtain an IP address but your PC is unable to load any Web pages from the Internet e Your PC may not recognize any DNS server addresses A DNS server is a host on the Internet that translates Internet names such as www addresses to numeric IP addresses Typically your ISP will provide the addresses of one or two DNS servers for your use You may configure your PC manually with DNS addresses as explained in your operating system documentation e Your PC may not have the firewall configured as its TCP IP gateway Troubleshooting a TCP IP Network Using a Ping Utility Most TCP IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device The device then responds with an echo reply Troubleshooting a TCP IP network is made very easy by using the Ping utility in your PC or workstation Testing the LAN Path to Your Firewall You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly To ping the firewall from a PC running Windows 95 or later 1 From the Windows toolbar click on the Start button and select Run 2 Inthe field provided type Ping followed by the IP address of the firewall as in this example ping 192 168 1 1 3 Click on OK Yo2. Blocked Keyword Add i Trusted Domains Trusted Domains Action select all delete Add Trusted Domain Trusted Domain C Figure 4 14 4 22 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices e By default the source MAC address filter is disabled All the traffic received from PCs with any MAC address is allowed by default e When enabled traffic will be dropped coming from any computers or devices whose MAC addresses are listed in Available MAC Addresses to be Blocked table oy Security os dmini al a oring Web Suppo ogout Services Schedule Block Sites Firewall Rules Port Triggering Trend Micro Source MAC Filter Operation succeeded help Do you want to enable Source MAC Address Filtering Yes O No helpl MAC Addresses Action a o 00 ee 00 00 00 30 esit select all delete Add Source MAC Address to be Blocked MAC Address Add S ay __ ret Figure 4 15 Ky Note For additional ways of restricting outbound traffic see LAN WAN Outbound Services Rules on page 4 8 To enable MAC filtering and add MAC addresses to be blocked 1 Select Security from the main menu and Source MAC Filter fro
3. MD5 Copyright C 1990 RSA Data Security Inc All rights reserved License to copy and use this software is granted provided that it is identified as the RSA Data Security Inc MD5 Message Digest Algorithm in all material mentioning or referencing this software or this function License is also granted to make and use derivative works provided that such works are identified as derived from the RSA Data Security Inc MD5 Message Digest Algorithm in all material mentioning or referencing the derived work RSA Data Security Inc makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose It is provided as is without express or implied warranty of any kind These notices must be retained in any copies of any part of this documentation and or software PPP Copyright c 1989 Carnegie Mellon University All rights reserved Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation advertising materials and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND WI
4. gt Note For enhanced security restrict access to as few external IP addresses as practical To allow access from any IP address on the Internet select Everyone To allow access from a range of IP addresses on the Internet select IP address range Enter a beginning and ending IP address to define the allowed range To allow access from a single IP address on the Internet select Only this PC Enter the IP address that will be allowed access 2 Specify the Port Number that will be used for accessing the management interface Web browser access normally uses the standard HTTP service port 80 For greater security you can change the remote management Web interface to a custom port by entering that number in the box provided Choose a number between 1024 and 65535 but do not use the number of any common service port The default is 8080 which is a common alternate for HTTP 3 Click Apply to have your changes take effect When accessing your firewall from the Internet the Secure Sockets Layer SSL will be enabled You will enter https and type the WAN IP address of your firewall into your browser followed by a colon and the custom port number For example if your WAN IP address is 134 177 0 123 and you use port number 8080 enter the following in your browser https 134 177 0 123 8080 The remote URL login of the router is https IP_address port_number or https Fully QualifiedDomainName port_number
5. services i Schedule Block Sites Firewall Rules Source MAC Filter a Port Triggering Operation succeeded help Name Enable Protocol Outgoing Ports Incoming Ports Action Start Port End Port Start Port End Port ol 1 Abstracts No TCP 20 22 20 40 Bedit select all delete Port Triggering Status Add Port Triggering Rule Name Enable Protocol Outgoing Trigger Port Range Start Port End Port 1 65534 Abstracts No TcP Eo 22 Rule LAN IP Address Open Ports Time Remaining Sec refresh Figure 4 17 4 26 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual E Mail Notifications of Event Logs and Alerts The Firewall Logs can be configured to log and then e mail denial of access general attack information and other information to a specified email address For example your VPN firewall will log security related events such as accepted and dropped packets on different segments of your LAN denied incoming and outgoing service requests hacker probes and Login attempts and other general information based on the settings you input on the Firewall Logs amp E mail screen In addition if you have set up Content Filtering on the Block Sites screen see Setting Block Sites Content Filtering on page 4 21 a log will be generated when someone on your network
6. Not Valid Before Not Valid after MM DO HH MM SS ary Gere Figure 3 5 To enable RIP 1 Select Network Configuration from the main menu and Routing from the submenu The Routing screen will display Click the RIP Configuration link The RIP Configuration screen will display From the RIP Direction pull down menu select the direction for the router to send and receive RIP packets e Both the router broadcasts its routing table and also processes RIP information received from other routers e Out Only the router broadcasts its routing table periodically but does not accept RIP information from other routers e In Only the router accepts RIP information from other routers but does not broadcast its routing table LAN Configuration 3 11 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e None the router neither broadcasts its route table nor does it accept any RIP packets from other routers This effectively disables RIP 4 Select the RIP Version from the pull down menu e RIP 1 classful routing and does not include subnet information This is the most commonly supported version e RIP 2 supports subnet information Both RIP 2B and RIP 2M send the routing data in RIP 2 format e RIP 2B uses subnet broadcasting e RIP 2M uses multicasting see Note below 5 RIP authentication is disabled by default To enable authentication for RIP 2B or RIP 2M a C
7. Select VPN from the main menu VPN Client from the submenu and then select the RADIUS Client tab The RADIUS Client screen will display Enable the Primary RADIUS server by checking the Yes radio box Enter the Primary RADIUS Server IP address Enter a Secret Phrase Transactions between the client and the RADIUS server are authenticated using a shared secret phrase so the same Secret Phrase must be configured on both client and server Enter the Primary Server NAS Identifier Network Access Server This Identifier MUST be present in a RADIUS request Ensure that NAS Identifier is configured as the same on both client and server The FVS338 is acting as a NAS Network Access Server allowing network access to external users after verifying their authentication information Ina RADIUS transaction the NAS must provide some NAS Identifier information to the RADIUS Server Depending on the configuration of the RADIUS Server the router s IP address may be sufficient as an identifier or the Server may require a name which you would enter here This name would also be configured on the RADIUS Server although in some cases it should be left blank on the RADIUS Server Enable a Backup RADIUS Server if required by following steps 2 through 5 Set the Time Out Period in seconds that the router should wait for a response from the RADIUS server Set the Maximum Retry Count This is the number of tries the router will make to the RADIUS s
8. Setting LAN WAN Rules The Default Outbound Policy is to allow all traffic from and to the Internet to pass through Firewall rules can then be applied to block specific types of traffic from either going out from the LAN to the Internet Outbound or coming in from the Internet to the LAN Inbound The default policy can be changed to block all outbound traffic and enable only specific services to pass through the router To change the Default Outbound Policy 1 Select Security from the main menu and Firewall Rules from the submenu The LAN WAN Rules screen will display 2 Change the Default Outbound Policy by selecting Block Always from the drop down menu and click Apply EAE ARTEEI Attack Checks Default Outbound Policy Allow Always apply Operation succeeded help Service Name Filter LAN Users WAN Users Priority Log Action oO ANY Block Always ANY ANY Normal Service Never up down edit select all delete enable D disable add help Service Name Filter LAN Server IP Address LAN Users WAN Users Destination Log Action D FTP Block Always ANY WAN1 Never up diown B edit select all delete enable O disable add Figure 4 2 To make changes to an existing outbound or inbound service rule 1 Inthe Action column adjacent to the rule click e Edit to make any changes to the rule definition of an existing rule The Outbo
9. Consider the following operational items 1 Asan option you can enable remote management if you have to manage distant sites from a central location see Enabling Remote Management Access on page 6 9 2 Although setting firewall rules see Using Rules to Block or Allow Specific Kinds of Traffic on page 4 1 is the basic way of managing the traffic through your system you can further refine your control with the following features of the VPN firewall Groups and hosts see Managing Groups and Hosts on page 3 5 Services see Services Based Rules on page 4 2 Schedules see Setting a Schedule to Block or Allow Traffic on page 4 20 Block sites see Setting Block Sites Content Filtering on page 4 21 Source MAC filtering see Enabling Source MAC Filtering on page 4 23 Port triggering see Setting Up Port Triggering on page 4 24 Firewall Protection and Content Filtering 4 31 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 4 32 Firewall Protection and Content Filtering v1 0 September 2006 Chapter 5 Virtual Private Networking This chapter describes how to use the Virtual Private Networking VPN features of the VPN firewall VPN tunnels provide secure encrypted communications between your local network and a remote network or computer parameters and then edit the VPN and IKE Policy screens for the various VPN Se Tip When using dual WA
10. FVS338 ProSafe VPN Firewall 50 Reference Manual To edit an entry in the Known PCs and Devices table 1 Click Edit adjacent to the entry you want to modify The Edit Known PCs and Devices screen will display Make your modifications to the entry 2 Click Apply to save your settings The changes will appear the Known PCs and Devices table To edit a Group Name in the Network Database 1 On the Groups and Hosts screen click the Edit Group Names link 2 Check the radio button by the group name you want to modify and type in a suitable name 3 Click Apply to save the settings Network Configuration IP Address MAC Address 9300UNIT3 192 168 1 2 00 11 43 71 c8 d8 DHCP Assigned IP Address select all delete Add Known PCs and Devices Name IP Address Type 9300UNIT3 Fixed set on PC A Groupi l Operation succeeded 1 Edit Known PC and Device Name 9s00unrT3 IP Address Type Fixed set on PC v IP Address E92 Jase Ja Je MAC Address foor1 43 71 c8 d8 Group Group i Edit Groups oo0oo000000 Figure 3 3 LAN Configuration 3 7 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Setting Up Address Reservation When you specify a reserved IP address for a device on the LAN based on the MAC address of the device that computer or d
11. File to upload field Click Upload The new Certificate Identity will appear in the Certification Revocation Lists table If you have a previous CA Identity from the same CA it should now be deleted Virtual Private Networking 5 37 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 5 38 Virtual Private Networking v1 0 September 2006 Chapter 6 Router and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 50 These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface The ProSafe VPN Firewall 50 offers many tools for managing the network traffic to optimize its performance You can also control administrator access be alerted to important events requiring prompt action monitor the firewall status perform diagnostics and manage the firewall configuration file Performance Management Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through when there is a bottleneck and either reducing unnecessary traffic or rescheduling some traffic to low peak times to prevent bottlenecks from occurring in the first place The VPN firewall has the necessary features and tools to help the network manager accomplish these goals VPN Firewall Features That Reduce Traffic Features of the VPN firewall that can be called upon to decrea
12. Telephone Password P Alternative Telephone i Dial up Connection Status Specify Connect and Disconnect Method Connect automatically disconnect after idle for E min Connect and disconnect manually i Internet IP Address Get Dynamically from ISP Get Automatically From ISP Use Static IP Address Use These DNS Servers Ip Address o_o Jo Je Primary DNS server o_o Jo Mo Secondary DNS Server fo Je o Jo i Modem Type Serial Line Speed 115200 v Modem Type 26 U S Robotics 56K FAX EXT PnP For User Defined Modem Initial String AE Dialup Type Tone O Pulse Other use Dial String Figure 2 4 2 Enter the following Dialup Account settings a Account User name Enter the account name or the user name provided by your ISP This name will be used to log in to the ISP server b Password The account password for the dialup ISP c Telephone The telephone number or access number to dial for connectivity Type in the number using the format described in your modem s user manual d Alternative Telephone An alternative number which will be dialed if the first is not available optional Connecting the FVS338 to the Internet 2 5 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Specify the method to use for your Dial up Connection Status The VPN firewall can automatically dial to t
13. FVS338 ProSafe VPN Firewall 50 Reference Manual NETGEAR ProSafe VPN Firewal NETGEAR NETGEAR Inc 4500 Great America Parkway Santa Clara CA 95054 USA September 2006 202 10046 03 v1 0 2006 by NETGEAR Inc All rights reserved Trademarks NETGEAR the NETGEAR logo and ProSafe are trademarks and or registered trademarks of Netgear Inc Microsoft Windows and Windows NT are registered trademarks of Microsoft Corporation Other brand and product names are registered trademarks or trademarks of their respective holders Statement of Conditions In the interest of improving internal design operational function and or reliability NETGEAR reserves the right to make changes to the products described in this document without notice NETGEAR does not assume any liability that may occur due to the use or application of the product s or circuit layout s described herein Federal Communications Commission FCC Compliance Notice Radio Frequency Notice This equipment has been tested and found to comply with the limits for a Class B digital device pursuant to part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference in a residential installation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee
14. Use These DNS Servers IP Address Em D p Primary DNS Serv r o A IP Subnet Mask d E Secondary DNS Server Al J Gateway IP Address E E Figure 2 2 2 Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support When Auto Detect successfully detects an active Internet service it reports which connection type it discovered The options are described in the following table Table 2 1 Internet connection methods Connection Method Data Required PPPoE Login Username Password PPTP Login Username Password Local IP and PPTP Server IP BigPond Cable Login Username Password Account Name and Server IP Connecting the FVS338 to the Internet 2 3 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 2 1 Internet connection methods Connection Method __ Data Required DHCP Dynamic IP No data is required Fixed IP IP address and related data supplied by your ISP 3 Click Connection Status at the top right of the screen to verify your Broadband connection status Click Connect if connection not already present Connection Status Connection Time 0 Days 02 17 24 Connection Type DHCP Connection State Connected IP Address 10 1 32 41 Subnet Mask 255 255 255 0
15. 192 168 1 1 3 Under the Monitoring menu select Router Status 4 Check that an IP address is shown for the WAN Port If 0 0 0 0 is shown your firewall has not obtained an IP address from your ISP If your firewall is unable to obtain an IP address from the ISP you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure 1 Turn off power to the cable or DSL modem 2 Turn off power to your firewall 3 Wait five minutes and reapply power to the cable or DSL modem 4 When the modem s LEDs indicate that it has reacquired sync with the ISP reapply power to your firewall If your firewall is still unable to obtain an IP address from the ISP the problem may be one of the following e Your ISP may require a login program Ask your ISP whether they require PPP over Ethernet PPPoE or some other type of login e If your ISP requires a login you may have incorrectly set the login name and password e Your ISP may check for your PC s host name Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu e Your ISP only allows one Ethernet MAC address to connect to the Internet and may check for your PC s MAC address In this case Inform your ISP that you have bought a new network device and ask them to use the firewall s MAC address or 7 4 Troubleshooting v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual
16. Authentication Phase 1 jompression None be A Proposal 1 7 i S Key Exchange Phase 2 IV Encapsulation Protocol ESP Proposal 1 EncryptAlg Triple DES Qs Other Connections Hash Alg SHA 1 Encapsulation Tunnel I Authentication Protocol AH Figure 5 14 Testing the Connection To test your VPN connection 1 Right click the VPN client icon in your Windows toolbar and select Connect and then select My Connections to_F VS Within 30 seconds you should receive the message Successfully connected to My Connections to_FVS and the VPN client icon in the toolbar should display On fy 2 For additional status and troubleshooting information right click the VPN client icon j in your Windows toolbar and select Connection Monitor or Log Viewer or view the VPN Logs and VPN Connection Status of the FVS338 Virtual Private Networking 5 19 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual N Connection Monitor NETGEAR ProSafe YPN Client iol x m Global Statistics Non Secured Packets 319 Secured Packets 14 F eset Dropped Packets 2 Secured Data KBytes 1 Connection Name Local Address Local Subnet__ Remote Address Remote Modifier GW Address Protocol_ Local Port Rem Port My Connection 10 0 0 12 255 255 255 255 192 168 1 0 255 255 255 0 10 0 0 11 ALL Figure 5 15 Extended Authentication XAUTH Configuration When connecting many VPN cli
17. Identifier Type Local Wan IP Identifier Type Identifier 0 1 2241 0 Identifier KOL 0mo ii IKE SA Parameters Encryption Algorithm 3DES Authentication Algorithm SHA 1 Authentication Method Pre shared key ORS8A Signature Pre shared key Diffie Hellman DH Group Group 2 1024 bit v S4 Lifetime sec 28800 Figure 5 3 Click the IKE Policies tab to view the corresponding IKE Policy The IKE Policies screen will display policies PN Policies 8 VPN Wizard Operation succeeded List of PN Policies Name Type Local Remote AH ESP Action o to_fux Auto Policy 192 168 1 0 255 255 255 0 192 168 2 0 255 255 255 0 SHA 1 apes edit select all aclete enable D disable add Figure 5 4 You can view the VPN parameters by clicking Edit in the Actions column adjacent to to_fvx It should not be necessary to make any changes 5 10 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Operation succeeded General Policy Name Policy Type Auto Policy Remote Endpoint Ip Address ko Je o fate J O FQDN DOme E Enable NetBIOS Traffic Selection Local IP Subnet Remote IP Subnet Start IP Address Esz Jiss Ja Jo Start IP Address Boz fies Je Jo End IP Address J fo End IP Address E
18. gt fal z lhome11 fvs_remote com Virtual Adapter Disabled X Internet Interface Name 1 Broadcom 440x 10 100 Integrated Controlle IP Addr 10 0 0 12 Figure 5 10 12 Before leaving the My Identity menu click Pre Shared Key 13 Click Enter Key and type your preshared key Click OK This key will be shared by all users of the FVS338 policy home Security Policy Editor NETGEAR ProSafe VPN Client Ox File Edit Options Help a NETGEAR N Network Security Policy J My Conne amp to FV Pre Shared Key Enter Key r Enter Pre Shared Key at least 8 characters This key is used during Authentication Phase if the Authentication Method Proposal is Pre Shared key ESOO o y IP Addr 192168 1 100 Figure 5 11 Virtual Private Networking 5 17 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 14 In the left frame click Security Policy shown in Figure 5 12 15 Select Phase 1 Negotiation Mode by checking the Aggressive Mode radio box 16 PFS Key Group should be disabled and Enable Replay Detection should be enabled Security Policy Editor NETGEAR ProSafe VPN Client D K Fie Edit Options Help H NETGEAR N Network Security Policy 5 Fe My Connections Security Policy Select Phase 1 Negotiation Mode C Main Mode uthentication Phase 1 Aggressive Mode g Key Exchange Phase 2 C Use Manua
19. 3 7 2 Customized Services 4 2 service port numbers 4 17 D date troubleshooting 7 7 Daylight Savings Time setting 6 15 default configuration restoring 7 7 default firewall rules 4 7 Inbound 4 1 Outbound 4 2 Default Outbound Policy LAN WAN 4 7 denial of service attack 4 10 UDP flood 4 11 Denial of Service See DoS DH use with ModeConfig 5 26 DHCP about 3 1 DHCP client requests monitoring 6 20 DHCP log 6 25 monitoring 6 25 DHCP Server using VPN firewall as 3 1 Diagnostics DNS lookup 6 26 Packet Trace 6 28 pinging an IP address 6 26 Reboot the Router 6 28 Diagnostics Fields descriptions of 6 27 Diagnostics screen 6 26 Dialup ISP Status monitoring 6 23 Diffie Hellman Group use in IKE Policy 5 5 Digital 5 33 Digital Certificates 5 33 DNS lookup 6 26 DNS Proxy 1 3 Domain Name Blocking 6 3 domain name blocking See Keyword Blocking DOS protection download firmware steps to 6 14 Dual WAN Port use with VPN firewall 5 7 Dynamic DNS configuration of 2 16 Dynamic Host Configuration Protocol See DHCP E Edge Device XAUTH use with 5 20 Edit Group Names link 3 7 Edit Known PCs and Devices screen 3 7 Edit Service screen 4 19 E mail alerts configuring 4 28 scheduling 4 28 Enable DHCP Server LAN Setup 3 2 Enable DNS Proxy LAN Setup 3 3 Encapsulating Security Payload See ESP encrypted communication VPN tunnels 5 1 ESP VPN Policies use with 5 7 Ethernet 3 Exp
20. 30 14 26 17 dhcpd Wrote 1 leases to leases file Last output repeated twice Jun 30 18 48 46 dhcpd DHCPINFORM from 192 168 1 100 via ixp Jun 30 18 48 46 dhcpd DHCPACK to 192 168 1 100 w 3 i gt refresh clear log Figure 6 15 Performing Diagnostics You can perform diagnostics such as pinging an IP address performing a DNS lookup displaying the routing table rebooting the firewall and capturing packets Select Monitoring from the main menu and Diagnostics from the submenu The Diagnostics screen will display Note For normal operation diagnostics are not required 6 26 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Network Configuration YP l dmini J Web Suppo ogout Firewall Logs amp E mail VPN Logs Diagnostics IP Address I gt ping traceroute Q help Internet Name 2 lookup Display the Routing Table display Reboot the Router d reboot Capture Packets packet ti TCR EEE Interface Name Destination Mask Gateway Metric LAN 192 168 1 0 255 255 255 0 0 0 0 0 0 BroadBand 10 1 32 0 255 255 255 0 0 0 0 0 o BroadBand default 0 Figure 6 16 Table 6 4 Diagnostics Fields Item Description Ping or Trace an IP Ping Used to send a ping packet request to a specified IP address most often address to test a co
21. If you do not use the SSL https address but rather use http address the FVS338 will automatically attempt to redirect to https address Note The first time you remotely connect the FVS338 with a browser via SSL you may p get a message regarding the SSL certificate If you are using a Windows computer with Internet Explorer 5 5 or higher simply click Yes to accept the certificate 6 10 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual _ Note If you are using a dynamic DNS service such as TZO you can always identify the IP address of your FVS338 by running tracert from the Windows Run menu as For example renter tracert yourFVS338 mynetgear net and you will see the IP address your ISP assigned to the FVS338 Using a SNMP Manager Simple Network Management Protocol SNMP lets you monitor and manage your router from an SNMP Manager It provides a remote means to monitor and control network devices and to manage configurations statistics collection performance and security The SNMP Configuration table lists the SNMP configurations by e IP Address The IP address of the SNMP manager e Port The trap port of the configuration e Community The trap community string of the configuration To create a new SNMP configuration entry 1 Select Administration from the main menu and SNMP from the submenu The SNMP screen will display 2 U
22. LAN Server koz Jasse Ie Translate to Port Number _J Public Destination IP Address Other Public IP Address fio Ja Me Jsa LAN Users Start aS aS ez Finish ED aa WAN Users Any Start E Finish Em Log Neyer Y Figure 4 8 Your rule will now appear in the Inbound Services table of the Rules menu see Figure 4 9 This rule is different from a normal inbound port forwarding rule in that the Destination box contains an IP Address other than your normal WAN IP Address 4 14 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual PETEA Attack Checks Default Outbound Policy Allow Always apply Operation succeeded help Service Name Filter LAN Users WAN Users Priority Log Action select all delete enable disable add help Service Name Filter LAN Server IP Address LAN Users WAN Users Destination Log Action Oo HTTP Allow Always 192 168 1 2 ANY 19 1 9 52 Never up Qaown edit select all delete enable disable add Figure 4 9 To test the connection from a PC on the Internet type http lt IP_address gt where lt IP_address gt is the public IP address you have mapped to your Web server You should see the home page of your Web server Specifying an Exposed Host Specifying an exposed host allows you to set up a computer
23. VPN Gateway or the remote VPN Client This key length should be minimum 8 characters and should not exceed 49 characters This method does not require using a CA Certificate Authority 5 Enter the Remote WAN IP Address or Internet Name of the gateway you want to connect to Both the remote WAN address and the your local WAN address are required When choosing these addresses follow the guidelines in Table 5 1 above The remote WAN IP address of the Gateway must be a public address or the Internet name of the Gateway The Internet name is the Fully Qualified Domain Name FQDN as setup in a Dynamic DNS service Both local and remote ends should be defined as either IP addresses or Internet Names FQDN A combination of IP address and Internet Name is not permissible 6 Enter your Local WAN IP Address or Internet Name 5 2 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual The Local WAN IP address is the address used in the IKE negotiation phase Automatically the WAN IP address assigned by your ISP may display You can modify the address to use your FQDN required if the WAN Mode you selected is auto rollover 7 Enter the Remote LAN IP Address and Subnet Mask of the remote gateway The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway otherwise the secure tunnel will fail to connect The IP address range used on the remote LAN must be dif
24. __ Note If no box is displayed for Internal Network IP Address go to Options Global Policy Settings and check the box for Allow to Specify Internal Network Address Select your Internet Interface adapter from the Name pull down menu N Security Policy Editor NETGEAR ProSafe VPN Client File Edit Options Help ial NETGEAR N Network Security Policy 4 My Connections My Identity By modetfa_test My Identity H E Security Policy None x GB to_fdvg ID Type Qy Other Connections Select Certificate Pre Shared Key DomainName x salesperson 1 remote_id com Virtual Adapter Preferred Intemal Network IP Address 0 0 0 0 Internet Interface Name 1 Broadcom 440x 10 100 Integrated Contralla_ gt IP Addr 192 168 1 2 Figure 5 22 3 On the left side of the menu select Security Policy a Under Security Policy Phase 1 Negotiation Mode check the Aggressive Mode radio button b Check the Enable Perfect Forward Secrecy PFS radio button and select the Diffie Hellman Group 2 from the PFS Key Group pull down menu c Enable Replay Detection should be checked 4 Click on Authentication Phase 1 on the left side of the menu and select Proposal 1 Enter the Authentication values to match those in the VPN firewall ModeConfig Record menu Virtual Private Networking 5 31 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Ref
25. added to the Inbound Services table Firewall Protection and Content Filtering 4 9 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Add LAN WAN Inbound Service Operation succeeded helpl Service ANY v Action BLOCK always v Select Schedule B Send to LAN Server Translate to Port Number L Public Destination IP Address Broadband v Ee eS Se E LAN Users Start Dia Finish M WAN Users Any v Start ea a er ee Finish n Log Never Figure 4 4 Attack Checks This screen allows you to specify whether or not the router should be protected against common attacks in the LAN and WAN networks The various types of attack checks are listed on the Attack Checks screen and defined below e WAN Security Checks Respond To Ping On Internet Ports When enabled the router will respond to a Ping from the Internet This can be used as a diagnostic tool and shouldn t be used unless you have a specific diagnostic reason to do so Enable Stealth Mode If enabled the router will not respond to port scans from the WAN thus making it less susceptible to discovery and attacks Block TCP Flood A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system When the system responds the attacker doesn t complete the connections thus leaving the connection half open and flooding the
26. can change it accordingly If the user does not make a selection i e leaves it as None then the native priority of the service will be applied to the policy 6 is the highest priority See Specifying Quality of Service QoS Priorities on page 4 19 Log This determines whether packets covered by this rule are logged Select the desired action Always always log traffic considered by this rule whether it matches or not This is useful when debugging your rules Never never log traffic considered by this rule whether it matches or not Inbound Rules Port Forwarding Because the FVS338 uses Network Address Translation NAT your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers However by defining an inbound rule you can make a local server for example a Web server or game server visible and available to the Internet The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number This is also known as port forwarding Whether or not DHCP is enabled and how the PCs will access the server s LAN address impact the Inbound Rules For example e If your external IP address is assigned dynamically by your ISP DHCP enabled the IP address may change periodically as the DHCP lease expires Consider using Dyamic DNS under Network Configuration so that external use
27. connection This name is not supplied to the remote VPN Endpoint It is used to help you manage the VPN settings 4 Enter a Pre shared Key The key must be entered both here and on the remote VPN Gateway or the remote VPN Client This key length should be minimum 8 characters and should not exceed 49 characters This method does not require using a CA Certificate Authority 5 The Remote Identifier Information and the Local Identifier Information will display with the default IKE Client Policy values fvs_remote com for the remote end point and fvs_local com for the local end point Virtual Private Networking 5 3 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 6 Click Apply The VPN Client screen will display showing that the VPN Client has been enabled Click the IKE Policies tab to view the corresponding IKE Client Policy IKE Policies The IKE Internet Key Exchange protocol performs negotiations between the two VPN Gateways and provides automatic management of the Keys used in IPSec It is important to remember that e Auto generated VPN policies must use the IKE negotiation protocol e Manual generated VPN policies cannot use the IKE negotiation protocol IKE Policy Operation IKE Policies are activated when 1 The VPN Policy Selector determines that some traffic matches an existing VPN Policy If the VPN policy is of type Auto then the Auto Policy Parameters defined in th
28. empty they will be set to the Default Netgear NTP servers 5 Click Apply to save your settings or click Cancel to revert to your previous settings Administration Remote Management SNMP Settings Backup amp Upgrade Set Password Time Zone Date Time GMT Greenwich Mean Time Edinburgh London Automatically Adjust for Daylight Savings Time Use Default NTP Servers Use Custom NTP Servers Server 1 Name IP Address Server 2 Name IP Address Current Time Thu Jul 06 19 16 13 GMT 2006 Figure 6 5 Monitoring the Router You can be alerted to important events such as WAN port rollover WAN traffic limits reached and login failures and attacks You can also view status information about the firewall WAN ports LAN ports and VPN tunnels Enabling the Traffic Meter To monitor traffic limits on each of the WAN ports select Administration from the main menu and Traffic Meter from the submenu The Broadband Traffic Meter screen will display The Broadband and Dialup ports are programmed separately A WAN port shuts down once its traffic limit is reached if the Block all traffic feature is enabled The Traffic Meter screen also provides the following information e Internet Traffic Statistics Displays statistics on Internet Traffic via the WAN port If you have not enabled the Traffic Meter these statistics are not available 6 16 Router and
29. in destination field similarly WAN1 and WAN2 corresponds to respective wan interfaces Router and Network Management 6 5 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Services You can specify the desired Services or applications to be covered by this rule If the desired service or application does not appear in the list you must define it using the Services menu see Adding Customized Services on page 4 17 e Schedule You can specify whether the rule is to be applied on the Schedule 1 Schedule 2 or Schedule 3 time schedule see Setting a Schedule to Block or Allow Traffic on page 4 20 See Using Rules to Block or Allow Specific Kinds of Traffic on page 4 1 for the procedure on how to use this feature Port Triggering Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall Using this feature requires that you know the port numbers used by the Application Once configured operation is as follows e A PC makes an outgoing connection using a port number defined in the Port Triggering table e This Router records this connection opens the additional INCOMING port or ports associated with this entry in the Port Triggering table and associates them with the PC e The remote system receives the PCs request and responds using the different port numbers that you have now opened e This Router matches the respo
30. local User Database for the user credentials If the user account is not present the router will then connect to a RADIUS server Configuring XAUTH for VPN Clients Once the XAUTH has been enabled you must establish user accounts on the Local Database to be authenticated against XAUTH or you must enable a RADIUS CHAP or RADIUS PAP server Note If you are modifying an existing IKE Policy to add XAUTH if it is in use by a gt VPN Policy the VPN policy must be disabled before you can modify the IKE Policy To enable and configure XAUTH 1 Select VPN from the main menu and Policies from the submenu The IKE Policies screen will display 2 You can either modify an existing IKE Policy by clicking Edit adjacent to the policy or create a new IKE Policy by clicking Add gt Note If the IKE policy is in use by a VPN Policy you must either disable or delete the VPN policy before making changes to the IKE Policy 3 Inthe Extended Authentication section select the Authentication Type from the pull down menu which will be used to verify user account information Select e Edge Device to use this router as a VPN concentrator where one or more gateway tunnels terminate When this option is chosen you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways User Database to verify against the router s user database Users must be adde
31. marked Adjust for Daylight Savings Time Troubleshooting 7 7 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 7 8 v1 0 September 2006 Troubleshooting Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults This is called a hard reset e To perform a hard reset push and hold the reset button for approximately 5 seconds until the TEST LED blinks rapidly Your device will return to the factory configuration settings shown in Table A 1 below e Pressing the reset button for a shorter period of time will simply cause your device to reboot Table A 1 FVS338 Default Settings Feature Default Behavior Router Login User Login URL http 192 168 1 1 User Name case sensitive admin Login Password case sensitive password Internet Connection WAN MAC Address Use Default address WAN MTU Size 1500 Port Speed AutoSense Local Network LAN Lan IP 192 168 1 1 Subnet Mask 255 255 255 0 RIP Direction None RIP Version Disabled RIP Authentication Disabled DHCP Server Enabled DHCP Starting IP Address 192 168 1 2 DHCP Ending IP Address 192 168 1 100 DMZ Disabled Default Settings and Technical Specifications v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Ma
32. select all delete Add Custom Service Name Type ICMP Type Start Port Finish Port Default QoS Priority k ait TCP al 20 fzo Normal Service v add Er Service Operation succeeded Name memos Type TCP M ICMP Type Start Port 20 Finish Port 20 Default QoS Priority Normal Service v Figure 4 12 To add a service 1 Select Security from the main menu and Services from the submenu The Services screen will display 2 In the Add Custom Service table enter a descriptive name for the service this is for your convenience Select the Layer 3 Protocol that the service uses as its transport protocol It can be TCP UDP or ICMP Enter the first TCP or UDP port of the range that the service uses If the service uses only one port then the Start Port and the Finish Port will be the same Enter the last port of the range that the service uses If the service only uses a single port number enter the same number in both fields Click Add The new custom service will be added to the Custom Services Table Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual To edit the parameters of a service 1 In the Custom Services Table click the Edit icon adjacent to the service you want to edit The Edit Service screen will display 2 Modify the parameters you wish to change Click Reset to cancel the changes and restore the previous set
33. server on the LAN and act as a DHCP client to the Internet VPN policies LAN WAN settings and other settings will be lost Please backup your settings if you intend on using them i Warning When you click default your router settings will be erased All firewall rules Router and Network Management 6 13 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Network Configuration 0 I Administration oni eb 1 i Remote Management SNMP Set Password Time Zone Settings Backup and Firmware Upgrade help Save a copy of current settings amp backup Restore saved settings from file Browse restore Revert to factory default settings default help Locate and select the upgrade file from your hard disk Browse 4 upload Figure 6 4 Router Upgrade You can install a different version of the VPN firewall firmware from the Settings Backup amp Upgrade screen To view the current version of the firmware that your VPN firewall is running select Monitoring from the main menu The Router Status screen on the will display all of the VPN firewall router statistics When you upgrade your firmware the Firmware Version will change to reflect the new version To download a firmware version 1 Go to the NETGEAR Web site at http www netgear com support and click on Downloads 2 From the Product Selection pull down menu select your p
34. server with SYN messages No legitimate connections can then be made When enabled the router will drop all invalid TCP packets and will be protected from a SYN flood attack 4 10 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual LAN Security Checks A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host As a result the distant host will 1 check for the application listening at that port 2 verify that no application is listening at that port and then 3 reply with an ICMP Destination Unreachable packet When the victimized system is flooded it is forced to send many ICMP packets eventually making it unreachable by other clients The attacker may also spoof the IP address of the UDP packets ensuring that the excessive ICMP return packets do not reach him thus making the attacker s network location anonymous If enabled the router will not accept more than 20 simultaneous active UDP connections from a single computer on the LAN VPN Pass through When the router is in NAT mode all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy For example if a VPN Client or Gateway on the LAN side of this router wants to connect to another VPN endpoint on the WAN placing this router between two VPN end poin
35. shared key which greatly simplifies setup After creating the policies through the VPN Wizard you can always update the parameters through the Policies menu This PN tunnel will connect to the following peers Gateway vpn Client i Connection Name and Remote IP Type What is the new Connection Name to_fvs What is the pre shared key 12345678 Key Length 8 49 Char This VPN tunnel will use following local WAN Interface WAN1i O wanz i End Point Information What is the Remote WAN s IP Address or Internet Name What is the Local WAN s IP Address or Internet Name 10 1 0 118 i Secure Connection Remote Accessibility What is the remote LAN IP Address k2 Jass Ja Ja What is the remote LAN Subnet Mask fess Jess Jess o Figure 5 6 Testing the Connection 1 From aPC on either firewall s LAN try to ping a PC on the other firewall s LAN Establishing the VPN connection may take several seconds 2 For additional status and troubleshooting information view the VPN log and status menu in the FVX538 or FVS338 Creating a VPN Client Connection VPN Client to FVS338 This section describes how to configure a VPN connection between a Windows PC the client installed with the NETGEAR ProSafe VPN Client and the VPN firewall 5 12 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Using the FVS338 VPN Wizard w
36. shown is that of the selected service The user can change it accordingly If the user does not make a selection i e leaves it as None then the native priority of the service will be applied to the policy See Specifying Quality of Service QoS Priorities on page 4 19 Log This determines whether packets covered by this rule are logged Select the desired action Always always log traffic considered by this rule whether it matches or not This is useful when debugging your rules e Never never log traffic considered by this rule whether it matches or not Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual ____ Note Some residential broadband ISP accounts do not allow you to run any server gt processes such as a Web or FTP server from your location Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location If you are unsure refer to the Acceptable Use Policy of your ISP Remember that allowing inbound services opens holes in your VPN firewall Only enable those ports that are necessary for your network It is also advisable to turn on the server application security and invoke the user password or privilege levels if provided Order of Precedence for Firewall Rules As you define new rules they are added to the tables in the Rules menu a
37. that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures e Reorient or relocate the receiving antenna e Increase the separation between the equipment and receiver e Connect the equipment into an outlet on a circuit different from that to which the receiver is connected e Consult the dealer or an experienced radio TV technician for help EU Regulatory Compliance Statement ProSafe VPN Firewall 50 is compliant with the following EU Council Directives 89 336 EEC and LVD 73 23 EEC Compliance is verified by testing to the following standards EN55022 Class B EN55024 and EN60950 1 Bestatigung des Herstellers Importeurs Es wird hiermit best tigt da das ProSafe VPN Firewall 50 gem der im BMPT AmtsblVfg 243 1991 und Vfg 46 1992 aufgef hrten Bestimmungen entst rt ist Das vorschriftsmafige Betreiben einiger Ger te z B Testsender kann jedoch gewissen Beschr nkungen unterliegen Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung Das Bundesamt f r Zulassungen in der Telekommunikation wurde davon unterrichtet da dieses Ger t auf den Markt gebracht wurde und es ist berechtigt die Serie auf die Erf llung der Vorschriften hin zu berpr fen Certificate of the Manufactu
38. the Network Configuration menu of the router interface Configuring Your LAN Local Area Network By default the firewall will function as a DHCP Dynamic Host Configuration Protocol server allowing it to assign IP DNS server WINS Server and default gateway addresses to all computers connected to the firewall LAN The assigned default gateway address is the LAN address of the firewall IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN Using the VPN Firewall as a DHCP Server For most applications the default DHCP and TCP IP settings of the firewall are satisfactory See the link to Preparing a Computer for Network Access in Appendix B for an explanation of DHCP and information about how to assign IP addresses for your network The firewall will deliver the following parameters to any LAN device that requests DHCP e An IP Address from the range you have defined e Subnet Mask e Gateway IP Address the firewall s LAN IP address e Primary DNS Server the firewall s LAN IP address e WINS Server if you entered a WINS server address in the DHCP Setup menu e Lease Time date obtained and duration of lease The LAN Setup screen allows you to configure the LAN on your router The default values are suitable for most users and situations LAN Configuration 3 1 v1 0 September 20
39. the On Off switch and AC power connection INTERNET 12VDC 1 24 FL J oto Figure 1 2 Viewed from left to right the rear panel contains the following elements e Modem port serves as the WAN2 Internet port through the public switched telephone network PSTN e Factory Defaults reset button e Local ports 8 port RJ 45 10 100 Mbps Fast Ethernet Switch N way automatic speed negotiation auto MDI MDIX e Internet port serves as the WAN Internet port One RJ 45 WAN port N way automatic speed negotiation Auto MDI MDIX e On Off switch e DC power in 12 VDC 1 2A Introduction 1 7 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Rack Mounting Hardware The FVS338 can be mounted either on a desktop using included rubber feet or in a 19 inch rack using the included rack mounting hardware illustrated in Figure 1 3 Figure 1 3 Factory Default Login Check the label on the bottom of the FVS338 s enclosure if you forget the following factory default information e IP Address http 192 168 1 1 to reach the Web based GUI from the LAN e User name admin e Password password NETGEAR ProSafe VPN Firewall FVS338 LAN IP Address hittp 992 168 1 aea odi poed eed Comer gt c ee OS o Made in China 272 10138 02 Figure 1 4 1 8 Introduction v1 0 September 2006 FVS338 ProSafe
40. the Trusted Certificates table e CA Identity Subject Name The organization or name to whom the certificate has been issued e Issuer Name The name of the CA that issued the certificate e Expiry Time The date when the certificate becomes invalid New certificates can be uploaded to the router when they are received To upload a Trusted Certificate 1 Select VPN from the main menu and Certificates from the submenu The Certificates screen will display Virtual Private Networking 5 33 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 2 Click Browse to locate the trusted certificate on your computer and then click Upload The certificate will be stored on the router and will display in the Trusted Certificates table Policies VPN Wizard VPN Client Connection Status i Mode Config Certificates help CA Identity Subject Name Issuer Name Expiry Time select all delete Upload Trusted Certificate Trusted Certificate File Browse 4 upload Figure 5 25 Self Certificates Active Self certificates are certificates issued to you by the various Certificate Authorities CAs that are available for presentation to peer IKE servers Each active self certificate is listed in the Active Self Certificates table The data consists of e Name A unique given by you to identify the certificate e Subject Name The name which other organizations will see
41. the firewall enforce its use When Antivirus Enforcement is selected local PCs will not be allowed Web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions e The Client Server Messaging Suite for Small and Medium Business protects file servers mail servers and PCs on your network and includes antispam capability The Client Server Suite for Small and Medium Business protects files servers and PCs Both products deliver a layered defense against viruses and other malicious code Unlike competing antivirus products both products work your NETGEAR VPN Firewall to enforce antivirus policies end users cannot access the Internet unless they have antivirus protection with current pattern files installed Both products are specifically built to meet the needs of growing businesses and feature easy installation automatic transparent updates and damage cleanup capability Activate either product for a free trial Easy Installation and Management You can install configure and operate the ProSafe VPN Firewall 50 within minutes after connecting it to the network The following features simplify installation and management tasks e Browser based management Browser based configuration allows you to easily configure your firewall from almost any type of personal computer such as Windows Macintosh or Linux A user friendly Setup Wizard is provided and online help docume
42. 06 FVS338 ProSafe VPN Firewall 50 Reference Manual To modify your LAN setup 1 Select Network Configuration from the main menu and LAN Setup from the submenu The LAN Setup screen will display Network Configuration y P Admini al N oring Web Suppo ogout WAN Settings WAN Mode Dynamic DNS LAN Groups Routing LAN Setup 8 Multi Home LAN IPs Setup 8 DHCP Log help IP Address 192 168 a fa Subnet Mask 255 255 255 Jo help Disable DHCP Server Enable DHCP Server Domain Name netgear com Starting IP Address 192 H168 pi 2 Ending IP Address 192 J168 jJi 100 WINS Server Lease Time 24 _ Hours Enable DNS Proxy v Figure 3 1 2 Enter the IP Address of your router factory default 192 168 1 1 Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets 3 Enter the IP Subnet Mask The subnet mask specifies the network number portion of an IP address Your router will automatically calculate the subnet mask based on the IP address that you assign Unless you are implementing subnetting use 255 255 255 0 as the subnet mask computed by the router 4 Check the Enable DHCP Server radio button By default the router will function as a DHCP Dynamic Host Configuration Protocol server providing TCP IP configuration for all computers connected to the rou
43. 127 0 0 1 4500 used for NAT T Ja lv refresh log clear log Figure 6 14 DHCP Log You can view the DHCP log from the LAN Setup screen Select Network Configuration from the main menu and Lan Setup from the submenu When the LAN Setup screen displays click the DHCP Log link Router and Network Management 6 25 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Network Configuration WAN Settings WAN Mode Dynamic DNS LAN Groups Routing Multi Home LAN IPs Setup 9 DHCP Log LAN Setup LAN TCP IP Setup IP Address ks Jhs JG Ja DHCP Disable DHCP Server Enable DHCP Server Domain Name netgear com Starting IP Address Last output repeated twice ry r Jun 29 19 28 53 dhcpd DHCPREQUEST for 192 168 1 100 from Ol Ending IP Address Jun 29 19 28 53 dhcpd DHCPACK on 192 168 1 100 to 00 11 43 Jun 29 22 55 20 dhcpd DHCPINFORM from 192 168 1 100 via ixp WINS Server a a Jun 29 22 55 20 dhcpd DHCPACK to 192 168 1 100 Lease Time a Hours Jun 29 22 55 23 dhcpd DHCPINFORM from 192 168 1 100 via ixp Enable DNS Proxy ES Jun 29 22 55 23 dhcpd DHCPACK to 192 168 1 100 Jun 30 04 46 46 dhcpd Wrote 1 leases to leases file Last output repeated twice Jun 30 07 28 59 dhcpd DHCPREQUEST for 192 168 1 100 from Of Jun 30 07 28 59 dhcpd DHCPACK on 192 168 1 100 to 00 11 43 Jun
44. 22 select all delete Rule LAN IP Address Open Ports Time Remaining Sec Add Port Triggering Rule refresh Name Enable Protocol Outgoing Trigger Port Range Figure 6 10 Router and Network Management 6 21 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6 2 Port Triggering Status data Item Description Rule The name of the Rule LAN IP Address The IP address of the PC currently using this rule Open Ports The Incoming ports which are associated the this rule Incoming traffic using one of these ports will be sent to the IP address above Time Remaining The time remaining before this rule is released and thus available for other PCs This timer is restarted whenever incoming or outgoing traffic is received Viewing Router Configuration and System Status The Router Status menu provides status and usage information From the main menu of the browser interface click on Management then select Router Status The Router Status screen will display Monitoring Traffic Meter Diagnostics Firewall Logs amp E mail VPN Logs VE ees Router Status a Show Statistics help System Name FYS338 MAC Address 00 14 6c 82 85 06 Firmware Version Primary 2 0 b2 50 IP Address 192 168 1 1 Firmware Version Secondary 1 6 47 DHCP Enabled IP Subnet Mask 255 255 255 0 help WAN
45. 338 ProSafe VPN Firewall 50 Reference Manual To configure the VPN Client 1 SS or Ee x Right click on the VPN client icon in your Windows toolbar and select the Security Policy Editor The Security Policy Editor screen will display In the upper left of the Policy Editor window click the New Document icon to open a New Connection N Security Policy Editor NETGEAR ProSafe PN Client E 5 xj File Edit Options Help Blea Al NETGEAR N Network Security Policy New Connection Ap Other Connections Figure 5 8 Give the New Connection a name such as to_FVS shown in Figure 5 9 In the Remote Party Identity section from the ID Type pull down menu select IP Subnet Enter the LAN IP Subnet Address and Subnet Mask of the FVS338 LAN Check Connect using radio box and select Connect using Secure Gateway Tunnel from the pull down menu From the ID Type pull down menu select Domain Name and Gateway IP Address For the Domain Name enter fvs_local com and enter the WAN IP Address of the FVS338 Virtual Private Networking 5 15 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual N Security Policy Editor NETGEAR ProSafe VPN Client Folk File Edit Options Help i gt al NETGEAR N Network Security Policy My Connections Connection Security tots 7 Secure I Only Connect Manually G My Identity CN E a Security Policy E ane C Block a Other Connectio
46. 8 bit local Ethernet address This is also referred to as the computer s MAC Media Access Control address The default is set to Use Default Address If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP then you must enter that address To change the router s default MAC Address 1 2 Select Network Configuration from the main menu Broadband ISP Settings from the submenu and click the Advanced link Check the radio box for either a Use This computer s MAC address if this is the address your ISP expects or b Use this MAC Address and enter the MAC address that your ISP expects The format for the MAC address is XX XX XX XX XX XX where X is a number from 0 to 9 inclusive or an alphabetical letter between A and F inclusive Click Apply to save your settings or Cancel to revert to the previous settings You may also change the default MTU Size and Port Speed for the Broadband link on this screen based on the following criteria MTU Size The standard MTU Maximum Transmit Unit value for Ethernet networks is either 1500 Bytes or 1492 Bytes for PPPoE connections Some ISPs may ask you to reduce the MTU but this is rarely required and should not be done unless required by your ISP Port Speed In most cases your router can automatically determine the connection speed of the Internet WAN port If you cannot establish an Internet connection and the Internet LED blink
47. AN Mode LAN Setup WAN Settings Dynamic DNS Groups and Hosts 8 Edit Group Names Name IP Address MAC Address Group Action Fi 9300UNIT3 192 168 1 2 00 11 43 71 c8 d8 Groupi Gedit DHCP Assigned IP Address select all delete Add Known PCs and Devices Name IP Address Type IP Address MAC Address Group Add 9300UNIT3 Fixed set on PC x 192 J168 J1 2 00 11 43 71 c8 d8 Groupi ov add Figure 6 9 The network database is an automatically maintained list of all known PCs and network devices PCs and devices become known by the following methods DHCP Client Requests By default the DHCP server in this Router is enabled and will accept and respond to DHCP client requests from PCs and other network devices These requests also generate an entry in the network database Because of this leaving the DHCP Server feature enabled on the LAN Setup screen is strongly recommended e Scanning the Network The local network is scanned using standard methods such as ARP This will detect active devices which are not DHCP clients However sometimes the name of the PC or device cannot be accurately determined and will be shown as Unknown The Known PCs and Devices table lists all current entries in the network database For each PC or device the following data is displayed 6 20 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6 1 K
48. AN interface address Make sure your browser has Java JavaScript or ActiveX enabled If you are using Internet Explorer click Refresh to be sure the Java applet is loaded Try quitting the browser and launching it again Make sure you are using the correct login information The factory default login name is admin and the password is password Make sure that CAPS LOCK is off when entering this information If the firewall does not save changes you have made in the Web Configuration Interface check the following When entering configuration settings be sure to click the APPLY button before moving to another menu or tab or your changes are lost Click the Refresh or Reload button in the Web browser The changes may have occurred but the Web browser may be caching the old configuration Troubleshooting 7 3 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Troubleshooting the ISP Connection If your firewall is unable to access the Internet you should first determine whether the firewall is able to obtain a WAN IP address from the ISP Unless you have been assigned a static IP address your firewall must request an IP address from the ISP You can determine whether the request was successful using the Web Configuration Manager To check the WAN IP address 1 Launch your browser and select an external site such as www netgear com 2 Access the Main Menu of the firewall s configuration at http
49. Apply to save the settings or click Cancel to revert to the previous settings Click Test to try and connect to the NETGEAR Web site If you connect successfully and your settings work then you may click Logout or go on and configure additional settings You can also click on the Broadband Status link or the Current IP Address link to check on connection status and current IP address Programming the Traffic Meter if Desired The traffic meter is useful when an ISP charges by traffic volume over a given period of time or if you want to look at traffic types over a period of time To enable the traffic meter 1 From the primary menu select Monitoring and then select Traffic Meter from the secondary menu The Broadband Traffic Meter screen will display Fill out the information described in Table 2 2 2 Click Apply to apply the settings or click Cancel to return to the previous settings Select the Dialup Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter the the Dialup port if required 2 12 Connecting the FVS338 to the Internet v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual etwork figurat oring i n n lt 2 Traffic by Protocol 3 Traffic Meter n Broadband Traffic Meter Enable Traffic Meter No Limit Download only Do you want to enable Traffic Metering on Broadband O Yes No Monthly Limit 0 MB Increase this month limit by
50. Authentication Method Pre shared key 12345678 Diffie Hellman DH Group Group 2 1024 bit 28800 O RSA Signature i Extended Authentication XAUTH Configuration None O Edge Device psec Host IKE Policies JE Authentication Type ioe Daban Username Password VPN wizard i List of IKE Policies Name Mode Local ID Remote ID Encr Auth oO salesperson Aggressive local_id com remote_id com 3DES Group 2 1024 bit Figure 5 20 select all telete add Virtual Private Networking v1 0 September 2006 5 29 FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software configure the remote VPN client connection To configure the client PC 1 Right click the VPN client icon in the Windows toolbar In the upper left of the Policy Editor window click the New Policy editor icon a Give the connection a descriptive name such as modecfg_test this name will only be used internally From the ID Type pull down menu select IP Subnet Enter the IP Subnet and Mask of the VPN firewall this is the LAN network IP address of the gateway Check the Connect using radio button and select Secure Gateway Tunnel from the pull down menu From the ID Type pull down menu s
51. Confirm Password Figure 5 17 To edit the user name or password 1 Click Edit opposite the user s name The Edit User screen will display 2 Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings The modified user name and password will display in the Configured Users table RADIUS Client Configuration RADIUS Remote Authentication Dial In User Service RFC 2865 is a protocol for managing Authentication Authorization and Accounting AAA of multiple users in a network A RADIUS server will store a database of user information and can validate a user at the request of a gateway or server in the network when a user requests access to network resources During the establishment of a VPN connection the VPN gateway can interrupt the process with an XAUTH eXtended AUTHentication request At that point the remote user must provide authentication Virtual Private Networking 5 23 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual information such as a username password or some encrypted response using his username password information The gateway will try and verify this information first against a local User Database if RADIUS PAP is enabled and then by relaying the information to a central authentication server such as a RADIUS server To configure the Primary RADIUS Server 1 9
52. E Subnet Mask fess Jess Jess p Subnet Mask fess Jess Jess o Manual Policy Parameters SPI Incoming Hex 3 8 Chars SPI Outgoing S Hes 3 8 Chars Encryption Algorithm 70E Integrity Algorithm A key In key In Td Key Out E Key Out iR DES 8 Char amp 3DES 24 Char MD5 16 Char amp SHA 1 20 Char i Auto Policy Parameters SA Lifetime sec 86400 SA Lifetime KB w Encryption Algorithm 3DES Integrity Algorithm SHA 1 OFFS Key Group Group 2 785 5 Select IKE Policy to_fyx Pview selected Apply Figure 5 5 Configuring the FVX538 To configure the FVX538 using the VPN Wizard 1 wk WwW oN Select VPN from the main menu The Policies screen will display Click the VPN Wizard link The VPN Wizard screen will display Check the Gateway radio box to establish a remote VPN gateway Give the new connection a name such as to_fvs Enter a value for the pre shared key Enter the WAN IP address or Internet name of the remote WAN Virtual Private Networking 5 11 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 6 Enter the remote LAN IP address and subnet mask 7 Click Apply to create the to_fvs IKE and VPN policies PN Wizard 8 VPN Wizard Default Values About YPN Wizard The Wizard sets most parameters to defaults as proposed by the VPN Consortium VPNC and assumes a pre
53. Gateway 10 1 32 13 DNS Server 10 1 1 6 DHCP Server 10 1 1 6 Lease Obtained Thu Jun 29 18 32 28 GMT 2006 Lease Duration 1 Day 00 00 00 renew nd release Figure 2 3 If Auto Detect does not find a connection you will be prompted to check the physical connection between your firewall and the cable or DSL line or to check your Router s MAC address see Setting the Router s MAC Address Advanced Options on page 2 7 4 Set up the traffic meter for ISP1 if desired See Programming the Traffic Meter if Desired on page 2 12 ____ Note At this point in the configuration process you are now connected to the Internet gt through the broadband Ethernet WAN Optionally you can continue with the configuration of the dialup ISP serial WAN interface The Dialup Settings screen will assist you in setting up the router to access the Internet connection using a dialup modem Since the Dialup ISP Settings must be configured manually you will need all of your ISP settings information before you begin To configure the Dialup ISP serial WAN port 2 4 Connecting the FVS338 to the Internet v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 1 Select Network Configuration from the main menu WAN Settings from the submenu and click the Dialup ISP Settings tab to display the Dialup settings screen is TS Cour Advanced DIAL UP Status Dial up Account Account User Name lt
54. Hellman DH Group Group 2 1024 bit 4 SA Lifetime sec 28800 help XAUTH Configuration Oi Authentication Type User Database A one Username Edge Device In Password IPSec Host Figure 5 16 User Database Configuration The User Database Screen is used to configure and administer VPN Client users for use by the XAUTH server Whether or not you use an external RADIUS server you may want to have some users authenticated locally These users must be added to the User Database Configured Users table To add a new user 1 Select VPN from the main menu and VPN Client from the submenu The User Database screen will display 2 Enter a User Name This is the unique ID of a user which will be used in the User Name field of the VPN client 5 22 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 3 Enter a Password for the user and reenter the password in the Confirm Password field 4 Click Add The User Name will be added to the Configured Hosts table Policies VPN Wizard Certificates Mode Config VPN Client Connection Status UTDELT RADIUS Client Operation succeeded User Name EAR Tester y2 select all delete Add New User User Name Password Confirm Password Add Tester ococoooo ecccccee Operation succ eded User Name Tester Password eeeeeese
55. Home LAN IPs Setup link see Figure 3 2 on page 3 4 The Secondary LAN IP Setup screen will display 2 Enter the Secondary IP address and Subnet Mask and click Add The Secondary IP address will be added to the Available Secondary LAN IPs table Note Additional IP addresses cannot be configured in the DHCP server The hosts on the secondary subnets must be manually configured with IP addresses gateway IP and DNS server IP addresses Network Configuration gt WAN Settings WAN Mode Dynamic DNS LAN Setup 7 multi Home LAN IPs Se IP Address koz Jks Ja ME Subnet Mask ess ess Jess Secondary LAN IP Setup Q help IP Address Subnet Mask Action select all delete Add Secondary LAN IP Address IP Address Subnet Mask Add I H I j Figure 3 2 p amp Tip The Secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by the secondary subnet 3 4 LAN Configuration v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Managing Groups and Hosts The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices as well as hosts that are assigned dynamic IP addresses by this router Collectively these entries make up the Network Database The Network Database is created in two ways Using the DHCP Server
56. MB This month limit O MB i Traffic Counter 2 ii When Limit is reached 2 Restart Traffic Counter Now Block All Traffic Block All Traffic Except E Mail Both Directions Restart Traffic Counter at Specific Time fan a PM onthe 17 day of Month Send e mail report before restarting counter Send e mail alert i Internet Traffic Statistics Start Date Time Outgoing Traffic Volume Incoming Traffic Volume Incoming Traffic Outgoing Traffic Total Traffic volume MB Total MB MB Per Day Total MB MB Per Day Average per day of Standard Limit of this Month s Limit Figure 2 8 Connecting the FVS338 to the Internet 2 13 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 2 2 Traffic Meter Settings Parameter Description Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the Router s Broadband or Dialup port Broadband or Dialup can be selected by clicking the appropriate tap the entire configuration is specific to each interface e No Limit If this is selected specified restriction will not be applied when traffic limit is reached e Download only If this is selected the specified restriction will be applied to the incoming traffic only Both Directions If this is selected the specified restriction will be
57. Mode Auto Rollover WAN Mode WAN State UP WAN State NAT Enabled NAT Connection Type DHCP Connection Type Connection State Connected Connection State IP Address q i Router Statistics Subnet Mask Gateway The page will auto refresh in 0 seconds Primary DNS System up Time 6 Days 21 08 10 Secondary DNS hel MAC Address Pl Port Tx Pkts Rx Pkts Collisions Tx B s Rx B s Up Time Broadband 338944 385060 o 14146 31342 0 Days 01 16 28 4 LAN 2356310 429101 o 399 154 6 Days 21 09 06 Poll Interval 5 Seconds jeetinterval stop Figure 6 11 6 22 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Item System Name Firmware Version LAN Port Broadband Configuration Dialup Configuration Description This is the Account Name that you entered in the Basic Settings page This is the current software the router is using This will change if you upgrade your router Displays the current settings for MAC address IP address DHCP role and IP Subnet Mask that you set in the LAN IP Setup page DHCP can be either Server or None Indicates whether the WAN Mode is Single or Rollover and whether the WAN State is UP or DOWN If the WAN State is up it also displays NAT Enabled or Disabled Connection Type DHCP enabled or disabled e Connection State Connected or Disconnected
58. N Wizard Setting up a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely which can be a daunting task The VPN Wizard can assist in guiding you through the setup procedure by asking you a series of questions that will determine the IPSec keys and VPN policies it sets up It also will set the parameters for the network connection Security Association traffic selectors authentication algorithm and encryption The parameters used by the VPN wizard are based on the VPNC recommendations Creating a VPN Tunnel to a Gateway You can set up multiple Gateway VPN tunnel policies through the VPN Wizard You can also set up multiple remote VPN Client policies through the VPN Wizard A remote client policy can support up to 25 clients To create a VPN tunnel gateway policy using the VPN Wizard 1 Select VPN from the main menu and VPN Wizard from the submenu The VPN Wizard screen will display 2 Select Gateway as your VPN tunnel connection The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client PC to establish a secure connection to this device 3 Select a Connection Name Enter an appropriate name for the connection This name is not supplied to the remote VPN Endpoint It is used to help you manage the VPN settings 4 Enter a Pre shared Key The key must be entered both here and on the remote
59. N port networks use the VPN Wizard to configure the basic scenarios Dual WAN Port Systems The dual WAN ports in the VPN firewall can be configured for rollover mode for increased system reliability by specifying the Broadband connection with the Dialup connection as backup This WAN mode choice then impacts how the VPN features must be configured Table 5 1 IP Addressing Requirements for VPN in Dual WAN Port Systems Configuration and WAN IP address Rollover Modea Dedicated Mode VPN Road Warrior Fixed FQDN required Allowed FQDN optional client to gateway Dynamic FQDN required FQDN required VPN Gateway to Gateway Fixed FQDN required Allowed FQDN optional Dynamic FQDN required FQDN required VPN Telecommuter Fixed FQDN required Allowed FQDN optional Nae through a Dynamic FQDN required FQDN required a All tunnels must be re established after a rollover using the new WAN IP address The use of fully qualified domain names is mandatory when the WAN ports are in rollover mode Configuring the WAN Mode on page 2 15 also required for the VPN tunnels to fail over When using rollover mode you must configure a Dynamic DNS service see Configuring Dynamic DNS If Needed on page 2 16 to select and configure the Dynamic DNS service Virtual Private Networking 5 1 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Setting up a VPN Connection using the VP
60. N tunnel are manually input at each end both VPN endpoints No third party server or organization is involved e Auto Some parameters for the VPN tunnel are generated automatically by using the IKE Internet Key Exchange protocol to perform negotiations between the two VPN endpoints the Local ID Endpoint and the Remote ID Endpoint In addition a CA Certificate Authority can also be used to perform authentication see Certificates on page 5 33 To use a CA each VPN Gateway must have a Certificate from the CA For each Certificate there is both a Public Key and a Private Key The Public Key is freely distributed and is used to encrypt data The receiver then uses their Private Key to decrypt the data without the Private Key decryption is impossible CAs can be beneficial since using them reduces the amount of data entry required on each VPN Endpoint VPN Policy Operation The VPN Policies screen allows you to add additional policies either Auto or Manual and to manage the VPN policies already created You can edit policies enable or disable them or delete them entirely The rules for VPN policy use conform to 1 Traffic covered by a policy will automatically be sent via a VPN tunnel 2 The VPN tunnel is created according to the parameters in the SA Security Association 3 The remote VPN Endpoint must have a matching SA or it will refuse the connection VPN Policy Table When you use the V
61. Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Enable Traffic Meter Do you want to enable Traffic Metering on Broadband Yes O No No Limit Download only Both Directions Monthly Limit E MB Increase this month limit by MB This month limit O MB N i When Limit is reached if O Restart Traffic Counter Now Restart Traffic Counter at Specific Time fz o0 PM Mjonthe 1st day of Month O Send e mail report before restarting counter S Block All Traffic f Block All Traffic Except E Mail fal Send e mail alert Internet Traffic Statistics Start Date Time Outgoing Traffic Volume Incoming Traffic Volume Total Traffic Volume MB MB Average per day of Standard Limit of this Month s Limit Figure 6 6 Each WAN port is programmed separately WAN port shuts down once traffic limit reached An e mail can be sent Traffic Counter settings Internet Traffic Statistics e Traffic by Protocol Click this button to display Internet Traffic details The volume of traffic for each protocol will be displayed in a sub window Traffic counters are updated in MBytes scale and the counter starts only when traffic passed is at least 1 MB Router and Network Management v1 0 September 2006 6 17 FVS338 ProSafe VPN Firewall 50 Ref
62. PN Wizard you can always update the parameters through the Policies menu This PN tunnel will connect to the following peers Gateway vpn Client ii Connection Name and Remote IP Type What is the new Connection Name What is the pre shared key 12345678 Key Length 8 49 Char i End Point Information What is the Remote WAN s IP Address or Internet Name What is the Local WAN s IP Address or Internet Name 10 1 32 41 i Secure Connection Remote Accessibility What is the remote LAN IP Address fis2 Jaee Je Jue What is the remote LAN Subnet Mask Ess Jess Jess Je Figure 5 1 The IKE Policies screen will display showing the new to_fvx policy i List of IKE Policies Name Mode Local ID Remote ID Encr Auth DH action o 3DES SHA 1 Group 2 1024 bit Besit to_fux Main 10 1 32 41 10 1 0 118 select all selete add Figure 5 2 You can view the IKE parameters by clicking Edit in the Action column adjacent to the to fvs policy It should not be necessary to make any changes Virtual Private Networking 5 9 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Edit IKE Policy Add New VPN Policy Operation succeeded Policy Name to_fvx Enable XAUTH Username Direction Type Client Password T Exchange Mode O Yes No Local Identification i Peer IKE Identification 2
63. PN Wizard to set up a VPN tunnel both a VPN Policy and an IKE Policy is established and populated in both Tables on the VPN Policies screen The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN Policy and IKE Policy You can also edit exiting policies add new VPN policies directly or change the policy hierarchy to the Policy Table The Policy Table contains the following fields e Status Indicates whether the policy is enabled green circle or disabled grey circle To Enable or Disable a Policy check the radio box adjacent to the circle and click Enable or Disable as required e Name Each policy is given a unique name the Connection Name when using the VPN Wizard Client Policies are annotated by an e Type The Type is Auto or Manual as described previously Auto is used during VPN Wizard configuration 5 6 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Local IP address either a single address range of address or subnet address on your local LAN Traffic must be from or to these addresses to be covered by this policy Subnet address is the default IP address when using the VPN Wizard Remote IP address or address range of the remote network Traffic must be to or from these addresses to be covered by this policy The VPN Wizard default requires the remote LAN IP address and subnet mask for a ga
64. PTP VPN Tunnel 4 11 protocols Routing Information 1 3 Q QoS 4 2 about 4 19 managing shifting traffic mix 6 7 service levels 4 19 Quality of Service See QoS R rack mounting 1 8 RADIUS Client screen 5 24 RADIUS server configuring 5 23 RADIUS CHAP XAUTH use with 5 2 RADIUS PAP XAUTH use with 5 2 Reboot the Router 6 28 reducing traffic Block Sites 6 Service Blocking 6 1 Source MAC filtering 6 remote management 6 9 access 6 9 configuration 6 9 Reserved IP address about 3 8 Reserved IP adresses 3 8 Respond To Ping On Internet Ports Attack Checks 4 10 RFC 1349 Index 5 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual ToS 4 19 RFC 2453 RIP 3 10 RIP 1 3 about 3 10 enabling 3 11 multicasting guidelines 3 12 RIP Configuration screen 3 11 rollover 5 1 Router Status 6 22 Router Status screen 6 22 Router Upgrade 6 14 Routing Information Protocol See RIP Routing screen 3 8 rules allowing traffic 4 1 blocking traffic 4 1 service blocking 4 2 services based 4 2 S Schedule blocking traffic 4 20 rules covered by 6 2 Schedule 1 screen 4 20 Security 1 2 Trend Micro use of 3 12 Security Policy Editor screen 5 15 Self Certificate format of 5 35 Request generating 5 34 Self Certificate request submitting 5 36 Self Certificates about 5 34 Service Blocking 4 2 6 2 LAN Users 6 2 rules 6 2 WAN Users 6 2 service blocking 4 2 Services co
65. ST lt state gt L lt city gt O lt organization gt OU lt department gt CN lt device name gt In the following example C USA ST CA L Santa Clara O gt NETGEAR OU XxX CN FVS338 e From the pull down menus select the following values Hash Algorithm MD5 or SHA2 Signature Algorithm RSA Signature Key Length 512 1024 2048 Larger key sizes may improve security but may also impact performance 3 Complete the Optional fields if desired with the following information e IP Address If you have a fixed IP address you may enter it here Otherwise you should leave this field blank e Domain Name If you have a Domain name you can enter it here Otherwise you should leave this field blank e E mail Address Enter your e mail address in this field 4 Click Generate Your request will display in the Self Certificate Requests table View the request by clicking View in the Action column The Self Certificate Request screen will display 6 The Self Certificate Request data screen will display the data required for submission to the CA Copy the data in the Data to supply to CA field data into a file including all of the data contained in BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST 7 Following the instructions of the CA to complete the certificate request process Virtual Private Networking 5 35 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Referen
66. THOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE Zlib zlib h interface of the zlib general purpose compression library version 1 1 4 March 11th 2002 Copyright C 1995 2002 Jean loup Gailly and Mark Adler This software is provided as is without any express or implied warranty In no event will the authors be held liable for any damages arising from the use of this software Permission is granted to anyone to use this software for any purpose including commercial applications and to alter it and redistribute it freely subject to the following restrictions 1 The origin of this software must not be misrepresented you must not claim that you wrote the original software If you use this software in a product an acknowledgment in the product documentation would be appreciated but is not required 2 Altered source versions must be plainly marked as such and must not be misrepresented as being the original software 3 This notice may not be removed or altered from any source distribution Jean loup Gailly jloup gzip org Mark Adler madler alumni caltech edu The data format used by the zlib library is described by RFCs Request for Comments 1950 to 1952 in the files ftp ds internic net ric rfc1950 txt zlib format rfc1951 txt deflate format and rfc1952 txt gzip format v1 0 September 2006 Pr
67. The router s DHCP server will accept and respond to DHCP client requests from PCs and other network devices Every computer that is responded to will be added to the Network Database in the Known PCs and Devices table Scanning the Network The router will scan the local network periodically using standard methods such as ARP and NetBIOS to detect active computers or devices which are not DHCP clients For computers that do not support the NetBIOS protocol the name will be displayed in the known PCs and Devices table as Unknown Creating the Network Database The Network Database offers a number of advantages Generally you do not need to enter either IP address or MAC addresses Instead you can just select the desired PC or device No need to reserve an IP address for a PC in the DHCP Server All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database either by expiry inactive for a long time or by you No need to use a Fixed IP on PCs Because the address allocated by the DHCP Server will never change you don t need to assign a fixed IP to a PC to ensure it always has the same IP address MAC level Control over PCs The Network Database uses the MAC address to identify each PC or device So changing a PC s IP address does not affect any restrictions on that PC Group and Individual Control over PCs You can assign PCs to Groups and apply restrictions to eac
68. Throughput Used when the volume of data transferred during an interval is important even if the latency over the link is high The IP packets for services with this priority are marked with a ToS value of 4 e Minimize Delay Used when the time required latency for the packet to reach the destination must be low The IP packets for services with this priority are marked with a ToS value of 8 Firewall Protection and Content Filtering 4 19 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Setting a Schedule to Block or Allow Traffic If you defined an outbound or inbound rule to use a schedule you can set up a schedule for when blocking occurs or when access is restricted The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules Schedule 1 Schedule 2 or Schedule 3 To invoke rules and block keywords or Internet domains based on a schedule 1 Select Security from the main menu and Schedule from the sub menu The Schedule 1 screen will display 2 Check the radio button for All Days or Specific Days If you chose Specific Days check the radio button for each day you want the schedule to be in effect 3 Check the radio button to schedule the time of day All Day or Specific Times If you chose Specific Times enter the Start Time and End Time fields Hour Minute AM PM which will limit access during certain times for the selected days 4 Click Reset to c
69. VPN Firewall 50 Reference Manual To log in to the FVS338 once it is connected 1 Open a Web browser 2 Enter http 192 168 1 1 as the URL User Name admin Password jeeeeesee Figure 1 5 3 Once the login screen displays Figure 1 5 enter the following e admin for User Name e password for Password Introduction v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 1 10 Introduction v1 0 September 2006 Chapter 2 Connecting the FVS338 to the Internet This section provides instructions for connecting the VPN firewall Setting up VPN tunnels are covered in Chapter 5 Virtual Private Networking 1 Connect the firewall physically to your network Connect the cables turn on your router and wait for the Test LED to go out Make sure your Ethernet and LAN LEDs are lit See the FVS338 ProSafe VPN Firewall 50 Installation Guide on your Resource CD Log in to the firewall After logging in you are ready to set up and configure your firewall You can also change your password and enable remote management at this time Configure the Internet connections to your ISPs During this phase you will connect to your ISPs You can also program the WAN traffic meters at this time if desired Configure the WAN mode Select either Primary Broadband with Dialup as backup or Use only single WAN port and select the WAN port from the pull down menu either Broadband or Dial up Conf
70. address of the PC s network interface Group Each PC or device can be assigned to a single group By default a computer is assigned to Group 1 unless a different group is selected from the Group pull down menu Action Allows modification of the selected entry by clicking Edit To add computers to the network database manually 1 Select Network Configuration from the main menu and LAN Groups from the submenu The Groups and Hosts screen will display In the Add Known PCs and Devices table enter the name of the PC or device Enter the IP Address Type Select Reserved DHCP Client to direct the router to reserve the IP address for allocation by the DHCP server Select Fixed Set on PC if the IP address is statically assigned on the computer Es Note When specifying a Reserved IP address make sure that you select an IP address outside of the DHCP Server pool of addresses Enter the IP Address that this computer or device is assigned If the IP Address Type is Reserved DHCP Client the router will reserve the IP address for the associated MAC address Enter the MAC Address of the computer The MAC address should be in the form XX XX XX XX XX XX for example 00 80 48 2a 8b cO From the Group pull down menu select the group to which the computer will be assigned Click Add to add the new entry to the network database in the Known PCs and Devices table 3 6 LAN Configuration v1 0 September 2006
71. aes 3 1 Contigu unng MII LAIN UPS disisi a 3 4 Managing Groups and TIONS arsine a aaa a aai ai 3 5 Creating the Network Database acicsssscosatanctadedscssneceaiesees co duaeherecueceetpanidaceraedmeaacts 3 5 Setting Up Address Reservat secccicsssecseceeisancvadetsgarstevavan Ea 3 8 S e e EE T E A A E A O E E E EA 3 8 Stalig Roule EXAME siruen e ened ieee enaa 3 9 PAP a O aiea EAE 3 10 Enabling Trend Micro Antivirus Enforcement sseeessseeessrreseeerreserssrnssrrrnnessrrnnsssrennaes 3 12 Chapter 4 Firewall Protection and Content Filtering About Firewall SSG NY siise ene anora ice AEO 4 1 Using Rules to Block or Allow Specific Kinds of Traffic ccceseceeeeteeeeeeeeeeeeteeeeeneeeees 4 1 Sancos Based MUGS seriatua iaaa A iy iaaedbemaniadaes 4 2 Outbound Rules Service Block issiron aan 4 2 inbound Rules Port Fonwarding sessosiisssnssriessiiiviieinnianoue unenian oain 4 4 Order of Precedence for Firewall Rules ccscceescceceeeeeeeeeeeeeeeeeeeaaeeseeeeeeeeaeeeee 4 6 Setting LAN WAN FUI S greanna n an inten denen GAR 4 7 LAN WAN Outbound Services FUSS ccc nscicstcsssricianssseiseeadearencueenesimnnnascerbaeltteornss 4 8 LAN WAN Inbound Services PUSS ss cccstsessveedeedvcacds tacwtetie tances eetadiednenecennes 4 9 ARa RIS sing cis E Rasa el esi penn ERS 4 10 elect sG Pubs 222 lq cg eP ener prema nt Tr nen per nr rtter R 4 12 Hosting A Local Publie Web SENET cic cdaccianmieicctstncntciciuseeedansiasnrd
72. aieamensesecuadane 4 12 Allowing Videoconference from Restricted Addresses necenesereneennn 4 13 Setting Up One to One NAT Mapping ssssssssssosnsesseessrssssessrssssrnrsssnnossnnesnnens 4 13 PSC VITA AN Expoced HOSE sertesieaseticcrssecsssints satvestin atvacere anise A 4 15 Outbound Rules Example Blocking Instant Messenger n 4 16 Adding Customized SHNICES aisciicicticiatensevesagad cam aeivenccingiccecnunendacsanivad E a E AS 4 17 viii v1 0 September 2006 Specifying Quality of Service QOS POMS ssscescscciscnccesscctansecwiarecueneeacdiaeverewticaneaners 4 19 Setting a Schedule to Block or Allow Traffic ccceeeeceeeeeeteeeeeeeececeeeeeeeeeseeeeeeeaaeeeeens 4 20 Setting Block Sites Contenti Filtering siccciescdecesscectsicdenoasscanses iiien aiia 4 21 Enabling Soues MAG PINGING prugrissioni niaaa ead 4 23 Setoo Un PON TPR AMIN Sissi cs census kiagrada a Eia ANDE aN N 4 24 E Mail Notifications of Event Logs and Alerts osisiiissrsserisnisouisssirnsniisunnninnsinnninosisi 4 27 A ra OO a ere tren re tree crepe rerrre rere rr ert errr reer er terres 4 31 Chapter 5 Virtual Private Networking Dual WAN Pon Syste sustena aaa aa 5 1 Setting up a VPN Connection using the VPN Wizard ccccccesceeceeeeeeeeeeeeeetaeeeeeneees 5 2 Greatinga VPN Tunnel toa Gateway samessstspeieceisnrrenana mies snRNA 5 2 Creating a VPN Tunnel Connection to a VPN Client sesssssesseseessseesseesrseerreessn 5 3 IKE FOCIS ss
73. ancel your settings and revert to the previous settings 5 Click Apply to save your settings to Schedule 1 Repeat these 5 steps to set to a schedule for Schedule 2 and Schedule 3 igurat Security N I ation ionita Services Block Sites Firewall Rules Source MAC Filter Port Triggering Trend Micro UMSE Schedule 2 Schedule 3 hep Sunday Monday Do you want this schedule to be active on Tuesday Wednesday all days or specific days N Thursda Frida All Days Specific Days y y Saturday helpl Do you want this schedule to be active ae z anoo inae am g all day or at specific times during the day VES End Time 12 Hour 00 Minute PM All Day Specific Times Apply Reset Figure 4 13 4 20 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Setting Block Sites Content Filtering If you want restrict internal LAN users from access to certain sites on the Internet you can use the VPN firewall s Content Filtering and Web Components filtering By default these features are disabled all requested traffic from any Web site is allowed If you enable one or more of these features and users try to access a blocked site they will see a Blocked by NETGEAR message Several types of blocking are available Web Components blocking You can block the following Web component types Proxy Java ActiveX and Co
74. anged back to password gt and 5 minutes respectively after a factory defaults reset Enabling Remote Management Access Using the Remote Management page you can allow an administrator on the Internet to configure upgrade and check the status of your VPN firewall You must be logged in locally to enable remote management see Logging in to the VPN Firewall on page 2 1 _ Note Be sure to change the firewall default configuration password to a very secure gt password The ideal password should contain no dictionary words from any language and should be a mixture of letters both upper and lower case numbers and symbols Your password can be up to 30 characters See Changing Passwords and Settings on page 6 7 for the procedure on how to do this I TEYP Administration oring Web Suppo i ogout SNMP Settings Backup amp Upgrade Set Password Time Zone Remote Management help Everyone Be sure to change default password Allow Remote IP address range Management From Al Al To Yes Only this PC fn oi ia O No Port Number 080 Apply Figure 6 2 To configure your firewall for Remote Management 1 Select the Turn Remote Management On check box Router and Network Management 6 9 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Specify what external addresses will be allowed to access the firewall s remote management
75. applied to both incoming and outgoing traffic only Enable Monthly Limit Use this if your ISP charges for additional traffic If enabled enter the monthly volume limit and select the desired behavior when the limit is reached Note Both incoming and outgoing traffic are included in the limit Increase this month s limit Use this to temporarily increase the Traffic Limit if you have reached the monthly limit but need to continue accessing the Internet Check the checkbox and enter the desired increase The checkbox will automatically be cleared when saved so the increase is only applied once This month s limit This displays the limit for the current month Restart traffic counter Restart Counter at a Specific Time This determines when the traffic counter restarts Choose the desired time and day of the month Check this radio button to restart the Traffic Counter at a specific time and day of the month Fill in the time fields and select AM or PM and the day of the month from the pull down menus Send E mail Report before restarting counter If checked an E mail report will be sent immediately before restarting the counter You must configure the E mail screen in order for this function to work see E Mail Notifications of Event Logs and Alerts on page 4 27 When limit is reached Select the desired option Block all traffic all access to and from the Internet will be blocked e B
76. as the Holder owner of this Certificate This should be your registered business name or official company name Generally all Certificates should have the same value in the Subject field e Serial Number This is the serial number maintained by the CA It is used to identify the certificate with in the CA e Issuer Name The name of the CA which issued the Certificate e Expiry Time The date on which the Certificate expires You should renew the Certificate before it expires To use a Certificate you must first generate and request the certificate from the CA from the computer or device that will be using the CA The Certificate Signing Request CSR file must be filled out and submitted to the CA who will then generate a certificate for this device To request a Certificate from the CA 1 From the main menu under VPN select the Certificates submenu The Certificates screen will display 2 In the Generate Self Certificate Request enter the required data 5 34 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Name Enter a name that will identify this Certificate e Subject This is the name which other organizations will see as the Holder owner of the Certificate Since this name will be seen by other organizations you should use your registered business name or official company name This information must be submitted in the following format C lt country gt
77. be used to endorse or promote products derived from this software without prior written permission For written permission please contact openss I core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com v1 0 September 2006
78. blic switched telephone network PSTN e Dual WAN ports one broadband and one serial provide for increased system reliability e Support for up to 50 VPN tunnels e Easy web based setup for installation and management e URL keyword Content Filtering and Site Blocking Security e Quality of Service QoS support for traffic prioritization e Built in 8 port 10 100 Mbps switch e Extensive Protocol Support e Login capability e SNMP for manageability e Front panel LEDs for easy monitoring of status and activity e Flash memory for firmware upgrade Introduction 1 1 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Full Routing on Both the Broadband and Serial WAN Ports You can install configure and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports including e Internet access via either the serial or broadband port e Auto rollover connectivity fail over through an analog modem connected to the serial port If the broadband Internet connection fails after waiting for an pre specified amount of time the FVS338 can automatically establish a backup dial up Internet connection via the serial port on the firewall A Powerful True Firewall with Content Filtering Unlike simple Internet sharing NAT routers the FVS338 is a true firewall using stateful packet inspection to defend against hacker attacks Its firewall features inc
79. can paleusdidplaciunisedachndesitvendlendyleattadaetpaateassts 5 4 KE Paley OPEO passonuds iaa rret errr ere tren ty rrr merrr er rere 5 4 8c 9g SL 9 Sree reece tre centr pre rrete terete rer ners eke nine reer errr etre en ter iter tr 5 5 VPN POCOS ccccscivinscccnipmeisnsnsrerancienseeasianat EEEE 5 0 TE PO CS a ID A A E E E T E AE 5 6 VERLE E EMO aaa Mhlegetaes ueme bee lacdaneh newlesaetees Inddaneme ule uehne windsor 5 6 VPN Tene CORO CI SIAU psseccciasipitae dadpecsvetblisnaiea peers NAT 5 7 Creating a VPN Gateway Connection Between FVS338 and FVX538 eneee 5 8 Contiginng Me Fv BOBS cascctasecccicrntnenescvadiueescictandeiaccheaasdescensmmneddadaanieiescceanieebacecentene 5 8 COMICON ING FYXEIE ariii n nn ernie 5 11 Tesino hne CONN LM secen r E E antiaee eee 5 12 Creating a VPN Client Connection VPN Client to FVS338 00 ccceccceessesseeeeeseeeeeees 5 12 eras ITE Ne mk as 2 Pot oraaa aaa a aaa 5 13 Ganigunng ihe YPN CIERNE scaccphcsen cies pocadosetaacsaieooesedeveaarsneaiaanetepavaiounaantiecnementacecs 5 14 TOS ihe Connec sarimaniirurs anki on A ER 5 19 Extended Authentication XAUTH Configuration ssesssssessssnsssrnessnesssnssrsessnessreessens 5 20 Contiguimg XAUTH for VPN Cienie cioni asnicar ay 5 21 Usar Database Goniguiat ON aiposuiiiseiai iha SNN 5 22 RADIUS Client ConmiguratlON sesvirennaseiio nne E 5 23 Manually Assigning IP Addresses to Remote Users ModeConfig 2 eceeeeeeees 5 25 I HERNIN soannen inoia e aaa
80. ce Manual i Generate Self Certificate Request Name Tester Subject C USA ST CA L San Hash Algorithm MD5 v Signature Algorithm RSA vw Signature Key Length 512 IP Address Optional 192 168 ao Jio Domain Name Optional E mail Address Optional amp generate ii Self Certificate Requests Name Status o Tester select all delete Self Certificate Request Operation succeeded Certificate Details Subject Name Hash Algorithm signature Algorithm Key Length Data to supplyto es ea ee E E EA aise BEGIN CERTIFICATE REQUEST J MIIBLjCB2QIBADBSMQswCQYDVQQIEWJIDQTETMBEGALUEBx 4 MA4GALUECRhMHTKVUROVBUJELMAkGALUECXMCWFgxDZzANE Save to file MADGCSqGSIb3D QEBAQUAADSAMEgCQQDGNydNDSrnAoms KNSv4VebSJQrogH2hlqRYodTIgUga7SKQr3byYThwhISicqi ls BgkqhkiG9wOBCQ4xEzARMASGALUdEQQIMASHBMCoCgowLl QQBYJomIploJogPitObco3cduJIm5S CDnLHnUfoPSjfpCkNxS NSLBKWYVFL4h7jZrsIRVAbX9A euses END CERTIFICATE REQUEST Figure 5 26 To submit your Self Certificate request to a CA 1 2 3 4 Connect to the web site of the CA Start the Self Certificate request procedure When prompted for the requested data copy the data from your saved data file including BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST Submit the CA form If n
81. cess the full NETGEAR Inc online knowledge base for the product model e Links to PDF versions of the full manual and individual chapters How to Print this Manual To print this manual you can choose one of the following options according to your needs e Printing a Page from HTML Each page in the HTML version of the manual is dedicated to a major topic Select File gt Print from the browser menu to print the page contents e Printing from PDF Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files The Acrobat reader is available on the Adobe Web site at http www adobe com Printing a PDF Chapter Use the PDF of This Chapter link at the top left of any page xiv v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Click the PDF of This Chapter link at the top left of any page in the chapter you want to print The PDF version of the chapter you were viewing opens in a browser window e Click the print icon in the upper left of your browser window Printing a PDF version of the Complete Manual Use the Complete PDF Manual link at the top left of any page e Click the Complete PDF Manual link at the top left of any page in the manual The PDF version of the complete manual opens in a browser window e Click the print icon in the upper left of your browser window Q Tip If your printer supports printing two pages on a single sheet o
82. ction e Use schedule page to configure the time schedules see Setting a Schedule to Block or Allow Traffic on page 4 20 LAN users These settings determine which computers on your network are affected by this rule Select the desired options Any All PCs and devices on your LAN Single address Enter the required address and the rule will be applied to that particular PC Address range If this option is selected you must enter the start and finish fields e Groups Select the Group you wish this rule to apply to You can use the Network Database screen to assign PCs to Groups See Managing Groups and Hosts on page 3 5 WAN Users These settings determine which Internet locations are covered by the rule based on their IP address Select the desired option e Any All Internet IP address are covered by this rule e Single address Enter the required address in the start fields Address range If this option is selected you must enter the start and finish fields Firewall Protection and Content Filtering 4 3 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4 1 Outbound Rules Fields continued Item Description QoS Priority This setting determines the priority of a service which in turn determines the quality of that service for the traffic passing through the firewall By default the priority shown is that of the selected service The user
83. d through the User Database screen see User Database Configuration on page 5 22 RADIUS CHAP or RADIUS PAP depending on the authentication mode accepted by the RADIUS server to add a RADIUS server If RADIS PAP is selected the router will first check in the User Database to see if the user credentials are available If the user account is not present the router will then connect to the RADIUS server see RADIUS Client Configuration on page 5 23 Virtual Private Networking 5 21 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e IPSec Host if you want to be authenticated by the remote gateway In the adjacent Username and Password fields type in the information user name and password associated with the IKE policy for authenticating this gateway by the remote gateway 4 Click Apply to save your settings Edit IKE Policy Add New VPN Policy Operation succeeded help heip Do you want to use Mode Config Record Policy Name to_fvx O Yes no Direction Type Both Select Mode Config Record Dien selected Exchange Mode Main vi help help Identifier Type Local wan IP_ v Identifier Type Remote Wan IP Identifier Identifier help Encryption Algorithm 3DES Authentication Algorithm SHA 1 Authentication Method Pre shared key ORSA Signature Pre shared key 12345678 Key Length 8 49 Char Diffie
84. dio box This is optional the default is enabled If enabled the VPN firewall will provide a LAN IP Address for DNS address name resolution ____ Note If you change the LAN IP address of the firewall while connected through the browser you will be disconnected You must then open a new connection to the new IP address and log in again For example if you change the default IP address 192 168 1 1 to 10 0 0 1 you must enter http 10 0 0 1 in your browser to connect to the web management interface 5 Click Apply to save your settings 6 Click Reset to discard any changes and revert to the previous configuration Note Once you have completed the LAN IP setup all outbound traffic is allowed and all inbound traffic is discarded To change these traffic rules refer to Chapter 4 Firewall Protection and Content Filtering LAN Configuration 3 3 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring Multi Home LAN IPs If you have computers that are using different IP address ranges in the LAN for example 172 16 2 0 or 10 0 0 0 then you can add aliases to the LAN port which give computers on those networks access to the Internet This allows the firewall to act as a gateway to additional logical subnets on your LAN To add a secondary LAN IP address 1 Select Network Configuration from the main menu and LAN Setup from the secondary menu Click the Multi
85. e 4 3 Click Reset to cancel your settings and return to the previous settings 4 Click Apply to save your changes and reset the fields on this screen The new rule will be listed on the Outbound Services table 4 8 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Add LAN WAN Outbound Service Service Action Select Schedule LAN Users WAN Users QoS Priority Log Figure 4 3 Operation succeeded help ANY BLOCK always x Any fa Start a ae rss Finish Tf Any v stat Enh it Finish in a Normal Service v Never v C Apply Reset LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic If you have not defined any rules no rules will be listed By default all inbound traffic is blocked WAN Users Whether all WAN addresses or specific IP addresses are included in the rule To create a new inbound service rule 1 Click Add under the Inbound Services Table The Add LAN WAN Inbound Service screen will display 2 Complete the Add WAN LAN Inbound Services screen see Table 4 2 on page 4 5 Click Reset to cancel your settings and return to the previous settings Click Apply to save your changes and reset the fields on this screen The new rule will be listed on the Inbound Services table 5 Click Apply to save your settings The new rule will be
86. e Timeout Keep Connected Other PPPoE i l Idle Time 5 Minutes BigPond Cable My IP Address f yg i Server IP Address nE Internet IP Address 2 Domain Name Server DNS Servers Get Dynamically from ISP Get Automatically from ISP Use Static IP Address Use These DNS Servers IP Address fo Ho Ho jo Primary DNS Server e Jo Jo Ho IP Subnet Mask fo W p W Secondary DNS Server e Jo Jo Ho Gateway IP Address boe jo jo Figure 2 7 To manually configure your WAN1 ISP settings 1 Does your Internet connection require a login If you need to enter login information every time you connect to the Internet through your ISP select Yes Otherwise select No 2 What type of IPS connection do you use If your connection is PPPoE PPTP or BigPond Cable then you must login Check the Yes radio box The text box fields that require data entry will be highlighted based on the connection that you selected If your ISP has not assigned any login information then choose the No radio box and skip this section For example e Austria PPTP If your ISP is Austria Telecom or any other ISP that uses PPTP for login select this Then fill in the following highlighted fields Account Name also known as Host Name or System Name Enter the valid account name for the PPTP connection usually your email ID assigned by your ISP Some ISPs require entering your full email address
87. e VPN Policy are accessed which specify which IKE Policy to use 2 Ifthe VPN Policy is a Manual policy then the Manual Policy Parameters defined in the VPN Policy are accessed and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway e If negotiations fail the next matching IKE Policy is used e Ifnone of the matching IKE Policies are acceptable to the remote VPN Gateway then a VPN tunnel cannot be established 3 An IKE session is established using the SA Security Association parameters specified in a matching IKE Policy e Keys and other parameters are exchanged e An IPsec SA Security Association is established using the parameters in the VPN Policy The VPN tunnel is then available for data transfer 5 4 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual IKE Policy Table When you use the VPN Wizard to set up a VPN tunnel an IKE Policy is established and populated in the Policy Table and is given the same name as the new VPN connection name You can also edit exiting policies or add new IKE policies directly on the Policy Table Screen Each policy contains the following data Name Uniquely identifies each IKE policy The name is chosen by you and used for the purpose of managing your policies it is not supplied to the remote VPN Server If the Policy is a Client Policy it will be prepended by an Mode Two m
88. e WAN IP Address e Subnet Mask e Gateway Address e Primary and Secondary DNS Server Addresses e MAC Address Displays the same details as for WAN1 Configuration Note The Router Status screen displays current settings and statistics for your router As gt this information is read only any changes must be made on other pages Monitoring WAN Ports Status You can monitor the status of both of the WAN connections the Dynamic DNS Server connections and the DHCP Server connections Select Network Configuration from the main menu and WAN Settings from the submenu The Broadband ISP Settings screen will display Click the Broadband Status link to obtain status on the Broadband port Select the Dialup ISP Settings tab and click the Dialup Status link to obtain status on the Dialup port Router and Network Management 6 23 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual ssaneieiaiieneieieieiaieiaiieiieeieieniennieies rererere EEIEIEE TEE EEIEIEE EEEE EEEE EEEE EEEE Network Configuration urii 1 N i ation onii I eb Sup l WAN Mode Dynamic DNS LAN Setup LAN Groups Routing a GET EUS ELE tE Dialup ISP Settings 8 Advanced 8 Broadband Status DHCP Server Detected i ISP Login help Does Your Internet Connection Require a Login Login i Connection Status O Yes No Password Connection Time 0 Days 00 11 33 i ISP Type Connection Type DHCP Account Name Connection Sta
89. e a aA a Nai 5 26 Senio Hp MOTEGINI rsio S 5 26 v1 0 September 2006 Configuring the ProSafe VPN Client for ModeConfig ce eeesecneeseeeereeteeeeereees 5 30 B Petter caus tsetse seul opts aa ane Gt eda a Ss Seale eater depart A utenahuny 5 33 Trusted Certificates CA Certificates 0 cccccececceceseeceseeeeeeaeeeeeeeeeeaaeeeeeeeeesiaaeeteaes 5 33 SGN ORCE sa a maintenant 5 34 Managing your Certificate Revocation List CRL sessseesseesseesseessrssrrsssrrssrnrsess 5 37 Chapter 6 Router and Network Management FF UO ied Managemen conrannannaiei mauacmn sen ielieeenadenieewiaenaats 6 1 VPN Firewall Features That Reduce Traffic cccccceeeeseecceeeeeeeeeeeeeeeneeeneeeeeneenees 6 1 RU BIEK sponsis tlanaiiiwe cn sauivanasiuninden aa talent 6 2 BOCK OS saor cedereviiaressd oncateaareauar enero ane aaet ae ete 6 3 ree MAG FREMI giarra a qatar E inane 6 4 VPN Firewall Features That Increase Traffic cccecccseeeesseccceeeeeeeceeeeeeeeceeeeneneeee 6 4 Pon FONRO sinaia a 6 4 POT O ener ree rece err emer re errr cr recr rrr ater tater ere Treen Te 6 6 ee Me cis eet epeeeeeeer reer peer eter enter reer ner err tee cfr errrentrnr errr ctrrrrt rreerir treet i rrrrcert ttre 6 6 Using QoS to Shin We THAME MIK srneci sraao 6 7 Tools for Traffic Management erososiesrivircesirooek inienn aaa i a 6 7 P AON aain R aes 6 7 Ghanging Passwords and Settings sriwsiieniisissiirsisrhin n Din Na 6 7 Enabling Remo
90. e will create a single set of policies IKE and VPN that will allow up to 50 remote PCs to connect from locations in which their IP addresses are unknown in advance The PCs may be directly connected to the Internet or may be behind NAT routers If more PCs are to be connected an additional policy or policies must be created Each PC will use the NETGEAR VPN Client Since the PC s IP address is assumed to be unknown the PC must always be the Initiator of the connection This procedure was developed and tested using e NETGEAR ProSafe VPN Firewall 50 FVS338 e NETGEAR ProSafe VPN Client e NAT router NETGEAR FR114P Configuring the FVS338 To configure the FVS338 using the VPN Wizard 1 Select VPN from the main menu The Policies screen will display Click the VPN Wizard link The VPN Wizard screen will display 2 Check the VPN Client radio box to establish a remote VPN client 3 Give the new connection a name such as home 4 Enter a value for the pre shared key 5 Click Apply The VPN Policies screen will display showing a VPN Client policy named home Select the VPN Policies tab to display the corresponding home VPN Policy _____ Note When XAuthentication XAUTH is enabled incoming VPN connections are authenticated against the FVS338 Network Database first then if configured a RADIUS server is checked Virtual Private Networking 5 13 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Refere
91. eet inn aaa A OA 1 5 POUT IP PAVE Ur cali csrss treo iceistacge coataiotae econ neseinceitanetuatgeat dene te tautaamnceliseanetuete tauseeueecoanctaels 1 6 Rouler Rear PR BIW sisien ean 1 7 Rack Mounting PUI os crash sa caesasusssacedneniicccsuaunsddansibus EEE aaa 1 8 PP tice DOUN LOAN 3 5 acc otsee cca iannee es aecuad ecb laams cee thcuge nce eluates paca des racatae seme 1 8 Chapter 2 Connecting the FVS338 to the Internet Connecting the VPN Firewall to Your Network 0 cccccceeeeceececeeeeeeneeeeeaaeeeeeeeeeeaeeeeeneees 2 1 Logging into the VPN Firewall os focessziaiatesceecunecssernaglakecanuionuesss moclan imine ations 2 1 Contiguring Your Interet Connection sirsie niidina iR 2 2 Setting the Router s MAC Address Advanced Options e seeseeesesseesssressseeee 2 7 vii v1 0 September 2006 Manually Configuring Your Internet Connection cceceeeeeeeeeeeeeeeeeeeeeeeteaeeeteneeeeees 2 9 Programming the Traffic Meter if Desired 2 0 2 0 cesses eeeeeeeeeeeeeeeeeneeteeeeeneeees 2 12 Gonigurng Me WAN MOOS ser cena cat deweenmaanucaacnncadaawoia oneal oat twpuacaauna cia ddagtbeceaneatesmancens 2 15 Gorniguring Dynamic DNS f Needed is ncteccssssrsisaannisinacninv matali eienniaren 2 16 Chapter 3 LAN Configuration Configuring Your LAN Local Area Network ccecccecseeeeceeeeeeeeeeeeeeeeeeseeeeeeeaeeteaeeees 3 1 Using the VPN Firewall as a DHCP Server 0 0 cecccececeeeeeeeeeeeeeeeeeeaaeeeeceeeeeneeeee
92. elect Domain name and enter the FQDN of the VPN firewall in this example it is local_id com Select Gateway IP Address from the second pull down menu and enter the WAN IP address of the VPN firewall in this example it is 172 21 4 1 Security Policy Editor NETGEAR ProSafe VPN Client Behe File Edit Options Help iB e o x ta NETGEAR N Network Security Policy J My Connections Connection Security modecfg_test Secure Only Connect Manually Fp Other Connections E C Non secure C Block Remote Party Identity and Addressing ID Type IP Subnet hd Subnet 192 168 2 1 Mask 255 255 255 0 Protocol All v Pot il Connect using Secure Gateway Tunnel z ID Type Domain Name Z Gateway IP Address v local_id com 172 21 4 1 Figure 5 21 2 From the left side of the menu click My Identity and enter the following information a Click Pre Shared Key and enter the key you configured in the FVS338 IKE menu 5 30 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual b From the Select Certificate pull down menu select None c From the ID Type pull down menu select Domain Name and create an identifier based on the name of the IKE policy you created for example salesperson11 remote_id com d Under Virtual Adapter pull down menu select Preferred The Internal Network IP Address should be 0 0 0 0
93. ems C Serial Line Speed Select the baud rate with which the serial port of the router and the modem connect Available speeds range from 4 8Kbps to 460 8Kbps Modem Type If your modem type is listed in the pull down menu select it For most 56Kbps modems the U S Robotics 56K FAX EXT PnP selection should work If this does not work select User Defined Modem and type in the Initial String for your modem The Initial string is usually defined in the modem s user manual Dial up Type Check the Tone radio box if your phone line supports touch tone dialing select Pulse for pulse mode dialing Select Other use Dial String to configure additional options such as Auto Answer etc consult your modem manual for dial strings 2 6 Connecting the FVS338 to the Internet v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Set up the traffic meter for the Dialup ISP if desired see Programming the Traffic Meter if Desired on page 2 12 Note The response time of your serial port Internet connection will be slower e than a broadband Internet connection _ Tip If you experience connectivity problems with the Dialup ISP try a different baud rate setting and ensure that the modem parameters you selected match the modem connected to the FVS338 TIA Tris Setting the Router s MAC Address Advanced Options Each computer or router on your network has a unique 4
94. enable Content Filtering Check the radio boxes of any Web Components you wish to block Check the radio buttons of the groups to which you wish to apply Keyword Blocking Click Enable to activate Keyword blocking or disable to deactivate Keyword Blocking Firewall Protection and Content Filtering 4 21 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 5 Build your list of blocked Keywords or Domain Names in the Blocked Keyword fields After each entry click Add The Keyword or Domain name will be added to the Blocked Keywords table You can also edit an entry by clicking Edit in the Action column adjacent to the entry 6 Build a list of Trusted Domains in the Trusted Domains fields After each entry click Add The Trusted Domain will appear in the Trusted Domains table You can also edit any entry by clicking Edit in the Action column adjacent to the entry Click Reset to cancel your changes and revert to the previous settings Click Apply to save your settings i Content Filtering Turn Content Filtering On O Yes No i Web Components Proxy Java Activex Cookies J Apply Keyword Blocking to 1 Group Name G Grou Gi Grou Groups Groups Group o e o o ololo Groups select all enable Oo disable Blocked Keywords Blocked Keyword Action QO select at delete Add Blocked Keyword
95. ents to a VPN gateway router an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients Although the administrator could configure a unique VPN policy for each user it is more convenient for the VPN gateway router to authenticate users from a stored list of user accounts XAUTH provides the mechanism for requesting individual authentication information from the user and a local User Database or an external authentication server such as a RADIUS server provides a method for storing the authentication information centrally in the local network XAUTH is enabled when adding or editing an IKE Policy Two types of XAUTH are available e Edge Device If this is selected the router is used as a VPN concentrator where one or more gateway tunnels terminate If this option is chosen you must specify the authentication type to be used in verifying credentials of the remote VPN gateways User Database RADIUS PAP or RADIUS CHAP e IPSec Host If you want authentication by the remote gateway enter a User Name and Password to be associated with this IKE policy If this option is chosen the remote gateway must specify the user name and password used for authenticating this gateway 5 20 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Note If a RADIUS PAP server is enabled for authentication XAUTH will first check the _ gt
96. enu The Firewall Logs amp E mail screen will display 2 Enter the name of the log in the Log Identifier field Log Identifier is a mandatory field used to identify the log messages The ID appended to log messages 3 Enter a Schedule for sending the logs From the Unit pull down menu select Never Hourly Daily or Weekly Then fill in the Day and Time fields that correspond to your selection 4 28 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 4 Inthe Security Logs section check the network segments radio box for which you would like logs to be sent for example LAN to WAN under Dropped Packets In the System Logs section check the radio box for the type of system events to be logged 6 Check the Yes radio box to enable E mail Logs Then enter a E mail Server address Enter the outgoing E mail SMTP mail server address of your ISP for example 172 16 1 10 If you leave this box blank no logs will be sent to you b Return E mail Address Enter the e mail address of the user c Send To E mail Address Enter the e mail address where the logs and alerts should be sent You must use the full e mail address for example ChrisX Y myISP com 7 The No Authentication radio box is checked by default If your SMTP server authenticates users uncheck the radio box by selecting the authentication type either Login Plain
97. er supplied by NETGEAR for this product If the error persists you have a hardware problem and should contact technical support Troubleshooting 7 1 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual LEDs Never Turn Off When the firewall is turned on the LEDs turns on for about 10 seconds and then turn off If all the LEDs stay on there is a fault within the firewall If all LEDs are still on one minute after power up e Cycle the power to see if the firewall recovers e Clear the firewall s configuration to factory defaults This will set the firewall s IP address to 192 168 1 1 This procedure is explained in Restoring the Default Configuration and Password on page 7 7 If the error persists you might have a hardware problem and should contact technical support LAN or Internet Port LEDs Not On If either the LAN LEDs or Internet LED do not light when the Ethernet connection is made check the following e Make sure that the Ethernet cable connections are secure at the firewall and at the hub or workstation e Make sure that power is turned on to the connected hub or workstation e Be sure you are using the correct cable When connecting the firewall s Internet port to a cable or DSL modem use the cable that was supplied with the cable or DSL modem This cable could be a standard straight through Ethernet cable or an Ethernet crossover cable Troubleshooting the Web Configuration Int
98. erence Manual dmini f Monitoring Diagnostics Firewall Logs amp E mail VENoos a Dialup Traffic Meter 8 Traffic by Protocol Broadband Traffic Meter help No Limit Start Do you want to enable Traffic Metering on Date Broadband End Date Mont Yes 0 No J Incoming Traffic Outgoing Traffic Increase this month Protocol t Total MB MB Per Day Total MB MB Per Day This mo l Email o 0 o o HTTP oO 0 0 o help i Others o o o o O Restart Traffic Counter Now Block All Traffic j T ji T Total o 0 o o Restart Traffic Counter at Specific Time O Block all Traffic E 12 o0 PM v onthe ist day of Month ED S nd e mail alert Ginn MI Send e mail renort hefnre ractartinn enuunter Figure 6 7 Setting Login Failures and Attacks Notification Figure 6 8 shows the Firewall Logs amp E mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs amp E mail from the submenu You can send a System log of firewall activities to an email address or a log of the firewall activities can be viewed saved to a syslog server and then sent to an email address You can view the logs by clicking View Logs 6 18 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Firewall Logs amp E mail KI View Log i Send logs according to this schedule Log Options n Firewall L
99. erence Manual NETS Policy Editor NETGEAR ProSafe VPN Client xE Network Security Policy J My Connections GB modeffg_test G My Identity a Security Policy E Authentication Phase 1 Proposal 1 Y Key Exchange Phase 2 Bh to_fdvg Qy Other Connections Figure 5 23 NETGEAR N Authentication Method and Algorithms Authentication Method Pre Shared Key X Encryption and Data Integrity Algorithms Encrypt Alg Triple DES Zi Hash4lg SHAA z Seconds SA Life Seconds _ 3600 Key Group Diffie Hellman Group2 v 5 Click on Key Exchange Phase 2 on the left side of the menu and select Proposal 1 Enter the values to match your configuration of the VPN firewall ModeConfig Record menu The SA Lifetime can be longer such as 8 hours 28800 seconds NI Security Policy Editor NETGEAR ProSafe VPN Client File Edit Options Help Bal gt i Network Security Policy My Connections B modetfg_test NETGEAR S IPSec Protocols Seconds KBytes G My Identity SA Life a Security Policy E Authentication Phase 1 Seconds x Compression None v Key Exchange Phase 2 IV Encapsulation Protocol ESP BZ Proposal 1 EnerptAlg Triple DES ad d tofdvg Hash Alg SHA 1 i e3 Other Connections Encapsulation Tunnel gt z T Authentication Protocol 4H Proposal 1 mam Figure 5 24 6 Click the Save icon to save the Security Policy and close the VPN P
100. erface If you are unable to access the firewall s Web Configuration interface from a PC on your local network check the following e Check the Ethernet connection between the PC and the firewall as described in the previous section 7 2 Troubleshooting v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Make sure your PC s IP address is on the same subnet as the firewall If you are using the recommended addressing scheme your PC s address should be in the range of 192 168 0 2 to 192 168 0 254 Note If your PC s IP address is shown as 169 254 x x Recent versions of Windows and gt MacOS will generate and assign an IP address if the computer cannot reach a DHCP server These auto generated addresses are in the range of 169 254 x x If your IP address is in this range check the connection from the PC to the firewall and reboot your PC If your firewall s IP address has been changed and you don t know the current IP address clear the firewall s configuration to factory defaults This will set the firewall s IP address to 192 168 1 1 This procedure is explained in Restoring the Default Configuration and Password on page 7 7 _ Tip If you don t want to revert to the factory default settings and lose your 3 configuration settings you can reboot the router and use sniffer to capture packets sent during the reboot Look at the ARP packets to locate the router s L
101. erver before giving up Click Reset to cancel any changes and revert to the previous settings 10 Click Apply to save the settings Note The Authentication Protocol usually PAP or CHAP is configured in the s XAUTH section of the VPN Client screen 5 24 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Network Configuration 2 VPN ation onii eb i Policies VPN Wizard Certificates Mode Config PN Client Connection Status User Database EE UENIG help E E Do you want to enable a Primary RADIUS Primary Server IP Address ri i Server Secret Phrase O Yes No Primary Server NAS Identifier help Do you want to enable a Backup RADIUS Backup Server IP Address d l Server Secret Phrase O Yes No Backup Server NAS Identifier help Time out period 30 Sec Maximum Retry Count 4 Figure 5 18 Manually Assigning IP Addresses to Remote Users ModeConfig To simply the process of connecting remote VPN clients to the FVS338 the ModeConfig module can be used to assign IP addresses to remote users including a network access IP address subnet mask and name server addresses from the router Remote users are given IP addresses available in secured network space so that remote users appear as seamless extensions of the network In the following example we configured the VPN firewall using ModeConfig and t
102. es To view the Firewall logs 1 Click on the View Log icon opposite the Firewall Logs amp E mail tab The Logs screen will display 2 If the E mail Logs options as been enabled you can send a copy of the log by clicking send log 3 Click refresh log to retrieve the latest update and click clear log to delete all entries Log entries are described in Table 4 4 Router Status Traffic Meter Diagnostics Firewall Logs amp E mail FYS338 Log Identifier No Data Available Accepted Packets Droppeq C LAN to WAN C LAN to C WAN to LAN C WAN to refresh wa clear log E send log Figure 4 19 4 30 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4 4 Log Entry Descriptions Field Description Date and Time The date and time the log entry was recorded Description or Action The type of event and what action was taken if any Source IP The IP address of the initiating device for this log entry Source port and The service port number of the initiating device and whether it originated from the interface LAN WAN or DMZ Destination The name or IP address of the destination device or Web site Destination port and The service port number of the destination device and whether it s on the LAN interface WAN or DMZ Administrator Information
103. escriptions Object Activity Description Power LED On Green Power is supplied to the router Off Power is not supplied to the router Test LED On Amber Test mode The system is initializing or the initialization has failed Blinking Amber Writing to Flash memory during upgrading or resetting to defaults Off The system has booted successfully MDM LED On Green The serial port has successfully connected to an ISP and received an IP Address Blinking Green Server data is being transmitted or received by the serial port Off The serial port has no link Internet Link Act LED LEDs On Green The WAN port has detected a link with a connected Ethernet device Blinking Green Data is being transmitted or received by the WAN port Off The WAN port has no link 100 LED On Green The WAN port is operating at 100 Mbps Off The WAN port is operating at 10 Mbps 1 6 Introduction v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 1 1 Object Descriptions continued Object Activity Description Local LEDs _ Link Act LED On Green The LAN port has detected a link with a connected Ethernet device Blinking Green Data is being transmitted or received by the LAN port Off The LAN port has no link 100 LED On Green The LAN port is operating at 100 Mbps Off The LAN port is operating at 10 Mbps Router Rear Panel The rear panel of the ProSafe VPN Firewall 50 Figure 1 2 contains
104. evice will always receive the same IP address each time it accesses the firewall s DHCP server Reserved IP addresses should be assigned to servers or access points that require permanent IP settings The Reserved IP address that you select must be outside of the DHCP Server pool To reserve an IP address use the Groups and Hosts screen under the Network Configuration menu LAN Groups submenu see Creating the Network Database on page 3 5 Note The reserved address will not be assigned until the next time the PC contacts the gt firewall s DHCP server Reboot the PC or access its IP configuration and force a DHCP release and renew Configuring Static Routes Static Routes provide additional routing information to your firewall Under normal circumstances the firewall has adequate routing information after it has been configured for Internet access and you do not need to configure additional static routes You must configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network To add or edit a Static Route 1 Select Network Configuration from the main menu and Routing from the submenu The Routing screen will display 2 Click Add The Add Static Route screen will display Enter a name for the static route in the Route Name field for identification purpose only 4 Determine whether the route is e Active or Inactive A route can be added to the tab
105. ewall In this case you must define a static route telling your firewall that 134 177 0 0 should be accessed through the ISDN firewall at 192 168 1 100 In this example e The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134 177 x x addresses e The Gateway IP Address fields specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192 168 1 100 e A Metric value of 1 will work since the ISDN firewall is on the LAN e Private is selected only as a precautionary security measure in case RIP is activated RIP Configuration RIP Routing Information Protocol RFC 2453 is an Interior Gateway Protocol IGP and is commonly used in internal networks It allows a router to exchange its routing information automatically with other routers and allows it to dynamically adjust its routing tables and adapt to changes in the network RIP is disabled by default 3 10 LAN Configuration v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Network Configuration RIP Direction RIP Version Disabled Authentication for RIP 2B 2M First Key Parameters MDS Key Id MDS Auth Key Length 16 Char Not Valid Before Authentication for RIP 2B 2M required Not Valid after M O Yes No Second Key Paramet MD5 Key Id MDS5 Auth Key Length 16 Char MM DD YvYY HH MM ss LH O H
106. example a packet that is sent with destination port number 80 is an HTTP Web server request The service numbers for many common protocols are defined by the Internet Engineering Task Force IETF and published in RFC1700 Assigned Internet Protocol Numbers Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application Although the FVS338 already holds a list of many service port numbers you are not limited to these choices Use the Services menu to add additional services and applications to the list for use in defining firewall rules The Services menu shows a list of services that you have defined as shown in Figure 4 12 To define a new service first you must determine which port number or range of numbers is used by the application This information can usually be determined by contacting the publisher of the application or from user groups of newsgroups When you have the port number information you can enter it on the Services screen Firewall Protection and Content Filtering 4 17 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual etwo ont ation Security I dministrai I oring Web Suppo i o Schedule Block Sites Firewall Rules Source MAC Filter Port Triggering Trend Micro Services Operation succeeded t help Name Type Start Port Finish Port Priority cian O ss memos TCP 20 20 Normal Servi N edit
107. f paper you can A save paper and printer ink by selecting this feature Revision History Part Number Version Description Number 202 10046 02 1 0 Product update New firmware and new user Interface XV v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual xvi v1 0 September 2006 Chapter 1 Introduction The ProSafe VPN Firewall 50 with 8 port switch connects your local area network LAN to the Internet through an external access device such as a cable modem or DSL modem The FVS338 is a complete security solution that protects your network from attacks and intrusions For example the FVX538 provides support for Stateful Packet Inspection Denial of Service DoS attack protection and multi NAT support The VPN firewall supports multiple Web content filtering options plus browsing activity reporting and instant alerts both via e mail Network administrators can establish restricted access policies based on time of day Website addresses and address keywords and share high speed cable DSL Internet access for a local network The FVS338 is a plug and play device that can be installed and configured within minutes Key Features The VPN firewall provides the following features e One 10 100 Mbps port for an Ethernet connection to a broadband WAN device such as a cable modem or DSL modem and one serial port for a dial up modem connection to the Internet through the pu
108. ferent from the IP address range used on the local LAN 8 Click Apply to save your settings the VPN Policies table will display showing your VPN policy You can click the IKE Policies tab to view the corresponding IKE Policy Creating a VPN Tunnel Connection to a VPN Client You can set up multiple Gateway VPN tunnel policies through the VPN Wizard Multiple remote VPN Client policies can also be set up through the VPN Wizard by changing the default End Point Information settings A remote client policy can support up to 25 clients The remote clients must configure the Local Identity field in their policy as PolicyName lt X gt fvs_remote com where X stands for a number from 1 to 25 As an example if the client type policy on the router is configured with home as the policy name and if two users are required to connect using this policy then the Local Identity in their policy should be configured as home1 fvs_remote com and home2 fvs_remote com respectively To create a VPN Client Policy using the VPN Wizard 1 Select VPN from the main menu and VPN Wizard from the submenu The VPN Wizard screen will display 2 Select VPN Client as your VPN tunnel connection The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client PC to establish a secure connection to this device 3 Select a Connection Name Enter an appropriate name for the
109. fore the router rolls over to the Dialup port The default is 4 7 Enter Apply to save your settings or Cancel to revert to the previous settings Configuring Dynamic DNS If Needed gt Note If your ISP assigns a private WAN IP address such as 192 168 x x or 10 x x x the dynamic DNS service will not be available since private addresses cannot be routed on the Internet Dynamic DNS DDNS is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names To use DDNS you must setup an account with a DDNS provider such as DynDNS org TZO com or Iego net Once you have registered your domain name to their IP address all FQDN traffic will be directed to your frequently changing IP address For rollover mode you will need a fully qualified domain name to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address 2 16 Connecting the FVS338 to the Internet v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual This router firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address so that the services running on this network can be accessed by others on the Internet After you have configured your account information in the firewall whenever your ISP assigned IP address changes your firewall will automatically contact your dynamic DNS
110. gh which this route is accessible 8 Enter the Gateway IP Address which must be a firewall on the same LAN segment as the firewall of the gateway through which the destination host or network can be reached 9 Enter the Metric value that determines the priority of the route If multiple routes to the same destination exist the route with the lowest metric is chosen Usually a setting of 2 or 3 works but if this is a direct connection set it to 1 10 Click Apply to save the static route to the Static Routes table Static Route Example For example a static route is needed if Your primary Internet access is through a cable modem to an ISP LAN Configuration 3 9 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e You have an ISDN firewall on your home network for connecting to the company where you are employed This firewall s address on your LAN is 192 168 1 100 e Your company s network is 134 177 0 0 When you first configured your firewall two implicit static routes were created A default route was created with your ISP as the gateway and a second static route was created to your local network for all 192 168 1 x addresses With this configuration if you attempt to access a device on the 134 177 0 0 network your firewall will forward your request to the ISP The ISP forwards your request to the company where you are employed and the request will likely be denied by the company s fir
111. h Group using the Firewall Rules screen see Services Based Rules on page 4 2 You can also select the Groups to be covered by the Block Sites feature see Setting Block Sites Content Filtering on page 4 21 If necessary you can also create Firewall Rules to apply to a single PC see Enabling Source MAC Filtering on page 4 23 Because the MAC address is used to identify each PC users cannot avoid these restrictions by changing their IP address LAN Configuration 3 5 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual A computer is identified by its MAC address not its IP address Hence changing a computer s IP address does not affect any restrictions applied to that PC This Known PCs and Devices table lists entries in the Network Database For each computer or device the following fields are displayed Name The name of the PC or device For computers that do not support the NetBIOS protocol this will be listed as Unknown you can edit the entry manually to add a meaningful name If the computer was assigned an IP address by the DHCP server then the Name will be appended by an asterisk IP Address The current IP address of the computer For DHCP clients of the router this IP address will not change If a computer is assigned a static IP addresses you will need to update this entry manually if the IP address on the computer has been changed MAC Address The MAC
112. he Default rule Select the desired time schedule i e Schedule1 Schedule2 or Schedule3 that will be used by this rule This drop down menu gets activated only when BLOCK by schedule otherwise Allow or ALLOW by schedule otherwise Block is selected as Action Use schedule page to configure the time schedules This LAN address determines which computer on your network is hosting this service rule You can also translate this address to a port number Translate to Port Number WAN Users Check the Translate to Port Number and enter a port number if you want to assign the LAN Server to a specific port These settings determine which Internet locations are covered by the rule based on their IP address Select the desired option e Any All Internet IP address are covered by this rule Single address Enter the required address in the start fields Address range If this option is selected you must enter the start and finish fields WAN Destination IP Address These settings determine the destination IP address applicable to incoming traffic This is the public IP address that will map to the internal server it can either be the address of the WAN1 or WAN2 ports or another public IP address QoS Priority This setting determines the priority of a service which in turn determines the quality of that service for the traffic passing through the firewall By default the priority
113. he ISP when a connection is needed or can be configured to wait for manual intervention a Check the Connect automatically disconnect after idle for __ min radios box for the modem to connect automatically Specify the idle minute amount The router will connect whenever an outbound connection request is made from a computer on the LAN The connection will be terminated if there is no data transfer during the specified time interval Check the Connect and disconnect manually radio box to disable auto dialing and allow manual control over connecting via dial up To connect manually click the DIAL Up Status link at the top and then click Connect or Disconnect Internet IP Address DialUp ISPs usually assign the IP address automatically when connecting a The default setting of Get Dynamically from ISP will configure the router to accept the ISP assigned IP address If your ISP has assigned a static IP address select the Use Static IP Address radio box and enter the IP address in the IP Address field Check the Get Automatically From ISP radio box to use ISP assigned DNS server addresses default To use different DNS addresses check the Use These DNS Servers radio box and type in the DNS server IP addresses in the Primary DNS Server and Secondary DNS Server optional fields Click Apply to save your settings or Cancel to revert to the previous settings Enter any modem specific parameters to tune the router for different mod
114. he rule based on their IP address Any The rule applies to all Internet IP address Single address The rule applies to a single Internet IP address Address range The rule is applied to a range of Internet IP addresses Services You can specify the desired Services or applications to be covered by this rule If the desired service or application does not appear in the list you must define it using the Services menu see Services Based Rules on page 4 2 Schedule You can specify whether the rule is to be applied on the Schedule 1 Schedule 2 or Schedule 3 time schedule see Setting a Schedule to Block or Allow Traffic on page 4 20 6 2 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual See Using Rules to Block or Allow Specific Kinds of Traffic on page 4 1 for the procedure on how to use this feature Services The Rules menu contains a list of predefined Services for creating firewall rules If a service does not appear in the predefined Services list you can define the service The new service will then appear in the Rules menu s Services list See Services Based Rules on page 4 2 for the procedure on how to use this feature Groups and Hosts You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic The Network Database is an automatically maintained list of all known PCs and network de
115. heck the Yes radio button b Input MDS keys and effective and end dates for the First Key Parameters and Second Key Parameters for MDS based authentication between routers 6 Click Apply to save your settings _____ Note Multicasting can reduce the load on non router machines because they do _ gt not listen to the RIP multicast address and will not receive the RIP packets However if one router uses multicasting then all routers on your network must use multicasting For RIP 2B and RIP 2M you can select the type of authentication as NONE or MDS If you select MD5 then you need to enter additional parameters Enabling Trend Micro Antivirus Enforcement If you have installed the Trend Micro Client Server Messaging Suite for SMB on your local network the firewall can enforce antivirus scanning When Antivirus Enforcement is selected local PCs will not be allowed web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions To enable Trend Micro Antivirus Enforcement 1 Select Security from the main menu and Trend Micro from the submenu The Trend Micro screen sill display 2 Check the Yes radio box for Do you want to enable antivirus Enforcement 3 12 LAN Configuration v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 3 Enter the IP address of the OfficeScan Server on your local network 4 Enter the 5 digit port number u
116. hen configured a PC running ProSafe VPN Client software using these IP addresses e NETGEAR ProSafe VPN Firewall 50 WAN IP address 172 21 4 1 LAN IP address subnet 192 168 2 1 255 255 255 0 e NETGEAR ProSafe VPN Client software IP address 192 168 1 2 Virtual Private Networking 5 25 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual ModeConfig Operation After IKE Phase 1 is complete the VPN connection initiator remote user client asks for IP configuration parameters such as IP address subnet mask and name server addresses The ModeConfig module will allocate an IP address from the configured IP address pool and will activate a temporary IPSec policy using the template security proposal information configured in the ModeConfig record Note After configuring a Mode Config record you must go to the IKE Policies menu gt and configure an IKE policy using the newly created Mode Config record as the Remote Host Configuration Record The VPN Policies menu does not need to be edited Setting Up ModeConfig Two menus must be configured the ModeConfig menu and the IKE Policies menu To configure the ModeConfig menu 1 Select VPN from the main menu and Mode Config from the submenu The Mode Config screen will display 2 Click Add The Add Mode Config Record screen will display Enter a descriptive Record Name such as Remote Users 4 Assign at least one range of IP Pool addres
117. here 2 10 Connecting the FVS338 to the Internet v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 3 Domain Name Your domain name or workgroup name assigned by your ISP or your ISPs domain name You may leave this field blank Idle Timeout Check the Keep Connected radio box to keep the connection always on To logout after the connection is idle for a period of time select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field This is useful if your ISP charges you based on the amount of time you have logged in My IP Address IP address assigned by the ISP to make the connection with the ISP server Server IP Address IP address of the PPTP server Other PPPoE If you have installed login software such as WinPoET or Enternet then your connection type is PPPoE Select this connection and configure the following fields Account Name Valid account name for the PPPoE connection Domain Name Name of your ISPs domain or your domain name if your ISP has assigned one You may leave this field blank Idle Timeout Select Keep Connected to keep the connection always on To logout after the connection is idle for a period of time select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field BigPond Cable If your ISP is Telstra BigPond Cable select this option and fill in the Login Server and Idle Timeout fields The Login Se
118. his SA Tx Packets The number of IP packets transmitted over this SA State The current status of the SA Phase 1 is Authentication phase and Phase 2 is Key Exchange phase Action Use this button to terminate build the SA connection if required VPN Logs The VPN Logs screen gives log details for recent VPN activity Select Monitoring from the main menu and VPN Logs from the submenu to view the VPN Logs You can refresh the log display to view the most recent entries or clear the log display to delete all the log entries I AG Admin at Web Support Logout Router Status Traffic Meter Diagnostics Firewall Logs amp E mail PN Logs help 2006 07 06 19 53 41 INFO racoon 20001216 20001216 sakane kame net 2006 07 06 19 53 41 INFO This product linked OpenSSL 0 9 7c 30 Sep 2003 http 2006 07 06 19 53 42 NOTIFY NAT T is enabled autoconfiguring ports 2006 07 06 19 53 42 INFO 10 1 32 41 500 used as isakmp port fd 7 2006 07 06 19 53 42 INFO 10 1 32 41 4500 used as isakmp port fd 8 2006 07 06 19 53 42 INFO 10 1 32 41 4500 used for NAT T 2006 07 06 19 53 42 INFO 192 168 1 1 500 used as isakmp port fd 9 2006 07 06 19 53 42 INFO 192 168 1 1 4500 used as isakmp port fd 10 2006 07 06 19 53 42 INFO 192 168 1 1 4500 used for NAT T 2006 07 06 19 53 42 INFO 127 0 0 1 500 used as isakmp port fd 11 2006 07 06 19 53 42 INFO 127 0 0 1 4500 used as isakmp port fd 12 2006 07 06 19 53 42 INFO
119. his manual uses the following formats to highlight special messages Note This format is used to highlight information of importance or special interest Tip This format is used to highlight a procedure that will save time or resources equipment Danger This is a safety warning Failure to take heed of this notice may result in A Warning Ignoring this type of note may result in a malfunction or damage to the A personal injury or death xiii v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Scope This manual is written for the VPN firewall according to these specifications Product Version ProSafe VPN Firewall 50 Manual Publication Date September 2006 For more information about network Internet firewall and VPN technologies see the links to the NETGEAR website in Appendix B Related Documents Note Updates to this product are available on the NETGEAR Inc website at lt http kbserver netgear com products F VS338 asp How to Use This Manual The HTML version of this manual includes the following e Buttons gt and lt for browsing forwards or backwards through the manual one page at a time e A button that displays the table of contents and an button Double click on a link in the table of contents or index to navigate directly to where the topic is described in the manual e A button to ac
120. ify User or Admin settings 1 Select Administration from the main menu and Set Password from the submenu The Set Password screen will display Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box Change the password by first entering the old password and then entering the new password twice Click Apply to save your settings or Cancel to return to your previous settings Change the Idle Logout Time field to the number of minutes you require The default is 5 minutes Click Apply to save this setting Note If you make the administrator login time out value too large you will have to wait a long time before you are able to log back into the router if your previous login was disrupted i e you did not click Logout on the Main Menu bar to log out Set Password User Selection Edit Admin Settings Edit Guest Settings i Admin Settings Guest Settings Old User Name Old User Name aussi New User Name New User Name ouest Old Password se Old Password E New Password i New Password SI Retype New Password e Retype New Password E Idle Logout Time Administrator login times out after idle for Minutes Figure 6 1 6 8 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Note The password and time out value you enter will be ch
121. igure dynamic DNS on the WAN ports if needed Configure your fully qualified domain names during this phase if required Configure the WAN options if needed Optionally you can enable each WAN port to respond to a ping You can also change the factory default MTU size port speed and uplink bandwidth However these are advanced features and changing them is not usually required Connecting the VPN Firewall to Your Network To physically connect your VPN firewall refer to the IFVS338 ProSafe VPN Firewall 50 Installation Guide a copy is also available on your Resource CD Logging in to the VPN Firewall gt Note To connect to the firewall your computer needs to be configured to obtain an IP address automatically via DHCP 2 1 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual To log in to the VPN firewall 1 Open a Internet Explorer Netscape Navigator or Firefox browser In the browser window enter http 192 168 1 1 in the address field The FVS338 login screen will display O help User Name admin Password jeeeeeeee Figure 2 1 2 Enter admin for the User Name and password for the Password both in lower case letters The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection 3 Click Login The Broadband ISP Settings screen will display ____ Note You might want to enab
122. ious section are displayed If you do not receive replies Check that your PC has the IP address of your firewall listed as the default gateway If the IP configuration of your PC is assigned by DHCP this information will not be visible in your PC s Network Control Panel Check to see that the network address of your PC the portion of the IP address specified by the netmask is different from the network address of the remote device Check that your cable or DSL modem is connected and functioning If your ISP assigned a host name to your PC enter that host name as the Account Name in the Basic Settings menu Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem If this is the case you must configure your firewall to clone or spoof the MAC address from the authorized PC Refer to Manually Configuring Your Internet Connection on page 2 9 7 6 Troubleshooting v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings changing the firewall s administration password to password and the IP address to 192 168 1 1 You can erase the c
123. l Internet Protocol TCP IP and Routing Information Protocol RIP e IP Address Sharing by NAT The VPN firewall allows several networked PCs to share an Internet account using only a single IP address which may be statically or dynamically assigned by your Internet service provider ISP This technique known as NAT allows the use of an inexpensive single user ISP account e Automatic Configuration of Attached PCs by DHCP The VPN firewall dynamically assigns network configuration information including IP gateway and domain name server DNS addresses to attached PCs on the LAN using the Dynamic Host Configuration Protocol DHCP This feature greatly simplifies configuration of PCs on your local network e DNS Proxy When DHCP is enabled and no DNS addresses are specified the firewall provides its own address as a DNS server to the attached PCs The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN e PPP over Ethernet PPPoE PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial up connection This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC Introduction 1 3 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Trend Micro Integration If you have installed the Trend Micro Client Server Messaging Suite for SMB on your local network you can have
124. l Keys D Other Connections I Enable Perfect Forward Secrecy PFS ffie H F IV Enable Replay Detection Figure 5 12 17 In the left frame expand Authentication Phase 1 and select Proposal 1 Compare with the figure below No changes should be necessary Security Policy Editor NETGEAR ProSafe VPN Client Ole File Edit Options Help NETGEAR N Network Security Policy E J My Connections Authentication Method and Algorithms to FVS 3 My Identity Authentication Method EA Security Policy Pre Shared Key E Authentication Phase 1 Bs Key Exchange Phase 2 Encryption and Data Integrity Algorithms Qs Other Connections Encrypt Alg Triple DES X Hash Alg SHA 1 X Seconds SA Life Unspecified Key Group Diffie Hellman Group v Figure 5 13 5 18 v1 0 September 2006 Virtual Private Networking FVS338 ProSafe VPN Firewall 50 Reference Manual 18 In the left frame expand Key Exchange Phase 2 and select Proposal 1 Compare with the figure below No changes should be necessary 19 In the upper left of the window click the disk icon to save the policy INI Security Policy Editor NETGEAR ProSafe VPN Client ile Edit Options Help sa NETGEAR Network Security Policy J My Connections IPSec Protocols Seconds KBytes amp to_FVS G My Identity SA Life Unspecified x a Security Policy C 3 E
125. l traffic received from PCs with any MAC address is allowed See Enabling Source MAC Filtering on page 4 23 for the procedure on how to use this feature VPN Firewall Features That Increase Traffic Features that tend to increase WAN side loading are as follows e Port forwarding e Port triggering e DMZ port e Exposed hosts e VPN tunnels Port Forwarding The firewall always blocks DoS Denial of Service attacks A DoS attack does not attempt to steal data or damage your PCs but overloads your Internet connection so you can not use it i e the service is unavailable You can also create additional firewall rules that are customized to block or allow specific traffic A Warning This feature is for Advanced Administrators only Incorrect configuration will cause serious problems 6 4 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual You can control specific inbound traffic i e from WAN to LAN and from WAN to DMZ Inbound Services lists all existing rules for inbound traffic If you have not defined any rules only the default rule will be listed The default rule blocks all inbound traffic Each rule lets you specify the desired action for the connections covered by the rule BLOCK always BLOCK by schedule otherwise Allow ALLOW always ALLOW by schedule otherwise Block You can also enable a check on special rules VPN Passthrough E
126. le and made inactive if not needed This allows routes to be used as needed without deleting the entry and re adding it An inactive route is not broadcast if RIP is enabled Select the Active radio box to make this route effective e Private Determine whether the route can be shared with other routers when RIP is enabled If Yes then the route will not be shared in a RIP broadcast or multicast Check the Private radio box if you want to limit access to the LAN only The static route will not be advertised in RIP 3 8 LAN Configuration v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 5 Type the Destination IP Address or network of the route s final destination 6 Enter the IP Subnet Mask for this destination If the destination is a single host enter 255 255 255 255 Network Configuration Securit Routing Name Figure 3 4 WAN Settings Destination 1 i stration onito l Sup l WAN Mode Dynamic DNS LAN Setup LAN Groups i 8 RIP Configuration help Gateway Interface Metic Active Private Jj Action select all delete add Y Add Static Route N Operation succeeded Route Name Active Private Destination IP Address IP Subnet Mask Interface Broadband v Gateway IP Address Metric Apply Reset 7 From the Interface pull down menu selection the physical network interface Broadband Dialup or LAN throu
127. le remote management at this time so that you can log in remotely in the future to manage the firewall See Enabling Remote Management Access on page 6 9 for more information Remote management enable is cleared with a factory default reset If you enable remote management you are strongly advised to change your password see Changing Passwords and Settings on page 6 7 Configuring your Internet Connection You can configure both Broadband ISP Settings and Dialup ISP Settings from the WAN Settings menu To configure your Broadband ISP Settings 1 Select Network Configuration from the main menu and WAN Settings from the submenu The Broadband ISP Settings screen will display 2 2 Connecting the FVS338 to the Internet v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Network Configuration WAN Mode Dynamic DNS LAN Setup LAN Groups Routing HCP tie iehcrs Dialup ISP Settings 8 Advanced 8 Broadband Status ZA DHCP Server Detected 7 Does Your Internet Connection Require a Login b Login O Yes No Password Account Name Domain Name Which type of ISP connection do you use 3 R Login S rver Austria PPTP Idle Timeout Keep Connected Other PPPoE Idle Time Minutes My IP Addreks 4 BigPond Cable Server IP Addres Current IP Address help help Get Dynamically from ISP Get Automatically from ISP Use Static IP Address
128. ll s VPN Wizard we will create a set of policies IKE and VPN that will allow the two firewalls to connect from locations with fixed IP addresses Either firewall can initiate the connection This procedure was developed and tested using e Netgear FVS338 VPN Firewall WAN IP address 10 1 32 41 LAN IP address subnet 192 168 1 1 255 255 255 0 e Netgear FVX538 VPN Firewall WANT IP address 10 1 0 118 LAN IP address subnet 192 168 2 1 255 255 255 0 Configuring the FVS338 To configure the FVS338 using the VPN Wizard 1 Select VPN from the main menu and VPN Wizard from the submenu The VPN Wizard screen will display Check the Gateway radio box to establish a gateway to gateway VPN tunnel Give the new connection a name such as to_fvx Enter a value for the pre shared key Enter the WAN IP address or Internet name of the remote WAN and the WAN IP Address or Internet name of the local WAN The address type must match Gu Pe E A Enter the remote LAN IP address and subnet mask 7 Click Apply to create the IKE and VPN policies 5 8 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual n n VPN Wizard 1 j z PN Wizard 8 VPN Wizard Default Values i About YPN Wizard The Wizard sets most parameters to defaults as proposed by the VPN Consortium PNC and assumes a pre shared key which greatly simplifies setup After creating the policies through the V
129. lock all traffic except E mail Only E mail traffic will be allowed All other traffic will be blocked If using this option you may also select the Send E mail alert option You must configure the E mail screen in order for this function to work Internet Traffic Statistics Traffic by Protocol This displays statistics on Internet Traffic via the WAN port If you have not enabled the Traffic Meter these statistics are not available Click this link if you want to know more details of the Internet Traffic The volume of traffic for each protocol will be displayed in a sub window Traffic counters are updated in MBytes scale counter starts only when traffic passed is at least 1MB Connecting the FVS338 to the Internet v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring the WAN Mode The WAN Mode screen allows you to configure how your router uses your external Internet connections for example your WAN port or dialup modem connections NAT NAT is the technology which allows all PCs on your LAN to share a single Internet IP address Viewed from the Internet the WAN port on the VPN firewall is configured with a single IP address the public address PCs on your LAN can use any private IP address range and these IP addresses are not visible from the Internet The Router uses NAT to select the correct PC on your LAN to receive any incoming data and hides in
130. lude e DoS protection Automatically detects and thwarts DoS attacks such as Ping of Death SYN Flood LAND Attack and IP Spoofing e Blocks unwanted traffic from the Internet to your LAN e Blocks access from your LAN to Internet locations or services that you specify as off limits e Logs security incidents The FVS338 will log security events such as blocked incoming traffic port scans attacks and administrator logins You can configure the firewall to email the log to you at specified intervals You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs e With its URL keyword filtering feature the FVS338 prevents objectionable content from reaching your PCs The firewall allows you to control access to Internet content by screening for keywords within Web addresses You can configure the firewall to log and report attempts to access objectionable Internet sites Security The VPN firewall is equipped with several features designed to maintain security as described in this section e PCs Hidden by NAT NAT opens a temporary path to the Internet for requests originating from the local network Requests originating from outside the LAN are discarded preventing users outside the LAN from finding and directly accessing the PCs on the LAN 1 2 Introduction v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Port Forwardi
131. m the sub menu The Source MAC Filter screen will display 2 Check the Yes radio box in the MAC Filtering Enable section Firewall Protection and Content Filtering 4 23 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Build your list of Source MAC Addresses to be block by entering the first MAC address in the MAC Address field in the form xx xx xx xXx xx xx where x is a numeric 0 to 9 or an alphabet between and a and f inclusive for example 00 e0 4c 69 0a Click Add The Mac Address will be added to the Available MAC Addresses to be Blocked table You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC Address Click Reset to cancel a MAC address entry before adding it to the table When you have completed adding MAC addresses click Apply to save your settings Setting Up Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall Using this feature requires that you know the port numbers used by the Application Once configured Port Triggering operates as follows 1 2 A PC makes an outgoing connection using a port number defined in the Port Triggering table The VPN firewall records this connection opens the an INCOMING port or ports associated with this entry in the Port Triggering table and associates them with the PC The rem
132. mmon protocol numbers 4 17 rules covered by 6 2 Services screen 4 18 settings backup 6 12 Simple Network Management Protocol See SNMP SMTP server requirements of 4 29 SNMP about 6 11 configuring 6 11 SNMP screen 6 11 SNMP SysConfiguration screen 6 12 Source MAC Filter screen 4 23 Source MAC Filtering 4 23 6 4 enabling 4 23 reducing traffic 6 4 spoof MAC address 7 5 spoofing UDP flood 4 11 stateful packet inspection 2 4 1 Static Route example of 3 9 static routes configuring 3 8 example 3 9 Stealth Mode Attack Checks 4 10 SYN flood denial of service attack 4 10 SysLog Facility Message Levels 4 29 Syslog Server 4 29 T TCP IP network Troubleshooting 7 5 Testing VPN connections client to gateway 5 19 time daylight savings 7 7 troubleshooting 7 7 Time Zone Index 6 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual setting of 6 15 Time Zone screen 6 15 ToS service levels 4 19 used with QoS 4 19 Traffic features that increase 6 4 management of 6 7 reducing 6 1 Traffic Meter about 6 16 traffic meter programming 2 2 Trend Micro 3 2 Trend Micro integration 2 Trend Micro screen 3 12 Troubleshooting 7 1 Date and Time 7 7 ISP connection 7 4 LEDs 7 2 LEDs Never Turn Off 7 2 NTP 7 7 Power LED Not On 7 1 Web configuration 7 2 Trusted Certificates 5 33 about 5 33 U UDP flood denial of service attack 4 11 upgrade firmware 6 12 upgrade router s
133. n bytes Click Apply to save your settings 2 8 Connecting the FVS338 to the Internet v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual g 5 Dial up ISP Settings Advanced DIAL UP Status i Dial up Account Account User Name E Password Loo Telephone SS SI Alternative Telephone OY 2 Dial up Connection Status B I Dialup TAT EAA Ooo EFE Con Connect auto Connect and di Default Custom 7500 Bytes Internet IP Address Get Dynamically fro Figure 2 6 Manually Configuring Your Internet Connection If you know your Broadband ISP connection type you can bypass the Auto Detect feature and connect your router manually Ensure that you have all of the relevant connection information such as IP Addresses account information type of ISP connection etc before you begin Unless your ISP automatically assigns your configuration automatically via DHCP you will need the configuration parameters from your ISP Connecting the FVS338 to the Internet 2 9 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Broadband ISP Settings Di P Setting J Advanced Broadband Status ISP Login Does Your Internet Connection Require a Login b Login ell Yes O No Password i ISP Type Account Name LY Domainname L Which type of ISP connection do you use Login Server austria PPTP Idl
134. nable The fields corresponding to the selection you have selected will be highlighted Each DNS service provider requires its own parameters 3 Access the Web site of one of the DDNS service providers and set up an account A link to each DDNS provider is opposite the DNS Configuration screen name 4 After setting up your account return to the Dynamic DNS Configuration screen and fill in the required fields for the DDNS service you selected a In the Host and Domain Name field enter the entire FQDN name that your dynamic DNS service provider gave you for example lt yourname gt dyndns org b Enter the User Name User email Address or Account Name requested by the DDNS Service to identify you when logging into your DDNS account c Enter the Password or User Key for your DDNS account d If your dynamic DNS provider allows the use of wild cards in resolving your URL you may check the Use wildcards radio box to activate this feature For example the wildcard feature will cause yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org 5 Click Apply to save your configuration or click Cancel your settings and revert to the previous settings 2 18 Connecting the FVS338 to the Internet v1 0 September 2006 Chapter 3 LAN Configuration This chapter describes how to configure LAN Setup LAN Groups and Routing Static IP features of your ProSafe VPN Firewall 50 These features can be found under
135. nable this to pass the VPN traffic without any filtering specially used when this firewall is between two VPN tunnel end points Drop fragmented IP packets Enable this to drop the fragmented IP packets UDP Flooding Enable this to limit the number of UDP sessions created from one LAN machine TCP Flooding Enable this to protect the router from Syn flood attack Enable DNS Proxy Enable this to allow the incoming DNS queries Enable Stealth Mode Enable this to set the firewall to operate in stealth mode As you define your firewall rules you can further refine their application according to the following criteria LAN Users These settings determine which computers on your network are affected by this rule Select the desired IP Address in this field WAN Users These settings determine which Internet locations are covered by the rule based on their IP address Any The rule applies to all Internet IP address Single address The rule applies to a single Internet IP address Address range The rule is applied to a range of Internet IP addresses Destination Address These settings determine the destination IP address for this rule which will be applicable to incoming traffic this rule will be applied only when the destination IP address of the incoming packet matches the IP address of the WAN interface selected or Specific IP address entered in this field Selecting ANY enables the rule for any IP
136. nce Manual it About YPN Wizard The Wizard sets most parameters to defaults as proposed by the VPN Consortium PNC and assumes a pre shared key which greatly simplifies setup After creating the policies through the VPN Wizard you can always update the parameters through the Policies menu This PN tunnel will connect to the following peers O Gateway vpn Client Connection Name and Remote IP Type What is the new Connection Name What is the pre shared key 12345678 Key Length 8 49 Char End Point Information What is the Remote Identifier Information vs_remote com What is the Local Identifier Information Secure Connection Remote Accessibility What is the remote LAN IP Address Wo What is the remote LAN Subnet Mask A A Figure 5 7 Configuring the VPN Client On a remote PC that has a NETGEAR ProSafe VPN Client installed configure the client using the FVS338 VPN Client default parameters displayed in both the IKE Policy table and the VPN Policy table of the FVS338 under the name home Local FQDN the router fvs_local com Remote FQDN the client fvs_remote com Encryption Algorithm 3DES Authentication Algorithm SHA 1 Pre shared key 12345678 defined by user Diffie Hellman DH Group Group 2 1024 bit SA Life Time unspecified Remote LAN IP subnet 192 168 1 0 255 255 255 0 5 14 Virtual Private Networking v1 0 September 2006 FVS
137. nder Create New SNMP Configuration Entry enter the IP Address of the SNMP manager in the IP Address field and the Subnet Mask in the Subnet Mask field e Ifyou want to allow only the host address to access the VPN firewall and receive traps for example see Figure 6 3 enter an IP Address of for example 192 168 1 100 with a Subnet Mask of 255 255 255 255 e If you want to allow a subnet access to the VPN firewall through SNMP enter an IP address of for example 192 168 1 100 with a Subnet Mask of 255 255 255 0 The traps will still be received on 192 168 1 100 but the entire subnet will have access through the community string e If you want to make the VPN firewall globally accessible using the community string but still receive traps on the host enter 0 0 0 0 as the Subnet Mask and an IP Address for where the traps will be received Enter the trap port number of the configuration in the Port field The default is 162 4 Enter the trap community string of the configuration in the Community field 5 Click Add to create the new configuration The entry will display in the SNMP Configuration table Router and Network Management 6 11 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 6 Click Edit in the Action column adjacent to the entry to modify or change the selected configuration Network Configuration T N Administration onii l i Remote Management Settings Backup amp Upgrade Set Pass
138. ng with NAT Although NAT prevents Internet locations from directly accessing the PCs on the LAN the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request You can specify forwarding of single ports or ranges of ports e Exposed Host Software DMZ Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule Instead of discarding this traffic you can have it forwarded to one computer on your network Autosensing Ethernet Connections with Auto Uplink With its internal 8 port 10 100 switch the FVS338 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network Both the LAN and WAN interfaces are autosensing and capable of full duplex or half duplex operation The firewall incorporates Auto Uplink technology Each Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection such as to a PC or an uplink connection such as to a switch or hub That port will then configure itself to the correct configuration This feature also eliminates the need to worry about crossover cables as Auto Uplink will accommodate either type of cable to make the right connection Extensive Protocol Support The VPN firewall supports the Transmission Control Protoco
139. nnection If the request times out no reply is received it usually means that the destination is unreachable However some network devices can be configured not to respond to a ping The ping results will be displayed in a new screen click Back on the Windows menu bar to return to the Diagnostics screen Traceroute often called Trace Route Lists all Routers between the source this device and the destination IP address The Trace Route results will be displayed in anew screen click Back on the Windows menu bar to return to the Diagnostics screen Perform a DNS Lookup A DNS Domain Name Server converts the Internet name e g www netgear com to an IP address If you need the IP address of a Web FTP Mail or other Server on the Internet you can do a DNS lookup to find the IP address Display the Routing This operation will display the internal routing table This information is used most Table often by Technical Support Router and Network Management 6 27 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6 4 Diagnostics Fields Item Description Reboot the Router Used to perform a remote reboot restart You can use this if the Router seems to have become unstable or is not operating normally Note Rebooting will break any existing connections either to the Router such as this one or through the Router for example LAN users accessing
140. nnection manually 2 9 connection configuration 2 2 traffic information 6 25 Internet Protocol Numbers 4 17 IP Address LAN Setup 3 2 rules with VPN tunnels 5 2 IP Address Pool LAN Setup 3 3 use with ModeConfig 5 26 IP addresses auto generated 7 3 reserved 3 8 IP Addressing Requirements VPNs use in Dual WAN Ports 5 IP Subnet Mask LAN Setup 3 2 Index 3 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual IPSec Connection Status Fields description of 6 24 VPN Tunnel use with 4 11 IPSec Connection Status screen 5 7 6 24 IPSec Host authentication 5 22 XAUTH use with 5 20 5 22 ISP connection troubleshooting 7 4 K Keyword Blocking 6 3 Content Filtering 4 21 examples of 4 21 Known PCs and Devices 3 6 adding entry 3 7 L L2TP VPN Tunnel 4 LAN configuration 3 1 ports and attached devices 6 25 LAN IP address ranges adding aliases 3 4 LAN Security Checks UDP flood 4 11 LAN Setup Enable DHCP Server 3 2 Enable DNS Proxy 3 3 IP Address 3 2 IP Address Pool 3 3 about 4 7 LAN WAN Rules screen 4 7 LEDs explanation of 1 6 troubleshooting 7 2 LEDs Never Turn Off 7 2 load balancing 5 1 local network monitoring 6 20 Local Public Web Server 4 12 Log Entry Descriptions 4 31 Login Failures notification of 6 18 Logs screen 4 30 MAC address 7 6 spoofing 7 5 Manual VPN Policies creating 5 6 Mode Config screen 5 26 ModeConfig about 5 25 5 26 configura
141. nown PCs and Devices Item Description Name The name of the PC or device Sometimes this can not be determined and will be listed as Unknown In this case you can edit the entry to add a meaningful name IP Address The current IP address For DHCP clients where the IP address is allocated by the DHCP Server in this device this IP address will not change Where the IP address is set on the PC as a fixed IP address you may need to update this entry manually if the IP address on the PC is changed MAC Address The MAC address of the PC The MAC address is a low level network identifier which is fixed at manufacture Group Each PC or device must be in a single group The Group column indicates which group each entry is in By default all entries are in the Group1 Ky Note If the VPN firewall is rebooted the table data is lost until the VPN firewall rediscovers the devices Viewing Port Triggering Status You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu When the Port Triggering screen display click the Status link Security Services Schedule Block Sites Firewall Rules Source MAC Filter Trend Micro Stains Port Triggering Operation succeeded Port Triggering Status Name Enable Protocol Outgoing Ports Start Port End Por Mji Abstracts No TCP 20
142. ns Remote Party Identity and Addressing ID Type IP Subnet x Subnet 192 168 1 0 Mask 255 255 255 0 eee IV Use Secure Gateway Tunnel X Protocol Al ID Type Domain Name x Gateway IP Address fvs_local com 10 1 0 111 Figure 5 9 8 Inthe left frame click on My Identity shown in Figure 5 10 9 From the Select Certificate pull down menu select None 10 From the ID Type pull down menu select Domain Name The value entered under Domain Name will be in the form lt name gt lt XY gt fvs_remote com where each user must use a different variation on the Domain Name entered here The lt name gt is the policy name used in the FVS338 configuration In this example it is home X and Y are an arbitrary pair of numbers chosen for each user Note X may not be zero In this example we entered home11 fvs_remote com Up to 25 user variations can be served by one policy 11 Leave Virtual Adapter disabled and select your computer s Network Adapter Your current IP address will appear 5 16 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual N Security Policy Editor NETGEAR ProSafe VPN Client a NETGEAR Network Security Policy My Connections r My Identity Bh to_FvS as Pre Shared Key G My identity Select Certificate E a Security Policy None X Qs Other Connections ID Type Port Domain Name
143. nse to the previous request and forwards the response to the PC Without Port Triggering this response would be treated as a new connection request rather than a response As such it would be handled in accordance with the Port Forwarding rules Only one PC can use a Port Triggering application at any time After a PC has finished using a Port Triggering application there is a time out period before the application can be used by another PC This is required because the firewall cannot be sure when the application has terminated See Setting Up Port Triggering on page 4 24 for the procedure on how to use this feature VPN Tunnels The VPN firewall permits up to 200 VPN tunnels at a time Each tunnel requires extensive processing for encryption and authentication See Chapter 5 Virtual Private Networking for the procedure on how to use this feature 6 6 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Using QoS to Shift the Traffic Mix The QoS priority settings determine the priority and in turn the quality of service for the traffic passing through the firewall The QoS is set individually for each service e You can accept the default priority defined by the service itself by not changing its QoS setting e You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise w
144. ntation is built into the browser based Web Management Interface e Smart Wizard The VPN firewall automatically senses the type of Internet connection asking you only for the information required for your type of ISP account e VPN Wizard The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium VPNC to ensure the VPN tunnels are interoperable with other VPNC compliant VPN routers and clients e SNMP The VPN firewall supports the Simple Network Management Protocol SNMP to let you monitor and manage log resources from an SNMP compliant system manager The SNMP system configuration lets you change the system variables for MIB2 e Diagnostic functions The firewall incorporates built in diagnostic functions such as Ping Trace Route DNS lookup and remote reboot 1 4 Introduction v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Remote management The firewall allows you to securely login to the Web Management Interface from a remote location on the Internet For additional security you can limit remote management access to a specified remote IP address or range of addresses and you can choose a nonstandard port number e Visual monitoring The VPN firewall s front panel LEDs provide an easy way to monitor its status and activity Maintenance and Support NETGEAR offers the following features to help y
145. nual Table A 1 FVS338 Default Settings continued Feature Default Behavior Time Zone GMT Time Zone Adjusted for Daylight Saving Disabled Time SNMP Disabled Remote Management Disabled Firewall Inbound communications coming in from the Internet Disabled except traffic on port 80 the http port Outbound communications going out to Enabled all the Internet Source MAC filtering Disabled Stealth Mode Enabled Technical Specifications for the ProSafe VPN Firewall 50 are listed in the following table Table A 2 VPN firewall Default Technical Specifications Feature Specification Data and Routing Protocols Network Protocol and Standards Compatibility TCP IP RIP 1 RIP 2 DHCP PPP over Ethernet PPPoE Power Adapter North America 120V 60 Hz input United Kingdom Australia 240V 50 Hz input Europe 230V 50 Hz input Japan 100V 50 60 Hz input Physical Specifications Dimensions 1 1 x 6 89 x 4 65 in Weight 0 3kg 0 66 lb A 2 Default Settings and Technical Specifications v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table A 2 VPN firewall Default Technical Specifications Feature Specification Environmental Specifications Operating temperature 0 to 40 C 322 to 104 F Operating humidity 90 maximum relati
146. o problems ensue the Certificate will be issued 5 36 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual When you obtain the certificate from the CA you can then upload it to your computer Click Browse to locate the Certificate file and then click Upload The certificate will display in the Active Self Certificates table see Figure 5 25 Certificates are updated by their issuing CA authority on a regular basis You should track all of your CAs to ensure that you have the latest version and or that your certificate has not been revoked To track your CAs you must upload the Certificate Identify for each CA to the CRL Managing your Certificate Revocation List CRL CRL Certificate Revocation List files show Certificates which are active and certificates which have been revoked and are no longer valid Each CA issues their own CRLs It is important that you keep your CRLs up to date You should obtain the CRL for each CA regularly The CRL table lists your active CAs and their critical release dates e CA Identity The official name of the CA which issued this CRL e Last Update The date when this CRL was released e Next Update The date when the next CRL will be released To upload a Certificate Identity to the CRL 1 Click Browse and then locate the file you previously downloaded from a CA 2 Select the Certificate Identity file The name will appear in the
147. ociate this address with a Web server on the LAN vv Tip If your ISP allows you to have more than one public IP address for your use you G can use the additional public IP addresses to map to servers on your LAN One of these public IP addresses will be used as the primary IP address of the router This address will be used to provide Internet access to your LAN PCs through NAT The other addresses are available to map to your servers To configure the FVS338 for additional IP addresses 1 Select Security from the main menu and Firewall Rules from the submenu 2 Click Add under the Inbound Services table The Add LAN WAN Inbound Service screen will display Firewall Protection and Content Filtering 4 13 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual From the service pull down menu select the HTTP service for a Web server From the Action pull down menu select Allow Always In the Send to LAN Server field enter the local IP address of your Web server PC From the Public Destination IP Address pull down menu choose Other Public IP Address aA MS w Enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server 8 Click Apply The rule will display in the Inbound Services table shown in Figure 4 9 Add LAN WAN Inbound Service Operation succeeded helpl Service HTTP w Action ALLOW always v Select Schedule Send to
148. ocking You can specify up to 32 words that should they appear in the Web site name URL or in a newsgroup name will cause that site or newsgroup to be blocked by the VPN firewall You can apply the keywords to one or more groups Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled Router and Network Management 6 3 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains Access to the domains on this list by PCs even in the groups for which keyword blocking has been enabled will still be allowed without any blocking e Web Component Blocking You can block the following Web component types Proxy Java ActiveX and Cookies Sites on the Trusted Domains list are still subject to Web component blocking when the blocking of a particular Web component has been enabled See Setting Block Sites Content Filtering on page 4 21 for the procedure on how to use this feature Source MAC Filtering If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses By default this feature is disabled al
149. odes are available either Main or Aggressive Main Mode is slower but more secure Aggressive mode is faster but less secure If specifying either a FQDN or a User FQDN name as the Local ID Remote ID aggressive mode is automatically selected Local ID The IKE ISAKMP identify of this device The remote VPN must have this value as their Remote ID Remote ID The IKE ISAKMP identify of the remote VPN Gateway The remote VPN must have this value as their Local ID Encr Encryption Algorithm used for the IKE SA The default setting using the VPN Wizard is 3DES This setting must match the Remote VPN Auth Authentication Algorithm used for the IKE SA The default setting using the VPN Wizard is SHA1 This setting must match the Remote VPN DH Diffie Hellman Group The Diffie Hellman algorithm is used when exchanging keys The DH Group sets the number of bits The VPN Wizard default setting is Group 2 This setting must match the Remote VPN To gain a more complete understanding of the encryption authentication and DH algorithm technologies see Appendix B Related Documents VPN Policies You can create two types of VPN Policies When using the VPN Wizard to create a VPN policy only the Auto method is available Virtual Private Networking 5 5 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Manual All settings including the keys for the VP
150. oduct and Publication Details Model Number FVS338 Publication Date September 2006 Product Family VPN firewall Product Name ProSafe VPN Firewall 50 Home or Business Product Business Language English Publication Part Number 202 10046 03 Publication Version Number 1 0 vi v1 0 September 2006 Contents About This Manual GCGonventions Formats and SCOpe asinine amiaisiimmnmiuamnimniamniie xiii Pow EUS ME Iya aa xiv How to Frim Mis Manual cccsctescctcesaresecusceuedvotedeaits lacaseave sytney iuesbad ious ladeebeiveumeniiie xiv Ren O epee ene reentry Pererrnn etre eer ys Penner ee Teeny mart ret TTT XV Chapter 1 Introduction ey T scans ade A E E A A A E A E tetas eds 1 1 Full Routing on Both the Broadband and Serial WAN Pors c csesseeeeesssrteeees 1 2 A Powerful True Firewall with Content Filtering ccccccecssseeceeeeesseeeeeeesssteeeeenees 1 2 SOCON 25 caicaeendelebiecs E 1 2 Autosensing Ethernet Connections with Auto Uplink ssssssssessssessriererrerrrernrnn 1 3 Extensive Protocol SUPPO Meera ment rerren me a 1 3 Hie ed aede Garret peer ner rete Tree cnr ttn terre er ree E reer errr rer E er rrtrr 1 4 Easy Installation and ManageMeni sesssnssnrsrssnn uence aseeeaNiamaemaas 1 4 PLIAGE ama SUPROT cn seciantanseassisnranisensduainiiash seats usec star sadeesieis muinsSucbaantieduasits 1 5 ge 2 tele oe 0 k Seer eee tee eee eet eee eee een ee rer eer eee 1 5 Router Para ware SOMONE sissaechp
151. ogs amp E mail 33 Log Identifier F S338 i Security Logs Unit Never Day Sunday Time M00 ii System Logs Accepted Packets C Lan to WAN C Lan to WAN C wan to LAN MM WAN to LAN Dropped parkaa O Change of time by NTP Login attempts CO Secure Login attempts C Reboots E Inbound WAN Packets Dropped g Inbound LAN Packets Dropped 2 Enable E Mail Logs Do youa want nt logs to be emailed to you oe O No E Mail Server Address mas Return E Mail Address Send to E Mail Address o EIA No Authentication Login Plain CRAM MD5 Soe ii Enable SysLogs User Name Password C Respond to Identd from SMTP Server Do you want to enable syslog aoe TERS 7 SysLog Facility Localo v Ue Ja O No Figure 6 8 View System Logs Select the types of events to email Select the segments to track for System Log events Enable email alerts Syslog Server enabled Router and Network Management v1 0 September 2006 6 19 FVS338 ProSafe VPN Firewall 50 Reference Manual Monitoring Attached Devices The Groups and Hosts menu contains a table of all IP devices that the VPN firewall has discovered on the local network Select Network Configuration from the main menu and LAN Groups from the submenu The Groups and Hosts screen will display Network Configuration Routing W
152. okies Even sites on the Trusted Domains list will be subject to Web Components blocking when the blocking of a particular Web component is enabled Keyword and domain name blocking You can specify up to 32 words that should they appear in the Web site name URL or in a newsgroup name will cause that site or newsgroup to be blocked by the VPN firewall You can apply the keywords to one or more groups Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled You can bypass Keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains Access to the domains or keywords on this list by PCs even those in the groups for which keyword blocking has been enabled will still be allowed without any blocking Keyword Blocking application examples If the keyword XXX is specified the URL lt http www badstuff com xxx html gt is blocked as is the newsgroup alt pictures XXX If the keyword com is specified only Web sites with other domain suffixes such as edu or gov can be viewed If you wish to block all Internet browsing access enter the keyword To enable Content Filtering 1 Select Security from the main menu and Block Sites from the sub menu The Block Sites screen will display 2 Check the Yes radio button to
153. om the pull down menu Connecting the FVS338 to the Internet 2 15 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual If you have both ISP links connected for Internet connectivity check the Primary Broadband with Dialup as backup for auto rollover 4 The WAN Failure Detection Method must be configured to notify the router of a link failure if you are using Dialup as a backup to engage auto rollover The router checks the connection of the primary link at regular intervals to detect its status Check the radio box of one the following methods to detect link failure Select DNS lookup using configured DNS Servers to detect failure of the Broadband link using the DNS servers configured in the Broadband ISP Settings screen Select DNS lookup using this DNS Server and enter the IP address of the DNS server to specify a DNS server for detecting WAN failure Select Ping to this IP address and enter an IP address to detect WAN failure by pinging to an IP address Ensure that this destination host is reliable If a failure is detected on the primary broadband connection the secondary dialup connection connects to the Internet When the primary connection is detected as back online the secondary dialup connection disconnects 5 Enter a Test Period in seconds to tell the router how often it should run the configured detection method The default is 30 seconds 6 Enter the number of router failures that should occur be
154. or CRAM MD5 based on your SMTP server requirements Then enter the user name and password to be used for authentication 8 If you want to respond to IDENT protocol check the Respond to Identd from SMTP Server radio box The Ident Protocol is an Internet protocol that helps identify the user of a particular TCP connection a common daemon program for providing the ident service is identd 9 You can configure the firewall to send system logs to an external PC that is running a syslog logging program Click the Yes radio box to enable SysLogs and send messages to the syslog server then a Enter your Syslog Server IP address b Select the appropriate syslog facility from the SysLog Facility pull down menu he SysLog Facility levels of severity are described in Table 4 3 below 10 Click Reset to cancel your changes and return to the previous settings 11 Click Apply to save your settings Table 4 3 SysLog Facility Message Levels Numerical Code Severity 0 Emergency System is unusable 1 Alert Action must be taken immediately 2 Critical Critical conditions 3 Error Error conditions 4 Warning Warning conditions Firewall Protection and Content Filtering 4 29 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4 3 SysLog Facility Message Levels continued Numerical Code Severity 5 Notice Normal but significant conditions 6 Informational Informational messages 7 Debug Debug level messag
155. or server that is available to anyone on the Internet for services that you have not yet defined To expose one of the PCs on your LAN as this host 1 Create an inbound rule that allows all protocols 2 Place the rule below all other inbound rules Note For security NETGEAR strongly recommends that you avoid creating an exposed _ gt host When a computer is designated as the exposed host it loses much of the protection of the firewall and is exposed to many exploits from the Internet If compromised the computer can be used to attack your network Firewall Protection and Content Filtering 4 15 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Attack Checks Default Outbound Policy Allow Always apply Operation succeeded help Service Name Filter LAN Users WAN Users Priority Log Action select all delete enable D disable add help Service Name Filter LAN Server IP Address LAN Users WAN Users Destination Log Action LOL Hameo Lalowalwaus oo tgzt6an20 Lo LL any 12 1 957 eve O vp Qeown O eaf ANY Allow Always 192 168 0 15 ANY WANL Never up Qeown esit select all delete enable D disable add 1 Select All protocols and ALLOW Always or Allow by Schedule 2 Place rule below all other inbound rules Figure 4 10 Outbound Rules Example Blocking Instant Messenger Outbound rules let you pre
156. osed Host 4 5 Extended Authentication See XAUTH F filtering traffic Index 2 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual by MAC address Source MAC filtering 4 23 firewall alerts emailing of 4 27 connecting 2 1 2 2 features 1 2 logging in to 2 1 rear panel 1 7 security about 4 1 status 6 22 technical specifications A 1 firewall access remote management 6 9 Firewall Logs configuring 4 28 emailing of 4 27 Firewall Logs amp E mail screen 4 27 6 18 firewall protection 4 1 firewall rules about 4 ordering 4 6 firmware upgrade 6 12 FQDN use in VPN tunnels 5 G Gateway VPN Tunnel setting up 5 2 gateway to gateway VPN Tunnel example of 5 8 Generate Self Certificate Request 5 34 Group Names 3 7 editing 3 7 Groups managing 3 5 rules covered by 6 3 Groups and Hosts About 3 5 Groups and Hosts screen 3 6 3 7 6 20 H Host Exclusion List Trend Micro use with 3 13 ICMP Destination Unreachable 4 11 IKE Policies auto rules of 5 4 field definitions 5 5 manual rules of 5 4 use with ModeConfig 5 27 IKE Policies screen 5 9 5 10 IKE ISAKMP use in IKE Policy 5 5 Inbound Rules 4 2 about 4 4 configuring DHCP 4 4 examples of 4 12 Fields definition of 4 5 firewall 4 1 Port Forwarding 4 4 Increased Traffic Port Triggering 6 6 Increased traffic Port Forwarding 6 4 VPN tunnels 6 6 installation 4 Internet configuring the co
157. ote system receives the PCs request and responds using the different port numbers that you have now opened The VPN firewall matches the response to the previous request and forwards the response to the PC Without Port Triggering this response would be treated as a new connection request rather than a response As such it would be handled in accordance with the Port Forwarding rules Only one PC can use a Port Triggering application at any time After a PC has finished using a Port Triggering application there is a Time out period before the application can be used by another PC This is required because this Router cannot be sure when the application has terminated Note For additional ways of allowing inbound traffic see LAN WAN Inbound Services Rules on page 4 9 4 24 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual To add a Port triggering rule 1 Select Security from the main menu and Port Triggering from the submenu The Port Triggering screen will display 1 Enter a user defined name for this rule in the Name field 2 From the Enable pull down menu indicate if the rule is enabled or disabled Security Name Enable Outgoing Ports Start Port End Port Ell 1 Abstracts 20 22 select all m Add Port Triggering Rule Name Enable Protocol Outgoing Trigger Port Range oming Res
158. ou maximize your use of the VPN firewall e Flash memory for firmware upgrade e Free technical support seven days a week twenty four hours a day Package Contents The product package should contain the following items e ProSafe VPN Firewall 50 e AC power adapter e Category 5 Ethernet cable e Resource CD including Application Notes and other helpful information ProSafe VPN Client Software one user license Trend Micro software evaluation e Warranty and Support Information Card If any of the parts are incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing materials in case you need to return the firewall for repair Router Hardware Components Following is a description of the front and rear panels of the FVS338 including instructions for installing the FVS338 using the rack mounting hardware Introduction 1 5 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Router Front Panel The ProSafe VPN Firewall 50 front panel shown below contains the port connections status LEDs and the factory defaults reset button Figure 1 1 NETGEAR Power LED LED ProSafe VPN Firewall Test Modem LED MODEL FVS 100 100 LNK ACT LNK ACT INTERNET Internet LEDs Local LEDs The table below describes each item on the front panel and its operation Table 1 1 Object D
159. ould have The QoS priority settings conform to the IEEE 802 1D 1998 formerly 802 1p standard for class of service tag You will not change the WAN bandwidth used by changing any QoS priority settings But you will change the mix of traffic through the WAN ports by granting some services a higher priority than others The quality of a service is impacted by its QoS setting however See Specifying Quality of Service QoS Priorities on page 4 19 for the procedure on how to use this feature Tools for Traffic Management The ProSafe VPN Firewall 50 includes several tools that can be used to monitor the traffic conditions of the firewall and control who has access to the Internet and the types of traffic they are allowed to have See Viewing Router Configuration and System Status on page 6 22 for a discussion of the tools Administration You can change the administrator and guest passwords and settings configure an SNMP manager backup settings and upgrade firmware and enable remote management Administrator access is read write and guest access is read only Changing Passwords and Settings The default passwords for the firewall s Web Configuration Manager is password Netgear recommends that you change this password to a more secure password You can also configure a separate password for guests Router and Network Management 6 7 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual To mod
160. ponse Port Ran Start Port End Port End Port 1 65534 1 65534 J 1765534 Bemas ve vl re E 2 Operation succeeded Name Abstracts i Edit Port Triggering Rule Enable Protocol Outgoing Trigge Port Range Start Port 20 1 655324 End Port 22 1 65534 Incoming Response Rort Range 20 1 65534 40 1 65534 Figure 4 16 3 From the Protocol pull down menu select either TCP or UDP protocol 4 Inthe Outgoing Trigger Port Range fields a Enter the Start Port range 1 65534 Firewall Protection and Content Filtering 4 25 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual b Enter the End Port range 1 65534 5 Inthe Incoming Response Port Range fields a Enter the Start Port range 1 65534 b Enter the End Port range 1 65534 6 Click Add The Port Triggering Rule will be added to the Port Triggering Rules table To edit or modify a rule 1 Click Edit in the Action column opposite the rule you wish to edit The Edit Port Triggering Rule screen will display 2 Modify any of the fields for this rule Click Reset to cancel any changes and return to the previous settings 4 Click Apply to save your modifications Your changes will appear in the Port Triggering Rules table To check the status of the Port Triggering rules click the Status link on the Port Triggering screen Security
161. rer Importer It is hereby certified that the ProSafe VPN Firewall 50 has been suppressed in accordance with the conditions set out in the BMPT AmtsblVfg 243 1991 and Vfg 46 1992 The operation of some equipment for example test transmitters in accordance with the regulations may however be subject to certain restrictions Please refer to the notes in the operating instructions v1 0 September 2006 Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations Voluntary Control Council for Interference VCCI Statement This equipment is in the second category information equipment to be used in a residential area or an adjacent area thereto and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas When used near a radio or TV receiver it may become the cause of radio interference Read instructions for correct handling Additional Copyrights AES Copyright c 2001 Dr Brian Gladman lt brg gladman uk net gt Worcester UK All rights reserved TERMS Redistribution and use in source and binary forms with or without modification are permitted subject to the following conditions 1 Redistributions of source code must retain
162. reservation 3 8 AH VPN Policies use with 5 7 antivirus scanning Trend Micro 3 12 ARP 3 5 Attached Devices monitoring of 6 20 Attack Checks Block TCP Flood 4 10 Respond To Ping On Internet 4 10 Stealth Mode 4 0 Attack Checks screen 4 10 4 11 Attacks Notification 6 18 Authentication Header See AH Auto Uplink 1 3 Auto VPN Policies 5 6 Available Secondary LAN IPs 3 4 backup and restore settings configuration of 6 13 Block Sites 6 3 Content Filtering 4 21 reducing traffic 6 3 Block Sites screen Content Filtering 4 21 Block TCP Flood Attack Checks 4 10 block traffic Index scheduling 4 20 Broadband Status monitoring 6 23 Broadband Traffic Meter screen 6 16 C CA VPN gateway use with 5 6 CA Certificates about 5 33 Certificate Authority See CA Certificate Identity file 5 37 Certificate Revocation List See CRL Certificates screen 5 33 Self Certificates 5 34 Certification Authorities See CA Client to Gateway VPN tunnel example 5 12 Client VPN Tunnel setting up using VPN Wizard 5 3 common protocols definitions 4 17 configuration automatic by DHCP 1 3 configuration backup 6 12 Content Filtering 1 2 4 1 Block Sites 4 21 enabling 4 21 Keyword Blocking 4 21 Web Components 4 21 content filtering Blocked Sites 4 Keyword Blocking 4 1 CRL lists Index 1 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual managing 5 37 crossover cable
163. resources Outbound rules LAN to WAN determine what outside resources local users can have access to A firewall has two default rules one for inbound traffic and one for outbound The default rules of the FVS338 are e Inbound Block all access from outside except responses to requests from the LAN side Firewall Protection and Content Filtering 4 1 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Outbound Allow all access from the LAN side to the outside Services Based Rules The rules to block traffic are based on the traffic s category of service Inbound Rules port forwarding Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side The firewall can be configured to allow this otherwise blocked traffic Outbound Rules service blocking Outbound traffic is normally allowed unless the firewall is configured to disallow it Customized Services Additional services can be added to the list of services in the factory default list These added services can then have rules defined for them to either allow or block that traffic Quality of Service QoS Each service at its own native priority that impacts its quality of performance and tolerance for jitter or delays You can change this QoS priority if desired to change the traffic mix through the system Outbound Rules Service Blocking The FVS338 allows you to block the use of ce
164. roSafe VPN client 5 32 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual To test the connection 1 Right click on the VPN client icon in the Windows toolbar and select Connect The connection policy you configured will appear in this case My Connections modecfg_test 2 Click on the connection Within 30 seconds the message Successfully connected to MyConnections modecfg_test will display and the VPN client icon in the toolbar will read Opn 3 From the client PC ping a computer on the VPN firewall LAN Certificates Digital Certificates also known as X509 Certificates are used to authenticate the identity of users and systems and are issued by various CAs Certification Authorities Digital Certificates are used by this router during the IKE Internet Key Exchange authentication phase as an alternative authentication method Trusted Certificates are issued to you by various CAs Certification Authorities Trusted Certificates CA Certificates Trusted Certificates are used to verify the validity of certificates issued to an organization and signed by the issuing CA authority When a certificate is generated it is signed by a publicly known authority called the Certificate Authority The Trusted Certificates table shows the Trusted Certificates issued by the various CAs Certification Authorities For each Certificate the following data is listed in
165. roduct Select the software version and follow the To Install steps to download your software After downloading an upgrade file you may need to unzip uncompress it before upgrading the router If Release Notes are included in the download read them before continuing A Warning Once you click Upload do NOT interrupt the router To upgrade router software 1 Select Administration from the main menu and Settings Backup amp Upgrade from the submenu The Settings Backup and Firmware Upgrade screen will display 6 14 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Click Browse in the Router Upgrade section Locate the downloaded file and click upload This will start the software upgrade to your VPN firewall router This may take some time At the conclusion of the upgrade your router will reboot Warning Do not try to go online turn off the router shutdown the computer or do A anything else to the router until the router finishes the upgrade When the Test light turns off wait a few more seconds before doing anything After the VPN firewall has rebooted select Monitoring and confirm the new firmware version to verify that your router now has the new software installed Note In some cases such as a major upgrade it may be necessary to erase the configuration and manually reconfigure your router after upgrading it Refer to the Relea
166. rs can always find your network see Configuring Dynamic DNS If Needed on page 2 16 e If the IP address of the local server PC is assigned by DHCP it may change when the PC is rebooted To avoid this use the Reserved IP address feature in the LAN Groups menu under Network Configuration to keep the PC s IP address constant see Setting Up Address Reservation on page 3 8 e Local PCs must access the local server using the local LAN address of the PC Attempts by local PCs to access the server using the external WAN IP address will fail Note See Setting Up Port Triggering on page 4 24 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall 4 4 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4 2 Inbound Rules Fields Item Description Services Select the desired Service or application to be covered by this rule If the desired service or application does not appear in the list you must define it using the Services menu see Adding Customized Services on page 4 17 Action Select the desired action for packets covered by this rule Select Schedule LAN Server BLOCK always BLOCK by schedule otherwise Allow ALLOW always ALLOW by schedule otherwise Block Note Any inbound traffic which is not allowed by rules you create will be blocked by t
167. rsion Backup and Restore Settings To backup and restore settings 1 Select Administration from the main menu and Settings Backup amp Upgrade from the submenu THe Settings Backup and Firmware Upgrade screen will display 2 Click backup to save a copy of your current settings If your browser isn t set up to save downloaded files automatically locate where you want to save the file specify file name and click Save If you have your browser set up to save downloaded files automatically the file will be saved to your browser s download location on the hard disk Warning Once you start restoring settings or erasing the router do NOT interrupt A the process Do not try to go online turn off the router shutdown the computer or do anything else to the router until it finishes restarting To restore settings from a backup file 1 Click Browse Locate and select the previously saved backup file by default netgear cfg 2 When you have located the file click restore An Alert page will appear indicating the status of the restore operation You must manually restart the VPN firewall for the restored settings to take effect To reset the router to the original factory default settings click default You must manually restart the VPN firewall in order for the default settings to take effect After rebooting the router s password will be password and the LAN IP address will be 192 168 1 1 The VPN firewall will act as a DHCP
168. rtain Internet services by PCs on your network This is called service blocking or port filtering Note See Enabling Source MAC Filtering on page 4 23 for yet another way to block gt outbound traffic from selected PCs that would otherwise be allowed by the firewall 4 2 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4 1 Outbound Rules Fields Item Description Services Select the desired Service or application to be covered by this rule If the desired service or application does not appear in the list you must define it using the Services menu see Adding Customized Services on page 4 17 Action Select the desired action for outgoing connections covered by this rule BLOCK always BLOCK by schedule otherwise Allow ALLOW always ALLOW by schedule otherwise Block Note Any outbound traffic which is not blocked by rules you create will be allowed by the Default rule ALLOW tules are only useful if the traffic is already covered by a BLOCK rule That is you wish to allow a subset of traffic that is currently blocked by another rule Select Schedule Select the desired time schedule i e Schedule1 Schedule2 or Schedule3 that will be used by this rule e This drop down menu gets activated only when BLOCK by schedule otherwise Allow or ALLOW by schedule otherwise Block is selected as A
169. rting IP b o Io o Ending IP b Io Jo Jo WINS Server Primary o Jo Je Jp Secondary e Ie Jb Jp DNS Server Primary b Ho Ho W Secondary e Jo Je Jo A i Traffic Tunnel Security Level gt Ors Key Group DH Group 768 bit SA Lifetime Seconds Encryption Algorithm 3DES ov Integrity Algorithm SHA 1 1 Local IP Address b Ie Mo e Local Subnet Mask b Ie Ho He Mode Config List of Mode Config Records Record Name Pool Start IP Pool End IP Action 172 20 50 1 172 20 50 50 o Remote Users 0 0 0 0 0 0 0 0 eait 0 0 0 0 select all delete add 0 0 0 0 Figure 5 19 To configure an IKE Policy 1 From the main menu select VPN The IKE Policies screen will display showing the current policies in the List of IKE Policies Table Virtual Private Networking 5 27 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 2 Click Add to configure a new IKE Policy The Add IKE Policy screen will display Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull down menu You can view the parameters of the selected record by clicking the View selected radio box Mode Config works only in Aggressive Mode and Aggressive Mode requires that both ends of the tunnel be defined by a FQDN 4 Inthe General section a Enter a de
170. rver is the IP address of the local BigPond Login Server in your area You can find login server information at http www netgear com sg support bigpond asp If your ISP has assigned a fixed static or permanent IP address select the Use Static IP Address radio box and fill in the following fields IP Address Static IP address assigned to you This will identify the router to your ISP Subnet Mask This is usually provided by the ISP or your network administrator Gateway IP Address IP address of the ISP s gateway This is usually provided by the ISP or your network administrator If your ISP has not assigned a Static IP address select the Get dynamically from ISP radio box The ISP will automatically assign an IP address to the router using DHCP network protocol Connecting the FVS338 to the Internet 2 11 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 4 If your ISP has not assigned any Domain Name Servers DNS addresses select the Get dynamically from ISP radio box If your ISP has assigned DNS addresses select the Use these DNS Servers radio box Ensure that you fill in valid DNS server IP addresses in the fields Incorrect DNS entries may cause connectivity issues Note Domain name servers DNS convert Internet names such as www google com www netgear com etc to Internet addresses called IP addresses Incorrect settings here will result in connectivity problems Click
171. s continuously you may need to manually select the port speed Connecting the FVS338 to the Internet 2 7 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual This could occur on some older broadband modems If you know that the Ethernet port on your broadband modem supports 100BaseT select 100BaseT otherwise select 10BaseT Use the half duplex settings if full duplex modes do not work Network Configuration LAN Setup LAN Groups 8 Advanced 3 Broadband Status Broadband ISP Settings i ISP Login Does Yor Broadband Advanced Options i MTU Size 2 Default al Port Speed AutoSense vj Custom E00 Bytes A ii ISP Type Router s MAC Address Use Default Address Use this computer s MAC Use this MAC Address Figure 2 5 You can also change the standard MTU Maximum Transmit Unit value for dialup modems from the Dialup ISP Settings screen THe standard value is 576 bytes but some ISPs may require that you reduce the MTU However this is rarely required and should not be done unless specifically required by the ISP To change the MTU value for your dialup modem 1 Select Network Configuration from the main menu WAN Settings from the submenu and the Dialup ISP Settings tab Click the Advanced link on the Dialup ISP Settings screen Select the Custom radio box and enter the MTU value i
172. s shown in Figure 4 1 ONE Attack Checks Default Outbound Policy Allow Always apply Operation succeeded rep Service Name Filter LAN Users WAN Users Priority Log Action O e AIM Block by schedule 1 else allow ANY ANY Normal Service Never up Qeown edit select all delete enable disable add help Service LAN Server IP LAN Filter WAN Users Destination Log Action Name Address Users cu Allow 134 177 88 1 192 168 0 11 WAN Never up Qeown edit SEEME UDP Always 134 177 889 254 Allow O e HTTP 192 168 1 2 ANY 19 1 9 52 Never up down edit Always Allow ANY 192 168 0 15 ANY WANI Never up Qaown edit Always select all edelete enable O disable add Figure 4 1 For any traffic attempting to pass through the firewall the packet information is subjected to the rules in the order shown in the Rules Table beginning at the top and proceeding to the default rules at the bottom In some cases the order of precedence of two or more rules may be important in determining the disposition of a packet For example you should place the most strict rules at the top those with the most specific services or addresses The Up and Down buttons allow you to relocate a defined rule to a new position in the table 4 6 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual
173. scription name in the Policy Name Field such as salesperson This name will be used as part of the remote identifier in the VPN client configuration b Set Direction Type to Responder c By default the Exchange Mode is set to Aggressive 5 For Local information d Select Fully Qualified Domain Name for the Local Identity Type e Enter an identifier in the Remote Identity Data field that is not used by any other IKE policies This identifier will be used as part of the local identifier in the VPN client configuration 6 Specify the IKE SA parameters These settings must be matched in the configuration of the remote VPN client Recommended settings are e Encryption Algorithm 3DES e Authentication Algorithm SHA 1 e Diffie Hellman Group 2 e SA Lifetime 3600 seconds 7 Enter a Pre Shared Key that will also be configured in the VPN client XAUTH is disabled by default To enable XAUTH select e the Edge Device radio button to use this router as a VPN concentrator where one or more gateway tunnels terminate If selected you must specify the Authentication Type to be used in verifying credentials of the remote VPN gateways e the IPsec Host radio button if you want this gateway to be authenticated by the remote gateway Enter a Username and Password to be associated with the IKE policy When this option is chosen you will need to specify the user name and password to be used in authenticating this gateway by the remote gatewa
174. se Notes included with the software to find out if this is required Setting the Time Zone Date time and NTP Server designations can be input on the Time Zone screen Network Time Protocol NTP is a protocol that is used to synchronize computer clock times in a network of computers To set Time Date and NTP servers 1 Select Administration from the main menu and Time Zone from the submenu The Time Zone screen will display From the Date Time pull down menu select the Local Time Zone This is required in order for scheduling to work correctly The VPN firewall includes a Real Time Clock RTC which it uses for scheduling If supported in your region check the Automatically Adjust for Daylight Savings Time radio box 4 Select a NTP Server option by checking one of the following radio boxes e Use Default NTP Servers If this is enabled then the RTC Real Time Clock is updated regularly by contacting a Default Netgear NTP Server on the Internet e Use Custom NTP Servers If you prefer to use a particular NTP server enable this instead and enter the name or IP address of an NTP Server in the Server 1 Name IP Address field Router and Network Management 6 15 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual If required you can also enter the address of another NTP server in the Server 2 Name IP Address field If you select this option and leave either the Server or Server 2 fields
175. se WAN side loading are as follows e Service Blocking e Block Sites e Source MAC Filtering Router and Network Management 6 1 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Service Blocking You can control specific outbound traffic for example from LAN to WAN Outbound Services lists all existing rules for outbound traffic If you have not defined any rules only the default rule will be listed The default rule allows all outgoing traffic A Warning This feature is for Advanced Administrators only Incorrect configuration will cause serious problems Each rule lets you specify the desired action for the connections covered by the rule BLOCK always BLOCK by schedule otherwise Allow ALLOW always ALLOW by schedule otherwise Block As you define your firewall rules you can further refine their application according to the following criteria LAN Users These settings determine which computers on your network are affected by this rule Select the desired options Any All PCs and devices on your LAN Single address The rule will be applied to the address of a particular PC Address range The rule is applied to a range of addresses Groups The rule is applied to a Group you use the Network Database to assign PCs to Groups see Managing Groups and Hosts on page 3 5 WAN Users These settings determine which Internet locations are covered by t
176. sed for communications between the OfficeScan clients and the server 5 Click Apply to enable Trend Micro The Host Exclusion List table lists PCs that are allowed to access the WAN without OfficeScan client E Note The OfficeScan Server must appear in the exclusion list To allow a PC to access the web without the OfficeScan client Enter the IP address of the PC in the Host field in the Add Host section and click Add The address will be added to the Host Exclusion List table jy Security dmini at oring Web Suppo l ogout Services Schedule Block Sites Firewall Rules Source MAC Filter Port Triggering Trend Micro Q help Do you want to enable Antivirus Office Scan Server IP Address A Enforcement Office Scan Client Communication Port i O Yes No Office Scan Server HTTP Port D help Host select all delete Add Host Host Add 1 add Figure 3 6 Note Follow the instructions in the Trend Micro documentation to complete the installation and configuration of the Trend Micro OfficeScan Server LAN Configuration 3 13 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 3 14 v1 0 September 2006 LAN Configuration Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking Parents and network adminis
177. service provider log in to your account and register your new IP address To configure a Dynamic DNS address 1 Select Network Configuration from the main menu and Dynamic DNS from the submenu The Dynamic DNS Configuration screen displays The WAN Mode section displays the currently configured WAN Mode Single Port or Auto Rollover Network Configuration i y VP Admi iia oring Web ppo ogout WAN Settings WAN Mode LAN Setup LAN Groups Routing J oae nans a aoa a a Dynamic DNS Configuration 8 DynDNS Information 8 TZO Information 8 lego Registration J help Current WAN Mode Auto Rollover with Primary Broadband help Select the Dynamic DNS Service Host and Domain Name None Example DynDNS org User Name TZO com Password lego net Use wildcards Update every 30 days help Select the Dynamic DNS Service Host and Domain Name None Example DynDNS org User Name TZO com Password Iego net Use wildcards Update every 30 days Figure 2 9 If you have configured Single Port choose a DNS service provider then fill out the DDNS section for that port If you have enabled Auto Rollover choose a service provider and complete both sections Only those options that match the configured WAN Mode will be accessible Connecting the FVS338 to the Internet 2 17 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 2 Check the Dynamic DNS Service radio box you want to e
178. ses in the First IP Pool field to give to remote VPN clients Note The IP Pool should not be within your local network IP addresses Use a e different range of private IP addresses such as 172 20 xx xx 5 If you have a WINS Server on your local network enter its IP address Enter one or two DNS Server IP addresses to be used by remote VPN clients If you enable Perfect Forward Secrecy PFS select DH Group 1 or 2 This setting must match exactly the configuration of the remote VPN client 8 Specify the Local IP Subnet to which the remote client will have access Typically this is your router s LAN subnet such as 192 168 2 1 255 255 255 0 If not specified it will default to the LAN subnet of the device 5 26 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 9 Specify the VPN policy settings These settings must match the configuration of the remote VPN client Recommended settings are e SA Lifetime 3600 seconds e Authentication Algorithm SHA 1 e Encryption Algorithm 3DES 10 Click Apply The new record should appear in the VPN Remote Host Mode Config Table a sample record is shown below Eiiimicnd Operation succeeded i Client Pool Record Name Remote Users First Pool Starting IP 172 20 50 t ending ip fizz feo so 50 Second Pool Starting IP fo Io Io o Ending IP b Ib Jo fo Third Pool Sta
179. te Connected Domain Name IP Address 10 1 32 41 Which type of ISP connection do you use Login Server s Austria PPTP Subnet Mask 255 255 255 0 Idle Timeout Gateway 10 1 32 13 Other PPPoE DNS Server 10 1 1 6 BigPond Cable My IP Address DHCP Server 10 1 1 6 Server IP Address Lease Obtained Thu Jul 6 19 07 31 GMT 2006 Lease Duration 1 Day 00 00 00 2 Internet IP Address P ress help EROE TENETI Serv renew k release Figure 6 12 Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu The IPSec Connection Status screen will display Policies Certificates VPN Client Connection Status IPSec Connection Status i Active IPSec SA s Policy Name Endpoint Tx KB Tx Packets State Action to_fux 10 10 13 14 0 00 o Ipsec SA Not Established F connect Poll Interval Seconds set interval stop Figure 6 13 Table 6 3 IPSec Connection Status Fields Item Description Policy Name The name of the VPN policy associated with this SA Endpoint The IP address on the remote VPN Endpoint 6 24 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6 3 IPSec Connection Status Fields continued Item Description Tx KB The amount of data transmitted over t
180. te Management ACCESS cs eccceteeeeeeceeteeeeeeneeseeeeeeneeeneeeeenenens 6 9 Uenga SNMP ASE ocorran iaaa aE r Oa nAaR 6 11 Settings Backup and Firmware Upgrade sesssseessesssesesssssrsssrnssrrnesnnnsrnnersnennnee 6 12 Backup and Resiore SelingE jcisiccciecasias sinicceeassnisaniiagnlecsiaiaddjecmanleuianlace 6 13 ROUTER UDIrOdE sxancon a aa 6 14 Seting me TMe ZONE doroine a aa 6 15 Montong ToP ONO erssannan n 6 16 Enabling Hie Tait Melai eerus a 6 16 Setting Login Failures and Attacks Notification c ccccsseeeeeeeeeeeeeeeeeeeeeeeeeeenees 6 18 Monitoring Altached Devies ccs secsctscarienieircardetecencveneprasiebetacnisiceendiientenienine 6 20 Viewing Pon miggen SAWS sirmiiarskinaii anea ENN pac 6 21 Viewing Router Configuration and System Status cceccceeeeeeeseeeseeeeeeseeeeeeeees 6 22 Montong WAN PONE SAUS orisiirisii aeaaaee 6 23 Monitoring VPN Tunnel Connection Status 0 ccccecesceeeeeeeeeeeceeseeeeeeteneeeenenneees 6 24 SER LOO S aaa picdanben ies nei n alacane niiaeean nameMntiias 6 25 v1 0 September 2006 DHCP EOU vorrai a haavecbioed caacsehuea ceaaleaee rte ure 6 25 PTI ING DISCO SIGS sessao enuie al Muni naai ones 6 26 Chapter 7 Troubleshooting ES FUG IG ona a amature Wwicien i 7 1 Fonet LED NO O cicio S 7 1 LEDs Naver Tum J cnicnccisnion eran Ie bE 7 2 LAN or Internet Port LEDs Not On siciscccccsiciacercanctasadecanssesaadadtusoonladinssoandiasesadanaarss 7 2 Troubleshoo
181. teps to 6 14 User Database configuring 5 22 XAUTH use with 5 21 User Database screen 5 22 V Videoconferencing from restricted addresses 4 13 Virtual Private Networking See VPN VPN 5 12 activity monitoring 6 25 connection testing of 5 12 VPN Client configuration parameters example 5 14 VPN Gateway configuration of example 5 8 VPN Logs screen 6 25 VPN Pass through 4 11 VPN Policies about 5 5 Auto 5 6 fields definitions of 5 6 Manual method 5 6 VPN policy rules of use 5 6 VPN Tunnel Client to Gateway configuring 5 12 connection status monitoring 6 24 Gateway example configuration 5 8 IP Sec 4 11 L2TP 4 11 PPTP 4 11 VPN tunnel to gateway setting up 5 2 VPN Tunnels 6 6 VPN Wizard use of 5 2 VPN Wizard screen 5 2 Client use with 5 3 Gateway use with 5 8 W WAN port connection status 6 25 WAN Ports Status monitoring 6 23 WAN Users Service Blocking 6 2 Web Component Blocking 6 4 Web Components Index 7 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual content filtering 4 21 Web configuration troubleshooting 7 2 Windows NetBios Server IP See WINS Server IP WINS Server IP LAN Setup 3 3 with 7 2 X XAUTH 5 13 about 5 20 configuring 5 21 Edge Device 5 20 IPSec Host 5 20 RADIUS CHAP 5 21 RADIUS PAP 5 21 User Database 5 21 Index 8 v1 0 September 2006
182. ter s LAN If another device on your network will be the DHCP server or if you will manually configure all devices check the Disable DHCP Server radio button Enable DHCP Server is the default If Enabled is selected enter the following parameters a Enter the Domain Name of the router this is optional 3 2 LAN Configuration v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual b Enter the Starting IP Address This address specifies the first of the contiguous addresses in the IP address pool Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address The IP address 192 168 1 2 is the default start address c Enter the Ending IP Address This address specifies the last of the contiguous addresses in the IP address pool Any new DHCP client joining the LAN will be assigned an IP address between the Starting IP address and this IP address The IP address 192 168 1 100 is the default ending address Note The Starting and Ending DHCP addresses should be in the same network gt as the LAN TCP IP address of the router the IP Address in LAN TCP IP Setup section d Enter a WINS Server IP address This box can specify the Windows NetBios Server IP if one is present in your network This field is optional e Enter a Lease Time This specifies the duration for which IP addresses will be leased to clients f Check the Enable DNS Proxy ra
183. ternal IP addresses from computers on the Internet Ifyou only have a single Internet IP address you MUST use NAT NAT is the default setting Select NAT if your ISP has assigned only one IP address to you The computers that connect through the router must then be assigned IP addresses from a private subnet for example 192 168 1 0 Classical Routing In this mode the Router performs Routing but without NAT To gain Internet access each PC on your LAN must have a valid Internet IP address If your ISP has allocated many IP addresses to you and you have assigned one of these addresses to each PC you can choose Classical Routing Or you can use Classical Routing for routing private IP addresses within a campus environment Otherwise selecting this method will not allow Internet access through this Router Note The router will delete all inbound firewall rules when switching between NAT 25 and Classical Routing To configure the WAN Mode 1 Select Network Configuration from the main menu and WAN Mode from the submenu The WAN Mode screen will display 2 Check either the NAT or Classical Routing radio box NAT is the default 3 Select the Port Mode The Port Mode settings allow you to configure your router to use only one WAN port or to select the Dialup port as a backup e Ifyou are connected to only one ISP then check the Use only single WAN port and select the WAN port that is connected to your ISP fr
184. teway policy AH Authentication Header This specifies the authentication protocol for the VPN header VPN Wizard default is disabled ESP Encapsulating Security Payload This specifies the encryption protocol used for the VPN data VPN Wizard default is enabled VPN Tunnel Connection Status Recent VPN tunnel activity is shown on the IPSec Connection Status screen accessed by selecting VPN from the main menu and Connection Status from the submenu You can set a Poll Interval in seconds to check the connection status of all active IKE Policies to obtain the latest VPN tunnel activity The Active IPSec SA s table also lists current data for each active IPSec SA Security Association Policy Name The name of the VPN policy associated with this SA Endpoint The IP address on the remote VPN Endpoint Tx KBytes The amount of data transmitted over this SA Tx Packets The number of packets transmitted over this SA State The current state of the SA Phase 1 is Authentication phase and Phase 2 is Key Exchange phase Action Allows you to terminate or build the SA connection if required Virtual Private Networking 5 7 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Creating a VPN Gateway Connection Between FVS338 and FVX538 This section describes how to configure a VPN connection between a NETGEAR FVS338 VPN Firewall and a NETGEAR FVX538 VPN Firewall Using each firewa
185. the Internet However connections to the Internet will automatically be re established when possible Packet Trace Packet Trace selects the interface and starts the packet capture on that interface 6 28 Router and Network Management v1 0 September 2006 Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 50 After each problem description instructions are provided to help you diagnose and solve the problem Basic Functions After you turn on power to the firewall the following sequence of events should occur 1 When power is first applied verify that the PWR LED is on 2 After approximately 10 seconds verify that a The TEST LED is not lit b The LAN port LEDs are lit for any local ports that are connected c The Internet port LED is lit If a port s LED is lit a link has been established to the connected device If a LAN port is connected to a 100 Mbps device verify that the port s LED is green If the port is 10 Mbps the LED will be amber If any of these conditions does not occur refer to the appropriate following section Power LED Not On If the Power and other LEDs are off when your firewall is turned on e Make sure that the power cord is properly connected to your firewall and that the power supply adapter is properly connected to a functioning power outlet e Check that you are using the 12 V DC power adapt
186. the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The copyright holder s name must not be used to endorse or promote any products derived from this software without his specific prior written permission This software is provided as is with no express or implied warranties of correctness or fitness for purpose ii v1 0 September 2006 Open SSL Copyright c 1998 2000 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org 4 The names OpenSSL Toolkit and OpenSSL Project must not
187. ting the Web Configuration Interface cccsccececseeeeeneeeeeceeeeeeeeeeteaeeeeeneees 7 2 Troubleshooting the ISP Connection uso eisnasicetasasteeeutsstesdysieineeneutiniehadatingeccuiieie 7 4 Troubleshooting a TCP IP Network Using a Ping Utility cc eeceeeceeeeeeeeeeeeesteeeeeeeees 7 5 Testing the LAN Path to Your Firewall seissrssdsnsnnsnisnin 7 5 Testing the Path from Your PC to a Remote Device cccccccseceeeeseseteeeeeessteeeeeees 7 6 Restoring the Default Configuration and Password cccceeeeeeeeeeeeteeeeeeeeeeeaeeteeeeeees 7 7 Problems wilh Dale and TIME sivcendpssargesisaaientiin pap ana uaniians aaa aa 7 7 Appendix A Default Settings and Technical Specifications Appendix B Related Documents Index v1 0 September 2006 xii v1 0 September 2006 About This Manual The NETGEAR ProSafe VPN Firewall 50 FVS338 Reference Manual describes how to install configure and troubleshoot the ProSafe VPN Firewall 50 The information in this manual is intended for readers with intermediate computer and Internet skills Conventions Formats and Scope The conventions formats and scope of this manual are described in the following paragraphs Typographical Conventions This manual uses the following typographical conventions Italics Emphasis books CDs URL names Bold User input Fixed Screen text file and server names extensions commands IP addresses e Formats T
188. tings 4 Click Apply to confirm your changes The modified service will display in the Custom Services Table Specifying Quality of Service QoS Priorities The Quality of Service QoS Priorities setting determines the priority of a service which in turn determines the quality of that service for the traffic passing through the firewall The user can change this priority e On the Services screen in the Customer Services Table for customized services see Figure 4 12 e On the LAN WAN Outbound Services screen see Figure 4 11 The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall A priority is assigned to IP packets using this service Priorities are defined by the Type of Service ToS in the Internet Protocol Suite standards RFC 1349 A ToS priority for traffic passing through the VPN firewall is one of the following e Normal Service No special priority given to the traffic The IP packets for services with this priority are marked with a ToS value of 0 e Minimize Cost Used when data has to be transferred over a link that has a lower cost The IP packets for services with this priority are marked with a ToS value of 1 e Maximize Reliability Used when data needs to travel to the destination over a reliable link and with little or no retransmission The IP packets for services with this priority are marked with a ToS value of 2 e Maximize
189. tion IP Address Schedule 1 oz Hss Yo Hes Broadband LAN Users Ani WAN Users Log Figure 4 6 Any Never Y Start Finish Start Finish 4 12 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses such as from a branch office you can create an inbound rule In the example shown to the right CU SeeMe connections are allowed only from a specified range of external IP addresses Add LAN WAN Inbound Service Operation succeeded Q help Service CU SEEME UDP vj Action ALLOW by schedule otherwise block Select Schedule Schedule 1 Send to LAN Server 192 168 Jlo faa Translate to Port Number Public Destination IP Address Broadband v LAN Users set M iit Finish i WAN Users Address Range start 134 a77 as Finish 134 i77 ee_ 25q1 Log Neyer v Figure 4 7 Setting Up One to One NAT Mapping In this example we will configure multi NAT to support multiple public IP addresses on one WAN interface By creating an inbound rule we will configure the firewall to host an additional public IP address and ass
190. tion example 5 25 guidelines 5 26 VPN Client configuration example 5 30 modem 1 2 Multi Home LAN IPs Setup link 3 4 multicasting guidelines 3 12 IP Subnet Mask 3 2 N WINS Server IP 3 3 LAN Setup screen 3 1 NaS Identifier use with RADIUS 5 24 LAN Users Service Blocking 6 2 NAT 4 1 4 4 LAN WAN Inbound Rules NetBIOS 3 5 configuring 4 9 Network 4 1 LAN WAN Outbound Rules Network Access Server 5 24 configuring 4 8 Network Address Translation 1 3 LAN WAN Rules Network Address Translation See NAT Index 4 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Network Database adding computers 3 6 creating 3 5 Network Time Protocol See NTP newsgroup 4 21 NTP servers configuring 6 15 troubleshooting 7 7 O OfficeScan Server 3 13 One to One NAT Mapping 4 13 Outbound Rules 4 2 examples of 4 16 Fields description of 4 3 firewall 4 2 port filtering 4 2 service blocking 4 2 P package contents 1 5 Packet Trace 6 28 Passwords changing 6 7 restoring 7 7 performance management 6 1 Ping Troubleshooting TCP IP 7 5 pinging an IP address 6 26 port filtering 4 2 Outbound Rules 4 2 Port Forwarding 4 2 4 4 6 4 Inbound Rules 4 4 port forwarding 6 4 port numbers 4 7 port service numbers common protocols 4 17 Port Triggering 6 6 about 4 24 guidelines 4 24 Status 4 26 status 6 2 Port Triggering screen 4 25 6 2 Power LED Not On 7 1 PPP over Ethernet 3 PPPoE 3 P
191. trators can establish restricted access policies based on time of day Web addresses and Web address keywords You can also block Internet access by applications and services such as chat or games It also provides various firewall activity reports and instant alerts via e mail About Firewall Security A firewall is a special category of router that protects one network the trusted network such as your LAN from another the untrusted network such as the Internet while allowing communication between the two A firewall incorporates the functions of a NAT Network Address Translation router while adding features for dealing with a hacker intrusion or attack and for controlling the types of traffic that can flow between the two networks Unlike simple Internet sharing NAT routers a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request but true Stateful Packet Inspection goes far beyond NAT Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through from one side to the other You can configure up to 600 rules on the FVS338 Inbound rules WAN to LAN restrict access by outsiders to private resources selectively allowing only specific outside users to access specific
192. tries to access a blocked site You must have e mail notification enabled to receive the logs in an e mail message If you don t have e mail notification enabled you can view the logs on the Logs screen see Figure 4 18 on page 4 28 Selecting all events will increase the size of the log so it is good practice to select only those events which are required Firewall Protection and Content Filtering 4 27 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Firewall Logs amp E mail i Log Options 2 i Send logs according to this schedule Unit Never Log Identifier F S338 Day Sunday Time E00 J 2 Security Logs 2 System Logs Accepted Packets Dropped Packets O Change of time by NTP C Lan to wan CI Lan to wan C Login attempts C wan to Lan C wan to Lan Secure Login attempts O Reboots CO Inbound WAN Packets Dropped C Inbound LAN Packets Dropped A i Enable E Mail Logs CS Ln Return E Mail Address Send to E Mail Address Do you want logs to be emailed to you No Authentication Yes No Login Plain CRAM MDS User Name Password Respond to Identd from SMTP Server Enable SysLogs Do you want to enable syslog SysLog Server Yes No SysLog Facility 909 Figure 4 18 To set up Firewall Logs and E mail alerts 1 Select Monitoring from the main menu and then Firewall Logs amp E mail from the subm
193. ts encrypted packets will be sent to this router Since this router filters the encrypted packets through NAT the packets will become invalid unless VPN Pass through is enabled When enabled the VPN tunnel will pass the VPN traffic without any filtering Tunnels can be IPSec PPIP L2TP To select the appropriate checkbox for your requirement 1 Select Security from the main menu Firewall Rules from the submenu and then the Attack Checks tab The Attack Checks screen will display 2 Check the radio boxes of the Attack Checks you wish to initiate Click Apply to save your settings Firewall Protection and Content Filtering 4 11 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Attack Checks WAN Security Checks LAN Security Checks o Respond to Ping on Internet Ports F Block UDP flood Enable Stealth Mode PN Pass through Mw IPsec pete M vet C Block TCP flood Figure 4 5 Inbound Rules Examples Hosting A Local Public Web Server If you host a public Web server on your local network you can define a rule to allow inbound Web HTTP requests from any outside IP address to the IP address of your Web server at any time of day This rule is shown in Figure 4 6 Operation succeeded i Inbound Service Service HTTP Action ALLOW always Select Schedule Send to LAN Server Translate to Port Number C Public Destina
194. u should see a message like this one Pinging lt IP address gt with 32 bytes of data If the path is working you see this message Reply from lt IP address gt bytes 32 time NN ms TTL xxx If the path is not working you see this message Request timed out Troubleshooting 7 5 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual If the path is not functioning correctly you could have one of the following problems Wrong physical connections Make sure the LAN port LED is on If the LED is off follow the instructions in LAN or Internet Port LEDs Not On on page 7 2 Check that the corresponding Link LEDs are on for your network interface card and for the hub ports if any that are connected to your workstation and firewall Wrong network configuration Verify that the Ethernet card driver software and TCP IP software are both installed and configured on your PC or workstation Verify that the IP address for your firewall and your workstation are correct and that the addresses are on the same subnet Testing the Path from Your PC to a Remote Device After verifying that the LAN path works correctly test the path from your PC to a remote device From the Windows run menu type PING n 10 lt P address gt where lt P address gt is the IP address of a remote device such as your ISP s DNS server If the path is functioning correctly replies as in the prev
195. und Service screen will display containing the data for the selected rule see Figure 4 3 on page 4 9 e Up to move the rule up one position in the table rank Firewall Protection and Content Filtering 4 7 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Down to move the rule down one position in the table rank 2 Check the radio box adjacent to the rule and click e Click Disable to disable the rule The Status icon will change from green to grey indicating that the rule is disabled By default when a rule is added to the table it is automatically enabled e Click Delete to delete the rule 3 Click Select All to select all rules A check will appear in the radio box for each rule LAN WAN Outbound Services Rules You may define additional rules that will specify exceptions to the default rules By adding custom rules you can block or allow access based on the service or application source or destination IP addresses and time of day You can also tailor these rules to your specific needs see Administrator Information on page 4 31 Ky Note This feature is for Advanced Administrators only Incorrect configuration will cause serious problems To create a new outbound service rule 1 Click Add under the Outbound Services Table The Add LAN WAN Outbound Service screen will display 2 Complete the Outbound Service screen and save the data see Table 4 1 on pag
196. urrent configuration and restore factory defaults in two ways e Use the Erase function of the firewall see Backup and Restore Settings on page 6 13 e Use the reset button on the rear panel of the firewall Use this method for cases when the administration password or IP address is not known To restore the factory default configuration settings without knowing the administration password or IP address you must use the reset button on the rear panel of the firewall 1 Press and hold the reset button until the Test LED turns on and begins to blink about 10 seconds 2 Release the reset button and wait for the firewall to reboot Problems with Date and Time The E Mail menu in the Content Filtering section displays the current date and time of day The VPN firewall uses the Network Time Protocol NTP to obtain the current time from one of several Network Time Servers on the Internet Each entry in the log is stamped with the date and time of day Problems with the date and time function can include e Date shown is January 1 2000 Cause The firewall has not yet successfully reached a Network Time Server Check that your Internet access settings are configured correctly If you have just completed configuring the firewall wait at least five minutes and check the date and time again e Time is off by one hour Cause The firewall does not automatically sense Daylight Savings Time In the E Mail menu check or uncheck the box
197. ve humidity noncondensing Electromagnetic Emissions Meets requirements of FCC Part 15 Class B VCCI Class B EN 55 022 CISPR 22 Class B Interface Specifications LAN 10BASE T or 100BASE Tx RJ 45 WAN 10BASE T or 100BASE Tx and 9 pin DIN Serial Default Settings and Technical Specifications v1 0 September 2006 A 3 FVS338 ProSafe VPN Firewall 50 Reference Manual A 4 Default Settings and Technical Specifications v1 0 September 2006 Appendix B Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product Document Link Internet Networking and TCP IP Addressing Wireless Communications Preparing a Computer for Network Access Virtual Private Networking VPN Glossary http documentation netgear com reference enu tcpip index htm http documentation netgear com reference enu wireless index htm http documentation netgear com reference enu wsdhcp index htm http documentation netgear com reference enu vpn index htm http documentation netgear com reference enu glossary index htm Related Documents B 1 v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual B 2 Related Documents v1 0 September 2006 A Add LAN WAN Inbound Service screen 4 9 4 13 Add LAN WAN Outbound Service screen 4 8 address
198. vent users from using applications such as AOL Instant Messenger Real Audio or other non essential sites If you want to block AOL Instant Messenger usage by employees during working hours you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu You can also have the firewall log any attempt to use Instant Messenger during that blocked period 4 16 Firewall Protection and Content Filtering v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual Add LAN WAN Outbound Service Operation succeeded Q re Service Action Select Schedule Schedule 1 LAN Users Any v Start ee ee a ee Finish es fae WAN Users Any v Start a ant Finish i im QoS Priority Normal Service v Log Never v C Apply Reset Figure 4 11 Adding Customized Services Services are functions performed by server computers at the request of client computers You can configure up to 125 custom services For example Web servers serve Web pages time servers serve time and date information and game hosts serve data about other players moves When a computer on the Internet sends a request for service to a server computer the requested service is identified by a service or port number This number appears as the destination port number in the transmitted IP packets For
199. vices PCs and devices become known by the following methods DHCP Client Request By default the DHCP server in this Router is enabled and will accept and respond to DHCP client requests from PCs and other network devices These requests also generate an entry in the Network Database Because of this leaving the DHCP Server feature on the LAN screen enabled is strongly recommended e Scanning the Network The local network is scanned using standard methods such as ARP This will detect active devices which are not DHCP clients However sometimes the name of the PC or device cannot be accurately determined and will be shown as Unknown See Managing Groups and Hosts on page 3 5for the procedure on how to use this feature Schedule If you have set firewall rules on the Rules screen you can configure three different schedules i e schedule 1 schedule 2 and schedule 3 for when a rule is to be applied Once a schedule is configured it affects all Rules that use this schedule You specify the days of the week and time of day for each schedule See Setting a Schedule to Block or Allow Traffic on page 4 20 for the procedure on how to use this feature Block Sites If you want to reduce traffic by preventing access to certain sites on the Internet you can use the VPN firewall s filtering feature By default this feature is disabled all requested traffic from any Web site is allowed e Keyword and Domain Name Bl
200. word Time Zone n SNMP SNMP System Info help IP Address Port Community Action select all delete Create New SNMP Configuration Entry IP Address Port Community Add LE SNMP SysConfiguration SysLocation netgear SysName F S338 Figure 6 3 The SNMP System Info link displays the VPN firewall identification information available to the SNMP Manager System Contact System Location and System name To modify the SNMP System contact information 1 Click the SNMP System Info link The SNMP SysConfiguration screen will display 2 Modify any of the contact information that you want the SNMP Manager to use 3 Click Apply to save your settings Settings Backup and Firmware Upgrade Once you have installed the VPN firewall and have it working properly you should back up a copy of your setting so that it is if something goes wrong When you backup the settings they are saved as a file on your computer You can then restore the VPN firewall settings from this file The Settings Backup amp Upgrade screen allows you to e Back up and save a copy of your current settings e Restore saved settings from the backed up file 6 12 Router and Network Management v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual e Revert to the factory default settings e Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware ve
201. y 5 28 Virtual Private Networking v1 0 September 2006 FVS338 ProSafe VPN Firewall 50 Reference Manual 9 If Edge Device was enabled select the Authentication Type from the pull down menu which will be used to verify account information User Database RADIUS CHAP or RADIUS PAP Users must be added thorough the User Database screen see User Database Configuration on page 5 22 or RADIUS Client Configuration on page 5 23 Note If RADIUS PAP is selected the router will first check the User Database to see if the user credentials are available If the user account is not present the router will then connect to the RADIUS server 10 Click Apply The new policy will appear in the IKE Policies Table a sample policy is shown below Add New VPN Policy Operation succeeded i Do you want to use Mode Config Record ves O No Select Mode Config Record sales v J view se lectea i Local Identification Mode Config Record i General Policy Name Direction Type Responder Exchange Mode i Peer IKE Identification Aggressive Identifier Type So05 Identifier Identifier Type Fado Identifier IKE SA Parameters Encryption Algorithm 3DES Authentication Algorithm Pre shared key SA Lifetime sec SHA 1 i4
Download Pdf Manuals
Related Search