NETGEAR FVX538 ProSafe VPN Firewall 200 Reference Manual
Contents
1. [Figure 4-5: Add DMZ WAN Outbound Services screen. Fields: Service (ANY), Action (BLOCK always), Select Schedule (Schedule 1), DMZ Users, WAN Users, QoS Priority (Normal).]

Firewall Protection and Content Filtering, 4-11. v1.0, August 2006. ProSafe VPN Firewall 200 FVX538 Reference Manual.

To change the Default Outbound Policy:

    1. Select Security from the main menu, Firewall Rules from the submenu, and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display.
    2. Click Add under the Outbound Services table. The Add DMZ WAN Outbound Services screen will display.
    3. Accept the default settings to block all services, or select a specific service to block from the Services pull-down menu.
    4. Click Apply. The Block Always rule will appear in the Outbound Services table. The rule is automatically enabled.

The procedures described in "Setting LAN WAN Rules" on page 4-7 for setting inbound and outbound rules on the standard LAN firewall are the same as the procedures used for setting inbound and outbound rules on the DMZ port firewall.

Setting LAN DMZ Rules

The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies allow all traffic between the local LAN and the DMZ network. Firewall rules can then be applied to block specific types of
2. [Figure 3-7: Static Routes and RIP Configuration screen. Static route columns: Destination, Gateway, Interface, Active, Private, Action (select all, delete, add). RIP fields: RIP Direction (Both), RIP Version (RIP-2B), Authentication for RIP-2B/2M required (Yes/No), First Key Parameters and Second Key Parameters, each with MD5 Key ID, MD5 Auth Key (length 16 characters), Not Valid Before and Not Valid After (MM/DD/YYYY HH:MM:SS).]

    3. From the RIP Version pull-down menu, select the version:
       RIP-1: classful routing that does not include subnet information. This is the most commonly supported version.
       RIP-2: supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format.
       RIP-2B: sends the routing data in RIP-2 format and uses subnet broadcasting.
       RIP-2M: sends the routing data in RIP-2 format and uses multicasting.
    4. Authentication for RIP-2B/2M required: if you selected RIP-2B or RIP-2M, check the Yes radio box to enable the feature and enter the First Key Parameters and Second Key Parameters, the MD5 keys used to authenticate between routers.
    5. Click Reset to discard any changes and revert to the previous settings.
    6. Click Save to save your settings.

Note: Without authentication, RIP accepts route updates from any host on the segment. The two key sets, each with its own validity window, let you change the key without a gap in authentication.

Static Route Example

For exam
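The key table described in step 4 (two MD5 keys, each with a Key ID, a 16-character key and a validity window) is the input to RIP-2's keyed-MD5 authentication, RFC 2082. The following is an added example, not the FVX538's own code: it builds and verifies the RFC 2082 authentication entry and digest trailer, and selects the key by validity window. How NETGEAR's firmware chooses between the two keys is not documented here; "first key whose window covers the send time" is an assumption of this example, as are the sample keys and the 192.168.10.0/24 route.

```python
"""RIP-2 keyed-MD5 authentication (RFC 2082) with timed key selection.

Added example, not the FVX538's own code. It models the key table the manual
describes (two MD5 keys, each with a Key ID, a 16-character key and a
Not-Valid-Before / Not-Valid-After window) and builds and checks the RFC 2082
authentication header and digest trailer. Selecting the first key whose window
covers the send time is an assumption of this example.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from datetime import datetime

RIP_AUTH_FAMILY = 0xFFFF   # address family that marks an authentication entry
AUTH_TYPE_MD5 = 0x0003     # keyed-MD5 (RFC 2082); 0x0002 would be plaintext (RFC 2453)
AUTH_TRAILER_TYPE = 0x0001
DIGEST_LEN = 16
AUTH_HDR = "!HHHBBI8x"     # family, type, packet length, key id, auth len, seq, 8 reserved


@dataclass
class Md5Key:
    key_id: int
    secret: bytes            # the screen allows 16 characters; shorter keys are zero-padded
    not_before: datetime
    not_after: datetime

    def valid_at(self, when):
        return self.not_before <= when <= self.not_after


def select_key(keys, when):
    """Return the first key whose validity window covers `when` (assumed rollover rule)."""
    for key in keys:
        if key.valid_at(when):
            return key
    raise LookupError("no RIP-2 MD5 key is valid at %s" % when)


def _padded(key):
    return key.secret.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]


def sign_rip2(rip_header, entries, key, seq):
    """Build header + auth entry + RTEs + trailer, then MD5 over all of it plus the key."""
    packet_len = len(rip_header) + struct.calcsize(AUTH_HDR) + sum(len(e) for e in entries)
    packet = rip_header + struct.pack(AUTH_HDR, RIP_AUTH_FAMILY, AUTH_TYPE_MD5,
                                      packet_len, key.key_id, DIGEST_LEN, seq) + b"".join(entries)
    trailer = struct.pack("!HH", RIP_AUTH_FAMILY, AUTH_TRAILER_TYPE)
    # RFC 2082: the padded key stands in for the digest while hashing; the digest replaces it.
    digest = hashlib.md5(packet + trailer + _padded(key)).digest()
    return packet + trailer + digest


def verify_rip2(message, keys, when=None):
    """True if the digest checks out under the key named in the auth entry (and that key
    is valid at `when`, if given). The digest compare is constant-time."""
    hdr_len = struct.calcsize(AUTH_HDR)
    if len(message) < 4 + hdr_len + 4 + DIGEST_LEN:
        return False
    family, atype, packet_len, key_id, auth_len, _seq = struct.unpack(AUTH_HDR, message[4:4 + hdr_len])
    if family != RIP_AUTH_FAMILY or atype != AUTH_TYPE_MD5 or auth_len != DIGEST_LEN:
        return False
    if packet_len + 4 + DIGEST_LEN != len(message):
        return False
    key = next((k for k in keys if k.key_id == key_id), None)
    if key is None or (when is not None and not key.valid_at(when)):
        return False
    packet, trailer, digest = message[:packet_len], message[packet_len:packet_len + 4], message[packet_len + 4:]
    if trailer != struct.pack("!HH", RIP_AUTH_FAMILY, AUTH_TRAILER_TYPE):
        return False
    expected = hashlib.md5(packet + trailer + _padded(key)).digest()
    return hmac.compare_digest(expected, digest)


def demo():
    """Constructed sample: one RTE for 192.168.10.0/24 and two keys with disjoint windows."""
    keys = [
        Md5Key(1, b"first-key-secret", datetime(2006, 1, 1), datetime(2006, 12, 31)),
        Md5Key(2, b"second-key-secre", datetime(2007, 1, 1), datetime(2007, 12, 31)),
    ]
    now = datetime(2006, 7, 7, 20, 18, 45)
    key = select_key(keys, now)
    header = b"\x02\x02\x00\x00"  # command=response, version=2, routing domain=0
    rte = struct.pack("!HHIIII", 2, 0, 0xC0A80A00, 0xFFFFFF00, 0, 1)  # AF_INET, tag, net, mask, nexthop, metric 1
    msg = sign_rip2(header, [rte], key, seq=1)
    # The metric is the last 4 bytes of the RTE: header(4) + auth(20) + RTE(20) puts it at 40..44.
    tampered = msg[:40] + struct.pack("!I", 15) + msg[44:]
    return {
        "key_id": key.key_id,
        "length": len(msg),
        "valid": verify_rip2(msg, keys, now),
        "tampered": verify_rip2(tampered, keys, now),
        "unknown_key": verify_rip2(msg, keys[1:], now),
        "expired_key": verify_rip2(msg, keys, datetime(2007, 7, 7)),
    }


if __name__ == "__main__":
    print(demo())
```

The sequence number in the auth entry is what a receiver uses against replay (RFC 2082 says to reject a sequence number lower than the last accepted one from that neighbour); the example carries it but leaves that per-neighbour bookkeeping to the caller. Note that keyed MD5 is what the protocol specifies, not HMAC, so the strength of this scheme rests entirely on the secrecy and length of the 16-byte key.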
3. Figure 4-2 on page 4-8.

To manually configure your WAN1 ISP settings:

    1. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select Yes. Otherwise, select No.
    2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in: check the Yes radio box. The text box fields that require data entry will be highlighted based on the connection that you selected. If your ISP has not assigned any login information, then choose the No radio box and skip this section. For example:
       Austria (PPTP): if your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this, then fill in the following highlighted fields.
    3. Account Name (also known as Host Name or System Name): enter the valid account name for the PPTP connection, usually your e-mail ID assigned by your ISP. Some ISPs require entering your full e-mail address here.
       Domain Name: your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave this field blank.
       Idle Timeout: check the Keep Connected radio box to keep the connection always on. To log out after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait befor
4. [Figure 5-8: Edit VPN Policy screen. Policy Type: Auto Policy. Local IP: Subnet (Start IP Address, End IP Address, Subnet Mask). Remote IP: Any (Start IP Address, End IP Address, Subnet Mask). Manual Policy Parameters: SPI Incoming (Hex,  3-8 chars), SPI Outgoing (Hex, 3-8 chars).]

You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen will display. Then view or edit the parameters of the Home policy by clicking Edit in the Action column adjacent to the policy. The Edit VPN Policy screen will display.

[IKE Policies table as shown on the screen (Operation succeeded):]

    Name      Mode        Local ID         Remote ID         Encr   Auth   DH
    Offsite   Main        10.1.31.40       10.1.1.150        3DES   SHA-1  Group 2 (1024 bit)
    home      Aggressive  fvx_local.com    fvx_remote.com    3DES   SHA-1  Group 2 (1024 bit)
    (the home row is a Client Policy)

[Add VPN Policy screen (Operation succeeded): Do you want to use Mode Config Record? (Yes / No). Policy Name: home. Direction/Type: Responder. Select Mode Config Record: modeconfig. Exchange Mode: Aggressive. Select Local Gateway: WAN1 / WAN2. Identifier Type
5. [Figure 6-3: SNMP SysConfiguration screen. SysContact: admin. SysLocation: netgear. SysName: FVX538.]

The SNMP System Info link displays the VPN firewall identification information available to the SNMP Manager: System Contact, System Location and System Name.

To modify the SNMP System contact information:

    1. Click the SNMP System Info link. The SNMP SysConfiguration screen will display.
    2. Modify any of the contact information that you want the SNMP Manager to use.
    3. Click Apply to save your settings.

Settings Backup and Firmware Upgrade

Once you have installed the VPN firewall and have it working properly, you should back up a copy of your settings so that you can restore them if something goes wrong. When you back up the settings, they are saved as a file on your computer. You can then restore the VPN firewall settings from this file. The Settings Backup and Firmware Upgrade screen allows you to:

    • Back up and save a copy of your current settings.
    • Restore saved settings from the backed-up file.
    • Revert to the factory default settings.
    • Upgrade the VPN firewall firmware from a saved file on your hard disk, to use a different firmware version.

Note: The backup file is the firewall's complete configuration, including its credentials and VPN keys; store it where only administrators can read it.

Backup and Restore Settings

To back up and restore settings:

    1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade scre
6. [Figure 3-4: Groups and Hosts screen. Edit Group Names: Name, IP Address (9300UNIT3, 192.168.1.2), Assigned IP Address. Network Database: Group Names (select all), Add Known PCs and Devices (Name, IP Address Type: Fixed (set on PC), IP Address), e.g. Warehouse.]

Setting Up Address Reservation

When you specify a reserved IP address for a device on the LAN based on the MAC address of the device, that computer or device will always receive the same IP address each time it accesses the firewall's DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP settings. The reserved IP address that you select must be outside of the DHCP server pool.

To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see "Creating the Network Database" on page 3-6).

Note: The reserved address will not be assigned until the next time the PC contacts the firewall's DHCP server. Reboot the PC, or access its IP configuration and force a DHCP release and renew.

Configuring and Enabling the DMZ Port

The De-Militarized Zone (DMZ) is a network which, when compared to the LAN, has fewer firewall restrictions by default. This zone can be used to host serv
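The one rule the text states for reservations (the address must be outside the DHCP pool) is easy to get wrong when the pool is resized later. The following added example, not NETGEAR code, checks a reservation table the way an administrator would before applying it: address inside the LAN subnet and not its network or broadcast address, outside the pool, and no MAC or IP reserved twice. The subnet, pool and entries are constructed; only the name 9300UNIT3 at 192.168.1.2 comes from the figure, and its MAC address is made up.

```python
"""Check a DHCP address-reservation table before applying it.

Added example, not NETGEAR code. Enforces the manual's rule (a reserved address
must lie outside the DHCP server pool) plus subnet membership, network/broadcast
exclusion and duplicate MAC/IP detection. Sample data is constructed.
"""
import ipaddress


def check_reservations(lan_cidr, pool_start, pool_end, reservations):
    """Return [(entry, problem), ...]; an empty list means the table is consistent."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if start not in net or end not in net or start > end:
        problems.append(("pool", "DHCP pool %s-%s is not a valid range inside %s" % (start, end, net)))
    seen_mac, seen_ip = {}, {}
    for name, mac, ip in reservations:
        mac_norm = mac.lower().replace("-", ":")   # accept 00-1B-.. and 00:1b:.. spellings
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            problems.append((name, "%s is outside the LAN subnet %s" % (addr, net)))
        elif addr in (net.network_address, net.broadcast_address):
            problems.append((name, "%s is the network or broadcast address" % addr))
        elif start <= addr <= end:
            problems.append((name, "%s falls inside the DHCP pool %s-%s" % (addr, start, end)))
        if mac_norm in seen_mac:
            problems.append((name, "MAC %s is already reserved for %s" % (mac_norm, seen_mac[mac_norm])))
        else:
            seen_mac[mac_norm] = name
        if addr in seen_ip:
            problems.append((name, "address %s is already reserved for %s" % (addr, seen_ip[addr])))
        else:
            seen_ip[addr] = name
    return problems


def demo():
    """Constructed table: LAN 192.168.1.0/24, pool .100-.200 (assumed), four reservations."""
    reservations = [
        ("9300UNIT3", "00:1b:2f:aa:bb:01", "192.168.1.2"),    # fine: outside the pool
        ("Warehouse", "00-1B-2F-AA-BB-02", "192.168.1.150"),  # inside the pool
        ("AP-1",      "00:1b:2f:aa:bb:01", "192.168.1.3"),    # reuses 9300UNIT3's MAC
        ("Printer",   "00:1b:2f:aa:bb:04", "192.168.2.10"),   # wrong subnet
    ]
    return check_reservations("192.168.1.0/24", "192.168.1.100", "192.168.1.200", reservations)


if __name__ == "__main__":
    for entry, problem in demo():
        print("%-10s %s" % (entry, problem))
```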
7. [Figure 5-11: VPN Policies table controls: delete, enable, disable, add.]

To view the VPN Policy parameters:

    1. Click Edit in the Action column adjacent to the to_fvs policy. The Edit VPN Policy screen will display. It should not be necessary to make any changes.
    2. View the IKE Policy statistics associated with this policy by clicking View Selected.

[Figure 5-12: Edit VPN Policy screen (Operation succeeded). General: Policy Name, Policy Type (Auto Policy), Select Local Gateway (WAN1 / WAN2), Remote Endpoint (IP Address / FQDN), Enable NetBIOS. Traffic Selection: Local IP (Subnet: Start IP Address, End IP Address, Subnet Mask), Remote IP (Start IP Address, End IP Address, Subnet Mask). Manual Policy Parameters: SPI Incoming (Hex, 3-8 chars), SPI Outgoing (Hex, 3-8 chars), Encryption Algorithm (3DES), Key In, Key Out (DES 8 chars, 3DES 24 chars), Integrity Algorithm (SHA-1), Key In, Key Out (MD5 16 chars, SHA-1 20 chars). Auto Policy Parameters: SA Lifetime 86400 sec, Encryption Algorithm 3DES, Integrity Algorithm SHA-1, PFS Key Group (Group 1, 768 bit), Select IKE Policy (to_fvs), SA Lifetime kB
8. [View Selected IKE Policy screen (Operation succeeded). Policy Name; Direction/Type; Exchange Mode; Enable XAUTH Client. Local Identification: Identifier Type IP Address, Identifier 10.1.31.52. IKE Identification: Identifier Type IP Address, Identifier 10.1.1.150. IKE SA Parameters: Encryption Algorithm 3DES, Authentication Algorithm SHA-1, Authentication Method Pre-shared key, Pre-shared key 12345678, Diffie-Hellman (DH) Group: Group 2 (1024 bit), SA Lifetime 28800 sec.]

Note: The pre-shared key 12345678 shown in the screenshots is a placeholder, not a value to deploy.

To view the IKE Policy configuration parameters:

    1. Select the IKE Policies tab. The IKE Policies table will display.
    2. Select to_fvs and click Edit. It should not be necessary to make any changes.

[Figure 5-13: IKE Policies table.]

    Name     Mode        Local ID        Remote ID        Encr   Auth   DH                  Action
    home     Aggressive  fvx_local.com   fvx_remote.com   3DES   SHA-1  Group 2 (1024 bit)  edit
    to_fvs   Main        10.1.31.40      10.1.1.150       3DES   SHA-1  Group 2 (1024 bit)  edit
    (the home row is a Client Policy)

[Add New VPN Policy screen (Operation succeeded): Do you want to use Mode Config Record? Yes. Select Mode Config Record. Local Identification. Do you want to use Mode Co
9. [Figure 6-14: VPN Logs screen (buttons: refresh, clear log).]

    2006-07-07 20:18:45: INFO: racoon 20001216 20001216 sakane@kame.net
    2006-07-07 20:18:45: INFO: This product linked OpenSSL 0.9.7c 30 Sep 2003 (http
    2006-07-07 20:18:45: NOTIFY: NAT-T is enabled, autoconfiguring ports
    2006-07-07 20:18:45: INFO: 192.168.1.1[500] used as isakmp port (fd=7)
    2006-07-07 20:18:45: INFO: 192.168.1.1[4500] used as isakmp port (fd=8)
    2006-07-07 20:18:45: INFO: 192.168.1.1[4500] used for NAT-T
    2006-07-07 20:18:45: INFO: 10.1.32.40[500] used as isakmp port (fd=9)
    2006-07-07 20:18:45: INFO: 10.1.32.40[4500] used as isakmp port (fd=10)
    2006-07-07 20:18:45: INFO: 10.1.32.40[4500] used for NAT-T
    2006-07-07 20:18:45: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
    2006-07-07 20:18:45: INFO: 127.0.0.1[4500] used as isakmp port (fd=12)
    2006-07-07 20:18:45: INFO: 127.0.0.1[4500] used for NAT-T
    2006-07-07 20:18:49: INFO: IPsec-SA request for 10.1.1.150 queued due to no phase1 found.
    2006-07-07 20:18:49: INFO: initiate new phase 1 negotiation: 10.1.32.40[500]<=>10.1.
    2006-07-07 20:18:49: INFO: begin Identity Protection mode.

DHCP Log

You can view the DHCP log from the LAN Setup screen. Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link. Network Co
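The VPN log above is the output of racoon, the ipsec-tools IKE daemon, and its message formats are regular enough to parse. The following added example, not part of the manual, classifies such lines into listeners, NAT-T ports, queued IPsec-SA requests and phase 1 initiations, and reports peers that were queued but never got a phase 1. The sample lines are a cleaned transcription of the figure; the phase 1 line the screenshot cuts off is completed with 10.1.1.150, the peer the preceding "queued" line names, which is an assumption of this example.

```python
"""Summarise racoon (ipsec-tools) VPN log lines like those in Figure 6-14.

Added example, not part of the manual. The regular expressions follow racoon's
normal message formats; SAMPLE_LOG is a cleaned transcription of the figure
with the cut-off phase 1 line completed using 10.1.1.150 (an assumption).
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): (?P<msg>.*)$")
PORT_RE = re.compile(r"^(?P<addr>[\d.]+)\[(?P<port>\d+)\] used (?:as isakmp port \(fd=(?P<fd>\d+)\)|for NAT-T)$")
QUEUED_RE = re.compile(r"^IPsec-SA request for (?P<peer>[\d.]+) queued due to no phase1 found\.$")
PHASE1_RE = re.compile(r"^initiate new phase 1 negotiation: (?P<local>[\d.]+)\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]$")

SAMPLE_LOG = """\
2006-07-07 20:18:45: INFO: racoon 20001216 20001216 sakane@kame.net
2006-07-07 20:18:45: INFO: This product linked OpenSSL 0.9.7c 30 Sep 2003
2006-07-07 20:18:45: NOTIFY: NAT-T is enabled, autoconfiguring ports
2006-07-07 20:18:45: INFO: 192.168.1.1[500] used as isakmp port (fd=7)
2006-07-07 20:18:45: INFO: 192.168.1.1[4500] used as isakmp port (fd=8)
2006-07-07 20:18:45: INFO: 192.168.1.1[4500] used for NAT-T
2006-07-07 20:18:45: INFO: 10.1.32.40[500] used as isakmp port (fd=9)
2006-07-07 20:18:45: INFO: 10.1.32.40[4500] used as isakmp port (fd=10)
2006-07-07 20:18:45: INFO: 10.1.32.40[4500] used for NAT-T
2006-07-07 20:18:45: INFO: 127.0.0.1[500] used as isakmp port (fd=11)
2006-07-07 20:18:45: INFO: 127.0.0.1[4500] used as isakmp port (fd=12)
2006-07-07 20:18:45: INFO: 127.0.0.1[4500] used for NAT-T
2006-07-07 20:18:49: INFO: IPsec-SA request for 10.1.1.150 queued due to no phase1 found.
2006-07-07 20:18:49: INFO: initiate new phase 1 negotiation: 10.1.32.40[500]<=>10.1.1.150[500]
2006-07-07 20:18:49: INFO: begin Identity Protection mode.
"""


def parse_line(line):
    """Split one line into date, time, level and message, or None if it is not a racoon line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(lines):
    """Classify each line; `pending` lists peers queued for phase 1 that never got one."""
    out = {"levels": Counter(), "listeners": [], "nat_t": [], "queued": [], "phase1": [], "unparsed": 0}
    for raw in lines:
        rec = parse_line(raw.rstrip())
        if rec is None:
            out["unparsed"] += 1
            continue
        out["levels"][rec["level"]] += 1
        msg = rec["msg"]
        m = PORT_RE.match(msg)
        if m:
            target = out["listeners"] if m.group("fd") else out["nat_t"]
            target.append((m.group("addr"), int(m.group("port"))))
            continue
        m = QUEUED_RE.match(msg)
        if m:
            out["queued"].append(m.group("peer"))
            continue
        m = PHASE1_RE.match(msg)
        if m:
            out["phase1"].append((m.group("local"), m.group("peer")))
    started = {peer for _, peer in out["phase1"]}
    out["pending"] = [p for p in out["queued"] if p not in started]
    return out


def demo():
    return summarise(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-10s %s" % (key, value))
```

Two things the summary makes visible that are easy to miss in the raw screen: the daemon binds UDP 500 and 4500 on the LAN address (192.168.1.1) as well as on the WAN address and loopback, which matters if LAN hosts are not supposed to negotiate IKE with the firewall, and "Identity Protection mode" is racoon's name for Main Mode, so this tunnel is the to_fvs Main Mode policy rather than the Aggressive Mode client policy.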
10. Each rule lets you specify the desired action for the connections covered by the rule:

    • BLOCK always
    • BLOCK by schedule, otherwise Allow
    • ALLOW always
    • ALLOW by schedule, otherwise Block

You can also enable a check on special rules:

    • VPN Passthrough: enable this to pass VPN traffic without any filtering; it is specially used when this firewall is between two VPN tunnel end points.
    • Drop fragmented IP packets: enable this to drop fragmented IP packets.
    • UDP Flooding: enable this to limit the number of UDP sessions created from one LAN machine.
    • TCP Flooding: enable this to protect the router from SYN flood attacks.
    • Enable DNS Proxy: enable this to allow incoming DNS queries.
    • Enable Stealth Mode: enable this to set the firewall to operate in stealth mode.

As you define your firewall rules, you can further refine their application according to the following criteria:

    • LAN Users: these settings determine which computers on your network are affected by this rule. Select the desired IP address in this field.
    • WAN Users: these settings determine which Internet locations are covered by the rule, based on their IP address.
        Any: the rule applies to all Internet IP addresses.
        Single address: the rule applies to a single Internet IP address.
        Address range: the rule is applied to
11. [Figure 5-9: Add IKE Policy screen (continued). Local/Remote Identification: Identifier Type FQDN, Identifier fvx_remote.com. IKE SA Parameters: Encryption Algorithm 3DES; Authentication Algorithm SHA-1; Authentication Method Pre-shared key / RSA Signature; Pre-shared key 12345678 (Key Length 8-49 chars); Diffie-Hellman (DH) Group: Group 2 (1024 bit); SA Lifetime 28800 sec; Extended Authentication.]

VPN Tunnel Policies

When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Policy Tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN Policy and the IKE Policy. You can edit existing policies, or add new VPN and IKE policies directly in the Policy Tables.

IKE Policy

The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways and provides automatic management of the keys used in IPSec. It is important to remember that:

    • Auto-generated VPN policies must use the IKE negotiation protocol.
    • Manually generated VPN policies cannot use the IKE negotiation protocol.

Managing IKE Policies

IKE Policies are activated when:

    1. The
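The IKE Policy screens above expose every parameter that decides how hard a tunnel is to attack: exchange mode, authentication method, the pre-shared key (accepted at 8 to 49 characters, and shown as 12345678 in the screenshots), the cipher, hash and DH group. The following added example, not NETGEAR code, lints a policy table the way a reviewer would, flagging a short or low-entropy PSK, Aggressive Mode combined with a PSK (the identity and the PSK-derived hash go out before the channel is protected, so a captured exchange can be cracked offline), DES, MD5, DH Group 1 and over-long lifetimes. Field values are spelled as the screens spell them; the two sample policies are constructed, the weak one mirroring the screenshot values, and the 20-character / 64-bit thresholds are this example's choice.

```python
"""Lint IKE policy settings of the kind shown on the IKE Policy screens.

Added example, not NETGEAR code. Policy fields use the screens' spellings
("Aggressive", "Pre-shared key", "3DES", "SHA-1", "Group 2 (1024 bit)").
The length and entropy thresholds are this example's choice, not the firmware's.
"""
import math
from collections import Counter

MIN_PSK_LEN = 20      # well above the screen's 8-character floor
MIN_PSK_BITS = 64     # crude entropy floor for a key that must survive offline guessing


def psk_entropy_bits(psk):
    """Shannon estimate over the key's own character distribution, times its length.
    Crude, but it separates 12345678 (24 bits) from a random 24-character key (about 110)."""
    if not psk:
        return 0.0
    n = len(psk)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(psk).values())
    return per_char * n


def lint_ike_policy(p):
    """Return a list of findings; an empty list means nothing to object to."""
    findings = []
    if p["auth_method"] == "Pre-shared key":
        psk = p.get("psk", "")
        if len(psk) < 8:
            findings.append("PSK is shorter than the 8-character minimum the screen enforces")
        elif len(psk) < MIN_PSK_LEN:
            findings.append("PSK is only %d characters; use at least %d" % (len(psk), MIN_PSK_LEN))
        if psk_entropy_bits(psk) < MIN_PSK_BITS:
            findings.append("PSK looks low-entropy (%.0f bits estimated)" % psk_entropy_bits(psk))
        if p["exchange_mode"] == "Aggressive":
            # Identities and the PSK-derived hash are sent before the exchange is protected.
            findings.append("Aggressive Mode with a pre-shared key exposes the PSK hash to offline "
                            "cracking; use Main Mode or RSA signatures")
    if p["encryption"] == "DES":
        findings.append("DES (56-bit) encryption; use 3DES or stronger")
    if p["auth_alg"] == "MD5":
        findings.append("MD5 integrity; use SHA-1 or stronger")
    if p["dh_group"].startswith("Group 1"):
        findings.append("DH Group 1 (768 bit) is too small; use Group 2 (1024 bit) or larger")
    if p["sa_lifetime"] > 86400:
        findings.append("IKE SA lifetime above one day (%d s)" % p["sa_lifetime"])
    return findings


def demo():
    weak = {   # the screenshot's values: Aggressive Mode, PSK 12345678
        "name": "home", "exchange_mode": "Aggressive", "auth_method": "Pre-shared key",
        "psk": "12345678", "encryption": "3DES", "auth_alg": "SHA-1",
        "dh_group": "Group 2 (1024 bit)", "sa_lifetime": 28800,
    }
    # Same policy with Main Mode and a 24-character random-looking PSK (constructed value).
    hardened = dict(weak, name="to_fvs", exchange_mode="Main", psk="kX7!pz9Q#vL2mW4rT8bN0yC5")
    return {"weak": lint_ike_policy(weak), "hardened": lint_ike_policy(hardened)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["ok"])
```

The entropy estimate is deliberately crude: it only measures how repetitive the key's own characters are, so a dictionary phrase with varied letters still passes it. Treat it as a guard against placeholders like 12345678, not as a substitute for generating the key randomly. For a client policy that must stay in Aggressive Mode (the FQDN identifiers in the table above require it), the mitigation is a long random PSK or the RSA Signature option the screen offers.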
12. [Figure 4-19: Add Port Triggering Rule screen. Name; Enable (Yes/No); Protocol (TCP/UDP); Outgoing Trigger Port Range: Start Port (1-65534), End Port (1-65534); Incoming Response Port Range: Start Port (1-65534), End Port (1-65534).]

    3. From the Protocol pull-down menu, select either TCP or UDP.
    4. In the Outgoing Trigger Port Range fields:
       a. Enter the Start Port (range 1-65534).
       b. Enter the End Port (range 1-65534).
    5. In the Incoming Response Port Range fields:
       a. Enter the Start Port (range 1-65534).
       b. Enter the End Port (range 1-65534).
    6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table.

To edit or modify a rule:

    1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
    2. Modify any of the fields for this rule.
    3. Click Reset to cancel any changes and return to the previous settings.
    4. Click Apply to save your modifications. Your changes will appear in the Port Triggering Rules table.

To check the status of the Port Triggering rules, click the Status link on the Port Triggering screen.

[Port Triggering Status screen (Security > Port Triggering > Status; Operation succeeded). Columns: Name, Enable, Protocol, Outgoing Ports, Inco
13. [Figure 4-1: LAN WAN Rules screen, Outbound Services table.]

    Service Name   Action                           LAN Users      WAN Users   Destination   Log     Action
    RealAudio      Block Always                     ANY            ANY         WAN1          Never   up / down / edit
    AIM            Block by schedule 1, else allow  192.168.10.2   ANY         WAN1          Never   up / down / edit

    [select all] [delete] [enable] [disable] [add]

For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom. In some cases the order of precedence of two or more rules may be important in determining the disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The Up and Down buttons allow you to relocate a defined rule to a new position in the table.

Setting LAN WAN Rules

The Default Outbound Policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). The default policy of Allow Always can be changed to block all outbound traffic, which then allows you to enable only specific services to pass through the router.

To change the Default Outbound Policy:

    1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen will display.
    2. Cha
14. [Figure 5-24: Generate Self Certificate Request screen. Name: NETGEAR. Subject: C=USA, ST=CA, L, O. Hash Algorithm: MD5. Signature Algorithm: RSA. Signature Key Length: 512. IP Address (optional), Domain Name (optional), E-mail Address (optional); generate. Self Certificate Requests table: Name, Status, Action (NETGEAR, view); select all, delete. Upload certificate corresponding to a request above: Certificate File, Browse, upload.]

    • Domain Name: if you have a domain name, you can enter it here. Otherwise, you should leave this field blank.
    • E-mail Address: enter your e-mail address in this field.

    4. Click Generate. A new certificate request is created and added to the Self Certificate Requests table.
    5. Click View under the Action column to view the request.
    6. Copy the contents of the "Data to supply to CA" text box into a file, including all of the data contained in BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST. Click Done. You will return to the Certificate screen, and your request details will be displayed in the Self Certificate Requests table showing a status of "Waiting for Certificate upload".

Note: The values shown in the screenshot, an MD5 hash and a 512-bit RSA key, are far below what any public or internal CA should accept today; choose the strongest hash and the longest key length the firmware offers when you generate a request.

To submit your Certificate request to a CA:

    1. Connect
15. [Figure 4-13: LAN WAN Rules screen (Operation succeeded). Default Outbound Policy: Allow Always (apply). Outbound Services columns: Service Name, Filter, LAN Users, WAN Users, Priority, Log, Action. Inbound Services:]

    Service Name   Filter         LAN Server IP Address   WAN Users   Destination   Log
    HTTP           Allow Always   192.168.1.2             ANY         10.1.10.52    Never
    ANY            Allow Always   192.168.0.50            ANY         WAN1          Never

    Callout in the figure: "1. Select Any and Allow Always or Allow by Schedule. Place rule below all other inbound rules."

Outbound Rules Example

Outbound rules let you prevent users from using applications such as Instant Messenger, RealAudio, or other non-essential sites.

LAN WAN Outbound Rule: Blocking Instant Messenger

If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address, according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period.

[Add LAN WAN Outbound Service screen (Operation succeeded): Service, Action, Selec
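The Instant Messenger example above, together with the four rule actions (BLOCK always, BLOCK by schedule otherwise Allow, ALLOW always, ALLOW by schedule otherwise Block) and the top-to-bottom first-match evaluation described for the Rules Table, is small enough to model exactly. The following added example, not the firewall's code, evaluates outbound packets against an ordered rule list with scheduled actions and a default policy, and flags rules that an earlier "always" rule of equal or broader scope shadows, which is the ordering mistake the manual warns about. The AIM rule is the Figure 4-1 row (192.168.10.2, block by schedule 1, else allow); the port numbers (AIM 5190, RealAudio 7070), the Mon-Fri 09:00-17:00 schedule, the packets and the "log only when blocking" reading of the Log column are assumptions of this example.

```python
"""First-match evaluation of LAN WAN outbound rules with scheduled actions.

Added example, not the firewall's code. Rules are tried top to bottom and the
first match decides; "by schedule" actions flip between block and allow with
the named schedule; no match falls through to the default outbound policy.
Ports, schedule hours and sample packets are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time


@dataclass
class Schedule:
    days: frozenset        # Python weekdays, Monday = 0
    start: time
    end: time

    def active(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class Rule:
    name: str
    action: str            # BLOCK always | BLOCK by schedule | ALLOW always | ALLOW by schedule
    service: tuple         # (proto, first_port, last_port); ("any", 1, 65535) means ANY
    lan_users: str         # "any", one address, or "first-last"
    wan_users: str
    schedule: Schedule = None
    log: bool = False      # Log column; logged when the rule blocks (assumption)


def _addr_match(spec, ip):
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)


def _service_match(service, proto, port):
    sproto, lo, hi = service
    return (sproto == "any" or sproto == proto) and lo <= port <= hi


def verdict(rule, when):
    on = rule.schedule is not None and rule.schedule.active(when)
    return {"ALLOW always": "allow", "BLOCK always": "block",
            "BLOCK by schedule": "block" if on else "allow",
            "ALLOW by schedule": "allow" if on else "block"}[rule.action]


def evaluate(rules, default_policy, pkt, when):
    """Return (verdict, rule name or 'default', logged) for one outbound packet."""
    for rule in rules:
        if (_service_match(rule.service, pkt["proto"], pkt["dport"])
                and _addr_match(rule.lan_users, pkt["src"])
                and _addr_match(rule.wan_users, pkt["dst"])):
            v = verdict(rule, when)
            return v, rule.name, bool(rule.log and v == "block")
    return default_policy, "default", False


def shadowed(rules):
    """Rules that can never match because an 'always' rule of equal or broader scope
    sits above them: the ordering mistake the Rules Table discussion warns about."""
    names = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.action.endswith("always")
                    and earlier.service in (later.service, ("any", 1, 65535))
                    and earlier.lan_users in ("any", later.lan_users)
                    and earlier.wan_users in ("any", later.wan_users)):
                names.append(later.name)
                break
    return names


def demo():
    work_hours = Schedule(frozenset(range(5)), time(9, 0), time(17, 0))
    rules = [
        Rule("RealAudio", "BLOCK always", ("tcp", 7070, 7070), "any", "any"),
        Rule("AIM", "BLOCK by schedule", ("tcp", 5190, 5190), "192.168.10.2", "any", work_hours, log=True),
    ]
    tuesday, saturday = datetime(2006, 7, 4, 10, 0), datetime(2006, 7, 8, 10, 0)
    aim = {"proto": "tcp", "src": "192.168.10.2", "dst": "203.0.113.5", "dport": 5190}
    bad_order = [Rule("All IM", "BLOCK always", ("tcp", 5190, 5190), "any", "any"),
                 Rule("AIM for 10.2", "ALLOW always", ("tcp", 5190, 5190), "192.168.10.2", "any")]
    return {
        "aim_work_hours": evaluate(rules, "allow", aim, tuesday),
        "aim_weekend": evaluate(rules, "allow", aim, saturday),
        "aim_other_host": evaluate(rules, "allow", dict(aim, src="192.168.10.3"), tuesday),
        "realaudio": evaluate(rules, "allow", dict(aim, dport=7070, src="192.168.10.7"), saturday),
        "http": evaluate(rules, "allow", dict(aim, dport=80), tuesday),
        "shadowed": shadowed(bad_order),
    }
```

Run `demo()` to see the five verdicts and the shadowed rule. The point of `shadowed()` is the one the text makes with "place the most strict rules at the top": an allow for one host placed under a block-always for everyone is dead, and the only fix is the Up button, not a change to either rule.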
16. ProSafe VPN Firewall 200 FVX538 Reference Manual

NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA

August 2006
202-10062-04
v1.0

© 2006 by NETGEAR, Inc. All rights reserved.

Trademarks

NETGEAR and the NETGEAR logo are registered trademarks, and ProSafe is a trademark, of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur
17. Groups: the rule is applied to a Group (see "Managing Groups and Hosts (LAN Groups)" on page 3-6 to assign PCs to a Group using the Network Database).

    • WAN Users: these settings determine which Internet locations are covered by the rule, based on their IP address.
        Any: the rule applies to all Internet IP addresses.
        Single address: the rule applies to a single Internet IP address.
        Address range: the rule is applied to a range of Internet IP addresses.
    • Services: you can specify the desired services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see "Services-Based Rules" on page 4-2 and "Adding Customized Services" on page 4-21).
    • Schedule: you can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see "Setting a Schedule to Block or Allow Specific Traffic" on page 4-24).

See "Using Rules to Block or Allow Specific Kinds of Traffic" on page 4-1 for the procedure on how to use this feature.

Services

The Rules menu contains a list of predefined Services for creating firewall rules. If a service does not appear in the predefined Services list, you can define the service. The new service will then appear in the Rules menu's Services list. See "Services-Based Rules" on page 4-2 for the proce
18.
    11. In the left frame, expand Key Exchange (Phase 2) and select Proposal 1. The fields in this proposal should also mirror those in the following figure. No changes should be necessary.
    12. In the upper left of the window, click the disk icon to save the policy.

[Figure 5-22: Security Policy Editor, NETGEAR ProSafe VPN Client. Network Security Policy tree: My Connections > to_FVX > My Identity; Security Policy > Authentication (Phase 1) > Proposal 1; Key Exchange (Phase 2) > Proposal 1; Other Connections. Phase 2 Proposal 1: SA Life: Unspecified (Seconds, KBytes); Compression: None; Encapsulation Protocol (ESP) checked: Encrypt Alg Triple DES, Hash Alg SHA-1, Encapsulation Tunnel; Authentication Protocol (AH) unchecked: Hash Alg SHA-1, Encapsulation Tunnel.]

Testing the Connection

    1. From your PC, right-click on the VPN client icon in your Windows toolbar and select Connect, then My Connections > to_FVX. Within 30 seconds you should receive the message "Successfully connected to My Connections\to_FVX", and the VPN client icon in the toolbar should say On.
    2. For additional status and troubleshooting
19.
    3. Wait five minutes and reapply power to the cable or DSL modem.
    4. When the modem's LEDs indicate that it has reacquired sync with the ISP, reapply power to your firewall.

If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following:

    • Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
    • If your ISP requires a login, you may have incorrectly set the login name and password.
    • Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu.
    • Your ISP only allows one Ethernet MAC address to connect to the Internet and may check for your PC's MAC address. In this case, inform your ISP that you have bought a new network device and ask them to use the firewall's MAC address, or configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to "Manually Configuring Your Internet Connection" on page 2-5.

If your firewall can obtain an IP address but your PC is unable to load any Web pages from the Internet:

    • Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typ
20. Appendix C: Network Planning for Dual WAN Ports

    What You Will Need to Do Before You Begin ......................... C-1
    Cabling and Computer Hardware Requirements ........................ C-3
    Computer Network Configuration Requirements ....................... C-3
    Internet Configuration Requirements ............................... C-3
    Where Do I Get the Internet Configuration Parameters? ............. C-4
    Internet Connection Information Form .............................. C-5
    Overview of the Planning Process .................................. C-6
    Inbound Traffic ................................................... C-6
    Virtual Private Networks (VPNs) ................................... C-6
    The Roll-over Case for Firewalls With Dual WAN Ports .............. C-7
    The Load Balancing Case for Firewalls With Dual WAN Ports ......... C-7
    Inbound Traffic ................................................... C-8
    Inbound Traffic to Single WAN Port (Reference Case) ............... C-8
    Inbound Traffic to Dual WAN Port Systems .......................... C-8
    Inbound Traffic: Dual WAN Ports for Improved Reliability .......... C-9
    Inbound Traffic: Dual WAN Ports for Load Balancing ................ C
21.
    DMZ Port .......................................................... 6-7
    VPN Tunnels ....................................................... 6-7
    Using QoS to Shift the Traffic Mix ................................ 6-7
    Tools for Traffic Management ...................................... 6-8
    Administration .................................................... 6-8
    Changing Passwords and Settings ................................... 6-8
    Enabling Remote Management Access ................................. 6-10
    Using an SNMP Manager ............................................. 6-11
    Settings Backup and Firmware Upgrade .............................. 6-13
    Backup and Restore Settings ....................................... 6-14
    Router Upgrade .................................................... 6-15
    Setting the Time Zone ............................................. 6-16
    Monitoring the Router ............................................. 6-17
    Enabling the Traffic Meter ........................................ 6-17
    Setting Login Failures and Attacks Notification ................... 6-19
    Monitoring Attached Devices ....................................... 6-20
    Viewing Port Triggering Status .................................... 6-22
    Viewing Router Configuration and System Status .................... 6-23
    Monitoring WA
22. Password, Login Server: no data is required. Static IP address: Subnet and Gateway IP and related data supplied by your ISP.

If Auto Detect does not find a connection, you will be prompted to check the physical connection between your firewall and the cable or DSL line, or to check your router's MAC address (see "Setting the Router's MAC Address" on page 2-5).

    3. Click WAN Status at the top right of the screen to verify the WAN Port 1 connection status. Click Connect if a connection is not already present.

[Figure 2-2: Connection Status (Operation succeeded)]

    Connection Time    0 Days 01:18:55
    Connection Type    DHCP
    Connection State   Connected
    IP Address         10.1.31.40
    Subnet Mask        255.255.255.0
    Gateway            10.1.31.13
    DNS Server         10.1.1.6
    DHCP Server        10.1.1.6
    Lease Obtained     Mon Sep 18 22:31:00 GMT 2006
    Lease Duration     1 Day 00:00:00
    [renew] [release]

    4. Set up the traffic meter for the WAN1 ISP if desired. See "Programming the Traffic Meter (if Desired)" on page 2-7.

Note: At this point of the configuration process you are connected to the Internet through WAN port 1. But you must continue with the configuration process to get the complete functionality of the dual WAN interface.

To configure the WAN2 ISP settings:

    1. Repeat the above steps to
23. [Figure 5-6: VPN Wizard summary. Exchange Mode: Main. Identifier Type: Local WAN IP / Remote WAN IP; Identifier. Encryption Algorithm: 3DES. Authentication Algorithm: SHA-1.]

Creating a VPN Tunnel Connection to a VPN Client

You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. Multiple remote VPN Client policies can also be set up through the VPN Wizard by changing the default End Point Information settings. A remote client policy can support up to 200 clients. The remote clients must configure the Local Identity field in their policy as PolicyName<X>.fvx_remote.com, where X stands for a number from 1 to 200. As an example, if the client-type policy on the router is configured with "home" as the policy name and two users are required to connect using this policy, then the Local Identity in their policies should be configured as home1.fvx_remote.com and home2.fvx_remote.com respectively.

To configure the VPN client:

    1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
    2. Check the VPN Client radio box as your VPN tunnel connection. The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client PC to establish a secure connection to this device.
24. To remove an entry from the table, select the MAC address entry and click Delete. To select all the MAC addresses in the list, click Select All. A checkmark will appear in the box to the left of each MAC address in the Available MAC Addresses to be Blocked table.

Port Triggering

Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application.

Once configured, Port Triggering operates as follows:

    1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
    2. The VPN firewall records this connection, opens the additional INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
    3. The remote system receives the PC's request and responds using the different port numbers that you have now opened.
    4. The VPN firewall matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.

    • Only one PC can use a Port Triggering application at any time.
    • Aft
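The four steps above, plus the rule that only one PC can hold a triggered application at a time, describe a small state machine, and the Add Port Triggering Rule screen fixes its inputs (TCP or UDP, an outgoing trigger port range and an incoming response port range, each within 1-65534). The following added example, not the firewall's code, implements that machine: an outbound connection to a trigger port opens the rule's response ports for that PC only, responses to those ports are forwarded to it, anything else is a new connection that falls through to the port forwarding rules, and a rule is released after an idle timeout. The manual's bullet list is cut off before it says how a rule is released, so the 120-second idle timeout, the "game" rule and the traffic are assumptions of this example.

```python
"""State machine for Port Triggering as described in the manual's four steps.

Added example, not the firewall's code. One PC per rule at a time; a rule is
released after an idle timeout (the 120 s value is an assumption). Port ranges
are validated against the 1-65534 limits shown on the Add Port Triggering Rule
screen. The "game" rule and the traffic in demo() are constructed.
"""
PORT_MIN, PORT_MAX = 1, 65534


def _check_range(lo, hi, what):
    if not (PORT_MIN <= lo <= hi <= PORT_MAX):
        raise ValueError("%s range %d-%d must satisfy %d <= start <= end <= %d"
                         % (what, lo, hi, PORT_MIN, PORT_MAX))


class PortTriggerRule:
    def __init__(self, name, proto, trigger, response):
        _check_range(trigger[0], trigger[1], "outgoing trigger port")
        _check_range(response[0], response[1], "incoming response port")
        self.name, self.proto, self.trigger, self.response = name, proto, trigger, response


class PortTriggerTable:
    def __init__(self, rules, idle_timeout=120):
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.active = {}            # rule name -> (pc, last_seen)

    def _expire(self, name, now):
        entry = self.active.get(name)
        if entry and now - entry[1] >= self.idle_timeout:
            del self.active[name]

    def outbound(self, pc, proto, dport, now):
        """Steps 1-2: a matching outgoing connection opens the response ports for `pc`."""
        for rule in self.rules:
            if proto == rule.proto and rule.trigger[0] <= dport <= rule.trigger[1]:
                self._expire(rule.name, now)
                owner = self.active.get(rule.name)
                if owner and owner[0] != pc:
                    return "busy", rule.name          # only one PC per application
                self.active[rule.name] = (pc, now)
                return "opened", rule.name
        return "no-trigger", None

    def inbound(self, proto, dport, now):
        """Steps 3-4: forward a response to the PC that triggered it, else treat it as new."""
        for rule in self.rules:
            if proto == rule.proto and rule.response[0] <= dport <= rule.response[1]:
                self._expire(rule.name, now)
                if rule.name in self.active:
                    pc, _ = self.active[rule.name]
                    self.active[rule.name] = (pc, now)  # traffic keeps the trigger alive
                    return "forward", pc
        return "new-connection", None                    # left to the port forwarding rules


def demo():
    table = PortTriggerTable([PortTriggerRule("game", "tcp", (6112, 6112), (6113, 6119))])
    events = [
        table.outbound("192.168.1.20", "tcp", 6112, now=0),    # PC A triggers
        table.inbound("tcp", 6115, now=1),                     # response goes to A
        table.outbound("192.168.1.21", "tcp", 6112, now=2),    # PC B refused while A holds it
        table.inbound("tcp", 6115, now=200),                   # A idle > 120 s: rule released
        table.outbound("192.168.1.21", "tcp", 6112, now=201),  # now B can trigger
        table.inbound("udp", 6115, now=202),                   # wrong protocol: not a response
    ]
    try:
        PortTriggerRule("bad", "tcp", (1, 65535), (1, 10))     # 65535 is outside the screen's range
        bad_rule_rejected = False
    except ValueError:
        bad_rule_rejected = True
    return {"events": events, "bad_rule_rejected": bad_rule_rejected}


if __name__ == "__main__":
    print(demo())
```

The fourth event is the security-relevant one: once the trigger has lapsed, a packet to port 6115 is no longer a "response" and gets the same treatment as any other unsolicited inbound connection. Keeping the trigger window short is what limits how long those response ports stand open to anyone on the Internet, not just the remote system the PC contacted.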
25. [Figure 4-16: Schedule screen. Time of Day: All Day / Specific Times; Start Time and End Time (12 Hour, Minute, AM/PM).]

Setting Block Sites (Content Filtering)

If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall's Content Filtering and Web Components filtering. By default these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a "Blocked by NETGEAR" message.

Several types of blocking are available:

    • Web Components blocking: you can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Even sites on the Trusted Domains list will be subject to Web Components blocking when the blocking of a particular Web component is enabled.
    • Keyword Blocking (Domain Name Blocking): you can specify up to 32 words that, should they appear in the Web site name (URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall. You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled.
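The rules in the two bullets above interact (keyword blocking is per group, Trusted Domains are exempt from it but not from Web Components blocking, and the keyword list is capped at 32). The following added example, not NETGEAR code, implements exactly those rules as a filter decision function, including a suffix match for trusted domains that does not let a look-alike host such as netgear.com.chat.example pass as trusted. The keyword list, groups, trusted domain and URLs are constructed; only the component names (Proxy, Java, ActiveX, Cookies) and the 32-keyword limit come from the text.

```python
"""Keyword blocking with trusted domains and Web Components, as the manual describes.

Added example, not NETGEAR code. At most 32 keywords, matched against the
requested URL; blocking applies only to groups it is enabled for; Trusted
Domains skip keyword blocking but not Web Components blocking. Sample data is
constructed.
"""
from urllib.parse import urlparse

MAX_KEYWORDS = 32
WEB_COMPONENTS = {"Proxy", "Java", "ActiveX", "Cookies"}


class ContentFilter:
    def __init__(self, keywords, trusted_domains, groups_enabled, block_components=()):
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError("at most %d keywords are supported" % MAX_KEYWORDS)
        unknown = set(block_components) - WEB_COMPONENTS
        if unknown:
            raise ValueError("unknown Web component(s): %s" % sorted(unknown))
        self.keywords = [k.lower() for k in keywords]
        self.trusted = [d.lower().lstrip(".") for d in trusted_domains]
        self.groups_enabled = set(groups_enabled)
        self.block_components = set(block_components)

    def _is_trusted(self, host):
        # Exact match or a dotted suffix; "netgear.com.chat.example" must not match "netgear.com".
        return any(host == d or host.endswith("." + d) for d in self.trusted)

    def decide(self, group, url):
        """Return (verdict, reason, components stripped from the page) for a request from `group`."""
        host = (urlparse(url).hostname or "").lower()
        stripped = set(self.block_components)      # applies even to trusted sites
        if self._is_trusted(host):
            return "allow", "trusted domain", stripped
        if group not in self.groups_enabled:
            return "allow", "keyword blocking not enabled for group", stripped
        haystack = url.lower()
        for kw in self.keywords:
            if kw in haystack:
                return "block", "keyword: " + kw, stripped
        return "allow", None, stripped


def demo():
    f = ContentFilter(keywords=["games", "chat"], trusted_domains=["netgear.com"],
                      groups_enabled={"Group 1"}, block_components={"ActiveX", "Java"})
    cases = {
        "g1_games": f.decide("Group 1", "http://www.games-site.example/lobby"),
        "g2_games": f.decide("Group 2", "http://www.games-site.example/lobby"),
        "g1_trusted": f.decide("Group 1", "http://kbserver.netgear.com/chat"),
        "g1_clean": f.decide("Group 1", "http://www.example.com/news"),
        "g1_lookalike": f.decide("Group 1", "http://netgear.com.chat.example/"),
    }
    try:
        ContentFilter(keywords=["k%d" % i for i in range(33)], trusted_domains=[], groups_enabled=set())
        too_many_rejected = False
    except ValueError:
        too_many_rejected = True
    return {"cases": cases, "too_many_rejected": too_many_rejected}


if __name__ == "__main__":
    for name, result in demo()["cases"].items():
        print("%-13s %s" % (name, result))
```

The g1_trusted case shows the asymmetry the text spells out: the request is allowed despite containing the keyword "chat", but ActiveX and Java are still stripped because Web Components blocking ignores the Trusted Domains list.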
26. • Typographical Conventions: This manual uses the following typographical conventions:
Italics: Emphasis, books, CDs, URL names
Bold: User input
Fixed: Screen text, file and server names, extensions, commands, IP addresses
• Formats: This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the equipment.
Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death.
• Scope: This manual is written for the VPN firewall according to the following specifications:
Product Version: ProSafe VPN Firewall 200
Manual Publication Date: August 2006
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, "Related Documents".
Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVX538.asp

How to Use This Manual
The HTML version of this manual includes the following:
• Buttons, > and <, for browsing forward or backward
27. screen.
Perform a DNS Lookup: A DNS (Domain Name Server) converts the Internet name (e.g., www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail, or other server on the Internet, you can do a DNS lookup to find the IP address.

Table 6-5. Diagnostics (continued)
Item: Description
Display the Routing Table: This operation will display the internal routing table. This information is used most often by Technical Support.
Reboot the Router: Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally. Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be re-established when possible.
Packet Trace: Packet Trace selects the interface and starts the packet capture on that interface.

Chapter 7. Troubleshooting
This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200. After each problem description, instructions are pro
28. traffic will be routed through the WAN1 port. Load Balancing can be used to segregate traffic between links that are not of the same speed. High volume traffic can be routed through the port connected to a high speed link, and low volume traffic can be routed through the port connected to the low speed link.

To configure the dual WAN ports for load balancing with protocol binding:
1. Check the Load Balancing radio button on the WAN Mode screen (shown in Figure 2-4 above) and click "view protocol bindings" if protocol binding is needed. The WAN1 Protocol Bindings screen will display.

Figure 2-5 (WAN Mode screen with the Auto Rollover, Load Balancing and Use only single WAN port options; WAN1 Protocol Bindings table with Service, Source Network, Destination Network and Action columns, showing an example FTP binding from Group1 to ANY; Add Protocol Binding section with Service, Source Network and Destination Network Start Address / End Address fields. On-screen note: Protocol Binding is used when the Load Balancing option is selected in WAN Mode.)

2. Enter the following data in the Add Protocol Binding section:
a. Service: From the pull-down menu, selec
29. • Keyword Filtering: With its URL keyword filtering feature, the FVX538 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Security Features
The VPN firewall is equipped with several features designed to maintain security, as described in this section.
• PCs Hidden by NAT: NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.
• Port Forwarding with NAT: Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
• DMZ port: Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network.

Autosensing Ethernet Connections with Auto Upl
31. About This Manual
The NETGEAR ProSafe VPN Firewall 200 Reference Manual describes how to install, configure, and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills.

Conventions, Formats, and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs.
32. Figure 4-18 (Source MAC Filter screen: "Do you want to enable Source MAC Address Filtering?" Yes/No; MAC Addresses table with an Action column and select all / delete controls; Add Source MAC Address to be Blocked field; Apply and Reset buttons)

Note: For additional ways of restricting outbound traffic, see "Outbound Rules (Service Blocking)" on page 4-2.

To enable MAC filtering and add MAC addresses to be blocked:
1. Select Security from the main menu and Source MAC Filter from the sub-menu. The Source MAC Filter screen will display.
2. Check the Yes radio box in the MAC Filtering Enable section.
3. Build your list of Source MAC Addresses to be blocked by entering the first MAC address in the MAC Address field, in the form xx:xx:xx:xx:xx:xx, where x is a numeral 0 to 9 or a letter between a and f inclusive; for example, 00:e0:4c:69:0a.
4. Click Add. The MAC Address will be added to the Available MAC Addresses to be Blocked table. You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC Address.
5. Click Reset to cancel a MAC address entry before adding it to the table.
6. Click Apply to save your settings.
33. Configuration: Displays the same details as for WAN1 Configuration.

Note: The Router Status screen displays current settings and statistics for your router. As this information is read-only, any changes must be made on other pages.

Monitoring WAN Ports Status
You can monitor the status of both of the WAN connections, the Dynamic DNS Server connections, and the DHCP Server connections. Select Network Configuration from the main menu and WAN Settings from the submenu. The WAN1 ISP Settings screen will display. Click the WAN Status link to obtain status on the WAN port. Select the WAN2 ISP Settings tab and click the WAN Status link to obtain status on the WAN2 port.

Figure 6-12 (WAN1 ISP Settings screen with the Connection Status window: Connection Time, Connection Type DHCP, Connection State Connected, IP Address 10.1.32.43, Subnet Mask 255.255.255.0, Gateway 10.1.32.13, DNS Server 10.1.1.6, DHCP Server 10.1.1.6, Lease Obtained Tue Jun 27 19:30:11 GMT 2006, Lease Duration 1 Day 00:00:00, with renew and release buttons)

Monitoring VPN Tunnel Co
35. Figure 3-6 (Routing screen: Static Routes table with Destination, Gateway, Interface, Metric, Active, Private and Action columns; Add Static Route section with Route Name, Active, Private, Destination IP Address, IP Subnet Mask, Interface, Gateway IP Address and Metric fields)

4. Select Active to make this route effective.
5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP.
6. Enter the Destination IP Address of the host or network to which the route leads.
7. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255.
8. Enter the Interface, which is the physical network interface (WAN1, WAN2, or LAN) through which this route is accessible.
9. Enter the Gateway IP Address through which the destination host or network can be reached (must be a firewall on the same LAN segment as the firewall).
10. Enter the Metric priority for this route. If multiple routes to the same destination exist, the route with the lowest metric is chosen (the value must be between 1 and 15).
11. Click Reset to discard any changes and revert to the previous settings.
12. Click Apply to save your settings. The new static route will be added to the Route table. You can edit the route s
37. Gateway address of the FVX538.

Figure 5-17 (Security Policy Editor, NETGEAR ProSafe VPN Client: Connection Security set to Secure, with Only Connect Manually, Non-secure and Block options; Remote Party Identity and Addressing with ID Type IP Subnet, Subnet 192.168.1.0, Mask 255.255.255.0, Protocol All; "Connect using Secure Gateway Tunnel" checked, with ID Type Domain Name and Gateway IP Address 10.1.32.13)

7. In the left frame, click My Identity.
8. From the Select Certificate pull-down menu, select None.
9. From the ID Type pull-down menu, select Domain Name. The value entered under Domain Name will be of the form <name><XY>.fvx_remote.com, where each user must use a different variation on the Domain Name entered here. The <name> is the policy name used in the FVX538 configuration; in this example it is "home". X and Y are an arbitrary pair of numbers chosen for each user.
Note: X may not be zero.
In this example, we have entered home11.fvx_remote.com. Up to 200 user variations can be served by one policy.
10. Leave Virtual Adapter disabled and select your computer's Network Adapter. Your current I
38. LAN port of the router. This will be the gateway for computers that need to access the Internet. The Subnet Mask is the IPv4 Subnet Mask.

To add a secondary LAN IP address:
1. Enter the IP Address and the Subnet Mask in the respective fields of the Add Secondary LAN IP Address section.
2. Click Add. The new Secondary LAN IP address will appear in the Available Secondary LAN IPs table.

Click Select all to select all the entries in the Available Secondary LAN IPs table (all the radio buttons are selected). Click Delete to delete only those entries with checked radio buttons from the Available Secondary LAN IPs table.

Figure 3-2 (LAN Setup, Multi Home LAN IPs screen: Available Secondary LAN IPs table with IP Address and Subnet Mask columns and select all / delete controls, showing the example entry 10.10.1.13 / 255.255.255.0; Add Secondary LAN IP Address section with IP Address and Subnet Mask fields)

Note: Additional IP addresses cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP, and DNS server IPs.

To make changes to the selected entry:
1. Click Edit in the Action column adjacent to the s
39. Figure 5-20 (Security Policy Editor, NETGEAR ProSafe VPN Client: Network Security Policy tree with My Connections, to_Fvx, My Identity, Security Policy, Authentication (Phase 1), Key Exchange (Phase 2) and Other Connections; Security Policy pane with Select Phase 1 Negotiation Mode (Main Mode / Aggressive Mode / Use Manual Keys), Enable Perfect Forward Secrecy (PFS) with PFS Key Group Diffie-Hellman Group 2, and Enable Replay Detection)

For the Phase 1 Negotiation Mode, check the Aggressive Mode radio box. PFS should be disabled and Enable Replay Detection should be enabled.

10. In the left frame, expand Authentication (Phase 1) and select Proposal 1. The Proposal 1 fields should mirror those in the following figure. No changes should be necessary.

Figure 5-21 (Security Policy Editor, NETGEAR ProSafe VPN Client, Proposal 1: Authentication Method Pre-Shared Key; Encryption and Data Integrity Algorithms with Encrypt Alg Triple DES, Hash Alg SHA, SA Life Unspecified (Seconds), Key Group Diffie-Hellman Group 2)
40. 4. In the General section:
a. Enter a descriptive name in the Policy Name field, such as "salesperson". This name will be used as part of the remote identifier in the VPN client configuration.
b. Set Direction/Type to Responder.
c. The Exchange Mode will automatically be set to Aggressive.
5. For Local information:
d. Select Fully Qualified Domain Name for the Local Identity Type.
e. Enter an identifier in the Remote Identity Data field that is not used by any other IKE policies. This identifier will be used as part of the local identifier in the VPN client configuration.
6. Specify the IKE SA parameters. These settings must be matched in the configuration of the remote VPN client. Recommended settings are:
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Diffie-Hellman Group: 2
SA Lifetime: 3600 seconds
7. Enter a Pre-Shared Key that will also be configured in the VPN client.

XAUTH is disabled by default. To enable XAUTH, select:
• Edge Device to use this router as a VPN concentrator where one or more gateway tunnels terminate. If selected, you must specify the Authentication Type to be used in verifying credentials of the remote VPN gateways.
• IPsec Host if you want this gateway to be authenticated by the remote gateway. Enter a Username and Password to be associated with the IKE policy. When this option is chosen, you will need to specify the user name and password to be used in
41. Figure 2-8 (Apply and Reset buttons)

3. Edit the default information you want to change.
• MTU Size: The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs you may have to reduce the MTU, but this is rarely required and should not be done unless you are sure it is necessary for your ISP connection.
• Port Speed: In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may have to manually select the port speed. AutoSense is the default. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M. Use the half-duplex settings unless you are sure you need full duplex.
• Router's MAC Address: Each computer or router on your network has a unique 32-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. The default is "Use default address". However, if your ISP requires MAC authentication, then select either "Use this Computer's MAC address" to have the router use the MAC address of the computer you are now using, or "Use This MAC Address" to manually type in the MAC address that your ISP expects. The forma
43. Figure 6-5 (Time Zone screen: Date/Time set to GMT (Greenwich Mean Time; Edinburgh, London); "Automatically Adjust for Daylight Savings Time" checkbox; Use Default NTP Servers / Use Custom NTP Servers with Server 1 and Server 2 Name / IP Address fields; Current Time Wed Jun 28 02:01:49 GMT 2006)

Monitoring the Router
You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN ports, LAN ports, and VPN tunnels, and program SNMP connections.

Enabling the Traffic Meter
To monitor traffic limits on each of the WAN ports, select Administration from the main menu and Traffic Meter from the submenu. The WAN1 Traffic Meter screen will display. The WAN1 and WAN2 ports are programmed separately. A WAN port shuts down once its traffic limit is reached if the "Block all traffic" feature is enabled. The Traffic Meter screen also provides the following information:
• Internet Traffic Statistics: Displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available.
• Traffic by Protocol: Click this button to display Internet Traffic details. The volume of traffic for each protocol will be displayed
44. VPN Policy Selector determines that some traffic matches an existing VPN Policy.
• If the VPN policy is of type Auto, then the Auto Policy Parameters defined in the VPN Policy are accessed, which specify which IKE Policy to use.
• If the VPN Policy is a Manual policy, then the Manual Policy Parameters defined in the VPN Policy are accessed, and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway.
• If negotiations fail, the next matching IKE Policy is used.
• If none of the matching IKE Policies are acceptable to the remote VPN Gateway, then a VPN tunnel cannot be established.
• An IKE session is established using the SA (Security Association) parameters specified in a matching IKE Policy.
• Keys and other parameters are exchanged.
• An IPSec SA (Security Association) is established using the parameters in the VPN Policy. The VPN tunnel is then available for data transfer.

IKE Policy Table
When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the Policy Table, and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the Policy Table screen. Each policy contains the following data:
• Name: Uniquely identifies each IKE policy. The name is chosen by you and used for the purpose of managing your policies; it is not supplied to the remote VPN Server.
• Mode: Two modes are available, eit
45. VPN firewall will provide a LAN IP Address for DNS address name resolution.

Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must enter http://10.0.0.1 in your browser to reconnect to the web management interface.

5. Click Apply to save your settings.
6. Click Reset to discard any changes and revert to the previous configuration.

Note: Once you have completed the LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 4, "Firewall Protection and Content Filtering".

Configuring Multi Home LAN IPs
If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), then you can add aliases to the LAN port, thereby giving computers on those networks access to the Internet. This allows the firewall to act as a gateway to additional logical subnets on your LAN. You can assign the firewall an IP address on each additional logical subnet. The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the router. The IP Address is the alias added to the
46. WAN port always changes. Hence, the use of a fully qualified domain name is always required, even when the IP address of each WAN port is fixed.

Figure C-2 (Dual WAN Ports, Before Rollover: WAN1 port active with WAN1 IP, WAN2 port inactive (N/A). Dual WAN Ports, After Rollover: WAN1 port inactive (N/A), WAN2 port active with WAN2 IP. The IP address of the active WAN port changes after a rollover, so the use of fully qualified domain names is always required and features requiring fixed IP address blocks are not supported.)

Features such as multiple exposed hosts are not supported when using dual WAN port rollover, because the IP addresses of each WAN port must be in the identical range of fixed addresses.

The Load Balancing Case for Firewalls With Dual WAN Ports
Load balancing (Figure C-3) for the dual WAN port case is similar to the single WAN port case when specifying the IP address. Each IP address is either fixed or dynamic based on the ISP; fully qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.

Figure C-3 (Dual WAN Ports, Load Balancing: WAN1 IP reachable as netgear1.dyndns.org, WAN2 IP reachable as netgear2.dyndns.org. Use of fully qualified domain names for the IP addresses of the WAN ports is required for dynamic IP addresses and optional for fixed IP addresses.)
47. You can bypass Keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains or keywords on this list by PCs, even those in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.

Keyword application examples:
• If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX.
• If the keyword ".com" is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
• If you wish to block all Internet browsing access, enter the keyword ".".

To enable Content Filtering:
1. Select Security from the main menu and Block Sites from the sub-menu. The Block Sites screen will display.
2. Check the Yes radio button to enable Content Filtering.
3. Check the radio boxes of any Web Components you wish to block.
4. Check the radio buttons of the groups to which you wish to apply Keyword Blocking. Click Enable to activate Keyword Blocking, or Disable to deactivate Keyword Blocking.
5. Build your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After each entry, click Add. The Keyword or Domain Name will be added to the Blocked Keywords table. You can also edit an entry by clicking Edit in the Action
48. a range of Internet IP addresses.
• Destination Address: These settings determine the destination IP address for this rule, which will be applicable to incoming traffic. This rule will be applied only when the destination IP address of the incoming packet matches the IP address of the selected WAN interface. Selecting ANY enables the rule for any LAN IP destination. WAN1 and WAN2 correspond to the respective WAN interface governed by this rule.
• Services: You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see "Adding Customized Services" on page 4-21).
• Schedule: You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see "Setting a Schedule to Block or Allow Specific Traffic" on page 4-24).

See "Using Rules to Block or Allow Specific Kinds of Traffic" on page 4-1 for the procedure on how to use this feature.

Port Triggering
Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application. Once configured, Port Triggering operates as follows:
• A PC makes an outgoing connection using a port number defined in the Port Triggering table.
• This Router records this connection, opens the additiona
50. administrator. To modify your LAN setup: 1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display (Figure 3-1: LAN Setup screen, with IP Address, Subnet Mask, Disable/Enable DHCP Server, Domain Name, Starting IP Address, Ending IP Address, WINS Server, Lease Time, and Enable DNS Proxy fields). 2. Enter the IP Address of your router (factory default: 192.168.1.1). Always make sure that the LAN port IP address and DMZ port IP address are in different subnets. 3. Enter the IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router). 4. Check the Enable DHCP Server radio button. By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, providing TCP/IP config
51. and hold the reset button for approximately 5 seconds until the TEST LED blinks rapidly. Your device will return to the factory configuration settings shown in Table A-1 below. Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1 VPN firewall Default Configuration Settings (Feature: Default Behavior)
Router Login: User Login URL http://192.168.1.1; User Name (case sensitive) admin; Login Password (case sensitive) password
Internet Connection: WAN MAC Address, Use Default address; WAN MTU Size 1500; Port Speed AutoSense
Local Network (LAN): LAN IP 192.168.1.1; Subnet Mask 255.255.255.0; RIP Direction None; RIP Version Disabled; RIP Authentication Disabled; DHCP Server Enabled; DHCP Starting IP Address 192.168.1.2; DHCP Ending IP Address 192.168.1.100; DMZ Disabled
Time Zone: GMT; Time Zone Adjusted for Daylight Saving Time, Disabled; SNMP Disabled; Remote Management Disabled
Firewall: Inbound (communications coming in from the Internet) Disabled, except traffic on port 80 (the HTTP port); Outbound (communications going out t
52. as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP; fully qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static. (Figure C-8: Dual WAN Ports, Load Balancing. The IP addresses of the WAN ports are the same as in the single WAN port case; use of fully qualified domain names, such as netgear.dyndns.org and netgear2.dyndns.org, is required for dynamic IP addresses and optional for fixed IP addresses.) VPN Road Warrior (Client-to-Gateway): The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall: a single gateway WAN port; redundant dual gateway WAN ports for increased reliability (before and after rollover); dual gateway WAN ports used for load balancing. VPN Road Warrior: Single Gateway WAN Port (Reference Case). In the case of the single WAN port on the gateway VPN firewall (Figure C-9), the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder. (Figure C-9: Road Warrior Example, Single WAN Port; Client B, Gateway A, 10.5.6.0/24, WAN IP, WAN IP, LAN I
53. authenticating this gateway by the remote gateway. 9. If Edge Device was enabled, select the Authentication Type from the pull-down menu which will be used to verify account information: User Database, RADIUS-CHAP, or RADIUS-PAP. Users must be added through the User Database screen (see User Database Configuration on page 5-34 or RADIUS Client Configuration on page 5-35). Note: If RADIUS-PAP is selected, the router will first check the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server. 10. Click Apply. The new policy will appear in the IKE Policies Table; a sample policy is shown below. (Figure: Add IKE Policy screen showing a sample policy: Mode Config Record enabled with a selected record, Direction/Type Responder, Exchange Mode Aggressive, Local Identification and Peer IKE Identification by Identifier Type FQDN with identifiers local_id.com and remote_id.com, IKE SA Parameters with Encryption Algorithm 3DES, Authentication Algorithm SHA-1, and Authentication Method Pre-shared key.)
54. can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding. Whether or not DHCP is enabled, and how the PCs will access the server's LAN address, impacts the Inbound Rules. For example: If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address may change periodically as the DHCP lease expires. Consider using Dynamic DNS under Network Configuration so that external users can always find your network (see Configuring Dynamic DNS If Needed on page 2-15). If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN Groups menu under Network Configuration to keep the PC's IP address constant (see Setting Up Address Reservation on page 3-9). Local PCs must access the local server using the PCs' local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail. Note: See Port Triggering on page 4-28 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.
55. domain and restores DNS requests for the resulting FQDN to your frequently changing IP address. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your DDNS service provider, log in to your account, and register your new IP address. For auto-rollover mode, you will need a fully qualified domain name (FQDN) to implement features such as exposed hosts and virtual private networks, regardless of whether you have a fixed or dynamic IP address. For load balancing mode, you may still need a fully qualified domain name (FQDN), either for convenience or if you have a dynamic IP address. Note: If your ISP assigns a private WAN IP address, such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet. To configure Dynamic DNS: 1. Select Network Configuration from the primary menu and Dynamic DNS from the submenu. The Dynamic DNS Configuration screen will display. The WAN Mode section displays the currently configured WAN mode (for example, Single Port WAN1, Load Balancing, or Auto-Rollover). Only those options that match the configured WAN Mode will be accessible. (Figure: Network Configuration, Dynamic DNS Configuration screen.)
56. Never: Never log traffic considered by this rule, whether it matches or not. Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP. Remember that allowing inbound services opens holes in your VPN firewall. Only enable those ports that are necessary for your network. It is also advisable to turn on the server application security and invoke the user password or privilege levels, if provided. Order of Precedence for Rules: As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1. (Figure 4-1: LAN WAN Rules screen, with LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules and Attack Checks tabs. The Outbound Services table lists REAL-AUDIO and TACACS, both Block Always, LAN Users ANY, WAN Users ANY, Priority Normal Service, Log Never, with up, down and edit actions, plus select all, delete, enable, disable and add controls. The Inbound Services table has columns Service Name, Filter, DMZ Server IP Address, DMZ Users, WAN Users, Destination, Log, Action.)
57. Unlike competing antivirus products, both products work with your NETGEAR VPN Firewall to enforce antivirus policies: end users cannot access the Internet unless they have antivirus protection with current pattern files installed. Both products are specifically built to meet the needs of growing businesses and feature easy installation, automatic transparent updates, and damage cleanup capability. Activate either product for a free trial. Easy Installation and Management: You can install, configure, and operate the ProSafe VPN Firewall 200 within minutes after connecting it to the network. The following features simplify installation and management tasks. Browser-Based Management: Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based Web Management Interface. Auto Detect: The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account. VPN Wizard: The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other
58. for the VPN tunnel are manually input at each end (both VPN Endpoints). No third-party server or organization is involved. Auto: Some parameters for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN Endpoints (the Local ID Endpoint and the Remote ID Endpoint). In addition, a CA (Certificate Authority) can also be used to perform authentication (see Certificate Authorities on page 5-27). To use a CA, each VPN Gateway must have a Certificate from the CA. For each Certificate, there is both a Public Key and a Private Key. The Public Key is freely distributed and is used to encrypt data. The receiver then uses their Private Key to decrypt the data; without the Private Key, decryption is impossible. CAs can be beneficial, since using them reduces the amount of data entry required on each VPN Endpoint. Managing VPN Policies: The VPN Policies screen allows you to add additional policies, either Auto or Manual, and to manage the VPN policies already created. You can edit policies, enable or disable policies, or delete them entirely. The rules for VPN policy use are: 1. Traffic covered by a policy will automatically be sent via a VPN tunnel. 2. When traffic is covered by two or more policies, the first matching policy will be used. In this situation, the order of the policies is important. However, if you have only one policy for each
59. helps identify the user of a particular TCP connection; a common daemon program for providing the ident service is identd. You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click the Yes radio box to enable SysLogs and send messages to the syslog server, then: a. Enter your SysLog Server IP address. b. Select the appropriate syslog facility from the SysLog Facility pull-down menu. The SysLog Facility levels of severity are described in Table 4-3 below. Click Reset to cancel your changes and return to the previous settings. Click Apply to save your settings.
Table 4-3 SysLog Facility Message Levels (Numerical Code: Severity)
0: Emergency, system is unusable
1: Alert, action must be taken immediately
2: Critical, critical conditions
3: Error, error conditions
4: Warning, warning conditions
5: Notice, normal but significant conditions
6: Informational, informational messages
7: Debug, debug-level messages
To view the Firewall logs: 1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display. 2. If the E-mail Logs option has been enabled, you can send a copy of the log b
60. in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: reorient or relocate the receiving antenna; increase the separation between the equipment and receiver; connect the equipment into an outlet on a circuit different from that to which the receiver is connected; consult the dealer or an experienced radio/TV technician for help. EU Regulatory Compliance Statement: ProSafe VPN Firewall 200 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1. Manufacturer's/Importer's Confirmation (translated from the German): It is hereby confirmed that the ProSafe VPN Firewall 200 has been interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions; please read the notes in the operating instructions. The Bundesamt für Zulassungen in der Telekommunikation has been notified that this device has been placed on the market and is authorized to check the series for compliance with the regulations. Certificate of the Manufacturer/Importer: It is hereby ce
61. operation, diagnostics are not required. (Figure 6-16: Diagnostics screen, reached from the Monitoring menu alongside Router Status, Traffic Meter, Firewall Logs & E-mail, and VPN Logs. It offers: Ping or Trace an IP address (ping, traceroute); Perform a DNS Lookup (Internet Name, lookup); Display the Routing Table (display); Reboot the Router (reboot); Capture Packets (packet trace). The Route Display output shown has columns Interface Name, Destination, Mask, Gateway, Metric, with rows: LAN 192.168.1.0 255.255.255.0 0.0.0.0 0; 10.1.32.0 255.255.255.0 0.0.0.0 0; default 0.0.0.0 10.1.32.13 0.) Table 6-5 Diagnostics (Item: Description). Ping or Trace an IP address. Ping: Used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results will be displayed in a new screen; click Back on the Windows menu bar to return to the Diagnostics screen. Traceroute (often called Trace Route): Lists all routers between the source (this device) and the destination IP address. The Trace Route results will be displayed in a new screen; click Back on the Windows menu bar to return to the Diagnostics
62. port (Figure C-19), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example), and the remote PC must re-establish the VPN tunnel. The gateway WAN port must act as the responder. (Figure C-19: Telecommuter Example, Dual WAN Ports After Rollover. Client B is a remote PC at the telecommuter's home office running the NETGEAR ProSafe VPN Client, behind NAT Router B with LAN IP 10.5.6.1 on 10.5.6.0/24. Gateway A is the VPN Router at the employer's main office, with the WAN1 IP now inactive and the WAN2 IP active, reachable as bzrouter2.dyndns.org. Fully Qualified Domain Names (FQDN) are required for dynamic IP addresses. The remote PC must re-establish the VPN tunnel after a rollover.) The purpose of the fully qualified domain name in this case is to toggle the domain name of the gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel. VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing. In the case of the dual WAN ports on the gateway VPN firewall (Figure C-20), the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2, as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT rout
63. remote VPN Endpoint, then the policy order is not important. 3. The VPN tunnel is created according to the parameters in the SA (Security Association). 4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. VPN Policy Table: Only one Client Policy may be configured at a time (noted by a mark next to the policy name). The Policy Table contains the following fields. Status: Indicates whether the policy is enabled (green circle) or disabled (grey circle). To enable or disable a policy, check the radio box adjacent to the circle and click Enable or Disable as required. Name: Each policy is given a unique name (the Connection Name when using the VPN Wizard). Type: The Type is Auto or Manual, as described previously (Auto is used during VPN Wizard configuration). Local: IP address (either a single address, range of addresses, or subnet address) on your local LAN. Traffic must be from or to these addresses to be covered by this policy. The subnet address is supplied as the default IP address when using the VPN Wizard. Remote: IP address or address range of the remote network. Traffic must be to or from these addresses to be covered by this policy. The VPN Wizard default requires the remote LAN IP address and subnet mask. AH (Authentication Header): This specifies the aut
64. the WAN2 port. To edit or add additional Protocol Binding settings: 1. Select Network Configuration from the main menu and Protocol Binding from the submenu. The WAN1 Protocol Bindings screen will display. You can add or edit protocol bindings to the WAN1 port, or click the WAN2 Protocol Bindings tab to access the WAN2 Protocol Bindings screen. To add a new protocol binding, follow the preceding procedure. 2. Check the radio button adjacent to the protocol binding rule you want to modify. Click Edit in the Action column adjacent to the rule. The Edit Protocol Binding screen will display. (Figure: Network Configuration, WAN1 Protocol Bindings screen. The bindings table has columns Service, Source Network, Destination Network and Action, with one entry: FTP, Group1, ANY. A note states that Protocol Binding is used when the Load Balancing option is selected in WAN Mode. The Add Protocol Binding form has fields Service, Source Network (Any, or Start Address and End Address), and Destination Network (Any, or Start Address and End Address); the Edit Protocol Binding screen shows Service FTP, Destination Network Any, Start Address En
65. the time you enable remote management. You make these selections during Logging into the VPN Firewall on page 2-1. There are a variety of WAN options you can choose when the factory default settings are not applicable to your installation. These include enabling a WAN port to respond to a ping, and setting MTU size, port speed, and upload bandwidth. You will make these choices in Configuring the Advanced WAN Options If Needed on page 2-18. 4. Prepare to physically connect the firewall to cable or DSL modems and a computer. Instructions for connecting your VPN firewall are in the Installation Guide, FVX538 ProSafe VPN Firewall 200. Cabling and Computer Hardware Requirements: To use the VPN firewall on your network, each computer must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall. Computer Network Configuration Requirements: The FVX538 includes a built-in Web Configuration Manager. To access the configuration menus on the FVX538, you must use a Java-enabled Web browser program that supports HTTP uploads, such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends using Internet Explorer or Netscape Navigator 4.0 or above. Free br
66. through the manual one page at a time. A button that displays the table of contents and a button that displays the Index. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual. A button to access the full NETGEAR, Inc. online knowledge base for the product model. Links to PDF versions of the full manual and individual chapters. How to Print this Manual: To print this manual, you can choose one of the following options, according to your needs. Printing a Page from HTML: Each page in the HTML version of the manual is dedicated to a major topic. Select File > Print from the browser menu to print the page contents. Printing from PDF: Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com. Printing a PDF Chapter: Use the PDF of This Chapter link at the top left of any page. Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window. Click the print icon in the upper left of your browser window. Printing a PDF version of the Complete Manual: Use the Complete PDF Manual link at the top left of any page. Click the Comp
67. to save your changes and reset the fields on this screen. The new rule will be listed on the Inbound Services table. Setting DMZ WAN Rules: The firewall rules for traffic between the DMZ and the WAN (Internet) are configured on the DMZ WAN Rules screen. The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to block all outbound traffic and enable only specific services to pass through the router by adding an Outbound Services Rule. (Figure: DMZ WAN Rules screen. The Outbound Services table lists REAL-AUDIO and TACACS, both Block Always, DMZ Users ANY, WAN Users ANY, Priority Normal Service, Log Never, with up, down and edit actions, plus select all, delete, enable, disable and add controls. The Inbound Services table has columns Service Name, Filter, DMZ Server IP Address, DMZ Users, WAN Users, Destination, Log, Action, with delete, enable, disable and add controls.)
68. using this service. Priorities are defined by the Type of Service (ToS) in the Internet Protocol Suite standards, RFC 1349. A ToS priority for traffic passing through the VPN firewall is one of the following. Normal Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0. Minimize Cost: Used when data has to be transferred over a link that has a lower cost. The IP packets for services with this priority are marked with a ToS value of 1. Maximize Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2. Maximize Throughput: Used when the volume of data transferred during an interval is important, even if the latency over the link is high. The IP packets for services with this priority are marked with a ToS value of 4. Minimize Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a ToS value of 8. Setting a Schedule to Block or Allow Specific Traffic: If you enabled Content Filtering in the Block Sites menu, or if you defined an outbound or inbound rule to use a schedule, you
69. 1. Select Security from the main menu, Firewall Rules from the submenu, and then the Attack Checks tab. The Attack Checks screen will display. 2. Check the radio boxes of the Attack Checks you wish to initiate. 3. Click Apply to save your settings. (Figure 4-8: Attack Checks screen, under Security with LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules and Attack Checks tabs. WAN Security Checks: Respond to Ping on Internet Ports, Enable Stealth Mode, Block TCP flood. LAN Security Checks: Block UDP flood. VPN Pass through: IPsec, PPTP, L2TP.) Inbound Rules Examples. LAN WAN Inbound Rule: Hosting A Local Public Web Server. If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown in Figure 4-9. (Figure 4-9: Add LAN WAN Inbound Service screen. Service HTTP; Action ALLOW always; Send to LAN Server set to the Web server's LAN IP address; Translate to Port Number blank; Public Destination IP Address; LAN Users and WAN Users with Start and Finish fields; Log Never.)
70. LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses. If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses. (Figure 4-10: Add LAN WAN Inbound Service screen. Service CU-SEEME(UDP); Action BLOCK by schedule, otherwise allow; Select Schedule Schedule 1; Send to LAN Server set to the videoconference server's LAN IP address; Translate to Port Number blank; Public Destination IP Address WAN1; LAN Users with Start and Finish fields; WAN Users Address Range, Start 134.177.88.1, Finish 134.177.88.254; Log Never.) LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping. In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a Web server on the LAN. If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses wil
71. (Figure 5-29: Mode Config record screen. First IP Pool, Starting IP 172.20.0.1, Ending IP 172.20.0.99; Second IP Pool and Third IP Pool, Starting IP 0.0.0.0, Ending IP 0.0.0.0; WINS Server, Primary and Secondary; DNS Server, Primary and Secondary. Traffic Tunnel Security Level: PFS Key Group, Group 2 (1024 bit); SA Lifetime (sec); Encryption Algorithm 3DES; Integrity Algorithm SHA-1; Local IP Address; Local Subnet Mask. The List of Mode Config Records shows one record with Pool Start IP 172.20.0.1 and Pool End IP 172.20.0.99, the others 0.0.0.0 to 0.0.0.0.) To configure an IKE Policy: 1. From the main menu, select VPN. The IKE Policies screen will display, showing the current policies in the List of IKE Policies Table. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. You can view the parameters of the selected record by clicking the View selected radio box. Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by a FQDN.
72. 2. Complete the Outbound Service screen and save the data (see Table 4-1 on page 4-3). Click Reset to cancel your settings and return to the previous settings. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table. LAN WAN Inbound Services Rules: This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. To create a new inbound service rule: 1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen will display. (Figure 4-4: Edit LAN WAN Inbound Service screen. Service ANY; Action BLOCK by schedule, otherwise allow; Select Schedule Schedule 1; Send to LAN Server; Translate to Port Number; WAN Destination IP Address WAN1; LAN Users and WAN Users Any, with Start and Finish fields; Log Never.) 2. Complete the Add WAN LAN Inbound Services screen (see Table 4-2 on page 4-5). Click Reset to cancel your settings and return to the previous settings. Click Apply
73. 38 VPN Firewall Using the VPN Wizard. For each VPN firewall, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses. Either firewall can initiate the connection. This procedure was developed using: Netgear FVX538 VPN Firewall, WAN1 IP address 10.1.32.40, LAN IP address/subnet 192.168.1.1/255.255.255.0; Netgear FVS338 VPN Firewall (remote gateway), WAN IP address 10.1.1.150, LAN IP address/subnet 192.168.2.1/255.255.255.0. Configuring the FVX538: To configure the FVX538 VPN Wizard: 1. Select VPN from the main menu. The Policies submenu will display, showing the IKE Policies screen. 2. Select VPN Wizard. The VPN Wizard screen will display. 3. Select the VPN Tunnel connection type; in this case, the Gateway radio box is selected. 4. Give the client connection a name, such as to_fvs. 5. Enter a value for the pre-shared key. 6. Select the local WAN interface to bind this connection to (the WAN port for the VPN tunnel). (Figure: VPN Wizard screen with VPN Wizard Default Values and About VPN Wizard panels.) The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Po
74. 68.1.100 with a Subnet Mask of 255.255.255.255.
• If you want to allow a subnet access to the VPN firewall through SNMP, enter an IP address of, for example, 192.168.1.100 with a Subnet Mask of 255.255.255.0. The traps will still be received on 192.168.1.100, but the entire subnet will have access through the community string.
• If you want to make the VPN firewall globally accessible using the community string but still receive traps on the host, enter 0.0.0.0 as the Subnet Mask and an IP Address for where the traps will be received.
Enter the trap port number of the configuration in the Port field. The default is 162.
4. Enter the trap community string of the configuration in the Community field.
5. Click Add to create the new configuration. The entry will display in the SNMP Configuration table.
6. Click Edit in the Action column adjacent to the entry to modify or change the selected configuration.
(Figure: SNMP screen (Administration > SNMP, with the SNMP System Info link), showing the SNMP Configuration table with the columns IP Address, Subnet Mask, Port, Community and Action, and the Create New SNMP Configuration Entry fields IP Address, Subnet Mask, Port (162) and Community, with an Add button.)
75. 8 (Figure 5-14: VPN Wizard screen on the FVS338, with the VPN Wizard Default Values link and the About VPN Wizard help text: "The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu." Fields shown: This VPN tunnel will connect to the following peers: Gateway / VPN Client; Connection Name and Remote IP Type: What is the new Connection Name?, What is the pre-shared key? 12345678 (Key Length 8-49 Char); End Point Information: What is the Remote WAN's IP Address or Internet Name? 10.1.32.40, What is the Local WAN's IP Address or Internet Name? 10.1.1.150; Secure Connection Remote Accessibility: What is the remote LAN IP Address?, What is the remote LAN Subnet Mask?)
4. Enter a value for the pre-shared key.
5. Enter the WAN IP address of the remote FVX538.
6. Enter the WAN IP address of the FVS338.
7. Enter the LAN IP address and subnet mask of the remote FVX538.
8. Click Apply to create the to_fvx IKE and VPN policies. The VPN Policies screen will display.
Testing the Connection
To test the VPN gateway tunnel:
1. From a PC on either LAN firewall, try to ping a PC on the LAN of the other firewall. Establishing the VPN conne
76. 9-3, 10
groups, managing 3-6
H
hardware requirements C-3
Hosting A Local Public Web Server, example of 4-16
hosts, managing 3-6
I
Iego.net 2-15
IGP 3-13
IKE Policies, management of 5-11
IKE Policies screen 5-9
IKE Policy: about 5-10; ModeConfig, configuring with 5-39; XAUTH, adding to 5-32
Inbound Rules: default definition 4-2; field descriptions 4-5; order of precedence 4-7; Port Forwarding 4-2, 4-4; rules for use 4-4
inbound rules 4-4; example 4-17
Inbound Service Rule, modifying 4-8
Inbound Services, field descriptions 4-5
inbound traffic C-6, C-8; dual WAN ports C-8, C-9; single WAN port reference case C-8
increasing traffic 6-5; DMZ Port 6-7; Port Forwarding 6-5; Port Triggering 6-6; VPN Tunnels 6-7
installation 1-4
Installation, instructions for 2
Interior Gateway Protocol, See IGP
Internet: configuration requirements C-3, C-4, C-5; configuring the connection manually 2-5; connecting to 2-7
Internet connection: configuring 2-2; manual configuration 2-5
Internet service, connection types 2-3
Internet Service Provider, See ISP
Internet Traffic Statistics 6-18
IP Address, router default 3-2
IP addresses: auto-generated 7-3; DHCP address pool 3; how to assign 3-1; multi-home LAN 3-4; reserved 3-9
IP Subnet Mask, router default 3-2
IPsec 4-15
IPSec Connection Status screen 6-25
IPSec Host 5-32, 5-33
IPsec Host, XAUTH with ModeConfig 5-40
ISP connection, troubleshooting 7-4
K
Keep
77. (Figure 5-33: Security Policy Editor, NETGEAR ProSafe VPN Client, Network Security Policy: My Connections > the ModeConfig test connection > Security Policy > Authentication (Phase 1) > Proposal 1. Authentication Method and Algorithms: Encryption and Data Integrity Algorithms: Encrypt Alg Triple DES, Hash Alg SHA-1; SA Life Seconds 3600; Key Group Diffie-Hellman Group 2.)
5. Click on Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. The SA Lifetime can be longer, such as 8 hours (28800 seconds).
(Figure 5-34: Security Policy Editor, Key Exchange (Phase 2) > Proposal 1. IPSec Protocols: SA Life Seconds 28800; Compression None; Encapsulation Protocol (ESP) enabled: Encrypt Alg Triple DES, Hash Alg SHA-1, Encapsulation Tunnel; Authentication Protocol (AH) not enabled.)
6. Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client.
78. (Figure 3-3: Known PCs and Devices table (Name, IP Address, Type, IP Address, MAC Address, Group; select all / delete) and the Add Known PCs and Devices fields; Edit Groups and Hosts screen (Operation succeeded) with Name 9300UNIT3, IP Address Type Fixed (set on PC), IP Address, MAC Address 00:11:43:71:c8:d8, Group Group1.)
To edit the information of any of the Known PCs or Devices:
1. Click Edit in the Action column opposite the name of the device. The Edit Groups and Hosts screen will display.
2. Modify any of the fields on this screen.
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your new settings. The modified record will appear in the Known PCs and Devices table.
To edit the names of any of the eight available groups:
1. Click Edit Group Names at the upper right of the Groups and Hosts screen. The Network Database Group Names screen will display.
2. Check the radio button opposite the Group Name you want to change and type a suitable name in the field.
3. Click Reset to discard any changes and revert to the previous settings.
4. Click Apply to save the settings.
79. Authority. The table lists the certificates of each CA and contains the following data:
• CA Identity (Subject Name): The organization or person to whom the certificate is issued.
• Issuer Name: The name of the CA that issued the certificate.
• Expiry Time: The date after which the certificate becomes invalid.
The Active Self Certificates table shows the Certificates issued to you by the various CAs (Certification Authorities) and available for use. For each Certificate, the following data is listed:
• Name: The name you used to identify this Certificate.
• Subject Name: This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name. Generally, all Certificates should have the same value in the Subject field.
• Serial Number: It is a serial number maintained by the CA. It is used to identify the certificate within the CA.
• Issuer Name: The name of the CA which issued the Certificate.
• Expiry Time: The date on which the Certificate expires. You should renew the Certificate before it expires.
Generating a Self Certificate Request
To use a Certificate, you must first request the certificate from the CA, then download and activate the certificate on your system. To request a Certificate from the CA:
1. From the main menu under VP
80. CP clients, where the IP address is allocated by the DHCP Server in this device, this IP address will not change. Where the IP address is set on the PC as a fixed IP address, you may need to update this entry manually if the IP address on the PC is changed.
Table 6-1. Known PCs and Devices (continued)
Item / Description
MAC Address: The MAC address of the PC. The MAC address is a low-level network identifier which is fixed at manufacture.
Group: Each PC or device must be in a single group. The Group column indicates which group each entry is in. By default, all entries are in Group1.
Note: If the VPN firewall is rebooted, the table data is lost until the VPN firewall rediscovers the devices.
Viewing Port Triggering Status
You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu. When the Port Triggering screen displays, click the Status link.
(Figure: Port Triggering screen (Security > Port Triggering, Status link; Operation succeeded). The Port Triggering Status table shows Name, Enable, Protocol, Outgoing Ports (Start Port, End Port), the rule's LAN IP Address, Open Ports and Time Remaining (Sec); an example rule "Abstracts", not enabled, TCP ports 20-22, is listed. Below it are select all / delete and Add Port Triggering Rule.)
81. Check the radio box of the WAN interface that will act as one end of this VPN tunnel (WAN 1 or WAN 2).
6. Enter the public WAN IP address of the gateway to which you want to connect. Alternatively, you can provide the Internet name of the gateway. The Internet name is the Fully Qualified Domain Name (FQDN), for example vpn.netgear.com.
7. Enter the Local WAN IP Address or Internet name. Both local and remote ends should be defined as either IP addresses or Internet Names (FQDN). A combination of IP address and Internet Name is not permissible.
8. Click Apply. The VPN Policies screen will display, showing that the Client policy home has been added and enabled. Click Edit in the Action column adjacent to the home policy to view the home policy parameters. It should not be necessary to make any changes.
(Figure: List of VPN Policies (Operation succeeded), columns Name, Type, Local, Remote, AH, ESP, Action. Policy Offsite: Auto Policy, local 192.168.1.0/255.255.255.0, remote 192.168.10.1/255.255.255.0, SHA-1, 3DES. Policy home: Auto Policy, local 192.168.1.0/255.255.255.0, remote Any, SHA-1, 3DES. Client Policy fields: Policy Name home; Select Local Gateway WAN1 / WAN2; Remote Endpoint IP Address; Enable NetBIOS; Traffic Selection.)
82. FVX538
Publication Date: August 2006
Product Family: VPN Firewall
Product Name: ProSafe VPN Firewall 200
Home or Business Product: Business
Language: English
Publication Part Number: 202-10062-04
Publication Version Number: 1.0
Contents
About This Manual
Conventions, Formats and Scope xiii
How to Use This Manual xiv
How to Print This Manual xiv
Revision History xv
Chapter 1 Introduction
Key Features 1-1
Dual WAN Ports for Increased Reliability or Outbound Load Balancing 1-2
A Powerful, True Firewall with Content Filtering 1-2
Security Features 1-3
Autosensing Ethernet Connections with Auto Uplink 1-3
Extensive Protocol Support 1-3
(entry illegible) 1-4
Easy Installation and Management 1-4
Maintenance and Support 1-5
Package Contents 1-5
Router Front Panel 1-6
Router Rear Panel 1-8
Rack Mounting
83. N, select the Certificates submenu. The Certificates screen will display.
2. In the Generate Self Certificate Request, enter the required data:
• Name: Enter a name that will identify this Certificate.
• Subject: This is the name which other organizations will see as the Holder (owner) of the Certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. Using the same name, or a derivation of the name, in the Title field would be useful.
• From the pull-down menus, select the following values: Hash Algorithm: MD5 or SHA2; Signature Algorithm: RSA; Signature Key Length: 512, 1024, 2048. Larger key sizes may improve security, but may also impact performance.
3. Complete the Optional fields, if desired, with the following information:
• IP Address: If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
(Figure: Certificates screen (Operation succeeded). Trusted Certificates (CA Certificate) table with the columns CA Identity (Subject Name), Issuer Name and Expiry Time, select all / delete, and Upload Trusted Certificate (Trusted Certificate File, upload). Active Self Certificates table with the columns Name, Subject Name, Serial Number, Issuer Name and Expiry Time, select all / delete.)
84. (entry illegible) 6-24
Monitoring VPN Tunnel Connection Status 6-25
(entry illegible) 6-26
(entry illegible) 6-27
(entry partly illegible) Diagnostics 6-27
Chapter 7 Troubleshooting
(entry illegible) 7-1
Power LED Not On 7-1
LEDs Never Turn Off 7-2
LAN or Internet Port LEDs Not On 7-2
Troubleshooting the Web Configuration Interface 7-2
Troubleshooting the ISP Connection 7-4
Troubleshooting a TCP/IP Network Using a Ping Utility 7-5
Testing the LAN Path to Your Firewall 7-5
Testing the Path from Your PC to a Remote Device 7-6
Restoring the Default Configuration and Password 7-7
Problems with Date and Time 7-7
Appendix A Default Settings and Technical Specifications
Appendix B Related Documents
85. (Figure 6-7: Traffic Meter screen. Options shown: WAN1 traffic metering Yes / No; End Date; Increase this month's limit; Restart Traffic Counter Now; Restart Traffic Counter at Specific Time (12:00 PM on the 1st day of the month); Block all traffic / Block all traffic except e-mail; Send e-mail report before restarting counter. Traffic table with Incoming Traffic and Outgoing Traffic (Total MB, MB Per Day) for Email, HTTP, others and Total, all 0.)
Setting Login Failures and Attacks Notification
Figure 6-8 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log of firewall activities to an email address, or a log of the firewall activities can be viewed, saved to a Syslog server, and then sent to an e-mail address. You can view the logs by clicking View Logs.
(Figure 6-8: Firewall Logs & E-mail screen (Monitoring > Firewall Logs & E-mail). View Log: View System Logs. Log Options: Send logs according to this schedule (Unit Never / Day Sunday / Time 2:00 a.m./p.m.); Log Identifier; Security Logs; System Logs; Accepted Packets; Drop
86. NCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib
zlib.h: interface of the 'zlib' general purpose compression library, version 1.1.4, March 11th, 2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly, jloup@gzip.org; Mark Adler, madler@alumni.caltech.edu.
The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
Product and Publication Details
Model Number
87. (Figure 2-7: Dynamic DNS screen (Network Configuration > Dynamic DNS), with the tabs DynDNS Information, TZO Information and Iego Registration. WAN Mode: Current WAN Mode Single Port WAN1. WAN1 DDNS Status: service is not enabled. Select the Dynamic DNS Service: None, DynDNS.org, TZO.com, Iego.net; fields Host and Domain Name (Example), User Name, Password, Use wildcards, Update every 30 days. WAN2 DDNS Status: service is not enabled, with the same selection and fields.)
2. Check the Dynamic DNS Service radio box you want to enable. The fields corresponding to the selection you have chosen will be highlighted. Each DNS service provider requires its own parameters.
3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is opposite the DNS Configuration screen name.
4. After setting up your account, return to the Dynamic DNS Configuration screen and fill in the required fields for the DDNS service you selected:
a. In the Host and Domain Name field, enter the entire FQDN name that your dynamic DNS service provider gave you, for example <yourname>.dyndns.org.
b. Enter the User Name, User email Address, or Account Name requested by the DDNS Service to identify you when logging into your DDNS account.
c. Enter the Password or User Key for your DDNS account.
Connecting th
88. (Figure 4-12: Inbound Services table with the columns Service Name, Filter, LAN Server IP Address, LAN Users, WAN Users, Destination, Log and Action (up, down, edit; select all, delete, enable, disable, add). Example rule: HTTP, Allow Always, LAN Server IP Address 192.168.1.2, WAN Users ANY, Destination 10.1.10.52, Log Never.)
To test the connection from a PC on the Internet, type http://<IP_address>, where <IP_address> is the public IP address you have mapped to your Web server. You should see the home page of your Web server.
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN or DMZ as this host:
1. Create an inbound rule that allows all protocols.
2. Place the rule below all other inbound rules.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
89. (Figure 5-27: Add User fields User Name, Password, Confirm Password, with the entry Tester; Edit User screen (Operation succeeded) with User Name Tester, Password, Confirm Password, Apply and Reset.)
To edit the user name or password:
1. Click Edit opposite the user's name. The Edit User screen will display.
2. Make the required changes to the User Name or Password and click Apply to save your settings, or Reset to cancel your changes and return to the previous settings. The modified user name and password will display in the Configured Users table.
RADIUS Client Configuration
RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing Authentication, Authorization and Accounting (AAA) of multiple users in a network. A RADIUS server will store a database of user information, and can validate a user at the request of a gateway or server in the network when a user requests access to network resources.
During the establishment of a VPN connection, the VPN gateway can interrupt the process with an XAUTH (eXtended AUTHentication) request. At that point, the remote user must provide authentication information such as a username/password or some encrypted response using his username/password information. The gateway will try and verify this information first against a local User Database (if RADIUS-PAP is enabled) and then by relaying the infor
90. (Figure C-9: Road Warrior example, single WAN port. VPN Router at employer's main office, LAN IP 10.5.6.1, with its FQDN (a dyndns.org name) and WAN IP; remote PC running the NETGEAR ProSafe VPN Client. Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.)
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully qualified domain name must be used. If the IP address is fixed, a fully qualified domain name is optional.
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall (Figure C-10), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as a responder.
(Figure C-10: Road Warrior example, dual WAN ports, before rollover. Client B connects to Gateway A, the VPN Router at employer's main office: LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN1 IP with its dyndns.org FQDN, WAN2 port inactive (WAN2 IP N/A). The remote PC runs the NETGEAR ProSafe VPN Client. Fully Qualified Domain Names (FQDN) are required for fixed IP addresses and for dynamic IP addresses.)
The IP addresses of the gateway WAN ports can be either fixed or d
91. P address will appear.
(Figure 5-18: Security Policy Editor, NETGEAR ProSafe VPN Client, Network Security Policy: My Connections > to_FVX > My Identity. Select Certificate: None; ID Type: Domain Name fvx_remote.com; Port: All; Virtual Adapter: Disabled; Internet Interface: Name Broadcom 440x 10/100 Integrated Controller, IP Addr 192.168.1.100. A Pre-Shared Key button is shown.)
Before leaving the My Identity menu, click Pre-Shared Key.
6. Click Enter Key and then enter your preshared key, and click OK. This key will be shared by all users of the FVX538 policy home.
(Figure 5-19: Pre-Shared Key dialog in the Security Policy Editor: "Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key."; Internet Interface IP Addr 10.0.0.12.)
7. In the left frame, select Security Policy.
92. Type pull-down menu, select Reserved (DHCP Client) to direct the router to reserve the IP address for allocation by the DHCP server, or select Fixed (Set on PC) if the IP address is statically assigned on the computer.
Note: When assigning a Reserved IP address to a client, the IP address selected must be outside the range of addresses allocated to the DHCP Server pool.
4. Enter the IP Address that this computer or device is assigned in the IP Address field. If the IP Address Type is Reserved (DHCP Client), the router will reserve the IP address for the associated MAC address.
5. Enter the MAC Address of the computer's network interface in the MAC Address field. The MAC address should be in the form xx:xx:xx:xx:xx:xx (for example, 00:80:48:2a:8b:c0) and contain only the numbers 0-9 and letters a-f.
6. From the Group pull-down menu, enter the Group to which the computer will be assigned. Group 1 is the default group.
7. Click Add. The device will be added to the Known PCs and Devices table.
(Figure: Groups and Hosts screen (Network Configuration > LAN Setup; tabs WAN Mode, Protocol Binding, Dynamic DNS, LAN Setup, DMZ Setup, Routing), with the Edit Group Names link. Known PCs and Devices table with the columns Name, IP Address, MAC Address and Group; example entry 9300UNIT3, 192.168.1.2, 00:11:43:71:c8:d8, Group1; DHCP Assigned IP
93. 2. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.
3. Click Login.
Note: You might want to enable remote management at this time so that you can log in remotely in the future to manage the firewall (see Enabling Remote Management Access on page 6-10). If you enable remote management, you are strongly advised to change your password (see Changing Passwords and Settings on page 6-8).
Configuring the Internet Connections to Your ISPs
You should first configure your Internet connections to your ISPs on WAN port 1, and then configure WAN port 2 second.
To automatically configure the WAN ports and connect to the Internet:
1. The WAN1 ISP Settings screen, similar to the one shown in Figure 2-1, should display when you log in. If the screen does not display, select the primary menu option Network Configuration and the sub-menu option WAN Settings.
(Figure 2-1: WAN1 ISP Settings screen (Network Configuration > WAN Settings, with the Advanced and WAN Status links). ISP Login: Does Your Internet Connection Require a Login? Yes / No; Login; Password. ISP Type: Account Name; Domain N
94. VPNC-compliant VPN routers and clients.
• SNMP: The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
• Diagnostic Functions: The firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
• Remote Management: The firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
• Visual monitoring: The VPN firewall's front panel LEDs provide an easy way to monitor its status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall:
• Flash memory for firmware upgrade.
• Free technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product.
Package Contents
The product package should contain the following items:
• ProSafe VPN Firewall 200
• AC power cable
• 19-inch rack mounting hardware and rubber feet
• Category 5 (Cat5) Ethernet cable
• Installation Guide, F
95. VX538 ProSafe VPN Firewall 200
• Resource CD, including Application Notes and other helpful information; ProSafe VPN Client Software (five user licenses); Trend Micro software evaluation
• Warranty and Support Information Card
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.
Router Front Panel
The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
(Figure 1-1: NETGEAR ProSafe VPN Firewall Router front panel.)
Table 1-1 describes each item on the front panel and its operation.
Table 1-1. Object Descriptions
Object / Activity / Description
1. Power LED: On (Green): Power is supplied to the firewall. Off: Power is not supplied to the firewall.
2. Test LED: On (Amber): Test mode. The system is initializing or the initialization has failed. Blinking (Amber): Writing to Flash memory during upgrading or resetting to defaults. Off: The system has booted successfully.
Table 1-1. Object Descriptions (continued)
Object / Activity / Description
Two RJ-45 WAN ports, N-way automatic speed negotiation, Auto MDI/MDIX. Link/Act LED: On (Green): The WAN port has det
96. WAN port, you may need a fully qualified domain name, either for convenience or if you have a dynamic IP address.
b. If you are going to use both WAN ports, determine whether you are going to use them in rollover mode for increased system reliability or load balancing mode for maximum bandwidth efficiency. See the topics in this appendix for more information. Your decision has the following implications:
• Fully qualified domain name: For rollover mode, you are going to need a fully qualified domain name to implement features such as exposed hosts and virtual private networks. For load balancing mode, you may still need a fully qualified domain name, either for convenience or if you have a dynamic IP address.
• Protocol binding: For rollover mode, protocol binding does not apply. For load balancing mode, you need to decide which protocols you want to bind to a specific WAN port if you are going to take advantage of this option; you will make these selections in Configuring the WAN Mode (Required for Dual WAN) on page 2-10.
You can also add your own service protocols to the list (see Services-Based Rules on page 4-2 for information on how to do this).
3. Set up your accounts.
a. Have active Internet services, such as that provided by cable or DSL broadband accounts, and locate the Internet Servi
97. (Figure C-14: Gateway-to-Gateway example, dual WAN ports, before rollover. VPN Router at office A with WAN_A2 port inactive (WAN_A2 IP N/A); VPN Router at office B with WAN_B2 port inactive (WAN_B2 IP N/A). Fully Qualified Domain Names (FQDN) are required for fixed IP addresses and for dynamic IP addresses.)
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
After a rollover of a gateway WAN port (Figure C-15), the previously inactive gateway WAN port becomes the active port (port WAN_A2 in this example), and one of the gateway VPN firewalls must re-establish the VPN tunnel.
(Figure C-15: Gateway-to-Gateway example, dual WAN ports, after rollover. Gateway A, the VPN Router at office A: LAN 10.5.6.0/24, LAN IP 10.5.6.1, its dyndns.org FQDN, WAN_A1 port inactive (WAN_A1 IP N/A), WAN_A2 active. Gateway B, the VPN Router at office B: LAN 172.23.9.0/24, LAN IP 172.23.9.1, FQDN netgearB.dyndns.org, WAN_B1 active, WAN_B2 port inactive (WAN_B2 IP N/A). Fully Qualified Domain Names (FQDN) are required for fixed IP addresses and for dynamic IP addresses. One of the gateway routers must re-establish the VPN tunnel after a rollover.)
The purpose of the fu
98. a Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
PPP. Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, I
99. 3. Select a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint; it is used to help you manage the VPN settings.
[Figure 5-7: VPN Wizard screen. About VPN Wizard: "The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu." Fields shown: This VPN tunnel will connect to the following peers (Gateway / VPN Client); Connection Name and Remote IP Type: new Connection Name (home), pre-shared key (12345678; key length 8-49 characters), local WAN interface (WAN1 / WAN2); End Point Information: Remote Identifier Information (fvx_remote.com), Local Identifier Information (fvx_local.com); Secure Connection Remote Accessibility: remote LAN IP Address, remote LAN Subnet Mask.]
4. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN Gateway or the remote VPN Client. The key length should be a minimum of 8 characters and should not exceed 49 characters. This method does not require using a CA (Certificate Authority).
5
100. alance the load for outgoing traffic. These two categories of considerations interact to make the planning process more challenging.
Inbound Traffic: Unrequested incoming traffic can be directed to a PC on your LAN rather than being discarded. The mechanism for making the IP address public depends on whether the dual WAN ports are configured to either roll over or balance the loads. See "Inbound Traffic" on page C-8 for further discussion.
Virtual Private Networks (VPNs): A virtual private network (VPN) tunnel provides a secure communication channel between either two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for the other tunnel end point to establish (or re-establish) the VPN tunnel. See "Virtual Private Networks (VPNs)" on page C-10 for further discussion.
Note: Once the gateway firewall WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address.
The Roll-over Case for Firewalls With Dual WAN Ports: Rollover (Figure C-2) for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time, and when it rolls over, the IP address of the active
101. A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVX538 are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
The firewall rules for blocking or allowing traffic on the VPN firewall can be applied to LAN/WAN traffic, DMZ/WAN traffic, and LAN/DMZ traffic.
Services-Based Rules: The rules to block traffic are based on the traffic's category of service.
• Outbound Rules (service blocking): Outbound traffic is normally allowed unless the firewall is configured to disallow it.
• Inbound Rules (port forwarding): Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
• Customized Services: Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see "Adding Customized Services" on page 4-21).
• Quality of Service (QoS) priorities: Each service has its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change this QoS priority if desired to change the traffi
102. [Figure 2-1: WAN1 ISP Settings screen. Fields shown: Which type of ISP connection do you use (Austria (PPTP), Other (PPPoE), BigPond Cable); Login, Server, Idle Timeout / Keep Connected, Idle Time (Minutes), My IP Address, Server IP Address, Domain Name; Internet IP Address: Get Dynamically from ISP / Use Static IP Address (IP Address, IP Subnet Mask, Gateway IP Address); Domain Name Server (DNS) Servers: Get Automatically from ISP / Use These DNS Servers (Primary DNS Server).]
2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support. When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table.
Table 2-1. Internet connection methods
Connection Method / Data Required
PPPoE: Login (Username, Password), Account Name, Domain Name
PPTP: Login (Username, Password), Account Name, Local IP address and PPTP Server IP address
Table 2-1. Internet connection methods (continued)
Connection Method / Data Required
BigPond Cable, DHCP (Dynamic IP), Fixed (Static) IP: Login Username
103. ation. For example, 169.254.141.148 could be a valid IP address.
Fixed or Static Internet IP Address: ______ Gateway IP Address: ______ Subnet Mask: ______
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address: ______ Secondary DNS Server IP Address: ______
Host and Domain Names: Some ISPs use a specific host or domain name, like CCA7324-A or home. If you haven't been given host or domain names, you can use the following examples as a guide:
• If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name.
• If your ISP's mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: ______ ISP Domain Name: ______
Fully Qualified Domain Name: Some organizations use a fully qualified domain name (FQDN) from a dynamic DNS service provider for their IP addresses. Dynamic DNS Service Provider: ______ FQDN: ______
Overview of the Planning Process: The areas that require planning when using a firewall that has dual WAN ports include:
• Inbound traffic (e.g., port forwarding, port triggering, DMZ port)
• Virtual private networks (VPNs)
The two WAN ports can be configured on a mutually exclusive basis to either:
• Rollover for increased reliability, or
• B
104. ation of, 2-15
Dynamic DNS Configuration screen, 2-16
Dynamic DNS, See DDNS
DynDNS.org, 2-15
E
Edge Device, 5-32; XAUTH with ModeConfig, 5-40
Edit Group Names, 2-14, 3-9
Edit IKE Policy screen, 5-6
Edit Protocol Binding, 2-14
Edit VPN Policy screen, 5-9
E-mail alerts, 4-32
e-mail logs, enabling notification, 4-32
E-mail Server address, 4-33
Enable DHCP Server, 3-3
Enable DHCP server, 3-1
Enable DNS Proxy, 3-3
Enable the DHCP Server, DMZ port, 3-11
Encapsulating Security Payload, VPN Policy, 5-13
Ending IP Address, DHCP Address Pool, 3-3
Ethernet, Auto Uplink, 3
Event Logs, emailing of, 4-31
Extended Authentication, See XAUTH
F
factory default login, 1-9
factory default settings, revert to, 6-13
firewall: connecting to the Internet, 2-1, C-3; features, 1-1, 1-2, 1-3, 1-4; front panel, 1-6; rear panel, 8; technical specifications, A-1; viewing activity, 6-25
Firewall Log Field Description, 4-35
Firewall Logs: emailing of, 4-31; setting up, 4-32; viewing, 4-34
Firewall Logs & E-mail screen, 4-31, 4-32, 6-19
Firewall Protection, Content Filtering: about, 4; firewall protection, 4-1
firmware: downloading, 6-15; upgrade, 6-15
Fixed IP, 2-4
Fixed IP Address, 3-7
FQDN, 2-16
fully qualified domain name, See FQDN
FVX538, features of, 1-1
G
Gateway VPN Tunnel, creating, 5-4
Gigabit Switch port, 1-1
Group Names, editing, 3-9
Groups and Hosts screen, 3-7, 3
105. c mix through the system (see "Setting Quality of Service (QoS) Priorities" on page 4-23).
Outbound Rules (Service Blocking): The FVX538 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
Note: See "Enabling Source MAC Filtering" on page 4-27 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall.
Table 4-1. Outbound Rules
Item / Description
Service Name: Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see "Adding Customized Services" on page 4-21).
Action (Filter): Select the desired action for outgoing connections covered by this rule: BLOCK always; BLOCK by schedule, otherwise Allow; ALLOW always; ALLOW by schedule, otherwise Block. Note: Any outbound traffic which is not blocked by rules you create will be allowed by the Default rule. ALLOW rules are only useful if the traffic is already covered by a BLOCK rule; that is, you wish to allow a subset of traffic that is currently blocked by another rule.
Select Schedule: Select the desired time schedule (i.e., Schedule1, Schedu
106. can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules: Schedule 1, Schedule 2, or Schedule 3.
To invoke rules and block keywords or Internet domains based on a schedule:
1. Select Security from the main menu and Schedule from the sub-menu. The Schedule 1 screen will display.
2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect.
3. Check the radio button to schedule the time of day: All Day or Specific Times. If you chose Specific Times, enter the Start Time and End Time fields (Hour, Minute, AM/PM), which will limit access during certain times for the selected days.
4. Click Reset to cancel your settings and revert to the previous settings.
5. Click Apply to save your settings to Schedule 1.
Repeat these 5 steps to set a schedule for Schedule 2 and Schedule 3.
[Figure: Schedule 1 screen under the Security menu (tabs: Block Sites, Firewall Rules, Source MAC Filter, Port Triggering, Trend Micro, Schedule 2, Schedule 3). Options shown: "Do you want this schedule to be active on all days or specific days?" (All Days / Specific Days, Sunday through Saturday); "Do you want this schedule to be active all day or at specific times?" (Start time: Hour, Minute, AM/PM).]
107. ce. Both local and remote ends should be defined as either IP addresses or Internet Names (FQDN). A combination of IP address and Internet Name is not permissible.
6. Enter the Local WAN IP Address or Internet Name of your gateway. The Local WAN IP address is used in the IKE negotiation phase. The WAN IP address assigned by your ISP may display automatically. You can modify the address to use your FQDN (required if the WAN Mode you selected is auto-rollover).
[Figure: VPN Wizard screen (VPN Wizard Default Values; Remote Tunnel EndPoint Already Exists). About VPN Wizard: "The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the VPN setting links on the left menu." Fields shown: This VPN tunnel will connect to the following peers (Gateway / VPN Client); Connection Name and Remote IP Type: new Connection Name (offsite), pre-shared key (12345678; key length 8-49 characters), local WAN interface (WAN1 / WAN2); Remote IP address or Internet name: What is the Remote WAN's IP Address or Internet Name (10.1.10.118); What is the Local WAN's IP Address or Inter
108. ce Provider (ISP) configuration information. In this document, the WAN side of the network is presumed to be provisioned as shown in Figure C-1, with two ISPs connected to the VPN firewall through separate physical facilities. Each FVX538 WAN port must be configured separately, however, whether you are using a separate ISP for each WAN port or are having the traffic of both WAN ports routed through the same ISP. You will need your ISP information for "Configuring the Internet Connections to Your ISPs" on page 2-2.
[Figure C-1: Customer premises with route diversity: the firewall's WAN port 1 connects through physical facility 1 to ISP 1, and WAN port 2 through physical facility 2 to ISP 2, both reaching the Internet.]
If your ISPs charge by the amount of bandwidth you use each month, you may want to consider setting up a traffic meter to keep track of your traffic (see "To manually configure your WAN1 ISP Settings" on page 2-5 if you want to do this).
Contact a Dynamic DNS Service and set up your fully qualified domain names if you need or want them. You will need your fully qualified domain names for "Configuring Dynamic DNS (If Needed)" on page 2-15.
3. Plan your network management approach. The VPN firewall is capable of being managed remotely, but this feature must be enabled locally after each factory default reset. You are strongly advised to change the default password (password) to something that is more secure at
109. cessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks from occurring in the first place. The VPN firewall has the necessary features and tools to help the network manager accomplish these goals.
Bandwidth Capacity: The maximum bandwidth capacity of the VPN firewall in each direction is as follows:
• LAN side: 1,800 Mbps (eight LAN ports at 100 Mbps each, plus one Gigabit LAN port)
• WAN side: 200 Mbps in load balancing mode (two WAN ports at 100 Mbps each), or 100 Mbps in rollover mode (one active WAN port at 100 Mbps)
In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports will support the following traffic rates:
• Load balancing mode: 3 Mbps (two WAN ports at 1.5 Mbps each)
• Rollover mode: 1.5 Mbps (one active WAN port at 1.5 Mbps)
As a result, and depending on the traffic being carried, the WAN side of the firewall will be the limiting factor to throughput for most installations.
Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but there is no backup in case one of the WAN ports fails. In such an event (and with one exception), the traffic that would have been sent on the failed WAN port gets diverted to the WAN port that is still working, th
110. chronize computer clock times in a network of computers. Select Administration from the main menu and Time Zone from the submenu. The Time Zone screen will display.
To set Time, Date and NTP servers:
1. From the Date/Time pull-down menu, select the Local Time Zone. This is required in order for scheduling to work correctly. The VPN firewall includes a Real Time Clock (RTC), which it uses for scheduling.
2. If supported in your region, check the Automatically Adjust for Daylight Savings Time radio box.
3. Select an NTP Server option by checking one of the following radio boxes:
• Use Default NTP Servers: If this is enabled, then the RTC (Real Time Clock) is updated regularly by contacting a Default Netgear NTP Server on the Internet.
• Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this instead and enter the name or IP address of an NTP Server in the Server 1 Name/IP Address field. If required, you can also enter the address of another NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the Default Netgear NTP servers.
4. Click Apply to save your settings, or click Cancel to revert to your previous settings.
[Figure: Administration menu (Remote Management, SNMP, Settings Backup &
111. column adjacent to the entry.
6. Build a list of Trusted Domains in the Trusted Domains fields. After each entry, click Add. The Trusted Domain will appear in the Trusted Domains table. You can also edit any entry by clicking Edit in the Action column adjacent to the entry. Click Reset to cancel your changes and revert to the previous settings. Click Apply to save your settings.
[Figure 4-17: Block Sites screen. Fields shown: Turn Content Filtering On (Yes / No); Proxy, Java, ActiveX, Cookies; Group1 through Group8 (select all, enable, disable); Blocked Keyword table (select all, delete) with Add Blocked Keyword; Trusted Domains table (select all, delete) with Add Trusted Domain; Apply, Reset.]
Enabling Source MAC Filtering: Source MAC Filter allows you to filter out traffic coming from certain known machines or devices.
• By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed.
• When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table.
112. ction may take several seconds.
2. For additional status and troubleshooting information, view the VPN Logs and VPN Connections Status screens in the FVX538 or FVS338.
Creating a VPN Client Connection: VPN Client to FVX538. This section describes how to configure a VPN connection between a Windows PC and the VPN firewall. Using the FVX538's VPN Wizard, we will create a single set of VPN Client policies (IKE and VPN) that will allow up to 200 remote PCs to connect from locations in which their IP addresses are unknown in advance. The PCs may be directly connected to the Internet or may be behind NAT routers. If more PCs are to be connected, an additional policy or policies must be created. Each PC will use Netgear's ProSafe VPN Client software. Since the PC's IP address is assumed to be unknown, the PC must always be the Initiator of the connection.
This procedure was developed and tested using:
• Netgear ProSafe VPN Firewall 200
• Netgear ProSafe VPN Client
• NAT router: Netgear FR114P
Configuring the FVX538:
1. Select the VPN Wizard.
2. Select the VPN Client radio button for the type of VPN connection.
3. Give the client connection a name, such as home.
4. Enter a value for the pre-shared key.
5. Check either the WAN1 or WAN2 radio box to select the WAN interface tunnel.
113. d. Each CA issues their own CRLs. It is important that you keep your CRLs up to date. You should obtain the CRL for each CA regularly. The CRL table lists your active CAs and their critical release dates:
• CA Identify: The official name of the CA which issued this CRL.
• Last Update: The date when this CRL was released.
• Next Update: The date when the next CRL will be released.
To upload a Certificate Identify to the CRL:
1. From the main menu under VPN, select Certificates. The Certificates screen will display, showing the CRL (Certificate Revocation List) table at the bottom of the screen.
2. Click Browse and then locate the file you previously downloaded from a CA.
3. Select the Certificate Identify file. The name will appear in the File to upload field. Click Upload. Click Back to return to the CRL list. The new Certificate Identify will appear in the CRL Table. If you have a previous CA Identity from the same CA, it should now be deleted.
[Figure 5-25: CRL table with columns CA Identity, Last Update, Next Update; select all, delete.]
Extended Authentication (XAUTH) Configuration: When connecting many VPN clients to a VPN gateway router, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a
114. [Figure 2-6: Edit Protocol Binding screen. Fields shown: Address, Source Network, Start Address, End Address; Apply, Reset.]
Modify the parameters for the protocol binding service you selected. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table. Click Reset to return to the previously configured settings.
Configuring Dynamic DNS (If Needed): Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, or Iego.net. Links to DynDNS, TZO, and Iego are provided for your convenience on the Dynamic DNS Configuration screen. The VPN firewall firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently; hence the need for a commercial DDNS service, which allows you to register an extension to its
115. 6. Click Apply to save this setting.
Note: If you make the administrator login time-out value too large, you will have to wait a long time before you are able to log back into the router if your previous login was disrupted (i.e., you did not click Logout on the Main Menu bar to log out).
[Figure 6-1: Administration, Set Password screen. Fields shown: User Selection (Edit Admin Settings / Edit Guest Settings); Old User Name, New User Name, Old Password, New Password, Retype New Password; Idle Logout Time: Administrator login times out after idle for (Minutes); Apply, Reset.]
Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset.
Enabling Remote Management Access: Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade and check the status of your VPN firewall. You must be logged in locally to enable remote management (see "Logging into the VPN Firewall" on page 2-1).
Note: Be sure to change the default configuration pas
116. d the Trend Micro Client Server Messaging Suite for SMB on your local network, the firewall can enforce antivirus scanning. When Antivirus Enforcement is selected, local PCs will not be allowed web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions.
To enable Trend Micro:
1. Select Security from the main menu and Trend Micro from the submenu. The Trend Micro screen will display.
2. In the "Do you want to enable the Antivirus Enforcement" section, check the Yes radio box.
[Figure 3-8: Trend Micro screen under the Security menu (tabs: Services, Schedule, Block Sites, Firewall Rules, Source MAC Filter, Port Triggering, Trend Micro). Fields shown: Do you want to enable Antivirus Enforcement (Yes / No); Office Scan Server IP Address; Office Scan Client Communication Port; Office Scan Server HTTP Port (8080); Host table (select all, delete) with Add Host.]
Enter the Office Scan Server IP Address on the LAN. Then enter the 5-digit port number used for communications between the Office Scan clients and the server in the Office Scan Client Communication Port. Finally, enter the Office Scan Server HTTP Port (by default, port 8080). Click Apply.
To allow a PC to access the web without the OfficeScan client:
1. Enter the IP address o
117. denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port, and (3) reply with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker's network location anonymous. If enabled, the router will not accept more than 20 simultaneous active UDP connections from a single computer on the LAN.
• VPN Pass through: When the router is in NAT mode, all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy. For example, if a VPN Client or Gateway on the LAN side of this router wants to connect to another VPN endpoint on the WAN (placing this router between two VPN end points), encrypted packets are sent to this router. Since this router filters the encrypted packets through NAT, the packets become invalid unless VPN Pass through is enabled. When enabled, the VPN tunnel will pass the VPN traffic without any filtering. Tunnels can be IPSec, PPTP, or L2TP.
To enable the appropriate Attack Checks for your environment
118. dure on how to use this feature.
Groups and Hosts: You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic. The Network Database is an automatically maintained list of all known PCs and network devices. PCs and devices become known by the following methods:
• DHCP Client Request: By default, the DHCP server in this Router is enabled and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. Because of this, leaving the DHCP Server feature on the LAN screen enabled is strongly recommended.
• Scanning the Network: The local network is scanned using standard methods such as ARP. This will detect active devices which are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined and will be shown as Unknown.
See "Managing Groups and Hosts (LAN Groups)" on page 3-6 for the procedure on how to use this feature.
Schedule: If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e., schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule. You specify the days of the week and time of day for each schedule. See "Setting a Schedu
119. [Figure 6-11: Router Status screen. Fields shown: IP Address, Subnet Mask, Gateway, Primary DNS, Secondary DNS, System up Time; per-port statistics for WAN1, WAN2 and LAN (Tx Pkts, Rx Pkts, Collisions, Tx B/s, Rx B/s, Up Time, MAC Address); Poll Interval (Seconds), set interval, stop; "The page will auto refresh in 1 seconds".]
Table 6-3. Router Status Fields
Item / Description
System Name: This is the Account Name that you entered in the Basic Settings page.
Firmware Version: This is the current software the router is using. This will change if you upgrade your router.
LAN Port: Displays the current settings for MAC address, IP address, DHCP role and IP Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None.
WAN1 Configuration: Indicates whether the WAN Mode is Single, Dual or Rollover and whether the WAN State is UP or DOWN. It also displays if NAT is Enabled or Disabled, and shows:
• Connection Type (DHCP enabled or disabled)
• Connection State
• WAN IP Address
• Subnet Mask
• Gateway Address
• Primary and Secondary DNS Server Addresses
• MAC Address
WAN2
120. e, your PC's address should be in the range of 192.168.0.2 to 192.168.0.254.
Note: If your PC's IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the firewall and reboot your PC.
• If your firewall's IP address has been changed and you don't know the current IP address, clear the firewall's configuration to factory defaults. This will set the firewall's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 7-7.
Tip: If you don't want to revert to the factory default settings and lose your configuration settings, you can reboot the router and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the router's LAN interface address.
• Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.
• Try quitting the browser and launching it again.
• Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.
If the firewall does not save changes you hav
121. e 4-4. Click Reset to cancel your settings and return to the previous settings. Click Apply to save your settings. The new rule will be added to the Inbound Services table.
Attack Checks: This screen allows you to specify whether or not the router should be protected against common attacks in the DMZ, LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below.
• WAN Security Checks:
Respond To Ping On Internet Ports: If you want the router to respond to a Ping from the Internet, click this check box. This can be used as a diagnostic tool. You shouldn't check this box unless you have a specific reason to do so.
Enable Stealth Mode: If enabled, the router will not respond to port scans from the WAN, thus making it less susceptible to discovery and attacks.
Block TCP Flood: A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker doesn't complete the connections, thus leaving the connection half-open and flooding the server with SYN messages. No legitimate connections can then be made. When enabled, the router will drop all invalid TCP packets and will be protected from a SYN flood attack.
• LAN Security Checks: A UDP flood is a form of
122. d. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org.
5. Click Apply to save your configuration.
6. Click Reset to return to the previous settings.

Configuring the Advanced WAN Options (If Needed)

To configure the Advanced WAN options:
1. If you haven't already, log in to the firewall at the default LAN address of http://192.168.1.1 with the default user name of admin and default password of password, or whatever password and LAN address you have chosen for the firewall.
2. Select Network Configuration from the primary menu and WAN Settings from the sub-menu. The WAN Settings screen will display. Click Advanced to access the WAN1 Advanced Options screen.

[Figure: WAN1 Advanced Options screen, with fields for Port Speed (AutoSense), MTU Size (Default or Custom bytes) and Router's MAC Address (Use Default Address, Use this computer's MAC, or Use this MAC Address), and an Apply button.]
123. ...IP addresses are known in advance.

[Figure C-13: Gateway-to-gateway example, single WAN ports. The VPN router at office A (LAN 10.5.6.0/24, LAN IP 10.5.6.1) connects to the VPN router at office B (LAN 172.23.9.0/24, LAN IP 172.23.9.1); each gateway is identified by its WAN IP address or by a fully qualified domain name such as netgear.dyndns.org.]

The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully qualified domain name must be used. If an IP address is fixed, a fully qualified domain name is optional.

VPN Gateway to Gateway, Dual Gateway WAN Ports for Improved Reliability

In the case of the dual WAN ports on the gateway VPN firewall (Figure C-14), either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance. In this example, port WAN_A1 is active and port WAN_A2 is inactive at Gateway A; port WAN_B1 is active and port WAN_B2 is inactive at Gateway B.

[Figure C-14: Gateway-to-gateway example, dual WAN ports, before rollover. Gateway A (LAN 10.5.6.0/24, netgearA.dyndns.org, WAN_A1 active) to Gateway B (LAN 172.23.9.0/24, netgearB.dyndns.org, WAN_B1 active).]
124. ...Detection Method section, select the failure detection method radio box from one of the following choices:
• DNS lookup using configured DNS Servers (ISP DNS Servers): DNS queries are sent to the DNS server configured on the WAN ISP pages (see Configuring the Internet Connections to Your ISPs on page 2-2).
• DNS lookup using this DNS Server (for example, a public DNS server): Enter any public DNS server. DNS queries are sent to this server through the WAN interface being monitored.
• Ping to this IP address: Enter a public IP address that will not reject the Ping request or consider the traffic abuse. Queries are sent to this address through the WAN interface being monitored.
5. Enter a Test Period in seconds. A DNS query (or Ping) is sent after every test period. The default test period is 30 seconds.

[Figure: WAN Mode screen, showing the NAT / Classical Routing choice between the WAN and LAN interfaces, the Port Mode options (Auto Rollover using WAN port WAN1, Load Balancing, view protocol bindings) and the WAN Failure Detection Method options (DNS lookup using configured DNS Servers, DNS lookup using this DNS Server, Ping to this IP address).]
125. ...disconnecting in the timeout field. This is useful if your ISP charges you based on the amount of time you have logged in.
• My IP Address: IP address assigned by the ISP to make the connection with the ISP server.
• Server IP Address: IP address of the PPTP server.

Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. Select this connection and configure the following fields:
• Account Name: Valid account name for the PPPoE connection.
• Domain Name: Name of your ISP's domain, or your domain name if your ISP has assigned one. You may leave this field blank.
• Idle Timeout: Select Keep Connected to keep the connection always on. To log out after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field.

BigPond Cable: If your ISP is Telstra BigPond Cable, select this option and fill in the Login Server and Idle Timeout fields. The Login Server is the IP address of the local BigPond Login Server in your area. You can find login server information at http://www.netgear.com/sg/support/bigpond.asp.

If your ISP has assigned a fixed (static or permanent) IP address, select the Use Static IP Address radio box and fill in the following fields:
• IP Address: Static IP address assigned to you. This will identify the router to your ISP.
• Subnet Mask: This is usually provided by the ISP or your network administrat
126. ...made in the Web Configuration Interface, check the following:
• When entering configuration settings, be sure to click the Apply button before moving to another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.

Troubleshooting the ISP Connection

If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.

To check the WAN IP address:
1. Launch your browser and select an external site such as www.netgear.com.
2. Access the Main Menu of the firewall's configuration at http://192.168.1.1.
3. Under the Monitoring menu, select Router Status.
4. Check that an IP address is shown for the WAN port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.

If your firewall is unable to obtain an IP address from the ISP, you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure:
1. Turn off power to the cable or DSL modem.
2. Turn off power to your firewall
127. ...read them before continuing.

Warning: Once you click Upload, do NOT interrupt the router.

To upgrade router software:
1. Select Administration from the main menu and Settings Backup and Firmware Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display.
2. Click Browse in the Router Upgrade section and locate the downloaded file.
3. Click Upload. This will start the software upgrade to your VPN firewall router. This may take some time. At the conclusion of the upgrade, your router will reboot.

Warning: Do not try to go online, turn off the router, shut down the computer, or do anything else to the router until the router finishes the upgrade. When the Test light turns off, wait a few more seconds before doing anything.

4. After the VPN firewall has rebooted, select Monitoring and confirm the new firmware version to verify that your router now has the new software installed.

Note: In some cases, such as a major upgrade, it may be necessary to erase the configuration and manually reconfigure your router after upgrading it. Refer to the Release Notes included with the software to find out if this is required.

Setting the Time Zone

Date, time and NTP Server designations can be input on the Time Zone screen. Network Time Protocol (NTP) is a protocol that is used to syn
128. ...detected a link with a connected Ethernet device.

Item                      LED / Connector         State              Description
3  WAN Ports and LEDs     Link/Act LED            On (Green)         The WAN port has detected a link with a connected Ethernet device.
                                                  Blinking (Green)   Data is being transmitted or received by the WAN port.
                                                  Off                The WAN port has no link.
                          100 LED                 On (Green)         The WAN port is operating at 100 Mbps.
                                                  Off                The WAN port is operating at 10 Mbps.
                          Active LED              On (Green)         The WAN port has a valid Internet connection.
                                                  On (Amber)         The Internet connection is down, or is not being used because the port is held available for failover in case the connection on the other WAN port fails.
                                                  Off                The WAN port is either not enabled or has no link.
4  LAN Ports and LEDs     8-port RJ-45 10/100 Mbps Fast Ethernet switch with N-way automatic speed negotiation and auto MDI/MDIX.
                          Link/Act LED            On (Green)         The LAN port has detected a link with a connected Ethernet device.
                                                  Blinking (Green)   Data is being transmitted or received by the LAN port.
                                                  Off                The LAN port has no link.
                          100 LED                 On (Green)         The LAN port is operating at 100 Mbps.
                                                  Off                The LAN port is operating at 10 Mbps.
                          DMZ (port 8)            On (Green)         Port 8 is operating as a dedicated hardware DMZ port.
                                                  Off                Port 8 is operating as a normal LAN port.
5  Gigabit Port and LEDs  Gbit RJ-45 connector: port for connecting to a gigabit Ethernet device.
                          Link/Act LED            On (Green)         The port has detected a link with a connected Ethernet device.
                                                  Blinking (Green)   Data is being transmitted or received by the port.
                                                  Off                The port has no link.
                          Speed LED               On (Green)         The port is operating at 1,000 Mbps.
                                                  On (Amber)         The LAN por
129. ...ed the Traffic Meter, these statistics are not available. Click this link if you want to know more details of the Internet traffic. The volume of traffic for each protocol will be displayed in a sub-window. Traffic counters are updated in MBytes; a counter starts only when the traffic passed is at least 1 MB.

Configuring the WAN Mode (Required for Dual WAN)

The dual WAN ports of the ProSafe VPN Firewall 200 can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency).

Auto-Rollover Mode: In this mode the selected WAN interface is made primary and the other is the rollover link. As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once it is back up and running again. If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured, and that you configure the WAN Failure Detection Method to support Auto Rollover.

Load Balancing Mode: In this mode the router distributes the outbound traffic equall
130. Table 4-2. Inbound Rules

Item                        Description
Services                    Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Adding Customized Services on page 4-21).
Action (Filter)             Select the desired action for packets covered by this rule: BLOCK always; BLOCK by schedule, otherwise Allow; ALLOW always; ALLOW by schedule, otherwise Block. Note: Any inbound traffic which is not allowed by rules you create will be blocked by the Default rule.
Select Schedule             Select the desired time schedule (Schedule1, Schedule2 or Schedule3) that will be used by this rule (see Setting a Schedule to Block or Allow Specific Traffic on page 4-24). This drop-down menu is activated only when BLOCK by schedule, otherwise Allow or ALLOW by schedule, otherwise Block is selected as the Action. Use the Schedule page to configure the time schedules.
LAN Server or DMZ Server    This LAN address or DMZ server address determines which computer on your network is hosting this service. You can also translate this address to a port number.
Translate to Port Number    Check Translate to Port Number and enter a port number if you want to assign the LAN server to a specific port.
WAN Users                   These settings determine which Internet locations are cov
131. [Figure 6-10: Port Triggering screen, with the rule list (Name, Enable, Protocol, Outgoing Trigger Port Range, Incoming Response Port Range) and the Status and Refresh buttons.]

Table 6-2. Port Triggering Status data

Item             Description
Rule             The name of the rule.
LAN IP Address   The IP address of the PC currently using this rule.
Open Ports       The incoming ports which are associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
Time Remaining   The time remaining before this rule is released and thus available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received.

Viewing Router Configuration and System Status

The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display.

[Figure: Router Status screen, showing System Name (FVX538), MAC Address, Firmware Version (primary and secondary), LAN IP Address (192.168.1.1), IP Subnet Mask (255.255.255.0), DHCP (Enabled) and, for each WAN port, WAN Mode, WAN State (UP or DOWN), NAT, Connection Type (DHCP) and Connection Stat
132. ...selected entry. The Edit Secondary LAN IP Setup screen will display.
2. Modify the IP Address and Subnet Mask fields and click Apply.
3. Click Reset to discard any changes and revert to the previous settings.

Tip: The Secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by the secondary subnet.

Managing Groups and Hosts (LAN Groups)

The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts that are assigned dynamic IP addresses by this router. Collectively these entries make up the Network Database. The Network Database is created in two ways:
• DHCP Client Requests: By default, the DHCP server in this router is enabled and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. Because of this, leaving the DHCP Server feature on the LAN screen enabled is strongly recommended.
• Scanning the Network: The local network is scanned using standard methods such as ARP. This will detect active devices which are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined and will be shown as Unknown.

Creating the Network Database

Some advantages of the Netw
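Both the ARP scan that feeds the Network Database and the troubleshooting tip about sniffing ARP during a reboot come down to reading the same frames. The following is an added example, not code from the NETGEAR manual: it decodes raw Ethernet/ARP frames, builds the IP-to-MAC table a scan would record, and picks out the gratuitous ARP a router sends when its LAN interface comes up, which is what gives away a forgotten LAN address. The frames are constructed in the block with a small builder, and the MAC addresses are made up; a real run would hand the parser frames from a capture.

```python
# Added example, not from the NETGEAR manual: decode raw Ethernet/ARP frames and
# build the IP -> MAC "network database" the text describes, and pick out the
# gratuitous ARP a router announces when it boots (the tip in the troubleshooting
# section: sniff ARP during a reboot to recover a forgotten LAN address).
# Frames below are constructed with build_arp(); the MAC addresses are made up.
import struct

ETH_HDR = struct.Struct("!6s6sH")             # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text):
    return bytes(int(part) for part in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp(sender_mac, sender_ip, target_mac, target_ip, oper):
    """Assemble an Ethernet/ARP frame; used here only to construct sample traffic."""
    eth_dst = BROADCAST if oper == ARP_REQUEST else target_mac
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_text(sha), ip_text(spa), ip_text(tpa)


def host_table(frames):
    """IP -> MAC for every ARP sender seen, as a scan of the LAN would record it.
    Senders of 0.0.0.0 (address-conflict probes) carry no address to record."""
    hosts = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _oper, sender_mac, sender_ip, _target_ip = parsed
        if sender_ip != "0.0.0.0":
            hosts[sender_ip] = sender_mac
    return hosts


def announced_addresses(frames):
    """IPs announced by gratuitous ARP (a request whose sender and target IP match):
    this is what gives away a rebooting router's LAN interface address."""
    found = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REQUEST and parsed[2] == parsed[3] != "0.0.0.0":
            found.append(parsed[2])
    return found


# Constructed traffic: router boots and announces itself, a PC resolves it, a probe, one non-ARP frame.
ROUTER_MAC, ROUTER_IP = "00:14:6c:aa:bb:01", "192.168.1.1"
PC_MAC, PC_IP = "08:00:27:12:34:56", "192.168.1.20"
SAMPLE_FRAMES = [
    build_arp(ROUTER_MAC, ROUTER_IP, "00:00:00:00:00:00", ROUTER_IP, ARP_REQUEST),   # gratuitous ARP
    build_arp(PC_MAC, PC_IP, "00:00:00:00:00:00", ROUTER_IP, ARP_REQUEST),           # who-has 192.168.1.1
    build_arp(ROUTER_MAC, ROUTER_IP, PC_MAC, PC_IP, ARP_REPLY),                      # is-at
    build_arp("08:00:27:00:00:99", "0.0.0.0", "00:00:00:00:00:00", "192.168.1.50", ARP_REQUEST),  # probe
    ETH_HDR.pack(mac_bytes(PC_MAC), mac_bytes(ROUTER_MAC), 0x0800) + bytes(28),      # IPv4, ignored
]

if __name__ == "__main__":
    print("announced on boot:", announced_addresses(SAMPLE_FRAMES))
    for ip, mac in sorted(host_table(SAMPLE_FRAMES).items()):
        print(f"{ip:16} {mac}")
```

The parser checks the hardware and protocol types and lengths before trusting the addresses, which matters when the input is whatever happens to be on the wire. Note that the table only records what hosts claim about themselves: ARP carries no authentication, so a host answering for an address it does not own will be recorded just as the router is, which is one reason the manual's Network Database can show a device as Unknown or under an unexpected name.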
133. ...modem is connected and functioning.
• If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu.
• Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your firewall to clone or spoof the MAC address from the authorized PC. Refer to Manually Configuring Your Internet Connection on page 2-5.

Restoring the Default Configuration and Password

This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways:
• Use the Erase function of the firewall (see Backup and Restore Settings on page 6-14).
• Use the reset button on the rear panel of the firewall. Use this method for cases when the administration password or IP address is not known.

Because the reset button bypasses the administration password, anyone with physical access to the rear panel can wipe the configuration and log in with the defaults; keep the unit where only administrators can reach it.

To restore the factory default configuration settings without knowing the administration password or IP address, you must use the reset button on the rear panel of the firewal
134. ...When enabled, you must establish user accounts on the Local Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. RADIUS-PAP carries the user's password protected only by the RADIUS shared secret, so prefer RADIUS-CHAP where the server supports it.

Note: If you are modifying an existing IKE Policy to add XAUTH and it is in use by a VPN Policy, the VPN policy must be disabled before you can modify the IKE Policy.

To enable and configure XAUTH:
1. Select VPN from the main menu and Policies from the submenu. The IKE Policies screen will display.
2. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified, or you can create a new IKE Policy incorporating XAUTH by clicking Add.
3. In the Extended Authentication section, check the Edge Device radio box to use this router as a VPN concentrator where one or more gateway tunnels terminate. You then must specify the authentication type to be used in verifying credentials of the remote VPN gateways. Either the User Database or RADIUS Client must be configured when XAUTH is enabled.
4. In the Extended Authentication section, select the Authentication Type from the pull-down menu which will be used to verify user account information. Select:
• Edge Device to use this router as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways.
• User Database to verify against the router's user databa
135. ...screen will display.
2. Click Backup to save a copy of your current settings. If your browser isn't set up to save downloaded files automatically, locate where you want to save the file, specify the file name and click Save. If you have your browser set up to save downloaded files automatically, the file will be saved to your browser's download location on the hard disk. The backup holds the complete configuration, including credentials such as VPN pre-shared keys, so store it where only administrators can read it.

Warning: Once you start restoring settings or erasing the router, do NOT interrupt the process. Do not try to go online, turn off the router, shut down the computer, or do anything else to the router until it finishes restarting.

To restore settings from a backup file:
1. Click Browse. Locate and select the previously saved backup file (by default, netgear.cfg).
2. When you have located the file, click Restore. An Alert page will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.

To reset the router to the original factory default settings:
Click Default. You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the router's password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and as a DHCP client to the Internet. VPN policies, LAN/WAN settings and other settings will be lost. Please back up your settings if you intend on using them.

Warning: W
136. [Figure 5-30: IKE Policies screen. The Add IKE Policy form includes the Pre-shared Key (8 to 49 characters), Diffie-Hellman (DH) Group (Group 2, 1024 bit), SA Lifetime (sec) and Extended Authentication (XAUTH Configuration: None, Edge Device or IPsec Host; Authentication Type, Username, Password). The List of IKE Policies shows columns Name, Mode, Local ID, Remote ID, Encr, Auth, DH and Action, with an example policy "salesperson" (Aggressive mode, local_id.com / remote_id.com, 3DES, SHA-1, Group 2 1024 bit).]

Note that the example policy's settings reflect 2006 practice: Aggressive mode with a pre-shared key exposes a hash of that key to anyone who can observe the first exchange, and 3DES, SHA-1 and DH Group 2 (1024 bit) are weak by current standards. Use Main mode and a long random pre-shared key, and the strongest algorithms both peers support.

Configuring the ProSafe VPN Client for ModeConfig

From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.

To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
 a. Give the connection a descriptive name, such as modecfg_test (this name will only be used internally).
 b. From the ID Type pull-down menu, select IP Subnet.
 c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway).
 d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu.
 e. From the ID Type pull-down menu, select Domain name and enter the FQDN of
137. ...After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this router cannot be sure when the application has terminated.

Note: For additional ways of allowing inbound traffic, see Inbound Rules (Port Forwarding) on page 4-4.

To add a Port Triggering Rule:
1. Select Security from the main menu and Port Triggering from the submenu. The Port Triggering screen will display. Enter a user-defined name for this rule in the Name field.
2. From the Enable pull-down menu, indicate if the rule is enabled or disabled.

[Figure: Port Triggering screen. The rule list shows Name, Enable, Protocol, Outgoing Ports (Start Port, End Port) and Incoming Ports (Start Port, End Port), with an example rule "Abstracts" (Enable: No, TCP, outgoing 20-22, incoming 40-40). The Add Port Triggering Rule and Edit Port Triggering Rule forms take Name, Enable, Protocol, Outgoing (Trigger) Port Range and Incoming (Response) Port Range, each port in the range 1 to 65534.]
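The timeout and the "one PC at a time" behaviour above are easiest to see as a small state machine. The following is an added example, not code from the NETGEAR manual: it models a port-triggering rule the way the section describes it, with an outgoing connection on the trigger range arming the rule for the PC that sent it, unsolicited inbound traffic on the response range forwarded to that PC, both directions of traffic restarting the timer, and the rule busy for other PCs until the timer expires. The rule is the "Abstracts" example from the screen (TCP, trigger 20-22, response 40-40); the 600-second timeout and the LAN addresses are assumptions.

```python
# Added example, not from the NETGEAR manual: a model of the port-triggering
# behaviour the section describes. An outgoing connection on a rule's trigger
# range "arms" the rule for the PC that sent it; unsolicited inbound traffic on
# the response range is then sent to that PC until the rule's timer expires;
# both directions of traffic restart the timer; while armed, the rule is busy
# for other PCs. The rule below is the "Abstracts" example in the screen
# (TCP, trigger 20-22, response 40-40); the 600-second timeout is assumed.
from dataclasses import dataclass, field


@dataclass
class PortTriggerRule:
    name: str
    protocol: str                 # "TCP" or "UDP"
    trigger: tuple                # (start, end) outgoing ports that arm the rule
    response: tuple               # (start, end) incoming ports opened once armed
    timeout: float                # seconds of silence before the rule is released


@dataclass
class PortTriggering:
    rules: list
    armed: dict = field(default_factory=dict)   # rule name -> (lan_ip, expires_at)

    def _match(self, protocol, port, port_range):
        return [r for r in self.rules
                if r.protocol == protocol and port_range(r)[0] <= port <= port_range(r)[1]]

    def outbound(self, now, lan_ip, protocol, dst_port):
        """Record an outgoing packet. Returns 'armed', 'busy' (held by another PC)
        or 'no-trigger' (the packet does not hit any trigger range)."""
        result = "no-trigger"
        for rule in self._match(protocol, dst_port, lambda r: r.trigger):
            holder = self.armed.get(rule.name)
            if holder is None or holder[0] == lan_ip or holder[1] <= now:
                self.armed[rule.name] = (lan_ip, now + rule.timeout)
                result = "armed"
            else:
                result = "busy"
        return result

    def inbound(self, now, protocol, dst_port):
        """Return the LAN IP an unsolicited inbound packet is forwarded to, or None
        if no armed rule covers it (the firewall drops it)."""
        for rule in self._match(protocol, dst_port, lambda r: r.response):
            holder = self.armed.get(rule.name)
            if holder and holder[1] > now:
                lan_ip = holder[0]
                self.armed[rule.name] = (lan_ip, now + rule.timeout)  # traffic restarts the timer
                return lan_ip
        return None

    def status(self, now):
        """Rows like Table 6-2: (rule, LAN IP, open ports, time remaining)."""
        rows = []
        for rule in self.rules:
            holder = self.armed.get(rule.name)
            if holder and holder[1] > now:
                rows.append((rule.name, holder[0], rule.response, holder[1] - now))
        return rows


ABSTRACTS = PortTriggerRule("Abstracts", "TCP", (20, 22), (40, 40), timeout=600)

if __name__ == "__main__":
    fw = PortTriggering([ABSTRACTS])
    print(fw.inbound(0, "TCP", 40))                      # None: nothing has triggered yet
    print(fw.outbound(10, "192.168.1.20", "TCP", 21))    # armed
    print(fw.inbound(20, "TCP", 40))                     # 192.168.1.20
    print(fw.outbound(30, "192.168.1.21", "TCP", 21))    # busy
    print(fw.status(30))
```

Two properties worth noticing in the model: the response range is closed until something on the LAN triggers it, which is why port triggering exposes less than a static port-forwarding rule, and the busy state means a second PC silently fails to use the application until the first PC's timer runs out, which is the behaviour the Time Remaining column in Table 6-2 lets you diagnose.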
138. ...er control of WAN port traffic.

[Figure C-6: Dual WAN ports, load balancing. The IP addresses of the WAN ports are used; fully qualified domain names (for example netgear2.dyndns.org for WAN2) are required for dynamic IP addresses and optional for fixed IP addresses.]

Virtual Private Networks (VPNs)

When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall's dual WAN ports depends on the configuration being implemented.

Table C-2. IP addressing requirements for VPNs in dual WAN port systems

Configuration                          WAN IP address   Single WAN port (non-reference case)   Dual WAN: Rollover (a)   Dual WAN: Load Balancing
VPN Road Warrior (client-to-gateway)   Fixed            Allowed (FQDN optional)                FQDN required            Allowed (FQDN optional)
                                       Dynamic          FQDN required                          FQDN required            FQDN required
VPN Gateway-to-Gateway                 Fixed            Allowed (FQDN optional)                FQDN required            Allowed (FQDN optional)
                                       Dynamic          FQDN required                          FQDN required            FQDN required
VPN Telecommuter (client-to-gateway    Fixed            Allowed (FQDN optional)                FQDN required            Allowed (FQDN optional)
through a NAT router)                  Dynamic          FQDN required                          FQDN required            FQDN required

a. All tunnels must be re-established after a rollover using the new WAN IP addr
139. ...er is not known in advance. The chosen gateway WAN port must act as the responder.

[Figure C-20: Telecommuter example, dual WAN ports, load balancing. The VPN router at the employer's main office (LAN 10.5.6.0/24, LAN IP 10.5.6.1; WAN1 bzrouter1.dyndns.org, WAN2 bzrouter2.dyndns.org) is reached by a remote PC running the NETGEAR ProSafe VPN Client behind NAT Router B at the telecommuter's home office. Fully qualified domain names are optional for fixed IP addresses and required for dynamic IP addresses.]

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully qualified domain name must be used. If an IP address is fixed, a fully qualified domain name is optional.
140. Table 4-2. Inbound Rules (continued)

Item                        Description
WAN Users                   These settings determine which Internet locations are covered by the rule, based on their IP addresses. Select the desired option: Any (all Internet IP addresses are covered by this rule); Single address (enter the required address in the start field); Address range (if this option is selected, you must enter the start and end fields).
WAN Destination IP Address  This setting determines the destination IP address applicable to incoming traffic. This is the public IP address that will map to the internal LAN server; it can be either the address of the WAN1 or WAN2 port or another public IP address.
QoS Priority                This setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. By default the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e. leaves it as None), then the native priority of the service will be applied to the policy. See Setting Quality of Service (QoS) Priorities on page 4-23.
Log                         This determines whether packets covered by this rule are logged. Select the desired action: Always (always log traffic considered by this rule, whether it matches or not; this is useful when debugging your rules)
141. ...determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen.

[Figure 4-15: Services screen. The Custom Services list has columns Name, Type, Start Port, Finish Port and Priority (for example a TCP service on port 20 with Normal-Service priority). The Add Custom Service and Edit Service forms take Name, Type (TCP, UDP or ICMP), ICMP Type, Start Port, Finish Port and Default QoS Priority.]

To add a customized service:
1. Select Security from the main menu and Services from the submenu. The Services screen will display.
2. In the Add Custom Service table, enter a descriptive name for the service (this is for your convenience).
3. Select the transport protocol that the service uses: TCP, UDP or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses. If the service uses onl
142. ...servers such as a web server, FTP server or email server, for example, and give public access to them. The eighth LAN port on the router can be dedicated as a hardware DMZ port for safely providing services to the Internet without compromising security on your LAN.

The DMZ port feature is also helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, local PCs can run the application properly if those PCs are used on the DMZ port.

Note: A separate firewall security profile is provided for the DMZ port that is independent of the standard firewall security used for the LAN.

The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see Router Front Panel on page 1-6) and configure an IP address and mask for the DMZ port.

To enable and configure the DMZ port:
1. From the main menu, select Network Configuration and then select DMZ Setup from the submenu. The DMZ Setup screen will display.
2. Check the Do you want to enable DMZ Port radio box. Enter an IP Address and the Subnet Mask for the DMZ port. Make sure that the DMZ port IP address and LAN port IP address are in different subnets (for example, an address outside the LAN Addre
143. ...method will not allow Internet access through this router. To learn the status of the WAN ports, you can view the Router Status page (see Viewing Router Configuration and System Status on page 6-23) or look at the LEDs on the front panel (see Router Front Panel on page 1-6).

Setting Up Auto-Rollover Mode

If you want to use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured. Then select the WAN port that will act as the primary link for this mode and configure the WAN Failure Detection Method to support Auto Rollover.

When the router is configured in Auto-Rollover Mode, it uses the WAN Failure Detection Method to check the connection of the primary link at regular intervals. Link failure is detected in one of the following ways:
• by using DNS queries to a DNS server, or
• by a Ping to an IP address.
For each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If replies are not received, the corresponding WAN interface is considered down. A missed reply cannot distinguish a dead link from a dead or rate-limiting probe target, so choose a target that is highly available and accepts the probe, as described under the detection method choices.

To configure the dual WAN ports for Auto Rollover:
1. Select Network Configuration from the primary menu and WAN Mode from the secondary menu. The WAN Mode screen will display.
2. In the Port Mode section, check the Auto Rollover Using WAN port radio box.
3. Select the WAN port that will act as the primary link for this mode from the pull-down menu.
4. From the WAN Failur
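The failure-detection choices (DNS lookup or Ping, sent every test period) and the rollover rule above fit together into a small monitor. The following is an added example, not code from the NETGEAR manual, and it covers both the WAN Failure Detection Method settings and this Auto-Rollover procedure: the probe is injected as a callable so the simulation runs offline, and the rule that a link is declared down after a fixed number of consecutive missed replies (4 here) and up again on the first reply is an assumption of this model, not a statement about how the FVX538 firmware counts. The 30-second test period is the manual's default.

```python
# Added example, not from the NETGEAR manual: the failure-detection and
# auto-rollover logic described here and in the WAN Failure Detection Method
# section, run offline. A probe (DNS lookup or Ping in the manual) is injected
# as a callable so the example needs no network; the rule that a link is
# declared down after a fixed number of consecutive missed replies, and up
# again on the first reply, is an assumption of this model, not a statement
# about the FVX538 firmware.
from dataclasses import dataclass
from typing import Callable, List, Optional


def scripted_probe(results: List[bool]) -> Callable[[], bool]:
    """Probe that returns the scripted replies in order, then keeps the last one."""
    script = list(results)

    def probe():
        if len(script) > 1:
            return script.pop(0)
        return script[0]
    return probe


@dataclass
class WanLink:
    name: str
    probe: Callable[[], bool]        # True when the DNS reply or echo reply came back
    failures_to_down: int = 4        # assumed threshold of consecutive missed replies
    missed: int = 0
    up: bool = True

    def poll(self) -> bool:
        """Run one test period's probe and update the link state."""
        if self.probe():
            self.missed, self.up = 0, True
        else:
            self.missed += 1
            if self.missed >= self.failures_to_down:
                self.up = False
        return self.up


@dataclass
class AutoRollover:
    primary: WanLink
    backup: WanLink
    test_period: float = 30.0        # seconds between probes (manual default)

    def active(self) -> Optional[str]:
        """Which port carries traffic: the primary whenever it is up, else the backup."""
        if self.primary.up:
            return self.primary.name
        if self.backup.up:
            return self.backup.name
        return None                  # both monitored links failed their probes

    def tick(self) -> Optional[str]:
        """One test period: probe both links, then report the active port."""
        self.primary.poll()
        self.backup.poll()
        return self.active()


def run(primary_replies, backup_replies, periods):
    """Simulate `periods` test periods and return the active port after each."""
    mon = AutoRollover(WanLink("WAN1", scripted_probe(primary_replies)),
                       WanLink("WAN2", scripted_probe(backup_replies)))
    return [mon.tick() for _ in range(periods)]


if __name__ == "__main__":
    # WAN1 replies twice, misses four probes, then recovers; WAN2 stays healthy.
    print(run([True, True, False, False, False, False, True], [True], 8))
```

The simulation makes two consequences of the design visible. Traffic only moves to WAN2 after the fourth missed probe, so with the default 30-second test period a real outage costs around two minutes before rollover, and it moves straight back once WAN1 answers again, which is the roll-back behaviour described under Auto-Rollover Mode. It also shows the failure mode the target-selection advice guards against: if the probe target itself goes away, both links are marked down at the same time even though the Internet is reachable, and the monitor has nowhere to send traffic.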
144. ...(If Needed) on page 2-15 for how to select and configure the Dynamic DNS service.

[Figure 5-2: FVX538 functional block diagram, auto-rollover. The WAN port rollover control sits between the rest of the FVX538 functions and the WAN 1 and WAN 2 ports to the Internet; an FQDN is required and is the same for BOTH WAN ports.]

[Figure 5-3: FVX538 functional block diagram, load balancing. The WAN port load balancing control sits between the rest of the FVX538 functions and the WAN 1 and WAN 2 ports; an FQDN is required for dynamic IP addresses and optional for static IP addresses.]

Setting up a VPN Connection using the VPN Wizard

Setting up a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard can assist in guiding you through the setup procedure by asking you a series of questions that will determine the IPSec keys and VPN policies it sets up. It also will set the parameters for the network connection: Security Association, traffic selectors, authentication algorithm and encryption. The parameters used by the VPN Wizard are based on the VPNC recommendations.

Creating a VPN Tunnel to a Gateway

You ca
145. ...of a PC to be excluded in the Add Host table, and then click Add. The PC address will appear in the Host Exclusion List table. Add additional PCs one at a time until all of the PCs to be excluded are contained in the Host Exclusion List.
3. Click Apply to submit your changes.

Note: The OfficeScan Server must also appear in the exclusion list.

Note: Follow the instructions in the Trend Micro documentation to complete the installation and configuration of the Trend Micro OfficeScan Server.

Chapter 4. Firewall Protection and Content Filtering

This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to protect your network. These features can be found by selecting Security from the main menu and selecting Block Sites from the submenu of the browser interface.

About Firewall Protection and Content Filtering

The ProSafe VPN Firewall 200 provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators can establish restricted access policies based on time of day, Web addresses and Web address keywords. You can also block Internet access by app
146. fine the allowed range.

c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.

4. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.

5. Click Apply to have your changes take effect.

When accessing your firewall from the Internet, the Secure Sockets Layer (SSL) will be enabled. You will enter https:// and type your firewall's WAN IP address into your browser, followed by a colon and the custom port number. For example, if your WAN IP address is 134.177.0.123 and you use port number 8080, type the following in your browser: https://134.177.0.123:8080

The router's remote login URL is https://<IP_address>:<port_number> or https://<FullyQualifiedDomainName>:<port_number>. If you do not use the SSL https:// address but rather use an http:// address, the FVX538 will automatically attempt to redirect to the https:// address.

Note: The first time you remotely connect the FVX538 with a browser via SSL, you may get a message regarding the SSL certificate. If you are using a Windows com
147. firewall provides the following features:

• Dual 10/100 Mbps Ethernet WAN ports for load balancing or failover protection, providing increased system reliability, load balancing or link aggregation. The WAN ports do not respond at all to unsolicited traffic (stealth mode).
• Support for up to 200 simultaneous IPSec VPN tunnels.
• Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L).
• Proactive policy enforcement for anti-virus and anti-spam security, with integrated Trend Micro support.
• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice and multimedia.
• Built-in 10/100 Mbps ports plus 1 Gigabit switch port.
• One console port for local management.
• SNMP manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS 100).
• Easy Web-based setup for installation and management.
• Advanced SPI Firewall and Multi-NAT support.
• Extensive protocol support.
• Login capability.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• One U rack mountable.

Dual WAN Ports for Increased Reliability or Outbound Load Balancing

The FVX538 has two broadband WAN ports, WAN1 and WAN2, each capable of operating independently at speeds of either 10 Mbps or 100 Mbps. The two WAN ports let you connect a second broadband Internet
148. for Internal Network IP Address, go to Options > Global Policy Settings and check the box for Allow to Specify Internal Network Address.
• Select your Internet Interface adapter from the Name pull-down menu.

[Figure 5-32: Security Policy Editor, NETGEAR ProSafe VPN Client. Network Security Policy tree: My Connections > modecfg_test > My Identity; Other Connections. My Identity: Select Certificate: None; ID Type: Domain Name (salesperson11.remote_id.com); Pre-Shared Key; Virtual Adapter: Preferred; Internal Network IP Address: 0.0.0.0. Internet Interface: Name: Broadcom 440x 10/100 Integrated Controller; IP Addr: 192.168.1.2.]

3. On the left side of the menu, select Security Policy.
   a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
   b. Check the Enable Perfect Forward Secrecy (PFS) radio button and select the Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
   c. Enable Replay Detection should be checked.
4. Click on Authentication (Phase 1) on the left side of the menu and select Proposal 1. Enter the Authentication values to match those in the VPN firewall ModeConfig Record menu.

[Figure: Security Policy Editor, NETGEAR ProSafe VPN Client (screenshot residue, truncated)]
149. g physical connections. Make sure the LAN port LED is on. If the LED is off, follow the instructions in LAN or Internet Port LEDs Not On on page 7-2. Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.

Wrong network configuration. Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. Verify that the IP address for your firewall and your workstation are correct and that the addresses are on the same subnet.

Testing the Path from Your PC to a Remote Device

After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows Run menu, type:

ping -n 10 <IP address>

where <IP address> is the IP address of a remote device, such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:

• Check that your PC has the IP address of your firewall listed as the default gateway. If the IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC's Network Control Panel.
• Check to see that the network address of your PC (the portion of the IP address specified by the netmask) is different from the network address of the remote device.
• Check that your cable or DSL mod
150. Appendix B Related Documents

This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

Document                                   Link
Internet Networking and TCP/IP Addressing  http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Communications                    http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing a Computer for Network Access    http://documentation.netgear.com/reference/enu/wsdhcp/index.htm
Virtual Private Networking (VPN)           http://documentation.netgear.com/reference/enu/vpn/index.htm
Glossary                                   http://documentation.netgear.com/reference/enu/glossary/index.htm

Appendix C Network Planning for Dual WAN Ports

This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports.

What You Will Need to Do Before You Begin

The ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of the choices available to you, you need to think through the following items before you begin.

1. Plan your network.
   a. Determine whether you are going to use one or both WAN ports. For one
151. he firewall. After logging in, you are ready to set up and configure your firewall. You can also change your password and enable remote management at this time.

3. Configure the Internet connections to your ISP(s). During this phase, you will connect to your ISPs. You can also program the WAN traffic meters at this time, if desired.

4. Configure the WAN mode required for dual WAN operation. Select either auto-rollover mode or load balancing mode, on a mutually exclusive basis. For load balancing, you can also select the protocol bindings.

5. Configure dynamic DNS on the WAN ports, if needed. Configure your fully qualified domain names during this phase, if required.

6. Configure the WAN options, if needed. Optionally, you can enable each WAN port to respond to a ping. You can also change the factory default MTU size, port speed and uplink bandwidth. However, these are advanced features, and changing them is not usually required.

Logging into the VPN Firewall

To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. If you need instructions on how to configure your computer for DHCP, refer to the link in Appendix B, Related Documents.

To log in to the VPN firewall:

1. Connect to the firewall by typing http://192.168.1.1 in the address field of Internet Explorer, Mozilla Firefox or Netscape Navigator.
152. hen you click default, your router settings will be erased. All firewall rules

[Figure 6-4: Settings Backup and Firmware Upgrade screen (Administration submenu: Remote Management, SNMP, Set Password, Time Zone, Settings Backup and Firmware Upgrade). Controls: Save a copy of current settings (backup); Restore saved settings from file (Browse, restore); Revert to factory default settings (default); Locate and select the upgrade file from your hard disk (Browse, upload).]

Router Upgrade

You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade screen. To view the current version of the firmware that your VPN firewall is running, select Monitoring from the main menu. The Router Status screen will display all of the VPN firewall router statistics. When you upgrade your firmware, the Firmware Version will change to reflect the new version.

To download a firmware version:

1. Go to the NETGEAR Web site at http://www.netgear.com/support and click on Downloads.
2. From the Product Selection pull-down menu, select your product. Select the software version and follow the To Install steps to download your software. After downloading an upgrade file, you may need to unzip (uncompress) it before upgrading the router. If Release Notes are included in the download, r
153. hentication protocol for the VPN header. VPN Wizard default is disabled.
• ESP (Encapsulating Security Payload): This specifies the encryption protocol used for the VPN data. VPN Wizard default is enabled.
• Action: Allows you to access individual policies to make any changes or modifications.

VPN Tunnel Connection Status

Recent VPN tunnel activity is shown on the IPSec Connection Status screen, accessed by selecting VPN from the main menu and Connection Status from the submenu. You can set a Poll Interval (in seconds) to check the connection status of all active IKE Policies to obtain the latest VPN tunnel activity. The Active IPSec SA(s) table also lists current data for each active IPSec SA (Security Association):

• Policy Name: The name of the VPN policy associated with this SA.
• Endpoint: The IP address on the remote VPN Endpoint.
• Tx (KBytes): The amount of data transmitted over this SA.
• Tx (Packets): The number of packets transmitted over this SA.
• State: The current state of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase.
• Action: Allows you to terminate or build the SA connection, if required.

Creating a VPN Gateway Connection Between FVX538 and FVS338

This section describes how to configure a VPN connection between a NETGEAR FVX538 VPN Firewall and a NETGEAR FVS3
154. her Main or Aggressive. Main Mode is slower but more secure. Aggressive mode is faster but less secure. If specifying either a FQDN or a User FQDN name as the Local ID/Remote ID, aggressive mode is automatically selected.
• Local ID: The IKE/ISAKMP identity of this device. The remote VPN must have this value as their Remote ID.
• Remote ID: The IKE/ISAKMP identity of the remote VPN Gateway. The remote VPN must have this value as their Local ID.
• Encr: Encryption Algorithm used for the IKE SA. The default setting using the VPN Wizard is 3DES. This setting must match the Remote VPN.
• Auth: Authentication Algorithm used for the IKE SA. The default setting using the VPN Wizard is SHA1. This setting must match the Remote VPN.
• DH: Diffie-Hellman Group. The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the number of bits. The VPN Wizard default setting is Group 2. This setting must match the Remote VPN.

To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix B, Related Documents, for a link to the NETGEAR website.

VPN Policy

You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.

• Manual: All settings (including the keys
155. ically, your ISP will provide the addresses of one or two DNS servers for your use. You may configure your PC manually with DNS addresses, as explained in your operating system documentation.
• Your PC may not have the firewall configured as its TCP/IP gateway.

Troubleshooting a TCP/IP Network Using a Ping Utility

Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the Ping utility in your PC or workstation.

Testing the LAN Path to Your Firewall

You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly.

To ping the firewall from a PC running Windows 95 or later:

1. From the Windows toolbar, click Start and select Run.
2. In the field provided, type ping followed by the IP address of the firewall; for example, ping 192.168.1.1. Click OK.

A message similar to the following should display:

Pinging <IP address> with 32 bytes of data

If the path is working, you will see this message:

Reply from <IP address>: bytes=32 time=NN ms TTL=xxx

If the path is not working, you will see this message:

Request timed out

If the path is not functioning correctly, you could have one of the following problems:

Wron
156. ick Add under the Inbound Services table. The Add LAN WAN Inbound Service screen will display.
4. From the Service pull-down menu, select the HTTP service for a Web server.

[Figure 4-11: Add LAN WAN Inbound Service screen. Fields: Service (HTTP); Action (ALLOW always); Select Schedule; Send to LAN Server; Translate to Port Number; Public Destination IP Address (Other Public IP Address); LAN Users (Start/Finish); WAN Users (Any; Start/Finish); Log (Never); Apply, Reset.]

5. From the Action pull-down menu, select Allow Always.
6. In the Send to LAN Server field, enter the local IP address of your Web server PC. From the Public Destination IP Address pull-down menu, choose Other Public IP Address. Enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server.
9. Click Apply. Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-12). This rule is different from a normal inbound port forwarding rule in that the Destination box contains an IP Address other than your normal WAN IP Address.

[Figure 4-12: LAN WAN Rules screen (tabs: DMZ WAN Rules, LAN DMZ Rules, Attack Checks). Default Outbound Policy: Allow Always. Table columns begin with Service.]
157. [Figure 5-15: VPN Wizard screen (VPN submenu tabs: ...ificates, Mode Config, VPN Client, Connection Status, VPN Wizard). VPN Wizard Default Values: the Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC) and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu. Fields shown: This VPN tunnel will connect to the following peers: Gateway / VPN Client; Connection Name: home; pre-shared key: 12345678 (Key Length 8-49 Char); local WAN Interface: WAN 1 / WAN 2; Remote Identifier Information: fvx_remote.com; Local Identifier Information: fvx_local.com; remote LAN IP Address; remote LAN Subnet Mask; Apply, Reset.]

6. Enter the remote WAN's IP Address or Internet Name, and then enter the local WAN's IP Address or Internet Name. In this example, we are using their FQDNs. Both the local and remote addresses must be of the same type: either both must be FQDN or both must be an IP address.
7. Click Apply to create the home VPN Client. The VPN Policies screen will display, showing the VPN Client policy as enabled.
8. Click the IKE Policies tab to display the IKE Policies table, and click Edit adjacent to the home policy to view the home policy details. You can also augme
158. ... 5-30
Extended Authentication (XAUTH) Configuration ... 5-31
Configuring XAUTH for VPN Clients ... 5-32
User Database Configuration ... 5-34
RADIUS Client Configuration ... 5-35
Manually Assigning IP Addresses to Remote Users (ModeConfig) ... 5-37
Mode Config (remainder of title garbled) ... 5-37
Configuring the VPN Firewall ... 5-38
Configuring the ProSafe VPN Client for ModeConfig ... 5-41

Chapter 6 Router and Network Management
Performance Management ... 6-1
(title garbled) ... 6-1
VPN Firewall Features That Reduce Traffic ... 6-2
(title garbled; ends in "Blocking") ... 6-2
Block Sites ... 6-4
Source MAC Filtering ... 6-4
VPN Firewall Features That Increase Traffic ... 6-5
(title garbled) ... 6-5
Port Triggering ... 6-6
159. in a sub-window. Traffic counters are updated in MBytes scale, and the counter starts only when traffic passed is at least 1 MB.

[Figure 6-6: WAN1 Traffic Meter screen (Monitoring submenu: Traffic Meter, Traffic by Protocol). Sections: Enable Traffic Meter (Do you want to enable Traffic Metering on WAN1? Yes/No; No Limit / Download only / Both Directions; Monthly Limit (MB); Increase this month limit by (MB); This month limit (MB)); Traffic Counter (Restart Traffic Counter Now; Restart Traffic Counter at Specific Time, on the 1st day of Month; Send e-mail report before restarting counter); When Limit is reached (Block All Traffic; Block All Traffic Except E-Mail; Send e-mail alert); Internet Traffic Statistics (Start Date/Time; Outgoing Traffic Volume (MB); Incoming Traffic Volume (MB); Total Traffic Volume (MB); Average per day; % of Standard Limit; % of this Month's Limit). Callouts on figure: each WAN port is programmed separately; WAN port shuts down once traffic limit reached; an e-mail can be sent.]

[Figure: WAN2 Traffic Meter screen (Monitoring submenu: Firewall Logs & E-mail, Diagnostics, VPN Logs, WAN1 Traffic Meter, WAN2 Traffic Meter, Traffic by Protocol). Do you want to enable Traffic Metering on WA
160. increasing traffic 6-7
L2TP 4-15
VPN tunnels
  about 5
  IPsec 4-15
  PPTP 4-15
VPN Wizard
  Gateway tunnel 5-4
  VPN Client, configuring 5-7
VPN Wizard Default Values 5-5

W

VPNs C-6, C-10
  about C-10
  creating a VPN Gateway connection 5-14
  gateway-to-gateway C-14, C-15, C-17
  road warrior C-11, C-12, C-13
  telecommuter C-18, C-20
  viewing VPN tunnel status 6-25
WAN
  configuring Advanced options 2-18
  configuring WAN Mode 2-10
WAN Failure Detection Method 2-10, 2-11
WAN Mode 2-11
WAN Mode setup 5-2
WAN Port 1 status 2-4
WAN Ports
  monitoring status 6-24
WAN ports
  status of 2-11
WAN Security Check
  about 4-14
WAN Settings screen 2-18
WAN side bandwidth capacity 6-1
WAN Status 2-4
WAN Advanced Options 2-18
WAN1 ISP Settings
  manual setup 2-5
WAN1 ISP Settings screen 2-2
WAN Protocol Bindings 2-13
WAN Protocol Bindings screen 2-14
WAN1 Traffic Meter 2-7
WAN2 ISP settings 2-5
WAN2 ISP Settings
  manual setup 2-7
WAN2 Protocol Bindings 2-14
WAN2 Protocol Bindings screen 2-14
WAN2 Traffic Meter 2-8
Web Components 4-25
  blocking 4-25
  filtering, about 4-25
Web configuration
  troubleshooting 7-2
WinPoET 2-6

X

XAUTH
  IPSec Host 5-32
  types of 5-31
161. information, right-click on the VPN client icon. Logs and Connection Status screens in the FVX538.

[Figure 5-23: Connection Monitor, NETGEAR ProSafe VPN Client. Global Statistics: Non-Secured Packets 319; Secured Packets 14; Dropped Packets 2; Secured Data (KBytes) 1. Details: Connection Name My Connection; Local Address 10.0.0.12; Local Subnet 255.255.255.255; Remote Address 192.168.1.0; Remote Modifier 255.255.255.0; GW Address 10.0.0.11.]

Certificate Authorities

Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). Digital Certificates are used by this router during the IKE (Internet Key Exchange) authentication phase as an alternative authentication method. Self Certificates are issued to you by various CAs (Certification Authorities).

Each CA also issues a CA Identity certificate, shown in the Trusted Certificates (CA Certificates) table. This Certificate is required in order to validate communication with the CA.

It is a three-step process. First, you generate a CA request; then, when the request is granted, you upload the Self Certificate, shown in the Active Self Certificates table; and then you upload the CA Identity certificate, shown in the Trusted Certificates table.

The Trusted Certificates table lists the certificates generated and signed by a publicly known organization or authority, called the Certificate
162. ink. With its internal 8-port 10/100 switch, the FVX538 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The firewall incorporates Auto Uplink technology. Each Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (such as to a PC) or an uplink connection (such as to a switch or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to Internet Configuration Requirements in Appendix C.

• IP Address Sharing by NAT. The VPN firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
• Automatic Configuration of Attached PCs by DHCP. The VPN firewall dy
163. ion, restoring 7-7
default IP Address 7-9
default password 7-9, 2-2
default user name 9, 2-2
denial of service attack 4-14, 4-15
Denial of Service. See DoS
Destination Network, Add Protocol Binding 2-14
DHCP 2-4
DHCP Address Pool 3-3
DHCP IP Address pool 3-1
DHCP log, monitoring 6-27
DHCP server
  about 3-1
  configuring secondary IP addresses 3-5
diagnostics
  DNS lookup 6-27
  packet capture 6-27
  ping 6-27
  rebooting 6-27
  routing table 6-27
Diagnostics screen 6-27
Diffie-Hellman Group, IKE Policy 5-12
Disable DHCP Server 3-1, 3-3
DMZ
  about 3-10
  firewall security 3-10
DMZ Port, increasing traffic 6-7
DMZ port 1-3
  setting up 3-10
DMZ Setup screen 3-10
DMZ WAN Inbound Rule, example of 4-19
DMZ WAN Rule, example of 4-17
DMZ WAN Rules
  about 4-10
  modifying 4-12
DMZ WAN Rules screen 4-10
DNS, definition of 2-7
DNS addresses 2-7
DNS lookup 2-11
DNS Proxy 1-4
DNS queries, Auto-Rollover 2-11
Domain Name, router 3-3
Domain Name Blocking 4-25
Domain Name Servers. See DNS
DoS
  about protection 2
Dual WAN, configuration of 2-10
Dual WAN Port
  inbound traffic C-8
  load balancing, inbound traffic C-9
Dual WAN Port systems, VPN Tunnel addresses 5
Dual WAN Ports
  features of 1-2
  network planning C-1
Dual WAN ports
  Auto-Rollover, configuration of 2-11
  Load Balancing, configuration of 2-13
Dynamic DNS, configur
164. iorities on page 4-23 for the procedure on how to use this feature.

Tools for Traffic Management

The ProSafe VPN Firewall 200 includes several tools that can be used to monitor the traffic conditions of the firewall and control who has access to the Internet and the types of traffic they are allowed to have. See Monitoring the Router on page 6-17 for a discussion of the tools.

Administration

You can change the administrator and guest passwords and settings, configure an SNMP manager, back up settings and upgrade firmware, and enable remote management. Administrator access is read/write and guest access is read-only.

Changing Passwords and Settings

The default password for the firewall's Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. You can also configure a separate password for guests.

To modify User or Admin settings:

1. Select Administration from the main menu and Set Password from the submenu. The Set Password screen will display.
2. Select the settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box.
3. Change the password by first entering the old password and then entering the new password twice.
4. Click Apply to save your settings, or Cancel to return to your previous settings.
5. Change the Idle Logout Time field to the number of minutes you require. The default is 5 minutes.
165. ired. The traffic meter is useful when an ISP charges by traffic volume over a given period of time, or if you want to look at traffic types over a period of time.

To enable the traffic meter:

1. From the primary menu, select Monitoring and then select Traffic Meter from the secondary menu. The WAN1 Traffic Meter screen will display. Fill out the information described in Table 2-2.

[WAN1 Traffic Meter screen (Traffic Meter / Traffic by Protocol tabs). Sections: Enable Traffic Meter (Do you want to enable Traffic Metering on WAN1? Yes/No; No Limit / Download only / Both Directions; Monthly Limit (MB); Increase this month limit by (MB); This month limit (MB)); Traffic Counter (Restart Traffic Counter Now; Restart Traffic Counter at Specific Time, on the ... day of Month; Send e-mail report before restarting counter); When Limit is reached (Block All Traffic; Block All Traffic Except E-Mail; Send e-mail alert); Internet Traffic Statistics (Start Date/Time; Start Date; End Date; Outgoing Traffic Volume (MB); Incoming Traffic Volume (MB); Total Traffic Volume (MB); Average per day; % of Standard Limit; % of this M...); Traffic by Protocol (Protocol; Incoming Traffic Total MB / MB Per Day; Outgoing Traffic Total MB / MB Per Day).]
166. l

To restore the factory defaults:

1. Press and hold the reset button until the Test LED turns on and begins to blink (about 10 seconds).
2. Release the reset button and wait for the firewall to reboot.

Problems with Date and Time

The E-Mail menu in the Content Filtering section displays the current date and time of day. The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:

• Date shown is January 1, 2000. Cause: The firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the firewall, wait at least five minutes and check the date and time again.
• Time is off by one hour. Cause: The firewall does not automatically sense Daylight Savings Time. Check the Time Zone menu, and check or uncheck the box marked Adjust for Daylight Savings Time.

Appendix A Default Settings and Technical Specifications

You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset.

• To perform a hard reset, push
167. l INCOMING port or ports associated with this entry in the Port Triggering table and associates them with the PC.
• The remote system receives the PC's request and responds using the different port numbers that you have now opened.
• This Router matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.

Only one PC can use a Port Triggering application at any time. After a PC has finished using a Port Triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated. See Port Triggering on page 4-28 for the procedure on how to use this feature.

DMZ Port

The DMZ Port allows you to set up the DMZ port. Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. The default setting of the rules is that the DMZ port and both inbound and outbound traffic is disabled. Enabling the DMZ port increases the traffic through the WAN ports. The VPN firewall makes LAN port 8 a dedicated hardware DMZ port whe
168. l be used as the primary IP address of the router. This address will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.

The following addressing scheme is used to illustrate this procedure:

• NETGEAR FVX538 ProSafe VPN Firewall
  WAN1 IP address: 10.1.0.118
  LAN IP address/subnet: 192.168.1.1 / 255.255.255.0
  DMZ IP address/subnet: 192.168.10.1 / 255.255.255.0
• Web server PC on the firewall's LAN
  LAN IP address: 192.168.1.2
  DMZ IP Address: 192.168.10.2
  Access to Web server is (simulated) public IP address: 10.1.0.52

Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses will be used as the primary IP address of the router, which will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.

To configure the FVX538 for additional IP addresses:

1. Select Security from the main menu and Firewall Rules from the submenu.
2. If your server is to be on your LAN, select LAN WAN Rules. If your server is to be on your DMZ, select DMZ WAN Rules.
3. Cl
169. le is disabled. By default, when a rule is added to the table, it is automatically enabled.
• Click Delete to delete the rule.
3. Click Select All to select all rules. A check will appear in the radio box for each rule.

LAN WAN Outbound Services Rules

You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The outbound rule will block the selected application from any internal IP LAN address to any external WAN IP address, according to the schedule created in the Schedule menu. You can also tailor these rules to your specific needs (see Administrator Tips on page 4-35).

Note: This feature is for Advanced Administrators only. Incorrect configuration will cause serious problems.

To create a new outbound service rule:

1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service screen will display.

[Figure 4-...: Add LAN WAN Outbound Service screen. Fields: Service (ANY); Action (BLOCK always); Select Schedule; LAN Users (Any; Start/Finish); WAN Users (Any; Start/Finish); QoS Priority (Normal-Service); Log (Never); Apply, Reset.]
170. ...See Setting a Schedule to Block or Allow Specific Traffic on page 4-24 for the procedure on how to use this feature.
Block Sites
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall's filtering feature. By default this feature is disabled: all requested traffic from any Web site is allowed.
• Keyword and Domain Name Blocking. You can specify up to 32 words that, should they appear in the Web site name (i.e., the URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall. You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled. You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs, even in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.
• Web Component blocking. You can block the following Web component types: Proxy, Java, ActiveX and Cookies. Sites on the Trusted Domains list are still subject to Web component blocking when the blocking of a particular Web component has been enabled.
See Setting Block Sites (Content Filtering) on page 4-25 for the procedure on how to use this feature.
Source MAC Fil
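The Block Sites decision described above, written out as an added example. This is not code from the NETGEAR manual or firmware; it assumes keywords are matched case-insensitively against the requested URL with its scheme removed (or against a newsgroup name), that the Trusted Domains check is an exact host-name match, and that Web component blocking is decided by component type alone. The class and method names and the sample policy are constructed for the illustration.

```python
"""Added example (not NETGEAR code): a model of the Block Sites behaviour.
Assumed: keyword match is case-insensitive over the URL minus its scheme,
Trusted Domains is an exact host-name match, and component blocking ignores
the trusted list. Names and sample policy are constructed."""
from urllib.parse import urlsplit

MAX_KEYWORDS = 32          # the screen accepts up to 32 words


class BlockSites:
    def __init__(self, keywords, trusted_domains, enabled_groups, blocked_components=()):
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords are supported")
        self.keywords = [k.lower() for k in keywords]
        self.trusted = {d.lower() for d in trusted_domains}
        self.enabled_groups = set(enabled_groups)           # groups with keyword blocking on
        self.blocked_components = set(blocked_components)   # subset of {"Proxy", "Java", "ActiveX", "Cookies"}

    def check_url(self, url, group):
        """Decide a Web request from a PC in `group`; returns (verdict, reason)."""
        host = (urlsplit(url).hostname or "").lower()
        if group not in self.enabled_groups:
            return "allow", "keyword blocking not enabled for this group"
        if host in self.trusted:     # exact match: 'example.com' does not cover 'www.example.com'
            return "allow", "trusted domain"
        return self._keyword_scan(url.split("://", 1)[-1].lower())

    def check_newsgroup(self, name, group):
        if group not in self.enabled_groups:
            return "allow", "keyword blocking not enabled for this group"
        return self._keyword_scan(name.lower())

    def check_component(self, component):
        """Web component blocking applies even to sites on the Trusted Domains list."""
        return "block" if component in self.blocked_components else "allow"

    def _keyword_scan(self, text):
        for k in self.keywords:
            if k in text:
                return "block", f"keyword '{k}' matched"   # the firewall logs a blocked-site event here
        return "allow", "no keyword matched"
```

Note the asymmetry the text describes: a trusted domain bypasses the keyword list only on an exact match, so `www.chat.example.com` is still blocked when only `chat.example.com` is trusted, and a blocked component type (Java, say) is blocked from a trusted site as well.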
171. Select Schedule: Select Schedule1, Schedule2 or Schedule3 that will be used by this rule.
• This drop-down menu gets activated only when "BLOCK by schedule, otherwise Allow" or "ALLOW by schedule, otherwise Block" is selected as the Action.
• Use the Schedule page to configure the time schedules (see Setting a Schedule to Block or Allow Specific Traffic on page 4-24).
LAN Users: These settings determine which computers on your network are affected by this rule. Select the desired option:
• Any: All PCs and devices on your LAN.
• Single address: Enter the required address and the rule will be applied to that particular PC.
• Address range: If this option is selected, you must enter the start and finish fields.
• Groups: Select the Group to which this rule will apply. Use the LAN Groups screen under Network Configuration to assign PCs to Groups. See Managing Groups and Hosts (LAN Groups) on page 3-6.
WAN Users: These settings determine which Internet locations are covered by the rule, based on their IP address. Select the desired option:
• Any: All Internet IP addresses are covered by this rule.
• Single address: Enter the required address in the start field.
• Address range: If this option is selected, you must enter the start and end fields.
DMZ Users: These settings determine which computers on the DMZ network are affected by this rule. Select the desired option:
• Any: All PCs and devices on your DMZ network.
• Si
172. ...Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual opens in a browser window.
• Click the print icon in the upper left of your browser window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
Revision History
Part Number 202-10062-04, Version Number 1.0, Description: Product update. New firmware and a new user interface.
Chapter 1: Introduction
The ProSafe VPN Firewall 200, with eight 10/100 ports and one 10/100/1000 port, connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVX538 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support. The VPN firewall supports multiple Web content filtering options, plus browsing activity reporting and instant alerts, both via e-mail. Network administrators can establish restricted access policies based on time of day, Web site addresses and address keywords. The FVX538 is a plug-and-play device that can be installed and configured within minutes.
Key Features
The VPN
173. ...applications and services such as chat or games.
A firewall is a special category of router that protects one network (the "trusted" network, such as your LAN) from another (the "untrusted" network, such as the Internet), while allowing communication between the two. You can further segment keyword blocking to certain known groups (see Managing Groups and Hosts (LAN Groups) on page 3-6 to set up LAN Groups).
A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection, in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
Using Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the FVX538. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
Firew
174. ...Policies menu.
[Figure 5-10: VPN Wizard screen. This VPN tunnel will connect to the following peers: Gateway / VPN Client. Connection Name and Remote IP Type: What is the new Connection Name? What is the pre-shared key? (12345678; Key Length 8-49 Char). This VPN tunnel will use the following local WAN Interface: WAN1 / WAN2. End Point Information: What is the Remote WAN's IP Address or Internet Name? (10.1.1.150) What is the Local WAN's IP Address or Internet Name? (10.1.31.40) Secure Connection Remote Accessibility: What is the remote LAN IP Address? What is the remote LAN Subnet Mask?]
Enter the WAN IP address of the remote FVS338, and then enter the WAN IP address of the local FVX538. Both local and remote ends must define the address as either an IP address or a FQDN; a combination of IP address and FQDN is not permissible. Enter the LAN IP address and subnet mask of the remote FVS338. Click Apply to create the to_fvs IKE and VPN policies. The VPN Policies screen will display, showing the to_fvs policy as enabled in the List of VPN Policies table.
[Figure: VPN Policies screen, List of VPN Policies: to_fvs, Auto Policy, Client Policy; home, Auto Policy, 192.168.1.0/255.255.255.0; select all.]
175. ...line that can be configured, on a mutually exclusive basis, to:
• Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.
• Load balance, or use both Internet lines simultaneously for the outgoing traffic. The firewall balances users between the two lines for maximum bandwidth efficiency.
See Network Planning for Dual WAN Ports on page C-1 for the planning factors to consider when implementing the following capabilities with dual WAN port gateways:
• Single or multiple exposed hosts
• Virtual private networks
A Powerful True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the FVX538 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
• DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Secure Firewall. Blocks unwanted traffic from the Internet to your LAN.
• Block Sites. Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks and administrator logins. You can configure the firewall to e-mail the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.
176. Inbound Traffic
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu. Instead of discarding this traffic, you can have it forwarded to one or more LAN hosts on your network. The addressing of the firewall's dual WAN port depends on the configuration being implemented.
Table C-1. IP addressing requirements for exposed hosts in dual WAN port systems
Configuration and WAN IP address | Single WAN Port (reference case) | Dual WAN Port, Rollover | Dual WAN Port, Load Balancing
Inbound traffic (port forwarding, port triggering, DMZ port), Fixed IP | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional)
Inbound traffic (port forwarding, port triggering, DMZ port), Dynamic IP | FQDN required | FQDN required | FQDN required
Inbound Traffic to a Single WAN Port (Reference Case)
The Internet IP address of the firewall's WAN port must be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled. In the single WAN case (Figure C-4), the WAN's Internet address is either a fixed IP address, or a fully qualified domain name if the IP address is dynamic.
[Figure C-4: Router WAN IP (netgear.dyndns.org; IP address of WAN port). FQDN is required for a dynamic IP address and is optional for a fixed IP address.]
Inbound Traffic to Dual WAN P
177. ...fully qualified domain names in this case is to toggle the domain name of the failed-over gateway firewall between the IP addresses of the active WAN port (i.e., WAN_A1 and WAN_A2 in this example), so that the other end of the tunnel has a known gateway IP address to establish or re-establish a VPN tunnel.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall (Figure C-16), either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to manage the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
[Figure C-16: Gateway-to-Gateway Example, Dual WAN Ports, Load Balancing. VPN Router at office A: LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN_A1 IP and WAN_A2 IP, netgear1.dyndns.org. VPN Router at office B: LAN 172.23.9.0/24, LAN IP 172.23.9.1, WAN_B1 IP and WAN_B2 IP, netgear2.dyndns.org. WAN port addresses shown: 22.23.24.25 and 22.23.24.26. Fully Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully qualified domain name must be used. If an IP addres
178. ...Allow Specific Kinds of Traffic on page 4-1) is the basic way of managing the traffic through your system, you can further refine your control with the following optional features of the VPN firewall:
• Groups and hosts (see Managing Groups and Hosts (LAN Groups) on page 3-6)
• Services (see Services-Based Rules on page 4-2)
• Schedules (see Setting a Schedule to Block or Allow Specific Traffic on page 4-24)
• Block sites (see Setting Block Sites (Content Filtering) on page 4-25)
• Source MAC filtering (see Enabling Source MAC Filtering on page 4-27)
• Port triggering (see Port Triggering on page 4-28)
Chapter 5: Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
Dual WAN Port Systems
The dual WAN ports in the VPN firewall can be configured for either Auto-Rollover mode, for increased system reliability, or Load Balanci
179. ...information to a central authentication server, such as a RADIUS server.
To configure the Primary RADIUS Server:
1. Select VPN from the main menu, VPN Client from the submenu, and then select the RADIUS Client tab. The RADIUS Client screen will display.
2. Enable the Primary RADIUS server by checking the Yes radio box.
[Figure 5-28: RADIUS Client screen (VPN: IKE Policies, VPN Policies, VPN Wizard, Certificates, Mode Config, VPN Client, Connection Status; tabs: User Database, RADIUS Client). Do you want to enable a Primary RADIUS Server? (Yes/No); Primary Server IP Address; Secret Phrase; Primary Server NAS Identifier. Do you want to enable a Backup RADIUS Server? (Yes/No); Backup Server IP Address; Secret Phrase; Backup Server NAS Identifier. Time-out period: 30 Sec. Maximum Retry Count: 4.]
3. Enter the Primary RADIUS Server IP address.
4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
5. Enter the Primary Server NAS Identifier (Network Access Server). This Identifier MUST be present in a RADIUS request. Ensure that the NAS Identifier is configured the same on both client and server. The FVX538 is acting as a NAS (Network Access Server), allowing network access
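What the Secret Phrase and NAS Identifier from the RADIUS Client screen actually do on the wire, as an added example following RFC 2865; this is not code from the NETGEAR manual or firmware. The NAS (the role the FVX538 plays) hides the user's PAP password under MD5(secret + Request Authenticator); the server can only recover it, and only then produce a Response Authenticator the NAS will accept, when both sides hold the same secret. The function names, the user database and the sample secret are constructed for the illustration.

```python
"""Added example (not NETGEAR code): RADIUS Access-Request/Accept per RFC 2865,
showing the shared-secret password hiding and the NAS-Identifier attribute.
Function names, sample users and the secret are constructed."""
import hashlib
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous cipher block)."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_id, nas_ip, authenticator=None):
    """NAS side: Code(1) Identifier Length RequestAuthenticator(16) attributes."""
    req_auth = authenticator or os.urandom(16)      # must be unpredictable and unique per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + _attr(NAS_IP_ADDRESS, IPv4Address(nas_ip).packed)
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(packet):
    attrs, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs


def server_check(packet, secret, users):
    """Server side: require NAS-Identifier, recover the password, answer Accept or Reject."""
    code, ident, _ = struct.unpack("!BBH", packet[:4])
    req_auth, a = packet[4:20], parse_attrs(packet)
    ok = (code == ACCESS_REQUEST and NAS_IDENTIFIER in a
          and USER_NAME in a and USER_PASSWORD in a
          and users.get(a[USER_NAME].decode(errors="replace"))
          == reveal_password(a[USER_PASSWORD], secret, req_auth).decode(errors="replace"))
    reply = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here
    return reply[0], reply + hashlib.md5(reply + req_auth + secret).digest()


def verify_response(response, request, secret):
    """NAS side: a reply computed with a different secret fails this check and is ignored."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```

The design point for step 4 above is visible in `hide_password` and `verify_response`: the secret is never sent, it keys both the password hiding and the reply check, so a mismatch between firewall and server yields a Reject whose authenticator the firewall will not even accept. Step 5 is the `NAS_IDENTIFIER in a` test in `server_check`.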
180. ...Incoming Ports (Start Port, End Port); Action. Port Triggering Status.
[Figure 4-20: Port Triggering screen. Port Triggering Rules table: Name Abstracts, Enable No, Protocol TCP, Outgoing (Trigger) Port 20; select all, delete, add. Add Port Triggering Rule: Name, Enable, Protocol, Outgoing (Trigger) Port Range (Start Port, End Port; 1-65534), Incoming (Response) Port Range. Port Triggering Status: Rule, LAN IP Address, Open Ports, Time Remaining (Sec); refresh.]
E-Mail Notifications of Event Logs and Alerts
The Firewall Logs can be configured to log, and then e-mail, denial of access, general attack information and other information to a specified e-mail address. For example, your VPN firewall will log security-related events such as accepted and dropped packets on different segments of your LAN or DMZ, denied incoming and outgoing service requests, hacker probes and login attempts, and other general information based on the settings you input on the Firewall Logs & E-mail screen. In addition, if you have set up Content Filtering on the Block Sites screen (see Setting Block Sites (Content Filtering) on page 4-25), a log will be generated when someone on your network tries to access a blocked site.
You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-22 on page 4-34). Selecting all e
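The port triggering mechanism behind the screen above, as an added example that is not code from the NETGEAR manual or firmware. An outbound connection from a LAN host to a rule's trigger port opens that rule's incoming port range, but only towards the host that triggered it and only for a limited time, which is what the Port Triggering Status table displays. Assumed here: the timer is an inactivity timer that matching inbound traffic refreshes, and the sample rule's incoming range and timeout are constructed (the figure's rule "Abstracts" uses TCP trigger port 20, but its incoming range is not readable on the page).

```python
"""Added example (not NETGEAR code): a model of port triggering. Assumed: an
inactivity timer refreshed by matching inbound traffic; the sample rule's
incoming range and timeout are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class TriggerRule:
    name: str
    protocol: str            # "TCP" or "UDP"
    trigger: tuple           # outgoing (start, end) port range that arms the rule
    incoming: tuple          # incoming (start, end) port range opened after the trigger
    enabled: bool = True
    timeout: int = 600       # seconds of inactivity before the opening closes (assumed value)


class PortTriggering:
    def __init__(self, rules):
        self.rules = {r.name: r for r in rules}
        self.open = {}       # (rule name, LAN IP) -> expiry time; this is the Port Triggering Status table

    def outbound(self, lan_ip, protocol, dst_port, now):
        """A LAN host opens a connection: arm every enabled rule whose trigger range covers dst_port."""
        armed = []
        for r in self.rules.values():
            if r.enabled and r.protocol == protocol and r.trigger[0] <= dst_port <= r.trigger[1]:
                self.open[(r.name, lan_ip)] = now + r.timeout
                armed.append(r.name)
        return armed

    def inbound(self, protocol, dst_port, now):
        """Unsolicited packet from the WAN: return the LAN host to forward it to, or None to drop it."""
        self._expire(now)
        for (name, lan_ip), expiry in self.open.items():
            r = self.rules[name]
            if r.protocol == protocol and r.incoming[0] <= dst_port <= r.incoming[1]:
                self.open[(name, lan_ip)] = now + r.timeout   # activity keeps the opening alive
                return lan_ip
        return None              # nothing armed: the default inbound policy applies (discard)

    def status(self, now):
        """Rows of the Port Triggering Status table: rule, LAN IP, open ports, time remaining."""
        self._expire(now)
        return [(name, str(ip), f"{self.rules[name].incoming[0]}-{self.rules[name].incoming[1]}", exp - now)
                for (name, ip), exp in self.open.items()]

    def _expire(self, now):
        self.open = {k: exp for k, exp in self.open.items() if exp > now}
```

The security-relevant property is that the opening is bound to the triggering host and closes on its own; an inbound packet for the same port range from the WAN before any trigger, or after the timer has run out, is still discarded.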
181. ...when the DMZ is enabled (see Router Front Panel on page 1-6). See Configuring and Enabling the DMZ Port on page 3-10 and Setting DMZ WAN Rules on page 4-10 for the procedure on how to use this feature.
VPN Tunnels
The VPN firewall permits up to 200 VPN tunnels at a time. Each tunnel requires extensive processing for encryption and authentication. See Chapter 5, Virtual Private Networking, for the procedure on how to use this feature.
Using QoS to Shift the Traffic Mix
The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall. The QoS is set individually for each service.
• You can accept the default priority defined by the service itself by not changing its QoS setting.
• You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have.
The QoS priority settings conform to the IEEE 802.1D-1998 (formerly 802.1p) standard for the class of service tag. You will not change the WAN bandwidth used by changing any QoS priority settings, but you will change the mix of traffic through the WAN ports by granting some services a higher priority than others. The quality of a service is impacted by its QoS setting, however. See Setting Quality of Service (QoS) Pr
182. ...You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. You can also set up multiple remote VPN Client policies through the VPN Wizard. A remote client policy can support up to 200 clients.
To set up a Gateway VPN Tunnel using the VPN Wizard:
1. Select Gateway as your VPN tunnel connection. The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client PC to establish a secure connection to this device.
2. Select a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint; it is used to help you manage the VPN settings.
3. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN Gateway or the remote VPN Client. The key length should be a minimum of 8 characters and should not exceed 49 characters. This method does not require using a CA (Certificate Authority).
4. Check the radio box for the WAN interface that will act as one end of this VPN tunnel (WAN 1 or WAN 2).
5. Enter the Remote WAN IP Address or Internet Name of the gateway you want to connect to.
• Both the remote WAN address and your local WAN address are required. When choosing these addresses, follow the guidelines in Table 5-1 above.
• The remote WAN IP address of the Gateway must be a public address or the Internet name of the Gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as set up in a Dynamic DNS servi
183. ...dynamically assigns network configuration information, including IP, gateway and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.
Trend Micro Integration
If you have installed the Trend Micro Client Server Messaging Suite for SMB on your local network, you can have the firewall enforce its use. When Antivirus Enforcement is selected, local PCs will not be allowed Web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions.
• The Client Server Messaging Suite for Small and Medium Business protects file servers, mail servers and PCs on your network, including antispam capability.
• The Client Server Suite for Small and Medium Business protects file servers and PCs.
• Both products deliver a layered defense against viruses and other malicious code
184. ... 1-9
The Router's IP Address, Login Name and Password ... 1-9
Beant Lag Moom ... 1-10
Chapter 2: Connecting the FVX538 to the Internet
Logging into the VPN Firewall ... 2-1
Configuring the Internet Connections to Your ISPs ... 2-2
Setting the Router's MAC Address ... 2-5
Manually Configuring Your Internet Connection ... 2-5
Programming the Traffic Meter (If Desired) ... 2-7
Configuring the WAN Mode (Required for Dual WAN) ... 2-10
Setting Up Auto-Rollover Mode ... 2-11
Setting Up Load Balancing ... 2-13
Configuring Dynamic DNS (If Needed) ... 2-15
Configuring the Advanced WAN Options (If Needed) ... 2-18
Chapter 3: LAN Configuration
Using the Firewall as a DHCP Server ... 3-1
Configuring the LAN Setup Options ... 3-2
Configuring Multi-Home LAN IPs
185. ...Internet Name? (10.1.32.46) Secure Connection Remote Accessibility: What is the remote LAN IP Address? (192...) What is the remote LAN Subnet Mask? (255.255.255.0)] (Figure 5-4)
Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway; otherwise the secure tunnel will fail to connect. The IP address range used on the remote LAN must be different from the IP address range used on the local LAN. Click the VPN Wizard Default Values link at the top right of the screen to view the recommended VPNC parameters (see Figure 5-4). Click Apply to save your settings. The VPN Policies screen will display, showing the policy Offsite as enabled. Click Edit in the Action column adjacent to the policy to confirm your policy settings.
[Figure: VPN Policies screen, List of VPN Policies: Offsite, Auto Policy, Local 192.168.1.0/255.255.255.0, Remote 192.168.10.1/255.255.255.0, AH SHA-1; home, Auto Policy, Local 192.168.1.0/255.255.255.0, Remote Any, SHA-1, Client Policy. Edit VPN Policy screen, General: Policy Name; Policy Type: Auto Policy; Selec]
186. ...Config Record.
[IKE Policy screen. Peer IKE Identification: Policy Name to_fvs; Direction/Type Both; Exchange Mode Main; Local Identifier Type: WAN IP; Remote Identifier Type: WAN IP. IKE SA Parameters: Diffie-Hellman (DH) Group: Group 2 (1024 bit); Encryption Algorithm: 3DES; Authentication Algorithm: SHA-1; Authentication Method: Pre-shared key / RSA Signature; Pre-shared key: 12345678 (Key Length 8-49 Char); SA Lifetime (sec): 28800; Extended Authentication: None. XAUTH Configuration: Authentication Type: None / Edge Device / IPSec Host; Username; Password.]
Note: When XAUTH is enabled as an Edge Device, incoming VPN connections are authenticated against the FVX538 User Database first; then, if configured, a RADIUS server is checked. If IPSec Host is enabled, users are authenticated by the remote host.
Configuring the FVS338
To configure the FVS338 VPN Wizard:
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
2. Check the Gateway radio box for the type of VPN tunnel connection.
3. Give the new connection a name, such as to_fvx.
[VPN Wizard
187. ...Network Configuration (WAN Settings, WAN Mode, Protocol Binding, Dynamic DNS, LAN Setup, LAN Groups, DMZ Setup, Routing); LAN Setup tabs: Multi-Home LAN IPs, DHCP Log.
[Figure 6-15: DHCP Log screen. LAN Setup: IP Address 192.168.1.1, Subnet Mask 255.255.255.0; Disable DHCP Server / Enable DHCP Server; Domain Name; Starting IP Address; Ending IP Address; WINS Server; Lease Time; Enable DNS Proxy. DHCP Log (refresh, clear log):
Jun 27 19:29:15 dhcpd: DHCPREQUEST for 10.1.32.41 from 00:11
Jun 27 19:29:15 dhcpd: DHCPNAK on 10.1.32.41 to 00:11:43:71
Jun 27 19:29:19 dhcpd: DHCPREQUEST for 10.1.32.41 from 00:11
Jun 27 19:29:19 dhcpd: DHCPNAK on 10.1.32.41 to 00:11:43:71
Jun 27 19:29:20 dhcpd: DHCPDISCOVER from 00:11:43:71:c8:d8
Jun 27 19:29:21 dhcpd: DHCPOFFER on 192.168.1.100 to 00:11
Jun 27 19:29:21 dhcpd: Wrote 1 leases to leases file
Jun 27 19:29:21 dhcpd: DHCPREQUEST for 192.168.1.100 (192.1
Jun 27 19:29:21 dhcpd: DHCPACK on 192.168.1.100 to 00:11:43
Jun 27 19:30:15 dhcpd: Wrote 1 leases to leases file]
Performing Diagnostics
You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall and capturing packets. Select Monitoring from the main menu and Diagnostics from the submenu. The Diagnostics screen will display.
Note: For normal
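A triage pass over the DHCP Log shown above, as an added example that is not code from the NETGEAR manual or firmware. The parser pairs each client's DISCOVER/OFFER/REQUEST/ACK exchange and flags DHCPNAKs; in the logged exchange they mean the client kept re-requesting an address (10.1.32.41) that does not belong to the firewall's 192.168.1.0/24 LAN, i.e. a lease carried in from another network, until it fell back to DISCOVER and was leased 192.168.1.100. The sample lines are constructed in the format of the screen, with a full MAC address because the screen truncates it; the function names are assumptions.

```python
"""Added example (not NETGEAR code): parse and summarise a dhcpd-style DHCP Log.
SAMPLE_LOG is constructed after Figure 6-15; the full MAC address is invented
because the screen truncates it."""
import re
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

SAMPLE_LOG = """\
Jun 27 19:29:15 dhcpd: DHCPREQUEST for 10.1.32.41 from 00:11:43:71:c8:d8 via eth0
Jun 27 19:29:15 dhcpd: DHCPNAK on 10.1.32.41 to 00:11:43:71:c8:d8 via eth0
Jun 27 19:29:19 dhcpd: DHCPREQUEST for 10.1.32.41 from 00:11:43:71:c8:d8 via eth0
Jun 27 19:29:19 dhcpd: DHCPNAK on 10.1.32.41 to 00:11:43:71:c8:d8 via eth0
Jun 27 19:29:20 dhcpd: DHCPDISCOVER from 00:11:43:71:c8:d8 via eth0
Jun 27 19:29:21 dhcpd: DHCPOFFER on 192.168.1.100 to 00:11:43:71:c8:d8 via eth0
Jun 27 19:29:21 dhcpd: Wrote 1 leases to leases file.
Jun 27 19:29:21 dhcpd: DHCPREQUEST for 192.168.1.100 (192.168.1.1) from 00:11:43:71:c8:d8 via eth0
Jun 27 19:29:21 dhcpd: DHCPACK on 192.168.1.100 to 00:11:43:71:c8:d8 via eth0
Jun 27 19:30:15 dhcpd: Wrote 1 leases to leases file.
"""

# timestamp, message type, optional address ("for"/"on"), optional "(server)" and client MAC ("from"/"to")
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) dhcpd: (?P<msg>DHCP[A-Z]+)"
    r"(?: (?:for|on) (?P<ip>\d+\.\d+\.\d+\.\d+)(?: \([\d.]+\))?)?"
    r"(?: (?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}))?")


def parse_dhcp_log(text):
    """Yield (timestamp, message, ip or None, mac) for each dhcpd message line that names a client."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group("mac"):
            yield m.group("ts"), m.group("msg"), m.group("ip"), m.group("mac")


def summarize(text, lan=IPv4Network("192.168.1.0/24")):
    """Per client: NAK'd addresses, requests for addresses outside the LAN, the ACK'd lease, message order."""
    clients = defaultdict(lambda: {"naks": [], "foreign_requests": [], "lease": None, "sequence": []})
    for ts, msg, ip, mac in parse_dhcp_log(text):
        c = clients[mac]
        c["sequence"].append(msg)
        if msg == "DHCPNAK":
            c["naks"].append(ip)
        if msg == "DHCPREQUEST" and ip and IPv4Address(ip) not in lan:
            c["foreign_requests"].append(ip)   # client asked for an address the LAN server cannot give
        if msg == "DHCPACK":
            c["lease"] = ip
    return dict(clients)
```

Repeated NAKs for an off-subnet address from one MAC are the normal signature of a laptop that last got a lease elsewhere; a client that keeps requesting an in-subnet address it does not hold, or many MACs cycling through DISCOVER without completing, would be worth a closer look.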
188. ...ng Inbound Rules 4-2, 4-4
increasing traffic 6-5
rules, about 4-4
port forwarding 6-5
Port Mode 2-1
port numbers 4-2
Port Speed 2-19
Port Triggering: about 4-28; adding a rule 4-29; increasing traffic 6-6; modifying a rule 4-31; rules of use 4-28
port triggering 6-6; status 6-22
Port Triggering screen 4-29, 6-22
ports, explanation of WAN and LAN 1-6
PPP over Ethernet. See PPPoE
PPPoE 1-4, 2-3, 2-5; Internet connection 2-6
PPTP 2-3, 2-5, 4-15
precedence, order of for rules 4-27
protocol numbers, assigned 4-2
protocols, Routing Information Protocol 1-3
Q
QoS 4-2; about 4-23; priority definitions 4-23; shifting traffic mix 6-7; SIP 2.0 support 2-1
Quality of Service. See QoS
R
rack mounting 1-9
rack mounting hardware 1-9
RADIUS Server, configuring 5-35
RADIUS-CHAP 5-31, 5-33; XAUTH, using with 5-32
RADIUS-PAP 5-31; XAUTH, using with 5-32
reducing traffic 6-2; Block Sites 6-4; Service Blocking 6-2; Source MAC Filtering 6-4
remote management 6-10; access 6-10; configuration 6-10
remote users, assigning addresses 5-37; ModeConfig 5-37
requirements, hardware C-3
Reserved IP Address 3-7; Reserved IP address restrictions 3-7; Reserved IP Addresses 3-9
Restore saved settings 6-13
Return E-mail Address 4-33
RFC 1349 4-23
RFC 1700, protocol numbers 4-2
RIP 3-13; about 3-13; configuring parameters
189. ...Load Balancing mode for optimum bandwidth efficiency. This WAN mode choice then impacts how the VPN features must be configured. Refer to Virtual Private Networks (VPNs) on page C-10 for an overview of the IP addressing requirements for VPN in the two WAN modes. To aid in determining the addressing requirements for your VPN tunnel in either rollover mode or load balancing mode, see Table 5-1.
Table 5-1. IP Addressing for VPNs in Dual WAN Port Systems
Configuration and WAN IP address | Rollover Mode (a) | Load Balancing Mode
VPN Road Warrior (client-to-gateway), Fixed | FQDN required | Allowed (FQDN optional)
VPN Road Warrior (client-to-gateway), Dynamic | FQDN required | FQDN required
VPN Gateway-to-Gateway, Fixed | FQDN required | Allowed (FQDN optional)
VPN Gateway-to-Gateway, Dynamic | FQDN required | FQDN required
VPN Telecommuter (client-to-gateway through a NAT router), Fixed | FQDN required | Allowed (FQDN optional)
VPN Telecommuter (client-to-gateway through a NAT router), Dynamic | FQDN required | FQDN required
a. All tunnels must be re-established after a rollover using the new WAN IP address.
Figure 5-1 shows the WAN Mode setup screen for Auto-Rollover Mode using WAN port 1. It also shows the Protocol Bindings screen that displays if Load Balancing is selected. When Load Balancing is selected, no WAN Failure Detection Method fields are selectable. This setup is accomplished in Configuring the WAN Mode (Required for Dual WAN) on page 2-10.
Rollove
190. ...ping to this IP address.
[Figure 2-4: WAN Mode screen. Use only single WAN port. Test Period is 30 Seconds. Failover after 4 Failures.]
6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number of queries have failed to elicit a reply. The rollover link is brought up after this. The Failover default is 4 failures. The default time to roll over after the primary WAN interface fails is 2 minutes (a 30-second minimum test period times a minimum of 4 tests).
7. Click Apply to save your settings.
8. Click Reset to revert to the previous settings.
Once a rollover occurs, an alert will be generated (see E-Mail Notifications of Event Logs and Alerts on page 4-31). When notified that the failed WAN interface has been restored, you can force traffic back on the original primary WAN interface by reapplying the Auto-Rollover settings in the WAN Port Mode menu.
Setting Up Load Balancing
To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, both links will carry data for the protocols that are bound to them. For example, if the HTTP protocol is bound to WAN1 and the FTP protocol is bound to WAN2, then the router will automatically channel FTP data from and to the computers on the LAN through the WAN2 port. All HTTP
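The Auto-Rollover failure-detection arithmetic from step 6, as an added example that is not code from the NETGEAR manual or firmware. One probe (DNS lookup or ping, per the detection method chosen) is sent every test period; after the configured number of failed probes the WAN is declared down and traffic rolls over to the other port. Assumed here: a successful probe resets the failure count (so the failures must be consecutive), and the port does not fail back on its own, the administrator forces traffic back to the primary as the text describes. The class and method names are constructed.

```python
"""Added example (not NETGEAR code): the Auto-Rollover detection rule as a state
machine. Assumed: consecutive failures count, a reply resets the count, and
fail-back is a manual step (reapplying the settings)."""


class AutoRollover:
    def __init__(self, primary="WAN1", secondary="WAN2", test_period=30, max_failures=4):
        if test_period < 30 or max_failures < 1:
            raise ValueError("test period is 30 s minimum; failover count must be at least 1")
        self.primary, self.secondary = primary, secondary
        self.test_period, self.max_failures = test_period, max_failures
        self.active = primary
        self.failures = 0
        self.elapsed = 0
        self.events = []

    def worst_case_rollover_seconds(self):
        """Time from the primary going dark to rollover: period x failures (120 s with the defaults)."""
        return self.test_period * self.max_failures

    def probe(self, replied):
        """Record one detection probe on the active port; returns the port traffic uses afterwards."""
        self.elapsed += self.test_period
        self.failures = 0 if replied else self.failures + 1
        if self.failures >= self.max_failures and self.active == self.primary:
            self.active = self.secondary
            self.failures = 0
            self.events.append(f"t={self.elapsed}s rollover {self.primary}->{self.secondary} (alert e-mailed)")
        return self.active

    def reapply_settings(self):
        """Administrator re-applies Auto-Rollover once the primary is restored: traffic returns to it."""
        self.active = self.primary
        self.failures = 0
        self.events.append(f"t={self.elapsed}s traffic forced back to {self.primary}")
        return self.active
```

The practical consequence of the reset-on-reply assumption is that an intermittently answering primary can sit below the threshold indefinitely; if that matters, shorten the test period or lower the failure count rather than relying on the 2-minute default.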
191. ...change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply.
[Figure 4-2: LAN WAN Rules screen (Security: Firewall Rules, Services, Schedule, Block Sites, Source MAC Filter, Port Triggering, Trend Micro; tabs: LAN WAN Rules, DMZ WAN Rules, LAN DMZ Rules, Attack Checks). Default Outbound Policy: Allow Always (apply). Outbound Services table: Service Name ANY; Filter "Block by schedule 1, else allow"; LAN Users Group1; WAN Users ANY; Priority Normal-Service; Log Never; Action: up, down, edit; select all, delete, enable, disable, add. Inbound Services table: Service Name ANY; Filter Block Always; LAN Server IP Address 192.168.1.2; LAN Users, WAN Users; Destination WAN1; Log Never; Action: up, down, edit; select all, delete, enable, disable, add.]
To make changes to an existing outbound or inbound service rule:
1. In the Action column adjacent to the rule, click:
• Edit to make any changes to the rule definition of an existing rule. The Outbound Service screen will display, containing the data for the selected rule (see Figure 4-3 on page 4-9).
• Up to move the rule up one position in the table rank.
• Down to move the rule down one position in the table rank.
2. Check the radio box adjacent to the rule and click:
• Disable to disable the rule. The Status icon will change from green to grey, indicating that the ru
192. • Single address: Enter the required address and the rule will be applied to that particular PC on the DMZ network.
• Address range: If this option is selected, you must enter the start and finish fields of the DMZ computers.
Table 4-1. Outbound Rules (continued)
QoS Priority: This setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy. See Setting Quality of Service (QoS) Priorities on page 4-23.
Log: This determines whether packets covered by this rule are logged. Select the desired action:
• Always: always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
• Never: never log traffic considered by this rule, whether it matches or not.
Inbound Rules (Port Forwarding)
Because the FVX538 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule, you
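How the Default Outbound Policy and an ordered LAN WAN Outbound Services table (the fields of Table 4-1 and the screen in Figure 4-2) decide a flow, as an added example that is not code from the NETGEAR manual or firmware. The first rule in table rank that matches wins, so Up and Down change the outcome; the action "BLOCK by schedule, otherwise Allow" inverts outside its schedule; "Log: Always" logs every flow the rule considers whether it matches or not; and the default policy applies when nothing matches. The schedule, LAN group, rule fields and sample flows are constructed for the illustration.

```python
"""Added example (not NETGEAR code): first-match evaluation of an ordered
outbound rule table with schedules, LAN/WAN selectors, per-rule logging and a
Default Outbound Policy. Schedule1, Group1 and the flows are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

# Constructed Schedule1: weekdays (Mon=0 .. Fri=4) 09:00-17:00
SCHEDULES = {"Schedule1": ({0, 1, 2, 3, 4}, 9, 17)}
# Constructed LAN Group as assigned on the LAN Groups screen
GROUPS = {"Group1": {IPv4Address("192.168.1.2"), IPv4Address("192.168.1.3")}}


@dataclass
class Rule:
    service: str                 # "ANY" or one service, e.g. "HTTP"
    action: str                  # "BLOCK always" | "ALLOW always" | "BLOCK by schedule" | "ALLOW by schedule"
    lan_users: object = "Any"    # "Any", an IPv4Address, a (start, end) tuple, or a group name
    wan_users: object = "Any"    # same forms, for the Internet side
    schedule: Optional[str] = None
    log: str = "Never"           # "Always" | "Never"
    enabled: bool = True


@dataclass
class Flow:
    src: IPv4Address
    dst: IPv4Address
    service: str
    when: datetime


def _selected(addr, selector):
    if selector == "Any":
        return True
    if isinstance(selector, IPv4Address):
        return addr == selector
    if isinstance(selector, tuple):
        return selector[0] <= addr <= selector[1]
    return addr in GROUPS.get(selector, set())


def _in_schedule(name, when):
    days, start, end = SCHEDULES[name]
    return when.weekday() in days and start <= when.hour < end


def _matches(rule, flow):
    return (rule.enabled and rule.service in ("ANY", flow.service)
            and _selected(flow.src, rule.lan_users) and _selected(flow.dst, rule.wan_users))


def evaluate(rules, flow, default_policy="Allow Always"):
    """Walk the table in rank order; return (verdict, log_lines) with verdict 'ALLOW' or 'BLOCK'."""
    log = []
    for rank, rule in enumerate(rules, 1):
        hit = _matches(rule, flow)
        if rule.log == "Always":      # "Always" logs traffic the rule considers, matched or not
            log.append(f"{flow.when:%b %d %H:%M:%S} rule#{rank} {rule.action} match={hit} "
                       f"{flow.src}->{flow.dst} {flow.service}")
        if not hit:
            continue
        verb, _, qualifier = rule.action.partition(" ")
        if qualifier == "by schedule":
            if _in_schedule(rule.schedule, flow.when):
                return verb, log
            return ("ALLOW" if verb == "BLOCK" else "BLOCK"), log   # the "otherwise" half of the action
        return verb, log
    return default_policy.split()[0].upper(), log
```

Two things the model makes concrete: with the factory Default Outbound Policy of Allow Always, a host that is not in Group1 is allowed out even during Schedule1, so a restrictive posture means changing the default to Block Always and adding explicit allow rules above the catch-all; and because evaluation is first-match, moving a broad BLOCK rule above a narrow ALLOW rule silently disables the latter.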
193. ...Connection Status
You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display.
[Figure 6-13: IPSec Connection Status screen. Active IPSec SA(s): Policy Name to_fvs; Endpoint 10.1.1.150; Tx (KB) 0.00; Tx (Packets) 0; State "IPsec SA Not Established"; Action: connect. Poll Interval (Seconds); set interval; stop.]
Table 6-4. VPN Status data
Policy Name: The name of the VPN policy associated with this SA.
Endpoint: The IP address of the remote VPN Endpoint.
Tx (KB): The amount of data transmitted over this SA.
Tx (Packets): The number of IP packets transmitted over this SA.
State: The current status of the SA. Phase 1 is the authentication phase (the IKE SA, where the peers authenticate each other) and Phase 2 is the key exchange phase (the IPsec SA that carries the traffic).
Action: Use this button to terminate or build the SA connection if required.
VPN Logs
The VPN Logs screen gives log details for recent VPN activity. Select Monitoring from the main menu and VPN Logs from the submenu to view the VPN Logs. You can refresh the log display to view the most recent entries, or clear the log display to delete all the log entries.
[Figure: Monitoring submenu: Router Status, Traffic Meter, Diagnostics, Firewall Logs & E-mail
194. ...Front Panel on page 1-6) will light up, indicating that the DMZ port has been enabled. If another device on your DMZ network will be the DHCP server, or if you will manually configure all devices, leave the Disable option (default) checked. To define the DMZ WAN Rules and LAN DMZ Rules, see Setting DMZ WAN Rules on page 4-10 and Setting LAN DMZ Rules on page 4-12, respectively.
Static Routes
Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases, such as multiple firewalls or multiple IP subnets located on your network.
Configuring Static Routes
To add or edit a static route:
1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display.
2. Click Add. The Add Static Route menu shown below will display.
3. Enter a route name for this static route in the Route Name field (for identification and management).
[Figure residue: Add Static Route screen, reached from the Network Configuration menu (WAN Settings, WAN Mode, Protocol Binding, Dynamic DNS, LAN Setup, LAN Groups, DMZ Setup, Routing, RIP Configuration)]
195. ...nt user authentication security by enabling the XAUTH server (by selecting the Edge Device radio box) and then adding users to the User Database (see Extended Authentication (XAUTH) Configuration on page 5-31 and User Database Configuration on page 5-34, respectively). Alternatively, you can also choose to select either a RADIUS-CHAP or RADIUS-PAP server.
Configuring the VPN Client
From a PC with the Netgear ProSafe VPN Client installed, you can configure a VPN client policy to connect to the FVX538.
To configure your VPN client:
1. Right-click on the VPN client icon in your Windows toolbar and select Security Policy Editor. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection. Give the New Connection a name, such as to_FVX.
[Figure 5-16: Security Policy Editor window, showing the New Connection under Network Security Policy, with Other Connections below it]
From the ID Type pull-down menu, select IP Subnet. Enter the LAN IP Subnet Address and Subnet Mask of the FVX538 LAN. Check the Connect using radio box and select Secure Gateway Tunnel from the pull-down menu. From the first ID Type pull-down menu, select Domain Name and enter the FQDN address of the FVX538. From the second ID Type pull-down menu, select Gateway IP Address and enter the WAN IP...
196. ...Enabled (all) ... the Internet ...; Source MAC filtering: Disabled; Stealth Mode: Enabled.
Technical specifications for the ProSafe VPN Firewall 200 are listed in the following table.
Table A-2. VPN firewall Technical Specifications
Network Protocol and Standards Compatibility: Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter: North America: 120V, 60 Hz input; United Kingdom, Australia: 240V, 50 Hz input; Europe: 230V, 50 Hz input; Japan: 100V, 50/60 Hz input
Physical Specifications: Dimensions: 1.7 x 13 x 8.2 in; Weight: 2 kg (4.5 lb)
Table A-2. VPN firewall Technical Specifications (continued)
Environmental Specifications: Operating temperature: 0 to 40 C (32 to 104 F); Operating humidity: 90% maximum relative humidity, noncondensing
Electromagnetic Emissions: Meets requirements of FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B
Interface Specifications: LAN: 10BASE-T or 100BASE-Tx, RJ-45; WAN: 10BASE-T or 100BASE-Tx, 1000BASE-T
Default Settin...
197. ...from the submenu. The Mode Config screen will display. Click Add. The Add Mode Config Record screen will display. Enter a descriptive Record Name, such as Sales. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses, such as 172.20.xx.xx.
If you have a WINS Server on your local network, enter its IP address. Enter one or two DNS Server IP addresses to be used by remote VPN clients. If you enable Perfect Forward Secrecy (PFS), select DH Group 1 or 2. This setting must match exactly the configuration of the remote VPN client. Specify the Local IP Subnet to which the remote client will have access. Typically, this is your router's LAN subnet, such as 192.168.2.1/255.255.255.0. If not specified, it will default to the LAN subnet of the router. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
- SA Lifetime: 3600 seconds
- Authentication Algorithm: SHA-1
- Encryption Algorithm: 3DES
Click Apply. The new record should appear in the VPN Remote Host Mode Config Table. A sample record is shown below.
[Figure residue: Client Pool table (Record Name, First IP Pool Starting...)]
198. ...[Figure 5-26: IKE Policy screen, showing Authentication Method (Pre-shared key / RSA Signature), Pre-shared key (Key Length 8-49 Char), Diffie-Hellman (DH) Group (Group 2, 1024 bit), SA Lifetime (sec), and Extended Authentication (XAUTH) Configuration (None / Edge Device / IPsec Host; Authentication Type: User Database; Username; Password)]
User Database Configuration
The User Database screen is used to configure and administer users when Extended Authentication is enabled as an Edge Device. Whether or not you use an external RADIUS server, you may want some users to be authenticated locally. These users must be added to the User Database Configured Users table.
To add a new user:
1. Select VPN from the main menu and VPN Client from the submenu. The User Database screen will display.
2. Enter a User Name. This is the unique ID of a user which will be added to the User Name database.
3. Enter a Password for the user, and reenter the password in the Confirm Password field.
4. Click Add. The User Name will be added to the Configured Users table.
[Figure residue: User Database screen (VPN submenu: Policies, VPN Wizard, Certificates, Mode Config, VPN Client, RADIUS Client), showing the Configured Users table (User Name, Action) and the Add New User fields]
199. ...on will change from green to grey, indicating that the rule is disabled. By default, when a rule is added to the table, it is automatically enabled.
- Click Delete to delete the rule.
3. Click Select All to select all rules. A check will appear in the radio box for each rule.
LAN DMZ Outbound Services Rules
To create a new outbound LAN DMZ service rule:
1. Click Add under the Outbound Services Table. The Add LAN DMZ Outbound Service screen will display.
[Figure 4-7: Add LAN DMZ Outbound Service screen (Service, Action, Select Schedule, LAN Users, DMZ Users, Log)]
2. Complete the Outbound Service screen and save the data (see Outbound Rules (Service Blocking) on page 4-2). Click Reset to cancel your settings and return to the previous settings.
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
LAN DMZ Inbound Services Rules
To define an Inbound LAN DMZ Rule:
1. Click Add under the Inbound Services table. The Add LAN DMZ Inbound Service screen will display.
2. Complete the Inbound Service screen and save the data (see Inbound Rules (Port Forwarding) on pag...
200. ...[Figure 2-3: Traffic Meter screen, showing This Month's Limit and the traffic counters by type (Email, Others, Total, HTTP)]
2. Click Apply to apply the settings. Click Reset to return to the previous settings.
3. Select the WAN2 Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter for the WAN2 port.
Table 2-2. Traffic Meter Settings
Enable Traffic Meter: Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected by clicking the appropriate tab; the entire configuration is specific to each WAN interface.
- No Limit: If this is selected, the specified restriction will not be applied when the traffic limit is reached.
- Download only: If this is selected, the specified restriction will be applied to the incoming traffic only.
- Both Directions: If this is selected, the specified restriction will be applied to both incoming and outgoing traffic.
Enable Monthly Limit: Use this if your ISP charges for additional traffic. If enabled, enter the monthly volume limit and select the desired behavior when the limit is reached. Note: Both incoming and outgoing traffic are included in the limit.
Increase this month's limit: Use this to temporarily increase the Traffic Limit if you ha...
201. ...or Gateway IP Address: IP address of the ISP's gateway. This is usually provided by the ISP or your network administrator. If your ISP has not assigned a Static IP address, select the Get dynamically from ISP radio box. The ISP will automatically assign an IP address to the router using the DHCP network protocol.
4. If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries may cause connectivity issues.
Note: Domain Name Servers (DNS) convert Internet names such as www.google.com, www.netgear.com, etc. to Internet addresses called IP addresses. Incorrect settings here will result in connectivity problems.
5. Click Apply to save the settings.
6. Click Reset to discard any changes and revert to the previous settings.
7. Click Test to try and connect to the NETGEAR Web site. If you connect successfully and your settings work, then you may click Logout or go on and configure additional settings.
To configure your WAN2 ISP settings:
1. Select the WAN2 ISP Settings tab. The WAN2 ISP Settings screen will display.
2. Repeat steps 1 through 7 above.
Programming the Traffic Meter (if Des...
202. ...orithm: IKE Policy 5-12. Auto Detect 2-3. Auto Uplink 1-3. Auto Rollover: configuration of 2-1; definition of 2-10; Dual WAN ports 5-1; restoring WAN interface 2-12; use with DDNS 2-16; Using WAN port 2-11.
Index
B
Back up settings 6-13. backup and restore settings 6-14. bandwidth capacity 6-1: LAN side 6; Load balancing mode 6-1; Rollover mode 6-1; WAN side 6-1. BigPond Cable 2-4, 2-5: Internet connection 2-6. Block Sites 7-2: Content Filtering 4-25; reducing traffic 6-4. Block Sites screen 4-25. Block TCP Flood 4-4. block traffic with schedule 4-24. Blocking Instant Messenger: example of 4-20.
C
CA: about 5-27. Cat5 cable C-3. Certificate Authority: See CA. Classical Routing: definition of 2-10. command line interface 6-11. configuration: automatic by DHCP 1-4. connecting the VPN firewall 2. Connection Status: VPN Tunnels 5-3. Content 4-25. Content Filtering 4: about 4-25; Block Sites 4-25; enabling 4-25; firewall protection, about 4-1. content filtering 1-2, 4-1. crossover cable 3-7, 2. Customized Service: editing 4-23. customized service: adding 4-22. Customized Services: adding 4-2, 4-21.
D
Date: setting 6-16; troubleshooting 7-7. Daylight Savings Time: adjusting for 6-16. DDNS: about 2-15; configuration of 2-16; links to 2-17; providers of 2-15; services, examples 2-17. DDNS providers: links to 2-17. default configurat...
203. ...Network Database are:
- Generally, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the desired PC or device.
- No need to reserve an IP address for a PC in the DHCP Server. All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you.
- No need to use a Fixed IP on PCs. Because the address allocated by the DHCP Server will never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP address.
- MAC-level control over PCs. The Network Database uses the MAC address to identify each PC or device. So changing a PC's IP address does not affect any restrictions on that PC.
- Group and individual control over PCs. You can assign PCs to Groups and apply restrictions to each Group using the Firewall Rules screen (see Using Rules to Block or Allow Specific Kinds of Traffic on page 4-1). You can also select the Groups to be covered by the Block Sites feature (see Setting Block Sites (Content Filtering) on page 4-25). If necessary, you can also create Firewall Rules to apply to a single PC (see Enabling Source MAC Filtering on page 4-27). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing...
204. ...ort Systems. The IP address range of the firewall's WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
Inbound Traffic: Dual WAN Ports for Improved Reliability
In the dual WAN port case with rollover (Figure C-5), the WAN's IP address will always change at rollover. A fully qualified domain name must be used that toggles between the IP addresses of the WAN ports (i.e., WAN1 or WAN2).
[Figure C-5: Dual WAN Ports Before Rollover and After Rollover. The router is reached as netgear.dyndns.org; before rollover the WAN2 port is inactive, after rollover the WAN1 port is inactive. The IP address of the active WAN port changes after a rollover, so use of fully qualified domain names is always required.]
Inbound Traffic: Dual WAN Ports for Load Balancing
In the dual WAN port case for load balancing (Figure C-6), the Internet address of each WAN port is either fixed (if the IP address is fixed) or a fully qualified domain name (if the IP address is dynamic).
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain bett...
205. ...
10. Enter a Schedule for sending the logs. From the Unit pull-down menu, select Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection.
11. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets). In the System Logs section, check the radio box for the type of system events to be logged.
Check the Yes radio box to enable E-mail Logs. Then enter:
a. E-mail Server address: Enter the outgoing E-mail SMTP mail server address of your ISP (for example, 172.16.1.10). If you leave this box blank, no logs will be sent to you.
b. Return E-mail Address: Enter the e-mail address of the user.
c. Send To E-mail Address: Enter the e-mail address where the logs and alerts should be sent. You must use the full e-mail address (for example, ChrisXY@myISP.com).
The No Authentication radio box is checked by default. If your SMTP server authenticates users, uncheck the radio box by selecting the authentication type (either Login Plain or CRAM-MD5), based on your SMTP server requirements. Then enter the user name and password to be used for authentication. If you want to respond to the IDENT protocol, check the Respond to Identd from SMTP Server radio box. The Ident Protocol is an Internet protocol that...
206. ...Troubleshooting 7-1: browsers 7-3; configuration settings, using sniffer 7-3; defaults 7-3; ISP connection 7-4; NTP 7-7; testing your setup 7-6; Web configuration 7-2. Trusted Certificates 5-27. Trusted Domains: building list of 4-26. TZO.com 2-15.
U
UDP flood 4-15. Use Default Address 2-5. User Database 5-32: adding user 5-34; editing user 5-35. User Database screen 5-34.
V
view protocol bindings: Load Balancing 2-13. viewing logs 6-19. VPN: gateway to gateway, about C-14; gateway to gateway, Dual gateway C-15; gateway to gateway, single gateway C-14; Load Balancing, examples of C-11; load balancing with dual WAN ports C-7; Road Warrior, dual gateway C-12; Road Warrior, examples of C-11; Road Warrior, single gateway C-12; Rollover, examples of C-10; rollover with dual WAN ports C-7; telecommuter, about C-17; telecommuter, Dual gateway C-18; telecommuter, single gateway C-18. VPN Client: configuring 5-7; configuring PC, example 5-22; VPN Wizard example 5-20. VPN firewall: connecting 2-1. VPN Logs: monitoring 6-26. VPN Logs screen 6-26. VPN Pass-through 4-15. VPN Policies screen 5-5, 5-9. VPN Policy: Auto 5-12; Auto-generated 5-10; field definitions 5-3; Manual 5-2. VPN Tunnel: Client Policy 5-7; FVS338 configuring, example of 5-19; FVX538 configuration example 5-14; load balancing mode 5-1; rollover mode 5-1. VPN Tunnel addresses: Dual WAN Port systems 5. VPN Tunnel Connection: monitoring status 6-25. VPN Tunnels: Connection Status 5-13.
207. ...browser programs are readily available for Windows, Macintosh, or UNIX/Linux. For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall that is set to automatically get its TCP/IP configuration from the firewall via DHCP.
Note: For help with DHCP configuration, please refer to the link in Appendix B, Related Documents.
The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T) Ethernet interface.
Internet Configuration Requirements
Depending on how your ISPs set up your Internet accounts, you will need one or more of these configuration parameters to connect your firewall to the Internet:
- Host and Domain Names
- ISP Login Name and Password
- ISP Domain Name Server (DNS) Addresses
- Fixed IP Address, which is also known as Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information:
- Your ISPs provide all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISPs to provide it, or you can try one of the options below.
- If you have a computer already connected using the active Internet access account, you can gather the configuration information from...
208. ...[Figure 6-8: Firewall Logs & E-mail screen, showing the log and e-mail check boxes for each network segment (LAN to WAN, LAN to DMZ, DMZ to WAN, WAN to LAN, DMZ to LAN, WAN to DMZ), the system events to log or e-mail (Change of time by NTP, Login attempts, Secure Login attempts, Reboots, Inbound WAN Packets Dropped, Inbound LAN Packets Dropped), the Enable E-Mail Logs fields (E-Mail Server Address, Return E-Mail Address, Send to E-Mail Address, No Authentication, User Name, Password, Respond to Identd from SMTP Server) and the Enable SysLogs / SysLog Server fields]
Monitoring Attached Devices
The Groups and Hosts menu contains a table of all IP devices that the VPN firewall has discovered on the local network. Select Network Configuration from the main menu and LAN Groups from the submenu. The Groups and Hosts screen will display.
[Figure residue: Groups and Hosts screen, reached from the Network Configuration menu (LAN Setup, Dynamic DNS, DMZ Setup, Routing, Edit Group Names), with columns Name, IP Address, MAC Address, G...]
209. ...example, you may require a static route if:
- Your primary Internet access is through a cable modem to an ISP.
- You have an ISDN firewall on your home network for connecting to the company where you are employed. This firewall's address on your LAN is 192.168.1.100.
- Your company's network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.1.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company's firewall. In this case you must define a static route telling your firewall that 134.177.0.0 should be accessed through the ISDN firewall at 192.168.1.100.
In this example:
- The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
- The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192.168.1.100.
- A Metric value of 1 will work, since the ISDN firewall is on the LAN.
- Private is selected only as a precautionary security measure, in case RIP is activated.
Enabling Trend Micro Antivirus Enforcement
If you installe...
210. ...computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate.
Tip: If you are using a dynamic DNS service such as TZO, you can identify the IP address of your FVX538 by running tracert from the Windows Run menu option. For example, enter tracert your FVX538.mynetgear.net and the IP address that your ISP assigned to the FVX538 will display.
Using a SNMP Manager
Simple Network Management Protocol (SNMP) lets you monitor and manage your router from an SNMP Manager. It provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
The SNMP Configuration table lists the SNMP configurations by:
- IP Address: The IP address of the SNMP manager
- Port: The trap port of the configuration
- Community: The trap community string of the configuration
To create a new SNMP configuration entry:
1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen will display.
2. Under Create New SNMP Configuration Entry, enter the IP Address of the SNMP manager in the IP Address field and the Subnet Mask in the Subnet Mask field.
- If you want to allow only the host address to access the VPN firewall and receive traps (for example, see Figure 6-3), enter an IP Address of, for example, 192.1...
211. ...[Figure 5-1: WAN Mode Setup screen (Use NAT or Classical Routing between WAN & LAN interfaces; Port Mode: Auto Rollover using WAN port, Load Balancing with protocol bindings, or Use only single WAN port; WAN failure detection by DNS lookup using configured DNS Servers, DNS lookup using this DNS Server, or Ping to this IP address; Test Period in seconds; Failover after a set number of failures) and Load Balancing Setup screen (Protocol Binding table with Service, Source Network, Destination Network, Action; Add Protocol Binding with Start Address and End Address)]
The use of fully qualified domain names is:
- Mandatory when the WAN ports are in rollover mode (Figure 5-2 on page 5-3); also required for the VPN tunnels to fail over.
- Mandatory when the WAN ports are in load balancing mode and the IP addresses are dynamic (Figure 5-3 on page 5-3).
- Optional when the WAN ports are in load balancing mode if the IP addresses are static (Figure 5-3 on page 5-3).
See Configuring Dynamic DNS I...
212. ...ress. For the single gateway WAN port case, the mechanism is to use a fully qualified domain name (FQDN) when the IP address is dynamic, and to use either an FQDN or the IP address itself when the IP address is fixed. The situation is different when dual gateway WAN ports are used in a rollover-based system.
- Rollover Case for Dual Gateway WAN Ports: Rollover (Figure C-7) for the dual gateway WAN port case is different from the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Hence the use of a fully qualified domain name is always required, even when the IP address of each WAN port is fixed.
Note: Once the gateway router WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address.
[Figure C-7: Dual WAN Ports Before Rollover and After Rollover. The gateway is reached as netgear.dyndns.org; before rollover the WAN2 port is inactive, after rollover the WAN1 port is inactive. The IP address of the active WAN port changes after a rollover, so use of fully qualified domain names is always required.]
- Load Balancing Case for Dual Gateway WAN Ports: Load balancing (Figure C-8) for the dual gateway WAN port case is the same...
213. ...[Figure 6-9: Groups and Hosts screen, showing the Known PCs and Devices table (Name, IP Address, MAC Address, Group, Action; sample entry with a DHCP Assigned IP Address) and the Add Known PCs and Devices fields (Name, IP Address Type, IP Address, MAC Address, Group)]
The network database is an automatically maintained list of all known PCs and network devices. PCs and devices become known by the following methods:
- DHCP Client Requests: By default, the DHCP server in this Router is enabled and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the network database. Because of this, leaving the DHCP Server feature enabled on the LAN Setup screen is strongly recommended.
- Scanning the Network: The local network is scanned using standard methods such as ARP. This will detect active devices which are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined, and will be shown as Unknown.
The Known PCs and Devices table lists all current entries in the network database. For each PC or device, the following data is displayed.
Table 6-1. Known PCs and Devices
Name: The name of the PC or device. Sometimes this cannot be determined, and will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
IP Address: The current IP address. For DH...
214. ...certified that the ProSafe VPN Firewall 200 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
The Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.
Additional Copyrights
AES: Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK. All rights reserved.
TERMS: Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this li...
215. ...ry to balance the loads of the two gateway WAN ports, because the IP address of the remote PC is not known in advance. The chosen gateway WAN port must act as the responder.
[Figure C-12: Road Warrior Example, Dual WAN Ports (Load Balancing). Client B, a remote PC running the NETGEAR ProSafe VPN Client (WAN IP 0.0.0.0), connects to Gateway A, the VPN Router at the employer's main office (reached by FQDN; LAN 10.5.6.0/24, LAN IP 10.5.6.1). Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully qualified domain name must be used. If an IP address is fixed, a fully qualified domain name is optional.
VPN Gateway to Gateway
The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall:
- Single gateway WAN ports
- Redundant dual gateway WAN ports for increased reliability (before and after rollover)
- Dual gateway WAN ports used for load balancing
VPN Gateway to Gateway: Single Gateway WAN Ports (Reference Case)
In the case of single WAN ports on the gateway VPN firewalls (Figure C-13), either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port, because th...
216. ...s derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
MD5: Copyright (C) 1990, RSA Dat...
217. ...s is fixed, a fully qualified domain name is optional.
VPN Telecommuter (Client to Gateway Through a NAT Router)
Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.
The following situations exemplify the requirements for a remote PC client connected to the Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway VPN firewall at the company office:
- Single gateway WAN port
- Redundant dual gateway WAN ports for increased reliability (before and after rollover)
- Dual gateway WAN ports used for load balancing
VPN Telecommuter: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall (Figure C-17), the remote PC client at the NAT router initiates the VPN tunnel, because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.
[Figure C-17: Telecommuter Example, Single WAN Port. Client B, a remote PC running the NETGEAR ProSafe VPN Client behind NAT Router B at the telecommuter's home office (WAN IP 0.0.0.0), connects to Gateway A, the VPN Router at the employer's main office (LAN 10.5.6.0/24, LAN IP 10.5.6.1). Fully Qualified Domain Names (FQDN) are optional for fixed IP addresses and required for dynamic IP addresses.]
The IP address of the gate...
218. 3-4; Managing Groups and Hosts (LAN Groups) 3-6; Creating the Network Database 3-6; Setting Up Address Reservation 3-9; Configuring and Enabling the DMZ Port 3-10; Static Routes 3-12; Configuring Static Routes 3-12; Routing Information Protocol (RIP) 3-13; Static Route Example 3-15; Enabling Trend Micro Antivirus Enforcement 3-15. Chapter 4, Firewall Protection and Content Filtering: Using Rules to Block or Allow Specific Kinds of Traffic 4-1; Services-Based Rules 4-2; Outbound Rules (Service Blocking) 4-2; Inbound Rules (Port Forwarding) 4-4; Order of Precedence for Rules 4-7; Setting LAN WAN Rules 4-7; LAN WAN Outbound Services Rules 4-9; LAN WAN Inbound Services Rules 4-10; Setting DMZ WAN Rules 4-10; Setting LAN DMZ Rules 4-12; LAN DMZ Outbound Services
219. se Users must be added through the User Database screen (see User Database Configuration on page 5-34). RADIUS CHAP or RADIUS PAP, depending on the authentication mode accepted by the RADIUS server, to add a RADIUS server. If RADIUS PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see RADIUS Client Configuration on page 5-35). IPSec Host: if you want to be authenticated by the remote gateway. In the adjacent Username and Password fields, type in the information (user name and password) associated with the IKE policy for authenticating this gateway by the remote gateway. 5. Click Apply to save your settings. [Figure: Edit IKE Policy screen ("Operation succeeded"). Fields: Do you want to use Mode Config Record? (Yes/No); Policy Name; Direction/Type; Select Mode Config Record (modeconfig, view selected); Exchange Mode; Select Local Gateway (WAN1/WAN2); Local Identifier Type (Local WAN IP) and Identifier; Remote Identifier Type (Remote WAN IP) and Identifier; IKE SA Parameters: Encryption Algorithm 3DES, Authentication Algorithm SHA-1.] Authenticati
220. set up the parameters for WAN2 ISP. Start by selecting the WAN2 ISP Settings tab. Next, click Auto Detect on the WAN2 ISP Settings screen and then confirm the connection by clicking the WAN Status link. 2. Set up the traffic meter for WAN2 ISP if desired. See Programming the Traffic Meter if Desired on page 2-7. Setting the Router's MAC Address: Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. The default is set to Use Default Address. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you must enter that address. Setting the router's MAC address is controlled through the Advanced options on the WAN1 ISP Settings and WAN2 ISP Settings screens (see Configuring the Advanced WAN Options (If Needed) on page 2-18). Manually Configuring Your Internet Connection: If you know your ISP connection type, you can bypass the Auto Detect feature and connect your router manually. Ensure that you have all of the relevant connection information, such as IP addresses, account information, type of ISP connection, etc., before you begin. Unless your ISP assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP (see Figure 2-1). Note: To enable a WAN port to respond to a Ping from the Internet, use the Rules menu
221. settings by clicking Edit in the Action column adjacent to the route. Routing Information Protocol (RIP): RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default. To configure RIP parameters: 1. Select Network Configuration from the main menu and Routing from the submenu. When the Routing screen displays, click RIP Configuration. The RIP Configuration screen will display. 2. From the RIP Direction pull-down menu, select the direction in which the router will send and receive RIP packets. The choices are: None: The router neither broadcasts its route table nor accepts any RIP packets from other routers. This effectively disables RIP. Both: The router broadcasts its routing table and also processes RIP information received from other routers. Out Only: The router broadcasts its routing table periodically but does not accept RIP information from other routers. In Only: The router accepts RIP information from other routers but does not broadcast its routing table.
222. ss pool, such as 192.168.1.101. [Figure 3-5: DMZ Setup screen (Network Configuration > DMZ Setup). Fields: Do you want to enable DMZ Port? (Yes/No); IP Address; Subnet Mask; Disable DHCP Server / Enable DHCP Server; Domain Name; Starting IP Address; Ending IP Address; WINS Server; Lease Time (Hours); Enable DNS Proxy.] 4. If desired, enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router's DMZ network. Then configure the following items: a. Starting IP Address: This box specifies the first of the contiguous addresses in the IP address pool. b. Ending IP Address: This box specifies the last of the contiguous addresses in the IP address pool. c. WINS Server: This box specifies the Windows Internet Naming Service Server IP. d. Lease Time: This box specifies the lease time to be given to the DHCP clients. e. Enable DNS Proxy: If enabled, the VPN firewall will act as a DNS proxy for address resolution. 5. Click Reset to cancel changes made on this screen and revert to the previous settings. 6. Click Apply to save your settings. The DMZ LED next to LAN port 8 (see Router Fro
223. sses available in secured network space so that remote users appear as seamless extensions of the network. In the following example, we configured the VPN firewall using ModeConfig and then configured a PC running ProSafe VPN Client software using these IP addresses: NETGEAR ProSafe VPN Firewall 200: WAN IP address 172.21.4.1, LAN IP address/subnet 192.168.2.1/255.255.255.0; NETGEAR ProSafe VPN Client software: IP address 192.168.1.2. Mode Config Operation: After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The Mode Config module will allocate an IP address from the configured IP address pool and will activate a temporary IPSec policy using the template security proposal information configured in the Mode Config record. Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly created Mode Config record as the Remote Host Configuration Record. The VPN Policies menu does not need to be edited. Configuring the VPN Firewall: Two menus must be configured: the Mode Config menu and the IKE Policies menu. To configure the Mode Config menu: 1. From the main menu, select VPN and then select Mode Config fr
224. st of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission. This software is provided "as is" with no express or implied warranties of correctness or fitness for purpose. OpenSSL: Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)". 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote product
225. sting Client 5-45; monitoring devices 6-20, by DHCP Client Requests 6-21, by Scanning the Network 6-21; MTU Size 2-19; Multi Home LAN IPs, about 3-4; multi home LAN IPs 3-4. N: NAS Identifier 5-36; NAT, definition of 2-10, features of 3, firewall use with 4; Network Access Server, see NAS; Network Address Translation, see NAT; Network Configuration 2-11; network configuration requirements C-3; Network Database, about 3-6, advantages of 3-6, fields 3-7; Network Database Group Names screen 3-9; network planning, Dual WAN Ports C; Network Time Protocol, see NTP; newsgroup 4-25; NTP 6-16, troubleshooting 7-7; NTP Servers, custom 6-17, default 6-16; NTP servers, setting 6-16. O: Outbound Rules, default definition 4-2, field descriptions 4-3, order of precedence 4-7, service blocking 4-2; outbound rules 4-2; Outbound Service Rule, modifying 4-8; Outbound Services, field descriptions 4-3; Outbound Services Rules, adding 4-9. P: package contents 1-5; passwords and login timeout, changing 6-8; passwords, restoring 7-7; performance management 6-1; Ping, responding to 2-5, troubleshooting TCP/IP 7-5; Ping On Internet Ports 4-14; Ping to an IP address, Auto Rollover 2-11; Ping to this IP address 2-72; planning, inbound traffic C-6, C-8, VPNs C-6; port filtering, service blocking 4-2; Port Forwardi
226. sword. [Figure 1-4: label on the bottom of the unit (NETGEAR ProSafe VPN Firewall FVX538 v2) showing the LAN IP Address, User Name and Password.] Default Log In Settings: To log in to the FVX538 once it is connected: 1. Open a Web browser. 2. Enter http://192.168.1.1 as the URL. [Figure 1-5: login screen with User Name admin and a masked Password field.] 3. Once the login screen displays (Figure 1-5), enter the following information: admin for User Name; password for Password. Chapter 2, Connecting the FVX538 to the Internet: Typically, six steps are required to complete the basic connection of your firewall. Setting up VPN tunnels is covered in Chapter 5, Virtual Private Networking. 1. Connect the firewall physically to your network. Connect the cables, turn on your router and wait for the Test LED to go out. Make sure your Ethernet and LAN LEDs are lit. See the Installation Guide, FVX538 ProSafe VPN Firewall 200, for complete steps. A PDF of the Installation Guide is on the NETGEAR website at http://kbserver.netgear.com. 2. Log in to t
227. sword of the firewall to a very secure password. The ideal password should contain no dictionary words from any language and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters. See Changing Passwords and Settings on page 6-8 for the procedure on how to do this. [Figure 6-2: Remote Management screen (Administration > Remote Management). Fields: Allow Remote Management (Everyone / IP address range / Only this PC), Port Number; Apply and Reset buttons; reminder "Be sure to change default password".] To configure your firewall for Remote Management: 1. Select Administration from the main menu and Remote Management from the submenu. The Remote Management screen will display. 2. Check the Allow Remote Management radio box. 3. Specify what external addresses will be allowed to access the firewall's remote management. Note: For enhanced security, restrict access to as few external IP addresses as practical. a. To allow access from any IP address on the Internet, select Everyone. b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to de
228. t Local Gateway (WAN1/WAN2), Remote Endpoint (IP Address or FQDN), Enable NetBIOS, Traffic Selection (Local IP Subnet and Remote IP Subnet, each with Start IP Address, End IP Address and Subnet Mask). Figure 5-5. Manual Policy Parameters: SPI Incoming (Hex, 3-8 chars), Encryption Algorithm, SPI Outgoing (Hex, 3-8 chars), Integrity Algorithm. You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen will display. Then view or edit the parameters of the Offsite policy by clicking Edit in the Action column adjacent to the policy. The Edit IKE Policy screen will display. Figure: IKE Policies screen ("Operation succeeded"), with columns Name, Mode, Local ID, Remote ID, Encr, Auth, DH, Action and rows: home, Aggressive, fvx_local.com, fvx_remote.com, 3DES, SHA-1, Group 2 (1024 bit), edit; Offsite, Main, 10.1.31.40, 10.1.1.150, 3DES, SHA-1, Group 2 (1024 bit), edit. Add New VPN Policy (Client Policy): Do you want to use Mode Config Record? (Yes/No); Policy Name: Offsite; Direction/Type: Both; Select Mode Config Record
229. t Schedule; LAN Users (Any, Start/Finish); WAN Users (Any, Start/Finish); QoS Priority (Normal Service); Log (Never). Figure 4-14. Adding Customized Services: Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request. The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC 1700, Assigned Numbers. Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application. Although the FVX538 already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 4-15. To define a new service, first you must det
230. t for the MAC address is XX:XX:XX:XX:XX:XX (numbers 0-9 and either uppercase or lowercase letters A-F). If you select Use This MAC Address and then type in a MAC address, your entry will be overwritten. Chapter 3, LAN Configuration: This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200. These features can be found by selecting Network Configuration from the primary menu and LAN Setup from the submenu of the browser interface. Using the Firewall as a DHCP Server: By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the firewall LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN. For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See the link to Preparing a Computer for Network Access in Appendix B, Related Documents, for an explanation of DHCP and information about how to assign IP addresses for your net
231. t is operating at 100 Mbps. Off: The LAN port is operating at 10 Mbps. Table 1-1. Object Descriptions (continued): Object, Activity, Description. 6. Console: DB9 male connector. Port for connecting to an optional console terminal. Default baud rate is 115.2K; pinouts: 2 = Tx, 3 = Rx, 5 and 7 = Gnd. 7. Factory Defaults: push button. Push in with a sharp object to reset to factory defaults; see Appendix A, Default Settings and Technical Specifications, for the factory defaults. Router Rear Panel: The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection. [Figure 1-2: rear panel, items 1 and 2.] Viewed from left to right, the rear panel contains the following elements: 1. AC power in; 2. On/Off switch. Rack Mounting Hardware: The FVX538 can be mounted either on a desktop using the included rubber feet or in a 19-inch rack using the included rack mounting hardware illustrated in Figure 1-3. [Figure 1-3: rack mounting hardware.] The Router's IP Address, Login Name and Password: Check the label on the bottom of the FVX538's enclosure if you forget the following factory default information: IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN; User name: admin; Password: pas
232. t the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Services-Based Rules on page 4-2). b. Destination Network: These settings determine which Internet locations are covered by the rule, based on their IP address. Select the desired option: Any: All Internet IP addresses are covered by this rule. Single address: Enter the required address in the start fields. Address range: If this option is selected, you must enter the start and finish fields. c. Source Network: These settings determine which computers on your network are affected by this rule. Select the desired options: Any: All PCs and devices on your LAN. Single address: Enter the required address and the rule will be applied to that particular PC. Address range: If this option is selected, you must enter the start and finish fields. Group 1 to Group 8: If this option is selected, the devices assigned to this group will be affected. You may also assign a customized name to the group (see Edit Group Names on the Groups and Hosts menu in the LAN Groups submenu). 3. Click Add in the Add column adjacent to the rule. The new Protocol Binding Rule will be enabled and added to the Protocol Binding Table for the WAN1 port. Select the WAN2 Protocol Bindings tab and repeat steps 1 through 9 to set protocol bindings for
233. tering: If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. By default, this feature is disabled; all traffic received from PCs with any MAC address is allowed. See Enabling Source MAC Filtering on page 4-27 for the procedure on how to use this feature. VPN Firewall Features That Increase Traffic: Features that tend to increase WAN-side loading are as follows: port forwarding; port triggering; DMZ port; exposed hosts; VPN tunnels. Port Forwarding: The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (i.e., the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic. Warning: This feature is for Advanced Administrators only. Incorrect configuration will cause serious problems. You can control specific inbound traffic (i.e., from WAN to LAN and from WAN to DMZ). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic.
234. that computer. For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page. For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page. For Macintosh computers, open the TCP/IP or Network control panel. Record all the settings for each section. You may also refer to the FVX538 Resource CD for the NETGEAR Router ISP Guide, which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below. Internet Connection Information Form: Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following: Login Name; Password; Service Name. Fixed or Static IP Address: If you have a static IP address, record the following inform
235. the VPN firewall (in this example, it is local_id.com). f. Select Gateway IP Address from the second pull-down menu and enter the WAN IP address of the VPN firewall (in this example, it is 172.21.4.1). [Figure 5-31: NETGEAR ProSafe VPN Client Security Policy Editor. My Connections > modecfg test; Connection Security: Secure, Only Connect Manually; Remote Party Identity and Addressing: ID Type IP Subnet, Subnet 192.168.2.1, Mask 255.255.255.0, Protocol All; Connect using Secure Gateway Tunnel; ID Type Domain Name, local_id.com; Gateway IP Address 172.21.4.1.] 2. From the left side of the menu, click My Identity and enter the following information: a. Click Pre-Shared Key and enter the key you configured in the FVX538 IKE menu. b. From the Select Certificate pull-down menu, select None. c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created (for example, salesperson11.remote_id.com). d. Under the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0. Note: If no box is displayed
236. their IP address. A computer is identified by its MAC address, not its IP address. Hence, changing a computer's IP address does not affect any restrictions applied to that PC. This Known PCs and Devices table lists entries in the Network Database. For each computer or device, the following fields are displayed: Name: The name of the PC or device. For computers that do not support the NetBIOS protocol, this will be listed as Unknown (you can edit the entry manually to add a meaningful name). If the computer was assigned an IP address by the DHCP server, then the Name will be appended by an asterisk. IP Address: The current IP address of the computer. For DHCP clients of the router, this IP address will not change. If a computer is assigned a static IP address, you will need to update this entry manually if the IP address on the computer has been changed. MAC Address: The MAC address of the PC's network interface. Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to Group 1, unless a different group is selected from the Group pull-down menu. Action: Allows modification of the selected entry by clicking Edit. To add computers to the network database manually: 1. Select Network Configuration from the main menu and LAN Groups from the submenu. The Groups and Hosts screen will display. 2. In the Add Known PCs and Devices table, enter the name of the PC or device. 3. From the IP Address
237. to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS Identifier information to the RADIUS Server. Depending on the configuration of the RADIUS Server, the router's IP address may be sufficient as an identifier, or the Server may require a name, which you would enter here. This name would also be configured on the RADIUS Server, although in some cases it should be left blank on the RADIUS Server. 6. Enable a Backup RADIUS Server, if required, by following steps 2 through 5. 7. Set the Time Out Period, in seconds, that the router should wait for a response from the RADIUS server. 8. Set the Maximum Retry Count. This is the number of tries the router will make to the RADIUS server before giving up. 9. Click Reset to cancel any changes and revert to the previous settings. 10. Click Apply to save the settings. Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens. Manually Assigning IP Addresses to Remote Users (ModeConfig): To simplify the process of connecting remote VPN clients to the FVX538, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask and name server addresses from the router. Remote users are given IP addre
238. to the Website of the CA. 2. Start the Self Certificate request procedure. 3. When prompted for the requested data, copy the data from your saved data file (including "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST"). 4. Submit the CA form. If no problems ensue, the Certificate will be issued. Uploading a Trusted Certificate: After obtaining a new Certificate from the CA, you must upload the certificate to this device and add it to your Trusted Certificates. To upload your new certificate: 1. From the main menu under VPN, select Certificates. The Certificates screen will display. Scroll down to the Self Certificate Requests section. 2. Click Browse and locate the certificate file on your PC. Select the file name in the File to upload field and click Upload. The certificate file will be uploaded to this device. 3. Scroll back to the Active Self Certificates table. The new Certificate will appear in the Active Self Certificates list. Certificates are updated by their issuing CA authority on a regular basis. You should track all of your CAs to ensure that you have the latest version and/or that your certificate has not been revoked. To track your CAs, you must upload the Certificate Identity for each CA to the CRL. Managing your Certificate Revocation List (CRL): CRL (Certificate Revocation List) files show Certificates which are active and certificates which have been revoked and are no longer vali
239. traffic from either going out from the LAN to the DMZ (Outbound) or coming in from the DMZ to the LAN (Inbound). To access the LAN DMZ Rules screen: 1. Select Security on the main menu, then select Firewall Rules and click the LAN DMZ Rules tab. The LAN DMZ Rules screen will display, showing both the Outbound Services and Inbound Services tables. [Figure 4-6: LAN DMZ Rules screen (Security > Firewall Rules > LAN DMZ Rules tab, alongside the LAN WAN Rules, DMZ WAN Rules and Attack Checks tabs). Outbound Services table columns: Service Name, Filter, LAN Users, DMZ Users, Log, Action; Inbound Services table columns: Service Name, Filter, DMZ Users, LAN Users, Log, Action; buttons: select all, delete, enable, disable, add.] To make changes to an existing outbound or inbound LAN DMZ service rule: 1. In the Action column adjacent to the rule, click: Edit to make any changes to the rule definition. The Outbound Service screen will display, containing the data for the selected rule (see Outbound Rules (Service Blocking) on page 4-2). Up to move the rule up one position in the table rank. Down to move the rule down one position in the table rank. 2. Check the radio box adjacent to the rule and: Click Disable to disable the rule. The Status ic
240. unique VPN policy for each user, it is more convenient for the VPN gateway router to authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user, and a local User Database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network. XAUTH is enabled when adding or editing an IKE Policy. Two types of XAUTH are available: Edge Device: If this is selected, the router is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS PAP or RADIUS CHAP. IPSec Host: If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway. Note: If a RADIUS PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the router will then connect to a RADIUS server. Configuring XAUTH for VPN Clients: Once the XAUTH has be
241. uration for all computers connected to the router's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, check the Disable DHCP Server radio button. Enable DHCP Server is the default. If Enabled is selected, enter the following parameters: a. Enter the Domain Name of the router (this is optional). b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address. c. Enter the Ending IP Address. This address specifies the last of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between the Starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address. Note: The Starting and Ending DHCP addresses should be in the same network as the LAN TCP/IP address of the router (the IP Address in the LAN TCP/IP Setup section). d. Enter a WINS Server IP address. This box can specify the Windows NetBIOS Server IP if one is present in your network. This field is optional. e. Enter a Lease Time. This specifies the duration for which IP addresses will be leased to clients. f. Check the Enable DNS Proxy radio box. This is optional; the default is enabled. If enabled, the
242. us increasing its loading. The exception is traffic that is bound by protocol to the WAN port that failed; this protocol-bound traffic is not diverted.

VPN Firewall Features That Reduce Traffic

Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows:
• Service blocking
• Block sites
• Source MAC filtering

Service Blocking

You can control specific outbound traffic (for example, from LAN to WAN and from DMZ to WAN). Outbound Services lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic.

Warning: This feature is for Advanced Administrators only. Incorrect configuration will cause serious problems.

Each rule lets you specify the desired action for the connections covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block

As you define your firewall rules, you can further refine their application according to the following criteria:
• LAN Users. These settings determine which computers on your network are affected by this rule. Select the desired option:
  Any: All PCs and devices on your LAN.
  Single address: The rule will be applied to the address of a particular PC.
  Address range: The rule is applied to a range of addresses.
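The four rule actions and the LAN Users criterion above can be modelled to check what an outbound rule set actually does at a given time before it is applied. This is an added example, not NETGEAR's code; the schedule shape, the first-match ordering and the sample rule set are assumptions, and the only page-stated behaviour is that the default rule allows all outgoing traffic.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address, ip_address
from typing import Optional, Sequence, Tuple
# The four rule actions offered on the Outbound Services screen.
BLOCK_ALWAYS, ALLOW_ALWAYS = "BLOCK always", "ALLOW always"
BLOCK_BY_SCHEDULE = "BLOCK by schedule, otherwise Allow"
ALLOW_BY_SCHEDULE = "ALLOW by schedule, otherwise Block"

@dataclass(frozen=True)
class Schedule:
    # Assumed shape: active on the listed weekdays (0 = Monday), start <= t < end.
    days: frozenset
    start: time
    end: time

    def active(self, at: datetime) -> bool:
        return at.weekday() in self.days and self.start <= at.time() < self.end

@dataclass(frozen=True)
class Rule:
    action: str
    service: str                  # "ANY" or a service name such as "HTTP"
    lan_users: Tuple[str, ...]    # ("any",), ("single", ip) or ("range", lo, hi)
    schedule: Optional[Schedule] = None

    def matches(self, src: IPv4Address, service: str) -> bool:
        # LAN Users criterion (Any / Single address / Address range) plus service.
        if self.service not in ("ANY", service):
            return False
        kind = self.lan_users[0]
        if kind == "any":
            return True
        if kind == "single":
            return src == ip_address(self.lan_users[1])
        lo, hi = ip_address(self.lan_users[1]), ip_address(self.lan_users[2])
        return lo <= src <= hi

    def decide(self, at: datetime) -> str:
        # Resolve a scheduled action to a concrete ALLOW or BLOCK at time 'at'.
        if self.action in (BLOCK_ALWAYS, ALLOW_ALWAYS):
            return self.action.split()[0]
        in_window = self.schedule is not None and self.schedule.active(at)
        if self.action == BLOCK_BY_SCHEDULE:
            return "BLOCK" if in_window else "ALLOW"
        return "ALLOW" if in_window else "BLOCK"   # ALLOW by schedule

def evaluate(rules: Sequence[Rule], src_ip: str, service: str, at: datetime) -> str:
    # First matching rule wins (assumed ordering); with no match the default
    # outbound rule applies, which allows all outgoing traffic.
    src = ip_address(src_ip)
    for rule in rules:
        if rule.matches(src, service):
            return rule.decide(at)
    return "ALLOW"

# Constructed rule set: no SMTP from the DHCP pool, HTTP only in business hours.
BUSINESS_HOURS = Schedule(frozenset(range(5)), time(9, 0), time(17, 0))
RULES = [Rule(BLOCK_ALWAYS, "SMTP", ("range", "192.168.1.2", "192.168.1.100")),
         Rule(ALLOW_BY_SCHEDULE, "HTTP", ("any",), BUSINESS_HOURS)]
```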
243. ve reached the monthly limit but need to continue accessing the Internet. Check the checkbox and enter the desired increase. The checkbox will automatically be cleared when saved, so the increase is only applied once.

This month's limit: Displays the limit for the current month.

Restart traffic counter:

Restart Counter at a Specific Time: Determines when the traffic counter restarts. Check this radio button to restart the Traffic Counter at a specific time and day of the month, then fill in the time fields and select AM or PM and the day of the month from the pull-down menus.

Send E-mail Report before restarting counter: If checked, an E-mail report will be sent immediately before restarting the counter. You must configure the E-mail screen in order for this function to work (see E-Mail Notifications of Event Logs and Alerts on page 4-31).

When limit is reached: Select the desired option.
• Block all traffic: All access to and from the Internet will be blocked.
• Block all traffic except E-mail: Only E-mail traffic will be allowed. All other traffic will be blocked.
• If using either option, you may also select the Send E-mail alert option. You must configure the E-mail screen in order for this function to work.

Internet Traffic Statistics

Traffic by Protocol: Displays statistics on Internet traffic via the WAN port. If you have not enabl
244. vents will increase the size of the log, so it is good practice to select only those events which are required.

[Figure 4-21: Firewall Logs & E-mail screen. Log Options: send schedule (Never / Day / Time), Log Identifier. Security Logs: Accepted Packets and Dropped Packets per direction (LAN to WAN, LAN to DMZ, DMZ to WAN, WAN to LAN, DMZ to LAN, WAN to DMZ). System Logs: Change of time by NTP, Login attempts, Secure Login attempts, Reboots, Inbound WAN Packets Dropped, Inbound LAN Packets Dropped. Enable E-Mail Logs: E-Mail Server Address, Return E-Mail Address, Send to E-Mail Address, Authentication (No / Login Plain / CRAM-MD5), User Name, Password, Respond to Identd from SMTP Server. Enable SysLogs: SysLog Server, SysLog Facility.]

To set up Firewall Logs and E-mail alerts:

1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display.

2. Enter the name of the log in the Log Identifier field. Log Identifier is a mandatory field used to identify the log messages; the ID is appended to log messages.
245. vided to help you diagnose and solve the problem.

Basic Functions

After you turn on power to the firewall, the following sequence of events should occur:

1. When power is first applied, verify that the PWR LED is on.

2. After approximately 2 minutes, verify that:
   a. The TEST LED is not lit.
   b. The LAN port LEDs are lit for any local ports that are connected.
   c. The Internet port LED is lit.

If a port's LED is lit, a link has been established to the connected device. If a LAN port is connected to a 100 Mbps device, verify that the port's LED is green. If the port is 10 Mbps, the LED will be amber.

If any of these conditions does not occur, refer to the appropriate following section.

Power LED Not On

If the Power and other LEDs are off when your firewall is turned on:
• Make sure that the power cord is properly connected to your firewall and that the power supply adapter is properly connected to a functioning power outlet.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.

If the error persists, you have a hardware problem and should contact technical support.

LEDs Never Turn Off

When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power-up:
• C
246. way WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully qualified domain name must be used. If the IP address is fixed, a fully qualified domain name is optional.

VPN Telecommuter (Dual Gateway WAN Ports for Improved Reliability)

In the case of the dual WAN ports on the gateway VPN firewall (Figure C-18), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.

[Figure C-18: Telecommuter Example, Dual WAN Ports Before Rollover. Gateway A (VPN Router at employer's main office): WAN1 port active, WAN1 IP bzrouter1.dyndns.org; WAN2 port inactive, WAN2 IP N/A; LAN 10.5.6.0/24, LAN IP 10.5.6.1. Client B: NAT Router at telecommuter's home office, WAN IP 0.0.0.0, Remote PC running NETGEAR ProSafe VPN Client. Fully Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses.]

The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance). After a rollover of the gateway WAN
247. work. If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the Enable DHCP Server radio box by selecting the Disable DHCP Server radio box. Otherwise, leave it checked.

Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the firewall's LAN IP address. Using the default addressing scheme, you should define a range between 192.168.1.2 and 192.168.1.100, although you may wish to save part of the range for devices with fixed addresses.

The firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined
• Subnet Mask
• Gateway IP Address (the firewall's LAN IP address)
• Primary DNS Server (the firewall's LAN IP address)
• WINS Server (if you entered a WINS server address in the DHCP Setup menu)
• Lease Time (date obtained and duration of lease)

Configuring the LAN Setup Options

The LAN IP Setup menu allows configuration of LAN IP services such as DHCP, and allows you to configure a secondary or multi-home LAN IP setup in the LAN. The default values are suitable for most users and situations. These are advanced settings, most usually configured by a network
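The same-subnet rule for the DHCP pool (stated both in the DHCP Setup note above and in the step list for the Starting and Ending IP Address fields) is easy to get wrong when the LAN address is changed from its default. The checker below is an added example, not part of the manual or the device firmware; only the same-subnet rule and the default values come from the page, and the remaining checks (excluding the firewall's own address, network and broadcast addresses, and fixed-address devices from the pool) are assumed good practice.

```python
from ipaddress import IPv4Address, IPv4Interface
from typing import Iterable, List

# Defaults from the LAN TCP/IP Setup and DHCP Setup screens.
DEFAULT_LAN = "192.168.1.1/24"
DEFAULT_POOL = ("192.168.1.2", "192.168.1.100")

def check_dhcp_pool(lan_ip_cidr: str, start: str, end: str,
                    fixed: Iterable[str] = ()) -> List[str]:
    """Return the problems found with a DHCP pool (empty list = pool is sane).
    The same-subnet rule is the manual's own Note; the remaining checks are
    assumed good practice for this configuration, not enforced by the device."""
    lan = IPv4Interface(lan_ip_cidr)
    net = lan.network
    lo, hi = IPv4Address(start), IPv4Address(end)
    problems = []
    if lo > hi:
        problems.append(f"Starting IP {lo} is above Ending IP {hi}")
    for label, addr in (("Starting IP", lo), ("Ending IP", hi)):
        if addr not in net:
            problems.append(f"{label} {addr} is not in the LAN subnet {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
    if lo <= lan.ip <= hi:
        problems.append(f"pool includes the firewall's own LAN IP {lan.ip}")
    # Devices with fixed addresses must be kept outside the leased range.
    for f in map(IPv4Address, fixed):
        if lo <= f <= hi:
            problems.append(f"fixed address {f} lies inside the pool")
    return problems

def pool_size(start: str, end: str) -> int:
    """Number of leasable addresses between Starting IP and Ending IP inclusive."""
    return int(IPv4Address(end)) - int(IPv4Address(start)) + 1
```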
248. To test the connection:

1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear, in this case My Connections modecfg_test.

2. Click on the connection. Within 30 seconds the message "Successfully connected to MyConnections modecfg_test" will display, and the VPN client icon in the toolbar will read Opn.

3. From the client PC, ping a computer on the VPN firewall LAN.

Chapter 6: Router and Network Management

This chapter describes how to use the network management features of your ProSafe VPN Firewall 200. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface.

The ProSafe VPN Firewall 200 offers many tools for managing the network traffic to optimize its performance. You can also control administrator access, be alerted to important events requiring prompt action, monitor the firewall status, perform diagnostics, and manage the firewall configuration file.

Performance Management

Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through when there is a bottleneck, and either reducing unne
249. y among the WAN interfaces that are functional.

Note: Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications, so that the traffic goes out on a specific WAN interface. This is done with the protocol binding rules of that WAN interface; the rule should match the desired traffic.

For both alternatives, you must also set up Network Address Translation (NAT).

NAT

NAT is the technology which allows all PCs on your LAN to share a single Internet IP address. From the Internet, there is only a single device (the Router) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet. The Router uses NAT to select the correct PC on your LAN to receive any incoming data. If you only have a single Internet IP address, you MUST use NAT. NAT is the default setting.

Classical Routing

In this mode, the Router performs Routing but without NAT. To gain Internet access, each PC on your LAN must have a valid Internet IP address. If your ISP has allocated many IP addresses to you and you have assigned one of these addresses to each PC, you can choose Classical Routing. Or you can use Classical Routing for routing private IP addresses within a campus environment. Otherwise, selecting this m
250. y clicking send log.

3. Click refresh log to retrieve the latest update, and click clear log to delete all entries.

Log entries are described in Table 4-4.

[Figure 4-22: Monitoring > Firewall Logs & E-mail log view, with refresh log, clear log and send log buttons]

Table 4-4. Firewall Log Field Descriptions

Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken, if any.
Source IP: The IP address of the initiating device for this log entry.
Source port and interface: The service port number of the initiating device and whether it originated from the LAN, WAN, or DMZ.
Destination: The name or IP address of the destination device or Web site.
Destination port and interface: The service port number of the destination device and whether it is on the LAN, WAN, or DMZ.

Administrator Tips

Consider the following operational items:

1. As an option, you can enable remote management if you have to manage distant sites from a central location (see Enabling Remote Management Access on page 6-10).

2. Although rules (see Using Rules to Block or Al
251. y one port, then the Start Port and the Finish Port will be the same. Enter the last port of the range that the service uses. If the service only uses a single port number, enter the same number in both fields. Click Add. The new custom service will be added to the Custom Services Table.

To edit the parameters of a service:

1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display.

2. Modify the parameters you wish to change.

3. Click Reset to cancel the changes and restore the previous settings.

4. Click Apply to confirm your changes. The modified service will display in the Custom Services Table.

Setting Quality of Service (QoS) Priorities

The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The user can change this priority:
• On the Services screen, in the Custom Services Table for customized services (see Figure 4-15)
• On the Add LAN WAN Outbound Services screen (see Figure 4-3)
• On the Add DMZ WAN Outbound Services screen (see Figure 4-5)

The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall. A priority is assigned to IP packets
252. ycle the power to see if the firewall recovers.
• Clear the firewall's configuration to factory defaults. This will set the firewall's IP address to 192.168.1.1. This procedure is explained in Restoring the Default Configuration and Password on page 7-7.

If the error persists, you might have a hardware problem and should contact technical support.

LAN or Internet Port LEDs Not On

If either the LAN LEDs or the Internet LED do not light when the Ethernet connection is made, check the following:
• Make sure that the Ethernet cable connections are secure at the firewall and at the hub or workstation.
• Make sure that power is turned on to the connected hub or workstation.
• Be sure you are using the correct cable. When connecting the firewall's Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.

Troubleshooting the Web Configuration Interface

If you are unable to access the firewall's Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the firewall, as described in the previous section.
• Make sure your PC's IP address is on the same subnet as the firewall. If you are using the recommended addressing schem
253. ynamic, but a fully qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance). After a rollover of the gateway WAN port (Figure C-11), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example), and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder.

[Figure C-11: Road Warrior Example, Dual WAN Ports After Rollover. Gateway A (VPN Router at employer's main office): WAN1 port inactive, WAN1 IP N/A; WAN2 port active, WAN2 IP bzrouter.dyndns.org; LAN 10.5.6.0/24, LAN IP 10.5.6.1. Client B: Remote PC running NETGEAR ProSafe VPN Client, WAN IP 0.0.0.0. Fully Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses. The Remote PC must re-establish the VPN tunnel after a rollover.]

The purpose of the fully qualified domain name in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.

VPN Road Warrior (Dual Gateway WAN Ports for Load Balancing)

In the case of the dual WAN ports on the gateway VPN firewall (Figure C-12), the remote PC initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2, as necessa