ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 202-10257-05 v1.
© 2007–2010 by NETGEAR, Inc. All rights reserved. Technical Support Please refer to the support information card that shipped with your product. By registering your product at http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product and software upgrades. NETGEAR, INC. Support Information Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card. E-mail: support@netgear.
Manufacturer's/Importer's Declaration. It is hereby confirmed that the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN is suppressed against radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The lawful operation of some devices (for example, test transmitters) may nevertheless be subject to certain restrictions. Please read the notes in the operating manual.
OpenSSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer. 2.
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
Contents
About This Manual
• Conventions, Formats, and Scope ... xv
• How to Print This Manual ... xvi
• Revision History ...
• Configuring the WAN Mode (Required for Dual WAN) ... 2-11
• Network Address Translation ... 2-12
• Classical Routing ... 2-12
• Configuring Auto-Rollover Mode ...
• Configuring Session Limits ... 4-17
• Managing the Application Level Gateway for SIP Sessions ... 4-18
• Creating Services, QoS Profiles, and Bandwidth Profiles ... 4-19
• Adding Customized Services ...
• Configuring Dead Peer Detection ... 5-33
• Configuring NetBIOS Bridging with VPN ... 5-34
Chapter 6 Virtual Private Networking Using SSL
• Understanding the Portal Options ... 6-1
• Planning for SSL VPN ...
Chapter 8 VPN Firewall and Network Management
• Performance Management ... 8-1
• Bandwidth Capacity ... 8-1
• Features That Reduce Traffic ...
• Troubleshooting the ISP Connection ... 10-4
• Troubleshooting a TCP/IP Network Using a Ping Utility ... 10-5
• Testing the LAN Path to Your VPN Firewall ... 10-5
• Testing the Path from Your PC to a Remote Device ...
Appendix D Related Documents
Index
About This Manual The NETGEAR® ProSafe™ Dual WAN Gigabit Firewall with SSL & IPsec VPN Reference Manual describes how to install, configure and troubleshoot a ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. The information in this manual is intended for readers with intermediate computer and networking skills. Conventions, Formats, and Scope The conventions, formats, and scope of this manual are described in the following paragraphs: • Typographical Conventions.
• Scope. This manual is written for the VPN firewall according to these specifications: Product Version ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN Manual Publication Date January 2010 For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix D, “Related Documents.” Note: Product updates are available on the NETGEAR, Inc. website at http://kb.
202-10257-04 1.3 March 2009 Added these corrections and topics for the March 2009 firmware maintenance release: • WiKID two-factor authentication • SIP ALG support • DHCP Relay support • Updated VPN configuration procedure topics • Updated the Certificate management topic • Corrected the firewall scheduling topic 202-10257-05 1.
202-10257-05 (continued) 1.0 January 2010 (continued) • Updated the “Attack Checks” section and screen (Figure 4-8) to show that you can specify an IP address that is allowed to respond to a ping. • Added the “Managing the Application Level Gateway for SIP Sessions” section. • Updated the “Creating Bandwidth Profiles” section, including Figure 4-13 and Figure 4-14.
Chapter 1 Introduction The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems or DSL modems. Dual wide area network (WAN) ports allow you to increase throughput to the Internet by using both ports together, or to maintain a backup connection in case of failure of your primary Internet connection.
• Easy, web-based setup for installation and management. • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. • Internal universal switching power supply. Dual WAN Ports for Increased Reliability or Outbound Load Balancing The FVS336G has two broadband WAN ports.
– Browser based, platform-independent, remote access through a number of popular browsers, such as Microsoft Internet Explorer or Apple Safari. – Provides granular access to corporate resources based upon user type or group membership. – Supports 10 concurrent SSL VPN sessions.
Extensive Protocol Support The FVS336G supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to “Internet Configuration Requirements” on page B-3. • IP Address Sharing by NAT.
• SNMP. The FVS336G supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB-II. • Diagnostic Functions. The FVS336G incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot. • Remote Management.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the FVS336G for repair.
Table 1-1. LED Descriptions (continued)
LINK/ACT (Link and Activity), WAN port:
• On (Green): The WAN port has detected a link with a connected Ethernet device.
• Blinking (Green): Data is being transmitted or received by the WAN port.
• Off: The WAN port has no link.
LAN port speed indication (the object name for these rows was not recovered from the original table):
• On (Green): The LAN port is operating at 1,000 Mbps.
• On (Amber): The LAN port is operating at 100 Mbps.
• Off: The LAN port is operating at 10 Mbps.
• AC power receptacle: Universal AC input (100-240 VAC, 50-60 Hz). • On/off power switch.
Chapter 2 Connecting the FVS336G to the Internet The initial Internet configuration of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G, hereafter referred to as the VPN firewall, is described in this chapter.
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on page 2-16. 6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed.
5. Click Login. The Web Configuration Manager appears, displaying the Router Status screen: Figure 2-2
Navigating the Menus The Web Configuration Manager menus are organized in a layered structure of main categories and submenus: • Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar. • Submenu.
Automatically Detecting and Connecting To automatically configure the WAN ports for connection to the Internet: Figure 2-3 1. Select Network Configuration > WAN Settings from the menu. The WAN Settings tabs appear, with the WAN1 ISP Settings screen in view. 2. Click Auto Detect at the bottom of the menu. Auto Detect will probe the WAN port for a range of connection methods and suggest one that your ISP appears to support.
Figure 2-4 a. If Auto Detect is successful, a status bar at the top of the screen will display the results. b. If Auto Detect senses a connection method that requires input from you, it will prompt you for the information. All methods with their required settings are detailed in the following table. Table 2-1. Internet connection methods • DHCP (Dynamic IP): No data is required.
Figure 2-5 The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, go to “Manually Configuring the Internet Connection” on page 2-7 following this section, or see “Troubleshooting the ISP Connection” on page 10-4. Note: If the configuration process was successful, you are connected to the Internet through WAN port 1.
To manually configure the WAN1 ISP settings: 1. Select Network Configuration > WAN Settings from the menu. The WAN Settings tabs appear, with the WAN1 ISP Settings screen in view. 2. In the ISP Login options, choose one of these options: Figure 2-6 • If your ISP requires an initial login to establish an Internet connection, click Yes (this is the default).
b. Configure the following fields: • Account Name. Valid account name for the PPPoE connection. • Domain Name. Name of your ISP’s domain or your domain name if your ISP has assigned one. In most cases, you may leave this field blank. • Idle Timeout. Select Keep Connected, to keep the connection always on.
7. Review the Internet (IP) Address options. Figure 2-8 8. If your ISP has not assigned a static IP address, click Get dynamically from ISP. The ISP will automatically assign an IP address to the VPN firewall using DHCP. The IP address and subnet mask fields are disabled. As an option, you can select the following checkboxes: • Client Identifier.
10. Review the Domain Name Server (DNS) server options. Figure 2-9 • If your ISP has not assigned any Domain Name Server (DNS) addresses, click Get dynamically from ISP. • If your ISP (or your IT department) has assigned DNS addresses, click Use these DNS Servers and enter the DNS server IP addresses provided to you in the fields. 11. Click Apply to save any changes to the WAN1 ISP Settings.
• Load Balancing Mode. The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. Note: Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic. • Single WAN Port Mode.
Configuring Auto-Rollover Mode To use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured. Then select the WAN port that will act as the primary link for this mode and configure the WAN Failure Detection Method to support Auto-Rollover.
2. In the Port Mode section, select Auto-Rollover Using WAN port. 3. From the pull-down menu, choose which WAN port will act as the primary link for this mode. 4. In the WAN Failure Detection Method section, select one of the following detection failure methods: • DNS lookup using ISP DNS Servers. DNS queries are sent to the DNS server configured on the WAN ISP screens (see “Configuring the Internet Connections” on page 2-4).
Protocol Binding Protocol binding addresses two issues: • Segregation of traffic between links that are not of the same speed. High volume traffic can be routed through the WAN port connected to a high speed link and low volume traffic can be routed through the WAN port connected to the low speed link. • Continuity of source IP address for secure connections. In load balancing mode, successive connections can leave through different WAN ports and therefore carry different public source addresses; a server that ties a session to the client’s source address (a secure web session, for example) then sees the session break. Binding that traffic to one WAN port keeps its source address constant.
• Single address. Enter the required address and the rule will be applied to that particular PC. • Address range. If this option is selected, you must enter the start and finish fields. • Group 1-Group 8. If this option is selected, the devices assigned to this group will be affected. (You may also assign a customized name to the group. See Edit Group Names on the Groups and Hosts screen in the LAN Groups submenu.) c.
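The WAN mode and protocol binding behavior described above, modeled as an added example. This is illustration code written for this page, not NETGEAR firmware or its management interface. It assumes a three-failure threshold before rollover, that a link is restored on the first successful probe, and that a binding whose WAN port is down falls back to the remaining live port; none of those details are stated in the manual. The service names, the 192.168.1.0/24 LAN, and the 203.0.113.5 destination are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import cycle
from typing import Dict, Optional, Sequence


def _addr_match(spec: str, addr: str) -> bool:
    """Match an address against "ANY", a single IP, or a CIDR block."""
    if spec == "ANY":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)


@dataclass
class BindingRule:
    """Protocol binding rule: pin matching flows to one WAN port."""
    service: str       # service name from the Services table, or "ANY"
    source: str        # LAN host, CIDR block or "ANY"
    destination: str   # remote host, CIDR block or "ANY"
    wan: str           # "WAN1" or "WAN2"

    def matches(self, service: str, src: str, dst: str) -> bool:
        return (self.service in ("ANY", service)
                and _addr_match(self.source, src)
                and _addr_match(self.destination, dst))


class DualWan:
    """Egress selection for the three port modes: single, rollover, balance."""

    def __init__(self, mode: str, primary: str = "WAN1",
                 bindings: Sequence[BindingRule] = (), retries: int = 3):
        self.mode = mode                  # "single", "rollover" or "balance"
        self.primary = primary
        self.secondary = "WAN2" if primary == "WAN1" else "WAN1"
        self.bindings = list(bindings)
        self.retries = retries            # failed probes in a row before rollover (assumed)
        self.up = {"WAN1": True, "WAN2": True}
        self.failures = {"WAN1": 0, "WAN2": 0}
        self._round_robin = cycle(["WAN1", "WAN2"])

    def probe(self, results: Dict[str, bool]) -> Dict[str, bool]:
        """Feed one round of WAN failure-detection results (True = the DNS
        lookup or ping succeeded).  A link is declared down after `retries`
        consecutive failures and restored on the first success; both the
        retry count and the restore rule are this example's assumptions."""
        for wan, ok in results.items():
            if ok:
                self.failures[wan] = 0
                self.up[wan] = True
            else:
                self.failures[wan] += 1
                if self.failures[wan] >= self.retries:
                    self.up[wan] = False
        return dict(self.up)

    def select(self, service: str, src: str, dst: str) -> Optional[str]:
        """Return the WAN port a new flow leaves on, or None if no link is up."""
        live = [w for w in ("WAN1", "WAN2") if self.up[w]]
        if not live:
            return None
        if self.mode == "single":
            return self.primary if self.up[self.primary] else None
        if self.mode == "rollover":
            return self.primary if self.up[self.primary] else self.secondary
        # Load balancing: a matching protocol binding wins, so the bound
        # traffic always keeps the same public source IP; everything else is
        # spread round-robin over the WAN ports that are currently up.
        for rule in self.bindings:
            if rule.matches(service, src, dst):
                return rule.wan if self.up[rule.wan] else live[0]
        while True:
            candidate = next(self._round_robin)
            if self.up[candidate]:
                return candidate
```

With the HTTPS binding in place, every HTTPS flow from the LAN leaves on WAN1 and the remote server always sees the same public source address, which is the continuity point made above; unbound HTTP flows alternate between the two ports. In rollover mode the primary is kept until the failure-detection probe has failed three times in a row.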
You may need to use a fully qualified domain name (FQDN): • For auto-rollover mode, you will need a FQDN to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address. • For load balancing mode, you may still need a FQDN either for convenience or if you have a dynamic IP address. Note: If your ISP assigns a private WAN IP address such as 192.168.x.
The Current WAN Mode section reports the currently configured WAN mode. (For example, Single Port WAN1, Load Balancing or Auto Rollover.) Only those options that match the configured WAN Mode will be accessible. 2. Select the tab for the DDNS service provider you will use. 3. Click the information or registration link in the upper right corner for registration information. Figure 2-13: 4.
Figure 2-14 3. Edit the default information you want to change. a. MTU Size. The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs, you may need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection. b. Port Speed.
Additional WAN Related Configuration • If you want the ability to manage the VPN firewall remotely, enable remote management at this time (see “Enabling Remote Management Access” on page 8-10). If you enable remote management, we strongly recommend that you change your password (see “Changing Passwords and Administrator Settings” on page 8-8). • At this point, you can set up the traffic meter for each WAN.
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G.
The VPN firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP address from the range you have defined. • Subnet mask. • Gateway IP address (the VPN firewall’s LAN IP address). • Primary DNS server (the VPN firewall’s LAN IP address). • WINS server (if you entered a WINS server address on the DHCP section of the LAN Setup screen). • Lease time (date obtained and duration of lease).
Note: If you enable the DHCP Relay feature, you will not use the VPN firewall as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network. 1. Go to Network Configuration > LAN Setup to display the LAN Setup screen. Figure 3-1 2. In the LAN TCP/IP Setup section, configure the following settings: • IP Address. The LAN address of your VPN firewall (factory default: 192.168.1.1).
Note: If you change the LAN IP address of the VPN firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to reconnect to the Web Configuration Manager. • IP Subnet Mask.
• WINS Server. (Optional) Specifies the IP address of a local Windows NetBIOS Server if one is present in your network. • Lease Time. This specifies the duration for which IP addresses will be leased to clients.
Managing Groups and Hosts (LAN Groups) The Known PCs and Devices table on the LAN Groups screen contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall, or have been discovered by other means. Collectively, these entries make up the LAN Groups Database. The LAN Groups Database is updated by these methods: • DHCP Client Requests.
• A computer is identified by its MAC address—not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC. Because a MAC address is set by the client and can be changed by its user, treat group-based restrictions as an administrative convenience rather than as a strong identity control. Viewing the LAN Groups Database To view the LAN Groups Database, follow these steps: 1. Select Network Configuration > LAN Settings from the menu. The LAN Setup screen is displayed. 2. Click the LAN Groups tab. The LAN Groups screen is displayed.
Adding Devices to the LAN Groups Database To add devices manually to the LAN Groups Database, follow these steps: 1. In the Add Known PCs and Devices section, make the following entries: • Name. Enter the name of the PC or device. • IP Address Type. From the pull-down menu, choose how this device receives its IP address. The choices are: – Fixed (Set on PC). The IP address is statically assigned on the computer.
To edit the names of any of the eight available groups: 1. From the LAN Groups tab, click the Edit Group Names link to the right of the tabs. The Network Database Group Names screen appears. Figure 3-3 2. Select the radio button next to any group name to make that name active for editing. 3. Type a new name in the field. 4. Select and edit other group names if desired. 5. Click Apply to save your settings.
Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the VPN firewall. This allows the VPN firewall to act as a gateway to additional logical subnets on your LAN.
3. Click Add. The new Secondary LAN IP address will appear in the Available Secondary LAN IPs table. Note: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses.
2. Click Add. The Add Static Route screen is displayed. Figure 3-6 3. Enter a route name for this static route in the Route Name field (for identification and management). 4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address to the host or network to which the route leads. 7.
Configuring Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default. To configure RIP parameters: 1.
• Both. The VPN firewall broadcasts its routing table and also processes RIP information received from other routers. • Out Only. The VPN firewall broadcasts its routing table periodically but does not accept RIP information from other routers. • In Only. The VPN firewall accepts RIP information from other routers, but does not broadcast its routing table. Accepting RIP updates (Both or In Only) lets routers on the LAN change the VPN firewall’s routing table through the advertisements they send, so enable it only on a LAN segment whose routers you control; Out Only, or leaving RIP disabled, avoids this exposure. 4.
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G to protect your network.
A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions.
About Services-Based Rules The rules to block traffic are based on the traffic’s category of service. • Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it. • Inbound Rules (port forwarding). Inbound traffic is normally blocked by the VPN firewall unless the traffic is in response to a request from the LAN side.
Table 4-1. Outbound Rules (continued) Item Description Select Schedule Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule. • This pull-down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
Note: See “Configuring Source MAC Filtering” on page 4-28 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the VPN firewall. Inbound Rules (Port Forwarding) When the VPN firewall uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers.
Table 4-2. Inbound Rules Item Description Service Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the table, you must define it using the Services screen (see “Adding Customized Services” on page 4-19).
Table 4-2. Inbound Rules (continued) Item Description Log Specifies whether packets covered by this rule are logged. Select the desired action: • Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules. • Never – Never log traffic considered by this rule, whether it matches or not.
Viewing the Rules To view the firewall rules: Select Security > Firewall from the menu. The LAN WAN Rules screen is displayed (Figure 4-1 shows some examples). Figure 4-1 Order of Precedence for Rules As you define new rules, they are added to the tables in the LAN WAN Rules screen as the last item in the table, as shown in Figure 4-1.
To change the default outbound policy, follow these steps: 1. Go to the LAN WAN Rules screen, shown in Figure 4-1 on page 4-8. 2. Change the Default Outbound Policy by selecting Block Always from the pull-down menu. 3. Click Apply. With the default set to Block Always, only traffic matched by an explicit outbound Allow rule leaves the LAN; add the Allow rules for the services you need before applying the change, or LAN users lose Internet access.
2. Configure the parameters based on the descriptions in Table 4-1 on page 4-3. 3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table. Creating a LAN WAN Inbound Services Rule This Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed.
Modifying Rules To make changes to an existing outbound or inbound service rule on the LAN WAN Rules screen, in the Action column to the right of the rule, click one of the following table buttons: • edit. Allows you to make any changes to the rule definition of an existing rule.
Figure 4-4 LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-5, CU-SeeMe connections are allowed to a local host only from a specified range of external IP addresses.
LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses will be used as the primary IP address of the VPN firewall. This address will be used to provide Internet access to your LAN PCs through NAT.
To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear. LAN WAN Inbound Rule: Specifying an Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. Because the exposed host receives every inbound connection that no other rule claims, treat it as directly Internet-facing and prefer specific port-forwarding rules whenever the needed services are known. To expose one of the PCs on your LAN as this host: 1. Create an inbound rule that allows all protocols. 2.
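An added example (not NETGEAR code) that models the rule evaluation described in this chapter, covering the order-of-precedence and default-policy discussion as well as the one-to-one NAT and exposed-host examples: the first match in table order wins, outbound traffic that matches no rule falls through to the Default Outbound Policy, inbound traffic is blocked unless an Allow rule sends it to a LAN server, and the exposed-host rule catches only what the rules above it leave. The public address 10.1.0.5 and the CU-SeeMe service come from the manual's examples; the LAN server addresses, the 198.51.100.0/24 branch-office range and the rule fields are this example's assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _addr_match(spec: str, addr: str) -> bool:
    """Match an address against "ANY", a single IP, or a CIDR block."""
    if spec == "ANY":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return ip_address(addr) == ip_address(spec)


@dataclass
class Rule:
    service: str                    # name from the Services table, or "ANY"
    action: str                     # "ALLOW" or "BLOCK" (schedules left out)
    source: str = "ANY"             # LAN users (outbound) / WAN users (inbound)
    destination: str = "ANY"        # WAN host (outbound) / WAN destination IP (inbound)
    send_to: Optional[str] = None   # inbound only: LAN server that receives the traffic
    log: bool = False

    def matches(self, service: str, src: str, dst: str) -> bool:
        return (self.service in ("ANY", service)
                and _addr_match(self.source, src)
                and _addr_match(self.destination, dst))


class Firewall:
    """Rule tables are evaluated top to bottom; the first match decides."""

    def __init__(self, default_outbound: str = "ALLOW"):
        self.default_outbound = default_outbound   # "ALLOW" or "BLOCK" (Block Always)
        self.outbound_rules: List[Rule] = []
        self.inbound_rules: List[Rule] = []
        self.log: List[str] = []

    def add_outbound(self, rule: Rule) -> None:
        self.outbound_rules.append(rule)           # a new rule lands last in the table

    def add_inbound(self, rule: Rule) -> None:
        self.inbound_rules.append(rule)

    def _first_match(self, rules: List[Rule], service: str, src: str, dst: str) -> Optional[Rule]:
        for rule in rules:
            if rule.matches(service, src, dst):
                if rule.log:
                    self.log.append(f"{rule.action} {service} {src}->{dst}")
                return rule
        return None

    def outbound(self, service: str, src: str, dst: str) -> str:
        rule = self._first_match(self.outbound_rules, service, src, dst)
        return rule.action if rule else self.default_outbound

    def inbound(self, service: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
        """Inbound traffic is blocked unless an ALLOW rule claims it; an ALLOW
        returns the LAN server the firewall translates the destination to."""
        rule = self._first_match(self.inbound_rules, service, src, dst)
        if rule is None or rule.action != "ALLOW":
            return "BLOCK", None
        return "ALLOW", rule.send_to


def example_firewall() -> Firewall:
    """Rules mirroring the manual's examples; LAN addresses are assumed."""
    fw = Firewall(default_outbound="BLOCK")   # Default Outbound Policy: Block Always
    fw.add_outbound(Rule("HTTP", "ALLOW", source="192.168.1.0/24"))
    fw.add_outbound(Rule("HTTPS", "ALLOW", source="192.168.1.0/24"))
    # Added after the ALLOW above, so it never fires: the earlier rule matches first.
    fw.add_outbound(Rule("HTTP", "BLOCK", source="192.168.1.99"))
    # One-to-one NAT: public 10.1.0.5 (the manual's sample address) -> web server 192.168.1.10
    fw.add_inbound(Rule("HTTP", "ALLOW", destination="10.1.0.5",
                        send_to="192.168.1.10", log=True))
    # Videoconferencing only from the branch-office range
    fw.add_inbound(Rule("CU-SEEME", "ALLOW", source="198.51.100.0/24",
                        send_to="192.168.1.20"))
    # Exposed host: catch-all, placed last so the specific rules above take precedence
    fw.add_inbound(Rule("ANY", "ALLOW", send_to="192.168.1.50"))
    return fw
```

Note what the exposed-host rule does to the branch-office restriction: a CU-SeeMe connection from outside the 198.51.100.0/24 range is not blocked, it simply falls through to the exposed host. Moving the catch-all rule above the others would also swallow the one-to-one NAT mapping, which is why rule order matters.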
Figure 4-7 Configuring Other Firewall Features You can configure attack checks, set session limits, and manage the Application Level Gateway (ALG) for SIP sessions. Attack Checks The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the LAN and WAN networks. To enable the appropriate Attack Checks for your environment: 1.
Figure 4-8 The various types of attack checks listed on the Attack Checks screen are: • WAN Security Checks – Respond To Ping On Internet Ports. By default, the VPN firewall responds to an ICMP Echo (ping) packet coming from the Internet or WAN side. Responding to a ping can be a useful diagnostic tool when there are connectivity problems, but it also confirms to anyone scanning the address that a device is present there.
• LAN Security Checks. – Block UDP flood. A UDP flood is a form of denial of service attack in which the attacking machine sends a large number of UDP packets to random ports to the victim host. As a result, the victim host will check for the application listening at that port, see that no application is listening at that port, and reply with an ICMP Destination Unreachable packet. Handling a high rate of such packets and replies consumes the victim’s resources and can keep it from serving legitimate requests.
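The two attack checks explained above, as an added detection example run over a constructed packet log. This is illustration code, not the firewall's own implementation: the 20-distinct-port threshold, the one-second window, the rule that LAN-side pings are always answered, and every address in the sample traffic are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Tuple


@dataclass
class Packet:
    ts: float            # arrival time in seconds
    proto: str           # "icmp-echo", "udp" or "tcp"
    src: str
    dst: str
    dport: int = 0
    iface: str = "WAN"   # side the packet arrived on: "WAN" or "LAN"


class AttackChecks:
    def __init__(self, respond_to_wan_ping: bool = True,
                 ping_allowed_from: Optional[str] = None,
                 udp_flood_ports: int = 20, window: float = 1.0):
        self.respond_to_wan_ping = respond_to_wan_ping
        self.ping_allowed_from = ping_allowed_from   # None = any WAN source may ping
        self.udp_flood_ports = udp_flood_ports       # distinct ports per window (assumed value)
        self.window = window                         # seconds (assumed value)

    def ping_decision(self, pkt: Packet) -> str:
        """Return "reply" or "drop" for an ICMP echo request."""
        if pkt.proto != "icmp-echo":
            raise ValueError("not an echo request")
        if pkt.iface != "WAN":
            return "reply"       # LAN-side pings are always answered (assumption)
        if not self.respond_to_wan_ping:
            return "drop"
        if self.ping_allowed_from and pkt.src != self.ping_allowed_from:
            return "drop"        # only the configured address may ping from the WAN
        return "reply"

    def udp_flood_sources(self, packets: Iterable[Packet]) -> Dict[str, int]:
        """Sources that hit more than `udp_flood_ports` distinct UDP ports on one
        host within `window` seconds, mapped to the peak distinct-port count."""
        recent: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
        flagged: Dict[str, int] = {}
        for p in sorted(packets, key=lambda p: p.ts):
            if p.proto != "udp":
                continue
            q = recent[(p.src, p.dst)]
            q.append((p.ts, p.dport))
            while q and p.ts - q[0][0] > self.window:   # slide the window
                q.popleft()
            distinct = len({port for _, port in q})
            if distinct > self.udp_flood_ports:
                flagged[p.src] = max(flagged.get(p.src, 0), distinct)
        return flagged


def sample_traffic() -> List[Packet]:
    """Constructed packet log: one LAN host sprays 30 UDP ports on a single
    victim in 0.3 s, another host does three ordinary DNS lookups."""
    flood = [Packet(0.01 * i, "udp", "192.168.1.77", "203.0.113.5", 20000 + i, "LAN")
             for i in range(30)]
    normal = [Packet(0.2 * i, "udp", "192.168.1.5", "203.0.113.53", 53, "LAN")
              for i in range(3)]
    return flood + normal


def run_checks() -> Dict[str, int]:
    """Flagged flood sources for the constructed log."""
    return AttackChecks().udp_flood_sources(sample_traffic())
```

Keying the window on the (source, destination) pair rather than on the source alone keeps a busy but legitimate client that talks to many servers on one port each from being mistaken for a flood; the DNS client in the sample stays well under the threshold.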
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual To configure session limits: 1. Select Security > Firewall > Session Limit to display the Session Limit screen. Figure 4-9 2. Click Yes to enable Session Limits. 3. From the pull-down menu, select whether you will limit sessions by percentage or by absolute number. The percentage is computed based on the total connection capacity of the device.
To enable ALG for SIP:
1. Select Security > Firewall > Advanced to display the Advanced screen.
Figure 4-10
2. Select the Enable SIP ALG checkbox.
3. Click Apply to save your settings.
service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request. The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC 1700, “Assigned Numbers.”
6. Click Add. The new custom service will be added to the Custom Services Table.

Modifying a Service

To edit the parameters of an existing service:
1. In the Custom Services Table, click the Edit button adjacent to the service you want to edit. The Edit Service screen is displayed.
2. Modify the parameters you wish to change.
3. Click Apply to confirm your changes. The modified service is displayed in the Custom Services Table.
The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall. A priority is assigned to IP packets using this service. Priorities are defined by the “Type of Service (ToS) in the Internet Protocol Suite” standards, RFC 1349. A ToS priority for traffic passing through the VPN firewall is one of the following:
• Normal-Service.
The List of Bandwidth Profiles table displays existing profiles.
2. To create a new bandwidth profile, click Add. The Add Bandwidth Profile screen is displayed.
Figure 4-14
3. Enter the following information:
a. Enter a Profile Name. This name will become available in the firewall rules definition menus.
b.
4. Click Apply. The new bandwidth profile will be added to the List of Bandwidth Profiles table.

To edit a bandwidth profile:
1. Click the Edit link adjacent to the profile you want to edit. The Edit Bandwidth Profile screen is displayed. (This screen shows the same fields as the Add New Bandwidth Profile screen.)
2. Modify the settings that you wish to change.
3. Click Apply.
To invoke rules based on a schedule, follow these steps:
1. Select Security > Schedule to display the Schedule 1 screen.
2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect.
3. Check the radio button to schedule the time of day: All Day, or Specific Times.
– Cookies. Cookies are used to store session information by websites that usually require login. However, several websites use cookies to store tracking information and browsing habits. Enabling this option filters out cookies from being created by a website.
Note: Many websites require that cookies be accepted in order for the site to be accessed properly.
To enable Content Filtering:
1. Select Security > Block Sites to display the Block Sites screen.
Figure 4-16
2. Select Yes to enable content filtering.
3. Click Apply to activate the screen controls.
4. Select any Web Components you wish to block and click Apply.
5. Select the groups to which keyword blocking will apply, then click Enable to activate keyword blocking (or Disable to deactivate keyword blocking).
6. Enter your list of blocked keywords or domain names in the Blocked Keyword fields. After each entry, click Add. The keyword or domain name will be added to the Blocked Keywords table.
Figure 4-17
3. Click Yes to enable Source MAC Filtering.
4. Select the action to be taken on outbound traffic from the listed MAC addresses:
– Block this list and permit all other MAC addresses.
– Permit this list and block all other MAC addresses.
5. Enter a MAC Address in the Add Source MAC Address checkbox and click Add. The MAC address will appear in the MAC Addresses table.
Configuring IP/MAC Address Binding

You can configure the VPN firewall to drop packets and generate an alert when a device appears to have hijacked or spoofed another device’s IP address. An IP address can be bound to a specific MAC address either by using a DHCP reserved address (see “Configuring DHCP Address Reservation” on page 3-9) or by manually binding on the IP/MAC Binding screen.
b. Enter the MAC Address and IP Address to be bound. A valid MAC address is six colon-separated pairs of hexadecimal digits (0 to 9 and a to f). For example: 01:23:45:ab:cd:ef.
c. From the pull-down list, select whether dropped packets should be logged to a special counter.
6. Click Apply. The specified binding will be added to the IP/MAC Bindings table.
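To make the binding semantics concrete, here is an added example (not NETGEAR code) of the check the two sections above describe: the MAC format rule, a binding table keyed by IP, and a decision per packet that forwards the bound host, drops and alerts on any other MAC presenting the bound IP, and counts the drop when logging is selected. The packet format and the choice to let unbound addresses pass are assumptions made for the illustration.

```python
"""IP/MAC binding check over constructed packets.

Added example, not NETGEAR code. It mirrors what the manual describes: an IP address bound
to a MAC address, packets that present that IP from another MAC are dropped, an alert is
raised, and (optionally) a drop counter is incremented. The packet format and the
"unbound addresses pass" behaviour are assumptions for this illustration.
"""
import re

# Six colon-separated pairs of hex digits, as the manual states; upper case accepted here (assumption).
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def valid_mac(mac):
    """True for a MAC such as 01:23:45:ab:cd:ef."""
    return bool(MAC_RE.match(mac.lower()))


class IpMacBindingTable:
    """Bindings keyed by IP; check() decides forward (True) or drop (False)."""

    def __init__(self):
        self._by_ip = {}      # ip -> (mac, log_drops)
        self.dropped = 0      # the "special counter" the manual mentions
        self.alerts = []      # alert messages generated for mismatches

    def bind(self, mac, ip, log_drops=True):
        if not valid_mac(mac):
            raise ValueError(f"invalid MAC address: {mac!r}")
        self._by_ip[ip] = (mac.lower(), log_drops)

    def check(self, src_ip, src_mac):
        entry = self._by_ip.get(src_ip)
        if entry is None:
            return True       # no binding for this IP: the check does not apply (assumption)
        bound_mac, log_drops = entry
        if src_mac.lower() == bound_mac:
            return True
        self.alerts.append(f"IP/MAC mismatch: {src_ip} seen from {src_mac}, bound to {bound_mac}")
        if log_drops:
            self.dropped += 1
        return False


def run_constructed_packets():
    """Constructed sample: one host's IP is bound; a second host later claims that IP."""
    table = IpMacBindingTable()
    table.bind("01:23:45:ab:cd:ef", "192.168.1.50")
    packets = [
        ("192.168.1.50", "01:23:45:AB:CD:EF"),   # the bound host itself (case differs only)
        ("192.168.1.77", "de:ad:be:ef:00:01"),   # unbound IP, passes untouched
        ("192.168.1.50", "de:ad:be:ef:00:01"),   # another MAC claiming the bound IP
        ("192.168.1.50", "de:ad:be:ef:00:02"),
    ]
    results = [table.check(ip, mac) for ip, mac in packets]
    return results, table.dropped, table.alerts
```

The comparison is done on the normalised lower-case form so that a binding entered as 01:23:45:ab:cd:ef still matches a host that reports its address in upper case; the alert list is what an operator would expect to see in the log when a spoofed address appears on the LAN.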
Note these restrictions with port triggering:
• Only one PC can use a port triggering application at any time.
• After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the VPN firewall cannot be sure when the application has terminated.
7. Click Add. The port triggering rule will be added to the Port Triggering Rules table.

To check the status of the port triggering rules, click the Status option arrow to the right of the tab on the Port Triggering screen. The following data is displayed:
• Rule – The name of the port triggering rule.
• LAN IP Address – The IP address of the PC currently using this rule.
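The two restrictions listed above (one PC at a time, and a time-out before another PC can take over) follow from the firewall not knowing when the application ends. This added example, not NETGEAR code, models one port triggering rule as a small state machine and replays a constructed timeline through it; the port numbers, the 300-second time-out and the event sequence are assumptions chosen for the illustration.

```python
"""Port triggering state for one rule, replayed against constructed events.

Added example, not NETGEAR code. It models the two restrictions the manual lists: one LAN
host uses a rule at a time, and after that host goes idle the rule stays reserved for a
time-out period before another host can trigger it. Port numbers, the 300-second time-out
and the event sequence are assumptions chosen for illustration.
"""


class PortTriggerRule:
    def __init__(self, name, trigger_port, inbound_ports, timeout_seconds=300):
        self.name = name
        self.trigger_port = trigger_port
        self.inbound_ports = set(inbound_ports)
        self.timeout = timeout_seconds
        self.owner = None         # LAN IP currently holding the rule
        self.last_seen = None     # time of the owner's last matching packet

    def _expired(self, now):
        return self.owner is not None and now - self.last_seen > self.timeout

    def outbound(self, lan_ip, dst_port, now):
        """A LAN host connects outward. Returns True if the rule is (now) held by lan_ip."""
        if dst_port != self.trigger_port:
            return False
        if self.owner is None or self.owner == lan_ip or self._expired(now):
            self.owner, self.last_seen = lan_ip, now
            return True
        return False              # another host still holds the rule (time-out not elapsed)

    def inbound(self, dst_port, now):
        """An Internet host connects to an inbound port. Returns the LAN IP to forward to, or None."""
        if self.owner is None or dst_port not in self.inbound_ports:
            return None
        if self._expired(now):
            self.owner = None     # the idle owner's reservation has lapsed
            return None
        self.last_seen = now
        return self.owner

    def status(self, now):
        """What the Status view shows: rule name, LAN IP using it, and time remaining."""
        if self.owner is None or self._expired(now):
            return {"rule": self.name, "lan_ip": None, "time_remaining": 0}
        return {"rule": self.name, "lan_ip": self.owner,
                "time_remaining": self.timeout - (now - self.last_seen)}


def replay():
    """Constructed timeline for an IRC-style rule (trigger 6667, inbound 113)."""
    rule = PortTriggerRule("irc-ident", trigger_port=6667, inbound_ports=[113])
    events = [
        ("out", "192.168.1.10", 6667, 0),    # PC1 triggers the rule
        ("in", None, 113, 10),               # server connects back -> PC1
        ("out", "192.168.1.11", 6667, 20),   # PC2 tries while PC1 holds it -> refused
        ("in", None, 113, 350),              # PC1 idle for >300 s -> dropped, rule released
        ("out", "192.168.1.11", 6667, 400),  # PC2 now gets the rule
        ("in", None, 113, 405),              # -> PC2
    ]
    out = []
    for kind, ip, port, t in events:
        out.append(rule.outbound(ip, port, t) if kind == "out" else rule.inbound(port, t))
    return out
```

Note that every matching packet refreshes last_seen, so a host that keeps the application busy keeps the rule indefinitely; only silence for longer than the time-out releases it to the next host.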
– Schedules (see “Setting a Schedule to Block or Allow Specific Traffic” on page 4-24)
– Block sites (see “Blocking Internet Sites (Content Filtering)” on page 4-25)
– Source MAC filtering (see “Configuring Source MAC Filtering” on page 4-28)
– Port triggering (see “Configuring Port Triggering” on page 4-31)
Chapter 5
Virtual Private Networking Using IPsec

This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G to provide secure, encrypted communications between your local network and a remote network or computer.
The diagrams and table below show how the WAN mode selection relates to VPN configuration.
Using the VPN Wizard for Client and Gateway Configurations

You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies.
Figure 5-4
3. Select Gateway as your connection type.
4. Create a Connection Name. Enter a descriptive name for the connection. This name is used to help you manage the VPN settings; it is not supplied to the remote VPN endpoint.
5. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN gateway or the remote VPN client. This key must be a minimum of 8 characters and should not exceed 49 characters.
6.
7. Enter the Remote and Local WAN IP Addresses or Internet Names of the gateways which will connect.
• Both the remote WAN address and your local WAN address are required.
Tip: To assure tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive.
10. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured. After both firewalls are configured, go to VPN > IPsec VPN > Connection Status to display the status of your VPN connections.
Follow these steps to configure a VPN client tunnel:
• Configure the client policies on the gateway.
• Configure the VPN client to connect to the gateway.

Use the VPN Wizard to Configure the Gateway for a Client Tunnel
1. Select VPN > IPsec VPN from the menu.
2. Click the VPN Wizard tab to display the VPN Wizard screen.
Figure 5-8
3. Select VPN Client as your VPN tunnel connection.
4.
5. Enter a Pre-shared Key; in this example, we are using r3m0+eC1ient, which must also be entered in the VPN client software. The key length must be 8 characters minimum and cannot exceed 49 characters.
6. Choose which WAN port to use as the VPN tunnel end point.
Note: If you are using a dual WAN rollover configuration, after completing the wizard, you must manually update the VPN policy to enable VPN rollover.
Follow these steps to configure your VPN client.
1. Right-click the VPN client icon in your Windows toolbar, choose Security Policy Editor, and verify that the Options > Secure > Specified Connections selection is enabled.
Figure 5-10
2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection.
Fill in the other options according to the instructions below.
• Under Connection Security, verify that the Secure radio button is selected.
• From the ID Type pull-down menu, choose IP Subnet.
• Enter the LAN IP Subnet Address and Subnet Mask of the VPN firewall LAN; in this example, we are using 192.168.2.0.
• Check the Use checkbox and choose Secure Gateway Tunnel from the pull-down menu.
4. Verify the Security Policy settings; no changes are needed.
Figure 5-13
• On the left, click Security Policy to view the settings: no changes are needed.
• On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed.
• On the left, expand Key Exchange (Phase 2) and click Proposal 1. No changes are needed.
5. In the upper left of the window, click the disk icon to save the policy.
Within 30 seconds you should receive the message “Successfully connected to My Connections\gw1”.
Figure 5-15
The VPN client icon in the system tray should state On.
2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps.
• Right-click the VPN Client icon in the system tray and select Log Viewer.
Figure 5-16
• Right-click the VPN Client icon in the system tray and select Connection Monitor.
Figure 5-17
The VPN client system tray icon provides a variety of status indications, which are listed below.

Table 5-2. System Tray Icon Status
(icon) The client policy is deactivated.
(icon) The client policy is deactivated but not connected.
(icon) The client policy is activated and connected. A flashing vertical bar indicates traffic on the tunnel.
You can set a poll interval (in seconds) to check the connection status of all active IKE policies to obtain the latest VPN tunnel activity. The Active IPSec SA(s) table also lists current data for each active IPsec SA (security association):
• Policy Name. The name of the VPN policy associated with this SA.
• Endpoint. The IP address on the remote VPN endpoint.
• Tx (KBytes). The amount of data transmitted over this SA.
You can edit existing policies, or add new VPN and IKE policies directly in the policy tables.
Note: You cannot modify an IKE policy that is associated with an enabled VPN policy. To modify the IKE policy, first disable the VPN policy. After you have modified and saved the IKE policy, you can then re-enable the VPN policy.
Go to VPN > Policies to view the IKE Policies screen. (The example policies that are listed in the List of IKE Policies table do not correspond to the IKE policies that were created using the VPN Wizard earlier in this chapter.)
Figure 5-20
Each policy that is listed in the List of IKE Policies table contains the following data:
• Name. Uniquely identifies each IKE policy.
• DH. The Diffie-Hellman (DH) group used when exchanging keys. The DH group sets the number of bits. The VPN Wizard default setting is Group 2. (This setting must match the remote VPN.)
To gain a more complete understanding of the encryption, authentication, and DH algorithm technologies, see Appendix D, “Related Documents” for a link to the NETGEAR website.

Configuring VPN Policies

You can create two types of VPN policies.
Only one client policy may be configured at a time (noted by an “*” next to the policy name). The List of VPN Policies table contains the following fields:
• ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To enable or disable a policy, check the box adjacent to the circle and click Enable or Disable, as required.
• Name.
XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are available:
• Edge Device. If this is selected, the VPN firewall is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is chosen, you must specify the authentication type to be used in verifying credentials of the remote VPN gateways: User Database, RADIUS-PAP, or RADIUS-CHAP.
• IPsec Host.
3. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified, or you can create a new IKE Policy incorporating XAUTH by clicking Add.
Figure 5-22
4. In the Extended Authentication section, choose from the Authentication Type pull-down menu the type that will be used to verify user account information.
Specify one of the following authentication types:
– User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 5-22).
– RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server.
Figure 5-23
3. To activate (enable) the primary RADIUS server, click the Yes radio button. The primary server options become active.
4. Configure the following entries:
• Primary RADIUS Server IP address. The IP address of the RADIUS server.
• Secret Phrase.
5. Enable a backup RADIUS server (if required).
6. Set the Time Out Period, in seconds, that the VPN firewall should wait for a response from the RADIUS server.
7. Set the Maximum Retry Count. This is the number of attempts that the VPN firewall will make to contact the RADIUS server.
8. Click Apply to save the settings.
IP address from the configured IP address pool and activates a temporary IPsec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the Add Mode Config Record screen that is shown in Figure 5-25 on page 5-26).
3. Click Add. The Add Mode Config Record screen is displayed.
Figure 5-25
4. Enter a descriptive Record Name such as “Sales”.
5. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx.
6.
10. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
• SA Lifetime: 3600 seconds
• Authentication Algorithm: SHA-1
• Encryption Algorithm: 3DES
11. Click Apply. The new record should appear in the List of Mode Config Records table on the Mode Config screen.
Figure 5-26
3. In the Mode Config Record section, enable Mode Config by checking the Yes radio button and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the View Selected button.) Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel are defined by an FQDN.
4. In the General section:
• Enter a descriptive name in the Policy Name field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration.
• Set Direction/Type to Responder.
• The Exchange Mode will automatically be set to Aggressive.
5. In the Local section, select FQDN for the Identity Type.
6.
Note: If RADIUS-PAP is selected, the VPN firewall will first check the User Database to see if the user credentials are available. If the user account is not present, the VPN firewall will then connect to the RADIUS server.
12. Click Apply. The new policy will appear in the List of IKE Policies table.
d. From the Virtual Adapter pull-down menu, choose Preferred. The Internal Network IP Address should be 0.0.0.0.
Note: If no box is displayed for Internal Network IP Address, go to Options/Global Policy Settings, and check the box for “Allow to Specify Internal Network Address.”
e. Select your Internet Interface adapter from the Name pull-down menu.
3. On the left side of the menu, choose Security Policy.
a.
Configuring Keepalives and Dead Peer Detection

In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time.
5. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests.
6. Enter the Detection Period to set the time between ICMP ping requests. The default is 10 seconds.
7. In Reconnect after failure count, set the number of consecutive missed responses that will be considered a tunnel connection failure. The default is 3 missed responses.
6. In Reconnect after failure count, set the number of DPD failures allowed before tearing down the connection. The default is 3 failures. When the VPN firewall senses an IKE connection failure, it deletes the IPsec and IKE Security Associations and forces a reestablishment of the connection.
7. Click Apply at the bottom of the screen.
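Both the keepalive and the DPD procedures above reduce to the same counter: a probe every Detection Period, a run of consecutive misses, and a forced reconnect when the run reaches the failure count. The following added example (not NETGEAR code) replays a constructed probe log through that counter using the manual's defaults of 10 seconds and 3 failures; the reconnect itself (deleting the IPsec and IKE SAs and re-establishing) is represented only as a counter.

```python
"""Keepalive / Dead Peer Detection failure counting, replayed on a constructed probe log.

Added example, not NETGEAR code. The manual's defaults are used: a probe every 10 seconds
(Detection Period) and a reconnect after 3 consecutive failures. What the device does on
reconnect (delete the IPsec and IKE SAs, re-establish) is modelled only as a counter.
"""


class TunnelLiveness:
    def __init__(self, detection_period=10, reconnect_after=3):
        self.detection_period = detection_period
        self.reconnect_after = reconnect_after
        self.consecutive_misses = 0
        self.reconnects = 0
        self.next_probe_at = 0

    def probe_due(self, now):
        return now >= self.next_probe_at

    def record(self, now, replied):
        """Record one probe result. Returns True when the failure count triggers a reconnect."""
        self.next_probe_at = now + self.detection_period
        if replied:
            self.consecutive_misses = 0      # any reply resets the run of failures
            return False
        self.consecutive_misses += 1
        if self.consecutive_misses >= self.reconnect_after:
            self.consecutive_misses = 0
            self.reconnects += 1             # delete SAs and force re-establishment
            return True
        return False


def replay(responses, detection_period=10, reconnect_after=3):
    """Replay a constructed series of probe outcomes (True = peer answered). Returns the
    timestamps at which a reconnect was forced."""
    liveness = TunnelLiveness(detection_period, reconnect_after)
    reconnect_times = []
    now = 0
    for replied in responses:
        while not liveness.probe_due(now):
            now += 1
        if liveness.record(now, replied):
            reconnect_times.append(now)
        now += detection_period
    return reconnect_times


# Constructed log: two isolated misses are tolerated; three in a row at t=40, 50, 60 are not.
CONSTRUCTED_LOG = [True, False, False, True, False, False, False, True]
```

With these defaults a dead peer is noticed after roughly 30 seconds; lowering the period or the count detects failure sooner at the cost of more spurious reconnects on a lossy link, which is the trade-off the two settings exist to tune.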
Chapter 6
Virtual Private Networking Using SSL

The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers.
Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s PC.
When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain.
4. Create one or more SSL VPN user accounts.
Portal Layouts are applied by selecting from available portal layouts in the configuration of a Domain. When you have completed your Portal Layout, you can apply the Portal Layout to one or more authentication domains (see “Creating a Domain” on page 7-1 to apply a Portal Layout to a Domain).
Figure 6-2
3. In the Portal Layout and Theme Name section of the screen, configure the following entries:
a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name will be part of the path of the SSL VPN portal URL.
Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.
Figure 6-3
As shown in the figure, the banner title text is displayed in the orange header bar. The banner message text is displayed in the grey header bar.
d. Check the Enable HTTP meta tags for cache control checkbox to apply HTTP meta tag cache control directives to this Portal Layout.
The web cache cleaner will prompt the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window. The ActiveX web cache control will be ignored by web browsers that don't support ActiveX.
4. In the SSL VPN Portal Pages to Display section, check the checkboxes for the portal pages you wish users to access.
Adding Servers

To configure Port Forwarding, you must define the internal host machines (servers) and TCP applications available to remote users. To add servers, follow these steps:
1. Select VPN > SSL VPN from the menu, and then select the Port Forwarding tab. The Port Forwarding screen is displayed.
Figure 6-4
2.
Table 6-1. Port Forwarding Applications/TCP Port Numbers (continued)
TCP Application                    Port Number
POP3 (receive mail)                110
NTP (network time protocol)        123
Citrix                             1494
Terminal Services                  3389
VNC (virtual network computing)    5900 or 5800
a. Users can specify the port number together with the host name or IP address.
4. Click Add.
Configuring the SSL VPN Client

The SSL VPN Client within the VPN firewall will assign IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the corporate subnet to the remote VPN tunnel clients.
Configuring the Client IP Address Range

Determine the address range to be assigned to VPN tunnel clients, then define the address range. To configure the client IP address range:
1. Select VPN > SSL VPN from the menu, and then select the SSL VPN Client tab. The SSL VPN Client screen is displayed.
Figure 6-5
2. Select Enable Full Tunnel Support unless you want split tunneling.
3.
Adding Routes for VPN Tunnel Clients

The VPN Tunnel Clients assume that the following networks are located across the VPN over SSL tunnel:
• The subnet containing the client IP address (PPP interface), as determined by the class of the address (Class A, B, or C).
• Subnets specified in the Configured Client Routes table.
Using Network Resource Objects to Simplify Policies

Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. You will not need to redefine the same set of IP addresses or address ranges when configuring the same access policies for multiple users.
4. Click Add. The “Operation Successful” message appears at the top of the tab, and the newly added resource name appears in the Defined Resource Addresses table.
5. Adjacent to the new resource, click the Edit button. The Add Resource Addresses screen is displayed.
Figure 6-7
6. From the Object Type pull-down menu, select one of the following:
• IP Address.
Configuring User, Group, and Global Policies

An administrator can define and apply user, group, and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The VPN firewall policy hierarchy is defined as:
1. User policies take precedence over all group policies.
2.
Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The VPN firewall policy engine does not perform reverse DNS lookups.

Viewing SSL VPN Policies

To view the existing SSL VPN policies, follow these steps:
1. Select VPN > SSL VPN from the menu, and then select the Policies tab. The Policies screen is displayed.
Figure 6-8
2.
Note: Global policies are displayed in the List of SSL VPN Policies table. Policies that apply only to groups or users are displayed in the Related Policies table but not in the List of SSL VPN Policies table.

Adding an SSL VPN Policy

To add a policy, follow these steps:
1. Select VPN > SSL VPN from the menu, and select the Policies tab. The Policies screen is displayed.
Figure 6-9
2.
4. In the Add SSL VPN Policies section of the screen, review the Apply Policy To options and click one. Depending upon your selection, specific options to the right are activated or inactivated, as noted in the following:
• If you choose Network Resource, you will need to enter a descriptive Policy Name, then choose a Defined Resource and relevant Permission (PERMIT or DENY) from the pull-down menus.
• If you choose IP Network, you will need to enter a descriptive Policy Name, IP Address, and Subnet Mask, then choose the Service and relevant Permission from the pull-down menus.
Figure 6-12
• If you choose All Addresses, you will need to enter a descriptive Policy Name, then choose the Service and relevant Permission from the pull-down menus.
Figure 6-13
5. When you are finished making your selections, click Apply.
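The policy hierarchy (user over group over global) and the note that the policy engine does no reverse DNS lookup are easiest to reason about in code. This added example, not NETGEAR code, evaluates a constructed set of policies of the three Apply Policy To kinds (a named host resource, an IP network, all addresses) for a user, group, destination and service; the default-deny when nothing matches and the most-specific-first ordering within one level are assumptions, and the policy names, groups and addresses are constructed.

```python
"""SSL VPN policy precedence, as an added example (not NETGEAR code).

Models the hierarchy the manual states (user policies take precedence over group policies,
and those over global policies), plus the note that the policy engine does no reverse DNS
lookup, so a policy written for a host name never matches the same host's IP address.
Destinations are 'any', an IP network in CIDR form, or a host name; the default-deny when
nothing matches and the most-specific-first ordering within one level are assumptions.
"""
import ipaddress
from dataclasses import dataclass

LEVEL_RANK = {"user": 0, "group": 1, "global": 2}


@dataclass
class SslVpnPolicy:
    level: str        # "user", "group" or "global"
    owner: str        # user name, group name, or "" for global
    name: str
    destination: str  # "any", "10.0.1.0/24", or "ftp.company.com"
    service: str      # e.g. "VPN Tunnel", "Port Forwarding", or "any"
    permission: str   # "PERMIT" or "DENY"


def _is_network(text):
    try:
        ipaddress.ip_network(text, strict=False)
        return True
    except ValueError:
        return False


def matches(policy, destination):
    """Does the policy's destination cover the requested destination (no DNS involved)?"""
    if policy.destination == "any":
        return True
    if _is_network(policy.destination):
        try:
            return ipaddress.ip_address(destination) in ipaddress.ip_network(policy.destination, strict=False)
        except ValueError:
            return False                      # a host name never matches an IP policy
    return policy.destination.lower() == destination.lower()   # host-name policy: exact name only


def specificity(policy):
    """Lower is more specific: single host name < IP network by prefix < any."""
    if policy.destination == "any":
        return 999
    if _is_network(policy.destination):
        return 128 - ipaddress.ip_network(policy.destination, strict=False).prefixlen
    return 0


def decide(policies, user, group, destination, service):
    """Return PERMIT or DENY for one access request."""
    candidates = [
        p for p in policies
        if (p.level == "global" or (p.level == "user" and p.owner == user)
            or (p.level == "group" and p.owner == group))
        and p.service in ("any", service)
        and matches(p, destination)
    ]
    if not candidates:
        return "DENY"     # assumed default when no policy applies
    best = min(candidates, key=lambda p: (LEVEL_RANK[p.level], specificity(p)))
    return best.permission


CONSTRUCTED_POLICIES = [
    SslVpnPolicy("global", "", "deny-all", "any", "any", "DENY"),
    SslVpnPolicy("group", "sales", "sales-lan", "10.0.2.0/24", "any", "PERMIT"),
    SslVpnPolicy("user", "alice", "alice-ftp", "ftp.company.com", "Port Forwarding", "PERMIT"),
    SslVpnPolicy("user", "bob", "bob-block-sales-lan", "10.0.2.0/24", "any", "DENY"),
]
```

Run against the constructed policies, alice reaches ftp.company.com by name but is denied when she asks for 10.0.1.3, exactly the situation the note above describes; bob's user-level DENY overrides his group's PERMIT for the same network.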
Chapter 7
Managing Users, Authentication, and Certificates

This chapter contains the following sections:
• “Adding Authentication Domains, Groups, and Users” on this page
• “Managing Certificates” on page 7-11

Adding Authentication Domains, Groups, and Users

You must create name and password accounts for all users who will connect to the VPN firewall. This includes administrators and SSL VPN clients.
Table 7-1 summarizes the authentication protocols and methods that the VPN firewall supports.

Table 7-1. Authentication Protocols and Methods
Authentication Protocol or Method    Description (or Subfield and Description)
PAP                                  Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
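The practical difference between PAP and the CHAP variant offered alongside it in the RADIUS settings is what crosses the wire. This added example (not NETGEAR code) shows both: a PAP request carries the password itself, while a CHAP exchange per RFC 1994 carries only MD5(identifier || secret || challenge), so a captured response cannot be replayed against a fresh challenge. The user names, secrets and the fixed test RNG are constructed values.

```python
"""PAP versus CHAP credential exchange, as an added example (not NETGEAR code).

PAP sends the password itself; CHAP (RFC 1994) sends MD5(identifier || secret || challenge),
so the secret never crosses the wire and a captured response is useless against a fresh
challenge. User names, secrets and the fixed test RNG are constructed values.
"""
import hashlib
import hmac
import os


def pap_request(username, password):
    """What a PAP client puts on the wire: the clear-text password. (RADIUS-PAP only
    obfuscates it on the NAS-to-RADIUS leg, using the shared secret.)"""
    return {"user": username, "password": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over the one-octet identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues a challenge per identifier and checks the response once."""

    def __init__(self, secrets):
        self._secrets = secrets     # user name -> secret bytes (the user database)
        self._pending = {}          # identifier -> outstanding challenge

    def challenge(self, identifier, rng=os.urandom):
        value = rng(16)
        self._pending[identifier] = value
        return value

    def verify(self, identifier, username, response):
        challenge = self._pending.pop(identifier, None)   # one use only: no replay
        if challenge is None or username not in self._secrets:
            return False
        expected = chap_response(identifier, self._secrets[username], challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(server, identifier, username, client_secret, rng=os.urandom):
    """Run one client/server exchange and return whether the server accepted it."""
    challenge = server.challenge(identifier, rng)
    return server.verify(identifier, username, chap_response(identifier, client_secret, challenge))


def demo():
    """Constructed run: good secret, wrong secret, unknown user, and a replayed response."""
    server = ChapAuthenticator({"alice": b"s3cret"})
    fixed = lambda n: b"\x42" * n            # deterministic challenge for the demonstration only
    good = chap_exchange(server, 7, "alice", b"s3cret", fixed)
    wrong = chap_exchange(server, 8, "alice", b"wrong", fixed)
    unknown = chap_exchange(server, 9, "mallory", b"s3cret", fixed)
    challenge = server.challenge(10, fixed)
    response = chap_response(10, b"s3cret", challenge)
    first = server.verify(10, "alice", response)
    replay = server.verify(10, "alice", response)
    return good, wrong, unknown, first, replay
```

Note that CHAP's protection is against passive capture and replay, not against an attacker who reads the server-side user database: the server must store the secret in a recoverable form to compute the expected hash, which is why the RADIUS server and its shared secret deserve the same care as the VPN firewall itself.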
To create a domain:
1. Select Users > Domains from the menu. The Domains screen is displayed.
Figure 7-1
2. Click Add. The Add Domain screen is displayed.
Figure 7-2
3. Configure the following fields:
a. Enter a descriptive name for the domain in the Domain Name field.
b. Select the Authentication Type. The required fields are activated in varying combinations according to your selection of Authentication Type:
Table 7-2.
Creating a Group

The use of groups simplifies the configuration of VPN policies when different sets of users will have different restrictions and access controls.
Note: Groups that are defined in the User screen are used for setting SSL VPN policies. These groups should not be confused with LAN Groups that are defined in the Network Configuration | LAN Settings | LAN Groups tab, which are used to simplify firewall policies.
Creating a New User Account

To add individual user accounts:
1. Select Users > Users from the menu. The Users screen is displayed.
Figure 7-4
2. Click Add. The Add User screen is displayed.
Figure 7-5
3. Configure the following fields:
a. User Name. Enter a unique identifier, using any alphanumeric characters.
b. User Type. Select either Administrator, SSL VPN User, or IPsec VPN User.
c. Select Group. Select from a list of configured groups. The user will be associated with the domain that is associated with that group.
d. Password/Confirm Password. The password can contain alphanumeric characters, dash, and underscore.
e. Idle Timeout. For an Administrator, this is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
4.
To restrict logging in based on IP address:
1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen is displayed.
2. Select the by Source IP Address tab. The by Source IP Address screen is displayed (Figure 7-7).
3.
To restrict logging in based on the user's browser:
1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen is displayed.
2. Select the by Client Browser tab. The by Client Browser screen is displayed (Figure 7-8).
3.
To modify user settings, including administrative user settings:
1. Select Users > Users from the menu. The Users screen is displayed (see Figure 7-4 on page 7-6).
2. In the Action column of the List of Users table, click Edit for the user whose settings you want to modify. The Edit User screen is displayed (Figure 7-9).
3. Configure the following fields:
a. Select User Type.
4. Click Apply to save your settings or Cancel to return to your previous settings.
Note: A factory defaults reset changes the password back to the factory default, password, and the idle time-out back to 10 minutes. After any reset, change the administrator password again before exposing the device to an untrusted network.
• A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified independently. You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as Verisign or Thawte, or you can generate and sign your own certificate. A self-signed certificate gives you encryption but no third-party identity verification: clients warn about it until its issuer is imported as trusted, and until then a user cannot tell it apart from a certificate presented by an attacker.
Figure 7-10
When you obtain a self certificate from a CA, you will also receive the CA certificate. In addition, many CAs make their certificates available on their Websites.
To load a CA certificate into your VPN firewall:
1. Store the CA certificate file on your computer.
2. Under Upload Trusted Certificates in the Certificates menu, click Browse and locate the CA certificate file.
3. Click Upload.
• Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all of your certificates should have the same value in the Subject field.
• Serial Number. This is a serial number maintained by the CA. It is used to identify the certificate within the CA.
• Issuer Name.
2. Configure the following fields:
• Name – Enter a descriptive name that will identify this certificate.
• Subject – This is the name which other organizations will see as the holder (owner) of the certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. (Using the same name, or a derivation of the name, in the Title field would be useful.
5. In the Self Certificate Requests table, click view in the Action column to view the request (Figure 7-14).
6. Copy the contents of the Data to supply to CA text box into a text file, including the complete “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines and everything between them. A request that is missing either line, or part of the base64 body, will be rejected by the CA.
7. Submit your certificate request to a CA:
a. Connect to the website of the CA.
b. Start the Self Certificate request procedure.
c.
9. Return to the Certificates screen and locate the Self Certificate Requests section (Figure 7-15).
10. Select the checkbox next to the certificate request, then click Browse and locate the certificate file on your PC.
11. Click Upload. The certificate file will be uploaded to this device and will appear in the Active Self Certificates table.
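The copy-and-paste in step 6 is where certificate requests most often go wrong (a missing END line, a dropped line of base64). The following is an added example, not code from the NETGEAR manual or the firewall's firmware: it checks a pasted request block before you submit it to a CA by locating the standard five-dash BEGIN/END lines, decoding the base64 body, and confirming that the length declared by the outer DER SEQUENCE matches the number of bytes actually decoded. The sample request it builds is a constructed DER structure wrapped in PEM armour, not a real CSR; it only exists to exercise the checks.

```python
"""Sanity-check a pasted PEM certificate request before submitting it to a CA.

Added example, not code from the NETGEAR manual or firmware. The sample
request is a constructed DER structure in PEM armour, not a real CSR.
"""
import base64
import binascii
import re


def extract_pem_block(text, label="CERTIFICATE REQUEST"):
    """Return the base64 body between the five-dash BEGIN/END lines, or None if incomplete."""
    pattern = re.compile(
        r"-----BEGIN " + re.escape(label) + r"-----\s*(.*?)\s*-----END " + re.escape(label) + r"-----",
        re.DOTALL,
    )
    match = pattern.search(text)
    if match is None:
        return None
    # PEM breaks the body every 64 characters; join it back into one string.
    return "".join(match.group(1).split())


def der_declared_length(der):
    """Total size (header + content) the outer DER SEQUENCE claims to have."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        raise ValueError("outer element is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_csr_paste(text):
    """Report whether the pasted text holds one complete, well-formed request block."""
    body = extract_pem_block(text)
    if body is None:
        return {"ok": False, "reason": "BEGIN/END CERTIFICATE REQUEST lines missing or incomplete"}
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return {"ok": False, "reason": "body is not valid base64"}
    try:
        declared = der_declared_length(der)
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}
    if declared != len(der):
        return {"ok": False, "reason": f"DER declares {declared} bytes but {len(der)} were pasted"}
    return {"ok": True, "der_bytes": len(der)}


def build_sample_der():
    """Constructed sample: SEQUENCE { INTEGER 0, PrintableString "Example" } (not a real CSR)."""
    content = bytes([0x02, 0x01, 0x00]) + bytes([0x13, 0x07]) + b"Example"
    return bytes([0x30, len(content)]) + content


def to_pem(der, label="CERTIFICATE REQUEST"):
    """Wrap DER bytes in PEM armour with the usual 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    pem = to_pem(build_sample_der())
    print(check_csr_paste("Data to supply to CA:\n" + pem))   # complete paste
    print(check_csr_paste(pem.rsplit("\n", 2)[0]))            # END line lost in the paste
```

The DER length check catches the common failure where the last line of the base64 body is left out: the text still looks like a PEM block and still decodes, but the SEQUENCE header says more bytes should follow than were pasted.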
Figure 7-16
The CRL table lists your active CAs and their critical release dates:
• CA Identity – The official name of the CA which issued this CRL.
• Last Update – The date when this CRL was released.
• Next Update – The date when the next CRL will be released. Once this date has passed, the loaded CRL is stale and certificates revoked since then will still be accepted; download and upload the newer CRL.
2. Click Browse and locate the CRL file you previously downloaded from a CA.
3. Click Upload.
Chapter 8 VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G. The VPN firewall offers many tools for managing the network traffic to optimize its performance. You can also control administrator access, be alerted to important events requiring prompt action, monitor the VPN firewall status, perform diagnostics, and manage the VPN firewall configuration file.
In practice, the WAN-side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports will support the following traffic rates:
• Load balancing mode: 3 Mbps (two WAN ports at 1.5 Mbps each)
• Rollover mode: 1.5 Mbps (one active WAN port at 1.
As you define your firewall rules, you can further refine their application according to the following criteria:
• LAN Users. These settings determine which computers on your network are affected by this rule. Select the desired options:
– Any. All PCs and devices on your LAN.
– Single address. The rule will be applied to the address of a particular PC.
– Address range. The rule is applied to a range of addresses.
• Schedule. If you have set firewall rules on the LAN WAN Rules screen, you can configure three different schedules (for example, schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule.
Features That Increase Traffic
Features that tend to increase WAN-side loading are as follows:
• Port forwarding
• Port triggering
• Exposed hosts
• VPN tunnels
Port Forwarding
The firewall always blocks the DoS (Denial of Service) attack patterns it recognizes. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service is unavailable). Note that a flood large enough to saturate the WAN link itself cannot be stopped by a device on the LAN side of that link; the firewall can only protect the hosts behind it.
• Enable Stealth Mode. Prevents the VPN firewall from responding to incoming requests for unsupported services, so a port scan of the WAN address sees no reply rather than a refusal.
As you define your firewall rules, you can further refine their application according to the following criteria:
• LAN Users. These settings determine which computers on your network are affected by this rule. Select the desired IP Address in this field.
• WAN Users.
• The remote system receives the PC's request and responds using the different port numbers that you have now opened.
• The VPN firewall matches the response to the previous request and forwards the response to the PC.
Without port triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.
Tools for Traffic Management
The VPN firewall includes several tools that can be used to monitor the traffic conditions and control who has access to the Internet and the types of traffic they are allowed to have. See Chapter 9, “Monitoring System Performance” for a discussion of the tools.
Changing Passwords and Administrator Settings
Note: See also “Changing Passwords and Other User Settings” on page 7-9.
The Edit User screen is displayed, with the current settings for Administrator displayed in the Select User Type pull-down menu (for more information about the different types of users, see “Changing Passwords and Other User Settings” on page 7-9). Figure 8-2
3. Select the Check to Edit Password checkbox. The password fields become active.
4. Enter the old password, then enter the new password twice.
5.
Enabling Remote Management Access
Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall” on page 2-2).
Note: Change the default configuration password of the VPN firewall to a strong, unique password before enabling remote management. Once enabled, the management interface is reachable from the Internet, and the factory default password is the first thing an attacker will try.
2. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect.
a. To allow access from any IP address on the Internet, select Everyone. Use this only when the administrator's address cannot be predicted; it exposes the login page to every host on the Internet.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
c.
Note: The first time you remotely connect to the VPN firewall with a browser via SSL, you may get a warning message regarding the SSL certificate. Before accepting it (on a Windows computer with Internet Explorer 5.5 or higher, by clicking Yes), confirm that the certificate presented matches the firewall's own self certificate (see Chapter 7); an unexpected certificate can also mean that the connection is being intercepted. Uploading a certificate issued by a CA your browsers trust removes the warning.
Using an SNMP Manager
Simple Network Management Protocol (SNMP) lets you monitor and manage your VPN firewall from an SNMP Manager. It provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. Access is controlled by community strings, which travel in clear text on the wire: treat them as passwords, do not use well-known defaults such as public, and restrict which manager addresses may present them.
The SNMP Configuration table lists the SNMP configurations by:
• IP Address. The IP address of the SNMP manager.
• Port.
– To make the VPN firewall globally accessible using the community string, but still receive traps on the host, enter 0.0.0.0 as the subnet mask and an IP address for where the traps will be received. With a 0.0.0.0 mask, any host that learns the community string can query the firewall, so avoid this on an Internet-facing interface.
b. Enter the trap port number of the configuration in the Port field. The default is 162.
c. Enter the trap community string of the configuration in the Community field.
3. Click Add to create the new configuration.
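The IP address and subnet mask of each entry together define which sources may use its community string, and the 0.0.0.0 mask described above turns that into "anyone". The following is an added example, not code from the NETGEAR manual or the firewall's firmware: it models the entries of the SNMP Configuration table, answers "would this request from this source with this community be accepted?", and flags the two findings a reviewer looks for first (an entry open to any source, and a well-known default community string). The sample entries are constructed; the list of default community strings is an assumption the manual does not mention.

```python
"""Audit the SNMP manager entries of a firewall like the FVS336G.

Added example, not code from the NETGEAR manual or firmware. The entry
fields mirror the SNMP Configuration table (IP address, subnet mask,
port, community string); the sample entries are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Well-known default community strings shipped by many SNMP agents and tried
# first by every scanner (assumption: the manual does not list them).
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass(frozen=True)
class SnmpManagerEntry:
    ip: str            # manager address, also where traps are sent
    subnet_mask: str   # 0.0.0.0 means any source may use the community string
    port: int          # trap port, 162 by default
    community: str


def allowed_network(entry):
    """Network of sources permitted to use this entry's community string."""
    # ip_network accepts a dotted mask; strict=False keeps the host bits
    # (so 192.168.1.50 with 255.255.255.255 becomes 192.168.1.50/32).
    return ipaddress.ip_network(f"{entry.ip}/{entry.subnet_mask}", strict=False)


def source_permitted(entries, src_ip, community):
    """First entry whose community string and source network accept this request, or None."""
    src = ipaddress.ip_address(src_ip)
    for entry in entries:
        if entry.community == community and src in allowed_network(entry):
            return entry
    return None


def audit(entries):
    """(community, issue) pairs a reviewer should look at."""
    findings = []
    for entry in entries:
        if allowed_network(entry).prefixlen == 0:
            findings.append((entry.community, "any-source"))
        if entry.community.lower() in DEFAULT_COMMUNITIES:
            findings.append((entry.community, "default-community"))
    return findings


if __name__ == "__main__":
    sample = [
        SnmpManagerEntry("192.168.1.50", "255.255.255.255", 162, "s3cr3t-community"),
        SnmpManagerEntry("203.0.113.9", "0.0.0.0", 162, "public"),   # the "globally accessible" case
    ]
    for entry in sample:
        print(entry.ip, "->", allowed_network(entry))
    print(audit(sample))
```

Run against a real configuration, the audit output is the list of entries to tighten: replace the community string if it is a default, and replace a 0.0.0.0 mask with the manager's own host mask (255.255.255.255) or the management subnet's mask.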
Once you have installed the VPN firewall and have it working properly, you should back up a copy of your settings to a file on your computer. If necessary, you can later restore the VPN firewall settings from this file. Store the backup file securely: it contains the firewall's complete configuration, including VPN and account settings.
The Settings Backup and Firmware Upgrade screen allows you to:
• Back up and save a copy of your current settings.
• Restore saved settings from the backed-up file.
• Revert to the factory default settings.
• If you have your browser set up to save downloaded files automatically, the file will be saved to your browser's download location on the hard disk.
Warning: Once you start restoring settings or erasing the VPN firewall, do NOT interrupt the process.
To download a firmware version:
1. Go to the NETGEAR website at http://www.netgear.com/support and click Downloads.
2. From the Product Selection pull-down menu, choose the FVS336G.
3. Click on the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the VPN firewall's software.
To upgrade the VPN firewall's software:
1.
To set time, date, and NTP servers:
1. Select Administration > Time Zone from the menu. The Time Zone screen is displayed (Figure 8-7).
2. From the Date/Time pull-down menu, choose the local time zone. This is required in order for scheduling to work correctly. The VPN firewall includes a real-time clock (RTC), which it uses for scheduling; an accurate clock also matters for certificate validity checks and for log timestamps you may need to correlate with other systems.
3. If supported in your region, select Automatically Adjust for Daylight Saving Time.
Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G. You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the VPN firewall, WAN ports, LAN ports, and VPN tunnels.
Figure 9-1
2. Enable the traffic meter by clicking the Yes radio button under Do you want to enable Traffic Metering on WAN1? The traffic meter will record the volume of Internet traffic passing through WAN1. Select the following options:
• No Limit. Any specified restrictions will not be applied when the traffic limit is reached.
• Download only.
Note: Both incoming and outgoing traffic are included in the limit.
• Increase this month limit by. Temporarily increase the traffic limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so that the increase is only applied once.)
• This month limit.
Activating Notification of Events and Alerts
The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address.
Figure 9-2
7. To respond to IDENT protocol messages, check the Respond to Identd from SMTP Server box. The Ident protocol is a weak scheme to verify the sender of e-mail (a common daemon program for providing the ident service is identd); enable it only if your mail server insists on it.
8. In the Send E-mail logs by Schedule section, enter a Schedule for sending the logs. From the Unit pull-down menu, choose: Never, Hourly, Daily, or Weekly.
Figure 9-3
If the E-mail Logs option has been enabled on the Firewall Logs & E-mail screen, you can send a copy of the log by clicking Send Log. Click Refresh Log to retrieve the latest update; click Clear Log to delete all entries. Log entries are described in Table 9-2.
Table 9-2. Firewall Logs Field Descriptions
• Date and Time – The date and time the log entry was recorded.
Viewing VPN Firewall Configuration and System Status
The Router Status screen provides status and usage information.
To view the VPN firewall configuration and system status:
Select Monitoring > Router Status from the menu. The Router Status screen is displayed (Figure 9-4). The following information is displayed.
Table 9-3.
Table 9-3. Router Status Information (continued)
WAN1 Configuration:
• WAN Mode: Single, Dual, or Rollover.
• WAN State: UP or DOWN.
• NAT: Enabled or Disabled.
• Connection Type: Static IP, DHCP, PPPoE, or PPTP.
• Connection State: Connected or Disconnected.
• WAN IP Address: The IP address of the WAN interface.
• Subnet Mask: The IP subnet mask of the WAN interface.
To set the poll interval:
1. Click the Stop button.
2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds, the maximum is 5 minutes).
3. Click the Set Interval button.
Monitoring the Status of WAN Ports
You can monitor the status of both of the WAN connections, the Dynamic DNS Server connections, and the DHCP Server connections.
To monitor the status of the WAN ports:
1.
Monitoring Attached Devices
The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network.
To view the LAN Groups screen:
1. Select Network Configuration > LAN Settings from the menu, and then select the LAN Groups tab. The LAN Groups screen is displayed (Figure 9-7).
2. The Known PCs and Devices database is an automatically-maintained list of LAN-attached devices.
The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed.
Table 9-4. Known PCs and Devices options
• Name – The name of the PC or device. Sometimes this cannot be determined, and it will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
• IP Address – The current IP address.
2. Click the DHCP Log link to the right of the tabs. The DHCP Log appears in a popup window (Figure 9-9).
3. To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
Monitoring Active Users
The Active Users screen displays a list of administrators and SSL VPN users currently logged into the device.
To display the list of active users:
1.
Viewing Port Triggering Status
To view the status of port triggering:
1. Select Security > Port Triggering from the menu. The Port Triggering screen is displayed (Figure 9-11).
2. When the Port Triggering screen is displayed, click the Status link to the right of the tab to display the Port Triggering Status screen (Figure 9-12). The status window displays the information that is shown in Table 9-5.
Table 9-5.
Table 9-5. Port Triggering Status Information (continued)
• Open Ports – The incoming ports associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
• Time Remaining – The time remaining before this rule is released and made available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received.
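The port-triggering mechanism described in Chapter 8 (an outbound connection on the trigger port opens the rule's inbound ports toward that one LAN host) and the status table above (one holder per rule, a timer that is restarted by traffic in either direction and releases the rule when it runs out) are two views of the same state machine. The following is an added example, not code from the NETGEAR manual or the firewall's firmware, that implements that state machine so the behaviour can be traced step by step: what happens to an inbound packet when no trigger is open, what happens when a second LAN host tries to claim a rule that another host holds, and when the rule is released. The rule fields, the sample rule (IRC on port 6667 opening port 113 for Ident, a classic use of port triggering) and the 300-second timeout are assumptions for illustration; the device's own timer values and columns may differ.

```python
"""Port-triggering state table as described in the manual.

Added example, not code from the NETGEAR manual or firmware. Rule fields,
the sample rule and the timeout are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_port: int      # outbound destination port that activates the rule
    open_ports: tuple      # inbound ports then forwarded to the triggering LAN host
    timeout: int           # seconds without traffic before the rule is released


@dataclass
class TriggerState:
    lan_ip: str            # the one LAN host currently holding the rule
    time_remaining: int


class PortTriggering:
    def __init__(self, rules):
        self.rules = {rule.name: rule for rule in rules}
        self.active = {}   # rule name -> TriggerState

    def outbound(self, lan_ip, dst_port):
        """Handle an outgoing connection. Returns True if a trigger rule was (re)armed for lan_ip."""
        armed = False
        for name, rule in self.rules.items():
            if rule.trigger_port != dst_port:
                continue
            state = self.active.get(name)
            if state is None:
                self.active[name] = TriggerState(lan_ip, rule.timeout)
                armed = True
            elif state.lan_ip == lan_ip:
                state.time_remaining = rule.timeout     # outgoing traffic restarts the timer
                armed = True
            # Another host holds the rule: it stays with that host until released.
        return armed

    def inbound(self, dst_port):
        """LAN address an unsolicited inbound packet is forwarded to, or None.

        None means no trigger is open for this port; the device then treats the
        packet as a new connection and applies its port-forwarding rules instead.
        """
        for name, state in self.active.items():
            if dst_port in self.rules[name].open_ports:
                state.time_remaining = self.rules[name].timeout   # incoming traffic restarts it too
                return state.lan_ip
        return None

    def tick(self, seconds):
        """Advance the clock; release rules whose inactivity timer has run out."""
        for name in list(self.active):
            self.active[name].time_remaining -= seconds
            if self.active[name].time_remaining <= 0:
                del self.active[name]

    def status(self):
        """Rows of the Port Triggering Status screen: (rule, LAN IP, open ports, time remaining)."""
        return [(name, s.lan_ip, self.rules[name].open_ports, s.time_remaining)
                for name, s in self.active.items()]


if __name__ == "__main__":
    pt = PortTriggering([TriggerRule("irc-ident", 6667, (113,), 300)])
    print(pt.inbound(113))                       # None: nothing open yet, port-forwarding rules apply
    pt.outbound("192.168.1.10", 6667)            # LAN host opens the trigger
    print(pt.inbound(113))                       # 192.168.1.10
    print(pt.outbound("192.168.1.11", 6667))     # False: rule is held by .10 until released
    pt.tick(300)                                 # timer expires, rule released
    print(pt.status())                           # []
```

The point worth noticing for firewall policy is the `inbound` path: while a trigger is open, any Internet host, not only the one the LAN PC talked to, can reach the opened ports on that PC, which is why triggered ports count as a feature that increases WAN-side exposure as well as traffic.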
2. Select the SSL VPN Connection Status tab. The SSL VPN Connection Status screen is displayed (Figure 9-14).
The active SSL VPN user's user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user connected. You can disconnect an active SSL VPN user by clicking Disconnect to the right of the user's list entry.
Chapter 10 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G. After each problem description, instructions are provided to help you diagnose and solve the problem.
Power LED Not On
If the Power and other LEDs are off when your VPN firewall is turned on:
• Make sure that the power cord is properly connected to your VPN firewall and that the power supply adapter is properly connected to a functioning power outlet.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.
Troubleshooting the Web Configuration Interface
If you are unable to access the VPN firewall's Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the VPN firewall as described in the previous section.
• Make sure your PC's IP address is on the same subnet as the VPN firewall.
If the VPN firewall does not save changes you have made in the Web Configuration Interface, check the following:
• When entering configuration settings, be sure to click the APPLY button before moving to another screen, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
• Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-3 on page 2-5).
• Your ISP may allow only one Ethernet MAC address to connect to the Internet, and may check for your PC's MAC address.
3. Click OK.
• If your ISP assigned a host name to your PC, enter that host name as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-3 on page 2-5).
– Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs.
Problems with the date and time function can include:
• Date shown is January 1, 2000. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes and check the date and time again.
• Time is off by one hour.
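The "January 1, 2000" symptom above, and the NTP server setting in Chapter 8, come down to one exchange: the firewall sends a 48-byte NTP request, and if a usable reply comes back it sets its clock from the reply's transmit timestamp; otherwise the real-time clock keeps its default. The following is an added example, not code from the NETGEAR manual or the firewall's firmware, that builds the request, decodes a reply, and shows the two cases a client must not set its clock from (a server that reports its own clock as unsynchronised, and a stratum-0 "kiss-o'-death" reply). The reply packets are constructed, not captured, and the RTC default is taken from the troubleshooting note; the `query` function is included for use against a real server but needs network access.

```python
"""Build an NTP request and interpret a server reply.

Added example, not code from the NETGEAR manual or firmware. Reply packets
below are constructed, not captured; RTC_DEFAULT comes from the manual's
troubleshooting note.
"""
import socket
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 to 1970-01-01
RTC_DEFAULT = datetime(2000, 1, 1, tzinfo=timezone.utc)


def build_request(version=4):
    """48-byte client packet: LI=0, VN=version, Mode=3; all other fields zero."""
    first = (0 << 6) | (version << 3) | 3
    return bytes([first]) + b"\x00" * 47


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (seconds since 1900 plus a 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32


def parse_response(data):
    """Decode the header and transmit timestamp; flag replies no clock should be set from."""
    if len(data) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    leap = data[0] >> 6
    version = (data[0] >> 3) & 0x07
    mode = data[0] & 0x07
    stratum = data[1]
    if mode != 4:
        raise ValueError("not a server reply (mode != 4)")
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])   # transmit timestamp is the last 8 bytes
    return {
        "leap": leap,
        "version": version,
        "stratum": stratum,
        # LI=3 means the server's own clock is unsynchronised; stratum 0 is a
        # kiss-o'-death packet. Neither may be used to set the clock.
        "unsynchronized": leap == 3 or stratum == 0,
        "unix_time": ntp_to_unix(tx_sec, tx_frac),
    }


def clock_after_sync(reply):
    """Clock the firewall would show: the reply's time, or the RTC default if the reply is unusable."""
    if reply["unsynchronized"]:
        return RTC_DEFAULT
    return datetime.fromtimestamp(reply["unix_time"], timezone.utc)


def constructed_reply(unix_time, stratum=2, leap=0):
    """Server reply carrying the given transmit time (constructed sample, not a capture)."""
    seconds = int(unix_time) + NTP_EPOCH_OFFSET
    fraction = int((unix_time - int(unix_time)) * 2 ** 32)
    first = (leap << 6) | (4 << 3) | 4             # LI, VN=4, Mode=4 (server)
    header = bytes([first, stratum, 6, 0xEC])      # poll=6, precision=-20
    return header + b"\x00" * 36 + struct.pack("!II", seconds, fraction)


def query(server, timeout=3.0):
    """Send one request over UDP/123 and return the parsed reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (server, 123))
        data, _ = sock.recvfrom(512)
    return parse_response(data)


if __name__ == "__main__":
    good = parse_response(constructed_reply(1262304000.5, stratum=2))   # 2010-01-01 00:00:00.5 UTC
    print(clock_after_sync(good))
    kod = parse_response(constructed_reply(0, stratum=0, leap=3))
    print(clock_after_sync(kod))                                        # stays at the RTC default
```

When the clock stays at the default, the firewall is either not reaching UDP port 123 on the configured server at all (check the WAN settings and any upstream filtering) or is receiving replies it correctly refuses to use; a packet capture on the WAN side distinguishes the two.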
Table 10-1. Diagnostics
• Ping or trace an IP address – Ping: used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Appendix A Default Settings and Technical Specifications
You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset.
• To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below. This erases your configuration and returns the administrator password to the factory default, so anyone with physical access to the rear panel can regain administrative control; keep the unit in a secured location.
• Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports.
• Protocol binding
– For rollover mode, protocol binding does not apply.
– For load balancing mode, decide which protocols should be bound to a specific WAN port.
– You can also add your own service protocols to the list.
3. Set up your accounts
a. Obtain active Internet services such as cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information.
• You can choose a variety of WAN options if the factory default settings are not suitable for your installation. These options include enabling a WAN port to respond to a ping, and setting MTU size, port speed, and upload bandwidth.
4. Prepare to physically connect the VPN firewall to your cable or DSL modems and a computer.
• Fixed IP Address, which is also known as Static IP Address
Where Do I Get the Internet Configuration Parameters?
There are several ways you can gather the required Internet connection information.
• Your ISPs provide all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISPs to provide it or you can try one of the options below.
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:
Primary DNS Server IP Address: ______.______.______.______
Secondary DNS Server IP Address: ______.______.______.______
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home.
Virtual Private Networks (VPNs)
A virtual private network (VPN) tunnel provides a secure communication channel between either two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for the other tunnel end point to establish (or re-establish) the VPN tunnel.
The Load Balancing Case for Firewalls With Dual WAN Ports
Load balancing for the dual WAN port case is similar to the single WAN port case when specifying the IP address. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
In the single WAN case, the WAN's Internet address is either a fixed IP or a fully-qualified domain name if the IP address is dynamic.
Figure B-4
Inbound Traffic to Dual WAN Port Systems
The IP address range of the VPN firewall's WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
Figure B-6
Virtual Private Networks (VPNs)
When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the VPN firewall's dual WAN port depends on the configuration being implemented:
Table B-2.
Rollover Case for Dual Gateway WAN Ports
Rollover for the dual gateway WAN port case is different from the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Only one WAN port is active at a time and when it rolls over, the IP address of the active WAN port always changes.
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall:
• Single gateway WAN port
• Redundant dual gateway WAN ports for increased reliability (before and after rollover)
• Dual gateway WAN ports used for load balancing
VPN Road Warrior: Single Gateway WAN Port (Reference Case)
In the case of the singl
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as a responder.
The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
Figure B-13
The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in this example) and one of the gateway VPN firewalls must reestablish the VPN tunnel.
Figure B-15
The purpose of the fully-qualified domain names in this case is to toggle the domain name of the failed-over gateway firewall between the IP addresses of the active WAN port (i.e.
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
VPN Telecommuter (Client-to-Gateway Through a NAT Router)
Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.
The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
Appendix C Two Factor Authentication
This appendix provides an overview of Two-Factor Authentication, and an example of how to implement the WiKID solution. This appendix contains the following sections:
• “Why do I need Two-Factor Authentication?” on this page.
• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works.

1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know) and then presses “continue” to receive the OTP from the WiKID authentication server:

Figure C-1

2.
Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it is expired, the user must go through the request process again to generate a new OTP.

3. The user then proceeds to the Two-Factor Authentication login screen and enters the generated one-time passcode as the login password.
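The single-use and expiry properties the note above relies on, modelled as an added example (not NETGEAR's or WiKID's code): a PIN check gates issuance of a time-stamped OTP, and the login check accepts it once and only inside an assumed lifetime; the PIN store, clock and lifetime are constructed for the demo.

```python
"""Added example, not NETGEAR's or WiKID's code: a minimal model of the OTP
flow described above. A correct PIN unlocks issuance of a time-stamped OTP
that is accepted exactly once and only before it expires; after that the
user must request a new one. Lifetime, PIN store and clock are constructed."""
import hashlib
import hmac
import secrets

OTP_LIFETIME_SECONDS = 60  # assumed window; the real server's value is configurable


def hash_pin(pin):
    return hashlib.sha256(pin.encode()).hexdigest()


class ManualClock:
    """Constructed clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


class OtpServer:
    def __init__(self, pin_hashes, clock):
        self._pin_hashes = pin_hashes  # user -> hash_pin(PIN)
        self._clock = clock            # callable returning seconds
        self._pending = {}             # user -> (otp, issued_at)

    def request_otp(self, user, pin):
        """Steps 1-2: PIN check, then a fresh OTP bound to the issue time."""
        expected = self._pin_hashes.get(user)
        if expected is None or not hmac.compare_digest(expected, hash_pin(pin)):
            return None
        otp = "".join(secrets.choice("0123456789") for _ in range(6))
        self._pending[user] = (otp, self._clock())
        return otp

    def verify_login(self, user, otp):
        """Step 3: the OTP is the login password; any attempt consumes it."""
        entry = self._pending.pop(user, None)  # single use
        if entry is None:
            return "rejected"
        stored, issued_at = entry
        if self._clock() - issued_at > OTP_LIFETIME_SECONDS:
            return "expired"  # must go through the request process again
        if not hmac.compare_digest(stored, otp):
            return "rejected"
        return "accepted"
```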
Appendix D Related Documents

This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

Document: TCP/IP Networking Basics
Link: http://documentation.netgear.com/reference/enu/tcpip/index.htm

Document: Wireless Networking Basics
Link: http://documentation.netgear.com/reference/enu/wireless/index.htm

Document: Preparing Your Network
Link: http://documentation.netgear.com/reference/enu/wsdhcp/index.
Index

Numerics Dual WAN ports 5-1 restoring WAN interface 2-14 use with DDNS 2-17 Using WAN port 2-14 3322.
Challenge Handshake Authentication Protocol. See CHAP. DHCP log monitoring 9-12 CHAP. See also RADIUS-CHAP, MIAS-CHAP, or WiKID-CHAP.
Dual WAN ports Auto-Rollover, configuration of 2-13 inbound traffic B-8 Load Balancing, configuration of 2-15 load balancing, inbound traffic B-8 network planning B-1 viewing activity 9-15 Firewall Log Field Description 9-7 Firewall Logs e-mailing of 4-33, 9-4 viewing 9-6 Dynamic DNS configuration of 2-16 Firewall Logs & E-mail screen 4-33, 9-4 Dynamic DNS Configuration screen 2-16, 2-17 Firewall Protection Content Filterin
XAUTH, adding to 5-21 Inbound Rules default definition 4-2 field descriptions 4-6 order of precedence 4-8 Port Forwarding 4-3, 4-5 rules for use 4-5 inbound rules 4-5 example 4-13 Inbound Service Rule modifying 4-11 Inbound Services field descriptions 4-6 inbound traffic B-5, B-7 dual WAN ports B-8 single WAN port reference case B-7 increasing traffic 8-5 Port Forwarding 8-5 Port Triggering 8-6 VPN Tunnels 8-7 installation 1-4 I
N troubleshooting 10-2 Lightweight Directory Access Protocol. See LDAP.
Portal Site Title 6-5 modifying 4-11 ports explanation of WAN and LAN 1-6 Outbound Services field descriptions 4-3 PPP connection 6-2 P PPP over Ethernet. See PPPoE. package contents 1-5 PPPoE 1-4, 2-6, 2-8 Account Name 2-9 Domain Name 2-9 Internet connection 2-8 packet capture 10-9 PAP. See also RADIUS-PAP, MIAS-PAP, or WiKID-PAP. 7-2 Password Authentication Protocol. See PAP.
reducing traffic 8-2 Block Sites 8-4 service blocking 8-2 Source MAC Filtering 8-4 remote management 8-10 access 8-10 configuration 8-10 remote users assigning addresses 5-24 ModeConfig 5-24 requirements hardware B-3 reserved IP address configuring 3-9 in LAN groups database 3-8 restrictions 3-8 resources defining 6-13 restore saved settings 8-15 retry interval 2-14 Routing Information Protocol. See RIP.
Simple Network Management Protocol. See SNMP.
User Policies 6-15 V view protocol bindings Load Balancing 2-15 VPNs B-6, B-9 about B-9 gateway-to-gateway B-13, B-14, B-15 road warrior B-11, B-13 telecommuter B-17, B-18 viewing VPN tunnel status 9-15 VoIP (voice over IP) sessions 4-18 VPN gateway to gateway, about B-13 gateway-to-gateway, Dual gateway B-14 gateway-to-gateway, single gateway B-13 Load Balancing, examples of B-10 load balancing, with dual WAN ports B-7 Road
X XAUTH IPsec host 5-20 types of 5-20