ProSafe VPN Firewall 50 FVS338 Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
202-10046-09 v1.0
© 2006–2010 by NETGEAR, Inc. All rights reserved.

Technical Support
Please refer to the support information card that shipped with your product. By registering your product at http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product and software upgrades.

NETGEAR, Inc. Support Information
Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card.
E-mail: support@netgear.
Manufacturer's/Importer's Declaration
It is hereby confirmed that the ProSafe VPN Firewall 50 is suppressed against radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The prescribed operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please refer to the notes in the operating instructions.
OpenSSL
Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2.
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
Contents
About This Manual
  Conventions, Formats and Scope, page xiii
  How to Print This Manual, page xiv
  Revision History, page xiv
Chapter 1 Introduction
  Key Features
Chapter 2 Connecting the VPN Firewall to the Internet
  Configuring Advanced WAN Options (Optional), page 2-16
  Additional WAN Related Configuration, page 2-18
Chapter 3 LAN Configuration
  Choosing the VPN Firewall DHCP Options, page 3-1
  Configuring the LAN Setup Options
Chapter 4 Firewall Protection and Content Filtering
  Specifying Quality of Service (QoS) Priorities, page 4-22
  Creating Bandwidth Profiles, page 4-23
  Setting a Schedule to Block or Allow Specific Traffic, page 4-25
  Blocking Internet Sites (Content Filtering)
Chapter 5
  Configuring Keepalives, page 5-42
  Configuring Dead Peer Detection, page 5-43
  Configuring NetBIOS Bridging with VPN, page 5-44
Chapter 6 VPN Firewall and Network Management
  Performance Management
Chapter 7
  LEDs Never Turn Off, page 7-2
  LAN or Internet Port LEDs Not On, page 7-2
  Troubleshooting the Web Configuration Interface, page 7-3
  Troubleshooting the ISP Connection
Appendix C
  NETGEAR Two-Factor Authentication Solutions, page C-2
Appendix D Related Documents
Index
About This Manual
The NETGEAR® ProSafe™ VPN Firewall 50 FVS338 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills.

Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs.
• Typographical Conventions. This manual uses the following typographical conventions.
• Scope. This manual is written for the VPN firewall according to these specifications:
  Product Version: ProSafe VPN Firewall 50
  Manual Publication Date: January 2010
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix D, “Related Documents.”
Note: Updates to this product are available on the NETGEAR, Inc. website at http://kb.netgear.com/app/home.
Revision History
• Part number 202-10046-08, version 1.0.
• Part number 202-10046-09, version 1.0, January 2010 (continued):
  – Reorganized Chapter 4, “Firewall Protection and Content Filtering.” In addition:
    * Revised all sections in this chapter.
    * Added the “Configuring Other Firewall Features” section (which includes the new “Managing the Application Level Gateway for SIP Sessions” subsection).
    * Added the “Creating Services, QoS Profiles, and Bandwidth Profiles” section.
Chapter 1 Introduction The ProSafe VPN Firewall 50 FVS338 integrates an 8-port switch that connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS338 is a complete security solution that protects your network from attacks and intrusions. For example, the FVS338 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support.
• Quality of Service (QoS) support for traffic prioritization.
• Built-in 8-port 10/100 Mbps switch.
• Extensive protocol support.
• Login capability.
• SNMP for manageability.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
Security
The VPN firewall is equipped with several features designed to maintain security, as described in this section.
• PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Unsolicited requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN. Inbound rules that forward a service to a LAN server are the deliberate exception (see Chapter 4).
• Port Forwarding with NAT.
• Automatic Configuration of Attached PCs by DHCP. The FVS338 dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
• DNS Proxy.
• Visual monitoring. The FVS338’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the FVS338:
• Flash memory for firmware upgrade.
• Technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product.
Front Panel
The FVS338 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.

Figure 1-1: Front panel (Power LED, Test LED, Modem LED, Internet LEDs, Local LEDs)

The table below describes each item on the front panel and its operation.

Table 1-1. Object Descriptions
Object           Activity          Description
Power LED        On (Green)        Power is supplied to the FVS338.
                 Off               Power is not supplied to the FVS338.
Internet LEDs
  100 LED        On (Green)        The WAN port is operating at 100 Mbps.
                 Off               The WAN port is operating at 10 Mbps.
Local LEDs
  Link/Act LED   On (Green)        The LAN port has detected a link with a connected Ethernet device.
                 Blinking (Green)  Data is being transmitted or received by the LAN port.
                 Off               The LAN port has no link.
Factory Default Login
Check the label on the bottom of the FVS338’s enclosure if you forget the following factory default information:
• IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN
• User name: admin
• Password: password

Figure 1-3: Product label showing the LAN IP address, user name and password

To log in to the FVS338 once it is connected:
1. Go to http://192.168.1.1.
Figure 1-4: Login screen
2. Enter admin for User Name and password for Password.
These credentials are the same on every unit as shipped and are printed on the label, so change the password as soon as you can log in, and in any case before you enable remote management (see “Changing Passwords and Settings” on page 6-8).
Chapter 2 Connecting the VPN Firewall to the Internet
This section provides instructions for connecting the ProSafe VPN Firewall 50 FVS338, including these topics:
• “Understanding the Connection Steps” on this page
• “Logging in to the VPN Firewall” on page 2-2
• “Navigating the Menus” on page 2-3
• “Configuring your Internet Connection” on page 2-3
• “Manually Configuring Your Broadband Internet Connection” on page 2-9
• “Configuring the WAN Mode” on page 2-11
• “Configuring Dynamic DNS (Optional)” on page 2-14
5. Configure dynamic DNS on the WAN ports (optional). If required, configure your fully qualified domain names during this phase. See “Configuring Dynamic DNS (Optional)” on page 2-14.
6. Configure the WAN options (optional). Optionally, you can change the MAC address, the default MTU size, and the port speed. However, these are relatively advanced features and changing them is not usually required.
Note: See “Enabling Remote Management Access” on page 6-14 for information on remote management. If you enable remote management, change your password to a more secure one than the factory default (see “Changing Passwords and Settings” on page 6-8).

Navigating the Menus
The Web Configuration Manager menus are organized in a layered structure of main categories and submenus:
• Main menu.
Broadband ISP WAN Port Settings
To automatically configure the broadband ISP connection:
1. Select Network Configuration from the main menu and WAN Settings from the submenu. The Broadband ISP Settings screen will display.
Figure 2-2: Broadband ISP Settings screen
2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP.
When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1.

Table 2-1. Internet connection methods
Connection Method    Data Required
PPPoE                Login (requires username and password).
PPTP                 Login (requires username and password, local IP address, and PPTP server IP address).
DHCP (Dynamic IP)    No data is required.
Dial-up ISP Serial WAN Port Settings
The Dialup Settings screen will assist you in setting up the VPN firewall to access the Internet using a dial-up modem. Since the dial-up ISP settings must be configured manually, you will need all of your ISP settings information before you begin.
To configure the dial-up ISP connection:
1. Select Network Configuration from the main menu and WAN Settings from the submenu.
2.
3. In the Dial-up Account section of the screen, enter the following settings:
• Account/User name. The account name or the user name provided by your ISP. This name is used to log in to the ISP server.
• Password. The account password for the dial-up ISP.
• Telephone. The telephone number or access number to dial for connectivity. Enter the number using the format described in your modem’s user manual.
• Alternative Telephone.
• Select the DNS servers by selecting one of the following radio boxes:
  – Get Automatically From ISP. Enables the VPN firewall to accept the DNS servers that are dynamically assigned by the ISP. This is the default setting.
  – Use These DNS Servers. Requires the VPN firewall to use the static DNS servers that were assigned by the ISP. Enter the IP addresses of the DNS servers in the Primary DNS Server and Secondary DNS Server fields.
Manually Configuring Your Broadband Internet Connection
If you know your broadband ISP connection type, you can bypass the Auto Detect feature and configure your VPN firewall manually. Ensure that you have all of the relevant connection information, such as IP addresses, account information, and type of ISP connection, before you begin.
2. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select Yes. Otherwise, select No.
3. What type of ISP connection do you use? If your connection is PPTP or PPPoE, then you must log in (select the Yes radio box in the previous step). The text box fields that require data entry will be highlighted, based on the connection that you selected.
4. If your ISP has assigned a fixed (static or permanent) IP address, select the Use Static IP Address radio box and fill in the following fields:
• IP Address. The static IP address assigned to you. This identifies the VPN firewall to your ISP.
• Subnet Mask. Usually provided by the ISP or your network administrator.
• Gateway IP Address. The IP address of the ISP’s gateway. Usually provided by the ISP or your network administrator.
• NAT. NAT is the default setting. Select NAT if your ISP has assigned only one IP address to you. The computers that connect through the VPN firewall must then be assigned IP addresses from a private subnet (for example: 192.168.1.0).
• Classical Routing. In this mode, the VPN firewall performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid public Internet IP address.
3. In the Port Mode section of the screen, select the port mode settings to configure your VPN firewall to use only one WAN port (either the broadband port or the dial-up port) or to use the dial-up port as a backup.
• If you are connected to only one ISP, select the Use only single WAN port radio box and select the WAN port that is connected to your ISP from the pull-down menu.
Configuring Dynamic DNS (Optional)
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not be available, since private addresses cannot be routed on the Internet.
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.
Figure 2-7: Dynamic DNS Configuration screen
A tab is provided for each supported DDNS service provider. The WAN Mode section on the screen displays the currently configured WAN mode: Single Port Broadband, Single Port Dial-up, or Auto Rollover with Primary Broadband. If you have configured Single Port, select the tab for a DDNS service provider, then fill out the DDNS section for that port.
4. After setting up your account, return to the Dynamic DNS Configuration screen and fill in the required fields for the DDNS service that you selected:
a. In the Host and Domain Name field, enter the entire FQDN that your dynamic DNS service provider gave you (for example: .dyndns.org).
b. Enter the user name, user e-mail address, or account name requested by the DDNS service to identify you when logging into your DDNS account.
c.
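The following is an added example, not code from the NETGEAR manual or the FVS338 firmware. It shows the two things a DDNS client has to get right before it touches the provider: the pre-flight check behind the note above (a private or otherwise non-global WAN address must never be published), and the update request itself. The request follows the DynDNS.org "nic/update" convention (an HTTP GET with Basic authentication and a one-word response code); the manual only says that you need an account with a provider, so the endpoint, header names and response codes here are assumptions about that provider protocol, and the host name, credentials and addresses are constructed.

```python
"""Dynamic DNS pre-flight check and update request builder.

Added example, not code from the NETGEAR manual. The DynDNS.org "nic/update"
endpoint, the User-Agent/Authorization headers and the response codes below
are assumptions about the provider protocol, which the manual does not cover.
"""
import base64
import ipaddress
from urllib.parse import urlencode

UPDATE_HOST = "members.dyndns.org"            # assumed provider endpoint
UPDATE_PATH = "/nic/update"
SUCCESS_CODES = {"good", "nochg"}             # name updated / already current
FATAL_CODES = {"badauth", "notfqdn", "nohost", "abuse", "badagent"}
RETRY_CODES = {"911", "dnserr"}               # provider-side trouble, back off


def wan_ip_is_routable(wan_ip: str) -> bool:
    """The manual's note: a private WAN address (192.168.x.x, 10.x.x.x, ...)
    cannot be published through DDNS because it is not routable on the
    Internet. is_global also rejects loopback, link-local, CGNAT and
    documentation ranges, which would be just as useless in a public name."""
    return ipaddress.ip_address(wan_ip).is_global


def build_update_request(hostname: str, wan_ip: str, username: str, password: str) -> str:
    """Return the raw HTTP/1.1 request that registers wan_ip for hostname.
    Refuses (ValueError) rather than publishing an unroutable address."""
    if not wan_ip_is_routable(wan_ip):
        raise ValueError(f"{wan_ip} is not a public address; DDNS cannot be used")
    if "." not in hostname:
        raise ValueError("hostname must be the full FQDN the provider gave you")
    query = urlencode({"hostname": hostname, "myip": wan_ip})
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return (
        f"GET {UPDATE_PATH}?{query} HTTP/1.1\r\n"
        f"Host: {UPDATE_HOST}\r\n"
        f"Authorization: Basic {token}\r\n"
        "User-Agent: fvs338-ddns-example/1.0\r\n"
        "\r\n"
    )


def parse_update_response(body: str) -> dict:
    """Classify the one-line response body, e.g. 'good 8.8.8.8' or 'badauth'."""
    code, _, address = body.strip().partition(" ")
    return {
        "code": code,
        "ip": address or None,
        "ok": code in SUCCESS_CODES,
        "fatal": code in FATAL_CODES,        # fix account or host name before retrying
        "retry_later": code in RETRY_CODES,
    }


if __name__ == "__main__":
    # Constructed values. The manual's example WAN address 10.1.0.1 is private,
    # so the first attempt is refused before any request is built.
    for ip in ("10.1.0.1", "8.8.8.8"):
        try:
            print(build_update_request("home.example.dyndns.org", ip, "user", "pw").splitlines()[0])
        except ValueError as err:
            print("refused:", err)
    print(parse_update_response("good 8.8.8.8"))
```

The client distinguishes fatal responses (wrong credentials, unknown host) from transient ones because providers such as DynDNS.org block accounts that keep retrying after "abuse" or "badauth"; a real client should stop and alert on the fatal set and only back off on the retry set.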
3. Edit the default information that you want to change in the following sections of the screen:
• MTU Size. The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs you may have to reduce the MTU, but this is rarely required and should not be done unless you are sure it is necessary for your ISP connection.
• Speed.
Additional WAN Related Configuration
• If you want the ability to manage the VPN firewall remotely, enable remote management at this time (see “Enabling Remote Management Access” on page 6-14). If you enable remote management, we strongly recommend that you change your password first (see “Changing Passwords and Settings” on page 6-8): the factory default credentials are printed on the product label.
• At this point, you can set up the traffic meter for the WAN, if desired. See “Enabling the Traffic Meter” on page 6-27.
Chapter 3 LAN Configuration
This chapter describes how to configure the LAN settings, LAN groups, and routing features of your ProSafe VPN Firewall 50 FVS338, including the following sections:
• “Choosing the VPN Firewall DHCP Options” on this page
• “Configuring the LAN Setup Options” on page 3-2
• “Managing Groups and Hosts” on page 3-6
• “Configuring Multi-Home LAN IP Addresses” on page 3-10
• “Configuring Static Routes” on page 3-11
• “Configuring Routing Information Protocol (RIP)” on page 3-14

Choosing the VPN Firewall DHCP Options
The VPN firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP address from the range that you have defined.
• Subnet mask.
• Gateway IP address (the VPN firewall’s LAN IP address).
• Primary DNS server (the VPN firewall’s LAN IP address).
• WINS server (if you entered a WINS server address in the DHCP section of the LAN Setup screen).
• Lease time (date obtained and duration of lease).
Note: If you enable the DHCP Relay feature, you will not use the FVS338 as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
To configure the LAN options:
1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen will display.
Figure 3-1: LAN Setup screen
2. In the LAN TCP/IP Setup section, configure the following settings:
• IP Address.
Note: If you change the LAN IP address of the VPN firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must then enter https://10.0.0.1 in your browser to reconnect to the Web Configuration Manager.
• IP Subnet Mask. The subnet mask specifies the network number portion of an IP address.
• WINS Server. (Optional) Specifies the IP address of a local Windows NetBIOS server if one is present in your network.
• Lease Time. Specifies the duration for which IP addresses are leased to clients.
If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information.
Managing Groups and Hosts
The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts that are assigned dynamic IP addresses by this VPN firewall. Collectively, these entries make up the Network Database. The Network Database is updated by these methods:
• Using the DHCP Server.
• If necessary, you can also create firewall rules to apply to a single PC (see “Configuring Source MAC Filtering” on page 4-29). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address: a computer is identified by its MAC address, not its IP address, so changing a computer’s IP address does not affect any restrictions applied to that PC. Note that a user who can change the MAC address of their own network interface can still assume another entry’s identity, so treat MAC-based restrictions as a convenience control rather than as authentication.
• Group. Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment, click edit.
• Action/edit. Allows modification of the selected entry.

Adding Devices to the Network Database
To add devices manually to the Network Database:
1. Fill in the following fields:
• Name. The name of the PC or device.
Changing Group Names in the LAN Groups Database
By default, the LAN groups are named Group1 through Group8. You can rename these groups to something more descriptive, such as Engineering or Marketing.
To edit the names of any of the eight available groups:
1. From the LAN Groups screen, click the Edit Group Names link to the right of the tabs. The Network Database Group Names screen appears.
Figure 3-3: Network Database Group Names screen
2.
Note: The reserved address will not be assigned until the next time the PC contacts the VPN firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.

Configuring Multi-Home LAN IP Addresses
If you have computers using different IP networks in the LAN (for example, 172.16.2.0, 10.0.0.
• select all. Selects all the entries in the Available Secondary LAN IPs table.
• delete. Deletes selected entries from the Available Secondary LAN IPs table.
3. Type the IP Address and the Subnet Mask in the respective text fields.
4. Click add. The secondary LAN IP address will be added to the Secondary LAN IPs table.
Note: Additional IP addresses cannot be configured in the DHCP server.
Figure 3-5: Static Routes screen
2. Click Add. The Add Static Route screen will display.
Figure 3-6: Add Static Route screen
3. Enter a name for the static route in the Route Name field (for identification purposes only).
4. Determine whether the route is:
• Active or Inactive. A route can be added to the Static Routes table and made inactive if it is not needed. This allows routes to be used as needed without deleting and re-adding the entry. An inactive route is not broadcast if RIP is enabled.
7. Interface. From the pull-down menu, select the physical network interface (Broadband-Virtual, Broadband-Ethernet, Dialup, or LAN) through which this route is accessible.
8. Gateway IP Address. Enter the IP address of the gateway through which the destination host or network can be reached. (This must be a device on the same LAN segment as the VPN firewall.)
9. Metric. Enter the metric value that determines the priority of the route.
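The following is an added example, not code from the NETGEAR manual or the FVS338 firmware. It models the fields the procedure above fills in (name, active flag, destination, interface, gateway, metric), enforces the rule in step 8 that the gateway must sit on a segment directly attached to the firewall, honours the note that an inactive route is neither used nor advertised, and resolves a lookup by longest matching prefix first and metric second. Treating a lower metric as the preferred route among equal prefixes is an assumption about how the FVS338 orders them, and every network, gateway and route name below is constructed.

```python
"""Static route table with the lookup behaviour the procedure configures.

Added example, not code from the NETGEAR manual. Lower metric = preferred
route is an assumption; the addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StaticRoute:
    name: str
    destination: str          # e.g. "172.16.2.0/24"
    interface: str            # LAN, Broadband-Ethernet, Broadband-Virtual or Dialup
    gateway: str
    metric: int
    active: bool = True       # inactive routes stay in the table but are not used

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.destination, strict=True)


class RoutingTable:
    def __init__(self, connected: Dict[str, str]):
        # interface name -> network directly attached to the firewall on it
        self.connected = {name: ipaddress.ip_network(net) for name, net in connected.items()}
        self.routes: List[StaticRoute] = []

    def add(self, route: StaticRoute) -> None:
        gw = ipaddress.ip_address(route.gateway)
        attached = self.connected.get(route.interface)
        # Manual, step 8: the gateway must be a device on the same segment as the firewall.
        if attached is None or gw not in attached:
            raise ValueError(f"gateway {route.gateway} is not on the {route.interface} segment")
        self.routes.append(route)

    def lookup(self, dst: str) -> Optional[Tuple[str, Optional[str], str]]:
        """Return (interface, next hop, route name), or None when nothing matches."""
        addr = ipaddress.ip_address(dst)
        for iface, net in self.connected.items():
            if addr in net:
                return (iface, None, "connected")     # deliver directly, no gateway
        candidates = [r for r in self.routes if r.active and addr in r.network]
        if not candidates:
            return None
        # Most specific prefix wins; among equal prefixes the lowest metric wins.
        best = min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))
        return (best.interface, best.gateway, best.name)

    def rip_advertised(self) -> List[str]:
        """Manual: an inactive route is not broadcast when RIP is enabled."""
        return [r.name for r in self.routes if r.active]


def build_example_table() -> RoutingTable:
    """Constructed LAN 192.168.1.0/24 with two internal routers behind the firewall."""
    table = RoutingTable({"LAN": "192.168.1.0/24"})
    table.add(StaticRoute("branch", "172.16.2.0/24", "LAN", "192.168.1.254", metric=2))
    table.add(StaticRoute("branch-summary", "172.16.0.0/16", "LAN", "192.168.1.253", metric=5))
    table.add(StaticRoute("branch-old", "172.16.2.0/24", "LAN", "192.168.1.200", metric=1, active=False))
    return table


if __name__ == "__main__":
    table = build_example_table()
    for dst in ("192.168.1.50", "172.16.2.10", "172.16.9.1", "8.8.8.8"):
        print(dst, "->", table.lookup(dst))
    print("advertised by RIP:", table.rip_advertised())
```

The inactive "branch-old" route has the best metric for 172.16.2.0/24 yet never wins and is never advertised, which is the behaviour the Active/Inactive setting is for; a destination outside every static route and every attached network returns None here, where the firewall would fall back to the ISP gateway configured in Chapter 2.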
Configuring Routing Information Protocol (RIP)
RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default.
To configure RIP:
1.
• In Only. The VPN firewall accepts RIP information from other routers, but does not broadcast its routing table.
• None. The VPN firewall neither broadcasts its routing table nor accepts any RIP packets from other routers. This effectively disables RIP.
Because a direction that accepts RIP (In Only or Both) lets any RIP speaker on that segment inject routes, and RIP-1 carries no authentication, accept routes only on segments where every host is trusted.
4. Select the RIP Version from the pull-down menu:
• Disabled. The default selection disables all RIP versions.
• RIP-1. Class-based routing that does not include subnet information.
Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 FVS338 provides you with Web content filtering options such as block sites and keyword blocking.
intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
• Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it.
• Customized Services. Additional services can be added to the factory default list of services. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services” on page 4-20).
• Quality of Service (QoS).
Table 4-1. Outbound Rules (continued)
Item        Description
LAN Users   These settings determine which computers on your network are affected by this rule. Select the desired option:
            • Any – All PCs and devices on your LAN.
            • Single address – Enter the required address and the rule will be applied to that particular PC.
            • Address range – If this option is selected, you must enter the start and finish fields.
server or game server) visible and available to the Internet. The rule tells the VPN firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding. Whether or not DHCP is enabled, and how the PCs will access the server’s LAN address, affect the inbound rules.
Table 4-2. Inbound Rules Fields
Item                       Description
Send to LAN Server         This field appears only with NAT routing (not classical routing). This LAN address or range of LAN addresses determines which computer or computers on your network are hosting this service rule. (You can also translate these addresses to a port number.)
Translate to Port Number   Check this box and enter a port number to assign the LAN server to a different service port number.
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your VPN firewall; restrict each inbound rule to the service port and, where possible, the WAN Users range that actually needs it.
Order of Precedence for Firewall Rules
As you define new rules, they are added to the tables on the LAN WAN Rules screen, as shown in Figure 4-1 on page 4-7. For any traffic attempting to pass through the VPN firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services rules tables, beginning at the top and proceeding to the default rules at the bottom. The first rule that matches decides, so a broad rule placed above a narrower one makes the narrower one unreachable.
To create a new outbound service rule:
1. In the LAN WAN Rules screen, click add under the Outbound Services table. The Add LAN WAN Outbound Service screen will display.
Figure 4-2: Add LAN WAN Outbound Service screen
2. Configure the settings as explained in Table 4-1 on page 4-3.
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Outbound Services table on the LAN WAN Rules screen.
Figure 4-3: Add LAN WAN Inbound Service screen
2. Configure the settings as explained in Table 4-2 on page 4-5.
3. Click Apply to save your settings. The new rule will be added to the Inbound Services table on the LAN WAN Rules screen.

Modifying Rules
To make changes to an existing outbound or inbound service rule on the LAN WAN Rules screen, in the Action column to the right of the rule, click one of the following table buttons:
• edit.
2. Click one of the following table buttons:
• enable. Enables the rule or rules. The “!” status icon changes from a grey circle to a green circle, indicating that the rule or rules are enabled. (By default, when a rule is added to the table, it is automatically enabled.)
• disable. Disables the rule or rules. The “!” status icon changes from a green circle to a grey circle, indicating that the rule or rules are disabled.
• delete.
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-5, CU-SeeMe connections are allowed only from a specified range of external IP addresses. Connections are blocked during the period specified by Schedule 1.
The following addressing scheme is used in this example:
• VPN firewall:
  – WAN primary public IP address: 10.1.0.1
  – WAN additional public IP address: 10.1.0.5
  – LAN IP address: 192.168.1.1
• Web server PC on the VPN firewall’s LAN:
  – LAN IP address: 192.168.1.75
  – Port number for Web service: 8080
Figure 4-6: Inbound rule for the Web server example
To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear.
2. Place the rule below all other inbound rules.
Figure 4-7 shows the bottom part of the LAN WAN Rules screen with an example of the Inbound Services table.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
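The following is an added example, not code from the NETGEAR manual or the FVS338 firmware. It is a first-match evaluator for the Inbound Services table that reproduces the order of precedence described above (rules tried top to bottom, the default inbound rule at the bottom blocks), the restricted-source videoconference rule, the Web server forwarded from the additional public address 10.1.0.5 to 192.168.1.75 port 8080 with port translation, and the exposed-host rule placed last. The CU-SeeMe port (7648), the branch range 10.0.5.0/24, Schedule 1 as 18:00 to 08:00, the LAN hosts other than 192.168.1.75, the WAN-side client addresses and the rule names are all constructed for the example.

```python
"""First-match evaluator for LAN WAN inbound rules.

Added example, not code from the NETGEAR manual. Port 7648 for CU-SeeMe,
10.0.5.0/24, Schedule 1 (18:00-08:00), 192.168.1.60 and 192.168.1.99 are
constructed; 10.1.0.5 -> 192.168.1.75:8080 is the manual's own example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Decision = Tuple[str, str, Optional[str], Optional[int]]   # action, rule, LAN host, LAN port


@dataclass(frozen=True)
class Packet:
    src: str            # WAN-side source address
    dst: str            # public address the packet arrived on
    proto: str          # "TCP" or "UDP"
    dport: int
    hour: int = 12      # hour of day, consulted by rule schedules


def outside(start: int, end: int) -> Callable[[int], bool]:
    """Schedule helper: the rule is in force at every hour outside [start, end),
    a range that may wrap past midnight (18 -> 8 means blocked overnight)."""
    def in_force(hour: int) -> bool:
        blocked = (start <= hour or hour < end) if start > end else (start <= hour < end)
        return not blocked
    return in_force


@dataclass
class InboundRule:
    name: str
    action: str                                # "ALLOW" or "BLOCK"
    proto: str = "ANY"
    ports: Tuple[int, int] = (1, 65535)        # service port range on the WAN side
    wan_users: Optional[str] = None            # source network; None means Any
    wan_dest: Optional[str] = None             # public address; None means Any
    send_to: Optional[str] = None              # "Send to LAN Server"
    translate_port: Optional[int] = None       # "Translate to Port Number"
    schedule: Optional[Callable[[int], bool]] = None
    enabled: bool = True

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled or (self.schedule and not self.schedule(pkt.hour)):
            return False
        if self.proto != "ANY" and self.proto != pkt.proto:
            return False
        if not self.ports[0] <= pkt.dport <= self.ports[1]:
            return False
        if self.wan_users and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.wan_users):
            return False
        return self.wan_dest is None or self.wan_dest == pkt.dst


def evaluate(rules: List[InboundRule], pkt: Packet) -> Decision:
    """Top-down, first match wins; anything unmatched hits the default block."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "ALLOW":
                return ("ALLOW", rule.name, rule.send_to, rule.translate_port or pkt.dport)
            return ("BLOCK", rule.name, None, None)
    return ("BLOCK", "default", None, None)


SCHEDULE_1 = outside(18, 8)
RULES = [
    InboundRule("cuseeme-branch", "ALLOW", "TCP", (7648, 7648), wan_users="10.0.5.0/24",
                send_to="192.168.1.60", schedule=SCHEDULE_1),
    InboundRule("web-8080", "ALLOW", "TCP", (80, 80), wan_dest="10.1.0.5",
                send_to="192.168.1.75", translate_port=8080),
    InboundRule("no-telnet", "BLOCK", "TCP", (23, 23)),
]
EXPOSED_HOST = InboundRule("exposed-host", "ALLOW", send_to="192.168.1.99")


def decide(pkt: Packet, with_exposed_host: bool = False, exposed_first: bool = False) -> Decision:
    """Evaluate pkt against RULES, optionally with an exposed-host rule appended
    (the manual's advice) or, to show why that advice matters, placed on top."""
    rules = list(RULES)
    if with_exposed_host:
        rules = [EXPOSED_HOST] + rules if exposed_first else rules + [EXPOSED_HOST]
    return evaluate(rules, pkt)


if __name__ == "__main__":
    print(decide(Packet("10.0.5.7", "10.1.0.1", "TCP", 7648, hour=10)))
    print(decide(Packet("10.0.5.7", "10.1.0.1", "TCP", 7648, hour=22)))
    print(decide(Packet("198.51.100.9", "10.1.0.5", "TCP", 80)))
    print(decide(Packet("198.51.100.9", "10.1.0.1", "TCP", 23), with_exposed_host=True))
    print(decide(Packet("198.51.100.9", "10.1.0.1", "TCP", 23), with_exposed_host=True, exposed_first=True))
```

Two of the results are the point of the two notes above. Out of hours, or from an address outside the branch range, the videoconference packet falls past the CU-SeeMe rule; without an exposed host it reaches the default block, but with one it is delivered to 192.168.1.99, which is exactly the loss of protection the exposed-host note warns about. And moving the exposed-host rule to the top turns the Telnet block into dead code, which is why the procedure says to place it below every other inbound rule.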
Figure 4-8

Configuring Other Firewall Features
You can configure attack checks, set session limits, and manage the Application Level Gateway (ALG) for SIP sessions.

Attack Checks
The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks on the LAN and WAN sides. To enable the appropriate attack checks for your environment:
1.
Figure 4-9: Attack Checks screen
3. Check the boxes for the attack checks that you wish to monitor. The various types of attack checks are listed and defined below.
4. Click Apply to save your settings.
The various types of attack checks listed on the Attack Checks screen are:
• WAN Security Checks
  – Respond To Ping On Internet Ports. By default, the VPN firewall responds to an ICMP Echo (ping) packet coming from the Internet or WAN side. Answering ping confirms to anyone scanning the Internet that a device is present at your WAN address, so leave this off unless you rely on it for monitoring.
When blocking is enabled, the VPN firewall will drop all invalid TCP packets and will be protected from a SYN flood attack.
• LAN Security Checks.
  – A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host.
ProSafe VPN Firewall 50 FVS338 Reference Manual To configure session limits: 1. Select Security from the main menu and Firewall from the submenu. The LAN WAN Rules screen displays. 2. Click the Session Limit tab. The Session Limits screen will display. Figure 4-10 To enable session limits: 3. Click the Yes radio button under Do you want to enable Session Limit? 4.
ProSafe VPN Firewall 50 FVS338 Reference Manual The Total Number of Packets Dropped due to Session Limit field shows total number of packets dropped when session limit is reached. 6. In the Session Timeout section, modify the TCP, UDP and ICMP timeout values as you require. A session will expire if no data for the session is received for the duration of the timeout value. The default timeout values are 1200 seconds for TCP sessions, 180 seconds for UDP sessions, and 8 seconds for ICMP sessions. 7.
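The session limit and the per-protocol idle timeouts interact: a host that has hit its limit can open a new session only once one of its old sessions has been idle long enough to expire. The following Python model is an added example, not NETGEAR code. It uses the manual's default timeouts (TCP 1200 s, UDP 180 s, ICMP 8 s); the assumption that the limit is counted per source IP address and the packet trace in run_trace() are both constructed for illustration.

```python
"""Session limit and idle timeouts, as on the Session Limit screen.

Added example, not NETGEAR code. Sessions expire when no packet is seen for the
protocol's timeout (defaults: TCP 1200 s, UDP 180 s, ICMP 8 s); a new session
from a host that already holds the configured number of sessions is dropped and
counted. Assumption: the limit is enforced per source IP address. The packet
trace in TRACE is constructed.
"""
from dataclasses import dataclass, field

DEFAULT_TIMEOUTS = {"tcp": 1200, "udp": 180, "icmp": 8}


@dataclass
class SessionTable:
    max_per_host: int
    timeouts: dict = field(default_factory=lambda: dict(DEFAULT_TIMEOUTS))
    sessions: dict = field(default_factory=dict)   # (proto, src, dst, dport) -> last seen
    dropped: int = 0        # "Total Number of Packets Dropped due to Session Limit"

    def expire(self, now: float) -> None:
        """Remove sessions idle for at least their protocol's timeout."""
        stale = [k for k, last in self.sessions.items()
                 if now - last >= self.timeouts[k[0]]]
        for k in stale:
            del self.sessions[k]

    def active_for(self, src: str) -> int:
        return sum(1 for k in self.sessions if k[1] == src)

    def packet(self, now, proto, src, dst, dport) -> bool:
        """Return True if forwarded, False if dropped by the session limit."""
        self.expire(now)
        key = (proto, src, dst, dport)
        if key in self.sessions:
            self.sessions[key] = now              # refresh the idle timer
            return True
        if self.active_for(src) >= self.max_per_host:
            self.dropped += 1
            return False
        self.sessions[key] = now
        return True


TRACE = [  # (time in seconds, proto, src, dst, dport); constructed
    (0, "udp", "192.168.1.75", "10.1.0.10", 53),
    (1, "udp", "192.168.1.75", "10.1.0.11", 53),
    (2, "udp", "192.168.1.75", "10.1.0.12", 53),     # third session: over the limit of 2
    (100, "udp", "192.168.1.75", "10.1.0.10", 53),   # keeps the first session alive
    (200, "udp", "192.168.1.75", "10.1.0.12", 53),   # second session idle 199 s: expired
    (205, "icmp", "192.168.1.75", "10.1.0.20", 0),   # two live sessions again: dropped
    (290, "icmp", "192.168.1.75", "10.1.0.20", 0),   # first session idle 190 s: expired
    (300, "tcp", "192.168.1.75", "10.1.0.20", 80),   # ICMP session idle 10 s (> 8): expired
]


def run_trace(limit=2, trace=TRACE):
    """Replay the trace through a table with the given per-host limit."""
    table = SessionTable(max_per_host=limit)
    forwarded = [table.packet(*pkt) for pkt in trace]
    return {"forwarded": forwarded, "dropped": table.dropped,
            "active": table.active_for("192.168.1.75")}


if __name__ == "__main__":
    print(run_trace())
```

The trace shows why a short UDP timeout matters for a limit that is meant to contain a UDP flood from a compromised LAN host: the third and sixth packets are dropped, but as soon as an older session goes idle past its timeout the host regains a slot.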
Creating Services, QoS Profiles, and Bandwidth Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: • Services. A service narrows down the firewall rule to an application and a port number. For information about adding services, see “Adding Customized Services” on page 4-20. • QoS profiles.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be obtained from the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen. To add a service: 1. Select Security from the main menu and Services from the submenu. The Services screen will display. Figure 4-12 2.
Modifying a Service To edit the parameters of a service: 1. In the Custom Services Table, click the edit icon adjacent to the service you want to edit. The Edit Service screen will display. 2. Modify the parameters you wish to change. 3. Click Apply to confirm your changes. The modified service will display in the Custom Services Table.
Creating Bandwidth Profiles Bandwidth limiting controls how much of the WAN link's capacity the traffic matching a rule may use. Its purpose is to prevent LAN users from consuming all the bandwidth on your WAN link.
Figure 4-14 3. Enter the following data: a. Enter a Profile Name. This name will become available in the firewall rules definition menus. b. From the Direction pull-down box, select whether the profile will apply to outbound, inbound, or both outbound and inbound traffic. c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed: • Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth in Kbps.
To edit a bandwidth profile: 1. Click the edit link adjacent to the profile you want to edit. The Edit Bandwidth Profile screen is displayed. (This screen shows the same fields as the Add New Bandwidth Profile screen.) 2. Modify the settings that you wish to change. 3. Click Apply. Your modified profile will display in the Bandwidth Profile table. To remove an entry from the table, select the profile and click delete.
2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the box for each day you want the schedule to be in effect. 3. Check the radio button to schedule the time of day: All Day or Specific Times. If you chose Specific Times, fill in the Start Time and End Time fields (Hour, Minute, AM/PM), which define the times on the selected days during which the schedule is in effect. 4. Click Apply to save your settings to Schedule 1.
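Rule order, custom services and schedules all meet in rule evaluation: the firewall tries the inbound rules from the top down, a rule matches only if its service (protocol plus port range) and its schedule both match, and the default inbound rule blocks whatever nothing matched. The Python model below is an added example, not NETGEAR code, and ties together the exposed-host ordering point made earlier in this chapter, the custom services of the Services screen, and the schedules configured here. The rule names, services, schedule and packets are constructed; the 0 = Monday weekday numbering is Python's, not the firewall's.

```python
"""Firewall rule evaluation: first match wins, default inbound rule blocks.

Added example, not NETGEAR code. A rule narrows traffic by a service (protocol
plus port range) and a schedule; rules are tried top to bottom; the default
inbound rule blocks whatever no rule matched. All names and packets are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Service:
    """A service as defined on the Services screen: protocol plus port range."""
    name: str
    proto: str      # "tcp", "udp", "icmp" or "*" for any
    start: int
    end: int

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("*", proto) and self.start <= port <= self.end


ANY = Service("ANY", "*", 1, 65535)          # what an exposed-host rule uses


@dataclass(frozen=True)
class Schedule:
    """Specific days and/or a time window; the window may wrap past midnight."""
    days: frozenset            # weekday() values, 0 = Monday .. 6 = Sunday
    start: time = None         # None means All Day
    end: time = None

    def active(self, now: datetime) -> bool:
        if now.weekday() not in self.days:
            return False
        if self.start is None:
            return True
        t = now.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end      # e.g. 22:00 to 06:00


ALL_DAYS = Schedule(frozenset(range(7)))            # All Days, All Day


@dataclass(frozen=True)
class Rule:
    name: str
    service: Service
    action: str                # "ALLOW" or "BLOCK"
    schedule: Schedule = ALL_DAYS

    def matches(self, proto: str, dport: int, now: datetime) -> bool:
        return self.service.matches(proto, dport) and self.schedule.active(now)


def evaluate(rules, proto, dport, now, default="BLOCK"):
    """Return (action, rule name) of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(proto, dport, now):
            return rule.action, rule.name
    return default, "default"


# Constructed configuration for the worked example.
WEB_8080 = Service("Web-8080", "tcp", 8080, 8080)
TELNET = Service("Telnet", "tcp", 23, 23)
BUSINESS_HOURS = Schedule(frozenset(range(5)), time(8, 0), time(18, 0))
NIGHT = Schedule(frozenset(range(7)), time(22, 0), time(6, 0))
EXPOSED_HOST = Rule("exposed-host", ANY, "ALLOW")

# Correct order: specific rules first, exposed host last.
GOOD_ORDER = [Rule("block-telnet", TELNET, "BLOCK"),
              Rule("web-8080", WEB_8080, "ALLOW", BUSINESS_HOURS),
              EXPOSED_HOST]
# Wrong order: the exposed-host rule shadows every rule beneath it.
BAD_ORDER = [EXPOSED_HOST] + GOOD_ORDER[:2]


def demo():
    monday_10 = datetime(2024, 1, 1, 10, 0)      # 2024-01-01 is a Monday
    saturday_10 = datetime(2024, 1, 6, 10, 0)
    return {
        "telnet_good": evaluate(GOOD_ORDER, "tcp", 23, monday_10),
        "telnet_bad": evaluate(BAD_ORDER, "tcp", 23, monday_10),
        "web_weekday": evaluate(GOOD_ORDER[:2], "tcp", 8080, monday_10),
        "web_weekend": evaluate(GOOD_ORDER[:2], "tcp", 8080, saturday_10),
        "night_2330": NIGHT.active(datetime(2024, 1, 1, 23, 30)),
        "night_noon": NIGHT.active(datetime(2024, 1, 1, 12, 0)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The telnet_bad result is the failure mode the manual warns about: with the exposed-host rule at the top, the block-telnet rule beneath it is never reached. The web_weekend result shows that outside a schedule the rule simply does not exist and the default inbound block applies.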
– Cookies. Cookies are used to store session information by websites that usually require login. However, several websites use cookies to store tracking information and browsing habits. Enabling this option prevents websites from setting cookies. Note: Many websites require that cookies be accepted in order for the site to be accessed properly. Blocking cookies may interfere with useful functions provided by these websites.
Figure 4-16
2. Check the Yes radio button to enable content filtering. 3. Click Apply to activate the screen controls. 4. Check the boxes of any web components that you wish to block. 5. Check the radio buttons of the groups to which you wish to apply keyword blocking. Click enable to activate keyword blocking (or disable to deactivate keyword blocking). 6. Build your list of blocked keywords or domain names in the Blocked Keyword fields.
Figure 4-17 2. Check the Yes radio box in the MAC Filtering Enable section. 3. Select the action to be taken on outbound traffic from the listed MAC addresses: • Block this list and permit all other MAC addresses. • Permit this list and block all other MAC addresses. 4. Enter a MAC address in the Add Source MAC Address field and click add. The MAC address will appear in the MAC Addresses table. Repeat this process to add additional MAC addresses.
Configuring IP/MAC Address Binding IP/MAC binding allows you to bind an IP address to a MAC address and the other way around. Some devices are configured with static addresses. To prevent users from changing their static IP addresses, IP/MAC binding must be enabled on the VPN firewall. If the VPN firewall detects packets with a matching IP address but an inconsistent MAC address (or the other way around), it drops these packets. Note that a MAC address is not an authentication credential: a host can change its own MAC address, so binding and MAC filtering stop accidental and casual address changes rather than a determined attacker.
To enable IP/MAC Binding and add IP and MAC addresses for binding: 1. Select Security from the main menu and IP/MAC Binding from the submenu. The IP/MAC Binding screen will display. Figure 4-18 2. Select the Yes radio box and click Apply. Make sure that you have enabled the e-mailing of logs (see “Activating Notification of Events and Alerts” on page 6-23). 3. Add an IP/MAC Bind rule by entering: a. Name. Specify an easily identifiable name for this rule. b.
To edit an IP/MAC Bind rule, click edit adjacent to the entry. The following fields of an existing IP/MAC Bind rule can be modified: • MAC Address. Specify the MAC address for this rule. • IP Addresses. Specify the IP address for this rule. • Log Dropped Packets. Specify the logging option for this rule. To remove an entry from the table, select the IP/MAC Bind entry and click delete.
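Source MAC filtering and IP/MAC binding are two separate checks on LAN-side frames: the filter decides purely on the source MAC (block the list, or permit only the list), while binding drops a frame whose IP address is bound to a different MAC, or whose MAC is bound to a different IP, and logs the drop when the rule has logging enabled. The Python model below is an added example, not NETGEAR code; the MAC addresses, IP addresses, rule name and frames are constructed, and the order in which the two checks are applied is an assumption.

```python
"""Source MAC filtering and IP/MAC binding on the LAN side.

Added example, not NETGEAR code. SourceMacFilter models the MAC Filtering
screen; IpMacBinding models the IP/MAC Binding screen, dropping a frame whose
IP and MAC do not both agree with the binding and logging the drop when the
rule's Log Dropped Packets option is on. Frames and addresses are constructed.
"""
from dataclasses import dataclass


def norm_mac(mac: str) -> str:
    """Canonical form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.replace("-", ":").lower()


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


class SourceMacFilter:
    def __init__(self, macs, permit_listed: bool):
        self.macs = {norm_mac(m) for m in macs}
        self.permit_listed = permit_listed   # True: "Permit this list and block all others"

    def allows(self, frame: Frame) -> bool:
        listed = norm_mac(frame.src_mac) in self.macs
        return listed if self.permit_listed else not listed


class IpMacBinding:
    def __init__(self):
        self.ip_to_mac = {}     # ip  -> (rule name, mac)
        self.mac_to_ip = {}     # mac -> (rule name, ip)
        self.log_flags = {}     # rule name -> Log Dropped Packets
        self.log = []

    def add(self, name, mac, ip, log_dropped=True):
        mac = norm_mac(mac)
        self.ip_to_mac[ip] = (name, mac)
        self.mac_to_ip[mac] = (name, ip)
        self.log_flags[name] = log_dropped

    def check(self, frame: Frame):
        """Return (True, None) if consistent with the bindings, else (False, reason)."""
        mac, ip = norm_mac(frame.src_mac), frame.src_ip
        bound = self.ip_to_mac.get(ip)
        if bound and bound[1] != mac:
            return self._drop(bound[0], f"IP {ip} bound to {bound[1]}, seen from {mac}")
        bound = self.mac_to_ip.get(mac)
        if bound and bound[1] != ip:
            return self._drop(bound[0], f"MAC {mac} bound to {bound[1]}, seen with {ip}")
        return True, None

    def _drop(self, name, reason):
        if self.log_flags.get(name):
            self.log.append(f"IP/MAC bind rule {name}: dropped ({reason})")
        return False, reason


def lan_admit(mac_filter, binding, frame) -> bool:
    """Assumption: the MAC filter runs first; a frame must pass both checks."""
    if not mac_filter.allows(frame):
        return False
    ok, _ = binding.check(frame)
    return ok


def demo():
    flt = SourceMacFilter(["00:11:22:33:44:55", "00:11:22:33:44:66"], permit_listed=True)
    bind = IpMacBinding()
    bind.add("fileserver", "00-11-22-33-44-55", "192.168.1.10")
    frames = {
        "server_ok": Frame("00:11:22:33:44:55", "192.168.1.10"),
        "ip_spoofed": Frame("00:11:22:33:44:66", "192.168.1.10"),   # permitted MAC, stolen IP
        "mac_spoofed": Frame("00:11:22:33:44:55", "192.168.1.99"),  # server's MAC, other IP
        "unlisted": Frame("de:ad:be:ef:00:01", "192.168.1.50"),     # blocked by MAC filter
    }
    return {k: lan_admit(flt, bind, f) for k, f in frames.items()}, bind.log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    print("\n".join(log))
```

The ip_spoofed case is the one the binding feature exists for: the sending MAC is on the permit list, so the MAC filter alone would let a host that took over the file server's address through.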
Note these restrictions with port triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the VPN firewall cannot be sure when the application has terminated.
6. In the Incoming (Response) Port Range fields: a. Enter the Start Port of the range (1 - 65534). b. Enter the End Port of the range (1 - 65534). 7. Click add. The port triggering rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display. Figure 4-20 2. Modify any of the fields for this rule. 3.
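The two restrictions above follow from how a trigger is held: an outbound packet into the outgoing port range gives the sending PC the trigger, the incoming (response) range is then forwarded to that PC only, and the trigger is released only after the holder has been idle for the time-out. The Python state machine below is an added example, not NETGEAR code; the port ranges, hosts and the 600-second time-out are constructed assumptions.

```python
"""Port triggering: one PC at a time, with a time-out before reuse.

Added example, not NETGEAR code. An outbound packet into the outgoing port
range opens the incoming (response) range for the sender only; a second PC is
refused until the holder has been idle for the time-out, because the firewall
cannot tell when the application has finished. Ranges, hosts and the time-out
value are constructed.
"""


class PortTrigger:
    def __init__(self, name, out_range, in_range, timeout):
        self.name = name
        self.out_lo, self.out_hi = out_range
        self.in_lo, self.in_hi = in_range
        self.timeout = timeout
        self.owner = None        # LAN host currently holding the trigger
        self.last_seen = None

    def _expired(self, now) -> bool:
        return self.owner is not None and now - self.last_seen >= self.timeout

    def outbound(self, now, src_ip, dport) -> bool:
        """LAN->WAN packet; True if src_ip now holds (or still holds) the trigger."""
        if not self.out_lo <= dport <= self.out_hi:
            return False
        if self._expired(now):
            self.owner = None
        if self.owner in (None, src_ip):
            self.owner, self.last_seen = src_ip, now
            return True
        return False          # another PC holds the trigger and has not timed out

    def inbound(self, now, dport):
        """WAN->LAN packet; the LAN host to forward to, or None to drop."""
        if self.owner is None or self._expired(now):
            self.owner = None
            return None
        if self.in_lo <= dport <= self.in_hi:
            self.last_seen = now      # response traffic keeps the trigger alive
            return self.owner
        return None


def demo():
    trig = PortTrigger("game", (6112, 6112), (6113, 6119), timeout=600)
    return [
        trig.outbound(0, "192.168.1.20", 6112),     # host A triggers
        trig.inbound(5, 6115),                      # response forwarded to A
        trig.outbound(10, "192.168.1.30", 6112),    # host B refused: A holds it
        trig.inbound(20, 6115),                     # still forwarded to A
        trig.inbound(500, 6200),                    # outside the response range: dropped
        trig.outbound(700, "192.168.1.30", 6112),   # A idle 680 s > time-out: B takes over
        trig.inbound(705, 6113),                    # now forwarded to B
    ]


if __name__ == "__main__":
    print(demo())
```

Note what the fifth event shows: while a trigger is held, only the configured response range reaches the holder; everything else from the WAN is still subject to the ordinary inbound rules, which is why a narrow response range is preferable to a wide one.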
E-Mail Notifications of Event Logs and Alerts The firewall logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address.
Chapter 5 Virtual Private Networking This chapter describes how to use the Virtual Private Networking (VPN) features of the ProSafe VPN Firewall 50 FVS338.
Table 5-1 summarizes the WAN addressing requirements for Auto-Rollover mode.
Table 5-1. IP Addressing for VPNs in Dual WAN Port Systems
  Configuration                                      WAN IP address   Rollover Mode (a)
  VPN Road Warrior (client-to-gateway)               Fixed or DHCP    FQDN required
  VPN Gateway-to-Gateway                             Fixed or DHCP    FQDN required
  VPN Telecommuter (client-to-gateway NAT router)    Fixed or DHCP    FQDN required
a.
Follow these steps to set up a gateway VPN tunnel using the VPN Wizard. 1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display. To view the wizard default settings, click the VPN Wizard Default Values link. You can modify these settings after completing the wizard. Figure 5-3 2. Select Gateway as your connection type. 3. Create a Connection Name. Enter a descriptive name for the connection.
5. Choose which WAN port (broadband or dialup) to use as the VPN tunnel end point. Note: If you are using a dual WAN rollover configuration, after completing the wizard, you must manually update the VPN policy to enable VPN rollover. This allows the VPN tunnel to roll over when the WAN Mode is set to Auto Rollover. The wizard will not set up the VPN policy with rollover enabled. 6.
8. Click Apply to save your settings: the VPN Policies screen shows that the policy is now enabled. Figure 5-4 9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured. To display the status of your VPN connections, select VPN from the main menu and Connection Status from the submenu. The Connection Status screen will display.
Creating a Client to Gateway VPN Tunnel Figure 5-6 Follow these steps to configure a VPN client tunnel: • Configure the client policies on the gateway (see “Use the VPN Wizard Configure the Gateway for a Client Tunnel” on this page). • Configure the VPN client to connect to the gateway (see “Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection” on page 5-8).
Figure 5-7 2. Select VPN Client as your VPN tunnel connection. 3. Create a Connection Name such as “Client to GW1”. This descriptive name is not supplied to the remote VPN client; it is only for your reference. 4. Enter a Pre-shared Key; in this example, we are using r3m0+eC1ient, which must also be entered in the VPN client software. The key length must be 8 characters minimum and cannot exceed 49 characters. Use a long, random key rather than the shortest the screen accepts; the pre-shared key is the only secret protecting the client tunnel. 5.
6. The public Remote and Local Identifiers are automatically filled in by pre-pending the first several letters of the model number of your gateway to form FQDNs used in the VPN policies. In this example, we are using GW1_remote.com and GW1_local.com. 7. Click Apply to save your settings: the VPN Policies screen shows that the policy is now enabled. Figure 5-8 To view or modify the VPN policy, see “Managing VPN Policies” on page 5-15.
2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1. Figure 5-10 Fill in the other options according to the instructions below. • Under Connection Security, verify that the Secure radio button is selected. • From the ID Type pull-down menu, choose IP Subnet.
3. In the left frame, click My Identity. Fill in the options according to the instructions below. Figure 5-11 • From the Select Certificate pull-down menu, choose None. • Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using “r3m0+eC1ient.” • From the ID Type pull-down menu, choose Domain Name. • Leave Virtual Adapter disabled.
Figure 5-12
Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection. NETGEAR VPN Client Status and Log Information To test a client connection and view the status and log information, follow these steps. 1.
2. To view more detailed status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-15 • Right-click the VPN Client icon in the system tray and select Connection Monitor. Figure 5-16
The VPN client system tray icon provides a variety of status indications, which are listed below.
Table 5-2. System Tray Icon Status
  The client policy is deactivated.
  The client policy is activated but not connected.
  The client policy is activated and connected. A flashing vertical bar indicates traffic on the tunnel.
• State. The current state of the SA. Phase 1 is the “Authentication phase” and Phase 2 is the “Key Exchange phase”. • Action. Allows you to terminate or build the SA (connection), if required. To view VPN firewall VPN logs, select Monitoring from the main menu and VPN Logs from the submenu. The VPN Logs screen will display.
Configuring IKE Policies The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN gateways, and provides automatic management of the keys used in IPSec. It is important to remember that: • “Auto” generated VPN policies must use the IKE negotiation protocol. • “Manual” generated VPN policies cannot use the IKE negotiation protocol. IKE policies are activated when: 1.
Figure 5-19 Each policy that is listed in the List of IKE Policies table contains the following data: • Name. Uniquely identifies each IKE policy. The name is chosen by you and used for the purpose of managing your policies; it is not supplied to the remote VPN Server. If the policy is a client policy, it will be prepended by an “*”. • Mode. Two modes are available: either “Main” or “Aggressive”. – Main Mode is slower but more secure. Aggressive Mode sends the identities unencrypted and, with pre-shared key authentication, exposes a hash that allows a weak key to be guessed offline, so if you must use Aggressive Mode (for example, for clients without a fixed IP address), use a long random pre-shared key.
To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix D, “Related Documents.” Configuring VPN Policies You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available. • Manual. All settings (including the keys) for the VPN tunnel are manually entered at each end (both VPN endpoints). No third-party server or organization is involved.
• Name. Each policy is given a unique name (the Connection Name when using the VPN Wizard). Client policies are annotated by an “*”. • Type. The type is “Auto” or “Manual” as described previously (Auto is used during VPN Wizard configuration). • Local. IP address (either a single address, range of addresses or subnet address) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy.
The extKeyUsage extension governs whether the FVS338 accepts a digital certificate that is also used for secure web management. When a digital certificate is uploaded, the VPN firewall checks that it is valid and verifies its purpose; the certificate is accepted only if it passes the validity test and its purpose matches its use (it must permit both SSL and VPN use).
Viewing and Loading CA Certificates The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data: • CA Identity (Subject Name). The organization or person to whom the certificate is issued. • Issuer Name. The name of the CA that issued the certificate. • Expiry Time. The date after which the certificate becomes invalid.
Viewing Active Self Certificates The Active Self Certificates table on the Certificates screen shows the certificates issued to you by a CA and available for use. Figure 5-21 For each self certificate, the following data is listed: • Name. The name you used to identify this certificate. • Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate.
Figure 5-22 2. Configure the following fields: • Name. Enter a descriptive name that will identify this certificate. • Subject. This is the name which other organizations will see as the holder (owner) of the certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. (Using the same name, or a derivation of the name, in the Title field would be useful.)
4. Click generate. A new certificate request is created and added to the Self Certificate Requests table. Figure 5-23 5. In the Self Certificate Requests table, click view in the Action column to view the request. Figure 5-24 6. Copy the contents of the Data to supply to CA text box into a text file, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines and everything between them. 7.
d. Submit the CA form. If no problems occur, the certificate will be issued. 8. Store the certificate file from the CA on your computer and back up the certificate file from the CA in another location. 9. Return to the Certificates screen and locate the Self Certificate Requests section. Figure 5-25 10. Select the checkbox next to the certificate request, then click Browse and locate the certificate file on your PC. 11. Click upload.
Figure 5-26 The Certificate Revocation Lists (CRL) table lists your active CAs and their critical release dates: • CA Identity – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. • Next Update – The date when the next CRL will be released. 2. Click Browse and locate the CRL file you previously downloaded from a CA. 3. Click upload.
• IPSec Host. If you want authentication by the remote gateway, enter a user name and password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway. Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials.
Figure 5-28 3. In the Extended Authentication section of the Add IKE Policy (or Edit IKE Policy) screen, select the Authentication Type from the pull-down menu which will be used to verify user account information. Select one of the following options: • Edge Device. Use the VPN firewall as a VPN concentrator where one or more gateway tunnels terminate.
Specify one of the following authentication types: – User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 5-29). – RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server.
2. Enter a User Name. This is the unique ID of a user which will be added to the User Name database. 3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4. Click add. The User Name will be added to the Configured Users table. To edit the user name or password: 1. Click edit opposite the user’s name. The Edit User screen will display. 2. Make the required changes to the User Name or Password. 3.
Figure 5-30 3. Enable the primary RADIUS server by checking the Yes radio box. 4. Enter the primary RADIUS Server IP address. 5. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server. Use a long, random secret phrase: RADIUS traffic itself is not encrypted, and the secret is the only thing that protects the exchange and the user passwords carried in it. 6. Enter the Primary Server NAS Identifier (Network Access Server). This identifier must be present in a RADIUS request.
8. Set the Time Out Period, in seconds, that the VPN firewall should wait for a response from the RADIUS server. 9. Set the Maximum Retry Count. This is the number of attempts that the VPN firewall will make to contact the RADIUS server before giving up. 10. Click Apply to save the settings. Note: The Authentication Protocol, usually PAP or CHAP, is configured in the XAUTH section of the VPN Client screen.
Note: After configuring a Mode Config record, you must manually configure an IKE policy and select the newly-created Mode Config record from the Select Mode Config Record pull-down menu (see “Configuring Mode Config Operation on the VPN Firewall”). You do not need to make changes to any VPN policy.
2. Click add. The Add Mode Config Record screen will display. Figure 5-32 3. Enter a descriptive Record Name such as “Remote Users”. 4. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients. Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx. 5. If you have a WINS server on your local network, enter its IP address. 6.
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES (These are the settings recommended here for the NETGEAR client; where both ends support AES, prefer it over 3DES, which is slower and considered legacy.) 10. Click Apply. The new record should appear in the List of Mode Config Records on the Mode Config screen. Configuring an IKE Policy for Mode Config Operation Next, you must configure an IKE Policy: 1. From the main menu, select VPN.
2. Click add to configure a new IKE policy. The Add IKE Policy screen will display. Figure 5-34 3. In the Mode Config Record section, enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the view selected radio box.)
4. In the General section: • Enter a descriptive name in the Policy Name field such as “SalesPerson”. This name will be used as part of the remote identifier in the VPN client configuration. • Set Direction/Type to Responder. • The Exchange Mode will automatically be set to Aggressive. 5. In the Local section, select FQDN for the Identity Type. 6. In the Local section, choose which WAN port to use as the VPN tunnel end point. 7.
Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon. Figure 5-35 a. Give the connection a descriptive name such as “modecfg_test” (this name will only be used internally). b.
2. From the left side of the menu, click My Identity. Figure 5-36 Enter the following information: a. Click Pre-Shared Key and enter the key you configured on the VPN firewall’s Add IKE Policy screen. b. From the Select Certificate pull-down menu, select None. c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created; for example “remote_id.com”. d.
Enter the following information: a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button. b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and select Diffie-Hellman Group 2 from the PFS Key Group pull-down menu. c. Enable Replay Detection should be checked. 4. Click on Authentication (Phase 1) on the left-side of the menu and select Proposal 1.
5. Click on Key Exchange (Phase 2) on the left-side of the menu and select Proposal 1. Figure 5-38 Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).) 6. Click the Save icon to save the Security Policy and close the ProSafe VPN client. Testing the Mode Config Connection To test the connection: 1.
Configuring Keepalives and Dead Peer Detection In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require your VPN tunnel to remain connected, you can use the Keepalive and Dead Peer Detection features to prevent the tunnel from dropping and to force a reconnection if the tunnel drops for any reason.
5. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests. 6. Enter the Detection Period to set the time between ICMP ping requests. The default is 10 seconds. 7. In Reconnect after failure count, set the number of consecutive missed responses that will be considered a tunnel connection failure. The default is 3 missed responses.
6. In Reconnect after failure count, set the number of DPD failures allowed before tearing down the connection. The default is 3 failures. When the VPN firewall senses an IKE connection failure, it deletes the IPSec and IKE Security Associations and forces a reestablishment of the connection. 7. Click Apply at the bottom of the screen.
Chapter 6 VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 50 FVS338.
VPN Firewall Features That Reduce Traffic Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows: • Service blocking • Blocking sites • Source MAC filtering Service Blocking You can control specific outbound traffic (for example, from LAN to WAN). The LAN WAN Rules screen lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed.
– Single address. The rule applies to a single Internet IP address. – Address range. The rule is applied to a range of Internet IP addresses. • Services. You can specify the desired services or applications to be covered by a rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Services-Based Rules” on page 4-2 and “Adding Customized Services” on page 4-20). • Groups and Hosts.
You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs, even in the groups for which keyword blocking has been enabled, will still be allowed without any blocking. • Web Component Blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies.
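The keyword-blocking decision described here (and in the content filtering steps in Chapter 4) has three inputs: whether the requesting PC's group has keyword blocking enabled, whether the host name exactly matches a Trusted Domains entry, and whether a blocked keyword appears in the URL. The Python model below is an added example, not NETGEAR code; the keywords, group names, trusted domain and URLs are constructed, and matching the keyword against the host name plus path is an assumption about where the firewall looks.

```python
"""Keyword blocking with trusted-domain bypass and per-group enforcement.

Added example, not NETGEAR code. A URL is blocked when it contains a blocked
keyword and the requesting PC's group has keyword blocking enabled, unless the
host name exactly matches a Trusted Domains entry (a trusted entry does not
cover its subdomains). Keywords, groups and URLs are constructed; matching
against host plus path and query is an assumption.
"""
from urllib.parse import urlsplit


class ContentFilter:
    def __init__(self, keywords, trusted_domains, groups_enabled):
        self.keywords = [k.lower() for k in keywords]
        self.trusted = {d.lower() for d in trusted_domains}
        self.groups_enabled = set(groups_enabled)

    def decide(self, url: str, group: str):
        """Return ("allow" | "block", reason) for a request from the given group."""
        if group not in self.groups_enabled:
            return "allow", "keyword blocking not enabled for group"
        parts = urlsplit(url if "://" in url else "http://" + url)
        host = (parts.hostname or "").lower()
        if host in self.trusted:                      # exact match only
            return "allow", f"trusted domain {host}"
        haystack = (host + parts.path + ("?" + parts.query if parts.query else "")).lower()
        for kw in self.keywords:
            if kw in haystack:
                return "block", f"keyword '{kw}'"
        return "allow", "no keyword matched"


def demo():
    cf = ContentFilter(keywords=["casino", "sports"],
                       trusted_domains=["news.example.com"],
                       groups_enabled={"Group1"})
    cases = {   # constructed requests: (url, group of the requesting PC)
        "kw_in_path": ("http://www.example.net/sports/scores", "Group1"),
        "kw_in_host": ("http://casino-example.test/", "Group1"),
        "trusted_exact": ("https://news.example.com/sports", "Group1"),
        "trusted_subdomain": ("https://m.news.example.com/sports", "Group1"),
        "group_not_filtered": ("http://www.example.net/sports", "Group2"),
        "clean": ("http://www.example.net/weather", "Group1"),
    }
    return {name: cf.decide(url, group)[0] for name, (url, group) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The trusted_subdomain case is the one that surprises administrators: because the trusted list is matched exactly, m.news.example.com is still subject to the keyword list even though news.example.com is trusted. Keyword filtering of this kind also only sees what the firewall can read, so it does not inspect the path of HTTPS requests.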
ProSafe VPN Firewall 50 FVS338 Reference Manual You can control specific inbound traffic (that is, from WAN to LAN). The LAN WAN Rules screen lists all existing rules for inbound traffic If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic.
ProSafe VPN Firewall 50 FVS338 Reference Manual • Services. You can specify the desired services or applications to be covered a rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services” on page 4-20). • Schedule. If you have set firewall rules on the LAN WAN Rules screen, you can configure three different schedules (that is, schedule 1, schedule 2, and schedule 3) for when a rule is to be applied.
ProSafe VPN Firewall 50 FVS338 Reference Manual Using QoS to Shift the Traffic Mix The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the VPN firewall. The QoS is set individually for each service. • You can accept the default priority defined by the service itself by not changing its QoS setting.
ProSafe VPN Firewall 50 FVS338 Reference Manual • • “Managing the Configuration File” on page 6-18 “Configuring Date and Time Service” on page 6-21 Changing Passwords and Settings The default administrator and guest password for the Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. You can also configure a separate password for the guest account. To modify the Administrator user account settings, including the password: 1.
ProSafe VPN Firewall 50 FVS338 Reference Manual 2. In the Enable Local Authentication section of the screen: a. Enable local authentication by selecting the Yes radio box. b. Click Apply to save your settings. 3. In the User Selection section of the screen, select either the Edit Admin Settings or Edit Guest Settings radio box. 4. In either the Admin Settings or the Guest Settings section of the screen: a. change the password by first entering the old password, and then entering the new password twice. b.
ProSafe VPN Firewall 50 FVS338 Reference Manual 2. Click Add. The Add External User screen will display. Figure 6-3 3. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b. User Type. Select either Admin or Guest. c. Idle Timeout. This is the period after which an idle user will be automatically logged out of the Web Configuration Manager. 4. Click Apply to save and apply your entries.
ProSafe VPN Firewall 50 FVS338 Reference Manual Table 6-1.Authentication Protocols Authentication Protocol Description RADIUS A network-validated PAP or CHAP password-based authentication method that functions with Remote Authentication Dial In User Service (RADIUS). MIAS A network-validated PAP or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 Server.
ProSafe VPN Firewall 50 FVS338 Reference Manual Figure 6-4 3. In the Enable External Authentication section of the screen, select the Yes radio button. 4. Click Apply to save the settings and enable external authentication. 5. In the RADIUS Server Configuration section of the screen, configure the following fields: • Primary RADIUS Server IP address. The IP address of the RADIUS server. • Secret Phrase.
The VPN firewall is acting as a NAS, allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS Identifier information to the RADIUS server. Depending on the configuration of the RADIUS server, the VPN firewall’s IP address may be sufficient as an identifier, or the server may require a name, which you would enter here.
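The following is an added example, not NETGEAR firmware code, showing what the RADIUS exchange described above looks like on the wire and why the Secret Phrase matters: it assembles an RFC 2865 Access-Request carrying User-Name, User-Password, NAS-IP-Address and NAS-Identifier, hides the PAP password with the shared secret as the RFC specifies, and then shows the server-side view with the correct and with a wrong secret. The user name, password, secret phrase (testing123), NAS identifier (fvs338-hq) and NAS address (192.168.1.1) are constructed sample values.

```python
import hashlib
import os
import struct

# RFC 2865 packet code and attribute type numbers (standard values, not FVS338-specific)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 octets and each block is
    XORed with MD5(secret + previous block); the first block uses the 16-octet
    Request Authenticator. The shared secret is the only thing protecting a
    PAP password on the wire, so a weak Secret Phrase exposes every login.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform; trailing NUL padding is removed."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the 2-octet header."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, nas_identifier: str, nas_ip: str,
                         authenticator: bytes = None) -> bytes:
    """Assemble an Access-Request as a NAS such as the VPN firewall would send it."""
    authenticator = authenticator or os.urandom(16)
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    attrs = (
        _attr(USER_NAME, username.encode())
        + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
        + _attr(NAS_IDENTIFIER, nas_identifier.encode())
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list after the 20-octet header; returns {type: value}."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def server_view(packet: bytes, secret: bytes) -> dict:
    """What a RADIUS server learns from the request, given its copy of the shared secret."""
    attrs = parse_attributes(packet)
    return {
        "user": attrs[USER_NAME].decode(),
        "password": unhide_password(attrs[USER_PASSWORD], secret, packet[4:20]),
        "nas_id": attrs.get(NAS_IDENTIFIER, b"").decode(),
        "nas_ip": ".".join(str(b) for b in attrs.get(NAS_IP_ADDRESS, b"")),
    }


if __name__ == "__main__":
    pkt = build_access_request(7, "alice", "s3cret", b"testing123", "fvs338-hq", "192.168.1.1")
    print(server_view(pkt, b"testing123"))     # user, password and NAS identity recovered
    print(server_view(pkt, b"wrong-secret"))   # password field is garbage without the secret
```

The NAS-Identifier attribute is exactly the name the screen above asks for; a server that keys its client list on NAS-IP-Address instead can ignore it, which is why the manual says the firewall's IP address may be sufficient. Note also that the transform only hides the password and does not authenticate the request, so a RADIUS server must still restrict which client addresses it accepts.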
Enabling Remote Management Access

Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging in to the VPN Firewall” on page 2-2).

Note: Be sure to change the VPN firewall default configuration password to a very secure password.
2. Check the Allow Remote Management radio box.
3. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect.
   a. To allow access from any IP address on the Internet, select Everyone.
   b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
   c.
Note: To maintain security, the VPN firewall will reject a login that uses http://address rather than the SSL https://address.

Note: The first time you remotely connect to the VPN firewall with a browser via SSL, you may get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate.
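As an added example (not NETGEAR's implementation), the policy the Remote Management screen expresses can be written down as a small evaluator: remote management must be enabled, plain http is refused when secure HTTP is selected, and the source address must match Everyone or the configured range. The third source option is cut off on the page and is not modelled; the addresses used are constructed documentation-range values, and the final helper counts rejections per source, which is the kind of signal the login-failure alerts in this chapter are meant to surface.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RemoteManagementPolicy:
    """Choices from the Remote Management screen described above.

    allowed_from is "everyone" or "range"; the screen's third choice is cut
    off on the page and is deliberately not modelled (assumption).
    """
    enabled: bool = False
    secure_http: bool = True      # the Yes radio button; the manual says it is the default
    allowed_from: str = "everyone"
    range_start: str = ""
    range_end: str = ""


def source_allowed(policy: RemoteManagementPolicy, client_ip: str) -> bool:
    """Is this Internet-side source permitted to reach the management interface?"""
    if policy.allowed_from == "everyone":
        return True
    if policy.allowed_from == "range":
        ip = ipaddress.ip_address(client_ip)
        lo = ipaddress.ip_address(policy.range_start)
        hi = ipaddress.ip_address(policy.range_end)
        # A mixed-version or inverted range can never match; fail closed.
        if lo.version != ip.version or hi.version != ip.version or lo > hi:
            return False
        return lo <= ip <= hi
    raise ValueError(f"unknown allowed_from value: {policy.allowed_from!r}")


def evaluate_login(policy: RemoteManagementPolicy, client_ip: str, scheme: str):
    """Return (accepted, reason) for one remote management login attempt."""
    if not policy.enabled:
        return False, "remote management disabled"
    if policy.secure_http and scheme.lower() != "https":
        return False, "http rejected; use https"
    if not source_allowed(policy, client_ip):
        return False, "source address not allowed"
    return True, "accepted"


def reject_summary(policy: RemoteManagementPolicy, attempts) -> dict:
    """Count rejected attempts per source over (client_ip, scheme) pairs."""
    counts = {}
    for ip, scheme in attempts:
        accepted, _ = evaluate_login(policy, ip, scheme)
        if not accepted:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed policy and attempts (documentation addresses, RFC 5737).
    policy = RemoteManagementPolicy(enabled=True, allowed_from="range",
                                    range_start="203.0.113.10", range_end="203.0.113.20")
    attempts = [("203.0.113.15", "https"), ("203.0.113.15", "http"),
                ("203.0.113.99", "https"), ("203.0.113.99", "https")]
    for ip, scheme in attempts:
        print(ip, scheme, evaluate_login(policy, ip, scheme))
    print(reject_summary(policy, attempts))
```

Selecting Everyone is the setting to avoid on an Internet-facing management port; restricting the range does not replace a strong administrator password, but it shrinks who can even reach the login page.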
To create a new SNMP configuration entry:

1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen will display.

Figure 6-6

2. Under Create New SNMP Configuration Entry, enter the IP Address of the SNMP manager in the IP Address field and the subnet mask in the Subnet Mask field.
When you click on the SNMP System Info link on the SNMP screen, the VPN firewall’s identification information is displayed. The following identification information is available to the SNMP Manager: system contact, system location, and system name.

To modify the SNMP identification information:

1. Click the SNMP System Info link on the SNMP screen. The SNMP SysConfiguration screen will display.

Figure 6-7

2.
Backing Up Settings

To back up settings:

1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display.

Figure 6-8

2. Click backup to save a copy of your current settings. If your browser is not set up to save downloaded files automatically, locate where you want to save the file, specify a file name, and click Save.
2. Locate and select the previously saved backup file (by default, netgear.cfg).
3. When you have located the file, click restore. An Alert page will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.

Reverting to Factory Default Settings

To reset the VPN firewall to the original factory default settings:

1.
6. Locate the downloaded file and click upload. This will start the software upgrade to your VPN firewall. The software upgrade process might take some time. At the conclusion of the upgrade, your VPN firewall will reboot.
Figure 6-9

2. From the Date/Time pull-down menu, select the local time zone. This is required in order for scheduling to work correctly. The VPN firewall includes a Real-Time Clock (RTC), which it uses for scheduling.
3. If supported in your region, check the Automatically Adjust for Daylight Savings Time radio box.
4. Select an NTP Server option by checking one of the following radio boxes:
   • Use Default NTP Servers.
Monitoring System Performance

You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the VPN firewall, WAN ports, LAN ports, and VPN tunnels.

This section includes the following subsections:

• “Activating Notification of Events and Alerts” on this page.
Figure 6-10
2. In the Log Options section, enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages.
3. In the Routing Logs section, select the network segments for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
4.
   • LOG_NOTICE (Normal but significant conditions)
   • LOG_INFO (Informational messages)
   • LOG_DEBUG (Debug level messages)
10. Click Apply to save your settings.

Viewing the Logs

To view the logs:

1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display.
2. Click the View Log link in the upper right-hand section of the screen. The Logs screen will display.
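The severity names above are the standard syslog levels, and a syslog server normally receives a message at a chosen level together with everything more severe. The following added example (not NETGEAR code) shows both ends of that arrangement: how a sender encodes the syslog PRI value from facility and severity, how a threshold filters the stream, and how a receiver decodes and filters incoming lines. It assumes the FVS338 follows standard syslog semantics for the level you select, uses facility local0 as an assumption, and wraps two message bodies taken from Appendix B in constructed severities.

```python
import re

# Standard syslog severity numbers (RFC 3164 / RFC 5424). The page lists
# LOG_NOTICE, LOG_INFO and LOG_DEBUG; the others are the remaining standard levels.
SEVERITIES = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
LOCAL0 = 16  # facility number; 16..23 are local0..local7 (assumed facility)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

# Constructed sample: message bodies from Appendix B paired with assumed severities.
SAMPLE_MESSAGES = [
    ("LOG_INFO", "Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN "
                 "SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0"),
    ("LOG_NOTICE", "Nov 29 11:29:29 [FVS338] [pppd] PAP authentication failed"),
    ("LOG_DEBUG", "Nov 29 11:29:26 [FVS338] [pppd] Starting link"),
]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, as both syslog RFCs define it."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri: int):
    """Inverse of encode_pri; returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return divmod(pri, 8)


def should_forward(severity_name: str, threshold_name: str) -> bool:
    """Forward messages at the threshold level or more severe (lower number)."""
    return SEVERITIES[severity_name] <= SEVERITIES[threshold_name]


def frame(facility: int, severity_name: str, message: str) -> str:
    """Prefix the body with the <PRI> header a syslog receiver expects."""
    return f"<{encode_pri(facility, SEVERITIES[severity_name])}>{message}"


def forward_batch(messages, threshold_name: str, facility: int = LOCAL0):
    """Sender side: apply the configured threshold, then frame what passes."""
    return [frame(facility, sev, body) for sev, body in messages
            if should_forward(sev, threshold_name)]


def receive(line: str, threshold_name: str):
    """Receiver side: parse the PRI and drop malformed or too-verbose lines.

    Returns (facility, severity, body) or None when the line is filtered.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    try:
        facility, severity = decode_pri(int(m.group(1)))
    except ValueError:
        return None
    if severity > SEVERITIES[threshold_name]:
        return None
    return facility, severity, m.group(2)


if __name__ == "__main__":
    for line in forward_batch(SAMPLE_MESSAGES, "LOG_NOTICE"):
        print(line, "->", receive(line, "LOG_DEBUG"))
```

With LOG_NOTICE selected, only the PAP failure in the constructed batch is sent; choosing LOG_DEBUG forwards everything, which is useful during troubleshooting but can swamp a syslog server with per-packet routing logs.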
Table 6-2. Log Entry Descriptions

Field | Description
Date and Time | The date and time the log entry was recorded.
Description or Action | The type of event and what action was taken, if any.
Source IP | The IP address of the initiating device for this log entry.
Source port and interface | The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ.
Figure 6-12

2. Enable the traffic meter by clicking the Yes radio button under Do you want to enable Traffic Metering on Broadband? The traffic meter will record the volume of Internet traffic passing through the broadband port. Select from the following options:
   • No Limit. Any specified restrictions will not be applied when the traffic limit is reached.
   • Download only.
   • Monthly Limit. Use this option if your ISP charges for additional traffic. If enabled, enter the monthly volume limit and select the desired behavior when the limit is reached.
     Note: Both incoming and outgoing traffic are included in the limit.
   • Increase this month limit by.
To configure the traffic meter for the dial-up port, select the Dial-up Traffic Meter tab and repeat this process.

The Internet Traffic Statistics section of the screen displays statistics on Internet traffic through the WAN port. If you have not enabled the traffic meter, these statistics are not available.

To display a report of Internet traffic by type, click the Traffic by Protocol link in the upper right-hand section of the Traffic Meter screen.
Figure 6-14

Table 6-3. Router Configuration Status Fields

Item | Description
System Name | This is the Account Name that you entered on the Broadband ISP Settings screen.
Firmware Version | This is the current software the VPN firewall is using. This will change if you upgrade your VPN firewall.
LAN Port | Displays the current settings for MAC address, IP address, DHCP status and IP subnet mask that you set on the LAN Setup screen.
Table 6-3. Router Configuration Status Fields (continued)

Item | Description
Broadband Configuration |
   • WAN Mode: Single, or Rollover.
   • WAN State: UP or DOWN.
   • NAT: Enabled or Disabled.
   • Connection Type: Static IP, DHCP, PPPoE, or PPTP.
   • Connection State: Connected or Disconnected.
Dialup Configuration | Displays the same details as for the broadband configuration with the exception that the Connection Type is always Dialup.
To set the poll interval:

1. Click the Stop button.
2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds, the maximum is 5 minutes).
3. Click the Set Interval button.

Monitoring WAN Ports Status

You can monitor the status of both of the WAN connections (broadband and dialup), the dynamic DNS server connections, and the DHCP server connections.

To monitor the status of the WAN ports:

1.
Monitoring Attached Devices

The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network.

To view the LAN Groups screen:

1. Select Network Configuration from the main menu and LAN Settings from the submenu.
2. Select the LAN Groups tab. The LAN Groups screen will display.

Figure 6-17

The Known PCs and Devices table lists the entries in the Network Database.
The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed:

Table 6-4. Known PCs and Devices Options

Item | Description
Name | The name of the PC or device. Sometimes this cannot be determined, and the device is listed as Unknown. In this case, you can edit the entry to add a meaningful name.
IP Address | The current IP address.
The Active IPsec (SA)s table lists each active connection with the following information:

Table 6-5. IPsec Connection Status Fields

Item | Description
Policy Name | The name of the VPN policy associated with this SA.
Endpoint | The IP address of the remote VPN endpoint.
Tx (KB) | The amount of data transmitted over this SA.
Tx (Packets) | The number of IP packets transmitted over this SA.
State | The current status of the SA.
Viewing the DHCP Log

To display the DHCP log:

1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen will display.
2. Click the DHCP Log link in the upper right-hand section of the screen. The DHCP Log popup screen will display.

Figure 6-20

To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
To view the most recent entries, click refresh.

Table 6-6. Port Triggering Status Data

Item | Description
Rule | The name of the rule.
LAN IP Address | The IP address of the PC currently using this rule.
Open Ports | The incoming ports associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
Time Remaining | The time remaining before this rule is released, and thus available for other PCs.
Chapter 7
Troubleshooting

This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 50 FVS338.
Power LED Not On

If the Power and other LEDs are off when your VPN firewall is turned on:

• Make sure that the power cord is properly connected to your VPN firewall and that the power supply adapter is properly connected to a functioning power outlet.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.

If the error persists, you have a hardware problem and should contact technical support.
Troubleshooting the Web Configuration Interface

If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following:

• Check the Ethernet connection between the PC and the VPN firewall as described in the previous section.
• Make sure your PC’s IP address is on the same subnet as the VPN firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.
If the VPN firewall does not save changes you have made in the Web Configuration Interface, check the following:

• When entering configuration settings, be sure to click the Apply button before moving to another screen or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
• Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name on the Broadband ISP Settings screen (see Figure 2-5 on page 2-9) or Dialup ISP Settings screen (see Figure 2-4 on page 2-6).
• Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address.
3. Click on OK. You should see a message like this one:

   Pinging with 32 bytes of data

If the path is working, you see this message:

   Reply from < IP address >: bytes=32 time=NN ms TTL=xxx

If the path is not working, you see this message:

   Request timed out

If the path is not functioning correctly, you could have one of the following problems:

• Wrong physical connections – Make sure the LAN port LED is on.
• Check that your cable or DSL modem is connected and functioning.
• If your ISP assigned a host name to your PC, enter that host name as the Account Name on the Broadband ISP Settings screen (see Figure 2-5 on page 2-9) or Dialup ISP Settings screen (see Figure 2-4 on page 2-6).
• Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs.
Problems with the date and time function can include:

• Date and time shown is Thu Jan 01 00:01:52 GMT 1970.
  Cause: The VPN firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes and check the date and time again.
• Time is off by one hour.
Table 7-1. Diagnostics Fields

Item | Description
Ping or Trace an IP address | Ping. Used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Appendix A
Default Settings and Technical Specifications

You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset.

• To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below.
• Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B
System Logs and Error Messages

This appendix uses the following log parameter terms.

Table B-1. Log Parameter Terms

Term | Description
[FVS338] | System identifier.
[kernel] | Message from the kernel.
CODE | Protocol code (e.g., protocol is ICMP, type 8) and CODE=0 means successful reply.
DEST | Destination IP address of the machine to which the packet is destined.
DPT | Destination port.
IN | Incoming interface for packet.
OUT | Outgoing interface for packet.
PROTO | Protocol used.
Table B-2. System Logs: System Startup

Message | Jan 1 15:22:28 [FVS338] [ledTog] [SYSTEM START-UP] System Started
Explanation | Log generated when the system is started.
Recommended Action | None

Reboot

This section describes log messages generated during system reboot.

Table B-3. System Logs: Reboot

Message | Nov 25 19:42:57 [FVS338] [reboot] Rebooting in 3 seconds
Explanation | Log generated when the system is rebooted from the web management.
Table B-4. System Logs: NTP (continued)

Explanation |
   Message 1: DNS resolution for the NTP server (time-f.netgear.com).
   Message 2: Request for NTP update from the time server.
   Message 3: Adjust time by re-setting system time.
   Message 4: Display date and time before synchronization, that is, when resynchronization started.
   Message 5: Display the new updated date and time.
   Message 6: Next synchronization will be after the specified time mentioned.
IPSec Restart

This logging is always done.

Table B-7. System Logs: IPSec Restart

Message | Jan 23 16:20:44 [FVS338] [wand] [IPSEC] IPSEC Restarted
Explanation | Log generated when IPSEC is restarted. This log is logged when IPSEC restarts after applying any changes in the configuration.
Recommended Action | None

WAN Status

This section describes the logs generated by the WAN component.
System Logs: WAN Status, Auto Rollover (continued)

Explanation | The logs suggest that the fail-over was detected after 5 attempts instead of 3. However, the reason the messages appear as above is the WAN state transition logic, which is part of the failover algorithm. The above logs can be interpreted as below. The primary link failure is properly detected after the 3rd attempt.
Table B-8. System Logs: WAN Status, PPPoE Idle-Timeout (continued)

Explanation |
   Message 1: PPPoE connection establishment started.
   Message 2: Message from PPPoE server for correct login.
   Message 3: Authentication for PPP succeeded.
   Message 4: Local IP address assigned by the server.
   Message 5: Server side IP address.
   Message 6: Primary DNS configured in WAN status page.
   Message 7: Secondary DNS configured in WAN status page.
PPP Authentication Logs

Table B-10. System Logs: WAN Status, PPP Authentication

Message |
   Nov 29 11:29:26 [FVS338] [pppd] Starting link
   Nov 29 11:29:29 [FVS338] [pppd] Remote message: Login incorrect
   Nov 29 11:29:29 [FVS338] [pppd] PAP authentication failed
   Nov 29 11:29:29 [FVS338] [pppd] Connection terminated.
Table B-11. System Logs: Web Filtering and Content Filtering (continued)

Explanation |
   • This packet is blocked by content filtering for cookies.
   • The URL blocked due to cookie filtering is shown by [URL] along with source and destination IP addresses, protocol, source port and destination port.
   • For other parameters, refer to Table B-1.
Recommended Action | None
Message | Jan 23 16:53:32 [FVS338] [kernel] [JAVA_BLOCKED] [URL]==>[ www.java.com/js/css.
ICMP Redirect Logs

Table B-14. System Logs: Unicast, Redirect

Message | Feb 2007 22 14:36:07 [FVS338] [kernel] [LOG_PACKET] SRC=192.168.1.49 DST=192.168.1.124 PROTO=ICMP TYPE=5 CODE=1
Explanation |
   • This packet is an ICMP Redirect message sent to the router by another router.
   • For other parameters, refer to Table B-1.
Invalid Packet Logging

Table B-17. System Logs: Invalid Packets

Message | 2007 Oct 1 00:44:17 [FVS338] [kernel] [INVALID] [NO_CONNTRACK_ENTRY] [DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation | No Connection Tracking entry exists.
Recommended Action |
   1. Invalid packets are dropped.
   2.
Table B-17. System Logs: Invalid Packets (continued)

Message | 2007 Oct 1 00:44:17 [FVS338] [kernel] [INVALID][BAD_CHECKSUM]DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation | Bad Checksum.
Recommended Action |
   1. Invalid packets are dropped.
   2.
Table B-17. System Logs: Invalid Packets (continued)

Recommended Action |
   1. Invalid packets are dropped.
   2. Use this command to enable dropping and logging of the invalid packets:
      fw/rules/attackChecks/configure dropInvalid 1
      To allow invalid packets and disable logging:
      fw/rules/attackChecks/configure dropInvalid 0
Message | 2007 Oct 1 00:44:17 [FVS338] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=192.168.20.10 DST=192.168.20.
LAN to WAN Logs

Table B-18. Routing Logs: LAN to WAN

Message | Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation |
   • This packet from LAN to WAN has been allowed by the firewall.
   • For other parameters, refer to Table B-1.
Recommended Action | None

WAN to LAN Logs

Table B-19.
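The kernel log lines in Tables B-14, B-17 and B-18 share one shape: a timestamp, the [FVS338] system identifier, bracketed tags, an optional verdict, and the KEY=VALUE parameters of Table B-1. The following added example (not NETGEAR code) parses that shape and summarises drops per source, which is the first thing a syslog consumer would do with these messages. It is fed the four message lines copied from the tables above, and it tolerates the unbalanced bracket in the BAD_CHECKSUM line by matching the verdict as a word rather than as a tag; the direction pattern generalises from the page's single LAN2WAN example.

```python
import re
from collections import Counter

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")           # SRC=..., DST=..., PROTO=..., TYPE=...
TAG_RE = re.compile(r"\[([A-Za-z0-9_\-]+)\]")       # [FVS338] [kernel] [INVALID] ...
VERDICT_RE = re.compile(r"\b(ACCEPT|DROP)\b")       # matched as a word: survives "]DROP]"
DIRECTION_RE = re.compile(r"\b([A-Z]+2[A-Z]+)\b")   # LAN2WAN; generalised, assumption

# Message lines copied from Tables B-14, B-17 and B-18 of this appendix.
SAMPLE_LOGS = [
    "Feb 2007 22 14:36:07 [FVS338] [kernel] [LOG_PACKET] SRC=192.168.1.49 DST=192.168.1.124 "
    "PROTO=ICMP TYPE=5 CODE=1",
    "2007 Oct 1 00:44:17 [FVS338] [kernel] [INVALID] [NO_CONNTRACK_ENTRY] [DROP] "
    "SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899",
    "2007 Oct 1 00:44:17 [FVS338] [kernel] [INVALID][BAD_CHECKSUM]DROP] "
    "SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899",
    "Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN "
    "SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0",
]

DEVICE_MARKER = "[FVS338]"
HOUSEKEEPING_TAGS = {"FVS338", "kernel", "INVALID", "DROP", "ACCEPT", "LOG_PACKET"}


def parse_log_line(line: str):
    """Split one kernel log line into timestamp, tags, verdict, direction and fields.

    Returns None when the system identifier is absent, so callers can skip
    lines that did not come from the device.
    """
    marker = line.find(DEVICE_MARKER)
    if marker < 0:
        return None
    body = line[marker:]
    verdict = VERDICT_RE.search(body)
    direction = DIRECTION_RE.search(body)
    return {
        "timestamp": line[:marker].strip(),
        "tags": TAG_RE.findall(body),
        "verdict": verdict.group(1) if verdict else None,
        "direction": direction.group(1) if direction else None,
        "fields": dict(FIELD_RE.findall(body)),
    }


def is_invalid_drop(rec) -> bool:
    """Table B-17 entries: stateful inspection rejected the packet."""
    return bool(rec) and "INVALID" in rec["tags"] and rec["verdict"] == "DROP"


def is_icmp_redirect(rec) -> bool:
    """Table B-14 entries: ICMP type 5 aimed at the router."""
    return bool(rec) and rec["fields"].get("PROTO") == "ICMP" and rec["fields"].get("TYPE") == "5"


def summarize(lines):
    """Count (source, verdict) pairs and collect why each source's packets were invalid."""
    counts = Counter()
    reasons = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        src = rec["fields"].get("SRC", "?")
        counts[(src, rec["verdict"] or "LOGGED")] += 1
        if is_invalid_drop(rec):
            why = [t for t in rec["tags"] if t not in HOUSEKEEPING_TAGS]
            reasons.setdefault(src, []).extend(why)
    return counts, reasons


if __name__ == "__main__":
    counts, reasons = summarize(SAMPLE_LOGS)
    for (src, verdict), n in sorted(counts.items()):
        print(f"{src:16} {verdict:7} {n}")
    print(reasons)
```

A steady stream of INVALID drops from one source is worth a look even though the firewall already discarded the packets: NO_CONNTRACK_ENTRY on a Telnet source port, as in the sample, is typical of replies to traffic the firewall never saw, which can mean asymmetric routing as easily as probing.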
Appendix C
Two Factor Authentication

This appendix provides an overview of Two-Factor Authentication, and an example of how to implement the WiKID solution. This appendix contains the following sections:

• “Why do I need Two-Factor Authentication?” on this page.
• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works.

1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses “continue” to receive the OTP from the WiKID authentication server:

Figure C-1

2.
Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it expires, the user must go through the request process again to generate a new OTP.

3. The user then proceeds to the Two-Factor Authentication login screen and enters the generated one-time passcode as the login password.
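The following is an added example, not WiKID's or NETGEAR's software, that models the three properties the note above relies on: the PIN (something the user knows) must be presented before a passcode is issued, the passcode is accepted once only, and it is refused after its expiration time. The 60-second lifetime and the 8-digit code length are constructed values, since the page gives neither; the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

OTP_TTL_SECONDS = 60   # constructed; the page does not state the real expiration time
OTP_DIGITS = 8         # constructed code length


def _pin_hash(pin: str, salt: bytes) -> bytes:
    """Store PINs only as salted PBKDF2 hashes."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class PendingOtp:
    digest: bytes      # SHA-256 of the issued code; the code itself is not retained
    expires_at: float


@dataclass
class OtpServer:
    """Hypothetical request-response OTP server (not the WiKID protocol)."""
    users: dict = field(default_factory=dict)     # user -> (salt, pin_hash)
    pending: dict = field(default_factory=dict)   # user -> PendingOtp
    clock: Callable[[], float] = time.time

    def enroll(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _pin_hash(pin, salt))

    def request_otp(self, user: str, pin: str):
        """Step 1: a correct PIN unlocks one fresh, time-limited code.

        Returns the code, or None when the user or PIN is wrong. Any earlier
        unused code for the user is superseded.
        """
        record = self.users.get(user)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _pin_hash(pin, salt)):
            return None
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user] = PendingOtp(hashlib.sha256(code.encode()).digest(),
                                        self.clock() + OTP_TTL_SECONDS)
        return code

    def verify(self, user: str, code: str) -> bool:
        """Step 3: accept the code once, and only before it expires.

        The pending entry is consumed on every attempt, so a wrong guess or a
        replay forces the user back through the request step.
        """
        pending = self.pending.pop(user, None)
        if pending is None:
            return False
        if self.clock() > pending.expires_at:
            return False
        return hmac.compare_digest(pending.digest, hashlib.sha256(code.encode()).digest())


if __name__ == "__main__":
    server = OtpServer()
    server.enroll("alice", "1234")            # constructed user and PIN
    code = server.request_otp("alice", "1234")
    print("first use:", server.verify("alice", code))    # True
    print("replay:", server.verify("alice", code))       # False: already consumed
```

Consuming the pending code on a failed attempt is a deliberate choice: it keeps an attacker who has captured a login page from guessing against a live code, at the cost of sending a legitimate user who mistypes back to the token software.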
Appendix D
Related Documents

This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

Document | Link
TCP/IP Networking Basics | http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Networking Basics | http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing Your Network | http://documentation.netgear.com/reference/enu/wsdhcp/index.
Index Numerics 3322.
Content Filtering 1-2, 4-1 Block Sites 4-26 enabling 4-27 Keyword Blocking 4-27 Web Components 4-26 content filtering Blocked Sites 4-1 Keyword Blocking 4-1 crossover cable 1-3, 7-2 CSR 5-22 address pool 3-4 enable 3-4 lease time 3-5 Diagnostics DNS lookup 7-8 Packet Trace 7-9 pinging an IP address 7-8 Reboot the Router 7-9 Diagnostics Fields descriptions of 7-9 Customized Services 4-3 service port numbers 4-20 Diagnostics screen 7-8 D Dial-up Traffic Met
about 4-2 ordering 4-8 Edit Group Names 3-9 Edit Service screen 4-22 E-mail alerts 6-23 fragmented IP packets 6-5 E-mail logs, enabling notification 4-36 E-mail Server address 6-25 Enable ARP Broadcast 3-5 Enable DHCP server 3-1 Enable LDAP Information 3-5 Encapsulating Security Payload. See ESP. Ending IP Address DHCP Address Pool 3-4 ESP VPN Policies, use with 5-19 Ethernet 1-3 Event Logs emailing of 6-23 Exposed Host 4-13 Extended Authentication.
LAN side bandwidth capacity 6-1 Internet Protocol Numbers 4-20 IP Address Pool use with ModeConfig 5-34 LAN Users Service Blocking 6-2 IP addresses auto-generated 7-3 DHCP address pool 3-1 how to assign 3-1 reserved 3-9 LAN WAN Inbound Rules configuring 4-9 IP/MAC Binding screen 4-32 LAN WAN Inbound Services Rules about 4-9 add 4-9 IPSec 4-17 Connection Status Fields, description of 6-36 LAN WAN Rules about 4-8 IPSec Connection Status screen 6-35 LAN
MTU Size 2-17 multi-NAT 4-12 N NAS Identifier 5-31, 6-12 NAT 4-1, 4-4 multi-NAT 4-12 NetBIOS bridging over VPN 5-44 P package contents 1-5 Packet Trace 7-9 Passwords restoring 7-7 passwords and login timeout changing 6-8 performance management 6-1 Network 4-1 Ping Troubleshooting TCP/IP 7-5 Network Access Server. See NAS. ping 7-9 Network Address Translation 1-3 pinging an IP address 7-8 Network Address Translation. See NAT.
R RADIUS description 6-11 WiKID 6-11 RADIUS Client screen 5-30 RADIUS server configuring 5-30 RADIUS-CHAP XAUTH, use with 5-27, 5-29 RADIUS-PAP XAUTH, use with 5-27, 5-29 Reboot the Router 7-9 Routing log messages B-12 Routing screen 3-11 rules allowing traffic 4-2 blocking traffic 4-2 service blocking 4-3 services-based 4-2 running tracert 6-16 S Schedule rules, covered by 6-3 reducing traffic Block Sites 6-2 Service Blocking 6-2 Source MAC filtering 6-2
management of 6-7 reducing 6-2 enabling 4-29 reducing traffic 6-4 spoof MAC address 7-5 traffic meter 2-18 spoofing UDP flood 4-17 Troubleshooting 7-1 Date and Time 7-8 ISP connection 7-4 LEDs 7-2 LEDs Never Turn Off 7-2 NTP 7-7 Power LED Not On 7-2 Web configuration 7-3 Starting IP Address DHCP Address Pool 3-4 stateful packet inspection 1-2, 4-1 Static Route example of 3-13 static routes configuring 3-11 example 3-13 Stealth Mode Attack Checks 4-16 Tru
VPN Logs screen 6-36 VPN Pass through 4-17 VPN Policies about 5-18 Auto 5-18 Manual method 5-18 VPN Policies screen 5-5, 5-8 VPN policy rules of use 5-18 X XAUTH about 5-26 configuring 5-27 Edge Device 5-26 IPSec Host 5-27 RADIUS-CHAP 5-27 RADIUS-PAP 5-27 User Database 5-29 VPN Tunnel connection status, monitoring 6-35 VPN Tunnel addresses Dual WAN Port systems 5-2 VPN Tunnels 6-6 VPN tunnels IPSec 4-17 L2TP 4-17 PPTP 4-17 VPN Wizard Gateway tunnel 5-2 VPN C