FVS338 ProSafe VPN Firewall 50 Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA March 2008 202-10046-06 v1.
© 2007 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR, the NETGEAR logo and ProSafe are trademarks and/or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc.
Product and Publication Details
Model Number: FVS338
Publication Date: March 2008
Product Family: VPN firewall
Product Name: ProSafe VPN Firewall 50
Home or Business Product: Business
Language: English
Publication Part Number: 202-10046-06
Publication Version Number 1.0
Contents

About This Manual
Conventions, Formats and Scope ... xiii
How to Use This Manual ... xiv
How to Print this Manual ... xiv
Revision History
Configuring the WAN Mode ... 2-15
Configuring Dynamic DNS (If Needed) ... 2-16

Chapter 3 LAN Configuration
Configuring Your LAN (Local Area Network) ... 3-1
Using the VPN Firewall as a DHCP Server ... 3-1
Configuring Multi-Home LAN IPs
Setting Block Sites (Content Filtering) ... 4-22
Enabling Source MAC Filtering ... 4-24
IP/MAC Binding ... 4-26
Setting Up Port Triggering ... 4-28
Bandwidth Limiting
Configuring the ProSafe VPN Client for ModeConfig ... 5-30
Certificates ... 5-33
Trusted Certificates (CA Certificates) ... 5-33
Self Certificates
Performing Diagnostics ... 6-26

Chapter 7 Troubleshooting
Basic Functions ... 7-1
Power LED Not On ... 7-1
LEDs Never Turn Off
Routing Logs ... B-14
LAN to WAN Logs ... B-15
LAN to DMZ Logs ... B-15
DMZ to WAN Logs ... B-15
WAN to LAN Logs
About This Manual

The NETGEAR® ProSafe™ VPN Firewall 50 FVS338 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills.

Conventions, Formats and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs.

• Typographical Conventions.
Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death.

• Scope. This manual is written for the VPN firewall according to these specifications:

Product Version | ProSafe VPN Firewall 50
Manual Publication Date | March 2008

For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix C, “Related Documents”.
• Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com.
– Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page.
• Click the PDF of This Chapter link at the top left of any page in the chapter you want to print.
Chapter 1 Introduction

The ProSafe VPN Firewall 50 with 8-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS338 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support.
• Flash memory for firmware upgrade.

Full Routing on Both the Broadband and Serial WAN Ports

You can install, configure, and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:
• Internet access via either the serial or broadband port.
• Port Forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
• Exposed Host (Software DMZ).
Easy Installation and Management

You can install, configure, and operate the ProSafe VPN Firewall 50 within minutes after connecting it to the network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux.
• ProSafe VPN Firewall 50.
• AC power adapter.
• Category 5 Ethernet cable.
• Resource CD, including:
– Application Notes and other helpful information.
– ProSafe VPN Client Software – one user license.
• Warranty and Support Information Card.

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.
Table 1-1. Object Descriptions

Object | Activity | Description
Power LED | On (Green) | Power is supplied to the router.
Power LED | Off | Power is not supplied to the router.
Test LED | On (Amber) | Test mode: The system is initializing or the initialization has failed.
Test LED | Blinking (Amber) | Writing to Flash memory (during upgrading or resetting to defaults).
Test LED | Off | The system has booted successfully.
Viewed from left to right, the rear panel contains the following elements:
• Modem port – serves as the WAN2 Internet port through the public switched telephone network (PSTN).
• Factory Defaults reset button.
• Local ports – 8-port RJ-45 10/100 Mbps Fast Ethernet Switch, N-way automatic speed negotiation, auto MDI/MDIX.
• Internet port – serves as the WAN1 Internet port. One RJ-45 WAN port, N-way automatic speed negotiation, Auto MDI/MDIX.
Figure 1-4 (callouts: LAN IP Address, User Name, Password)

To log in to the FVS338 once it is connected:
1. Open a Web browser.
2. Enter http://192.168.1.1 as the URL.
Figure 1-5
3. Once the login screen displays (Figure 1-5), enter the following:
• admin for User Name
• password for Password
Chapter 2 Connecting the FVS338 to the Internet

This section provides instructions for connecting the VPN firewall. Setting up VPN tunnels is covered in Chapter 5, “Virtual Private Networking”:
1. Connect the firewall physically to your network. Connect the cables, turn on your router and wait for the Test LED to go out. Make sure your Ethernet and LAN LEDs are lit. (See the FVS338 ProSafe VPN Firewall 50 Installation Guide on your Resource CD.)
2. Log in to the firewall.
To log in to the VPN firewall:
1. Open an Internet Explorer, Netscape® Navigator, or Firefox browser. In the browser window, enter http://192.168.1.1 in the address field. The FVS338 login screen will display.
Figure 2-1
2. Enter admin for the User Name and password for the Password, both in lower case letters. The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.
3.
Figure 2-2
2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support. When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table.
Table 2-1.
Table 2-1. Internet connection methods

Connection Method | Data Required
DHCP (Dynamic IP) | No data is required.
Fixed IP | IP address and related data supplied by your ISP.

3. Click Broadband Status at the top right of the screen to verify your Broadband connection status. Click Connect if a connection is not already present.
1. Select Network Configuration from the main menu, WAN Settings from the submenu and click the Dialup ISP Settings tab to display the Dialup settings screen.
Figure 2-4
2. Enter the following Dialup Account settings:
a. Account/User name: Enter the account name or the user name provided by your ISP. This name will be used to log in to the ISP server.
b. Password: The account password for the dialup ISP
c.
3. Specify the method to use for your Dial-up Connection Status. The VPN firewall can automatically dial to the ISP when a connection is needed or can be configured to wait for manual intervention:
a. Check the Connect automatically disconnect after idle for ___ min. radio box for the modem to connect automatically. Specify the idle minute amount. The router will connect whenever an outbound connection request is made from a computer on the LAN.
Set up the traffic meter for the Dialup ISP if desired (see “Programming the Traffic Meter (if Desired)” on page 2-12).

Note: The response time of your serial port Internet connection will be slower than a broadband Internet connection.

Tip: If you experience connectivity problems with the Dialup ISP, try a different baud rate setting and ensure that the modem parameters you selected match the modem connected to the FVS338.
This could occur on some older broadband modems. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100BaseT; otherwise, select 10BaseT. Use the half-duplex settings if full-duplex modes do not work.

Figure 2-5

You can also change the standard MTU (Maximum Transmit Unit) value for dialup modems from the Dialup ISP Settings screen. The standard value is 576 bytes, but some ISPs may require that you reduce the MTU.
Figure 2-6

Manually Configuring Your Internet Connection

If you know your Broadband ISP connection type, you can bypass the Auto Detect feature and connect your router manually. Ensure that you have all of the relevant connection information such as IP Addresses, account information, type of ISP connection, etc., before you begin.
Figure 2-7

To manually configure your WAN1 ISP settings:
1. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select Yes. Otherwise, select No.
2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box.
– Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave this field blank.
– Idle Timeout: Check the Keep Connected radio box to keep the connection always on. To log out after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field.
4. If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries may cause connectivity issues.

Note: Domain name servers (DNS) convert Internet names such as www.google.com, www.netgear.com, etc.
Figure 2-8
Table 2-2. Traffic Meter Settings

Parameter | Description
Enable Traffic Meter | Check this if you wish to record the volume of Internet traffic passing through the Router's Broadband or Dialup port. Broadband or Dialup can be selected by clicking the appropriate tab; the entire configuration is specific to each interface.
• No Limit - If this is selected, the specified restriction will not be applied when the traffic limit is reached.
Configuring the WAN Mode

The WAN Mode screen allows you to configure how your router uses your external Internet connections; for example, your WAN port or dialup modem connections.
• NAT. NAT is the technology which allows all PCs on your LAN to share a single Internet IP address. Viewed from the Internet, the WAN port on the VPN firewall is configured with a single IP address—the “public” address.
• If you have both ISP links connected for Internet connectivity, check the Primary Broadband with Dialup as backup for auto-rollover.
4. The WAN Failure Detection Method must be configured to notify the router of a link failure if you are using Dialup as a backup to engage auto-rollover. The router checks the connection of the primary link at regular intervals to detect its status.
This router firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
If you have configured Single Port, select the tab for a DNS service provider, then fill out the DDNS section for that port. If you have enabled Auto-Rollover, choose a service provider and complete both sections. (Only those options that match the configured WAN Mode will be accessible.)
2. Check the Dynamic DNS Service radio box you want to enable. The fields corresponding to the service you have selected will be highlighted.
Chapter 3 LAN Configuration

This chapter describes how to configure LAN Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50. These features can be found under the Network Configuration menu of the router interface.
To modify your LAN setup:
1. Select Network Configuration from the main menu and LAN Setup from the submenu. The LAN Setup screen will display.
Figure 3-1
2. Enter the IP Address of your router (factory default: 192.168.1.1). The IP address provided is the router's LAN IP address. (Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets.)
3. Enter the IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router).
4. Check the Enable DHCP Server radio button.
The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection.
Figure 3-2

The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the router.
• IP Address: The IP address alias added to the LAN port of the router. This is the gateway for computers that need to access the Internet.
• Subnet Mask: IPv4 Subnet Mask.
• Action/Edit: Click to make changes to the selected entry.
• Select All: Selects all the entries in the Available Secondary LAN IPs table.
Warning: Make sure the secondary IP addresses are different from the LAN, WAN, DMZ, and any other subnet attached to this router.

Example:
WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0
WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0
DMZ IP address: 192.168.10.1 with subnet 255.255.255.0
LAN IP address: 192.168.1.1 with subnet 255.255.255.0
Secondary LAN IP: 192.168.20.1 with subnet 255.255.255.
• MAC-level Control over PCs. The Network Database uses the MAC address to identify each PC or device, so changing a PC's IP address does not affect any restrictions on that PC.
• Group and Individual Control over PCs
– You can assign PCs to Groups and apply restrictions to each Group using the Firewall Rules screen (see “Services-Based Rules” on page 4-2).
Figure 3-3

The Network Database is created by:
• Using the DHCP Server: The router’s DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to the Network Database. Because of this, leaving the DHCP Server feature enabled (on the LAN Setup screen) is strongly recommended.
• Name: The name of the computer or device. Computers that do not support the NetBIOS protocol will be listed as Unknown. In this case, the name can be edited manually for easier management. If the computer was assigned an IP address by the DHCP server, then an asterisk is appended to the name.
• IP Address: The current IP address of the computer. For DHCP clients of the router, this IP address will not change.
Setting Up Address Reservation

When you specify a reserved IP address for a device on the LAN (based on the MAC address of the device), that computer or device will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP settings. The Reserved IP address that you select must be outside of the DHCP Server pool.
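The address rules in this chapter (LAN and DMZ ports in different subnets, secondary LAN IPs distinct from every other attached subnet, reserved addresses outside the DHCP Server pool) can be checked before the values are entered on the router. The Python script below is an added example, not NETGEAR code; the secondary LAN mask (cut off in the manual's example), the DHCP pool range and the MAC addresses are assumptions constructed for illustration.

```python
"""Added example (not NETGEAR code): validate a router address plan."""
import ipaddress


def overlapping_subnets(interfaces):
    """Return sorted (name_a, name_b) pairs whose subnets overlap.

    interfaces maps an interface name to an (ip, netmask) pair, the same
    two fields the router's setup screens ask for.
    """
    nets = {
        name: ipaddress.ip_interface(f"{ip}/{mask}").network
        for name, (ip, mask) in interfaces.items()
    }
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


def reservation_problems(lan_ip, lan_mask, pool_start, pool_end, reservations):
    """Return {mac: reason} for every reserved address that breaks a rule."""
    lan = ipaddress.ip_interface(f"{lan_ip}/{lan_mask}")
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems, used = {}, {}
    for mac, ip in reservations.items():
        addr = ipaddress.ip_address(ip)
        if addr not in lan.network:
            problems[mac] = "outside the LAN subnet"
        elif addr == lan.ip:
            problems[mac] = "same as the router's LAN address"
        elif start <= addr <= end:
            problems[mac] = "inside the DHCP pool"
        elif addr in used:
            problems[mac] = f"already reserved for {used[addr]}"
        else:
            used[addr] = mac
    return problems


# Address plan from the manual's example. The secondary LAN mask is cut
# off in the manual; 255.255.255.0 is ASSUMED here.
MANUAL_PLAN = {
    "WAN1": ("10.0.0.1", "255.0.0.0"),
    "WAN2": ("20.0.0.1", "255.0.0.0"),
    "DMZ": ("192.168.10.1", "255.255.255.0"),
    "LAN": ("192.168.1.1", "255.255.255.0"),
    "Secondary LAN": ("192.168.20.1", "255.255.255.0"),
}

# CONSTRUCTED mistake: the secondary LAN alias lands inside the DMZ subnet.
BAD_PLAN = {**MANUAL_PLAN, "Secondary LAN": ("192.168.10.129", "255.255.255.128")}

# CONSTRUCTED DHCP pool and reservations (not values from the manual).
POOL = ("192.168.1.2", "192.168.1.100")
RESERVATIONS = {
    "00:11:22:33:44:01": "192.168.1.200",  # valid
    "00:11:22:33:44:02": "192.168.1.50",   # inside the pool
    "00:11:22:33:44:03": "192.168.20.10",  # not on the LAN subnet
    "00:11:22:33:44:04": "192.168.1.200",  # duplicate of the first entry
}

if __name__ == "__main__":
    print("manual plan clashes:", overlapping_subnets(MANUAL_PLAN))
    print("bad plan clashes:   ", overlapping_subnets(BAD_PLAN))
    bad = reservation_problems("192.168.1.1", "255.255.255.0", *POOL, RESERVATIONS)
    for mac, reason in bad.items():
        print(f"{mac}: {reason}")
```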
5. Type the Destination IP Address or network of the route’s final destination.
6. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255.
Figure 3-4
7. From the Interface pull-down menu, select the physical network interface (Broadband, Dialup, or LAN) through which this route is accessible.
8.
• You have an ISDN firewall on your home network for connecting to the company where you are employed. This firewall’s address on your LAN is 192.168.1.100.
• Your company’s network is 134.177.0.0.

When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.1.x addresses.
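To see why the extra static route matters in this scenario, the added Python example below (not part of the manual or the router firmware) resolves destinations by longest-prefix match, first against the two implicit routes and then with a route to the company network added. The 255.255.0.0 mask for 134.177.0.0, the ISP-GATEWAY placeholder and the 198.51.100.7 host route are assumptions.

```python
"""Added example (not NETGEAR code): static routes and longest-prefix match."""
import ipaddress


def build_table(routes):
    """routes: iterable of (destination, netmask, gateway, interface)."""
    return [
        (ipaddress.ip_network(f"{dst}/{mask}"), gateway, iface)
        for dst, mask, gateway, iface in routes
    ]


def next_hop(table, destination):
    """Return (matched network, gateway, interface) for destination.

    The most specific matching route wins; None means no route at all.
    """
    addr = ipaddress.ip_address(destination)
    candidates = [row for row in table if addr in row[0]]
    if not candidates:
        return None
    net, gateway, iface = max(candidates, key=lambda row: row[0].prefixlen)
    return str(net), gateway, iface


def uses_default_route(table, destination):
    """True when traffic to destination would leave via the default route."""
    hit = next_hop(table, destination)
    return hit is not None and hit[0] == "0.0.0.0/0"


# The two implicit routes the manual describes. "ISP-GATEWAY" is a
# placeholder; a gateway of None means the network is directly connected.
IMPLICIT_ROUTES = [
    ("0.0.0.0", "0.0.0.0", "ISP-GATEWAY", "Broadband"),
    ("192.168.1.0", "255.255.255.0", None, "LAN"),
]

# Static route to the company network through the ISDN firewall at
# 192.168.1.100. The 255.255.0.0 mask is ASSUMED.
COMPANY_ROUTE = ("134.177.0.0", "255.255.0.0", "192.168.1.100", "LAN")

# CONSTRUCTED single-host route, using the 255.255.255.255 mask the manual
# prescribes for a single host.
HOST_ROUTE = ("198.51.100.7", "255.255.255.255", "192.168.1.100", "LAN")

if __name__ == "__main__":
    before = build_table(IMPLICIT_ROUTES)
    after = build_table(IMPLICIT_ROUTES + [COMPANY_ROUTE, HOST_ROUTE])
    for dest in ("134.177.5.9", "192.168.1.77", "198.51.100.7", "198.51.100.8"):
        print(f"{dest:15} before={next_hop(before, dest)} after={next_hop(after, dest)}")
```

Without the company route, traffic for 134.177.x.x matches only the default route and is sent to the ISP instead of through the ISDN firewall.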
Figure 3-5

To enable RIP:
1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display.
2. Click the RIP Configuration link. The RIP Configuration screen will display.
3. From the RIP Direction pull-down menu, select the direction for the router to send and receive RIP packets:
• Both – the router broadcasts its routing table and also processes RIP information received from other routers.
• None – the router neither broadcasts its route table nor does it accept any RIP packets from other routers. This effectively disables RIP.
4. Select the RIP Version from the pull-down menu:
• RIP-1 – classful routing and does not include subnet information. This is the most commonly supported version.
• RIP-2 – supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format:
  • RIP-2B – uses subnet broadcasting.
Chapter 4 Firewall Protection and Content Filtering

The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators can establish restricted access policies based on time-of-day, Web addresses and Web address keywords. You can also block Internet access by applications and services, such as chat or games. It also provides various firewall activity reports and instant alerts via e-mail.
• Outbound: Allow all access from the LAN side to the outside.

Services-Based Rules

The rules to block traffic are based on the traffic’s category of service.
• Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
• Outbound Rules (service blocking).
Table 4-1. Outbound Rules Fields

Item | Description
Services | Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-18).
Table 4-1. Outbound Rules Fields (continued)

Item | Description
QoS Priority | This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy.
Table 4-2. Inbound Rules Fields

Item | Description
Services | Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-18).
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.

Remember that allowing inbound services opens holes in your VPN firewall.
Setting LAN WAN Rules

The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the LAN to the Internet (Outbound) or coming in from the Internet to the LAN (Inbound). The default policy can be changed to block all outbound traffic and enable only specific services to pass through the router.
1. In the Action column adjacent to the rule click:
• Edit – to make any changes to the rule definition of an existing rule. The Outbound Service screen will display containing the data for the selected rule (see Figure 4-3 on page 4-9).
• Up – to move the rule up one position in the table rank.
• Down – to move the rule down one position in the table rank.
2. Check the radio box adjacent to the rule and click:
• Click Disable to disable the rule.
Figure 4-3

LAN WAN Inbound Services Rules

This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked.

WAN Users: Whether all WAN addresses or specific IP addresses are included in the rule.

To create a new inbound service rule:
1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen will display.
2.
Figure 4-4

Attack Checks

This screen allows you to specify whether or not the router should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below:
• WAN Security Checks
– Respond To Ping On Internet Ports. When enabled, the router will respond to a “Ping” from the Internet.
• LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) verify that no application is listening at that port, and then (3) reply with an ICMP Destination Unreachable packet.
Figure 4-5

Session Limit

Session Limit allows you to specify the total number of sessions per user over an IP (Internet Protocol) connection allowed across the router. This feature can be enabled on the Session Limit screen and is shown below (Session Limit is disabled by default):

Figure 4-6
To enable Session Limit:
1. Click the Yes radio button under Do you want to enable Session Limit?
2. From the User Limit Parameter drop-down list, define the maximum number of sessions per IP either as a percentage of maximum sessions or as an absolute value. The percentage is computed on the total connection capacity of the device.
3. Enter the User Limit.
Figure 4-7

Allowing Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown to the right, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
Figure 4-8

Setting Up One-to-One NAT Mapping

In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a Web server on the LAN.
6. From the Public Destination IP Address pull-down menu, choose Other Public IP Address.
7. Enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server.
8. Click Apply. The rule will display in the Inbound Services table shown in Figure 4-10.

Figure 4-9

Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-10).
To test the connection from a PC on the Internet, type http://, where is the public IP address you have mapped to your Web server. You should see the home page of your Web server.

Specifying an Exposed Host

Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN as this host:
1.
Outbound Rules Example – Blocking Instant Messenger

Outbound rules let you prevent users from using applications such as AOL Instant Messenger, Real Audio or other non-essential sites. If you want to block AOL Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
Although the FVS338 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 4-13. To define a new service, first you must determine which port number or range of numbers is used by the application.
To add a service:
1. Select Security from the main menu and Services from the submenu. The Services screen will display.
2. In the Add Custom Service table, enter a descriptive name for the service (this is for your convenience).
3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses.
• Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
• Minimize-Cost: Used when data has to be transferred over a link that has a lower “cost”. The IP packets for services with this priority are marked with a ToS value of 1.
• Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission.
Repeat these 5 steps to set a schedule for Schedule 2 and Schedule 3.
Figure 4-14

Setting Block Sites (Content Filtering)
If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed.
You can bypass Keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains or keywords on this list by PCs, even those in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.
Keyword Blocking application examples:
• If the keyword “XXX” is specified, the URL is blocked, as is the newsgroup alt.pictures.XXX.
Figure 4-15

Enabling Source MAC Filtering
Source MAC Filter allows you to filter out traffic coming from certain known machines or devices.
• By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed by default.
• When enabled, traffic coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table will be dropped.
Figure 4-16
Note: For additional ways of restricting outbound traffic, see “LAN WAN Outbound Services Rules” on page 4-8.
To enable MAC filtering and add MAC addresses to be blocked:
1. Select Security from the main menu and Source MAC Filter from the sub-menu. The Source MAC Filter screen will display.
6. When you have completed adding MAC addresses, click Apply to save your settings.

IP/MAC Binding
IP/MAC Binding allows you to bind an IP to a MAC address and vice-versa. Some machines are configured with static addresses. To prevent users from changing their static IP addresses, IP/MAC Binding must be enabled on the router.
Figure 4-17
The IP/MAC Binding Table lists the currently defined IP/MAC Bind rules:
• Name: Displays the user-defined name for this rule.
• MAC Addresses: Displays the MAC Addresses for this rule.
• IP Addresses: Displays the IP Addresses for this rule.
• Log Dropped Packets: Displays the logging option for this rule.
2. To add an IP/MAC Bind rule, enter:
a. Name: Specify an easily identifiable name for this rule.
b.
4. To remove an entry from the table, select the IP/MAC Bind entry and click Delete.
5. Click Apply to save your settings.

Setting Up Port Triggering
Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the Application. Once configured, Port Triggering operates as follows:
1.
2. From the Enable pull-down menu, indicate if the rule is enabled or disabled.
Figure 4-18
3. From the Protocol pull-down menu, select either TCP or UDP protocol.
4. In the Outgoing (Trigger) Port Range fields:
a. Enter the Start Port range (1 - 65534).
b. Enter the End Port range (1 - 65534).
5. In the Incoming (Response) Port Range fields:
a. Enter the Start Port range (1 - 65534).
b. Enter the End Port range (1 - 65534).
6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table.
To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
2. Modify any of the fields for this rule.
3. Click Reset to cancel any changes and return to the previous settings.
4. Click Apply to save your modifications.
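The following is an added example, not NETGEAR code: a small Python model of the state a port triggering rule creates, useful for reasoning about when the incoming (response) ports are actually open. It assumes the usual port-triggering behaviour (one LAN host holds a rule at a time and the opening expires after an idle period); the class names, the 600-second timeout and the sample rule are constructed.

```python
"""Added example: a small model of port-triggering state (not firmware code)."""
from dataclasses import dataclass

MAX_PORT = 65534  # upper bound of the Start/End Port fields in the manual


@dataclass(frozen=True)
class TriggerRule:
    name: str
    protocol: str      # "TCP" or "UDP"
    trigger: tuple     # Outgoing (Trigger) Port Range: (start, end)
    response: tuple    # Incoming (Response) Port Range: (start, end)

    def __post_init__(self):
        # Reject rules the configuration screen would not accept.
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError(f"{self.name}: protocol must be TCP or UDP")
        for label, (start, end) in (("trigger", self.trigger), ("response", self.response)):
            if not 1 <= start <= end <= MAX_PORT:
                raise ValueError(f"{self.name}: {label} range {start}-{end} is outside 1-{MAX_PORT}")


def _within(port, port_range):
    return port_range[0] <= port <= port_range[1]


class PortTriggerTable:
    def __init__(self, rules, idle_timeout=600):
        self.rules = list(rules)
        self.idle_timeout = idle_timeout   # seconds; constructed value (assumption)
        self._holders = {}                 # rule name -> (LAN IP, expiry time)

    def _holder(self, rule, now):
        """Return the (LAN IP, expiry) pair holding this rule, dropping it once expired."""
        holder = self._holders.get(rule.name)
        if holder and holder[1] > now:
            return holder
        self._holders.pop(rule.name, None)
        return None

    def outbound(self, now, lan_ip, protocol, dst_port):
        """A LAN host sends to dst_port; return the names of rules it opened or refreshed."""
        opened = []
        for rule in self.rules:
            if rule.protocol != protocol or not _within(dst_port, rule.trigger):
                continue
            holder = self._holder(rule, now)
            # Assumption: a second host cannot take over a rule that is still in use.
            if holder is None or holder[0] == lan_ip:
                self._holders[rule.name] = (lan_ip, now + self.idle_timeout)
                opened.append(rule.name)
        return opened

    def inbound(self, now, protocol, dst_port):
        """Return the LAN IP an unsolicited inbound packet is forwarded to, or None if dropped."""
        for rule in self.rules:
            holder = self._holder(rule, now)
            if holder and rule.protocol == protocol and _within(dst_port, rule.response):
                return holder[0]
        return None

    def status(self, now):
        """Rows comparable to the Port Triggering status screen: rule, LAN IP, open ports, seconds left."""
        rows = []
        for rule in self.rules:
            holder = self._holder(rule, now)
            if holder:
                rows.append((rule.name, holder[0], rule.response, holder[1] - now))
        return rows


def demo_table():
    """Constructed rule: outbound TCP 6000-6010 opens inbound TCP 7000-7010."""
    return PortTriggerTable([TriggerRule("constructed-app", "TCP", (6000, 6010), (7000, 7010))])


if __name__ == "__main__":
    table = demo_table()
    print(table.inbound(0, "TCP", 7005))                    # closed before any trigger
    print(table.outbound(5, "192.168.1.20", "TCP", 6001))   # trigger fires
    print(table.inbound(10, "TCP", 7005))                   # forwarded to the triggering host
    print(table.inbound(605, "TCP", 7005))                  # closed again after the timeout
```

The model makes the exposure window explicit: the response ports accept unsolicited traffic only while a rule is held, and only toward the host that triggered it.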
• Bandwidth limiting for outbound traffic is done on the available WAN interface in both the single port and Auto Rollover modes. Bandwidth limiting is handled on the user-specified interface in Load Balancing mode.
• Bandwidth limiting for inbound traffic is handled on the LAN interface for all WAN modes. Bandwidth limiting does not apply to the DMZ interface.
• WAN: Displays the WAN interface for the Load Balancing mode.
2. Click Add to add a new Bandwidth Profile. When the Add New Bandwidth Profile screen displays, enter the following:
a. Name: Specify an easily identifiable name for the profile.
b. Minimum Bandwidth: Specify the minimum bandwidth value in Kbps for the profile.
c. Maximum Bandwidth: Specify the maximum bandwidth value in Kbps for the profile.
d. Type: Specify the type of profile.
e.
other general information based on the settings you input on the Firewall Logs & E-mail screen. In addition, if you have set up Content Filtering on the Block Sites screen (see “Setting Block Sites (Content Filtering)” on page 4-22), a log will be generated when someone on your network tries to access a blocked site. You must have e-mail notification enabled to receive the logs in an e-mail message.
To set up Firewall Logs and E-mail alerts:
1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display.
2. Enter the name of the log in the Log Identifier field. Log Identifier is a mandatory field used to identify the log messages. The ID is appended to log messages.
3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select: Never, Hourly, Daily, or Weekly.
• LOG_WARNING (Warning conditions)
• LOG_NOTICE (Normal but significant conditions)
• LOG_INFO (Informational messages)
• LOG_DEBUG (Debug level messages)
10. Click Reset to cancel your changes and return to the previous settings.
11. Click Apply to save your settings.
To view the Firewall logs:
1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display.
2.
Table 4-3. Log Entry Descriptions
Field | Description
Date and Time | The date and time the log entry was recorded.
Description or Action | The type of event and what action was taken if any.
Source IP | The IP address of the initiating device for this log entry.
Source port and interface | The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ.
Chapter 5 Virtual Private Networking
This chapter describes how to use the Virtual Private Networking (VPN) features of the VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
Setting up a VPN Connection using the VPN Wizard
Setting up a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard can assist in guiding you through the setup procedure by asking you a series of questions that will determine the IPSec keys and VPN policies it sets up.
The Local WAN IP address is the address used in the IKE negotiation phase. The WAN IP address assigned by your ISP may display automatically. You can modify the address to use your FQDN; this is required if the WAN Mode you selected is auto-rollover.
7. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway; otherwise the secure tunnel will fail to connect.
IKE Policies
The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways, and provides automatic management of the Keys used in IPSec. It is important to remember that:
• “Auto” generated VPN policies must use the IKE negotiation protocol.
• “Manual” generated VPN policies cannot use the IKE negotiation protocol.

IKE Policy Operation
IKE Policies are activated when:
1.
• Name. Uniquely identifies each IKE policy. The name is chosen by you and used for the purpose of managing your policies; it is not supplied to the remote VPN Server. If the Policy is a Client Policy, it will be prepended by an “*”.
• Mode. Two modes are available: either “Main” or “Aggressive”.
– Main Mode is slower but more secure.
– Aggressive mode is faster but less secure.
In addition, a CA (Certificate Authority) can also be used to perform authentication (see “Certificates” on page 5-33). To use a CA, each VPN Gateway must have a Certificate from the CA. For each Certificate, there is both a “Public Key” and a “Private Key”. The “Public Key” is freely distributed, and is used to encrypt data. The receiver then uses their “Private Key” to decrypt the data (without the Private Key, decryption is impossible).
– Reconnect after failure count: Fresh negotiation starts when no acknowledgement is received for the specified number of consecutive packets.
• Local. IP address (either a single address, range of addresses or subnet address) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (Subnet address is the default IP address when using the VPN Wizard).
• Remote. IP address or address range of the remote network.
Creating a VPN Gateway Connection: Between FVS338 and FVX538
This section describes how to configure a VPN connection between a NETGEAR FVS338 VPN Firewall and a NETGEAR FVX538 VPN Firewall. Using each firewall's VPN Wizard, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses. Either firewall can initiate the connection.
Figure 5-1
The IKE Policies screen will display showing the new “to_fvx” policy.
Figure 5-2
You can view the IKE parameters by clicking Edit in the Action column adjacent to the “to_fvx” policy. It should not be necessary to make any changes.
Figure 5-3
Click the IKE Policies tab to view the corresponding IKE Policy. The IKE Policies screen will display.
Figure 5-4
You can view the VPN parameters by clicking Edit in the Actions column adjacent to “to_fvx”. It should not be necessary to make any changes.
Figure 5-5

Configuring the FVX538
To configure the FVX538 using the VPN Wizard:
1. Select VPN from the main menu. The Policies screen will display. Click the VPN Wizard link. The VPN Wizard screen will display.
2. Check the Gateway radio box to establish a remote VPN gateway.
3. Give the new connection a name such as to_fvs.
4. Enter a value for the pre-shared key.
5. Enter the WAN IP address or Internet name of the remote WAN.
6. Enter the remote LAN IP address and subnet mask.
7. Click Apply to create the “to_fvs” IKE and VPN policies.
Figure 5-6

Testing the Connection
1. From a PC on either firewall’s LAN, try to ping a PC on the other firewall’s LAN. Establishing the VPN connection may take several seconds.
2. For additional status and troubleshooting information, view the VPN log and status menu in the FVX538 or FVS338.
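When the ping test fails, the usual cause is that the two wizards were not filled in as mirror images of each other. The following added example (not NETGEAR code) checks a pair of gateway policies for the mismatches this chapter warns about; the field names are hypothetical, and the addresses and keys are constructed sample values.

```python
"""Added example: verify that two gateway-to-gateway VPN policies mirror each other."""
import hmac
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass(frozen=True)
class WizardPolicy:
    """Values typed into one firewall's VPN Wizard (field names are hypothetical)."""
    name: str
    local_wan: str        # this gateway's WAN IP address or Internet name
    remote_wan: str       # WAN IP address or Internet name of the remote WAN
    local_lan: tuple      # (LAN IP address, subnet mask) behind this gateway
    remote_lan: tuple     # (remote LAN IP address, subnet mask) as entered
    pre_shared_key: str
    exchange_mode: str = "Main"
    encryption: str = "3DES"
    authentication: str = "SHA-1"


def _net(lan):
    """Normalise an (address, mask) pair to its network, e.g. 192.168.1.1/24 -> 192.168.1.0/24."""
    address, mask = lan
    return ip_network(f"{address}/{mask}", strict=False)


def mirror_mismatches(a, b):
    """Return a list of mismatches; an empty list means the two policies mirror each other."""
    problems = []
    for here, peer in ((a, b), (b, a)):
        if here.remote_wan.strip().lower() != peer.local_wan.strip().lower():
            problems.append(
                f"{here.name}: remote WAN {here.remote_wan!r} is not "
                f"{peer.name}'s local WAN {peer.local_wan!r}")
        if _net(here.remote_lan) != _net(peer.local_lan):
            problems.append(
                f"{here.name}: remote LAN {_net(here.remote_lan)} does not match "
                f"{peer.name}'s local LAN {_net(peer.local_lan)}")
    if _net(a.local_lan).overlaps(_net(b.local_lan)):
        problems.append("local LAN subnets overlap; each side needs a distinct subnet")
    # Compare keys in constant time and never echo them into a report or log.
    if not hmac.compare_digest(a.pre_shared_key.encode(), b.pre_shared_key.encode()):
        problems.append("pre-shared keys differ")
    for attr in ("exchange_mode", "encryption", "authentication"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(
                f"{attr} differs: {a.name}={getattr(a, attr)!r}, {b.name}={getattr(b, attr)!r}")
    return problems


# Constructed sample policies (documentation address ranges, made-up keys).
FVS338 = WizardPolicy(
    name="to_fvx", local_wan="198.51.100.10", remote_wan="203.0.113.20",
    local_lan=("192.168.1.1", "255.255.255.0"),
    remote_lan=("192.168.2.1", "255.255.255.0"),
    pre_shared_key="constructed-key-A")
FVX538 = WizardPolicy(
    name="to_fvs", local_wan="203.0.113.20", remote_wan="198.51.100.10",
    local_lan=("192.168.2.1", "255.255.255.0"),
    remote_lan=("192.168.1.1", "255.255.255.0"),
    pre_shared_key="constructed-key-A")
# Same peer with two typical data-entry errors: wrong subnet mask and a different key.
BROKEN_FVX538 = replace(
    FVX538, remote_lan=("192.168.1.1", "255.255.0.0"),
    pre_shared_key="constructed-key-B")

if __name__ == "__main__":
    print(mirror_mismatches(FVS338, FVX538) or "policies mirror each other")
    for problem in mirror_mismatches(FVS338, BROKEN_FVX538):
        print("MISMATCH:", problem)
```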
Using the FVS338 VPN Wizard, we will create a single set of policies (IKE and VPN) that will allow up to 50 remote PCs to connect from locations in which their IP addresses are unknown in advance. The PCs may be directly connected to the Internet or may be behind NAT routers. If more PCs are to be connected, an additional policy or policies must be created. Each PC will use the NETGEAR VPN Client.
Figure 5-7 (labels: fvs_remote.com, fvs_local.com)

Configuring the VPN Client
On a remote PC that has a NETGEAR ProSafe VPN Client installed, configure the client using the FVS338 VPN Client default parameters (displayed in both the IKE Policy table and the VPN Policy table of the FVS338 under the name “home”):
• Local FQDN (the router): fvs_local.com
• Remote FQDN (the client): fvs_remote.
To configure the VPN Client:
1. Right-click on the VPN client icon in your Windows toolbar and select the Security Policy Editor. The Security Policy Editor screen will display.
2. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection.
Figure 5-8
3. Give the New Connection a name, such as to_FVS (shown in Figure 5-9).
4. In the Remote Party Identity section, from the ID Type pull-down menu, select IP Subnet.
5.
Figure 5-9 (values shown: fvs_local.com, 10.1.32.41)
8. In the left frame, click on My Identity (shown in Figure 5-10).
9. From the Select Certificate pull-down menu, select None.
10. From the ID Type pull-down menu, select Domain Name and enter fvs_remote.com in the field provided.
11. Leave Virtual Adapter disabled, and select your computer’s Network Adapter. Your current IP address will appear.
Figure 5-10 (values shown: fvs_remote.com, 10.0.0.12)
12. Before leaving the My Identity menu, click Pre-Shared Key.
13. Click Enter Key, and type your preshared key. Click OK. This key will be shared by all users of the FVS338 policy “home”.
Figure 5-11 (value shown: 10.0.0.12)
14. In the left frame, click Security Policy (shown in Figure 5-12).
15. Select Phase 1 Negotiation Mode by checking the Aggressive Mode radio box.
16. PFS Key Group should be disabled, and Enable Replay Detection should be enabled.
Figure 5-12
17. In the left frame, expand Authentication (Phase 1) and select Proposal 1. Compare with the figure below. No changes should be necessary.
Figure 5-13
18. In the left frame, expand Key Exchange (Phase 2) and select Proposal 1. Compare with the figure below. No changes should be necessary.
19. In the upper left of the window, click the disk icon to save the policy.
Figure 5-14

Testing the Connection
To test your VPN connection:
1. Right-click the VPN client icon in your Windows toolbar and select Connect..., and then select My Connections\to_FVS.
Figure 5-15

Extended Authentication (XAUTH) Configuration
When connecting many VPN clients to a VPN gateway router, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the VPN gateway router to authenticate users from a stored list of user accounts.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the router will then connect to a RADIUS server.

Configuring XAUTH for VPN Clients
Once the XAUTH has been enabled, you must establish user accounts on the Local Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.
• IPSec Host if you want to be authenticated by the remote gateway. In the adjacent Username and Password fields, type in the user name and password associated with the IKE policy for authenticating this gateway (by the remote gateway).
4. Click Apply to save your settings.
Figure 5-16

User Database Configuration
The User Database Screen is used to configure and administer VPN Client users for use by the XAUTH server.
3. Enter a Password for the user, and reenter the password in the Confirm Password field.
4. Click Add. The User Name will be added to the Configured Hosts table.
Figure 5-17
To edit the user name or password:
1. Click Edit opposite the user’s name. The Edit User screen will display.
2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings.
information such as a username/password or some encrypted response using his username/password information. The gateway will try to verify this information first against a local User Database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.
To configure the Primary RADIUS Server:
1. Select VPN from the main menu, VPN Client from the submenu and then select the RADIUS Client tab.
Figure 5-18

Manually Assigning IP Addresses to Remote Users (ModeConfig)
To simplify the process of connecting remote VPN clients to the FVS338, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the router. Remote users are given IP addresses available in secured network space so that remote users appear as seamless extensions of the network.
ModeConfig Operation
After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The ModeConfig module will allocate an IP address from the configured IP address pool and will activate a temporary IPSec policy using the template security proposal information configured in the ModeConfig record.
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
• SA Lifetime: 3600 seconds
• Authentication Algorithm: SHA-1
• Encryption Algorithm: 3DES
10. Click Apply. The new record should appear in the VPN Remote Host Mode Config Table (a sample record is shown below).
Figure 5-19
To configure an IKE Policy:
1. From the main menu, select VPN.
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display.
3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the View selected radio box.) Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by a FQDN.
4. In the General section:
a.
9. If Edge Device was enabled, select the Authentication Type from the pull-down menu which will be used to verify account information: User Database, RADIUS-CHAP or RADIUS-PAP. Users must be added through the User Database screen (see “User Database Configuration” on page 5-22 or “RADIUS Client Configuration” on page 5-23).
Note: If RADIUS-PAP is selected, the router will first check the User Database to see if the user credentials are available.
Configuring the ProSafe VPN Client for ModeConfig
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.
To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
a. Give the connection a descriptive name such as “modecfg_test” (this name will only be used internally).
b.
b. From the Select Certificate pull-down menu, select None.
c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created; for example “remote_id.com”.
d. Under the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0.
Figure 5-23
5. Click on Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds)).
Figure 5-24
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.
To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”.
2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” will display and the VPN client icon in the toolbar will read “On”.
3. From the client PC, ping a computer on the VPN firewall LAN.
2. Click Browse to locate the trusted certificate on your computer and then click Upload. The certificate will be stored on the router and will display in the Trusted Certificates table.
Figure 5-25

Self Certificates
Active Self certificates are certificates issued to you by the various Certificate Authorities (CAs) that are available for presentation to peer IKE servers. Each active self certificate is listed in the Active Self Certificates table.
• Name – Enter a name that will identify this Certificate.
• Subject – This is the name which other organizations will see as the Holder (owner) of the Certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. This information must be submitted in the following format: C=, ST=, L=, O=, OU=, CN=.
Figure 5-26 (callout: Save to file)
To submit your Self Certificate request to a CA:
1. Connect to the web site of the CA.
2. Start the Self Certificate request procedure.
3. When prompted for the requested data, copy the data from your saved data file (including “---BEGIN CERTIFICATE REQUEST---” and “---END CERTIFICATE REQUEST---”).
4. Submit the CA form. If no problems ensue, the Certificate will be issued.
When you obtain the certificate from the CA, you can then upload it to your computer. Click Browse to locate the Certificate file and then click Upload. The certificate will display in the Active Self Certificates table (see Figure 5-25).
Certificates are updated by their issuing CA authority on a regular basis. You should track all of your CAs to ensure that you have the latest version and/or that your certificate has not been revoked.
Chapter 6 Router and Network Management
This chapter describes how to use the network management features of your ProSafe VPN Firewall 50. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The ProSafe VPN Firewall 50 offers many tools for managing the network traffic to optimize its performance.
Service Blocking
You can control specific outbound traffic (for example, from LAN to WAN). Outbound Services lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic.
Warning: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.
See “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-1 for the procedure on how to use this feature.
Services. The Rules menu contains a list of predefined Services for creating firewall rules. If a service does not appear in the predefined Services list, you can define the service. The new service will then appear in the Rules menu's Services list. See “Services-Based Rules” on page 4-2 for the procedure on how to use this feature.
You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs even in the groups for which keyword blocking has been enabled will still be allowed without any blocking.
• Web Component Blocking – You can block the following Web component types: Proxy, Java, ActiveX, and Cookies.
You can control specific inbound traffic (i.e., from WAN to LAN and from WAN to DMZ). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic.
• Services – You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-18).
• Schedule – You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see “Setting a Schedule to Block or Allow Traffic” on page 4-21).
Using QoS to Shift the Traffic Mix
The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall. The QoS is set individually for each service.
• You can accept the default priority defined by the service itself by not changing its QoS setting.
To modify User or Admin settings:
1. Select Administration from the main menu and Set Password from the submenu. The Set Password screen will display.
2. Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box.
3. Change the password by first entering the old password, and then entering the new password twice.
4. Click Apply to save your settings or Cancel to return to your previous settings.
5.
Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset.

Enabling Remote Management Access
Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging in to the VPN Firewall” on page 2-1).
Figure 6-2 (address shown: https://194.177.0.123:8080)
To configure your firewall for Remote Management:
1. Select the Turn Remote Management On check box.
a. Specify what external addresses will be allowed to access the firewall’s remote management.
Note: For enhanced security, restrict access to as few external IP addresses as practical.
b. To allow access from any IP address on the Internet, select Everyone.
c.
2. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.
3.
3. Specify what external addresses will be allowed to access the firewall’s remote management.
Note: For enhanced security, restrict access to as few external IP addresses as practical.
a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
c.
• If you want to make the VPN firewall globally accessible using the community string, but still receive traps on the host, enter 0.0.0.0 as the Subnet Mask and an IP Address for where the traps will be received.
3. Enter the trap port number of the configuration in the Port field. The default is 162.
4. Enter the trap community string of the configuration in the Community field.
5. Click Add to create the new configuration.
Settings Backup and Firmware Upgrade
Once you have installed the VPN firewall and have it working properly, you should back up a copy of your settings so that it is available if something goes wrong. When you back up the settings, they are saved as a file on your computer. You can then restore the VPN firewall settings from this file.
You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the router's password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and act as a DHCP client to the Internet.
Warning: When you click default, your router settings will be erased. All firewall rules, VPN policies, LAN/WAN settings and other settings will be lost.
Warning: Once you click Upload do NOT interrupt the router!
To upgrade router software:
1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display.
2. Click Browse in the Router Upgrade section.
3. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall router. This may take some time.
3. If supported in your region, check the Automatically Adjust for Daylight Savings Time radio box.
4. Select a NTP Server option by checking one of the following radio boxes:
• Use Default NTP Servers: If this is enabled, then the RTC (Real-Time Clock) is updated regularly by contacting a Default Netgear NTP Server on the Internet.
Enabling the Traffic Meter
To monitor traffic limits on each of the WAN ports, select Administration from the main menu and Traffic Meter from the submenu. The Broadband Traffic Meter screen will display. (The Broadband and Dialup ports are programmed separately.) A WAN port shuts down once its traffic limit is reached if the Block all traffic feature is enabled.
Figure 6-7
Setting Login Failures and Attacks Notification
Figure 6-8 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log of firewall activities to an email address, or you can view a log of the firewall activities, save it to a syslog server, and then send it to an email address. You can view the logs by clicking View Logs.
Figure 6-8. Callouts on the screen: View System Logs; select the types of events to email; select the segments to track for System Log events; enable email alerts; Syslog Server enabled.
Viewing Port Triggering Status
You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu. When the Port Triggering screen displays, click the Status link.
Figure 6-9
Table 6-1. Port Triggering Status data
Item: Description
Rule: The name of the Rule.
LAN IP Address: The IP address of the PC currently using this rule.
Open Ports: The Incoming ports which are associated with this rule.
Viewing Router Configuration and System Status
The Router Status menu provides status and usage information. From the main menu of the browser interface, click on Management, then select Router Status. The Router Status screen will display.
Figure 6-10
Table 6-2. Router Configuration Status Fields
Item: Description
System Name: This is the Account Name that you entered in the Basic Settings page.
Table 6-2. Router Configuration Status Fields
Item: Description
Broadband Configuration: Indicates whether the WAN Mode is Single or Rollover, and whether the WAN State is UP or DOWN. If the WAN State is up, it also displays
• NAT: Enabled or Disabled.
• Connection Type: DHCP enabled or disabled.
• Connection State: Connected or Disconnected
• WAN IP Address
• Subnet Mask
• Gateway Address
• Primary and Secondary DNS Server Addresses
• MAC Address.
Figure 6-11
Monitoring VPN Tunnel Connection Status
You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display.
Figure 6-12
Table 6-3. IPSec Connection Status Fields
Item: Description
Policy Name: The name of the VPN policy associated with this SA.
Endpoint: The IP address on the remote VPN Endpoint.
Table 6-3. IPSec Connection Status Fields (continued)
Item: Description
Tx (KB): The amount of data transmitted over this SA.
Tx (Packets): The number of IP packets transmitted over this SA.
State: The current status of the SA. Phase 1 is Authentication phase and Phase 2 is Key Exchange phase.
Action: Use this button to terminate/build the SA (connection) if required.
VPN Logs
The VPN Logs screen gives log details for recent VPN activity.
Figure 6-14
Performing Diagnostics
You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets. Select Monitoring from the main menu and Diagnostics from the submenu. The Diagnostics screen will display.
Note: For normal operation, diagnostics are not required.
Figure 6-15
Table 6-4. Diagnostics Fields
Item: Description
Ping or Trace an IP address: Ping – Used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Table 6-4. Diagnostics Fields
Item: Description
Reboot the Router: Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally.
Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be re-established when possible.
Chapter 7
Troubleshooting
This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 50. After each problem description, instructions are provided to help you diagnose and solve the problem.
Basic Functions
After you turn on power to the firewall, the following sequence of events should occur:
1. When power is first applied, verify that the PWR LED is on.
2. After approximately 10 seconds, verify that:
a. The TEST LED is not lit.
b.
LEDs Never Turn Off
When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up:
• Cycle the power to see if the firewall recovers.
• Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.1.1.
• Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to 192.168.0.254.
Note: If your PC’s IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x.
Troubleshooting the ISP Connection
If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.
To check the WAN IP address:
1.
– Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Configuring your Internet Connection” on page 2-2.
If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet:
• Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses.
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections
– Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 7-2.
– Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
Restoring the Default Configuration and Password
This section explains how to restore the factory default configuration settings, changing the firewall’s administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways:
• Use the Erase function of the firewall (see “Backup and Restore Settings” on page 6-14).
• Use the reset button on the rear panel of the firewall.
Appendix A
Default Settings and Technical Specifications
You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset.
• To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below.
• Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B
System Logs and Error Messages
This appendix uses the following log parameter terms.
Table B-1. Log Parameter Terms
Term: Description
[FVS338]: System identifier
[kernel]: Message from the kernel.
CODE: Protocol code (e.g., protocol is ICMP, type 8) and CODE=0 means successful reply.
DEST: Destination IP Address of the machine to which the packet is destined.
DPT: Destination port.
IN: Incoming interface for packet.
OUT: Outgoing interface for packet.
PROTO: Protocol used.
Table B-2. System Logs: System Startup
Message: Jan 1 15:22:28 [FVS338] [ledTog] [SYSTEM START-UP] System Started
Explanation: Log generated when the system is started.
Recommended Action: None
Reboot
This section describes log messages generated during system reboot.
Table B-3. System Logs: Reboot
Message: Nov 25 19:42:57 [FVS338] [reboot] Rebooting in 3 seconds
Explanation: Log generated when the system is rebooted from the web management.
Table B-4. System Logs: NTP
Message:
Nov 28 12:31:13 [FVS338] [ntpdate] Looking Up time-f.netgear.com
Nov 28 12:31:13 [FVS338] [ntpdate] Requesting time from time-f.netgear.com
Nov 28 12:31:14 [FVS338] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec
Nov 28 12:31:14 [FVS338] [ntpdate] Synchronized time with time-f.netgear.
Table B-6. System Logs: Firewall Restart
Message: Jan 23 16:20:44 [FVS338] [wand] [FW] Firewall Restarted
Explanation: Log generated when the firewall is restarted. This log is logged when firewall restarts after applying any changes in the configuration.
Recommended Action: None
IPSec Restart
This logging is always done.
Table B-7.
Table B-8.
System Logs: WAN Status, Auto Rollover
Message:
Nov 17 09:59:09 [FVS338] [wand] [LBFO] WAN1 Test Failed 1 of 3 times_
Nov 17 09:59:39 [FVS338] [wand] [LBFO] WAN1 Test Failed 2 of 3 times_
Nov 17 10:00:09 [FVS338] [wand] [LBFO] WAN1 Test Failed 3 of 3 times_
Nov 17 10:01:01 [FVS338] [wand] [LBFO] WAN1 Test Failed 4 of 3 times_
Nov 17 10:01:35 [FVS338] [wand] [LBFO] WAN1 Test Failed 5 of 3 times_
Nov 17 10:01:35 [FVS338] [wand] [LBFO] WAN1(DOWN), WAN2(UP), ACTI
PPPoE Idle-Timeout Logs.
Table B-9. System Logs: WAN Status, PPE, PPPoE Idle-Timeout
Message:
Nov 29 13:12:46 [FVS338] [pppd] Starting connection
Nov 29 13:12:49 [FVS338] [pppd] Remote message: Success
Nov 29 13:12:49 [FVS338] [pppd] PAP authentication succeeded
Nov 29 13:12:49 [FVS338] [pppd] local IP address 50.0.0.62
Nov 29 13:12:49 [FVS338] [pppd] remote IP address 50.0.0.1
Nov 29 13:12:49 [FVS338] [pppd] primary DNS address 202.153.32.
PPTP Idle-Timeout Logs.
Table B-10. System Logs: WAN Status, PPE, PPTP Idle-Timeout
Message:
Nov 29 11:19:02 [FVS338] [pppd] Starting connection
Nov 29 11:19:05 [FVS338] [pppd] CHAP authentication succeeded
Nov 29 11:19:05 [FVS338] [pppd] local IP address 192.168.200.214
Nov 29 11:19:05 [FVS338] [pppd] remote IP address 192.168.200.1
Nov 29 11:19:05 [FVS338] [pppd] primary DNS address 202.153.32.2
Nov 29 11:19:05 [FVS338] [pppd] secondary DNS address 202.153.
Table B-12. System Logs: Web Filtering and Content Filtering
Message: Jan 23 16:36:35 [FVS338] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Explanation:
• This packet is blocked by keyword blocking.
• The URL blocked due to keyword blocking is shown by [URL] along with source and destination IP addresses, protocol, source port and destination port.
Traffic Metering Logs
Table B-13. System Logs: Traffic Metering
Message: Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._
Explanation: Traffic limit to WAN1 that was set as 10Mb has been reached. This stops all the incoming and outgoing traffic if configured like that in “When Limit is reached” on Traffic Meter web page.
Recommended Action: To start the traffic, restart the Traffic Limit Counter.
Multicast/Broadcast Logs
Table B-16. System Logs: Multicast/Broadcast
Message: Jan 1 07:24:13 [FVS338] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
Explanation:
• This packet (Broadcast) is destined to the device from the WAN network.
• For other parameters, refer to Table B-1.
Recommended Action: None
FTP Logging
Table B-17.
Table B-18. System Logs: Invalid Packets (continued)
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
Message: 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][RST_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.
Table B-18. System Logs: Invalid Packets (continued)
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
Message: 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][BAD_HW_CHECKSUM][DROP] SRC=192.168.20.10 DST=192.168.20.
Table B-18. System Logs: Invalid Packets (continued)
Message: 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Attempt to re-open/close session
Recommended Action:
1. Invalid packets are dropped.
2.
LAN to WAN Logs
Table B-19. Routing Logs: LAN to WAN
Message: Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from LAN to WAN has been allowed by the firewall.
• For other parameters, refer to Table B-1.
Recommended Action: None
LAN to DMZ Logs
Table B-20.
DMZ to LAN Logs
Table B-23. Routing Logs: DMZ to WAN
Message: Nov 29 09:44:06 [FVS338] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from DMZ to LAN has been dropped by the firewall.
• For other parameters, refer to Table B-1.
Recommended Action: None
WAN to DMZ Logs
Table B-24.
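The message layouts quoted in this appendix (timestamp, bracketed system and component, bracketed tags, then KEY=value parameters from Table B-1) are regular enough to parse for triage on a syslog server. The following Python is an added example, not NETGEAR code: the grammar is inferred from the messages shown above, the names parse_line and blocked_by_source are this example's own, and two of the sample lines are constructed.

```python
import re
from collections import Counter

# Lines 1, 2, 4, 5 and 6 are messages quoted in this appendix; line 3 (a repeat
# of the DMZ2LAN drop one second later) and line 7 are constructed for the demo.
SAMPLE_LOG = """\
Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:44:06 [FVS338] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:44:07 [FVS338] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Jan 23 16:36:35 [FVS338] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Jan 23 16:20:44 [FVS338] [wand] [FW] Firewall Restarted
this line is not a firewall log entry
"""

# Header: optional year, syslog-style timestamp, [system], optional [component].
HEADER = re.compile(
    r"^(?P<ts>(?:\d{4} )?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<system>[^\]]+)\](?: \[(?P<component>[^\]]+)\])? (?P<body>.*)$"
)
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")                   # IN=, SRC=, PROTO=, DPT=, ...
ROUTE = re.compile(r"^([A-Z]+2[A-Z]+)\[(ACCEPT|DROP)\]")  # e.g. LAN2WAN[ACCEPT]
TAG = re.compile(r"\[([A-Z][A-Z0-9_]*)\]")                # e.g. [INVALID][DROP]
VERDICTS = ("ACCEPT", "DROP")


def parse_line(line):
    """Return a dict for one log line, or None if the header does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    body = rec["body"]
    rec["fields"] = dict(FIELD.findall(body))
    route = ROUTE.match(body)
    if route:
        # Routing logs: zone pair followed directly by the verdict.
        rec["event"], rec["verdict"] = route.group(1), route.group(2)
        return rec
    tags = TAG.findall(body)
    verdicts = [t for t in tags if t in VERDICTS]
    rec["verdict"] = verdicts[0] if verdicts else None
    # Remaining tags name the event; [URL] only labels the blocked URL.
    names = [t for t in tags if t not in VERDICTS and t != "URL"]
    rec["event"] = "/".join(names) or None
    return rec


def blocked_by_source(lines):
    """Count dropped or keyword-blocked packets per (source IP, event)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not in the appendix's message format
        if rec["verdict"] == "DROP" or rec["event"] == "KEYWORD_BLOCKED":
            counts[(rec["fields"].get("SRC", "?"), rec["event"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in blocked_by_source(SAMPLE_LOG.splitlines()).most_common():
        print(n, *key)
```
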
Appendix C
Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
Document: Link
Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing a Computer for http://documentation.netgear.com/reference/enu/wsdhcp/index.