ProSafe VPN Firewall 200 FVX538 Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134 USA
March 2009
202-10062-09 v1.
© 2009 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR and the NETGEAR logo are registered trademarks and ProSafe and ProSecure are trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc.
Product and Publication Details
Model Number: FVX538
Publication Date: March 2009
Product Family: VPN Firewall
Product Name: ProSafe VPN Firewall 200
Home or Business Product: Business
Language: English
Publication Part Number: 202-10062-09
Publication Version Number: 1.0
Contents
About This Manual
Conventions, Formats and Scope ..... xv
Revision History ..... xvi
Chapter 1 Introduction
Key Features ..... 1-1
Dual WAN Ports for Increased Reliability or Outbound Load Balancing .....
Chapter 3 LAN Configuration
Choosing the Firewall DHCP Options ..... 3-1
Configuring the LAN Setup Options ..... 3-2
Configuring Multi Home LAN IPs ..... 3-5
Managing Groups and Hosts (LAN Groups) .....
Outbound Rules Example ..... 4-24
LAN WAN Outbound Rule: Blocking Instant Messenger ..... 4-25
Adding Customized Services ..... 4-25
Setting Quality of Service (QoS) Priorities .....
Extended Authentication (XAUTH) Configuration ..... 5-23
Configuring XAUTH for VPN Clients ..... 5-24
User Database Configuration ..... 5-25
RADIUS Client Configuration .....
Viewing Port Triggering Status ..... 6-24
Viewing Router Configuration and System Status ..... 6-25
Monitoring WAN Ports Status ..... 6-26
Monitoring VPN Tunnel Connection Status ..... 6-27
VPN Logs .....
Inbound Traffic ..... B-8
Inbound Traffic to Single WAN Port (Reference Case) ..... B-8
Inbound Traffic to Dual WAN Port Systems ..... B-8
Inbound Traffic: Dual WAN Ports for Improved Reliability .....
Multicast/Broadcast Logs ..... C-9
FTP Logging ..... C-10
Invalid Packet Logging ..... C-10
Routing Logs .....
About This Manual
The NETGEAR® ProSafe™ VPN Firewall 200 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills.
Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs.
• Typographical Conventions.
Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death.
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix D, “Related Documents.”
Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVX538.asp.
Chapter 1 Introduction The ProSafe VPN Firewall 200 with eight 10/100 ports and one 1/100/1000 port connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVX538 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support.
• SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100).
• Easy, web-based setup for installation and management.
• Advanced SPI Firewall and Multi-NAT support.
• Extensive Protocol Support.
• Login capability.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• One U Rack mountable.
• Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
• Keyword Filtering.
Extensive Protocol Support
The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to “Internet Configuration Requirements” in Appendix B.
• IP Address Sharing by NAT.
• Diagnostic Functions. The firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
• Remote Management. The firewall allows you to log in to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
• Visual monitoring.
Router Front and Rear Panels
The ProSafe VPN Firewall 200 front panel (Figure 1-1) contains the port connections, status LEDs, and the factory defaults reset button. Table 1-1 describes each item on the front panel and its operation.

Table 1-1. Object Descriptions
Object                 Activity           Description
1. Power LED           On (Green)         Power is supplied to the firewall.
                       Off                Power is not supplied to the firewall.
2.

Table 1-1. Object Descriptions (continued)
Object                 Activity           Description
4. LAN Ports and LEDs  8-port RJ-45 10/100 Mbps Fast Ethernet Switch; N-way automatic speed negotiation, auto MDI/MDIX.
   Link/Act LED        On (Green)         The LAN port has detected a link with a connected Ethernet device.
                       Blinking (Green)   Data is being transmitted or received by the LAN port.
                       Off                The LAN port has no link.
   100 LED             On (Green)         The LAN port is operating at 100 Mbps.
                       Off
The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection.
Figure 1-2
Viewed from left to right, the rear panel contains the following elements:
1. AC power in
2. On/Off switch
Rack Mounting Hardware
The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in Figure 1-3).
The Router’s IP Address, Login Name, and Password
Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information:
• IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN
• User name: admin
• Password: password
Figure 1-4 (product label showing LAN IP Address, User Name and Password)
To log in to the FVX538 once it is connected, go to http://192.168.1.1.
Chapter 2 Connecting the FVX538 to the Internet
This chapter includes these topics:
• “Logging into the VPN Firewall” on page 2-1
• “Configuring the Internet Connections to Your ISPs” on page 2-2
• “Configuring the WAN Mode (Required for Dual WAN)” on page 2-8
• “Configuring Dynamic DNS (If Needed)” on page 2-14
• “Configuring the Advanced WAN Options (If Needed)” on page 2-17
Setting up VPN tunnels is covered in Chapter 5, “Virtual Private Networking.”
Configuring the Internet Connections to Your ISPs
Configure the Internet connection to your ISP on WAN port 1 first, and then configure WAN port 2. To automatically configure the WAN ports and connect to the Internet:
1. The WAN1 ISP Settings screen, similar to the one shown in Figure 2-1, should display when you log in.
When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table.

Table 2-1. Internet connection methods
Connection Method      Data Required
PPPoE                  Login (Username, Password); Account Name, Domain Name
PPTP                   Login (Username, Password), Account Name, Local IP address, and PPTP Server IP address
DHCP (Dynamic IP)      No data is required.
4. Set up the traffic meter for WAN 1 ISP if desired. See “Programming the Traffic Meter (if Desired)” on page 2-6.
Note: At this point of the configuration process, you are connected to the Internet through WAN port 1. You must continue with the configuration process to get the complete functionality of the dual WAN interface.
To configure the WAN2 ISP settings:
1. Repeat the above steps to set up the parameters for WAN2 ISP.
2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected. If your ISP has not assigned any login information, then choose the No radio box and skip this section.
If your ISP has not assigned a Static IP address, select the Get dynamically from ISP radio box. The ISP will automatically assign an IP address to the router using the DHCP network protocol.
4. If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP addresses in the fields.
Figure 2-3
2. Click Apply to apply the settings. Click Reset to return to the previous settings.
3. Select the WAN2 Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter for the WAN2 port.

Table 2-2. Traffic Meter Settings
Parameter                    Description
Enable Traffic Meter         Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port.

Table 2-2. Traffic Meter Settings (continued)
Parameter                    Description
Increase this month's limit  Use this to temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Check the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so the increase is only applied once.)
This month's limit           This displays the limit for the current month.
If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
• Load Balancing Mode. In this mode the router distributes the outbound traffic equally among the WAN interfaces that are functional.
When the router is configured in Auto-Rollover Mode, the router uses the WAN Failure Detection Method to check the connection of the primary link at regular intervals to detect router status. Link failure is detected in one of the following ways:
• By using DNS queries to a DNS server, or
• By a Ping to an IP address.
For each WAN interface, DNS queries or Ping requests are sent to the specified IP address.
Figure 2-4
6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number of queries have failed to elicit a reply. The rollover link is brought up after this. The Failover default is 4 failures. The default time to roll over after the primary WAN interface fails is 2 minutes (a 30-second minimum test period, times a minimum of 4 tests).
7. Click Apply to save your settings.
8.
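As an added example (not NETGEAR's code), the following Python models the Auto-Rollover failure detection described above: each probe (DNS query or ping) either resets the failure counter or increments it, and after the configured Maximum Failover count of consecutive misses the primary link is declared down and traffic rolls over to the backup. The probe history, link names and the assumption that the backup stays healthy are constructed; recovery of the primary is not modelled.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model of the WAN Failure Detection Method; not NETGEAR code.


@dataclass
class WanLink:
    name: str
    consecutive_failures: int = 0
    up: bool = True


@dataclass
class RolloverMonitor:
    primary: WanLink
    backup: WanLink
    max_failover: int = 4        # "Maximum Failover" default: 4 failed tests
    test_period_s: int = 30      # minimum test period between probes
    active: str = field(init=False, default="")
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary.name

    def record_probe(self, link: WanLink, ok: bool, t: int) -> None:
        """Apply one DNS-query or ping probe result for `link` at time t.

        A reply resets the failure counter. max_failover consecutive
        failures mark the link down and, for the primary, roll traffic
        over to the backup link (recovery/fallback is not modelled)."""
        if ok:
            link.consecutive_failures = 0
            return
        link.consecutive_failures += 1
        if link.up and link.consecutive_failures >= self.max_failover:
            link.up = False
            self.events.append(f"t={t}s {link.name} down")
            if link is self.primary and self.backup.up:
                self.active = self.backup.name
                self.events.append(f"t={t}s rollover to {self.backup.name}")


def time_to_rollover(max_failover: int = 4, test_period_s: int = 30) -> int:
    """Seconds from the first lost reply to rollover at the defaults: 4 x 30 s = 120 s."""
    return max_failover * test_period_s


def simulate(primary_results: List[bool], max_failover: int = 4,
             test_period_s: int = 30) -> RolloverMonitor:
    """Feed a constructed probe history for WAN1; WAN2 is assumed healthy throughout."""
    mon = RolloverMonitor(WanLink("WAN1"), WanLink("WAN2"), max_failover, test_period_s)
    t = 0
    for ok in primary_results:
        t += test_period_s
        mon.record_probe(mon.primary, ok, t)
        mon.record_probe(mon.backup, True, t)
    return mon


if __name__ == "__main__":
    # Three lost replies, one reply, then four lost replies: the single
    # reply resets the count, so rollover happens only after probe 8.
    m = simulate([False, False, False, True, False, False, False, False])
    print("active link:", m.active)
    print("\n".join(m.events))
    print("rollover after", time_to_rollover(), "seconds at the defaults")
```

Because a single successful probe resets the counter, intermittent loss below the threshold never triggers rollover; only the configured number of consecutive misses does.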
Setting Up Load Balancing
To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, both links will carry data for the protocols that are bound to them. For example, if the HTTP protocol is bound to WAN1 and the FTP protocol is bound to WAN2, then the router will automatically channel FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port.
a. Service – From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules” on page 4-2).
b. Destination Network – These settings determine which Internet locations are covered by the rule, based on their IP address.
Figure 2-6
3. Modify the parameters for the protocol binding service you selected.
4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table.
5. Click Reset to return to the previously configured settings.
Configuring Dynamic DNS (If Needed)
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names.
IP address will be, and the address can change frequently; hence the need for a commercial DDNS service, which allows you to register an extension to its domain, and resolves DNS requests for the resulting FQDN to your frequently-changing IP address.
Figure 2-7
2. Click the tab of the Dynamic DNS Service you want to enable. Each DNS service provider requires registration, and you then configure its parameters on the corresponding tab page.
3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is to the right of the tab pages.
4.
For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org.
5. Click Apply to save your configuration.
6. Click Reset to return to the previous settings.
Configuring the Advanced WAN Options (If Needed)
To configure the Advanced WAN options:
1. If you haven’t already, log in to the firewall at the default LAN address of http://192.168.1.
• Port Speed – In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may have to manually select the port speed. AutoSense is the default. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M.
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200, including the following sections: • “Choosing the Firewall DHCP Options” on page 3-1 • “Managing Groups and Hosts (LAN Groups)” on page 3-6 • “Configuring and Enabling the DMZ Port” on page 3-10 • “Static Routes” on page 3-12 Choosing the Firewall DHCP Options By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP,
• Primary DNS Server (the firewall’s LAN IP address).
• WINS Server (if you entered a WINS server address in the DHCP Setup menu).
• Lease Time (date obtained and duration of lease).
DHCP Relay options allow you to make the firewall a DHCP relay agent. The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages.
1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display.
Figure 3-1
2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets.)
3. Enter the IP Subnet Mask. The subnet mask specifies the network number portion of an IP address.
b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
c. Enter the Ending IP Address. This address specifies the last of the contiguous addresses in the IP address pool.
The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection.
• Action: The Edit link allows you to make changes to the selected entry.
• Select All: Selects all the entries in the Available Secondary LAN IPs table.
• Delete: Deletes selected entries from the Available Secondary LAN IPs table.
To add a secondary LAN IP address:
1. Type in the IP Address and the Subnet Mask in the respective text fields.
2. Click Add. The Secondary LAN IP address will be added to the Secondary LAN IPs table.
Creating the Network Database
Some advantages of the Network Database are:
• Generally, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the desired PC or device.
• No need to reserve an IP address for a PC in the DHCP Server. All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you.
Figure 3-3
The Network Database is created by:
• Using the DHCP Server: The router’s DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to the Network Database. Because of this, leaving the DHCP Server feature enabled (on the LAN Setup screen) is strongly recommended.
• MAC Address: The MAC address of the computer’s network interface.
• Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment, select the Edit link in the Action column.
• Action/Edit: Allows modification of the selected entry.
To add known PCs and devices:
1.
To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see “Creating the Network Database” on page 3-7).
Note: The reserved address will not be assigned until the next time the PC contacts the firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
Figure 3-4
4. If desired, Enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router’s DMZ network.
Note: If you enable the DHCP Relay feature, you will not use the FVX538 as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
Then configure the following items:
a.
6. Click Apply to save your settings. The DMZ LED next to LAN port 8 (see “Router Front and Rear Panels” on page 1-6) will light up, indicating that the DMZ port has been enabled.
If another device on your DMZ network will be the DHCP server, or if you will manually configure all devices, leave the Disable option (default) checked.
Figure 3-5
4. Select Active to make this route effective.
5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP.
6. Enter the Destination IP Address of the host or network to which the route leads.
7. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255.
8.
Routing Information Protocol (RIP)
RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default.
To configure RIP parameters:
1.
Figure 3-6
3. From the RIP Version pull-down menu, select the version:
• RIP-1 – A classful routing protocol that does not include subnet information. This is the most commonly supported version.
• RIP-2 – Supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format:
  • RIP-2B – Sends the routing data in RIP-2 format and uses subnet broadcasting.
  • RIP-2M – Sends the routing data in RIP-2 format and uses multicasting.
4.
6. Click Save to save your settings.
Static Route Example
For example, you may require a static route if:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN firewall on your home network for connecting to the company where you are employed. This firewall’s address on your LAN is 192.168.1.100.
• Your company’s network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created.
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to protect your network.
intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
Using Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the FVX538.
• Customized Services – Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services” on page 4-25).
• Quality of Service (QoS) priorities – Each service has its own native priority that impacts its quality of performance and tolerance for jitter or delays.
Table 4-2. Outbound Rules (continued)
Item          Description
LAN users     These settings determine which computers on your network are affected by this rule. Select the desired options:
              • Any – All PCs and devices on your LAN.
              • Single address – Enter the required address and the rule will be applied to that particular PC.
              • Address range – If this option is selected, you must enter the start and finish fields.

Table 4-2. Outbound Rules (continued)
Item          Description
QoS Priority  The priority assigned to IP packets of this service. The priorities are defined by the “Type of Service (TOS) in the Internet Protocol Suite” standard, RFC 1349. The router marks the Type Of Service (TOS) field as defined below:
              • Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a TOS value of 0.
Table 4-2. Outbound Rules (continued)
Item               Description
Bandwidth Profile  Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing/incoming traffic, thus preventing the LAN users from consuming all the bandwidth of your Internet link.
• Local PCs must access the local server using the PCs’ local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail.
Note: See “Port Triggering” on page 4-35 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.

Table 4-3. Inbound Rules
Item          Description
Services      Select the desired Service or application to be covered by this rule.
Table 4-3. Inbound Rules (continued)
Item               Description
Bandwidth Profile  Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing/incoming traffic, thus preventing the LAN users from consuming all the bandwidth of your Internet link.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1:
Figure 4-1
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom.
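As an added example (not NETGEAR's code), the following Python models the first-match evaluation described above: rules are checked top to bottom, the first matching rule decides, and the Default Outbound Policy applies only when no rule matches. The rule fields mirror the Service, LAN users and Destination columns of Table 4-2, but the addresses, packets and rule names are constructed stand-ins.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-ins for the rule columns of Table 4-2; not NETGEAR code.
Service = Tuple[str, int]          # (protocol, destination port)


@dataclass
class Packet:
    src: IPv4Address               # LAN user
    dst: IPv4Address               # destination host
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                                 # "BLOCK" or "ALLOW"
    service: Optional[Service] = None           # None = any service
    lan_users: Optional[IPv4Network] = None     # None = Any LAN user
    destination: Optional[IPv4Network] = None   # None = Any destination

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only when every configured field matches."""
        if self.service is not None and (pkt.proto, pkt.dport) != self.service:
            return False
        if self.lan_users is not None and pkt.src not in self.lan_users:
            return False
        if self.destination is not None and pkt.dst not in self.destination:
            return False
        return True


def evaluate(rules: List[Rule], default_policy: str,
             pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the Rules Table top to bottom; the first match decides.

    Returns (action, rule_name); rule_name is None when no rule matched
    and the default policy was applied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default_policy, None


HTTP: Service = ("tcp", 80)
LAN = ip_network("192.168.1.0/24")            # factory default LAN subnet
EXEMPT_HOST = ip_network("192.168.1.50/32")   # constructed exception host

# A blanket block for web traffic and an exception for one host. Which one
# wins depends entirely on their order in the table (the Up/Down actions).
BLOCK_WEB = Rule("Block HTTP for all LAN users", "BLOCK", HTTP, LAN)
ALLOW_HOST = Rule("Allow HTTP for 192.168.1.50", "ALLOW", HTTP, EXEMPT_HOST)


def demo() -> dict:
    """Same rules, different order: the exception is dead if it sits below the block."""
    web_from_exempt = Packet(ip_address("192.168.1.50"),
                             ip_address("203.0.113.10"), "tcp", 80)
    dns_from_other = Packet(ip_address("192.168.1.20"),
                            ip_address("203.0.113.53"), "udp", 53)

    exception_too_low = evaluate([BLOCK_WEB, ALLOW_HOST], "ALLOW", web_from_exempt)
    exception_on_top = evaluate([ALLOW_HOST, BLOCK_WEB], "ALLOW", web_from_exempt)
    # No rule mentions DNS, so only the Default Outbound Policy applies.
    dns_default_allow = evaluate([BLOCK_WEB, ALLOW_HOST], "ALLOW", dns_from_other)
    dns_default_block = evaluate([BLOCK_WEB, ALLOW_HOST], "BLOCK", dns_from_other)
    return {
        "exception_too_low": exception_too_low,
        "exception_on_top": exception_on_top,
        "dns_default_allow": dns_default_allow,
        "dns_default_block": dns_default_block,
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

When reviewing a rules table, check that narrow exceptions sit above the broad rules they are meant to override; a rule placed below a broader match is never reached.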
2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply.
Figure 4-2
To make changes to an existing outbound or inbound service rule:
1. In the Action column adjacent to the rule click:
• Edit – to make any changes to the rule definition of an existing rule. The Outbound Service screen will display containing the data for the selected rule (see Figure 4-3 on page 4-11).
LAN WAN Outbound Services Rules
You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The outbound rule will block the selected application from any internal LAN IP address to any external WAN IP address according to the schedule created in the Schedule menu.
LAN WAN Inbound Services Rules
This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network.
To create a new inbound service rule:
1. Click Add under the Inbound Services Table.
out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to block all outbound traffic and enable only specific services to pass through the router by adding an Outbound Services Rule.
Figure 4-5
To change the Default Outbound Policy:
1. Select Security from the main menu, Firewall Rules from the submenu and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display.
2. Click Add under the Outbound Services table. The Add DMZ WAN Outbound Services screen will display.
3. Accept the default settings to block all services or select a specific service to block from the Services pull-down menu.
4. Click Apply.
To make changes to an existing outbound or inbound LAN DMZ service rule:
1. In the Action column adjacent to the rule click:
• Edit – to make any changes to the rule definition. The Outbound Service screen will display containing the data for the selected rule (see “Outbound Rules (Service Blocking)” on page 4-3).
• Up – to move the rule up one position in the table rank.
• Down – to move the rule down one position in the table rank.
2.
2. Complete the Outbound Service screen, and save the data (see “Outbound Rules (Service Blocking)” on page 4-3).
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
LAN DMZ Inbound Services Rules
To define an Inbound LAN DMZ Rule:
1. Click Add under the Inbound Services table.
• LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port and (3) reply with an ICMP Destination Unreachable packet.

Figure 4-8
Session Limit
Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the router. This feature is enabled on the Session Limit screen shown in Figure 4-9. Session Limit is disabled by default. A per-IP limit caps how many connection-table entries a single host can consume, so one flooding or compromised host cannot exhaust the table for everyone else. Figure 4-9

To enable Session Limit:
1. Click the Yes radio button under Do you want to enable Session Limit?
2. From the User Limit Parameter drop-down list, define the maximum number of sessions per IP either as a percentage of maximum sessions or as an absolute number. The percentage is computed on the total connection capacity of the device.
3. Enter the User Limit.
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.

In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.

LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping
In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a Web server on the LAN.

4. From the Service pull-down menu, select the HTTP service for a Web server. Figure 4-12
5. From the Action pull-down menu, select Allow Always.
6. In the Send to LAN Server field, enter the local IP address of your Web server PC.
7. From the Public Destination IP Address pull-down menu, choose Other Public IP Address.
8. Enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server.
9. Click Apply.

Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-13). This rule is different from a normal inbound port forwarding rule in that the Destination box contains an IP address other than your normal WAN IP address. Figure 4-13
To test the connection from a PC on the Internet, type http://<public IP address>, where <public IP address> is the public IP address you have mapped to your Web server.

1. Select Any and Allow Always (or Allow by Schedule).
2. Place the rule below all other inbound rules. Figure 4-14
Because rules are matched from the top of the table down, an Any rule placed above more specific rules would take precedence over them.

Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger or Real Audio, or from reaching other non-essential sites.

LAN WAN Outbound Rule: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. Figure 4-15
You can also have the firewall log any attempt to use Instant Messenger during that blocked period.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be obtained from the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen. Figure 4-16
To add a customized service:
1. Select Security from the main menu and Services from the submenu.

3. Select the protocol that the service uses (the field is labeled Layer 3 Protocol). It can be TCP, UDP or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses in the Start Port field.
5. Enter the last port of the range in the Finish Port field. If the service uses only a single port, enter the same number in both fields.
6. Click Add.
Keep a custom service's range as narrow as the application needs; an inbound rule that allows a wide range exposes every listener in that range, not only the intended one.

• Maximize-Reliability: Used when data needs to travel to the destination over a reliable link with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2.
• Maximize-Throughput: Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a ToS value of 4.

2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect.
3. Check the radio button to schedule the time of day: All Day or Specific Times. If you chose Specific Times, fill in the Start Time and End Time fields (Hour, Minute, AM/PM), which limit the schedule to those times on the selected days.
4. Click Apply to save your settings to Schedule 1.
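The procedures above (default policy, ordered inbound and outbound rules, one-to-one NAT, custom services with port ranges, and schedules) all feed one evaluation step: the first rule in the table that matches a connection decides. The following Python is an added example written for this page, not code from the NETGEAR manual or the FVX538 firmware. It models that evaluation so the ordering and "by Schedule" behaviour can be exercised. The service names GameSvc and IM, their port numbers, the schedule hours, the addresses and the rule tables are all constructed for illustration.

```python
"""Rule evaluation model for the FVX538 procedures described above.
Added example, not NETGEAR code: first-match evaluation of an ordered rule
table with a per-direction default policy, custom services with port
ranges, Allow/Block by Schedule, WAN Users source restrictions and
one-to-one NAT.  All names, ports, addresses and times are constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Service table: name -> (protocol, start port, finish port).  HTTP/HTTPS are
# built-ins; "GameSvc" and "IM" stand for customised services (ports assumed).
SERVICES = {
    "HTTP": ("TCP", 80, 80),
    "HTTPS": ("TCP", 443, 443),
    "GameSvc": ("UDP", 6000, 6010),
    "IM": ("TCP", 5190, 5190),
    "ANY": ("ANY", 1, 65535),
}
# Schedule 1: Monday to Friday, 09:00-17:00 (constructed "working hours").
SCHEDULES = {"Schedule 1": {"days": {0, 1, 2, 3, 4}, "start": (9, 0), "end": (17, 0)}}


@dataclass
class Rule:
    service: str
    action: str                                  # "ALLOW" or "BLOCK"
    schedule: Optional[str] = None               # set => "... by Schedule"
    wan_users: Optional[Tuple[str, str]] = None  # (first, last) source IP; None = Any
    send_to_lan_server: Optional[str] = None     # inbound: LAN host to forward to
    public_dest_ip: Optional[str] = None         # one-to-one NAT: extra public IP


@dataclass
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int
    when: datetime


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def service_matches(name: str, pkt: Packet) -> bool:
    proto, first, last = SERVICES[name]
    return proto in ("ANY", pkt.proto) and first <= pkt.dst_port <= last


def schedule_active(name: str, when: datetime) -> bool:
    s = SCHEDULES[name]
    return when.weekday() in s["days"] and s["start"] <= (when.hour, when.minute) < s["end"]


def evaluate(rules, default_action, pkt, direction, wan_ip=None):
    """Return (action, LAN server or None).  Rules are tried top to bottom and
    the first match wins, so a catch-all ANY rule must sit below the specific
    ones or it shadows them.  A "by Schedule" rule matches only while its
    schedule is active; otherwise evaluation falls through to later rules
    and finally to the default policy.  WAN Users are checked against the
    source address, i.e. the inbound case."""
    for r in rules:
        # One-to-one NAT rules own a public IP other than the WAN address.
        if direction == "inbound" and pkt.dst_ip != (r.public_dest_ip or wan_ip):
            continue
        if not service_matches(r.service, pkt):
            continue
        if r.wan_users and not (ip_to_int(r.wan_users[0]) <= ip_to_int(pkt.src_ip) <= ip_to_int(r.wan_users[1])):
            continue
        if r.schedule and not schedule_active(r.schedule, pkt.when):
            continue
        return r.action, (r.send_to_lan_server if r.action == "ALLOW" else None)
    return default_action, None


WAN_IP = "203.0.113.5"
INBOUND_RULES = [
    Rule("HTTP", "ALLOW", send_to_lan_server="192.168.1.10"),          # public web server
    Rule("HTTP", "ALLOW", send_to_lan_server="192.168.1.20", public_dest_ip="203.0.113.10"),  # one-to-one NAT
    Rule("GameSvc", "ALLOW", wan_users=("198.51.100.1", "198.51.100.50"), send_to_lan_server="192.168.1.30"),
]
OUTBOUND_RULES = [Rule("IM", "BLOCK", schedule="Schedule 1")]       # block IM in working hours
TUESDAY_10AM = datetime(2009, 3, 10, 10, 0)    # constructed sample times
SATURDAY_10AM = datetime(2009, 3, 14, 10, 0)


def decide_inbound(pkt: Packet, rules=INBOUND_RULES):
    return evaluate(rules, "BLOCK", pkt, "inbound", WAN_IP)   # inbound default: block all


def decide_outbound(pkt: Packet, rules=OUTBOUND_RULES):
    return evaluate(rules, "ALLOW", pkt, "outbound")          # outbound default: allow all
```

Running decide_inbound with an ANY/Allow rule appended to the table forwards only what the specific rules left undecided; prepending the same rule lets a GameSvc packet from an unauthorised source through, which is exactly why the manual says to place such a rule below all other inbound rules.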
• If you wish to block all Internet browsing access, enter the keyword ".".
To enable Content Filtering:
1. Select Security from the main menu and Block Sites from the sub-menu. The Block Sites screen will display.
2. Check the Yes radio button to enable Content Filtering.
3. Check the radio boxes of any Web Components you wish to block.
4. Check the radio buttons of the groups to which you wish to apply Keyword Blocking.
Figure 4-18
Enabling Source MAC Filtering
Source MAC Filter allows you to filter out traffic coming from certain known machines or devices.
• By default, the source MAC address filter is disabled. All traffic received from PCs with any MAC address is allowed.
• When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table. Figure 4-19
Note: For additional ways of restricting outbound traffic, see "Outbound Rules (Service Blocking)" on page 4-3.
A MAC address is set by the sending host and can be changed, so this filter stops known devices but not an attacker who deliberately spoofs an address that is not on the list.
To enable MAC filtering and add MAC addresses to be blocked:
1. Select Security from the main menu and Source MAC Filter from the sub-menu.

6. Click Apply to save your settings.
To remove an entry from the table, select the MAC address entry and click Delete. To select all the MAC addresses in the list, click Select All. A checkmark will appear in the box to the left of each MAC address in the Available MAC Addresses to be Blocked table.

IP/MAC Binding
IP/MAC Binding allows you to bind an IP address to a MAC address and vice versa. Some machines are configured with static addresses.

Figure 4-20
3. Add an IP/MAC Bind rule by entering:
a. Name: Specify an easily identifiable name for this rule.
b. MAC Address: Specify the MAC address for this rule.
c. IP Addresses: Specify the IP address for this rule.
d. Log Dropped Packets: Select the logging option for this rule from the pull-down menu.
4. Click Add. The new IP/MAC rule will appear in the IP/MAC Binding Table.
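The binding table above is enforced in both directions: a frame is dropped if its source IP is bound to some other MAC address, or if its source MAC is bound to some other IP address, and the rule's logging option decides whether the drop is recorded. The Python below is an added example written for this page, not the manual's or the firmware's code; it applies those two checks to a set of constructed frames. The binding entries, host names and addresses are all assumptions for illustration.

```python
"""IP/MAC Binding enforcement, added as an example (not NETGEAR code).
A binding ties one IP address to one MAC address both ways: a frame is
dropped if its source IP is bound to a different MAC, or if its source MAC
is bound to a different IP.  Hosts not in the table are unaffected.
Bindings and frames below are constructed sample data."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Binding:
    name: str
    mac: str
    ip: str
    log_dropped: bool = True   # the rule's Log Dropped Packets option


def norm_mac(mac: str) -> str:
    """Accept 00-11-22-... and 00:11:22:... in any case."""
    return mac.lower().replace("-", ":")


def check_frame(bindings: List[Binding], src_ip: str, src_mac: str) -> Tuple[str, Optional[str]]:
    """Return ("forward" | "drop", log line or None) for one frame."""
    src_mac = norm_mac(src_mac)
    by_ip = {b.ip: b for b in bindings}
    by_mac = {norm_mac(b.mac): b for b in bindings}
    violated = None
    if src_ip in by_ip and norm_mac(by_ip[src_ip].mac) != src_mac:
        violated = by_ip[src_ip]        # another MAC is using a bound IP
    elif src_mac in by_mac and by_mac[src_mac].ip != src_ip:
        violated = by_mac[src_mac]      # a bound host moved to another IP
    if violated is None:
        return "forward", None
    log = (f"IP/MAC binding '{violated.name}' violated: src_ip={src_ip} src_mac={src_mac}"
           if violated.log_dropped else None)
    return "drop", log


SAMPLE_BINDINGS = [
    Binding("fileserver", "00:11:22:33:44:55", "192.168.1.10"),
    Binding("printer", "00:11:22:33:44:66", "192.168.1.11", log_dropped=False),
]
SAMPLE_FRAMES = [  # (src_ip, src_mac), constructed
    ("192.168.1.10", "00:11:22:33:44:55"),   # legitimate fileserver traffic
    ("192.168.1.10", "aa:bb:cc:dd:ee:ff"),   # unknown MAC claiming the server's IP
    ("192.168.1.77", "00-11-22-33-44-55"),   # server MAC on a foreign IP
    ("192.168.1.11", "00:11:22:33:44:99"),   # printer IP spoofed; rule logging is off
    ("192.168.1.200", "de:ad:be:ef:00:01"),  # unbound host, not subject to binding
]


def run(bindings=SAMPLE_BINDINGS, frames=SAMPLE_FRAMES):
    """Apply the table to every frame; return (decisions, log lines)."""
    decisions, logs = [], []
    for ip, mac in frames:
        decision, log = check_frame(bindings, ip, mac)
        decisions.append(decision)
        if log:
            logs.append(log)
    return decisions, logs
```

Leaving Log Dropped Packets enabled is the useful default: a burst of drops for one binding is the signal that either a host was re-addressed without updating the table or someone on the LAN is impersonating it.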
To remove an entry from the table, select the IP/MAC Bind entry and click Delete.

Port Triggering
Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application. Once configured, Port Triggering operates as follows:

Figure 4-21
3. From the Protocol pull-down menu, select either the TCP or UDP protocol.
4. In the Outgoing (Trigger) Port Range fields:
a. Enter the Start Port of the range (1 - 65534).
b. Enter the End Port of the range (1 - 65534).
5. In the Incoming (Response) Port Range fields:
a. Enter the Start Port of the range (1 - 65534).
b. Enter the End Port of the range (1 - 65534).
6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table.
To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
2. Modify any of the fields for this rule.
3. Click Reset to cancel any changes and return to the previous settings.
4. Click Apply to save your modifications. Your changes will appear in the Port Triggering Rules table.
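A port triggering rule is a small piece of state: an outbound packet from a LAN host to the trigger range opens the response range inbound, for that host only, until the opening goes idle; inbound packets that hit no open trigger are left to the ordinary port forwarding rules. The Python below is an added example written for this page, not code from the manual or the firmware. It implements that state machine, including the 1-65534 range check from the screen above. The rule, the idle timeout of 60 seconds and the packets are constructed.

```python
"""Port triggering state, added as an example (not NETGEAR code).  A rule
names an outgoing (trigger) port range and an incoming (response) range.
When a LAN host sends to a trigger port, the response range is opened
inbound for that host alone until it goes idle; inbound packets that match
no open trigger return None, meaning 'handle by port forwarding rules'.
The rule values, timeout and packets are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PORT_MIN, PORT_MAX = 1, 65534   # range accepted by the Port Triggering screen


@dataclass
class TriggerRule:
    name: str
    proto: str                 # "TCP" or "UDP"
    trigger: Tuple[int, int]   # Outgoing (Trigger) start, end
    response: Tuple[int, int]  # Incoming (Response) start, end

    def __post_init__(self):
        if self.proto not in ("TCP", "UDP"):
            raise ValueError(f"{self.name}: protocol must be TCP or UDP")
        for lo, hi in (self.trigger, self.response):
            if not (PORT_MIN <= lo <= hi <= PORT_MAX):
                raise ValueError(f"{self.name}: range {lo}-{hi} outside {PORT_MIN}-{PORT_MAX}")


def rule_is_valid(name, proto, trigger, response) -> bool:
    """Helper so callers can probe the validation without try/except."""
    try:
        TriggerRule(name, proto, trigger, response)
        return True
    except ValueError:
        return False


class PortTriggering:
    def __init__(self, rules: List[TriggerRule], idle_timeout_s: float = 600):
        self.rules = {r.name: r for r in rules}
        self.idle_timeout_s = idle_timeout_s
        self.open: Dict[Tuple[str, str], float] = {}   # (rule, LAN ip) -> expiry time

    def outbound(self, lan_ip: str, proto: str, dst_port: int, now: float) -> bool:
        """LAN->WAN packet: open the response range for lan_ip on a trigger hit."""
        hit = False
        for r in self.rules.values():
            if r.proto == proto and r.trigger[0] <= dst_port <= r.trigger[1]:
                self.open[(r.name, lan_ip)] = now + self.idle_timeout_s
                hit = True
        return hit

    def inbound(self, proto: str, dst_port: int, now: float) -> Optional[str]:
        """WAN->LAN packet: return the LAN host to forward to, or None."""
        for (name, lan_ip), expires in list(self.open.items()):
            if expires <= now:
                del self.open[(name, lan_ip)]           # idle opening closes again
                continue
            r = self.rules[name]
            if r.proto == proto and r.response[0] <= dst_port <= r.response[1]:
                self.open[(name, lan_ip)] = now + self.idle_timeout_s   # traffic keeps it open
                return lan_ip
        return None
```

The opening is keyed on the triggering host, so two LAN hosts using the same application each receive only their own responses; a rule whose response range is wide, however, admits anything sent to those ports while the opening is live, not only replies from the server the host contacted.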
For example, when a new connection is established by a device, the device will locate the firewall rule corresponding to the connection.
• If the rule has a bandwidth profile specification, then the device will create a bandwidth class in the kernel.
• If multiple connections correspond to the same firewall rule, they will share the same class. An exception occurs for an individual bandwidth profile, where the classes are per source IP.

• Name: Displays the user-defined name for this bandwidth profile.
• Bandwidth Range: Displays the range for the bandwidth profile.
• Type: Displays the type of bandwidth profile.
• Direction: Displays the direction of the bandwidth profile.
• WAN: Displays the WAN interface for the Load Balancing mode.
To edit a Bandwidth Profile:
1. Click the Edit link adjacent to the profile you want to edit. The Edit Bandwidth Profile screen will display.
You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-25 on page 4-42). Selecting all events will increase the size of the log, so it is good practice to select only those events which are required. Figure 4-24
To set up Firewall Logs and E-mail alerts:

3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection.
4. In the Security Logs section, check the radio box for each network segment for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
5. In the System Logs section, check the radio box for the type of system events to be logged.

11. Click Apply to save your settings.
To view the Firewall logs:
1. Click the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display.
2. If the E-mail Logs option has been enabled, you can send a copy of the log by clicking send log.
3. Click refresh log to retrieve the latest update, and click clear log to delete all entries. Log entries are described in Table 4-4.
Because clear log deletes every entry on the device, send or save a copy first if any entry may need to be investigated later.

Table 4-4. Firewall Log Field Descriptions (continued)
Field: Description
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ.
Destination: The name or IP address of the destination device or Web site.
Destination port and interface: The service port number of the destination device, and whether it is on the LAN, WAN or DMZ.
Chapter 5 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the VPN firewall.
The diagrams and table below show how the WAN mode selection relates to VPN configuration.

Using the VPN Wizard for Client and Gateway Configurations
You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies.

1. Select VPN > IPsec VPN > VPN Wizard to display the VPN Wizard tab page. To view the wizard default settings, click the VPN Default values link. You can modify these settings after completing the wizard. Figure 5-4 (callouts: Gateway connection; Connection name; Pre-shared key; Remote and local WAN addresses; Remote LAN IP address and subnet)
2. Select Gateway as your connection type.
3. Create a Connection Name.

• Both the remote WAN address and your local WAN address are required.
Tip: To assure tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to a host on the peer side of the network to keep the tunnel alive.
• The remote WAN IP address must be a public address or the Internet name of the remote gateway.

After both firewalls are configured, go to VPN > IPsec VPN > Connection Status to display the status of your VPN connections.

Use the VPN Wizard to Configure the Gateway for a Client Tunnel
1. From the main menu, go to VPN > IPSec VPN > VPN Wizard. The VPN Wizard displays. Figure 5-8 (callouts: VPN Client connection; Connection name; Pre-shared key: r3m0+eC1ient; Remote identifier; Local identifier)
2. Select VPN Client as your VPN tunnel connection.
3. Create a Connection Name like "Client to GW1".
The pre-shared key shown here is the manual's sample value. Use a long, random key of your own: with pre-shared key authentication, the key is the only thing that prevents an unauthorised client from establishing the tunnel.

6. Click Apply to save your settings: the VPN Policies page shows the policy is now enabled. Figure 5-9

Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection
From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the FVX538. Follow these steps to configure your VPN client.
2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1. Figure 5-11
Fill in the other options according to the instructions below.
• Under Connection Security, verify that the Secure radio button is selected.
• From the ID Type pull-down menu, choose IP Subnet.

3. In the left frame, click My Identity. Fill in the options according to the instructions below. Figure 5-12 (callout: r3m0+eC1ient)
• From the Select Certificate pull-down menu, choose None.
• Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using r3m0+eC1ient.
• From the ID Type pull-down menu, choose Domain Name.
• Leave Virtual Adapter disabled.

4. Verify the Security Policy settings; no changes are needed. Figure 5-13
• On the left, click Security Policy to view the settings: no changes are needed.
• On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed.
• On the left, expand Key Exchange (Phase 2) and click Proposal 1: no changes are needed.
5. In the upper left of the window, click the disk icon to save the policy.

Testing the Connections and Viewing Status Information
Both the NETGEAR VPN Client and the FVX538 provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
NETGEAR VPN Client Status and Log Information
To test a client connection and view the status and log information, follow these steps.

2. To view more detailed status and troubleshooting information from the NETGEAR VPN client:
• Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-16
• Right-click the VPN Client icon in the system tray and select Connection Monitor. Figure 5-17

The VPN client system tray icon provides a variety of status indications, which are listed below.
Table 5-2. System Tray Icon Status
The client policy is deactivated.
The client policy is activated but not connected.
The client policy is activated and connected. A flashing vertical bar indicates traffic on the tunnel.
FVX538 VPN Connection Status and Logs
To view FVX538 VPN connection status, go to VPN > Connection Status.

To view FVX538 VPN logs, go to Monitoring > VPN Logs. Figure 5-19
VPN Tunnel Policies
When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Policy Tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN Policy and the IKE Policy. You can edit existing policies, or add new VPN and IKE policies directly in the Policy Tables.
2. If the VPN Policy is a "Manual" policy, the Manual Policy Parameters defined in the VPN Policy are used directly and no IKE negotiation takes place. For an Auto policy, the first matching IKE Policy is used to start negotiations with the remote VPN Gateway.
• If negotiations fail, the next matching IKE Policy is used.
• If none of the matching IKE Policies are acceptable to the remote VPN Gateway, then a VPN tunnel cannot be established.

• DH. Diffie-Hellman Group. The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the size of the modulus (Group 2 is the 1024-bit MODP group). The VPN Wizard default setting is Group 2. (This setting must match the remote VPN gateway.)
• Enable Dead Peer Detection: Dead Peer Detection is used to detect whether the peer is alive or not. If the peer is detected as dead, the IPSec and IKE Security Associations are deleted.

VPN Policy Table
Only one Client Policy may be configured at a time (noted by an "*" next to the policy name). The Policy Table contains the following fields:
• ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To enable or disable a policy, check the radio box adjacent to the circle and click Enable or Disable, as required.
• Name. Each policy is given a unique name (the Connection Name when using the VPN Wizard).
Certificate Authorities
Digital certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). This router uses digital certificates during the IKE (Internet Key Exchange) authentication phase as an alternative to pre-shared key authentication. Self Certificates are the certificates issued to this router by a CA.

• CA Identity (Subject Name). The organization or person to whom the certificate is issued.
• Issuer Name. The name of the CA that issued the certificate.
• Expiry Time. The date after which the certificate becomes invalid.
The Active Self Certificates table shows the certificates issued to you by the various CAs and available for use. For each certificate, the following data is listed:
• Name.

– Signature Key Length: 512, 1024, 2048. Larger key sizes improve security but may impact performance. A 512-bit RSA key can be factored with modest resources and 1024-bit keys are no longer considered adequate, so select 2048 unless the peer cannot accept it.
3. Complete the Optional fields, if desired, with the following information: Figure 5-20
• IP Address – If you have a fixed IP address, you may enter it here. Otherwise, leave this field blank.
• Domain Name – If you have a domain name, you can enter it here. Otherwise, leave this field blank.

6. Copy the contents of the Data to supply to CA text box into a file, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines. Click Done. You will return to the Certificate screen and your request details will be displayed in the Self Certificate Requests table showing a Status of "Waiting for Certificate upload".
To submit your Certificate request to a CA:
1. Connect to the Web site of the CA.

• CA Identity – The official name of the CA which issued this CRL.
• Last Update – The date when this CRL was released.
• Next Update – The date when the next CRL will be released.
To upload a CRL:
1. From the main menu under VPN, select Certificates. The Certificates screen will display showing the CRL (Certificate Revocation List) table at the bottom of the screen.
• IPSec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials.

• RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the router will first check the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see "RADIUS Client Configuration" on page 5-27).
• IPSec Host if you want to be authenticated by the remote gateway.

3. Enter a Password for the user, and re-enter the password in the Confirm Password field.
4. Click Add. The User Name will be added to the Configured Users table. Figure 5-23

To edit the user name or password:
1. Click Edit opposite the user's name. The Edit User screen will display.
2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings. The modified user name and password will display in the Configured Users table.

Figure 5-24
3. Enter the Primary RADIUS Server IP address.
4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server. This secret is all that protects the RADIUS exchange between the firewall and the server, so use a long random phrase and do not share it with other RADIUS clients.
5. Enter the Primary Server NAS Identifier (Network Access Server). This Identifier MUST be present in a RADIUS request. Ensure that the NAS Identifier is configured the same on both client and server.

9. Click Reset to cancel any changes and revert to the previous settings.
10. Click Apply to save the settings.
Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens.
Configuring the VPN Firewall
Two menus must be configured: the Mode Config menu and the IKE Policies menu.
To configure the Mode Config menu:
1. From the main menu, select VPN, and then select Mode Config from the submenu. The Mode Config screen will display.
2. Click Add. The Add Mode Config Record screen will display.
3. Enter a descriptive Record Name such as "Sales".

Figure 5-25
To configure an IKE Policy:
1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies table.
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display.
3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu.

4. In the General section:
a. Enter a descriptive name in the Policy Name field such as "salesperson". This name will be used as part of the remote identifier in the VPN client configuration.
b. Set Direction/Type to Responder.
c. The Exchange Mode will automatically be set to Aggressive. In Aggressive Mode the identities and the pre-shared-key-derived authentication hash are sent before the exchange is encrypted, so a passive eavesdropper can mount an offline guessing attack against the key; use a long, random pre-shared key for Mode Config policies.
5. For Local information:
d. Select Fully Qualified Domain Name for the Local Identity Type.

10. Click Apply. The new policy will appear in the IKE Policies table (a sample policy is shown below). Figure 5-26

Configuring the ProSafe VPN Client for ModeConfig
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.
To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.

b. From the ID Type pull-down menu, select IP Subnet.
c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway).
d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu.
e. From the ID Type pull-down menu, select Domain Name and enter the FQDN of the VPN firewall; in this example it is "local_id.com".

d. From the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0.
Note: If no box is displayed for Internal Network IP Address, go to Options/Global Policy Settings, and check the box for "Allow to Specify Internal Network Address."
e. Select your Internet Interface adapter from the Name pull-down menu. Figure 5-28 (callout: remote_id.com)
3. On the left side of the menu, select Security Policy.

Figure 5-29
5. Click Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).) Figure 5-30
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.

To test the connection:
1. Right-click the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case "My Connections\modecfg_test".
2. Click the connection. Within 30 seconds the message "Successfully connected to My Connections\modecfg_test" will display and the VPN client icon in the toolbar will read "On".
3. From the client PC, ping a computer on the VPN firewall LAN.
Chapter 6 Router and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 200.
Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but no capacity is held in reserve for the case in which one of the WAN ports fails. In such an event, and with one exception, the traffic that would have been sent on the failed WAN port is diverted to the WAN port that is still working, thus increasing its load. The exception is traffic that is bound by protocol to the WAN port that failed.

• Groups: The rule is applied to a Group (see "Managing Groups and Hosts (LAN Groups)" on page 3-6 to assign PCs to a Group using the Network Database).
• WAN Users – These settings determine which Internet locations are covered by the rule, based on their IP address.
– Any: The rule applies to all Internet IP addresses.
– Single address: The rule applies to a single Internet IP address.

Schedule. If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e., schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule. You specify the days of the week and time of day for each schedule. See "Setting a Schedule to Block or Allow Specific Traffic" on page 4-28 for the procedure on how to use this feature.

VPN Firewall Features That Increase Traffic
Features that tend to increase WAN-side loading are as follows:
• Port forwarding
• Port triggering
• DMZ port
• Exposed hosts
• VPN tunnels
Port Forwarding
The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (i.e., the service is unavailable).

• Enable DNS Proxy – Enable this to allow incoming DNS queries; the firewall then answers DNS queries from LAN hosts on their behalf.
• Enable Stealth Mode – Enable this to set the firewall to operate in stealth mode, in which it does not respond to probes of closed ports.
As you define your firewall rules, you can further refine their application according to the following criteria:
• LAN Users – These settings determine which computers on your network are affected by this rule. Select the desired IP Address in this field.

• The remote system receives the PC's request and responds using the different port numbers that you have now opened.
• This Router matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.

The QoS priority settings conform to the IEEE 802.1D-1998 (formerly 802.1p) standard for class of service tags. You will not change the WAN bandwidth used by changing any QoS priority settings, but you will change the mix of traffic through the WAN ports by granting some services a higher priority than others. The quality of a service is therefore affected by its QoS setting.
ProSafe VPN Firewall 200 FVX538 Reference Manual 1. Select Users from the main menu and Local Authentication from the submenu. Figure 6-1 2. Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box. 3. Change the password by first entering the old password, and then entering the new password twice. 4. Click Apply to save your settings or Cancel to return to your previous settings. 5.
ProSafe VPN Firewall 200 FVX538 Reference Manual Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset. RADIUS Server External Authentication For authentication to RADIUS or WIKID, you can define the authentication type. Figure 6-2 When a user logs in, the VPN firewall will validate with the appropriate RADIUS or WIKID server that the user is authorized to log in. 6-10 Router and Network Management v1.
When specifying RADIUS domain authentication, you are presented with several authentication protocol choices, as summarized in the following table:

Table 6-1. Authentication Protocols
• PAP – Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
Figure 6-3

To configure your firewall for Remote Management:

1. Select Administration from the main menu and Remote Management from the submenu. The Remote Management screen will display.
2. Check the Allow Remote Management radio box.
3. Specify which external addresses will be allowed to access the firewall's remote management.

Note: For enhanced security, restrict access to as few external IP addresses as practical.

a.
Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.

5. Click Apply to have your changes take effect.
• To allow access from any IP address on the Internet, select Everyone.
• To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
• To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.

4. Click Apply to have your changes take effect.
5. Click Add to create the new configuration. The entry will display in the SNMP Configuration table.
6. Click Edit in the Action column adjacent to the entry to modify or change the selected configuration.

Figure 6-4

The SNMP System Info link displays the VPN firewall identification information available to the SNMP Manager: System Contact, System Location, and System Name.

To modify the SNMP System contact information:

1. Click the SNMP System Info link.
• Back up and save a copy of your current settings.
• Restore saved settings from the backed-up file.
• Revert to the factory default settings.
• Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version.

Backup and Restore Settings

To back up and restore settings:

1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu.
You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the router's password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and act as a DHCP client to the Internet.

Warning: When you click default, your router settings will be erased. All firewall rules, VPN policies, LAN/WAN settings and other settings will be lost.
Warning: Once you click Upload do NOT interrupt the router!
To upgrade router software:

1. Select Administration from the main menu and Settings Backup and Firmware Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display.
2. Click Browse in the Router Upgrade section.
3. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall router. This may take some time. At the conclusion of the upgrade, your router will reboot.
• Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this instead and enter the name or IP address of an NTP server in the Server 1 Name/IP Address field. If required, you can also enter the address of another NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 field empty, it will be set to the default Netgear NTP servers.

4.
• Internet Traffic Statistics – Displays statistics on Internet traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available.
• Traffic by Protocol – Click this button to display Internet traffic details. The volume of traffic for each protocol will be displayed in a sub-window. Traffic counters are kept in MB, and a counter starts only once at least 1 MB of traffic has passed.
Figure 6-8

Setting Login Failures and Attacks Notification

Figure 6-9 shows the Firewall Logs & E-mail screen, which is invoked by selecting Monitoring from the main menu and Firewall Logs & E-mail from the submenu. You can send a system log of firewall activities to an e-mail address; alternatively, the log of firewall activities can be viewed, saved to a Syslog server, and then sent to an e-mail address. You can view the logs by clicking View Logs.
Figure 6-9 (screen callouts: View System Logs; Select the types of events to e-mail; Select the segments to track for System Log events; Enable e-mail alerts; Syslog Server enabled)
Viewing Port Triggering Status

You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu. When the Port Triggering screen displays, click the Status link.

Figure 6-10

Table 6-2. Port Triggering Status Data
• Rule – The name of the rule.
• LAN IP Address – The IP address of the PC currently using this rule.
• Open Ports – The incoming ports associated with this rule.
Viewing Router Configuration and System Status

The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display.

Figure 6-11

Table 6-3. Router Status Fields
• System Name – This is the Account Name that you entered in the Basic Settings page.
• Firmware Version – This is the current software the router is using.
Table 6-3. Router Status Fields (continued)
• WAN1 Configuration – Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also displays:
  • Whether NAT is Enabled or Disabled.
  • Connection Type: DHCP enabled or disabled.
  • Connection State
  • WAN IP Address
  • Subnet Mask
  • Gateway Address
  • Primary and Secondary DNS Server Addresses
  • MAC Address
Figure 6-12

Monitoring VPN Tunnel Connection Status

You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display.

Figure 6-13

Table 6-4. VPN Status Data
• Policy Name – The name of the VPN policy associated with this SA.
• Endpoint – The IP address of the remote VPN endpoint.
Table 6-4. VPN Status Data (continued)
• Tx (KB) – The amount of data transmitted over this SA.
• Tx (Packets) – The number of IP packets transmitted over this SA.
• State – The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase.
• Action – Use this button to terminate/build the SA (connection) if required.

VPN Logs

The VPN Logs screen gives log details for recent VPN activity.
DHCP Log

You can view the DHCP log from the LAN Setup screen. Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link.

Figure 6-15

Performing Diagnostics

You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets.
Figure 6-16

Table 6-5. Diagnostics
• Ping or Trace an IP address – Ping: used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Table 6-5. Diagnostics (continued)
• Display the Routing Table – This operation will display the internal routing table. This information is used, most often, by Technical Support.
• Reboot the Router – Used to perform a remote reboot (restart). You can use this if the router seems to have become unstable or is not operating normally.
Chapter 7 Troubleshooting

This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.

LEDs Never Turn Off

When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up:

• Cycle the power to see if the firewall recovers.
• Make sure your PC's IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC's address should be in the range of 192.168.0.2 to 192.168.0.254.

Note: If your PC's IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x.
Troubleshooting the ISP Connection

If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.

To check the WAN IP address:

1.
– Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to "Manually Configuring Your Internet Connection" on page 2-4.

If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet:

• Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses.
• Wrong physical connections
  – Make sure the LAN port LED is on. If the LED is off, follow the instructions in "LAN or Internet Port LEDs Not On" on page 7-2.
  – Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
Restoring the Default Configuration and Password

This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways:

• Use the Erase function of the firewall (see "Backup and Restore Settings" on page 6-16).
• Use the reset button on the rear panel of the firewall.
Appendix A Default Settings and Technical Specifications

You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset.

• To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below.
• Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B Network Planning for Dual WAN Ports

This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports.

What You Will Need to Do Before You Begin

The ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of the choices available to you, you need to think through the following items before you begin:

1. Plan your network
a.
a. Have active Internet services such as those provided by cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information.

• In this document, the WAN side of the network is presumed to be provisioned as shown in Figure B-1, with two ISPs connected to the VPN firewall through separate physical facilities.
Cabling and Computer Hardware Requirements

To use the VPN firewall on your network, each computer must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your firewall.

Computer Network Configuration Requirements

The FVX538 includes a built-in Web Configuration Manager.
• If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
  – For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
  – For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties.
Internet Connection Information Form

Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).

ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
Overview of the Planning Process

The areas that require planning when using a firewall that has dual WAN ports include:

• Inbound traffic (e.g., port forwarding, port triggering, DMZ port)
• Virtual private networks (VPNs)

The two WAN ports can be configured on a mutually-exclusive basis to either:

• Rollover for increased reliability, or
• Balance the load for outgoing traffic.
The Roll-over Case for Firewalls With Dual WAN Ports

Rollover for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Hence, the use of a fully-qualified domain name is always required, even when the IP address of each WAN port is fixed.
Inbound Traffic

Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu. Instead of discarding this traffic, you can have it forwarded to one or more LAN hosts on your network. The addressing of the firewall's dual WAN ports depends on the configuration being implemented:

Table B-1.
Inbound Traffic: Dual WAN Ports for Improved Reliability

In the dual WAN port case with rollover, the WAN's IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (i.e., WAN1 or WAN2).
Virtual Private Networks (VPNs)

When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall's dual WAN ports depends on the configuration being implemented:

Table B-2.
Figure B-7

Load Balancing Case for Dual Gateway WAN Ports

Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
VPN Road Warrior: Single Gateway WAN Port (Reference Case)

In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder.

Figure B-9

The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance). After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel.
Figure B-12

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
Figure B-13

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing

In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to manage the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
VPN Telecommuter: Single Gateway WAN Port (Reference Case)

In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.

Figure B-17

The IP address of the gateway WAN port can be either fixed or dynamic.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance). After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel.
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing

In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The chosen gateway WAN port must act as the responder.
Appendix C System Logs and Error Messages

This appendix uses the following log parameter terms.

Table C-1. Log Parameter Terms
• [FVX538] – System identifier.
• [kernel] – Message from the kernel.
• CODE – Protocol code (e.g., protocol is ICMP, type 8), and CODE=0 means successful reply.
• DEST – Destination IP address of the machine to which the packet is destined.
• DPT – Destination port.
• IN – Incoming interface for packet.
• OUT – Outgoing interface for packet.
• PROTO – Protocol used.
Table C-2. System Logs: System Startup
Message: Jan 1 15:22:28 [FVX538] [ledTog] [SYSTEM START-UP] System Started
Explanation: Log generated when the system is started.
Recommended Action: None

Reboot

This section describes log messages generated during system reboot.

Table C-3. System Logs: Reboot
Message: Nov 25 19:42:57 [FVX538] [reboot] Rebooting in 3 seconds
Explanation: Log generated when the system is rebooted from the web management.
Table C-4. System Logs: NTP (continued)
Explanation:
• Message 1: DNS resolution for the NTP server (time-f.netgear.com).
• Message 2: Request for NTP update from the time server.
• Message 3: Adjust time by re-setting the system time.
• Message 4: Display date and time before synchronization, that is, when resynchronization started.
• Message 5: Display the new updated date and time.
• Message 6: Next synchronization will be after the specified time mentioned.
IPSec Restart

This logging is always done.

Table C-7. System Logs: IPSec Restart
Message: Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted
Explanation: Log generated when IPSEC is restarted. This log is logged when IPSEC restarts after applying any changes in the configuration.
Recommended Action: None

WAN Status

This section describes the logs generated by the WAN component.
Auto Rollover

When the WAN mode is configured for Auto Rollover, the primary link is active and the secondary acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up. The device monitors the status of the primary link using the configured WAN Failure Detection method. This section describes the logs generated when the WAN mode is set to Auto Rollover.
PPP Logs

This section describes the WAN PPP connection logs. The PPP type can be configured from the web management.

PPPoE Idle-Timeout Logs

Table C-9. System Logs: WAN Status, PPE, PPPoE Idle-Timeout
Message:
Nov 29 13:12:46 [FVX538] [pppd] Starting connection
Nov 29 13:12:49 [FVX538] [pppd] Remote message: Success
Nov 29 13:12:49 [FVX538] [pppd] PAP authentication succeeded
Nov 29 13:12:49 [FVX538] [pppd] local IP address 50.0.0.
PPTP Idle-Timeout Logs

Table C-10. System Logs: WAN Status, PPE, PPTP Idle-Timeout
Message:
Nov 29 11:19:02 [FVX538] [pppd] Starting connection
Nov 29 11:19:05 [FVX538] [pppd] CHAP authentication succeeded
Nov 29 11:19:05 [FVX538] [pppd] local IP address 192.168.200.214
Nov 29 11:19:05 [FVX538] [pppd] remote IP address 192.168.200.1
Nov 29 11:19:05 [FVX538] [pppd] primary DNS address 202.153.32.2
Nov 29 11:19:05 [FVX538] [pppd] secondary DNS address 202.
Table C-12. System Logs: Web Filtering and Content Filtering
Message: Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Explanation:
• This packet is blocked by keyword blocking.
• The URL blocked due to keyword blocking is shown by [URL], along with the source and destination IP addresses, protocol, source port and destination port.
Traffic Metering Logs

Table C-13. System Logs: Traffic Metering
Message: Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._
Explanation: The traffic limit for WAN1, which was set to 10Mb, has been reached. This stops all incoming and outgoing traffic if so configured under "When Limit is reached" on the Traffic Meter web page.
Recommended Action: To start the traffic, restart the Traffic Limit Counter.
Table C-16. System Logs: Multicast/Broadcast (continued)
Explanation:
• This packet (Broadcast) is destined to the device from the WAN network.
• For other parameters, refer to Table C-1.
Recommended Action: None

FTP Logging

Table C-17. System Logs: FTP
Message:
Feb 2007 22 14:46:56 [FVX538] [kernel] [FTP-ACTIVE] SRC=192.168.10.211 DST=192.168.1.97 PROTO=TCP SPT=1983 DPT=21
Feb 2007 22 14:46:56 [FVX538] [kernel] [FTP-PASSIVE] SRC=192.168.10.211 DST=192.168.
Table C-18. System Logs: Invalid Packets (continued)
Explanation: Invalid RST packet
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
   fw/rules/attackChecks/configure dropInvalid 1
   To allow invalid packets and disable logging:
   fw/rules/attackChecks/configure dropInvalid 0
Message: 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][ICMP_TYPE][DROP] SRC=192.168.20.10 DST=192.168.20.
Table C-18. System Logs: Invalid Packets (continued)
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
   fw/rules/attackChecks/configure dropInvalid 1
   To allow invalid packets and disable logging:
   fw/rules/attackChecks/configure dropInvalid 0
Message: [INVALID][MALFORMED_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.
Table C-18. System Logs: Invalid Packets (continued)
Message: 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Packet not in TCP window
Recommended Action:
1. Invalid packets are dropped.
2.
LAN to DMZ Logs

Table C-20. Routing Logs: LAN to DMZ
Message: Nov 29 09:44:06 [FVX538] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from LAN to DMZ has been allowed by the firewall.
• For other parameters, refer to Table C-1.
Recommended Action: None

DMZ to WAN Logs

Table C-21.
WAN to DMZ Logs

Table C-24. Routing Logs: WAN to DMZ
Message: Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from WAN to DMZ has been allowed by the firewall.
• For other parameters, refer to Table C-1.
Recommended Action: None
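The log formats in Tables C-12, C-17, C-18, C-20 and C-24 share one shape: a timestamp, bracketed tags (or a routing chain such as LAN2DMZ[ACCEPT]), then KEY=VALUE fields named in Table C-1. The following parser and three review helpers are an added example for pulling these lines off a Syslog server, not code from NETGEAR or the manual; the sample lines are constructed after the tables above, and the MALFORMED_PACKET line's destination and ports are filled in with constructed values because the manual's copy is truncated.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines modelled on Tables C-12, C-17, C-18, C-20 and C-24.
SAMPLE_LOG = """\
Nov 29 09:44:06 [FVX538] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Oct 1 00:44:17 [FVX538] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Oct 1 00:44:18 [FVX538] [kernel] [INVALID][MALFORMED_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54900
Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Feb 22 14:46:56 [FVX538] [kernel] [FTP-ACTIVE] SRC=192.168.10.211 DST=192.168.1.97 PROTO=TCP SPT=1983 DPT=21
"""

TAG_RE = re.compile(r"\[([^\]]+)\]")                         # [FVX538], [INVALID], [DROP] ...
CHAIN_RE = re.compile(r"\b([A-Z]+2[A-Z]+)\[(ACCEPT|DROP)\]")  # LAN2DMZ[ACCEPT], WAN2DMZ[ACCEPT]
URL_RE = re.compile(r"\[URL\]==>\[\s*([^\]]*?)\s*\]")        # [URL]==>[ host/path ]
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")                      # SRC=..., DPT=..., CODE=...


@dataclass
class LogEvent:
    timestamp: str
    tags: List[str]             # bracketed tags in order, e.g. FVX538, kernel, INVALID, OUT_OF_WINDOW, DROP
    chain: Optional[str]        # routing chain such as LAN2DMZ, or None for non-routing lines
    verdict: Optional[str]      # "ACCEPT" or "DROP" when the line states one
    fields: Dict[str, str] = field(default_factory=dict)   # the Table C-1 parameters
    url: Optional[str] = None   # only on [KEYWORD_BLOCKED] lines


def parse_line(line: str) -> Optional[LogEvent]:
    """Split one FVX538 log line into timestamp, bracket tags and KEY=VALUE fields."""
    line = line.strip()
    first_tag = line.find("[")
    if first_tag < 0:
        return None                                  # not an FVX538-style line
    timestamp = line[:first_tag].strip()
    # Everything before the first KEY=VALUE pair carries the tags and chain name.
    first_kv = KV_RE.search(line)
    head = line[:first_kv.start()] if first_kv else line
    url_match = URL_RE.search(head)
    url = url_match.group(1) if url_match else None
    head = URL_RE.sub("", head)                      # keep the URL brackets out of the tag list
    tags = TAG_RE.findall(head)
    chain_match = CHAIN_RE.search(head)
    chain = chain_match.group(1) if chain_match else None
    if chain_match:
        verdict = chain_match.group(2)
    elif "DROP" in tags:
        verdict = "DROP"
    elif "ACCEPT" in tags:
        verdict = "ACCEPT"
    else:
        verdict = None
    return LogEvent(timestamp, tags, chain, verdict, dict(KV_RE.findall(line)), url)


def parse_log(text: str) -> List[LogEvent]:
    return [ev for ev in (parse_line(raw) for raw in text.splitlines()) if ev is not None]


def invalid_drops_by_source(events: List[LogEvent]) -> Counter:
    """Count [INVALID] drops per source address; a burst from one host deserves a look."""
    return Counter(ev.fields.get("SRC", "?") for ev in events if "INVALID" in ev.tags)


def accepted_into_dmz(events: List[LogEvent]) -> List[Tuple[str, str, str]]:
    """Flows the firewall allowed into the DMZ from another zone, as (chain, SRC, DST)."""
    return [(ev.chain, ev.fields["SRC"], ev.fields["DST"])
            for ev in events
            if ev.chain and ev.chain.endswith("2DMZ") and ev.verdict == "ACCEPT"]


def blocked_urls(events: List[LogEvent]) -> List[str]:
    """URLs stopped by keyword blocking (Table C-12)."""
    return [ev.url for ev in events if "KEYWORD_BLOCKED" in ev.tags and ev.url]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(invalid_drops_by_source(evs))
    print(accepted_into_dmz(evs))
    print(blocked_urls(evs))
```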
Appendix D Related Documents

This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

• Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm
• Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm
• Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.
Appendix E Two Factor Authentication

This appendix provides an overview of two factor authentication, and an example of how to implement the WiKID solution.
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual

• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
The WiKID solution is based on a request-response architecture in which a one-time passcode (OTP), time synchronized with the authentication server, is generated and sent to the user once the validity of a user credential has been confirmed by the server. The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs.
2. A one-time passcode (something they have) is generated for this user.

Figure E-2

Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it expires, the user will need to go through the request process again to generate a new OTP.
3. The user then goes to the two factor login page and enters the generated one-time passcode as the login password.

Figure E-3

Two-Factor Authentication is a new and easy way to enhance networking security products without having to replace the existing hardware. To obtain and try the new Two-Factor Authentication solution on your products, visit the NETGEAR Support website at http://kbserver.netgear.com.
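The request-response flow above (credential checked first, passcode issued second, passcode accepted once and only before it expires) is easier to reason about as server-side state. The toy authentication server below is an added illustration of that flow, not WiKID's implementation or wire protocol; the passcode lifetime, the PBKDF2 PIN storage and the six-digit code length are constructed choices.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PASSCODE_LIFETIME = 60     # seconds a passcode stays valid (constructed value)
PASSCODE_DIGITS = 6        # constructed value
PBKDF2_ROUNDS = 100_000


@dataclass
class IssuedPasscode:
    code: str
    expires_at: float
    used: bool = False


class PasscodeServer:
    """Toy request-response authentication server.

    request_passcode() is steps 1-2 of the appendix: the PIN (something the
    user knows) is verified, then a passcode (something the user has) is
    generated.  verify_login() is step 3: the passcode is presented as the
    login password and is honoured at most once, and only before it expires.
    """

    def __init__(self) -> None:
        self._salts: Dict[str, bytes] = {}
        self._pin_hashes: Dict[str, bytes] = {}
        self._outstanding: Dict[str, IssuedPasscode] = {}

    def enrol(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._salts[user] = salt
        self._pin_hashes[user] = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def _pin_ok(self, user: str, pin: str) -> bool:
        if user not in self._pin_hashes:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salts[user], PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, self._pin_hashes[user])   # constant-time compare

    def request_passcode(self, user: str, pin: str, now: float) -> Optional[str]:
        """Return a fresh passcode only after the credential has been confirmed."""
        if not self._pin_ok(user, pin):
            return None
        code = "".join(str(secrets.randbelow(10)) for _ in range(PASSCODE_DIGITS))
        # A new request replaces any earlier passcode, so at most one is live per user.
        self._outstanding[user] = IssuedPasscode(code, now + PASSCODE_LIFETIME)
        return code

    def verify_login(self, user: str, code: str, now: float) -> bool:
        """Accept the passcode once, before expiry; an expired or replayed code fails."""
        issued = self._outstanding.get(user)
        if issued is None or issued.used or now > issued.expires_at:
            return False
        if not hmac.compare_digest(code.encode(), issued.code.encode()):
            return False
        issued.used = True          # burn it so a replay is rejected
        return True
```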
Index

A use with DDNS 2-15 Using WAN port 2-10 access remote management 6-11 Active Self Certificates 5-19 B Add DMZ WAN Outbound Services screen 4-14 Back up settings 6-16 Add LAN DMZ Inbound Service screen 4-16 backup and restore settings 6-16 Add LAN DMZ Outbound Service screen 4-15 bandwidth capacity 6-1 LAN side 6-1 Load balancing mode 6-1 Rollover mode 6-1 WAN side 6-1 Add LAN WAN Inbound Service 4-12 Add LAN WAN Outbound Service screen 4-11 Add Mode Config Record screen 5-30 Add Protocol B
Content Filtering 4-1 about 4-29 Block Sites 4-29 enabling 4-30 firewall protection, about 4-1 content filtering 1-2, 4-1 crossover cable 1-3, 7-2 Customized Service editing 4-27 customized service adding 4-26 DHCP IP Address pool 3-1 DHCP log monitoring 6-29 DHCP server about 3-1 diagnostics DNS lookup 6-29 packet capture 6-29 ping 6-29 rebooting 6-29 routing table 6-29 Customized Services adding 4-3, 4-26 Diagnostics screen 6-29 D Disable DHCP Server 3
DHCP Address Pool 3-4
Domain Name Servers. See DNS.
DoS about protection 1-2
Dual WAN configuration of 2-8
Dual WAN Port inbound traffic B-8
load balancing, inbound traffic B-9
Dual WAN Port systems VPN Tunnel addresses 5-2
Dual WAN Ports features of 1-2
network planning B-1
Dual WAN ports Auto-Rollover, configuration of 2-10
Load Balancing, configuration of 2-12
Dynamic DNS configuration of 2-14
Dynamic DNS Configuration screen 2-14, 2-15
Dynamic DNS.
H
hardware requirements B-3
Hosting A Local Public Web Server example of 4-20
hosts, managing 3-6

I
IGP 3-14
IKE Policies management of 5-15
IKE Policy about 5-15
ModeConfig, configuring with 5-31
XAUTH, adding to 5-24
Inbound Rules default definition 4-2
field descriptions 4-7
order of precedence 4-9
Port Forwarding 4-2, 4-6
rules for use 4-6
inbound rules 4-6
example 4-21
Inbound Service Rule modifying 4-10
Inbound Services field descriptions 4-7
manual
LAN DMZ Outbound Services adding rule 4-15
LAN DMZ Rules 4-14
LAN DMZ Rules screen 4-14
LAN DMZ service rule modifying 4-15
LAN Security Checks 4-17
LAN Setup screen 3-3, 6-29
LAN side bandwidth capacity 6-1
LAN WAN Inbound Rule example of 4-20, 4-23
LAN WAN Inbound Services Rules about 4-12
add 4-12
MAC address 7-6
configuring 2-3, 2-4
format of 2-18
spoofing 7-5
MAC addresses blocked, adding 4-32
Maximum Failover 2-11
ModeConfig 5-29
about 5-29
assigning r
Inbound Rules 4-2, 4-6
increasing traffic 6-5
rules, about 4-6
troubleshooting 7-7
NTP Servers custom 6-20
default 6-19
NTP servers setting 6-19
port forwarding 6-5
Port Mode 2-10
port numbers 4-25
Port Speed 2-18

O
Oray.
RADIUS WiKID 6-11
RADIUS Server configuring 5-27
Router Status screen 6-25
Router Upgrade about 6-17
Router’s MAC Address 2-18
RADIUS-CHAP 5-23, 5-25
AUTH, using with 5-24
Routing Information Protocol 1-4
RADIUS-PAP 5-23
XAUTH, using with 5-24
Routing log messages C-13
reducing traffic 6-2
Block Sites 6-4
Service Blocking 6-2
Source MAC Filtering 6-4
remote management 6-10
access 6-11
configuration 6-12
telnet 6-13
remote users assigning addresses 5-29
System log messages C-1
Settings Backup & Upgrade screen 6-15
Settings Backup and Firmware Upgrade 6-16
Simple Network Management Protocol. See SNMP.
two-factor authentication WiKID 6-11
VPN Tunnel addresses Dual WAN Port systems 5-2
TZO.
manual setup 2-4
WAN1 ISP Settings screen 2-2
WAN1 Protocol Bindings 2-12
WAN1 Protocol Bindings screen 2-13
WAN1 Traffic Meter 2-6
WAN2 ISP settings 2-4
WAN2 ISP Settings manual setup 2-6
WAN2 Protocol Bindings 2-13
WAN2 Protocol Bindings screen 2-13
WAN2 Traffic Meter 2-7
Web Components 4-29
blocking 4-30
filtering, about 4-29
Web configuration troubleshooting 7-2
WiKID 6-11
WinPoET 2-5

X
XAUTH IPSec Host 5-24
types of 5-23