ProSafe VPN Firewall 200 FVX538 Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
202-10062-10 v1.
© 2006–2010 by NETGEAR, Inc. All rights reserved.
Technical Support: Please refer to the support information card that shipped with your product. By registering your product at http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product and software upgrades.
NETGEAR, INC. Support Information. Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card. E-mail: support@netgear.
Manufacturer's/Importer's Declaration. It is hereby confirmed that the ProSafe VPN Firewall 200 is suppressed against radio interference in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (e.g. test transmitters) in accordance with the regulations may nevertheless be subject to certain restrictions. Please refer to the notes in the operating instructions.
OpenSSL. Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2.
PPP. Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
Contents
About This Manual
• Conventions, Formats and Scope, page xiii
• How to Print This Manual, page xiv
• Revision History, page xiv
Chapter 1 Introduction
• Key Features
• Setting Up Load Balancing, page 2-11
• Configuring Dynamic DNS (Optional), page 2-14
• Configuring the Advanced WAN Options (Optional), page 2-16
• Additional WAN Related Configuration
• Adding Customized Services, page 4-24
• Specifying Quality of Service (QoS) Priorities, page 4-26
• Creating Bandwidth Profiles, page 4-27
• Setting a Schedule to Block or Allow Specific Traffic
• Configuring Keepalives and Dead Peer Detection, page 5-42
• Configuring Keepalives, page 5-42
• Configuring Dead Peer Detection, page 5-43
• Configuring NetBIOS Bridging with VPN
• Power LED Not On, page 7-2
• LEDs Never Turn Off, page 7-2
• LAN or Internet Port LEDs Not On, page 7-2
• Troubleshooting the Web Configuration Interface
Appendix C System Logs and Error Messages
• System Log Messages, page C-1
• System Startup, page C-1
• Reboot, page C-2
• NTP
About This Manual
This reference manual for the NETGEAR® ProSafe™ VPN Firewall 200 describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills.
Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs.
• Typographical Conventions.
• Scope. This manual is written for the VPN firewall according to these specifications:
Product Version: ProSafe VPN Firewall 200
Manual Publication Date: January 2010
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix E, “Related Documents.”
Note: Product updates are available on the NETGEAR, Inc. website at http://kb.netgear.com/app/home.
Part Number 202-10062-09, Version 1.0, March 2009. Adds these corrections and topics for the March 2009 firmware maintenance release:
• WiKID two-factor authentication
• SIP ALG support
• DHCP Relay support
• Update VPN configuration procedure topics
• Update the Certificate management topic
• Correct the firewall scheduling topic
Part Number 202-10062-10, Version 1.
Part Number 202-10062-10 (continued), Version 1.0, January 2010 (continued):
• Updated the LAN Multi-homing screen (Figure 3-4) and revised the “Configuring Multi Home LAN IP Addresses” section for more clarity.
• Revised the “Configuring and Enabling the DMZ Port” section for more clarity.
• Updated the RIP Configuration screen (Figure 3-8).
• Revised the “Viewing Rules and Order of Precedence for Rules” section and updated the LAN WAN Rules screen (Figure 4-2).
Chapter 1 Introduction
The ProSafe VPN Firewall 200 FVX538, with eight 10/100 ports and one 10/100/1000 port, connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVX538 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support.
• One console port for local management.
• SNMP manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100).
• Easy, web-based setup for installation and management.
• Advanced SPI Firewall and Multi-NAT support.
• Extensive protocol support.
• Login capability.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• One U rack mountable.
• Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the VPN firewall to e-mail the log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.
• Keyword Filtering.
Extensive Protocol Support
The FVX538 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see the “TCP/IP Networking Basics” document that you can access from the link in “Related Documents” in Appendix E.
• IP Address Sharing by NAT.
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
• Diagnostic Functions. The VPN firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
• Remote Management.
VPN Firewall Front and Rear Panels
The FVX538 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
Figure 1-1 (front panel; items 1 through 7 are described in Table 1-1)
Table 1-1 describes each item on the front panel and its operation.
Table 1-1. Object Descriptions (Object / LED Activity / Description)
1. Power LED: On (Green): Power is supplied to the VPN firewall. Off: Power is not supplied to the VPN firewall.
2. Test LED:
Table 1-1. Object Descriptions (continued)
3. WAN Ports and Active LEDs, LED (continued): On (Green): The WAN port has a valid Internet connection. On (Amber): The Internet connection is down or not being used because the port is available for failover in case the connection on the other WAN port fails. Off: The WAN port is either not enabled or has no link.
The rear panel of the FVX538 contains the On/Off switch and AC power connection.
Figure 1-2 (rear panel)
Viewed from left to right, the rear panel contains the following elements:
1. AC power in
2. On/Off switch
Rack Mounting Hardware
The FVX538 can be mounted either on a desktop (using the included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in Figure 1-3).
Figure 1-3 (rack mounting hardware)
The VPN Firewall’s IP Address, Login Name, and Password
Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information:
• IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN
• User name: admin
• Password: password
Figure 1-4 (product label showing LAN IP Address, User Name, and Password)
To log in to the FVX538 once it is connected, go to http://192.168.1.1.
Qualified Web Browsers
To configure the FVX538, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher, with JavaScript, cookies, and SSL enabled.
Chapter 2 Connecting the VPN Firewall to the Internet
This chapter provides instructions for connecting the ProSafe VPN Firewall 200 FVX538, including these topics:
• “Understanding the Connection Steps” on this page
• “Logging into the VPN Firewall” on page 2-2
• “Configuring the Internet Connections to Your ISPs” on page 2-2
• “Configuring the WAN Mode (Required for Dual WAN)” on page 2-7
• “Configuring Dynamic DNS (Optional)” on page 2-14
• “Configuring the Advanced WAN Options (Optional)” on page 2-16
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on page 2-14.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features and changing them is not usually required.
To automatically configure the WAN ports and connect to the Internet:
1. Select the primary menu option Network Configuration and the submenu option WAN Settings. The WAN1 ISP Settings screen will display.
Figure 2-1
2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support.
When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1.
Note: When you click Auto Detect while the WAN port already has a connection, you might lose the connection because the VPN firewall will enter its detection mode.
Table 2-1.
4. Set up the traffic meter for WAN 1 ISP if desired. See “Enabling the Traffic Meter” on page 6-27.
Note: At this point of the configuration process, you are connected to the Internet through WAN port 1. But you must continue with the configuration process to get the complete functionality of the dual WAN interface.
To configure the WAN2 ISP settings:
1. Repeat the above steps to set up the parameters for WAN2 ISP.
2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected. If your ISP has not assigned any login information, then choose the No radio box and skip this section.
3. If your ISP has assigned a fixed (static or permanent) IP address, select the Use Static IP Address radio box and fill in the following fields:
• IP Address. Static IP address assigned to you. This will identify the VPN firewall to your ISP.
• IP Subnet Mask. This is usually provided by the ISP or your network administrator.
• Gateway IP Address. IP address of the ISP’s gateway. This is usually provided by the ISP or your network administrator.
The VPN firewall supports the following modes:
• Auto-Rollover Mode. In this mode, the selected WAN interface is made primary and the other is the rollover link. As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once the original primary link is back up and running again.
Setting Up Auto-Rollover Mode
If you want to use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured. Then you select the WAN port that will act as the primary link for this mode and configure the WAN Failure Detection Method to support Auto-Rollover.
5. Enter a Test Period in seconds. A DNS query is sent periodically after every test period. The default test period is 30 seconds.
Figure 2-3
6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number of queries have failed to elicit a reply. The rollover link is brought up after this. The Failover default is 4 failures.
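The detection cycle in steps 5 and 6, together with the roll-back behaviour described under Auto-Rollover Mode, as a small Python simulation. This is an added example, not NETGEAR firmware code: the defaults (30-second test period, 4 failures) come from the text above, while the assumption that a single successful probe on the primary link triggers the roll-back is mine, since the manual does not say how many successes are needed.

```python
"""Simulation of Auto-Rollover WAN failure detection (added illustration, not firmware code).

Assumed behaviour: one DNS probe per test period; the primary WAN link is declared
down after `max_failover` consecutive probe failures and traffic rolls over to the
backup link; traffic rolls back as soon as the primary answers a probe again
(the single-success roll-back is an assumption)."""
from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class WanFailover:
    test_period: int = 30        # seconds between DNS probes (FVX538 default)
    max_failover: int = 4        # consecutive failures before rollover (FVX538 default)
    primary: str = "WAN1"
    backup: str = "WAN2"
    failures: int = 0            # consecutive failed probes on the primary link
    active: str = field(init=False)
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary

    def worst_case_detection_seconds(self) -> int:
        """Seconds from the last successful probe until the rollover link is brought up."""
        return self.test_period * self.max_failover

    def probe(self, t: int, primary_answered: bool) -> str:
        """Process one DNS probe result taken at time t (seconds); return the active link."""
        if primary_answered:
            if self.active != self.primary:
                self.events.append(f"t={t}s: {self.primary} answered again, rolling back")
                self.active = self.primary
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= self.max_failover and self.active == self.primary:
                self.events.append(
                    f"t={t}s: {self.failures} consecutive failures, rolling over to {self.backup}"
                )
                self.active = self.backup
        return self.active

    def run(self, results: Iterable[bool]) -> List[str]:
        """Feed one probe result per test period; return the active link after each probe."""
        return [self.probe(i * self.test_period, ok) for i, ok in enumerate(results)]


if __name__ == "__main__":
    # Constructed probe sequence: two good probes, five lost replies, then recovery.
    fo = WanFailover()
    print(fo.run([True, True, False, False, False, False, False, True, True]))
    print("\n".join(fo.events))
    print("worst-case detection:", fo.worst_case_detection_seconds(), "seconds")
```

With the defaults, an outage is noticed only after four lost probes, so the rollover link comes up up to 120 seconds after the last good reply; shortening the test period or lowering the failure count trades faster failover for more false rollovers on a lossy link.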
Setting Up Load Balancing
To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, both links will carry data for the protocols that are bound to them. For example, if the HTTP protocol is bound to WAN1 and the FTP protocol is bound to WAN2, then the VPN firewall will automatically channel FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port.
3. Enter the following data in the Add Protocol Binding section:
a. Service – From the pull-down menu, select the desired services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules” on page 4-3).
b. Destination Network – These settings determine which Internet locations are covered by the rule, based on their IP address.
Figure 2-5
3. Modify the parameters for the protocol binding service you selected.
4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table.
5. Click Reset to return to the previously configured settings.
Configuring Dynamic DNS (Optional)
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org. Links to DynDNS, TZO, Oray, and 3322 are provided for your convenience on the Dynamic DNS Configuration screen.
Figure 2-6
2. Click the tab of the Dynamic DNS service you want to enable. Each DNS service provider requires registration, and you then configure its parameters on the corresponding screen.
3. Access the website of one of the DDNS service providers and set up an account. A link to each DDNS provider is to the right of the tabs.
4.
d. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org.
5. Click Apply to save your configuration.
6. Click Reset to return to the previous settings.
3. Edit the default information you want to change.
• MTU Size. The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs you may have to reduce the MTU. But this is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
• Port Speed.
Chapter 3 LAN Configuration
This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200 FVX538, including the following sections:
• “Choosing the VPN Firewall DHCP Options” on this page
• “Managing Groups and Hosts (LAN Groups)” on page 3-6
• “Configuring Multi Home LAN IP Addresses” on page 3-10
• “Configuring and Enabling the DMZ Port” on page 3-11
• “Configuring Static Routes” on page 3-14
• “Configuring Routin
The VPN firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP address from the range that you have defined.
• Subnet mask.
• Gateway IP address (the VPN firewall’s LAN IP address).
• Primary DNS server (the VPN firewall’s LAN IP address).
• WINS server (if you entered a WINS server address in the DHCP section of the LAN Setup screen).
• Lease time (date obtained and duration of lease).
Note: If you enable the DHCP Relay feature, you will not use the VPN firewall as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
To configure the LAN Setup options:
1. Select Network Configuration from the primary menu and LAN Settings from the submenu. The LAN Setup screen will display.
Figure 3-1
2. In the LAN TCP/IP Setup section, configure the following settings:
• IP Address.
Note: If you change the LAN IP address of the VPN firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to reconnect to the Web Configuration Manager.
• IP Subnet Mask. The subnet mask specifies the network number portion of an IP address.
• WINS Server. (Optional) Specifies the IP address of a local Windows NetBIOS Server if one is present in your network.
• Lease Time. This specifies the duration for which IP addresses will be leased to clients.
If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information.
Managing Groups and Hosts (LAN Groups)
The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this VPN firewall. Collectively, these entries make up the Network Database. The Network Database is updated by these methods:
• DHCP Client Requests.
• If necessary, you can also create firewall rules to apply to a single PC (see “Configuring Source MAC Filtering” on page 4-33). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address. A computer is identified by its MAC address—not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC.
• MAC Address. The MAC address of the computer’s network interface.
• Group. Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment, select the Edit link in the Action column.
• Action/Edit. Allows modification of the selected entry.
Adding Devices to the Network Database
To add devices manually to the Network Database:
1.
Changing Group Names in the LAN Groups Database
By default, the LAN Groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as Engineering or Marketing. To edit the names of any of the eight available groups:
1. From the LAN Groups screen, click the Edit Group Names link to the right of the tabs. The Network Database Group Names screen appears.
Figure 3-3
2.
To reserve an IP address, manually enter the device on the LAN Groups screen, specifying Reserved (DHCP Client), as described in “Adding Devices to the Network Database” on page 3-8.
Note: The reserved address will not be assigned until the next time the PC contacts the VPN firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
• IP Address. The IP address alias added to the LAN port of the VPN firewall. This is the gateway for computers that need to access the Internet.
• Subnet Mask. IPv4 Subnet Mask.
• Action. The Edit link allows you to make changes to the selected entry.
• Select All. Selects all the entries in the Available Secondary LAN IPs table.
• Delete. Deletes selected entries from the Available Secondary LAN IPs table.
3.
Note: A separate firewall security profile is provided for the DMZ port that is hardware independent of the standard firewall security used for the LAN.
The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see “VPN Firewall Front and Rear Panels” on page 1-6) and configure an IP address and mask for the DMZ port.
To enable and configure the DMZ port:
1.
If desired, select Enable DHCP Server, which will provide TCP/IP configuration for all computers connected to the VPN firewall’s DMZ network. If another device on your DMZ network will be the DHCP server, or if you will manually configure all devices, leave the Disable DHCP Server radio box selected, which is the default setting. If the DHCP server is enabled, enter the following parameters:
• Domain Name.
• Port. Specifies the port number that the LDAP server is using. Leave this field blank for the default port.
4. In the Advanced Settings section, select Enable DNS Proxy if you want to enable the DNS proxy, which is the default setting. The DHCP server will then provide the VPN firewall’s LAN IP address as the DNS server for name resolution. If this box is unchecked, the DHCP server will provide the ISP’s DNS server IP addresses.
2. Click Add. The Add Static Route screen will display.
Figure 3-7
3. Enter a route name for this static route in the Route Name field (for identification and management).
4. Select Active to make this route effective.
5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP.
6. Enter the destination IP address of the host or network to which the route leads.
7.
Static Route Example
For example, you may require a static route if:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN firewall on your home network for connecting to the company where you are employed. This firewall’s address on your LAN is 192.168.1.100.
• Your company’s network is 134.177.0.0.
When you first configured your VPN firewall, two implicit static routes were created.
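The static route example above, worked through as a longest-prefix lookup in Python. This is an added illustration, not the firewall's routing code: the two implicit routes are modelled as the directly connected LAN and a default route to the ISP, the ISP gateway address 10.1.0.254 and the /16 mask on 134.177.0.0 are assumptions, and the Private flag only records whether the route would be advertised in RIP (as described in step 5 of the procedure above).

```python
"""Longest-prefix route lookup for the static route example (added illustration, not firmware code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop: Optional[str]   # None for a directly connected network
    interface: str
    private: bool = False     # a Private static route is not advertised in RIP


# Constructed routing table for the example above.
ROUTES: List[Route] = [
    # implicit route 1: the LAN itself, directly connected
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "LAN"),
    # implicit route 2: default route to the ISP (gateway address is an assumption)
    Route(ipaddress.ip_network("0.0.0.0/0"), "10.1.0.254", "WAN1"),
    # added static route: company network via the ISDN firewall on the LAN (/16 assumed)
    Route(ipaddress.ip_network("134.177.0.0/16"), "192.168.1.100", "LAN", private=True),
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Return the most specific route covering dst (longest prefix wins), or None."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in routes:
        if addr in route.destination and (
            best is None or route.destination.prefixlen > best.destination.prefixlen
        ):
            best = route
    return best


def rip_advertised(routes: List[Route] = ROUTES) -> List[str]:
    """Destinations that would be announced in RIP (Private routes are withheld)."""
    return [str(r.destination) for r in routes if not r.private]


if __name__ == "__main__":
    for dst in ("134.177.10.5", "192.168.1.50", "8.8.8.8"):
        print(dst, "->", lookup(dst))
    print("without the static route:", lookup("134.177.10.5", ROUTES[:2]))
    print("advertised in RIP:", rip_advertised())
```

The last lookup shows the failure mode the static route exists to fix: with only the two implicit routes, packets for 134.177.0.0 match the default route and are sent to the ISP instead of to the ISDN firewall at 192.168.1.100.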
2. Click the RIP Configuration link to the right of the Routing tab. The RIP Configuration screen will display.
Figure 3-8
3. From the RIP Direction pull-down menu, select the direction in which the VPN firewall will send and receive RIP packets. The choices are:
• None. The VPN firewall neither broadcasts its route table nor accepts any RIP packets from other routers. This effectively disables RIP.
• Both.
• RIP-2. This includes all the functionality of RIPv1 plus support for subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the modes in which packets are sent are different.
  – RIP-2B. Sends the routing data in RIP-2 format and uses subnet broadcasting.
  – RIP-2M. Sends the routing data in RIP-2 format and uses multicasting.
5.
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 FVX538 to protect your network.
intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
Services-Based Rules
The rules to block traffic are based on the traffic’s category of service.
• Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it.
• Inbound Rules (port forwarding). Inbound traffic is normally blocked by the VPN firewall unless the traffic is in response to a request from the LAN side. The VPN firewall can be configured to allow this otherwise blocked traffic.
Table 4-2. Outbound Rules (continued)
Select Schedule: Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule.
• This pull-down menu is activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as the Action.
• Use the Schedule screen to configure the time schedules (see “Setting a Schedule to Block or Allow Specific Traffic” on page 4-29).
Table 4-2. Outbound Rules (continued)
Bandwidth Profile: Bandwidth limiting determines the way in which data is sent to and from your host. The purpose of bandwidth limiting is to limit outgoing and incoming traffic, preventing LAN users from consuming all the bandwidth of your Internet link.
Table 4-3. Inbound Rules
Services: Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services” on page 4-24).
Table 4-3. Inbound Rules (continued)
Log: This determines whether packets covered by this rule are logged. Select the desired action:
• Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
• Never – Never log traffic considered by this rule, whether it matches or not.
Bandwidth Profile: Bandwidth limiting determines the way in which data is sent to and from your host.
Figure 4-1
For LAN WAN rules, DMZ WAN rules, and LAN DMZ rules, for any traffic attempting to pass through the VPN firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services rules tables, beginning at the top and proceeding to the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet.
2. Click one of the following table buttons:
• enable. Enables the rule or rules. The “!” status icon changes from a grey circle to a green circle, indicating that the rule or rules are enabled. (By default, when a rule is added to the table, it is automatically enabled.)
• disable. Disables the rule or rules. The “!” status icon changes from a green circle to a grey circle, indicating that the rule or rules are disabled.
• delete.
3. Click Apply.
LAN WAN Outbound Services Rules
You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The outbound rule will block the selected application from any internal LAN IP address to any external WAN IP address according to the schedule created in the Schedule menu.
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Outbound Services table.
LAN WAN Inbound Services Rules
This Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your VPN firewall.
Configuring DMZ WAN Rules
The firewall rules for traffic between the DMZ and the WAN/Internet are configured on the DMZ WAN Rules screen. The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the DMZ to the Internet (outbound) or coming in from the Internet to the DMZ (inbound).
Figure 4-6
4. Configure the parameters based on the descriptions in Table 4-2 on page 4-3.
5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled.
2. Select the LAN DMZ Rules tab. The LAN DMZ Rules screen will display.
Figure 4-7
3. Click Add under the Outbound Services Table. The Add LAN DMZ Outbound Service screen will display.
Figure 4-8
4. Configure the parameters based on the descriptions in Table 4-2 on page 4-3.
5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled.
4-14 Firewall Protection and Content Filtering v1.
The procedure to add a new LAN DMZ inbound service policy is similar to the procedure described above, except that you click Add under the Inbound Services table, you configure the parameters based on the descriptions in Table 4-3 on page 4-6, and the policy is added to the Inbound Services table.
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule.
Figure 4-10
In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
Figure 4-11
The following addressing scheme is used in this example:
• VPN firewall FVX538
– WAN1 primary public IP address: 10.1.0.1
– WAN1 additional public IP address: 10.1.0.5
– LAN IP address: 192.168.1.1
• Web server PC on the VPN firewall’s LAN
– LAN IP address: 192.168.1.11
– Port number for Web service: 8080
To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear.
To expose one of the PCs on your LAN or DMZ as this host:
1. Create an inbound rule that allows all protocols.
2. Place the rule below all other inbound rules.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If you must create one, place it in the DMZ rather than on the LAN, and restrict the rule's WAN Users setting to the remote addresses that need access instead of Any.
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites.
LAN WAN Outbound Rule: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
Attack Checks
The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN and WAN networks. To enable the appropriate attack checks for your environment:
1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen will display.
2. Click the Attack Checks tab. The Attack Checks screen will display.
Figure 4-14
3.
– Enable Stealth Mode. In stealth mode, the VPN firewall does not respond to port scans from the WAN or Internet: unsolicited probes are silently dropped rather than answered, which makes the firewall harder to discover and attack.
– Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds with SYN-ACK, the attacker never completes the handshake, so the server's table of half-open connections fills up and legitimate connections are refused.
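The following is an added example, not NETGEAR's "Block TCP Flood" implementation, of the detection logic behind that check: it walks a constructed packet trace, keeps a table of half-open connections per destination, and raises an alert when the count crosses a threshold. The threshold (50) and the half-open timeout (3 seconds) are assumptions chosen for illustration.

```python
"""Half-open connection (SYN flood) detector over a constructed packet trace.

Added example, not NETGEAR's "Block TCP Flood" implementation: the threshold
and the half-open timeout are assumptions chosen for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# A packet is (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags); only the
# client-to-server direction is recorded, as the firewall sees it arriving inbound.
Packet = Tuple[float, str, str, int, str]

HALF_OPEN_THRESHOLD = 50   # assumed: half-open connections per destination before alerting
HALF_OPEN_TIMEOUT = 3.0    # assumed: seconds a SYN may wait for the client's ACK


def track_half_open(packets: Iterable[Packet]) -> Tuple[Dict[str, int], List[float]]:
    """Walk the trace and return (peak half-open count per destination, alert times).

    A SYN opens a half-open entry; the client's ACK (handshake complete) or RST
    (aborted) closes it; entries older than HALF_OPEN_TIMEOUT expire. An alert is
    raised when a destination's half-open count reaches the threshold, at most
    once per second so that the flood does not also flood the log.
    """
    pending: Dict[Tuple[str, str, int], float] = {}   # (src, dst, dport) -> time of SYN
    peak: Dict[str, int] = defaultdict(int)
    alerts: List[float] = []
    for ts, src, dst, dport, flags in packets:
        for key in [k for k, t0 in pending.items() if ts - t0 > HALF_OPEN_TIMEOUT]:
            del pending[key]
        key = (src, dst, dport)
        if flags == "S":
            pending[key] = ts
        elif flags in ("A", "R"):
            pending.pop(key, None)
        count = sum(1 for k in pending if k[1] == dst)
        peak[dst] = max(peak[dst], count)
        if count >= HALF_OPEN_THRESHOLD and (not alerts or ts - alerts[-1] >= 1.0):
            alerts.append(ts)
    return dict(peak), alerts


def sample_trace() -> List[Packet]:
    """Constructed trace: one legitimate handshake, then a burst of SYNs from
    many (spoofed) sources that never send the final ACK."""
    trace: List[Packet] = [
        (0.0, "203.0.113.5", "192.0.2.10", 80, "S"),
        (0.1, "203.0.113.5", "192.0.2.10", 80, "A"),
    ]
    for i in range(60):
        trace.append((10.0 + i * 0.01, f"198.51.100.{i + 1}", "192.0.2.10", 80, "S"))
    return trace


if __name__ == "__main__":
    peak, alerts = track_half_open(sample_trace())
    print("peak half-open connections per destination:", peak)
    print("alerts raised at:", alerts)
```

The legitimate handshake never contributes to the peak because its ACK removes the entry; the spoofed burst is what drives the count to 60 and triggers a single alert. A real implementation would additionally rate-limit or drop new SYNs to the affected destination once the threshold is crossed.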
Setting Session Limits
Session Limit allows you to specify the total number of sessions allowed per user, identified by IP address, across the VPN firewall; it limits the damage a single infected or misbehaving host can do to the connection table. This feature is enabled on the Session Limit screen, shown below in Figure 4-15. Session Limit is disabled by default. To set session limits:
1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen will display.
2.
Note: Some protocols (such as FTP or RTSP) create two sessions per connection (a control session and a data session), which should be taken into account when configuring Session Limiting.
The Total Number of Packets Dropped due to Session Limit field shows the total number of packets dropped because the session limit was reached.
6. In the Session Timeout section, modify the TCP, UDP and ICMP timeout values as you require.
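An added example, not the FVX538's code, of how a per-user session limit interacts with the two-sessions-per-connection protocols and with the session timeouts described above. It assumes the limit is counted per source IP address, that FTP and RTSP each weigh two sessions, and uses its own TCP/UDP/ICMP idle timeouts in place of the Session Timeout settings.

```python
"""Per-user (source IP) session limiter with protocol-aware counting and idle timeouts.

Added example, not the FVX538's code. Assumptions: the limit is counted per
source IP address; FTP and RTSP count as two sessions per connection (control
plus data), as the note above warns; the TCP/UDP/ICMP idle timeouts are this
example's own values and stand in for the Session Timeout settings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TIMEOUTS = {"tcp": 1200.0, "udp": 120.0, "icmp": 60.0}   # assumed idle timeouts, seconds
SESSIONS_PER_CONNECTION = {"ftp": 2, "rtsp": 2}           # assumed: control + data session


@dataclass
class SessionLimiter:
    max_sessions: int                       # allowed concurrent sessions per source IP
    dropped: int = 0                        # "Total Number of Packets Dropped due to Session Limit"
    active: Dict[str, List[Tuple[float, str, int]]] = field(default_factory=dict)
    #   src_ip -> [(last_seen, proto, session_weight), ...]

    def _expire(self, src: str, now: float) -> None:
        """Drop sessions that have been idle longer than their protocol's timeout."""
        self.active[src] = [(t, p, w) for t, p, w in self.active.get(src, [])
                            if now - t <= TIMEOUTS[p]]

    def count(self, src: str, now: float) -> int:
        """Weighted number of live sessions for this source at time `now`."""
        self._expire(src, now)
        return sum(w for _, _, w in self.active[src])

    def new_session(self, src: str, proto: str, app: str, now: float) -> bool:
        """Admit a new session, or drop it (and count the drop) if the source is at its limit."""
        weight = SESSIONS_PER_CONNECTION.get(app, 1)
        if self.count(src, now) + weight > self.max_sessions:
            self.dropped += 1
            return False
        self.active[src].append((now, proto, weight))
        return True
```

With a limit of 5, two HTTP sessions plus one FTP connection already consume four slots, so a second FTP connection is refused while a single-session protocol still fits; other source addresses keep their own budget, and idle sessions fall out of the count once their protocol timeout passes.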
Creating Services, QoS Profiles, and Bandwidth Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
• Services. A service narrows down the firewall rule to an application and a port number. For information about adding services, see “Adding Customized Services” on page 4-24.
• QoS profiles.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be obtained from the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen. To add a customized service:
1. Select Security from the main menu and Services from the submenu. The Services screen will display.
Modifying a Service
To edit the parameters of a service:
1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display.
Figure 4-18
2. Modify the parameters you wish to change.
3. Click Reset to cancel the changes and restore the previous settings, or click Apply to confirm your changes. The modified service will display in the Custom Services Table.
A ToS priority for traffic passing through the VPN firewall is one of the following:
• Normal-Service. No special priority is given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
• Minimize-Cost. Used when data has to be transferred over a link that has a lower “cost”. The IP packets for services with this priority are marked with a ToS value of 1.
• Maximize-Reliability.
Figure 4-19
2. Click Add to add a new bandwidth profile. The Add New Bandwidth Profile screen displays.
Figure 4-20
3. Enter the following information:
a. Enter a Profile Name. This name will become available in the firewall rules definition menus.
b. From the Direction pull-down box, select whether the profile will apply to outbound, inbound, or both outbound and inbound traffic.
c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed:
• Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth in Kbps.
• Enter the Inbound Minimum Bandwidth and Inbound Maximum Bandwidth in Kbps.
The minimum bandwidth can range from 0 Kbps to the maximum bandwidth that you specify. The maximum bandwidth can range from 100 Kbps to 100,000 Kbps.
d.
Figure 4-21
2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the box for each day you want the schedule to be in effect.
3. Check the radio button to schedule the time of day: All Day, or Specific Times. If you chose Specific Times, enter the Start Time and End Time fields (Hour, Minute, AM/PM), which will limit access during certain times for the selected days.
4.
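The following added example (not NETGEAR's code) models how the rule tables in this chapter are evaluated: the LAN WAN outbound example that blocks Instant Messenger during working hours, the inbound videoconference rule restricted to a branch-office range, and the schedule objects defined just above. Rules are tried in order and the first enabled match decides; otherwise the default policy applies (allow for outbound, block for inbound). The Instant Messenger service (TCP 5190), the CU-SeeMe port range, the working-hours schedule and the sample addresses and times are all assumptions for illustration.

```python
"""First-match evaluation of LAN WAN rules with services and schedules.

Added example (not NETGEAR's code) modelling the rule tables described in this
chapter: a default outbound policy of allow, a default inbound policy of block,
and rules that match a service (protocol plus port range), a local and a remote
address set, and a schedule (days of the week, start and end time). The service
definitions, the working-hours schedule and the sample times are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Sequence


@dataclass(frozen=True)
class Service:
    name: str
    proto: str                 # "tcp", "udp", "icmp" or "any"
    port_lo: int = 0
    port_hi: int = 65535

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port_lo <= port <= self.port_hi


@dataclass(frozen=True)
class Schedule:
    days: Sequence[int] = tuple(range(7))   # 0 = Monday ... 6 = Sunday ("All Days" by default)
    start: str = "00:00"                    # 24-hour "HH:MM", inclusive ("All Day" by default)
    end: str = "23:59"

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") <= self.end


@dataclass(frozen=True)
class Rule:
    service: Service
    action: str                    # "allow" or "block"
    local: str = "0.0.0.0/0"       # LAN side: source for outbound, destination for inbound
    remote: str = "0.0.0.0/0"      # WAN Users: destination for outbound, source for inbound
    schedule: Schedule = Schedule()
    enabled: bool = True           # the "!" status icon in the rule table

    def matches(self, local_ip: str, remote_ip: str, proto: str, port: int, when: datetime) -> bool:
        return (self.enabled
                and self.service.matches(proto, port)
                and ip_address(local_ip) in ip_network(self.local)
                and ip_address(remote_ip) in ip_network(self.remote)
                and self.schedule.active(when))


def evaluate(rules: Sequence[Rule], default: str, local_ip: str, remote_ip: str,
             proto: str, port: int, when: datetime) -> str:
    """Return the action of the first enabled rule that matches, else the default policy."""
    for rule in rules:
        if rule.matches(local_ip, remote_ip, proto, port, when):
            return rule.action
    return default


# Assumed service and schedule for "block Instant Messenger during working hours".
INSTANT_MESSENGER = Service("Instant Messenger", "tcp", 5190, 5190)
WORKING_HOURS = Schedule(days=(0, 1, 2, 3, 4), start="09:00", end="17:00")
OUTBOUND_RULES = [Rule(INSTANT_MESSENGER, "block", schedule=WORKING_HOURS)]

# Assumed inbound rule: allow the videoconference service only from a branch-office range
# to the LAN; the CU-SeeMe port range is an assumption.
VIDEOCONFERENCE = Service("CU-SeeMe", "udp", 7648, 7652)
INBOUND_RULES = [Rule(VIDEOCONFERENCE, "allow", local="192.168.1.0/24", remote="198.51.100.0/28")]

# Constructed sample times: a Monday and a Saturday, both at 10:30.
WEEKDAY_MORNING = datetime(2024, 1, 8, 10, 30)
WEEKEND_MORNING = datetime(2024, 1, 6, 10, 30)
```

Outbound Instant Messenger traffic is blocked on the Monday but passes on the Saturday because the schedule no longer matches and the default outbound policy is allow; inbound CU-SeeMe from an address outside the branch-office range falls through to the default inbound policy of block.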
Several types of blocking are available:
• Web Components blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Some of these components can be used by malicious Websites to infect computers that access them. Even sites on the Trusted Domains list are subject to Web Components blocking when the blocking of a particular Web component is enabled.
– Proxy.
Keyword application examples:
• If the keyword “XXX” is specified, any URL containing it is blocked, as is the newsgroup alt.pictures.XXX.
• If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
• If you wish to block all Internet browsing access, enter the keyword “.”.
To enable Content Filtering:
1. Select Security from the main menu and Block Sites from the submenu.
2. Check the Yes radio button to enable content filtering.
3. Click Apply to activate the screen controls.
4. Check the boxes of any web components you wish to block.
5. Check the radio buttons of the groups to which you wish to apply keyword blocking. Click Enable to activate keyword blocking (or Disable to deactivate it).
6. Build your list of blocked keywords or domain names in the Blocked Keyword fields. After each entry, click Add.
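An added example, not the firewall's own code, that implements the keyword-matching semantics given above (a keyword anywhere in the host or newsgroup name blocks it, “.” blocks everything, at most 32 keywords). Two details the text does not state are assumptions here: matching is case-insensitive, and hosts on a Trusted Domains list are exempt from keyword blocking.

```python
"""Keyword and domain-name blocking as described under Blocking Sites.

Added example, not the firewall's own code. Modelled semantics: a keyword
matches anywhere in the requested host name or newsgroup name, the single
keyword "." blocks everything, and at most 32 keywords are accepted. Two
details the text does not state are assumptions here: matching is
case-insensitive, and hosts on a Trusted Domains list are exempt from
keyword blocking.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

MAX_KEYWORDS = 32


class SiteBlocker:
    def __init__(self, keywords: Iterable[str], trusted_domains: Iterable[str] = ()):
        self.keywords = [k.strip() for k in keywords if k.strip()]
        if len(self.keywords) > MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords are supported")
        self.trusted = {t.strip().lower().lstrip(".") for t in trusted_domains if t.strip()}

    @staticmethod
    def _name(target: str) -> str:
        """Host name of a URL, or a bare host/newsgroup name as given, lower-cased."""
        parts = urlsplit(target if "://" in target else "http://" + target)
        return (parts.hostname or target).lower()

    def _is_trusted(self, name: str) -> bool:
        return any(name == t or name.endswith("." + t) for t in self.trusted)

    def blocking_keyword(self, target: str) -> Optional[str]:
        """Return the keyword that blocks this URL or newsgroup, or None if it is allowed."""
        name = self._name(target)
        if self._is_trusted(name):
            return None
        for kw in self.keywords:
            if kw == "." or kw.lower() in name:
                return kw
        return None

    def is_blocked(self, target: str) -> bool:
        return self.blocking_keyword(target) is not None
```

Note that a keyword such as “.com” is a plain substring test on the host name, so it also blocks names like “www.company.co.uk” only if they contain “.com”; when you want an exact domain, put the full domain name in the list rather than a fragment.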
Figure 4-23
2. Check the Yes radio button in the MAC Filtering Enable section.
3. Select the action to be taken on outbound traffic from the listed MAC addresses:
• Block this list and permit all other MAC addresses.
• Permit this list and block all other MAC addresses.
4. Enter a MAC Address in the Add Source MAC Address field and click Add. The MAC address will appear in the MAC Addresses table. Repeat this process to add additional MAC addresses.
Because a MAC address is easily changed by the user of a PC, MAC filtering on its own is a weak control; combine it with IP/MAC binding (below) where you need to tie a host to an address.
Configuring IP/MAC Address Binding
IP/MAC binding allows you to bind an IP address to a MAC address, and the other way around. Some devices are configured with static addresses. To prevent users from changing their static IP addresses, IP/MAC binding must be enabled on the VPN firewall. If the VPN firewall detects packets with a matching IP address but an inconsistent MAC address (or a matching MAC address but an inconsistent IP address), it drops those packets.
Figure 4-24
3. Select the Yes radio button and click Apply. Make sure that you have enabled the e-mailing of logs (see “Activating Notification of Events and Alerts” on page 6-23).
4. Add an IP/MAC Bind rule by entering:
a. Name. Specify an easily identifiable name for this rule.
b. MAC Address. Specify the MAC Address for this rule.
c. IP Addresses. Specify the IP Address for this rule.
d. Log Dropped Packets.
To edit an IP/MAC Bind rule, click Edit adjacent to the entry. The following fields of an existing IP/MAC Bind rule can be modified:
• MAC Address. Specify the MAC Address for this rule.
• IP Addresses. Specify the IP Address for this rule.
• Log Dropped Packets. Specify the logging option for this rule.
To remove an entry from the table, select the IP/MAC Bind entry and click Delete.
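The check described above, as an added example that is not NETGEAR's implementation: each bind rule carries a name, MAC address, IP address and logging flag, and a packet is dropped when its source IP matches a rule but the MAC differs, or its MAC matches a rule but the IP differs. Hosts that appear in no rule pass untouched. The bindings and packets below are constructed for illustration.

```python
"""IP/MAC binding enforcement as described under Configuring IP/MAC Address Binding.

Added example, not NETGEAR's implementation. A packet is dropped when the
source IP matches a bound entry but the MAC differs, or the MAC matches but
the IP differs; drops are counted per rule and logged when the rule's
Log Dropped Packets option is set. Sample bindings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form; accepts '-' or ':' separators or none."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class BindRule:
    name: str
    mac: str
    ip: str
    log_dropped: bool = True


@dataclass
class IpMacBinder:
    rules: List[BindRule]
    log: List[str] = field(default_factory=list)
    drops: Dict[str, int] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.by_ip: Dict[str, BindRule] = {}
        self.by_mac: Dict[str, BindRule] = {}
        for r in self.rules:
            r.mac = norm_mac(r.mac)
            if r.ip in self.by_ip or r.mac in self.by_mac:
                raise ValueError(f"duplicate binding in rule {r.name!r}")
            self.by_ip[r.ip] = r
            self.by_mac[r.mac] = r

    def check(self, src_ip: str, src_mac: str) -> Tuple[bool, Optional[str]]:
        """Return (accepted, name of the rule that caused a drop or None)."""
        mac = norm_mac(src_mac)
        rule = self.by_ip.get(src_ip) or self.by_mac.get(mac)
        if rule is None or (rule.ip == src_ip and rule.mac == mac):
            return True, None                     # unbound host, or a consistent pair
        self.drops[rule.name] = self.drops.get(rule.name, 0) + 1
        if rule.log_dropped:
            self.log.append(f"IP/MAC bind {rule.name}: dropped packet from {src_ip} / {mac}")
        return False, rule.name
```

The two failure cases are distinct: a host that spoofs the file server's IP from its own MAC, and the file server's own MAC appearing with a different IP. Both hit the same rule and are counted against it; the printer rule drops but does not log because its Log Dropped Packets option is off.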
Note these restrictions with port triggering:
• Only one PC can use a port triggering application at any time.
• After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the VPN firewall cannot detect when the application has terminated.
Note: For additional ways of allowing inbound traffic, see “Inbound Rules (Port Forwarding)” on page 4-5.
6. In the Incoming (Response) Port Range fields:
a. Enter the Start Port of the range (1 - 65534).
b. Enter the End Port of the range (1 - 65534).
7. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table.
To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
Figure 4-26
2. Modify any of the fields for this rule.
3.
E-Mail Notifications of Event Logs and Alerts
The firewall logs can be configured to record denial of access, general attack information, and other events, and to e-mail them to a specified e-mail address.
Chapter 5 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the ProSafe VPN Firewall 200 FVX538.
The diagrams and table below show how the WAN mode selection relates to VPN configuration.
Using the VPN Wizard for Client and Gateway Configurations
You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies.
Figure 5-4
2. Select Gateway as your connection type.
3. Create a Connection Name. Enter a descriptive name for the connection. This name is used only to help you manage the VPN settings; it is not supplied to the remote VPN endpoint.
4. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN gateway or the remote VPN client. It must be a minimum of 8 characters and should not exceed 49 characters. Use a long, random key rather than a word or phrase: a short or guessable pre-shared key is the weakest part of the tunnel.
5.
6. Enter the Remote and Local WAN IP Addresses or Internet Names of the gateways which will connect.
• Both the remote WAN address and your local WAN address are required.
Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to a host on the peer side of the network to keep the tunnel alive.
9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured.
To display the status of your VPN connections, select VPN from the main menu and Connection Status from the submenu. The Connection Status screen will display.
Follow these steps to configure a VPN client tunnel:
• Configure the client policies on the gateway.
• Configure the VPN client to connect to the gateway.
Use the VPN Wizard to Configure the Gateway for a Client Tunnel
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display. To view the wizard default settings, click the VPN Wizard Default Values link.
4. Enter a Pre-shared Key; in this example, we are using r3m0+eC1ient, which must also be entered in the VPN client software. The key length must be 8 characters minimum and cannot exceed 49 characters.
5. Choose which WAN port to use as the VPN tunnel end point.
Note: If you are using a dual WAN rollover configuration, after completing the wizard, you must manually update the VPN policy to enable VPN rollover.
Follow these steps to configure your VPN client.
1. Right-click the VPN client icon in your Windows toolbar, choose Security Policy Editor, and verify that the Options > Secure > Specified Connections selection is enabled.
Figure 5-10
2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1.
Fill in the other options according to the instructions below.
• Under Connection Security, verify that the Secure radio button is selected.
• From the ID Type pull-down menu, choose IP Subnet.
• Enter the LAN IP Subnet Address and Subnet Mask of the VPN firewall LAN; in this example, we are using 192.168.2.0.
• Check the Use checkbox and choose Secure Gateway Tunnel from the pull-down menu.
• From the first ID Type pull-down menu, choose Domain Name.
Figure 5-13
Virtual Private Networking 5-11 v1.
• On the left, click Security Policy to view the settings: no changes are needed.
• On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed.
• On the left, expand Key Exchange (Phase 2) and click Proposal 1: no changes are needed.
5. In the upper left of the window, click the disk icon to save the policy.
Within 30 seconds you should receive the message “Successfully connected to My Connections\gw1”.
Figure 5-15
The VPN client icon in the system tray should show the status On.
2. To view more detailed status and troubleshooting information from the NETGEAR VPN client, follow these steps.
• Right-click the VPN Client icon in the system tray and select Log Viewer.
Figure 5-16
• Right-click the VPN Client icon in the system tray and select Connection Monitor.
Figure 5-17
The VPN client system tray icon provides a variety of status indications, which are listed below.
Table 5-2. System Tray Icon Status
The client policy is deactivated.
The client policy is activated but not connected.
The client policy is activated and connected. A flashing vertical bar indicates traffic on the tunnel.
You can set a Poll Interval (in seconds) to check the connection status of all active IKE policies to obtain the latest VPN tunnel activity. The Active IPSec SA(s) table also lists current data for each active IPsec SA (security association):
• Policy Name. The name of the VPN policy associated with this SA.
• Endpoint. The IP address of the remote VPN endpoint.
• Tx (KBytes). The amount of data transmitted over this SA.
• Tx (Packets).
Managing VPN Policies
When you use the VPN Wizard to set up a VPN tunnel, both a VPN policy and an IKE policy are established and populated in both policy tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies, or add new VPN and IKE policies directly in the policy tables.
The IKE Policies Screen
When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the List of IKE Policies table on the IKE Policies screen and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the IKE Policies screen. To view the IKE Policies screen, select VPN from the main menu and Policies from the submenu.
• Auth. Authentication algorithm used for the IKE SA. The default setting using the VPN Wizard is SHA1. (This setting must match the remote VPN.)
• DH. Diffie-Hellman Group. The Diffie-Hellman algorithm is used when exchanging keys. The DH Group selects the size of the modulus, and so the strength of the key exchange; Group 2 is the 1024-bit MODP group. The VPN Wizard default setting is Group 2. (This setting must match the remote VPN. Where both endpoints support a larger group, prefer it.)
• Enable Dead Peer Detection: Dead Peer Detection is used to detect whether the peer is alive or not.
4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. Only one client policy may be configured at a time (noted by an “*” next to the policy name). The List of VPN Policies contains the following fields:
• ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To enable or disable a policy, check the box adjacent to the circle and click Enable or Disable, as required.
• Name.
Digital Certificates can be either self-signed or issued by a Certification Authority (CA), such as an in-house Windows server or an external organization such as Verisign or Thawte. However, if a Digital Certificate contains the extKeyUsage extension, the certificate can only be used for the purposes defined by that extension.
• CA certificate. Each CA issues its own CA identity certificate in order to validate communication with the CA and to verify the validity of certificates signed by the CA.
• Self certificate. The certificate issued to you by a CA identifying your device.
Viewing and Loading CA Certificates
The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data:
• CA Identity (Subject Name).
Viewing Active Self Certificates
The Active Self Certificates table on the Certificates screen shows the certificates issued to you by a CA and available for use.
Figure 5-22
For each self certificate, the following data is listed:
• Name. The name you used to identify this certificate.
• Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate.
To generate a new Certificate Signing Request (CSR) file:
1. Locate the Generate Self Certificate Request section of the Certificates screen.
Figure 5-23
2. Configure the following fields:
• Name – Enter a descriptive name that will identify this certificate.
• Subject – This is the name which other organizations will see as the holder (owner) of the certificate.
• Domain Name – If you have an Internet domain name, you can enter it here. Otherwise, you should leave this field blank.
• E-mail Address – Enter the e-mail address of a technical contact in your organization.
4. Click Generate. A new certificate request is created and added to the Self Certificate Requests table.
Figure 5-24
5. In the Self Certificate Requests table, click view in the Action column to view the request.
Figure 5-25
6.
7. Submit your certificate request to a CA:
a. Connect to the website of the CA.
b. Start the Self Certificate request procedure.
c. When prompted for the requested data, copy the data from your saved text file, including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines.
d. Submit the CA form. If no problems ensue, the certificate will be issued.
8. Store the certificate file from the CA on your computer.
9.
The CRL table lists your active CAs and their critical release dates:
• CA Identity – The official name of the CA which issued this CRL.
• Last Update – The date when this CRL was released.
• Next Update – The date when the next CRL will be released. After this date the loaded CRL is stale, so download and upload the new CRL before it passes.
2. Click Browse and locate the CRL file you previously downloaded from a CA.
3. Click Upload. The CRL file will be uploaded and the CA Identity will appear in the Certificate Revocation Lists (CRL) table.
Configuring XAUTH for VPN Clients
Once XAUTH has been enabled, you must establish user accounts on the local database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.
Note: If you are modifying an existing IKE policy to add XAUTH and it is in use by a VPN policy, the VPN policy must be disabled before you can modify the IKE policy. To enable and configure XAUTH:
1.
Figure 5-28
3. In the Extended Authentication section of the Add IKE Policy (or Edit IKE Policy) screen, select the Authentication Type from the pull-down menu which will be used to verify user account information. Select one of the following options:
• Edge Device. Use the VPN firewall as a VPN concentrator where one or more gateway tunnels terminate.
– User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 5-29).
– RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to use a RADIUS server. If RADIUS–PAP is selected, the VPN firewall will first check the User Database to see if the user credentials are available there.
2. Enter a User Name. This is the unique ID of a user which will be added to the User Name database.
3. Enter a Password for the user, and reenter the password in the Confirm Password field.
4. Click Add. The user name will be added to the Configured Users table.
To edit the user name or password:
1. Click Edit opposite the user’s name. The Edit User screen will display.
2. Make the required changes to the User Name or Password.
3.
2. Select the RADIUS Client tab. The RADIUS Client screen will display.
Figure 5-30
3. Enable the primary RADIUS server by checking the Yes radio button.
4. Enter the primary RADIUS Server IP address.
5. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server. Use a long random phrase: it is what protects the user password carried in RADIUS-PAP requests on the wire.
6.
8. Set the Time Out Period, in seconds, that the VPN firewall should wait for a response from the RADIUS server.
9. Set the Maximum Retry Count. This is the number of attempts that the VPN firewall will make to contact the RADIUS server before giving up.
10. Click Reset to cancel any changes and revert to the previous settings, or click Apply to save the settings.
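The following added example (not the FVX538's code) models the order in which XAUTH credentials are checked for the three Authentication Types described above, and the same order applies when XAUTH is set on a Mode Config IKE policy later in this chapter: with User Database only the local store is consulted; with RADIUS-PAP the local User Database is checked first and the RADIUS server is contacted only for users it does not hold; with RADIUS-CHAP the request always goes to RADIUS. The explanation built into the example (a local store that keeps only password hashes can verify a PAP password but cannot compute an RFC 1994 CHAP response, whereas the RADIUS server holds the secret) is this example's design, not something the manual states. The RADIUS server is a stand-in object, and all user names, passwords and the challenge are constructed.

```python
"""XAUTH credential checking order: local User Database first, then RADIUS.

Added example, not the FVX538's code. Models the Extended Authentication
types: RADIUS-PAP consults the firewall's own User Database first and
contacts RADIUS only for users it does not hold, while RADIUS-CHAP always
goes to RADIUS. The reason modelled here (a hash-only local store cannot
compute a CHAP response) is this example's design, not a manual statement.
The RADIUS server is a stand-in; users, passwords and challenge are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple, Union


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """MD5-CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + password.encode() + challenge).digest()


class LocalUserDatabase:
    """Holds salted PBKDF2 hashes only, so it can check a PAP password but never answer CHAP."""

    def __init__(self, users: Dict[str, str]):
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def __contains__(self, name: str) -> bool:
        return name in self._users

    def verify_pap(self, name: str, password: str) -> bool:
        salt, stored = self._users[name]
        return hmac.compare_digest(stored, self._hash(password, salt))


class FakeRadiusServer:
    """Stand-in RADIUS server keeping plaintext secrets, which CHAP verification requires."""

    def __init__(self, users: Dict[str, str]):
        self._users = users
        self.requests = 0          # lets a caller see whether RADIUS was consulted at all

    def pap(self, name: str, password: str) -> bool:
        self.requests += 1
        expected = self._users.get(name)
        return expected is not None and hmac.compare_digest(expected.encode(), password.encode())

    def chap(self, name: str, ident: int, challenge: bytes, response: bytes) -> bool:
        self.requests += 1
        expected = self._users.get(name)
        return expected is not None and hmac.compare_digest(
            chap_response(ident, expected, challenge), response)


def xauth_authenticate(auth_type: str, name: str, credential: Union[str, bytes],
                       local: LocalUserDatabase, radius: FakeRadiusServer,
                       challenge: bytes = b"", ident: int = 1) -> Tuple[bool, str]:
    """Verify an XAUTH login and report which store decided it ("local" or "radius").

    `credential` is the PAP password (str) or the client's CHAP response (bytes).
    """
    if auth_type == "user_db":
        return (name in local and local.verify_pap(name, credential)), "local"
    if auth_type == "radius_pap":
        if name in local:                                   # User Database checked first
            return local.verify_pap(name, credential), "local"
        return radius.pap(name, credential), "radius"       # only then the RADIUS server
    if auth_type == "radius_chap":
        return radius.chap(name, ident, challenge, credential), "radius"
    raise ValueError(f"unknown XAUTH authentication type {auth_type!r}")
```

One consequence of the RADIUS-PAP order worth noticing: a user who exists in the local database is never sent to RADIUS, so a stale local account can shadow a disabled RADIUS account. Keep the local User Database to the few accounts that must work when RADIUS is unreachable.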
IP address from the configured IP address pool and activates a temporary IPsec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the Add Mode Config Record screen that is shown in Figure 5-32 on page 5-34).
2. Click Add. The Add Mode Config Record screen will display.
Figure 5-32
3. Enter a descriptive Record Name such as “Sales”.
4. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx.
5. If you have a WINS server on your local network, enter its IP address.
6.
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. The settings recommended in this manual are:
• SA Lifetime: 3600 seconds
• Authentication Algorithm: SHA-1
• Encryption Algorithm: 3DES
(3DES and SHA-1 are legacy algorithms; where both the VPN firewall and the client offer AES and a SHA-2 hash, prefer those.)
10. Click Apply. The new record should appear in the List of Mode Config Records on the Mode Config screen.
Configuring an IKE Policy for Mode Config Operation
Next, you must configure an IKE policy:
1. From the main menu, select VPN.
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display.
Figure 5-34
3. In the Mode Config Record section, enable Mode Config by checking the Yes radio button and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the view selected button.
4. In the General section:
• Enter a descriptive name in the Policy Name field, such as “SalesPerson”. This name will be used as part of the remote identifier in the VPN client configuration.
• Set Direction/Type to Responder.
• The Exchange Mode will automatically be set to Aggressive. Note that in IKEv1 Aggressive Mode the pre-shared key hash is exchanged before the negotiation is encrypted, so anyone who captures a client connection attempt can try to crack the key offline; a long, random pre-shared key and XAUTH are therefore essential for Mode Config tunnels.
5. In the Local section, select FQDN for the Identity Type.
6. In the Local section, choose which WAN port to use as the VPN tunnel end point.
7.
Note: If RADIUS-PAP is selected, the VPN firewall will first check the User Database to see if the user credentials are available. If the user account is not present, the VPN firewall will then connect to the RADIUS server.
12. Click Apply. The new policy will appear in the List of IKE Policies table.
Configuring the ProSafe VPN Client for ModeConfig
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.
d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu.
e. From the ID Type pull-down menu, select Domain Name and enter the FQDN of the VPN firewall; in this example it is “local_id.com”.
f. Select Gateway IP Address from the second pull-down menu and enter the WAN IP address of the VPN firewall; in this example it is “172.21.4.1”.
2. From the left side of the menu, click My Identity.
e. Select your Internet Interface adapter from the Name pull-down menu.
3. On the left side of the menu, select Security Policy. Enter the following information:
a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
b. Check the Enable Perfect Forward Secrecy (PFS) check box, and select Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
c. Enable Replay Detection should be checked.
4.
5. Click Key Exchange (Phase 2) on the left side of the menu and select Proposal 1.
Figure 5-38
Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).)
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.
Testing the Mode Config Connection
To test the connection:
1.
Configuring Keepalives and Dead Peer Detection
In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require your VPN tunnel to remain connected, you can use the Keepalive and Dead Peer Detection features to prevent the tunnel from dropping and to force a reconnection if the tunnel drops for any reason.
5. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests.
6. Enter the Detection Period to set the time between ICMP ping requests. The default is 10 seconds.
7. In Reconnect after failure count, set the number of consecutive missed responses that will be considered a tunnel connection failure. The default is 3 missed responses.
6. In Reconnect after failure count, set the number of DPD failures allowed before tearing down the connection. The default is 3 failures. When the VPN firewall senses an IKE connection failure, it deletes the IPsec and IKE Security Associations and forces a re-establishment of the connection.
7. Click Apply at the bottom of the screen.
Chapter 6 VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 200 FVX538.
Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but there is no dedicated backup in case one of the WAN ports fails. In such an event, and with one exception, the traffic that would have been sent on the failed WAN port is diverted to the WAN port that is still working, thus increasing its load. The exception is traffic that is bound by protocol to the WAN port that failed.
• Groups. The rule is applied to a group (see “Managing Groups and Hosts (LAN Groups)” on page 3-6 to assign PCs to a group using the Network Database).
• WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address.
– Any. The rule applies to all Internet IP addresses.
– Single address. The rule applies to a single Internet IP address.
– Address range.
Blocking Sites If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s filtering feature. By default, this feature is disabled; all requested traffic from any website is allowed. • Keyword (and Domain Name) Blocking. You can specify up to 32 words that, should they appear in the website name (that is, URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall.
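An added example, not NETGEAR code, of the keyword and domain-name blocking described above, written in Python: a filter that applies up to 32 case-insensitive keywords to the requested site name (host and path) or newsgroup name. The class and function names are my own, as is the sample keyword list. It also shows a caveat the manual does not spell out: a name-based keyword filter cannot match a site that is requested by its IP address, so such requests need a separate firewall rule.

```python
# Added example (not NETGEAR code): keyword / domain-name blocking as the manual
# describes it, plus a check for the IP-literal blind spot.
import ipaddress
from urllib.parse import urlsplit

MAX_KEYWORDS = 32   # limit stated in the manual


class KeywordFilter:
    """Case-insensitive substring match of keywords against a site name
    (host plus path) or a newsgroup name."""

    def __init__(self, keywords):
        cleaned = [k.strip().lower() for k in keywords if k.strip()]
        if len(cleaned) > MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords are supported")
        self.keywords = cleaned

    def matching_keyword(self, name):
        """Return the first configured keyword found in *name*, or None."""
        lname = name.lower()
        for kw in self.keywords:
            if kw in lname:
                return kw
        return None

    def is_url_blocked(self, url):
        parts = urlsplit(url if "://" in url else "http://" + url)
        site_name = (parts.hostname or "") + parts.path
        return self.matching_keyword(site_name) is not None

    def is_newsgroup_blocked(self, group):
        return self.matching_keyword(group) is not None


def host_is_ip_literal(url):
    """Caveat check (my addition): a filter on names never sees a host that is
    requested by IP address, so such a request passes unless the address
    itself is blocked by a firewall rule."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed keyword list and requests, for illustration only.
    f = KeywordFilter(["casino", "redhat"])
    for u in ("http://www.redhat.com/", "https://Example.com/CASINO/", "http://209.132.177.50/"):
        print(u, "blocked" if f.is_url_blocked(u) else "allowed",
              "(IP literal, not covered by keywords)" if host_is_ip_literal(u) else "")
```

Because matching is a plain substring test, a short keyword such as "cat" also blocks "education.example.com"; choose keywords long enough to avoid collateral blocking.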
Port Forwarding The VPN firewall always blocks the DoS (Denial of Service) attacks that it recognizes. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so that you cannot use it (that is, the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic.
• WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address.
– Any. The rule applies to all Internet IP addresses.
– Single address. The rule applies to a single Internet IP address.
– Address range. The rule is applied to a range of Internet IP addresses.
• Destination Address.
As such, it would be handled in accordance with the Port Forwarding rules. – Only one PC can use a port triggering application at any time. – After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated.
Changing QoS priority settings does not change the WAN bandwidth used. It does change the mix of traffic through the WAN ports, because some services are granted a higher priority than others, so the quality of a service is affected by its QoS setting. See “Specifying Quality of Service (QoS) Priorities” on page 4-26 for the procedure on how to use this feature.
Figure 6-1 2. In the Enable Local Authentication section of the screen: a. Enable local authentication by selecting the Yes radio box. b. Click Apply to save your settings. 3. In the User Selection section of the screen, select either the Edit Admin Settings or Edit Guest Settings radio box. 4. In either the Admin Settings or the Guest Settings section of the screen: a.
b. Click Apply to save your settings. Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset, so set a new password again after any reset. Adding External Users You can add external users for which you then can configure an authentication method (see “Configuring an External Server for Authentication” on page 6-11). To add an external user: 1.
3. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b. User Type. Select either Admin or Guest. c. Idle Timeout. This is the period after which an idle user will be automatically logged out of the Web Configuration Manager. 4. Click Apply to save and apply your entries. The new user appears in the Users table on the External Users screen.
To configure external authentication: 1. Select Users from the main menu and External Authentication from the submenu. The External Users screen will display. 2. Select the External Authentication tab. The External Authentication screen will display. Figure 6-4 3. In the Enable External Authentication section of the screen, select the Yes radio button. 4. Click Apply to save the settings and enable external authentication. 5.
• Primary Server NAS Identifier. The identifier for the Network Access Server (NAS) must be present in a RADIUS request. Ensure that the NAS Identifier is configured identically on both client and server. The VPN firewall is acting as a NAS, allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS Identifier information to the RADIUS server.
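The NAS Identifier paragraph above, as an added example in Python that is not NETGEAR code: the RADIUS Access-Request the firewall would send as a NAS, with the User-Name, User-Password and NAS-Identifier attributes encoded per RFC 2865, and the server-side check that the NAS-Identifier matches the configured client entry. The function names, the sample shared secret and the sample identifier are my assumptions. Note that the User-Password attribute is only obfuscated with an MD5-based keystream derived from the shared secret and the Request Authenticator; the path between firewall and RADIUS server must therefore be a trusted network and the secret long and random.

```python
# Added example (not NETGEAR code): RADIUS Access-Request with NAS-Identifier,
# RFC 2865 User-Password hiding, and the server-side NAS check.
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def encode_user_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 octets, then XOR
    each block with MD5(secret || previous block); the first "previous block"
    is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16            # an empty password still occupies one block
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher                    # chaining uses the ciphertext block
    return bytes(out)


def decode_user_password(hidden, secret, authenticator):
    """Inverse of encode_user_password, as performed by the RADIUS server."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(identifier, secret, username, password, nas_identifier,
                         authenticator=None):
    """Assemble the Access-Request the firewall (acting as NAS) would send."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable
    attrs = [
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator)),
        (ATTR_NAS_IDENTIFIER, nas_identifier),
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_radius(packet):
    """Split a RADIUS packet into header fields and (type, value) attributes,
    rejecting a Length field that disagrees with the bytes actually present."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match packet")
    authenticator = packet[4:20]
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return {"code": code, "id": identifier, "authenticator": authenticator, "attrs": attrs}


def server_check_nas(packet, secret, expected_nas_id):
    """Server side: process the request only when the NAS-Identifier matches
    the configured client entry. Returns (username, password) or None."""
    p = parse_radius(packet)
    a = dict(p["attrs"])
    if a.get(ATTR_NAS_IDENTIFIER) != expected_nas_id:
        return None
    return a[ATTR_USER_NAME], decode_user_password(a[ATTR_USER_PASSWORD], secret,
                                                   p["authenticator"])


if __name__ == "__main__":
    # Constructed values: assumed shared secret, fixed authenticator for a
    # reproducible demo (a real NAS draws it from a CSPRNG per request).
    secret, auth = b"sharedsecret", bytes(range(16))
    pkt = build_access_request(7, secret, b"alice", b"s3cret-pass", b"fvx538-hq", auth)
    print(pkt.hex())
    print(server_check_nas(pkt, secret, b"fvx538-hq"))   # (b'alice', b's3cret-pass')
    print(server_check_nas(pkt, secret, b"other-nas"))   # None: identifier mismatch
```

The mismatch case is exactly what a wrong Primary Server NAS Identifier on the firewall produces: the server has no matching client entry and silently ignores the request, which shows up on the firewall side as an authentication timeout rather than a rejection.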
Enabling Remote Management Access Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall” on page 2-2). Note: Be sure to change the default configuration password of the VPN firewall to a strong, unique password before enabling remote management; once enabled, the login screen is reachable from whichever Internet addresses you allow.
2. Select the Allow Remote Management radio box. 3. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect. a. To allow access from any IP address on the Internet, select Everyone. b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. Where the administrator's addresses are known, an IP address range exposes the management login to far fewer hosts than Everyone, so prefer it. c.
Note: To maintain security, the VPN firewall will reject a login that uses http://address rather than the SSL https://address. Note: The first time you remotely connect to the VPN firewall with a browser via SSL, you may get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate. The warning appears because the firewall's certificate is not issued by an authority your browser trusts, so the browser cannot tell the firewall's certificate from one presented by an attacker in the path; note the certificate's fingerprint while connected from the local LAN and compare it with the one shown in the warning before accepting it remotely.
To create a new SNMP configuration entry: 1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen will display. Figure 6-6 2. Under Create New SNMP Configuration Entry, enter the IP address of the SNMP manager in the IP Address field and the subnet mask in the Subnet Mask field.
When you click on the SNMP System Info link on the SNMP screen, the VPN firewall’s identification information is displayed. The following identification information is available to the SNMP Manager: system contact, system location, and system name. To modify the SNMP identification information: 1. Click the SNMP System Info link on the SNMP screen. The SNMP SysConfiguration screen will display. Figure 6-7 2.
Backing Up Settings To back up settings: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. Figure 6-8 2. Click backup to save a copy of your current settings. If your browser is not set up to save downloaded files automatically, locate where you want to save the file, specify a file name, and click Save. The backup file holds the complete configuration, including user and VPN settings, so store it with the same care as the administrator password.
2. Locate and select the previously saved backup file (by default, netgear.cfg). 3. When you have located the file, click restore. An Alert screen will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect. Reverting to Factory Default Settings To reset the VPN firewall to the original factory default settings: 1.
6. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall. The software upgrade process might take some time. At the conclusion of the upgrade, your VPN firewall will reboot.
Figure 6-9 2. From the Date/Time pull-down menu, select the local time zone. This is required in order for scheduling to work correctly. The VPN firewall includes a Real-Time Clock (RTC), which it uses for scheduling. 3. If supported in your region, check the Automatically Adjust for Daylight Saving Time radio box. 4. Select an NTP Server option by checking one of the following radio boxes: • Use Default NTP Servers.
Monitoring System Performance You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the VPN firewall, WAN ports, LAN ports, and VPN tunnels.
Figure 6-10
2. In the Log Options section, enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages. 3. In the Routing Logs section, select the network segments for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets). 4.
• LOG_NOTICE (Normal but significant conditions)
• LOG_INFO (Informational messages)
• LOG_DEBUG (Debug level messages)
10. Click Reset to cancel your changes and return to the previous settings, or click Apply to save your settings. Viewing the Logs To view the logs: 1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display. 2.
Table 6-2. Firewall Log Field Descriptions (continued)
Source IP: The IP address of the initiating device for this log entry.
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ.
Destination: The name or IP address of the destination device or website.
2. Enable the traffic meter by clicking the Yes radio button under Do you want to enable Traffic Metering on WAN1? The traffic meter will record the volume of Internet traffic passing through WAN1. Select from the following options:
• No Limit. Any specified restrictions will not be applied when the traffic limit is reached.
• Download only. The specified restrictions will be applied to the incoming traffic only.
• Both Directions.
4. In the When limit is reached section, make the following choice:
• Block All Traffic. All access to and from the Internet will be blocked. Warning: If the Block All Traffic radio button is selected, the WAN port shuts down once its traffic limit is reached.
• Block all traffic except E-mail. Only e-mail traffic will be allowed. All other traffic will be blocked.
• Send E-mail alert.
Viewing the VPN Firewall Configuration and System Status The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display (see Figure 6-13 on page 6-29). The Router Status screen displays current settings and statistics for your VPN firewall. Because this information is read-only, any changes must be made on other screens. Figure 6-14 Table 6-3.
Table 6-3. Router Status Fields (continued)
WAN1 Configuration:
• WAN Mode: Single, Dual, or Rollover.
• WAN State: UP or DOWN.
• NAT: Enabled or Disabled.
• Connection Type: Static IP, DHCP, PPPoE, or PPTP.
• Connection State: Connected or Disconnected.
• WAN IP Address: The IP address of the WAN interface.
WAN2 Configuration: Displays the same details as for the WAN1 Configuration.
To set the poll interval: 1. Click the Stop button. 2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds, the maximum is 5 minutes). 3. Click the Set Interval button. Monitoring WAN Ports Status You can monitor the status of both of the WAN connections, the dynamic DNS server connections, and the DHCP server connections. To monitor the status of the WAN ports: 1.
Monitoring Attached Devices The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. 2. Select the LAN Groups tab. The LAN Groups screen will display. Figure 6-17 The Known PCs and Devices table lists the entries in the Network Database.
The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed:
Table 6-4. Known PCs and Devices options
Name: The name of the PC or device. Sometimes this cannot be determined, and it will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
IP Address: The current IP address.
The Active IPsec SAs table lists each active connection with the following information:
Table 6-5. IPsec Connection Status Fields
Policy Name: The name of the VPN policy associated with this SA.
Endpoint: The IP address of the remote VPN endpoint.
Tx (KB): The amount of data transmitted over this SA.
Tx (Packets): The number of IP packets transmitted over this SA.
State: The current status of the SA.
Viewing the DHCP Log To display the DHCP log: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen will display. 2. Click the DHCP Log link in the upper right-hand section of the screen. The DHCP Log popup screen will display. Figure 6-20 To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
To view the most recent entries, click refresh.
Table 6-6. Port Triggering Status Data
Rule: The name of the rule.
LAN IP Address: The IP address of the PC currently using this rule.
Open Ports: The incoming ports associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
Time Remaining: The time remaining before this rule is released, and thus available for other PCs.
Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200 FVX538.
Power LED Not On If the Power and other LEDs are off when your VPN firewall is turned on: • Make sure that the power cord is properly connected to your VPN firewall and that the power supply adapter is properly connected to a functioning power outlet. • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
Troubleshooting the Web Configuration Interface If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the VPN firewall as described in the previous section. • Make sure your PC’s IP address is on the same subnet as the VPN firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.
If the VPN firewall does not save changes you have made in the Web Configuration Interface, check the following: • When entering configuration settings, be sure to click the Apply button before moving to another menu or tab, or your changes are lost. • Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
• Your ISP may check for your PC’s host name. Assign the PC Host Name of your ISP account as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-1 on page 2-3). • Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address.
3. Click OK. A message similar to the following should display: Pinging with 32 bytes of data If the path is working, you will see this message: Reply from : bytes=32 time=NN ms TTL=xxx If the path is not working, you will see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections
– Make sure the LAN port LED is on.
– If your ISP assigned a host name to your PC, enter that host name as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-1 on page 2-3). – Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs.
Problems with the date and time function can include: • Date and time shown is Thu Jan 01 00:01:52 GMT 1970. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes and check the date and time again. • Time is off by one hour.
Table 7-1. Diagnostics
Ping or Trace an IP Address: Ping. Used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below. • Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a VPN firewall that has dual WAN ports.
– For rollover mode, protocol binding does not apply.
– For load balancing mode, you need to decide which protocols you want to bind to a specific WAN port if you are going to take advantage of this option.
– You can also add your own service protocols to the list.
3. Set up your accounts a. Have active Internet services such as those provided by cable or DSL broadband accounts, and locate the Internet Service Provider (ISP) configuration information.
• There are a variety of WAN options you can choose when the factory default settings are not applicable to your installation. These include enabling a WAN port to respond to a ping and setting MTU size, port speed, and upload bandwidth. 4. Prepare to physically connect the VPN firewall to cable or DSL modems and a computer. Instructions for connecting your VPN firewall are in the Installation Guide, FVX538 ProSafe VPN Firewall 200.
• Fixed IP Address, which is also known as Static IP Address Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. • Your ISPs provide all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISPs to provide it or you can try one of the options below.
Subnet Mask: ______.______.______.______ ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address: ______.______.______.______ Secondary DNS Server IP Address: ______.______.______.______ Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home.
Virtual Private Networks (VPNs) A virtual private network (VPN) tunnel provides a secure communication channel between either two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for the other tunnel end point to establish (or re-establish) the VPN tunnel.
The Load Balancing Case for Firewalls With Dual WAN Ports Load balancing for the dual WAN port case is similar to the single WAN port case when specifying the IP address. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
In the single WAN case, the WAN’s Internet address is either a fixed IP or a fully-qualified domain name if the IP address is dynamic. Figure B-4 Inbound Traffic to Dual WAN Port Systems The IP address range of the VPN firewall’s WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
Inbound Traffic: Dual WAN Ports for Load Balancing In the dual WAN port case for load balancing, the Internet address of each WAN port is either fixed if the IP address is fixed or a fully-qualified domain name if the IP address is dynamic. Note: Load balancing is implemented for outgoing traffic and not for incoming traffic.
Table B-2. IP Addressing Requirements for VPNs in Dual WAN Port Systems
Configuration and WAN IP address | Single WAN Port (reference case) | Dual WAN Port: Rollover (a) | Dual WAN Port: Load Balancing
VPN Telecommuter (client-to-gateway through a NAT router), Fixed | Allowed (FQDN optional) | FQDN required | Allowed (FQDN optional)
VPN Telecommuter (client-to-gateway through a NAT router), Dynamic | FQDN required | FQDN required | FQDN required
a. All tunnels must be re-established after a rollover using the new WAN IP address.
Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified domain name is optional.
After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder.
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance.
The purpose of the fully-qualified domain names in this case is to toggle the domain name of the failed-over gateway firewall between the IP addresses of the active WAN port (i.e., WAN_A1 and WAN_A2 in this example) so that the other end of the tunnel has a known gateway IP address to establish or re-establish a VPN tunnel.
• Dual gateway WAN ports used for load balancing
VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. Figure B-17 The IP address of the gateway WAN port can be either fixed or dynamic.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance). After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel.
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The chosen gateway WAN port must act as the responder.
Appendix C System Logs and Error Messages This appendix uses the following log parameter terms.
Table C-1. Log Parameter Terms
[FVX538]: System identifier.
[kernel]: Message from the kernel.
CODE: Protocol code qualifying TYPE. For ICMP, TYPE=8 CODE=0 is an echo request (a ping); the reply is TYPE=0.
DST: Destination IP address of the machine to which the packet is destined.
DPT: Destination port.
IN: Incoming interface for the packet.
OUT: Outgoing interface for the packet.
PROTO: Protocol used.
Table C-2. System Logs: System Startup
Message: Jan 1 15:22:28 [FVX538] [ledTog] [SYSTEM START-UP] System Started
Explanation: Log generated when the system is started.
Recommended Action: None
Reboot This section describes log messages generated during system reboot.
Table C-3. System Logs: Reboot
Message: Nov 25 19:42:57 [FVX538] [reboot] Rebooting in 3 seconds
Explanation: Log generated when the system is rebooted from the web management interface.
Table C-4. System Logs: NTP (continued)
Explanation: Message1: DNS resolution for the NTP server (time-f.netgear.com). Message2: Request for NTP update from the time server. Message3: Adjust time by re-setting the system time. Message4: Display date and time before synchronization, that is, when resynchronization started. Message5: Display the new updated date and time. Message6: Next synchronization will be after the specified time mentioned.
IPSec Restart This logging is always done.
Table C-7. System Logs: IPSec Restart
Message: Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted
Explanation: Log generated when IPSEC is restarted. This log is logged when IPSEC restarts after applying any changes in the configuration.
Recommended Action: None
WAN Status This section describes the logs generated by the WAN component.
Auto Rollover When the WAN mode is configured for Auto Rollover, the primary link is active and the secondary acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up. The device monitors the status of the primary link using the configured WAN Failure Detection method. This section describes the logs generated when the WAN mode is set to Auto Rollover.
PPP Logs This section describes the WAN PPP connection logs. The PPP type can be configured from the web management interface. PPPoE Idle-Timeout Logs.
Table C-9. System Logs: WAN Status, PPPoE Idle-Timeout
Message:
Nov 29 13:12:46 [FVX538] [pppd] Starting connection
Nov 29 13:12:49 [FVX538] [pppd] Remote message: Success
Nov 29 13:12:49 [FVX538] [pppd] PAP authentication succeeded
Nov 29 13:12:49 [FVX538] [pppd] local IP address 50.0.0.
PPTP Idle-Timeout Logs.
Table C-10. System Logs: WAN Status, PPTP Idle-Timeout
Message:
Nov 29 11:19:02 [FVX538] [pppd] Starting connection
Nov 29 11:19:05 [FVX538] [pppd] CHAP authentication succeeded
Nov 29 11:19:05 [FVX538] [pppd] local IP address 192.168.200.214
Nov 29 11:19:05 [FVX538] [pppd] remote IP address 192.168.200.1
Nov 29 11:19:05 [FVX538] [pppd] primary DNS address 202.153.32.2
Nov 29 11:19:05 [FVX538] [pppd] secondary DNS address 202.153.32.
Table C-12. System Logs: Web Filtering and Content Filtering
Message: Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Explanation:
• This packet is blocked by keyword blocking.
• The URL blocked due to keyword blocking is shown by [URL], along with the source and destination IP addresses, protocol, source port and destination port.
Traffic Metering Logs
Table C-13. System Logs: Traffic Metering
Message: Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._
Explanation: The traffic limit for WAN1, set to 10 MB, has been reached. This stops all incoming and outgoing traffic if “When Limit is reached” on the Traffic Meter web page is configured to block traffic.
Recommended Action: To restart the traffic, restart the Traffic Limit Counter.
Multicast/Broadcast Logs
Table C-16. System Logs: Multicast/Broadcast
Message: Jan 1 07:24:13 [FVX538] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
Explanation:
• This packet (broadcast) is destined to the device from the WAN network.
• For other parameters, refer to Table C-1.
Recommended Action: None
FTP Logging Table C-17.
Table C-18. System Logs: Invalid Packets (continued)
Message: 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][RST_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Invalid RST packet
Recommended Action: 1. Invalid packets are dropped. 2.
Table C-18. System Logs: Invalid Packets (continued)
Explanation: Bad hardware checksum for ICMP packets
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
Message:
[INVALID][MALFORMED_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.
Table C-18. System Logs: Invalid Packets (continued)
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
Message:
2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.
LAN to WAN Logs
Table C-19. Routing Logs: LAN to WAN
Message:
Nov 29 09:19:43 [FVX538] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from LAN to WAN has been allowed by the firewall.
• For other parameters, refer to Table C-1.
Recommended Action: None
LAN to DMZ Logs
Table C-20.
DMZ to LAN Logs
Table C-23. Routing Logs: DMZ to WAN
Message:
Nov 29 09:44:06 [FVX538] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from DMZ to LAN has been dropped by the firewall.
• For other parameters, refer to Table C-1.
Recommended Action: None
WAN to DMZ Logs
Table C-24.
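A parser for the message formats listed in Tables C-12 to C-23 above, added here as an example (it is not NETGEAR's code; the sample lines are constructed from the manual's own examples, and the drops_by_source tally is an assumed starting point for noticing a host that repeatedly trips the firewall):

```python
import re
from collections import Counter

# Constructed sample lines modelled on Tables C-12 to C-23 (addresses/ports are the manual's examples).
SAMPLE_LOG = """\
Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1.
Jan 1 07:24:13 [FVX538] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][RST_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Nov 29 09:19:43 [FVX538] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:44:06 [FVX538] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")        # IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=, TYPE=, CODE=
TAG_RE = re.compile(r"\[([A-Z_]+)\]")           # [KEYWORD_BLOCKED], [INVALID][RST_PACKET][DROP], ...
ROUTE_RE = re.compile(r"\b(LAN2WAN|WAN2LAN|LAN2DMZ|DMZ2LAN|DMZ2WAN|WAN2DMZ)\[(ACCEPT|DROP)\]")
URL_RE = re.compile(r"\[URL\]==>\[\s*(\S+)\s*\]")

def parse_line(line):
    """Classify one FVX538 syslog line and collect its key=value fields."""
    tags = [t for t in TAG_RE.findall(line) if t != "URL"]
    rec = {"category": "UNKNOWN", "action": None, "fields": dict(KV_RE.findall(line))}
    route = ROUTE_RE.search(line)
    if route:                                   # routing logs (Tables C-19 to C-24)
        rec["category"], rec["action"] = route.group(1), route.group(2)
    elif "INVALID" in tags:                     # Table C-18: [INVALID][<reason>][DROP]
        rec["category"] = "INVALID"
        rec["reason"] = tags[1] if len(tags) > 1 else None
        rec["action"] = "DROP" if "DROP" in tags else None
    elif "KEYWORD_BLOCKED" in tags:             # Table C-12: the blocked URL follows [URL]==>
        rec["category"], rec["action"] = "KEYWORD_BLOCKED", "BLOCK"
        url = URL_RE.search(line)
        rec["url"] = url.group(1) if url else None
    elif "TRAFFIC_METER" in tags:               # Table C-13: monthly limit reached on a WAN port
        rec["category"] = "TRAFFIC_METER"
        wan = re.search(r"for (WAN\d)", line)
        rec["wan"] = wan.group(1) if wan else None
    elif "MCAST-BCAST" in line:                 # Table C-16: broadcast addressed to the device
        rec["category"] = "MCAST-BCAST"
    return rec

def drops_by_source(log_text):
    """Count dropped or blocked events per SRC address, a simple noisy-host indicator."""
    counts = Counter()
    for rec in (parse_line(ln) for ln in log_text.splitlines() if ln.strip()):
        if rec["action"] in ("DROP", "BLOCK") and "SRC" in rec["fields"]:
            counts[rec["fields"]["SRC"]] += 1
    return counts

if __name__ == "__main__":
    print(dict(drops_by_source(SAMPLE_LOG)))
```

Point the same loop at the syslog server configured under "SysLog Server IP Address" to run it over live FVX538 output rather than the constructed sample.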
Appendix D
Two-Factor Authentication
This appendix provides an overview of Two-Factor Authentication and an example of how to implement the WiKID solution. This appendix contains the following sections:
• “Why do I need Two-Factor Authentication?” on this page.
• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
The request-response architecture is capable of self-service initialization by end users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works.
1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses “continue” to receive the OTP from the WiKID authentication server:
Figure D-1
2.
Note: The one-time passcode is time-synchronized with the authentication server, so the OTP can be used only once and must be used before its expiration time. If a user does not use the passcode before it expires, the user must go through the request process again to generate a new OTP.
3. The user then proceeds to the Two-Factor Authentication login page and enters the generated one-time passcode as the login password.
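The issue-then-burn logic behind the note above, as an added illustration of the three steps (PIN request, OTP issue, OTP login); this is not WiKID's code or protocol, and the OtpServer class, the 60-second lifetime and the 8-digit format are assumptions:

```python
import secrets
import time

OTP_LIFETIME_S = 60   # assumed lifetime; on a real deployment the server's expiry setting governs

class OtpServer:
    """Simplified model of the request-response flow: PIN -> OTP, then OTP -> login."""

    def __init__(self, pins, now=time.time):
        self._pins = dict(pins)     # user -> PIN, the "something they know" factor
        self._issued = {}           # user -> [otp, expires_at, used]
        self._now = now             # injectable clock so expiry can be tested

    def request_otp(self, user, pin):
        """Steps 1-2: the token software sends the PIN; a fresh OTP comes back, or None."""
        expected = self._pins.get(user)
        if expected is None or not secrets.compare_digest(expected, pin):
            return None
        otp = "".join(secrets.choice("0123456789") for _ in range(8))
        self._issued[user] = [otp, self._now() + OTP_LIFETIME_S, False]
        return otp

    def login(self, user, otp):
        """Step 3: the OTP is the login password; it is single-use and time-bounded."""
        entry = self._issued.get(user)
        if entry is None:
            return "no-otp-issued"
        issued_otp, expires_at, used = entry
        if used:
            return "replayed"              # same OTP presented twice: refuse
        if self._now() > expires_at:
            del self._issued[user]         # expired: the user must request a new one
            return "expired"
        if not secrets.compare_digest(issued_otp, otp):
            return "wrong-otp"
        entry[2] = True                    # burn it so it cannot be reused
        return "ok"
```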
Appendix E
Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
Document                    Link
TCP/IP Networking Basics    http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Networking Basics  http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing Your Network      http://documentation.netgear.com/reference/enu/wsdhcp/index.
Index Numerics VPN Policy 5-19 Auto Detect 2-3 3322.
Cat5 cable B-3 certificate generate new CSR 5-22 Certificate Authority. See CA. Certificate Revocation List. See CRL.
Load Balancing, configuration of 2-11 firewall security 3-12 DMZ Port increasing traffic 6-7 Dynamic DNS configuration of 2-14 DMZ port 1-3 setting up 3-12 Dynamic DNS Configuration screen 2-14 DMZ Setup screen 3-12 DynDNS.org 2-14 DMZ WAN Inbound Rule example of 4-17 DMZ WAN Rule example of 4-16 DMZ WAN Rules about 4-12 modifying 4-12, 4-13 DMZ WAN Rules screen 4-12 DNS definition of 2-7 server IP address 3-4, 3-13 DNS addresses 2-7 Dynamic DNS.
connecting to the Internet 2-1, B-3 features 1-1, 1-2, 1-4 front panel 1-6 rear panel 1-6 technical specifications A-1 viewing activity 6-34 Firewall Log Field Description 6-26 Firewall Logs emailing of 4-40, 6-23 setting up 6-23 viewing 6-26 Firewall Logs & E-mail screen 4-40, 6-23 Firewall Protection Content Filtering, about 4-1 firewall protection 4-1 firmware downloading 6-20 upgrade 6-20 Fixed IP 2-4 FQDN 2-14, 5-2 fragmented IP packets 6-5 fully qualifi
DHCP address pool 3-1 how to assign 3-1 multi home LAN 3-6 reserved 3-9 router default 3-3 IP Subnet Mask router default 3-4 IP/MAC Binding screen 4-35 add 4-11 LAN WAN Outbound Rule example of 4-19 LAN WAN Outbound Rules about 4-10 LAN WAN Rule example of 4-16 IPSec Connection Status screen 6-34 LAN WAN Rules default outbound 4-9 IPSec Host 5-26, 5-29 LAN WAN Rules screen 4-9 IPsec Host XAUTH, with ModeConfig 5-37 LDAP overview 3-5, 3-13 ISP connecti
testing Client 5-41 monitoring devices 6-33 by DHCP Client Requests 3-6, 6-33 by Scanning the Network 3-6, 6-33 O one-time passcode. See OTP. Oray.
port numbers 4-24 rack mounting hardware 1-8 Port Speed 2-17 RADIUS description 6-11 WiKID 6-11 Port Triggering about 4-37 adding a rule 4-38 increasing traffic 6-6 modifying a rule 4-39 rules of use 4-37 RADIUS Server about 5-30 configuring 5-30 Edge Device 5-26 port triggering 6-6 status 6-36 RADIUS-CHAP 5-26, 5-29 AUTH, using with 5-27 Port Triggering screen 4-38, 6-36 RADIUS-PAP 5-26, 5-29 XAUTH, using with 5-27 ports explanation of WAN and LAN
router administration tips on 4-40 Services screen 4-25 router broadcast RIP, use with 3-17 Session Limit screen 4-22 Session Initiation Protocol. See SIP. Router Status 2-8 Setting Up One-to-One NAT Mapping example of 4-16 Router Status screen 6-30 Settings Backup & Upgrade screen 6-18 Router Upgrade about 6-20 Settings Backup and Firmware Upgrade 6-19 Router’s MAC Address 2-17 Simple Network Management Protocol. See SNMP.
stealth mode 4-21, 6-5 SYN flood 4-21, 6-5 SysLog Server IP Address 6-25 two-factor authentication WiKID 6-11 Two-Factor Authentication. See WiKID. TZO.com 2-14 System log messages C-1 U T TCP flood special rule 6-5 TCP/IP network, troubleshooting 7-5 Test Period 2-10 Time setting 6-21 time daylight savings, troubleshooting 7-8 troubleshooting 7-7 Time Zone setting of 6-21 Time Zone screen 6-21 ToS. See QoS.
VPN Policy Auto 5-18 Auto generated 5-16 Manual 5-18 VPN Tunnel addresses Dual WAN Port systems 5-2 VPN Tunnel Connection monitoring status 6-34 VPN Tunnels increasing traffic 6-7 VPN tunnels load balancing mode 5-2 rollover mode 5-2 WAN1 ISP Settings manual setup 2-5 WAN1 ISP Settings screen 2-3 WAN1 Protocol Bindings 2-11 WAN1 Protocol Bindings screen 2-12 WAN2 ISP settings 2-5 WAN2 ISP Settings manual setup 2-7 WAN2 Protocol Bindings 2-12 WAN2 Protocol Bi