ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
June 2008
202-10257-02 v1.
© 2008 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
OpenSSL
Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
PPP
Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
Contents

About This Manual
Conventions, Formats, and Scope ........ xiii
How to Use This Manual ........ xiv
How to Print this Manual ........ xiv
Revision History ........
Network Address Translation ........ 2-12
Classical Routing ........ 2-12
Configuring Auto-Rollover Mode ........ 2-13
Configuring Load Balancing ........
Configuring Source MAC Filtering ........ 4-24
Configuring IP/MAC Address Binding Alerts ........ 4-26
Configuring Port Triggering ........ 4-27
Setting a Schedule to Block or Allow Specific Traffic ........
Chapter 6 Virtual Private Networking Using SSL Connections
Understanding the Portal Options ........ 6-1
Planning for SSL VPN ........ 6-2
Creating the Portal Layout ........
Features That Reduce Traffic ........ 8-2
Features That Increase Traffic ........ 8-5
Using QoS to Shift the Traffic Mix ........ 8-8
Tools for Traffic Management ........
Restoring the Default Configuration and Password ........ 10-7
Problems with Date and Time ........ 10-7
Using the Diagnostics Utilities ........
About This Manual

The NETGEAR® ProSafe™ Dual WAN Gigabit Firewall with SSL & IPsec VPN Reference Manual describes how to install, configure, and troubleshoot a ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. The information in this manual is intended for readers with intermediate computer and networking skills.

Conventions, Formats, and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs:
• Typographical Conventions.
Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death.
• Scope.
• Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com.
– Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page.
  • Click the PDF of This Chapter link at the top left of any page in the chapter you want to print.
Chapter 1 Introduction

The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems or DSL modems. Dual wide area network (WAN) ports allow you to increase throughput to the Internet by using both ports together, or to maintain a backup connection in case of failure of your primary Internet connection.
• Easy, web-based setup for installation and management.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.

Dual WAN Ports for Increased Reliability or Outbound Load Balancing

The FVS336G has two broadband WAN ports.
– Browser based, platform-independent, remote access through a number of popular browsers, such as Microsoft Internet Explorer or Apple Safari.
– Provides granular access to corporate resources based upon user type or group membership.
– Supports 10 concurrent SSL VPN sessions.
Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to “Internet Configuration Requirements” on page C-4.
• IP Address Sharing by NAT.
• VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC), ensuring that the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
• SNMP.
• ProSafe VPN Client Software – one user license.
• Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.
Table 1-1. LED Descriptions (continued)

Object                         Activity          Description
LINK/ACT (Link and Activity)   On (Green)        The WAN port has detected a link with a connected Ethernet device.
                               Blinking (Green)  Data is being transmitted or received by the WAN port.
                               Off               The WAN port has no link.
SPEED                          On (Green)        The LAN port is operating at 1,000 Mbps.
                               On (Amber)        The LAN port is operating at 100 Mbps.
                               Off
3. WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
4. Cable security lock receptacle.
5. AC power receptacle. Universal AC input (100-240 VAC, 50-60 Hz).
6. On/off power switch.
JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is only required for the SSL VPN portal, not the Web Management Interface.
Chapter 2 Connecting the FVS336G to the Internet

The initial Internet configuration of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN is described in this chapter.
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on page 2-17.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed.
5. Click Login. The Web Configuration Manager appears, displaying the Router Status menu: Figure 2-2
Navigating the Menus

The Web Configuration Manager menus are organized in a layered structure of main categories and submenus:
• Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar.
• Submenu.
1. Select Network Configuration > WAN Settings from the menu. The WAN Settings tabs appear, with the WAN1 ISP Settings tab in view. Figure 2-3
2. Click Auto Detect at the bottom of the menu. Auto Detect will probe the WAN port for a range of connection methods and suggest one that your ISP appears to support.
a. If Auto Detect is successful, a status bar at the top of the menu will display the results.
b. If Auto Detect senses a connection method that requires input from you, it will prompt you for the information. All methods with their required settings are detailed in the following table.

Table 2-1. Internet connection methods

Connection Method   Data Required
DHCP (Dynamic IP)   No data is required.
PPPoE               Login (Username, Password); Account Name, Domain Name (sometimes required).
A popup window appears, displaying the connection status of WAN port 1. Figure 2-5
The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to “Manually Configuring the Internet Connection” following this section, or see “Troubleshooting the ISP Connection” on page 10-4.
Manually Configuring the Internet Connection

Unless your ISP assigns your configuration automatically via DHCP, you will need to obtain configuration parameters from your ISP in order to manually establish an Internet connection. The necessary parameters for various connection types are listed in Table 2-1. To manually configure your WAN1 ISP Settings:
1.
a. Select Other (PPPoE). Figure 2-8
b. Configure the following fields:
• Account Name. Valid account name for the PPPoE connection.
• Domain Name. Name of your ISP’s domain or your domain name if your ISP has assigned one. In most cases, you may leave this field blank.
• Idle Timeout. Select Keep Connected to keep the connection always on.
a. Select BigPond Cable.
b. Configure the Login Server and Idle Timeout fields. The Login Server is the IP address of the local BigPond Login Server in your area.
8. Review the Internet (IP) Address options. Figure 2-9
These options are inactive if BigPond Cable is selected.
9. If your ISP has assigned a fixed (static) IP address, select Use Static IP Address, and configure the following fields:
• IP Address.
11. Review the Domain Name Server (DNS) Servers options. Figure 2-10
• If your ISP has not assigned any Domain Name Server (DNS) addresses, click Get dynamically from ISP.
• If your ISP (or your IT department) has assigned DNS addresses, click Use these DNS Servers and enter the DNS server IP addresses provided to you in the fields.
12. Click Apply to save any changes to the WAN1 ISP Settings.
If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
• Load Balancing Mode. The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional.
To learn the status of the WAN ports, you can view the Router Status page (see “Monitoring VPN Tunnel Connection Status” on page 9-14) or look at the LEDs on the front panel (see “Front Panel Features” on page 1-6).

Configuring Auto-Rollover Mode

To use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured.
Figure 2-11
2. In the Port Mode section, select Auto-Rollover Using WAN port.
3. From the pull-down menu, choose which WAN port will act as the primary link for this mode.
4. In the WAN Failure Detection Method section, select one of the following failure detection methods:
• DNS lookup using ISP DNS Servers.
6. Enter the Failover after count. The WAN interface is considered down after the configured number of queries have failed to elicit a reply. The rollover link is brought up after this. The Failover default is 4 failures. The default time to roll over after the primary WAN interface fails is 2 minutes (a 30-second minimum test period for a minimum of 4 tests).
7. Click Apply to save your settings.
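The failure detection and rollover timing described in steps 4 to 7 can be modelled directly. The following is an added example, not NETGEAR code or firmware; it assumes that probes of the primary link are spaced by the retry interval (30-second minimum), that the failure counter resets on any successful reply, and that rollover happens once the configured number of consecutive probes have failed. The names `RolloverConfig`, `RolloverState` and `run_detection` are constructed for this illustration.

```python
# Added example (not NETGEAR code): models FVS336G auto-rollover failure
# detection. Assumptions: probes every `retry_interval` seconds (30 s minimum),
# the counter resets on a successful reply, and rollover fires after
# `failover_after` consecutive failed probes (manual default: 4, i.e. 2 minutes).
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


@dataclass
class RolloverConfig:
    primary: str = "WAN1"
    backup: str = "WAN2"
    retry_interval: int = 30   # seconds between probes; the manual's minimum test period
    failover_after: int = 4    # the manual's default "Failover after" count

    def __post_init__(self) -> None:
        if self.retry_interval < 30:
            raise ValueError("retry interval below the 30-second minimum")
        if self.failover_after < 1:
            raise ValueError("failover count must be at least 1")

    def time_to_rollover(self) -> int:
        """Seconds from the first failed probe until rollover (120 with defaults)."""
        return self.retry_interval * self.failover_after


@dataclass
class RolloverState:
    active: str
    consecutive_failures: int = 0
    events: List[str] = field(default_factory=list)


def run_detection(cfg: RolloverConfig,
                  probe_results: Sequence[bool]) -> Tuple[RolloverState, int]:
    """Replay probe outcomes for the primary link (True = DNS/ping reply received).

    Returns the final state and the total elapsed seconds. Probing of the
    primary continues after rollover so a recovered primary is still visible
    in the event log.
    """
    state = RolloverState(active=cfg.primary)
    elapsed = 0
    for ok in probe_results:
        elapsed += cfg.retry_interval
        if ok:
            if state.consecutive_failures:
                state.events.append(f"t={elapsed}s {cfg.primary} replied, counter reset")
            state.consecutive_failures = 0
            continue
        state.consecutive_failures += 1
        state.events.append(
            f"t={elapsed}s {cfg.primary} probe failed "
            f"({state.consecutive_failures}/{cfg.failover_after})")
        if state.active == cfg.primary and state.consecutive_failures >= cfg.failover_after:
            state.active = cfg.backup
            state.events.append(f"t={elapsed}s rollover {cfg.primary} -> {cfg.backup}")
    return state, elapsed


if __name__ == "__main__":
    cfg = RolloverConfig()
    # Constructed probe trace: three failures, one reply, then four failures.
    state, _ = run_detection(cfg, [False, False, False, True, False, False, False, False])
    print("\n".join(state.events))
    print("active link:", state.active)
```

The constructed trace shows why a flapping link can take longer than the nominal 2 minutes to roll over: a single reply restarts the count.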
3. Click view protocol bindings (if required). The WAN1 Protocol Bindings screen is displayed. Figure 2-12
Enter the following data in the Add Protocol Binding options:
a. Service. From the pull-down menu, choose the desired Service or application to be covered by this rule.
• Address range. If this option is selected, you must enter the start and finish fields.
4. Click Add to save this rule. The new Protocol Binding Rule will be enabled and added to the Protocol Binding Table for the WAN1 port.
5. Open the WAN2 Protocol Bindings tab and repeat the previous steps to set protocol bindings for the WAN2 port.
To configure Dynamic DNS:
1. Select Network Configuration > Dynamic DNS from the main menu and click the Dynamic DNS Configuration tab. The Dynamic DNS Configuration screen is displayed. Figure 2-13
The Current WAN Mode section reports the currently configured WAN mode (for example, Single Port WAN1, Load Balancing, or Auto Rollover). Only those options that match the configured WAN Mode will be accessible.
2.
3. Click the information or registration link in the upper right corner for registration information. Figure 2-14
4. Access the Web site of the DDNS service provider and register for an account (for example, for dyndns.org, go to http://www.dyndns.org).
5. For each WAN port, click the Yes radio button for Change DNS to and configure the active fields:
a.
2. Click the Advanced link to the right of the tabs. The WAN1 Advanced Options tab is displayed (along with the WAN2 Advanced Options tab). Figure 2-15
3. Edit the default information you want to change.
a. MTU Size. The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs, you may need to reduce the MTU.
The format for the MAC address is 01:23:45:67:89:AB (numbers 0-9 and either uppercase or lowercase letters A-F). If you select Use This MAC Address and then type in a MAC address, your entry will be overwritten.
4. Click Apply to save your changes.
Chapter 3 LAN Configuration

This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
The VPN firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined.
• Subnet Mask.
• Gateway IP Address (the VPN firewall’s LAN IP address).
• Primary DNS Server (the VPN firewall’s LAN IP address or a user-specified DNS server IP address in the LAN Setup menu).
Figure 3-1
2. In the LAN TCP/IP Setup section, configure the following settings:
• IP Address. The LAN address of your VPN firewall (factory default: 192.168.1.1).
Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.
3. In the DHCP section, select Enable or Disable DHCP Server. By default, the VPN firewall will function as a DHCP server, providing TCP/IP configuration settings for all computers connected to the VPN firewall's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, click Disable DHCP Server. If the DHCP server is enabled, enter the following parameters:
• Domain Name.
Managing Groups and Hosts (LAN Groups)

The Known PCs and Devices table in the LAN Groups menu contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall, or have been discovered by other means. Collectively, these entries make up the LAN Groups Database. The LAN Groups Database is updated by these methods:
• DHCP Client Requests.
• A computer is identified by its MAC address, not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC.

Viewing the LAN Groups Database

To view the LAN Groups Database, follow these steps:
1. Select Network Configuration > LAN Settings from the main menu. The LAN Setup tab is displayed.
2. Click the LAN Groups tab. The LAN Groups tab is displayed.
• Action. Allows modification of the selected entry by clicking Edit.

Adding Devices to the LAN Groups Database

To add devices manually to the LAN Groups Database, follow these steps:
1. In the Add Known PCs and Devices section, make the following entries:
• Name. Enter the name of the PC or device.
• IP Address Type. From the pull-down menu, choose how this device receives its IP address.
1. From the LAN Groups tab, click the Edit Group Names link to the right of the tabs. The Network Database Group Names tab appears. Figure 3-3
2. Select the radio button next to any group name to make that name active for editing.
3. Type a new name in the field.
4. Select and edit other group names if desired.
5. Click Apply to save your settings.
Configuring Multi Home LAN IP Addresses

If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the VPN firewall. This allows the VPN firewall to act as a gateway to additional logical subnets on your LAN.
Tip: The secondary LAN IP address will be assigned to the LAN interface of the VPN firewall and can be used as a gateway by computers on the secondary subnet.

Configuring Static Routes

Static Routes provide additional routing information to your VPN firewall.
2. Click Add. The Add Static Route tab is displayed. Figure 3-6
3. Enter a route name for this static route in the Route Name field (for identification and management).
4. Select Active to make this route effective.
5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP.
6. Enter the Destination IP Address of the host or network to which the route leads.
7.
Configuring Routing Information Protocol (RIP)

RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default. To configure RIP parameters:
1.
• Both. The VPN firewall broadcasts its routing table and also processes RIP information received from other routers.
• Out Only. The VPN firewall broadcasts its routing table periodically but does not accept RIP information from other routers.
• In Only. The VPN firewall accepts RIP information from other routers, but does not broadcast its routing table.
4.
Chapter 4 Firewall Protection and Content Filtering

This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.
A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions.
About Services-Based Rules

The rules to block traffic are based on the traffic’s category of service.
• Outbound Rules (service blocking). Outbound traffic is normally allowed unless the firewall is configured to disallow it.
• Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side.
Table 4-1. Outbound Rules (continued)

Item                      Description
Action (Select Schedule)  Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule.
                          • This drop-down menu is activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as the Action.
Note: See “Configuring Source MAC Filtering” on page 4-24 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall.

Inbound Rules (Port Forwarding)

When the FVS336G uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers.
Table 4-2. Inbound Rules

Item     Description
Service  Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-15).
Table 4-2. Inbound Rules (continued)

Item               Description
Log                Specifies whether packets covered by this rule are logged. Select the desired action:
                   • Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
                   • Never – Never log traffic considered by this rule, whether it matches or not.
Bandwidth Profile  Specifies the name of a bandwidth limiting profile.
Figure 4-1

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom, before applying the default rule.
To change the Default Outbound Policy, follow these steps:
1. Click the LAN WAN Rules tab, shown in Figure 4-1.
2. Change the Default Outbound Policy by choosing Block Always from the drop-down menu.
3. Click Apply.
1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service screen is displayed. Figure 4-2
2. Configure the parameters based on the descriptions in Table 4-1 on page 4-3.
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
Figure 4-3
2. Configure the parameters based on the descriptions in Table 4-2 on page 4-6.
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Inbound Services table.

Modifying Rules

To make changes to an existing outbound or inbound service rule:
1.
2. Check the box adjacent to the rule, then do any of the following:
• Click Enable to enable the rule. The “!” Status icon will turn green.
• Click Disable to disable the rule. A rule can be disabled if not in use and enabled as needed. Disabling a rule does not delete the configuration, but merely de-activates the rule. The status circle will change from green to grey, indicating that the rule is disabled.
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-5, CU-SeeMe connections are allowed to a local host only from a specified range of external IP addresses.
In the example shown in Figure 4-6, we have configured multi-NAT to support multiple public IP addresses on one WAN interface. The inbound rule instructs the VPN firewall to host an additional public IP address (10.1.0.5) and to associate this address with the Web server on the LAN (at 192.168.1.2). We also instruct the VPN firewall to translate the incoming HTTP port number (port 80) to a different port number (port 8080).
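The two behaviours described above, first-match evaluation of the rules table before the default policy (“Order of Precedence for Rules”) and the Figure 4-6 multi-NAT rule that maps public 10.1.0.5 port 80 to the LAN web server 192.168.1.2 port 8080, are modelled together in the following added example. It is not FVS336G firmware; the rule and packet classes, the external address ranges, and the branch-office block rule are constructed for illustration, and it generalises the page's single inbound example to an arbitrary ordered table.

```python
# Added example (not FVS336G firmware): first-match evaluation of a LAN WAN
# rules table, then the default policy, with the multi-NAT inbound rule from
# Figure 4-6 (public 10.1.0.5:80 -> LAN 192.168.1.2:8080). Source ranges and
# the branch-office block rule are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Rule:
    name: str
    action: str                           # "ALLOW" or "BLOCK"
    proto: str = "ANY"
    dport: Optional[int] = None           # None = any port (as in an exposed-host rule)
    src_net: str = "0.0.0.0/0"            # WAN users covered by the rule
    dst_addr: Optional[str] = None        # public address the rule answers for
    enabled: bool = True                  # a disabled rule is skipped, not deleted
    translate_to: Optional[str] = None    # multi-NAT: LAN host that receives the traffic
    translate_port: Optional[int] = None  # multi-NAT: translated destination port

    def matches(self, pkt: Packet) -> bool:
        if not self.enabled:
            return False
        if self.proto != "ANY" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.dst_addr is not None and self.dst_addr != pkt.dst:
            return False
        return ip_address(pkt.src) in ip_network(self.src_net)


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str                             # deciding rule name, or "default"
    forward_to: Optional[str] = None
    forward_port: Optional[int] = None


def evaluate(rules: List[Rule], default_policy: str, pkt: Packet) -> Decision:
    """Walk the table top to bottom; the first matching rule decides,
    otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "ALLOW" and rule.translate_to:
                return Decision("ALLOW", rule.name, rule.translate_to,
                                rule.translate_port or pkt.dport)
            return Decision(rule.action, rule.name)
    return Decision(default_policy, "default")


# Figure 4-6 multi-NAT rule: host public 10.1.0.5 and hand HTTP to the LAN
# web server, translating port 80 to 8080.
WEB_MULTINAT = Rule("web-multinat", "ALLOW", proto="TCP", dport=80,
                    dst_addr="10.1.0.5", translate_to="192.168.1.2",
                    translate_port=8080)
# Constructed rule: refuse HTTP from one external range (203.0.113.0/24).
BLOCK_BRANCH = Rule("block-branch-http", "BLOCK", proto="TCP", dport=80,
                    src_net="203.0.113.0/24")
INBOUND_RULES = [WEB_MULTINAT]
DEFAULT_INBOUND = "BLOCK"   # inbound traffic is blocked unless a rule allows it


if __name__ == "__main__":
    branch = Packet("203.0.113.9", "10.1.0.5", "TCP", 80)
    # Same two rules in different order give different outcomes: order matters.
    print(evaluate([BLOCK_BRANCH] + INBOUND_RULES, DEFAULT_INBOUND, branch))
    print(evaluate(INBOUND_RULES + [BLOCK_BRANCH], DEFAULT_INBOUND, branch))
```

Because a new rule is always appended at the bottom, a block rule added after an existing allow never gets a chance to match that allow's traffic; the rule has to be moved above it to take effect.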
To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear.

LAN WAN Inbound Rule: Specifying an Exposed Host

Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN as this host:
1. Create an inbound rule that allows all protocols.
2.
Although the FVS336G already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 4-7. To define a new service, you must first determine which port number or range of numbers is used by the application.
1. In the Custom Services Table, click the Edit button adjacent to the service you want to edit. The Edit Service screen is displayed.
2. Modify the parameters you wish to change.
3. Click Apply to confirm your changes. The modified service is displayed in the Custom Services Table.
• Normal-Service. No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
• Minimize-Cost. Used when the data must be transferred over a link that has a low transmission cost. The IP packets for this service priority are marked with a ToS value of 1.
• Maximize-Reliability.
Figure 4-9
3. Check the boxes for the Attack Checks you wish to monitor. The various types of attack checks are listed and defined below.
4. Click Apply to save your settings.
The various types of attack checks listed on the Attack Checks screen are:
• WAN Security Checks
– Respond To Ping On Internet Ports. By default, the VPN firewall does not respond to an ICMP Echo (ping) packet coming from the Internet or WAN side.
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual – Block UDP flood—A UDP flood is a form of denial of service attack in which the attacking machine sends a large number of UDP packets to random ports to the victim host. As a result, the victim host will check for the application listening at that port, see that no application is listening at that port, and reply with an ICMP Destination Unreachable packet.
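The flood pattern described above (one source spraying UDP packets across many ports of one host, which then answers with ICMP Destination Unreachable) is what a detector has to distinguish from a merely busy client. The following is an added example, not the FVS336G's own check; the traffic, hosts and thresholds are constructed.

```python
"""Toy UDP-flood detector: per (src, dst) sliding window that alerts when
both the packet count and the number of distinct destination ports in the
window exceed thresholds. Constructed example; thresholds are illustrative."""
import random
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float    # arrival time in seconds
    src: str
    dst: str
    proto: str   # "udp", "tcp" or "icmp"
    dport: int   # destination port (0 for ICMP)


class UdpFloodDetector:
    def __init__(self, window: float = 1.0, min_packets: int = 50, min_ports: int = 20):
        self.window = window
        self.min_packets = min_packets
        self.min_ports = min_ports
        self._recent: Dict[Tuple[str, str], Deque[Packet]] = defaultdict(deque)
        self.flagged: Set[Tuple[str, str]] = set()
        self.alerts: List[str] = []

    def observe(self, pkt: Packet) -> bool:
        """Feed one packet; return True while the (src, dst) pair is in flood state."""
        if pkt.proto != "udp":
            return False
        key = (pkt.src, pkt.dst)
        q = self._recent[key]
        q.append(pkt)
        while q and pkt.ts - q[0].ts > self.window:   # expire packets outside the window
            q.popleft()
        if len(q) < self.min_packets:
            return False
        ports = {p.dport for p in q}
        if len(ports) < self.min_ports:
            return False   # many packets to one port (a busy DNS client) is not a flood
        if key not in self.flagged:             # alert once per offending pair
            self.flagged.add(key)
            self.alerts.append(f"UDP flood {pkt.src} -> {pkt.dst}: {len(q)} packets "
                               f"to {len(ports)} ports within {self.window}s")
        return True


def scan(packets: Iterable[Packet], **thresholds) -> List[str]:
    """Run the detector over a capture (any order) and return the alerts."""
    det = UdpFloodDetector(**thresholds)
    for p in sorted(packets, key=lambda p: p.ts):
        det.observe(p)
    return det.alerts


def sample_traffic() -> List[Packet]:
    """Constructed capture: a busy but legitimate DNS client, then a flood from one WAN host."""
    rng = random.Random(7)
    pkts = [Packet(i * 0.0125, "10.1.0.20", "10.1.0.2", "udp", 53) for i in range(80)]
    pkts += [Packet(5.0 + i * 0.0025, "203.0.113.9", "10.1.0.5", "udp", rng.randint(1024, 65535))
             for i in range(200)]
    # The victim answers each closed port with ICMP Destination Unreachable; these
    # replies are the side effect the manual describes, not what the detector counts.
    pkts += [Packet(5.01 + i * 0.0025, "10.1.0.5", "203.0.113.9", "icmp", 0) for i in range(200)]
    return pkts
```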
• Web Components blocking. You can filter the following Web Component types: Proxy, Java, ActiveX, and Cookies. For example, by enabling Java filtering, “Java” files will be blocked. Certain commonly used web components can be blocked for increased security. Some of these components can be used by malicious websites to infect computers that access them. – Proxy.
Keyword application examples: • If the keyword “XXX” is specified, the URL is blocked, as is the newsgroup alt.pictures.XXX. • If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed. • To block all Internet browsing access, enter the keyword “.”. To enable Content Filtering: 1. Select Security > Block Sites from the main menu.
Figure 4-10 2. Select Yes to enable Content Filtering. 3. Click Apply to activate the menu controls.
4. Select any Web Components you wish to block and click Apply. 5. Select the groups to which Keyword Blocking will apply, then click Enable to activate Keyword Blocking (or Disable to deactivate Keyword Blocking). 6. Enter your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After each entry, click Add. The Keyword or Domain name will be added to the Blocked Keywords table.
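The three keyword examples above (“XXX”, “.com” and “.”) all follow from one rule: a request is blocked when a configured keyword appears anywhere in the URL. The following is an added illustration, not the FVS336G's own filter; it assumes case-insensitive substring matching (the page does not say) and that blocking applies only to the LAN groups for which it was enabled, with constructed group names and URLs.

```python
"""Keyword/domain blocking as a substring filter over the URL's host, path
and query, scoped to the groups it is enabled for. Constructed example."""
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit


class KeywordBlocker:
    def __init__(self, keywords: Iterable[str], enabled_groups: Iterable[str]):
        # Keywords are compared lower-cased (assumption); empty entries are ignored.
        self.keywords: List[str] = [k.lower() for k in keywords if k]
        self.enabled_groups: Set[str] = set(enabled_groups)

    @staticmethod
    def _haystack(url: str) -> str:
        """Host + path + query of the request, lower-cased; scheme-less input is allowed."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        text = parts.netloc + parts.path
        if parts.query:
            text += "?" + parts.query
        return text.lower()

    def match(self, url: str) -> Optional[str]:
        """Return the first configured keyword contained in the URL, or None."""
        hay = self._haystack(url)
        for k in self.keywords:
            if k in hay:
                return k
        return None

    def decide(self, group: str, url: str) -> Tuple[str, Optional[str]]:
        """("BLOCK", keyword) or ("ALLOW", None) for a request from a LAN group."""
        if group not in self.enabled_groups:
            return "ALLOW", None
        k = self.match(url)
        return ("BLOCK", k) if k is not None else ("ALLOW", None)


def demo() -> dict:
    """The manual's three keyword examples, applied to constructed requests."""
    xxx = KeywordBlocker(["XXX"], ["Default"])
    dot_com = KeywordBlocker([".com"], ["Default"])
    # A lone "." matches every Internet host name, which is why it blocks all browsing.
    everything = KeywordBlocker(["."], ["Default"])
    return {
        "xxx_in_path": xxx.decide("Default", "http://www.example.com/xxx/index.html"),
        "xxx_newsgroup": xxx.decide("Default", "alt.pictures.XXX"),
        "xxx_clean": xxx.decide("Default", "http://www.example.com/"),
        "com_blocked": dot_com.decide("Default", "http://www.netgear.com/"),
        "edu_allowed": dot_com.decide("Default", "http://www.mit.edu/"),
        "dot_blocks_all": everything.decide("Default", "http://www.mit.edu/"),
        "group_not_enabled": xxx.decide("Guests", "alt.pictures.XXX"),
    }
```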
Figure 4-11 2. Click Yes to enable Source MAC Filtering. 3. Select the action to be taken on outbound traffic from the listed MAC addresses: – Block this list and permit all other MAC addresses – Permit this list and block all other MAC addresses 4. Enter a MAC Address in the Add Source MAC Address box and click Add. The MAC address will appear in the MAC Addresses table.
Configuring IP/MAC Address Binding Alerts You can configure the FVS336G to drop packets and generate an alert when a device appears to have hijacked or spoofed another device’s IP address. An IP address can be bound to a specific MAC address either by using a DHCP reserved address (see “Configuring DHCP Address Reservation” on page 3-8) or by manually binding in the IP/MAC Binding menu.
5. To add a manual binding entry, enter the following data in the Add IP/MAC Bindings section: a. Enter a Name for the bound host device. b. Enter the MAC Address and IP Address to be bound. A valid MAC address is six colon-separated pairs of hexadecimal digits (0 to 9 and a to f). For example: 01:23:45:ab:cd:ef. c. From the pull-down list, select whether dropped packets should be logged to a special counter.
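The binding check described above, worked through in code: validate the MAC format the manual specifies, keep a binding table, and drop and count packets whose source IP and MAC disagree with their binding. This is an added example, not the FVS336G's firmware; it assumes a mismatch in either direction (a bound IP seen from another MAC, or a bound MAC using another IP) counts as spoofing, and the hosts and addresses are constructed.

```python
"""IP/MAC binding: MAC validation, binding table, and a drop-or-forward check
with the optional per-binding drop counter. Constructed example."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Six colon-separated pairs of hexadecimal digits, as the manual requires.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Accept the manual's format in either case; return the lower-cased form."""
    m = mac.strip().lower()
    if not MAC_RE.match(m):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return m


@dataclass
class Binding:
    name: str
    mac: str
    ip: str
    log_drops: bool = True   # "dropped packets should be logged to a special counter"


@dataclass
class BindingTable:
    by_ip: Dict[str, Binding] = field(default_factory=dict)
    by_mac: Dict[str, Binding] = field(default_factory=dict)
    drop_counter: Dict[str, int] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def add(self, name: str, mac: str, ip: str, log_drops: bool = True) -> Binding:
        mac = normalize_mac(mac)
        ip = str(ipaddress.ip_address(ip))      # raises ValueError on a bad address
        if ip in self.by_ip or mac in self.by_mac:
            raise ValueError(f"{ip} or {mac} is already bound")
        b = Binding(name, mac, ip, log_drops)
        self.by_ip[ip] = b
        self.by_mac[mac] = b
        return b

    def check(self, src_ip: str, src_mac: str) -> str:
        """Return "forward" or "drop" for a LAN packet with this source IP and MAC."""
        mac = normalize_mac(src_mac)
        b = self.by_ip.get(src_ip)
        if b is not None and b.mac != mac:
            # someone else is using an address that is bound to a known host
            return self._drop(b, f"{src_ip} ({b.name}) claimed by {mac}, bound to {b.mac}")
        b = self.by_mac.get(mac)
        if b is not None and b.ip != src_ip:
            # a bound host is sending from an address other than its own
            return self._drop(b, f"{mac} ({b.name}) sending as {src_ip}, bound to {b.ip}")
        return "forward"   # unbound hosts, and bound hosts using their own address

    def _drop(self, b: Binding, reason: str) -> str:
        self.alerts.append("IP/MAC binding violation: " + reason)
        if b.log_drops:
            self.drop_counter[b.name] = self.drop_counter.get(b.name, 0) + 1
        return "drop"
```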
Note these restrictions with Port Triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the VPN firewall cannot be sure when the application has terminated.
a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 7. Click Add. The port triggering rule will be added to the Port Triggering Rules table. To check the status of the port triggering rules, click the Status option arrow to the right of the tab on the Port Triggering screen. The following data is displayed: • Rule – The name of the port triggering rule.
Figure 4-14 2. Schedule days by selecting either the All Days radio button or the Specific Days radio button. If you selected Specific Days, specify which days. 3. Select the time of day radio button: either All Day to limit access completely for the selected days, or Specific Times to limit access for a period during the selected days.
1. Select Security from the main menu and Bandwidth Profile from the submenu. The Bandwidth Profile menu will display. Figure 4-15 The List of Bandwidth Profiles displays existing profiles. 2. To create a new bandwidth profile, click Add. The Add Bandwidth Profile menu will display. Figure 4-16 3. Enter the following data in the Add Bandwidth Profile section: a. Enter a Profile Name.
d. From the Direction pull-down box, select whether the profile will apply to outbound or inbound traffic. 4. Click Apply. The new bandwidth profile will be added to the list. Configuring Session Limits To prevent one user or group from using excessive system resources, you can limit the total number of IP sessions allowed through the FVS336G for an individual or group.
5. In the pull-down menu, select whether you will limit sessions by percentage or by absolute number. The percentage is computed based on the total connection capacity of the device. When setting a limit based on absolute number, note that some protocols (for example, FTP and RTSP) create two sessions per connection. 6. Click Apply.
• Block sites (see “Blocking Internet Sites (Content Filtering)” on page 4-20) • Source MAC filtering (see “Configuring Source MAC Filtering” on page 4-24) • Port triggering (see “Configuring Port Triggering” on page 4-27)
Chapter 5 Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to provide secure, encrypted communications between your local network and a remote network or computer.
Table 5-1. IP Addressing for VPNs in Dual WAN Port Systems

Configuration and WAN IP address                                    Rollover Mode (a)   Load Balancing Mode
VPN Gateway-to-Gateway, Fixed                                       FQDN required       Allowed (FQDN optional)
VPN Gateway-to-Gateway, Dynamic                                     FQDN required       FQDN required
VPN Telecommuter (client-to-gateway through a NAT router), Fixed    FQDN required       Allowed (FQDN optional)
VPN Telecommuter (client-to-gateway through a NAT router), Dynamic  FQDN required       FQDN required

a.
The use of fully qualified domain names is: • Mandatory when the WAN ports are in rollover mode (Figure 5-2 on page 5-3); also required for the VPN tunnels to fail over.
Configuring an IPsec VPN Connection using the VPN Wizard Configuring a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that will determine the IPsec keys and VPN policies it sets up.
Figure 5-4 1. Select Gateway as your VPN tunnel connection. The wizard needs to know whether you are planning to connect to a remote gateway or setting up the connection for a remote client PC to establish a secure connection to this device. 2. Create a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN endpoint. It is used to help you manage the VPN settings. 3.
• Both the remote WAN address and your local WAN address are required. When choosing these addresses, follow the guidelines in Table 5-1 above. • The remote WAN IP address must be a public address or the Internet name of the remote gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as registered in a Dynamic DNS service.
Figure 5-5 You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen is displayed. Then view or edit the parameters of the new policy by clicking Edit in the Action column adjacent to the policy. The Edit IKE Policy screen will display.
Figure 5-6 Creating a VPN Tunnel Connection to a VPN Client You can set up multiple remote VPN Client policies through the VPN Wizard by changing the default End Point Information settings created for each policy by the wizard. A remote client policy can support up to 200 clients. The remote clients must configure the “Local Identity” field in their policy as “fvs_remote.com”. To configure the VPN client: 1.
Figure 5-7 5. Select which WAN interface (WAN1 or WAN2) will act as this endpoint of the VPN tunnel. 6. Enter the public Remote WAN IP address of the gateway to which you want to connect. Alternatively, you can provide the Internet name of the gateway. The Internet name is the Fully Qualified Domain Name (FQDN); for example, vpn.netgear.com. 7. Enter the Local WAN IP Address or Internet name.
Figure 5-8 To view the “home” policy: Click Edit in the Action column adjacent to the “home” policy to view the “home” policy parameters. The Edit VPN Policy screen is displayed. It should not be necessary to make any changes.
Figure 5-9 You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen is displayed.
Figure 5-10 To see the detailed settings of the IKE Policy, click the Edit button next to the policy. The Edit IKE Policy tab is displayed. Figure 5-11
Managing VPN Tunnel Policies After you use the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name you selected as the VPN tunnel connection name during Wizard setup identifies both the VPN policy and IKE policy. You can edit existing policies, or add new VPN and IKE policies directly in the policy tables.
About the IKE Policy Table When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the List of IKE Policies. Each policy contains the following data: • Name. Uniquely identifies each IKE policy.
In addition, a Certificate Authority (CA) can also be used to perform authentication (see “Managing Certificates” on page 7-8). To use a CA, each VPN gateway must have a certificate from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed, and is used by any sender to encrypt data intended for the receiver (the key owner).
• Auth. Authentication Algorithm used for the VPN tunnel. The default setting using the VPN Wizard is SHA1. (This setting must match the Remote VPN.) • Encr. Encryption algorithm used for the VPN tunnel. The default setting using the VPN Wizard is 3DES. (This setting must match the Remote VPN.) • Action. Allows you to access individual policies to make any changes or modifications.
• NETGEAR ProSafe VPN Client • NAT router: NETGEAR FR114P Configuring the FVS336G 1. Select VPN > IPsec VPN in the main menu. Select the VPN Wizard tab. 2. Select the VPN Client radio button for type of VPN connection. 3. Give the client connection a name, such as “home”. 4. Enter a value for the pre-shared key. 5. Check either the WAN1 or WAN2 radio button to select the WAN interface tunnel. 6.
4. Enter the LAN IP Subnet Address and Subnet Mask of the FVS336G LAN. Check the Connect using radio button and choose Secure Gateway Tunnel from the pull-down menu. 5. From the first ID Type pull-down menu, choose Domain Name and enter the FQDN address of the FVS336G. 6. From the second ID Type pull-down menu, choose Gateway IP Address and enter the WAN IP Gateway address of the FVS336G. 7.
Testing the Connection 1. From your PC, right-click on the VPN client icon in your Windows toolbar and choose Connect..., then My Connections\to_FVG. Within 30 seconds you should receive the message “Successfully connected to My Connections\to_FVG” and the VPN client icon in the toolbar should say On: 2.
Configuring XAUTH for VPN Clients Once XAUTH has been enabled, you must establish user accounts on the User Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy. The VPN policy must be disabled before you can modify the IKE policy. To enable and configure XAUTH: 1.
• RADIUS-CHAP or RADIUS-PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS-PAP is selected, the VPN firewall will first check in the user database to see if the user credentials are available. If the user account is not present, the VPN firewall will then connect to the RADIUS server (see “RADIUS Client Configuration” on page 5-21).
Figure 5-13 3. To activate (enable) the Primary RADIUS server, click the Yes radio button. The primary server options become active. 4. Configure the following entries: • Primary RADIUS Server IP address. The IP address of the RADIUS server. • Secret Phrase.
5. Enable a Backup RADIUS Server (if required). 6. Set the Time Out Period, in seconds, that the VPN firewall should wait for a response from the RADIUS server. 7. Set the Maximum Retry Count. This is the number of tries the VPN firewall will make to the RADIUS server before giving up. 8. Click Apply to save the settings.
temporary IPsec policy using the template security proposal information configured in the Mode Config record. Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly-created Mode Config record as the Remote Host Configuration Record. The VPN Policies menu does not need to be edited.
Figure 5-15 5. Enter a descriptive Record Name such as “Sales”. 6. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients. Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx. 7. If you have a WINS Server on your local network, enter its IP address. 8.
11. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES 12. Click Apply. The new record should appear in the VPN Remote Host Mode Config Table. Next, you must configure an IKE Policy: 1. Click VPN > IPsec VPN in the main menu.
• SA Lifetime: 3600 seconds 7. Enter a Pre-Shared Key that will also be configured in the VPN client. 8. XAUTH is disabled by default. To enable XAUTH, choose one of the following: • Edge Device to use this VPN firewall as a VPN concentrator where one or more gateway tunnels terminate. (If selected, you must specify the Authentication Type to be used in verifying credentials of the remote VPN gateways.
d. Check the Connect using radio button and choose Secure Gateway Tunnel from the pull-down menu. e. From the ID Type pull-down menu, choose Domain name and enter the FQDN of the VPN firewall; in this example it is “local_id.com”. f. Choose Gateway IP Address from the second pull-down menu and enter the WAN IP address of the VPN firewall; in this example it is “172.21.4.1”. 2.
1. Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”. 2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” is displayed and the VPN client icon in the toolbar will read “On”. 3. From the client PC, ping a computer on the VPN firewall LAN.
3. In the General menu frame of the Edit VPN Policy menu, locate the keepalive configuration settings, as shown in Figure 5-16: Figure 5-16 4. Click the Yes radio button to enable keepalive. 5. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests. 6. Enter the Detection Period to set the time between ICMP ping requests.
3. In the IKE SA Parameters menu frame of the Edit IKE Policy menu, locate the Dead Peer Detection configuration settings, as shown in Figure 5-17. Figure 5-17 4. Click the Yes radio button to Enable Dead Peer Detection. 5. Enter the Detection Period to set the interval between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPsec traffic is idle. The default is 10 seconds. 6.
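The DPD timing described above, as a small state machine: an R-U-THERE probe goes out only once the tunnel has been idle for the Detection Period, and the peer is declared dead after a run of unanswered probes. This is an added example, not the FVS336G's implementation; the number of unanswered probes before the peer is declared dead is an assumption (the screen shown on this page does not include it), and the event times are constructed.

```python
"""Dead Peer Detection monitor: probes only when idle, declares the peer dead
after consecutive unanswered R-U-THERE messages. Constructed example."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DpdMonitor:
    period: float = 10.0              # Detection Period (default 10 s)
    max_failures: int = 3             # assumed: unanswered probes before the peer is dead
    last_traffic: float = 0.0         # last protected traffic or R-U-THERE-ACK from the peer
    last_probe: float = float("-inf")
    unanswered: int = 0
    probes_sent: int = 0
    dead: bool = False
    log: List[str] = field(default_factory=list)

    def traffic(self, now: float) -> None:
        """Any IPsec traffic from the peer proves it is alive and resets the failure count."""
        self.last_traffic = now
        self.unanswered = 0

    def ack(self, now: float) -> None:
        self.log.append(f"{now:5.1f}s  R-U-THERE-ACK received")
        self.traffic(now)

    def tick(self, now: float) -> str:
        """Called once per second; returns "probe", "dead" or "idle"."""
        if self.dead:
            return "dead"
        # The last probe has gone unanswered for a full period with no earlier replies.
        if self.unanswered >= self.max_failures and now - self.last_probe >= self.period:
            self.dead = True
            self.log.append(f"{now:5.1f}s  peer dead after {self.unanswered} unanswered probes; tear down SA")
            return "dead"
        # Nothing to do while traffic (or a probe) was seen within the period.
        if now - max(self.last_traffic, self.last_probe) < self.period:
            return "idle"
        self.unanswered += 1
        self.probes_sent += 1
        self.last_probe = now
        self.log.append(f"{now:5.1f}s  R-U-THERE sent (unanswered={self.unanswered})")
        return "probe"


def simulate(events: List[Tuple[float, str]], horizon: float, **kw) -> DpdMonitor:
    """events: (time, "traffic" | "ack") from the peer, applied before each 1 s tick."""
    mon = DpdMonitor(**kw)
    pending = sorted(events)
    for t in range(int(horizon) + 1):
        while pending and pending[0][0] <= t:
            when, kind = pending.pop(0)
            mon.ack(when) if kind == "ack" else mon.traffic(when)
        mon.tick(float(t))
    return mon
```

With the defaults, an idle but responsive peer is probed every period and stays up; a peer that keeps sending traffic is never probed; a silent peer is declared dead once three probes in a row go unanswered.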
3. In the General menu frame of the Edit VPN Policy menu, click the Enable NetBIOS check box, as shown in Figure 5-18. Figure 5-18 4. Click Apply at the bottom of the menu.
Chapter 6 Virtual Private Networking Using SSL Connections The FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers.
firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s PC.
When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain. 4. Create one or more SSL VPN user accounts.
Portal Layouts are applied by selecting from available portal layouts in the configuration of a Domain. When you have completed your Portal Layout, you can apply the Portal Layout to one or more authentication domains (see XREF to apply a Portal Layout to a Domain). You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button adjacent to the portal layout name.
Figure 6-2 3. In the Portal Layout and Theme Name section of the menu, configure the following entries: a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name will be part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.
on login page checkbox to show the banner title and banner message text on the Login screen as shown in Figure 6-3. Figure 6-3 As shown in the figure, the banner title text is displayed in the orange header bar. The banner message text is displayed in the grey header bar. d. Check the Enable HTTP meta tags for cache control checkbox to apply HTTP meta tag cache control directives to this Portal Layout.
The web cache cleaner will prompt the user to delete all temporary Internet files, cookies and browser history when the user logs out or closes the web browser window. The ActiveX web cache control will be ignored by web browsers that don't support ActiveX. 4. In the SSL VPN Portal Pages to Display section, check the checkboxes for the portal pages you wish users to access.
Adding Servers To configure Port Forwarding, you must define the internal host machines (servers) and TCP applications available to remote users. To add servers, follow these steps: 1. Select VPN > SSL VPN from the main menu, and then select the Port Forwarding tab. The Port Forwarding screen will display. Figure 6-4 2.
Table 6-1. Port Forwarding Applications/TCP Port Numbers (continued)

TCP Application                    Port Number
POP3 (receive mail)                110
NTP (network time protocol)        123
Citrix                             1494
Terminal Services                  3389
VNC (virtual network computing)    5900 or 5800

a. Users can specify the port number together with the host name or IP address.
4. Click Add.
Remote users can now securely access network applications once they have logged into the SSL VPN portal and launched Port Forwarding. Configuring the SSL VPN Client The SSL VPN Client within the FVS336G will assign IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the corporate subnet to the remote VPN tunnel clients.
Configuring the Client IP Address Range Determine the address range to be assigned to VPN tunnel clients, then define the address range. To configure the client IP address range: 1. Select VPN > SSL VPN from the main menu, and then select the SSL VPN Client tab. The SSL VPN Client screen will display. Figure 6-5 2. Select Enable Full Tunnel Support unless you want split tunneling. 3.
VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IP address in the client address range. Adding Routes for VPN Tunnel Clients The VPN Tunnel Clients assume that the following networks are located across the VPN over SSL tunnel: • The subnet containing the client IP address (PPP interface), as determined by the class of the address (Class A, B, or C).
3. If an existing route is no longer needed for any reason, you can delete it. Using Network Resource Objects to Simplify Policies Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies.
3. In the Service pull-down menu, select the type of service to which the resource will apply: either VPN Tunnel or Port Forwarding. 4. Click Add. The “Operation Successful” message appears at the top of the tab, and the newly-added resource name appears on the List of Resources table. 5. Adjacent to the new resource, click the Edit button. The Add Resource Addresses screen displays. Figure 6-7 6.
Configuring User, Group, and Global Policies An administrator can define and apply user, group and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The VPN firewall policy hierarchy is defined as: 1. User Policies take precedence over all Group Policies. 2.
• An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2. Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The VPN firewall policy engine does not perform reverse DNS lookups. Viewing Policies To view the existing policies, follow these steps: 1.
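The precedence rules above, worked as a small evaluator that reproduces the page's walk-through (the host-name policy wins over the address-range policy, and access by IP address is not matched by a host-name policy because no reverse DNS is done). This is an added example, not the FVS336G's own policy engine. It assumes the rest of the hierarchy (group policies over global ones, and within one level the more specific target wins: single host or IP over an address range over all addresses), a configurable default when nothing matches, and constructed policy names, users and addresses.

```python
"""SSL VPN policy evaluator: user > group > global, then most specific target.
Constructed example; policy set modelled on the manual's walk-through."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCOPE_RANK = {"global": 0, "group": 1, "user": 2}
SPECIFICITY = {"all": 0, "range": 1, "ip": 2, "host": 2}


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str               # "user", "group" or "global"
    subject: Optional[str]   # user or group name; None for global
    kind: str                # "all", "range", "ip" or "host"
    target: Tuple[str, ...]  # (), (first, last), (ip,) or (hostname,)
    service: str             # "VPN Tunnel", "Port Forwarding" or "All"
    action: str              # "PERMIT" or "DENY"

    def applies(self, user: str, groups: List[str], dest: str, service: str) -> bool:
        if self.scope == "user" and self.subject != user:
            return False
        if self.scope == "group" and self.subject not in groups:
            return False
        if self.service not in ("All", service):
            return False
        if self.kind == "all":
            return True
        if self.kind == "host":
            # Plain name comparison: no reverse DNS, so a request to the
            # server's IP address never matches a host-name policy.
            return dest.lower() == self.target[0].lower()
        try:
            ip = ipaddress.ip_address(dest)
        except ValueError:
            return False  # a host-name destination does not match IP-based policies
        if self.kind == "ip":
            return ip == ipaddress.ip_address(self.target[0])
        first, last = (ipaddress.ip_address(t) for t in self.target)
        return first <= ip <= last


def evaluate(policies: List[Policy], user: str, groups: List[str], dest: str,
             service: str, default: str = "DENY") -> Tuple[str, Optional[str]]:
    """Return (action, winning policy name); `default` applies when nothing matches."""
    hits = [p for p in policies if p.applies(user, groups, dest, service)]
    if not hits:
        return default, None
    # Highest scope first, then the most specific target; DENY wins an exact tie.
    best = max(hits, key=lambda p: (SCOPE_RANK[p.scope], SPECIFICITY[p.kind],
                                    p.action == "DENY"))
    return best.action, best.name


# Constructed policy set: a global deny, a group-level deny on the 10.0.1.x
# range (Policy 2), a group-level permit for ftp.company.com (Policy 3), and a
# user-level permit for Port Forwarding that outranks both group policies.
POLICIES = [
    Policy("Policy 1", "global", None, "all", (), "All", "DENY"),
    Policy("Policy 2", "group", "sales", "range", ("10.0.1.0", "10.0.1.255"), "All", "DENY"),
    Policy("Policy 3", "group", "sales", "host", ("ftp.company.com",), "All", "PERMIT"),
    Policy("Policy 4", "user", "alice", "all", (), "Port Forwarding", "PERMIT"),
]


def demo() -> dict:
    alice = ("alice", ["sales"])
    return {
        "by_name": evaluate(POLICIES, *alice, "ftp.company.com", "VPN Tunnel"),
        "by_ip": evaluate(POLICIES, *alice, "10.0.1.3", "VPN Tunnel"),
        "other_host": evaluate(POLICIES, *alice, "10.0.2.9", "VPN Tunnel"),
        "user_wins": evaluate(POLICIES, *alice, "10.0.1.3", "Port Forwarding"),
        "no_group": evaluate(POLICIES, "bob", [], "ftp.company.com", "VPN Tunnel"),
    }
```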
Adding a Policy To add a policy, follow these steps: 1. Select VPN > SSL VPN from the main menu, and select the Policies tab. The Policies screen will display. Figure 6-9 2. Make your selection from the following Query options: • Click Global if this new policy is to exclude all users and groups. • Click Group if this new policy is to be limited to a selected group.
• If you choose Network Resource, you’ll need to enter a descriptive Policy Name, then choose a Defined Resource and relevant Permission (PERMIT or DENY) from the pull-down menus. Figure 6-10 If a needed network resource has not been defined, you can add it before proceeding with this new policy. See “Adding New Network Resources” on page 6-13.
Figure 6-12 • If you choose All Addresses, you’ll need to enter a descriptive Policy Name, then choose the Service and relevant Permission from the pull-down menus. Figure 6-13 5. When you are finished making your selections, click Apply. The Policies screen reappears. Your policy goes into effect immediately and is added to the policies in the List of SSL VPN Policies table on this screen.
Chapter 7 Managing Users, Authentication, and Certificates This chapter contains the following sections: • “Adding Authentication Domains, Groups, and Users” on page 7-1 • “Managing Certificates” on page 7-8 Adding Authentication Domains, Groups, and Users You must create name and password accounts for all users who will connect to the VPN firewall. This includes administrators and SSL VPN clients.
Figure 7-1 2. Click Add. The Add Domain screen displays. Figure 7-2 3. Configure the following fields: a. Enter a descriptive name for the domain in the Domain Name field. b. Select the Authentication Type.
The required fields are activated in varying combinations according to your selection of Authentication Type:

Authentication Type    Required Authentication Information Fields
Local User Database    None
Radius-PAP             Authentication Server, Authentication Secret
Radius-CHAP            Authentication Server, Authentication Secret
Radius-MSCHAP          Authentication Server, Authentication Secret
Radius-MSCHAPv2        Authentication Server, Authenticat
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Figure 7-3 2. Configure the new group settings in the Add New Group section of the menu: a. Name. Enter a descriptive name for the group. b. Domain. Select the appropriate domain (only for Administrator or SSL VPN User). c. Timeout. For an Administrator, this is the period at which an idle user will be automatically logged out of the Web Configuration Manager 3. Click Add.
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual . Figure 7-4 2. Click Add. The Add User tab screen is displayed. Figure 7-5 3. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b. User Type. Select either Administrator, SSL VPN User, or IPsec VPN User. c. Select Group. Select from a list of configured groups. The user will be associated with the domain that is associated with that group. d.
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual e. Idle Timeout. For an Administrator, this is the period at which an idle user will be automatically logged out of the Web Configuration Manager. 4. Click Apply to save and apply your entries. The new user appears in the List of Users. Setting User Login Policies You can restrict the ability of defined users to log into the Web Configuration Manager.
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual To restrict logging in based on IP address: 1. Select the by Source IP Address tab. The by Source IP Address screen will display. Figure 7-7 2. In the Defined Addresses Status section, select: • the Deny Login from Defined Addresses to deny logging in from the IP addresses that you will specify • the Allow Login only from Defined Addresses to allow logging in from the IP addresses that you will specify. 3. Click Apply. 4.
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual To restrict logging in based on the user’s browser: 1. Select the by Client Browser tab. The by Client Browser screen will display. Figure 7-8 2. In the Defined Browsers Status section, select> • the Deny Login from Defined Browsers to deny logging in from browsers that you will specify • the Allow Login only from Defined Browsers to allow logging in from browsers that you will specify. 3.
• A public encryption key to be used by clients for encrypting messages to the server. • Information identifying the operator of the server. • A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified absolutely.
To view the VPN Certificates: Select VPN > Certificates from the main menu. The Certificates screen displays. The top section of the Certificates screen displays the Trusted Certificates (CA Certificates). Figure 7-9 When you obtain a self certificate from a CA, you will also receive the CA certificate. In addition, many CAs make their certificates available on their websites.
For each self certificate, the following data is listed: • Name. The name you used to identify this certificate. • Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all of your certificates should have the same value in the Subject field. • Serial Number.
Figure 7-11 3. Complete the Optional fields, if desired, with the following information: • IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank. • Domain Name – If you have an Internet domain name, you can enter it here. Otherwise, you should leave this field blank. • E-mail Address – Enter the e-mail address of a technical contact in your organization. 4.
5. In the Self Certificate Requests table, click View under the Action column to view the request. Figure 7-13 6. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from “----BEGIN CERTIFICATE REQUEST---” to “---END CERTIFICATE REQUEST---”. 7. Submit your certificate request to a CA: a. Connect to the website of the CA. b. Start the Self Certificate request procedure.
9. Return to the Certificates screen and locate the Self Certificate Requests section. Figure 7-14 10. Select the checkbox next to the certificate request, then click Browse and locate the certificate file on your PC. 11. Click Upload. The certificate file will be uploaded to this device and will appear in the Active Self Certificates list.
Figure 7-15 The CRL table lists your active CAs and their critical release dates: • CA Identify – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. • Next Update – The date when the next CRL will be released. 2. Click Browse and locate the CRL file you previously downloaded from a CA. 3. Click Upload.
Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN offers many tools for managing the network traffic to optimize its performance.
• WAN side: 2000 Mbps (load balancing mode, two WAN ports at 1000 Mbps each) or 1000 Mbps (rollover mode, one active WAN port at 1000 Mbps) In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports will support the following traffic rates: • Load balancing mode: 3 Mbps (two WAN ports at 1.5 Mbps each) • Rollover mode: 1.
• ALLOW by schedule, otherwise Block As you define your firewall rules, you can further refine their application according to the following criteria: • LAN Users. These settings determine which computers on your network are affected by this rule. Select the desired options: – Any. All PCs and devices on your LAN. – Single address. The rule will be applied to the address of a particular PC. – Address range.
Groups and Hosts You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic. The LAN Groups Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: • DHCP Client Request.
You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs even in the groups for which keyword blocking has been enabled will still be allowed without any blocking. • Web Component blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies.
You can control specific inbound traffic (from WAN to LAN). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic.
• Services. You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-15). • Schedule.
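The rule criteria described above (the LAN Users scope of Any, single address or address range; the Service; the Schedule; the "ALLOW by schedule, otherwise Block" action; and the default rule that applies when nothing else matches) can be modelled as an ordered, first-match rule set. The following is an added example written for this manual page, not NETGEAR's own code: the class names, the `decide` helper, the sample rules and the sample packets are constructed to illustrate how such a rule set is evaluated, and the default inbound rule is the block-everything rule the text describes.

```python
"""Ordered firewall rule evaluation with a default rule, modelled on the rule
criteria the manual lists (LAN Users scope, Services, Schedule, and the
"ALLOW by schedule, otherwise Block" action). Added example, not NETGEAR code:
the class names, the sample rules and the sample packets are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str            # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range


@dataclass(frozen=True)
class Schedule:
    days: FrozenSet[int]     # 0 = Monday ... 6 = Sunday
    start_hour: int          # inclusive
    end_hour: int            # exclusive


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # ALLOW, BLOCK, ALLOW_BY_SCHEDULE, BLOCK_BY_SCHEDULE
    service: Service
    lan_users: Optional[Tuple[str, str]] = None   # None = Any; (a, a) = single address
    schedule: Optional[Schedule] = None


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str
    dst_port: int


def lan_user_matches(rule: Rule, src: str) -> bool:
    """Any / single address / address range, as in the LAN Users criterion."""
    if rule.lan_users is None:
        return True
    first, last = (ip_address(a) for a in rule.lan_users)
    return first <= ip_address(src) <= last


def service_matches(svc: Service, pkt: Packet) -> bool:
    if svc.protocol != "any" and svc.protocol != pkt.protocol:
        return False
    low, high = svc.ports
    return low <= pkt.dst_port <= high


def in_schedule(sched: Schedule, when: datetime) -> bool:
    return when.weekday() in sched.days and sched.start_hour <= when.hour < sched.end_hour


def evaluate(rules: List[Rule], pkt: Packet, when: datetime,
             default: str = "BLOCK") -> Tuple[str, str]:
    """First matching rule decides; with no match the default rule applies
    (the manual's default inbound rule blocks everything)."""
    for rule in rules:
        if not (lan_user_matches(rule, pkt.src) and service_matches(rule.service, pkt)):
            continue
        if rule.action in ("ALLOW", "BLOCK"):
            return rule.action, rule.name
        active = rule.schedule is not None and in_schedule(rule.schedule, when)
        if rule.action == "ALLOW_BY_SCHEDULE":
            return ("ALLOW" if active else "BLOCK"), rule.name
        if rule.action == "BLOCK_BY_SCHEDULE":
            return ("BLOCK" if active else "ALLOW"), rule.name
        raise ValueError(f"unknown action {rule.action!r} in rule {rule.name}")
    return default, "default"


def decide(rules: List[Rule], src: str, protocol: str, dst_port: int,
           when_iso: str, default: str = "BLOCK") -> Tuple[str, str]:
    """Convenience wrapper: build the packet and parse an ISO timestamp."""
    return evaluate(rules, Packet(src, protocol, dst_port),
                    datetime.fromisoformat(when_iso), default)


# Constructed sample outbound rule set (hypothetical, not from the manual).
TELNET = Service("TELNET", "tcp", (23, 23))
HTTP = Service("HTTP", "tcp", (80, 80))
BUSINESS_HOURS = Schedule(frozenset(range(5)), 8, 18)
OUTBOUND_RULES = [
    Rule("block-telnet-guest-range", "BLOCK", TELNET, ("192.168.1.100", "192.168.1.199")),
    Rule("web-business-hours", "ALLOW_BY_SCHEDULE", HTTP, schedule=BUSINESS_HOURS),
]

if __name__ == "__main__":
    print(decide(OUTBOUND_RULES, "192.168.1.150", "tcp", 23, "2008-06-02T10:00", "ALLOW"))
    print(decide([], "203.0.113.5", "tcp", 443, "2008-06-02T10:00"))  # inbound: only the default rule
```

Order matters: the first rule whose LAN Users scope and Service both match decides, so a narrow BLOCK placed before a broad ALLOW behaves differently from the reverse order. The sample inbound call with an empty rule list shows why the default inbound rule matters: with nothing configured, every inbound packet falls through to BLOCK.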
See Chapter 5, “Virtual Private Networking Using IPsec” for the procedure on how to use IPsec VPN, and Chapter 6, “Virtual Private Networking Using SSL Connections” for the procedure on how to use SSL VPN. Using QoS to Shift the Traffic Mix The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall. The QoS is set individually for each service.
Figure 8-1 2. Select the checkbox adjacent to admin in the Name column, then click Edit in the Action column. The Edit User screen is displayed, with the current settings for Administrator displayed in the Select User Type pull-down menu. Figure 8-2 3. Select the Check to Edit Password checkbox. The password fields become active. 4. Enter the old password, then enter the new password twice.
5. (Optional) To change the idle timeout for an administrator login session, enter a new number of minutes in the Idle Timeout field. 6. Click Apply to save your settings or Reset to return to your previous settings.
Figure 8-3 2. Click the Yes radio button to enable HTTPS remote management (enabled by default). 3. To enable remote management by the command line interface (CLI) over Telnet, click Yes to Allow Telnet Management, and configure the external IP addresses that will be allowed to connect. a. To allow access from any IP address on the Internet, select Everyone. b.
The VPN firewall’s remote login URL is https:// or https://. Note: To maintain security, the FVS336G will reject a login that uses http://address rather than the SSL https://address. Note: The first time you remotely connect to the FVS336G with a browser via SSL, you may get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.
To access the CLI from a communications terminal when the VPN firewall is still set to its factory defaults (or use your own settings if you have changed them), do the following: 1. From your computer’s command line prompt, enter the following command: telnet 192.168.1.1 2. Enter admin and password when prompted for the login and password information (or enter guest and password to log in as a read-only guest). 3.
Figure 8-4 2. Configure the following fields in the Create New SNMP Configuration Entry section: a. Enter the IP Address of the SNMP manager in the IP Address field and the Subnet Mask in the Subnet Mask field. – To allow only the host address to access the VPN firewall and receive traps, enter an IP Address of, for example, 192.168.1.101 with a Subnet Mask of 255.255.255.255.
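Both the login policy by source IP address (Deny Login from Defined Addresses versus Allow Login only from Defined Addresses, in Chapter 7) and the SNMP manager entry above rest on the same check: does a source address fall inside an address-plus-mask scope? The block below is an added example written for this page, not NETGEAR code; it models the two login-policy modes and shows why a mask of 255.255.255.255 admits exactly one host. The function names, the mode constants and the sample addresses are constructed assumptions.

```python
"""Source-address policy checks built on address-plus-mask matching. Added
example, not NETGEAR code: it models the two login-policy modes the manual
describes (deny login from defined addresses / allow login only from defined
addresses) and the SNMP manager entry where a host address with mask
255.255.255.255 admits a single host. Function names and sample addresses
are constructed."""
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

DENY_FROM_DEFINED = "deny_from_defined"
ALLOW_ONLY_FROM_DEFINED = "allow_only_from_defined"


def scope(address: str, mask: str):
    """Turn an address/mask pair (as typed into the SNMP or login forms) into a
    network. strict=False keeps any host bits, so 192.168.1.101 with mask
    255.255.255.255 becomes a one-host scope rather than raising an error."""
    return ip_network(f"{address}/{mask}", strict=False)


def hosts_admitted(address: str, mask: str) -> int:
    """How many source addresses the entry lets in: 1 for a /32 host mask."""
    return scope(address, mask).num_addresses


def in_defined_addresses(src: str, defined: Iterable[Tuple[str, str]]) -> bool:
    ip = ip_address(src)
    return any(ip in scope(addr, mask) for addr, mask in defined)


def login_permitted(src: str, mode: str, defined: List[Tuple[str, str]]) -> bool:
    """Apply the Defined Addresses policy to a login attempt from src.
    In this model, allow-only mode with an empty list rejects everyone,
    including the administrator, so populate the list before switching modes."""
    listed = in_defined_addresses(src, defined)
    if mode == DENY_FROM_DEFINED:
        return not listed
    if mode == ALLOW_ONLY_FROM_DEFINED:
        return listed
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample: one management host and one management subnet.
DEFINED = [("192.168.1.101", "255.255.255.255"), ("10.0.5.0", "255.255.255.0")]

if __name__ == "__main__":
    print(hosts_admitted("192.168.1.101", "255.255.255.255"))
    print(login_permitted("10.0.5.20", ALLOW_ONLY_FROM_DEFINED, DEFINED))
    print(login_permitted("203.0.113.9", ALLOW_ONLY_FROM_DEFINED, DEFINED))
```

The allow-only mode is the safer choice for management access because anything not explicitly listed is refused; the deny mode only excludes the addresses you happen to know about. The last assertion in the test records the lock-out case: an allow-only policy with an empty list permits no login at all.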
Figure 8-5 You can edit the System Contact, System Location, and System name. Configuration File Management The configuration settings of the VPN firewall are stored within the firewall in a configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the user’s PC, or cleared to factory default settings.
1. Select Administration > Settings Backup and Firmware Upgrade from the main menu. The Settings Backup and Firmware Upgrade screen is displayed. Figure 8-6 2. Click Backup to save a copy of your current settings. • If your browser isn’t set up to save downloaded files automatically, locate where you want to save the file, specify the file name, and click Save.
Revert to Factory Default Settings To reset the VPN firewall to the original factory default settings: 1. Click default. 2. You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the VPN firewall’s password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and act as a DHCP client to the Internet.
3. Locate the downloaded file and click upload. This will start the software upgrade to your VPN firewall. This may take some time. At the conclusion of the upgrade, your VPN firewall will reboot.
Figure 8-7 2. From the Date/Time pull-down menu, choose the Local Time Zone. This is required in order for scheduling to work correctly. The VPN firewall includes a real-time clock (RTC), which it uses for scheduling. 3. If supported in your region, select Automatically Adjust for Daylight Savings Time. 4. Select an NTP Server option: • Use Default NTP Servers.
Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN ports, LAN ports, and VPN tunnels.
Figure 9-1 2. Enable the traffic meter by clicking the Yes radio button under Do you want to enable Traffic Metering on WAN1? The traffic meter will record the volume of Internet traffic passing through WAN1. Select the following options: • No Limit. Any specified restrictions will not be applied when the traffic limit is reached. • Download only.
Note: Both incoming and outgoing traffic are included in the limit. • Increase this month limit by. Temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so that the increase is only applied once.) • This month limit.
Activating Notification of Events and Alerts The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address.
Figure 9-2 7. To respond to IDENT protocol messages, check the Respond to Identd from SMTP Server box. The Ident Protocol is a weak scheme to verify the sender of e-mail (a common daemon program for providing the ident service is identd).
8. Enter a Schedule for sending the logs. From the Unit pull-down menu, choose: Never, Hourly, Daily, or Weekly. Then set the Day and Time fields that correspond to your selection. 9. You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click Yes to enable SysLogs and send messages to the syslog server, then: a. Enter your SysLog Server IP address b.
Log entries are described in Table 9-1. Table 9-1. Firewall Logs Field Descriptions Field Description Date and Time The date and time the log entry was recorded. Description or Action The type of event and what action was taken if any. Source IP The IP address of the initiating device for this log entry.
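Once the logs are e-mailed or forwarded to a syslog server, the administrator's job is to read the three fields of Table 9-1 (Date and Time, Description or Action, Source IP) and notice patterns such as repeated login failures from one source, which the chapter introduction lists among the events worth alerting on. The following added example, written for this page and not NETGEAR code, parses entries in those three fields and counts failed logins per source. The line layout, the sample entries and the function names are constructed for illustration; the device's real log format is not shown on this page, so the regular expression would need to be adapted to it.

```python
"""Parsing firewall log entries into the fields described in Table 9-1 (Date
and Time, Description or Action, Source IP) and summarising login failures per
source, the kind of check an administrator runs on the logs the firewall
e-mails or sends to a syslog server. Added example, not NETGEAR code: the line
format and the sample entries below are constructed, not the device's actual
log format."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class LogEntry(NamedTuple):
    timestamp: str      # Date and Time
    description: str    # Description or Action
    source_ip: str      # Source IP


# Constructed layout: "<date> <time> | <description> | <source ip>"
_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (.+?) \| (\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line: str) -> Optional[LogEntry]:
    """Return None for lines that do not follow the layout, so one malformed
    entry is skipped instead of aborting the whole report."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    return LogEntry(m.group(1), m.group(2), m.group(3))


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]


def failed_logins_by_source(entries: List[LogEntry]) -> Dict[str, int]:
    """Count entries whose description starts with 'Login failure', per Source IP."""
    counts = Counter(e.source_ip for e in entries
                     if e.description.lower().startswith("login failure"))
    return dict(counts)


def sources_over_threshold(entries: List[LogEntry], threshold: int) -> List[str]:
    """Sources with at least `threshold` failed logins, most failures first."""
    counts = failed_logins_by_source(entries)
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))


# Constructed sample log (not real device output).
SAMPLE_LOG = """\
2008-06-02 09:12:01 | Login failure for user admin | 203.0.113.7
2008-06-02 09:12:04 | Login failure for user admin | 203.0.113.7
2008-06-02 09:12:09 | Login failure for user root | 203.0.113.7
2008-06-02 09:15:30 | Login failure for user admin | 198.51.100.4
2008-06-02 09:20:00 | Login success for user admin | 192.168.1.20
2008-06-02 09:21:45 | Blocked inbound TCP to port 23 | 198.51.100.9
this line is garbage and is skipped
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(failed_logins_by_source(entries))
    print(sources_over_threshold(entries, 3))
```

The threshold and the time window are the tuning knobs: a handful of failures from a single address over a minute is a different signal from one failure a day, so a production version would also group by the timestamp field. Running the same summary over the syslog copy of the log rather than the e-mailed copy gives the administrator a record that survives if the device itself is reset.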
Figure 9-3 The following information is displayed: Item Description System Name This is the Account Name that you entered in the Basic Settings page. Firmware Version This is the current software the router is using. This will change if you upgrade your router. LAN Port Displays the current settings for MAC address, IP address, DHCP role and IP Subnet Mask that you set in the LAN IP Setup page.
Item Description WAN1 Configuration Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also displays: • NAT: Enabled or Disabled. • Connection Type: DHCP enabled or disabled. • Connection State • WAN IP Address • Subnet Mask • Gateway Address • Primary and Secondary DNS Server Addresses • MAC Address.
Figure 9-4 Monitoring Attached Devices The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen: 1. Select Network Configuration > LAN Settings from the main menu, and then select the LAN Groups tab. The LAN Groups screen will display. 2. The Known PCs and Devices database is an automatically-maintained list of LAN-attached devices.
Figure 9-5 The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed (Table 9-2). Table 9-2. Known PCs and Devices options Item Description Name The name of the PC or device. Sometimes, this cannot be determined, and will be listed as Unknown. In this case, you can edit the entry to add a meaningful name. IP Address The current IP address.
Reviewing the DHCP Log To review the most recent entries in the DHCP log: 1. Select Network Configuration > LAN Settings from the main menu, and then click the LAN Setup tab. The LAN Setup screen will display. Figure 9-6 2. Click the DHCP Log link to the right of the tabs. The DHCP Log appears in a popup window. Figure 9-7 3. To view the most recent entries, click refresh.
To display the list of active users: 1. Select Monitoring > Active Users from the main menu. The Active Users screen is displayed. Figure 9-8 The active user’s username, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in. 2. You can disconnect an active user by clicking Disconnect to the right of the user’s list entry.
2. When the Port Triggering screen is displayed, click the Status link to the right of the tab to display the Port Triggering Status. Figure 9-10 The status window displays the following information: Item Description Rule The name of the port triggering rule associated with this entry. LAN IP Address The IP address of the PC currently using this rule. Open Ports The incoming ports which are associated with this rule.
The Active IPsec SAs table lists each active connection with the following information. Item Description Policy Name The name of the VPN policy associated with this SA. Endpoint The IP address on the remote VPN endpoint. Tx (KB) The amount of data transmitted over this SA. Tx (Packets) The number of IP packets transmitted over this SA. State The current status of the SA.
1. Select Monitoring > VPN Logs from the main menu, and select the IPsec VPN Logs tab. The IPsec VPN Logs screen will display. Figure 9-13 2. To view the most recent entries, click refresh log. To delete all the existing log entries, click clear log. 3. Select the SSL VPN Logs tab to view SSL VPN log details.
Chapter 10 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. After each problem description, instructions are provided to help you diagnose and solve the problem.
Power LED Not On If the Power and other LEDs are off when your VPN firewall is turned on: • Make sure that the power cord is properly connected to your VPN firewall and that the power supply adapter is properly connected to a functioning power outlet. • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.
Troubleshooting the Web Configuration Interface If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the VPN firewall as described in the previous section. • Make sure your PC’s IP address is on the same subnet as the VPN firewall.
• When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost. • Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
• Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address. In this case: – Inform your ISP that you have bought a new network device, and ask them to use the VPN firewall’s MAC address; or – Configure your VPN firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring the Internet Connection” on page 28.
Reply from : bytes=32 time=NN ms TTL=xxx If the path is not working, you will see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems: • Wrong physical connections – Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or WAN Port LEDs Not On” on page 10-2.
• Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your VPN firewall to “clone” or “spoof” the MAC address from the authorized PC.
• Time is off by one hour. Cause: The VPN firewall does not automatically sense Daylight Savings Time. Check the Time Zone menu, and check or uncheck the box marked “Adjust for Daylight Savings Time”. Using the Diagnostics Utilities You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets.
Table 10-1. Diagnostics Item Description Ping or trace an IP address Ping – Used to send a ping packet request to a specified IP address—most often, to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Appendix A Default Settings and Technical Specifications You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below. • Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document Link Internet Networking and TCP/IP http://documentation.netgear.com/reference/enu/tcpip/index.htm Addressing: Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.
Appendix C Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports.
– For rollover mode, protocol binding does not apply. – For load balancing mode, decide which protocols should be bound to a specific WAN port (you will make these selections in “Configuring the WAN Mode (Required for Dual WAN)” on page 2-11). – You can also add your own service protocols to the list (see “About Services-Based Rules” on page 4-3 for information on how to do this). 3. Set up your accounts a.
• The VPN firewall is capable of being managed remotely, but this feature must be enabled locally after each factory default reset. You are strongly advised to change the default management password to a strong password before enabling remote management. You make these selections during “Logging into the VPN Firewall Router” on page 2-2.
Internet Configuration Requirements Depending on how your ISPs set up your Internet accounts, you will need one or more of these configuration parameters to connect your firewall to the Internet: • Host and Domain Names • ISP Login Name and Password • ISP Domain Name Server (DNS) Addresses • Fixed IP Address which is also known as Static IP Address Where Do I Get the Internet Configuration Parameters? There are several ways yo
Internet Connection Information Form Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports include: • Inbound traffic (port forwarding, port triggering) • Outbound traffic (protocol binding) • Virtual private networks (VPNs) The two WAN ports can be configured on a mutually-exclusive basis to either: • Rollover for increased reliability, or • Balance the load for outgoing traffic.
The Roll-over Case for Firewalls With Dual WAN Ports Rollover (Figure C-2) for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time and when it rolls over, the IP address of the active WAN port always changes. Hence, the use of a fully-qualified domain name is always required, even when the IP address of each WAN port is fixed.
Inbound Traffic Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu. Instead of discarding this traffic, you can have it forwarded to one or more LAN hosts on your network. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table C-1.
Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover (Figure C-5), the WAN’s IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (i.e., WAN1 or WAN2).
Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table C-2.
Figure C-7 • Load Balancing Case for Dual Gateway WAN Ports Load balancing (Figure C-8) for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall (Figure C-9), the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder. Figure C-9 The IP address of the gateway WAN port can be either fixed or dynamic.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
Figure C-12 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
Figure C-13 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall (Figure C-16), either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to manage the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance.
VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall (Figure C-17), the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. Figure C-17 The IP address of the gateway WAN port can be either fixed or dynamic.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall (Figure C-20), the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance.
Index A B access remote management 8-10 backup and restore settings 8-15 bandwidth capacity 8-1 LAN side 8-1 Load balancing mode 8-2 Rollover mode 8-2 WAN side 8-2 ActiveX web cache control 6-6 Add LAN WAN Inbound Service 4-10 Add LAN WAN Outbound Service 4-10 Add Mode Config Record screen 5-24 Banner Message 6-5 Add Protocol Binding Destination Network 2-16 Service 2-16 Banner Title 6-5 BigPond Cable 2-6, 2-8 Internet connection 2-10 Add Resource Addresses menu 6-14 address reservation 3-8 Block
by Telnet 8-11 command line interface 8-12, 8-13 configuration automatic by DHCP 1-4 connecting the VPN firewall 2-1 Connection Status VPN Tunnels 5-16 Content 4-20 DHCP log monitoring 9-12 DHCP server about 3-1 address pool 3-1, 3-4 configuring secondary IP addresses 3-9 enable 3-4 lease time 3-4 Content Filtering 4-1 about 4-20 Block Sites 4-20 enabling 4-22 firewall protection, about 4-1 diagnostics DNS lookup 10-8 packet
Dual WAN Ports features of 1-2 Dual WAN ports Auto-Rollover, configuration of 2-13 inbound traffic C-8 Load Balancing, configuration of 2-15 load balancing, inbound traffic C-9 network planning C-1 Dynamic DNS configuration of 2-17 rear panel 1-7 technical specifications A-1 viewing activity 9-14 Firewall Log Field Description 9-7 Firewall Logs emailing of 4-33, 9-4 viewing 9-6 Firewall Logs & E-mail screen 4-33, 9-4 Dynamic D
IGP 3-12 IKE Policies menu 5-11 IKE Policy about 5-13 management of 5-13 ModeConfig, configuring with 5-26 XAUTH, adding to 5-20 Inbound Rules default definition 4-2 field descriptions 4-6 order of precedence 4-8 Port Forwarding 4-3, 4-5 rules for use 4-5 IP Subnet Mask router default 3-3 IPsec Connection Status screen 9-14 IPSec Host 5-21 IPsec Host XAUTH, with ModeConfig 5-27 IPsec host 5-19 ISP connection troubleshooting 10-
example of 4-13 LAN WAN Rules default outbound 4-8 multi home LAN IPs 3-5 about 3-9 multi-NAT 4-14 lease time 3-4 LEDs explanation of 1-6 troubleshooting 10-2 Load Balancing bandwidth capacity 8-2 configuration of 2-15 definition of 2-12 use with DDNS 2-17 view protocol bindings 2-16 logging in default login 2-2 login policy restrict by browser 7-8 restrict by IP address 7-7 restrict by port 7-6 N NAS Identifier 5-22 NAT conf
adding 4-9 modifying 4-11 Outbound Services field descriptions 4-3 explanation of WAN and LAN 1-6 PPP connection 6-2 PPP over Ethernet. See PPPoE.
in LAN groups database 3-7 restrictions 3-7 resources defining 6-13 restore saved settings 8-15 schedule blocking traffic 4-29 Schedule 1 screen 4-29 secondary IP addresses DHCP, use with 3-9 Return E-mail Address 9-4 Secondary LAN IPs see Multi Home LAN IPs 3-9 RFC 1349 4-17 self certificate request 7-11 RFC1700 protocol numbers 4-15 Send To E-mail Address 9-4 retry interval 2-14 RIP about 3-12 advertising static route
setting of 8-18 Add Protocol Binding 2-16 Specifying an Exposed Host example of 4-15 Time Zone screen 8-18 split tunnel configuring 6-11 description 6-10 ToS. See QoS. spoof MAC address 10-5 SSL VPN Client description 6-2 SSL VPN Logs 9-16 Starting IP Address DHCP Address Pool 3-4 Stateful Packet Inspection firewall, use with 4-2 stateful packet inspection. See SPI.
rollover, with dual WAN ports C-7 telecommuter, about C-17 telecommuter, Dual gateway C-18 telecommuter, single gateway C-18 VPN Client configuring 5-8 configuring PC, example 5-17 VPN Wizard example 5-17 WAN Failure Detection Method 2-12, 2-13 WAN Mode setup 5-2 WAN Port 1 status 2-7 WAN Ports monitoring status 9-9 WAN ports status of 2-13 VPN firewall connecting 2-1 WAN Security Check about 4-19 VPN Logs screen 9-15 WAN s