ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual 350 East Plumeria Drive San Jose, CA 95134 USA July 2013 202-10619-02 v2.
© 2010 by NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc. P/N: Part Number TBD v2.0 Technical Support When you register your product at http://www.netgear.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).” 4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alumni.caltech.edu The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.
Table of Contents
Chapter 1 Introduction
Package Contents
Front Panel Features
Rear Panel Features
Default IP Address, Login Name, and Password Location
Qualified Web Browsers
Using Rules to Block or Allow Specific Kinds of Traffic, page 43
About Services-Based Rules, page 43
Viewing the Rules, page 48
Order of Precedence for Rules, page 48
Setting the Default Outbound Policy
Configuring Keepalives, page 95
Configuring Dead Peer Detection, page 96
Configuring NetBIOS Bridging with VPN, page 97
Chapter 6 Virtual Private Networking Using SSL
Understanding the Portal Options
Using an SNMP Manager, page 141
Managing the Configuration File, page 143
Reverting to Factory Default Settings, page 145
Configuring Date and Time Service
The Roll-over Case for Firewalls With Dual WAN Ports, page 177
The Load Balancing Case for Firewalls with Dual WAN Ports, page 178
Inbound Traffic, page 178
Inbound Traffic to Single WAN Port (Reference Case), page 179
Inbound Traffic to Dual WAN Port Systems
Chapter 1 Introduction The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 connects your LAN to the Internet through one or two external broadband modems. Dual WAN ports allow you to increase throughput to the Internet by using both ports together, or to maintain a backup connection in case your primary Internet connection fails.
If any parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the FVS336Gv2 for repair.
Table 1-1. LED Descriptions (Continued)
• LINK/ACT (Link and Activity), On (Green): The WAN port has detected a link with a connected Ethernet device.
• LINK/ACT, Blinking (Green): Data is being transmitted or received by the WAN port.
• LINK/ACT, Off: The WAN port has no link.
• On (Green): The LAN port is operating at 1,000 Mbps.
• On (Amber): The LAN port is operating at 100 Mbps.
the following factory default information: IP address, user name, and password. Figure 1-3 Product Label Qualified Web Browsers To configure the VPN firewall, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher, with JavaScript, cookies, and SSL enabled.
Chapter 2 Connecting the VPN Firewall to the Internet The initial Internet configuration of the VPN firewall is described in this chapter. This chapter contains the following sections: • “Understanding the Connection Steps” on this page. • “Logging into the VPN Firewall” on page 15. • “Navigating the Menus” on page 16. • “Configuring the Internet Connections” on page 17. • “Configuring the WAN Mode (Required for Dual WAN)” on page 22. • “Configuring Dynamic DNS (Optional)” on page 26.
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on page 26. 6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed.
5. Click Login. The Web Configuration Manager screen appears, displaying Router Status: Navigating the Menus The Web Configuration Manager menus are organized in a layered structure of main categories and submenus: • Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar.
Configuring the Internet Connections To set up your VPN firewall for secure Internet connections, you configure WAN port 1 and WAN port 2. The Web Configuration Manager offers two connection configuration options: • Automatic detection and configuration of the network connection. • Manual configuration of the network connection. Each option is detailed in the sections following.
Note: If you click Auto Detect while the WAN port already has a connection, you might lose the connection because the VPN firewall will enter its detection mode. a. If Auto Detect is successful, a status bar at the top of the screen will display the results. b. If Auto Detect senses a connection method that requires input from you, it will prompt you for the information.
The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, go to “Manually Configuring the Internet Connection” on page 19 following this section, or see “Troubleshooting the ISP Connection” on page 165. Note: If the configuration process was successful, you are connected to the Internet through WAN port 1.
4. In the ISP Type options, select the type of ISP connection you use from the three listed options. By default, “Other (PPPoE)” is selected, as shown below. (If your connection is PPPoE or PPTP, your ISP will require an initial login.) 5. If you have installed login software such as WinPoET or Enternet, then your connection type is PPPoE. If your ISP uses PPPoE as a login protocol: a. Select Other (PPPoE). b.
• My IP Address. IP address assigned by the ISP to make the connection with the ISP server. • Server IP Address. IP address of the PPTP server. 7. Review the Internet (IP) Address options. 8. If your ISP has not assigned a static IP address, click Get dynamically from ISP. The ISP will automatically assign an IP address to the VPN firewall using the DHCP protocol.
The VPN firewall will attempt to connect to the NETGEAR website. If a successful connection is made, NETGEAR’s website appears. 13. If you intend to use a dual WAN mode, click the WAN2 ISP Settings tab and configure the WAN2 ISP settings using the same steps as WAN1.
• If you only have a single public Internet IP address, you MUST use NAT (the default setting). • If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.
To configure the dual WAN ports for Auto-Rollover: 1. Select Network Configuration > WAN Settings from the menu, and click the WAN Mode tab. The WAN Mode screen is displayed. 2. In the Port Mode section, select Auto-Rollover Using WAN port. 3. From the drop-down list, choose which WAN port will act as the primary link for this mode. 4.
Once a rollover occurs, an alert will be generated (see “E-Mail Notifications of Event Logs and Alerts” on page 68). When the VPN firewall detects that the failed primary WAN interface has been restored, it will automatically roll over again to the primary WAN interface.
Enter the following data in the Add Protocol Binding section on screen: a. Service. From the drop-down list, choose the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services” on page 57). b. Source Network.
After you have configured your account information in the VPN firewall, whenever your ISP-assigned IP address changes, the VPN firewall will automatically contact your DDNS service provider, log in to your account, and register your new IP address.
3. Click the information or registration link in the upper right corner for registration information. 4. Access the website of the DDNS service provider and register for an account (for example, for dyndns.org, go to http://www.dyndns.org). 5. For each WAN port, click the Yes radio button for Change DNS to and configure the active fields: a.
a. MTU Size. The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs, you may need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection. b. Port Speed. In most cases, your VPN firewall can automatically determine the connection speed of the WAN port.
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2. This chapter contains the following sections: • “Choosing the VPN Firewall DHCP Options” on this page. • “Configuring the LAN Setup Options” on page 31. • “Managing Groups and Hosts (LAN Groups)” on page 34. • “Configuring Multi Home LAN IP Addresses” on page 38. • “Configuring Static Routes” on page 39.
between 192.168.1.2 and 192.168.1.100, although you may wish to save part of the range for devices with fixed addresses. The VPN firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP address from the range you have defined. • Subnet mask. • Gateway IP address (the VPN firewall’s LAN IP address). • Primary DNS server (the VPN firewall’s LAN IP address).
Note: If you enable the DHCP Relay feature, you will not use the VPN firewall as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network. 1. Go to Network Configuration > LAN Settings to display the LAN Setup screen. 2. In the LAN TCP/IP Setup section, configure the following settings: • IP Address. The LAN address of your VPN firewall (factory default: 192.168.1.1).
3. In the DHCP section, select Disable DHCP Server, Enable DHCP Server, or DHCP Relay. By default, the VPN firewall will function as a DHCP server, providing TCP/IP configuration settings for all computers connected to the VPN firewall's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, click Disable DHCP Server.
commas and without any blank spaces. For most users, the search base is a variation of the domain name. For example, if your domain is yourcompany.com, your search base dn might be as follows: dc=yourcompany,dc=com. • port. Specifies the port number that the LDAP server is using. Leave this field blank for the default port. 4. In the Advanced Settings section, configure the following settings: • Enable DNS Proxy.
Some advantages of the LAN Groups Database are: • Generally, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the desired PC or device. • No need to reserve an IP address for a PC in the DHCP server. All IP address assignments made by the DHCP server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you.
The Known PCs and Devices table lists the entries in the LAN Groups Database. For each computer or device, the following fields are displayed: • Name. The name of the PC or device. For computers that do not support the NetBIOS protocol, this will be listed as “Unknown” (you can edit the entry manually to add a meaningful name).
3. (Optional) To enable DHCP Address Reservation after the entry is in the table, select the checkbox for the new table entry and click Save Binding to bind the IP address to the MAC address for DHCP assignment. Changing Group Names in the LAN Groups Database By default, the LAN Groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as Engineering or Marketing.
Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the VPN firewall. This allows the VPN firewall to act as a gateway to additional logical subnets on your LAN.
Configuring Static Routes Static Routes provide additional routing information to your VPN firewall. Under normal circumstances, the VPN firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
10. Enter the Metric priority for this route. If multiple routes to the same destination exist, the route with the lowest metric is chosen (the value must be between 1 and 15). 11. Click Apply to save your settings. The new static route will be added to the Static Routes table.
• In Only. The VPN firewall accepts RIP information from other routers, but does not broadcast its routing table. 4. From the RIP Version drop-down list, choose the version from the following options: • Disabled. The default selection; disables RIP. • RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version. • RIP-2. Supports subnet information.
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 to protect your network. This chapter contains the following sections: • “About Firewall Protection and Content Filtering” on this page. • “Using Rules to Block or Allow Specific Kinds of Traffic” on page 43. • “Configuring Other Firewall Features” on page 54.
A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions.
• Customized Services. Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services” on page 57). • Quality of Service (QoS) priorities. Each service has its own native priority, which affects its quality of performance and its tolerance for jitter or delays.
Table 4-3. Outbound Rules (Continued)
• WAN Users. Specifies which Internet locations are covered by the rule, based on their IP address. Select the desired option:
- Any: All Internet IP addresses are covered by this rule.
- Single address: Enter the required address in the start field.
- Address range: If this option is selected, you must enter the start and end fields.
DNS so that external users can always find your network (see “Configuring Dynamic DNS (Optional)” on page 26). • If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature to keep the PC’s IP address constant (see “Configuring DHCP Address Reservation” on page 37).
Table 4-4. Inbound Rules (Continued)
• LAN users. This field appears only with NAT routing (not classical routing). Specifies which computers on your network are affected by this rule. Select the desired option:
- Any: All PCs and devices on your LAN.
- Single address: Enter the required address and the rule will be applied to that particular PC.
Viewing the Rules To view the firewall rules: Select Security > Firewall from the menu. The LAN WAN Rules screen is displayed. The following figure shows some examples: Order of Precedence for Rules As you define new rules, they are added to the tables in the LAN WAN Rules screen as the last item in the table, as shown in the previous example, Viewing the Rules.
Creating a LAN WAN Outbound Services Rule An outbound rule will block or allow the selected application from an internal IP LAN address to an external WAN IP address according to the schedule created on the Schedule screen. You can also tailor these rules to your specific needs (see “Administrator Tips” on page 69). Note: This feature is for advanced administrators only! Incorrect configuration will cause serious problems.
To create a new inbound service rule in the LAN WAN Rules screen: 1. Click Add under the Inbound Services table to display the Add LAN WAN Inbound Service screen. 2. Configure the parameters based on the descriptions in Table 4-4 on page 46. 3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Inbound Services table.
Inbound Rules Examples LAN WAN Inbound Rule: Hosting a Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. In the example shown in , unrestricted access is provided from the Internet to the local Web server at LAN IP address 192.168.1.99.
LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses will be used as the primary IP address of the VPN firewall. This address will be used to provide Internet access to your LAN PCs through NAT.
To expose one of the PCs on your LAN as this host: 1. Create an inbound rule that allows all protocols. 2. Place the new rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer on your LAN is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
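The three inbound rule examples above (public Web server, one-to-one NAT mapping, exposed host) all depend on the order of precedence: rules are consulted in table order, the first match wins, and anything unmatched falls to the default inbound policy. The following Python model is an added example, not NETGEAR firmware or code from this manual; the public addresses, LAN hosts and rule names are constructed, and the `audit` check that flags an allow-all rule placed anywhere but last is an assumption about what an administrator would want to verify before applying the table.

```python
"""Model of LAN WAN inbound rule evaluation: rules are checked in table order,
the first match decides, and unmatched traffic hits the default inbound policy
(BLOCK). All addresses below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PRIMARY_WAN = "203.0.113.10"  # constructed primary public address of the firewall


@dataclass
class Rule:
    name: str
    action: str                                # "ALLOW" or "BLOCK"
    service: Optional[Tuple[str, int]] = None  # (protocol, port); None = any service
    wan_users: Optional[str] = None            # source CIDR ("WAN Users"); None = Any
    public_ip: Optional[str] = None            # destination public IP; None = primary WAN
    send_to: Optional[str] = None              # LAN host that receives allowed traffic


@dataclass
class Packet:
    src: str      # Internet source address
    dst: str      # public address the packet arrived on
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when service, source and destination all fit."""
    if rule.service is not None and rule.service != (pkt.proto, pkt.dport):
        return False
    if rule.wan_users is not None and ip_address(pkt.src) not in ip_network(rule.wan_users):
        return False
    return pkt.dst == (rule.public_ip or PRIMARY_WAN)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str], str]:
    """Return (action, LAN target, reason) from the first matching rule in table order."""
    for rule in rules:
        if matches(rule, pkt):
            target = rule.send_to if rule.action == "ALLOW" else None
            return rule.action, target, rule.name
    return "BLOCK", None, "default inbound policy"


def audit(rules: List[Rule]) -> List[str]:
    """Flag allow-all rules: if one is not last it shadows every rule below it,
    and even when last it exposes its LAN host to all Internet traffic."""
    warnings = []
    for i, rule in enumerate(rules):
        if rule.action == "ALLOW" and rule.service is None and rule.wan_users is None:
            below = len(rules) - 1 - i
            if below:
                warnings.append(f"'{rule.name}' allows all protocols but is not last; "
                                f"{below} rule(s) below it never match")
            else:
                warnings.append(f"'{rule.name}' exposes {rule.send_to} to all Internet traffic")
    return warnings


# Constructed rule table following the manual's three examples, in table order.
WEB_SERVER = Rule("public web server", "ALLOW", ("TCP", 80), send_to="192.168.1.99")
MAIL_1TO1 = Rule("one-to-one mail", "ALLOW", ("TCP", 25),
                 public_ip="203.0.113.11", send_to="192.168.1.20")
EXPOSED = Rule("exposed host", "ALLOW", send_to="192.168.1.50")  # placed last
RULES = [WEB_SERVER, MAIL_1TO1, EXPOSED]

if __name__ == "__main__":
    for p in (Packet("198.51.100.7", PRIMARY_WAN, "TCP", 80),
              Packet("198.51.100.7", PRIMARY_WAN, "TCP", 22),
              Packet("198.51.100.7", "203.0.113.11", "UDP", 53)):
        print(p, "->", evaluate(RULES, p))
    print(audit(RULES))
    print(audit([EXPOSED, WEB_SERVER, MAIL_1TO1]))  # exposed host wrongly placed first
```

Evaluating the same TCP/22 packet with and without the exposed-host rule shows what that rule gives away: it turns a default block into a forward to 192.168.1.50.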
Configuring Other Firewall Features You can configure attack checks, set session limits, and manage the Application Level Gateway (ALG) for SIP sessions. Attack Checks The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the LAN and WAN networks. To enable the appropriate Attack Checks for your environment: 1.
When blocking is enabled, the VPN firewall will limit the lifetime of partial connections and will be protected from a SYN flood attack. • LAN Security Checks. - Block UDP flood. A UDP flood is a form of denial of service attack in which the attacking machine sends a large number of UDP packets to random ports on the victim host.
To configure session limits: 1. Select Security > Firewall > Session Limit to display the Session Limit screen. 2. Click Yes to enable Session Limits. 3. From the drop-down list, select whether you will limit sessions by percentage or by absolute number. The percentage is computed based on the total connection capacity of the device.
Creating Services, QoS Profiles, and Bandwidth Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: • Services. A service narrows down the firewall rule to an application and a port number. For information about adding services, see “Adding Customized Services” on page 57. • QoS profiles.
To add a custom service: 1. Select Security > Services from the menu. The Services screen is displayed. 2. In the Add Custom Services section, enter a descriptive name for the service (this name is for your convenience). 3. Select the Layer 3 transport protocol of the service: TCP, UDP, or ICMP. 4. For TCP or UDP services, enter the first port of the range that the service uses. For ICMP services, enter the ICMP Type number.
• Select Security > Firewall > LAN WAN Rules, and then click Add for Outbound Services to open the Add LAN WAN Outbound Services screen. The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall. A priority is assigned to IP packets using this service. Priorities are defined by the “Type of Service (ToS) in the Internet Protocol Suite” standards, RFC 1349.
To create a bandwidth profile: 1. Select Security > Bandwidth Profile from the menu. The List of Bandwidth Profiles table displays existing profiles. 2. To create a new bandwidth profile, click Add to open the Add Bandwidth Profile screen. 3. Enter the following information: a. Enter a Profile Name. This name will be available in the firewall rules definition screens. b.
To edit a bandwidth profile: 1. Click the Edit link adjacent to the profile you want to edit. The Edit Bandwidth Profile screen is displayed. (This screen shows the same fields as the Add New Bandwidth Profile screen.) 2. Modify the settings that you wish to change. 3. Click Apply. Your modified profile is displayed in the Bandwidth Profile table. To remove an entry from the table, select the profile and click Delete.
Blocking Internet Sites (Content Filtering) To restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
You can bypass Keyword blocking for trusted domains by adding the exact matching domain to the Trusted Domains table. Access to the domains or keywords in the Trusted Domains table by PCs, even those in the groups for which keyword blocking has been enabled, will still be allowed without any blocking. Keyword application examples: • If the keyword “XXX” is specified, the URL
2. Select Yes to enable content filtering. 3. Click Apply to activate the screen controls. 4. Select any Web Components you wish to block and click Apply. 5. Select the groups to which keyword blocking will apply, then click Enable to activate keyword blocking (or Disable to deactivate keyword blocking). 6. Enter your list of blocked keywords or domain names in the Blocked Keyword fields. After each entry, click Add.
2. Select the Source MAC Filter tab. 3. Click Yes to enable Source MAC Filtering. 4. Select the action to be taken on outbound traffic from the listed MAC addresses: - Block this list and permit all other MAC addresses. - Permit this list and block all other MAC addresses. 5. Enter a MAC Address in the Add Source MAC Address field and click Add. The MAC address will appear in the MAC Addresses table.
To enable IP/MAC address binding enforcement and alerts: 1. Select Security > Address Filter from the menu. 2. Select the IP/MAC Binding tab to display the Source MAC Filter screen. 3. In the Email IP/MAC Violations section of the screen, check the Yes radio button to enable IP/MAC address binding enforcement and alerts. E-mail alerts must be enabled (see “E-Mail Notifications of Event Logs and Alerts” on page 68). 4.
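The Source MAC Filter (block-list or permit-list) and IP/MAC Binding enforcement described above are two checks applied to traffic leaving the LAN. The Python model below is an added example, not NETGEAR code; it assumes that a bound IP address seen with a different MAC, or a bound MAC claiming a different IP, is a violation that is dropped and recorded for the e-mail alert. MAC and IP values are constructed, and the accepted MAC spellings (colon, dash, or dotted form) are an assumption for convenience.

```python
"""Model of the Source MAC Filter and IP/MAC Binding checks on LAN traffic.
The MAC list acts as a block-list or a permit-list; a binding ties one LAN IP
address to one MAC address, and a packet that pairs either side with something
else is a recorded violation. All addresses here are constructed samples."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AddressFilter:
    mac_filter_on: bool = False
    permit_list: bool = False     # True: permit the list, block others; False: block the list
    mac_list: Set[str] = field(default_factory=set)
    bindings: Dict[str, str] = field(default_factory=dict)   # LAN IP -> MAC
    enforce_bindings: bool = False
    violations: List[str] = field(default_factory=list)      # what the alert e-mail would carry

    def add_mac(self, mac: str) -> None:
        self.mac_list.add(normalize_mac(mac))

    def bind(self, ip: str, mac: str) -> None:
        self.bindings[ip] = normalize_mac(mac)

    def check(self, src_ip: str, src_mac: str) -> Tuple[str, str]:
        """Return ("PASS" | "DROP", reason) for a packet sent from src_ip / src_mac."""
        mac = normalize_mac(src_mac)
        # Source MAC filter: listed-ness must agree with the permit/block mode.
        if self.mac_filter_on and (mac in self.mac_list) != self.permit_list:
            return "DROP", "source MAC filter"
        if self.enforce_bindings:
            bound_mac = self.bindings.get(src_ip)
            if bound_mac is not None and bound_mac != mac:
                return self._violation(f"{src_ip} is bound to {bound_mac} but was sent from {mac}")
            bound_ip = next((ip for ip, m in self.bindings.items() if m == mac), None)
            if bound_ip is not None and bound_ip != src_ip:
                return self._violation(f"{mac} is bound to {bound_ip} but claimed {src_ip}")
        return "PASS", "ok"

    def _violation(self, detail: str) -> Tuple[str, str]:
        self.violations.append(detail)
        return "DROP", "IP/MAC binding violation: " + detail


if __name__ == "__main__":
    f = AddressFilter(mac_filter_on=True, permit_list=False, enforce_bindings=True)
    f.add_mac("00-11-22-33-44-55")                 # block-listed device
    f.bind("192.168.1.10", "aa:bb:cc:dd:ee:01")    # printer pinned to its MAC
    for ip, mac in (("192.168.1.50", "00:11:22:33:44:55"),
                    ("192.168.1.10", "AA:BB:CC:DD:EE:01"),
                    ("192.168.1.10", "aa:bb:cc:dd:ee:02"),
                    ("192.168.1.99", "aa:bb:cc:dd:ee:01")):
        print(ip, mac, "->", f.check(ip, mac))
    print("violations:", f.violations)
```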
range of ports. Using this feature requires that you know the port numbers used by the application. Port triggering allows computers on the private network (LAN) to request that one or more ports be forwarded to them. Unlike basic port forwarding which forwards ports to only one preconfigured IP address, port triggering waits for an outbound request from the private network on one of the defined outgoing ports.
To add a port triggering rule: 1. Select Security > Port Triggering to display the Port Triggering screen. 2. Enter a user-defined name for this rule in the Name field. 3. In the Enable field, indicate if the rule is enabled or disabled. 4. In the Protocol field, choose either TCP or UDP transport protocol. 5. In the Outgoing (Trigger) Port Range fields: a. Enter the Start Port range (1 - 65534). b.
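The port triggering behaviour described above, as an added Python model that is not NETGEAR code from this manual: an outbound connection from a LAN host on a rule's trigger port opens that rule's incoming port range toward that host only, and the opening closes again once it idles out. The rule names, port ranges, LAN hosts and the 600-second idle timeout are constructed assumptions, as is the choice that a later trigger from a different host takes the rule over.

```python
"""Model of port triggering: a rule's incoming port range is closed until a
LAN host sends traffic on the rule's outgoing (trigger) port; it is then
opened only toward that host and only until it idles out. Unlike static port
forwarding, nothing is reachable from outside while no host has triggered.
All ports, hosts and timeouts here are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class TriggerRule:
    name: str
    proto: str                  # "TCP" or "UDP"
    trigger: Tuple[int, int]    # outgoing (trigger) port range, inclusive
    incoming: Tuple[int, int]   # incoming port range opened toward the triggering host
    enabled: bool = True


@dataclass
class PortTrigger:
    rules: List[TriggerRule]
    timeout: float = 600.0      # idle seconds before the opening closes (assumed value)
    # (rule name, proto) -> (LAN host that triggered, time of last activity)
    active: Dict[Tuple[str, str], Tuple[str, float]] = field(default_factory=dict)

    def outbound(self, lan_host: str, proto: str, dport: int, now: float) -> Optional[str]:
        """LAN host sent traffic to dport; open every enabled rule it triggers for that host.
        A new trigger from another host replaces the previous one (model assumption)."""
        opened = None
        for r in self.rules:
            if r.enabled and r.proto == proto and r.trigger[0] <= dport <= r.trigger[1]:
                self.active[(r.name, proto)] = (lan_host, now)
                opened = r.name
        return opened

    def inbound(self, proto: str, dport: int, now: float) -> Optional[str]:
        """Return the LAN host that receives this inbound packet, or None if it is dropped."""
        for r in self.rules:
            if not (r.enabled and r.proto == proto and r.incoming[0] <= dport <= r.incoming[1]):
                continue
            key = (r.name, proto)
            entry = self.active.get(key)
            if entry is None:
                continue                         # rule exists but nobody has triggered it
            host, last_seen = entry
            if now - last_seen > self.timeout:
                del self.active[key]             # opening idled out: back to closed
                continue
            self.active[key] = (host, now)       # activity keeps the opening alive
            return host
        return None


if __name__ == "__main__":
    pt = PortTrigger([TriggerRule("voice", "UDP", (6000, 6000), (20000, 20100)),
                      TriggerRule("game", "TCP", (7000, 7010), (30000, 30050), enabled=False)])
    print(pt.inbound("UDP", 20050, 0.0))                 # None: not triggered yet
    print(pt.outbound("192.168.1.30", "UDP", 6000, 10.0))  # "voice"
    print(pt.inbound("UDP", 20050, 20.0))                # 192.168.1.30
    print(pt.inbound("UDP", 20050, 20.0 + 601.0))        # None: idled out
```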
Firewall Logs & E-mail screen. To configure e-mail or syslog notification, or to view the logs, see “Activating Notification of Events and Alerts” on page 150. Administrator Tips Consider the following operational items: • As an option, you can enable remote management if you have to manage distant sites from a central location (see “Enabling Remote Management Access” on page 139).
Chapter 5 Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections: • “Considerations for Dual WAN Port Systems” on this page. • “Using the VPN Wizard for Client and Gateway Configurations” on page 72.
The following diagrams and table show how the WAN mode selection relates to VPN configuration.
Using the VPN Wizard for Client and Gateway Configurations
You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies.
2. Click the VPN Wizard tab. To view the wizard default settings, click the VPN Wizard Default Values link. You can modify these settings after completing the wizard.
3. Select Gateway as your connection type.
4. Create a Connection Name. Enter a descriptive name for the connection. This name is used to help you manage the VPN settings; it is not supplied to the remote VPN endpoint.
5. Enter a Pre-shared Key.
Tip: To ensure that tunnels stay active, after completing the wizard, edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive.
• The remote WAN IP address must be a public address or the Internet name of the remote gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as registered in a Dynamic DNS service.
After both firewalls are configured, go to VPN > IPsec VPN > Connection Status to display the status of your VPN connections.
Use the VPN Wizard to Configure the Gateway for a Client Tunnel
1. Select VPN > IPsec VPN from the menu.
2. Click the VPN Wizard tab to display the VPN Wizard screen.
3. Select VPN Client as your VPN tunnel connection.
4. Create a Connection Name such as “Client to GW1”. This descriptive name is not supplied to the remote VPN client; it is only for your reference.
5.
7. The public Remote and Local Identifiers are automatically filled in by prepending the first several letters of the model number of your gateway to form FQDNs used in the VPN policies. In this example, we are using GW1_remote.com and GW1_local.com.
2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1. Fill in the other options according to the instructions below.
• Under Connection Security, verify that the Secure radio button is selected.
• In the ID Type field, choose IP Subnet.
3. In the left frame, click My Identity. Fill in the options according to the instructions below.
• From the Select Certificate drop-down list, choose None.
• Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using “r3m0+eClient”.
• From the ID Type drop-down list, choose Domain Name.
• Leave Virtual Adapter disabled.
• On the left, expand Authentication (Phase 1) and click Proposal 1. No changes are needed.
• On the left, expand Key Exchange (Phase 2) and click Proposal 1. No changes are needed.
5. In the upper left of the window, click the disk icon to save the policy.
Testing the Connections and Viewing Status Information
Both the NETGEAR VPN Client and the VPN firewall provide VPN connection and status information.
• Right-click the VPN Client icon in the system tray and select Log Viewer.
Figure 5-9 Log Viewer
• Right-click the VPN Client icon in the system tray and select Connection Monitor.
Figure 5-10 Connection Monitor
The VPN client system tray icon provides status indications, which are listed below.
Table 5-6. System Tray Icon Status
The client policy is deactivated.
The client policy is deactivated but not connected.
VPN Firewall VPN Connection Status and Logs
To view VPN firewall VPN connection status, go to VPN > Connection Status. You can set a poll interval (in seconds) to check the connection status of all active IKE policies to obtain the latest VPN tunnel activity. The Active IPSec SA(s) table also lists current data for each active IPsec SA (security association):
• Policy Name.
Managing VPN Policies
After you use the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name you selected as the VPN tunnel connection name during Wizard setup identifies both the VPN policy and IKE policy. You can edit existing policies, or add new VPN and IKE policies directly in the policy tables.
The IKE Policies Screen
When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies table on the IKE Policies screen and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the IKE Policies screen. Go to VPN > IKE Policies to view the IKE Policies screen.
Configuring VPN Policies
You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
• Manual. All settings (including the keys) for the VPN tunnel are manually entered at each end (both VPN Endpoints). No third-party server or organization is involved.
• Auto.
• Auth. Authentication algorithm used for the VPN tunnel. The default setting using the VPN Wizard is SHA1. (This setting must match the remote VPN.)
• Encr. Encryption algorithm used for the VPN tunnel. The default setting using the VPN Wizard is 3DES. (This setting must match the remote VPN.)
• Action. Allows you to access individual policies to make any changes or modifications.
To enable and configure XAUTH:
1. Select VPN > IPsec VPN from the menu.
2. Click the IKE Policies tab. The IKE Policies screen is displayed.
3. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified, or you can create a new IKE Policy incorporating XAUTH by clicking Add.
4. In the Extended Authentication section, choose from the drop-down list the Authentication Type that will be used to verify user account information. Select one of the following:
• Edge Device to use this VPN firewall as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways.
To configure RADIUS servers:
1. Select VPN > IPsec VPN from the menu, and then click the RADIUS Client tab.
2. To activate (enable) the primary RADIUS server, click the Yes radio button. The primary server options become active.
3. Configure the following entries:
• Primary RADIUS Server IP address. The IP address of the RADIUS server.
• Secret Phrase.
Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens.
Assigning IP Addresses to Remote Users (ModeConfig)
To simplify the process of connecting remote VPN clients to the VPN firewall, you can use the ModeConfig screen to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the VPN firewall.
Configuring Mode Config Operation on the VPN Firewall
You need to configure two screens to configure Mode Config operation on the VPN firewall: the Mode Config screen and the IKE Policies screen.
To configure the Mode Config screen:
1. Select VPN > IPsec VPN from the menu.
2. Click the Mode Config tab. The Mode Config screen is displayed.
3. Click Add. The Add Mode Config Record screen is displayed.
4.
6. If you have a WINS Server on your local network, enter its IP address.
7. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
8. If you enable Perfect Forward Secrecy (PFS), choose DH Group 1 or 2. This setting must exactly match the configuration of the remote VPN client.
9. Specify the Local IP Subnet to which the remote client will have access.
3. In the Mode Config Record section, enable Mode Config by checking the Yes radio button and selecting the Mode Config record you just created from the drop-down list. (To view the parameters of the selected record, click the view selected button.) Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel are defined by an FQDN.
4.
Note: If RADIUS-PAP is selected, the VPN firewall first checks the User Database to see if the user credentials are available. If the user account is not present, the VPN firewall then connects to the RADIUS server.
12. Click Apply. The new policy will appear in the List of IKE Policies table.
e. Select your Internet Interface adapter in the Name field.
3. On the left side of the menu, choose Security Policy.
a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
b. Check the Enable Perfect Forward Secrecy (PFS) box, and choose Diffie-Hellman Group 2 from the PFS Key Group drop-down list.
c. Enable Replay Detection should be checked.
4.
2. Click the VPN Policies tab, then click the Edit button next to the desired VPN policy.
3. In the General section of the Edit VPN Policy screen, locate the keepalive configuration settings, as shown in .
4. Click the Yes radio button to enable keepalive.
5. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests.
6.
3. In the IKE SA Parameters section of the Edit IKE Policy screen, locate the Dead Peer Detection configuration settings, as shown in .
4. Click the Yes radio button to Enable Dead Peer Detection.
5. Enter the Detection Period to set the interval between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPSec traffic is idle. The default is 10 seconds.
6.
3. In the General section of the Edit VPN Policy screen, click the Enable NetBIOS checkbox.
4. Click Apply at the bottom of the screen.
Virtual Private Networking Using SSL 6
The NETGEAR VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s PC.
5. For port forwarding, declare the servers and services. Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names with these servers. The VPN firewall will resolve the names to the servers using the list you have created.
6. For VPN tunnel service, configure the virtual network adapter.
by clicking the default button in the Action column of the List of Layouts table, to the right of the desired portal layout.
To create a new Portal Layout:
1. Select VPN > SSL VPN from the menu, and then select the Portal Layouts tab.
2. Click Add. The Add Portal Layout screen is displayed.
3. In the Portal Layout and Theme Name section of the screen, configure these entries:
a.
Only alphanumeric characters, hyphen (-), and underscore (_) are accepted for the Portal Layout Name. If you enter other types of characters or spaces, the layout name will be truncated before the first non-alphanumeric character. Note that unlike most other URLs, this name is case sensitive.
b. In the Portal Site Title field, enter a title that will appear at the top of the user’s web browser window.
c.
Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user’s web browser cache.
e. Check the ActiveX web cache cleaner checkbox to load an ActiveX cache control when users log in to the SSL VPN portal. The web cache cleaner will prompt the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window.
Adding Servers
To configure Port Forwarding, you must define the internal host machines (servers) and TCP applications available to remote users. To add servers, follow these steps:
1. Select VPN > SSL VPN from the menu, and then select the Port Forwarding tab.
2. In the Add New Application for Port Forwarding section of the screen, enter the IP address of an internal server or host computer.
3.
4. Click Add. The “Operation Succeeded” message appears at the top of the tab, and the new application entry is listed in the List of Configured Applications for Port Forwarding table.
5. Repeat this process to add other applications for use in port forwarding.
Adding A New Host Name
Once the server IP address and port information has been configured, remote users will be able to access the private network servers using Port Forwarding.
• If you assign an entirely different subnet to the VPN tunnel clients than the subnet used by the corporate network, you must:
- Add a client route to configure the VPN tunnel client to connect to the corporate network using the VPN tunnel.
- Create a static route on the corporate network’s firewall to forward local traffic intended for the VPN tunnel clients to the VPN firewall.
5. In the Client Address Range Begin field, enter the first IP address of the IP address range.
6. In the Client Address Range End field, enter the last IP address of the IP address range.
7. Click Apply. The “Operation Successful” message appears at the top of the tab. VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IP address in the client address range.
Replacing and Deleting Client Routes
If an existing route is no longer needed, or if the specifications of an existing route need to be changed, follow these steps:
1. Make a new entry with the correct specifications. (This step is not applicable if you only want to delete the route.)
2. In the Configured Client Routes table, click the Delete button adjacent to the out-of-date route entry.
The “Operation Successful” message appears at the top of the tab, and the newly added resource name appears in the Defined Resource Addresses table.
5. Next to the new resource, click the Edit button. The Add Resource Addresses screen is displayed.
6. From the Object Type drop-down list, select one of the following:
• IP Address. Enter an IP address or fully qualified domain name in the IP Address/Name field.
• IP Network.
takes precedence over a policy applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Hostnames are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource.
Viewing SSL VPN Policies
To view the existing SSL VPN policies:
1. Select VPN > SSL VPN from the menu, and then select the Policies tab.
2. Make your selection from the following Query options:
• Click Global to view all global policies.
• Click Group to view group policies, and choose the relevant group’s name from the drop-down list.
• Click User to view user policies, and choose the relevant user’s name from the drop-down list.
3. Click the Display button.
Adding an SSL VPN Policy
To add an SSL VPN Policy:
1. Select VPN > SSL VPN from the menu, and select the Policies tab. The Policies screen is displayed.
2. Make your selection from the following Query options:
• Click Global if this new policy is to exclude all users and groups.
• Click Group if this new policy is to be limited to a selected group. Open the drop-down list and choose the relevant group’s name.
• If you choose Network Resource, you will need to enter a descriptive Policy Name, then choose a Defined Resource and relevant Permission (PERMIT or DENY) from the pull-down lists. If a needed network resource has not been defined, you can add it before proceeding with this new policy. See “Adding New Network Resources” on page 109.
• If you choose All Addresses, you will need to enter a descriptive Policy Name, then choose the Service and relevant Permission from the drop-down lists.
5. When you are finished making your selections, click Apply. The Policies screen reappears. Your policy goes into effect immediately and is added to the policies in the List of SSL VPN Policies table on this screen.
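The precedence rule stated earlier (an individual address or hostname beats a range, a smaller range beats a larger one, and a policy on All Addresses comes last), applied to the PERMIT/DENY policies that the add procedure above creates, as an added Python model that is not NETGEAR's code. It decides address specificity only and does not model the user/group/global layering; the service names, the "ALL" target keyword, the tie-break between equal-sized targets, and the default verdict are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "All Addresses" must rank below every real range, so it gets a size above the IPv4 space.
ALL_ADDRESSES_SIZE = 2 ** 33


@dataclass(frozen=True)
class SslVpnPolicy:
    name: str
    target: str       # "ALL", a single IP, a "first-last" IP range, a CIDR network, or a hostname
    service: str      # service the policy covers; "ALL" covers every service (naming assumed)
    permission: str   # "PERMIT" or "DENY"


def _parse_range(target: str):
    """Return (first, last) for a 'first-last' IP range, else None (e.g. a hyphenated hostname)."""
    if "-" not in target:
        return None
    try:
        first, last = (ipaddress.ip_address(p.strip()) for p in target.split("-", 1))
    except ValueError:
        return None
    if first.version != last.version or int(first) > int(last):
        return None
    return first, last


def coverage(target: str, dest: str) -> Tuple[bool, int]:
    """Return (matches, size): whether target covers dest and how many addresses it spans.

    size is the precedence key: the smaller the span, the more specific the policy.
    A single IP or a hostname spans 1; a range or network spans its address count;
    'ALL' spans ALL_ADDRESSES_SIZE so that it always loses to a real target.
    """
    if target == "ALL":
        return True, ALL_ADDRESSES_SIZE
    try:
        dest_ip = ipaddress.ip_address(dest)
    except ValueError:
        dest_ip = None                      # dest is a hostname
    if "/" in target:
        net = ipaddress.ip_network(target, strict=False)
        return dest_ip is not None and dest_ip in net, net.num_addresses
    rng = _parse_range(target)
    if rng is not None:
        first, last = rng
        hit = (dest_ip is not None and dest_ip.version == first.version
               and int(first) <= int(dest_ip) <= int(last))
        return hit, int(last) - int(first) + 1
    try:
        return dest_ip == ipaddress.ip_address(target), 1
    except ValueError:                      # target is a hostname: exact, case-insensitive match
        return dest_ip is None and dest.lower() == target.lower(), 1


def decide(policies: List[SslVpnPolicy], dest: str, service: str,
           default: str = "DENY") -> Tuple[str, Optional[str]]:
    """Pick the most specific matching policy and return (permission, policy name).

    Ties between equal-sized targets are not specified by the manual; here the first
    configured policy wins (assumption). With no matching policy, `default` applies.
    """
    best = None
    for policy in policies:
        if policy.service not in ("ALL", service):
            continue
        hit, size = coverage(policy.target, dest)
        if hit and (best is None or size < best[0]):
            best = (size, policy)
    if best is None:
        return default, None
    return best[1].permission, best[1].name


# Constructed policy set: permit the LAN, deny a block of database servers inside it,
# but let one of them through for Port Forwarding, and name a host explicitly.
POLICIES = [
    SslVpnPolicy("deny-all", "ALL", "ALL", "DENY"),
    SslVpnPolicy("lan-permit", "192.168.1.0/24", "ALL", "PERMIT"),
    SslVpnPolicy("db-deny", "192.168.1.50-192.168.1.59", "ALL", "DENY"),
    SslVpnPolicy("db-admin-pf", "192.168.1.55", "Port Forwarding", "PERMIT"),
    SslVpnPolicy("intranet", "intranet.example", "ALL", "PERMIT"),
]

if __name__ == "__main__":
    for dest, svc in [("192.168.1.20", "VPN Tunnel"), ("192.168.1.55", "VPN Tunnel"),
                      ("192.168.1.55", "Port Forwarding"), ("intranet.example", "VPN Tunnel")]:
        print(dest, svc, "->", decide(POLICIES, dest, svc))
```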
Managing Users, Authentication, and Certificates 7
This chapter contains the following sections:
• “Adding Authentication Domains, Groups, and Users” on this page.
• “Managing Certificates” on page 124.
Adding Authentication Domains, Groups, and Users
You must create name and password accounts for all users who will connect to the VPN firewall. This includes administrators and SSL VPN clients.
Creating a Domain
The domain determines the authentication method to be used for associated users. For SSL VPN connections, the domain also determines the portal layout that will be presented, which in turn determines the network resources to which the associated users will have access. The default domain of the VPN firewall is named geardomain. You cannot delete the default domain.
To create a domain:
1. Select Users > Domains from the menu. The Domains screen is displayed.
2. Click Add. The Add Domain screen is displayed.
3. Configure the following fields:
a. Enter a descriptive name for the domain in the Domain Name field.
b. Select the Authentication Type. The required fields are activated in varying combinations according to your selection of Authentication Type:
Table 7-9.
To create a group:
1. Select Users > Groups from the menu. The Groups screen is displayed.
2. Configure the new group settings in the Add New Group section of the screen:
a. Name. Enter a descriptive name for the group.
b. Domain. Select the appropriate domain (only for Administrator or SSL VPN User).
c. Timeout.
2. Click Add. The Add User screen is displayed.
3. Configure the following fields:
a. User Name. Enter a unique identifier, using any alphanumeric characters.
b. User Type. Select either Administrator, SSL VPN User, or IPsec VPN User.
c. Select Group. Select from a list of configured groups. The user will be associated with the domain that is associated with that group.
d. Password/Confirm Password.
3. To prohibit this user from logging in from the WAN interface, select the Deny Login from WAN Interface checkbox. In this case, the user can log in only from the LAN interface.
Note: For security reasons, Deny Login from WAN Interface is checked by default for admin and guest.
4. Click Apply to save your settings.
To restrict logging in based on IP address:
1.
8. Repeat these steps to add additional addresses or subnets.
To restrict logging in based on the user’s browser:
1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure. The Login Policies screen is displayed.
2. Select the by Client Browser tab. The by Client Browser screen is displayed.
3.
2. In the Action column of the List of Users table, click Edit for the user for which you want to modify the settings. The Edit User screen is displayed.
3. Configure the following fields:
a. Select User Type. From the drop-down list, select one of the pre-defined user types that determines the access credentials:
• Administrator.
or clients, or to be authenticated by remote entities. The same Digital Certificates are extended for secure web access connections over HTTPS. Digital Certificates can be either self-signed or issued by Certification Authorities (CAs), such as an in-house Windows server or an external organization such as Verisign or Thawte.
Viewing and Loading CA Certificates
The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data:
• CA Identity (Subject Name). The organization or person to whom the certificate is issued.
• Issuer Name. The name of the CA that issued the certificate.
• Expiry Time. The date after which the certificate becomes invalid.
For each self certificate, the following data is listed:
• Name. The name you used to identify this certificate.
• Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all of your certificates should have the same value in the Subject field.
• Serial Number.
your registered business name or official company name. (Using the same name, or a derivation of the name, in the Title field would be useful.)
• From the drop-down lists, choose the following values:
- Hash Algorithm: MD5 or SHA1.
- Signature Algorithm: RSA.
- Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also decrease performance.)
3.
7. Submit your certificate request to a CA:
a. Connect to the website of the CA.
b. Start the Self Certificate request procedure.
c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”).
d. Submit the CA form. If no problems ensue, the certificate will be issued.
8. Store the certificate file from the CA on your computer.
To view your currently loaded CRLs and upload a new CRL:
1. Locate the Certificate Revocation Lists (CRL) table at the bottom of the Certificates screen. The CRL table lists your active CAs and their critical release dates:
• CA Identity – The official name of the CA that issued this CRL.
• Last Update – The date when this CRL was released.
• Next Update – The date when the next CRL will be released.
2.
VPN Firewall and Network Management 8 This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2. The VPN firewall offers many tools for managing the network traffic to optimize its performance. You can also control administrator access, be alerted to important events requiring prompt action, monitor the VPN firewall status, perform diagnostics, and manage the VPN firewall configuration file.
Bandwidth Capacity
The maximum bandwidth capacity of the VPN firewall in each direction is as follows:
• LAN side: 4000 Mbps (four LAN ports at 1000 Mbps each)
• WAN side: 2000 Mbps (load balancing mode, two WAN ports at 1000 Mbps each) or 1000 Mbps (rollover mode, one active WAN port at 1000 Mbps)
In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet.
Each rule lets you specify the desired action for the connections covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block
As you define your firewall rules, you can further refine their application according to the following criteria:
• LAN Users. These settings determine which computers on your network are affected by this rule.
3) for when a rule is to be applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. (See “Setting a Schedule to Block or Allow Specific Traffic” on page 61 for the procedure on how to use this feature.)
Port Forwarding
The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic.
• Destination Address. These settings determine the destination IP address for this rule, which will be applicable to incoming traffic. This rule will be applied only when the destination IP address of the incoming packet matches the IP address of the selected WAN interface. Selecting ANY enables the rule for any LAN IP destination. WAN1 and WAN2 correspond to the respective WAN interface governed by this rule.
• Services.
Using QoS to Shift the Traffic Mix
The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the VPN firewall. The QoS is set individually for each service.
• You can accept the default priority defined by the service itself by not changing its QoS setting.
To modify the Admin user account settings, including the password:
1. Select Users > Users from the menu.
2. Select the checkbox next to admin in the Name column, then click Edit in the Action column.
Enabling Remote Management Access
Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall” on page 15).
Note: Be sure to change the default configuration password of the VPN firewall to a very secure password.
c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
3. Configure the port number that will be used for secure HTTP management. The default port number is 443.
4.
Tip: If you are using a dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert FVS336Gv2.mynetgear.net, and the WAN IP address that your ISP assigned to the VPN firewall is displayed.
To create a new SNMP configuration entry:
1. Select Administration > SNMP from the menu. The SNMP screen is displayed.
2. Configure the following fields in the Create New SNMP Configuration Entry section:
a. Enter the IP address of the SNMP manager in the IP Address field and the subnet mask in the Subnet Mask field.
To modify the SNMP identification information:
1. The SNMP System Info option arrow at the top of the tab opens the SNMP SysConfiguration screen, which displays the SNMP system contact information available to the SNMP manager.
2. Modify any of the information that you want the SNMP Manager to use. You can edit the system contact, system location, and system name.
3. Click Apply to save your settings.
To back up settings:
1. Select Administration > Settings Backup and Firmware Upgrade from the menu. The Settings Backup and Firmware Upgrade screen is displayed.
2. Click Backup to save a copy of your current settings.
• If your browser is not set up to save downloaded files automatically, locate where you want to save the file, specify a file name, and click Save.
Reverting to Factory Default Settings
To reset the VPN firewall to the original factory default settings:
1. Click default.
2. Manually restart the VPN firewall in order for the default settings to take effect.
After rebooting, the VPN firewall’s password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and act as a DHCP client to the Internet.
WARNING! Do not try to go online, turn off the VPN firewall, shut down the computer, or do anything else to the VPN firewall until the VPN firewall finishes the upgrade! When the Test light turns off, wait a few more seconds before continuing.
4. After the VPN firewall has rebooted, check the firmware version in the Router Status screen to verify that your VPN firewall now has the new firmware installed.
4. Select an NTP Server option:
• Use Default NTP Servers. The RTC is updated regularly by contacting a NETGEAR NTP server on the Internet. A primary and secondary (backup) server are preloaded.
• Use Custom NTP Servers. To use a particular NTP server, enter the name or IP address of the NTP server in the Server 1 Name/IP Address field. You can enter the address of a backup NTP server in the Server 2 Name/IP Address field.
Chapter 9 Monitoring System Performance
This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2. You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the network storage, WAN ports, LAN ports, and VPN tunnels.
This chapter contains the following sections:
• “Enabling the Traffic Meter” on this page.
Enabling the Traffic Meter
If your ISP charges by traffic volume over a given period of time, or if you want to study traffic types over a period of time, you can activate the Traffic Meter for one or both WAN ports.
To monitor traffic limits on each of the WAN ports:
1. Select Monitoring > Traffic Meter from the menu, and then the WAN1 Traffic Meter tab. The WAN1 Traffic Meter screen is displayed:
2.
Note: Both incoming and outgoing traffic are included in the limit.
• Increase this month limit by. Temporarily increase the traffic limit if you have reached the monthly limit but need to continue accessing the Internet. Select the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so that the increase is only applied once.)
• This month limit.
login attempts; and other general information based on the settings that you enter on the Firewall Logs & E-mail screen. You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs by clicking the View Logs option arrow to the right of the tab.
8. In the Send E-mail logs by Schedule section, enter a schedule for sending the logs. From the Unit drop-down list, choose Never, Hourly, Daily, or Weekly. Then set the Day and Time fields that correspond to your selection.
9. In the Enable SysLogs section, you can configure the network storage to send system logs to an external PC that is running a syslog logging program.
Viewing the Logs
To view the logs, select Monitoring > Firewall Logs & E-mail from the menu, and then click the View Log link in the upper right-hand section of the screen. The Logs screen is displayed. If the E-mail Logs option has been enabled on the Firewall Logs & E-mail screen, you can send a copy of the log by clicking Send Log. Click Refresh Log to retrieve the latest update; click Clear Log to delete all entries.
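The syslog option above forwards the firewall's log to an external collector; what that collector should do with the lines is left to you. The following is an added example (not NETGEAR code) of a small collector that parses BSD-style syslog lines and raises the alerts this chapter lists (login failures, WAN rollover, traffic limit reached). The event tags, the source addresses and the sample lines are constructed, since the manual does not show the FVS336Gv2's exact message wording.

```python
import re
import socket
from collections import Counter

# Constructed sample lines in RFC 3164 syslog shape. The event tags in brackets
# are placeholders, not the firewall's real wording.
SAMPLE_SYSLOG = [
    "<14>Jul 12 10:01:02 FVS336Gv2 kernel: [LOGIN_FAIL] from 203.0.113.7 user=admin",
    "<14>Jul 12 10:01:09 FVS336Gv2 kernel: [LOGIN_FAIL] from 203.0.113.7 user=admin",
    "<14>Jul 12 10:01:15 FVS336Gv2 kernel: [LOGIN_FAIL] from 203.0.113.7 user=guest",
    "<14>Jul 12 10:02:00 FVS336Gv2 kernel: [LOGIN_OK] from 192.168.1.20 user=admin",
    "<12>Jul 12 10:05:30 FVS336Gv2 kernel: [WAN_ROLLOVER] WAN1 down, WAN2 now active",
    "<12>Jul 12 10:06:00 FVS336Gv2 kernel: [TRAFFIC_LIMIT] WAN1 monthly limit reached",
    "this line is not syslog and is skipped",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                        # PRI = facility * 8 + severity
    r"(?P<ts>\w{3} [ \d]\d \d{2}:\d{2}:\d{2}) "    # BSD timestamp
    r"(?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$"
)
EVENT_RE = re.compile(r"\[(?P<event>[A-Z_]+)\](?: from (?P<src>\d{1,3}(?:\.\d{1,3}){3}))?")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line):
    """Split one BSD-syslog line into fields; return None for non-syslog input."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                     # largest legal PRI (facility 23, severity 7)
        return None
    rec = {"facility": pri // 8, "severity": SEVERITY[pri % 8],
           "timestamp": m.group("ts"), "host": m.group("host"),
           "msg": m.group("msg"), "event": None, "src": None}
    e = EVENT_RE.search(rec["msg"])
    if e:
        rec["event"] = e.group("event")
        rec["src"] = e.group("src")
    return rec


def summarize(lines, fail_threshold=3):
    """Count login failures per source address and collect the events the
    chapter says the firewall can alert on (rollover, traffic limit reached)."""
    failures = Counter()
    notable = []
    for raw in lines:
        rec = parse_syslog(raw)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_FAIL" and rec["src"]:
            failures[rec["src"]] += 1
        elif rec["event"] in ("WAN_ROLLOVER", "TRAFFIC_LIMIT"):
            notable.append((rec["timestamp"], rec["event"], rec["msg"]))
    suspicious = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return {"login_failures": dict(failures),
            "suspicious_sources": suspicious, "notable": notable}


def receive_udp_syslog(bind_addr="0.0.0.0", port=5514, max_msgs=100):
    """Minimal UDP collector; syslog normally uses port 514, which needs root."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        lines = []
        while len(lines) < max_msgs:
            data, _peer = s.recvfrom(2048)
            lines.append(data.decode("utf-8", errors="replace").rstrip("\n"))
        return lines


if __name__ == "__main__":
    report = summarize(SAMPLE_SYSLOG)
    for ip, n in report["suspicious_sources"].items():
        print(f"ALERT: {n} failed logins from {ip}")
    for ts, event, msg in report["notable"]:
        print(f"{ts} {event}: {msg}")
```

Point the firewall's syslog setting at the collector's address and call `receive_udp_syslog()` in place of the constructed sample list to run the same summary over live lines.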
Viewing VPN Firewall Configuration and System Status
The Router Status screen provides status and usage information. To view the network storage configuration and system status: Select Monitoring > Router Status from the menu. The following information is displayed.
Table 9-3. Router Status Information
System Name: This is the Account Name that you entered on the WAN ISP Settings screen.
Table 9-3. Router Status Information (Continued)
WAN1 Configuration:
• WAN Mode: Single, Dual, or Rollover.
• WAN State: UP or DOWN.
• NAT: Enabled or Disabled.
• Connection Type: Static IP, DHCP, PPPoE, or PPTP.
• Connection State: Connected or Disconnected.
• WAN IP Address: The IP address of the WAN interface.
• Subnet Mask: The IP subnet mask of the WAN interface.
Monitoring the Status of WAN Ports
You can monitor the status of both of the WAN connections, the Dynamic DNS Server connections, and the DHCP Server connections.
To monitor the status of the WAN ports:
1. Select Network Configuration > WAN Settings from the menu. The WAN1 ISP Settings screen is displayed.
2. Click the WAN Status link in the upper right-hand section of the screen.
PCs and other LAN devices become known by these methods:
• DHCP Client Requests. By default, the DHCP server in the VPN firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the database. Because of this, leaving the DHCP Server feature enabled (on the LAN Setup screen) is strongly recommended.
• Scanning the Network.
2. Click the DHCP Log link to the right of the tabs. The DHCP Log appears in a popup window.
3. To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
Monitoring Active Users
The Active Users screen displays a list of administrators and SSL VPN users currently logged into the device.
To display the list of active users:
1. Select Monitoring > Active Users from the menu.
Viewing Port Triggering Status
To view the status of port triggering:
1. Select Security > Port Triggering from the menu.
2. When the Port Triggering screen is displayed, click the Status link to the right of the tab to display the Port Triggering Status screen. The status window displays the information that is shown in the following table.
Table 9-5.
Monitoring VPN Tunnel Connection Status
To review the status of current VPN tunnels:
1. Select VPN > Connection Status from the menu, and then select the IPsec VPN Connection Status tab. The IPsec Connection Status screen is displayed. The Active IPsec SAs table lists each active connection with the following information.
Table 9-6.
Viewing the VPN Logs
The VPN Logs screen gives log details for recent VPN activity.
1. Select Monitoring > VPN Logs from the menu, and select the IPsec VPN Logs tab. The IPsec VPN Logs screen is displayed.
2. Select the SSL VPN Logs tab to view SSL VPN log details. To view the most recent entries, click refresh log. To delete all the existing log entries, click clear log.
Chapter 10 Troubleshooting
This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2. After each problem description, instructions are provided to help you diagnose and solve the problem.
This chapter contains the following sections:
• “Basic Functions” on this page.
• “Troubleshooting the Web Configuration Interface” on page 164.
• “Troubleshooting the ISP Connection” on page 165.
Power LED Not On
If the Power and other LEDs are off when your VPN firewall is turned on:
• Make sure that the power cord is properly connected to your VPN firewall and that the power supply adapter is properly connected to a functioning power outlet.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.
Troubleshooting the Web Configuration Interface
If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the VPN firewall as described in the previous section.
• Make sure your PC’s IP address is on the same subnet as the VPN firewall.
Troubleshooting the ISP Connection
If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your VPN firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.
To check the WAN IP address:
1.
If your VPN firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet:
• Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use.
• Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and VPN firewall.
Wrong network configuration
- Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation.
• Use the reset button on the rear panel of the VPN firewall. Use this method for cases when the administration password or IP address is not known.
To restore the factory default configuration settings without knowing the administration password or IP address, you must use the reset button on the rear panel of the VPN firewall.
To restore the factory defaults:
1.
Select Monitoring > Diagnostics from the menu.
Table 10-7. Diagnostics
Ping or trace an IP address: Ping – Used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Appendix A Default Settings and Technical Specifications
You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset.
• To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the Test LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1.
• Pressing the reset button for a shorter period of time simply reboots your device.
Table A-1.
Table A-1.
Table A-3. SSL VPN Technical Specifications
Network Management: Web-based configuration and status monitoring
Concurrent Users Supported: 10 tunnels
Encryption: DES, 3DES, AES, MD5, SHA-1
Authentication: Local User database, RADIUS, LDAP, MS Active Directory
Certificates supported: X.
Appendix B Network Planning for Dual WAN Ports
This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports.
This appendix contains the following sections:
• “What You Need to Do Before You Begin” on this page.
• “Overview of the Planning Process” on page 177.
• “Inbound Traffic” on page 178.
• “Virtual Private Networks (VPNs)” on page 181.
What You Need to Do Before You Begin
The VPN firewall is a powerful and versatile solution for your networking needs.
- For load balancing mode, decide which protocols should be bound to a specific WAN port.
- You can also add your own service protocols to the list.
2. Set up your accounts
a. Obtain active Internet services such as cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information.
network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your VPN firewall.
Computer Network Configuration Requirements
The VPN firewall includes a built-in Web Configuration Manager.
- For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each screen.
- For Macintosh computers, open the TCP/IP or Network control panel. Record all the settings for each section.
Once you locate your Internet configuration parameters, you may want to print this Internet Connection Information form and record them.
Overview of the Planning Process
The areas that require planning when using a firewall that has dual WAN ports include:
• Inbound traffic (port forwarding, port triggering)
• Outbound traffic (protocol binding)
• Virtual private networks (VPNs)
The two WAN ports can be configured on a mutually-exclusive basis to either:
• Rollover for increased reliability, or
• Balance the load for outgoing traffic.
address of the active WAN port always changes. Hence, the use of a fully-qualified domain name is always required, even when the IP address of each WAN port is fixed.
Figure B-2
Features such as multiple exposed hosts are not supported when using dual WAN port rollover because the IP addresses of each WAN port must be in the identical range of fixed addresses.
The addressing of the VPN firewall’s dual WAN port depends on the configuration being implemented:
Table B-1.
Inbound Traffic: Dual WAN Ports for Improved Reliability
In the dual WAN port case with rollover, the WAN’s IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (that is, WAN1 or WAN2).
Virtual Private Networks (VPNs)
When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the VPN firewall’s dual WAN port depends on the configuration being implemented:
Table B-2.
Note: Once the gateway router WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address.
Figure B-7 Rollover with Dual WAN Ports
• Load Balancing Case for Dual Gateway WAN Ports
Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point.
VPN Road Warrior: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder.
Figure B-9 Road Warrior, Single WAN Port
The IP address of the gateway WAN port can be either fixed or dynamic.
After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder.
VPN Gateway-to-Gateway
The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall:
• Single gateway WAN ports
• Redundant dual gateway WAN ports for increased reliability (before and after rollover)
• Dual gateway WAN ports used for load balancing
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)
In the case of single WAN por
and port WAN_A2 is inactive at Gateway A; port WAN_B1 is active and port WAN_B2 is inactive at Gateway B.
Figure B-14 Gateway-to-Gateway, Dual WAN Ports
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e.
appropriate gateway WAN port at the other end as necessary to manage the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance.
Figure B-16 Gateway-to-Gateway, Dual WAN Ports, Load Balancing
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used.
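The rollover and load-balancing cases above reduce to one rule: a tunnel end point that is named by a fixed IP address stops matching the gateway the moment the active WAN port changes, while an FQDN kept current by dynamic DNS keeps resolving to whichever port is active. The following added model (not NETGEAR code; the class names, the FakeDdns stand-in for a dynamic DNS provider and the addresses are constructed) walks a peer's configured end point through a WAN1-to-WAN2 rollover and shows which configuration survives it.

```python
from dataclasses import dataclass

# Added illustration of the Appendix B addressing rules; all names are assumptions.


@dataclass
class WanPort:
    name: str
    ip: str
    dynamic: bool        # True if the ISP assigns the address (DHCP/PPPoE/PPTP)
    up: bool = True


class FakeDdns:
    """Stands in for a dynamic DNS provider: maps an FQDN to the active WAN IP."""
    def __init__(self):
        self.records = {}

    def update(self, fqdn, ip):
        self.records[fqdn] = ip

    def resolve(self, fqdn):
        return self.records.get(fqdn)


@dataclass
class DualWanGateway:
    mode: str            # "rollover" or "load_balance"
    ports: list
    fqdn: str
    ddns: FakeDdns

    def active_ports(self):
        up = [p for p in self.ports if p.up]
        return up[:1] if self.mode == "rollover" else up   # rollover: one port active

    def publish(self):
        # The gateway's dynamic DNS client publishes the active port's address.
        for p in self.active_ports():
            self.ddns.update(self.fqdn, p.ip)

    def rollover(self):
        """The primary WAN port fails; the previously inactive port becomes active."""
        self.ports[0].up = False
        self.publish()


def endpoint_requirement(mode, dynamic_ip):
    """Table B-2 in words: when must the far end be configured with an FQDN?"""
    if mode == "rollover":
        return "FQDN required (active WAN IP changes at rollover)"
    if dynamic_ip:
        return "FQDN required (address is dynamic)"
    return "fixed IP or FQDN"


def tunnel_endpoint_valid(gateway, configured, ddns):
    """True if the peer's configured end point (IP or FQDN) still reaches an active port."""
    target = ddns.resolve(configured) or configured
    return any(p.ip == target for p in gateway.active_ports())


def demo():
    ddns = FakeDdns()
    gw = DualWanGateway("rollover",
                        [WanPort("WAN1", "198.51.100.10", False),
                         WanPort("WAN2", "203.0.113.20", False)],
                        "gw.example.net", ddns)
    gw.publish()
    before = (tunnel_endpoint_valid(gw, "198.51.100.10", ddns),
              tunnel_endpoint_valid(gw, "gw.example.net", ddns))
    gw.rollover()   # the tunnel collapses; the peer must re-establish to the new address
    after = (tunnel_endpoint_valid(gw, "198.51.100.10", ddns),
             tunnel_endpoint_valid(gw, "gw.example.net", ddns))
    return before, after


if __name__ == "__main__":
    print(demo())   # ((True, True), (False, True))
```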
VPN Telecommuter: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.
After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel. The gateway WAN port must act as the responder.
Appendix C Two-Factor Authentication
This appendix provides an overview of Two-Factor Authentication, and an example of how to implement the WiKID solution.
This appendix contains the following sections:
• “Why do I need Two-Factor Authentication?” on this page.
• No need to replace existing hardware. Two-Factor Authentication can be added to existing NETGEAR products via a firmware upgrade.
• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and network storage products.
• Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses “continue” to receive the OTP from the WiKID authentication server:
2. A one-time passcode (something they have) is generated for this user.
Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time.
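The note above states two properties the authentication server has to enforce: the passcode is tied to the server's clock, and it is accepted at most once before it expires. The following added example (not NETGEAR or WiKID code) shows a server-side verifier with both properties, using a generic HMAC-SHA1 time-based passcode for illustration; this is not the WiKID protocol, the PIN step is omitted, and the secret, user name and clock-skew allowance are constructed assumptions.

```python
import hashlib
import hmac
import struct
import time

# Added illustration; not the WiKID protocol. Parameters are assumptions.
STEP_SECONDS = 60      # token and server must agree on this and on the time
VALID_STEPS = 1        # tolerate one step of clock skew either way
DIGITS = 6


def otp_for(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Passcode for the time step containing unix_time (RFC 4226-style truncation)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


class OtpAuthServer:
    """Checks a passcode against the server's own clock and refuses replays."""

    def __init__(self, secrets):
        self.secrets = secrets      # user -> shared token secret
        self.used = set()           # (user, time step) pairs already consumed

    def verify(self, user, code, now):
        secret = self.secrets.get(user)
        if secret is None:
            return False, "unknown user"
        step_now = now // STEP_SECONDS
        for delta in range(-VALID_STEPS, VALID_STEPS + 1):
            step = step_now + delta
            if not hmac.compare_digest(otp_for(secret, step * STEP_SECONDS), code):
                continue
            if (user, step) in self.used:
                return False, "passcode already used"
            self.used.add((user, step))   # each step's code works exactly once
            return True, "ok"
        # Outside the window: the code was valid once but has expired, or never was.
        return False, "invalid or expired passcode"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    server = OtpAuthServer({"alice": secret})
    t = int(time.time())
    code = otp_for(secret, t)
    print(server.verify("alice", code, t))                       # (True, 'ok')
    print(server.verify("alice", code, t))                       # replay refused
    print(server.verify("alice", code, t + 10 * STEP_SECONDS))   # expired
```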
Appendix D Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
TCP/IP Networking Basics: http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Networking Basics: http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing Your Network: http://documentation.netgear.com/reference/enu/wsdhcp/index.
Appendix E Notification of Compliance
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.