ProSafe Gigabit 8 Port VPN Firewall FVS318G Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 202-10521-02 v1.
© 2009–2010 by NETGEAR, Inc. All rights reserved. Technical Support Please refer to the support information card that shipped with your product. By registering your product at http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product and software upgrades. NETGEAR, INC. Support Information Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card. Email: support@netgear.
Manufacturer's/Importer's Declaration: It is hereby confirmed that the ProSafe Gigabit 8 Port VPN Firewall FVS318G is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some equipment (e.g., test transmitters) may nevertheless be subject to certain restrictions. Please read the notes in the operating manual.
Open SSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer. 2.
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
Contents
ProSafe Gigabit 8 Port VPN Firewall FVS318G Reference Manual
About This Manual
Conventions, Formats and Scope ... xiii
How to Print This Manual ... xiv
Chapter 1 Introduction
Key Features ...
Chapter 3 LAN Configuration
Choosing the VPN Firewall DHCP Options ... 3-1
Configuring the LAN Setup Options ... 3-2
Managing Groups and Hosts (LAN Groups) ... 3-5
Creating the Network Database ...
Blocking Internet Sites (Content Filtering) ... 4-30
Configuring Source MAC Filtering ... 4-33
Configuring IP/MAC Address Binding ... 4-35
Configuring Port Triggering ...
Configuring NetBIOS Bridging with VPN ... 5-55
Chapter 6 VPN Firewall and Network Management
Performance Management ... 6-1
Bandwidth Capacity ... 6-1
VPN Firewall Features That Reduce Traffic ...
Troubleshooting the Web Configuration Interface ... 7-3
Troubleshooting the ISP Connection ... 7-4
Troubleshooting a TCP/IP Network Using a Ping Utility ... 7-5
Testing the LAN Path to Your VPN Firewall ...
About This Manual The NETGEAR® ProSafe Gigabit 8 Port VPN Firewall FVS318G Reference Manual describes how to install, configure and troubleshoot the ProSafe Gigabit 8 Port VPN Firewall FVS318G. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope The conventions, formats, and scope of this manual are described in the following paragraphs. • Typographical Conventions.
• Scope. This manual is written for the VPN firewall according to these specifications. Product Version ProSafe Gigabit 8 Port VPN Firewall FVS318G Manual Publication Date August 2010 For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix C, “Related Documents.” Note: Product updates are available on the NETGEAR, Inc. website at http://kb.netgear.com/app/home.
202-10521-02, v1.0, April 2010: Added the following new features for the April 2010 firmware maintenance release:
• Connection reset and delay options on the Broadband ISP Settings screen (see “Manually Configuring Your Internet Connection”).
• Support for an address range for inbound LAN rules on the Add LAN WAN Inbound Service screen (see “Inbound Rules (Port Forwarding)” and “Inbound Rules Examples”).
Chapter 1 Introduction The ProSafe Gigabit 8 Port VPN Firewall FVS318G with eight 10/100/1000 Mbps Gigabit Ethernet LAN ports and one 10/100/1000 Mbps Gigabit Ethernet WAN port connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS318G is a complete security solution that protects your network from attacks and intrusions.
• SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100).
• Easy, Web-based setup for installation and management.
• Advanced SPI Firewall and Multi-NAT support.
• Extensive Protocol Support.
• Login capability.
• One console port for local management.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Keyword Filtering. With its URL keyword filtering feature, the FVS318G prevents objectionable content from reaching your PCs. The VPN firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the VPN firewall to log and report attempts to access objectionable Internet sites.
Extensive Protocol Support The FVS318G supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, see the “TCP/IP Networking Basics” document that you can access from the link in “Related Documents” in Appendix C. • IP Address Sharing by NAT.
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2. • Diagnostic Functions. The VPN firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot. • Remote Management.
VPN Firewall Front and Rear Panels The FVS318G front panel includes eight LAN ports, one WAN port, and four groups of status indicator light-emitting diodes (LEDs), including Power and Test, LAN, and WAN LEDs.
[Figure 1-1: front panel; the numbered callouts (1 through 7) correspond to the items in Table 1-1.]
Table 1-1 describes each item on the front panel and its operation.
Table 1-1. LED Descriptions
1. Power. On (Green): Power is supplied to the VPN firewall. Off: Power is not supplied to the VPN firewall.
Table 1-1. LED Descriptions (continued)
WAN LED. On (Green): The WAN port is connected. Off: The Internet connection is down; the WAN port is either not enabled or has no link.
Port speed LED. On (Green): The port is operating at 1,000 Mbps. On (Amber): The port is operating at 100 Mbps. Off: The port is operating at 10 Mbps.
One WAN Port. 6. Active (left side of port). 7.
Default IP Address, Login Name, and Password Check the label on the bottom of the FVS318G’s enclosure if you forget the following factory default information:
• IP Address: http://192.168.1.1
• User name: admin
• Password: password
(Figure 1-3 shows the label with the LAN IP address, user name, and password.)
When the FVS318G is connected, log in by going to http://192.168.1.1. Because these defaults are printed on every unit and are widely known, change the admin password the first time you log in.
Chapter 2 Connecting the VPN Firewall to the Internet This section provides instructions for connecting the ProSafe Gigabit 8 Port VPN Firewall FVS318G, including these topics:
• “Understanding the Connection Steps” on this page
• “Logging into the VPN Firewall” on page 2-2
• “Navigating the Menus” on page 2-3
• “Configuring the Internet Connection to Your ISP” on page 2-4
• “Configuring the WAN Mode” on page 2-9
• “Configuring Dynamic DNS” on page 2-11
• “Configuring the Advanced Broadband Options” on pa
6. Configure the WAN options (optional). As an option, change the VPN firewall’s Media Access Control (MAC) address, the factory default MTU size, and the port speed. However, these are advanced features and changing them is not usually required. See “Configuring the Advanced Broadband Options” on page 2-13. Each of these tasks is detailed separately in this chapter. The configuration of firewall and VPN features is described in later chapters.
3. Click Login. The Router Status screen displays. For more information about this screen, see “Viewing the VPN Firewall Configuration and System Status” on page 6-30. Note: You might want to enable remote management at this time so that you can log in remotely in the future to manage the VPN firewall (see “Configuring an External Server for Authentication” on page 6-11). If you do, the management interface becomes reachable from the WAN side, so use a strong administrator password and restrict remote access to the source addresses that actually need it.
Configuring the Internet Connection to Your ISP To automatically configure the broadband port and connect to the Internet: 1. Select Network Configuration from the main menu and Broadband ISP Settings from the submenu. The Broadband ISP Settings screen displays. Figure 2-2 2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP.
When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1. Note: When you click Auto Detect while the WAN port already has a connection, you might lose the connection because the VPN firewall will enter its detection mode. Table 2-1.
The Connection Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to “Manually Configuring Your Internet Connection” following this section, or see “Troubleshooting the ISP Connection” on page 7-4. Note: If the configuration process was successful, you are connected to the Internet through the WAN port.
4. In the ISP Type section, select the type of ISP connection you use from the two listed options. (By default, “Other (PPPoE)” is selected.) Figure 2-5
• Other (PPPoE). If you have installed PPPoE login software such as WinPoET or Enternet, your connection type is PPPoE. Configure the following fields:
– Account Name. Valid account name for the PPPoE connection.
– Domain Name.
– Idle Timeout. Select the Keep Connected radio button to keep the connection always on. To log out after the connection has been idle for a period of time, click Idle Time and enter the number of minutes to wait before disconnecting in the timeout field. This is useful if your ISP charges you based on the amount of time you have logged in. – My IP Address. IP address assigned by the ISP to make the connection with the ISP server. – Server IP Address.
6. Review the Domain Name Server (DNS) server options. Figure 2-7 • If your ISP has not assigned any Domain Name Servers (DNS) addresses, click Get Dynamically from ISP. • If your ISP (or your IT department) has assigned DNS addresses, click Use These DNS Servers and enter the DNS server IP addresses provided to you in the fields. 7. Click Apply to save any changes to the broadband settings.
The WAN Mode screen allows you to configure how the VPN firewall uses the external Internet connection. This screen gives you two choices for accessing the external Internet connection.
• Network Address Translation (NAT). This technique allows several computers on a LAN to share the same Internet connection (IP address) while using private IP addresses on the LAN, which are hidden from the Internet.
• Classical Routing.
Configuring Dynamic DNS Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org. Links to DynDNS, TZO, Oray, and 3322 are provided for your convenience on the Dynamic DNS Configuration screen.
Figure 2-9 2. Click the tab of the DNS service you want to enable. Each DNS service provider requires registration. After registration you can configure the required settings on the corresponding screen for the DNS service. 3. Access the website of one of the DNS service providers and set up an account. A link to each DNS service provider is located to the right of the tabs (see the option arrow).
Configuring the Advanced Broadband Options To configure the advanced broadband options: 1. Select Network Configuration from the main menu and Broadband ISP Settings from the submenu. The Broadband ISP Settings screen displays. 2. Click the Advanced option arrow at the right of the tabs to display the Broadband Advanced Options screen. Figure 2-10 3. Edit the default information you want to change. • MTU Size.
• Router's MAC Address. Each computer or router on your network has a unique 48-bit Ethernet hardware address, also referred to as the computer's MAC (Media Access Control) address. The default is Use Default Address. Change it only if your ISP has tied the connection to the MAC address of a device it previously registered.
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Gigabit 8 Port VPN Firewall FVS318G, including the following sections: • “Choosing the VPN Firewall DHCP Options” on this page • “Configuring the LAN Setup Options” on page 3-2 • “Managing Groups and Hosts (LAN Groups)” on page 3-5 • “Configuring Multi Home LAN IP Addresses” on page 3-10 • “Configuring and Enabling the DMZ Port” on page 3-11 • “Configuring Static Routes” on page 3-14 • “Configuring
The VPN firewall will deliver the following settings to any LAN device that requests DHCP:
• An IP address from the range that you have defined.
• Subnet mask.
• Gateway IP address (the VPN firewall’s LAN IP address).
• Primary DNS server (the VPN firewall’s LAN IP address).
• WINS server (if you entered a WINS server address in the DHCP section of the LAN Setup screen).
• Lease time (date obtained and duration of lease).
To configure the LAN Setup options: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen displays. Figure 3-1 2. In the LAN TCP/IP Setup section, configure the following settings: • IP Address. The LAN address of your VPN firewall (factory default: 192.168.1.1). Note: If you change the LAN IP address of the VPN firewall while connected through the browser, you will be disconnected.
• IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your VPN firewall will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask. (Always make sure that the LAN port IP address and DMZ port IP address are in different subnets; overlapping subnets leave the firewall unable to tell LAN traffic from DMZ traffic.) 3.
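The subnet rules above (LAN and DMZ in different subnets, DHCP pool drawn from the LAN range, gateway address not handed out) are easy to get wrong when typing addresses into the LAN Setup and DMZ Setup screens. The following added check, written here for this page with Python's standard ipaddress module and not part of the firewall's own software, validates a proposed configuration before you apply it. The address values are constructed for the example; the field names are assumptions, not the firewall's configuration format.

```python
import ipaddress

# Constructed LAN/DMZ settings as they would be typed into the LAN Setup and DMZ
# Setup screens; the values are made up for the example.
OVERLAPPING_CONFIG = {
    "lan_ip": "192.168.1.1", "lan_mask": "255.255.255.0",
    "dhcp_start": "192.168.1.2", "dhcp_end": "192.168.1.100",
    "dmz_ip": "192.168.1.129", "dmz_mask": "255.255.255.128",   # sits inside the LAN /24
}
GOOD_CONFIG = dict(OVERLAPPING_CONFIG, dmz_ip="192.168.2.1", dmz_mask="255.255.255.0")


def check_addressing(config):
    """Return a list of problems with the LAN/DMZ/DHCP addressing; an empty list means OK."""
    problems = []
    lan = ipaddress.ip_interface(f"{config['lan_ip']}/{config['lan_mask']}")
    dmz = ipaddress.ip_interface(f"{config['dmz_ip']}/{config['dmz_mask']}")

    # The manual's rule: LAN and DMZ port addresses must be in different subnets.
    if lan.network.overlaps(dmz.network):
        problems.append(f"LAN {lan.network} and DMZ {dmz.network} overlap")

    # A port address equal to its network or broadcast address is unusable.
    for name, iface in (("LAN", lan), ("DMZ", dmz)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{name} address {iface.ip} is the network or broadcast address")

    # The DHCP pool must lie inside the LAN subnet and must not hand out the gateway.
    start = ipaddress.ip_address(config["dhcp_start"])
    end = ipaddress.ip_address(config["dhcp_end"])
    if start > end:
        problems.append(f"DHCP start {start} is above end {end}")
    if start not in lan.network or end not in lan.network:
        problems.append(f"DHCP range {start}-{end} is not inside LAN {lan.network}")
    if start <= lan.ip <= end:
        problems.append(f"DHCP range {start}-{end} includes the gateway {lan.ip}")
    return problems


def pool_size(config):
    """Number of addresses the DHCP server can lease from the configured range."""
    start = ipaddress.ip_address(config["dhcp_start"])
    end = ipaddress.ip_address(config["dhcp_end"])
    return max(0, int(end) - int(start) + 1)


if __name__ == "__main__":
    for name, cfg in (("overlapping", OVERLAPPING_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_addressing(cfg) or "OK", "pool size", pool_size(cfg))
```

The overlapping sample is rejected because 192.168.1.128/25 lies inside 192.168.1.0/24; moving the DMZ to 192.168.2.1/24 clears every check.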
If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information. Enter the following settings: • LDAP Server. Specifies the name or the IP address of the device that hosts the LDAP server. • Search Base.
The Network Database is updated by these methods: • DHCP Client Requests. By default, the DHCP server in this VPN firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. Because of this, leaving the DHCP Server feature (on the LAN screen) enabled is strongly recommended. • Scanning the Network.
Viewing the Network Database To view the Network Database, follow these steps: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen displays. 2. Click the LAN Groups tab. The LAN Groups screen displays. Figure 3-2 The Known PCs and Devices table lists the entries in the Network Database. For each computer or device, the following fields are displayed: • Name.
Adding Devices to the Network Database To add devices manually to the network database: 1. To add computers to the network database manually, make the following selections: • Name: The name of the PC or device. • IP Address Type. From the pull-down menu, choose how this device receives its IP address: – Select Fixed (Set on PC) if the IP address is statically assigned on the computer.
Changing Group Names in the LAN Groups Database By default, the LAN Groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as Engineering or Marketing. To edit the names of any of the eight available groups: 1. From the LAN Groups screen, click the Edit Group Names option arrow to the right of the tabs. The Network Database Group Names screen appears. Figure 3-3 2.
Note: The reserved address will not be assigned until the next time the PC contacts the VPN firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew. Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.
3. In the Add Secondary LAN IP Address section, enter the additional IP address and subnet mask to be assigned to the LAN port of the VPN firewall. 4. Click Add. The secondary LAN IP address will be added to the Available Secondary LAN IPs table. To make changes to the Available Secondary LAN IPs table, use the following buttons: • Select All. Selects all the entries in the Available Secondary LAN IPs table. • Delete.
The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see “VPN Firewall Front and Rear Panels” on page 1-6) and configure an IP address and Mask for the DMZ port. To enable and configure the DMZ port: 1. From the main menu, select Network Configuration and then select DMZ Setup from the submenu. The DMZ Setup screen displays. 2.
4. In the DHCP for DMZ Connected Computers section, select one of the following three radio buttons: • Disable DHCP Server. The DHCP server is disabled, which is the default setting. Select this radio button if another device on your DMZ network will be the DHCP server, or if you will manually configure all devices. • Enable DHCP Server.
If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information. Enter the following settings: • LDAP Server. Specifies the name or the IP address of the device that hosts the LDAP server. • Search Base.
To add a static route: 1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen displays. Figure 3-6 2. Click Add. The Add Static Route screen displays. Figure 3-7 3. Enter a route name for this static route in the Route Name field (for identification and management). 4. Select the Active checkbox to make this route effective.
6. In the Destination IP Address field, enter the destination IP address to the host or network to which the route leads. 7. In the IP Subnet Mask field, enter the IP subnet mask for this destination. If the destination is a single host, enter 255.255.255.255. 8. From the Interface pull-down menu, select the physical network interface (Broadband, DMZ, or LAN) through which this route is accessible. 9.
• The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192.168.1.100.
• A Metric value of 1 will work since the ISDN firewall is on the LAN.
• Private is selected only as a precautionary security measure in case RIP is activated, so that this route is never advertised to other routers.
3. From the RIP Direction pull-down menu, select the direction in which the VPN firewall will send and receive RIP packets. The choices are: • None. The VPN firewall neither broadcasts its routing table nor does it accept any RIP packets from other routers. This effectively disables RIP. • Both. The VPN firewall broadcasts its routing table and also processes RIP information received from other routers. • Out Only.
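To make the static route fields and the RIP settings concrete, here is an added example (not code from the firewall or from NETGEAR) that models a small route table with the same fields as the Add Static Route screen, resolves a destination by longest-prefix match with the metric as tie-breaker, and lists which routes would be announced for each RIP Direction setting while honouring the Private flag. The gateway 192.168.1.100 is the manual's ISDN firewall; the destination networks, the other gateways and the route names are assumptions for the example.

```python
import ipaddress

# Constructed static route table; the fields mirror the Add Static Route screen.
# 192.168.1.100 is the ISDN firewall from the manual's example; every other
# destination, gateway and name is an assumption made for this example.
STATIC_ROUTES = [
    {"name": "isdn_net", "destination": "172.16.20.0", "mask": "255.255.255.0",
     "interface": "LAN", "gateway": "192.168.1.100", "metric": 1, "active": True, "private": True},
    {"name": "branch", "destination": "10.20.0.0", "mask": "255.255.0.0",
     "interface": "LAN", "gateway": "192.168.1.200", "metric": 2, "active": True, "private": False},
    {"name": "old_link", "destination": "10.20.5.0", "mask": "255.255.255.0",
     "interface": "LAN", "gateway": "192.168.1.201", "metric": 1, "active": False, "private": False},
    {"name": "one_host", "destination": "10.20.5.9", "mask": "255.255.255.255",
     "interface": "DMZ", "gateway": "192.168.10.2", "metric": 1, "active": True, "private": False},
    {"name": "default", "destination": "0.0.0.0", "mask": "0.0.0.0",
     "interface": "Broadband", "gateway": "203.0.113.1", "metric": 1, "active": True, "private": True},
]


def route_network(route):
    """Destination network of a route, from its destination address and subnet mask."""
    return ipaddress.ip_network(f"{route['destination']}/{route['mask']}", strict=False)


def lookup(routes, address):
    """Longest-prefix match over the active routes; on equal prefix length the
    lower metric wins. Returns the chosen route dict, or None if nothing matches."""
    addr = ipaddress.ip_address(address)
    best_key, best = None, None
    for route in routes:
        if not route["active"]:            # inactive routes are kept but never used
            continue
        net = route_network(route)
        if addr in net:
            key = (net.prefixlen, -route["metric"])
            if best_key is None or key > best_key:
                best_key, best = key, route
    return best


def rip_advertisements(routes, rip_direction):
    """Names of routes the firewall would announce in RIP: nothing unless RIP is
    sending (Both or Out Only), and never a route marked Private."""
    if rip_direction not in ("Both", "Out Only"):
        return []
    return [r["name"] for r in routes if r["active"] and not r["private"]]


if __name__ == "__main__":
    for address in ("10.20.5.9", "10.20.5.10", "172.16.20.7", "8.8.8.8"):
        chosen = lookup(STATIC_ROUTES, address)
        print(address, "->", chosen["name"], "via", chosen["gateway"], "on", chosen["interface"])
    print("RIP Both:", rip_advertisements(STATIC_ROUTES, "Both"))
    print("RIP None:", rip_advertisements(STATIC_ROUTES, "None"))
```

The /32 host route wins for 10.20.5.9 even though a /16 also covers it, the inactive /24 is ignored, and with RIP set to Both only the two non-private routes are announced; the ISDN route and the default route stay local, which is exactly what marking them Private is for.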
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Gigabit 8 Port VPN Firewall FVS318G to protect your network.
A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for detecting and blocking intrusions and attacks, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions.
Services-Based Rules The rules to block traffic are based on the traffic’s category of service. • Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it. • Inbound Rules (port forwarding). Inbound traffic is normally blocked by the VPN firewall unless the traffic is in response to a request from the LAN side.
Table 4-1. Outbound Rules (continued)
Select Schedule. Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule.
• This pull-down menu is activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as the Action.
• Use the Schedule screen to configure the time schedules (see “Setting a Schedule to Block or Allow Specific Traffic” on page 4-29).
Table 4-1. Outbound Rules (continued)
Bandwidth Profile. Bandwidth limiting determines the way in which data is sent to or from your host. The purpose of bandwidth limiting is to cap outgoing or incoming traffic, thus preventing LAN users from consuming all the bandwidth of your Internet connection. For more information, see “Creating Bandwidth Profiles” on page 4-27.
Table 4-2. Inbound Rules
Services. Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services” on page 4-24).
Action. Select the desired action for packets covered by this rule:
• BLOCK always.
• BLOCK by schedule, otherwise Allow.
• ALLOW always.
Table 4-2. Inbound Rules (continued)
Log. This determines whether packets covered by this rule are logged. Select the desired action:
• Always. Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
• Never. Never log traffic considered by this rule, whether it matches or not.
Viewing Rules and Order of Precedence for Rules To view the firewall rules, select Security from the main menu and Firewall from the submenu. The LAN WAN Rules screen appears (Figure 4-1 shows some examples). As you define new rules, they are added to the tables in the Rules menu as the last item in the list. Rules are applied in the order in which they are listed, from the top of the table down, and the first rule that matches a packet decides what happens to it; a new rule at the bottom therefore only affects traffic that no earlier rule already covers. Place the most specific rules (narrow services and addresses) above the broader ones.
To make changes to an existing outbound or inbound service rule on the LAN WAN Rules, DMZ WAN Rules, or LAN DMZ Rules screen, click one of the following table buttons in the Action column to the right of the rule: • edit. Allows you to make any changes to the rule definition of an existing rule.
LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The outbound rule will block the selected application from any internal IP LAN address to any external WAN IP address according to the schedule created in the Schedule menu.
LAN WAN Inbound Services Rules This Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your VPN firewall. Only enable those ports that are necessary for your network. To create a new LAN WAN inbound service rule: 1.
Configuring DMZ WAN Rules The firewall rules for traffic between the DMZ and the WAN/Internet are configured on the DMZ WAN Rules screen. The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the DMZ to the Internet (outbound) or coming in from the Internet to the DMZ (inbound).
Figure 4-5 4. Configure the settings based on the descriptions in Table 4-1 on page 4-3. 5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled.
To create a new LAN DMZ outbound service policy: 1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen displays. 2. Select the LAN DMZ Rules tab. The LAN DMZ Rules screen displays. Figure 4-6 3. Click Add under the Outbound Services table. The Add LAN DMZ Outbound Service screen displays. Figure 4-7 4. Configure the settings based on the descriptions in Table 4-1 on page 4-3.
5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled. The procedure to add a new LAN DMZ inbound service policy is similar to the procedure described above with the exception that you click Add under the Inbound Services table, you configure the settings based on the descriptions in Table 4-2 on page 4-6, and the policy is added to the Inbound Services table.
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. Figure 4-9 In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
Figure 4-10 The following addressing scheme is used in this example:
• VPN firewall FVS318G
– WAN primary public IP address: 10.1.0.1
– WAN additional public IP address: 10.1.0.5
– LAN IP address 192.168.1.1
• Web server PC on the VPN firewall’s LAN
– LAN IP address: 192.168.1.11
– Port number for Web service: 8080
To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear.
To expose one of the PCs on your LAN or DMZ as this host: 1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. Because rules are applied from the top of the table down, any more specific BLOCK rule for that host must sit above the allow-all rule or it will never take effect. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
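The order-of-precedence rule (first match from the top of the table wins, with outbound allowed and inbound blocked by default) and the instruction to put the exposed-host rule last are the same mechanism seen from two sides. The following added example, written for this page and not taken from the firewall's software, evaluates constructed packets against a small rule table the way the manual describes and also reports any rule that an earlier, broader rule shadows. The service table, rule fields, addresses and packets are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed service table: on the firewall a service maps a name to a protocol
# and port (Services screen). "ANY" stands for the all-protocols service used for
# an exposed host. These entries are assumptions for the example.
SERVICES = {
    "HTTP": ("tcp", 80),
    "SSH": ("tcp", 22),
    "ANY": (None, None),
}

# Default policies from the manual: outbound traffic is allowed and inbound
# traffic is blocked unless a rule says otherwise.
DEFAULT_POLICY = {"outbound": "ALLOW", "inbound": "BLOCK"}


@dataclass
class Rule:
    direction: str                  # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    service: str                    # key into SERVICES
    action: str                     # "ALLOW" or "BLOCK"
    source: str = "0.0.0.0/0"       # permitted senders, CIDR form
    destination: str = "0.0.0.0/0"  # permitted receivers, CIDR form


def rule_matches(rule, pkt):
    """True when the packet falls inside the rule's direction, service and address ranges."""
    proto, port = SERVICES[rule.service]
    if rule.direction != pkt["direction"]:
        return False
    if proto is not None and (proto, port) != (pkt["proto"], pkt["dport"]):
        return False
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.destination))


def evaluate(rules, pkt):
    """Walk the table top to bottom; the first matching rule decides.
    Returns (action, index of the deciding rule) or (default action, None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return DEFAULT_POLICY[pkt["direction"]], None


def shadowed_rules(rules):
    """Indexes of rules that can never fire because an earlier rule already covers
    every packet they could match (same direction, same or ANY service, and
    source/destination ranges inside the earlier rule's ranges)."""
    covered = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if (earlier.direction == later.direction
                    and earlier.service in (later.service, "ANY")
                    and ipaddress.ip_network(later.source).subnet_of(ipaddress.ip_network(earlier.source))
                    and ipaddress.ip_network(later.destination).subnet_of(ipaddress.ip_network(earlier.destination))):
                covered.append(index)
                break
    return covered


# Constructed rule sets for a LAN host 192.168.1.11 that is to be the exposed host
# but must never accept SSH from the Internet.
BLOCK_SSH = Rule("inbound", "SSH", "BLOCK", destination="192.168.1.11/32")
EXPOSED_HOST = Rule("inbound", "ANY", "ALLOW", destination="192.168.1.11/32")
EXPOSED_HOST_LAST = [BLOCK_SSH, EXPOSED_HOST]     # what the manual recommends
EXPOSED_HOST_FIRST = [EXPOSED_HOST, BLOCK_SSH]    # the block rule is shadowed

# Constructed packets (documentation addresses, not real traffic).
SSH_FROM_WAN = {"direction": "inbound", "proto": "tcp", "src": "203.0.113.5",
                "dst": "192.168.1.11", "dport": 22}
HTTP_FROM_WAN = dict(SSH_FROM_WAN, dport=80)
HTTP_TO_OTHER_HOST = dict(HTTP_FROM_WAN, dst="192.168.1.20")
WEB_FROM_LAN = {"direction": "outbound", "proto": "tcp", "src": "192.168.1.20",
                "dst": "198.51.100.7", "dport": 80}

if __name__ == "__main__":
    for name, table in (("exposed host last", EXPOSED_HOST_LAST),
                        ("exposed host first", EXPOSED_HOST_FIRST)):
        print(name, evaluate(table, SSH_FROM_WAN), "shadowed:", shadowed_rules(table))
```

With the allow-all rule last, SSH to the exposed host is blocked by rule 0 and everything else to that host is allowed by rule 1; with the order reversed the same SSH packet is allowed and the block rule is reported as shadowed. Traffic to any other LAN host still falls through to the inbound default of BLOCK.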
Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites.
Attack Checks The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN and WAN networks. To enable the appropriate attack checks for your environment: 1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen displays. 2. Click the Attack Checks tab. The Attack Checks screen displays. Figure 4-13 3.
– Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker does not complete the connection, thus saturating the server with half-open connections. No legitimate connections can then be made.
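The half-open-connection pattern described for Block TCP Flood can also be recognised on a monitoring host by looking at the connection table. The following Python script is an added example, not code from the NETGEAR manual or the FVS318G firmware: it parses a constructed connection-table dump (the line layout loosely follows a Linux conntrack listing; all addresses are sample values) and flags destination services where SYN_RECV entries dominate. The thresholds max_half_open and min_ratio are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed connection-table dump. The layout loosely follows a Linux
# conntrack listing; the addresses and counts are made up for this example
# and are not output from an FVS318G.
SAMPLE_CONNTRACK = """\
tcp 6 30 SYN_RECV src=203.0.113.7 dst=192.168.1.11 sport=40001 dport=80
tcp 6 30 SYN_RECV src=203.0.113.8 dst=192.168.1.11 sport=40002 dport=80
tcp 6 30 SYN_RECV src=203.0.113.9 dst=192.168.1.11 sport=40003 dport=80
tcp 6 30 SYN_RECV src=203.0.113.10 dst=192.168.1.11 sport=40004 dport=80
tcp 6 431999 ESTABLISHED src=198.51.100.20 dst=192.168.1.11 sport=51000 dport=80
tcp 6 431999 ESTABLISHED src=198.51.100.21 dst=192.168.1.12 sport=51001 dport=22
tcp 6 30 SYN_RECV src=203.0.113.11 dst=192.168.1.12 sport=40005 dport=22
"""

LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<state>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Parse the constructed dump into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def half_open_report(text, max_half_open=3, min_ratio=0.5):
    """Per destination service (dst:dport), count half-open (SYN_RECV) versus
    established connections and flag services whose half-open count reaches
    max_half_open and whose half-open share is at least min_ratio.
    Both thresholds are illustrative assumptions, not device settings."""
    counts = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for entry in parse_conntrack(text):
        key = f"{entry['dst']}:{entry['dport']}"
        if entry["state"] == "SYN_RECV":
            counts[key]["half_open"] += 1
            counts[key]["sources"].add(entry["src"])
        elif entry["state"] == "ESTABLISHED":
            counts[key]["established"] += 1

    report = {}
    for key, c in counts.items():
        total = c["half_open"] + c["established"]
        ratio = c["half_open"] / total if total else 0.0
        report[key] = {
            "half_open": c["half_open"],
            "established": c["established"],
            "distinct_sources": len(c["sources"]),
            "suspected_syn_flood": c["half_open"] >= max_half_open and ratio >= min_ratio,
        }
    return report


if __name__ == "__main__":
    for service, stats in half_open_report(SAMPLE_CONNTRACK).items():
        print(service, stats)
```

The distinct_sources count is worth watching alongside the half-open count: a flood from many spoofed sources cannot be stopped by blocking one address, which is why the firewall's own Block TCP Flood check, rather than a per-source rule, is the right control.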
Setting Session Limits
Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the VPN firewall. This feature is enabled on the Session Limit screen and shown below in Figure 4-14. Session Limit is disabled by default. To set session limits:
1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen displays.
2.
Note: Some protocols (such as FTP or RTSP) create two sessions per connection, which should be considered when configuring Session Limiting.
The Total Number of Packets Dropped due to Session Limit field shows the total number of packets dropped when the session limit is reached.
6. In the Session Timeout section, modify the TCP, UDP and ICMP timeout values as you require.
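The interaction between a per-user session limit, protocols that consume two sessions per connection, and the per-transport session timeouts is easier to see in code. The following Python class is an added model written for this manual section, not the FVS318G's implementation: it admits or drops new connections for a source IP against a fixed limit, charges two sessions for FTP and RTSP, and expires idle sessions using TCP/UDP/ICMP timeouts. The default timeout values and the drop counter are assumptions for the example.

```python
from collections import defaultdict

# Protocols that open two sessions per logical connection (control plus data),
# as the manual notes for FTP and RTSP.
TWO_SESSION_PROTOCOLS = {"ftp", "rtsp"}


class SessionLimiter:
    """Per-source-IP session limit with per-transport idle timeouts (model only)."""

    def __init__(self, max_sessions, timeouts=None):
        self.max_sessions = max_sessions
        # Idle timeouts in seconds per transport; the defaults are illustrative
        # assumptions, not the device's factory values.
        self.timeouts = timeouts or {"tcp": 1800, "udp": 120, "icmp": 60}
        self.sessions = defaultdict(list)  # src_ip -> [(transport, last_seen), ...]
        self.dropped = 0                   # mirrors "Total Number of Packets Dropped"

    def _expire(self, src_ip, now):
        self.sessions[src_ip] = [
            (transport, seen) for (transport, seen) in self.sessions[src_ip]
            if now - seen < self.timeouts.get(transport, 0)
        ]

    def new_connection(self, src_ip, transport, app, now):
        """Return True if the connection is admitted, False if it is dropped."""
        self._expire(src_ip, now)
        needed = 2 if app in TWO_SESSION_PROTOCOLS else 1
        if len(self.sessions[src_ip]) + needed > self.max_sessions:
            self.dropped += 1
            return False
        self.sessions[src_ip].extend([(transport, now)] * needed)
        return True

    def active(self, src_ip, now):
        """Number of live sessions for src_ip after expiring idle ones."""
        self._expire(src_ip, now)
        return len(self.sessions[src_ip])


if __name__ == "__main__":
    limiter = SessionLimiter(max_sessions=3)
    print(limiter.new_connection("192.168.1.11", "tcp", "http", 0))   # True
    print(limiter.new_connection("192.168.1.11", "tcp", "ftp", 1))    # True, uses 2
    print(limiter.new_connection("192.168.1.11", "tcp", "http", 2))   # False, limit hit
    print(limiter.active("192.168.1.11", 1800))                      # first session expired
```

A limit of 3 therefore leaves room for only one FTP transfer beside a web session; when sizing the limit, count two for each FTP or RTSP user rather than one.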
Creating Services, QoS Profiles, and Bandwidth Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
• Services. A service narrows down the firewall rule to an application and a port number. For information about adding services, see “Adding Customized Services” on page 4-24.
• QoS profiles.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, you can enter it on the Services screen. To add a customized service:
1. Select Security from the main menu and Services from the submenu.
Modifying a Service
To edit the settings of a service:
1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen displays.
Figure 4-17
2. Modify the settings you wish to change.
3. Click Reset to cancel the changes and restore the previous settings, or click Apply to confirm your changes. The modified service displays in the Custom Services Table.
A ToS priority for traffic passing through the VPN firewall is one of the following:
• Normal-Service. No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
• Minimize-Cost. Used when data has to be transferred over a link that has a lower “cost”. The IP packets for services with this priority are marked with a ToS value of 1.
• Maximize-Reliability.
To add a bandwidth profile:
1. Select Security from the main menu and Bandwidth Profile from the submenu. The Bandwidth Profile screen displays.
Figure 4-18
2. Click Add to add a new bandwidth profile. The Add New Bandwidth Profile screen displays.
Figure 4-19
3. Enter the following information:
a. Enter a Profile Name. This name will become available in the firewall rules definition menus.
b.
c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed:
• Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth in Kbps.
• Enter the Inbound Minimum Bandwidth and Inbound Maximum Bandwidth in Kbps.
The minimum bandwidth can range from 0 Kbps to the maximum bandwidth that you specify. The maximum bandwidth can range from 100 Kbps to 100,000 Kbps.
d.
Figure 4-20
2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect.
3. Check the radio button to schedule the time of day: All Day, or Specific Times. If you chose Specific Times, enter the Start Time and End Time fields (Hour, Minute, AM/PM), which will limit access during certain times for the selected days.
4.
– Proxy. A proxy server (or simply, proxy) allows computers to route connections to other computers through the proxy, thus circumventing certain firewall rules. For example, if connections to a specific IP address are blocked by a firewall rule, the requests can be routed through a proxy that is not blocked by the rule, rendering the restriction ineffective. Enabling this feature blocks proxy servers.
– Java.
To enable Content Filtering:
1. Select Security from the main menu and Block Sites from the submenu. The Block Sites screen displays.
Figure 4-21
2. Check the Yes radio button to enable content filtering.
3. Click Apply to activate the screen controls.
4. Check the radio boxes of any Web components you wish to block.
5. Check the radio buttons of the groups to which you wish to apply keyword blocking. Click Enable to activate keyword blocking (or Disable to deactivate keyword blocking).
6. Build your list of blocked keywords or domain names in the Blocked Keyword fields.
Figure 4-22
2. Check the Yes radio box in the MAC Filtering Enable section.
3. Select the action to be taken on outbound traffic from the listed MAC addresses:
• Block this list and permit all other MAC addresses.
• Permit this list and block all other MAC addresses.
4. Enter a MAC Address in the Add Source MAC Address field and click Add. The MAC address will appear in the MAC Addresses table.
Configuring IP/MAC Address Binding
IP/MAC binding allows you to bind an IP address to a MAC address and the other way around. Some devices are configured with static addresses. To prevent users from changing their static IP addresses, IP/MAC binding must be enabled on the VPN firewall. If the VPN firewall detects packets with a matching IP address but an inconsistent MAC address (or the other way around), it drops these packets.
Figure 4-23
3. Select the Yes radio box and click Apply. Make sure that you have enabled the e-mailing of logs (see “Activating Notification of Events and Alerts” on page 6-23).
4. Add an IP/MAC Bind rule by entering:
a. Name. Specify an easily identifiable name for this rule.
b. MAC Address. Specify the MAC Address for this rule.
c. IP Addresses. Specify the IP Address for this rule.
d. Log Dropped Packets.
To edit an IP/MAC binding rule, click Edit adjacent to the entry. The following fields of an existing IP/MAC binding rule can be modified:
• MAC Address. Specify the MAC Address for this rule.
• IP Addresses. Specify the IP Address for this rule.
• Log Dropped Packets. Specify the logging option for this rule.
To remove an entry from the table, select the IP/MAC binding entry and click Delete.
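The drop decision the IP/MAC binding section describes (a packet whose IP matches a rule but whose MAC does not, or the other way around, is dropped and optionally logged) is shown below as an added Python example. It is not the firewall's code: the rule fields mirror the Name, MAC Address, IP Addresses and Log Dropped Packets entries above, while the sample addresses, the bidirectional lookup and the log line format are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BindRule:
    """One row of the IP/MAC binding table (fields as named in the manual)."""
    name: str
    mac: str
    ip: str
    log_dropped: bool = True


# Constructed binding table; sample addresses, not from any real network.
RULES = [
    BindRule("fileserver", "00:1b:2f:aa:bb:01", "192.168.1.11"),
    BindRule("printer", "00:1b:2f:aa:bb:02", "192.168.1.12", log_dropped=False),
]


def normalize_mac(mac):
    """Accept 00-1B-2F-.. or 00:1b:2f:.. and compare in one canonical form."""
    return mac.lower().replace("-", ":")


def build_index(rules):
    """Index rules both ways so a packet can be matched by IP or by MAC."""
    by_ip = {rule.ip: rule for rule in rules}
    by_mac = {normalize_mac(rule.mac): rule for rule in rules}
    return by_ip, by_mac


def check_packet(src_ip, src_mac, index):
    """Return (action, log_entry): action is 'forward' or 'drop'; log_entry is a
    string only when a rule with Log Dropped Packets enabled caused the drop."""
    by_ip, by_mac = index
    mac = normalize_mac(src_mac)
    rule = by_ip.get(src_ip) or by_mac.get(mac)
    if rule is None:
        return "forward", None          # no binding covers this host
    if rule.ip == src_ip and normalize_mac(rule.mac) == mac:
        return "forward", None          # both halves of the binding agree
    entry = None
    if rule.log_dropped:
        entry = (f"IP/MAC binding '{rule.name}': dropped packet ip={src_ip} mac={mac} "
                 f"(bound to {rule.ip}/{normalize_mac(rule.mac)})")
    return "drop", entry


if __name__ == "__main__":
    index = build_index(RULES)
    print(check_packet("192.168.1.11", "00-1B-2F-AA-BB-01", index))
    print(check_packet("192.168.1.11", "00:1b:2f:aa:bb:99", index))
    print(check_packet("192.168.1.50", "00:1b:2f:aa:bb:02", index))
```

The second and third calls show both directions of the check: a known IP from a foreign MAC, and a bound MAC claiming an IP it was not given. Only the first of those produces a log entry, because the printer rule has Log Dropped Packets turned off.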
Without port triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the port forwarding rules. Note these restrictions with port triggering:
• Only one PC can use a port triggering application at any time.
• After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC.
a. Enter the Start Port range (1 - 65534).
b. Enter the End Port range (1 - 65534).
6. In the Incoming (Response) Port Range fields:
a. Enter the Start Port range (1 - 65534).
b. Enter the End Port range (1 - 65534).
7. Click Add. The Port Triggering Rule will be added to the Port Triggering table.
To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen displays.
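To make the two restrictions listed above concrete (one PC at a time, and a time-out before another PC can take over), here is an added Python model of a port triggering rule. It is not the FVS318G's implementation: the Outgoing and Incoming port ranges and their 1 - 65534 limits come from the procedure above, while the timeout value, the method names and the sample addresses are assumptions made for the example.

```python
class PortTriggerRule:
    """Model of one Port Triggering rule: outbound traffic from a LAN host to the
    trigger (outgoing) range opens the response (incoming) range for that host only,
    until the rule has been idle for `timeout` seconds (timeout is an assumption)."""

    def __init__(self, name, out_start, out_end, in_start, in_end, timeout=300):
        for port in (out_start, out_end, in_start, in_end):
            if not 1 <= port <= 65534:            # range accepted by the screen
                raise ValueError(f"port {port} outside 1-65534")
        if out_start > out_end or in_start > in_end:
            raise ValueError("start port must not exceed end port")
        self.name = name
        self.out_range = (out_start, out_end)
        self.in_range = (in_start, in_end)
        self.timeout = timeout
        self.active_host = None        # the single PC currently owning the trigger
        self.last_activity = None

    def _expired(self, now):
        return self.active_host is None or now - self.last_activity >= self.timeout

    def outbound(self, src_ip, dst_port, now):
        """LAN host sends to dst_port. Returns True if the trigger now belongs to src_ip."""
        if not self.out_range[0] <= dst_port <= self.out_range[1]:
            return False
        if self.active_host not in (None, src_ip) and not self._expired(now):
            return False               # another PC still owns the trigger
        self.active_host = src_ip
        self.last_activity = now
        return True

    def inbound(self, dst_port, now):
        """Unsolicited packet from the WAN to dst_port: return the LAN host it is
        forwarded to, or None if no host currently owns the response range."""
        if not self.in_range[0] <= dst_port <= self.in_range[1]:
            return None
        if self._expired(now):
            self.active_host = None    # time-out period has passed; rule is free
            return None
        self.last_activity = now
        return self.active_host


if __name__ == "__main__":
    rule = PortTriggerRule("sample-app", 6660, 6670, 7000, 7010, timeout=300)
    print(rule.inbound(7005, 0))                    # None: nothing triggered yet
    print(rule.outbound("192.168.1.20", 6665, 10))  # True: host .20 owns the trigger
    print(rule.inbound(7005, 20))                   # forwarded to 192.168.1.20
    print(rule.outbound("192.168.1.21", 6665, 30))  # False: .20 still active
```

Because inbound response traffic keeps refreshing last_activity, a chatty application on one PC can hold the trigger indefinitely; that is the behaviour the "only one PC" restriction warns about, and it is why port forwarding rather than triggering suits servers that several hosts must reach.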
To check the status of the port triggering rules, click the Status option arrow on the Port Triggering screen.
Figure 4-26
Configuring UPnP (Universal Plug and Play)
The UPnP (Universal Plug and Play) feature allows the VPN firewall to automatically discover and configure devices when it searches over the LAN and WAN.
1. To access the UPnP screen, click Security > UPnP in the main/submenu. The UPnP screen is displayed.
Figure 4-27
2.
3. Configure the following fields:
– Advertisement Period. Enter the period in minutes that specifies how often the VPN firewall should broadcast its UPnP information to all devices within its range.
– Advertisement Time to Live. Enter a number that specifies how many steps (hops) each UPnP packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range.
4. Click Apply to save your settings.
Administrator Tips
Consider the following operational items:
• As an option, you can enable remote management if you have to manage distant sites from a central location (see “Configuring an External Server for Authentication” on page 6-11).
Chapter 5
Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the ProSafe Gigabit 8 Port VPN Firewall FVS318G.
Creating Gateway to Gateway VPN Tunnels with the Wizard
Figure 5-1
Follow these steps to set up a gateway VPN tunnel using the VPN Wizard.
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen displays.
Figure 5-2
To view the wizard default settings, click the VPN Wizard Default Values option arrow. You can modify these settings after completing the wizard.
2. Select Gateway as your connection type.
3. Create a Connection Name. Enter a descriptive name for the connection. This name is used to help you manage the VPN settings; it is not supplied to the remote VPN endpoint.
4. Enter a Pre-shared Key.
8. Click Apply to save your settings. The VPN Policies screen shows that the policy is now enabled.
Figure 5-3
9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured.
To display the status of your VPN connections, select VPN from the main menu and Connection Status from the submenu. The Connection Status screen displays.
Creating a Client to Gateway VPN Tunnel
Figure 5-5
Follow these steps to configure a VPN client tunnel:
• Configure the client policies on the gateway.
• Configure the VPN client to connect to the gateway.
Use the VPN Wizard to Configure the Gateway for a Client Tunnel
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen displays (see Figure 5-6 on page 5-6).
Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive.
Figure 5-6
7. Click Apply to save your settings. The VPN Policies screen (see Figure 5-7 on page 5-7) shows that the policy is now enabled. To view or modify the VPN policy, see “Managing VPN Policies” on page 5-15.
Figure 5-7
Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection
From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the VPN firewall. Follow these steps to configure your VPN client.
1. Right-click on the VPN client icon in your Windows toolbar, choose Security Policy Editor, and verify that the Options > Secure > Specified Connections selection is enabled.
2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1.
Figure 5-9
Fill in the other options according to the instructions below.
• Under Connection Security, verify that the Secure radio button is selected.
• From the ID Type pull-down menu, choose IP Subnet.
3. In the left frame, click My Identity. Fill in the options according to the instructions below.
Figure 5-10
• From the Select Certificate pull-down menu, choose None.
• Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using “r3m0+eC1ient.”
• From the ID Type pull-down menu, choose Domain Name.
• Leave Virtual Adapter disabled.
Figure 5-11
• In the left frame, click Security Policy to view the settings: no changes are needed.
• In the left frame, expand Authentication (Phase 1) and click Proposal 1: no changes are needed.
• In the left frame, expand Key Exchange (Phase 2) and click Proposal 1. No changes are needed.
5. In the upper left of the window, click the disk icon to save the policy.
Within 30 seconds you should receive the message “Successfully connected to My Connections\gw1”.
Figure 5-13
The VPN client icon in the system tray should state On:
2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps.
• Right-click the VPN Client icon in the system tray and select Log Viewer.
• Right-click the VPN Client icon in the system tray and select Connection Monitor.
Figure 5-15
Note: The information in the Connection Monitor screen in Figure 5-15 does not correspond to the configuration that is presented in “Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection” on page 5-7.
The VPN client system tray icon provides a variety of status indications, which are listed below.
Table 5-1.
VPN Firewall VPN Connection Status and Logs
To view VPN firewall VPN connection status, select VPN from the main menu and Connection Status from the submenu. The VPN Connection Status screen displays.
Figure 5-16
Note: The information in the VPN Connection Status screen in Figure 5-16 does not correspond to the example configurations that are presented in this chapter.
To view VPN firewall VPN logs, select Monitoring from the main menu and VPN Logs from the submenu. The VPN Logs screen displays.
Figure 5-17
Managing VPN Policies
When you use the VPN Wizard to set up a VPN tunnel, both a VPN policy and an IKE policy are established and populated in both policy tables. The name you selected as the VPN tunnel connection name during Wizard setup identifies both the VPN policy and IKE policy.
IKE policies are activated when:
1. The VPN Policy Selector determines that some traffic matches an existing VPN policy. If the VPN policy is of type “Auto”, then the auto policy settings that are defined in the VPN policy are accessed, which specify which IKE policy to use.
2.
Each policy that is listed in the List of IKE Policies table contains the following data:
• Name. Uniquely identifies each IKE policy. The name is chosen by you and used for the purpose of managing your policies; it is not supplied to the remote VPN Server.
• Mode. Two modes are available: either “Main” or “Aggressive”.
– Main Mode is slower but more secure.
– Aggressive mode is faster but less secure.
Manually Adding or Editing an IKE Policy
To manually add an IKE policy:
1. Select VPN from the main menu and Policies from the submenu. The Policies submenu tabs appear with the IKE Policies screen in view (see Figure 5-18 on page 5-16).
2. Under the List of IKE Policies table, click the add button. The Add IKE Policy screen is displayed.
Figure 5-19
3. Complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 5-2.
Table 5-2. Add IKE Policy Settings
Item: Description (or Subfield and Description)
Mode Config Record: Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a Mode Config Record. For information about how to define a Mode Config Record, see “Mode Config Operation” on page 5-44.
Table 5-2. Add IKE Policy Settings (continued)
Item: Description (or Subfield and Description)
Local Identifier Type: From the pull-down menu, select one of the following ISAKMP identifiers to be used by the VPN firewall, and then specify the identifier in the field below:
• Local Wan IP. The WAN IP address of the VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
Table 5-2. Add IKE Policy Settings (continued)
Item: Description (or Subfield and Description)
Authentication Method: Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
• RSA-Signature. Uses the active Self Certificate that you uploaded on the Certificates screen (see “Managing Certificates” on page 5-30).
Table 5-2. Add IKE Policy Settings (continued)
Item: Description (or Subfield and Description)
Extended Authentication: XAUTH Configuration
Note: For more information about XAUTH and its authentication modes, see “Configuring XAUTH for VPN Clients” on page 5-39.
4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.
Configuring VPN Policies
You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
• Manual. All settings (including the keys) for the VPN tunnel are manually entered at each end (both VPN Endpoints). No third-party server or organization is involved.
• Auto.
2. Click the VPN Policies tab. The VPN Policies screen is displayed.
Figure 5-20
Only one client policy may be configured at a time (noted by an “*” next to the policy name). The List of VPN Policies contains the following fields:
• ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To enable or disable a policy, check the radio box adjacent to the circle and click Enable or Disable, as required.
To delete one or more VPN policies:
1. Select the checkbox to the left of the policy that you want to delete, or click the select all table button to select all VPN policies.
2. Click the delete table button.
To enable or disable one or more VPN policies:
1. Select the checkbox to the left of the policy that you want to enable or disable, or click the select all table button to select all VPN policies.
2. Click the enable or disable table button.
Figure 5-21
4. Complete the fields, select the radio buttons and checkboxes, and make your selections from the pull-down menus as explained in Table 5-3 on page 5-27.
Table 5-3. Add VPN Policy Settings
Item: Description (or Subfield and Description)
General
Policy Name: A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Policy Type: From the pull-down menu, select one of the following policy types:
• Auto Policy.
Table 5-3. Add VPN Policy Settings (continued)
Item: Description (or Subfield and Description)
Traffic Selection
Local IP: From the pull-down menu, select the address or addresses that are part of the VPN tunnel on the VPN firewall:
• Any. All PCs and devices on the network. Note: You cannot select Any for both the VPN firewall and the remote endpoint.
• Single. A single IP address on the network.
Table 5-3. Add VPN Policy Settings (continued)
Item: Description (or Subfield and Description)
Integrity Algorithm: From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Key-In: The integrity key for the inbound policy.
Table 5-3. Add VPN Policy Settings (continued)
Item: Description (or Subfield and Description)
PFS Key Group: Select this checkbox to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the pull-down menu. The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the pull-down menu, select one of the following three strengths:
• Group 1 (768 bit).
Digital Certificates can be either self-signed or issued by Certification Authorities (CA), such as via an in-house Windows server or by an external organization such as Verisign or Thawte. However, if the Digital Certificates contain the extKeyUsage extension, then the certificate must be used for one of the purposes defined by the extension.
Understanding the Certificates Screen
To display the Certificates screen, select VPN from the main menu and Certificates from the submenu. Because of the large size of this screen, and because of the way the information is presented, the Certificates screen is divided and presented in this manual in different figures.
To view the VPN certificates: Select VPN from the main menu and Certificates from the submenu. The Certificates screen displays. The top section of the Certificates screen displays the Trusted Certificates (CA Certificates) section.
Figure 5-22
When you obtain a self certificate from a CA, you will also receive the CA certificate. In addition, many CAs make their certificates available on their Websites.
There can be three reasons why a security alert is generated for a security certificate:
• The security certificate was issued by a company you have not chosen to trust.
• The date of the security certificate is invalid.
• The name on the security certificate is invalid or does not match the name of the site.
When a security alert is generated, the user can decide whether or not to trust the host.
• Issuer Name. The name of the CA that issued the certificate.
• Expiry Time. The date on which the certificate expires. You should renew the certificate before it expires.
Obtaining a Self Certificate from a Certificate Authority
To use a self certificate, you must first request the certificate from the CA, then download and activate the certificate on your system.
2. Configure the following fields:
• Name. Enter a descriptive name that will identify this certificate.
• Subject. This is the name which other organizations will see as the holder (owner) of the certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. (Using the same name, or a derivation of the name, in the Title field would be useful.)
3.
6. In the Self Certificate Requests table, click view in the Action column to view the request.
Figure 5-27
7. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from “----BEGIN CERTIFICATE REQUEST---” to “---END CERTIFICATE REQUEST---”.
8. Submit your certificate request to a CA:
a. Connect to the website of the CA.
b. Start the Self Certificate request procedure.
c.
If you have not already uploaded the CA certificate, do so now, as described in “Viewing and Loading CA Certificates” on page 5-32. You should also periodically check the Certificate Revocation Lists (CRL) table, as described in the following section.
Managing your Certificate Revocation List (CRL)
A CRL (Certificate Revocation List) file shows certificates that have been revoked and are no longer valid. Each CA issues its own CRLs.
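The three security-alert reasons listed earlier (untrusted issuer, invalid date, name mismatch) plus the revocation check that a CRL adds are shown together in the following added Python example. It is not the firewall's certificate code and does no ASN.1 parsing: each certificate is a plain dict of the fields the Certificates screen displays (Subject, Issuer Name, Expiry Time, plus a constructed serial number and subject alternative names), the trust store and CRL are constructed sets, and the wildcard rule (one leftmost label only) is the common browser behaviour, stated here as an assumption.

```python
from datetime import datetime, timezone


def hostname_matches(pattern, hostname):
    """Case-insensitive exact match, or a '*.' wildcard that covers exactly one
    leftmost label (so *.branch.example.com matches a.branch.example.com but not
    a.b.branch.example.com). This rule is an assumption for the example."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), hostname.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def certificate_alerts(cert, hostname, trusted_issuers, crl, now):
    """Return the list of alert reasons for `cert` presented by `hostname`;
    an empty list means no security alert would be generated."""
    alerts = []
    if cert["issuer"] not in trusted_issuers:
        alerts.append("untrusted-issuer")       # issued by a CA you have not chosen to trust
    if not (cert["not_before"] <= now <= cert["not_after"]):
        alerts.append("invalid-date")           # not yet valid or already expired
    names = cert.get("san") or [cert["subject_cn"]]
    if not any(hostname_matches(name, hostname) for name in names):
        alerts.append("name-mismatch")          # name does not match the site
    if cert["serial"] in crl.get(cert["issuer"], set()):
        alerts.append("revoked")                # listed in the issuing CA's CRL
    return alerts


# Constructed trust store and CRL (issuer name -> set of revoked serial numbers).
TRUSTED_ISSUERS = {"Example Internal CA"}
SAMPLE_CRL = {"Example Internal CA": {"1002"}}

# Constructed certificates; values are samples, not real certificates.
GOOD_CERT = {
    "subject_cn": "vpn.example.com",
    "san": ["vpn.example.com", "*.branch.example.com"],
    "issuer": "Example Internal CA",
    "serial": "1001",
    "not_before": datetime(2010, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2011, 1, 1, tzinfo=timezone.utc),
}
STALE_CERT = {
    "subject_cn": "vpn.example.com",
    "issuer": "Unknown CA",
    "serial": "77",
    "not_before": datetime(2008, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2009, 1, 1, tzinfo=timezone.utc),
}
REVOKED_CERT = dict(GOOD_CERT, serial="1002")

NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, cert in [("good", GOOD_CERT), ("stale", STALE_CERT), ("revoked", REVOKED_CERT)]:
        print(name, certificate_alerts(cert, "vpn.example.com", TRUSTED_ISSUERS, SAMPLE_CRL, NOW))
```

The revoked case is the one the CRL table exists for: the certificate is otherwise perfectly valid, so only a current CRL from the issuing CA can catch it, which is why the manual asks you to check that table periodically.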
Configuring Extended Authentication (XAUTH)
When connecting many VPN clients to a VPN gateway router, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the VPN gateway router to authenticate users from a stored list of user accounts.
2. You can add XAUTH to an existing IKE policy by clicking the edit button adjacent to the policy to be modified, or you can create a new IKE policy incorporating XAUTH by clicking add. (Figure 5-29 shows the Add IKE Policy screen.)
Figure 5-29
3. In the Extended Authentication section of the Add IKE Policy (or Edit IKE Policy) screen, select the Authentication Type from the pull-down menu which will be used to verify user account information.
– User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “Configuring the User Database for XAUTH” on page 5-41).
– RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the VPN firewall will first check in the User Database to see if the user credentials are available.
2. Enter a User Name. This is the unique ID of a user which will be added to the User Name database.
3. Enter a Password for the user, and reenter the password in the Confirm Password field.
4. Click add. The user name will be added to the Configured Users table.
To edit the user name or password:
1. Click the edit button adjacent to the user that you want to modify. The Edit User screen displays.
2.
Figure 5-31
3. Enable the primary RADIUS server by checking the Yes radio box.
4. Enter the primary RADIUS Server IP Address.
5. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
6. Enter the Primary Server NAS Identifier (Network Access Server). This identifier must be present in a RADIUS request.
8. Set the Time Out Period, in seconds, that the VPN firewall should wait for a response from the RADIUS server.
9. Set the Maximum Retry Count. This is the number of attempts that the VPN firewall will make to contact the RADIUS server before giving up.
10. Click Reset to cancel any changes and revert to the previous settings, or click Apply to save the settings.
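The RADIUS–PAP and RADIUS–CHAP choices in the XAUTH section, and the Secret Phrase and NAS Identifier entered in the RADIUS procedure above, come together in the Access-Request exchange. The following Python example is added here to show both sides of that exchange as RFC 2865 defines it; it is not the FVS318G's RADIUS client. It builds an Access-Request carrying User-Name, NAS-Identifier and either a User-Password hidden with the shared secret (PAP) or a CHAP-Password/CHAP-Challenge pair, then verifies it the way a server would. The user database, secret, authenticator and attribute values are constructed sample data.

```python
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute types from RFC 2865.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IDENTIFIER, CHAP_CHALLENGE = 1, 2, 3, 32, 60


def _attr(attr_type, value):
    """One RADIUS attribute: type, total length (including this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Walk the attribute list after the 20-byte header into a {type: value} dict."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple (minimum 16) and XOR each block with
    MD5(secret + previous block), the first block using the Request Authenticator."""
    n = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, n, 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def pap_decrypt(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def chap_response(ident, password, challenge):
    """RFC 2865 5.3: CHAP-Password = ident || MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_access_request(identifier, request_auth, secret, username, nas_id,
                         password=None, chap=None):
    """Client (NAS) side. `chap` is (ident, password, challenge) for RADIUS-CHAP."""
    attrs = _attr(USER_NAME, username) + _attr(NAS_IDENTIFIER, nas_id)
    if password is not None:
        attrs += _attr(USER_PASSWORD, pap_encrypt(password, secret, request_auth))
    if chap is not None:
        ident, chap_pw, challenge = chap
        attrs += _attr(CHAP_PASSWORD, chap_response(ident, chap_pw, challenge))
        attrs += _attr(CHAP_CHALLENGE, challenge)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def server_verify(packet, secret, user_db):
    """Server side: recover or recompute the credential and check it against a
    constructed {username: password} database. Returns ACCESS_ACCEPT or ACCESS_REJECT."""
    request_auth, attrs = packet[4:20], parse_attrs(packet)
    expected = user_db.get(attrs.get(USER_NAME, b""))
    if expected is None:
        return ACCESS_REJECT
    if USER_PASSWORD in attrs:
        ok = pap_decrypt(attrs[USER_PASSWORD], secret, request_auth) == expected
    elif CHAP_PASSWORD in attrs and CHAP_CHALLENGE in attrs:
        ident = attrs[CHAP_PASSWORD][0]
        ok = chap_response(ident, expected, attrs[CHAP_CHALLENGE]) == attrs[CHAP_PASSWORD]
    else:
        ok = False
    return ACCESS_ACCEPT if ok else ACCESS_REJECT


def response_authenticator(code, identifier, request_auth, secret, attrs=b""):
    """RFC 2865 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret), which the
    client checks so that a forged Access-Accept without the secret is rejected."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()
```

Note the asymmetry the example exposes: PAP hides the password under the shared secret, so a server configured with the wrong Secret Phrase recovers garbage and rejects the user, whereas the CHAP check itself never touches the secret. With RADIUS–CHAP the shared secret protects the exchange only through the Response Authenticator, so the client must verify it on every reply.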
Note: After configuring a Mode Config record, you must manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record pull-down menu (see “Configuring Mode Config Operation on the VPN Firewall”). You do not need to make changes to any VPN policy.
Figure 5-33
3. Enter a descriptive Record Name such as “Sales”.
4. Assign at least one range of IP pool addresses in the First IP Pool field to give to remote VPN clients.
Note: The IP pool should not be within your local network IP addresses. Use a different range of private IP addresses such as 172.20.xx.xx.
5. If you have a WINS server on your local network, enter its IP address.
6.
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are:
• SA Lifetime: 3600 seconds
• Authentication Algorithm: SHA-1
• Encryption Algorithm: 3DES
10. Click Apply. The new record should appear in the List of Mode Config Records on the Mode Config screen.
Configuring an IKE Policy for Mode Config Operation
Next, you must configure an IKE policy:
1.
Recommended settings are:
• Encryption Algorithm: 3DES
• Authentication Algorithm: SHA-1
• Diffie-Hellman: Group 2
• SA Lifetime: 3600 seconds
Figure 5-34
9. Enter a Pre-Shared Key that will also be configured in the VPN client.
10. XAUTH is disabled by default. To enable XAUTH, in the Extended Authentication section, select one of the following:
• Edge Device to use the VPN firewall as a VPN concentrator where one or more gateway tunnels terminate. (If selected, you must specify the Authentication Type to be used in verifying credentials of the remote VPN gateways.)
Configuring the ProSafe VPN Client for ModeConfig
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
Figure 5-35
Enter the following information:
a.
2. From the left side of the menu, click My Identity.
Figure 5-36
Enter the following information:
a. Click Pre-Shared Key and enter the key you configured in the VPN firewall’s Add IKE Policy screen.
b. From the Select Certificate pull-down menu, select None.
c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created; for example, “remote_id.com”.
d.
b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and select Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
c. Enable Replay Detection should be checked.
4. Click on Authentication (Phase 1) on the left side of the menu and select Proposal 1.
Figure 5-37
Enter the authentication values to match those in the VPN firewall ModeConfig Record screen.
5.
Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).)
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.
Testing the Mode Config Connection
To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and select Connect.
4. In the General section of the Edit VPN Policy screen, locate the keepalive configuration settings.
Figure 5-39
5. Click the Yes radio button to enable keepalive.
6. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests.
7. Enter the Detection Period to set the time between ICMP ping requests. The default is 10 seconds.
8.
3. In the IKE SA Parameters section of the Edit IKE Policy screen, locate the Dead Peer Detection configuration settings.
Figure 5-40
4. Click the Yes radio button to Enable Dead Peer Detection.
5. Enter the Detection Period to set the interval between consecutive DPD R-U-THERE messages. DPD R-U-THERE messages are sent only when the IPSec traffic is idle. The default is 10 seconds.
6.
2. Click the VPN Policies tab. The VPN Policies screen displays (see Figure 5-20 on page 5-24).
3. In the List of VPN Policies table, click the edit button to the right of the VPN policy that you want to edit. The Edit VPN Policy screen displays.
4. In the General section of the Edit VPN Policy screen, click the Enable NetBIOS checkbox.
Figure 5-41
5. Click Apply at the bottom of the screen.
Chapter 6 VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe Gigabit 8 Port VPN Firewall FVS318G.
VPN Firewall Features That Reduce Traffic
You can adjust the following features of the VPN firewall in such a way that the traffic load on the WAN side decreases:
• LAN WAN outbound rules (also referred to as service blocking)
• DMZ WAN outbound rules (also referred to as service blocking)
• Content filtering (blocking sites)
• Source MAC filtering
Service Blocking
You can control specific outbound traffic (for example, from LAN to WAN and from D
• WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address.
– Any. The rule applies to all Internet IP addresses.
– Single address. The rule applies to a single Internet IP address.
– Address range. The rule is applied to a range of Internet IP addresses.
• Services. You can specify the desired services or applications to be covered by a rule.
• Keyword (and Domain Name) Blocking. You can specify up to 32 words that, should they appear in the website name (that is, URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall. You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked.
Port Forwarding
The VPN firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic.
• WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address.
– Any. The rule applies to all Internet IP addresses.
– Single address. The rule applies to a single Internet IP address.
– Address range. The rule is applied to a range of Internet IP addresses.
• Destination Address.
– After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated.
See “Configuring Port Triggering” on page 4-37 for the procedure on how to use this feature.
DMZ Port
The DMZ Setup screen allows you to set up the DMZ port.
See “Specifying Quality of Service (QoS) Priorities” on page 4-26 for the procedure on how to use this feature.
Tools for Traffic Management
The VPN firewall includes several tools that can be used to monitor the traffic conditions and control who has access to the Internet and the types of traffic they are allowed to have. See “Monitoring System Performance” on page 6-23 for a discussion of the tools.
3. In the User Selection section of the screen, select either the Edit Admin Settings or Edit Guest Settings radio box.
Figure 6-1
4. In either the Admin Settings or the Guest Settings section of the screen:
a. Change the password by first entering the old password, and then entering the new password twice.
b. Click Apply to save your settings.
5. In the Local Authentication Settings section of the screen:
a.
Note: After a factory defaults reset, the password and time-out value will be changed back to password and 5 minutes, respectively.
Adding External Users
You can add external users for whom you can then configure an authentication method (see “Configuring an External Server for Authentication” on page 6-11). To add an external user:
1. Select Users from the main menu and External Authentication from the submenu.
3. Configure the following fields:
a. User Name. Enter a unique identifier, using any alphanumeric characters.
b. User Type. Select either Admin or Guest.
c. Idle Timeout. This is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
4. Click Apply to save and apply your entries. The new user appears in the Users table on the External Users screen.
To configure external authentication:
1. Select Users from the main menu and External Authentication from the submenu. The External Users screen displays.
2. Select the External Authentication tab. The External Authentication screen displays.
Figure 6-4
3. In the Enable External Authentication section of the screen, select the Yes radio button.
4. Click Apply to save the settings and enable external authentication.
5.
• Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same secret phrase must be configured on both client and server.
• Primary Server NAS Identifier. The identifier for the Network Access Server (NAS) must be present in a RADIUS request. Ensure that the NAS identifier is configured identically on both client and server.
Enabling Remote Management Access
Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall” on page 2-2).
Note: Be sure to change the default configuration password of the VPN firewall to a very secure password.
2. Check the Allow Remote Management radio box.
3. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect.
a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
c.
Note: To maintain security, the VPN firewall will reject a login that uses http://address rather than the SSL https://address.
Note: The first time that you remotely connect to the VPN firewall with a browser via SSL, you may get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate.
To create a new SNMP configuration entry:
1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen displays.
Figure 6-6
2. Under Create New SNMP Configuration Entry, enter the IP address of the SNMP manager in the IP Address field and the subnet mask in the Subnet Mask field.
When you click on the SNMP System Info option arrow on the SNMP screen, the VPN firewall’s identification information is displayed. The following identification information is available to the SNMP Manager: system contact, system location, and system name. To modify the SNMP identification information:
1. Click the SNMP System Info option arrow on the SNMP screen. The SNMP SysConfiguration screen displays.
Figure 6-7
2.
Backing Up Settings
To back up settings:
1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen displays.
Figure 6-8
2. Click backup to save a copy of your current settings. If your browser is not set up to save downloaded files automatically, locate where you want to save the file, specify a file name, and click Save.
Restoring Settings
To restore settings from a backup file:
1. On the Settings Backup and Firmware Upgrade screen, next to Restore save settings from file, click Browse.
2. Locate and select the previously saved backup file (by default, netgear.cfg).
3. When you have located the file, click restore. An Alert screen will appear indicating the status of the restore operation.
After downloading an upgrade file, you may need to unzip (uncompress) it before upgrading the VPN firewall. If Release Notes are included in the download, read them before continuing.
4. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen displays.
5. Click Browse in the Router Upgrade section.
6. Locate the downloaded file and click Upload.
Figure 6-9
2. From the Date/Time pull-down menu, select the local time zone. This is required in order for scheduling to work correctly. The VPN firewall includes a Real-Time Clock (RTC), which it uses for scheduling.
3. If supported in your region, check the Automatically Adjust for Daylight Savings Time radio box.
4. Select an NTP Server option by checking one of the following radio boxes:
• Use Default NTP Servers.
Monitoring System Performance
You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the VPN firewall, broadband port, LAN ports, and VPN tunnels.
Figure 6-10
2. In the Log Options section, enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages.
3. In the Routing Logs section, select the network segments for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
4.
• LOG_ERROR (Error conditions)
• LOG_WARNING (Warning conditions)
• LOG_NOTICE (Normal but significant conditions)
• LOG_INFO (Informational messages)
• LOG_DEBUG (Debug level messages)
10. Click Reset to cancel your changes and return to the previous settings or click Apply to save your settings.
Viewing the Logs
To view the logs:
1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu.
Table 6-2. Firewall Log Field Descriptions
• Date and Time. The date and time the log entry was recorded.
• Description or Action. The type of event and what action was taken if any.
• Source IP. The IP address of the initiating device for this log entry.
• Source port and interface. The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ.
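The severity list in step 9 and the field list in Table 6-2 meet on the collector side: a syslog receiver decodes the message priority into a facility and one of the eight severities, keeps only what is at or above the configured level, and pulls the Table 6-2 fields out of the message body. The example below is added here and is not NETGEAR code; the sample lines and their layout (identifier in the hostname position, a [segment] tag, then action and src/dst fields) are constructed for the example and are an assumption, not the FVS318G's actual log format. The PRI arithmetic (facility × 8 + severity) is the standard syslog definition.

```python
import re
from typing import List, Optional

# Syslog severity numbers 0..7; the manual's level names use this order.
SEVERITY_NAMES = ["LOG_EMERG", "LOG_ALERT", "LOG_CRIT", "LOG_ERROR",
                  "LOG_WARNING", "LOG_NOTICE", "LOG_INFO", "LOG_DEBUG"]

# Constructed sample messages (assumed layout, not a device capture):
# <PRI>timestamp log-identifier [segment] action src=IP:port(iface) dst=IP:port
SAMPLE_LOG = """\
<132>Jan 01 00:01:52 fvs-example [LAN-WAN] Dropped packet src=192.168.1.10:51234(LAN) dst=203.0.113.7:23
<134>Jan 01 00:01:53 fvs-example [WAN-LAN] Accepted packet src=198.51.100.4:443(WAN) dst=192.168.1.10:52000
<135>Jan 01 00:01:54 fvs-example [DMZ-WAN] Policy check src=172.16.0.8:80(DMZ) dst=198.51.100.9:40000
<131>Jan 01 00:02:00 fvs-example [WAN-LAN] Dropped packet src=198.51.100.77:4444(WAN) dst=192.168.1.1:22
this line is not a syslog message and must be skipped"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<ident>\S+) "
    r"\[(?P<segment>[A-Z]+-[A-Z]+)\] (?P<action>.+?) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+)\((?P<src_if>LAN|WAN|DMZ)\) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$")


def parse_line(line: str) -> Optional[dict]:
    """Decode one message into the Table 6-2 fields plus facility/severity, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 facilities * 8 + 7 is the largest valid PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "date_time": m.group("ts"),
        "log_identifier": m.group("ident"),
        "segment": m.group("segment"),
        "description": m.group("action"),
        "source_ip": m.group("src_ip"),
        "source_port": int(m.group("src_port")),
        "source_interface": m.group("src_if"),
        "dest_ip": m.group("dst_ip"),
        "dest_port": int(m.group("dst_port")),
        "facility": facility,
        "severity": SEVERITY_NAMES[severity],
        "severity_num": severity,
    }


def select(lines: List[str], min_level: str, expected_identifier: str = None) -> List[dict]:
    """Keep messages at least as severe as min_level (lower number = more severe),
    optionally only those carrying the expected Log Identifier."""
    threshold = SEVERITY_NAMES.index(min_level)
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["severity_num"] > threshold:
            continue
        if expected_identifier is not None and rec["log_identifier"] != expected_identifier:
            continue
        kept.append(rec)
    return kept


def dropped_inbound(lines: List[str]) -> List[dict]:
    """Convenience view: dropped packets that arrived on the WAN side, the rows a reviewer
    of the firewall log usually looks at first."""
    return [r for r in select(lines, "LOG_DEBUG")
            if r["description"].startswith("Dropped") and r["source_interface"] == "WAN"]
```

Choosing LOG_WARNING in step 9 corresponds to `select(lines, "LOG_WARNING")` here: informational and debug messages are discarded before they are stored or e-mailed, while the dropped-packet records survive.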
• Increase this month limit by. Temporarily increase the traffic limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so that the increase is only applied once.)
• This month limit. Displays the limit for the current month.
Figure 6-12
3.
• Restart Traffic Counter at a Specific Time. Restart the traffic counter at a specific time and day of the month. Fill in the time fields and choose AM or PM and the day of the month from the pull-down menus.
• Send e-mail report before restarting counter. An email report will be sent just before restarting the counter.
Viewing the VPN Firewall Configuration and System Status
The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen displays. This screen displays current settings and statistics for your VPN firewall. Because this information is read-only, any changes must be made on other screens.
Figure 6-14
Table 6-3.
Table 6-3. Router Status Fields (continued)
• LAN Port. Displays the current settings for MAC address, IP address, DHCP status and IP subnet mask that you set in the LAN IP Setup screen. DHCP can be either Enabled or Disabled.
• Broadband Configuration.
– WAN Mode: Single Port is the only possible option.
– WAN State: UP or DOWN.
– NAT: Enabled or Disabled.
– Connection Type: Static IP, DHCP, PPPoE, or PPTP.
For each interface (Broadband, LAN, and DMZ), the number of transmitted (Tx Pkts) and received (Rx Pkts) packets, the number of collided packets, the transmitted (Tx B/s) and received (Rx B/s) bytes per second, and the interface up-time are shown.
To set the poll interval:
1. Click the Stop button.
2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds, the maximum is 5 minutes).
3.
Monitoring Attached Devices
The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen:
1. Select Network Configuration from the main menu and LAN Settings from the submenu.
2. Select the LAN Groups tab. The LAN Groups screen displays.
Figure 6-17
The Known PCs and Devices table lists the entries in the Network Database.
The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed:
Table 6-4. Known PCs and Devices options
• Name. The name of the PC or device. Sometimes, this cannot be determined, and will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
• IP Address. The current IP address.
The Active IPsec (SA)s table lists each active connection with the following information:
Table 6-5. IPsec Connection Status Fields
• Policy Name. The name of the VPN policy associated with this SA.
• Endpoint. The IP address on the remote VPN endpoint.
• Tx (KB). The amount of data transmitted over this SA.
• Tx (Packets). The number of IP packets transmitted over this SA.
• State. The current status of the SA.
Viewing the DHCP Log
To display the DHCP log:
1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen displays.
2. Click the DHCP Log option arrow in the upper right-hand section of the screen. The DHCP Log popup screen displays.
Figure 6-20
To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
To view the most recent entries, click refresh.
Table 6-6. Port Triggering Status Data
• Rule. The name of the rule.
• LAN IP Address. The IP address of the PC currently using this rule.
• Open Ports. The incoming ports that are associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
• Time Remaining. The time remaining before this rule is released, and thus available for other PCs.
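The Table 6-6 columns and the earlier remark that a rule stays reserved for one PC until a time-out releases it describe a small state machine. The following added example (not NETGEAR code and not how the FVS318G implements it internally) models that behaviour: outbound traffic to a rule's trigger port leases the rule to the sending LAN IP, inbound traffic on the rule's open ports is forwarded to that IP only, a second PC is refused while the lease is held, and the lease is released when the time-out elapses. The rule names, ports and addresses are constructed for the example, and the assumption that traffic on the open ports refreshes the timer is the example's own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_port: int          # outbound destination port that arms the rule
    open_ports: Tuple[int, ...]  # inbound ports opened toward the triggering PC
    timeout: int               # idle seconds before the rule is released to other PCs


@dataclass
class _Lease:
    lan_ip: str
    expires_at: float


class FakeClock:
    """Settable clock so the time-out behaviour can be exercised deterministically."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class PortTriggerTable:
    def __init__(self, rules: Sequence[TriggerRule], clock: Callable[[], float]) -> None:
        self._rules: Dict[str, TriggerRule] = {r.name: r for r in rules}
        self._clock = clock
        self._leases: Dict[str, _Lease] = {}   # rule name -> current holder

    def _expire(self) -> None:
        """Release every lease whose time-out has elapsed."""
        now = self._clock()
        for name in [n for n, lease in self._leases.items() if lease.expires_at <= now]:
            del self._leases[name]

    def outbound(self, lan_ip: str, dst_port: int) -> Optional[str]:
        """Outbound packet from lan_ip to dst_port. Returns the rule it armed, or None when
        no rule matches or the matching rule is still leased to a different PC."""
        self._expire()
        for rule in self._rules.values():
            if rule.trigger_port != dst_port:
                continue
            lease = self._leases.get(rule.name)
            if lease is None or lease.lan_ip == lan_ip:
                self._leases[rule.name] = _Lease(lan_ip, self._clock() + rule.timeout)
                return rule.name
            return None   # held by another PC until its time-out releases it
        return None

    def inbound(self, dst_port: int) -> Optional[str]:
        """Inbound packet on dst_port: the LAN IP to forward it to, or None (dropped)."""
        self._expire()
        for name, lease in self._leases.items():
            rule = self._rules[name]
            if dst_port in rule.open_ports:
                lease.expires_at = self._clock() + rule.timeout   # activity refreshes the lease (assumption)
                return lease.lan_ip
        return None

    def status(self) -> List[dict]:
        """One row per active lease, with the Table 6-6 columns."""
        self._expire()
        now = self._clock()
        return [{"rule": name, "lan_ip": lease.lan_ip,
                 "open_ports": self._rules[name].open_ports,
                 "time_remaining": int(lease.expires_at - now)}
                for name, lease in self._leases.items()]
```

The security property worth noticing is that the open ports are never reachable from the WAN unless a LAN host has just used the trigger port, and then only for that host; the time-out is what bounds how long that window stays open after the application has gone quiet.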
Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Gigabit 8 Port VPN Firewall FVS318G.
Power LED Not On
If the Power and other LEDs are off when your VPN firewall is turned on:
• Make sure that the power cord is properly connected to your VPN firewall and that the power supply adapter is properly connected to a functioning power outlet.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.
If the error persists, you have a hardware problem and should contact technical support.
Troubleshooting the Web Configuration Interface
If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the VPN firewall as described in the previous section.
• Make sure your PC’s IP address is on the same subnet as the VPN firewall.
If the VPN firewall does not save changes you have made in the Web Configuration Interface, check the following:
• When entering configuration settings, be sure to click the Apply button before moving to another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
• Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name on the Broadband ISP Settings screen (see Figure 2-2 on page 2-4).
• Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address.
Pinging with 32 bytes of data
If the path is working, you will see this message:
Reply from : bytes=32 time=NN ms TTL=xxx
If the path is not working, you will see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections
– Make sure the LAN port LED is on.
– If your ISP assigned a host name to your PC, enter that host name as the Account Name on the Broadband ISP Settings screen (see Figure 2-2 on page 2-4).
– Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs.
Problems with the date and time function can include:
• Date and time shown is Thu Jan 01 00:01:52 GMT 1970. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes and check the date and time again.
• Time is off by one hour.
Table 7-1. Diagnostics
• Ping or Trace an IP Address.
– Ping. Used to send a ping packet request to a specified IP address—most often, to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Appendix A Default Settings and Technical Specifications
You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset.
• To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below.
• Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B Two Factor Authentication
This appendix provides an overview of Two-Factor Authentication, and an example of how to implement the WiKID solution. This appendix contains the following sections:
• “Why do I need Two-Factor Authentication?” on this page.
• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication process for many corporations and enterprises worldwide.
The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works.
1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know) and then presses “continue” to receive the OTP from the WiKID authentication server:
Figure B-1
2.
Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it is expired, the user must go through the request process again to generate a new OTP.
3. The user then proceeds to the Two-Factor Authentication login page and enters the generated one-time passcode as the login password.
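The two properties the note states, that a passcode is accepted once and only before it expires, are easy to get wrong on the server side, so here is an added example of a minimal request/response passcode server that enforces both. It is illustrative code written for this manual page, not WiKID's product or protocol: the PIN check, the six-digit passcode, the 60-second lifetime and the user names are all assumptions of the example.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

OTP_LIFETIME_SECONDS = 60   # assumed lifetime for the example, not a WiKID value


class FakeClock:
    """Settable clock so expiry can be tested without waiting."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class OneTimePasscodeServer:
    """Request/response OTP: the user proves the PIN (something they know) to obtain a
    short-lived passcode, which the login page then accepts exactly once."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 lifetime: int = OTP_LIFETIME_SECONDS) -> None:
        self._clock = clock
        self._lifetime = lifetime
        self._pins: Dict[str, str] = {}                  # user -> PIN (a real server stores a salted hash)
        self._issued: Dict[str, Tuple[str, float]] = {}  # user -> (passcode, expires_at)

    def enroll(self, user: str, pin: str) -> None:
        self._pins[user] = pin

    def request_passcode(self, user: str, pin: str) -> Optional[str]:
        """Step 1 of the manual's walkthrough: PIN in, passcode out. A wrong PIN yields nothing."""
        stored = self._pins.get(user)
        if stored is None or not hmac.compare_digest(stored, pin):
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"       # CSPRNG, never predictable from the last one
        self._issued[user] = (code, self._clock() + self._lifetime)
        return code

    def verify(self, user: str, code: str) -> bool:
        """Step 3: the passcode is consumed on the first attempt, so a replay fails, and
        an attempt after the expiration time fails even if the value is right."""
        entry = self._issued.pop(user, None)              # one attempt per issued passcode
        if entry is None:
            return False
        issued_code, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(issued_code, code)
```

Consuming the entry before comparing means a wrong guess also burns the passcode, which is the behaviour you want against online guessing; the user simply requests a new one, as the note above says they must do after expiry.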
Appendix C Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
• TCP/IP Networking Basics: http://documentation.netgear.com/reference/enu/tcpip/index.htm
• Wireless Networking Basics: http://documentation.netgear.com/reference/enu/wireless/index.htm
• Preparing Your Network: http://documentation.netgear.com/reference/enu/wsdhcp/index.
Index Numerics IKE Policy 5-17 Authentication Header VPN Policy 5-24 3322.
certificates CRL 5-32 management of 5-35 trusted (CA certificates) 5-32 default user name 1-8, 2-2 denial of service attack 4-21 Denial of Service. See DoS.
Domain Name router 3-4, 3-13 factory default settings revert to 6-18 Domain Name Blocking 4-31 Firewall Logs emailing of 4-41, 6-23 field descriptions 6-27 setting up 6-23 viewing 6-26 Domain Name Servers. See DNS. DoS about protection 1-2 attack 4-21 DPD 5-21 Firewall Logs & E-mail screen 4-41, 6-23 Dynamic DNS. See DDNS firmware downloading 6-20 upgrade 6-20 DynDNS.
default definition 4-2 example 4-16 field descriptions 4-6 order of precedence 4-8 Port Forwarding 4-3, 4-5 rules for use 4-5 Inbound Services field descriptions 4-6 increasing traffic 6-4 DMZ port 6-7 Port Forwarding 6-5 Port Triggering 6-6 VPN tunnels 6-7 installation 1-4 Installation, instructions for 2-1 Interior Gateway Protocol. See IGP.
M MAC address 7-7 blocked, adding 4-33 configuring 2-5 format of 2-14 spoofing 7-5 main menu 2-3 MD5 IKE polices 5-20 VPN policies 5-29 ModeConfig 5-44 about 5-44 assigning remote addresses, example 5-44 Client Configuration 5-50 IKE Policies menu, configuring 5-45 menu, configuring 5-45 record 5-19 testing Client 5-53 monitoring devices 6-33 by DHCP Client Requests 3-6, 6-33 by Scanning the Network 3-6, 6-33 MTU Size 2-13 advantages of 3-6 Netw
service blocking 4-3 WiKID 6-11 Port Forwarding Inbound Rules 4-3, 4-5 increasing traffic 6-5 rules, about 4-5 RADIUS Server about 5-42 configuring 5-42 Edge Device 5-39 port numbers 4-24 RADIUS-CHAP 5-39, 5-41 AUTH, using with 5-39 Port Speed 2-13 Port Triggering about 4-37 adding a rule 4-38 increasing traffic 6-6 modifying a rule 4-39 rules of use 4-38 status 6-36 RADIUS-PAP 5-39, 5-41 XAUTH, using with 5-39 Port Triggering screen 4-38,
Routing Information Protocol. See RIP. Simple Network Management Protocol. See SNMP.
TCP/IP network, troubleshooting 7-5 technical specifications A-1 Time daylight savings, troubleshooting 7-8 setting 6-21 troubleshooting 7-7 V VoIP (voice over IP) sessions 4-23 VPN Client configuring 5-5 VPN firewall Connecting 2-1 Time Zone setting of 6-21 VPN Logs monitoring 6-35 Time Zone screen 6-21 VPN Logs screen 6-35 ToS. See QoS.
Web Components 4-30 blocking 4-33 filtering, about 4-30 Web configuration troubleshooting 7-3 WiKID 6-11 authentication, overview B-1 WinPoET 2-7 WINS server 3-4, 3-13 X XAUTH IKE policies 5-22 IPSec Host 5-39 types of 5-39