ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA August 2006 202-10062-04 v1.
© 2006 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
OpenSSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc.
Product and Publication Details
Model Number: FVX538
Publication Date: August 2006
Product Family: VPN Firewall
Product Name: ProSafe VPN Firewall 200
Home or Business Product: Business
Language: English
Publication Part Number: 202-10062-04
Publication Version Number: 1.0
Contents
About This Manual
Conventions, Formats and Scope, page xiii
How to Use This Manual, page xiv
How to Print this Manual, page xiv
Revision History
Programming the Traffic Meter (if Desired), page 2-7
Configuring the WAN Mode (Required for Dual WAN), page 2-10
Setting Up Auto-Rollover Mode, page 2-11
Setting Up Load Balancing, page 2-13
Configuring Dynamic DNS (If Needed)
Inbound Rules Examples, page 4-16
LAN WAN Inbound Rule: Hosting A Local Public Web Server, page 4-16
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses, page 4-17
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping, page 4-17
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host, page 4-19
Outbound Rules Example
Configuring the VPN Client, page 5-22
Testing the Connection, page 5-26
Certificate Authorities, page 5-27
Generating a Self Certificate Request, page 5-28
Uploading a Trusted Certificate
Router Upgrade, page 6-15
Setting the Time Zone, page 6-16
Monitoring the Router, page 6-17
Enabling the Traffic Meter
Internet Configuration Requirements, page C-3
Where Do I Get the Internet Configuration Parameters?, page C-4
Internet Connection Information Form, page C-5
Overview of the Planning Process, page C-6
Inbound Traffic
About This Manual
The NETGEAR® ProSafe™ VPN Firewall 200 FVX538 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills.
Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs.
• Typographical Conventions.
• Scope. This manual is written for the VPN firewall according to the following specifications:
Product Version: ProSafe VPN Firewall 200
Manual Publication Date: August 2006
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, “Related Documents.”
Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVX538.asp.
• Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window.
• Click the print icon in the upper left of your browser window.
Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link at the top left of any page.
• Click the Complete PDF Manual link at the top left of any page in the manual.
Chapter 1 Introduction
The ProSafe VPN Firewall 200 with eight 10/100 ports and one 10/100/1000 port connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVX538 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support.
• Login capability.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• One U Rack mountable.
Dual WAN Ports for Increased Reliability or Outbound Load Balancing
The FVX538 has two broadband WAN ports, WAN1 and WAN2, each capable of operating independently at speeds of either 10 Mbps or 100 Mbps.
• Keyword Filtering. With its URL keyword filtering feature, the FVX538 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.
• IP Address Sharing by NAT. The VPN firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
• Automatic Configuration of Attached PCs by DHCP.
• Browser-Based Management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
• Auto Detect.
• 19-inch rack mounting hardware and rubber feet.
• Category 5 (Cat5) Ethernet cable.
• Installation Guide, FVX538 ProSafe VPN Firewall 200
• Resource CD, including:
– Application Notes and other helpful information.
– ProSafe VPN Client Software – five user licenses.
– Trend Micro software evaluation.
• Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer.
Table 1-1. Object Descriptions (continued)
3. WAN Ports and LEDs
Two RJ-45 WAN ports: N-way automatic speed negotiation, Auto MDI/MDIX.
Link/Act LED, On (Green): The WAN port has detected a link with a connected Ethernet device.
Link/Act LED, Blinking (Green): Data is being transmitted or received by the WAN port.
Link/Act LED, Off: The WAN port has no link.
100 LED, On (Green): The WAN port is operating at 100 Mbps.
100 LED, Off: The WAN port is operating at 10 Mbps.
Table 1-1. Object Descriptions (continued)
6. Console Port, DB9 male connector: Port for connecting to an optional console terminal. Default baud rate is 115.2K; pinouts: (2) Tx, (3) Rx, (5) and (7) Gnd.
7. Factory Defaults, push in with a sharp object: Factory Defaults reset push button (see Appendix A, “Default Settings and Technical Specifications” for the factory defaults).
Rack Mounting Hardware
The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in Figure 1-3).
Figure 1-3
The Router’s IP Address, Login Name, and Password
Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information:
• IP Address: http://192.168.1.
Default Log In Settings
To log in to the FVX538 once it is connected:
1. Open a Web browser.
2. Enter http://192.168.1.1 as the URL.
Figure 1-5
3. Once the login screen displays (Figure 1-5), enter the following information:
• admin for User Name
• password for Password
These defaults are printed on the product label and are the same on every unit; change the password after you first log in.
Chapter 2 Connecting the FVX538 to the Internet
Typically, six steps are required to complete the basic connection of your firewall. Setting up VPN tunnels is covered in Chapter 5, “Virtual Private Networking.”
1. Connect the firewall physically to your network. Connect the cables, turn on your router and wait for the Test LED to go out. Make sure your Ethernet and LAN LEDs are lit. (See the Installation Guide, FVX538 ProSafe VPN Firewall 200 for complete steps.
2. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. (The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.)
3. Click Login.
Note: You might want to enable remote management at this time so that you can log in remotely in the future to manage the firewall (see “Enabling Remote Management Access” on page 6-10). Remote management makes the management interface reachable from the WAN side, so change the default password before enabling it.
Figure 2-1
2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support. When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table.
Table 2-1. Internet connection methods (continued)
BigPond Cable: Login (Username, Password), Login Server.
DHCP (Dynamic IP): No data is required.
Fixed (Static) IP: Static IP address, Subnet, and Gateway IP; and related data supplied by your ISP.
To configure the WAN2 ISP settings:
1. Repeat the above steps to set up the parameters for WAN2 ISP. Start by selecting the WAN2 ISP Settings tab. Next click Auto Detect on the WAN2 ISP Settings screen and then confirm the connection by clicking the WAN Status link.
2. Set up the traffic meter for WAN2 ISP, if desired. See “Programming the Traffic Meter (if Desired)” on page 2-7.
– Account Name (also known as Host Name or System Name): Enter the valid account name for the PPTP connection (usually your email “ID” assigned by your ISP). Some ISPs require entering your full email address here.
– Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave this field blank.
– Idle Timeout: Check the Keep Connected radio box to keep the connection always on.
4. If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries may cause connectivity issues.
Note: Domain Name Servers (DNS) convert Internet names such as www.google.com, www.netgear.com, etc.
Figure 2-3
2. Click Apply to apply the settings. Click Reset to return to the previous settings.
3. Select the WAN2 Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter for the WAN2 port.
Table 2-2. Traffic Meter Settings
Enable Traffic Meter: Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected by clicking the appropriate tab; the entire configuration is specific to each WAN interface.
• No Limit – If this is selected, the specified restriction will not be applied when the traffic limit is reached.
Configuring the WAN Mode (Required for Dual WAN)
The dual WAN ports of the ProSafe VPN Firewall 200 can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency).
• Auto-Rollover Mode. In this mode, the selected WAN interface is made primary and the other is the rollover link. As long as the primary link is up, all traffic is sent over the primary link.
If your ISP has allocated many IP addresses to you, and you have assigned one of these addresses to each PC, you can choose Classical Routing. Or, you can use Classical Routing for routing private IP addresses within a campus environment. Otherwise, selecting this method will not allow Internet access through this Router.
• Ping to this IP address – Enter a public IP address that will not reject the Ping request or treat the traffic as abuse. Queries are sent to this server through the WAN interface being monitored.
5. Enter a Test Period in seconds. The selected query (DNS lookup or ping) is sent once every test period. The default test period is 30 seconds.
Figure 2-4
6. Enter the Maximum Failover amount.
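A model of the auto-rollover failure detection described above, added here as an example; it is not NETGEAR firmware code. It assumes that the Maximum Failover value is the number of consecutive failed tests that triggers rollover, and that traffic returns to WAN1 as soon as WAN1 passes a test again. The probe is injected so the model runs offline on constructed outcomes; a real probe has to send the DNS query or ping out of the monitored WAN interface itself, not via whichever route is currently active, or a dead link can never be detected.

```python
"""Auto-rollover failure detection as a state machine (added example, not
NETGEAR code). Assumptions: 'Maximum Failover' is the number of consecutive
failed tests that triggers rollover, and traffic moves back to WAN1 as soon
as WAN1 passes a test again. The probe is injected so the model runs offline;
a real probe must leave via the monitored WAN interface specifically."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PRIMARY, SECONDARY = "WAN1", "WAN2"


@dataclass
class RolloverMonitor:
    probe: Callable[[str], bool]          # True if the link answered the test
    failover_after: int = 3               # consecutive failures before rollover
    active: str = PRIMARY
    failures: Dict[str, int] = field(default_factory=lambda: {PRIMARY: 0, SECONDARY: 0})
    events: List[str] = field(default_factory=list)

    def link_up(self, link: str) -> bool:
        return self.failures[link] < self.failover_after

    def tick(self) -> str:
        """Run one test period: probe each link, then choose the active link."""
        for link in (PRIMARY, SECONDARY):
            self.failures[link] = 0 if self.probe(link) else self.failures[link] + 1
        if self.active == PRIMARY and not self.link_up(PRIMARY) and self.link_up(SECONDARY):
            self.active = SECONDARY
            self.events.append("rollover to WAN2")
        elif self.active == SECONDARY and self.link_up(PRIMARY):
            # as long as the primary link is up, all traffic goes over it
            self.active = PRIMARY
            self.events.append("restored to WAN1")
        return self.active


def simulate(results: List[Tuple[bool, bool]], failover_after: int = 3):
    """Replay constructed probe outcomes, one (wan1_ok, wan2_ok) pair per test
    period; return the active link after each period plus the event list."""
    current: Dict[str, bool] = {}
    monitor = RolloverMonitor(probe=lambda link: current[link], failover_after=failover_after)
    history = []
    for wan1_ok, wan2_ok in results:
        current[PRIMARY], current[SECONDARY] = wan1_ok, wan2_ok
        history.append(monitor.tick())
    return history, monitor.events


if __name__ == "__main__":
    # constructed outcomes: WAN1 fails four test periods in a row, then recovers
    outcomes = [(True, True), (False, True), (False, True), (False, True), (False, True), (True, True)]
    print(simulate(outcomes))
```

With failover_after set to 1, a single lost probe flips the link, which is why the target should be a host that neither drops nor rate-limits the pings; with both links failing their tests, no rollover happens because there is nothing to roll over to.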
Setting Up Load Balancing
To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, both links will carry data for the protocols that are bound to them. For example, if the HTTP protocol is bound to WAN1 and the FTP protocol is bound to WAN2, then the router will automatically channel FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port.
a. Service – From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules” on page 4-2).
b. Destination Network – These settings determine which Internet locations are covered by the rule, based on their IP address.
Figure 2-6
3. Modify the parameters for the protocol binding service you selected.
4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table.
5. Click Reset to return to the previously configured settings.
Configuring Dynamic DNS (If Needed)
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names.
are provided for your convenience on the Dynamic DNS Configuration screen.) The VPN firewall firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).
Figure 2-7
2. Check the Dynamic DNS Service radio box you want to enable. The fields corresponding to the selection you have chosen will be highlighted. Each DNS service provider requires its own parameters.
3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is opposite the DNS Configuration screen name.
4.
d. If your dynamic DNS provider allows the use of wild cards in resolving your URL, you may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org.
5. Click Apply to save your configuration.
6. Click Reset to return to the previous settings.
• MTU Size – The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs you may have to reduce the MTU. But this is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
• Port Speed – In most cases, your router can automatically determine the connection speed of the Internet (WAN) port.
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200. These features can be found by selecting Network Configuration from the primary menu and LAN Setup from the submenu of the browser interface.
Configuring the LAN Setup Options
The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and allows you to configure a secondary or “multi-home” LAN IP setup in the LAN. The default values are suitable for most users and situations. These are advanced settings most usually configured by a network administrator.
To modify your LAN setup:
1. Select Network Configuration from the primary menu and LAN Setup from the submenu.
4. Check the Enable DHCP Server radio button. By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, providing TCP/IP configuration for all computers connected to the router's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, check the Disable DHCP Server radio button. Enable DHCP Server is the default. If Enabled is selected, enter the following parameters:
a.
6. Click Reset to discard any changes and revert to the previous configuration.
Note: Once you have completed the LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 4, “Firewall Protection and Content Filtering.”
Configuring Multi Home LAN IPs
If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.
Figure 3-2
Note: Additional IP addresses cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP and DNS server IPs.
To make changes to the selected entry:
1. Click Edit in the Action column adjacent to the selected entry. The Edit Secondary LAN IP Setup screen will display.
2. Modify the IP Address and Subnet Mask fields and click Apply.
3. Click Reset to discard any changes and revert to the previous settings.
Tip: The Secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by the secondary subnet.
Managing Groups and Hosts (LAN Groups)
The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this router.
– You can assign PCs to Groups and apply restrictions to each Group using the Firewall Rules screen (see “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-1).
– You can also select the Groups to be covered by the Block Sites feature (see “Setting Block Sites (Content Filtering)” on page 4-25).
– If necessary, you can also create Firewall Rules to apply to a single PC (see “Enabling Source MAC Filtering” on page 4-27).
4. Enter the IP Address that this computer or device is assigned in the IP Address field. If the IP Address Type is Reserved (DHCP Client), the router will reserve the IP address for the associated MAC address.
5. Enter the MAC Address of the computer’s network interface in the MAC Address field. The MAC address should be in the form xx:xx:xx:xx:xx:xx, using the digits 0-9 and the letters a-f (for example: 00:80:48:2a:8b:c0).
6.
4. Click Apply to save your new settings. The modified record will appear in the Known PCs and Devices table.
To edit the names of any of the eight available groups:
1. Click Edit Group Names at the upper right of the Groups and Hosts screen. The Network Database Group Names screen will display.
2. Check the radio button opposite the Group Name you want to change and type a suitable name in the field.
3.
To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see “Creating the Network Database” on page 3-6).
Note: The reserved address will not be assigned until the next time the PC contacts the firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
Figure 3-5
4. If desired, Enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router’s DMZ network. Then configure the following items:
a. Starting IP Address – This box specifies the first of the contiguous addresses in the IP address pool.
b. Ending IP Address – This box specifies the last of the contiguous addresses in the IP address pool.
c.
Static Routes
Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
Configuring Static Routes
To add or edit a static route:
1.
4. Select Active to make this route effective.
5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP.
6. Enter the Destination IP Address to the host or network to which the route leads.
7. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255.
8.
• Out Only – The router broadcasts its routing table periodically but does not accept RIP information from other routers.
• In Only – The router accepts RIP information from other routers, but does not broadcast its routing table.
Figure 3-7
3. From the RIP Version pull-down menu, select the version:
• RIP-1 – A classful routing protocol that does not include subnet information. This is the most commonly supported version.
4. Authentication for RIP2B/2M required? If you selected RIP-2B or RIP-2M, check the YES radio box to enable the feature, and enter the First Key Parameters and Second Key Parameters MD5 keys used to authenticate between routers.
Note: If the router accepts RIP information (In Only or Both) without authentication, any host on the LAN segment can send it routing updates that it will install in its routing table. Enable authentication whenever the router listens for RIP.
5. Click Reset to discard any changes and revert to the previous settings.
6. Click Save to save your settings.
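The MD5 keys configured above are used for RIP-2 keyed-MD5 authentication as specified in RFC 2082. The following is an added example of that scheme written for this page, not code from NETGEAR firmware; the key, key id, sequence number and route are constructed sample data. It shows what the setting buys you: the router only installs an update whose trailer digest was computed with the shared key, and the sequence number lets it discard replayed updates.

```python
"""RIP-2 keyed-MD5 authentication (RFC 2082): build and verify a RIP-2
Response carrying an authentication entry and digest trailer.
Added example, not NETGEAR code. Key, key id, sequence number and the
route below are constructed sample data."""
import hashlib
import hmac
import ipaddress
import struct

RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_AUTH = 0xFFFF
AUTH_KEYED_MD5 = 3      # authentication type in the leading entry
AUTH_TRAILER = 1        # authentication type in the trailer entry
DIGEST_LEN = 16         # RFC 2082 value; some vendors put 20 here, which
                        # is a known interoperability quirk, not a security one


def pad_key(key: bytes) -> bytes:
    """RFC 2082 keys are 16 octets: zero-pad short keys, truncate long ones."""
    return key[:DIGEST_LEN].ljust(DIGEST_LEN, b"\x00")


def build_response(routes, key: bytes, key_id: int, seq: int) -> bytes:
    """routes: list of (prefix, next_hop, metric). Returns the signed packet."""
    header = struct.pack("!BBH", RIP_RESPONSE, RIP_VERSION, 0)
    entries = b""
    for prefix, next_hop, metric in routes:
        net = ipaddress.IPv4Network(prefix)
        entries += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                               net.netmask.packed,
                               ipaddress.IPv4Address(next_hop).packed, metric)
    # 'packet length' is the offset of the trailer: header + auth entry + routes
    pkt_len = len(header) + 20 + len(entries)
    auth_entry = struct.pack("!HHHBBI8x", AFI_AUTH, AUTH_KEYED_MD5, pkt_len,
                             key_id, DIGEST_LEN, seq)
    unsigned = header + auth_entry + entries + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER)
    # RFC 2082: digest = MD5(packet through the trailer header || 16-byte key).
    # This is secret-suffix keyed MD5, not HMAC; it is what RIP-2 peers expect.
    digest = hashlib.md5(unsigned + pad_key(key)).digest()
    return unsigned + digest


def verify_response(packet: bytes, keys: dict, last_seq: dict) -> bool:
    """keys: {key_id: key}. last_seq: {key_id: highest accepted seq}, updated
    on success so a replayed packet is rejected. Returns True if authentic."""
    if len(packet) < 4 + 20 + 4 + DIGEST_LEN:
        return False
    afi, atype, pkt_len, key_id, auth_len, seq = struct.unpack_from("!HHHBBI", packet, 4)
    if afi != AFI_AUTH or atype != AUTH_KEYED_MD5 or auth_len != DIGEST_LEN:
        return False
    if pkt_len + 4 + DIGEST_LEN != len(packet):
        return False
    if struct.unpack_from("!HH", packet, pkt_len) != (AFI_AUTH, AUTH_TRAILER):
        return False
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(packet[:pkt_len + 4] + pad_key(key)).digest()
    if not hmac.compare_digest(expected, packet[pkt_len + 4:]):
        return False
    # replay protection: sequence number must increase per key (RFC 2082 has
    # extra rules for a router restarting at 0, omitted here)
    if seq <= last_seq.get(key_id, -1):
        return False
    last_seq[key_id] = seq
    return True


if __name__ == "__main__":
    shared = b"s3cret"                                   # constructed key
    pkt = build_response([("10.1.2.0/24", "0.0.0.0", 1)], shared, key_id=1, seq=100)
    seen = {}
    print(len(pkt), verify_response(pkt, {1: shared}, seen), verify_response(pkt, {1: shared}, seen))
```

The digest covers the routes, so an attacker on the segment cannot alter a metric or inject a prefix without the key, and cannot replay an old update past the sequence check. Both routers must hold the same key under the same key id, which is what the First and Second Key Parameters fields configure.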
will not be allowed web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions.
To enable Trend Micro:
1. Select Security from the main menu and Trend Micro from the submenu. The Trend Micro screen will display.
2. In the Do you want to enable the Antivirus Enforcement? section, check the Yes radio box.
Figure 3-8
3. Enter the Office Scan Server IP Address on the LAN.
4.
3. Click Apply to submit your changes.
Note: The Office Scan Server must also appear in the exclusion list!
Note: Follow the instructions in the Trend Micro documentation to complete the installation and configuration of the Trend Micro OfficeScan Server.
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to protect your network. These features can be found by selecting Security from the main menu and selecting Block Sites from the submenu of the browser interface. About Firewall Protection and Content Filtering The ProSafe VPN Firewall 200 provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVX538 are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
The firewall rules for blocking/allowing traffic on the VPN firewall can be applied to LAN/WAN traffic, DMZ/WAN traffic and LAN/DMZ traffic.
Table 4-1. Outbound Rules
Service Name: Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-21).
Table 4-1. Outbound Rules (continued)
QoS Priority: This setting determines the priority of a service which, in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy.
Table 4-2. Inbound Rules
Services: Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-21).
Table 4-2. Inbound Rules (continued)
QoS Priority: This setting determines the priority of a service which, in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1:
Figure 4-1
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom.
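An added example (not the firewall's own code) of the evaluation order just described: the rule table is walked from the top, the first matching rule decides, and the default policy applies when nothing matches. Inbound responses to LAN-initiated connections are admitted from a state table, which is the “except responses to requests from the LAN side” part of the default inbound rule. The Packet and Rule classes, their field names and the sample addresses are constructed for the example. The test at the end shows why Up and Down matter: the same allow and block rules give opposite answers depending on which one sits higher.

```python
"""First-match rule evaluation with default policies and a state table for
LAN-initiated connections. Added example, not FVX538 firmware code;
classes, field names and addresses are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, BLOCK = "ALLOW", "BLOCK"


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    proto: str          # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    direction: str
    action: str
    proto: str = "any"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"            # CIDR or "any"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule], default_outbound: str = ALLOW):
        self.rules = list(rules)                       # table order = precedence
        self.defaults = {"inbound": BLOCK, "outbound": default_outbound}
        # established LAN-initiated flows: (proto, lan_ip, lan_port, wan_ip, wan_port)
        self.state = set()

    def decide(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason); reason names the rule index, 'state' or 'default'."""
        if p.direction == "inbound" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return ALLOW, "state"                      # reply to a LAN request
        for i, rule in enumerate(self.rules):          # top to bottom, first match wins
            if rule.matches(p):
                self._track(p, rule.action)
                return rule.action, f"rule {i}"
        action = self.defaults[p.direction]
        self._track(p, action)
        return action, "default"

    def _track(self, p: Packet, action: str) -> None:
        if p.direction == "outbound" and action == ALLOW:
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))


if __name__ == "__main__":
    web = Rule("inbound", ALLOW, "tcp", dst="192.168.1.10/32", dport=80)
    deny = Rule("inbound", BLOCK, "tcp", src="203.0.113.0/24", dport=80)
    hit = Packet("inbound", "tcp", "203.0.113.5", 40000, "192.168.1.10", 80)
    print(Firewall([web, deny]).decide(hit), Firewall([deny, web]).decide(hit))
```

With the allow rule on top the block rule below it never fires for that subnet, so a rule meant to exclude a range from a published service has to be moved above the broader allow.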
2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply.
Figure 4-2
To make changes to an existing outbound or inbound service rule:
1. In the Action column adjacent to the rule click:
• Edit – to make any changes to the rule definition of an existing rule. The Outbound Service screen will display containing the data for the selected rule (see Figure 4-3 on page 4-9).
LAN WAN Outbound Services Rules
You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The outbound rule will block the selected application from any internal LAN IP address to any external WAN IP address according to the schedule created in the Schedule menu.
LAN WAN Inbound Services Rules
This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network.
To create a new inbound service rule:
1. Click Add under the Inbound Services Table.
out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to block all outbound traffic and enable only specific services to pass through the router by adding an Outbound services Rule.
Figure 4-5
To change the Default Outbound Policy:
1. Select Security from the main menu, Firewall Rules from the submenu and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display.
2. Click Add under the Outbound Services table. The Add DMZ WAN Outbound Services screen will display.
3. Accept the default settings to block all services or select a specific service to block from the Services pull-down menu.
4. Click Apply.
ProSafe VPN Firewall 200 FVX538 Reference Manual To make changes to an existing outbound or inbound LAN DMZ service rule: 1. In the Action column adjacent to the rule click: • Edit – to make any changes to the rule definition. The Outbound Service screen will display containing the data for the selected rule “Outbound Rules (Service Blocking)” on page 4-2). • Up – to move the rule up one position in the table rank. • Down – to move the rule down one position in the table rank. 2.
ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Complete the Outbound Service screen, and save the data (see “Outbound Rules (Service Blocking)” on page 4-2). 3. Click Reset to cancel your settings and return to the previous settings. 4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table. LAN DMZ Inbound Services Rules To define an Inbound LAN DMZ Rule: 1. Click Add under the Inbound Services table.
• LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the remote host will (1) check for the application listening at that port, (2) see that no application is listening at that port and (3) reply with an ICMP Destination Unreachable packet.
3. Click Apply to save your settings. Figure 4-8
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown in Figure 4-9. Figure 4-9
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example, CUSeeMe connections are allowed only from a specified range of external IP addresses.
• Web server PC on the firewall's LAN
– LAN IP address: 192.168.1.2
– DMZ IP address: 192.168.10.2
– Access to the Web server is via the (simulated) public IP address 10.1.0.52
Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ.
6. In the Send to LAN Server field, enter the local IP address of your Web server PC.
7. From the Public Destination IP Address pull-down menu, choose Other Public IP Address.
8. Enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server.
9. Click Apply. Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-12).
2. Place the rule below all other inbound rules. Rules are matched in table order, so an Any rule placed higher up would match first and hide the more specific rules beneath it.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
1. Select Any and Allow Always (or Allow by Schedule)
2.
Figure 4-14
Adding Customized Services
Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
Figure 4-15
To add a customized service:
1. Select Security from the main menu and Services from the submenu. The Services screen will display.
2. In the Add Custom Service table, enter a descriptive name for the service (this is for your convenience).
3. Select the protocol that the service uses (the field is labeled Layer 3 Protocol on the screen, although TCP and UDP are transport-layer protocols). It can be TCP, UDP or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses.
To edit the parameters of a service:
1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display.
2. Modify the parameters you wish to change.
3. Click Reset to cancel the changes and restore the previous settings.
4. Click Apply to confirm your changes. The modified service will display in the Custom Services Table.
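The rule tables described above are consulted in order, which is why the Up and Down actions exist and why an exposed-host rule is placed last. The following Python model is an added example and not NETGEAR firmware or documentation: it evaluates a rule table first-match with the defaults stated on this page (outbound allowed, inbound blocked), custom services defined as a protocol plus port range, a schedule, and the source-MAC filter described later in this chapter. The class and function names, the 10.1.2.0/24 branch-office range and the sample packets are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

# Added example, not NETGEAR firmware; class, function and sample names are assumptions.


@dataclass(frozen=True)
class Service:
    """A custom service as on the Services screen: a protocol and a port range."""
    name: str
    proto: str                 # "TCP", "UDP", "ICMP", or "ANY" (matches everything)
    start: int = 0
    end: int = 65535

    def matches(self, proto: str, port: int) -> bool:
        if self.proto == "ANY":
            return True
        if self.proto != proto:
            return False
        if proto == "ICMP":    # ICMP carries no port numbers
            return True
        return self.start <= port <= self.end


@dataclass(frozen=True)
class Rule:
    service: Service
    action: str                # "ALLOW" or "BLOCK"
    src: str = "0.0.0.0/0"     # LAN Users / WAN Users as a CIDR block
    dst: str = "0.0.0.0/0"
    # (weekdays with Monday=0, first hour, hour after the last) or None for "Always"
    schedule: Optional[Tuple[FrozenSet[int], int, int]] = None


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int = 0
    src_mac: str = ""


# Manual: outbound traffic is allowed and inbound traffic blocked unless a rule says otherwise.
DEFAULT_POLICY = {"outbound": "ALLOW", "inbound": "BLOCK"}
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac: str) -> Optional[str]:
    """Return the MAC in the manual's xx:xx:xx:xx:xx:xx form, or None if it is malformed."""
    mac = mac.strip().lower().replace("-", ":")
    return mac if _MAC_RE.match(mac) else None


def _in_schedule(schedule, when: datetime) -> bool:
    if schedule is None:
        return True
    days, first_hour, end_hour = schedule
    return when.weekday() in days and first_hour <= when.hour < end_hour


def evaluate(direction, rules, pkt, when, blocked_macs=frozenset()):
    """First matching rule wins, so a rule's position in the table decides the outcome;
    when no rule matches, the direction's default policy applies."""
    if normalize_mac(pkt.src_mac) in blocked_macs:
        return "BLOCK", "source MAC filter"
    for position, rule in enumerate(rules, start=1):
        if (rule.service.matches(pkt.proto, pkt.dst_port)
                and ip_address(pkt.src_ip) in ip_network(rule.src)
                and ip_address(pkt.dst_ip) in ip_network(rule.dst)
                and _in_schedule(rule.schedule, when)):
            return rule.action, f"rule {position} ({rule.service.name})"
    return DEFAULT_POLICY[direction], "default policy"


HTTP = Service("HTTP", "TCP", 80, 80)
ANY = Service("ANY", "ANY")
WEB_SERVER = "192.168.1.2/32"                  # the manual's example Web server
TUESDAY_10AM = datetime(2006, 8, 15, 10, 0)    # a weekday inside office hours
SATURDAY_10AM = datetime(2006, 8, 19, 10, 0)
OFFICE_HOURS = (frozenset(range(5)), 9, 17)    # Monday to Friday, 09:00 to 17:00


def ordering_demo():
    """Same three rules in two orders: an Any/Allow (exposed host) rule above a Block rule hides it."""
    allow_web = Rule(HTTP, "ALLOW", dst=WEB_SERVER)
    block_branch = Rule(ANY, "BLOCK", src="10.1.2.0/24", dst=WEB_SERVER)   # assumed branch range
    exposed_host = Rule(ANY, "ALLOW", dst=WEB_SERVER)
    ssh = Packet("10.1.2.5", "192.168.1.2", "TCP", 22)
    return (evaluate("inbound", [allow_web, exposed_host, block_branch], ssh, TUESDAY_10AM)[0],
            evaluate("inbound", [allow_web, block_branch, exposed_host], ssh, TUESDAY_10AM)[0])
```

ordering_demo returns ("ALLOW", "BLOCK"): with the exposed-host rule above the Block rule the SSH attempt from the branch range is allowed, with it below it is blocked, which is the manual's reason for placing that rule last.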
Setting a Schedule to Block or Allow Specific Traffic
If you enabled Content Filtering in the Block Sites menu, or if you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules—Schedule 1, Schedule 2 or Schedule 3.
Setting Block Sites (Content Filtering)
If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall's Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
5. Build your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After each entry, click Add. The Keyword or Domain name will be added to the Blocked Keywords table. (You can also edit an entry by clicking Edit in the Action column adjacent to the entry.)
6. Build a list of Trusted Domains in the Trusted Domains fields. After each entry, click Add. The Trusted Domain will appear in the Trusted Domains table.
Enabling Source MAC Filtering
Source MAC Filter allows you to filter out traffic coming from certain known machines or devices.
• By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed.
• When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table.
Note that a MAC address identifies an interface only on the directly attached LAN segment and can be changed by the user of that machine, so this filter excludes known devices but is not a substitute for the firewall rules.
3. Build your list of Source MAC Addresses to be blocked by entering the first MAC address in the MAC Address field in the form xx:xx:xx:xx:xx:xx, where each x is a digit (0 to 9) or a letter from a to f (inclusive), for example: 00:e0:4c:69:0a:
4. Click Add. The MAC address will be added to the Available MAC Addresses to be Blocked table. (You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC Address.)
5.
• After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
Note: For additional ways of allowing inbound traffic, see “Inbound Rules (Port Forwarding)” on page 4-4.
To add a Port Triggering Rule:
1. Select Security from the main menu and Port Triggering from the submenu.
Figure 4-19
3. From the Protocol pull-down menu, select either TCP or UDP protocol.
4. In the Outgoing (Trigger) Port Range fields:
a. Enter the Start Port range (1 - 65534).
b. Enter the End Port range (1 - 65534).
5. In the Incoming (Response) Port Range fields:
a. Enter the Start Port range (1 - 65534).
b. Enter the End Port range (1 - 65534).
6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table.
To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
2. Modify any of the fields for this rule.
3. Click Reset to cancel any changes and return to the previous settings.
4. Click Apply to save your modifications. Your changes will appear in the Port Triggering Rules table.
You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-22 on page 4-34). Selecting all events will increase the size of the log, so it is good practice to select only those events which are required.
Figure 4-21
To set up Firewall Logs and E-mail alerts:
1.
3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select: Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection.
4. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
5. In the System Logs section, check the radio box for the type of system events to be logged.
6.
Table 4-3. SysLog Facility Message Levels (continued)
Numerical Code  Severity
4  Warning: Warning conditions
5  Notice: Normal but significant conditions
6  Informational: Informational messages
7  Debug: Debug level messages
To view the Firewall logs:
1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display.
2. If the E-mail Logs option has been enabled, you can send a copy of the log by clicking Send Log.
3.
Table 4-4. Firewall Log Field Descriptions
Field  Description
Date and Time  The date and time the log entry was recorded.
Description or Action  The type of event and what action was taken, if any.
Source IP  The IP address of the initiating device for this log entry.
Source port and interface  The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ.
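The fields of Table 4-4 and the severity codes of Table 4-3 are what a collector parses when the firewall e-mails or syslogs its entries. The following Python parser is an added example, not NETGEAR code: it decodes the syslog PRI prefix into facility and severity, extracts the Table 4-4 fields, and counts dropped packets per WAN source as a simple scan detector. The line syntax it reads, the host-name field and the sample entries are constructed for the example, since the manual names the fields but not the exact format; codes 0 to 3 (Emergency, Alert, Critical, Error) are the standard syslog levels that precede the rows reproduced above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not FVX538 firmware code. Table 4-3 rows 4-7 plus the standard levels 0-3.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}


def split_pri(pri: int) -> Tuple[int, int]:
    """A syslog <PRI> value is facility * 8 + severity (RFC 3164); 134 is local0, Informational."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


@dataclass(frozen=True)
class LogEntry:
    timestamp: str        # Table 4-4: Date and Time
    action: str           # Description or Action
    proto: str
    src_ip: str           # Source IP
    src_port: int         # Source port and interface
    src_if: str
    dst_ip: str
    dst_port: int
    dst_if: str
    severity: Optional[int] = None   # from the <PRI> prefix when received over syslog


# Constructed syntax carrying the Table 4-4 fields; the real FVX538 format is not given on the page.
_LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"(?P<action>[^:]+): (?P<proto>TCP|UDP|ICMP) "
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) \((?P<sif>LAN|WAN|DMZ)\) -> "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) \((?P<dif>LAN|WAN|DMZ)\)$")


def parse_line(line: str) -> Optional[LogEntry]:
    """Return a LogEntry, or None for a line that does not fit the format (skip, don't crash)."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    severity = split_pri(int(m["pri"]))[1] if m["pri"] else None
    return LogEntry(m["ts"], m["action"], m["proto"], m["sip"], int(m["sport"]), m["sif"],
                    m["dip"], int(m["dport"]), m["dif"], severity)


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def dropped_by_source(entries, threshold: int) -> Dict[str, int]:
    """WAN sources with at least `threshold` dropped packets: the kind of probe worth alerting on."""
    counts = Counter(e.src_ip for e in entries
                     if e.action.startswith("Dropped") and e.src_if == "WAN")
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample entries (not captured from a device); PRI 134 = local0/Informational.
SAMPLE_LOG = """\
<134>Aug 15 10:22:31 FVX538 Dropped packet: TCP 203.0.113.9:51234 (WAN) -> 192.168.1.2:23 (LAN)
<134>Aug 15 10:22:32 FVX538 Dropped packet: TCP 203.0.113.9:51235 (WAN) -> 192.168.1.2:22 (LAN)
<134>Aug 15 10:22:33 FVX538 Dropped packet: TCP 203.0.113.9:51236 (WAN) -> 192.168.1.2:21 (LAN)
<134>Aug 15 10:22:40 FVX538 Accepted packet: TCP 198.51.100.7:40010 (WAN) -> 192.168.1.2:80 (LAN)
<132>Aug 15 10:23:05 FVX538 Dropped packet: UDP 192.168.1.77:5353 (LAN) -> 10.1.0.52:5353 (WAN)
not a firewall line
"""
```

Running dropped_by_source(parse_log(SAMPLE_LOG), 3) flags 203.0.113.9, which probed three ports on the Web server in three seconds; the dropped LAN-side mDNS packet is not counted because its source interface is LAN.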
Chapter 5 Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
Figure 5-1 shows the WAN Mode setup screen for Auto-Rollover Mode using WAN port 1. It also shows the Protocol Bindings screen that displays if Load Balancing is selected. (When Load Balancing is selected, no WAN Failure Detection Method fields are selectable.) This setup is accomplished in “Configuring the WAN Mode (Required for Dual WAN)” on page 2-10.
• Mandatory when the WAN ports are in load balancing mode and the IP addresses are dynamic (Figure 5-3 on page 5-3)
• Optional when the WAN ports are in load balancing mode if the IP addresses are static (Figure 5-3 on page 5-3)
See “Configuring Dynamic DNS (If Needed)” on page 2-15 for how to select and configure the Dynamic DNS service.
determine the IPSec keys and VPN policies it sets up. It also will set the parameters for the network connection: Security Association, traffic selectors, authentication algorithm, and encryption. The parameters used by the VPN wizard are based on the VPNC recommendations.
Creating a VPN Tunnel to a Gateway
You can set up multiple Gateway VPN tunnel policies through the VPN Wizard.
Figure 5-4
7. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway; otherwise the secure tunnel will fail to connect. The IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
8.
Figure 5-5
You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen will display. Then view or edit the parameters of the “Offsite” policy by clicking Edit in the Action column adjacent to the policy. The Edit IKE Policy screen will display.
Figure 5-6
Creating a VPN Tunnel Connection to a VPN Client
You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. Multiple remote VPN Client policies can also be set up through the VPN Wizard by changing the default End Point Information settings. A remote client policy can support up to 200 clients. The remote clients must configure the “Local Identity” field in their policy as “PolicyName.fvx_remote.
3. Select a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the VPN settings.
Figure 5-7
4. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN Gateway, or the remote VPN Client. The key must be at least 8 and at most 49 characters long. This method does not require using a CA (Certificate Authority). Because one key is shared by all users of a client policy, choose a long random key rather than a short word.
5.
8. Click Apply. The VPN Policies screen will display showing that the Client policy “home” has been added and enabled. Click Edit in the Action column adjacent to the “home” policy to view the “home” policy parameters. It should not be necessary to make any changes.
Figure 5-8
You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen will display.
Figure 5-9
VPN Tunnel Policies
When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Policy Tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN Policy and IKE Policy. You can edit existing policies, or add new VPN and IKE policies directly in the Policy Tables.
• “Manual” generated VPN policies cannot use the IKE negotiation protocol.
Managing IKE Policies
IKE Policies are activated when:
1. The VPN Policy Selector determines that some traffic matches an existing VPN Policy. If the VPN policy is of type “Auto”, then the Auto Policy Parameters defined in the VPN Policy are accessed which specify which IKE Policy to use.
2.
• Remote ID. The IKE/ISAKMP identity of the remote VPN Gateway. (The remote VPN must have this value as its “Local ID”.)
• Encr. Encryption Algorithm used for the IKE SA. The default setting using the VPN Wizard is 3DES. (This setting must match the Remote VPN.)
• Auth. Authentication Algorithm used for the IKE SA. The default setting using the VPN Wizard is SHA1. (This setting must match the Remote VPN.)
• DH. Diffie-Hellman Group.
3. The VPN tunnel is created according to the parameters in the SA (Security Association).
4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection.
VPN Policy Table
Only one Client Policy may be configured at a time (noted by an “*” next to the policy name). The Policy Table contains the following fields:
• ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle).
• Tx (KBytes). The amount of data transmitted over this SA.
• Tx (Packets). The number of packets transmitted over this SA.
• State. The current state of the SA. Phase 1 is the “Authentication phase” and Phase 2 is the “Key Exchange phase”.
• Action. Allows you to terminate or build the SA (connection), if required.
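The IKE Policy fields above all carry the same condition: each value must match the remote gateway, and the remote's Local ID must equal this gateway's Remote ID. The wizard steps later in this chapter add two more: the pre-shared key is 8 to 49 characters, and both endpoint addresses must be of the same type (IP or FQDN). The following Python check is an added example, not NETGEAR code: it models a policy with the fields of the IKE Policy table and lists every reason two gateways' policies would fail to mirror each other, which is the first thing to verify when a tunnel refuses to come up. The IkePolicy field names, the mirror_for_peer helper and the sample identities and key are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address
from typing import List

# Added example (not NETGEAR code); field names follow the IKE Policy table on this page.


@dataclass(frozen=True)
class IkePolicy:
    name: str
    local_id: str            # the identity this gateway sends
    remote_id: str           # the identity it expects from the peer (the peer's local_id)
    local_addr: str          # WAN IP address or FQDN of this gateway
    remote_addr: str         # WAN IP address or FQDN of the peer
    encr: str = "3DES"       # VPN Wizard default
    auth: str = "SHA1"       # VPN Wizard default
    dh_group: int = 2
    exchange: str = "Main"   # "Main" or "Aggressive"
    psk: str = ""


def addr_kind(addr: str) -> str:
    """'ip' if addr parses as an IP address, otherwise 'fqdn'."""
    try:
        ip_address(addr)
        return "ip"
    except ValueError:
        return "fqdn"


def psk_problems(psk: str) -> List[str]:
    """The wizard accepts 8 to 49 characters; a long random key is preferable to the minimum."""
    if not 8 <= len(psk) <= 49:
        return [f"pre-shared key length {len(psk)} is outside 8..49 characters"]
    return []


def self_check(p: IkePolicy) -> List[str]:
    """Problems visible from one policy on its own."""
    problems = psk_problems(p.psk)
    if addr_kind(p.local_addr) != addr_kind(p.remote_addr):
        problems.append(f"{p.name}: local address is {addr_kind(p.local_addr)} but remote is "
                        f"{addr_kind(p.remote_addr)}; both must be IP or both FQDN")
    return problems


def check_peers(a: IkePolicy, b: IkePolicy) -> List[str]:
    """Every reason policies a and b will not complete Phase 1; empty means they mirror each other."""
    problems = self_check(a) + self_check(b)
    if a.remote_id != b.local_id:
        problems.append(f"{a.name} expects remote ID {a.remote_id!r} but {b.name} sends {b.local_id!r}")
    if b.remote_id != a.local_id:
        problems.append(f"{b.name} expects remote ID {b.remote_id!r} but {a.name} sends {a.local_id!r}")
    if a.remote_addr != b.local_addr or b.remote_addr != a.local_addr:
        problems.append("gateway addresses are not mirrored")
    for fld in ("encr", "auth", "dh_group", "exchange"):
        if getattr(a, fld) != getattr(b, fld):
            problems.append(f"{fld}: {a.name}={getattr(a, fld)!r} {b.name}={getattr(b, fld)!r}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    return problems


def mirror_for_peer(p: IkePolicy, name: str) -> IkePolicy:
    """The policy the other gateway needs: identities and addresses swapped, everything else equal."""
    return replace(p, name=name, local_id=p.remote_id, remote_id=p.local_id,
                   local_addr=p.remote_addr, remote_addr=p.local_addr)


# Sample values for the example (the FQDNs and the key are made up).
TO_FVS = IkePolicy("to_fvs", "fvx.example.net", "fvs.example.net",
                   "fvx.example.net", "fvs.example.net", psk="Ysu8mqBe4aAdV3PbRQzE")
```

check_peers(TO_FVS, mirror_for_peer(TO_FVS, "to_fvx")) returns an empty list; changing the peer's authentication algorithm to MD5 returns the single entry "auth: to_fvs='SHA1' to_fvx='MD5'", which is what the remote gateway's refusal in step 4 above looks like from the configuration side.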
6. Select the local WAN interface to bind this connection to the WAN port for the VPN tunnel.
Figure 5-10
7. Enter the WAN IP address of the remote FVS338 and then enter the WAN IP address of the local FVX538. (Both local and remote ends must define the address as either an IP address or a FQDN. A combination of IP address and FQDN is not permissible.)
8. Enter the LAN IP address and subnet mask of the remote FVS338.
9.
Figure 5-11
To view the VPN Policy parameters:
1. Click Edit in the Action column adjacent to the “to_fvs” policy. The Edit VPN Policy screen will display. (It should not be necessary to make any changes.)
2. View the IKE Policy statistics associated with this policy by clicking View Selected.
Figure 5-12
To view the IKE Policy Configuration parameters:
1. Select the IKE Policies tab. The IKE Policies table will display.
2. Select “to_FVS” and click Edit. (It should not be necessary to make any changes.)
Figure 5-13
Note: When XAUTH is enabled as an Edge Device, incoming VPN connections are authenticated against the FVX538 User Database first; then, if configured, a RADIUS server is checked. If IPSec Host is enabled, users are authenticated by the remote host.
Configuring the FVS338
To configure the FVS338 VPN Wizard:
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
2. Check the Gateway radio box for the type of VPN tunnel connection.
3. Give the new connection a name, such as to_fvx.
Figure 5-14
4. Enter a value for the pre-shared key.
5. Enter the WAN IP address of the remote FVX538.
6. Enter the WAN IP address of the FVS338.
7.
8. Click Apply to create the “to_fvx” IKE and VPN policies. The VPN Policies screen will display.
Testing the Connection
To test the VPN gateway tunnel:
1. From a PC on the LAN of either firewall, try to ping a PC on the LA of the other firewall. Establishing the VPN connection may take several seconds.
2. For additional status and troubleshooting information, view the VPN Logs and VPN Connections Status screens in the FVX538 or FVS338.
5. Check either the WAN1 or WAN 2 radio box to select the WAN interface tunnel.
Figure 5-15
6. Enter the remote WAN's IP Address or Internet Name and then enter the local WAN's IP Address or Internet Name. In this example, we are using their FQDNs. (Both the local and remote addresses must be of the same type—either both must be FQDN or both must be an IP address.)
7. Click Apply to create the “home” VPN Client.
Configuring the VPN Client
From a PC with the NETGEAR ProSafe VPN Client installed, you can configure a VPN client policy to connect to the FVX538.
To configure your VPN client:
1. Right-click on the VPN client icon in your Windows toolbar and select Security Policy Editor.
2. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection. Give the New Connection a name, such as to_FVX.
Figure 5-16
3.
fvx_local.com
Figure 5-17
7. In the left frame, click My Identity.
8. From the Select Certificate pull-down menu, select None.
9. From the ID Type pull-down menu, select Domain Name. The value entered under Domain Name must end in “.fvx_remote.com” and begin with the policy name used in the FVX538 configuration, which in this example is “home”; each user must use a different variation of this name (for example, home11.fvx_remote.com, as shown in the next figure).
home11.fvx_remote.com
Figure 5-18
5. Before leaving the My Identity menu, click Pre-Shared Key.
6. Click Enter Key and then enter your preshared key, and click OK. This key will be shared by all users of the FVX538 policy “home”.
Figure 5-19
7. In the left frame, select Security Policy.
8. For the Phase 1 Negotiation Mode, check the Aggressive Mode radio box.
9. PFS should be disabled, and Enable Replay Detection should be enabled.
Figure 5-20
10. In the left frame, expand Authentication (Phase 1) and select Proposal 1. The Proposal 1 fields should mirror those in the following figure. No changes should be necessary.
Figure 5-21
11. In the left frame, expand Key Exchange (Phase 2) and select Proposal 1. The fields in this proposal should also mirror those in the following figure. No changes should be necessary.
12. In the upper left of the window, click the disk icon to save the policy.
Figure 5-22
Testing the Connection
1. From your PC, right-click on the VPN client icon and select Connect..., then My Connections\to_FVX.
2. For additional status and troubleshooting information, right-click on the VPN client icon to open its logs and connection status, or view the VPN Logs and Connection Status screens in the FVX538.
Figure 5-23
Certificate Authorities
Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities).
The Active Self Certificates table shows the Certificates issued to you by the various CAs (Certification Authorities), and available for use. For each Certificate, the following data is listed:
• Name. The name you used to identify this Certificate.
• Subject Name. This is the name which other organizations will see as the Holder (owner) of this Certificate. This should be your registered business name or official company name.
Figure 5-24
• Domain Name – If you have a Domain name, you can enter it here. Otherwise, you should leave this field blank.
• E-mail Address – Enter your e-mail address in this field.
4. Click Generate. A new certificate request is created and added to the Self Certificate Requests table.
5. Click View under the Action column to view the request.
6. Copy the contents of the Data to supply to CA text box into a file, including all of the data contained in “----BEGIN CERTIFICATE REQUEST---” and “---END CERTIFICATE REQUEST---”. Click Done. You will return to the Certificate screen and your Request details will be displayed in the Self Certificates Requests table showing a Status of “Waiting for Certificate upload”.
To submit your Certificate request to a CA:
1. Connect to the Website of the CA.
2.
• CA Identity – The official name of the CA which issued this CRL.
• Last Update – The date when this CRL was released.
• Next Update – The date when the next CRL will be released.
To upload a Certificate Revocation List (CRL):
1. From the main menu under VPN, select Certificates. The Certificates screen will display showing the CRL (Certificate Revocation List) table at the bottom of the screen.
2.
• IPSec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials.
• RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see “RADIUS Client Configuration” on page 5-35).
• IPSec Host if you want to be authenticated by the remote gateway.
User Database Configuration
The User Database screen is used to configure and administer users when Extended Authentication is enabled as an Edge Device. Whether or not you use an external RADIUS server, you may want some users to be authenticated locally. These users must be added to the User Database Configured Users table.
To add a new user:
1. Select VPN from the main menu and VPN Client from the submenu. The User Database screen will display.
2.
To edit the user name or password:
1. Click Edit opposite the user's name. The Edit User screen will display.
2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings. The modified user name and password will display in the Configured Users table.
Figure 5-28
3. Enter the Primary RADIUS Server IP address.
4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
5. Enter the Primary Server NAS Identifier (Network Access Server). This Identifier MUST be present in a RADIUS request. Ensure that the NAS Identifier is configured the same on both client and server.
9. Click Reset to cancel any changes and revert to the previous settings.
10. Click Apply to save the settings.
Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens.
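The XAUTH section above describes a lookup order (local User Database first for RADIUS-PAP, then the RADIUS server) and a Secret Phrase that protects the exchange with that server. The following Python model is an added example, not NETGEAR code, showing both: the RFC 2865 User-Password hiding that the shared secret makes possible for PAP, the RFC 1994 CHAP response carried in CHAP-Password, and an Edge Device that consults the local database before RADIUS. The RadiusServer and EdgeDevice classes, the rejection of a mismatched NAS-Identifier, and the sample users and secret are assumptions made for the example; the manual states the local lookup only for PAP, so the example sends CHAP requests straight to RADIUS.

```python
import hashlib
import os
from typing import Dict, Optional, Tuple

# Added example (not NETGEAR code) of the XAUTH lookup order and the RADIUS password protection
# that the shared Secret Phrase provides. Class and attribute names are assumptions.


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server applies it with the same shared secret."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response MD5(ident || password || challenge), carried in CHAP-Password."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


class RadiusServer:
    """Stand-in for the external server (assumed behaviour: a wrong NAS-Identifier is rejected)."""

    def __init__(self, secret: bytes, nas_id: str, users: Dict[str, bytes]):
        self.secret, self.nas_id, self.users = secret, nas_id, users

    def access_request(self, attrs: Dict[str, object]) -> str:
        if attrs.get("NAS-Identifier") != self.nas_id:
            return "Access-Reject"
        password = self.users.get(attrs.get("User-Name"))
        if password is None:
            return "Access-Reject"
        if "User-Password" in attrs:                       # PAP
            ok = unhide_password(attrs["User-Password"], self.secret, attrs["Authenticator"]) == password
        elif "CHAP-Password" in attrs:                     # CHAP: first byte is the identifier
            cp = attrs["CHAP-Password"]
            ok = cp[1:] == chap_response(cp[0], password, attrs["CHAP-Challenge"])
        else:
            ok = False
        return "Access-Accept" if ok else "Access-Reject"


class EdgeDevice:
    """The VPN firewall as XAUTH Edge Device; mode is "User Database", "RADIUS-PAP" or
    "RADIUS-CHAP". Per the manual, RADIUS-PAP consults the local User Database first."""

    def __init__(self, mode: str, local_users: Dict[str, bytes], radius: Optional[RadiusServer],
                 secret: bytes, nas_id: str):
        self.mode, self.local_users, self.radius = mode, local_users, radius
        self.secret, self.nas_id = secret, nas_id

    def authenticate(self, user: str, password: bytes) -> Tuple[bool, str]:
        """Returns (accepted, which store decided)."""
        if self.mode in ("User Database", "RADIUS-PAP") and user in self.local_users:
            return self.local_users[user] == password, "local"
        if self.mode == "User Database" or self.radius is None:
            return False, "local"
        authenticator = os.urandom(16)
        attrs: Dict[str, object] = {"User-Name": user, "NAS-Identifier": self.nas_id,
                                     "Authenticator": authenticator}
        if self.mode == "RADIUS-PAP":
            attrs["User-Password"] = hide_password(password, self.secret, authenticator)
        else:
            challenge, ident = os.urandom(16), 1
            attrs["CHAP-Challenge"] = challenge
            attrs["CHAP-Password"] = bytes([ident]) + chap_response(ident, password, challenge)
        return self.radius.access_request(attrs) == "Access-Accept", "radius"


# Constructed sample data for the example.
SECRET, NAS_ID = b"sharedphrase", "fvx538-hq"
RADIUS = RadiusServer(SECRET, NAS_ID, {"bob": b"b0bRemote!"})
LOCAL = {"alice": b"al1ceLocal!"}


def demo(mode: str, user: str, password: bytes) -> Tuple[bool, str]:
    return EdgeDevice(mode, LOCAL, RADIUS, SECRET, NAS_ID).authenticate(user, password)
```

demo("RADIUS-PAP", "alice", b"al1ceLocal!") is decided locally without contacting RADIUS, demo("RADIUS-PAP", "bob", ...) goes to the server, and a device configured with a different NAS Identifier than the server is rejected even with the right password, which is the failure to look for when step 5 above is misconfigured.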
Configuring the VPN Firewall
Two menus must be configured—the Mode Config menu and the IKE Policies menu.
To configure the Mode Config menu:
1. From the main menu, select VPN, and then select Mode Config from the submenu. The Mode Config screen will display.
2. Click Add. The Add Mode Config Record screen will display.
3. Enter a descriptive Record Name such as “Sales”.
4.
Figure 5-29
To configure an IKE Policy:
1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies Table.
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display.
3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu.
4. In the General section:
a. Enter a descriptive name in the Policy Name field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration.
b. Set Direction/Type to Responder.
c. The Exchange Mode will automatically be set to Aggressive.
5. For Local information:
d. Select Fully Qualified Domain Name for the Local Identity Type.
e.
10. Click Apply. The new policy will appear in the IKE Policies Table (a sample policy is shown below).
Figure 5-30
Configuring the ProSafe VPN Client for ModeConfig
From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.
To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
a.
b. From the ID Type pull-down menu, select IP Subnet.
c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway).
d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu.
e. From the ID Type pull-down menu, select Domain Name and enter the FQDN of the VPN firewall; in this example it is “local_id.com”.
f.
d. Under the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0.
Note: If no box is displayed for Internal Network IP Address, go to Options/Global Policy Settings, and check the box for “Allow to Specify Internal Network Address.”
e. Select your Internet Interface adapter from the Name pull-down menu.
Figure 5-32
3. On the left side of the menu, select Security Policy.
a.
Figure 5-33
5. Click on Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).)
Figure 5-34
6. Click the Save icon to save the Security Policy and close the ProSafe VPN client.
To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”.
2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” will display and the VPN client icon in the toolbar will read “On”.
3. From the client PC, ping a computer on the VPN firewall LAN.
Chapter 6 Router and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 200. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The ProSafe VPN Firewall 200 offers many tools for managing the network traffic to optimize its performance.
ProSafe VPN Firewall 200 FVX538 Reference Manual Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall. But there is no backup in case one of the WAN ports fail. In such an event and with one exception, the traffic that would have been sent on the failed WAN port gets diverted to the WAN port that is still working, thus increasing its loading. The exception is traffic that is bound by protocol to the WAN port that failed.
ProSafe VPN Firewall 200 FVX538 Reference Manual – • Groups: The rule is applied to a Group (see “Managing Groups and Hosts (LAN Groups)” on page 3-6to assign PCs to a Group using Network Database). WAN Users – These settings determine which Internet locations are covered by the rule, based on their IP address. – Any: The rule applies to all Internet IP address. – Single address: The rule applies to a single Internet IP address.
ProSafe VPN Firewall 200 FVX538 Reference Manual Schedule. If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e., schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule. You specify the days of the week and time of day for each schedule. See “Setting a Schedule to Block or Allow Specific Traffic” on page 4-24 for the procedure on how to use this feature.
VPN Firewall Features That Increase Traffic Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • DMZ port • Exposed hosts • VPN tunnels Port Forwarding The firewall always blocks the DoS (Denial of Service) attack patterns it recognizes. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (i.e., the service is unavailable). Note that a flood large enough to saturate the upstream link cannot be stopped at the firewall, which sits downstream of the congestion; the filtering protects the LAN and the firewall itself, not the link.
• Enable DNS Proxy – Enable this to allow the firewall to accept DNS queries from LAN clients and relay them to the WAN-side DNS servers. • Enable Stealth Mode – Enable this to set the firewall to operate in stealth mode, in which unsolicited WAN-side packets are silently dropped rather than rejected, so port scans get no response from the firewall. As you define your firewall rules, you can further refine their application according to the following criteria: • LAN Users – These settings determine which computers on your network are affected by this rule. Select the desired IP Address in this field.
• The remote system receives the PC's request and responds using the different port numbers that you have now opened. • This Router matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.
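The port-triggering behaviour described above as a small state table, added here as an example and not NETGEAR's code: an outbound connection from a LAN host to a rule's trigger port opens the rule's inbound port range to that host for a limited time; while the entry is open, inbound packets to those ports reach that host, and once it has expired (or was never opened) the packet falls through to the static port-forwarding rules. The rule fields, the timeout and the sample rule are assumptions.

```python
"""Port triggering as a small state table.

Added example, not NETGEAR code.  An outbound connection from a LAN host to
a rule's trigger port opens the rule's inbound port range to that host for
a limited time; while open, inbound packets to those ports are mapped to
the host.  When nothing is open the packet falls through to the ordinary
port-forwarding rules, exactly the case the text describes.  Names and the
timeout value are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    trigger_port: int             # outbound destination port that arms the rule
    inbound: Tuple[int, int]      # inclusive inbound port range opened on the WAN
    timeout: int = 300            # seconds the opening stays valid


class PortTriggering:
    def __init__(self, rules: List[TriggerRule], forwarding: Dict[int, str]):
        self.rules = list(rules)
        self.forwarding = dict(forwarding)          # static port forwarding: port -> LAN host
        self.open: Dict[str, Tuple[str, int]] = {}  # rule name -> (LAN host, expiry)

    def outbound(self, lan_host: str, dst_port: int, now: int) -> Optional[str]:
        """LAN host sends to dst_port; arm any rule whose trigger matches."""
        for r in self.rules:
            if r.trigger_port == dst_port:
                self.open[r.name] = (lan_host, now + r.timeout)
                return r.name
        return None

    def inbound(self, dst_port: int, now: int) -> Optional[str]:
        """Return the LAN host that receives an unsolicited inbound packet."""
        for r in self.rules:
            lo, hi = r.inbound
            entry = self.open.get(r.name)
            if entry is None or not lo <= dst_port <= hi:
                continue
            host, expires = entry
            if now < expires:
                return host
            del self.open[r.name]                   # expired: close the hole
        # No open trigger: handled by port-forwarding rules (or dropped).
        return self.forwarding.get(dst_port)


def demo() -> List[Optional[str]]:
    """Constructed scenario: a VoIP rule armed by SIP, a static web forward."""
    pt = PortTriggering(
        [TriggerRule("voip", trigger_port=5060, inbound=(10000, 10010), timeout=60)],
        forwarding={80: "192.168.1.50"},
    )
    pt.outbound("192.168.1.20", 5060, now=100)
    return [
        pt.inbound(10005, now=130),   # open: reaches the triggering host
        pt.inbound(10005, now=200),   # expired: no forwarding rule, so None
        pt.inbound(80, now=200),      # never triggered: port-forwarding rule
    ]


if __name__ == "__main__":
    print(demo())
```

The expiry matters for security: the opened range is reachable from the whole Internet, not just from the remote system that was contacted, so a short timeout limits how long the hole stays usable by anyone else.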
The QoS priority settings conform to the IEEE 802.1D-1998 (formerly 802.1p) standard for class of service tag. You will not change the WAN bandwidth used by changing any QoS priority settings. But you will change the mix of traffic through the WAN ports by granting some services a higher priority than others. The quality of a service is impacted by its QoS setting, however.
6. Click Apply to save this setting. Note: If you make the administrator login time-out value too large, you will have to wait a long time before you are able to log back into the router if your previous login was disrupted (i.e., you did not click Logout on the Main Menu bar to log out). A long time-out also leaves an unattended browser session usable by anyone at that PC, so keep the value short and log out explicitly. Figure 6-1 Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset.
Enabling Remote Management Access Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall” on page 2-1). Note: Before enabling remote management, change the default configuration password of the firewall to a strong, unique password. The management interface becomes reachable from the Internet, so that password is all that stands between an attacker and full control of the firewall and its VPN configuration; restrict the allowed source addresses as narrowly as possible.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access. 4. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. Choosing a non-standard port reduces exposure to automated scans but is not a substitute for restricting the source addresses.
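The same three selector kinds appear twice on this page: in the WAN Users field of a firewall rule (Any / Single address / Address range) and in the remote-management allow list (Any / IP address range / Only this PC). The following is an added example, not NETGEAR's code, that evaluates such a selector against a packet's source and adds the check a reviewer wants before remote management goes live: a policy open to Any address is flagged, as is use of the default port. The class names, policy fields and sample addresses are assumptions.

```python
"""Source-address matching for rules and for remote management.

Added example, not NETGEAR code.  The same three selector kinds appear in
the WAN Users field of a firewall rule (Any / Single address / Address
range) and in the remote-management allow list (Any / IP address range /
Only this PC).  Also included is the check a reviewer wants: a
remote-management policy open to Any address is flagged.  Names and the
policy fields are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AddressSelector:
    kind: str                     # "any", "single" or "range"
    start: Optional[str] = None   # single address, or first address of the range
    end: Optional[str] = None     # last address of the range

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.kind == "any":
            return True
        if self.kind == "single":
            return addr == ipaddress.ip_address(self.start)
        if self.kind == "range":
            lo, hi = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
            if lo > hi:
                raise ValueError("range start is after range end")
            return lo <= addr <= hi
        raise ValueError(f"unknown selector kind {self.kind!r}")


@dataclass(frozen=True)
class RemoteManagement:
    enabled: bool
    allowed: AddressSelector
    port: int = 80

    def permits(self, src_ip: str) -> bool:
        return self.enabled and self.allowed.matches(src_ip)

    def findings(self) -> List[str]:
        """Configuration weaknesses worth reporting before going live."""
        issues: List[str] = []
        if not self.enabled:
            return issues
        if self.allowed.kind == "any":
            issues.append("management interface reachable from any Internet address")
        if self.port == 80:
            issues.append("management on the default port 80; every scanner looks there first")
        return issues


def rule_applies(wan_users: AddressSelector, src_ip: str) -> bool:
    """WAN Users evaluation of a firewall rule against a packet's source."""
    return wan_users.matches(src_ip)


if __name__ == "__main__":
    wide_open = RemoteManagement(True, AddressSelector("any"))
    locked = RemoteManagement(True, AddressSelector("range", "198.51.100.10", "198.51.100.20"), port=8443)
    print(wide_open.findings(), locked.findings())
    print(locked.permits("198.51.100.15"), locked.permits("203.0.113.7"))
```

The `findings()` check is the part to keep: the selector logic is a few comparisons, but the configuration that reaches production is the one that gets reviewed, and "Any" plus a default password is the combination that turns a VPN firewall into an entry point.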
The SNMP Configuration table lists the SNMP configurations by: • IP Address: The IP address of the SNMP manager. • Port: The trap port of the configuration. • Community: The trap community string of the configuration. A community string is the only credential SNMPv1 and SNMPv2c provide, and it travels in clear text, so do not leave it at a default such as public and restrict which manager addresses may talk to the firewall. To create a new SNMP configuration entry: 1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen will display. 2.
Figure 6-3 The SNMP System Info link displays the VPN firewall identification information available to the SNMP Manager: System Contact, System Location, and System Name. To modify the SNMP System contact information: 1. Click the SNMP System Info link. The SNMP SysConfiguration screen will display. 2. Modify any of the contact information that you want the SNMP Manager to use. 3. Click Apply to save your settings.
• Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version. Backup and Restore Settings To back up and restore settings: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. 2. Click Backup to save a copy of your current settings. The backup file holds the complete configuration, including VPN pre-shared keys and any other secrets you have entered, so store it where only administrators can read it.
Figure 6-4 Router Upgrade You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade screen. To view the current version of the firmware that your VPN firewall is running, select Monitoring from the main menu. The Router Status screen will display all of the VPN firewall router statistics. When you upgrade your firmware, the Firmware Version will change to reflect the new version.
To upgrade router software: 1. Select Administration from the main menu and Settings Backup and Firmware Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. 2. Click Browse in the Router Upgrade section. 3. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall router. This may take some time. At the conclusion of the upgrade, your router will reboot. Obtain the firmware image only from NETGEAR, back up your settings first, and do not interrupt power during the upgrade; an interrupted write can leave the firewall unable to boot.
• Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this instead and enter the name or IP address of an NTP Server in the Server 1 Name/IP Address field. If required, you can also enter the address of another NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the Default Netgear NTP servers. 4.
• Internet Traffic Statistics – Displays statistics on Internet traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available. • Traffic by Protocol – Click this button to display Internet traffic details. The volume of traffic for each protocol will be displayed in a sub-window. Traffic counters are kept in megabytes, and a counter begins to increment only after at least 1 MB of traffic has passed.
Figure 6-7 Setting Login Failures and Attacks Notification Figure 6-8 shows the Firewall Logs & E-mail screen, which is invoked by selecting Monitoring from the main menu and Firewall Logs & E-mail from the submenu. From this screen you select which firewall events are logged, have the resulting system log sent to an e-mail address, and forward it to a Syslog server. You can view the logs by clicking View Logs. Forwarding to a Syslog server is the option to prefer: a copy on a separate host survives a reboot or factory reset of the firewall and cannot be erased by someone who gains administrative access to it.
Figure 6-8 (callouts: View System Logs; select the types of events to e-mail; select the segments to track for System Log events; enable e-mail alerts; Syslog Server enabled) Monitoring Attached Devices The Groups and Hosts menu contains a table of all IP devices that the VPN firewall has discovered on the local network. Select Network Configuration from the main menu and LAN Groups from the submenu. The Groups and Hosts screen will display.
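What the "Login Failures and Attacks" notification amounts to once the log reaches a Syslog server, as an added example that is not NETGEAR's code: a collector that raises an alert on repeated failures from one source inside a time window, and a second alert when a success follows failures from the same source. The log lines below are constructed for the example and the regular expression is an assumption; the real FVX538 message text is not reproduced on this page, so `LOGIN_RE` must be adapted to the actual format.

```python
"""Detecting login failures in syslog forwarded from the firewall.

Added example, not NETGEAR code.  Once the firewall forwards its log to a
Syslog server, a small collector can raise the alerts the manual's
"Login Failures and Attacks" notification is about: repeated failures from
one source inside a time window, and a success from a source that was
just failing.  The log lines are constructed for the example; the real
FVX538 message text is not reproduced here, so LOGIN_RE is an assumption
that must be adapted to the actual format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LOG_YEAR = 2006   # classic syslog timestamps carry no year; assumed

LOGIN_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"login (failed|succeeded) for user (\S+) from (\d+\.\d+\.\d+\.\d+)"
)

Event = Tuple[datetime, str, str, str]   # (time, outcome, user, source ip)


def parse_line(line: str) -> Optional[Event]:
    m = LOGIN_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return when, m.group(2), m.group(3), m.group(4)


def analyze(lines: List[str], threshold: int = 3,
            window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, int]]:
    """Return (alert type, source ip, failure count) tuples, in log order."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Tuple[str, str, int]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        when, outcome, _user, src = ev
        q = recent[src]
        while q and when - q[0] > window:      # drop failures outside the window
            q.popleft()
        if outcome == "failed":
            q.append(when)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("repeated_login_failure", src, len(q)))
        elif q:
            # A success right after failures from the same source is the
            # signature of a guessed or brute-forced password.
            alerts.append(("success_after_failures", src, len(q)))
            q.clear()
            flagged.discard(src)
    return alerts


SAMPLE_LINES = [  # constructed, not a real FVX538 log
    "Aug 14 10:00:01 fvx538 admin: login failed for user admin from 203.0.113.9",
    "Aug 14 10:00:05 fvx538 admin: login failed for user admin from 203.0.113.9",
    "Aug 14 10:00:09 fvx538 admin: login failed for user admin from 203.0.113.9",
    "Aug 14 10:00:30 fvx538 admin: login succeeded for user admin from 203.0.113.9",
    "Aug 14 10:05:00 fvx538 admin: login failed for user admin from 198.51.100.4",
    "Aug 14 10:20:00 fvx538 admin: login succeeded for user admin from 192.168.1.10",
    "Aug 14 10:21:00 fvx538 kernel: WAN1 link up",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES):
        print(*alert)
```

The second alert type is the one to act on first: three failures and then a success from the same Internet address within thirty seconds means the administrator password was most likely guessed, and the remote-management allow list and password should be changed before anything else.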
Figure 6-9 The network database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: • DHCP Client Requests – By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the network database.
Table 6-1. Known PCs and Devices (continued)
Item – Description
MAC Address – The MAC address of the PC. The MAC address is a low-level network identifier assigned at manufacture; note that most operating systems let it be changed in software, so a group membership keyed on a MAC address is a convenience, not an authentication control.
Group – Each PC or device must be in a single group. The Group column indicates which group each entry is in. By default, all entries are in Group1.
Note: If the VPN firewall is rebooted, the table data is lost until the VPN firewall rediscovers the devices.
Viewing Router Configuration and System Status The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display. Figure 6-11
Table 6-3. Router Status Fields
Item – Description
System Name – This is the Account Name that you entered in the Basic Settings page.
Firmware Version – This is the current software the router is using.
Table 6-3. Router Status Fields (continued)
Item – Description
WAN1 Configuration – Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also displays: • whether NAT is Enabled or Disabled • Connection Type: DHCP enabled or disabled • Connection State • WAN IP Address • Subnet Mask • Gateway Address • Primary and Secondary DNS Server Addresses • MAC Address.
Figure 6-12 Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display. Figure 6-13
Table 6-4. VPN Status data
Item – Description
Policy Name – The name of the VPN policy associated with this SA.
Endpoint – The IP address of the remote VPN endpoint.
Tx (KB) – The amount of data transmitted over this SA.
Tx (Packets) – The number of IP packets transmitted over this SA.
State – The current status of the SA. Phase 1 is the IKE phase, in which the two peers authenticate each other and establish the IKE SA; Phase 2 negotiates the IPsec SAs that carry the tunnel traffic.
DHCP Log You can view the DHCP log from the LAN Setup screen. Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link. Figure 6-15 Performing Diagnostics You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets.
Figure 6-16
Table 6-5. Diagnostics
Item – Description
Ping or Trace an IP address – Ping: used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Table 6-5. Diagnostics (continued)
Item – Description
Display the Routing Table – This operation will display the internal routing table. This information is used, most often, by Technical Support.
Reboot the Router – Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally.
Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200. After each problem description, instructions are provided to help you diagnose and solve the problem. Basic Functions After you turn on power to the firewall, the following sequence of events should occur: 1. When power is first applied, verify that the PWR LED is on. 2. After approximately 2 minutes, verify that: a. The TEST LED is not lit. b.
LEDs Never Turn Off When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up: • Cycle the power to see if the firewall recovers. • Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.1.1.
• Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme with the firewall at its default address of 192.168.1.1, your PC’s address should be in the range of 192.168.1.2 to 192.168.1.254. Note: If your PC’s IP address is shown as 169.254.x.x: Recent versions of Windows and Mac OS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x.
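The two checks above, as an added example that is not NETGEAR's code: whether the PC is on the firewall's LAN subnet, and whether it has fallen back to a self-assigned 169.254.x.x address because no DHCP server answered. The firewall's default address and /24 mask follow the manual; the function names and result codes are assumptions.

```python
"""Checking a PC's address against the firewall's LAN subnet.

Added example, not NETGEAR code.  Implements the two checks in the text:
is the PC on the same subnet as the firewall, and has it fallen back to a
self-assigned 169.254.x.x address because no DHCP server answered.  The
firewall's default address and /24 mask follow the manual; the function
and result codes are assumptions.
"""
import ipaddress
from typing import Tuple

FIREWALL_LAN = ipaddress.ip_interface("192.168.1.1/24")   # factory default per the manual
APIPA = ipaddress.ip_network("169.254.0.0/16")             # link-local range used by APIPA


def usable_client_range(firewall: ipaddress.IPv4Interface = FIREWALL_LAN) -> Tuple[str, str]:
    """First and last address a client may use on the firewall's LAN."""
    hosts = [h for h in firewall.network.hosts() if h != firewall.ip]
    return str(hosts[0]), str(hosts[-1])


def diagnose_pc_address(pc_ip: str,
                        firewall: ipaddress.IPv4Interface = FIREWALL_LAN) -> Tuple[str, str]:
    """Return (code, explanation) for a PC that cannot reach the firewall."""
    addr = ipaddress.ip_address(pc_ip)
    if addr in APIPA:
        return "apipa", ("self-assigned address: the PC never got a DHCP lease; "
                         "check the cable, the LAN port LED and the DHCP server")
    if addr not in firewall.network:
        lo, hi = usable_client_range(firewall)
        return "wrong_subnet", f"{addr} is not in {firewall.network}; use an address between {lo} and {hi}"
    if addr == firewall.ip:
        return "conflict", "the PC is using the firewall's own address"
    return "ok", f"{addr} is on {firewall.network}"


if __name__ == "__main__":
    for ip in ("169.254.33.7", "192.168.0.10", "192.168.1.1", "192.168.1.50"):
        print(ip, *diagnose_pc_address(ip))
```

The APIPA test comes first on purpose: a 169.254 address is never on the firewall's subnet, but reporting it as "wrong subnet" would send the administrator to fix a static address when the real problem is that DHCP never answered.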
Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager. To check the WAN IP address: 1.
– Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page 2-5. If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: • Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses.
• Wrong physical connections – Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 7-2. – Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the firewall’s administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways: • Use the Erase function of the firewall (see “Backup and Restore Settings” on page 6-14). • Use the reset button on the rear panel of the firewall. After either method the firewall is back on the well-known default password, so change it before reconnecting the WAN side; all VPN policies, certificates and firewall rules are gone as well and must be restored from a backup.
Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below. • Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
Document – Link
Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.
Appendix C Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. What You Will Need to Do Before You Begin The ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of the choices available to you, you need to think through the following items before you begin: 1. Plan your network a.
– You can also add your own service protocols to the list (see “Services-Based Rules” on page 4-2 for information on how to do this). 3. Set up your accounts a. Have active Internet services such as that provided by cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information.
• There are a variety of WAN options you can choose when the factory default settings are not applicable to your installation. These include enabling a WAN port to respond to a ping and setting MTU size, port speed, and upload bandwidth. You will make these choices in “Configuring the Advanced WAN Options (If Needed)” on page 2-18. 4. Prepare to physically connect the firewall to cable or DSL modems and a computer.
• Fixed IP Address, which is also known as Static IP Address Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. • Your ISPs provide all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISPs to provide it or you can try one of the options below.
Internet Connection Information Form Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports include: • Inbound traffic (e.g., port forwarding, port triggering, DMZ port) • Virtual private networks (VPNs) The two WAN ports can be configured on a mutually-exclusive basis to either: • Rollover for increased reliability, or • Balance the load for outgoing traffic.
The Roll-over Case for Firewalls With Dual WAN Ports Rollover (Figure C-2) for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Hence, the use of a fully-qualified domain name is always required, even when the IP address of each WAN port is fixed.
Inbound Traffic Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu. Instead of discarding this traffic, you can have it forwarded to one or more LAN hosts on your network. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table C-1.
Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover (Figure C-5), the WAN’s IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (i.e., WAN1 or WAN2). Figure C-5: Dual WAN Ports before and after rollover; the FQDN netgear.dyndns.org follows the active WAN port, while the inactive port’s IP address is shown as N/A.
Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table C-2.
[Figure: Gateway with Dual WAN Ports before and after rollover; the FQDN netgear.dyndns.org follows the active WAN port, the inactive port’s IP address is N/A, and the remote VPN Router reaches the gateway by that name.]
VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall (Figure C-9), the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder. Figure C-9: Road Warrior Example (Single WAN Port); Gateway A (VPN Router at employer’s main office) with LAN 10.5.6.0/24, LAN IP 10.5.6.1, a WAN IP and the FQDN bzrouter. (truncated in source); Client B with its own WAN IP.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance). After a rollover of the gateway WAN port (Figure C-11), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must reestablish the VPN tunnel.
[Figure: Road Warrior Example (Dual WAN Ports, Load Balancing); Gateway A (VPN Router at employer’s main office) with LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN1 IP bzrouter1.dyndns.org and WAN2 IP bzrouter2.dyndns.org; Client B with WAN IP 0.0.0. (truncated in source). Fully-qualified domain names are optional for fixed IP addresses and required for dynamic IP addresses.]
Figure C-13: Gateway-to-Gateway Example (Single WAN Ports); Gateway A (VPN Router at office A) with LAN 10.5.6.0/24, LAN IP 10.5.6.1 and FQDN netgear.dyndns.org; Gateway B (VPN Router at office B) with LAN 172.23.9.0/24, LAN IP 172.23.9.1 and WAN IP 22.23.24.25. Fully-qualified domain names are optional for fixed IP addresses and required for dynamic IP addresses. The IP address of the gateway WAN ports can be either fixed or dynamic.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall (Figure C-16), either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to manage the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall (Figure C-17), the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. Figure C-17: Telecommuter Example (Single WAN Port); Gateway A with LAN 10.5.6.0/24 (remaining figure labels not recoverable).
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance). After a rollover of the gateway WAN port (Figure C-19), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel.
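The rollover argument made for the road-warrior case and repeated here for the telecommuter case, as an added example that is not NETGEAR's code: only one gateway WAN port is active, rollover swaps the public address, a peer that names the gateway by FQDN (dynamic DNS) sees the change and rebuilds the tunnel, and a peer pinned to one WAN port's fixed address is stranded. DNS is simulated with the gateway's own record rather than queried; the class names, the FQDN and the addresses are assumptions.

```python
"""Why rollover forces FQDN addressing and tunnel re-establishment.

Added example, not NETGEAR code.  Models the road-warrior and telecommuter
rollover cases: only one gateway WAN port is active, rollover swaps the
public address, and a peer that names the gateway by FQDN (dynamic DNS)
notices the change and rebuilds the tunnel, whereas a peer pinned to one
WAN port's fixed address is stranded after rollover.  DNS is simulated
with the gateway's own record; names and addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Gateway:
    fqdn: str
    wan_ips: Dict[str, str]        # port -> public address (fixed or dynamic)
    active: str = "WAN1"

    def rollover(self) -> str:
        self.active = "WAN2" if self.active == "WAN1" else "WAN1"
        return self.active

    def dns_record(self) -> Dict[str, str]:
        """What the dynamic DNS service publishes: the FQDN follows the active port."""
        return {self.fqdn: self.wan_ips[self.active]}

    def reachable_at(self, ip: str) -> bool:
        return ip == self.wan_ips[self.active]


@dataclass
class FqdnPeer:
    """Remote client or gateway that addresses the ProSafe by name."""
    peer_fqdn: str
    sa_endpoint: Optional[str] = None   # address the current SA was negotiated with
    rebuilds: int = 0

    def maintain(self, dns: Dict[str, str]) -> str:
        resolved = dns[self.peer_fqdn]
        if resolved != self.sa_endpoint:
            # The SA is bound to the old address; a new tunnel must be negotiated.
            self.sa_endpoint = resolved
            self.rebuilds += 1
            return "reestablished"
        return "up"


@dataclass
class PinnedPeer:
    """Remote peer configured with one WAN port's address instead of the FQDN."""
    endpoint: str

    def maintain(self, gw: Gateway) -> str:
        return "up" if gw.reachable_at(self.endpoint) else "unreachable"


def simulate() -> Dict[str, object]:
    """Constructed scenario: both WAN addresses fixed, one rollover."""
    gw = Gateway("gateway-a.example.org", {"WAN1": "203.0.113.10", "WAN2": "198.51.100.10"})
    by_name = FqdnPeer(gw.fqdn)
    by_ip = PinnedPeer("203.0.113.10")
    log = [
        (by_name.maintain(gw.dns_record()), by_ip.maintain(gw)),   # initial tunnel
        (by_name.maintain(gw.dns_record()), by_ip.maintain(gw)),   # steady state
    ]
    gw.rollover()
    log.append((by_name.maintain(gw.dns_record()), by_ip.maintain(gw)))   # after rollover
    return {"log": log, "fqdn_endpoint": by_name.sa_endpoint, "rebuilds": by_name.rebuilds}


if __name__ == "__main__":
    print(simulate())
```

Both WAN addresses in the scenario are fixed, and the pinned peer still ends up unreachable; that is the point the appendix makes about rollover: the address being fixed does not help when it is the wrong port's address.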
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall (Figure C-20), the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The chosen gateway WAN port must act as the responder.
Index A B access remote management 6-10 Back up settings 6-13 Active Self Certificates 5-27 bandwidth capacity 6-1 LAN side 6-1 Load balancing mode 6-1 Rollover mode 6-1 WAN side 6-1 backup and restore settings 6-14 Add DMZ WAN Outbound Services screen 4-12 Add LAN DMZ Inbound Service screen 4-14 Add LAN DMZ Outbound Service screen 4-13 Add LAN WAN Inbound Service 4-10 BigPond Cable 2-4, 2-5 Internet connection 2-6 Add LAN WAN Outbound Service screen 4-9 Add Mode Config Record screen 5-38 Block S
Content Filtering 4-1 about 4-25 Block Sites 4-25 enabling 4-25 firewall protection, about 4-1 content filtering 1-2, 4-1 crossover cable 1-3, 7-2 Customized Service editing 4-23 monitoring 6-27 DHCP server about 3-1 configuring secondary IP addresses 3-5 diagnostics DNS lookup 6-27 packet capture 6-27 ping 6-27 rebooting 6-27 routing table 6-27 customized service adding 4-22 Diagnostics screen 6-27 Customized Services adding 4-2, 4-21 Diffie-Hellman Gro
about protection 1-2 Ethernet, Auto Uplink 1-3 Dual WAN configuration of 2-10 Event Logs emailing of 4-31 Dual WAN Port inbound traffic C-8 load balancing, inbound traffic C-9 Extended Authentication. See XAUTH.
editing 3-9 Installation, instructions for 2-1 Groups and Hosts screen 3-7, 3-9, 3-10 Interior Gateway Protocol. See IGP.
L L2TP 4-15 LAN configuration 3-1 using LAN IP setup options 3-2 LAN DMZ Inbound Services adding rule 4-14 LAN DMZ Outbound Services adding rule 4-13 LAN DMZ Rules 4-12 LAN DMZ Rules screen 4-12 LAN DMZ service rule modifying 4-13 logging in default login 2-1 logging into the router default login 1-10 M MAC Address format 3-8 format of 4-28 MAC address 7-6 configuring 2-4, 2-5 format of 2-19 spoofing 7-5 LAN Security Checks 4-15 MAC addresses blocked, ad
network configuration requirements C-3 Ping On Internet Ports 4-14 Network Database about 3-6 advantages of 3-6 fields 3-7 Ping to an IP address Auto-Rollover 2-11 Network Database Group Names screen 3-9 network planning Dual WAN Ports C-1 Network Time Protocol. See NTP.
priority definitions 4-23 shifting traffic mix 6-7 SIP 2.0 support 1-1 Quality of Service. See QoS.
Service Based Rules 4-2 Static Route example of 3-15 Service Blocking reducing traffic 6-2 Static Routes about 3-12 service blocking 4-2 Outbound Rules 4-2 port filtering 4-2 static routes add or edit 3-12 configuring 3-12 example 3-15 Add Protocol Binding 2-14 service numbers common protocols 4-21 Stealth Mode 4-14 Services screen 4-21, 4-22 SYN flood 4-14 Setting Up One-to-One NAT Mapping example of 4-17 SysLog Facility Message Levels 4-33 SysL
definitions 2-9 Trend Micro enabling 3-15 Office Scan Server 3-16 OfficeScan client, exclusion list 3-16 requirements for use 3-15 Trend Micro integration 1-4 Trend Micro screen 3-16 Trend Micro security 1-4 troubleshooting 7-1 browsers 7-3 configuration settings, using sniffer 7-3 defaults 7-3 ISP connection 7-4 NTP 7-7 testing your setup 7-6 Web configuration 7-2 Trusted Certificates 5-27 Trusted Domains building list of 4-26 TZO.
VPNs C-6, C-10 about C-10 creating a VPN Gateway connection 5-14 gateway-to-gateway C-14, C-15, C-17 road warrior C-11, C-12, C-13 telecommuter C-18, C-20 viewing VPN tunnel status 6-25 W WAN configuring Advanced options 2-18 configuring WAN Mode 2-10 Web Components 4-25 blocking 4-25 filtering, about 4-25 Web configuration troubleshooting 7-2 WinPoET 2-6 X XAUTH IPSec Host 5-32 types of 5-31 WAN Failure Detection Method 2-10, 2-11 WAN Mode 2-11 WAN Mode