FVS338 ProSafe VPN Firewall 50 Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA September 2006 202-10046-03 v1.
© 2006 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR, the NETGEAR logo and ProSafe are trademarks and/or registered trademarks of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc.
Product and Publication Details
Model Number: FVS338
Publication Date: September 2006
Product Family: VPN firewall
Product Name: ProSafe VPN Firewall 50
Home or Business Product: Business
Language: English
Publication Part Number: 202-10046-03
Publication Version Number: 1.0
Contents
About This Manual
Conventions, Formats and Scope ... xiii
How to Use This Manual ... xiv
How to Print this Manual ... xiv
Revision History ...
Manually Configuring Your Internet Connection ... 2-9
Programming the Traffic Meter (if Desired) ... 2-12
Configuring the WAN Mode ... 2-15
Configuring Dynamic DNS (If Needed) ...
Specifying Quality of Service (QoS) Priorities ... 4-19
Setting a Schedule to Block or Allow Traffic ... 4-20
Setting Block Sites (Content Filtering) ... 4-21
Enabling Source MAC Filtering ... 4-23
Setting Up Port Triggering ...
Configuring the ProSafe VPN Client for ModeConfig ... 5-30
Certificates ... 5-33
Trusted Certificates (CA Certificates) ... 5-33
Self Certificates ...
DHCP Log ... 6-25
Performing Diagnostics ... 6-26
Chapter 7 Troubleshooting
Basic Functions ... 7-1
Power LED Not On ...
About This Manual The NETGEAR® ProSafe™ VPN Firewall 50 FVS338 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope The conventions, formats, and scope of this manual are described in the following paragraphs. • Typographical Conventions.
• Scope. This manual is written for the VPN firewall according to these specifications: Product Version: ProSafe VPN Firewall 50; Manual Publication Date: September 2006. For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, “Related Documents”. Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVS338.asp.
• Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window. • Click the print icon in the upper left of your browser window. Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link at the top left of any page. • Click the Complete PDF Manual link at the top left of any page in the manual.
Chapter 1 Introduction The ProSafe VPN Firewall 50 with 8-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS338 is a complete security solution that protects your network from attacks and intrusions. For example, the FVS338 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support.
Full Routing on Both the Broadband and Serial WAN Ports You can install, configure, and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including: • Internet access via either the serial or broadband port.
• Port Forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports. • Exposed Host (Software DMZ).
Trend Micro Integration If you have installed the Trend Micro Client/Server/Messaging Suite for SMB on your local network, you can have the firewall enforce its use. When Antivirus Enforcement is selected, local PCs will not be allowed Web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions.
• Remote management. The firewall allows you to securely log in to the Web Management Interface from a remote location on the Internet. For additional security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. • Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity.
Router Front Panel The ProSafe VPN Firewall 50 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. Figure 1-1 (front panel: Power LED, Test LED, Modem LED, Internet LEDs, Local LEDs) The table below describes each item on the front panel and its operation.
Table 1-1. Object Descriptions
• Power LED – On (Green): Power is supplied to the router. Off: Power is not supplied to the router.
Table 1-1. Object Descriptions (continued)
• Local LEDs, Link/Act LED – On (Green): The LAN port has detected a link with a connected Ethernet device. Blinking (Green): Data is being transmitted or received by the LAN port. Off: The LAN port has no link.
• Local LEDs, 100 LED – On (Green): The LAN port is operating at 100 Mbps. Off: The LAN port is operating at 10 Mbps.
Rack Mounting Hardware The FVS338 can be mounted either on a desktop (using the included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in Figure 1-3). Figure 1-3 Factory Default Login Check the label on the bottom of the FVS338’s enclosure if you forget the following factory default information: • IP Address: http://192.168.1.
To log in to the FVS338 once it is connected: 1. Open a Web browser. 2. Enter http://192.168.1.1 as the URL. Figure 1-5 3. Once the login screen displays (Figure 1-5), enter the following: • admin for User Name • password for Password
Chapter 2 Connecting the FVS338 to the Internet This section provides instructions for connecting the VPN firewall. Setting up VPN tunnels is covered in Chapter 5, “Virtual Private Networking”: 1. Connect the firewall physically to your network. Connect the cables, turn on your router and wait for the Test LED to go out. Make sure your Ethernet and LAN LEDs are lit. (See the FVS338 ProSafe VPN Firewall 50 Installation Guide on your Resource CD.) 2. Log in to the firewall.
To log in to the VPN firewall: 1. Open an Internet Explorer, Netscape® Navigator, or Firefox browser. In the browser window, enter http://192.168.1.1 in the address field. The FVS338 login screen will display. Figure 2-1 2. Enter admin for the User Name and password for the Password, both in lower case letters. The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection. 3. Click Login.
Figure 2-2 2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support. When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1.
Table 2-1. Internet connection methods
• DHCP (Dynamic IP) – Data required: none.
• Fixed IP – Data required: IP address and related data supplied by your ISP.
3. Click Connection Status at the top right of the screen to verify your Broadband connection status. Click Connect if a connection is not already present.
1. Select Network Configuration from the main menu, WAN Settings from the submenu and click the Dialup ISP Settings tab to display the Dialup settings screen. Figure 2-4 2. Enter the following Dialup Account settings: a. Account/User name: Enter the account name or the user name provided by your ISP. This name will be used to log in to the ISP server. b. Password: The account password for the dialup ISP. c.
3. Specify the method to use for your Dial-up Connection Status. The VPN firewall can automatically dial the ISP when a connection is needed, or can be configured to wait for manual intervention: a. Check the Connect automatically, disconnect after idle for ___ min. radio box for the modem to connect automatically, and enter the number of idle minutes. The router will connect whenever an outbound connection request is made from a computer on the LAN.
Set up the traffic meter for the Dialup ISP if desired (see “Programming the Traffic Meter (if Desired)” on page 2-12). Note: The response time of your serial port Internet connection will be slower than a broadband Internet connection. Tip: If you experience connectivity problems with the Dialup ISP, try a different baud rate setting and ensure that the modem parameters you selected match the modem connected to the FVS338.
This could occur on some older broadband modems. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100BaseT; otherwise, select 10BaseT. Use the half-duplex settings if full-duplex modes do not work. Figure 2-5 You can also change the standard MTU (Maximum Transmit Unit) value for dialup modems from the Dialup ISP Settings screen. The standard value is 576 bytes, but some ISPs may require that you reduce the MTU.
Figure 2-6 Manually Configuring Your Internet Connection If you know your Broadband ISP connection type, you can bypass the Auto Detect feature and connect your router manually. Ensure that you have all of the relevant connection information, such as IP addresses, account information and type of ISP connection, before you begin.
Figure 2-7 To manually configure your WAN1 ISP settings: 1. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select Yes. Otherwise, select No. 2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box.
– Domain Name: Your domain name or workgroup name assigned by your ISP, or your ISP's domain name. You may leave this field blank. – Idle Timeout: Check the Keep Connected radio box to keep the connection always on. To log out after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field.
4. If your ISP has not assigned any Domain Name Server (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP addresses in the fields. Incorrect DNS entries may cause connectivity issues. Note: Domain name servers (DNS) convert Internet names such as www.google.com, www.netgear.com, etc.
Figure 2-8
Table 2-2. Traffic Meter Settings
• Enable Traffic Meter – Check this if you wish to record the volume of Internet traffic passing through the router's Broadband or Dialup port. Broadband or Dialup can be selected by clicking the appropriate tab; the entire configuration is specific to each interface.
• No Limit – If this is selected, the specified restriction will not be applied when the traffic limit is reached.
Configuring the WAN Mode The WAN Mode screen allows you to configure how your router uses your external Internet connections; for example, your WAN port or dialup modem connections. • NAT. NAT is the technology which allows all PCs on your LAN to share a single Internet IP address. Viewed from the Internet, the WAN port on the VPN firewall is configured with a single IP address—the “public” address.
• If you have both ISP links connected for Internet connectivity, check Primary Broadband with Dialup as backup for auto-rollover. 4. The WAN Failure Detection Method must be configured to notify the router of a link failure if you are using Dialup as a backup to engage auto-rollover. The router checks the connection of the primary link at regular intervals to detect its status.
This router firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
2. Check the Dynamic DNS Service radio box you want to enable. The fields corresponding to your selection will be highlighted. Each DNS service provider requires its own parameters. 3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is opposite the DNS Configuration screen name. 4.
Chapter 3 LAN Configuration This chapter describes how to configure LAN Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50. These features can be found under the Network Configuration menu of the router interface.
To modify your LAN setup: 1. Select Network Configuration from the main menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1 2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets.) 3. Enter the IP Subnet Mask. The subnet mask specifies the network number portion of an IP address.
b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address. c. Enter the Ending IP Address. This address specifies the last of the contiguous addresses in the IP address pool.
Configuring Multi-Home LAN IPs If you have computers that are using different IP address ranges in the LAN (for example, 172.16.2.0 or 10.0.0.0), then you can add “aliases” to the LAN port which give computers on those networks access to the Internet. This allows the firewall to act as a gateway to additional logical subnets on your LAN. To add a secondary LAN IP address: 1.
Managing Groups and Hosts The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this router. Collectively, these entries make up the Network Database. The Network Database is created in two ways: • Using the DHCP Server. The router’s DHCP server will accept and respond to DHCP client requests from PCs and other network devices.
• A computer is identified by its MAC address—not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC. This Known PCs and Devices table lists entries in the Network Database. For each computer or device, the following fields are displayed: • Name: The name of the PC or device.
To edit an entry in the Known PCs and Devices table: 1. Click Edit adjacent to the entry you want to modify. The Edit Known PCs and Devices screen will display. Make your modifications to the entry. 2. Click Apply to save your settings. The changes will appear in the Known PCs and Devices table. To edit a Group Name in the Network Database: 1. On the Groups and Hosts screen, click the Edit Group Names link. 2.
Setting Up Address Reservation When you specify a reserved IP address for a device on the LAN (based on the MAC address of the device), that computer or device will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP settings. The Reserved IP address that you select must be outside of the DHCP Server pool.
5. Type the Destination IP Address or network of the route’s final destination. 6. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255. Figure 3-4 7. From the Interface pull-down menu, select the physical network interface (Broadband, Dialup, or LAN) through which this route is accessible. 8.
• You have an ISDN firewall on your home network for connecting to the company where you are employed. This firewall’s address on your LAN is 192.168.1.100. • Your company’s network is 134.177.0.0. When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.1.x addresses.
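The static route example above, worked through as an added Python model of longest-prefix route lookup; this is illustration code, not the firewall's own logic. The ISP gateway address (203.0.113.1) and the /16 mask for the company network are assumptions, and the LAN/DMZ subnet check covers the LAN Setup warning about distinct subnets.

```python
import ipaddress

# Constructed routing table mirroring the manual's example: the implicit default route
# via the ISP, the implicit LAN route for 192.168.1.x, and the static route to the
# company network 134.177.0.0 via the ISDN device at 192.168.1.100. The ISP gateway
# (203.0.113.1) and the /16 mask for 134.177.0.0 are assumptions, not manual values.
ROUTES = [
    # (destination network, gateway or None if directly connected, interface)
    ("0.0.0.0/0",      "203.0.113.1",   "Broadband"),  # default route (assumed ISP gateway)
    ("192.168.1.0/24", None,            "LAN"),        # local LAN, directly connected
    ("134.177.0.0/16", "192.168.1.100", "LAN"),        # static route to the company network
]


def build_table(routes):
    """Parse (cidr, gateway, interface) tuples into ip_network objects."""
    return [(ipaddress.ip_network(dst), gw, ifc) for dst, gw, ifc in routes]


def add_host_route(table, host_ip, gateway, interface):
    """A single-host destination is the 255.255.255.255 mask the manual mentions (/32)."""
    table.append((ipaddress.ip_network(f"{host_ip}/32"), gateway, interface))
    return table


def lookup(table, dst_ip):
    """Longest-prefix match: the most specific network containing dst_ip wins,
    which is why the static route beats the default route for 134.177.x.x."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, gw, ifc in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return best


def next_hop(table, dst_ip):
    """Human-readable forwarding decision for dst_ip."""
    net, gw, ifc = lookup(table, dst_ip)
    return f"{ifc} via {gw}" if gw else f"{ifc} direct"


def lan_dmz_subnets_distinct(lan_cidr, dmz_cidr):
    """The LAN Setup screen requires the LAN and DMZ port addresses to be in different
    subnets; overlapping networks would make the forwarding decision ambiguous."""
    return not ipaddress.ip_network(lan_cidr, strict=False).overlaps(
        ipaddress.ip_network(dmz_cidr, strict=False))


if __name__ == "__main__":
    table = build_table(ROUTES)
    for ip in ("134.177.10.5", "192.168.1.50", "198.51.100.7"):
        print(ip, "->", next_hop(table, ip))
```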
Figure 3-5 To enable RIP: 1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display. 2. Click the RIP Configuration link. The RIP Configuration screen will display. 3. From the RIP Direction pull-down menu, select the direction for the router to send and receive RIP packets: • Both – the router broadcasts its routing table and also processes RIP information received from other routers.
• None – the router neither broadcasts its route table nor does it accept any RIP packets from other routers. This effectively disables RIP. 4. Select the RIP Version from the pull-down menu: • RIP-1 – classful routing and does not include subnet information. This is the most commonly supported version. • RIP-2 – supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format: • RIP-2B – uses subnet broadcasting.
3. Enter the IP address of the OfficeScan Server on your local network. 4. Enter the 5-digit port number used for communications between the OfficeScan clients and the server. 5. Click Apply to enable Trend Micro. The Host Exclusion List table lists PCs that are allowed to access the WAN without the OfficeScan client. Note: The OfficeScan Server must appear in the exclusion list.
Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators can establish restricted access policies based on time-of-day, Web addresses and Web address keywords. You can also block Internet access by applications and services, such as chat or games. The firewall also provides various firewall activity reports and instant alerts via e-mail.
• Outbound: Allow all access from the LAN side to the outside. Services-Based Rules The rules to block traffic are based on the traffic’s category of service. • Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic. • Outbound Rules (service blocking).
Table 4-1. Outbound Rules Fields
• Services: Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-17).
Table 4-1. Outbound Rules Fields (continued)
• QoS Priority: This setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy.
Table 4-2. Inbound Rules Fields
• Services: Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-17).
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP. Remember that allowing inbound services opens holes in your VPN firewall.
Setting LAN WAN Rules The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the LAN to the Internet (Outbound) or coming in from the Internet to the LAN (Inbound). The default policy can be changed to block all outbound traffic and enable only specific services to pass through the router.
• Down – to move the rule down one position in the table rank. 2. Check the radio box adjacent to the rule and then: • Click Disable to disable the rule. The “!” Status icon will change from green to grey, indicating that the rule is disabled. (By default, when a rule is added to the table it is automatically enabled.) • Click Delete to delete the rule. 3. Click Select All to select all rules. A check will appear in the radio box for each rule.
Figure 4-3 LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. WAN Users: Whether all WAN addresses or specific IP addresses are included in the rule. To create a new inbound service rule: 1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen will display. 2.
Figure 4-4 Attack Checks This screen allows you to specify whether or not the router should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below: • WAN Security Checks – Respond To Ping On Internet Ports. When enabled, the router will respond to a “Ping” from the Internet.
• LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) verify that no application is listening at that port, and then (3) reply with an ICMP Destination Unreachable packet.
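A defender-side illustration of the UDP flood pattern just described, added here and not part of the manual: a detector that flags a source spraying UDP packets at many distinct ports of one host within a short window. The log line format, the port threshold and the window length are constructed assumptions.

```python
from collections import defaultdict, deque

# Detection parameters are assumptions for this example, not values from the manual.
WINDOW_SECONDS = 1.0   # sliding window length
PORT_THRESHOLD = 50    # distinct UDP destination ports from one source within the window


def parse(line):
    """Parse one constructed log line: 't=1.000 proto=udp src=... dst=... dport=...'."""
    fields = dict(item.split("=", 1) for item in line.split())
    return {"t": float(fields["t"]), "proto": fields["proto"], "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"])}


def detect_udp_flood(lines, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Flag sources that hit at least `threshold` different UDP ports of one host within
    `window` seconds: the 'many random ports' signature the Attack Checks screen describes."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (time, dport), oldest first
    flagged = set()
    for rec in (parse(line) for line in lines):
        if rec["proto"] != "udp":
            continue                      # ICMP unreachable replies etc. are not counted
        q = recent[(rec["src"], rec["dst"])]
        q.append((rec["t"], rec["dport"]))
        while q and rec["t"] - q[0][0] > window:
            q.popleft()                   # drop packets that fell out of the window
        if len({port for _, port in q}) >= threshold:
            flagged.add(rec["src"])
    return flagged


def constructed_log():
    """Constructed sample: one LAN host doing ordinary DNS lookups, one remote host sending
    200 UDP packets to 200 different ports of a LAN server within half a second, and the
    target's ICMP replies (not UDP, so ignored by the detector)."""
    lines = [f"t={i * 0.3:.3f} proto=udp src=192.168.1.20 dst=203.0.113.53 dport=53"
             for i in range(30)]
    lines += [f"t={5 + i * 0.0025:.4f} proto=udp src=198.51.100.9 dst=192.168.1.10 "
              f"dport={20000 + (i * 7919) % 40000}" for i in range(200)]
    lines += [f"t={5 + i * 0.0025:.4f} proto=icmp src=192.168.1.10 dst=198.51.100.9 dport=0"
              for i in range(5)]
    return sorted(lines, key=lambda line: parse(line)["t"])
```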
Figure 4-5 Inbound Rules Examples Hosting A Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown in Figure 4-6: Figure 4-6
Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown to the right, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
3. From the service pull-down menu, select the HTTP service for a Web server. 4. From the Action pull-down menu, select Allow Always. 5. In the Send to LAN Server field, enter the local IP address of your Web server PC. 6. From the Public Destination IP Address pull-down menu, choose Other Public IP Address. 7. Enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server. 8. Click Apply.
Figure 4-9 To test the connection from a PC on the Internet, type http://<IP address>, where <IP address> is the public IP address you have mapped to your Web server. You should see the home page of your Web server. Specifying an Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN as this host: 1.
1. Select All protocols and ALLOW Always (or Allow by Schedule) 2. Place the rule below all other inbound rules Figure 4-10 Outbound Rules Example – Blocking Instant Messenger Outbound rules let you prevent users from using applications such as AOL Instant Messenger, Real Audio or other non-essential sites.
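The rule evaluation the LAN WAN Rules sections describe (first match in table order, default inbound block, default outbound allow, the exposed-host rule placed last), as an added Python model that is not part of the manual; the service port numbers, LAN server addresses and the branch-office address range are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Services used in the manual's examples. The port numbers are conventional values
# assumed for this simulation; they are not taken from the manual.
SERVICES = {"HTTP": ("tcp", 80), "CU-SEEME": ("udp", 7648), "AIM": ("tcp", 5190)}


@dataclass
class Rule:
    name: str
    service: str                   # key in SERVICES, or "ANY" for "All protocols"
    action: str                    # "ALLOW" or "BLOCK"
    wan_users: str = "ANY"         # "ANY" or a CIDR of permitted remote addresses
    send_to: Optional[str] = None  # LAN server that matching inbound traffic is sent to
    enabled: bool = True           # a disabled rule is skipped, as in the rules table


@dataclass
class Packet:
    proto: str
    dport: int
    src: str


def matches(rule, pkt):
    if not rule.enabled:
        return False
    if rule.service != "ANY" and SERVICES[rule.service] != (pkt.proto, pkt.dport):
        return False
    if rule.wan_users != "ANY" and \
            ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.wan_users):
        return False
    return True


def evaluate(rules, pkt, default_action):
    """First matching rule in table order decides; no match falls to the default policy.
    Returns (action, deciding rule name or "default", LAN destination or None)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name, rule.send_to
    return default_action, "default", None


def inbound(rules, pkt):
    return evaluate(rules, pkt, "BLOCK")   # default inbound policy: block everything


def outbound(rules, pkt):
    return evaluate(rules, pkt, "ALLOW")   # default outbound policy: allow everything


# Constructed inbound table; LAN addresses and the branch-office range are sample values.
WEB_SERVER = Rule("Web server", "HTTP", "ALLOW", send_to="192.168.1.10")
VIDEOCONF = Rule("Videoconference", "CU-SEEME", "ALLOW",
                 wan_users="198.51.100.0/24", send_to="192.168.1.20")
EXPOSED_HOST = Rule("Exposed host", "ANY", "ALLOW", send_to="192.168.1.99")
INBOUND_RULES = [WEB_SERVER, VIDEOCONF, EXPOSED_HOST]   # exposed host last, per the manual

# Constructed outbound table: block AOL Instant Messenger, everything else passes.
OUTBOUND_RULES = [Rule("Block AIM", "AIM", "BLOCK")]
```

Moving the exposed-host rule above the Web server rule sends HTTP to the exposed host instead of the Web server, which is why the manual places it below all other inbound rules.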
FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 4-11 Adding Customized Services Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves.
FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-12 To add a service: 1. Select Security from the main menu and Services from the submenu. The Services screen will display. 2. In the Add Custom Service table, enter a descriptive name for the service (this is for your convenience). 3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP or ICMP. 4. Enter the first TCP or UDP port of the range that the service uses.
FVS338 ProSafe VPN Firewall 50 Reference Manual To edit the parameters of a service: 1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display. 2. Modify the parameters you wish to change. 3. Click Reset to cancel the changes and restore the previous settings. 4. Click Apply to confirm your changes. The modified service will display in the Custom Services Table.
FVS338 ProSafe VPN Firewall 50 Reference Manual Setting a Schedule to Block or Allow Traffic If you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules—Schedule 1, Schedule 2 or Schedule 3. To invoke rules and block keywords or Internet domains based on a schedule: 1.
FVS338 ProSafe VPN Firewall 50 Reference Manual Setting Block Sites (Content Filtering) If you want restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
5. Build your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After each entry, click Add. The Keyword or Domain Name will be added to the Blocked Keywords table. (You can also edit an entry by clicking Edit in the Action column adjacent to the entry.)
6. Build a list of Trusted Domains in the Trusted Domains fields. After each entry, click Add. The Trusted Domain will appear in the Trusted Domains table.
Enabling Source MAC Filtering

Source MAC Filter allows you to filter out traffic coming from certain known machines or devices.
• By default, the source MAC address filter is disabled. Traffic received from PCs with any MAC address is allowed.
• When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table.
Note that a MAC address is set by the sending host and can be changed by its user, so this filter keeps known devices off the network but is not a defense against a deliberate attacker.
3. Build your list of source MAC addresses to be blocked by entering the first MAC address in the MAC Address field in the form xx:xx:xx:xx:xx:xx, where each x is a digit (0 to 9) or a letter from a to f (inclusive), for example: 00:e0:4c:69:0a:
4. Click Add. The MAC address will be added to the Available MAC Addresses to be Blocked table. (You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC address.)
5.
To add a Port Triggering rule:
1. Select Security from the main menu and Port Triggering from the submenu. The Port Triggering screen will display.
2. Enter a user-defined name for this rule in the Name field.
3. From the Enable pull-down menu, indicate whether the rule is enabled or disabled.

Figure 4-16

4. From the Protocol pull-down menu, select either TCP or UDP.
5. In the Outgoing (Trigger) Port Range fields:
a. Enter the Start Port of the range (1 - 65534).
b. Enter the End Port of the range (1 - 65534).
6. In the Incoming (Response) Port Range fields:
a. Enter the Start Port of the range (1 - 65534).
b. Enter the End Port of the range (1 - 65534).
7. Click Add. The Port Triggering rule will be added to the Port Triggering Rules table.

To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
2. Modify any of the fields for this rule.
3.
E-Mail Notifications of Event Logs and Alerts

The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address.
Figure 4-18

To set up Firewall Logs and E-mail alerts:
1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display.
2. Enter the name of the log in the Log Identifier field. Log Identifier is a mandatory field used to identify the log messages; this ID is appended to every log message, so choose a value that identifies the device when several firewalls feed one syslog server or mailbox.
3. Enter a Schedule for sending the logs.
4. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
5. In the System Logs section, check the radio box for the type of system events to be logged.
6. Check the Yes radio box to enable E-mail Logs. Then enter:
a. E-mail Server address – Enter the address of the outgoing SMTP mail server, for example the one provided by your ISP (such as 172.16.1.10).
Table 4-3. SysLog Facility Message Levels (continued)
Numerical Code – Severity
5 – Notice: Normal but significant conditions
6 – Informational: Informational messages
7 – Debug: Debug level messages

To view the Firewall logs:
1. Click the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display.
2. If the E-mail Logs option has been enabled, you can send a copy of the log by clicking Send Log.
3.
Table 4-4. Log Entry Descriptions
Field – Description
Date and Time – The date and time the log entry was recorded.
Description or Action – The type of event and what action was taken, if any.
Source IP – The IP address of the initiating device for this log entry.
Source port and interface – The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ.
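The severity codes in Table 4-3 are the standard syslog values: each message carries a PRI number equal to facility × 8 + severity, and the e-mail alert feature is most useful when it is fed only the more urgent levels. The following is an added example, not NETGEAR code and not the FVS338's own log format: it decodes the PRI field of constructed syslog lines and selects the entries that would be worth mailing. The sample lines, the host name and the message text are constructed for the example.

```python
"""Added example (not NETGEAR code): decode the syslog PRI field and pick the
entries that should trigger an e-mail alert. The severity names are the
standard syslog values (0-7) that Table 4-3 lists; the sample lines below are
constructed in plain RFC 3164 form and are not actual FVS338 output."""
import re
from collections import namedtuple

SEVERITY_NAMES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

Entry = namedtuple("Entry", "facility severity timestamp host message")

# <PRI>TIMESTAMP HOST MESSAGE   (PRI = facility * 8 + severity)
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(line):
    """Split one syslog line into facility, severity and payload; raise on malformed input."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:                       # facility 23 * 8 + severity 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return Entry(pri // 8, pri % 8, m.group(2), m.group(3), m.group(4))


def severity_name(entry):
    return SEVERITY_NAMES[entry.severity]


def select_for_email(lines, max_severity=4):
    """Return the entries at or more urgent than max_severity (lower number = more urgent).
    The default, Warning (4), mails Warning and above and leaves Notice, Informational
    and Debug in the on-box log. Undecodable lines are skipped rather than mailed."""
    chosen = []
    for line in lines:
        try:
            entry = parse_syslog(line)
        except ValueError:
            continue
        if entry.severity <= max_severity:
            chosen.append(entry)
    return chosen


# Constructed sample lines; the message text is illustrative, not FVS338 format.
SAMPLE_LOG = [
    "<132>Sep 12 10:15:01 FVS338 [LAN-WAN] Dropped TCP 192.168.1.23:4455 -> 203.0.113.9:445",
    "<134>Sep 12 10:15:02 FVS338 [WAN-LAN] Allowed UDP 198.51.100.7:53 -> 192.168.1.23:51002",
    "<129>Sep 12 10:16:10 FVS338 Admin login failure from 203.0.113.77",
    "garbage line without a PRI",
]

if __name__ == "__main__":
    for e in select_for_email(SAMPLE_LOG):
        print(severity_name(e), e.host, e.message)
```

With the constructed input, PRI 132 decodes to facility 16 (local0) at Warning and PRI 129 to Alert, so those two are selected; the Informational entry and the undecodable line are left out.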
Chapter 5
Virtual Private Networking

This chapter describes how to use the Virtual Private Networking (VPN) features of the VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.

Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
Setting up a VPN Connection using the VPN Wizard

Setting up a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard can assist in guiding you through the setup procedure by asking you a series of questions that will determine the IPSec keys and VPN policies it sets up.
The Local WAN IP address is the address used in the IKE negotiation phase. The WAN IP address assigned by your ISP may be filled in automatically. You can replace it with your FQDN; this is required if the WAN Mode you selected is auto-rollover, because the WAN address changes when the firewall rolls over to the other port.
7. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway; otherwise the secure tunnel will fail to connect.
6. Click Apply. The VPN Client screen will display showing that the VPN Client has been enabled. Click the IKE Policies tab to view the corresponding IKE Client Policy.

IKE Policies

The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways, and provides automatic management of the keys used in IPSec. It is important to remember that:
• “Auto” generated VPN policies must use the IKE negotiation protocol.
IKE Policy Table

When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the Policy Table and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the Policy Table screen. Each policy contains the following data:
• Name. Uniquely identifies each IKE policy.
• Manual. All settings (including the keys) for the VPN tunnel are manually input at each end (both VPN endpoints). No third party server or organization is involved.
• Auto. Some parameters for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN endpoints (the Local ID Endpoint and the Remote ID Endpoint).
• Local. IP address (either a single address, range of addresses or subnet address) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (Subnet address is the default IP address type when using the VPN Wizard.)
• Remote. IP address or address range of the remote network. Traffic must be to (or from) these addresses to be covered by this policy.
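The Local and Remote fields of one gateway's policy have to be the mirror image of the other gateway's, while the IKE parameters and pre-shared key have to be identical, and the wizard cannot tell you when they are not. As an added illustration that is not NETGEAR code and not an FVS338 export format, the following compares two gateway definitions and lists every disagreement before anyone tries to bring the tunnel up. The dictionary keys, site names and identifiers are assumptions chosen to resemble the IKE and VPN Policy table fields; subnets may be written with a prefix length or a dotted mask as the router's forms use.

```python
"""Added example (not NETGEAR code): check that two gateway-to-gateway VPN
definitions mirror each other before trying to bring the tunnel up. The field
names are assumptions chosen to resemble the IKE/VPN Policy tables."""
from ipaddress import ip_network

# Parameters that must be identical (not mirrored) on both ends.
SHARED_FIELDS = ("exchange_mode", "phase1_proposal", "phase2_proposal",
                 "sa_lifetime", "pfs_group", "psk")


def _net(spec):
    # strict=False accepts '192.168.1.0/255.255.255.0' as well as '192.168.1.0/24'
    return ip_network(spec, strict=False)


def check_mirror(a, b):
    """Return a list of human-readable problems; an empty list means the two sides agree."""
    problems = []
    # Mirrored fields: my local LAN is the peer's remote LAN, and vice versa.
    if _net(a["local_lan"]) != _net(b["remote_lan"]):
        problems.append(f"{a['name']} local LAN {a['local_lan']} != "
                        f"{b['name']} remote LAN {b['remote_lan']}")
    if _net(a["remote_lan"]) != _net(b["local_lan"]):
        problems.append(f"{a['name']} remote LAN {a['remote_lan']} != "
                        f"{b['name']} local LAN {b['local_lan']}")
    if a["local_id"] != b["remote_id"] or a["remote_id"] != b["local_id"]:
        problems.append("IKE local/remote identifiers are not mirrored")
    # Shared fields: must be identical. Never print the key itself.
    for field in SHARED_FIELDS:
        if a[field] != b[field]:
            shown = "(differs)" if field == "psk" else f"{a[field]!r} vs {b[field]!r}"
            problems.append(f"{field}: {shown}")
    # A common failure the wizard does not detect: both LANs use the same private subnet,
    # so hosts see the remote addresses as local and never send them into the tunnel.
    if _net(a["local_lan"]).overlaps(_net(b["local_lan"])):
        problems.append(f"LAN subnets overlap ({a['local_lan']} / {b['local_lan']}); "
                        "traffic will not be routed into the tunnel")
    return problems


def example_sites():
    """Constructed pair of sites that mirror correctly (values are illustrative)."""
    fvs = dict(name="to_fvx", local_id="fvs.example.net", remote_id="fvx.example.net",
               local_lan="192.168.1.0/255.255.255.0", remote_lan="192.168.2.0/24",
               exchange_mode="Main", phase1_proposal="3DES-SHA1-DH2",
               phase2_proposal="3DES-SHA1", sa_lifetime=3600, pfs_group=None,
               psk="constructed-example-key")
    fvx = dict(fvs, name="to_fvs", local_id="fvx.example.net", remote_id="fvs.example.net",
               local_lan="192.168.2.0/24", remote_lan="192.168.1.0/24")
    return fvs, fvx


if __name__ == "__main__":
    site_a, site_b = example_sites()
    print("agree" if not check_mirror(site_a, site_b) else check_mirror(site_a, site_b))
```

Run it against the two sites' settings before testing with ping; the overlap check in particular catches the case where both offices were left on the factory 192.168.1.0/24 network, which the tunnel will negotiate happily and then carry no traffic.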
Creating a VPN Gateway Connection: Between FVS338 and FVX538

This section describes how to configure a VPN connection between a NETGEAR FVS338 VPN Firewall and a NETGEAR FVX538 VPN Firewall. Using each firewall's VPN Wizard, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses. Either firewall can initiate the connection.
Figure 5-1

The IKE Policies screen will display showing the new “to_fvx” policy.

Figure 5-2

You can view the IKE parameters by clicking Edit in the Action column adjacent to the “to_fvx” policy. It should not be necessary to make any changes.
Figure 5-3

Click the VPN Policies tab to view the corresponding VPN Policy. The VPN Policies screen will display.

Figure 5-4

You can view the VPN parameters by clicking Edit in the Action column adjacent to “to_fvx”. It should not be necessary to make any changes.
Figure 5-5

Configuring the FVX538

To configure the FVX538 using the VPN Wizard:
1. Select VPN from the main menu. The Policies screen will display. Click the VPN Wizard link. The VPN Wizard screen will display.
2. Check the Gateway radio box to establish a remote VPN gateway.
3. Give the new connection a name such as to_fvs.
4. Enter a value for the pre-shared key.
5. Enter the WAN IP address or Internet name of the remote WAN.
6. Enter the remote LAN IP address and subnet mask.
7. Click Apply to create the “to_fvs” IKE and VPN policies.

Figure 5-6

Testing the Connection
1. From a PC on either firewall’s LAN, try to ping a PC on the other firewall’s LAN. Establishing the VPN connection may take several seconds.
2. For additional status and troubleshooting information, view the VPN log and status menu in the FVX538 or FVS338.
Using the FVS338 VPN Wizard, we will create a single set of policies (IKE and VPN) that will allow up to 50 remote PCs to connect from locations in which their IP addresses are unknown in advance. The PCs may be directly connected to the Internet or may be behind NAT routers. If more PCs are to be connected, an additional policy or policies must be created. Each PC will use the NETGEAR VPN Client.
Figure 5-7

Configuring the VPN Client

On a remote PC that has a NETGEAR ProSafe VPN Client installed, configure the client using the FVS338 VPN Client default parameters (displayed in both the IKE Policy table and the VPN Policy table of the FVS338 under the name “home”):
• Local FQDN (the router): fvs_local.com
• Remote FQDN (the client): fvs_remote.com
To configure the VPN Client:
1. Right-click on the VPN client icon in your Windows toolbar and select the Security Policy Editor. The Security Policy Editor screen will display.
2. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection.

Figure 5-8

3. Give the New Connection a name, such as to_FVS (shown in Figure 5-9).
4. In the Remote Party Identity section, from the ID Type pull-down menu, select IP Subnet.
5.
Figure 5-9

8. In the left frame, click on My Identity (shown in Figure 5-10).
9. From the Select Certificate pull-down menu, select None.
10. From the ID Type pull-down menu, select Domain Name. The value entered under Domain Name takes the form “name.fvs_remote.com” (for example, home11.fvs_remote.com), where each user must use a different variation of the Domain Name entered here and the prefix is based on the policy name (“home”) used in the FVS338 configuration.
Figure 5-10

12. Before leaving the My Identity menu, click Pre-Shared Key.
13. Click Enter Key, and type your pre-shared key. Click OK. This key is shared by all users of the FVS338 policy “home”; because anyone holding it can connect, use a long random value and consider adding per-user authentication with XAUTH (described later in this chapter).

Figure 5-11
14. In the left frame, click Security Policy (shown in Figure 5-12).
15. Select the Phase 1 Negotiation Mode by checking the Aggressive Mode radio box. (Aggressive Mode sends the identities unprotected and lets an eavesdropper capture material derived from the pre-shared key for offline guessing, which is another reason to choose a long random key.)
16. PFS Key Group should be disabled, and Enable Replay Detection should be enabled. Both settings must match the FVS338 policy.

Figure 5-12

17. In the left frame, expand Authentication (Phase 1) and select Proposal 1. Compare with the figure below. No changes should be necessary.

Figure 5-13
18. In the left frame, expand Key Exchange (Phase 2) and select Proposal 1. Compare with the figure below. No changes should be necessary.
19. In the upper left of the window, click the disk icon to save the policy.

Figure 5-14

Testing the Connection

To test your VPN connection:
1. Right-click the VPN client icon in your Windows toolbar and select Connect..., and then select My Connections\to_FVS.
Figure 5-15

Extended Authentication (XAUTH) Configuration

When connecting many VPN clients to a VPN gateway router, an administrator may want a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the VPN gateway router to authenticate users from a stored list of user accounts.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the router will then connect to a RADIUS server.

Configuring XAUTH for VPN Clients

Once XAUTH has been enabled, you must establish user accounts on the Local Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server.
• IPSec Host if you want to be authenticated by the remote gateway. In the adjacent Username and Password fields, type the user name and password associated with the IKE policy; the remote gateway uses them to authenticate this gateway.
4. Click Apply to save your settings.

Figure 5-16

User Database Configuration

The User Database screen is used to configure and administer VPN Client users for use by the XAUTH server.
3. Enter a Password for the user, and re-enter the password in the Confirm Password field.
4. Click Add. The User Name will be added to the Configured Hosts table.

Figure 5-17

To edit the user name or password:
1. Click Edit opposite the user’s name. The Edit User screen will display.
2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings.
information such as a username/password or some encrypted response using his username/password information. The gateway will try to verify this information first against a local User Database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.

To configure the Primary RADIUS Server:
1. Select VPN from the main menu, VPN Client from the submenu and then select the RADIUS Client tab.
Figure 5-18

Manually Assigning IP Addresses to Remote Users (ModeConfig)

To simplify the process of connecting remote VPN clients to the FVS338, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the router. Remote users are given IP addresses available in secured network space so that remote users appear as seamless extensions of the network.
ModeConfig Operation

After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The ModeConfig module will allocate an IP address from the configured IP address pool and will activate a temporary IPSec policy using the template security proposal information configured in the ModeConfig record.
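The allocation step described above is easy to get wrong when clients reconnect or the pool fills up. The following is an added example, not NETGEAR code: a small pool of the kind the ModeConfig module draws from, which hands one address to each authenticated peer identity after Phase 1, returns the same address to a peer that reconnects while its lease is still held, refuses cleanly when the pool is exhausted, and releases the address when the temporary IPSec policy is torn down. The pool range, netmask, DNS server and peer names are constructed; the identities reuse the "home11.fvs_remote.com" pattern from the client section.

```python
"""Added example (not NETGEAR code): an address pool of the kind the ModeConfig
module draws from. One address per authenticated peer identity, handed out after
IKE Phase 1 and returned when the temporary IPSec policy is torn down. The pool
range, netmask, DNS address and peer names are constructed."""
from ipaddress import ip_address


class ModeConfigPool:
    def __init__(self, first, last, netmask="255.255.255.0", dns=("192.168.1.1",)):
        self.first, self.last = ip_address(first), ip_address(last)
        if self.first > self.last:
            raise ValueError("pool start is above pool end")
        self.netmask, self.dns = netmask, tuple(dns)
        self.leases = {}                               # peer identity -> address

    def allocate(self, peer_id):
        """Return the configuration parameters sent to peer_id; a peer that reconnects
        while its lease is held gets the same address back instead of a second one."""
        if peer_id in self.leases:
            addr = self.leases[peer_id]
        else:
            addr = self._next_free()
            if addr is None:
                raise RuntimeError("ModeConfig pool exhausted")
            self.leases[peer_id] = addr
        return {"address": str(addr), "netmask": self.netmask, "dns": list(self.dns)}

    def _next_free(self):
        in_use = set(self.leases.values())
        addr = self.first
        while addr <= self.last:                       # lowest free address first
            if addr not in in_use:
                return addr
            addr += 1
        return None

    def release(self, peer_id):
        """Called when the peer's SA expires or is torn down; the address returns to the pool."""
        return self.leases.pop(peer_id, None)

    def free_count(self):
        return int(self.last) - int(self.first) + 1 - len(self.leases)


if __name__ == "__main__":
    pool = ModeConfigPool("172.20.1.10", "172.20.1.12")
    print(pool.allocate("home11.fvs_remote.com"))
    print(pool.free_count(), "addresses left")
```

Size the pool for the number of simultaneous clients, not the number of user accounts, and make sure it does not collide with any LAN or remote-LAN subnet that the VPN policies already cover.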
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. The recommended settings are:
• SA Lifetime: 3600 seconds
• Authentication Algorithm: SHA-1
• Encryption Algorithm: 3DES
These were the defaults when this manual was written; where both the firewall and the client offer stronger algorithms, use them, keeping the two ends identical.
10. Click Apply. The new record should appear in the VPN Remote Host Mode Config Table (a sample record is shown below).

Figure 5-19

To configure an IKE Policy:
1. From the main menu, select VPN.
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display.
3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the View Selected radio box.) Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by an FQDN.
4. In the General section:
a.
9. If Edge Device was enabled, select the Authentication Type from the pull-down menu which will be used to verify account information: User Database, RADIUS-CHAP or RADIUS-PAP. Users must be added through the User Database screen (see “User Database Configuration” on page 5-22 or “RADIUS Client Configuration” on page 5-23).

Note: If RADIUS-PAP is selected, the router will first check the User Database to see if the user credentials are available.
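The check order stated in the XAUTH notes above is worth making explicit, because it decides whether a wrong password for a locally known user ever reaches the RADIUS server. The following is an added example, not NETGEAR code: it models the three Authentication Type choices, consulting the local User Database first and falling through to RADIUS only for RADIUS-PAP when the account is absent locally. RADIUS is represented by a caller-supplied function so the example runs offline, the salted-hash storage of local passwords is this example's choice (the FVS338 does not document how it stores them), and treating RADIUS-CHAP as RADIUS-only is an assumption, since the manual describes the local-first behaviour only for RADIUS-PAP.

```python
"""Added example (not NETGEAR code): the credential-check order the manual
describes for XAUTH. The local User Database is consulted first, then a RADIUS
server is tried when RADIUS-PAP is configured. RADIUS is represented by a
caller-supplied function so the example runs offline; the password-hashing
scheme and the RADIUS-CHAP handling are assumptions."""
import hashlib
import hmac
import os


class UserDatabase:
    """Local XAUTH users, stored as salted SHA-256 digests rather than clear text."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _digest(salt, password):
        return hashlib.sha256(salt + password.encode()).digest()

    def add(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._digest(salt, password))

    def check(self, username, password):
        """True/False for a known user; None when the account does not exist locally."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        return hmac.compare_digest(stored, self._digest(salt, password))


def xauth_authenticate(auth_type, username, password, local_db, radius=None):
    """Return (accepted, source). auth_type is 'User Database', 'RADIUS-PAP' or 'RADIUS-CHAP'.

    With RADIUS-PAP the local database is checked first and RADIUS is consulted only
    when the account is absent locally, so a locally known user with a wrong password
    is rejected without asking RADIUS. radius(auth_type, username, password) -> bool."""
    if auth_type not in ("User Database", "RADIUS-PAP", "RADIUS-CHAP"):
        raise ValueError(f"unknown authentication type {auth_type!r}")

    if auth_type in ("User Database", "RADIUS-PAP"):
        local = local_db.check(username, password)
        if local is not None:
            return local, "local"
        if auth_type == "User Database":
            return False, "local"          # no fallback configured

    if radius is None:
        return False, "radius-unavailable"
    return bool(radius(auth_type, username, password)), "radius"


def demo_radius(auth_type, username, password):
    """Stand-in for a RADIUS server that knows one constructed account."""
    return username == "salesperson11" and password == "constructed-pw"


if __name__ == "__main__":
    db = UserDatabase()
    db.add("alice", "s3cret")
    print(xauth_authenticate("RADIUS-PAP", "salesperson11", "constructed-pw", db, demo_radius))
```

When RADIUS is reachable only over the WAN, the "radius-unavailable" outcome is the one to monitor: it is a denial, not a fallback to the shared key.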
Configuring the ProSafe VPN Client for ModeConfig

From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.

To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
a. Give the connection a descriptive name such as “modecfg_test” (this name will only be used internally).
b.
b. From the Select Certificate pull-down menu, select None.
c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created; for example “salesperson11.remote_id.com”.
d. From the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0.
Figure 5-23

5. Click on Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).)

Figure 5-24

6. Click the Save icon to save the Security Policy and close the ProSafe VPN Client.
To test the connection:
1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”.
2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” will display and the VPN client icon in the toolbar will read “On”.
3. From the client PC, ping a computer on the VPN firewall LAN.
2. Click Browse to locate the trusted certificate on your computer and then click Upload. The certificate will be stored on the router and will display in the Trusted Certificates table.

Figure 5-25

Self Certificates

Active Self Certificates are certificates issued to you by the various Certificate Authorities (CAs) that are available for presentation to peer IKE servers. Each active self certificate is listed in the Active Self Certificates table.
• Name – Enter a name that will identify this Certificate.
• Subject – This is the name which other organizations will see as the Holder (owner) of the Certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. This information must be submitted in the following format: C=, ST=, L=, O=, OU=, CN=.
Figure 5-26 (Save to file)

To submit your Self Certificate request to a CA:
1. Connect to the web site of the CA.
2. Start the Self Certificate request procedure.
3. When prompted for the requested data, copy the data from your saved data file (including the “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----” lines).
4. Submit the CA form. If no problems ensue, the Certificate will be issued.
When you obtain the certificate from the CA, save it on your computer and upload it to the router: click Browse to locate the certificate file and then click Upload. The certificate will display in the Active Self Certificates table (see Figure 5-25). Certificates are updated by their issuing CA on a regular basis. You should track all of your CAs to ensure that you have the latest version and that your certificate has not been revoked.
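Two steps in the Self Certificate procedure above are where requests usually go wrong: the Subject string must be typed in exactly the C=, ST=, L=, O=, OU=, CN= form, and the request pasted into the CA's form must be the complete PEM block including both marker lines. The following is an added example, not NETGEAR code: a validator for the subject string and an extractor that pulls the complete request out of the saved data file, however much other text surrounds it. Requiring CN and enforcing the stated field order are this example's reading of the manual, and the request body in SAVED_FILE is constructed text, not a real CSR.

```python
"""Added example (not NETGEAR code): two checks for the Self Certificate
workflow. parse_subject() validates the 'C=, ST=, L=, O=, OU=, CN=' string the
router asks for, and extract_csr() pulls the complete PEM request, BEGIN and END
lines included, out of the saved data file. Requiring CN and the field order is
this example's interpretation; the CSR text below is constructed."""
import re

SUBJECT_FIELDS = ("C", "ST", "L", "O", "OU", "CN")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\r?\n"
    r"(?:[A-Za-z0-9+/=]+\r?\n)+"
    r"-----END CERTIFICATE REQUEST-----"
)


def parse_subject(subject):
    """Return the subject as a dict; raise ValueError on unknown, empty, duplicated
    or misordered fields, a missing CN, or a country code that is not two letters."""
    fields = {}
    for part in subject.split(","):
        key, sep, value = part.strip().partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key not in SUBJECT_FIELDS or not value:
            raise ValueError(f"bad subject component {part.strip()!r}")
        if key in fields:
            raise ValueError(f"duplicate subject field {key}")
        fields[key] = value
    if "CN" not in fields:
        raise ValueError("CN is required; IKE peers identify the certificate by it")
    expected = [f for f in SUBJECT_FIELDS if f in fields]
    if list(fields) != expected:
        raise ValueError(f"fields out of order; expected {', '.join(expected)}")
    if "C" in fields and len(fields["C"]) != 2:
        raise ValueError("C must be a two-letter country code")
    return fields


def extract_csr(text):
    """Return the PEM block to submit, or raise if the file has no complete request."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no complete CERTIFICATE REQUEST block found")
    return m.group(0)


# Constructed file contents: a saved request with surrounding text. The base64
# lines are filler for the example and do not decode to a real request.
SAVED_FILE = """Certificate request generated 2006-09-12
-----BEGIN CERTIFICATE REQUEST-----
MIIBCzCBtgIBADBRMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFDASBgNVBAcT
C1NhbnRhIENsYXJhMR8wHQYDVQQDExZ2cG4uZXhhbXBsZS5uZXQuY29tLmF1
-----END CERTIFICATE REQUEST-----
(end of file)
"""

if __name__ == "__main__":
    print(parse_subject("C=US, ST=CA, L=Santa Clara, O=Example Co, OU=IT, CN=vpn.example.net"))
    print(extract_csr(SAVED_FILE))
```

Keep the CN equal to the FQDN the IKE policy uses as the local identifier; a certificate whose CN does not match what the peer expects will be rejected during Phase 1 even though the CA issued it without complaint.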
Chapter 6
Router and Network Management

This chapter describes how to use the network management features of your ProSafe VPN Firewall 50. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The ProSafe VPN Firewall 50 offers many tools for managing the network traffic to optimize its performance.
Service Blocking

You can control specific outbound traffic (for example, from LAN to WAN). Outbound Services lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic.

Warning: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.
See “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-1 for the procedure on how to use this feature.

Services. The Rules menu contains a list of predefined Services for creating firewall rules. If a service does not appear in the predefined Services list, you can define the service. The new service will then appear in the Rules menu's Services list. See “Services-Based Rules” on page 4-2 for the procedure on how to use this feature.
You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs, even in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.
• Web Component Blocking – You can block the following Web component types: Proxy, Java, ActiveX, and Cookies.
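The Block Sites behaviour summarized here, and set up step by step under “Setting Block Sites (Content Filtering)” in Chapter 4, comes down to three rules: a keyword or domain name entry blocks any request whose URL contains it, a Trusted Domain bypasses keyword blocking only on an exact host match, and a disabled filter allows everything. The following is an added example, not NETGEAR code, that applies those rules to constructed URLs; the FVS338's exact matching behaviour is not published, so the substring matching is this example's assumption. Keyword filtering of this kind can only inspect requests it can read, so an HTTPS URL's path is invisible to it; that is a property of the technique, not of the model.

```python
"""Added example (not NETGEAR code): the allow/block decision of the Block
Sites feature. Keywords match anywhere in the requested URL, a Trusted Domain
bypasses keyword blocking only when the host matches exactly, and a disabled
filter allows everything. Keyword lists and URLs are constructed."""
from urllib.parse import urlsplit


class BlockSites:
    def __init__(self, enabled, blocked_keywords, trusted_domains):
        self.enabled = enabled
        # Keywords and blocked domain names are both case-insensitive substring matches.
        self.blocked = [k.lower() for k in blocked_keywords if k.strip()]
        # Trusted domains apply only on an exact host match: "example.com" does not
        # cover "www.example.com".
        self.trusted = {d.lower().rstrip(".") for d in trusted_domains if d.strip()}

    def first_match(self, url):
        """The blocked keyword the URL contains, or None (useful for the log entry)."""
        needle = url.lower()
        for kw in self.blocked:
            if kw in needle:
                return kw
        return None

    def decide(self, url):
        """Return 'allow' or 'block' for one requested URL."""
        if not self.enabled:
            return "allow"                  # default state: all requested traffic allowed
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host in self.trusted:
            return "allow"                  # exact-match bypass of keyword blocking
        if self.first_match(url) is not None:
            return "block"                  # the browser sees the "Blocked by NETGEAR" page
        return "allow"


if __name__ == "__main__":
    f = BlockSites(True, ["casino", "example.net"], ["www.example.com"])
    for u in ("http://www.example.com/casino-night", "http://example.com/casino-night",
              "http://safe.org/search?q=CASINO"):
        print(f.decide(u), u)
```

Note how a bare domain entry such as "example.net" also blocks "notexample.net", and how trusting "www.example.com" does nothing for "example.com"; list every host name users actually visit.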
You can control specific inbound traffic (i.e., from WAN to LAN and from WAN to DMZ). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic.
• Services – You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-17).
• Schedule – You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see “Setting a Schedule to Block or Allow Traffic” on page 4-20).
Using QoS to Shift the Traffic Mix

The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall. The QoS is set individually for each service.
• You can accept the default priority defined by the service itself by not changing its QoS setting.
To modify User or Admin settings:
1. Select Administration from the main menu and Set Password from the submenu. The Set Password screen will display.
2. Select the settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box.
3. Change the password by first entering the old password, and then entering the new password twice.
4. Click Apply to save your settings or Cancel to return to your previous settings.
5.
Note: The password and time-out value you enter will be changed back to “password” and 5 minutes, respectively, after a factory defaults reset.

Enabling Remote Management Access

Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging in to the VPN Firewall” on page 2-1).
a. Specify what external addresses will be allowed to access the firewall’s remote management.
Note: For enhanced security, restrict access to as few external IP addresses as practical.
b. To allow access from any IP address on the Internet, select Everyone.
c. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
d.
Note: If you are using a dynamic DNS service such as TZO, you can always identify the IP address of your FVS338 by running tracert from the Windows Run menu. For example, enter tracert yourFVS338.mynetgear.net and you will see the IP address your ISP assigned to the FVS338.

Using an SNMP Manager

Simple Network Management Protocol (SNMP) lets you monitor and manage your router from an SNMP Manager.
6. Click Edit in the Action column adjacent to the entry to modify or change the selected configuration.

Figure 6-3

The SNMP System Info link displays the VPN firewall identification information available to the SNMP Manager: System Contact, System Location, and System Name.

To modify the SNMP System contact information:
1. Click the SNMP System Info link. The SNMP SysConfiguration screen will display.
2.
• Revert to the factory default settings.
• Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version.

Backup and Restore Settings

To back up and restore settings:
1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display.
2. Click Backup to save a copy of your current settings.
Figure 6-4

Router Upgrade

You can install a different version of the VPN firewall firmware from the Settings Backup & Upgrade screen. To view the current version of the firmware that your VPN firewall is running, select Monitoring from the main menu. The Router Status screen will display all of the VPN firewall router statistics. When you upgrade your firmware, the Firmware Version will change to reflect the new version.
2. Click Browse in the Router Upgrade section.
3. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall router. This may take some time; do not power off or disconnect the router until it has rebooted. At the conclusion of the upgrade, your router will reboot.
If required, you can also enter the address of another NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 field empty, it will be set to the default NETGEAR NTP servers.
5. Click Apply to save your settings or click Cancel to revert to your previous settings.
Figure 6-6 (callouts: Traffic Counter settings; Internet Traffic Statistics; each WAN port is programmed separately; the WAN port shuts down once the traffic limit is reached; an e-mail can be sent)

• Traffic by Protocol – Click this button to display Internet Traffic details. The volume of traffic for each protocol will be displayed in a sub-window.
Figure 6-7

Setting Login Failures and Attacks Notification

Figure 6-8 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log of firewall activities to an e-mail address, or a log of the firewall activities can be viewed, saved to a syslog server, and then sent to an e-mail address. You can view the logs by clicking View Logs.
Figure 6-8 (callouts: View System Logs; select the types of events to e-mail; select the segments to track for System Log events; enable e-mail alerts; Syslog Server enabled)
Monitoring Attached Devices

The Groups and Hosts menu contains a table of all IP devices that the VPN firewall has discovered on the local network. Select Network Configuration from the main menu and LAN Groups from the submenu. The Groups and Hosts screen will display.

Figure 6-9

The network database is an automatically-maintained list of all known PCs and network devices.
Table 6-1. Known PCs and Devices
Item – Description
Name – The name of the PC or device. Sometimes this cannot be determined, and it will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
IP Address – The current IP address. For DHCP clients, where the IP address is allocated by the DHCP Server in this device, this IP address will not change.
Table 6-2. Port Triggering Status Data
Item – Description
Rule – The name of the rule.
LAN IP Address – The IP address of the PC currently using this rule.
Open Ports – The incoming ports which are associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
Time Remaining – The time remaining before this rule is released, and thus available for other PCs.
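Table 6-2 and the Port Triggering procedure in Chapter 4 together describe a small state machine: an outbound connection from a LAN host to a port in the Trigger range opens the Response range back to that host only, the rule is held by that host until its timer runs out, and only then can another PC trigger it. The following is an added example, not NETGEAR code, that models one rule so the behaviour can be checked offline. The port limits are the 1 to 65534 range the Port Triggering screen accepts; the 300-second timeout, the rule name, addresses and ports are constructed, since the manual shows a Time Remaining column but not the timer value.

```python
"""Added example (not NETGEAR code): how a port-triggering rule behaves. An
outbound connection from a LAN host to a port in the Trigger range opens the
Response range back to that host only; while the rule is held, other hosts
cannot trigger it, and it is released when the timer runs out. The timeout
value, rule name, addresses and ports are constructed."""


class PortTriggerRule:
    PORT_MIN, PORT_MAX = 1, 65534            # the range the Port Triggering screen accepts

    def __init__(self, name, protocol, trigger, response, timeout=300):
        for lo, hi in (trigger, response):
            if not (self.PORT_MIN <= lo <= hi <= self.PORT_MAX):
                raise ValueError(f"bad port range {lo}-{hi}")
        if protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        self.name, self.protocol = name, protocol
        self.trigger, self.response = trigger, response      # (start, end), inclusive
        self.timeout = timeout
        self.lan_ip = None                                   # host currently holding the rule
        self.expires = 0.0

    def _held(self, now):
        return self.lan_ip is not None and now < self.expires

    def time_remaining(self, now):
        """Seconds until the rule is released, as the Port Triggering Status screen shows it."""
        return max(0, int(self.expires - now)) if self._held(now) else 0

    def outbound(self, src_ip, protocol, dst_port, now):
        """Called for LAN-to-WAN traffic. Returns True if this packet (re)arms the rule."""
        if protocol != self.protocol or not (self.trigger[0] <= dst_port <= self.trigger[1]):
            return False
        if self._held(now) and self.lan_ip != src_ip:
            return False                                     # another PC owns the rule until it expires
        self.lan_ip, self.expires = src_ip, now + self.timeout
        return True

    def inbound(self, protocol, dst_port, now):
        """Called for WAN-to-LAN traffic. Returns the LAN IP to forward to, or None to drop."""
        if not self._held(now):
            self.lan_ip = None                               # release an expired rule
            return None
        if protocol != self.protocol or not (self.response[0] <= dst_port <= self.response[1]):
            return None
        return self.lan_ip


if __name__ == "__main__":
    rule = PortTriggerRule("game", "UDP", (6000, 6000), (6001, 6010))
    rule.outbound("192.168.1.10", "UDP", 6000, now=0)
    print(rule.inbound("UDP", 6005, now=10), rule.time_remaining(10))
```

Because the response range is opened to whichever host triggered last, two LAN hosts running the same application contend for one rule; the status table's LAN IP Address and Time Remaining columns tell you which one currently holds it.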
Item – Description
System Name – This is the Account Name that you entered in the Basic Settings page.
Firmware Version – This is the current software the router is using. This will change if you upgrade your router.
LAN Port – Displays the current settings for MAC address, IP address, DHCP role and IP Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None.
Figure 6-12

Monitoring VPN Tunnel Connection Status

You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display.

Figure 6-13

Table 6-3. IPSec Connection Status Fields
Item – Description
Policy Name – The name of the VPN policy associated with this SA.
Endpoint – The IP address of the remote VPN endpoint.
Table 6-3. IPSec Connection Status Fields (continued)
Item – Description
Tx (KB) – The amount of data transmitted over this SA.
Tx (Packets) – The number of IP packets transmitted over this SA.
State – The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase.
Action – Use this button to terminate or build the SA (connection) if required.

VPN Logs

The VPN Logs screen gives log details for recent VPN activity.
Figure 6-15

Performing Diagnostics

You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets. Select Monitoring from the main menu and Diagnostics from the submenu. The Diagnostics screen will display.

Note: For normal operation, diagnostics are not required.
Figure 6-16

Table 6-4. Diagnostics Fields

Item                          Description
Ping or Trace an IP address   Ping: used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Table 6-4. Diagnostics Fields (continued)

Item                Description
Reboot the Router   Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally. Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be re-established when possible.
Chapter 7
Troubleshooting

This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 50. After each problem description, instructions are provided to help you diagnose and solve the problem.

Basic Functions

After you turn on power to the firewall, the following sequence of events should occur:

1. When power is first applied, verify that the PWR LED is on.
2. After approximately 10 seconds, verify that:
   a. The TEST LED is not lit.
   b.
LEDs Never Turn Off

When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up:

• Cycle the power to see if the firewall recovers.
• Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.1.1.
• Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to 192.168.0.254.

Note: If your PC’s IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x.
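An added example, not part of the manual: a small Python check that applies the two address tests above before anyone starts swapping cables. It uses the firewall's factory default address 192.168.1.1 stated in this chapter and the 169.254.0.0/16 link-local range that Windows and MacOS self-assign when no DHCP server answers; the PC addresses and the /24 prefix are constructed assumptions.

```python
"""Client-address triage for the 'LAN path' troubleshooting steps.

Added example, not NETGEAR code. The firewall address, prefix length
and PC addresses below are constructed; only 192.168.1.1 (the factory
default named in this manual) and 169.254.0.0/16 (link-local/APIPA)
come from documented values.
"""
import ipaddress

# Block that Windows and MacOS self-assign when DHCP fails.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def diagnose_client_address(pc_ip: str, firewall_ip: str, prefix_len: int = 24) -> str:
    """Classify why a PC may be unable to reach the firewall's LAN address.

    Returns one of:
      'apipa'         PC self-assigned 169.254.x.x: it never got a DHCP lease,
                      so check the LAN link and the firewall's DHCP role first.
      'wrong-subnet'  PC address is outside the firewall's LAN subnet.
      'firewall-ip'   PC is using the firewall's own address (conflict).
      'ok'            Addressing is consistent; look at cables and LEDs next.
    """
    pc = ipaddress.ip_address(pc_ip)
    fw = ipaddress.ip_address(firewall_ip)
    lan = ipaddress.ip_network(f"{firewall_ip}/{prefix_len}", strict=False)
    if pc in APIPA:
        return "apipa"
    if pc not in lan:
        return "wrong-subnet"
    if pc == fw:
        return "firewall-ip"
    return "ok"


def usable_client_range(firewall_ip: str, prefix_len: int = 24):
    """First and last address a client may use on the firewall's subnet,
    excluding the network, broadcast and firewall addresses."""
    fw = ipaddress.ip_address(firewall_ip)
    lan = ipaddress.ip_network(f"{firewall_ip}/{prefix_len}", strict=False)
    hosts = [h for h in lan.hosts() if h != fw]
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    # Constructed sample PCs checked against the default firewall address.
    for pc in ("169.254.12.7", "192.168.0.5", "192.168.1.1", "192.168.1.10"):
        print(pc, "->", diagnose_client_address(pc, "192.168.1.1"))
    print("clients may use", usable_client_range("192.168.1.1"))
```

The APIPA test comes first on purpose: a 169.254.x.x address is also outside the firewall's subnet, but the useful message is that DHCP failed, not that the subnet is wrong.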
Troubleshooting the ISP Connection

If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.

To check the WAN IP address:

1.
– Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Configuring your Internet Connection” on page 2-2.

If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet:

• Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses.
If the path is not functioning correctly, you could have one of the following problems:

• Wrong physical connections
  – Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 7-2.
  – Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
Restoring the Default Configuration and Password

This section explains how to restore the factory default configuration settings, changing the firewall’s administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways:

• Use the Erase function of the firewall (see “Backup and Restore Settings” on page 6-13).
• Use the reset button on the rear panel of the firewall.
Appendix A
Default Settings and Technical Specifications

You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset.

• To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below.
• Pressing the reset button for a shorter period of time will simply cause your device to reboot.
Table A-1.
Table A-2.
Appendix B
Related Documents

This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

Document                                      Link
Internet Networking and TCP/IP Addressing:    http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Communications:                      http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing a Computer for Network Access:      http://documentation.netgear.com/reference/enu/wsdhcp/index.
Index A scheduling 4-20 Add LAN WAN Inbound Service screen 4-9, 4-13 Add LAN WAN Outbound Service screen 4-8 address reservation 3-8 Broadband Status monitoring 6-23 Broadband Traffic Meter screen 6-16 AH VPN Policies, use with 5-7 C antivirus scanning Trend Micro 3-12 CA VPN gateway, use with 5-6 ARP 3-5 CA Certificates about 5-33 Attached Devices monitoring of 6-20 Attack Checks Block TCP Flood 4-10 Respond To Ping On Internet 4-10 Stealth Mode 4-10 Attack Checks screen 4-10, 4-11 Attacks Notif
managing 5-37 Digital 5-33 crossover cable 1-3, 7-2 Digital Certificates 5-33 Customized Services 4-2 service port numbers 4-17 DNS lookup 6-26 DNS Proxy 1-3 Domain Name Blocking 6-3 D date troubleshooting 7-7 Daylight Savings Time setting 6-15 default configuration restoring 7-7 default firewall rules 4-1 Inbound 4-1 Outbound 4-2 domain name blocking.
Trend Micro, use with 3-13 by MAC address Source MAC filtering 4-23 firewall alerts, emailing of 4-27 connecting 2-1, 2-2 features 1-2 logging in to 2-1 rear panel 1-7 security, about 4-1 status 6-22 technical specifications A-1 I firewall access remote management 6-9 IKE/ISAKMP use in IKE Policy 5-5 Firewall Logs configuring 4-28 emailing of 4-27 Inbound Rules 4-2 about 4-4 configuring DHCP 4-4 examples of 4-12 Fields, definition of 4-5 firewall 4-1 Por
IPSec Connection Status Fields, description of 6-24 VPN Tunnel, use with 4-11 IPSec Connection Status screen 5-7, 6-24 IPSec Host authentication 5-22 XAUTH, use with 5-20, 5-22 ISP connection troubleshooting 7-4 K Keyword Blocking 6-3 Content Filtering 4-21 examples of 4-21 Known PCs and Devices 3-6 adding entry 3-7 L L2TP VPN Tunnel 4-11 LAN configuration 3-1 ports and attached devices 6-25 LAN IP address ranges adding aliases 3-4 LAN Security Checks UDP fl
Network Database adding computers 3-6 creating 3-5 Network Time Protocol. See NTP.
common protocol numbers 4-17 rules, covered by 6-2 ToS 4-19 RFC 2453 RIP 3-10 RIP 1-3 about 3-10 enabling 3-11 multicasting guidelines 3-12 RIP Configuration screen 3-11 Services screen 4-18 settings backup 6-12 Simple Network Management Protocol. See SNMP.
setting of 6-15 Time Zone screen 6-15 ToS service levels 4-19 used with QoS 4-19 Traffic features that increase 6-4 management of 6-7 reducing 6-1 Traffic Meter about 6-16 traffic meter programming 2-12 Trend Micro 3-12 Trend Micro integration 1-2 Trend Micro screen 3-12 Troubleshooting 7-1 Date and Time 7-7 ISP connection 7-4 LEDs 7-2 LEDs Never Turn Off 7-2 NTP 7-7 Power LED Not On 7-1 Web configuration 7-2 Trusted Certificates 5-33 about 5-33 Virtual Priva
content filtering 4-21 Web configuration troubleshooting 7-2 Windows NetBios Server IP. See WINS Server IP. WINS Server IP LAN Setup 3-3 with 1-2 X XAUTH 5-13 about 5-20 configuring 5-21 Edge Device 5-20 IPSec Host 5-20 RADIUS-CHAP 5-21 RADIUS-PAP 5-21 User Database 5-21