NETGEAR FVX538 - ProSafe VPN Firewall 200 Router Reference Manual

ProSafe VPN Firewall 200 FVX538 Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134 USA
March 2009
202-10062-09
v1.0


Summary of Contents for NETGEAR FVX538 - ProSafe VPN Firewall 200 Router

  • Page 1 ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 USA March 2009 202-10062-09 v1.0...
  • Page 2 In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
  • Page 4 Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions * are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
  • Page 6 Product and Publication Details Model Number: FVX538 Publication Date: March 2009 Product Family: VPN Firewall Product Name: ProSafe VPN Firewall 200 Home or Business Product: Business Language: English Publication Part Number: 202-10062-09 Publication Version Number 1.0, March 2009...
  • Page 7: Table Of Contents

    Contents About This Manual Conventions, Formats and Scope ................... xv Revision History .......................xvi Chapter 1 Introduction Key Features ........................1-1 Dual WAN Ports for Increased Reliability or Outbound Load Balancing ....1-2 A Powerful, True Firewall with Content Filtering ............1-2 Security Features .....................1-3 Autosensing Ethernet Connections with Auto Uplink ..........1-3 Extensive Protocol Support ..................1-4 Easy Installation and Management ................1-4...
  • Page 8 Chapter 3 LAN Configuration Choosing the Firewall DHCP Options ................3-1 Configuring the LAN Setup Options .................3-2 Configuring Multi Home LAN IPs ................3-5 Managing Groups and Hosts (LAN Groups) ..............3-6 Creating the Network Database ................3-7 Setting Up Address Reservation ................3-9 Configuring and Enabling the DMZ Port ...............3-10 Static Routes ........................3-12...
  • Page 9 Creating a Client to Gateway VPN Tunnel ...............5-6 Use the VPN Wizard Configure the Gateway for a Client Tunnel ......5-7 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection Testing the Connections and Viewing Status Information ..........5-12 NETGEAR VPN Client Status and Log Information ..........5-12...
  • Page 10 Extended Authentication (XAUTH) Configuration ............5-23 Configuring XAUTH for VPN Clients ..............5-24 User Database Configuration .................5-25 RADIUS Client Configuration .................5-27 Assigning IP Addresses to Remote Users (ModeConfig) ..........5-29 Mode Config Operation ..................5-29 Configuring the VPN Firewall .................5-30 Configuring the ProSafe VPN Client for ModeConfig ..........5-33 Chapter 6 Router and Network Management...
  • Page 11 Viewing Port Triggering Status ................6-24 Viewing Router Configuration and System Status ..........6-25 Monitoring WAN Ports Status .................6-26 Monitoring VPN Tunnel Connection Status ............6-27 VPN Logs .......................6-28 DHCP Log ......................6-29 Performing Diagnostics ..................6-29 Chapter 7 Troubleshooting Basic Functions ......................7-1 Power LED Not On ....................7-1...
  • Page 12 Inbound Traffic ....................... B-8 Inbound Traffic to Single WAN Port (Reference Case) ........... B-8 Inbound Traffic to Dual WAN Port Systems ............B-8 Inbound Traffic: Dual WAN Ports for Improved Reliability ........ B-9 Inbound Traffic: Dual WAN Ports for Load Balancing ........
  • Page 13 Appendix E Two Factor Authentication Why do I need Two-Factor Authentication? ..............E-1 What are the benefits of Two-Factor Authentication? ..........E-1 What is Two-Factor Authentication ................. E-2 NETGEAR Two-Factor Authentication Solutions ............E-2 Index...
  • Page 15: About This Manual

    About This Manual The NETGEAR ® ProSafe™ VPN Firewall 200 describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope The conventions, formats, and scope of this manual are described in the following paragraphs.
  • Page 16: Revision History

    For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix D, “Related Documents.” Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVX538.asp. Revision History Version Part Number...
  • Page 17: Introduction

    Support for up to 400 internal LAN users (and 50K connections). • Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.
  • Page 18: Dual Wan Ports For Increased Reliability Or Outbound Load Balancing

    • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). • Easy, web-based setup for installation and management. • Advanced SPI Firewall and Multi-NAT support. • Extensive Protocol Support. • Login capability.
  • Page 19: Security Features

    • Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
  • Page 20: Extensive Protocol Support

    ISP account. • VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 21: Maintenance And Support

    ProSafe VPN Client Software – five user licenses. • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.
  • Page 22: Router Front And Rear Panels

    Router Front and Rear Panels The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. Figure 1-1 Table 1-1 describes each item on the front panel and its operation. Table 1-1.
  • Page 23 Table 1-1. Object Descriptions (continued) 4. LAN: 8-port RJ-45 10/100 Mbps Fast Ethernet Ports Switch, N-way automatic speed negotiation, auto MDI/MDIX. LEDs: Link/Act LED On (Green): The LAN port has detected a link with a connected Ethernet device. Blinking (Green): Data is being transmitted or received by the LAN port.
  • Page 24: Rack Mounting Hardware

    The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection. Figure 1-2 Viewed from left to right, the rear panel contains the following elements: 1.
  • Page 25: The Router's Ip Address, Login Name, And Password

    The Router’s IP Address, Login Name, and Password Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information: • IP Address: to reach the Web-based GUI from the LAN http://192.168.1.1 •...
  • Page 27: Connecting The Fvx538 To The Internet

    Chapter 2 Connecting the FVX538 to the Internet This chapter includes these topics: • “Logging into the VPN Firewall” on page 2-1 • “Configuring the Internet Connections to Your ISPs” on page 2-2 • “Configuring the WAN Mode (Required for Dual WAN)” on page 2-8 •...
  • Page 28: Configuring The Internet Connections To Your Isps

    Configuring the Internet Connections to Your ISPs You should first configure your Internet connections to your ISPs on WAN port 1, and then configure WAN port 2. To automatically configure the WAN ports and connect to the Internet: 1.
  • Page 29 When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table. Table 2-1. Internet connection methods Connection Method Data Required PPPoE Login (Username, Password);...
  • Page 30: Setting The Router's Mac Address

    4. Set up the traffic meter for the WAN 1 ISP if desired. See “Programming the Traffic Meter (if Desired)” on page 2-6. Note: At this point of the configuration process, you are now connected to the Internet through WAN port 1.
  • Page 31 2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected.
  • Page 32: Programming The Traffic Meter (If Desired)

    6. Click Reset to discard any changes and revert to the previous settings. 7. Click Test to try to connect to the NETGEAR Web site. If you connect successfully and your settings work, then you may click Logout or go on and configure additional settings.
  • Page 33 Figure 2-3 2. Click Apply to apply the settings. Click Reset to return to the previous settings. 3. Select the WAN2 Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter for the WAN2 port.
  • Page 34: Configuring The Wan Mode (Required For Dual Wan)

    Table 2-2. Traffic Meter Settings (Parameter: Description) Increase this month's limit: Use this to temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Check the checkbox and enter the desired increase.
  • Page 35: Setting Up Auto-Rollover Mode

    If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
  • Page 36 When the router is configured in Auto-Rollover Mode, the router uses the WAN Failure Detection Method to check the connection of the primary link at regular intervals to detect router status. Link failure is detected in one of the following ways: •...
  • Page 37 Figure 2-4 6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number of queries have failed to elicit a reply. The rollover link is brought up after this.
  • Page 38: Setting Up Load Balancing

    FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port. Note: NETGEAR recommends that all specific traffic (for example, HTTP) be configured for the WAN2 port. The only way to make certain traffic goes out one port and all other traffic goes out the other port is to use WAN2 for specified traffic.
  • Page 39 a. Service – From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules”...
  • Page 40: Configuring Dynamic Dns (If Needed)

    Figure 2-6 3. Modify the parameters for the protocol binding service you selected. 4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table. 5. Click Reset to return to the previously configured settings. Configuring Dynamic DNS (If Needed) Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names.
  • Page 41 IP address will be, and the address can change frequently—hence, the need for a commercial DDNS service, which allows you to register an extension to its domain, and resolves DNS requests for the resulting FQDN to your frequently-changing IP address. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your DDNS service provider, log in to your account, and register your new IP address.
  • Page 42 Figure 2-7 2. Click the tab of the Dynamic DNS Service you want to enable. Each DNS service provider requires registration, and you then configure its parameters on the corresponding tab page. 3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is to the right of the tab pages.
  • Page 43: Configuring The Advanced Wan Options (If Needed)

    For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. 5. Click Apply to save your configuration. 6. Click Reset to return to the previous settings. Configuring the Advanced WAN Options (If Needed) To configure the Advanced WAN options: 1.
  • Page 44 • Port Speed – In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may have to manually select the port speed. AutoSense is the default.
  • Page 45: Lan Configuration

    Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200, including the following sections: • “Choosing the Firewall DHCP Options” on page 3-1 • “Managing Groups and Hosts (LAN Groups)” on page 3-6 •...
  • Page 46: Configuring The Lan Setup Options

    • Primary DNS Server (the firewall’s LAN IP address). • WINS Server (if you entered a WINS server address in the DHCP Setup menu). • Lease Time (date obtained and duration of lease). DHCP Relay options allow you to make the firewall a DHCP relay agent.
  • Page 47 1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1 2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets.) 3.
  • Page 48 b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
  • Page 49: Configuring Multi Home Lan Ips

    The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection.
  • Page 50: Managing Groups And Hosts (Lan Groups)

    • Action: The Edit link allows you to make changes to the selected entry. • Select All: Selects all the entries in the Available Secondary LAN IPs table. • Delete: Deletes selected entries from the Available Secondary LAN IPs table. To add a secondary LAN IP address: 1.
  • Page 51: Creating The Network Database

    Creating the Network Database Some advantages of the Network Database are: • Generally, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the desired PC or device. •...
  • Page 52 Figure 3-3 The Network Database is created by: • Using the DHCP Server: The router’s DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to the Network Database.
  • Page 53: Setting Up Address Reservation

    • MAC Address: The MAC address of the computer’s network interface. • Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment, select the Edit link in the Action column.
  • Page 54: Configuring And Enabling The Dmz Port

    To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see “Creating the Network Database” on page 3-7). Note: The reserved address will not be assigned until the next time the PC contacts the firewall's DHCP server.
  • Page 55 Figure 3-4 4. If desired, Enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router’s DMZ network. Note: If you enable the DNS Relay feature, you will not use the FVX538 as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
  • Page 56: Static Routes

    6. Click Apply to save your settings. The DMZ LED next to LAN port 8 (see “Router Front and Rear Panels” on page 1-6) will light up, indicating that the DMZ port has been enabled. If another device on your DMZ network will be the DHCP server, or if you will manually configure all devices, leave the Disable option (default) checked.
  • Page 57 Figure 3-5 4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address of the host or network to which the route leads. 7.
  • Page 58: Routing Information Protocol (Rip)

    Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network.
  • Page 59 Figure 3-6 3. From the RIP Version pull-down menu, select the version: • RIP-1 – A classful routing protocol that does not include subnet information. This is the most commonly supported version. • RIP-2 – Supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format: •...
  • Page 60: Static Route Example

    6. Click Save to save your settings. Static Route Example For example, you may require a static route if: • Your primary Internet access is through a cable modem to an ISP. • You have an ISDN firewall on your home network for connecting to the company where you are employed.
  • Page 61: Firewall Protection And Content Filtering

    Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to protect your network. This chapter includes the following sections: • “About Firewall Protection and Content Filtering” on page 4-1 •...
  • Page 62: Using Rules To Block Or Allow Specific Kinds Of Traffic

    intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT. Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through from one side to the other.
  • Page 63: Outbound Rules (Service Blocking)

    • Customized Services – Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services”...
  • Page 64 Table 4-2. Outbound Rules (continued) LAN users: These settings determine which computers on your network are affected by this rule. Select the desired options: • Any – All PCs and devices on your LAN. •...
  • Page 65 Table 4-2. Outbound Rules (continued) QoS Priority: The priority assigned to IP packets of this service. The priorities are defined by “Type of Service (TOS) in the Internet Protocol Suite” standards, RFC 1349. The router marks the Type Of Service (TOS) field as defined below: •...
  • Page 66: Inbound Rules (Port Forwarding)

    Table 4-2. Outbound Rules (continued) Bandwidth Profile: Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing/incoming traffic, thus preventing the LAN users from consuming all the bandwidth of your Internet link.
  • Page 67 • Local PCs must access the local server using the PCs’ local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail. Note: See “Port Triggering” on page 4-35 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.
  • Page 68 Table 4-3. Inbound Rules (continued) Bandwidth Profile: Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing/incoming traffic, thus preventing the LAN users from consuming all the bandwidth of your Internet link.
  • Page 69: Order Of Precedence For Rules

    Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1: Figure 4-1 For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom.
  • Page 70 2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply. Figure 4-2 To make changes to an existing outbound or inbound service rule: 1. In the Action column adjacent to the rule click: •...
  • Page 71: Lan Wan Outbound Services Rules

    LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 72: Lan Wan Inbound Services Rules

    LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall.
  • Page 73 out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to block all outbound traffic and enable only specific services to pass through the router by adding an Outbound Services Rule. Figure 4-5...
  • Page 74: Setting Lan Dmz Rules

    To change the Default Outbound Policy: 1. Select Security from the main menu, Firewall Rules from the submenu and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display. 2.
  • Page 75: Lan Dmz Outbound Services Rules

    To make changes to an existing outbound or inbound LAN DMZ service rule: 1. In the Action column adjacent to the rule click: • Edit – to make any changes to the rule definition. The Outbound Service screen will display containing the data for the selected rule “Outbound Rules (Service Blocking)”...
  • Page 76: Lan Dmz Inbound Services Rules

    2. Complete the Outbound Service screen, and save the data (see “Outbound Rules (Service Blocking)” on page 4-3). 3. Click Reset to cancel your settings and return to the previous settings. 4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
  • Page 77 • LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port and (3) reply with an ICMP Destination Unreachable packet.
  • Page 78: Session Limit

    Figure 4-8 Session Limit Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the router. This feature is enabled on the Session Limit screen and shown below in Figure 4-9.
  • Page 79 To enable Session Limit: 1. Click the Yes radio button under Do you want to enable Session Limit? 2. From the User Limit Parameter drop-down list, define the maximum number of sessions per IP either as a percentage of maximum sessions or as an absolute number.
  • Page 80: Inbound Rules Examples

    Inbound Rules Examples LAN WAN Inbound Rule: Hosting A Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.
  • Page 81: Lan Wan Or Dmz Wan Inbound Rule: Setting Up One-To-One Nat Mapping

    Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers. The following addressing scheme is used to illustrate this procedure: • Netgear FVX538 ProSafe VPN Firewall – WAN1 IP address: 10.1.0.118 –...
  • Page 82 4. From the Service pull-down menu, select the HTTP service for a Web server. Figure 4-12 5. From the Action pull-down menu, select Allow Always. 6. In the Send to LAN Server field, enter the local IP address of your Web server PC. 7.
  • Page 83: Lan Wan Or Dmz Wan Inbound Rule: Specifying An Exposed Host

    1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 84: Outbound Rules Example

    ProSafe VPN Firewall 200 FVX538 Reference Manual 1. Select Any and Allow Always (or Allow by Schedule) 2. Place rule below all other inbound rules Figure 4-14 Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites.
  • Page 85: Lan Wan Outbound Rule: Blocking Instant Messenger

    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN WAN Outbound Rule: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
  • Page 86 ProSafe VPN Firewall 200 FVX538 Reference Manual To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups of newsgroups.
  • Page 87: Setting Quality Of Service (Qos) Priorities

    3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP or ICMP. 4. Enter the first TCP or UDP port of the range that the service uses. If the service uses only one port, then the Start Port and the Finish Port will be the same.
  • Page 88: Setting A Schedule To Block Or Allow Specific Traffic

    • Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2. •...
  • Page 89: Setting Block Sites (Content Filtering)

    Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message. Several types of blocking are available: •...
  • Page 90 • If you wish to block all Internet browsing access, enter the keyword “.”. To enable Content Filtering: 1. Select Security from the main menu and Block Sites from the sub-menu. The Block Sites screen will display.
  • Page 91: Enabling Source Mac Filtering

    Figure 4-18 Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed.
  • Page 92 • When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table. Figure 4-19 Note: For additional ways of restricting outbound traffic, see “Outbound Rules (Service Blocking)”...
  • Page 93: Ip/Mac Binding

    6. Click Apply to save your settings. To remove an entry from the table, select the MAC address entry and click Delete. To select all the MAC addresses in the list, click Select All. A checkmark will appear in the box to the left of each MAC address in the Available MAC Addresses to be Blocked table. IP/MAC Binding IP/MAC Binding allows you to bind an IP address to a MAC address and vice versa.
  • Page 94 Figure 4-20 3. Add an IP/MAC Bind rule by entering: a. Name: Specify an easily identifiable name for this rule. b. MAC Address: Specify the MAC Address for this rule. c. IP Addresses: Specify the IP Address for this rule. d.
  • Page 95: Port Triggering

    To remove an entry from the table, select the IP/MAC Bind entry and click Delete. Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application.
  • Page 96 Figure 4-21 3. From the Protocol pull-down menu, select either the TCP or UDP protocol. 4. In the Outgoing (Trigger) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 5.
  • Page 97: Bandwidth Limiting

    6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
  • Page 98 For example, when a new connection is established by a device, the device will locate the firewall rule corresponding to the connection. • If the rule has a bandwidth profile specification, then the device will create a bandwidth class in the kernel.
  • Page 99: E-Mail Notifications Of Event Logs And Alerts

    • Name: Displays the user-defined name for this bandwidth profile. • Bandwidth Range: Displays the range for the bandwidth profile. • Type: Displays the type of bandwidth profile. • Direction: Displays the direction of the bandwidth profile. •...
  • Page 100 You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-25 on page 4-42).
  • Page 101 3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select: Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection. 4. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
  • Page 102 11. Click Apply to save your settings. To view the Firewall logs: 1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display. 2. If the E-mail Logs option has been enabled, you can send a copy of the log by clicking Send Log.
  • Page 103: Administrator Tips

    Table 4-4. Firewall Log Field Descriptions (continued). Source port and interface: The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ. Destination: The name or IP address of the destination device or Web site. Destination port and interface: The service port number of the destination device, and whether it’s on the LAN, ...
  • Page 105: Virtual Private Networking

    Chapter 5 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the VPN firewall. This chapter includes the following sections: • “Considerations for Dual WAN Port Systems” on page 5-1 • “Using the VPN Wizard for Client and Gateway Configurations” on page 5-3 •...
  • Page 106 The diagrams and table below show how the WAN mode selection relates to VPN configuration. (Diagram: WAN Auto-Rollover: FQDN Required for VPN, showing the firewall WAN 1 Port and WAN 2 Port, the WAN Port Rollover Control, the Internet, and the rest of the firewall)...
  • Page 107: Using The Vpn Wizard For Client And Gateway Configurations

    Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: •...
  • Page 108 1. Select VPN > IPsec VPN > VPN Wizard to display the VPN Wizard tab page. To view the wizard default settings, click the VPN Default values link. You can modify these settings after completing the wizard. •...
  • Page 109 8. Click Apply to save your settings: the VPN Policies page shows the policy is now enabled. Figure 5-5 9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured.
  • Page 110: Creating A Client To Gateway Vpn Tunnel

    After both firewalls are configured, go to VPN > IPsec VPN > Connection Status to display the status of your VPN connections. Figure 5-6 The tunnel will automatically establish when both the local and target gateway policies are appropriately configured and enabled. Note: When using FQDN, if the dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the...
  • Page 111: Use The Vpn Wizard To Configure The Gateway For A Client Tunnel

    Use the VPN Wizard to Configure the Gateway for a Client Tunnel 1. From the main menu, go to VPN > IPSec VPN > VPN Wizard. The VPN Wizard displays. • VPN Client connection •...
  • Page 112: Use The Netgear Vpn Client Security Policy Editor To Create A Secure Connection

    Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR Prosafe VPN Client installed, configure a VPN client policy to connect to the FVX538. Follow these steps to configure your VPN client.
  • Page 113 2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1.
  • Page 114 3. In the left frame, click My Identity. Fill in the options according to the instructions below. Figure 5-12 • From the Select Certificate pull-down menu, choose None. • Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using r3m0+eC1ient.
  • Page 115 4. Verify the Security Policy settings; no changes are needed. Figure 5-13 • On the left, click Security Policy to view the settings: no changes are needed. • On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed.
  • Page 116: Testing The Connections And Viewing Status Information

    Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the FVX538 provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 117 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-16 •...
  • Page 118: Fvx538 Vpn Connection Status And Logs

    The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2. System Tray Icon Status The client policy is deactivated. The client policy is deactivated but not connected. The client policy is activated and connected.
  • Page 119: Vpn Tunnel Policies

    To view FVX538 VPN logs, go to Monitoring > VPNLogs. Figure 5-19 VPN Tunnel Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Policy Tables.
  • Page 120: Ike Policy Table

    2. If the VPN Policy is a “Manual” policy, then the Manual Policy Parameters defined in the VPN Policy are accessed and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway.
  • Page 121: Vpn Policy

    To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix D, “Related Documents” for a link to the NETGEAR website. VPN Policy You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
  • Page 122: Vpn Policy Table

    VPN Policy Table Only one Client Policy may be configured at a time (noted by an “*” next to the policy name). The Policy Table contains the following fields: • ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To Enable or Disable a Policy, check the radio box adjacent to the circle and click Enable or Disable, as required.
  • Page 123: Certificate Authorities

    Certificate Authorities Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). Digital Certificates are used by this router during the IKE (Internet Key Exchange) authentication phase as an alternative authentication method. Self Certificates are issued to you by various CAs (Certification Authorities).
  • Page 124: Generating A Self Certificate Request

    • CA Identity (Subject Name). The organization or person to whom the certificate is issued. • Issuer Name. The name of the CA that issued the certificate. • Expiry Time. The date after which the certificate becomes invalid. The Active Self Certificates table shows the Certificates issued to you by the various CAs (Certification Authorities), and available for use.
  • Page 125 – Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also impact performance.) 3. Complete the Optional fields, if desired, with the following information: Figure 5-20 • IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
  • Page 126: Uploading A Trusted Certificate

    6. Copy the contents of the Data to supply to CA text box into a file, including all of the data contained in “----BEGIN CERTIFICATE REQUEST---” and “---END CERTIFICATE REQUEST---”. Click Done. You will return to the Certificate screen and your Request details will be displayed in the Self Certificates Requests table showing a Status of “Waiting for Certificate upload”...
  • Page 127: Extended Authentication (Xauth) Configuration

    • CA Identity – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. • Next Update – The date when the next CRL will be released. To upload a Certificate Identity to the CRL: 1.
  • Page 128: Configuring Xauth For Vpn Clients

    • IPSec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway. Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials.
  • Page 129: User Database Configuration

    – RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see “RADIUS Client Configuration”...
  • Page 130 3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4. Click Add. The User Name will be added to the Configured Users table. Figure 5-23
  • Page 131: Radius Client Configuration

    To edit the user name or password: 1. Click Edit opposite the user’s name. The Edit User screen will display. 2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings.
  • Page 132 Figure 5-24 3. Enter the Primary RADIUS Server IP address. 4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
  • Page 133: Assigning Ip Addresses To Remote Users (Modeconfig)

    – LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Mode Config Operation After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The Mode...
  • Page 134: Configuring The Vpn Firewall

    Configuring the VPN Firewall Two menus must be configured: the Mode Config menu and the IKE Policies menu. To configure the Mode Config menu: 1. From the main menu, select VPN, and then select Mode Config from the submenu. The Mode Config screen will display.
  • Page 135 Figure 5-25 To configure an IKE Policy: 1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies Table. 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. 3.
  • Page 136 4. In the General section: a. Enter a descriptive name in the Policy Name field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration. b.
  • Page 137: Configuring The Prosafe Vpn Client For Modeconfig

    Figure 5-26 Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
  • Page 138 b. From the ID Type pull-down menu, select IP Subnet. c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway). d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu.
  • Page 139 d. From the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0. Note: If no box is displayed for Internal Network IP Address, go to Options/Global Policy Settings, and check the box for “Allow to Specify Internal Network Address.”...
  • Page 140 Figure 5-29 5. Click on Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).)
  • Page 141 To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”. 2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” will display and the VPN client icon in the toolbar will read “On”.
  • Page 143: Router And Network Management

    Chapter 6 Router and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 200. This chapter includes the following sections: • “Performance Management” on page 6-1 • “Administration” on page 6-8 • “Monitoring the Router”...
  • Page 144: Vpn Firewall Features That Reduce Traffic

    Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall. But there is no backup in case one of the WAN ports fails. In such an event and with one exception, the traffic that would have been sent on the failed WAN port gets diverted to the WAN port that is still working, thus increasing its loading.
  • Page 145 – Groups: The rule is applied to a Group (see “Managing Groups and Hosts (LAN Groups)” on page 3-6 to assign PCs to a Group using the Network Database). • WAN Users – These settings determine which Internet locations are covered by the rule, based on their IP address.
  • Page 146: Block Sites

    Schedule. If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e., schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule.
  • Page 147: Vpn Firewall Features That Increase Traffic

    VPN Firewall Features That Increase Traffic Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • DMZ port • Exposed hosts • VPN tunnels Port Forwarding The firewall always blocks DoS (Denial of Service) attacks.
  • Page 148: Port Triggering

    • Enable DNS Proxy – Enable this to allow incoming DNS queries. • Enable Stealth Mode – Enable this to set the firewall to operate in stealth mode. As you define your firewall rules, you can further refine their application according to the following criteria: •...
  • Page 149: Dmz Port

    • The remote system receives the PC's request and responds using the different port numbers that you have now opened. • This Router matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response.
  • Page 150: Tools For Traffic Management

    Changing Passwords and Settings The default password for the firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. You can also configure a separate password for guests.
  • Page 151 1. Select Users from the main menu and Local Authentication from the submenu. Figure 6-1 2. Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box.
  • Page 152: Radius Server External Authentication

    Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset. RADIUS Server External Authentication For authentication to RADIUS or WIKID, you can define the authentication type. Figure 6-2 When a user logs in, the VPN firewall will validate with the appropriate RADIUS or WIKID server that the user is authorized to log in.
  • Page 153: Enabling Remote Management Access

    When specifying RADIUS domain authentication, you are presented with several authentication protocol choices, as summarized in the following table: Table 6-1. Authentication Protocol / Description. Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
  • Page 154 Figure 6-3 To configure your firewall for Remote Management: 1. Select Administration from the main menu and Remote Management from the submenu. The Remote Management screen will display. 2. Check the Allow Remote Management radio box. 3.
  • Page 155 Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port.
  • Page 156: Using A Snmp Manager

    • To allow access from any IP address on the Internet, select Everyone. • To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. •...
  • Page 157: Settings Backup And Firmware Upgrade

    5. Click Add to create the new configuration. The entry will display in the SNMP Configuration table. 6. Click Edit in the Action column adjacent to the entry to modify or change the selected configuration.
  • Page 158: Backup And Restore Settings

    To restore settings from a backup file: 1. Click Browse. Locate and select the previously saved backup file (by default, netgear.cfg). 2. When you have located the file, click Restore.
  • Page 159: Router Upgrade

    To download a firmware version: 1. Go to the NETGEAR Web site at http://www.netgear.com/support and click on Downloads. 2. From the Product Selection pull-down menu, select your product. Select the software version and follow the To Install steps to download your software.
  • Page 160 Warning: Once you click Upload do NOT interrupt the router!
  • Page 161: Setting The Time Zone

    3. Select an NTP Server option by checking one of the following radio boxes: • Use Default NTP Servers: If this is enabled, then the RTC (Real-Time Clock) is updated regularly by contacting a Default Netgear NTP Server on the Internet.
  • Page 162: Monitoring The Router

    Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the Default Netgear NTP servers. 4. Click Apply to save your settings or click Cancel to revert to your previous settings.
  • Page 163 • Internet Traffic Statistics – Displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available. • Traffic by Protocol – Click this button to display Internet Traffic details. The volume of traffic for each protocol will be displayed in a sub-window.
  • Page 164: Setting Login Failures And Attacks Notification

    Figure 6-8 Setting Login Failures and Attacks Notification Figure 6-9 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log of firewall activities to an email address or a log of the firewall activities can be viewed, saved to a Syslog server, and then sent to an e-mail address.
  • Page 165 Figure 6-9 (screen callouts): View System Logs; Select the types of events to email; Select the segments to track for System Log events; Enable email alerts; Syslog Server enabled.
  • Page 166: Viewing Port Triggering Status

    Viewing Port Triggering Status You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu. When the Port Triggering screen displays, click the Status link. Figure 6-10 Table 6-2.
  • Page 167: Viewing Router Configuration And System Status

    Viewing Router Configuration and System Status The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display. Figure 6-11 Table 6-3.
  • Page 168: Monitoring Wan Ports Status

    Table 6-3. Router Status Fields. WAN1 Configuration: Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also displays if: • NAT is Enabled or Disabled. •...
  • Page 169: Monitoring Vpn Tunnel Connection Status

    Figure 6-12 Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display. Figure 6-13 Table 6-4.
  • Page 170: Vpn Logs

    Table 6-4. VPN Status data. Tx (KB): The amount of data transmitted over this SA. Tx (Packets): The number of IP packets transmitted over this SA. State: The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase.
  • Page 171: Dhcp Log

    DHCP Log You can view the DHCP log from the LAN Setup screen. Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link.
  • Page 172 “Back” on the Windows menu bar to return to the Diagnostics screen. Perform a DNS Lookup: A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 173 Table 6-5. Diagnostics (continued). Display the Routing Table: This operation will display the internal routing table. This information is used, most often, by Technical Support. Reboot the Router: Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally.
  • Page 175: Troubleshooting

    Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200. This chapter includes the following sections: • “Basic Functions” on page 7-1 • “Troubleshooting the Web Configuration Interface” on page 7-2 • “Troubleshooting the ISP Connection” on page 7-4 •...
  • Page 176: Leds Never Turn Off

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support. LEDs Never Turn Off When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off.
  • Page 177 • Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to 192.168.0.254.
  • Page 178: Troubleshooting The Isp Connection

    Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the firewall’s configuration at http://192.168.1.1. 3. Under the Monitoring menu, select Router Status. 4.
  • Page 179: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    – Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page 2-4. If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: •...
  • Page 180: Testing The Path From Your Pc To A Remote Device

    • Wrong physical connections – Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 7-2. – Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
  • Page 181: Restoring the Default Configuration and Password

    Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the firewall’s administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways: •...
  • Page 182 ProSafe VPN Firewall 200 FVX538 Reference Manual Troubleshooting v1.0, March 2009...
  • Page 183: Default Settings and Technical Specifications

    Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly).
  • Page 184 Table A-1. VPN firewall Default Configuration Settings (continued). Feature: Default Behavior. Time Zone: (not shown); Time Zone Adjusted for Daylight Saving Time: Disabled; SNMP: Disabled; Remote Management: Disabled; Firewall Inbound (communications coming in from the Internet): Disabled (except traffic on port 80, the http port); Outbound (communications going out to the Internet): Enabled (all)
  • Page 185 Table A-2. VPN firewall Technical Specifications (continued). Feature: Specifications. Environmental Specifications: operating temperature 0º to 40º C (32º to 104º F); operating humidity 90% maximum relative humidity, noncondensing. Electromagnetic Emissions: meets requirements of FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B...
  • Page 187: Network Planning for Dual WAN Ports

    Appendix B Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. What You Will Need to Do Before You Begin The ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of the choices available to you, you need to think through the following items before you begin: 1.
  • Page 188 a. Have active Internet services such as that provided by cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information. • In this document, the WAN side of the network is presumed to be provisioned as shown in Figure B-1 with two ISPs connected to the VPN firewall through separate...
  • Page 189: Cabling and Computer Hardware Requirements

    FVX538, you must use a Java-enabled Web browser program that supports HTTP uploads such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends using Internet Explorer or Netscape Navigator 4.0 or above. Free browser programs are readily available for Windows, Macintosh, or UNIX/Linux.
  • Page 190 • You may also refer to the FVX538 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below.
  • Page 191: Internet Connection Information Form

    Internet Connection Information Form Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP.
  • Page 192: Overview of the Planning Process

    Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports include: • Inbound traffic (e.g., port forwarding, port triggering, DMZ port) • Virtual private networks (VPNs) The two WAN ports can be configured on a mutually-exclusive basis to either: •...
  • Page 193: The Roll-over Case for Firewalls With Dual WAN Ports

    The Roll-over Case for Firewalls With Dual WAN Ports Rollover for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time and when it rolls over, the IP address of the active WAN port always changes.
  • Page 194: Inbound Traffic

    Inbound Traffic Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu.
  • Page 195: Inbound Traffic: Dual WAN Ports for Improved Reliability

    Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover, the WAN’s IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (i.e., WAN1 or WAN2).
  • Page 196: Virtual Private Networks (VPNs)

    Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table B-2.
  • Page 197: VPN Road Warrior (Client-to-Gateway)

    Figure B-7 • Load Balancing Case for Dual Gateway WAN Ports Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
  • Page 198: VPN Road Warrior: Single Gateway WAN Port (Reference Case)

    VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder.
  • Page 199: VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing

    The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
  • Page 200: VPN Gateway-to-Gateway

    Figure B-12 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
  • Page 201: VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability

    Figure B-13 The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
  • Page 202 The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
  • Page 203: VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing

    VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to manage the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance.
  • Page 204: VPN Telecommuter: Single Gateway WAN Port (Reference Case)

    VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance.
  • Page 205 The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
  • Page 206: VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing

    VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance.
  • Page 207: System Logs and Error Messages

    Appendix C System Logs and Error Messages This appendix uses the following log parameter terms. Table C-1. Log Parameter Terms. Term: Description. [FVX538]: system identifier. [kernel]: message from the kernel. CODE: protocol code (e.g., protocol is ICMP, type 8); CODE=0 means successful reply. DEST: destination IP address of the machine to which the packet is destined.
  • Page 208: Reboot

    Table C-4. System Logs: NTP Message Nov 28 12:31:13 [FVX538] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [FVX538] [ntpdate] Requesting time from time-f.netgear.com Nov 28 12:31:14 [FVX538] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec Nov 28 12:31:14 [FVX538] [ntpdate] Synchronized time with time-f.netgear.com...
  • Page 209: Login/Logout

    Table C-4. System Logs: NTP (continued) Explanation Message1: DNS resolution for the NTP server (time-f.netgear.com). Message2: request for NTP update from the time server. Message3: adjust time by resetting the system time. Message4: display date and time before synchronization, that is, when resynchronization started. Message5: display the new updated date and time.
  • Page 210: IPsec Restart

    IPSec Restart This logging is always done. Table C-7. System Logs: IPSec Restart Message Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted Explanation Log generated when the IPSEC is restarted. This log is logged when IPSEC restarts after applying any changes in the configuration.
  • Page 211: Auto Rollover

    Auto Rollover When the WAN mode is configured for Auto Rollover, the primary link is active and secondary acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up.
  • Page 212: PPP Logs

    PPP Logs This section describes the WAN PPP connection logs. The PPP type can be configured from the web management. PPPoE Idle-Timeout Logs. Table C-9. System Logs: WAN Status, PPE, PPPoE Idle-Timeout Message Nov 29 13:12:46 [FVX538] [pppd] Starting connection Nov 29 13:12:49 [FVX538] [pppd] Remote message: Success Nov 29 13:12:49 [FVX538] [pppd] PAP authentication succeeded...
  • Page 213: Web Filtering and Content Filtering Logs

    PPTP Idle-Timeout Logs. Table C-10. System Logs: WAN Status, PPE, PPTP Idle-Timeout Message Nov 29 11:19:02 [FVX538] [pppd] Starting connection Nov 29 11:19:05 [FVX538] [pppd] CHAP authentication succeeded Nov 29 11:19:05 [FVX538] [pppd] local IP address 192.168.200.214 Nov 29 11:19:05 [FVX538] [pppd] remote IP address 192.168.200.1 Nov 29 11:19:05 [FVX538] [pppd] primary DNS address 202.153.32.2 Nov 29 11:19:05 [FVX538] [pppd] secondary DNS address 202.153.32.2...
  • Page 214 Table C-12. System Logs: Web Filtering and Content Filtering Message Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80 Explanation • This packet is blocked by keyword blocking •...
  • Page 215: Traffic Metering Logs

    Traffic Metering Logs Table C-13. System Logs: Traffic Metering Message Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._ Explanation The traffic limit for WAN1, set as 10Mb, has been reached. This stops all incoming and outgoing traffic if that action is configured under “When Limit is reached”...
  • Page 216: FTP Logging

    Table C-16. System Logs: Multicast/Broadcast (continued) Explanation • This packet (Broadcast) is destined to the device from the WAN network. • For other parameters, refer to Table C-1. Recommended Action None FTP Logging Table C-17.
  • Page 217 Table C-18. System Logs: Invalid Packets (continued) Explanation Invalid RST packet Recommended Action 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw/rules/attackChecks/configure dropInvalid 1 To allow invalid packet and disable logging: fw/rules/attackChecks/configure dropInvalid 0 Message...
  • Page 218 Table C-18. System Logs: Invalid Packets (continued) Recommended Action 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw/rules/attackChecks/configure dropInvalid 1 To allow invalid packet and disable logging: fw/rules/attackChecks/configure dropInvalid 0 Message [INVALID][MALFORMED_PACKET][DROP] SRC=192.168.20.10...
  • Page 219: Routing Logs

    Table C-18. System Logs: Invalid Packets (continued) Message 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899 Explanation Packet not in TCP window Recommended Action 1. Invalid packets are dropped. 2.
  • Page 220: LAN to DMZ Logs

    LAN to DMZ Logs Table C-20. Routing Logs: LAN to DMZ Message Nov 29 09:44:06 [FVX538] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from LAN to DMZ has been allowed by the firewall. •...
  • Page 221: WAN to DMZ Logs

    WAN to DMZ Logs Table C-24. Routing Logs: WAN to DMZ Message Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from WAN to DMZ has been allowed by the firewall. •...
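    The Appendix C tables above (Table C-1 log terms, the content-filtering, invalid-packet, IPsec-restart and routing logs) share one message layout: a timestamp, the [FVX538] system identifier, a facility tag, optional classification tags or a CHAIN[ACTION] marker, and KEY=VALUE fields. The parser and triage pass below are an added example, not NETGEAR's code; the sample lines are constructed from the formats shown in those tables, and the bucket names in the summary are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample lines (not from the manual) modelled on the Appendix C message formats.
SAMPLE_LOG = """\
Nov 29 09:44:06 [FVX538] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted
"""

# "Mon DD hh:mm:ss" with an optional leading year; both forms appear in Appendix C.
TS_RE = re.compile(r"^(?:\d{4}\s+)?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(.*)$")
TAG_RE = re.compile(r"\[([^\[\]]+)\]")              # [kernel] [INVALID] [DROP] ...
CHAIN_RE = re.compile(r"\b(\w+2\w+)\[([A-Z]+)\]")   # LAN2DMZ[ACCEPT], WAN2DMZ[ACCEPT] ...
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")          # IN= OUT= SRC= DST= PROTO= SPT= DPT= ...
URL_RE = re.compile(r"\[URL\]==>\[\s*(\S+)\s*\]")   # [URL]==>[ host/path ] in keyword-block logs

@dataclass
class LogEvent:
    facility: str                                  # kernel, wand, pppd, ntpdate ...
    tags: list = field(default_factory=list)       # INVALID, OUT_OF_WINDOW, KEYWORD_BLOCKED ...
    chain: Optional[str] = None                    # LAN2DMZ, WAN2DMZ ... (routing logs only)
    action: Optional[str] = None                   # ACCEPT or DROP
    fields: dict = field(default_factory=dict)     # SRC, DST, PROTO, SPT, DPT, TYPE, CODE ...
    url: Optional[str] = None                      # blocked URL from content-filtering logs

def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one FVX538 syslog line; returns None when the timestamp prefix is missing."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    rest, url = m.group(1), None
    um = URL_RE.search(rest)
    if um:                                         # lift the URL out before tag parsing
        url = um.group(1)
        rest = rest[:um.start()] + rest[um.end():]
    tags = [t.strip() for t in TAG_RE.findall(rest) if t.strip() != "FVX538"]
    ev = LogEvent(facility=tags[0] if tags else "", tags=tags[1:], url=url)
    cm = CHAIN_RE.search(rest)
    if cm:
        ev.chain, ev.action = cm.group(1), cm.group(2)
        ev.tags = [t for t in ev.tags if t != ev.action]
    elif "DROP" in ev.tags:
        ev.action = "DROP"
    ev.fields = dict(FIELD_RE.findall(rest))
    return ev

def triage(log_text: str) -> dict:
    """Bucket events a defender reviews first: drops, invalid packets, filter hits, IPsec restarts."""
    out = {"accepted": 0, "dropped": [], "invalid": [], "content_filtered": [], "ipsec_restart": 0}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst = ev.fields.get("SRC"), ev.fields.get("DST")
        if ev.action == "ACCEPT":
            out["accepted"] += 1
        elif ev.action == "DROP":
            out["dropped"].append((src, dst, ev.fields.get("PROTO")))
        if "INVALID" in ev.tags:                   # reason tag sits between INVALID and DROP
            reason = ",".join(t for t in ev.tags if t not in ("INVALID", "DROP"))
            out["invalid"].append((src, dst, reason))
        if "KEYWORD_BLOCKED" in ev.tags:
            out["content_filtered"].append((src, ev.url))
        if ev.facility == "wand" and "IPSEC" in ev.tags:   # follows a configuration change
            out["ipsec_restart"] += 1
    return out
```

    Running triage(SAMPLE_LOG) separates the two accepted routing events from the OUT_OF_WINDOW drop, the keyword-blocked URL and the IPsec restart, which is the split an operator wants when reviewing the Table C-18 drops next to the dropInvalid setting.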
  • Page 223: Appendix D Related Documents

    Appendix D Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document Link Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...
  • Page 225: Two Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. As part of the new maintenance firmware release,...
  • Page 226: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented 2 Two-Factor Authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to do Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
  • Page 227 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual The WiKID solution is based on a request-response architecture where a one-time passcode (OTP), that is time synchronized with the authentication server, is generated and sent to the user once the validity of a user credential has been confirmed by the server.
  • Page 228 2. A one-time passcode (something they have) is generated for this user. Figure E-2 Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time.
  • Page 229 Two-Factor Authentication is a new and easy way to enhance networking security products without having to replace the existing hardware. To obtain and try the new Two-Factor Authentication solution on your products, visit NETGEAR Support website at http://kbserver.netgear.com. Two Factor Authentication...
  • Page 230 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Two Factor Authentication v1.3, March 2009...
  • Page 231: Index

    Index use with DDNS 2-15 Using WAN port 2-10 access remote management 6-11 Active Self Certificates 5-19 Back up settings 6-16 Add DMZ WAN Outbound Services screen 4-14 backup and restore settings 6-16 Add LAN DMZ Inbound Service screen 4-16 bandwidth capacity 6-1 Add LAN DMZ Outbound Service screen 4-15 LAN side 6-1...
  • Page 232 Content Filtering 4-1 DHCP IP Address pool 3-1 about 4-29 DHCP log Block Sites 4-29 monitoring 6-29 enabling 4-30 DHCP server firewall protection, about 4-1 about 3-1 content filtering 1-2, 4-1 diagnostics crossover cable 1-3, 7-2 DNS lookup 6-29 Customized Service packet capture 6-29...
  • Page 233 Domain Name Servers. See DNS. DHCP Address Pool 3-4 Ethernet, Auto Uplink 1-3 about protection 1-2 Event Logs Dual WAN emailing of 4-39 configuration of 2-8 Extended Authentication. See XAUTH. Dual WAN Port inbound traffic B-8 load balancing, inbound traffic B-9 factory default login 1-9...
  • Page 234 manual configuration 2-4 Internet service hardware requirements B-3 connection types 2-3 Hosting A Local Public Web Server Internet Service Provider. See ISP. example of 4-20 Internet Traffic Statistics 6-21 hosts, managing 3-6 IP Address router default 3-3 IP addresses IGP 3-14...
  • Page 235 LAN DMZ Outbound Services MAC address 7-6 adding rule 4-15 configuring 2-3, 2-4 format of 2-18 LAN DMZ Rules 4-14 spoofing 7-5 LAN DMZ Rules screen 4-14 MAC addresses LAN DMZ service rule blocked, adding 4-32 modifying 4-15 Maximum Failover 2-11...
  • Page 236 troubleshooting 7-7 Inbound Rules 4-2, 4-6 increasing traffic 6-5 NTP Servers rules, about 4-6 custom 6-20 default 6-19 port forwarding 6-5 NTP servers Port Mode 2-10 setting 6-19 port numbers 4-25 Port Speed 2-18 Port Triggering about 4-35 Oray.net 2-14...
  • Page 237: Routing Logs

    RADIUS Router Status screen 6-25 WiKID 6-11 Router Upgrade RADIUS Server about 6-17 configuring 5-27 Router’s MAC Address 2-18 RADIUS-CHAP 5-23, 5-25 Routing Information Protocol 1-4 AUTH, using with 5-24 Routing Information Protocol. See RIP. RADIUS-PAP 5-23 Routing log messages C-13 XAUTH, using with 5-24...
  • Page 238 Settings Backup & Upgrade screen 6-15 System log messages C-1 Settings Backup and Firmware Upgrade 6-16 Simple Network Management Protocol. See SNMP. Single WAN Port TCP/IP inbound traffic B-8 network, troubleshooting 7-5 sniffer 7-3 Test Period 2-10 SNMP Time...
  • Page 239 two-factor authentication VPN Tunnel addresses WiKID 6-11 Dual WAN Port systems 5-2 TZO.com 2-14 VPN Tunnel Connection monitoring status 6-27 VPN Tunnels increasing traffic 6-7 UDP flood 4-17 L2TP 4-17 Use Default Address 2-4 VPN tunnels IPsec 4-17 User Database 5-24...
  • Page 240 manual setup 2-4 WAN1 ISP Settings screen 2-2 WAN1 Protocol Bindings 2-12 WAN1 Protocol Bindings screen 2-13 WAN1 Traffic Meter 2-6 WAN2 ISP settings 2-4 WAN2 ISP Settings manual setup 2-6 WAN2 Protocol Bindings 2-13 WAN2 Protocol Bindings screen.