Vpn firewall 200 with 8-port 10/100 and 1 gigabit lan and dual wan port switch (2 pages)
Summary of Contents for NETGEAR FVX538 - ProSafe VPN Firewall 200 Router
ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 USA March 2009 202-10062-09 v1.0...
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
Product and Publication Details Model Number: FVX538 Publication Date: March 2009 Product Family: VPN Firewall Product Name: ProSafe VPN Firewall 200 Home or Business Product: Business Language: English Publication Part Number: 202-10062-09 Publication Version Number: 1.0, March 2009...
Contents About This Manual Conventions, Formats and Scope ................... xv Revision History .......................xvi Chapter 1 Introduction Key Features ........................1-1 Dual WAN Ports for Increased Reliability or Outbound Load Balancing ....1-2 A Powerful, True Firewall with Content Filtering ............1-2 Security Features .....................1-3 Autosensing Ethernet Connections with Auto Uplink ..........1-3 Extensive Protocol Support ..................1-4 Easy Installation and Management ................1-4...
ProSafe VPN Firewall 200 FVX538 Reference Manual Chapter 3 LAN Configuration Choosing the Firewall DHCP Options ................3-1 Configuring the LAN Setup Options .................3-2 Configuring Multi Home LAN IPs ................3-5 Managing Groups and Hosts (LAN Groups) ..............3-6 Creating the Network Database ................3-7 Setting Up Address Reservation ................3-9 Configuring and Enabling the DMZ Port ...............3-10 Static Routes ........................3-12...
Creating a Client to Gateway VPN Tunnel ...............5-6 Use the VPN Wizard Configure the Gateway for a Client Tunnel ......5-7 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection Testing the Connections and Viewing Status Information ..........5-12 NETGEAR VPN Client Status and Log Information ..........5-12...
Extended Authentication (XAUTH) Configuration ............5-23 Configuring XAUTH for VPN Clients ..............5-24 User Database Configuration .................5-25 RADIUS Client Configuration .................5-27 Assigning IP Addresses to Remote Users (ModeConfig) ..........5-29 Mode Config Operation ..................5-29 Configuring the VPN Firewall .................5-30 Configuring the ProSafe VPN Client for ModeConfig ..........5-33 Chapter 6 Router and Network Management...
Viewing Port Triggering Status ................6-24 Viewing Router Configuration and System Status ..........6-25 Monitoring WAN Ports Status .................6-26 Monitoring VPN Tunnel Connection Status ............6-27 VPN Logs .......................6-28 DHCP Log ......................6-29 Performing Diagnostics ..................6-29 Chapter 7 Troubleshooting Basic Functions ......................7-1 Power LED Not On ....................7-1...
Inbound Traffic ....................... B-8 Inbound Traffic to Single WAN Port (Reference Case) ........... B-8 Inbound Traffic to Dual WAN Port Systems ............B-8 Inbound Traffic: Dual WAN Ports for Improved Reliability ........ B-9 Inbound Traffic: Dual WAN Ports for Load Balancing ........
Appendix E Two Factor Authentication Why do I need Two-Factor Authentication? ..............E-1 What are the benefits of Two-Factor Authentication? ..........E-1 What is Two-Factor Authentication ................. E-2 NETGEAR Two-Factor Authentication Solutions ............E-2 Index Contents xiii v1.0, March 2009...
About This Manual This manual describes how to install, configure, and troubleshoot the NETGEAR® ProSafe™ VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope The conventions, formats, and scope of this manual are described in the following paragraphs.
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix D, “Related Documents.” Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVX538.asp. Revision History Version Part Number...
Support for up to 400 internal LAN users (and 50K connections). • Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.
• Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
ISP account. • VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
ProSafe VPN Client Software – five user licenses. • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. Introduction...
Router Front and Rear Panels The ProSafe VPN Firewall 200 front panel (Figure 1-1) contains the port connections, status LEDs, and the factory defaults reset button. Table 1-1 describes each item on the front panel and its operation.
Table 1-1. Object Descriptions (continued). 4. 8-port RJ-45 10/100 Mbps Fast Ethernet LAN Ports – N-way automatic speed negotiation, auto MDI/MDIX. Switch LEDs, Link/Act LED: On (Green) – The LAN port has detected a link with a connected Ethernet device. Blinking (Green) – Data is being transmitted or received by the LAN port.
The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection. Viewed from left to right, the rear panel contains the following elements: 1.
The Router’s IP Address, Login Name, and Password Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information: • IP Address: to reach the Web-based GUI from the LAN http://192.168.1.1 •...
Chapter 2 Connecting the FVX538 to the Internet This chapter includes these topics: • “Logging into the VPN Firewall” on page 2-1 • “Configuring the Internet Connections to Your ISPs” on page 2-2 • “Configuring the WAN Mode (Required for Dual WAN)” on page 2-8 •...
Configuring the Internet Connections to Your ISPs You should first configure your Internet connections to your ISPs on WAN port 1, and then configure WAN port 2 second. To automatically configure the WAN ports and connect to the Internet: 1.
When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table. Table 2-1. Internet connection methods Connection Method Data Required PPPoE Login (Username, Password);...
4. Set up the traffic meter for WAN 1 ISP if desired. See “Programming the Traffic Meter (if Desired)” on page 2-6. Note: At this point of the configuration process, you are now connected to the Internet through WAN port 1.
2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected.
6. Click Reset to discard any changes and revert to the previous settings. 7. Click Test to try and connect to the NETGEAR Web site. If you connect successfully and your settings work, then you may click Logout or go on and configure additional settings.
Figure 2-3 2. Click Apply to apply the settings. Click Reset to return to the previous settings. 3. Select the WAN2 Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter for the WAN2 port.
Table 2-2. Traffic Meter Settings. Increase this month's limit – Use this to temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Check the checkbox and enter the desired increase.
If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
When the router is configured in Auto-Rollover Mode, the router uses the WAN Failure Detection Method to check the connection of the primary link at regular intervals to detect router status. Link failure is detected in one of the following ways: •...
Figure 2-4 6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number of queries have failed to elicit a reply. The rollover link is brought up after this.
FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port. Note: NETGEAR recommends that all specific traffic (for example, HTTP) be configured for the WAN2 port. The only way to make certain traffic goes out one port and all other traffic goes out the other port is to use WAN2 for specified traffic.
a. Service – From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules”...
Figure 2-6 3. Modify the parameters for the protocol binding service you selected. 4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table. 5. Click Reset to return to the previously configured settings. Configuring Dynamic DNS (If Needed) Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names.
IP address will be, and the address can change frequently—hence, the need for a commercial DDNS service, which allows you to register an extension to its domain, and resolves DNS requests for the resulting FQDN to your frequently-changing IP address. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your DDNS service provider, log in to your account, and register your new IP address.
Figure 2-7 2. Click the tab of the Dynamic DNS Service you want to enable. Each DNS service provider requires registration and you then configure its parameters on the corresponding tab page. 3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is to the right of the tab pages.
For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. 5. Click Apply to save your configuration. 6. Click Reset to return to the previous settings. Configuring the Advanced WAN Options (If Needed) To configure the Advanced WAN options: 1.
• Port Speed – In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may have to manually select the port speed. AutoSense is the default.
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200, including the following sections: • “Choosing the Firewall DHCP Options” on page 3-1 • “Managing Groups and Hosts (LAN Groups)” on page 3-6 •...
• Primary DNS Server (the firewall’s LAN IP address). • WINS Server (if you entered a WINS server address in the DHCP Setup menu). • Lease Time (date obtained and duration of lease). DHCP Relay options allow you to make the firewall a DHCP relay agent.
1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1 2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets.) 3.
b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection.
• Action: The Edit link allows you to make changes to the selected entry. • Select All: Selects all the entries in the Available Secondary LAN IPs table. • Delete: Deletes selected entries from the Available Secondary LAN IPs table. To add a secondary LAN IP address: 1.
Creating the Network Database Some advantages of the Network Database are: • Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the desired PC or device. •...
Figure 3-3 The Network Database is created by: • Using the DHCP Server: The router’s DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to the Network Database.
• MAC Address: The MAC address of the computer’s network interface. • Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment, select the Edit link in the Action column.
To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see “Creating the Network Database” on page 3-7). Note: The reserved address will not be assigned until the next time the PC contacts the firewall's DHCP server.
Figure 3-4 4. If desired, enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router’s DMZ network. Note: If you enable the DHCP Relay feature, you will not use the FVX538 as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
6. Click Apply to save your settings. The DMZ LED next to LAN port 8 (see “Router Front and Rear Panels” on page 1-6) will light up indicating that the DMZ port has been enabled. If another device on your DMZ network will be the DHCP server, or if you will manually configure all devices, leave the Disable option (default) checked.
Figure 3-5 4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address of the host or network to which the route leads. 7.
Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network.
Figure 3-6 3. From the RIP Version pull-down menu, select the version: • RIP-1 – A classful routing protocol that does not include subnet information. This is the most commonly supported version. • RIP-2 – Supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format: •...
6. Click Save to save your settings. Static Route Example For example, you may require a static route if: • Your primary Internet access is through a cable modem to an ISP. • You have an ISDN firewall on your home network for connecting to the company where you are employed.
Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to protect your network. This chapter includes the following sections: • “About Firewall Protection and Content Filtering” on page 4-1 •...
intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT. Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through from one side to the other.
• Customized Services – Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services”...
Table 4-2. Outbound Rules (continued) Item Description LAN users These settings determine which computers on your network are affected by this rule. Select the desired options: • Any – All PCs and devices on your LAN. •...
Table 4-2. Outbound Rules (continued) Item Description QoS Priority The priority assigned to IP packets of this service. The priorities are defined by “Type of Service (TOS) in the Internet Protocol Suite” standards, RFC 1349. The router marks the Type Of Service (TOS) field as defined below: •...
Table 4-2. Outbound Rules (continued) Item Description Bandwidth Profile Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing/incoming traffic, thus preventing the LAN users from consuming all the bandwidth of your Internet link.
• Local PCs must access the local server using the PCs’ local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail. Note: See “Port Triggering” on page 4-35 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.
Table 4-3. Inbound Rules (continued) Item Description Bandwidth Profile Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing/incoming traffic, thus preventing the LAN users from consuming all the bandwidth of your Internet link.
Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1: Figure 4-1 For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom.
2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply. Figure 4-2 To make changes to an existing outbound or inbound service rule: 1. In the Action column adjacent to the rule click: •...
LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall.
out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to block all outbound traffic and enable only specific services to pass through the router by adding an Outbound services Rule. Figure 4-5
To change the Default Outbound Policy: 1. Select Security from the main menu, Firewall Rules from the submenu and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display. 2.
To make changes to an existing outbound or inbound LAN DMZ service rule: 1. In the Action column adjacent to the rule click: • Edit – to make any changes to the rule definition. The Outbound Service screen will display containing the data for the selected rule “Outbound Rules (Service Blocking)”...
2. Complete the Outbound Service screen, and save the data (see “Outbound Rules (Service Blocking)” on page 4-3). 3. Click Reset to cancel your settings and return to the previous settings. 4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
• LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port and (3) reply with an ICMP Destination Unreachable packet.
Figure 4-8 Session Limit Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the router. This feature is enabled on the Session Limit screen and shown below in Figure 4-9.
To enable Session Limit: 1. Click the Yes radio button under Do you want to enable Session Limit? 2. From the User Limit Parameter drop-down list, define the maximum number of sessions per IP either as a percentage of maximum sessions or as an absolute.
Inbound Rules Examples LAN WAN Inbound Rule: Hosting A Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.
Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers. The following addressing scheme is used to illustrate this procedure: • Netgear FVX538 ProSafe VPN Firewall – WAN1 IP address: 10.1.0.118 –...
4. From the Service pull-down menu, select the HTTP service for a Web server. Figure 4-12 5. From the Action pull-down menu, select Allow Always. 6. In the Send to LAN Server field, enter the local IP address of your Web server PC. 7.
1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
1. Select Any and Allow Always (or Allow by Schedule) 2. Place rule below all other inbound rules Figure 4-14 Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites.
LAN WAN Outbound Rule: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups.
3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP or ICMP. 4. Enter the first TCP or UDP port of the range that the service uses. If the service uses only one port, then the Start Port and the Finish Port will be the same.
• Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2. •...
Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message. Several types of blocking are available: •...
• If you wish to block all Internet browsing access, enter the keyword “.”. To enable Content Filtering: 1. Select Security from the main menu and Block Sites from the sub-menu. The Block Sites screen will display.
Figure 4-18 Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed.
• When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table. Figure 4-19 Note: For additional ways of restricting outbound traffic, see “Outbound Rules (Service Blocking)”...
6. Click Apply to save your settings. To remove an entry from the table, select the MAC address entry and click Delete. To select all the list of MAC addresses, click Select All. A checkmark will appear in the box to the left of each MAC address in the Available MAC Addresses to be Blocked table. IP/MAC Binding IP/MAC Binding allows you to bind an IP address to a MAC address and vice-versa.
Figure 4-20 3. Add an IP/MAC Bind rule by entering: a. Name: Specify an easily identifiable name for this rule. b. MAC Address: Specify the MAC Address for this rule. c. IP Addresses: Specify the IP Address for this rule. d.
To remove an entry from the table, select the IP/MAC Bind entry and click Delete. Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the Application.
Figure 4-21 3. From the Protocol pull-down menu, select either the TCP or UDP protocol. 4. In the Outgoing (Trigger) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 5.
6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
Page 98
ProSafe VPN Firewall 200 FVX538 Reference Manual For example, when a new connection is established by a device, the device will locate the firewall rule corresponding to the connection. • If the rule has a bandwidth profile specification, then the device will create a bandwidth class in the kernel.
ProSafe VPN Firewall 200 FVX538 Reference Manual • Name: Displays the user-defined name for this bandwidth profile. • Bandwidth Range: Displays the range for the bandwidth profile. • Type: Displays the type of bandwidth profile. • Direction: Displays the direction of the bandwidth profile. •...
Page 100
ProSafe VPN Firewall 200 FVX538 Reference Manual You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-25 on page 4-42).
Page 101
ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select: Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection. 4. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
Page 102
ProSafe VPN Firewall 200 FVX538 Reference Manual 11. Click Apply to save your settings. To view the Firewall logs: 1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display. 2. If the E-mail Logs options as been enabled, you can send a copy of the log by clicking send log.
ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-4. Firewall Log Field Descriptions (continued) Field Description Source port and The service port number of the initiating device, and whether it originated from the interface LAN, WAN or DMZ. Destination The name or IP address of the destination device or Web site. Destination port and The service port number of the destination device, and whether it’s on the LAN, interface...
Page 104
ProSafe VPN Firewall 200 FVX538 Reference Manual 4-44 Firewall Protection and Content Filtering v1.0, March 2009...
Chapter 5 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the VPN firewall. This chapter includes the following sections: • “Considerations for Dual WAN Port Systems” on page 5-1 • “Using the VPN Wizard for Client and Gateway Configurations” on page 5-3 •...
The diagrams and table below show how the WAN mode selection relates to VPN configuration. Diagram: WAN Auto-Rollover: FQDN Required for VPN Firewall (WAN 1 Port, WAN 2 Port, Rollover Control, Rest of Firewall, Internet)...
Using the VPN Wizard for Client and Gateway Configurations: You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: •...
1. Select VPN > IPsec VPN > VPN Wizard to display the VPN Wizard tab page. To view the wizard default settings, click the VPN Default values link. You can modify these settings after completing the wizard. •...
8. Click Apply to save your settings: the VPN Policies page shows the policy is now enabled. Figure 5-5 9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured.
After both firewalls are configured, go to VPN > IPsec VPN > Connection Status to display the status of your VPN connections. Figure 5-6 The tunnel will automatically establish when both the local and target gateway policies are appropriately configured and enabled. Note: When using FQDN, if the dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the...
Use the VPN Wizard to Configure the Gateway for a Client Tunnel: 1. From the main menu, go to VPN > IPSec VPN > VPN Wizard. The VPN Wizard displays. • VPN Client connection •...
Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR Prosafe VPN Client installed, configure a VPN client policy to connect to the FVX538. Follow these steps to configure your VPN client.
2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1.
3. In the left frame, click My Identity. Fill in the options according to the instructions below. Figure 5-12 • From the Select Certificate pull-down menu, choose None. • Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using r3m0+eC1ient.
4. Verify the Security Policy settings; no changes are needed. Figure 5-13 • On the left, click Security Policy to view the settings: no changes are needed. • On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed.
Testing the Connections and Viewing Status Information: Both the NETGEAR VPN Client and the FVX538 provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
2. To view more detailed status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-16 •...
The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2. System Tray Icon Status • The client policy is deactivated. • The client policy is deactivated but not connected. • The client policy is activated and connected.
To view FVX538 VPN logs, go to Monitoring > VPN Logs. Figure 5-19 VPN Tunnel Policies: When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Policy Tables.
2. If the VPN Policy is a “Manual” policy, then the Manual Policy Parameters defined in the VPN Policy are accessed and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway.
To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix D, “Related Documents” for a link to the NETGEAR website. VPN Policy You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
VPN Policy Table: Only one Client Policy may be configured at a time (noted by an “*” next to the policy name). The Policy Table contains the following fields: • ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To Enable or Disable a Policy, check the radio box adjacent to the circle and click Enable or Disable, as required.
Certificate Authorities: Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). Digital Certificates are used by this router during the IKE (Internet Key Exchange) authentication phase as an alternative authentication method. Self Certificates are issued to you by various CAs (Certification Authorities).
• CA Identity (Subject Name). The organization or person to whom the certificate is issued. • Issuer Name. The name of the CA that issued the certificate. • Expiry Time. The date after which the certificate becomes invalid. The Active Self Certificates table shows the Certificates issued to you by the various CAs (Certification Authorities), and available for use.
– Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also impact performance.) 3. Complete the Optional fields, if desired, with the following information: Figure 5-20 • IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
6. Copy the contents of the Data to supply to CA text box into a file, including all of the data contained in “----BEGIN CERTIFICATE REQUEST---” and “---END CERTIFICATE REQUEST---”. Click Done. You will return to the Certificate screen and your Request details will be displayed in the Self Certificates Requests table showing a Status of “Waiting for Certificate upload”...
• CA Identity – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. • Next Update – The date when the next CRL will be released. To upload a Certificate Identity to the CRL: 1.
• IPSec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway. Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials.
– RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see “RADIUS Client Configuration”...
3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4. Click Add. The User Name will be added to the Configured Users table. Figure 5-23
To edit the user name or password: 1. Click Edit opposite the user’s name. The Edit User screen will display. 2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings.
Figure 5-24 3. Enter the Primary RADIUS Server IP address. 4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
– LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2
Mode Config Operation: After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The Mode...
Configuring the VPN Firewall: Two menus must be configured: the Mode Config menu and the IKE Policies menu. To configure the Mode Config menu: 1. From the main menu, select VPN, and then select Mode Config from the submenu. The Mode Config screen will display.
Figure 5-25 To configure an IKE Policy: 1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies Table. 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. 3.
4. In the General section: a. Enter a descriptive name in the Policy Name Field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration. b.
Figure 5-26 Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
b. From the ID Type pull-down menu, select IP Subnet. c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway). d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu.
d. From the Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0. Note: If no box is displayed for Internal Network IP Address, go to Options/ Global Policy Settings, and check the box for “Allow to Specify Internal Network Address.”...
Figure 5-29 5. Click on Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).)
To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”. 2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” will display and the VPN client icon in the toolbar will read “On”.
Chapter 6 Router and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 200. This chapter includes the following sections: • “Performance Management” on page 6-1 • “Administration” on page 6-8 • “Monitoring the Router”...
Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall. But there is no backup in case one of the WAN ports fails. In such an event and with one exception, the traffic that would have been sent on the failed WAN port gets diverted to the WAN port that is still working, thus increasing its loading.
– Groups: The rule is applied to a Group (see “Managing Groups and Hosts (LAN Groups)” on page 3-6 to assign PCs to a Group using Network Database). • WAN Users – These settings determine which Internet locations are covered by the rule, based on their IP address.
Schedule. If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e., schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule.
VPN Firewall Features That Increase Traffic: Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • DMZ port • Exposed hosts • VPN tunnels
Port Forwarding: The firewall always blocks DoS (Denial of Service) attacks.
• Enable DNS Proxy – Enable this to allow incoming DNS queries. • Enable Stealth Mode – Enable this to set the firewall to operate in stealth mode. As you define your firewall rules, you can further refine their application according to the following criteria: •...
• The remote system receives the PC’s request and responds using the different port numbers that you have now opened. • This Router matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response.
Changing Passwords and Settings: The default password for the firewall’s Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. You can also configure a separate password for guests.
1. Select Users from the main menu and Local Authentication from the submenu. Figure 6-1 2. Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box.
Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset.
RADIUS Server External Authentication: For authentication to RADIUS or WIKID, you can define the authentication type. Figure 6-2 When a user logs in, the VPN firewall will validate with the appropriate RADIUS or WIKID server that the user is authorized to log in.
When specifying RADIUS domain authentication, you are presented with several authentication protocol choices, as summarized in the following table: Table 6-1. Authentication Protocol / Description • Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
Figure 6-3 To configure your firewall for Remote Management: 1. Select Administration from the main menu and Remote Management from the submenu. The Remote Management screen will display. 2. Check the Allow Remote Management radio box. 3.
Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port.
• To allow access from any IP address on the Internet, select Everyone. • To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. •...
5. Click Add to create the new configuration. The entry will display in the SNMP Configuration table. 6. Click Edit in the Action column adjacent to the entry to modify or change the selected configuration.
To restore settings from a backup file: 1. Click Browse. Locate and select the previously saved backup file (by default, netgear.cfg). 2. When you have located the file, click restore.
To download a firmware version: 1. Go to the NETGEAR Web site at http://www.netgear.com/support and click on Downloads. 2. From the Product Selection pull-down menu, select your product. Select the software version and follow the To Install steps to download your software.
Warning: Once you click Upload do NOT interrupt the router!
3. Select a NTP Server option by checking one of the following radio boxes: • Use Default NTP Servers: If this is enabled, then the RTC (Real-Time Clock) is updated regularly by contacting a Default Netgear NTP Server on the Internet.
Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the Default Netgear NTP servers. 4. Click Apply to save your settings or click Cancel to revert to your previous settings.
• Internet Traffic Statistics – Displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available. • Traffic by Protocol – Click this button to display Internet Traffic details. The volume of traffic for each protocol will be displayed in a sub-window.
Figure 6-8 Setting Login Failures and Attacks Notification: Figure 6-9 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log of firewall activities to an e-mail address, or a log of the firewall activities can be viewed, saved to a Syslog server, and then sent to an e-mail address.
Figure 6-9 (callouts: View System Logs; Select the types of events to e-mail; Select the segments to track for System Log events; Enable e-mail alerts; Syslog Server enabled)
Viewing Port Triggering Status: You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu. When the Port Triggering screen displays, click the Status link. Figure 6-10 Table 6-2.
Viewing Router Configuration and System Status: The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display. Figure 6-11 Table 6-3.
Table 6-3. Router Status Fields • WAN1 Configuration: Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also displays if: • NAT is Enabled or Disabled. •...
Figure 6-12 Monitoring VPN Tunnel Connection Status: You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display. Figure 6-13 Table 6-4.
Table 6-4. VPN Status data • Tx (KB): The amount of data transmitted over this SA. • Tx (Packets): The number of IP packets transmitted over this SA. • State: The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase.
DHCP Log: You can view the DHCP log from the LAN Setup screen. Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link.
“Back” on the Windows menu bar to return to the Diagnostics screen. • Perform a DNS Lookup: A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
Table 6-5. Diagnostics (continued) • Display the Routing Table: This operation will display the internal routing table. This information is used, most often, by Technical Support. • Reboot the Router: Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally.
Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200. This chapter includes the following sections: • “Basic Functions” on page 7-1 • “Troubleshooting the Web Configuration Interface” on page 7-2 • “Troubleshooting the ISP Connection” on page 7-4 •...
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support. LEDs Never Turn Off: When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off.
• Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to 192.168.0.254.
Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the firewall’s configuration at http://192.168.1.1. 3. Under the Monitoring menu, select Router Status. 4.
– Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page 2-4. If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: •...
• Wrong physical connections – Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 7-2. – Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
Restoring the Default Configuration and Password: This section explains how to restore the factory default configuration settings, changing the firewall’s administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways: •...
Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly).
Table A-1. VPN firewall Default Configuration Settings (continued) • Time Zone • Time Zone Adjusted for Daylight Saving Time: Disabled • SNMP: Disabled • Remote Management: Disabled • Firewall Inbound (communications coming in from the Internet): Disabled (except traffic on port 80, the http port) • Outbound (communications going out to ...): Enabled (all)
Table A-2. VPN firewall Technical Specifications (continued) • Environmental Specifications: Operating temperature: 0 to 40º C (32º to 104º F); Operating humidity: 90% maximum relative humidity, noncondensing • Electromagnetic Emissions: Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B...
Appendix B Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. What You Will Need to Do Before You Begin The ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of the choices available to you, you need to think through the following items before you begin: 1.
a. Have active Internet services such as that provided by cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information. • In this document, the WAN side of the network is presumed to be provisioned as shown in Figure B-1 with two ISPs connected to the VPN firewall through separate...
FVX538, you must use a Java-enabled Web browser program that supports HTTP uploads such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends using Internet Explorer or Netscape Navigator 4.0 or above. Free browser programs are readily available for Windows, Macintosh, or UNIX/Linux.
• You may also refer to the FVX538 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below.
ProSafe VPN Firewall 200 FVX538 Reference Manual Internet Connection Information Form Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP.
ProSafe VPN Firewall 200 FVX538 Reference Manual Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports include: • Inbound traffic (e.g., port forwarding, port triggering, DMZ port) • Virtual private networks (VPNs) The two WAN ports can be configured on a mutually-exclusive basis to either: •...
ProSafe VPN Firewall 200 FVX538 Reference Manual The Roll-over Case for Firewalls With Dual WAN Ports Rollover for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time and when it rolls over, the IP address of the active WAN port always changes.
ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu.
ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover, the WAN’s IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (i.e., WAN1 or WAN2).
ProSafe VPN Firewall 200 FVX538 Reference Manual Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table B-2.
ProSafe VPN Firewall 200 FVX538 Reference Manual Figure B-7 • Load Balancing Case for Dual Gateway WAN Ports Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder.
ProSafe VPN Firewall 200 FVX538 Reference Manual The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
ProSafe VPN Firewall 200 FVX538 Reference Manual Figure B-12 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
Figure B-13
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing
In the case of dual WAN ports on the gateway VPN firewall, the IP addresses of the WAN ports are known in advance, so either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to manage the loads of the gateway WAN ports.
VPN Telecommuter: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance.
Appendix C System Logs and Error Messages
This appendix uses the following log parameter terms.
Table C-1. Log Parameter Terms
Term  Description
[FVX538]  System identifier
[kernel]  Message from the kernel.
CODE  Protocol code (e.g., protocol is ICMP, type 8) and CODE=0 means successful reply.
DEST  Destination IP Address of the machine to which the packet is destined.
Table C-4. System Logs: NTP
Message
Nov 28 12:31:13 [FVX538] [ntpdate] Looking Up time-f.netgear.com
Nov 28 12:31:13 [FVX538] [ntpdate] Requesting time from time-f.netgear.com
Nov 28 12:31:14 [FVX538] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec
Nov 28 12:31:14 [FVX538] [ntpdate] Synchronized time with time-f.netgear.com...
Table C-4. System Logs: NTP (continued)
Explanation
Message 1: DNS resolution for the NTP server (time-f.netgear.com).
Message 2: Request for an NTP update from the time server.
Message 3: Adjust the time by resetting the system time.
Message 4: Display the date and time before synchronization, that is, when resynchronization started.
Message 5: Display the new, updated date and time.
IPSec Restart
This logging is always done.
Table C-7. System Logs: IPSec Restart
Message
Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted
Explanation
Log generated when IPSec is restarted. This log is written when IPSec restarts after any change to the configuration is applied.
Auto Rollover
When the WAN mode is configured for Auto Rollover, the primary link is active and the secondary link acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up.
PPP Logs
This section describes the WAN PPP connection logs. The PPP type can be configured from the web management interface.
PPPoE Idle-Timeout Logs.
Table C-9. System Logs: WAN Status, PPE, PPPoE Idle-Timeout
Message
Nov 29 13:12:46 [FVX538] [pppd] Starting connection
Nov 29 13:12:49 [FVX538] [pppd] Remote message: Success
Nov 29 13:12:49 [FVX538] [pppd] PAP authentication succeeded...
Traffic Metering Logs
Table C-13. System Logs: Traffic Metering
Message
Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._
Explanation
The traffic limit for WAN1, which was set to 10Mb, has been reached. This stops all incoming and outgoing traffic if so configured under "When Limit is reached"...
Table C-16. System Logs: Multicast/Broadcast (continued)
Explanation
• This packet (Broadcast) is destined to the device from the WAN network.
• For other parameters, refer to Table C-1.
Recommended Action
None
FTP Logging
Table C-17.
Table C-18. System Logs: Invalid Packets (continued)
Explanation
Invalid RST packet
Recommended Action
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
Message...
Table C-18. System Logs: Invalid Packets (continued)
Recommended Action
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
Message
[INVALID][MALFORMED_PACKET][DROP] SRC=192.168.20.10...
LAN to DMZ Logs
Table C-20. Routing Logs: LAN to DMZ
Message
Nov 29 09:44:06 [FVX538] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation
• This packet from LAN to DMZ has been allowed by the firewall.
•...
WAN to DMZ Logs
Table C-24. Routing Logs: WAN to DMZ
Message
Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Explanation
• This packet from WAN to DMZ has been allowed by the firewall.
•...
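As an added example that is not part of the NETGEAR manual, the following Python parser reads the routing-log format of Tables C-20 to C-24 (ZONE2ZONE[ACTION] followed by the KEY=VALUE terms of Table C-1) and the invalid-packet format of Table C-18, so that a defender can count firewall decisions per zone path and pull out dropped invalid packets when the logs are forwarded to a syslog collector. The sample log is constructed: the routing and IPSEC lines are the ones printed in the tables above, while the fields after the [INVALID][MALFORMED_PACKET][DROP] prefix are assumed.

```python
import re
from collections import Counter

# Constructed sample log. The two routing lines are those shown in Tables C-20
# and C-24 and the IPSEC line is from Table C-7; the invalid-packet line follows
# the prefix shown in Table C-18, with the fields after it assumed.
SAMPLE_LOG = """\
Nov 29 09:44:06 [FVX538] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:50:12 [FVX538] [kernel] [INVALID][MALFORMED_PACKET][DROP] SRC=192.168.20.10 DST=192.168.10.10 PROTO=TCP
Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted
"""

# Common prefix: timestamp, [system identifier], [source], then the message body.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<ident>[^\]]+)\] "
                     r"\[(?P<source>[^\]]+)\] (?P<body>.*)$")
# Routing logs: <ZONE>2<ZONE>[<ACTION>] then KEY=VALUE fields (Tables C-20 to C-24).
ROUTING_RE = re.compile(r"^(?P<src>[A-Z]+)2(?P<dst>[A-Z]+)\[(?P<action>[A-Z]+)\] (?P<fields>.*)$")
# Invalid packets: [INVALID][<REASON>][<ACTION>] then KEY=VALUE fields (Table C-18).
INVALID_RE = re.compile(r"^\[INVALID\]\[(?P<reason>[A-Z_]+)\]\[(?P<action>[A-Z]+)\] (?P<fields>.*)$")

def parse_fields(text):
    # 'SRC=... DST=... PROTO=ICMP' -> dict keyed by the Table C-1 terms
    return dict(re.findall(r"(\w+)=(\S+)", text))

def parse_line(line):
    # Returns a dict describing one line, or None if it is not in the FVX538 format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m["ts"], "source": m["source"], "kind": "other", "action": "", "fields": {}}
    if r := ROUTING_RE.match(m["body"]):
        ev.update(kind="routing", action=r["action"], fields=parse_fields(r["fields"]))
        ev["fields"]["PATH"] = f"{r['src']}->{r['dst']}"
    elif r := INVALID_RE.match(m["body"]):
        ev.update(kind="invalid", action=r["action"], fields=parse_fields(r["fields"]))
        ev["fields"]["REASON"] = r["reason"]
    return ev

def summarize(log_text):
    # Count routing decisions per zone path and list dropped invalid packets by source.
    routing, invalid = Counter(), []
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["kind"] == "routing":
            routing[f"{ev['fields']['PATH']} {ev['action']}"] += 1
        elif ev["kind"] == "invalid":
            invalid.append((ev["fields"]["REASON"], ev["fields"].get("SRC")))
    return {"routing": dict(routing), "invalid": invalid}
```

Lines from other sources in the same table (NTP, pppd, the IPSEC restart) are kept as kind "other" so they can still be counted, while anything that does not carry the [FVX538] prefix format is skipped.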
Appendix D Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
Document  Link
Internet Networking and TCP/IP Addressing:  http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Communications:  http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing a Computer for  http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...
NETGEAR Two-Factor Authentication Solutions
NETGEAR has implemented 2 Two-Factor Authentication solutions from WiKID. WiKID is a software-based token solution. So instead of using Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
The WiKID solution is based on a request-response architecture in which a one-time passcode (OTP), time-synchronized with the authentication server, is generated and sent to the user once the validity of the user's credential has been confirmed by the server.
2. A one-time passcode (something they have) is generated for this user.
Figure E-2
Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time.
Two-Factor Authentication is a new and easy way to enhance networking security products without having to replace the existing hardware. To obtain and try the new Two-Factor Authentication solution on your products, visit the NETGEAR Support website at http://kbserver.netgear.com. Two Factor Authentication...
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Two Factor Authentication v1.3, March 2009...
Index
use with DDNS 2-15
Using WAN port 2-10
access remote management 6-11
Active Self Certificates 5-19
Back up settings 6-16
Add DMZ WAN Outbound Services screen 4-14
backup and restore settings 6-16
Add LAN DMZ Inbound Service screen 4-16
bandwidth capacity 6-1
Add LAN DMZ Outbound Service screen 4-15
LAN side 6-1...
Content Filtering 4-1
DHCP IP Address pool 3-1
about 4-29
DHCP log
Block Sites 4-29
monitoring 6-29
enabling 4-30
DHCP server
firewall protection, about 4-1
about 3-1
content filtering 1-2, 4-1
diagnostics
crossover cable 1-3, 7-2
DNS lookup 6-29
Customized Service
packet capture 6-29...
Domain Name Servers. See DNS.
DHCP Address Pool 3-4
Ethernet, Auto Uplink 1-3
about protection 1-2
Event Logs
Dual WAN
emailing of 4-39
configuration of 2-8
Extended Authentication. See XAUTH.
Dual WAN Port
inbound traffic B-8
load balancing, inbound traffic B-9
factory default login 1-9...
manual configuration 2-4
Internet service
hardware requirements B-3
connection types 2-3
Hosting A Local Public Web Server
Internet Service Provider. See ISP.
example of 4-20
Internet Traffic Statistics 6-21
hosts, managing 3-6
IP Address
router default 3-3
IP addresses
IGP 3-14...
LAN DMZ Outbound Services
MAC address 7-6
adding rule 4-15
configuring 2-3, 2-4
format of 2-18
LAN DMZ Rules 4-14
spoofing 7-5
LAN DMZ Rules screen 4-14
MAC addresses
LAN DMZ service rule
blocked, adding 4-32
modifying 4-15
Maximum Failover 2-11...
troubleshooting 7-7
Inbound Rules 4-2, 4-6
increasing traffic 6-5
NTP Servers
rules, about 4-6
custom 6-20
default 6-19
port forwarding 6-5
NTP servers
Port Mode 2-10
setting 6-19
port numbers 4-25
Port Speed 2-18
Port Triggering
about 4-35
Oray.net 2-14...
RADIUS
Router Status screen 6-25
WiKID 6-11
Router Upgrade
RADIUS Server
about 6-17
configuring 5-27
Router's MAC Address 2-18
RADIUS-CHAP 5-23, 5-25
Routing Information Protocol 1-4
AUTH, using with 5-24
Routing Information Protocol. See RIP.
RADIUS-PAP 5-23
Routing log messages C-13
XAUTH, using with 5-24...
Settings Backup & Upgrade screen 6-15
System log messages C-1
Settings Backup and Firmware Upgrade 6-16
Simple Network Management Protocol. See SNMP.
Single WAN Port
TCP/IP
inbound traffic B-8
network, troubleshooting 7-5
sniffer 7-3
Test Period 2-10
SNMP
Time...
two-factor authentication
VPN Tunnel addresses
WiKID 6-11
Dual WAN Port systems 5-2
TZO.com 2-14
VPN Tunnel Connection
monitoring status 6-27
VPN Tunnels
increasing traffic 6-7
UDP flood 4-17
L2TP 4-17
Use Default Address 2-4
VPN tunnels
IPsec 4-17
User Database 5-24...