NETGEAR FVX538v2 - ProSafe VPN Firewall Dual WAN Reference Manual

ProSafe VPN Firewall 200
FVX538 Reference
Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
202-10062-10
v1.0
January 2010


Summary of Contents for NETGEAR FVX538v2 - ProSafe VPN Firewall Dual WAN

  • Page 1 ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 202-10062-10 v1.0 January 2010...
  • Page 2: Technical Support

    In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Manufacturer's/Importer's Declaration. It is hereby confirmed that the ProSafe VPN Firewall 200 is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please read the notes in the operating instructions. The Federal Office for Approvals in Telecommunications has been notified that...
  • Page 4 OpenSSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
  • Page 5 Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
  • Page 7: Table Of Contents

    Contents
    About This Manual
      Conventions, Formats and Scope ... xiii
      How to Print This Manual ... xiv
      Revision History ... xiv
    Chapter 1 Introduction
      Key Features ... 1-1
      Dual WAN Ports for Increased Reliability or Outbound Load Balancing ... 1-2
      A Powerful, True Firewall with Content Filtering ... 1-2
      Security Features ... 1-3
      Autosensing Ethernet Connections with Auto Uplink ... 1-3
    ...
  • Page 8
      Setting Up Load Balancing ... 2-11
      Configuring Dynamic DNS (Optional) ... 2-14
      Configuring the Advanced WAN Options (Optional) ... 2-16
      Additional WAN Related Configuration ... 2-17
    Chapter 3 LAN Configuration
      Choosing the VPN Firewall DHCP Options ... 3-1
      Configuring the LAN Setup Options ... 3-2
      Managing Groups and Hosts (LAN Groups) ... 3-6
      Creating the Network Database ... 3-6
    ...
  • Page 9
      Creating Gateway to Gateway VPN Tunnels with the Wizard ... 5-3
      Creating a Client to Gateway VPN Tunnel ... 5-6
      Testing the Connections and Viewing Status Information ... 5-12
      NETGEAR VPN Client Status and Log Information ... 5-12
      VPN Firewall VPN Connection Status and Logs ... 5-14
      Managing VPN Policies ... 5-16
      Configuring IKE Policies ... 5-16
    ...
  • Page 10: Prosafe Vpn Firewall 200 Fvx538 Reference Manual

      Configuring Keepalives and Dead Peer Detection ... 5-42
      Configuring Keepalives ... 5-42
      Configuring Dead Peer Detection ... 5-43
      Configuring NetBIOS Bridging with VPN ... 5-44
    Chapter 6 VPN Firewall and Network Management
      Performance Management ... 6-1
      Bandwidth Capacity ... 6-1
      VPN Firewall Features That Reduce Traffic ... 6-2
      VPN Firewall Features That Increase Traffic ... 6-4
      Using QoS to Shift the Traffic Mix ... 6-7
    ...
  • Page 11
      Power LED Not On ... 7-2
      LEDs Never Turn Off ... 7-2
      LAN or Internet Port LEDs Not On ... 7-2
      Troubleshooting the Web Configuration Interface ... 7-3
      Troubleshooting the ISP Connection ... 7-4
      Troubleshooting a TCP/IP Network Using a Ping Utility ... 7-5
      Testing the LAN Path to Your VPN Firewall ... 7-5
      Testing the Path from Your PC to a Remote Device ... 7-6
      Restoring the Default Configuration and Password ... 7-7
    ...
  • Page 12
    Appendix D Two Factor Authentication
      Why do I need Two-Factor Authentication? ... D-1
      What are the benefits of Two-Factor Authentication? ... D-1
      What is Two-Factor Authentication ... D-2
      NETGEAR Two-Factor Authentication Solutions ... D-2
    Appendix E Related Documents
    Index
    ...
  • Page 13: About This Manual

    About This Manual The NETGEAR® ProSafe™ VPN Firewall 200 FVX538 Reference Manual describes how to install, configure, and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope The conventions, formats, and scope of this manual are described in the following paragraphs.
  • Page 14: How To Print This Manual

    NETGEAR website in Appendix E, “Related Documents.” Note: Product updates are available on the NETGEAR, Inc. website at http://kb.netgear.com/app/home. How to Print This Manual To print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files.
  • Page 15 202-10062-09, Mar. 09: Adds these corrections and topics for the March 2009 firmware maintenance release: • WIKID 2 factor authentication • SIP ALG support • DHCP Relay support • Update VPN configuration procedure topics •...
  • Page 16 202-10062-10, January 2010 (continued): • Updated the LAN Multi-homing screen (Figure 3-4) and revised the “Configuring Multi Home LAN IP Addresses” section for more clarity. • Revised the “Configuring and Enabling the DMZ Port”...
  • Page 17: Introduction

    Support for up to 400 internal LAN users (and 50K connections). • Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.
  • Page 18: Dual Wan Ports For Increased Reliability Or Outbound Load Balancing

    • One console port for local management. • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). • Easy, web-based setup for installation and management. • Advanced SPI Firewall and Multi-NAT support.
  • Page 19: Security Features

    • Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the VPN firewall to e-mail the log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.
  • Page 20: Extensive Protocol Support

    ISP account. • VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 21: Maintenance And Support

    ProSafe VPN Client Software – five user licenses. • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the VPN firewall for repair.
  • Page 22: Vpn Firewall Front And Rear Panels

    VPN Firewall Front and Rear Panels The FVX538 front panel shown below (Figure 1-1) contains the port connections, status LEDs, and the factory defaults reset button. Table 1-1 describes each item on the front panel and its operation. Table 1-1.
  • Page 23 Table 1-1. Object Descriptions (continued). Object: WAN Ports and Active LEDs. LED Activity / Description: On (Green) – The WAN port has a valid Internet connection. On (Amber) – The Internet connection is down or not being used because the port is available for failover in case the...
  • Page 24: Rack Mounting Hardware

    The rear panel of the FVX538 contains the On/Off switch and AC power connection. Figure 1-2 Viewed from left to right, the rear panel contains the following elements: 1. AC power in 2. On/Off switch Rack Mounting Hardware The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in...
  • Page 25: The Vpn Firewall's Ip Address, Login Name, And Password

    The VPN Firewall’s IP Address, Login Name, and Password Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN •...
  • Page 26: Qualified Web Browsers

    Qualified Web Browsers To configure the FVX538, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher, with JavaScript, cookies, and SSL enabled.
  • Page 27: Connecting The Vpn Firewall To The Internet

    FVX538 ProSafe VPN Firewall 200 for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com. 2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your VPN firewall.
  • Page 28: Logging Into The Vpn Firewall

    5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on page 2-14. 6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed.
  • Page 29 To automatically configure the WAN ports and connect to the Internet: 1. Select the primary menu option Network Configuration and the submenu option WAN Settings. The WAN1 ISP Settings screen will display. Figure 2-1 2.
  • Page 30 When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1. Note: When you click Auto Detect while the WAN port already has a connection, you might lose the connection because the VPN firewall will enter its detection mode.
  • Page 31: Setting The Vpn Firewall's Mac Address

    4. Set up the traffic meter for WAN 1 ISP if desired. See “Enabling the Traffic Meter” on page 6- Note: At this point of the configuration process, you are now connected to the Internet through WAN port 1.
  • Page 32 2. What type of ISP connection do you use? If your connection is PPPoE, PPTP, or BigPond Cable, then you must log in. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected.
  • Page 33: Configuring The Wan Mode (Required For Dual Wan)

    5. Click Apply to save the settings or click Reset to discard any changes and revert to the previous settings. 6. Click Test to try to connect to the NETGEAR website. If you connect successfully and your settings work, then you may click Logout or go on and configure additional settings.
  • Page 34 The VPN firewall supports the following modes: • Auto-Rollover Mode. In this mode, the selected WAN interface is made primary and the other is the rollover link. As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic.
  • Page 35: Setting Up Auto-Rollover Mode

    Setting Up Auto-Rollover Mode If you want to use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured. Then select the WAN port that will act as the primary link for this mode and configure the WAN Failure Detection Method to support Auto-Rollover.
  • Page 36 5. Enter a Test Period in seconds. A DNS query is sent at the end of every test period. The default test period is 30 seconds. Figure 2-3 6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number of queries have failed to elicit a reply.
  • Page 37: Setting Up Load Balancing

    FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port. Note: NETGEAR recommends that all specific traffic (for example, HTTP) be configured for the WAN2 port. The only way to make certain traffic goes out one port and all other traffic goes out the other port is to use WAN2 for specified traffic.
  • Page 38 3. Enter the following data in the Add Protocol Binding section: a. Service – From the pull-down menu, select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules”...
  • Page 39 Figure 2-5 3. Modify the parameters for the protocol binding service you selected. 4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table. 5. Click Reset to return to the previously configured settings.
  • Page 40: Configuring Dynamic Dns (Optional)

    Configuring Dynamic DNS (Optional) Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org.
  • Page 41 Figure 2-6 2. Click the tab of the Dynamic DNS Service you want to enable. Each DNS service provider requires registration and you then configure its parameters on the corresponding screen. 3. Access the website of one of the DDNS service providers and set up an account. A link to each DDNS provider is to the right of the tabs.
  • Page 42: Configuring The Advanced Wan Options (Optional)

    d. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as...
  • Page 43: Additional Wan Related Configuration

    If you want the ability to manage the VPN firewall remotely, enable remote management at this time (see “Enabling Remote Management Access” on page 6-14). If you enable remote management, NETGEAR strongly recommends that you change your password (see “Changing Passwords and Settings” on page 6-8). •...
  • Page 45: Lan Configuration

    Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200 FVX538, including the following sections: • “Choosing the VPN Firewall DHCP Options” on this page • “Managing Groups and Hosts (LAN Groups)” on page 3-6 •...
  • Page 46: Configuring The Lan Setup Options

    The VPN firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP address from the range that you have defined. • Subnet mask. • Gateway IP address (the VPN firewall’s LAN IP address). •...
  • Page 47 Note: If you enable the DHCP Relay feature, you will not use the VPN firewall as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
  • Page 48 Note: If you change the LAN IP address of the VPN firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to reconnect to the Web Configuration Manager.
  • Page 49 • WINS Server. (Optional) Specifies the IP address of a local Windows NetBIOS Server if one is present in your network. • Lease Time. This specifies the duration for which IP addresses will be leased to clients. If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information.
  • Page 50: Managing Groups And Hosts (Lan Groups)

    Managing Groups and Hosts (LAN Groups) The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this VPN firewall.
  • Page 51: Viewing The Network Database

    – If necessary, you can also create firewall rules to apply to a single PC (see “Configuring Source MAC Filtering” on page 4-33). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address. •...
  • Page 52: Adding Devices To The Network Database

    • MAC Address. The MAC address of the computer’s network interface. • Group. Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment, select the Edit link in the Action column.
  • Page 53: Changing Group Names In The Lan Groups Database

    Changing Group Names in the LAN Groups Database By default, the LAN Groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as Engineering or Marketing. To edit the names of any of the eight available groups: 1.
  • Page 54: Configuring Multi Home Lan Ip Addresses

    To reserve an IP address, manually enter the device on the LAN Groups screen, specifying Reserved (DHCP Client), as described in “Adding Devices to the Network Database” on page 3- Note: The reserved address will not be assigned until the next time the PC contacts the VPN firewall's DHCP server.
  • Page 55: Configuring And Enabling The Dmz Port

    • IP Address. The IP address alias added to the LAN port of the VPN firewall. This is the gateway for computers that need to access the Internet. • Subnet Mask. IPv4 Subnet Mask. •...
  • Page 56 Note: A separate firewall security profile is provided for the DMZ port that is hardware independent of the standard firewall security used for the LAN. The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see “VPN Firewall Front and Rear Panels”...
  • Page 57 If desired, select Enable DHCP Server, which will provide TCP/IP configuration for all computers connected to the VPN firewall’s DMZ network. If another device on your DMZ network will be the DHCP server, or if you will manually configure all devices, leave the Disable DHCP Server radio box selected, which is the default setting.
  • Page 58: Configuring Static Routes

    • Port. Specifies the port number that the LDAP server is using. Leave this field blank for the default port. 4. In the Advanced Settings section, select Enable DNS Proxy if you want to enable the DNS proxy, which is the default setting.
  • Page 59 2. Click Add. The Add Static Route screen will display. Figure 3-7 3. Enter a route name for this static route in the Route Name field (for identification and management). 4. Select Active to make this route effective. 5.
  • Page 60: Static Route Example

    Static Route Example For example, you may require a static route if: • Your primary Internet access is through a cable modem to an ISP. • You have an ISDN firewall on your home network for connecting to the company where you are employed.
  • Page 61 2. Click the RIP Configuration link to the right of the Routing tab. The RIP Configuration screen will display. Figure 3-8 3. From the RIP Direction pull-down menu, select the direction in which the VPN firewall sends and receives RIP packets.
  • Page 62 • RIP-2. This includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the modes in which packets are sent are different. –...
  • Page 63: Firewall Protection And Content Filtering

    Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 FVX538 to protect your network. This chapter includes the following sections: • “About Firewall Protection and Content Filtering”...
  • Page 64: Using Rules To Block Or Allow Specific Kinds Of Traffic

    intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT. Using Rules to Block or Allow Specific Kinds of Traffic This section includes the following topics: •...
  • Page 65: Services-Based Rules

    Services-Based Rules The rules to block traffic are based on the traffic’s category of service. • Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it. •...
  • Page 66 Table 4-2. Outbound Rules (continued) Item Description Select Schedule Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule. • This pull-down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block”...
  • Page 67 Table 4-2. Outbound Rules (continued) Item Description Bandwidth Profile Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing/incoming traffic, thus preventing the LAN users from consuming all the bandwidth of your Internet link.
  • Page 68 Table 4-3. Inbound Rules Item Description Services Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services”...
  • Page 69: Viewing Rules And Order Of Precedence For Rules

    Table 4-3. Inbound Rules (continued) Item Description This determines whether packets covered by this rule are logged. Select the desired action: • Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
  • Page 70 Figure 4-1 For LAN WAN rules, DMZ WAN rules, and LAN DMZ rules, for any traffic attempting to pass through the VPN firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services rules tables, beginning at the top and proceeding to the bottom.
  • Page 71: Configuring Lan Wan Rules

    2. Click one of the following table buttons: • enable. Enables the rule or rules. The “!” status icon changes from a grey circle to a green circle, indicating that the rule or rules are enabled. (By default, when a rule is added to the table, it is automatically enabled.) •...
  • Page 72 3. Click Apply. LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 73 3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Outbound Services table. LAN WAN Inbound Services Rules This Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed.
  • Page 74: Configuring Dmz Wan Rules

    Configuring DMZ WAN Rules The firewall rules for traffic between the DMZ and the WAN/Internet are configured on the DMZ WAN Rules screen. The Default Outbound Policy is to allow all traffic from and to the Internet to pass through.
  • Page 75: Configuring Lan Dmz Rules

    Figure 4-6 4. Configure the parameters based on the descriptions in Table 4-2 on page 4-3. 5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled. The procedure to add a new DMZ WAN inbound service policy is similar to the procedure described above with the exception that you click Add under the Inbound Services table, you configure the parameters based on the descriptions in...
  • Page 76 2. Select the LAN DMZ Rules tab. The LAN DMZ Rules screen will display. Figure 4-7 3. Click Add under the Outbound Services Table. The Add LAN DMZ Outbound Service screen will display. Figure 4-8 4.
  • Page 77: Inbound Rules Examples

    The procedure to add a new LAN DMZ inbound service policy is similar to the procedure described above with the exception that you click Add under the Inbound Services table, you configure the parameters based on the descriptions in Table 4-3 on page 4-6, and the policy is added to the Inbound Services table.
  • Page 78 LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. Figure 4-10 In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
  • Page 79 Figure 4-11 The following addressing scheme is used in this example: • VPN firewall FVX538 – WAN1 primary public IP address: 10.1.0.1 – WAN1 additional public IP address: 10.1.0.5 – LAN IP address 192.168.1.1 •...
  • Page 80 1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 81: Outbound Rules Example

    Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites. LAN WAN Outbound Rule: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
  • Page 82: Attack Checks

    Attack Checks The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN and WAN networks. To enable the appropriate attack checks for your environment: 1.
  • Page 83 – Enable Stealth Mode. In stealth mode, the VPN firewall will not respond to port scans from the WAN or Internet, which makes it less susceptible to discovery and attacks. – Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system.
  • Page 84: Setting Session Limits

    Setting Session Limits Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the VPN firewall. This feature is enabled on the Session Limit screen and shown below in Figure 4-15.
  • Page 85: Managing The Application Level Gateway For Sip Sessions

    Note: Some protocols (such as FTP or RTSP) create two sessions per connection, which should be considered when configuring Session Limiting. The Total Number of Packets Dropped due to Session Limit field shows the total number of packets dropped when the session limit is reached.
  • Page 86: Creating Services, Qos Profiles, And Bandwidth Profiles

    Creating Services, QoS Profiles, and Bandwidth Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: •...
  • Page 87 To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups.
  • Page 88: Specifying Quality Of Service (Qos) Priorities

    ProSafe VPN Firewall 200 FVX538 Reference Manual Modifying a Service To edit the parameters of a service: 1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display. Figure 4-18 2.
  • Page 89: Creating Bandwidth Profiles

    ProSafe VPN Firewall 200 FVX538 Reference Manual A ToS priority for traffic passing through the VPN firewall is one of the following: • Normal-Service. No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0. •...
  • Page 90 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-19 2. Click Add to add a new bandwidth profile. The Add New Bandwidth Profile screen displays. Figure 4-20 3. Enter the following information: a. Enter a Profile Name. This name will become available in the firewall rules definition menus.
  • Page 91: Setting A Schedule To Block Or Allow Specific Traffic

    ProSafe VPN Firewall 200 FVX538 Reference Manual c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed: • Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth in Kbps. • Enter the Inbound Minimum Bandwidth and Inbound Maximum Bandwidth in Kbps.
  • Page 92: Blocking Internet Sites (Content Filtering)

    VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
  • Page 93 ProSafe VPN Firewall 200 FVX538 Reference Manual Several types of blocking are available: • Web Components blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Some of these components can be used by malicious Websites to infect computers that access them.
  • Page 94 ProSafe VPN Firewall 200 FVX538 Reference Manual Keyword application examples: • If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX. • If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
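The two keyword examples above follow from one rule: a keyword matches case-insensitively anywhere in the requested host or path, so "XXX" catches xxx.html and ".com" catches every .com site. The Python below is an added example, not code from the manual or firmware; it reproduces that rule and applies it only to clients in the LAN groups selected for keyword blocking. The client-to-group table, the default group name and the sample URLs are constructed assumptions.

```python
"""Keyword URL blocking as the manual describes it (added example).

Rule: a keyword is compared case-insensitively against the URL's host and
path (and query, if any).  Blocking applies only to clients whose LAN group
was selected for keyword blocking.  Blocked requests get the
"Blocked by NETGEAR" page.
"""
from urllib.parse import urlsplit

BLOCK_MESSAGE = "Blocked by NETGEAR"


class KeywordFilter:
    def __init__(self, keywords, blocked_groups, group_of_client, default_group="Group1"):
        # Normalise once; matching is case-insensitive.
        self.keywords = [k.strip().lower() for k in keywords if k.strip()]
        self.blocked_groups = set(blocked_groups)
        self.group_of_client = dict(group_of_client)   # client ip -> LAN group (assumed table)
        self.default_group = default_group

    def matching_keyword(self, url):
        """Return the first configured keyword found in the URL, or None."""
        parts = urlsplit(url if "://" in url else "http://" + url)
        haystack = (parts.netloc + parts.path).lower()
        if parts.query:
            haystack += "?" + parts.query.lower()
        for kw in self.keywords:
            if kw in haystack:
                return kw
        return None

    def check(self, client_ip, url):
        """Return (allowed, reason) for a request from client_ip to url."""
        group = self.group_of_client.get(client_ip, self.default_group)
        if group not in self.blocked_groups:
            return True, f"keyword blocking not applied to {group}"
        kw = self.matching_keyword(url)
        if kw is None:
            return True, "no keyword match"
        return False, f'{BLOCK_MESSAGE} (keyword "{kw}")'


def constructed_filter():
    """Constructed configuration: keywords XXX and .com, blocking enabled for Group1 only."""
    return KeywordFilter(
        keywords=["XXX", ".com"],
        blocked_groups={"Group1"},
        group_of_client={"192.168.1.10": "Group1", "192.168.1.20": "Group2"},
    )


if __name__ == "__main__":
    f = constructed_filter()
    for ip, url in [("192.168.1.10", "http://www.badstuff.com/xxx.html"),
                    ("192.168.1.10", "http://www.example.edu/"),
                    ("192.168.1.20", "http://www.example.com/")]:
        print(ip, url, f.check(ip, url))
```

Because the match is a plain substring test, a short keyword such as ".com" blocks far more than its author may intend; test a new keyword against the sites that must stay reachable before applying it to a group.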
  • Page 95: Configuring Source Mac Filtering

    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Check the Yes radio button to enable content filtering. 3. Click Apply to activate the screen controls. 4. Check the radio boxes of any web components you wish to block. 5. Check the radio buttons of the groups to which you wish to apply keyword blocking. Click Enable to activate keyword blocking (or disable to deactivate keyword blocking).
  • Page 96 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-23 2. Check the Yes radio box in the MAC Filtering Enable section. 3. Select the action to be taken on outbound traffic from the listed MAC addresses: • Block this list and permit all other MAC addresses. •...
  • Page 97: Configuring Ip/Mac Address Binding

    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring IP/MAC Address Binding IP/MAC binding allows you to bind an IP address to a MAC address and the other way around. Some devices are configured with static addresses. To prevent users from changing their static IP addresses, IP/MAC binding must be enabled on the VPN firewall.
  • Page 98 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-24 3. Select the Yes radio box and click Apply. Make sure that you have enabled the e-mailing of logs (see “Activating Notification of Events and Alerts” on page 6-23). 4. Add an IP/MAC Bind rule by entering: a.
  • Page 99: Configuring Port Triggering

    ProSafe VPN Firewall 200 FVX538 Reference Manual To edit an IP/MAC Bind rule, click Edit adjacent to the entry. The following fields of an existing IP/MAC Bind rule can be modified: • MAC Address. Specify the MAC Address for this rule. •...
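IP/MAC binding is a two-way check: a frame is dropped if its source MAC is bound to a different IP address, or if its source IP is bound to a different MAC. The Python below is an added example, not code from the manual or firmware, showing that check and the drop log that feeds the e-mailed notifications. The rule table, the MAC spellings accepted and the log line format are constructed assumptions.

```python
"""IP/MAC binding enforcement (added example).

One rule binds one IP to one MAC in both directions.  A frame passes if
neither its MAC nor its IP appears in the table, or if the pair matches the
rule exactly; any other combination is a violation and is dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BindRule:
    name: str
    mac: str
    ip: str
    log_dropped: bool = True


def normalise_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return colon form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("bad MAC address: " + mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class IpMacBinding:
    def __init__(self, rules):
        self.by_mac = {}
        self.by_ip = {}
        for r in rules:
            r = BindRule(r.name, normalise_mac(r.mac), r.ip, r.log_dropped)
            if r.mac in self.by_mac or r.ip in self.by_ip:
                raise ValueError("duplicate binding in rule " + r.name)
            self.by_mac[r.mac] = r
            self.by_ip[r.ip] = r
        self.log = []   # constructed log lines for dropped frames

    def check(self, src_mac, src_ip):
        """Return True if the frame may pass; otherwise record the drop and return False."""
        mac = normalise_mac(src_mac)
        rule = self.by_mac.get(mac) or self.by_ip.get(src_ip)
        if rule is None:
            return True                       # neither address is bound
        if rule.mac == mac and rule.ip == src_ip:
            return True                       # pair matches the rule
        if rule.log_dropped:
            self.log.append(f"IP/MAC binding violation rule={rule.name} "
                            f"expected {rule.ip}/{rule.mac} got {src_ip}/{mac}")
        return False


if __name__ == "__main__":
    b = IpMacBinding([BindRule("printer", "00:11:22:33:44:55", "192.168.1.50")])
    print(b.check("00:11:22:33:44:55", "192.168.1.50"), b.check("aa:aa:aa:aa:aa:aa", "192.168.1.50"))
    print("\n".join(b.log))
```

The second lookup (by IP) is what stops another host from claiming a bound static address; binding by MAC alone would only stop the bound host from changing its own address.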
  • Page 100 ProSafe VPN Firewall 200 FVX538 Reference Manual Note these restrictions with port triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC.
  • Page 101 ProSafe VPN Firewall 200 FVX538 Reference Manual 6. In the Incoming (Response) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 7. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1.
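The restrictions listed for port triggering (one PC per rule at a time, and a time-out before another PC can use it) are easiest to see as a small state machine. The Python below is an added example, not code from the manual or firmware: an outbound connection to a trigger port gives that LAN host ownership of the rule's incoming range; inbound packets to that range are forwarded to the owner while the rule is active; after the time-out another host may trigger it. The rule, the time-out length and the packet sequence are constructed assumptions.

```python
"""Port triggering state machine (added example).

A rule has an outgoing trigger port range and an incoming (response) port
range.  Ownership is per rule, per LAN host, and expires timeout_s after
the rule was last used.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TriggerRule:
    name: str
    trigger_ports: tuple       # (start, end) of outgoing trigger ports
    incoming_ports: tuple      # (start, end) of incoming response ports
    timeout_s: float = 120.0   # constructed time-out length
    owner: Optional[str] = None
    last_used: Optional[float] = None

    def active(self, now):
        return self.owner is not None and now - self.last_used <= self.timeout_s


class PortTriggering:
    def __init__(self, rules):
        self.rules = list(rules)

    def outbound(self, now, lan_ip, dst_port):
        """Open the matching rule for lan_ip. Returns the rule name, or None if no rule
        matched or the rule is currently owned by another PC."""
        for r in self.rules:
            if r.trigger_ports[0] <= dst_port <= r.trigger_ports[1]:
                if r.active(now) and r.owner != lan_ip:
                    return None              # only one PC at a time
                r.owner, r.last_used = lan_ip, now
                return r.name
        return None

    def inbound(self, now, dst_port):
        """Return the LAN IP an unsolicited inbound packet is forwarded to, or None (dropped)."""
        for r in self.rules:
            if r.incoming_ports[0] <= dst_port <= r.incoming_ports[1] and r.active(now):
                r.last_used = now            # use keeps the rule open
                return r.owner
        return None


def constructed_rules():
    """Constructed: an IRC-style rule, trigger 6660-6669 outbound, response on 113, 60 s time-out."""
    return [TriggerRule("irc", (6660, 6669), (113, 113), timeout_s=60.0)]


if __name__ == "__main__":
    pt = PortTriggering(constructed_rules())
    print(pt.outbound(0, "192.168.1.10", 6667), pt.inbound(5, 113),
          pt.outbound(10, "192.168.1.11", 6667), pt.inbound(80, 113))
```

Compared with a static port-forwarding rule, the incoming range is closed whenever no host owns the rule, which is the security advantage of triggering; the cost is the serialisation the manual warns about.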
  • Page 102: E-Mail Notifications Of Event Logs And Alerts

    ProSafe VPN Firewall 200 FVX538 Reference Manual E-Mail Notifications of Event Logs and Alerts The firewall logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For example, your VPN firewall will log security-related events such as: accepted and dropped packets on different segments of your LAN;...
  • Page 103: Virtual Private Networking

    Chapter 5 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • “Considerations for Dual WAN Port Systems” on this page •...
  • Page 104 ProSafe VPN Firewall 200 FVX538 Reference Manual The diagrams and table below show how the WAN mode selection relates to VPN configuration. (Figure: WAN Auto-Rollover, FQDN Required for VPN Firewall; shows the WAN 1 Port, WAN 2 Port, WAN Port Rollover Control, Rest of Firewall, and Internet.)...
  • Page 105: Using The Vpn Wizard For Client And Gateway Configurations

    ProSafe VPN Firewall 200 FVX538 Reference Manual Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: •...
  • Page 106 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-4 2. Select Gateway as your connection type. 3. Create a Connection Name. Enter a descriptive name for the connection. This name is used to help you manage the VPN settings; it is not supplied to the remote VPN endpoint. 4.
  • Page 107 ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Enter the Remote and Local WAN IP Addresses or Internet Names of the gateways which will connect. • Both the remote WAN address and your local WAN address are required. Tip: To ensure tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive.
  • Page 108: Creating A Client To Gateway Vpn Tunnel

    ProSafe VPN Firewall 200 FVX538 Reference Manual 9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured. To display the status of your VPN connections, select VPN from the main menu and Connection Status from the submenu.
  • Page 109 ProSafe VPN Firewall 200 FVX538 Reference Manual Follow these steps to configure a VPN client tunnel: • Configure the client policies on the gateway. • Configure the VPN client to connect to the gateway. Use the VPN Wizard Configure the Gateway for a Client Tunnel 1.
  • Page 110 5-16.) Figure 5-9 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the VPN firewall. Virtual Private Networking...
  • Page 111 ProSafe VPN Firewall 200 FVX538 Reference Manual Follow these steps to configure your VPN client. 1. Right-click on the VPN client icon in your Windows toolbar, choose Security Policy Editor, and verify that the Options > Secure > Specified Connections selection is enabled. Figure 5-10 2.
  • Page 112 ProSafe VPN Firewall 200 FVX538 Reference Manual Fill in the other options according to the instructions below. • Under Connection Security, verify that the Secure radio button is selected. • From the ID Type pull-down menu, choose IP Subnet. • Enter the LAN IP Subnet Address and Subnet Mask of the VPN firewall LAN;...
  • Page 113 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-13
  • Page 114: Testing The Connections And Viewing Status Information

    5. In the upper left of the window, click the disk icon to save the policy. Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 115 Connections\gw1”. Figure 5-15 The VPN client icon in the system tray should state On: 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer.
  • Page 116: Vpn Firewall Vpn Connection Status And Logs

    ProSafe VPN Firewall 200 FVX538 Reference Manual • Right-click the VPN Client icon in the system tray and select Connection Monitor. Figure 5-17 The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2. System Tray Icon Status The client policy is deactivated.
  • Page 117 ProSafe VPN Firewall 200 FVX538 Reference Manual You can set a Poll Interval (in seconds) to check the connection status of all active IKE policies to obtain the latest VPN tunnel activity. The Active IPSec SA(s) table also lists current data for each active IPsec SA (security association): •...
  • Page 118: Managing Vpn Policies

    ProSafe VPN Firewall 200 FVX538 Reference Manual Managing VPN Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN policy and an IKE policy are established and populated in both policy tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN policy and IKE policy.
  • Page 119 ProSafe VPN Firewall 200 FVX538 Reference Manual The IKE Policies Screen When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the List of IKE Policies table on the IKE Policies screen and is given the same name as the new VPN connection name.
  • Page 120: Configuring Vpn Policies

    To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix E, “Related Documents” for a link to the NETGEAR website. Configuring VPN Policies You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
  • Page 121: Managing Certificates

    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. Only one client policy may be configured at a time (noted by an “*” next to the policy name). The List of VPN Policies contains the following fields: •...
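"Must have a matching SA" means the peer has to offer a proposal whose encryption algorithm, authentication (hash) algorithm and DH group all agree with one of yours; with no common proposal the responder refuses. The Python below is an added example, not code from the manual or the firmware, that performs that comparison and, on failure, names the field that differs, which is the usual cause of a tunnel that never comes up. Assumptions: the three algorithm fields must match exactly, and a lifetime difference is reported as a warning rather than a refusal.

```python
"""IKE/IPsec proposal matching (added example).

Each side offers one or more proposals.  The responder picks the first of
its own proposals (in order of preference) that the peer also offers.
Spelling variants such as SHA-1/sha1 and AES-128/aes128 are treated as the
same algorithm.
"""
from dataclasses import dataclass


def _norm(value):
    return str(value).upper().replace("-", "").replace("_", "")


@dataclass(frozen=True)
class Proposal:
    encryption: str     # e.g. "3DES", "AES-128"
    auth: str           # e.g. "SHA-1", "MD5"
    dh_group: int       # e.g. 2 (1024-bit MODP)
    lifetime_s: int     # SA lifetime in seconds

    def algorithms(self):
        return (_norm(self.encryption), _norm(self.auth), self.dh_group)


def negotiate(local, remote):
    """Return (chosen_local_proposal, warnings); chosen is None when refused."""
    remote_by_alg = {}
    for p in remote:
        remote_by_alg.setdefault(p.algorithms(), p)
    for p in local:
        match = remote_by_alg.get(p.algorithms())
        if match is None:
            continue
        warnings = []
        if match.lifetime_s != p.lifetime_s:
            shorter = min(p.lifetime_s, match.lifetime_s)
            warnings.append(f"lifetime mismatch: local {p.lifetime_s}s, peer "
                            f"{match.lifetime_s}s; expect rekey after {shorter}s")
        return p, warnings
    return None, ["no matching proposal: connection refused"]


def explain_mismatch(local, remote):
    """For every local/peer pair, list the algorithm fields that differ."""
    diffs = []
    for lp in local:
        for rp in remote:
            for name in ("encryption", "auth", "dh_group"):
                a, b = getattr(lp, name), getattr(rp, name)
                if _norm(a) != _norm(b):
                    diffs.append(f"{name}: local {a} vs peer {b}")
    return diffs


if __name__ == "__main__":
    mine = [Proposal("3DES", "SHA-1", 2, 3600)]
    peer = [Proposal("3des", "md5", 2, 3600)]
    print(negotiate(mine, peer))
    print(explain_mismatch(mine, peer))
```

The same comparison applies to the Phase 2 (IPsec) proposal, where the VPN policy settings on both ends must match in the same way.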
  • Page 122 A self-signed certificate will trigger a warning from most browsers because nothing outside the device vouches for the server’s identity; anyone can generate such a certificate for any name. The VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate with one issued by a CA prior to deploying the VPN firewall in your network.
  • Page 123: Viewing And Loading Ca Certificates

    ProSafe VPN Firewall 200 FVX538 Reference Manual • CA certificate. Each CA issues its own CA identity certificate in order to validate communication with the CA and to verify the validity of certificates signed by the CA. • Self certificate. The certificate issued to you by a CA identifying your device. Viewing and Loading CA Certificates The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data:...
  • Page 124: Viewing Active Self Certificates

    ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing Active Self Certificates The Active Self Certificates table on the Certificates screen shows the certificates issued to you by a CA and available for use. Figure 5-22 For each self certificate, the following data is listed: •...
  • Page 125 ProSafe VPN Firewall 200 FVX538 Reference Manual To generate a new Certificate Signing Request (CSR) file: 1. Locate the Generate Self Certificate Request section of the Certificates screen. Figure 5-23 2. Configure the following fields: • Name – Enter a descriptive name that will identify this certificate. •...
  • Page 126 ProSafe VPN Firewall 200 FVX538 Reference Manual • Domain Name – If you have an Internet domain name, you can enter it here. Otherwise, you should leave this field blank. • E-mail Address – Enter the e-mail address of a technical contact in your organization. 4.
  • Page 127: Managing Your Certificate Revocation List (Crl)

    ProSafe VPN Firewall 200 FVX538 Reference Manual 7. Submit your certificate request to a CA: a. Connect to the website of the CA. b. Start the Self Certificate request procedure. c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----”...
  • Page 128: Extended Authentication (Xauth) Configuration

    ProSafe VPN Firewall 200 FVX538 Reference Manual The CRL table lists your active CAs and their critical release dates: • CA Identity – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. •...
  • Page 129: Configuring Xauth For Vpn Clients

    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring XAUTH for VPN Clients Once XAUTH has been enabled, you must establish user accounts on the local database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: If you are modifying an existing IKE policy to add XAUTH and that policy is in use by a VPN policy, the VPN policy must be disabled before you can modify the IKE policy.
  • Page 130 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-28 3. In the Extended Authentication section of the Add IKE Policy (or Edit IKE Policy) screen, select the Authentication Type from the pull-down menu which will be used to verify user account information.
  • Page 131: User Database Configuration

    ProSafe VPN Firewall 200 FVX538 Reference Manual – User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 5-29). – RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server.
  • Page 132: Radius Client Configuration

    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Enter a User Name. This is the unique ID of a user which will be added to the User Name database. 3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4.
  • Page 133 ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Select the RADIUS Client tab. The RADIUS Client screen will display. Figure 5-30 3. Enable the primary RADIUS server by checking the Yes radio box. 4. Enter the primary RADIUS Server IP address. 5.
  • Page 134: Assigning Ip Addresses To Remote Users (Modeconfig)

    – LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Mode Config Operation After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask and name server addresses.
  • Page 135: Configuring Mode Config Operation On The Vpn Firewall

    ProSafe VPN Firewall 200 FVX538 Reference Manual IP address from the configured IP address pool and activates a temporary IPsec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the Add Mode Config Record screen that is shown in Figure 5-32 on page 5-34).
  • Page 136 ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Click Add. The Add Mode Config Record screen will display. Figure 5-32 3. Enter a descriptive Record Name such as “Sales”. 4. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
  • Page 137 ProSafe VPN Firewall 200 FVX538 Reference Manual 9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES. If both the VPN firewall and the remote client offer AES, prefer it over 3DES, which is a legacy algorithm; whichever values you choose must be identical on both ends. 10.
  • Page 138 ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. Figure 5-34 3. In the Mode Config Record section, enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu.
  • Page 139 ProSafe VPN Firewall 200 FVX538 Reference Manual 4. In the General section: • Enter a description name in the Policy Name field such as “SalesPerson”. This name will be used as part of the remote identifier in the VPN client configuration. •...
  • Page 140: Configuring The Prosafe Vpn Client For Modeconfig

    12. Click Apply. The new policy will appear in the List of IKE Policies table. Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1.
  • Page 141 ProSafe VPN Firewall 200 FVX538 Reference Manual d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull- down menu. e. From the ID Type pull-down menu, select Domain name and enter the FQDN of the VPN firewall;...
  • Page 142 ProSafe VPN Firewall 200 FVX538 Reference Manual e. Select your Internet Interface adapter from the Name pull-down menu. 3. On the left-side of the menu, select Security Policy. Enter the following information: a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
  • Page 143 ProSafe VPN Firewall 200 FVX538 Reference Manual 5. Click on Key Exchange (Phase 2) on the left-side of the menu and select Proposal 1. Figure 5-38 Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).
  • Page 144: Configuring Keepalives And Dead Peer Detection

    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring Keepalives and Dead Peer Detection In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require your VPN tunnel to remain connected, you can use the Keepalive and Dead Peer Detection features to prevent the tunnel from dropping and to force a reconnection if the tunnel drops for any reason.
  • Page 145: Configuring Dead Peer Detection

    ProSafe VPN Firewall 200 FVX538 Reference Manual 5. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests. 6. Enter the Detection Period to set the time between ICMP ping requests. The default is 10 seconds.
  • Page 146: Configuring Netbios Bridging With Vpn

    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. In Reconnect after failure count, set the number of DPD failures allowed before tearing down the connection. The default is 3 failures. When the VPN firewall senses an IKE connection failure, it deletes the IPSec and IKE Security Association and forces a reestablishment of the connection.
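The Detection Period and Reconnect after failure count settings together fix how long a dead peer goes unnoticed: a probe every period, one failure per unanswered probe, teardown and re-initiation when the count reaches the limit, and a reset of the count on any answered probe. The Python below is an added example, not code from the manual or firmware, that simulates that schedule; it ignores the detail that real DPD probes are only sent while the tunnel is idle, and the peer's answer pattern is a constructed assumption.

```python
"""Dead Peer Detection timing (added example).

Simulates the R-U-THERE / R-U-THERE-ACK exchange with the manual's defaults:
a 10 s detection period and 3 failures before the IPsec and IKE SAs are
deleted and IKE is restarted.
"""


class DeadPeerDetection:
    def __init__(self, detection_period_s=10, failure_limit=3):
        self.period = detection_period_s
        self.limit = failure_limit
        self.failures = 0
        self.events = []

    def run(self, peer_answers, start=0):
        """peer_answers: one bool per probe, True when an R-U-THERE-ACK arrived.
        Returns the simulated time at which the SAs were torn down, or None."""
        t = start
        for answered in peer_answers:
            t += self.period                      # one probe per detection period
            if answered:
                self.failures = 0                 # a live peer resets the count
                continue
            self.failures += 1
            self.events.append(f"t={t}s probe unanswered ({self.failures}/{self.limit})")
            if self.failures >= self.limit:
                self.events.append(f"t={t}s deleting IPsec and IKE SAs, re-initiating IKE")
                self.failures = 0
                return t
        return None


def time_to_detect(detection_period_s=10, failure_limit=3):
    """Seconds between the last answered probe and teardown for a peer that goes silent."""
    return detection_period_s * failure_limit


if __name__ == "__main__":
    dpd = DeadPeerDetection()
    print("torn down at", dpd.run([True, True, False, False, False]), "s")
    print("\n".join(dpd.events))
    print("worst case with defaults:", time_to_detect(), "s")
```

With the defaults a silent peer is detected after 30 s. Lowering the period speeds that up at the cost of more IKE traffic; a flapping link that answers one probe in three never trips the count, which is why the failure count, not just the period, matters.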
  • Page 147: Vpn Firewall And Network Management

    Chapter 6 VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • “Performance Management” on this page • “Configuring Users, Administrative Settings, and Remote Management” on page 6-8 •...
  • Page 148: Vpn Firewall Features That Reduce Traffic

    ProSafe VPN Firewall 200 FVX538 Reference Manual Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall. But there is no backup in case one of the WAN ports fails. In such an event and with one exception, the traffic that would have been sent on the failed WAN port gets diverted to the WAN port that is still working, thus increasing its loading.
  • Page 149 ProSafe VPN Firewall 200 FVX538 Reference Manual – Groups. The rule is applied to a group (see “Managing Groups and Hosts (LAN Groups)” on page 3-6 to assign PCs to a group using the Network Database). • WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address.
  • Page 150: Vpn Firewall Features That Increase Traffic

    ProSafe VPN Firewall 200 FVX538 Reference Manual Blocking Sites If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s filtering feature. By default, this feature is disabled; all requested traffic from any website is allowed.
  • Page 151 ProSafe VPN Firewall 200 FVX538 Reference Manual Port Forwarding The VPN firewall blocks the DoS (Denial of Service) attacks it recognizes (see the Attack Checks screen). A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service is unavailable).
  • Page 152 ProSafe VPN Firewall 200 FVX538 Reference Manual • WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address. – Any. The rule applies to all Internet IP addresses. – Single address. The rule applies to a single Internet IP address. –...
  • Page 153: Using Qos To Shift The Traffic Mix

    ProSafe VPN Firewall 200 FVX538 Reference Manual As such, it would be handled in accordance with the Port Forwarding rules. – Only one PC can use a port triggering application at any time. – After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC.
  • Page 154: Tools For Traffic Management

    “Configuring Date and Time Service” on page 6-21 Changing Passwords and Settings The default password for the VPN firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. You can also configure a separate password for guests.
  • Page 155 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-1 2. In the Enable Local Authentication section of the screen: a. Enable local authentication by selecting the Yes radio box. b. Click Apply to save your settings. 3. In the User Selection section of the screen, select either the Edit Admin Settings or Edit Guest Settings radio box.
  • Page 156: Adding External Users

    ProSafe VPN Firewall 200 FVX538 Reference Manual b. Click Apply to save your settings. Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset. Adding External Users You can add external users for which you then can configure an authentication method (see “Configuring an External Server for Authentication”...
  • Page 157: Configuring An External Server For Authentication

    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b. User Type. Select either Admin or Guest. c. Idle Timeout. This is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
  • Page 158 ProSafe VPN Firewall 200 FVX538 Reference Manual To configure external authentication: 1. Select Users from the main menu and External Authentication from the submenu. The External Users screen will display. 2. Select the External Authentication tab. The External Authentication screen will display. Figure 6-4 3.
  • Page 159 ProSafe VPN Firewall 200 FVX538 Reference Manual • Primary Server NAS Identifier. The identifier for the Network Access Server (NAS) must be present in a RADIUS request. Ensure that NAS identifier is configured identically on both client and server. The VPN firewall is acting as a NAS, allowing network access to external users after verifying their authentication information.
  • Page 160: Enabling Remote Management Access

    ProSafe VPN Firewall 200 FVX538 Reference Manual Enabling Remote Management Access Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall”...
  • Page 161 ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Check Allow Remote Management radio box. 3. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect. a.
  • Page 162: Using An Snmp Manager

    ProSafe VPN Firewall 200 FVX538 Reference Manual Note: To maintain security, the VPN firewall will reject a login that uses http://address rather than the SSL https://address. Note: The first time you remotely connect to the VPN firewall with a browser via SSL, you may get a warning message regarding the SSL certificate.
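Remote management combines two controls: the login must arrive over HTTPS (a plain http:// login is rejected, as the note above says) and the source address must be one of the external addresses you allowed. The Python below is an added example, not code from the manual or firmware, that applies both checks to a login attempt. The allow-list entry forms (single address, "start-end" range, CIDR block), the management port and the sample addresses are constructed assumptions.

```python
"""Remote-management admission check (added example).

admits(source_ip, url) returns (ok, reason) for an administrator login:
the URL must be https:// on the configured port and the source address
must be covered by at least one allow-list entry.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_allow_entry(entry):
    """Return a predicate over ipaddress objects for one allow-list entry."""
    entry = entry.strip()
    if "-" in entry:                                  # "start-end" range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError("range start after end: " + entry)
        return lambda ip: lo <= ip <= hi
    if "/" in entry:                                  # CIDR block
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip in net
    single = ipaddress.ip_address(entry)              # one address
    return lambda ip: ip == single


class RemoteManagement:
    def __init__(self, enabled, allow_entries, https_port=443):
        self.enabled = enabled
        self.port = https_port
        self.tests = [parse_allow_entry(e) for e in allow_entries]

    def admits(self, source_ip, url):
        if not self.enabled:
            return False, "remote management disabled"
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False, "rejected: management requires https://"
        if (parts.port or 443) != self.port:
            return False, f"rejected: management port is {self.port}"
        ip = ipaddress.ip_address(source_ip)
        if not any(test(ip) for test in self.tests):
            return False, f"rejected: {source_ip} not in allow-list"
        return True, "allowed"


def constructed_policy():
    """Constructed: one admin workstation, one small range, one office block, port 8443."""
    return RemoteManagement(True, ["203.0.113.5", "198.51.100.10-198.51.100.20",
                                   "192.0.2.0/24"], https_port=8443)


if __name__ == "__main__":
    rm = constructed_policy()
    for ip, url in [("203.0.113.5", "https://fw.example.net:8443/"),
                    ("203.0.113.5", "http://fw.example.net:8443/"),
                    ("198.51.100.25", "https://fw.example.net:8443/")]:
        print(ip, url, rm.admits(ip, url))
```

Keep the allow-list as narrow as the administrators' real source addresses; an entry that covers the whole Internet turns the management page into an exposed login form.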
  • Page 163 ProSafe VPN Firewall 200 FVX538 Reference Manual To create a new SNMP configuration entry: 1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen will display. Figure 6-6 2. Under Create New SNMP Configuration Entry, enter the IP address of the SNMP manager in the IP Address field and the subnet mask in the Subnet Mask field.
  • Page 164: Managing The Configuration File

    ProSafe VPN Firewall 200 FVX538 Reference Manual When you click on the SNMP System Info link on the SNMP screen, the VPN firewall’s identification information is displayed. This following identification information is available to the SNMP Manager: system contact, system location, and system name. To modify the SNMP identification information: 1.
  • Page 165 ProSafe VPN Firewall 200 FVX538 Reference Manual Backing Up Settings To back up settings: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. Figure 6-8 2.
  • Page 166 ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Locate and select the previously saved backup file (by default, netgear.cfg). 3. When you have located the file, click restore. An Alert screen will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.
  • Page 167: Configuring Date And Time Service

    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall. The software upgrade process might take some time. At the conclusion of the upgrade, your VPN firewall will reboot. Warning: After you have clicked Upload, do not try to go online, turn off the VPN firewall, shut down the computer or do anything else to the VPN firewall until the VPN firewall finishes the upgrade! When the Test light turns off,...
  • Page 168 NTP Server in the Server 1 Name/IP Address field. You can enter the address of a backup NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the default NETGEAR NTP servers.
  • Page 169: Monitoring System Performance

    ProSafe VPN Firewall 200 FVX538 Reference Manual Monitoring System Performance You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the VPN firewall, WAN ports, LAN ports, and VPN tunnels.
  • Page 170 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-10
  • Page 171 ProSafe VPN Firewall 200 FVX538 Reference Manual 2. In the Log Options section, enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages.
  • Page 172: Viewing The Logs

    ProSafe VPN Firewall 200 FVX538 Reference Manual • LOG_NOTICE (Normal but significant conditions) • LOG_INFO (Informational messages) • LOG_DEBUG (Debug level messages) 10. Click Reset to cancel your changes and return to the previous settings or click Apply to save your settings.
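The severity names above are the standard syslog levels, numbered 0 (LOG_EMERG) to 7 (LOG_DEBUG); on the wire each message carries them in the "<PRI>" prefix, where PRI = facility * 8 + severity. The Python below is an added example, not code from the manual or firmware, that decodes that prefix and keeps only messages at or above a chosen level, which is what a syslog collector does with the level you select here. Assumptions: selecting a level forwards that severity and all more urgent ones, the firewall's Log Identifier occupies the hostname position, and the sample lines are constructed.

```python
"""Syslog PRI decoding and severity filtering (added example)."""
import re

SEVERITY = {"LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
            "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
_PRI = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from a syslog line, or None without a valid PRI."""
    m = _PRI.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # facilities run 0..23, severities 0..7
        return None
    return divmod(pri, 8)


def filter_by_level(lines, minimum="LOG_NOTICE"):
    """Keep lines whose severity is numerically <= the chosen level (more urgent)."""
    cutoff = SEVERITY[minimum]
    kept = []
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            continue
        _facility, sev = decoded
        if sev <= cutoff:
            kept.append((SEVERITY_NAME[sev], line))
    return kept


# Constructed sample lines, facility 16 (local0), identifier FVX538-HQ.
SAMPLE = [
    "<130>Jan 10 12:00:01 FVX538-HQ Attack detected: SYN flood from WAN1",
    "<132>Jan 10 12:00:05 FVX538-HQ Login failure for admin from 198.51.100.7",
    "<134>Jan 10 12:00:09 FVX538-HQ Accepted LAN->WAN 192.168.1.10:51022 -> 203.0.113.8:443",
    "<135>Jan 10 12:00:10 FVX538-HQ DHCP lease renewed 192.168.1.23",
]

if __name__ == "__main__":
    for name, line in filter_by_level(SAMPLE, "LOG_NOTICE"):
        print(name, line)
```

Choosing LOG_DEBUG on a busy firewall generates a line per accepted packet; LOG_NOTICE or LOG_WARNING keeps attack and login-failure events while dropping the per-packet noise.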
  • Page 173: Enabling The Traffic Meter

    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-2. Firewall Log Field Descriptions (continued) Field Description Source IP The IP address of the initiating device for this log entry. Source port and The service port number of the initiating device, and whether it originated from the interface LAN, WAN or DMZ.
  • Page 174 ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Enable the traffic meter by clicking the Yes radio button under Do you want to enable Traffic Metering on WAN1? The traffic meter will record the volume of Internet traffic passing through the WAN1. Select from the following options: •...
  • Page 175 ProSafe VPN Firewall 200 FVX538 Reference Manual 4. In the When limit is reached section, make the following choice: • Block All Traffic. All access to and from the Internet will be blocked. Warning: If the Block All Traffic radio button is selected, the WAN port shuts down once its traffic limit is reached •...
  • Page 176: Viewing The Vpn Firewall Configuration And System Status

    ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing the VPN Firewall Configuration and System Status The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display (see Figure 6-13 on page 6-29).
  • Page 177: Monitoring Vpn Firewall Statistics

    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-3. Router Status Fields (continued) Item Description WAN1 Configuration • WAN Mode: Single, Dual, or Rollover. • WAN State: UP or DOWN. • NAT: Enabled or Disabled. • Connection Type: Static IP, DHCP, PPPoE, or PPTP. •...
  • Page 178: Monitoring Wan Ports Status

    ProSafe VPN Firewall 200 FVX538 Reference Manual To set the poll interval: 1. Click the Stop button. 2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds, the maximum is 5 minutes). 3. Click the Set Interval button. Monitoring WAN Ports Status You can monitor the status of both of the WAN connections, the dynamic DNS server connections, and the DHCP server connections.
  • Page 179: Monitoring Attached Devices

    ProSafe VPN Firewall 200 FVX538 Reference Manual Monitoring Attached Devices The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. 2.
  • Page 180: Monitoring Vpn Tunnel Connection Status

    ProSafe VPN Firewall 200 FVX538 Reference Manual The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed. Table 6-4. Known PCs and Devices options Item Description Name The name of the PC or device.
  • Page 181: Viewing The Vpn Logs

    The Active IPsec (SA)s table lists each active connection with the following information: Table 6-5. IPsec Connection Status Fields Item Description Policy Name The name of the VPN policy associated with this SA. Endpoint The IP address on the remote VPN endpoint.
  • Page 182: Viewing The DHCP Log

    Viewing the DHCP Log To display the DHCP log: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen will display. 2. Click the DHCP Log link in the upper right-hand section of the screen. The DHCP Log popup screen will display.
  • Page 183 To view the most recent entries, click Refresh. Table 6-6. Port Triggering Status Data Item Description Rule The name of the rule. LAN IP Address The IP address of the PC currently using this rule. Open Ports The incoming ports associated with this rule.
  • Page 185: Troubleshooting

    Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • “Basic Functions” on this page • “Troubleshooting the Web Configuration Interface” on page 7-3 • “Troubleshooting the ISP Connection” on page 7-4 •...
  • Page 186: Power LED Not On

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 187: Troubleshooting The Web Configuration Interface

    Troubleshooting the Web Configuration Interface If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the VPN firewall as described in the previous section.
  • Page 188: Troubleshooting The ISP Connection

    Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the VPN firewall’s configuration at http://192.168.1.1. 3. Select Monitoring from the main menu and Router Status from the submenu.
  • Page 189: Troubleshooting A TCP/IP Network Using A Ping Utility

    • Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-1 on page 2-3).
  • Page 190: Testing The Path From Your PC To A Remote Device

    3. Click OK. A message similar to the following should display: Pinging <IP address> with 32 bytes of data If the path is working, you will see this message: Reply from <IP address>: bytes=32 time=NN ms TTL=xxx If the path is not working, you will see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems:...
  • Page 191: Restoring The Default Configuration And Password

    – If your ISP assigned a host name to your PC, enter that host name as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-1 on page 2-3).
  • Page 192: Using The Diagnostics Utilities

    Problems with the date and time function can include: • Date and time shown is Thu Jan 01 00:01:52 GMT 1970. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly.
  • Page 193 “Back” on the Windows menu bar to return to the Diagnostics screen. Perform a DNS Lookup: A DNS (Domain Name Server) converts an Internet name such as www.netgear.com to an IP address. If you need the IP address of a Web, FTP, Mail or other server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 195: Default Settings And Technical Specifications

    Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly).
  • Page 196 Table A-1. VPN firewall Default Configuration Settings (continued) Feature / Default Behavior. Management: Time Zone Adjusted for Daylight Saving Time: Disabled; SNMP: Disabled; Remote Management: Disabled. Firewall: Inbound (communications coming in from the Internet): Disabled (except traffic on port 80, the http port); Outbound (communications going out to...
  • Page 197 Table A-2. VPN firewall Technical Specifications (continued) Feature / Specifications. Environmental Specifications: Operating temperature: 0° to 40° C (32° to 104° F); Operating humidity: 90% maximum relative humidity, noncondensing. Electromagnetic Emissions: Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B...
  • Page 199: Network Planning For Dual WAN Ports

    Appendix B Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a VPN firewall that has dual WAN ports. This appendix contains the following sections: • “What You Will Need to Do Before You Begin” on page B-1 •...
  • Page 200 – For rollover mode, protocol binding does not apply. – For load balancing mode, you need to decide which protocols you want to bind to a specific WAN port if you are going to take advantage of this option. –...
  • Page 201: Cabling And Computer Hardware Requirements

    • There are a variety of WAN options you can choose when the factory default settings are not applicable to your installation. These include enabling a WAN port to respond to a ping and setting MTU size, port speed, and upload bandwidth. 4.
  • Page 202: Where Do I Get The Internet Configuration Parameters?

    • Fixed IP Address, which is also known as Static IP Address Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. • Your ISP provides all the information needed to connect to the Internet.
  • Page 203: Overview Of The Planning Process

    Subnet Mask: ______.______.______.______ ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address: ______.______.______.______ Secondary DNS Server IP Address: ______.______.______.______ Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home.
  • Page 204: Virtual Private Networks (VPNs)

    Virtual Private Networks (VPNs) A virtual private network (VPN) tunnel provides a secure communication channel either between two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for the other tunnel end point to establish (or re-establish) the VPN tunnel.
  • Page 205: The Load Balancing Case For Firewalls With Dual WAN Ports

    The Load Balancing Case for Firewalls With Dual WAN Ports Load balancing for the dual WAN port case is similar to the single WAN port case when specifying the IP address. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
  • Page 206: Inbound Traffic To Dual WAN Port Systems

    In the single WAN case, the WAN’s Internet address is either a fixed IP or a fully-qualified domain name if the IP address is dynamic. Figure B-4. Inbound Traffic to Dual WAN Port Systems The IP address range of the VPN firewall’s WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
  • Page 207: Virtual Private Networks (VPNs)

    Inbound Traffic: Dual WAN Ports for Load Balancing In the dual WAN port case for load balancing, the Internet address of each WAN port is either fixed if the IP address is fixed or a fully-qualified domain name if the IP address is dynamic. Note: Load balancing is implemented for outgoing traffic and not for incoming traffic.
  • Page 208 Table B-2. IP Addressing Requirements for VPNs in Dual WAN Port Systems Dual WAN Port Cases Single WAN Port Configuration and WAN IP address (reference case) Rollover Load Balancing VPN Telecommuter Fixed Allowed FQDN required Allowed (client-to-gateway through...
  • Page 209: VPN Road Warrior (Client-to-Gateway)

    Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
  • Page 210 The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified domain name is optional.
  • Page 211 After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder. Figure B-11. The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (such as WAN1 and WAN2) so...
  • Page 212: VPN Gateway-to-Gateway

    The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
  • Page 213 VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
  • Page 214: VPN Telecommuter (Client-to-Gateway Through A NAT Router)

    The purpose of the fully-qualified domain names in this case is to toggle the domain name of the failed-over gateway firewall between the IP addresses of the active WAN port (i.e., WAN_A1 and WAN_A2 in this example) so that the other end of the tunnel has a known gateway IP address to establish or re-establish a VPN tunnel.
  • Page 215 • Dual gateway WAN ports used for load balancing VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance.
  • Page 216 The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
  • Page 217 VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance.
  • Page 219: System Logs And Error Messages

    Appendix C System Logs and Error Messages This appendix uses the following log parameter terms. Table C-1. Log Parameter Terms (Term: Description). [FVX538]: System identifier. [kernel]: Message from the kernel. CODE: Protocol code (e.g., protocol is ICMP, type 8) and CODE=0 means successful reply. DEST: Destination IP Address of the machine to which the packet is destined.
  • Page 220: Reboot

    Table C-4. System Logs: NTP Message Nov 28 12:31:13 [FVX538] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [FVX538] [ntpdate] Requesting time from time-f.netgear.com Nov 28 12:31:14 [FVX538] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec Nov 28 12:31:14 [FVX538] [ntpdate] Synchronized time with time-f.netgear.com...
  • Page 221: Login/Logout

    Table C-4. System Logs: NTP (continued) Explanation Message 1: DNS resolution for the NTP server (time-f.netgear.com). Message 2: Request for NTP update from the time server. Message 3: Adjust time by re-setting the system time. Message 4: Display the date and time before synchronization, that is, when resynchronization started. Message 5: Display the new updated date and time.
  • Page 222: IPSec Restart

    IPSec Restart This logging is always done. Table C-7. System Logs: IPSec Restart Message Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted Explanation Log generated when IPSec is restarted. This entry is logged when IPSec restarts after any change in the configuration is applied.
  • Page 223 Auto Rollover When the WAN mode is configured for Auto Rollover, the primary link is active and the secondary acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up.
  • Page 224 PPP Logs This section describes the WAN PPP connection logs. The PPP type can be configured from the Web management interface. PPPoE Idle-Timeout Logs. Table C-9. System Logs: WAN Status, PPPoE Idle-Timeout Message Nov 29 13:12:46 [FVX538] [pppd] Starting connection Nov 29 13:12:49 [FVX538] [pppd] Remote message: Success Nov 29 13:12:49 [FVX538] [pppd] PAP authentication succeeded Nov 29 13:12:49 [FVX538] [pppd] local IP address 50.0.0.62...
  • Page 225: Web Filtering And Content Filtering Logs

    PPTP Idle-Timeout Logs. Table C-10. System Logs: WAN Status, PPTP Idle-Timeout Message Nov 29 11:19:02 [FVX538] [pppd] Starting connection Nov 29 11:19:05 [FVX538] [pppd] CHAP authentication succeeded Nov 29 11:19:05 [FVX538] [pppd] local IP address 192.168.200.214 Nov 29 11:19:05 [FVX538] [pppd] remote IP address 192.168.200.1 Nov 29 11:19:05 [FVX538] [pppd] primary DNS address 202.153.32.2 Nov 29 11:19:05 [FVX538] [pppd] secondary DNS address 202.153.32.2...
  • Page 226 Table C-12. System Logs: Web Filtering and Content Filtering Message Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80 Explanation • This packet is blocked by keyword blocking •...
  • Page 227: Traffic Metering Logs

    Traffic Metering Logs Table C-13. System Logs: Traffic Metering Message Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._ Explanation The traffic limit for WAN1 that was set as 10Mb has been reached. This stops all incoming and outgoing traffic if so configured in “When Limit is reached”...
  • Page 228: FTP Logging

    Multicast/Broadcast Logs Table C-16. System Logs: Multicast/Broadcast Message Jan 1 07:24:13 [FVX538] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 Explanation • This packet (Broadcast) is destined to the device from the WAN network. •...
  • Page 229 Table C-18. System Logs: Invalid Packets (continued) Message 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][RST_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899 Explanation Invalid RST packet Recommended Action 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw/rules/attackChecks/configure dropInvalid 1 To allow invalid packets and disable logging: fw/rules/attackChecks/configure dropInvalid 0...
  • Page 230 Table C-18. System Logs: Invalid Packets (continued) Explanation Bad Hardware Checksum for ICMP packets Recommended Action 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw/rules/attackChecks/configure dropInvalid 1 To allow invalid packets and disable logging: fw/rules/attackChecks/configure dropInvalid 0...
  • Page 231: Routing Logs

    Table C-18. System Logs: Invalid Packets (continued) Recommended Action 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of the invalid packets: fw/rules/attackChecks/configure dropInvalid 1 To allow invalid packets and disable logging: fw/rules/attackChecks/configure dropInvalid 0 Message 2007 Oct 1 00:44:17 [FVX538] [kernel]...
  • Page 232: LAN To WAN Logs

    LAN to WAN Logs Table C-19. Routing Logs: LAN to WAN Message Nov 29 09:19:43 [FVX538] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from LAN to WAN has been allowed by the firewall. •...
  • Page 233: DMZ To LAN Logs

    DMZ to LAN Logs Table C-23. Routing Logs: DMZ to WAN Message Nov 29 09:44:06 [FVX538] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from DMZ to LAN has been dropped by the firewall. •...
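    The kernel log messages quoted in Tables C-12 through C-23 share one layout: a timestamp, the [FVX538] system identifier, the [kernel] facility, a rule tag such as LAN2WAN[ACCEPT] or [INVALID][RST_PACKET][DROP], and KEY=VALUE packet fields. The parser below is an added example, not NETGEAR code; it reads that layout from a constructed sample built out of the lines quoted on these pages and summarizes which sources had traffic dropped or blocked and how many attack-check ([INVALID]) entries appeared.

```python
"""Parse and summarize FVX538 kernel firewall log lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the individual lines are the ones quoted in Tables
# C-12, C-16, C-18, C-19 and C-23 of the manual.
SAMPLE_LOG = """\
Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Jan 1 07:24:13 [FVX538] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][RST_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Nov 29 09:19:43 [FVX538] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Nov 29 09:44:06 [FVX538] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
"""

# KEY=VALUE packet fields (IN, OUT, SRC, DST, PROTO, SPT, DPT, TYPE, CODE).
_FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
# Everything before " [kernel] ": "<timestamp> [<system identifier>]".
_HEAD_RE = re.compile(r"^(?P<ts>.+?) \[(?P<host>[^\]]+)\]$")


@dataclass
class FwEvent:
    timestamp: str
    host: str
    tag: str             # rule tag, e.g. "LAN2WAN[ACCEPT]"
    verdict: str         # ACCEPT, DROP, BLOCK or INFO
    fields: Dict[str, str]

    @property
    def invalid(self) -> bool:
        """Attack-check entry (the manual ties these to dropInvalid 1)."""
        return "[INVALID]" in self.tag


def verdict_of(tag: str) -> str:
    """Map the bracketed rule tag to a coarse verdict."""
    if "[DROP]" in tag:
        return "DROP"
    if "[ACCEPT]" in tag:
        return "ACCEPT"
    if "BLOCKED" in tag:          # e.g. [KEYWORD_BLOCKED] content filtering
        return "BLOCK"
    return "INFO"                 # e.g. MCAST-BCAST, which carries no verdict


def parse_line(line: str) -> Optional[FwEvent]:
    """Return an FwEvent for a kernel firewall line, None for anything else."""
    head, sep, rest = line.rstrip().partition(" [kernel] ")
    if not sep:
        return None               # pppd, ntpdate, wand etc. are not packet logs
    m = _HEAD_RE.match(head)
    if not m:
        return None
    first = _FIELD_RE.search(rest)
    # The tag is whatever precedes the first KEY=VALUE field; it may itself
    # contain brackets and spaces, as in "[URL]==>[ www.redhat.com/ ]".
    tag = (rest[: first.start()] if first else rest).strip()
    fields = dict(_FIELD_RE.findall(rest))
    return FwEvent(m["ts"], m["host"], tag, verdict_of(tag), fields)


def parse_log(text: str) -> List[FwEvent]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(events: List[FwEvent]) -> dict:
    """Counts per verdict, denied traffic per source, and attack-check hits."""
    by_verdict = Counter(ev.verdict for ev in events)
    denied_src = Counter(ev.fields.get("SRC", "?")
                         for ev in events if ev.verdict in ("DROP", "BLOCK"))
    return {
        "by_verdict": dict(by_verdict),
        "denied_src": dict(denied_src),
        "invalid_count": sum(1 for ev in events if ev.invalid),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        f = ev.fields
        print(f"{ev.timestamp:20} {ev.verdict:6} {ev.tag:45} "
              f"{f.get('SRC')} -> {f.get('DST')} {f.get('PROTO')}")
    print(summarize(evs))
```

Lines from other facilities (pppd, ntpdate, wand) are skipped rather than mis-parsed, so the summary only counts packet-level decisions.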
  • Page 235: Two Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. As part of the new maintenance firmware release, NETGEAR has...
  • Page 236: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented two Two-Factor Authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
  • Page 237 The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works. 1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know) and then presses “continue”...
  • Page 238 Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it has expired, the user must go through the request process again to generate a new OTP.
  • Page 239: Appendix E Related Documents

    Appendix E Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document / Link: TCP/IP Networking Basics: http://documentation.netgear.com/reference/enu/tcpip/index.htm; Wireless Networking Basics: http://documentation.netgear.com/reference/enu/wireless/index.htm; Preparing Your Network: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...
  • Page 241: Index

    Index Numerics VPN Policy 5-19 Auto Detect 3322.org 2-14 Auto Uplink Auto-Rollover configuration of access definition of remote management 6-14 Dual WAN ports restoring WAN interface 2-10 Add DMZ WAN Outbound Services screen 4-12 use with DDNS 2-14 Add LAN DMZ Outbound Service screen 4-14 Using WAN port Add LAN WAN Inbound Service...
  • Page 242 Cat5 cable DDNS about 2-14 certificate configuration of 2-14 generate new CSR 5-22 links to 2-15 Certificate Authority. See CA. providers of 2-14 Certificate Revocation List. See CRL. services, examples 2-15 Certificate Signing Request, see CSR DDNS providers links to 2-15...
  • Page 243 firewall security 3-12 Load Balancing, configuration of 2-11 DMZ Port Dynamic DNS increasing traffic configuration of 2-14 DMZ port Dynamic DNS Configuration screen 2-14 setting up 3-12 Dynamic DNS. See DDNS DMZ Setup screen 3-12 DynDNS.org 2-14...
  • Page 244 connecting to the Internet 2-1, B-3 features 1-1, 1-2, 1-4 3-16 front panel rear panel IKE Policies technical specifications management of 5-16 viewing activity 6-34 IKE Policies screen 5-27 Firewall Log IKE Policy Field Description 6-26 about...
  • Page 245 DHCP address pool 4-11 how to assign LAN WAN Outbound Rule multi home LAN example of 4-19 reserved LAN WAN Outbound Rules router default about 4-10 IP Subnet Mask LAN WAN Rule router default example of 4-16 IP/MAC Binding screen...
  • Page 246 testing Client 5-41 monitoring devices 6-33 one-time passcode. See OTP. by DHCP Client Requests 3-6, 6-33 Oray.net 2-14 by Scanning the Network 3-6, 6-33 D-1, D-2 MTU Size 2-17 Outbound Rules Multi Home LAN IPs default definition about 3-10...
  • Page 247 port numbers 4-24 rack mounting hardware Port Speed 2-17 RADIUS description 6-11 Port Triggering WiKID 6-11 about 4-37 adding a rule 4-38 RADIUS Server increasing traffic about 5-30 modifying a rule 4-39 configuring 5-30 rules of use 4-37...
  • Page 248 router administration Services screen 4-25 tips on 4-40 Session Initiation Protocol. See SIP. router broadcast Session Limit screen 4-22 RIP, use with 3-17 Setting Up One-to-One NAT Mapping Router Status example of 4-16 Router Status screen 6-30 Settings Backup &...
  • Page 249 stealth mode 4-21, 6-5 two-factor authentication WiKID 6-11 SYN flood 4-21, 6-5 Two-Factor Authentication. See WiKID. SysLog Server IP Address 6-25 TZO.com 2-14 System log messages UDP flood 4-21 special rule TCP flood special rule Use Default Address TCP/IP...
  • Page 250 VPN Policy WAN1 ISP Settings Auto 5-18 manual setup Auto generated 5-16 WAN1 ISP Settings screen Manual 5-18 WAN1 Protocol Bindings 2-11 VPN Tunnel addresses WAN1 Protocol Bindings screen 2-12 Dual WAN Port systems WAN2 ISP VPN Tunnel Connection settings...
