In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe VPN Firewall 200 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been notified that...
Open SSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
Contents
ProSafe VPN Firewall 200 FVX538 Reference Manual
About This Manual
  Conventions, Formats and Scope
  How to Print This Manual
  Revision History
Chapter 1 Introduction
  Key Features
  Dual WAN Ports for Increased Reliability or Outbound Load Balancing
  A Powerful, True Firewall with Content Filtering
  Security Features
  Autosensing Ethernet Connections with Auto Uplink
...
  Setting Up Load Balancing
  Configuring Dynamic DNS (Optional)
  Configuring the Advanced WAN Options (Optional)
  Additional WAN Related Configuration
Chapter 3 LAN Configuration
  Choosing the VPN Firewall DHCP Options
  Configuring the LAN Setup Options
  Managing Groups and Hosts (LAN Groups)
  Creating the Network Database
...
  Creating Gateway to Gateway VPN Tunnels with the Wizard
  Creating a Client to Gateway VPN Tunnel
  Testing the Connections and Viewing Status Information
  NETGEAR VPN Client Status and Log Information
  VPN Firewall VPN Connection Status and Logs
  Managing VPN Policies
  Configuring IKE Policies
...
  Configuring Keepalives and Dead Peer Detection
  Configuring Keepalives
  Configuring Dead Peer Detection
  Configuring NetBIOS Bridging with VPN
Chapter 6 VPN Firewall and Network Management
  Performance Management
  Bandwidth Capacity
  VPN Firewall Features That Reduce Traffic
  VPN Firewall Features That Increase Traffic
  Using QoS to Shift the Traffic Mix
...
  Power LED Not On
  LEDs Never Turn Off
  LAN or Internet Port LEDs Not On
  Troubleshooting the Web Configuration Interface
  Troubleshooting the ISP Connection
  Troubleshooting a TCP/IP Network Using a Ping Utility
  Testing the LAN Path to Your VPN Firewall
  Testing the Path from Your PC to a Remote Device
  Restoring the Default Configuration and Password
...
Appendix D Two Factor Authentication
  Why do I need Two-Factor Authentication?
  What are the benefits of Two-Factor Authentication?
  What is Two-Factor Authentication
  NETGEAR Two-Factor Authentication Solutions
Appendix E Related Documents
Index
About This Manual
The NETGEAR® ProSafe™ VPN Firewall 200 manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills.
Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs.
NETGEAR website in Appendix E, “Related Documents.”
Note: Product updates are available on the NETGEAR, Inc. website at http://kb.netgear.com/app/home.
How to Print This Manual
To print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files.
202-10062-09 Mar. 09 Adds these corrections and topics for the March 2009 firmware maintenance release:
• WIKID 2 factor authentication
• SIP ALG support
• DHCP Relay support
• Update VPN configuration procedure topics
•...
202-10062-10 January 2010 (continued)
• Updated the LAN Multi-homing screen (Figure 3-4) and revised “Configuring Multi Home LAN IP Addresses” section for more clarity.
• Revised the “Configuring and Enabling the DMZ Port”...
• Support for up to 400 internal LAN users (and 50K connections).
• Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L)
• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.
• One console port for local management.
• SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100).
• Easy, web-based setup for installation and management.
• Advanced SPI Firewall and Multi-NAT support.
• Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the VPN firewall to e-mail the log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.
ISP account.
• VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
ProSafe VPN Client Software – five user licenses.
• Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the VPN firewall for repair.
VPN Firewall Front and Rear Panels
The FVX538 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
Figure 1-1
Table 1-1 describes each item on the front panel and its operation.
Table 1-1.
Table 1-1. Object Descriptions (continued)
Object | LED | Activity | Description
WAN Ports and LEDs | Active | On (Green) | The WAN port has a valid Internet connection.
WAN Ports and LEDs | Active | On (Amber) | The Internet connection is down or not being used because the port is available for failover in case the...
The rear panel of the FVX538 contains the On/Off switch and AC power connection.
Figure 1-2
Viewed from left to right, the rear panel contains the following elements:
1. AC power in
2. On/Off switch
Rack Mounting Hardware
The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in...
The VPN Firewall’s IP Address, Login Name, and Password
Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information:
• IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN
•...
Qualified Web Browsers
To configure the FVX538, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher, with JavaScript, cookies, and SSL enabled.
FVX538 ProSafe VPN Firewall 200 for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.
2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your VPN firewall.
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on page 2-14.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed.
To automatically configure the WAN ports and connect to the Internet:
1. Select the primary menu option Network Configuration and the submenu option WAN Settings. The WAN1 ISP Settings screen will display.
Figure 2-1
2.
When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1.
Note: When you click Auto Detect while the WAN port already has a connection, you might lose the connection because the VPN firewall will enter its detection mode.
4. Set up the traffic meter for WAN 1 ISP if desired. See “Enabling the Traffic Meter” on page 6-
Note: At this point of the configuration process, you are now connected to the Internet through WAN port 1.
2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected.
5. Click Apply to save the settings or click Reset to discard any changes and revert to the previous settings.
6. Click Test to try and connect to the NETGEAR website. If you connect successfully and your settings work, then you may click Logout or go on and configure additional settings.
The VPN firewall supports the following modes:
• Auto-Rollover Mode. In this mode, the selected WAN interface is made primary and the other is the rollover link. As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic.
Setting Up Auto-Rollover Mode
If you want to use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured. Then you select the WAN port that will act as the primary link for this mode and configure the WAN Failure Detection Method to support Auto-Rollover.
5. Enter a Test Period in seconds. A DNS query is sent periodically, once every test period. The default test period is 30 seconds.
Figure 2-3
6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number of queries have failed to elicit a reply.
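How the Test Period and Maximum Failover settings trade detection delay against false rollovers can be checked with a small model. This Python code is an added example, not from the manual or from NETGEAR; it assumes that a reply resets the failure count and that queries are sent at multiples of the test period, and the Maximum Failover value of 4 and both outage scenarios are constructed.

```python
"""Added example: model of the auto-rollover failure detection settings.

Assumptions (not stated in the manual): a reply resets the failure count,
and DNS queries are sent at t = test_period, 2 * test_period, ...
"""
from typing import Dict, List, Optional, Tuple

Outage = Tuple[int, int]  # [start, end) in seconds; queries in this window get no reply


def probe_fails(t: int, outages: List[Outage]) -> bool:
    """A DNS query sent at time t gets no reply if t falls inside an outage."""
    return any(start <= t < end for start, end in outages)


def rollover_time(outages: List[Outage], test_period: int = 30,
                  max_failover: int = 4, horizon: int = 3600) -> Optional[int]:
    """Return the time (s) at which the primary WAN is declared down, or None.

    test_period defaults to the 30 seconds given in the manual; the
    max_failover default of 4 is a constructed value for this example.
    """
    failures = 0
    for t in range(test_period, horizon + 1, test_period):
        if probe_fails(t, outages):
            failures += 1
            if failures >= max_failover:
                return t
        else:
            failures = 0  # assumption: any reply clears the count
    return None


# Constructed scenarios: a 60-second blip and an outage that never recovers.
OUTAGE_START = 100
BLIP: List[Outage] = [(OUTAGE_START, 160)]
HARD_OUTAGE: List[Outage] = [(OUTAGE_START, 3600)]


def compare(settings: List[Tuple[int, int]]) -> List[Dict[str, object]]:
    """For each (test_period, max_failover) pair, report whether the blip
    causes a rollover and how long a real outage takes to detect."""
    rows = []
    for period, max_fail in settings:
        blip = rollover_time(BLIP, period, max_fail)
        hard = rollover_time(HARD_OUTAGE, period, max_fail)
        rows.append({
            "test_period": period,
            "max_failover": max_fail,
            "rollover_on_blip": blip is not None,
            "outage_detect_delay_s": None if hard is None else hard - OUTAGE_START,
        })
    return rows


if __name__ == "__main__":
    for row in compare([(30, 4), (30, 2), (10, 3)]):
        print(row)
```

Aggressive settings shorten the time traffic is sent into a dead link, but they also roll over on short interruptions, which matters for VPN tunnels bound to the primary WAN address.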
FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port.
Note: NETGEAR recommends that all specific traffic (for example, HTTP) be configured for the WAN2 port. The only way to make certain traffic goes out one port and all other traffic goes out the other port is to use WAN2 for specified traffic.
3. Enter the following data in the Add Protocol Binding section:
a. Service – From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules”...
Figure 2-5
3. Modify the parameters for the protocol binding service you selected.
4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table.
5. Click Reset to return to the previously configured settings.
Configuring Dynamic DNS (Optional)
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org.
Figure 2-6
2. Click the tab of the Dynamic DNS Service you want to enable. Each DNS service provider requires registration and you then configure its parameters on the corresponding screen.
3. Access the website of one of the DDNS service providers and set up an account. A link to each DDNS provider is to the right of the tabs.
d. If your dynamic DNS provider allows the use of wild cards in resolving your URL, you may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as...
If you want the ability to manage the VPN firewall remotely, enable remote management at this time (see “Enabling Remote Management Access” on page 6-14). If you enable remote management, NETGEAR strongly recommends that you change your password (see “Changing Passwords and Settings” on page 6-8).
•...
Chapter 3 LAN Configuration
This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200 FVX538, including the following sections:
• “Choosing the VPN Firewall DHCP Options” on this page
• “Managing Groups and Hosts (LAN Groups)” on page 3-6
•...
The VPN firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP address from the range that you have defined.
• Subnet mask.
• Gateway IP address (the VPN firewall’s LAN IP address).
•...
Note: If you enable the DNS Relay feature, you will not use the VPN firewall as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
Note: If you change the LAN IP address of the VPN firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your browser to reconnect to the Web Configuration Manager.
• WINS Server. (Optional) Specifies the IP address of a local Windows NetBIOS Server if one is present in your network.
• Lease Time. This specifies the duration for which IP addresses will be leased to clients.
If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information.
Managing Groups and Hosts (LAN Groups)
The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this VPN firewall.
– If necessary, you can also create firewall rules to apply to a single PC (see “Configuring Source MAC Filtering” on page 4-33). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address.
•...
• MAC Address. The MAC address of the computer’s network interface.
• Group. Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). Change the group assignment by selecting the Edit link in the Action column.
Changing Group Names in the LAN Groups Database
By default, the LAN Groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as Engineering or Marketing.
To edit the names of any of the eight available groups:
1.
To reserve an IP address, manually enter the device on the LAN Groups screen, specifying Reserved (DHCP Client), as described in “Adding Devices to the Network Database” on page 3-
Note: The reserved address will not be assigned until the next time the PC contacts the VPN firewall's DHCP server.
• IP Address. The IP address alias added to the LAN port of the VPN firewall. This is the gateway for computers that need to access the Internet.
• Subnet Mask. IPv4 Subnet Mask.
•...
Note: A separate firewall security profile is provided for the DMZ port that is hardware independent of the standard firewall security used for the LAN.
The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see “VPN Firewall Front and Rear Panels”...
If desired, select Enable DHCP Server, which will provide TCP/IP configuration for all computers connected to the VPN firewall’s DMZ network. If another device on your DMZ network will be the DHCP server, or if you will manually configure all devices, leave the Disable DHCP Server radio box selected, which is the default setting.
• port. Specifies the port number that the LDAP server is using. Leave this field blank for the default port.
4. In the Advanced Settings section, select Enable DNS Proxy if you want to enable the DNS proxy, which is the default setting.
2. Click Add. The Add Static Route screen will display.
Figure 3-7
3. Enter a route name for this static route in the Route Name field (for identification and management).
4. Select Active to make this route effective.
5.
Static Route Example
For example, you may require a static route if:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN firewall on your home network for connecting to the company where you are employed.
2. Click the RIP Configuration link to the right of the Routing tab. The RIP Configuration screen will display.
Figure 3-8
3. From the RIP Direction pull-down menu, select the direction in which the VPN firewall will send and receive RIP packets.
• RIP-2. This includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the modes in which packets are sent are different.
–...
Chapter 4 Firewall Protection and Content Filtering
This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 FVX538 to protect your network. This chapter includes the following sections:
• “About Firewall Protection and Content Filtering”...
intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
Using Rules to Block or Allow Specific Kinds of Traffic
This section includes the following topics:
•...
Services-Based Rules
The rules to block traffic are based on the traffic’s category of service.
• Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it.
•...
Table 4-2. Outbound Rules (continued)
Item | Description
Select Schedule | Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule. • This pull-down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block”...
Table 4-2. Outbound Rules (continued)
Item | Description
Bandwidth Profile | Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing/incoming traffic, thus preventing the LAN users from consuming all the bandwidth of our internet link.
Table 4-3. Inbound Rules
Item | Description
Services | Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services”...
Table 4-3. Inbound Rules (continued)
Item | Description
This determines whether packets covered by this rule are logged. Select the desired action:
• Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
Figure 4-1
For LAN WAN rules, DMZ WAN rules, and LAN DMZ rules, for any traffic attempting to pass through the VPN firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services rules tables, beginning at the top and proceeding to the bottom.
2. Click one of the following table buttons:
• enable. Enables the rule or rules. The “!” status icon changes from a grey circle to a green circle, indicating that the rule is or rules are enabled. (By default, when a rule is added to the table, it is automatically enabled.)
•...
3. Click Apply.
LAN WAN Outbound Services Rules
You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Outbound Services table.
LAN WAN Inbound Services Rules
This Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed.
Configuring DMZ WAN Rules
The firewall rules for traffic between the DMZ and the WAN/Internet are configured on the DMZ WAN Rules screen. The Default Outbound Policy is to allow all traffic from and to the Internet to pass through.
Figure 4-6
4. Configure the parameters based on the descriptions in Table 4-2 on page 4-3.
5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled.
The procedure to add a new DMZ WAN inbound service policy is similar to the procedure described above with the exception that you click Add under the Inbound Services table, you configure the parameters based on the descriptions in...
2. Select the LAN DMZ Rules tab. The LAN DMZ Rules screen will display.
Figure 4-7
3. Click Add under the Outbound Services Table. The Add LAN DMZ Outbound Service screen will display.
Figure 4-8
4.
The procedure to add a new LAN DMZ inbound service policy is similar to the procedure described above with the exception that you click Add under the Inbound Services table, you configure the parameters based on the descriptions in Table 4-3 on page 4-6, and the policy is added to the Inbound Services table.
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule.
Figure 4-10
In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
Figure 4-11
The following addressing scheme is used in this example:
• VPN firewall FVX538
  – WAN1 primary public IP address: 10.1.0.1
  – WAN1 additional public IP address: 10.1.0.5
  – LAN IP address 192.168.1.1
•...
1. Create an inbound rule that allows all protocols.
2. Place the rule below all other inbound rules.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
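The top-to-bottom rule evaluation described earlier and the advice to place an allow-all rule below all other inbound rules can both be checked offline against a copy of the rule table. The Python audit below is an added example, not code from the manual or from NETGEAR; it assumes first-match evaluation and a default inbound action of BLOCK, and the Rule fields, rule names, port numbers and addresses are constructed for illustration.

```python
"""Added example: audit an ordered inbound rule table (constructed data).

Assumptions: the first matching rule decides, and unmatched inbound
traffic is blocked. Field names and sample rules are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

ALL_PORTS = (1, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "ALLOW" or "BLOCK"
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    src: str                 # WAN-side source addresses in CIDR form

    def matches(self, proto: str, port: int, src_ip: str) -> bool:
        return (self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1]
                and ip_address(src_ip) in ip_network(self.src))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1]
                and ip_network(other.src).subnet_of(ip_network(self.src)))

    @property
    def is_allow_all(self) -> bool:
        """The exposed-host pattern: allow every protocol, port and source."""
        return (self.action == "ALLOW" and self.proto == "any"
                and self.ports == ALL_PORTS
                and ip_network(self.src).prefixlen == 0)


def decide(rules: List[Rule], proto: str, port: int, src_ip: str,
           default: str = "BLOCK") -> str:
    """Walk the table from the top; the first matching rule wins."""
    for rule in rules:
        if rule.matches(proto, port, src_ip):
            return rule.action
    return default


def audit(rules: List[Rule]) -> Dict[str, list]:
    """Report rules that can never fire and allow-all rules out of place."""
    findings: Dict[str, list] = {"shadowed": [], "allow_all": [],
                                 "allow_all_not_last": []}
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                findings["shadowed"].append((rule.name, earlier.name))
                break
        if rule.is_allow_all:
            findings["allow_all"].append(rule.name)
            if i != len(rules) - 1:
                findings["allow_all_not_last"].append(rule.name)
    return findings


# Constructed rules: a videoconference rule limited to a branch-office range
# (documentation addresses), an exposed-host rule, and a block rule.
VIDEOCONF = Rule("videoconf-branch", "ALLOW", "udp", (7648, 7648), "203.0.113.0/28")
EXPOSED = Rule("exposed-host", "ALLOW", "any", ALL_PORTS, "0.0.0.0/0")
BLOCK_TELNET = Rule("block-telnet", "BLOCK", "tcp", (23, 23), "0.0.0.0/0")

SAMPLE = [VIDEOCONF, EXPOSED, BLOCK_TELNET]      # allow-all placed too high
REORDERED = [VIDEOCONF, BLOCK_TELNET, EXPOSED]   # allow-all below all others

if __name__ == "__main__":
    for label, table in (("sample", SAMPLE), ("reordered", REORDERED)):
        print(label, decide(table, "tcp", 23, "198.51.100.7"), audit(table))
```

In the sample table the block rule is shadowed and never fires; once the allow-all rule is moved to the bottom, the block rule takes effect, but the audit still reports the allow-all rule so that the exposed host stays visible in reviews.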
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites.
LAN WAN Outbound Rule: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
Attack Checks
The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN and WAN networks.
To enable the appropriate attack checks for your environment:
1.
– Enable Stealth Mode. In stealth mode, the VPN firewall will not respond to port scans from the WAN or Internet, which makes it less susceptible to discovery and attacks.
– Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system.
Setting Session Limits
Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the VPN firewall. This feature is enabled on the Session Limit screen and shown below in Figure 4-15.
Note: Some protocols (such as FTP or RSTP) create two sessions per connection, which should be considered when configuring Session Limiting.
The Total Number of Packets Dropped due to Session Limit field shows the total number of packets dropped when the session limit is reached.
Creating Services, QoS Profiles, and Bandwidth Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
•...
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups.
Modifying a Service
To edit the parameters of a service:
1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display.
Figure 4-18
2.
A ToS priority for traffic passing through the VPN firewall is one of the following:
• Normal-Service. No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
•...
Figure 4-19
2. Click Add to add a new bandwidth profile. The Add New Bandwidth Profile screen displays.
Figure 4-20
3. Enter the following information:
a. Enter a Profile Name. This name will become available in the firewall rules definition menus.
c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed:
• Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth in Kbps.
• Enter the Inbound Minimum Bandwidth and Inbound Maximum Bandwidth in Kbps.
VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
Several types of blocking are available:
• Web Components blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Some of these components can be used by malicious Websites to infect computers that access them.
Keyword application examples:
• If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX.
• If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
2. Check the Yes radio button to enable content filtering.
3. Click Apply to activate the screen controls.
4. Check the radio boxes of any web components you wish to block.
5. Check the radio buttons of the groups to which you wish to apply keyword blocking. Click Enable to activate keyword blocking (or disable to deactivate keyword blocking).
Figure 4-23
2. Check the Yes radio box in the MAC Filtering Enable section.
3. Select the action to be taken on outbound traffic from the listed MAC addresses:
• Block this list and permit all other MAC addresses.
•...
Configuring IP/MAC Address Binding
IP/MAC binding allows you to bind an IP address to a MAC address and the other way around. Some devices are configured with static addresses. To prevent users from changing their static IP addresses, IP/MAC binding must be enabled on the VPN firewall.
Page 98
Figure 4-24 3. Select the Yes radio box and click Apply. Make sure that you have enabled the e-mailing of logs (see “Activating Notification of Events and Alerts” on page 6-23). 4. Add an IP/MAC Bind rule by entering: a.
To edit an IP/MAC Bind rule, click Edit adjacent to the entry. The following fields of an existing IP/MAC Bind rule can be modified: • MAC Address. Specify the MAC Address for this rule. •...
Page 100
Note these restrictions with port triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC.
Page 101
6. In the Incoming (Response) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 7. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1.
E-Mail Notifications of Event Logs and Alerts The firewall logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For example, your VPN firewall will log security-related events such as: accepted and dropped packets on different segments of your LAN;...
Chapter 5 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • “Considerations for Dual WAN Port Systems” on this page •...
Page 104
The diagrams and table below show how the WAN mode selection relates to VPN configuration.
[Figure: WAN Auto-Rollover: FQDN Required for VPN (firewall with WAN 1 and WAN 2 ports and rollover control)]
Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: •...
Page 106
Figure 5-4 2. Select Gateway as your connection type. 3. Create a Connection Name. Enter a descriptive name for the connection. This name is used to help you manage the VPN settings; it is not supplied to the remote VPN endpoint. 4.
Page 107
6. Enter the Remote and Local WAN IP Addresses or Internet Names of the gateways which will connect. • Both the remote WAN address and your local WAN address are required. Tip: To ensure tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive.
9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured. To display the status of your VPN connections, select VPN from the main menu and Connection Status from the submenu.
Page 109
Follow these steps to configure a VPN client tunnel: • Configure the client policies on the gateway. • Configure the VPN client to connect to the gateway. Use the VPN Wizard to Configure the Gateway for a Client Tunnel 1.
Page 110
5-16.) Figure 5-9 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the VPN firewall. Virtual Private Networking...
Page 111
Follow these steps to configure your VPN client. 1. Right-click on the VPN client icon in your Windows toolbar, choose Security Policy Editor, and verify that the Options > Secure > Specified Connections selection is enabled. Figure 5-10 2.
Page 112
Fill in the other options according to the instructions below. • Under Connection Security, verify that the Secure radio button is selected. • From the ID Type pull-down menu, choose IP Subnet. • Enter the LAN IP Subnet Address and Subnet Mask of the VPN firewall LAN;...
5. In the upper left of the window, click the disk icon to save the policy. Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
Page 115
Connections\gw1”. Figure 5-15 The VPN client icon in the system tray should state On: 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer.
• Right-click the VPN Client icon in the system tray and select Connection Monitor. Figure 5-17 The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2. System Tray Icon Status The client policy is deactivated.
Page 117
You can set a Poll Interval (in seconds) to check the connection status of all active IKE policies to obtain the latest VPN tunnel activity. The Active IPSec SA(s) table also lists current data for each active IPsec SA (security association): •...
Managing VPN Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN policy and an IKE policy are established and populated in both policy tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN policy and IKE policy.
Page 119
The IKE Policies Screen When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the List of IKE Policies table on the IKE Policies screen and is given the same name as the new VPN connection name.
To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix E, “Related Documents” for a link to the NETGEAR website. Configuring VPN Policies You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. Only one client policy may be configured at a time (noted by an “*” next to the policy name). The List of VPN Policies contains the following fields: •...
Page 122
A self-signed certificate will trigger a warning from most browsers as it provides no protection against identity theft of the server. The VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior to deploying the VPN firewall in your network.
• CA certificate. Each CA issues its own CA identity certificate in order to validate communication with the CA and to verify the validity of certificates signed by the CA. • Self certificate. The certificate issued to you by a CA identifying your device. Viewing and Loading CA Certificates The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data:...
Viewing Active Self Certificates The Active Self Certificates table on the Certificates screen shows the certificates issued to you by a CA and available for use. Figure 5-22 For each self certificate, the following data is listed: •...
Page 125
To generate a new Certificate Signing Request (CSR) file: 1. Locate the Generate Self Certificate Request section of the Certificates screen. Figure 5-23 2. Configure the following fields: • Name – Enter a descriptive name that will identify this certificate. •...
Page 126
• Domain Name – If you have an Internet domain name, you can enter it here. Otherwise, you should leave this field blank. • E-mail Address – Enter the e-mail address of a technical contact in your organization. 4.
7. Submit your certificate request to a CA: a. Connect to the website of the CA. b. Start the Self Certificate request procedure. c. When prompted for the requested data, copy the data from your saved text file (including “----BEGIN CERTIFICATE REQUEST---”...
The CRL table lists your active CAs and their critical release dates: • CA Identify – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. •...
Configuring XAUTH for VPN Clients Once XAUTH has been enabled, you must establish user accounts on the local database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: If you are modifying an existing IKE policy to add XAUTH and the IKE policy is in use by a VPN policy, the VPN policy must be disabled before you can modify the IKE policy.
Page 130
Figure 5-28 3. In the Extended Authentication section of the Add IKE Policy (or Edit IKE Policy) screen, select the Authentication Type from the pull-down menu which will be used to verify user account information.
– User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration” on page 5-29). – RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server.
2. Enter a User Name. This is the unique ID of a user which will be added to the User Name database. 3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4.
Page 133
2. Select the RADIUS Client tab. The RADIUS Client screen will display. Figure 5-30 3. Enable the primary RADIUS server by checking the Yes radio box. 4. Enter the primary RADIUS Server IP address. 5.
– LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Mode Config Operation After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask and name server addresses.
IP address from the configured IP address pool and activates a temporary IPsec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the Add Mode Config Record screen that is shown in Figure 5-32 on page 5-34).
Page 136
2. Click Add. The Add Mode Config Record screen will display. Figure 5-32 3. Enter a descriptive Record Name such as “Sales”. 4. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
Page 137
9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES 10.
Page 138
2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. Figure 5-34 3. In the Mode Config Record section, enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu.
Page 139
4. In the General section: • Enter a descriptive name in the Policy Name field such as “SalesPerson”. This name will be used as part of the remote identifier in the VPN client configuration. •...
12. Click Apply. The new policy will appear in the List of IKE Policies table. Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1.
Page 141
d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu. e. From the ID Type pull-down menu, select Domain name and enter the FQDN of the VPN firewall;...
Page 142
e. Select your Internet Interface adapter from the Name pull-down menu. 3. On the left side of the menu, select Security Policy. Enter the following information: a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
Page 143
5. Click on Key Exchange (Phase 2) on the left side of the menu and select Proposal 1. Figure 5-38 Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).
Configuring Keepalives and Dead Peer Detection In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require your VPN tunnel to remain connected, you can use the Keepalive and Dead Peer Detection features to prevent the tunnel from dropping and to force a reconnection if the tunnel drops for any reason.
5. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests. 6. Enter the Detection Period to set the time between ICMP ping requests. The default is 10 seconds.
6. In Reconnect after failure count, set the number of DPD failures allowed before tearing down the connection. The default is 3 failures. When the VPN firewall senses an IKE connection failure, it deletes the IPSec and IKE Security Association and forces a reestablishment of the connection.
Chapter 6 VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • “Performance Management” on this page • “Configuring Users, Administrative Settings, and Remote Management” on page 6-8 •...
Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall. But there is no backup in case one of the WAN ports fails. In such an event and with one exception, the traffic that would have been sent on the failed WAN port gets diverted to the WAN port that is still working, thus increasing its loading.
Page 149
– Groups. The rule is applied to a group (see “Managing Groups and Hosts (LAN Groups)” on page 3-6 to assign PCs to a group using Network Database). • WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address.
Blocking Sites If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s filtering feature. By default, this feature is disabled; all requested traffic from any website is allowed.
Page 151
Port Forwarding The VPN firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service is unavailable).
Page 152
• WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address. – Any. The rule applies to all Internet IP addresses. – Single address. The rule applies to a single Internet IP address. –...
As such, it would be handled in accordance with the Port Forwarding rules. – Only one PC can use a port triggering application at any time. – After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC.
“Configuring Date and Time Service” on page 6-21 Changing Passwords and Settings The default password for the VPN firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. You can also configure a separate password for guests.
Page 155
Figure 6-1 2. In the Enable Local Authentication section of the screen: a. Enable local authentication by selecting the Yes radio box. b. Click Apply to save your settings. 3. In the User Selection section of the screen, select either the Edit Admin Settings or Edit Guest Settings radio box.
b. Click Apply to save your settings. Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset. Adding External Users You can add external users for which you then can configure an authentication method (see “Configuring an External Server for Authentication”...
3. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b. User Type. Select either Admin or Guest. c. Idle Timeout. This is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
Page 158
To configure external authentication: 1. Select Users from the main menu and External Authentication from the submenu. The External Users screen will display. 2. Select the External Authentication tab. The External Authentication screen will display. Figure 6-4 3.
Page 159
• Primary Server NAS Identifier. The identifier for the Network Access Server (NAS) must be present in a RADIUS request. Ensure that the NAS identifier is configured identically on both client and server. The VPN firewall is acting as a NAS, allowing network access to external users after verifying their authentication information.
Enabling Remote Management Access Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall”...
Page 161
2. Check the Allow Remote Management radio box. 3. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect. a.
Note: To maintain security, the VPN firewall will reject a login that uses http://address rather than the SSL https://address. Note: The first time you remotely connect to the VPN firewall with a browser via SSL, you may get a warning message regarding the SSL certificate.
Page 163
To create a new SNMP configuration entry: 1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen will display. Figure 6-6 2. Under Create New SNMP Configuration Entry, enter the IP address of the SNMP manager in the IP Address field and the subnet mask in the Subnet Mask field.
When you click on the SNMP System Info link on the SNMP screen, the VPN firewall’s identification information is displayed. The following identification information is available to the SNMP Manager: system contact, system location, and system name. To modify the SNMP identification information: 1.
Page 165
Backing Up Settings To back up settings: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. Figure 6-8 2.
Page 166
2. Locate and select the previously saved backup file (by default, netgear.cfg). 3. When you have located the file, click restore. An Alert screen will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.
6. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall. The software upgrade process might take some time. At the conclusion of the upgrade, your VPN firewall will reboot. Warning: After you have clicked Upload, do not try to go online, turn off the VPN firewall, shut down the computer or do anything else to the VPN firewall until the VPN firewall finishes the upgrade! When the Test light turns off,...
Page 168
NTP Server in the Server 1 Name/IP Address field. You can enter the address of a backup NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the default Netgear NTP servers.
Monitoring System Performance You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, login failures, and attacks. You can also view status information about the VPN firewall, WAN ports, LAN ports, and VPN tunnels.
Page 170
Figure 6-10
Page 171
2. In the Log Options section, enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages.
• LOG_NOTICE (Normal but significant conditions) • LOG_INFO (Informational messages) • LOG_DEBUG (Debug level messages) 10. Click Reset to cancel your changes and return to the previous settings or click Apply to save your settings.
Table 6-2. Firewall Log Field Descriptions (continued)
• Source IP: The IP address of the initiating device for this log entry.
• Source port and interface: The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ....
Page 174
2. Enable the traffic meter by clicking the Yes radio button under Do you want to enable Traffic Metering on WAN1? The traffic meter will record the volume of Internet traffic passing through the WAN1. Select from the following options: •...
Page 175
4. In the When limit is reached section, make the following choice: • Block All Traffic. All access to and from the Internet will be blocked. Warning: If the Block All Traffic radio button is selected, the WAN port shuts down once its traffic limit is reached •...
Viewing the VPN Firewall Configuration and System Status The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display (see Figure 6-13 on page 6-29).
Table 6-3. Router Status Fields (continued)
WAN1 Configuration:
• WAN Mode: Single, Dual, or Rollover.
• WAN State: UP or DOWN.
• NAT: Enabled or Disabled.
• Connection Type: Static IP, DHCP, PPPoE, or PPTP.
•...
To set the poll interval: 1. Click the Stop button. 2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds, the maximum is 5 minutes). 3. Click the Set Interval button. Monitoring WAN Ports Status You can monitor the status of both of the WAN connections, the dynamic DNS server connections, and the DHCP server connections.
Monitoring Attached Devices The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. 2.
The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed:
Table 6-4. Known PCs and Devices options
• Name: The name of the PC or device.
The Active IPsec (SA)s table lists each active connection with the following information:
Table 6-5. IPsec Connection Status Fields
• Policy Name: The name of the VPN policy associated with this SA.
• Endpoint: The IP address on the remote VPN endpoint.
Viewing the DHCP Log To display the DHCP log: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen will display. 2. Click the DHCP Log link in the upper right-hand section of the screen. The DHCP Log popup screen will display.
Page 183
To view the most recent entries, click refresh.
Table 6-6. Port Triggering Status Data
• Rule: The name of the rule.
• LAN IP Address: The IP address of the PC currently using this rule.
• Open Ports: The incoming ports which are associated with this rule.
Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • “Basic Functions” on this page • “Troubleshooting the Web Configuration Interface” on page 7-3 • “Troubleshooting the ISP Connection” on page 7-4 •...
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
Troubleshooting the Web Configuration Interface If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the VPN firewall as described in the previous section.
Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the VPN firewall’s configuration at http://192.168.1.1. 3. Select Monitoring from the main menu and Router Status from the submenu.
• Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-1 on page 2-3).
3. Click OK. A message, similar to the following, should display:
Pinging <IP address> with 32 bytes of data
If the path is working, you will see this message:
Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
If the path is not working, you will see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:...
– If your ISP assigned a host name to your PC, enter that host name as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-1 on page 2-3).
Problems with the date and time function can include: • Date and time shown is Thu Jan 01 00:01:52 GMT 1970. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly.
Page 193
“Back” on the Windows menu bar to return to the Diagnostics screen.
• Perform a DNS Lookup: A DNS (Domain Name Server) converts the Internet name such as www.netgear.com to an IP address. If you need the IP address of a Web, FTP, Mail or other server on the Internet, you can do a DNS lookup to find the IP address.
Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly).
Page 196
Table A-1. VPN firewall Default Configuration Settings (continued)
Feature: Default Behavior
Management
• Time Zone
• Time Zone Adjusted for Daylight Saving Time: Disabled
• SNMP: Disabled
• Remote Management: Disabled
Firewall
• Inbound (communications coming in from the Internet): Disabled (except traffic on port 80, the http port)
• Outbound (communications going out to...
Page 197
Table A-2. VPN firewall Technical Specifications (continued)
Feature: Specifications
Environmental Specifications
• Operating temperature: 0° to 40° C (32º to 104º F)
• Operating humidity: 90% maximum relative humidity, noncondensing
Electromagnetic Emissions
• Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B...
Appendix B Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a VPN firewall that has dual WAN ports. This appendix contains the following sections: • “What You Will Need to Do Before You Begin” on page B-1 •...
Page 200
– For rollover mode, protocol binding does not apply. – For load balancing mode, you need to decide which protocols you want to bind to a specific WAN port if you are going to take advantage of this option. –...
• There are a variety of WAN options you can choose when the factory default settings are not applicable to your installation. These include enabling a WAN port to respond to a ping and setting MTU size, port speed, and upload bandwidth. 4.
• Fixed IP Address which is also known as Static IP Address Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. • Your ISPs provide all the information needed to connect to the Internet.
Subnet Mask: ______.______.______.______
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:
Primary DNS Server IP Address: ______.______.______.______
Secondary DNS Server IP Address: ______.______.______.______
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home .
Virtual Private Networks (VPNs)
A virtual private network (VPN) tunnel provides a secure communication channel either between two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for the other tunnel end point to establish (or re-establish) the VPN tunnel.
The Load Balancing Case for Firewalls With Dual WAN Ports
Load balancing for the dual WAN port case is similar to the single WAN port case when specifying the IP address. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
In the single WAN case, the WAN’s Internet address is either a fixed IP address or a fully-qualified domain name if the IP address is dynamic.
Figure B-4
Inbound Traffic to Dual WAN Port Systems
The IP address range of the VPN firewall’s WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
Inbound Traffic: Dual WAN Ports for Load Balancing
In the dual WAN port case for load balancing, the Internet address of each WAN port is either fixed if the IP address is fixed or a fully-qualified domain name if the IP address is dynamic.
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic.
Table B-2. IP Addressing Requirements for VPNs in Dual WAN Port Systems
Configuration | WAN IP address | Single WAN Port (reference case) | Dual WAN Port Cases: Rollover | Dual WAN Port Cases: Load Balancing
VPN Telecommuter (client-to-gateway through... | Fixed | Allowed | FQDN required | Allowed
Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified domain name is optional.
After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder.
Figure B-11
The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (such as WAN1 and WAN2) so...
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance.
The purpose of the fully-qualified domain names in this case is to toggle the domain name of the failed-over gateway firewall between the IP addresses of the active WAN port (i.e., WAN_A1 and WAN_A2 in this example) so that the other end of the tunnel has a known gateway IP address to establish or re-establish a VPN tunnel.
• Dual gateway WAN ports used for load balancing
VPN Telecommuter: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance.
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance.
Appendix C System Logs and Error Messages
This appendix uses the following log parameter terms.
Table C-1. Log Parameter Terms
Term | Description
[FVX538] | System identifier
[kernel] | Message from the kernel.
CODE | Protocol code (e.g., protocol is ICMP, type 8) and CODE=0 means successful reply.
DEST | Destination IP Address of the machine to which the packet is destined.
Table C-4. System Logs: NTP
Message:
Nov 28 12:31:13 [FVX538] [ntpdate] Looking Up time-f.netgear.com
Nov 28 12:31:13 [FVX538] [ntpdate] Requesting time from time-f.netgear.com
Nov 28 12:31:14 [FVX538] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec
Nov 28 12:31:14 [FVX538] [ntpdate] Synchronized time with time-f.netgear.com...
Table C-4. System Logs: NTP (continued)
Explanation:
Message1: DNS resolution for the NTP server (time-f.netgear.com)
Message2: request for NTP update from the time server.
Message3: Adjust time by re-setting system time.
Message4: Display date and time before synchronization, that is when resynchronization started
Message5: Display the new updated date and time.
IPSec Restart
This logging is always done.
Table C-7. System Logs: IPSec Restart
Message:
Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted
Explanation: Log generated when the IPSEC is restarted. This log is logged when IPSEC restarts after applying any changes in the configuration.
Auto Rollover
When the WAN mode is configured for Auto Rollover, the primary link is active and the secondary link acts only as a backup. When the primary link goes down, the secondary link becomes active only until the primary link comes back up.
PPP Logs
This section describes the WAN PPP connection logs. The PPP type can be configured from the web management.
PPPoE Idle-Timeout Logs.
Table C-9. System Logs: WAN Status, PPPoE Idle-Timeout
Message:
Nov 29 13:12:46 [FVX538] [pppd] Starting connection
Nov 29 13:12:49 [FVX538] [pppd] Remote message: Success
Nov 29 13:12:49 [FVX538] [pppd] PAP authentication succeeded
Nov 29 13:12:49 [FVX538] [pppd] local IP address 50.0.0.62...
PPTP Idle-Timeout Logs.
Table C-10. System Logs: WAN Status, PPTP Idle-Timeout
Message:
Nov 29 11:19:02 [FVX538] [pppd] Starting connection
Nov 29 11:19:05 [FVX538] [pppd] CHAP authentication succeeded
Nov 29 11:19:05 [FVX538] [pppd] local IP address 192.168.200.214
Nov 29 11:19:05 [FVX538] [pppd] remote IP address 192.168.200.1
Nov 29 11:19:05 [FVX538] [pppd] primary DNS address 202.153.32.2
Nov 29 11:19:05 [FVX538] [pppd] secondary DNS address 202.153.32.2...
Table C-12. System Logs: Web Filtering and Content Filtering
Message:
Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Explanation:
• This packet is blocked by keyword blocking
•...
Traffic Metering Logs
Table C-13. System Logs: Traffic Metering
Message:
Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._
Explanation: Traffic limit to WAN1 that was set as 10Mb has been reached. This stops all the incoming and outgoing traffic if configured like that in “When Limit is reached”...
Multicast/Broadcast Logs
Table C-16. System Logs: Multicast/Broadcast
Message:
Jan 1 07:24:13 [FVX538] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
Explanation:
• This packet (Broadcast) is destined to the device from the WAN network.
•...
Table C-18. System Logs: Invalid Packets (continued)
Message:
2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][RST_PACKET][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Explanation: Invalid RST packet
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
...
Table C-18. System Logs: Invalid Packets (continued)
Explanation: Bad Hardware Checksum for ICMP packets
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
...
Table C-18. System Logs: Invalid Packets (continued)
Recommended Action:
1. Invalid packets are dropped.
2. Use this command to enable dropping and logging of the invalid packets:
fw/rules/attackChecks/configure dropInvalid 1
To allow invalid packets and disable logging:
fw/rules/attackChecks/configure dropInvalid 0
Message:
2007 Oct 1 00:44:17 [FVX538] [kernel]...
LAN to WAN Logs
Table C-19. Routing Logs: LAN to WAN
Message:
Nov 29 09:19:43 [FVX538] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from LAN to WAN has been allowed by the firewall.
•...
DMZ to LAN Logs
Table C-23. Routing Logs: DMZ to WAN
Message:
Nov 29 09:44:06 [FVX538] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0
Explanation:
• This packet from DMZ to LAN has been dropped by the firewall.
•...
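The log messages in this appendix share one layout: a timestamp, the [FVX538] system identifier, the message source, an event tag, and KEY=VALUE packet fields. As an added example (not part of the NETGEAR manual), this Python parser reads the sample lines shown in the tables above and counts dropped or blocked packets per source address for triage; the function names and the "BLOCKED" action label are assumptions made for illustration.

```python
import re
from collections import Counter

# Log lines copied verbatim from the tables in this appendix.
SAMPLE_LOGS = [
    "Jan 23 16:36:35 [FVX538] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] "
    "IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80",
    "Jan 1 07:24:13 [FVX538] [kernel] MCAST-BCAST IN=WAN OUT=SELF "
    "SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138",
    "2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][RST_PACKET][DROP] "
    "SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899",
    "Nov 29 09:19:43 [FVX538] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN "
    "SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0",
    "Nov 29 09:44:06 [FVX538] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN "
    "SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0",
    "Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted",
]

# "<optional year> Mon D HH:MM:SS [device] [source] body"
HEADER = re.compile(
    r"^(?P<ts>(?:\d{4} )?[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<device>[^\]]+)\] \[(?P<source>[^\]]+)\] (?P<body>.*)$"
)
KEYVAL = re.compile(r"\b([A-Z]+)=(\S+)")    # IN=, OUT=, SRC=, DST=, PROTO=, ...
VERDICT = re.compile(r"\[(ACCEPT|DROP)\]")  # LAN2WAN[ACCEPT], [INVALID]...[DROP]


def parse_line(line):
    """Return a dict for one log line, or None if the header does not match."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    body = rec.pop("body")
    first_kv = KEYVAL.search(body)
    # Everything before the first KEY=VALUE pair names the event.
    rec["event"] = (body[:first_kv.start()] if first_kv else body).strip()
    rec["fields"] = dict(KEYVAL.findall(body))
    verdict = VERDICT.search(rec["event"])
    if verdict:
        rec["action"] = verdict.group(1)
    elif "KEYWORD_BLOCKED" in rec["event"]:
        rec["action"] = "BLOCKED"  # label chosen for this example
    else:
        rec["action"] = None
    return rec


def denied_by_source(lines):
    """Count dropped or blocked packets per source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] in ("DROP", "BLOCKED") and "SRC" in rec["fields"]:
            counts[rec["fields"]["SRC"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in denied_by_source(SAMPLE_LOGS).most_common():
        print(src, n)
```

Lines that do not carry both the system identifier and a source tag, such as the [TRAFFIC_METER] message, return None and need their own handling.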
NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. As part of the new maintenance firmware release, NETGEAR has...
NETGEAR Two-Factor Authentication Solutions
NETGEAR has implemented 2 Two-Factor Authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works.
1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses “continue”...
Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it expires, the user must go through the request process again to generate a new OTP.
Appendix E Related Documents
This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
Document | Link
TCP/IP Networking Basics | http://documentation.netgear.com/reference/enu/tcpip/index.htm
Wireless Networking Basics | http://documentation.netgear.com/reference/enu/wireless/index.htm
Preparing Your Network | http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...