NETGEAR ProSafe FVS336Gv2 Reference Manual

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN

350 East Plumeria Drive
San Jose, CA 95134
USA
July 2013
202-10619-02
v2.0
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2
Reference Manual

Summary of Contents for NETGEAR ProSafe FVS336Gv2

  • Page 1 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual 350 East Plumeria Drive San Jose, CA 95134 July 2013 202-10619-02 v2.0...
  • Page 2: Technical Support

    To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).”...
  • Page 4: Revision History

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution.
  • Page 5: Table Of Contents

    Table of Contents. Chapter 1 Introduction: Package Contents (10), Front Panel Features
  • Page 6 Testing the Connections and Viewing Status Information (80), NETGEAR VPN Client Status and Log Information (80), VPN Firewall VPN Connection Status and Logs
  • Page 7 Configuring Keepalives (95), Configuring Dead Peer Detection
  • Page 8 Using an SNMP Manager (141), Managing the Configuration File
  • Page 9 What is Two-Factor Authentication (191), NETGEAR Two-Factor Authentication Solutions (191)...
  • Page 10: Chapter 1 Introduction

    Introduction The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 connects your LAN to the Internet through one or two external broadband modems. Dual WAN ports allow you to increase throughput to the Internet by using both ports together, or to maintain a backup connection in case your primary Internet connection fails.
  • Page 11: Front Panel Features

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual If any parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the FVS336Gv2 for repair.
  • Page 12: Rear Panel Features

    Factory Defaults button: Using a sharp object, press and hold this button for about ten seconds until the front panel TEST light flashes to reset the FVS336Gv2 to factory default settings. All configuration settings will be lost and the default password will be restored.
  • Page 13: Qualified Web Browsers

    the following factory default information: IP address User name Password Figure 1-3 Product Label Qualified Web Browsers To configure the network storage, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher with JavaScript, cookies, and SSL enabled.
  • Page 14: Chapter 2 Connecting The Vpn Firewall To The Internet

    See the Installation Guide, FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.
  • Page 15: Logging Into The Vpn Firewall

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on page 26.
  • Page 16: Navigating The Menus

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Click Login. The Web Configuration Manager screen appears, displaying Router Status: Navigating the Menus The Web Configuration Manager menus are organized in a layered structure of main categories and submenus: •...
  • Page 17: Configuring The Internet Connections

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Configuring the Internet Connections To set up your VPN firewall for secure Internet connections, you configure WAN port 1 and WAN port 2. The Web Configuration Manager offers two connection configuration options: •...
  • Page 18 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Note: If you click Auto Detect while the WAN port already has a connection, you might lose the connection because the VPN firewall will enter its detection mode.
  • Page 19: Manually Configuring The Internet Connection

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, go to “Manually Configuring the Internet Connection” on page 19 following this section, or see “Troubleshooting the ISP Connection”...
  • Page 20 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual In the ISP Type options, select the type of ISP connection you use from the three listed options. By default, “Other (PPPoE)” is selected, as shown below.
  • Page 21 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual • My IP Address. IP address assigned by the ISP to make the connection with the ISP server. • Server IP Address. IP address of the PPTP server.
  • Page 22: Configuring The Wan Mode (Required For Dual Wan)

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual The VPN firewall will attempt to connect to the NETGEAR website. If a successful connection is made, NETGEAR’s website appears. If you intend to use a dual WAN mode, click the WAN2 ISP Settings tab and configure the WAN2 ISP settings using the same steps as WAN1.
  • Page 23: Classical Routing

    • If you only have a single public Internet IP address, you MUST use NAT (the default setting). • If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN.
  • Page 24 To configure the dual WAN ports for Auto-Rollover: Select Network Configuration > WAN Settings from the menu, and click the WAN Mode tab. The WAN Mode screen is displayed. In the Port Mode section, select Auto-Rollover Using WAN port.
  • Page 25: Configuring Load Balancing

    Once a rollover occurs, an alert will be generated (see “E-Mail Notifications of Event Logs and Alerts” on page 4-68). When the VPN firewall detects that the failed primary WAN interface has been restored, it will automatically roll over again to the primary WAN interface.
  • Page 26: Configuring Dynamic Dns (Optional)

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Enter the following data in the Add Protocol Binding section on screen: a. Service. From the drop-down list, choose the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services”...
  • Page 27 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual After you have configured your account information in the network storage, whenever your ISP-assigned IP address changes, your network storage will automatically contact your DDNS service provider, log in to your account, and register your new IP address.
  • Page 28: Configuring The Advanced Wan Options (Optional)

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Click the information or registration link in the upper right corner for registration information. Access the website of the DDNS service provider and register for an account (for example, for dyndns.org, go to http://www.dyndns.org).
  • Page 29: Additional Wan Related Configuration

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual a. MTU Size. The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs, you may need to reduce the MTU.
  • Page 30: Chapter 3 Lan Configuration

    LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2. This chapter contains the following sections: • “Choosing the VPN Firewall DHCP Options” on this page.
  • Page 31: Configuring The Lan Setup Options

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual between 192.168.1.2 and 192.168.1.100, although you may wish to save part of the range for devices with fixed addresses. The network storage will deliver the following parameters to any LAN device that requests DHCP: •...
  • Page 32 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Note: If you enable the DNS Relay feature, you will not use the network storage as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
  • Page 33 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual In the DHCP section, select Disable DHCP Server, Enable DHCP Server, or DHCP Relay. By default, the VPN firewall will function as a DHCP server, providing TCP/IP configuration settings for all computers connected to the VPN firewall's LAN.
  • Page 34: Managing Groups And Hosts (Lan Groups)

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual commas and without any blank spaces. For most users, the search base is a variation of the domain name. For example, if your domain is yourcompany.com, your search base dn might be as follows: dc=yourcompany,dc=com.
  • Page 35: Viewing The Lan Groups Database

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Some advantages of the LAN Groups Database are: • Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the desired PC or device.
  • Page 36: Adding Devices To The Lan Groups Database

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual The Known PCs and Devices table lists the entries in the LAN Groups Database. For each computer or device, the following fields are displayed: • Name. The name of the PC or device. For computers that do not support the NetBIOS protocol, this will be listed as “Unknown”...
  • Page 37: Changing Group Names In The Lan Groups Database

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual (Optional) To enable DHCP Address Reservation after the entry is in the table, select the checkbox for the new table entry and click Save Binding to bind the IP address to the MAC address for DHCP assignment.
  • Page 38: Configuring Multi Home Lan Ip Addresses

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the VPN firewall.
  • Page 39: Configuring Static Routes

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Configuring Static Routes Static Routes provide additional routing information to your VPN firewall. Under normal circumstances, the VPN firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes.
  • Page 40: Configuring Routing Information Protocol (Rip)

    Enter the Metric priority for this route. If multiple routes to the same destination exist, the route with the lowest metric is chosen (value must be between 1 and 15).
  • Page 41 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual • In Only. The VPN firewall accepts RIP information from other routers, but does not broadcast its routing table. From the RIP Version drop-down list, choose the version from the following options: •...
  • Page 42: Chapter 4 Firewall Protection And Content Filtering

    Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 to protect your network. This chapter contains the following sections: • “About Firewall Protection and Content Filtering”...
  • Page 43: Using Rules To Block Or Allow Specific Kinds Of Traffic

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks.
  • Page 44 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual • Customized Services. Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services”...
  • Page 45 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Table 4-3. Outbound Rules (Continued) Item Description WAN Users Specifies which Internet locations are covered by the rule, based on their IP address. Select the desired option: •...
  • Page 46 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual DNS so that external users can always find your network (see “Configuring Dynamic DNS (Optional)” on page 26). • If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted.
  • Page 47 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Table 4-4. Inbound Rules (Continued) Item Description LAN users This field appears only with NAT routing (not classical routing). Specifies which computers on your network are affected by this rule. Select the desired options: •...
  • Page 48: Viewing The Rules

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Viewing the Rules To view the firewall rules: Select Security > Firewall from the menu. The LAN WAN Rules screen is displayed. The following figure shows some examples:...
  • Page 49: Creating A Lan Wan Outbound Services Rule

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Creating a LAN WAN Outbound Services Rule An outbound rule will block or allow the selected application from an internal IP LAN address to an external WAN IP address according to the schedule created on the Schedule screen.
  • Page 50: Modifying Rules

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To create a new inbound service rule in the LAN WAN Rules screen: Click Add under the Inbound Services table to display the Add LAN WAN Inbound Service screen.
  • Page 51: Inbound Rules Examples

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Inbound Rules Examples LAN WAN Inbound Rule: Hosting a Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.
  • Page 52 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN.
  • Page 53: Outbound Rules Example

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To expose one of the PCs on your LAN as this host: Create an inbound rule that allows all protocols. Place the new rule below all other inbound rules.
  • Page 54: Configuring Other Firewall Features

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Configuring Other Firewall Features You can configure attack checks, set session limits, and manage the Application Level Gateway (ALG) for SIP sessions. Attack Checks The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the LAN and WAN networks.
  • Page 55: Configuring Session Limits

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual When blocking is enabled, the VPN firewall will limit the lifetime of partial connections and will be protected from a SYN flood attack. • LAN Security Checks.
  • Page 56: Managing The Application Level Gateway For Sip Sessions

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To configure session limits: Select Security > Firewall > Session Limit to display the Session Limit screen. Click Yes to enable Session Limits. From the drop-down list, select whether you will limit sessions by percentage or by absolute number.
  • Page 57: Creating Services, Qos Profiles, And Bandwidth Profiles

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Creating Services, QoS Profiles, and Bandwidth Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: •...
  • Page 58: Setting Quality Of Service (Qos) Priorities

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To add a custom service: Select Security > Services from the menu. The Services screen is displayed. In the Add Custom Services section, enter a descriptive name for the service (this name is for your convenience).
  • Page 59: Creating Bandwidth Profiles

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual • Select Security > Firewall > LAN WAN Rules, and then click Add for Outbound Services. On the Add LAN WAN Outbound Services screen. The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall.
  • Page 60 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To create a bandwidth profile: Select Security > Bandwidth Profile from the menu. The List of Bandwidth Profiles table displays existing profiles. To create a new bandwidth profile, click Add to open the Add Bandwidth Profile screen.
  • Page 61: Setting A Schedule To Block Or Allow Specific Traffic

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To edit a bandwidth profile: Click the Edit link adjacent to the profile you want to edit. The Edit Bandwidth Profile screen is displayed. (This screen shows the same fields as the Add New Bandwidth Profile screen.)
  • Page 62: Blocking Internet Sites (Content Filtering)

    VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
  • Page 63 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual You can bypass Keyword blocking for trusted domains by adding the exact matching domain to the Trusted Domains table. Access to the domains or keywords in the Trusted Domains table by PCs, even those in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.
  • Page 64: Configuring Source Mac Filtering

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Select Yes to enable content filtering. Click Apply to activate the screen controls. Select any Web Components you wish to block and click Apply. Select the groups to which keyword blocking will apply, then click Enable to activate keyword blocking (or disable to deactivate keyword blocking).
  • Page 65: Configuring Ip/Mac Address Binding

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Select the Source MAC Filter tab. Click Yes to enable Source MAC Filtering. Select the action to be taken on outbound traffic from the listed MAC addresses: Block this list and permit all other MAC addresses.
  • Page 66: Configuring Port Triggering

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To enable IP/MAC address binding enforcement and alerts: Select Security > Address Filter from the menu. Select the IP/MAC Binding tab to display the Source MAC Filter screen.
  • Page 67 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual range of ports. Using this feature requires that you know the port numbers used by the application. Port triggering allows computers on the private network (LAN) to request that one or more ports be forwarded to them.
  • Page 68: E-Mail Notifications Of Event Logs And Alerts

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To add a port triggering rule: Select Security > Port Triggering to display the Port Triggering screen. Enter a user-defined name for this rule in the Name field.
  • Page 69: Administrator Tips

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Firewall Logs & E-mail screen. To configure e-mail or syslog notification, or to view the logs, see “Activating Notification of Events and Alerts” on page 150. Administrator Tips Consider the following operational items: •...
  • Page 70: Chapter 5 Virtual Private Networking Using Ipsec

    This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 to provide secure, encrypted communications between your local network and a remote network or computer.
  • Page 71 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual The following diagrams and table show how the WAN mode selection relates to VPN configuration. WAN Auto-Rollover: FQDN Required for VPN Firewall WAN 1 Port Rest of...
  • Page 72: Using The Vpn Wizard For Client And Gateway Configurations

    Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following section provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: •...
  • Page 73 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Click the VPN Wizard tab. To view the wizard default settings, click the VPN Wizard Default Values link. You can modify these settings after completing the wizard.
  • Page 74 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Tip: To assure tunnels stay active, after completing the wizard, edit the VPN policy to enable keepalive which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive.
  • Page 75: Creating A Client To Gateway Vpn Tunnel

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual After both firewalls are configured, go to VPN > IPsec VPN > Connection Status to display the status of your VPN connections. The tunnel will automatically establish when both the local and target gateway policies are...
  • Page 76 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Use the VPN Wizard Configure the Gateway for a Client Tunnel Select VPN > IPsec VPN from the menu. Click the VPN Wizard tab to display the VPN Wizard screen.
  • Page 77 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the VPN firewall. To configure your VPN client: Right-click on the VPN client icon in your Windows toolbar, choose Security Policy Editor, and verify that the Options >...
  • Page 78 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1.
  • Page 79 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual In the left frame, click My Identity. Fill in the options according to the instructions below. • From the Select Certificate drop-down list, choose None. • Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using “r3m0+eClient”.
  • Page 80: Testing The Connections And Viewing Status Information

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual • On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed. • On the left, expand Key Exchange (Phase 2) and click Proposal 1. No changes are needed.
  • Page 81 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual • Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-9 Log Viewer • Right-click the VPN Client icon in the system tray and select Connection Monitor.
  • Page 82: Vpn Firewall Vpn Connection Status And Logs

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual VPN Firewall VPN Connection Status and Logs To view VPN firewall VPN connection status, go to VPN > Connection Status. You can set a poll interval (in seconds) to check the connection status of all active IKE policies to obtain the latest VPN tunnel activity.
  • Page 83: Managing Vpn Policies

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Managing VPN Policies After you use the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name you selected as the VPN tunnel connection name during Wizard setup identifies both the VPN policy and IKE policy.
  • Page 84 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual The IKE Policies Screen When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies table on the IKE Policies screen and is given the same name as the new VPN connection name.
  • Page 85: Configuring Vpn Policies

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Configuring VPN Policies You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
  • Page 86: Configuring Extended Authentication (Xauth)

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual • Auth. Authentication Algorithm used for the VPN tunnel. The default setting using the VPN Wizard is SHA1. (This setting must match the remote VPN.) • Encr. Encryption algorithm used for the VPN tunnel. The default setting using the VPN Wizard is 3DES.
  • Page 87 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To enable and configure XAUTH: Select VPN > IPsec VPN from the menu. Click the IKE Policies tab. The IKE Policies screen is displayed. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified or you can create a new IKE Policy incorporating XAUTH by clicking Add.
  • Page 88: User Database Configuration

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual In the Extended Authentication section, choose the Authentication Type from the drop-down list which will be used to verify user account information. Select one of the following: •...
  • Page 89 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual To configure RADIUS servers: Select VPN > IPsec VPN from the menu, and then click the RADIUS Client tab. To activate (enable) the primary RADIUS server, click the Yes radio button. The primary server options become active.
  • Page 90: Assigning Ip Addresses To Remote Users (Modeconfig)

    Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens. Assigning IP Addresses to Remote Users (ModeConfig) To simplify the process of connecting remote VPN clients to the VPN firewall, you can use the ModeConfig screen to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the VPN firewall.
  • Page 91: Configuring Mode Config Operation On The Vpn Firewall

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual Configuring Mode Config Operation on the VPN Firewall You need to configure two screens to configure Mode Config operation on the VPN firewall: the Mode Config screen and the IKE Policies screen.
  • Page 92 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual If you have a WINS Server on your local network, enter its IP address. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
  • Page 93 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual In the Mode Config Record section, enable Mode Config by checking the Yes radio button and selecting the Mode Config record you just created from the drop-down list.
  • Page 94: Configuring The Prosafe Vpn Client For Modeconfig

    Note: If RADIUS-PAP is selected, the VPN firewall first checks the User Database to see if the user credentials are available. If the user account is not present, the VPN firewall then connects to the RADIUS server.
  • Page 95: Configuring Keepalives And Dead Peer Detection

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual e. Select your Internet Interface adapter in the Name field. On the left-side of the menu, choose Security Policy. a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
  • Page 96: Configuring Dead Peer Detection

    Click the VPN Policies tab, then click the Edit button next to the desired VPN policy. In the General section of the Edit VPN Policy screen, locate the keepalive configuration settings, as shown in .
  • Page 97: Configuring Netbios Bridging With Vpn

    In the IKE SA Parameters section of the Edit IKE Policy screen, locate the Dead Peer Detection configuration settings, as shown in . Click the Yes radio button to Enable Dead Peer Detection.
  • Page 98 In the General section of the Edit VPN Policy screen, click the Enable NetBIOS checkbox. Click Apply at the bottom of the screen.
  • Page 99: Chapter 6 Virtual Private Networking Using Ssl

    Virtual Private Networking Using SSL The NETGEAR <Product Name> <Product Model Number> provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers. Using the...
  • Page 100: Planning For Ssl Vpn

    Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the <Product Name>, and a virtual network interface is created on the user’s PC.
  • Page 101: Creating The Portal Layout

    For port forwarding, declare the servers and services. Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names with these servers. The <Product Name>...
  • Page 102 <Product Name> by clicking the default button in the Action column of the List of Layouts table, to the right of the desired portal layout. To create a new Portal Layout: Select VPN > SSL VPN from the menu, and then select the Portal Layouts tab. Click Add.
  • Page 103 Only alphanumeric characters, hyphen (-), and underscore (_) are accepted for the Portal Layout Name. If you enter other types of characters or spaces, the layout name will be truncated before the first non-alphanumeric character. Note that unlike most other URLs, this name is case sensitive.
  • Page 104: Configuring Domains, Groups, And Users

    Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user’s web browser cache. e. Check the “ActiveX web cache cleaner” checkbox to load an ActiveX cache control when users log in to the SSL VPN portal.
  • Page 105: Adding Servers

    Adding Servers To configure Port Forwarding, you must define the internal host machines (servers) and TCP applications available to remote users. To add servers, follow these steps: Select VPN > SSL VPN from the menu, and then select the Port Forwarding tab. In the Add New Application for Port Forwarding section of the screen, enter the IP address of an internal server or host computer.
  • Page 106: Adding A New Host Name

    Click Add. The “Operation Succeeded” message appears at the top of the tab, and the new application entry is listed in the List of Configured Applications for Port Forwarding table. Repeat this process to add other applications for use in port forwarding. Adding A New Host Name Once the server IP address and port information has been configured, remote users will be able to access the private network servers using Port Forwarding.
  • Page 107: Configuring The Client Ip Address Range

    • If you assign an entirely different subnet to the VPN tunnel clients than the subnet used by the corporate network, you must: Add a client route to configure the VPN tunnel client to connect to the corporate network using the VPN tunnel.
  • Page 108: Adding Routes For Vpn Tunnel Clients

    In the Client Address Range Begin field, enter the first IP address of the IP address range. In the Client Address Range End field, enter the last IP address of the IP address range. Click Apply.
  • Page 109: Replacing And Deleting Client Routes

    Replacing and Deleting Client Routes If an existing route is no longer needed, or if the specifications of an existing route need to be changed, follow these steps: Make a new entry with the correct specifications. (This step is not applicable if you only want to delete the route.) In the Configured Client Routes table, click the Delete button adjacent to the out-of-date route entry.
  • Page 110: Configuring User, Group, And Global Policies

    The “Operation Successful” message appears at the top of the tab, and the newly-added resource name appears on the Defined Resource Addresses table. Next to the new resource, click the Edit button. The Add Resource Addresses screen is displayed.
  • Page 111 takes precedence over a policy applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Hostnames are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges.
  • Page 112: Viewing Ssl Vpn Policies

    Viewing SSL VPN Policies To view the existing SSL VPN policies: Select VPN > SSL VPN from the menu, and then select the Policies tab. Make your selection from the following Query options: • Click Global to view all global policies.
  • Page 113: Adding An Ssl Vpn Policy

    Adding an SSL VPN Policy To add an SSL VPN Policy: Select VPN > SSL VPN from the menu, and select the Policies tab. The Policies screen is displayed. Make your selection from the following Query options: •...
  • Page 114 • If you choose Network Resource, you will need to enter a descriptive Policy Name, then choose a Defined Resource and relevant Permission (PERMIT or DENY) from the pull-down lists. If a needed network resource has not been defined, you can add it before proceeding with this new policy.
  • Page 115 • If you choose All Addresses, you will need to enter a descriptive Policy Name, then choose the Service and relevant Permission from the drop-down lists. When you are finished making your selections, click Apply. The Policies screen reappears.
  • Page 116: Chapter 7 Managing Users, Authentication, And Certificates

    Managing Users, Authentication, and Certificates This chapter contains the following sections: • “Adding Authentication Domains, Groups, and Users” on this page. • “Managing Certificates” on page 124. Adding Authentication Domains, Groups, and Users You must create name and password accounts for all users who will connect to the VPN firewall.
  • Page 117: Creating A Domain

    Creating a Domain The domain determines the authentication method to be used for associated users. For SSL VPN connections, the domain also determines the portal layout that will be presented, which in turn determines the network resources to which the associated users will have access.
  • Page 118 To create a domain: Select Users > Domains from the menu. The Domains screen is displayed. Click Add. The Add Domain screen is displayed. Configure the following fields: a.
  • Page 119: Creating A Group

    Table 7-9. Authentication Type and Corresponding Required Fields (Continued)
    Authentication Type | Required Authentication Information Fields
    Radius-MSCHAP | Authentication Server, Authentication Secret
    Radius-MSCHAPv2 | Authentication Server, Authentication Secret
    WIKID-PAP | Authentication Server, Authentication Secret...
  • Page 120: Creating A New User Account

    To create a group: Select Users > Groups from the menu. The Groups screen is displayed. Configure the new group settings in the Add New Group section of the screen: a.
  • Page 121: Setting User Login Policies

    Click Add. The Add User screen is displayed. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b. User Type. Select either Administrator, SSL VPN User, or IPsec VPN User.
  • Page 122 To prohibit this user from logging in from the WAN interface, select the Deny Login from WAN Interface checkbox. In this case, the user can log in only from the LAN interface.
  • Page 123: Changing Passwords And Other User Settings

    Repeat these steps to add additional addresses or subnets. To restrict logging in based on the user’s browser: In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure.
  • Page 124: Managing Certificates

    In the Action column of the List of Users table, click Edit for the user for which you want to modify the settings. The Edit User screen is displayed.
  • Page 125 or clients, or to be authenticated by remote entities. The same Digital Certificates are extended for secure web access connections over HTTPS. Digital Certificates can be either self signed or can be issued by Certification Authorities (CA) such as via an in-house Windows server, or by an external organization such as Verisign or Thawte.
  • Page 126: Viewing And Loading Ca Certificates

    Viewing and Loading CA Certificates The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data: • CA Identity (Subject Name). The organization or person to whom the certificate is issued.
  • Page 127: Obtaining A Self Certificate From A Certificate Authority

    For each self certificate, the following data is listed: • Name. The name you used to identify this certificate. • Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate.
  • Page 128 your registered business name or official company name. (Using the same name, or a derivation of the name, in the Title field would be useful.) • From the drop-down lists, choose the following values: Hash Algorithm: MD5 or SHA1.
  • Page 129: Managing Your Certificate Revocation List (Crl)

    Submit your certificate request to a CA: a. Connect to the website of the CA. b. Start the Self Certificate request procedure. c. When prompted for the requested data, copy the data from your saved text file (including “----BEGIN CERTIFICATE REQUEST---”...
  • Page 130 To view your currently-loaded CRLs and upload a new CRL: Locate the Certificate Revocation Lists (CRL) table at the bottom of the Certificates screen. The CRL table lists your active CAs and their critical release dates: •...
  • Page 131: Chapter 8 Vpn Firewall And Network Management

    VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2. The VPN firewall offers many tools for managing the network traffic to optimize its performance.
  • Page 132: Bandwidth Capacity

    Bandwidth Capacity The maximum bandwidth capacity of the VPN firewall in each direction is as follows: • LAN side: 4000 Mbps (four LAN ports at 1000 Mbps each) •...
  • Page 133 Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always • BLOCK by schedule, otherwise Allow • ALLOW always •...
  • Page 134: Features That Increase Traffic

    3) for when a rule is to be applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule.
  • Page 135: Port Forwarding

    Port Forwarding The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service is unavailable).
  • Page 136: Port Triggering

    • Destination Address. These settings determine the destination IP address for this rule which will be applicable to incoming traffic. This rule will be applied only when the destination IP address of the incoming packet matches the IP address of the selected WAN interface. Selecting ANY enables the rule for any LAN IP destination.
  • Page 137: Using Qos To Shift The Traffic Mix

    Using QoS to Shift the Traffic Mix The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the VPN firewall. The QoS is set individually for each service.
  • Page 138 To modify the Admin user account settings, including the password: Select Users > Users from the menu. Select the checkbox next to admin in the Name column, then click Edit in the Action column.
  • Page 139: Enabling Remote Management Access

    Enabling Remote Management Access Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall”...
  • Page 140 c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access. Configure the port number that will be used for secure HTTP management. The default port number is 443.
  • Page 141: Using The Command Line Interface

    Tip: If you are using a dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option.
  • Page 142 To create a new SNMP configuration entry: Select Administration > SNMP from the menu. The SNMP screen is displayed. Configure the following fields in the Create New SNMP Configuration Entry section: a.
  • Page 143: Managing The Configuration File

    To modify the SNMP identification information: The SNMP System Info option arrow at the top of the tab opens the SNMP SysConfiguration screen that displays the SNMP system contact information available to the SNMP manager.
  • Page 144 To back up settings: Select Administration > Settings Backup and Firmware Upgrade from the menu. The Settings Backup and Firmware Upgrade screen is displayed. Click Backup to save a copy of your current settings.
  • Page 145: Reverting To Factory Default Settings

    Reverting to Factory Default Settings To reset the VPN firewall to the original factory default settings: Click default. Manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the VPN firewall’s password will be password and the LAN IP address will be...
  • Page 146: Configuring Date And Time Service

    WARNING! Do not try to go online, turn off the VPN firewall, shut down the computer or do anything else to the VPN firewall until the VPN firewall finishes the upgrade! When the Test light turns off, wait a few more seconds before continuing.
  • Page 147 Select an NTP Server option: • Use Default NTP Servers. The RTC is updated regularly by contacting a NETGEAR NTP server on the Internet. A primary and secondary (backup) server are preloaded.
  • Page 148: Chapter 9 Monitoring System Performance

    This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2. You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the network storage, WAN ports, LAN ports, and VPN tunnels.
  • Page 149: Enabling The Traffic Meter

    Enabling the Traffic Meter If your ISP charges by traffic volume over a given period of time, or if you want to study traffic types over a period of time, you can activate the Traffic Meter for one or both WAN ports.
  • Page 150: Activating Notification Of Events And Alerts

    Note: Both incoming and outgoing traffic are included in the limit. • Increase this month limit by. Temporarily increase the traffic limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase.
  • Page 151 login attempts; and other general information based on the settings that you enter on the Firewall Logs & E-mail screen. You must have e-mail notification enabled to receive the logs in an e-mail message.
  • Page 152 In the Send E-mail logs by Schedule section, enter a Schedule for sending the logs. From the Unit drop-down list, choose: Never, Hourly, Daily, or Weekly. Then set the Day and Time fields that correspond to your selection.
  • Page 153: Viewing The Logs

    Viewing the Logs To view the logs, select Monitoring > Firewall Logs & E-mail from the menu, and then click the View Log link in the upper right-hand section of the screen. The Logs screen is displayed.
  • Page 154: Viewing Vpn Firewall Configuration And System Status

    Viewing VPN Firewall Configuration and System Status The Router Status screen provides status and usage information. To view the network storage configuration and system status: Select Monitoring > Router Status from the menu.
  • Page 155: Monitoring Vpn Firewall Statistics

    Table 9-3. Router Status Information (Continued) Item Description • WAN1 Configuration WAN Mode: Single, Dual, or Rollover. • WAN State: UP or DOWN. • NAT: Enabled or Disabled.
  • Page 156: Monitoring The Status Of Wan Ports

    Monitoring the Status of WAN Ports You can monitor the status of both of the WAN connections, the Dynamic DNS Server connections, and the DHCP Server connections. To monitor the status of the WAN ports: Select Network Configuration >...
  • Page 157: Viewing The Dhcp Log

    PCs and other LAN devices become known by these methods: • DHCP Client Requests. By default, the DHCP server in the VPN firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices.
  • Page 158: Monitoring Active Users

    Click the DHCP Log link to the right of the tabs. The DHCP Log appears in a popup window. To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
  • Page 159: Viewing Port Triggering Status

    Viewing Port Triggering Status To view the status of port triggering: Select Security > Port Triggering from the menu. When the Port Triggering screen is displayed, click the Status link...
  • Page 160: Monitoring Vpn Tunnel Connection Status

    Monitoring VPN Tunnel Connection Status To review the status of current VPN tunnels: Select VPN > Connection Status from the menu, and then select the IPsec VPN Connection Status tab.
  • Page 161: Viewing The Vpn Logs

    Viewing the VPN Logs The VPN Logs screen gives log details for recent VPN activity. Select Monitoring > VPN Logs from the menu, and select the IPsec VPN Logs tab. The IPsec VPN Logs screen is displayed.
  • Page 162: Chapter 10 Troubleshooting

    Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2. After each problem description, instructions are provided to help you diagnose and solve the problem. This chapter contains the following sections: •...
  • Page 163: Power Led Not On

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 164: Troubleshooting The Web Configuration Interface

    Troubleshooting the Web Configuration Interface If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following: •...
  • Page 165: Troubleshooting The Isp Connection

    Troubleshooting the ISP Connection If your VPN firewall is unable to access the Internet, you should first determine whether the VPN firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your VPN firewall must request an IP address from the ISP.
  • Page 166: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    If your VPN firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: • Your PC may not recognize any DNS server addresses.
  • Page 167: Testing The Path From Your Pc To A Remote Device

    Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and VPN firewall.
  • Page 168: Problems With Date And Time

    • Use the reset button on the rear panel of the VPN firewall. Use this method for cases when the administration password or IP address is not known.
  • Page 169 A DNS (Domain Name Server) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can request a DNS lookup to find the IP address.
  • Page 170: Appendix A Default Settings And Technical Specifications

    Default Settings and Technical Specifications You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the Test LED blinks rapidly).
  • Page 171 Table A-1. VPN firewall Default Configuration Settings (Continued) Feature Default Behavior Management Time Zone Time Zone Adjusted for Daylight Disabled Saving Time SNMP Disabled Remote Management Disabled...
  • Page 172 Table A-3. SSL VPN Technical Specifications
    Parameter | Specification
    Network Management | Web-based configuration and status monitoring
    Concurrent Users Supported | 10 tunnels
    Encryption | DES, 3DES, AES, MD5, SHA-1
    Authentication...
  • Page 173: Appendix B Network Planning For Dual Wan Ports

    Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix contains the following sections: • “What You Need to Do Before You Begin” on this page. •...
  • Page 174: Cabling And Computer Hardware Requirements

    For load balancing mode, decide which protocols should be bound to a specific WAN port. You can also add your own service protocols to the list. Set up your accounts a.
  • Page 175: Computer Network Configuration Requirements

    network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your VPN firewall. Computer Network Configuration Requirements The VPN firewall includes a built-in Web Configuration Manager. To access the configuration...
  • Page 176: Internet Connection Information Form

    For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each screen.
  • Page 177: Overview Of The Planning Process

    Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports include: • Inbound traffic (port forwarding, port triggering) •...
  • Page 178: The Load Balancing Case For Firewalls With Dual Wan Ports

    address of the active WAN port always changes. Hence, the use of a fully-qualified domain name is always required, even when the IP address of each WAN port is fixed.
  • Page 179: Inbound Traffic To Single Wan Port (Reference Case)

    The addressing of the VPN firewall’s dual WAN port depends on the configuration being implemented: Table B-1. IP addressing requirements for exposed hosts in dual WAN port systems...
  • Page 180 Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover, the WAN’s IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (that is, WAN1 or WAN2).
  • Page 181: Virtual Private Networks (Vpns)

    Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the VPN firewall’s dual WAN port depends on the configuration being implemented: Table B-2.
  • Page 182: Vpn Road Warrior (Client-To-Gateway)

    Note: Once the gateway router WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address. Figure B-7 Rollover with Dual WAN Ports •...
  • Page 183 VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance.
  • Page 184 After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel.
  • Page 185: Vpn Gateway-To-Gateway

    VPN Gateway-to-Gateway The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall: • Single gateway WAN ports •...
  • Page 186 and port WAN_A2 is inactive at Gateway A; port WAN_B1 is active and port WAN_B2 is inactive at Gateway B. Figure B-14 Gateway-to-Gateway, Dual WAN Ports The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port...
  • Page 187: Vpn Telecommuter (Client-To-Gateway Through A Nat Router)

    appropriate gateway WAN port at the other end as necessary to manage the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance.
  • Page 188 VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance.
  • Page 189 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel.
  • Page 190: Appendix C Two Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. As part of the new maintenance firmware release, NETGEAR has implemented a...
  • Page 191: What Is Two-Factor Authentication

    • No need to replace existing hardware. Two-Factor Authentication can be added to existing NETGEAR products through a firmware upgrade.
    • Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and network storage products.
  • Page 192 The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses “continue” to receive the OTP from the WiKID authentication...
  • Page 193: Appendix D Related Documents

    Related Documents
    This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
    Document | Link
    TCP/IP Networking Basics | http://documentation.netgear.com/reference/enu/tcpip/index.htm
    Wireless Networking Basics | http://documentation.netgear.com/reference/enu/wireless/index.htm
    Preparing Your Network | http://documentation.netgear.com/reference/enu/wsdhcp/index.htm
    Virtual Private Networking | http://documentation.netgear.com/reference/enu/vpn/index.htm...
  • Page 194: Appendix E Notification Of Compliance

    Notification of Compliance Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
  • Page 195 Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.