NETGEAR ProSafe FVX538 Reference Manual

ProSafe VPN Firewall 200
FVX538 Reference
Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
August 2006
202-10062-04
v1.0


Summary of Contents for NETGEAR ProSafe FVX538

  • Page 2 In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
  • Page 4 OpenSSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
  • Page 6 Product and Publication Details: Model Number: FVX538; Publication Date: August 2006; Product Family: VPN Firewall; Product Name: ProSafe VPN Firewall 200; Home or Business Product: Business; Language: English; Publication Part Number: 202-10062-04; Publication Version Number: 1.0, August 2006.
  • Page 7: Table Of Contents

    About This Manual Conventions, Formats and Scope ...xiii How to Use This Manual ...xiv How to Print this Manual ...xiv Revision History ... xv Chapter 1 Introduction Key Features ...1-1 Dual WAN Ports for Increased Reliability or Outbound Load Balancing ...1-2 A Powerful, True Firewall with Content Filtering ...1-2 Security Features ...1-3 Autosensing Ethernet Connections with Auto Uplink ...1-3...
  • Page 8 Programming the Traffic Meter (if Desired) ...2-7 Configuring the WAN Mode (Required for Dual WAN) ...2-10 Setting Up Auto-Rollover Mode ... 2-11 Setting Up Load Balancing ...2-13 Configuring Dynamic DNS (If Needed) ...2-15 Configuring the Advanced WAN Options (If Needed) ...2-18 Chapter 3 LAN Configuration Using the Firewall as a DHCP server ...3-1...
  • Page 9 Inbound Rules Examples ...4-16 LAN WAN Inbound Rule: Hosting A Local Public Web Server ...4-16 LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses 4-17 LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping 4-17 LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host ...4-19 Outbound Rules Example ...4-20 LAN WAN Outbound Rule: Blocking Instant Messenger ...4-20 Adding Customized Services ...4-21...
  • Page 10 Configuring the VPN Client ...5-22 Testing the Connection ...5-26 Certificate Authorities ...5-27 Generating a Self Certificate Request ...5-28 Uploading a Trusted Certificate ...5-30 Managing your Certificate Revocation List (CRL) ...5-30 Extended Authentication (XAUTH) Configuration ...5-31 Configuring XAUTH for VPN Clients ...5-32 User Database Configuration ...5-34 RADIUS Client Configuration ...5-35 Manually Assigning IP Addresses to Remote Users (ModeConfig) ...5-37...
  • Page 11 Router Upgrade ...6-15 Setting the Time Zone ...6-16 Monitoring the Router ...6-17 Enabling the Traffic Meter ...6-17 Setting Login Failures and Attacks Notification ...6-19 Monitoring Attached Devices ...6-20 Viewing Port Triggering Status ...6-22 Viewing Router Configuration and System Status ...6-23 Monitoring WAN Ports Status ...6-24 Monitoring VPN Tunnel Connection Status ...6-25 VPN Logs ...6-26...
  • Page 12 Internet Configuration Requirements ... C-3 Where Do I Get the Internet Configuration Parameters? ... C-4 Internet Connection Information Form ... C-5 Overview of the Planning Process ... C-6 Inbound Traffic ... C-6 Virtual Private Networks (VPNs) ... C-6 The Roll-over Case for Firewalls With Dual WAN Ports ... C-7 The Load Balancing Case for Firewalls With Dual WAN Ports ...
  • Page 13: About This Manual

    The NETGEAR® ProSafe™ VPN Firewall 200 FVX538 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope The conventions, formats, and scope of this manual are described in the following paragraphs.
  • Page 14: How To Use This Manual

    For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, “Related …”. Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVX538.asp. How to Use This Manual The HTML version of this manual includes the following: •...
  • Page 15: Revision History

    • Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window. • Click the print icon in the upper left of your browser window. –...
  • Page 17: Introduction

    (stealth mode). • Support for up to 200 simultaneous IPSec VPN tunnels. • Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Proactive policy enforcement for anti-virus and anti-spam security with integrated Trend Micro support.
  • Page 18: Dual Wan Ports For Increased Reliability Or Outbound Load Balancing

    ProSafe VPN Firewall 200 FVX538 Reference Manual • Login capability. • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. • One U Rack mountable. Dual WAN Ports for Increased Reliability or Outbound Load Balancing The FVX538 has two broadband WAN ports, WAN1 and WAN2, each capable of operating independently at speeds of either 10 Mbps or 100 Mbps.
  • Page 19: Security Features

    • Keyword Filtering. With its URL keyword filtering feature, the FVX538 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites. Security Features The VPN firewall is equipped with several features designed to maintain security, as described in this section.
  • Page 20: Trend Micro Integration

    Both products deliver a layered defense against viruses and other malicious code. • Unlike competing antivirus products, both products work with your NETGEAR VPN Firewall to enforce antivirus policies - end users cannot access the Internet unless they have antivirus protection with current pattern files installed.
  • Page 21: Maintenance And Support

    Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the VPN firewall: • Flash memory for firmware upgrade •...
  • Page 22: Router Front Panel

    • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. Router Front Panel The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
  • Page 23 Table 1-1. Object Descriptions (continued). Object / Activity: Two RJ-45 WAN ports – N-way automatic speed negotiation, Auto MDI/MDIX; Link/Act LED On (Green), Blinking (Green). 3. WAN Ports LEDs – 100 LED On (Green); Active LED On (Green), On (Amber). 8-port RJ-45 10/100 Mbps Fast Ethernet Switch – Link/Act LED...
  • Page 24: Router Rear Panel

    Table 1-1. Object Descriptions (continued). 6. Console Port – DB9 male connector. 7. Factory Defaults – push in with a sharp object. Router Rear Panel: The rear panel of the ProSafe VPN Firewall 200 … power connection.
  • Page 25: Rack Mounting Hardware

    Rack Mounting Hardware The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in Figure 1-3). The Router’s IP Address, Login Name, and Password Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information: •...
  • Page 26: Default Log In Settings

    Default Log In Settings To log in to the FVX538 once it is connected: 1. Open a Web browser. 2. Enter http://192.168.1.1 as the URL (Figure 1-5). 3. Once the login screen displays •...
  • Page 29: Connecting The Fvx538 To The Internet

    Installation Guide, FVX538 ProSafe VPN Firewall 200 for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.) 2. Log in to the firewall. After logging in, you are ready to set up and configure your firewall.
  • Page 30: Configuring The Internet Connections To Your Isps

    2. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. (The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.) These are the factory defaults printed on the product label; change the administrator password as soon as you have logged in, since anyone who can reach the management interface can otherwise log in with them. 3.
  • Page 31 Figure 2-1 2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support. When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered.
  • Page 32 ProSafe VPN Firewall 200 FVX538 Reference Manual Table 2-1. Internet connection methods (continued) Connection Method Data Required BigPond Cable Login Username, Password), Login Server. DHCP (Dynamic IP) No data is required. Fixed (Static) IP Static IP address, Subnet, and Gateway IP; and related data supplied by your ISP.
  • Page 33: Setting The Router's Mac Address

    To configure the WAN2 ISP settings: 1. Repeat the above steps to set up the parameters for the WAN2 ISP. Start by selecting the WAN2 ISP Settings tab. Next click Auto Detect on the WAN2 ISP Settings screen and then confirm the connection by clicking the WAN Status link.
  • Page 34 Login Server and Idle Timeout fields. The Login Server is the IP address of the local BigPond Login Server in your area. You can find login server information at http://www.netgear.com.sg/support/bigpond.asp 3. If your ISP has assigned a fixed (static or permanent) IP address, select the Use Static IP Address radio box and fill in the following fields: a.
  • Page 35: Programming The Traffic Meter (If Desired)

    6. Click Reset to discard any changes and revert to the previous settings. 7. Click Test to try and connect to the NETGEAR Web site. If you connect successfully and your settings work, then you may click Logout or go on and configure additional settings.
  • Page 36 Figure 2-3 2. Click Apply to apply the settings. Click Reset to return to the previous settings. 3. Select the WAN2 Traffic Meter tab and repeat steps 1 and 2 to set the Traffic Meter for the WAN2 port.
  • Page 37 Table 2-2. Traffic Meter Settings. Parameter / Description: Enable Traffic Meter – Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected by clicking the appropriate tab; the entire configuration is specific to each WAN interface. •...
  • Page 38: Configuring The Wan Mode (Required For Dual Wan)

    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring the WAN Mode (Required for Dual WAN) The dual WAN ports of the ProSafe VPN Firewall 200 can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency).
  • Page 39: Setting Up Auto-Rollover Mode

    If your ISP has allocated many IP addresses to you, and you have assigned one of these addresses to each PC, you can choose Classical Routing. Or, you can use Classical Routing for routing private IP addresses within a campus environment. Otherwise, selecting this method will not allow Internet access through this Router.
  • Page 40 • Ping to this IP address – Enter a public IP address that will not reject the ping request or treat the traffic as abuse. Queries are sent to this server through the WAN interface being monitored.
  • Page 41: Setting Up Load Balancing

    Setting Up Load Balancing To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, both links will carry data for the protocols that are bound to them. For example, if the HTTP protocol is bound to WAN1 and the FTP protocol is bound to WAN2, then the router will automatically channel FTP data from and to the computers on the LAN through the WAN2 port.
  • Page 42 ProSafe VPN Firewall 200 FVX538 Reference Manual a. Service – From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see b.
  • Page 43: Configuring Dynamic Dns (If Needed)

    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-6 3. Modify the parameters for the protocol binding service you selected. 4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table. 5. Click Reset to return to the previously configured settings. Configuring Dynamic DNS (If Needed) Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names.
  • Page 44 ProSafe VPN Firewall 200 FVX538 Reference Manual are provided for your convenience on the Dynamic DNS Configuration screen.) The VPN firewall firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).
  • Page 45 Figure 2-7 2. Check the Dynamic DNS Service radio box you want to enable. The fields corresponding to the selection you have chosen will be highlighted. Each DNS service provider requires its own parameters. 3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is opposite the DNS Configuration screen name.
  • Page 46: Configuring The Advanced Wan Options (If Needed)

    ProSafe VPN Firewall 200 FVX538 Reference Manual d. If your dynamic DNS provider allows the use of wild cards in resolving your URL, you may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org 5.
  • Page 47 • MTU Size – The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs you may have to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
  • Page 49: Lan Configuration

    This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall 200. These features can be found by selecting Network Configuration from the primary menu and LAN Setup from the submenu of the browser interface. Using the Firewall as a DHCP server By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, WINS Server, and default gateway addresses to all computers connected to the firewall LAN.
  • Page 50: Configuring The Lan Setup Options

    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring the LAN Setup Options The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and allows you to configure a secondary or “multi-home” LAN IP setup in the LAN. The default values are suitable for most users and situations.
  • Page 51 4. Check the Enable DHCP Server radio button. By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, providing TCP/IP configuration for all computers connected to the router's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, check the Disable DHCP Server radio button.
  • Page 52: Configuring Multi Home Lan Ips

    6. Click Reset to discard any changes and revert to the previous configuration. Note: Once you have completed the LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 4, “Firewall Protection and Content Filtering.” Configuring Multi Home LAN IPs If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or...
  • Page 53 Figure 3-2 Note: Additional IP addresses cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP and DNS server IPs. To make changes to the selected entry: 1. Click Edit in the Action column adjacent to the selected entry. The Edit Secondary LAN IP Setup screen will display.
  • Page 54: Managing Groups And Hosts (Lan Groups)

    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Click Reset to discard any changes and revert to the previous settings. Tip: The Secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by the secondary subnet. Managing Groups and Hosts (LAN Groups) The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this router.
  • Page 55 – You can assign PCs to Groups and apply restrictions to each Group using the Firewall Rules screen (see “Using Rules to Block or Allow Specific Kinds of Traffic” on page – You can also select the Groups to be covered by the Block Sites feature (see Block Sites (Content Filtering)”...
  • Page 56 ProSafe VPN Firewall 200 FVX538 Reference Manual 4. Enter the IP Address that this computer or device is assigned in the IP Address field. If the IP Address Type is Reserved (DHCP Client), the router will reserve the IP address for the associated MAC address.
  • Page 57: Setting Up Address Reservation

    4. Click Apply to save your new settings. The modified record will appear in the Known PCs and Devices table. To edit the names of any of the eight available groups: 1. Click Edit Group Names at the upper right of the Groups and Hosts screen. The Network Database Group Names screen will display.
  • Page 58: Configuring And Enabling The Dmz Port

    ProSafe VPN Firewall 200 FVX538 Reference Manual To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see Note: The reserved address will not be assigned until the next time the PC contacts the firewall's DHCP server.
  • Page 59 Figure 3-5 4. If desired, Enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router’s DMZ network. Then configure the following items: a. Starting IP Address – This box specifies the first of the contiguous addresses in the IP address pool.
  • Page 60: Static Routes

    ProSafe VPN Firewall 200 FVX538 Reference Manual Static Routes Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
  • Page 61: Routing Information Protocol (Rip)

    4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address to the host or network to which the route leads. 7.
  • Page 62 ProSafe VPN Firewall 200 FVX538 Reference Manual • Out Only – The router broadcasts its routing table periodically but does not accept RIP information from other routers. • In Only – The router accepts RIP information from other routers, but does not broadcast its routing table.
  • Page 63: Static Route Example

    4. Authentication for RIP2B/2M required? If you selected RIP-2B or RIP-2M, check the YES radio box to enable the feature, and input the First Key Parameters and Second Key Parameters MD5 keys to authenticate between routers. 5. Click Reset to discard any changes and revert to the previous settings. 6.
  • Page 64 ProSafe VPN Firewall 200 FVX538 Reference Manual will not be allowed web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions. To enable Trend Micro: 1. Select Security from the main menu and Trend Micro from the submenu. The Trend Micro screen will display.
  • Page 65 3. Click Apply to submit your changes. Note: The OfficeScan Server must also appear in the exclusion list! Note: Follow the instructions in the Trend Micro documentation to complete the installation and configuration of the Trend Micro OfficeScan Server.
  • Page 67: Firewall Protection And Content Filtering

    Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to protect your network. These features can be found by selecting Security from the main menu and selecting Block Sites from the submenu of the browser interface.
  • Page 68: Services-Based Rules

    A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVX538 are:
    • Inbound: Block all access from outside except responses to requests from the LAN side.
    •...
  • Page 69 Table 4-1. Outbound Rules Item Description Service Name Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Action (Filter) Select the desired action for outgoing connections covered by this rule: •...
  • Page 70: Inbound Rules (Port Forwarding)

    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-1. Outbound Rules (continued) Item Description QoS Priority This setting determines the priority of a service which, in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service.
  • Page 71 Table 4-2. Inbound Rules Item Description Services Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Action (Filter) Select the desired action for packets covered by this rule: •...
  • Page 72 ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-2. Inbound Rules (continued) Item Description QoS Priority This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service.
  • Page 73: Order Of Precedence For Rules

    Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom.
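The rules-table semantics this section describes (first match from the top decides, otherwise the default policy for the direction applies) can be checked with a small simulation. The code below is an added example written for this page, not NETGEAR's firmware or any code from the manual; the service ports (HTTP 80, SSH 22, an assumed port 5190 standing in for the Instant Messenger example), the 192.168.1.2 web server address and the office-hours schedule are assumptions for illustration.

```python
"""Added example: simulate FVX538-style rules-table evaluation.

Rules are evaluated top to bottom; the first matching rule decides, and a packet
that matches no rule falls through to the default policy for its direction
(inbound: block, outbound: allow). Services and addresses are assumed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed service table: name -> (protocol, first port, last port).
SERVICES = {
    "HTTP": ("TCP", 80, 80),
    "SSH": ("TCP", 22, 22),
    "AIM": ("TCP", 5190, 5190),   # assumed port for the "Instant Messenger" example
    "ANY": ("ANY", 1, 65535),
}

# The two default rules from the chapter: inbound blocked, outbound allowed.
DEFAULT_POLICY = {"inbound": "BLOCK", "outbound": "ALLOW"}


@dataclass
class Rule:
    direction: str                  # "inbound" or "outbound"
    service: str                    # key into SERVICES
    action: str                     # "ALLOW" or "BLOCK"
    src: str = "0.0.0.0/0"          # source network, any by default
    dst: str = "0.0.0.0/0"          # destination network, any by default
    hours: Optional[range] = None   # schedule as an hour-of-day window; None = always


@dataclass
class Packet:
    direction: str
    proto: str
    src_ip: str
    dst_ip: str
    dst_port: int
    hour: int = 12                  # hour of day, used for schedule checks


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True only if every field of the rule covers the packet."""
    proto, lo, hi = SERVICES[rule.service]
    if rule.direction != pkt.direction:
        return False
    if proto != "ANY" and proto != pkt.proto:
        return False
    if not lo <= pkt.dst_port <= hi:
        return False
    if ip_address(pkt.src_ip) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst_ip) not in ip_network(rule.dst):
        return False
    if rule.hours is not None and pkt.hour not in rule.hours:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the first matching rule), or (default, None)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return DEFAULT_POLICY[pkt.direction], None


# A small table modelled on the chapter's examples (addresses assumed).
WEB_SERVER = "192.168.1.2"
RULES = [
    Rule("inbound", "HTTP", "ALLOW", dst=WEB_SERVER + "/32"),                    # public web server
    Rule("outbound", "AIM", "BLOCK", src="192.168.1.0/24", hours=range(9, 18)),  # block IM in office hours
]


def demo() -> dict:
    """Decisions for a few packets, showing first-match and default-policy behaviour."""
    web = Packet("inbound", "TCP", "203.0.113.9", WEB_SERVER, 80)
    ssh = Packet("inbound", "TCP", "203.0.113.9", WEB_SERVER, 22)
    im_day = Packet("outbound", "TCP", "192.168.1.50", "198.51.100.20", 5190, hour=11)
    im_night = Packet("outbound", "TCP", "192.168.1.50", "198.51.100.20", 5190, hour=22)

    # Precedence: an ALLOW ANY rule for one host placed above the AIM block wins;
    # the same rule placed below it is never reached for that traffic.
    exempt = Rule("outbound", "ANY", "ALLOW", src="192.168.1.50/32")
    above = [exempt] + RULES
    below = RULES + [exempt]

    return {
        "web": evaluate(RULES, web),
        "ssh": evaluate(RULES, ssh),
        "im_day": evaluate(RULES, im_day),
        "im_night": evaluate(RULES, im_night),
        "exempt_above": evaluate(above, im_day),
        "exempt_below": evaluate(below, im_day),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:13s} -> {decision}")
```

Running the block prints one decision per packet. The `exempt_above` / `exempt_below` pair is the point of the order-of-precedence text: the same Allow rule for one host either overrides the Instant Messenger block or is never evaluated, depending only on its row position in the table.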
  • Page 74 2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply. Figure 4-2 To make changes to an existing outbound or inbound service rule: 1. In the Action column adjacent to the rule click: •...
  • Page 75: Lan Wan Outbound Services Rules

    LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The outbound rule will block the selected application from any internal IP LAN address to any external WAN IP address according to the schedule created in the Schedule menu.
  • Page 76: Lan Wan Inbound Services Rules

    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall.
  • Page 77 ProSafe VPN Firewall 200 FVX538 Reference Manual out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to block all outbound traffic and enable only specific services to pass through the router by adding an Outbound services Rule. Figure 4-5 Firewall Protection and Content Filtering 4-11...
  • Page 78: Setting Lan Dmz Rules

    ProSafe VPN Firewall 200 FVX538 Reference Manual To change the Default Outbound Policy: 1. Select Security from the main menu, Firewall Rules from the submenu and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display. 2.
  • Page 79: Lan Dmz Outbound Services Rules

    To make changes to an existing outbound or inbound LAN DMZ service rule: 1. In the Action column adjacent to the rule click: • Edit – to make any changes to the rule definition. The Outbound Service screen will display containing the data for the selected rule page 4-2).
  • Page 80: Lan Dmz Inbound Services Rules

    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Complete the Outbound Service screen, and save the data (see Blocking)” on page 4-2). 3. Click Reset to cancel your settings and return to the previous settings. 4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
  • Page 81 • LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port and (3) reply with an ICMP Destination Unreachable packet.
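A detection check for the UDP flood pattern described above, as an added example (not code from the manual, and not the FVX538's own log format): one source hitting many distinct UDP ports on a single host within a short window is what provokes the stream of ICMP Destination Unreachable replies. The log line format, the sample lines and the threshold of 50 distinct ports per second are constructed for this example.

```python
"""Added example: flag a UDP flood from constructed firewall log lines.

Signature: one source sends UDP to more than `max_ports` distinct destination
ports on one host within `window` seconds. Many packets to one port (a busy DNS
client, say) do not trigger, so ordinary traffic stays quiet.
"""
import re
from collections import defaultdict, deque
from typing import Dict, List, Optional, Tuple

# Constructed format: "<unix_ts> UDP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) UDP (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Tuple[float, str, str, int]]:
    """Return (timestamp, src, dst, dport), or None for lines that are not UDP records."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return float(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_udp_flood(lines: List[str], window: float = 1.0, max_ports: int = 50) -> List[dict]:
    """Alert once per (src, dst) pair whose distinct-port count in the sliding window exceeds max_ports."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)  # (src, dst) -> deque of (ts, dport)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                                # skip lines that do not parse
        ts, src, dst, dport = rec
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and q[0][0] < ts - window:          # slide the window forward
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_ports and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "ports": len(distinct), "at": ts})
    return alerts


def sample_log() -> List[str]:
    """Constructed sample: 80 probes to scattered ports within one second from
    198.51.100.7, interleaved with 80 legitimate DNS queries from 192.168.1.20."""
    lines = []
    for i in range(80):
        t = 1000 + i * 0.01
        flood_port = 1024 + (i * 7919) % 60000      # 7919 is prime: 80 distinct ports
        lines.append(f"{t:.2f} UDP 198.51.100.7:4000 -> 192.168.1.2:{flood_port}")
        lines.append(f"{t:.2f} UDP 192.168.1.20:{50000 + i} -> 192.168.1.1:53")
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for alert in detect_udp_flood(sample_log()):
        print(alert)
```

The window is keyed on the (source, destination) pair rather than the source alone, so a host legitimately talking to many servers on one port each is not mistaken for a scanner; widening the key to the source only would catch a sweep across hosts at the cost of that false positive.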
  • Page 82: Inbound Rules Examples

    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Click Apply to save your settings. Figure 4-8 Inbound Rules Examples LAN WAN Inbound Rule: Hosting A Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.
  • Page 83: Lan Wan Inbound Rule: Allowing Videoconference From Restricted Addresses

    Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers. The following addressing scheme is used to illustrate this procedure: • Netgear FVX538 ProSafe VPN Firewall – WAN1 IP address: 10.1.0.118 –...
  • Page 84 ProSafe VPN Firewall 200 FVX538 Reference Manual • Web server PC on the firewall’s LAN – LAN IP address: 192.168.1.2 – DMZ IP Address: 192.168.10.2 – Access to Web server is (simulated) public IP address: 10.1.0.52 Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ.
  • Page 85: Lan Wan Or Dmz Wan Inbound Rule: Specifying An Exposed Host

    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. In the Send to LAN Server field, enter the local IP address of your Web server PC. 7. From the Public Destination IP Address pull down menu, choose Other Public IP Address. 8.
  • Page 86: Outbound Rules Example

    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 87: Adding Customized Services

    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-14 Adding Customized Services Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’...
  • Page 88 ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-15 To add a customized service: 1. Select Security from the main menu and Services from the submenu. The Services screen will display. 2. In the Add Custom Service table, enter a descriptive name for the service (this is for your convenience).
  • Page 89: Setting Quality Of Service (Qos) Priorities

    To edit the parameters of a service: 1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display. 2. Modify the parameters you wish to change. 3. Click Reset to cancel the changes and restore the previous settings. 4.
  • Page 90: Setting A Schedule To Block Or Allow Specific Traffic

    Setting a Schedule to Block or Allow Specific Traffic If you enabled Content Filtering in the Block Sites menu, or if you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted.
  • Page 91: Setting Block Sites (Content Filtering)

    Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message. Several types of blocking are available: •...
  • Page 92 5. Build your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After each entry, click Add. The Keyword or Domain name will be added to the Blocked Keywords table. (You can also edit an entry by clicking Edit in the Action column adjacent to the entry.) 6.
  • Page 93: Enabling Source Mac Filtering

    Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed. •...
  • Page 94: Port Triggering

    3. Build your list of Source MAC Addresses to be blocked by entering the first MAC address in the MAC Address field in the form xx:xx:xx:xx:xx:xx, where each x is a digit (0 to 9) or a letter between a and f (inclusive), for example: 00:e0:4c:69:0a: 4.
  • Page 95 • After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated. Note: For additional ways of allowing inbound traffic, see Forwarding)”...
  • Page 96 Figure 4-19 3. From the Protocol pull-down menu, select either TCP or UDP protocol. 4. In the Outgoing (Trigger) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 5.
  • Page 97: E-Mail Notifications Of Event Logs And Alerts

    6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
  • Page 98 You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see page 4-34). Selecting all events will increase the size of the log, so it is good practice to select only those events which are required.
  • Page 99 3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select: Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection. 4. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
  • Page 100 Table 4-3. SysLog Facility Message Levels (continued) (columns: Numerical Code, Severity) – Warning: Warning conditions; Notice: Normal but significant conditions; Informational: Informational messages; Debug: Debug level messages. To view the Firewall logs: 1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display.
  • Page 101: Administrator Tips

    Table 4-4. Firewall Log Field Descriptions (columns: Field, Description) – Date and Time: The date and time the log entry was recorded. Description or Action: The type of event and what action was taken, if any. Source IP: The IP address of the initiating device for this log entry. Source port and interface: The service port number of the initiating device, and whether it originated from the...
  • Page 103: Virtual Private Networking

    This chapter describes how to use the virtual private networking (VPN) features of the VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
  • Page 104 Figure 5-1 shows the WAN Mode setup screen for Auto-Rollover Mode using WAN port 1. It also shows the Protocol Bindings screen that displays if Load Balancing is selected. (When Load Balancing is selected, no WAN Failure Detection Method fields are selectable.) This setup is accomplished in “Configuring the WAN Mode (Required for Dual WAN)”...
  • Page 105: Setting Up A Vpn Connection Using The Vpn Wizard

    • Mandatory when the WAN ports are in load balancing mode and the IP addresses are dynamic (Figure 5-3 on page 5-3) • Optional when the WAN ports are in load balancing mode if the IP addresses are static (Figure 5-3 on page 5-3) “Configuring Dynamic DNS (If Needed)”...
  • Page 106: Creating A Vpn Tunnel To A Gateway

    determine the IPSec keys and VPN policies it sets up. It also will set the parameters for the network connection: Security Association, traffic selectors, authentication algorithm, and encryption. The parameters used by the VPN wizard are based on the VPNC recommendations. Creating a VPN Tunnel to a Gateway You can set up multiple Gateway VPN tunnel policies through the VPN Wizard.
  • Page 107 Figure 5-4 7. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway; otherwise the secure tunnel will fail to connect. The IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
  • Page 108 Figure 5-5 You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen will display. Then view or edit the parameters of the “Offsite” policy by clicking Edit in the Action column adjacent to the policy.
  • Page 109: Creating A Vpn Tunnel Connection To A Vpn Client

    Figure 5-6 Creating a VPN Tunnel Connection to a VPN Client You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. Multiple remote VPN Client policies can also be set up through the VPN Wizard by changing the default End Point Information settings.
  • Page 110 6. Enter the public WAN IP address of the gateway to which you want to connect. Alternatively, you can provide the Internet name of the gateway. The Internet name is the Fully Qualified Domain Name (FQDN); for example, vpn.netgear.com. 7. Enter the Local WAN IP Address or Internet name. Both local and remote ends should be defined as either IP addresses or Internet Names (FQDN).
  • Page 111 8. Click Apply. The VPN Policies screen will display showing that the Client policy “home” has been added and enabled. Click Edit in the Action column adjacent to the “home” policy to view the “home” policy parameters. It should not be necessary to make any changes. Figure 5-8 You can also view the status of your IKE Policies by clicking the IKE Policies tab.
  • Page 112: Vpn Tunnel Policies

    Figure 5-9 VPN Tunnel Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Policy Tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN Policy and IKE Policy.
  • Page 113: Managing Ike Policies

    • “Manual” generated VPN policies cannot use the IKE negotiation protocol. Managing IKE Policies IKE Policies are activated when: 1. The VPN Policy Selector determines that some traffic matches an existing VPN Policy. If the VPN policy is of type “Auto”, then the Auto Policy Parameters defined in the VPN Policy are accessed which specify which IKE Policy to use.
  • Page 114: Vpn Policy

    However, if you have only one policy for each remote VPN Endpoint, then the policy order is not important.) To use a CA, each VPN Gateway must have a Certificate...
  • Page 115: Vpn Policy Table

    3. The VPN tunnel is created according to the parameters in the SA (Security Association). 4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. VPN Policy Table Only one Client Policy may be configured at a time (noted by an “*” next to the policy name). The Policy Table contains the following fields: •...
  • Page 116: Creating A Vpn Gateway Connection: Between Fvx538 And Fvs338

    Creating a VPN Gateway Connection: Between FVX538 and FVS338 This section describes how to configure a VPN connection between a NETGEAR FVX538 VPN Firewall and a NETGEAR FVS338 VPN Firewall. Using the VPN Wizard for each VPN firewall, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses.
  • Page 117 6. Select the local WAN interface to bind this connection to the WAN port for the VPN tunnel. Figure 5-10 7. Enter the WAN IP address of the remote FVS338 and then enter the WAN IP address of the local FVX538. (Both local and remote ends must define the address as either an IP address or an FQDN.)
  • Page 118 Figure 5-11 To view the VPN Policy parameters: 1. Click Edit in the Action column adjacent to the “to_fvs” policy. The Edit VPN Policy screen will display. (It should not be necessary to make any changes.) 2.
  • Page 119 Figure 5-12 To view the IKE Policy Configuration parameters: 1. Select the IKE Policies tab. The IKE Policies table will display.
  • Page 120 2. Select “to_FVS” and click Edit. (It should not be necessary to make any changes.) Figure 5-13 Note: When XAUTH is enabled as an Edge Device, incoming VPN connections are authenticated against the FVX538 User Database first; then, if configured, a RADIUS server is checked.
  • Page 121: Configuring The Fvs338

    Configuring the FVS338 To configure the FVS338 VPN Wizard: 1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display. 2. Check the Gateway radio box for the type of VPN tunnel connection. 3.
  • Page 122: Testing The Connection

    If more PCs are to be connected, an additional policy or policies must be created. Each PC will use Netgear's ProSafe VPN Client software. Since the PC's IP address is assumed to be unknown, the PC must always be the Initiator of the connection.
  • Page 123 5. Check either the WAN1 or WAN2 radio box to select the WAN interface tunnel. Figure 5-15 6. Enter the remote WAN’s IP Address or Internet Name and then enter the local WAN’s IP Address or Internet Name. In this example, we are using their FQDNs. (Both the local and remote addresses must be of the same type: either both must be FQDNs or both must be IP addresses.) 7.
  • Page 124: Configuring The Vpn Client

    Configuring the VPN Client From a PC with the Netgear Prosafe VPN Client installed, you can configure a VPN client policy to connect to the FVX538. To configure your VPN client: 1. Right-click on the VPN client icon Editor.
  • Page 125 Figure 5-17 7. In the left frame, click My Identity. 8. From the Select Certificate pull-down menu, select None. 9. From the ID Type pull-down menu, select Domain Name. The value entered under Domain Name will be of the form “<name><XY>.fvx_remote.com”, where each user must use a different variation on the Domain Name entered here.
  • Page 126 Figure 5-18 5. Before leaving the My Identity menu, click Pre-Shared Key. 6. Click Enter Key and then enter your preshared key, and click OK. This key will be shared by all users of the FVX538 policy “home”. Figure 5-19 7.
  • Page 127 8. For the Phase 1 Negotiation Mode, check the Aggressive Mode radio box. 9. PFS should be disabled, and Enable Replay Detection should be enabled. Figure 5-20 10. In the left frame, expand Authentication (Phase 1) and select Proposal 1. The Proposal 1 fields should mirror those in the following figure.
  • Page 128: Testing The Connection

    11. In the left frame, expand Key Exchange (Phase 2) and select Proposal 1. The fields in this proposal should also mirror those in the following figure. No changes should be necessary. 12. In the upper left of the window, click the disk icon to save the policy. Figure 5-22 Testing the Connection 1.
  • Page 129: Certificate Authorities

    2. For additional status and troubleshooting information, right-click on the VPN client icon Logs and Connection Status screens in the FVX538. Figure 5-23 Certificate Authorities Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities).
  • Page 130: Generating A Self Certificate Request

    The Active Self Certificates table shows the Certificates issued to you by the various CAs (Certification Authorities), and available for use. For each Certificate, the following data is listed: • Name. The name you used to identify this Certificate. •...
  • Page 131 Figure 5-24 • Domain Name – If you have a Domain name, you can enter it here. Otherwise, you should leave this field blank. • E-mail Address – Enter your e-mail address in this field. 4. Click Generate. A new certificate request is created and added to the Self Certificate requests table.
  • Page 132: Uploading A Trusted Certificate

    6. Copy the contents of the Data to supply to CA text box into a file, including all of the data contained in “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”. Click Done. You will return to the Certificate screen and your Request details will be displayed in the Self Certificates Requests table showing a Status of “Waiting for Certificate upload”...
  • Page 133: Extended Authentication (Xauth) Configuration

    • CA Identity – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. • Next Update – The date when the next CRL will be released. To upload a Certificate Identity to the CRL: 1.
  • Page 134: Configuring Xauth For Vpn Clients

    • IPSec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway. Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials.
  • Page 135 – RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see “RADIUS Client Configuration”...
  • Page 136: User Database Configuration

    User Database Configuration The User Database screen is used to configure and administer users when Extended Authentication is enabled as an Edge Device. Whether or not you use an external RADIUS server, you may want some users to be authenticated locally. These users must be added to the User Database Configured Users table.
  • Page 137: Radius Client Configuration

    To edit the user name or password: 1. Click Edit opposite the user’s name. The Edit User screen will display. 2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings. The modified user name and password will display in the Configured Users table.
  • Page 138 Figure 5-28 3. Enter the Primary RADIUS Server IP address. 4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
  • Page 139: Manually Assigning Ip Addresses To Remote Users (Modeconfig)

    – LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Mode Config Operation After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The Mode...
  • Page 140: Configuring The Vpn Firewall

    Configuring the VPN Firewall Two menus must be configured: the Mode Config menu and the IKE Policies menu. To configure the Mode Config menu: 1. From the main menu, select VPN, and then select Mode Config from the submenu. The Mode Config screen will display.
  • Page 141 Figure 5-29 To configure an IKE Policy: 1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies Table. 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. 3.
  • Page 142 4. In the General section: a. Enter a descriptive name in the Policy Name field, such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration. b.
  • Page 143: Configuring The Prosafe Vpn Client For Modeconfig

    Figure 5-30 Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
  • Page 144 b. From the ID Type pull-down menu, select IP Subnet. c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway). d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down menu.
  • Page 145 d. Under Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0. Note: If no box is displayed for Internal Network IP Address, go to Options/ Global Policy Settings, and check the box for “Allow to Specify Internal Network Address.”...
  • Page 146 Figure 5-33 5. Click on Key Exchange (Phase 2) on the left-side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds)).
  • Page 147 To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”. 2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” will display and the VPN client icon in the toolbar will read “On”.
  • Page 149: Router And Network Management

    This chapter describes how to use the network management features of your ProSafe VPN Firewall 200. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The ProSafe VPN Firewall 200 offers many tools for managing the network traffic to optimize its performance.
  • Page 150: Vpn Firewall Features That Reduce Traffic

    Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall. But there is no backup in case one of the WAN ports fails. In such an event, and with one exception, the traffic that would have been sent on the failed WAN port gets diverted to the WAN port that is still working, thus increasing its loading.
  • Page 151 – Groups: The rule is applied to a Group (see page 3-6 to assign PCs to a Group using the Network Database). • WAN Users – These settings determine which Internet locations are covered by the rule, based on their IP address. –...
  • Page 152: Block Sites

    Schedule. If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e., schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule.
  • Page 153: Vpn Firewall Features That Increase Traffic

    VPN Firewall Features That Increase Traffic Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • DMZ port • Exposed hosts • VPN tunnels Port Forwarding The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (i.e., the service is unavailable).
  • Page 154: Port Triggering

    • Enable DNS Proxy – Enable this to allow incoming DNS queries. • Enable Stealth Mode – Enable this to set the firewall to operate in stealth mode. As you define your firewall rules, you can further refine their application according to the following criteria: •...
  • Page 155: Dmz Port

    • The remote system receives the PC’s request and responds using the different port numbers that you have now opened. • This Router matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this response would be treated as a new connection request rather than a response.
  • Page 156: Tools For Traffic Management

    Changing Passwords and Settings The default password for the firewall’s Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. You can also configure a separate password for guests.
  • Page 157 6. Click Apply to save this setting. Note: If you make the administrator login time-out value too large, you will have to wait a long time before you are able to log back into the router if your previous login was disrupted (i.e., you did not click Logout on the Main Menu bar to log out).
  • Page 158: Enabling Remote Management Access

    Enabling Remote Management Access Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall”...
  • Page 159: Using A Snmp Manager

    b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
  • Page 160 The SNMP Configuration table lists the SNMP configurations by: • IP Address: The IP address of the SNMP manager. • Port: The trap port of the configuration. • Community: The trap community string of the configuration. To create a new SNMP configuration entry: 1.
  • Page 161: Settings Backup And Firmware Upgrade

    Figure 6-3 The SNMP System Info link displays the VPN firewall identification information available to the SNMP Manager: System Contact, System Location, and System name. To modify the SNMP System contact information: 1. Click the SNMP System Info link. The SNMP SysConfiguration screen will display. 2.
  • Page 162: Backup And Restore Settings

    To restore settings from a backup file: 1. Click Browse. Locate and select the previously saved backup file (by default, netgear.cfg). 2. When you have located the file, click Restore.
  • Page 163: Router Upgrade

    To download a firmware version: 1. Go to the NETGEAR Web site at http://www.netgear.com/support and click on Downloads. 2. From the Product Selection pull-down menu, select your product. Select the software version and follow the To Install steps to download your software.
  • Page 164: Setting The Time Zone

    3. Select an NTP Server option by checking one of the following radio boxes: • Use Default NTP Servers: If this is enabled, then the RTC (Real-Time Clock) is updated regularly by contacting a Default Netgear NTP Server on the Internet.
  • Page 165: Monitoring The Router

    Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the Default Netgear NTP servers. 4. Click Apply to save your settings or click Cancel to revert to your previous settings.
  • Page 166 • Internet Traffic Statistics – Displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available. • Traffic by Protocol – Click this button to display Internet Traffic details. The volume of traffic for each protocol will be displayed in a sub-window.
  • Page 167: Setting Login Failures And Attacks Notification

    Figure 6-7 Setting Login Failures and Attacks Notification Figure 6-8 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log of firewall activities to an e-mail address, or a log of the firewall activities can be viewed, saved to a Syslog server, and then sent to an e-mail address.
  • Page 168: Monitoring Attached Devices

    Figure 6-8 Monitoring Attached Devices The Groups and Hosts menu contains a table of all IP devices that the VPN firewall has discovered on the local network. Select Network Configuration from the main menu and LAN Groups from the submenu.
  • Page 169 Figure 6-9 The network database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: • DHCP Client Requests – By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices.
  • Page 170: Viewing Port Triggering Status

    Table 6-1. Known PCs and Devices (continued) Item Description MAC Address The MAC address of the PC. The MAC address is a low-level network identifier which is fixed at manufacture. Group Each PC or device must be in a single group. The Group column indicates which group each entry is in.
  • Page 171: Viewing Router Configuration And System Status

    Viewing Router Configuration and System Status The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display. Figure 6-11 Table 6-3. Router Status Fields Item Description System Name...
  • Page 172: Monitoring Wan Ports Status

    Table 6-3. Router Status Fields Item Description WAN1 Configuration Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also displays if: • NAT is Enabled or Disabled. •...
  • Page 173: Monitoring Vpn Tunnel Connection Status

    Figure 6-12 Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display. Figure 6-13
  • Page 174: Vpn Logs

    Table 6-4. VPN Status data (columns: Item, Description) – Policy Name: The name of the VPN policy associated with this SA. Endpoint: The IP address on the remote VPN Endpoint. Tx (KB): The amount of data transmitted over this SA. Tx (Packets): The number of IP packets transmitted over this SA.
  • Page 175: Dhcp Log

    DHCP Log You can view the DHCP log from the LAN Setup screen. Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link.
  • Page 176 “Back” on the Windows menu bar to return to the Diagnostics screen. Perform a DNS Lookup: A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 177 Table 6-5. Diagnostics (continued) (columns: Item, Description) – Display the Routing Table: This operation will display the internal routing table. This information is used, most often, by Technical Support. Reboot the Router: Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally.
  • Page 179: Troubleshooting

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 180: Leds Never Turn Off

    LEDs Never Turn Off When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up: •...
  • Page 181 • Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to 192.168.0.254. Note: If your PC’s IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server.
  • Page 182: Troubleshooting The Isp Connection

    Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the firewall’s configuration at http://192.168.1.1. 3. Under the Monitoring menu, select Router Status. 4.
  • Page 183: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    – Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: •...
  • Page 184: Testing The Path From Your PC To A Remote Device

    • Wrong physical connections – Make sure the LAN port LED is on. If the LED is off, follow the instructions in or Internet Port LEDs Not On” on page – Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
  • Page 185: Restoring The Default Configuration And Password

    Restoring the Default Configuration and Password. This section explains how to restore the factory default configuration settings, which changes the firewall’s administration password to “password” and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways: •...
  • Page 187: Default Settings And Technical Specifications

    Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly).
  • Page 188 Table A-1. VPN firewall Default Configuration Settings (continued). Features listed: Time Zone; Time Zone Adjusted for Daylight Saving Time; SNMP; Remote Management; Firewall: Inbound (communications coming in from the Internet), Outbound (communications going out to the Internet), Source MAC filtering, Stealth Mode...
  • Page 189 Table A-2. VPN firewall Technical Specifications (continued). Environmental Specifications: Operating temperature 0° to 40° C (32º...; Operating humidity. Electromagnetic Emissions: Meets requirements of. Interface Specifications: LAN; WAN.
  • Page 191: Appendix B Related Documents

    This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Documents: Internet Networking and TCP/IP Addressing; Wireless Communications; Preparing a Computer for Network Access; Virtual Private Networking...
  • Page 193: Network Planning For Dual WAN Ports

    Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. What You Will Need to Do Before You Begin The ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of the choices available to you, you need to think through the following items before you begin: 1.
  • Page 194 – You can also add your own service protocols to the list (see on page 4-2 for information on how to do this). 3. Set up your accounts. a. Have active Internet services such as those provided by cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information.
  • Page 195: Cabling And Computer Hardware Requirements

    FVX538, you must use a Java-enabled Web browser program that supports HTTP uploads, such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends using Internet Explorer or Netscape Navigator 4.0 or above. Free browser programs are readily available for Windows, Macintosh, or UNIX/Linux.
  • Page 196: Where Do I Get The Internet Configuration Parameters

    • You may also refer to the FVX538 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below.
  • Page 197: Internet Connection Information Form

    Internet Connection Information Form Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name.
  • Page 198: Overview Of The Planning Process

    Overview of the Planning Process. The areas that require planning when using a firewall that has dual WAN ports include: • Inbound traffic (e.g., port forwarding, port triggering, DMZ port) • Virtual private networks (VPNs). The two WAN ports can be configured on a mutually-exclusive basis to either: •...
  • Page 199: The Roll-Over Case For Firewalls With Dual WAN Ports

    The Roll-over Case for Firewalls With Dual WAN Ports Rollover (Figure C-2) for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time and when it rolls over, the IP address of the active WAN port always changes.
  • Page 200: Inbound Traffic

    (Figure qualified domain name if the IP address is dynamic. Figure C-4, Inbound Traffic to Dual WAN Port Systems (figure labels: Router, WAN IP, netgear.dyndns.org; IP address of WAN port: an FQDN is required for a dynamic IP address and optional for a fixed IP address). The IP address range of the firewall’s WAN port must be both fixed and public so that the public...
  • Page 201: Inbound Traffic: Dual WAN Ports For Improved Reliability

    WAN ports (i.e., WAN1 or WAN2). Figure C-5, Dual WAN Ports (Before Rollover) (figure labels: WAN1 IP, Router, netgear.dyndns.org, WAN2 port inactive, WAN2 IP (N/A); the IP address of the active WAN port changes after a rollover, so use of fully-qualified domain names is always required)...
  • Page 202: Virtual Private Networks (VPNs)

    Virtual Private Networks (VPNs). When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table C-2.
  • Page 203: VPN Road Warrior (Client-to-Gateway)

    Figure C-7, Dual WAN Ports (Before Rollover) (figure labels: WAN1 IP, Gateway, netgear.dyndns.org, WAN2 port inactive, VPN Router, WAN2 IP (N/A); the IP address of the active WAN port changes after a rollover, so use of fully-qualified domain names is always required). • Load Balancing Case for Dual Gateway WAN Ports...
  • Page 204: VPN Road Warrior: Single Gateway WAN Port (Reference Case)

    Figures C-9 and C-10 (figure labels: Client B, WAN IP 0.0.0.0, Remote PC (running NETGEAR ProSafe VPN Client)); text fragments: “(Figure C-9), the remote PC client” and “(Figure C-10), the remote PC”...
  • Page 205: VPN Road Warrior: Dual Gateway WAN Ports For Load Balancing

    Figure C-12 (figure labels: WAN2 IP; Fully-Qualified Domain Names (FQDN): required for fixed IP addresses, required for dynamic IP addresses; Client B, WAN IP 0.0.0.0, Remote PC (running NETGEAR ProSafe VPN Client)); text fragment: “(Figure C-12), the remote PC”...
  • Page 206: VPN Gateway-to-Gateway

    Figure C-13 (figure labels: Fully-Qualified Domain Names (FQDN): optional for fixed IP addresses, required for dynamic IP addresses; Client B, WAN IP 0.0.0.0, Remote PC (running NETGEAR ProSafe VPN Client)); text fragment: “(Figure C-13), either gateway”...
  • Page 207: VPN Gateway-to-Gateway: Dual Gateway WAN Ports For Improved Reliability

    Figure C-13, Gateway-to-Gateway Example (Single WAN Ports) (figure labels: 10.5.6.0/24; Gateway A, LAN IP 10.5.6.1, netgear.dyndns.org, VPN Router (at office A)). The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
  • Page 208 Figure C-15, Dual WAN Ports, After Rollover (figure labels: Gateway A, WAN_A1 port inactive, LAN IP 10.5.6.1, netgear.dyndns.org, VPN Router (at office A); one of the gateway routers must re-establish the VPN tunnel after a rollover). The purpose of the fully-qualified domain names in this case is to toggle the domain name of the failed-over gateway firewall between the IP addresses of the active WAN port (i.e., WAN_A1 and...
  • Page 209: VPN Gateway-to-Gateway: Dual Gateway WAN Ports For Load Balancing

    VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing. In the case of dual WAN ports on the gateway VPN firewall, the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to manage the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
  • Page 210: VPN Telecommuter: Single Gateway WAN Port (Reference Case)

    Figures C-17 and C-18 (figure labels: Client B, NAT Router B, Remote PC (running NETGEAR ProSafe VPN Client)); text fragments: “(Figure C-17), the remote PC” and “(Figure C-18), the remote PC”...
  • Page 211 Figure C-19 (figure labels: WAN1 IP (N/A), WAN IP 0.0.0.0, WAN2 IP, NAT Router (at telecommuter's home office), Client B, NAT Router B, Remote PC (running NETGEAR ProSafe VPN Client); the remote PC must re-establish the VPN tunnel after a rollover); text fragment: “C-19), the previously inactive gateway WAN”...
  • Page 212

    Figure C-20 (figure labels: WAN1 IP, WAN IP 0.0.0.0, WAN2 IP, NAT Router (at telecommuter's home office), Client B, NAT Router B, Remote PC (running NETGEAR ProSafe VPN Client)); text fragment: “(Figure C-20), the remote PC”
  • Page 213: Index

    access, remote management 6-10; Active Self Certificates 5-27; Add DMZ WAN Outbound Services screen 4-12; Add LAN DMZ Inbound Service screen 4-14; Add LAN DMZ Outbound Service screen 4-13; Add LAN WAN Inbound Service 4-10; Add LAN WAN Outbound Service screen 4-9; Add Mode Config Record screen 5-38; Add Protocol Binding, Destination Network 2-13...
  • Page 214 Content Filtering 4-1: about 4-25, Block Sites 4-25, enabling 4-25, firewall protection, about 4-1; content filtering 1-2, 4-1; crossover cable 1-3, 7-2; Customized Service, editing 4-23; customized service, adding 4-22; Customized Services, adding 4-2, 4-21; Date: setting 6-16, troubleshooting 7-7...
  • Page 215 about protection 1-2; Dual WAN, configuration of 2-10; Dual WAN Port: inbound traffic C-8, load balancing, inbound traffic C-9; Dual WAN Port systems, VPN Tunnel addresses 5-1; Dual WAN Ports: features of 1-2, network planning C-1; Dual WAN ports: Auto-Rollover, configuration of 2-11, Load Balancing, configuration of 2-13; Dynamic DNS, configuration of 2-15...
  • Page 216 editing 3-9; Groups and Hosts screen 3-7, 3-9, 3-10; groups, managing 3-6; hardware requirements C-3; Hosting A Local Public Web Server, example of 4-16; hosts, managing 3-6; Iego.net 2-15; IGP 3-13; IKE Policies, management of 5-11; IKE Policies screen 5-9; IKE Policy...
  • Page 217 L2TP 4-15; configuration 3-1; using LAN IP setup options 3-2; LAN DMZ Inbound Services, adding rule 4-14; LAN DMZ Outbound Services, adding rule 4-13; LAN DMZ Rules 4-12; LAN DMZ Rules screen 4-12; LAN DMZ service rule, modifying 4-13; LAN Security Checks 4-15; LAN Setup screen 3-2, 6-27; LAN side bandwidth capacity 6-1...
  • Page 218 network configuration requirements C-3; Network Database: about 3-6, advantages of 3-6, fields 3-7; Network Database Group Names screen 3-9; network planning, Dual WAN Ports C-1; Network Time Protocol, see NTP; newsgroup 4-25; NTP 6-16, troubleshooting 7-7; NTP Servers, custom 6-17...
  • Page 219 priority definitions 4-23; shifting traffic mix 6-7; SIP 2.0 support 1-1; Quality of Service, see QoS; rack mounting 1-9; rack mounting hardware 1-9; RADIUS Server, configuring 5-35; RADIUS-CHAP 5-31, 5-33, AUTH, using with 5-32; RADIUS-PAP 5-31, XAUTH, using with 5-32; reducing traffic 6-2, Block Sites 6-4...
  • Page 220 Add Protocol Binding 2-14; Service Based Rules 4-2; Service Blocking, reducing traffic 6-2; service blocking 4-2: Outbound Rules 4-2, port filtering 4-2; service numbers, common protocols 4-21; Services screen 4-21, 4-22; Setting Up One-to-One NAT Mapping, example of 4-17; Settings Backup &...
  • Page 221 definitions 2-9; Trend Micro: enabling 3-15, Office Scan Server 3-16, OfficeScan client, exclusion list 3-16, requirements for use 3-15; Trend Micro integration 1-4; Trend Micro screen 3-16; Trend Micro security 1-4; troubleshooting 7-1: browsers 7-3, configuration settings, using sniffer 7-3, defaults 7-3, ISP connection 7-4, NTP 7-7...
  • Page 222 VPNs C-6, C-10: about C-10, creating a VPN Gateway connection 5-14, gateway-to-gateway C-14, C-15, C-17, road warrior C-11, C-12, C-13, telecommuter C-18, C-20, viewing VPN tunnel status 6-25; configuring Advanced options 2-18; configuring WAN Mode 2-10; WAN Failure Detection Method 2-10, 2-11; WAN Mode 2-11; WAN Mode setup 5-2...
