NETGEAR FVS338 - ProSafe VPN Firewall 50 Router Reference Manual

FVS338 ProSafe VPN
Firewall 50 Reference
Manual
NETGEAR, Inc.
350 East Plumeria Drive
Santa Clara, CA 95134 USA
March 2009
202-10046-08
v1.0

Advertisement

Table of Contents
loading

Summary of Contents for NETGEAR FVS338 - ProSafe VPN Firewall 50 Router

  • Page 2 In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
  • Page 4 OpenSSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
  • Page 6 Product and Publication Details Model Number: FVS338 Publication Date: March 2009 Product Family: VPN firewall Product Name: ProSafe VPN Firewall 50 Home or Business Product: Business Language: English Publication Part Number: 202-10046-08 Publication Version Number v1.0, March 2009...
  • Page 7: Table Of Contents

    Contents About This Manual Conventions, Formats and Scope ...................xiii Revision History .......................xiv Chapter 1 Introduction Key Features ........................1-1 Full Routing on Both the Broadband and Serial WAN Ports ........1-2 A Powerful, True Firewall with Content Filtering ............1-2 Security ........................1-3 Autosensing Ethernet Connections with Auto Uplink ..........1-3 Extensive Protocol Support ..................1-3 Easy Installation and Management ................1-4 Maintenance and Support ..................1-5...
  • Page 8 Manually Configure WAN1 ISP Settings: ............2-9 Programming the Traffic Meter (if Desired) ............2-11 To Enable the Traffic Meter ................2-11 Configuring the WAN Mode ..................2-13 Configuring Dynamic DNS (If Needed) .................2-14 Chapter 3 LAN Configuration Choosing the Firewall DHCP Options ................3-1 Configuring the LAN Setup Options .................3-2 Configuring Multi-Home LAN IPs ................3-5 Managing Groups and Hosts ..................3-6...
  • Page 9 Creating a Client to Gateway VPN Tunnel ...............5-5 Use the VPN Wizard Configure the Gateway for a Client Tunnel ......5-6 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection Testing the Connections and Viewing Status Information ..........5-11 NETGEAR VPN Client Status and Log Information ..........
  • Page 10 Certificates ........................5-31 Trusted Certificates (CA Certificates) ..............5-32 Self Certificates ......................5-33 Managing your Certificate Revocation List (CRL) ..........5-36 Chapter 6 Router and Network Management Performance Management .....................6-1 VPN Firewall Features That Reduce Traffic .............6-1 Service Blocking ....................6-1 Block Sites ......................6-3 Source MAC Filtering ..................6-4 VPN Firewall Features That Increase Traffic ............6-4 Port Forwarding ....................6-4 Port Triggering ....................6-6...
  • Page 11 Performing Diagnostics ..................6-27 Chapter 7 Troubleshooting Basic Functions ......................7-1 Power LED Not On ....................7-1 LEDs Never Turn Off ....................7-2 LAN or Internet Port LEDs Not On ................7-2 Troubleshooting the Web Configuration Interface ............7-2 Troubleshooting the ISP Connection ................7-4 Troubleshooting a TCP/IP Network Using a Ping Utility ..........7-5 Testing the LAN Path to Your Firewall ..............7-5 Testing the Path from Your PC to a Remote Device ..........7-6 Restoring the Default Configuration and Password ............7-7...
  • Page 12 Related Documents Appendix D Two Factor Authentication Why do I need Two-Factor Authentication? ..............D-1 What are the benefits of Two-Factor Authentication? ..........D-1 What is Two-Factor Authentication ................. D-2 NETGEAR Two-Factor Authentication Solutions ............D-2 Index
  • Page 13: About This Manual

    About This Manual The NETGEAR ® ProSafe™ VPN Firewall 50 FVS338 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills.
  • Page 14: Revision History

    For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix C, “Related Documents”. Note: Updates to this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVS338.asp. Revision History Version...
  • Page 15: Introduction

    Chapter 1 Introduction The ProSafe VPN Firewall 50 with 8 port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS338 is a complete security solution that protects your network from attacks and intrusions.
  • Page 16: Full Routing On Both The Broadband And Serial Wan Ports

    • Built in 8-port 10/100 Mbps switch. • Extensive Protocol Support. • Login capability. • SNMP for manageability. • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. Full Routing on Both the Broadband and Serial WAN Ports You can install, configure, and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:...
  • Page 17: Security

    Security The VPN firewall is equipped with several features designed to maintain security, as described in this section. • PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network.
  • Page 18: Easy Installation And Management

    ISP account. • VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 19: Maintenance And Support

    Maintenance and Support NETGEAR offers the following features to help you maximize your use of the VPN firewall: • Flash memory for firmware upgrade • Free technical support seven days a week, twenty-four hours a day
  • Page 20: Package Contents

    • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. Router Hardware Components Following is a description of the front and rear panels of the FVS338, including instructions for installing the FVS338 using the rack mounting hardware.
  • Page 21 The table below describes each item on the front panel and its operation. Table 1-1. Object Descriptions. Power LED: On (Green), power is supplied to the router; Off, power is not supplied to the router. Test LED: On (Amber), test mode: the system is initializing or the initialization has failed.
  • Page 22: Router Rear Panel

    Router Rear Panel The rear panel of the ProSafe VPN Firewall 50 (Figure 1-2) contains the On/Off switch and AC power connection. Figure 1-2 Viewed from left to right, the rear panel contains the following elements: •...
  • Page 23: Factory Default Login

    Factory Default Login Check the label on the bottom of the FVS338’s enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN •...
  • Page 25: Connecting The Fvs338 To The Internet

    Chapter 2 Connecting the FVS338 to the Internet This section provides instructions for connecting the VPN firewall, including these topics: • “Connecting the VPN Firewall to Your Network” on page 2-1 • “Configuring the WAN Mode” on page 2-13 • “Configuring Dynamic DNS (If Needed)”...
  • Page 26: Configuring Your Internet Connection

    2. Enter admin for the User Name and password for the Password, both in lower case letters. The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection. Change this factory default password as soon as you have logged in; until you do, anyone on the LAN who knows the defaults can administer the firewall. 3.
  • Page 27 2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support. When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered.
  • Page 28: Dialup Isp Serial Wan Port Settings

    4. Set up the traffic meter for ISP1 if desired. See “Programming the Traffic Meter (if Desired)” on page 2-11. Note: At this point in the configuration process, you are now connected to the Internet through the broadband Ethernet WAN.
  • Page 29 c. Telephone: The telephone number or access number to dial for connectivity. Type in the number using the format described in your modem's user manual. d. Alternative Telephone: An alternative number which will be dialed if the first is not available (optional).
  • Page 30: Setting The Router's Mac Address (Advanced Options)

    c. Dial-up Type: Check the Tone radio box if your phone line supports touch tone dialing; select Pulse for pulse mode dialing. Select Other – use Dial String to configure additional options such as Auto-Answer, etc. (consult your modem manual for dial strings).
  • Page 31: To Change The Mtu Value For Your Dialup Modem

    • Port Speed. In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port speed. This could occur on some older broadband modems.
  • Page 32: Manually Configuring Your Internet Connection

    Figure 2-6 Manually Configuring Your Internet Connection If you know your Broadband ISP connection type, you can bypass the Auto Detect feature and connect your router manually. Ensure that you have all of the relevant connection information such as IP Addresses, account information, type of ISP connection, etc., before you begin.
  • Page 33: Manually Configure Wan1 Isp Settings

    Figure 2-7 Manually Configure WAN1 ISP Settings: Step 1. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select Yes. Otherwise, select No. 2.
  • Page 34 5. Click Apply to save the settings or click Cancel to revert to the previous settings. 6. Click Test to try and connect to the NETGEAR Web site. If you connect successfully and your settings work, then you may click Logout or go on and configure additional settings.
  • Page 35: Programming The Traffic Meter (If Desired)

    Programming the Traffic Meter (if Desired) The traffic meter is useful when an ISP charges by traffic volume over a given period of time or if you want to look at traffic types over a period of time. To Enable the Traffic Meter Step 1. From the primary menu, select Monitoring, and then select Traffic Meter from the secondary menu.
  • Page 36 Table 2-2. Traffic Meter Settings Parameter Description Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the Router's Broadband or Dialup port. Broadband or Dialup can be selected by clicking the appropriate tab;...
  • Page 37: Configuring The Wan Mode

    Configuring the WAN Mode The WAN Mode screen allows you to configure how your router uses your external Internet connections; for example, your WAN port or dialup modem connections. • NAT. NAT is the technology which allows all PCs on your LAN to share a single Internet IP address.
  • Page 38: Configuring Dynamic Dns (If Needed)

    • If you have both ISP links connected for Internet connectivity, check the Primary Broadband with Dialup as backup for auto-rollover. 4. The WAN Failure Detection Method must be configured to notify the router of a link failure if you are using Dialup as a backup to engage auto-rollover.
  • Page 39 This router firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
  • Page 40 3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is near the top right of the window opposite to the DDNS service provider tabs.
  • Page 41: Lan Configuration

    Chapter 3 LAN Configuration This chapter describes how to configure LAN Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50, including the following sections: • “Choosing the Firewall DHCP Options” on page 3-1 • “Managing Groups and Hosts” on page 3-6 •...
  • Page 42: Configuring The Lan Setup Options

    • WINS Server (if you entered a WINS server address in the DHCP Setup menu). • Lease Time (date obtained and duration of lease). DHCP Relay options allow you to make the firewall a DHCP relay agent. The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages.
  • Page 43 1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1 2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets.) 3.
  • Page 44 b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
  • Page 45: Configuring Multi-Home Lan Ips

    The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the router and the router, in turn, sends those requests to the DNS servers of the active connection.
  • Page 46: Managing Groups And Hosts

    • Subnet Mask: IPv4 Subnet Mask. • Action/Edit: Click to make changes to the selected entry. • Select All: Selects all the entries in the Available Secondary LAN IPs table. • Delete: Deletes selected entries from the Available Secondary LAN IPs table. To add a secondary LAN IP address: 1.
  • Page 47: Creating The Network Database

    • Scanning the Network. The router will scan the local network periodically, using standard methods such as ARP and NetBIOS, to detect active computers or devices which are not DHCP clients. For computers that do not support the NetBIOS protocol, the name will be displayed in the known PCs and Devices table as “Unknown”.
  • Page 48 Figure 3-3 The Network Database is created by: • Using the DHCP Server: The router’s DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to the Network Database.
  • Page 49 • Name: The name of the computer or device. Computers that do not support the NetBIOS protocol will be listed as Unknown. In this case, the name can be edited manually for easier management.
  • Page 50: Setting Up Address Reservation

    Setting Up Address Reservation When you specify a reserved IP address for a device on the LAN (based on the MAC address of the device), that computer or device will always receive the same IP address each time it accesses the firewall’s DHCP server.
  • Page 51: Static Route Example

    5. Type the Destination IP Address or network of the route’s final destination. 6. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255. Figure 3-4 7.
  • Page 52: Rip Configuration

    • You have an ISDN firewall on your home network for connecting to the company where you are employed. This firewall’s address on your LAN is 192.168.1.100. • Your company’s network is 134.177.0.0. When you first configured your firewall, two implicit static routes were created.
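    The static route example above can be made concrete with a small lookup model. This is an added illustration, not FVS338 firmware: it reproduces the two implicit routes (the LAN subnet and a default route out of the WAN port) plus the manual's static route for 134.177.0.0 via 192.168.1.100, and resolves destinations by longest-prefix match, which is why a 255.255.255.255 host route beats a network route. The ISP gateway 10.0.0.1 and the extra host route to 134.177.1.1 via 192.168.1.200 are assumptions for the demonstration.

```python
"""Static route lookup with longest-prefix match (added example).

Not FVS338 firmware. Route entries mirror the manual's example (company
network 134.177.0.0 reached through a router at 192.168.1.100 on the LAN)
plus the two implicit routes; the ISP gateway 10.0.0.1 and the host route
to 134.177.1.1 are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: IPv4Network
    gateway: Optional[IPv4Address]   # None: directly connected, deliver on the interface
    interface: str
    metric: int = 1


def add_static_route(table, dest_ip, subnet_mask, gateway, interface, metric=2):
    """Mirror the Routing screen fields: destination, dotted subnet mask
    (255.255.255.255 for a single host), gateway, interface, metric."""
    net = IPv4Network(f"{dest_ip}/{subnet_mask}", strict=False)
    table.append(Route(net, IPv4Address(gateway), interface, metric))
    return table[-1]


def build_table():
    table = [
        # Implicit routes present after initial configuration
        Route(IPv4Network("192.168.1.0/24"), None, "LAN"),
        Route(IPv4Network("0.0.0.0/0"), IPv4Address("10.0.0.1"), "WAN1"),  # assumed ISP gateway
    ]
    # Manual's example: the company network via the ISDN router on the LAN
    add_static_route(table, "134.177.0.0", "255.255.0.0", "192.168.1.100", "LAN")
    # Assumed host route: one company host reached through a different gateway
    add_static_route(table, "134.177.1.1", "255.255.255.255", "192.168.1.200", "LAN")
    return table


def lookup(table, dst):
    """Most specific matching prefix wins; ties go to the lower metric."""
    addr = IPv4Address(dst)
    candidates = [r for r in table if addr in r.destination]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


def next_hop(table, dst):
    r = lookup(table, dst)
    return f"direct via {r.interface}" if r.gateway is None else f"{r.gateway} via {r.interface}"


if __name__ == "__main__":
    t = build_table()
    for d in ("134.177.5.9", "134.177.1.1", "192.168.1.50", "8.8.8.8"):
        print(d, "->", next_hop(t, d))
```

    Running the module prints the next hop for each sample destination; a company address goes to 192.168.1.100, a LAN address is delivered directly, and anything else falls through to the default route.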
  • Page 53 Figure 3-5 To enable RIP: 1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display. 2. Click the RIP Configuration link. The RIP Configuration screen will display. 3.
  • Page 54 • None – the router neither broadcasts its route table nor does it accept any RIP packets from other routers. This effectively disables RIP. 4. Select the RIP Version from the pull-down menu: •...
  • Page 55: Firewall Protection And Content Filtering

    Chapter 4 Firewall Protection and Content Filtering The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. This chapter includes the following sections: • “About Firewall Security” on page 4-1 • “Adding Customized Services”...
  • Page 56: Using Rules To Block Or Allow Specific Kinds Of Traffic

    Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the FVS338. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources.
  • Page 57 Table 4-1. Outbound Rules Fields Item Description Services Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services”...
  • Page 58 Table 4-1. Outbound Rules Fields (continued) Item Description QoS Priority This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service.
  • Page 59 Table 4-2. Inbound Rules Fields Item Description Services Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services”...
  • Page 60: Order Of Precedence For Firewall Rules

    Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location.
  • Page 61: Setting Lan Wan Rules

    Setting LAN WAN Rules The Default Outbound Policy is to allow all outbound traffic (LAN to Internet) to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the LAN to the Internet (Outbound) or coming in from the Internet to the LAN (Inbound).
  • Page 62: Lan Wan Outbound Services Rules

    • Up – to move the rule up one position in the table rank. • Down – to move the rule down one position in the table rank. 2. Check the radio box adjacent to the rule and click: •...
  • Page 63: Lan Wan Inbound Services Rules

    Figure 4-3 LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. WAN Users: Whether all WAN addresses or specific IP addresses are included in the rule.
  • Page 64: Attack Checks

    Figure 4-4 Attack Checks This screen allows you to specify whether or not the router should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below: •...
  • Page 65 When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker’s network location anonymous.
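    The UDP flood described above has a recognisable shape: many datagrams in a short window, scattered over many destination ports, often from forged source addresses. The detector below is an added example written for this page, not the FVS338's attack-check implementation; the manual does not publish the device's thresholds, so the one-second window, 50-packet count and 20-distinct-port figures are assumptions, and the packet records are constructed. Because the source can be spoofed, the detector can aggregate per destination instead of per (source, destination), which is the only way the spoofed variant is caught.

```python
"""Sliding-window UDP flood detection over constructed packet records (added example).

Not the FVS338's attack-check code; the window, packet-count and distinct-port
thresholds are assumptions. A key is flagged when, within one window, it sends
more than max_pkts UDP datagrams spread over at least min_ports destination
ports of one target (the random-port scatter that distinguishes a flood from,
say, a burst of DNS queries to port 53).
"""
from collections import defaultdict, deque


class UdpFloodDetector:
    def __init__(self, window=1.0, max_pkts=50, min_ports=20, per_source=True):
        self.window = window          # seconds (assumed)
        self.max_pkts = max_pkts      # datagrams per window (assumed)
        self.min_ports = min_ports    # distinct destination ports (assumed)
        self.per_source = per_source  # False: aggregate by destination only (spoof-resistant)
        self.hist = defaultdict(deque)  # key -> deque of (timestamp, dport)

    def key(self, src, dst):
        return (src if self.per_source else "*", dst)

    def observe(self, ts, src, dst, proto, dport):
        """Feed one packet; True when this packet pushes its key over the threshold."""
        if proto != "UDP":
            return False
        q = self.hist[self.key(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:   # drop records outside the window
            q.popleft()
        return len(q) > self.max_pkts and len({p for _, p in q}) >= self.min_ports


def run(packets, detector=None):
    """Return the set of keys flagged at least once."""
    det = detector or UdpFloodDetector()
    flagged = set()
    for ts, src, dst, proto, dport in packets:
        if det.observe(ts, src, dst, proto, dport):
            flagged.add(det.key(src, dst))
    return flagged


def sample_packets():
    """Constructed traffic: 60 DNS queries in 0.6 s (benign) and an 80-datagram
    flood in 0.4 s from one source to 80 different ports."""
    pkts = [(i * 0.01, "192.168.1.10", "10.0.0.53", "UDP", 53) for i in range(60)]
    pkts += [(5.0 + i * 0.005, "203.0.113.7", "198.51.100.5", "UDP", 1000 + (i * 37) % 500)
             for i in range(80)]
    return pkts


def spoofed_packets():
    """Constructed: the same flood, but every datagram carries a different forged source."""
    return [(5.0 + i * 0.005, f"203.0.{i}.7", "198.51.100.5", "UDP", 1000 + (i * 37) % 500)
            for i in range(80)]


if __name__ == "__main__":
    print("per-source:", run(sample_packets()))
    print("per-source, spoofed:", run(spoofed_packets()))
    print("per-destination, spoofed:", run(spoofed_packets(), UdpFloodDetector(per_source=False)))
```

    The DNS burst exceeds the packet count but touches a single port, so it is not flagged; the flood is. With spoofed sources the per-source detector sees 80 one-packet keys and stays silent, while the per-destination detector still fires on the target.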
  • Page 66: Session Limit

    Session Limit Session Limit allows you to specify the total number of sessions per user over an IP (Internet Protocol) connection allowed across the router. This feature can be enabled on the Session Limit screen and is shown below (Session Limit is disabled by default): Figure 4-6 To enable Session Limit:...
  • Page 67: Inbound Rules Examples

    4. In the Session Timeout section, modify TCP, UDP, and ICMP timeouts as required. A session will time out if it does not receive any data for the duration of the specified timeout. The default values are 1200 seconds for TCP, 180 seconds for UDP, and 8 seconds for ICMP.
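    The Session Limit and Session Timeout settings on pages 66 and 67 interact: a source that has hit its limit gets new sessions refused until one of its existing sessions goes idle long enough to be expired. The session table below is an added example, not NETGEAR code; it uses the manual's default timeouts (1200 s TCP, 180 s UDP, 8 s ICMP), takes timestamps as explicit parameters so the expiry is deterministic, and the sample flows are constructed.

```python
"""Per-source session limit with per-protocol idle timeouts (added example).

Not NETGEAR code: a session table modelling the Session Limit screen. New
sessions from a source IP are refused once it holds max_per_ip sessions, and
a session is dropped after it has been idle for its protocol's timeout (the
manual's defaults: 1200 s TCP, 180 s UDP, 8 s ICMP).
"""
from dataclasses import dataclass

DEFAULT_TIMEOUTS = {"TCP": 1200, "UDP": 180, "ICMP": 8}


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class SessionTable:
    def __init__(self, max_per_ip, timeouts=None):
        self.max_per_ip = max_per_ip
        self.timeouts = dict(DEFAULT_TIMEOUTS, **(timeouts or {}))
        self.last_seen = {}   # Session -> time of the last packet seen

    def expire(self, now):
        """Remove sessions idle for at least their protocol timeout; return how many."""
        stale = [s for s, t in self.last_seen.items() if now - t >= self.timeouts[s.proto]]
        for s in stale:
            del self.last_seen[s]
        return len(stale)

    def count(self, src):
        return sum(1 for s in self.last_seen if s.src == src)

    def admit(self, session, now):
        """Called for each packet; False means the packet is dropped."""
        self.expire(now)
        if session in self.last_seen:        # existing session: refresh the idle timer
            self.last_seen[session] = now
            return True
        if self.count(session.src) >= self.max_per_ip:
            return False                     # limit reached for this source IP
        self.last_seen[session] = now
        return True


if __name__ == "__main__":
    table = SessionTable(max_per_ip=2)
    web = Session("192.168.1.10", "93.184.216.34", "TCP", 50000, 80)
    tls = Session("192.168.1.10", "93.184.216.34", "TCP", 50001, 443)
    dns = Session("192.168.1.10", "1.1.1.1", "UDP", 50002, 53)
    print(table.admit(web, 0.0), table.admit(tls, 0.0))   # True True
    print(table.admit(dns, 1.0))                           # False: third session refused
    print(table.admit(dns, 1300.0))                        # True: the TCP sessions have idled out
```

    The limit is per source IP, so a second LAN host is unaffected by the first host's exhaustion, and a refreshed session keeps its slot for another full timeout.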
  • Page 68: Setting Up One-To-One Nat Mapping

    Figure 4-8 Setting Up One-to-One NAT Mapping In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a Web server on the LAN.
  • Page 69: Specifying An Exposed Host

    8. Click Apply. The rule will display in the Inbound Services table shown in Figure 4-10. Figure 4-9 Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-10).
  • Page 70: Outbound Rules Example - Blocking Instant Messenger

    1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
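    The inbound rules table (pages 56 to 63), the one-to-one NAT example (page 68) and the exposed host (page 70) are all consequences of one mechanism: rules are consulted in table order, the first match decides, and anything left undecided falls to the default policy, which for inbound traffic is BLOCK. The model below is an added example written for this page, not NETGEAR firmware. It shows a BLOCK rule placed above a one-to-one NAT ALLOW rule for a public web address, an exposed-host rule at the bottom, and what the Up/Down buttons change. All addresses are constructed.

```python
"""Ordered, first-match evaluation of LAN WAN inbound rules (added example).

Not NETGEAR code. Models an inbound rules table with a default BLOCK policy,
a one-to-one NAT rule (WAN Destination IP plus Send to LAN Server) and an
exposed-host rule placed last. Addresses are constructed for the demonstration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ANY_WAN_USER = IPv4Network("0.0.0.0/0")


@dataclass
class Rule:
    name: str
    service: Optional[tuple]                  # (protocol, port) or None for "Any"
    action: str                               # "ALLOW" or "BLOCK"
    wan_users: IPv4Network = ANY_WAN_USER     # WAN Users field
    wan_dest: Optional[IPv4Address] = None    # WAN Destination IP; None = the WAN port's own IP
    lan_server: Optional[IPv4Address] = None  # Send to LAN Server (ALLOW rules)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str
    rule: str
    forward_to: Optional[IPv4Address] = None


class InboundRules:
    DEFAULT_POLICY = "BLOCK"   # manual: by default, all inbound traffic is blocked

    def __init__(self, wan_ip):
        self.wan_ip = IPv4Address(wan_ip)
        self.rules = []

    def add(self, rule):
        self.rules.append(rule)

    def move(self, name, delta):
        """The Up/Down buttons: reorder a rule without changing its fields."""
        i = next(i for i, r in enumerate(self.rules) if r.name == name)
        j = max(0, min(len(self.rules) - 1, i + delta))
        self.rules.insert(j, self.rules.pop(i))

    def evaluate(self, pkt):
        for r in self.rules:               # table order is precedence: first match wins
            if r.service is not None and r.service != (pkt.proto, pkt.dport):
                continue
            if pkt.src not in r.wan_users:
                continue
            if pkt.dst != (r.wan_dest or self.wan_ip):
                continue
            fwd = r.lan_server if r.action == "ALLOW" else None
            return Decision(r.action, r.name, fwd)
        return Decision(self.DEFAULT_POLICY, "default policy")


def demo_table(with_exposed_host=True):
    t = InboundRules("198.51.100.1")
    # Block one abusive network from the public web address; sits above the allow rule
    t.add(Rule("block-abuser", ("TCP", 80), "BLOCK",
               wan_users=IPv4Network("203.0.113.0/24"),
               wan_dest=IPv4Address("198.51.100.10")))
    # One-to-one NAT: public 198.51.100.10:80 -> LAN web server 192.168.1.20
    t.add(Rule("web-1to1", ("TCP", 80), "ALLOW",
               wan_dest=IPv4Address("198.51.100.10"),
               lan_server=IPv4Address("192.168.1.20")))
    if with_exposed_host:
        # Exposed host: any service, placed below every other rule. Everything the
        # rules above did not decide now reaches this host instead of being blocked.
        t.add(Rule("exposed-host", None, "ALLOW", lan_server=IPv4Address("192.168.1.99")))
    return t


def pkt(src, dst, proto, dport):
    return Packet(IPv4Address(src), IPv4Address(dst), proto, dport)
```

    Moving the block rule one position down puts the ALLOW rule ahead of it, and the abusive network gets through to the web server; the exposed host shows the other side of precedence, since a catch-all ALLOW at the bottom replaces the default BLOCK for every port not covered above it.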
  • Page 71: Adding Customized Services

    Figure 4-12 Adding Customized Services Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’...
  • Page 72 To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups.
  • Page 73: Specifying Quality Of Service (Qos) Priorities

    Specifying Quality of Service (QoS) Priorities The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. The user can change this priority: •...
  • Page 74: Setting A Schedule To Block Or Allow Specific Traffic

    VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
  • Page 75 Several types of blocking are available: • Web Components blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Even sites on the Trusted Domains list will be subject to Web Components blocking when the blocking of a particular Web component is enabled.
  • Page 76 7. Click Reset to cancel your changes and revert to the previous settings. 8. Click Apply to save your settings. Figure 4-15
  • Page 77: Enabling Source Mac Filtering

    Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed by default.
  • Page 78: Ip/Mac Binding

    4. Click Add. The MAC address will be added to the Available MAC Addresses to be Blocked table. (You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC Address.) 5.
  • Page 79 Figure 4-17 The IP/MAC Binding Table lists the currently defined IP/MAC Bind rules: • Name: Displays the user-defined name for this rule. • MAC Addresses: Displays the MAC Addresses for this rule. • IP Addresses: Displays the IP Addresses for this rule.
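    Source MAC filtering (page 77) and IP/MAC binding (pages 78 and 79) are both LAN-side checks on the Ethernet and IP source fields of a frame. The model below is an added example, not firmware code. It keeps the filter disabled by default as the manual describes, normalises the MAC formats an administrator is likely to type, and enforces a binding in both directions: a bound MAC may not use another IP, and a bound IP may not appear from another MAC, which is how a spoofed or manually changed address shows up. The addresses are invented.

```python
"""Source MAC filtering and IP/MAC binding on LAN frames (added example).

Not firmware code. The source MAC filter drops frames from listed MACs
(disabled by default, as on the device). The IP/MAC binding table drops a
frame whose source IP is not the one bound to its MAC, and a frame whose
source IP belongs to a binding but arrives from a different MAC.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


def norm_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class LanPolicy:
    def __init__(self, mac_filter_enabled=False):
        self.mac_filter_enabled = mac_filter_enabled   # manual: disabled by default
        self.blocked_macs = set()
        self.bindings = {}        # rule name -> (mac, ip), as shown in the IP/MAC Binding Table
        self.mac_to_ip = {}
        self.ip_to_mac = {}
        self.log = []

    def block_mac(self, mac):
        self.blocked_macs.add(norm_mac(mac))

    def bind(self, name, mac, ip):
        mac = norm_mac(mac)
        self.bindings[name] = (mac, ip)
        self.mac_to_ip[mac] = ip
        self.ip_to_mac[ip] = mac

    def check(self, frame):
        """Return "ACCEPT" or "DROP" for one LAN frame and record why it was dropped."""
        mac = norm_mac(frame.src_mac)
        if self.mac_filter_enabled and mac in self.blocked_macs:
            self.log.append(f"MAC filter: dropped frame from {mac}")
            return "DROP"
        bound_ip = self.mac_to_ip.get(mac)
        if bound_ip is not None and bound_ip != frame.src_ip:
            self.log.append(f"IP/MAC binding: {mac} used {frame.src_ip}, bound to {bound_ip}")
            return "DROP"
        owner = self.ip_to_mac.get(frame.src_ip)
        if owner is not None and owner != mac:
            self.log.append(f"IP/MAC binding: {frame.src_ip} is bound to {owner}, seen from {mac}")
            return "DROP"
        return "ACCEPT"


if __name__ == "__main__":
    policy = LanPolicy()
    policy.bind("printer", "00:11:22:33:44:55", "192.168.1.50")
    print(policy.check(Frame("00-11-22-33-44-55", "192.168.1.50")))   # ACCEPT
    print(policy.check(Frame("aa:bb:cc:dd:ee:ff", "192.168.1.50")))   # DROP: someone else claims the printer's IP
    for line in policy.log:
        print(line)
```

    Unbound hosts are left alone by the binding check, so the table can be introduced one device at a time; the MAC filter only takes effect once it is enabled, matching the default the manual describes.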
  • Page 80: Setting Up Port Triggering

    Setting Up Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the Application.
  • Page 81 2. From the Enable pull-down menu, indicate if the rule is enabled or disabled. Figure 4-18 3. From the Protocol pull-down menu, select either TCP or UDP protocol. 4. In the Outgoing (Trigger) Port Range fields: a.
  • Page 82: Bandwidth Limiting

    b. Enter the End Port range (1 - 65534). 6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
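    The port triggering procedure above (pages 80 to 82) describes a stateful mechanism: nothing is open inbound until a LAN host sends to the trigger range, and then only the response range, only towards that host, and only for a while. The state machine below is an added example, not firmware code. The 600-second idle timeout is an assumption of the model, since the manual does not state the device's value; the rule, ports and hosts are invented.

```python
"""Port triggering state (added example, not firmware code).

A rule pairs an outgoing (trigger) port range with an incoming (response)
port range for one protocol. When a LAN host sends to a trigger port, the
response range is opened inbound, but only towards that host and only while
the trigger is fresh. IDLE_TIMEOUT is an assumption of this model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerRule:
    name: str
    proto: str               # "TCP" or "UDP"
    trigger: tuple           # (start, end) outgoing port range, inclusive
    response: tuple          # (start, end) incoming port range, inclusive
    enabled: bool = True     # the Enable pull-down on the rule screen


def in_range(port, rng):
    return rng[0] <= port <= rng[1]


class PortTrigger:
    IDLE_TIMEOUT = 600.0     # seconds; assumed, not taken from the manual

    def __init__(self, rules):
        self.rules = [r for r in rules if r.enabled]
        self.open = {}       # rule name -> (LAN host, time the trigger last fired)

    def outbound(self, lan_host, proto, dport, now):
        """LAN -> WAN packet. Returns True when it fires at least one trigger.
        Only the most recent triggering host holds the opening for a rule."""
        fired = False
        for r in self.rules:
            if r.proto == proto and in_range(dport, r.trigger):
                self.open[r.name] = (lan_host, now)
                fired = True
        return fired

    def inbound(self, proto, dport, now):
        """Unsolicited WAN -> LAN packet. Returns the LAN host to forward to,
        or None when no fresh trigger covers this protocol and port."""
        for r in self.rules:
            if r.proto != proto or not in_range(dport, r.response):
                continue
            state = self.open.get(r.name)
            if state is None:
                continue
            host, fired_at = state
            if now - fired_at > self.IDLE_TIMEOUT:
                del self.open[r.name]    # trigger went stale: the hole closes again
                continue
            return host
        return None


if __name__ == "__main__":
    pt = PortTrigger([TriggerRule("game", "UDP", (6112, 6112), (6112, 6119))])
    print(pt.inbound("UDP", 6115, 0.0))                 # None: nothing has triggered
    pt.outbound("192.168.1.20", "UDP", 6112, 10.0)      # LAN host opens the response range
    print(pt.inbound("UDP", 6115, 20.0))                # 192.168.1.20
    print(pt.inbound("UDP", 6115, 10.0 + 600.0 + 1))    # None: trigger expired
```

    Unlike a static port-forwarding rule, the opening follows whichever LAN host triggered last and disappears on its own, so the exposure window is bounded by the application's activity rather than left permanently open.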
  • Page 83 Example: When a new connection is established by a device, the device will locate the firewall rule corresponding to the following connections. • If the rule has a bandwidth profile specification, then the device will create a bandwidth class in the kernel.
  • Page 84: E-Mail Notifications Of Event Logs And Alerts

    d. Type: Specify the type of profile. e. Direction: Specify the direction for the profile. WAN: Specify the WAN interface (if in Load Balancing Mode) for the profile. 3. Click Apply to save your settings. Your new Bandwidth Profile will be added to the Bandwidth Profile Table.
  • Page 85 Figure 4-21 To set up Firewall Logs and E-mail alerts: 1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display. 2.
  • Page 86 5. In the System Logs section, check the radio box for the type of system events to be logged. 6. Check the Yes radio box to enable E-mail Logs. Then enter: a. E-mail Server address – Enter the outgoing E-mail SMTP mail server address of your ISP (for example, 172.16.1.10).
  • Page 87 1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display. 2. If the E-mail Logs option has been enabled, you can send a copy of the log by clicking Send Log.
  • Page 88: Administrator Information

    FVS338 ProSafe VPN Firewall 50 Reference Manual Administrator Information Consider the following operational items: 1. As an option, you can enable remote management if you have to manage distant sites from a central location (see “Enabling Remote Management Access” on page 6-10).
  • Page 89 FVS338 ProSafe VPN Firewall 50 Reference Manual Firewall Protection and Content Filtering 4-35 v1.0, March 2009...
  • Page 93: Virtual Private Networking

    Chapter 5 Virtual Private Networking This chapter describes how to use the Virtual Private Networking (VPN) features of the VPN firewall. This chapter includes the following sections: • “Considerations for Dual WAN Port Systems” on page 5-1 • “Using the VPN Wizard for Client and Gateway Configurations” on page 5-2 •...
  • Page 94: Using The Vpn Wizard For Client And Gateway Configurations

    All tunnels must be re-established after a rollover using the new WAN IP address. Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: •...
  • Page 95 FVS338 ProSafe VPN Firewall 50 Reference Manual 1. Select VPN > IPsec VPN > VPN Wizard to display the VPN Wizard tab page. To view the wizard default settings, click the VPN Default values link. You can modify these settings after completing the wizard. •...
  • Page 96 7. Click Apply to save your settings: the VPN Policies page shows the policy is now enabled. Figure 5-4 8. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured.
  • Page 97: Creating A Client To Gateway Vpn Tunnel

    FVS338 ProSafe VPN Firewall 50 Reference Manual The tunnel will automatically establish when both the local and target gateway policies are appropriately configured and enabled. Note: When using FQDN, if the dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDN does not resolve to your new address.
  • Page 98: Use The Vpn Wizard To Configure The Gateway For A Client Tunnel

    FVS338 ProSafe VPN Firewall 50 Reference Manual Use the VPN Wizard to Configure the Gateway for a Client Tunnel 1. From the main menu, go to VPN > IPSec VPN > VPN Wizard. The VPN Wizard displays. • VPN Client connection •...
  • Page 99: Use The Netgear Vpn Client Security Policy Editor To Create A Secure Connection

    Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the FVS338. Follow these steps to configure your VPN client.
  • Page 100 FVS338 ProSafe VPN Firewall 50 Reference Manual 2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1.
  • Page 101 FVS338 ProSafe VPN Firewall 50 Reference Manual 3. In the left frame, click My Identity. Fill in the options according to the instructions below. r3m0+eC1ient Figure 5-11 • From the Select Certificate pull-down menu, choose None. • Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using r3m0+eC1ient.
  • Page 102 FVS338 ProSafe VPN Firewall 50 Reference Manual 4. Verify the Security Policy settings; no changes are needed. Figure 5-12 • On the left, click Security Policy to view the settings: no changes are needed. • On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed.
  • Page 103: Testing The Connections And Viewing Status Information

    FVS338 ProSafe VPN Firewall 50 Reference Manual Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the FVS338 provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 104 FVS338 ProSafe VPN Firewall 50 Reference Manual 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-15 •...
  • Page 105: Fvs338 Vpn Connection Status And Logs

    FVS338 ProSafe VPN Firewall 50 Reference Manual The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2. System Tray Icon Status The client policy is deactivated. The client policy is deactivated but not connected. The client policy is activated and connected.
  • Page 106: Ike Policies

    FVS338 ProSafe VPN Firewall 50 Reference Manual To view FVS338 VPN logs, go to Monitoring > VPN Logs. Figure 5-18 IKE Policies The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways, and provides automatic management of the Keys used in IPSec. It is important to remember that: •...
  • Page 107: Ike Policy Table

    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. An IKE session is established, using the SA (Security Association) parameters specified in a matching IKE Policy: • Keys and other parameters are exchanged. • An IPsec SA (Security Association) is established, using the parameters in the VPN Policy.
  • Page 108: Vpn Policies

    FVS338 ProSafe VPN Firewall 50 Reference Manual To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix C, “Related Documents”. VPN Policies You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
  • Page 109: Vpn Tunnel Connection Status

    FVS338 ProSafe VPN Firewall 50 Reference Manual • ! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To Enable or Disable a Policy, check the radio box adjacent to the circle and click Enable or Disable, as required.
  • Page 110: Extended Authentication (Xauth) Configuration

    FVS338 ProSafe VPN Firewall 50 Reference Manual • Endpoint. The IP address on the remote VPN Endpoint. • Tx (KBytes). The amount of data transmitted over this SA. • Tx (Packets). The number of packets transmitted over this SA. • State.
  • Page 111: Configuring Xauth For Vpn Clients

    FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring XAUTH for VPN Clients Once XAUTH has been enabled, you must establish user accounts on the Local Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: If you are modifying an existing IKE Policy to add XAUTH and that IKE Policy is in use by a VPN Policy, the VPN Policy must be disabled before you can modify the IKE Policy.
  • Page 112: User Database Configuration

    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. Click Apply to save your settings. Figure 5-19 User Database Configuration The User Database Screen is used to configure and administer VPN Client users for use by the XAUTH server. Whether or not you use an external RADIUS server, you may want to have some users authenticated locally.
  • Page 113: Radius Client Configuration

    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. Click Add. The User Name will be added to the Configured Hosts table. Figure 5-20 To edit the user name or password: 1. Click Edit opposite the user’s name. The Edit User screen will display. 2.
  • Page 114 FVS338 ProSafe VPN Firewall 50 Reference Manual password information. The gateway will try to verify this information first against a local User Database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. To configure the Primary RADIUS Server: 1.
  • Page 115: Assigning Ip Addresses To Remote Users (Modeconfig)

    PC running ProSafe VPN Client software using these IP addresses. • NETGEAR ProSafe VPN Firewall 50 – WAN IP address: 172.21.4.1 – LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Virtual Private Networking 5-23 v1.0, March 2009...
  • Page 116: Modeconfig Operation

    FVS338 ProSafe VPN Firewall 50 Reference Manual ModeConfig Operation After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The ModeConfig module will allocate an IP address from the configured IP address pool and will activate a temporary IPSec policy using the template security proposal information configured in the ModeConfig record.
  • Page 117 FVS338 ProSafe VPN Firewall 50 Reference Manual 9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES 10.
  • Page 118 FVS338 ProSafe VPN Firewall 50 Reference Manual 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. 3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the View selected radio box.) Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel be defined by a FQDN.
  • Page 119 FVS338 ProSafe VPN Firewall 50 Reference Manual 9. If Edge Device was enabled, select the Authentication Type from the pull-down menu which will be used to verify account information: User Database, RADIUS-CHAP or RADIUS-PAP. Users must be added through the User Database screen (see “User Database Configuration”...
  • Page 120: Configuring The Prosafe Vpn Client For Modeconfig

    FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
  • Page 121 FVS338 ProSafe VPN Firewall 50 Reference Manual b. From the Select Certificate pull-down menu, select None. c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created; for example “remote_id.com”. d.
  • Page 122 FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 5-26 5. Click on Key Exchange (Phase 2) on the left-side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds)).
  • Page 123: Certificates

    FVS338 ProSafe VPN Firewall 50 Reference Manual To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”. 2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” will display and the VPN client icon in the toolbar will read “On”.
  • Page 124: Trusted Certificates (Ca Certificates)

    FVS338 ProSafe VPN Firewall 50 Reference Manual for VPN then the certificate is only uploaded to the VPN certificate repository. Thus, certificates used by HTTPS and IPSec will be different if their purpose is not defined to be VPN and HTTPS. Trusted Certificates (CA Certificates) Trusted Certificates are used to verify the validity of certificates issued to an organization and signed by the issuing CA authority.
  • Page 125: Self Certificates

    This information must be submitted in the following format: C=<country>, ST=<state>, L=<city>, O=<organization>, OU=<department>, CN=<device name>. In the following example: C=USA, ST=CA, L=Santa Clara, O=NETGEAR, OU=XX, CN=FVS338. • From the pull-down menus, select the following values: –...
  • Page 126 FVS338 ProSafe VPN Firewall 50 Reference Manual – Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also impact performance.) 3. Complete the Optional fields, if desired, with the following information: • IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
  • Page 127 FVS338 ProSafe VPN Firewall 50 Reference Manual Save to file Figure 5-29 To submit your Self Certificate request to a CA: 1. Connect to the web site of the CA. 2. Start the Self Certificate request procedure. 3. When prompted for the requested data, copy the data from your saved data file (including “-----BEGIN CERTIFICATE REQUEST-----”...
  • Page 128: Managing Your Certificate Revocation List (Crl)

    FVS338 ProSafe VPN Firewall 50 Reference Manual When you obtain the certificate from the CA, you can then upload it to your computer. Click Browse to locate the Certificate file and then click Upload. The certificate will display in the Active Self Certificates table (see Figure 5-28).
  • Page 129: Router And Network Management

    Chapter 6 Router and Network Management This chapter describes how to use the network management features of your ProSafe VPN Firewall 50. This chapter includes the following sections: • “Performance Management” on page 6-1 • “Administration” on page 6-7 • “Monitoring the Router”...
  • Page 130 FVS338 ProSafe VPN Firewall 50 Reference Manual Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always • BLOCK by schedule, otherwise Allow • ALLOW always • ALLOW by schedule, otherwise Block As you define your firewall rules, you can further refine their application according to the following criteria: •...
  • Page 131 FVS338 ProSafe VPN Firewall 50 Reference Manual Groups and Hosts. You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic. The Network Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: •...
  • Page 132: Vpn Firewall Features That Increase Traffic

    FVS338 ProSafe VPN Firewall 50 Reference Manual “Setting Block Sites (Content Filtering)” on page 4-20 for the procedure on how to use this feature. Source MAC Filtering If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses.
  • Page 133 FVS338 ProSafe VPN Firewall 50 Reference Manual • ALLOW by schedule, otherwise Block You can also enable a check on special rules: • VPN Passthrough – Enable this to pass the VPN traffic without any filtering; this is especially useful when this firewall is between two VPN tunnel end points. •...
  • Page 134: Port Triggering

    FVS338 ProSafe VPN Firewall 50 Reference Manual Port Triggering Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application. Once configured, operation is as follows: •...
  • Page 135: Tools For Traffic Management

    Changing Passwords and Settings The default password for the firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. You can also configure a separate password for guests.
  • Page 136 FVS338 ProSafe VPN Firewall 50 Reference Manual 1. Select Users from the main menu and Local Authentication from the submenu. Figure 6-1 2. Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box.
  • Page 137: Radius Server External Authentication

    FVS338 ProSafe VPN Firewall 50 Reference Manual Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset. RADIUS Server External Authentication For authentication to RADIUS or WIKID, you can define the authentication type. Figure 6-2 When a user logs in, the VPN firewall will validate with the appropriate RADIUS or WIKID server that the user is authorized to log in.
  • Page 138: Enabling Remote Management Access

    FVS338 ProSafe VPN Firewall 50 Reference Manual When specifying RADIUS domain authentication, you are presented with several authentication protocol choices, as summarized in the following table: Table 6-1. Authentication Description Protocol Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
  • Page 139 FVS338 ProSafe VPN Firewall 50 Reference Manual https://194.177.0.123:8080 Figure 6-3 To configure your firewall for Remote Management: 1. Select the Turn Remote Management On check box. a. Specify what external addresses will be allowed to access the firewall’s remote management. Note: For enhanced security, restrict access to as few external IP addresses as practical.
  • Page 140 FVS338 ProSafe VPN Firewall 50 Reference Manual 2. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided.
  • Page 141: Using A Snmp Manager

    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. Specify what external addresses will be allowed to access the firewall’s remote management. Note: For enhanced security, restrict access to as few external IP addresses as practical. a. To allow access from any IP address on the Internet, select Everyone. b.
  • Page 142 FVS338 ProSafe VPN Firewall 50 Reference Manual • If you want to make the VPN firewall globally accessible using the community string, but still receive traps on the host, enter 0.0.0.0 as the Subnet Mask and an IP Address for where the traps will be received.
  • Page 143: Settings Backup And Firmware Upgrade

    To restore settings from a backup file: 1. Click Browse. Locate and select the previously saved backup file (by default, netgear.cfg). 2. When you have located the file, click restore.
  • Page 144: Router Upgrade

    To download a firmware version: 1. Go to the NETGEAR Web site at http://www.netgear.com/support and click on Downloads. 2. From the Product Selection pull-down menu, select your product. Select the software version and follow the To Install steps to download your software.
  • Page 145: Setting The Time Zone

    FVS338 ProSafe VPN Firewall 50 Reference Manual Warning: Once you click Upload do NOT interrupt the router! To upgrade router software: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. 2.
  • Page 146: Monitoring The Router

    • Use Default NTP Servers: If this is enabled, then the RTC (Real-Time Clock) is updated regularly by contacting a Default Netgear NTP Server on the Internet. • Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this instead and enter the name or IP address of an NTP Server in the Server 1 Name/IP Address field.
  • Page 147: Enabling The Traffic Meter

    FVS338 ProSafe VPN Firewall 50 Reference Manual Enabling the Traffic Meter To monitor traffic limits on each of the WAN ports, select Administration from the main menu and Traffic Meter from the submenu. The Broadband Traffic Meter screen will display. (The Broadband and Dialup ports are programmed separately.) A WAN port shuts down once its traffic limit is reached if the Block all traffic feature is enabled.
  • Page 148: Setting Login Failures And Attacks Notification

    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-8 Setting Login Failures and Attacks Notification Figure 6-9 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log of firewall activities to an email address or a log of the firewall activities can be viewed, saved to a syslog server, and then sent to an email address.
  • Page 149 FVS338 ProSafe VPN Firewall 50 Reference Manual View System Logs Select the types of events to email. Select the segments to track for System Log events. Enable email alerts. Syslog Server enabled Figure 6-9 Router and Network Management 6-21 v1.0, March 2009...
  • Page 150: Viewing Port Triggering Status

    FVS338 ProSafe VPN Firewall 50 Reference Manual Viewing Port Triggering Status You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu. When the Port Triggering screen displays, click the Status link. Figure 6-10 Table 6-2.
  • Page 151: Viewing Router Configuration And System Status

    FVS338 ProSafe VPN Firewall 50 Reference Manual Viewing Router Configuration and System Status The Router Status menu provides status and usage information. From the main menu of the browser interface, click on Management, then select Router Status. The Router Status screen will display.
  • Page 152: Monitoring Wan Ports Status

    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-3. Router Configuration Status Fields (Item / Description): Broadband State: Indicates whether the WAN Mode Configuration is Single or Rollover, and whether the WAN State is UP or DOWN. If the WAN State is up, it also displays •...
  • Page 153: Monitoring Vpn Tunnel Connection Status

    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-12 Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display. Figure 6-13 Table 6-4.
  • Page 154: Vpn Logs

    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-4. IPSec Connection Status Fields (continued) Item Description Tx (KB) The amount of data transmitted over this SA. Tx (Packets) The number of IP packets transmitted over this SA. State The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase.
  • Page 155: Performing Diagnostics

    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-15 Performing Diagnostics You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets. Select Monitoring from the main menu and Diagnostics from the submenu.
  • Page 156 “Back” on the Windows menu bar to return to the Diagnostics screen. Perform a DNS Lookup A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 157 FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-5. Diagnostics Fields Item Description Reboot the Router Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally. Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet).
  • Page 159: Troubleshooting

    Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 50. This chapter includes the following sections: • “Basic Functions” on page 7-1 • “Troubleshooting the Web Configuration Interface” on page 7-2 • “Troubleshooting the ISP Connection” on page 7-4 •...
  • Page 160: Leds Never Turn Off

    FVS338 ProSafe VPN Firewall 50 Reference Manual • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support. LEDs Never Turn Off When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off.
  • Page 161 FVS338 ProSafe VPN Firewall 50 Reference Manual • Make sure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to 192.168.0.254.
  • Page 162: Troubleshooting The Isp Connection

    Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the firewall’s configuration at http://192.168.1.1. 3. Under the Monitoring menu, select Router Status. 4.
  • Page 163: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    FVS338 ProSafe VPN Firewall 50 Reference Manual – Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Configuring your Internet Connection” on page 2-2. If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet: •...
  • Page 164: Testing The Path From Your Pc To A Remote Device

    FVS338 ProSafe VPN Firewall 50 Reference Manual If the path is not functioning correctly, you could have one of the following problems: • Wrong physical connections – Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On”...
  • Page 165: Restoring The Default Configuration And Password

    FVS338 ProSafe VPN Firewall 50 Reference Manual Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the firewall’s administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways: •...
  • Page 167: Default Settings And Technical Specifications

    Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly).
  • Page 168 FVS338 ProSafe VPN Firewall 50 Reference Manual Table A-1. FVS338 Default Settings (continued) (Feature / Default Behavior): Time Zone: Time Zone Adjusted for Daylight Saving Time, Disabled; SNMP: Disabled; Remote Management: Disabled; Firewall: Inbound (communications coming in from the Internet), Disabled (except traffic on port 80, the http port); Outbound (communications going out to the Internet), Enabled (all)
  • Page 169 FVS338 ProSafe VPN Firewall 50 Reference Manual Table A-2. VPN firewall Default Technical Specifications (Feature / Specification): Environmental Specifications: Operating temperature: 0° to 40° C (32° to 104° F); Operating humidity: 90% maximum relative humidity, noncondensing. Electromagnetic Emissions: Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B...
  • Page 171: System Logs And Error Messages

    Appendix B System Logs and Error Messages This appendix uses the following log parameter terms. Table B-1. Log Parameter Terms Term Description [FVS338] System identifier [kernel] Message from the kernel. CODE Protocol code (e.g., protocol is ICMP, type 8) and CODE=0 means successful reply. DEST Destination IP Address of the machine to which the packet is destined.
  • Page 172: Reboot

    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-2. System Logs: System Startup Message Jan 1 15:22:28 [FVS338] [ledTog] [SYSTEM START-UP] System Started Explanation Log generated when the system is started. Recommended Action None Reboot This section describes log messages generated during system reboot. Table B-3.
  • Page 173: Login/Logout

    Table B-4. System Logs: NTP Message Nov 28 12:31:13 [FVS338] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [FVS338] [ntpdate] Requesting time from time-f.netgear.com Nov 28 12:31:14 [FVS338] [ntpdate] adjust time server 69.25.106.19 offset 0.140254 sec Nov 28 12:31:14 [FVS338] [ntpdate] Synchronized time with time-f.netgear.com...
  • Page 174: Ipsec Restart

    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-6. System Logs: Firewall Restart Message Jan 23 16:20:44 [FVS338] [wand] [FW] Firewall Restarted Explanation Log generated when the firewall is restarted. This message is logged whenever the firewall restarts after any change to the configuration is applied.
  • Page 175: Ppp Logs

    FVS338 ProSafe VPN Firewall 50 Reference Manual System Logs: WAN Status, Auto Rollover Message Nov 17 09:59:09 [FVS338] [wand] [LBFO] WAN1 Test Failed 1 of 3 times_ Nov 17 09:59:39 [FVS338] [wand] [LBFO] WAN1 Test Failed 2 of 3 times_ Nov 17 10:00:09 [FVS338] [wand] [LBFO] WAN1 Test Failed 3 of 3 times_ Nov 17 10:01:01 [FVS338] [wand] [LBFO] WAN1 Test Failed 4 of 3 times_ Nov 17 10:01:35 [FVS338] [wand] [LBFO] WAN1 Test Failed 5 of 3 times_...
  • Page 176 FVS338 ProSafe VPN Firewall 50 Reference Manual PPPoE Idle-Timeout Logs. Table B-8. System Logs: WAN Status, PPE, PPPoE Idle-Timeout Message Nov 29 13:12:46 [FVS338] [pppd] Starting connection Nov 29 13:12:49 [FVS338] [pppd] Remote message: Success Nov 29 13:12:49 [FVS338] [pppd] PAP authentication succeeded Nov 29 13:12:49 [FVS338] [pppd] local IP address 50.0.0.62 Nov 29 13:12:49 [FVS338] [pppd] remote IP address 50.0.0.1 Nov 29 13:12:49 [FVS338] [pppd] primary DNS address 202.153.32.3...
  • Page 177: Web Filtering And Content Filtering Logs

    FVS338 ProSafe VPN Firewall 50 Reference Manual PPTP Idle-Timeout Logs. Table B-9. System Logs: WAN Status, PPE, PPTP Idle-Timeout Message Nov 29 11:19:02 [FVS338] [pppd] Starting connection Nov 29 11:19:05 [FVS338] [pppd] CHAP authentication succeeded Nov 29 11:19:05 [FVS338] [pppd] local IP address 192.168.200.214 Nov 29 11:19:05 [FVS338] [pppd] remote IP address 192.168.200.1 Nov 29 11:19:05 [FVS338] [pppd] primary DNS address 202.153.32.2 Nov 29 11:19:05 [FVS338] [pppd] secondary DNS address 202.153.32.2...
  • Page 178 FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-11. System Logs: Web Filtering and Content Filtering Message Jan 23 16:36:35 [FVS338] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80 Explanation • This packet is blocked by keyword blocking •...
  • Page 179: Traffic Metering Logs

    FVS338 ProSafe VPN Firewall 50 Reference Manual Traffic Metering Logs Table B-12. System Logs: Traffic Metering Message Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._ Explanation The traffic limit for WAN1, which was set to 10 MB, has been reached. This stops all incoming and outgoing traffic if so configured under “When Limit is reached”...
  • Page 180: Ftp Logging

    FVS338 ProSafe VPN Firewall 50 Reference Manual Multicast/Broadcast Logs Table B-15. System Logs: Multicast/Broadcast Message Jan 1 07:24:13 [FVS338] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 Explanation • This packet (Broadcast) is destined to the device from the WAN network. •...
  • Page 181 FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-17. System Logs: Invalid Packets (continued) Recommended Action 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of invalid packets: fw/rules/attackChecks/configure dropInvalid 1 To allow invalid packets and disable logging: fw/rules/attackChecks/configure dropInvalid 0 Message 2007 Oct 1 00:44:17 [FVS338] [kernel]...
  • Page 183: Routing Logs

    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-17. System Logs: Invalid Packets (continued) Message 2007 Oct 1 00:44:17 [FVS338] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899 Explanation An attempt to re-open or close a session that does not match the firewall's connection state. Recommended Action 1. Invalid packets are dropped. 2. Use this command to enable dropping and logging of invalid packets: fw/rules/attackChecks/configure dropInvalid 1 To allow invalid packets and disable logging: fw/rules/attackChecks/configure dropInvalid 0...
  • Page 184: Lan To Wan Logs

    FVS338 ProSafe VPN Firewall 50 Reference Manual LAN to WAN Logs Table B-18. Routing Logs: LAN to WAN Message Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from LAN to WAN has been allowed by the firewall. •...
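The kernel log lines in Tables B-11, B-15, B-17 and B-18 above share one shape: a syslog timestamp (sometimes with a leading year), a `[host] [process]` prefix, a tag such as `[KEYWORD_BLOCKED]`, `MCAST-BCAST`, `[INVALID][...][DROP]` or `LAN2WAN[ACCEPT]`, and then space-separated `KEY=VALUE` fields. The parser and triage below is an added example, not NETGEAR code and not software from the FVS338; it assumes only that shape, and its input is a handful of lines copied from those tables (plus one pppd line from Table B-8, and the Table B-12 traffic-meter line with its trailing underscore artefact removed), so it runs offline. The triage questions it answers (which URLs keyword blocking stopped, which sources sent invalid packets, what reached the router itself from the WAN) are the ones a practitioner would ask of a syslog feed from this device.

```python
"""Parse FVS338-style firewall syslog lines and triage them (added example, not NETGEAR code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Timestamp with optional leading year, then [host] and an optional [process] bracket.
LINE_RE = re.compile(
    r"^(?P<ts>(?:\d{4}\s+)?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"\[(?P<host>[^\]]+)\]\s+(?:\[(?P<proc>[^\]]+)\]\s*)?(?P<rest>.*)$"
)
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")              # IN=WAN SRC=... DPT=...
TAG_RE = re.compile(r"\[([A-Z_]+)\]")                  # [INVALID] [DROP] [KEYWORD_BLOCKED]
CATEGORY_RE = re.compile(r"[A-Z][A-Z0-9_-]*(?=[\[\s:]|$)")  # LAN2WAN, MCAST-BCAST
URL_RE = re.compile(r"\[URL\]==>\[\s*(\S+)\s*\]")      # [URL]==>[ www.example.com/ ]


@dataclass
class Record:
    ts: str
    proc: str                 # "kernel", "pppd", or the host bracket when no process is given
    category: Optional[str]   # leading bare token before any [TAG] or KEY=VALUE
    tags: List[str]           # bracketed tokens in the message head
    url: Optional[str]        # URL named by a keyword-blocking message, if any
    fields: Dict[str, str]    # KEY=VALUE pairs
    message: str              # everything after the [host] [process] prefix


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a line in the manual's format, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    kvs = list(KV_RE.finditer(rest))
    head = rest[: kvs[0].start()].strip() if kvs else rest.strip()
    cat = CATEGORY_RE.match(head)
    url = URL_RE.search(head)
    return Record(
        ts=m.group("ts"),
        proc=m.group("proc") or m.group("host"),
        category=cat.group(0) if cat else None,
        tags=TAG_RE.findall(head),
        url=url.group(1) if url else None,
        fields={k: v for k, v in (kv.groups() for kv in kvs)},
        message=rest,
    )


def verdict(rec: Record) -> str:
    """Map the firewall's tags to accept / drop / info."""
    if "ACCEPT" in rec.tags:
        return "accept"
    if "DROP" in rec.tags or "KEYWORD_BLOCKED" in rec.tags:
        return "drop"
    return "info"


def triage(log_text: str) -> dict:
    """Summarise a block of log text into the questions an analyst asks first."""
    raw = [ln for ln in log_text.splitlines() if ln.strip()]
    parsed = [(ln, parse_line(ln)) for ln in raw]
    recs = [r for _, r in parsed if r is not None]
    return {
        "blocked_urls": [r.url for r in recs if "KEYWORD_BLOCKED" in r.tags and r.url],
        "invalid_by_src": Counter(r.fields.get("SRC", "?") for r in recs if "INVALID" in r.tags),
        "wan_to_self": [r.fields.get("SRC", "?") for r in recs
                        if r.fields.get("IN") == "WAN" and r.fields.get("OUT") == "SELF"],
        "lan2wan_accepts": sum(1 for r in recs if r.category == "LAN2WAN" and verdict(r) == "accept"),
        "meter_alerts": [r.message for r in recs if r.proc == "TRAFFIC_METER"],
        "unparsed": [ln for ln, r in parsed if r is None],
    }


# Sample input: lines copied from the manual's Tables B-8, B-11, B-12, B-15, B-17 and B-18.
SAMPLE_LOG = """\
Nov 29 13:12:49 [FVS338] [pppd] PAP authentication succeeded
Jan 23 16:36:35 [FVS338] [kernel] [KEYWORD_BLOCKED] [URL]==>[ www.redhat.com/ ] IN=SELF OUT=SELF SRC=192.168.10.210 DST=209.132.177.50 PROTO=TCP SPT=4282 DPT=80
Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1.
Jan 1 07:24:13 [FVS338] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138
2007 Oct 1 00:44:17 [FVS338] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT=23 DPT=54899
Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a real syslog export instead of `SAMPLE_LOG` and the `unparsed` list tells you which message shapes the regexes still miss; the `invalid_by_src` counter is the natural input for a threshold alert, since one `REOPEN_CLOSE_CONN` drop is noise but a burst from a single source is worth a look.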
  • Page 185: Appendix C Related Documents

    Appendix C Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
    Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm
    Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm
    Preparing a Computer for ...: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...
  • Page 187: Two Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect networks. As part of the new maintenance firmware release,...
  • Page 188: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented two Two-Factor Authentication solutions from WiKID. WiKID is a software-based token solution. So instead of using Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
  • Page 189 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual The WiKID solution is based on a request-response architecture: once the server has confirmed the validity of a user credential, a one-time passcode (OTP) that is time-synchronized with the authentication server is generated and sent to the user.
  • Page 190 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 2. A one-time passcode (something they have) is generated for this user. Figure D-2 Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time.
  • Page 191 Two-Factor Authentication is a new and easy way to enhance networking security products without having to replace the existing hardware. To obtain and try the new Two-Factor Authentication solution on your products, visit NETGEAR Support website at http://kbserver.netgear.com. Two Factor Authentication...
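Pages 189 and 190 above state two properties of the passcode: it is issued only after the server has confirmed the primary credential, and it is accepted once and only before its expiry. The class below is an added illustration of a server-side check that enforces exactly those two properties; it is not WiKID's request-response protocol and not NETGEAR code. The eight-digit code, the 60-second lifetime, the user name "alice" and the choice to void an outstanding passcode on any failed attempt are assumptions made for the example; the clock is injectable so the expiry path can be exercised without waiting.

```python
"""Single-use, time-limited passcode check (added illustration, not WiKID's protocol or NETGEAR code)."""
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple


class PasscodeStore:
    """Issue a passcode after the primary credential is verified; accept it at most once, before expiry."""

    def __init__(self, ttl_seconds: int = 60, clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds              # lifetime in seconds (assumption: 60)
        self.clock = clock                  # injectable so tests can move time forward
        self._outstanding: Dict[str, Tuple[str, float]] = {}   # user -> (code, expires_at)

    def issue(self, user: str, primary_ok: bool) -> Optional[str]:
        """Second factor is only issued once the first factor (password) has been verified."""
        if not primary_ok:
            return None
        code = f"{int.from_bytes(os.urandom(4), 'big') % 10**8:08d}"   # 8 digits: assumption
        self._outstanding[user] = (code, self.clock() + self.ttl)
        return code

    def verify(self, user: str, code: str) -> Tuple[bool, str]:
        """Consume the outstanding passcode on any attempt, then check expiry and value."""
        entry = self._outstanding.pop(user, None)   # single use: gone whether or not this succeeds
        if entry is None:
            return False, "no outstanding passcode"
        expected, expires_at = entry
        if self.clock() > expires_at:
            return False, "expired"
        if not hmac.compare_digest(expected.encode(), code.encode()):   # constant-time compare
            return False, "mismatch"
        return True, "ok"


class FakeClock:
    """Controllable clock so the expiry check can be demonstrated deterministically."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now


def run_scenario() -> Tuple[str, str, str, str, Optional[str]]:
    """Walk through: first use, replay, expiry, wrong guess, and issue without a verified password."""
    clock = FakeClock()
    store = PasscodeStore(ttl_seconds=60, clock=clock)

    code = store.issue("alice", primary_ok=True)
    first = store.verify("alice", code)[1]            # "ok"
    replay = store.verify("alice", code)[1]           # "no outstanding passcode": same code again

    code = store.issue("alice", primary_ok=True)
    clock.now += 61                                   # past the lifetime
    late = store.verify("alice", code)[1]             # "expired"

    code = store.issue("alice", primary_ok=True)
    wrong_code = code[:-1] + ("0" if code[-1] != "0" else "1")
    wrong = store.verify("alice", wrong_code)[1]      # "mismatch", and the real code is now void too

    denied = store.issue("bob", primary_ok=False)     # None: no passcode without the first factor
    return first, replay, late, wrong, denied


if __name__ == "__main__":
    print(run_scenario())
```

Voiding the passcode on a failed attempt is the stricter of two reasonable policies: it costs the user a fresh passcode after a typo, but it caps an online guesser at one try per issued code.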
  • Page 193: Index

    Index with schedule 4-20 Broadband Status Add LAN WAN Inbound Service screen 4-9, 4-14 monitoring 6-24 Add LAN WAN Outbound Service screen 4-8 Broadband Traffic Meter screen 6-19 address reservation 3-10 VPN Policies, use with 5-17 ARP 3-7 VPN gateway, use with 5-16 Attack Checks CA Certificates Block TCP Flood 4-10...
  • Page 194 FVS338 ProSafe VPN Firewall 50 Reference Manual server IP address 3-4 date DNS lookup 6-27 troubleshooting 7-7 DNS Proxy 1-4 Daylight Savings Time Domain Name setting 6-18 router 3-3 Dead Peer Detection 5-15 Domain Name Blocking 6-3 default configuration domain name blocking. See Keyword Blocking restoring 7-7 DOS protection default firewall rules 4-2...
  • Page 195 FVS338 ProSafe VPN Firewall 50 Reference Manual alerts, emailing of 4-30 Port Forwarding 4-4 connecting 2-1, 2-2 Increased Traffic logging in to 2-1 Port Triggering 6-6 rear panel 1-8 Increased traffic security, about 4-1 Port Forwarding 6-4 status 6-23 VPN tunnels 6-6 technical specifications A-1 installation 1-4 firewall access...
  • Page 196 FVS338 ProSafe VPN Firewall 50 Reference Manual monitoring devices by DHCP Client Requests 3-8 L2TP by Scanning the Network 3-8 VPN Tunnel 4-11 multicasting guidelines 3-14 configuration 3-1 ports and attached devices 6-26 using LAN IP setup options 3-2 LAN Security Checks NAS Identifier UDP flood 4-10 use with RADIUS 5-22...
  • Page 197 FVS338 ProSafe VPN Firewall 50 Reference Manual Ping RADIUS-PAP Troubleshooting TCP/IP 7-5 XAUTH, use with 5-19 pinging an IP address 6-27 Reboot the Router 6-29 port filtering 4-2 reducing traffic Outbound Rules 4-2 Block Sites 6-1 Service Blocking 6-1 Port Forwarding 4-2, 4-4, 6-4 Source MAC filtering 6-1 Inbound Rules 4-4 remote management 6-9, 6-10...
  • Page 198 FVS338 ProSafe VPN Firewall 50 Reference Manual Schedule 1 screen 4-20 configuring 3-10 example 3-11 Security 1-3 Stealth Mode Self Certificate Attack Checks 4-10 format of 5-33 Request, generating 5-33 SYN flood denial of service attack 4-10 Self Certificate request submitting 5-35 Syslog Server 4-32 Self Certificates...
  • Page 199 FVS338 ProSafe VPN Firewall 50 Reference Manual UDP flood denial of service attack 4-10 port connection status 6-26 upgrade firmware 6-15 WAN Ports Status monitoring 6-24 upgrade router steps to 6-17 WAN Users Service Blocking 6-2 User Database configuring 5-20 Web Component Blocking 6-3 XAUTH, use with 5-19 Web Components...
