NETGEAR FVS336Gv1 - ProSafe Dual WAN Gigabit Firewall Reference Manual

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
202-10257-05
v1.0
January 2010

Summary of Contents for NETGEAR FVS336Gv1 - ProSafe Dual WAN Gigabit Firewall

  • Page 2: Technical Support

    In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Manufacturer's/Importer's Declaration: It is hereby confirmed that the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The lawful operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please refer to the notes in the operating instructions.
  • Page 4 OpenSSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
  • Page 5 Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
  • Page 7: Table Of Contents

    Contents. About This Manual: Conventions, Formats, and Scope (xv); How to Print This Manual (xvi); Revision History (xvi). Chapter 1 Introduction: Key Features (1-1); Dual WAN Ports for Increased Reliability or Outbound Load Balancing (1-2); Advanced VPN Support for Both IPsec and SSL (1-2); A Powerful, True Firewall with Content Filtering (1-3); Autosensing Ethernet Connections with Auto Uplink (1-3)...
  • Page 8 Configuring the WAN Mode (Required for Dual WAN) (2-11); Network Address Translation (2-12); Classical Routing (2-12); Configuring Auto-Rollover Mode (2-13); Configuring Load Balancing (2-14); Configuring Dynamic DNS (Optional) (2-16); Configuring the Advanced WAN Options (Optional) (2-18); Additional WAN Related Configuration (2-20). Chapter 3...
  • Page 9 Creating Gateway to Gateway VPN Tunnels with the Wizard (5-3); Creating a Client to Gateway VPN Tunnel (5-6); Testing the Connections and Viewing Status Information (5-12); NETGEAR VPN Client Status and Log Information (5-12); VPN Firewall VPN Connection Status and Logs (5-14); Managing VPN Policies (5-15); Configuring IKE Policies (5-16)...
  • Page 10 Configuring Dead Peer Detection (5-33); Configuring NetBIOS Bridging with VPN (5-34). Chapter 6 Virtual Private Networking Using SSL: Understanding the Portal Options (6-1); Planning for SSL VPN (6-2); Creating the Portal Layout (6-3); Configuring Domains, Groups, and Users (6-7); Configuring Applications for Port Forwarding (6-7)...
  • Page 11 Chapter 8 VPN Firewall and Network Management: Performance Management (8-1); Bandwidth Capacity (8-1); Features That Reduce Traffic (8-2); Features That Increase Traffic (8-5); Using QoS to Shift the Traffic Mix (8-7); Tools for Traffic Management (8-8); Changing Passwords and Administrator Settings (8-8); Enabling Remote Management Access (8-10)...
  • Page 12 VPN Telecommuter (Client-to-Gateway Through a NAT Router) (B-16). Appendix C Two Factor Authentication: Why do I need Two-Factor Authentication? (C-1); What are the benefits of Two-Factor Authentication? (C-1); What is Two-Factor Authentication (C-2); NETGEAR Two-Factor Authentication Solutions (C-2).
  • Page 13 Appendix D Related Documents. Index.
  • Page 15: About This Manual

    About This Manual The NETGEAR ® ProSafe™ Dual WAN Gigabit Firewall with SSL & IPsec VPN Reference Manual describes how to install, configure and troubleshoot a ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. The information in this manual is intended for readers with intermediate computer and networking skills.
  • Page 16: How To Print This Manual

    NETGEAR website in Appendix D, “Related Documents.” Note: Product updates are available on the NETGEAR, Inc. website at http://kb.netgear.com/app/home. How to Print This Manual To print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files.
  • Page 17 Revision History (continued). 202-10257-04, March 2009: Added these corrections and topics for the March 2009 firmware maintenance release: WiKID two-factor authentication; SIP ALG support; DHCP Relay support; ...
  • Page 18 Revision History (continued). 202-10257-05, January 2010 (continued): Updated the “Attack Checks” section and screen (Figure 4-8) to show that you can specify an IP address that is allowed to respond to a ping.
  • Page 19: Introduction

    Chapter 1 Introduction The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems or DSL modems. Dual wide area network (WAN) ports allow you to increase throughput to the Internet by using both ports together, or to maintain a backup connection in case of failure of your primary Internet connection.
  • Page 20: Dual Wan Ports For Increased Reliability Or Outbound Load Balancing

    VPN client software on the remote computer. – IPsec VPN with broad protocol support for secure connection to other IPsec gateways and clients. – Bundled with the single-user license of the NETGEAR ProSafe VPN Client software (VPN01L) – Supports 25 concurrent IPsec VPN tunnels. •...
  • Page 21: A Powerful, True Firewall With Content Filtering

    – Browser based, platform-independent, remote access through a number of popular browsers, such as Microsoft Internet Explorer or Apple Safari. – Provides granular access to corporate resources based upon user type or group membership.
  • Page 22: Extensive Protocol Support

    ISP account. • VPN Wizard. The FVS336G includes the NETGEAR VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 23: Maintenance And Support

    Visual monitoring. The FVS336G’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVS336G: • Flash memory for firmware upgrade.
  • Page 24: Front Panel Features

    If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the FVS336G for repair.
  • Page 25: Rear Panel Features

    Table 1-1. LED Descriptions (continued). LINK/ACT (Link and Activity) LED of a WAN port: On (Green): the WAN port has detected a link with a connected Ethernet device. Blinking (Green): data is being transmitted or received by the WAN port. Off: the WAN port has no link.
  • Page 26: Default Ip Address, Login Name, And Password Location

    • AC power receptacle: Universal AC input (100-240 VAC, 50-60 Hz). • On/off power switch. Default IP Address, Login Name, and Password Location: Check the label on the bottom of the FVS336G’s enclosure if you need a reminder of the following factory default information: IP Address, User Name, ...
  • Page 27: Connecting The Fvs336G To The Internet

    FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com. 2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your VPN firewall.
  • Page 28: Logging Into The Vpn Firewall

    5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on page 2-16.
  • Page 29 5. Click Login. The Web Configuration Manager appears, displaying the Router Status screen (Figure 2-2).
  • Page 30: Navigating The Menus

    Navigating the Menus. The Web Configuration Manager menus are organized in a layered structure of main categories and submenus: • Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories.
  • Page 31: Automatically Detecting And Connecting

    Automatically Detecting and Connecting. To automatically configure the WAN ports for connection to the Internet (Figure 2-3): 1. Select Network Configuration > WAN Settings from the menu. The WAN Settings tabs appear, with the WAN1 ISP Settings screen in view.
  • Page 32 Figure 2-4. a. If Auto Detect is successful, a status bar at the top of the screen will display the results. b. If Auto Detect senses a connection method that requires input from you, it will prompt you for the information.
  • Page 33: Manually Configuring The Internet Connection

    Figure 2-5. The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, go to “Manually Configuring the Internet Connection” on page 2-7 following this section, or see “Troubleshooting the ISP Connection”...
  • Page 34 To manually configure the WAN1 ISP settings: 1. Select Network Configuration > WAN Settings from the menu. The WAN Settings tabs appear, with the WAN1 ISP Settings screen in view. 2.
  • Page 35 b. Configure the following fields: • Account Name. Valid account name for the PPPoE connection. • Domain Name. Name of your ISP’s domain, or your domain name if your ISP has assigned one.
  • Page 36 7. Review the Internet (IP) Address options (Figure 2-8). 8. If your ISP has not assigned a static IP address, click Get dynamically from ISP. The ISP will automatically assign an IP address to the VPN firewall using the DHCP protocol.
  • Page 37: Configuring The Wan Mode (Required For Dual Wan)

    12. Click Test to evaluate your entries. The VPN firewall will attempt to connect to the NETGEAR website. If a successful connection is made, NETGEAR’s website appears. 13. If you intend to use a dual WAN mode, click the WAN2 ISP Settings tab and configure the WAN2 ISP settings using the same steps as WAN1.
  • Page 38: Network Address Translation

    • Load Balancing Mode. The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. Note: Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications.
  • Page 39: Configuring Auto-Rollover Mode

    Configuring Auto-Rollover Mode. To use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured. Then select the WAN port that will act as the primary link for this mode and configure the WAN Failure Detection Method to support Auto-Rollover.
  • Page 40: Configuring Load Balancing

    2. In the Port Mode section, select Auto-Rollover Using WAN port. 3. From the pull-down menu, choose which WAN port will act as the primary link for this mode. 4.
  • Page 41 Protocol binding. Protocol binding addresses two issues: • Segregation of traffic between links that are not of the same speed. High-volume traffic can be routed through the WAN port connected to a high-speed link and low-volume traffic can be routed through the WAN port connected to the low-speed link.
  • Page 42: Configuring Dynamic Dns (Optional)

    • Single address. Enter the required address and the rule will be applied to that particular PC. • Address range. If this option is selected, you must enter the start and finish fields. •...
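The WAN-mode behaviour described on the last few pages (equal distribution over the functional WAN ports, protocol-binding rules that bypass balancing for a service and a source selector of "any", a single address, or a start-finish range, and auto-rollover to the backup port when the primary fails) is modelled below. This is an added example and not NETGEAR code; the `Binding` and `WanSelector` names, the way link state is fed in, and the round-robin choice of "equal" distribution are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Binding:
    """A protocol-binding rule: traffic for `service` from `source` uses `wan`.

    `source` is "any", a single address ("192.168.1.10"), or an inclusive range
    written "start-finish", mirroring the three selectors on the screen.
    """
    service: str   # built-in or custom service name, or "ANY"
    source: str
    wan: str       # "WAN1" or "WAN2"

    def matches(self, service: str, src_ip: str) -> bool:
        if self.service not in ("ANY", service):
            return False
        if self.source == "any":
            return True
        ip = ipaddress.ip_address(src_ip)
        if "-" in self.source:
            start, finish = (ipaddress.ip_address(p) for p in self.source.split("-", 1))
            return start <= ip <= finish
        return ip == ipaddress.ip_address(self.source)


class WanSelector:
    """Chooses the WAN port for a new outbound flow under one of the two WAN modes."""

    def __init__(self, mode: str, wan_up: Dict[str, bool], primary: str = "WAN1",
                 bindings: Optional[Iterable[Binding]] = None) -> None:
        if mode not in ("load_balancing", "auto_rollover"):
            raise ValueError("mode must be load_balancing or auto_rollover")
        self.mode = mode
        self.wan_up = dict(wan_up)            # link state, as updated by failure detection
        self.primary = primary
        self.bindings: List[Binding] = list(bindings or [])
        self._round_robin = cycle(sorted(self.wan_up))   # assumed "equal" distribution

    def functional(self) -> List[str]:
        return [w for w, up in sorted(self.wan_up.items()) if up]

    def select(self, service: str, src_ip: str) -> Optional[str]:
        up = self.functional()
        if not up:
            return None                       # no usable link at all
        # Protocol binding bypasses load balancing for matching traffic; if the
        # bound port is down the flow falls back to the normal decision.
        for b in self.bindings:
            if b.matches(service, src_ip) and self.wan_up.get(b.wan, False):
                return b.wan
        if self.mode == "auto_rollover":
            if self.wan_up.get(self.primary, False):
                return self.primary
            return up[0]                      # backup link takes over
        # Load balancing: spread flows over the functional ports only.
        while True:
            candidate = next(self._round_robin)
            if self.wan_up[candidate]:
                return candidate

    def distribute(self, flows: Iterable[tuple]) -> Counter:
        """Count how a batch of (service, src_ip) flows lands on the WAN ports."""
        return Counter(self.select(svc, ip) for svc, ip in flows)


if __name__ == "__main__":
    # Constructed scenario: SMTP from one address range is pinned to WAN2.
    sel = WanSelector("load_balancing", {"WAN1": True, "WAN2": True},
                      bindings=[Binding("SMTP", "192.168.1.20-192.168.1.30", "WAN2")])
    print(sel.distribute([("HTTP", "192.168.1.5")] * 10))
    sel.wan_up["WAN2"] = False
    print(sel.select("SMTP", "192.168.1.25"))   # bound port is down, so WAN1
```

Note that a binding whose port is down does not black-hole the flow: the selector falls back to whatever links remain, which is the behaviour an administrator expects when a bound link fails.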
  • Page 43 You may need to use a fully qualified domain name (FQDN): • For auto-rollover mode, you will need an FQDN to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address.
  • Page 44: Configuring The Advanced Wan Options (Optional)

    The Current WAN Mode section reports the currently configured WAN mode (for example, Single Port WAN1, Load Balancing or Auto Rollover). Only those options that match the configured WAN Mode will be accessible.
  • Page 45 Figure 2-14. 3. Edit the default information you want to change. a. MTU Size. The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or 1492 bytes for PPPoE connections. For some ISPs, you may need to reduce the MTU.
  • Page 46: Additional Wan Related Configuration

    Additional WAN Related Configuration. • If you want the ability to manage the VPN firewall remotely, enable remote management at this time (see “Enabling Remote Management Access” on page 8-10).
  • Page 47: Lan Configuration

    Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G. This chapter contains the following sections • “Choosing the VPN Firewall DHCP Options” on this page •...
  • Page 48: Configuring The Lan Setup Options

    The VPN firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP address from the range you have defined. • Subnet mask. •...
  • Page 49 Note: If you enable the DHCP Relay feature, you will not use the VPN firewall as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
  • Page 50 Note: If you change the LAN IP address of the VPN firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.
  • Page 51 • WINS Server. (Optional) Specifies the IP address of a local Windows NetBIOS server if one is present in your network. • Lease Time. This specifies the duration for which IP addresses will be leased to clients. If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information.
  • Page 52: Managing Groups And Hosts (Lan Groups)

    Managing Groups and Hosts (LAN Groups). The Known PCs and Devices table on the LAN Groups screen contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall, or have been discovered by other means.
  • Page 53: Viewing The Lan Groups Database

    • A computer is identified by its MAC address, not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC. Viewing the LAN Groups Database. To view the LAN Groups Database, follow these steps: 1.
  • Page 54: Adding Devices To The Lan Groups Database

    Adding Devices to the LAN Groups Database. To add devices manually to the LAN Groups Database, follow these steps: 1. In the Add Known PCs and Devices section, make the following entries: •...
  • Page 55: Configuring Dhcp Address Reservation

    To edit the names of any of the eight available groups: 1. From the LAN Groups tab, click the Edit Group Names link to the right of the tabs. The Network Database Group Names screen appears.
  • Page 56: Configuring Multi Home Lan Ip Addresses

    Configuring Multi Home LAN IP Addresses. If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the VPN firewall.
  • Page 57: Configuring Static Routes

    3. Click Add. The new Secondary LAN IP address will appear in the Available Secondary LAN IPs table. Note: IP addresses on these secondary subnets cannot be configured in the DHCP server.
  • Page 58 2. Click Add. The Add Static Route screen is displayed (Figure 3-6). 3. Enter a route name for this static route in the Route Name field (for identification and management).
  • Page 59: Configuring Routing Information Protocol (Rip)

    Configuring Routing Information Protocol (RIP). RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network.
  • Page 60 • Both. The VPN firewall broadcasts its routing table and also processes RIP information received from other routers. • Out Only. The VPN firewall broadcasts its routing table periodically but does not accept RIP information from other routers.
  • Page 61: Firewall Protection And Content Filtering

    Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G to protect your network. This chapter contains the following sections: •...
  • Page 62: Using Rules To Block Or Allow Specific Kinds Of Traffic

    A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks.
  • Page 63: About Services-Based Rules

    About Services-Based Rules. The rules to block traffic are based on the traffic’s category of service. • Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it.
  • Page 64 Table 4-1. Outbound Rules (continued). Select Schedule: Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule. • This pull-down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block”...
  • Page 65 Note: See “Configuring Source MAC Filtering” on page 4-28 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the VPN firewall.
  • Page 66 Table 4-2. Inbound Rules. Service: Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the table, you must define it using the Services screen (see “Adding Customized Services”...
  • Page 67 Table 4-2. Inbound Rules (continued). Specifies whether packets covered by this rule are logged. Select the desired action: • Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
  • Page 68: Viewing The Rules

    Viewing the Rules. To view the firewall rules: Select Security > Firewall from the menu. The LAN WAN Rules screen is displayed (Figure 4-1 shows some examples). Order of Precedence for Rules. As you define new rules, they are added to the tables in the LAN WAN Rules screen as the last...
  • Page 69: Creating A Lan Wan Outbound Services Rule

    To change the default outbound policy, follow these steps: 1. Go to the LAN WAN Rules screen, shown in Figure 4-1 on page 4-8. 2. Change the Default Outbound Policy by selecting Block Always from the pull-down menu. 3.
  • Page 70: Creating A Lan Wan Inbound Services Rule

    2. Configure the parameters based on the descriptions in Table 4-1 on page 4-3. 3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
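The rule semantics spread over the preceding pages (first matching rule in table order wins, new rules land at the bottom, the default outbound policy of Allow Always that can be switched to Block Always, the four actions including the "by schedule, otherwise ..." pair, a source-address restriction such as the branch-office videoconferencing rule, and a Log setting of Always that records every packet the rule considers whether or not it matches) are put together in the rule evaluator below. This is an added example, not NETGEAR's implementation; the service table, the `Packet`, `Schedule`, `Rule` and `RuleTable` names, the H323 custom service on TCP 1720, and the sample schedule and dates are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Constructed subset of the Services table: name -> (protocol, destination port).
# "ANY" matches every protocol and port (this is what an exposed-host rule uses).
SERVICES = {
    "HTTP": ("TCP", 80),
    "HTTPS": ("TCP", 443),
    "SMTP": ("TCP", 25),
    "DNS": ("UDP", 53),
    "H323": ("TCP", 1720),   # assumed custom service for videoconferencing call setup
    "ANY": (None, None),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Schedule:
    """One of Schedule1..3: active on the given weekdays between start and end."""
    name: str
    days: frozenset            # 0 = Monday ... 6 = Sunday
    start: time
    end: time

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class Rule:
    service: str
    action: str                                  # ALLOW_ALWAYS, BLOCK_ALWAYS,
                                                 # ALLOW_BY_SCHEDULE, BLOCK_BY_SCHEDULE
    schedule: Optional[Schedule] = None          # used only by the BY_SCHEDULE actions
    src_range: Optional[Tuple[str, str]] = None  # inclusive source range; None = any
    log: str = "Never"                           # "Always" or "Never"

    def matches(self, pkt: Packet) -> bool:
        proto, port = SERVICES[self.service]
        if proto is not None and (pkt.proto, pkt.dport) != (proto, port):
            return False
        if self.src_range is not None:
            lo, hi = (ipaddress.ip_address(a) for a in self.src_range)
            return lo <= ipaddress.ip_address(pkt.src) <= hi
        return True

    def decide(self, when: datetime) -> str:
        if self.action == "ALLOW_ALWAYS":
            return "ALLOW"
        if self.action == "BLOCK_ALWAYS":
            return "BLOCK"
        in_window = self.schedule is not None and self.schedule.active(when)
        if self.action == "ALLOW_BY_SCHEDULE":
            return "ALLOW" if in_window else "BLOCK"
        return "BLOCK" if in_window else "ALLOW"   # BLOCK by schedule, otherwise Allow


class RuleTable:
    """An Outbound or Inbound Services table together with its default policy."""

    def __init__(self, default_policy: str) -> None:
        self.default_policy = default_policy     # "ALLOW" (outbound default) or "BLOCK"
        self.rules: List[Rule] = []
        self.log: List[str] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)                  # new rules go to the end, as in the GUI

    def evaluate(self, pkt: Packet, when: datetime) -> str:
        """First matching rule wins; unmatched packets get the default policy."""
        for index, rule in enumerate(self.rules):
            hit = rule.matches(pkt)
            if rule.log == "Always":             # logged whether it matches or not
                self.log.append(f"rule{index} {rule.service} "
                                f"{'match' if hit else 'no-match'} "
                                f"{pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto}")
            if hit:
                return rule.decide(when)
        return self.default_policy


# Constructed schedule and sample times (2010-01-04 is a Monday, 2010-01-09 a Saturday).
WORK_HOURS = Schedule("Schedule1", frozenset({0, 1, 2, 3, 4}), time(9, 0), time(17, 0))
MONDAY_NOON = datetime(2010, 1, 4, 12, 0)
SATURDAY_NOON = datetime(2010, 1, 9, 12, 0)


def build_outbound_table() -> RuleTable:
    """Default Allow Always; SMTP blocked always (and logged); web blocked in work hours."""
    table = RuleTable("ALLOW")
    table.add(Rule("SMTP", "BLOCK_ALWAYS", log="Always"))
    table.add(Rule("HTTP", "BLOCK_BY_SCHEDULE", schedule=WORK_HOURS))
    return table


def build_inbound_table(exposed_host: bool = False) -> RuleTable:
    """Inbound is blocked by default; videoconferencing is allowed from the branch
    range only; an exposed-host rule (ALLOW ANY) goes last when requested."""
    table = RuleTable("BLOCK")
    table.add(Rule("SMTP", "BLOCK_ALWAYS"))
    table.add(Rule("H323", "ALLOW_ALWAYS", src_range=("198.51.100.0", "198.51.100.255")))
    if exposed_host:
        table.add(Rule("ANY", "ALLOW_ALWAYS"))
    return table
```

Because evaluation stops at the first match, a BLOCK rule placed above the exposed-host ALLOW ANY rule still takes effect, which is why the manual tells you to place that rule below all other inbound rules; the table order is the policy.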
  • Page 71: Modifying Rules

    Modifying Rules. To make changes to an existing outbound or inbound service rule on the LAN WAN Rules screen, in the Action column to the right of the rule, click one of the following table buttons: •...
  • Page 72 Figure 4-4. LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses. If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule.
  • Page 73 LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping. If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN.
  • Page 74: Outbound Rules Example

    1. Create an inbound rule that allows all protocols. 2. Place the new rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer on your LAN is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 75: Configuring Other Firewall Features

    Figure 4-7. Configuring Other Firewall Features. You can configure attack checks, set session limits, and manage the Application Level Gateway (ALG) for SIP sessions. Attack Checks. The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the LAN and WAN networks.
  • Page 76 Figure 4-8. The various types of attack checks listed on the Attack Checks screen are: • WAN Security Checks – Respond To Ping On Internet Ports. By default, the VPN firewall responds to an ICMP Echo (ping) packet coming from the Internet or WAN side.
  • Page 77: Configuring Session Limits

    • LAN Security Checks. – Block UDP flood. A UDP flood is a form of denial-of-service attack in which the attacking machine sends a large number of UDP packets to random ports on the victim host.
  • Page 78: Managing The Application Level Gateway For Sip Sessions

    To configure session limits: 1. Select Security > Firewall > Session Limit to display the Session Limit screen (Figure 4-9). 2. Click Yes to enable Session Limits. 3.
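The three protections from the Attack Checks and Session Limit screens are modelled below over a constructed packet stream: the WAN check that stops the firewall answering ICMP echo unless the check is on or the sender is the one IP address allowed to ping (the setting the January 2010 revision added), the LAN check that flags a host spraying UDP at many ports of one destination in a short burst, and a per-source cap on concurrent sessions. This is an added example and not NETGEAR code; the threshold of distinct target ports, the time window, and the session limit value are assumptions (the real values come from the screens), as is the detection heuristic itself.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple


class AttackChecks:
    """Constructed model of Respond To Ping, Block UDP flood and Session Limit."""

    def __init__(self, respond_to_ping: bool = False, ping_allowed_ip: Optional[str] = None,
                 udp_flood_ports: int = 20, udp_window: float = 1.0,
                 max_sessions_per_ip: int = 10) -> None:
        self.respond_to_ping = respond_to_ping          # WAN check: answer ICMP echo at all?
        self.ping_allowed_ip = ping_allowed_ip          # this address may ping even when off
        self.udp_flood_ports = udp_flood_ports          # assumed: distinct targets per window
        self.udp_window = udp_window                    # assumed: seconds
        self.max_sessions_per_ip = max_sessions_per_ip  # assumed session-limit value
        self._udp_hist: Dict[str, Deque[Tuple[float, Tuple[str, int]]]] = defaultdict(deque)
        self._sessions: Dict[str, Set[Tuple[str, int, str]]] = defaultdict(set)
        self.alerts: List[Tuple[str, str, float]] = []

    # WAN security check: Respond To Ping On Internet Ports
    def wan_icmp_echo(self, src: str, ts: float) -> str:
        if self.respond_to_ping or src == self.ping_allowed_ip:
            return "REPLY"
        return "DROP"

    # LAN security check: Block UDP flood
    def lan_udp(self, src: str, dst: str, dport: int, ts: float) -> str:
        hist = self._udp_hist[src]
        hist.append((ts, (dst, dport)))
        while hist and ts - hist[0][0] > self.udp_window:    # slide the time window
            hist.popleft()
        distinct_targets = {target for _, target in hist}
        if len(distinct_targets) > self.udp_flood_ports:       # many random ports in a burst
            self.alerts.append(("UDP_FLOOD", src, ts))
            return "DROP"
        return "FORWARD"

    # Session limit: at most N concurrent sessions per source IP address
    def open_session(self, src: str, dst: str, dport: int, proto: str, ts: float) -> str:
        key = (dst, dport, proto)
        held = self._sessions[src]
        if key in held:
            return "EXISTING"
        if len(held) >= self.max_sessions_per_ip:
            self.alerts.append(("SESSION_LIMIT", src, ts))
            return "REFUSE"
        held.add(key)
        return "NEW"

    def close_session(self, src: str, dst: str, dport: int, proto: str) -> None:
        self._sessions[src].discard((dst, dport, proto))

    def session_count(self, src: str) -> int:
        return len(self._sessions[src])


def udp_burst(checks: AttackChecks, src: str, dst: str, n_ports: int,
              first_port: int = 1024, spacing: float = 0.01) -> List[str]:
    """Constructed flood: one datagram to each of n_ports consecutive ports, spacing s apart."""
    return [checks.lan_udp(src, dst, first_port + i, i * spacing) for i in range(n_ports)]


if __name__ == "__main__":
    ac = AttackChecks(respond_to_ping=False, ping_allowed_ip="203.0.113.50")
    print(ac.wan_icmp_echo("198.51.100.1", 0.0), ac.wan_icmp_echo("203.0.113.50", 0.0))
    print(udp_burst(ac, "192.168.1.77", "203.0.113.5", 25).count("DROP"), "dropped")
```

The flood check keys on distinct destination ports rather than raw packet rate, so a host hammering one DNS resolver on port 53 is not mistaken for an attacker, while a scan or flood across many ports trips it within the window.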
  • Page 79: Creating Services, Qos Profiles, And Bandwidth Profiles

    To enable ALG for SIP: 1. Select Security > Firewall > Advanced to display the Advanced screen (Figure 4-10). 2. Select the Enable SIP ALG checkbox. 3. Click Apply to save your settings. Creating Services, QoS Profiles, and Bandwidth Profiles. When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:...
  • Page 80 service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
  • Page 81: Setting Quality Of Service (Qos) Priorities

    6. Click Add. The new custom service will be added to the Custom Services Table. Modifying a Service. To edit the parameters of an existing service: 1. In the Custom Services Table, click the Edit button adjacent to the service you want to edit. The Edit Service screen is displayed.
  • Page 82: Creating Bandwidth Profiles

    The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall. A priority is assigned to IP packets using this service. Priorities are defined by the “Type of Service (ToS) in the Internet Protocol Suite”...
  • Page 83 The List of Bandwidth Profiles table displays existing profiles. 2. To create a new bandwidth profile, click Add. The Add Bandwidth Profile screen is displayed (Figure 4-14). 3.
  • Page 84: Setting A Schedule To Block Or Allow Specific Traffic

    4. Click Apply. The new bandwidth profile will be added to the List of Bandwidth Profiles table. To edit a bandwidth profile: 1. Click the Edit link adjacent to the profile you want to edit. The Edit Bandwidth Profile screen is displayed.
  • Page 85: Blocking Internet Sites (Content Filtering)

    Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message. Several types of blocking are available: •...
  • Page 86 – Cookies. Cookies are used to store session information by websites that usually require login. However, several websites use cookies to store tracking information and browsing habits. Enabling this option prevents cookies from being created by a website. Note: Many websites require that cookies be accepted in order for the site to be accessed properly.
  • Page 87 To enable Content Filtering: 1. Select Security > Block Sites to display the Block Sites screen (Figure 4-16). 2. Select Yes to enable content filtering. 3. Click Apply to activate the screen controls.
  • Page 88: Configuring Source Mac Filtering

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 4. Select any Web Components you wish to block and click Apply. 5. Select the groups to which keyword blocking will apply, then click Enable to activate keyword blocking (or disable to deactivate keyword blocking).
  • Page 89 Figure 4-17 3. Click Yes to enable Source MAC Filtering. 4. Select the action to be taken on outbound traffic from the listed MAC addresses: – Block this list and permit all other MAC addresses. –...
  • Page 90: Configuring IP/MAC Address Binding

    Configuring IP/MAC Address Binding You can configure the VPN firewall to drop packets and generate an alert when a device appears to have hijacked or spoofed another device’s IP address. An IP address can be bound to a specific MAC address either by using a DHCP reserved address (see “Configuring DHCP Address Reservation”...
  • Page 91: Configuring Port Triggering

    b. Enter the MAC Address and IP Address to be bound. A valid MAC address is six colon-separated pairs of hexadecimal digits (0 to 9 and a to f). For example: 01:23:45:ab:cd:ef. c.
  • Page 92 Note these restrictions with port triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC.
  • Page 93: E-Mail Notifications Of Event Logs And Alerts

    7. Click Add. The port triggering rule will be added to the Port Triggering Rules table. To check the status of the port triggering rules, click the Status option arrow to the right of the tab on the Port Triggering screen.
  • Page 94 – Schedules (see “Setting a Schedule to Block or Allow Specific Traffic” on page 4-24) – Block sites (see “Blocking Internet Sites (Content Filtering)” on page 4-25) –...
  • Page 95: Virtual Private Networking Using IPsec

    Chapter 5 Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections: •...
  • Page 96 The diagrams and table below show how the WAN mode selection relates to VPN configuration. [Diagram: WAN Auto-Rollover: FQDN Required for VPN]
  • Page 97: Using The VPN Wizard For Client And Gateway Configurations

    Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: •...
  • Page 98 Figure 5-4 3. Select Gateway as your connection type. 4. Create a Connection Name. Enter a descriptive name for the connection. This name is used to help you manage the VPN settings; it is not supplied to the remote VPN endpoint. 5.
  • Page 99 7. Enter the Remote and Local WAN IP Addresses or Internet Names of the gateways which will connect. • Both the remote WAN address and your local WAN address are required. Tip: To ensure tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive.
  • Page 100: Creating A Client To Gateway VPN Tunnel

    10. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured.
  • Page 101 Follow these steps to configure a VPN client tunnel: • Configure the client policies on the gateway. • Configure the VPN client to connect to the gateway. Use the VPN Wizard to Configure the Gateway for a Client Tunnel 1.
  • Page 102 Figure 5-9 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the VPN firewall.
  • Page 103 Follow these steps to configure your VPN client. 1. Right-click on the VPN client icon in your Windows toolbar, choose Security Policy Editor, and verify that the Options > Secure > Specified Connections selection is enabled. Figure 5-10 2.
  • Page 104 Fill in the other options according to the instructions below. • Under Connection Security, verify that the Secure radio button is selected. • From the ID Type pull-down menu, choose IP Subnet. •...
  • Page 105 4. Verify the Security Policy settings; no changes are needed. Figure 5-13
  • Page 106: Testing The Connections And Viewing Status Information

    5. In the upper left of the window, click the disk icon to save the policy. Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 107 Connections\gw1”. Figure 5-15 The VPN client icon in the system tray should state On: 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer.
  • Page 108: VPN Firewall VPN Connection Status And Logs

    • Right-click the VPN Client icon in the system tray and select Connection Monitor. Figure 5-17 The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2.
  • Page 109: Managing VPN Policies

    You can set a poll interval (in seconds) to check the connection status of all active IKE policies to obtain the latest VPN tunnel activity. The Active IPSec SA(s) table also lists current data for each active IPsec SA (security association): •...
  • Page 110: Configuring IKE Policies

    You can edit existing policies, or add new VPN and IKE policies directly in the policy tables. Note: You cannot modify an IKE policy that is associated with an enabled VPN policy. To modify the IKE policy, first disable the VPN policy.
  • Page 111 Go to VPN > Policies to view the IKE Policies screen. (The example policies that are listed in the List of IKE Policies table do not correspond to the IKE policies that were created using the VPN Wizard earlier in this chapter.) Figure 5-20 Each policy that is listed in the List of IKE Policies table contains the following data:...
  • Page 112: Configuring VPN Policies

    To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix D, “Related Documents” for a link to the NETGEAR website. Configuring VPN Policies You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
  • Page 113: Configuring Extended Authentication (XAUTH)

    Only one client policy may be configured at a time (noted by an “*” next to the policy name). The List of VPN Policies table contains the following fields: •...
  • Page 114: Configuring XAUTH For VPN Clients

    XAUTH can be enabled when adding or editing an IKE Policy. Two types of XAUTH are available: • Edge Device. If this is selected, the VPN firewall is used as a VPN concentrator where one or more gateway tunnels terminate.
  • Page 115 3. You can add XAUTH to an existing IKE Policy by clicking Edit adjacent to the policy to be modified, or you can create a new IKE Policy incorporating XAUTH by clicking Add. Figure 5-22 4.
  • Page 116: User Database Configuration

    Specify one of the following authentication types: – User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “User Database Configuration”...
  • Page 117 Figure 5-23 3. To activate (enable) the primary RADIUS server, click the Yes radio button. The primary server options become active. 4. Configure the following entries: • Primary RADIUS Server IP address.
  • Page 118: Assigning IP Addresses To Remote Users (ModeConfig)

    5. Enable a backup RADIUS server (if required). 6. Set the Time Out Period, in seconds, that the VPN firewall should wait for a response from the RADIUS server. 7.
  • Page 119: Configuring Mode Config Operation On The VPN Firewall

    IP address from the configured IP address pool and activates a temporary IPsec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record (on the Add Mode Config Record screen that is shown in Figure 5-25 on page 5-26).
  • Page 120 3. Click Add. The Add Mode Config Record screen is displayed. Figure 5-25 4. Enter a descriptive Record Name such as “Sales”. 5. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
  • Page 121 10. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 •...
  • Page 122 Figure 5-26 3. In the Mode Config Record section, enable Mode Config by checking the Yes radio button and selecting the Mode Config record you just created from the pull-down menu. (You can view the parameters of the selected record by clicking the view selected button.) Mode Config works only in Aggressive Mode, and Aggressive Mode requires that both ends of the tunnel are defined by an FQDN.
  • Page 123 4. In the General section: • Enter a descriptive name in the Policy Name field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration. •...
  • Page 124: Configuring The ProSafe VPN Client For ModeConfig

    12. Click Apply. The new policy will appear in the List of IKE Policies table. Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1.
  • Page 125 d. From the Virtual Adapter pull-down menu, choose Preferred. The Internal Network IP Address should be 0.0.0.0. Note: If no box is displayed for Internal Network IP Address, go to Options/Global Policy Settings, and check the box for “Allow to Specify Internal Network Address.”...
  • Page 126: Configuring Keepalives And Dead Peer Detection

    Configuring Keepalives and Dead Peer Detection In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time. If you require your VPN tunnel to remain connected, you can use the Keepalive and Dead Peer Detection features to prevent the tunnel from dropping and to force a reconnection if the tunnel drops for any reason.
  • Page 127: Configuring Dead Peer Detection

    5. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests. 6.
  • Page 128: Configuring NetBIOS Bridging With VPN

    6. In Reconnect after failure count, set the number of DPD failures allowed before tearing down the connection. The default is 3 failures. When the VPN firewall senses an IKE connection failure, it deletes the IPSec and IKE Security Association and forces a reestablishment of the connection.
  • Page 129: Understanding The Portal Options

    Chapter 6 Virtual Private Networking Using SSL The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
  • Page 130: Planning For SSL VPN

    Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s PC.
  • Page 131: Creating The Portal Layout

    When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain.
  • Page 132 Portal Layouts are applied by selecting from available portal layouts in the configuration of a Domain. When you have completed your Portal Layout, you can apply the Portal Layout to one or more authentication domains (see “Creating a Domain”...
  • Page 133 Figure 6-2 3. In the Portal Layout and Theme Name section of the screen, configure the following entries: a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name will be part of the path of the SSL VPN portal URL.
  • Page 134 These directives help prevent client browsers from caching SSL VPN portal pages and other web content. Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user’s web browser cache.
  • Page 135: Configuring Domains, Groups, And Users

    The web cache cleaner will prompt the user to delete all temporary Internet files, cookies and browser history when the user logs out or closes the web browser window. The ActiveX web cache control will be ignored by web browsers that don't support ActiveX.
  • Page 136: Adding Servers

    Adding Servers To configure Port Forwarding, you must define the internal host machines (servers) and TCP applications available to remote users. To add servers, follow these steps: 1.
  • Page 137: Adding A New Host Name

    Table 6-1. Port Forwarding Applications/TCP Port Numbers (continued). TCP Application and Port Number: POP3 (receive mail); NTP (network time protocol); Citrix, 1494; Terminal Services, 3389; VNC (virtual network computing), 5900 or 5800. a.
  • Page 138: Configuring The SSL VPN Client

    Configuring the SSL VPN Client The SSL VPN Client within the VPN firewall will assign IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the corporate subnet to the remote VPN tunnel clients.
  • Page 139: Configuring The Client IP Address Range

    Configuring the Client IP Address Range Determine the address range to be assigned to VPN tunnel clients, then define the address range. To configure the client IP address range: 1.
  • Page 140: Adding Routes For VPN Tunnel Clients

    Adding Routes for VPN Tunnel Clients The VPN Tunnel Clients assume that the following networks are located across the VPN over SSL tunnel: • The subnet containing the client IP address (PPP interface), as determined by the class of the address (Class A, B, or C).
  • Page 141: Using Network Resource Objects To Simplify Policies

    Using Network Resource Objects to Simplify Policies Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. You will not need to redefine the same set of IP addresses or address ranges when configuring the same access policies for multiple users.
  • Page 142 4. Click Add. The “Operation Successful” message appears at the top of the tab, and the newly-added resource name appears on the Defined Resource Addresses table. 5. Adjacent to the new resource, click the Edit button. The Add Resource Addresses screen is displayed.
  • Page 143: Configuring User, Group, And Global Policies

    Configuring User, Group, and Global Policies An administrator can define and apply user, group and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN services.
  • Page 144: Viewing SSL VPN Policies

    Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The VPN firewall policy engine does not perform reverse DNS lookups. Viewing SSL VPN Policies To view the existing SSL VPN policies, follow these steps: 1.
  • Page 145: Adding An SSL VPN Policy

    Note: Global policies are displayed in the List of SSL VPN Policies table. Policies that apply only to groups or users are displayed in the Related Policies Table but not in the List of SSL VPN Policies table.
  • Page 146 4. In the Add SSL VPN Policies section of the screen, review the Apply Policy To options and click one. Depending upon your selection, specific options to the right are activated or inactivated as noted in the following: •...
  • Page 147 • If you choose IP Network, you will need to enter a descriptive Policy Name, IP Address, Subnet Mask, then choose the Service and relevant Permission from the pull-down menus.
  • Page 149: Managing Users, Authentication, And Certificates

    Chapter 7 Managing Users, Authentication, and Certificates This chapter contains the following sections: • “Adding Authentication Domains, Groups, and Users” on this page • “Managing Certificates” on page 7-11 Adding Authentication Domains, Groups, and Users You must create name and password accounts for all users who will connect to the VPN firewall. This includes administrators and SSL VPN clients.
  • Page 150 Table 7-1 summarizes the authentication protocols and methods that the VPN firewall supports. Table 7-1. Authentication Protocols and Methods. Columns: Authentication Protocol or Method; Description (or Subfield and Description). Password Authentication Protocol (PAP) is a simple protocol in which the client sends a password in clear text.
  • Page 151 To create a domain: 1. Select Users > Domains from the menu. The Domains screen is displayed. Figure 7-1 2. Click Add. The Add Domain screen is displayed. Figure 7-2
  • Page 152 3. Configure the following fields: a. Enter a descriptive name for the domain in the Domain Name field. b. Select the Authentication Type. The required fields are activated in varying combinations according to your selection of Authentication Type: Table 7-2.
  • Page 153: Creating A Group

    Creating a Group The use of groups simplifies the configuration of VPN policies when different sets of users will have different restrictions and access controls. Note: Groups that are defined in the User screen are used for setting SSL VPN policies. These groups should not be confused with LAN Groups that are defined in the Network Configuration | LAN Settings | LAN Groups tab, which are used to simplify firewall policies.
  • Page 154: Creating A New User Account

    Creating a New User Account To add individual user accounts: 1. Select Users > Users from the menu. The Users screen is displayed. Figure 7-4 2. Click Add. The Add User screen is displayed. Figure 7-5 3.
  • Page 155: Setting User Login Policies

    c. Select Group. Select from a list of configured groups. The user will be associated with the domain that is associated with that group. d. Password/Confirm Password. The password can contain alphanumeric characters, dash, and underscore.
  • Page 156 To restrict logging in based on IP address: 1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure.
  • Page 157: Changing Passwords And Other User Settings

    To restrict logging in based on the user’s browser: 1. In the Action column of the List of Users table, click Policies adjacent to the user policy you want to configure.
  • Page 158 SSL VPN User. User who can only log in to the SSL VPN portal. • IPSEC VPN User. User who can only make an IPsec VPN connection via a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see “Configuring Extended Authentication (XAUTH)” on page 5-19).
  • Page 159: Managing Certificates

    4. Click Apply to save your settings or Cancel to return to your previous settings. Note: The password and time-out value you enter will be changed back to password and 10 minutes, respectively, after a factory defaults reset.
  • Page 160: Viewing And Loading CA Certificates

    A self-signed certificate will trigger a warning from most browsers, as it provides no protection against impersonation of the server. Your VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior to deploying the VPN firewall in your network.
  • Page 161: Viewing Active Self Certificates

    Figure 7-10 When you obtain a self certificate from a CA, you will also receive the CA certificate. In addition, many CAs make their certificates available on their Websites. To load a CA certificate into your VPN firewall: 1.
  • Page 162: Obtaining A Self Certificate From A Certificate Authority

    • Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all of your certificates should have the same value in the Subject field.
  • Page 163 2. Configure the following fields: • Name – Enter a descriptive name that will identify this certificate. • Subject – This is the name which other organizations will see as the holder (owner) of the certificate.
  • Page 164 5. In the Self Certificate Requests table, click view in the Action column to view the request. Figure 7-14 6. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----”...
  • Page 165: Managing Your Certificate Revocation List (CRL)

    9. Return to the Certificates screen and locate the Self Certificate Requests section. Figure 7-15 10. Select the checkbox next to the certificate request, then click Browse and locate the certificate file on your PC.
  • Page 166 Figure 7-16 The CRL table lists your active CAs and their critical release dates: • CA Identify – The official name of the CA which issued this CRL. •...
  • Page 167: Performance Management

    Chapter 8 VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G. The VPN firewall offers many tools for managing the network traffic to optimize its performance. You can also control administrator access, be alerted to important events requiring prompt action, monitor the VPN firewall status, perform diagnostics, and manage the VPN firewall configuration file.
  • Page 168: Features That Reduce Traffic

    In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports will support the following traffic rates: •...
  • Page 169 As you define your firewall rules, you can further refine their application according to the following criteria: • LAN Users. These settings determine which computers on your network are affected by this rule.
  • Page 170 • Schedule. If you have set firewall rules on the LAN WAN Rules screen, you can configure three different schedules (for example, schedule 1, schedule 2, and schedule 3) for when a rule is to be applied.
  • Page 171: Features That Increase Traffic

    Features That Increase Traffic Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • Exposed hosts • VPN tunnels Port Forwarding The firewall always blocks DoS (Denial of Service) attacks.
  • Page 172 • Enable Stealth Mode. Prevents the VPN firewall from responding to incoming requests for unsupported services. As you define your firewall rules, you can further refine their application according to the following criteria: •...
  • Page 173: Using QoS To Shift The Traffic Mix

    • The remote system receives the PC’s request and responds using the different port numbers that you have now opened. • The VPN firewall matches the response to the previous request and forwards the response to the PC.
  • Page 174: Tools For Traffic Management

    7-9. The default administrator and guest password for the Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. You can also configure a separate password for the guest account. To modify the Admin user account settings, including the password: 1.
  • Page 175 The Edit User screen is displayed, with the current settings for Administrator displayed in the Select User Type pull-down menu (for more information about the different types of users, see “Changing Passwords and Other User Settings”...
  • Page 176: Enabling Remote Management Access

    Enabling Remote Management Access Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall”...
  • Page 177 2. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect. a. To allow access from any IP address on the Internet, select Everyone. b.
  • Page 178: Using The Command Line Interface

    Note: The first time you remotely connect to the VPN firewall with a browser via SSL, you may get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate.
  • Page 179: Using An Snmp Manager

    Using an SNMP Manager. Simple Network Management Protocol (SNMP) lets you monitor and manage your VPN firewall from an SNMP Manager. It provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security.
  • Page 180: Managing The Configuration File

    – To make the VPN firewall globally accessible using the community string, but still receive traps on the host, enter 0.0.0.0 as the subnet mask and an IP address for where the traps will be received. A 0.0.0.0 mask means any host that knows the community string can query the VPN firewall over SNMP; unless global access is required, enter the management host's address or subnet instead.
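    The following Python is an added example, not NETGEAR code. It shows how an allowed-manager rule of the kind set on the Remote Management and SNMP screens is evaluated, and why a 0.0.0.0 subnet mask admits every source address just as Everyone does on the Remote Management screen. The rule layout, the sample rules, and the names source_allowed and audit_rules are assumptions for illustration; the addresses are documentation ranges.

```python
"""Evaluate 'allowed manager' rules of the kind configured on the Remote
Management and SNMP screens (added example; the rule model is an assumption)."""
import ipaddress
from typing import List, Tuple

# (rule name, host or network address, subnet mask): constructed sample rules.
# A mask of 0.0.0.0 is the "globally accessible" setting the manual describes.
SAMPLE_RULES: List[Tuple[str, str, str]] = [
    ("snmp-noc", "203.0.113.0", "255.255.255.0"),      # one management subnet
    ("snmp-open", "203.0.113.0", "0.0.0.0"),           # any host with the community string
    ("rm-admin", "198.51.100.7", "255.255.255.255"),   # a single administrator host
]


def source_allowed(src_ip: str, rule_ip: str, rule_mask: str) -> bool:
    """True if src_ip lies in the network formed by rule_ip and rule_mask.

    ipaddress turns (address, dotted mask) into a network; strict=False keeps
    any host bits set in rule_ip. With mask 0.0.0.0 the network is 0.0.0.0/0,
    so every IPv4 address matches.
    """
    net = ipaddress.IPv4Network((rule_ip, rule_mask), strict=False)
    return ipaddress.IPv4Address(src_ip) in net


def audit_rules(rules: List[Tuple[str, str, str]] = SAMPLE_RULES) -> List[str]:
    """Return the names of rules that admit the entire Internet (prefix /0)."""
    return [
        name
        for name, ip, mask in rules
        if ipaddress.IPv4Network((ip, mask), strict=False).prefixlen == 0
    ]


if __name__ == "__main__":
    for src in ("203.0.113.9", "192.0.2.44"):
        for name, ip, mask in SAMPLE_RULES:
            verdict = "allowed" if source_allowed(src, ip, mask) else "denied"
            print(f"{src:>12} vs {name:<10}: {verdict}")
    print("world-open rules:", audit_rules())
```

    Running audit_rules over a saved rule list is a quick way to spot a 0.0.0.0 mask that was left in place after testing.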
  • Page 181 Once you have installed the VPN firewall and have it working properly, you should back up a copy of your settings to a file on your computer. If necessary, you can later restore the VPN firewall settings from this file. Treat the backup file as sensitive: it contains the complete configuration, including account and VPN settings, so store it where only administrators can read it.
  • Page 182 To restore settings from a backup file: 1. Next to Restore saved settings from file, click Browse. 2. Locate and select the previously saved backup file (by default, netgear.cfg). 3. When you have located the file, click Restore. An Alert page will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.
  • Page 183: Configuring Date And Time Service

    To download a firmware version: 1. Go to the NETGEAR website at http://www.netgear.com/support and click Downloads. 2. From the Product Selection pull-down menu, choose the FVS336G. 3. Click on the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the VPN firewall’s software.
  • Page 184 NTP Server in the Server 1 Name/IP Address field. You can enter the address of a backup NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the default Netgear NTP servers.
  • Page 185: Monitoring System Performance

    Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G. You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the VPN firewall, WAN ports, LAN ports, and VPN tunnels.
  • Page 186 Figure 9-1 2. Enable the traffic meter by clicking the Yes radio button under Do you want to enable Traffic Metering on WAN1? The traffic meter will record the volume of Internet traffic passing through WAN1.
  • Page 187 Note: Both incoming and outgoing traffic are included in the limit.
    • Increase this month limit by. Temporarily increase the traffic limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase.
  • Page 188: Activating Notification Of Events And Alerts

    Activating Notification of Events and Alerts. The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For example, your VPN firewall will log security-related events such as: accepted and dropped packets on different segments of your LAN;...
  • Page 189 Figure 9-2. Monitoring System Performance, v1.0, January 2010...
  • Page 190: Viewing The Logs

    7. To respond to IDENT protocol messages, check the Respond to Identd from SMTP Server box. Ident (identd is the common daemon that provides the service) lets a receiving SMTP server ask the connecting host which user owns the sending TCP connection. Because the answer is supplied by the sending host itself and is not authenticated, it is only a weak way to identify the sender of e-mail.
  • Page 191 Figure 9-3 If the E-mail Logs option has been enabled on the Firewall Logs & E-mail screen, you can send a copy of the log by clicking Send Log. Click Refresh Log to retrieve the latest update;...
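  The chapter says the firewall logs login failures and attacks and can e-mail or display them, but it does not show what to do with the entries. The Python below is an added example, not NETGEAR code: it runs a simple brute-force detector over constructed log lines. The syslog-style line layout, the year used to complete the timestamps (syslog omits it; 2010 is assumed), and the names brute_force_sources and LINE_RE are assumptions; adapt LINE_RE to the format your device actually emits.

```python
"""Flag sources with repeated failed logins in a sliding window
(added example; log format and names are assumptions)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Tuple

# Constructed sample lines in an assumed syslog-like layout.
SAMPLE_LOG = """\
Jan 12 10:15:01 fvs336g [Login] Failed login attempt for user admin from 203.0.113.9
Jan 12 10:15:04 fvs336g [Login] Failed login attempt for user admin from 203.0.113.9
Jan 12 10:15:07 fvs336g [Login] Failed login attempt for user guest from 203.0.113.9
Jan 12 10:15:09 fvs336g [Login] Successful login for user admin from 192.168.1.20
Jan 12 10:15:12 fvs336g [Login] Failed login attempt for user admin from 203.0.113.9
Jan 12 10:20:30 fvs336g [Login] Failed login attempt for user admin from 198.51.100.4
Jan 12 10:40:00 fvs336g [Login] Failed login attempt for user admin from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \[Login\] "
    r"(?P<result>Failed|Successful) login(?: attempt)? for user (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def parse_ts(ts: str, year: int = 2010) -> datetime:
    """Syslog timestamps carry no year; the caller supplies one (assumed 2010)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def brute_force_sources(
    log_text: str,
    threshold: int = 4,
    window: timedelta = timedelta(minutes=5),
) -> Dict[str, Tuple[datetime, int]]:
    """Return {source IP: (time of alert, failures in window)} for every source
    that reached `threshold` failed logins within `window`.

    Lines that do not match, and successful logins, are ignored. Each source
    is reported once, at the moment it first crosses the threshold.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, Tuple[datetime, int]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "Failed":
            continue
        t, src = parse_ts(m["ts"]), m["src"]
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = (t, len(q))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} {src}: {count} failed logins in 5 minutes")
```

  With the defaults, 203.0.113.9 is reported after its fourth failure at 10:15:12, while 198.51.100.4 is not, because its two failures are twenty minutes apart.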
  • Page 192: Viewing Vpn Firewall Configuration And System Status

    Viewing VPN Firewall Configuration and System Status. The Router Status screen provides status and usage information. To view the VPN firewall configuration and system status: Select Monitoring > Router Status from the menu. The Router Status screen is displayed (Figure 9-4). The following information is displayed.
  • Page 193: Monitoring Vpn Firewall Statistics

    Table 9-3. Router Status Information (continued)
    WAN1 Configuration:
    • WAN Mode: Single, Dual, or Rollover.
    • WAN State: UP or DOWN.
    • NAT: Enabled or Disabled.
    •...
  • Page 194: Monitoring The Status Of Wan Ports

    To set the poll interval: 1. Click the Stop button. 2. From the Poll Interval pull-down menu, select a new interval (the minimum is 5 seconds, the maximum is 5 minutes).
  • Page 195: Monitoring Attached Devices

    Monitoring Attached Devices. The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen: 1.
  • Page 196: Viewing The Dhcp Log

    The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed (Table 9-4. Known PCs and Devices options): Name...
  • Page 197: Monitoring Active Users

    2. Click the DHCP Log link to the right of the tabs. The DHCP Log appears in a popup window. Figure 9-9 3. To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
  • Page 198: Viewing Port Triggering Status

    Viewing Port Triggering Status. To view the status of port triggering: 1. Select Security > Port Triggering from the menu. The Port Triggering screen is displayed. Figure 9-11 2.
  • Page 199: Monitoring Vpn Tunnel Connection Status

    Table 9-5. Port Triggering Status Information (continued)
    Open Ports: The incoming ports associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
    Time Remaining: The time remaining before this rule is released and made available for other PCs.
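    The port-triggering mechanism described earlier (an outbound request on the trigger port opens the rule's incoming ports for the requesting PC until the rule times out and is released for other PCs) is easy to get wrong, so the Python below is an added example, not NETGEAR code, that models the state table behind the status screen. The rule fields, the timeout value, the choice to let inbound traffic refresh the timer, and the names TriggerRule and PortTriggerTable are assumptions for illustration; the ports are constructed.

```python
"""Toy port-triggering table: one rule, one owner at a time, released after an
inactivity timeout (added example; rule model and timer behaviour are assumed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TriggerRule:
    name: str
    trigger_port: int            # outbound destination port that arms the rule
    open_ports: range            # inbound ports forwarded while the rule is armed
    timeout: int = 60            # seconds of inactivity before release (assumed)
    owner: Optional[str] = None  # LAN IP currently holding the rule
    expires_at: int = 0          # absolute time (s) at which the rule is released


class PortTriggerTable:
    def __init__(self, rules: List[TriggerRule]) -> None:
        self.rules = rules

    def outbound(self, src_ip: str, dst_port: int, now: int) -> Optional[str]:
        """A LAN host sends to a trigger port. Arm the rule for that host if it is
        free, already owned by the same host, or expired. Return the rule name."""
        for r in self.rules:
            if r.trigger_port != dst_port:
                continue
            if r.owner is None or r.owner == src_ip or r.expires_at <= now:
                r.owner, r.expires_at = src_ip, now + r.timeout
                return r.name
        return None

    def inbound(self, dst_port: int, now: int) -> Optional[str]:
        """Return the LAN IP an inbound packet is forwarded to, or None (dropped).
        Forwarded traffic counts as activity and refreshes the timer (assumption)."""
        for r in self.rules:
            if r.owner and r.expires_at > now and dst_port in r.open_ports:
                r.expires_at = now + r.timeout
                return r.owner
        return None

    def status(self, now: int) -> List[Tuple[str, str, int]]:
        """Rows like the Port Triggering Status screen: (rule, LAN IP, time remaining)."""
        return [
            (r.name, r.owner, r.expires_at - now)
            for r in self.rules
            if r.owner and r.expires_at > now
        ]


if __name__ == "__main__":
    table = PortTriggerTable([TriggerRule("app", 5000, range(6000, 6011), 60)])
    print(table.inbound(6005, now=0))                  # None: nothing armed yet
    print(table.outbound("192.168.1.10", 5000, now=10))  # app
    print(table.inbound(6005, now=20))                 # 192.168.1.10
    print(table.outbound("192.168.1.11", 5000, now=30))  # None: rule busy
    print(table.status(now=30))                        # [('app', '192.168.1.10', 50)]
    print(table.inbound(6005, now=100))                # None: released
```

    Note that an unsolicited packet to an open port is only forwarded while a LAN host holds the rule; once the timer runs out the rule returns to the pool and the next host that sends on the trigger port takes it.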
  • Page 200: Viewing The Vpn Logs

    2. Select the SSL VPN Connection Status tab. The SSL VPN Connection Status screen is displayed (Figure 9-14). The active SSL VPN user’s user name, group, and IP address are listed in the table with a timestamp indicating the time and date that the user connected.
  • Page 201: Troubleshooting

    Chapter 10 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G. After each problem description, instructions are provided to help you diagnose and solve the problem. This chapter contains the following sections: •...
  • Page 202: Power Led Not On

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 203: Troubleshooting The Web Configuration Interface

    Troubleshooting the Web Configuration Interface. If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following: •...
  • Page 204: Troubleshooting The Isp Connection

    Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and navigate to an external site such as www.netgear.com. 2. Access the Main Menu of the VPN firewall’s configuration at https://192.168.1.1.
  • Page 205: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    • Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-3 on page 2-5).
  • Page 206: Testing The Path From Your Pc To A Remote Device

    3. Click OK. A message similar to the following should display:
    Pinging <IP address> with 32 bytes of data
    If the path is working, you will see this message:
    Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
    If the path is not working, you will see this message:
    Request timed out...
  • Page 207: Restoring The Default Configuration And Password

    • If your ISP assigned a host name to your PC, enter that host name as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-3 on page 2-5).
  • Page 208: Using The Diagnostics Utilities

    Problems with the date and time function can include: • Date shown is January 1, 2000. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes and check the date and time again.
  • Page 209 A DNS (Domain Name System) server converts an Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other server on the Internet, you can request a DNS lookup to find the IP address.
  • Page 211: Default Settings And Technical Specifications

    Appendix A Default Settings and Technical Specifications You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly).
  • Page 212 Table A-1. VPN firewall Default Configuration Settings (continued)
    Management: Time Zone; Time Zone Adjusted for Daylight Saving Time: Disabled; SNMP: Disabled; Remote Management: Disabled.
    Firewall: Inbound (communications coming in from the Internet): Denied...
  • Page 213 Table A-2. VPN firewall Technical Specifications (continued)
    Environmental Specifications: Operating temperature: 0° to 40° C (32° to 104° F); Operating humidity: 90% maximum relative humidity, noncondensing.
    Electromagnetic Emissions: Meets requirements of FCC Part 15 Class B...
  • Page 215: Network Planning For Dual Wan Ports

    Appendix B Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix contains the following sections: • “What You Will Need to Do Before You Begin”...
  • Page 216 • Protocol binding
    – For rollover mode, protocol binding does not apply.
    – For load balancing mode, decide which protocols should be bound to a specific WAN port.
    –...
  • Page 217: Cabling And Computer Hardware Requirements

    • You can choose a variety of WAN options if the factory default settings are not suitable for your installation. These options include enabling a WAN port to respond to a ping, and setting MTU size, port speed, and upload bandwidth.
  • Page 218: Where Do I Get The Internet Configuration Parameters

    • Fixed IP Address, also known as Static IP Address.
    Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. •...
  • Page 219: Overview Of The Planning Process

    ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:
    Primary DNS Server IP Address: ______.______.______.______
    Secondary DNS Server IP Address: ______.______.______.______
    Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or .
  • Page 220: Virtual Private Networks (Vpns

    Virtual Private Networks (VPNs). A virtual private network (VPN) tunnel provides a secure communication channel between either two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for the other tunnel end point to establish (or re-establish) the VPN tunnel.
  • Page 221: The Load Balancing Case For Firewalls With Dual Wan Ports

    The Load Balancing Case for Firewalls With Dual WAN Ports. Load balancing for the dual WAN port case is similar to the single WAN port case when specifying the IP address.
  • Page 222: Inbound Traffic To Dual Wan Port Systems

    In the single WAN case, the WAN’s Internet address is either a fixed IP or a fully-qualified domain name if the IP address is dynamic. Figure B-4
    Inbound Traffic to Dual WAN Port Systems. The IP address range of the VPN firewall’s WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
  • Page 223: Virtual Private Networks (Vpns

    Figure B-6
    Virtual Private Networks (VPNs). When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the VPN firewall’s dual WAN port depends on the configuration being implemented: Table B-2.
  • Page 224 • Rollover Case for Dual Gateway WAN Ports. Rollover for the dual gateway WAN port case is different from the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Only one WAN port is active at a time and when it rolls over, the IP address of the active WAN port always changes.
  • Page 225: Vpn Road Warrior (Client-To-Gateway

    VPN Road Warrior (Client-to-Gateway). The following situations exemplify the requirements for a remote PC client with no firewall to establish a VPN tunnel with a gateway VPN firewall: •...
  • Page 226 VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability. In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote PC client is not known in advance.
  • Page 227: Vpn Gateway-To-Gateway

    The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway firewall between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
  • Page 228 Figure B-13 The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
  • Page 229 After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in this example) and one of the gateway VPN firewalls must re-establish the VPN tunnel.
  • Page 230: Vpn Telecommuter (Client-To-Gateway Through A Nat Router

    The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
  • Page 231 VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability. In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote NAT router is not known in advance.
  • Page 232 The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
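  The road-warrior and telecommuter cases above both rest on one rule: after a rollover the client must resolve the gateway's fully-qualified domain name again, because the address it used before now belongs to the inactive WAN port. The Python below is an added example, not NETGEAR code, that plays this out with a toy Dynamic DNS service and a client that either re-resolves or wrongly reuses its last address. The class names, the addresses, and the domain name are assumptions for illustration.

```python
"""Why a remote client must re-resolve the gateway FQDN after a WAN rollover
(added example with a toy DNS; not NETGEAR code)."""
from typing import Dict, List, Optional


class DynDns:
    """Stand-in for a Dynamic DNS service: one A record per name."""
    def __init__(self) -> None:
        self.records: Dict[str, str] = {}

    def update(self, name: str, ip: str) -> None:
        self.records[name] = ip

    def resolve(self, name: str) -> str:
        return self.records[name]


class DualWanGateway:
    """Gateway in rollover mode: only the active WAN port answers tunnel requests."""
    def __init__(self, fqdn: str, wan1_ip: str, wan2_ip: str, dns: DynDns) -> None:
        self.fqdn, self.wans, self.dns = fqdn, [wan1_ip, wan2_ip], dns
        self.active = 0
        self.dns.update(fqdn, self.active_ip)   # DDNS client registers the active address

    @property
    def active_ip(self) -> str:
        return self.wans[self.active]

    def rollover(self) -> None:
        self.active ^= 1                        # WAN1 -> WAN2, or back again
        self.dns.update(self.fqdn, self.active_ip)

    def accepts_tunnel_to(self, dst_ip: str) -> bool:
        return dst_ip == self.active_ip


class RoadWarrior:
    """Remote client; can be told to reuse the last address instead of resolving."""
    def __init__(self, dns: DynDns) -> None:
        self.dns = dns
        self.last_ip: Optional[str] = None

    def connect(self, gw: DualWanGateway, reuse_cached: bool = False) -> bool:
        if reuse_cached and self.last_ip:
            ip = self.last_ip                   # stale after a rollover
        else:
            ip = self.dns.resolve(gw.fqdn)      # what the manual requires
        self.last_ip = ip
        return gw.accepts_tunnel_to(ip)


def demo() -> List[bool]:
    """Connect, roll over, retry with the cached address, then re-resolve."""
    dns = DynDns()
    gw = DualWanGateway("vpn.example.net", "203.0.113.1", "198.51.100.1", dns)
    client = RoadWarrior(dns)
    first = client.connect(gw)                      # WAN1 active: tunnel comes up
    gw.rollover()                                   # WAN1 fails, WAN2 takes over
    stale = client.connect(gw, reuse_cached=True)   # old address: refused
    fresh = client.connect(gw)                      # re-resolved: reaches WAN2
    return [first, stale, fresh]


if __name__ == "__main__":
    print(demo())   # [True, False, True]
```

  The same logic is why the gateway-to-gateway case needs an FQDN on any dynamically addressed side, and why a client that caches a resolved address for longer than the DDNS record's TTL will keep failing until it resolves again.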
  • Page 233: Two Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. As part of the new maintenance firmware release, NETGEAR has...
  • Page 234: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions. NETGEAR has implemented two Two-Factor Authentication solutions from WiKID. WiKID is a software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
  • Page 235 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works. 1. The user launches the WiKID token software, enter the PIN that has been given to them (something they know) and then press “continue”...
  • Page 236 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it is expired, the user must go through the request process again to generate a new OTP.
  • Page 237: Related Documents

    Appendix D Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
    TCP/IP Networking Basics: http://documentation.netgear.com/reference/enu/tcpip/index.htm
    Wireless Networking Basics: http://documentation.netgear.com/reference/enu/wireless/index.htm
    Preparing Your Network: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...