NETGEAR FVS318G-100NAS Reference Manual

Gigabit 8 Port VPN Firewall
ProSafe Gigabit 8 Port
VPN Firewall FVS318G
Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
202-10521-02
v1.1
August 2010

Summary of Contents for NETGEAR FVS318G-100NAS

  • Page 1 ProSafe Gigabit 8 Port VPN Firewall FVS318G Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 202-10521-02 v1.1 August 2010...
  • Page 2: Technical Support

    In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 Manufacturer's/Importer's Declaration It is hereby confirmed that the ProSafe Gigabit 8 Port VPN Firewall FVS318G is interference-suppressed in accordance with the regulations listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please read the notes in the operating instructions.
  • Page 4 Open SSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
  • Page 5 Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
  • Page 7: Table Of Contents

    Contents ProSafe Gigabit 8 Port VPN Firewall FVS318G Reference Manual About This Manual Conventions, Formats and Scope ...................xiii How to Print This Manual ....................xiv Chapter 1 Introduction Key Features ........................1-1 Advanced VPN Support for IPsec ................1-2 A Powerful, True Firewall with Content Filtering ............1-2 Security Features .....................1-3 Autosensing Ethernet Connections with Auto Uplink ..........1-3 Extensive Protocol Support ..................1-4...
  • Page 8 Chapter 3 LAN Configuration Choosing the VPN Firewall DHCP Options ..............3-1 Configuring the LAN Setup Options ................3-2 Managing Groups and Hosts (LAN Groups) ..............3-5 Creating the Network Database ................3-6 Viewing the Network Database ................3-7 Adding Devices to the Network Database ..............3-8 Changing Group Names in the LAN Groups Database ...........3-9 Setting Up DHCP Address Reservation ..............3-9...
  • Page 9 Creating Gateway to Gateway VPN Tunnels with the Wizard .........5-2 Creating a Client to Gateway VPN Tunnel ...............5-5 Testing the Connections and Viewing Status Information ..........5-11 NETGEAR VPN Client Status and Log Information ..........5-11 VPN Firewall VPN Connection Status and Logs ............5-14 Managing VPN Policies ....................5-15 Configuring IKE Policies ..................5-15...
  • Page 10 Configuring NetBIOS Bridging with VPN ..............5-55 Chapter 6 VPN Firewall and Network Management Performance Management .....................6-1 Bandwidth Capacity ....................6-1 VPN Firewall Features That Reduce Traffic .............6-2 VPN Firewall Features That Increase Traffic ............6-4 Using QoS to Shift the Traffic Mix ................6-7 Tools for Traffic Management ..................6-8 Configuring Users, Administrative Settings, and Remote Management ......6-8...
  • Page 11 Appendix B Two Factor Authentication Why do I need Two-Factor Authentication? ..............B-1 What are the benefits of Two-Factor Authentication? ..........B-1 What is Two-Factor Authentication ................. B-2 NETGEAR Two-Factor Authentication Solutions ............B-2 Appendix C Related Documents Index Contents...
  • Page 13: About This Manual

    About This Manual The NETGEAR® ProSafe Gigabit 8 Port VPN Firewall FVS318G Reference Manual describes how to install, configure, and troubleshoot the ProSafe Gigabit 8 Port VPN Firewall FVS318G. The information in this manual is intended for readers with intermediate computer and Internet skills.
  • Page 14: How To Print This Manual

    NETGEAR website in Appendix C, “Related Documents.” Note: Product updates are available on the NETGEAR, Inc. website at http://kb.netgear.com/app/home. How to Print This Manual To print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files.
  • Page 15 202-10521-02, April 2010: Added the following new features for the April 2010 firmware maintenance release: • Connection reset and delay options on the Broadband ISP Settings screen (see “Manually Configuring Your Internet Connection”).
  • Page 17: Introduction

    Chapter 1 Introduction The ProSafe Gigabit 8 Port VPN Firewall FVS318G with eight 10/100/1000 Mbps Gigabit Ethernet LAN ports and one 10/100/1000 Mbps Gigabit Ethernet WAN port connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.
  • Page 18: Advanced VPN Support For IPsec

    IPsec VPN with broad protocol support for secure connection to other IPsec gateways and clients. • Bundled with a single-user license of the NETGEAR ProSafe VPN Client software (VPN01L) • Supports 5 concurrent IPsec VPN tunnels. A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT routers, the FVS318G is a true firewall, using stateful packet inspection to defend against hacker attacks.
  • Page 19: Security Features

    • Keyword Filtering. With its URL keyword filtering feature, the FVS318G prevents objectionable content from reaching your PCs. The VPN firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the VPN firewall to log and report attempts to access objectionable Internet sites.
  • Page 20: Extensive Protocol Support

    ISP account. • VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 21: Maintenance And Support

    ProSafe VPN Client software (one user license) • Warranty and Support Information Card If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the VPN firewall for repair.
  • Page 22: VPN Firewall Front And Rear Panels

    VPN Firewall Front and Rear Panels The FVS318G front panel includes eight LAN ports, one WAN port, and four groups of status indicator light-emitting diodes (LEDs), including Power and Test, LAN, and WAN LEDs. Figure 1-1 Table 1-1 describes each item on the front panel and its operation.
  • Page 23 Table 1-1. LED Descriptions (continued) Object / Activity / Description: 6. One WAN Port, Active LED (left side of port). On (Green): the WAN port is connected. Off: the Internet connection is down; the WAN port is either not enabled or has no link.
  • Page 24: Default IP Address, Login Name, And Password

    Default IP Address, Login Name, and Password Check the label on the bottom of the FVS318G’s enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 • User name: admin •...
  • Page 25: Connecting The VPN Firewall To The Internet

    VPN Firewall FVS318G Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com. 2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your VPN firewall.
  • Page 26: Logging Into The VPN Firewall

    6. Configure the WAN options (optional). As an option, change the VPN firewall’s Media Access Control (MAC) address, the factory default MTU size, and the port speed. However, these are advanced features and changing them is not usually required. See “Configuring the Advanced Broadband Options”...
  • Page 27: Navigating The Menus

    VPN firewall (see “Configuring an External Server for Authentication” on page 6-11). If you enable remote management, NETGEAR strongly advises you to change your password (see “Changing Passwords and Settings” on page 6-8). Navigating the Menus...
  • Page 28: Configuring The Internet Connection To Your ISP

    Configuring the Internet Connection to Your ISP To automatically configure the broadband port and connect to the Internet: 1. Select Network Configuration from the main menu and Broadband ISP Settings from the submenu.
  • Page 29 When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1. Note: When you click Auto Detect while the WAN port already has a connection, you might lose the connection because the VPN firewall will enter its detection mode.
  • Page 30: Manually Configuring Your Internet Connection

    The Connection Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to “Manually Configuring Your Internet Connection” following this section, or see “Troubleshooting the ISP Connection”...
  • Page 31 4. In the ISP Type section, select the type of ISP connection you use from the two listed options. (By default, “Other (PPPoE)” is selected.) Figure 2-5 • Other (PPPoE). If you have installed login software such as WinPoET or Ethernet, then your connection type is PPPoE.
  • Page 32 – Idle Timeout. Check the Keep Connected radio box to keep the connection always on. To log out after the connection is idle for a period of time, click Idle Time and enter the number of minutes to wait before disconnecting in the timeout field.
  • Page 33: Configuring The WAN Mode

    8. Click Test to evaluate your entries. The VPN firewall will attempt to connect to the NETGEAR website. If a successful connection is made, NETGEAR’s website appears. Configuring the WAN Mode To access the WAN Mode screen, select Network Configuration from the main menu and WAN Settings from the submenu.
  • Page 34 The WAN Mode screen allows you to configure how the VPN firewall uses the external Internet connection. This screen gives you two choices for accessing the external Internet connection. • Network Address Translation (NAT). This technique allows several computers on a LAN to share the same Internet connection (IP address) while using private IP addresses on the LAN, which are hidden from the Internet.
  • Page 35: Configuring Dynamic DNS

    Configuring Dynamic DNS Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org.
  • Page 36 Figure 2-9 2. Click the tab of the DNS service you want to enable. Each DNS service provider requires registration. After registration you can configure the required settings on the corresponding screen for the DNS service.
  • Page 37: Configuring The Advanced Broadband Options

    Configuring the Advanced Broadband Options To configure the advanced broadband options: 1. Select Network Configuration from the main menu and Broadband ISP Settings from the submenu. The Broadband ISP Settings screen displays. 2.
  • Page 38: Additional WAN Related Configuration

    If you want the ability to manage the VPN firewall remotely, enable remote management at this time (see “Enabling Remote Management Access” on page 6-14). If you enable remote management, NETGEAR strongly recommends that you change your password (see “Changing Passwords and Settings” on page 6-8). •...
  • Page 39: LAN Configuration

    Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Gigabit 8 Port VPN Firewall FVS318G, including the following sections: • “Choosing the VPN Firewall DHCP Options” on this page • “Configuring the LAN Setup Options” on page 3-2 •...
  • Page 40: Configuring The LAN Setup Options

    The VPN firewall will deliver the following settings to any LAN device that requests DHCP: • An IP address from the range that you have defined. • Subnet mask. • Gateway IP address (the VPN firewall’s LAN IP address). •...
  • Page 41 To configure the LAN Setup options: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen displays. Figure 3-1 2. In the LAN TCP/IP Setup section, configure the following settings: •...
  • Page 42 • IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your VPN firewall will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask.
  • Page 43: Managing Groups And Hosts (LAN Groups)

    If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information. Enter the following settings: •...
  • Page 44: Creating The Network Database

    The Network Database is updated by these methods: • DHCP Client Requests. By default, the DHCP server in this VPN firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database.
  • Page 45: Viewing The Network Database

    Viewing the Network Database To view the Network Database, follow these steps: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen displays. 2.
  • Page 46: Adding Devices To The Network Database

    Adding Devices to the Network Database To add devices manually to the network database: 1. To add computers to the network database manually, make the following selections: • Name: The name of the PC or device. •...
  • Page 47: Changing Group Names In The LAN Groups Database

    Changing Group Names in the LAN Groups Database By default, the LAN Groups are named Group1 through Group8. You can rename these group names to be more descriptive, such as Engineering or Marketing. To edit the names of any of the eight available groups: 1.
  • Page 48: Configuring Multi Home LAN IP Addresses

    Note: The reserved address will not be assigned until the next time the PC contacts the VPN firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew. Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases”...
  • Page 49: Configuring And Enabling The DMZ Port

    3. In the Add Secondary LAN IP Address section, enter the additional IP address and subnet mask to be assigned to the LAN port of the VPN firewall. 4. Click Add. The secondary LAN IP address will be added to the Available Secondary LAN IPs table.
  • Page 50 The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see “VPN Firewall Front and Rear Panels” on page 1-6) and configure an IP address and Mask for the DMZ port.
  • Page 51 4. In the DHCP for DMZ Connected Computers section, select one of the following three radio buttons: • Disable DHCP Server. The DHCP server is disabled, which is the default setting. Select this radio button if another device on your DMZ network will be the DHCP server, or if you will manually configure all devices.
  • Page 52: Configuring Static Routes

    If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for network-validated domain-based authentication, select Enable LDAP Information to enable the DHCP server to provide LDAP server information. Enter the following settings: –...
  • Page 53 To add a static route: 1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen displays. Figure 3-6 2. Click Add. The Add Static Route screen displays. Figure 3-7 3.
  • Page 54: Static Route Example

    6. In the Destination IP Address field, enter the destination IP address to the host or network to which the route leads. 7. In the IP Subnet Mask field, enter the IP subnet mask for this destination. If the destination is a single host, enter 255.255.255.255.
  • Page 55: Configuring Routing Information Protocol (RIP)

    • The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192.168.1.100. • A Metric value of 1 will work since the ISDN firewall is on the LAN. •...
  • Page 56 3. From the RIP Direction pull-down menu, select the direction in which the VPN firewall will send and receive RIP packets. The choices are: • None. The VPN firewall neither broadcasts its routing table nor does it accept any RIP packets from other routers.
  • Page 57: Firewall Protection And Content Filtering

    Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Gigabit 8 Port VPN Firewall FVS318G to protect your network. This chapter includes the following sections: • “About Firewall Protection and Content Filtering”...
  • Page 58: Using Rules To Block Or Allow Specific Kinds Of Traffic

    A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions.
  • Page 59: Services-Based Rules

    Services-Based Rules The rules to block traffic are based on the traffic’s category of service. • Outbound Rules (service blocking). Outbound traffic is normally allowed unless the VPN firewall is configured to disallow it. •...
  • Page 60 Table 4-1. Outbound Rules (continued) Item Description Select Schedule Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be used by this rule. • This pull-down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block”...
  • Page 61 Table 4-1. Outbound Rules (continued) Item Description Bandwidth Profile Bandwidth Limiting determines the way in which the data is sent to or from your host. The purpose of bandwidth limiting is to provide a solution for limiting the outgoing or incoming traffic, thus preventing the LAN users from consuming all the bandwidth of your Internet connection.
  • Page 62 Table 4-2. Inbound Rules Item Description Services Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services”...
  • Page 63 Table 4-2. Inbound Rules (continued) Item Description This determines whether packets covered by this rule are logged. Select the desired action: • Always. Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
  • Page 64: Viewing Rules And Order Of Precedence For Rules

    Viewing Rules and Order of Precedence for Rules To view the firewall rules, select Security from the main menu and Firewall from the submenu. The LAN WAN Rules screen appears (Figure 4-1 shows some examples).
  • Page 65: Configuring LAN WAN Rules

    To make changes to an existing outbound or inbound service rule on the LAN WAN Rules, DMZ WAN Rules, or LAN DMZ Rules screen, in the Action column to the right of the rule, click one of the following table buttons: •...
  • Page 66 LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 67 LAN WAN Inbound Services Rules This Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your VPN firewall.
  • Page 68: Configuring DMZ WAN Rules

    Configuring DMZ WAN Rules The firewall rules for traffic between the DMZ and the WAN/Internet are configured on the DMZ WAN Rules screen. The Default Outbound Policy is to allow all traffic from and to the Internet to pass through.
  • Page 69: Configuring LAN DMZ Rules

    Figure 4-5 4. Configure the settings based on the descriptions in Table 4-1 on page 4-3. 5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled.
  • Page 70 To create a new LAN DMZ outbound service policy: 1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen displays. 2. Select the LAN DMZ Rules tab. The LAN DMZ Rules screen displays. Figure 4-6 3.
  • Page 71: Inbound Rules Examples

    5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled. The procedure to add a new LAN DMZ inbound service policy is similar to the procedure described above with the exception that you click Add under the Inbound Services table, you configure the settings based on the descriptions in Table 4-2 on page...
  • Page 72 LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. Figure 4-9 In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
  • Page 73 Figure 4-10 The following addressing scheme is used in this example: • VPN firewall FVS318G – WAN primary public IP address: 10.1.0.1 – WAN additional public IP address: 10.1.0.5 – LAN IP address 192.168.1.1 •...
  • Page 74 1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 75: Outbound Rules Example

    Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites. LAN WAN Outbound Rule: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
  • Page 76: Attack Checks

    Attack Checks The Attack Checks screen allows you to specify whether or not the VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks. To enable the appropriate attack checks for your environment: 1.
  • Page 77 – Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system. When the system responds, the attacker does not complete the connection, thus saturating the server with half-open connections.
  • Page 78: Setting Session Limits

    Setting Session Limits Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the VPN firewall. This feature is enabled on the Session Limit screen and shown below in Figure 4-14.
  • Page 79: Managing The Application Level Gateway For SIP Sessions

    Note: Some protocols (such as FTP or RSTP) create two sessions per connection, which should be considered when configuring Session Limiting. The Total Number of Packets Dropped due to Session Limit field shows the total number of packets dropped when the session limit is reached.
  • Page 80: Creating Services, QoS Profiles, And Bandwidth Profiles

    Creating Services, QoS Profiles, and Bandwidth Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: •...
  • Page 81 To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups.
  • Page 82: Specifying Quality Of Service (QoS) Priorities

    Modifying a Service To edit the settings of a service: 1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen displays. Figure 4-17 2.
  • Page 83: Creating Bandwidth Profiles

    A ToS priority for traffic passing through the VPN firewall is one of the following: • Normal-Service. No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
  • Page 84 To add a bandwidth profile: 1. Select Security from the main menu and Bandwidth Profile from the submenu. The Bandwidth Profile screen displays. Figure 4-18 2. Click Add to add a new bandwidth profile. The Add New Bandwidth Profile screen displays. Figure 4-19 3.
  • Page 85: Setting A Schedule To Block Or Allow Specific Traffic

    c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed: • Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth in Kbps. • Enter the Inbound Minimum Bandwidth and Inbound Maximum Bandwidth in Kbps.
  • Page 86: Blocking Internet Sites (Content Filtering)

    If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message. Several types of blocking are available: •...
  • Page 87 – Proxy. A proxy server (or simply, proxy) allows computers to route connections to other computers through the proxy, thus circumventing certain firewall rules. For example, if connections to a specific IP address are blocked by a firewall rule, the requests can be routed through a proxy that is not blocked by the rule, rendering the restriction ineffective.
  • Page 88 To enable Content Filtering: 1. Select Security from the main menu and Block Sites from the submenu. The Block Sites screen displays. Figure 4-21
  • Page 89: Configuring Source MAC Filtering

    2. Check the Yes radio button to enable content filtering. 3. Click Apply to activate the screen controls. 4. Check the radio boxes of any Web components you wish to block. 5.
  • Page 90 Figure 4-22 2. Check the Yes radio box in the MAC Filtering Enable section. 3. Select the action to be taken on outbound traffic from the listed MAC addresses: • Block this list and permit all other MAC addresses. •...
  • Page 91: Configuring Ip/Mac Address Binding

    Configuring IP/MAC Address Binding IP/MAC binding allows you to bind an IP address to a MAC address and the other way around. Some devices are configured with static addresses. To prevent users from changing their static IP addresses, IP/MAC binding must be enabled on the VPN firewall.
  • Page 92 Figure 4-23 3. Select the Yes radio box and click Apply. Make sure that you have enabled the e-mailing of logs (see “Activating Notification of Events and Alerts” on page 6-23). 4.
  • Page 93: Configuring Port Triggering

    To edit an IP/MAC binding rule, click Edit adjacent to the entry. The following fields of an existing IP/MAC binding rule can be modified: • MAC Address. Specify the MAC Address for this rule. •...
  • Page 94 Without port triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the port forwarding rules. Note these restrictions with port triggering: •...
  • Page 95 a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 6. In the Incoming (Response) Port Range fields: a. Enter the Start Port range (1 - 65534). b.
  • Page 96: Configuring Upnp (Universal Plug And Play)

    To check the status of the port triggering rules, click the Status option arrow on the Port Triggering screen. Figure 4-26 Configuring UPnP (Universal Plug and Play) The UPnP (Universal Plug and Play) feature allows the VPN firewall to automatically discover and configure devices that it finds on the LAN and WAN.
  • Page 97: Email Notifications Of Event Logs And Alerts

    3. Configure the following fields: – Advertisement Period. Enter the period in minutes that specifies how often the VPN firewall should broadcast its UPnP information to all devices within its range. –...
  • Page 98: Administrator Tips

    Administrator Tips Consider the following operational items: • As an option, you can enable remote management if you have to manage distant sites from a central location (see “Configuring an External Server for Authentication” on page 6-11).
  • Page 99: Virtual Private Networking

    “Configuring NetBIOS Bridging with VPN” on page 5-55 Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following scenarios: •...
  • Page 100: Creating Gateway To Gateway Vpn Tunnels With The Wizard

    Creating Gateway to Gateway VPN Tunnels with the Wizard Figure 5-1 Follow these steps to set up a gateway VPN tunnel using the VPN Wizard. 1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen displays.
  • Page 101 To view the wizard default settings, click the VPN Wizard Default Values option arrow. You can modify these settings after completing the wizard. 2. Select Gateway as your connection type. 3. Create a Connection Name. Enter a descriptive name for the connection. This name is used to help you manage the VPN settings;...
  • Page 102 Figure 5-3 9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured. To display the status of your VPN connections, select VPN from the main menu and Connection Status from the submenu.
  • Page 103: Creating A Client To Gateway Vpn Tunnel

    Creating a Client to Gateway VPN Tunnel Figure 5-5 Follow these steps to configure a VPN client tunnel: • Configure the client policies on the gateway. • Configure the VPN client to connect to the gateway. Use the VPN Wizard Configure the Gateway for a Client Tunnel 1.
  • Page 104 Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel alive. Figure 5-6 7.
  • Page 105 Figure 5-7 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR ProSafe VPN Client installed, configure a VPN client policy to connect to the VPN firewall. Follow these steps to configure your VPN client.
  • Page 106 2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1.
  • Page 107 3. In the left frame, click My Identity. Fill in the options according to the instructions below. Figure 5-10 • From the Select Certificate pull-down menu, choose None. • Click Pre-Shared Key to enter the key you provided in the VPN Wizard; in this example, we are using “r3m0+eC1ient.”...
  • Page 108 Figure 5-11
  • Page 109: Testing The Connections And Viewing Status Information

    5. In the upper left of the window, click the disk icon to save the policy. Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 110 Connections\gw1”. Figure 5-13 The VPN client icon in the system tray should state On: 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer.
  • Page 111 “Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection” on page 5-7. The VPN client system tray icon provides a variety of status indications, which are listed below.
  • Page 112: Vpn Firewall Vpn Connection Status And Logs

    VPN Firewall VPN Connection Status and Logs To view VPN firewall VPN connection status, select VPN from the main menu and Connection Status from the submenu. The VPN Connection Status screen displays. Figure 5-16 Note: The information in the VPN Connection Status screen in Figure 5-16...
  • Page 113: Managing Vpn Policies

    To view VPN firewall VPN logs, select Monitoring from the main menu and VPN Logs from the submenu. The VPN Logs screen displays. Figure 5-17 Managing VPN Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN policy and an IKE policy are established and populated in both policy tables.
  • Page 114 IKE policies are activated when: 1. The VPN Policy Selector determines that some traffic matches an existing VPN policy. If the VPN policy is of type “Auto”, then the auto policy settings that are defined in the VPN policy are accessed, which specify which IKE policy to use.
  • Page 115 Each policy that is listed in the List of IKE Policies table contains the following data: • Name. Uniquely identifies each IKE policy. The name is chosen by you and used for the purpose of managing your policies;...
  • Page 116 Manually Adding or Editing an IKE Policy To manually add an IKE policy: 1. Select VPN from the main menu and Policies from the submenu. The Policies submenu tabs appear with the IKE Policies screen in view (see Figure 5-18 on page 5-16).
  • Page 117 3. Complete the fields, select the radio buttons, and make your selections from the pull-down menus as explained in Table 5-2. Table 5-2. Add IKE Policy Settings Item Description (or Subfield and Description) Mode Config Record Do you want to use Specify whether or not the IKE policy uses a Mode Config Record.
  • Page 118 Table 5-2. Add IKE Policy Settings (continued) Item Description (or Subfield and Description) Local Identifier Type From the pull-down menu, select one of the following ISAKMP identifiers to be used by the VPN firewall, and then specify the identifier in the field below: •...
  • Page 119 Table 5-2. Add IKE Policy Settings (continued) Item Description (or Subfield and Description) Authentication Method Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint.
  • Page 120 Table 5-2. Add IKE Policy Settings (continued) Item Description (or Subfield and Description) Extended Authentication XAUTH Configuration Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: Note: For more •...
  • Page 121: Configuring Vpn Policies

    4. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table. Configuring VPN Policies You can create two types of VPN policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
  • Page 122 2. Click the VPN Policies tab. The VPN Policies screen is displayed. Figure 5-20 Only one client policy may be configured at a time (noted by an “*” next to the policy name). The List of VPN Policies contains the following fields: •...
  • Page 123 To delete one or more VPN policies: 1. Select the checkbox to the left of the policy that you want to delete or click the select all table button to select all VPN policies. 2.
  • Page 124 Figure 5-21 4. Complete the fields, select the radio buttons and checkboxes, and make your selections from the pull-down menus as explained in Table 5-3 on page 5-27.
  • Page 125 Table 5-3. Add VPN Policy Settings Item Description (or Subfield and Description) General Policy Name A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint. Policy Type From the pull-down menu, select one of the following policy types: •...
  • Page 126 Table 5-3. Add VPN Policy Settings (continued) Item Description (or Subfield and Description) Traffic Selection Local IP From the pull-down menu, select the address or addresses that are part of the VPN tunnel on the VPN firewall: •...
  • Page 127 Table 5-3. Add VPN Policy Settings (continued) Item Description (or Subfield and Description) Integrity Algorithm From the pull-down menu, select one of the following two algorithms to be used in the VPN header for the authentication process: •...
  • Page 128: Managing Certificates

    Table 5-3. Add VPN Policy Settings (continued) Item Description (or Subfield and Description) PFS Key Group Select this checkbox to enable Perfect Forward Secrecy (PFS), and then select a Diffie-Hellman (DH) group from the pull-down menu. The DH Group sets the strength of the algorithm in bits.
  • Page 129 A self-signed certificate will trigger a warning from most browsers as it provides no protection against identity theft of the server. The VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior to deploying the VPN firewall in your network.
  • Page 130: Understanding The Certificates Screen

    Understanding the Certificates Screen To display the Certificates screen, select VPN from the main menu and Certificates from the submenu. Because of the large size of this screen, and because of the way the information is presented, the Certificates screen is divided and presented in this manual in different figures.
  • Page 131: Understanding And Viewing Active Self Certificates

    To view the VPN certificates: Select VPN from the main menu and Certificates from the submenu. The Certificates screen displays. The top section of the Certificates screen displays the Trusted Certificates (CA Certificates) section.
  • Page 132 There can be three reasons why a security alert is generated for a security certificate: • The security certificate was issued by a company you have not chosen to trust. • The date of the security certificate is invalid.
  • Page 133: Obtaining A Self Certificate From A Certificate Authority

    • Issuer Name. The name of the CA that issued the certificate. • Expiry Time. The date on which the certificate expires. You should renew the certificate before it expires. Obtaining a Self Certificate from a Certificate Authority To use a self certificate, you must first request the certificate from the CA, then download and activate the certificate on your system.
  • Page 134 2. Configure the following fields: • Name. Enter a descriptive name that will identify this certificate. • Subject. This is the name which other organizations will see as the holder (owner) of the certificate.
  • Page 135 6. In the Self Certificate Requests table, click view in the Action column to view the request. Figure 5-27 7. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from “----BEGIN CERTIFICATE REQUEST---”...
  • Page 136: Managing Your Certificate Revocation List (Crl)

    If you have not already uploaded the CA certificate, do so now, as described in “Viewing and Loading CA Certificates” on page 5-32. You should also periodically check the Certificate Revocation Lists (CRL) table, as described in the following section. Managing your Certificate Revocation List (CRL) A CRL (Certificate Revocation List) file shows certificates that have been revoked and are no longer valid.
  • Page 137: Configuring Extended Authentication (Xauth)

    Configuring Extended Authentication (XAUTH) When connecting many VPN clients to a VPN gateway router, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although the administrator could configure a unique VPN policy for each user, it is more convenient for the VPN gateway router to authenticate users from a stored list of user accounts.
  • Page 138 2. You can add XAUTH to an existing IKE policy by clicking the edit button adjacent to the policy to be modified or you can create a new IKE policy incorporating XAUTH by clicking add.
  • Page 139: Configuring The User Database For Xauth

    – User Database to verify against the VPN firewall’s user database. Users must be added through the User Database screen (see “Configuring the User Database for XAUTH” on page 5-41). – RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server.
  • Page 140: Configuring Radius Clients For Xauth

    2. Enter a User Name. This is the unique ID of a user which will be added to the User Name database. 3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4.
  • Page 141 Figure 5-31 3. Enable the primary RADIUS server by checking the Yes radio box. 4. Enter the primary RADIUS Server IP Address. 5. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
  • Page 142: Assigning Ip Addresses To Remote Users (Modeconfig)

    In the following example, we configured the VPN firewall using ModeConfig, and then configured a PC running ProSafe VPN Client software using these IP addresses. • NETGEAR ProSafe Gigabit 8 Port VPN Firewall FVS318G – WAN IP address: 172.21.4.1 –...
  • Page 143: Configuring Mode Config Operation On The Vpn Firewall

    Note: After configuring a Mode Config record, you must manually configure an IKE policy and select the newly created Mode Config record from the Select Mode Config Record pull-down menu (see “Configuring Mode Config Operation on the Firewall.”...
  • Page 144 Figure 5-33 3. Enter a descriptive Record Name such as “Sales”. 4. Assign at least one range of IP pool addresses in the First IP Pool field to give to remote VPN clients.
  • Page 145 9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES 10.
  • Page 146 Recommended settings are: • Encryption Algorithm: 3DES • Authentication Algorithm: SHA-1 • Diffie-Hellman: Group 2 • SA Lifetime: 3600 seconds Figure 5-34
  • Page 147 9. Enter a Pre-Shared Key that will also be configured in the VPN client. 10. XAUTH is disabled by default. To enable XAUTH, in the Extended Authentication section, select one of the following: •...
  • Page 148: Configuring The Prosafe Vpn Client For Modeconfig

    Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
  • Page 149 2. From the left side of the menu, click My Identity. Figure 5-36 Enter the following information: a. Click Pre-Shared Key and enter the key you configured in the VPN firewall’s Add IKE Policy screen. b.
  • Page 150 b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and select Diffie-Hellman Group 2 from the PFS Key Group pull-down menu. c. Enable Replay Detection should be checked. 4.
  • Page 151: Configuring Keepalives And Dead Peer Detection

    Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds).) 6. Click the Save icon to save the Security Policy and close the ProSafe VPN client. Testing the Mode Config Connection To test the connection: 1.
  • Page 152: Configuring Dead Peer Detection

    4. In the General section of the Edit VPN Policy screen, locate the keepalive configuration settings. Figure 5-39 5. Click the Yes radio button to enable keepalive. 6. In the Ping IP Address boxes, enter an IP address on the remote LAN. This must be the address of a host that can respond to ICMP ping requests.
  • Page 153: Configuring Netbios Bridging With Vpn

    3. In the IKE SA Parameters section of the Edit IKE Policy screen, locate the Dead Peer Detection configuration settings. Figure 5-40 4. Click the Yes radio button to Enable Dead Peer Detection. 5.
  • Page 154 2. Click the VPN Policies tab. The VPN Policies screen displays (see Figure 5-20 on page 5-24). 3. In the List of VPN Policies table, click the edit button to the right of the VPN policy that you want to edit.
  • Page 155: Vpn Firewall And Network Management

    Chapter 6 VPN Firewall and Network Management This chapter describes how to use the network management features of your ProSafe Gigabit 8 Port VPN Firewall FVS318G. This chapter includes the following sections: • “Performance Management” on this page • “Configuring Users, Administrative Settings, and Remote Management” on page 6-8 •...
  • Page 156: Vpn Firewall Features That Reduce Traffic

    VPN Firewall Features That Reduce Traffic You can adjust the following features of the VPN firewall in such a way that the traffic load on the WAN side decreases: • LAN WAN outbound rules (also referred to as service blocking) •...
  • Page 157 • WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address. – Any. The rule applies to all Internet IP addresses. – Single address. The rule applies to a single Internet IP address. –...
  • Page 158: Vpn Firewall Features That Increase Traffic

    • Keyword (and Domain Name) Blocking. You can specify up to 32 words that, should they appear in the website name (that is, URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall.
  • Page 159 Port Forwarding The VPN firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (that is, the service is unavailable).
  • Page 160 • WAN Users. These settings determine which Internet locations are covered by the rule, based on their IP address. – Any. The rule applies to all Internet IP addresses. – Single address. The rule applies to a single Internet IP address. –...
  • Page 161: Using Qos To Shift The Traffic Mix

    – After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated.
  • Page 162: Tools For Traffic Management

    “Configuring Date and Time Service” on page 6-21 Changing Passwords and Settings The default password for the VPN firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password. You can also configure a separate password for guests.
  • Page 163 3. In the User Selection section of the screen, select either the Edit Admin Settings or Edit Guest Settings radio box. Figure 6-1 4. In either the Admin Settings or the Guest Settings section of the screen: a.
  • Page 164: Adding External Users

    Note: After a factory defaults reset, the password and time-out value will be changed back to password and 5 minutes, respectively. Adding External Users You can add external users for which you then can configure an authentication method (see “Configuring an External Server for Authentication”...
  • Page 165: Configuring An External Server For Authentication

    3. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b. User Type. Select either Admin or Guest. c. Idle Timeout. This is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
  • Page 166 To configure external authentication: 1. Select Users from the main menu and External Authentication from the submenu. The External Users screen displays. 2. Select the External Authentication tab. The External Authentication screen displays. Figure 6-4 3.
  • Page 167 • Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same secret phrase must be configured on both client and server. •...
  • Page 168: Enabling Remote Management Access

    Enabling Remote Management Access Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see “Logging into the VPN Firewall”...
  • Page 169 2. Check the Allow Remote Management radio box. 3. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect. a.
  • Page 170: Using An Snmp Manager

    Note: To maintain security, the VPN firewall will reject a login that uses http://address rather than the SSL https://address. Note: The first time that you remotely connect to the VPN firewall with a browser via SSL, you may get a warning message regarding the SSL certificate.
  • Page 171 To create a new SNMP configuration entry: 1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen displays. Figure 6-6 2. Under Create New SNMP Configuration Entry, enter the IP address of the SNMP manager in the IP Address field and the subnet mask in the Subnet Mask field.
  • Page 172: Managing The Configuration File

    When you click the SNMP System Info option arrow on the SNMP screen, the VPN firewall’s identification information is displayed. The following identification information is available to the SNMP manager: system contact, system location, and system name. To modify the SNMP identification information: 1.
  • Page 173 Backing Up Settings To back up settings: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen displays. Figure 6-8 2.
  • Page 174 1. On the Settings Backup and Firmware Upgrade screen, next to Restore save settings from file, click Browse. 2. Locate and select the previously saved backup file (by default, netgear.cfg). 3. When you have located the file, click restore. An Alert screen will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.
  • Page 175: Configuring Date And Time Service

    After downloading an upgrade file, you may need to unzip (uncompress) it before upgrading the VPN firewall. If Release Notes are included in the download, read them before continuing. 4. Select Administration from the main menu and Settings Backup & Upgrade from the submenu.
  • Page 176 NTP Server in the Server 1 Name/IP Address field. You can enter the address of a backup NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the default Netgear NTP servers.
  • Page 177: Monitoring System Performance

    Monitoring System Performance You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the VPN firewall, broadband port, LAN ports, and VPN tunnels.
  • Page 178 Figure 6-10
  • Page 179 2. In the Log Options section, enter the name of the log in the Log Identifier field. The Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages.
  • Page 180: Viewing The Logs

    • LOG_ERROR (Error conditions) • LOG_WARNING (Warning conditions) • LOG_NOTICE (Normal but significant conditions) • LOG_INFO (Informational messages) • LOG_DEBUG (Debug level messages) 10. Click Reset to cancel your changes and return to the previous settings or click Apply to save your settings.
  • Page 181: Enabling The Traffic Meter

    Table 6-2. Firewall Log Field Descriptions Field Description Date and Time The date and time the log entry was recorded. Description or Action The type of event and what action was taken if any. Source IP The IP address of the initiating device for this log entry.
  • Page 182 • Increase this month limit by. Temporarily increase the traffic limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so that the increase is only applied once.) •...
  • Page 183 • Restart Traffic Counter at a Specific Time. Restart the traffic counter at a specific time and day of the month. Fill in the time fields and choose AM or PM and the day of the month from the pull-down menus.
  • Page 184: Viewing the VPN Firewall Configuration and System Status

    Viewing the VPN Firewall Configuration and System Status The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen displays. This screen displays current settings and statistics for your VPN firewall.
  • Page 185: Monitoring VPN Firewall Statistics

    Table 6-3. Router Status Fields (continued)
    LAN Port: Displays the current settings for MAC address, IP address, DHCP status, and IP subnet mask that you set in the LAN IP Setup screen. DHCP can be either Enabled or Disabled.
  • Page 186: Monitoring Broadband Port Status

    For each interface (Broadband, LAN, and DMZ), the number of transmitted (Tx Pkts) and received (Rx Pkts) packets, the number of collided packets, the transmitted (Tx B/s) and received (Rx B/s) bytes per second, and the interface up-time are shown. To set the poll interval: 1.
  • Page 187: Monitoring Attached Devices

    Monitoring Attached Devices The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. 2.
  • Page 188: Monitoring VPN Tunnel Connection Status

    The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed. Table 6-4. Known PCs and Devices options Item Description Name...
  • Page 189: Viewing the VPN Logs

    The Active IPsec (SA)s table lists each active connection with the following information.
    Table 6-5. IPsec Connection Status Fields
    Policy Name: The name of the VPN policy associated with this SA.
    Endpoint: The IP address on the remote VPN endpoint.
  • Page 190: Viewing the DHCP Log

    Viewing the DHCP Log To display the DHCP log: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen displays. 2. Click the DHCP Log option arrow in the upper right-hand section of the screen. The DHCP Log popup screen displays.
  • Page 191 To view the most recent entries, click Refresh.
    Table 6-6. Port Triggering Status Data
    Rule: The name of the rule.
    LAN IP Address: The IP address of the PC currently using this rule.
    Open Ports: The incoming ports that are associated with this rule.
  • Page 192: VPN Firewall and Network Management

  • Page 193: Troubleshooting

    Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Gigabit 8 Port VPN Firewall FVS318G. This chapter includes the following sections: • “Basic Functions” on this page • “Troubleshooting the Web Configuration Interface” on page 7-3 •...
  • Page 194: Power LED Not On

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 195: Troubleshooting The Web Configuration Interface

    Troubleshooting the Web Configuration Interface If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the VPN firewall as described in the previous section.
  • Page 196: Troubleshooting the ISP Connection

    Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the VPN firewall’s configuration at http://192.168.1.1. 3. Select Monitoring from the main menu and Router Status from the submenu.
  • Page 197: Troubleshooting a TCP/IP Network Using a Ping Utility

    • Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name on the Broadband ISP Settings screen (see Figure 2-2 on page 2-4).
  • Page 198: Testing the Path from Your PC to a Remote Device

    Pinging <IP address> with 32 bytes of data
    If the path is working, you will see this message:
    Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
    If the path is not working, you will see this message:
    Request timed out
    If the path is not functioning correctly, you could have one of the following problems: •...
  • Page 199: Restoring The Default Configuration And Password

    – If your ISP assigned a host name to your PC, enter that host name as the Account Name on the Broadband ISP Settings screen (see Figure 2-2 on page 2-4). –...
  • Page 200: Using The Diagnostics Utilities

    Problems with the date and time function can include: • Date and time shown is Thu Jan 01 00:01:52 GMT 1970. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly.
  • Page 201 “Back” on the Windows menu bar to return to the Diagnostics screen. Perform a DNS Lookup: A DNS (Domain Name Server) converts the Internet name such as www.netgear.com to an IP address. If you need the IP address of a Web, FTP, Mail or other server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 203: Default Settings And Technical Specifications

    Appendix A Default Settings and Technical Specifications You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 5 seconds (until the TEST LED blinks rapidly).
  • Page 204 Table A-1. VPN firewall Default Configuration Settings (continued)
    Management
      Time Zone
      Time Zone Adjusted for Daylight Saving Time: Disabled
      SNMP: Disabled
      Remote Management: Disabled
    Firewall
      Inbound (communications coming in from the Internet): Disabled (except traffic on port 80, the HTTP port)
      Outbound (communications going out to...
  • Page 205 Table A-2. VPN firewall Technical Specifications (continued)
    Environmental Specifications
      Operating temperature: 0° to 40° C (32° to 104° F)
      Operating humidity: 90% maximum relative humidity, noncondensing
    Electromagnetic Emissions
      Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B...
  • Page 207: Two Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the network. As part of the new maintenance firmware release, NETGEAR has...
  • Page 208: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented two Two-Factor Authentication solutions from WiKID. WiKID is a software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform Two-Factor Authentication on NETGEAR SSL and VPN firewall products.
  • Page 209 The request-response architecture is capable of self-service initialization by end users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works. 1. The user launches the WiKID token software, enters the PIN that has been given to them (something they know), and then presses “continue”...
  • Page 210 Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used before the expiration time. If a user does not use this passcode before it is expired, the user must go through the request process again to generate a new OTP.
  • Page 211: Related Documents

    Appendix C Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.
    TCP/IP Networking Basics: http://documentation.netgear.com/reference/enu/tcpip/index.htm
    Wireless Networking Basics: http://documentation.netgear.com/reference/enu/wireless/index.htm
    Preparing Your Network: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...
  • Page 213 Index Numerics IKE Policy 5-17 Authentication Header 3322.org 2-11 VPN Policy 5-24 Auto Detect Auto Uplink access remote management 6-14 Add DMZ WAN Outbound Services screen 4-12 backup and restore settings 6-19 Add LAN DMZ Outbound Service screen 4-14 bandwidth capacity Add LAN WAN Inbound Service 4-11 LAN side...
  • Page 214 certificates default user name 1-8, 2-2 5-32 denial of service attack 4-21 management of 5-35 Denial of Service. See DoS. trusted (CA certificates) 5-32 DES and 3DES 5-20, 5-28, 5-29 Classical Routing 5-21, 5-30 definition of 2-10...
  • Page 215 Domain Name factory default settings router 3-4, 3-13 revert to 6-18 Domain Name Blocking 4-31 Firewall Logs emailing of 4-41, 6-23 Domain Name Servers. See DNS. field descriptions 6-27 setting up 6-23 about protection viewing...
  • Page 216 default definition configuring 5-53 example 4-16 VPN tunnels 5-27 field descriptions key features order of precedence Keyword Blocking 4-31 Port Forwarding 4-3, 4-5 applying 4-33 rules for use Keyword Filtering Inbound Services field descriptions increasing traffic DMZ port...
  • Page 217 advantages of Network Database Group Names screen MAC address Network Time Protocol. See NTP. blocked, adding 4-33 configuring newsgroup 4-31 format of 2-14 NTP Servers spoofing custom 6-22 main menu default 6-22 setting 6-21...
  • Page 218 service blocking WiKID 6-11 Port Forwarding RADIUS Server Inbound Rules 4-3, 4-5 about 5-42 increasing traffic configuring 5-42 rules, about Edge Device 5-39 port numbers 4-24 RADIUS-CHAP 5-39, 5-41 AUTH, using with 5-39 Port Speed 2-13...
  • Page 219 Routing Information Protocol. See RIP. Simple Network Management Protocol. See SNMP. Routing screen 3-15 4-23 RSA signatures 5-21 sniffer rules SNMP blocking traffic about 6-16 inbound example 4-16 configuring 6-17 order of precedence 4-24 global access 6-17...
  • Page 220 TCP/IP network, troubleshooting VoIP (voice over IP) sessions 4-23 technical specifications VPN Client Time configuring daylight savings, troubleshooting VPN firewall setting 6-21 Connecting troubleshooting VPN Logs Time Zone monitoring 6-35 setting of 6-21 VPN Logs screen 6-35...
  • Page 221 Web Components 4-30 blocking 4-33 filtering, about 4-30 Web configuration troubleshooting WiKID 6-11 authentication, overview WinPoET WINS server 3-4, 3-13 XAUTH IKE policies 5-22 IPSec Host 5-39 types of 5-39 Index-9

This manual is also suitable for:

Prosafe fvs318g