NETGEAR FVS318G Reference Manual

NETGEAR ProSAFE VPN Firewall
FVS318G v2
Reference Manual
October 2014
202-11465-01
350 East Plumeria Drive
San Jose, CA 95134
USA

Summary of Contents for NETGEAR FVS318G

  • Page 1 NETGEAR ProSAFE VPN Firewall FVS318G v2 Reference Manual October 2014 202-11465-01 350 East Plumeria Drive San Jose, CA 95134...
  • Page 2: Revision History

    See the regulatory compliance document before connecting the power supply. Trademarks NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice....
  • Page 3: Table Of Contents

    Chapter 1 Introduction: What Is the NETGEAR ProSAFE VPN Firewall FVS318G v2? (page 9); Key Features and Capabilities (page 9); Advanced VPN Support for IPSec
  • Page 4 Configure ISATAP Automatic Tunneling (page 48); View the Tunnel Status and IPv6 Addresses
  • Page 5 Test the Connection and View Connection and Status Information (page 234); Test the NETGEAR VPN Client Connection (page 234); NETGEAR VPN Client Status and Log Information
  • Page 6 Configure Mode Config Operation on the VPN Firewall (page 262); Configure the ProSafe VPN Client for Mode Config Operation (page 268); Test the Mode Config Connection
  • Page 7 What Is Two-Factor Authentication? (page 408); NETGEAR Two-Factor Authentication Solutions (page 409)
  • Page 8: Chapter 1 Introduction

    Introduction This chapter provides an overview of the features and capabilities of the NETGEAR ProSAFE VPN Firewall FVS318G v2 and explains how to log in to the device and use its web management interface. The chapter contains the following sections: What Is the NETGEAR ProSAFE VPN Firewall FVS318G v2? •...
  • Page 9: What Is The Netgear Prosafe Vpn Firewall Fvs318G V2

    NETGEAR ProSAFE VPN Firewall FVS318G v2 What Is the NETGEAR ProSAFE VPN Firewall FVS318G v2? The NETGEAR ProSAFE VPN Firewall FVS318G v2, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through an external broadband access device such as a cable or DSL modem, satellite or wireless Internet dish, or another router.
  • Page 10: Advanced Vpn Support For Ipsec

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Advanced VPN Support for IPSec The VPN firewall supports IPSec virtual private network (VPN) connections. IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
  • Page 11: Extensive Protocol Support

    ISP account. • IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so that you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC).
  • Page 12: Maintenance And Support

    Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the VPN firewall: • Flash memory for firmware upgrades.
  • Page 13: Hardware Features

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Installation Guide • If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Hardware Features The front panel ports and LEDs, rear panel ports, and bottom label of the VPN firewall are described in the following sections.
  • Page 14 NETGEAR ProSAFE VPN Firewall FVS318G v2 The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are described in detail in the following table. Some LED explanation is provided on the front panel.
  • Page 15 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 1. LED descriptions (continued) Activity Description LAN Ports Left LED The LAN port does not detect a link. On (green) The LAN port detected a link with a connected Ethernet device. Blinking (green) Data is being transmitted or received by the LAN port.
  • Page 16: Rear Panel

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Rear Panel The rear panel of the VPN firewall includes the antennas, a cable lock receptacle, a console port, a Reset button, a DC power connection, and a power switch. (1) Security lock (3) Reset button...
  • Page 17: Bottom Panel With Product Label

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Bottom Panel with Product Label The product label on the bottom of the VPN firewall’s enclosure displays factory default settings, regulatory compliance, and other information. Figure 4. Product label Choose a Location for the VPN Firewall The VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted on a wall.
  • Page 18: Wall-Mount The Vpn Firewall With The Mounting Kit

    temperatures for the VPN firewall, see Appendix A, Default Settings and Technical Specifications. Wall-Mount the VPN Firewall with the Mounting Kit Use the mounting kit for the VPN firewall to install the appliance on a wall. Attach the mounting brackets using the hardware that is supplied with the mounting kit.
  • Page 19: Log In To The Vpn Firewall

    To connect the VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the NETGEAR ProSAFE VPN Firewall FVS318G v2 Installation Guide. To configure the VPN firewall, you must use a web browser such as Microsoft Internet Explorer 7.0 or later, Mozilla Firefox 4.0 or later, or Apple Safari 3.0 or later with JavaScript,...
  • Page 20 NETGEAR ProSAFE VPN Firewall FVS318G v2 Note: The VPN firewall user name and password are not the same as any user name or password that you might use to log in to your Internet connection. Leave the domain as it is (geardomain).
  • Page 21: Web Management Interface Menu Layout

    Web Management Interface Menu Layout The following figure shows the menu at the top of the web management interface: IP radio buttons; 3rd level: Submenu tab (blue); 2nd level: Configuration menu link (gray); Option arrows: Additional screen for submenu item; 1st level: Main navigation menu link (orange). Figure 6.
  • Page 22: Requirements For Entering Ip Addresses

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. The following figure shows an example: Figure 7. Action buttons Any of the following action buttons might display onscreen (this list might not be complete): •...
  • Page 23: Ipv4 Addresses

    NETGEAR ProSAFE VPN Firewall FVS318G v2 IPv4 Addresses The fourth octet of an IP address must be between 0 and 255 (both inclusive). This requirement applies to any IP address that you enter on a screen of the web management interface.
  • Page 24: Chapter 2 Ipv4 And Ipv6 Internet And Broadband Settings

    IPv4 and IPv6 Internet and Broadband Settings This chapter explains how to configure the Internet and WAN settings. The chapter contains the following sections: Internet and WAN Configuration Tasks • Configure the IPv4 Internet Connection and WAN Settings • Configure the IPv6 Internet Connection and WAN Settings •...
  • Page 25: Internet And Wan Configuration Tasks

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Internet and WAN Configuration Tasks The tasks that are required to complete the Internet connection of your VPN firewall depend on whether you use an IPv4 connection or an IPv6 connection to your Internet service provider (ISP).
  • Page 26: Configure The Ipv4 Internet Connection And Wan Settings

    Select the IPv4 / IPv6 mode to support both IPv4 and IPv6 traffic. For more information, see Configure the IPv6 Routing Mode on page 39. Configure the IPv6 Internet connection to your ISP and connect to your ISP.
  • Page 27: Network Address Translation

    mode. The latter mode adds IPv6 functionality. For more information, see Configure the IPv6 Routing Mode on page 39. Network Address Translation Network Address Translation (NAT) allows all computers on your LAN to share a single public Internet IP address.
  • Page 28: Let The Vpn Firewall Automatically Detect And Configure An Ipv4 Internet Connection

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Network Configuration > WAN Settings. Select the NAT radio button or the Classical Routing radio button. WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.
  • Page 29 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Network Configuration > WAN Settings > Broadband ISP Settings. In the upper right of the screen, the IPv4 radio button is selected by default. The ISP Broadband Settings screen displays the IPv4 settings.
  • Page 30 NETGEAR ProSAFE VPN Firewall FVS318G v2 • If the autodetect process senses a connection method that requires input from you, it prompts you for the information. The following table explains the settings that you might need to enter: Table 2. IPv4 Internet connection methods...
  • Page 31: Manually Configure An Ipv4 Internet Connection

    The Connection Status screen shows a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection Troubleshoot the ISP...
  • Page 32 NETGEAR ProSAFE VPN Firewall FVS318G v2 If you selected the Yes radio button, enter the login name in the Login field and the password in the Password field. This information is provided by your ISP. In the ISP Type section, select the type of ISP connection that you use from the two listed options.
  • Page 33 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 3. PPTP and PPPoE settings (continued) Setting Description Other (PPPoE) If you installed login software, your connection type is PPPoE. Select this radio button, and enter the following settings: Note: For login and password Account Name The valid account name for the PPPoE connection.
  • Page 34 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 4. Internet IP address settings Setting Description Get Dynamically If your ISP did not assign you a static IP address, select the Get Dynamically from ISP from ISP radio button. The ISP automatically assigns an IP address to the VPN firewall using DHCP network protocol.
  • Page 35: Configure Dynamic Dns

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 5. DNS server settings (continued) Setting Description Use These DNS If your ISP assigned DNS addresses, select the Use These DNS Servers radio Servers button. Make sure that you provide valid DNS server IP addresses in the fields.
  • Page 36 NETGEAR ProSAFE VPN Firewall FVS318G v2 if your Internet account uses a dynamically assigned IP address, you do not know in advance what your IP address will be, and the address can change frequently—hence, the need for a commercial DDNS service, which allows you to register an extension to its domain and restores DNS requests for the resulting fully qualified domain name (FQDN) to your frequently changing IP address.
  • Page 37 NETGEAR ProSAFE VPN Firewall FVS318G v2 For registration information, click the Information option arrow in the upper right of a DNS screen. For example, DynDNS Information. Access the website of the DDNS service provider, and register for an account. For example, for Dyn, visit http://dyn.com/dns/.
  • Page 38: Configure The Ipv6 Internet Connection And Wan Settings

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Your configuration is saved. Configure the IPv6 Internet Connection and WAN Settings The nature of your IPv6 network determines how you must configure the IPv6 Internet connection: • Native IPv6 network. Your network is a native IPv6 network if the VPN firewall uses an IPv6 address and is connected to an IPv6 ISP and if your network consists of IPv6-only devices.
  • Page 39: Configure The Ipv6 Routing Mode

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Configure the IPv6 Routing Mode By default, the VPN firewall supports IPv4 only. To use IPv6, you must enable the VPN firewall to support both devices with IPv4 addresses and devices with IPv6 addresses. The routing mode does not include an IPv6-only option;...
  • Page 40: Use A Dhcpv6 Server To Configure An Ipv6 Internet Connection

    NETGEAR ProSAFE VPN Firewall FVS318G v2 WARNING: Changing the IP routing mode causes the VPN firewall to reboot. Click the Apply button. Your settings are saved. Use a DHCPv6 Server to Configure an IPv6 Internet Connection The VPN firewall can autoconfigure its ISP settings through a DHCPv6 server by using either stateless or stateful address autoconfiguration: •...
  • Page 41 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select the IPv6 radio button. In the Internet Address section, from the IPv6 list, select DHCPv6. In the DHCPv6 section, select a configuration option: • Stateless Address Auto Configuration • Stateful Address Auto Configuration...
  • Page 42: Configure A Static Ipv6 Internet Connection

    To verify the connection, click the Status option arrow in the upper right of the screen. The Connection Status screen shows a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, see Troubleshoot the ISP Connection on page 389.
  • Page 43 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select the IPv6 radio button. In the Internet Address section, from the IPv6 list, select Static IPv6. In the Static IP Address section, enter the settings as described in the following table. Your IPv6 ISP gave you your static IPv6 information.
  • Page 44: Configure A Pppoe Ipv6 Internet Connection

    To verify the connection, click the Status option arrow in the upper right of the screen. The Connection Status screen shows a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, see Troubleshoot the ISP Connection on page 389.
  • Page 45 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select the IPv6 radio button. In the Internet Address section, from the IPv6 list, select PPPoE. In the PPPoE IPv6, enter the settings as described in the following table. Your IPv6 ISP gave you your PPPoE IPv6 information.
  • Page 46 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 8. Broadband ISP Settings screen settings for a PPPoE IPv6 connection (continued) Setting Description DHCPv6 Option From the DHCPv6 Option list, select one of the following DHCPv6 server options, as directed by your ISP: •...
  • Page 47: Configure 6To4 Automatic Tunneling

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Configure 6to4 Automatic Tunneling If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you must make sure that the IPv6 packets can travel over the IPv4 Internet backbone by enabling automatic 6to4 tunneling.
  • Page 48: Configure Isatap Automatic Tunneling

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Network Configuration > WAN Settings > 6 to 4 Tunneling. Select the Enable Automatic Tunneling check box. Click the Apply button. Your changes are saved. Configure ISATAP Automatic Tunneling If your network is an IPv4 network or IPv6 network that consists of both IPv4 and IPv6...
  • Page 49 NETGEAR ProSAFE VPN Firewall FVS318G v2 b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain).
  • Page 50 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 51: View The Tunnel Status And Ipv6 Addresses

    IPv6 address so that the IPv4-translated address becomes 0::ffff:0:a.b.c.d/96. For SIIT to function, the routing mode must be IPv4 / IPv6. NETGEAR’s implementation of SIIT lets you enter a single IPv4 address on the SIIT screen. This IPv4 address is then used...
  • Page 52: Configure Advanced Wan Options And Other Tasks

    in the IPv4-translated address for IPv6 devices to enable communication between IPv4-only devices on the VPN firewall’s LAN and IPv6-only devices on the WAN. To configure SIIT: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 53 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 54 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 10. Broadband Advanced Options screen settings (continued) Setting Description Custom Select the Custom radio button, and enter an MTU value in the Bytes field. For some ISPs, you might need to reduce the MTU. This is rarely required. Do not do this unless you are sure that it is necessary for your ISP connection.
  • Page 55: Additional Wan-Related Configuration Tasks

    If you want the ability to manage the VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 328). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator and Guest Settings on page 326). Enable the WAN Traffic You can also set up the traffic meter for the WAN interface.
  • Page 56: Chapter 3 Lan Configuration

    LAN Configuration This chapter describes how to configure the LAN features of your VPN firewall. The chapter contains the following sections: Manage IPv4 Virtual LANs and DHCP Options • Configure IPv4 Multihome LAN IP Addresses on the Default VLAN • Manage IPv4 Groups and Hosts (IPv4 LAN Groups) •...
  • Page 57: Manage Ipv4 Virtual Lans And Dhcp Options

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Manage IPv4 Virtual LANs and DHCP Options A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges, or switches in the same physical segment or segments connect all end node devices.
  • Page 58: Assign And Manage Vlan Profiles

    NETGEAR ProSAFE VPN Firewall FVS318G v2 LAN ports of the VPN firewall are assigned to the default VLAN, or VLAN 1. Therefore, by default, all eight LAN ports use the default PVID 1. However, you can assign another PVID to a LAN port by selecting a VLAN profile from the list on the LAN Setup screen.
  • Page 59 NETGEAR ProSAFE VPN Firewall FVS318G v2 The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password.
  • Page 60: Vlan Dhcp Options

    VLAN DHCP Options For each VLAN, you must specify the Dynamic Host Configuration Protocol (DHCP) options. For more information, see Configure a VLAN Profile on page 61. For more information about the configuration of the DHCP options for the VPN firewall’s...
  • Page 61: Dns Proxy

    NETGEAR ProSAFE VPN Firewall FVS318G v2 DNS Proxy When the DNS proxy option is enabled for a VLAN, the VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers (as configured on the Broadband ISP Settings screens).
  • Page 62 Select Network Configuration > LAN Setup. For information about how to manage VLANs, see Port-Based VLANs on page 57. The following information describes how to configure a VLAN profile. LAN Configuration...
  • Page 63 NETGEAR ProSAFE VPN Firewall FVS318G v2 Under the VLAN Profiles table, click the Add table button. Enter the settings as described in the following table: Table 11. Add VLAN Profile screen settings Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile.
  • Page 64 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 11. Add VLAN Profile screen settings (continued) Setting Description Port Membership Port 1, Port 2, Port 3, Select one, several, or all port check boxes to make the ports members of this Port 4, Port 5, Port 6,...
  • Page 65 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 11. Add VLAN Profile screen settings (continued) Setting Description Enable DHCP Server Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.
  • Page 66 O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero).
  • Page 67 NETGEAR ProSAFE VPN Firewall FVS318G v2 Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain). c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out.
  • Page 68: Configure Vlan Mac Addresses And Lan Advanced Settings

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The ! status icon changes from a green circle to a gray circle, indicating that the selected VLAN or VLANs are disabled. • Delete. Deletes the VLAN or VLANs. Configure VLAN MAC Addresses and LAN Advanced Settings By default, all configured VLAN profiles share the same single MAC address as the LAN ports.
  • Page 69: Configure Ipv4 Multihome Lan Ip Addresses On The Default Vlan

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In the upper middle of the LAN Setup screen, click the Advanced option arrow. From the MAC Address for VLANs list, select Unique. The default is Same. (Optional) Disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box.
  • Page 70 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 71: Manage Ipv4 Groups And Hosts (Ipv4 Lan Groups)

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain). c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out.
  • Page 72 up the network database. For more information, see Manage the Network Database on page 73. The network database is updated by these methods: • DHCP client requests. When the DHCP server is enabled, it accepts and responds to DHCP client requests from computers and other network devices.
  • Page 73: Manage The Network Database

    NETGEAR ProSAFE VPN Firewall FVS318G v2 DHCPv6 Server Options • Manage the Network Database You can view the network database, manually add or remove database entries, and edit database entries. The Known PCs and Devices table lists the entries in the network database.
  • Page 74 NETGEAR ProSAFE VPN Firewall FVS318G v2 • Group. Each computer or device can be assigned to a single LAN group. By default, a computer or device is assigned to Group 1. You can select a different LAN group from the Group list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen.
  • Page 75 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 12. Add Known PCs and Devices section settings (continued) Setting Description IP Address Enter the IP address that this computer or device is assigned to: • If the IP address type is Fixed (set on PC), the IP address must be outside the address range that is allocated to the DHCP server pool to prevent the IP address from also being allocated by the DHCP server.
  • Page 76 In the Known PCs and Devices table, click the Edit table button of a table entry. Modify the settings. For more information, see Table 12 on page 74. Click the Apply button. Your changes are saved.
  • Page 77: Change Group Names In The Network Database

    Change Group Names in the Network Database By default, the groups are named Group1 through Group8. You can change these group names to be more descriptive, such as GlobalMarketing and GlobalSales. To edit the names of any of the eight available groups:...
  • Page 78: Set Up Dhcp Address Reservation

    LAN use. Note: Site-local addresses, that is, addresses that start with FEC0, are deprecated. However, NETGEAR implements a site-local address as a temporary default IPv6 LAN address that you can replace with another LAN address. The firewall restricts external communication of this default site-local address.
  • Page 79: Dhcpv6 Server Options

    NETGEAR ProSAFE VPN Firewall FVS318G v2 DHCPv6 Server Options • Configure the IPv6 LAN • Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the • DHCPv6 Server Options The IPv6 clients in the LAN can autoconfigure their own IPv6 address or obtain an IPv6 address through a DHCPv6 server.
  • Page 80: Configure The Ipv6 Lan

    • Configure the RADVD. For more information, see Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN on page 88. • Optionally, manually add prefixes to the List of Prefixes for Prefix Delegation table on the LAN Setup screen for IPv6.
  • Page 81 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the upper right of the screen, select the IPv6 radio button. Enter the settings as described in the following table. Table 13. LAN Setup screen settings for IPv6 Setting Description IPv6 LAN Setup IPv6 Address Enter the LAN IPv6 address.
  • Page 82 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 13. LAN Setup screen settings for IPv6 (continued) Setting Description DHCPv6 DHCP Status Specify the status of the DHCPv6 server: • Disable DHCPv6 Server. This is the default setting, and the DHCPv6 fields are masked out.
  • Page 83 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 13. LAN Setup screen settings for IPv6 (continued) Setting Description DHCP Status Domain Name Enter the domain name of the DHCP server. (continued) Server Preference Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting.
  • Page 84 NETGEAR ProSAFE VPN Firewall FVS318G v2 The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password.
  • Page 85 NETGEAR ProSAFE VPN Firewall FVS318G v2 b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain).
  • Page 86 NETGEAR ProSAFE VPN Firewall FVS318G v2 IPv6 LAN Prefixes for Prefix Delegation If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation check box (both on the ISP Broadband Settings screen for IPv6 and on the LAN Setup screen for IPv6), a prefix delegation pool is automatically added to the List of Prefixes for Prefix Delegation table.
  • Page 87 NETGEAR ProSAFE VPN Firewall FVS318G v2 The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password.
  • Page 88: Configure The Ipv6 Router Advertisement Daemon And Advertisement Prefixes For The Lan

    The information is deleted. Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you must configure the Router Advertisement Daemon (RADVD) and advertisement prefixes.
  • Page 89 To configure the Router Advertisement Daemon for the LAN: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 90 NETGEAR ProSAFE VPN Firewall FVS318G v2 Enter the settings as described in the following table: Table 16. RADVD screen settings for the LAN Setting Description RADVD Status Select the RADVD status: • Enable. The RADVD is enabled, and the RADVD fields become available for you to configure.
  • Page 91 • For a global, local, or ISATAP address, you must specify the prefix, prefix length, and prefix lifetime. To add an advertisement prefix for the LAN: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 92 NETGEAR ProSAFE VPN Firewall FVS318G v2 Enter the settings as described in the following table: Table 17. Add Advertisement Prefix screen settings for the LAN Setting Description IPv6 Prefix Type Select the IPv6 prefix type: • 6to4. The prefix is for a 6to4 address. You must complete the SLA ID field and Prefix Lifetime field.
  • Page 93: Configure Ipv6 Multihome Lan Ip Addresses On The Default Vlan

    The Add Advertisement Prefix screen displays. Modify the settings as described in Table 17 on page 92. Click the Apply button. Your changes are saved. To delete one or more advertisement prefixes: Log in to the unit: a.
  • Page 94 NETGEAR ProSAFE VPN Firewall FVS318G v2 • WAN IP address. 2000::e246:9aff:fe1d:1a9c with a prefix length of 64 • DMZ IP address. 176::e246:9aff:fe1d:a1bc with a prefix length of 64 • Primary LAN IP address. FEC0::1 with a prefix length of 10 •...
  • Page 95 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 96: Enable And Configure The Dmz Port For Ipv4 And Ipv6 Traffic

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic The demilitarized zone (DMZ) is a network that, by default, is configured with fewer firewall restrictions than the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or email server) and provide public access to them.
  • Page 97 NETGEAR ProSAFE VPN Firewall FVS318G v2 b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain).
  • Page 98 NETGEAR ProSAFE VPN Firewall FVS318G v2 Enter the settings as described in the following table: Table 18. DMZ Setup screen settings for IPv4 Setting Description DMZ Port Setup Do you want to Select one of the following radio buttons: enable DMZ Port? •...
  • Page 99 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 18. DMZ Setup screen settings for IPv4 (continued) Setting Description Enable DHCP Server Select the Enable DHCP Server radio button to enable the VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.
  • Page 100: Dmz Port For Ipv6 Traffic

    O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero).
  • Page 101 NETGEAR ProSAFE VPN Firewall FVS318G v2 For stateless DHCPv6, you must configure the RADVD and advertisement prefixes. For more information, see Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the DMZ on page 106. • Stateful DHCPv6 server. The IPv6 clients in the DMZ obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server.
  • Page 102 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the upper right of the screen, select the IPv6 radio button. Enter the settings as described in the following table: Table 19. DMZ Setup screen settings for IPv6 Setting Description DMZ Port Setup...
  • Page 103 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 19. DMZ Setup screen settings for IPv6 (continued) Setting Description DHCPv6 for DMZ Connected Computers DHCP Status Specify the status of the DHCPv6 server: • Disable DHCPv6 Server. This is the default setting, and the DHCPv6 fields are masked out.
  • Page 104 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 19. DMZ Setup screen settings for IPv6 (continued) Setting Description DHCP Status DNS Server Select one of the DNS server options from the lists: (continued) • Use DNS Proxy. The VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS...
  • Page 105 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Network Configuration > DMZ Setup. The DMZ Setup screen displays. In the upper right of the screen, select the IPv6 radio button. Under the List of IPv6 Address Pools table, click the Add button.
  • Page 106: Configure The Ipv6 Router Advertisement Daemon And Advertisement Prefixes For The Dmz

    NETGEAR ProSAFE VPN Firewall FVS318G v2 To delete one or more IPv6 DMZ address pools: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 107 NETGEAR ProSAFE VPN Firewall FVS318G v2 The following table provides an overview of how information is obtained in the DMZ when you configure a stateless DHCPv6 server and the RADVD: Table 21. DHCPv6 and RADVD interaction in the DMZ Flags in the RADVD...
  • Page 108 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 22. RADVD screen settings for the DMZ Setting Description RADVD Status Select the RADVD status: • Enable. The RADVD is enabled, and the RADVD fields become available. • Disable. The RADVD is disabled, and the RADVD fields are masked out. This is the default setting.
  • Page 109 NETGEAR ProSAFE VPN Firewall FVS318G v2 To add an advertisement prefix for the DMZ: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 110 NETGEAR ProSAFE VPN Firewall FVS318G v2 To edit an advertisement prefix: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 111: Manage Static Ipv4 Routing

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Select the IPv6 radio button. The DMZ Setup screen displays the IPv6 settings. Click the RADVD option arrow. Select the check box to the left of each advertisement prefix that you want to delete or click the Select All table button to select all advertisement prefixes.
  • Page 112 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Network Configuration > Routing. Click the Add table button. Enter the settings as described in the following table: Table 24. Add Static Route screen settings for IPv4 Setting Description Route Name The route name for the static route (for purposes of identification and management).
  • Page 113 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 24. Add Static Route screen settings for IPv4 (continued) Setting Description Gateway IP Address The gateway IP address through which the destination host or network can be reached. Metric The priority of the route. Select a value between 2 and 15. If multiple routes to the same destination exist, the route with the lowest metric is used.
  • Page 114: Configure The Routing Information Protocol

    NETGEAR ProSAFE VPN Firewall FVS318G v2 c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Network Configuration > Routing. The Static Routing screen displays.
  • Page 115 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the RIP Configuration option arrow. Enter the settings as described in the following table: Table 25. RIP Configuration screen settings Setting Description RIP Direction Select the direction in which the VPN firewall sends and receives RIP packets: •...
  • Page 116: Ipv4 Static Route Example

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 25. RIP Configuration screen settings (continued) Setting Description Authentication for RIP-2B/2M Authentication for RIP-2B/2M required? Authentication for RIP-2B or RIP-2M is disabled by default, that is, the No radio button is selected. To enable authentication for RIP-2B or RIP-2M, select the Yes radio button, and enter the settings for the following fields.
  • Page 117: Manage Static Ipv6 Routing

    RIP is activated. Manage Static IPv6 Routing NETGEAR’s implementation of IPv6 does not support RIP next generation (RIPng) to exchange routing information, and dynamic changes to IPv6 routes are not possible. To enable routers to exchange information over a static IPv6 route, you must manually configure the static route information on each router.
  • Page 118 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the upper right of the screen, select the IPv6 radio button. Click the Add table button. Enter the settings as described in the following table. Table 26. Add IPv6 Static Routing screen settings...
  • Page 119 NETGEAR ProSAFE VPN Firewall FVS318G v2 To edit an IPv6 static route: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 120: Configure Quality Of Service

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Select the check box to the left of each route that you want to delete or click the Select All table button to select all routes. Click the Delete table button. The information is deleted.
  • Page 121 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Network Configuration > QoS. To enable QoS, under Do you want to enable QoS, select the Yes radio button. To select the QoS type, next to QoS Type, select either the Rate Control or the Priority radio button.
  • Page 122 NETGEAR ProSAFE VPN Firewall FVS318G v2 Under the List of QoS Profiles table, click the Add button. Enter the settings as described in the following table. Table 27. QoS profile configuration settings Setting Description QoS Type Select either Rate Control or Priority.
  • Page 123 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 27. QoS profile configuration settings (continued) Setting Description Group Computers that are part of the group defined in the network database are affected by the rule. Start Enter the starting address for a single address or a range of IP addresses.
  • Page 124 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select the QoS profile that you want to modify and click the Edit button. Modify the settings as described in Table 27 on page 122. Click the Apply button. Your changes are saved. To delete a QoS profile:...
  • Page 125: Chapter 4 Firewall Protection

    Firewall Protection This chapter describes how to use the firewall features of the VPN firewall to protect your network. The chapter contains the following sections: About Firewall Protection • Overview of Rules to Block or Allow Specific Kinds of Traffic •...
  • Page 126: About Firewall Protection

    NETGEAR ProSAFE VPN Firewall FVS318G v2 About Firewall Protection A firewall protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two. You can further segment keyword blocking to certain known groups. For information about how to...
  • Page 127: Overview Of Rules To Block Or Allow Specific Kinds Of Traffic

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Overview of Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 800 firewall rules on the VPN firewall (see the following table).
  • Page 128: Outbound Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Inbound Rules • Order of Precedence for Rules • Outbound Rules The VPN firewall allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filtering.
  • Page 129 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 29. Outbound rules overview (continued) Setting Description Outbound Rules WAN Users (LAN WAN rules, DMZ WAN rules) Select which Internet locations are covered by the rule, based on their IP address: • Any. All Internet IP addresses are covered by this rule.
  • Page 130: Inbound Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 29. Outbound rules overview (continued) Setting Description Outbound Rules Select whether packets covered by this rule are logged: All rules • Always. Always log traffic that matches this rule. This is useful when you are debugging your rules.
  • Page 131 NETGEAR ProSAFE VPN Firewall FVS318G v2 Whether or not DHCP is enabled, how the computer accesses the server’s LAN address impacts the inbound rules, for example: • If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address might change periodically as the DHCP lease expires.
  • Page 132 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 30. Inbound rules overview (continued) Setting Description Inbound Rules Select Schedule The time schedule (that is, Schedule1, Schedule2, or Schedule3) that is used by this rule. All rules when BLOCK by schedule, otherwise allow or •...
  • Page 133 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 30. Inbound rules overview (continued) Setting Description Inbound Rules WAN Users (LAN WAN rules, DMZ WAN rules) Select which Internet locations are covered by the rule, based on their IP address: • Any. All Internet IP addresses are covered by this rule.
  • Page 134: Order Of Precedence For Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Order of Precedence for Rules As you define a new rule, it is added to a table in a Rules screen as the last item in the list, as shown in the following figure, which shows the LAN WAN Rules screen for IPv4 as an example: Figure 9.
  • Page 135 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 136 NETGEAR ProSAFE VPN Firewall FVS318G v2 To change the default outbound policy for IPv6 traffic or to change existing IPv6 rules: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 137: Create Lan Wan Outbound Service Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • Down. Moves the rule down one position in the table rank. • Edit. Allows you to change the definition of an existing rule. Depending on your selection, one of the following screens displays:...
  • Page 138 NETGEAR ProSAFE VPN Firewall FVS318G v2 LAN address and any external WAN IP address according to the schedule created on the Schedule screen. WARNING: Make sure that you understand the consequences of a LAN WAN outbound rule before you apply the rule. Incorrect configuration might cause serious connection problems.
  • Page 139 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Add table button under the Outbound Services table. Enter the settings as described in Table 29 on page 128. In addition to selections from the Service, Action, and Log lists, you must make selections from the following lists: •...
  • Page 140 NETGEAR ProSAFE VPN Firewall FVS318G v2 The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password.
  • Page 141: Create Lan Wan Inbound Service Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Apply button. Your changes are saved. Create LAN WAN Inbound Service Rules The Inbound Services table lists all existing rules for inbound traffic. If you did not define any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked.
  • Page 142 NETGEAR ProSAFE VPN Firewall FVS318G v2 Under the Inbound Services table, click the Add table button. Enter the settings as described in Table 30 on page 131. In addition to selections from the Service, Action, and Log lists, you must make selections from the following lists: •...
  • Page 143 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Apply button. Your changes are saved. IPv6 LAN WAN Inbound Rules To create an IPv6 LAN WAN inbound rule: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 144: Configure Dmz Wan Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • LAN Users • WAN Users Unless your selection from the Action list is BLOCK always, you also must make a selection from the Select Schedule list. Click the Apply button. Your changes are saved.
  • Page 145 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > Firewall > DMZ WAN Rules. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: •...
  • Page 146 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > Firewall > DMZ WAN Rules. The Firewall submenu tabs display with the DMZ WAN Rules screen for IPv4 in view. In the upper right of the screen, select the IPv6 radio button.
  • Page 147: Create Dmz Wan Outbound Service Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Security > Firewall > DMZ WAN Rules. The Firewall submenu tabs display with the DMZ WAN Rules screen for IPv4 in view.
  • Page 148 NETGEAR ProSAFE VPN Firewall FVS318G v2 The DMZ WAN Rules screen displays. The IPv4 radio button is selected by default. The screen displays the IPv4 settings. Click the Add table button under the Outbound Services table. Enter the settings as described in Table 29 on page 128.
  • Page 149 NETGEAR ProSAFE VPN Firewall FVS318G v2 IPv6 DMZ WAN Outbound Service Rules To create an IPv6 DMZ WAN outbound rule: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 150: Create Dmz Wan Inbound Service Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • WAN Users Unless your selection from the Action list is BLOCK always, you also must make selections from the following lists: • Select Schedule • QoS Priority Click the Apply button. Your changes are saved.
  • Page 151 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Add table button under the Inbound Services table. Enter the settings as described in Table 30 on page 131. In addition to selections from the Service, Action, and Log lists, you must make selections from the following lists: •...
  • Page 152 NETGEAR ProSAFE VPN Firewall FVS318G v2 IPv6 DMZ WAN Inbound Service Rules To create an IPv6 DMZ WAN inbound rule: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 153: Configure Lan Dmz Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • WAN Users Unless your selection from the Action list is BLOCK always, you also must make selections from the Select Schedule list. Click the Apply button. Your changes are saved. Configure LAN DMZ Rules The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ.
  • Page 154 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > Firewall > LAN DMZ Rules. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: •...
  • Page 155 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the upper right of the screen, select the IPv6 radio button. To change an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: •...
  • Page 156: Create Lan Dmz Outbound Service Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 To view the DMZ WAN Rules screen for IPv6 rules, in the upper right of the screen, select the IPv6 radio button. Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules.
  • Page 157 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Add table button under the Outbound Services table. Enter the settings as described in Table 29 on page 128. In addition to selections from the Service, Action, and Log lists, you must make selections from the following lists: •...
  • Page 158: Create Lan Dmz Inbound Service Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Security > Firewall > LAN DMZ Rules. The LAN DMZ Rules screen displays.
  • Page 159 NETGEAR ProSAFE VPN Firewall FVS318G v2 IPv4 LAN DMZ Inbound Service Rules To create an IPv4 LAN DMZ inbound rule: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 160 NETGEAR ProSAFE VPN Firewall FVS318G v2 Unless your selection from the Action list is BLOCK always, you also must make a selection from the Select Schedule list. Click the Apply button. Your changes are saved. IPv6 LAN DMZ Inbound Service Rules To create an IPv6 LAN DMZ inbound rule:...
  • Page 161: Examples Of Firewall Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In addition to selections from the Service, Action, and Log lists, you must make selections from the following lists: • LAN Users • DMZ Users Unless your selection from the Action list is BLOCK always, you also must make a selection from the Select Schedule list.
  • Page 162 NETGEAR ProSAFE VPN Firewall FVS318G v2 IPv4 LAN WAN Inbound Rule: Host a Local Public Web Server If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.
  • Page 163 NETGEAR ProSAFE VPN Firewall FVS318G v2 following figure). In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses. Figure 11. Example of inbound firewall rule IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT...
  • Page 164 NETGEAR ProSAFE VPN Firewall FVS318G v2 Access to the web server is through the (simulated) public IP address 10.1.0.52. Tip: If you arrange with your ISP to use more than one public IP address, you can use the additional public IP addresses to map to servers on your LAN or DMZ.
  • Page 165 NETGEAR ProSAFE VPN Firewall FVS318G v2 Under the Inbound Services table, click the Add table button. From the Service list, select HTTP for a web server. From the Action list, select ALLOW always. In the Send to LAN Server field, enter the local IP address of your web server computer.
  • Page 166 NETGEAR ProSAFE VPN Firewall FVS318G v2 WARNING: Do not set up an exposed host from a remote connection because you will likely lock yourself out from the VPN firewall. To expose one of the computers on your LAN or DMZ as this host:...
  • Page 167: Examples Of Outbound Firewall Rules

    NETGEAR ProSAFE VPN Firewall FVS318G v2 WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
  • Page 168 NETGEAR ProSAFE VPN Firewall FVS318G v2 You can also enable the VPN firewall to log any attempt to use Instant Messenger during the blocked period. See the example in the following figure. Figure 14. Example of outbound firewall rule IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP...
  • Page 169: Configure Other Firewall Features

    NETGEAR ProSAFE VPN Firewall FVS318G v2 You can also configure the QoS profile to maximize the throughput. See the example in the following figure. Figure 15. Example of outbound firewall rule Configure Other Firewall Features You can configure attack checks, set session limits, and manage the application-level gateway (ALG) for SIP sessions.
  • Page 170 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 171 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 31. Attack Checks screen settings for IPv4 (continued) Setting Description LAN Security Checks Block UDP flood Select the Block UDP flood check box to prevent the VPN firewall from accepting more than a specified number of simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN.
  • Page 172 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 31. Attack Checks screen settings for IPv4 (continued) Setting Description Jumbo Frames Enable Jumbo Frame Jumbo frames allow multiple smaller packets to be combined into a single larger packet, reducing network overhead and increasing data transfer performance.
  • Page 173: Set Limits For Ipv4 Sessions

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • Respond to Ping on Internet Ports. Select this check box to enable the VPN firewall to respond to a ping from the Internet to its IPv6 address. A ping can be used as a diagnostic tool.
  • Page 174 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > Firewall > Session Limit. Select the Yes radio button under Do you want to enable Session Limit? Enter the settings as described in the following table: Table 32. Session Limit screen settings...
  • Page 175: Manage The Application Level Gateway For Sip Sessions

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 32. Session Limit screen settings (continued) Setting Description Session Timeout TCP Timeout For each protocol, specify a time-out in seconds. A session expires if no data for the session is received during the time-out period. The default time-out periods are...
  • Page 176: Services, Bandwidth Profiles, And Qos Profiles

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Your changes are saved. Services, Bandwidth Profiles, and QoS Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: •...
  • Page 177 NETGEAR ProSAFE VPN Firewall FVS318G v2 to the list for use in defining firewall rules. The Services screen shows a list of services that you defined. To define a new service, you must determine first which port number or range of numbers is used by the application.
  • Page 178 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the Add Customer Service section, enter the settings as described in the following table: Table 33. Services screen settings Setting Description Name A descriptive name of the service for identification and management purposes.
  • Page 179 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the Custom Services table to the right of the service that you want to edit, click the Edit table button. Modify the settings that you wish to change (see Table 33 on page 178).
  • Page 180: Create Bandwidth Profiles

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Create Bandwidth Profiles Bandwidth profiles determine how data is communicated with the hosts. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN link.
  • Page 181 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > Bandwidth Profiles. Under the List of Bandwidth Profiles table, click the Add table button. Enter the settings as described in the following table: Table 34. Add Bandwidth Profile screen settings Setting...
  • Page 182 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 34. Add Bandwidth Profile screen settings (continued) Setting Description Inbound Minimum Bandwidth The inbound minimum allocated bandwidth in Kbps. No default setting is specified. Inbound Maximum Bandwidth The inbound maximum allowed bandwidth in Kbps. The maximum allowable bandwidth is 100,000 Kbps, and you cannot configure less than 100 Kbps.
  • Page 183: Preconfigured Quality Of Service Profiles

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In the List of Bandwidth Profiles table to the right of the bandwidth profile that you want to edit, click the Edit table button. The Edit Bandwidth Profile screen displays. Modify the settings that you wish to change.
  • Page 184: Configure Service Groups

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • Add DMZ WAN Outbound Services screen for IPv6 • Services screen These are the default QoS profiles that are preconfigured and that cannot be edited: • Normal-Service. Used when no special priority is given to the traffic. IP packets are marked with a ToS value of 0.
  • Page 185 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > Service Groups. The following table lists all the custom service groups and their settings. Table 35. Custom service group settings Setting Description A numerical ID that the router assigns to a service group. The router contains a list of predefined services and custom services that can be viewed on the Firewall Rules screens (select Network Security >...
  • Page 186 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 36. The settings to add a custom service group (continued) Setting Description >> Click this button to move the selected services from the Available Services list to the List of Selected Services list.
  • Page 187: Configure Ip Groups

    NETGEAR ProSAFE VPN Firewall FVS318G v2 b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain).
  • Page 188 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > IP Groups. The following table lists all the custom IP groups and their settings. Table 37. Custom IP group settings Setting Description A numerical ID assigned to a custom IP group (by the router). The router contains a list of predefined IP groups which can be viewed from the Firewall Rules screen, which you access from the Security menu.
  • Page 189: Configure Content Filtering

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In the Custom IP Groups table to the right of the service that you want to edit, click the Edit table button. Modify the settings that you wish to change (see Table 37 on page 188).
  • Page 190 NETGEAR ProSAFE VPN Firewall FVS318G v2 Several types of blocking are available: • Web component blocking. Even sites that are listed in the Trusted Domains table are subject to web component blocking when the blocking of a particular web component is enabled.
  • Page 191 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 192 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > Content Filtering. In the Content Filtering section, select the Yes radio button. In the Web Components section, select the components that you want to block. Firewall Protection...
  • Page 193 NETGEAR ProSAFE VPN Firewall FVS318G v2 By default, none of these components are blocked, that is, none of these check boxes are selected: • Proxy. Blocks proxy servers. • Java. Blocks Java applets from being downloaded. • ActiveX. Blocks ActiveX applets from being downloaded.
  • Page 194 NETGEAR ProSAFE VPN Firewall FVS318G v2 b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain).
  • Page 195: Set A Schedule To Block Or Allow Specific Traffic

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Apply button. Your changes are saved. Set a Schedule to Block or Allow Specific Traffic Schedules define the time frames under which firewall rules can be applied. You can define three schedules, Schedule 1, Schedule 2, and Schedule 3, and you can select any one of these when defining firewall rules.
  • Page 196: Enable Source Mac Filtering

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Security > Services > Schedule 1. In the Scheduled Days section, select one of the following radio buttons: • All Days. The schedule is in effect all days of the week. • Specific Days. The schedule is in effect only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect.
  • Page 197 NETGEAR ProSAFE VPN Firewall FVS318G v2 By default, the source MAC address filter is disabled. All the traffic received from computers with any MAC address is allowed. When the source MAC address filter is enabled, depending on the selected policy, traffic is either permitted or blocked if it comes from any computers or devices whose MAC addresses are listed in MAC Addresses table.
  • Page 198 NETGEAR ProSAFE VPN Firewall FVS318G v2 • Permit and Block the rest. Traffic coming from all addresses in the MAC Addresses table is permitted. Traffic from all other MAC addresses is blocked. Click the Apply button. Your changes are saved.
  • Page 199: Set Up Ip/Mac Bindings

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Set Up IP/MAC Bindings IP/MAC binding allows you to bind an IPv4 or IPv6 address to a MAC address and the other way around. Some computers or devices are configured with static addresses. To prevent users from changing their static IP addresses, the IP/MAC binding feature must be enabled on the VPN firewall.
  • Page 200 NETGEAR ProSAFE VPN Firewall FVS318G v2 c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Security > Address Filter > IP/MAC Binding.
  • Page 201 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 38. IP/MAC Binding screen settings for IPv4 (continued) Setting Description IP Address The IPv4 address of the computer or device that is bound to the MAC address. Log Dropped To log the dropped packets, select Enable from the list. The default setting is Disable.
  • Page 202 NETGEAR ProSAFE VPN Firewall FVS318G v2 Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain). c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out.
  • Page 203 NETGEAR ProSAFE VPN Firewall FVS318G v2 Enter new poll interval in seconds. Click the Set Interval button. Wait for the confirmation that the operation succeeded before you close the window. IPv6/MAC Bindings To set up a binding between a MAC address and an IPv6 address: ...
  • Page 204 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the Email IP/MAC Violations section, specify if you want to enable email logs for IP/MAC binding violations. You must do this only once. Select one of the following radio buttons: • Yes. IP/MAC binding violations are emailed. Click the Firewall Logs & E-mail page link to ensure that emailing of logs is enabled on the Firewall Logs &...
  • Page 205 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the IP/MAC Bindings table to the right of the IP/MAC binding that you want to edit, click the Edit table button. The Edit IP/MAC Binding screen displays. Modify the settings that you wish to change.
  • Page 206: Configure Port Triggering

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Security > Address Filter > IP/MAC Binding. The IP/MAC Binding screen displays.
  • Page 207 NETGEAR ProSAFE VPN Firewall FVS318G v2 Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules and most likely would be blocked.
  • Page 208 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the Add Port Triggering Rule section, enter the settings as described in the following table: Table 40. Port Triggering screen settings Setting Description Name A descriptive name of the rule for identification and management purposes.
  • Page 209 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Apply button. Your changes are saved. To remove one or more port triggering rules from the table: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 210: Configure Universal Plug And Play

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In the upper right of the Port Triggering screen, click the Status option arrow. Configure Universal Plug and Play The Universal Plug and Play (UPnP) feature enables the VPN firewall to automatically discover and configure devices when it searches the LAN and WAN. UPnP is supported for IPv4 devices only.
  • Page 211 NETGEAR ProSAFE VPN Firewall FVS318G v2 The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that accessed the VPN firewall and that were automatically detected by the VPN firewall: •...
  • Page 212: Chapter 5 Virtual Private Networking Using Ipsec And L2Tp Connections

    Virtual Private Networking Using IPSec and L2TP Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. The chapter contains the following sections: Use the IPSec VPN Wizard for Client and Gateway Configurations •...
  • Page 213: Use The Ipsec Vpn Wizard For Client And Gateway Configurations

    The settings that the VPN Wizard uses are based on the recommendations of the VPN Consortium (VPNC), an organization that promotes multivendor VPN interoperability. The following sections provide wizard and NETGEAR ProSafe VPN Client software configuration procedures: Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard •...
  • Page 214 NETGEAR ProSAFE VPN Firewall FVS318G v2 For DHCP WAN configurations, first set up the tunnel with IP addresses. After you validate the connection, you can use the wizard to create new policies using the FQDN for the WAN addresses. When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel fails because the FQDNs do not resolve to your new address.
  • Page 215 NETGEAR ProSAFE VPN Firewall FVS318G v2 To view the wizard default settings, in the upper right of the screen, click the VPN Wizard default values option arrow. Complete the settings as described in the following table: Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel...
  • Page 216 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel (continued) Setting Description Secure Connection Remote Accessibility What is the remote LAN IP Enter the LAN IPv4 address of the remote gateway. Address?
  • Page 217: Create An Ipv6 Gateway-To-Gateway Vpn Tunnel With The Wizard

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard Figure 17. Example of VPN tunnel To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keep-alives, which periodically send ping packets to the host on the peer side of the network to keep the tunnel alive.
  • Page 218 NETGEAR ProSAFE VPN Firewall FVS318G v2 To view the wizard default settings, in the upper right of the screen, click the VPN Wizard default values option arrow. Complete the settings as described in the following table: Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel...
  • Page 219 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel (continued) Setting Description Secure Connection Remote Accessibility What is the remote LAN IP Enter the LAN IPv6 address of the remote gateway. Address?
  • Page 220: Create An Ipv4 Client-To-Gateway Vpn Tunnel With The Wizard

    To configure a VPN client tunnel, follow the steps in the following sections: Use the VPN Wizard to Configure the Gateway for a Client Tunnel • Use the NETGEAR VPN Client Wizard to Create a Secure Connection • Manually Create a Secure Connection Using the NETGEAR VPN Client •...
  • Page 221 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select VPN > IPSec VPN > VPN Wizard. To display the wizard default settings, in the upper right of the screen, click the VPN Wizard default values option arrow. A pop-up screen displays, showing the wizard default values. After you complete the wizard, you can modify these settings for the tunnel policy that you set up.
  • Page 222 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 43. IPSec VPN Wizard settings for a client-to-gateway tunnel (continued) Setting Description End Point Information What is the Remote When you select the Client radio button in the About VPN Wizard section, Identifier Information? the default remote FQDN (remote.com) is automatically entered.
  • Page 223 Router’s LAN network IPv4 address 192.168.1.0 Router’s WAN IPv4 address 192.168.15.175 Use the NETGEAR VPN Client Wizard to Create a Secure Connection You can set up the VPN client in two different ways: • Configuration Wizard. The Configuration Wizard configures the default settings and provides basic interoperability so that the VPN client can easily communicate with the VPN firewall (or third-party VPN devices).
  • Page 224 NETGEAR ProSAFE VPN Firewall FVS318G v2 To use the Configuration Wizard to set up a VPN connection between the VPN client and the VPN firewall: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel.
  • Page 225 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select the A router or a VPN gateway radio button, and click the Next button. Specify the following VPN tunnel parameters: • IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the VPN firewall.
  • Page 226 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
  • Page 227 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 45. VPN client advanced authentication settings (continued) Setting Description Local and Remote ID Local ID As the type of ID, select DNS from the list because you specified FQDN in the VPN firewall configuration.
  • Page 228 The VPN client configuration is now complete. Manually Create a Secure Connection Using the NETGEAR VPN Client Perform these tasks from a computer on which the NETGEAR ProSafe VPN Client is installed. To manually configure a VPN connection between the VPN client and the VPN firewall, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and specify the global parameters.
  • Page 229 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name.
  • Page 230 NETGEAR ProSAFE VPN Firewall FVS318G v2 Specify the settings that are described in the following table. Table 46. VPN client authentication settings Setting Description Interface Select Any from the list. Remote Gateway Enter the remote IP address or DNS name of the VPN firewall. For example, enter 192.168.15.175.
  • Page 231 NETGEAR ProSAFE VPN Firewall FVS318G v2 Specify the settings that are described in the following table. Table 47. VPN client advanced authentication settings Setting Description Advanced features Aggressive Mode Select this check box to enable aggressive mode as the mode of negotiation with the VPN firewall.
  • Page 232 NETGEAR ProSAFE VPN Firewall FVS318G v2 This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. This name must be a unique name.
  • Page 233 NETGEAR ProSAFE VPN Firewall FVS318G v2 To use the new settings immediately, click the Apply button. To keep the settings for future use, click the Save button. Configure the Global Parameters To specify the global parameters: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel.
  • Page 234: Test The Connection And View Connection And Status Information

    Test the Connection and View Connection and Status Information Both the NETGEAR ProSafe VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 235: Netgear Vpn Client Status And Log Information

    Figure 20. VPN client icon in system tray NETGEAR VPN Client Status and Log Information To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console.
  • Page 236: View The Vpn Firewall Ipsec Vpn Connection Status

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The VPN Client Console Active screen displays. View the VPN Firewall IPSec VPN Connection Status To view the status of current IPSec VPN tunnels: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 237: View The Vpn Firewall Ipsec Vpn Log

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Select VPN > Connection Status. The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. Table 49. IPSec VPN Connection Status screen information Item Description Policy Name The name of the VPN policy that is associated with this SA.
  • Page 238: Manage Ipsec Vpn Policies

    NETGEAR ProSAFE VPN Firewall FVS318G v2 c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Monitoring > VPN Logs > IPSec VPN Logs.
  • Page 239 NETGEAR ProSAFE VPN Firewall FVS318G v2 The IKE policy that is specified in the Auto Policy Parameters section of the Add VPN Policy screen for the VPN policy is used to start negotiations with the remote VPN gateway. An IKE session is established, using the security association (SA) settings that are specified in a matching IKE policy, and the following happens: •...
  • Page 240 NETGEAR ProSAFE VPN Firewall FVS318G v2 Each policy contains the data that is described in the following table. These fields are described in more detail in Table 51 on page 243. Table 50. IKE Policies screen information for IPv4 and IPv6...
  • Page 241 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Delete table button. Manually Add or Edit an IKE Policy To manually add an IKE policy for IPv4 or IPv6: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 242 NETGEAR ProSAFE VPN Firewall FVS318G v2 • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step • IPv6. Select the IPv6 radio button...
  • Page 243 NETGEAR ProSAFE VPN Firewall FVS318G v2 Complete the settings as described in the following table: Table 51. Add IKE Policy screen settings Setting Description Mode Config Record Do you want to use Specify whether the IKE policy uses a Mode Config record. For information about...
  • Page 244 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 51. Add IKE Policy screen settings (continued) Setting Description Local Identifier Type From the list, select one of the following ISAKMP identifiers to be used by the VPN firewall, and specify the identifier in the Identifier field: •...
  • Page 245 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 51. Add IKE Policy screen settings (continued) Setting Description Authentication Method Select the authentication method: • Pre-shared key. A secret that is shared between the VPN firewall and the remote endpoint. • RSA-Signature. Uses the active self-signed certificate that you uploaded on...
  • Page 246 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 51. Add IKE Policy screen settings (continued) Setting Description Extended Authentication XAUTH Configuration Select whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: •...
  • Page 247: Manage Vpn Policies

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view.
  • Page 248 NETGEAR ProSAFE VPN Firewall FVS318G v2 VPN Policies You can add additional policies—either Auto or Manual—and manage the VPN policies that were already created. You can edit policies, enable or disable policies, or delete them entirely. These are the rules for VPN policy use: •...
  • Page 249 NETGEAR ProSAFE VPN Firewall FVS318G v2 Each policy contains the data that are described in the following table. These fields are described in more detail in Table 53 on page 252. Table 52. VPN Policies screen information for IPv4 and IPv6...
  • Page 250 NETGEAR ProSAFE VPN Firewall FVS318G v2 To enable or disable one or more VPN policies: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 251 NETGEAR ProSAFE VPN Firewall FVS318G v2 • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step...
  • Page 252 NETGEAR ProSAFE VPN Firewall FVS318G v2 • IPv6. Select the IPv6 radio button. Complete the settings as described in the following table. The only differences between IPv4 and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6). Table 53. Add New VPN Policy screen settings for IPv4 and IPv6...
  • Page 253 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Policy Type From the list, select the policy type: • Auto Policy. Some settings (the ones in the Manual Policy Parameters section) for the VPN tunnel are generated automatically.
  • Page 254 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Traffic Selection Local IP From the list, select the address or addresses that are part of the VPN tunnel on the VPN firewall: •...
  • Page 255 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Key-Out The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: •...
  • Page 256 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Integrity Algorithm From the list, select the algorithm to be used in the VPN header for the authentication process: •...
  • Page 257: Configure Extended Authentication (Xauth)

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The Edit VPN Policy screen displays. This screen shows the same fields as the Add New VPN Policy screen. Modify the settings that you wish to change (see Table 53 on page 252). Click the Apply button.
  • Page 258 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 259: User Database Configuration

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 54. Extended authentication settings for IPv4 and IPv6 (continued) Setting Description Username The user name for XAUTH. Password The password for XAUTH. Click the Apply button. Your changes are saved. User Database Configuration When XAUTH is enabled in an Edge Device configuration, users must be authenticated either by a local user database account or by an external RADIUS server.
  • Page 260 NETGEAR ProSAFE VPN Firewall FVS318G v2 Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain). c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out.
  • Page 261: Assign Ipv4 Addresses To Remote Users

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 55. RADIUS Client screen settings (continued) Setting Description To enable and configure the backup RADIUS server, select the Yes radio button, and enter the settings for the three fields to the right. The default setting is that the No radio button is selected.
  • Page 262: Configure Mode Config Operation On The Vpn Firewall

    NETGEAR ProSAFE VPN Firewall FVS318G v2 subnet mask, WINS server, and DNS address from the VPN firewall. The Mode Config feature allocates an IP address from the configured IP address pool and activates a temporary IPSec policy, using the information that is specified in the Traffic Tunnel Security Level section of the Mode Config record.
  • Page 263 NETGEAR ProSAFE VPN Firewall FVS318G v2 Under the List of Mode Config Records table, click the Add table button. Complete the settings as described in the following table. Table 56. Add Mode Config Record screen settings Setting Description Client Pool...
  • Page 264 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 56. Add Mode Config Record screen settings (continued) Setting Description Traffic Tunnel Security Level Note: Generally, the default settings work well for a Mode Config configuration. PFS Key Group Select this check box to enable Perfect Forward Secrecy (PFS), and select a Diffie-Hellman (DH) group from the list.
  • Page 265 NETGEAR ProSAFE VPN Firewall FVS318G v2 Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen displays the IPv4 settings. Specify the IP version for which you want to add an IKE policy: •...
  • Page 266 NETGEAR ProSAFE VPN Firewall FVS318G v2 The IKE policy settings that are described in the following table are specifically for a Mode Config configuration. Table 51 on page 243 explains the general IKE policy settings. Table 57. Add IKE Policy screen settings for a Mode Config configuration...
  • Page 267 The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default setting is 28800 seconds (eight hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (one hour).
  • Page 268: Configure The Prosafe Vpn Client For Mode Config Operation

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 57. Add IKE Policy screen settings for a Mode Config configuration (continued) Setting Description Extended Authentication XAUTH Configuration Select whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: •...
  • Page 269 NETGEAR ProSAFE VPN Firewall FVS318G v2 Perform these tasks from a computer on which the NETGEAR ProSafe VPN Client is installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and specify the global parameters.
  • Page 270 NETGEAR ProSAFE VPN Firewall FVS318G v2 d. Click anywhere in the tree list pane. This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name must be a unique name.
  • Page 271 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Advanced tab in the Authentication pane. Specify the settings that are described in the following table. Table 59. VPN client advanced authentication settings (Mode Config) Setting Description Advanced features Mode Config Select this check box to enable Mode Config.
  • Page 272 NETGEAR ProSAFE VPN Firewall FVS318G v2 Create the Mode Config IPSec Configuration (Phase 2 Settings) On the VPN firewall, the IPSec configuration (phase 2 settings) is referred to as the IKE settings. To create an IPSec configuration: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel.
  • Page 273 NETGEAR ProSAFE VPN Firewall FVS318G v2 Specify the settings that are described in the following table. Table 60. VPN client IPSec configuration settings (Mode Config) Setting Description VPN Client This field is masked out because Mode Config is selected. After an IPSec connection is address established, the IP address that is issued by the VPN firewall displays in this field.
  • Page 274: Test The Mode Config Connection

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In the left column of the Configuration Panel screen, click Global Parameters. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall: • Authentication (IKE), Default. Enter 3600 seconds.
  • Page 275: Modify Or Delete A Mode Config Record

    NETGEAR ProSAFE VPN Firewall FVS318G v2 When the tunnel opens successfully, the Tunnel opened message displays above the system tray, and the VPN client displays a green icon in the system tray. Verify that the VPN firewall issued an IP address to the VPN client.
  • Page 276: Configure Keep-Alives And Dead Peer Detection

    NETGEAR ProSAFE VPN Firewall FVS318G v2 b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain).
  • Page 277: Configure Keep-Alives

    NETGEAR ProSAFE VPN Firewall FVS318G v2 establishment time. If you require a VPN tunnel to remain connected, you can use the keep-alive and Dead Peer Detection (DPD) features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconnects for any reason.
  • Page 278: Configure Dead Peer Detection

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In the List of VPN Policies table, to the right of the VPN policy that you want to edit, click the Edit table button. Enter the settings as described in the following table: Table 61. Keep-alive settings...
  • Page 279 NETGEAR ProSAFE VPN Firewall FVS318G v2 To configure DPD on a configured IKE policy: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 280: Configure Netbios Bridging With Ipsec Vpn

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In the IKE SA Parameters section, locate the DPD fields, and complete the settings as described in the following table. Table 62. Dead Peer Detection settings Setting Description IKE SA Parameters Enable Dead Peer Select the Yes radio button to enable DPD. When the VPN firewall detects an...
  • Page 281: Configure The L2Tp Server

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The VPN Policies screen displays. Specify the IP version for which you want to edit a VPN policy: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default.
  • Page 282 NETGEAR ProSAFE VPN Firewall FVS318G v2 with geardomain.) For information about how to create L2TP user accounts, see Configure User Accounts on page 295. To enable the L2TP server and configure the L2TP server pool: Log in to the unit: a.
  • Page 283: View The Active L2Tp Users

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 63. L2TP Server screen settings (continued) Setting Description Authentication Select one or more of the following authentication methods to authenticate L2TP users: • PAP. RADIUS-Password Authentication Protocol (PAP). • CHAP. RADIUS-Challenge Handshake Authentication Protocol (CHAP).
  • Page 284 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 64. L2TP Active Users screen information (continued) Item Description L2TP IP The IP address that is assigned by the L2TP server on the VPN firewall. Action Click the Disconnect table button to terminate the L2TP connection.
  • Page 285: Chapter 6 Manage Users, Authentication, And Vpn Certificates

    Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN. The chapter contains the following sections: The VPN Firewall’s Authentication Process and Options • Configure Authentication Domains, Groups, and Users •...
  • Page 286: The Vpn Firewall's Authentication Process And Options

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The VPN Firewall’s Authentication Process and Options Users are assigned to a group, and a group is assigned to a domain. Therefore, you must first create any domains, then groups, and then user accounts.
  • Page 287: Configure Authentication Domains, Groups, And Users

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 65. External authentication protocols and methods (continued) Authentication Description Protocol or Method Active Directory A network-validated domain-based authentication method that functions with a Microsoft Active Directory authentication server. Microsoft Active Directory authentication servers support a group and user structure.
  • Page 288 NETGEAR ProSAFE VPN Firewall FVS318G v2 The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Users > Domains. The List of Domains table displays the following fields: •...
  • Page 289 NETGEAR ProSAFE VPN Firewall FVS318G v2 Complete the settings as described in the following table: Table 66. Add Domain screen settings Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Authentication Type From the list, select the authentication method that the VPN firewall applies: •...
  • Page 290 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 66. Add Domain screen settings (continued) Setting Description Authentication Type • WIKID-PAP. WiKID Systems PAP. Complete the following fields: (continued) Authentication Server Authentication Secret Note: If you select • WIKID-CHAP. WiKID Systems CHAP. Complete the following fields:...
  • Page 291 NETGEAR ProSAFE VPN Firewall FVS318G v2 If you use local authentication, make sure that it is not disabled: in the Local Authentication section of the Domain screen, select the No radio button. A combination of local and external authentication is supported.
  • Page 292: Configure Groups

    NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 293 NETGEAR ProSAFE VPN Firewall FVS318G v2 Create Groups When you create a domain on the Domains screen, a group with the same name as the new domain is created automatically. You cannot delete such a group on the Groups screen.
  • Page 294 NETGEAR ProSAFE VPN Firewall FVS318G v2 Under the List of Groups table, click the Add table button. Complete the settings as described in the following table: Table 67. Add Group screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management purposes.
  • Page 295: Configure User Accounts

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The Groups screen displays. In the List of Groups table, select the check box to the left of each group that you want to delete or click the Select All table button to select all groups.
  • Page 296 Guest user. A user who can only view the VPN firewall configuration (that is, read-only access). • IPSec VPN user. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 257). •...
  • Page 297 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Users > Users. The List of Users table displays the users and displays the following fields: • Check box. Allows you to select the user in the table. • Name. The name of the user. If the user name is appended by an asterisk, the user is a default user that is preconfigured on the VPN firewall and cannot be deleted.
  • Page 298 Guest User. A user who can only view the VPN firewall configuration (that is, read-only access). • IPSEC VPN User. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 257).
  • Page 299: Set User Login Policies

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Users > Users. The Users screen displays. In the List of Users table, select the check box to the left of each user account that you want to delete or click the Select All table button to select all accounts.
  • Page 300 NETGEAR ProSAFE VPN Firewall FVS318G v2 In the Action column of the List of Users table, for the user for which you want to set login policies, click the Policies table button. Make the following optional selections: • To prohibit the user from logging in to the VPN firewall, select the Disable Login check box.
  • Page 301 NETGEAR ProSAFE VPN Firewall FVS318G v2 The policies submenu tabs display, with the Login Policies screen in view. Click the By Source IP Address submenu tab. In the Defined Addresses Status section, select one of the following radio buttons: •...
  • Page 302 NETGEAR ProSAFE VPN Firewall FVS318G v2 To delete one or more IPv4 addresses: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 303 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the By Source IP Address submenu tab. In the upper right of the screen, select the IPv6 radio button. In the Defined Addresses Status section, select one of the following radio buttons: •...
  • Page 304 NETGEAR ProSAFE VPN Firewall FVS318G v2 To delete one or more IPv6 addresses: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 305 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the By Client Browser submenu tab. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table.
  • Page 306: Change Passwords And Other User Settings

    • The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password and that you configure a separate secure password for the guest account.
  • Page 307 NETGEAR ProSAFE VPN Firewall FVS318G v2 c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Users > Users. The Users screen displays.
  • Page 308: Manage Digital Certificates For Vpn Connections

    The VPN firewall contains a self-signed digital certificate from NETGEAR. This certificate can be downloaded from the VPN firewall login screen for browser import. However, NETGEAR...
  • Page 309: Vpn Certificates

    NETGEAR ProSAFE VPN Firewall FVS318G v2 recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA before you deploy the VPN firewall in your network. This section contains the following topics: VPN Certificates •...
  • Page 310 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 311: Manage Vpn Self-Signed Certificates

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Select VPN > Certificates. The Certificates screen displays. In the Upload Trusted Certificates section of the screen, navigate to the trusted digital certificate file that you downloaded on your computer and click the Browse button.
  • Page 312 NETGEAR ProSAFE VPN Firewall FVS318G v2 When a security alert is generated, the user can decide whether to trust the host. Generate a CSR and Obtain a Self-Signed Certificate from a CA To use a self-signed certificate, you first must request the digital certificate from a CA and download and activate the digital certificate on the VPN firewall.
  • Page 313 NETGEAR ProSAFE VPN Firewall FVS318G v2 The Certificates screen displays. Scroll down. In the Generate Self Certificate Request section of the screen, enter the settings as described in the following table: Table 72. Generate self-signed certificate request settings Setting Description Name A descriptive name of the domain for identification and management purposes.
  • Page 314 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 72. Generate self-signed certificate request settings (continued) Setting Description Signature Key Length From the list, select the signature key length in bits: • • 1024 • 2048 Note: Larger key sizes might improve security but might also decrease performance.
  • Page 315 NETGEAR ProSAFE VPN Firewall FVS318G v2 d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA. Download the digital certificate file from the CA and store it on your computer. Return to the Certificates screen and locate the Self Certificate Requests section.
  • Page 316: Manage The Vpn Certificate Revocation List

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • Expiry Time. The date on which the digital certificate expires. Renew the digital certificate before it expires. To delete one or more self-signed certificates: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 317 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select VPN > Certificates. The Certificates screen displays. Scroll down. The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates: • CA Identity. The official name of the CA that issued the CRL.
  • Page 318 NETGEAR ProSAFE VPN Firewall FVS318G v2 Click the Delete table button. The information is deleted. Manage Users, Authentication, and VPN Certificates...
  • Page 319: Chapter 7 Network And System Management

    Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall. The chapter contains the following sections: Performance Management • System Management •...
  • Page 320: Performance Management

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Performance Management Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through when there is a bottleneck. You can either reduce unnecessary traffic or reschedule some traffic to low-peak times to prevent bottlenecks from occurring in the first place.
  • Page 321 NETGEAR ProSAFE VPN Firewall FVS318G v2 WARNING: Incorrect configuration of outbound firewall rules can cause serious connection problems. Each rule lets you specify the desired action for the connections that are covered by the rule: • BLOCK always • BLOCK by schedule, otherwise allow •...
  • Page 322: Content Filtering

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • Schedule. You can configure three different schedules to specify when a rule is applied. Once a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Set a Schedule to Block or Allow Specific Traffic on page 195.
  • Page 323 NETGEAR ProSAFE VPN Firewall FVS318G v2 • Configuring VPN tunnels LAN WAN Inbound Rules and DMZ WAN Inbound Rules The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for inbound traffic (from WAN to LAN and from WAN to the DMZ). Any inbound rule that you create allows additional incoming traffic and therefore increases the traffic load on the WAN side.
  • Page 324: Port Triggering

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Groups. The rule is applied to a group of computers. You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules as follows. • The Known PCs and Devices table is an automatically maintained list of all known...
  • Page 325: Use Qos And Bandwidth Assignment To Shift The Traffic Mix

    NETGEAR ProSAFE VPN Firewall FVS318G v2 For information about how to enable the DMZ port, see Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic on page 96. For information about how to configure DMZ traffic rules, see Configure DMZ WAN Rules on page 144.
  • Page 326: Monitoring Tools For Traffic Management

    The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.
  • Page 327 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Users > Users. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. You cannot modify the administrator user name, user type, or group assignment.
  • Page 328: Configure Remote Management Access

    VPN firewall’s web management interface is accessible to anyone who knows its IP address and default password. Because a malicious WAN user can reconfigure the VPN firewall and misuse it in many ways, NETGEAR recommends that you change the admin and guest default passwords before continuing.
  • Page 329 NETGEAR ProSAFE VPN Firewall FVS318G v2 • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by Step default. Go to Network and System Management...
  • Page 330 NETGEAR ProSAFE VPN Firewall FVS318G v2 • IPv6. Select the IPv6 radio button. Enter the settings as described in the following table: Table 73. Remote Management screen settings for IPv4 and IPv6 Setting Description Secure HTTP Management Allow Secure HTTP...
  • Page 331: Use The Command-Line Interface

    Simple Network Management Protocol (SNMP) forms part of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems such as the NETGEAR ProSafe Network Management Software Network and System Management...
  • Page 332 NETGEAR ProSAFE VPN Firewall FVS318G v2 (NMS200) to monitor network-attached devices for conditions that warrant administrative attention. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications.
  • Page 333 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Administration > SNMP. The SNMPv3 Users table includes the default SNMPv3 users that are preconfigured on the VPN firewall. The SNMPv3 Users table shows the following columns: • Username. The default user names (admin or guest).
  • Page 334 NETGEAR ProSAFE VPN Firewall FVS318G v2 To enable access from the WAN, specify a new SNMP configuration, or enable SNMP trap events, enter the settings as described in the following table: Table 74. SNMP screen settings Setting Description Access From WAN...
  • Page 335 NETGEAR ProSAFE VPN Firewall FVS318G v2 b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain).
  • Page 336 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select the check box to the left of each SNMP configuration that you want to delete or click the Select All table button to select all SNMP configurations. Click the Delete table button. The information is deleted.
  • Page 337 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 75. Edit User screen settings for SNMPv3 users (continued) Setting Description Security Level From the list, select the security level for communication between the SNMPv3 user and the SNMP agent that collects the MIB objects from the VPN firewall: •...
  • Page 338: Manage The Configuration File

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The SNMP screen displays. In the upper right of the screen, click the SNMP System Info option arrow. Enter the settings as described in the following table: Table 76. SNMP SysConfiguration screen settings Setting...
  • Page 339 To save a copy of your current settings, next to Save a copy of current settings, click the Backup button. A screen displays, showing the file name of the backup file (FVS318G.cfg). Click the Save file button and then click the OK button.
  • Page 340 NETGEAR ProSAFE VPN Firewall FVS318G v2 Note the following: • If your browser is not configured to save downloaded files automatically, locate the folder in which you want to save the file, specify the file name, and save the file.
  • Page 341: Revert To Factory Default Settings

    Select Administration > Settings Backup & Upgrade. Next to Restore saved settings from file, click the Browse button. Locate and select the previously saved backup file (by default, FVS318G.cfg). Click the Restore button. A warning message might display, and you must confirm that you want to restore the configuration.
  • Page 342 NETGEAR ProSAFE VPN Firewall FVS318G v2 WARNING: When you press the hardware factory default Reset button or click the software Default button, the VPN firewall settings are erased. All firewall rules, VPN policies, LAN and WAN settings, and other settings are lost. Back up your settings if you intend to use them.
  • Page 343: Update The Firmware

    Visit the NETGEAR website at http://support.netgear.com. Navigate to the FVS318G v2 support page, and click the Downloads tab. Click the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the VPN firewall’s software.
  • Page 344 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 345: Configure Date And Time Service

    NETGEAR ProSAFE VPN Firewall FVS318G v2 When the reboot process is complete, log in to the VPN firewall again. The reboot process is complete when the Test LED on the front panel turns off. Select Monitoring. The Router Status screen displays, showing the new firmware version in the System Info section of the screen.
  • Page 346 Note: If you select the Use Custom NTP Servers option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://support.ntp.org/bin/view/Servers/WebHome.
  • Page 347 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 77. Time Zone screen settings (continued) Setting Description NTP Servers (custom) Server 1 Name / IP Address Enter the IP address or host name of the primary NTP server. Server 2 Name / IP Address Enter the IP address or host name of the backup NTP server.
  • Page 348: Chapter 8 Monitor System Access And Performance

    Monitor System Access and Performance This chapter describes the system-monitoring features of the VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more.
  • Page 349: Enable The Wan Traffic Meter

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Enable the WAN Traffic Meter If your ISP charges by traffic volume over a given period, or if you want to study traffic types over a period, you can activate the traffic meter for IPv4 traffic on the WAN port.
  • Page 350 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Monitoring > Traffic Meter. The Internet Traffic Statistics section in the lower part of the screen displays statistics on Internet traffic through the WAN port. If you did not enable the traffic meter, these statistics are not available.
  • Page 351 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 78. Broadband Traffic Meter screen settings Setting Description Enable Traffic Meter Do you want to Select a traffic metering option: enable Traffic • Yes. Traffic metering is enabled, and the traffic meter records the volume of Metering on Internet traffic passing through the WAN interface.
  • Page 352 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 78. Broadband Traffic Meter screen settings (continued) Setting Description When Limit is reached Block Traffic Select which action the VPN firewall performs when the traffic limit is reached: • Block All Traffic. All incoming and outgoing Internet and email traffic is blocked.
  • Page 353: Configure Logging, Alerts, And Event Notifications

    Enabling routing and other event logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. Note: This release does not support sending the NTP and DNS logs to the syslog server or the mail server.
  • Page 354 NETGEAR ProSAFE VPN Firewall FVS318G v2 The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Monitoring > Firewall Logs & E-mail. Monitor System Access and Performance...
  • Page 355 NETGEAR ProSAFE VPN Firewall FVS318G v2 Enter the settings as described in the following table: Table 79. Firewall Logs & E-mail screen settings Setting Description Log Options Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to identify the device that sent the log messages.
  • Page 356 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 79. Firewall Logs & E-mail screen settings (continued) Setting Description Enable E-mail Logs Do you want Select the Yes radio button to enable the VPN firewall to email logs to a specified email logs to be address.
  • Page 357: How To Send Syslogs Over A Vpn Tunnel Between Sites

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 79. Firewall Logs & E-mail screen settings (continued) Setting Description Enable SysLogs Do you want To enable the VPN firewall to send logs to a specified syslog server, select the Yes radio to enable button.
  • Page 358 NETGEAR ProSAFE VPN Firewall FVS318G v2 Type of Address Gateway 1 at Site 1 Gateway 2 at Site 2 LAN subnet mask 255.255.255.0 255.255.255.0 LAN IP address syslog server 192.168.10.2 Not applicable Configure Gateway 1 at Site 1 • Configure Gateway 2 at Site 2 •...
  • Page 359 NETGEAR ProSAFE VPN Firewall FVS318G v2 b. In the Username field, enter admin and in the Password / Passcode field, enter password. Use lowercase letters. If you changed the password, enter your personalized password. Leave the domain as it is (geardomain).
  • Page 360 NETGEAR ProSAFE VPN Firewall FVS318G v2 • Local WAN IP address. 10.0.0.2 • Remote LAN IP address. 192.168.10.0 • Remote LAN subnet mask. 255.255.255.0 Click the Apply button. Your changes are saved. To change the local IP address in the VPN policy:...
  • Page 361: View The Status

    NETGEAR ProSAFE VPN Firewall FVS318G v2 c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays.
  • Page 362 NETGEAR ProSAFE VPN Firewall FVS318G v2 Tunnel Status • Router Status To view the Router Status: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 363 NETGEAR ProSAFE VPN Firewall FVS318G v2 The following table explains the fields of the Router Status screen: Table 80. Router Status screen information Item Description System Info System Name The NETGEAR system name. Firmware Version The installed firmware version. LAN (VLAN) Information For each of the LAN ports, the screen shows the IP address and subnet mask.
  • Page 364 NETGEAR ProSAFE VPN Firewall FVS318G v2 Router Statistics To view the Router Statistics: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 365 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 81. Router Statistics screen information (continued) Item Description Tx B/s The number of bytes transmitted per second on the port. Rx B/s The number of bytes received per second on the port. Up Time The period that the port is active since it was restarted.
  • Page 366 NETGEAR ProSAFE VPN Firewall FVS318G v2 Select Monitoring > Router Status > Detailed Status. Monitor System Access and Performance...
  • Page 367 NETGEAR ProSAFE VPN Firewall FVS318G v2 The following table explains the fields of the Detailed Status screen: Table 82. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile...
  • Page 368 The link state can be either LINK UP or LINK DOWN, depending on whether the WAN port is physically connected to a modem, dish, or router. For information about connecting a WAN port, see the NETGEAR ProSAFE VPN Firewall FVS318G v2 Installation Guide.
  • Page 369 NETGEAR ProSAFE VPN Firewall FVS318G v2 VLAN Status You can display the current settings of the router's configured VLAN ports. To view the status of the configured VLAN ports: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1.
  • Page 370: View The Vpn Connection Status And L2Tp Users

    NETGEAR ProSAFE VPN Firewall FVS318G v2 To view the status of the tunnels and IPv6 addresses: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 371 NETGEAR ProSAFE VPN Firewall FVS318G v2 The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select VPN > Connection Status. The policy name, the endpoint’s IP address, the amount of data and number of packets transmitted, and the state of the connection are listed in the table.
  • Page 372: View The Vpn Logs

    NETGEAR ProSAFE VPN Firewall FVS318G v2 View the VPN Logs To display the IPSec VPN log: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 373: View The Wan Port Status

    NETGEAR ProSAFE VPN Firewall FVS318G v2 c. Click the Login button. The Router Status screen displays. After five minutes of inactivity, which is the default login time-out, you are automatically logged out. Select Security > Port Triggering. In the upper right of the screen, click the Status option arrow.
  • Page 374 NETGEAR ProSAFE VPN Firewall FVS318G v2 IPv4 WAN Port Status To view the IPv4 status of the WAN port: Log in to the unit: a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
  • Page 375 NETGEAR ProSAFE VPN Firewall FVS318G v2 Table 84. Connection Status screen information for an IPv4 connection (continued) Item Description IP Address The addresses that were automatically detected or that you configured on the Broadband ISP Settings (IPv4) screen. Subnet Mask...
  • Page 376: View The Attached Devices And The Dhcp Log

    NETGEAR ProSAFE VPN Firewall FVS318G v2 In the upper right of the screen, click the Status option arrow. The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Table 85.
  • Page 377 NETGEAR ProSAFE VPN Firewall FVS318G v2 database. For information about how to edit the Known PCs and Devices table or manually add entries to the table, see Manage the Network Database on page 73. If the VPN firewall is rebooted, the data in the Known PCs and Devices table is lost until the VPN firewall rediscovers the devices.
  • Page 378 NETGEAR ProSAFE VPN Firewall FVS318G v2 • Group. Each computer or device can be assigned to a single LAN group. By default, a computer or device is assigned to Group 1. You can select a different LAN group from the Group list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen.
  • Page 379: Diagnostics Utilities

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The LAN Setup screen displays. For more information, see Configure a VLAN Profile on page 61. Diagnostics Utilities The VPN firewall provides diagnostic tools that help you analyze the status of the network and traffic conditions. Two types of tools are available: •...
  • Page 380 NETGEAR ProSAFE VPN Firewall FVS318G v2 • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. • IPv6. Select the IPv6 radio button. The various tasks that you can perform on the Diagnostics screen are described in the...
  • Page 381: Send A Ping Packet

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Display the Routing Tables • Capture Packets in Real Time • Reboot the VPN Firewall Remotely • Send a Ping Packet Use the ping utility to send a ping packet request to check the connection between the VPN firewall and a specific IP address or FQDN.
  • Page 382: Look Up A Dns Address

    To return to the Diagnostics screen, on the browser menu bar, click the Back button. Look Up a DNS Address A Domain Name Server (DNS) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.
  • Page 383: Display The Routing Tables

    The results of the lookup action are displayed in a new screen. To return to the Diagnostics screen, on the browser menu bar, click the Back button. Display the Routing Tables Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems. To display the routing table:...
  • Page 384: Capture Packets In Real Time

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Capture Packets in Real Time Capturing packets can assist NETGEAR technical support in diagnosing packet transfer problems. You can also use a traffic analyzer to do your own problem diagnoses. To capture packets in real time:...
  • Page 385: Reboot The Vpn Firewall Remotely

    When the download is complete, browse to the download location you specified, and verify that the file was downloaded successfully. (Optional) Send the file to NETGEAR technical support for analysis. Reboot the VPN Firewall Remotely You can perform a remote reboot, for example, when the VPN firewall seems to be unstable or is not operating normally.
  • Page 386: Chapter 9 Troubleshooting

    Troubleshooting This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the VPN firewall on? Go to Basic Functioning on page 387.
  • Page 387: Basic Functioning

    Doing so sets the VPN firewall’s IP address to 192.168.1.1. This procedure is described in Restore the Default Configuration and Password on page 397. If the error persists, it is possible that a hardware problem occurred. Contact NETGEAR technical support. Troubleshooting...
  • Page 388: Lan Or Wan Port Leds Not On

    NETGEAR ProSAFE VPN Firewall FVS318G v2 LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the VPN firewall and at the hub, router, or workstation.
  • Page 389: When You Enter A Url Or Ip Address, A Time-Out Error Occurs

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The factory default login name is admin, and the password is password. Make sure that Caps Lock is off when entering this information. Note: To be able to configure the VPN firewall, your computer’s IP address does not need to be on the same subnet as the VPN firewall.
  • Page 390 NETGEAR ProSAFE VPN Firewall FVS318G v2 a. In the address field of any of the qualified web browsers, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays. b. In the Username field, enter admin and in the Password / Passcode field, enter password.
  • Page 391: Troubleshooting The Ipv6 Connection

    A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically, your ISP provides the addresses of one or two DNS servers for your use. You can configure your computer manually with DNS addresses, as described in your operating system documentation.
  • Page 392 NETGEAR ProSAFE VPN Firewall FVS318G v2 • Make sure that the VPN firewall can provide IPv6 addresses to the computers on the LAN. For more information, see Manage the IPv6 LAN on page 78. Check the settings on the LAN Setup (IPv6) screen, and if applicable for your type of configuration, on the RADVD screen.
  • Page 393 NETGEAR ProSAFE VPN Firewall FVS318G v2 b. Click or double-click Local Area Connection for the connection to the VPN firewall. c. Make sure that Internet Protocol Version 6 (TCP/IPv6) displays. • Make sure that the computer is using an IPv6 address.
  • Page 394 NETGEAR ProSAFE VPN Firewall FVS318G v2 c. Click or double-click View status of this connection. d. Make sure that Internet access shows for the IPv6 connection. The previous figure shows that the device is not connected to the Internet. e. Click the Details button.
  • Page 395: Troubleshoot A Tcp/Ip Network Using A Ping Utility

    NETGEAR ProSAFE VPN Firewall FVS318G v2 The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with fe80. Troubleshoot a TCP/IP Network Using a Ping Utility Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device.
  • Page 396: Test The Path From Your Computer To A Remote Device

    NETGEAR ProSAFE VPN Firewall FVS318G v2 • Wrong network configuration Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your computer or workstation. Verify that the IP address for your VPN firewall and your workstation are correct and that the addresses are on the same subnet.
  • Page 397: Restore The Default Configuration And Password

    NETGEAR ProSAFE VPN Firewall FVS318G v2 Restore the Default Configuration and Password To reset the VPN firewall to the original factory default settings, you can use one of the following two methods: • Press the factory default Reset button on the rear panel of the VPN firewall and hold the button for about eight seconds until the Test LED turns on and begins to blink (about 30 seconds).
  • Page 398: Address Problems With Date And Time

    Adjust for Daylight Savings Time check box. Access the Knowledge Base and Documentation To access NETGEAR’s knowledge base for the VPN firewall: Select Web Support > Knowledgebase. To access NETGEAR’s documentation library for your VPN firewall model: Select Web Support > Documentation. Troubleshooting...
  • Page 399: Appendix A Default Settings And Technical Specifications

    Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the VPN firewall in the following sections: Factory Default Settings • Physical and Technical Specifications •...
  • Page 400: Factory Default Settings

    Factory Default Settings

    You can use the factory default Reset button on the rear panel to reset all settings to their factory defaults. This is called a hard reset (for more information, see Revert to Factory Default Settings on page 341).
  • Page 401

    Table 86. VPN firewall factory default configuration settings (continued)
    Feature | Default Behavior
    IPv4 LAN, DMZ, and routing settings
    LAN IPv4 address for the default VLAN | 192.168.1.1
    LAN IPv4 subnet mask for the default VLAN | 255.255.255.0
    ...
  • Page 402

    Table 86. VPN firewall factory default configuration settings (continued)
    Feature | Default Behavior
    Firewall and security settings
    Inbound LAN WAN rules (communications coming in from the Internet) | All traffic is blocked, except for traffic in response to requests from the LAN.
    ...
  • Page 403

    Table 86. VPN firewall factory default configuration settings (continued)
    Feature | Default Behavior
    QoS profiles | Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, Minimize-Delay
    Content filtering | Disabled
    Proxy server blocking | Disabled
    Java applets blocking | Disabled
    ActiveX controls blocking | Disabled
    ...
  • Page 404

    Table 86. VPN firewall factory default configuration settings (continued)
    Feature | Default Behavior
    VPN IPSec Wizard: IKE policy settings for IPv4 gateway-to-client tunnels
    Exchange mode | Aggressive
    ID type | FQDN
    Local WAN ID | remote.com
    Remote WAN ID | local.com
    ...
  • Page 405: Physical And Technical Specifications

    Table 86. VPN firewall factory default configuration settings (continued)
    Feature | Default Behavior
    Administrative and monitoring settings
    Secure HTTP management | Enabled
    Telnet management | Disabled
    Traffic meter | Disabled
    SNMP | Disabled
    Time zone
    Time zone adjusted for daylight saving time...
  • Page 406

    Table 87. VPN firewall physical and technical specifications (continued)
    Feature | Specification
    Environmental specifications
    Operating temperatures | 0° to 40°C (32° to 104°F)
    Storage temperatures | –20° to 70°C (–4° to 158°F)
    Operating humidity | 90% maximum relative humidity, noncondensing
    ...
  • Page 407: Appendix B Two-Factor Authentication

    Two-Factor Authentication

    This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution. This appendix contains the following sections:
    • Why Do I Need Two-Factor Authentication?
    • NETGEAR Two-Factor Authentication Solutions
    • ...
  • Page 408: Why Do I Need Two-Factor Authentication

    NETGEAR also recognizes the need to provide more than just a firewall to protect the networks. NETGEAR implements a more robust authentication system known as two-factor authentication (2FA or T-FA) to help address the fast-growing network security issues.
  • Page 409: Netgear Two-Factor Authentication Solutions

    NETGEAR Two-Factor Authentication Solutions

    NETGEAR implements two two-factor authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now can use WiKID to perform two-factor authentication on NETGEAR VPN firewall products.
  • Page 410

    A one-time passcode (something the user possesses) is generated.

    Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and must be used before the expiration time. If a user does not use this passcode before it expires, the user must go through the request process again to generate a new OTP.
