Netgear FVX538v1 FVX538 Reference Manual

Netgear FVX538v1 - ProSafe VPN Firewall Dual WAN Manual

Netgear FVX538v1 manual content summary:

  • Netgear FVX538v1 | FVX538 Reference Manual - Page 1
    ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 USA March 2009 202-10062-09 v1.0
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 2
    NETGEAR and the NETGEAR logo are registered trademarks and ProSafe and ProSecure are trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows 15 of the FCC Rules. These limits are with the instructions, may cause EU Regulatory Compliance Statement ProSafe VPN Firewall 200 is compliant with the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 3
    and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed to endorse or promote any products derived from this software without his specific prior written permission. This software is provided 'as is' with no
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 4
    Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 5
    to make and use derivative works provided that such works are identified as "derived from promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED . zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 6
    Product and Publication Details Model Number: Publication Date: Product Family: Product Name: Home or Business Product: Language: Publication Part Number: Publication Version Number FVX538 March 2009 VPN Firewall ProSafe VPN Firewall 200 Business English 202-10062-09 1.0 vi 1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 7
    Mounting Hardware 1-8 The Router's IP Address, Login Name, and Password 1-9 Chapter 2 Connecting the FVX538 to the Internet Logging into the VPN Firewall 2-1 Configuring the Internet Connections to Your ISPs 2-2 Setting the Router's MAC Address 2-4 Manually Configuring Your Internet Connection
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 8
    Firewall DHCP Options 3-1 Configuring the LAN Setup Options 3-2 Configuring Multi Home LAN IPs 3-5 Managing Groups and Hosts (LAN Groups 3-6 Creating the Network Database 3-7 Setting Up Address Reservation 3-9 Configuring and Enabling the DMZ Port 3-10 Static Routes ...3-12 Configuring Static
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 9
    ProSafe VPN Firewall 200 FVX538 Reference Manual Outbound Rules Example 4-24 LAN WAN Outbound Rule: Blocking Instant Messenger 4-25 Adding Customized Services 4-25 Setting Quality of Service (QoS) Priorities 4-27 Setting a Schedule to Block or Allow Specific Traffic 4-28 Setting Block Sites (
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 10
    VPN Firewall 200 FVX538 Reference Manual Extended Authentication (XAUTH) Configuration 5-23 Configuring XAUTH for VPN Clients 5-24 User Database Configuration 5-25 RADIUS Client Configuration 5-27 Assigning IP Addresses to Remote Users (ModeConfig 5-29 Mode Config Operation 5-29 Configuring
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 11
    VPN Firewall 200 FVX538 Reference Manual Viewing Port Triggering Status 6-24 Viewing Router Configuration and System Status 6-25 Monitoring WAN Ports Status 6-26 Monitoring VPN Tunnel Connection Status 6-27 VPN Logs ...6-28 DHCP Log ...6-29 Performing Diagnostics 6-29 Chapter 7 Troubleshooting
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 12
    ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic ...B-8 Inbound Traffic to Single WAN Port (Reference Case B-8 Inbound Traffic to Dual WAN Port Systems B-8 Inbound Traffic: Dual WAN Ports for Improved Reliability B-9 Inbound Traffic: Dual WAN Ports for Load Balancing B-9 Virtual
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 13
    ProSafe VPN Firewall 200 FVX538 Reference Manual Multicast/Broadcast Logs C-9 FTP Logging ...C-10 Invalid Packet Logging C-10 Routing Logs ...C-13 LAN to WAN Logs C-13 LAN to DMZ Logs C-14 DMZ to WAN Logs C-14 WAN to LAN Logs C-14 DMZ to LAN Logs C-14 WAN to DMZ Logs C-15 Appendix D Related
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 14
    ProSafe VPN Firewall 200 FVX538 Reference Manual xiv Contents v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 15
    Manual The NETGEAR® ProSafe™ VPN Firewall 200 describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual extensions User input, IP addresses, GUI screen text Command prompt, CLI text, code URL links • Formats. This manual uses the following
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 16
    and topics for the March 2009 firmware maintenance release: • WIKID 2 factor authentication • SIP AGL support • DHCP Relay support • Update VPN configuration procedure topics • Update the Certificate management topic • Correct the firewall scheduling topic xvi About This Manual v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 17
    page 1-6 • "The Router's IP Address, Login Name, and Password" on page 1-9 Key Features The VPN firewall provides the following features: • Dual 10/100 Mbps Ethernet WAN ports for load balancing or failover protection, providing increased system reliability and load balancing. The WAN ports do not
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 18
    ProSafe VPN Firewall 200 FVX538 Reference Manual • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). • Easy, web-based setup for installation and management. • Advanced SPI Firewall and Multi-NAT support. • Extensive Protocol Support. • Login capability. •
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 19
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 20
    ProSafe VPN Firewall 200 FVX538 Reference Manual Extensive Protocol Support The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to "Internet Configuration Requirements" in Appendix
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 21
    Management. The firewall allows you to log in to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. • Visual monitoring. The VPN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 22
    ProSafe VPN Firewall 200 FVX538 Reference Manual Router Front and Rear Panels The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. 1 2 3 4 5 6 7 Figure 1-1 Table 1-1 describes each item on the front panel and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 23
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 1-1. Object Descriptions (continued) Object Activity Description 4. LAN Ports and LEDs 8-port RJ-45 10/100 Mbps Fast Ethernet Switch Link/Act LED On (Green) Blinking (Green) Off N-way automatic speed negotiation, auto MDI/MDIX. The LAN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 24
    ProSafe VPN Firewall 200 FVX538 Reference Manual The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection. Figure 1-2 1 2 Viewed from left to right, the rear panel contains the following elements: 1. AC power
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 25
    ProSafe VPN Firewall 200 FVX538 Reference Manual The Router's IP Address, Login Name, and Password Check the label on the bottom of the FVX538's enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN • User name:
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 26
    ProSafe VPN Firewall 200 FVX538 Reference Manual 1-10 v1.0, March 2009 Introduction
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 27
    that you can log in remotely in the future to manage the firewall (see "RADIUS Server External Authentication" on page 6-10). If you enable remote management, you are strongly advised to change your password (see "Changing Passwords and Settings" on page 6-8). Connecting the FVX538 to the Internet
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 28
    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring the Internet Connections to Your ISPs You should first configure your Internet connections to your ISPs on WAN port 1, and then configure WAN port 2 second. To automatically configure the WAN ports and connect to the Internet: 1. The WAN1
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 29
    ProSafe VPN Firewall 200 FVX538 Reference Manual When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table. Table 2-1. Internet connection methods Connection Method PPPoE PPTP DHCP (Dynamic IP)
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 30
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. Set up the traffic meter for WAN 1 ISP if desired. See "Programming the Traffic Meter (if Desired)" on page 2-6. Note: At this point of the configuration process, you are now connected to the Internet through WAN port 1. But you must continue with
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 31
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected. If
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 32
    VPN Firewall 200 FVX538 Reference Manual If your ISP has not assigned a Static IP address, select the Get dynamically from ISP radio box. The ISP will automatically assign an IP address to the router using DHCP network protocol. 4. If your ISP has not assigned any Domain Name Servers (DNS) addresses
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 33
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-3 2. Click Apply to apply the settings. Click Reset to return to the previous settings. 3. Select the WAN2 Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter for the WAN2 port. Table 2-2. Traffic Meter Settings
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 34
    ) The dual WAN ports of the ProSafe VPN Firewall 200 can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency). • Auto-Rollover Mode. In this mode, the selected WAN interface is made primary and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 35
    ProSafe VPN Firewall 200 FVX538 Reference Manual If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 36
    ProSafe VPN Firewall 200 FVX538 Reference Manual When the router is configured in Auto-Rollover Mode, the router uses the WAN Failure Detection Method to check the connection of the primary link at regular intervals to detect router status. Link failure is detected in one of the following ways: • By
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 37
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-4 6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number of queries have failed to elicit a reply. The rollover link is brought up after this. The Failover default is 4 failures. The default
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 38
    ProSafe VPN Firewall 200 FVX538 Reference Manual Setting Up Load Balancing To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, both links will carry data for the protocols that are bound to them. For example, if the HTTP protocol is bound to WAN1 and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 39
    ProSafe VPN Firewall 200 FVX538 Reference Manual a. Service - From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see "Services-Based Rules" on
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 40
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-6 3. Modify the parameters for the protocol binding service you selected. 4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table. 5. Click Reset to return to the previously configured settings. Configuring
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 41
    ProSafe VPN Firewall 200 FVX538 Reference Manual IP address will be, and the address can change frequently; hence the need for a commercial DDNS service, which allows you to register an extension to its domain, and resolves DNS requests for the resulting FQDN to your frequently-changing IP address.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 42
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-7 2. Click the tab of the Dynamic DNS Service you want to enable. Each DNS service provider requires registration and you then configure its parameters on the corresponding tab page. 3. Access the Web site of one of the DDNS service
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 43
    ProSafe VPN Firewall 200 FVX538 Reference Manual For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org 5. Click Apply to save your configuration. 6. Click Reset to return to the previous settings. Configuring the Advanced WAN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 44
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Port Speed - In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may have to manually select the port
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 45
    ProSafe VPN Firewall 200, including the following sections: • "Choosing the Firewall DHCP Options" on page 3-1 • "Managing Groups and Hosts (LAN Groups)" on page 3-6 • "Configuring and Enabling the DMZ Port" on page 3-10 • "Static Routes" on page 3-12 Choosing the Firewall DHCP Options By default
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 46
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Primary DNS Server (the firewall's LAN IP address). • WINS Server (if you entered a WINS server address in the DHCP Setup menu). • Lease Time (date obtained and duration of lease). DHCP Relay options allow you to make the firewall a DHCP relay agent
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 47
    VPN Firewall 200 FVX538 Reference Manual 1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1 2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 48
    ProSafe VPN Firewall 200 FVX538 Reference Manual b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 49
    ProSafe VPN Firewall 200 FVX538 Reference Manual The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 50
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Action: The Edit link allows you to make changes to the selected entry. • Select All: Selects all the entries in the Available Secondary LAN IPs table. • Delete: Deletes selected entries from the Available Secondary LAN IPs table. To add a secondary
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 51
    ProSafe VPN Firewall 200 FVX538 Reference Manual Creating the Network Database Some advantages of the Network Database are: • Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the desired PC or device. • No need to reserve an IP address for a PC in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 52
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 3-3 The Network Database is created by: • Using the DHCP Server: The router's DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 53
    ProSafe VPN Firewall 200 FVX538 Reference Manual • MAC Address: The MAC address of the computer's network interface. • Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment by selecting the Edit
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 54
    . The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see "Router Front and Rear Panels" on page 1-6) and configure an IP address and Mask for the DMZ port. To enable and configure the DMZ port: 1. From the main menu, select
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 55
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 3-4 4. If desired, Enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router's DMZ network. Note: If you enable the DNS Relay feature, you will not use the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 56
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Click Apply to save your settings. The DMZ LED next to LAN port 8 (see "Router Front and Rear Panels" on page 1-6) will light up indicating that the DMZ port has been enabled. If another device on your DMZ network will be the DHCP server, or if you
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 57
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 3-5 4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address to the host or network to which the route
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 58
    ProSafe VPN Firewall 200 FVX538 Reference Manual Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 59
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 3-6 3. From the RIP Version pull-down menu, select the version: • RIP-1 - A classful routing that does not include subnet information. This is the most commonly supported version. • RIP-2 - Supports subnet information. Both RIP-2B and RIP-2M
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 60
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Click Save to save your settings. Static Route Example For example, you may require a static route if: • Your primary Internet access is through a cable modem to an ISP. • You have an ISDN firewall on your home network for connecting to the company
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 61
    of the ProSafe VPN Firewall 200 to protect your network. This chapter includes the following sections: • "About Firewall Protection and Content Filtering" on page 4-1 • "Using Rules to Block or Allow Specific Kinds of Traffic" on page 4-2 • "Setting a Schedule to Block or Allow Specific Traffic" on
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 62
    ProSafe VPN Firewall 200 FVX538 Reference Manual intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT. Using Rules to Block or Allow Specific Kinds
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 63
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Customized Services - Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see "Adding Customized Services" on page 4-
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 64
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-2. Outbound Rules (continued) Item LAN users WAN Users DMZ Users Description These settings determine which computers on your network are affected by this rule. Select the desired options: • Any - All PCs and devices on your LAN. • Single
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 65
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-2. Outbound Rules (continued) Item QoS Priority NAT IP Description The priority assigned to IP packets of this service. The priorities are defined by "Type of Service (TOS) in the Internet Protocol Suite" standards, RFC 1349. The router
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 66
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-2. Outbound Rules (continued) Item Bandwidth Profile Log Description Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 67
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Local PCs must access the local server using the PCs' local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail. Note: See "Port Triggering" on page 4-35 for yet another way to allow certain types of
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 68
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-3. Inbound Rules (continued) Item Bandwidth Profile Log Description Bandwidth Limiting determines the way in which the data is sent to/from your host. The purpose of bandwidth limiting is to provide a solution
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 69
    the most specific services or addresses). The Up and Down button allows you to relocate a defined rule to a new position in the table. Setting LAN WAN Rules The Default Outbound Policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 70
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply. Figure 4-2 To make changes to an existing outbound or inbound service rule: 1. In the Action column adjacent to the rule click: • Edit - to make
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 71
    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 72
    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 73
    ProSafe VPN Firewall 200 FVX538 Reference Manual out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to block all outbound traffic and enable only specific services to pass through the router by adding an
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 74
    ProSafe VPN Firewall 200 FVX538 Reference Manual To change the Default Outbound Policy: 1. Select Security from the main menu, Firewall Rules from the submenu and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display. 2. Click Add under the Outbound Services table. The Add DMZ WAN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 75
    VPN Firewall 200 FVX538 Reference Manual To make changes to an existing outbound or inbound LAN DMZ service rule: 1. In the Action column adjacent to the rule click: • Edit - to make any changes to the rule definition. The Outbound Service screen will display containing the data for the selected
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 76
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Complete the Outbound Service screen, and save the data (see "Outbound Rules (Service Blocking)" on page 4-3). 3. Click Reset to cancel your settings and return to the previous settings. 4. Click Apply to save your changes and reset the fields on
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 77
    ProSafe VPN Firewall 200 FVX538 Reference Manual • LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 78
    ProSafe VPN Firewall 200 FVX538 Reference Manual . Figure 4-8 Session Limit Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the router. This feature is enabled on the Session Limit screen and shown below in Figure
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 79
    ProSafe VPN Firewall 200 FVX538 Reference Manual To enable Session Limit: 1. Click the Yes radio button under Do you want to enable Session Limit? 2. From the User Limit Parameter drop-down list, define the maximum number of sessions per IP either as a percentage of maximum sessions or as an
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 80
    ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Rules Examples LAN WAN Inbound Rule: Hosting A Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 81
    VPN Firewall 200 FVX538 Reference Manual In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses. LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping In this example, we will configure multi-NAT to support multiple public IP addresses
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 82
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. From the Service pull-down menu, select the HTTP service for a Web server. Figure 4-12 5. From the Action pull-down menu, select Allow Always. 6. In the Send to LAN Server field, enter the local IP address of your Web server PC. 7. From the Public
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 83
    ProSafe VPN Firewall 200 FVX538 Reference Manual Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-13). This rule is different from a normal inbound port forwarding rule in that the Destination box contains an IP Address other than your normal WAN IP Address.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 84
    ProSafe VPN Firewall 200 FVX538 Reference Manual 1. Select Any and Allow Always (or Allow by Schedule) 2. Place rule below all other inbound rules Figure 4-14 Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 85
    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN WAN Outbound Rule: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 86
    ProSafe VPN Firewall 200 FVX538 Reference Manual To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 87
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP or ICMP. 4. Enter the first TCP or UDP port of the range that the service uses. If the service uses only one port, then the Start Port and the Finish
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 88
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2. • Maximize-Throughput: Used when the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 89
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect. 3. Check the radio button to schedule the time of day: All Day, or Specific Times. If you
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 90
    ProSafe VPN Firewall 200 FVX538 Reference Manual • If you wish to block all Internet browsing access, enter the keyword ".". To enable Content Filtering: 1. Select Security from the main menu and Block Sites from the sub-menu. The Block Sites screen will display. 2. Check the Yes radio button to
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 91
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-18 Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 92
    VPN Firewall 200 FVX538 Reference Manual • When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in Available MAC Addresses to be Blocked table. Figure 4-19 Note: For additional ways of restricting outbound traffic, see "Outbound Rules (Service
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 93
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Click Apply to save your settings. To remove an entry from the table, select the MAC address entry and click Delete. To select all the list of MAC addresses, click Select All. A checkmark will appear in the box to the left of each MAC address in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 94
    VPN Firewall 200 FVX538 Reference Manual Figure 4-20 3. Add an IP/MAC Bind rule by entering: a. Name: Specify an easily identifiable name for this rule. b. MAC Address: Specify the MAC Address for this rule. c. IP Addresses: Specify the IP Address for this rule. d. Log Dropped Packets: Select
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 95
    ProSafe VPN Firewall 200 FVX538 Reference Manual To remove an entry from the table, select the IP/MAC Bind entry and click Delete. Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 96
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-21 3. From the Protocol pull-down menu, select either the TCP or UDP protocol. 4. In the Outgoing (Trigger) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 5. In the Incoming (Response)
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 97
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display. 2. Modify any
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 98
    ProSafe VPN Firewall 200 FVX538 Reference Manual For example, when a new connection is established by a device, the device will locate the firewall rule corresponding to the connection. • If the rule has a bandwidth profile specification, then the device will create a bandwidth class in the kernel.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 99
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Name: Displays the user-defined name for this bandwidth profile. • Bandwidth Range: Displays the range for the bandwidth profile. • Type: Displays the type of bandwidth profile. • Direction: Displays the direction of the bandwidth profile. • WAN:
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 100
    ProSafe VPN Firewall 200 FVX538 Reference Manual You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-25 on page 4-42). Selecting all events will increase the size of
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 101
    the ident service is identd). 9. You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click the Yes radio box to enable SysLogs and send messages to the Syslog Server, then: a. Enter your SysLog Server IP address b. Select the appropriate
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 102
    ProSafe VPN Firewall 200 FVX538 Reference Manual 11. Click Apply to save your settings. To view the Firewall logs: 1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display. 2. If the E-mail Logs option has been enabled, you can send a copy of the log by
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 103
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-4. Firewall Log Field Descriptions (continued) Field Source port and interface Destination Destination port and interface Description The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ. The
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 104
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 105
    are in load balancing mode if the IP addresses are static but mandatory if the WAN IP addresses are dynamic. Refer to "Virtual Private Networks (VPNs)" on page B-10 for more on the IP addressing requirements for VPN in the dual WAN modes. For instructions on how to select and configure a dynamic DNS
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 106
    ProSafe VPN Firewall 200 FVX538 Reference Manual The diagrams and table below show how the WAN mode selection relates to VPN configuration. WAN Auto-Rollover: FQDN Required for VPN Firewall Rest of Firewall Functions Firewall WAN Port Functions Firewall Rollover Control WAN 1 Port WAN 2 Port
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 107
    ProSafe VPN Firewall 200 FVX538 Reference Manual Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 108
    ProSafe VPN Firewall 200 FVX538 Reference Manual 1. Select VPN > IPsec VPN > VPN Wizard to display the VPN Wizard tab page. To view the wizard default settings, click the VPN Default values link. You can modify these settings after completing the wizard. • Gateway connection • Connection name • Pre
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 109
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Both the remote WAN address and your local WAN address are required. Tip: To assure tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keepalive which periodically sends ping packets to the host on the peer side
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 110
    ProSafe VPN Firewall 200 FVX538 Reference Manual After both firewalls are configured, go to VPN > IPsec VPN > Connection Status to display the status of your VPN connections. Figure 5-6 The tunnel will automatically establish when both the local and target gateway policies are appropriately
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 111
    ProSafe VPN Firewall 200 FVX538 Reference Manual Use the VPN Wizard Configure the Gateway for a Client Tunnel 1. From the main menu, go to VPN > IPSec VPN > VPN Wizard. The VPN Wizard displays. • VPN Client connection • Connection name • Pre-shared key: r3m0+eC1ient • Remote identifier • Local
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 112
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Click Apply to save your settings: the VPN Policies page shows the policy is now enabled. Figure 5-9 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR Prosafe VPN Client installed, configure
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 113
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using gw1. Figure 5-11 Fill in the other options according to the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 114
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. In the left frame, click My Identity. Fill in the options according to the instructions below. r3m0+eC1ient Figure 5-12 • From the Select Certificate pull-down menu, choose None. • Click Pre-Shared Key to enter the key you provided in the VPN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 115
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. Verify the Security Policy settings; no changes are needed. Figure 5-13 • On the left, click Security Policy to view the settings: no changes are needed. • On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed. •
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 116
    ProSafe VPN Firewall 200 FVX538 Reference Manual Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the FVX538 provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 117
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-16 • Right-click the VPN Client icon in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 118
    ProSafe VPN Firewall 200 FVX538 Reference Manual The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2. System Tray Icon Status The client policy is deactivated. The client policy is deactivated but not connected. The client policy is
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 119
    ProSafe VPN Firewall 200 FVX538 Reference Manual To view FVX538 VPN logs, go to Monitoring > VPNLogs. Figure 5-19 VPN Tunnel Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Policy Tables. The name you selected as
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 120
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. If the VPN Policy is a "Manual" policy, then the Manual Policy Parameters defined in the VPN Policy are accessed and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway. • If negotiations fail, the next matching
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 121
    ProSafe VPN Firewall 200 FVX538 Reference Manual • DH. Diffie-Hellman Group. The Diffie-Hellman algorithm is used when exchanging keys. The DH Group sets the number of bits. The VPN Wizard default setting is Group 2. (This setting must match the Remote VPN.) • Enable Dead Peer Detection: Dead Peer
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 122
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Policy Table Only one Client Policy may be configured at a time (noted by an "*" next to the policy name). The Policy Table contains the following fields: • ! (Status). Indicates whether the policy is enabled (green
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 123
    Certificate Authorities ProSafe VPN Firewall 200 FVX538 Reference Manual Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). Digital Certificates are used by this router during the IKE (Internet Key
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 124
    ProSafe VPN Firewall 200 FVX538 Reference Manual • CA Identity (Subject Name). The organization or person to whom the certificate is issued. • Issuer Name. The name of the CA that issued the certificate. • Expiry Time. The date after which the certificate becomes invalid. The Active Self Certificates
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 125
    ProSafe VPN Firewall 200 FVX538 Reference Manual - Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also impact performance.) 3. Complete the Optional fields, if desired, with the following information: Figure 5-20 • IP Address - If you have a fixed IP address,
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 126
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Copy the contents of the Data to supply to CA text box into a file, including all of the data contained in "----BEGIN CERTIFICATE REQUEST---" and "---END CERTIFICATE REQUEST---". Click Done. You will return to the Certificate screen and your Request
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 127
    ProSafe VPN Firewall 200 FVX538 Reference Manual • CA Identify - The official name of the CA which issued this CRL. • Last Update - The date when this CRL was released. • Next Update Authentication (XAUTH) Configuration When connecting many VPN clients to a VPN gateway router, an administrator may
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 128
    ProSafe VPN Firewall 200 FVX538 Reference Manual • IPSec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 129
    ProSafe VPN Firewall 200 FVX538 Reference Manual - RADIUS-CHAP or RADIUS-PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS-PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 130
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4. Click Add. The User Name will be added to the Configured Users table. Figure 5-23
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 131
    ProSafe VPN Firewall 200 FVX538 Reference Manual To edit the user name or password: 1. Click Edit opposite the user's name. The Edit User screen will display. 2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 132
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-24 3. Enter the Primary RADIUS Server IP address. 4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 133
    VPN Firewall 200 FVX538 Reference Manual 9. Click Reset to cancel any changes and revert to the previous settings. 10. Click Apply to save the settings. Note: Selection of the Authentication Protocol, usually PAP or CHAP, is configured on the individual IKE policy screens. Assigning IP Addresses
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 134
    its IP address. 6. Enter one or two DNS Server IP addresses to be used by remote VPN clients. 7. If you enable Perfect Forward Secrecy (PFS), select DH Group 1 or 2. This setting must match exactly the configuration of the remote VPN client. 8. Specify the Local IP Subnet to which the remote client
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 135
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-25 To configure an IKE Policy: 1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies Table. 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 136
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. In the General section: a. Enter a descriptive name in the Policy Name Field such as "salesperson". This name will be used as part of the remote identifier in the VPN client configuration. b. Set Direction/Type to Responder. c. The Exchange Mode
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 137
    VPN Firewall 200 FVX538 Reference Manual 10. Click Apply. The new policy will appear in the IKE Policies Table (a sample policy is shown below) Figure 5-26 Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 138
    ProSafe VPN Firewall 200 FVX538 Reference Manual b. From the ID Type pull-down menu, select IP Subnet. c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway). d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull-down
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 139
    ProSafe VPN Firewall 200 FVX538 Reference Manual d. Under Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0. Note: If no box is displayed for Internal Network IP Address, go to Options/ Global Policy Settings, and check the box for "Allow to Specify
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 140
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-29 5. Click on Key Exchange (Phase 2) on the left-side of the menu and select Proposal 1. Enter the values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 141
    ProSafe VPN Firewall 200 FVX538 Reference Manual To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case "My Connections\modecfg_test". 2. Click on the connection. Within 30 seconds the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 142
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 143
    help the network manager accomplish these goals. Bandwidth Capacity The maximum bandwidth capacity of the VPN firewall in each direction is as follows: • LAN side: 1,800 Mbps (eight LAN ports at 100 Mbps each, plus one Gigabit LAN port) • WAN side: 200 Mbps (load balancing mode, two WAN ports at 100
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 144
    ProSafe VPN Firewall 200 FVX538 Reference Manual Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall. But there is no backup in case one of the WAN ports fails. In such an event and with one exception, the traffic that would have been
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 145
    Firewall 200 FVX538 Reference Manual - Groups: The rule is applied to a Group (see "Managing Groups and Hosts (LAN Groups)" on page 3-6 to assign PCs to a Group using Network Database). • WAN Users - These settings determine which Internet locations are covered by the rule, based on their IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 146
    ProSafe VPN Firewall 200 FVX538 Reference Manual Schedule. If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e., schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 147
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Firewall Features That Increase Traffic Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • DMZ port • Exposed hosts • VPN tunnels Port Forwarding The firewall always blocks DoS (Denial of Service)
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 148
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Enable DNS Proxy - Enable this to allow incoming DNS queries. • Enable Stealth Mode - Enable this to set the firewall to operate in stealth mode. As you define your firewall rules, you can further refine their application according to the following
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 149
    ProSafe VPN Firewall 200 FVX538 Reference Manual • The remote system receives the PC's request and responds using the different port numbers that you have now opened. • This Router matches the response to the previous request and forwards the response to the PC. Without Port Triggering, this
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 150
    passwords and settings, configure an SNMP manager, backup settings and upgrade firmware, and enable remote management. Administrator access is read/write and guest access is read-only. Changing Passwords and Settings The default password for the firewall's Web Configuration Manager is password
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 151
    ProSafe VPN Firewall 200 FVX538 Reference Manual 1. Select Users from the main menu and Local Authentication from the submenu. Figure 6-1 2. Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box. 3. Change the password by first entering the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 152
    ProSafe VPN Firewall 200 FVX538 Reference Manual Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset. RADIUS Server External Authentication For authentication to RADIUS or WIKID, you can define the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 153
    client devices. Enabling Remote Management Access Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see "Logging into the VPN Firewall
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 154
    200 FVX538 Reference Manual Figure 6-3 To configure your firewall for Remote Management: 1. Select Administration from the main menu and Remote Management from the submenu. The Remote Management screen will display. 2. Check Allow Remote Management radio box. 3. Specify what external addresses
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 155
    ProSafe VPN Firewall 200 FVX538 Reference Manual Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 156
    ProSafe VPN Firewall 200 FVX538 Reference Manual • To allow access from any IP address on the Internet, select Everyone. • To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. • To allow access
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 157
    ProSafe VPN Firewall 200 FVX538 Reference Manual 5. Click Add to create the new configuration. The entry will display in the SNMP Configuration table. 6. Click Edit in the Action column adjacent to the entry to modify or change the selected configuration. Figure 6-4 The SNMP System Info link
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 158
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Back up and save a copy of your current settings • Restore saved settings from the backed-up file. • Revert to the factory default settings. • Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 159
    200 FVX538 Reference Manual You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the router's password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and act as a DHCP client
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 160
    ProSafe VPN Firewall 200 FVX538 Reference Manual Warning: Once you click Upload do NOT interrupt the router!
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 161
    ProSafe VPN Firewall 200 FVX538 Reference Manual To upgrade router software: 1. Select Administration from the main menu and Settings Backup and Firmware Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. 2. Click Browse in the Router Upgrade section. 3. Locate
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 162
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this instead and enter the name or IP address of an NTP Server in the Server 1 Name/IP Address field. If required, you can also enter the address of another NTP server in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 163
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Internet Traffic Statistics - Displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available. • Traffic by Protocol - Click this button to display Internet Traffic details. The
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 164
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-8 Setting Login Failures and Attacks Notification Figure 6-9 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 165
    Figure 6-9 ProSafe VPN Firewall 200 FVX538 Reference Manual View System Logs Select the types of events to email. Select the segments to track for System Log events. Enable email alerts. Syslog Server enabled
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 166
    ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing Port Triggering Status You can view the status of Port Triggering by selecting Security from the main menu and Port Triggering from the submenu. When the Port Triggering screen displays, click the Status link. Figure 6-10 Table 6-2. Port
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 167
    ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing Router Configuration and System Status The Router Status screen provides status and usage information. Select Monitoring from the main menu and Router Status from the submenu. The Router Status screen will display. Figure 6-11 Table 6-3.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 168
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-3. Router Status Fields Item Description WAN1 Configuration Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also displays if: • NAT is Enabled or Disabled. • Connection Type: DHCP
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 169
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-12 Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display. Figure 6-13 Table 6-4. VPN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 170
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-4. VPN Status data Item Tx (KB) Tx (Packets) State Action Description The amount of data transmitted over this SA. The number of IP packets transmitted over this SA. The current status of the SA. Phase 1 is Authentication phase and Phase 2
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 171
    ProSafe VPN Firewall 200 FVX538 Reference Manual DHCP Log You can view the DHCP log from the LAN Setup screen. Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link. Figure 6-15 Performing Diagnostics You can
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 172
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-16 Table 6-5. Diagnostics Item Ping or Trace an IP address Perform a DNS Lookup Description Ping - Used to send a ping packet request to a specified IP address-most often, to test a connection. If the request times out (no reply is
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 173
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-5. Diagnostics (continued) Item Description Display the Routing Table Reboot the Router Packet Trace This operation will display the internal routing table. This information is used, most often, by Technical Support. Used to perform a
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 174
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 175
    and information for your ProSafe VPN Firewall 200. This chapter includes the following sections: • "Basic Functions" on page 7-1 • "Troubleshooting the Web Configuration Interface" on page 7-2 • "Troubleshooting the ISP Connection" on page 7-4 • "Troubleshooting a TCP/IP Network Using a Ping Utility
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 176
    to factory defaults. This will set the firewall's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 7-7. If the error persists, you might have a hardware problem and should contact technical support. LAN or Internet Port LEDs
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 177
    to factory defaults. This will set the firewall's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 7-7. Tip: If you don't want to revert to the factory default settings and lose your configuration settings, you can reboot the router
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 178
    ProSafe VPN Firewall 200 FVX538 Reference Manual Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 179
    ProSafe VPN Firewall 200 FVX538 Reference Manual - Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to "Manually Configuring Your Internet Connection" on page 2-4. If your firewall can obtain an IP address, but your PC is unable to load any
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 180
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Wrong physical connections - Make sure the LAN port LED is on. If the LED is off, follow the instructions in "LAN or Internet Port LEDs Not On" on page 7-2. - Check that the corresponding Link LEDs are on for your network interface card and for the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 181
    ProSafe VPN Firewall 200 FVX538 Reference Manual Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address to 192.168.1.1. You can erase the current
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 182
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 183
    Table A-1. VPN firewall Default Configuration Settings Feature Router Login User Login URL User Name (case sensitive) Login Password (case sensitive) Internet Connection WAN MAC Address WAN MTU Size Port Speed Local Network (LAN) Lan IP Subnet Mask RIP Direction RIP Version RIP Authentication
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 184
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table A-1. VPN firewall Default Configuration Settings (continued) Feature Default Behavior Time Zone GMT Time Zone Adjusted for Daylight Saving Disabled Time SNMP Disabled Remote Management Disabled Firewall Inbound (communications coming
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 185
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table A-2. VPN firewall Technical Specifications (continued) Feature Environmental Specifications Operating temperature: Operating humidity: Electromagnetic Emissions Meets requirements of: Interface Specifications LAN: WAN: Specifications 0 to 40
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 186
    ProSafe VPN Firewall 200 FVX538 Reference Manual A-4 Default Settings and Technical Specifications v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 187
    the factors to consider when planning a network using a firewall that has dual WAN ports. What You Will Need to Do Before You Begin The ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 188
    to respond to a ping and setting MTU size, port speed, and upload bandwidth. 4. Prepare to physically connect the firewall to cable or DSL modems and a computer. Instructions for connecting your VPN firewall are in the Installation Guide, FVX538 ProSafe VPN Firewall 200. B-2 Network Planning for Dual
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 189
    ISPs set up your Internet accounts, you will need one or more of these configuration parameters to connect your firewall to the Internet: • Host and Domain Names • ISP Login Name and Password • ISP Domain Name Server (DNS) Addresses • Fixed IP Address which is also known as Static IP Address Where
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 190
    ProSafe VPN Firewall 200 FVX538 Reference Manual • If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer. - For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 191
    ProSafe VPN Firewall 200 FVX538 Reference Manual Internet Connection Information Form Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 192
    VPN Firewall 200 FVX538 Reference Manual Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports include: • Inbound traffic (e.g., port forwarding, port triggering, DMZ port) • Virtual private networks (VPNs) The two WAN ports can be configured
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 193
    such as multiple exposed hosts are not supported when using dual WAN port rollover because the IP addresses of each WAN port must be in the identical range of fixed addresses. The Load Balancing Case for Firewalls With Dual WAN Ports Load balancing for the dual WAN port case is similar to the single
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 194
    ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu. Instead of discarding this
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 195
    ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover, the WAN's IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 196
    ProSafe VPN Firewall 200 FVX538 Reference Manual Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall's dual WAN port depends on the configuration
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 197
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure B-7 • Load Balancing Case for Dual Gateway WAN Ports Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 198
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 199
    IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel. VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall, the remote
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 200
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure B-12 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional. VPN Gateway-to-
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 201
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure B-13 The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional. VPN Gateway-to-Gateway:
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 202
    ProSafe VPN Firewall 200 FVX538 Reference Manual The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 203
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 204
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 205
    this case is to toggle the domain name of the gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel. Network Planning for Dual WAN Ports v1.0, March 2009 B-19
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 206
    Load Balancing In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 207
    destined. Destination port. Incoming interface for packet. Outgoing interface for packet. Protocol used. Packet coming from the system only. Source port Source IP Address of machine from where the packet is coming. Protocol type System Log Messages This section describes log messages that belong
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 208
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-2. System Logs: System Startup Message Explanation Recommended Action Jan 1 15:22:28 [FVX538] [ledTog] [SYSTEM START-UP] System Started Log generated when the system is started. None Reboot This section describes log messages generated
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 209
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-4. System Logs: NTP (continued) Explanation Recommended Action Message1: DNS resolution for the NTP server (time-f.netgear.com) Message2: request for NTP update from the time server. Message3: Adjust time by re-setting system time. Message4
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 210
    ProSafe VPN Firewall 200 FVX538 Reference Manual IPSec Restart This logging is always done. Table C-7. System Logs: IPSec Restart Message Explanation Recommended Action Jan 23 16:20:44 [FVX538] [wand] [IPSEC] IPSEC Restarted Log generated when the IPSEC is restarted. This log is logged when
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 211
    ProSafe VPN Firewall 200 FVX538 Reference Manual Auto Rollover When the WAN mode is configured for Auto Rollover, the primary link is active and secondary acts only as a backup. When the primary link goes down, the secondary link becomes active
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 212
    ProSafe VPN Firewall 200 FVX538 Reference Manual PPP Logs This section describes the WAN PPP connection logs. The PPP type can be configured from the web management. PPPoE Idle-Timeout Logs. Table C-9. System Logs: WAN Status, PPE, PPPoE Idle-Timeout Message Explanation Recommended Action Nov 29
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 213
    ProSafe VPN Firewall 200 FVX538 Reference Manual PPTP Idle-Timeout Logs. Table C-10. System Logs: WAN Status, PPE, PPTP Idle-Timeout Message Explanation Nov 29 11:19:02 [FVX538] [pppd] Starting connection Nov 29 11:19:05 [FVX538] [pppd] CHAP authentication succeeded Nov 29 11:19:05 [FVX538] [pppd
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 214
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-12. System Logs: Web Filtering and Content Filtering Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Jan 23 16:36:35 [FVX538] [
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 215
    ProSafe VPN Firewall 200 FVX538 Reference Manual Traffic Metering Logs Table C-13. System Logs: Traffic Metering Message Explanation Recommended Action Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._ Traffic limit to WAN1 that was set as 10Mb has been
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 216
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-16. System Logs: Multicast/Broadcast (continued) Explanation Recommended Action • This packet (Broadcast) is destined to the device from the WAN network. • For other parameters, refer to Table C-1. None FTP Logging Table C-17. System Logs
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 217
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs command to enable dropping and logging of the invalid packets: fw/rules/attackChecks/configure dropInvalid 1 To allow invalid packets and disable logging: fw/rules/attackChecks/configure dropInvalid 0 2007 Oct 1 00:44:17 [FVX538
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 218
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs: Invalid Packets (continued) Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action 1. Invalid packets
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 219
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs: Invalid Packets (continued) Message Explanation Recommended Action Message Explanation Recommended Action 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 220
    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN to DMZ Logs Table C-20. Routing Logs: LAN to DMZ Message Explanation Recommended Action Nov 29 09:44:06 [FVX538] [kernel] LAN2DMZ[ACCEPT] IN=LAN OUT=DMZ SRC=192.168.10.10 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0 • This packet from LAN to DMZ
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 221
    ProSafe VPN Firewall 200 FVX538 Reference Manual WAN to DMZ Logs Table C-24. Routing Logs: WAN to DMZ Message Explanation Recommended Action Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0 • This packet from WAN to DMZ
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 222
    ProSafe VPN Firewall 200 FVX538 Reference Manual C-16 v1.0, March 2009 System Logs and Error Messages
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 223
    complete understanding of the technologies used in your NETGEAR product. Document Link Internet Networking and TCP/IP http://documentation.netgear.com/reference/enu/tcpip/index.htm Addressing: Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 224
    ProSafe VPN Firewall 200 FVX538 Reference Manual D-2 Related Documents v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 225
    networks. As part of the new maintenance firmware release, NETGEAR has implemented a more robust authentication system known as Two-Factor Authentication (2FA or T-FA) on its SSL and IPSec VPN firewall product line to help address the fast-growing network security issues. What are the benefits of Two
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 226
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual • Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall by implementing multiple factors to the authentication process that challenge and confirm the users' identities
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 227
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual The WiKID solution is based on a request-response architecture where a one-time passcode (OTP), that is time synchronized with the authentication server, is generated and sent to the user once the validity of a
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 228
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 2. A one-time passcode (something they have) is generated for this user. is expired, the user will need to go through the request process again to generate a new OTP. E-4 Two Factor Authentication v1.3, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 229
    Firewall with SSL & IPsec VPN FVS336G Reference Manual 3. The user then goes to the two factor login page and enters the generated one-time passcode as the login password. Figure E-3 Two-Factor Authentication is a new and easy way to enhance networking security products without having to replace
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 230
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual E-6 Two Factor Authentication v1.3, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 231
    2-2 Auto Uplink 1-3 Auto-Rollover configuration of 2-9 definition of 2-8 Dual WAN ports 5-1 restoring WAN interface 2-11 use with DDNS 2-15 Using WAN port 2-10 B Back up settings 6-16 backup and restore settings 6-16 bandwidth capacity 6-1 LAN side 6-1 Load balancing mode 6-1 Rollover mode 6-1 WAN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 232
    4-26 D Date setting 6-19 date troubleshooting 7-7 Daylight Savings Time adjusting for 6-19 DDNS about 2-14 configuration of 2-15 links to 2-16 services, examples 2-16 DDNS providers links to 2-16 Dead Peer Detection 5-17 default configuration restoring 7-7 default IP Address 1-9 default password
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 233
    ProSafe VPN Firewall 200 FVX538 Reference Manual Domain Name Servers. See DNS. DoS about protection 1-2 Dual WAN configuration of 2-8 Dual WAN Port inbound traffic B-8 load balancing, inbound traffic B-9 Dual WAN Port systems VPN Tunnel addresses 5-2 Dual WAN Ports features of 1-2 network planning
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 234
    ProSafe VPN Firewall 200 FVX538 Reference Manual H hardware requirements B-3 Hosting A Local Public Web Server example of 4-20 hosts, managing 3-6 I IGP 3-14 IKE Policies management of 5-15 IKE Policy about 5-15 ModeConfig, configuring with 5-31 XAUTH, adding to 5-24 Inbound Rules default
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 235
    bindings 2-12 Load balancing mode bandwidth capacity 6-1 Log Entry Descriptions C-1 logging in default login 2-1 M MAC Address format of 4-32 ProSafe VPN Firewall 200 FVX538 Reference Manual MAC address 7-6 configuring 2-3, 2-4 format of 2-18 spoofing 7-5 MAC addresses blocked, adding 4-32
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 236
    ProSafe VPN Firewall 200 FVX538 Reference Manual troubleshooting 7-7 NTP Servers custom 6-20 default 6-19 NTP servers setting 6-19 O Oray.net 2-14 Outbound Rules default definition 4-2 field descriptions 4-3 order of precedence 4-9 service blocking 4-2 outbound rules 4-3 Outbound Service Rule
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 237
    3-14 static routes, use with 3-13 versions of 3-15 RIP Configuration screen 3-14 Rollover mode bandwidth capacity 6-1 router upgrade software 6-19 router administration tips on 4-43 router broadcast RIP, use with 3-14 Router Status 2-9 ProSafe VPN Firewall 200 FVX538 Reference Manual Router Status
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 238
    ProSafe VPN Firewall 200 FVX538 Reference Manual Settings Backup & Upgrade screen 6-15 Settings Backup and Firmware Upgrade 6-16 Simple Network Management Protocol. See SNMP. Single WAN Port inbound traffic B-8 sniffer 7-3 SNMP about 6-14 configuring 6-14 global access 6-14 host only access 6-14
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 239
    18 Manual 5-17 VPN Tunnel addresses Dual WAN Port systems 5-2 VPN Tunnel Connection monitoring status 6-27 VPN Tunnels increasing traffic 6-7 L2TP 4-17 VPN tunnels IPsec 4-17 load balancing mode 5-2 PPTP 4-17 rollover mode 5-2 VPN Wizard Gateway tunnel 5-3 VPN Client, configuring 5-6 VPNC 5-3 VPNs
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 240
    Meter 2-6 WAN2 ISP settings 2-4 WAN2 ISP Settings manual setup 2-6 WAN2 Protocol Bindings 2-13 WAN2 Protocol Bindings screen. 2-13 WAN2 Traffic Meter 2-7 Web Components 4-29 blocking 4-30 filtering, about 4-29 Web configuration troubleshooting 7-2 WiKID 6-11 WinPoET 2-5 X XAUTH IPSec Host 5-24

ProSafe VPN Firewall 200 FVX538 Reference Manual
NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134 USA
March 2009, 202-10062-09, v1.0