Home » Netgear Manuals » Bridges & Routers » Netgear FVS336G » Manual Viewer

Netgear FVS336G FVS336G Reference Manual - Page 77

Outbound Rules Example, Adding Customized Services, LAN WAN Inbound Rule: Specifying an Exposed Host

UPC - 606449052015

Add to My Manuals
Save this manual to your list of manuals

Page 77 highlights

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear. LAN WAN Inbound Rule: Specifying an Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. To expose one of the PCs on your LAN as this host: 1. Create an inbound rule that allows all protocols. 2. Place the new rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer on your LAN is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network. Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other non-essential services. LAN WAN Outbound Rule: Blocking Instant Messenger To block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period. Adding Customized Services Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request. The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, "Assigned Numbers." Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application. Firewall Protection and Content Filtering v1.2, June 2008 4-15

Section	Page
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual	1
Contents	7
About This Manual	13
Conventions, Formats, and Scope	13
How to Use This Manual	14
How to Print this Manual	14
Revision History	15
Chapter 1 Introduction	17
Key Features	17
Dual WAN Ports for Increased Reliability or Outbound Load Balancing	18
Advanced VPN Support for Both IPsec and SSL	18
A Powerful, True Firewall with Content Filtering	19
Autosensing Ethernet Connections with Auto Uplink	19
Extensive Protocol Support	20
Easy Installation and Management	20
Maintenance and Support	21
Package Contents	21
Front Panel Features	22
Rear Panel Features	23
Default IP Address, Login Name, and Password Location	24
Qualified Web Browsers	24
Chapter 2 Connecting the FVS336G to the Internet	27
Understanding the Connection Steps	27
Logging into the VPN Firewall Router	28
Navigating the Menus	30
Configuring the Internet Connections	30
Automatically Detecting and Connecting	30
Manually Configuring the Internet Connection	34
Configuring the WAN Mode (Required for Dual WAN)	37
Network Address Translation	38
Classical Routing	38
Configuring Auto-Rollover Mode	39
Configuring Load Balancing	41
Configuring Dynamic DNS (Optional)	43
Configuring the Advanced WAN Options (Optional)	45
Additional WAN Related Configuration	47
Chapter 3 LAN Configuration	49
Using the VPN Firewall as a DHCP server	49
Configuring the LAN Setup Options	50
Managing Groups and Hosts (LAN Groups)	53
Viewing the LAN Groups Database	54
Changing Group Names in the LAN Groups Database	55
Configuring DHCP Address Reservation	56
Configuring Multi Home LAN IP Addresses	57
Configuring Static Routes	58
Configuring Static Routes	58
Configuring Routing Information Protocol (RIP)	60
Chapter 4 Firewall Protection and Content Filtering	63
About Firewall Protection and Content Filtering	63
Using Rules to Block or Allow Specific Kinds of Traffic	64
About Services-Based Rules	65
Viewing the Rules	69
Order of Precedence for Rules	70
Setting the Default Outbound Policy	70
Creating a LAN WAN Outbound Services Rule	71
Creating a LAN WAN Inbound Services Rule	72
Inbound Rules Examples	74
Outbound Rules Example	77
Adding Customized Services	77
Setting Quality of Service (QoS) Priorities	79
Attack Checks	80
Blocking Internet Sites (Content Filtering)	82
Configuring Source MAC Filtering	86
Configuring IP/MAC Address Binding Alerts	88
Configuring Port Triggering	89
Setting a Schedule to Block or Allow Specific Traffic	91
Configuring a Bandwidth Profile	92
Configuring Session Limits	94
E-Mail Notifications of Event Logs and Alerts	95
Administrator Tips	95
Chapter 5 Virtual Private Networking Using IPsec	97
Considerations for Dual WAN Port Systems	97
Configuring an IPsec VPN Connection using the VPN Wizard	100
Creating a VPN Tunnel to a Gateway	100
Creating a VPN Tunnel Connection to a VPN Client	104
Managing VPN Tunnel Policies	109
About IKE	109
Managing IKE Policies	109
About the IKE Policy Table	110
VPN Policy	110
VPN Tunnel Connection Status	112
Creating a VPN Client Connection: VPN Client to FVS336G	112
Configuring the FVS336G	113
Configuring the VPN Client	113
Testing the Connection	115
Configuring Extended Authentication (XAUTH)	115
Configuring XAUTH for VPN Clients	116
User Database Configuration	117
RADIUS Client Configuration	117
Manually Assigning IP Addresses to Remote Users (ModeConfig)	119
Mode Config Operation	119
Configuring the VPN Firewall	120
Configuring the ProSafe VPN Client for ModeConfig	123
Configuring Keepalives and Dead Peer Detection	125
Configuring Keepalive	125
Configuring NetBIOS Bridging with VPN	127
Chapter 6 Virtual Private Networking Using SSL Connections	129
Understanding the Portal Options	129
Planning for SSL VPN	130
Creating the Portal Layout	131
Configuring Domains, Groups, and Users	135
Configuring Applications for Port Forwarding	135
Adding Servers	136
Adding A New Host Name	137
Configuring the SSL VPN Client	138
Configuring the Client IP Address Range	139
Adding Routes for VPN Tunnel Clients	140
Replacing and Deleting Client Routes	140
Using Network Resource Objects to Simplify Policies	141
Adding New Network Resources	141
Configuring User, Group, and Global Policies	143
Viewing Policies	144
Adding a Policy	145
Chapter 7 Managing Users, Authentication, and Certificates	149
Adding Authentication Domains, Groups, and Users	149
Creating a Domain	149
Creating a Group	151
Creating a New User Account	152
Setting User Login Policies	154
Managing Certificates	156
Viewing and Loading CA Certificates	157
Viewing Active Self Certificates	158
Obtaining a Self Certificate from a Certificate Authority	159
Managing your Certificate Revocation List (CRL)	162
Chapter 8 Router and Network Management	165
Performance Management	165
Bandwidth Capacity	165
Features That Reduce Traffic	166
Features That Increase Traffic	169
Using QoS to Shift the Traffic Mix	172
Tools for Traffic Management	172
Changing Passwords and Administrator Settings	172
Enabling Remote Management Access	174
Using the Command Line Interface	176
Using an SNMP Manager	177
Configuration File Management	179
Upgrading the Firmware	181
Configuring Date and Time Service	182
Chapter 9 Monitoring System Performance	185
Enabling the Traffic Meter	185
Activating Notification of Events and Alerts	188
Viewing Firewall Logs	190
Viewing Router Configuration and System Status	191
Monitoring the Status of WAN Ports	193
Monitoring Attached Devices	194
Reviewing the DHCP Log	196
Monitoring Active Users	196
Viewing Port Triggering Status	197
Monitoring VPN Tunnel Connection Status	198
Reviewing the VPN Logs	199
Chapter 10 Troubleshooting	201
Basic Functions	201
Power LED Not On	202
LEDs Never Turn Off	202
LAN or WAN Port LEDs Not On	202
Troubleshooting the Web Configuration Interface	203
Troubleshooting the ISP Connection	204
Troubleshooting a TCP/IP Network Using a Ping Utility	205
Testing the LAN Path to Your VPN Firewall	205
Testing the Path from Your PC to a Remote Device	206
Restoring the Default Configuration and Password	207
Problems with Date and Time	207
Using the Diagnostics Utilities	208
Appendix A Default Settings and Technical Specifications	211
Appendix B Related Documents	215
Appendix C Network Planning for Dual WAN Ports	217
What You Will Need to Do Before You Begin	217
Cabling and Computer Hardware Requirements	219
Computer Network Configuration Requirements	219
Internet Configuration Requirements	220
Where Do I Get the Internet Configuration Parameters?	220
Internet Connection Information Form	221
Overview of the Planning Process	222
Inbound Traffic	222
Virtual Private Networks (VPNs)	222
The Roll-over Case for Firewalls With Dual WAN Ports	223
The Load Balancing Case for Firewalls With Dual WAN Ports	223
Inbound Traffic	224
Inbound Traffic to Single WAN Port (Reference Case)	224
Inbound Traffic to Dual WAN Port Systems	224
Virtual Private Networks (VPNs)	226
VPN Road Warrior (Client-to-Gateway)	227
VPN Gateway-to-Gateway	230
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	233

Match case Limit results 1 per page

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual

Firewall Protection and Content Filtering

4-15

v1.2, June 2008

To test the connection from a PC on the WAN side, type

http://10.1.0.5.

The home page of the

Web server should appear.

LAN WAN Inbound Rule: Specifying an Exposed Host

Specifying an exposed host allows you to set up a computer or server that is available to anyone on

the Internet for services that you have not yet defined.

To expose one of the PCs on your LAN as this host:

Create an inbound rule that allows all protocols.

Place the new rule

below

all other inbound rules.

Outbound Rules Example

Outbound rules let you prevent users from using applications such as Instant Messenger, Real

Audio, or other non-essential services.

LAN WAN Outbound Rule: Blocking Instant Messenger

To block Instant Messenger usage by employees during working hours, you can create an

outbound rule to block that application from any internal IP address to any external address

according to the schedule that you have created in the Schedule menu. You can also have the

firewall log any attempt to use Instant Messenger during that blocked period.

Adding Customized Services

Services are functions performed by server computers at the request of client computers. For

example, Web servers serve Web pages, time servers serve time and date information, and game

hosts serve data about other players’ moves. When a computer on the Internet sends a request for

service to a server computer, the requested service is identified by a service or port number. This

number appears as the destination port number in the transmitted IP packets. For example, a packet

that is sent with destination port number 80 is an HTTP (Web server) request.

The service numbers for many common protocols are defined by the Internet Engineering Task

Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other

applications are typically chosen from the range 1024 to 65535 by the authors of the application.

Note:

For security, NETGEAR strongly recommends that you avoid creating an exposed

host. When a computer on your LAN is designated as the exposed host, it loses

much of the protection of the firewall and is exposed to many exploits from the

Internet. If compromised, the computer can be used to attack your network.