Netgear FVS338 Reference Manual

Netgear FVS338 - ProSafe VPN Firewall 50 Router Manual

Netgear FVS338 manual content summary:

  • Netgear FVS338 | FVS338 Reference Manual - Page 1
    FVS338 ProSafe VPN Firewall 50 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive Santa Clara, CA 95134 USA March 2009 202-10046-08 v1.0
  • Netgear FVS338 | FVS338 Reference Manual - Page 2
    NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR by one or more testing to the following standards: EN55022 Class B, EN55024 and EN60950-1. Certificate of the Manufacturer/Importer It is hereby certified that the ProSafe VPN Firewall 50
  • Netgear FVS338 | FVS338 Reference Manual - Page 3
    has been granted the right to test the series for compliance with the become the cause of radio interference. Read instructions for correct handling. Additional Copyrights AES Copyright products derived from this software without his specific prior written permission. This software is provided 'as
  • Netgear FVS338 | FVS338 Reference Manual - Page 4
    SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved use of this software must display the following acknowledgment: "This product includes software developed by the CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
  • Netgear FVS338 | FVS338 Reference Manual - Page 5
    rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided
  • Netgear FVS338 | FVS338 Reference Manual - Page 6
    Product and Publication Details. Model Number: FVS338; Publication Date: March 2009; Product Family: VPN firewall; Product Name: ProSafe VPN Firewall 50; Home or Business Product: Business; Language: English; Publication Part Number: 202-10046-08; Publication Version Number: 1.0
  • Netgear FVS338 | FVS338 Reference Manual - Page 7
    in to the VPN Firewall 2-1 Configuring your Internet Connection 2-2 Broadband ISP Settings 2-2 Dialup ISP Serial WAN port Settings 2-4 Setting the Router's MAC Address (Advanced Options 2-6 To Change the Router Default MAC Address 2-6 To Change the MTU Value for Your Dialup Modem 2-7 Manually
  • Netgear FVS338 | FVS338 Reference Manual - Page 8
    Specific Kinds of Traffic 4-2 Services-Based Rules 4-2 Order of Precedence for Firewall Rules 4-6 Setting LAN WAN Rules 4-7 LAN WAN Outbound Services Rules 4-8 LAN WAN Inbound Services Rules 4-9 Attack Checks ...4-10 Session Limit ...4-12 Inbound Rules Examples 4-13 Hosting A Local Public
  • Netgear FVS338 | FVS338 Reference Manual - Page 9
    Configure the Gateway for a Client Tunnel 5-6 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection 5-7 Testing the Connections and Viewing Status Information 5-11 NETGEAR VPN Client Status and Log Information 5-11 FVS338 VPN Connection Status and Logs 5-13 IKE Policies
  • Netgear FVS338 | FVS338 Reference Manual - Page 10
    6-1 Service Blocking 6-1 Block Sites ...6-3 Source MAC Filtering 6-4 VPN Firewall Features That Increase Traffic 6-4 Port Forwarding 6-4 Port Triggering 6-6 VPN Tunnels ...6-6 Using QoS to Shift the Traffic Mix 6-6 Tools for Traffic Management 6-7 Administration ...6-7 Changing Passwords and
  • Netgear FVS338 | FVS338 Reference Manual - Page 11
    the Default Configuration and Password 7-7 Problems with Date and Time 7-7 Appendix A Default Settings and Technical Specifications Appendix B System Logs and Error Messages System Log Messages B-1 System Startup ...B-1 Reboot ...B-2 NTP ...B-2 Login/Logout ...B-3 Firewall Restart ...B-3 IPSec
  • Netgear FVS338 | FVS338 Reference Manual - Page 12
    LAN to WAN Logs B-14 WAN to LAN Logs B-14 Appendix C Related Documents Appendix D Two Factor Authentication Why do I need Two-Factor Authentication D-1 What are the benefits of Two-Factor Authentication D-1 What is Two-Factor Authentication D-2 NETGEAR Two-Factor Authentication Solutions D-2
  • Netgear FVS338 | FVS338 Reference Manual - Page 13
    About This Manual The NETGEAR® ProSafe™ VPN Firewall 50 FVS338 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope
  • Netgear FVS338 | FVS338 Reference Manual - Page 14
    and topics for the March 2009 firmware maintenance release: • WIKID 2 factor authentication • SIP ALG support • DHCP Relay support • Update VPN configuration procedure topics • Update the Certificate management topic • Correct the firewall scheduling topic
  • Netgear FVS338 | FVS338 Reference Manual - Page 15
    • "Factory Default Login" on page 1-9 Key Features The VPN firewall provides the following features: • One 10/100 Mbps port for an Ethernet connection to a broadband WAN device, such as a cable modem or DSL modem, and one serial port for a dial-up modem connection to the Internet through the public
  • Netgear FVS338 | FVS338 Reference Manual - Page 16
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Built in 8-port 10/100 Mbps switch. • Extensive Protocol Support. • Login capability. • SNMP for manageability. • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. Full Routing on Both the Broadband and
  • Netgear FVS338 | FVS338 Reference Manual - Page 17
    to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports. • Exposed Host (Software DMZ). Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local
  • Netgear FVS338 | FVS338 Reference Manual - Page 18
    securely login to the Web Management Interface from a remote location on the Internet. For additional security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. • Visual monitoring. The VPN firewall's front
  • Netgear FVS338 | FVS338 Reference Manual - Page 19
    Maintenance and Support NETGEAR offers the following features to help you maximize your use of the VPN firewall: • Flash memory for firmware upgrade • Free technical support seven days a week, twenty-four hours a day
  • Netgear FVS338 | FVS338 Reference Manual - Page 20
    including instructions for installing the FVS338 using the rack mounting hardware. Router Front Panel The ProSafe VPN Firewall 50 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. Power LED Figure 1-1 Test Modem Internet LED LED LEDs Local
  • Netgear FVS338 | FVS338 Reference Manual - Page 21
    not supplied to the router. Test mode: The system is initializing or the initialization has failed. Writing to Flash memory (during upgrading or resetting to defaults). The system has booted successfully. The serial port has successfully connected to an ISP and received an IP Address. Server data is
  • Netgear FVS338 | FVS338 Reference Manual - Page 22
    the ProSafe VPN Firewall 50 (Figure 1-2) contains the On/Off switch and AC power connection. Figure 1-2 Viewed from left to right, the rear panel contains the following elements: • Modem port - serves as the WAN2 Internet port through the public switched telephone network (PSTN). • Factory Defaults
  • Netgear FVS338 | FVS338 Reference Manual - Page 23
    Factory Default Login Check the label on the bottom of the FVS338's enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN • User name: admin • Password: password
  • Netgear FVS338 | FVS338 Reference Manual - Page 25
    computer needs to be configured to obtain an IP address automatically via DHCP. To log in to the VPN firewall: Step 1. Open an Internet Explorer, Netscape® Navigator, or Firefox browser. In the browser window, enter http://192.168.1.1 in the address field. The FVS338 login screen will display. Figure
  • Netgear FVS338 | FVS338 Reference Manual - Page 26
    Login. The Broadband ISP Settings screen will display. Note: See "Enabling Remote Management Access" on page 6-10 for more information on Remote management enable. If you enable remote management, change your password to a more secure one than the standard factory default (see "Changing Passwords
  • Netgear FVS338 | FVS338 Reference Manual - Page 27
    methods. Connection Method and Data Required: PPPoE: Login (Username, Password). PPTP: Login (Username, Password), Local IP, and PPTP Server IP. BigPond Cable: Login (Username, Password), Account Name, and Server IP. DHCP (Dynamic IP): No data is required. Fixed IP: IP address and related data supplied
  • Netgear FVS338 | FVS338 Reference Manual - Page 28
    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. Set up the traffic meter for ISP1 if desired. See "Programming the Traffic Meter (if Desired)" on page 2-11. Note: At this point in the configuration process, you are now connected to the Internet through the broadband Ethernet WAN. Optionally, you
  • Netgear FVS338 | FVS338 Reference Manual - Page 29
    the IP address automatically when connecting. a. The default setting of Get Dynamically from ISP will configure the router to accept the ISP assigned IP address. b. If your ISP has assigned a static IP address, select the Use Static IP Address radio box and enter the IP address in the IP Address
  • Netgear FVS338 | FVS338 Reference Manual - Page 30
    FVS338 ProSafe VPN Firewall 50 Reference Manual c. Dial-up Type: Check the Tone radio box if your phone line supports touch tone dialing; select Pulse for pulse mode dialing. Select Other - use Dial String to configure additional options such as Auto-Answer, etc. (consult your modem manual for dial
  • Netgear FVS338 | FVS338 Reference Manual - Page 31
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Port Speed. In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port
  • Netgear FVS338 | FVS338 Reference Manual - Page 32
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 2-6 Manually Configuring Your Internet Connection If you know your Broadband ISP connection type, you can bypass the Auto Detect feature and connect your router manually. Ensure that you have all of the relevant connection information such as
  • Netgear FVS338 | FVS338 Reference Manual - Page 33
    Figure 2-7 Manually Configure WAN1 ISP Settings: Step 1. Does your Internet connection require a login? If you need to enter login What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the
  • Netgear FVS338 | FVS338 Reference Manual - Page 34
    FVS338 ProSafe VPN Firewall 50 Reference Manual - My IP Address: IP address assigned by the ISP to make the connection with the ISP server. - Server IP Address: IP address of the PPTP server. • Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then your connection
  • Netgear FVS338 | FVS338 Reference Manual - Page 35
    Programming the Traffic Meter (if Desired) The traffic meter is useful when an ISP charges by traffic volume over a given period of time or if you want to look at traffic types over a period of time. To Enable the Traffic Meter Step 1. From the primary
  • Netgear FVS338 | FVS338 Reference Manual - Page 36
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 2-2. Traffic Meter Settings Parameter Description Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the Router's Broadband or Dialup port. Broadband or Dialup can be selected by clicking the
  • Netgear FVS338 | FVS338 Reference Manual - Page 37
    FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring the WAN Mode The WAN Mode screen allows you to configure how your router uses your external Internet connections; for example, your WAN port or dialup modem connections. • NAT. NAT is the technology which allows all PCs on your LAN to share
  • Netgear FVS338 | FVS338 Reference Manual - Page 38
    FVS338 ProSafe VPN Firewall 50 Reference Manual • If you have both ISP links connected for Internet connectivity, check the Primary Broadband with Dialup as backup for auto-rollover. 4. The WAN Failure Detection Method must be configured to notify the router of a link failure if you are using Dialup
  • Netgear FVS338 | FVS338 Reference Manual - Page 39
    FVS338 ProSafe VPN Firewall 50 Reference Manual This router firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. After you have configured your account information in the
  • Netgear FVS338 | FVS338 Reference Manual - Page 40
    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is near the top right of the window opposite to the DDNS service provider tabs. The link is encircled with a dashed line in Figure 2-9. 4.
  • Netgear FVS338 | FVS338 Reference Manual - Page 41
    Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50, including the following sections: • "Choosing the Firewall DHCP Options" on page 3-1 • "Managing Groups and Hosts" on page 3-6 • "Configuring Static Routes" on page 3-10 Choosing the Firewall DHCP Options By default
  • Netgear FVS338 | FVS338 Reference Manual - Page 42
    over routers that do not support forwarding of these types of messages. The DHCP Relay Agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, or which is not located on the local subnet. If you have no configured DHCP Relay
  • Netgear FVS338 | FVS338 Reference Manual - Page 43
    ProSafe VPN Firewall 50 Reference Manual 1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1 2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ
  • Netgear FVS338 | FVS338 Reference Manual - Page 44
    FVS338 ProSafe VPN Firewall 50 Reference Manual b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192
  • Netgear FVS338 | FVS338 Reference Manual - Page 45
    servers (as configured in the WAN settings page). - When disabled, all DHCP clients will receive the DNS IP addresses of the ISP. 5. Click Apply to save your settings. 6. Click Reset to discard any changes and revert to the previous configuration. Note: Once you have completed the LAN IP setup, all
  • Netgear FVS338 | FVS338 Reference Manual - Page 46
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Subnet Mask: IPv4 Subnet Mask. • Action/Edit: Click to make changes to the selected entry. • Select All: Selects all the entries in the Available Secondary LAN IPs table. • Delete: Deletes selected entries from the Available Secondary LAN IPs table.
  • Netgear FVS338 | FVS338 Reference Manual - Page 47
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Scanning the Network. The router will scan the local network periodically, using standard methods such as ARP and NetBIOS, to detect active computers or devices which are not DHCP clients. For computers that do not support the NetBIOS protocol, the
  • Netgear FVS338 | FVS338 Reference Manual - Page 48
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 3-3 The Network Database is created by: • Using the DHCP Server: The router's DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to
  • Netgear FVS338 | FVS338 Reference Manual - Page 49
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Name: The name of the computer or device. Computers that do not support the NetBIOS protocol will be listed as Unknown. In this case, the name can be edited manually for easier management. If the computer was assigned an IP address by the DHCP server
  • Netgear FVS338 | FVS338 Reference Manual - Page 50
    FVS338 ProSafe VPN Firewall 50 Reference Manual Setting Up Address Reservation When you specify a reserved IP address for a device on the LAN (based on the MAC address of the device), that computer or device will always receive the same IP address each time it accesses the firewall's DHCP server.
  • Netgear FVS338 | FVS338 Reference Manual - Page 51
    FVS338 ProSafe VPN Firewall 50 Reference Manual 5. Type the Destination IP Address or network of the route's final destination. 6. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255. Figure 3-4 7. From the Interface pull-down menu, selection
  • Netgear FVS338 | FVS338 Reference Manual - Page 52
    specify that this static route applies to all 134.177.x.x addresses. • The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192.168.1.100. • A Metric value of 1 will work since the ISDN firewall is on the LAN. • Private is selected
  • Netgear FVS338 | FVS338 Reference Manual - Page 53
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 3-5 To enable RIP: 1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display. 2. Click the RIP Configuration link. The RIP Configuration screen will display. 3. From the RIP Direction pull-
  • Netgear FVS338 | FVS338 Reference Manual - Page 54
    FVS338 ProSafe VPN Firewall 50 Reference Manual • None - the router neither broadcasts its route table nor does it accept any RIP packets from other routers. This effectively disables RIP. 4. Select the RIP Version from the pull-down menu: • RIP-1 - classful routing and does not include subnet
  • Netgear FVS338 | FVS338 Reference Manual - Page 55
    Quality of Service (QoS) Priorities" on page 4-19 • "Setting a Schedule to Block or Allow Specific Traffic" on page 4-20 • "Setting Block Sites (Content Filtering)" on page 4-20 • "Enabling Source MAC Filtering" on page 4-23 • "Setting Up Port Triggering" on page 4-26 • "Bandwidth Limiting" on page
  • Netgear FVS338 | FVS338 Reference Manual - Page 56
    FVS338 ProSafe VPN Firewall 50 Reference Manual Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the FVS338. Inbound rules (WAN to LAN) restrict access
  • Netgear FVS338 | FVS338 Reference Manual - Page 57
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4-1. Outbound Rules Fields Item Services Action Select Schedule LAN users WAN Users Description Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must
  • Netgear FVS338 | FVS338 Reference Manual - Page 58
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4-1. Outbound Rules Fields (continued) Item QoS Priority Log Description This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. By default, the
  • Netgear FVS338 | FVS338 Reference Manual - Page 59
    address of the WAN1 or WAN2 ports or another public IP address. This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change
  • Netgear FVS338 | FVS338 Reference Manual - Page 60
    FVS338 ProSafe VPN Firewall 50 Reference Manual Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at
  • Netgear FVS338 | FVS338 Reference Manual - Page 61
    Setting LAN WAN Rules The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the LAN to the Internet (Outbound) or
  • Netgear FVS338 | FVS338 Reference Manual - Page 62
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Up - to move the rule up one position in the table rank. • Down - to move the rule down one position in the table rank. 2. Check the radio box adjacent to the rule and click: • Click Disable to disable the rule. The "!" Status icon will change from
  • Netgear FVS338 | FVS338 Reference Manual - Page 63
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 4-3 LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. WAN Users: Whether all
  • Netgear FVS338 | FVS338 Reference Manual - Page 64
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-4 Attack Checks This screen allows you to specify whether or not the router should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below: •
  • Netgear FVS338 | FVS338 Reference Manual - Page 65
    FVS338 ProSafe VPN Firewall 50 Reference Manual When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not
  • Netgear FVS338 | FVS338 Reference Manual - Page 66
    FVS338 ProSafe VPN Firewall 50 Reference Manual Session Limit Session Limit allows you to specify the total number of sessions per user over an IP (Internet Protocol) connection allowed across the router. This feature can be enabled on the Session Limit screen and is shown below (Session Limit is
  • Netgear FVS338 | FVS338 Reference Manual - Page 67
    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. In the Session Timeout section, modify TCP, UDP, and ICMP timeouts as required. A session will time out if it does not receive any data for the duration of the specified timeout. The default values are 1200 seconds for TCP, 180 seconds for UDP, and
  • Netgear FVS338 | FVS338 Reference Manual - Page 68
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-8 Setting Up One-to-One NAT Mapping In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address
  • Netgear FVS338 | FVS338 Reference Manual - Page 69
    ProSafe VPN Firewall 50 Reference Manual 8. Click Apply. The rule will display in the Inbound Services table shown in Figure 4-10. Figure 4-9 Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-10). This rule is different from a normal inbound port forwarding
  • Netgear FVS338 | FVS338 Reference Manual - Page 70
    FVS338 ProSafe VPN Firewall 50 Reference Manual 1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses
  • Netgear FVS338 | FVS338 Reference Manual - Page 71
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 4-12 Adding Customized Services Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services. For example, Web servers serve Web pages, time servers serve time and date
  • Netgear FVS338 | FVS338 Reference Manual - Page 72
    To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you
  • Netgear FVS338 | FVS338 Reference Manual - Page 73
    FVS338 ProSafe VPN Firewall 50 Reference Manual Specifying Quality of Service (QoS) Priorities The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. The user can change
  • Netgear FVS338 | FVS338 Reference Manual - Page 74
    Setting a Schedule to Block or Allow Specific Traffic Schedules define the timeframes under which firewall rules may be applied. Figure 4-14 Three schedules, Schedule 1, Schedule 2 and Schedule 3, can be defined, and any one of these can be selected
  • Netgear FVS338 | FVS338 Reference Manual - Page 75
    FVS338 ProSafe VPN Firewall 50 Reference Manual Several types of blocking are available: • Web Components blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Even sites on the Trusted Domains list will be subject to Web Components blocking when the blocking
  • Netgear FVS338 | FVS338 Reference Manual - Page 76
    7. Click Reset to cancel your changes and revert to the previous settings. 8. Click Apply to save your settings. Figure 4-15
  • Netgear FVS338 | FVS338 Reference Manual - Page 77
    FVS338 ProSafe VPN Firewall 50 Reference Manual Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed
  • Netgear FVS338 | FVS338 Reference Manual - Page 78
    4. Click Add. The MAC Address will be added to the Available MAC Addresses to be Blocked table. (You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC Address.) 5. Click Reset to cancel a MAC address entry before adding
  • Netgear FVS338 | FVS338 Reference Manual - Page 79
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-17 The IP/MAC Binding Table lists the currently defined IP/MAC Bind rules: • Name: Displays the user-defined name for this rule. • MAC Addresses: Displays the MAC Addresses for this rule. • IP Addresses: Displays the IP Addresses for this
  • Netgear FVS338 | FVS338 Reference Manual - Page 80
    FVS338 ProSafe VPN Firewall 50 Reference Manual Setting Up Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers
  • Netgear FVS338 | FVS338 Reference Manual - Page 81
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. From the Enable pull-down menu, indicate if the rule is enabled or disabled. Figure 4-18 3. From the Protocol pull-down menu, select either TCP or UDP protocol. 4. In the Outgoing (Trigger) Port Range fields; a. Enter the Start Port range (1 -
  • Netgear FVS338 | FVS338 Reference Manual - Page 82
    FVS338 ProSafe VPN Firewall 50 Reference Manual b. Enter the End Port range (1 - 65534). 6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering
  • Netgear FVS338 | FVS338 Reference Manual - Page 83
    FVS338 ProSafe VPN Firewall 50 Reference Manual Example: When a new connection is established by a device, the device will locate the firewall rule corresponding to the following connections. • If the rule has a bandwidth profile specification, then the device will create a bandwidth class in the
  • Netgear FVS338 | FVS338 Reference Manual - Page 84
    FVS338 ProSafe VPN Firewall 50 Reference Manual d. Type: Specify the type of profile. e. Direction: Specify the direction for the profile. f. WAN: Specify the WAN interface (if in Load Balancing Mode) for the profile. 3. Click Apply to save your settings. Your new Bandwidth Profile will be added to
  • Netgear FVS338 | FVS338 Reference Manual - Page 85
    FVS338 ProSafe VPN Firewall 50 Reference Manual : Figure 4-21 To set up Firewall Logs and E-mail alerts: 1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display. 2. Enter the name of the log in the Log Identifier field
  • Netgear FVS338 | FVS338 Reference Manual - Page 86
    FVS338 ProSafe VPN Firewall 50 Reference Manual 5. In the System Logs section, check the radio box for the type of system events to be logged. 6. Check the Yes radio box to enable E-mail Logs. Then enter: a. E-mail Server address - Enter the outgoing E-mail SMTP mail server address of your ISP (for
  • Netgear FVS338 | FVS338 Reference Manual - Page 87
    of the initiating device, and whether it originated from the LAN, WAN or DMZ. The name or IP address of the destination device or Web site. The service port number of the destination device, and whether it's on the LAN, WAN or DMZ.
  • Netgear FVS338 | FVS338 Reference Manual - Page 88
    FVS338 ProSafe VPN Firewall 50 Reference Manual Administrator Information Consider the following operational items: 1. As an option, you can enable remote management if you have to manage distant sites from a central location (see "Enabling Remote Management Access" on page 6-10). 2. Although
  • Netgear FVS338 | FVS338 Reference Manual - Page 93
    the VPN Wizard for Client and Gateway Configurations" on page 5-2 • "Testing the Connections and Viewing Status Information" on page 5-11 • "IKE Policies" on page 5-14 • "VPN Policies" on page 5-16 • "Extended Authentication (XAUTH) Configuration" on page 5-18 • "Assigning IP Addresses to Remote
  • Netgear FVS338 | FVS338 Reference Manual - Page 94
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 5-1 summarizes the WAN addressing requirements for either dual WAN mode. Table 5-1. IP Addressing for VPNs in Dual WAN Port Systems Configuration WAN IP address Rollover Modea VPN Road Warrior (client-to-gateway) Fixed or DHCP VPN Gateway-
  • Netgear FVS338 | FVS338 Reference Manual - Page 95
    FVS338 ProSafe VPN Firewall 50 Reference Manual 1. Select VPN > IPsec VPN > VPN Wizard to display the VPN Wizard tab page. To view the wizard default settings, click the VPN Default values link. You can modify these settings after completing the wizard. • Gateway connection • Connection name • Pre-
  • Netgear FVS338 | FVS338 Reference Manual - Page 96
    FVS338 ProSafe VPN Firewall 50 Reference Manual • The remote WAN IP address must be a public address or the Internet name of the remote gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as registered in a Dynamic DNS service. Both local and remote endpoints should be defined as
  • Netgear FVS338 | FVS338 Reference Manual - Page 97
    FVS338 ProSafe VPN Firewall 50 Reference Manual The tunnel will automatically establish when both the local and target gateway policies are appropriately configured and enabled. Note: When using FQDN, if the dynamic DNS service is slow to update their servers when your DHCP WAN address changes, the
  • Netgear FVS338 | FVS338 Reference Manual - Page 98
    FVS338 ProSafe VPN Firewall 50 Reference Manual Use the VPN Wizard Configure the Gateway for a Client Tunnel 1. From the main menu, go to VPN > IPSec VPN > VPN Wizard. The VPN Wizard displays. • VPN Client connection • Connection name • Pre-shared key: r3m0+eC1ient • Remote identifier • Local
  • Netgear FVS338 | FVS338 Reference Manual - Page 99
    FVS338 ProSafe VPN Firewall 50 Reference Manual 6. Click Apply to save your settings: the VPN Policies page shows the policy is now enabled. Figure 5-8 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR Prosafe VPN Client installed, configure a
  • Netgear FVS338 | FVS338 Reference Manual - Page 100
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. In the upper left of the Policy Editor window, click the New Document icon (the first on the left) to open a New Connection. Give the New Connection a name; in this example, we are using
  • Netgear FVS338 | FVS338 Reference Manual - Page 101
    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. In the left frame, click My Identity. Fill in the options according to the instructions below. r3m0+eC1ient Figure 5-11 • From the Select Certificate pull-down menu, choose None. • Click Pre-Shared Key to enter the key you provided in the VPN Wizard
  • Netgear FVS338 | FVS338 Reference Manual - Page 102
    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. Verify the Security Policy settings; no changes are needed. Figure 5-12 • On the left, click Security Policy to view the settings: no changes are needed. • On the left, expand Authentication (Phase 1) and click Proposal 1: no changes are needed. •
  • Netgear FVS338 | FVS338 Reference Manual - Page 103
    FVS338 ProSafe VPN Firewall 50 Reference Manual Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the FVS338 provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a
  • Netgear FVS338 | FVS338 Reference Manual - Page 104
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-15 • Right-click the VPN Client icon in
  • Netgear FVS338 | FVS338 Reference Manual - Page 105
    FVS338 ProSafe VPN Firewall 50 Reference Manual The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2. System Tray Icon Status The client policy is deactivated. The client policy is deactivated but not connected. The client policy is
  • Netgear FVS338 | FVS338 Reference Manual - Page 106
    FVS338 ProSafe VPN Firewall 50 Reference Manual To view FVS338 VPN logs, go to Monitoring > VPNLogs. Figure 5-18 IKE Policies The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways, and provides automatic management of the Keys used in IPSec. It is important to
  • Netgear FVS338 | FVS338 Reference Manual - Page 107
    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. An IKE session is established, using the SA (Security Association) parameters specified in a matching IKE Policy: • Keys and other parameters are exchanged. • An IPsec SA (Security Association) is established, using the parameters in the VPN Policy.
  • Netgear FVS338 | FVS338 Reference Manual - Page 108
    FVS338 ProSafe VPN Firewall 50 Reference Manual To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix C, "Related Documents". VPN Policies You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only
  • Netgear FVS338 | FVS338 Reference Manual - Page 109
    . • Local. IP address (either a single address, range of address or subnet address) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (Subnet address is the default IP address when using the VPN Wizard). • Remote. IP address or address range of the remote
  • Netgear FVS338 | FVS338 Reference Manual - Page 110
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Endpoint. The IP address on the remote VPN Endpoint. • Tx (KBytes). The amount of data transmitted over this SA. • Tx (Packets). The number of packets transmitted over this SA. • State. The current state
  • Netgear FVS338 | FVS338 Reference Manual - Page 111
    ProSafe VPN Firewall 50 Reference Manual Configuring XAUTH for VPN Clients Once the XAUTH has been enabled, you must establish user accounts on the Local Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: If you are modifying an existing IKE
  • Netgear FVS338 | FVS338 Reference Manual - Page 112
    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. Click Apply to save your settings. Figure 5-19 User Database Configuration The User Database Screen is used to configure and administer VPN Client users for use by the XAUTH server. Whether or not you use an external RADIUS server, you may want to
  • Netgear FVS338 | FVS338 Reference Manual - Page 113
    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. Click Add. The User Name will be added to the Configured Hosts table. Figure 5-20 To edit the user name or password: 1. Click Edit opposite the user's name. The Edit User screen will display. 2. Make the required changes to the User Name or
  • Netgear FVS338 | FVS338 Reference Manual - Page 114
    FVS338 ProSafe VPN Firewall 50 Reference Manual password information. The gateway will try and verify this information first against a local User Database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. To configure the
  • Netgear FVS338 | FVS338 Reference Manual - Page 115
    , and then configured a PC running ProSafe VPN Client software using these IP addresses. • NETGEAR ProSafe VPN Firewall 50 - WAN IP address: 172.21.4.1 - LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2
  • Netgear FVS338 | FVS338 Reference Manual - Page 116
    FVS338 ProSafe VPN Firewall 50 Reference Manual ModeConfig Operation After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The ModeConfig module will allocate an IP address from
  • Netgear FVS338 | FVS338 Reference Manual - Page 117
    FVS338 ProSafe VPN Firewall 50 Reference Manual 9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES 10. Click Apply. The new
  • Netgear FVS338 | FVS338 Reference Manual - Page 118
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. 3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down
  • Netgear FVS338 | FVS338 Reference Manual - Page 119
    FVS338 ProSafe VPN Firewall 50 Reference Manual 9. If Edge Device was enabled, select the present, the router will then connect to the RADIUS server. 10. Click Apply. The new policy will appear in the IKE Policies Table (a sample policy is shown below) Figure 5-23
  • Netgear FVS338 | FVS338 Reference Manual - Page 120
    FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the
  • Netgear FVS338 | FVS338 Reference Manual - Page 121
    FVS338 ProSafe VPN Firewall 50 Reference Manual b. From the Select Certificate pull-down menu, select None. c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created; for example "remote_id.com". d. Under Virtual Adapter pull-down
  • Netgear FVS338 | FVS338 Reference Manual - Page 122
    values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds)). Figure 5-27 6. Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client.
  • Netgear FVS338 | FVS338 Reference Manual - Page 123
    ProSafe VPN Firewall 50 Reference Manual To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case "My Connections\modecfg_test". 2. Click on the connection. Within 30 seconds the message
  • Netgear FVS338 | FVS338 Reference Manual - Page 124
    FVS338 ProSafe VPN Firewall 50 Reference Manual for VPN then the certificate is only uploaded to the VPN certificate repository. Thus, certificates used by HTTPS and IPSec will be different if their purpose is not defined to be VPN and HTTPS. Trusted Certificates (CA Certificates) Trusted
  • Netgear FVS338 | FVS338 Reference Manual - Page 125
    FVS338 ProSafe VPN Firewall 50 Reference Manual Self Certificates Active Self certificates are certificates issued to you by the various Certificate Authorities (CAs) that are available for presentation to peer IKE main menu under VPN, select the Certificates Clara, O=NETGEAR, OU=XX, CN=FVS338) • From
  • Netgear FVS338 | FVS338 Reference Manual - Page 126
    FVS338 ProSafe VPN Firewall 50 Reference Manual - Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also impact performance.) 3. Complete the Optional fields, if desired, with the following information: • IP Address - If you have a fixed IP address, you may enter
  • Netgear FVS338 | FVS338 Reference Manual - Page 127
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Save to file Figure 5-29 To submit your Self Certificate request to a REQUEST---" and "---END CERTIFICATE REQUEST"). 4. Submit the CA form. If no problems ensue, the Certificate will be issued.
  • Netgear FVS338 | FVS338 Reference Manual - Page 128
    FVS338 ProSafe VPN Firewall 50 Reference Manual When you obtain the certificate from the CA, you can then upload it to your computer. Click Browse to locate the Certificate file and then
  • Netgear FVS338 | FVS338 Reference Manual - Page 129
    network manager accomplish these goals. VPN Firewall Features That Reduce Traffic Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows: • Service Blocking • Block Sites • Source MAC Filtering Service Blocking You can control specific outbound traffic (for
  • Netgear FVS338 | FVS338 Reference Manual - Page 130
    FVS338 ProSafe VPN Firewall 50 Reference Manual Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always • BLOCK by schedule, otherwise Allow • ALLOW always • ALLOW by schedule, otherwise Block As you define your firewall rules, you can further refine
  • Netgear FVS338 | FVS338 Reference Manual - Page 131
    FVS338 ProSafe VPN Firewall 50 Reference Manual Groups and Hosts. You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic. The Network Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the
  • Netgear FVS338 | FVS338 Reference Manual - Page 132
    additional firewall rules that are customized to block or allow specific traffic. Warning: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems. You can control specific inbound traffic (i.e., from WAN to LAN and from WAN to DMZ). Inbound Services
  • Netgear FVS338 | FVS338 Reference Manual - Page 133
    FVS338 ProSafe VPN Firewall 50 Reference Manual • ALLOW by schedule, otherwise Block You can also enable a check on special rules: • VPN Passthrough - Enable this to pass the VPN traffic without any filtering, specially used when this firewall is between two VPN tunnel end points. • Drop fragmented
  • Netgear FVS338 | FVS338 Reference Manual - Page 134
    FVS338 ProSafe VPN Firewall 50 Reference Manual Port Triggering Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the Application. Once configured, operation is
  • Netgear FVS338 | FVS338 Reference Manual - Page 135
    FVS338 ProSafe VPN Firewall 50 Reference Manual You will not change the WAN bandwidth used by changing any QoS priority settings. But you will change the mix of traffic through the WAN ports by granting some services a higher priority than others. The quality of a service is impacted by its QoS
  • Netgear FVS338 | FVS338 Reference Manual - Page 136
    FVS338 ProSafe VPN Firewall 50 Reference Manual 1. Select Users from the main menu and Local Authentication from the submenu. Figure 6-1 2. Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest Settings radio box. 3. Change the password by first entering the
  • Netgear FVS338 | FVS338 Reference Manual - Page 137
    FVS338 ProSafe VPN Firewall 50 Reference Manual Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset. RADIUS Server External Authentication For authentication to RADIUS or WIKID, you can define the authentication
  • Netgear FVS338 | FVS338 Reference Manual - Page 138
    to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see "Logging in to the VPN Firewall" on page 2-1). Note: Be sure to change the firewall default configuration password to a very secure password. The ideal password should
  • Netgear FVS338 | FVS338 Reference Manual - Page 139
    FVS338 ProSafe VPN Firewall 50 Reference Manual https://194.177.0.123:8080 Figure 6-3 To configure your firewall for Remote Management: 1. Select the Turn Remote Management On check box. a. Specify what external addresses will be allowed to access the firewall's remote management. Note: For
  • Netgear FVS338 | FVS338 Reference Manual - Page 140
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by
  • Netgear FVS338 | FVS338 Reference Manual - Page 141
    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. Specify what external addresses will be allowed to access the firewall's remote management. Note: For enhanced security, restrict access to as few external IP addresses as practical. a. To allow access from any IP address on the Internet, select
  • Netgear FVS338 | FVS338 Reference Manual - Page 142
    FVS338 ProSafe VPN Firewall 50 Reference Manual • If you want to make the VPN firewall globally accessible using the community string, but still receive traps on the host, enter 0.0.0.0 as the Subnet Mask and an IP Address for where the traps will be received. 3. Enter the trap port number of the
  • Netgear FVS338 | FVS338 Reference Manual - Page 143
    FVS338 ProSafe VPN Firewall 50 Reference Manual Settings Backup and Firmware Upgrade Once you have installed the VPN firewall and have it working properly, you should back up a copy of your setting so that it is if something goes wrong. When you backup the settings, they are saved
  • Netgear FVS338 | FVS338 Reference Manual - Page 144
    FVS338 ProSafe VPN Firewall 50 Reference Manual You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the router's password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and
  • Netgear FVS338 | FVS338 Reference Manual - Page 145
    FVS338 ProSafe VPN Firewall 50 Reference Manual Warning: Once you click Upload do NOT interrupt the router! To upgrade router software: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. 2. Click
  • Netgear FVS338 | FVS338 Reference Manual - Page 146
    Monitoring the Router You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN ports, LAN ports, and VPN tunnels.
  • Netgear FVS338 | FVS338 Reference Manual - Page 147
    FVS338 ProSafe VPN Firewall 50 Reference Manual Enabling the Traffic Meter To monitor traffic limits on each of the WAN ports, select Administration from the main menu and Traffic Meter from the submenu. The Broadband Traffic Meter screen will display. (The Broadband and Dialup ports are programmed
  • Netgear FVS338 | FVS338 Reference Manual - Page 148
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-8 Setting Login Failures and Attacks Notification Figure 6-9 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log
  • Netgear FVS338 | FVS338 Reference Manual - Page 149
    Figure 6-9 View System Logs Select the types of events to email. Select the segments to track for System Log events. Enable email alerts. Syslog Server enabled
  • Netgear FVS338 | FVS338 Reference Manual - Page 150
    rule. Incoming traffic using one of these ports will be sent to the IP address above. The time remaining before this rule is released, and thus available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received.
  • Netgear FVS338 | FVS338 Reference Manual - Page 151
    is the current software the router is using. This will change if you upgrade your router. Displays the current settings for MAC address, IP address, DHCP role and IP Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None.
  • Netgear FVS338 | FVS338 Reference Manual - Page 152
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-3. Router Configuration Status Fields Item Description Broadband Configuration Indicates whether the WAN Mode is Single or Rollover, and whether the WAN State is UP or DOWN. If the WAN State is up, it also displays • NAT: Enabled or
  • Netgear FVS338 | FVS338 Reference Manual - Page 153
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 6-12 Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display. Figure 6-13 Table 6-4.
  • Netgear FVS338 | FVS338 Reference Manual - Page 154
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-4. IPSec Connection Status Fields (continued) Item Tx (KB) Tx (Packets) State Action Description The amount of data transmitted over this SA. The number of IP packets transmitted over this SA. The current status of the SA. Phase 1 is
  • Netgear FVS338 | FVS338 Reference Manual - Page 155
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-15 Performing Diagnostics You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets. Select Monitoring from the main menu and Diagnostics
  • Netgear FVS338 | FVS338 Reference Manual - Page 156
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-16 Table 6-5. Diagnostics Fields Item Description Ping or Trace an IP address Ping - Used to send a ping packet request to a specified IP address - most often, to test a connection. If the request times out (no reply is received), it
  • Netgear FVS338 | FVS338 Reference Manual - Page 157
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-5. Diagnostics Fields Item Reboot the Router Packet Trace Description Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally. Note: Rebooting will break any
  • Netgear FVS338 | FVS338 Reference Manual - Page 158
  • Netgear FVS338 | FVS338 Reference Manual - Page 159
    and information for your ProSafe VPN Firewall 50. This chapter includes the following sections: • "Basic Functions" on page 7-1 • "Troubleshooting the Web Configuration Interface" on page 7-2 • "Troubleshooting the ISP Connection" on page 7-4 • "Troubleshooting a TCP/IP Network Using a Ping Utility
  • Netgear FVS338 | FVS338 Reference Manual - Page 160
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support. LEDs Never Turn Off When the firewall is turned on, the LEDs turn on
  • Netgear FVS338 | FVS338 Reference Manual - Page 161
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Make sure your PC's IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC's address should be in the range of 192.168.0.2 to 192.168.0.254. Note: If your PC's IP address is shown as 169.254.x.x:
  • Netgear FVS338 | FVS338 Reference Manual - Page 162
    FVS338 ProSafe VPN Firewall 50 Reference Manual Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall
  • Netgear FVS338 | FVS338 Reference Manual - Page 163
    FVS338 ProSafe VPN Firewall 50 Reference Manual - Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to "Configuring your Internet Connection" on page 2-2. If your firewall can obtain an IP address, but your PC is unable to load any Web pages
  • Netgear FVS338 | FVS338 Reference Manual - Page 164
    FVS338 ProSafe VPN Firewall 50 Reference Manual If the path is not functioning correctly, you could have one of the following problems: • Wrong physical connections - Make sure the LAN port LED is on. If the LED is off, follow the instructions in "LAN or Internet Port LEDs Not On" on page 7-2. -
  • Netgear FVS338 | FVS338 Reference Manual - Page 165
    FVS338 ProSafe VPN Firewall 50 Reference Manual Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address to 192.168.1.1. You can erase the current
  • Netgear FVS338 | FVS338 Reference Manual - Page 166
  • Netgear FVS338 | FVS338 Reference Manual - Page 167
    FVS338 Default Settings Feature Router Login User Login URL User Name (case sensitive) Login Password (case sensitive) Internet Connection WAN MAC Address WAN MTU Size Port Speed Local Network (LAN) Lan IP Subnet Mask RIP Direction RIP Version RIP Authentication DHCP Server DHCP Starting IP Address
  • Netgear FVS338 | FVS338 Reference Manual - Page 168
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table A-1. FVS338 Default Settings (continued) Feature Default Behavior Time Zone GMT Time Zone Adjusted for Daylight Saving Disabled Time SNMP Disabled Remote Management Disabled Firewall Inbound (communications coming in from Disabled (
  • Netgear FVS338 | FVS338 Reference Manual - Page 169
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table A-2. VPN firewall Default Technical Specifications Feature Environmental Specifications Operating temperature: Operating humidity: Electromagnetic Emissions Meets requirements of: Interface Specifications LAN: WAN: Specification 0 to 40 C (
  • Netgear FVS338 | FVS338 Reference Manual - Page 170
  • Netgear FVS338 | FVS338 Reference Manual - Page 171
    port Source IP Address of machine from where the packet is coming. Protocol type System Log Messages This section describes log messages that belong to one of the following categories: • Logs generated by traffic that is meant for the device. • Logs generated by traffic that is routed or forwarded
  • Netgear FVS338 | FVS338 Reference Manual - Page 172
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-2. System Logs: System Startup Message Explanation Recommended Action Jan 1 15:22:28 [FVS338] [ledTog] [SYSTEM START-UP] System Started Log generated when the system is started. None Reboot This section describes log messages generated
  • Netgear FVS338 | FVS338 Reference Manual - Page 173
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-4. System Logs: NTP Message Explanation Recommended Action Nov 28 12:31:13 [FVS338] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [FVS338] [ntpdate] Requesting time from time-f.netgear.com Nov 28 12:31:14 [FVS338] [ntpdate] adjust
  • Netgear FVS338 | FVS338 Reference Manual - Page 174
    ProSafe VPN Firewall 50 Reference Manual Table B-6. System Logs: Firewall Restart Message Explanation Recommended Action Jan 23 16:20:44 [FVS338] [wand] [FW] Firewall Restarted Log generated when the firewall is restarted. This log is logged when firewall restarts after applying any changes
  • Netgear FVS338 | FVS338 Reference Manual - Page 175
    FVS338 ProSafe VPN Firewall 50 Reference Manual System Logs: WAN Status, Auto Rollover Message Explanation Recommended Action Nov 17 09:59:09 [FVS338] [wand] [LBFO] WAN1 Test Failed 1 of 3 times_ Nov 17 09:59:39 [FVS338] [wand] [LBFO] WAN1 Test Failed 2 of 3 times_ Nov 17 10:00:09 [FVS338] [wand]
  • Netgear FVS338 | FVS338 Reference Manual - Page 176
    FVS338 ProSafe VPN Firewall 50 Reference Manual PPPoE Idle-Timeout Logs. Table B-8. System Logs: WAN Status, PPE, PPPoE Idle-Timeout Message Explanation Recommended Action Nov 29 13:12:46 [FVS338] [pppd] Starting connection Nov 29 13:12:49 [FVS338] [pppd] Remote message: Success Nov 29 13:12:49 [
  • Netgear FVS338 | FVS338 Reference Manual - Page 177
    ProSafe VPN Firewall 50 Reference Manual PPTP Idle-Timeout Logs. Table B-9. System Logs: WAN Status, PPE, PPTP Idle-Timeout Message Explanation Nov 29 11:19:02 [FVS338] [pppd] Starting connection Nov 29 11:19:05 [FVS338] [pppd] CHAP authentication succeeded Nov 29 11:19:05 [FVS338] [pppd] local
  • Netgear FVS338 | FVS338 Reference Manual - Page 178
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-11. System Logs: Web Filtering and Content Filtering Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Jan 23 16:36:35 [FVS338] [kernel
  • Netgear FVS338 | FVS338 Reference Manual - Page 179
    FVS338 ProSafe VPN Firewall 50 Reference Manual Traffic Metering Logs Table B-12. System Logs: Traffic Metering Message Explanation Recommended Action Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._ Traffic limit to WAN1 that was set as 10Mb has been
  • Netgear FVS338 | FVS338 Reference Manual - Page 180
    FVS338 ProSafe VPN Firewall 50 Reference Manual Multicast/Broadcast Logs Table B-15. System Logs: Multicast/Broadcast Message Explanation Recommended Action Jan 1 07:24:13 [FVS338] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 • This packet (
  • Netgear FVS338 | FVS338 Reference Manual - Page 181
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-17. System Logs: Invalid Packets (continued) Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation 1. Invalid packets are dropped. 2. Use
  • Netgear FVS338 | FVS338 Reference Manual - Page 182
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-17. System Logs: Invalid Packets (continued) Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action 1. Invalid packets
  • Netgear FVS338 | FVS338 Reference Manual - Page 183
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-17. System Logs: Invalid Packets (continued) Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action 2007 Oct 1 00:44:17 [FVS338] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=
  • Netgear FVS338 | FVS338 Reference Manual - Page 184
    FVS338 ProSafe VPN Firewall 50 Reference Manual LAN to WAN Logs Table B-18. Routing Logs: LAN to WAN Message Explanation Recommended Action Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0 • This packet from LAN to WAN
  • Netgear FVS338 | FVS338 Reference Manual - Page 185
    htm TCP/IP Addressing: Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for http://documentation.netgear.com/reference/enu/wsdhcp/index.htm Network Access: Virtual Private Networking (VPN): http://documentation.netgear.com/reference
  • Netgear FVS338 | FVS338 Reference Manual - Page 186
  • Netgear FVS338 | FVS338 Reference Manual - Page 187
    to protect the networks. As part of the new maintenance firmware release, NETGEAR has implemented a more robust authentication system known as Two-Factor Authentication (2FA or T-FA) on its SSL and IPSec VPN firewall product line to help address the fast-growing network security issues. What are the
  • Netgear FVS338 | FVS338 Reference Manual - Page 188
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual • Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products. • Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication
  • Netgear FVS338 | FVS338 Reference Manual - Page 189
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual The WiKID solution is based on a request-response architecture in which a one-time passcode (OTP) that is time-synchronized with the authentication server is generated and sent to the user once the validity of a user
  • Netgear FVS338 | FVS338 Reference Manual - Page 190
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 2. A one-time passcode (something they have) is generated for this user. Figure D-2 Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used
  • Netgear FVS338 | FVS338 Reference Manual - Page 191
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 3. The user then goes to the two factor login page and enters the generated one-time passcode as the login password. Figure D-3 Two-Factor Authentication is a new and easy way to enhance networking security products
  • Netgear FVS338 | FVS338 Reference Manual - Page 192
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual D-6 Two Factor Authentication v1.3, March 2009
  • Netgear FVS338 | FVS338 Reference Manual - Page 193
    . See AH. Auto Uplink 1-3 Auto VPN Policies 5-16 Auto-Rollover Dual WAN ports 5-1 B backup and restore settings configuration of 6-15 Bandwidth Profile screen 4-29 Block Sites 6-3 Content Filtering 4-20 reducing traffic 6-3 Block Sites screen Content Filtering 4-21 Block TCP Flood Attack Checks 4-10
  • Netgear FVS338 | FVS338 Reference Manual - Page 194
    FVS338 ProSafe VPN Firewall 50 Reference Manual D date troubleshooting 7-7 Daylight Savings Time setting 6-18 Dead Peer Detection 5-15 default configuration restoring 7-7 default firewall rules 4-2 Inbound 4-2 Outbound 4-2 Default Outbound Policy LAN WAN 4-7 denial of service attack 4-10 UDP flood
  • Netgear FVS338 | FVS338 Reference Manual - Page 195
    Port Forwarding 6-4 VPN tunnels 6-6 installation 1-4 Internet configuring the connection manually 2-8 connection configuration 2-2 traffic information 6-26 Internet Protocol Numbers 4-17 IP Address router default 3-3 IP Address Pool use with ModeConfig 5-24 IP addresses auto-generated 7-3 DHCP
  • Netgear FVS338 | FVS338 Reference Manual - Page 196
    FVS338 ProSafe VPN Firewall 50 Reference Manual L L2TP VPN Tunnel 4-11 LAN configuration 3-1 ports and attached devices 6-26 using LAN IP setup options 3-2 LAN Security Checks UDP flood 4-10 LAN Setup screen 3-3 LAN Users Service Blocking 6-2 LAN WAN Inbound Rules configuring 4-9 LAN WAN Outbound
  • Netgear FVS338 | FVS338 Reference Manual - Page 197
    19 FVS338 ProSafe VPN Firewall 50 Reference Manual RADIUS-PAP XAUTH, use with 5-19 Reboot the Router 6-29 reducing traffic Block Sites 6-1 Service Blocking 6-1 Source MAC filtering 6-1 remote management 6-9, 6-10 access 6-10 configuration 6-11 telnet 6-12 Reserved IP address about 3-10 Reserved IP
  • Netgear FVS338 | FVS338 Reference Manual - Page 198
    FVS338 ProSafe VPN Firewall 50 Reference Manual Schedule 1 screen 4-20 Security 1-3 Self Certificate format of 5-33 Request, generating 5-33 Self Certificate request submitting 5-35 Self Certificates about 5-33 Service Blocking 4-2, 6-1 LAN Users 6-2 rules 6-1 WAN Users 6-2 service blocking 4-2
  • Netgear FVS338 | FVS338 Reference Manual - Page 199
    L2TP 4-11 PPTP 4-11 VPN Tunnel addresses Dual WAN Port systems 5-2 VPN Tunnels 6-6 VPN Wizard Gateway tunnel 5-2 VPN Client, configuring 5-5 VPNC 5-2 FVS338 ProSafe VPN Firewall 50 Reference Manual W WAN port connection status 6-26 WAN Ports Status monitoring 6-24 WAN Users Service Blocking 6-2 Web
  • Netgear FVS338 | FVS338 Reference Manual - Page 200
    FVS338 ProSafe VPN Firewall 50 Reference Manual Index-8 v1.0, March 2009

FVS338 ProSafe VPN Firewall 50 Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive
Santa Clara, CA 95134 USA
March 2009
202-10046-08
v1.0