Netgear FVS338 FVS338 Reference Manual

Netgear FVS338 - ProSafe VPN Firewall 50 Router Manual

Netgear FVS338 manual content summary:

  • Netgear FVS338 | FVS338 Reference Manual - Page 1
    FVS338 ProSafe VPN Firewall 50 Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA March 2008 202-10046-06 v1.0
  • Netgear FVS338 | FVS338 Reference Manual - Page 2
    NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR by one or more testing to the following standards: EN55022 Class B, EN55024 and EN60950-1. Confirmation of the Manufacturer/Importer It is hereby confirmed that the ProSafe VPN Firewall 50
  • Netgear FVS338 | FVS338 Reference Manual - Page 3
    has been granted the right to test the series for compliance with the become the cause of radio interference. Read instructions for correct handling. Additional Copyrights AES Copyright products derived from this software without his specific prior written permission. This software is provided 'as
  • Netgear FVS338 | FVS338 Reference Manual - Page 4
    SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved use of this software must display the following acknowledgment: "This product includes software developed by the CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
  • Netgear FVS338 | FVS338 Reference Manual - Page 5
    rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided
  • Netgear FVS338 | FVS338 Reference Manual - Page 6
    Product and Publication Details Model Number: Publication Date: Product Family: Product Name: Home or Business Product: Language: Publication Part Number: Publication Version Number FVS338 March 2008 VPN firewall ProSafe VPN Firewall 50 Business English 202-10046-06 1.0 vi v1.0, March 2008
  • Netgear FVS338 | FVS338 Reference Manual - Page 7
    Hardware 1-7 Factory Default Login ...1-7 Chapter 2 Connecting the FVS338 to the Internet Connecting the VPN Firewall to Your Network 2-1 Logging in to the VPN Firewall 2-1 Configuring your Internet Connection 2-2 Setting the Router's MAC Address (Advanced Options 2-7 Manually Configuring Your
  • Netgear FVS338 | FVS338 Reference Manual - Page 8
    LAN Configuration Configuring Your LAN (Local Area Network 3-1 Using the VPN Firewall as a DHCP Server 3-1 Configuring Multi-Home LAN IPs 3-4 Managing Groups and Hosts 3-6 Creating the Network Database 3-6 Setting Up Address Reservation 3-10 Configuring Static Routes 3-10 Static Route Example
  • Netgear FVS338 | FVS338 Reference Manual - Page 9
    Configuring the FVS338 5-13 Configuring the VPN Client 5-14 Testing the Connection 5-19 Extended Authentication (XAUTH) Configuration 5-20 Configuring XAUTH for VPN Clients 5-21 User Database Configuration 5-22 RADIUS Client Configuration 5-23 Manually Assigning IP Addresses to Remote Users
  • Netgear FVS338 | FVS338 Reference Manual - Page 10
    6-4 Port Forwarding 6-4 Port Triggering 6-6 VPN Tunnels ...6-6 Using QoS to Shift the Traffic Mix 6-7 Tools for Traffic Management 6-7 Administration ...6-7 Changing Passwords and Settings 6-7 Enabling Remote Management Access 6-9 Using a SNMP Manager 6-12 Settings Backup and Firmware Upgrade
  • Netgear FVS338 | FVS338 Reference Manual - Page 11
    the Default Configuration and Password 7-7 Problems with Date and Time 7-7 Appendix A Default Settings and Technical Specifications Appendix B System Logs and Error Messages System Log Messages B-1 System Startup ...B-1 Reboot ...B-2 NTP ...B-2 Login/Logout ...B-3 Firewall Restart ...B-3 IPSec
  • Netgear FVS338 | FVS338 Reference Manual - Page 12
    Routing Logs ...B-14 LAN to WAN Logs B-15 LAN to DMZ Logs B-15 DMZ to WAN Logs B-15 WAN to LAN Logs B-15 DMZ to LAN Logs B-16 WAN to DMZ Logs B-16 Appendix C Related Documents Index xii Contents v1.0, March 2008
  • Netgear FVS338 | FVS338 Reference Manual - Page 13
    About This Manual The NETGEAR® ProSafe™ VPN Firewall 50 FVS338 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope
  • Netgear FVS338 | FVS338 Reference Manual - Page 14
    . • Scope. This manual is written for the VPN firewall according to these specifications: Product Version ProSafe VPN Firewall 50 Manual Publication Date March 2008 For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix
  • Netgear FVS338 | FVS338 Reference Manual - Page 15
    Product update: New firmware and new user Interface Remove Trend Micro Updated features New features: IP/MAC Binding; Bandwidth Limits; Session Limits; IKE Keep Alive; Dead Peer Detection; Oray support Document corrections Document additions to Appendix B Maintenance release About This Manual xv
  • Netgear FVS338 | FVS338 Reference Manual - Page 17
    Content Filtering and Site Blocking Security. • Quality of Service (QoS) support for traffic prioritization. • Built in 8-port 10/100 Mbps switch. • Extensive Protocol Support. • Login capability. • SNMP for manageability. • Front panel LEDs for easy monitoring of status and activity. Introduction
  • Netgear FVS338 | FVS338 Reference Manual - Page 18
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Flash memory for firmware upgrade. Full Routing on Both the Broadband and Serial WAN Ports You can install, configure, and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including
  • Netgear FVS338 | FVS338 Reference Manual - Page 19
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Port Forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can
  • Netgear FVS338 | FVS338 Reference Manual - Page 20
    , you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. • Visual monitoring. The VPN firewall's front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the
  • Netgear FVS338 | FVS338 Reference Manual - Page 21
    the FVS338, including instructions for installing the FVS338 using the rack mounting hardware. Router Front Panel The ProSafe VPN Firewall 50 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. Power Test Modem Internet LED LED LED LEDs Local
  • Netgear FVS338 | FVS338 Reference Manual - Page 22
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 1-1. Object Descriptions Object Activity Power LED Test LED MDM LED On (Green) Off On (Amber) Blinking (Amber) Off On (Green) Blinking (Green) Off Internet LEDs Link/Act LED On (Green) Blinking (Green) Off 100 LED On (Green) Off Local
  • Netgear FVS338 | FVS338 Reference Manual - Page 23
    FVS338 ProSafe VPN Firewall 50 Reference Manual Viewed from left to right, the rear panel contains the following elements: • Modem port - serves as the WAN2 Internet port through the public switched telephone network (PSTN). • Factory Defaults reset button. • Local ports - 8-port RJ-45 10/100 Mbps
  • Netgear FVS338 | FVS338 Reference Manual - Page 24
    FVS338 ProSafe VPN Firewall 50 Reference Manual LAN IP Address User Name Password Figure 1-4 To log in to the FVS338 once it is connected: 1. Open a Web browser. 2. Enter http://192.168.1.1 as the URL. Figure 1-5 3. Once the login screen displays (Figure 1-5), enter the following: • admin for User
  • Netgear FVS338 | FVS338 Reference Manual - Page 25
    the Test LED to go out. Make sure your Ethernet and LAN LEDs are lit. (See the FVS338 ProSafe VPN Firewall 50 Installation Guide on your Resource CD.) 2. Log in to the firewall. After logging in, you are ready to set up and configure your firewall. You can also change your password and enable remote
  • Netgear FVS338 | FVS338 Reference Manual - Page 26
    Firewall 50 Reference Manual To log in to the VPN firewall: Step 1. Open an Internet Explorer, Netscape® Navigator, or Firefox browser. In the browser window, enter http://192.168.1.1 in the address field. The FVS338 login screen will display. Figure 2-1 2. Enter admin for the User Name and password
  • Netgear FVS338 | FVS338 Reference Manual - Page 27
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 2-2 2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support.
  • Netgear FVS338 | FVS338 Reference Manual - Page 28
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 2-1. Internet connection methods Connection Method DHCP (Dynamic IP) Fixed IP Data Required No data is required. IP address and related data supplied by your ISP. 3. Click Broadband Status at the top right of the screen to verify your
  • Netgear FVS338 | FVS338 Reference Manual - Page 29
    FVS338 ProSafe VPN Firewall 50 Reference Manual Step 1. Select Network Configuration from the main menu, WAN Settings from the submenu and This name will be used to log in to the ISP server. b. Password: The account password for the dialup ISP c. Telephone: The telephone number or access number to
  • Netgear FVS338 | FVS338 Reference Manual - Page 30
    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. Specify the method to use for your Dial-up Connection Status. The VPN firewall can automatically dial to the ISP when a connection is needed or can be configured to wait for manual intervention: a. Check the Connect automatically disconnect after
  • Netgear FVS338 | FVS338 Reference Manual - Page 31
    FVS338 ProSafe VPN Firewall 50 Reference Manual Set up the traffic meter for the Dialup ISP if desired (see "Programming the Traffic Meter (if Desired)" on page 2-12). Note: The response time of your serial port Internet connection will be slower than a broadband Internet connection. Tip: If you
  • Netgear FVS338 | FVS338 Reference Manual - Page 32
    FVS338 ProSafe VPN Firewall 50 Reference Manual This could occur on some older broadband modems. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100BaseT; otherwise, select 10BaseT. Use the half-duplex settings if full-duplex modes do not work. Figure 2-5 You
  • Netgear FVS338 | FVS338 Reference Manual - Page 33
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 2-6 Manually Configuring Your Internet Connection If you know your Broadband ISP connection type, you can bypass the Auto Detect feature and connect your router manually. Ensure that you have all of the relevant connection information such as
  • Netgear FVS338 | FVS338 Reference Manual - Page 34
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 2-7 To manually configure your WAN1 ISP settings: Step 1. Does your Internet connection require a login? If you need to enter login type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check
  • Netgear FVS338 | FVS338 Reference Manual - Page 35
    local BigPond Login Server in your area. You can find login server information at http://www.netgear.com.sg/support/bigpond.asp 3. If your ISP has assigned a fixed (static or permanent) IP address, select the Use Static IP Address radio box and fill in the following fields: a. IP Address: Static IP
  • Netgear FVS338 | FVS338 Reference Manual - Page 36
    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP
  • Netgear FVS338 | FVS338 Reference Manual - Page 37
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 2-8 Connecting the FVS338 to the Internet v1.0, March 2008 2-13
  • Netgear FVS338 | FVS338 Reference Manual - Page 38
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 2-2. Traffic Meter Settings Parameter Description Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the Router's Broadband or Dialup port. Broadband or Dialup can be selected by clicking the
  • Netgear FVS338 | FVS338 Reference Manual - Page 39
    FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring the WAN Mode The WAN Mode screen allows you to configure how your router uses your external Internet connections; for example, your WAN port or dialup modem connections. • NAT. NAT is the technology which allows all PCs on your LAN to share
  • Netgear FVS338 | FVS338 Reference Manual - Page 40
    FVS338 ProSafe VPN Firewall 50 Reference Manual • If you have both ISP links connected for Internet connectivity, check the Primary Broadband with Dialup as backup for auto-rollover. 4. The WAN Failure Detection Method must be configured to notify the router of a link failure if you are using Dialup
  • Netgear FVS338 | FVS338 Reference Manual - Page 41
    FVS338 ProSafe VPN Firewall 50 Reference Manual This router firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. After you have configured your account information in the
  • Netgear FVS338 | FVS338 Reference Manual - Page 42
    FVS338 ProSafe VPN Firewall 50 Reference Manual If you have configured Single Port, select the tab for a DNS service provider, then fill out the DDNS section for that port. If you have enabled Auto-Rollover, choose a service provider and complete both sections. (Only those options that match the
  • Netgear FVS338 | FVS338 Reference Manual - Page 43
    how to configure LAN Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50. These features can be found under the Network Configuration menu of the router interface. Configuring Your LAN (Local Area Network) By default, the firewall will function as a DHCP (Dynamic Host
  • Netgear FVS338 | FVS338 Reference Manual - Page 44
    FVS338 ProSafe VPN Firewall 50 Reference Manual To modify your LAN setup: 1. Select Network Configuration from the main menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1 2. Enter the IP Address of your router (factory default: 192.168.1.1). The IP address provided
  • Netgear FVS338 | FVS338 Reference Manual - Page 45
    default is enabled. If enabled, the VPN firewall will provide a LAN IP Address for DNS address name resolution - When enabled, the router will act as a proxy for all DNS requests and communicate with the ISP's DNS servers (as configured in the WAN settings page). - When disabled, all DHCP clients
  • Netgear FVS338 | FVS338 Reference Manual - Page 46
    Click DHCP Log to view the DHCP log of the router. Note: Once you have completed the LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 4, "Firewall Protection and Content Filtering." Configuring Multi-Home LAN IPs If
  • Netgear FVS338 | FVS338 Reference Manual - Page 47
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 3-2 The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the router. • IP Address: The IP address alias added to the LAN port of the router. This is the gateway for computers that need to access the Internet. •
  • Netgear FVS338 | FVS338 Reference Manual - Page 48
    FVS338 ProSafe VPN Firewall 50 Reference Manual Warning: Make sure the secondary IP addresses are different from the LAN, WAN, DMZ, and any other subnet attached to this router. Example: WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0 WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0 DMZ IP address:
  • Netgear FVS338 | FVS338 Reference Manual - Page 49
    FVS338 ProSafe VPN Firewall 50 Reference Manual • MAC-level Control over PCs. The Network Database uses the MAC address to identify each PC or device. So changing a PC's IP address does not affect any restrictions on that PC. • Group and Individual Control over PCs - You can assign PCs to Groups and
  • Netgear FVS338 | FVS338 Reference Manual - Page 50
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 3-3 The Network Database is created by: • Using the DHCP Server: The router's DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to
  • Netgear FVS338 | FVS338 Reference Manual - Page 51
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Name: The name of the computer or device. Computers that do not support the NetBIOS protocol will be listed as Unknown. In this case, the name can be edited manually for easier management. If the computer was assigned an IP address by the DHCP server
  • Netgear FVS338 | FVS338 Reference Manual - Page 52
    FVS338 ProSafe VPN Firewall 50 Reference Manual Setting Up Address Reservation When you specify a reserved IP address for a device on the LAN (based on the MAC address of the device), that computer or device will always receive the same IP address each time it accesses the firewall's DHCP server.
  • Netgear FVS338 | FVS338 Reference Manual - Page 53
    FVS338 ProSafe VPN Firewall 50 Reference Manual 5. Type the Destination IP Address or network of the route's final destination. 6. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter 255.255.255.255. Figure 3-4 7. From the Interface pull-down menu, selection
  • Netgear FVS338 | FVS338 Reference Manual - Page 54
    specify that this static route applies to all 134.177.x.x addresses. • The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192.168.1.100. • A Metric value of 1 will work since the ISDN firewall is on the LAN. • Private is selected
  • Netgear FVS338 | FVS338 Reference Manual - Page 55
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 3-5 To enable RIP: 1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display. 2. Click the RIP Configuration link. The RIP Configuration screen will display. 3. From the RIP Direction pull-
  • Netgear FVS338 | FVS338 Reference Manual - Page 56
    FVS338 ProSafe VPN Firewall 50 Reference Manual • None - the router neither broadcasts its route table nor does it accept any RIP packets from other routers. This effectively disables RIP. 4. Select the RIP Version from the pull-down menu: • RIP-1 - classful routing and does not include subnet
  • Netgear FVS338 | FVS338 Reference Manual - Page 57
    Packet Inspection goes far beyond NAT. Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the FVS338. Inbound rules (WAN to LAN) restrict access by
  • Netgear FVS338 | FVS338 Reference Manual - Page 58
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Outbound: Allow all access from the LAN side to the outside. Services-Based Rules The rules to block traffic are based on the traffic's category of service. • Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless
  • Netgear FVS338 | FVS338 Reference Manual - Page 59
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4-1. Outbound Rules Fields Item Services Action Select Schedule LAN users WAN Users Description Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must
  • Netgear FVS338 | FVS338 Reference Manual - Page 60
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4-1. Outbound Rules Fields (continued) Item QoS Priority Log Description This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. By default, the
  • Netgear FVS338 | FVS338 Reference Manual - Page 61
    address of the WAN1 or WAN2 ports or another public IP address. This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change
  • Netgear FVS338 | FVS338 Reference Manual - Page 62
    FVS338 ProSafe VPN Firewall 50 Reference Manual Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at
  • Netgear FVS338 | FVS338 Reference Manual - Page 63
    Setting LAN WAN Rules FVS338 ProSafe VPN Firewall 50 Reference Manual The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the LAN to the Internet (Outbound) or
  • Netgear FVS338 | FVS338 Reference Manual - Page 64
    FVS338 ProSafe VPN Firewall 50 Reference Manual 1. In the Action column adjacent to the rule click: • Edit - to make any changes to the rule definition of an existing rule. The Outbound Service screen will display containing the data for the selected rule (see Figure 4-3 on page 4-9). • Up - to move
  • Netgear FVS338 | FVS338 Reference Manual - Page 65
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 4-3 LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. WAN Users: Whether all
  • Netgear FVS338 | FVS338 Reference Manual - Page 66
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-4 Attack Checks This screen allows you to specify whether or not the router should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the Attack Checks screen and defined below: •
  • Netgear FVS338 | FVS338 Reference Manual - Page 67
    FVS338 ProSafe VPN Firewall 50 Reference Manual • LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application
  • Netgear FVS338 | FVS338 Reference Manual - Page 68
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 4-5 Session Limit Session Limit allows you to specify the total number of sessions per user over an IP (Internet Protocol) connection allowed across the router. This feature can be enabled on the Session Limit screen and is shown below (
  • Netgear FVS338 | FVS338 Reference Manual - Page 69
    FVS338 ProSafe VPN Firewall 50 Reference Manual To enable Session Limit: 1. Click the Yes radio button under Do you want to enable Session Limit? 2. From the User Limit Parameter drop-down list, define the maximum number of sessions per IP either as a percentage of maximum sessions or as an absolute
  • Netgear FVS338 | FVS338 Reference Manual - Page 70
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-7 Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example
  • Netgear FVS338 | FVS338 Reference Manual - Page 71
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-8 Setting Up One-to-One NAT Mapping In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address
  • Netgear FVS338 | FVS338 Reference Manual - Page 72
    FVS338 ProSafe VPN Firewall 50 Reference Manual 6. From the Public Destination IP Address pull down menu, choose Other Public IP Address. 7. Enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server. 8. Click Apply. The rule will display in the
  • Netgear FVS338 | FVS338 Reference Manual - Page 73
    FVS338 ProSafe VPN Firewall 50 Reference Manual To test the connection from a PC on the Internet, type http://, where is the public IP address you have mapped to your Web server. You should see the home page of your Web server. Specifying an Exposed Host Specifying an
  • Netgear FVS338 | FVS338 Reference Manual - Page 74
    FVS338 ProSafe VPN Firewall 50 Reference Manual Outbound Rules Example - Blocking Instant Messenger Outbound rules let you prevent users from using applications such as AOL Instant Messenger, Real Audio or other non-essential sites. If you want to block AOL Instant Messenger usage by employees
  • Netgear FVS338 | FVS338 Reference Manual - Page 75
    FVS338 ProSafe VPN Firewall 50 Reference Manual Although the FVS338 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a
  • Netgear FVS338 | FVS338 Reference Manual - Page 76
    FVS338 ProSafe VPN Firewall 50 Reference Manual To add a service: 1. Select Security from the main menu and Services from the submenu. The Services screen will display. 2. In the Add Custom Service table, enter a descriptive name for the service (this is for your convenience). 3. Select the Layer 3
  • Netgear FVS338 | FVS338 Reference Manual - Page 77
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0. • Minimize-Cost: Used when data has to be transferred over a link that has a lower "cost". The IP packets for
  • Netgear FVS338 | FVS338 Reference Manual - Page 78
    FVS338 ProSafe VPN Firewall 50 Reference Manual Repeat these 5 steps to set a schedule for Schedule 2 and Schedule 3. Figure 4-14 Setting Block Sites (Content Filtering) If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall's Content
  • Netgear FVS338 | FVS338 Reference Manual - Page 79
    FVS338 ProSafe VPN Firewall 50 Reference Manual You can bypass Keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains or keywords on this list by PCs, even those in the groups for which keyword blocking has been enabled, will
  • Netgear FVS338 | FVS338 Reference Manual - Page 80
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-15 Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC
  • Netgear FVS338 | FVS338 Reference Manual - Page 81
    ProSafe VPN Firewall 50 Reference Manual • When enabled, traffic coming from any computers or devices whose MAC addresses are listed in the Available MAC Addresses to be Blocked table will be dropped. Figure 4-16 Note: For additional ways of restricting outbound traffic, see "LAN WAN Outbound Services
  • Netgear FVS338 | FVS338 Reference Manual - Page 82
    ProSafe VPN Firewall 50 Reference Manual 6. When you have completed adding MAC addresses, click Apply to save your settings. IP/MAC Binding IP/MAC Binding allows you to bind an IP to a MAC address and vice-versa. Some machines are configured with static addresses. To prevent users from changing
  • Netgear FVS338 | FVS338 Reference Manual - Page 83
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 4-17 The IP/MAC Binding Table lists the currently defined IP/MAC Bind rules: • Name: Displays the user-defined name for this rule. • MAC Addresses: Displays the MAC Addresses for this rule. • IP Addresses: Displays the IP Addresses for this
  • Netgear FVS338 | FVS338 Reference Manual - Page 84
    FVS338 ProSafe VPN Firewall 50 Reference Manual 4. To remove an entry from the table, select the IP/MAC Bind entry and click Delete. 5. Click Apply to save your settings. Setting Up Port Triggering Port triggering allows some applications running on a LAN network to be available to external
  • Netgear FVS338 | FVS338 Reference Manual - Page 85
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. From the Enable pull-down menu, indicate if the rule is enabled or disabled. Figure 4-18 3. From the Protocol pull-down menu, select either TCP or UDP protocol. 4. In the Outgoing (Trigger) Port Range fields: a. Enter the Start Port range (1 -
  • Netgear FVS338 | FVS338 Reference Manual - Page 86
    FVS338 ProSafe VPN Firewall 50 Reference Manual b. Enter the End Port range (1 - 65534). 6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering
  • Netgear FVS338 | FVS338 Reference Manual - Page 87
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Bandwidth limiting for outbound traffic is done on the available WAN interface in both the single port and Auto Rollover modes. Bandwidth limiting is handled on the user-specified interface in Load Balancing mode. • Bandwidth limiting for inbound
  • Netgear FVS338 | FVS338 Reference Manual - Page 88
    FVS338 ProSafe VPN Firewall 50 Reference Manual • WAN: Displays the WAN interface for the Load Balancing mode. 2. Click Add to add a new Bandwidth Profile. When the Add New Bandwidth Profile screen displays, enter the following: a. Name: Specify an easily identifiable name for the profile. b.
  • Netgear FVS338 | FVS338 Reference Manual - Page 89
    FVS338 ProSafe VPN Firewall 50 Reference Manual other general information based on the settings you input on the Firewall Logs & E-mail screen. In addition, if you have set up Content Filtering on the Block Sites screen (see "Setting Block Sites (Content Filtering)" on page 4-22), a log will be
  • Netgear FVS338 | FVS338 Reference Manual - Page 90
    FVS338 ProSafe VPN Firewall 50 Reference Manual To set up Firewall Logs and E-mail alerts: 1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display. 2. Enter the name of the log in the Log Identifier field. Log
  • Netgear FVS338 | FVS338 Reference Manual - Page 91
    FVS338 ProSafe VPN Firewall 50 Reference Manual • LOG_WARNING (Warning conditions) • LOG_NOTICE (Normal but significant conditions) • LOG_INFO (Informational messages) • LOG_DEBUG (Debug level messages) 10. Click Reset to cancel your changes and return to the previous settings. 11. Click Apply to
  • Netgear FVS338 | FVS338 Reference Manual - Page 92
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 4-3. Log Entry Descriptions Field Date and Time Description or Action Source IP Source port and interface Destination Destination port and interface Description The date and time the log entry was recorded. The type of event and what action
  • Netgear FVS338 | FVS338 Reference Manual - Page 95
    Private Networking (VPN) features of the VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy
  • Netgear FVS338 | FVS338 Reference Manual - Page 96
    Table 5-1 above. The remote WAN IP address of the Gateway must be a public address or the Internet name of the Gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as set up in a Dynamic DNS service. Both local and remote ends should be defined as either IP addresses or Internet Names
  • Netgear FVS338 | FVS338 Reference Manual - Page 97
    FVS338 ProSafe VPN Firewall 50 Reference Manual The Local WAN IP address is the address used in the IKE negotiation phase. Automatically, the WAN IP address assigned by your ISP may display. You can modify the address to use your FQDN; required if the WAN Mode you selected is auto-rollover. 7. Enter
  • Netgear FVS338 | FVS338 Reference Manual - Page 98
    FVS338 ProSafe VPN Firewall 50 Reference Manual IKE Policies The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways, and provides automatic management of the Keys used in IPSec. It is important to remember that: • "Auto" generated VPN policies must use the IKE
  • Netgear FVS338 | FVS338 Reference Manual - Page 99
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Name. Uniquely identifies each IKE policy. The name is chosen by you and used for the purpose of managing your policies; it is not supplied to the remote VPN Server. If the Policy is a Client Policy, it will be prepended by an "*". • Mode. Two modes
  • Netgear FVS338 | FVS338 Reference Manual - Page 100
    ProSafe VPN Firewall 50 Reference Manual In addition, a CA (Certificate Authority) can also be used to perform authentication (see "Certificates" on page 5-33). To use a CA, each VPN Gateway must have a Certificate from the CA. For each Certificate, there is both a "Public Key" and a "Private
  • Netgear FVS338 | FVS338 Reference Manual - Page 101
    FVS338 ProSafe VPN Firewall 50 Reference Manual - Reconnect after failure count: Fresh negotiation starts when no acknowledgement is received for the specified number of consecutive packets. • Local. IP address (either a single address, range of address or subnet address) on your local LAN. Traffic
  • Netgear FVS338 | FVS338 Reference Manual - Page 102
    a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses. Either firewall can initiate the connection. This procedure was developed and tested using: • Netgear FVS338 VPN Firewall - WAN IP address: 10.1.32.41 - LAN IP address subnet:192.168
  • Netgear FVS338 | FVS338 Reference Manual - Page 103
    ProSafe VPN Firewall 50 Reference Manual Figure 5-1 The IKE Policies screen will display showing the new "to_fvx" policy. Figure 5-2 You can view the IKE parameters by clicking Edit in the Action column adjacent to the "tofvs" policy. It should not be necessary to make any changes. Virtual Private
  • Netgear FVS338 | FVS338 Reference Manual - Page 104
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 5-3 Click the IKE Policies tab to view the corresponding IKE Policy. The IKE Policies screen will display. Figure 5-4 You can view the VPN parameters by clicking Edit in the Actions column adjacent to "to_fvx". It should not be necessary to
  • Netgear FVS338 | FVS338 Reference Manual - Page 105
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 5-5 Configuring the FVX538 To configure the FVX538 using the VPN Wizard: 1. Select VPN from the main menu. The Policies screen will display. Click the VPN Wizard link. The VPN Wizard screen will display. 2. Check the Gateway radio box to
  • Netgear FVS338 | FVS338 Reference Manual - Page 106
    FVS338 ProSafe VPN Firewall 50 Reference Manual 6. Enter the remote LAN IP address and subnet mask. 7. Click Apply to create the "to_fvs" IKE and VPN policies. Figure 5-6 Testing the Connection 1. From a PC on either firewall's LAN, try to ping a PC on the other firewall's LAN. Establishing the VPN
  • Netgear FVS338 | FVS338 Reference Manual - Page 107
    the NETGEAR VPN Client. Since the PC's IP address is assumed to be unknown, the PC must always be the Initiator of the connection. This procedure was developed and tested using: • NETGEAR ProSafe VPN Firewall 50 FVS338 • NETGEAR ProSafe VPN Client • NAT router: NETGEAR FR114P Configuring the FVS338
  • Netgear FVS338 | FVS338 Reference Manual - Page 108
    FVS338 ProSafe VPN Firewall 50 Reference Manual fvs_remote.com fvs_local.com Figure 5-7 Configuring the VPN Client On a remote PC that has a NETGEAR ProSafe VPN Client installed, configure the client using the FVS338 VPN Client default parameters (displayed in both the IKE Policy table and the VPN
  • Netgear FVS338 | FVS338 Reference Manual - Page 109
    FVS338 ProSafe VPN Firewall 50 Reference Manual To configure the VPN Client: 1. Right-click on the VPN client icon in your Windows toolbar and select the Security Policy Editor. The Security Policy Editor screen will display. 2. In the upper left of the Policy Editor window, click the New Document
  • Netgear FVS338 | FVS338 Reference Manual - Page 110
    FVS338 ProSafe VPN Firewall 50 Reference Manual fvs_local.com 10.1.32.41 Figure 5-9 8. In the left frame, click on My Identity ( 11. Leave Virtual Adapter disabled, and select your computer's Network Adapter. Your current IP address will appear. 5-16 v1.0, March 2008 Virtual Private Networking
  • Netgear FVS338 | FVS338 Reference Manual - Page 111
    FVS338 ProSafe VPN Firewall 50 Reference Manual fvs_remote.com 10.0.0.12 Figure 5-10 12. Before leaving the My Identity menu, click Pre-Shared Key. 13. Click Enter Key, and type your preshared key. Click OK. This key will be shared by all users of the FVS338 policy "home". 10.0.0.12 Figure 5-11
  • Netgear FVS338 | FVS338 Reference Manual - Page 112
    FVS338 ProSafe VPN Firewall 50 Reference Manual 14. In the left frame, click Security Policy (shown in Figure 5-12). 15. Select Phase 1 Negotiation Mode by checking the Aggressive Mode radio box. 16. PFS Key Group should be disabled, and Enable Replay Detection should be enabled. Figure 5-12 17. In
  • Netgear FVS338 | FVS338 Reference Manual - Page 113
    FVS338 ProSafe VPN Firewall 50 Reference Manual 18. In the left frame, expand Key Exchange (Phase 2) and select Proposal 1. Compare with the figure below. No changes should be necessary. 19. In the upper left of the window, click the disk icon to save the policy. Figure 5-14 Testing the Connection
  • Netgear FVS338 | FVS338 Reference Manual - Page 114
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 5-15 Extended Authentication (XAUTH) Configuration When connecting many VPN clients to a VPN gateway router, an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients. Although
  • Netgear FVS338 | FVS338 Reference Manual - Page 115
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials. If the user account is not present, the router will then connect to a RADIUS server. Configuring XAUTH for VPN
  • Netgear FVS338 | FVS338 Reference Manual - Page 116
    FVS338 ProSafe VPN Firewall 50 Reference Manual • IPSec Host if you want to be authenticated by the remote gateway. In the adjacent Username and Password fields, type in the user name and password associated with the IKE policy for authenticating this gateway (by the remote gateway). 4.
  • Netgear FVS338 | FVS338 Reference Manual - Page 117
    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4. Click Add. The User Name will be added to the Configured Hosts table. Figure 5-17 To edit the user name or password: 1. Click Edit opposite the user's name.
  • Netgear FVS338 | FVS338 Reference Manual - Page 118
    FVS338 ProSafe VPN Firewall 50 Reference Manual information such as a username/password or some encrypted response using his username/ password information. The gateway will try and verify this information first against a local on the configuration of the RADIUS Server, the router's IP address may be
  • Netgear FVS338 | FVS338 Reference Manual - Page 119
    , and then configured a PC running ProSafe VPN Client software using these IP addresses. • NETGEAR ProSafe VPN Firewall 50 - WAN IP address: 172.21.4.1 - LAN IP address/subnet: 192.168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Virtual Private Networking v1
  • Netgear FVS338 | FVS338 Reference Manual - Page 120
    FVS338 ProSafe VPN Firewall 50 Reference Manual ModeConfig Operation After IKE Phase 1 is complete, the VPN connection initiator (remote user/client) asks for IP configuration parameters such as IP address, subnet mask and name server addresses. The ModeConfig module will allocate an IP address from
  • Netgear FVS338 | FVS338 Reference Manual - Page 121
    FVS338 ProSafe VPN Firewall 50 Reference Manual 9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 • Encryption Algorithm: 3DES 10. Click Apply. The new
  • Netgear FVS338 | FVS338 Reference Manual - Page 122
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. 3. Enable Mode Config by checking the Yes radio box and selecting the Mode Config record you just created from the pull-down
  • Netgear FVS338 | FVS338 Reference Manual - Page 123
    FVS338 ProSafe VPN Firewall 50 Reference Manual 9. If Edge Device was enabled, select the present, the router will then connect to the RADIUS server. 10. Click Apply. The new policy will appear in the IKE Policies Table (a sample policy is shown below) Figure 5-20 Virtual Private Networking v1
  • Netgear FVS338 | FVS338 Reference Manual - Page 124
    FVS338 ProSafe VPN Firewall 50 Reference Manual Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the
  • Netgear FVS338 | FVS338 Reference Manual - Page 125
    FVS338 ProSafe VPN Firewall 50 Reference Manual b. From the Select Certificate pull-down menu, select None. c. From the ID Type pull-down menu, select Domain Name and create an identifier based on the name of the IKE policy you created; for example "remote_id.com". d. Under Virtual Adapter pull-down
  • Netgear FVS338 | FVS338 Reference Manual - Page 126
    values to match your configuration of the VPN firewall ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds)). Figure 5-24 6. Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client. 5-32 v1.0, March 2008 Virtual Private Networking
  • Netgear FVS338 | FVS338 Reference Manual - Page 127
    ProSafe VPN Firewall 50 Reference Manual To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear; in this case "My Connections\modecfg_test". 2. Click on the connection. Within 30 seconds the message
  • Netgear FVS338 | FVS338 Reference Manual - Page 128
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. Click Browse to locate the trusted certificate on your computer and then click Upload. The certificate will be stored on the router and will display in the Trusted Certificates table. Figure 5-25 Self Certificates Active Self certificates are
  • Netgear FVS338 | FVS338 Reference Manual - Page 129
    FVS338 ProSafe VPN Firewall 50 Reference Manual ST=CA, L=Santa Clara, O=NETGEAR, OU=XX, CN=FVS338) • From the pull-down following information: • IP Address - If you have a fixed IP address, you may enter instructions of the CA to complete the certificate request process. Virtual Private Networking v1
  • Netgear FVS338 | FVS338 Reference Manual - Page 130
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Save to file Figure 5-26 To submit your Self Certificate request to a CA: BEGIN CERTIFICATE REQUEST---" and "---END CERTIFICATE REQUEST"). 4. Submit the CA form. If no problems ensue, the Certificate will be issued. 5-36 v1.0, March 2008 Virtual
  • Netgear FVS338 | FVS338 Reference Manual - Page 131
    FVS338 ProSafe VPN Firewall 50 Reference Manual When you obtain the certificate from the CA, you can then upload it to your computer. Click Browse to locate the Certificate file and then
  • Netgear FVS338 | FVS338 Reference Manual - Page 133
    help the network manager accomplish these goals. VPN Firewall Features That Reduce Traffic Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows: • Service Blocking • Block Sites • Source MAC Filtering Router and Network Management 6-1 v1.0, March 2008
  • Netgear FVS338 | FVS338 Reference Manual - Page 134
    FVS338 ProSafe VPN Firewall 50 Reference Manual Service Blocking You can control specific outbound traffic (for example, from LAN to WAN). Outbound Services lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule
  • Netgear FVS338 | FVS338 Reference Manual - Page 135
    FVS338 ProSafe VPN Firewall 50 Reference Manual See "Using Rules to Block or Allow Specific Kinds of Traffic" on page 4-1 for the procedure on how to use this feature. Services. The Rules menu contains a list of predefined Services for creating firewall rules. If a service does not appear in the
  • Netgear FVS338 | FVS338 Reference Manual - Page 136
    FVS338 ProSafe VPN Firewall 50 Reference Manual You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs even in the groups for which keyword blocking has been enabled will still be allowed
  • Netgear FVS338 | FVS338 Reference Manual - Page 137
    FVS338 ProSafe VPN Firewall 50 Reference Manual You can control specific inbound traffic (i.e., from WAN to LAN and from WAN to DMZ). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all
  • Netgear FVS338 | FVS338 Reference Manual - Page 138
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Services - You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see "Adding Customized Services" on page 4-18).
  • Netgear FVS338 | FVS338 Reference Manual - Page 139
    an SNMP manager, backup settings and upgrade firmware, and enable remote management. Administrator access is read/write and guest access is read-only. Changing Passwords and Settings The default password for the firewall's Web Configuration Manager is password. Netgear recommends that you change
  • Netgear FVS338 | FVS338 Reference Manual - Page 140
    FVS338 ProSafe VPN Firewall 50 Reference Manual To modify User or Admin settings: 1. Select Administration from the main menu and Set Password from the submenu. The Set Password screen will display. 2. Select the Settings you wish to edit by checking either the Edit Admin Settings or Edit Guest
  • Netgear FVS338 | FVS338 Reference Manual - Page 141
    FVS338 ProSafe VPN Firewall 50 Reference Manual Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a factory defaults reset. Enabling Remote Management Access Using the Remote Management page, you can allow an administrator on the
  • Netgear FVS338 | FVS338 Reference Manual - Page 142
    FVS338 ProSafe VPN Firewall 50 Reference Manual https://194.177.0.123:8080 Figure 6-2 To configure your firewall for Remote Management: 1. Select the Turn Remote Management On check box. a. Specify what external addresses will be allowed to access the firewall's remote management. Note: For
  • Netgear FVS338 | FVS338 Reference Manual - Page 143
    FVS338 ProSafe VPN Firewall 50 Reference Manual 2. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by
  • Netgear FVS338 | FVS338 Reference Manual - Page 144
    FVS338 ProSafe VPN Firewall 50 Reference Manual 3. Specify what external addresses will be allowed to access the firewall's remote management. Note: For enhanced security, restrict access to as few external IP addresses as practical. a. To allow access from any IP address on the Internet, select
  • Netgear FVS338 | FVS338 Reference Manual - Page 145
    FVS338 ProSafe VPN Firewall 50 Reference Manual • If you want to make the VPN firewall globally accessible using the community string, but still receive traps on the host, enter 0.0.0.0 as the Subnet Mask and an IP Address for where the traps will be received. 3. Enter the trap port number of the
  • Netgear FVS338 | FVS338 Reference Manual - Page 146
    FVS338 ProSafe VPN Firewall 50 Reference Manual Settings Backup and Firmware Upgrade Once you have installed the VPN firewall and have it working properly, you should back up a copy of your setting so that it is if something goes wrong. When you back up the settings, they are saved
  • Netgear FVS338 | FVS338 Reference Manual - Page 147
    FVS338 ProSafe VPN Firewall 50 Reference Manual You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the router's password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and
  • Netgear FVS338 | FVS338 Reference Manual - Page 148
    FVS338 ProSafe VPN Firewall 50 Reference Manual Warning: Once you click Upload do NOT interrupt the router! To upgrade router software: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. 2. Click
  • Netgear FVS338 | FVS338 Reference Manual - Page 149
    Figure 6-5 Monitoring the Router You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN ports, LAN ports, and VPN tunnels. Router and Network Management v1.0, March
  • Netgear FVS338 | FVS338 Reference Manual - Page 150
    FVS338 ProSafe VPN Firewall 50 Reference Manual Enabling the Traffic Meter To monitor traffic limits on each of the WAN ports, select Administration from the main menu and Traffic Meter from the submenu. The Broadband Traffic Meter screen will display. (The Broadband and Dialup ports are programmed
  • Netgear FVS338 | FVS338 Reference Manual - Page 151
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-7 Setting Login Failures and Attacks Notification Figure 6-8 shows the Firewall Logs & E-mail screen that is invoked by selecting Monitoring from the main menu and selecting Firewall Logs & E-mail from the submenu. You can send a System log
  • Netgear FVS338 | FVS338 Reference Manual - Page 152
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-8 (figure callouts: View System Logs; Select the types of events to email; Select the segments to track for System Log events; Enable email alerts; Syslog Server enabled) 6-20 v1.0, March 2008 Router and Network Management
  • Netgear FVS338 | FVS338 Reference Manual - Page 153
    this rule. Incoming traffic using one of these ports will be sent to the IP address above. The time remaining before this rule is released, and thus available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received. Router and Network Management v1.0, March 2008
  • Netgear FVS338 | FVS338 Reference Manual - Page 154
    current software the router is using. This will change if you upgrade your router. Displays the current settings for MAC address, IP address, DHCP role and IP Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None. 6-22 v1.0, March 2008 Router and Network Management
  • Netgear FVS338 | FVS338 Reference Manual - Page 155
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-2. Router Configuration Status Fields Item Description Broadband Configuration Indicates whether the WAN Mode is Single or Rollover, and whether the WAN State is UP or DOWN. If the WAN State is up, it also displays • NAT: Enabled or
  • Netgear FVS338 | FVS338 Reference Manual - Page 156
    FVS338 ProSafe VPN Firewall 50 Reference Manual . Figure 6-11 Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN from the main menu and Connection Status from the submenu. The IPSec Connection Status screen will display. Figure 6-12 Table 6-3.
  • Netgear FVS338 | FVS338 Reference Manual - Page 157
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-3. IPSec Connection Status Fields (continued) Item Tx (KB) Tx (Packets) State Action Description The amount of data transmitted over this SA. The number of IP packets transmitted over this SA. The current status of the SA. Phase 1 is
  • Netgear FVS338 | FVS338 Reference Manual - Page 158
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-14 Performing Diagnostics You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the firewall, and capturing packets. Select Monitoring from the main menu and Diagnostics
  • Netgear FVS338 | FVS338 Reference Manual - Page 159
    FVS338 ProSafe VPN Firewall 50 Reference Manual Figure 6-15 Table 6-4. Diagnostics Fields Item Description Ping or Trace an IP address Ping - Used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it
  • Netgear FVS338 | FVS338 Reference Manual - Page 160
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table 6-4. Diagnostics Fields Item Reboot the Router Packet Trace Description Used to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally. Note: Rebooting will break any
  • Netgear FVS338 | FVS338 Reference Manual - Page 161
    Chapter 7 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe VPN Firewall 50. After each problem description, instructions are provided to help you diagnose and solve the problem. Basic Functions After you turn on power to the firewall, the following sequence
  • Netgear FVS338 | FVS338 Reference Manual - Page 162
    to factory defaults. This will set the firewall's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 7-7. If the error persists, you might have a hardware problem and should contact technical support. LAN or Internet Port LEDs
  • Netgear FVS338 | FVS338 Reference Manual - Page 163
    FVS338 ProSafe VPN Firewall 50 Reference Manual • Make sure your PC's IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC's address should be in the range of 192.168.0.2 to 192.168.0.254. Note: If your PC's IP address is shown as 169.254.x.x:
  • Netgear FVS338 | FVS338 Reference Manual - Page 164
    FVS338 ProSafe VPN Firewall 50 Reference Manual Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall
  • Netgear FVS338 | FVS338 Reference Manual - Page 165
    FVS338 ProSafe VPN Firewall 50 Reference Manual - Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to "Configuring your Internet Connection" on page 2-2. If your firewall can obtain an IP address, but your PC is unable to load any Web pages
  • Netgear FVS338 | FVS338 Reference Manual - Page 166
    FVS338 ProSafe VPN Firewall 50 Reference Manual If the path is not functioning correctly, you could have one of the following problems: • Wrong physical connections - Make sure the LAN port LED is on. If the LED is off, follow the instructions in "LAN or Internet Port LEDs Not On" on page 7-2. -
  • Netgear FVS338 | FVS338 Reference Manual - Page 167
    FVS338 ProSafe VPN Firewall 50 Reference Manual Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address to 192.168.1.1. You can erase the current
  • Netgear FVS338 | FVS338 Reference Manual - Page 169
    FVS338 Default Settings Feature Router Login User Login URL User Name (case sensitive) Login Password (case sensitive) Internet Connection WAN MAC Address WAN MTU Size Port Speed Local Network (LAN) LAN IP Subnet Mask RIP Direction RIP Version RIP Authentication DHCP Server DHCP Starting IP Address
  • Netgear FVS338 | FVS338 Reference Manual - Page 170
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table A-1. FVS338 Default Settings (continued) Feature Default Behavior Time Zone GMT Time Zone Adjusted for Daylight Saving Disabled Time SNMP Disabled Remote Management Disabled Firewall Inbound (communications coming in from Disabled (
  • Netgear FVS338 | FVS338 Reference Manual - Page 171
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table A-2. VPN firewall Default Technical Specifications Feature Environmental Specifications Operating temperature: Operating humidity: Electromagnetic Emissions Meets requirements of: Interface Specifications LAN: WAN: Specification 0° to 40° C (
  • Netgear FVS338 | FVS338 Reference Manual - Page 173
    port Source IP Address of machine from where the packet is coming. Protocol type System Log Messages This section describes log messages that belong to one of the following categories: • Logs generated by traffic that is meant for the device. • Logs generated by traffic that is routed or forwarded
  • Netgear FVS338 | FVS338 Reference Manual - Page 174
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-2. System Logs: System Startup Message Explanation Recommended Action Jan 1 15:22:28 [FVS338] [ledTog] [SYSTEM START-UP] System Started Log generated when the system is started. None Reboot This section describes log messages generated
  • Netgear FVS338 | FVS338 Reference Manual - Page 175
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-4. System Logs: NTP Message Explanation Recommended Action Nov 28 12:31:13 [FVS338] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [FVS338] [ntpdate] Requesting time from time-f.netgear.com Nov 28 12:31:14 [FVS338] [ntpdate] adjust
  • Netgear FVS338 | FVS338 Reference Manual - Page 176
    ProSafe VPN Firewall 50 Reference Manual Table B-6. System Logs: Firewall Restart Message Explanation Recommended Action Jan 23 16:20:44 [FVS338] [wand] [FW] Firewall Restarted Log generated when the firewall is restarted. This log is logged when firewall restarts after applying any changes
  • Netgear FVS338 | FVS338 Reference Manual - Page 177
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-8. System Logs: WAN Status, Load Balancing Message Explanation Recommended Action Dec 1 12:11:27 [FVS338] [wand] [LBFO] Restarting WAN1_ Dec 1 12:11:31 [FVS338] [wand] [LBFO] Restarting WAN2_ Dec 1 12:11:35 [FVS338] [wand] [LBFO] WAN1(UP),
  • Netgear FVS338 | FVS338 Reference Manual - Page 178
    FVS338 ProSafe VPN Firewall 50 Reference Manual System Logs: WAN Status, Auto Rollover Message Explanation Recommended Action Nov 17 09:59:09 [FVS338] [wand] [LBFO] WAN1 Test Failed 1 of 3 times_ Nov 17 09:59:39 [FVS338] [wand] [LBFO] WAN1 Test Failed 2 of 3 times_ Nov 17 10:00:09 [FVS338] [wand]
  • Netgear FVS338 | FVS338 Reference Manual - Page 179
    FVS338 ProSafe VPN Firewall 50 Reference Manual PPPoE Idle-Timeout Logs. Table B-9. System Logs: WAN Status, PPE, PPPoE Idle-Timeout Message Explanation Recommended Action Nov 29 13:12:46 [FVS338] [pppd] Starting connection Nov 29 13:12:49 [FVS338] [pppd] Remote message: Success Nov 29 13:12:49 [
  • Netgear FVS338 | FVS338 Reference Manual - Page 180
    ProSafe VPN Firewall 50 Reference Manual PPTP Idle-Timeout Logs. Table B-10. System Logs: WAN Status, PPE, PPTP Idle-Timeout Message Explanation Nov 29 11:19:02 [FVS338] [pppd] Starting connection Nov 29 11:19:05 [FVS338] [pppd] CHAP authentication succeeded Nov 29 11:19:05 [FVS338] [pppd] local
  • Netgear FVS338 | FVS338 Reference Manual - Page 181
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-12. System Logs: Web Filtering and Content Filtering Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Jan 23 16:36:35 [FVS338] [kernel
  • Netgear FVS338 | FVS338 Reference Manual - Page 182
    FVS338 ProSafe VPN Firewall 50 Reference Manual Traffic Metering Logs Table B-13. System Logs: Traffic Metering Message Explanation Recommended Action Jan 23 19:03:44 [TRAFFIC_METER] TRAFFIC_METER: Monthly Limit of 10 MB has reached for WAN1._ Traffic limit to WAN1 that was set as 10Mb has been
  • Netgear FVS338 | FVS338 Reference Manual - Page 183
    FVS338 ProSafe VPN Firewall 50 Reference Manual Multicast/Broadcast Logs Table B-16. System Logs: Multicast/Broadcast Message Explanation Recommended Action Jan 1 07:24:13 [FVS338] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 • This packet (
  • Netgear FVS338 | FVS338 Reference Manual - Page 184
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-18. System Logs: Invalid Packets (continued) Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation 1. Invalid packets are dropped. 2. Use
  • Netgear FVS338 | FVS338 Reference Manual - Page 185
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-18. System Logs: Invalid Packets (continued) Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action 1. Invalid packets
  • Netgear FVS338 | FVS338 Reference Manual - Page 186
    FVS338 ProSafe VPN Firewall 50 Reference Manual Table B-18. System Logs: Invalid Packets (continued) Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=
  • Netgear FVS338 | FVS338 Reference Manual - Page 187
    FVS338 ProSafe VPN Firewall 50 Reference Manual LAN to WAN Logs Table B-19. Routing Logs: LAN to WAN Message Explanation Recommended Action Nov 29 09:19:43 [FVS338] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0 • This packet from LAN to WAN
  • Netgear FVS338 | FVS338 Reference Manual - Page 188
    FVS338 ProSafe VPN Firewall 50 Reference Manual DMZ to LAN Logs Table B-23. Routing Logs: DMZ to WAN Message Explanation Recommended Action Nov 29 09:44:06 [FVS338] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0 • This packet from DMZ to LAN
  • Netgear FVS338 | FVS338 Reference Manual - Page 189
    htm TCP/IP Addressing: Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for http://documentation.netgear.com/reference/enu/wsdhcp/index.htm Network Access: Virtual Private Networking (VPN): http://documentation.netgear.com/reference
  • Netgear FVS338 | FVS338 Reference Manual - Page 190
    FVS338 ProSafe VPN Firewall 50 Reference Manual C-2 Related Documents v1.0, March 2008
  • Netgear FVS338 | FVS338 Reference Manual - Page 191
    Index A Add LAN WAN Inbound Service screen 4-9, 4-15 Add LAN WAN Outbound Service screen 4-8 address reservation 3-10 AH VPN Policies, use with 5-7 ARP 3-6 Attack Checks Block TCP Flood 4-10 Respond To Ping On Internet 4-10 Stealth Mode 4-10 Attack Checks screen 4-10, 4-11 Attacks Notification 6-19
  • Netgear FVS338 | FVS338 Reference Manual - Page 192
    FVS338 ProSafe VPN Firewall 50 Reference Manual D date troubleshooting 7-7 Daylight Savings Time setting 6-17 Dead Peer Detection 5-5 default configuration restoring 7-7 default firewall rules 4-1 Inbound 4-1 Outbound 4-2 Default Outbound Policy LAN WAN 4-7 denial of service attack 4-10 UDP flood
  • Netgear FVS338 | FVS338 Reference Manual - Page 193
    FVS338 ProSafe VPN Firewall 50 Reference Manual technical specifications A-1 firewall access remote management 6-9 Firewall Logs configuring 4-34 emailing of 4-32 Firewall Logs & E-mail screen 4-33, 6-19 firewall protection 4-1 firewall rules about 4-1 ordering 4-6 firmware upgrade 6-14 FQDN use in
  • Netgear FVS338 | FVS338 Reference Manual - Page 194
    FVS338 ProSafe VPN Firewall 50 Reference Manual examples of 4-23 L L2TP VPN Tunnel 4-11 LAN configuration 3-1 ports and attached devices 6-25 LAN Security Checks UDP flood 4-11 LAN Setup Enable DHCP Server 3-3 Enable DNS Proxy 3-3 IP Address 3-2 IP Address Pool 3-3 IP Subnet Mask 3-3 WINS Server IP
  • Netgear FVS338 | FVS338 Reference Manual - Page 195
    FVS338 ProSafe VPN Firewall 50 Reference Manual R rack mounting 1-7 RADIUS Client screen 5-24 RADIUS server configuring 5-23 RADIUS-CHAP XAUTH, use with 5-21 RADIUS-PAP XAUTH, use with 5-21 Reboot the Router 6-28 reducing traffic Block Sites 6-1 Service Blocking 6-1 Source MAC filtering 6-1 remote
  • Netgear FVS338 | FVS338 Reference Manual - Page 196
    FVS338 ProSafe VPN Firewall 50 Reference Manual blocking traffic 4-1 service blocking 4-2 services-based 4-2 S Schedule blocking traffic 4-21 rules, covered by 6-2 Schedule 1 screen 4-21 Security 1-2 Security Policy Editor screen 5-15 Self Certificate format of 5-35 Request, generating 5-34 Self
  • Netgear FVS338 | FVS338 Reference Manual - Page 197
    FVS338 ProSafe VPN Firewall 50 Reference Manual LEDs Never Turn Off 7-2 NTP 7-7 Power LED Not On 7-1 Web configuration 7-2 Trusted Certificates 5-33 about 5-33 U UDP flood denial of service attack 4-11 upgrade firmware 6-14 upgrade router steps to 6-16 User Database configuring 5-22 XAUTH, use with
  • Netgear FVS338 | FVS338 Reference Manual - Page 198
    FVS338 ProSafe VPN Firewall 50 Reference Manual Index-8 v1.0, March 2008
