Netgear FVX538 FVX538 Reference Manual

Netgear FVX538 - ProSafe VPN Firewall 200 Router Manual

Netgear FVX538 manual content summary:

  • Netgear FVX538 | FVX538 Reference Manual - Page 1
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA 202-10062-02 Version 1.1 January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 2
    NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows to part 15 of the FCC Rules. These limits are designed to provide in accordance with the instructions, may cause harmful interference wird hiermit bestätigt, daß das FVX538 ProSafe VPN Firewall 200 gemäß der im BMPT-AmtsblVfg 243/
  • Netgear FVX538 | FVX538 Reference Manual - Page 3
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Certificate of the Manufacturer/Importer It is hereby certified that the FVX538 ProSafe VPN Firewall 200 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some
  • Netgear FVX538 | FVX538 Reference Manual - Page 4
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All , OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
  • Netgear FVX538 | FVX538 Reference Manual - Page 5
    Manual for the ProSafe VPN Firewall 200 FVX538 make and use derivative works provided that such works are identified as "derived products derived from this software without specific prior written permission. THIS SOFTWARE -- interface of the 'zlib' general purpose compression library version 1.1.4,
  • Netgear FVX538 | FVX538 Reference Manual - Page 6
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Product and Publication Details Model Number: Publication Date: Product Family: Product Name: Home or Business Product: Language: FVX538 January 2005 Router FVX538 ProSafe VPN Firewall 200 Business English -6 January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 7
    Router's IP Address, Login Name, and Password 2-9 Logging into the Router 2-9 Default Factory Settings 2-10 NETGEAR Related Products 2-11 Chapter 3 Network Planning Overview of the Planning Process 3-1 Inbound Traffic ...3-1 Virtual Private Networks (VPNs 3-1 The Roll-over Case for Firewalls
  • Netgear FVX538 | FVX538 Reference Manual - Page 8
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The Load Balancing Case for Firewalls With Dual WAN Ports 3-2 Inbound Traffic ...3-3 Inbound Traffic to Single WAN Port (Reference Case 3-3 Inbound Traffic to Dual WAN Port Systems 3-3 Inbound Traffic: Dual WAN Ports for Improved
  • Netgear FVX538 | FVX538 Reference Manual - Page 9
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Load Balancing (and Protocol Binding) Setup 4-17 Step 5: Configure Dynamic DNS (If Needed 4-20 Step 6: Configure the WAN Options (If Needed 4-23 Chapter 5 LAN Configuration Using the LAN IP Setup Options 5-1 Configuring LAN TCP/IP Setup
  • Netgear FVX538 | FVX538 Reference Manual - Page 10
    8-5 Port Triggering 8-7 DMZ Port ...8-7 VPN Tunnels ...8-8 Using QoS to Shift the Traffic Mix 8-8 Tools for Traffic Management 8-8 Administrator and Guest Access Authorization 8-8 Changing the Passwords and Login Timeout 8-9 Enabling Remote Management Access 8-9 Command Line Interface 8-11
  • Netgear FVX538 | FVX538 Reference Manual - Page 11
    8-21 DHCP Log ...8-23 Port Triggering Status 8-23 Firewall ...8-24 VPN Tunnels ...8-27 SNMP ...8-28 Diagnostics ...8-28 Configuration File Management 8-30 Restoring and Backing Up the Configuration 8-31 Upgrading the Firewall Software 8-31 Erasing the Configuration (Factory Defaults Reset 8-32
  • Netgear FVX538 | FVX538 Reference Manual - Page 12
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Appendix A Technical Specifications Appendix B Network, Routing, Firewall, and Basics Related Publications ...B-1 Basic Router Concepts B-1 What is a Router B-2 Routing Information Protocol B-2 IP Addresses and the Internet B-2 Netmask
  • Netgear FVX538 | FVX538 Reference Manual - Page 13
    Manual for the ProSafe VPN Firewall 200 FVX538 Enabling DHCP to Automatically Configure TCP/IP Settings C-8 DHCP Configuration of TCP/IP in Windows XP C-8 DHCP Configuration of TCP/IP in Windows 2000 C-10 DHCP Configuration of TCP/IP in Windows NT4 C-13 Verifying TCP/IP Properties for Windows
  • Netgear FVX538 | FVX538 Reference Manual - Page 14
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Testing and Troubleshooting D-11 Additional Reading ...D-11 Glossary List of Glossary Terms Glossary-1 Numeric ...Glossary-1 A ...Glossary-2 B ...Glossary-2 C ...Glossary-3 D ...Glossary-3 E ...Glossary-4 G ...Glossary-5 I ...Glossary-5 L
  • Netgear FVX538 | FVX538 Reference Manual - Page 15
    or special interest. This manual is written for the FVX538 VPN firewall according to these specifications: Table 1-2. Manual Scope Product Version Manual Publication Date FVX538 ProSafe VPN Firewall 200 January 2005 Note: Product updates are available on the NETGEAR, Inc. Web site at
  • Netgear FVX538 | FVX538 Reference Manual - Page 16
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 How to Use This Manual The HTML version of this manual includes the following: • Buttons, and , for browsing forwards or backwards through the manual one page at a time •A button that displays the table of contents and an button.
  • Netgear FVX538 | FVX538 Reference Manual - Page 17
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 How to Print this Manual To print this manual you can choose one of the following several options, according to your needs. • Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the
  • Netgear FVX538 | FVX538 Reference Manual - Page 18
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 1-4 About This Manual January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 19
    and provide load balancing and link aggregation. • Support for up to 200 VPN tunnels. • Easy, web-based setup for installation and management. • URL keyword Content Filtering and Site Blocking Security. • Quality of Service (QoS) support for traffic prioritization. • Built in 8-port 10/100
  • Netgear FVX538 | FVX538 Reference Manual - Page 20
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. • 1 U Rack mountable. Dual WAN Ports for Increased Reliability or Outbound Load Balancing The FVX538 VPN firewall has two broadband WAN ports,
  • Netgear FVX538 | FVX538 Reference Manual - Page 21
    direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports. • DMZ port Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local
  • Netgear FVX538 | FVX538 Reference Manual - Page 22
    remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC. Easy Installation and Management You can install, configure, and operate the FVX538 ProSafe VPN Firewall 200
  • Netgear FVX538 | FVX538 Reference Manual - Page 23
    firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. • Visual monitoring The FVX538 VPN firewall
  • Netgear FVX538 | FVX538 Reference Manual - Page 24
    your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. The Router's Front Panel The FVX538 ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button
  • Netgear FVX538 | FVX538 Reference Manual - Page 25
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Table 2-1. Object Descriptions (continued) Object Activity Description WAN Ports and LEDs Two RJ-45 WAN ports N-way automatic speed negotiation, Auto MDI/MDIX. Link/Act LED On (Green) Blinking (Green) Off The WAN port has detected a
  • Netgear FVX538 | FVX538 Reference Manual - Page 26
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The Router's Rear Panel The rear panel of the FVX538 ProSafe VPN Firewall 200 (Figure 2-2) contains the On/Off switch and AC power connection. 100-240 VAC, 50-60Hz, 0.7A max. Figure 2-2: FVX538 Rear Panel AC Power On/Off Connection Switch
  • Netgear FVX538 | FVX538 Reference Manual - Page 27
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The Router's IP Address, Login Name, and Password Check the label on the bottom of the FVX538's enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN • User
  • Netgear FVX538 | FVX538 Reference Manual - Page 28
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Figure 2-5: Login screen on the Web browser Default Factory Settings When you first receive your FVX538, the default factory settings will be set as shown in Table 2-1 below. You can restore these defaults with the Factory Defaults restore
  • Netgear FVX538 | FVX538 Reference Manual - Page 29
    Manual for the ProSafe VPN Firewall 200 FVX538 NETGEAR Related Products NETGEAR products related to the FVX538 ProSafe VPN Firewall 200 are as follows: • FA311 10/100 PCI Adapter • FA511 10/100 32-bit CardBus Adapter • GA311 10/100/1000 PCI Adapter • FVL328 ProSafe VPN Firewall • FVS318 ProSafe VPN
  • Netgear FVX538 | FVX538 Reference Manual - Page 30
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 2-12 January 2005 Introduction
  • Netgear FVX538 | FVX538 Reference Manual - Page 31
    Manual for the ProSafe VPN Firewall 200 FVX538 Chapter 3 Network Planning This chapter describes the factors to consider when planning a network using a firewall that has dual WAN ports. Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports
  • Netgear FVX538 | FVX538 Reference Manual - Page 32
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Note: Once the gateway firewall WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address. The Roll-over Case for Firewalls With Dual WAN Ports Rollover (Figure 3-1) for the dual WAN port case is
  • Netgear FVX538 | FVX538 Reference Manual - Page 33
    the ProSafe VPN Firewall 200 FVX538 Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu. Instead of discarding this traffic, you can have it forwarded
  • Netgear FVX538 | FVX538 Reference Manual - Page 34
    Manual for the ProSafe VPN Firewall 200 FVX538 Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover (Figure 3-4), the WAN's IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses
  • Netgear FVX538 | FVX538 Reference Manual - Page 35
    Manual for the ProSafe VPN Firewall 200 FVX538 Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall's dual WAN port depends on the configuration
  • Netgear FVX538 | FVX538 Reference Manual - Page 36
    Manual for the ProSafe VPN Firewall 200 FVX538 Dual WAN Ports (Before Rollover) WAN1 IP Gateway netgear.dyndns.org X X VPN Router WAN2 port inactive WAN2 IP (N/A) Dual WAN Ports (After Rollover) Gateway WAN1 IP (N/A) WAN1 port inactive X X netgear.dyndns.org VPN Router WAN2 IP IP
  • Netgear FVX538 | FVX538 Reference Manual - Page 37
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 10.5.6.0/24 Road Warrior Example (Single WAN Port) Client B LAN IP 10.5.6.1 Gateway A VPN Router (at employer's main office) WAN IP FQDN bzrouter.dyndns.org Fully-Qualified Domain Names (FQDN) - optional for Fixed IP addresses - required
  • Netgear FVX538 | FVX538 Reference Manual - Page 38
    the domain name of the gateway firewall between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel. VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing In the case of the
  • Netgear FVX538 | FVX538 Reference Manual - Page 39
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional. VPN Gateway-to-Gateway
  • Netgear FVX538 | FVX538 Reference Manual - Page 40
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-13), either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate
  • Netgear FVX538 | FVX538 Reference Manual - Page 41
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 10.5.6.0/24 Gateway-to-Gateway Example (Dual WAN Ports, After Rollover) 172.23.9.0/24 LAN IP 10.5.6.1 Gateway A VPN Router (at office A) WAN_A1 IP (N/A) WAN_A1 port inactive X X WAN_B1 IP netgearB.dyndns.org Gateway B netgear.dyndns.
  • Netgear FVX538 | FVX538 Reference Manual - Page 42
    gateway WAN ports used for load balancing VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall (Figure 3-16), the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not
  • Netgear FVX538 | FVX538 Reference Manual - Page 43
    WAN2 IP WAN IP 0.0.0.0 Fully-Qualified Domain Names (FQDN) - required for Fixed IP addresses - required for Dynamic IP addresses NAT Router B NAT Router (at telecommuter's home office) Remote PC must re-establish VPN tunnel after a rollover Client B Remote PC (running NETGEAR ProSafe VPN Client
  • Netgear FVX538 | FVX538 Reference Manual - Page 44
    .dyndns.org WAN2 IP 0.0.0.0 Fully-Qualified Domain Names (FQDN) - optional for Fixed IP addresses - required for Dynamic IP addresses NAT Router (at telecommuter's home office) Client B Remote PC (running NETGEAR ProSafe VPN Client) Figure 3-19: Dual gateway WAN ports (load balancing case) for
  • Netgear FVX538 | FVX538 Reference Manual - Page 45
    describes how to connect the WAN ports of the FVX538 VPN firewall to the Internet. What You Will Need to Do Before You Begin The FVX538 ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of
  • Netgear FVX538 | FVX538 Reference Manual - Page 46
    5: Configure Dynamic DNS (If Needed)" on page 4-20. 3. Plan your network management approach • The FVX538 VPN firewall is capable of being managed remotely, but this feature must be enabled locally after each factory default reset. You are strongly advised to change the default password password to
  • Netgear FVX538 | FVX538 Reference Manual - Page 47
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • There are a variety of WAN options you can choose when the factory default settings are not applicable to your installation. These include enabling a WAN port to respond to a ping and setting MTU size, port speed, and upload bandwidth. You
  • Netgear FVX538 | FVX538 Reference Manual - Page 48
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Fixed IP Address which is also known as Static IP Address Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. • Your ISPs provide all the information
  • Netgear FVX538 | FVX538 Reference Manual - Page 49
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Record Your Internet Connection Information Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by
  • Netgear FVX538 | FVX538 Reference Manual - Page 50
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Connecting the FVX538 ProSafe VPN Firewall 200 This section provides instructions for connecting the FVX538 VPN firewall. Also, the Resource CD for ProSafe VPN Firewall included with your firewall contains an animated Installation Assistant to
  • Netgear FVX538 | FVX538 Reference Manual - Page 51
    "The Router's Front Panel" on page 2-6 for a description of lights on the front panel and their meaning. Step 2: Log in to the VPN Firewall (Required) Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. If you need instructions on
  • Netgear FVX538 | FVX538 Reference Manual - Page 52
    Manual for the ProSafe VPN Firewall 200 FVX538 Figure 4-2: Login screen on the Web browser 2. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. The firewall
  • Netgear FVX538 | FVX538 Reference Manual - Page 53
    WAN1 screens Reference Manual for the ProSafe VPN Firewall 200 FVX538 WAN2 screens Figure 4-3: WAN1 and WAN2 Basic Settings and Setup Wizard Screens Connecting the FVX538 to the Internet 4-9 January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 54
    ). Login (Username, Password), Local IP, and PPTP Server IP. No data is required. IP address and related data supplied by your ISP. e. Set up the traffic meter for ISP1 if desired. See "Programming the Traffic Meter (if Desired)" on page 4-13. Note: At this point of the configuration process
  • Netgear FVX538 | FVX538 Reference Manual - Page 55
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 2. The steps to configure WAN port 2 are as follows: a. Repeat the above steps to set up the parameters for ISP2. Start by clicking the WAN2 ISP link directly under WAN Setup on the upper left of the main menu to get the WAN2 ISP Settings
  • Netgear FVX538 | FVX538 Reference Manual - Page 56
    Manual for the ProSafe VPN Firewall 200 FVX538 Manually Configuring Your Internet Connection You can manually configure your firewall using the menu below if you do not want to allow the Setup Wizard to determine your configuration as described in the previous sections. ISP Does Not Require Login
  • Netgear FVX538 | FVX538 Reference Manual - Page 57
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Programming the Traffic Meter (if Desired) From the Main Menu of the browser interface, under WAN Setup, click Traffic Meter. You will get the screens shown in Figure 4-5. Fill out the information described in Table 4-1. Figure 4-5: Traffic
  • Netgear FVX538 | FVX538 Reference Manual - Page 58
    ProSafe VPN Firewall 200 FVX538 Table 4-1. Traffic meter Parameter Description Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected through the drop down menu, the entire configuration
  • Netgear FVX538 | FVX538 Reference Manual - Page 59
    The dual WAN ports of the FVX538 ProSafe VPN Firewall 200 can be configured on a mutually exclusive basis for either rollover for increased system reliability or load balancing for maximum bandwidth efficiency. • Rollover (Auto-Rollover) Mode-In this mode, the selected WAN interface is made primary
  • Netgear FVX538 | FVX538 Reference Manual - Page 60
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Rollover Setup Perform the following steps to configure the dual WAN ports for rollover: 1. Click the WAN Mode link directly under Setup on the upper left of the main menu to invoke the WAN Mode Auto-Rollover screen shown in Figure 4-6.
  • Netgear FVX538 | FVX538 Reference Manual - Page 61
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Test Period-DNS query is sent periodically after every test period. The minimum test period is 30 seconds. • Maximum Failures-The WAN interface is considered down after the configured number of DNS queries have failed to elicit a DNS reply
  • Netgear FVX538 | FVX538 Reference Manual - Page 62
    Manual for the ProSafe VPN Firewall 200 FVX538 Figure 4-7: WAN Mode screen for load balancing and protocol binding Fill out the screen using the following parameter definitions: • Detection of WAN failure-WAN failure is detected using DNS queries to the DNS server. For each WAN interface, DNS
  • Netgear FVX538 | FVX538 Reference Manual - Page 63
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Test Period-DNS query is sent periodically after every test period. The minimum test period is 30 seconds. • Maximum Failures-The WAN interface is considered down after the configured number of DNS queries have failed to elicit a DNS reply
  • Netgear FVX538 | FVX538 Reference Manual - Page 64
    password and LAN address you have chosen for the firewall. 2. From the Main Menu of the browser interface, under WAN Setup, click on Dynamic DNS. a. Rollover Mode: You will get the screen shown in Figure 4-8 with AUTO_ROLLOVER shown in the pulldown. b. Load Balancing Mode: Select WAN1 or WAN2
  • Netgear FVX538 | FVX538 Reference Manual - Page 65
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Dynamic DNS screen for rollover mode Dynamic DNS screens for load balancing mode Figure 4-8: Dynamic DNS screens Connecting the FVX538 to the Internet January 2005 4-21
  • Netgear FVX538 | FVX538 Reference Manual - Page 66
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Each DNS service provider requires its own parameters (Figure 4-9). DynDNS Service Screen TZO Service Screen Oray Service Screen Figure 4-9: Dynamic DNS service provider screens 3. Access the website of one of the dynamic DNS service
  • Netgear FVX538 | FVX538 Reference Manual - Page 67
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet. Step 6: Configure the WAN Options (If Needed) Perform the
  • Netgear FVX538 | FVX538 Reference Manual - Page 68
    Manual for the ProSafe VPN Firewall 200 FVX538 • Port Speed-In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port
  • Netgear FVX538 | FVX538 Reference Manual - Page 69
    features of your FVX538 ProSafe VPN Firewall 200. These features can be found under the Advanced heading in the Main Menu of the browser interface. • LAN Setup • DMZ Setup • Static Routes Using the LAN IP Setup Options The LAN IP Setup menu allows configuration of LAN IP services such as DHCP
  • Netgear FVX538 | FVX538 Reference Manual - Page 70
    ProSafe VPN Firewall 200 FVX538 Figure 5-1: LAN IP Setup menu Note: Once you have completed the LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 6, "Firewall Protection and Content Filtering." Configuring LAN TCP/IP
  • Netgear FVX538 | FVX538 Reference Manual - Page 71
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255
  • Netgear FVX538 | FVX538 Reference Manual - Page 72
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Ending IP Address - This box specifies the last of the contiguous addresses in the IP address pool. 192.168.1.254 is the default ending address. • WINS Server - This box can specify the Windows NetBios Server IP if one is present in your
  • Netgear FVX538 | FVX538 Reference Manual - Page 73
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall's LAN IP address) • Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu) • WINS Server (if you
  • Netgear FVX538 | FVX538 Reference Manual - Page 74
    standard firewall security used for the LAN. The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (i.e., LAN port 8, see "The Router's Front Panel" on page 2-6) and configure an IP address and Mask for the DMZ port. 5-6 LAN Configuration
  • Netgear FVX538 | FVX538 Reference Manual - Page 75
    Firewall 200 FVX538 Step 1: Enable the DMZ port From the Main Menu of the browser interface, under Advanced, click on DMZ Setup to view the DMZ Setup menu, shown below. Figure 5-4: DMZ Setup screen To enable and configure the DMZ port: 1. Click the Enable DMZ Port checkbox. 2. Enter the IP Address
  • Netgear FVX538 | FVX538 Reference Manual - Page 76
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Ending IP Address - This box specifies the last of the contiguous addresses in the IP address pool. 192.168.10.254 is the default ending address. • WINS Server - This box specifies the Windows Internet Naming Service Server IP. • Lease Time
  • Netgear FVX538 | FVX538 Reference Manual - Page 77
    Manual for the ProSafe VPN Firewall 200 FVX538 Configuring Static Routes Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure
  • Netgear FVX538 | FVX538 Reference Manual - Page 78
    Manual for the ProSafe VPN Firewall 200 FVX538 4. Select Active to make this route effective. 5. Type the Destination IP Address of the final destination. 6. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255. 7. Type the Gateway IP Address
  • Netgear FVX538 | FVX538 Reference Manual - Page 79
    interface. Firewall Protection and Content Filtering Overview The FVX538 ProSafe VPN Firewall 200 response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT. Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific
  • Netgear FVX538 | FVX538 Reference Manual - Page 80
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVX538 are: • Inbound: Block all access from outside except responses to requests from the LAN side. • Outbound: Allow all access from the
  • Netgear FVX538 | FVX538 Reference Manual - Page 81
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Note: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems. Outbound Services-This lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will
  • Netgear FVX538 | FVX538 Reference Manual - Page 82
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 b. Click the button for the desired actions: - Edit - to make any changes to the rule definition. The Inbound Service screen will be displayed (see "Inbound Rules (Port Forwarding)" on page 6-5) with the data for the selected rule. - Move - to
  • Netgear FVX538 | FVX538 Reference Manual - Page 83
    VPN Firewall 200 FVX538 • Quality of service (QoS) priorities-Each service at its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change this QoS priority if desired to change the traffic mix through the system. Inbound Rules (Port Forwarding
  • Netgear FVX538 | FVX538 Reference Manual - Page 84
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Table 6-1. Inbound Services Item Description Services Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (
  • Netgear FVX538 | FVX538 Reference Manual - Page 85
    Manual for the ProSafe VPN Firewall 200 FVX538 Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services
  • Netgear FVX538 | FVX538 Reference Manual - Page 86
    of external IP addresses. Figure 6-4: Rule example: videoconference from restricted addresses Inbound Rule Example: One-to-One NAT Mapping This application note describes how to configure multi-NAT to support multiple public IP addresses on one WAN interface of a NETGEAR FVX538 ProSafe VPN Firewall
  • Netgear FVX538 | FVX538 Reference Manual - Page 87
    Manual for the ProSafe VPN Firewall 200 FVX538 - LAN IP address subnet is 192.168.1.1 255.255.255.0 - DMZ IP address subnet is 192.168.10.1 255.255.255.0 • Web server PC on the firewall's LAN - LAN IP address is 192.168.1.2 - Access to Web server is (simulated) public IP address 10.1.0.52 IP Address
  • Netgear FVX538 | FVX538 Reference Manual - Page 88
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Figure 6-5: Rule example: one-to-one NAT mapping 5. Select Action "ALLOW always". 6. For Send to LAN Server, enter the local IP address of your web server PC. 7. For Public Destination IP Address, choose "Other Public IP Address." 8. Enter
  • Netgear FVX538 | FVX538 Reference Manual - Page 89
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Figure 6-6: Rule example: one-to-one NAT mapping on inbound services To test the connection from a PC on the Internet, type http://, where is the public IP address you have mapped to your web server. You should see
  • Netgear FVX538 | FVX538 Reference Manual - Page 90
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If
  • Netgear FVX538 | FVX538 Reference Manual - Page 91
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Outbound Rules (Service Blocking) The FVX538 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. Figure 6-8: Add Outbound Service Rules screen Note: See "Source
  • Netgear FVX538 | FVX538 Reference Manual - Page 92
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Table 6-1. Outbound Services Item Action Select Schedule LAN users WAN Users QoS Priority Log Description Select the desired action for outgoing connections covered by this rule: • BLOCK always • BLOCK by schedule, otherwise Allow • ALLOW
  • Netgear FVX538 | FVX538 Reference Manual - Page 93
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Outbound Rule Example: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address
  • Netgear FVX538 | FVX538 Reference Manual - Page 94
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 6-10: Figure 6-10: Rules table with examples For any traffic attempting to pass through the firewall, the packet
  • Netgear FVX538 | FVX538 Reference Manual - Page 95
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Although the FVX538 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu
  • Netgear FVX538 | FVX538 Reference Manual - Page 96
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 5. Click Apply. The new service will now appear in the Services menu, and in the Service name selection box in the Rules menu. Quality of Service (QoS) Priorities This setting determines the priority of a service, which in turn, determines the
  • Netgear FVX538 | FVX538 Reference Manual - Page 97
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The QoS priority definition for a service determines the queue that is used for its traffic passing through the FVX538 VPN firewall as follows: Table 6-2. Traffic queue to be used for a service Netgear QoS Setting† Native ToS Setting*
  • Netgear FVX538 | FVX538 Reference Manual - Page 98
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Managing Groups and Hosts The Network Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: • DHCP Client Requests-By default, the DHCP server in this Router
  • Netgear FVX538 | FVX538 Reference Manual - Page 99
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Figure 6-13: Groups and Hosts screens Firewall Protection and Content Filtering January 2005 6-21
  • Netgear FVX538 | FVX538 Reference Manual - Page 100
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Table 6-3. Groups and hosts Item Known PCs and Devices Operations Description This table lists all current entries in the Network Database. For each PC or device, the following data is displayed. • Radio button-Use this to select a PC for
  • Netgear FVX538 | FVX538 Reference Manual - Page 101
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Figure 6-14: Schedule menu To invoke rules and block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if
  • Netgear FVX538 | FVX538 Reference Manual - Page 102
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Time Zone The FVX538 VPN firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must specify your Time
  • Netgear FVX538 | FVX538 Reference Manual - Page 103
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The Block Sites menu is shown in Figure 6-15: Figure 6-15: Block Sites menu Firewall Protection and Content Filtering January 2005 6-25
  • Netgear FVX538 | FVX538 Reference Manual - Page 104
    Manual for the ProSafe VPN Firewall 200 FVX538 Table 6-4. Block Sites Item Description Web Component Blocking Select Proxy, Java, ActiveX and Cookies to enable respective content filtering. Example: By enabling Java filtering *.java files will be blocked. Note: Keywords are always blocked
  • Netgear FVX538 | FVX538 Reference Manual - Page 105
    by default. • When enabled, Internet-bound traffic will be dropped from the PCs that have the configured MAC addresses. Figure 6-16: Source MAC Filter screens Note: For additional ways of restricting outbound traffic, see "Outbound Rules (Service Blocking)" on page 6-13. Firewall Protection
  • Netgear FVX538 | FVX538 Reference Manual - Page 106
    them with the PC. • The remote system receives the PC's request and responds using the different port numbers that you have now opened. • This Router matches the response to the previous request, and forwards the response to the PC. Without Port Triggering, this response would be treated as a new
  • Netgear FVX538 | FVX538 Reference Manual - Page 107
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated. Note: For
  • Netgear FVX538 | FVX538 Reference Manual - Page 108
    Manual for the ProSafe VPN Firewall 200 FVX538 Table 6-6. Port Triggering Item Description Port Triggering Rules • Enable - Indicates if the rule is enabled or disabled. Generally, there is no need to disable a rule unless it interferes with some other function such as Port Forwarding
  • Netgear FVX538 | FVX538 Reference Manual - Page 109
    Manual for the ProSafe VPN Firewall 200 FVX538 Figure 6-18: Logs and E-mail screens Click the View Log button to view various log messages generated by the Router. In the View Log window: • To delete all log entries: Click Clear Log. • To see the most recent entries: Click Refresh. • To E-mail the log
  • Netgear FVX538 | FVX538 Reference Manual - Page 110
    Manual for the ProSafe VPN Firewall 200 FVX538 Items to include in the log: • Use these checkboxes to determine which events are included in the log. Selecting all events will increase the size of the log, so it is good practice to disable any events which are not really required. • Selecting
  • Netgear FVX538 | FVX538 Reference Manual - Page 111
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • In the Log Threshold Time box, set the log's threshold time. • In the Alert Queue Length box, set the alert queue length. Click Apply to have your changes take effect. Syslog You can configure the firewall to send system logs to an external
  • Netgear FVX538 | FVX538 Reference Manual - Page 112
    Manual for the ProSafe VPN Firewall 200 FVX538 Figure 6-19: Firewall Logs menu Table 6-7. Log entry descriptions Field Date and Time Description or Action Source IP Description The date and time the log entry was recorded. The type of event and what action was taken if any. The IP address
  • Netgear FVX538 | FVX538 Reference Manual - Page 113
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Table 6-7. Log entry descriptions Field Description Source port and interface The service port number of the initiating device, and whether it originated from the LAN or WAN Destination The name or IP address of the destination device
  • Netgear FVX538 | FVX538 Reference Manual - Page 114
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 6-36 Firewall Protection and Content Filtering January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 115
    IP addressing requirements for VPNs in dual WAN port systems Configuration and WAN IP address Rollover Mode* Load Balancing Mode VPN Road Warrior (client-to-gateway) Fixed Dynamic VPN Gateway-to-Gateway Fixed Dynamic VPN Telecommuter Fixed (client-to-gateway through Dynamic a NAT router
  • Netgear FVX538 | FVX538 Reference Manual - Page 116
    Manual for the ProSafe VPN Firewall 200 FVX538 Figure 7-1 shows the setup screens for the selected WAN mode. This setup is accomplished in "Step 4: Configure the WAN Mode (Required for Dual WAN)" on page 4-15. Rollover Mode Setup Screen Load Balancing Mode Setup Screen Figure 7-1: WAN Mode Setup
  • Netgear FVX538 | FVX538 Reference Manual - Page 117
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 See "Step 5: Configure Dynamic DNS (If Needed)" on page 4-20 for how to select and configure the Dynamic DNS service. FVX538 Functional Block Diagram FVX538 Firewall Rest of FVX538 Functions FVX538 WAN Port Functions FVX538 Rollover
  • Netgear FVX538 | FVX538 Reference Manual - Page 118
    Block Diagram FVX538 Firewall Rest of FVX538 Functions FVX538 WAN Port Functions Load Balancing Control Dynamic DNS screens WAN 1 Port WAN 2 Port Internet FQDN required (dynamic IP addresses) FQDN optional (static IP addresses) FQDN setup for WAN1 port Select Dynamic DNS service FQDN setup
  • Netgear FVX538 | FVX538 Reference Manual - Page 119
    FVS338 VPN Firewall with version 1.6.7 firmware - WAN IP address is 10.1.1.150 - LAN IP address subnet is 192.168.2.1 255.255.255.0 Configuring the FVX538 1. Select the VPN Wizard 2. Give the client connection a name, such as to_fvs. 3. Enter a value for the pre-shared key. 4. Select 'a remote VPN
  • Netgear FVX538 | FVX538 Reference Manual - Page 120
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 5. Click Next. 6. Enter the WAN IP address of the remote FVS338. 7. Click WAN1 to bind this connection to the WAN1 port. Figure 7-5: WAN IP address of remote FVS338 8. Click Next. 9. Enter the LAN IP address and subnet mask of the remote
  • Netgear FVX538 | FVX538 Reference Manual - Page 121
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 11. Click Done to create the 'to_fvs' IKE and VPN policies. In the IKE Policies menu, the 'to_fvs' IKE policy will appear in the table. Figure 7-7: IKE Policies 12. You can view the IKE parameters by selecting 'to_fvs' and clicking Edit. It
  • Netgear FVX538 | FVX538 Reference Manual - Page 122
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 13. In the VPN Policies menu, the 'to_fvs' VPN policy will appear in the table. Figure 7-9: FVX538 VPN Policies screen 7-8 Virtual Private Networking January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 123
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 14. You can view the VPN parameters by selecting 'to_fvs' and clicking Edit. It should not be necessary to make any changes. Figure 7-10: FVX538-to-FVS338 VPN screen Configuring the FVS338 1. Select the VPN Wizard 2. Give the client
  • Netgear FVX538 | FVX538 Reference Manual - Page 124
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 4. Select 'a remote VPN gateway'. Figure 7-11: VPN Wizard start page 5. Click Next. 6. Enter the WAN IP address of the remote FVX538. Figure 7-12: WAN IP address of remote FVX538 7. Click Next. 7-10 January 2005 Virtual Private Networking
  • Netgear FVX538 | FVX538 Reference Manual - Page 125
    FVX538 VPN firewall. Using the FVX538's VPN Wizard, we will create a single set of policies (IKE and VPN) that will allow up to 50 remote PCs to connect from locations in which their IP addresses are unknown in advance. The PCs may be directly connected to the Internet or may be behind NAT routers
  • Netgear FVX538 | FVX538 Reference Manual - Page 126
    the ProSafe VPN Firewall 200 FVX538 This procedure was developed and tested using: • Netgear FVX538 ProSafe VPN Firewall 200 with version 1.6.11 firmware • Netgear VPN Client version 10.3.5 (Build 6) • NAT router: Netgear FR114P with version 1.5_09 firmware Configuring the FVX538 1. Select the VPN
  • Netgear FVX538 | FVX538 Reference Manual - Page 127
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 2. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection. Figure 7-15: New Client Connection screen Virtual Private Networking January 2005 7-13
  • Netgear FVX538 | FVX538 Reference Manual - Page 128
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 3. Give the New Connection a name, such as to_FVS. Figure 7-16: New connection named 4. In the Remote Party Identity section, select ID Type of IP Subnet. 5. Enter the LAN IP Subnet Address and Subnet Mask of the FVX538's LAN. 6. Select '
  • Netgear FVX538 | FVX538 Reference Manual - Page 129
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 8. For Domain Name, enter 'fvs_local.com' and enter the WAN IP Address of the FVX538. Figure 7-17: Remote client info 9. In the left frame, click on My Identity. 10. Select Certificate = None. 11. Under ID Type, select 'Domain Name'. The
  • Netgear FVX538 | FVX538 Reference Manual - Page 130
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 12. Leave Virtual Adapter disabled, and select your computer's Network Adapter. Your current IP address will appear. Figure 7-18: My Identity screen 13. Before leaving the My Identity menu, click the Pre-Shared Key button. 7-16 January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 131
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 14. Click Enter Key, type your preshared key, and click OK. This key will be shared by all users of the FVX538 policy "home". Figure 7-19: Pre-shared key 15. In the left frame, click on Security Policy. Virtual Private Networking January
  • Netgear FVX538 | FVX538 Reference Manual - Page 132
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 16. Select Phase 1 Negotiation Mode = Aggressive Mode. PFS should be disabled, and Replay Detection should be enabled. Figure 7-20: Client Security Policy screen 7-18 January 2005 Virtual Private Networking
  • Netgear FVX538 | FVX538 Reference Manual - Page 133
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 17. In the left frame, expand Authentication and select Proposal 1. Compare with the figure below. No changes should be necessary. Figure 7-21: Client Authorization screen Virtual Private Networking January 2005 7-19
  • Netgear FVX538 | FVX538 Reference Manual - Page 134
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 18. In the left frame, expand Key Exchange and select Proposal 1. Compare with the figure below. No changes should be necessary. Figure 7-22: Client Key Exchange screen 19. In the upper left of the window, click the disk icon to save the
  • Netgear FVX538 | FVX538 Reference Manual - Page 135
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 21. For additional status and troubleshooting information, right-click on the VPN client icon in your Windows toolbar and select "Connection Monitor" or "Log Viewer", or view the VPN log and status menu in the FVX538. Figure 7-23: Client
  • Netgear FVX538 | FVX538 Reference Manual - Page 136
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 7-22 January 2005 Virtual Private Networking
  • Netgear FVX538 | FVX538 Reference Manual - Page 137
    Chapter 8 Router and Network Management This chapter describes how to use the network management features of your FVX538 ProSafe VPN Firewall 200. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The FVX538 ProSafe VPN Firewall 200 offers
  • Netgear FVX538 | FVX538 Reference Manual - Page 138
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 As a result and depending on the traffic being carried, the WAN side of the firewall will be the limiting factor to throughput for most installations. Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the WAN
  • Netgear FVX538 | FVX538 Reference Manual - Page 139
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 - Single address: The rule will be applied to the address of a particular PC. - Address range: The rule is applied to a range of addresses. - Groups: The rule is applied to a Group (you use the Network Database to assign PCs to Groups-see "
  • Netgear FVX538 | FVX538 Reference Manual - Page 140
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Scanning the Network-The local network is scanned using standard methods such as arp. This will detect active devices which are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined, and will be
  • Netgear FVX538 | FVX538 Reference Manual - Page 141
    Features That Increase Traffic Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • DMZ port • Exposed hosts • VPN tunnels Port Forwarding The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or
  • Netgear FVX538 | FVX538 Reference Manual - Page 142
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 You can also enable a check on special rules: • VPN Passthrough-Enable this to pass the VPN traffic without any filtering; this is used especially when this firewall is between two VPN tunnel end points. • Drop fragmented IP packets-Enable this to drop
  • Netgear FVX538 | FVX538 Reference Manual - Page 143
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Port Triggering Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the Application. Once configured,
  • Netgear FVX538 | FVX538 Reference Manual - Page 144
    WAN ports by granting some services a higher priority than others. The quality of a service is impacted by its QoS setting, however. See "Quality of Service (QoS) Priorities" on page 6-18 for the procedure on how to use this feature. Tools for Traffic Management The FVX538 ProSafe VPN Firewall 200
  • Netgear FVX538 | FVX538 Reference Manual - Page 145
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Changing the Passwords and Login Timeout The default password for the firewall's Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. From the main menu of the browser interface,
  • Netgear FVX538 | FVX538 Reference Manual - Page 146
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Note: Be sure to change the firewall's default configuration password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers,
  • Netgear FVX538 | FVX538 Reference Manual - Page 147
    TRACERT from the Windows Start menu Run option. For example, tracert yourFVX538.mynetgear.net and you will see the IP address your ISP assigned to the FVX538. Command Line Interface Note: The command line interface is not supported at this time. Check the Netgear Web site for the latest status. You
  • Netgear FVX538 | FVX538 Reference Manual - Page 148
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 1. From the command line prompt, enter the following command: telnet 192.168.1.1 2. Enter admin and password when prompted for the login and password information (or enter guest and password to log in as a read-only guest). Note: No password
  • Netgear FVX538 | FVX538 Reference Manual - Page 149
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Each WAN port is programmed separately. WAN port shuts down once the traffic limit is reached. An email alert can be sent when this shutdown happens. Figure 8-3: Traffic Limit Reached alert Login Failures and Attacks Figure 8-3 shows the Log
  • Netgear FVX538 | FVX538 Reference Manual - Page 150
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Select the types of alerts to email. Enable email alerts. Figure 8-4: Logs and email screen Accumulate 64 messages before sending a log email. Wait 24 hours before sending an email. Accumulate 8 messages before sending an alert
  • Netgear FVX538 | FVX538 Reference Manual - Page 151
    Monitoring Reference Manual for the ProSafe VPN Firewall 200 FVX538 You can view status information about the firewall, WAN ports, LAN ports, and VPN tunnels and program SNMP connections. Viewing VPN Firewall Status and Time Information Firewall Status The Router Status menu provides status and
  • Netgear FVX538 | FVX538 Reference Manual - Page 152
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Figure 8-5: Router Status screen 8-16 January 2005 Router and Network Management
  • Netgear FVX538 | FVX538 Reference Manual - Page 153
    Manual for the ProSafe VPN Firewall 200 FVX538 Table 8-1. Router Status Item Description System Name This is the Account Name that you entered in the Basic Settings page. Firmware Version This is the current software the router is using. This will change if you upgrade your router. LAN Port
  • Netgear FVX538 | FVX538 Reference Manual - Page 154
    Manual for the ProSafe VPN Firewall 200 FVX538 Automatic adjustment enable for daylight savings time Current date and time Figure 8-6: Time information on the Schedule screen If supported for your region, you can check Automatically adjust for Daylight Savings Time. 8-18 January 2005 Router
  • Netgear FVX538 | FVX538 Reference Manual - Page 155
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Table 8-1. Current date and time Item Use Default NTP Servers (Network Time Protocol) Use Custom NTP Servers Description If enabled, the system clock is updated regularly by contacting a Default Netgear NTP Server on the Internet. If you
  • Netgear FVX538 | FVX538 Reference Manual - Page 156
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Dynamic DNS Status Invoke the Dynamic DNS Status screen from Dynamic DNS screen by clicking Show Status to see the current DDNS Status in a sub-window. Figure 8-8: Dynamic DNS Status screen Internet Traffic Information The Internet Traffic
  • Netgear FVX538 | FVX538 Reference Manual - Page 157
    the ProSafe VPN Firewall 200 FVX538 Figure 8-9: Internet Traffic information LAN Ports and Attached Devices Known PCs and Devices The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under
  • Netgear FVX538 | FVX538 Reference Manual - Page 158
    Manual for the ProSafe VPN Firewall 200 FVX538 Figure 8-10: Network Database screen The Network Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: • DHCP Client Requests-By default, the DHCP server in this Router
  • Netgear FVX538 | FVX538 Reference Manual - Page 159
    Manual for the ProSafe VPN Firewall 200 FVX538 Note: If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button. DHCP Log You can view the DHCP log. Invoke the DHCP Log from LAN IP Setup
  • Netgear FVX538 | FVX538 Reference Manual - Page 160
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Table 8-1. Port Triggering Status data Item Rule LAN IP Address Open Ports Time Remaining Description The name of the Rule. The IP address of the PC currently using this rule. The Incoming ports which are associated with this rule. Incoming
  • Netgear FVX538 | FVX538 Reference Manual - Page 161
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Select the types of logs to email. Enable emailing of logs. Figure 8-13: Logs and email screen Enable system logs. Accumulate 64 messages before sending a log email. Wait 24 hours before sending an email. Accumulate 8 messages
  • Netgear FVX538 | FVX538 Reference Manual - Page 162
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Invoke the Firewall Log screen from Logs and Email screen. Figure 8-14: Firewall Log screen (invoked from Logs and Email screen) 8-26 January 2005 Router and Network Management
  • Netgear FVX538 | FVX538 Reference Manual - Page 163
    Firewall 200 FVX538 VPN Tunnels You can view the status of the VPN tunnels. Figure 8-15: VPN Status/Log and IPSec Connection Status screens Table 8-1. Item Policy Name Endpoint Tx (KBytes) VPN Status data Description The name of the VPN policy associated with this SA. The IP address on the remote
  • Netgear FVX538 | FVX538 Reference Manual - Page 164
    ProSafe VPN Firewall 200 FVX538 Table 8-1. Item State Action VPN Status data Description The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase. Use this button to terminate/build the SA (connection) if required. SNMP SNMP lets you monitor and manage log
  • Netgear FVX538 | FVX538 Reference Manual - Page 165
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Figure 8-17: Diagnostics screen Table 8-1. Diagnostics Item Description Ping or Trace an IP address Perform a DNS Lookup Display the Routing Table Ping-Use this to send a ping packet request to the specified IP address. This is often
  • Netgear FVX538 | FVX538 Reference Manual - Page 166
    (restored) from the user's PC, or cleared to factory default settings. You can also upgrade the firewall software with the latest version from Netgear. From the Main Menu of the browser interface, under the Management heading, select the Settings Backup heading to bring up the menu shown below. Be
  • Netgear FVX538 | FVX538 Reference Manual - Page 167
    used to upload new firmware into the FVX538 VPN firewall must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer or Netscape Navigator 3.0 or above. From the Main Menu of the browser interface, under the Management heading, select the Router Upgrade heading to display the
  • Netgear FVX538 | FVX538 Reference Manual - Page 168
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Be careful how you use this! Figure 8-19: Router Upgrade menu To upload new firmware: 1. Download and unzip the new software file from NETGEAR. 2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary
  • Netgear FVX538 | FVX538 Reference Manual - Page 169
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the front panel of the firewall (see "The Router's Front Panel" on page 2-6). Also see "
  • Netgear FVX538 | FVX538 Reference Manual - Page 170
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 8-34 January 2005 Router and Network Management
  • Netgear FVX538 | FVX538 Reference Manual - Page 171
    This chapter gives information about troubleshooting your FVX538 ProSafe VPN Firewall 200. After each problem description, instructions are provided to help you diagnose and solve the problem. Basic Functioning After you turn on power to the firewall, the following sequence of events
  • Netgear FVX538 | FVX538 Reference Manual - Page 172
    to factory defaults. This will set the firewall's IP address to 192.168.1.1. This procedure is explained in "Restoring the Default Configuration and Password" on page 9-7. If the error persists, you might have a hardware problem and should contact technical support. LAN or Internet Port LEDs
  • Netgear FVX538 | FVX538 Reference Manual - Page 173
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Troubleshooting the Web Configuration Interface If you are unable to access the firewall's Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection between the PC and the firewall as
  • Netgear FVX538 | FVX538 Reference Manual - Page 174
    Manual for the ProSafe VPN Firewall 200 FVX538 Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall
  • Netgear FVX538 | FVX538 Reference Manual - Page 175
    Manual for the ProSafe VPN Firewall 200 FVX538 OR Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to "Manually Configuring Your Internet Connection" on page 4-12. If your firewall can obtain an IP address, but your PC is unable to load
  • Netgear FVX538 | FVX538 Reference Manual - Page 176
    the ProSafe VPN Firewall 200 FVX538 If the path is not working, you see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems: • Wrong physical connections - Make sure the LAN port LED is on. If the LED is off, follow the instructions
  • Netgear FVX538 | FVX538 Reference Manual - Page 177
    when the administration password or IP address is not known. To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the firewall. 1. Press and hold the Default Reset button until the
  • Netgear FVX538 | FVX538 Reference Manual - Page 178
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Time is off by one hour. Cause: The firewall does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked "Adjust for Daylight Savings Time". 9-8 Troubleshooting January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 179
    This appendix provides technical specifications for the FVX538 ProSafe VPN Firewall 200. Network Protocol and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: 120V, 60 Hz, input United Kingdom, Australia
  • Netgear FVX538 | FVX538 Reference Manual - Page 180
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Interface Specifications LAN: WAN: VCCI Class B EN 55 022 (CISPR 22), Class B 10BASE-T or 100BASE-Tx, RJ-45 10BASE-T or 100BASE-Tx A-2 Technical Specifications January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 181
    . In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router. Network, Routing, Firewall, and Basics B-1 January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 182
    chooses the best path for forwarding network traffic. Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The FVX538 ProSafe VPN Firewall 200 is a small office router that routes the IP protocol over a single-user broadband
  • Netgear FVX538 | FVX538 Reference Manual - Page 183
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the
  • Netgear FVX538 | FVX538 Reference Manual - Page 184
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x. • Class D Class D addresses are used for
  • Netgear FVX538 | FVX538 Reference Manual - Page 185
    Manual for the ProSafe VPN Firewall 200 FVX538 As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as "/n." In the example, the address
  • Netgear FVX538 | FVX538 Reference Manual - Page 186
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the
  • Netgear FVX538 | FVX538 Reference Manual - Page 187
    reserved the following three blocks of IP addresses specifically for private networks: 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 Choose your private network number from this range. The DHCP server of the FVX538 VPN firewall is preconfigured to automatically
  • Netgear FVX538 | FVX538 Reference Manual - Page 188
    Manual for the ProSafe VPN Firewall 200 FVX538 Single IP Address Operation Using NAT In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address
  • Netgear FVX538 | FVX538 Reference Manual - Page 189
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering
  • Netgear FVX538 | FVX538 Reference Manual - Page 190
    Manual for the ProSafe VPN Firewall 200 FVX538 Domain Name Server Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address
  • Netgear FVX538 | FVX538 Reference Manual - Page 191
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 What is a Firewall? A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion
  • Netgear FVX538 | FVX538 Reference Manual - Page 192
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 . Table B-1. UTP Ethernet cable wiring, straight-through Pin Wire color Signal 1 Orange/White Transmit (Tx) + 2 Orange Transmit (Tx) - both 10 and 100 Mbits/second networks. B-12 January 2005 Network, Routing, Firewall, and Basics
  • Netgear FVX538 | FVX538 Reference Manual - Page 193
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Inside Twisted Pair Cables For two devices to communicate, the interface ports, called MDI or uplink ports. Most repeaters and switch ports are configured as media-dependent interfaces with built-in crossover ports, called MDI-X or normal ports
  • Netgear FVX538 | FVX538 Reference Manual - Page 194
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each End Note: Flat "silver satin" telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be
  • Netgear FVX538 | FVX538 Reference Manual - Page 195
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The FVX538 VPN firewall incorporates Auto Uplink™ technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC)
  • Netgear FVX538 | FVX538 Reference Manual - Page 196
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 B-16 January 2005 Network, Routing, Firewall, and Basics
  • Netgear FVX538 | FVX538 Reference Manual - Page 197
    through the FVX538 ProSafe VPN Firewall 200 and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by
  • Netgear FVX538 | FVX538 Reference Manual - Page 198
    Manual for the ProSafe VPN Firewall 200 FVX538 In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address
  • Netgear FVX538 | FVX538 Reference Manual - Page 199
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for
  • Netgear FVX538 | FVX538 Reference Manual - Page 200
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 If you need Client for Microsoft Networks: a. Click the Add button. b. Select Client, and then click Add. c. Select Microsoft. d. Select Client for Microsoft Networks, and then click OK. 3. Restart your PC for the changes to take effect.
  • Netgear FVX538 | FVX538 Reference Manual - Page 201
    Manual for the ProSafe VPN Firewall 200 FVX538 Verify the following settings as shown: • Client for Microsoft Network exists • Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon Click on the Properties button. The following TCP/IP Properties window
  • Netgear FVX538 | FVX538 Reference Manual - Page 202
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the
  • Netgear FVX538 | FVX538 Reference Manual - Page 203
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things), your IP address, subnet mask, and default gateway. 3. From the drop-down box, select your Ethernet adapter. The window is updated to show
  • Netgear FVX538 | FVX538 Reference Manual - Page 204
    Manual for the ProSafe VPN Firewall 200 FVX538 Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process
  • Netgear FVX538 | FVX538 Reference Manual - Page 205
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. • Administrator logon access rights are needed to use this window. • Click the
  • Netgear FVX538 | FVX538 Reference Manual - Page 206
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Verify that the Obtain an IP address automatically radio button is selected. • Verify that Obtain DNS server address automatically radio button is selected. • Click the OK button. This completes the DHCP configuration of TCP/ IP in Windows
  • Netgear FVX538 | FVX538 Reference Manual - Page 207
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections. • Right click on Local Area Connection and select Properties. • The Local Area Connection Properties dialog box
  • Netgear FVX538 | FVX538 Reference Manual - Page 208
    Manual for the ProSafe VPN Firewall 200 FVX538 • With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialogue box. • Verify that • Obtain an IP address automatically is selected. • Obtain DNS server address automatically is selected
  • Netgear FVX538 | FVX538 Reference Manual - Page 209
    VPN Firewall 200 FVX538 DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. • Choose Settings from the Start Menu, and then select
  • Netgear FVX538 | FVX538 Reference Manual - Page 210
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button. C-14 January 2005 Preparing Your Network
  • Netgear FVX538 | FVX538 Reference Manual - Page 211
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • The TCP/IP Properties dialog box now displays. • Click the IP Address tab. • Select the radio button marked Obtain an IP address from a DHCP server. • Click OK. This completes the configuration of TCP/IP in Windows NT. Restart the PC. Repeat
  • Netgear FVX538 | FVX538 Reference Manual - Page 212
    Manual for the ProSafe VPN Firewall 200 FVX538 • The default gateway is 192.168.1.1 4. Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP
  • Netgear FVX538 | FVX538 Reference Manual - Page 213
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 2. If not already selected, select Built-in Ethernet in the Configure list. 3. If not already selected, select Using DHCP in the TCP/IP tab. 4. Click Save. Verifying TCP/IP Properties for Macintosh Computers After your Macintosh is configured
  • Netgear FVX538 | FVX538 Reference Manual - Page 214
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be
  • Netgear FVX538 | FVX538 Reference Manual - Page 215
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • An IP address and subnet mask • A gateway IP address, which is the address of the ISP's router • One or more domain name server (DNS) IP addresses • Host name and domain suffix For example, your account's full server names may look like this
  • Netgear FVX538 | FVX538 Reference Manual - Page 216
    Manual for the ProSafe VPN Firewall 200 FVX538 If an IP address appears under Installed Gateways, write down the address. This is the ISP's gateway address. Select the address and then click Remove to remove the gateway address. 6. Select the DNS Configuration tab. If any DNS server addresses
  • Netgear FVX538 | FVX538 Reference Manual - Page 217
    Manual for the ProSafe VPN Firewall 200 FVX538 Restarting the Network Once you've set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVX538 VPN firewall. After configuring
  • Netgear FVX538 | FVX538 Reference Manual - Page 218
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 C-22 January 2005 Preparing Your Network
  • Netgear FVX538 | FVX538 Reference Manual - Page 219
    or theft. IPSec-based VPNs can be created over any type of IP network, including the Internet, Frame Relay, ATM, and MPLS, but only the Internet is ubiquitous and inexpensive. VPNs are traditionally used for: • Intranets: Intranets connect an organization's locations. These locations range from the
  • Netgear FVX538 | FVX538 Reference Manual - Page 220
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization's modem pool is one method of access for remote workers, but is expensive because the
  • Netgear FVX538 | FVX538 Reference Manual - Page 221
    Manual for the ProSafe VPN Firewall 200 FVX538 • Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity. • Authentication Header (AH): Provides authentication and integrity. • Internet Key Exchange (IKE): Provides key management and Security Association (SA
  • Netgear FVX538 | FVX538 Reference Manual - Page 222
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 The ESP header is inserted into the packet between the IP header and any subsequent packet contents an enterprise can set up multiple SAs to enable multiple secure VPNs, as well as define SAs within the VPN to support different departments and
  • Netgear FVX538 | FVX538 Reference Manual - Page 223
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Mode SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection,
  • Netgear FVX538 | FVX538 Reference Manual - Page 224
    Manual for the ProSafe VPN Firewall 200 FVX538 Key Management IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. IPSec
  • Netgear FVX538 | FVX538 Reference Manual - Page 225
    Manual for the ProSafe VPN Firewall 200 FVX538 VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes
  • Netgear FVX538 | FVX538 Reference Manual - Page 226
    the firewall instructions for both gateways to understand how to open specific protocols, ports, and addresses that you intend to allow. Setting Up a VPN Tunnel Between Gateways A SA, frequently called a tunnel, is the set of information that allows two entities (networks, PCs, routers, firewalls
  • Netgear FVX538 | FVX538 Reference Manual - Page 227
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 VPN Gateway A VPN Tunnel VPN Gateway B Figure 9-8: VPN Tunnel SA The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to
  • Netgear FVX538 | FVX538 Reference Manual - Page 228
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 2. IKE Phase I. a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs. b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. c. A
  • Netgear FVX538 | FVX538 Reference Manual - Page 229
    the ProSafe VPN Firewall 200 FVX538 VPNC IKE Phase II Parameters The IKE Phase 2 parameters used in Scenario 1 are: • TripleDES • SHA-1 • ESP tunnel mode • MODP group 1 • Perfect forward secrecy for rekeying • SA lifetime of 28800 seconds (one hour) Testing and Troubleshooting Once
  • Netgear FVX538 | FVX538 Reference Manual - Page 230
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 • [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988. • [RFC 1483] Multiprotocol
  • Netgear FVX538 | FVX538 Reference Manual - Page 231
    keys. 802.1x uses a protocol called EAP (Extensible Authentication Protocol) and supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, and public key authentication. For details on EAP specifically, refer to IETF's RFC 2284. 802.11a IEEE
  • Netgear FVX538 | FVX538 Reference Manual - Page 232
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 A Access Control List (ACL) An ACL is a Service Set (IBSS). Ad-hoc mode is useful for establishing a network where wireless infrastructure does not exist or where services are not required. ADSL Short for asymmetric digital subscriber line
  • Netgear FVX538 | FVX538 Reference Manual - Page 233
    are really who they claim to be. D DHCP An Ethernet protocol specifying how a centralized DHCP server can assign network configuration information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and gateway (router) addresses. DMZ Glossary -3 January 2005
  • Netgear FVX538 | FVX538 Reference Manual - Page 234
    the ProSafe VPN Firewall 200 FVX538 Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. There are security issues with doing this, so only do this if you're willing to risk open access. DNS Short
  • Netgear FVX538 | FVX538 Reference Manual - Page 235
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 the AP for proof of identity, which the AP gets from the user and then sends back to the server to complete the authentication. EAP is defined by RFC 2284. ESSID The Extended Service Set Identification (ESSID) is a thirty-two character (
  • Netgear FVX538 | FVX538 Reference Manual - Page 236
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 BSSs that form a single subnetwork. Most corporate wireless LANs operate in infrastructure mode because they require access to the wired LAN in order to use services such as file servers or printers. Internet Control Message Protocol ICMP is
  • Netgear FVX538 | FVX538 Reference Manual - Page 237
    Manual for the ProSafe VPN Firewall 200 FVX538 that supports medium-dependent functions and uses the services of the physical layer to provide services to the Terms) MAC address The Media Access Control address is a unique 48-bit hardware address assigned to every network interface card. Usually
  • Netgear FVX538 | FVX538 Reference Manual - Page 238
    the ProSafe VPN Firewall 200 FVX538 router, or access point, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependent Interface - Crossover (MDI-X). MTU The size in bytes of the largest packet that can be sent or received. P packet A block of
  • Netgear FVX538 | FVX538 Reference Manual - Page 239
    Manual for the ProSafe VPN Firewall 200 FVX538 PSTN Public Switched Telephone Network. Q QoS See "Quality of Service" Quality of Service QoS is a networking term that specifies a guaranteed level of throughput. Throughput is the amount of data transferred from one device to another or processed
  • Netgear FVX538 | FVX538 Reference Manual - Page 240
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 Segment A section of a LAN that is connected to the rest of the network using a switch, bridge, or repeater. Subnet Mask Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which
  • Netgear FVX538 | FVX538 Reference Manual - Page 241
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 WEP Wired Equivalent Privacy is a data encryption protocol for 802.11b wireless networks. All wireless nodes and access points on the network are configured with a 64-bit or 128-bit Shared Key for data encryption. Wide Area Network A WAN is a
  • Netgear FVX538 | FVX538 Reference Manual - Page 242
    Reference Manual for the ProSafe VPN Firewall 200 FVX538 -12 Glossary January 2005
