Netgear FVX538v1 FVX538 Reference Manual

Netgear FVX538v1 - ProSafe VPN Firewall Dual WAN Manual

Netgear FVX538v1 manual content summary:

  • Netgear FVX538v1 | FVX538 Reference Manual - Page 1
    ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 USA March 2009 202-10062-09 v1.0
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 2
    , and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 3
    interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling. Additional Copyrights AES Copyright (c) 2001, Dr Brian Gladman , Worcester, UK. All rights reserved. TERMS
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 4
    LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 5
    software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 6
    Product and Publication Details Model Number: Publication Date: Product Family: Product Name: Home or Business Product: Language: Publication Part Number: Publication Version Number FVX538 March 2009 VPN Firewall ProSafe VPN Firewall 200 Business English 202-10062-09 1.0 vi 1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 7
    Uplink 1-3 Extensive Protocol Support 1-4 Easy Installation and Management 1-4 Maintenance and Support 1-5 Package Contents ...1-5 Router Front and Rear Panels 1-6 Rack Mounting Hardware 1-8 The Router's IP Address, Login Name, and Password 1-9 Chapter 2 Connecting the FVX538 to the Internet
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 8
    VPN Firewall 200 FVX538 Reference Manual Chapter 3 LAN Configuration Choosing the Firewall DHCP Options 3-1 Configuring the LAN Setup Options 3-2 Configuring Multi Home LAN IPs 3-5 Managing Groups and Hosts (LAN Groups 3-6 Creating the Network Database 3-7 Setting Up Address Reservation
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 9
    FVX538 Reference Manual Outbound Rules Example 4-24 LAN WAN Outbound Rule: Blocking Instant Messenger 4-25 Adding Customized Services 4-25 Setting Quality of Service and Viewing Status Information 5-12 NETGEAR VPN Client Status and Log Information 5-12 FVX538 VPN Connection Status and Logs 5-
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 10
    ProSafe VPN Firewall 200 FVX538 Reference Manual Extended Authentication (XAUTH) Configuration 5-23 Configuring XAUTH for VPN Clients 5-24 User Database Configuration 5-25 RADIUS Client Configuration 5-27 Assigning IP Addresses to Remote Users (ModeConfig 5-29 Mode Config Operation 5-29
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 11
    200 FVX538 Reference Manual Viewing Port Triggering Status 6-24 Viewing Router Configuration and System Status 6-25 Monitoring WAN Ports Status 6-26 Monitoring VPN Tunnel Connection Status 6-27 VPN Logs ...6-28 DHCP Log ...6-29 Performing Diagnostics 6-29 Chapter 7 Troubleshooting Basic
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 12
    VPN Firewall 200 FVX538 Reference Manual Inbound Traffic B-17 VPN Telecommuter (Client-to-Gateway Through a NAT Router B-17 VPN Telecommuter: Single Gateway WAN Port (Reference Case C-1 System Startup ...C-1 Reboot ...C-2 NTP ...C-2 Login/Logout ...C-3 Firewall Restart ...C-3 IPSec Restart ...C-4
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 13
    ProSafe VPN Firewall 200 FVX538 Reference Manual Multicast/Broadcast Logs C-9 FTP Logging ...C-10 Invalid Packet Logging C- the benefits of Two-Factor Authentication E-1 What is Two-Factor Authentication E-2 NETGEAR Two-Factor Authentication Solutions E-2 Index Contents xiii v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 14
    ProSafe VPN Firewall 200 FVX538 Reference Manual xiv Contents v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 15
    Manual The NETGEAR® ProSafe™ VPN Firewall 200 describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual extensions User input, IP addresses, GUI screen text Command prompt, CLI text, code URL links • Formats. This manual uses the following
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 16
    website at http://kbserver.netgear.com/products/FVX538.asp. Revision History Part Number Version Number Date Description 202-10062-04 1.0 202-10062-05 1.0 202-10062-06 1.0 202-10062-06 1.1 202-10062-06 1.2 202-10062-07 1.0 202-10062-09 1.0 Aug. 2006 Product update: New firmware and a new user
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 17
    keywords. The FVX538 is a plug-and-play device that can be installed and configured within minutes. This chapter contains the following sections: • "Key Features" on page 1-1 • "Package Contents" on page 1-5 • "Router Front and Rear Panels" on page 1-6 • "The Router's IP Address, Login Name, and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 18
    VPN Firewall 200 FVX538 Reference Manual • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). • Easy, web-based setup for installation and management. • Advanced SPI Firewall and Multi-NAT support. • Extensive Protocol Support. • Login capability. • Front panel
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 19
    FVX538 Reference Manual • Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 20
    200 FVX538 Reference Manual Extensive Protocol Support The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to "Internet Configuration Requirements" in Appendix B. • IP Address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 21
    management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. • Visual monitoring. The VPN firewall's front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 22
    ProSafe VPN Firewall 200 FVX538 Reference Manual Router Front and Rear Panels The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. 1 2 3 4 5 6 7
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 23
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 1-1. Object Descriptions (continued) Object Activity Description 4. LAN Ports and LEDs 8-port RJ-45 10/100 Mbps Fast Ethernet Switch Link/Act LED On (Green)
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 24
    ProSafe VPN Firewall 200 FVX538 Reference Manual The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection. Figure 1-2 1 2 Viewed from left to right,
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 25
    ProSafe VPN Firewall 200 FVX538 Reference Manual The Router's IP Address, Login Name, and Password Check the label on the bottom of the FVX538's enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN • User name:
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 26
    ProSafe VPN Firewall 200 FVX538 Reference Manual 1-10 v1.0, March 2009 Introduction
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 27
    needs to be configured to obtain an IP address automatically via DHCP. If you need instructions on how to configure your computer for may use to log in to your Internet connection.) 3. Click Login. Note: You might want to enable remote management at this FVX538 to the Internet 2-1 v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 28
    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring the Internet Connections to Your ISPs You should first configure your Internet connections different connection methods and suggest one that your ISP will most likely support. 2-2 Connecting the FVX538 to the Internet v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 29
    200 FVX538 Reference Manual When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table. Table 2-1. Internet connection methods Connection Method PPPoE PPTP DHCP (Dynamic IP) Fixed (Static) IP
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 30
    200 FVX538 Reference Manual 4. Set your router manually. Ensure that you have all of the relevant connection information such as IP Addresses, account 10). To manually configure your WAN1 ISP Settings: 1. Does your Internet connection require a login? If you need to enter login information every
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 31
    IP address assigned to you. This will identify the router to your ISP. b. Subnet Mask: This is usually provided by the ISP or your network administrator. c. Gateway IP Address: IP address of the ISP's gateway. This is usually provided by the ISP or your network administrator. Connecting the FVX538
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 32
    ProSafe VPN Firewall 200 FVX538 Reference Manual If your ISP has not assigned a Static IP address, select the Get dynamically from ISP radio box. The ISP will automatically assign an IP address to the router using DHCP network protocol. 4. If your ISP has not assigned any Domain Name Servers (DNS)
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 33
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-3 2. Click Apply to apply the settings. Click Reset to return to Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected by clicking the appropriate tab
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 34
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 2-2. Traffic Meter Settings Parameter Description Increase this month's limit Use this to temporarily increase link once the original primary link is back up and running again. 2-8 Connecting the FVX538 to the Internet v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 35
    on your LAN to share a single Internet IP address. From the Internet, there is only a single device (the Router) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet. - The Router uses NAT to select the correct PC (on
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 36
    Method to check the connection of the primary link at regular intervals to detect router status. Link failure is detected in one of the following ways: • By using DNS queries to a DNS server, or • By a Ping to an IP address. For each WAN interface, DNS queries or Ping requests are sent to the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 37
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-4 6. Enter the Maximum Failover amount. The WAN interface is considered down after the configured number by reapplying the Auto-Rollover settings in the WAN Port Mode menu. Connecting the FVX538 to the Internet v1.0, March 2009 2-11
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 38
    ProSafe VPN Firewall 200 FVX538 Reference Manual Setting Up Load Balancing To use multiple ISP , then the router will automatically channel FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port. Note: NETGEAR recommends that all
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 39
    ProSafe VPN Firewall 200 FVX538 Reference Manual a. Service - From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see "Services-Based Rules" on
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 40
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-6 3. Modify the parameters for the protocol binding service you selected. 4. is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 41
    Firewall 200 FVX538 Reference Manual IP address will be, and the address can change frequently, hence the need for a commercial DDNS service, which allows you to register an extension to its domain, and restores DNS requests for the resulting FQDN to your frequently-changing IP address. After you
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 42
    VPN Firewall 200 FVX538 Reference Manual Figure 2-7 2. Click the tab of the Dynamic DNS Service you want to enable. Each DNS service provider requires registration and you then configure its parameters on the corresponding tab page. 3. Access the Web site of one of the DDNS service providers and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 43
    ProSafe VPN Firewall 200 FVX538 Reference Manual For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org 5. Click Apply to save your configuration. 6. Click Reset to return to the previous settings. Configuring the Advanced WAN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 44
    to manually select the port speed. AutoSense is the default. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M. Use the half-duplex settings unless you are sure you need full duplex. • Router's MAC Address - Each computer or router on
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 45
    Appendix D, "Related Documents" for an explanation of DHCP and information about how to assign IP addresses for your network. If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the Enable DHCP server radio
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 46
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Primary DNS Server (the firewall's LAN IP address). • WINS Server (if you entered a WINS server address in the DHCP Setup menu). • Lease Time (date obtained and duration of lease). DHCP Relay options allow you to make the firewall a DHCP relay agent
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 47
    FVX538 Reference Manual 1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display. Figure 3-1 2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ port IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 48
    be assigned an IP address between the Starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address. Note: The Starting and Ending DHCP addresses should be in the same "network" as the LAN TCP/IP address of the router (the IP Address in LAN TCP/IP Setup section
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 49
    on those networks access to the Internet. Figure 3-2 The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the router. • IP Address: The IP address alias added to the LAN port of the router. This is the gateway for computers that need to access the Internet. • Subnet
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 50
    the secondary subnets must be manually configured with the IP addresses, gateway IP and DNS server IPs. Warning: Make sure the secondary IP addresses are different from the LAN, WAN, DMZ, and any other subnet attached to this router. For example: WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0 WAN2
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 51
    ProSafe VPN Firewall 200 FVX538 Reference Manual Creating the Network Database Some advantages of the Network Database are: • Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the desired PC or device. • No need to reserve an IP address for a PC in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 52
    be appended to the name. • IP Address: The current IP address of the computer. For DHCP clients of the router, this IP address will not change. If a computer is assigned a static IP address, you must update this entry manually when the IP address of the computer changes. 3-8 LAN Configuration
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 53
    ProSafe VPN Firewall 200 FVX538 Reference Manual • MAC Address: The MAC address of the computer's network interface. • manually, fill in the following fields: • Name: The name of the PC or device. • IP Address Type: - Select Reserved (DHCP Client) to direct the router to reserve the IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 54
    standard firewall security used for the LAN. The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see "Router Front and Rear Panels" on page 1-6) and configure an IP address and Mask for the DMZ port. To enable and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 55
    computers connected to the router's DMZ network. Note: If you enable the DNS Relay feature, you will not use the FVX538 as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network. Then configure the following items: a. Starting IP Address - This box specifies
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 56
    VPN Firewall 200 FVX538 Reference Manual 6. Click Apply to save your settings. The DMZ LED next to LAN port 8 (see "Router Front and Rear static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network. Configuring Static Routes To add or edit
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 57
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 3-5 4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address to the host or network to which the route
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 58
    ProSafe VPN Firewall 200 FVX538 Reference Manual Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 59
    FVX538 Reference Manual Figure 3-6 3. From the RIP Version pull-down menu, select the version: • RIP-1 - A classful routing that does not include subnet information. This is the most commonly supported version. • RIP-2 - Supports authenticate between routers. 5. Click Reset to discard any changes
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 60
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Click Save to save your settings. Static Route Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses. • The Gateway IP Address field specifies that all traffic for these addresses
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 61
    )" on page 4-29 • "Enabling Source MAC Filtering" on page 4-31 • "IP/MAC Binding" on page 4-33 • "Port Triggering" on page 4-35 • " addresses and Web address keywords. You can also block Internet access by applications and services, such as chat or games. A firewall is a special category of router
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 62
    ProSafe VPN Firewall 200 FVX538 Reference Manual intrusions. NAT performs a very limited stateful and LAN/DMZ traffic. Table 4-1. Supported Firewall Rule Configurations Traffic Rule LAN WAN DMZ WAN LAN DMZ Outbound Rules 50 50 50 Inbound Rules 50 50 50 Services-Based Rules The rules to block
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 63
    VPN Firewall 200 FVX538 Reference Manual • Customized Services - Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see "Adding Customized Services" on page 4-25
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 64
    200 FVX538 Reference Manual Table 4-2. Outbound Rules (continued) Item LAN users WAN Users DMZ Users Description These settings determine which computers on your network are affected by this rule. Select the desired options: • Any - All PCs and devices on your LAN. • Single address - Enter
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 65
    FVX538 Reference Manual Table 4-2. Outbound Rules (continued) Item QoS Priority NAT IP Description The priority assigned to IP packets of this service. The priorities are defined by "Type of Service (TOS) in the Internet Protocol Suite" standards, RFC 1349. The router marks the Type Of Service
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 66
    rule, whether it matches or not. Inbound Rules (Port Forwarding) Because the FVX538 uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 67
    FVX538 Reference Manual • Local PCs must access the local server using the PCs' local LAN address. Attempts by local PCs to access the server using the external WAN IP address Services Action (Filter) Select the desired Service or application to be covered by this rule. If the desired service
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 68
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-3. Inbound Rules (continued) Item Bandwidth Profile Log check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP. Remember
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 69
    FVX538 Reference Manual most strict rules at the top (those with the most specific services or addresses). The Up and Down button allows you to relocate a defined traffic which then allows you to enable only specific services to pass through the router. To change the Default Outbound Policy: 1.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 70
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply. Figure 4-2 To make changes to an existing outbound or inbound service rule: 1. In the Action column adjacent to the rule click: • Edit - to make
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 71
    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 72
    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 73
    ProSafe VPN Firewall 200 FVX538 Reference Manual out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to block all outbound traffic and enable only specific services to pass through the router by adding an
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 74
    ProSafe VPN Firewall 200 FVX538 Reference Manual To change the Default Outbound Policy: 1. Select Security from the main menu, Firewall Rules from the submenu and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display. 2. Click Add under the Outbound Services table. The Add DMZ WAN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 75
    ProSafe VPN Firewall 200 FVX538 Reference Manual To make changes to an existing outbound or inbound LAN DMZ service rule: 1. In the Action column adjacent to the rule click: • Edit - to make any changes to the rule definition. The Outbound Service screen will display containing the data for the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 76
    VPN Firewall 200 FVX538 Reference Manual 2. Complete the Outbound Service screen, and save the data (see "Outbound Rules (Service Blocking)" on page • WAN Security Checks - Respond To Ping On Internet Ports. If you want the router to respond to a "Ping" from the Internet, click this check box. This
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 77
    FVX538 Reference Manual • LAN Security Checks. A UDP flood is a form of denial of service clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the attacker's network location anonymous. If enabled, the router will not accept more than 20 simultaneous, active
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 78
    ProSafe VPN Firewall 200 FVX538 Reference Manual . Figure 4-8 Session Limit Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the router. This feature is enabled on the Session Limit screen and shown below in Figure
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 79
    ProSafe VPN Firewall 200 FVX538 Reference Manual To enable Session Limit: 1. Click the Yes radio button under Do you want to enable Session Limit? 2. From the User Limit Parameter drop-down list, define the maximum number of sessions per IP either as a percentage of maximum sessions or as an
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 80
    ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Rules Examples LAN WAN Inbound Rule: Hosting A Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 81
    used as the primary IP address of the router. This address will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers. The following addressing scheme is used to illustrate this procedure: • Netgear FVX538 ProSafe VPN Firewall - WAN1
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 82
    FVX538 Reference Manual 4. From the Service pull-down menu, select the HTTP service for a Web server. Figure 4-12 5. From the Action pull-down menu, select Allow Always. 6. In the Send to LAN Server field, enter the local IP address of your Web server PC. 7. From the Public Destination IP Address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 83
    FVX538 Reference Manual Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-13). This rule is different from a normal inbound port forwarding rule in that the Destination box contains an IP Address other than your normal WAN IP Address security, NETGEAR strongly
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 84
    ProSafe VPN Firewall 200 FVX538 Reference Manual 1. Select Any and Allow Always (or Allow by Schedule) 2. Place rule below all other inbound rules Figure 4-14 Outbound Rules Example Outbound rules let you
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 85
    FVX538 Reference Manual LAN WAN Outbound Rule: Blocking Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address to 125 custom services. For example,
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 86
    ProSafe VPN Firewall 200 FVX538 Reference Manual To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 87
    FVX538 Reference Manual 3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP or ICMP. 4. Enter the first TCP or UDP port of the range that the service uses. If the service -Service: No special priority given to the traffic. The IP packets for services
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 88
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2. • Maximize-Throughput: Used when the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 89
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Check the radio button for All Days or more of these features and users try to access a blocked site, they will see a "Blocked by NETGEAR" message. Several types of blocking are available: • Web Components blocking. You can block the following Web
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 90
    ProSafe VPN Firewall 200 FVX538 Reference Manual • If you wish to block all Internet browsing access, enter the keyword ".". To enable Content Filtering: 1. Select Security from the main menu and Block Sites
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 91
    Firewall 200 FVX538 Reference Manual Figure 4-18 Enabling Source MAC Filtering Source MAC Filter allows you to filter out traffic coming from certain known machines or devices. • By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 92
    200 FVX538 Reference Manual • When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in Available MAC Addresses to be Blocked table. Figure 4-19 Note: For additional ways of restricting outbound traffic, see "Outbound Rules (Service Blocking
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 93
    following scenarios indicate the possible outcome. • Host1: Matching IP & MAC address in IP/MAC Table. • Host2: Matching IP but inconsistent MAC address in IP/MAC Table. • Host3: Matching MAC but inconsistent IP address in IP/MAC Table. The router will block the traffic coming from Host2 and Host3
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 94
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-20 3. Add an IP/MAC Bind rule by entering: a. Name: Specify an easily identifiable name for this rule. b. MAC Address: Specify the MAC Address for this rule. c. IP Addresses: Specify the IP Address for this rule. d. Log Dropped Packets:
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 95
    ProSafe VPN Firewall 200 FVX538 Reference Manual To remove an entry from the table, select the IP/MAC Bind entry and click before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated. Note: For additional ways of allowing
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 96
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-21 3. From the Protocol pull-down menu, select either the TCP or UDP protocol. 4. In the Outgoing (Trigger) Port Range fields: a. Enter the Start
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 97
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table. To edit or modify a rule: 1. Click Edit in the Action
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 98
    ProSafe VPN Firewall 200 FVX538 Reference Manual For example, when a new connection is established by a device, . An exception occurs for an individual bandwidth profile if the classes are per source IP. The source IP is the IP of the first packet of the connection: The class is deleted when all the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 99
    Firewall 200 FVX538 Reference Manual • Name attack information, and other information to a specified e-mail address. For example, your VPN firewall will log security-related or DMZ; denied incoming and outgoing service requests; hacker probes and Login attempts; and other general information based
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 100
    ProSafe VPN Firewall 200 FVX538 Reference Manual You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 101
    200 FVX538 Reference Manual 3. Enter service is identd). 9. You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click the Yes radio box to enable SysLogs and send messages to the Syslog Server, then: a. Enter your SysLog Server IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 102
    ProSafe VPN Firewall 200 FVX538 Reference Manual 11. Click Apply to save your settings. To view the Firewall Time Description or Action Source IP Description The date and time the log entry was recorded. The type of event and what action was taken if any. The IP address of the initiating device for
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 103
    200 FVX538 Reference Manual Table 4-4. Firewall Log Field Descriptions (continued) Field Source port and interface Destination Destination port and interface Description The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ. The name or IP address of
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 104
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4-44 Firewall Protection and Content Filtering v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 105
    are dynamic. Refer to "Virtual Private Networks (VPNs)" on page B-10 for more on the IP addressing requirements for VPN in the dual WAN modes. For instructions on how to select and configure a dynamic DNS service for resolving FQDNs, see "Configuring Dynamic DNS (If Needed)" on page 2-14. For
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 106
    ProSafe VPN Firewall 200 FVX538 Reference Manual The diagrams and table below show how the WAN mode WAN IP address Rollover Modea VPN Road Warrior (client-to-gateway) Fixed Dynamic VPN Gateway-to-Gateway Fixed Dynamic VPN Telecommuter Fixed (client-to-gateway through a NAT router) Dynamic
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 107
    FVX538 Reference Manual Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR task. The VPN Wizard efficiently guides you through the setup procedure with a series of
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 108
    Firewall 200 FVX538 Reference Manual 1. Select manually update the VPN policy to enable VPN rollover. This allows the VPN tunnel to roll over when the WAN Mode is set to Auto Rollover. The wizard will not set up the VPN policy with rollover enabled. 6. Enter the Remote and Local WAN IP Addresses
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 109
    FVX538 Reference Manual • Both the remote WAN address and your local WAN address are required. Tip: To assure tunnels stay active, after completing the wizard, manually service. Both local and remote endpoints should be defined as either FQDN or IP addresses. A combination of IP address NETGEAR VPN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 110
    ProSafe VPN Firewall 200 FVX538 Reference Manual After both firewalls are configured, go to VPN > IPsec VPN > and enabled, Note: When using FQDN, if the dynamic DNS service is slow to update their servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDN does not
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 111
    ProSafe VPN Firewall 200 FVX538 Reference Manual Use the VPN Wizard Configure the Gateway for a Client Tunnel 1. From the main menu, go to VPN > IPSec VPN > VPN Wizard. The VPN Wizard displays. •
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 112
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Click Apply to save your settings: the VPN Policies page shows the policy is now enabled. Figure 5-9 Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection From a PC with the NETGEAR Prosafe VPN Client installed, configure
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 113
    11 Fill in the other options according to the instructions below. • Under Connection Security, verify that the Secure radio button is selected. • From the ID Type pull-down menu, choose IP Subnet. • Enter the LAN IP Subnet Address and Subnet Mask of the FVX538 LAN; in this example, we are using 192
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 114
    VPN Firewall 200 FVX538 Reference Manual 3. In the left frame, click My Identity. Fill in the options according to the instructions below. r3m0+ Name. • Leave Virtual Adapter disabled. • In Network Adapter select the adapter you will use; the IP address of the selected adapter will display.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 115
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. Verify the Security Policy settings; no changes are needed. Figure 5-13 • On the left, click Security Policy to view the settings: no changes are needed. •
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 116
    200 FVX538 Reference Manual Testing the Connections and Viewing Status Information Both the NETGEAR VPN Client and the FVX538 provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection. NETGEAR VPN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 117
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN client, follow these steps. • Right-click the VPN Client icon in the system tray and select Log Viewer. Figure 5-16 • Right-click the VPN
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 118
    ProSafe VPN Firewall 200 FVX538 Reference Manual The VPN client system tray icon provides a variety of status and connected. A flashing vertical bar indicates traffic on the tunnel. FVX538 VPN Connection Status and Logs To view FVX538 VPN connection status, go to VPN > Connection Status. Figure
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 119
    ProSafe VPN Firewall 200 FVX538 Reference Manual To view FVX538 VPN logs, go to Monitoring > VPNLogs. Figure 5-19 VPN Tunnel Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 120
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. If the VPN Policy is a "Manual" policy, then the Manual Policy Parameters defined in the VPN Policy are accessed and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway. •
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 121
    ProSafe VPN Firewall 200 FVX538 Reference Manual • DH. Diffie-Hellman Group. The Diffie-Hellman , authentication and DH algorithm technologies, see Appendix D, "Related Documents" for a link to the NETGEAR website. VPN Policy You can create two types of VPN Policies. When using the VPN Wizard
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 122
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Policy Table Only one Client Policy may Enable Keep alive: check to enable. - Ping IP Address: Enter the IP Address to which ping packets need to be sent. - Detection period: Router sends ping packets periodically at regular intervals of time
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 123
    Certificate Authorities ProSafe VPN Firewall 200 FVX538 Reference Manual Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities). Digital Certificates are used by this router during the IKE (Internet Key
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 124
    ProSafe VPN Firewall 200 FVX538 Reference Manual • CA Identity (Subject Name). The organization or person to whom the certificate is issued. • Issuer Name. The name of the CA that issued the certificate. •
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 125
    VPN Firewall 200 FVX538 Reference Manual - Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also impact performance.) 3. Complete the Optional fields, if desired, with the following information: Figure 5-20 • IP Address - If you have a fixed IP address, you may
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 126
    VPN Firewall 200 FVX538 Reference Manual 6. Copy CERTIFICATE REQUEST'). 4. Submit the CA form. If no problems ensue, the Certificate will be issued. Uploading a Trusted track all of your CAs to ensure that you have the latest version and/or that your certificate has not been revoked. To track your
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 127
    ProSafe VPN Firewall 200 FVX538 Reference Manual • CA Identity - The official name of the CA which issued this IKE Policy. Two types of XAUTH are available: • Edge Device. If this is selected, the router is used as a VPN concentrator where one or more gateway tunnels terminate. If this option is
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 128
    ProSafe VPN Firewall 200 FVX538 Reference Manual • IPSec Host. If you want authentication by the remote menu which will be used to verify user account information. Select • Edge Device to use this router as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen,
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 129
    ProSafe VPN Firewall 200 FVX538 Reference Manual - RADIUS-CHAP or RADIUS-PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS-PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 130
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Enter a Password for the user, and reenter the password in the Confirm Password field. 4. Click Add. The User Name will be added to the Configured Users table. Figure 5-23
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 131
    ProSafe VPN Firewall 200 FVX538 Reference Manual To edit the user name or password: 1. Click Edit the Configured Users table. RADIUS Client Configuration RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing Authentication, Authorization and Accounting (AAA)
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 132
    ProSafe VPN Firewall 200 FVX538 Reference Manual . Figure 5-24 3. Enter the Primary RADIUS Server IP address. 4. Enter a Secret Phrase. the RADIUS Server. Depending on the configuration of the RADIUS Server, the router's IP address may be sufficient as an identifier, or the Server may require a
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 133
    of connecting remote VPN clients to the FVX538, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses from the router. Remote users are given IP addresses available in secured network space so that
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 134
    addresses to be used by remote VPN clients. 7. If you enable Perfect Forward Secrecy (PFS), select DH Group 1 or 2. This setting must match exactly the configuration of the remote VPN client, 8. Specify the Local IP Subnet to which the remote client will have access. Typically, this is your router
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 135
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-25 To configure an IKE Policy: 1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 136
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. In the General section: a. Enter a description name in 8. XAUTH is disabled by default. To enable XAUTH, select: • Edge Device to use this router as a VPN concentrator where one or more gateway tunnels terminate. (If selected, you must specify the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 137
    ProSafe VPN Firewall 200 FVX538 Reference Manual 10. Click Apply. The new policy will appear in the IKE Policies Table (a sample policy is shown below) Figure 5-26 Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 138
    ProSafe VPN Firewall 200 FVX538 Reference Manual b. From the ID Type pull-down menu, select IP Subnet. c. Enter the IP Subnet and Mask of the VPN firewall (this is the LAN network IP address of the gateway). d. Check the Connect using radio button and select Secure Gateway Tunnel from the pull- down
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 139
    ProSafe VPN Firewall 200 FVX538 Reference Manual d. Under Virtual Adapter pull-down menu, select Preferred. The Internal Network IP Address should be 0.0.0.0. Note: If no box is displayed for Internal Network IP Address, go to Options/ Global Policy Settings, and check the box for "Allow to Specify
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 140
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-29 5. Click on Key Exchange (Phase 2) on the left-side of the menu and select Proposal 1. Enter the values to match your configuration of
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 141
    ProSafe VPN Firewall 200 FVX538 Reference Manual To test the connection: 1. Right-click on the VPN client icon in the Windows toolbar and select Connect. The connection policy you configured will appear;
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 142
    ProSafe VPN Firewall 200 FVX538 Reference Manual 5-38 v1.0, March 2009 Virtual Private Networking
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 143
    • "Administration" on page 6-8 • "Monitoring the Router" on page 6-20 Performance Management Performance management consists of cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports will support the following traffic rates: • Load balancing mode: 3 Mbps (two WAN ports at 1.5
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 144
    FVX538 Reference Manual • Service blocking • Block sites • Source MAC filtering Service Blocking configuration will cause serious problems. Each rule lets address: The rule will be applied to the address of a particular PC. - Address range: The rule is applied to a range of addresses.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 145
    200 FVX538 Reference Manual - Groups: The rule is applied to a Group (see "Managing Groups and Hosts (LAN Groups)" on page 3-6 to assign PCs to a Group using Network Database). • WAN Users - These settings determine which Internet locations are covered by the rule, based on their IP address. - Any
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 146
    ProSafe VPN Firewall 200 FVX538 Reference Manual Schedule. If you have set firewall rules on the Rules received from the PCs with the specified MAC addresses. By default, this feature is disabled; all traffic received from PCs with any MAC address is allowed. See "Enabling Source MAC Filtering"
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 147
    VPN Firewall 200 FVX538 Reference Manual VPN Firewall Features That Increase Traffic Features that tend to increase WAN-side loading are as follows: • Port forwarding • Port triggering • DMZ port • Exposed hosts • VPN tunnels Port Forwarding The firewall always blocks DoS (Denial of Service) attacks
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 148
    FVX538 Reference Manual IP address of the selected WAN interface Selecting ANY enables the rule for any LAN IP destination. WAN1 and WAN2 corresponds to the respective WAN interface governed by this rule. • Services - You can specify the desired Services table. • This Router records this connection,
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 149
    FVX538 Reference Manual • The remote system receives the PC's request and responds using the different port numbers that you have now opened. • This Router a computer or server that is available to anyone on the Internet for services that you haven't defined. The default setting of the rules is that
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 150
    FVX538 Reference Manual The QoS priority settings conform to the IEEE 802.1D-1998 (formerly 802.1p) standard for class of service to have. See "Monitoring the Router" on page 6-20 for a settings and upgrade firmware, and enable Configuration Manager is password. Netgear recommends that you change
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 151
    ProSafe VPN Firewall 200 FVX538 Reference Manual 1. Select Users from the main menu and Local If you make the administrator login time-out value too large, you will have to wait a long time before you are able to log back into the router if your previous login was disrupted (i.e., you did
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 152
    ProSafe VPN Firewall 200 FVX538 Reference Manual Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a the appropriate RADIUS or WIKID server that the user is authorized to log in.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 153
    ProSafe VPN Firewall 200 FVX538 Reference Manual When specifying RADIUS domain authentication, you are presented with several authentication protocol choices, as "Changing Passwords and Settings" on page 6-8 for the procedure on how to do this.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 154
    ending IP address to define the allowed range. c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access. 4. Specify the Port Number that will be used for accessing the management interface.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 155
    FVX538 Reference Manual Web browser access normally uses the standard HTTP service IP address is 134.177.0.123 and you use port number 8080, type the following in your browser: https://134.177.0.123:8080 The router's remote login service such as TZO, you can identify the IP address of your FVX538 by
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 156
    FVX538 Reference Manual • To allow access from any IP address on the Internet, select Everyone. • To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. • To allow access from a single IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 157
    ProSafe VPN Firewall 200 FVX538 Reference Manual 5. Click Add to create the new configuration. The entry will display in the can then restore the VPN firewall settings from this file. The Settings Backup and Firmware Upgrade screen allows you to:
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 158
    Firewall 200 FVX538 Reference Manual • Back up and save a copy of your current settings • Restore saved settings from the backed-up file. • Revert to the factory default settings. • Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version. Backup and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 159
    ProSafe VPN Firewall 200 FVX538 Reference Manual You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the router's password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 160
    ProSafe VPN Firewall 200 FVX538 Reference Manual Warning: Once you click Upload do NOT interrupt the router!
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 161
    FVX538 Reference Manual To upgrade router software: 1. Select Administration from the main menu and Settings Backup and Firmware Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. 2. Click Browse in the Router firmware version to verify that your router supported
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 162
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this instead and enter the name or IP address of an NTP Server in the Server 1 Name/IP Address field. If required, you can also enter the address of another NTP server in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 163
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Internet Traffic Statistics - Displays statistics on Internet Traffic via the WAN port. If you have reached. An e-mail can be sent. Traffic Counter settings Internet Traffic Statistics Figure 6-7
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 164
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-8 Setting Login Failures and Attacks Notification Figure 6-9 of firewall activities to an email address or a log of the firewall activities can be viewed, saved to a Syslog server, and then sent to an e-mail address. You can view the logs by
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 165
    Figure 6-9 ProSafe VPN Firewall 200 FVX538 Reference Manual View System Logs Select the types of events to email. Select the segments to track for System Log events. Enable email alerts. Syslog Server enabled
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 166
    200 FVX538 Reference Manual Viewing Data Item Rule LAN IP Address Open Ports Time Remaining Description The name of the Rule. The IP address of the PC currently using traffic using one of these ports will be sent to the IP address above. The time remaining before this rule is released, and thus
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 167
    Item System Name Firmware Version LAN Port Description This is the Account Name that you entered in the Basic Settings page. This is the current software the router is using. This will change if you upgrade your router. Displays the current settings for MAC address, IP address, DHCP role and
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 168
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-3. Router Status Fields Item Description WAN1 IP Address • Subnet Mask • Gateway Address • Primary and Secondary DNS Server Addresses • MAC Address. WAN2 Configuration Displays the same details as for WAN1 Configuration. Note: The Router
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 169
    ProSafe VPN Firewall 200 FVX538 Reference Manual . Figure 6-12 Monitoring VPN Tunnel Connection Status You can view the Name Endpoint Description The name of the VPN policy associated with this SA. The IP address on the remote VPN Endpoint.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 170
    VPN Firewall 200 FVX538 Reference Manual Table 6-4. VPN Status data Item Tx (KB) Tx (Packets) State Action Description The amount of data transmitted over this SA. The number of IP packets transmitted over this the log entries. Figure 6-14
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 171
    Select Network Configuration from the main menu and LAN Setup from the submenu. When the LAN Setup screen displays, click the DHCP Log link. Figure 6-15 Performing Diagnostics You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 172
    Diagnostics screen. A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 173
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-5. Diagnostics (continued) Item Description Display the Routing Table Reboot the Router Packet Trace This operation will display the internal routing table. This information is used, most often, by Technical Support. Used to perform a
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 174
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6-32 v1.0, March 2009 Router and Network Management
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 175
    Troubleshooting the ISP Connection" on page 7-4 • "Troubleshooting a TCP/IP Network Using a Ping Utility" on page 7-5 • "Restoring the Default Configuration and Password" on page 7-7 • "Problems adapter is properly connected to a functioning power outlet.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 176
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support. LEDs Never Turn Off When the firewall is turned on, the LEDs turns on
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 177
    200 FVX538 Reference Manual • Make sure your PC's IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC's address should be in the range of 192.168.0.2 to 192.168.0.254. Note: If your PC's IP address is shown as 169.254.x.x: Recent versions of
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 178
    FVX538 Reference Manual Troubleshooting the ISP Connection If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 179
    IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. You may configure your PC manually with DNS addresses, as explained in your operating system documentation. • Your PC may not have the firewall configured as its TCP/IP gateway.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 180
    VPN Firewall 200 FVX538 Reference Manual • Wrong physical connections - Make sure the LAN port LED is on. If the LED is off, follow the instructions in "LAN or card driver software and TCP/IP software are both installed and configured on your PC or workstation. - Verify that the IP address for your
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 181
    FVX538 Reference Manual Restoring the Default Configuration and Password This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address of day. Problems with the date
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 182
    ProSafe VPN Firewall 200 FVX538 Reference Manual 7-8 Troubleshooting v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 183
    Feature Router Login User Login URL User Name (case sensitive) Login Password (case sensitive) Internet Connection WAN MAC Address WAN MTU Size Port Speed Local Network (LAN) LAN IP Subnet Mask RIP Direction RIP Version RIP Authentication DHCP Server DHCP Starting IP Address DHCP Ending IP Address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 184
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table A-1. VPN firewall Default Configuration Settings (continued) and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: United Kingdom, Australia: Europe: Japan
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 185
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table A-2. VPN firewall Technical Specifications (continued) Feature Environmental Specifications Operating temperature: Operating humidity: Electromagnetic Emissions Meets requirements of: Interface Specifications LAN: WAN: Specifications 0 to 40
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 186
    ProSafe VPN Firewall 200 FVX538 Reference Manual A-4 Default Settings and Technical Specifications v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 187
    have a dynamic IP address. b. If address. Protocol binding - For rollover mode, protocol binding does not apply. - For load balancing mode, you need to decide which protocols you want to bind to a specific WAN port if you are going to take advantage of this option. - You can also add your own service
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 188
    200 FVX538 Reference Manual a. Have active Internet services such as that provided by cable or DSL broadband accounts and locate the Internet Service or DSL modems and a computer. Instruction for connecting your VPN firewall are in Installation Guide, FVX538 ProSafe VPN Firewall 200.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 189
    FVX538 Reference Manual FVX538, you must use a Java-enabled Web browser program that supports HTTP uploads such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR Login Name and Password • ISP Domain Name Server (DNS) Addresses • Fixed IP Address which is also known as Static IP Address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 190
    TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page. - For Macintosh computers, open the TCP/IP or Network control panel. Record all the settings for each section. • You may also refer to the FVX538 Resource CD for the NETGEAR Router ISP Guide which
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 191
    fill in the following: Login Name Password Service Name Fixed or Static IP Address: If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address. Fixed or Static Internet IP Address Gateway IP Address Subnet Mask ISP DNS Server
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 192
    ProSafe VPN Firewall 200 FVX538 Reference Manual Overview of the Planning Process The areas that require planning gateway VPN firewalls or between a remote PC client and gateway VPN firewall. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 193
    VPN Firewall 200 FVX538 Reference Manual The Roll-over Case for Firewalls With Dual WAN Ports Rollover for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time and when it rolls over, the IP address of the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 194
    the exposed host when this feature is supported and enabled. In the single WAN case, the WAN's Internet address is either fixed IP or a fully-qualified domain name if the IP address is dynamic. Figure B-4 Inbound Traffic to Dual WAN Port Systems The IP address range of the firewall's WAN port must
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 195
    ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover, the WAN's IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 196
    ProSafe VPN Firewall 200 FVX538 Reference Manual Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall's dual WAN port depends on the configuration
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 197
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure B-7 • Load Balancing Case for Dual Gateway WAN Ports Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 198
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 199
    ProSafe VPN Firewall 200 FVX538 Reference Manual The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 200
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure B-12 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional. VPN Gateway-to-
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 201
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure B-13 The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional. VPN Gateway-to-Gateway:
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 202
    ProSafe VPN Firewall 200 FVX538 Reference Manual The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 203
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Gateway-to-Gateway: Dual Gateway WAN Ports for exemplify the requirements for a remote PC client connected to the Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway VPN firewall at the company office:
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 204
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall, the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 205
    ProSafe VPN Firewall 200 FVX538 Reference Manual The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 206
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing In necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance. The chosen gateway WAN port must act as the responder.
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 207
    terms. Table C-1. Log Parameter Terms Term [FVX538] [kernel] CODE DEST DPT IN OUT PROTO SELF SPT SRC TYPE Description System identifier Message from the kernel. Protocol code (e.g., protocol is ICMP, type 8) and CODE=0 means successful reply. Destination IP Address of the machine to which the
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 208
    200 FVX538 Reference Manual Table C-2. System Logs: System Startup Message Explanation Recommended Action Jan 1 15:22:28 [FVX538] :31:13 [FVX538] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [FVX538] [ntpdate] Requesting time from time-f.netgear.com Nov 28 12:31:14 [FVX538] [ntpdate]
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 209
    Explanation Recommended Action Message Explanation Recommended Action Nov 28 14:45:42 [FVX538] [login] Login succeeded: user admin from 192.168.10.10 Login of user admin from host with IP address 192.168.10.10 None Nov 28 14:55:09 [FVX538] [seclogin] Logout succeeded for user admin Nov 28 14:55:13
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 210
    FVX538 Reference Manual IPSec Restart This logging is always done. Table C-7. System Logs: IPSec Restart Message Explanation Recommended Action Jan 23 16:20:44 [FVX538 If there are two ISP links for Internet connectivity, the router can be configured either in Auto Rollover mode or Load Balancing
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 211
    ProSafe VPN Firewall 200 FVX538 Reference Manual Auto Rollover When the WAN mode is configured for Auto Rollover, the primary link is active and secondary acts only as a backup. When the primary
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 212
    ProSafe VPN Firewall 200 FVX538 Reference Manual PPP Logs This section describes FVX538] [pppd] Connection terminated. Message 1: PPPoE connection establishment started. Message 2: Message from PPPoE server for correct login Message 3: Authentication for PPP succeeded. Message 4: Local IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 213
    200 FVX538 Reference Manual PPTP Idle-Timeout Logs. Table C-10. System Logs: WAN Status, PPE, PPTP Idle-Timeout Message Explanation Nov 29 11:19:02 [FVX538] [pppd] Starting connection Nov 29 11:19:05 [FVX538] [pppd] CHAP authentication succeeded Nov 29 11:19:05 [FVX538] [pppd] local IP address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 214
    URL blocked due to keyword blocking is shown by [URL] along with source and destination IP addresses, protocol, source port and destination port. • For other parameters, refer to Table C-1. None Jan 23 16:53:32 [FVX538] [kernel] [JAVA_BLOCKED] [URL]==>[ www.java.com/js/css.js ] IN=SELF OUT=SELF SRC
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 215
    ProSafe VPN Firewall 200 FVX538 Reference Manual Traffic Metering Logs Table C-13. System Logs: Traffic Redirect message sent to the router by another router. • For other parameters, refer to Table C-1. To enable these logs, from CLI command prompt of the router, enter this command: monitor
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 216
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-16. System Logs: Multicast/Broadcast (continued) Explanation Recommended Action to Table C-1. To enable these logs, from CLI command prompt of the router, enter this command: monitor/firewallLogs/logger/loggerConfig logFtp 1 And to disable
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 217
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs: Invalid Packets (continued) invalid packet and disable logging: fw/rules/attackChecks/configure dropInvalid 0 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][ICMP_TYPE][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=ICMP
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 218
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs: Invalid Packets (continued) packet and disable logging: fw/rules/attackChecks/configure dropInvalid 0 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 219
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs: Invalid Packets (continued) Message Explanation Recommended Action Message Explanation Recommended Action 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP SPT
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 220
    Firewall 200 FVX538 Reference Manual LAN to DMZ Logs Table C-20. Routing Logs: LAN to DMZ Message Explanation Recommended Action Nov 29 09:44:06 [FVX538] [ : WAN to LAN Message Explanation Recommended Action Nov 29 10:05:15 [FVX538] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC=192.168.1.214 DST
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 221
    ProSafe VPN Firewall 200 FVX538 Reference Manual WAN to DMZ Logs Table C-24. Routing Logs: WAN to DMZ Message Explanation Recommended Action Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[ACCEPT] IN=WAN OUT=DMZ SRC=192.168.1.214 DST=192.168.20.10 PROTO=ICMP TYPE=8 CODE=0 • This packet from WAN to
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 222
    ProSafe VPN Firewall 200 FVX538 Reference Manual C-16 v1.0, March 2009 System Logs and Error Messages
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 223
    of the technologies used in your NETGEAR product. Document Link Internet Networking and TCP/IP http://documentation.netgear.com/reference/enu/tcpip/index.htm Addressing: Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for Network
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 224
    ProSafe VPN Firewall 200 FVX538 Reference Manual D-2 Related Documents v1.0, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 225
    the networks. As part of the new maintenance firmware release, NETGEAR has implemented a more robust authentication system known as Two-Factor Authentication (2FA or T-FA) on its SSL and IPSec VPN firewall product line to help address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 226
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual • Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products. • Proven regulatory compliance. Two-Factor Authentication has been used as a mandatory authentication
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 227
    Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual The WiKID solution is based on a request-response been confirmed by the server. The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs. Here is
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 228
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 2. A one-time passcode (something they have) is generated for this user. Figure E-2 Note: The one-time passcode is time synchronized to the authentication server so
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 229
    passcode as the login password. Figure E-3 Two-Factor Authentication is a new and easy way to enhance networking security products without having to replace the existing hardware. To obtain and try the new Two-Factor Authentication solution on your products, visit NETGEAR Support website at http
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 230
    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual E-6 Two Factor Authentication v1.3, March 2009
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 231
    Mode Config Record screen 5-30 Add Protocol Binding Destination Network 2-12 Service 2-12 address reservation 3-9 Advanced Options MTU Size 2-17 Port Speed 2-18 Router's MAC Address 2-18 Allowing Videoconference from Restricted Addresses example of 4-20 Attack Checks about 4-16 Attack Checks screen
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 232
    Services adding 4-3, 4-26 D Date setting 6-19 date troubleshooting 7-7 Daylight Savings Time adjusting for 6-19 DDNS about 2-14 configuration of 2-15 links to 2-16 services, examples 2-16 DDNS providers links to 2-16 Dead Peer Detection 5-17 default configuration restoring 7-7 default IP Address
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 233
    IP Address DHCP Address Pool 3-4 Ethernet, Auto Uplink 1-3 Event Logs emailing of 4-39 Extended Authentication. See XAUTH. F factory default login firewall protection 4-1 firmware downloading 6-17 upgrade 6-17 Fixed IP 2-3 FQDN 2-15, 5-2 fully qualified domain name. See FQDN. FVX538 features of 1-1
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 234
    2-4 connecting to 2-1 Internet connection configuring 2-2 manual configuration 2-4 Internet service connection types 2-3 Internet Service Provider. See ISP. Internet Traffic Statistics 6-21 IP Address router default 3-3 IP addresses auto-generated 7-3 DHCP address pool 3-1 how to assign 3-1 multi
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 235
    bandwidth capacity 6-1 Log Entry Descriptions C-1 logging in default login 2-1 M MAC Address format of 4-32 ProSafe VPN Firewall 200 FVX538 Reference Manual MAC address 7-6 configuring 2-3, 2-4 format of 2-18 spoofing 7-5 MAC addresses blocked, adding 4-32 Maximum Failover 2-11 ModeConfig 5-29
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 236
    Outbound Services Rules adding 4-11 P package contents 1-5 passwords and login timeout changing 6-8 passwords, restoring 7-7 performance management 6-1 Ping responding to 2-4 troubleshooting TCP/IP 7-5 Ping On Internet Ports 4-16 Ping to an IP address Auto-Rollover 2-10 Ping to this IP address 2-10
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 237
    Reserved IP Addresses 3-9 Restore saved settings 6-16 Return E-mail Address 4-41 RFC 1349 4-27 RFC1700 protocol numbers 4-25 RIP 3-14 about 3-14 configuring parameters 3-14 static routes, use with 3-13 versions of 3-15 RIP Configuration screen 3-14 Rollover mode bandwidth capacity 6-1 router upgrade
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 238
    VPN Firewall 200 FVX538 Reference Manual Settings Backup & Upgrade screen 6-15 Settings Backup and Firmware Upgrade 6-16 Simple IP Address 4-41 System log messages C-1 T TCP/IP network, troubleshooting 7-5 Test Period 2-10 Time setting 6-19 time daylight savings, troubleshooting 7-7 troubleshooting
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 239
    ProSafe VPN Firewall 200 FVX538 Reference Manual two-factor authentication WiKID 6-11 TZO.com 2-14 U UDP flood 4-17 Use Default Address 2-4 User Database 5-24 adding user 5-25 editing user 5-27 User Database screen 5-25 V view protocol bindings Load Balancing 2-12 viewing logs 6-22 VPN gateway to
  • Netgear FVX538v1 | FVX538 Reference Manual - Page 240
    Meter 2-6 WAN2 ISP settings 2-4 WAN2 ISP Settings manual setup 2-6 WAN2 Protocol Bindings 2-13 WAN2 Protocol Bindings screen. 2-13 WAN2 Traffic Meter 2-7 Web Components 4-29 blocking 4-30 filtering, about 4-29 Web configuration troubleshooting 7-2 WiKID 6-11 WinPoET 2-5 X XAUTH IPSec Host 5-24
