Netgear FVX538v2 Reference Manual

Netgear FVX538v2 - ProSafe VPN Firewall Dual WAN Manual

Netgear FVX538v2 manual content summary:

  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 1
    ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 202-10062-10 v1.0 January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 2
    of product and software upgrades. NETGEAR, INC. Support Information Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card. E-mail: [email protected] North American NETGEAR website: http://www.netgear.com Trademarks NETGEAR and the NETGEAR logo are
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 3
    Importer It is hereby certified that the ProSafe VPN Firewall 200 has been suppressed in the notes in the operating instructions. Federal Office for Telecommunications software without his specific prior written permission. This software is provided "as is" with no express or implied warranties
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 4
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 5
    version 1.1.4, March 11th, 2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler. This software is provided "as is," without any express or implied warranty : Publication Part Number: Publication Version Number FVX538 January 2010 VPN Firewall ProSafe VPN Firewall 200 Business English
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 6
    vi v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 7
    Contents ProSafe VPN Firewall 200 FVX538 Reference Manual About This Manual Conventions, Formats and Scope xiii How to Print This Manual xiv Revision History Ethernet Connections with Auto Uplink 1-3 Extensive Protocol Support 1-4 Easy Installation and Management 1-4 Maintenance and Support 1-5
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 8
    ProSafe VPN Firewall 200 FVX538 Reference Manual Setting Up Load Balancing 2-11 Configuring Dynamic DNS (Optional 2-14 Configuring the 22 Managing the Application Level Gateway for SIP Sessions 4-23 Creating Services, QoS Profiles, and Bandwidth Profiles 4-24 viii Contents v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 9
    ProSafe VPN Firewall 200 FVX538 Reference Manual Adding Customized Services 4-24 Specifying Quality of Service (QoS) Priorities 4-26 5-6 Testing the Connections and Viewing Status Information 5-12 NETGEAR VPN Client Status and Log Information 5-12 VPN Firewall VPN Connection Status and Logs
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 10
    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuration File 6-18 Configuring Date and Time Service 6-21 Monitoring System Performance 6-23 Activating Connection Status 6-34 Viewing the VPN Logs 6-35 Viewing the DHCP Log 6-36 Viewing Port Triggering Status 6-36 Chapter 7 Troubleshooting
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 11
    ProSafe VPN Firewall 200 FVX538 Reference Manual Power LED Not On 7-2 LEDs Never Turn Off 7-2 LAN or Internet Port LEDs Not On 7-2 Troubleshooting the Web Configuration Interface 7-3 Troubleshooting the ISP Connection 7-4 Troubleshooting a TCP/IP Network Using a Ping Utility 7-5 Testing the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 12
    ProSafe VPN Firewall 200 FVX538 Reference Manual Appendix C System Logs and Error Messages System Log Messages C-1 System Startup of Two-Factor Authentication D-1 What is Two-Factor Authentication D-2 NETGEAR Two-Factor Authentication Solutions D-2 Appendix E Related Documents Index xii
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 13
    About This Manual The NETGEAR® ProSafe™ VPN Firewall 200 describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills. Conventions, Formats and Scope The conventions, formats
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 14
    FVX538 Reference Manual • Scope. This manual is written for the VPN firewall according to these specifications. Product Version Manual Publication Date ProSafe VPN Firewall 200 January 2010 For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 15
    ProSafe VPN Firewall 200 FVX538 Reference Manual 202-10062-09 1.0 202-10062-10 1.0 Mar. 09 January 2010 Adds these corrections and topics for the March 2009 firmware maintenance release: • WIKID 2 factor authentication • SIP ALG support • DHCP Relay support • Update VPN configuration procedure
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 16
    ProSafe VPN Firewall 200 FVX538 Reference Manual 202-10062-10 1.0 (continued) January 2010 (continued) • Updated to show the current user interface: * "Creating Services, QoS Profiles, and Bandwidth Profiles" * "Setting to the "Troubleshooting" chapter. xvi About This Manual v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 17
    up to 200 simultaneous IPSec VPN tunnels. • Support for up to 400 internal LAN users (and 50K connections). • Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia. • Built
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 18
    VPN Firewall 200 FVX538 Reference Manual • One console port for local management. • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). • Easy, web-based setup for installation and management. • Advanced SPI Firewall and Multi-NAT support. • Extensive Protocol
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 19
    local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network. Autosensing Ethernet Connections with Auto Uplink With its internal 8-port 10/100 switch, the FVX538 can connect to either a 10
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 20
    ProSafe VPN Firewall 200 FVX538 Reference Manual Extensive Protocol Support The FVX538 supports Internet service connection setup and forwards DNS requests from the LAN connection, asking you only for the information required for your type of ISP account. • VPN Wizard. The VPN firewall includes the NETGEAR
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 21
    activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVX538: • Flash memory for firmware upgrade • Technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 22
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Firewall Front and Rear Panels The FVX538 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. 1 2 3 4 5 6 7 Figure 1-1 Table 1-1 describes each item on the front panel and its
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 23
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 1-1. Object Descriptions (continued) Object LED Activity Description 3, WAN Ports and LEDs (continued) Active LED On (Green) On (Amber) Off The WAN port has a valid Internet connection. The Internet connection is down or not being used
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 24
    ProSafe VPN Firewall 200 FVX538 Reference Manual The rear panel of the FVX538 contains the On/Off switch and AC power connection. Figure 1-2 1 2 Viewed from left to right, the rear panel contains the following elements: 1. AC power in 2. On/Off switch Rack Mounting Hardware The FVX538 can be
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 25
    ProSafe VPN Firewall 200 FVX538 Reference Manual The VPN Firewall's IP Address, Login Name, and Password Check the label on the bottom of the FVX538's IP Address User Name Password Figure 1-4 To log in to the FVX538 once it is connected, go to http://192.168.1.1. Figure 1-5 Once the login screen
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 26
    ProSafe VPN Firewall 200 FVX538 Reference Manual Qualified Web Browsers To configure the FVX538, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher with JavaScript, cookies, and
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 27
    to your network. Connect the cables and restart your network according to the instructions in the installation guide. See the Installation Guide, FVX538 ProSafe VPN Firewall 200 for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com. 2. Log in
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 28
    ProSafe VPN Firewall 200 FVX538 Reference Manual can change the factory default MTU size and port speed. However, these are advanced features and changing them connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. If you need instructions
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 29
    ProSafe VPN Firewall 200 FVX538 Reference Manual To automatically configure the WAN ports and connect to the Internet: 1. Select Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support. Connecting the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 30
    ProSafe VPN Firewall 200 FVX538 Reference Manual When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1. Note: When you click Auto Detect while the WAN port already has a connection, you might lose
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 31
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. Set up the traffic meter for WAN 1 ISP if desired. See "Enabling the Traffic Meter" on page 627. Note: At this point of the configuration process, you are now connected to the Internet through WAN port 1. But you must continue with the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 32
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. What type of ISP connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must log in. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected. If
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 33
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. If your ISP has assigned a fixed (static or permanent) names such as www.google.com, www.netgear.com, etc. to Internet addresses called IP addresses. Incorrect settings here will result in connectivity problems. 5. Click Apply to save the settings
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 34
    ProSafe VPN Firewall 200 FVX538 Reference Manual The VPN firewall supports the following modes: • Auto-Rollover Mode. In this mode, the selected WAN on the front panel (see "VPN Firewall Front and Rear Panels" on page 1-6). 2-8 Connecting the VPN Firewall to the Internet v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 35
    ProSafe VPN Firewall 200 FVX538 Reference Manual Setting Up Auto-Rollover Mode If you want to use Detection Method to support Auto-Rollover. When the VPN firewall is configured in Auto-Rollover mode, the VPN firewall uses the WAN Failure Detection Method to check the connection of the primary link
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 36
    ProSafe VPN Firewall 200 FVX538 Reference Manual 5. Enter a Test Period in seconds. DNS query is sent periodically after every test period. The default interface by reapplying the Auto-Rollover settings in the WAN Port Mode menu. 2-10 Connecting the VPN Firewall to the Internet v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 37
    ProSafe VPN Firewall 200 FVX538 Reference Manual through the WAN1 port. Note: NETGEAR recommends that all specific traffic (for speed. High volume traffic can be routed through the port connected to a high speed link and low volume traffic can be routed through the port connected to the low speed
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 38
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Enter the following data in the Add Protocol Binding section: a. Service - From the pull-down menu, select the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 39
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-5 3. Modify the parameters for the protocol binding service you selected. 4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table. 5. Click Reset to return to the previously configured settings. Connecting
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 40
    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring Dynamic DNS (Optional) Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 41
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 2-6 2. Click the tab of the Dynamic DNS Service you want to enable. Each DNS service provider requires registration and you then configure its parameters on the corresponding screen. 3. Access the website of one of the DDNS service providers
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 42
    ProSafe VPN Firewall 200 FVX538 Reference Manual d. If your dynamic DNS provider allows the use of wild cards in resolving your URL screen will display. 2. Click Advanced to access the WAN1 Advanced Options screen. Figure 2-7 2-16 Connecting the VPN Firewall to the Internet v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 43
    (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may have to manually select the port speed. AutoSense is the default. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100BaseT Half_Duplex; otherwise, select
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 44
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2-18 Connecting the VPN Firewall to the Internet v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 45
    the advanced LAN features of your ProSafe VPN Firewall 200 FVX538, including the following sections: • Server, and default gateway addresses to all computers connected to the VPN firewall LAN. The assigned be the DHCP server, or if you will manually configure the network settings of all of your
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 46
    ProSafe VPN Firewall 200 FVX538 Reference Manual broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP Relay of the active connection. Configuring the LAN Setup Options The LAN Setup screen allows configuration of LAN IP services such as DHCP
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 47
    ProSafe VPN Firewall 200 FVX538 Reference Manual Note: If you enable the DNS Relay feature, you will not use the VPN firewall as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network. To configure the LAN Setup options: 1. Select Network Configuration from
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 48
    ProSafe VPN Firewall 200 FVX538 Reference Manual Note: If you change the LAN IP address of the VPN firewall while connected through the browser, you will be disconnected. You must then open a new connection configured in the LAN TCP/IP Setup section of the LAN Setup screen). • Primary DNS Server.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 49
    ProSafe VPN Firewall 200 FVX538 Reference Manual sequence of relative distinguished names (rdn), connected with commas and without any blank spaces. IP addresses. The VPN firewall will still service DNS requests sent to its LAN IP address have completed the LAN IP setup, all outbound traffic is allowed
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 50
    ProSafe VPN Firewall 200 FVX538 Reference Manual Managing Groups and Hosts (LAN Groups) The Known by this VPN firewall. Collectively, these entries make up the Network Database. The Network Database is updated by these methods: • DHCP Client Requests. By default, the DHCP server in this VPN firewall
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 51
    ProSafe VPN Firewall 200 FVX538 Reference Manual from the submenu. The LAN Setup screen will display. 2. Click support the NetBIOS protocol will be listed as Unknown. In this case, the name can be edited manually update this entry manually when the IP address of the computer changes.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 52
    ProSafe VPN Firewall 200 FVX538 Reference Manual • MAC Address. The MAC address of the computer's network entry. Adding Devices to the Network Database To add devices manually to the Network Database: 1. To add computers to the network database manually, fill in the following fields: • Name: The name
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 53
    ProSafe VPN Firewall 200 FVX538 Reference Manual Changing Group Names in the LAN Groups Database By default, the LAN Groups are named Group1 through Group8. You can rename these group names to
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 54
    ProSafe VPN Firewall 200 FVX538 Reference Manual To reserve an IP address, manually enter the device on the LAN Groups Select Network Configuration from the primary menu and LAN Settings from the submenu. The LAN Setup screen will display. 2. Click the LAN Multi-homing tab. The LAN Multi-homing
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 55
    ProSafe VPN Firewall 200 FVX538 Reference Manual • IP Address. The IP address alias added to the LAN LAN port on the VPN firewall can be dedicated as a hardware DMZ port for safely providing services to the Internet, without compromising security on your LAN. The DMZ port feature is also helpful
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 56
    ProSafe VPN Firewall 200 FVX538 Reference Manual Note: A separate firewall security profile is provided for the DMZ port that is hardware independent of the standard firewall security used for the LAN. The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 57
    ProSafe VPN Firewall 200 FVX538 Reference Manual If desired, select Enable DHCP Server, which will provide TCP/IP configuration for all computers connected to the VPN firewall's DMZ network. If another device on your DMZ network will be the DHCP server, or if you will manually TCP/IP Setup section).
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 58
    ProSafe VPN Firewall 200 FVX538 Reference Manual • port. Specifies the port number that the LDAP unchecked, the DHCP server will provide the ISP's DNS server IP addresses. The VPN firewall will still service DNS requests sent to its LAN IP address unless you disable DNS Proxy in the VPN firewall's
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 59
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Click Add. The Add Static Route screen will display. Figure 3-7 3. Enter a route name for this static route in the Route Name field (for identification and
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 60
    ProSafe VPN Firewall 200 FVX538 Reference Manual Static Route Example For example, you may require a static route if: • Your primary Internet access is through a cable modem to an ISP. • You have an ISDN firewall on your home network for connecting to the company where you are employed. This
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 61
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Click RIP Configuration link to Version pull-down menu, select the version: • Disabled. The default section disables RIP versions. • RIP-1. A class-based routing that does not include subnet information. This is the most commonly supported version
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 62
    ProSafe VPN Firewall 200 FVX538 Reference Manual • RIP-2. This includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the modes in which packets are sent are
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 63
    how to use the content filtering features of the ProSafe VPN Firewall 200 FVX538 to protect your network. This chapter includes the Other Firewall Features" on page 4-19 • "Creating Services, QoS Profiles, and Bandwidth Profiles" on page 4-24 • "Setting a Schedule to Block or Allow Specific
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 64
    ProSafe VPN Firewall 200 FVX538 Reference Manual Kinds of Traffic This section includes the following topics: • "Services-Based Rules" on this page • "Viewing Rules and Order of , DMZ/WAN traffic and LAN/DMZ traffic. Table 4-1. Supported Firewall Rule Configurations Traffic Rule LAN WAN DMZ WAN LAN
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 65
    ProSafe VPN Firewall 200 FVX538 Reference Manual Services-Based Rules The rules to block traffic are based on the traffic's category of service. • Outbound Rules (service the Services menu (see "Adding Customized Services" on page 4-24). Select the desired action for outgoing connections covered by
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 66
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-2. Outbound Rules (continued) Item Description Select the DMZ computers. QoS Priority Specifies the priority of a service which, in turn, determines the quality of that service for the traffic passing through the VPN firewall. By default
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 67
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-2. Outbound Rules (continued) Item to the Internet. The rule tells the VPN firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 68
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-3. Inbound Rules Item Description Services Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see "Adding
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 69
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-3. Inbound Rules (continued) Item Log Bandwidth Profile Description for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 70
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-1 For LAN WAN rules, DMZ WAN rules, and LAN DMZ rules, for any traffic attempting to pass through the VPN firewall, the packet information is subjected to the rules in the order shown in the Outbound Services and Inbound Services rules
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 71
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Click one of the following table buttons: • enable. Enables the can be changed to block all outbound traffic which then allows you to enable only specific services to pass through the VPN firewall. To change the default outbound policy: 1. Select
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 72
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Click Apply. LAN WAN Outbound Services Rules You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 73
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Outbound Services table. LAN WAN Inbound Services Rules This Inbound Services table lists all existing rules for inbound traffic. If you have
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 74
    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring DMZ WAN Rules The firewall rules for WAN Rules screen will display. Figure 4-5 3. Click Add under the Outbound Services table. The Add DMZ WAN Outbound Services screen will display (see Figure 4-6 on page 4-13). 4-12 Firewall Protection
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 75
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-6 4. Configure the parameters based on the descriptions in Table 4-2 on page 4-3. 5. Click Apply. The new rule will appear in the Outbound Services table. The rule is automatically enabled. The procedure to add a new DMZ WAN inbound service
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 76
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Select the LAN DMZ Rules tab. The LAN DMZ Rules screen will display. Figure 4-7 3. Click Add under the Outbound Services Table. The Add LAN DMZ Outbound Service screen will display. Figure 4-8 4. Configure the parameters based on the descriptions
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 77
    ProSafe VPN Firewall 200 FVX538 Reference Manual The procedure to add a new LAN DMZ inbound service policy is similar to the procedure described above with the exception that you click Add under the Inbound Services table, you configure the parameters based on the descriptions in Table 4-3 on page
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 78
    ProSafe VPN Firewall 200 FVX538 Reference Manual inbound rule. Figure 4-10 In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses multi-NAT to support multiple public IP addresses on one WAN interface. The inbound rule instructs the VPN firewall
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 79
    example: • VPN firewall FVX538 - WAN1 primary public IP address: 10.1.0.1 - WAN1 additional public IP address: 10.1.0.5 - LAN IP address 192.168.1.1 • Web server PC on the VPN firewall's LAN - LAN IP address: 192.168.1.11 - Port number for Web service: 8080 To test the connection from a PC on the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 80
    ProSafe VPN Firewall 200 FVX538 Reference Manual To expose one of the PCs on your LAN or DMZ as this host: 1. Create an inbound rule that allows all protocols. 2. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 81
    ProSafe VPN Firewall 200 FVX538 Reference Manual Outbound Rules Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites. LAN WAN
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 82
    ProSafe VPN Firewall 200 FVX538 Reference Manual Attack Checks The Attack Checks screen allows the Internet or WAN side. Responding to a ping can be a useful diagnostic tool when there are connectivity problems. If the ping option is enabled, you can allow either any IP address or a specific IP
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 83
    ProSafe VPN Firewall 200 FVX538 Reference Manual - Enable Stealth Mode. In stealth mode, the VPN firewall will not respond to port scans from the WAN or Internet, which makes it less susceptible to discovery and attacks. - Block TCP Flood. A SYN flood is a form of denial of service to connect to
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 84
    ProSafe VPN Firewall 200 FVX538 Reference Manual Setting Session Limits Session Limit allows you to specify the total number of sessions allowed, per user, over an IP (Internet Protocol) connection across the VPN firewall. This feature is enabled on the Session Limit screen and shown below in Figure
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 85
    ProSafe VPN Firewall 200 FVX538 Reference Manual Note: Some protocols (such as FTP or RSTP) create two sessions per connection which the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients. ALG support for SIP is disabled by default. To enable ALG for
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 86
    ProSafe VPN Firewall 200 FVX538 Reference Manual Creating Services, QoS Profiles, and Bandwidth Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: • Services. A
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 87
    ProSafe VPN Firewall 200 FVX538 Reference Manual To define a new service, first you must determine which port number or UDP or ICMP. 4. Enter the first TCP or UDP port of the range that the service uses. If the service uses only one port, then the Start Port and the Finish Port will be the same.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 88
    ProSafe VPN Firewall 200 FVX538 Reference Manual Modifying a Service To edit the parameters of a service: 1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display. Figure 4-18 2. Modify the parameters you wish to change. 3.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 89
    ProSafe VPN Firewall 200 FVX538 Reference Manual A ToS priority for traffic passing through the VPN firewall is one of the following: • Normal-Service. No special priority given to the traffic. The IP packets for services of the connection: The class is deleted when all the connections using the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 90
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-19 2. Click Add to add a new bandwidth profile. The Add New Bandwidth Profile screen displays. Figure 4-20 3. Enter the following information: a. Enter a Profile Name.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 91
    ProSafe VPN Firewall 200 FVX538 Reference Manual c. Depending on the direction that you selected, enter the minimum and maximum bandwidths to be allowed: • Enter the Outbound Minimum Bandwidth and Outbound Maximum Bandwidth
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 92
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-21 2. Check the radio button for All Days or Specific Days. If you chose these features and users try to access a blocked site, they will see a "Blocked by NETGEAR" message. 4-30 Firewall Protection and Content Filtering v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 93
    ProSafe VPN Firewall 200 FVX538 Reference Manual Several types of blocking are available: • Web Components blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies. Some of these
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 94
    ProSafe VPN Firewall 200 FVX538 Reference Manual Keyword application examples: • If the keyword "XXX" is specified, the URL is blocked, as is the newsgroup alt.pictures.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 95
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Check the Yes radio button to enable content filtering. 3. be Blocked table. Note: For additional ways of restricting outbound traffic, see "Outbound Rules (Service Blocking)" on page 4-3. To enable MAC filtering and add MAC addresses to be blocked:
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 96
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-23 2. Check the Yes radio box in the MAC Filtering Enable section. 3. Select the action to be taken on outbound traffic from the listed
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 97
    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring IP/MAC Address Binding IP/MAC binding allows you to bind an IP address Select the IP/MAC Binding tab. The IP/MAC Binding screen will display (see Figure 4-24 on page 4-36). Firewall Protection and Content Filtering v1.0, January 2010 4-35
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 98
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 4-24 3. Select the Yes radio box and click Apply. Make sure that you have enabled the e-mailing of logs (see "Activating Notification of Events and Alerts"
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 99
    ProSafe VPN Firewall 200 FVX538 Reference Manual To edit an IP/MAC Bind rule, click Edit adjacent to by the VPN firewall when it functions in NAT mode. Some applications require that when external devices connect to them, they receive data on a specific port or range of ports. The VPN firewall must
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 100
    ProSafe VPN Firewall 200 FVX538 Reference Manual Note these restrictions with port triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application,
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 101
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. In the Incoming (Response) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 7. Click Add. The Port Triggering Rule
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 102
    ProSafe VPN Firewall 200 FVX538 Reference Manual E-Mail Notifications of Event Logs and Alerts The accepted and dropped packets on different segments of your LAN; denied incoming and outgoing service requests; hacker probes and login attempts; and other general information based on the settings
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 103
    (VPN) features of the ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • "Considerations for Dual WAN Port Systems" on this page • "Using the VPN Wizard for Client and Gateway Configurations" on page 5-3 • "Testing the Connections and Viewing Status Information" on
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 104
    ProSafe VPN Firewall 200 FVX538 Reference Manual The diagrams and table below show how the WAN mode selection relates to VPN configuration. WAN Auto-Rollover: FQDN Required for VPN Firewall Rest of
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 105
    ProSafe VPN Firewall 200 FVX538 Reference Manual Using the VPN Wizard for Client and Gateway Configurations You use the VPN Wizard to configure multiple gateway or client VPN tunnel policies. The section below provides wizard and NETGEAR VPN Client configuration procedures for the following
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 106
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-4 2. Select Gateway as your connection type. 3. Create a Connection Name. Enter a descriptive name for the connection rollover configuration, after completing the wizard, you must manually update the VPN policy to enable VPN rollover. This
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 107
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Enter the Remote and Local WAN IP Addresses or Internet Names of the gateways which will connect. • Both the remote WAN address and your local WAN address are required. Tip: To assure tunnels stay active, after completing the wizard, manually edit
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 108
    ProSafe VPN Firewall 200 FVX538 Reference Manual 9. If you are connecting to another NETGEAR VPN firewall, use the VPN Wizard to configure the second VPN firewall to connect to the one you just configured. To display the status of your VPN connections, select VPN from the main menu and Connection
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 109
    ProSafe VPN Firewall 200 FVX538 Reference Manual Follow these steps to configure a VPN client tunnel: • Configure the client policies on the gateway. • Configure the VPN client to connect to the gateway. Use the VPN Wizard Configure the Gateway for a Client Tunnel 1. Select VPN from the main
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 110
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. Enter a Pre-shared Key; in this example, we are using r3m0+eC1ient, which must also be entered in the VPN client software. The key length must be 8 characters minimum and cannot exceed 49 characters. 5. Choose which WAN port to use as the VPN
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 111
    ProSafe VPN Firewall 200 FVX538 Reference Manual Follow these steps to configure your VPN client. 1. Right-click on the VPN client icon in your Windows toolbar, choose Security Policy Editor, and verify that the Options > Secure > Specified Connections selection is enabled. Figure 5-10 2. In the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 112
    ProSafe VPN Firewall 200 FVX538 Reference Manual Fill in the other options according to the instructions below. • Under Connection the left frame, click My Identity. Fill in the options according to the instructions below. Figure 5-12 • From the Select Certificate pull-down menu, choose None
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 113
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-13 Virtual Private Networking v1.0, January 2010 5-11
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 114
    ProSafe VPN Firewall 200 FVX538 Reference Manual • On the left, click Security Policy to view the settings: no verifying the status of a connection and troubleshooting problems with a connection. NETGEAR VPN Client Status and Log Information To test a client connection and view the status and log
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 115
    Firewall 200 FVX538 Reference Manual Within 30 seconds you should receive the message "Successfully connected to My Connections\gw1". Figure 5-15 The VPN client icon in the system tray should state On: 2. To view more detailed additional status and troubleshooting information from the NETGEAR VPN
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 116
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Right-click the VPN Client icon in the system tray and select Connection Monitor. Figure 5-17 The VPN client system tray icon provides a variety of status indications, which are listed below. Table 5-2. System Tray Icon Status The client
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 117
    ProSafe VPN Firewall 200 FVX538 Reference Manual You can set a Poll Interval (in seconds) to check the connection status Phase 2 is "Key Exchange phase". Action. Allows you to terminate or build the SA (connection), if required. To view VPN firewall VPN logs, select Monitoring from the main menu and
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 118
    ProSafe VPN Firewall 200 FVX538 Reference Manual Managing VPN Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN policy and an IKE policy are established and populated in both policy tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 119
    ProSafe VPN Firewall 200 FVX538 Reference Manual The IKE Policies Screen When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the List of IKE Policies table on the IKE Policies screen and is given the same name as the new VPN connection name. You can
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 120
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Auth. Authentication Algorithm used for the IKE SA. The and DH algorithm technologies, see Appendix E, "Related Documents" for a link to the NETGEAR website. Configuring VPN Policies You can create two types of VPN policies. When using the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 121
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. Only one client policy may be configured at a time (noted by an "*" next to the policy name). The List of VPN Policies contains the following fields: • ! (
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 122
    ProSafe VPN Firewall 200 FVX538 Reference Manual HTTPS. The VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by The VPN firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 123
    ProSafe VPN Firewall 200 FVX538 Reference Manual • CA certificate. Each CA issues its own CA identity certificate in order to validate communication with the CA and to verify the validity of certificates
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 124
    ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing Active Self Certificates The Active Self Certificates table on To use a self certificate, you must first request the certificate from the CA, then download and activate the certificate on your system. To request a self certificate from a CA,
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 125
    ProSafe VPN Firewall 200 FVX538 Reference Manual To generate a new Certificate Signing Request (CSR) file: 1. Locate the Generate Self Certificate Request section of the Certificates screen. Figure 5-23 2. Configure the following fields: •
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 126
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Domain Name - If you have an Internet domain name, you can . A new certificate request is created and added to the Self Certificate Requests table. Figure 5-24 5. In the Self Certificate Requests table, click view in the Action column to view the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 127
    ProSafe VPN Firewall 200 FVX538 Reference Manual 7. Submit your certificate request to a CA: a. Connect to the website of the CA. b. Start the Self Certificate request procedure. c. When prompted for the requested data, copy the data from your saved text
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 128
    ProSafe VPN Firewall 200 FVX538 Reference Manual The CRL table lists your active CAs and their critical release dates: • CA Identify - The official name of the CA which issued this CRL. • Last Update - The date when this CRL was released. • Next Update - The date when the next CRL will be released.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 129
    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring XAUTH for VPN Clients Once the XAUTH has been enabled, you must establish user accounts on the local database to be authenticated against XAUTH,
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 130
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 5-28 3. In the Extended Authentication section of the Add IKE Policy (or Edit IKE Policy) screen, select the Authentication Type from the pull-down
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 131
    ProSafe VPN Firewall 200 FVX538 Reference Manual - User Database to verify against the VPN firewall's user user credentials are available. If the user account is not present, the VPN firewall will then connect to the RADIUS server (see "RADIUS Client Configuration" on page 5-30). • IPSec Host.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 132
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Enter Client Configuration RADIUS (Remote Authentication Dial In User Service, RFC 2865) is a protocol for managing access to network resources. During the establishment of a VPN connection, the VPN gateway can interrupt the process with an
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 133
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Select the RADIUS Client tab. The RADIUS Client screen will display. Figure 5-30 3. Enable the primary RADIUS server by checking the Yes radio box. 4. Enter
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 134
    ProSafe VPN Firewall 200 FVX538 Reference Manual 8. Set the Time Out Period, in seconds, .168.2.1/255.255.255.0 • NETGEAR ProSafe VPN Client software IP address: 192.168.1.2 Mode Config Operation After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 135
    ProSafe VPN Firewall 200 FVX538 Reference Manual IP address from the configured IP address pool and released only after the VPN client has gracefully disconnected or after the SA lifetime for the connection has timed out. Configuring Mode Config Operation on the VPN Firewall You need to configure two
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 136
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Click Add. The Add Mode Config Record screen will display. Figure 5-32 3. Enter a descriptive Record Name such as "Sales". 4. Assign at least one range of
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 137
    ProSafe VPN Firewall 200 FVX538 Reference Manual 9. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm:
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 138
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Click Add to configure a new IKE Policy. The Add IKE Policy screen will display. Figure 5-34 3. In the Mode Config Record section, enable Mode Config
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 139
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. In the General section: • Enter a description name in the Policy Name field such as "SalesPerson". This name will be used as part of the remote
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 140
    . The new policy will appear in the List of IKE Policies table. Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 141
    ProSafe VPN Firewall 200 FVX538 Reference Manual d. Check the Connect using radio button and select Secure Gateway Tunnel from the pulldown menu. e. From the ID Type pull-down menu, select Domain name and enter the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 142
    ProSafe VPN Firewall 200 FVX538 Reference Manual e. Select your Internet Interface adapter from the Name pull-down menu. 3. On the left-side of the menu, select Security Policy. Enter the following information: a.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 143
    ProSafe VPN Firewall 200 FVX538 Reference Manual 5. Click on Key Exchange (Phase 2) on the left-side of select Connect. The connection policy you configured will appear; in this case "My Connections\modecfg_test". 2. Click on the connection. Within 30 seconds the message "Successfully connected to
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 144
    ProSafe VPN Firewall 200 FVX538 Reference Manual Configuring Keepalives and Dead Peer Detection In some cases, it may not be desirable to have a VPN tunnel drop when traffic is idle; for example,
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 145
    ProSafe VPN Firewall 200 FVX538 Reference Manual 5. In the Ping IP Address boxes, enter an IP missed responses that will be considered a tunnel connection failure. The default is 3 missed responses. When the VPN firewall senses a tunnel connection failure, it forces a reestablishment of the tunnel
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 146
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. In Reconnect after failure count, set the number of DPD failures allowed before tearing down the connection. The default is 3 failures. When the VPN firewall senses an IKE connection failure, it deletes the IPSec and IKE Security Association and
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 147
    to use the network management features of your ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • be much lower when DSL or cable modems are used to connect to the Internet. At 1.5 Mbps, the WAN ports will support the following traffic rates: • Load balancing mode: 3
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 148
    ProSafe VPN Firewall 200 FVX538 Reference Manual side loading are as follows: • Service blocking • Blocking sites • Source MAC filtering Service Blocking You can control specific outbound will cause serious problems. Each rule lets you specify the desired action for the connections covered by the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 149
    ProSafe VPN Firewall 200 FVX538 Reference Manual - Groups. you must define it using the Services screen (see "Adding Customized Services" on page 4-24). • Groups and Hosts. You this, leaving the DHCP Server feature (on the LAN Setup screen) enabled is strongly recommended. - Scanning the Network.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 150
    ProSafe VPN Firewall 200 FVX538 Reference Manual Blocking Sites If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall's filtering feature.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 151
    ProSafe VPN Firewall 200 FVX538 Reference Manual Port Forwarding The VPN firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you can not use it (that is, the service serious problems. You
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 152
    ProSafe VPN Firewall 200 FVX538 Reference Manual you must define it using the Services screen (see "Adding Customized Services" on page 4-24). • Schedule. If you have set an outgoing connection using a port number defined in the Port Triggering table. • The VPN firewall records this connection, opens
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 153
    ProSafe VPN Firewall 200 FVX538 Reference Manual procedure on how to use this feature. DMZ Port The DMZ Setup screen allows you to set up the DMZ port. Specifying a computer or server that is available to anyone on the Internet for services that you haven't defined. The default setting of the rules
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 154
    ProSafe VPN Firewall 200 FVX538 Reference Manual You will not change the WAN bandwidth used by changing any QoS priority settings. But you will change the mix of traffic through the WAN ports by granting some services a higher priority than others. The quality of a service and upgrade firmware, and
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 155
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-1 2. In the Enable Local Authentication section of the screen: a. Enable local authentication by selecting the Yes radio box. b. Click Apply to save your settings. 3.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 156
    ProSafe VPN Firewall 200 FVX538 Reference Manual b. Click Apply to save your settings. Note: The password and time-out value you enter will be changed back to password and 5 minutes, respectively, after a
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 157
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Configure the following fields: a. User Name. Enter a unique identifier or CHAP password-based authentication method that functions with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft Windows 2003 Server. WiKID
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 158
    ProSafe VPN Firewall 200 FVX538 Reference Manual To configure external authentication: 1. Select Users from the main menu and External Authentication from the submenu. The External Users screen will display. 2. Select the External
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 159
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Primary Server NAS Identifier. The identifier for the the VPN firewall will make to contact the RADIUS server. When this number is exceeded, the connection to the RADIUS server cannot be set up. • Users Default Timeout. The period in minutes
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 160
    ProSafe VPN Firewall 200 FVX538 Reference Manual Enabling Remote Management Access Using the Remote Management screen, you can allow an administrator on the Internet to configure, upgrade, and check the status of your VPN firewall. You must be logged in locally to enable remote management (see "
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 161
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Check Allow Remote Management radio box. 3. Click the Yes radio button to enable secure HTTP management (enabled by default), and configure the external IP addresses that will be allowed to connect number of any common service port. The default is
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 162
    ProSafe VPN Firewall 200 FVX538 Reference Manual . Note: To maintain security, the VPN firewall will reject a login that uses http://address rather than the SSL https://address. Note: The first time you remotely connect connections will also be disabled. Tip: If you are using a dynamic DNS service
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 163
    ProSafe VPN Firewall 200 FVX538 Reference Manual To create a new SNMP configuration entry: 1. Select Administration from the main menu and SNMP from the submenu. The SNMP screen will display. Figure 6-6 2. Under Create
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 164
    ProSafe VPN Firewall 200 FVX538 Reference Manual When you click on the SNMP System Info link • Revert to the factory default settings. • Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version. 6-18 VPN Firewall and Network Management v1.0, January
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 165
    ProSafe VPN Firewall 200 FVX538 Reference Manual Backing Up Settings To back up settings: 1. Select Administration from the main menu and Settings Backup & Upgrade from the submenu. The Settings Backup and Firmware Upgrade screen will display. Figure 6-8 2. Click backup to save a copy of your
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 166
    www.netgear.com/support and click Downloads. 2. From the Product Selection pull-down menu, choose the FVX538. 3. Click on the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the VPN firewall's software. After downloading an
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 167
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall. The software upgrade process might take some time. At the conclusion of the upgrade, your VPN firewall will reboot. Warning: After you have
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 168
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-9 2. From the Date/Time pull-down menu, select the local time zone. This is required in order for scheduling to work correctly. The VPN firewall includes a Real-Time Clock (RTC), which it uses for scheduling. 3. If supported in your region,
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 169
    ProSafe VPN Firewall 200 FVX538 Reference Manual Attached Devices" on page 6-33 • "Monitoring VPN Tunnel Connection Status" on page 6-34 • "Viewing the VPN Logs DMZ; denied incoming and outgoing service requests; hacker probes and Login 24). VPN Firewall and Network Management v1.0, January 2010 6-23
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 170
    ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 6-10 6-24 VPN Firewall and Network Management v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 171
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. In the Log Options section, enter the Protocol is a weak scheme to verify the sender of e-mail (a common daemon program for providing the ident service is identd). 8. In the Send E-mail logs by Schedule section, enter a Schedule for sending the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 172
    ProSafe VPN Firewall 200 FVX538 Reference Manual • LOG_NOTICE (Normal but significant conditions) • LOG_INFO ( a copy of the log by clicking send log. Click refresh log to retrieve the latest update. Click clear log to delete all entries. Log entries are described in Table 6-2. See Appendix
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 173
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-2. Firewall Log Field Descriptions (continued) Field Source IP Source port and interface Destination Destination port and interface Description The IP address of the initiating device for this log entry. The service port number of the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 174
    ProSafe VPN Firewall 200 FVX538 Reference Manual 2. Enable the traffic meter by clicking the Yes radio No Limit. Any specified restrictions will not be applied when traffic limit is reached. • Download only. The specified restrictions will be applied to the incoming traffic only • Both Directions.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 175
    ProSafe VPN Firewall 200 FVX538 Reference Manual 4. In the When limit is reached section, make the following volume of traffic for each protocol will be displayed in a popup window. Traffic counters are updated in MBytes scale; the counter starts only when traffic passed is at least 1MB. Figure 6-
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 176
    ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing the VPN Firewall Configuration and System Firmware Version LAN Port Description This is the Account Name that you entered on the WAN ISP Settings screen. This is the current software the VPN firewall is using. This will change if you upgrade
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 177
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 6-3. Router Status Fields (continued) Item Description WAN1 Configuration • WAN Mode: Single, Dual, or Rollover. • WAN State: UP or DOWN. • NAT: Enabled or Disabled. • Connection Type: Static IP, DHCP, PPPoE, or PPTP. • Connection State:
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 178
    ProSafe VPN Firewall 200 FVX538 Reference Manual To set the poll interval: 1. Click the Stop button. 2. display. 2. Click the WAN Status link in the upper right-hand section of the screen. The Connection Status popup window displays a status report on the WAN1 port. Figure 6-16 To get a status
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 179
    ProSafe VPN Firewall 200 FVX538 Reference Manual Monitoring Attached Devices The LAN Groups screen contains in the database. Because of this, leaving the DHCP Server feature enabled (on the LAN Setup screen) is strongly recommended. • Scanning the Network. The local network is scanned using standard
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 180
    ProSafe VPN Firewall 200 FVX538 Reference Manual on the PC (as a fixed IP address), you may need to update this entry manually if the IP address on the PC is changed. The MAC address of the devices. Monitoring VPN Tunnel Connection Status You can view the status of the VPN tunnels by selecting VPN
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 181
    ProSafe VPN Firewall 200 FVX538 Reference Manual The Active IPsec (SA)s table lists each active connection with the following information Table 6-5. IPsec Connection Status Fields Item Policy Name Endpoint Tx (KB) Tx (Packets) State Action Description The name of the VPN policy associated with
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 182
    ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing the DHCP Log To display the DHCP log: 1. Select Network Configuration from the main menu and LAN Settings from the submenu. The LAN Setup screen will display. 2. Click the DHCP Log link in the upper right-hand section of the screen. The DHCP
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 183
    ProSafe VPN Firewall 200 FVX538 Reference Manual To view the most recent entries, click refresh. Table 6-6. Port Triggering Status Data Item Rule LAN IP Address Open Ports Time Remaining Description The name
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 184
    ProSafe VPN Firewall 200 FVX538 Reference Manual 6-38 VPN Firewall and Network Management v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 185
    tips and information for your ProSafe VPN Firewall 200 FVX538. This chapter includes the following sections: • "Basic Functions" on this page • "Troubleshooting the Web Configuration Interface" on page 7-3 • "Troubleshooting the ISP Connection" on page 7-4 • "Troubleshooting a TCP/IP Network Using
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 186
    and that the power supply adapter is properly connected to a functioning power outlet. • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support. LEDs Never Turn Off When the VPN
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 187
    ProSafe VPN Firewall 200 FVX538 Reference Manual Troubleshooting the Web Configuration Interface If you are unable to access the VPN firewall's Web Configuration interface from a PC on your local network, check the following: • Check the Ethernet connection 169.254.x.x: Recent versions of Windows and
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 188
    ProSafe VPN Firewall 200 FVX538 Reference Manual be caching the old configuration. Troubleshooting the ISP Connection If your VPN firewall is select an external site such as www.netgear.com. 2. Access the Main Menu of obtain an IP address from the ISP, the problem may be one of the following: • Your
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 189
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name on the WAN1 ISP Settings or WAN2 ISP Settings screen (see Figure 2-1 on page 2-3). • Your ISP only allows one Ethernet MAC address to connect
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 190
    ProSafe VPN Firewall 200 FVX538 Reference Manual 3. Click OK. A message, similar to the following, should , you could have one of the following problems: • Wrong physical connections - Make sure the LAN port LED is on. If the LED is off, follow the instructions in "LAN or Internet Port LEDs Not On
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 191
    ProSafe VPN Firewall 200 FVX538 Reference Manual the MAC address of a single PC connected to that modem. If this is the from the Settings Backup and Firmware Upgrade screen (see "Reverting to for the VPN firewall to reboot. Problems with Date and Time The Time
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 192
    ProSafe VPN Firewall 200 FVX538 Reference Manual Problems with the date and time function Savings Time. Go to the Time Zone screen (see "Configuring Date and Time Service" on page 6-21), and select or deselect the check box marked "Automatically . Figure 7-1
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 193
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table 7-1. Diagnostics Item Description Ping or Trace an IP Address Perform a DNS Lookup Display the Routing Table Ping. Used to send a ping packet request to a specified IP address-most often, to test a connection www.netgear. Support connections
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 194
    ProSafe VPN Firewall 200 FVX538 Reference Manual 7-10 v1.0, January 2010 Troubleshooting
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 195
    Login User Login URL User Name (case sensitive) Login Password (case sensitive) Internet Connection WAN MAC Address WAN MTU Size Port Speed Local Network (LAN) Lan IP Subnet Mask RIP Direction RIP Version RIP Authentication DHCP Server DHCP Starting IP Address DHCP Ending IP Address DMZ Default
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 196
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table A-1. VPN firewall Default Configuration Settings (continued) Feature Default ) Source MAC filtering Disabled Stealth Mode Enabled Technical specifications for the ProSafe VPN Firewall 200 are listed in the following table. Table A-2. VPN
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 197
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table A-2. VPN firewall Technical Specifications (continued) Feature Environmental Specifications Operating temperature: Operating humidity: Electromagnetic Emissions Meets requirements of: Interface Specifications LAN: WAN: Specifications 0° to 40
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 198
    ProSafe VPN Firewall 200 FVX538 Reference Manual A-4 Default Settings and Technical Specifications v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 199
    " on page B-5 • "Inbound Traffic" on page B-7 • "Virtual Private Networks (VPNs)" on page B-9 What You Will Need to Do Before You Begin The ProSafe VPN Firewall 200 is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 200
    ProSafe VPN Firewall 200 FVX538 Reference Manual - For rollover mode, protocol binding does not apply. - For load balancing mode, you need to decide which protocols you want to bind to a specific WAN port if you are going to take advantage of this option. - You can also add your own service
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 201
    speed, and upload bandwidth. 4. Prepare to physically connect the VPN firewall to cable or DSL modems and a computer. Instruction for connecting your VPN firewall are in Installation Guide, FVX538 ProSafe Java-enabled Web browser program that supports HTTP uploads such as Microsoft Internet Explorer
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 202
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Fixed IP Address which is also known as Static IP Address Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. • Your ISPs provide all the information needed to
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 203
    ProSafe VPN Firewall 200 FVX538 Reference Manual given host or domain names, you can use the following examples as a guide: • If your main e-mail account with your ISP is [email protected] FQDN) from a dynamic DNS service provider for their IP addresses. Dynamic DNS Service Provider FQDN Overview of the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 204
    ProSafe VPN Firewall 200 FVX538 Reference Manual Virtual Private Networks (VPNs) A virtual private network (VPN) of each WAN port is fixed. Figure B-2 Features such as multiple exposed hosts are not supported when using dual WAN port rollover because the IP addresses of each WAN port must be in
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 205
    ProSafe VPN Firewall 200 FVX538 Reference Manual The unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu. Instead of discarding this is supported and enabled.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 206
    ProSafe VPN Firewall 200 FVX538 Reference Manual In the single WAN case, the WAN's Internet address so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled. Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 207
    ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic: Dual WAN Ports for Load Balancing In the dual WAN port case for load balancing, the Internet address of each WAN port is
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 208
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table B-2. IP Addressing Requirements for VPNs in Dual WAN Port Systems Configuration and WAN IP address Single WAN Port (reference case) Dual WAN Port Cases
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 209
    ProSafe VPN Firewall 200 FVX538 Reference Manual Load balancing for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 210
    ProSafe VPN Firewall 200 FVX538 Reference Manual The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 211
    ProSafe VPN Firewall 200 FVX538 Reference Manual After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 212
    ProSafe VPN Firewall 200 FVX538 Reference Manual The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 213
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability In the case of the dual WAN ports on the gateway VPN firewall, either
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 214
    ProSafe VPN Firewall 200 FVX538 Reference Manual The purpose of the fully-qualified domain names IP address and NAT router. The following situations exemplify the requirements for a remote PC client connected to the Internet with a dynamic IP address through a NAT router to establish a VPN tunnel
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 215
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Dual gateway WAN ports used for load balancing VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 216
    ProSafe VPN Firewall 200 FVX538 Reference Manual The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 217
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall, the remote PC
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 218
    ProSafe VPN Firewall 200 FVX538 Reference Manual B-20 Network Planning for Dual WAN Ports v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 219
    Appendix C System Logs and Error Messages This appendix uses the following log parameter terms. Table C-1. Log Parameter Terms Term [FVX538] [kernel] CODE DEST DPT IN OUT PROTO SELF SPT SRC TYPE Description System identifier Message from the kernel. Protocol code (e.g., protocol is ICMP, type 8)
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 220
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-2. System Logs: System Startup Message Explanation Recommended Action Jan 1 15:22:28 [FVX538 [FVX538] [ntpdate] Looking Up time-f.netgear.com Nov 28 12:31:13 [FVX538] [ntpdate] Requesting time from time-f.netgear.com Nov 28 12:31:14 [FVX538]
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 221
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-4. System Logs: NTP (continued) Explanation Recommended Action Message1: DNS resolution for the NTP server (time-f.netgear.com) Message2: request for NTP update from the time server. Message3: Adjust time by re-setting system time. Message4
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 222
    ProSafe VPN Firewall 200 FVX538 Reference Manual IPSec Restart This logging is always done. Table C-7. System Logs: IPSec Restart Message Explanation Recommended Action Jan 23 16:20:44 [FVX538 . If there are two ISP links for Internet connectivity, the VPN firewall can be configured either in
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 223
    ProSafe VPN Firewall 200 FVX538 Reference Manual Auto Rollover When the WAN mode is configured for Auto Rollover, the primary link is active and secondary acts only as a backup. When the primary
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 224
    ProSafe VPN Firewall 200 FVX538 Reference Manual PPP Logs This section describes the WAN PPP connection logs. The PPP type can be configured from the web management. PPPoE Idle-Timeout Logs. Table C-9. System Logs: WAN Status, PPPoE Idle-Timeout Message Explanation
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 225
    ProSafe VPN Firewall 200 FVX538 Reference Manual PPTP Idle-Timeout Logs. Table C-10. System Logs: WAN Status, PPTP Idle-Timeout Message Explanation Nov 29 11:19:02 [FVX538] [pppd] Starting connection Nov 29 11:19:05 [FVX538] [pppd] CHAP authentication succeeded Nov 29 11:19:05 [FVX538] [pppd]
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 226
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-12. System Logs: Web Filtering and Content Filtering Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Jan 23 16:36:35 [FVX538] [
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 227
    ProSafe VPN Firewall 200 FVX538 Reference Manual Traffic Metering Logs Table C-13. System Logs: Traffic Limit Counter. Unicast Logs Table C-14. System Logs: Unicast Message Explanation Recommended Action Nov 24 11:52:55 [FVX538] [kernel] UCAST IN=SELF OUT=WAN SRC=192.168.10.1 DST=192.168.10.10
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 228
    ProSafe VPN Firewall 200 FVX538 Reference Manual Multicast/Broadcast Logs Table C-16. System Logs: Multicast/Broadcast Message Explanation Recommended Action Jan 1 07:24:13 [FVX538] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 • This packet (
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 229
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs: Invalid Packets (continued) Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message Explanation Recommended Action Message 2007 Oct 1 00:44:17 [FVX538] [
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 230
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs: Invalid Packets (continued) packet and disable logging: fw/rules/attackChecks/configure dropInvalid 0 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][REOPEN_CLOSE_CONN][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=TCP
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 231
    ProSafe VPN Firewall 200 FVX538 Reference Manual Table C-18. System Logs: Invalid Packets (continued) Recommended packet and disable logging: fw/rules/attackChecks/configure dropInvalid 0 2007 Oct 1 00:44:17 [FVX538] [kernel] [INVALID][OUT_OF_WINDOW][DROP] SRC=192.168.20.10 DST=192.168.20.2 PROTO=
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 232
    ProSafe VPN Firewall 200 FVX538 Reference Manual LAN to WAN Logs Table C-19. Routing Logs: LAN to WAN Message Explanation Recommended Action Nov 29 09:19:43 [FVX538 WAN to LAN Message Explanation Recommended Action Nov 29 10:05:15 [FVX538] [kernel] WAN2LAN[ACCEPT] IN=WAN OUT=LAN SRC=192.168.1.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 233
    ProSafe VPN Firewall 200 FVX538 Reference Manual DMZ to LAN Logs Table C-23. Routing Logs: DMZ to WAN Message Explanation Recommended Action Nov 29 09:44:06 [FVX538 DMZ Logs Table C-24. Routing Logs: WAN to DMZ Message Explanation Recommended Action Nov 29 09:19:43 [FVX538] [kernel] WAN2DMZ[
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 234
    ProSafe VPN Firewall 200 FVX538 Reference Manual C-16 v1.0, January 2010 System Logs and Error Messages
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 235
    a firewall to protect the networks. As part of the new maintenance firmware release, NETGEAR has implemented a more robust authentication system known as Two-Factor Authentication be added to existing NETGEAR products through a firmware upgrade.
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 236
    ProSafe VPN Firewall 200 FVX538 Reference Manual • Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL theft. NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented 2 Two-Factor Authentication solutions from WiKID. WiKID is the software-based token
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 237
    ProSafe VPN Firewall 200 FVX538 Reference Manual The request-response architecture is capable of self-service initialization by end-users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works. 1. The user launches the WiKID token software, enters the PIN
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 238
    ProSafe VPN Firewall 200 FVX538 Reference Manual Note: The one-time passcode is time synchronized to the authentication server so that the OTP can only be used once and must be used
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 239
    provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document TCP/IP Networking Basics Wireless Networking Basics Preparing Your Network Virtual Private Networking Basics Glossary Link http://documentation
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 240
    ProSafe VPN Firewall 200 FVX538 Reference Manual E-2 Related Documents v1.0, January 2010
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 241
    screen 4-10 Add Mode Config Record screen 5-34 Add Protocol Binding Destination Network 2-12 Service 2-12 address reservation 3-9 Advanced Options MTU Size 2-17 Port Speed 2-17 Router's MAC Address 2-17 ALG 4-23 Allowing Videoconference from Restricted Addresses example of 4-16 Application Level
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 242
    ProSafe VPN Firewall 200 FVX538 Reference Manual line interface 6-16 configuration automatic by DHCP 1-4 Connecting the VPN firewall 2-1 Content 4-30 Content Filtering Service editing 4-26 customized service adding 4-25 Customized Services adding 4-3, 4-25 D Date setting 6-21 date troubleshooting
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 243
    DMZ Port increasing traffic 6-7 DMZ port 1-3 setting up 3-12 DMZ Setup screen 3-12 DMZ WAN Inbound Rule example of 4-17 DMZ WAN B-1 Dual WAN ports Auto-Rollover, configuration of 2-9 Load Balancing, configuration of 2-11 Dynamic DNS configuration of
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 244
    Installation, instructions for 2-1 Interior Gateway Protocol. See IGP. Internet configuration requirements B-3, B-4 configuring the connection manually 2-5 connecting to 2-1 Internet connection configuring 2-2 manual configuration 2-5 Internet service connection types 2-4 Internet Service Provider
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 245
    4-14 LAN Groups menu 3-7 LAN Security Checks 4-21 LAN Setup screen 3-3, 6-36 LAN side bandwidth capacity 6-1 LAN WAN Inbound Rule example of 4-15, 4-16, 4-17 LAN WAN Inbound Services Rules about 4-11 add 4-11 LAN WAN Outbound Rule example of 4-19
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 246
    ProSafe VPN Firewall 200 FVX538 Reference Manual testing Client 5-41 Services field descriptions 4-3 Outbound Services Rules adding 4-10 P package contents 1-5 passwords and login timeout changing 6-8 passwords,restoring 7-7 performance management 6-1 Ping responding to 2-5 troubleshooting
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 247
    of for rules 4-24 protocol numbers assigned 4-24 protocols Routing Information Protocol 1-4 Q QoS 4-3 about 4-26 priority definitions 4-26 shifting traffic mix 6-7 SIP 2.0 support 1-1 Quality of Service. See QoS R rack mounting 1-8 rack mounting
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 248
    4-3 port filtering 4-3 service numbers common protocols 4-24 Services screen 4-25 Session Initiation Protocol. See SIP. Session Limit screen 4-22 Setting Up One-to-One NAT Mapping example of 4-16 Settings Backup & Upgrade screen 6-18 Settings Backup and Firmware Upgrade 6-19 Simple Network
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 249
    ProSafe VPN Firewall 200 FVX538 Reference Manual stealth mode 4-21, 6-5 SYN flood 4-21, 6-5 SysLog Server IP Address 6-25 System log messages C-1 T TCP flood special rule 6-5 TCP/IP network, troubleshooting 7-5 Test Period 2-10 Time setting 6-21 time daylight savings, troubleshooting 7-8
  • Netgear FVX538v2 | FVX538v2 Reference Manual - Page 250
    ProSafe VPN Firewall 200 FVX538 Reference Manual VPN Policy Auto 5-18 Auto generated 5-16 Manual 5-18 VPN Tunnel addresses Dual WAN Port systems 5-2 VPN Tunnel Connection monitoring status 6-34 VPN Tunnels increasing traffic 6-7 VPN tunnels load balancing mode 5-2 rollover mode 5-2 VPN Wizard

ProSafe VPN Firewall 200 FVX538 Reference Manual
NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134
202-10062-10, v1.0, January 2010