Home » Netgear Manuals » Network Security & Firewall Devices » Netgear FVX538v2 » Manual Viewer

Netgear FVX538v2 FVX538v2 Reference Manual - Page 34

Auto-Rollover Mode, WAN Failure Detection Method, Load Balancing Mode, Classical Routing, Viewing

Add to My Manuals
Save this manual to your list of manuals

Page 34 highlights

ProSafe VPN Firewall 200 FVX538 Reference Manual The VPN firewall supports the following modes: • Auto-Rollover Mode. In this mode, the selected WAN interface is made primary and the other is the rollover link. As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once the original primary link is back up and running again. If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover. • Load Balancing Mode. In this mode the VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. Note: Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. Here the traffic needs to go on a specific WAN interface. This is done with the protocol binding rules of that WAN interface. The rule should match the desired traffic. For both alternatives, you must also set up Network Address Translation (NAT): • NAT. NAT is the technology which allows all PCs on your LAN to share a single Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet. - The VPN firewall uses NAT to select the correct PC (on your LAN) to receive any incoming data. - If you only have a single Internet IP address, you MUST use NAT. NAT is the default setting. • Classical Routing. In this mode, the VPN firewall performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid Internet IP address. If your ISP has allocated many IP addresses to you, and you have assigned one of these addresses to each PC, you can choose Classical Routing. Or, you can use Classical Routing for routing private IP addresses within a campus environment. Otherwise, selecting this method will not allow Internet access through this VPN firewall. To learn the status of the WAN ports, you can view the Router Status screen (see "Viewing the VPN Firewall Configuration and System Status" on page 6-30) or look at the LEDs on the front panel (see "VPN Firewall Front and Rear Panels" on page 1-6). 2-8 Connecting the VPN Firewall to the Internet v1.0, January 2010

Section	Page
ProSafe VPN Firewall 200 FVX538 Reference Manual	1
Contents	7
About This Manual	13
Conventions, Formats and Scope	13
How to Print This Manual	14
Revision History	14
Chapter 1 Introduction	17
Key Features	17
Dual WAN Ports for Increased Reliability or Outbound Load Balancing	18
A Powerful, True Firewall with Content Filtering	18
Security Features	19
Autosensing Ethernet Connections with Auto Uplink	19
Extensive Protocol Support	20
Easy Installation and Management	20
Maintenance and Support	21
Package Contents	21
VPN Firewall Front and Rear Panels	22
Rack Mounting Hardware	24
The VPN Firewall’s IP Address, Login Name, and Password	25
Qualified Web Browsers	26
Chapter 2 Connecting the VPN Firewall to the Internet	27
Understanding the Connection Steps	27
Logging into the VPN Firewall	28
Configuring the Internet Connections to Your ISPs	28
Setting the VPN Firewall’s MAC Address	31
Manually Configuring Your Internet Connection	31
Configuring the WAN Mode (Required for Dual WAN)	33
Setting Up Auto-Rollover Mode	35
Setting Up Load Balancing	37
Configuring Dynamic DNS (Optional)	40
Configuring the Advanced WAN Options (Optional)	42
Additional WAN Related Configuration	43
Chapter 3 LAN Configuration	45
Choosing the VPN Firewall DHCP Options	45
Configuring the LAN Setup Options	46
Managing Groups and Hosts (LAN Groups)	50
Creating the Network Database	50
Viewing the Network Database	51
Adding Devices to the Network Database	52
Changing Group Names in the LAN Groups Database	53
Setting Up DHCP Address Reservation	53
Configuring Multi Home LAN IP Addresses	54
Configuring and Enabling the DMZ Port	55
Configuring Static Routes	58
Static Route Example	60
Configuring Routing Information Protocol (RIP)	60
Chapter 4 Firewall Protection and Content Filtering	63
About Firewall Protection and Content Filtering	63
Using Rules to Block or Allow Specific Kinds of Traffic	64
Services-Based Rules	65
Outbound Rules (Service Blocking)	65
Inbound Rules (Port Forwarding)	67
Viewing Rules and Order of Precedence for Rules	69
Configuring LAN WAN Rules	71
LAN WAN Outbound Services Rules	72
LAN WAN Inbound Services Rules	73
Configuring DMZ WAN Rules	74
Configuring LAN DMZ Rules	75
Inbound Rules Examples	77
LAN WAN Inbound Rule: Hosting a Local Public Web Server	77
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses	78
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping	78
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host	79
Outbound Rules Example	81
LAN WAN Outbound Rule: Blocking Instant Messenger	81
Configuring Other Firewall Features	81
Attack Checks	82
Setting Session Limits	84
Managing the Application Level Gateway for SIP Sessions	85
Creating Services, QoS Profiles, and Bandwidth Profiles	86
Adding Customized Services	86
Modifying a Service	88
Specifying Quality of Service (QoS) Priorities	88
Creating Bandwidth Profiles	89
Setting a Schedule to Block or Allow Specific Traffic	91
Blocking Internet Sites (Content Filtering)	92
Configuring Source MAC Filtering	95
Configuring IP/MAC Address Binding	97
Configuring Port Triggering	99
E-Mail Notifications of Event Logs and Alerts	102
Administrator Tips	102
Chapter 5 Virtual Private Networking	103
Considerations for Dual WAN Port Systems	103
Using the VPN Wizard for Client and Gateway Configurations	105
Creating Gateway to Gateway VPN Tunnels with the Wizard	105
Creating a Client to Gateway VPN Tunnel	108
Use the VPN Wizard Configure the Gateway for a Client Tunnel	109
Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection	110
Testing the Connections and Viewing Status Information	114
NETGEAR VPN Client Status and Log Information	114
VPN Firewall VPN Connection Status and Logs	116
Managing VPN Policies	118
Configuring IKE Policies	118
The IKE Policies Screen	119
Configuring VPN Policies	120
The VPN Policies Screen	120
Managing Certificates	121
Viewing and Loading CA Certificates	123
Viewing Active Self Certificates	124
Obtaining a Self Certificate from a Certificate Authority	124
Managing your Certificate Revocation List (CRL)	127
Extended Authentication (XAUTH) Configuration	128
Configuring XAUTH for VPN Clients	129
User Database Configuration	131
RADIUS Client Configuration	132
Assigning IP Addresses to Remote Users (ModeConfig)	134
Mode Config Operation	134
Configuring Mode Config Operation on the VPN Firewall	135
Configuring the Mode Config Screen	135
Configuring an IKE Policy for Mode Config Operation	137
Configuring the ProSafe VPN Client for ModeConfig	140
Testing the Mode Config Connection	143
Configuring Keepalives and Dead Peer Detection	144
Configuring Keepalives	144
Configuring Dead Peer Detection	145
Configuring NetBIOS Bridging with VPN	146
Chapter 6 VPN Firewall and Network Management	147
Performance Management	147
Bandwidth Capacity	147
VPN Firewall Features That Reduce Traffic	148
Service Blocking	148
Blocking Sites	150
Source MAC Filtering	150
VPN Firewall Features That Increase Traffic	150
Port Forwarding	151
Port Triggering	152
DMZ Port	153
VPN Tunnels	153
Using QoS to Shift the Traffic Mix	153
Tools for Traffic Management	154
Configuring Users, Administrative Settings, and Remote Management	154
Changing Passwords and Settings	154
Adding External Users	156
Configuring an External Server for Authentication	157
Enabling Remote Management Access	160
Using an SNMP Manager	162
Managing the Configuration File	164
Backing Up Settings	165
An Alert screen will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.	166
Reverting to Factory Default Settings	166
Upgrading the Firmware	166
Configuring Date and Time Service	167
Monitoring System Performance	169
Activating Notification of Events and Alerts	169
Viewing the Logs	172
Enabling the Traffic Meter	173
Viewing the VPN Firewall Configuration and System Status	176
Monitoring VPN Firewall Statistics	177
Monitoring WAN Ports Status	178
Monitoring Attached Devices	179
Monitoring VPN Tunnel Connection Status	180
Viewing the VPN Logs	181
Viewing the DHCP Log	182
Viewing Port Triggering Status	182
Chapter 7 Troubleshooting	185
Basic Functions	185
Power LED Not On	186
LEDs Never Turn Off	186
LAN or Internet Port LEDs Not On	186
Troubleshooting the Web Configuration Interface	187
Troubleshooting the ISP Connection	188
Troubleshooting a TCP/IP Network Using a Ping Utility	189
Testing the LAN Path to Your VPN Firewall	189
Testing the Path from Your PC to a Remote Device	190
Restoring the Default Configuration and Password	191
Problems with Date and Time	191
Using the Diagnostics Utilities	192
Appendix A Default Settings and Technical Specifications	195
Appendix B Network Planning for Dual WAN Ports	199
What You Will Need to Do Before You Begin	199
Cabling and Computer Hardware Requirements	201
Computer Network Configuration Requirements	201
Internet Configuration Requirements	201
Where Do I Get the Internet Configuration Parameters?	202
Internet Connection Information Form	202
Overview of the Planning Process	203
Inbound Traffic	203
Virtual Private Networks (VPNs)	204
The Roll-over Case for Firewalls With Dual WAN Ports	204
The Load Balancing Case for Firewalls With Dual WAN Ports	205
Inbound Traffic	205
Inbound Traffic to Single WAN Port (Reference Case)	205
Inbound Traffic to Dual WAN Port Systems	206
Inbound Traffic: Dual WAN Ports for Improved Reliability	206
Inbound Traffic: Dual WAN Ports for Load Balancing	207
Virtual Private Networks (VPNs)	207
VPN Road Warrior (Client-to-Gateway)	209
VPN Road Warrior: Single Gateway WAN Port (Reference Case)	209
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability	210
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing	211
VPN Gateway-to-Gateway	212
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)	212
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability	213
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing	214
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	214
VPN Telecommuter: Single Gateway WAN Port (Reference Case)	215
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability	215
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing	217
Appendix C System Logs and Error Messages	219
System Log Messages	219
System Startup	219
Reboot	220
NTP	220
Login/Logout	221
Firewall Restart	221
IPSec Restart	222
WAN Status	222
Load Balancing	222
Auto Rollover	223
PPP Logs	224
Web Filtering and Content Filtering Logs	225
Traffic Metering Logs	227
Unicast Logs	227
ICMP Redirect Logs	227
Multicast/Broadcast Logs	228
FTP Logging	228
Invalid Packet Logging	228
Routing Logs	231
LAN to WAN Logs	232
LAN to DMZ Logs	232
DMZ to WAN Logs	232
WAN to LAN Logs	232
DMZ to LAN Logs	233
WAN to DMZ Logs	233
Appendix D Two Factor Authentication	235
Why do I need Two-Factor Authentication?	235
What are the benefits of Two-Factor Authentication?	235
What is Two-Factor Authentication	236
NETGEAR Two-Factor Authentication Solutions	236
Appendix E Related Documents	239

Match case Limit results 1 per page

ProSafe VPN Firewall 200 FVX538 Reference Manual

2-8

Connecting the VPN Firewall to the Internet

v1.0, January 2010

The VPN firewall supports the following modes:

•

Auto-Rollover Mode

. In this mode, the selected WAN interface is made primary and the other

is the rollover link. As long as the primary link is up, all traffic is sent over the primary link.

Once the primary WAN interface goes down, the rollover link is brought up to send the traffic.

Traffic will automatically roll back to the original primary link once the original primary link

is back up and running again.

If you want to use a redundant ISP link for backup purposes, select the WAN port that will act

as the primary link for this mode. Ensure that the backup WAN port has also been configured

and that you configure the

WAN Failure Detection Method

to support Auto-Rollover.

•

Load Balancing Mode

. In this mode the VPN firewall distributes the outbound traffic equally

among the WAN interfaces that are functional.

For both alternatives, you must also set up Network Address Translation (NAT):

•

NAT

NAT is the technology which allows all PCs on your LAN to share a single Internet IP

address. From the Internet, there is only a single device (the VPN firewall) and a single IP

address. PCs on your LAN can use any private IP address range, and these IP addresses are not

visible from the Internet.

–

The VPN firewall uses NAT to select the correct PC (on your LAN) to receive any

incoming data.

–

If you only have a single Internet IP address, you MUST use NAT.

NAT is the default setting.

•

Classical Routing

In this mode, the VPN firewall performs routing, but without NAT. To gain

Internet access, each PC on your LAN must have a valid Internet IP address.

If your ISP has allocated many IP addresses to you, and you have assigned one of these

addresses to each PC, you can choose Classical Routing. Or, you can use Classical Routing for

routing private IP addresses within a campus environment. Otherwise, selecting this method

will not allow Internet access through this VPN firewall.

To learn the status of the WAN ports, you can view the Router Status screen (see

“Viewing the

VPN Firewall Configuration and System Status” on page 6-30

) or look at the LEDs on the front

panel (see

“VPN Firewall Front and Rear Panels” on page 1-6

Note:

Scenarios could arise when load balancing needs to be bypassed for certain

traffic or applications. Here the traffic needs to go on a specific WAN

interface. This is done with the protocol binding rules of that WAN interface.

The rule should match the desired traffic.