NETGEAR ProSafe FVS336G Reference Manual

Dual WAN Gigabit Firewall with SSL & IPsec VPN
ProSafe Dual WAN Gigabit
Firewall with SSL & IPsec
VPN FVS336G Reference
Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
June 2008
202-10257-02
v1.2


Summary of Contents for NETGEAR ProSafe FVS336G

  • Page 1 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA June 2008 202-10257-02 v1.2...
  • Page 2 © 2008 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
  • Page 3 equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
  • Page 4 Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions * are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Page 5 Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
  • Page 7: Table Of Contents

    About This Manual Conventions, Formats, and Scope ...xiii How to Use This Manual ...xiv How to Print this Manual ...xiv Revision History ... xv Chapter 1 Introduction Key Features ...1-1 Dual WAN Ports for Increased Reliability or Outbound Load Balancing ...1-2 Advanced VPN Support for Both IPsec and SSL ...1-2 A Powerful, True Firewall with Content Filtering ...1-3 Autosensing Ethernet Connections with Auto Uplink ...1-3...
  • Page 8 Network Address Translation ...2-12 Classical Routing ...2-12 Configuring Auto-Rollover Mode ...2-13 Configuring Load Balancing ...2-15 Configuring Dynamic DNS (Optional) ...2-17 Configuring the Advanced WAN Options (Optional) ...2-19 Additional WAN Related Configuration ...2-21 Chapter 3 LAN Configuration...
  • Page 9 Configuring Source MAC Filtering ...4-24 Configuring IP/MAC Address Binding Alerts ...4-26 Configuring Port Triggering ...4-27 Setting a Schedule to Block or Allow Specific Traffic ...4-29 Configuring a Bandwidth Profile ...4-30 Configuring Session Limits ...4-32 E-Mail Notifications of Event Logs and Alerts ...4-33 Administrator Tips ...4-33...
  • Page 10 Chapter 6 Virtual Private Networking Using SSL Connections Understanding the Portal Options ...6-1 Planning for SSL VPN ...6-2 Creating the Portal Layout ...6-3 Configuring Domains, Groups, and Users ...6-7 Configuring Applications for Port Forwarding ...6-7 Adding Servers ...6-8 Adding A New Host Name ...6-9...
  • Page 11 Features That Reduce Traffic ...8-2 Features That Increase Traffic ...8-5 Using QoS to Shift the Traffic Mix ...8-8 Tools for Traffic Management ...8-8 Changing Passwords and Administrator Settings ...8-8 Enabling Remote Management Access ...8-10 Using the Command Line Interface ...8-12 Using an SNMP Manager ...8-13...
  • Page 12 Restoring the Default Configuration and Password ...10-7 Problems with Date and Time ...10-7 Using the Diagnostics Utilities ...10-8 Appendix A Default Settings and Technical Specifications Appendix B Related Documents Appendix C Network Planning for Dual WAN Ports...
  • Page 13: About This Manual

    The NETGEAR ® ProSafe™ Dual WAN Gigabit Firewall with SSL & IPsec VPN Reference Manual describes how to install, configure and troubleshoot a ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. The information in this manual is intended for readers with intermediate computer and networking skills.
  • Page 14: How to Use This Manual

    Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death. • Scope. This manual is written for the VPN firewall according to these specifications (Product, Version, Manual Publication Date). For more information about network, Internet, firewall, and VPN technologies, see the links to the...
  • Page 15: Revision History

    • Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com.
  • Page 17: Introduction

    The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems or DSL modems. Dual wide area network (WAN) ports allow you to increase throughput to the Internet by using both ports together, or to maintain a backup connection in case of failure of your primary Internet connection.
  • Page 18: Dual WAN Ports for Increased Reliability or Outbound Load Balancing

    • Easy, web-based setup for installation and management. • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. • Internal universal switching power supply. Dual WAN Ports for Increased Reliability or Outbound Load Balancing The FVS336G has two broadband WAN ports.
  • Page 19: A Powerful, True Firewall with Content Filtering

    – Browser based, platform-independent, remote access through a number of popular browsers, such as Microsoft Internet Explorer or Apple Safari. – Provides granular access to corporate resources based upon user type or group membership.
  • Page 20: Extensive Protocol Support

    Extensive Protocol Support The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to Configuration Requirements” on page •...
  • Page 21: Maintenance and Support

    • VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 22: Front Panel Features

    – ProSafe VPN Client Software – one user license. • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.
  • Page 23: Rear Panel Features

    Table 1-1. LED Descriptions (continued): LAN Ports – SPEED: On (Green); On (Amber). LINK/ACT (Link and Activity): On (Green); Blinking (Green). Rear Panel Features...
  • Page 24: Default IP Address, Login Name, and Password Location

    3. WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors. 4. Cable security lock receptacle. 5. AC power receptacle. Universal AC input (100-240 VAC, 50-60 Hz).
  • Page 25 JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is only required for the SSL VPN portal, not the Web Management Interface. Introduction v1.2, June 2008...
  • Page 27: Connecting the FVS336G to the Internet

    Connecting the FVS336G to the Internet The initial Internet configuration of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN is described in this chapter. This chapter contains the following sections: • “Understanding the Connection Steps” on page 2-1 •...
  • Page 28: Logging into the VPN Firewall Router

    5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See page 2-17. 6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed.
  • Page 29 5. Click Login. The Web Configuration Manager appears, displaying the Router Status menu: Figure 2-2 Connecting the FVS336G to the Internet v1.2, June 2008...
  • Page 30: Navigating the Menus

    Navigating the Menus The Web Configuration Manager menus are organized in a layered structure of main categories and submenus: • Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories.
  • Page 31 1. Select Network Configuration > WAN Settings from the menu. The WAN Settings tabs appear, with the WAN1 ISP Settings tab in view. Figure 2-3 2. Click Auto Detect at the bottom of the menu. Auto Detect will probe the WAN port for a range of connection methods and suggest one that your ISP appears to support.
  • Page 32 b. If Auto Detect senses a connection method that requires input from you, it will prompt you for the information. All methods with their required settings are detailed in the following table.
  • Page 33 A popup window appears, displaying the connection status of WAN port 1. Figure 2-5 The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to this section, or see “Troubleshooting the ISP Connection”...
  • Page 34: Manually Configuring the Internet Connection

    Manually Configuring the Internet Connection Unless your ISP assigns your configuration automatically via DHCP, you will need to obtain configuration parameters from your ISP in order to manually establish an Internet connection.
  • Page 35 a. Select Other (PPPoE). Figure 2-8 b. Configure the following fields: • Account Name. Valid account name for the PPPoE connection. • Domain Name. Name of your ISP’s domain or your domain name if your ISP has assigned one.
  • Page 36 a. Select BigPond Cable. b. Configure the Login Server and Idle Timeout fields. The Login Server is the IP address of the local BigPond Login Server in your area. 8.
  • Page 37: Configuring the WAN Mode (Required for Dual WAN)

    11. Review the Domain Name Server (DNS) Servers options. Figure 2-10 • If your ISP has not assigned any Domain Name Server (DNS) addresses, click Get dynamically from ISP. •...
  • Page 38: Network Address Translation

    If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
  • Page 39: Configuring Auto-Rollover Mode

    To learn the status of the WAN ports, you can view the Router Status page (see Tunnel Connection Status” on page Features” on page 1-6). Configuring Auto-Rollover Mode To use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured.
  • Page 40 Figure 2-11 2. In the Port Mode section, select Auto-Rollover Using WAN port. 3. From the pull-down menu, choose which WAN port will act as the primary link for this mode. 4.
  • Page 41: Configuring Load Balancing

    6. Enter the Failover after count. The WAN interface is considered down after the configured number of queries have failed to elicit a reply. The rollover link is brought up after this. The Failover default is 4 failures.
  • Page 42 3. Click view protocol bindings (if required). The WAN1 Protocol Bindings screen is displayed. Figure 2-12 Enter the following data in the Add Protocol Binding options: a. Service. From the pull-down menu, choose the desired Service or application to be covered by this rule.
  • Page 43: Configuring Dynamic DNS (Optional)

    • Address range. If this option is selected, you must enter the start and finish fields. 4. Click Add to save this rule. The new Protocol Binding Rule will be enabled and added to the Protocol Binding Table for the WAN1 port.
  • Page 44 To configure Dynamic DNS: 1. Select Network Configuration > Dynamic DNS from the main menu and click the Dynamic DNS Configuration tab. The Dynamic DNS Configuration screen is displayed. Figure 2-13 The Current WAN Mode section reports the currently configured WAN mode.
  • Page 45: Configuring the Advanced WAN Options (Optional)

    3. Click the information or registration link in the upper right corner for registration information. Figure 2-14 4. Access the Web site of the DDNS service provider and register for an account (for example, for dyndns.org, go to http://www.dyndns.org).
  • Page 46 2. Click the Advanced link to the right of the tabs. The WAN1 Advanced Options tab is displayed (along with the WAN2 Advanced Options tab). Figure 2-15 3.
  • Page 47: Additional WAN Related Configuration

    The format for the MAC address is 01:23:45:67:89:AB (numbers 0-9 and either uppercase or lowercase letters A-F). If you select Use This MAC Address and then type in a MAC address, your entry will be overwritten.
  • Page 49: LAN Configuration

    This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. This chapter contains the following sections: • “Using the VPN Firewall as a DHCP server” on page 3-1 •...
  • Page 50: Configuring the LAN Setup Options

    The VPN firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP Address from the range you have defined. • Subnet Mask. •...
  • Page 51 Figure 3-1 2. In the LAN TCP/IP Setup section, configure the following settings: • IP Address. The LAN address of your VPN firewall (factory default: 192.168.1.1). Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected.
  • Page 52 3. In the DHCP section, select Enable or Disable DHCP Server. By default, the VPN firewall will function as a DHCP server, providing TCP/IP configuration settings for all computers connected to the VPN firewall's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, click Disable DHCP Server.
  • Page 53: Managing Groups and Hosts (LAN Groups)

    Managing Groups and Hosts (LAN Groups) The Known PCs and Devices table in the LAN Groups menu contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN firewall, or have been discovered by other means.
  • Page 54: Viewing the LAN Groups Database

    • A computer is identified by its MAC address, not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC. Viewing the LAN Groups Database To view the LAN Groups Database, follow these steps: 1.
  • Page 55: Changing Group Names in the LAN Groups Database

    • Action. Allows modification of the selected entry by clicking Edit. Adding Devices to the LAN Groups Database To add devices manually to the LAN Groups Database, follow these steps: 1.
  • Page 56: Configuring DHCP Address Reservation

    1. From the LAN Groups tab, click the Edit Group Names link to the right of the tabs. The Network Database Group Names tab appears. Figure 3-3 2.
  • Page 57: Configuring Multi Home LAN IP Addresses

    Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the VPN firewall.
  • Page 58: Configuring Static Routes

    Tip: The secondary LAN IP address will be assigned to the LAN interface of the VPN firewall and can be used as a gateway by computers on the secondary subnet.
  • Page 59 2. Click Add. The Add Static Route tab is displayed. Figure 3-6 3. Enter a route name for this static route in the Route Name field (for identification and management).
  • Page 60: Configuring Routing Information Protocol (RIP)

    Configuring Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network.
  • Page 61 • Both. The VPN firewall broadcasts its routing table and also processes RIP information received from other routers. • Out Only. The VPN firewall broadcasts its routing table periodically but does not accept RIP information from other routers.
  • Page 63: Firewall Protection And Content Filtering

    Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network. This chapter contains the following sections: • “About Firewall Protection and Content Filtering” on page 4-1 •...
  • Page 64: Using Rules To Block Or Allow Specific Kinds Of Traffic

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks.
  • Page 65: About Services-Based Rules

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual About Services-Based Rules The rules to block traffic are based on the traffic’s category of service. • Outbound Rules (service blocking). Outbound traffic is normally allowed unless the firewall is configured to disallow it.
  • Page 66 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Table 4-1. Outbound Rules (continued) Item Description Action (Select Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be Schedule) used by this rule. • This drop down menu gets activated only when “BLOCK by schedule, otherwise Allow”...
  • Page 67 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Note: See “Configuring Source MAC Filtering” on page 4-24 block outbound traffic from selected PCs that would otherwise be allowed by the firewall. Inbound Rules (Port Forwarding) When the FVS336G uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers.
  • Page 68 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Table 4-2. Inbound Rules Item Description Service Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see Action (Filter) Select the desired action for packets covered by this rule:...
  • Page 69: Viewing The Rules

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Table 4-2. Inbound Rules (continued) Item Description Specifies whether packets covered by this rule are logged. Select the desired action: • Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
  • Page 70: Order Of Precedence For Rules

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Figure 4-1 Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1.
  • Page 71: Creating A Lan Wan Outbound Services Rule

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual To change the Default Outbound Policy, follow these steps: 1. Click the LAN WAN Rules tab, shown in Figure 4-1. 2. Change the Default Outbound Policy by choosing Block Always from the drop-down menu. 3.
  • Page 72: Creating A Lan Wan Inbound Services Rule

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service screen is displayed... Figure 4-2 2. Configure the parameters based on the descriptions in 3.
  • Page 73 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Figure 4-3 2. Configure the parameters based on the descriptions in 3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Inbound Services table.
  • Page 74: Inbound Rules Examples

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 2. Check the box adjacent to the rule, then do any of the following: • Click Enable to enable the rule. The “!” Status icon will turn green. •...
  • Page 75 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-5, CU-SeeMe connections are allowed to a local host only from...
  • Page 76 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual In the example shown in Figure addresses on one WAN interface. The inbound rule instructs the VPN firewall to host an additional public IP address (10.1.0.5) and to associate this address with the Web server on the LAN (at 192.168.1.2).
  • Page 77: Outbound Rules Example

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear. LAN WAN Inbound Rule: Specifying an Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.
  • Page 78 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Although the FVS336G already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for use in defining firewall rules.
  • Page 79: Setting Quality Of Service (Qos) Priorities

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 1. In the Custom Services Table, click the Edit button adjacent to the service you want to edit. The Edit Service screen is displayed. 2. Modify the parameters you wish to change. 3.
  • Page 80: Attack Checks

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual • Normal-Service. No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0. • Minimize-Cost. Used when the data must be transferred over a link that has a low transmission cost.
  • Page 81 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Figure 4-9 3. Check the boxes for the Attack Checks you wish to monitor. The various types of attack checks are listed and defined below. 4. Click Apply to save your settings. The various types of attack checks listed on the Attack Checks screen are: •...
  • Page 82: Blocking Internet Sites (Content Filtering)

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual – Block UDP flood—A UDP flood is a form of denial of service attack in which the attacking machine sends a large number of UDP packets to random ports to the victim host.
  • Page 83 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual • Web Components blocking. You can filter the following Web Component types: Proxy, Java, ActiveX, and Cookies. For example, by enabling Java filtering, “Java” files will be blocked. Certain commonly used web components can be blocked for increased security.
  • Page 84 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Keyword application examples: • If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX. • If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
  • Page 85 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Figure 4-10 2. Select Yes to enable Content Filtering. 3. Click Apply to activate the menu controls. Firewall Protection and Content Filtering 4-23 v1.2, June 2008...
  • Page 86: Configuring Source Mac Filtering

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 4. Select any Web Components you wish to block and click Apply. 5. Select the groups to which Keyword Blocking will apply, then click Enable to activate Keyword blocking (or disable to deactivate Keyword Blocking).
  • Page 87 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Figure 4-11 2. Click Yes to enable Source MAC Filtering. 3. Select the action to be taken on outbound traffic from the listed MAC addresses: – Block this list and permit all other MAC addresses –...
  • Page 88: Configuring Ip/Mac Address Binding Alerts

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Configuring IP/MAC Address Binding Alerts You can configure the FVS336G to drop packets and generate an alert when a device appears to have hijacked or spoofed another device’s IP address. An IP address can be bound to a specific MAC address either by using a DHCP reserved address (see Reservation”...
  • Page 89: Configuring Port Triggering

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 5. To add a manual binding entry, enter the following data in the Add IP/MAC Bindings section: a. Enter a Name for the bound host device. b. Enter the MAC Address and IP Address to be bound. A valid MAC address is six colon- separated pairs of hexadecimal digits (0 to 9 and a to f).
  • Page 90 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Note these restrictions with Port Triggering: • Only one PC can use a port triggering application at any time. • After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC.
  • Page 91: Setting A Schedule To Block Or Allow Specific Traffic

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534). 7. Click Add. The port triggering rule will be added to the Port Triggering Rules table. To check the status of the port triggering rules, click the Status option arrow to the right of the tab on the Port Triggering screen.
  • Page 92: Configuring A Bandwidth Profile

    Figure 4-14 2. Schedule days by selecting either the All Days radio button or the Specific Days radio button. If you selected Specific Days, specify which days. 3.
  • Page 93 1. Select Security from the main menu and Bandwidth Profile from the submenu. The Bandwidth Profile menu will display. Figure 4-15 The List of Bandwidth Profiles displays existing profiles. 2.
  • Page 94: Configuring Session Limits

    d. From the Direction pull-down box, select whether the profile will apply to outbound or inbound traffic. 4. Click Apply. The new bandwidth profile will be added to the list. Configuring Session Limits To prevent one user or group from using excessive system resources, you can limit the total number of IP sessions allowed through the FVS336G for an individual or group.
  • Page 95: E-Mail Notifications Of Event Logs And Alerts

    5. In the pull-down menu, select whether you will limit sessions by percentage or by absolute number. The percentage is computed based on the total connection capacity of the device. When setting a limit based on absolute number, note that some protocols (for example, FTP and RTSP) create two sessions per connection.
  • Page 96 • Block sites (see “Blocking Internet Sites (Content Filtering)” on page 4-20) • Source MAC filtering (see “Configuring Source MAC Filtering”) • Port triggering (see “Configuring Port Triggering” on page 4-34)
  • Page 97: Virtual Private Networking Using Ipsec

    Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections: •...
  • Page 98 Table 5-1. IP Addressing for VPNs in Dual WAN Port Systems. Configuration and WAN IP address: VPN Gateway-to-Gateway (Fixed, Dynamic); VPN Telecommuter (client-to-gateway through a NAT router) (Fixed, Dynamic) a.
  • Page 99 The use of fully qualified domain names is: • Mandatory when the WAN ports are in rollover mode for the VPN tunnels to fail over. • Mandatory when the WAN ports are in load balancing mode and the IP addresses are dynamic (Figure 5-3 on page 5-3) •...
  • Page 100: Configuring An Ipsec Vpn Connection Using The Vpn Wizard

    Configuring an IPsec VPN Connection using the VPN Wizard Configuring a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that will determine the IPsec keys and VPN policies it sets up.
  • Page 101 Figure 5-4 1. Select Gateway as your VPN tunnel connection. The wizard needs to know whether you are planning to connect to a remote gateway or setting up the connection for a remote client PC to establish a secure connection to this device.
  • Page 102 • Both the remote WAN address and your local WAN address are required. When choosing these addresses, follow the guidelines in • The remote WAN IP address must be a public address or the Internet name of the remote gateway.
  • Page 103 Figure 5-5 You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen is displayed. Then view or edit the parameters of the new policy by clicking Edit in the Action column adjacent to the policy.
  • Page 104: Creating A Vpn Tunnel Connection To A Vpn Client

    Figure 5-6 Creating a VPN Tunnel Connection to a VPN Client You can set up multiple remote VPN Client policies through the VPN Wizard by changing the default End Point Information settings created for each policy by the wizard.
  • Page 105 Figure 5-7 5. Select which WAN interface (WAN1 or WAN2) will act as this endpoint of the VPN tunnel. 6. Enter the public Remote WAN IP address of the gateway to which you want to connect. Alternatively, you can provide the Internet name of the gateway.
  • Page 106 Figure 5-8 To view the “home” policy: Click Edit in the Action column adjacent to the “home” policy to view the “home” policy parameters. The Edit VPN Policy screen is displayed. It should not be necessary to make any changes.
  • Page 107 Figure 5-9 You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen is displayed.
  • Page 108 Figure 5-10 To see the detailed settings of the IKE Policy, click the Edit button next to the policy. The Edit IKE Policy tab is displayed. Figure 5-11
  • Page 109: Managing Vpn Tunnel Policies

    Managing VPN Tunnel Policies After you use the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name you selected as the VPN tunnel connection name during Wizard setup identifies both the VPN policy and IKE policy.
  • Page 110: About The Ike Policy Table

    About the IKE Policy Table When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the List of IKE Policies.
  • Page 111 In addition, a Certificate Authority (CA) can also be used to perform authentication (see “Managing Certificates” on page from the CA. For each certificate, there is both a public key and a private key. The public key is freely distributed, and is used by any sender to encrypt data intended for the receiver (the key owner).
  • Page 112: Vpn Tunnel Connection Status

    • Auth. Authentication Algorithm used for the VPN tunnel. The default setting using the VPN Wizard is SHA1. (This setting must match the Remote VPN.) • Encr. Encryption algorithm used for the VPN tunnel. The default setting using the VPN Wizard is 3DES.
  • Page 113: Configuring The Fvs336G

    • NETGEAR ProSafe VPN Client • NAT router: NETGEAR FR114P Configuring the FVS336G 1. Select VPN > IPsec VPN in the main menu. Select the VPN Wizard tab. 2.
  • Page 114 4. Enter the LAN IP Subnet Address and Subnet Mask of the FVS336G LAN. Check the Connect using radio button and choose Secure Gateway Tunnel from the pull-down menu. 5.
  • Page 115: Testing The Connection

    Testing the Connection 1. From your PC, right-click on the VPN client icon in your Windows toolbar and choose Connect..., then My Connections\to_FVG. Within 30 seconds you should receive the message “Successfully connected to My Connections\to_FVG”...
  • Page 116: Configuring Xauth For Vpn Clients

    Configuring XAUTH for VPN Clients Once XAUTH has been enabled, you must establish user accounts on the User Database to be authenticated against XAUTH, or you must enable a RADIUS-CHAP or RADIUS-PAP server. Note: You cannot modify an existing IKE policy to add XAUTH while the IKE policy is in use by a VPN policy.
  • Page 117: User Database Configuration

    – RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the VPN firewall will first check in the user database to see if the user credentials are available.
  • Page 118 Figure 5-13 3. To activate (enable) the Primary RADIUS server, click the Yes radio button. The primary server options become active. 4. Configure the following entries: • Primary RADIUS Server IP address.
  • Page 119: Manually Assigning Ip Addresses To Remote Users (Modeconfig)

    5. Enable a Backup RADIUS Server (if required). 6. Set the Time Out Period, in seconds, that the VPN firewall should wait for a response from the RADIUS server. 7.
  • Page 120: Configuring The Vpn Firewall

    temporary IPsec policy using the template security proposal information configured in the Mode Config record. Note: After configuring a Mode Config record, you must go to the IKE Policies menu and configure an IKE policy using the newly-created Mode Config record as the Remote Host Configuration Record.
  • Page 121 Figure 5-15 5. Enter a descriptive Record Name such as “Sales”. 6. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
  • Page 122 11. Specify the VPN policy settings. These settings must match the configuration of the remote VPN client. Recommended settings are: • SA Lifetime: 3600 seconds • Authentication Algorithm: SHA-1 •...
  • Page 123: Configuring The Prosafe Vpn Client For Modeconfig

    • SA Lifetime: 3600 seconds 7. Enter a Pre-Shared Key that will also be configured in the VPN client. 8. XAUTH is disabled by default. To enable XAUTH, choose one of the following: •...
  • Page 124 d. Check the Connect using radio button and choose Secure Gateway Tunnel from the pull-down menu. e. From the ID Type pull-down menu, choose Domain name and enter the FQDN of the VPN firewall;...
  • Page 125: Configuring Keepalives And Dead Peer Detection

    1. Right-click on the VPN client icon in the Windows toolbar and click Connect. The connection policy you configured will appear; in this case “My Connections\modecfg_test”. 2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” is displayed and the VPN client icon in the toolbar will read “On”.
  • Page 126 3. In the General menu frame of the Edit VPN Policy menu, locate the keepalive configuration settings, as shown in Figure 5-16. Figure 5-16 4. Click the Yes radio button to enable keepalive. 5.
  • Page 127: Configuring Netbios Bridging With Vpn

    3. In the IKE SA Parameters menu frame of the Edit IKE Policy menu, locate the Dead Peer Detection configuration settings, as shown in Figure 5-17. 4. Click the Yes radio button to Enable Dead Peer Detection. 5.
  • Page 128 3. In the General menu frame of the Edit VPN Policy menu, click the Enable NetBIOS check box, as shown in Figure 5-18. Figure 5-18 4. Click Apply at the bottom of the menu.
  • Page 129: Virtual Private Networking Using Ssl Connections

    The FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the FVS336G can authenticate itself to an SSL-enabled client, such as a standard web browser.
  • Page 130: Planning For Ssl Vpn

    firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the VPN firewall, and a virtual network interface is created on the user’s PC.
  • Page 131: Creating The Portal Layout

    When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain.
  • Page 132 Portal Layouts are applied by selecting from available portal layouts in the configuration of a Domain. When you have completed your Portal Layout, you can apply the Portal Layout to one or more authentication domains (see XREF to apply a Portal Layout to a Domain).
  • Page 133 Figure 6-2 3. In the Portal Layout and Theme Name section of the menu, configure the following entries: a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name will be part of the path of the SSL VPN portal URL.
  • Page 134 on login page checkbox to show the banner title and banner message text on the Login screen as shown below. Figure 6-3 As shown in the figure, the banner title text is displayed in the orange header bar. The banner message text is displayed in the grey header bar.
  • Page 135: Configuring Domains, Groups, And Users

    The web cache cleaner will prompt the user to delete all temporary Internet files, cookies and browser history when the user logs out or closes the web browser window. The ActiveX web cache control will be ignored by web browsers that don't support ActiveX.
  • Page 136: Adding Servers

    Adding Servers To configure Port Forwarding, you must define the internal host machines (servers) and TCP applications available to remote users. To add servers, follow these steps: 1.
  • Page 137: Adding A New Host Name

    Table 6-1. Port Forwarding Applications/TCP Port Numbers (continued). TCP Application: POP3 (receive mail); NTP (network time protocol); Citrix; Terminal Services; VNC (virtual network computing). a. Users can specify the port number together with the host name or IP address.
  • Page 138: Configuring The Ssl Vpn Client

    Remote users can now securely access network applications once they have logged into the SSL VPN portal and launched Port Forwarding. Configuring the SSL VPN Client The SSL VPN Client within the FVS336G will assign IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the corporate subnet to the remote VPN tunnel clients.
  • Page 139: Configuring The Client Ip Address Range

    Configuring the Client IP Address Range Determine the address range to be assigned to VPN tunnel clients, then define the address range. To configure the client IP address range: 1.
  • Page 140: Adding Routes For Vpn Tunnel Clients

    VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IP address in the client address range. Adding Routes for VPN Tunnel Clients The VPN Tunnel Clients assume that the following networks are located across the VPN over SSL tunnel: •...
  • Page 141: Using Network Resource Objects To Simplify Policies

    3. If an existing route is no longer needed for any reason, you can delete it. Using Network Resource Objects to Simplify Policies Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies.
  • Page 142 3. In the Service pull-down menu, select the type of service to which the resource will apply: either VPN Tunnel or Port Forwarding. 4. Click Add. The “Operation Successful” message appears at the top of the tab, and the newly-added resource name appears on the List of Resources table.
  • Page 143: Configuring User, Group, And Global Policies

    Configuring User, Group, and Global Policies An administrator can define and apply user, group and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses and to different SSL VPN services.
  • Page 144: Viewing Policies

    • An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2. Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3.
  • Page 145: Adding A Policy

    Adding a Policy To add a policy, follow these steps: 1. Select VPN > SSL VPN from the main menu, and select the Policies tab. The Policies screen will display.
  • Page 146 • If you choose Network Resource, you’ll need to enter a descriptive Policy Name, then choose a Defined Resource and relevant Permission (PERMIT or DENY) from the pull-down menus.
  • Page 147 Figure 6-12 • If you choose All Addresses, you’ll need to enter a descriptive Policy Name, then choose the Service and relevant Permission from the pull-down menus. Figure 6-13 5.
  • Page 149: Managing Users, Authentication, And Certificates

    Managing Users, Authentication, and Certificates This chapter contains the following sections: • “Adding Authentication Domains, Groups, and Users” on page 7-1 • “Managing Certificates” on page 7-8 Adding Authentication Domains, Groups, and Users You must create name and password accounts for all users who will connect to the VPN firewall. This includes administrators and SSL VPN clients.
  • Page 150 Figure 7-1 2. Click Add. The Add Domain screen displays. Figure 7-2 3. Configure the following fields: a. Enter a descriptive name for the domain in the Domain Name field. b.
  • Page 151: Creating A Group

    The required fields are activated in varying combinations according to your selection of Authentication Type: Local User Database, Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory, LDAP. c.
  • Page 152: Creating A New User Account

    Figure 7-3 2. Configure the new group settings in the Add New Group section of the menu: a. Name. Enter a descriptive name for the group. b. Domain. Select the appropriate domain (only for Administrator or SSL VPN User). c.
  • Page 153 Figure 7-4 2. Click Add. The Add User tab screen is displayed. Figure 7-5 3. Configure the following fields: a. User Name. Enter a unique identifier, using any alphanumeric characters. b.
  • Page 154: Setting User Login Policies

    e. Idle Timeout. For an Administrator, this is the period at which an idle user will be automatically logged out of the Web Configuration Manager. 4. Click Apply to save and apply your entries. The new user appears in the List of Users. Setting User Login Policies You can restrict the ability of defined users to log into the Web Configuration Manager.
  • Page 155 To restrict logging in based on IP address: 1. Select the by Source IP Address tab. The by Source IP Address screen will display. Figure 7-7 2. In the Defined Addresses Status section, select: •...
  • Page 156: Managing Certificates

    To restrict logging in based on the user’s browser: 1. Select the by Client Browser tab. The by Client Browser screen will display. Figure 7-8 2. In the Defined Browsers Status section, select: •...
  • Page 157: Viewing And Loading Ca Certificates

    • A public encryption key to be used by clients for encrypting messages to the server. • Information identifying the operator of the server. • A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified absolutely.
  • Page 158: Viewing Active Self Certificates

    To view the VPN Certificates: Select VPN > Certificates from the main menu. The Certificates screen displays. The top section of the Certificates screen displays the Trusted Certificates (CA Certificates). Figure 7-9 When you obtain a self certificate from a CA, you will also receive the CA certificate.
  • Page 159: Obtaining A Self Certificate From A Certificate Authority

    For each self certificate, the following data is listed: • Name. The name you used to identify this certificate. • Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate.
  • Page 160 Figure 7-11 3. Complete the Optional fields, if desired, with the following information: • IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
  • Page 161 5. In the Self Certificate Requests table, click View under the Action column to view the request. Figure 7-13 6. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from “----BEGIN CERTIFICATE REQUEST---”...
  • Page 162: Managing Your Certificate Revocation List (Crl)

    9. Return to the Certificates screen and locate the Self Certificate Requests section. Figure 7-14 10. Select the checkbox next to the certificate request, then click Browse and locate the certificate file on your PC.
  • Page 163 Figure 7-15 The CRL table lists your active CAs and their critical release dates: • CA Identify – The official name of the CA which issued this CRL. •...
  • Page 165: Router And Network Management

    This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The ProSafe Dual WAN Gigabit Firewall with SSL &...
  • Page 166: Features That Reduce Traffic

    • WAN side: 2000 Mbps (load balancing mode, two WAN ports at 1000 Mbps each) or 1000 Mbps (rollover mode, one active WAN port at 1000 Mbps) In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet.
  • Page 167 • ALLOW by schedule, otherwise Block As you define your firewall rules, you can further refine their application according to the following criteria: • LAN Users. These settings determine which computers on your network are affected by this rule.
  • Page 168 Groups and Hosts You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic. The LAN Groups Database is an automatically-maintained list of all known PCs and network devices.
  • Page 169: Features That Increase Traffic

    You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs even in the groups for which keyword blocking has been enabled will still be allowed without any blocking.
  • Page 170 You can control specific inbound traffic (from WAN to LAN). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic.
  • Page 171 • Services. You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services”...
  • Page 172: Using Qos To Shift The Traffic Mix

    Chapter 5, “Virtual Private Networking Using IPsec,” and Chapter 6, “Virtual Private Networking Using SSL Connections,” describe how to use IPsec VPN and SSL VPN. Using QoS to Shift the Traffic Mix The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall.
  • Page 173 Figure 8-1 2. Select the checkbox adjacent to admin in the Name column, then click Edit in the Action column. The Edit User screen is displayed, with the current settings for Administrator displayed in the Select User Type pull-down menu.
  • Page 174: Enabling Remote Management Access

    5. (Optional) To change the idle timeout for an administrator login session, enter a new number of minutes in the Idle Timeout field. 6. Click Apply to save your settings or Reset to return to your previous settings. Note: If the administrator login timeout value is too large, you may have to wait a long time before you are able to log back into the VPN firewall if your previous login was disrupted (for example, if you did not click Logout on the...
  • Page 175 Figure 8-3 2. Click the Yes radio button to enable HTTPS remote management (enabled by default). 3. To enable remote management by the command line interface (CLI) over Telnet, click Yes to Allow Telnet Management, and configure the external IP addresses that will be allowed to connect.
  • Page 176: Using The Command Line Interface

    The VPN firewall’s remote login URL is https://<IP_address> or https://<FullyQualifiedDomainName>. Note: To maintain security, the FVS336G will reject a login that uses http://address rather than the SSL https://address. Note: The first time you remotely connect to the FVS336G with a browser via SSL, you may get a warning message regarding the SSL certificate.
  • Page 177: Using An Snmp Manager

    To access the CLI from a communications terminal when the VPN firewall is still set to its factory defaults (or use your own settings if you have changed them), do the following: 1.
  • Page 178 Figure 8-4 2. Configure the following fields in the Create New SNMP Configuration Entry section: a. Enter the IP Address of the SNMP manager in the IP Address field and the Subnet Mask in the Subnet Mask field.
  • Page 179: Configuration File Management

    Figure 8-5 You can edit the System Contact, System Location, and System name. Configuration File Management The configuration settings of the VPN firewall are stored within the firewall in a configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the user’s PC, or cleared to factory default settings.
  • Page 180 1. Select Administration > Settings Backup and Firmware Upgrade from the main menu. The Settings Backup and Firmware Upgrade screen is displayed. Figure 8-6 2. Click Backup to save a copy of your current settings. •...
  • Page 181: Upgrading The Firmware

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Revert to Factory Default Settings To reset the VPN firewall to the original factory default settings: 1. Click default. 2. You must manually restart the VPN firewall in order for the default settings to take effect. After rebooting, the VPN firewall’s password will be password and the LAN IP address will be 192.168.1.1.
  • Page 182: Configuring Date And Time Service

    ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual 3. Locate the downloaded file and click upload. This will start the software upgrade to your VPN firewall. This may take some time. At the conclusion of the upgrade, your VPN firewall will reboot.
  • Page 183 ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual Figure 8-7 2. From the Date/Time pull-down menu, choose the Local Time Zone. This is required in order for scheduling to work correctly. The VPN firewall includes a real-time clock (RTC), which it uses for scheduling.
  • Page 185: Monitoring System Performance

    This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN ports, LAN ports, and VPN tunnels.
  • Page 186 Figure 9-1 2. Enable the traffic meter by clicking the Yes radio button under Do you want to enable Traffic Metering on WAN1? The traffic meter will record the volume of Internet traffic passing through WAN1.
  • Page 187 Note: Both incoming and outgoing traffic are included in the limit. • Increase this month limit by. Temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Select the checkbox and enter the desired increase.
  • Page 188: Activating Notification Of Events And Alerts

    Activating Notification of Events and Alerts The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For example, your VPN firewall will log security-related events such as: accepted and dropped packets on different segments of your LAN;...
  • Page 189 Figure 9-2 7. To respond to IDENT protocol messages, check the Respond to Identd from SMTP Server box. The Ident Protocol is a weak scheme to verify the sender of e-mail (a common daemon program for providing the ident service is identd).
  • Page 190: Viewing Firewall Logs

    8. Enter a Schedule for sending the logs. From the Unit pull-down menu, choose: Never, Hourly, Daily, or Weekly. Then set the Day and Time fields that correspond to your selection. 9.
  • Page 191: Viewing Router Configuration And System Status

    Log entries are described in Table 9-1. Table 9-1. Firewall Logs Field Descriptions: Date and Time: The date and time the log entry was recorded. Description or Action: The type of event and what action was taken, if any.
  • Page 192 Figure 9-3 The following information is displayed: System Name: This is the Account Name that you entered in the Basic Settings page. Firmware Version: This is the current software the router is using. This will change if you upgrade your router.
  • Page 193: Monitoring The Status Of Wan Ports

    WAN1 Configuration: Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also is displayed if: •...
  • Page 194: Monitoring Attached Devices

    Figure 9-4 Monitoring Attached Devices The LAN Groups screen contains a table of all IP devices that the VPN firewall has discovered on the local network. To view the LAN Groups screen: 1.
  • Page 195 Figure 9-5 The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed (Table 9-2).
  • Page 196: Reviewing The Dhcp Log

    Reviewing the DHCP Log To review the most recent entries in the DHCP log: 1. Select Network Configuration > LAN Settings from the main menu, and then click the LAN Setup tab.
  • Page 197: Viewing Port Triggering Status

    To display the list of active users: 1. Select Monitoring > Active Users from the main menu. The Active Users screen is displayed. Figure 9-8 The active user’s username, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in.
  • Page 198: Monitoring Vpn Tunnel Connection Status

    2. When the Port Triggering screen is displayed, click the Status link to the right of the tab to display the Port Triggering Status. Figure 9-10 The status window displays the following information: Item Description Rule...
  • Page 199: Reviewing The Vpn Logs

    The Active IPsec SAs table lists each active connection with the following information. Policy Name: The name of the VPN policy associated with this SA. Endpoint: The IP address on the remote VPN endpoint.
  • Page 200 1. Select Monitoring > VPN Logs from the main menu, and select the IPsec VPN Logs tab. The IPsec VPN Logs screen will display. Figure 9-13 2. To view the most recent entries, click refresh log. To delete all the existing log entries, click clear log.
  • Page 201: Troubleshooting

    This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. After each problem description, instructions are provided to help you diagnose and solve the problem. This chapter contains the following sections: •...
  • Page 202: Power Led Not On

    Power LED Not On If the Power and other LEDs are off when your VPN firewall is turned on: • Make sure that the power cord is properly connected to your VPN firewall and that the power supply adapter is properly connected to a functioning power outlet.
  • Page 203: Troubleshooting The Web Configuration Interface

    Troubleshooting the Web Configuration Interface If you are unable to access the VPN firewall’s Web Configuration interface from a PC on your local network, check the following: •...
  • Page 204: Troubleshooting The Isp Connection

    • When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost. • Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
  • Page 205: Troubleshooting A Tcp/Ip Network Using A Ping Utility

    • Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address. In this case: – Inform your ISP that you have bought a new network device, and ask them to use the VPN firewall’s MAC address;...
  • Page 206: Testing The Path From Your Pc To A Remote Device

    Reply from <IP address>: bytes=32 time=NN ms TTL=xxx If the path is not working, you will see this message: Request timed out If the path is not functioning correctly, you could have one of the following problems: •...
  • Page 207: Restoring The Default Configuration And Password

    • Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
  • Page 208: Using The Diagnostics Utilities

    • Time is off by one hour. Cause: The VPN firewall does not automatically sense Daylight Savings Time. Check the Time Zone menu, and check or uncheck the box marked “Adjust for Daylight Savings Time”.
  • Page 209 Table 10-1. Diagnostics. Ping or trace an IP address: Ping – Used to send a ping packet request to a specified IP address, most often to test a connection.
  • Page 211: Default Settings And Technical Specifications

    Default Settings and Technical Specifications You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly).
  • Page 212 Table A-1. VPN firewall Default Configuration Settings (continued). Features: Time Zone; Time Zone Adjusted for Daylight Saving Time; SNMP; Remote Management; Firewall: Inbound (communications coming in from the Internet), Outbound (communications from the LAN to the Internet)
  • Page 213 Table A-2. VPN firewall Technical Specifications (continued). Environmental Specifications: Operating temperature, Operating humidity. Electromagnetic Emissions: Meets requirements of. Interface Specifications: LAN, WAN. Table A-3. SSL VPN Technical Specifications (Parameter, Specification): Network Management...
  • Page 215: Appendix B Related Documents

    This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document Internet Networking and TCP/IP Addressing: Wireless Communications: Preparing a Computer for Network Access: Virtual Private Networking (VPN): Glossary Related Documents...
  • Page 217: Network Planning For Dual Wan Ports

    Network Planning for Dual WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has dual WAN ports. This appendix contains the following sections: • “What You Will Need to Do Before You Begin” on page C-1 •...
  • Page 218 – For rollover mode, protocol binding does not apply. – For load balancing mode, decide which protocols should be bound to a specific WAN port (you will make these selections in (Required for Dual WAN)”...
  • Page 219: Cabling And Computer Hardware Requirements

    • The VPN firewall is capable of being managed remotely, but this feature must be enabled locally after each factory default reset. You are strongly advised to change the default management password to a strong password before enabling remote management.
  • Page 220: Internet Configuration Requirements

    Internet Configuration Requirements Depending on how your ISPs set up your Internet accounts, you will need one or more of these configuration parameters to connect your firewall to the Internet: •...
  • Page 221: Internet Connection Information Form

    Internet Connection Information Form Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP.
  • Page 222: Overview Of The Planning Process

    Overview of the Planning Process The areas that require planning when using a firewall that has dual WAN ports include: • Inbound traffic (port forwarding, port triggering) •...
  • Page 223: The Roll-Over Case For Firewalls With Dual Wan Ports

    The Roll-over Case for Firewalls With Dual WAN Ports Rollover (Figure C-2) for the dual WAN port case is different from the single gateway WAN port case when specifying the IP address. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes.
  • Page 224: Inbound Traffic

    Inbound Traffic Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu.
  • Page 225 Inbound Traffic: Dual WAN Ports for Improved Reliability In the dual WAN port case with rollover rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (i.e., WAN1 or WAN2).
  • Page 226: Virtual Private Networks (Vpns

    Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table C-2.
  • Page 227: Vpn Road Warrior (Client-To-Gateway

    Figure C-7 • Load Balancing Case for Dual Gateway WAN Ports Load balancing (Figure C-8) for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point.
  • Page 228 VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall (Figure C-9), the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance.
  • Page 229 The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
  • Page 230: Vpn Gateway-To-Gateway

    Figure C-12 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
  • Page 231 Figure C-13 The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
  • Page 232 The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
  • Page 233: Vpn Telecommuter (Client-To-Gateway Through A Nat Router

    VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to manage the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
  • Page 234 VPN Telecommuter: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN firewall (Figure C-17), the remote PC client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance.
  • Page 235 The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
  • Page 236 VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing In the case of the dual WAN ports on the gateway VPN firewall (Figure C-20), the remote PC client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote NAT router is not known in advance.
  • Page 237: Index

    access remote management 8-10 ActiveX web cache control 6-6 Add LAN WAN Inbound Service 4-10 Add LAN WAN Outbound Service 4-10 Add Mode Config Record screen 5-24 Add Protocol Binding Destination Network 2-16 Service 2-16 Add Resource Addresses menu 6-14 Adding 4-15 address reservation 3-8 administrator login timeout 8-10...
  • Page 238 by Telnet 8-11 command line interface 8-12, 8-13 configuration automatic by DHCP 1-4 connecting the VPN firewall 2-1 Connection Status VPN Tunnels 5-16 Content 4-20 Content Filtering 4-1 about 4-20 Block Sites 4-20 enabling 4-22...
  • Page 239 Dual WAN Ports features of 1-2 Dual WAN ports Auto-Rollover, configuration of 2-13 inbound traffic C-8 Load Balancing, configuration of 2-15 load balancing, inbound traffic C-9 network planning C-1 Dynamic DNS configuration of 2-17 Dynamic DNS Configuration screen 2-17, 2-18...
  • Page 240 IGP 3-12 IKE Policies menu 5-11 IKE Policy about 5-13 management of 5-13 ModeConfig, configuring with 5-26 XAUTH, adding to 5-20 Inbound Rules default definition 4-2 field descriptions 4-6 order of precedence 4-8 Port Forwarding 4-3, 4-5 rules for use 4-5...
  • Page 241 example of 4-13 LAN WAN Rules default outbound 4-8 lease time 3-4 LEDs explanation of 1-6 troubleshooting 10-2 Load Balancing bandwidth capacity 8-2 configuration of 2-15 definition of 2-12 use with DDNS 2-17 view protocol bindings 2-16 logging in...
  • Page 242 adding 4-9 modifying 4-11 Outbound Services field descriptions 4-3 package contents 1-5 packet capture 10-9 passwords and login timeout changing 8-8 passwords, restoring 10-7 performance management 8-1, 9-1 Ping troubleshooting TCP/IP 10-5 ping 10-9...
  • Page 243 in LAN groups database 3-7 restrictions 3-7 resources defining 6-13 restore saved settings 8-15 retry interval 2-14 Return E-mail Address 9-4 RFC 1349 4-17 RFC1700 protocol numbers 4-15 about 3-12 advertising static routes 3-11 configuring parameters 3-12...
  • Page 244 Add Protocol Binding 2-16 Specifying an Exposed Host example of 4-15 split tunnel configuring 6-11 description 6-10 spoof MAC address 10-5 SSL VPN Client description 6-2 SSL VPN Logs 9-16 Starting IP Address DHCP Address Pool 3-4 Stateful Packet Inspection...
  • Page 245 rollover, with dual WAN ports C-7 telecommuter, about C-17 telecommuter, Dual gateway C-18 telecommuter, single gateway C-18 VPN Client configuring 5-8 configuring PC, example 5-17 VPN Wizard example 5-17 VPN firewall connecting 2-1 VPN Logs screen 9-15...

This manual is also suitable for:

Fvs336g-100nas