NETGEAR ProSafe FVS336Gv2 Reference Manual

ProSAFE Dual WAN Gigabit SSL
VPN Firewall
Model FVS336Gv2
Reference Manual
December 2014
202-10619-03
350 East Plumeria Drive
San Jose, CA 95134
USA

Summary of Contents for NETGEAR ProSafe FVS336Gv2

  • Page 1 ProSAFE Dual WAN Gigabit SSL VPN Firewall Model FVS336Gv2 Reference Manual December 2014 202-10619-03 350 East Plumeria Drive San Jose, CA 95134...
  • Page 2 See the regulatory compliance document before connecting the power supply. Trademarks NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice.
  • Page 3: Table Of Contents

    Contents Chapter 1 Get an Overview of the Features and Hardware and Log In What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall?....13 Key Features and Capabilities .
  • Page 4 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Method for IPv4 Interfaces......... 56 Manage Secondary IPv4 WAN Addresses .
  • Page 5 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Chapter 4 Configure the IPv4 LAN Settings Manage IPv4 Virtual LANs and DHCP Options ......115 IPv4 LANs and VLANs.
  • Page 6 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage a Stateful DHCPv6 Server and IPv6 Address Pools for the DMZ. 197 Manage Static IPv6 Routing ......... 204 Add a Static IPv6 Route .
  • Page 7 Test the NETGEAR ProSAFE VPN Client VPN Tunnel Connection ..361 NETGEAR ProSAFE VPN Client Status and Log Information ... . . 362 View the VPN Firewall IPSec VPN Connection Status and Terminate or Establish Tunnels .
  • Page 8 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Test the Mode Config Connection ........408 Change a Mode Config Record .
  • Page 9 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage User Login Policies ........504 Change Passwords and Automatic Logout Period .
  • Page 10 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 View the Attached Devices ........599 View the DHCP Log .
  • Page 11 What Is Two-Factor Authentication?....... . 662 NETGEAR Two-Factor Authentication Solutions......663 Appendix D Default Settings and Technical Specifications Factory Default Settings .
  • Page 12 This chapter provides an overview of the features and capabilities of the NETGEAR ProSAFE ® Dual WAN Gigabit SSL VPN Firewall for model FVS336Gv2 and explains how to log in to the device and use its web management interface. The chapter contains the following sections: •...
  • Page 13: What Is The Prosafe Dual Wan Gigabit Ssl Vpn Firewall

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall? The ProSAFE Dual WAN Gigabit SSL VPN Firewall, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable or DSL modems or satellite or wireless Internet dishes.
  • Page 14: Two Wan Ports For Increased Reliability And Load Balancing

    Advanced IPSec VPN and SSL VPN support with support for up to 25 concurrent IPSec VPN tunnels and up to 10 concurrent SSL VPN tunnels • Bundled with a single-user license of the NETGEAR ProSAFE VPN Client software (VPN01L) •...
  • Page 15: Advanced Vpn Support For Both Ipsec And Ssl

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Advanced VPN Support for Both IPSec and SSL The VPN firewall supports IPSec and SSL virtual private network (VPN) connections: • IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters.
  • Page 16: Security Features

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Security Features The VPN firewall is equipped with several features designed to maintain security: • Computers hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
  • Page 17: Easy Installation And Management

    Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the VPN firewall: • Flash memory for firmware upgrades.
  • Page 18: Package Contents

    Application notes and other helpful information ProSAFE VPN Client software (VPN01L) If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Hardware Features The front panel ports and LEDs, back panel ports, and bottom label of the VPN firewall are described in the following sections: •...
  • Page 19 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Left WAN LEDs Left LAN LEDs Power LED DMZ LED Test LED Right LAN LEDs Right WAN LEDs Internet LEDs Figure 1. Front panel Table 1. LED descriptions Activity Description Power Green Power is supplied to the VPN firewall.
  • Page 20: Back Panel

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Table 1. LED descriptions (continued) Activity Description WAN Ports Left LED Green The WAN port has a valid connection with a device that provides an Internet connection. Blinking green The WAN port receives or transmits data.
  • Page 21: Bottom Panel With Product Label

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Factory Defaults reset button. To reset the VPN firewall to factory default settings, use a sharp object to press and hold this button for about eight seconds until the front panel Test LED blinks.
  • Page 22: Rack-Mount The Vpn Firewall With The Mounting Kit

    Before you can log in to the VPN firewall, install the VPN firewall in your network by connecting the cables and restarting your network according to the instructions in the ProSAFE Dual WAN Gigabit SSL VPN Firewall FVS336Gv2 Installation Guide. You can download a PDF of this guide from downloadcenter.netgear.com.
  • Page 23: Web Management Interface Overview

    Web Management Interface Overview The following figure shows the menu at the top of the web management interface: IP radio buttons First Level: Main navigation menu link (orange) Option arrows: Second level: Configuration menu link (gray)
  • Page 24: Requirements For Entering Ip Addresses

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Both radio buttons are disabled. IP functionality does not apply. The bottom of each screen provides action buttons. The nature of a screen determines which action buttons are shown. Most screens and sections of screens provide an accompanying help screen. To open the help screen, click the icon.
  • Page 25 To log in to the VPN firewall: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 26: Change The Password For The Default Administrator Account

    You are now ready to configure the VPN firewall for your specific network environment. However, NETGEAR recommends that you first change the password for the default administrator account to a secure password. Change the Password for the Default Administrator...
  • Page 27 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Select Users > Users. The Users screen displays. In the List of Users table, click the Edit button for the admin default user. The Edit Users screen displays. Select the Check to Edit Password check box.
  • Page 28: Chapter 2 Configure The Ipv4 Internet And Wan Settings

    Configure the IPv4 Internet and WAN Settings This chapter explains how to configure the IPv4 Internet and WAN settings. The chapter contains the following sections: • Roadmap to Setting Up IPv4 Internet Connections to Your ISPs • Configure the IPv4 Internet Connection and WAN Settings •...
  • Page 29: Roadmap To Setting Up Ipv4 Internet Connections To Your Isps

    Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall to protect the network from incoming threats and provide secure connections. To complement the firewall protection, NETGEAR recommends that you use a gateway security appliance such as a NETGEAR ProSECURE® STM appliance.
  • Page 30: Configure The Ipv4 Internet Connection And Wan Settings

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 This task is described in Manage Dynamic DNS Connections on page 63. (Optional) Configure advanced WAN options. If necessary, change the factory default MTU size, port speed and duplex settings, advertised MAC address of the VPN firewall, and WAN connection type and corresponding upload and download connection speeds.
  • Page 31 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note the following about NAT: • The VPN firewall uses NAT to select the correct computer (on your LAN) to receive any incoming data. • If you have only a single public Internet IP address, you must use NAT (the default setting).
  • Page 32: Let The Vpn Firewall Automatically Detect And Configure An Ipv4 Internet Connection

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the NAT (Network Address Translation) section, select the NAT radio button or the Classical Routing radio button. WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.
  • Page 33 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: If your ISP requires MAC authentication and another MAC address was previously registered with your ISP, you must configure that MAC address on the VPN firewall (see Change the Advertised MAC Address of the VPN Firewall on page 70) before you begin the following procedure.
  • Page 34 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Failure Detection Method. The failure detection method that is active for the WAN interface (see Configure the Auto-Rollover Mode and Failure Detection Method for IPv4 Interfaces on page 56). Any of the following methods can be displayed: None, DNS Lookup (WAN DNS Servers), DNS Lookup (the configured IP address is displayed), or PING (the configured IP address is displayed).
  • Page 35 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Auto Detect button. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of the following results: •...
  • Page 36: Manually Configure A Static Ipv4 Internet Connection

    The Connection Status screen shows a valid IP address and gateway. You are connected to the Internet. For more information about the connection status, see View the WAN Port Status and Terminate or Establish the Internet Connection on page 594.
  • Page 37 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 38 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description IP Subnet Mask The subnet mask is usually provided by your ISP. Gateway IP Address The IP address of the ISP’s gateway is usually provided by your ISP. Locate the Domain Name Server (DNS) Servers section.
  • Page 39: Manually Configure A Pppoe Ipv4 Internet Connection

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The VPN firewall attempts to make a connection according to the settings that you entered. Verify the connection: a. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup screen displays the IPv4 settings.
  • Page 40 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: If your ISP requires MAC authentication and another MAC address was previously registered with your ISP, you must configure that MAC address on the VPN firewall (see Change the Advertised MAC Address of the VPN Firewall on page 70) before you begin the following procedure.
  • Page 41 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the login name in the Login field and the password in the Password field. This information is provided by your ISP and is specific for the PPPoE service. In the ISP Type section, select the Other (PPPoE) radio button.
  • Page 42 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Configure the IP address settings as described in the following table. Setting Description Select an IP address radio button: • Get Dynamically from ISP. Select this radio button if your ISP has not assigned you a static IP address.
  • Page 43 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To configure an automatic connection reset, specify the settings as described in the following table. Setting Description Select the Connection Reset check box to specify a time when the WAN connection is reset, that is, the connection is disconnected momentarily and then reestablished.
  • Page 44: Manually Configure A Pptp Ipv4 Internet Connection

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manually Configure a PPTP IPv4 Internet Connection To configure a PPTP IPv4 Internet connection, enter the PPTP IPv4 information that your IPv4 ISP gave you. If you do not have this information, contact your IPv4 ISP.
  • Page 45 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the WAN IPv4 Settings table, click the Edit button for the WAN interface that you want to configure. The WAN IPv4 ISP Settings screen displays. In the ISP Login section, select the Yes radio button.
  • Page 46 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Idle Timeout Select a connection method radio button: • Keep Connected. Select this radio button to keep the connection always on. • Idle Timeout. Select this radio button to log out after the connection is idle for a period.
  • Page 47 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Specify the DNS settings as described in the following table. Setting Description Select a Domain Name Server (DNS) radio button: • Get Automatically from ISP. Select this radio button if your ISP has not assigned you any DNS IP addresses.
  • Page 48: Configure Load Balancing Or Auto-Rollover For Ipv4 Interfaces

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Connection Status pop-up screen displays. The IP addresses that are shown in this figure are not related to any other examples in this manual. The Connection Status screen shows a valid IP address and gateway. You are connected to the Internet.
  • Page 49: Configure Load Balancing Mode And Optional Protocol Binding

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 firewall supports weighted load balancing and round-robin load balancing (see Configure Load Balancing Mode and Optional Protocol Binding for IPv4 Interfaces on page 49). Note: Scenarios could arise in which load balancing must be bypassed for certain traffic or applications.
  • Page 50 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Protocol Binding When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1 port and the FTP protocol is bound to the WAN2 port, the VPN firewall automatically routes all outbound HTTPS traffic from the computers on the LAN through the WAN1 port.
  • Page 51 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Load Balancing Settings section, configure the following settings: a. Select the Load Balancing Mode radio button. b. From the corresponding menu on the right, select a load balancing method: •...
  • Page 52 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 53 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Configure the protocol binding settings as described in the following table. Setting Description Service From the menu, select a service or application to be covered by this rule. If the service or...
  • Page 54 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. The protocol binding rule is added to the Protocol Binding table. The rule is automatically enabled, which is indicated by a green circle in the ! status icon column.
  • Page 55 To enable, disable, or remove one or more protocol binding rules: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 56: Configure The Auto-Rollover Mode And Failure Detection

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Configure the Auto-Rollover Mode and Failure Detection Method for IPv4 Interfaces Instead of using two WAN interfaces simultaneously in a load balancing configuration, you can use one WAN interface as the primary link and the other WAN interface as the backup link for increased reliability.
  • Page 57 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 58 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. Configure the Failure Detection Method for IPv4 WAN Interfaces The following procedure describes how to configure the failure detection method for IPv4 WAN interfaces that function in auto-rollover mode.
  • Page 59: Manage Secondary Ipv4 Wan Addresses

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Failure Detection Select a failure detection method: Method • WAN DNS. DNS queries are sent to the WAN DNS server that you configured for the WAN interface (see Configure the IPv4 Internet Connection and WAN Settings on page 30).
  • Page 60: Secondary Ipv4 Wan Addresses

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Remove One or More Secondary WAN Addresses Secondary IPv4 WAN Addresses You can set up a single WAN Ethernet port to be accessed through multiple IPv4 addresses by adding aliases to the port. An alias is a secondary WAN address. One advantage is, for example, that you can assign different virtual IP addresses to a web server and an FTP server, even though both servers use the same physical IP address.
  • Page 61 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 62: Remove One Or More Secondary Wan Addresses

    Click the Add button. The secondary IP address is added to the List of Secondary WAN addresses table. Repeat Step 9 and Step 10 for each secondary IP address that you want to add to the List of Secondary WAN addresses table.
  • Page 63: Manage Dynamic Dns Connections

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage Dynamic DNS Connections The following sections provide information about managing Dynamic DNS: • Dynamic DNS • Configure Dynamic DNS Dynamic DNS Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IPv4 addresses to be located using Internet domain names.
  • Page 64 To configure DDNS for both WAN interfaces: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 65 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The WAN Mode section reports the configured WAN mode (for example, Single Port WAN1, Load Balancing, or Auto Rollover). Only those options that match the configured WAN mode are accessible on the screen.
  • Page 66: Managing Advanced Wan Options

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. Managing Advanced WAN Options The following sections provide information about managing advanced WAN options: • Change the Maximum Transmission Unit Size • Change the Port Speed and Duplex Settings •...
  • Page 67 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the WAN IPv4 Settings table, click the Edit button for the WAN interface that you want to configure. The WAN IPv4 ISP Settings screen displays. Click the Advanced option arrow in the upper right.
  • Page 68: Change The Port Speed And Duplex Settings

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change the Port Speed and Duplex Settings In most cases, the VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed.
  • Page 69 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Speed section, if you know the Ethernet port speed of the modem, dish, or router, select it from the Port Speed menu. • AutoSense. Speed autosensing. This is the default setting. The firewall can sense all Ethernet speeds and duplex modes, including 1000BASE-T speed at full duplex.
  • Page 70: Change The Advertised Mac Address Of The Vpn Firewall

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change the Advertised MAC Address of the VPN Firewall Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer’s Media Access Control (MAC) address.
  • Page 71 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Router’s MAC Address section, enter the settings as described in the following table. Setting Description Use Default Address To use the VPN firewall’s own MAC address, select the Use Default Address radio button.
  • Page 72: Set The Wan Connection Type And Corresponding Speeds

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. Set the WAN Connection Type and Corresponding Speeds The WAN connection type and corresponding upload and download connection speeds in effect limit the rate of traffic that is being forwarded by the VPN firewall.
  • Page 73 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Upload/Download Settings section, enter the settings as described in the following table. Setting Description WAN Connection Type From the menu, select the type of connection that the VPN firewall uses to connect to the Internet over the selected interface: DSL, ADLS, T1, T3, or Other.
  • Page 74: Manage Wan Qos And Wan Qos Profiles

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage WAN QoS and WAN QoS Profiles The following sections provide information about managing WAN Quality of Service (QoS) and WAN QoS profiles: • WAN QoS • Add a Rate Control WAN QoS Profile •...
  • Page 75: Add A Rate Control Wan Qos Profile

    Note: To configure and apply QoS profiles successfully, familiarity with QoS concepts such as QoS priority queues, IP precedence, DHCP, and their values is helpful. Add a Rate Control WAN QoS Profile The following procedure describes how to add a rate control QoS profile for a WAN interface.
  • Page 76 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description QoS Type From the menu, select Rate Control. For information about the Priority selection, see Add a Priority Queue WAN QoS Profile on page 78.
  • Page 77 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Congestion Priority From the menu, select the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall: •...
  • Page 78: Add A Priority Queue Wan Qos Profile

    Add a Priority Queue WAN QoS Profile The following procedure describes how to add a priority queue QoS profile for a WAN interface. To add a priority queue WAN QoS profile: On your computer, launch an Internet browser.
  • Page 79 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description QoS Type From the menu, select Priority. For information about the Rate Control selection, see Add a Rate Control WAN QoS Profile on page 75).
  • Page 80: Enable Wan Qos And Select The Wan Qos Type

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Hosts Start IP End IP Select Group Bandwidth Allocation Outbound Minimum These settings do not apply to a priority profile. Bandwidth Outbound Maximum Bandwidth Inbound Minimum Bandwidth Inbound Maximum...
  • Page 81 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 82: Change A Qos Profile

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • QoS Type. The type of profile, either Rate Control or Priority. • Interface Name. The WAN interface to which the profile applies (WAN1 or WAN2). • Service. The service to which the profile applies.
  • Page 83: Enable, Disable, Or Remove One Or More Wan Qos Profiles

    Change the settings. For information about the settings, see Add a Rate Control WAN QoS Profile on page 75 and Add a Priority Queue WAN QoS Profile on page 78. Click the Apply button.
  • Page 84: Additional Wan-Related Configuration Tasks

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The ! status icons change from green circles to gray circles, indicating that the selected profiles are disabled. • Delete. Removes the selected WAN QoS profiles. The selected profiles are removed from the List of QoS Profiles table.
  • Page 85: Chapter 3 Configure The Ipv6 Internet And Wan Settings

    Configure the IPv6 Internet and WAN Settings This chapter explains how to configure the IPv6 Internet and WAN settings. The chapter contains the following sections: • Roadmap to Setting Up an IPv6 Internet Connection to Your ISP • Configure the IPv6 Internet Connection and WAN Settings •...
  • Page 86: Roadmap To Setting Up An Ipv6 Internet Connection To Your Isp

    Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall to protect the network from incoming threats and provide secure connections. To complement the firewall protection, NETGEAR recommends that you use a gateway security appliance such as a NETGEAR ProSECURE STM appliance.
  • Page 87: Configure The Ipv6 Internet Connection And Wan Settings

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 (Optional) Configure auto-rollover and failure detection. By default, the WAN interfaces are configured for primary (single) WAN mode. You can enable auto-rollover and configure the failure detection settings. These tasks are described in Configure Auto-Rollover for IPv6 Interfaces on page 109.
  • Page 88: Manage The Ipv6 Routing Mode

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 After you configured the IPv6 routing mode, you must configure a WAN interface with a global unicast address to enable secure IPv6 Internet connections on your VPN firewall. A global unicast address is a public and routable IPv6 WAN address that can be statically or dynamically assigned.
  • Page 89 Enable the IPv6 Routing Mode The following procedure describes how to enable the IPv6 routing mode. To enable the IPv6 routing mode: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 90: Use A Dhcpv6 Server To Configure An Ipv6 Internet Connection Automatically

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 WARNING: Changing the IP routing mode causes the VPN firewall to reboot. Click the Apply button. Your settings are saved. Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically A DHCPv6 server can allow the VPN firewall to autoconfigure its IPv6 Internet settings.
  • Page 91 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: If your ISP requires MAC authentication and another MAC address was previously registered with your ISP, you must configure that MAC address on the VPN firewall (see Change the Advertised MAC Address of the VPN Firewall on page 70) before you begin the following procedure.
  • Page 92 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Status. The status of the WAN interface (UP or DOWN). • WAN IP. The IPv6 address of the WAN interface. • Action. The Edit button provides access to the WAN IPv6 ISP Settings screen (see Step 8) for the corresponding WAN interface;...
  • Page 93: Manually Configure A Static Ipv6 Internet Connection

    • Prefix delegation check box is selected. A prefix is assigned by the ISP DHCPv6 server through prefix delegation, for example, 2001:db8::/64. The VPN firewall’s own stateless DHCPv6 server can assign this prefix to its IPv6 LAN clients.
  • Page 94 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manually Configure a Static IPv6 Internet Connection To configure a static IPv6 Internet connection, enter the IPv6 address information that your IPv6 ISP gave you. If you do not have this information, contact your IPv6 ISP.
  • Page 95 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the IPv6 WAN Settings table, click the Edit button for the WAN interface that you want to configure. The WAN IPv6 ISP Settings screen displays. The following figure shows the WAN2 IPv6 ISP Settings screen as an example.
  • Page 96 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: If you do not know your static IPv6 address information, contact your IPv6 ISP. Setting Description IPv6 Address The IP address that your ISP assigned to you. Enter the address in one of the following formats (all four examples specify the same IPv6 address): •...
  • Page 97: Manually Configure A Pppoe Ipv6 Internet Connection

    The Connection Status screen shows a valid IP address and gateway. You are connected to the Internet. For more information about the connections status, see View the WAN Port Status and Terminate or Establish the Internet Connection on page 594.
  • Page 98 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 99 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Internet Address section, from the IPv6 menu, select PPPoE. In the PPPoE IPv6 section, enter the settings as described in the following table. Note: If you do not know your PPPoE IPv6 information, contact your IPv6 ISP.
  • Page 100 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description DHCPv6 Option From the DHCPv6 Option menu, select a DHCPv6 server option, as directed by your ISP: • Disable-DHCPv6. DHCPv6 is disabled. You must specify the DNS servers in the Primary DNS Server and Secondary DNS Server fields to receive an IP address from the ISP.
  • Page 101: Manage Tunneling For Ipv6 Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Connection Status screen shows a valid IP address and gateway. You are connected to the Internet. For more information about the connection status, see View the WAN Port Status and Terminate or Establish the Internet Connection on page 594.
  • Page 102 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 6to4 is a WAN tunnel mechanism for automatic tunneling of IPv6 traffic between a device with an IPv6 address and a device with an IPv4 address, or the other way around. 6to4 tunneling is used to transfer IPv6 traffic between LAN IPv6 hosts and WAN IPv6 networks over the IPv4 network.
  • Page 103: Manage Isatap Automatic Tunneling

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > WAN Settings > 6 to 4 Tunneling.
  • Page 104 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: If you do not use a stateful DHCPv6 server in your LAN, you must configure the Router Advertisement Daemon (RADVD) and set up ISATAP advertisement prefixes (which are referred to as Global/Local/ISATAP prefixes) for ISATAP tunneling to function correctly.
  • Page 105 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Add button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays. Specify the tunnel settings as described in the following table. Setting Description ISATAP Subnet Prefix The IPv6 prefix for the tunnel.
  • Page 106 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 107: View The Tunnel Status And Tunnel Ipv6 Addresses

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 108: Configure Stateless Ip/Icmp Translation

    IPv6 address so that the IPv4-translated address becomes 0::ffff:0:a.b.c.d/96. For SIIT to function, the routing mode must be IPv4/IPv6. NETGEAR’s implementation of SIIT lets you configure a single IPv4 address. This IPv4 address is then used in the IPv4-translated address for IPv6 devices to enable communication between IPv4-only devices on the VPN firewall’s LAN and IPv6-only devices on the WAN.
  • Page 109: Configure Auto-Rollover For Ipv6 Interfaces

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 110: Auto-Rollover For Ipv6 Wan Interfaces

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Auto-Rollover for IPv6 WAN Interfaces You can configure the VPN firewall’s IPv6 interfaces for auto-rollover for increased system reliability. You must specify one WAN interface as the primary interface. The VPN firewall supports the following modes for IPv6 interfaces: •...
  • Page 111 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 112: Configure The Failure Detection Method For Ipv6 Wan Interfaces

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The other WAN interface becomes disabled. c. Select the Auto Rollover check box. d. From the corresponding menu on the right, select a WAN interface to function as the backup WAN interface.
  • Page 113 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the IPv6 WAN Settings table, click the Edit button for the WAN interface that you selected as the primary WAN interface. The WAN IPv6 ISP Settings screen displays. Click the Advanced option arrow in the upper right.
  • Page 114: Additional Wan-Related Configuration Tasks

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: You can configure the VPN firewall to generate a WAN status log and email this log to a specified address (see Manage Logging, Alerts, and Event Notifications on page 567).
  • Page 115: Chapter 4 Configure The Ipv4 Lan Settings

    Configure the IPv4 LAN Settings This chapter describes how to configure the IPv4 LAN features of your VPN firewall. The chapter contains the following sections: • Manage IPv4 Virtual LANs and DHCP Options • Manage IPv4 Multihome LAN IP Addresses on the Default VLAN •...
  • Page 116: Ipv4 Lans And Vlans

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage IPv4 Virtual LANs and DHCP Options The following sections provide information about managing IPv4 VLANs and DHCP options: • IPv4 LANs and VLANs • Port-Based VLANs • Assign VLAN Profiles •...
  • Page 117: Port-Based Vlans

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Port-Based VLANs The VPN firewall supports port-based VLANs. Port-based VLANs confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port can have only one VLAN ID as its port VLAN identifier (PVID).
  • Page 118 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To assign VLAN profiles to LAN ports: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 119: Vlan Dhcp

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • VLAN ID. The unique ID (or tag) assigned to the VLAN profile. • Subnet IP. The subnet IP address for the VLAN profile. • DHCP Status. The DHCP server status for the VLAN profile, which can be either Enabled or Disabled.
  • Page 120: Manage Vlan Profiles

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For most applications, the default DHCP server and TCP/IP settings of the VPN firewall are satisfactory. The VPN firewall delivers the following settings to any LAN device that requests DHCP: •...
  • Page 121 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: For information about how to manage VLANs, see Port-Based VLANs on page 116. The following sections provide information about managing VLAN profiles: • Add a VLAN Profile • Change a VLAN Profile •...
  • Page 122 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Add button. The Add VLAN Profile screen displays.
  • Page 123 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile. VLAN ID Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number.
  • Page 124 OU (for organizational unit) O (for organization) C (for country) DC (for domain) For example, to search the netgear.net domain for all last names of Johnson, enter the following objects: cn=Johnson,dc=Netgear,dc=net • Port. The port number for the LDAP server. The default setting is 0 (zero).
  • Page 125 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Inter VLAN Routing Enable Inter VLAN This setting is optional. To ensure that traffic is routed only to VLANs for which Routing inter-VLAN routing is enabled, select the Enable Inter VLAN Routing check box.
  • Page 126 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Apply button. Your settings are saved. The modified VLAN profile displays in the VLAN Profiles table on the LAN Setup screen. Enable, Disable, or Delete Existing VLAN Profiles The following procedure describes how to enable or disable existing VLAN profiles or remove VLAN profiles that you no longer need.
  • Page 127: Configure Unique Vlan Mac Addresses

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The status icons change from green circles to gray circles, indicating that the selected profiles are disabled. • Delete. Removes the selected VLAN profiles. The selected profiles are removed from the VLAN Profiles table.
  • Page 128: Disable The Broadcast Of Arp Packets For The Default Vlan

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 From the MAC Address for VLANs menu, select Unique. The default setting is Same. Click the Apply button. Your settings are saved. VLANs have unique MAC addresses. Note: If you attempt to configure more than 16 VLANs, the MAC addresses that are assigned to each VLAN might no longer be distinct.
  • Page 129: Manage Ipv4 Multihome Lan Ip Addresses On The Default Vlan

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > LAN Settings.
  • Page 130: Add A Secondary Lan Ipv4 Address

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 access to the Internet, but you can do so only for the default VLAN. The IP address that is assigned as a secondary IP address must be unique and cannot be assigned to a VLAN.
  • Page 131: Change A Secondary Lan Ipv4 Address

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Available Secondary LAN IPs table displays the secondary LAN IP addresses that you added to the VPN firewall. In the Add Secondary LAN IP Address section, enter the following settings: •...
  • Page 132: Remove One Or More Secondary Lan Ipv4 Addresses

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 133: Manage Ipv4 Lan Groups And Hosts

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Router Status screen displays. Select Network Configuration > LAN Settings > LAN Multi-homing. The LAN Multi-homing screen displays the IPv4 settings. In the Available Secondary LAN IPs table, select the check box to the left of each secondary IP address that you want to remove, or click the Select All button to select all secondary IP addresses.
  • Page 134: Dhcp Address Reservation

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • You do not need to reserve an IP address for a computer in the DHCP server. All IP address assignments made by the DHCP server are maintained until the computer or device is removed from the network database, either by expiration (inactive for a long time) or by you.
  • Page 135 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Remove One or More Devices from the Network Database View or Add Devices Manually to the Network Database The following procedure describes how to view or add devices manually to the network database.
  • Page 136 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display: • Check box. Allows you to select the computer or device in the table.
  • Page 137 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description MAC Address Enter the MAC address of the computer’s or device’s network interface. The MAC address format is six colon-separated pairs of hexadecimal characters (0–9 and a–f), such as 01:23:d2:6f:89:ab.
  • Page 138 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The LAN Groups screen displays. The following figure shows some manually added devices in the Known PCs and Devices table as an example. In the Known PCs and Devices table, click the Edit button for the device that you want to change.
  • Page 139 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Remove One or More Devices from the Network Database The following procedure describes how to remove one or more devices from the network database. To remove one or more devices from the network database: On your computer, launch an Internet browser.
  • Page 140: Change Group Names In The Network Database

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change Group Names in the Network Database By default, the groups are named Group1 through Group8. You can change these group names to be more descriptive, for example, GlobalMarketing and GlobalSales.
  • Page 141: Manage The Dmz Port For Ipv4 Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Select the radio button next to the group name that you want to change. Note: You can change only one group name at a time. Type a new name in the field.
  • Page 142: Enable And Configure The Dmz Port For Ipv4 Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 applications and to work correctly with them, but other applications might not function well. In some cases, local computers can run the application correctly if those computers are used on the DMZ port.
  • Page 143 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description DMZ Port Setup Select the Yes radio button to configure the DMZ port settings. Complete the following fields: • IP Address. Enter the IP address of the DMZ port. Make sure that the DMZ port IP address and LAN port IP address are in different subnets (for example, an address outside the LAN DHCP address pool, such as 192.168.1.101 when the LAN DHCP pool is 192.168.1.2–192.168.1.100).
  • Page 144 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description DHCP for DMZ Connected Computers Select one of the following radio buttons: • Disable DHCP Server. If another device in the DMZ functions as the Dynamic Host Configuration Protocol (DHCP) server for the DMZ, or if you intend to manually configure the network settings of all computers in the DMZ, select the Disable DHCP Server radio button to disable the DHCP server.
  • Page 145: Manage Static Ipv4 Routing

    OU (for organizational unit) O (for organization) C (for country) DC (for domain) For example, to search the netgear.net domain for all last names of Johnson, enter the following objects: cn=Johnson,dc=Netgear,dc=net • Port. The port number for the LDAP server. The default setting is 0 (zero).
  • Page 146: Add A Static Ipv4 Route

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 and you do not need to configure additional static routes. Configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets on your network. The VPN firewall automatically sets up routes between VLANs and secondary IPv4...
  • Page 147 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Route Name The route name for the static route (for purposes of identification and management). Active To make the static route effective, select the Active check box.
  • Page 148: Change A Static Ipv4 Route

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change a Static IPv4 Route The following procedure describes how to change an existing IPv4 static route. To change an IPv4 static route: On your computer, launch an Internet browser.
  • Page 149: Configure The Routing Information Protocol

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password.
  • Page 150 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > Routing.
  • Page 151 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description RIP Direction From the RIP Direction menu, select the direction in which the VPN firewall sends and receives RIP packets: •...
  • Page 152: Ipv4 Static Route Example

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. IPv4 Static Route Example In this example, we assume the following: • The VPN firewall’s primary Internet access is through a cable modem to an ISP. •...
  • Page 153: Chapter 5 Configure The Ipv6 Lan Settings

    Configure the IPv6 LAN Settings This chapter describes how to configure the IPv6 LAN features of your VPN firewall. The chapter contains the following sections: • Manage the IPv6 LAN • Manage IPv6 Multihome LAN IP Addresses • Manage the DMZ Port for IPv6 Traffic •...
  • Page 154: Manage The Ipv6 Lan

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage the IPv6 LAN The following sections provide information about managing the IPv6 LAN: • IPv6 LANs • DHCPv6 LAN Server Concepts and Configuration Roadmap • Configure a Stateless DHCPv6 Server Without Prefix Delegation for the LAN •...
  • Page 155 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The VPN firewall provides three DHCPv6 options for the LAN. The following sections provide information about the DHCPv6 options for the LAN: • Concept: Stateless DHCPv6 Server Without Prefix Delegation for the LAN •...
  • Page 156: Configure A Stateless Dhcpv6 Server Without Prefix Delegation For The Lan

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For stateless DHCPv6 with prefix delegation, you must enable and configure the RADVD, but you do not need to add advertisement prefixes to the RADVD because the DHCPv6 server assigns the prefixes that you specify for the DHCPv6 server.
  • Page 157 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 158 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description IPv6 LAN Setup IPv6 Address Enter the LAN IPv6 address. The default address is fc00::1. (For more information, see IPv6 LANs on page 153.)
  • Page 159: Manage A Stateless Dhcpv6 Server With Prefix Delegation For The Lan

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Prefix Delegation Leave the Prefix Delegation check box cleared. Prefix delegation is disabled in the LAN. This is the default setting. For information about using the stateless DHCPv6 server with prefix delegation, see Manage a Stateless DHCPv6 Server with Prefix Delegation for the LAN on page 158.
  • Page 160 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Stateless DHCPv6 Server and Prefix Delegation for the LAN As an option for a stateless DHCPv6 server, you can enable prefix delegation. Note that this is prefix delegation by the DHCPv6 server in the LAN, not by the ISP DHCPv6 server in the WAN.
  • Page 161 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 b. In the upper right, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings. c. In the WAN IPv6 Settings table, click the Edit button for the WAN interface for which you want to check the WAN configuration.
  • Page 162 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 f. Make sure that the Prefix Delegation check box is selected. g. If you made any changes, click the Apply button. Your settings are saved. Select Network Configuration > LAN Settings.
  • Page 163 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description DHCPv6 DHCP Status Enable the DHCPv6 server by selecting Enable DHCPv6 Server from the DHCP Status menu. The default menu selection is Disable DHCPv6 Server. DHCP Mode From the DHCP Mode menu, select Stateless.
  • Page 164 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manually Add IPv6 LAN Prefixes for Prefix Delegation As an option, you can also manually add prefixes to enable the DHCPv6 server to assign these prefixes to its IPv6 LAN clients.
  • Page 165 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Apply button. Your settings are saved. The new prefix is added to the List of Prefixes for Prefix Delegation table on the LAN Setup screen for IPv6. Change an IPv6 LAN Prefix for Prefix Delegation The following procedure describes how to change an existing IPv6 LAN prefix for prefix delegation.
  • Page 166: Manage A Stateful Dhcpv6 Server And Ipv6 Address Pools For The Lan

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Remove One or More IPv6 LAN Prefixes for Prefix Delegation The following procedure describes how to remove one or more prefixes that you no longer need for prefix delegation. To remove one or more prefixes for prefix delegation: On your computer, launch an Internet browser.
  • Page 167 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Remove One or More IPv6 LAN Address Pools Stateful DHCPv6 Server and IPv6 Address Pool for the LAN With a stateful DHCPv6 server, the IPv6 clients in the LAN obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server.
  • Page 168 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description IPv6 LAN Setup IPv6 Address Enter the LAN IPv6 address. The default address is fc00::1. (For more information, see IPv6 LANs on page 153.)
  • Page 169 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Server Preference Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting. This is an optional setting that specifies the server’s preference value in a server advertise message.
  • Page 170 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > LAN Settings.
  • Page 171 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 172: Manage The Ipv6 Router Advertisement Daemon For The Lan

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 173 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 IPv6 Router Advertisement Daemon for the LAN The RADVD is an application that uses the Neighbor Discovery Protocol (NDP) to collect link-local advertisements of IPv6 addresses and IPv6 prefixes in the LAN. The RADVD then distributes this information in the LAN, which allows IPv6 clients to configure their own IPv6 address.
  • Page 174 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 175 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description RADVD Status From the RADVD Status menu, select Enable. The RADVD is enabled, and the RADVD fields are available. The default selection is Disable. The RADVD is disabled, and the RADVD fields are masked out.
  • Page 176 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Router Preference Select the VPN firewall’s preference in relation to other hosts and routers in the LAN: • Low. The VPN firewall is treated as a nonpreferred router in the LAN.
  • Page 177 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > LAN Settings.
  • Page 178 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you enabled the ISP DHCPv6 server to assign a prefix through prefix delegation to the VPN firewall (see Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically on page 90), the advertisement prefixes that are based on the ISP’s assignment are shown in the List of Prefixes to Advertise table.
  • Page 179 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description IPv6 Prefix Type Select the IPv6 prefix type: • 6to4. The prefix is for a 6to4 address. You must select a WAN interface from the 6to4Interface menu and complete the SLA ID field and Prefix Lifetime field.
  • Page 180 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > LAN Settings.
  • Page 181: Manage Ipv6 Multihome Lan Ip Addresses

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > LAN Settings.
  • Page 182: Add A Secondary Lan Ipv6 Address

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Secondary LAN IP address. 2001:db8:3000::2192 with a prefix length of 10 Add a Secondary LAN IPv6 Address The following procedure describes how to add a secondary LAN IPv6 address. ...
  • Page 183: Change A Secondary Lan Ipv6 Address

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Add Secondary LAN IP Address section, enter the following settings: • IPv6 Address. Enter the secondary address that you want to assign to the LAN ports. • Prefix Length. Enter the prefix length for the secondary IP address.
  • Page 184: Remove One Or More Secondary Lan Ipv6 Addresses

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Available Secondary LAN IPs table, click the Edit button for the secondary IP address that you want to change. The Edit LAN Multi-homing screen displays. Modify the IP address or prefix length, or both: •...
  • Page 185: Manage The Dmz Port For Ipv6 Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Delete button. The selected secondary IPv6 addresses are removed from the Available Secondary LAN IPs table. Manage the DMZ Port for IPv6 Traffic The following sections provide information about managing the DMZ port for IPv6 traffic: •...
  • Page 186: Manage A Stateless Dhcpv6 Server With Prefix Delegation For The Dmz

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 receive DNS server information from the DHCPv6 server (see Configure a Stateless DHCPv6 Server for the DMZ on page 185). For stateless DHCPv6, you also must configure the RADVD and advertisement prefixes...
  • Page 187 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 188 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description DMZ Port Setup Select the Yes radio button to configure the DMZ port settings. Complete the following fields: • IPv6 Address. Enter the IP address of the DMZ port. Make sure that the DMZ port IP address, LAN port IP address, and WAN port IP address are in different subnets.
  • Page 189 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description DNS Server From the DNS Server menu, select a DNS server option: • Use DNS Proxy. The VPN firewall acts as a proxy for all DNS requests and communicates with the ISP DNS servers that you configure. For...
  • Page 190 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 IPv6 Router Advertisement Daemon for the DMZ Hosts and routers in the DMZ use NDP to determine the link-layer addresses and related information of neighbors in the DMZ that can forward packets on their behalf. The VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ.
  • Page 191 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 192 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description RADVD Status From the RADVD Status menu, select Enable. The RADVD is enabled and the RADVD fields are available. The default selection is Disable. The RADVD is disabled and the RADVD fields are masked out.
  • Page 193 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Router Preference Select the VPN firewall’s preference in relation to other hosts and routers in the DMZ: • Low. The VPN firewall is treated as a nonpreferred router in the DMZ.
  • Page 194 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the upper right, select the IPv6 radio button. The DMZ Setup screen displays the IPv6 settings. The following figure shows an example. Click the RADVD option arrow in the upper right.
  • Page 195 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Under the List of Prefixes to Advertise table, click the Add button. The Add Advertisement Prefix screen displays.
  • Page 196 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description IPv6 Prefix Type Select the IPv6 prefix type: • 6to4. The prefix is for a 6to4 address. You must select a WAN interface from the 6to4Interface menu and complete the SLA ID field and Prefix Lifetime field.
  • Page 197 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > DMZ Setup.
  • Page 198: Manage A Stateful DHCPv6 Server And IPv6 Address Pools For The DMZ

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > DMZ Setup.
  • Page 199 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Configure a Stateful DHCPv6 Server for the DMZ The following procedure describes how to configure a stateful DHCPv6 server and corresponding IPv6 settings for the DMZ. To configure a stateful DHCPv6 server and corresponding IPv6 settings for the DMZ: On your computer, launch an Internet browser.
  • Page 200 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description DMZ Port Setup Select the Yes radio button to configure the DMZ port settings. Complete the following fields: • IPv6 Address. Enter the IP address of the DMZ port. Make sure that the DMZ port IP address, LAN port IP address, and WAN port IP address are in different subnets.
  • Page 201 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Domain Name Enter the domain name of the DHCP server. Server Preference Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting.
  • Page 202 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 203 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Start IPv6 Address Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the DMZ is assigned an IP address between this address and the end IP address.
  • Page 204 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Login button. The Router Status screen displays. Select Network Configuration > DMZ Setup. The DMZ Setup screen displays the IPv4 settings. In the upper right, select the IPv6 radio button.
  • Page 205: Manage Static IPv6 Routing

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the upper right, select the IPv6 radio button. The DMZ Setup screen displays the IPv6 settings. In the List of IPv6 Address Pools table, select the check box to the left of each address pool that you want to remove or click the Select All button to select all address pools.
  • Page 206 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Login button. The Router Status screen displays. Select Network Configuration > Routing. The Static Routing screen displays the IPv4 settings. In the upper right, select the IPv6 radio button.
  • Page 207: Change A Static IPv6 Route

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Interface From the menu, select the physical or virtual network interface (the WAN1 or WAN2 interface, a sit0 Tunnel, LAN interface, or DMZ interface) through which the route is accessible.
  • Page 208: Remove One Or More Static IPv6 Routes

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Edit IPv6 Static Routing screen displays. Change the settings. For information about the settings, see Add a Static IPv6 Route on page 204. Click the Apply button. Your settings are saved. The modified route displays in the List of IPv6 Static Routes table on the Static Routes screen.
  • Page 209: Chapter 6 Customize Firewall Protection

    Customize Firewall Protection This chapter describes how to use the firewall features of the VPN firewall to protect your network. The chapter contains the following sections: • Firewall Protection • Overview of Rules to Block or Allow Specific Kinds of Traffic •...
  • Page 210 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Firewall Protection A firewall protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet) while allowing communication between the two. You can further segment keyword blocking to certain known groups such as LAN groups and IP groups.
  • Page 211: Overview Of Rules To Block Or Allow Specific Kinds Of Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Overview of Rules to Block or Allow Specific Kinds of Traffic The following sections provide overviews of rules to block and allow specific kinds of traffic: • Firewall Rules • Outbound Rules — Service Blocking •...
  • Page 212 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Default DMZ WAN Rules For DMZ WAN traffic, the default policy is to block all traffic from and to the Internet. You can change the default policy by adding DMZ WAN firewall rules that allow specific types of traffic to go out from the DMZ to the Internet (outbound) or to come in from the Internet to the DMZ (inbound).
  • Page 213: Outbound Rules - Service Blocking

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Profiles for IPv4 Firewall Rules on page 293 and Default Quality of Service Priorities for IPv6 Firewall Rules on page 298). • Bandwidth profiles. After you configure a bandwidth profile (see...
  • Page 214 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Table 5. Outbound rules overview Setting Description Outbound Rules Service The service or application to be covered by this rule. If the service All rules or application does not display in the list, you must define it (see Manage Customized Services on page 280).
  • Page 215 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Table 5. Outbound rules overview (continued) Setting Description Outbound Rules WAN Users The settings that determine which Internet locations are covered LAN WAN rules by the rule, based on their IP address. The options are as follows: DMZ WAN rules •...
  • Page 216: Inbound Rules - Port Forwarding

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Table 5. Outbound rules overview (continued) Setting Description Outbound Rules Bandwidth Profile Bandwidth limiting determines how the data is sent to and from IPv4 LAN WAN rules your host. The purpose of bandwidth limiting is to provide a...
  • Page 217 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The rule informs the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This process is known as port forwarding. WARNING: Allowing inbound services opens security holes in your network.
  • Page 218: Settings For Inbound Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Settings for Inbound Rules The following table describes the components that let you configure rules for inbound traffic. For information about the actual procedures to configure inbound rules, see the following sections: •...
  • Page 219 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Table 6. Inbound rules overview (continued) Setting Description Inbound Rules WAN Destination IP The setting that determines the destination IP address applicable IPv4 LAN WAN rules Address to incoming traffic. This is the public IP address that maps to the IPv4 DMZ WAN rules internal LAN server.
  • Page 220 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Table 6. Inbound rules overview (continued) Setting Description Inbound Rules DMZ Users The settings that determine which DMZ computers on the DMZ DMZ WAN rules network are covered by this rule. The options are as follows: LAN DMZ rules •...
  • Page 221: Change The Default Outbound Policy For LAN WAN Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Table 6. Inbound rules overview (continued) Setting Description Inbound Rules The setting that determines whether packets covered by this rule All rules are logged. The options are as follows: • Always. Always log traffic that matches this rule. This is useful when you are debugging your rules.
  • Page 222 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 223: Change The Default LAN WAN Outbound Policy For IPv6 Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change the Default LAN WAN Outbound Policy for IPv6 Traffic The following procedure describes how to change the default outbound policy for IPv6 traffic from the LAN to the WAN. ...
  • Page 224: Add LAN WAN Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 From the Default Outbound Policy menu, select Block Always. By default, Allow Always is selected. Click the Apply button. Your settings are saved. Add LAN WAN Rules The following sections provide information about managing LAN WAN rules: •...
  • Page 225 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Add an IPv6 LAN WAN Outbound Rule Add an IPv4 LAN WAN Outbound Rule The following procedure describes how to add an IPv4 LAN WAN outbound rule. To add an IPv4 LAN WAN outbound rule: On your computer, launch an Internet browser.
  • Page 226 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Under the Outbound Services table, click the Add button. The Add LAN WAN Outbound Service screen for IPv4 displays. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 212.
  • Page 227 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The following table lists the menus that apply to an IPv4 LAN WAN outbound rule. Menus that apply to all IPv4 LAN WAN outbound Menus that apply only when your selection from...
  • Page 228 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Firewall submenu tabs display with the LAN WAN Rules screen in view, displaying the IPv4 settings. In the upper right, select the IPv6 radio button. The LAN WAN Rules screen displays the IPv6 settings.
  • Page 229: Add LAN WAN Inbound Service Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The following table lists the menus that apply to an IPv6 LAN WAN outbound rule. Menus that apply to all IPv6 LAN WAN outbound Menus that apply only when your selection from...
  • Page 230 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Add an IPv4 LAN WAN Inbound Rule The following procedure describes how you can add an IPv4 LAN WAN inbound rule. To add an IPv4 LAN WAN inbound rule: On your computer, launch an Internet browser.
  • Page 231 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Under the Inbound Services table, click the Add button. The Add LAN WAN Inbound Service screen for IPv4 displays. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbound Rules on page 217.
  • Page 232 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Menus that apply to all IPv4 LAN WAN inbound Menus that apply only when your selection from rules the Action menu is not BLOCK always WAN Users Bandwidth Profile Click the Apply button.
  • Page 233 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Under the Inbound Services table, click the Add button. The Add LAN WAN Inbound Service screen for IPv6 displays. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbound Rules on page 217.
  • Page 234: Add DMZ WAN Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Menus that apply to all IPv6 LAN WAN inbound Menus that apply only when your selection from rules the Action menu is not BLOCK always LAN Users WAN Users Click the Apply button.
  • Page 235 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 236 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 212. The following table lists the menus that apply to an IPv4 DMZ WAN outbound rule.
  • Page 237 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 238: Add DMZ WAN Inbound Service Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 212. The following table lists the menus that apply to an IPv6 DMZ WAN outbound rule.
  • Page 239 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: Inbound LAN WAN rules take precedence over inbound DMZ WAN rules. When an inbound packet matches an inbound LAN WAN rule, the VPN firewall does not match the packet against inbound DMZ WAN rules.
  • Page 240 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Under the Inbound Services table, click the Add button. The Add DMZ WAN Inbound Service screen for IPv4 displays. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbound Rules on page 217.
  • Page 241 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The following table lists the menus that apply to an IPv4 DMZ WAN inbound rule. Menus that apply to all IPv4 DMZ WAN inbound Menus that apply only when your selection from...
  • Page 242 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Router Status screen displays. Select Security > Firewall > DMZ WAN Rules. The DMZ WAN Rule screen displays the IPv4 settings. In the upper right, select the IPv6 radio button.
  • Page 243: Add LAN DMZ Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The following table lists the menus that apply to an IPv6 DMZ WAN inbound rule. Menus that apply to all IPv6 DMZ WAN inbound Menus that apply only when your selection from...
  • Page 244 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To add an IPv4 LAN DMZ outbound rule: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 245 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 212. The following table lists the menus that apply to an IPv4 LAN DMZ outbound rule.
  • Page 246 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 247: Add LAN DMZ Inbound Service Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 212. The following table lists the menus that apply to an IPv6 LAN DMZ outbound rule.
  • Page 248 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The following sections provide information about adding LAN DMZ inbound service rules: • Add an IPv4 LAN DMZ Inbound Rule • Add an IPv6 LAN DMZ Inbound Rule Add an IPv4 LAN DMZ Inbound Rule The following procedure describes how to add an IPv4 LAN DMZ inbound rule.
  • Page 249 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Under the Inbound Services table, click the Add button. The Add LAN DMZ Inbound Service screen for IPv4 displays. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbound Rules on page 217.
  • Page 250 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 251: Manage Existing Firewall Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbound Rules on page 217. The following table lists the menus that apply to an IPv6 LAN DMZ inbound rule.
  • Page 252 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Remove the rule To manage an existing rule: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 253: Examples Of Firewall Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Take one of the actions that are described in the following table. Action Steps In the leftmost column of the table, select the check box for the rule. Change a rule On the same row in the table, click the Edit button.
  • Page 254: Examples Of Inbound Firewall Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Examples of Inbound Firewall Rules • Examples of Outbound Firewall Rules Examples of Inbound Firewall Rules The following sections provide examples of IPv4 and IPv6 LAN WAN inbound rules: •...
  • Page 255 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Service From the menu, select HTTP. Action From the menu, select ALLOW always. Send to LAN Server From the menu, select Single address.
  • Page 256 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses and according to a schedule.
  • Page 257 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Service From the menu, select CU-SEEME:UDP. Action From the menu, select ALLOW by schedule, otherwise block. (If you do not want to use a schedule, select ALLOW always.) Select Schedule From the menu, select a schedule.
  • Page 258 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description You can leave the selection from the menu at Never. Bandwidth Profile You can leave the selection from the menu at NONE. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the LAN WAN Rules screen.
  • Page 259 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Network Configuration > WAN Settings > WAN Setup.
  • Page 260 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Service From the menu, select HTTP. Action From the menu, select ALLOW always. Send to LAN Server From the menu, select Single address.
  • Page 261 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a Single LAN User If you want to restrict incoming reverse Telnet (RTelnet) sessions from a single IPv6 WAN user to a single IPv6 LAN user, specify the initiating IPv6 WAN address and the receiving IPv6 LAN address.
  • Page 262: Examples Of Outbound Firewall Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Service From the menu, select RTelnet. Action From the menu, select ALLOW always. LAN Users From the menu, select Single address.
  • Page 263 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 IPv4 LAN WAN Outbound Rule: Block Instant Messenger If you want to block Instant Messenger usage by employees during specific hours such as working hours, you can create an outbound rule to block such an application from any internal IP address to any external address according to the schedule that you create.
  • Page 264 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Service From the menu, select AIM. Action From the menu, select BLOCK by schedule, otherwise allow. Select Schedule From the menu, select a schedule.
  • Page 265 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet If you want to allow a group of DMZ users to access a particular FTP site on the Internet during specific hours such as working hours, you can create an outbound rule to allow such traffic by specifying the IPv6 DMZ start and finish addresses and the IPv6 WAN address.
  • Page 266: Configure Other Firewall Features

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Service From the menu, select FTP. Action From the menu, select ALLOW by schedule, otherwise block. Select Schedule From the menu, select a schedule.
  • Page 267: Manage Protection Against Common Network Attacks

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Set Limits for IPv4 Sessions • Manage Time-Out Periods for TCP, UDP, and ICMP Sessions • Manage Multicast Pass-Through • Manage the Application Level Gateway for SIP Sessions You can configure attack checks, set session limits, configure multicast pass-through, and manage the application level gateway (ALG) for SIP sessions.
  • Page 268 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Attack Checks screen displays the IPv4 settings. Enter the settings as described in the following table. Setting Description WAN Security Checks Respond to Ping on Select the Respond to Ping on Internet Ports check box to enable the VPN firewall Internet Ports to respond to a ping from the Internet to its IPv4 address.
  • Page 269 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description LAN Security Checks Block UDP flood Select the Block UDP flood check box to prevent the VPN firewall from accepting more than a specified number of simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN.
  • Page 270: Manage VPN Pass-Through

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 271 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Manage VPN Pass-Through in the IPv4 Network • Manage VPN Pass-Through in the IPv6 Network VPN Pass-Through When the VPN firewall functions in NAT mode, all packets going to a remote VPN gateway are first filtered through NAT and then encrypted according to the VPN policy.
  • Page 272 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To block VPN pass-through, clear any of the following check boxes, which are selected by default to allow VPN pass-through: • IPSec. Clearing this check box disables NAT filtering for IPSec tunnels.
  • Page 273: Set Limits For IPv4 Sessions

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 274 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 275: Manage Time-Out Periods For TCP, UDP, And ICMP Sessions

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Session Limit Session Limit Control From the menu, select an option: • When single IP exceeds. When the limit is reached, no new session is allowed from the IP address.
  • Page 276 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 277: Manage Multicast Pass-Through

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • ICMP Timeout. For ICMP traffic, the default time-out period is 8 seconds. Click the Apply button. Your settings are saved. Manage Multicast Pass-Through Multicast pass-through is supported for IPv4 traffic only. The following sections provide information about managing multicast pass-through: •...
  • Page 278 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Security > Firewall > IGMP.
  • Page 279: Manage The Application Level Gateway For SIP Sessions

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 b. Click the Add button. The multicast source address is added to the Alternate Networks table. c. Repeat Step a and Step b for each multicast source address that you must add to the Alternate Networks table.
  • Page 280: Manage Firewall Objects

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To enable ALG for SIP: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 281: Firewall Objects

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Manage Quality of Service Profiles for IPv4 Firewall Rules • Default Quality of Service Priorities for IPv6 Firewall Rules • Manage Bandwidth Profiles for IPv4 Traffic Firewall Objects When you create inbound and outbound firewall rules, you use firewall objects such as...
  • Page 282 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Services Overview Examples of web servers that provide web services include the following: web servers provide web pages, time servers provide time and date information, and game hosts provide data about players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
  • Page 283 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Select Security > Services. The Services screen displays. The Custom Services Table shows the user-defined services. The following figure shows some examples. In the Add Customer Service section, enter the settings as described in the following table.
  • Page 284 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 285: Manage Service Groups

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To remove one or more customized services: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 286 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 single firewall rule. For example, in a configuration with 10 web servers, each of which requires the same three port-forwarding rules, you can create a service group for the port-forwarding rules and an IP group for the web servers (see Manage IP Address Groups on page 288) and then create only one firewall rule.
  • Page 287 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Name field, enter a name for the service. Specify the services for the group by using the move buttons (<< and >>) to move services between the Available Services field and the List of Selected Services field.
  • Page 288 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Select Network Security > Services > Service Groups. The Service Group screen displays. In the Custom Service Group Table, click the Edit button for the service group that you want to change.
  • Page 289: Manage IP Address Groups

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage IP Address Groups You can combine individual IP addresses into IP address groups. The following sections provide information about managing IP address groups: • IP Address Groups Overview • Add an IP Address Group •...
  • Page 290 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Select Security > Services > IP Groups. The IP Groups screen displays. The following figure shows two groups in the Custom IP Groups Table as examples. In the Add New Custom IP Group section, do the following: •...
  • Page 291 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table. Click the Edit button again. The IP Groups screen displays. The group configuration is complete.
  • Page 292 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The selected IP addresses are removed from the IP Addresses Grouped table. c. In the IP Address field, type an IP address. d. Click the Add button. The IP address is added to the IP Addresses Grouped table.
  • Page 293: Define A Schedule

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Define a Schedule Schedules define the time frames under which firewall rules are applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules.
  • Page 294: Manage Quality Of Service Profiles For IPv4 Firewall Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Scheduled Days section, select a radio button: • All Days. The schedule is in effect all days of the week. • Specific Days. The schedule is in effect only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect.
  • Page 295 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Change an IPv4 QoS Profile • Remove One or More IPv4 QoS Profiles IPv4 QoS Profiles Overview A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule or service and IPv4 traffic that matches the firewall rule or service is processed by the VPN firewall.
  • Page 296 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 297 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Profile Name A descriptive name of the QoS profile for identification and management purposes. Re-Mark Select the Re-Mark check box to set the Differentiated Services (DiffServ) mark in the Type of Service (ToS) byte of an IP header by specifying the QoS type (IP precedence or DSCP) and QoS value.
  • Page 298 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 299: Default Quality Of Service Priorities For Ipv6 Firewall Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Security > Services > QoS Profiles.
  • Page 300: Manage Bandwidth Profiles For Ipv4 Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage Bandwidth Profiles for IPv4 Traffic Bandwidth profiles determine how fast or slow data is communicated with the hosts. The following sections provide information about managing quality of service profiles for IPv4 firewall rules: •...
  • Page 301 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Add and Enable a Bandwidth Profile The following procedure describes how to add and enable a bandwidth profile that you then can use as an object for a firewall rule. Note: When you enable a bandwidth profile, the performance of the VPN firewall might be affected slightly.
  • Page 302 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Under the List of Bandwidth Profiles table, click the Add button. The Add Bandwidth Profile screen displays. Enter the settings as described in the following table. Setting Description Profile Name A descriptive name of the bandwidth profile for identification and management purposes.
  • Page 303 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Inbound Maximum Bandwidth: The inbound maximum allowed bandwidth in Kbps. The maximum allowable bandwidth is 100,000 Kbps and you cannot configure less than 100 Kbps. The VPN firewall does not provide a default setting.
  • Page 304 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 305 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Login button. The Router Status screen displays. Select Security > Bandwidth Profiles. The Bandwidth Profiles screen displays. In the List of Bandwidth Profiles table, select the check box to the left of each bandwidth profile that you want to remove or click the Select All button to select all profiles.
  • Page 306: Chapter 7 Protect Your Network

    Protect Your Network This chapter describes how to protect your network through features other than the firewall. The chapter contains the following sections: • Manage Content Filtering • Enable Source MAC Filtering • Manage IP/MAC Bindings • Manage Port Triggering •...
  • Page 307: Manage Content Filtering

    By default, content filtering and web component blocking are disabled; all requested traffic from any website is allowed. If you enable one or more of these features and users try to access a blocked site, they see a “Blocked by NETGEAR” message. Note: Content filtering is supported for IPv4 users and groups only.
  • Page 308: Enable Content Filtering And Select Web Components

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: Many websites require that cookies be accepted for the site to be accessed correctly. Blocking cookies might interfere with useful functions provided by these websites. • Keyword blocking (domain name blocking). You can specify up to 32 words to block.
  • Page 309 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Security > Content Filtering.
  • Page 310: Manage Keywords And Domain Names That Must Be Blocked

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Web Components section, select the check boxes for the components that you want to block: • Proxy. Blocks proxy servers. • Java. Blocks Java applets from being downloaded. •...
  • Page 311: Manage Domain Names That You Trust

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To compose the list of blocked keywords and domain names, add, change, or remove keywords and domain names: • Add. To add a keyword or domain name, do the following: a. In the Add Blocked Keyword section, in the Blocked Keyword field, enter a keyword or domain name.
  • Page 312: Manage Keyword Blocking For Lan Groups

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 313: Enable Source Mac Filtering

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 314 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To enable MAC filtering and manage MAC addresses to be permitted or blocked: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 315: Manage Ip/Mac Bindings

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Permit and Block the rest. Traffic coming from all addresses in the MAC Addresses table is permitted. Traffic from all other MAC addresses is blocked. Click the Apply button. Your settings are saved. The MAC Address field in the Add Source MAC Address section becomes available.
  • Page 316: Manage Ip/Mac Bindings For Ipv4 Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 detects packets with an IP address that matches the IP address in the IP/MAC Bindings table but does not match the related MAC address in the IP/MAC Bindings table (or the other way around), the packets are dropped.
  • Page 317 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 View and Set Up an IPv4/MAC Binding The following procedure describes how to view existing IPv4/MAC bindings and set up a binding between a MAC address and an IPv4 address...
  • Page 318 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Email IP/MAC Violations section, specify if you want to enable email logs for IP/MAC binding violations by selecting one of the following radio buttons: • Yes. The VPN firewall emails IP/MAC binding violations.
  • Page 319 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 320 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Login button. The Router Status screen displays. Select Security > Address Filter > IP/MAC Binding. The IP/MAC Binding screen displays the IPv4 settings. In the IP/MAC Bindings table, select the check box to the left of each IP/MAC binding that you want to remove or click the Select All button to select all bindings.
  • Page 321: Manage Ip/Mac Bindings For Ipv6 Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The pop-up screen displays the dropped IPv4 packets. Click the Stop button. Wait for the confirmation that the operation succeeded. In the Poll Interval field, enter a new poll interval in seconds.
  • Page 322 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 323 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Note: You must specify only once whether you want IP/MAC binding violations for IPv6 traffic to be logged and emailed. Your selection applies to all IPv6 IP/MAC bindings. Click the Apply button.
  • Page 324 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Router Status screen displays. Select Security > Address Filter > IP/MAC Binding. The IP/MAC Binding screen displays the IPv4 settings. In the upper right, select the IPv6 radio button. The IP/MAC Binding screen displays the IPv6 settings.
  • Page 325 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the upper right, select the IPv6 radio button. The IP/MAC Binding screen displays the IPv6 settings. In the IP/MAC Bindings table, select the check box to the left of each IP/MAC binding that you want to remove or click the Select All button to select all bindings.
  • Page 326: Manage Port Triggering

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The pop-up screen displays the dropped IPv6 packets. Click the Stop button. Wait for the confirmation that the operation succeeded. In the Poll Interval field, enter a new poll interval in seconds.
  • Page 327: Add A Port Triggering Rule

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The remote system receives the computer’s request and responds using the incoming port or ports that are associated with the port triggering rule on the VPN firewall. The VPN firewall matches the response to the previous request and forwards the response to the computer.
  • Page 328 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Port Triggering screen displays. The following figure shows a rule in the Port Triggering Rules table as an example. In the Add Port Triggering Rule section, enter the settings as described in the following table.
  • Page 329: Change A Port Triggering Rule

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change a Port Triggering Rule The following procedure describes how to change an existing port triggering rule. To change a port triggering rule: On your computer, launch an Internet browser.
  • Page 330: Display The Status Of Active Port Triggering Rules

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 331: Enable Universal Plug And Play

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Security > Port Triggering.
  • Page 332 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Security > UPnP.
  • Page 333 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Refresh button. The content of the UPnP Portmap Table refreshes. Any UPnP devices that accessed the VPN firewall and that were automatically detected by the VPN firewall display in the UPnP Portmap Table.
  • Page 334: Chapter 8 Set Up Virtual Private Networking With Ipsec Connections

    Set Up Virtual Private Networking With IPSec Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. The chapter contains the following sections: •...
  • Page 335: Dual Wan Port Systems

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Dual WAN Port Systems If two WAN ports are configured for either IPv4 or IPv6, you can enable either auto-rollover mode for increased system reliability or load balancing mode for optimum bandwidth efficiency.
  • Page 336: Use The Ipsec Vpn Wizard For Client And Gateway Configurations

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The following table summarizes the WAN addressing requirements (FQDN or IP address) for a VPN tunnel in either dual WAN mode. Table 7. IP addressing for VPNs in dual WAN port systems...
  • Page 337: View The Ipsec Vpn Wizard Default Values

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 algorithm, and encryption. The settings that the VPN Wizard uses are based on the recommendations of the VPN Consortium (VPNC), an organization that promotes multivendor VPN interoperability. Tip: To ensure that VPN tunnels stay active, after completing the wizard, manually change the VPN policy to enable keep-alives.
  • Page 338: Create An Ipv4 Gateway-To-Gateway Vpn Tunnel With The Wizard

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Router Status screen displays. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays the IPv4 settings. Click the VPN Wizard default values option arrow in the upper right.
  • Page 339 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Figure 8. Example of an IPv4 gateway-to-gateway IPSec VPN connection. To set up an IPv4 gateway-to-gateway VPN tunnel using the VPN Wizard: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 340 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description About VPN Wizard This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port’s IP address or Internet name displays in the End Point Information section.
  • Page 341 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description This VPN tunnel will use the following local WAN Interface: Select a WAN interface from the menu. The VPN tunnel uses the WAN interface as the local endpoint. To enable VPN rollover, select the Enable RollOver? check box.
  • Page 342: Create An Ipv6 Gateway-To-Gateway Vpn Tunnel With The Wizard

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The configuration steps depend on the remote gateway. On the VPN firewall, activate the IPSec VPN connection: a. Select VPN > Connection Status. b. Locate the policy in the table and click the Connect button.
  • Page 343 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To set up an IPv6 gateway-to-gateway VPN tunnel using the VPN Wizard: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 344 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description About VPN Wizard This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port’s IP address or Internet name displays in the End Point Information section.
  • Page 345 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description This VPN tunnel will use the following local WAN Interface: Select a WAN interface from the menu. The VPN tunnel uses the WAN interface as the local endpoint. To enable VPN rollover, select the Enable RollOver? check box.
  • Page 346: Create An Ipv4 Client-To-Gateway Vpn Tunnel With The Wizard

    • Use the VPN Wizard to Configure the Gateway for a Client Tunnel • Use the NETGEAR ProSAFE VPN Client Wizard to Create a Secure Connection to the VPN Firewall • Manually Create a Secure Connection to the VPN Firewall Using the NETGEAR...
  • Page 347 The VPN firewall supports client connections with the NETGEAR ProSAFE VPN Client, which is an application that you can install on a computer. The VPN firewall is bundled with a single-user license of the NETGEAR ProSAFE VPN Client software (VPN01L). For information about the NETGEAR ProSAFE VPN Client, including information about multi-user licenses, visit http://www.netgear.com/business/products/security/vpn-software.aspx.
  • Page 348 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To set up the VPN firewall for a client-to-gateway VPN tunnel using the VPN Wizard: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 349 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description About VPN Wizard This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote FQDN (remote.com) and the default local FQDN (local.com) display in the End Point Information section.
  • Page 350 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description This VPN tunnel will use the following local WAN Interface: Select a WAN interface from the menu. The VPN tunnel uses the WAN interface as the local endpoint. To enable VPN rollover, select the Enable RollOver? check box.
  • Page 351 Router’s LAN network IPv4 address: 192.168.1.0. Router’s WAN IPv4 address: 192.168.15.175. Use the NETGEAR ProSAFE VPN Client Wizard to Create a Secure Connection to the VPN Firewall Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client.
  • Page 352 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 From the main menu, select Configuration > Wizard. Select the A router or a VPN gateway radio button. Click the Next button.
  • Page 353 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Specify the following VPN tunnel parameters: • IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the VPN firewall. For example, enter 192.168.15.175.
  • Page 354 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
  • Page 355 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Local and Remote ID Local ID As the type of ID, select DNS from the Local ID menu because you specified FQDN in the VPN firewall configuration. As the value of the ID, enter remote.com as the local ID for the VPN client.
  • Page 356 The VPN client lets you set up the VPN connection with the integrated Configuration Wizard (see Use the NETGEAR ProSAFE VPN Client Wizard to Create a Secure Connection to the VPN Firewall on page 349), which is the easier and preferred method, or manually. In some situations you might prefer the manual configuration, which provides more control over the configuration process.
  • Page 357 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1. Change the name of the authentication phase (the default name is Gateway): a. Right-click the authentication phase name.
  • Page 358 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Specify the settings that are described in the following table. Setting Description Interface From the menu, select Any. Remote Gateway Enter the remote IP address or DNS name of the VPN firewall. For example, enter 192.168.15.175.
  • Page 359 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Specify the settings that are described in the following table. Setting Description Advanced features Aggressive Mode Select this check box to enable aggressive mode as the mode of negotiation with the VPN firewall.
  • Page 360 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. Continue the manual configuration of the VPN client with the IPSec configuration. In the tree list pane of the Configuration Panel screen, right-click the vpn_client authentication phase name and select New Phase 2.
  • Page 361 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Specify the settings that are described in the following table. Setting Description VPN Client address Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that the VPN client uses in the VPN firewall’s LAN.
  • Page 362: Test The Connection And View Connection And Status Information

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Specify the default lifetimes in seconds: • Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall.
  • Page 363: Test The Netgear Prosafe Vpn Client Vpn Tunnel Connection

    Test the NETGEAR ProSAFE VPN Client VPN Tunnel Connection Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client. After you configure the IPSec VPN connection on the VPN firewall and the VPN client, you can test the VPN tunnel connection.
  • Page 364: Netgear Prosafe Vpn Client Status And Log Information

    VPN tunnel opened. Figure 11. VPN client system tray color codes. Both the NETGEAR ProSAFE VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 365: View The Vpn Firewall Ipsec Vpn Connection Status And Terminate Or Establish Tunnels

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 View the VPN Firewall IPSec VPN Connection Status and Terminate or Establish Tunnels You can view the connection status of all IPSec VPN tunnel sessions on the VPN firewall. For a gateway-to-gateway connection, you can terminate or establish a tunnel. For a client-to-gateway connection, you can terminate a tunnel.
  • Page 366: View The Vpn Firewall Ipsec Vpn Log

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view. The following figure shows an IPSec security association (SA) as an example. The Active IPSec SA(s) table lists each active connection with the information that is described in the following table.
  • Page 367: Manage Ipsec Vpn Policies Manually

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To display the IPSec VPN log on the VPN firewall: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 368: Manage Ike Policies

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 You can change existing policies or manually add new VPN and IKE policies directly in the policy tables. The following sections provide information about managing IPSec VPN policies manually: • Manage IKE Policies •...
  • Page 369 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 View the IKE Policies The following procedure describes how to view the IKE policies that were automatically added and that you manually added. To view the IKE policies: On your computer, launch an Internet browser.
  • Page 370 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Each policy contains the settings that are described in the following table. These settings apply to both IPv4 and IPv6 IKE policies. For more information about these settings, see Manually Add an IKE Policy on page 368.
  • Page 371 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Router Status screen displays. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view. To add an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button.
  • Page 372 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Other than the nature of the IP addresses, the settings that you must enter for IPv4 and IPv6 settings are identical.
  • Page 373 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Mode Config Record Do you want to use Mode Config Record? Specify whether the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Overview on page 394.
  • Page 374 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Identifier Type From the menu, select an ISAKMP identifier to be used by the VPN firewall and specify the identifier in the Identifier field: • Local Wan IP. The WAN IP address of the VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
  • Page 375 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Diffie-Hellman (DH) Group: The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the menu, select the strength: •...
  • Page 376 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Authentication Type If you select Edge Device from the AUTH Configuration menu, you must select an authentication type from the Authentication Type menu: • User Database. XAUTH occurs through the VPN firewall’s user database. For...
  • Page 377 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The VPN Policies screen displays the IPv4 settings. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings.
  • Page 378 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If the IKE policy that you want to change is associated with a VPN policy, first disable the VPN policy: a. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings.
  • Page 379 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The VPN policy is reenabled. The gray circle to the left of the VPN policy turns green. Remove One or More IKE Policies The following procedure describes how you can remove one or more IKE policies that you no longer need.
  • Page 380: Manage Vpn Policies

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you want to change. Note: When you use the VPN IPsec Wizard, the VPN and IKE policies that are added automatically have the same name.
  • Page 381 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 involved. A manual VPN policy cannot use the Internet Key Exchange (IKE) negotiation protocol. • Auto. Some settings for the VPN tunnel are generated automatically through the use of the IKE protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint).
  • Page 382 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 383 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Item Description Auth The authentication algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint. Encr The encryption algorithm that is used for the VPN tunnel. This setting must match the setting on the remote endpoint.
  • Page 384 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Under the List of VPN Policies table, click the Add button. The Add New VPN Policy screen displays. The Add New VPN Policy screen for IPv4 and the Add New VPN Policy screen for IPv6 are almost identical.
  • Page 385 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Other than the nature of the IP addresses, the settings that you must enter for IPv4 and IPv6 are identical with one exception. The IPv4 settings require a subnet mask but the IPv6 settings require a prefix length.
  • Page 386 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Enable Keepalive Select a radio button to specify if keep-alive is enabled: • No. Keep-alive requests are disabled for the VPN tunnel. This is the default setting. • Yes. Keep-alive requests are enabled for the VPN tunnel. Periodically, the VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.
  • Page 387 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Encryption Algorithm From the menu, select the algorithm to negotiate the security association (SA): • 3DES. Triple DES. This is the default algorithm. • None. No encryption algorithm. •...
  • Page 388 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Auto Policy Parameters Note: These fields apply only when you select Manual Policy from the Policy Type menu. SA Lifetime The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and must be renegotiated.
  • Page 389 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 390: Configure Extended Authentication (Xauth)

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 391: Extended Authentication Overview

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Extended Authentication Overview When many VPN clients connect to a VPN firewall, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients.
  • Page 392 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 393 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Locate the Extended Authentication section. Enter the settings as described in the following table. Setting Description Select a radio button to specify whether Extended Authentication (XAUTH) is enabled and, if enabled, which device is used to verify user account information: •...
  • Page 394: Radius

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 d. Click the Enable button. The VPN policy is reenabled. The gray circle to the left of the VPN policy turns green. RADIUS Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing authentication, authorization, and accounting (AAA) of multiple users in a network.
  • Page 395 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Login button. The Router Status screen displays. Select VPN > IPSec VPN > RADIUS Client. The RADIUS Client screen displays. Enter the settings as described in the following table.
  • Page 396: Assign Ipv4 Addresses To Remote Users

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description To enable and configure the backup RADIUS server, select the Yes radio button and enter the settings for the three fields to the right. By default, the No radio button is selected.
  • Page 397: Configure Mode Config Operation On The Vpn Firewall

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 to remote users IP addresses from a secured network space so that the remote users appear as seamless extensions of the network. You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4 addresses to clients but you cannot assign IPv6 addresses to clients.
  • Page 398 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Mode Config screen displays. As an example, the screen shows two existing Mode Config records with the names EMEA Sales and Americas Sales: • For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and second pool (172.16.200.1 through 172.16.200.99) are shown.
  • Page 399 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Client Pool Record Name A descriptive name of the Mode Config record for identification and management purposes. First Pool Assign at least one range of IP pool addresses in the First Pool fields to enable the VPN firewall to allocate these to remote VPN clients.
  • Page 400 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Integrity Algorithm From the menu, select the algorithm to be used in the VPN header for the authentication process: • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
  • Page 401 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Note: The IKE policy settings that are described in the following table are specifically for a Mode Config configuration. For information about...
  • Page 402 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description General Policy Name A descriptive name of the IKE policy for identification and management purposes. This example uses ModeConfigAME_Sales. Note: The name is not supplied to the remote VPN endpoint.
  • Page 403 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Enable Dead Peer Detection Select a radio button to specify whether Dead Peer Detection (DPD) is enabled: • No. This feature is disabled. This is the default setting. •...
  • Page 404: Configure The Netgear Prosafe Vpn Client For Mode Config Operation

    Configure the NETGEAR ProSAFE VPN Client for Mode Config Operation Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client. When the Mode Config feature is enabled, the following information is negotiated between the VPN client and the VPN firewall during the authentication phase: •...
  • Page 405 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name.
  • Page 406 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Specify the settings that are described in the following table. Setting Description Interface From the menu, select Any. Remote Gateway Enter the remote IP address or DNS name of the VPN firewall. For example, enter 192.168.15.175.
  • Page 407 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Specify the settings that are described in the following table. Setting Description Advanced features Mode Config Select this check box to enable Mode Config. Aggressive Mode Select this check box to enable aggressive mode as the mode of negotiation with the VPN firewall.
  • Page 408 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the tree list pane of the Configuration Panel screen, right-click the GW_ModeConfig authentication phase name and select New Phase 2. Change the name of the IPSec configuration (the default is Tunnel): a.
  • Page 409 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Remote LAN address The address that you must enter depends on whether you specified a local IP address for the Mode Config record on the VPN firewall: • If you did not specify a local IP address for the Mode Config record, enter the VPN firewall’s default LAN IP address in the Remote LAN Address field as...
  • Page 410: Test The Mode Config Connection

    The Mode Config configuration of the VPN client is now complete. Test the Mode Config Connection Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client. Set Up Virtual Private Networking With IPSec Connections...
  • Page 411 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 After you have set up the Mode Config configuration on both the VPN client and the VPN firewall, test the configuration to make sure that the VPN firewall does assign an IP address to the VPN client.
  • Page 412: Change A Mode Config Record

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change a Mode Config Record The following procedure describes how to change an existing Mode Config record. Note: Before you change a Mode Config record, make sure that it is not used in an IKE policy.
  • Page 413: Remove One Or More Mode Config Records

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Remove One or More Mode Config Records The following procedure describes how to remove one or more Mode Config records that you no longer need in IKE policies. Note: Before you remove a Mode Config record, make sure that it is not used in an IKE policy.
  • Page 414: Keep-Alive And Dead Peer Detection Overview

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Keep-Alive and Dead Peer Detection Overview • Configure Keep-Alives • Configure Dead Peer Detection Keep-Alive and Dead Peer Detection Overview In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time.
  • Page 415 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The VPN Policies screen displays the IPv4 settings. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings.
  • Page 416: Configure Dead Peer Detection

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Configure Dead Peer Detection The following procedure describes how to configure Dead Peer Detection for an existing IKE policy. To configure Dead Peer Detection for an existing IKE policy: On your computer, launch an Internet browser.
  • Page 417 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To change an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The IKE Policies screen for IPv6 displays. In the List of IKE Policies table, click the Edit button for the IKE policy that you want to change.
  • Page 418: Configure Netbios Bridging With Ipsec Vpn

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The VPN Policies screen displays the IPv6 settings. c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you changed. d. Click the Enable button.
  • Page 419: Manage The Pptp Server

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Edit VPN Policy screen displays. The following figure shows only the top part with the General section of the Edit VPN Policy screen for IPv6. The Edit VPN Policy screen for IPv4 is identical to the Edit VPN Policy screen for IPv6.
  • Page 420: Enable And Configure The Pptp Server

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 You must enable the PPTP server on the VPN firewall, specify a PPTP server address pool, and create PPTP user accounts. (PPTP users are authenticated through local authentication with geardomain.) For information about how to create PPTP user accounts, see...
  • Page 421 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description PPTP Server Enable To enable the PPTP server, select the Enable check box. Start IP Address Type the first IP address of the address pool.
  • Page 422: View The Active Pptp Users And Disconnect Active Users

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 View the Active PPTP Users and Disconnect Active Users The following procedure describes how to view all active PPTP users and disconnect active PPTP users. To view all active PPTP users and disconnect active PPTP users: On your computer, launch an Internet browser.
  • Page 423: Manage The L2Tp Server

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Item Description PPTP IP The IP address that is assigned by the PPTP server on the VPN firewall. Action The Disconnect button lets you terminate an active PPTP connection. (This button displays only if an active PPTP connection exists.)
  • Page 424 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To enable the L2TP server and configure the L2TP server pool: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 425: View The Active L2Tp Users And Disconnect Active Users

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Ending IP Address The last IP address of the pool. A maximum of 26 contiguous addresses is supported. (The first address of the pool cannot be assigned to a user.) Idle Timeout The period after which an idle user is automatically logged out of the L2TP server.
  • Page 426 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The List of L2TP Active Users table lists each active connection with the information that is described in the following table. Item Description Username The name of the L2TP user that you have defined (see...
  • Page 427: Chapter 9 Set Up Virtual Private Networking With Ssl Connections

    Set Up Virtual Private Networking with SSL Connections This chapter describes how to use the SSL VPN solution of the VPN firewall to provide remote access for mobile users to their corporate resources. The chapter contains the following sections: • SSL VPN Portals Overview •...
  • Page 428: Ssl Vpn Portals Overview

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 SSL VPN Portals Overview The following sections provide concept information about the SSL VPN portal: • SSL VPN Capabilities • SSL Tunnels • SSL Port Forwarding • Build and Access an SSL Portal...
  • Page 429: Build And Access An Ssl Portal

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Port forwarding supports only TCP connections, not UDP connections or connections using other IP protocols. • Port forwarding detects and reroutes individual data streams on the user’s computer to the port forwarding connection rather than opening up a full tunnel to the corporate network.
  • Page 430: Ssl Vpn Wizard Overview

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 SSL VPN Wizard Overview This section provides an overview of the SSL VPN Wizard. For more information about how to set up a portal, see Build an SSL Portal with the SSL VPN Wizard on page 429.
  • Page 431: Build An Ssl Portal With The Ssl Vpn Wizard

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Add SSL VPN users that are allowed to access the SSL portal (see Manage User Accounts on page 498). • Add more applications and services for SSL port forwarding (see...
  • Page 432 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. WARNING: Do not enter an existing portal layout name in the Portal Layout Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.
  • Page 433 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Use only alphanumeric characters, hyphens (-), and underscores (_) in the Portal Layout Name field.
  • Page 434 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description SSL VPN Portal Pages to Display Note: Although you can select both, you typically select either the VPN Tunnel page check box or the Port Forwarding check box. VPN Tunnel page To provide full network connectivity, select this check box.
  • Page 435 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain.
  • Page 436 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description LDAP Base DN The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This must be a user in the LDAP directory who has read access to all the users that you want to import into the VPN firewall.
  • Page 437 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 WARNING: Do not enter an existing user name in the User Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings. Setting Description User Name A descriptive (alphanumeric) name of the user for identification and management purposes.
  • Page 438 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. WARNING: Do not enter an existing route for a VPN tunnel client in the Destination Network and Subnet Mask fields; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.
  • Page 439 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Secondary DNS Server The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This setting is optional. Client Address Range Begin The first IP address of the IP address range that you want to assign to the VPN tunnel clients.
  • Page 440 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 WARNING: In the upper Local Server IP Address field, do not enter an IP address that is already in use, and in the TCP Port Number field, do not enter a port number that is already in use; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.
  • Page 441 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Verify the settings. To make changes to the settings: a. Click the Back button to navigate to the screen on which you want to change the settings. b. Change the settings.
  • Page 442: Access A Custom Ssl Vpn Portal

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. If the VPN firewall accepts the settings, the Policies screen displays with a message Operation succeeded at the top of the screen. If the VPN firewall rejects the settings, review the settings that you entered and try again.
  • Page 443 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 444 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type the name that you associated with the portal and in the Password / Passcode field, type the password that you associated with the portal. From the Domain menu, select the domain that you associated with the portal.
  • Page 445 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The following figure shows a portal screen with a Port Forwarding menu option only. A portal screen displays a simple menu that provides the SSL user with the following menu selections: •...
  • Page 446: View Ssl Vpn Connection And Status Information

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 View SSL VPN Connection and Status Information The following sections provide information about viewing the SSL VPN tunnel connections and log: • View the VPN Firewall SSL VPN Connection Status and Disconnect Active Users •...
  • Page 447: View The Vpn Firewall Ssl Vpn Log

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The SSL VPN Connection Status table lists each active connection with the information that is described in the following table. Item Description Username The user name that is associated with the SSL session.
  • Page 448: Manually Set Up Or Change An Ssl Portal

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 449 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Create an SSL portal layout (see Manage the Portal Layout on page 448). When remote users log in to the VPN firewall, they see a portal screen that you can customize to present the resources and functions that you want to make available.
  • Page 450: Manage The Portal Layout

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To simplify policies, define network resource objects (see Manage Network Resource Objects to Simplify Policies on page 467). Network resource objects are groups of IP addresses, IP address ranges, and services.
  • Page 451 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Create a Portal Layout The portal layout specifies the login screen that you present to an SSL VPN user and determines the type of access that you grant. To create a portal layout: On your computer, launch an Internet browser.
  • Page 452 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Description. The banner message that is displayed at the top of the portal. • Use Count. The number of authentication domains that use the portal. • Portal URL (IPv4). The IPv4 URL at which the portal can be accessed. The IPv4...
  • Page 453 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Banner Title The banner title of a banner message that users see before they log in to the portal, for example, Welcome to Customer Support. Note: For an example, see Access a Custom SSL VPN Portal on page 440.
  • Page 454 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change a Portal Layout The following procedure describes how to change an existing portal layout. If you enabled IPv6 (see Manage the IPv6 Routing Mode on page 88), changes that you make to an IPv4 portal layout are automatically applied to the corresponding IPv6 portal layout, or the other way around.
  • Page 455: Configure Applications For Ssl Vpn Port Forwarding

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 on page 88), if you remove an IPv4 portal layout, the corresponding IPv6 portal layout is removed automatically, and the other way around. If you remove an IPv6 portal layout, the corresponding IPv4 portal is removed automatically.
  • Page 456 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 SSL VPN Port Forwarding Overview Note: SSL port forwarding does not apply if you configure full VPN tunnel capability for an SSL portal. SSL VPN port forwarding is supported for IPv4 connections only.
  • Page 457 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Add a Server and Port Number for SSL Port Forwarding To configure port forwarding, you must define the IP addresses of the internal servers and the port number for TCP applications and services that are available to remote users.
  • Page 458 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Add New Application for Port Forwarding section, complete the following fields: • IP Address. The IP address of an internal server or host computer on which a service or application runs to which you want to grant a remote user access.
  • Page 459 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Add New Host Name for Port Forwarding section, specify information in the following fields: • Local Server IP Address. The IP address of the internal server or host computer that you want to name.
  • Page 460 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 461: Configure The Ssl Vpn Client

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the List of Configured Applications for Port Forwarding table, to the right of the host name that you want to remove, click the corresponding Delete button. The IP address and port number are removed from the List of Configured Applications for Port Forwarding table.
  • Page 462 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • If you enable split-tunnel support and you assign an entirely different subnet to the VPN tunnel clients from the subnet that is used by the local network, you must add a client route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel.
  • Page 463 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Client IP Address Range section, enter the settings as described in the following table. Setting Description Enable Full Tunnel Support Select this check box to enable full-tunnel support. Full tunnel support provides clients access to the entire LAN network.
  • Page 464 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IPv4 address in the client address range. Add an IPv4 Route for VPN Tunnel Clients...
  • Page 465 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Add Routes for VPN Tunnel Clients section, complete the following fields: • Destination Network. The IPv4 address of the local destination network or subnet that provides access to one or more port forwarding applications and services.
  • Page 466 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 467 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Client IP Address Range section, enter the settings as described in the following table. Setting Description Enable Full Tunnel Support Select this check box to enable full-tunnel support. If you leave this check box...
  • Page 468 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the upper right, select the IPv6 radio button. The SSL VPN Client screen displays the IPv6 settings. The following figure shows examples. In the Add Routes for VPN Tunnel Clients section, complete the following fields: •...
  • Page 469: Manage Network Resource Objects To Simplify Policies

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 470 Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.
  • Page 471 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Add New Resource section, specify the following information: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service menu, select the type of service to which the resource applies: VPN Tunnel.
  • Page 472 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select VPN > SSL VPN > Resources.
  • Page 473 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Object Type From the menu, select an option: • IP Address. The object is an IPv4 or IPv6 address. In the IP Address / Name field, enter the IP address or FQDN for the object (that is, application or service) that you assign to this resource.
  • Page 474 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Resources screen displays. In the List of Resources table, select the check box to the left of each network resource that you want to remove or click the Select All button to select all network resources.
  • Page 475: Configure User, Group, And Global Policies

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Edit Resources screen displays the IPv6 settings. In the Defined Resource Addresses table, click the Delete button to the right of the resource address configuration that you want to remove.
  • Page 476 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Policy 3. A Permit rule allows FTP access to the predefined network resource with the name FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5–10.0.0.20 and the FQDN ftp.company.com, which resolves to 10.0.1.3.
  • Page 477 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The SSL VPN submenu tabs display with the Policies screen in view. The following figure shows examples. In the Query section, select a radio button: • Global. View all global policies.
  • Page 478 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To add an SSL policy for an existing network resource: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 479 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Add SSL VPN Policy screen displays the IPv6 settings. Except for the IPv6 Prefix Length field, which is the Subnet Mask field on the screen for IPv4, the IPv6 screen is identical to the IPv4 screen.
  • Page 480 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 481 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Policy For Select the type of SSL VPN policy: • Global. The new policy is global and includes all groups and users.
  • Page 482 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 483 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Policy For Select the type of SSL VPN policy: • Global. The new policy is global and includes all groups and users.
  • Page 484 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 485 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting Description Policy For Select the type of SSL VPN policy: • Global. The new policy is global and includes all groups and users.
  • Page 486 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 487 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Remove One or More IPv4 or IPv6 SSL VPN Policies The following procedure describes how to remove an SSL policy that you no longer need. To remove one or more VPN policies: On your computer, launch an Internet browser.
  • Page 488 Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. The chapter contains the following sections: • VPN Firewall’s Authentication • Configure Authentication Domains, Groups, and User Accounts •...
  • Page 489: Chapter 10 Manage Users, Authentication, And Vpn Certificates

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 VPN Firewall’s Authentication Users are assigned to a group, and a group is assigned to a domain. Therefore, first create any domains, then groups, then user accounts. Note: Do not confuse the authentication groups with the LAN groups that...
  • Page 490: Configure Authentication Domains, Groups, And User Accounts

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Table 9. External authentication protocols and methods (continued) Authentication Protocol or Method Description WiKID WiKID Systems is a PAP or CHAP key-based two-factor authentication method that functions with public key cryptography. The client sends an encrypted PIN to the WiKID server and receives a one-time passcode with a short expiration period.
  • Page 491 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Remove One or More Authentication Domains Authentication Domains Overview An authentication domain specifies the authentication method for users that are assigned to the domain. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access.
  • Page 492 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The List of Domains table lists the following information: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain) to which the default SSL-VPN portal is assigned is appended by an asterisk.
  • Page 493 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain.
  • Page 494 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting Description LDAP Base DN The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This must be a user in the LDAP directory who has read access to all the users that you want to import into the VPN firewall.
  • Page 495 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password.
  • Page 496: Manage Authentication Groups

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 497 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 IMPORTANT: When you add a domain, the VPN firewall creates a group with the same name as the new domain automatically. You cannot remove such a group. However, when you remove the domain with which the group is associated, the group is removed automatically.
  • Page 498 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The List of Groups table lists the following information: • Check box. Allows you to select the group in the table. • Name. The name of the group. The name of the default group (geardomain) that is assigned to the default domain (also geardomain) is appended by an asterisk.
  • Page 499 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change an Authentication Group For a group that was automatically created when you added an authentication domain, you can modify only the idle time-out settings but not the group name or associated domain.
  • Page 500: Manage User Accounts

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For a group that you created manually, if the group has users assigned to it, you first must assign the users to another group; otherwise, you cannot remove the group (see...
  • Page 501 Guest user. A user who can only view the VPN firewall configuration (that is, read-only access). • IPSec VPN user. A user who can make an IPSec VPN connection only through a NETGEAR ProSAFE VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 388). •...
  • Page 502 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Add a User Account The following procedure describes how to manually add a user account. To add a user account: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 503 Guest (readonly). A user who can only view the VPN firewall configuration (that is, read-only access). • IPSEC VPN User. A user who can make an IPSec VPN connection only through a NETGEAR ProSAFE VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 388).
  • Page 504 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting: Password. Description: The password that the user must enter to gain access to the VPN firewall. Setting: Confirm Password. Description: The password that you enter in this field must be identical to the password that you enter in the Password field.
  • Page 505 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The password fields become accessible. Change the password. Click the Apply button. Your settings are saved. The modified user account displays in the List of Users table on the Users screen.
  • Page 506: Manage User Login Policies

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage User Login Policies You can restrict the ability of defined users to log in to the VPN firewall’s web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers.
  • Page 507 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Select one or both check boxes: • Disable Login. Prohibits the user from logging in to the VPN firewall. • Deny Login from WAN Interface. Prohibits the user from logging in from the WAN interface.
  • Page 508 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Router Status screen displays. Select Users > Users. The Users screen displays. In the List of Users table, to the right of the user for which you want to set login policies, click the corresponding Policies button.
  • Page 509 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 WARNING: If you allow login only from the defined IP addresses, add your own IP address to the Defined Addresses table; otherwise, you are locked out. Setting: Source Address Type. Description: Select the type of address from the menu: •...
  • Page 510 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Users > Users.
  • Page 511 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Router Status screen displays. Select Users > Users. The Users screen displays. In the List of Users table, to the right of the user for which you want to set login policies, click the corresponding Policies button.
  • Page 512 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Add button. The browser is added to the Defined Browsers table. Repeat Step 11 and Step 12 for any other browsers that you want to add to the Defined Browsers table.
  • Page 513: Change Passwords And Automatic Logout Period

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change Passwords and Automatic Logout Period For any user, you can change the password and automatic logout period. Only administrators have read/write access and can change these settings. All other users have read-only access.
  • Page 514: Manage Digital Certificates For VPN Connections

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the List of Users table, to the right of the user for which you want to change the settings, click the corresponding Edit button. The Edit Users screen displays. Change the password and logout period settings as described in the following table.
  • Page 515: VPN Certificates Overview

    The VPN firewall contains a self-signed digital certificate from NETGEAR. However, NETGEAR recommends that you replace this digital certificate with a digital certificate from a well-known commercial CA before you deploy the VPN firewall in your network.
  • Page 516: Manage VPN CA Certificates

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 You can view loaded digital certificates, upload a new digital certificate, and generate a certificate signing request (CSR). The VPN firewall typically holds two types of digital certificates: • CA certificates. Each CA issues its own digital certificate to validate communication with the CA and to verify the validity of digital certificates that are signed by the CA.
  • Page 517 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 518: Manage VPN Self-Signed Certificates

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Remove a CA Certificate The following procedure describes how to remove one or more CA certificates that you no longer need. To remove one or more CA certificates: On your computer, launch an Internet browser.
  • Page 519 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Generate a Certificate Signing Request and Obtain a Self-Signed Certificate from a CA To use a self-signed certificate, you first must request the digital certificate from a CA and then download and activate the digital certificate on the VPN firewall. To request a self-signed certificate from a CA, you must generate a certificate signing request (CSR) for and on the VPN firewall.
  • Page 520 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Generate Self Certificate Request section, enter the settings as described in the following table. Setting: Name. Description: A descriptive name of the domain for identification and management purposes. Setting: Subject. Description: The name that other organizations see as the holder (owner) of the certificate.
  • Page 521 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting: Domain Name. Description: (Optional) Enter your Internet domain name or leave this field blank. Setting: E-mail Address. Description: (Optional) Enter the email address of a technical contact in your company. Click the Generate button.
  • Page 522 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Upload button. The VPN firewall verifies the certificate for validity and purpose. If the VPN firewall approves the certificate, it is added to the Active Self Certificates table. View Self-Signed Certificates The following procedure describes how to view active self-signed certificates.
  • Page 523 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Remove One or More Self-Signed Certificates The following procedure describes how to remove one or more self-signed certificates that you no longer need. To remove one or more self-signed certificates: On your computer, launch an Internet browser.
  • Page 524: Manage The VPN Certificate Revocation List

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 525 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 526 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Remove One or More Certificate Revocation Lists The following procedure describes how to remove one or more Certificate Revocation Lists (CRLs) that you no longer need. To remove one or more CRLs: On your computer, launch an Internet browser.
  • Page 527 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Figure 12. Security alert A security alert can be generated for a security certificate for three reasons: • The security certificate was issued by a company you have not chosen to trust.
  • Page 528 Optimize Performance and Manage Your System This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall. The chapter contains the following sections: • Performance Management • System Management...
  • Page 529: Chapter 11 Optimize Performance And Manage Your System

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Performance Management Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through if a bottleneck occurs. To prevent bottlenecks from occurring in the first place, you can either reduce unnecessary traffic or reschedule some traffic to low-peak times.
  • Page 530: Features That Reduce Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Features That Reduce Traffic The following sections provide information about features of the VPN firewall that you can change in such a way that the traffic load on the WAN side decreases: •...
  • Page 531 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Address range. The rule applies to a range of addresses. Groups. The rule applies to a group of computers. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs...
  • Page 532: Features That Increase Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To further narrow down the content filtering, you can configure groups to which the content-filtering rules apply and trusted domains for which the content-filtering rules do not apply. Source MAC Filtering...
  • Page 533 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Add LAN WAN Rules on page 223 and Add DMZ WAN Rules on page 233. When you define inbound firewall rules, you can further refine their application according to the following criteria: •...
  • Page 534: DMZ Port

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application.
  • Page 535: Use QoS And Bandwidth Assignment To Shift The Traffic Mix

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Use QoS and Bandwidth Assignment to Shift the Traffic Mix By setting the Quality of Service (QoS) priority and assigning bandwidth profiles to firewall rules, you can shift the traffic mix to aim for optimum performance of the VPN firewall.
  • Page 536: System Management

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 System Management The following sections provide information about system management: • Set Up Remote Management Access • Use the Command-Line Interface • Use a Simple Network Management Protocol Manager • Manage the Configuration File •...
  • Page 537 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN.
  • Page 538 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To configure remote management for IPv6, in the upper right, select the IPv6 radio button. The Remote Management screen displays the IPv6 settings. Enter the settings as described in the following table.
  • Page 539: Use The Command-Line Interface

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Telnet Management. Setting: Allow Telnet Management? Description: To enable Telnet management, select the Yes radio button. By default, the No radio button is selected and Telnet management is disabled. Select the addresses through which access is allowed: •...
  • Page 540: Use A Simple Network Management Protocol Manager

    SNMP Overview SNMP forms part of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems such as the NETGEAR ProSAFE Network Management Software (NMS300) to monitor network-attached devices for conditions that warrant administrative attention.
  • Page 541 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Administration > SNMP.
  • Page 542 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Create New SNMP Configuration Entry section, enter the settings as described in the following table. Access From WAN. Setting: Enable access from WAN. Description: To enable SNMP access by an SNMP manager through the WAN interface, select the Enable access from WAN check box.
  • Page 543 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To change an SNMP configuration: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 544 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Remove One or More SNMP Configurations The following procedure describes how to remove one or more SNMP configurations that you no longer need. To remove one or more SNMP configurations: On your computer, launch an Internet browser.
  • Page 545 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 546 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • Access Type. Read-write user (RWUSER) or read-only user (ROUSER). By default, the user Admin is an RWUSER and the user guest is an ROUSER. • Security Level. The level of security that indicates whether security is disabled: NoAuthNoPriv.
  • Page 547 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting: Authentication Password. Description: The authentication password that an SNMPv3 user must enter to be granted access to the SNMP agent that collects the MIB objects from the VPN firewall. Setting: Privacy Algorithm...
  • Page 548: Manage The Configuration File

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Setting: SysContact. Description: Enter the SNMP system contact information that is available to the SNMP manager. This setting is optional. Setting: SysLocation. Description: Enter the physical location of the VPN firewall. This setting is optional.
  • Page 549 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Back Up Settings The backup feature saves all VPN firewall settings to a file. Back up your settings periodically and store the backup file in a safe place. Tip: You can use a backup file to export all settings to another VPN firewall that has the same language and management software versions.
  • Page 550 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Back Up button. A screen displays, showing the file name of the backup file (FVS336GV2.cfg). Follow the directions of your browser to save the file. Open the folder in which you saved the backup file and verify that it is saved successfully.
  • Page 551 The Settings Backup and Firmware Upgrade screen displays. To the left of the Restore button, click the Browse button. Locate and select the previously saved backup file (by default, FVS336GV2.cfg). WARNING: Once you start restoring settings, do not interrupt the process. Do...
  • Page 552 To download a firmware version and upgrade the firmware: Visit the NETGEAR website at http://support.netgear.com. Navigate to the FVS336GV2 support page and click the Downloads tab. Click the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the VPN firewall’s software.
  • Page 553: Revert To Factory Default Settings

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 To the left of the Upgrade button, click the Browse button. Follow the directions of your browser to locate and select the downloaded firmware file. WARNING: After you have started the firmware installation process, do not interrupt the process.
  • Page 554 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 WARNING: When you press the hardware Factory Defaults reset button or use the web management interface to reset the VPN firewall to factory default settings, all custom VPN firewall settings are erased. All firewall rules, VPN policies, LAN and WAN settings, and other settings are lost.
  • Page 555 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
  • Page 556: Configure Date And Time Service

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 number of seconds left until the reboot process is complete. The reboot process takes about 160 seconds. (If you can see the unit: The reboot process is complete when the Test LED on the front panel turns off.) Configure Date and Time Service You can configure date, time, and NTP server designations.
  • Page 557 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The bottom of the screen displays the current weekday, date, time, time zone, and year. In the example in the previous figure, the following displays: Current Time: Wednesday, May 28, 2014, 01:03:52 (GMT +0000).
  • Page 558 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting: Select NTP Mode. Description: In all three NTP modes, the VPN firewall functions both as a client and a server. The VPN firewall synchronizes its clock with the specified NTP server or servers and provides time service to clients.
  • Page 559 Monitor System Access and Performance This chapter describes the system-monitoring features of the VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more.
  • Page 560: Chapter 12 Monitor System Access And Performance

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Configure and Enable the WAN IPv4 Traffic Meter If your ISP charges by traffic volume over a given period, or if you want to study traffic types over a period, you can activate the traffic meter for IPv4 traffic on a WAN interface.
  • Page 561 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you want to configure the settings for the WAN2 interface, click the WAN2 Traffic Meter tab. Enter the settings as described in the following table. Setting: Enable Traffic Meter. Description: In the Do you want to enable Traffic Metering on WAN1? section, select a radio button: •...
  • Page 562: Manage The LAN IPv4 Traffic Meter

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting: Increase this month limit by. Description: Select this check box to temporarily increase a previously specified monthly traffic volume limit, and enter the additional allowed volume in MB. The default setting is 0...
  • Page 563: Configure And Enable The Traffic Meter For A LAN IPv4 Address Account

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Configure and Enable the Traffic Meter for a LAN IPv4 Address Account If your ISP charges by traffic volume over a period and you must charge the costs to individual accounts, or if you want to study the traffic volume that is requested or sent over LAN IPv4 addresses over a period, add and configure individual LAN IPv4 address accounts (profiles) for the LAN traffic meter.
  • Page 564 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Advanced option arrow in the upper right. The IPv4 LAN Advanced screen displays. Click the LAN Traffic Meter tab. The LAN Traffic Meter screen displays. The following figure shows some examples in the LAN Traffic Meter Table.
  • Page 565 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enter the settings as described in the following table. Add LAN Traffic Meter Account. Setting: LAN IP Address. Description: The LAN IP address for the account. Setting: Direction. Description: From the Direction menu, select the direction of the traffic that is measured: •...
  • Page 566: View Traffic Meter Statistics For A LAN Account

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Your settings are saved. The new account is added to the LAN Traffic Meter Table on the LAN Traffic Meter screen. View Traffic Meter Statistics for a LAN Account The following procedure describes how to view the traffic meter statistics for a LAN IPv4 address account.
  • Page 567: Change The Traffic Meter For A LAN Account

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Change the Traffic Meter for a LAN Account The following procedure describes how to change the traffic meter for an existing LAN IPv4 address account. To change the traffic meter for an existing LAN IPv4 address account: On your computer, launch an Internet browser.
  • Page 568: Remove One Or More LAN Traffic Meter Accounts

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For more information about the settings, see Configure and Enable the Traffic Meter for a LAN IPv4 Address Account on page 561. Click the Apply button. Your settings are saved. The modified account displays in the LAN Traffic Meter Table on the LAN Traffic Meter screen.
  • Page 569: Manage Logging, Alerts, And Event Notifications

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Manage Logging, Alerts, and Event Notifications The following sections provide information about managing logging, alerts, and event notifications: • Logging, Alert, and Event Notification • Configure and Activate Logs • Enable and Schedule Emailing of Logs •...
  • Page 570 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 571: Enable And Schedule Emailing Of Logs

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting: System Logs Option. Description: Select which system events are logged: • Change of Time by NTP. Logs a message when the system time changes after a request from an NTP server.
  • Page 572 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 573: Enable The Syslogs

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting: Send to E-Mail Address. Description: The email address to which the logs are sent. Typically, this is the email address of the administrator. Setting: Custom SMTP Port. Description: The port number of the SMTP server for the outgoing email.
  • Page 574 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 575: View The Routing Logs, System Logs, And Other Event Logs

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Setting: SysLog Server. Description: The IP address or FQDN of the syslog server. Setting: SysLog Severity. Description: All the logs with a severity that is equal to and above the severity that you specify are logged on the specified syslog server.
  • Page 576: View The DNS Logs

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays. Click the View Log option arrow in the upper right. The View Log screen displays the logs.
  • Page 577: View The NTP Logs

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Monitoring > Firewall Logs & E-mail.
  • Page 578: Send Syslogs Over A VPN Tunnel Between Sites

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 579 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 At Site 2, set up a VPN tunnel between Gateway 2 and Gateway 1 at Site 1 (see Configure the VPN Tunnel on Gateway 2 at Site 2 on page 579)
  • Page 580 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The Router Status screen displays. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. Configure a gateway-to-gateway VPN tunnel using the following information: • Connection name. Any name of your choice •...
  • Page 581 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the General section, clear the Enable NetBIOS check box. In the Traffic Selector section, make the following changes: • From the Remote IP menu, select Single. • In the Start IP field, type 10.0.0.2.
  • Page 582 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Click the Apply button. Your settings are saved. Change the Remote IP Address in the VPN Policy on Gateway 2 at Site 2 The following procedure describes how to change the local IP address in the VPN policy on Gateway 2 at Site 2 to the WAN IP address of the same Gateway 2.
  • Page 583: View The Status And Statistics Of The VPN Firewall And Its Traffic

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 On the Gateway at Site 2, Specify the Syslog Server on Site 1 The following procedure describes how to specify that Gateway 2 at Site 2 must send the syslogs to the syslog server that is connected to Gateway 1 at Site 1.
  • Page 584: View The System Status

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 • View the VPN Connection Status, L2TP Users, and PPTP Users • View the VPN Logs • View the Port Triggering Status • View the WAN Port Status and Terminate or Establish the Internet Connection •...
  • Page 585 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 586 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 LAN IPv6 Information. Item: MAC Address. Description: The MAC address of the VPN firewall. Item: IPv6 Address. Description: The IPv6 LAN address that is assigned to the VPN firewall. For information about configuring the IPv6 address, see...
  • Page 587 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 588 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Wait for the counter to stop. b. In the Poll Interval field, enter a new value in seconds. c. Click the Set interval button. View Detailed Status Information About the VPN Firewall The following procedure describes how to view detailed status information about the IP addresses and MAC addresses on the VPN firewall, as well as other information.
  • Page 589 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The following table explains the fields of the Detailed Status screen. LAN Port Configuration: The following fields are shown for each of the LAN ports. Item: VLAN Profile. Description: The name of the VLAN profile that you assigned to the LAN port (see...
  • Page 590 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Item: VLAN ID. Description: The VLAN ID that you assigned to the LAN port (see Manage VLAN Profiles on page 119). If the default VLAN profile is used, the VLAN ID is 1, which means that all tagged and untagged traffic can pass on the LAN port.
  • Page 591 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 WAN Configuration. Item: WAN Mode. Description: The WAN mode can be Single Port, Load Balancing, or Auto Rollover. For information about configuring the WAN mode, see Manage the IPv4 WAN Routing Mode on page 30.
  • Page 592: View The VLAN Status

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Item: IPv6 Address. Description: The IPv6 address and prefix length of the WAN port. For information about configuring the IPv6 address and prefix length of the WAN port, see Configure the IPv6 Internet Connection and WAN Settings on page 87.
  • Page 593 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. Click the Login button. The Router Status screen displays. Select Monitoring > Router Status > VLAN Status.
  • Page 594: View The VPN Connection Status, L2TP Users, And PPTP Users

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 595: View The VPN Logs

    ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 View the VPN Logs The following sections provide information about viewing the IPSec VPN and SSL VPN logs: • View the VPN Firewall IPSec VPN Log on page 364 • View the VPN Firewall SSL VPN Log...
  • Page 596: View The WAN Port Status And Terminate Or Establish The Internet Connection

    The Port Triggering Status screen displays the information that is described in the following table. Item Description The sequence number of the rule onscreen. Rule The name of the port triggering rule that is associated with this entry.
  • Page 597 If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
  • Page 598 Item Description Connection Status The connection status can be either Connected or Disconnected. IP Address Subnet Mask The addresses that were automatically detected or that you configured (see Configure the IPv4 Internet Connection and WAN Settings on page 30).
  • Page 599 Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup screen displays the IPv4 settings. In the upper right, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings: Click the Status button that corresponds to the WAN interface for which you want to view the status.
  • Page 600: Display Internet Traffic By Type Of Traffic

    Item Description IPv6 Address The IPv6 addresses that were automatically detected or that you configured (see Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically on page 90 and...
  • Page 601: View The Attached Devices

    The incoming and outgoing volume of traffic for each protocol and the total volume of traffic are displayed. Traffic counters are updated in MBs; the counter starts only when traffic passed is at least 1 MB. In addition, the pop-up screen displays the traffic meter’s start and end dates.
  • Page 602 The Router Status screen displays. Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays. The following figure shows some examples in the Known PCs and Devices table.
  • Page 603: View The DHCP Log

    View the DHCP Log The following procedure describes how to view and clear the DHCP log. Note: For information about how to change the DHCP settings, see Manage VLAN Profiles on page 119.
  • Page 604 To view the most recent entries, click the Refresh Log button. The information onscreen is updated. To remove all existing log entries, click the Clear Log button. All log entries are removed.
  • Page 605 Diagnostics and Troubleshooting This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. The chapter contains the following sections: •...
  • Page 606: Chapter 13 Diagnostics And Troubleshooting

    Use the Diagnostics Utilities The following sections provide information about using the diagnostic utilities: • Diagnostic Utility • Send a Ping Packet • Trace a Route • Look Up a DNS Address •...
  • Page 607 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 608: Trace A Route

    Select either a gateway or a VPN policy: • Clear the Ping through VPN tunnel? check box and select a gateway from the Select Local Gateway menu. The Select VPN Policy menu is masked out.
  • Page 609 To trace the route to an IPv6 location instead of an IPv4 location, in the upper right, select the IPv6 radio button. The Diagnostics screen displays the IPv6 settings. Except for the Domain Name field, which is the IP Address / Domain Name field on the screen for IPv4, the IPv6 screen is identical to the IPv4 screen.
  • Page 610: Look Up A DNS Address

    Look Up a DNS Address A Domain Name Server (DNS) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.
  • Page 611: Capture Packets In Real Time

    The Route Display pop-up screen displays the routing table. Capture Packets in Real Time Capturing packets can assist NETGEAR technical support in diagnosing packet transfer problems. You can also use a traffic analyzer to do your own problem diagnoses. ...
  • Page 612 For the default administrative account, the default user name is admin and the default password is password. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
  • Page 613: Reboot The VPN Firewall Remotely

    Reboot the VPN Firewall Remotely You can perform a remote reboot, for example, when the VPN firewall seems to have become unstable or is not operating normally. For information about scheduling the VPN...
  • Page 614: Troubleshoot Basic Functioning

    To schedule the VPN firewall to reboot: On your computer, launch an Internet browser. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
  • Page 615: Troubleshoot The Web Management Interface

    VPN firewall and that the power supply adapter is correctly connected to a functioning power outlet. If the error persists, you have a hardware problem. Contact NETGEAR technical support. Test LED does not turn off.
  • Page 616: When You Enter A URL Or IP Address, A Time-Out Error Occurs

    cannot reach a DHCP server. These autogenerated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the computer to the VPN firewall and reboot your computer.
  • Page 617: Troubleshoot The ISP Connection

    • If the computer is configured correctly but still not working, ensure that the VPN firewall is connected and turned on. Connect to the web management interface and check the VPN firewall’s settings.
  • Page 618: Force Your Modem Or Router To Recognize The VPN Firewall

    The WAN Setup screen for IPv4 displays. To check the WAN IPv6 address instead of the WAN IPv4 address, in the upper right, select the IPv6 radio button. The WAN Setup screen for IPv6 displays.
  • Page 619: Troubleshoot The IPv6 Connection

    A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically, your ISP provides the addresses of one or two DNS servers for your use. You can configure your computer manually with DNS addresses, as described in your operating system documentation.
  • Page 620 Windows Server 2003 R2, all versions Linux and other UNIX-based systems with a correctly configured kernel Mac OS X • Make sure that IPv6 is enabled on the computer. On a computer that runs a...
  • Page 621 c. Click or double-click View status of this connection. The Local Area Connection Status screen displays. d. Make sure that Internet access shows for the IPv6 connection. The previous figure shows that there is no Internet access.
  • Page 622: Troubleshoot A TCP/IP Network Using A Ping Utility

    f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with fe80.
  • Page 623: Test The Path From Your Computer To A Remote Device

    Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your computer or workstation. Verify that the IP address for your VPN firewall and your workstation are correct and that the addresses are on the same subnet.
  • Page 624: Access Documentation From The Web Management Interface

    correctly. If you have just completed configuring the VPN firewall, wait at least five minutes, and check the date and time again. • Time is off by one hour. Cause: The VPN firewall does not automatically detect daylight saving time.
  • Page 625 The NETGEAR Configuration Manager Login screen displays. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
  • Page 626 Network Planning for Multiple WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections: • What to Consider Before You Begin •...
  • Page 627: Appendix A Network Planning For Multiple WAN Ports

    What to Consider Before You Begin The following sections provide information about planning and requirements: • Planning Overview • Cabling and Computer Hardware Requirements • Computer Network Configuration Requirements • Internet Configuration Requirements Planning Overview The VPN firewall is a powerful and versatile solution for your networking needs.
  • Page 628: Cabling And Computer Hardware Requirements

    • The VPN firewall can be managed remotely but you must enable remote management locally after each factory default reset. NETGEAR strongly advises you to change the default management password to a strong password before enabling remote management. • If the factory default settings are not suitable for your installation, you can choose various WAN options.
  • Page 629: Internet Configuration Requirements

    Internet Configuration Requirements Depending on how your ISP sets up your Internet accounts, you need the following Internet configuration information to connect the VPN firewall to the Internet: • Host and domain names •...
  • Page 630: Overview Of The Planning Process

    WAN 1 gateway IP address: ______.______.______.______ WAN 1 subnet mask: ______.______.______.______ WAN 2 fixed or static Internet IP address: ______.______.______.______ WAN 2 gateway IP address: ______.______.______.______ WAN 2 subnet mask: ______.______.______.______ •...
  • Page 631 You can configure two WAN ports on a mutually exclusive basis to do either of the following: • Auto-rollover for increased reliability • Load balance for outgoing traffic These various types of traffic and auto-rollover or load balancing, which are listed below, all interact to make the planning process more challenging: •...
  • Page 632: Planning For Inbound Traffic

    Figure 15. Dual WAN ports in load balancing mode Planning for Inbound Traffic Incoming traffic from the Internet is normally discarded by the VPN firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule.
  • Page 633: Inbound Traffic To A Single WAN Port System

    Inbound Traffic to a Single WAN Port System The Internet IP address of the VPN firewall’s WAN port must be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled.
  • Page 634: Planning For Virtual Private Networks

    Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. To maintain better control of WAN port traffic, consider making one of the WAN port Internet addresses public and keeping the other one private.
  • Page 635 For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations.
  • Page 636: VPN Telecommuter - Client-To-Gateway

    VPN Telecommuter - Client-to-Gateway The following situations exemplify the requirements for a remote computer client with no firewall to establish a VPN tunnel with a gateway VPN firewall: • Single-gateway WAN port •...
  • Page 637 The IP addresses of the WAN ports can be either fixed or dynamic, but you always must use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance).
  • Page 638: VPN Gateway-To-Gateway

    VPN Gateway-to-Gateway The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall: • Single-gateway WAN ports • Redundant dual-gateway WAN ports for increased reliability (before and after rollover) •...
  • Page 639 Figure 26. Gateway-to-gateway example in a dual WAN port configuration before auto-rollover The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you must always use an FQDN because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (that is, the IP address of the active WAN ports is not known in advance).
  • Page 640: VPN Telecommuter - Client-To-Gateway Through A NAT Router

    Figure 28. Gateway-to-gateway example in a dual WAN port configuration with load balancing The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN.
  • Page 641 Figure 29. Telecommuter example in a single WAN port configuration with NAT The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you must use an FQDN.
  • Page 642 Figure 31. Telecommuter example in a dual WAN port configuration with NAT after auto-rollover The purpose of the FQDN is to toggle the domain name of the gateway between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so that the remote computer client can determine the gateway IP address to establish or reestablish a VPN tunnel.
  • Page 643 System Logs and Error Messages This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided. This appendix contains the following sections: • Log Message Terms • System Log Messages • Routing Logs •...
  • Page 644: Appendix B System Logs And Error Messages

    Log Message Terms This appendix uses the following log message terms. Table 13. Log message terms Term Description [FVS336Gv2] System identifier. [kernel] Message from the kernel. CODE Protocol code (for example, protocol is ICMP, type 8) and CODE=0 means successful reply.
  • Page 645: NTP

    Nov 28 12:31:16 [FVS336Gv2] [ntpdate] Date and Time Before Synchronization: Tue Nov 28 12:31:13 GMT+0530 2006 Nov 28 12:31:16 [FVS336Gv2] [ntpdate] Date and Time After Synchronization: Tue Nov 28 12:31:16 GMT+0530 2006 Nov 28 12:31:16 [FVS336Gv2] [ntpdate] Next Synchronization after 2 Hours Explanation Message 1: DNS resolution for the NTP server (time-f.netgear.com).
  • Page 646: System Startup

    Table 15. System logs: login and logout (continued) Recommended action None Message Nov 28 14:55:09 [FVS336Gv2] [seclogin] Logout succeeded for user admin Nov 28 14:55:13 [FVS336Gv2] [seclogin] Login succeeded: user admin from 192.168.1.214 Explanation Secure login or logout of user admin from host with IP address 192.168.1.214.
  • Page 647: IPSec Restart

    IPSec Restart This section describes logs that are generated when IPSec restarts. Table 19. System logs: IPSec restart Message Jan 23 16:20:44 [FVS336Gv2] [wand] [IPSEC] IPSEC Restarted Explanation Log generated when the IPSec is restarted.
  • Page 648: WAN Status

    Multicast and Broadcast Logs Table 22. System logs: multicast and broadcast Message Jan 1 07:24:13 [FVS336Gv2] [kernel] MCAST-BCAST IN=WAN OUT=SELF SRC=192.168.1.73 DST=192.168.1.255 PROTO=UDP SPT=138 DPT=138 Explanation • This multicast or broadcast packet is sent to the device from the WAN network.
  • Page 649 Table 24. System logs: WAN status, auto-rollover Message Nov 17 09:59:09 [FVS336Gv2] [wand] [LBFO] WAN1 Test Failed 1 of 3 times_ Nov 17 09:59:39 [FVS336Gv2] [wand] [LBFO] WAN1 Test Failed 2 of 3 times_ Nov 17 10:00:09 [FVS336Gv2] [wand] [LBFO] WAN1 Test Failed 3 of 3 times_...
  • Page 650 Nov 29 11:29:26 [FVS336Gv2] [pppd] Terminating connection due to lack of activity. Nov 29 11:29:28 [FVS336Gv2] [pppd] Connect time 8.2 minutes. Nov 29 11:29:28 [FVS336Gv2] [pppd] Sent 1408 bytes, received 0 bytes. Nov 29 11:29:29 [FVS336Gv2] [pppd] Connection terminated. Explanation Message 1: PPPoE connection started.
  • Page 651 Nov 29 11:20:45 [FVS336Gv2] [pppd] Serial link appears to be disconnected. Nov 29 11:20:45 [FVS336Gv2] [pppd] Connect time 1.7 minutes. Nov 29 11:20:45 [FVS336Gv2] [pppd] Sent 520 bytes, received 80 bytes. Nov 29 11:20:51 [FVS336Gv2] [pppd] Connection terminated. Explanation Message 1: Starting PPP connection process.
  • Page 652: Resolved DNS Names

    Resolved DNS Names This section describes the logs of DNS name resolution messages. Table 28. System logs: DNS name resolution messages Message 2000 Jan 1 05:12:00 [FVS336Gv2] [dnsmasq] [DNSRESOLV]:teamf1.com from 192.168.11.2 Explanation This log is generated when the DNS name (that is, teamf1) is resolved.
  • Page 653 "pol1"_ Messages 8 through 19 2000 Jan 1 04:13:39 [FVS336Gv2] [IKE] Configuration found for 20.0.0.1[500]._ 2000 Jan 1 04:13:39 [FVS336Gv2] [IKE] Received request for new phase 1 negotiation: 20.0.0.2[500]<=>20.0.0.1[500]_ 2000 Jan 1 04:13:39 [FVS336Gv2] [IKE] Beginning Identity Protection mode._ 2000 Jan 1 04:13:39 [FVS336Gv2] [IKE] Received Vendor ID: RFC XXXX_...
  • Page 654 2000 Jan 1 04:32:25 [FVS336Gv2] [IKE] purged IPSec-SA proto_id=ESP spi=181708762._ 2000 Jan 1 04:32:25 [FVS336Gv2] [IKE] purged IPSec-SA proto_id=ESP spi=153677140._ 2000 Jan 1 04:32:25 [FVS336Gv2] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._ 2000 Jan 1 04:32:25 [FVS336Gv2] [IKE] IPSec configuration with identifier "pol1" deleted successfully_ 2000 Jan 1 04:32:25 [FVS336Gv2] [IKE] no phase 2 bounded._...
  • Page 655 192.168.11.0/24<->192.168.10.0/24_ 2000 Jan 1 04:52:33 [FVS336Gv2] [IKE] Configuration found for 20.0.0.1._ 2000 Jan 1 04:52:59 [FVS336Gv2] [IKE] Phase 1 negotiation failed due to time up for 20.0.0.1[500]. b73efd188399b7f2:0000000000000000_ 2000 Jan 1 04:53:04 [FVS336Gv2] [IKE] Phase 2 negotiation failed due to time up waiting for phase 1.
  • Page 656 Table 34. System logs: IPSec VPN tunnel, client policy, disconnection from the client side Message 2000 Jan 1 02:34:45 [FVS336Gv2] [IKE] Deleting generated policy for 20.0.0.1[0]_ 2000 Jan 1 02:34:45 [FVS336Gv2] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._ 2000 Jan 1 02:34:45 [FVS336Gv2] [IKE] Purged IPSec-SA with proto_id=ESP and spi=3000608295(0xb2d9a627)._...
  • Page 657 VPN Tunnel" src=20.0.0.1 user=sai dst=20.0.0.2 arg="" op="" result="" rcvd="" msg="SSL VPN Tunnel" Explanation An SSL VPN tunnel is established for ID FVS336Gv2 with the WAN host 20.0.0.1 through WAN interface 20.0.0.2 and logged in with the user name “sai.” Recommended action None Table 37.
  • Page 658: Traffic Meter Logs

    Transport (Java)" src=192.168.11.2 user=sai dst=192.168.11.1 arg="" op="" result="" rcvd="" msg="Virtual Transport (Java)" Explanation An SSL VPN tunnel through port forwarding is established for ID FVS336Gv2 from the LAN host 192.168.11.2 with interface 192.168.11.1 and logged in with the user name “sai.”...
  • Page 659: LAN To WAN Logs

    LAN to WAN Logs Table 40. Routing logs: LAN to WAN Message Nov 29 09:19:43 [FVS336Gv2] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from LAN to WAN is allowed by the firewall.
  • Page 660: DMZ To LAN Logs

    DMZ to LAN Logs Table 44. Routing logs: DMZ to WAN Message Nov 29 09:44:06 [FVS336Gv2] [kernel] DMZ2LAN[DROP] IN=DMZ OUT=LAN SRC=192.168.20.10 DST=192.168.10.10 PROTO=ICMP TYPE=8 CODE=0 Explanation • This packet from DMZ to LAN is dropped by the firewall.
  • Page 661: Source MAC Filter Logs

    Source MAC Filter Logs Table 47. Other event logs: source MAC filter logs Message 2000 Jan 1 06:40:10 [FVS336Gv2] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0...
  • Page 662: DHCP Logs

    2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPOFFER on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1 Message 5 2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] Wrote 2 leases to leases file. Message 6 2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPREQUEST for 192.168.11.2 (192.168.11.1) from 00:0f:1f:8f:7c:4a via eth0.1 Message 7 2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPACK on 192.168.11.2 to...
  • Page 663 Two-Factor Authentication This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution. The appendix contains the following sections: • Why Do I Need Two-Factor Authentication? • NETGEAR Two-Factor Authentication Solutions...
  • Page 664: Appendix C Two-Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. NETGEAR has implemented a more robust authentication system known as two-factor authentication (2FA or T-FA) to help address the fast-growing network security issues.
  • Page 665: Netgear Two-Factor Authentication Solutions

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented 2 two-factor authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now can use WiKID to perform two-factor authentication on NETGEAR SSL and VPN firewall products.
  • Page 666 The WiKID authentication server generates the one-time passcode (“something the user has”). The one-time passcode (OTP) is time-synchronized to the authentication server so that you can use the OTP only once and you must use the OTP before the expiration time. If you do not use this passcode before it expires, you must go through the request process again to generate a new OTP.
  • Page 667 Enter the OTP as the login password. Click the Login button. You are logged in.
  • Page 668: Specifications

    Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the VPN firewall in the following sections: • Factory Default Settings • Physical and Technical Specifications...
  • Page 669: Appendix D Default Settings And Technical Specifications

    Factory Default Settings For information about restoring the VPN firewall to factory default settings, see Revert to Factory Default Settings on page 551. The following table shows the default configuration settings for the VPN firewall: Table 51.
  • Page 670 Table 51. VPN firewall factory default configuration settings (continued) Feature Default Behavior IPv4 LAN, DMZ, and routing settings LAN IPv4 address for the default VLAN 192.168.1.1 LAN IPv4 subnet mask for the default VLAN 255.255.255.0...
  • Page 671 Table 51. VPN firewall factory default configuration settings (continued) Feature Default Behavior Firewall and security settings Inbound LAN WAN rules (communications coming in from All traffic is blocked, except for traffic the Internet) in response to requests from the LAN.
  • Page 672 Table 51. VPN firewall factory default configuration settings (continued) Feature Default Behavior QoS priorities (for IPv6 firewall rules) Normal-Service Minimize-Cost Maximize-Reliability Maximize-Throughput Minimize-Delay Content filtering Disabled Proxy server blocking Disabled Java applets blocking...
  • Page 673 Table 51. VPN firewall factory default configuration settings (continued) Feature Default Behavior VPN IPsec Wizard: IKE policy settings for IPv4 gateway-to-client tunnels Exchange mode Aggressive ID type FQDN Local WAN ID remote.com...
  • Page 674: Physical And Technical Specifications

    Table 51. VPN firewall factory default configuration settings (continued) Feature Default Behavior Administrative and monitoring settings Secure HTTP management Enabled Telnet management Disabled Traffic meter Disabled SNMP Disabled Time zone Time zone adjusted for daylight saving time...
  • Page 675 Table 52. VPN firewall physical and technical specifications (continued) Feature Specification Environmental specifications Operating temperatures 0º to 45ºC 32º to 113ºF Storage temperatures –20º to 70ºC –4º to 158ºF Operating humidity...
  • Page 676 The following table shows the SSL VPN specifications for the VPN firewall: Table 54. VPN firewall SSL VPN specifications Setting Specification Network management Web-based configuration and status monitoring Number of concurrent users supported SSL versions SSLv3, TLS1.0...