How it Works
Netgear
Loading...
FVS336G
Data Sheet
3 pgs717.05 Kb0
Installation Manual
2 pgs709.42 Kb0
Installation Manual [de]
2 pgs157.77 Kb0
Installation Manual [es]
2 pgs157.65 Kb0
Installation Manual [fr]
2 pgs158.25 Kb0
Reference Guide
248 pgs6.28 Mb0
Reference Guide
203 pgs10.01 Mb0
Reference Guide
233 pgs5.68 Mb0
Reference Manual
356 pgs1.5 Mb0
Reference Manual
706 pgs10.8 Mb0
Reference Manual
245 pgs6.12 Mb0
Reference Manual
10 pgs163.41 Kb0
Setup Manual
9 pgs633.77 Kb0
User Manual
691 pgs11.32 Mb0
User Manual
2 pgs365.53 Kb0
Table of contents
Loading...

Netgear FVS336G Reference Guide

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
NETGEAR, Inc.
350 East Plumeria Drive San Jose, CA 95134
202-10257-05 v1.0 January 2010
© 2007–2010 by NETGEAR, Inc. All rights reserved.
Technical Support
Please refer to the support information card that shipped with your product. By registering your product at
http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of
product and software upgrades. NETGEAR, INC. Support Information Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card. E-mail: support@netgear.com
North American NETGEAR website:
http://www.netgear.com
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT ar e registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
EU Regulatory Compliance Statement
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1.
ii
v1.0, January 2010
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß das ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN gemäß der im BMPT­AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, howe v er, be subject to certain restrictions. Please refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.
Additional Copyrights
AES Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK.
All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The copyright holder’s name must not be used to endorse or promote any products derived from this software without his specific prior written permission.
This software is provided “as is” with no express or implied warranties of correctness or fitness for purpose.
v1.0, January 2010
iii
Open SSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS,” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message­Digest Algorithm” in all material mentioning or referencing the derived work. RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind. These notices must be retained in any copies of any part of this documentation and/or software.
http://www.openssl.org/).”
http://www.openssl.org/).”
iv
v1.0, January 2010
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endor se or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th,
2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt and rfc1952.txt (gzip format)
(zlib format), rfc1951.txt (deflate format)
Product and Publication Details
Model Number: FVS336G Publication Date: January 2010 Product Family: VPN Firewall Product Name: ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN Home or Business Product: Business Language: English Publication Part Number: 202-10257-05 Publication Version Number 1.0
v1.0, January 2010
v
vi
v1.0, January 2010

Contents

ProSafe Dual WA N Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
About This Manual
Conventions, Formats, and Scope .................................................................................. xv
How to Print This Manual ................................................................................................xvi
Revision History ..................... ... ....................................... ... ... .... ... ... ................................xvi
Chapter 1 Introduction
Key Features ..................................................................................................................1-1
Dual WAN Ports for Increased Reliability or Outbound Load Balancing ..................1-2
Advanced VPN Support for Both IPsec and SSL .....................................................1-2
A Powerful, True Firewall with Content Filtering ......................................................1-3
Autosensing Ethernet Connections with Auto Uplink ...............................................1-3
Extensive Protocol Support ......................................................................................1-4
Easy Installation and Management ................................................................................1-4
Maintenance and Support ............................... ... ....................................... ... ... ... .... ........1-5
Package Contents ..........................................................................................................1-5
Front Panel Features ......................................................................................................1-6
Rear Panel Features ......................................................................................................1-7
Default IP Address, Login Name, and Password Location ........................... .................. 1-8
Qualified Web Browsers .................................................................................................1-8
Chapter 2 Connecting the FVS336G to the Internet
Understanding the Connection Steps .............................................................................2-1
Logging into the VPN Firewall .................. .... ... ... ... ... .... ... ....................................... ... ... ..2-2
Navigating the Menus .....................................................................................................2-4
Configuring the Internet Connections ........................................................... ..................2-4
Automatically Detecting and Connecting ............................ ... ... ... .... ... ... ... ...............2-5
Manually Configuring the Internet Connection ... .... ... ... ....................................... ... ..2-7
v1.0, January 2010
vii
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring the WAN Mode (Required for Dual WAN) .... ....................................... ... ...2-11
Network Address Translation .................................................................................2-12
Classical Routing ...................................................................................................2-12
Configuring Auto-Rollover Mode ............................................................................2-13
Configuring Load Balancing ...................................................................................2-14
Configuring Dynamic DNS (Optional) ...........................................................................2-16
Configuring the Advanced WAN Options (Optional) ............................................... ...... 2-18
Additional WAN Related Configuration ..................................................................2-20
Chapter 3 LAN Configuration
Choosing the VPN Firewall DHCP Options ....................................................................3-1
Configuring the LAN Setup Options ...............................................................................3-2
Managing Groups and Hosts (LAN Groups) ...................................................................3-6
Viewing the LAN Groups Database .........................................................................3-7
Adding Devices to the LAN Groups Database ......................................................... 3-8
Changing Group Names in the LAN Groups Database ...........................................3-8
Configuring DHCP Address Reservation .................................................................3-9
Configuring Multi Home LAN IP Addresses ..................................................................3-10
Configuring Static Routes .............................................................................................3-11
Configuring Routing Information Protocol (RIP) ................. ... .... ... ... ... .... ... ... ... ... .... ... ...3-13
Chapter 4 Firewall Protection and Content Filtering
About Firewall Protection and Content Filtering .............................................................4-1
Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-2
About Services-Based Rules ...................................................................................4-3
Viewing the Rules ....................................................................................................4-8
Order of Precedence for Rules ................................................................................4-8
Setting the Default Outbound Policy ............................... .... ... ... ....... ... ... ... ... .... ... ... ..4-8
Creating a LAN WAN Outbound Services Rule .......................................................4-9
Creating a LAN WAN Inbound Services Rule ........................................................4-10
Modifying Rules ......................................................................................................4-11
Inbound Rules Examples .......................................................................................4-11
Outbound Rules Example ............................... ... .... ... ... ....................................... ...4-14
Configuring Other Firewall Features .............................................................................4-15
Attack Checks ....................... .... ... ... ....................................... ... ... .... ... ...................4-15
viii
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring Session Limits .....................................................................................4-17
Managing the Application Level Gateway for SIP Sessions ..................................4-18
Creating Services, QoS Profiles, and Bandwidth Profiles ............................................4-19
Adding Customized Services .................................................................................4-19
Setting Quality of Service (QoS) Priorities ............................................................. 4-21
Creating Bandwidth Profiles ...... ... ... ... ....................................................................4-22
Setting a Schedule to Block or Allow Specific Traffic ................................. ... ... ... .... ... ...4-24
Blocking Internet Sites (Content Filtering) ....................................................................4-25
Configuring Source MAC Filtering ................................................................................4-28
Configuring IP/MAC Address Binding ...........................................................................4-30
Configuring Port Triggering ...........................................................................................4-31
E-Mail Notifications of Event Logs and Alerts ......................................... ......................4-33
Administrator Tips .........................................................................................................4-33
Chapter 5 Virtual Private Networking Using IPsec
Considerations for Dual WAN Port Systems ..................................................................5-1
Using the VPN Wizard for Client and Gateway Configurations ...................................... 5-3
Creating Gateway to Gateway VPN Tunnels with the Wizard .................................5-3
Creating a Client to Gateway VPN Tunnel ...............................................................5-6
Testing the Connections and Viewing Status Information ............................................. 5-12
NETGEAR VPN Client Status and Log Information ............................................... 5-12
VPN Firewall VPN Connection Status and Logs .... ... ... ... .... ... ...... .... ... ... ... ... .... ... ...5-14
Managing VPN Policies .. .... ... ... ... ....................................... ... .... ... ... .............................5-15
Configuring IKE Policies ............................... ....................................... ... ... ... .... ... ...5-16
Configuring VPN Policies .......................................................................................5-18
Configuring Extended Authentication (XAUTH) ............................................................5-19
Configuring XAUTH for VPN Clients ......................................................................5-20
User Database Configuration .... ... ... ....................................... ... ... .... ... ...................5-22
RADIUS Client Configuration .................................................................................5-22
Assigning IP Addresses to Remote Users (ModeConfig) .............................................5-24
Mode Config Operation ... ... ... .... ... ... ... .... ...................................... .... ... ... ... .............5-24
Configuring Mode Config Operation on the VPN Firewall ......................................5-25
Configuring the ProSafe VPN Client for ModeConfig ....................................... ......5-30
Configuring Keepalives and Dead Peer Detection .......................................................5-32
Configuring Keepalives ..........................................................................................5-32
v1.0, January 2010
ix
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring Dead Peer Detection ..........................................................................5-33
Configuring NetBIOS Bridging with VPN ......................................................................5-34
Chapter 6 Virtual Private Networking Using SSL
Understanding the Portal Options ...................................................................................6-1
Planning for SSL VPN ....................................................................................................6-2
Creating the Portal Layout ..............................................................................................6-3
Configuring Domains, Groups, and Users ......................................................................6-7
Configuring Applications for Port Forwarding ............................................ .....................6-7
Adding Servers ................................... ....................................... ... .... ... ... ..................6-8
Adding A New Host Name . ... .... ... ... ... .... ...................................... .... ... ... ... ...............6-9
Configuring the SSL VPN Client ...................................................................................6-10
Configuring the Client IP Address Range . ...... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ......6-11
Adding Routes for VPN Tunnel Clients ........ ... ... .... ... ... ... .... ... ... ... ....... ... ... ... .... ... ...6-12
Replacing and Deleting Client Routes ...................................................................6-12
Using Network Resource Objects to Simplify Policies ..................................................6-13
Adding New Network Resources ..........................................................................6-13
Configuring User, Group, and Global Policies ..............................................................6-15
Viewing SSL VPN Policies .....................................................................................6-16
Adding an SSL VPN Policy ....................................................................................6-17
Chapter 7 Managing Users, Authentication, and Certificates
Adding Authentication Domains, Groups, and Users .....................................................7-1
Creating a Domain ............................. .... ... ... ... ....................................... ... ... .... ... ... ..7-1
Creating a Group .................................... ...................................... .... ... ... ... ...............7-5
Creating a New User Account ... ... ... ....................................... ... ... .... ... ... ..................7-6
Setting User Login Policies ............................. ... .... ... ....................................... ... ... ..7-7
Changing Passwords and Other User Settings ......................... ....... ...... ...... ....... .....7-9
Managing Certificates ...................... ... ... ... .... ... ....................................... ... ... ... ... .... ......7-11
Viewing and Loading CA Certificates .....................................................................7-12
Viewing Active Self Certificates ..............................................................................7-13
Obtaining a Self Certificate from a Certificate Authority ...................... ... ... ... .... ... ...7-14
Managing your Certificate Revocation List (CRL) .. ... ... ..........................................7-17
x
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Chapter 8 VPN Firewall and Network Management
Performance Management ....................................... .... ... ... ... ....................................... ..8-1
Bandwidth Capacity .................................................................. ... .... ... ... ..................8-1
Features That Reduce Traffic ...................................................................................8-2
Features That Increase Traffic .................................................................................8-5
Using QoS to Shift the Traffic Mix ............................................................................8-7
Tools for Traffic Management .......... ... .... ... ... ....................................... ... ... ... .... ... ..... 8-8
Changing Passwords and Administrator Settings .... .... ... ... ... .... ... ..................................8-8
Enabling Remote Management Access .......................................................................8-10
Using the Command Line Interface ..............................................................................8-12
Using an SNMP Manager .............................................................................................8-13
Managing the Configuration File ...................................................................................8-14
Configuring Date and Time Service ..............................................................................8-17
Chapter 9 Monitoring System Performance
Enabling the Traffic Meter ...............................................................................................9-1
Activating Notification of Events and Alerts ....................................................................9-4
Viewing the Logs ............................................................................................................9-6
Viewing VPN Firewall Configuration and System Status ................................................ 9-8
Monitoring VPN Firewall Statistics ......... ... .... ... ... ... ... .... ...................................... .... ... ... ..9-9
Monitoring the Status of WAN Ports .............................................................................9-10
Monitoring Attached Devices ........................................................................................9-11
Viewing the DHCP Log .................................................................................................9-12
Monitoring Active Users ................... ... ... ... ....................................... ... .... ... ... ... ... ..........9-13
Viewing Port Triggering Status .....................................................................................9-14
Monitoring VPN Tunnel Connection Status ........ ... ....... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ...9-15
Viewing the VPN Logs ..................................................................................................9-16
Chapter 10 Troubleshooting
Basic Functions ............................................................................................................10-1
Power LED Not On .................................................................................................10-2
LEDs Never Turn Off ..............................................................................................10-2
LAN or WAN Port LEDs Not On .............................................................................10-2
Troubleshooting the Web Configuration Interface ........................................................10-3
v1.0, January 2010
xi
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Troubleshooting the ISP Connection ............................................................................10-4
Troubleshooting a TCP/IP Network Using a Ping Utility ...............................................10-5
Testing the LAN Path to Your VPN Firewall ...........................................................10-5
Testing the Path from Your PC to a Remote Device ..............................................10-6
Restoring the Default Configuration and Password ............ ... .... ... ... ... ..........................10-7
Problems with Date and Time .......................................................................................10-7
Using the Diagnostics Utilities ......................................................................................10-8
Appendix A Default Settings and Technical Specifications
Appendix B Network Planning for Dual WAN Ports
What You Will Need to Do Before You Begin ................................................................ B-1
Cabling and Computer Hardware Requirements .................................................... B-3
Computer Network Configuration Requirements ...................................... ... .... ... ... . B-3
Internet Configuration Requirements ...................................................................... B-3
Where Do I Get the Internet Configuration Parameters? ........................................ B-4
Internet Connection Information Form .................................................................... B-4
Overview of the Planning Process ................................................................................. B-5
Inbound Traffic ........................................................................................................ B-5
Virtual Private Networks (VPNs) ............................................................................. B-6
The Roll-over Case for Firewalls With Dual WAN Ports .......................................... B-6
The Load Balancing Case for Firewalls With Dual WAN Ports ............................... B-7
Inbound Traffic ............................................................................................................... B-7
Inbound Traffic to Single WAN Port (Reference Case) ........................................... B-7
Inbound Traffic to Dual WAN Port Systems ............................................................ B-8
Virtual Private Networks (VPNs) .................................................................................... B-9
VPN Road Warrior (Client-to-Gateway) .................................................................B-11
VPN Gateway-to-Gateway ........... ...... .... ... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ...... .... ... .. B-13
VPN Telecommuter (Client-to-Gateway Through a NAT Router) .......................... B-16
Appendix C Two Factor Authentication
Why do I need Two-Factor Authentication? ...................................................................C-1
What are the benefits of Two-Factor Authentication? ............................................. C-1
What is Two-Factor Authentication ......................................................................... C-2
NETGEAR Two-Factor Authentication Solutions ....................................................... .... C-2
xii
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Appendix D Related Documents
Index
v1.0, January 2010
xiii
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
xiv
v1.0, January 2010

About This Manual

The NETGEAR® ProSafe™ Dual WAN Gigabit Firewall with SSL & IPsec VPN Reference Manual describes how to install, configure and troubleshoot a ProSafe Dual WAN Gigabit
Firewall with SSL & IPsec VPN. The information in this manual is intended for readers with intermediate computer and networking skills.

Conventions, Formats, and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs:
Typographical Conventions. This manual uses the following typographical conventions:
Italic Emphasis, books, CDs, file and server names, extensions
Bold User input, IP addresses, GUI screen text
Fixed Command prompt, CLI text, code
italic URL links
Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the
equipment.
Danger: This is a safety warning. Failure to take heed of this notice may result in
personal injury or death.
v1.0, January 2010
xv
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Scope. This manual is written for the VPN firewall according to these specifications:
Product Version ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN Manual Publication Date January 2010
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix D, “Related Documents.”
Note: Product updates are available on the NETGEAR, Inc. website at
http://kb.netgear.com/app/home.

How to Print This Manual

T o print this manual, your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe websit e at
http://www.adobe.com.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.

Revision History

Part Number
202-10257-01 1.0 October
202-10257-02 1.1 November
202-10257-03 1.2 June 2008 Updated to align with router firmware update.
xvi
Version Number
Date Description
First publication
2007
Text corrections
2007
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
202-10257-04 1.3 March
2009
202-10257-05 1.0 January
2010
Added these corrections and topics for the March 2009 firmware maintenance release:
• WIKID 2 factor authentication
• SIP AGL support
• DHCP Relay support
• Updated VPN configuration procedure topics
• Updated the Certificate management topic
• Corrected the firewall scheduling topic Added the following new features for the January 2010 firmware
maintenance release:
• Connection reset and delay options on the WAN ISP Settings screen (see “Manually Configuring the Internet Connection”).
• Support for DNS 3322 in the Dynamic DNS submenu (see
“Configuring Dynamic DNS (Optional)”).
• Support for an address range for inbound LAN rules on the Add LAN WAN Inbound Service screen (see “Inbound Rules (Port
Forwarding)” and “Creating a LAN WAN Inbound Services Rule”).
• Support for new log options such as Resolved DNS Names and VPN on the Firewall Logs & E-mail screen (see “Activating
Notification of Events and Alerts”).
In addition, made the following substantial changes to the book:
• Resized many screen captures for better viewing.
• Made various corrections.
• Made global stylistic changes for consistency and clarity.
• Added technical support information to page ii.
• Updated the bottom label image (Figure 1-3).
• Updated the qualified Web browsers in the “Qualified Web
Browsers” and “Computer Network Configuration Requirements
sections.
• Updated the WAN1 ISP Settings screen (Figure 2-3) and the ISP Type options in the
Connection” section.
• Updated the Dynamic DNS Configuration screen (Figure 2-12) and the DDNS providers in the “Configuring Dynamic DNS
(Optional)” section.
• Reorganized Chapter 4, “Firewall Protection and Content
Filtering.”
• Updated the LAN Setup screen (Figure 3-1). Added DHCP Relay information, LDAP information, and the Enable ARP Broadcast paragraph to the “Configuring the LAN Setup Options” section.
• Updated the Add LAN WAN Inbound Service screen (Figure 4-3), related screens in the “Inbound Rules Examples” section, and the Inbound Rules table (Table 4-2) to show that a range of IP addresses can be selected for the Send to LAN Server field.
• Updated the “Modifying Rules” section.
“Manually Configuring the Internet
v1.0, January 2010
xvii
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
202-10257-05 (continued)
1.0 January 2010
(continued)
• Updated the “Attack Checks” section and screen (Figure 4-8) to show that you can specify an IP address that is allowed to respond to a ping.
• Added the “Managing the Application Level Gateway for SIP
Sessions” section.
• Updated the “Creating Bandwidth Profiles” section, including
Figure 4-13 and Figure 4-14.
• Added the IKE Policies screen (Figure 5-20 and Figure 5-26) to respectively the “The IKE Policies Screen” section and the
“Configuring an IKE Policy for Mode Config Operation” section.
• Added the Add IKE Policy screen (Figure 5-22) to “Configuring
XAUTH for VPN Clients” section.
• Updated the VPN-SSL Policies screen (Figure 6-8 and
Figure 6-9) to show the Related Policies Table and added a Note
to the “Viewing SSL VPN Policies” section.
• Revised the “Creating a Domain” secti on, added the Authentication Protocols and Methods table (Table 7-1), and revised the Domains screen (Figure 7-1).
• Revised the “Changing Passwords and Other User Settings” section and replaced the Local Authentication screen with the Edit User screen (Figure 7-9).
• Removed the “RADIUS Server External Authentication” section (with its External Authentication screen) that has been superseded by the “RADIUS Client Configuration” section and the “Creating a Domain” section.
• Revised and corrected the “Performance Management” section.
• Updated the “Enabling Remote Management Access” section and the Remote Management screen (Figure 8-3) to show the extended secure HTTP management options.
• Updated the Firewall Logs & E-mail screen (Figure 9-2) to show the new log options and revised Table 9-1.
• Added the (firewall) Logs screen (Figure 9-3).
• Revised and corrected the Router Status information in
Table 9-3.
• Added the “Monitoring VPN Firewall Statistics” section.
• Made screen reference corrections in Chapter 10,
“Troubleshooting.”
• Updated Appe
ndix D, “Related Documents.”
xviii
v1.0, January 2010
Chapter 1
Introduction
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable modems or DSL modems. Dual wide area network (WAN) ports allow you to increase throughput to the Internet by using both ports together, or to maintain a backup connection in case of failure of your primary Internet connection.
As a complete security solution, the FVS336G incorporates a powerful and flexible firewall to safeguard your network, while providing advanced IPsec and SSL VPN technologies for secure and simple remote connections.
The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds The FVS336G is a plug-and-play device that can be installed and configured within minutes. This chapter contains the following sections:
“Key Features” on this page
“Package Contents” on page 1-5
“Front Panel Features” on page 1-6
“Rear Panel Features” on page 1-7
“Default IP Address, Login Name, and Password Location” on page 1-8
“Qualified Web Browsers” on page 1-8

Key Features

The FVS336G provides the following key features:
Dual 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover p rotection of your Internet connection, providing increased system reliability or increased throughput.
Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources.
Advanced IPsec and SSL VPN support.
Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
1-1
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Easy, web-based setup for installation and management.
Front panel LEDs for easy monitoring of status and activity.
Flash memory for firmware upgrade.
Internal universal switching power supply.

Dual WAN Ports for Increased Reliability or Outbound Load Balancing

The FVS336G has two broadband WAN ports. The second WAN port allows you to connect a second broadband Internet line that can be configured on a mutually-exclusive basis to:
Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.
Load balance, or use both Internet lines simultaneously for outgoing traffic. The FVS336G balances users between the two lines for maximum bandwidth efficiency.
See “Network Planning for Dual WAN Ports” on page B-1 for the planning factors to consider when implementing the following capabilities with dual WAN port gateways:
Single or multiple exposed hosts.
V irtual private networks.

Advanced VPN Support for Both IPsec and SSL

The FVS336G supports IPsec and SSL virtual private network (VPN) connections.
IPsec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
IPsec VPN with broad protocol support for secure connection to other IPsec gateways and
clients.
Bundled with the single-user license of the NETGEAR ProSafe VPN Client software
(VPN01L)
Supports 25 concurrent IPsec VPN tunnels.
SSL VPN provides remote access for mobile users to selected corporate resources without requiring a pre-installed VPN client on their computers.
Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce
transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
1-2 Introduction
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Browser based, platform-independent, remote access through a number of popular
browsers, such as Microsoft Internet Explorer or Apple Safari.
Provides granular access to corporate resources based upon user type or group
membership.
Supports 10 concurrent SSL VPN sessions.

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT routers, the FVS336G is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features include:
Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN Flood.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Prevents objectionable content from reaching your PCs. You can control access to Internet content by screening for Web services, Web addresses, and keywords within Web addresses. You can configure the FVS336G to log and report attempts to access objectionable Internet sites.
Permits scheduling of firewall policies by day and time.
Logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. Y ou can configure the FVS336G to e-mail the log to you at specified intervals. You can also configure the FVS336G to send immediate alert messages to your e-mail address or e-mail pager whenever a significant event occurs.

Autosensing Ethernet Connections with Auto Uplink

With its internal 4-po rt 10/100/1000 Mbps switch and dual 10/100/1000 WAN ports, the FVS336 G can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The four LAN and two WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
The FVS336G incorporates Auto Uplink sense whether the Ethernet cable plugged into the port should have a “normal” connection such as to a PC or an “uplink” connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
Introduction 1-3
TM
technology. Each Ethernet port will automatically
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual

Extensive Protocol Support

The FVS336G supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol
Configuration Requirements” on page B-3.
IP Address Sharing by NAT. The FVS336G allows many networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
Automatic Configuration of Attached PCs by DHCP. The FVS336G dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the FVS336G provides its own address as a DNS server to the attached PCs. The FVS336G obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.
Quality of Service (QoS). Support for traffic prioritization.
(RIP). For further information about TCP/IP, refer to “Internet

Easy Installation and Management

You can install, configure, and operate the FVS336G within minutes after connecting it to the network. The following features simplify installation and management tasks:
Browser-Based Management. Browser-based configuration allows you to easily configure your FVS336G from almost any type of personal computer, such as Windows, Macintosh, or Linux. Online help documentation is built into the browser-based Web Management Interface.
Auto Detection of ISP. The FVS336G automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
VPN Wizard. The FVS336G includes the NETGEAR VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
1-4 Introduction
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
SNMP. The FVS336G supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
Diagnostic Functions. The FVS336G incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
Remote Management. The FVS336G allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.
Visual monitoring. The FVS336G’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the FVS336G:
Flash memory for firmware upgrade.
Technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product.

Package Contents

The product package should contain the following items:
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G appliance.
One AC power cable.
Rubber feet.
One Category 5 (Cat5) Ethernet cable.
Installation Guide, FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
Resource CD, including: – Application Notes and other helpful information. – ProSafe VPN Client Software—one user license.
Warranty and Support Information Card.
Introduction 1-5
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the FVS336G for repair.

Front Panel Features

The FVS336G front panel shown below includes four groups of status indicator light-emitting diodes (LEDs), including Power and Test, WAN1, WAN2, and the LAN lights:
Figure 1-1
The function of each LED is described in the following table:
Table 1-1. LED Descriptions
Object Activity Description PWR
(Power)
TEST
WAN Ports
ACTIVE
SPEED
On (Green) Power is supplied to the FVS336G. Off Power is not supplied to the FVS336G. On (Amber) Test mode: The system is initializing or the initialization has failed. Blinking (Amber) Writing to Flash memory (during upgrading or resetting to defaults). Off The system has booted successfully.
On (Green) The WAN port has a valid Internet connection. On (Amber) The Internet connection is down or not being used because the WAN port
is in standby for failover. Off The WAN port is either not enabled or has no link. On (Green) The WAN port is operating at 1,000 Mbps. On (Amber) The WAN port is operating at 100 Mbps. Off The WAN port is operating at 10 Mbps.
1-6 Introduction
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Table 1-1. LED Descriptions (continued)
Object Activity Description
LINK/ACT (Link and Activity)
LAN Ports
SPEED
LINK/ACT (Link and Activity)
On (Green) The WAN port has detected a link with a connected Ethernet device. Blinking (Green) Data is being transmitted or received by the WAN port. Off The WAN port has no link.
On (Green) The LAN port is operating at 1,000 Mbps. On (Amber) The LAN port is operating at 100 Mbps. Off The LAN port is operating at 10 Mbps. On (Green) The LAN port has detected a link with a connected Ethernet device. Blinking (Green) Data is being transmitted or received by the LAN port. Off The LAN port has no link.

Rear Panel Features

The rear panel of the FVS336G includes Gigabit Ethernet LAN and WAN connections, a cable lock receptacle, power and reset switches, and an AC power connection.
Figure 1-2
Viewed from left to right, the rear panel contains the following elements:
Factory Defaults button: Using a sharp object, press and hold this button for about ten seconds until the front panel TEST light flashes to reset the FVS336G to factory default settings. All configuration settings will be lost and the default password will be restored.
LAN Ethernet ports: Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports: T wo independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
Cable security lock receptacle.
Introduction 1-7
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
IP Address
User Name
Password
AC power receptacle: Universal AC input (100-240 VAC, 50-60 Hz).
On/off power switch.

Default IP Address, Login Name, and Password Location

Check the label on the bottom of the FVS336G’s enclosure if you need a reminder of the following factory default information:
Figure 1-3

Qualified Web Browsers

To configure the FVS336G, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher with JavaScript, cookies, and you must have SSL enabled.
Although these Web browsers are qualified for use with the FVS336G’s Web Management Interface for configuring the FVS336G, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is only required for the SSL VPN portal, not the Web Management Interface.
1-8 Introduction
v1.0, January 2010
Chapter 2
Connecting the FVS336G to the Internet
The initial Internet configuration of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G, hereafter referred to as the VPN firewall, is described in this chapter.
This chapter contains the following sections:
“Understanding the Connection Steps” on this page
“Logging into the VPN Firewall” on page 2-2
“Navigating the Menus” on page 2-4
“Configuring the Internet Connections” on page 2-4
“Configuring the WAN Mode (Required for Dual WAN)” on page 2-11
“Configuring Dynamic DNS (Optional)” on page 2-16
“Configuring the Advanced WAN Options (Optional)” on page 2-18

Understanding the Connection Steps

Typically, six steps are required to complete the basic Internet connection of your VPN firewall.
1. Connect the VPN firewall physically to your network. Connect the cables and restart your network according to the instructions in the installation guide. See the Installation Guide, FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.
2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your VPN firewall. You can also change your password and enable remote management at this time. See “Logging into the VPN Firewall” on page 2-2.
3. Configure the Internet connections to your ISP(s). During this phase, you will connect to your ISPs. See “Configuring the Internet Connections” on page 2-4.
4. Configure the WAN mode (required for dual WAN operatio n). Select either dedicated (single WAN) mode, auto-rollover mode, or load balancing mode. For load balancing, you can also select any necessary protocol bindings. See “Configuring the WAN Mode (Required for
Dual WAN)” on page 2-11.
2-1
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on
page 2-16.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to respond to a ping, and you can change the factory default MTU size and port speed. However , these are advanced features and changing them is not usually required. See “Configuring the
Advanced WAN Options (Optional)” on page 2-18.
Each of these tasks is detailed separately in this chapter. The configuration of firewall and VPN features is described in later chapters.

Logging into the VPN Firewall

To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically from the VPN firewall by DHCP. For instructions on how to configure your computer for DHCP, refer to the “Preparing Y our Network” document that you can access from the link in Appendix D, “Related Documents.”
To connect and log in to the VPN firewall follow these steps:
1. Start any of the qualified browsers, as detailed in “Qualified Web Browsers” on page 1-8.
2. Enter https://192.168.1.1 in the address field. The Manager login features appear in the
browser.
Figure 2-1
3. In the User field, type admin
4. In the Password field, type password
Note that both entries are in lower case letters.
2-2 Connecting the FVS336G to the Internet
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
5. Click Login. The Web Configuration Manager appears, displaying the Router Status screen:
Figure 2-2
Connecting the FVS336G to the Internet 2-3
v1.0, January 2010
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual

Navigating the Menus

The Web Configuration Manager menus are organized in a layered structure of main categories and submenus:
Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar.
Submenu. The horizontal grey bar immediately below the main menu is the submenu, containing subcategories of the currently selected primary category.
Tab. Immediately below the submenu bar, at the top of the menu active window, are one or more tabs, further subdividing the currently selected subcategory if necessary.
Option arrow . To the right of the tabs on some menus are one or more blue dots with an arrow in the center . Clicking an option arrow brings up either a popup window or an ad vanced option menu.
Tip: In the instructions in this guide, we may refer to a menu using the notation
primary | subcategory, such as Network Configuration | WAN Settings. In this example, Network is the selected primary category (in the main menu) and WAN Settings is the selected subcategory (in the submenu).
You can now proceed to the first configuration task, configuring the VPN firewall’s Internet connections.

Configuring the Internet Connections

To set up your VPN firewall for secure Internet connections, you configure WAN ports 1 and 2. The Web Configuration Manager offers two connection configuration options:
Automatic detection and configuration of the network connection.
Manual configuration of the network connection.
Each option is detailed in the sections following.
2-4 Connecting the FVS336G to the Internet
v1.0, January 2010
Loading...
+ 218 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use