Netgear FVX538 Reference Guide
ProSafe VPN Firewall 200
FVX538 Reference
Manual
NETGEAR, Inc.
350 East Plumeria Drive
San Jose, CA 95134
202-10062-10
v1.0
January 2010
© 2006–2010 by NETGEAR, Inc. All rights reserved.
Technical Support
Please refer to the support information card that shipped with your product. By registering your product at
http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product
and software upgrades.
NETGEAR, INC. Support Information
Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card.
E-mail: support@netgear.com
North American NETGEAR website: http://www.netgear.com
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc.
Microsoft, Windows, and Wi ndows NT are registered trademarks of Microsoft Corporation. Other brand and product
names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency
Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to
part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a
residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and
used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to
radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try
to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
EU Regulatory Compliance Statement
The ProSafe VPN Firewall 200 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/
EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1.
ii
v1.0, January 2010
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß das ProSafe VPN Firewall 200 gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/
1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann
jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe VPN Firewall 200 has been suppressed in accordance with the conditions set out in
the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in
accordance with the regulations may, however , be subject to certain restricti ons. Please refer to the notes in the operating
instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area
thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference.
Read instructions for correct handling.
Additional Copyrights
AES Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK.
All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted
subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions, and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. The copyright holder’s name must not be used to endorse or promote any products
derived from this software without his specific prior written permission.
This software is provided “as is” with no express or implied warranties of correctness or fitness
for purpose.
v1.0, January 2010
iii
Open SSL Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions, and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the
following acknowledgment: “This product includes software developed by the OpenSSL
Project for use in the OpenSSL Toolkit (
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or
promote products derived from this software without prior written permission. For written
permission, contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL”
appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This
product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS,” AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This
product includes software written by Tim Hudson (tjh@cryptsoft.com).
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the “RSA Data
Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this
software or this function. License is also granted to make and use derivative works provided
that such works are identified as “derived from the RSA Data Security, Inc. MD5 MessageDigest Algorithm” in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of
this software or the suitability of this software for any particular purpose. It is provided “as is”
without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or
software.
http://www.openssl.org/).”
http://www.openssl.org/).”
iv
v1.0, January 2010
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above
copyright notice and this paragraph are duplicated in all such forms and that any
documentation, advertising materials, and other materials related to such distribution and use
acknowledge that the software was developed by Carnegie Mellon University. The name of
the University may not be used to endor s e or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib zlib.h. Interface of the zlib general purpose compression library version 1.1.4, March 11th,
2002. Copyright (C) 1995–2002 Jean-loup Gailly and Mark Adler.
This software is provided “as is,” without any express or implied warranty. In no event will the
authors be held liable for any damages arising from the use of this software. Permission is
granted to anyone to use this software for any purpose, including commercial applications,
and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote
the original software. If you use this software in a product, an acknowledgment in the
product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented
as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu.
The data format used by the zlib library is described by RFCs (Request for Comments) 1950
to 1952 in the files
format), and rfc1952.txt (gzip format).
ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate
Product and Publication Details
Model Number: FVX538
Publication Date: January 2010
Product Family: VPN Firewall
Product Name: ProSafe VPN Firewall 200
Home or Business Product: Business
Language: English
Publication Part Number: 202-10062-10
Publication Version Number 1.0
v1.0, January 2010
v
vi
v1.0, January 2010
Contents
ProSafe VPN Firewall 200 FVX538 Reference Manual
About This Manual
Conventions, Formats and Scope ...................................................................................xiii
How to Print This Manual ................................................................................................xiv
Revision History ..................... ... ... .... ... ... ... .......................................... .............................xiv
Chapter 1
Introduction
Key Features ..................................................................................................................1-1
Dual WAN Ports for Increased Reliability or Outbound Load Balancing ..................1-2
A Powerful, True Firewall with Content Filtering ......................................................1-2
Security Features .....................................................................................................1-3
Autosensing Ethernet Connections with Auto Uplink ...............................................1-3
Extensive Protocol Support ......................................................................................1-4
Easy Installation and Management ..........................................................................1-4
Maintenance and Support .................. .... ... ... ... .......................................... ... .... ... ... ..1-5
Package Contents ..........................................................................................................1-5
VPN Firewall Front and Rear Panels ..............................................................................1-6
Rack Mounting Hardware .........................................................................................1-8
The VPN Firewall’s IP Address, Login Name, and Password ........................................1-9
Qualified Web Browsers ...............................................................................................1-10
Chapter 2
Connecting the VPN Firewall to the Internet
Understanding the Connection Steps .............................................................................2-1
Logging into the VPN Firewall ................................................... ... ... ... ............................2-2
Configuring the Internet Connections to Your ISPs ........................................................2-2
Setting the VPN Firewall’s MAC Address ................................................................2-5
Manually Configuring Your Internet Connection .................................. .....................2-5
Configuring the WAN Mode (Required for Dual WAN) ................................................... 2-7
Setting Up Auto-Rollover Mode .......................... ....... ...... ....... ...... ....... ...... ....... ... .....2-9
v1.0, January 2010
vii
ProSafe VPN Firewall 200 FVX538 Reference Manual
Setting Up Load Balancing .................................................................................. ...2-11
Configuring Dynamic DNS (Optional) ...........................................................................2-14
Configuring the Advanced WAN Options (Optional) ............................................... ...... 2-16
Additional WAN Related Configuration ..................................................................2-17
Chapter 3
LAN Configuration
Choosing the VPN Firewall DHCP Options ....................................................................3-1
Configuring the LAN Setup Options ...............................................................................3-2
Managing Groups and Hosts (LAN Groups) ...................................................................3-6
Creating the Network Database ...... ... .... ... ... ... ... .......................................... .... ... ... ..3-6
Viewing the Network Database ................................................................................3-7
Adding Devices to the Network Database ................................................................3-8
Changing Group Names in the LAN Groups Database ...........................................3-9
Setting Up DHCP Address Reservation ...................................................................3-9
Configuring Multi Home LAN IP Addresses ..................................................................3-10
Configuring and Enabling the DMZ Port .......................................................................3-11
Configuring Static Routes .............................................................................................3-14
Static Route Example .............................................................................................3-16
Configuring Routing Information Protocol (RIP) .... ... .... .......................................... ... ...3-16
Chapter 4
Firewall Protection and Content Filtering
About Firewall Protection and Content Filtering .............................................................4-1
Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-2
Services-Based Rules ........................................ .... ... ... ... .........................................4-3
Viewing Rules and Order of Precedence for Rules ................................ ................ ..4-7
Configuring LAN WAN Rules ...................................................................................4-9
Configuring DMZ WAN Rules ................................................................................4-12
Configuring LAN DMZ Rules ..................................................................................4-13
Inbound Rules Examples .......................................................................................4-15
Outbound Rules Example ................................................................ ... ... ... ... .... ... ...4-19
Configuring Other Firewall Features .............................................................................4-19
Attack Checks .............. ... ... ... .... ... ....................................... ... ... ... .... ... ... ... .............4-20
Setting Session Limits .. ... ... ... .... ... ... ... .... .......................................... ......................4-22
Managing the Application Level Gateway for SIP Sessions ..................................4-23
Creating Services, QoS Profiles, and Bandwidth Profiles ............................................4-24
viii Contents
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
Adding Customized Services .................................................................................4-24
Specifying Quality of Service (QoS) Priorities .................................. ... ... ... ... .... ... ...4-26
Creating Bandwidth Profiles ...... ... ... ....... ................................................................4-27
Setting a Schedule to Block or Allow Specific Traffic .......................... .... ... ... ................4-29
Blocking Internet Sites (Content Filtering) ....................................................................4-30
Configuring Source MAC Filtering ................................................................................4-33
Configuring IP/MAC Address Binding ...........................................................................4-35
Configuring Port Triggering ...........................................................................................4-37
E-Mail Notifications of Event Logs and Alerts ......................................... ......................4-40
Administrator Tips .........................................................................................................4-40
Chapter 5
Virtual Private Networking
Considerations for Dual WAN Port Systems ..................................................................5-1
Using the VPN Wizard for Client and Gateway Configurations ...................................... 5-3
Creating Gateway to Gateway VPN Tunnels with the Wizard .................................5-3
Creating a Client to Gateway VPN Tunnel ...............................................................5-6
Testing the Connections and Viewing Status Information ............................................. 5-12
NETGEAR VPN Client Status and Log Information ............................................... 5-12
VPN Firewall VPN Connection Status and Logs .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ...5-14
Managing VPN Policies .. .... ... ... ... .... ... ... ... .... ... ... ... ... .......................................... .... ... ...5-16
Configuring IKE Policies ............................... ... ... .... ... ... ... .... ... ... .............................5-16
Configuring VPN Policies .......................................................................................5-18
Managing Certificates ................................................................ ...................................5-19
Viewing and Loading CA Certificates .....................................................................5-21
Viewing Active Self Certificates ..............................................................................5-22
Obtaining a Self Certificate from a Certificate Authority ......................... ................5-22
Managing your Certificate Revocation List (CRL) .. ... ... ..........................................5-25
Extended Authentication (XAUTH) Configuration ............................ ................... ..........5-26
Configuring XAUTH for VPN Clients ......................................................................5-27
User Database Configuration .... ... ... ... .... .......................................... ... ... ... .............5-29
RADIUS Client Configuration .................................................................................5-30
Assigning IP Addresses to Remote Users (ModeConfig) .............................................5-32
Mode Config Operation ...... .......................................... ..........................................5-32
Configuring Mode Config Operation on the VPN Firewall ......................................5-33
Configuring the ProSafe VPN Client for ModeConfig .......................................... ...5-38
Contents ix
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
Configuring Keepalives and Dead Peer Detection .......................................................5-42
Configuring Keepalives ..........................................................................................5-42
Configuring Dead Peer Detection ..........................................................................5-43
Configuring NetBIOS Bridging with VPN ......................................................................5-44
Chapter 6
VPN Firewall and Network Management
Performance Management ................................. .......................................... ... ... .... ........ 6-1
Bandwidth Capacity .................. ... ... ... .... ... ... .......................................... ..................6-1
VPN Firewall Features That Reduce Traffic .............................................................6-2
VPN Firewall Features That Increase Traffic ...........................................................6-4
Using QoS to Shift the Traffic Mix ............................................................................6-7
Tools for Traffic Management ................................. ... ... ... .... ... ... ... ............................6-8
Configuring Users, Administrative Settings, and Remote Management .........................6-8
Changing Passwords and Settings ..........................................................................6-8
Adding External Users ........................... ... .............................................................6-10
Configuring an External Server for Authentication ................. ................................ 6-11
Enabling Remote Management Access .................................................................6-14
Using an SNMP Manager ......................................................................................6-16
Managing the Configuration File ............................................................................6-18
Configuring Date and Time Service .......................................................................6-21
Monitoring System Performance ..... ... ... ... .... ... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... .............6-23
Activating Notification of Events and Alerts ............................................................6-23
Viewing the Logs ....................................................................................................6-26
Enabling the Traffic Meter ......................................................................................6-27
Viewing the VPN Firewall Configuration and System Status .................................6-30
Monitoring VPN Firewall Statistics ......... ... ... ... ... .... .......................................... ... ...6-31
Monitoring WAN Ports Status ................. ... ... ... ... .... ... ... ..........................................6-32
Monitoring Attached Devices .................................................................................6-33
Monitoring VPN Tunnel Connection Status ............................ ... ... .... ... ... ... .............6-34
Viewing the VPN Logs ...........................................................................................6-35
Viewing the DHCP Log ..........................................................................................6-36
Viewing Port Triggering Status ...............................................................................6-36
Chapter 7
Troubleshooting
Basic Functions ..............................................................................................................7-1
x Contents
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
Power LED Not On ...................................................................................................7-2
LEDs Never Turn Off ................................................................................................7-2
LAN or Internet Port LEDs Not On ......... ... ... ... ... .... ... ... .......................................... ..7-2
Troubleshooting the Web Configuration Interface ..........................................................7-3
Troubleshooting the ISP Connection ..............................................................................7-4
Troubleshooting a TCP/IP Network Using a Ping Utility .................................................7-5
Testing the LAN Path to Your VPN Firewall .............................................................7-5
Testing the Path from Your PC to a Remote Device ................................................7-6
Restoring the Default Configuration and Password ............... .........................................7-7
Problems with Date and Time .........................................................................................7-7
Using the Diagnostics Utilities ........................................................................................7-8
Appendix A
Default Settings and Technical Specifications
Appendix B
Network Planning for Dual WAN Ports
What You Will Need to Do Before You Begin ................................................................ B-1
Cabling and Computer Hardware Requirements .................................................... B-3
Computer Network Configuration Requirements ......................... .... ... ... ... ... .... ... ... . B-3
Internet Configuration Requirements ...................................................................... B-3
Where Do I Get the Internet Configuration Parameters? ........................................ B-4
Internet Connection Information Form .................................................................... B-4
Overview of the Planning Process ................................................................................. B-5
Inbound Traffic ........................................................................................................ B-5
Virtual Private Networks (VPNs) ............................................................................. B-6
The Roll-over Case for Firewalls With Dual WAN Ports .......................................... B-6
The Load Balancing Case for Firewalls With Dual WAN Ports ............................... B-7
Inbound Traffic ............................................................................................................... B-7
Inbound Traffic to Single WAN Port (Reference Case) ........................................... B-7
Inbound Traffic to Dual WAN Port Systems ............................................................ B-8
Virtual Private Networks (VPNs) .................................................................................... B-9
VPN Road Warrior (Client-to-Gateway) .................................................................B-11
VPN Gateway-to-Gateway ........... ... ... .... ... ... ... ... .... ... ... ......................................... B-14
VPN Telecommuter (Client-to-Gateway Through a NAT Router) .......................... B-16
Contents xi
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
Appendix C
System Logs and Error Messages
System Log Messages .................................................................................................. C-1
System Startup ............................. ... ... .... ... ... ... ... ....................................... ... .... ... ... . C-1
Reboot ....................................... ... ... ....................................... ... ... .... ... ... ... ... .... .......C-2
NTP .................................... ................................................................. .................... C-2
Login/Logout ........................................................................................................... C-3
Firewall Restart .......................................................................................................C-3
IPSec Restart ........ ... .... ... ... ... .... ...................................... .... ... ... ... .... ... ... .................C-4
WAN Status .................. ... ... ... ....................................... ... .... ... ... ... ........................... C-4
Web Filtering and Content Filtering Logs ................................................................ C-7
Traffic Metering Logs ........................................................................ ... ... ... ... ...........C-9
Unicast Logs ......................... .... ... ... ... .... ... ... ....................................... ... ... ... .... ... ... . C-9
FTP Logging ................................. ... ... .... ... .......................................... ..................C-10
Invalid Packet Logging ....... ... .... ... ... ... .... ... ... ... ... .... ... ... ... ...................................... C-10
Routing Logs ............................................................................................................... C-13
LAN to WAN Logs ................................................................................................. C-14
LAN to DMZ Logs .................................................................................................. C-14
DMZ to WAN Logs ................................................................................................C-14
WAN to LAN Logs ................................................................................................. C-14
DMZ to LAN Logs .................................................................................................. C-15
WAN to DMZ Logs ................................................................................................C-15
Appendix D
Two Factor Authentication
Why do I need Two-Factor Authentication? ...................................................................D-1
What are the benefits of Two-Factor Authentication? ............................................. D-1
What is Two-Factor Authentication ......................................................................... D-2
NETGEAR Two-Factor Authentication Solutions ....................................................... ... . D-2
Appendix E
Related Documents
Index
xii Contents
v1.0, January 2010
About This Manual
The NETGEAR® ProSafe™ VPN Firewall 200 describes how to install, configure and
troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers
with intermediate computer and Internet skills.
Conventions, Formats and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs.
• Typographical Conventions. This manual uses the following typographical conventions:
Italics Emphasis, books, CDs, file and server names, extensions
Bold User input, IP addresses, GUI screen text
Fixed Command prompt, CLI text, code
italics URL links
• Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the
equipment.
Danger: This is a safety warning. Failure to take heed of this notice may result in
personal injury or death.
v1.0, January 2010
xiii
ProSafe VPN Firewall 200 FVX538 Reference Manual
• Scope. This manual is written for the VPN firewall according to these specifications.
Product Version ProSafe VPN Firewall 200
Manual Publication Date January 2010
For more information about network, Internet, firewall, and VPN technologies, see the links to the
NETGEAR website in Appendix E, “Related Documents.”
Note: Product updates are available on the NETGEAR, Inc. website at
http://kb.netgear.com/app/home.
How to Print This Manual
T o print this manual, your computer must have the free Adobe Acrobat reader installed in order to
view and print PDF files. The Acrobat reader is available on the Adobe websit e at
http://www.adobe.com.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save
paper and printer ink by selecting this feature.
Revision History
Part Number
202-10062-04 1.0 Aug. 2006 Product update: New firmware and a new user interface.
202-10062-05 1.0 Jan. 2007 Remove Trend Micro
202-10062-06 1.0 Jul. 2007 New features: IP/MAC Binding; Bandwidth Limits; Session Limits;
202-10062-06 1.1 Oct. 2007 Document corrections
202-10062-06 1.2 Oct. 2007 Document additions to Appendix C
202-10062-07 1.0 Mar. 08 Maintenance release
xiv About This Manual
Version
Number
Date Description
IKE Keep Alive; Dead Peer Detection; Oray Support
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
202-10062-09 1.0 Mar. 09 Adds these corrections and topics for the March 2009 firmware
maintenance release:
• WIKID 2 factor authentication
• SIP ALG support
• DHCP Relay support
• Update VPN configuration procedure topics
• Update the Certificate management topic
• Correct the firewall scheduling topic
202-10062-10 1.0 January
2010
Added the following new features for the January 2010 firmware
maintenance release:
• Connection reset and delay options on the WAN ISP Settings
screen (see “Manually Configuring Your Internet Connection”).
• Support for DNS 3322 in the Dynamic DNS submenu (see
“Configuring Dynamic DNS (Optional)”).
• Support for an address range for inbound LAN rules on the Add
LAN WAN Inbound Service screen (see “Inbound Rules (Port
Forwarding)” and “Inbound Rules Examples”).
• Support for new log options such as Resolved DNS Names and
VPN on the Firewall Logs & E-mail screen (see “Activating
Notification of Events and Alerts”).
In addition, made the following substantial changes to the book:
• Resized all screen captures for better viewing.
• Added qualified Web browser information in the “Qualified Web
Browsers” and “Computer Network Configuration Requirements”
sections.
• Updated the WAN1 ISP Settings screen (Figure 2-1) and the ISP
Type options in the
Connection” section.
• Updated the Dynamic DNS Configuration screen (Figure 2-6)
and the DDNS providers in the ““Configuring Dynamic DNS
(Optional)” section.
• Revised the “Enabling the Traffic Meter” section and moved this
section from the “Connecting the VPN Firewall to the Internet”
chapter to the “VPN Firewall and Network Management” chapter.
• Added the “Additional WAN Related Configuration“ section.
• Updated the LAN Setup screen (Figure 3-1), added LDAP
information and the Enable ARP Broadcast paragraph to the
“Configuring the LAN Setup Options” section, and revised this
section for more clarity.
• Updated the LAN Groups screen (Figure 3-2) and the Network
Database Group Name screen (Figure 3-3 ), and revised the
“Managing Groups and Hosts (LAN Groups)” section for more
clarity.
”“Manually Configuring Your Internet
About This Manual xv
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
202-10062-10
(continued)
1.0 January
2010
(continued)
• Updated the LAN Multi-homing screen (Figure 3-4) and revised
the “Configuring Multi Home LAN IP Addresses” section for more
clarity.
• Revised the “Configuring and Enabling the DMZ Port” section for
more clarity.
• Updated the RIP Configuration screen (Figure 3-8).
• Revised the “Viewing Rules and Order of Precedence for Rules”
section and updated the LAN WAN Rules screen (Figure 4-2).
• Updated the Add LAN WAN Inbound Service screen
(Figure 4-3), related screens in the “Inbound Rules Examples”
section, and the Inbound Rules table (Table 4-3) to show that a
range of IP addresses can be selected for the Send to LAN
Server field.
• Updated the sections and screens in the “Configuring Other
Firewall Features” section and added the “Managing the
Application Level Gateway for SIP Sessions” section.
• Updated the following sections and screens in the “Firewall
Protection and Content Filtering” chapter to show the current
user interface:
* “Creating Services, QoS Profiles, and Bandwidth Profiles”
* “Setting a Schedule to Block or Allow Specific Traffic”
* “Blocking Internet Sites (Content Filtering)”
* “Configuring Source MAC Filtering”
* “Configuring IP/MAC Address Binding”
* “Configuring Port Triggering”
• Moved the procedures and screens from the “E-Mail
Notifications of Event Logs and Alerts” section in the “Firewall
Protection and Content Filtering” chapter to the “Activating
Notification of Events and Alerts” section in the ”“VPN Firewall
and Network Management” chapter.
• Updated all FVX538 screens and made various corrections and
clarifications in the “Virtual Private Networking” chapter.
• Revised the “Managing Certificates” section and added the
following sections to the “Virtual Private Networking” chapter:
* “Configuring Keepalives and Dead Peer Detection”
* “Configuring NetBIOS Bridging with VPN”
• Revised the following sections in the “VPN Firewall and Network
Management” chapter and updated all screens in these sections:
* “Configuring Users, Administrative Settings, and Remote
Management”
* “Monitoring System Performance”
• Moved the “Using the Diagnostics Utilities” section from the
“VPN Firewall and Network Management” chapter to the
“Troubleshooting” chapter.
xvi About This Manual
v1.0, January 2010
Chapter 1
Introduction
The ProSafe VPN Firewall 200 FVX538 with eight 1 0/100 ports and one 1/100/1000 port connects
your local area network (LAN) to the Internet through an external access device such as a cable
modem or DSL modem.
The FVX538 is a complete security solution that protects your network from attacks and
intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of
Service (DoS) attack protection and multi-NAT support. The VPN firewall supports multiple W eb
content filtering options, plus browsing activity reporting and instant alerts—both via e-mail.
Network administrators can establish restricted access policies based on time-of-day, Website
addresses and address keywords.
The FVX538 is a plug-and-play device that can be installed and configured within minutes.
This chapter contains the following sections:
• “Key Features” on this page
• “Package Contents” on page 1-5
• “VPN Firewall Front and Rear Panels” on page 1-6
• “The VPN Firewall’s IP Address, Login Name, and Password” on page 1-9
• “Qualified Web Browsers” on page 1-10
Key Features
The VPN firewall provides the following features:
• Dual 10/100 Mbps Ethernet WAN ports for load balancing or failover protection, providing
increased system reliability and load balancing. The WAN ports do not respond at all to
unsolicited traffic (stealth mode).
• Support for up to 200 simultaneous IPSec VPN tunnels.
• Support for up to 400 internal LAN users (and 50K connections ) .
• Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L)
• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.
• Built-in 10/100 Mbps ports plus 1 Gigabit Switch port.
1-1
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
• One console port for local management.
• SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software
(NMS100).
• Easy, web-based setup for installation and management.
• Advanced SPI Firewall and Multi-NAT support.
• Extensive Protocol Support.
• Login capability.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• One U Rack mountable.
Dual WAN Ports for Increased Reliability or Outbound Load Balancing
The FVX538 has two broadband WAN ports, WAN1 and WAN2, each capable of operating
independently at speeds of either 10 Mbps or 100 Mbps. The two WAN ports let you connect a
second broadband Internet line that can be configured on a mutually-exclusive basis to:
• Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.
• Load balance, or use both Internet lines simultaneously for the outgoing traffic. The VPN
firewall balances users between the two lines for maximum bandwidth efficiency.
See “Network Planning for Dual WAN Ports” on page B-1 for the planning factors to consider
when implementing the following capabilities with dual WAN port gateways:
• Single or multiple exposed hosts
• V irtual private networks
A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the FVX538 is a true firewall, using stateful packet
inspection to defend against hacker attacks. Its firewall features include:
• DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN
Flood, LAND Attack, and IP Spoofing.
• Secure Firewall. Blocks unwanted traffic from the Internet to your LAN.
• Block Sites. Blocks access from your LAN to Internet locations or services that you specify as
off-limits.
1-2 Introduction
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
• Logs security incidents. The FVX538 will log security events such as blocked incoming
traffic, port scans, attacks, and administrator logins. You can configure the VPN firewall to
e-mail the log to you at specified intervals. You can also configure the VPN firewall to send
immediate alert messages to your e-mail address or e-mail pager whenever a significant event
occurs.
• Keyword Filtering. With its URL keyword filtering feature, the FVX538 prevents
objectionable content from reaching your PCs. The VPN firewall allows you to control access
to Internet content by screening for keywords within Web addresses. You can configure the
VPN firewall to log and report attempts to access objectionable Internet sites.
Security Features
The FVX538 is equipped with several features designed to maintain security, as described in this
section.
• PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating
from the local network. Requests originating from outside the LAN are discarded, preventing
users outside the LAN from finding and directly accessing the PCs on the LAN.
• Port Forwarding with NAT. Although NAT prevents Internet locations from directly
accessing the PCs on the LAN, the VPN firewall allows you to direct incoming traffic to
specific PCs based on the service port number of the incoming request. You can specify
forwarding of single ports or ranges of ports.
• DMZ port. Incoming traffic from the Internet is normally discarded by the VPN firewall
unless the traffic is a response to one of your local computers or a service for which you have
configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one
computer on your network.
Autosensing Ethernet Connections with Auto Uplink
With its internal 8-port 10/100 switch, the FVX538 can connect to either a 10 Mbps standard
Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are
autosensing and capable of full-duplex or half-duplex operation.
The VPN firewall incorporates Auto Uplink
sense whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as
to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to
the correct configuration. This feature also eliminates the need to worry about crossover cables, as
Auto Uplink will accommodate either type of cable to make the right connection.
Introduction 1-3
TM
technology. Each Ethernet port will automatically
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
Extensive Protocol Support
The FVX538 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing
Information Protocol
Basics” document that you can access from the link in “Related Documents” in Appendix E.
• IP Address Sharing by NAT. The VPN firewall allows several networked PCs to share an
Internet account using only a single IP address, which may be statically or dynamically
assigned by your Internet service provider (ISP). This technique, known as NAT, allows the
use of an inexpensive single-user ISP account.
• Automatic Configuration of Attached PCs by DHCP. The VPN firewall dynamic ally
assigns network configuration information, including IP, gateway, and domain name server
(DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol
(DHCP). This feature greatly simplifies configuration of PCs on your local network.
• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the VPN firewall
provides its own address as a DNS server to the attached PCs. The VPN firewall obtains actual
DNS addresses from the ISP during connection setup and forwards DNS requests from the
LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet
over a DSL connection by simulating a dial-up connection. This feature eliminates the need to
run a login program such as EnterNet or WinPOET on your PC.
(RIP). For further information about TCP/IP, see the “TCP/IP Networking
Easy Installation and Management
You can install, configure, and operate the FVX538 within minutes after connecting it to the
network. The following features simplify installation and management tasks:
• Browser-Based Management. Browser-based configuration allows you to easily configure
your VPN firewall from almost any type of personal computer, such as Windows, Macintosh,
or Linux. A user-friendly Setup W izard is provided and online help documentation is built into
the browser-based Web Management Interface.
• Auto Detect. The VPN firewall automatically senses the type of Internet connection, asking
you only for the information required for your type of ISP account.
• VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure
VPN tunnels according to the recommendations of the Virtual Private Network Consortium
(VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers
and clients.
1-4 Introduction
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let
you monitor and manage log resources from an SNMP-compliant system manager. The SNMP
system configuration lets you change the system variables for MIB2.
• Diagnostic Functions. The VPN firewall incorporates built-in diagnostic functions such as
Ping, Trace Route, DNS lookup, and remote reboot.
• Remote Management. The VPN firewall allows you to login to the Web Management
Interface from a remote location on the Internet. For security, you can limit remote
management access to a specified remote IP address or range of addresses, and you can choose
a nonstandard port number.
• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its
status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the FVX538:
• Flash memory for firmware upgrade
• Technical support seven days a week, 24 hours a day, according to the terms identified in the
Warranty and Support information card provided with your product.
Package Contents
The product package should contain the following items:
• FVX538 ProSafe VPN Firewall 200.
• AC power cable.
• 19-inch rack mounting hardware and rubber feet.
• Category 5 (Cat5) Ethernet cable.
• Installation Guide, FVX538 ProSafe VPN Firewall 200
• Resource CD, including:
– Application Notes and other helpful information.
– ProSafe VPN Client Software – five user licenses.
• Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the VPN firewall for
repair.
Introduction 1-5
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
12 3 4 5 6 7
VPN Firewall Front and Rear Panels
The FVX538 front panel shown below contains the port connections, status LEDs, and the factory
defaults reset button.
Figure 1-1
Table 1-1 describe s each item on the front panel and its operation.
Table 1-1. Object Descriptions
Object LED Activity Description
1.
Power LED
2.
Test LED
3,
WAN Ports and
LEDs
On (Green) Power is supplied to the VPN firewall.
Off Power is not supplied to the VPN firewall.
On (Amber) Test mode: The system is initializing or the initialization
has failed.
Blinking (Amber) Writing to Flash memory (during upgrading or resetting to
defaults).
Off The system has booted successfully.
Two RJ-45 WAN ports N-way automatic speed negotiation, Auto MDI/MDIX.
On (Green) The WAN port has detected a link with a connected
Link/Act
LED
100 LED
Blinking (Green) Data is being transmitted or received by the WAN port.
Off The WAN port has no link.
On (Green) The WAN port is operating at 100 Mbps.
Off The WAN port is operating at 10 Mbps.
Ethernet device.
1-6 Introduction
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 1-1. Object Descriptions (continued)
Object LED Activity Description
On (Green) The WAN port has a valid Internet connection.
3,
WAN Ports and
LEDs
(continued)
4.
LAN Ports and
LEDs
5.
Gigabit Port and
LEDs
6.
Console Port
7.
Factory Defaults
Active
LED
8-port RJ-45 10/100 Mbps Fast Ethernet Switch N-way automatic speed negotiation,
auto MDI/MDIX.
Link/Act
LED
100 LED
DMZ LED
(port 8)
Gbit RJ-45 connector. Port for connecting to a Gigabit Ethernet device.
Link/Act
LED
Speed
LED
DB9 male connector.
Port for connecting to an optional console terminal. Default baud rate is 115.2K; pinouts:
(2) Tx, (3) Rx, (5) and (7) Gnd.
Push in with a sharp object
Factory Defaults reset push button (see Appendix A, “Default Settings and Technical
Specifications” for the factory defaults).
On (Amber) The Internet connection is down or not being used
because the port is available for failover in case the
connection on other WAN port fails.
Off The WAN port is either not enabled or has no link.
On (Green) The LAN port has detected a link with a connected
Ethernet device.
Blinking (Green) Data is being transmitted or received by the LAN port.
Off The LAN port has no link.
On (Green) The LAN port is operating at 100 Mbps.
Off The LAN port is operating at 10 Mbps.
On (Green) Port 8 is operating as a dedicated hardware DMZ port.
Off Port 8 is operating as a normal LAN port.
On (Green) The LAN port has detected a link with a connected
Ethernet device.
Blinking (Green) Data is being transmitted or received by the LAN port.
Off The LAN port has no link.
On (Green) The LAN port is operating at 1,000 Mbps.
On (Amber) The LAN port is operating at 100 Mbps.
Off The LAN port is operating at 10 Mbps.
Introduction 1-7
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
12
The rear panel of the FVX538 contains the On/Off switch and AC power connection.
Figure 1-2
Viewed from left to right, the rear panel contains the following elements:
1. AC power in
2. On/Off switch
Rack Mounting Hardware
The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack
(using the included rack mounting hardware illustrated in Figure 1-3).
Figure 1-3
1-8 Introduction
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
LAN IP Address
User Name
Password
The VPN Firewall’s IP Address, Login Name, and Password
Check the label on the bottom of the FVX538’s enclosure if you forget the following factory
default information:
• IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN
• User name: admin
• Password: password
Figure 1-4
To log in to the FVX538 once it is connected, go to http://192.168.1.1.
Figure 1-5
Once the login screen displays, enter admin for the User Name and the password for Password.
Introduction 1-9
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
Qualified Web Browsers
To configure the FVX538, you must use a Web browser such as Microsoft Internet Explorer 6 or
higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher with JavaScript, cookies, and you
must have SSL enabled.
1-10 Introduction
v1.0, January 2010
Chapter 2
Connecting the VPN Firewall to the Internet
This section provides instructions for connecting the ProSafe VPN Firewall 200 FVX538,
including these topics:
• “Understanding the Connection Steps” on this page
• “Logging into the VPN Firewall” on page 2-2
• “Configuring the Internet Connections to Your ISPs” on page 2-2
• “Configuring the WAN Mode (Required for Dual WAN)” on page 2-7
• “Configuring Dynamic DNS (Optional)” on page 2-14
• “Configuring the Advanced WAN Options (Optional)” on page 2-16
Setting up VPN tunnels is covered in Chapter 5, “Virtual Private Networking.”
Understanding the Connection S teps
Typically, six steps are required to complete the basic Internet connection of your VPN firewall.
1. Connect the VPN firewall physically to your network. Connect the cables and restart your
network according to the instructions in the installation guide. See the Installation Guide,
FVX538 ProSafe VPN Firewall 200 for complete steps. A PDF of the Installation Guide is on
the NETGEAR website at: http://kbserver.netgear.com.
2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your
VPN firewall. You can also change your password and enable remote management at this
time. See “Logging into the VPN Firewall” on page 2-2.
3. Configure the Internet connections to your ISP(s). During this phase, you will connect to
your ISPs. See “Configuring the Internet Connections to Your ISPs” on page 2-2.
4. Configure the WAN mode (required for dual WAN operation). Select either dedicated
(single WAN) mode, auto-rollover mode, or load balancing mode. For load balancing, you can
also select any necessary protocol bindings. See “Configuring the WAN Mode (Required for
Dual WAN)” on page 2-7.
2-1
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified
domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on
page 2-14.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to
respond to a ping, and you can change the factory default MTU size and port speed. However ,
these are advanced features and changing them is not usually required. See “Configuring the
Advanced WAN Options (Optional)” on page 2-16.
Each of these tasks is detailed separately in this chapter. The configuration of firewall and VPN
features is described in later chapters.
Logging into the VPN Firewall
To connect to the VPN firewall, your computer needs to be configured to obtain an IP address
automatically via DHCP. If you need instructions on how to configure you computer for DHCP,
refer to the “Preparing Your Network” document that you can access from the link in Appendix E,
“Related Documents.”
To log in to the VPN firewall:
1. Connect to the VPN firewall by typing http://192.168.1.1 in the address field of your browser.
2. When prompted, enter admin for the VPN firewall user name and password for the VPN
firewall password, both in lower case letters. (The VPN firewall user name and password are
not the same as any user name or password you may use to log in to your Internet connection.)
3. Click Login.
Note: You might want to enable remote management at this time so that you can log
in remotely in the future to manage the VPN firewall (see “Configuring an
External Server for Authentication” on page 6-11). If you enable remote
management, you are strongly advised to change your password (see
“Changing Passwords and Settings” on page 6-8).
Configuring the Internet Connections to Your ISPs
You should first configure your Internet connections to your ISPs on WAN port 1, and then on
WAN port 2.
2-2 Connecting the VPN Firewall to the Internet
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
To automatically configure the WAN ports and connect to the Internet:
1. Select the primary menu option Network Configuration and the submenu option WAN
Settings. WAN1 ISP Settings screen will display.
Figure 2-1
2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet
connection provided by your ISP. Auto Detect will probe for different connection methods and
suggest one that your ISP will most likely support.
Connecting the VPN Firewall to the Internet 2-3
v1.0, January 2010
ProSafe VPN Firewall 200 FVX538 Reference Manual
When Auto Detect successfully detects an active Internet service, it reports which connection
type it discovered. The options are described in Table 2-1.
Note: When you click Auto Detect while the WAN port already has a connection,
you might lose the connection because the VPN firewall will enter its
detection mode.
Table 2-1. Internet connection methods
Connection
Method
PPPoE Login (Username, Password); Account Name, Domain Name
PPTP Login (Username, Password), Account Name, Local IP address, and PPTP
DHCP (Dynamic IP) No data is required.
Fixed (Static) IP Static IP address, Subnet, and Gateway IP; and related data supplied by your
Data Required
Server IP address;
ISP.
If Auto Detect does not find a connection, you will be prompted to check the physical
connection between your VPN firewall and the cable or DSL line or to check your VPN
firewall’s MAC address (see “Setting the VPN Firewall’s MAC Address” on page 2-5).
3. Click W AN Status at the top right of the screen to verify WAN Port 1 connection status. Click
Connect if there is no connection.
Figure 2-2
2-4 Connecting the VPN Firewall to the Internet
v1.0, January 2010
Loading...