How it Works
NETGEAR
Loading...
FVX538
Application Note
6 pgs420.35 Kb0
Application Note
3 pgs58.87 Kb0
Application Note
5 pgs82.7 Kb0
Configuration Manual
8 pgs1.16 Mb0
Configuration Manual
8 pgs419.1 Kb0
Data Sheet
2 pgs190.98 Kb0
Network Setup Manual
8 pgs426.99 Kb0
Reference Guide
240 pgs3.47 Mb0
Reference Guide
250 pgs8.69 Mb0
Reference Manual
242 pgs7.38 Mb0
Reference Manual
250 pgs9.2 Mb0
Reference Manual
10 pgs163.4 Kb0
Setup Manual
9 pgs939.73 Kb0
User Manual
2 pgs325.64 Kb0
User Manual
222 pgs7.72 Mb0
User Manual
3 pgs726.4 Kb0
User Manual
26 pgs1.71 Mb0
Table of contents
Loading...

NETGEAR FVX538 User Manual

Download

ProSafe VPN Firewall 200 FVX538 Reference Manual

NETGEAR, Inc.
4500 Great America Parkway Santa Clara, CA 95054 USA
August 2006 202-10062-04 v1.0
© 2006 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
EU Regulatory Compliance Statement
ProSafe VPN Firewall 200 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1.
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß das ProSafe VPN Firewall 200 gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/ 1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe VPN Firewall 200 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however , be subject to certain restricti ons. Please refer to the notes in the operating instructions.
ii
1.0, August 2006
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.
Additional Copyrights
AES Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted
subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission.
This software is provided 'as is' with no express or implied warranties of correctness or fitness for purpose.
1.0, August 2006
iii
Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions * are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
iv
1.0, August 2006
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message­Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or software.
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endor s e or promote products derive d from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th,
2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu The data format used by the zlib library is described by RFCs (Request for Comments) 1950
to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt and rfc1952.txt (gzip format)
(zlib format), rfc1951.txt (deflate format)
1.0, August 2006
v
Product and Publication Details
Model Number: FVX538 Publication Date: August 2006 Product Family: VPN Firewall Product Name: ProSafe VPN Firewall 200 Home or Business Product: Business Language: English Publication Part Number: 202-10062-04 Publication Version Number 1.0
vi
1.0, August 2006

Contents

About This Manual
Conventions, Formats and Scope ...................................................................................xiii
How to Use This Manual ..................................................................................................xiv
How to Print this Manual ..................................................................................................xiv
Revision History ..................... ... .......................................... .......................................... ...xv
Chapter 1 Introduction
Key Features ..................................................................................................................1-1
Dual WAN Ports for Increased Reliability or Outbound Load Balancing ..................1-2
A Powerful, True Firewall with Content Filtering ......................................................1-2
Security Features .....................................................................................................1-3
Autosensing Ethernet Connections with Auto Uplink ...............................................1-3
Extensive Protocol Support ......................................................................................1-3
Trend Micro Integration ............................................................................................1-4
Easy Installation and Management ..........................................................................1-4
Maintenance and Support .................. .... ... ... ... .......................................... ... .... ... ... ..1-5
Package Contents ..........................................................................................................1-5
Router Front Panel ...................................................................................................1-6
Router Rear Panel ...................................................................................................1-8
Rack Mounting Hardware .........................................................................................1-9
The Router’s IP Address, Login Name, and Password ............................................1-9
Default Log In Settings ...........................................................................................1-10
Chapter 2 Connecting the FVX538 to the Internet
Logging into the VPN Firewall ................................................... ... ... ... ............................2-1
Configuring the Internet Connections to Your ISPs ........................................................2-2
Setting the Router’s MAC Address ........................... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..2-5
Manually Configuring Your Internet Connection ........ .......................... .....................2-5
v1.0, August 2006
vii
Programming the Traffic Meter (if Desired) ..............................................................2-7
Configuring the WAN Mode (Required for Dual WAN) .... ....................................... ... ...2-10
Setting Up Auto-Rollover Mode .......................... ....... ...... ....... ...... ....... ...... ....... ... ...2-11
Setting Up Load Balancing .....................................................................................2-13
Configuring Dynamic DNS (If Needed) .........................................................................2-15
Configuring the Advanced WAN Options (If Needed) ................................................ ...2-18
Chapter 3 LAN Configuration
Using the Firewall as a DHCP server .............................................................................3-1
Configuring the LAN Setup Options ................ ......................................................... 3-2
Configuring Multi Home LAN IPs .............................................................................3-4
Managing Groups and Hosts (LAN Groups) ...................................................................3-6
Creating the Network Database ...... ... .... ... ... ... ... .......................................... .... ... ... ..3-6
Setting Up Address Reservation ..................... ......................................................... 3-9
Configuring and Enabling the DMZ Port .......................................................................3-10
Static Routes ................................................................................................................3-12
Configuring Static Routes .......................................................................................3-12
Routing Information Protocol (RIP) ........................................................................3-13
Static Route Example .............................................................................................3-15
Enabling Trend Micro Antivirus Enforcement ...............................................................3-15
Chapter 4 Firewall Protection and Content Filtering
Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-1
Services-Based Rules ........................................ .... ... ... ... .........................................4-2
Outbound Rules (Service Blocking) ...................................................................4-2
Inbound Rules (Port Forwarding) ......................................................................4-4
Order of Precedence for Rules ................................................................................4-7
Setting LAN WAN Rules .............................................................. ............................4-7
LAN WAN Outbound Services Rules .................................................................4-9
LAN WAN Inbound Services Rules .................................................................4-10
Setting DMZ WAN Rules .................................... .... ... .......................................... ...4-10
Setting LAN DMZ Rules .........................................................................................4-12
LAN DMZ Outbound Services Rules ...............................................................4-13
LAN DMZ Inbound Services Rules ..................................................................4-14
Attack Checks .................................................... .... ... ....................................... ... ...4-14
viii
v1.0, August 2006
Inbound Rules Examples .......................................................................................4-16
LAN WAN Inbound Rule: Hosting A Local Public Web Server ........................4-16
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses 4-17
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping 4-17
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host .............4-19
Outbound Rules Example ................................................................ ... ...................4-20
LAN WAN Outbound Rule: Blocking Instant Messenger .................................4-20
Adding Customized Services .................................................................................4-21
Setting Quality of Service (QoS) Priorities ............................................................. 4-23
Setting a Schedule to Block or Allow Specific Traffic .................................... ... ... .... ... ...4-24
Setting Block Sites (Content Filtering) ................ .................................................... ......4-25
Enabling Source MAC Filtering ....................................................................................4-27
Port Triggering ............................. .... ... ... ... .... .......................................... ......................4-28
E-Mail Notifications of Event Logs and Alerts ......................................... ......................4-31
Administrator Tips .........................................................................................................4-35
Chapter 5 Virtual Private Networking
Dual WAN Port Systems .................................................................................................5-1
Setting up a VPN Connection using the VPN Wizard .....................................................5-3
Creating a VPN Tunnel to a Gateway ......................................................................5-4
Creating a VPN Tunnel Connection to a VPN Client ....................... ... ... ... ... .... ... ... ..5-7
VPN Tunnel Policies ................................. .... ... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ................5-10
IKE Policy ........................................ ... .... ... ... ... ... .... ... ....................................... ... ...5-10
Managing IKE Policies ................. .... ... ... ... ... .... ... .......................................... ...5-11
IKE Policy Table . .......................................... .......................................... ..........5-11
VPN Policy ................... ... ... ... .... ...................................... .... ... ... ... .... ... ... ... .............5-12
Managing VPN Policies ......................................................................... .... ... ...5-12
VPN Policy Table ................ ... ... ... .... ... ... ..........................................................5-13
VPN Tunnel Connection Status ..............................................................................5-13
Creating a VPN Gateway Connection: Between FVX538 and FVS338 .......................5-14
Configuring the FVX538 .........................................................................................5-14
Configuring the FVS338 .........................................................................................5-19
Testing the Connection ...........................................................................................5-20
Creating a VPN Client Connection: VPN Client to FVX538 ....................... ... ... ... .... ... ...5-20
Configuring the FVX538 .........................................................................................5-20
v1.0, August 2006
ix
Configuring the VPN Client ....................... .......................................... ... ... ... .... ... ...5-22
Testing the Connection ...........................................................................................5-26
Certificate Authorities ...................................................................................................5-27
Generating a Self Certificate Request ....................................................................5-28
Uploading a Trusted Certificate ..............................................................................5-30
Managing your Certificate Revocation List (CRL) .. ... ... ..........................................5-30
Extended Authentication (XAUTH) Configuration ............................ ................... ..........5-31
Configuring XAUTH for VPN Clients ......................................................................5-32
User Database Configuration .... ... ... ... .... .......................................... ... ... ... .............5-34
RADIUS Client Configuration .................................................................................5-35
Manually Assigning IP Addresses to Remote Users (ModeConfig) .............................5-37
Mode Config Operation ...... .......................................... ..........................................5-37
Configuring the VPN Firewall .......... .......................................... ... .... ... ... ... ... .... ... ...5-38
Configuring the ProSafe VPN Client for ModeConfig .......................................... ...5-41
Chapter 6 Router and Network Management
Performance Management ................................. .......................................... ... ... .... ........ 6-1
Bandwidth Capacity .................. ... ... ... .... ... ... .......................................... ..................6-1
VPN Firewall Features That Reduce Traffic .............................................................6-2
Service Blocking .......................... .... ... ... ... ... .... ... .......................................... ..... 6-2
Block Sites .........................................................................................................6-4
Source MAC Filtering ........................................................................................6-4
VPN Firewall Features That Increase Traffic ...........................................................6-5
Port Forwarding ..................................... ... .......................................... ... .... ... ..... 6-5
Port Triggering ....................... ... ... .... ... ...............................................................6-6
DMZ Port ...........................................................................................................6-7
VPN Tunnels ................................................ .... .......................................... ........6-7
Using QoS to Shift the Traffic Mix ............................................................................6-7
Tools for Traffic Management .......... ... .... ... ... ... ... .... ... .......................................... ..... 6-8
Administration ..................................... ............................................. ...............................6-8
Changing Passwords and Settings ..........................................................................6-8
Enabling Remote Management Access .................................................................6-10
Using a SNMP Manager ........................................................................................6-11
Settings Backup and Firmware Upgrade ...............................................................6-13
Backup and Restore Settings ..........................................................................6-14
x
v1.0, August 2006
Router Upgrade ...............................................................................................6-15
Setting the Time Zone ........ ... .... ... ... .......................................... ... .... ... ...................6-16
Monitoring the Router ......................................... ... ... .......................................... .... ... ...6-17
Enabling the Traffic Meter ......................................................................................6-17
Setting Login Failures and Attacks Notification ................................ ...................... 6-19
Monitoring Attached Devices .................................................................................6-20
Viewing Port Triggering Status ...............................................................................6-22
Viewing Router Configuration and System Status .................................................6-23
Monitoring WAN Ports Status .......................... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ...6-24
Monitoring VPN Tunnel Connection Status ...................................... ... ... ... ... .... ... ...6-25
VPN Logs ........... ... ... .... ... ... ... ....................................... ... .... ... ... ... .... ... ...................6-26
DHCP Log ..............................................................................................................6-27
Performing Diagnostics ...... ... .... ... ... ... .... ................................................................6-27
Chapter 7 Troubleshooting
Basic Functions ..............................................................................................................7-1
Power LED Not On ...................................................................................................7-1
LEDs Never Turn Off ................................................................................................7-2
LAN or Internet Port LEDs Not On ......... ... ... ... ... .... ... ... .......................................... ..7-2
Troubleshooting the Web Configuration Interface ..........................................................7-2
Troubleshooting the ISP Connection ..............................................................................7-4
Troubleshooting a TCP/IP Network Using a Ping Utility .................................................7-5
Testing the LAN Path to Your Firewall ......................................................................7-5
Testing the Path from Your PC to a Remote Device ................................................7-6
Restoring the Default Configuration and Password ............... .........................................7-7
Problems with Date and Time .........................................................................................7-7
Appendix A Default Settings and Technical Specifications
Appendix B Related Documents
Appendix C Network Planning for Dual WAN Ports
What You Will Need to Do Before You Begin ................................................................C-1
Cabling and Computer Hardware Requirements ....................................................C-3
Computer Network Configuration Requirements ......................... .... ... ... ... ... .... ... ... . C-3
v1.0, August 2006
xi
Internet Configuration Requirements ...................................................................... C-3
Where Do I Get the Internet Configuration Parameters? ........................................ C-4
Internet Connection Information Form ....................................................................C-5
Overview of the Planning Process ................................................................................. C-6
Inbound Traffic ........................................................................................................C-6
Virtual Private Networks (VPNs) ............................................................................. C-6
The Roll-over Case for Firewalls With Dual WAN Ports ..........................................C-7
The Load Balancing Case for Firewalls With Dual WAN Ports ...............................C-7
Inbound Traffic ...............................................................................................................C-8
Inbound Traffic to Single WAN Port (Reference Case) ...........................................C-8
Inbound Traffic to Dual WAN Port Systems ............................................................ C-8
Inbound Traffic: Dual WAN Ports for Improved Reliability ................................C-9
Inbound Traffic: Dual WAN Ports for Load Balancing .......................................C-9
Virtual Private Networks (VPNs) .................................................................................. C-10
VPN Road Warrior (Client-to-Gateway) ................................................................ C-1 1
VPN Road Warrior: Single Gateway WAN Port (Reference Case) ................. C-12
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability .........C-12
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing ................ C-13
VPN Gateway-to-Gateway ........... ...... .... ... ............................................................ C-14
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) ..C-14
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability C-15
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing ...C-17
VPN Telecommuter (Client-to-Gateway Through a NAT Router) ..........................C-17
VPN Telecommuter: Single Gateway WAN Port (Reference Case) ...............C-18
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability ........C-18
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing ..............C-20
Index
xii
v1.0, August 2006

About This Manual

The NETGEAR® ProSafe™ VPN Firewall 200 describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills.

Conventions, Formats and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs.
Typographical Conventions. This manual uses the following typographical conventions:
Italics Emphasis, books, CDs, URL names
Bold User input
Fixed Screen text, file and server names, extensions, commands, IP addresses
Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the
equipment.
Danger: This is a safety warning. Failure to take heed of this notice may result in
personal injury or death.
v1.0, August 2006
xiii
ProSafe VPN Firewall 200 FVX538 Reference Manual
Scope. This manual is written for the VPN firewall according to the following specifications:
Product Version ProSafe VPN Firewall 200 Manual Publication Date August 2006
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, “Related Documents.”
Note: Updates to this product are available on the NETGEAR, Inc. website at
http://kbserver.netgear.com/products/FVX538.asp.

How to Use This Manual

The HTML version of this manual includes the following:
Buttons, an d , for browsing forward or backward through the manual one page at a time.
A button that displays the table of contents and a button that displays the Index. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual.
A button to access the full NETGEAR, Inc. online knowledge base for the product model.
Links to PDF versions of the full manual and individual chapters.

How to Print this Manual

To print this manual you can choose one of the following options, according to your needs.
Printing a Page from HTML. Each page in the HTML version of the manual is dedicated to a major topic. Select File > Print from the browser menu to print the page contents.
Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at
http://www.adobe.com.
Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page.
xiv
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window.
Click the print icon in the upper left of your browser window.
Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link
at the top left of any page.
Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual opens in a browser window.
Click the print icon in the upper left of your browser window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.

Revision History

Part Number
202-10062-04 1.0 Product update: New firmware and a new user interface.
Version Number
Description
v1.0, August 2006
xv
ProSafe VPN Firewall 200 FVX538 Reference Manual
xvi
v1.0, August 2006
Chapter 1
Introduction
The ProSafe VPN Firewall 200 with eight 10/100 ports and one 1/100/1000 port connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.
The FVX538 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support. The VPN firewall supports multiple Web content filtering options, plus browsing activity reporting and instant alerts—both via e-mail. Network administrators can establish restricted access policies based on time-of-day, Website addresses and address keywords.
The FVX538 is a plug-and-play device that can be installed and configured within minutes.

Key Features

The VPN firewall provides the following features:
Dual 10/100 Mbps Ethernet WAN ports for load balancing or failover protection, providing increased system reliability, load balancing, or link aggregation. The WAN ports do not respond at all to unsolicited traffic (stealth mode).
Support for up to 200 simultaneous IPSec VPN tunnels.
Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L)
Proactive policy enforcement for anti-virus and anti-spam security with integrated Trend Micro support.
Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.
Built-in 10/100 Mbps ports plus 1 Gigabit Switch port.
One console port for local management.
SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100).
Easy, web-based setup for installation and management.
Advanced SPI Firewall and Multi-NAT support.
Extensive Protocol Support.
Introduction 1-1
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Login capability.
Front panel LEDs for easy monitoring of status and activity.
Flash memory for firmware upgrade.
One U Rack mountable.

Dual WAN Ports for Increased Reliability or Outbound Load Balancing

The FVX538 has two broadband WAN ports, WAN1 and WAN2, each capable of operating independently at speeds of either 10 Mbps or 100 Mbps. The two WAN ports let you connect a second broadband Internet line that can be configured on a mutually-exclusive basis to:
Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.
Load balance, or use both Internet lines simultaneously for the outgoing traffic. The firewall balances users between the two lines for maximum bandwidth efficiency.
See “Network Planning for Dual WAN Ports” on page C-1 for the planning factors to consider when implementing the following capabilities with dual WAN port gateways:
Single or multiple exposed hosts
V irtual private networks

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT routers, the FVX538 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
Secure Firewall. Blocks unwanted traffic from the Internet to your LAN.
Block Sites. Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
1-2 Introduction
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Keyword Filtering. With its URL keyword filtering feature, the FVX538 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Security Features

The VPN firewall is equipped with several features designed to maintain security, as described in this section.
PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.
Port Forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
DMZ port. Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal 8-port 10/100 switch, the FVX538 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
TM
The firewall incorporates Auto Uplink whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
technology. Each Ethernet port will automatically sense

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol to “Internet Configuration Requirements” in Appendix C.”
Introduction 1-3
(RIP). For further information about TCP/IP, refer
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
IP Address Sharing by NAT. The VPN firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
Automatic Configuration of Attached PCs by DHCP. The VPN firewall dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.

Trend Micro Integration

If you have installed the Trend Micro Client/Server/Messaging Suite for SMB on your local network, you can have the firewall enforce its use. When Antivirus Enforcement is selected, local PCs will not be allowed Web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions.
The Client/Server/Messaging Suite for Small and Medium Business protects file servers, mail servers, and PCs on your network —including antispam capability. The Client/Server Suite for Small and Medium Business protects files servers and PCs.
Both products deliver a layered defense against viruses and other malicious code.
Unlike competing antivirus products, both products work your NETGEAR VPN Firewall to enforce antivirus policies - end users cannot access the Internet unless they have antivirus protection with current pattern files installed.
Both products are specifically built to meet the needs of growing businesses and feature easy installation, automatic transparent updates, and damage cleanup capability.
Activate either product for a free trial.

Easy Installation and Management

You can install, configure, and operate the ProSafe VPN Firewall 200 within minutes after connecting it to the network. The following features simplify installation and management tasks:
1-4 Introduction
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Browser-Based Management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
Auto Detect. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
Diagnostic Functions. The firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
Remote Management. The firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:
Flash memory for firmware upgrade
Free technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product.

Package Contents

The product package should contain the following items:
ProSafe VPN Firewall 200.
AC power cable.
Introduction 1-5
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
19-inch rack mounting hardware and rubber feet.
Category 5 (Cat5) Ethernet cable.
Installation Guide, FVX538 ProSafe VPN Firewall 200
Resource CD, including: – Application Notes and other helpful information. – ProSafe VPN Client Software – five user licenses. – Trend Micro software evaluation.
Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.

Router Front Panel

The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
12 3 4 5 6 7
Figure 1-1
Table 1-1 describes each item on the front panel and its operation.
Table 1-1. Object Descriptions
Object Activity Description
1. Power LED
2. Test LED
1-6 Introduction
On (Green) Off
On (Amber) Blinking (Amber) Off
Power is supplied to the firewall. Power is not supplied to the firewall.
Test mode: The system is initializing or the initialization has failed. Writing to Flash memory (during upgrading or resetting to defaults). The system has booted successfully.
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 1-1. Object Descriptions (continued)
Object Activity Description
Two RJ-45 WAN ports N-way automatic speed negotiation, Auto MDI/MDIX. Link/Act LED
3. WAN Ports and LEDs
4. LAN Ports and LEDs
5. Gigabit Port and LEDs
On (Green) Blinking (Green) Off
100 LED
On (Green) Off
Active LED
On (Green) On (Amber)
Off
8-port RJ-45 10/100 Mbps Fast Ethernet Switch
Link/Act LED
On (Green) Blinking (Green) Off
100 LED
On (Green) Off
DMZ (port 8)
On (Green)
Off Gbit RJ-45 connector Port for connecting to a gigabit Ethernet device. Link/Act LED
On (Green)
Blinking (Green)
Off Speed LED
On (Green)
On (Amber)
Off
The WAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the WAN port. The WAN port has no link.
The WAN port is operating at 100 Mbps. The WAN port is operating at 10 Mbps.
The WAN port has a valid Internet connection. The Internet connection is down or not being used because the port is available for failover in case the connection on other WAN port fails. The WAN port is either not enabled or has no link.
N-way automatic speed negotiation, auto MDI/MDIX.
The LAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the LAN port. The LAN port has no link.
The LAN port is operating at 100 Mbps. The LAN port is operating at 10 Mbps.
Port 8 is operating as a dedicated hardware DMZ port. Port 8 is operating as a normal LAN port.
The LAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the LAN port. The LAN port has no link.
The LAN port is operating at 1,000 Mbps. The LAN port is operating at 100 Mbps. The LAN port is operating at 10 Mbps.
Introduction 1-7
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 1-1. Object Descriptions (continued)
Object Activity Description
6. Console Port
7. Factory Defaults
DB9 male connector Port for connecting to an optional console terminal. Default baud rate
is 115.2K; pinouts: (2) Tx, (3) Rx, (5) and (7) Gnd.
—> push in with a sharp object
Factory Defaults reset push button (see Appendix A, “Default
Settings and Technical Specifications” for the factory defaults).

Router Rear Panel

The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection.
12
Figure 1-2
Viewed from left to right, the rear panel contains the following elements:
1. AC power in
2. On/Off switch
1-8 Introduction
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Rack Mounting Hardware

The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in Figure 1-3).
Figure 1-3

The Router’s IP Address, Login Name, and Password

Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information:
IP Address:
•User name:
Password:
http://192.168.1.1 to reach the Web-based GUI from the LAN
admin
password
LAN IP Address User Name Password
Figure 1-4
Introduction 1-9
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Default Log In Settings

To log in to the FVX538 once it is connected:
1. Open a Web browser.
2. Enter
http://192.168.1.1 as the URL.
Figure 1-5
3. Once the login screen displays (Figure 1-5), enter the following information:
admin for User Name password for Password
1-10 Introduction
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Introduction 1-11
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
1-12 Introduction
v1.0, August 2006
Chapter 2
Connecting the FVX538 to the Internet
T ypically, six steps are required to complete the basic connection of your firewall. Setting up VPN tunnels are covered in Chapter 5, “Virtual Private Networking.”
1. Connect the firewall physically to your network. Connect the cables, turn on your router
and wait for the Test LED to go out. Make sure your Ethernet and LAN LEDs are lit. (See the
Installation Guide, FVX538 ProSafe VPN Firewall 200 for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.)
2. Log in to the firewall. After logging in, you are ready to set up and configure your firewall.
You can also change your password and enable remote management at this time.
3. Configure the Internet connections to your ISP(s). During this phase, you will connect to
your ISPs. You can also program the WAN traffic meters at this time if desired.
4. Configure the WAN mode (required for dual WAN operation). Select either auto-rollover
mode or load balancing mode (on a mutually exclusive basis). For load balancing, you can also select the protocol bindings.
5. Configure dynamic DNS on the WAN ports (if needed). Configure your fully qualified
domain names during this phase (if required).
6. Configure the WAN options (if needed). Optionally, you can enable each WAN port to
respond to a ping. You can also change the factory default MTU size, port speed, and uplink bandwidth. However, these are advanced features and changing them is not usually required.

Logging into the VPN Firewall

To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. If you need instructions on how to configure you computer for DHCP, refer to the link in Appendix B, “Related Documents.
To log in to the VPN firewall:
1. Connect to the firewall by typing http://192.168.1.1 in the address field of Interne t Explorer,
Mozilla Firefox or Netscape® Navigator.
Connecting the FVX538 to the Internet 2-1
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
2. When prompted, enter admin for the firewall user name and password for the firewall
password, both in lower case letters. (The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.)
3. Click Login.
Note: You might want to enable remote management at this time so that you can log
in remotely in the future to manage the firewall (see “Enabling Remote
Management Access” on page 6-10). If you enable remote management, you
are strongly advised to change your password (see “Changing Passwords and
Settings” on page 6-8).

Configuring the Internet Connections to Your ISPs

You should first configure your Internet connections to your ISPs on WAN port 1, and then configure WAN port 2 second.
To automatically configure the WAN ports and connect to the Internet:
1. The WA N1 ISP Settings screen similar to the one shown in Figure 2-1 should display when you log in. (If the screen does not display, select the primary menu option Network Configuration and the sub-menu option WAN Settings.
2-2 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Figure 2-1
2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support.
When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table.
Table 2-1. Internet connection methods
Connection Method Data Required
PPPoE Login (Username, Password); Account Name, Domain Name PPTP Login (Username, Password), Account Name, Local IP address, and
PPTP Server IP address;
Connecting the FVX538 to the Internet 2-3
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 2-1. Internet connection methods (continued)
Connection Method Data Required
BigPond Cable Login Username, Password), Login Server. DHCP (Dynamic IP) No data is required. Fixed (Static) IP Static IP address, Subnet, and Gateway IP; and related data supplied by
your ISP.
If Auto Detect does not find a connection, you will be prompted to check the physical connection between your firewall and the cable or DSL line or to check your Router’s MAC address (see “Setting the Router’s MAC Address” on page 2-5).
3. Click W AN Status at the top right of the screen to verify W AN Port 1 connection status. Click Connect if connection not already present.
Figure 2-2
4. Set up the traffic meter for WAN 1 ISP if desired. See “Programming the Traffic Meter (if
Desired)” on page 2-7.
Note: At this point of the configuration process, you are now connected to the
Internet through WAN port 1. But you must continue with the configuration process to get the complete functionality of the dual WAN interface.
2-4 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
The configure the WAN2 ISP settings:
1. Repeat the above steps to set up the para meters for WAN2 ISP. Start by selecting the WAN2
ISP Settings tab. Next click Auto Detect on the WAN2 ISP Settings screen and then confirm the connection by clicking the WAN Status link.
2. Set up the traffic meter for WAN2 ISP, if desired. See “Programming the Traffic Meter (if
Desired)” on page 2-7.

Setting the Router’s MAC Address

Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. The default is set to Use Default Address. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you must enter that address. Setting the router’s MAC address is controlled through the Advanced options on the WAN1 ISP Settings and WAN2 ISP Settings screen (see“Configuring the Advanced WAN Options (If Needed)” on page 2-18).

Manually Configuring Your Internet Connection

If you know your ISP connection type, you can bypass the Auto Detect feature and connect your router manually. Ensure that you have all of the relevant connection information such as IP Addresses, account information, type of ISP connection, etc., before you begin. Unless your ISP automatically assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP (see Figure 2-1).
Note: To enable a WAN port to respond to a Ping from the Internet, use the Rules me nu
(Figure 4-2 on page 4-8).
To manually configure your WAN1 ISP Settings:
1. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select Yes. Otherwise, select No.
2. What type of IPS connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must login. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected. If your ISP has not assigned any login information, then choose the No radio box and skip this section. For example:
Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PP TP fo r login,
select this. Then, fill in the following highlighted fields:
Connecting the FVX538 to the Internet 2-5
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Account Name (also known as Host Name or System Name): Enter the valid account
name for the PP TP connection (usually your email “ID” assigned by your ISP). Some ISPs require entering your full email address here.
Domain Name: Your domain name or workgroup name assigned by your ISP, or your
ISPs domain name. You may leave this field blank.
Idle Timeout: Check the Keep Connected radio box to keep the connection always
on. To logout after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field. This is useful if your ISP charges you based on the amount of time you have logged in.
My IP Address: IP address assigned by the ISP to make the connection with the ISP
server.
Server IP Address: IP address of the PPTP server.
Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then
your connection type is PPPoE. Select this connection and configure the following fields: – Account Name: Valid account name for the PPPoE connection – Domain Name: Name of your ISPs domain or your domain name if your ISP has
assigned one. You may leave this field blank.
Idle Timeout: Select Keep Connected, to keep the connection always on. To logout
after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting, in the timeout field.
BigPond Cable: If your ISP is Telstra BigPond Cable, select this option and fill in the
Login Server and Idle Timeout fields. The Login Server is the IP address of the local BigPond Login Server in your area. You can find login server information at
http://www.netgear.com.sg/support/bigpond.asp
3. If your ISP has assigned a fixed (static or permanent) IP address, select the Use Static IP Address radio box and fill in the following fields:
a. IP Address: Static IP address assigned to you. This will identify the router to your ISP. b. Subnet Mask: This is usually provided by the ISP or your network administrator. c. Gateway IP Address: IP address of the ISP’s gateway. This is usually provided by the ISP
or your network administrator.
If your ISP has not assigned a Static IP address, select the Get dynamically from ISP radio box. The ISP will automatically assign an IP address to the router using DHCP network protocol.
2-6 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
4. If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP addresses in the
fields. Incorrect DNS entries may cause connectivity issues.
Note: Domain Name Servers (DNS) convert Internet names such as
www.google.com, www.netgear.com, etc. to Internet addresses called IP addresses. Incorrect settings here will result in connectivity problems.
5. Click Apply to save the settings.
6. Click Reset to discard any changes and reve rt to the previous settings.
7. Click Test to try and connect to the NETGEAR Web site. If you connect successfully and your
settings work, then you may click Logout or go on and configure additional settings.
To configure your WAN2 ISP settings:
1. Select the WAN2 ISP Settings tab. The WAN2 ISP Settings screen will display.
2. Repeat steps 1 through 7 above.

Programming the Traffic Meter (if Desired)

The traffic meter is useful when an ISP charges by traffic volume ov er a given period of time or if you want to look at traffic types over a period of time.
To enable the traffic meter:
1. From the primary menu, select Monitoring, and then select Traffic Meter from the secondary menu. The WAN1 Traffic Meter screen will display. Fill out the information described in
Table 2-2.
Connecting the FVX538 to the Internet 2-7
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Figure 2-3
2. Click Apply to apply the settings. Click Reset to return to the previous settings.
3. Select the WAN2 Traffic Meter tab and repeat steps 1 through 3 to set the Traffic Meter the
the WAN2 port.
2-8 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 2-2. Traffic Meter Settings
Parameter Description
Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the
Router's WAN1 or WA N2 port. WAN1 or WAN2 can be selected by clicking the appropriate tab; the entire configuration is specific to each wan interface.
• No Limit - If this is selected specified restriction will not be applied when traffic limit is reached.
• Download only - If this is selected the specified restriction will be applied to the incoming traffic only
• Both Directions - If this is selected the specified restriction will be applied to both incoming and outgoing traffic only
Enable Monthly Limit Use this if your ISP charges for additional traffic. If enabled , enter the monthly
volume limit and select the desired behavior when the limit is reached. Note: Both incoming and outgoing traffic are included in the limit.
Increase this month's limit
This month's limit This displays the limit for the current month. Restart traffic
counter Restart Counter at a
Specific Time
Send E-mail Report before restarting counter
When limit is reached
Internet Traffic Statistics
Traffic by Protocol Click this link if you want to know more details of the Internet Traffic. The volume of
Use this to temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Check the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so the increase is only applied once.)
This determines when the traffic counter restarts. Choose the desired time and day of the month.
Check this radio button to restart the Traffic Counter at a specific time and day of the month. Fill in the time fields and select AM or PM and the day of the month from the pull-down menus.
If checked, an E-mail report will be sent immediately before restarting the counter. You must configure the E-mail screen in order for this function to work (see “E-Mail
Notifications of Event Logs and Alerts” on page 4-31).
Select the desired option:
• Block all traffic - all access to and from the Internet will be blocked.
• Block all traffic except E-mail - Only E-mail traffic will be allowed. All other traffic will be blocked.
• If using this option, you may also select the Send E-mail alert option. You must configure the E-mail screen in order for this function to work.
This displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available.
traffic for each protocol will be displayed in a sub-window.Traffic counters are updated in MBytes scale, counter starts only when traffic passed is at least 1MB.
Connecting the FVX538 to the Internet 2-9
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Configuring the WAN Mode (Required for Dual WAN)

The dual WAN ports of the ProSafe VPN Firewall 200 can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency).
Auto-Rollover Mode. In this mode, the selected WAN interface is made primary and the other
is the rollover link. As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic.Traffic will automatically roll back to the original primary link once the original primary link is back up and running again.
If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
Load Balancing Mode. In this mode the router distributes the outbound traffic equally among
the WAN interfaces that are functional.
Note: Scenarios could arise when load balancing needs to be bypassed for certain
traffic or applications. Here the traffic needs to go on a specific WAN interface. This is done with the protocol binding rules of that WAN interface. The rule should match the desired traffic.
For both alternatives, you must also set up Network Address Translation (NAT):
NAT. NAT is the technology which allows all PCs on your LAN to share a single Internet IP
address. From the Internet, there is only a single device (the Router) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.
The Router uses NAT to select the correct PC (on your LAN) to receive any incoming
data. – If you only have a single Internet IP address, you MUST use NAT. NAT is the default setting.
Classical Routing. In this mode, the Router performs Routing, but without NAT. To gain
Internet access, each PC on your LAN must have a valid Internet IP address.
2-10 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
If your ISP has allocated many IP addresses to you, and you have assigned one of these addresses to each PC, you can choose Classical Routing. Or, you can use Classical Routing for routing private IP addresses within a campus environment. Otherwise, selecting this method will not allow Internet access through this Router.
To learn the status of the WAN ports, you can view the Router Status page (see “Viewing Router
Configuration and System Status” on page 6-23) or look at the LEDs on the front panel (see “Router Front Panel” on page 1-6).

Setting Up Auto-Rollover Mode

If you want to use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured. Then you select the WAN port that will act as the primary link for this mode and configure the WAN Failure Detection Method to support Auto-Rollover.
When the router is configured in Auto-Rollover Mode, the router uses the WAN Failure Detection Method to check the connection of the primary link at regular intervals to detect router status. Link failure is detected in one of the following ways:
By using DNS queries to a DNS server, or
By a Ping to an IP address. For each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If
replies are not received, the corresponding WAN interface is considered down. To configure the dual WAN ports for Auto-Rollover
1. Select Network Configuration from the primary menu and WAN Mode from the secondary
menu. The WAN Mode screen will display.
2. In the Port Mode section, check the Auto-Rollover Using WAN port radio box.
3. Selection the WAN port that will act as the primary link for this mode from the pull-down
menu.
4. From the WAN Failure detection Method section, select the detection failure method radio
box from one of the following choices:
DNS lookup using configured DNS Servers (ISP DNS Servers) – In this case, DNS
queries are sent to the DNS server configured on the WAN ISP pages (see “Configuring
the Internet Connections to Your ISPs” on page 2-2).
DNS lookup using this DNS Server (for example, a public DNS Server) – Enter any
public DNS server. DNS queries are sent to this server through the WAN interface being
monitored.
Connecting the FVX538 to the Internet 2-11
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Ping to this IP address – Enter a public IP address that will not reject the Ping request or
will not consider the traffic abuse. Queries are sent to this server through the WAN
interface being monitored.
5. Enter a Test Period in seconds. DNS query is sent periodica lly after every test period. The
default test period is 30 seconds.
Figure 2-4
6. Enter the Maximum Fa ilover amount. The WAN interface is considered down after the
configured number of queries have failed to elicit a reply. The rollover link is brought up after this. The Failover default is 4 failures.
The default time to roll over after the primary WAN interface fails is 2 minutes (a 30-second minimum test period, times a minimum of 4 tests).
7. Click Apply to save your settings.
8. Click Reset to revert to the previous settings.
Once a rollover occurs, an alert will be generated (see “E-Mail Notifications of Event Logs and
Alerts” on page 4-31). When notified that the failed WAN interface has been restored, you can
force traffic back on the original primary WAN interface by reapplying the Auto-Rollover settings in the WAN Port Mode menu.
2-12 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Setting Up Load Balancing

To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, both links will carry data for the protocols that are bound to them. For example, if the HTTP protocol is bound to WAN1 and the FTP protocol is bound to WAN2, then the router will automatically channel FTP data from and to the computers on the LAN through the WAN2 port. All HTTP traffic will be routed through the WAN1 port.
Load Balancing can be used to segregat e traf fic betwee n links that ar e not of the same speed. High volume traffic can be routed through the port connected to a high speed link and low volume traffic can be routed through the port connected to the low speed link.
To configure the dual WAN ports for load balancing with protocol binding:
1. Check the Load Balancing radio button on the WAN Mode screen shown in Figure 2-4 above, and click view protocol bindings (if protocol binding is needed). The WAN1 Protocol Bindings screen will display.
Figure 2-5
2. Enter the following data in the Add Protocol Binding section:
Connecting the FVX538 to the Internet 2-13
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
a. Service – From the pu ll-down menu, select the desired Services or applications to be
covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules” on page 4-2).
b. Destination Network – These settings determine which Internet locations are covered by
the rule, based on their IP address. Select the desired option:
Any – All Internet IP address are covered by this rule.
Single address – Enter the required address in the start fields.
Address range – If this option is selected, you must enter the start and finish fields.
c. Source Network – These settings determine which computers on your network are
affected by this rule. Select the desired options:
Any – All PCs and devices on your LAN.
Single address – Enter the required address and the rule will be applied to that
particular PC.
Address range – If this option is selected, you must enter the start and finish fields.
Group 1-Group 8 – If this option is selected, the devices assigned to this group will be affected. (You may also assign a customized name to the group. See Edit Group
Names on the Groups and Hosts menu in the LAN Groups sub-menu.)
3. Click Add in the Add column adjacent to the rule. The new Protocol Binding Rule will be
enabled and added to the Protocol Binding Table for the WAN1 port. Select the WAN2 Protocol Bindings tab, and repeat steps 1 through 9, to set protocol bin dings
for the WAN2 port.
To Edit or Add additional Protocol Binding settings:
1. Select Network Configuration from the main menu and Protocol Binding from the submenu. The WAN1 Protocol Bindings screen will display.
You can add or edit protocol bindings to either the WAN1 port or click the WAN2 Protocol Bindings tab to access the WAN2 Protocol Bindings screen. To add a new protocol binding, following the preceding procedure.
2. Check the radio button adjacent to the protocol binding rule you want to modify. Click Edit in the Action column adjacent to the rule. The Edit Protocol Binding screen will display.
2-14 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Figure 2-6
3. Modify the parameters for the protocol binding service you selected.
4. Click Apply. The modified rule will be enabled and appear in the Protocol Binding table.
5. Click Reset to return to the previously configured settings.

Configuring Dynamic DNS (If Needed)

Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must setup an account with a DDNS provider such as DynDNS.org, TZO.com or Iego.net. (Links to DynDNS, TZO and Iego
Connecting the FVX538 to the Internet 2-15
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
are provided for your convenience on the Dynamic DNS Configuration screen.) The VPN firewall firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet.
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently—hence, the need for a commercial DDNS service, which allows you to register an extension to its domain, and restores DNS requests for the resulting FQDN to your frequently-changing IP address.
After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your DDNS service provider, log in to your account, and register your new IP address.
For auto-rollover mode, you will need a fully qualified domain name (FQDN) to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address.
For load balancing mode, you may still need a fully qualified domain name (FQDN) either for convenience or if you have a dynamic IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the
dynamic DNS service will not work because private addresses will not be routed on the Internet.
To configure Dynamic DNS:
1. Select Network Configuration from the primary menu and Dynamic DNS from the sub­menu. The Dynamic DNS Configuration screen will display.
The WAN Mode section displays the currently configured WAN mode (for example, Single Port WAN1, Load Balancing or Auto Rollover). Only those options that match the configured WAN Mode will be accessible.
2-16 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
DDNS links
Figure 2-7
2. Check the Dynamic DNS Service radio box you want to enable. The fields corresponding to the selection you have chosen will be highlighted. Each DNS service provider requires its own parameters.
3. Access the Web site of one of the DDNS service providers and set up an account. A link to each DDNS provider is opposite the DNS Configuration screen name.
4. After setting up your account, return to the Dynamic DNS Configuration screen and fill in the required fields for the DDNS service you selected:
a. In the Host and Domain Name field, enter the entire FQDN name that your dynamic DNS
service provider gave you (for example: <yourname>.dyndns.org).
b. Enter the User Name, User email Address, or Account Name requested by the DDNS
Service to identify you when logging into your DDNS account.
c. Enter the Password, or User Key, for your DDNS account.
Connecting the FVX538 to the Internet 2-17
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
d. If your dynamic DNS provider allows the use of wild cards in resolving your URL, you
may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased
to the same IP address as yourhost.dyndns.org
5. Click Apply to save your configuration.
6. Click Reset to return to the previous settings.

Configuring the Advanced WAN Options (If Needed)

To configure the Advanced WAN options:
1. If you haven’t already, log in to the firewall at the default LAN address of http://192.168.1.1, default user name of admin, and default password of password (or whatever password and LAN address you have chosen for the firewall).
2. Select Network Configuration from the primary menu and WAN Settings from the sub­menu. The WAN Settings screen will display. Click Advanced to access the WAN1 Advanced Options screen.
Figure 2-8
3. Edit the default information you want to change.
2-18 Connecting the FVX538 to the Internet
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
MTU Size – The normal MTU (Maximum Transmit Unit) value for most Ethernet
networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs you may have to reduce the MTU. But this is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
Port Speed – In most cases, your router can automatically determine the connection speed
of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may have to manually select the port speed. AutoSense is the default.
If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M. Use the half-duplex settings unless you are sure you need full duplex.
Router's MAC Address – Each computer or router on your network has a unique 32-bit
local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. The default is Use default address. However, if your ISP requires MAC authentication, then select either
Use this Computer's MAC address to have the router use the MAC address of the
computer you are now using, or – Use This MAC Address to manually type in the MAC address that your ISP expects. The format for the MAC address is XX:XX:XX:XX:XX:XX (numbers 0-9 and either
uppercase or lowercase letters A-F). If you select Use This MAC Address and then type in a MAC address, your entry will be overwritten.
Connecting the FVX538 to the Internet 2-19
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
2-20 Connecting the FVX538 to the Internet
v1.0, August 2006
Chapter 3
LAN Configuration
This chapter describes how to configure the advanced LAN features of your ProSafe VPN Firewall
200. These features can be found by selecting Network Configuration from the primary menu and LAN Setup from the submenu of the browser interface.

Using the Firewall as a DHCP server

By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, WINS Server, and default gateway addresses to all computers connected to the firewall LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See the link to “Preparing a Computer for Network Access” in Appendix B, “Related Documents” for an explanation of DHCP and information about how to assign IP addresses for your network.
If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the Enable DHCP server radio box by selecting the Disable DHCP Server radio box. Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP address. Using the default addressing scheme, you should define a range between 192.168.1.2 and
192.168.1.100, although you may wish to save part of the range for device s with fixed addresses. The firewall will deliver the following parameters to any LAN device that requests DHCP:
An IP Address from the range you have defined.
Subnet Mask.
Gateway IP Address (the firewall’s LAN IP address).
Primary DNS Server (the firewall’s LAN IP address).
WINS Server (if you entered a WINS server address in the DHCP Setup menu).
Lease Time (date obtained and duration of lease).
LAN Configuration 3-1
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Configuring the LAN Setup Options

The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and allows you to configure a secondary or “multi-home” LAN IP setup in the LAN. The default values are suitable for most users and situations. These are advanced settings most usually configured by a network administrator.
To modify your LAN setup:
1. Select Network Configuration from the primary menu and LAN Setup from the submenu. The LAN Setup screen will display.
Figure 3-1
2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets.)
3. Enter the IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router).
3-2 LAN Configuration
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
4. Check the Enable DHCP Server radio button. By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, providing TCP/IP configuration for all computers connected to the router's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, check the Disable DHCP Server radio button. Enable DHCP Server is the default. If Enabled is selected, enter the following parameters:
a. Enter the Domain Name of the router (this is optional). b. Enter the S tarting IP Address. This address specifies the first of the contiguous addresses
in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
c. Enter the Ending IP Address. This address specifies the last of the contiguous addresses
in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between the Starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address.
Note: The Starting and Ending DHCP addresses should be in the same “network”
as the LAN TCP/IP address of the router (the IP Address in LAN TCP/IP
Setup section).
d. Enter a WINS Server IP address. This box can specify the Windows NetBios Server IP if
one is present in your network. This field is optional.
e. Enter a Lease Time. This specifies the duration for which IP addresses will be leased to
clients.
f. Check the Enable DNS Proxy radio box. This is optional—the default is enabled. If
enabled, the VPN firewall will provide a LAN IP Address for DNS address name resolution.
Note: If you change the LAN IP address of the firewall while connected through the
browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must enter http://10.0.0.1 in your browser to reconnect to the web management interface.
5. Click Apply to save your settings.
LAN Configuration 3-3
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
6. Click Reset to discard any changes and revert to the previous configuration.
Note: Once you have completed the LAN IP setup, all outbound traffic is allowed
and all inbound traffic is discarded. To change these traffic rules, refer to
Chapter 4, “Firewall Protection and Content Filtering.

Configuring Multi Home LAN IPs

If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or
10.0.0.0), then you can add “aliases” to the LAN port thereby giving computers on those networks
access to the Internet. This allows the firewall to act as a gateway to additional logical subnets on your LAN. You can assign the firewall an IP address on each additional logical subnet
•The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the router.
•The IP Address is the “alias” added to the LAN port of the router . This will be the gateway for computers that need to access the Internet.
•The Subnet Mask is the IPv4 Subnet Mask.
To add a secondary LAN IP address:
1. Enter the IP Address and the Subnet Mask in the respective fields of the Add Secondary LAN IP Address section.
2. Click Add. The new Secondary LAN IP address will appear in the A vailable Secondary LAN IPs table.
3. Click Select all to select all the entries in the Available Secondary LAN IPs table. All the
radio buttons are selected.
4. Click Delete to delete only those entries with checked radio buttons from the Available Secondary LAN IPs table.
3-4 LAN Configuration
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
.
Figure 3-2
Note: Additional IP addresses cannot be configured in the DHCP server. The hosts on
the secondary subnets must be manually configured with IP addresses, gateway IP and DNS server IPs.
To make changes to the selected entry:
1. Click Edit in the Action column adjacent to the selected entry. The Edit Secondary LAN IP Setup screen will display.
2. Modify the IP Address and Subnet Mask fields and click Apply.
LAN Configuration 3-5
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
3. Click Reset to discard any changes and revert to the previous settings.
Tip: The Secondary LAN IP address will be assigned to the LAN interface of the
router and can be used as a gateway by the secondary subnet.

Managing Groups and Hosts (LAN Groups)

The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this router. Collectively, these entries make up the Network Database. The Network Database is created in two ways:
DHCP Client Requests. By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database. Because of this, leaving the DHCP Server feature (on the LAN screen) enabled is strongly recommended.
Scanning the Network. The local network is scanned using standard methods such as ARP. This will detect active devices which are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined, and will be shown as Unknown.

Creating the Network Database

Some advantages of the Network Database are:
Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the desired PC or device.
No need to reserve an IP address for a PC in the DHCP Server. All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you.
No need to use a Fixed IP on PCs. Because the address allocated by the DHCP Server will never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP address.
MAC level control over PCs. The Network Database uses the MAC address to identify each PC or device. So changing a PC’s IP address does not affect any restrictions on that PC.
Group and individual control over PCs.
3-6 LAN Configuration
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
You can assign PCs to Groups and apply restrictions to each Group using the Firewall
Rules screen (see “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-1).
You can also select the Groups to be covered by the Block Sites feature (see “Setting
Block Sites (Content Filtering)” on page 4-25).
If necessary, you can also create Firewall Rules to a pply to a single PC (see “Enabling
Source MAC Filtering” on page 4-27). Because the MAC address is used to identify each
PC, users cannot avoid these restrictions by changing their IP address.
A computer is identified by its MAC address—not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC.
This Known PCs and Devices table lists entries in the Network Database. For each computer or device, the following fields are displayed:
Name: The name of the PC or device. For computers that do not support the NetBIOS protocol, this will be listed as “Unknown” (you can edit the entry manually to add a meaningful name). If the computer was assigned an IP address by the DHCP server, then the Name will be appended by an asterisk.
IP Address: The current IP address of the computer. For DHCP clients of the router, this IP address will not change. If a computer is assigned a static IP addresses, you will need to update this entry manually if the IP address on the computer has been changed.
MAC Address: The MAC address of the PC’s network interface.
Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to Group 1, unless a different group is selected from the Group pull-down menu .
Action: Allows modification of the selected entry by clicking Edit.
To add computers to the network database manually:
1. Select Network Configuration from the main menu and LAN Groups from the submenu. The Groups and Hosts screen will display.
2. In the Add Known PCs and Devices table, enter the name of the PC or device.
3. From the IP Address Type pull-down menu, select Reserved (DHCP Client) to direct the
router to reserve the IP address for allocation by the DHCP server, or select Fixed (Set on PC) if the IP address is statically assigned on the computer.
Note: When assigning a Reserved IP address to a client, the IP address selected must
be outside the range of addresses allocated to the DHCP Server pool.
LAN Configuration 3-7
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
4. Enter the IP Address that this computer or device is assigned in the IP Address field. If the IP Address Type is Reserved (DHCP Client), the router will reserve the IP address for the associated MAC address.
5. Enter the MAC Address of the computer’s network interface in the MAC Addre ss field. The MAC address should be in the form: xx:xx:xx:xx:xx:xx (for example: 00:80:48:2a:8b:c0 that contain numbers 0-9 and letters a-f).
6. From the Group pull-down menu, enter the Group to which the computer will be assigned. (Group 1 is the default group.)
7. Click Add. The device will be added to the Known PCs and Devices table.
Figure 3-3
To edit the information of any of the Known PCs or Devices:
1. Click Edit in the Action column opposite the name of the device. The Edit Gr oups and Hosts screen will display.
2. Modify any of the fields on this screen.
3. Click Reset to cancel your settings and return to the previous settings.
3-8 LAN Configuration
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
4. Click Apply to save your new settings. The modified record will appear in the Know PCs and Devices table.
To edit the names of any of the eight available groups:
1. Click Edit Group Names at the upper right of the Groups and Hosts screen. The Network Database Group Names screen will display.
2. Check the radio button opposite the Group Name you want to change and type a suitable name
in the field.
3. Click Reset to discard any changes and reve rt to the previous settings.
4. Click Apply to save the settings.
Figure 3-4

Setting Up Address Reservation

When you specify a reserved IP address for a device on the LAN (based on the MAC address of the device), that computer or device will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP settings. The Reserved IP address that you select must be outside of the DHCP Server pool.
LAN Configuration 3-9
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see “Creating the Network Database” on page 3-6).
Note: The reserved address will not be assigned until the next time the PC contacts the
firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.

Configuring and Enabling the DMZ Port

The De-Militarized Zone (DMZ) is a network which, when compared to the LAN, has fewer firewall restrictions, by default. This zone can be used to host servers (such as a web server, ftp server, or email server, for example) and give public access to the m. The eighth LAN port on the router can be dedicated as a hardware DMZ port for safely providing services to the Internet, without compromising security on your LAN.
The DMZ port feature is also helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, local PCs can run the application properly if those PCs are used on the DMZ port.
Note: A separate firewall security profile is provided for the DMZ port that is
independent of the standard firewall security used for the LAN.
The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see “Router Front Panel” on page 1-6) and configure an IP address and Mask for the DMZ port.
To enable and configure the DMZ port:
1. From the main menu, select Network Configuration and then select DMZ Setup from the submenu. The DMZ Setup screen will display.
2. Check the Do you want to enable DMA Port? radio box.
3. Enter an IP Address and the Subnet mask for the DMZ port. Make sure that the DMZ port IP
address and LAN Port IP address are in different subnets (for example, an address outside the LAN Address pool, such as 192.168.1.101).
3-10 LAN Configuration
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Figure 3-5
4. If desired, Enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router’s DMZ network. Then configure the following items:
a. Starting IP Address – This box specifies the first of the contiguous addresses in the IP
address pool.
b. Ending IP Address – This box specifies the last of the contiguous addresses in the IP
address pool.
c. WINS Server – This box specifies the Windows Internet Naming Service Server IP. d. Lease Time – This box specifies the Lease time to be given to the DHCP Clients. e. Enable DNS Proxy – If enabled, the VPN firewall will as a DNS for address resolution.
5. Click Reset to cancel changes made on this screen and revert to the previous settings.
6. Click Apply to save your settings. The DMZ LED next to LAN port 8 (see “Router Front
Panel” on page 1-6) will light up indicating that the DMZ port has been enabled.
If another device on your DMZ network will be the DHCP server, or if you will manually configure all devices, leave the Disable option (default) checked.
To define the DMZ WAN Rules and LAN DMZ Rules, see “Setting DMZ WAN Rules” on
page 4-10 and “Setting LAN DMZ Rules” on page 4-12, respectively.
LAN Configuration 3-11
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Static Routes

Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You should configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.

Configuring Static Routes

To add or edit a static route:
1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display.
2. Click Add. The Add Static Route menu, shown below, will display.
3. Enter a route name for this static route in the Route Name field (for identification and
management).
Figure 3-6
3-12 LAN Configuration
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
4. Select Active to make this route effective.
5. Select Private if you want to limit access to the LAN only. The static route will not be
advertised in RIP.
6. Enter the Destination IP Address to the host or network to which the route leads.
7. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter
255.255.255.255.
8. Enter the Interface which is the physical network interface (WAN1, WAN2, or LAN) through which this route is accessible.
9. Enter the Gateway IP Address through which the destination host or network can be reached (must be a firewall on the same LAN segment as the firewall).
10. Enter the Metric priority for this route. If multiple routes to the same destination exit, the route with the lowest metric is chosen. (value must be between 1 and 15),
11. Click Reset to discard any changes and revert to the previous settings.
12. Click Apply to save your settings. The new static route will be added to Route table. You can edit the route’s settings by clicking Edit in the Action column adjacent to the route.

Routing Information Protocol (RIP)

RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default.
To configure RIP parameters:
1. Select Network Configuration from the main menu and Routing from the submenu. When the Routing screen displays, click RIP Configuration. The RIP Configuration screen will display.
2. From the RIP Direction pull-down menu, select the direction in which the router will send and receives RIP packets. The choices are:
None – The router neither broadcasts its route table nor does it accept any RIP packets
from other routers. This effectively disables RIP.
Both – The router broadcasts its routing table and also processes RIP information received
from other routers.
LAN Configuration 3-13
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Out Only – The router broadcasts its routing table periodically but does not accept RIP
information from other routers.
In Only – The router accepts RIP information from other routers, but does not broadcast
its routing table.
Figure 3-7
3. From the RIP Version pull-down menu, select the version:
RIP-1 – A classful routing that does not include subnet information. This is the most
commonly supported version.
RIP-2 – Supports subnet information. Both RIP-2B and RIP-2M send the routing data in
RIP-2 format:
RIP-2B Sends the routing data in RIP-2 format and uses subnet broadcasting.
RIP-2M Sends the routing data in RIP-2 format and uses multicasting.
3-14 LAN Configuration
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
4. Authentication for RIP2B/2M required? If you selected RIP-2B or RIP-2M, check the YES radio box to enable the feature, and input the First Key Parameters and Second Key
Parameters MD-5 keys to authenticate between routers.
5. Click Reset to discard any changes and revert to the previous settings.
6. Click Save to save your settings.

Static Route Example

For example, you may require a static route if:
Your primary Internet access is through a cable modem to an ISP.
You have an ISDN firewall on your home network for connecting to the company where you are employed. This firewall’s address on your LAN is 192.168.1.100.
Your company’s network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.1.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company’s firewall.
In this case you must define a static route, telling your firewall that 134.177.0.0 should be accessed through the ISDN firewall at 192.168.1.100.
In this example:
The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
The Gateway IP Address fields specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192.168.1.100.
A Metric value of 1 will work since the ISDN firewall is on the LAN.
Private is selected only as a precautionary security measure in case RIP is activated.

Enabling Trend Micro Antivirus Enforcement

If you installed the Trend Micro Client/Server Messagi ng Suite for SMB on yo ur local network, the firewall can enforce antivirus scanning. When Antivirus Enforcement is selected, local PCs
LAN Configuration 3-15
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
will not be allowed web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions.
To enable Trend Micro:
1. Select Security from the main menu and Trend Micro from the submenu. The Trend Micro screen will display.
2. In the Do you want to enable the Antivirus Enforcement? section, check the Yes radio box.
Figure 3-8
3. Enter the Office Scan Server IP Address on the LAN.
4. Then enter the 5-digit port number used for communications between the Office Scan clients and the server in the Office Scan Client Communication Port.
5. Finally, enter the Office Scan Server HTTP Port (by default port 8080).
6. Click Apply.
To allow a PC to access the web without the OfficeScan client:
1. Enter the IP address of a PC to be excluded in the Add Host table and then click Add. The PC address will appear in the Host Exclusion List table.
2. Add additional PCs, one at a time, until all of the PCs to be excluded are contained in the Host Exclusion List.
3-16 LAN Configuration
v1.0, August 2006
3. Click Apply to submit your changes.
Note: The Office Scan Server must also appear in the exclusion list!
Note: Follow the instructions in the Trend Micro documentation to complete the
installation and configuration of the Trend Micro OfficeScan Server.
ProSafe VPN Firewall 200 FVX538 Reference Manual
LAN Configuration 3-17
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
3-18 LAN Configuration
v1.0, August 2006
Chapter 4
Firewall Protection and Content Filtering
This chapter describes how to use the content filtering features of the ProSafe VPN Firewall 200 to protect your network. These features can be found by selecting Security from the main menu and selecting Block Sites from the submenu of the browser interface.
About Firewall Protection and Content Filtering
The ProSafe VPN Firewall 200 provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, Web addresses and Web address keywords. You can also block Internet access by applications and services, such as chat or games.
A firewall is a special category of router that protects one network (the “trusted” network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two. You can further segment keyword blocking to certain known groups (see “Managing Groups and Hosts (LAN Groups)” on page 3-6 to set up LAN Groups).
A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.

Using Rules to Block or Allow Specific Kinds of Traffic

Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the FVX538. Inbound rules (W AN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
Firewall Protection and Content Filtering 4-1
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVX538 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
The firewall rules for blocking/allowing traffic on the VPN firewall can be applied to LAN/WAN traffic, DMZ/WAN traffic and LAN/DMZ traffic.

Services-Based Rules

The rules to block traffic are based on the traffic’s category of service.
Outbound Rules (service blocking) – Outbound traffic is normally allowed unless the firewall is configured to disallow it.
Inbound Rules (port forwarding) – Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
Customized Services – Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic (see “Adding Customized Services” on page 4-21.
Quality of Service (QoS) priorities – Each service at its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change this QoS priority if desired to change the traffic mix through the system (see “Setting Quality of Service (QoS)
Priorities” on page 4-23).
Outbound Rules (Service Blocking)
The FVX538 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
Note: See “Enabling Source MAC Filtering” on page 4-27 for yet another way to block
outbound traffic from selected PCs that would otherwise be allowed by the firewall.
4-2 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 4-1. Outbound Rules
Item Description
Service Name Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-21).
Action (Filter) Select the desired action for outgoing connections covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block Note: Any outbound traffic which is not blocked by rules you create will be allowed by the Default rule. ALLOW rules are only useful if the traffic is already covered by a BLOCK rule. That is, you wish to allow a subset of traffic that is currently blocked by another rule.
Action (Select Schedule)
LAN users These settings determine which computers on your network are affected by this rule.
WAN Users These settings determine which Internet locations are covered by the rule, based on
DMZ Users These settings determine which DMZ computers on DMZ network are affected by
Select the desired time schedule (i.e., Schedule1, Schedule2, or Schedule3) that will be used by this rule.
• This drop down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
• Use schedule page to configure the time schedules (see “Setting a Schedule to
Block or Allow Specific Traffic” on page 4-24).
Select the desired options:
• Any – All PCs and devices on your LAN.
• Single address – Enter the required address and the rule will be applied to that particular PC.
• Address range – If this option is selected, you must enter the start and finish fields.
• Groups – Select the Group to which this rule will apply. Use the LAN Groups screen (under Network Configuration) to assign PCs to Groups. See “Managing Groups
and Hosts (LAN Groups)” on page 3-6.
their IP address. Select the desired option:
• Any – All Internet IP address are covered by this rule.
• Single address – Enter the required address in the start field.
• Address range – If this option is selected, you must enter the start and end fields.
this rule. Select the desired options.
• Any – All PCs and devices on your DMZ network.
• Single address – Enter the required address and the rule will be applied to that particular PC on the DMZ network.
• Address range – If this option is selected, you must enter the start and finish fields of the DMZ computers.
Firewall Protection and Content Filtering 4-3
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 4-1. Outbound Rules (continued)
Item Description
QoS Priority This setting determines the priority of a service which, in turn, determines the quality
of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy. See “Setting Quality of Service (QoS) Priorities”
on page 4-23.
Log This determines whether packets covered by this rule are logged. Select the desired
action:
• Always – always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
• Never – never log traffic considered by this rule, whether it matches or not.
Inbound Rules (Port Forwarding)
Because the FVX538 uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is al so known as port forwarding.
Whether or not DHCP is enabled, how the PCs will access the server’s LAN address impacts the Inbound Rules. For example:
If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP
address may change periodically as the DHCP lease expires. Consider using Dyamic DNS (under Network Configuration) so that external users can always find your network (see
“Configuring Dynamic DNS (If Needed)” on page 2-15.
If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, use the Reserved IP address feature in the LAN Groups menu (under Network Configuration) to keep the PC’s IP address constant (see “Setting Up Address
Reservation” on page 3-9.
Local PCs must access the local server using the PCs’ local LAN address. Attempts by local PCs to access the server using the external WAN IP address will fail.
Note: See “Port Triggering” on page 4-28 for yet another way to allow certain types
of inbound traffic that would otherwise be blocked by the firewall.
4-4 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 4-2. Inbound Rules
Item Description
Services Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-21).
Action (Filter) Select the desired action for packets covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block Note: Any inbound traffic which is not allowed by rules you create will be blocked by the Default rule.
Action (Select Schedule)
LAN Server or DMZ Server
Translate to Port Number
WAN Users These settings determine which Internet locations are covered by the rule, based on
WAN Destination IP Address
Select the desired time schedule (i.e., Schedule1, Schedule2, or Schedule3) that will be used by this rule (see “Setting a Schedule to Block or Allow Specific Traffic” on
page 4-24).
• This drop down menu gets activated only when “BLOCK by schedule, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
• Use schedule page to configure the time schedules.
This LAN address or DMZ Server address determines which computer on your network is hosting this service rule. (You can also translate this address to a port number.)
Check the “Translate to Port Number” and enter a port number if you want to assign the LAN Server to a specific port.
their IP addresses. Select the desired option:
• Any – All Internet IP address are covered by this rule.
• Single address – Enter the required address in the start field.
• Address range – If this option is selected, you must enter the start and end fields.
This setting determines the destination IP address applicable to incoming traffic. This is the public IP address that will map to the internal LAN server; it can either be the address of the WAN1 or WAN2 ports or another public IP address
.
Firewall Protection and Content Filtering 4-5
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 4-2. Inbound Rules (continued)
Item Description
QoS Priority This setting determines the priority of a service, which in turn, determines the quality
of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e., leaves it as None), then the native priority of the service will be applied to the policy. See “Setting Quality of Service (QoS) Priorities”
on page 4-23.
Log This determines whether packets covered by this rule are logged. Select the desired
action:
• Always – Always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
• Never – Never log traffic considered by this rule, whether it matches or not.
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your VPN firewall. Only enable those ports that are necessary for your network. It is also advisable to turn on the server application security and invoke the user password or privilege levels, if provided.
4-6 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 4-1:
Figure 4-1
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The Up and Down button allows you to relocate a defined rule to a new position in the table.

Setting LAN WAN Rules

The Default Outbound Policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (Outbound). The default policy of Allow Always can be changed to block all outbound traffic which then allows you to enable only specific services to pass through the router.
To change the Default Outbound Policy:
1. Select Security from the main menu and Firewall Rules from the submenu. The LAN WAN Rules screen will display.
Firewall Protection and Content Filtering 4-7
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply..
Figure 4-2
To make changes to an existing outbound or inbound service rule:
1. In the Action column adjacent to the rule click:
Edit – to make any changes to the rule definition of an existing rule. The Outbound
Service screen will display containing the data for the selected rule (see Figure 4-3 on
page 4-9).
Up – to move the rule up one position in the table rank.
Down – to move the rule down one position in the table rank.
2. Check the radio box adjacent to the rule and click:
Click Disable to disable the rule. The “!” Status icon will change from green to grey,
indicating that the rule is disabled. (By default, when a rule is added to the table it is automatically enabled.)
Click Delete to delete the rule.
3. Click Select All to select all rules. A check will appear in the radio box for each rule.
4-8 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
LAN WAN Outbound Services Rules
You may define rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. The outbound rule will block the selected application from any internal IP LAN address to any external WAN IP address according to the schedule created in the Schedule menu.
You can also tailor these rules to your specific needs (see “Administrator Tips” on page 4-35).
Note: This feature is for Advanced Administrators only! Incorrect configuration will
cause serious problems.
To create a new outbound service rule:
1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service screen will display.
..
Figure 4-3
2. Complete the Outbound Service screen, and save the data (see Table 4-1 on page 4-3).
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
Firewall Protection and Content Filtering 4-9
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
LAN WAN Inbound Services Rules
This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network.
To create a new inbound service rule:
1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen will display.
Figure 4-4
2. Complete the Add WAN LAN Inbound Services screen (see Table 4-2 on page 4-5).
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Inbound Services table.

Setting DMZ WAN Rules

The firewall rules for traffic between the DMZ and the WAN/Internet are configured on the DMZ WAN Rules screen. The Default Outbound Policy is to allow all traffic from and to the Internet to
pass through. Firewall rules can then be applied to block specific types of traffic from either going
4-10 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
out from the DMZ to the Internet (Outbound) or coming in from the Internet to the DMZ (Inbound). The default outbound policy can be changed to bloc k all outbound traffic and enable only specific services to pass through the router by adding an Outbound services Rule.
Figure 4-5
Firewall Protection and Content Filtering 4-11
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
To change the Default Outbound Policy:
1. Select Security from the main menu, Firewall Rules from the submenu and then select the DMZ WAN Rules tab. The DMZ WAN Rules screen will display.
2. Click Add under the Outbound Services table. The Add DMZ WAN Outbound Services
screen will display.
3. Accept the default settings to block all services or sele ct a specific service to block from the Services pull-down menu.
4. Click Apply. The Block Always rule will appear in the Outbound Services table. The rule is automatically enabled.
The procedures described in “Setting LAN WAN Rules” on page 4-7 for setting inbound and outbound rules on the standard LAN firewall are the same as the procedures used for setting inbound and outbound rules on the DMZ port firewall.

Setting LAN DMZ Rules

The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The Default Outbound and Inbound Policies is to allow all traffic between the local LAN and DMZ network. Firewall rules can then be applied to block specific types of traffic from either going out from the L AN to the DMZ (Outbound) or coming in from the DMZ to the LAN (Inbound).
To access the LAN DMZ Rules screen:
1. Select Security on the main menu, then select Firewall Rules and click the LAN DMZ Rules tab. The LAN DMZ Rules screen will display showing the both the Outbound Services and Inbound Services tables.
Figure 4-6
4-12 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
To make changes to an existing outbound or inbound LAN DMZ service rule:
1. In the Action column adjacent to the rule click:
Edit – to make any changes to the rule definition. The Outbound Service screen will
display containing the data for the selected rule “Outbound Rules (Service Blocking)” on
page 4-2).
Up – to move the rule up one position in the table rank.
Down – to move the rule down one position in the table rank.
2. Check the radio box adjacent to the rule and:
Click Disable to disable the rule. The “!” Status icon will change from green to grey,
indicating that the rule is disabled. (By default, when a rule is added to the table it is automatically enabled.)
Click Delete to delete the rule.
3. Click Select All to select all rules. A check will appear in the radio box for each rule.
LAN DMZ Outbound Services Rules
To create a new outbound LAN DMZ service rule:
1. Click Add under the Outbound Services Table. The Add LAN DMZ Outbound Service screen will display.
Figure 4-7
Firewall Protection and Content Filtering 4-13
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
2. Complete the Outbound Service screen, and save the data (see “Outbound Rules (Service
Blocking)” on page 4-2).
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
LAN DMZ Inbound Services Rules
To define an In bound LAN DMZ Rule:
1. Click Add under the Inbound Services table. The Add LAN DMZ Inbound Service screen will display.
2. Complete the Inbound Service screen and save the data (see “Inbound Rules (Port
Forwarding)” on page 4-4).
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your settings. The new rule will be added to the Inbound Services table.

Attack Checks

This screen allows you to specify whether or not the router should be protected against common attacks in the DMZ, LAN and WAN networks. The various types of attack checks are listed on the
Attack Checks screen and defined below:
WAN Security Checks
Respond To Ping On Internet Ports. If you want the router to respond to a “Ping” from
the Internet, click this check box. This can be used as a diagnostic tool. You shouldn't check this box unless you have a specific reason to do so.
Enable Stealth Mode . If enabled, the router will not respond to port scans from the WAN,
thus making it less susceptible to discovery and attacks.
Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker
sends a succession of SYN requests to a target system. When the system responds, the attacker doesn’t complete the connections, thus leaving the connection half-open and flooding the server with SYN messages. No legitimate connections can then be made.
When enabled, the router will drop all invalid TCP packets and will be protected from a SYN flood attack.
4-14 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) see that no application is listening at that port and (3) reply with an ICMP Destination Unreachable packet.
When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker’s network location anonymous.
If enabled, the router will not accept more than 20 simultaneous, active UDP connections from a single computer on the LAN.
VPN Pass through. When the router is in NAT mode, all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy.
For example, if a VPN Client or Gateway on the LAN side of this router wants to connect to another VPN endpoint on the WAN (placing this router between two VPN end points), encrypted packets are sent to this router. S ince this router filters the encrypted packets through NAT, the packets become invalid unless VPN Pass through is enabled.
When enabled, the VPN tunnel will pass the VPN traffic without any filtering. Tunnels can be: –IPSec –PPTP –L2TP
To enable the appropriate Attack Checks for your environment:
1. Select Security from the main menu, Firewall Rules from the submenu and then the Attack Checks tab. The Attack Checks screen will display.
2. Check the radio boxes of the Attack Checks you wish to initiate.
Firewall Protection and Content Filtering 4-15
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
3. Click Apply to save your settings.
Figure 4-8

Inbound Rules Examples

LAN WAN Inbound Rule: Hosting A Local Public Web Server
If you host a public W eb ser ver on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown in Figure 4-9.
Figure 4-9
4-16 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example, CU­SeeMe connections are allowed only from a specified range of external IP addresses.
Figure 4-10
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping
In this example, we will configure multi-NAT to support multiple public IP addresses on one WAN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a Web server on the LAN.
If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses will be used as the primary IP address of the router. This address will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.
The following addressing scheme is used to illustrate this procedure:
Netgear FVX538 ProSafe VPN Firewall – WAN1 IP address: 10.1.0.118 – LAN IP address subnet: 192.168.1.1; subnet 255.255.255.0 – DMZ IP address subnet: 192.168.10.1; subnet 255.255.255.0
Firewall Protection and Content Filtering 4-17
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Web server PC on the firewall’s LAN – LAN IP address: 192.168.1.2 – DMZ IP Address: 192.168.10.2 – Access to Web server is (simulated) public IP address: 10.1.0.52
Tip: If you arrange with your ISP to have more than one public IP address for your use,
you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses will be used as the primary IP address of the router which will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.
To configure the FVX538 for additional IP addresses:
1. Select Security from the main menu and Firewall Rules from the submenu.
2. If your server is to be on your LAN, select LAN WAN Rules. If your server is to be on your DMZ, select DMZ WAN Rules.
3. Click Add under the Inbound Services table. The Add LAN WAN Inbound Service screen
will display.
4. From the Service pull-down menu, select the HTTP service for a Web server.
Figure 4-11
5. From the Action pull-down menu, select Allow Always.
4-18 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
6. In the Send to LAN Server field, enter the local IP address of your Web server PC.
7. From the Public Destination IP Address pull down menu, choose Other Public IP Address.
8. Enter one of your public Internet addresses that will be used by clients on the Internet to reach
your Web server.
9. Click Apply.
Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-12). This rule is different from a normal inbound port forwarding rule in that the Des tination box contains an IP Address other than your normal WAN IP Address.
Figure 4-12
To test the connection from a PC on the Internet, type http://<IP_address>, where <IP_address> is the public IP address you have mapped to your Web server. You should see the home page of your Web server.
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.
To expose one of the PCs on your LAN or DMZ as this host:
1. Create an inbound rule that allows all protocols.
Firewall Protection and Content Filtering 4-19
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
2. Place the rule below all other inbound rules.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed
host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
1. Select Any and Allow Always (or Allow by Schedule)
2. Place rule below all other inbound rules
Figure 4-13

Outbound Rules Example

Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio or other non-essential sites.
LAN WAN Outbound Rule: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period.
4-20 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Figure 4-14

Adding Customized Services

Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services.
For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FVX538 already holds a list of many service port numbers, you are not limited to these choices. Use the Services screen to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 4-15.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups of newsgroups. When you have the port number information, you can enter it on the Services screen.
Firewall Protection and Content Filtering 4-21
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Figure 4-15
To add a customized service:
1. Select Security from the main menu and Services from the submenu. The Services screen will display.
2. In the Add Custom Service table, enter a descriptive name for the service (this is for your convenience).
3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses. If the service uses only one port, then the Start Port and the Finish Port will be the same.
5. Enter the last port of the range that the service uses. If the service only uses a single port number, enter the same number in both fields.
6. Click Add. The new custom service will be added to the Custom Services Table.
4-22 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
To edit the parameters of a service:
1. In the Custom Services Table, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display.
2. Modify the parameters you wish to change.
3. Click Reset to cancel the changes and restore the previous settings.
4. Click Apply to confirm your changes. The modified service will display in the Custom
Services Table.

Setting Quality of Service (QoS) Priorities

The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. The user can change this priority
•On the Services screen in the Custom Services Table for customized services (see Figure 4-
15).
•On the Add LAN WAN Outbound Services screen (see Figure 4-3.)
•On the Add DMZ WAN Outbound Services screen (see Figure 4-5)
The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall. A priority is assigned to IP packets using this service. Priorities are defined by the “Type of Service (ToS) in the Internet Protocol Suite” standards, RFC 1349 . A ToS priority for traffic passing through the VPN firewall is one of the following:
Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
Minimize-Cost: Used when data has to be transferred over a link that has a lower “cost”. The IP packets for services with this priority are marked with a ToS value of 1.
Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2.
Maximize-Throughput: Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a ToS value of 4.
Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a ToS value of 8.
Firewall Protection and Content Filtering 4-23
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Setting a Schedule to Block or Allow Specific Traffic

If you enabled Content Filtering in the Block Sites menu, or if you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules—Schedule 1, Schedule 2 or Schedule 3.
To invo ke rules and block keywords or Internet domains based on a schedule:
1. Select Security from the main menu and Schedule from the sub -menu. The Schedule 1 screen will display.
2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect.
3. Check the radio button to schedule the time of day: All Day, or Specific Times. If you chose Specific Times, enter the Start Time and End Time fields (Hour , Minute, AM/PM), whi ch will limit access during certain times for the selected days.
4. Click Reset to cancel your settings and revert to the previous settings.
5. Click Apply to save your settings to Schedule 1.
Repeat these 5 steps to set to a schedule for Schedule 2 and Schedule 3.
Figure 4-16
4-24 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Setting Block Sites (Content Filtering)

If you want to restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall’s Content Fi ltering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
Several types of blocking are available:
Web Components blocking. You can block the following Web component types: Proxy , Java, ActiveX, and Cookies. Even sites on the Trusted Domains list will be subject to Web Components blocking when the blocking of a particular Web component is enabled.
Keyword Blocking (Domain Name Blocking). Yo u can specify up to 32 words that, should they appear in the Web site name (URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall.
You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled.
You can bypass Keyword block ing for trusted domains by adding the exact m atching domain to the list of Trusted Domains. Access to the domains or keywords on this list by PCs, even those in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.
Keyword application examples:
If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX.
If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
If you wish to block all Internet browsing access, enter the keyword “.”.
To enable Content Filtering:
1. Select Security from the main menu and Block Sites from the sub-menu. The Block Sites screen will display.
2. Check the Yes radio button to enable Content Filtering.
3. Check the radio boxes of any Web Components you wish to block.
4. Check the radio buttons of the groups to which you wish to apply Keyword Blocking. Click Enable to activate Keyword blocking (or disable to deactivate Keyword Blocking).
Firewall Protection and Content Filtering 4-25
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
5. Build your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After each entry , click Add. The Keyword or Domain name will be added to the Blocked Keywords table. (You can also edit an entry by clicking Edit in the Action column adjacent to the entry.)
6. Build a list of Trusted Domains in the Trusted Domains fields. After each entry, click Add. The Trusted Domain will appear in the Trusted Domains table. (You can also edit any entry by clicking Edit in the Action column adjacent to the entry.)
7. Click Reset to cancel your changes and revert to the previous settings.
8. Click Apply to save your settings.
Figure 4-17
4-26 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual

Enabling Source MAC Filtering

Source MAC Filter allows you to filter out traffic coming from certain known machines or devices.
By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed.
When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in Available MAC Addresses to be Blocked table.
Figure 4-18
Note: For additional ways of restricting outbound traffic, see “Outbound Rules
(Service Blocking)” on page 4-2
To enable MAC filtering and add MAC addresses to be blocked:
1. Select Security from the main menu and Source MAC Filter from the sub-menu. The Source MAC Filter screen will display.
2. Check the Yes radio box in the MAC Filtering Enable section.
Firewall Protection and Content Filtering 4-27
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
3. Build your list of Source MAC Addresses to be block by entering the first MAC address in the MAC Address field in the form xx:xx:xx:xx:xx:xx where x is a numeric (0 to 9) or an
alphabet between and a and f (inclusive), for example: 00:e0:4c:69:0a:
4. Click Add. The Mac Address will be added to the Available MAC Addresses to be Blocked table. (You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC Address.)
5. Click Reset to cancel a MAC address entry before adding it to the table.
6. Click Apply to save your settings.
To remove an entry from the table, select the MAC address entry and click Delete. T o select all the list of MAC addresses, click Select All. A checkmark will appear in the box to the
left of each MAC address in the Available MAC Addresses to be Blocked table
.

Port Triggering

Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the Application.
Once configured, Port Triggering operates as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. The VPN firewall records this connection, opens the additional INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PCs request and responds using the different port numbers that you have now opened.
4. The VPN firewall matches the response to the previous request, and forwards the response to the PC.
Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules:
Only one PC can use a Port Triggering application at any time.
4-28 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router canno t be sure when the application has terminated.
Note: For additional ways of allowing inbound traffic, see “Inbound Rules (Port
Forwarding)” on page 4-4.
To add a Port Triggering Rule:
1. Select Security from the main menu and Port Triggering from the submenu. The Port Triggering screen will display.
1. Enter a user-defined name for this rule in the Name field.
2. From the Enable pull-down menu, indicate if the rule is enabled or disabled.
Firewall Protection and Content Filtering 4-29
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Figure 4-19
3. From the Protocol pull-down menu, select either TCP or UDP protocol.
4. In the Outgoing (Trigger) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534).
5. In the Incoming (Response) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534).
4-30 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table.
To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
2. Modify any of the fields for this rule.
3. Click Reset to cancel any changes and return to the previous settings.
4. Click Apply to save your modifications. Your changes will appear in the Port Triggering Rules table.
To check the status of the Port Triggering rules, click the Status link on the Port Tr iggering screen.
Figure 4-20

E-Mail Notifications of Event Logs and Alerts

The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For example, your VPN firewall will log security-related events such as: accepted and dropped packets on different segments of your LAN or DMZ; denied incoming and outgoing service requests; hacker probes and Login attempts; and other general information based on the settings you input on the Firewall Logs & E-mail screen. In addition, if you have set up Content Filtering on the Block Sites screen (see
“Setting Block Sites (Content Filtering)” on page 4-25), a log will be generated when someone on
your network tries to access a blocked site.
Firewall Protection and Content Filtering 4-31
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-22 on
page 4-34). Selecting all events will increase the size of the log, so it is good practice to select only
those events which are required.
Figure 4-21
To set up Firewall Logs and E-mail alerts:
1. Select Monitoring from the main menu and then Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display.
2. Enter the name of the log in the Log Identifier field. Log Identifier is a mandatory field used to identify the log messages. The ID appended to log messages.
4-32 Firewall Protection and Content Filtering
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select: Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection.
4. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
5. In the System Logs section, check the radio box for the type of system events to be logged.
6. Check the Yes radio box to enable E-mail Logs. Then enter: a. E-mail Server address – Enter the outgoing E-mail SMTP mail server address of your
ISP (for example, 172.16.1.10). If you leave this box blank, no logs will be sent to you.
b. Return E-mail Address – Enter the e-mail address of the user. c. Send To E-mail Address – Enter the e-mail address where the logs and alerts should be
sent. You must use the full e-mail address (for example, ChrisXY@myISP.com).
7. The No Authentication radio box is checked by default. If your SMTP server authenticates users, uncheck the radio box by selecting the authentication type—either Login Plain or CRAM-MD5—based on your SMTP server requirements. Then enter the user name and password to be used for authentication.
8. If you want to respond to IDENT protocol, check the Respond to Identd from SMTP Server radio box. The Ident Protocol is an Internet protocol that helps identify the user of a particular TCP connection (a common daemon program for providing the ident service is identd).
9. You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click the Yes radio box to enable SysLogs and send messages to the syslog server, then:
a. Enter your SysLog Server IP address b. Select the appropriate syslog facility from the SysLog Facility pull-down menu. The
SysLog Facility levels of severity are described in Table 4-3 below.
10. Click Reset to cancel your changes and return to the previous settings.
11. Click Apply to save your settings.
Table 4-3. SysLog Facility Message Levels
Numerical Code Severity
0 Emergency: System is unusable 1 Alert: Action must be taken immediately 2 Critical: Critical conditions 3 Error: Error conditions
Firewall Protection and Content Filtering 4-33
v1.0, August 2006
ProSafe VPN Firewall 200 FVX538 Reference Manual
Table 4-3. SysLog Facility Message Levels (continued)
Numerical Code Severity
4 Warning: Warning conditions 5 Notice: Normal but significant conditions 6 Informational: Informational messages 7 Debug: Debug level messages
To view the Firewall logs:
1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display.
2. If the E-mail Logs options as been enabled, you can send a copy of the log by clicking send log.
3. Click refresh log to retrieve the latest update; and click clear log to delete all entries.
Log entries are described in Table 4-4.
Figure 4-22
4-34 Firewall Protection and Content Filtering
v1.0, August 2006
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use