NETGEAR FVX538 User Manual

ProSafe VPN Firewall 200 FVX538 Reference Manual

NETGEAR, Inc.

4500 Great America Parkway Santa Clara, CA 95054 USA

August 2006 202-10062-04 v1.0

Trademarks

NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.

NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.

Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.

• Consult the dealer or an experienced radio/TV technician for help.

EU Regulatory Compliance Statement

ProSafe VPN Firewall 200 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1.

Bestätigung des Herstellers/Importeurs

Es wird hiermit bestätigt, daß das ProSafe VPN Firewall 200 gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/ 1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.

Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.

Certificate of the Manufacturer/Importer

It is hereby certified that the ProSafe VPN Firewall 200 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however , be subject to certain restricti ons. Please refer to the notes in the operating instructions.

1.0, August 2006

Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.

Voluntary Control Council for Interference (VCCI) Statement

This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.

When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.

Additional Copyrights

subject to the following conditions:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission.

This software is provided 'as is' with no express or implied warranties of correctness or fitness for purpose.

1.0, August 2006

iii

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions * are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

1.0, August 2006

License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 MessageDigest Algorithm" in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.

Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endor s e or promote products derive d from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Zlib zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th,

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:

1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.

2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.

3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu The data format used by the zlib library is described by RFCs (Request for Comments) 1950

to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt and rfc1952.txt (gzip format)

(zlib format), rfc1951.txt (deflate format)

1.0, August 2006

Product and Publication Details

Model Number: FVX538 Publication Date: August 2006 Product Family: VPN Firewall Product Name: ProSafe VPN Firewall 200 Home or Business Product: Business Language: English Publication Part Number: 202-10062-04 Publication Version Number 1.0

1.0, August 2006

About This Manual

Conventions, Formats and Scope ...................................................................................xiii

How to Use This Manual ..................................................................................................xiv

How to Print this Manual ..................................................................................................xiv

Revision History ..................... ... .......................................... .......................................... ...xv

Chapter 1 Introduction

Key Features ..................................................................................................................1-1

Dual WAN Ports for Increased Reliability or Outbound Load Balancing ..................1-2

A Powerful, True Firewall with Content Filtering ......................................................1-2

Security Features .....................................................................................................1-3

Autosensing Ethernet Connections with Auto Uplink ...............................................1-3

Extensive Protocol Support ......................................................................................1-3

Trend Micro Integration ............................................................................................1-4

Easy Installation and Management ..........................................................................1-4

Maintenance and Support .................. .... ... ... ... .......................................... ... .... ... ... ..1-5

Package Contents ..........................................................................................................1-5

Router Front Panel ...................................................................................................1-6

Router Rear Panel ...................................................................................................1-8

Rack Mounting Hardware .........................................................................................1-9

The Router’s IP Address, Login Name, and Password ............................................1-9

Default Log In Settings ...........................................................................................1-10

Chapter 2 Connecting the FVX538 to the Internet

Logging into the VPN Firewall ................................................... ... ... ... ............................2-1

Configuring the Internet Connections to Your ISPs ........................................................2-2

Setting the Router’s MAC Address ........................... ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..2-5

Manually Configuring Your Internet Connection ........ .......................... .....................2-5

v1.0, August 2006

vii

Programming the Traffic Meter (if Desired) ..............................................................2-7

Configuring the WAN Mode (Required for Dual WAN) .... ....................................... ... ...2-10

Setting Up Auto-Rollover Mode .......................... ....... ...... ....... ...... ....... ...... ....... ... ...2-11

Setting Up Load Balancing .....................................................................................2-13

Configuring Dynamic DNS (If Needed) .........................................................................2-15

Configuring the Advanced WAN Options (If Needed) ................................................ ...2-18

Chapter 3 LAN Configuration

Using the Firewall as a DHCP server .............................................................................3-1

Configuring the LAN Setup Options ................ ......................................................... 3-2

Configuring Multi Home LAN IPs .............................................................................3-4

Managing Groups and Hosts (LAN Groups) ...................................................................3-6

Creating the Network Database ...... ... .... ... ... ... ... .......................................... .... ... ... ..3-6

Setting Up Address Reservation ..................... ......................................................... 3-9

Configuring and Enabling the DMZ Port .......................................................................3-10

Static Routes ................................................................................................................3-12

Configuring Static Routes .......................................................................................3-12

Routing Information Protocol (RIP) ........................................................................3-13

Static Route Example .............................................................................................3-15

Enabling Trend Micro Antivirus Enforcement ...............................................................3-15

Chapter 4 Firewall Protection and Content Filtering

Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-1

Services-Based Rules ........................................ .... ... ... ... .........................................4-2

Outbound Rules (Service Blocking) ...................................................................4-2

Inbound Rules (Port Forwarding) ......................................................................4-4

Order of Precedence for Rules ................................................................................4-7

Setting LAN WAN Rules .............................................................. ............................4-7

LAN WAN Outbound Services Rules .................................................................4-9

LAN WAN Inbound Services Rules .................................................................4-10

Setting DMZ WAN Rules .................................... .... ... .......................................... ...4-10

Setting LAN DMZ Rules .........................................................................................4-12

LAN DMZ Outbound Services Rules ...............................................................4-13

LAN DMZ Inbound Services Rules ..................................................................4-14

Attack Checks .................................................... .... ... ....................................... ... ...4-14

viii

v1.0, August 2006

Inbound Rules Examples .......................................................................................4-16

LAN WAN Inbound Rule: Hosting A Local Public Web Server ........................4-16

LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses 4-17

LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping 4-17

LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host .............4-19

Outbound Rules Example ................................................................ ... ...................4-20

LAN WAN Outbound Rule: Blocking Instant Messenger .................................4-20

Adding Customized Services .................................................................................4-21

Setting Quality of Service (QoS) Priorities ............................................................. 4-23

Setting a Schedule to Block or Allow Specific Traffic .................................... ... ... .... ... ...4-24

Setting Block Sites (Content Filtering) ................ .................................................... ......4-25

Enabling Source MAC Filtering ....................................................................................4-27

Port Triggering ............................. .... ... ... ... .... .......................................... ......................4-28

E-Mail Notifications of Event Logs and Alerts ......................................... ......................4-31

Administrator Tips .........................................................................................................4-35

Chapter 5 Virtual Private Networking

Dual WAN Port Systems .................................................................................................5-1

Setting up a VPN Connection using the VPN Wizard .....................................................5-3

Creating a VPN Tunnel to a Gateway ......................................................................5-4

Creating a VPN Tunnel Connection to a VPN Client ....................... ... ... ... ... .... ... ... ..5-7

VPN Tunnel Policies ................................. .... ... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ................5-10

IKE Policy ........................................ ... .... ... ... ... ... .... ... ....................................... ... ...5-10

Managing IKE Policies ................. .... ... ... ... ... .... ... .......................................... ...5-11

IKE Policy Table . .......................................... .......................................... ..........5-11

VPN Policy ................... ... ... ... .... ...................................... .... ... ... ... .... ... ... ... .............5-12

Managing VPN Policies ......................................................................... .... ... ...5-12

VPN Policy Table ................ ... ... ... .... ... ... ..........................................................5-13

VPN Tunnel Connection Status ..............................................................................5-13

Creating a VPN Gateway Connection: Between FVX538 and FVS338 .......................5-14

Configuring the FVX538 .........................................................................................5-14

Configuring the FVS338 .........................................................................................5-19

Testing the Connection ...........................................................................................5-20

Creating a VPN Client Connection: VPN Client to FVX538 ....................... ... ... ... .... ... ...5-20

Configuring the FVX538 .........................................................................................5-20

v1.0, August 2006

Configuring the VPN Client ....................... .......................................... ... ... ... .... ... ...5-22

Testing the Connection ...........................................................................................5-26

Certificate Authorities ...................................................................................................5-27

Generating a Self Certificate Request ....................................................................5-28

Uploading a Trusted Certificate ..............................................................................5-30

Managing your Certificate Revocation List (CRL) .. ... ... ..........................................5-30

Extended Authentication (XAUTH) Configuration ............................ ................... ..........5-31

Configuring XAUTH for VPN Clients ......................................................................5-32

User Database Configuration .... ... ... ... .... .......................................... ... ... ... .............5-34

RADIUS Client Configuration .................................................................................5-35

Manually Assigning IP Addresses to Remote Users (ModeConfig) .............................5-37

Mode Config Operation ...... .......................................... ..........................................5-37

Configuring the VPN Firewall .......... .......................................... ... .... ... ... ... ... .... ... ...5-38

Configuring the ProSafe VPN Client for ModeConfig .......................................... ...5-41

Chapter 6 Router and Network Management

Performance Management ................................. .......................................... ... ... .... ........ 6-1

Bandwidth Capacity .................. ... ... ... .... ... ... .......................................... ..................6-1

VPN Firewall Features That Reduce Traffic .............................................................6-2

Service Blocking .......................... .... ... ... ... ... .... ... .......................................... ..... 6-2

Block Sites .........................................................................................................6-4

Source MAC Filtering ........................................................................................6-4

VPN Firewall Features That Increase Traffic ...........................................................6-5

Port Forwarding ..................................... ... .......................................... ... .... ... ..... 6-5

Port Triggering ....................... ... ... .... ... ...............................................................6-6

DMZ Port ...........................................................................................................6-7

VPN Tunnels ................................................ .... .......................................... ........6-7

Using QoS to Shift the Traffic Mix ............................................................................6-7

Tools for Traffic Management .......... ... .... ... ... ... ... .... ... .......................................... ..... 6-8

Administration ..................................... ............................................. ...............................6-8

Changing Passwords and Settings ..........................................................................6-8

Enabling Remote Management Access .................................................................6-10

Using a SNMP Manager ........................................................................................6-11

Settings Backup and Firmware Upgrade ...............................................................6-13

Backup and Restore Settings ..........................................................................6-14

v1.0, August 2006

Router Upgrade ...............................................................................................6-15

Setting the Time Zone ........ ... .... ... ... .......................................... ... .... ... ...................6-16

Monitoring the Router ......................................... ... ... .......................................... .... ... ...6-17

Enabling the Traffic Meter ......................................................................................6-17

Setting Login Failures and Attacks Notification ................................ ...................... 6-19

Monitoring Attached Devices .................................................................................6-20

Viewing Port Triggering Status ...............................................................................6-22

Viewing Router Configuration and System Status .................................................6-23

Monitoring WAN Ports Status .......................... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ...6-24

Monitoring VPN Tunnel Connection Status ...................................... ... ... ... ... .... ... ...6-25

VPN Logs ........... ... ... .... ... ... ... ....................................... ... .... ... ... ... .... ... ...................6-26

DHCP Log ..............................................................................................................6-27

Performing Diagnostics ...... ... .... ... ... ... .... ................................................................6-27

Chapter 7 Troubleshooting

Basic Functions ..............................................................................................................7-1

Power LED Not On ...................................................................................................7-1

LEDs Never Turn Off ................................................................................................7-2

LAN or Internet Port LEDs Not On ......... ... ... ... ... .... ... ... .......................................... ..7-2

Troubleshooting the Web Configuration Interface ..........................................................7-2

Troubleshooting the ISP Connection ..............................................................................7-4

Troubleshooting a TCP/IP Network Using a Ping Utility .................................................7-5

Testing the LAN Path to Your Firewall ......................................................................7-5

Testing the Path from Your PC to a Remote Device ................................................7-6

Restoring the Default Configuration and Password ............... .........................................7-7

Problems with Date and Time .........................................................................................7-7

Appendix A Default Settings and Technical Specifications

Appendix B Related Documents

Appendix C Network Planning for Dual WAN Ports

What You Will Need to Do Before You Begin ................................................................C-1

Cabling and Computer Hardware Requirements ....................................................C-3

Computer Network Configuration Requirements ......................... .... ... ... ... ... .... ... ... . C-3

v1.0, August 2006

Internet Configuration Requirements ...................................................................... C-3

Where Do I Get the Internet Configuration Parameters? ........................................ C-4

Internet Connection Information Form ....................................................................C-5

Overview of the Planning Process ................................................................................. C-6

Inbound Traffic ........................................................................................................C-6

Virtual Private Networks (VPNs) ............................................................................. C-6

The Roll-over Case for Firewalls With Dual WAN Ports ..........................................C-7

The Load Balancing Case for Firewalls With Dual WAN Ports ...............................C-7

Inbound Traffic ...............................................................................................................C-8

Inbound Traffic to Single WAN Port (Reference Case) ...........................................C-8

Inbound Traffic to Dual WAN Port Systems ............................................................ C-8

Inbound Traffic: Dual WAN Ports for Improved Reliability ................................C-9

Inbound Traffic: Dual WAN Ports for Load Balancing .......................................C-9

Virtual Private Networks (VPNs) .................................................................................. C-10

VPN Road Warrior (Client-to-Gateway) ................................................................ C-1 1

VPN Road Warrior: Single Gateway WAN Port (Reference Case) ................. C-12

VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability .........C-12

VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing ................ C-13

VPN Gateway-to-Gateway ........... ...... .... ... ............................................................ C-14

VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case) ..C-14

VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability C-15

VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing ...C-17

VPN Telecommuter (Client-to-Gateway Through a NAT Router) ..........................C-17

VPN Telecommuter: Single Gateway WAN Port (Reference Case) ...............C-18

VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability ........C-18

VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing ..............C-20

Index

xii

v1.0, August 2006

About This Manual

The NETGEAR® ProSafe™ VPN Firewall 200 describes how to install, configure and troubleshoot the ProSafe VPN Firewall 200. The information in this manual is intended for readers with intermediate computer and Internet skills.

Conventions, Formats and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs.

• Typographical Conventions. This manual uses the following typographical conventions:

Italics Emphasis, books, CDs, URL names

Bold User input

Fixed Screen text, file and server names, extensions, commands, IP addresses

• Formats. This manual uses the following formats to highlight special messages:

Note: This format is used to highlight information of importance or special interest.

Tip: This format is used to highlight a procedure that will save time or resources.

Warning: Ignoring this type of note may result in a malfunction or damage to the

equipment.

Danger: This is a safety warning. Failure to take heed of this notice may result in

personal injury or death.

v1.0, August 2006

xiii

ProSafe VPN Firewall 200 FVX538 Reference Manual

• Scope. This manual is written for the VPN firewall according to the following specifications:

Product Version ProSafe VPN Firewall 200 Manual Publication Date August 2006

For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, “Related Documents.”

Note: Updates to this product are available on the NETGEAR, Inc. website at

http://kbserver.netgear.com/products/FVX538.asp.

How to Use This Manual

The HTML version of this manual includes the following:

• Buttons, an d , for browsing forward or backward through the manual one page at a time.

• A button that displays the table of contents and a button that displays the Index. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual.

• A button to access the full NETGEAR, Inc. online knowledge base for the product model.

• Links to PDF versions of the full manual and individual chapters.

How to Print this Manual

To print this manual you can choose one of the following options, according to your needs.

• Printing a Page from HTML. Each page in the HTML version of the manual is dedicated to a major topic. Select File > Print from the browser menu to print the page contents.

• Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at

http://www.adobe.com.

– Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page.

xiv

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

• Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window.

• Click the print icon in the upper left of your browser window.

– Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link

at the top left of any page.

• Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual opens in a browser window.

• Click the print icon in the upper left of your browser window.

Tip: If your printer supports printing two pages on a single sheet of paper, you can

save paper and printer ink by selecting this feature.

Revision History

Part Number

202-10062-04 1.0 Product update: New firmware and a new user interface.

Version Number

Description

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

xvi

v1.0, August 2006

Chapter 1

Introduction

The ProSafe VPN Firewall 200 with eight 10/100 ports and one 1/100/1000 port connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.

The FVX538 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support. The VPN firewall supports multiple Web content filtering options, plus browsing activity reporting and instant alerts—both via e-mail. Network administrators can establish restricted access policies based on time-of-day, Website addresses and address keywords.

The FVX538 is a plug-and-play device that can be installed and configured within minutes.

Key Features

The VPN firewall provides the following features:

• Dual 10/100 Mbps Ethernet WAN ports for load balancing or failover protection, providing increased system reliability, load balancing, or link aggregation. The WAN ports do not respond at all to unsolicited traffic (stealth mode).

• Support for up to 200 simultaneous IPSec VPN tunnels.

• Bundled with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L)

• Proactive policy enforcement for anti-virus and anti-spam security with integrated Trend Micro support.

• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and multimedia.

• Built-in 10/100 Mbps ports plus 1 Gigabit Switch port.

• One console port for local management.

• SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100).

• Easy, web-based setup for installation and management.

• Advanced SPI Firewall and Multi-NAT support.

• Extensive Protocol Support.

Introduction 1-1

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

• Login capability.

• Front panel LEDs for easy monitoring of status and activity.

• Flash memory for firmware upgrade.

• One U Rack mountable.

Dual WAN Ports for Increased Reliability or Outbound Load Balancing

The FVX538 has two broadband WAN ports, WAN1 and WAN2, each capable of operating independently at speeds of either 10 Mbps or 100 Mbps. The two WAN ports let you connect a second broadband Internet line that can be configured on a mutually-exclusive basis to:

• Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.

• Load balance, or use both Internet lines simultaneously for the outgoing traffic. The firewall balances users between the two lines for maximum bandwidth efficiency.

See “Network Planning for Dual WAN Ports” on page C-1 for the planning factors to consider when implementing the following capabilities with dual WAN port gateways:

• Single or multiple exposed hosts

• V irtual private networks

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT routers, the FVX538 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:

• DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.

• Secure Firewall. Blocks unwanted traffic from the Internet to your LAN.

• Block Sites. Blocks access from your LAN to Internet locations or services that you specify as off-limits.

• Logs security incidents. The FVX538 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.

1-2 Introduction

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

• Keyword Filtering. With its URL keyword filtering feature, the FVX538 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Security Features

The VPN firewall is equipped with several features designed to maintain security, as described in this section.

• PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.

• Port Forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.

• DMZ port. Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal 8-port 10/100 switch, the FVX538 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The firewall incorporates Auto Uplink whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

technology. Each Ethernet port will automatically sense

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol to “Internet Configuration Requirements” in Appendix C.”

Introduction 1-3

(RIP). For further information about TCP/IP, refer

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

• IP Address Sharing by NAT. The VPN firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.

• Automatic Configuration of Attached PCs by DHCP. The VPN firewall dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.

• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.

• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.

Trend Micro Integration

If you have installed the Trend Micro Client/Server/Messaging Suite for SMB on your local network, you can have the firewall enforce its use. When Antivirus Enforcement is selected, local PCs will not be allowed Web access unless they have the Trend Micro OfficeScan client installed and updated with the latest virus definitions.

The Client/Server/Messaging Suite for Small and Medium Business protects file servers, mail servers, and PCs on your network —including antispam capability. The Client/Server Suite for Small and Medium Business protects files servers and PCs.

• Both products deliver a layered defense against viruses and other malicious code.

• Unlike competing antivirus products, both products work your NETGEAR VPN Firewall to enforce antivirus policies - end users cannot access the Internet unless they have antivirus protection with current pattern files installed.

• Both products are specifically built to meet the needs of growing businesses and feature easy installation, automatic transparent updates, and damage cleanup capability.

• Activate either product for a free trial.

Easy Installation and Management

You can install, configure, and operate the ProSafe VPN Firewall 200 within minutes after connecting it to the network. The following features simplify installation and management tasks:

1-4 Introduction

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

• Browser-Based Management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.

• Auto Detect. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.

• VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.

• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.

• Diagnostic Functions. The firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.

• Remote Management. The firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.

• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:

• Flash memory for firmware upgrade

• Free technical support seven days a week, 24 hours a day, according to the terms identified in the Warranty and Support information card provided with your product.

Package Contents

The product package should contain the following items:

• ProSafe VPN Firewall 200.

• AC power cable.

Introduction 1-5

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

• 19-inch rack mounting hardware and rubber feet.

• Category 5 (Cat5) Ethernet cable.

• Installation Guide, FVX538 ProSafe VPN Firewall 200

• Resource CD, including: – Application Notes and other helpful information. – ProSafe VPN Client Software – five user licenses. – Trend Micro software evaluation.

• Warranty and Support Information Card.

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.

Router Front Panel

The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.

12 3 4 5 6 7

Figure 1-1

Table 1-1 describes each item on the front panel and its operation.

Table 1-1. Object Descriptions

Object Activity Description

1. Power LED

2. Test LED

1-6 Introduction

On (Green) Off

On (Amber) Blinking (Amber) Off

Power is supplied to the firewall. Power is not supplied to the firewall.

Test mode: The system is initializing or the initialization has failed. Writing to Flash memory (during upgrading or resetting to defaults). The system has booted successfully.

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

Table 1-1. Object Descriptions (continued)

Object Activity Description

Two RJ-45 WAN ports N-way automatic speed negotiation, Auto MDI/MDIX. Link/Act LED

3. WAN Ports and LEDs

4. LAN Ports and LEDs

5. Gigabit Port and LEDs

On (Green) Blinking (Green) Off

100 LED

On (Green) Off

Active LED

On (Green) On (Amber)

Off

8-port RJ-45 10/100 Mbps Fast Ethernet Switch

Link/Act LED

On (Green) Blinking (Green) Off

100 LED

On (Green) Off

DMZ (port 8)

On (Green)

Off Gbit RJ-45 connector Port for connecting to a gigabit Ethernet device. Link/Act LED

On (Green)

Blinking (Green)

Off Speed LED

On (Green)

On (Amber)

Off

The WAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the WAN port. The WAN port has no link.

The WAN port is operating at 100 Mbps. The WAN port is operating at 10 Mbps.

The WAN port has a valid Internet connection. The Internet connection is down or not being used because the port is available for failover in case the connection on other WAN port fails. The WAN port is either not enabled or has no link.

N-way automatic speed negotiation, auto MDI/MDIX.

The LAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the LAN port. The LAN port has no link.

The LAN port is operating at 100 Mbps. The LAN port is operating at 10 Mbps.

Port 8 is operating as a dedicated hardware DMZ port. Port 8 is operating as a normal LAN port.

The LAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the LAN port. The LAN port has no link.

The LAN port is operating at 1,000 Mbps. The LAN port is operating at 100 Mbps. The LAN port is operating at 10 Mbps.

Introduction 1-7

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

Table 1-1. Object Descriptions (continued)

Object Activity Description

6. Console Port

7. Factory Defaults

DB9 male connector Port for connecting to an optional console terminal. Default baud rate

is 115.2K; pinouts: (2) Tx, (3) Rx, (5) and (7) Gnd.

—> push in with a sharp object

Factory Defaults reset push button (see Appendix A, “Default

Settings and Technical Specifications” for the factory defaults).

Router Rear Panel

The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection.

Figure 1-2

Viewed from left to right, the rear panel contains the following elements:

1. AC power in

2. On/Off switch

1-8 Introduction

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

Rack Mounting Hardware

The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in Figure 1-3).

Figure 1-3

The Router’s IP Address, Login Name, and Password

Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information:

• IP Address:

•User name:

• Password:

http://192.168.1.1 to reach the Web-based GUI from the LAN

admin

password

LAN IP Address User Name Password

Figure 1-4

Introduction 1-9

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

Default Log In Settings

To log in to the FVX538 once it is connected:

1. Open a Web browser.

2. Enter

http://192.168.1.1 as the URL.

Figure 1-5

3. Once the login screen displays (Figure 1-5), enter the following information:

•

admin for User Name password for Password

•

1-10 Introduction

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

Introduction 1-11

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

1-12 Introduction

v1.0, August 2006

Chapter 2

Connecting the FVX538 to the Internet

T ypically, six steps are required to complete the basic connection of your firewall. Setting up VPN tunnels are covered in Chapter 5, “Virtual Private Networking.”

1. Connect the firewall physically to your network. Connect the cables, turn on your router

and wait for the Test LED to go out. Make sure your Ethernet and LAN LEDs are lit. (See the

Installation Guide, FVX538 ProSafe VPN Firewall 200 for complete steps. A PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.)

2. Log in to the firewall. After logging in, you are ready to set up and configure your firewall.

You can also change your password and enable remote management at this time.

3. Configure the Internet connections to your ISP(s). During this phase, you will connect to

your ISPs. You can also program the WAN traffic meters at this time if desired.

4. Configure the WAN mode (required for dual WAN operation). Select either auto-rollover

mode or load balancing mode (on a mutually exclusive basis). For load balancing, you can also select the protocol bindings.

5. Configure dynamic DNS on the WAN ports (if needed). Configure your fully qualified

domain names during this phase (if required).

6. Configure the WAN options (if needed). Optionally, you can enable each WAN port to

respond to a ping. You can also change the factory default MTU size, port speed, and uplink bandwidth. However, these are advanced features and changing them is not usually required.

Logging into the VPN Firewall

To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. If you need instructions on how to configure you computer for DHCP, refer to the link in Appendix B, “Related Documents.

To log in to the VPN firewall:

1. Connect to the firewall by typing http://192.168.1.1 in the address field of Interne t Explorer,

Mozilla Firefox or Netscape® Navigator.

Connecting the FVX538 to the Internet 2-1

v1.0, August 2006

ProSafe VPN Firewall 200 FVX538 Reference Manual

2. When prompted, enter admin for the firewall user name and password for the firewall

password, both in lower case letters. (The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.)

3. Click Login.

Note: You might want to enable remote management at this time so that you can log

in remotely in the future to manage the firewall (see “Enabling Remote

Management Access” on page 6-10). If you enable remote management, you

are strongly advised to change your password (see “Changing Passwords and

Settings” on page 6-8).

Configuring the Internet Connections to Your ISPs

You should first configure your Internet connections to your ISPs on WAN port 1, and then configure WAN port 2 second.

To automatically configure the WAN ports and connect to the Internet:

1. The WA N1 ISP Settings screen similar to the one shown in Figure 2-1 should display when you log in. (If the screen does not display, select the primary menu option Network Configuration and the sub-menu option WAN Settings.

2-2 Connecting the FVX538 to the Internet

v1.0, August 2006

+ 192 hidden pages