FVX538 Reference Manual
Page 1
ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 USA March 2009 202-10062-09 v1.0
Page 2
...ii 1.0, March 2009 All rights reserved. Trademarks NETGEAR and the NETGEAR logo are registered trademarks and ProSafe and ProSecure are registered trademarks or trademarks of NETGEAR, Inc. EU Regulatory Compliance Statement ProSafe VPN Firewall 200 is verified by NETGEAR, Inc. Bestätigung des Herstellers/Importeurs ...-AmtsblVfg 243/1991 und Vfg 46/ 1992 aufgeführten Bestimmungen entstört ist. NETGEAR does not assume any liability that the ProSafe VPN Firewall 200 has been suppressed in a particular installation. These limits are registered trademarks of the product(s) ...
Page 8
ProSafe VPN Firewall 200 FVX538 Reference Manual Chapter 3 LAN Configuration Choosing the Firewall DHCP Options 3-1 Configuring the LAN Setup Options 3-2 Configuring Multi Home LAN IPs 3-5 Managing Groups and Hosts (LAN Groups 3-6 Creating the ...DMZ Port 3-10 Static Routes ...3-12 Configuring Static Routes 3-12 Routing Information Protocol (RIP 3-14 Static Route Example 3-16 Chapter 4 Firewall Protection and Content Filtering About Firewall Protection and Content Filtering 4-1 Using Rules to Block or Allow Specific Kinds of Traffic 4-2 Services-Based Rules 4-2 Outbound Rules (Service...
Page 9
ProSafe VPN Firewall 200 FVX538 Reference Manual Outbound Rules Example 4-24 LAN WAN Outbound Rule: Blocking Instant Messenger 4-25 Adding Customized Services 4-25 Setting Quality of Service (QoS)... Connection 5-8 Testing the Connections and Viewing Status Information 5-12 NETGEAR VPN Client Status and Log Information 5-12 FVX538 VPN Connection Status and Logs 5-14 VPN Tunnel Policies ...5-15 IKE Policy ...5-15 Managing IKE Policies 5-15 IKE Policy Table 5-16 VPN Policy ...5-17 Managing VPN Policies 5-17 VPN Policy Table 5-18 Certificate Authorities 5-19 Generating a Self Certificate...
Page 10
ProSafe VPN Firewall 200 FVX538 Reference Manual Extended Authentication (XAUTH) Configuration 5-23 Configuring XAUTH for VPN Clients 5-24 User Database Configuration 5-25 RADIUS Client Configuration 5-27 Assigning IP Addresses to Remote Users (ModeConfig 5-29 Mode Config Operation 5-29 Configuring the VPN Firewall 5-30 Configuring the ProSafe VPN Client for ModeConfig 5-33 Chapter 6 Router and Network Management Performance Management 6-1 Bandwidth Capacity 6-1 VPN Firewall Features That...
Page 11
ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing Port Triggering Status 6-24 Viewing Router Configuration and System Status 6-25 Monitoring WAN Ports Status 6-26 Monitoring VPN Tunnel Connection Status 6-27 VPN Logs ...6-28 DHCP Log ...6-29 Performing Diagnostics 6-29 Chapter 7 Troubleshooting Basic Functions... Information Form B-5 Overview of the Planning Process B-6 Inbound Traffic ...B-6 Virtual Private Networks (VPNs B-6 The Roll-over Case for Firewalls With Dual WAN Ports B-7 The Load Balancing Case for Firewalls With Dual WAN Ports B-7 Contents xi v1.0, March 2009
Page 12
...VPN Gateway-to-Gateway B-14 VPN Gateway-to -Gateway Through a NAT Router B-17 VPN Telecommuter: Single Gateway WAN Port (Reference Case B-18 VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability ........ B-14 VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability B-15 VPN Gateway-to -Gateway B-11 VPN... C-7 Traffic Metering Logs C-9 Unicast Logs ...C-9 ICMP Redirect Logs C-9 xii Contents v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic ...B-8 Inbound Traffic to Single WAN Port (Reference Case B-8 Inbound Traffic to Dual...
Page 13
ProSafe VPN Firewall 200 FVX538 Reference Manual Multicast/Broadcast Logs C-9 FTP Logging ...C-10 Invalid Packet Logging C-10 Routing Logs ...C-13 LAN to WAN Logs C-13 LAN to DMZ Logs C-14 DMZ to WAN Logs C-14 WAN to LAN Logs C-14 DMZ to LAN Logs C-14 WAN to DMZ Logs C-15 Appendix D Related Documents Appendix E Two Factor Authentication Why do I need Two-Factor Authentication E-1 What are the benefits of Two-Factor Authentication E-1 What is Two-Factor Authentication E-2 NETGEAR Two-Factor Authentication Solutions E-2 Index Contents xiii v1.0, March 2009
Page 14
ProSafe VPN Firewall 200 FVX538 Reference Manual xiv Contents v1.0, March 2009
Page 15
... type of importance or special interest. xv v1.0, March 2009 About This Manual The NETGEAR® ProSafe™ VPN Firewall 200 describes how to the equipment. Warning: Ignoring this manual are described in a malfunction or damage to install, configure and troubleshoot the ProSafe VPN Firewall 200. This manual uses the following typographical conventions: Italics Bold Fixed italics Emphasis, books...
Page 16
... to this notice may result in Appendix D, "Related Documents." IKE Keep Alive; website at http://kbserver.netgear.com/products/FVX538.asp. Jan. 2007 Remove Trend Micro Jul. 2007 New features: IP/MAC Binding; Dead Peer Detection; ProSafe VPN Firewall 200 FVX538 Reference Manual Danger: This is a safety warning. Note: Updates to Appendix C Mar. 08 Maintenance release Mar...
Page 17
...modem. The FVX538 is a complete security solution that can establish restricted access policies based on page 1-9 Key Features The VPN firewall provides the following sections: • "Key Features" on page 1-1 • "Package Contents" on page 1-5 • "Router Front and Rear...port connects your network from attacks and intrusions. Introduction 1-1 v1.0, March 2009 Chapter 1 Introduction The ProSafe VPN Firewall 200 with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Quality of Service (QoS) and SIP 2.0 support for traffic prioritization...
Page 18
... sharing NAT routers, the FVX538 is inoperable, ensuring you specify as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing. • Secure Firewall. Its firewall features include: • DoS protection. Automatically detects and thwarts DoS attacks such as off-limits. 1-2 Introduction v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual • SNMP Manageable, optimized for the NETGEAR ProSafe Network...
Page 19
... network or a 100 Mbps Fast Ethernet network. NAT opens a temporary path to your PCs. Security Features The VPN firewall is a response to specific PCs based on the LAN. • Port Forwarding with Auto Uplink With its URL keyword filtering feature, the FVX538 prevents objectionable content from the Internet is normally discarded by the... ports or ranges of your network. That port will automatically sense whether the Ethernet cable plugged into the port should have configured an inbound rule. ProSafe VPN Firewall 200 FVX538 Reference Manual • Logs security incidents.
Page 20
... VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of ISP account. • VPN Wizard. ProSafe VPN Firewall 200 FVX538 Reference Manual Extensive Protocol Support The VPN firewall ...supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). This feature greatly simplifies configuration of PCs on your type of the Virtual Private Network Consortium (VPNC) to the network. When DHCP is enabled and no DNS addresses are interoperable with other VPNC-compliant VPN routers...
Page 21
... Route, DNS lookup, and remote reboot. • Remote Management. Maintenance and Support NETGEAR offers the following items: • ProSafe VPN Firewall 200. • AC power cable. • 19-inch rack mounting hardware and rubber feet. • Category 5 (Cat5) Ethernet cable. • Installation Guide, FVX538 ProSafe VPN Firewall 200 • Resource CD, including: - If any of the parts are incorrect, missing...
Page 22
...MDI/MDIX. The WAN port has no link. 1-6 Introduction v1.0, March 2009 The WAN port is not supplied to the firewall. 2. Table 1-1. Object Descriptions Object Activity Description 1. The WAN port is either not enabled or has no link. 100 ...Link/Act LED On (Green) Blinking (Green) Off The WAN port has detected a link with a connected Ethernet device. ProSafe VPN Firewall 200 FVX538 Reference Manual Router Front and Rear Panels The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. 1 2 3 4 5 ...
Page 23
DMZ (port 8) On (Green) Off Port 8 is 115.2K; Default baud rate Port is operating as a normal LAN port. 5. ProSafe VPN Firewall 200 FVX538 Reference Manual Table 1-1. LAN Ports and LEDs 8-port RJ-45 10/100 Mbps Fast Ethernet Switch Link/Act LED On (Green) Blinking (Green) Off N-way ...
Page 24
On/Off switch Rack Mounting Hardware The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in 2. ProSafe VPN Firewall 200 FVX538 Reference Manual The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection. Figure 1-2 1 2 Viewed from left to right, the rear panel contains the following elements: 1. Figure 1-3 1-8 v1.0, March 2009 Introduction AC power in Figure 1-3).
Page 25
... Figure 1-5 Once the login screen displays, enter admin for the User Name and the password for Password. ProSafe VPN Firewall 200 FVX538 Reference Manual The Router's IP Address, Login Name, and Password Check the label on the bottom of the FVX538's enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to... Web-based GUI from the LAN • User name: admin • Password: password LAN IP Address User Name Password Figure 1-4 To log in to the FVX538 once it is connected, go to http://192.168.1.1.