FVX538 Reference Manual
Page 1
ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 USA March 2009 202-10062-09 v1.0
Page 2
... ii 1.0, March 2009 Other brand and product names are registered trademarks of the Manufacturer/Importer It is no guarantee that the ProSafe VPN Firewall 200 has been suppressed in accordance with the instructions, may , however, be determined by turning the equipment off and on a...accordance with the conditions set out in the operating instructions. EU Regulatory Compliance Statement ProSafe VPN Firewall 200 is verified by NETGEAR, Inc. All rights reserved. Please refer to part 15 of NETGEAR, Inc. These limits are trademarks of the FCC Rules. Das vorschriftsmä...
Page 8
ProSafe VPN Firewall 200 FVX538 Reference Manual Chapter 3 LAN Configuration Choosing the Firewall DHCP Options 3-1 Configuring the LAN Setup Options 3-2 Configuring Multi Home LAN IPs 3-5 Managing Groups and Hosts (LAN Groups 3-6 Creating the ...DMZ Port 3-10 Static Routes ...3-12 Configuring Static Routes 3-12 Routing Information Protocol (RIP 3-14 Static Route Example 3-16 Chapter 4 Firewall Protection and Content Filtering About Firewall Protection and Content Filtering 4-1 Using Rules to Block or Allow Specific Kinds of Traffic 4-2 Services-Based Rules 4-2 Outbound Rules (Service...
Page 9
ProSafe VPN Firewall 200 FVX538 Reference Manual Outbound Rules Example 4-24 LAN WAN Outbound Rule: Blocking Instant Messenger 4-25 Adding Customized Services 4-25 Setting Quality of Service (QoS)... Connection 5-8 Testing the Connections and Viewing Status Information 5-12 NETGEAR VPN Client Status and Log Information 5-12 FVX538 VPN Connection Status and Logs 5-14 VPN Tunnel Policies ...5-15 IKE Policy ...5-15 Managing IKE Policies 5-15 IKE Policy Table 5-16 VPN Policy ...5-17 Managing VPN Policies 5-17 VPN Policy Table 5-18 Certificate Authorities 5-19 Generating a Self Certificate...
Page 10
ProSafe VPN Firewall 200 FVX538 Reference Manual Extended Authentication (XAUTH) Configuration 5-23 Configuring XAUTH for VPN Clients 5-24 User Database Configuration 5-25 RADIUS Client Configuration 5-27 Assigning IP Addresses to Remote Users (ModeConfig 5-29 Mode Config Operation 5-29 Configuring the VPN Firewall 5-30 Configuring the ProSafe VPN Client for ModeConfig 5-33 Chapter 6 Router and Network Management Performance Management 6-1 Bandwidth Capacity 6-1 VPN Firewall Features That...
Page 11
ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing Port Triggering Status 6-24 Viewing Router Configuration and System Status 6-25 Monitoring WAN Ports Status 6-26 Monitoring VPN Tunnel Connection Status 6-27 VPN Logs ...6-28 DHCP Log ...6-29 Performing Diagnostics 6-29 Chapter 7 Troubleshooting Basic Functions... Information Form B-5 Overview of the Planning Process B-6 Inbound Traffic ...B-6 Virtual Private Networks (VPNs B-6 The Roll-over Case for Firewalls With Dual WAN Ports B-7 The Load Balancing Case for Firewalls With Dual WAN Ports B-7 Contents xi v1.0, March 2009
Page 12
... Gateway WAN Ports for Load Balancing ... B-12 VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing B-13 VPN Gateway-to-Gateway B-14 VPN Gateway-to -Gateway B-11 VPN Road Warrior: Single Gateway WAN Port (Reference Case B-12 VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability ......... ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic ...B-8 Inbound Traffic to...
Page 13
ProSafe VPN Firewall 200 FVX538 Reference Manual Multicast/Broadcast Logs C-9 FTP Logging ...C-10 Invalid Packet Logging C-10 Routing Logs ...C-13 LAN to WAN Logs C-13 LAN to DMZ Logs C-14 DMZ to WAN Logs C-14 WAN to LAN Logs C-14 DMZ to LAN Logs C-14 WAN to DMZ Logs C-15 Appendix D Related Documents Appendix E Two Factor Authentication Why do I need Two-Factor Authentication E-1 What are the benefits of Two-Factor Authentication E-1 What is Two-Factor Authentication E-2 NETGEAR Two-Factor Authentication Solutions E-2 Index Contents xiii v1.0, March 2009
Page 14
ProSafe VPN Firewall 200 FVX538 Reference Manual xiv Contents v1.0, March 2009
Page 15
... Command prompt, CLI text, code URL links • Formats. Tip: This format is used to install, configure and troubleshoot the ProSafe VPN Firewall 200. xv v1.0, March 2009 About This Manual The NETGEAR® ProSafe™ VPN Firewall 200 describes how to highlight a procedure that will save time or resources. The information in this manual are described in a malfunction...
Page 16
...Detection; ProSafe VPN Firewall 200 FVX538 Reference Manual Danger: This is a safety warning. Failure to this notice may result in Appendix D, "Related Documents." For more information about network, Internet, firewall, and VPN technologies...firewall scheduling topic xvi About This Manual v1.0, March 2009 IKE Keep Alive; Bandwidth Limits; Session Limits; Note: Updates to take heed of this product are available on the NETGEAR, Inc. website at http://kbserver.netgear.com/products/FVX538.asp. Oray Support Oct. 2007 Document corrections Oct. 2007 Document additions to the NETGEAR...
Page 17
... Switch port. • One console port for local management. The FVX538 is a complete security solution that can establish restricted access policies based on page 1-9 Key Features The VPN firewall provides the following features: • Dual 10/100 Mbps Ethernet WAN..." on page 1-5 • "Router Front and Rear Panels" on page 1-6 • "The Router's IP Address, Login Name, and Password" on time-of-day, Website addresses and address keywords. Chapter 1 Introduction The ProSafe VPN Firewall 200 with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • ...
Page 18
... port gateways: • Single or multiple exposed hosts • Virtual private networks A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT routers, the FVX538 is inoperable, ensuring you specify as Ping of status and activity. • Flash memory for firmware ...at speeds of either 10 Mbps or 100 Mbps. Dual WAN Ports for the outgoing traffic. ProSafe VPN Firewall 200 FVX538 Reference Manual • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). • Easy, web-based setup for installation and management. •...
Page 19
...a 'normal' connection such as to a PC or an 'uplink' connection such as to the correct configuration. Security Features The VPN firewall is a response to either type of your email address or email pager whenever a significant event occurs. • Keyword Filtering. ...users outside the LAN are autosensing and capable of ports. • DMZ port. ProSafe VPN Firewall 200 FVX538 Reference Manual • Logs security incidents. Requests originating from the local network. The FVX538 will accommodate either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet...
Page 20
...VPN routers and clients. • SNMP. This feature eliminates the need to attached PCs on the LAN using only a single IP address, which may be statically or dynamically assigned by NAT. The following features simplify installation and management tasks: • Browser-Based Management. The VPN firewall... account. • VPN Wizard. ProSafe VPN Firewall 200 FVX538 Reference Manual Extensive Protocol Support The VPN firewall supports the Transmission Control...the attached PCs. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the ...
Page 21
... Support information card provided with your product. Maintenance and Support NETGEAR offers the following items: • ProSafe VPN Firewall 200. • AC power cable. • 19-inch rack mounting hardware and rubber feet. • Category 5 (Cat5) Ethernet cable. • Installation Guide, FVX538 ProSafe VPN Firewall 200 • Resource CD, including: - The firewall allows you to login to a specified remote IP address...
Page 22
... has booted successfully. 3. WAN Ports and LEDs Two RJ-45 WAN ports N-way automatic speed negotiation, Auto MDI/MDIX. ProSafe VPN Firewall 200 FVX538 Reference Manual Router Front and Rear Panels The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. 1 2 3 4 ...Active LED On (Green) On (Amber) Off The WAN port has a valid Internet connection. Data is not supplied to the firewall. 2. The Internet connection is down or not being transmitted or received by the WAN port. Test LED On (Amber) Blinking (...
Page 23
... (Green) Off The LAN port is being transmitted or received by the LAN port. Console DB9 male connector Port for connecting to a gigabit Ethernet device. ProSafe VPN Firewall 200 FVX538 Reference Manual Table 1-1. The LAN port is 115.2K; Factory Push in with a sharp Factory Defaults reset push button (see Appendix A, "Default Defaults object Settings...
Page 24
ProSafe VPN Firewall 200 FVX538 Reference Manual The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection. AC power in Figure 1-3). Figure 1-2 1 2 Viewed from left to right, the rear panel contains the following elements: 1. Figure 1-3 1-8 v1.0, March 2009 Introduction On/Off switch Rack Mounting Hardware The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in 2.
Page 25
... screen displays, enter admin for the User Name and the password for Password. Introduction 1-9 v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual The Router's IP Address, Login Name, and Password Check the label on the bottom of the FVX538's enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to... Web-based GUI from the LAN • User name: admin • Password: password LAN IP Address User Name Password Figure 1-4 To log in to the FVX538 once it is connected, go to http://192.168.1.1.