FVX538 Reference Manual
Page 1
ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 USA March 2009 202-10062-09 v1.0
Page 2
... 1.0, March 2009 Trademarks NETGEAR and the NETGEAR logo are registered trademarks and ProSafe and ProSecure are designed to provide reasonable protection against harmful interference in accordance with the instructions, may cause harmful interference to the products described in der Betriebsanleitung. EU Regulatory Compliance Statement ProSafe VPN Firewall 200 is hereby certified that the ProSafe VPN Firewall 200 has been suppressed in...
Page 7
... 1-4 Easy Installation and Management 1-4 Maintenance and Support 1-5 Package Contents ...1-5 Router Front and Rear Panels 1-6 Rack Mounting Hardware 1-8 The Router's IP Address, Login Name, and Password 1-9 Chapter 2 Connecting the FVX538 to the Internet Logging into the VPN Firewall 2-1 Configuring the Internet Connections to Your ISPs 2-2 Setting the Router's MAC Address 2-4 Manually Configuring Your Internet Connection 2-4 Programming the...
Page 8
ProSafe VPN Firewall 200 FVX538 Reference Manual Chapter 3 LAN Configuration Choosing the Firewall DHCP Options 3-1 Configuring the LAN Setup Options 3-2 Configuring Multi Home LAN IPs 3-5 Managing Groups and Hosts (LAN Groups 3-6 Creating the ...DMZ Port 3-10 Static Routes ...3-12 Configuring Static Routes 3-12 Routing Information Protocol (RIP 3-14 Static Route Example 3-16 Chapter 4 Firewall Protection and Content Filtering About Firewall Protection and Content Filtering 4-1 Using Rules to Block or Allow Specific Kinds of Traffic 4-2 Services-Based Rules 4-2 Outbound Rules (Service...
Page 9
ProSafe VPN Firewall 200 FVX538 Reference Manual Outbound Rules Example 4-24 LAN WAN Outbound Rule: Blocking Instant Messenger 4-25 Adding Customized Services 4-25 Setting Quality of Service (QoS)... Connection 5-8 Testing the Connections and Viewing Status Information 5-12 NETGEAR VPN Client Status and Log Information 5-12 FVX538 VPN Connection Status and Logs 5-14 VPN Tunnel Policies ...5-15 IKE Policy ...5-15 Managing IKE Policies 5-15 IKE Policy Table 5-16 VPN Policy ...5-17 Managing VPN Policies 5-17 VPN Policy Table 5-18 Certificate Authorities 5-19 Generating a Self Certificate...
Page 10
ProSafe VPN Firewall 200 FVX538 Reference Manual Extended Authentication (XAUTH) Configuration 5-23 Configuring XAUTH for VPN Clients 5-24 User Database Configuration 5-25 RADIUS Client Configuration 5-27 Assigning IP Addresses to Remote Users (ModeConfig 5-29 Mode Config Operation 5-29 Configuring the VPN Firewall 5-30 Configuring the ProSafe VPN Client for ModeConfig 5-33 Chapter 6 Router and Network Management Performance Management 6-1 Bandwidth Capacity 6-1 VPN Firewall Features That...
Page 11
ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing Port Triggering Status 6-24 Viewing Router Configuration and System Status 6-25 Monitoring WAN Ports Status 6-26 Monitoring VPN Tunnel Connection Status 6-27 VPN Logs ...6-28 DHCP Log ...6-29 Performing Diagnostics 6-29 Chapter 7 Troubleshooting Basic Functions... Information Form B-5 Overview of the Planning Process B-6 Inbound Traffic ...B-6 Virtual Private Networks (VPNs B-6 The Roll-over Case for Firewalls With Dual WAN Ports B-7 The Load Balancing Case for Firewalls With Dual WAN Ports B-7 Contents xi v1.0, March 2009
Page 12
ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic ...B-8 Inbound Traffic to Single WAN Port (Reference Case B-8 Inbound Traffic to Dual WAN Port Systems B-8 Inbound Traffic: Dual WAN Ports for Improved Reliability B-9 Inbound Traffic: Dual WAN Ports for Load Balancing B-9 Virtual Private Networks (VPNs B-10 VPN Road Warrior (Client-to-Gateway B-11 VPN Road Warrior: Single Gateway WAN Port...
Page 13
ProSafe VPN Firewall 200 FVX538 Reference Manual Multicast/Broadcast Logs C-9 FTP Logging ...C-10 Invalid Packet Logging C-10 Routing Logs ...C-13 LAN to WAN Logs C-13 LAN to DMZ Logs C-14 DMZ to WAN Logs C-14 WAN to LAN Logs C-14 DMZ to LAN Logs C-14 WAN to DMZ Logs C-15 Appendix D Related Documents Appendix E Two Factor Authentication Why do I need Two-Factor Authentication E-1 What are the benefits of Two-Factor Authentication E-1 What is Two-Factor Authentication E-2 NETGEAR Two-Factor Authentication Solutions E-2 Index Contents xiii v1.0, March 2009
Page 14
ProSafe VPN Firewall 200 FVX538 Reference Manual xiv Contents v1.0, March 2009
Page 15
...importance or special interest. Warning: Ignoring this manual are described in a malfunction or damage to install, configure and troubleshoot the ProSafe VPN Firewall 200. This manual uses the following typographical conventions: Italics Bold Fixed italics Emphasis, books, CDs, file and server names, extensions... used to highlight a procedure that will save time or resources. xv v1.0, March 2009 About This Manual The NETGEAR® ProSafe™ VPN Firewall 200 describes how to the equipment. The information in this manual is used to highlight information of note may result in...
Page 16
website at http://kbserver.netgear.com/products/FVX538.asp. For more information about network, Internet, firewall, and VPN technologies, see the links to Appendix C Mar. 08 Maintenance release Mar. 09 Adds these corrections and topics for the March 2009 firmware maintenance release: • ... 1.0 202-10062-09 1.0 Aug. 2006 Product update: New firmware and a new user interface. Note: Updates to take heed of this product are available on the NETGEAR, Inc. Dead Peer Detection; ProSafe VPN Firewall 200 FVX538 Reference Manual Danger: This is a safety warning.
Page 17
...1000 port connects your network from attacks and intrusions. Introduction 1-1 v1.0, March 2009 Chapter 1 Introduction The ProSafe VPN Firewall 200 with the 5-user license of the NETGEAR ProSafe VPN Client software (VPN05L) • Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, ... e-mail. The FVX538 is a complete security solution that can establish restricted access policies based on page 1-9 Key Features The VPN firewall provides the following sections: • "Key Features" on page 1-1 • "Package Contents" on page 1-5 • "Router Front and Rear ...
Page 18
ProSafe VPN Firewall 200 FVX538 Reference Manual • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). • Easy, web-based setup for installation and management. • Advanced SPI Firewall and Multi-NAT support. • Extensive Protocol Support. • Login capability. ...: • Single or multiple exposed hosts • Virtual private networks A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT routers, the FVX538 is inoperable, ensuring you are never disconnected. • Load balance, or use both Internet...
Page 19
...designed to maintain security, as to Internet content by NAT. With its internal 8-port 10/100 switch, the FVX538 can configure the firewall to log and report attempts to one of discarding this section. • PCs Hidden by screening for requests ...originating from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to you can have configured an inbound rule. The firewall allows you have it forwarded to access objectionable Internet sites. ProSafe VPN Firewall 200 FVX538 Reference Manual • Logs security incidents.
Page 20
...ProSafe VPN Firewall 200 within minutes after connecting it to let you only for the information required for your local network. • DNS Proxy. The VPN firewall allows several networked PCs to the attached PCs. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN...IP Address Sharing by your PC. ProSafe VPN Firewall 200 FVX538 Reference Manual Extensive Protocol Support The VPN firewall supports the Transmission Control Protocol/Internet ... no DNS addresses are interoperable with other VPNC-compliant VPN routers and clients. • SNMP. PPPoE is built ...
Page 21
... and Support information card provided with your product. Introduction 1-5 v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual • Diagnostic Functions. Maintenance and Support NETGEAR offers the following items: • ProSafe VPN Firewall 200. • AC power cable. • 19-inch rack mounting hardware and rubber feet. • Category 5 (Cat5) Ethernet cable. • Installation Guide, FVX538 ProSafe VPN Firewall 200 • Resource CD, including: -
Page 22
...The WAN port is either not enabled or has no link. 100 LED On (Green) Off The WAN port is supplied to the firewall. Test LED On (Amber) Blinking (Amber) Off Test mode: The system is being used because the port is not supplied to ... Writing to Flash memory (during upgrading or resetting to the firewall. 2. WAN Ports and LEDs Two RJ-45 WAN ports N-way automatic speed negotiation, Auto MDI/MDIX. Table 1-1. ProSafe VPN Firewall 200 FVX538 Reference Manual Router Front and Rear Panels The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, ...
Page 23
... a normal LAN port. 5. Console DB9 male connector Port for connecting to a gigabit Ethernet device. pinouts: (2) Tx, (3) Rx, (5) and (7) Gnd. 7. The LAN port has no link. ProSafe VPN Firewall 200 FVX538 Reference Manual Table 1-1. Gigabit Port and LEDs Gbit RJ-45 connector Link/Act LED On (Green) Blinking (Green) Off Port for the factory defaults). The...
Page 24
AC power in Figure 1-3). On/Off switch Rack Mounting Hardware The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in 2. Figure 1-3 1-8 v1.0, March 2009 Introduction ProSafe VPN Firewall 200 FVX538 Reference Manual The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection. Figure 1-2 1 2 Viewed from left to right, the rear panel contains the following elements: 1.