FVX538 Reference Manual
Page 1
ProSafe VPN Firewall 200 FVX538 Reference Manual NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 USA March 2009 202-10062-09 v1.0
FVX538 Reference Manual
Page 7
... Installation and Management 1-4 Maintenance and Support 1-5 Package Contents ...1-5 Router Front and Rear Panels 1-6 Rack Mounting Hardware 1-8 The Router's IP Address, Login Name, and Password 1-9 Chapter 2 Connecting the FVX538 to the Internet Logging into the VPN Firewall 2-1 Configuring the Internet Connections to Your ISPs 2-2 Setting the Router's MAC Address 2-4 Manually Configuring Your Internet Connection 2-4 Programming the Traffic Meter...
FVX538 Reference Manual
Page 8
ProSafe VPN Firewall 200 FVX538 Reference Manual Chapter 3 LAN Configuration Choosing the Firewall DHCP Options 3-1 Configuring the LAN Setup Options 3-2 Configuring Multi Home LAN IPs 3-5 Managing Groups and Hosts (LAN Groups 3-6 Creating the ...DMZ Port 3-10 Static Routes ...3-12 Configuring Static Routes 3-12 Routing Information Protocol (RIP 3-14 Static Route Example 3-16 Chapter 4 Firewall Protection and Content Filtering About Firewall Protection and Content Filtering 4-1 Using Rules to Block or Allow Specific Kinds of Traffic 4-2 Services-Based Rules 4-2 Outbound Rules (Service...
FVX538 Reference Manual
Page 9
ProSafe VPN Firewall 200 FVX538 Reference Manual Outbound Rules Example 4-24 LAN WAN Outbound Rule: Blocking Instant Messenger 4-25 Adding Customized Services 4-25 Setting Quality of Service (QoS) Priorities ...Connection 5-8 Testing the Connections and Viewing Status Information 5-12 NETGEAR VPN Client Status and Log Information 5-12 FVX538 VPN Connection Status and Logs 5-14 VPN Tunnel Policies ...5-15 IKE Policy ...5-15 Managing IKE Policies 5-15 IKE Policy Table 5-16 VPN Policy ...5-17 Managing VPN Policies 5-17 VPN Policy Table 5-18 Certificate Authorities 5-19 Generating a Self...
FVX538 Reference Manual
Page 10
ProSafe VPN Firewall 200 FVX538 Reference Manual Extended Authentication (XAUTH) Configuration 5-23 Configuring XAUTH for VPN Clients 5-24 User Database Configuration 5-25 RADIUS Client Configuration 5-27 Assigning IP Addresses to Remote Users (ModeConfig 5-29 Mode Config Operation 5-29 Configuring the VPN Firewall 5-30 Configuring the ProSafe VPN Client for ModeConfig 5-33 Chapter 6 Router and Network Management Performance Management 6-1 Bandwidth Capacity 6-1 VPN Firewall Features That Reduce...
FVX538 Reference Manual
Page 11
ProSafe VPN Firewall 200 FVX538 Reference Manual Viewing Port Triggering Status 6-24 Viewing Router Configuration and System Status 6-25 Monitoring WAN Ports Status 6-26 Monitoring VPN Tunnel Connection Status 6-27 VPN Logs ...6-28 DHCP Log ...6-29 Performing Diagnostics 6-29 Chapter 7 Troubleshooting Basic Functions... Information Form B-5 Overview of the Planning Process B-6 Inbound Traffic ...B-6 Virtual Private Networks (VPNs B-6 The Roll-over Case for Firewalls With Dual WAN Ports B-7 The Load Balancing Case for Firewalls With Dual WAN Ports B-7 Contents xi v1.0, March 2009
FVX538 Reference Manual
Page 12
... VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability B-15 VPN Gateway-to -Gateway Through a NAT Router B-17 VPN Telecommuter: Single Gateway WAN Port (Reference Case B-18 VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability ........ B-17 VPN Telecommuter...for Load Balancing B-13 VPN Gateway-to-Gateway B-14 VPN Gateway-to -Gateway B-11 VPN Road Warrior: Single Gateway WAN Port (Reference Case B-12 VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability ......... ProSafe VPN Firewall 200 FVX538 Reference Manual Inbound Traffic ...B-8 Inbound ...
FVX538 Reference Manual
Page 13
ProSafe VPN Firewall 200 FVX538 Reference Manual Multicast/Broadcast Logs C-9 FTP Logging ...C-10 Invalid Packet Logging C-10 Routing Logs ...C-13 LAN to WAN Logs C-13 LAN to DMZ Logs C-14 DMZ to WAN Logs C-14 WAN to LAN Logs C-14 DMZ to LAN Logs C-14 WAN to DMZ Logs C-15 Appendix D Related Documents Appendix E Two Factor Authentication Why do I need Two-Factor Authentication E-1 What are the benefits of Two-Factor Authentication E-1 What is Two-Factor Authentication E-2 NETGEAR Two-Factor Authentication Solutions E-2 Index Contents xiii v1.0, March 2009
FVX538 Reference Manual
Page 14
ProSafe VPN Firewall 200 FVX538 Reference Manual xiv Contents v1.0, March 2009
FVX538 Reference Manual
Page 15
... the equipment. Conventions, Formats and Scope The conventions, formats, and scope of note may result in the following paragraphs. • Typographical Conventions. About This Manual The NETGEAR® ProSafe™ VPN Firewall 200 describes how to highlight special messages: Note: This format is intended for readers with intermediate computer and Internet skills. The information in this...
FVX538 Reference Manual
Page 16
... Session Limits; Dead Peer Detection; Bandwidth Limits; website at http://kbserver.netgear.com/products/FVX538.asp. Jan. 2007 Remove Trend Micro Jul. 2007 New features: IP/MAC Binding; ProSafe VPN Firewall 200 FVX538 Reference Manual Danger: This is a safety warning. Revision History Part Number Version Number... WIKID 2 factor authentication • SIP AGL support • DHCP Relay support • Update VPN configuration procedure topics • Update the Certificate management topic • Correct the firewall scheduling topic xvi About This Manual v1.0, March 2009
FVX538 Reference Manual
Page 18
... Unlike simple Internet sharing NAT routers, the FVX538 is inoperable, ensuring you specify as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing. • Secure Firewall. Automatically detects and thwarts DoS attacks such as off-limits. 1-2 Introduction v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual • SNMP Manageable, optimized for the NETGEAR ProSafe Network Management Software (NMS100). •...
FVX538 Reference Manual
Page 19
... or ranges of full-duplex or half-duplex operation. NAT opens a temporary path to the correct configuration. Security Features The VPN firewall is a response to your network. ProSafe VPN Firewall 200 FVX538 Reference Manual • Logs security incidents. The FVX538 will accommodate either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. You can also configure the...
FVX538 Reference Manual
Page 20
... using the Dynamic Host Configuration Protocol (DHCP). The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to "Internet Configuration Requirements" in Appendix ...VPN firewall automatically senses the type of ISP account. • VPN Wizard. ProSafe VPN Firewall 200 FVX538 Reference Manual Extensive Protocol Support The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). When DHCP is enabled and no DNS addresses are interoperable with other VPNC-compliant VPN routers...
FVX538 Reference Manual
Page 21
... in the Warranty and Support information card provided with your NETGEAR dealer. Maintenance and Support NETGEAR offers the following items: • ProSafe VPN Firewall 200. • AC power cable. • 19-inch rack mounting hardware and rubber feet. • Category 5 (Cat5) Ethernet cable. • Installation Guide, FVX538 ProSafe VPN Firewall 200 • Resource CD, including: - If any of addresses, and you...
FVX538 Reference Manual
Page 22
Table 1-1. Power is operating at 10 Mbps. Writing to Flash memory (during upgrading or resetting to the firewall. WAN Ports and LEDs Two RJ-45 WAN ports N-way automatic speed negotiation, Auto MDI/MDIX. The WAN port has ... not enabled or has no link. 100 LED On (Green) Off The WAN port is not supplied to the firewall. 2. The WAN port is supplied to defaults). ProSafe VPN Firewall 200 FVX538 Reference Manual Router Front and Rear Panels The ProSafe VPN Firewall 200 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button. 1 2 3...
FVX538 Reference Manual
Page 23
... Mbps Fast Ethernet Switch Link/Act LED On (Green) Blinking (Green) Off N-way automatic speed negotiation, auto MDI/MDIX. The LAN port has no link. ProSafe VPN Firewall 200 FVX538 Reference Manual Table 1-1. Object Descriptions (continued) Object Activity Description 4. Data is operating at 1,000 Mbps. DMZ (port 8) On (Green) Off Port 8 is operating at 100 Mbps...
FVX538 Reference Manual
Page 24
On/Off switch Rack Mounting Hardware The FVX538 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in 2. Figure 1-3 1-8 v1.0, March 2009 Introduction Figure 1-2 1 2 Viewed from left to right, the rear panel contains the following elements: 1. AC power in Figure 1-3). ProSafe VPN Firewall 200 FVX538 Reference Manual The rear panel of the ProSafe VPN Firewall 200 (Figure 1-2) contains the On/Off switch and AC power connection.
FVX538 Reference Manual
Page 25
Introduction 1-9 v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual The Router's IP Address, Login Name, and Password Check the label on the bottom of the FVX538's enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the... LAN • User name: admin • Password: password LAN IP Address User Name Password Figure 1-4 To log in to the FVX538 once it is connected, go to http://192.168.1.1. Figure 1-5 Once the login screen displays, enter admin for the User Name and the password...
FVX538 Reference Manual
Page 26
ProSafe VPN Firewall 200 FVX538 Reference Manual 1-10 v1.0, March 2009 Introduction