Transcription

ProSafe Dual WAN GigabitFirewall with SSL & IPsecVPN FVS336G ReferenceManualNETGEAR, Inc.350 East Plumeria DriveSan Jose, CA 95134202-10257-05v1.0January 2010

2007–2010 by NETGEAR, Inc. All rights reserved.Technical SupportPlease refer to the support information card that shipped with your product. By registering your product athttp://www.netgear.com/register, we can provide you with faster expert technical support and timely notices ofproduct and software upgrades.NETGEAR, INC. Support InformationPhone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card.E-mail: [email protected] American NETGEAR website: http://www.netgear.comTrademarksNETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc.Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and productnames are registered trademarks or trademarks of their respective holders.Statement of ConditionsIn the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right tomake changes to the products described in this document without notice.NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuitlayout(s) described herein.Federal Communications Commission (FCC) Compliance Notice: Radio FrequencyNoticeThis equipment has been tested and found to comply with the limits for a Class B digital device, pursuant topart 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in aresidential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed andused in accordance with the instructions, may cause harmful interference to radio communications. However, there is noguarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference toradio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to tryto correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help.EU Regulatory Compliance StatementThe ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN is compliant with the following EU CouncilDirectives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022Class B, EN55024 and EN60950-1.iiv1.0, January 2010

Bestätigung des Herstellers/ImporteursEs wird hiermit bestätigt, daß das ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN gemäß der im BMPTAmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreibeneiniger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte dieAnmerkungen in der Betriebsanleitung.Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Marktgebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.Certificate of the Manufacturer/ImporterIt is hereby certified that the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN has been suppressedin accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of someequipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certainrestrictions. Please refer to the notes in the operating instructions.Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the marketand has been granted the right to test the series for compliance with the regulations.Voluntary Control Council for Interference (VCCI) StatementThis equipment is in the second category (information equipment to be used in a residential area or an adjacent areathereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data ProcessingEquipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.When used near a radio or TV receiver, it may become the cause of radio interference.Read instructions for correct handling.Additional CopyrightsAESCopyright (c) 2001, Dr. Brian Gladman, [email protected], Worcester, UK.All rights reserved.TERMSRedistribution and use in source and binary forms, with or without modification, are permittedsubject to the following conditions:1. Redistributions of source code must retain the above copyright notice, this list ofconditions, and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list ofconditions, and the following disclaimer in the documentation and/or other materialsprovided with the distribution.3. The copyright holder’s name must not be used to endorse or promote any productsderived from this software without his specific prior written permission.This software is provided “as is” with no express or implied warranties of correctness or fitnessfor purpose.iiiv1.0, January 2010

Open SSLCopyright (c) 1998–2000 The OpenSSL Project. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permittedprovided that the following conditions are met:1. Redistributions of source code must retain the above copyright notice, this list ofconditions, and the following disclaimer.2. Redistributions in binary form must reproduce the above copyright notice, this list ofconditions, and the following disclaimer in the documentation and/or other materialsprovided with the distribution.3. All advertising materials mentioning features or use of this software must display thefollowing acknowledgment: “This product includes software developed by the OpenSSLProject for use in the OpenSSL Toolkit (http://www.openssl.org/).”4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse orpromote products derived from this software without prior written permission. For writtenpermission, contact [email protected] Products derived from this software may not be called “OpenSSL” nor may “OpenSSL”appear in their names without prior written permission of the OpenSSL Project.6. Redistributions of any form whatsoever must retain the following acknowledgment: “Thisproduct includes software developed by the OpenSSL Project for use in the OpenSSLToolkit (http://www.openssl.org/).”THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS,” AND ANYEXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULARPURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITSCONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, ORPROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.This product includes cryptographic software written by Eric Young ([email protected]). Thisproduct includes software written by Tim Hudson ([email protected]).MD5Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.License to copy and use this software is granted provided that it is identified as the “RSA DataSecurity, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing thissoftware or this function. License is also granted to make and use derivative works providedthat such works are identified as “derived from the RSA Data Security, Inc. MD5 MessageDigest Algorithm” in all material mentioning or referencing the derived work.RSA Data Security, Inc. makes no representations concerning either the merchantability ofthis software or the suitability of this software for any particular purpose. It is provided “as is”without express or implied warranty of any kind.These notices must be retained in any copies of any part of this documentation and/orsoftware.ivv1.0, January 2010

PPPCopyright (c) 1989 Carnegie Mellon University. All rights reserved.Redistribution and use in source and binary forms are permitted provided that the abovecopyright notice and this paragraph are duplicated in all such forms and that anydocumentation, advertising materials, and other materials related to such distribution and useacknowledge that the software was developed by Carnegie Mellon University. The name ofthe University may not be used to endorse or promote products derived from this softwarewithout specific prior written permission.THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIEDWARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OFMERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.Zlibzlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th,2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.This software is provided 'as-is', without any express or implied warranty. In no event will theauthors be held liable for any damages arising from the use of this software. Permission isgranted to anyone to use this software for any purpose, including commercial applications,and to alter it and redistribute it freely, subject to the following restrictions:1. The origin of this software must not be misrepresented; you must not claim that you wrotethe original software. If you use this software in a product, an acknowledgment in theproduct documentation would be appreciated but is not required.2. Altered source versions must be plainly marked as such, and must not be misrepresentedas being the original software.3. This notice may not be removed or altered from any source distribution.Jean-loup Gailly: [email protected]; Mark Adler: [email protected] data format used by the zlib library is described by RFCs (Request for Comments) 1950to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format)and rfc1952.txt (gzip format)Product and Publication DetailsModel Number:FVS336GPublication Date:January 2010Product Family:VPN FirewallProduct Name:ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPNHome or Business Product:BusinessLanguage:EnglishPublication Part Number:202-10257-05Publication Version Number1.0vv1.0, January 2010

viv1.0, January 2010

ContentsProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336GReference ManualAbout This ManualConventions, Formats, and Scope . xvHow to Print This Manual .xviRevision History .xviChapter 1IntroductionKey Features .1-1Dual WAN Ports for Increased Reliability or Outbound Load Balancing .1-2Advanced VPN Support for Both IPsec and SSL .1-2A Powerful, True Firewall with Content Filtering .1-3Autosensing Ethernet Connections with Auto Uplink .1-3Extensive Protocol Support .1-4Easy Installation and Management .1-4Maintenance and Support .1-5Package Contents .1-5Front Panel Features .1-6Rear Panel Features .1-7Default IP Address, Login Name, and Password Location .1-8Qualified Web Browsers .1-8Chapter 2Connecting the FVS336G to the InternetUnderstanding the Connection Steps .2-1Logging into the VPN Firewall .2-2Navigating the Menus .2-4Configuring the Internet Connections .2-4Automatically Detecting and Connecting .2-5Manually Configuring the Internet Connection .2-7viiv1.0, January 2010

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference ManualConfiguring the WAN Mode (Required for Dual WAN) . 2-11Network Address Translation .2-12Classical Routing .2-12Configuring Auto-Rollover Mode .2-13Configuring Load Balancing .2-14Configuring Dynamic DNS (Optional) .2-16Configuring the Advanced WAN Options (Optional) .2-18Additional WAN Related Configuration .2-20Chapter 3LAN ConfigurationChoosing the VPN Firewall DHCP Options .3-1Configuring the LAN Setup Options .3-2Managing Groups and Hosts (LAN Groups) .3-6Viewing the LAN Groups Database .3-7Adding Devices to the LAN Groups Database .3-8Changing Group Names in the LAN Groups Database .3-8Configuring DHCP Address Reservation .3-9Configuring Multi Home LAN IP Addresses .3-10Configuring Static Routes . 3-11Configuring Routing Information Protocol (RIP) .3-13Chapter 4Firewall Protection and Content FilteringAbout Firewall Protection and Content Filtering .4-1Using Rules to Block or Allow Specific Kinds of Traffic .4-2About Services-Based Rules .4-3Viewing the Rules .4-8Order of Precedence for Rules .4-8Setting the Default Outbound Policy .4-8Creating a LAN WAN Outbound Services Rule .4-9Creating a LAN WAN Inbound Services Rule .4-10Modifying Rules . 4-11Inbound Rules Examples . 4-11Outbound Rules Example .4-14Configuring Other Firewall Features .4-15Attack Checks .4-15viiiv1.0, January 2010

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference ManualConfiguring Session Limits .4-17Managing the Application Level Gateway for SIP Sessions .4-18Creating Services, QoS Profiles, and Bandwidth Profiles .4-19Adding Customized Services .4-19Setting Quality of Service (QoS) Priorities .4-21Creating Bandwidth Profiles .4-22Setting a Schedule to Block or Allow Specific Traffic .4-24Blocking Internet Sites (Content Filtering) .4-25Configuring Source MAC Filtering .4-28Configuring IP/MAC Address Binding .4-30Configuring Port Triggering .4-31E-Mail Notifications of Event Logs and Alerts .4-33Administrator Tips .4-33Chapter 5Virtual Private Networking Using IPsecConsiderations for Dual WAN Port Systems .5-1Using the VPN Wizard for Client and Gateway Configurations .5-3Creating Gateway to Gateway VPN Tunnels with the Wizard .5-3Creating a Client to Gateway VPN Tunnel .5-6Testing the Connections and Viewing Status Information .5-12NETGEAR VPN Client Status and Log Information .5-12VPN Firewall VPN Connection Status and Logs .5-14Managing VPN Policies .5-15Configuring IKE Policies .5-16Configuring VPN Policies .5-18Configuring Extended Authentication (XAUTH) .5-19Configuring XAUTH for VPN Clients .5-20User Database Configuration .5-22RADIUS Client Configuration .5-22Assigning IP Addresses to Remote Users (ModeConfig) .5-24Mode Config Operation .5-24Configuring Mode Config Operation on the VPN Firewall .5-25Configuring the ProSafe VPN Client for ModeConfig .5-30Configuring Keepalives and Dead Peer Detection .5-32Configuring Keepalives .5-32ixv1.0, January 2010

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference ManualConfiguring Dead Peer Detection .5-33Configuring NetBIOS Bridging with VPN .5-34Chapter 6Virtual Private Networking Using SSLUnderstanding the Portal Options .6-1Planning for SSL VPN .6-2Creating the Portal Layout .6-3Configuring Domains, Groups, and Users .6-7Configuring Applications for Port Forwarding .6-7Adding Servers .6-8Adding A New Host Name .6-9Configuring the SSL VPN Client .6-10Configuring the Client IP Address Range . 6-11Adding Routes for VPN Tunnel Clients .6-12Replacing and Deleting Client Routes .6-12Using Network Resource Objects to Simplify Policies .6-13Adding New Network Resources .6-13Configuring User, Group, and Global Policies .6-15Viewing SSL VPN Policies .6-16Adding an SSL VPN Policy .6-17Chapter 7Managing Users, Authentication, and CertificatesAdding Authentication Domains, Groups, and Users .7-1Creating a Domain .7-1Creating a Group .7-5Creating a New User Account .7-6Setting User Login Policies .7-7Changing Passwords and Other User Settings .7-9Managing Certificates . 7-11Viewing and Loading CA Certificates .7-12Viewing Active Self Certificates .7-13Obtaining a Self Certificate from a Certificate Authority .7-14Managing your Certificate Revocation List (CRL) .7-17xv1.0, January 2010

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference ManualChapter 8VPN Firewall and Network ManagementPerformance Management .8-1Bandwidth Capacity .8-1Features That Reduce Traffic .8-2Features That Increase Traffic .8-5Using QoS to Shift the Traffic Mix .8-7Tools for Traffic Management .8-8Changing Passwords and Administrator Settings .8-8Enabling Remote Management Access .8-10Using the Command Line Interface .8-12Using an SNMP Manager .8-13Managing the Configuration File .8-14Configuring Date and Time Service .8-17Chapter 9Monitoring System PerformanceEnabling the Traffic Meter .9-1Activating Notification of Events and Alerts .9-4Viewing the Logs .9-6Viewing VPN Firewall Configuration and System Status .9-8Monitoring VPN Firewall Statistics .9-9Monitoring the Status of WAN Ports .9-10Monitoring Attached Devices . 9-11Viewing the DHCP Log .9-12Monitoring Active Users .9-13Viewing Port Triggering Status .9-14Monitoring VPN Tunnel Connection Status .9-15Viewing the VPN Logs .9-16Chapter 10TroubleshootingBasic Functions .10-1Power LED Not On .10-2LEDs Never Turn Off .10-2LAN or WAN Port LEDs Not On .10-2Troubleshooting the Web Configuration Interface .10-3xiv1.0, January 2010

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference ManualTroubleshooting the ISP Connection .10-4Troubleshooting a TCP/IP Network Using a Ping Utility .10-5Testing the LAN Path to Your VPN Firewall .10-5Testing the Path from Your PC to a Remote Device .10-6Restoring the Default Configuration and Password .10-7Problems with Date and Time .10-7Using the Diagnostics Utilities .10-8Appendix ADefault Settings and Technical SpecificationsAppendix BNetwork Planning for Dual WAN PortsWhat You Will Need to Do Before You Begin . B-1Cabling and Computer Hardware Requirements . B-3Computer Network Configuration Requirements . B-3Internet Configuration Requirements . B-3Where Do I Get the Internet Configuration Parameters? . B-4Internet Connection Information Form . B-4Overview of the Planning Process . B-5Inbound Traffic . B-5Virtual Private Networks (VPNs) .

202-10257-05 v1.0 January 2010 NETGEAR, Inc. 350 East Plumeria Drive San Jose, CA 95134 ProSafe Dual WAN Gi