Netgear VPN Firewall FVS336Gv2 Reference Manual
Customize Firewall Protection 260 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a Single LAN User

If you want to restrict incoming reverse Telnet (RTelnet) sessions from a single IPv6 WAN user to a single IPv6 LAN user, specify the initiating IPv6 WAN address and the receiving IPv6 LAN address.

To restrict RTelnet traffic from a single WAN user to a single LAN user:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall. The Firewall submenu tabs display with the LAN WAN Rules screen in view, displaying the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The LAN WAN Rules screen displays the IPv6 settings.
8. Under the Inbound Services table, click the Add button. The Add LAN WAN Inbound Service screen for IPv6 displays.
9. Enter the settings as described in the following table.
10. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the LAN WAN Rules screen.

Settings for this rule (setting, then description):
• Service. From the menu, select RTelnet.
• Action. From the menu, select ALLOW always.
• LAN Users. From the menu, select Single address. In the Start field, enter the LAN IPv6 address that accepts RTelnet traffic.
• WAN Users. From the menu, select Single Address. In the Start field, enter the WAN IPv6 address from which the VPN firewall accepts RTelnet traffic.
• Log. From the menu, select Always. The VPN firewall logs all RTelnet traffic that is covered by this rule.

Examples of Outbound Firewall Rules

Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other traffic that might be nonessential. The following sections provide examples of IPv4 LAN WAN and IPv6 DMZ WAN outbound rules:
• IPv4 LAN WAN Outbound Rule: Block Instant Messenger
• IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet
IPv4 LAN WAN Outbound Rule: Block Instant Messenger

If you want to block Instant Messenger usage by employees during specific hours such as working hours, you can create an outbound rule to block such an application from any internal IP address to any external address according to the schedule that you create. You can also enable the VPN firewall to log any attempt to use Instant Messenger during the blocked period.

To block Instant Messenger according to a schedule and log attempts to access Instant Messenger:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall. The Firewall submenu tabs display with the LAN WAN Rules screen in view, displaying the IPv4 settings.
7. Under the Outbound Services table, click the Add button. The Add LAN WAN Outbound Service screen for IPv4 displays.
8. Enter the settings as described in the following table.
9. Click the Apply button. Your settings are saved. The new rule is added to the Outbound Services table on the LAN WAN Rules screen.

Settings for this rule (setting, then description):
• Service. From the menu, select AIM.
• Action. From the menu, select BLOCK by schedule, otherwise allow.
• Select Schedule. From the menu, select a schedule. For information about how to configure schedules, see Define a Schedule on page 292.
• LAN Users. From the menu, select Any. This rule affects all LAN users.
• WAN Users. From the menu, select Any. This rule affects all WAN users.
• QoS Profile. You can leave the selection from the menu at None.
• Log. From the menu, select Always. The VPN firewall logs all attempts to access Instant Messenger during the period that this rule is in effect.
• Bandwidth Profile. You can leave the selection from the menu at NONE.
• NAT IP. You can leave the selection from the menu at Auto.
IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet

If you want to allow a group of DMZ users to access a particular FTP site on the Internet during specific hours such as working hours, you can create an outbound rule to allow such traffic by specifying the IPv6 DMZ start and finish addresses and the IPv6 WAN address. You can also configure the QoS profile to maximize the throughput.

To allow a group of users on the DMZ access to an FTP site on the Internet:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > DMZ WAN Rules. The DMZ WAN Rules screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The DMZ WAN Rules screen displays the IPv6 settings.
8. Under the Outbound Services table, click the Add button. The Add DMZ WAN Outbound Service screen for IPv6 displays.
9. Enter the settings as described in the following table.
10. Click the Apply button. Your settings are saved. The new rule is added to the Outbound Services table on the DMZ WAN Rules screen.

Settings for this rule (setting, then description):
• Service. From the menu, select FTP.
• Action. From the menu, select ALLOW by schedule, otherwise block.
• Select Schedule. From the menu, select a schedule. For information about how to configure schedules, see Define a Schedule on page 292.
• DMZ Users. From the menu, select Address Range. In the Start and Finish fields, specify the DMZ IPv6 address range for the users that are allowed to access the FTP server.
• WAN Users. From the menu, select Single Address. In the Start field, enter the WAN IPv6 address of the FTP server on the Internet.
• Log. You can leave the selection from the menu at Never.
• QoS Priority. From the menu, select Maximize-Throughput. For more information about QoS priorities for IPv6 traffic, see Default Quality of Service Priorities for IPv6 Firewall Rules on page 298.

Configure Other Firewall Features

The following sections provide information about other firewall features:
• Manage Protection Against Common Network Attacks
• Manage VPN Pass-Through
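The three rule examples above (the RTelnet inbound rule, the scheduled Instant Messenger block and the scheduled DMZ FTP allow) can be checked against sample traffic with this added Python model. It is not code from the manual or from the firewall; the Rule class, the documentation-prefix addresses and the 09:00 to 17:00 "working hours" schedule are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import Optional, Tuple

@dataclass
class Rule:
    service: str        # service selected from the menu, e.g. "RTelnet", "AIM", "FTP"
    action: str         # one of the three Action menu values used in the examples
    inside: Optional[Tuple[str, str]]   # LAN/DMZ Users: (start, finish), single = (a, a), None = Any
    wan: Optional[Tuple[str, str]]      # WAN Users, same encoding
    schedule: Optional[Tuple[int, int]] = None   # assumed: (start_hour, end_hour), local time
    log: str = "Never"  # Log menu: "Always" or "Never"

def in_range(addr, rng) -> bool:
    """Any matches everything; otherwise the address must fall inside start..finish."""
    if rng is None:
        return True
    a = ip_address(addr)
    return ip_address(rng[0]) <= a <= ip_address(rng[1])

def in_schedule(rule: Rule, when: datetime) -> bool:
    return rule.schedule is not None and rule.schedule[0] <= when.hour < rule.schedule[1]

def decide(rule: Rule, service: str, inside_ip: str, wan_ip: str, when: datetime):
    """Return (verdict, logged); verdict is None when the rule does not match and the default policy applies."""
    if service != rule.service or not in_range(inside_ip, rule.inside) or not in_range(wan_ip, rule.wan):
        return None, False
    if rule.action == "ALLOW always":
        verdict = "ALLOW"
    elif rule.action == "BLOCK by schedule, otherwise allow":
        verdict = "BLOCK" if in_schedule(rule, when) else "ALLOW"
    elif rule.action == "ALLOW by schedule, otherwise block":
        verdict = "ALLOW" if in_schedule(rule, when) else "BLOCK"
    else:
        raise ValueError(f"unknown action: {rule.action}")
    return verdict, rule.log == "Always"

# The three rules from the examples above, with constructed addresses and schedule.
RTELNET_IN = Rule("RTelnet", "ALLOW always", ("2001:db8:1::10", "2001:db8:1::10"),
                  ("2001:db8:ffff::5", "2001:db8:ffff::5"), log="Always")
BLOCK_AIM = Rule("AIM", "BLOCK by schedule, otherwise allow", None, None, schedule=(9, 17), log="Always")
DMZ_FTP = Rule("FTP", "ALLOW by schedule, otherwise block", ("2001:db8:2::10", "2001:db8:2::20"),
               ("2001:db8:cafe::21", "2001:db8:cafe::21"), schedule=(9, 17))

WORK = datetime(2024, 5, 6, 10, 0)    # 10:00, inside the constructed schedule
AFTER = datetime(2024, 5, 6, 20, 0)   # 20:00, outside the constructed schedule
```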
• Set Limits for IPv4 Sessions
• Manage Time-Out Periods for TCP, UDP, and ICMP Sessions
• Manage Multicast Pass-Through
• Manage the Application Level Gateway for SIP Sessions

You can configure attack checks, set session limits, configure multicast pass-through, and manage the application level gateway (ALG) for SIP sessions.

Manage Protection Against Common Network Attacks

For IPv4 traffic, you can specify whether the VPN firewall is protected against common attacks in the WAN and LAN networks. For IPv6 traffic, the only option is to specify the ping settings for the WAN ports. The following sections provide information about managing protection against common network attacks:
• Manage Protection Against IPv4 Network Attacks
• Manage the Ping Settings for the IPv6 WAN Ports

Manage Protection Against IPv4 Network Attacks

The following procedure describes how to manage protection against IPv4 network attacks by setting up WAN and LAN security checks, including the ping settings for the IPv4 WAN ports.

To manage protection against IPv4 attacks for your network environment:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > Attack Checks.
The Attack Checks screen displays the IPv4 settings.
7. Enter the settings as described in the following table.

WAN Security Checks (setting, then description):
• Respond to Ping on Internet Ports. Select the Respond to Ping on Internet Ports check box to enable the VPN firewall to respond to a ping from the Internet to its IPv4 address. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet. If you select the Respond to Ping on Internet Ports check box, specify the IP address on which a ping is allowed:
  • Any. A ping is allowed on any IP address. This is the default setting.
  • IP Address. A ping is allowed only on a single IP address, which you must specify in the IP Address field.
• Enable Stealth Mode. Select the Enable Stealth Mode check box to prevent the VPN firewall from responding to port scans from the WAN, thus making it less susceptible to discovery and attacks. By default, the Enable Stealth Mode check box is selected.
• Block TCP flood. Select the Block TCP flood check box to enable the VPN firewall to drop all invalid TCP packets and to protect the VPN firewall from a SYN flood attack. By default, the Block TCP flood check box is selected. In the TCP Flood Limit field, enter the number of packets per second that defines a SYN flood attack. You can enter a number from 1 to 100. The default value is 100. The VPN firewall drops TCP packets that exceed the specified number of packets per second. A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN (synchronize) requests to a target system. When the system responds, the attacker does not complete the connections, thus leaving the connections half open and flooding the server with SYN messages. No legitimate connections can then be made.

LAN Security Checks (setting, then description):
• Block UDP flood. Select the Block UDP flood check box to prevent the VPN firewall from accepting more than a specified number of simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN. By default, the Block UDP flood check box is selected. In the UDP Flood Limit field, enter the number of connections per second that defines a UDP flood. You can enter a number from 1 to 40. The default value is 40. The VPN firewall drops UDP packets that exceed the specified number of connections per second. A UDP flood is a form of denial of service attack that can be initiated when one device sends many UDP packets to random ports on a remote host. As a result, the distant host does the following:
  1. Checks for the application listening at that port.
  2. Sees that no application is listening at that port.
  3. Replies with an ICMP Destination Unreachable packet.
  When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker might also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach the attacker, thus making the attacker's network location anonymous.
• Disable Ping Reply on LAN Ports. Select the Disable Ping Reply on LAN Ports check box to prevent the VPN firewall from responding to a ping on a LAN port. A ping can be used as a diagnostic tool. Keep this check box cleared unless you have a specific reason to prevent the VPN firewall from responding to a ping on a LAN port.

8. Click the Apply button. Your settings are saved.

Manage the Ping Settings for the IPv6 WAN Ports

The following procedure describes how to manage a WAN security check for IPv6 traffic by specifying the ping settings for the WAN ports. By default, the VPN firewall does not allow pings on the IPv6 WAN ports. Keep this setting unless you have a specific reason to enable the VPN firewall to respond to a ping from the Internet.

To allow pings on the IPv6 WAN ports and specify the ping settings:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > Attack Checks. The Attack Checks screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The Attack Checks screen displays the IPv6 settings.
8. Select the Respond to Ping on Internet Ports check box.
9. Specify the IP addresses from which a ping is allowed by selecting one of the following radio buttons:
  • Any. A ping is allowed on any IP address. This is the default setting.
  • IP Address. A ping is allowed only on a single IP address, which you must specify in the IP Address field.
10. Click the Apply button. Your settings are saved.

Manage VPN Pass-Through

By default, VPN pass-through is enabled on the VPN firewall. However, you can change the VPN pass-through settings for your network environment. The following sections provide information about managing VPN pass-through:
• VPN Pass-Through
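As an added illustration of how the Block TCP flood, Block UDP flood and ping check boxes described above behave, this Python simulation applies the table's default limits to constructed traffic. It is not code from the manual or from the firewall's firmware; the per-second counting, the assumption that each new destination port from one LAN host counts as one UDP connection, and all addresses are constructed for the example.

```python
from collections import defaultdict

# Default thresholds from the Attack Checks table above.
TCP_FLOOD_LIMIT = 100   # SYN packets per second from the WAN, range 1 to 100
UDP_FLOOD_LIMIT = 40    # UDP connections per second from one LAN device, range 1 to 40

# A packet record is (second, zone, proto, src, dst, dport); zone is "WAN" or "LAN".
def apply_attack_checks(packets, tcp_limit=TCP_FLOOD_LIMIT, udp_limit=UDP_FLOOD_LIMIT):
    """Return a list of (packet, verdict) using per-second counters, modelled on how
    the Block TCP flood and Block UDP flood checks are described in the table."""
    syn_per_sec = defaultdict(int)     # second -> SYNs seen from the WAN
    udp_conns = defaultdict(set)       # (second, LAN src) -> distinct (dst, dport) flows
    verdicts = []
    for pkt in packets:
        sec, zone, proto, src, dst, dport = pkt
        verdict = "pass"
        if zone == "WAN" and proto == "SYN":
            syn_per_sec[sec] += 1
            if syn_per_sec[sec] > tcp_limit:
                verdict = "drop"
        elif zone == "LAN" and proto == "UDP":
            conns = udp_conns[(sec, src)]
            conns.add((dst, dport))    # assumption: a new (dst, port) pair is one connection
            if len(conns) > udp_limit:
                verdict = "drop"
        verdicts.append((pkt, verdict))
    return verdicts

def drop_summary(verdicts):
    """Count drops per (zone, proto), the figures an administrator would look for in the log."""
    out = defaultdict(int)
    for (sec, zone, proto, *_), v in verdicts:
        if v == "drop":
            out[(zone, proto)] += 1
    return dict(out)

def ping_allowed(zone, src, respond_on_internet_ports=False, allowed_ip=None, disable_lan_reply=False):
    """Mirror the ping check boxes: WAN replies are off unless enabled (optionally for one IP
    only); LAN replies are on unless Disable Ping Reply on LAN Ports is selected."""
    if zone == "WAN":
        return respond_on_internet_ports and (allowed_ip is None or src == allowed_ip)
    return not disable_lan_reply

# Constructed traffic: 150 SYNs in one second from the WAN, one LAN host touching 50 UDP
# ports in one second (both exceed the defaults), and one ordinary DNS query that passes.
SAMPLE = [(1, "WAN", "SYN", "203.0.113.9", "192.168.1.1", 443) for _ in range(150)]
SAMPLE += [(2, "LAN", "UDP", "192.168.1.50", "198.51.100.7", 1024 + i) for i in range(50)]
SAMPLE += [(2, "LAN", "UDP", "192.168.1.51", "198.51.100.7", 53)]
```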