Netgear VPN Firewall FVS336Gv2 Reference Manual
Customize Firewall Protection 270 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

• Manage VPN Pass-Through in the IPv4 Network
• Manage VPN Pass-Through in the IPv6 Network

VPN Pass-Through

When the VPN firewall functions in NAT mode, all packets going to a remote VPN gateway are first filtered through NAT and then encrypted according to the VPN policy. For example, if a VPN client or gateway on the LAN side of the VPN firewall must connect to another VPN endpoint on the WAN side (placing the VPN firewall between two VPN endpoints), encrypted packets are sent to the VPN firewall. Because the VPN firewall filters the encrypted packets through NAT, the packets become invalid unless you enable VPN pass-through.

By default, VPN pass-through is allowed on the VPN firewall, enabling VPN traffic that is initiated from the LAN to reach the WAN, irrespective of the default firewall outbound policy and custom firewall rules. For IPv4 traffic, you can specify whether to allow or block VPN pass-through for IPSec, PPTP, and L2TP traffic. For IPv6 traffic, the only option is to specify whether to allow or block VPN pass-through for IPSec traffic.

Manage VPN Pass-Through in the IPv4 Network

The following procedure describes how to manage VPN pass-through for IPv4 traffic. By default, all types of VPN pass-through are allowed on the VPN firewall.

To manage VPN pass-through for IPv4 traffic:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > Attack Checks. The Attack Checks screen displays the IPv4 settings.
7. To block VPN pass-through, clear any of the following check boxes, which are selected by default to allow VPN pass-through:
• IPSec. Clearing this check box disables NAT filtering for IPSec tunnels.
• PPTP. Clearing this check box disables NAT filtering for PPTP tunnels.
• L2TP. Clearing this check box disables NAT filtering for L2TP tunnels.
8. Click the Apply button. Your settings are saved.

Manage VPN Pass-Through in the IPv6 Network

The following procedure describes how to manage VPN pass-through for IPv6 traffic. By default, VPN pass-through for IPsec is allowed on the VPN firewall, enabling IPSec VPN traffic that is initiated from the LAN to reach the WAN, irrespective of the default firewall outbound policy and custom firewall rules.

To manage VPN pass-through for IPv6 traffic:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > Attack Checks. The Attack Checks screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The Attack Checks screen displays the IPv6 settings.
8. To block VPN pass-through for IPSec traffic, clear the IPsec check box, which is selected by default to allow VPN pass-through for IPSec traffic.
9. Click the Apply button. Your settings are saved.

Set Limits for IPv4 Sessions

You can specify the total number of sessions that are allowed, per user, over an IPv4 connection across the VPN firewall. The session limits feature is disabled by default.

To enable and configure session limits:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > Session Limit. The Session Limit screen displays.
7. Select the Yes radio button.
8. Enter the settings as described in the following table.
9. Click the Apply button. Your settings are saved.

Setting and description

Session Limit

Session Limit Control
From the menu, select an option:
• When single IP exceeds. When the limit is reached, no new session is allowed from the IP address. A new session is allowed only when an existing session is terminated or times out. You must specify the action and period by selecting one of the following radio buttons:
  - Block IP to add new session for. No new session is allowed from the IP address for a period. In the Time field, specify the period in seconds.
  - Block IPs all connections for. All sessions from the IP address are terminated, and new sessions are blocked for a period. In the Time field, specify the period in seconds.
• Single IP Cannot Exceed. When the limit is reached, no new session is allowed from the IP address for a specified period, or all sessions from the IP address are terminated and new sessions are blocked for a specified period.

User Limit Parameter
From the menu, select an option:
• Percentage of Max Sessions. A percentage of the total session connection capacity of the VPN firewall.
• Number of Sessions. An absolute number of maximum sessions.

User Limit
Enter a number to indicate the user limit. Note the following:
• If the selection from the User Limit Parameter is Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a single-source device as a percentage of the total session connection capacity of the VPN firewall. (The session limit is per-device based.)
• If the selection from the User Limit Parameter is Number of Sessions, the number specifies an absolute value.
Note: Some protocols such as FTP and RTSP create two sessions per connection, which you must consider when you configure a session limit.

Total Number of Packets Dropped due to Session Limit
This is a nonconfigurable counter that displays the total number of dropped packets when the session limit is reached.

Manage Time-Out Periods for TCP, UDP, and ICMP Sessions

For IPv4 traffic, a TCP, UDP, or ICMP session expires if the VPN firewall does not process data for the session during the time-out period.

To manage the time-out periods for TCP, UDP, and ICMP sessions:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > Session Limit. The Session Limit screen displays.
7. In the Session Timeout section, enter the time-out periods in the following fields:
• TCP Timeout. Enter a period in seconds. For TCP traffic, the default time-out period is 3600 seconds.
• UDP Timeout. For UDP traffic, the default time-out period is 180 seconds.
• ICMP Timeout. For ICMP traffic, the default time-out period is 8 seconds.
8. Click the Apply button. Your settings are saved.

Manage Multicast Pass-Through

Multicast pass-through is supported for IPv4 traffic only. The following sections provide information about managing multicast pass-through:
• Multicast Pass-Through
• Enable and Configure Multicast Pass-Through
• Remove One or More Multicast Source Addresses

Multicast Pass-Through

IP multicast pass-through allows multicast packets that originate in the WAN, such as packets from a media streaming or gaming application, to be forwarded to the LAN subnet. Internet Group Management Protocol (IGMP) is used to support multicast between IP hosts and their adjacent neighbors. If you enable multicast pass-through, an IGMP proxy is enabled for the upstream (WAN) and downstream (LAN) interfaces. This proxy allows the VPN firewall to forward relevant multicast traffic from the WAN to the LAN and to keep track of the IGMP group membership when LAN hosts join or leave the multicast group.

Enable and Configure Multicast Pass-Through

The following procedure describes how to enable and configure multicast pass-through for IPv4 traffic. By default, multicast pass-through is disabled.

To enable and configure multicast pass-through:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > IGMP. The IGMP screen displays. The following figure shows one alternate network as an example.
7. Select the Yes radio button.
8. If you configured load balancing (see Configure Load Balancing Mode and Optional Protocol Binding for IPv4 Interfaces on page 49), from the Bind Upstream Interface menu, select the upstream interface (WAN1, the default, or WAN2) to which multicast traffic must be bound. Only a single interface can function as the upstream interface.
Note: When you change the WAN mode to load balancing while multicast pass-through is already enabled, multicast traffic is bound to the active interface of the previous WAN mode.
9. Click the Apply button. Multicast pass-through is enabled.
10. If the interface to which multicast traffic is bound is configured for PPPoE or PPTP, you must add the multicast source address to the Alternate Networks table:
a. In the Alternate Networks section, below the table, enter the following settings:
• IP Address. Enter the multicast source IP address.
• Subnet Mask. Enter the subnet mask for the multicast source address.
b. Click the Add button. The multicast source address is added to the Alternate Networks table.
c. Repeat Step a and Step b for each multicast source address that you must add to the Alternate Networks table.

Remove One or More Multicast Source Addresses

The following procedure describes how to remove one or more multicast source addresses that you no longer need for a PPPoE or PPTP configuration.

To remove one or more multicast source addresses:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > IGMP. The IGMP screen displays.
7. In the Alternate Networks table, select the check box to the left of each address that you want to remove or click the Select All button to select all addresses.
8. Click the Delete button. The selected addresses are removed from the Alternate Networks table.

Manage the Application Level Gateway for SIP Sessions

The Application Level Gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides support for multiple SIP clients. SIP support for the ALG, which is an IPv4 feature, is disabled by default.
To enable ALG for SIP:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Security > Firewall > Advanced. The Advanced screen displays.
7. Select the Enable SIP ALG check box.
8. Click the Apply button. Your settings are saved.

Manage Firewall Objects

The following sections provide information about firewall objects:
• Firewall Objects
• Manage Customized Services
• Manage Service Groups
• Manage IP Address Groups
• Define a Schedule
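To tie together the Set Limits for IPv4 Sessions and Manage Time-Out Periods for TCP, UDP, and ICMP Sessions sections of this chapter, the following added Python simulation (not Netgear firmware code, and not a description of how the FVS336Gv2 implements these settings internally) models a session table that applies the manual's default idle time-outs (TCP 3600 s, UDP 180 s, ICMP 8 s), a per-source limit expressed either as a number of sessions or as a percentage of capacity, the two Session Limit Control modes with their block period, and the dropped-packet counter. It goes slightly beyond the manual by also enforcing the total session capacity. All addresses, ports, timestamps and the capacity value are constructed.

```python
"""Added example: simulate per-source session limits and per-protocol idle time-outs."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Default idle time-outs in seconds as listed in the manual: TCP 3600, UDP 180, ICMP 8.
DEFAULT_TIMEOUTS = {"tcp": 3600, "udp": 180, "icmp": 8}

FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass
class Session:
    src: str
    proto: str
    last_seen: float


@dataclass
class SessionTable:
    capacity: int                  # total session capacity (constructed value)
    user_limit: float              # User Limit: a count or a percentage of capacity
    limit_param: str = "number"    # User Limit Parameter: "number" or "percentage"
    control: str = "when_exceeds"  # Session Limit Control: "when_exceeds" or "cannot_exceed"
    action: str = "block_new"      # for cannot_exceed: "block_new" or "terminate_all"
    block_period: int = 60         # the Time field: seconds a source stays blocked
    timeouts: Dict[str, int] = field(default_factory=lambda: dict(DEFAULT_TIMEOUTS))
    sessions: Dict[FlowKey, Session] = field(default_factory=dict)
    blocked_until: Dict[str, float] = field(default_factory=dict)
    dropped: int = 0               # "Total Number of Packets Dropped due to Session Limit"

    def per_source_limit(self) -> int:
        if self.limit_param == "percentage":
            return int(self.capacity * self.user_limit / 100)
        return int(self.user_limit)

    def expire(self, now: float) -> None:
        """Remove sessions idle for at least their protocol's time-out."""
        for key, s in list(self.sessions.items()):
            if now - s.last_seen >= self.timeouts[s.proto]:
                del self.sessions[key]

    def count(self, src: str) -> int:
        # Per-device count: protocols such as FTP and RTSP open two flows per
        # connection, and both count here, which is why the manual's note matters.
        return sum(1 for s in self.sessions.values() if s.src == src)

    def packet(self, now: float, src: str, dst: str, sport: int, dport: int, proto: str) -> bool:
        """Process one packet; return True if forwarded, False if dropped."""
        self.expire(now)
        key: FlowKey = (src, dst, sport, dport, proto)
        if key in self.sessions:                    # existing session: refresh the idle timer
            self.sessions[key].last_seen = now
            return True
        if self.blocked_until.get(src, 0.0) > now:  # source is still inside its block period
            self.dropped += 1
            return False
        if len(self.sessions) >= self.capacity:     # device-wide capacity exhausted
            self.dropped += 1
            return False
        if self.count(src) >= self.per_source_limit():
            self.dropped += 1
            if self.control == "cannot_exceed":     # start the block period for this source
                self.blocked_until[src] = now + self.block_period
                if self.action == "terminate_all":  # "Block IPs all connections for"
                    for k in [k for k, s in self.sessions.items() if s.src == src]:
                        del self.sessions[k]
            return False                            # "when_exceeds": wait for a free slot
        self.sessions[key] = Session(src, proto, now)
        return True


def scenario_when_exceeds() -> Tuple[List[bool], int, int]:
    """Limit of 2 per source; a new session must wait for an old one to time out."""
    t = SessionTable(capacity=1000, user_limit=2)
    lan, web, dns = "192.168.1.20", "198.51.100.7", "198.51.100.8"  # constructed
    seen = [
        t.packet(0, lan, web, 40001, 443, "tcp"),    # first session
        t.packet(1, lan, web, 40002, 443, "tcp"),    # second session
        t.packet(2, lan, dns, 40003, 53, "udp"),     # over the limit: dropped
        t.packet(3600, lan, dns, 40004, 53, "udp"),  # first TCP flow idle 3600 s: expired, so allowed
        t.packet(3700, lan, dns, 0, 0, "icmp"),      # second TCP flow expired as well
    ]
    t.expire(3710)  # ICMP idle 10 s (limit 8 s) is gone; UDP idle 110 s (limit 180 s) survives
    return seen, t.count(lan), t.dropped


def scenario_cannot_exceed() -> Tuple[List[bool], int, int]:
    """Limit of 2; exceeding it tears down the source's sessions and blocks it for 60 s."""
    t = SessionTable(capacity=1000, user_limit=2, control="cannot_exceed",
                     action="terminate_all", block_period=60)
    lan, web = "192.168.1.21", "198.51.100.7"  # constructed
    seen = [
        t.packet(0, lan, web, 40001, 443, "tcp"),
        t.packet(1, lan, web, 40002, 443, "tcp"),
        t.packet(2, lan, web, 40003, 443, "tcp"),   # over the limit: all torn down, blocked until t=62
        t.packet(10, lan, web, 40001, 443, "tcp"),  # same 5-tuple as before, but its session is gone
        t.packet(70, lan, web, 40004, 443, "tcp"),  # block period over: allowed again
    ]
    return seen, t.count(lan), t.dropped


if __name__ == "__main__":
    print(scenario_when_exceeds())
    print(scenario_cannot_exceed())
```

The two scenarios make the operational difference visible: "when single IP exceeds" only refuses the surplus session and recovers by itself as soon as an idle flow times out, while "cannot exceed" with the terminate-all action punishes the whole source, so a long TCP time-out combined with an aggressive limit can lock a busy but legitimate host out for the full block period.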