
Netgear VPN Firewall FVS336Gv2 Reference Manual

    							Customize Firewall Protection 
    270 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 
    • Manage VPN Pass-Through in the IPv4 Network
    • Manage VPN Pass-Through in the IPv6 Network
    VPN Pass-Through
    When the VPN firewall functions in NAT mode, all packets going to a remote VPN gateway 
    are first filtered through NAT and then encrypted according to the VPN policy. For example, if 
    a VPN client or gateway on the LAN side of the VPN firewall must connect to another VPN 
    endpoint on the WAN side (placing the VPN firewall between two VPN endpoints), encrypted 
    packets are sent to the VPN firewall. Because the VPN firewall filters the encrypted packets 
    through NAT, the packets become invalid unless you enable VPN pass-through.
    By default, VPN pass-through is allowed on the VPN firewall, enabling VPN traffic that is 
    initiated from the LAN to reach the WAN, irrespective of the default firewall outbound policy and 
    custom firewall rules.
    For IPv4 traffic, you can specify whether to allow or block VPN pass-through for IPSec, PPTP, 
    and L2TP traffic. For IPv6 traffic, the only option is to specify whether to allow or block VPN 
    pass-through for IPSec traffic.
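    Because allowed pass-through traffic reaches the WAN irrespective of the outbound policy and custom rules, it helps to know which LAN flows fall into that category. The following Python sketch is an added example, not part of the NETGEAR manual; the Flow record, the constructed sample flows, and the assumption that tunnel types are recognized by their standard protocol numbers and ports are illustrative.

```python
from dataclasses import dataclass

# Standard IP protocol numbers used by the three tunnel types.
ESP, AH, GRE, TCP, UDP = 50, 51, 47, 6, 17

@dataclass(frozen=True)
class Flow:
    src: str        # LAN source address
    dst: str        # WAN destination address
    proto: int      # IP protocol number
    dport: int = 0  # destination port (0 for protocols without ports)

def vpn_type(flow):
    """Return 'IPSec', 'PPTP', 'L2TP' or None for a LAN-initiated flow.
    Assumption: classification by well-known numbers, not the device's own logic."""
    if flow.proto in (ESP, AH):
        return "IPSec"
    if flow.proto == UDP and flow.dport in (500, 4500):  # IKE and NAT-T
        return "IPSec"
    if flow.proto == GRE or (flow.proto == TCP and flow.dport == 1723):
        return "PPTP"
    if flow.proto == UDP and flow.dport == 1701:
        return "L2TP"
    return None

def passthrough_exposure(flows, allowed):
    """Flows that leave via pass-through regardless of outbound firewall rules.
    `allowed` is the set of selected check boxes, e.g. {"IPSec", "PPTP", "L2TP"}."""
    return [(f, vpn_type(f)) for f in flows if vpn_type(f) in allowed]

SAMPLE_FLOWS = [  # constructed sample data
    Flow("192.168.1.20", "203.0.113.5", UDP, 500),
    Flow("192.168.1.20", "203.0.113.5", ESP),
    Flow("192.168.1.31", "203.0.113.9", TCP, 1723),
    Flow("192.168.1.42", "198.51.100.7", UDP, 1701),
    Flow("192.168.1.50", "198.51.100.80", TCP, 443),
]

if __name__ == "__main__":
    # Factory default: all three check boxes are selected.
    for flow, kind in passthrough_exposure(SAMPLE_FLOWS, {"IPSec", "PPTP", "L2TP"}):
        print(f"{flow.src} -> {flow.dst}: {kind} bypasses outbound policy")
```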
    Manage VPN Pass-Through in the IPv4 Network
    The following procedure describes how to manage VPN pass-through for IPv4 traffic. By 
    default, all types of VPN pass-through are allowed on the VPN firewall.
    To manage VPN pass-through for IPv4 traffic:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN 
    firewall during the installation process.
    The VPN firewall factory default IP address is 192.168.1.1.
    The NETGEAR Configuration Manager Login screen displays.
    3. In the Username field, type your user name and in the Password / Passcode field, type 
    your password.
    For the default administrative account, the default user name is admin and the default 
    password is password.
    4. If you changed the default domain or were assigned a domain, from the Domain menu, 
    select the domain.
    If you did not change the domain or were not assigned a domain, leave the menu 
    selection at geardomain.
    5. Click the Login button.
    The Router Status screen displays.
    6. Select Security > Firewall > Attack Checks.
    The Attack Checks screen displays the IPv4 settings. 
    						
    7. To block VPN pass-through, clear any of the following check boxes, which are selected by 
    default to allow VPN pass-through:
    • IPSec. Clearing this check box disables NAT filtering for IPSec tunnels.
    • PPTP. Clearing this check box disables NAT filtering for PPTP tunnels.
    • L2TP. Clearing this check box disables NAT filtering for L2TP tunnels.
    8. Click the Apply button.
    Your settings are saved.
    Manage VPN Pass-Through in the IPv6 Network
    The following procedure describes how to manage VPN pass-through for IPv6 traffic. By 
    default, VPN pass-through for IPsec is allowed on the VPN firewall, enabling IPSec VPN 
    traffic that is initiated from the LAN to reach the WAN, irrespective of the default firewall outbound 
    policy and custom firewall rules. 
    To manage VPN pass-through for IPv6 traffic:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN 
    firewall during the installation process.
    The VPN firewall factory default IP address is 192.168.1.1.
    The NETGEAR Configuration Manager Login screen displays.
    3. In the Username field, type your user name and in the Password / Passcode field, type 
    your password.
    For the default administrative account, the default user name is admin and the default 
    password is password. 
    						
    4. If you changed the default domain or were assigned a domain, from the Domain menu, 
    select the domain.
    If you did not change the domain or were not assigned a domain, leave the menu 
    selection at geardomain.
    5. Click the Login button.
    The Router Status screen displays.
    6. Select Security > Firewall > Attack Checks.
    The Attack Checks screen displays the IPv4 settings.
    7. In the upper right, select the IPv6 radio button. 
    The Attack Checks screen displays the IPv6 settings.
    8. To block VPN pass-through for IPSec traffic, clear the IPsec check box, which is selected 
    by default to allow VPN pass-through for IPSec traffic.
    9. Click the Apply button.
    Your settings are saved.
    Set Limits for IPv4 Sessions
    You can specify the total number of sessions that are allowed, per user, over an IPv4 
    connection across the VPN firewall. The session limits feature is disabled by default.
    To enable and configure session limits:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN 
    firewall during the installation process.
    The VPN firewall factory default IP address is 192.168.1.1.
    The NETGEAR Configuration Manager Login screen displays.
    3. In the Username field, type your user name and in the Password / Passcode field, type 
    your password. 
    						
    For the default administrative account, the default user name is admin and the default 
    password is password.
    4. If you changed the default domain or were assigned a domain, from the Domain menu, 
    select the domain.
    If you did not change the domain or were not assigned a domain, leave the menu 
    selection at geardomain.
    5. Click the Login button.
    The Router Status screen displays.
    6. Select Security > Firewall > Session Limit.
    The Session Limit screen displays.
    7. Select the Yes radio button. 
    						
    8. Enter the settings as described in the following table.

    Setting: Description

    Session Limit

    Session Limit Control: From the menu, select an option:
    • When single IP exceeds. When the limit is reached, no new session is allowed from the IP address. A new session is allowed only when an existing session is terminated or times out. You must specify the action and period by selecting one of the following radio buttons:
      - Block IP to add new session for. No new session is allowed from the IP address for a period. In the Time field, specify the period in seconds.
      - Block IPs all connections for. All sessions from the IP address are terminated, and new sessions are blocked for a period. In the Time field, specify the period in seconds.
    • Single IP Cannot Exceed. When the limit is reached, no new session is allowed from the IP address for a specified period, or all sessions from the IP address are terminated and new sessions are blocked for a specified period.

    User Limit Parameter: From the menu, select an option:
    • Percentage of Max Sessions. A percentage of the total session connection capacity of the VPN firewall.
    • Number of Sessions. An absolute number of maximum sessions.

    User Limit: Enter a number to indicate the user limit. Note the following:
    • If the selection from the User Limit Parameter is Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a single-source device as a percentage of the total session connection capacity of the VPN firewall. (The session limit is per-device based.)
    • If the selection from the User Limit Parameter is Number of Sessions, the number specifies an absolute value.
    Note: Some protocols such as FTP and RSTP create two sessions per connection, which you must consider when you configure a session limit.

    Total Number of Packets Dropped due to Session Limit: This is a nonconfigurable counter that displays the total number of dropped packets when the session limit is reached.

    9. Click the Apply button.
    Your settings are saved.
    Manage Time-Out Periods for TCP, UDP, and ICMP Sessions
    For IPv4 traffic, a TCP, UDP, or ICMP session expires if the VPN firewall does not process 
    data for the session during the time-out period.
    To manage the time-out periods for TCP, UDP, and ICMP sessions:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN 
    firewall during the installation process.
    The VPN firewall factory default IP address is 192.168.1.1.
    The NETGEAR Configuration Manager Login screen displays.
    3. In the Username field, type your user name and in the Password / Passcode field, type 
    your password.
    For the default administrative account, the default user name is admin and the default 
    password is password.
    4. If you changed the default domain or were assigned a domain, from the Domain menu, 
    select the domain.
    If you did not change the domain or were not assigned a domain, leave the menu 
    selection at geardomain.
    5. Click the Login button.
    The Router Status screen displays.
    6. Select Security > Firewall > Session Limit.
    The Session Limit screen displays.
    7. In the Session Timeout section, enter the time-out periods in the following fields:
    • TCP Timeout. Enter a period in seconds.
    For TCP traffic, the default time-out period is 3600 seconds.
    • UDP Timeout.
    For UDP traffic, the default time-out period is 180 seconds.
    						
    • ICMP Timeout.
    For ICMP traffic, the default time-out period is 8 seconds.
    8. Click the Apply button.
    Your settings are saved.
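    The session limit and the time-out periods interact: an idle session keeps counting against a device's limit until its time-out expires. The following Python model is an added example, not NETGEAR code; it covers the "When single IP exceeds" option with both block actions, and the class name, the capacity of 1000 sessions, and the one-drop-per-refused-attempt counter are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Default idle time-outs in seconds, as listed in the manual.
DEFAULT_TIMEOUTS = {"tcp": 3600, "udp": 180, "icmp": 8}

@dataclass
class SessionTable:
    user_limit: int               # "User Limit" field
    as_percentage: bool = False   # True = "Percentage of Max Sessions"
    max_sessions: int = 1000      # assumed device capacity (not given on the page)
    block_all: bool = False       # True = "Block IPs all connections for"
    block_secs: int = 60          # "Time" field, in seconds
    timeouts: dict = field(default_factory=lambda: dict(DEFAULT_TIMEOUTS))
    sessions: dict = field(default_factory=dict)       # ip -> [[proto, last_seen], ...]
    blocked_until: dict = field(default_factory=dict)  # ip -> time the block ends
    dropped: int = 0              # simplification: counts refused attempts, not packets

    def per_ip_limit(self):
        if self.as_percentage:
            return self.max_sessions * self.user_limit // 100
        return self.user_limit

    def _expire(self, ip, now):
        # Drop sessions that have been idle for the protocol's time-out period.
        live = [s for s in self.sessions.get(ip, [])
                if now - s[1] < self.timeouts[s[0]]]
        self.sessions[ip] = live
        return live

    def open(self, ip, proto, now, count=1):
        """Try to open `count` idle sessions (2 for an FTP-style connection)."""
        live = self._expire(ip, now)
        blocked = now < self.blocked_until.get(ip, 0)
        if blocked or len(live) + count > self.per_ip_limit():
            if not blocked:  # limit just reached: start the block period
                self.blocked_until[ip] = now + self.block_secs
                if self.block_all:
                    self.sessions[ip] = []  # terminate existing sessions too
            self.dropped += 1
            return False
        live.extend([proto, now] for _ in range(count))
        return True

if __name__ == "__main__":
    table = SessionTable(user_limit=3, block_secs=30)
    host = "192.168.1.10"  # constructed LAN address
    print(table.open(host, "udp", 0, count=2), table.open(host, "tcp", 0))
    print(table.open(host, "udp", 1), table.open(host, "udp", 200))
```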
    Manage Multicast Pass-Through
    Multicast pass-through is supported for IPv4 traffic only. The following sections provide 
    information about managing multicast pass-through:
    • Multicast Pass-Through
    • Enable and Configure Multicast Pass-Through
    • Remove One or More Multicast Source Addresses
    Multicast Pass-Through
    IP multicast pass-through allows multicast packets that originate in the WAN, such as 
    packets from a media streaming or gaming application, to be forwarded to the LAN subnet. 
    Internet Group Management Protocol (IGMP) is used to support multicast between IP hosts 
    and their adjacent neighbors.
    If you enable multicast pass-through, an IGMP proxy is enabled for the upstream (WAN) and 
    downstream (LAN) interfaces. This proxy allows the VPN firewall to forward relevant 
    multicast traffic from the WAN to the LAN and to keep track of the IGMP group membership 
    when LAN hosts join or leave the multicast group.
    Enable and Configure Multicast Pass-Through
    The following procedure describes how to enable and configure multicast pass-through for 
    IPv4 traffic. By default, multicast pass-through is disabled.
    To enable and configure multicast pass-through:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN 
    firewall during the installation process.
    The VPN firewall factory default IP address is 192.168.1.1.
    The NETGEAR Configuration Manager Login screen displays.
    3. In the Username field, type your user name and in the Password / Passcode field, type 
    your password.
    For the default administrative account, the default user name is admin and the default 
    password is password.
    4. If you changed the default domain or were assigned a domain, from the Domain menu, 
    select the domain. 
    						
    If you did not change the domain or were not assigned a domain, leave the menu 
    selection at geardomain.
    5. Click the Login button.
    The Router Status screen displays.
    6. Select Security > Firewall > IGMP. 
    The IGMP screen displays. The following figure shows one alternate network as an 
    example.
    7. Select the Yes radio button.
    8. If you configured load balancing (see Configure Load Balancing Mode and Optional Protocol 
    Binding for IPv4 Interfaces on page 49), from the Bind Upstream Interface menu, select 
    the upstream interface (WAN1, the default, or WAN2) to which multicast traffic must be 
    bound.
    Only a single interface can function as the upstream interface. 
    Note: When you change the WAN mode to load balancing while multicast 
    pass-through is already enabled, multicast traffic is bound to the active 
    interface of the previous WAN mode.
    9. Click the Apply button.
    Multicast pass-through is enabled.
    10. If the interface to which multicast traffic is bound is configured for PPPoE or PPTP, you must 
    add the multicast source address to the Alternate Networks table:
    a. In the Alternate Networks section, below the table, enter the following settings:
    • IP Address. Enter the multicast source IP address.
    • Subnet Mask. Enter the subnet mask for the multicast source address.
    						
    b. Click the Add button.
    The multicast source address is added to the Alternate Networks table.
    c. Repeat Step a and Step b for each multicast source address that you must add to 
    the Alternate Networks table.
    Remove One or More Multicast Source Addresses
    The following procedure describes how to remove one or more multicast source addresses 
    that you no longer need for a PPPoE or PPTP configuration.
    To remove one or more multicast source addresses:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN 
    firewall during the installation process.
    The VPN firewall factory default IP address is 192.168.1.1.
    The NETGEAR Configuration Manager Login screen displays.
    3. In the Username field, type your user name and in the Password / Passcode field, type 
    your password.
    For the default administrative account, the default user name is admin and the default 
    password is password.
    4. If you changed the default domain or were assigned a domain, from the Domain menu, 
    select the domain.
    If you did not change the domain or were not assigned a domain, leave the menu 
    selection at geardomain.
    5. Click the Login button.
    The Router Status screen displays.
    6. Select Security > Firewall > IGMP. 
    The IGMP screen displays.
    7. In the Alternate Networks table, select the check box to the left of each address that you 
    want to remove or click the Select All button to select all addresses.
    8. Click the Delete button.
    The selected addresses are removed from the Alternate Networks table.
    Manage the Application Level Gateway for SIP Sessions
    The Application Level Gateway (ALG) facilitates multimedia sessions such as voice over IP 
    (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides 
    support for multiple SIP clients. SIP support for the ALG, which is an IPv4 feature, is disabled 
    by default.  
    						
    To enable ALG for SIP:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN 
    firewall during the installation process.
    The VPN firewall factory default IP address is 192.168.1.1.
    The NETGEAR Configuration Manager Login screen displays.
    3. In the Username field, type your user name and in the Password / Passcode field, type 
    your password.
    For the default administrative account, the default user name is admin and the default 
    password is password.
    4. If you changed the default domain or were assigned a domain, from the Domain menu, 
    select the domain.
    If you did not change the domain or were not assigned a domain, leave the menu 
    selection at geardomain.
    5. Click the Login button.
    The Router Status screen displays.
    6. Select Security > Firewall > Advanced.
    The Advanced screen displays.
    7. Select the Enable SIP ALG check box.
    8. Click the Apply button.
    Your settings are saved.
    Manage Firewall Objects
    The following sections provide information about firewall objects:
    • Firewall Objects
    • Manage Customized Services
    • Manage Service Groups
    • Manage IP Address Groups
    • Define a Schedule
    						