Netgear VPN Firewall FVS336Gv2 Reference Manual
Manage Users, Authentication, and VPN Certificates 519 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Setting                    Description
Domain Name (Optional)     Enter your Internet domain name or leave this field blank.
E-mail Address (Optional)  Enter the email address of a technical contact in your company.

8. Click the Generate button.
A new SCR is created and added to the Self Certificate Requests table.
9. To view the new SCR, in the Self Certificate Requests table, click the View button.
The Certificate Request Data screen displays.
10. Copy the contents of the Data to supply to CA text field into a text file, including all of the data contained from "-----BEGIN CERTIFICATE REQUEST-----" to "-----END CERTIFICATE REQUEST-----".
11. Submit your SCR to a CA:
a. Connect to the website of the CA.
b. Start the SCR procedure.
c. When prompted for the requested data, copy the data from your saved text file (including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----").
d. Submit the CA form.
If no problems ensue, the digital certificate is issued by the CA.
12. Download the digital certificate file from the CA and store it on your computer.
13. Return to the Certificates screen and locate the Self Certificate Requests section.
14. Select the check box next to the self-signed certificate request.
15. Click the Browse button and navigate to the digital certificate file from the CA that you just stored on your computer.
16. Click the Upload button.
The VPN firewall verifies the certificate for validity and purpose. If the VPN firewall approves the certificate, it is added to the Active Self Certificates table.

View Self-Signed Certificates

The following procedure describes how to view active self-signed certificates.

To view active self-signed certificates:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Certificates.
The Certificates screen displays. The Active Self Certificates table shows the digital certificates that are issued to you by a CA and available for use. For each self-signed certificate, the table lists the following information:
• Name. The name that you used to identify this digital certificate.
• Subject Name. The name that you used for your company and that other organizations see as the holder (owner) of the certificate.
• Serial Number. A serial number maintained by the CA. The number is used to identify the digital certificate with the CA.
• Issuer Name. The name of the CA that issued the digital certificate.
• Expiry Time. The date on which the digital certificate expires. You must renew the digital certificate before it expires.
Remove One or More Self-Signed Certificates

The following procedure describes how to remove one or more self-signed certificates that you no longer need.

To remove one or more self-signed certificates:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Certificates.
The Certificates screen displays.
7. In the Active Self Certificates table, select the check box to the left of each self-signed certificate that you want to remove or click the Select All button to select all self-signed certificates.
8. Click the Delete button.
The selected certificates are removed from the Active Self Certificates table.

Remove One or More Certificate Signing Requests

The following procedure describes how to remove one or more certificate signing requests (CSRs) that you no longer need.

To remove one or more CSRs:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Certificates.
The Certificates screen displays.
7. In the Self Certificate Requests table, select the check box to the left of each certificate signing request that you want to remove or click the Select All button to select all certificate signing requests.
8. Click the Delete button.
The selected requests are removed from the Self Certificate Requests table.

Manage the VPN Certificate Revocation List

A Certificate Revocation List (CRL) shows digital certificates that are revoked and no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date. You must obtain the CRL for each CA regularly.

The following sections provide information about managing CRLs:
• View Certificate Revocation Lists and Upload a Certificate Revocation List
• Remove One or More Certificate Revocation Lists
• Self-Signed Certificates and Security Alerts

View Certificate Revocation Lists and Upload a Certificate Revocation List

The following procedure describes how to view the loaded Certificate Revocation Lists (CRLs) and upload a new CRL.

To view the CRLs and upload a new CRL:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Certificates.
The Certificates screen displays. The following figure shows the bottom section with the Certificate Revocation Lists (CRL) table. The table shows a certificate as an example.
The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates:
• CA Identity. The official name of the CA that issued the CRL.
• Last Update. The date when the CRL was released.
• Next Update. The date when the next CRL will be released.
7. In the Upload CRL section, click the Browse button and navigate to the CRL file that you previously downloaded from a CA.
8. Click the Upload button.
The VPN firewall verifies the CRL. If the VPN firewall approves the CRL, it is added to the Certificate Revocation Lists (CRL) table.
Note: If the table already contains a CRL from the same CA, the old CRL is removed when you upload the new CRL.
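Two things this chapter leaves to the administrator are easy to forget: the VPN firewall only rejects a revoked certificate while the uploaded CRL is current, and an Active Self Certificate must be renewed before its Expiry Time. The following script is an added example (not NETGEAR code) that takes rows shaped like the Active Self Certificates and Certificate Revocation Lists (CRL) tables and reports what needs attention; the row values and the 30-day warning window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample rows with the columns of the Active Self Certificates
# table (Name, Subject Name, Serial Number, Issuer Name, Expiry Time).
SELF_CERTS = [
    {"name": "vpn-gw", "subject": "CN=vpn.example.test", "serial": "1A2B",
     "issuer": "Example CA", "expiry": "2025-03-01"},
    {"name": "ssl-portal", "subject": "CN=portal.example.test", "serial": "1A2C",
     "issuer": "Example CA", "expiry": "2024-12-15"},
    {"name": "ipsec-site", "subject": "CN=site.example.test", "serial": "7F01",
     "issuer": "Third CA", "expiry": "2026-01-01"},
]

# Constructed sample rows with the columns of the Certificate Revocation
# Lists (CRL) table (CA Identity, Last Update, Next Update).
CRLS = [
    {"ca": "Example CA", "last_update": "2024-11-01", "next_update": "2024-12-01"},
    {"ca": "Other CA", "last_update": "2024-12-20", "next_update": "2025-01-20"},
]

def parse_date(s):
    return date.fromisoformat(s)

def certs_needing_renewal(rows, today, warn_days=30):
    """Names of certificates that are expired or expire within warn_days."""
    limit = today + timedelta(days=warn_days)
    return [r["name"] for r in rows if parse_date(r["expiry"]) <= limit]

def stale_crls(rows, today):
    """CA identities whose CRL Next Update date has already passed, so the
    loaded CRL no longer reflects the CA's current revocations."""
    return [r["ca"] for r in rows if parse_date(r["next_update"]) < today]

def issuers_without_crl(cert_rows, crl_rows):
    """Issuers of active certificates for which no CRL is loaded at all."""
    loaded = {r["ca"] for r in crl_rows}
    return sorted({r["issuer"] for r in cert_rows} - loaded)

def report(today, cert_rows=SELF_CERTS, crl_rows=CRLS):
    """One dict an operator can act on: renew, re-upload CRL, obtain CRL."""
    return {
        "renew": certs_needing_renewal(cert_rows, today),
        "stale_crl": stale_crls(crl_rows, today),
        "missing_crl": issuers_without_crl(cert_rows, crl_rows),
    }

if __name__ == "__main__":
    for key, items in report(parse_date("2024-12-10")).items():
        print(f"{key}: {items}")
```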
Remove One or More Certificate Revocation Lists

The following procedure describes how to remove one or more Certificate Revocation Lists (CRLs) that you no longer need.

To remove one or more CRLs:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
The Router Status screen displays.
6. Select VPN > Certificates.
The Certificates screen displays.
7. In the Certificate Revocation Lists (CRL) table, select the check box to the left of each CRL that you want to remove or click the Select All button to select all CRLs.
8. Click the Delete button.
The selected CRLs are removed from the Certificate Revocation Lists (CRL) table.

Self-Signed Certificates and Security Alerts

A self-signed digital certificate triggers a warning from most browsers because the certificate provides no protection against identity theft of a server. The following figure shows an image of a browser security alert.
Figure 12. Security alert

A security alert can be generated for a security certificate for three reasons:
• The security certificate was issued by a company you have not chosen to trust.
• The date of the security certificate is invalid.
• The name on the security certificate is invalid or does not match the name of the site.
When a security alert is generated, the user can decide whether to trust the host.
11. Optimize Performance and Manage Your System

This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall.

The chapter contains the following sections:
• Performance Management
• System Management
Performance Management

Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through if a bottleneck occurs. To prevent bottlenecks from occurring in the first place, you can either reduce unnecessary traffic or reschedule some traffic to low-peak times. The VPN firewall has the necessary features and tools to help the network manager accomplish these goals.

The following sections provide information about performance management:
• Bandwidth Capacity Overview
• Features That Reduce Traffic
• Features That Increase Traffic
• Use QoS and Bandwidth Assignment to Shift the Traffic Mix
• Monitoring Tools for Traffic Management

Bandwidth Capacity Overview

The maximum bandwidth capacity of the VPN firewall in each direction is as follows:
• LAN side. 4000 Mbps (four LAN ports at 1000 Mbps each)
• WAN side
  - Load balancing mode. 2000 Mbps (two WAN ports at 1000 Mbps each)
  - Auto-rollover mode. 1000 Mbps (one active WAN port at 1000 Mbps)
  - Single WAN port mode. 1000 Mbps (one active WAN port at 1000 Mbps)
In practice, the WAN-side bandwidth capacity is much lower when you use a DSL or cable modem to connect to the Internet. At 1.5 Mbps, the WAN ports support the following traffic rates:
• Load balancing mode. 3 Mbps (two WAN ports at 1.5 Mbps each)
• Auto-rollover mode. 1.5 Mbps (one active WAN port at 1.5 Mbps)
• Single WAN port mode. 1.5 Mbps (one active WAN port at 1.5 Mbps)
As a result, and depending on the traffic that is being carried, the WAN side of the VPN firewall is the limiting factor to throughput for most installations. Using two WAN ports in load balancing mode increases the bandwidth capacity of the WAN side of the VPN firewall, but no backup is present if one of the WAN ports fails. When such a failure occurs, the traffic that would be sent on the failed WAN port is diverted to another WAN port that is still working, thus increasing its load. However, one exception exists: traffic that is bound by protocol to the WAN port that failed is not diverted.
Features That Reduce Traffic

The following sections provide information about features of the VPN firewall that you can change in such a way that the traffic load on the WAN side decreases:
• LAN WAN Outbound Rules and DMZ WAN Outbound Rules — Service Blocking
• Content Filtering
• Source MAC Filtering

LAN WAN Outbound Rules and DMZ WAN Outbound Rules — Service Blocking

You can control specific outbound traffic (from LAN to WAN and from the DMZ to WAN). Any outbound rule that you create restricts outgoing traffic and therefore decreases the traffic load on the WAN side. If you have not defined any LAN WAN outbound rules, only the default rule applies, which allows all outgoing traffic.

WARNING: Incorrect configuration of outbound firewall rules can cause serious connection problems.

Each of the following rules lets you specify the desired action for the connections that are covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
This section summarizes the various criteria that you can apply to outbound rules in order to reduce traffic. For more information about outbound rules, see Outbound Rules — Service Blocking on page 212. For detailed information about how to configure outbound rules, see Add LAN WAN Rules on page 223 and Add DMZ WAN Rules on page 233.

When you define outbound firewall rules, you can further refine their application according to the following criteria:
• Services. You can specify the services or applications to be covered by an outbound rule. If the desired service or application does not display in the list, you must define it (see Outbound Rules — Service Blocking on page 212 and Manage Customized Services on page 280).
• LAN users (or DMZ users). You can specify which computers on your network are affected by an outbound rule. You have several options:
  - Any. The rule applies to all computers and devices on your LAN or DMZ.
  - Single address. The rule applies to the address of a particular computer.