Netgear VPN Firewall FVS336Gv2 Reference Manual
Optimize Performance and Manage Your System 529 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

-Address range. The rule applies to a range of addresses.
-Groups. The rule applies to a group of computers. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs and Devices table is an automatically maintained list of all known computers and network devices and is generally referred to as the network database (see Manage the Network Database on page 133). Computers and network devices are entered into the network database by various methods (see Manage IPv4 LAN Groups and Hosts on page 132).
-IP Groups. The rule applies to a group of individual LAN IP addresses. For information about assigning IP addresses to groups, see Manage IP Address Groups on page 288. (LAN IP groups do not apply to DMZ WAN outbound rules.)
•WAN users. You can specify which Internet locations are covered by an outbound rule, based on their IP address:
-Any. The rule applies to all Internet IP addresses.
-Single address. The rule applies to a single Internet IP address.
-Address range. The rule applies to a range of Internet IP addresses.
-IP Groups. The rule applies to a group of individual WAN IP addresses. For information about assigning IP addresses to groups, see Manage IP Address Groups on page 288.
•Schedule. You can configure three different schedules to specify when a rule is applied. After a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Define a Schedule on page 292.
•QoS profile. You can apply QoS profiles to outbound rules to regulate the priority of traffic. For information about QoS profiles, see Manage Quality of Service Profiles for IPv4 Firewall Rules on page 293.
•Bandwidth profile. You can define bandwidth profiles and then apply them to outbound LAN WAN rules to limit traffic. (You cannot apply bandwidth profiles to DMZ WAN rules.) For information about how to define bandwidth profiles, see Manage Bandwidth Profiles for IPv4 Traffic on page 299.

Content Filtering

If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s content-filtering feature. By default, this feature is disabled; all requested traffic from any website is allowed. To reduce traffic, the VPN firewall provides the following methods to filter web content:
•Keyword blocking. You can specify words that, if they appear in the website name (URL) or newsgroup name, cause that site or newsgroup to be blocked by the VPN firewall.
•Web object blocking. You can block the following web component types: embedded objects (ActiveX and Java), proxies, and cookies.
To further narrow down the content filtering, you can configure groups to which the content-filtering rules apply and trusted domains for which the content-filtering rules do not apply.

Source MAC Filtering

If you want to reduce outgoing traffic by preventing Internet access by certain computers on the LAN, you can use the source MAC filtering feature to drop the traffic received from the computers with the specified MAC addresses. By default, this feature is disabled; all traffic received from computers with any MAC address is allowed. For information about how to use this feature, see Enable Source MAC Filtering on page 312.

Features That Increase Traffic

The following sections provide information about features of the VPN firewall that might cause the traffic load on the WAN side to increase:
•LAN WAN Inbound Rules and DMZ WAN Inbound Rules — Port Forwarding
•Port Triggering
•DMZ Port
•Exposed Hosts
•VPN, L2TP, and PPTP Tunnels

LAN WAN Inbound Rules and DMZ WAN Inbound Rules — Port Forwarding

Any inbound rule that you create allows additional incoming traffic (from WAN to LAN and from WAN to the DMZ) and therefore increases the traffic load on the WAN side. If you have not defined any LAN WAN inbound rules, only the default rule applies, which blocks all access from outside except responses to requests from the LAN side.

WARNING: Incorrect configuration of inbound firewall rules can cause serious connection problems.

Each inbound rule lets you specify one of the following actions for the connections covered by the rule:
•BLOCK always
•BLOCK by schedule, otherwise allow
•ALLOW always
•ALLOW by schedule, otherwise block

This section summarizes the various criteria that you can apply to inbound rules and that might increase traffic. For more information about inbound rules, see Inbound Rules — Port Forwarding on page 215. For detailed information about how to configure inbound rules, see Add LAN WAN Rules on page 223 and Add DMZ WAN Rules on page 233.

When you define inbound firewall rules, you can further refine their application according to the following criteria:
•Services. You can specify the services or applications to be covered by an inbound rule. If the desired service or application does not display in the list, you must define it (see Inbound Rules — Port Forwarding on page 215 and Manage Customized Services on page 280).
•WAN destination IP address. You can specify the destination IP address for incoming traffic. Traffic is directed to the specified address only when the destination IP address of the incoming packet matches the IP address of the selected WAN interface.
•LAN users (or DMZ users). You specify which computers on your network are affected by an inbound rule only when the IPv4 routing mode is Classical Routing. When Classical Routing is enabled, you have several options:
-Any. The rule applies to all computers and devices on your LAN or DMZ.
-Single address. The rule applies to the address of a particular computer.
-Address range. The rule applies to a range of addresses.
-Groups. The rule applies to a group of computers. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs and Devices table is an automatically maintained list of all known computers and network devices and is generally referred to as the network database (see Manage the Network Database on page 133). Computers and network devices are entered into the network database by various methods (see Manage IPv4 LAN Groups and Hosts on page 132).
-IP Groups. The rule applies to a group of individual LAN IP addresses. For information about assigning IP addresses to groups, see Manage IP Address Groups on page 288. (LAN IP groups do not apply to DMZ WAN inbound rules.)
•WAN users. You can specify which Internet locations are covered by an inbound rule, based on their IP address:
-Any. The rule applies to all Internet IP addresses.
-Single address. The rule applies to a single Internet IP address.
-Address range. The rule applies to a range of Internet IP addresses.
-IP Groups. The rule applies to a group of individual WAN IP addresses. For information about assigning IP addresses to groups, see Manage IP Address Groups on page 288.
•Schedule. You can configure three different schedules to specify when a rule is applied. After a schedule is configured, it affects all rules that use this schedule. You specify the days of the week and time of day for each schedule. For more information, see Define a Schedule on page 292.
•Bandwidth profile. You can define bandwidth profiles and then apply them to inbound LAN WAN rules to limit traffic. (You cannot apply bandwidth profiles to DMZ WAN rules.) For information about how to define bandwidth profiles, see Manage Bandwidth Profiles for IPv4 Traffic on page 299.
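The following is an added example, not NETGEAR code, that models how an inbound rule combining one of the four actions, a LAN users / WAN users selector (any, single address, address range, group) and a weekly schedule decides on a packet. It assumes top-down, first-match evaluation and that a packet matching no rule is judged by the default rule, which blocks it; the rule set, addresses and schedule are constructed sample data.

```python
# Added example, not NETGEAR code: model of inbound rule evaluation with the four
# actions and a weekly schedule. Assumed: top-down first-match, default rule blocks.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address
from typing import Optional

@dataclass
class Schedule:
    days: set         # weekday numbers, Monday = 0 ... Sunday = 6
    start: time       # time of day the schedule begins (inclusive)
    end: time         # time of day the schedule ends (exclusive)

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end

def addr_matches(spec: tuple, addr: str) -> bool:
    """Selector for LAN users / WAN users: any, single address, address range, or group."""
    kind, a = spec[0], ip_address(addr)
    if kind == "any":
        return True
    if kind == "single":
        return a == ip_address(spec[1])
    if kind == "range":
        return ip_address(spec[1]) <= a <= ip_address(spec[2])
    if kind == "group":   # a group is modelled as the set of its members' addresses
        return addr in spec[1]
    raise ValueError(f"unknown selector {kind!r}")

@dataclass
class Rule:
    service: tuple                       # (protocol, port), e.g. ("tcp", 443)
    action: str                          # one of the four actions listed in the manual
    lan_users: tuple                     # selector spec, see addr_matches
    wan_users: tuple
    schedule: Optional[Schedule] = None  # needed only by the two "by schedule" actions

    def effective_action(self, when: datetime) -> str:
        if self.action == "ALLOW always":
            return "ALLOW"
        if self.action == "BLOCK always":
            return "BLOCK"
        in_schedule = self.schedule is not None and self.schedule.active(when)
        if self.action == "BLOCK by schedule, otherwise allow":
            return "BLOCK" if in_schedule else "ALLOW"
        if self.action == "ALLOW by schedule, otherwise block":
            return "ALLOW" if in_schedule else "BLOCK"
        raise ValueError(f"unknown action {self.action!r}")

def decide_inbound(rules, service, wan_src, lan_dst, when_iso: str) -> str:
    """ALLOW or BLOCK for a WAN -> LAN packet; with no match the default rule blocks it."""
    when = datetime.fromisoformat(when_iso)
    for rule in rules:
        if (rule.service == service and addr_matches(rule.wan_users, wan_src)
                and addr_matches(rule.lan_users, lan_dst)):
            return rule.effective_action(when)
    return "BLOCK"

# Constructed sample policy: HTTPS to one internal server during office hours only.
OFFICE_HOURS = Schedule(days={0, 1, 2, 3, 4}, start=time(8, 0), end=time(18, 0))
RULES = [
    Rule(("tcp", 443), "ALLOW by schedule, otherwise block",
         lan_users=("single", "192.168.1.10"), wan_users=("any",), schedule=OFFICE_HOURS),
    Rule(("tcp", 22), "BLOCK always", lan_users=("any",), wan_users=("any",)),
]
```

Because the schedule is shared, editing OFFICE_HOURS changes the behaviour of every rule that references it, which is the same coupling the manual describes for schedules.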
Port Triggering

Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network. As such, it would be handled in accordance with the inbound port forwarding rules and most likely would be blocked. For information about how to configure port triggering, see Manage Port Triggering on page 325.

DMZ Port

The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions when compared to the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or email server) and provide public access to them. The fourth LAN port on the VPN firewall (the rightmost LAN port) can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. For information about how to enable the DMZ port, see Manage the DMZ Port for IPv4 Traffic on page 140. For information about how to configure DMZ traffic rules, see Add DMZ WAN Rules on page 233.

Exposed Hosts

Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.

WARNING: For security, NETGEAR strongly recommends that you do not set up an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.

VPN, L2TP, and PPTP Tunnels

The VPN firewall supports site-to-site IPSec VPN tunnels, dedicated SSL VPN tunnels, L2TP tunnels, and PPTP tunnels. Each tunnel requires extensive processing for encryption and authentication, thereby increasing traffic through the WAN ports. For information about IPSec VPN, L2TP, and PPTP tunnels, see Chapter 8, Set Up Virtual Private Networking With IPSec Connections. For information about SSL VPN tunnels, see Chapter 9, Set Up Virtual Private Networking with SSL Connections.
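The Port Triggering section above explains that, without a trigger, a reply from the external application is treated as a new inbound connection and usually blocked. The following added example (not NETGEAR code) is a state model of that behaviour: an outbound packet to a trigger port opens the rule's incoming ports toward that LAN host, and an inbound packet is forwarded only while such an opening exists. The fixed idle timeout, the rule ports and the addresses are assumptions and constructed sample data, not values from the manual.

```python
# Added example, not NETGEAR code: state model of port triggering. Assumed: the
# opening expires after a fixed idle timeout, and an inbound packet with no open
# entry falls through to the inbound rules, modelled as the default rule (block).
from dataclasses import dataclass, field

@dataclass
class TriggerRule:
    name: str
    trigger_ports: tuple    # (low, high): outbound destination ports that arm the rule
    incoming_ports: tuple   # (low, high): inbound ports then opened toward the LAN host

def in_range(port: int, bounds: tuple) -> bool:
    return bounds[0] <= port <= bounds[1]

@dataclass
class PortTriggering:
    rules: list
    timeout: int = 300                           # assumed idle timeout, in seconds
    opened: dict = field(default_factory=dict)   # (rule name, lan_host) -> expiry time

    def outbound(self, lan_host: str, dst_port: int, now: int) -> None:
        """A LAN host sends to a trigger port: open the rule's incoming ports for it."""
        for rule in self.rules:
            if in_range(dst_port, rule.trigger_ports):
                self.opened[(rule.name, lan_host)] = now + self.timeout

    def inbound(self, dst_port: int, now: int) -> tuple:
        """Route an unsolicited WAN packet: ("FORWARD", lan_host) or ("BLOCK", None)."""
        for (name, lan_host), expiry in list(self.opened.items()):
            if expiry <= now:                    # stale entry: remove it first
                del self.opened[(name, lan_host)]
                continue
            rule = next(r for r in self.rules if r.name == name)
            if in_range(dst_port, rule.incoming_ports):
                return ("FORWARD", lan_host)
        # No open entry: the packet is a new connection request from the WAN, so it
        # is judged by the inbound rules, where the default rule blocks it.
        return ("BLOCK", None)

# Constructed sample: an application that dials out on TCP 6000 and expects the
# remote side to connect back on ports 7000-7010.
SAMPLE_RULES = [TriggerRule("callback-app", trigger_ports=(6000, 6000),
                            incoming_ports=(7000, 7010))]

def demo() -> list:
    """Lifecycle: blocked before the trigger, forwarded after it, blocked once expired."""
    pt = PortTriggering(SAMPLE_RULES, timeout=300)
    results = [pt.inbound(7005, now=0)]          # nothing armed yet -> BLOCK
    pt.outbound("192.168.1.20", 6000, now=10)    # LAN host dials out on the trigger port
    results.append(pt.inbound(7005, now=20))     # reply on 7005 is forwarded to the host
    results.append(pt.inbound(8000, now=20))     # port outside the opened range -> BLOCK
    results.append(pt.inbound(7005, now=400))    # after the 300 s timeout -> BLOCK
    return results
```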
Use QoS and Bandwidth Assignment to Shift the Traffic Mix

By setting the Quality of Service (QoS) priority and assigning bandwidth profiles to firewall rules, you can shift the traffic mix to aim for optimum performance of the VPN firewall. The following sections provide information about using QoS and bandwidth assignment to shift the traffic mix:
•Setting QoS Priorities
•Assigning Bandwidth Profiles

Setting QoS Priorities

The QoS priority settings determine the Quality of Service for the traffic passing through the VPN firewall. You can create and assign QoS profiles to WAN interfaces. For more information about QoS profiles for WAN interfaces, see Manage WAN QoS and WAN QoS Profiles on page 74. You can also create and assign a QoS profile (IPv4) or QoS priority (IPv6) to LAN WAN and DMZ WAN outbound firewall rules. QoS is set individually for each firewall rule. You can change the mix of traffic through the WAN ports by granting some services a higher priority than others in the following ways:
•You can accept the default priority defined by the service itself by not changing its QoS priority.
•You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have.
For more information about QoS profiles, see Manage Quality of Service Profiles for IPv4 Firewall Rules on page 293 and Default Quality of Service Priorities for IPv6 Firewall Rules on page 298.

Assigning Bandwidth Profiles

When you set the QoS priority, the WAN bandwidth does not change. You change the WAN bandwidth that is assigned to a service or application by applying a bandwidth profile to a LAN WAN inbound or outbound rule. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating sufficient bandwidth to LAN users while preventing them from consuming all the bandwidth on your WAN links. For more information about bandwidth profiles, see Manage Bandwidth Profiles for IPv4 Traffic on page 299.

Monitoring Tools for Traffic Management

The VPN firewall includes several tools that can be used to monitor the traffic conditions of the firewall and content-filtering engine and to monitor the users’ access to the Internet and the types of traffic that they are allowed to have. For a description of these tools, see Chapter 12, Monitor System Access and Performance.
System Management

The following sections provide information about system management:
•Set Up Remote Management Access
•Use the Command-Line Interface
•Use a Simple Network Management Protocol Manager
•Manage the Configuration File
•Revert to Factory Default Settings
•Configure Date and Time Service

Set Up Remote Management Access

An administrator can configure, upgrade, and check the status of the VPN firewall over the Internet through an SSL VPN connection. The following sections provide information about setting up remote management access:
•Remote Access
•Configure Remote Access

Remote Access

When you enable remote management, you must use an SSL connection to access the VPN firewall from the Internet. You must enter https:// (not http://) and type the VPN firewall’s WAN IP address and port number in your browser. For example, if the VPN firewall’s WAN IP address is 192.168.15.175 and the port number is 443, type the following in your browser: https://192.168.15.175:443. The VPN firewall’s remote login URL is as follows: https://<IP address>:<port number> or https://<FQDN>:<port number>. The IP address can be an IPv4 or IPv6 address. Concerning security, note the following:
•For enhanced security, restrict access to as few external IP addresses as practical. See Manage User Login Policies on page 504 for information about restricting administrator access by IP address.
•To maintain security, the VPN firewall rejects a login that uses http://address rather than the SSL https://address.
•The first time that you remotely connect to the VPN firewall with a browser through an SSL connection, you might get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer, click the Yes button to accept the certificate.
Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert VPN firewall.mynetgear.net, and the WAN IP address that your ISP assigned to the VPN firewall is displayed.

Configure Remote Access

The following procedure describes how to configure remote management access on the VPN firewall.

WARNING: When you enable remote management and grant administrative access through a WAN interface (see Configure Login Policies on page 504), the VPN firewall’s web management interface is accessible to anyone who knows its IP address and default password. Because a malicious WAN user can reconfigure the VPN firewall and misuse it in many ways, NETGEAR recommends that you change the default admin and guest passwords before continuing (see Change Passwords and Automatic Logout Period on page 511).

To configure remote management on the VPN firewall:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Administration > Remote Management. The Remote Management screen displays the IPv4 settings.
7. To configure remote management for IPv6, in the upper right, select the IPv6 radio button. The Remote Management screen displays the IPv6 settings.
8. Enter the settings as described in the following table.

Setting: Secure HTTP Management
Description:
Allow Secure HTTP Management? To enable secure HTTP management, select the Yes radio button, which is the default setting. Selecting the No radio button disables secure HTTP management.
Note: The selected setting applies to both WAN interfaces.
Select the addresses through which access is allowed:
• Everyone. No IP addresses are restricted.
• IP address range. Only users who use devices in the specified IP address range can securely manage over an HTTP connection. In the From fields, type the first IP address of the range; in the To fields, type the last IP address of the range.
• Only this PC. Only a user who uses the device with the specified IP address can securely manage over an HTTP connection. Type the IP address in the fields.
In the Port Number field, enter the port number through which access is allowed. The default port number is 443.
Note: The URL through which you can securely manage over an HTTP connection displays below the Port Number field.

Setting: Telnet Management
Description:
Allow Telnet Management? To enable Telnet management, select the Yes radio button. By default, the No radio button is selected and Telnet management is disabled.
Select the addresses through which access is allowed:
• Everyone. No IP addresses are restricted.
• IP address range. Only users who use devices in the specified IP address range can manage over a Telnet connection. In the From fields, type the first IP address of the range; in the To fields, type the last IP address of the range.
• Only this PC. Only a user who uses the device with the specified IP address can manage over a Telnet connection. Type the IP address in the fields.

WARNING: If you are remotely connected to the VPN firewall and you select the No radio button to disable secure HTTP management, you and all other SSL VPN users are disconnected when you click the Apply button.

9. Click the Apply button. Your settings are saved.

Use the Command-Line Interface

You can access the command-line interface (CLI) using the console port on the back panel of the VPN firewall (see Back Panel on page 20). You can access the CLI from a communications terminal when the VPN firewall is still set to its factory defaults or use your own settings if you changed them.

To access the CLI:
1. From your computer’s command-line prompt, enter the following command: telnet <ip address>, in which ip address is the IP address of the VPN firewall. You are prompted for the login and password information.
2. Enter admin and password (or enter guest and password to log in as a read-only guest).

Any configuration changes made through the CLI are not preserved after a reboot or power cycle unless you issue the CLI save command after making the changes. To end a CLI session, issue the exit command.
Use a Simple Network Management Protocol Manager

Simple Network Management Protocol (SNMP) lets you monitor and manage the VPN firewall from an SNMP manager. The following sections provide information about using an SNMP manager:
•SNMP Overview
•Set Up an SNMP Configuration and Specify the Trap Events
•Change an SNMP Configuration
•Remove One or More SNMP Configurations
•View SNMPv3 Default Users and Change the Security for an SNMPv3 User
•Configure the SNMP System Information

SNMP Overview

SNMP forms part of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems such as the NETGEAR ProSAFE Network Management Software (NMS300) to monitor network-attached devices for conditions that warrant administrative attention. SNMP exposes management data in the form of variables on the managed systems, which describe the system configuration. These variables can then be queried (and sometimes set) by managing applications. SNMP provides a remote means to monitor and control network devices and to manage configurations, statistics collection, performance, and security. The VPN firewall supports SNMPv1, SNMPv2c, and SNMPv3.

Set Up an SNMP Configuration and Specify the Trap Events

The following procedure describes how to set up an SNMP configuration and specify the trap events.

To set up an SNMP configuration and specify the trap events:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.