FVS336G PROSAFE™ DUAL WAN GIGABIT FIREWALL WITH SSL & IPSEC VPN
Presented by Hien Ly
L3 Support Engineer
© 1996-2006 NETGEAR®. All rights reserved
Course Agenda
» Introductions
» Course Objectives
• FVS336G Features
• Specific features on FVS336G
• Firewall & Router overview
• VPN overview
• SSL overview
» FVS336G Administration GUI walk-through
» FVS336G User SSL Portal walk-through
» FAQ
» Known Issues
» Q&A
Introduction
» Course Description:
• This training is intended to provide background and update information about the new ProSafe dual WAN gigabit firewall with IPSec and SSL VPN
» Course Audience:
• L2, L3, SE, VAR
» Course Prerequisites:
• Familiarity & knowledge of NETGEAR ProSafe VPN firewall products
• Basic knowledge & understanding of VPN (IPSec & SSL) concepts
• Basic usage of VPN configuration on the NETGEAR ProSafe VPN products
Course Objectives
» At the end of this course, Technical Support Engineers should be able to do the following:
• Identify the differences between the FVS336G and other NETGEAR Firewall VPN routers
• List and describe unique features on the FVS336G
• Identify and list the differences between the SSL features on the FVS336G and the SSL312
• Configure and set up the SSL Portal on the FVS336G
FVS336G Usage
Features & Benefits
» Dual 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover/rollover.
» Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch.
» Supports 25 concurrent IPsec VPN tunnels.
» Supports 10 concurrent SSL VPN sessions.
» Bundled with the single-user license of the NETGEAR ProSafe VPN Client software (VPN01L)
» Supports SNMP v2c
» Italicized are new features specific to the FVS336G only
Package Contents
» ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
» One AC power cable (100-240 VAC, 50-60 Hz).
» Rubber feet.
» One Category 5 (Cat5) Ethernet cable.
» Installation Guide: FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
» Resource CD, including:
• Application Notes and other helpful information.
• ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• ProSafe VPN Client Software – one user license.
» Warranty and Support Information Card.
Front Panel
Rear Panel
» Factory Defaults button
• Using a sharp object, press and hold this button for about ten seconds until the front panel TEST light flashes to reset the FVS336G to factory default settings. All configuration settings will be lost and the default password will be restored.
» LAN & WAN ports
• Auto MDI/MDIX, Gigabit Ethernet ports
» AC Power
• Universal AC input (100-240 VAC, 50-60 Hz)
» On/off power switch
Bottom label
» Default LAN IP address: 192.168.1.1
» Default username: admin
» Default password: password
Hardware Specifications
» Processor Speed: 300 MHz (Cavium CN3005SCP)
» Memory: 16 MB flash, 64 MB DRAM
» Power adapter: 12V DC, 1.2A - plug is localized to country of sale
» Dimensions: 25.4 x 17.8 x 3.96 cm (10 x 7 x 1.56 in)
» Weight: 1.7 kg (3.7 lb)
» Operating temperature: 0° to 40°C (32° to 104°F)
» Operating humidity: 90% maximum relative humidity, non-condensing
Technical Support Info
Serial Prefix: 1PD

| Item Number | Business Unit | Quantity | XF Date | Ship Mode | ETA at DC |
|---|---|---|---|---|---|
| FVS336G-100AUS | DCIHKN | 70 | 10/19/2007 | S | 9/21/2007 |
| FVS336G-100EES | DCINLN | 200 | 10/12/2007 | S | 10/16/2007 |
| FVS336G-100EES | DCINLN | 40 | 10/26/2007 | S | 11/27/2007 |
| FVS336G-100ISS | DCIHKN | 70 | 10/12/2007 | S | 9/28/2007 |
| FVS336G-100ISS | DCINLN | 500 | 10/12/2007 | S | 10/16/2007 |
| FVS336G-100ISS | DCINLN | 280 | 10/19/2007 | S | 10/16/2007 |
| FVS336G-100NAS | DCUSN | 30 | 9/28/2007 | S | 10/22/2007 |
| FVS336G-100NAS | DCUSN | 700 | 10/12/2007 | S | 10/8/2007 |
| FVS336G-100UKS | DCINLN | 400 | 10/19/2007 | S | 10/16/2007 |
| FVS336G-100UKS | DCINLN | 150 | 10/26/2007 | S | 11/27/2007 |
Performance Spec
» Throughput:
• LAN-to-WAN: 60 Mbps total
• IPsec VPN (3DES): 16 Mbps
• SSL VPN: 10 Mbps
» Connections:
• 10,000 concurrent sessions
FVS336G GUI
Admin GUI
» http://192.168.1.1
» Username: admin
» Password: password
» Domain: geardomain
Network – WAN settings
Network – WAN mode
WAN Mode
WAN Mode – Auto-Rollover
» If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure the WAN Failure Detection Method to support Auto-Rollover.
» Link failure is detected in one of the following ways:
• By sending DNS queries to a DNS server, or
• By sending a Ping request to an IP address, or
• None (no failure detection is performed).
» From each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If replies are not received, after a specified number of retries, the corresponding WAN interface is considered down.
» As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once the original primary link is back up and running again.
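The auto-rollover decision described on this slide can be modelled as a small state machine. The following Python sketch is an added example, not NETGEAR firmware code; the names `Detection`, `WanLink` and `simulate`, the retry count of 3, and the rule that a single reply marks the link up again are assumptions made for illustration. It shows that the detector only sees probe replies, so an unreachable probe target looks the same as a failed link, and that with the "None" method the firewall never rolls over.

```python
from dataclasses import dataclass
from enum import Enum


class Detection(Enum):
    DNS = "dns"    # DNS queries to a DNS server
    PING = "ping"  # Ping requests to an IP address
    NONE = "none"  # no failure detection is performed


@dataclass
class WanLink:
    name: str
    up: bool = True
    misses: int = 0  # consecutive probes without a reply

    def record(self, replied: bool, retries: int) -> None:
        """Update link state from the outcome of one probe."""
        if replied:
            # Assumption: a single reply marks the link as up again.
            self.misses, self.up = 0, True
            return
        self.misses += 1
        if self.misses >= retries:
            # The specified number of retries went unanswered.
            self.up = False


def simulate(method, retries, primary_replies):
    """Return (link carrying traffic per probe round, list of transitions).

    Each transition is (round number, old link, new link); these are the
    events worth logging or alerting on.
    """
    primary = WanLink("WAN1")
    active, history, transitions = "WAN1", [], []
    for rnd, replied in enumerate(primary_replies, start=1):
        if method is not Detection.NONE:
            primary.record(replied, retries)
        # Primary carries all traffic while it is up; otherwise roll over.
        new_active = "WAN1" if primary.up else "WAN2"
        if new_active != active:
            transitions.append((rnd, active, new_active))
            active = new_active
        history.append(active)
    return history, transitions


# Constructed probe outcomes for the primary link (True = reply received).
SAMPLE = [True, False, False, True, False, False, False, False, True, True]

if __name__ == "__main__":
    for method in (Detection.PING, Detection.NONE):
        history, transitions = simulate(method, 3, SAMPLE)
        print(method.name, history, transitions)
```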
WAN Mode – Load Balancing
» The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional.
» Scenarios could arise when load balancing needs to be bypassed for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic.
• In the Protocol Binding menu, you specify a protocol such as HTTP, and this causes all outbound traffic of that protocol to use that WAN port.
Dynamic DNS
LAN Settings
LAN Settings – Multi-homing
The secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by computers on the secondary subnet.
» If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the router. This allows the router to act as a gateway to additional logical subnets on your LAN.
NOTE: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses.
Security – Services
Security – Scheduling
Security – Block Sites
Security – Firewall Rules
Firewall Rules – Adding Inbound
Firewall Rules – Adding Outbound
Security – Source MAC Filter
Security – Port Triggering
Once configured, operation is as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. This Router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC's request, and responds using a different port number.
4. This Router matches the response to the previous request, and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)
Note:
» Only 1 PC can use a "Port Triggering" application at any time.
» After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
» Normally for games and chat.
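The four steps and the single-PC/time-out note can be traced with a small model of the Port Triggering table. This Python sketch is an added example, not the router's implementation; the class and method names, the port numbers, the 60-second time-out and the choice to treat the time-out as an inactivity timer refreshed by traffic are all assumptions. It makes visible that the incoming ports stay bound to one PC until the time-out expires, because the router cannot tell when the application ended.

```python
from dataclasses import dataclass


@dataclass
class TriggerRule:
    name: str
    outgoing: range  # outgoing (trigger) ports
    incoming: range  # incoming ports opened for the response


class PortTrigger:
    def __init__(self, rules, timeout):
        self.rules = rules
        self.timeout = timeout   # seconds; value chosen for this example
        self.bindings = {}       # rule name -> (pc_ip, time of last activity)

    def _owner(self, rule, now):
        """PC currently holding the rule, or None once the time-out has passed."""
        binding = self.bindings.get(rule.name)
        if binding and now - binding[1] < self.timeout:
            return binding[0]
        self.bindings.pop(rule.name, None)
        return None

    def outbound(self, pc, dst_port, now):
        """Steps 1-2: record the connection and bind the incoming ports to the PC."""
        for rule in self.rules:
            if dst_port in rule.outgoing:
                owner = self._owner(rule, now)
                if owner in (None, pc):
                    self.bindings[rule.name] = (pc, now)
                    return "triggered"
                return "busy"    # only 1 PC can use the application at a time
        return "no-rule"

    def inbound(self, dst_port, now):
        """Steps 3-4: return the PC the response is forwarded to, or None.

        None means no trigger is active, so the packet is handled as a new
        connection request under the Port Forwarding rules instead.
        """
        for rule in self.rules:
            if dst_port in rule.incoming:
                owner = self._owner(rule, now)
                if owner:
                    # Assumption: traffic refreshes the inactivity timer.
                    self.bindings[rule.name] = (owner, now)
                    return owner
        return None


def demo():
    """Constructed scenario: two LAN PCs competing for one triggered application."""
    rule = TriggerRule("game", outgoing=range(6000, 6001), incoming=range(7000, 7011))
    pt = PortTrigger([rule], timeout=60)
    return [
        pt.inbound(7000, now=0),                    # no trigger yet
        pt.outbound("192.168.1.10", 6000, now=1),   # PC A triggers the rule
        pt.inbound(7000, now=2),                    # response forwarded to PC A
        pt.outbound("192.168.1.11", 6000, now=10),  # PC B must wait
        pt.outbound("192.168.1.11", 6000, now=62),  # time-out passed, PC B triggers
        pt.inbound(7000, now=63),                   # response forwarded to PC B
    ]


if __name__ == "__main__":
    print(demo())
```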
IPSec VPN
Netgear IPSec VPN – VPN Wizard Box-to-box
Netgear IPSec VPN – VPN Wizard Client-to-box
VPN Policy
VPN Policy – Traffic Selection
VPN Policy – Policy Parameters
IKE Policy
IKE Policy – IKE parameters
VPN – Certificate Authority (CA)
Generate Self-sign Certificate
View Certificate Request
Certificate Revocation List (CRL)
Mode Config
VPN Client – RADIUS Client
SSL VPN
SSL VPN – Setup Process
1. Create User Portal
• VPN > SSL VPN > Portal Layouts
2. Create Domain
• Users > Domains
• Select the authentication scheme
• Link the new domain to the new portal that you have created in step #1
3. Create Group
• Users > Groups
• A default group will be created when a domain is created (this is indicated with a “*”)
• You can create other groups under each domain
4. Create User
• Users > Users
• Define Login policies
SSL – Portal Layout
SSL – Domain
SSL – Groups
SSL – Users
SSL – User Policies
» Deny/Allow users login
NOTE: This applies to Remote Management access for ALL users, including Administrator access.
» Deny/Allow client access based on Source IP address
» Deny/Allow client access based on web browser
Administrator Settings & Troubleshooting
Administrative Features
Traffic Meter
» Allows you to measure and limit the traffic routed by the router.
» The router will keep a record of the volume of traffic going from the selected interface.
» The router can also be configured to place a restriction on the volume of data being transferred.
Attack Checks
Firewall Logs
Email Logs
Syslog
VPN Logs
Frequently Asked Questions & Known Issues
FAQ
» Does the SSL require any additional VPN software?
• No, the main intention of the SSL VPN is that users do not need to install any client software on their PCs. Users only need a web browser that can support ActiveX or Java.
» How many simultaneous VPN connections does FVS336G support?
• It supports up to 25 IPSec VPN tunnels and 10 SSL VPN tunnels.
» Can I manage the box using a port number different from standard HTTPS port number 443, and use 443 for port-forwarding to an internal web server?
• No, not yet. You need to use standard port number 443 to manage the box via HTTPS. To access internal web server by port 443, please use SSL or IPSEC VPN tunnel access.
» Does the FVS336G have all the features of the SSL312 VPN Concentrator?
• No, the FVS336G SSL VPN only provides full SSL VPN tunnel and Port Forwarding. For full features of the SSL VPN, we recommend that you purchase a standalone SSL312 SSL VPN concentrator.
» Do you need additional hardware to use the SSL VPN feature?
• No, the SSL VPN is part of the software feature available on the FVS336G. You may need an authentication server if you are not using the local user database on the FVS336G.
Known Issues
» Dropped packets are not logged even though they match a firewall rule with the log option turned on.
» Admin and guest login from WAN are enabled by default
» Disabling remote management will disable SSL VPN
» Vonage incoming call from WAN rings, but no voice
» VPN rollover does not work if both WAN interfaces are on the same subnet (not common)
» Inbound rule with second public address on a different subnet from WAN interface address does not work if the traffic is initiated from a host directly on this subnet (not common, normally there is a router in between and that works).
» In Load Balancing mode, a host directly connected to WAN port can ping WAN1, not WAN2 (not a common case, normally there is a router in between and that works).
» In Load Balancing mode, SSL VPN user directly connected to WAN port can establish VPN tunnel to WAN1, not WAN2 (not a common case, normally there is a router in between and that works).
» Login page is not displayed properly if admin comes in via FVX538 inbound rule to log in to the WAN port of FVS336G. (This is a common deployment case.)
» Host names in SSL port forwarding cannot mix upper and lower case letters.
» SSL VPN denial policy does not block ping traffic unless the high port number is blank.
» SSL VPN global policy "edit" button does not display "Service" on the edit web page (the work-around is to delete the policy and recreate it).
» The change password option should be grayed out if SSL VPN user is authenticated via Active Directory, Radius or LDAP. It has no effect.
» Port forwarding https port 443 via a secondary public WAN IP in inbound rule cannot reach internal web server (the work-around is to use SSL VPN to access internal web server).
» PPPoE auto-detect displays "No service detected", although it has already acquired WAN IP address and is functioning.
» When adding an SSL VPN resource, the IP address is not part of the configuration and is only available from the "edit" button.
» Raritan KVM client through SSL Port Forwarding gets disconnected after being idle for a while (the work-around is to use SSL VPN tunnel instead of Port Forwarding).
Thank You!
Q & A