NETGEAR CONFIDENTIAL FVX538 ProSafe VPN Firewall 200.


Main Features
- 8 10/100 ports and 1 gigabit LAN port.
- One console port.
- SNMP support (optimized for NMS100) SNMPv2.
- QoS traffic prioritization.
- Hardware DMZ.
- Security co-processor for optimized throughput performance, 90+ Mbps WAN-LAN and up to 100 Mbps 3DES throughput.
- SPI Firewall and multi-NAT.
- Supports 200 VPN tunnels.
- Includes VPN client software with 5-user license.
- Rack-mountable.
- Future upgradability to SSL VPN, IDS, anti-virus, anti-spam and anti-spyware security measures.

ProSafe Firewalls Comparison
Front Panel
Rear Panel
Bottom Label
Console - CLI
GUI
Username: admin Password: password

WAN Setup - WAN 1 ISP
Setup Wizard
WAN Status
WAN Setup - WAN 2 ISP
WAN Setup - Mode
WAN Setup - Protocol Binding
WAN Setup - Options
28Kbps to 100Mbps
WAN Setup - Dynamic DNS
WAN Setup - Traffic Meter
WAN Setup - Traffic Meter Statistic by Protocol

Security - Groups and Hosts
Security - Groups and Hosts Add
Security - Groups and Hosts Edit Group Names
Security - Source MAC Filter
Security - Block Sites
Security - Rules
Security - Rules Outbound Services
Security - Rules Inbound Services
Security - Services
Security - Schedule
Security - Logs ands
Security - View Log
Security - Logs ands Logs and Syslog

VPN - VPN Wizard Box-to-box
VPN - VPN Wizard Box-to-box Result:
VPN - VPN Wizard Client-to-box
VPN - VPN Wizard Client-to-box
VPN - VPN Status
VPN - IKE Policies
VPN - IKE Policies - Add
VPN - VPN Policies
VPN - VPN Policies Add Auto Policy
VPN - VPN Policies Add Manual Policy
VPN - CAs
VPN - Certificates
VPN - CRL

Maintenance - Router Status
Maintenance - Router Status Show Statistics
Maintenance - Set Password
Maintenance - Remote management
Maintenance - SNMP
Maintenance - Diagnostics
Maintenance - Backup Settings
Maintenance - Router Upgrade

Advanced - LAN Setup
Advanced - LAN Setups Multi-Home LAN IP Setups
Advanced - DMZ Setups

Port Triggering
Once configured, operation is as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. This Router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC's request, and responds using a different port number.
4. This Router matches the response to the previous request, and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)

Port Triggering Note
- Only 1 PC can use a "Port Triggering" application at any time.
- After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
- Normally used for games and chat.

Advanced - Port Triggering
Advanced - Static Routes
Knowledge Base / Documentation
Troubleshooting

FAQ#1
How does the FVX538 support QoS?
The FVX538 prioritizes the routing of a packet through the router according to the TOS bit in the packet's layer 3 header. For a particular service, you can override the packet's specified priority by selecting a different priority in the Services menu, Inbound Rules or Outbound Rules. Changing the priority setting will affect the priority given to the packet by the router, but will not actually alter the TOS bits in the packet.

FAQ#2
When I use load balancing through two ISPs, I have problems sending, getting DNS, or using my ISP's news server.
When your ISP provides services such as, DNS, or newsgroups, it may require that requests for service originate from an IP address within its domain. If you require one of these services from a particular ISP, you should use your router's Protocol Binding feature to make sure your requests always use the WAN port connected to that ISP.

FAQ#3
My ISP has provided me with a range of public IP addresses. How can I assign them to servers behind the FVX538?
When you configure the ISP Settings of your router, assign one IP address as the WAN address to be used by your PCs as the main NAT address for general traffic. In the DMZ Setup menu, you can assign the additional public IP addresses to individual PCs on either your LAN or DMZ (if you have activated port 8 as your DMZ port). To allow inbound traffic to reach one of these PCs, you must create an Inbound Rule for the desired service and set the rule's Destination Address to the public IP address assigned to that PC.

FAQ#4
My ISP has provided me with a range of public IP addresses. How can I assign them to servers behind the FVX538?
When you configure the ISP Settings of your router, assign one IP address as the WAN address to be used by your PCs as the main NAT address for general traffic. In the DMZ Setup menu, you can assign the additional public IP addresses to individual PCs on either your LAN or DMZ (if you have activated port 8 as your DMZ port). To allow inbound traffic to reach one of these PCs, you must create an Inbound Rule for the desired service and set the rule's Destination Address to the public IP address assigned to that PC. (This feature cannot be used when load balancing is selected.)

FAQ#5
Is the VPN policy created by the VPN Wizard compatible with other Netgear VPN routers?
The VPN Wizard will create a compatible configuration with our other products when using fixed IP addresses. When using FQDN, some modifications will be necessary after running the wizard. Please refer to our VPN application notes for detailed information.

Known Issues at initial release
- VPN performance is low (about 25M).
- Can't make VPN using WAN2 when PPPoE.
- Dynamic DNS configuration does not save.
- Sometimes the DHCP server stops after changing the LAN IP. Need to reboot.
- VPN Wizard not compatible with other models when using FQDN. The generated policy needs to be edited in order to work with FVS328, FVL328.
- Upon fail-over, no alert or log entry occurs to notify the user.
- DMZ Setup: user must visit the Groups and Hosts menu first before the PC will display.
- VPN status menu connect and drop buttons do not work.
- VPN in PPPoE environment can't ping gateway's LAN IP.
- VPN policies created with the VPN Wizard will not work if the remote side is FQDN.
- Statistics window does not correctly show line up or down. It always says the WAN port is up. The LED is correct.
- CLI not supported, won't save settings (READ-only). Console gets a Linux OS shell. Need to type cli to log in. Separate KB articles.
- Can access CLI/GUI by telnet using guest/password, can't change password.
- Client-to-box VPN: need to append one to three characters after the policy name.
- Logging entries are not useful.
- Sometimes the last VPN policy does not appear in the menu.
- Setup Wizard and Apply button can't reliably detect or apply in DHCP ISP environment. Dynamic or static. Manual setup works.
- Load-balancing protocol binding does not work. Bind an application to a particular WAN.
- Disabling a VPN policy does not drop an active tunnel.
- Can't edit a VPN policy to change the LAN subnet.
- An attempt to access a blocked site is not logged.

Fixes with firmware v
- VPN throughput increased.
- Number of simultaneous sessions increased.
- Guest password can now be changed separately.
- Default gateway is now shown in routing table.
- Fixed: When WAN2 is primary and in PPPoE mode, VPN tunnel can't pass traffic.
- Fixed: VPN traffic stops under heavy traffic.
- Removed One-to-one NAT table and Exposed Host, since these functions can be performed with inbound rules.
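
The Port Triggering operation and note described earlier in this transcript, modelled as a small state table. This is an added example, not NETGEAR firmware code; it shows which inbound packets are forwarded to which PC, including the one-PC-at-a-time rule and the time-out. The class and function names, port numbers, LAN addresses, the 600-second value and the choice of an idle timer refreshed by matching traffic are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class TriggerRule:
    trigger_ports: range           # outgoing ports that arm the rule
    incoming_ports: range          # inbound ports opened while the rule is held
    owner: Optional[str] = None    # LAN PC currently holding the rule
    last_seen: float = 0.0         # time of the last packet matched to the rule

class PortTriggerTable:
    def __init__(self, rules, timeout):
        self.rules = rules
        self.timeout = timeout     # assumed idle time-out, in seconds

    def _expire(self, rule, now):
        # The router cannot tell when the application ended, so the rule is
        # released only after `timeout` seconds without matching traffic.
        if rule.owner is not None and now - rule.last_seen >= self.timeout:
            rule.owner = None

    def outbound(self, pc, dst_port, now):
        """Steps 1-2. True if `pc` holds the matching rule after this packet."""
        for rule in self.rules:
            if dst_port in rule.trigger_ports:
                self._expire(rule, now)
                if rule.owner in (None, pc):
                    rule.owner, rule.last_seen = pc, now
                    return True
                return False       # only one PC may hold the rule at a time
        return False               # not a trigger port

    def inbound(self, dst_port, now):
        """Steps 3-4. LAN PC to forward to, or None (fall through to other rules)."""
        for rule in self.rules:
            if dst_port in rule.incoming_ports:
                self._expire(rule, now)
                if rule.owner is not None:
                    rule.last_seen = now
                    return rule.owner
        return None

def demo():
    # Constructed rule: outgoing port 6000 opens inbound ports 7000-7010.
    table = PortTriggerTable([TriggerRule(range(6000, 6001), range(7000, 7011))], 600)
    return [table.inbound(7005, 0), table.outbound("192.168.1.10", 6000, 1),
            table.inbound(7005, 2), table.outbound("192.168.1.20", 6000, 3),
            table.outbound("192.168.1.20", 6000, 602), table.inbound(7005, 603)]
```

In `demo()`, the inbound packet before any trigger is not forwarded, the second PC is refused while the first holds the rule, and it takes the rule over only once 600 seconds have passed since the last matching packet.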