Netgear Incorporated 08200084 ProSafe Wireless-N VPN Firewall User Manual (Full Manual)



Manual part 2

ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual, v1.0, July 2008
Virtual Private Networking Using SSL

3. In the Portal Layout and Theme Name section of the menu, configure the following entries:

   a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name will be part of the path of the SSL VPN portal URL. Only alphanumeric characters, hyphen (-), and underscore (_) are accepted for the Portal Layout Name. If you enter other types of characters or spaces, the layout name will be truncated before the first non-alphanumeric character. Note that unlike most other URLs, this name is case sensitive.

   b. In the Portal Site Title field, enter a title that will appear at the top of the user's web browser window.

   c. To display a banner message to users before they log in to the portal, enter the banner title text in the Banner Title field. Also enter the banner message text in the Banner Message text area. Enter a plain text message or include HTML and JavaScript tags. The maximum length of the login page message is 4096 characters. Select the Display banner message on login page checkbox to show the banner title and banner message text on the Login screen as shown below. As shown in the figure, the banner title text is displayed in the orange header bar. The banner message text is displayed in the grey header bar.

Figure 7-2

Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.com, and you created a portal layout named "sales", then users will be able to access the sub-site at https://vpn.company.com/portal/sales.

   d. Check the Enable HTTP meta tags for cache control checkbox to apply HTTP meta tag cache control directives to this Portal Layout. Cache control directives include:

      <meta http-equiv="pragma" content="no-cache">
      <meta http-equiv="cache-control" content="no-cache">
      <meta http-equiv="cache-control" content="must-revalidate">

      These directives help prevent client browsers from caching SSL VPN portal pages and other web content.

   e. Check the ActiveX web cache cleaner checkbox to load an ActiveX cache control when users log in to the SSL VPN portal.

Figure 7-3

Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user's web browser cache.
The web cache cleaner will prompt the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window. The ActiveX web cache control will be ignored by web browsers that don't support ActiveX.

4. In the SSL VPN Portal Pages to Display section, check the checkboxes for the portal pages you wish users to access. Any pages that are not selected will not be visible from the portal navigation menu. Your choices are:
   • VPN Tunnel. Provides full network connectivity.
   • Port Forwarding. Provides access to specific defined network services.

5. Click Apply to confirm your settings. The "Operation succeeded" message appears at the top of the tab. Your new layout appears in the List of Layouts table.

Configuring Domains, Groups, and Users

Remote users connecting to the SSL firewall must be authenticated before being allowed to access the network. The login window presented to the user requires three items: a User Name, a Password, and a Domain selection. The Domain determines the authentication method to be used and the portal layout that will be presented.

You must create name and password accounts for your SSL VPN users. When you create a user account, you must specify a group. Groups are used to simplify the application of access policies. When you create a group, you must specify a domain. Therefore, you should create any needed domains first, then groups, then user accounts.

To configure Domains, Groups, and Users, see "Adding Authentication Domains, Groups, and Users" on page 8-1.

Configuring Applications for Port Forwarding

Port Forwarding provides access to specific defined network services. To define these services, you must specify the internal addresses and TCP applications (port numbers) that will be intercepted by the Port Forwarding client on the user's PC. The client will reroute this traffic to the firewall.
Adding Servers

To configure Port Forwarding, you must define the internal host machines (servers) and TCP applications available to remote users. To add servers, follow these steps:

1. Select VPN > SSL VPN from the main/submenu, and then select the Port Forwarding tab. The Port Forwarding screen displays.
2. In the Add New Application for Port Forwarding section, enter the IP address of an internal server or host computer.
3. In the TCP Port field, enter the TCP port number of the application to be tunneled. Table 7-1 lists many commonly used TCP applications and port numbers.

Figure 7-4

Table 7-1. Port Forwarding Applications/TCP Port Numbers

TCP Application                    Port Number
FTP Data (usually not needed)      20
FTP Control Protocol               21
SSH (a)                            22
Telnet (a)                         23
SMTP (send mail)                   25
HTTP (web)                         80
POP3 (receive mail)                110
NTP (network time protocol)        123
Citrix                             1494
Terminal Services                  3389
VNC (virtual network computing)    5900 or 5800

a. Users can specify the port number together with the hostname or IP address.

4. Click Add. The "Operation succeeded" message appears at the top of the tab, and the new application entry is listed in the List of Configured Applications.
5. Repeat this process to add other applications for use in Port Forwarding.

Adding a New Host Name

Once the server IP address and port information has been configured, remote users will be able to access the private network servers using Port Forwarding. As a convenience for users, you can also specify host name to IP address resolution for the network servers. Host Name Resolution allows users to access TCP applications at familiar addresses such as mail.example.com or ftp.example.com rather than by IP addresses.

To add a host name for client name resolution, follow these steps:

1. Select the Port Forwarding tab, shown in Figure 7-4.
2. If the server you want to name does not appear in the List of Configured Applications for Port Forwarding, you must add it before you can name it.
3. In the Add New Host Name for Port Forwarding section, enter the IP address of the server you want to name.
4. In the Fully Qualified Domain Name field, enter the full server name.
5. Click Add. The "Operation succeeded" message appears at the top of the tab, and the new entry is listed in the List of Configured Host Names.
Remote users can now securely access network applications once they have logged into the SSL VPN portal and launched Port Forwarding.

Configuring the SSL VPN Client

The SSL VPN Client within the SRXN3205 will assign IP addresses to remote VPN tunnel clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP addresses from the corporate subnet to the remote VPN tunnel clients.

Some additional considerations are:

• So that the virtual (PPP) interface address of a VPN tunnel client does not conflict with addresses on the corporate network, configure an IP address range that does not directly overlap with addresses on your local network. For example, if 192.168.1.1 through 192.168.1.100 are currently assigned to devices on your local network, then start the client address range at 192.168.1.101 or choose an entirely different subnet altogether.
• The VPN tunnel client cannot contact a server on the corporate network if the VPN tunnel client's Ethernet interface shares the same IP address as the server or the firewall (for example, if your laptop has a network interface IP address of 10.0.0.45, then you won't be able to contact a server on the remote network that also has the IP address 10.0.0.45).
• If you assign an entirely different subnet to the VPN tunnel clients than the subnet used by the corporate network, you must:
  – Add a client route to configure the VPN tunnel client to connect to the corporate network using the VPN tunnel.
  – Create a static route on the corporate network's firewall to forward local traffic intended for the VPN tunnel clients to the firewall.
• Select whether you want to enable full tunnel or split tunnel support based on your bandwidth:
  – Full tunnel. Sends all of the client's traffic across the VPN tunnel.
  – Split tunnel. Sends only traffic destined for the corporate network based on the specified client routes. All other traffic is sent to the Internet. Split tunnel allows you to manage your company bandwidth by reserving the VPN tunnel for corporate traffic only.
Configuring the Client IP Address Range

Determine the address range to be assigned to VPN tunnel clients, then define the address range. To configure the client IP address range:

1. Select VPN > SSL VPN from the main/submenu, and then select the SSL VPN Client tab. The SSL VPN Client screen displays.
2. Select Enable Full Tunnel Support unless you want split tunneling.
3. (Optional) Enter a DNS Suffix to be appended to incomplete DNS search strings.
4. Enter Primary and Secondary DNS Server IP addresses to be assigned to the VPN tunnel clients.
5. In the Client Address Range Begin field, enter the first IP address of the IP address range.
6. In the Client Address Range End field, enter the last IP address of the IP address range.
7. Click Apply. The "Operation succeeded" message appears at the top of the tab.

Figure 7-5
VPN tunnel clients are now able to connect to the firewall and receive a virtual IP address in the client address range.

Adding Routes for VPN Tunnel Clients

The VPN tunnel clients assume that the following networks are located across the VPN over the SSL tunnel:

• The subnet containing the client IP address (PPP interface), as determined by the class of the address (Class A, B, or C).
• Subnets specified in the Configured Client Routes table.

If the assigned client IP address range is in a different subnet than the corporate network, or the corporate network has multiple subnets, you must define Client Routes. To add an SSL VPN tunnel client route, follow these steps:

1. Access the SSL VPN Client tab shown in Figure 7-5.
2. In the Add Routes section, enter the Destination Network IP address of a local area network or subnet. For example, enter 192.168.0.0.
3. Enter the appropriate Subnet Mask.
4. Click Add. The "Operation succeeded" message appears at the top of the tab, and the new client route is listed in the Configured Client Routes table.

Restart the firewall if VPN tunnel clients are currently connected. Restarting forces clients to reconnect and receive new addresses and routes.

Note: You must also add a static route on your corporate firewall that directs local traffic destined for the VPN tunnel client address range to the firewall.

Replacing and Deleting Client Routes

If the specifications of an existing route need to be changed, follow these steps:

1. Make a new entry with the correct specifications.
2. In the Configured Client Routes table, click the Delete button in the Action column of the old route.
3. If an existing route is no longer needed for any reason, you can delete it.
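The address-range and routing considerations above can be checked before anything is typed into the SSL VPN Client tab. The following is an added example, not NETGEAR code; it applies the manual's stated rules (no overlap with addresses in use on the LAN, the classful-subnet assumption of the tunnel client, a Client Route for every other corporate subnet, and a static route on the corporate firewall when the client range is a separate subnet) to constructed sample inputs.

```python
"""Planning checks for the SSL VPN client address range (added example, not NETGEAR code)."""
import ipaddress
from typing import Dict, Iterable, List

IPv4 = ipaddress.IPv4Address
Net4 = ipaddress.IPv4Network


def classful_network(addr: str) -> Net4:
    """Subnet a tunnel client assumes is across the tunnel, by the class of its PPP address."""
    ip = IPv4(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8       # Class A
    elif first_octet < 192:
        prefix = 16      # Class B
    elif first_octet < 224:
        prefix = 24      # Class C
    else:
        raise ValueError(f"{addr}: class D/E addresses cannot be assigned to tunnel clients")
    return Net4(f"{ip}/{prefix}", strict=False)


def unreachable_from_client(client_nic_ip: str, corporate_hosts: Iterable[str]) -> List[str]:
    """Corporate hosts the client cannot contact because its own Ethernet NIC has the same address."""
    nic = IPv4(client_nic_ip)
    return [h for h in corporate_hosts if IPv4(h) == nic]


def plan_client_range(corporate_subnets: Iterable[str], lan_assigned: Iterable[str],
                      firewall_lan_ip: str, range_begin: str, range_end: str) -> Dict:
    """Check a proposed Client Address Range and derive the routes it needs.

    corporate_subnets: CIDRs behind the firewall, e.g. ["192.168.1.0/24"].
    lan_assigned:      addresses already in use on the LAN (constructed inventory).
    Returns problems (strings), client_routes (Destination Network CIDRs to add
    under Add Routes) and static_routes (CIDRs the corporate firewall must route
    to the SRXN3205). Empty lists mean nothing is required.
    """
    begin, end = IPv4(range_begin), IPv4(range_end)
    problems: List[str] = []
    if end < begin:
        problems.append("Client Address Range End is lower than Client Address Range Begin")
        return {"problems": problems, "client_routes": [], "static_routes": []}

    # Rule 1: the range must not overlap addresses already assigned on the LAN
    # (the firewall's own LAN address counts as assigned).
    reserved = {IPv4(a) for a in lan_assigned} | {IPv4(firewall_lan_ip)}
    clash = sorted(a for a in reserved if begin <= a <= end)
    if clash:
        problems.append(f"client range overlaps {len(clash)} LAN address(es) in use, first is {clash[0]}")

    # Smallest set of CIDR blocks covering begin..end exactly; these are the
    # destinations of the static route(s) on the corporate firewall.
    client_blocks = list(ipaddress.summarize_address_range(begin, end))

    # Rule 2: the client only assumes its classful subnet is across the tunnel,
    # so every corporate subnet outside that needs a Client Route.
    assumed = classful_network(str(begin))
    nets = [Net4(n) for n in corporate_subnets]
    client_routes = [str(n) for n in nets if not n.subnet_of(assumed)]

    # Rule 3: if the client range does not sit inside a corporate subnet, the
    # corporate firewall needs a static route for it pointing at the SRXN3205.
    same_subnet = any(all(b.subnet_of(n) for b in client_blocks) for n in nets)
    static_routes = [] if same_subnet else [str(b) for b in client_blocks]
    return {"problems": problems, "client_routes": client_routes, "static_routes": static_routes}
```

A range that is not aligned to a CIDR boundary (for example 192.168.200.1 to 192.168.200.254) produces several static-route entries; choosing a whole block keeps the corporate firewall's routing table to one entry.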
Using Network Resource Objects to Simplify Policies

Network resources are groups of IP addresses, IP address ranges, and services. By defining resource objects, you can more quickly create and configure network policies. You will not need to redefine the same set of IP addresses or address ranges when configuring the same access policies for multiple users.

Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, we recommend that you use network resources. If your server or network configuration changes, by using network resources you can perform an update quickly instead of individually updating all of the user and group policies.

Adding New Network Resources

To define a network resource:

1. Select VPN > SSL VPN from the main/submenu, and then select the Resources tab. The Resources screen displays.
2. In the Add New Resource section, type the (qualified) resource name in the Resource Name field.
3. In the Service pull-down menu, select the type of service to apply to the resource: either VPN Tunnel or Port Forwarding.
4. Click Add.

Figure 7-6
The "Operation succeeded" message appears at the top of the tab, and the newly added resource name appears in the List of Resources table.

5. Adjacent to the new resource, click the Edit button. The Add Resource Addresses screen displays.
6. From the Object Type pull-down menu, select either IP Address or IP Network:
   • If you selected IP Address, enter an IP address or fully qualified domain name in the IP Address/Name field.
   • If you selected IP Network, enter the IP network address in the Network Address field. Enter the mask length in the Mask Length (0-31) field.
7. Enter the Port Range or Port Number for the IP Address or IP Network you selected.
8. Click Apply to add the IP address or IP network to the resource. The new configuration appears in the Defined Resource Addresses table, as shown in Figure 7-7.

Figure 7-7

Configuring User, Group, and Global Policies

An administrator can define and apply user, group, and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN services. A specific hierarchy is invoked over which policies take precedence. The firewall policy hierarchy is defined as:

1. User policies take precedence over all group policies.
2. Group policies take precedence over all global policies.
3. If two or more user, group, or global policies are configured, the most specific policy takes precedence. For example, a policy configured for a single IP address takes precedence over a policy configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Hostnames are treated the same as individual IP addresses.

Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration:

• Policy 1: A Deny rule has been configured to block all services to the IP address range 10.0.0.0 – 10.0.0.255.
• Policy 2: A Deny rule has been configured to block FTP access to 10.0.1.2 – 10.0.1.10.
• Policy 3: A Permit rule has been configured to allow FTP access to the predefined network resource, FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5 – 10.0.0.20 and ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies have been configured, if a user attempted to access:

• An FTP server at 10.0.0.1, the user would be blocked by Policy 1.
• An FTP server at 10.0.1.5, the user would be blocked by Policy 2.
• An FTP server at 10.0.0.10, the user would be granted access by Policy 3. The IP address range 10.0.0.5 – 10.0.0.20 is more specific than the IP address range defined in Policy 1.
• An FTP server at ftp.company.com, the user would be granted access by Policy 3. A single host name is more specific than the IP address range configured in Policy 2.

Note: The user would not be able to access ftp.company.com using its IP address 10.0.1.3. The firewall policy engine does not perform reverse DNS lookups.
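The precedence rules above are easy to misjudge when a network resource mixes host names and ranges, so here is an added model of them, not NETGEAR's policy engine: user beats group beats global, then the most specific matching entry wins (a host name counts as a single address), each entry of a network resource is ranked on its own, and host-name entries match only a request made by that name because no reverse DNS lookup is done. The DNS mapping and the three policies are the manual's example, reconstructed here; the behaviour when no policy matches is not stated by the manual, so the function simply returns None.

```python
"""Model of the SSL VPN policy precedence rules (added example, not NETGEAR code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

ALL_SERVICES = "ALL"
SCOPE_RANK = {"user": 0, "group": 1, "global": 2}  # lower rank takes precedence


@dataclass(frozen=True)
class Target:
    """One address entry of a policy: a host name, or an inclusive IP range."""
    host: Optional[str] = None
    first: int = 0
    last: int = 0

    @property
    def size(self) -> int:
        # A host name is treated the same as a single IP address (hierarchy rule 3).
        return 1 if self.host else self.last - self.first + 1


def host_target(name: str) -> Target:
    return Target(host=name.lower())


def ip_target(addr: str) -> Target:
    n = int(ipaddress.IPv4Address(addr))
    return Target(first=n, last=n)


def range_target(begin: str, end: str) -> Target:
    return Target(first=int(ipaddress.IPv4Address(begin)), last=int(ipaddress.IPv4Address(end)))


def network_target(cidr: str) -> Target:
    net = ipaddress.IPv4Network(cidr, strict=False)
    return Target(first=int(net[0]), last=int(net[-1]))


ALL_ADDRESSES = Target(first=0, last=2 ** 32 - 1)  # the "All Addresses" option: least specific


@dataclass(frozen=True)
class Policy:
    name: str
    scope: str                    # "user", "group" or "global"
    action: str                   # "PERMIT" or "DENY"
    service: str                  # e.g. "FTP", or ALL_SERVICES
    targets: Tuple[Target, ...]   # several entries when the policy names a network resource


# Constructed stand-in for forward DNS; the manual's example host and address.
DNS: Dict[str, str] = {"ftp.company.com": "10.0.1.3"}


def evaluate(policies: Sequence[Policy], service: str, destination: str) -> Optional[Tuple[str, str]]:
    """Return (action, policy name) of the winning policy, or None if nothing matches.

    destination is the IP address or host name exactly as the user requested it.
    """
    dest_host: Optional[str] = None
    try:
        dest_ip: Optional[int] = int(ipaddress.IPv4Address(destination))
    except ValueError:
        dest_host = destination.lower()
        dest_ip = int(ipaddress.IPv4Address(DNS[dest_host])) if dest_host in DNS else None

    candidates = []
    for order, pol in enumerate(policies):
        if pol.service not in (ALL_SERVICES, service):
            continue
        for tgt in pol.targets:
            if tgt.host is not None:
                # Host-name entries match only a request made by that name: no reverse lookup.
                hit = dest_host == tgt.host
            else:
                hit = dest_ip is not None and tgt.first <= dest_ip <= tgt.last
            if hit:
                candidates.append((SCOPE_RANK[pol.scope], tgt.size, order, pol))
    if not candidates:
        return None
    # Precedence: scope, then the most specific (smallest) entry, then configuration order.
    _, _, _, winner = min(candidates, key=lambda c: c[:3])
    return winner.action, winner.name


# The manual's three global policies; Policy 3 names the "FTP Servers" network resource.
MANUAL_POLICIES: Tuple[Policy, ...] = (
    Policy("Policy 1", "global", "DENY", ALL_SERVICES, (range_target("10.0.0.0", "10.0.0.255"),)),
    Policy("Policy 2", "global", "DENY", "FTP", (range_target("10.0.1.2", "10.0.1.10"),)),
    Policy("Policy 3", "global", "PERMIT", "FTP",
           (range_target("10.0.0.5", "10.0.0.20"), host_target("ftp.company.com"))),
)
```

Running the four cases from the text against MANUAL_POLICIES reproduces the manual's outcomes, and requesting 10.0.1.3 by address falls through to Policy 2, as the note says.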
Viewing Policies

To view the existing policies, follow these steps:

1. Select VPN > SSL VPN from the main/submenu, and then select the Policies tab. The Policies screen displays.
2. Make your selection from the following Query options:
   • Click Global to view all global policies.
   • Click Group to view group policies, and choose the relevant group's name from the pull-down menu.
   • Click User to view user policies, and choose the relevant user's name from the pull-down menu.
3. Click the Display button. The List of SSL VPN Policies displays the list for your selected Query option. Change the Query selection and click Display again for each of the three queries.

Figure 7-8

Adding a Policy

Note: You should have already created the needed groups or users as described in "Adding Authentication Domains, Groups, and Users" on page 8-1.

To add a policy, follow these steps:

1. Select VPN > SSL VPN from the main/submenu, and select the Policies tab. The Policies screen displays.
2. Make your selection from the following Query options:
   • Click Global if this new policy is to apply to all users and groups.
   • Click Group if this new policy is to be limited to a selected group. Open the pull-down menu and choose the relevant group's name.
   • Click User if this new policy is to be limited to a selected user. Open the pull-down menu and choose the individual user's name.
3. Click Add. The Add Policies screen appears.
4. In the Add SSL VPN Policies section, review the Apply Policy To options and click one. Depending upon your selection, specific options to the right are activated or inactivated, as noted in the following:
   • If you choose Network Resource, you'll need to enter a descriptive Policy Name, then choose a Defined Resource and relevant Permission (PERMIT or DENY) from the pull-down menus.

Figure 7-9
     If a needed network resource has not been defined, you can add it before proceeding with this new policy. See "Adding New Network Resources" on page 7-13.
   • If you choose IP Address, you'll need to enter a descriptive Policy Name and the specific IP Address, then choose the Service and relevant Permission from the pull-down menus.
   • If you choose IP Network, you'll need to enter a descriptive Policy Name, IP Address, and Subnet Mask, then choose the Service and relevant Permission from the pull-down menus.

Figure 7-10

Figure 7-11
   • If you choose All Addresses, you'll need to enter a descriptive Policy Name, then choose the Service and relevant Permission from the pull-down menus.
5. When you are finished making your selections, click Apply. The Policies screen reappears. Your policy goes into effect immediately and is added to the policies in the List of SSL VPN Policies table on this screen.

Figure 7-12

Figure 7-13

Note: In addition to configuring SSL VPN user policies, be sure that HTTPS remote management is enabled. Otherwise, all SSL VPN user connections will be disabled. See "Enabling Remote Management Access" on page 9-10.
Chapter 8
Managing Users, Authentication, and Certificates

This chapter contains the following sections:

• "Adding Authentication Domains, Groups, and Users"
• "Managing Certificates"

Adding Authentication Domains, Groups, and Users

You must create name and password accounts for all users who will connect to the firewall. This includes administrators and SSL VPN clients. Accounts for IPsec VPN clients are only needed if you have enabled Extended Authentication (XAUTH) in your IPsec VPN configuration.

Users connecting to the firewall must be authenticated before being allowed to access the firewall or the VPN-protected network. The login window presented to the user requires three items: a User Name, a Password, and a Domain selection. The Domain determines the authentication method to be used and, for SSL VPN connections, the portal layout that will be presented.

Except in the case of IPsec VPN users, when you create a user account, you must specify a group. When you create a group, you must specify a domain. Therefore, you should create any needed domains first, then groups, then user accounts.

Note: IPsec VPN users will always belong to the default domain (geardomain) and are not assigned to groups.

Creating a Domain

The domain determines the authentication method to be used for associated users. For SSL VPN connections, the domain also determines the portal layout that will be presented, which in turn determines the network resources to which the associated users will have access. To create a domain:

1. Select Users > Domains from the main/submenu. The Domains screen displays.
2. Click Add. The Add Domain screen displays.
3. Configure the following fields:
   a. Enter a descriptive name for the domain in the Domain Name field.
   b. Select the Authentication Type. The required fields are activated in varying combinations according to your selection of Authentication Type:

      Authentication Type    Required Authentication Information Fields
      Local User Database    None
      Radius-PAP             Authentication Server, Authentication Secret
      Radius-CHAP            Authentication Server, Authentication Secret
      Radius-MSCHAP          Authentication Server, Authentication Secret
      Radius-MSCHAPv2        Authentication Server, Authentication Secret
      NT Domain              Authentication Server, Workgroup
      Active Directory       Authentication Server, Active Directory Domain
      LDAP                   Authentication Server, LDAP Base DN

   c. Select a portal to which this domain will be associated.
4. Click Apply to save and apply your entries. The Domains screen displays a new domain row.

Figure 8-1

Figure 8-2

Creating a Group

The use of groups simplifies the configuration of VPN policies when different sets of users will have different restrictions and access controls.

Note: Groups that are defined in the Users menu are used for setting SSL VPN policies. These groups should not be confused with LAN Groups that are defined in the Network | LAN Setup | LAN Groups tab, which are used to simplify firewall policies.

To create a group:

1. Select Users > Groups from the main/submenu. The Groups screen displays.
2. Configure the new group settings in the Add New Group section of the menu:
   a. Name. Enter a descriptive name for the group.
   b. Domain. Select the appropriate domain (only for Administrator or SSL VPN User).
   c. Timeout. For an Administrator, this is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
3. Click Add. The new group appears in the List of Groups, ready for use in user account setup.

Figure 8-3

Creating a New User Account

To add individual user accounts:

1. Select Users > Users from the main/submenu. The Users screen displays.
2. Click Add. The Add User screen displays.
3. Configure the following fields:
   a. User Name. Enter a unique identifier, using any alphanumeric characters.
   b. User Type. Select either Administrator, SSL VPN User, or IPsec VPN User.
   c. Select Group. Select from a list of configured groups. The user will be associated with the domain that is associated with that group.
   d. Password/Confirm Password. The password can contain alphanumeric characters, dash, and underscore.

Figure 8-4

Figure 8-5
   e. Idle Timeout. For an Administrator, this is the period after which an idle user will be automatically logged out of the Web Configuration Manager.
4. Click Apply to save and apply your entries. The new user appears in the List of Users.

Setting User Login Policies

You can restrict the ability of defined users to log into the Web Configuration Manager. You can also require or prohibit logging in from certain IP addresses or using particular browsers.

To configure user login policies:

1. In the Action column of the List of Users table, click Policies adjacent to the user whose policy you want to configure. The Login Policies screen displays.
2. To prohibit this user from logging in to the firewall, select the Disable Login checkbox.
3. To prohibit this user from logging in from the WAN interface, select the Deny Login from WAN Interface checkbox. In this case, the user can log in only from the LAN interface.
4. Click Apply to save your settings.

Note: For security reasons, Deny Login from WAN Interface is checked by default for admin and guest.

Figure 8-6
To restrict logging in based on IP address:

1. Select the by Source IP Address tab. The by Source IP Address screen displays.
2. In the Defined Addresses Status section, select:
   • Deny Login from Defined Addresses to deny logging in from the IP addresses that you will specify.
   • Allow Login only from Defined Addresses to allow logging in only from the IP addresses that you will specify.
3. Click Apply.
4. To specify a single IP address, select IP Address from the Source Address Type pull-down menu and enter the IP address in the Network Address/IP address field.
5. To specify a subnet of IP addresses, select IP Network from the Source Address Type pull-down menu. Enter the network address and netmask length in the Network Address/IP address field.
6. Click Add to move the defined address to the Defined Addresses table.
7. Repeat these steps to add additional addresses or subnets.

Figure 8-7
To restrict logging in based on the user's browser:

1. Select the by Client Browser tab. The by Client Browser screen displays.
2. In the Defined Browsers Status section, select:
   • Deny Login from Defined Browsers to deny logging in from browsers that you will specify.
   • Allow Login only from Defined Browsers to allow logging in only from browsers that you will specify.
3. From the Add Defined Browser section, select a browser from the Client Browser pull-down menu and click Add to move the defined browser to the Defined Browsers table.
4. Repeat these steps to add additional browsers, then click Apply to save your changes.

Figure 8-8
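The three login-policy controls above (Disable Login, Deny Login from WAN Interface, and the Defined Addresses and Defined Browsers lists in their deny or allow-only modes) act together on one login attempt. The following added example, not NETGEAR code, models that combination with constructed sample policies; it assumes, which the manual does not state, that an "Allow Login only from Defined ..." list that is empty admits nobody, which is the lock-out case to watch for when switching modes.

```python
"""Evaluation of per-user login policies (added example, not NETGEAR code)."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

DENY_DEFINED = "Deny Login from Defined"
ALLOW_ONLY_DEFINED = "Allow Login only from Defined"


@dataclass(frozen=True)
class LoginPolicy:
    disable_login: bool = False
    deny_login_from_wan: bool = True           # checked by default for admin and guest
    address_mode: str = DENY_DEFINED           # Defined Addresses Status
    defined_addresses: Tuple[str, ...] = ()    # "IP Address" or "IP Network" entries, e.g. "10.1.2.3", "192.168.1.0/24"
    browser_mode: str = DENY_DEFINED           # Defined Browsers Status
    defined_browsers: Tuple[str, ...] = ()


def _in_defined_addresses(policy: LoginPolicy, source_ip: str) -> bool:
    src = ipaddress.IPv4Address(source_ip)
    # A bare address is treated as a /32, so single entries and subnets share one check.
    return any(src in ipaddress.IPv4Network(entry, strict=False) for entry in policy.defined_addresses)


def login_allowed(policy: LoginPolicy, source_ip: str, interface: str, browser: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one login attempt. interface is "LAN" or "WAN"."""
    if policy.disable_login:
        return False, "Disable Login is set for this user"
    if interface == "WAN" and policy.deny_login_from_wan:
        return False, "Deny Login from WAN Interface is set; log in from the LAN interface"

    listed = _in_defined_addresses(policy, source_ip)
    if policy.address_mode == DENY_DEFINED and listed:
        return False, f"{source_ip} is in the Defined Addresses deny list"
    if policy.address_mode == ALLOW_ONLY_DEFINED and not listed:
        # Assumption: an empty allow-only list matches nothing, so it locks everyone out.
        return False, f"{source_ip} is not in the Defined Addresses allow list"

    listed_browser = browser in policy.defined_browsers
    if policy.browser_mode == DENY_DEFINED and listed_browser:
        return False, f"{browser} is in the Defined Browsers deny list"
    if policy.browser_mode == ALLOW_ONLY_DEFINED and not listed_browser:
        return False, f"{browser} is not in the Defined Browsers allow list"
    return True, "login permitted"
```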
Managing Certificates

The firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A certificate that authenticates a server, for example, is a file that contains:

• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
• A digital signature confirming the identity of the operator of the server. Ideally, the signature is from a trusted third party whose identity can be verified absolutely.

You can obtain a certificate from a well-known commercial Certificate Authority (CA) such as Verisign or Thawte, or you can generate and sign your own certificate. Because a commercial CA takes steps to verify the identity of an applicant, a certificate from a commercial CA provides a strong assurance of the server's identity. A self-signed certificate will trigger a warning from most browsers, as it provides no protection against impersonation of the server.

Your firewall contains a self-signed certificate from NETGEAR. We recommend that you replace this certificate prior to deploying the firewall in your network.

From the VPN > Certificates main menu/submenu, you can view the currently loaded certificates, upload a new certificate, and generate a Certificate Signing Request (CSR). Your firewall will typically hold two types of certificates:

• CA certificate. Each CA issues its own CA identity certificate in order to validate communication with the CA and to verify the validity of certificates signed by the CA.
• Self certificate. The certificate issued to you by a CA identifying your device.

Viewing and Loading CA Certificates

The Trusted Certificates (CA Certificates) table lists the certificates of CAs and contains the following data:

• CA Identity (Subject Name). The organization or person to whom the certificate is issued.
• Issuer Name. The name of the CA that issued the certificate.
• Expiry Time. The date after which the certificate becomes invalid.
To view the VPN certificates, select VPN > Certificates from the main/submenu. The Certificates screen displays. The top section of the Certificates screen displays the Trusted Certificates (CA Certificates).

When you obtain a self certificate from a CA, you will also receive the CA certificate. In addition, many CAs make their certificates available on their websites. To load a CA certificate into your firewall:

1. Store the CA certificate file on your computer.
2. Under Upload Trusted Certificates in the Certificates menu, click Browse and locate the CA certificate file.
3. Click Upload. The CA certificate will appear in the Trusted Certificates (CA Certificates) table.

Figure 8-9

Viewing Active Self Certificates

The Active Self Certificates table in the Certificates screen shows the certificates issued to you by a CA and available for use.

Figure 8-10
ProSafe Wireless-N VPN Firewall SRXN3205 Reference ManualManaging Users, Authentication, and Certificates 8-11v1.0, July 2008For each self certificate, the following data is listed: •Name. The name you used to identify this certificate. •Subject Name. This is the name that other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all of your certificates should have the same value in the Subject field. •Serial Number. This is a serial number maintained by the CA. It is used to identify the certificate with in the CA. •Issuer Name. The name of the CA that issued the certificate. •Expiry Time. The date on which the certificate expires. You should renew the certificate before it expires. Obtaining a Self Certificate from a Certificate AuthorityTo use a self certificate, you must first request the certificate from the CA, then download and activate the certificate on your system. To request a self certificate from a CA, you must generate a Certificate Signing Request (CSR) for your firewall. The CSR is a file containing information about your company and about the device that will hold the certificate. Refer to the CA for guidelines on the information you include in your CSR. To generate a new Certificate Signing Request (CSR) file:1. Locate the Generate Self Certificate Request section of the Certificates screen.2. Configure the following fields: •Name – Enter a descriptive name that will identify this certificate.•Subject – This is the name which other organizations will see as the holder (owner) of the certificate. Since this name will be seen by other organizations, you should use your registered business name or official company name. 
(Using the same name, or a derivation of the name, in the Title field would be useful.)
• From the pull-down menus, choose the following values:
– Hash Algorithm: MD5 or SHA2.
– Signature Algorithm: RSA.
– Signature Key Length: 512, 1024, 2048. (Larger key sizes may improve security, but may also decrease performance.)
3. Complete the Optional fields, if desired, with the following information:
• IP Address – If you have a fixed IP address, you may enter it here. Otherwise, you should leave this field blank.
• Domain Name – If you have an Internet domain name, you can enter it here. Otherwise, you should leave this field blank.
• E-mail Address – Enter the e-mail address of a technical contact in your organization.
4. Click Generate. A new certificate request is created and added to the Self Certificate Requests table.

Figure 8-11

Figure 8-12
5. In the Self Certificate Requests table, click View under the Action column to view the request.
6. Copy the contents of the Data to supply to CA text box into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----”.
7. Submit your certificate request to a CA:
a. Connect to the website of the CA.
b. Start the Self Certificate request procedure.
c. When prompted for the requested data, copy the data from your saved text file (including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE REQUEST-----”).
d. Submit the CA form. If no problems occur, the certificate will be issued.
8. Store the certificate file from the CA on your computer and back up the certificate file from the CA in another location.

Figure 8-13
9. Return to the Certificates screen and locate the Self Certificate Requests section.
10. Select the checkbox next to the certificate request, then click Browse and locate the certificate file on your PC.
11. Click Upload. The certificate file will be uploaded to this device and will appear in the Active Self Certificates list. If you have not already uploaded the CA certificate, do so now, as described under “To load a CA certificate into your firewall” on page 8-10. You should also periodically check your CA’s Certificate Revocation List, as described in “Managing your Certificate Revocation List (CRL)” on page 8-14.

Managing your Certificate Revocation List (CRL)

A CRL file shows certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date. You should obtain the CRL for each CA regularly.

In the Certificates menu, you can view your currently-loaded CRLs and upload a new CRL.

To view and upload CRLs:
1. Select VPN > Certificates from the main/submenu. The Certificates menu will display showing the Certificate Revocation Lists (CRL) table at the bottom of the screen.

Figure 8-14
The CRL table lists your active CAs and their critical release dates:
• CA Identity – The official name of the CA which issued this CRL.
• Last Update – The date when this CRL was released.
• Next Update – The date when the next CRL will be released.
2. Click Browse and locate the CRL file you previously downloaded from a CA.
3. Click Upload. The CRL file will be uploaded and the CA Identity will appear in the Certificate Revocation Lists (CRL) table. If you had a previous CA Identity from the same CA, it will be deleted.

Figure 8-15
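The CSR procedure earlier in this chapter lets you choose MD5 or SHA2 as the hash algorithm and a 512-, 1024- or 2048-bit RSA key. Before the text from the Data to supply to CA box is handed to a CA, it is worth confirming what the firewall actually produced, because a CA will reject a request it cannot accept and the reason is not always obvious from its form. The Python script below is an added example written for this edition of the manual; it is not NETGEAR code and is not part of the firewall. It checks the BEGIN/END framing that step 6 tells you to copy, walks the PKCS#10 structure with a minimal DER reader written only for this example (not a general ASN.1 library), and reports the signature algorithm and key size. The sample CSR it builds for itself is a constructed placeholder with no real key, so the script runs offline; MD5 signatures and RSA keys shorter than 2048 bits are flagged because public CAs no longer accept them.

```python
"""Inspect the CSR text copied from the firewall before it is sent to a CA."""
import base64
import re

# Well-known OIDs (RFC 3279 / RFC 4055); anything else is reported in dotted form.
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption",
             "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", re.S)


def pem_to_der(text):
    """Check the BEGIN/END framing the procedure tells you to copy, then decode the body."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("BEGIN/END CERTIFICATE REQUEST lines are missing or damaged")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def read_tlv(buf, pos):
    """Decode one DER tag-length-value element: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed element's content into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out


def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))


def inspect_csr(pem):
    """PKCS#10: SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature },
    where certificationRequestInfo = SEQUENCE { version, subject, subjectPKInfo, attrs }."""
    tag, body, _ = read_tlv(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("CSR does not start with a SEQUENCE")
    cri, sig_alg = children(body)[:2]
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    pk_alg, pk_bits = children(children(cri[1])[2][1])   # subjectPKInfo members
    pk_oid = decode_oid(children(pk_alg[1])[0][1])
    rsa_key = children(pk_bits[1][1:])[0]                 # skip BIT STRING unused-bits byte
    modulus = int.from_bytes(children(rsa_key[1])[0][1], "big")
    return {"signature": OID_NAMES.get(sig_oid, sig_oid),
            "key_algorithm": OID_NAMES.get(pk_oid, pk_oid),
            "key_bits": modulus.bit_length()}


def csr_warnings(info):
    """Flag the weak choices the Generate Self Certificate Request form still offers."""
    w = []
    if info["signature"] == "md5WithRSAEncryption":
        w.append("MD5 signature: public CAs reject it; choose SHA2")
    if info["key_algorithm"] == "rsaEncryption" and info["key_bits"] < 2048:
        w.append("RSA key shorter than 2048 bits; choose 2048")
    return w


# --- constructed sample CSR (placeholder modulus and signature, not a real key) ---
def _der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 128 else b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return _der(0x06, bytes(out))


def _int(n):
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)


def build_sample_csr(sig_oid="1.2.840.113549.1.1.4", key_bits=1024):
    """Build a structurally valid CSR so the inspector can be exercised offline."""
    def seq(*parts):
        return _der(0x30, b"".join(parts))
    spki = seq(seq(_oid("1.2.840.113549.1.1.1"), _der(0x05, b"")),
               _der(0x03, b"\x00" + seq(_int((1 << (key_bits - 1)) | 1), _int(65537))))
    cri = seq(_int(0), seq(), spki, _der(0xA0, b""))
    csr = seq(cri, seq(_oid(sig_oid), _der(0x05, b"")), _der(0x03, b"\x00" * 65))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(csr).decode()
            + "-----END CERTIFICATE REQUEST-----\n")
```

To use it on a real request, pass the text you saved in step 6 to `inspect_csr()` and then to `csr_warnings()`; an empty warning list means the request carries a SHA2 signature and a 2048-bit key. The script reads the request without validating its signature, so it says what was asked for, not that the request is trustworthy; the CA does that.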
Chapter 9
Firewall and Network Management

This chapter describes how to use the network management features of your ProSafe Wireless-N VPN Firewall. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface.

The ProSafe Wireless-N VPN Firewall offers many tools for managing the network traffic to optimize its performance. You can also control administrator access, be alerted to important events requiring prompt action, monitor the firewall status, perform diagnostics, and manage the firewall configuration file.

This chapter contains the following sections:
• “Performance Management”
• “Changing Passwords and Administrator Settings”
• “Enabling Remote Management Access”
• “Using an SNMP Manager”
• “Settings Backup and Firmware Upgrade”
• “Configuring Time Zone Settings”

Performance Management

Performance management consists of controlling the traffic through the firewall so that the necessary traffic gets through when there is a bottleneck, and either reducing unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks from occurring in the first place. The firewall has the necessary features and tools to help the network manager accomplish these goals.

Bandwidth Capacity

The maximum bandwidth capacity of the firewall in each direction is as follows:
• LAN side: 5000 Mbps (five LAN ports at 1000 Mbps each)
• WAN side: 1000 Mbps (one WAN port at 1000 Mbps)

In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems are used to connect to the Internet. As a result, and depending on the traffic being carried, the WAN side of the firewall will be the limiting factor to throughput for most installations.

Features that Reduce Traffic

Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows:
• Service blocking
• Block sites
• Source MAC filtering

Service Blocking

Warning: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.

You can control specific outbound traffic (from LAN to WAN). Outbound Services lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic.

Each rule lets you specify the desired action for the connections covered by the rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block

As you define your firewall rules, you can further refine the application according to the following criteria:
• LAN Users. These settings determine which computers on your network are affected by this rule. Select the desired options:
– Any. All PCs and devices on your LAN.
– Single address. The rule will be applied to the address of a particular PC.
– Address range. The rule is applied to a range of addresses.
– Groups. The rule is applied to a Group (see “Managing Groups and Hosts (LAN Groups)” on page 3-5 to assign PCs to a Group using the LAN Groups Database).
• WAN Users. These settings determine which Internet locations are covered by the rule, based on the IP address.
– Any. The rule applies to all Internet IP addresses.
– Single address. The rule applies to a single Internet IP address.
– Address range. The rule is applied to a range of Internet IP addresses.
• Services. You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services-Based Rules” on page 5-2 and “Adding Customized Services” on page 5-17).
• Schedule. You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see “Setting Schedules to Block or Allow Traffic” on page 5-20).

See “Using Rules & Services to Block or Allow Traffic” on page 5-2 for the procedure on how to use this feature.

Services

The Rules menu contains a list of predefined Services for creating firewall rules. If a service does not appear in the predefined Services list, you can define the service. The new service will then appear in the Rules menu's Services list. See “Services-Based Rules” on page 5-2 for the procedure on how to use this feature.

Groups and Hosts

You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic. The LAN Groups Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods:
• DHCP Client Request. By default, the DHCP server in this firewall is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the LAN Groups Database.
Because of this, leaving the DHCP server feature (on the LAN screen) enabled is strongly recommended.
• Scanning the Network. The local network is scanned using ARP requests. The ARP scan will detect active devices that are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined, and will appear in the database as Unknown.
• Manual Entry. You can manually enter information about a device.
See “Managing Groups and Hosts (LAN Groups)” on page 3-5 for the procedure on how to use this feature.

Schedule

If you have set firewall rules on the Rules screen, you can configure three different schedules (for example, schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is configured, it affects all Rules that use this schedule. You specify the days of the week and time of day for each schedule.

See “Setting Schedules to Block or Allow Traffic” on page 5-20 for the procedure on how to use this feature.

Block Sites

If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall’s filtering feature. By default, this feature is disabled; all requested traffic from any Web site is allowed.
• Keyword (and Domain Name) Blocking. You can specify up to 32 words that, should they appear in the Web site name (i.e., URL) or in a newsgroup name, will cause that site or newsgroup to be blocked by the VPN firewall.
You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled.
You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs, even in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.
• Web Component blocking. You can block the following Web component types: Proxy, Java, ActiveX, and Cookies.
Sites on the Trusted Domains list are still subject to Web component blocking when the blocking of a particular Web component has been enabled.

See “Setting Block Sites (Content Filtering)” on page 5-21 for the procedure on how to use this feature.

Source MAC Filtering

If you want to reduce outgoing traffic to prevent Internet access by certain PCs on the LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs with the specified MAC addresses. By default, this feature is disabled; all traffic received from PCs with any MAC address is allowed.
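The Block Sites and Source MAC Filtering sections above describe three filters that interact in a way that is easy to get wrong in practice: keyword blocking applies only to the groups it is enabled for, an exact Trusted Domains match bypasses keyword blocking but not Web component blocking, and MAC filtering drops everything from a listed PC once it is switched on. The Python class below is an added example (the editor's illustration, not NETGEAR code and not how the firmware is written) that encodes those decisions so they can be checked against sample requests. It assumes keywords are matched case-insensitively against the whole URL, that the Trusted Domains entry is compared with the URL's host name, and that group names, keywords, domains and MAC addresses are constructed sample values.

```python
"""Decision logic for Block Sites (keywords, Trusted Domains, Web components)
and Source MAC Filtering, as the two sections above describe them."""
from urllib.parse import urlsplit

MAX_KEYWORDS = 32   # limit stated in the Block Sites section


class LanFilter:
    def __init__(self, keywords=(), keyword_groups=(), trusted_domains=(),
                 blocked_components=(), mac_filter_enabled=False, blocked_macs=()):
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords are supported")
        self.keywords = [k.lower() for k in keywords]
        self.keyword_groups = set(keyword_groups)          # groups with blocking enabled
        self.trusted_domains = {d.lower() for d in trusted_domains}
        self.blocked_components = {c.lower() for c in blocked_components}
        self.mac_filter_enabled = mac_filter_enabled        # disabled by default
        self.blocked_macs = {m.lower() for m in blocked_macs}

    def check_source_mac(self, mac):
        """Source MAC filtering drops everything from a listed MAC, once enabled."""
        if self.mac_filter_enabled and mac.lower() in self.blocked_macs:
            return "drop", "source MAC is on the filter list"
        return "allow", "source MAC not filtered"

    def check_url(self, url, group):
        """Keyword blocking applies only to enabled groups; an exact Trusted Domains
        match bypasses it for the whole site (assumption: compared with the URL host)."""
        if group not in self.keyword_groups:
            return "allow", "keyword blocking not enabled for group %s" % group
        host = (urlsplit(url).hostname or "").lower()
        if host in self.trusted_domains:
            return "allow", "trusted domain %s" % host
        hit = next((k for k in self.keywords if k in url.lower()), None)
        if hit is not None:
            return "block", "keyword '%s' matched" % hit
        return "allow", "no keyword matched"

    def check_component(self, component):
        """Web component blocking is not bypassed by the Trusted Domains list."""
        if component.lower() in self.blocked_components:
            return "block", "%s is blocked" % component
        return "allow", "component permitted"

    def decide(self, mac, group, url, components=()):
        """Apply the filters in order; the first drop or block wins."""
        verdicts = [self.check_source_mac(mac), self.check_url(url, group)]
        verdicts += [self.check_component(c) for c in components]
        for verdict in verdicts:
            if verdict[0] != "allow":
                return verdict
        return "allow", "permitted by all filters"


# Constructed configuration for the example (sample values, not from a real device)
EXAMPLE = LanFilter(
    keywords=["casino", "gambling"], keyword_groups=["Group1"],
    trusted_domains=["www.casinoreview.example"], blocked_components=["ActiveX"],
    mac_filter_enabled=True, blocked_macs=["00:11:22:33:44:55"])
```

Calling `EXAMPLE.decide(mac, group, url, components)` returns the verdict and the reason, which is the useful part when a user reports that a site is blocked or, more worryingly, reachable when it should not be: the trusted-domain bypass in particular is exact-match only, so `casinoreview.example` without the `www.` prefix would still be subject to the keyword list.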
See “Enabling Source MAC Filtering (Address Filter)” on page 5-24 for the procedure on how to use this feature.

Features that Increase Traffic

Features that tend to increase WAN-side loading are as follows:
• Port forwarding
• Port triggering
• Exposed hosts
• VPN tunnels

Port Forwarding

Warning: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.

The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (i.e., the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic.

You can control specific inbound traffic (from WAN to LAN). Inbound Services lists all existing rules for inbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule blocks all inbound traffic.

Each rule lets you specify the desired action for the connections covered by the rule:
• BLOCK always
• ALLOW always
• BLOCK by schedule, otherwise allow
• ALLOW by schedule, otherwise block

You can also enable a check on special rules:
• VPN Passthrough. Passes the VPN traffic without any filtering; especially used when this firewall is between two VPN tunnel end points.
• Drop fragmented IP packets. Drops any fragmented IP packets.
• UDP Flooding. Limits the number of UDP sessions created from one LAN machine.
• TCP Flooding. Protects the firewall from SYN flood attacks.
• Enable DNS Proxy. Allows the firewall to handle DNS queries from the LAN.
• Enable Stealth Mode. Prevents the firewall from responding to incoming requests for unsupported services.

As you define your firewall rules, you can further refine the application according to the following criteria:
• LAN Users. These settings determine which computers on your network are affected by this rule. Select the desired IP Address in this field.
• WAN Users. These settings determine which Internet locations are covered by the rule, based on the IP address.
– Any: The rule applies to all Internet IP addresses.
– Single address: The rule applies to a single Internet IP address.
– Address range: The rule is applied to a range of Internet IP addresses.
• Destination Address. These settings determine the destination IP address for this rule, which will be applicable to incoming traffic. This rule will be applied only when the destination IP address of the incoming packet matches the IP address of the WAN interface. Selecting ANY enables the rule for any LAN IP destination.
• Services. You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 5-17).
• Schedule. You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or Schedule 3 time schedule (see “Setting Schedules to Block or Allow Traffic” on page 5-20).

See “Using Rules & Services to Block or Allow Traffic” on page 5-2 for the procedure on how to use this feature.

Port Triggering

Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the application.
Once configured, port triggering operates as follows:
• A PC makes an outgoing connection using a port number defined in the Port Triggering table.
• This firewall records this connection, opens the additional INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
• The remote system receives the PC’s request and responds using the different port numbers that you have now opened.
• This firewall matches the response to the previous request and forwards the response to the PC. Without port triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.
– Only one PC can use a port triggering application at any time.
– After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated.

See “Enabling Port Triggering” on page 5-28 for the procedure on how to use this feature.

VPN Tunnels

The VPN firewall permits up to 5 IPsec VPN tunnels and 3 SSL VPN tunnels, not to exceed 8 total tunnels at a time. Each tunnel requires extensive processing for encryption and authentication.

See Chapter 6, “Virtual Private Networking Using IPsec” for the procedures on how to use IPsec VPN, and Chapter 7, “Virtual Private Networking Using SSL” for the procedures on how to use SSL VPN.

Using QoS to Shift the Traffic Mix

The QoS priority settings determine the priority and, in turn, the quality of service for the traffic passing through the firewall. The QoS is set individually for each service.
• You can accept the default priority defined by the service itself by not changing its QoS setting.
• You can change the priority to a higher or lower value than its default setting to give the service higher or lower priority than it otherwise would have.

The QoS priority settings conform to the IEEE 802.1D-1998 (formerly 802.1p) standard for class of service tag. You will not change the WAN bandwidth used by changing any QoS priority settings.
But you will change the mix of traffic through the WAN port by granting some services a higher priority than others. The quality of a service is impacted by its QoS setting, however.

See “Setting Quality of Service (QoS) Priorities” on page 5-19 for the procedure on how to use this feature.
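The Service Blocking and Port Forwarding sections earlier in this chapter list the same four rule actions, the LAN Users and WAN Users selectors, and the three schedules, but the manual does not show how they combine for a given connection. The Python example below is an added illustration written for this edition (it is not NETGEAR firmware code) that evaluates outbound and inbound rules under those semantics. It assumes that rules are checked top-down with the first match deciding (the manual does not state the order), covers the Any, single address and address range selectors (Group membership would resolve to one of those), and ties the two "by schedule" actions to day-of-week and time-of-day windows as described under Schedule. The addresses, service names and schedule windows are constructed sample values.

```python
"""Evaluate outbound/inbound service rules the way the Service Blocking and Port
Forwarding sections describe them: four actions, three schedules, LAN/WAN selectors."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address
from typing import Optional


@dataclass
class Schedule:
    days: set          # weekdays the schedule is active, Monday=0 ... Sunday=6
    start: time        # daily window [start, end)
    end: time

    def active(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass
class Rule:
    service: str                     # a name from the Services list, or "ANY"
    action: str                      # one of the four actions in ACTIONS
    lan_users: str = "Any"           # "Any", one address, or "first-last" range
    wan_users: str = "Any"
    schedule: Optional[str] = None   # "Schedule 1" .. "Schedule 3"


ACTIONS = {
    "BLOCK always": lambda on_schedule: "BLOCK",
    "ALLOW always": lambda on_schedule: "ALLOW",
    "BLOCK by schedule, otherwise Allow": lambda on_schedule: "BLOCK" if on_schedule else "ALLOW",
    "ALLOW by schedule, otherwise Block": lambda on_schedule: "ALLOW" if on_schedule else "BLOCK",
}


def in_scope(selector, ip):
    """Match an address against the Any / single address / address range selectors."""
    if selector == "Any":
        return True
    if "-" in selector:
        low, high = (ip_address(p.strip()) for p in selector.split("-", 1))
        return low <= ip_address(ip) <= high
    return ip_address(selector) == ip_address(ip)


def evaluate(rules, schedules, direction, lan_ip, wan_ip, service, when):
    """First matching rule decides (assumed top-down order); with no match the default
    rule applies: outbound traffic is allowed, inbound traffic is blocked."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for rule in rules:
        if (rule.service in ("ANY", service) and in_scope(rule.lan_users, lan_ip)
                and in_scope(rule.wan_users, wan_ip)):
            on_schedule = rule.schedule is not None and schedules[rule.schedule].active(when)
            return ACTIONS[rule.action](on_schedule)
    return "ALLOW" if direction == "outbound" else "BLOCK"


# Constructed sample policy (addresses and windows invented for the example):
# office hours Monday-Friday, web browsing blocked from one LAN range during them,
# and HTTPS to the LAN accepted only from one remote address range.
SCHEDULES = {"Schedule 1": Schedule({0, 1, 2, 3, 4}, time(9, 0), time(17, 0))}
OUTBOUND = [Rule("HTTP", "BLOCK by schedule, otherwise Allow",
                 lan_users="192.168.1.10-192.168.1.50", schedule="Schedule 1")]
INBOUND = [Rule("HTTPS", "ALLOW always", wan_users="203.0.113.0-203.0.113.255")]
```

The point to take from running it is the asymmetry of the defaults: an outbound connection that matches no rule is allowed, an inbound one is blocked, so a rule list that is accidentally emptied opens the LAN outward but not inward. The "by schedule" actions flip only while the schedule is active, which is why the schedule's day set and time window need to be checked against the firewall's own clock (see Configuring Time Zone Settings later in this chapter).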
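The Port Triggering section above describes the firewall's behaviour in prose: an outgoing connection to a trigger port opens the entry's incoming ports for that PC, only one PC may hold an entry at a time, and a time-out must pass before another PC can use it. The Python simulation below is an added example written for this edition (not NETGEAR code; the firewall's real state table is not published) that reproduces those three rules so they can be traced step by step. The trigger entry, port numbers and time-out are constructed sample values, and it assumes that any traffic matching the entry refreshes its timer.

```python
"""Simulate the port triggering state the firewall keeps, including the
one-PC-at-a-time rule and the time-out described in the section above."""
from dataclasses import dataclass


@dataclass
class Trigger:
    name: str
    outgoing_port: int        # port the LAN PC connects to on the remote system
    incoming_ports: tuple     # additional INCOMING ports opened back to that PC


class PortTriggering:
    def __init__(self, triggers, timeout):
        self.by_outgoing = {t.outgoing_port: t for t in triggers}
        self.by_incoming = {p: t for t in triggers for p in t.incoming_ports}
        self.timeout = timeout            # seconds after which another PC may use the entry
        self.owner = {}                   # trigger name -> (lan_ip, time of last use)

    def outbound(self, lan_ip, dst_port, now):
        """A LAN connection to a trigger port opens the entry's incoming ports for that PC.
        Returns True if the entry is now held by lan_ip, False if this is an ordinary
        connection or another PC still holds the entry."""
        trigger = self.by_outgoing.get(dst_port)
        if trigger is None:
            return False
        holder = self.owner.get(trigger.name)
        if holder and holder[0] != lan_ip and now - holder[1] < self.timeout:
            return False                  # only one PC at a time, until the time-out passes
        self.owner[trigger.name] = (lan_ip, now)
        return True

    def inbound(self, dst_port, now):
        """Return the LAN IP an inbound connection is forwarded to, or None, in which
        case it is handled by the Port Forwarding rules instead."""
        trigger = self.by_incoming.get(dst_port)
        holder = self.owner.get(trigger.name) if trigger else None
        if holder and now - holder[1] < self.timeout:
            self.owner[trigger.name] = (holder[0], now)   # assumption: traffic keeps the entry alive
            return holder[0]
        return None


# Constructed sample entry (ports chosen for the example, not taken from a real application)
SAMPLE = [Trigger("voice-app", outgoing_port=6112, incoming_ports=(6113, 6114))]
```

Walking a second PC through `outbound()` while the first still holds the entry shows why the manual warns that only one PC can use a port triggering application at a time, and why a long time-out leaves the incoming ports open to the first PC well after it has finished.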
Tools for Traffic Management

The ProSafe Wireless-N VPN Firewall includes several tools that can be used to monitor the traffic conditions of the firewall and control who has access to the Internet and the types of traffic each individual is allowed to have. See “Monitoring System Performance” on page 11-1 for a discussion of the tools.

Changing Passwords and Administrator Settings

The default administrator and guest password for the Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. You can also configure a separate password for the guest account.

To modify the Administrator user account settings, including password:
1. Select Users > Users from the main/submenu and the List of Users screen displays.
2. Select the checkbox adjacent to admin in the Name column, then click Edit in the Action column.

Figure 9-1
ProSafe Wireless-N VPN Firewall SRXN3205 Reference ManualFirewall and Network Management 9-9v1.0, July 2008The Edit User screen is displayed, with the current settings for Administrator displayed in the Select User Type pull-down menu.3. Select the Check to Edit Password checkbox. The password fields become active. 4. Enter the old password, then enter the new password twice. 5. (Optional) To change the idle timeout for an administrator login session, enter a new number of minutes in the Idle Timeout field. 6. Click Apply to save your settings or Reset to return to your previous settings. Figure 9-2OKNote: If the administrator login timeout value is too large, you may have to wait a long time before you are able to log back into the firewall if your previous login was disrupted (for example, if you did not click Logout on the Main Menu bar to log out).Note: After a factory default reset, the password and timeout value will be changed back to password and 5 minutes, respectively.
Enabling Remote Management Access

Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your firewall. You must be logged in locally to enable remote management (see “Logging into the Security Router” on page 2-2).

Note: Be sure to change the default configuration password of the firewall to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters. See “Changing Passwords and Administrator Settings” on page 9-8 for the procedure on how to do this.

To configure your firewall for Remote Management:
1. Select Administration > Remote Management from the main/submenu. The Remote Management screen displays.
2. Click the Yes radio box to enable HTTPS remote management (enabled by default).
3. Click Apply to have your changes take effect.

When accessing your firewall from the Internet, the Secure Sockets Layer (SSL) will be enabled. You will enter https:// (not http://) and type your firewall’s WAN IP address into your browser. For example, if your WAN IP address is 172.16.0.123, type the following in your browser:

Figure 9-3

Note: For enhanced security, restrict access to as few external IP addresses as practical. See “Setting User Login Policies” on page 8-6 for instructions on restricting administrator access. Be sure to use strong passwords.
https://172.16.0.123

The firewall’s remote login URL is https://<IP_address> or https://<FullyQualifiedDomainName>.

Note: To maintain security, the SRXN3205 will reject a login that uses http://address rather than the SSL https://address.

Note: The first time you remotely connect to the SRXN3205 with a browser via SSL, you may get a warning message regarding the SSL certificate. If you are using a Windows computer with Internet Explorer 5.5 or higher, simply click Yes to accept the certificate.

Note: If you are unable to remotely connect to the SRXN3205 after enabling HTTPS remote management, check whether other user policies, such as the default user policy, are preventing access.

Note: If you disable HTTPS remote management, all SSL VPN user connections will also be disabled.

Tip: If you are using a dynamic DNS service such as TZO, you can identify the WAN IP address of your SRXN3205 by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert SRXN3205.mynetgear.net, and the WAN IP address that your ISP assigned to the SRXN3205 is displayed.

Using an SNMP Manager

Simple Network Management Protocol (SNMP) lets you monitor and manage your firewall from an SNMP Manager. It provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. The SNMP Configuration table lists the SNMP configurations by:
• IP Address. The IP address of the SNMP manager.
• Port. The trap port of the configuration.
• Community. The trap community string of the configuration.

To create a new SNMP configuration entry:
1. Select Administration > SNMP from the main/submenu and the SNMP screen displays.
2. Configure the following fields in the Create New SNMP Configuration Entry section:
• Enter the IP Address of the SNMP manager in the IP Address field and the Subnet Mask in the Subnet Mask field.
– If you want to allow only the host address to access the VPN firewall and receive traps, enter an IP Address of, for example, 192.168.1.101 with a Subnet Mask of 255.255.255.255.
– If you want to allow a subnet access to the VPN firewall through SNMP, enter an IP address of, for example, 192.168.1.101 with a Subnet Mask of 255.255.255.0. The traps will still be received on 192.168.1.101, but the entire subnet will have access through the community string.
– If you want to make the VPN firewall globally accessible using the community string, but still receive traps on the host, enter 0.0.0.0 as the Subnet Mask and an IP Address for where the traps will be received.
• Enter the trap port number of the configuration in the Port field. The default is 162.
• Enter the trap community string of the configuration in the Community field.
3. Click Add to create the new configuration. The entry is displayed in the SNMP Configuration table.

Figure 9-4
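The three IP Address / Subnet Mask cases in step 2 have two separate effects that are easy to conflate: the pair defines which source addresses may talk SNMP to the firewall, while the IP Address alone is where traps are sent. The Python example below is an added illustration for this edition (not NETGEAR code and not the firmware's implementation) that models an SNMP Configuration entry with exactly those semantics, using the addresses from the manual and a constructed community string. It is worth noting when choosing the 0.0.0.0 mask that a community string in SNMPv1/v2c is sent in clear text and is the only credential, so that setting admits any source that has learned the string.

```python
"""Access-control semantics of an SNMP Configuration entry: the IP Address / Subnet
Mask pair decides which managers may query the device; the IP Address alone
(with the Port) is where traps go."""
from ipaddress import ip_address, ip_network


class SnmpEntry:
    def __init__(self, ip, subnet_mask, community, port=162):
        self.trap_receiver = ip_address(ip)
        self.trap_port = port
        self.community = community
        # 255.255.255.255 gives a /32 (this host only), 255.255.255.0 a /24, and
        # 0.0.0.0 gives 0.0.0.0/0: any source that knows the community string.
        self.allowed = ip_network(f"{ip}/{subnet_mask}", strict=False)

    def permits(self, source_ip, community):
        """True if this entry lets source_ip query the firewall with this community."""
        return ip_address(source_ip) in self.allowed and community == self.community


def manager_allowed(entries, source_ip, community):
    """Any configured entry that admits the manager and community string is enough."""
    return any(e.permits(source_ip, community) for e in entries)


def trap_targets(entries):
    """Traps always go to the configured IP Address and Port, never to the whole subnet."""
    return sorted({(str(e.trap_receiver), e.trap_port) for e in entries})


# Entries for the three cases in step 2 (addresses from the manual, community constructed)
HOST_ONLY = SnmpEntry("192.168.1.101", "255.255.255.255", "nms-ro")
SUBNET = SnmpEntry("192.168.1.101", "255.255.255.0", "nms-ro")
GLOBAL = SnmpEntry("192.168.1.101", "0.0.0.0", "nms-ro")
```

`trap_targets()` returns the same single receiver for all three entries, which is the point of the manual's remark that traps are still received on 192.168.1.101 even when the whole subnet is granted access.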
The SNMP System Info link, located in the upper right of the screen, opens the SNMP SysConfiguration screen. This screen displays the VPN firewall identification information available to the SNMP manager: System Contact, System Location, and System name. You can edit these values.

Settings Backup and Firmware Upgrade

Once you have installed the VPN firewall and have it working properly, you should back up a copy of your settings, in case something gets corrupted. When you back up the settings, these are saved as a file on your computer. You can then restore the VPN firewall settings from this file.

The Settings Backup and Firmware Upgrade screen allows you to:
• Back up and save a copy of your current settings.
• Restore saved settings from the backed-up file.
• Revert to the factory default settings.
• Upgrade the VPN firewall firmware from a saved file on your hard disk to use a different firmware version.

Backup and Restore Settings

To back up settings:
1. Select Administration > Settings Backup and Firmware Upgrade from the main/submenu. The Settings Backup and Firmware Upgrade screen displays.

Figure 9-5
2. Click Backup to save a copy of your current settings.
• If your browser isn’t set up to save downloaded files automatically, locate where you want to save the file, specify the file name, and click Save.
• If you have your browser set up to save downloaded files automatically, the file will be saved to your browser’s download location on the hard disk.

To restore settings from a backup file:
1. Next to Restore saved settings from file, click the Browse button.
2. Locate and select the previously saved backup file (by default, netgear.cfg).
3. When you have located the file, click the Restore button. An Alert page will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.

To reset the firewall to the original factory default settings, click the Default button. You must manually restart the VPN firewall for the default settings to take effect. After rebooting, the firewall’s password will be password and the LAN IP address will be 192.168.1.1. The VPN firewall will act as a DHCP server on the LAN, to the wireless clients, and act as a DHCP client to the Internet.

Router Upgrade

You can install a different version of the VPN firewall firmware from the Settings Backup and Firmware Upgrade menu. To view the current version of the firmware that your VPN firewall is running, choose Monitoring from the main menu. The Router Status screen is displayed, showing all of the VPN firewall router statistics, including the firmware version. When you upgrade your firmware, the new firmware version will be displayed.

To download a firmware version:
1. Go to the NETGEAR Web site at http://www.netgear.com/support and click Downloads.

Warning: Once you start restoring settings or erasing the firewall, do NOT interrupt the process.
Do not try to go online, turn off the firewall, shut down the computer or do anything else to the firewall until it finishes restarting!

Warning: When you click Default, your firewall settings will be erased. All firewall rules, VPN policies, LAN/WAN settings and other settings will be lost. Please back up your settings or all your settings will be lost!
2. From the Product Selection pull-down menu, choose the SRXN3205. Select the software version and follow the To Install steps to download your software.

After downloading an upgrade file, you may need to unzip (uncompress) it before upgrading the firewall. If release notes are included in the download, read them before continuing.

To upgrade the router software:
1. Select Administration > Settings Backup and Firmware Upgrade from the main/submenu.
2. In the Router Upgrade section, click Browse.
3. Locate the downloaded file and click Upload. This will start the software upgrade to your VPN firewall. This may take some time. At the conclusion of the upgrade, your firewall will reboot.
4. After the VPN firewall has rebooted, click Monitoring and confirm the new firmware version to verify that your firewall now has the new software installed.

Warning: Do not try to go online, turn off the firewall, shut down the computer or do anything else to the firewall until the firewall finishes the upgrade! When the Test light turns off, wait a few more seconds before doing anything.

Note: In some cases, such as a major upgrade, it may be necessary to erase the configuration and manually reconfigure your firewall after upgrading it. Refer to the release notes included with the software to find out if this is required.

Configuring Time Zone Settings

The Time Zone screen provides settings for Date, Time and NTP server designations. The Network Time Protocol (NTP) is used to synchronize computer clock times in a network of computers.

To set Time, Date and NTP servers:
1. Select Administration > Time Zone from the main/submenu. The Time Zone screen displays.
2. From the Date/Time pull-down menu, choose the Local Time Zone. This is required for scheduling to work correctly. The VPN firewall includes a real-time clock (RTC), which it uses for scheduling.
3. If supported in your region, click Automatically Adjust for Daylight Savings Time.
4. Select an NTP Server option:
• Use Default NTP Servers. The RTC is updated regularly by contacting a Netgear NTP server on the Internet. A primary and secondary (backup) server are preloaded.
• Use Custom NTP Servers. If you prefer to use a particular NTP server, enter the name or IP address of the NTP Server in the Server 1 Name/IP Address field. You can enter the address of a backup NTP server in the Server 2 Name/IP Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the default Netgear NTP servers.
5. Click Apply to save your settings.

Figure 9-6

Note: If you select the default NTP servers or if you enter a custom server FQDN, the firewall must determine the IP address of the NTP server by a DNS lookup. You must configure a DNS server address in the Network menu before the firewall can perform this lookup.
Chapter 11
Monitoring System Performance

This chapter describes the full set of system monitoring features of your ProSafe Wireless-N Security Router. You can be alerted to important events such as WAN port rollover, WAN traffic limits reached, and login failures and attacks. You can also view status information about the firewall, WAN port, LAN ports, and VPN tunnels.

This chapter contains the following sections:
• “Enabling the Traffic Meter”
• “Activating Notification of Events and Alerts”
• “Viewing Firewall Logs”
• “Viewing Router Configuration and System Status”
• “Monitoring the WAN Port Status”
• “Monitoring Attached Devices”
• “Reviewing the DHCP Log”
• “Monitoring Active Users”
• “Viewing Port Triggering Status”
• “Monitoring VPN Tunnel Connection Status”
• “Reviewing the VPN Logs”

Enabling the Traffic Meter

If your ISP charges by traffic volume over a given period of time, or if you want to study traffic types over a period of time, you can activate the Traffic Meter for the WAN port.

To monitor traffic limits on the WAN port:
1. Select Monitoring > Traffic Meter from the main/submenu, and then the WAN Traffic Meter tab. The WAN Traffic Meter screen will display.
2. Enable the traffic meter by clicking the Yes radio box under Do you want to enable Traffic Metering on WAN? The traffic meter will record the volume of Internet traffic passing through the WAN. Select the following options:
• No Limit. No restrictions will be applied when the traffic limit is reached.
• Download only. The specified restrictions will be applied to the incoming traffic only.
• Both Directions. The specified restrictions will be applied to both incoming and outgoing traffic.
• Monthly Limit. Enter the monthly volume limit and select the desired behavior when the limit is reached.
Figure 11-1
• Increase this month limit by. Temporarily increase the Traffic Limit if you have reached the monthly limit but need to continue accessing the Internet. Select the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so that the increase is only applied once.)
• This month limit. Displays the limit for the current month.
3. In the Traffic Counter section, make your traffic counter selections:
• Restart Traffic Counter Now. Select this option and click Apply to restart the Traffic Counter immediately.
• Restart Traffic Counter at Specific Time. Restart the Traffic Counter at a specific time and day of the month. Fill in the time fields and choose AM or PM and the day of the month from the pull-down menus.
• Send e-mail report before restarting counter. An e-mail report will be sent immediately before restarting the counter. You must configure the E-mail screen in order for this function to work (see “E-Mail Notifications of Event Logs and Alerts” on page 5-33).
4. In the When limit is reached section, make the following choice:
• Block all traffic. All access to and from the Internet will be blocked.
• Block all traffic except E-mail. Only e-mail traffic will be allowed. All other traffic will be blocked.
• Send E-mail alert. You must configure the E-mail screen in order for this function to work. Go to the Firewall Logs & E-mail tab to set this up.
5. Click Apply to save your settings.
The Internet Traffic Statistics section displays statistics on Internet traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available.
6. Click the Traffic by Protocol link, in the upper right header, to see a report of the Internet traffic by type. The volume of traffic for each protocol will be displayed in a popup window.
Traffic counters are updated in MB; the counter starts only when at least 1 MB of traffic has passed.
Note: Both incoming and outgoing traffic are included in the limit.
Activating Notification of Events and Alerts

The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified e-mail address. For example, your security router will log security-related events such as: accepted and dropped packets on different segments of your LAN; denied incoming and outgoing service requests; hacker probes and login attempts; and other general information based on the settings you input on the Firewall Logs & E-mail menu. In addition, if you have set up Content Filtering on the Block Sites screen (see “Setting Block Sites (Content Filtering)” on page 5-21), a log will be generated when someone on your network tries to access a blocked site.

You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs by clicking the View Logs option arrow to the right of the tab. Selecting all events will increase the size of the log, so it is good practice to select only those events which are required.

To configure logging and notifications:
1. Select Monitoring from the main menu and Firewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen displays.
2. Enter the name of the log in the Log Identifier field. Log Identifier is a mandatory field used to identify which device sent the log messages. The identifier is appended to log messages.
3. In the Routing Logs section, select the network segments for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
4. In the System Logs section, select the type of system events to be logged.
5. Check Yes to enable E-mail Logs. Then enter:
a. E-mail Server address. Enter either the IP address or Internet name of your ISP’s outgoing E-mail SMTP server. If you leave this box blank, no logs will be sent to you.
b. Return E-mail Address. Enter an e-mail address to appear as the sender.
c. Send To E-mail Address. Enter the e-mail address where the logs and alerts should be sent. You must use the full e-mail address (for example, jsmith@example.com).
6. No Authentication is selected by default. If your SMTP server requires user authentication, select the required authentication type: either Login Plain or CRAM-MD5. Then enter the user name and password to be used for authentication.
7. To respond to IDENT protocol messages, check the Respond to Identd from SMTP Server radio box. The Ident Protocol is a weak scheme to verify the sender of e-mail (a common daemon program for providing the ident service is identd).
Figure 11-2
8. Enter a Schedule for sending the logs. From the Unit pull-down menu, choose: Never, Hourly, Daily, or Weekly. Then set the Day and Time fields that correspond to your selection.
9. You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click Yes to enable SysLogs and send messages to the syslog server, then:
a. Enter your SysLog Server IP address.
b. Select the appropriate syslog facility from the SysLog Facility pull-down menu. The syslog severity levels are described in the table below.
10. Click Apply to save your settings.

Viewing Firewall Logs

To view the Firewall logs:
1. Select Monitoring from the main menu and Firewall Logs & E-mail in the submenu. The Firewall Logs & E-mail screen displays.
2. Click the View Log link in the upper right-hand section of the screen. The Logs screen is displayed.
3. If the E-mail Logs option has been enabled, you can send a copy of the log by clicking Send Log.
4. Click Refresh Log to retrieve the latest update; click Clear Log to delete all entries.

Numerical Code  Severity
0               Emergency: System is unusable
1               Alert: Action must be taken immediately
2               Critical: Critical conditions
3               Error: Error conditions
4               Warning: Warning conditions
5               Notice: Normal but significant conditions
6               Informational: Informational messages
7               Debug: Debug level messages
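Once the firewall forwards to a syslog server (step 9), the receiving side has to recover the facility chosen in the SysLog Facility menu and the severity from the table above out of each message's PRI field. The following is an added example, not code from the manual or from NETGEAR, of that decoding plus a filter that flags messages tagged with the firewall's Log Identifier at Warning or more severe; the facility local1, the identifier SRXN3205-office and the sample message text are constructed assumptions.

```python
"""Decode and triage syslog messages forwarded by the firewall.

Added example; not code from the SRXN3205 manual or from NETGEAR.
The severity table (0 Emergency ... 7 Debug) is the one the manual lists.
The sample messages below are constructed: the facility (local1), the
Log Identifier "SRXN3205-office" and the message text are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity codes as given in the manual's table (also RFC 3164).
SEVERITY = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug",
}

# RFC 3164 framing: the message starts with "<PRI>", where
# PRI = facility * 8 + severity, and PRI is at most 191 (23 * 8 + 7).
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


@dataclass
class SyslogEntry:
    facility: int
    severity: int
    message: str

    @property
    def severity_name(self) -> str:
        return SEVERITY[self.severity]

    @property
    def facility_name(self) -> str:
        # Only the local0..local7 range (codes 16..23) is named here.
        if 16 <= self.facility <= 23:
            return f"local{self.facility - 16}"
        return str(self.facility)


def parse_syslog(line: str) -> Optional[SyslogEntry]:
    """Split the PRI field into facility and severity.

    Returns None for lines with no PRI or an out-of-range PRI, so the
    collector can count what it had to drop instead of mis-filing it.
    """
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return SyslogEntry(facility=pri // 8, severity=pri % 8,
                       message=m.group(2).strip())


def needs_attention(entry: SyslogEntry, log_identifier: str,
                    threshold: int = 4) -> bool:
    """True when the message carries this firewall's Log Identifier and its
    severity code is at most `threshold` (default 4 = Warning; lower codes
    are more severe)."""
    return log_identifier in entry.message and entry.severity <= threshold


def triage(lines: List[str], log_identifier: str,
           threshold: int = 4) -> Tuple[List[SyslogEntry], int]:
    """Return (entries that need attention, count of unparseable lines)."""
    flagged: List[SyslogEntry] = []
    dropped = 0
    for line in lines:
        entry = parse_syslog(line)
        if entry is None:
            dropped += 1
        elif needs_attention(entry, log_identifier, threshold):
            flagged.append(entry)
    return flagged, dropped


# Constructed sample input (not captured from a real device).
# local1 = facility 17, so PRI = 17 * 8 + severity.
SAMPLE_LINES = [
    "<140>Jul 21 10:15:02 SRXN3205-office [LAN-WAN] dropped packet",          # 140 = Warning
    "<137>Jul 21 10:15:09 SRXN3205-office admin login failure 192.168.1.23",  # 137 = Alert
    "<142>Jul 21 10:16:00 SRXN3205-office DHCP lease 192.168.1.50 renewed",   # 142 = Informational
    "<141>Jul 21 10:16:30 other-device something noteworthy",                 # 141 = Notice, other sender
    "<300>Jul 21 10:17:00 SRXN3205-office PRI out of range",                  # rejected
    "Jul 21 10:17:05 line without a PRI field",                               # rejected
]

if __name__ == "__main__":
    flagged, dropped = triage(SAMPLE_LINES, "SRXN3205-office")
    for e in flagged:
        print(f"{e.facility_name} {e.severity_name:13} {e.message}")
    print(f"{dropped} line(s) could not be parsed")
```

Raising `threshold` to 6 includes Notice and Informational entries, which is what you would do while checking that the Routing Logs selections in step 3 actually produce traffic.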
Log entries are described in Table 11-1.

Table 11-1. Firewall Logs Field Descriptions
Field                           Description
Date and Time                   The date and time the log entry was recorded.
Description or Action           The type of event and what action was taken, if any.
Source IP                       The IP address of the initiating device for this log entry.
Source port and interface       The service port number of the initiating device, and whether it originated from the LAN or WAN.
Destination                     The name or IP address of the destination device or Web site.
Destination port and interface  The service port number of the destination device, and whether it’s on the LAN or WAN.

Viewing Router Configuration and System Status

The Router Status screen provides status and usage information. To view the router configuration and system status:
1. Select Monitoring from the main menu and Router Status in the submenu. The Router Status screen is displayed.
The following information is displayed:
Figure 11-3

Item               Description
System Name        This is the Account Name that you entered in the Basic Settings page.
Firmware Version   This is the current software the router is using. This will change if you upgrade your router.
LAN Port           Displays the current settings for MAC address, IP address, DHCP role and IP Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None.
WAN Configuration  Indicates whether the WAN Mode is Single, Dual, or Rollover, and whether the WAN State is UP or DOWN. It also displays:
                   • NAT: Enabled or Disabled.
                   • Connection Type: DHCP enabled or disabled.
                   • Connection State
                   • WAN IP Address
                   • Subnet Mask
                   • Gateway Address
                   • Primary and Secondary DNS Server Addresses
                   • MAC Address.

Note: The Router Status screen displays current settings and statistics for your router. As this information is read-only, any changes must be made on other pages.

Monitoring the WAN Port Status

You can monitor the status of the WAN connection, the Dynamic DNS Server connection, and the DHCP Server connection. To monitor the status of the WAN port:
1. Select Network Configuration from the main menu and WAN Settings in the submenu. The WAN ISP Settings screen is displayed.
2. Click the WAN Status link in the upper right-hand section of the screen. The Connection Status popup window displays a status report on the WAN port. See Figure 12-4.
Monitoring Attached Devices

The LAN Groups screen contains a table of all IP devices that the security router has discovered on the local network. To view the LAN Groups screen:
1. Select Network Configuration from the main menu and LAN Settings in the submenu.
2. Then select the LAN Groups tab and the LAN Groups screen displays.
3. The Known PCs and Devices database is an automatically maintained list of LAN-attached devices. PCs and other LAN devices become known by the following methods:
• DHCP Client Requests. By default, the DHCP server in the router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the database. Because of this, leaving the DHCP Server feature enabled (in the LAN Setup menu) is strongly recommended.
• Scanning the Network. The local network is scanned using standard methods such as ARP. The scan will detect active devices that are not DHCP clients. However, sometimes the name of the PC or device cannot be accurately determined and will be shown as unknown.
• Manually Adding Devices. You can enter information in the Add Known PCs and Devices section and click Add to manually add a device to the database.
Figure 11-4
The Known PCs and Devices table lists all current entries in the LAN Groups database. For each PC or device, the following data is displayed:
Figure 11-5

Table 11-2. Known PCs and Devices options
Item         Description
Name         The name of the PC or device. Sometimes this cannot be determined, and will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
IP Address   The current IP address. For DHCP clients, where the IP address is allocated by the DHCP Server in this device, this IP address will not change. Where the IP address is set on the PC (as a fixed IP address), you may need to update this entry manually if the IP address on the PC is changed.
MAC Address  The MAC address of the PC. The MAC address is a low-level network identifier which is fixed at manufacture.
Group        Each PC or device must be in a single group. The Group column indicates which group each entry is in. By default, all entries are in Group1.

Note: If the security router is rebooted, the table data is lost until the security router rediscovers the devices.
Reviewing the DHCP Log

To review the most recent entries in the DHCP log:
1. Select Network Configuration > LAN Setup from the main/submenu, and then click the LAN Setup tab. The LAN Setup screen displays.
2. Click the DHCP Log link to the right of the tabs. The DHCP Log appears in a popup window.
3. To view the most recent entries, click refresh. To delete all the existing log entries, click clear log.
Figure 11-6
Figure 11-7
Monitoring Active Users

The Active Users screen displays a list of administrators and SSL VPN users currently logged into the device. To display the list of active users:
1. Select Monitoring > Active Users from the main/submenu. The Active Users screen is displayed. The active user’s username, group, and IP address are listed in the table with a timestamp indicating the time and date that the user logged in.
2. You can disconnect an active user by clicking Disconnect to the right of the user’s list entry.

Viewing Port Triggering Status

To view the status of Port Triggering:
1. Select Security > Port Triggering from the main/submenu. The Port Triggering screen displays.
Figure 11-8
2. When the Port Triggering screen is displayed, click the Status link to the right of the tab to display the Port Triggering Status. The status window displays the following information:
Figure 11-9
Figure 11-10

Item            Description
Rule            The name of the port triggering rule associated with this entry.
LAN IP Address  The IP address of the PC currently using this rule.
Open Ports      The incoming ports which are associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
Time Remaining  The time remaining before this rule is released and made available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received.
Monitoring VPN Tunnel Connection Status

To review the status of current VPN tunnels:
1. Select VPN > Connection Status from the main/submenu, and then select the IPsec VPN Connection Status tab. The IPsec Connection Status screen displays. The Active IPsec SAs table lists each active connection with the following information.
Figure 11-11

Item          Description
Policy Name   The name of the VPN policy associated with this SA.
Endpoint      The IP address on the remote VPN endpoint.
Tx (KB)       The amount of data transmitted over this SA.
Tx (Packets)  The number of IP packets transmitted over this SA.
State         The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase.
Action        Use this button to terminate/build the SA (connection) if required.

2. Select the SSL VPN Connection Status tab and the SSL VPN Connection Status screen displays.
Figure 11-12
The active SSL VPN user’s username, group, and IP address are listed in the table with a timestamp indicating the time and date that the user connected.
3. You can disconnect an active SSL VPN user by clicking Disconnect to the right of the user’s list entry.

Reviewing the VPN Logs

The VPN Logs screen gives log details for recent VPN activity.
1. Select Monitoring > VPN Logs from the main/submenu, and select the IPsec VPN Logs tab. The IPsec VPN Logs screen displays.
2. To view the most recent entries, click refresh log.
3. To delete all the existing log entries, click clear log.
4. Select the SSL VPN Logs tab to view SSL VPN log details.
Figure 11-13
Chapter 12
Troubleshooting

This chapter provides troubleshooting tips and information for your ProSafe Wireless-N VPN Firewall. After each problem description, instructions are provided to help you diagnose and solve the problem.

This chapter contains the following sections:
• “Basic Functions”
• “Troubleshooting the Web Configuration Interface”
• “Troubleshooting the ISP Connection”
• “Troubleshooting a TCP/IP Network Using a Ping Utility”
• “Restoring the Default Configuration and Password”
• “Problems with Date and Time”
• “Diagnostics Functions”

Basic Functions

After you turn on power to the VPN firewall, the following sequence of events should occur:
1. When power is first applied, verify the PWR LED is on.
2. After approximately two minutes, verify:
a. The TEST LED is not lit.
b. The LAN port LINK/ACT LEDs are lit for any local ports connected.
c. The WAN port LINK/ACT LEDs are lit on the WAN port.
If a port’s LINK/ACT LED is lit, a link has been established to the connected device. If a LAN port is connected to a 1000 Mbps device, verify the port’s SPEED LED is green. If the port is 100 Mbps, the LED will be amber. If the port is 10 Mbps, the LED will be off.
If any of these conditions does not occur, refer to the appropriate following section.
Power LED Not On

If the Power and other LEDs are off when your VPN firewall is turned on:
• Verify the power adapter cord is properly connected to your VPN firewall and the power adapter is properly connected to a functioning power outlet.
• Verify you are using the 12VDC, 1.5A power adapter supplied by NETGEAR for this product.
If the error persists, you have a hardware problem and should contact technical support.

LEDs Never Turn Off

When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall.
If all LEDs are still on one minute after power up:
• Cycle the power to see if the firewall recovers.
• Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.1.1. This procedure is explained in “Restoring the Default Configuration and Password” on page 12-7.
If the error persists, you might have a hardware problem and should contact technical support.

LAN or WAN Port LEDs Not On

If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following:
• Verify the Ethernet cable connections are secure at the firewall and at the hub or workstation.
• Verify the power is turned on to the connected workstation.
• Ensure you are using the correct cable: when connecting the firewall’s Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.

Troubleshooting the Web Configuration Interface

If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the firewall as described in the previous section.
• Ensure your PC’s IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.1.2 to 192.168.1.254.
• If your firewall’s IP address has been changed and you don’t know the current IP address, clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.1.1. This procedure is explained in “Restoring the Default Configuration and Password” on page 12-7.
• Ensure you are using the SSL https://address login rather than http://address.
• Ensure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.
• Try quitting the browser and launching it again.
• Ensure you are using the correct login information. The factory default login name is admin and the password is password. Verify CAPS LOCK is off when entering this information.

If the firewall does not save changes you have made in the Web Configuration Interface, check the following:
• When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.

Note: If your PC’s IP address is shown as 169.254.x.x: Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the firewall and reboot your PC.

Tip: If you don’t want to revert to the factory default settings and lose your configuration settings, you can reboot the firewall and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the firewall’s LAN interface address.
Troubleshooting the ISP Connection

If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.

To check the WAN IP address:
1. Launch your browser and navigate to an external site such as www.netgear.com.
2. Access the Main Menu of the firewall’s configuration at https://192.168.1.1.
3. Under the Monitoring menu, click Router Status.
4. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.

If your firewall is unable to obtain an IP address from the ISP, you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure:
1. Turn off power to the cable or DSL modem.
2. Turn off power to your firewall.
3. Wait five minutes and reapply power to the cable or DSL modem.
4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to your firewall.

If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following:
• Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
• If your ISP requires a login, you may have incorrectly set the login name and password.
• Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu.
• Your ISP only allows one Ethernet MAC address to connect to the Internet, and may check for your PC’s MAC address. In this case:
– Inform your ISP that you have bought a new network device, and ask them to use the firewall’s MAC address; or
– Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring the Internet Connection” on page 2-7.

If your firewall can obtain an IP address, but your PC is unable to load any Web pages from the Internet:
• Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. You may configure your PC manually with DNS addresses, as explained in your operating system documentation.
• Your PC may not have the firewall configured as its TCP/IP gateway.

Troubleshooting a TCP/IP Network Using a Ping Utility

Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the Ping utility in your PC or workstation.

Testing the LAN Path to Your VPN Firewall

You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly.
To ping the firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click Start and choose Run.
2. In the field provided, type “ping” followed by the IP address of the firewall; for example:
ping 192.168.1.1
3. Click OK. A message similar to the following should display:
Pinging <IP address> with 32 bytes of data
If the path is working, you will see this message:
Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
If the path is not working, you will see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections
– Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or WAN Port LEDs Not On” on page 12-2.
– Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
• Wrong network configuration
– Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation.
– Verify that the IP addresses for your firewall and your workstation are correct and that the addresses are on the same subnet.

Testing the Path from Your PC to a Remote Device

After verifying the LAN path works correctly, test the path from your PC to a remote device. From the Windows Run menu, type:
PING -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP’s DNS server.
If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
– Verify your PC has the IP address of your firewall listed as the default gateway. If the IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC’s Network Control Panel.
– Verify the network address of your PC (the portion of the IP address specified by the netmask) is different from the network address of the remote device.
– Verify your cable or DSL modem is connected and functioning.
– If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu.
– Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your firewall to “clone” or “spoof” the MAC address from the authorized PC. Refer to “Manually Configuring the Internet Connection” on page 2-7.
Restoring the Default Configuration and Password

This section explains how to restore the factory default configuration settings, changing the VPN firewall’s administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways:
• Use the Erase function of the VPN firewall (see “Settings Backup and Firmware Upgrade” on page 9-13).
• Use the reset button (Factory Defaults) on the front panel of the VPN firewall. Use this method for cases when the administration password or IP address is not known.
To restore the factory default configuration settings without knowing the administration password or IP address, you must use the reset button on the rear panel of the VPN firewall.

To restore the factory defaults:
1. Press and hold the Factory Defaults (reset button) until the Test LED turns on and begins to blink (about 10 seconds). Use a slender pointed object, such as an ink pen or paper clip, to press and hold the reset button (Factory Defaults).
2. Release the reset button (Factory Defaults) and wait for the VPN firewall to reboot.

Problems with Date and Time

The Administration > Time Zone menu displays the current date and time of day. The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:
• Date shown is January 1, 2000. Cause: The VPN firewall has not yet successfully reached a Network Time Server. Verify your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes and check the date and time again.
• Time is off by one hour. Cause: The VPN firewall does not automatically sense Daylight Savings Time. Check the Time Zone menu, and check or uncheck the box marked “Adjust for Daylight Savings Time”.
Diagnostics Functions

You can perform diagnostics such as pinging an IP address, performing a DNS lookup, displaying the routing table, rebooting the VPN firewall, and capturing packets.
1. Select Monitoring > Diagnostics from the main/submenu. The Diagnostics screen displays.
2. View the selections available in the Diagnostics screen and browse the descriptions listed in Table 12-1, “Diagnostics”.
Note: For normal operation, diagnostics are not required.
Figure 12-1
Table 12-1. Diagnostics
Item                         Description
Ping or trace an IP address  Ping: Used to send a ping packet request to a specified IP address, most often to test a connection. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results will be displayed in a new screen; click “Back” on the Windows menu bar to return to the Diagnostics screen. If the specified address is intended to be reached through a VPN tunnel, check Ping through VPN tunnel.
                             Traceroute: Lists all routers between the source (this device) and the destination IP address. The traceroute results will be displayed in a new screen; click “Back” on the Windows menu bar to return to the Diagnostics screen.
Perform a DNS lookup         A DNS (Domain Name Server) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other server on the Internet, you can request a DNS lookup to find the IP address.
Display the routing table    This operation will display the internal routing table, which can be used by Technical Support to diagnose routing problems.
Reboot the firewall          Used to perform a remote reboot (restart). You can use this if the firewall seems to have become unstable or is not operating normally. Note: Rebooting will break any existing connections either to the firewall (such as your management session) or through the firewall (for example, LAN users accessing the Internet). However, connections to the Internet will automatically be re-established when possible.
Packet trace                 Packet Trace selects the interface and starts the packet capture on that interface.
ProSafe Wireless-N Security Router SRXN3205 Reference Manual – Default Settings and Technical Specifications A-1 – v1.0, July 2008

Appendix A
Default Settings and Technical Specifications

You can use the reset button located on the rear panel to reset all settings to their factory defaults. This is called a hard reset.

• To perform a hard reset, press and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly). Your device will return to the factory configuration settings shown in Table A-1 below.
• Pressing the reset button for a shorter period of time will simply cause your device to reboot.

Table A-1. Router Default Configuration Settings

Feature – Default Behavior

Router Login
  User Login URL: https://192.168.1.1
  User Name (case sensitive): admin
  Login Password (case sensitive): password

Internet Connection
  WAN MAC Address: Use Default address
  WAN MTU Size: 1500
  Port Speed: AutoSense

Local Network (LAN)
  LAN IP Address: 192.168.1.1
  Subnet Mask: 255.255.255.0
  RIP Direction: None
  RIP Version: Disabled
  RIP Authentication: Disabled
  DHCP Server: Enabled
  DHCP Starting IP Address: 192.168.1.2
  DHCP Ending IP Address: 192.168.1.100

Management
  Time Zone: GMT
  Time Zone Adjusted for Daylight Saving Time: Disabled
  SNMP: Disabled
  Remote Management: Disabled

Firewall
  Inbound (communications coming in from the Internet): Denied
  Outbound (communications from the LAN to the Internet): Allowed (all)
  Source MAC filtering: Disabled
  Stealth Mode: Enabled

Technical specifications for the ProSafe Wireless-N Security Router are listed in the following table.

Table A-2. Router Technical Specifications

Feature – Specifications

Network Protocol and Standards Compatibility
  Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)

Power Adapter
  North America: 120V, 60 Hz, input
  United Kingdom, Australia: 240V, 50 Hz, input
  Europe: 230V, 50 Hz, input
  Japan: 100V, 50/60 Hz, input

Physical Specifications
  Dimensions: 1.7 x 10 x 7.2 in.
  Weight: 2 kg (4.5 lb)

Environmental Specifications
  Operating temperature: 0° to 40° C (32° to 104° F)
  Operating humidity: 90% maximum relative humidity, noncondensing

Electromagnetic Emissions
  Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B

Interface Specifications
  LAN: 10BASE-T, 100BASE-Tx or 1000BASE-T, RJ-45
  WAN: 10BASE-T, 100BASE-Tx or 1000BASE-T, RJ-45

Table A-3. SSL VPN Technical Specifications

Parameter – Specification

  Network Management: Web-based configuration and status monitoring
  Concurrent Users Supported: 10 tunnels
  Encryption: DES, 3DES, AES, MD5, SHA-1
  Authentication: Local User database, RADIUS, LDAP, MS Active Directory
  Certificates supported: X.509, CRL
  Electromagnetic Compliance: FCC Part 15 Class B, CE, and C-TICK
  Environmental Specifications: Operating temperature: 0 to 50° C; Operating humidity: 5-95%, non-condensing
Appendix B
Related Documents

This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product.

Document – Link
  Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm
  Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm
  Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm
  Virtual Private Networking (VPN): http://documentation.netgear.com/reference/enu/vpn/index.htm
  Glossary: http://documentation.netgear.com/reference/enu/glossary/index.htm