Chapter 4:
Firewall Protection and Content Filtering
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
To enable IP/MAC address binding enforcement and alerts:
1. Select Security > Address Filter from the menu.
2. Select the IP/MAC Binding tab to display the Source MAC Filter screen.
3. In the Email IP/MAC Violations section of the screen, check the Yes radio button to enable IP/MAC address binding enforcement and alerts. E-mail alerts must be enabled (see “E-Mail Notifications of Event Logs and Alerts” on page 68).
4. Click Apply.
5. To add a manual binding entry, enter the following data in the Add IP/MAC Bindings section:
   a. Enter a Name for the bound host device.
   b. Enter the MAC Address and IP Address to be bound. A valid MAC address is six colon-separated pairs of hexadecimal digits (0 to 9 and a to f). For example: 01:23:45:ab:cd:ef.
   c. From the pull-down list, select whether dropped packets should be logged to a special counter.
6. Click Apply. The specified binding will be added to the IP/MAC Bindings table.
To see the counter that shows the packets that were dropped because of IP-MAC binding violations and to set the poll interval, click the Set Poll Interval link at the top of the IP/MAC Binding screen.
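The following is an added illustration of what the IP/MAC binding table above enforces; it is not the firewall's own code. It validates MAC addresses in the form the binding screen accepts, keeps a binding table, and classifies constructed sample packets as accepted or dropped, incrementing a "special counter" only for entries whose log-dropped-packets option is set. The enforcement semantics (a packet whose source IP or source MAC matches an entry must match that entry on both fields) are an assumption made for the example, as are the hostnames, addresses and packets.

```python
"""IP/MAC binding enforcement, modelled on the Security > Address Filter >
IP/MAC Binding feature. Added example, not code from the FVS336Gv2 firmware.
The binding entries and the packets below are constructed sample data."""
import re
from dataclasses import dataclass, field

# Six colon-separated pairs of hexadecimal digits, as the manual describes.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def is_valid_mac(mac: str) -> bool:
    """True if mac is in the form the binding screen accepts (case-insensitive)."""
    return MAC_RE.match(mac.lower()) is not None


@dataclass
class Binding:
    name: str
    mac: str
    ip: str
    log_to_counter: bool = True  # the pull-down "log dropped packets to a special counter"


@dataclass
class BindingTable:
    by_ip: dict = field(default_factory=dict)
    by_mac: dict = field(default_factory=dict)
    dropped_counter: int = 0      # the counter shown via the Set Poll Interval link
    alerts: list = field(default_factory=list)  # what the e-mail alert would report

    def add(self, name: str, mac: str, ip: str, log_to_counter: bool = True) -> Binding:
        if not is_valid_mac(mac):
            raise ValueError(f"invalid MAC address: {mac!r}")
        entry = Binding(name, mac.lower(), ip, log_to_counter)
        self.by_ip[ip] = entry
        self.by_mac[entry.mac] = entry
        return entry

    def check(self, src_ip: str, src_mac: str) -> str:
        """Return 'accept' or 'drop' for one packet. Assumed semantics: if either the
        source IP or the source MAC is bound, the packet must match that entry on both."""
        src_mac = src_mac.lower()
        bound = self.by_ip.get(src_ip) or self.by_mac.get(src_mac)
        if bound is None:
            return "accept"  # unbound host: binding enforcement does not apply
        if bound.ip == src_ip and bound.mac == src_mac:
            return "accept"
        if bound.log_to_counter:
            self.dropped_counter += 1
        self.alerts.append(
            f"IP/MAC violation: {src_ip} from {src_mac} "
            f"(bound entry {bound.name}: {bound.ip}/{bound.mac})")
        return "drop"


def run_sample():
    """Constructed scenario: two bindings, five packets; returns the verdicts,
    the dropped-packet counter and the number of alerts generated."""
    table = BindingTable()
    table.add("file-server", "01:23:45:ab:cd:ef", "192.168.1.10")
    table.add("printer", "00:11:22:33:44:55", "192.168.1.20", log_to_counter=False)
    packets = [  # (src_ip, src_mac), constructed
        ("192.168.1.10", "01:23:45:AB:CD:EF"),  # correct pair (case-insensitive) -> accept
        ("192.168.1.10", "de:ad:be:ef:00:01"),  # bound IP from another MAC -> drop, counted
        ("192.168.1.99", "01:23:45:ab:cd:ef"),  # bound MAC using another IP -> drop, counted
        ("192.168.1.20", "de:ad:be:ef:00:02"),  # printer IP from wrong MAC -> drop, not counted
        ("192.168.1.50", "de:ad:be:ef:00:03"),  # unbound host -> accept
    ]
    verdicts = [table.check(ip, mac) for ip, mac in packets]
    return verdicts, table.dropped_counter, len(table.alerts)


if __name__ == "__main__":
    print(run_sample())
```

The third packet shows why the check looks up by MAC as well as by IP: a host that keeps its bound MAC but takes a different address is still a binding violation, and the fourth shows that an entry configured without counter logging is still dropped and still generates an alert.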
Configuring Port Triggering
Port triggering allows some applications to function correctly that would otherwise be partially
blocked by the VPN firewall when it functions in NAT mode. Some applications require that
when external devices connect to them, they receive data on a specific port or range of ports.
The VPN firewall must send all incoming data for that application only on the required port or
range of ports. Using this feature requires that you know the port numbers used by the
application.
Port triggering allows computers on the private network (LAN) to request that one or more
ports be forwarded to them. Unlike basic port forwarding which forwards ports to only one
preconfigured IP address, port triggering waits for an outbound request from the private
network on one of the defined outgoing ports. It then automatically sets up forwarding to the
IP address that sent the request. When the application ceases to transmit data over the port,
the VPN firewall waits for a timeout interval and then closes the port or range of ports, making
them available to other computers on the private network.
Once configured, port triggering operates as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. The VPN firewall records this connection, opens the additional incoming port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC’s request and responds using the different port numbers that you have now opened.
4. The VPN firewall matches the response to the previous request, and forwards the response to the PC.
Without port triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the inbound service rules.
Note these restrictions with port triggering:
- Only one PC can use a port triggering application at any time.
- After a PC has finished using a port triggering application, there is a time-out period before the application can be used by another PC. This is required because the VPN firewall cannot be sure when the application has terminated.
Note: For additional ways of allowing inbound traffic, see page 45. See “Configuring Source MAC Filtering” on page 64 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the VPN firewall.
To add a port triggering rule:
1. Select Security > Port Triggering to display the Port Triggering screen.
2. Enter a user-defined name for this rule in the Name field.
3. In the Enable field, indicate if the rule is enabled or disabled.
4. In the Protocol field, choose either TCP or UDP transport protocol.
5. In the Outgoing (Trigger) Port Range fields:
   a. Enter the Start Port range (1 - 65534).
   b. Enter the End Port range (1 - 65534).
6. In the Incoming (Response) Port Range fields:
   a. Enter the Start Port range (1 - 65534).
   b. Enter the End Port range (1 - 65534).
7. Click Add. The port triggering rule will be added to the Port Triggering Rules table.
To check the status of the port triggering rules, click the Status option arrow to the right of the tab on the Port Triggering screen. The following data is displayed:
- Rule – The name of the port triggering rule.
- LAN IP Address – The IP address of the PC currently using this rule.
- Open Ports – The incoming ports associated with this rule. Incoming traffic using these ports will be sent to the LAN IP address above.
- Time Remaining – The time remaining before this rule is released, and thus available for other PCs. The timer is reset whenever incoming or outgoing traffic is received.
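The following added example models the port triggering behaviour described in the four operating steps, the two restrictions (one PC per rule, time-out before release), and the Status view fields listed just above. It is not the firewall's own code: the rule name, port ranges, LAN addresses, the 60-second time-out and the traffic sequence are constructed for the example, and the firewall's real time-out value is not given on this page.

```python
"""Port triggering state machine. Added illustration, not FVS336Gv2 firmware.
Rule, addresses, time-out and traffic below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class TriggerRule:
    """One row of the Port Triggering Rules table."""
    name: str
    protocol: str            # "TCP" or "UDP"
    trigger_range: tuple     # outgoing (trigger) port range, inclusive
    response_range: tuple    # incoming (response) port range, inclusive
    enabled: bool = True

    def __post_init__(self):
        for lo, hi in (self.trigger_range, self.response_range):
            if not (1 <= lo <= hi <= 65534):     # the range the screen accepts
                raise ValueError(f"port range {lo}-{hi} is not within 1-65534")


@dataclass
class TriggerState:
    """A rule currently held by one LAN PC (what the Status view shows)."""
    lan_ip: str
    time_remaining: int


class PortTriggering:
    def __init__(self, rules, timeout=60):
        self.rules = rules
        self.timeout = timeout  # seconds of idle time before a rule is released (assumed)
        self.state = {}         # rule name -> TriggerState

    def outbound(self, lan_ip, protocol, dst_port):
        """Steps 1-2: a LAN PC connects outward. If the destination port is in a
        rule's trigger range, open that rule's response ports for this PC.
        Returns the rule name, or None if no rule matched or another PC holds it."""
        for rule in self.rules:
            lo, hi = rule.trigger_range
            if not rule.enabled or rule.protocol != protocol or not lo <= dst_port <= hi:
                continue
            current = self.state.get(rule.name)
            if current is None or current.lan_ip == lan_ip:
                self.state[rule.name] = TriggerState(lan_ip, self.timeout)  # timer reset
                return rule.name
            return None  # restriction: only one PC may use the rule until it times out
        return None

    def inbound(self, protocol, dst_port):
        """Steps 3-4: a response arrives. Return the LAN IP it is forwarded to, or
        None if it must instead be handled by the inbound service rules."""
        for rule in self.rules:
            state = self.state.get(rule.name)
            lo, hi = rule.response_range
            if state is None or rule.protocol != protocol or not lo <= dst_port <= hi:
                continue
            state.time_remaining = self.timeout  # timer reset whenever traffic is seen
            return state.lan_ip
        return None

    def tick(self, seconds):
        """Advance the clock; release rules whose time-out has expired."""
        for name in list(self.state):
            self.state[name].time_remaining -= seconds
            if self.state[name].time_remaining <= 0:
                del self.state[name]

    def status(self):
        """The Status view: Rule, LAN IP Address, Open Ports, Time Remaining."""
        rows = []
        for rule in self.rules:
            state = self.state.get(rule.name)
            if state is not None:
                rows.append({"Rule": rule.name, "LAN IP Address": state.lan_ip,
                             "Open Ports": f"{rule.response_range[0]}-{rule.response_range[1]}",
                             "Time Remaining": state.time_remaining})
        return rows


def run_sample():
    """Constructed sequence: two PCs contend for one UDP rule."""
    fw = PortTriggering([TriggerRule("voice-app", "UDP", (6112, 6112), (6200, 6210))], timeout=60)
    log = []
    log.append(fw.inbound("UDP", 6205))               # None: nothing triggered yet
    log.append(fw.outbound("10.0.0.5", "UDP", 6112))  # "voice-app": opened for 10.0.0.5
    log.append(fw.inbound("UDP", 6205))               # "10.0.0.5"
    log.append(fw.outbound("10.0.0.6", "UDP", 6112))  # None: rule held by another PC
    fw.tick(30)
    remaining = fw.status()[0]["Time Remaining"]      # 30
    log.append(fw.inbound("UDP", 6210))               # "10.0.0.5", timer back to 60
    fw.tick(60)                                       # idle long enough: released
    log.append(fw.inbound("UDP", 6205))               # None: falls to inbound service rules
    log.append(fw.outbound("10.0.0.6", "UDP", 6112))  # "voice-app": second PC now holds it
    return log, remaining, fw.status()


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Two details worth noticing: the timer is reset on traffic in either direction, so a chatty application never releases the rule, and a response that arrives with no trigger state returns None, which is exactly the "treated as a new connection request" case the text describes.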
E-Mail Notifications of Event Logs and Alerts
The firewall logs can be configured to log and then e-mail denial of access, general attack
information, and other information to a specified e-mail address. For example, your VPN
firewall will log security-related events such as: accepted and dropped packets on different
segments of your LAN; denied incoming and outgoing service requests; hacker probes and
login attempts; and other general information based on the settings that you enter on the
Firewall Logs & E-mail screen. To configure e-mail or syslog notification, or to view the logs,
see “Activating Notification of Events and Alerts” on page 150.
Administrator Tips
Consider the following operational items:
- As an option, you can enable remote management if you have to manage distant sites from a central location (see “Enabling Remote Management Access” on page 139).
- Although rules (see “Using Rules to Block or Allow Specific Kinds of Traffic” on page 43) are the basic way of managing the traffic through your system, you can further refine your control with the following optional features of the VPN firewall:
  - Groups and hosts (see “Managing Groups and Hosts (LAN Groups)” on page 34).
  - Services (see “About Services-Based Rules” on page 43).
  - Schedules (see “Setting a Schedule to Block or Allow Specific Traffic” on page 61).
  - Block sites (see “Blocking Internet Sites (Content Filtering)” on page 62).
  - Source MAC filtering (see “Configuring Source MAC Filtering” on page 64).
  - Port triggering (see “Configuring Port Triggering” on page 66).
Chapter 5: Virtual Private Networking Using IPsec
This chapter describes how to use the IPsec virtual private networking (VPN) features of the
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 to provide secure,
encrypted communications between your local network and a remote network or computer.
This chapter contains the following sections:
- “Considerations for Dual WAN Port Systems” on this page.
- “Using the VPN Wizard for Client and Gateway Configurations” on page 72.
- “Testing the Connections and Viewing Status Information” on page 80.
- “Managing VPN Policies” on page 83.
- “Configuring Extended Authentication (XAUTH)” on page 86.
- “Assigning IP Addresses to Remote Users (ModeConfig)” on page 90.
- “Configuring Keepalives and Dead Peer Detection” on page 95.
- “Configuring NetBIOS Bridging with VPN” on page 97.
Considerations for Dual WAN Port Systems
If both of the WAN ports of the VPN firewall are configured, you can enable either
Auto-Rollover mode for increased system reliability or Load Balancing mode for optimum
bandwidth efficiency. This WAN mode choice impacts how the VPN features must be
configured.
The use of fully qualified domain names (FQDNs) in VPN policies is mandatory when the WAN ports are in load balancing or rollover mode, and is also required for the VPN tunnels to fail over. An FQDN is optional when the WAN ports are in load balancing mode if the IP addresses are static, but mandatory if the WAN IP addresses are dynamic.
Refer to “Virtual Private Networks (VPNs)” on page B-181 for more on the IP addressing requirements for VPN in the dual WAN modes. For instructions on how to select and configure a dynamic DNS service for resolving FQDNs, see “Configuring Dynamic DNS (Optional)” on page 26. For instructions on WAN mode configuration, see “Configuring the WAN Mode (Required for Dual WAN)” on page 22.