Chapter 8: VPN Firewall and Network Management
This chapter describes how to use the network management features of your ProSafe Dual WAN
Gigabit Firewall with SSL & IPsec VPN FVS336Gv2.
The VPN firewall offers many tools for managing the network traffic to optimize its performance.
You can also control administrator access, be alerted to important events requiring prompt
action, monitor the VPN firewall status, perform diagnostics, and manage the VPN firewall
configuration file.
This chapter contains the following sections:
“Performance Management” on this page.
“Changing Passwords and Administrator Settings” on page 137.
“Enabling Remote Management Access” on page 139.
“Using the Command Line Interface” on page 141.
“Using an SNMP Manager” on page 141.
“Managing the Configuration File” on page 143.
“Configuring Date and Time Service” on page 146.
Performance Management
Performance management consists of controlling the traffic through the VPN firewall so that
the necessary traffic gets through when there is a bottleneck and either reducing
unnecessary traffic or rescheduling some traffic to low-peak times to prevent bottlenecks
from occurring in the first place. The VPN firewall has the necessary features and tools to
help the network manager accomplish these goals.
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Bandwidth Capacity
The maximum bandwidth capacity of the VPN firewall in each direction is as follows:
LAN side: 4000 Mbps (four LAN ports at 1000 Mbps each)
WAN side: 2000 Mbps (load balancing mode, two WAN ports at 1000 Mbps each) or
1000 Mbps (rollover mode, one active WAN port at 1000 Mbps)
In practice, the WAN side bandwidth capacity will be much lower when DSL or cable modems
are used to connect to the Internet. At 1.5 Mbps, the WAN ports will support the following
traffic rates:
Load balancing mode: 3 Mbps (two WAN ports at 1.5 Mbps each)
Rollover mode: 1.5 Mbps (one active WAN port at 1.5 Mbps)
As a result and depending on the traffic being carried, the WAN side of the VPN firewall will
be the limiting factor to throughput for most installations.
Using the dual WAN ports in load balancing mode increases the bandwidth capacity of the
WAN side of the VPN firewall, but no spare capacity is held in reserve in case one of the WAN
ports fails. In such an event, and with one exception, the traffic that would have been sent on
the failed WAN port is diverted to the WAN port that is still working, increasing its load. The
exception is traffic that is bound by protocol to the WAN port that failed; this protocol-bound
traffic is not diverted.
Features That Reduce Traffic
Features of the VPN firewall that can be called upon to decrease WAN-side loading are as
follows:
Service blocking
Blocking sites
Source MAC filtering
Service Blocking
You can control specific outbound traffic (from LAN to WAN). The LAN WAN Rules screen
lists all existing rules for outbound traffic. If you have not defined any rules, only the default
rule will be listed. The default rule allows all outgoing traffic. (See “Using Rules to Block
or Allow Specific Kinds of Traffic” on page 43 for the procedure on how to use this feature.)
WARNING!
This feature is for advanced administrators only! Incorrect
configuration will cause serious problems.
Each rule lets you specify the desired action for the connections covered by the rule:
BLOCK always
BLOCK by schedule, otherwise Allow
ALLOW always
ALLOW by schedule, otherwise Block
As you define your firewall rules, you can further refine their application according to the
following criteria:
LAN Users. These settings determine which computers on your network are affected by
this rule. Select the desired options:
- Any. All PCs and devices on your LAN.
- Single address. The rule will be applied to the address of a particular PC.
- Address range. The rule is applied to a range of addresses.
- Groups. The rule is applied to a group (see “Managing Groups and Hosts (LAN Groups)”
on page 34 to assign PCs to a group using the LAN Groups Database).
WAN Users. These settings determine which Internet locations are covered by the rule,
based on their IP address.
- Any. The rule applies to all Internet IP addresses.
- Single address. The rule applies to a single Internet IP address.
- Address range. The rule is applied to a range of Internet IP addresses.
Services. You can specify the desired services or applications to be covered by a rule. If the
desired service or application does not appear in the Custom Services Table, you must
define it using the Services screen (see “Adding Customized Services” on page 57).
Groups and Hosts. You can apply these rules selectively to groups of PCs to reduce the
outbound or inbound traffic. The LAN Groups Database is an automatically maintained
list of all known PCs and network devices. PCs and devices become known by the
following methods:
- DHCP Client Request. By default, the DHCP server in this VPN firewall is enabled,
and will accept and respond to DHCP client requests from PCs and other network
devices. These requests also generate an entry in the LAN Groups Database.
Because of this, leaving the DHCP server feature (on the LAN Setup screen) enabled
is strongly recommended.
- Scanning the Network. The local network is scanned using ARP requests. The ARP
scan will detect active devices that are not DHCP clients. However, sometimes the
name of the PC or device cannot be accurately determined, and will appear in the
database as Unknown.
- Manual Entry. You can manually enter information about a device.
See “Managing Groups and Hosts (LAN Groups)” on page 34 for the procedure on how to
use this feature.
Schedule. If you have set firewall rules on the LAN WAN Rules screen, you can
configure three different schedules (for example, schedule 1, schedule 2, and schedule
3) for when a rule is to be applied. Once a schedule is configured, it affects all rules that
use this schedule. You specify the days of the week and time of day for each schedule.
(See “Setting a Schedule to Block or Allow Specific Traffic” on page 61 for the procedure
on how to use this feature.)
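The following Python script is added here as an illustration; it is not NETGEAR firmware code and does not appear in the manual. It models how the outbound rule criteria above combine: rules are consulted in order, the first rule whose LAN Users, WAN Users and Services selectors all match decides, the four actions are resolved against a schedule, and the implicit default rule allows all outbound traffic. The first-match ordering, the selector string formats ("group:Name", "a.b.c.d-a.b.c.e"), the LAN_GROUPS table and the RULES set are assumptions constructed for this model.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example (not NETGEAR code): a model of how LAN WAN outbound rules combine.
# First matching rule wins; the default rule allows all outbound traffic.
# Rule ordering and the selector formats below are assumptions of this model.


@dataclass
class Schedule:
    """One of the three schedules: days of the week (0 = Monday) and a
    time-of-day window given as zero-padded "HH:MM" strings."""
    days: set
    start: str
    end: str

    def active(self, when: datetime) -> bool:
        hhmm = when.strftime("%H:%M")
        return when.weekday() in self.days and self.start <= hhmm < self.end


@dataclass
class Rule:
    service: str                      # "HTTP", "SMTP", ... or "ANY"
    action: str                       # one of the four actions on the screen
    lan_users: str = "Any"            # "Any", "a.b.c.d", "a.b.c.d-a.b.c.e" or "group:Name"
    wan_users: str = "Any"            # "Any", "a.b.c.d" or "a.b.c.d-a.b.c.e"
    schedule: Optional[Schedule] = None


# Constructed stand-in for the LAN Groups Database (assumption, not device data).
LAN_GROUPS = {"Sales": {"192.168.1.20", "192.168.1.21"}}


def _in_range(selector: str, ip: str) -> bool:
    lo, hi = (ipaddress.ip_address(p.strip()) for p in selector.split("-", 1))
    return lo <= ipaddress.ip_address(ip) <= hi


def lan_matches(selector: str, ip: str) -> bool:
    if selector == "Any":
        return True
    if selector.startswith("group:"):
        return ip in LAN_GROUPS.get(selector[len("group:"):], set())
    if "-" in selector:
        return _in_range(selector, ip)
    return ip == selector


def wan_matches(selector: str, ip: str) -> bool:
    if selector == "Any":
        return True
    if "-" in selector:
        return _in_range(selector, ip)
    return ip == selector


def decide(rule: Rule, when: datetime) -> str:
    """Map the rule's action (and its schedule, if any) to BLOCK or ALLOW."""
    if rule.action == "BLOCK always":
        return "BLOCK"
    if rule.action == "ALLOW always":
        return "ALLOW"
    in_schedule = rule.schedule is not None and rule.schedule.active(when)
    if rule.action == "BLOCK by schedule, otherwise Allow":
        return "BLOCK" if in_schedule else "ALLOW"
    if rule.action == "ALLOW by schedule, otherwise Block":
        return "ALLOW" if in_schedule else "BLOCK"
    raise ValueError(f"unknown action: {rule.action}")


def evaluate_outbound(rules, lan_ip, wan_ip, service, when, default="ALLOW"):
    """First matching rule wins; otherwise the default rule (allow all outbound) applies."""
    for rule in rules:
        if rule.service not in ("ANY", service):
            continue
        if not (lan_matches(rule.lan_users, lan_ip) and wan_matches(rule.wan_users, wan_ip)):
            continue
        return decide(rule, when)
    return default


# Constructed rule set: block Sales web browsing during office hours, and block
# direct SMTP from a range of workstations at all times.
OFFICE_HOURS = Schedule(days={0, 1, 2, 3, 4}, start="09:00", end="17:00")
RULES = [
    Rule("HTTP", "BLOCK by schedule, otherwise Allow", lan_users="group:Sales", schedule=OFFICE_HOURS),
    Rule("SMTP", "BLOCK always", lan_users="192.168.1.50-192.168.1.99"),
]


def verdict(lan_ip: str, wan_ip: str, service: str, iso_time: str) -> str:
    """Evaluate the constructed RULES at a time given as "YYYY-MM-DDTHH:MM"."""
    return evaluate_outbound(RULES, lan_ip, wan_ip, service, datetime.fromisoformat(iso_time))


if __name__ == "__main__":
    # Tuesday 10:00: a Sales PC is blocked from HTTP; the same PC at 20:00 is allowed.
    print(verdict("192.168.1.20", "203.0.113.7", "HTTP", "2024-03-12T10:00"))
    print(verdict("192.168.1.20", "203.0.113.7", "HTTP", "2024-03-12T20:00"))
```

The point of the model is that a rule's selectors narrow which connections it covers, while the schedule only changes which of the two actions applies to a connection the rule already covers; a connection no rule covers falls through to the default.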
Blocking Sites
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use
the VPN firewall’s filtering feature. By default, this feature is disabled; all requested traffic
from any website is allowed.
Keyword (and Domain Name) Blocking. You can specify up to 32 words that, should
they appear in the website name (that is, URL) or in a newsgroup name, will cause that
site or newsgroup to be blocked by the VPN firewall.
You can apply the keywords to one or more groups. Requests from the PCs in the groups
for which keyword blocking has been enabled will be blocked. Blocking does not occur for
the PCs that are in the groups for which keyword blocking has not been enabled.
You can bypass keyword blocking for trusted domains by adding the exact matching
domain to the Trusted Domains table. Access to the domains in this table by PCs, even
in the groups for which keyword blocking has been enabled, will still be allowed without
any blocking.
Web Component blocking. You can block the following Web component types: Proxy,
Java, ActiveX, and Cookies. Sites on the Trusted Domains table are still subject to Web
component blocking when the blocking of a particular Web component has been enabled.
See “Blocking Internet Sites (Content Filtering)” on page 62 for the procedure on how to use
this feature.
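The following Python class is an added illustration, not NETGEAR code and not part of the manual. It models the three behaviours described above: keywords are matched as substrings of the requested URL, blocking applies only to PCs in groups for which it is enabled, and a Trusted Domains entry bypasses blocking only when the host name matches exactly. The case folding and the constructed keyword list, group name and trusted domain are assumptions of this model. The last sample shows the practical hazard of substring keywords: a short word such as "sex" also blocks an innocent host name such as www.essex.example.

```python
from urllib.parse import urlsplit

# Added example (not NETGEAR code): a model of keyword blocking with group
# scoping and the exact-match Trusted Domains bypass. Case folding and the
# "match anywhere in the URL" rule are assumptions of this model.

MAX_KEYWORDS = 32   # the limit stated in the manual


class SiteFilter:
    def __init__(self, keywords, enabled_groups, trusted_domains):
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError(f"at most {MAX_KEYWORDS} keywords are supported")
        self.keywords = [k.lower() for k in keywords]
        self.enabled_groups = set(enabled_groups)        # groups blocking applies to
        self.trusted = {d.lower().rstrip(".") for d in trusted_domains}

    def matched_keyword(self, url: str):
        """Return the first keyword that appears anywhere in the URL, or None."""
        lowered = url.lower()
        for kw in self.keywords:
            if kw in lowered:
                return kw
        return None

    def is_blocked(self, url: str, group: str) -> bool:
        if group not in self.enabled_groups:
            return False                                  # blocking is per group
        host = (urlsplit(url).hostname or "").rstrip(".")
        if host in self.trusted:
            return False                                  # exact host match only
        return self.matched_keyword(url) is not None


# Constructed configuration for the demonstration (assumption, not device data).
FILTER = SiteFilter(
    keywords=["casino", "sex", "example.net"],
    enabled_groups=["Guests"],
    trusted_domains=["support.example.net"],
)

if __name__ == "__main__":
    for url, group in [
        ("http://www.casino-games.example/", "Guests"),      # keyword hit, group enabled
        ("http://www.casino-games.example/", "Staff"),       # group not enabled
        ("http://support.example.net/kb", "Guests"),         # trusted, exact match
        ("http://www.support.example.net/kb", "Guests"),     # subdomain is not an exact match
        ("http://www.essex.example/", "Guests"),             # substring false positive
    ]:
        print(group, url, "BLOCK" if FILTER.is_blocked(url, group) else "ALLOW")
```

Because the bypass is exact-match, every host name users legitimately reach (www., support., and so on) has to be listed separately in the Trusted Domains table, and the keyword list should be reviewed for short words that occur inside ordinary host names.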
Source MAC Filtering
If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the
LAN, you can use the source MAC filtering feature to drop the traffic received from the PCs
with the specified MAC addresses. By default, this feature is disabled; all traffic received from
PCs with any MAC address is allowed. Note that a MAC address can be changed on most
operating systems, so source MAC filtering restrains well-behaved devices but is not a
reliable control against a user who sets out to evade it.
See “Configuring Source MAC Filtering” on page 64 for the procedure on how to use this
feature.
Features That Increase Traffic
Features that tend to increase WAN-side loading are as follows:
Port forwarding
Port triggering
Exposed hosts
VPN tunnels
Port Forwarding
The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to
steal data or damage your PCs, but overloads your Internet connection so that you cannot
use it (that is, the service is unavailable). You can also create additional firewall rules that are
customized to block or allow specific traffic. (See “Using Rules to Block or Allow Specific
Kinds of Traffic” on page 43 for the procedure on how to use this feature.)
WARNING!
This feature is for advanced administrators only! Incorrect
configuration will cause serious problems.
You can control specific inbound traffic (that is, from WAN to LAN). The LAN WAN Rules
screen lists all existing rules for inbound traffic. If you have not defined any rules, only the
default rule will be listed. The default rule blocks all inbound traffic, so each inbound ALLOW
rule you add exposes a LAN host to the Internet and should be limited to the WAN addresses
and services that actually need it.
Each rule lets you specify the desired action for the connections covered by the rule:
BLOCK always
BLOCK by schedule, otherwise Allow
ALLOW always
ALLOW by schedule, otherwise Block
You can also enable a check on special rules:
VPN Passthrough. Passes the VPN traffic without any filtering; used especially when the
VPN firewall is located between two VPN tunnel end points.
Drop fragmented IP packets. Drops any fragmented IP packets.
UDP Flooding. Limits the number of UDP sessions created from one LAN machine.
TCP Flooding. Protects the VPN firewall from SYN flood attacks.
Enable DNS Proxy. Allows the VPN firewall to handle DNS queries from the LAN.
Enable Stealth Mode. Prevents the VPN firewall from responding to incoming requests
for unsupported services.
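The following Python script is an added illustration, not NETGEAR code and not part of the manual. It models the UDP Flooding check described above, which limits the number of UDP sessions created from one LAN machine: a session is keyed by source port, destination address and destination port, packets on an existing session never count again, and a packet that would open a session beyond the per-host cap is dropped while other hosts are unaffected. The cap of 8 sessions, the 30 s idle timeout, the session key and the traffic sample are assumptions constructed for this model; the manual does not state the device's values.

```python
from collections import defaultdict

# Added example (not NETGEAR code): a model of the "UDP Flooding" check, which
# caps concurrent UDP sessions per LAN host. The limit, the idle timeout and
# the session key are assumptions of this model, not the FVS336Gv2's values.


class UdpSessionLimiter:
    def __init__(self, max_sessions: int = 8, idle_timeout: float = 30.0):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout
        # lan_ip -> {(sport, dst, dport): last_seen}
        self._sessions = defaultdict(dict)

    def _expire(self, lan_ip: str, now: float) -> None:
        table = self._sessions[lan_ip]
        stale = [k for k, seen in table.items() if now - seen > self.idle_timeout]
        for k in stale:
            del table[k]

    def check(self, pkt: dict, now: float) -> str:
        """Verdict ("ALLOW" or "DROP") for one LAN-originated UDP packet.

        pkt has keys src, sport, dst, dport. A packet on a known session
        refreshes it and is always allowed; a packet that would open a new
        session beyond the per-host cap is dropped."""
        lan_ip = pkt["src"]
        self._expire(lan_ip, now)
        table = self._sessions[lan_ip]
        key = (pkt["sport"], pkt["dst"], pkt["dport"])
        if key in table:
            table[key] = now
            return "ALLOW"
        if len(table) >= self.max_sessions:
            return "DROP"
        table[key] = now
        return "ALLOW"

    def active_sessions(self, lan_ip: str) -> int:
        return len(self._sessions[lan_ip])


def replay(packets, limiter=None):
    """Run a list of (time, pkt) pairs through a limiter and return the verdicts."""
    limiter = limiter or UdpSessionLimiter()
    return [limiter.check(pkt, t) for t, pkt in packets]


def udp(src, sport, dst, dport):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed traffic (assumption): 10.0.0.5 opens 10 sessions in one second,
# while 10.0.0.6 sends a single DNS query in the middle of the burst.
BURST = [(0.1 * i, udp("10.0.0.5", 40000 + i, "198.51.100.9", 9000 + i)) for i in range(10)]
BURST.insert(5, (0.45, udp("10.0.0.6", 51000, "198.51.100.53", 53)))

if __name__ == "__main__":
    for (t, pkt), v in zip(BURST, replay(BURST)):
        print(f"{t:4.2f} {pkt['src']} -> {pkt['dst']}:{pkt['dport']} {v}")
```

Two properties matter for a check like this: the cap is scoped per LAN host, so one flooding machine does not starve its neighbours, and sessions must age out, or a host that once burst would stay throttled forever.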
As you define your firewall rules, you can further refine their application according to the
following criteria:
LAN Users. These settings determine which computers on your network are affected by
this rule. Select the desired IP address in this field.
WAN Users. These settings determine which Internet locations are covered by the rule,
based on their IP address.
- Any. The rule applies to all Internet IP addresses.
- Single address. The rule applies to a single Internet IP address.
- Address range. The rule is applied to a range of Internet IP addresses.