Course Agenda
- Introductions
- Course Objectives
- FVS336G Features
- Specific features on FVS336G
- Firewall & Router overview
- VPN overview
- SSL overview
- FVS336G Administration GUI walk-through
- FVS336G User SSL Portal walk-through
- FAQ
- Known Issues
- Q&A
Introduction
Course Description: This training is intended to provide background and update information about the new ProSafe dual WAN gigabit firewall with IPSec and SSL VPN.
Course Audience: L2, L3, SE, VAR
Course Prerequisites:
- Familiarity with and knowledge of NETGEAR ProSafe VPN firewall products
- Basic knowledge and understanding of VPN (IPSec & SSL) concepts
- Basic usage of VPN configuration on the NETGEAR ProSafe VPN products
© 1996-2006 NETGEAR. All rights reserved
Course Objectives
At the end of this course, Technical Support Engineers should be able to do the following:
- Identify the differences between the FVS336G and other NETGEAR Firewall VPN routers
- List and describe unique features on the FVS336G
- Identify and list the differences between the SSL features on the FVS336G and the SSL312
- Configure and set up the SSL Portal on the FVS336G
FVS336G Usage
Package Contents
- ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN
- One AC power cable (100-240 VAC, 50-60 Hz)
- Rubber feet
- One Category 5 (Cat5) Ethernet cable
- Installation Guide: FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN
- Resource CD, including:
  - Application Notes and other helpful information
  - ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
  - ProSafe VPN Client Software, one user license
- Warranty and Support Information Card
Front Panel
Rear Panel
- Factory Defaults button: Using a sharp object, press and hold this button for about ten seconds until the front panel TEST light flashes to reset the FVS336G to factory default settings. All configuration settings will be lost and the default password will be restored.
- LAN & WAN ports: Auto MDI/MDIX, Gigabit Ethernet ports
- AC Power: Universal AC input (100-240 VAC, 50-60 Hz)
- On/off power switch
Bottom label
- Default LAN IP address: 192.168.1.1
- Default username: admin
- Default password: password
Hardware Specifications
- Processor Speed: 300 MHz (Cavium CN3005SCP)
- Memory: 16 MB flash, 64 MB DRAM
- Power adapter: 12V DC, 1.2A; plug is localized to country of sale
- Dimensions: 25.4 x 17.8 x 3.96 cm (10 x 7 x 1.56 in)
- Weight: 1.7 kg (3.7 lb)
- Operating temperature: 0 to 40°C (32 to 104°F)
- Operating humidity: 90% maximum relative humidity, non-condensing
Business Unit DCIHKN DCINLN DCINLN DCIHKN DCINLN DCINLN DCUSN DCUSN DCINLN DCINLN
XF Date 10/19/2007 10/12/2007 10/26/2007 10/12/2007 10/12/2007 10/19/2007 9/28/2007 10/12/2007 10/19/2007 10/26/2007
Ship Mode S S S S S S S S S S
ETA at DC 9/21/2007 10/16/2007 11/27/2007 9/28/2007 10/16/2007 10/16/2007 10/22/2007 10/8/2007 10/16/2007 11/27/2007
Performance Spec
Throughput:
- LAN-to-WAN: 60 Mbps total
- IPsec VPN (3DES): 16 Mbps
- SSL VPN: 10 Mbps
Connections: 10,000 concurrent sessions
FVS336G GUI
Admin GUI
http://192.168.1.1
Username: admin
Password: password
Domain: geardomain
WAN Mode
Dynamic DNS
LAN Settings
The secondary LAN IP address will be assigned to the LAN interface of the router and can be used as a gateway by computers on the secondary subnet.
Security Services
Security Scheduling
IPSec VPN
VPN Policy
IKE Policy
Mode Config
SSL VPN
SSL Domain
SSL Groups
SSL Users
NOTE: This applies to Remote Management access for ALL users, including Administrator access.
Administrative Features
Traffic Meter
Allows you to measure and limit the traffic routed by the router. The router will keep a record of the volume of traffic going from the selected interface. The router can also be configured to place a restriction on the volume of data being transferred.
Attack Checks
Firewall Logs
Email Logs
Syslog
VPN Logs
With Split Tunnel Mode, a remote client has routed access to the NETGEAR LAN 192.168.3.0/24 from anywhere with an Internet connection.
FAQ
Does the SSL require any additional VPN software?
No, the main intention of the SSL VPN is that users do not need to install any client software on their PCs. Users only need a web browser that can support ActiveX or Java.

How many simultaneous VPN connections does FVS336G support?
It supports up to 25 IPSec VPN tunnels and 10 SSL VPN tunnels.

Can I manage the box using a port number different from standard HTTPS port number 443, and use 443 for port forwarding to an internal web server?
No, not yet. You need to use standard port number 443 to manage the box via HTTPS. To access an internal web server on port 443, please use SSL or IPSec VPN tunnel access.

Does the FVS336G have all the features of the SSL312 VPN Concentrator?
No, the FVS336G SSL VPN only provides full SSL VPN tunnel and Port Forwarding. For full features of the SSL VPN, we recommend that you purchase a standalone SSL312 SSL VPN concentrator.

Do you need additional hardware to use the SSL VPN feature?
No, the SSL VPN is part of the software feature available on the FVS336G. You may need an authentication server if you are not using the local user database on the FVS336G.
Known Issues
- Dropped packets are not logged even though they match a firewall rule with the log option turned on.
- Admin and guest login from WAN are enabled by default.
- Disabling remote management will disable SSL VPN.
- Vonage incoming call from WAN rings, but there is no voice.
- VPN rollover does not work if both WAN interfaces are on the same subnet (not common).
- Inbound rule with second public address on a different subnet from WAN interface address does not work if the traffic is initiated from a host directly on this subnet (not common; normally there is a router in between and that works).
- In load balancing mode, a host directly connected to WAN port can ping WAN1, not WAN2 (not a common case; normally there is a router in between and that works).
- In load balancing mode, SSL VPN user directly connected to WAN port can establish VPN tunnel to WAN1, not WAN2 (not a common case; normally there is a router in between and that works).
- Login page is not displayed properly if admin comes in via FVX538 inbound rule to log in to the WAN port of FVS336G (this is a common deployment case).
- Host names in SSL port forwarding cannot mix upper and lower case letters.
- SSL VPN denial policy does not block ping traffic unless the high port number is blank.
- SSL VPN global policy "edit" button does not display "Service" on the edit web page (the work-around is to delete the policy and recreate it).
- The change password option should be grayed out if SSL VPN user is authenticated via Active Directory, RADIUS or LDAP. It has no effect.
- Port forwarding HTTPS port 443 via a secondary public WAN IP in inbound rule cannot reach internal web server (the work-around is to use SSL VPN to access internal web server).
- PPPoE auto-detect displays "No service detected", although it has already acquired WAN IP address and is functioning.
- When adding an SSL VPN resource, the IP address is not part of the configuration and is only available from the "edit" button.
- Raritan KVM client through SSL Port Forwarding gets disconnected after being idle for a while (the work-around is to use SSL VPN tunnel instead of Port Forwarding).