Netgear VPN Firewall FVS336Gv2 Reference Manual
Customize Firewall Protection 290 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

12. Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table.
13. Click the Edit button again.
    The IP Groups screen displays. The group configuration is complete.

Change an IP Address Group

The following procedure describes how you can change an existing IP group.

To change an IP group:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Security > Services > IP Groups.
   The IP Groups screen displays.
7. In the Custom IP Groups Table, click the Edit button for the IP group that you want to change.
   The Edit IP Group screen displays.
8. Change the settings.
   You can change the group name and you can change the group type. You cannot change an IP address that is associated with the group but you can remove the IP address and replace it with another IP address.
9. To remove one or more IP addresses that are associated with the group and add new IP addresses, do the following:
   a. In the IP Addresses Grouped table, select the check box to the left of each IP address that you want to remove, or click the Select All button to select all IP addresses.
   b. Click the Delete button.
      The selected IP addresses are removed from the IP Addresses Grouped table.
   c. In the IP Address field, type an IP address.
   d. Click the Add button.
      The IP address is added to the IP Addresses Grouped table.
   e. To add another IP address, repeat Step c and Step d.
10. Click the Edit button again.
    Your settings are saved and the IP Groups screen displays. The modified IP group displays in the Custom IP Groups Table.

Remove One or More IP Address Groups

The following procedure describes how to remove one or more IP groups that you no longer need as objects for firewall rules.

To remove one or more IP groups:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Security > Services > IP Groups.
   The IP Groups screen displays.
7. In the Custom IP Groups table, select the check box to the left of the IP group that you want to remove, or click the Select All button to select all groups.
8. Click the Delete button.
   The selected groups are removed from the Custom IP Groups table.

Define a Schedule

Schedules define the time frames under which firewall rules are applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules. Other than the tab that you click to specify the schedule that you want to configure, the procedure to define Schedule 2 and Schedule 3 is identical to the procedure to define Schedule 1.

To define Schedule 1:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Security > Services > Schedule 1.
   The Schedule1 screen displays.
7. In the Scheduled Days section, select a radio button:
   • All Days. The schedule is in effect all days of the week.
   • Specific Days. The schedule is in effect only on specific days. To the right of the radio buttons, select the check box for each day that you want the schedule to be in effect.
8. In the Scheduled Time of Day section, select a radio button:
   • All Day. The schedule is in effect all hours of the selected day or days.
   • Specific Times. The schedule is in effect only during specific hours of the selected day or days. To the right of the radio buttons, complete the Start Time and End Time fields and select the meridiem from the AM/PM menu to define the time during which the schedule is in effect.
9. Click the Apply button.
   Your settings are saved to Schedule 1.

Manage Quality of Service Profiles for IPv4 Firewall Rules

When multiple connections are scheduled for simultaneous transmission on the VPN firewall, a Quality of Service (QoS) profile can define the relative priority of an IPv4 packet.

The following sections provide information about managing quality of service profiles for IPv4 firewall rules:

• IPv4 QoS Profiles Overview
• Add an IPv4 QoS Profile
• Change an IPv4 QoS Profile
• Remove One or More IPv4 QoS Profiles

IPv4 QoS Profiles Overview

A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule or service and IPv4 traffic that matches the firewall rule or service is processed by the VPN firewall. The Type of Service in the Internet Protocol Suite standards, RFC 1349, defines the priorities.

You can assign a QoS profile to the following IPv4 firewall rules:

• LAN WAN outbound rules (see Add an IPv4 LAN WAN Outbound Rule on page 224)
• LAN WAN inbound rules (see Add an IPv4 LAN WAN Inbound Rule on page 229)
• DMZ WAN outbound rules (see Add an IPv4 DMZ WAN Outbound Rule on page 233)
• DMZ WAN inbound rules (see Add an IPv4 DMZ WAN Inbound Rule on page 238)

Note: When you apply a QoS profile to a firewall rule for the first time, the performance of the VPN firewall might be affected slightly.

The VPN firewall does not provide any default QoS profiles for IPv4 traffic. If you want to use QoS for IPv4 traffic, you must add QoS profiles. You could create QoS profiles similar to the default QoS priorities that the VPN firewall provides for IPv6 traffic (see Default Quality of Service Priorities for IPv6 Firewall Rules).

Note: To configure and apply QoS profiles successfully, familiarity with QoS concepts such as QoS priority queues, IP precedence, DSCP, and their values is helpful.

Add an IPv4 QoS Profile

The following procedure describes how to add an IPv4 QoS profile that you then can use as an object for a firewall rule.

To add an IPv4 QoS profile:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Security > Services > QoS Profiles.
   The QoS Profile screen displays. The following figure shows some user-defined profiles in the List of QoS Profiles table as examples.
7. Under the List of QoS Profiles table, click the Add button.
   The Add QoS Profile screen displays.
8. Enter the settings as described in the following table.

   Setting / Description

   Profile Name
      A descriptive name of the QoS profile for identification and management purposes.

   Re-Mark
      Select the Re-Mark check box to set the Differentiated Services (DiffServ) mark in the Type of Service (ToS) byte of an IP header by specifying the QoS type (IP precedence or DSCP) and QoS value. Make a selection from the QoS menu and enter a value in the QoS Value field:
      • QoS. Select a traffic classification method:
         - IP Precedence. A legacy method that sets the priority in the ToS byte of an IP header.
         - DSCP. A method that sets the Differentiated Services Code Point (DSCP) in the Differentiated Services (DS) field (which is the same as the ToS byte) of an IP header.
      • QoS Value. Enter the QoS value that the VPN firewall must compare against the QoS value in the ToS or DiffServ byte of an IP header. The QoS value that you must enter depends on your selection from the QoS menu:
         - For IP Precedence, select a value from 0 to 7.
         - For DSCP, select a value from 1 to 63.
      If you clear the Re-Mark check box (which is the default setting), the QoS profile is specified only by the QoS priority.

   QoS Priority
      The QoS priority represents the classification level of the packet among the priority queues within the VPN firewall. If you select Default, packets are mapped based on the ToS bits in their IP headers. From the QoS Priority menu, select a priority queue:
      • Default
      • High
      • Medium High
      • Medium
      • Low

9. Click the Apply button.
   Your settings are saved. The new QoS profile is added to the List of QoS Profiles table.

Change an IPv4 QoS Profile

The following procedure describes how to change an existing IPv4 QoS profile.

To change an IPv4 QoS profile:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Security > Services > QoS Profiles.
   The QoS Profiles screen displays.
7. In the List of QoS Profiles table, click the Edit button for the QoS profile that you want to change.
   The Edit QoS Profile screen displays.
8. Change the settings.
   For information about the settings, see Add an IPv4 QoS Profile on page 294.
9. Click the Apply button.
   Your settings are saved. The modified QoS profile displays in the List of QoS Profiles table on the QoS Profiles screen.

Remove One or More IPv4 QoS Profiles

The following procedure describes how to remove one or more IPv4 QoS profiles that you no longer need as objects for firewall rules.

To remove one or more IPv4 QoS profiles:

1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select Security > Services > QoS Profiles.
   The QoS Profiles screen displays.
7. In the List of QoS Profiles table, select the check box to the left of each QoS profile that you want to remove, or click the Select All button to select all profiles.
8. Click the Delete button.
   The selected profiles are removed from the List of QoS Profiles table.

Default Quality of Service Priorities for IPv6 Firewall Rules

A QoS default profile becomes active only when it is associated with a nonblocking outbound firewall rule or service and IPv6 traffic that matches the firewall rule or service is processed by the VPN firewall.

For IPv6 firewall rules and services, you cannot configure QoS profiles. The VPN firewall provides default QoS priorities that you can assign to the following IPv6 firewall rules:

• LAN WAN outbound rules (see Add an IPv6 LAN WAN Outbound Rule on page 226)
• DMZ WAN outbound rules (see Add an IPv6 DMZ WAN Outbound Rule on page 235)

Note: When you apply a QoS profile to a firewall rule for the first time, the performance of the VPN firewall might be affected slightly.

The QoS priorities are preconfigured and you cannot change them:

• Normal-Service. Used when no special priority is given to the traffic. IP packets are marked with a ToS value of 0.
• Minimize-Cost. Used when data must be transferred over a link that has a lower cost. IP packets are marked with a ToS value of 2.
• Maximize-Reliability. Used when data must travel to the destination over a reliable link and with little or no retransmission. IP packets are marked with a ToS value of 4.
• Maximize-Throughput. Used when the volume of data transferred during an interval is important even if the latency over the link is high. IP packets are marked with a ToS value of 8.
• Minimize-Delay. Used when the time required (latency) for the packet to reach the destination must be low. IP packets are marked with a ToS value of 16.
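
Added example (not from the NETGEAR manual): Python code for checking, in a packet capture, both the mark that the Re-Mark setting in the Add an IPv4 QoS Profile table describes and the ToS values listed above for the IPv6 default priorities. It assumes the standard bit positions of RFC 791, RFC 1349 and RFC 2474, which the manual does not spell out; the sample headers and all function names are constructed for illustration.

```python
# Added example: decode the IPv4 ToS / IPv6 Traffic Class byte from a raw IP header.
# Bit positions follow RFC 791 / RFC 1349 / RFC 2474 (assumed; the manual gives only values).

# ToS values the manual lists for the IPv6 default QoS priorities.
RFC1349_TOS = {0: "Normal-Service", 2: "Minimize-Cost", 4: "Maximize-Reliability",
               8: "Maximize-Throughput", 16: "Minimize-Delay"}

# Value ranges the manual gives for Re-Mark, with the bit shift assumed for each method.
REMARK = {"IP Precedence": (range(0, 8), 5), "DSCP": (range(1, 64), 2)}

# Constructed sample headers (not from a real capture; IPv4 checksum left at zero).
IPV4_SAMPLE = bytes.fromhex("45b8003c1c46400040060000c0a8010ac0a80101")
IPV6_SAMPLE = bytes.fromhex("6100000000140640") + bytes(32)


def tos_byte(header: bytes) -> int:
    """Return the ToS (IPv4) or Traffic Class (IPv6) byte of a raw IP header."""
    if len(header) < 2:
        raise ValueError("header too short")
    version = header[0] >> 4
    if version == 4:
        return header[1]
    if version == 6:
        # Traffic Class spans the low nibble of byte 0 and the high nibble of byte 1.
        return ((header[0] & 0x0F) << 4) | (header[1] >> 4)
    raise ValueError(f"not an IP header (version nibble {version})")


def decode(tos: int) -> dict:
    """Read one byte in each of the ways the page describes it."""
    return {
        "ip_precedence": tos >> 5,   # top 3 bits
        "dscp": tos >> 2,            # top 6 bits
        "ecn": tos & 0x03,           # low 2 bits, not part of the QoS mark
        # The RFC 1349 name is reported only when the precedence bits are zero.
        "rfc1349": RFC1349_TOS.get(tos & 0x1E) if tos >> 5 == 0 else None,
    }


def remark_matches(header: bytes, method: str, value: int) -> bool:
    """True if the header carries the mark a profile (method, value) should set."""
    allowed, shift = REMARK[method]
    if value not in allowed:
        raise ValueError(f"{method} value {value} is outside the range the manual gives")
    return tos_byte(header) >> shift == value


if __name__ == "__main__":
    for name, hdr in (("IPv4", IPV4_SAMPLE), ("IPv6", IPV6_SAMPLE)):
        print(name, hex(tos_byte(hdr)), decode(tos_byte(hdr)))
```

Comparing only the shifted bits means the ECN bits, which routers on the path may change, do not cause a false mismatch when a capture is checked against a profile.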

Manage Bandwidth Profiles for IPv4 Traffic

Bandwidth profiles determine how fast or slow data is communicated with the hosts.

The following sections provide information about managing quality of service profiles for IPv4 firewall rules:

• Bandwidth Profiles Overview
• Add and Enable a Bandwidth Profile
• Change a Bandwidth Profile
• Remove One or More Bandwidth Profiles

Bandwidth Profiles Overview

The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN link. You can use a single bandwidth profile for both outbound and inbound traffic.

For outbound IPv4 traffic, you can apply bandwidth profiles on the WAN interface; for inbound IPv4 traffic, you can apply bandwidth profiles to a LAN interface. Bandwidth profiles do not apply to the DMZ interface, nor to IPv6 traffic.

When a new connection is established by a device, the device locates the firewall rule corresponding to the connection and the following happens:

• If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel.
• If multiple connections correspond to the same firewall rule, the connections all share the same bandwidth class.

An exception occurs for an individual bandwidth profile if the classes are per-source IP address classes. The source IP address is the IP address of the first packet that is transmitted for the connection. So for outbound firewall rules, the source IP address is the LAN-side IP address; for inbound firewall rules, the source IP address is the WAN-side IP address. The class is removed when all the connections that are using the class expire.

After you create a bandwidth profile, you can assign the bandwidth profile to the following firewall rules:

• LAN WAN outbound rules for IPv4 (see Add an IPv4 LAN WAN Outbound Rule on page 224).
• LAN WAN inbound rules for IPv4 (see Add an IPv4 LAN WAN Inbound Rule on page 229).

Note: For bandwidth profiles to function correctly, make sure that you configure the WAN upload and download settings correctly. For more information, see Managing Advanced WAN Options on page 66.