Netgear VPN Firewall FVS336Gv2 Reference Manual
Set Up Virtual Private Networking with SSL Connections 469 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

7. In the Add New Resource section, specify the following information:
   • Resource Name. A descriptive name of the resource for identification and management purposes.
   • Service. From the Service menu, select the type of service to which the resource applies:
     - VPN Tunnel. The resource applies only to a VPN tunnel.
     - Port Forwarding. The resource applies only to port forwarding.
     - All. The resource applies both to a VPN tunnel and to port forwarding.
8. Click the Add button.
   The new resource is added to the List of Resources table.

Define or Change an IPv4 or IPv6 Network Resource and Resource Address

After you add a network resource (see Add an SSL Network Resource on page 468), you must define an IP address, FQDN, or IP network, and the services (port numbers) for the resource.

To define or change a network resource and resource address:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN > Resources.
   The Resources screen displays.
7. In the List of Resources table, click the Edit button for the new resource.
   The Edit Resources screen displays the IPv4 settings. The following figure shows some examples.
8. To configure the settings for an IPv6 resource instead of an IPv4 resource, in the upper right, select the IPv6 radio button.
   The Edit Resources screen displays the IPv6 settings. Except for the Prefix Length field, which is the Mask Length field on the screen for IPv4, the IPv6 screen is identical to the IPv4 screen.
9. Enter the settings as described in the following table.

Setting | Description
Add Resource Addresses
Resource Name | The unique identifier for the resource. This is the resource name that you created on the Resources screen.
Service | The SSL service that you assigned to the resource on the Resources screen.
Object Type | From the menu, select an option:
  • IP Address. The object is an IPv4 or IPv6 address. In the IP Address / Name field, enter the IP address or FQDN for the object (that is, application or service) that you assign to this resource.
  • IP Network. The object is an IPv4 or IPv6 network. Configure the following settings:
    - In the Network Address field, enter the network IP address for the objects (that is, applications or services) that you assign to this resource.
    - For IPv4, in the Mask Length field, enter the associated network mask length from 0 to 31. For IPv6, in the Prefix Length field, enter the associated prefix length.
Port Range / Port Number | Enter the port or a range of ports (0–65535) to apply the policy to. The VPN firewall applies the policy to all TCP and UDP traffic that passes on those ports. To apply the policy to all traffic, leave the fields blank.

10. Click the Apply button.
    Your settings are saved. The new configuration is added to the Defined Resource Addresses table.

Remove One or More SSL Network Resources

The following procedure describes how you can remove an SSL network resource that you no longer need.

To remove an SSL network resource:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN > Resources.
   The Resources screen displays.
7. In the List of Resources table, select the check box to the left of each network resource that you want to remove or click the Select All button to select all network resources.
8. Click the Delete button.
   The selected network resources are removed from the List of Resources table.

Remove an IPv4 or IPv6 SSL Resource Address Configuration

The following procedure describes how to remove an SSL resource address configuration that you no longer need.

Note: If you remove all SSL resource address configurations for a corresponding SSL policy, the policy becomes ineffective.

To remove an SSL resource address configuration:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN > Resources.
   The Resources screen displays.
7. In the List of Resources table, click the Edit button for the resource for which you want to remove a network resource address.
   The Edit Resources screen displays the IPv4 settings.
8. To remove an IPv6 resource address configuration instead of an IPv4 resource address configuration, in the upper right, select the IPv6 radio button.
   The Edit Resources screen displays the IPv6 settings.
9. In the Defined Resource Addresses table, click the Delete button to the right of the resource address configuration that you want to remove.
   The resource address configuration is removed from the Defined Resource Addresses table.

Configure User, Group, and Global Policies

The following sections provide information about configuring user, group, and global policies for SSL port forwarding:
• SSL Policies Overview
• View SSL VPN Policies
• Add an IPv4 or IPv6 SSL VPN Policy for a Network Resource
• Add an IPv4 or IPv6 SSL VPN Policy for a Single IP Address
• Add an IPv4 or IPv6 SSL VPN Policy for an IP Network
• Add an IPv4 or IPv6 SSL VPN Policy for All Addresses
• Change an IPv4 or IPv6 SSL VPN Policy
• Remove One or More IPv4 or IPv6 SSL VPN Policies

SSL Policies Overview

You can define and apply user, group, and global policies to predefined network resource objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN services (VPN tunnels and port forwarding configurations). A specific hierarchy is invoked over which policies take precedence. The VPN firewall SSL policy hierarchy is as follows:
• User policies take precedence over group policies.
• Group policies take precedence over global policies.
• If two or more user, group, or global policies are configured, the most specific policy takes precedence.

For example, a policy that is configured for a single IP address takes precedence over a policy that is configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy that applies to all IP addresses. If two or more IP address ranges are configured, the smallest address range takes precedence. Host names are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges.
However, the prioritization is based on the individual address or address range, not the entire network resource.

For example, assume the following global policy configuration:
• Policy 1. A Deny rule blocks all services to the IP address range 10.0.0.0–10.0.0.255.
• Policy 2. A Deny rule blocks FTP access to 10.0.1.2–10.0.1.10.
• Policy 3. A Permit rule allows FTP access to the predefined network resource with the name FTP Servers. The FTP Servers network resource includes the following addresses: 10.0.0.5–10.0.0.20 and the FQDN ftp.company.com, which resolves to 10.0.1.3.

Assuming that no conflicting user or group policies are configured, if a user attempts to access FTP servers at the following addresses, the following actions occur:
• 10.0.0.1. The user is blocked by Policy 1.
• 10.0.1.5. The user is blocked by Policy 2.
• 10.0.0.10. The user is granted access by Policy 3. The IP address range 10.0.0.5–10.0.0.20 is more specific than the IP address range that is defined in Policy 1.
• ftp.company.com. The user is granted access by Policy 3. A single host name is more specific than the IP address range that is configured in Policy 2.

Note: In this scenario, the user cannot access ftp.company.com using its IP address 10.0.1.3. The VPN firewall’s policy engine does not perform reverse DNS lookups.

View SSL VPN Policies

The following procedure describes how to view global, group, and user policies.

To view SSL VPN policies:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN.
   The SSL VPN submenu tabs display with the Policies screen in view. The following figure shows examples.
7. In the Query section, select a radio button:
   • Global. View all global policies.
   • Group. To view group policies:
     a. Select the Group radio button.
     b. From the menu, select a user group.
   • User. To view user policies:
     a. Select the User radio button.
     b. From the menu, select a user.
8. Click the Display button.
   The List of SSL VPN Policies table displays the list for your selected query option. The Related Policies Table displays global policies that might affect group and user policies.

Add an IPv4 or IPv6 SSL VPN Policy for a Network Resource

The following procedure describes how to add an SSL policy for an existing network resource.

Note: Before you can add an SSL policy for a network resource, you must create the network resource (see Manage Network Resource Objects to Simplify Policies on page 467).
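The precedence rules and the FTP example from SSL Policies Overview decide how a policy added for a network resource interacts with the policies that already exist. The following Python model of those rules is an added illustration, not NETGEAR firmware code; the names Policy, match_size, decide, and the DNS table are hypothetical, and the forward lookup of a typed host name and the tie order are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

RANK = {"user": 0, "group": 1, "global": 2}  # lower rank takes precedence

def ip(s):
    return int(ipaddress.ip_address(s))

@dataclass
class Policy:
    name: str
    scope: str              # "user", "group" or "global"
    permission: str         # "permit" or "deny"
    service: Optional[str]  # None = all services
    targets: list           # (first_ip, last_ip) tuples and/or host-name strings

def match_size(policy, typed, resolved):
    """Size of the smallest target in the policy that matches, else None."""
    sizes = []
    for t in policy.targets:
        if isinstance(t, str):
            # Host name: matches only the name as typed (no reverse DNS), size 1.
            if t.lower() == typed.lower():
                sizes.append(1)
        elif resolved is not None and ip(t[0]) <= resolved <= ip(t[1]):
            sizes.append(ip(t[1]) - ip(t[0]) + 1)
    return min(sizes, default=None)

def decide(policies, typed, service, dns=None):
    """Return (policy name, permission) of the winning policy, or None."""
    try:
        resolved = ip(typed)
    except ValueError:
        addr = (dns or {}).get(typed.lower())  # forward lookup (assumption)
        resolved = ip(addr) if addr else None
    matches = []
    for p in policies:
        if p.service in (None, service):
            size = match_size(p, typed, resolved)
            if size is not None:
                matches.append((RANK[p.scope], size, p))
    # Scope first, then smallest range. Tie order is an assumption: first listed.
    win = min(matches, key=lambda m: m[:2], default=None)
    return (win[2].name, win[2].permission) if win else None

# Constructed from the manual's example; DNS is a stand-in resolver table.
POLICIES = [
    Policy("Policy 1", "global", "deny", None, [("10.0.0.0", "10.0.0.255")]),
    Policy("Policy 2", "global", "deny", "ftp", [("10.0.1.2", "10.0.1.10")]),
    Policy("Policy 3", "global", "permit", "ftp", [("10.0.0.5", "10.0.0.20"), "ftp.company.com"]),
]
DNS = {"ftp.company.com": "10.0.1.3"}
```

Calling decide(POLICIES, "10.0.1.3", "ftp", DNS) returns ("Policy 2", "deny") while the same call with "ftp.company.com" returns ("Policy 3", "permit"), which is the behavior the note about reverse DNS lookups describes.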
To add an SSL policy for an existing network resource:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN.
   The SSL VPN submenu tabs display with the Policies screen in view.
7. Under the List of SSL VPN Policies table, click the Add button.
   The Add SSL VPN Policy screen displays the IPv4 settings.
8. To add an IPv6 SSL policy instead of an IPv4 SSL policy, in the upper right select the IPv6 radio button.
   The Add SSL VPN Policy screen displays the IPv6 settings. Except for the IPv6 Prefix Length field, which is the Subnet Mask field on the screen for IPv4, the IPv6 screen is identical to the IPv4 screen.
9. Enter the settings as described in the following table.

Setting | Description
Policy For | Select the type of SSL VPN policy:
  • Global. The new policy is global and includes all groups and users.
  • Group. The new policy must be limited to a single group. From the menu, select a group name. For information about how to create groups, see Manage Authentication Groups on page 494.
  • User. The new policy must be limited to a single user. From the menu, select a user name. For information about how to create user accounts, see Manage User Accounts on page 498.
Add SSL VPN Policies
Apply Policy to? | Select the Network Resource radio button. The policy applies to a network resource. The screen adjusts to make the associated fields and menus available; fields and menus that do not apply are masked out.
Policy Name | A descriptive name of the SSL VPN policy for identification and management purposes.
Defined Resources | From the menu, select a network resource that you must have defined on the Resources screen (see Manage Network Resource Objects to Simplify Policies on page 467).
Permission | From the menu, select Permit or Deny to specify whether the policy permits or denies access.

10. Click the Apply button.
    Your settings are saved. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately.

Note: If you have configured SSL VPN user policies, make sure that secure HTTP remote management is enabled (see Set Up Remote Management Access on page 534). If secure HTTP remote management is not enabled, all SSL VPN user connections are disabled.

Add an IPv4 or IPv6 SSL VPN Policy for a Single IP Address

The following procedure describes how to add an SSL policy for a single IP address.

To add an SSL policy for a single IP address:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process.
   The VPN firewall factory default IP address is 192.168.1.1.
   The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
   For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain.
   If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button.
   The Router Status screen displays.
6. Select VPN > SSL VPN.
   The SSL VPN submenu tabs display with the Policies screen in view.
7. Under the List of SSL VPN Policies table, click the Add button.
   The Add SSL VPN Policy screen displays the IPv4 settings.
8. To add an IPv6 SSL policy instead of an IPv4 SSL policy, in the upper right select the IPv6 radio button.
   The Add SSL VPN Policy screen displays the IPv6 settings. Except for the IPv6 Prefix Length field, which is the Subnet Mask field on the screen for IPv4, the IPv6 screen is identical to the IPv4 screen.