Netgear VPN Firewall FVS336Gv2 Reference Manual
System Logs and Error Messages 659 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Source MAC Filter Logs

Table 47. Other event logs: source MAC filter logs

Message:
2000 Jan 1 06:40:10 [FVS336Gv2] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0

Explanation:
Because MAC address 00:12:3f:34:41:14 of the LAN host with IP address 192.168.11.3 is filtered so that it cannot access the Internet, the packets sent by this MAC address to the Google server at address 209.85.153.103 are dropped.

Recommended action:
Disable source MAC filtering.

Bandwidth Limit Logs

Table 48. Other event logs: bandwidth limit, outbound bandwidth profile

Message:
2000 Jan 1 00:10:36 [FVS336Gv2] [kernel] [BW_LIMIT_DROP] IN=LAN OUT= WAN SRC=192.168.100.2 DST=22.0.0.2 PROTO=ICMP TYPE=144 CODE=145 TC_INDEX=10 CLASSID=10:5

Explanation:
This log is generated when an outbound packet is dropped because the packet size exceeds the specified bandwidth limit.

Recommended action:
Ensure that the packet size is within the specified bandwidth limit.

Table 49. Other event logs: bandwidth limit, inbound bandwidth profile

Message:
2000 Jan 1 00:08:21 [FVS336Gv2] [kernel] [BW_LIMIT_DROP] IN=LAN OUT= WAN SRC=22.0.0.2 DST=192.168.100.2 PROTO=ICMP TYPE=112 CODE=113 TC_INDEX=10 CLASSID=10:2

Explanation:
This log is generated when an inbound packet is dropped because the packet size exceeds the specified bandwidth limit.

Recommended action:
Ensure that the packet size is within the specified bandwidth limit.
DHCP Logs

This section explains the log messages that are generated when a host is assigned a dynamic IP address. These messages are displayed on the DHCP Log screen (see View the DHCP Log on page 601).

Table 50. DHCP logs

Message 1:
2000 Jan 1 07:27:28 [FVS336Gv2] [dhcpd] Listening on LPF/eth0.1/00:11:22:78:89:90/192.168.11/24

Message 2:
2000 Jan 1 07:27:37 [FVS336Gv2] [dhcpd] DHCPRELEASE of 192.168.10.2 from 00:0f:1f:8f:7c:4a via eth0.1 (not found)

Message 3:
2000 Jan 1 07:27:47 [FVS336Gv2] [dhcpd] DHCPDISCOVER from 00:0f:1f:8f:7c:4a via eth0.1

Message 4:
2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPOFFER on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1

Message 5:
2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] Wrote 2 leases to leases file.

Message 6:
2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPREQUEST for 192.168.11.2 (192.168.11.1) from 00:0f:1f:8f:7c:4a via eth0.1

Message 7:
2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPACK on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1

Explanation:
Message 1: The DHCP server is listening on eth0.1.
Message 2: Release of the currently assigned IP address from the host by the DHCP server.
Message 3: The DHCP broadcast by the host is discovered by the DHCP server.
Message 4: The DHCP server offers a new IP address to the host’s current network interface.
Message 5: Two new leases are written to the lease file.
Message 6: The host requests that DHCP assign the new IP address.
Message 7: DHCP acknowledgment to the current network interface from the server on assignment of the new IP address.

Recommended action:
None
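The messages in Tables 47 through 50 share one prefix (timestamp, device name, process in square brackets) followed either by kernel key=value fields or by dhcpd lease text. The Python below is an added example, not part of this manual and not NETGEAR software: it parses that prefix, extracts the kernel fields and the dhcpd message type, IP, MAC and interface, counts dropped packets per source address, and uses DHCPACK and DHCPRELEASE messages to name the MAC that currently holds the lease for a dropped source IP. The sample log is constructed after the formats shown above; the DHCPACK for 192.168.11.3 is invented so that the filtered host can be matched to a lease, and the field names (event, action, fields) are my own.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the message formats in Tables 47 to 50
# (not captured from a real device; the DHCPACK for 192.168.11.3 is invented
# so that a filtered host can be matched to its lease).
SAMPLE_LOG = """\
2000 Jan 1 07:27:28 [FVS336Gv2] [dhcpd] Listening on LPF/eth0.1/00:11:22:78:89:90/192.168.11/24
2000 Jan 1 07:27:37 [FVS336Gv2] [dhcpd] DHCPRELEASE of 192.168.10.2 from 00:0f:1f:8f:7c:4a via eth0.1 (not found)
2000 Jan 1 07:27:47 [FVS336Gv2] [dhcpd] DHCPDISCOVER from 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPOFFER on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPREQUEST for 192.168.11.2 (192.168.11.1) from 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 07:27:48 [FVS336Gv2] [dhcpd] DHCPACK on 192.168.11.2 to 00:0f:1f:8f:7c:4a via eth0.1
2000 Jan 1 06:39:50 [FVS336Gv2] [dhcpd] DHCPACK on 192.168.11.3 to 00:12:3f:34:41:14 via eth0.1
2000 Jan 1 06:40:10 [FVS336Gv2] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0
2000 Jan 1 06:40:11 [FVS336Gv2] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PROTO=ICMP TYPE=8 CODE=0
2000 Jan 1 00:10:36 [FVS336Gv2] [kernel] [BW_LIMIT_DROP] IN=LAN OUT= WAN SRC=192.168.100.2 DST=22.0.0.2 PROTO=ICMP TYPE=144 CODE=145 TC_INDEX=10 CLASSID=10:5
"""

# Common prefix: "<timestamp> [<device>] [<process>] <message>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"\[(?P<device>[^\]]+)\] \[(?P<proc>[^\]]+)\] (?P<msg>.*)$"
)
# Kernel event tag, written either as "SRC_MAC_MATCH[DROP]" or as "[BW_LIMIT_DROP]"
TAG_RE = re.compile(r"\[?([A-Z_]+)\]?(?:\[([A-Z]+)\])?")
# key=value fields; the device writes "OUT= WAN" with a space after the '='
KV_RE = re.compile(r"(\w+)=\s?(\S*)")
MAC_RE = re.compile(r"SRC MAC = ([0-9a-f:]{17})", re.I)
# dhcpd message: "<TYPE> [on|for|of <ip>] [(<server>)] to|from <mac> via <iface>"
DHCP_RE = re.compile(
    r"^(?P<type>DHCP[A-Z]+)(?: (?:on|for|of) (?P<ip>\d+(?:\.\d+){3}))?"
    r"(?: \([^)]*\))? (?:to|from) (?P<mac>[0-9a-f:]{17}) via (?P<iface>\S+)",
    re.I,
)


def parse_line(line):
    """Return ts/device/proc/msg for any line and, when recognised, event/action/fields."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    if rec["proc"] == "kernel":
        tag = TAG_RE.match(msg)
        if tag:
            rec["event"] = tag.group(1)
            rec["action"] = tag.group(2) or ("DROP" if tag.group(1).endswith("DROP") else None)
            rec["fields"] = dict(KV_RE.findall(msg))
            mac = MAC_RE.search(msg)
            if mac:
                rec["fields"]["SRC_MAC"] = mac.group(1).lower()
    elif rec["proc"] == "dhcpd":
        d = DHCP_RE.match(msg)
        if d:
            rec["event"] = d.group("type").upper()
            rec["fields"] = {k: v for k, v in d.groupdict().items() if k != "type" and v}
    return rec


def summarize(text):
    """Count drops per (event, source IP) and map each dropped source IP to its lease holder."""
    drops = Counter()   # (event, source IP) -> dropped packets
    leases = {}         # IP -> MAC from the latest DHCPACK, removed again on DHCPRELEASE
    unparsed = []       # lines the parser recognised no event in (e.g. "Listening on ...")
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "event" not in rec:
            unparsed.append(line)
            continue
        f = rec["fields"]
        if rec["proc"] == "kernel" and rec["action"] == "DROP":
            drops[(rec["event"], f.get("SRC"))] += 1
        elif rec["event"] == "DHCPACK":
            leases[f["ip"]] = f["mac"].lower()
        elif rec["event"] == "DHCPRELEASE":
            leases.pop(f.get("ip"), None)
    attributed = {ip: leases.get(ip) for _, ip in drops}
    return {"drops": drops, "leases": leases, "attributed": attributed, "unparsed": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (event, ip), n in result["drops"].items():
        print(f"{event}: {n} packet(s) dropped from {ip}, lease holder {result['attributed'][ip]}")
```

Feeding the output of `summarize` into a SIEM or a nightly report turns the per-packet drop messages into one line per filtered host, and a source IP with no lease holder (here 192.168.100.2, which never received a DHCPACK) stands out as a statically addressed or unknown device worth a look.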
Appendix C. Two-Factor Authentication

This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution. The appendix contains the following sections:
• Why Do I Need Two-Factor Authentication?
• NETGEAR Two-Factor Authentication Solutions
Why Do I Need Two-Factor Authentication?

This section includes the following topics:
• What Are the Benefits of Two-Factor Authentication?
• What Is Two-Factor Authentication?

In today’s market, online identity theft and online fraud continue to be among the fastest-growing cybercrime activities used by many unethical hackers and cybercriminals to steal digital assets for financial gain. Many companies and corporations are losing millions of dollars and running the risk of revealing their trade secrets and other proprietary information as a result of these cybercrime activities. Security threats and hackers have become more sophisticated, and user names, encrypted passwords, and the presence of firewalls are no longer enough to protect networks from being compromised. IT professionals and security experts have recognized the need to go beyond the traditional authentication process by introducing and requiring additional factors in the authentication process.

NETGEAR has also recognized the need to provide more than just a firewall to protect networks. NETGEAR has implemented a more robust authentication system known as two-factor authentication (2FA or T-FA) to help address the fast-growing network security issues.

What Are the Benefits of Two-Factor Authentication?

The following are the benefits of two-factor authentication:
• Stronger security. Passwords cannot efficiently protect corporate networks because attackers can easily guess simple passwords, and users cannot remember complex and unique passwords. A one-time passcode (OTP) strengthens security and replaces the need to remember complex passwords.
• No need to replace existing hardware. Two-factor authentication can be added to existing NETGEAR products through a firmware upgrade.
• Quick to deploy and manage. The WiKID solution integrates seamlessly with the NETGEAR SSL and VPN firewall products.
• Proven regulatory compliance. Two-factor authentication is used as a mandatory authentication process for many corporations and enterprises worldwide.

What Is Two-Factor Authentication?

Two-factor authentication is a security solution that enhances and strengthens security by implementing multiple factors in the authentication process that challenge and confirm the users’ identities before they can gain access to the network. Several factors can validate a user:
• Something the user knows—for example, a password or PIN.
• Something the user possesses—for example, a token with a generated passcode that is six to eight digits in length.
• Something the user is—for example, biometrics such as a fingerprint or retinal print.

This appendix focuses on and discusses only the first two factors, something you know and something you have. This security method can be viewed as a two-tiered authentication approach because it typically relies on what you know and what you have. A common example of two-factor authentication is a bank (ATM) card that is issued by a banking institution:
• The PIN to access your account is something the user knows.
• The ATM card is something the user has.

You must have both of these factors to gain access to your bank account. Similar to the way ATM cards work, access to corporate networks and data can also be strengthened using a combination of multiple factors such as a PIN and a token (hardware or software) to validate users and reduce the incidence of online identity theft.

NETGEAR Two-Factor Authentication Solutions

NETGEAR has implemented 2 two-factor authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now can use WiKID to perform two-factor authentication on NETGEAR SSL and VPN firewall products. The WiKID solution is based on a request-response architecture in which a one-time passcode (OTP), time-synchronized with the authentication server, is generated and sent to the user after the server confirms the validity of the user’s credential. The request-response architecture is capable of self-service initialization by end users, dramatically reducing implementation and maintenance costs. Here is an example of how WiKID works.

To use WiKID (for end users):
1. On your computer, launch the WiKID token software.
2. Enter the PIN (“something the user knows”).
3. Click the Continue button.
The WiKID authentication server generates the one-time passcode (“something the user has”). The one-time passcode (OTP) is time-synchronized to the authentication server so that you can use the OTP only once, and you must use the OTP before the expiration time. If you do not use this passcode before it expires, you must go through the request process again to generate a new OTP.
4. Click the Continue button.
5. The 2 Factor Authentication login screen displays.
6. Enter the OTP as the login password.
7. Click the Login button.
You are logged in.
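The request-response flow in steps 1 through 7 (the server checks the PIN, issues a time-limited one-time passcode, and then accepts that passcode exactly once as the login password) can be modelled in a few dozen lines. The Python below is an added illustration written for this page; it is not WiKID’s or NETGEAR’s code and does not claim to be their protocol. The OTP lifetime, the PBKDF2 storage of the PIN, the limit on wrong passcode attempts, and the user name and PIN are all assumptions chosen for the example. What it shows is why the two properties stated in the text (time-synchronized, single use) matter: a replayed passcode, a stale passcode, and a passcode issued without the correct PIN are all refused.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters: the appendix states no fixed values for any of these
OTP_LIFETIME_SECONDS = 60   # how long an issued passcode stays valid
OTP_DIGITS = 6              # inside the six-to-eight-digit range the appendix mentions
MAX_OTP_ATTEMPTS = 3        # wrong guesses before the outstanding passcode is voided
PIN_KDF_ITERATIONS = 50_000


@dataclass
class IssuedOtp:
    digest: bytes        # hash of the passcode; the clear value is only held by the user
    expires_at: float    # absolute time after which the passcode is dead
    used: bool = False   # set on first successful login
    failures: int = 0    # wrong attempts against this passcode so far


class OtpServer:
    """Toy request-response authentication server: PIN in, OTP out, OTP accepted once."""

    def __init__(self):
        self._pins = {}   # user -> (salt, PBKDF2 hash of the PIN)
        self._otps = {}   # user -> IssuedOtp currently outstanding

    @staticmethod
    def _kdf(salt, value):
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PIN_KDF_ITERATIONS)

    def enroll(self, user, pin):
        salt = secrets.token_bytes(16)
        self._pins[user] = (salt, self._kdf(salt, pin))

    def request_otp(self, user, pin, now=None):
        """Factor 1, something the user knows: verify the PIN, then issue a fresh passcode."""
        now = time.time() if now is None else now
        # Unknown user and wrong PIN take the same path (dummy salt/hash keeps timing similar)
        salt, expected = self._pins.get(user, (b"\x00" * 16, b"\x00" * 32))
        if not hmac.compare_digest(expected, self._kdf(salt, pin)):
            return None
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._otps[user] = IssuedOtp(hashlib.sha256(otp.encode()).digest(),
                                     now + OTP_LIFETIME_SECONDS)
        return otp

    def login(self, user, otp, now=None):
        """Factor 2, something the user has: accept the passcode once, before it expires."""
        now = time.time() if now is None else now
        issued = self._otps.get(user)
        if issued is None or issued.used or now >= issued.expires_at:
            return False
        if not hmac.compare_digest(issued.digest, hashlib.sha256(otp.encode()).digest()):
            issued.failures += 1
            if issued.failures >= MAX_OTP_ATTEMPTS:
                del self._otps[user]   # void the passcode rather than let it be guessed
            return False
        issued.used = True
        return True


def run_flow():
    """Walk the appendix's steps with a constructed user and PIN; report which checks held."""
    server = OtpServer()
    server.enroll("alice", "2468")          # constructed enrolment, not a real account
    t0 = 1_700_000_000.0                    # fixed clock so the run is reproducible
    denied = server.request_otp("alice", "0000", now=t0) is None   # wrong PIN: no OTP
    otp = server.request_otp("alice", "2468", now=t0)              # steps 2 and 3
    first = server.login("alice", otp, now=t0 + 5)                 # steps 6 and 7
    replay = server.login("alice", otp, now=t0 + 6)                # same OTP again
    otp2 = server.request_otp("alice", "2468", now=t0 + 10)        # new request
    stale = server.login("alice", otp2, now=t0 + 10 + OTP_LIFETIME_SECONDS)
    return {"wrong_pin_denied": denied, "first_login": first,
            "replay_rejected": not replay, "expired_rejected": not stale}


if __name__ == "__main__":
    print(run_flow())
```

The clock is passed in explicitly so the expiry path can be exercised deterministically; in a real deployment the server’s own clock is used, which is exactly why the text stresses that the token and the server must be time-synchronized.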
Appendix D. Default Settings and Technical Specifications

This appendix provides the default settings and the physical and technical specifications of the VPN firewall in the following sections:
• Factory Default Settings
• Physical and Technical Specifications
Factory Default Settings

For information about restoring the VPN firewall to factory default settings, see Revert to Factory Default Settings on page 551. The following table shows the default configuration settings for the VPN firewall:

Table 51. VPN firewall factory default configuration settings (Feature: Default Behavior)

Login settings
  User login URL: https://192.168.1.1
  Administrator user name (case-sensitive): admin
  Administrator login password (case-sensitive): password
  Guest user name (case-sensitive): guest
  Guest login password (case-sensitive): password

WAN settings
  WAN IPv4 mode (all WAN interfaces): NAT
  WAN IPv4 load balancing settings (all WAN interfaces): Primary WAN mode
  WAN IPv6 mode (all WAN interfaces): IPv4 only mode
  Stateless IP/ICMP Translation (SIIT): Disabled
  WAN MAC address (all WAN interfaces): Use default MAC addresses of the VPN firewall.
  WAN MTU size (all WAN interfaces): 1500 bytes (1492 bytes for PPPoE connections)
  Port speed (all WAN interfaces): AutoSense
  Secondary IPv4 WAN addresses: None
  Dynamic DNS for IPv4: Disabled
  WAN QoS profiles for IPv4: None
Table 51. VPN firewall factory default configuration settings (continued) (Feature: Default Behavior)

IPv4 LAN, DMZ, and routing settings
  LAN IPv4 address for the default VLAN: 192.168.1.1
  LAN IPv4 subnet mask for the default VLAN: 255.255.255.0
  VLAN 1 membership: All ports
  LAN DHCP server for the default VLAN: Enabled
  LAN DHCP IPv4 starting address for the default VLAN: 192.168.1.100
  LAN DHCP IPv4 ending address for the default VLAN: 192.168.1.254
  VLAN MAC addresses: All LAN ports share the same MAC address.
  Broadcast of ARP packets: Enabled for the default VLAN
  DMZ port for IPv4: Disabled
  DMZ IPv4 address (Port 4): 172.16.2.1
  DMZ IPv4 subnet mask (Port 4): 255.255.255.0
  DMZ DHCP server: Disabled
  DMZ DHCP IPv4 starting address: 176.16.2.100
  DMZ DHCP IPv4 ending address: 176.16.2.254
  RIP direction: None
  RIP version: Disabled
  RIP authentication: Disabled

IPv6 LAN and DMZ settings
  LAN IPv6 address: fec0::1
  LAN IPv6 prefix length: 64
  LAN DHCPv6 server: Disabled
  DMZ port for IPv6: Disabled
  DMZ IPv6 address (Port 4): 176::1
  DMZ IPv6 prefix length (Port 4): 64
  DMZ DHCPv6 server: Disabled