NETGEAR CONFIDENTIAL
FVX538
ProSafe VPN Firewall 200
NETGEAR CONFIDENTIAL
Main Features
• 8 10/100 ports and 1 gigabit LAN port.
• One console port.
• SNMP support (optimized for NMS100) – SNMPv2.
• QoS traffic prioritization.
• Hardware DMZ.
• Security co-processor for optimized throughput performance, 90+ Mbps WAN-LAN and up to 100 Mbps 3DES throughput.
• SPI Firewall and multi-NAT.
• Support 200 VPN tunnels.
• Includes VPN client software with 5-users license.
• Rack-mountable.
• Future upgradability to SSL VPN, IDS, Anti-virus, anti-spam and anti-spyware security measures.
NETGEAR CONFIDENTIAL
ProSafe Firewalls ComparisonFeature FVS318 v3 FVS338 FVL328 FVX538
VPN Tunnels 8 50 100 200WAN-to-LAN throughput 12. 5 Mbps 90+ Mbps 54 Mbps 90+ Mbps
3DES Throughput 1.2 Mbps 60+ Mbps 15 Mbps 90+ MbpsLAN Ports (8)10/100 LAN (8)10/100 LAN (8) 10/100 LAN (8) 10/100 LAN, (1) Gigabit LANWAN Ports (1)10/100Mbps WAN (1)10/100Mbps WAN (1)10/100Mbps WAN (2)10/100Mbps WANSerial port no yes, for analog backup no yes, console port for local mgmtEncryption DES, 3DES, AES DES, 3DES, AES DES, 3DES DES, 3DES, AES
Encryption Method Hardware for 3DES Hardware Hardware HardwareQoS no yes no yes
SNMP no yes no yesSIP aware no future upgrade no future upgradeSSL VPN no no no future upgrade
Digital Certificate Support yes yes yes yesNAT On/Off no yes yes yesMultNAT no yes yes yes
Other VPN01L included VPN05L includedCLI no yes no yes
Rack mountable no no no yesICSA Firewall yes in testing yes in testing
VPNC certifiable yes yes yes yesUS List Price $157 $278 $418 $557
Average Catalog $109 $199 $249 $399
NETGEAR CONFIDENTIAL
Front Panel
NETGEAR CONFIDENTIAL
Rear Panel
NETGEAR CONFIDENTIAL
Bottom Label
NETGEAR CONFIDENTIAL
Console - CLI
NETGEAR CONFIDENTIAL
GUI
NETGEAR CONFIDENTIAL
http://192.168.1.1
• Username: admin
• Password: password
NETGEAR CONFIDENTIAL
WAN Setup – WAN 1 ISP
NETGEAR CONFIDENTIAL
Setup Wizard
NETGEAR CONFIDENTIAL
WAN Status
NETGEAR CONFIDENTIAL
WAN Setup – WAN 2 ISP
NETGEAR CONFIDENTIAL
WAN Setup - Mode
NETGEAR CONFIDENTIAL
WAN Setup – Protocol Binding
NETGEAR CONFIDENTIAL
WAN Setup - Options
28Kbps to 100Mbps
NETGEAR CONFIDENTIAL
WAN Setup – Dynamic DNS
NETGEAR CONFIDENTIAL
WAN Setup – Traffic Meter
NETGEAR CONFIDENTIAL
WAN Setup – Traffic Meter
Statistic by Protocol
NETGEAR CONFIDENTIAL
Security – Groups and Hosts
NETGEAR CONFIDENTIAL
Security – Groups and Hosts
Add
NETGEAR CONFIDENTIAL
Security – Groups and Hosts
Edit Group Names
NETGEAR CONFIDENTIAL
Security – Source MAC Filter
NETGEAR CONFIDENTIAL
Security – Block Sites
NETGEAR CONFIDENTIAL
Security – Rules
NETGEAR CONFIDENTIAL
Security – Rules – Outbound Services
NETGEAR CONFIDENTIAL
Security – Rules – Inbound Services
NETGEAR CONFIDENTIAL
Security - Services
NETGEAR CONFIDENTIAL
Security - Schedule
NETGEAR CONFIDENTIAL
Security – Logs and Emails
NETGEAR CONFIDENTIAL
Security – View Log
NETGEAR CONFIDENTIAL
Security – Logs and Emails
Email Logs and Syslog
NETGEAR CONFIDENTIAL
VPN – VPN Wizard Box-to-box
NETGEAR CONFIDENTIAL
VPN – VPN Wizard Box-to-box
Result:
NETGEAR CONFIDENTIAL
VPN – VPN Wizard Client-to-box
NETGEAR CONFIDENTIAL
VPN – VPN Wizard Client-to-box
NETGEAR CONFIDENTIAL
VPN – VPN Status
NETGEAR CONFIDENTIAL
VPN – IKE Policies
NETGEAR CONFIDENTIAL
VPN – IKE Policies - Add
NETGEAR CONFIDENTIAL
VPN – VPN Policies
NETGEAR CONFIDENTIAL
VPN – VPN Policies – Add Auto Policy
NETGEAR CONFIDENTIAL
VPN – VPN Policies – Add Manual Policy
NETGEAR CONFIDENTIAL
VPN - CAs
NETGEAR CONFIDENTIAL
VPN - Certificates
NETGEAR CONFIDENTIAL
VPN - CRL
NETGEAR CONFIDENTIAL
Maintenance – Router Status
NETGEAR CONFIDENTIAL
Maintenance – Router Status
Show Statistics
NETGEAR CONFIDENTIAL
Maintenance – Set Password
NETGEAR CONFIDENTIAL
Maintenance – Remote management
NETGEAR CONFIDENTIAL
Maintenance - SNMP
NETGEAR CONFIDENTIAL
Maintenance - Diagnostics
NETGEAR CONFIDENTIAL
Maintenance – Backup Settings
NETGEAR CONFIDENTIAL
Maintenance – Router Upgrade
NETGEAR CONFIDENTIAL
Advanced – LAN Setup
NETGEAR CONFIDENTIAL
Advanced – LAN Setups
Multi-Home LAN IP Setups
NETGEAR CONFIDENTIAL
Advanced – DMZ Setups
NETGEAR CONFIDENTIAL
Port Triggering
Once configured, operation is as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. This Router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PCs request, and responds using a different port number.
4. This Router matches the response to the previous request, and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)
NETGEAR CONFIDENTIAL
Port Triggering
Note
• Only 1 PC can use a "Port Triggering" application at any time.
• After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
• Normally for games and chat.
NETGEAR CONFIDENTIAL
Advanced – Port Triggering
NETGEAR CONFIDENTIAL
Advanced – Static Routes
NETGEAR CONFIDENTIAL
Knowledge Base / Documentation
NETGEAR CONFIDENTIAL
Troubleshooting
NETGEAR CONFIDENTIAL
FAQ#1
• How does the FVX538 support QoS?
• The FVS538 prioritizes the routing of a packet through the router according to the TOS bit in the packet’s layer3 header. For a particular service, you can override the packet’s specified priority by selecting a different priority in the Services menu, Inbound rules or Outbound Rules. Changing the priority setting will affect the priority given to the packet by the router, but will not actually alter the TOS bits in the packet.
NETGEAR CONFIDENTIAL
FAQ#2
• When I use load balancing through two ISPs, I have problems sending email, getting DNS, or using my ISP’s news server.
• When your ISP provides services such as email, DNS, or newsgroups, it may require that requests for service originate from an IP address within its domain. If you require one of these services from a particular ISP, you should use your router’s Protocol Binding feature to make sure your requests always use the WAN port connected to that ISP.
NETGEAR CONFIDENTIAL
FAQ#3
• My ISP has provided me with a range of public IP addresses. How can I assign them to servers behind the FVX538?
• When you configure the ISP Settings of your router, assign one IP address as the WAN address to be used by your PCs as the main NAT address for general traffic. In the DMZ Setup menu, you can assign the additional public IP addresses to individual PCs on either your LAN or DMZ (if you have activated port 8 as your DMZ port). To allow inbound traffic to reach one of these PCs, you must create an Inbound Rule for the desired service and set the rule’s Destination Address to the public IP address assigned to that PC.
NETGEAR CONFIDENTIAL
FAQ#4
• My ISP has provided me with a range of public IP addresses. How can I assign them to servers behind the FVX538?
• When you configure the ISP Settings of your router, assign one IP address as the WAN address to be used by your PCs as the main NAT address for general traffic. In the DMZ Setup menu, you can assign the additional public IP addresses to individual PCs on either your LAN or DMZ (if you have activated port 8 as your DMZ port). To allow inbound traffic to reach one of these PCs, you must create an Inbound Rule for the desired service and set the rule’s Destination Address to the public IP address assigned to that PC. (This feature cannot be used when load balancing is selected.)
NETGEAR CONFIDENTIAL
FAQ#5
• Is the VPN policy created by the VPN Wizard compatible to other Netgear VPN routers?
• The VPN Wizard will create a compatible configuration with our other products when using fixed IP addresses. When using FQDN, some modifications will be necessary after running the wizard. Please refer to our VPN application notes for detailed information.
NETGEAR CONFIDENTIAL
Known Issues at initial release
• VPN performance is low (about 25M).• Can’t make VPN using WAN2 when PPPoE.• Dynamic DNS configuration does not save.• Sometimes DHCP server stop after change LAN IP. Need to
reboot.• VPN wizard not compatible with other models when using
FQDN. Policy generated need to be edited in order to work with FVS328, FVL328.
• Upon fail-over, no alert or log entry occurs to notify user.• DMZ Setup – user must visit Groups and Hosts menu first
before PC will display.• VPN status menu – connect and drop button do not work.• VPN in PPPoE environment – can’t ping gateway’s LAN IP.• VPN policies created with VPN Wizard will not work if the
remote side is FQDN.
NETGEAR CONFIDENTIAL
Known issues at initial release• Statistics window does not correctly show line up or down.
Always said WAN port is up. The LED is correct.• CLI not supported, won’t save settings (READ-only). Console
get Linux OS shell. Need to type “cli” to login. Separate KB articles.
• Can access CLI/GUI by telnet using guest/password, can’t change password.
• Client-to-box VPN – need to append one to three characters after policy name.
• Logging entries are not useful.• Sometimes last VPN policy does not appear in menu.• Setup Wizard and Apply button can’t reliably detect or apply in
DHCP ISP environment. Dynamic or static. Manual setup works.
• Load-balancing protocol binding does not work. Bind an application to a particular WAN.
NETGEAR CONFIDENTIAL
Known issue at initial release
• Disabling a VPN policy does not drop an active tunnel.
• Can’t edit VPN policy to change LAN subnet.
• An attempt to access a blocked site is not logged.
NETGEAR CONFIDENTIAL
Fixes with firmware v1.6.12
• VPN throughput increased.
• Number of simultaneous sessions increased.
• Guest password can now be changed separately.
• Default gateway is now shown in routing table.
• Fixed: When WAN2 is primary and in PPPoE mode, VPN tunnel can’t pass trafic.
• Fixed: VPN traffic stops under heavy traffic.
• Remove One-to-one NAT table and Exposed Host, since these functions can be performed with inbound rules.