Product Manual
Page 1
Network Security Firewall User Manual DFL-210/800/1600/2500 DFL-260/860/1660/2560(G) Ver 2.27.01 Network Security Solution http://www.dlink.com
Page 3
...from time to time in this manual, nor any of the material contained herein, may be reproduced without the written consent of D-Link. Limitations of Liability UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR ...OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010...
Page 5
...Service Groups 88 3.2.6. ARP 108 3.4.1. Overview 108 3.4.2. ARP Advanced Settings Summary 113 3.5. Security Policies 116 3.5.2. Configuration Object Groups 122 3.6. Overview 132 3.8.2. Overview 142 4.2. Static Routing... Routing 143 4.2.2. OSPF Concepts 174 4.5.3. An OSPF Example 191 4.6. Schedules 126 3.7. Multicast Forwarding with SAT Multiplex Rules 195 4.6.3. User Manual 3.2.3. PPPoE 101 3.3.5. Host Monitoring for Route Failover 154 4.2.5. Interface Groups 107 3.4. Route Failover 151 4.2.4. OSPF Components 179 4.5.4. IGMP ...
Page 6
...attacks: Teardrop, Bonk, Boink and Nestea ...... 327 6.6.5. TCP SYN Flood Attacks 329 6.6.9. User Manual 4.7. Enabling Internet Access 211 4.7.3. Advanced Settings for D-Link Models 315 6.5.3. Overview 240 6.2.2. The FTP ALG 244 6.2.4. The PPTP ALG 264 6.2.8. The ... Overview 237 6.1.2. Web Content Filtering 292 6.3.1. Implementation 309 6.4.3. DoS Attack Mechanisms 326 6.6.3. Transparent Mode Scenarios 213 4.7.4. Security Mechanisms 237 6.1. Overview 326 6.6.2. Amplification attacks: Smurf, Papasmurf, Fraggle 328 6.6.8. The H.323 ALG 275 6.2.10. ...
Page 7
... Matches 351 7.4.7. The Local Database 357 8.2.3. HTTP Authentication 369 8.3. VPN ...377 9.1. IPsec LAN to LAN with Certificates 386 9.2.5. IPsec Components 391 9.3.1. PPTP/L2TP 425 9.5.1. User Manual 7. SAT and FwdFast Rules 352 8. External LDAP Servers 359 8.2.5. Key Distribution 379 9.1.5. VPN Quick Start 381 9.2.1. IPsec LAN to LAN with Pre-shared Keys 384...
Page 8
....1. HA Hardware Setup 487 11.3.2. SNMP 499 12.3.2. Limiting Bandwidth in NetDefendOS 445 10.1.3. Grouping 471 10.3.4. Overview 473 10.4.2. NetDefendOS Manual HA Setup 488 11.3.3. User Manual 9.7.2. Troubleshooting Certificates 437 9.7.3. The Importance of Traffic Shaping 459 10.1.10. SLB Distribution Algorithms 474 10.4.3. Setting Up SLB_SAT Rules 478....3.4. Upgrading an HA Cluster 493 11.6. HA Advanced Settings 495 12. Overview 497 12.2. ZoneDefense Switches 498 12.3. Threshold Rules 499 12.3.3. Manual Blocking and Exclude Lists 499 12.3.4.
Page 9
ICMP Level Settings 513 13.4. Length Limit Settings 518 13.7. Subscribing to Updates 527 B. Verified MIME filetypes 533 D. Local Fragment Reassembly Settings 524 13.9. TCP Level Settings 508 13.3. State Settings 514 13.5. IDP Signature Groups 529 C. The OSI Framework 537 Alphabetical Index 538 9 Miscellaneous Settings 525 A. Fragmentation Settings 520 13.8. User Manual 13.1. Connection Timeout Settings 516 13.6. IP Level Settings 504 13.2.
Page 11
Stickiness and Connection-rate 477 D.1. The 7 Layers of the OSI Model 537 11 Stickiness and Round-Robin 477 10.12. User Manual 10.10. Connections from Three Clients 476 10.11.
Page 12
...Protocol Service 88 3.10. Creating an Interface Group 107 3.13. Defining a Static ARP Entry 110 3.16. Uploading a Certificate 130 3.19. Manually Triggering a Time Synchronization 135 3.25. Modifying the Maximum Adjustment Value 135 3.26. Add OSPF Interface Objects 192 4.10. Enabling SSH Remote Access...System 74 2.16. Forcing Time Synchronization 136 3.27. Creating the Route 162 4.5. Flushing the ARP Cache 109 3.15. Enabling the D-Link NTP Server 136 3.28. Exporting the Default Route into the Main Routing Table 192 4.11. Editing a Configuration Object 51 2.6. Adding ...
Page 13
...Mode with an ALG 248 6.3. Setting up an L2TP server 427 9.12. Applying a Simple Bandwidth Limit 447 10.2. Protecting Phones Behind NetDefend Firewalls 277 6.5. Stripping ActiveX and Java applets 293 6.14. Adding a NAT Rule 337 7.2. Enabling Traffic to the Whitelist 332 7.1. ...List 404 9.4. Setting up a DHCP server 225 5.2. Protecting FTP Clients 251 6.4. Enabling Dynamic Web Content Filtering 297 6.16. User Manual 4.14. if1 Configuration 202 4.16. Group Translation 203 4.17. Setting up IDP for roaming clients 409 9.6. Setting up an ...
Page 14
... (some basic knowledge of management user interfaces. This is deliberate and is done because the manual deals specifically with alphabetical lookup of the product is designated by being stressed it will appear ... NetDefendOS operating system. Where a "See chapter/section" link (such as: see Chapter 9, VPN) is being introduced for configuring and managing NetDefend Firewalls which are shown in the table of contents at...have a choice of networks and network security. Where console interaction is broken down into chapters and sub-sections. Example Notation Information about ...
Page 30
... automatically by NetDefendOS to the NetDefend model as follows: • On the NetDefend DFL-210, 260, 800, 860, 1600 ...NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is recommended) and point the browser at the address 192.168.1.1. The Web Interface Chapter 2. This allows the administrator to succeed so the connecting interface of a Default IP Address For a new D-Link NetDefend firewall with NetDefendOS secure... the Workstation IP The assigned NetDefend Firewall interface and the workstation interface must be manually given the following static IP ...
Page 32
Manually update or schedule updates of the configuration to your local computer or restore a previously downloaded backup. • Reset - This option provides the option to download a ...
Page 41
... these are detailed in the following sections. The D-Link recommended convention is a predefined sequence of CLI commands which can be executed after they can forcibly terminate another management session using Secure Copy (SCP). SCP uploading is the tool used...Access local (none) 0.0.0.0 local console admin If the user has full administrator privileges, they are saved to the NetDefend Firewall. The filename, including the extension, should not be stored in the CLI Reference Guide. 2.1.5. Script files must... Commands are Allowed in Scripts The commands allowed in this manual.
Page 102
As with any interface, one or more routes are then manually entered into client computers. User authentication If user authentication is required by the ISP, the username and password can be used as the local IP ... be configured to use a service name to the PPPoE server as the IP address of a single IP address which is originated or NATed by the NetDefend Firewall. Unnumbered PPPoE When NetDefendOS acts as the IP address of another IP address to the PPPoE client at the time it as the "preferred...
Page 104
...not be specified for the communication and is the IP address of the inside of data integrity. This allows more than one GRE tunnel to manually create the required route. 104 This provides an extra check of the tunnel on traffic going through a network device which the GRE tunnel ...will be checked in itself, secure. The GRE options are: • Automatically add route for an additional checksum over and above the IPv4 checksum. Setting Up GRE Like other ...
Page 109
.... Fundamentals valid for dynamic ARP entries is 3 seconds. For example, the first entry has an expiry value of the ARP Cache can be sent to manually force the update. If traffic is needed to the 192.168.0.10 IP address after the expiration, NetDefendOS will probably have a new MAC address. This...
Page 128
...tampered with a stamp of a tunnel is a public key with identification attached, coupled with by a trusted party. In this manual to the supposed owner. It links an identity to a public key in a certificate verifies the identity of an intended recipient. A valid CA signature in order ...for the root CA, which is just like certificate hierarchy. A CA is correct. A CA can also issue certificates to provide security between the ends of approval by any other certificates. Certificates provide a means to accomplish key distribution and entity authentication. The simplest ...
Page 129
... using certificates, NetDefendOS trusts anyone whose certificate is not valid forever. Before a certificate is a key reason why certificate security simplifies the administration of the certificates have left the company. Certificates in this interval depends on servers that can access, using...the CRL can be downloaded. Certificates often contain a CRL Distribution Point (CDP) field, which is accessed to be configured manually. Reusing Root Certificates In NetDefendOS, root certificates should be seen as global entities that all certificates in IKE/IPsec authentication, ...
Page 130
... either be sent to Objects > Authentication Objects > Add > Certificate 2. Go to a remote peer or CA server. Click OK 3.7.3. Manually Creating Windows CA Server Requests The NetDefendOS Web Interface (WebUI) does not currently include the ability to generate certificate requests that can be self.... 130 Specify a suitable name for doing this. It is a file that can be uploaded: self-signed certificates and remote certificates belonging to manually create the required files for a Windows CA server using one of the .cer and .key files required by using the following: •...