Product Manual
Page 5
... Object Groups 122 3.6. Overview 142 4.2. OSPF Concepts 174 4.5.3. Route Failover 151 4.2.4. Overview 160 4.3.2. Editing IP rule set Entries 120 3.5.5. Overview 132 3.8.2. User Manual 3.2.3. PPPoE 101 3.3.5. Security Policies 116 3.5.2. The Principles of Routing 143 4.2.2. An OSPF Example 191 4.6.
Page 7
NAT Pools 340 7.4. Translation of a Single IP Address (1:1 343 7.4.2. Port Translation 350 7.4.5. Multiple SAT Rule Matches 351 7.4.7. External LDAP Servers 359 8.2.5. A Group Usage Example 369 8.2.8. Overview 377 9.1.1. VPN Planning 378 9.1.4. VPN Quick Start 381 9.2.1. IPsec Roaming Clients with Pre-Shared Keys 387 9.2.6. L2TP Roaming Clients with Pre-shared Keys ...
Page 8
... 10.1.1. Traffic Shaping in Both Directions 448 10.1.5. Simple Bandwidth Limiting 447 10.1.4. Precedences 450 10.1.7. A Summary of Traffic Shaping 459 10.1.10. More Pipe Examples 460 10.2. Overview 465 10.2.2. Processing Flow 466 10.2.4. Logging 469 10.3. Threshold Rules 470 10.3.1. Overview 470 10.3.2. SLB Algorithms and Stickiness 476 10...
Page 10
...Address 457 10.7. A Route Failover Scenario for PPP with an Unbound Network 146 4.3. A Route Load Balancing Scenario 169 4.8. Virtual Links with NAT 339 7.4. Dynamic Routing Rule Objects 186 4.14. Multicast Snoop Mode 200 4.17. Non-transparent Mode Internet Access 212 ...24 1.3. An ARP Publish Ethernet Frame 112 3.3. The RLB Spillover Algorithm 167 4.7. Transparent Mode Internet Access 212 4.20. An Example BPDU Relaying Scenario 218 5.1. Anonymizing with Partitioned Backbone 178 4.12. The Eight Pipe Precedences 451 10.5. Expanded Apply Rules Logic ...
Page 12
... 3.23. Manually Triggering a Time Synchronization 135 3.25. Modifying the Maximum Adjustment Value 135 3.26. Enabling the D-Link NTP Server 136 3.28. Displaying the Core Routes 150 4.3. Creating an OSPF Router Process 192 4.8. Multicast Forwarding - Example Notation 14 2.1. Displaying a Configuration Object 50 2.5. Adding an IP Host 78 3.2. Adding an IP Protocol Service 88... 58 2.13. Adding an IP Range 78 3.4. Setting the Time Zone 133 3.22. Policy-based Routing Configuration 163 4.6. Add an OSPF Area 192 4.9. Forwarding of Examples 1.
Page 14
... used. Where a "See chapter/section" link (such as appropriate. (The NetDefendOS CLI Reference Guide documents all CLI commands.) Example 1. Preface Intended Audience The target audience for... network security. Text Structure and Conventions The text is designated by the command: gw-world:/> somecommand someparameter=somevalue Web Interface The Web Interface actions for the example are...main text outside of an example, it will appear in italics. Where console interaction is Administrators who are responsible for configuring and managing NetDefend Firewalls which are shown ...
Page 19
...variety of context which eliminates any sense of other functions. The address book, for use by the rule sets. Another example of rules (or rule sets). Also important are the Application Layer Gateway (ALG) objects which represent specific protocol and ... any possibility to detect and analyze complex protocols and enforce corresponding security policies. Stateful Inspection NetDefendOS employs a technique called stateful inspection which network traffic enters or leaves the NetDefend Firewall. NetDefendOS Architecture 1.2.1. Interface Symmetry The NetDefendOS interface design is...
Page 21
... settings of additional actions available such as with the connection. Finally, the opening of the new connection will be added to the connection table for example TCP, UDP, ICMP) • TCP/UDP ports • ICMP types • Point in time in a similar way to the state. If a match is found, the...
Page 33
... only. If this 33 If you can do so by modifying the remote management policy. Click OK Caution: Don't expose the management interface The above example is the case then a route should always logout to the VPN tunnel. It is available either locally through the serial console port (connection to the...; Network: all -nets Interface=any user on the Logout button at the right of system configuration. The CLI NetDefendOS provides a Command Line Interface (CLI) for example https 3.
Page 34
... name might be performed. For example, this might exist in the CLI command history. To add a new IP4Address object with the structure: . For example, pressing the up and down.... After 34 This section only provides a summary for all CLI commands, see the separate D-Link CLI Reference Guide. Deletes a specific object. Note: Category and Context The term category is ...such as the context of a particular object. • delete - For a complete reference for using the Secure Shell (SSH) protocol from an SSH client. A category groups together a set - Tip: Getting help ...
Page 35
If completion is , for example, 10.6.58.10 then the unfinished command line will display the current value for the Address parameter. In a similar way, the " NetDefendOS provides a feature called ... current values of the command. followed by a tab, NetDefendOS will automatically become: set Address IP4Address lan_ip Address= If we now type "." The CLI Chapter 2. 2.1.4. For example, we may have typed the unfinished command: set Address IP4Address lan_ip Address=10.6.58.10 NetDefendOS automatically inserts the current value of Parameters Another useful...
Page 36
...character following their names when displayed by a show command. Management and Maintenance Not all object types belong in an add command. For example, some objects is optional and is important. Referencing by a comma "," character. The object type UserAuthRule is a type without a ...cc on . There can be : AccountingServers=server1,server2,server3 Inserting into Rule Lists Rule lists such as well. For example: RoutingTable/. For example, if three servers server1, server2, server3 need multiple values. Subsequent manipulation of some commands use the cc command to ...
Page 37
... least one of the connectors of the computer running the communications software. 37 For example, the hostname host.company.com would be specified as a textual hostname instead an ...using the Hyper Terminal software included in NetDefendOS for LDAP servers. 2.1.4. For more on the NetDefend Firewall that a DNS lookup must be prefixed with the CLI are: • The Remote ...in subsequent CLI commands. To locate the serial console port on your D-Link hardware, see Section 2.1.5, "CLI Scripts". An appliance package includes a RS-232 null-modem cable. Set the terminal protocol ...
Page 38
... is disabled by adding a rule to execute any CLI command. Enabling SSH Remote Access This example shows how to either disable or anonymize the CLI welcome message. Select the following from admin to System > Remote Management > Add > Secure Shell Management 2. Click OK Logging on the terminal. When accessing the CLI remotely through...
Page 39
...which exists by using the CLI command: gw-world:/> set User admin Password="my-password" Finally, we must change the password to, for example, to my-prompt:/>, by default): gw-world:/> cc LocalUserDatabase AdminUsers We are 39 Activating and Committing Changes If any combination of 30 seconds then... and should be issued to make those changes will not be greater than 256 characters in AdminUsers and can change the password of the NetDefend Firewall. First we return the current category to the top level: gw-world:/AdminUsers> cc .. Immediately following CLI commands are made to...
Page 40
..., it is recommended to logout in order to avoid letting anyone getting unauthorized access to manage all types of management sessions, including: • Secure Shell (SSH) CLI sessions. • Any CLI session through the serial console interface. 40 Log off from the CLI After finishing working with... that an all -nets LocalUserDatabase=AdminUsers AccessLevel=Admin HTTP=Yes If we set Address IP4Address if2_net Address=10.8.1.0/24 In this example called sessionmanager for the NetDefend Firewall. 2.1.4. Management and Maintenance automatically undone and the old configuration restored.
Page 41
...then uploaded to easily store and execute sets of all sessions use the file extension .sgs (Security Gateway Script). The D-Link recommended convention is for these are saved to the NetDefend Firewall using the -disconnect option of usage are as follows: 1. The filename, including the... extension, should not be stored in the CLI Reference Guide and specific examples of the sessionmanager command....
Page 42
CLI Scripts Chapter 2. There can be a reference to the NetDefend Firewall. Error Handling 42 Executing Scripts As mentioned above, the script -execute command launches a named script file that the written ordering of the first... in the script file and the string If1 address replacing all occurrences of $2. The variable $0 is reserved and is always replaced before it is $1. For example, a script called : $1, $2, $3, $4......$n The values substituted for these variable names are similar. This means that has been previously uploaded to a configuration object at the ...
Page 43
...occur during execution. Script Output Any output from this volatile memory and must explicitly be uploaded again to the NetDefend Firewall, it is used . To move the example my_script.sgs to non-volatile memory the command would be: gw-world:/> script -store -name=my_script.sgs Alternatively... will continue to terminate. 2.1.5. To run . To store a script between restarts, it resides (residence in non-volatile memory is for example my_script.sgs the command would be: gw-world:/> script -remove -name=my_script.sgs Listing Scripts The script on its own, command without ...
Page 44
...uploaded to and executed on the other NetDefend Firewalls to and run the same script on the console instead of a configuration which contains all the CLI commands necessary to be downloaded with the CLI is returned by NetDefendOS. For example, suppose the requirement is to create... the same set of IP4Address objects on several NetDefend Firewalls that already exist on that installation provides a way to a file, leave out the ...