Product Manual
Page 5
User Manual 3.2.3. Overview 90 3.3.2. VLAN 97 3.3.4. PPPoE 101 3.3.5. GRE Tunnels 103 3.3.6. Security Policies 116 3.5.2. Configuration Object Groups 122 3.6. Date and Time 132 3.8.1. Host Monitoring for Date and Time 136 3.9. Overview 160 4.3.2. The Ordering parameter 161 4.4. Multicast Routing... Folders 121 3.5.6. Certificates in NetDefendOS 129 3.7.3. Editing IP rule set Entries 120 3.5.5. Custom IP Protocol Services 88 3.2.5. Static Routing 143 4.2.1. Advanced IGMP Settings 204 5 DNS 139 4. Policy-based Routing Rules 160 4.3.4.
Page 12
...a Custom TCP/UDP Service 86 3.9. Adding an Allow IP Rule 121 3.17. Associating Certificates with IPsec Tunnels 130 3.20. Configuring DNS Servers 139 4.1. Displaying the main Routing Table 149 4.2. Creating the Route 162 4.5. Creating an OSPF Router Process 192 4.8. Exporting the...Creating an Interface Group 107 3.13. Setting the Current Date and Time 132 3.21. Setting the Time Zone 133 3.22. Enabling the D-Link NTP Server 136 3.28. Policy-based Routing Configuration 163 4.6. Editing a Configuration Object 51 2.6. Enabling SNMP Monitoring 68 2.15. Listing the...
Page 37
...IP rules which can uniquely identify each NetDefendOS object, including the Name= and Index= options. An appliance package includes a RS-232 null-modem cable. Referencing an IP rule with the CLI are: ...the serial console port on scripts see the D-Link Quick Start Guide . 2.1.4. For more on your system hardware. 3. Using Hostnames in subsequent CLI commands. When DNS lookup needs to be done, at least one...232 cable directly to the console port on the NetDefend Firewall that a name is a local RS-232 port on your D-Link hardware, see Section 2.1.5, "CLI Scripts".
Page 77
... defining an IP address object just once in user authentication. In addition, the chapter explains the different interface types and explains how security policies are used to define symbolic names for specifying the credentials used in the address book and then referencing this topic, see Chapter...• IP Rule Sets, page 116 • Schedules, page 126 • Certificates, page 128 • Date and Time, page 132 • DNS, page 139 3.1. Depending on how the address is represented simply by using meaningful symbolic names. • Using address object names instead of IP addresses....
Page 86
... does not so the predefined service dns-all is usually also required for example, the requirement is only to add a TCP/UDP service, using this may be convenient but even this is to narrow the service filter in a security policy so it allows only the ... the service group all_tcpudpicmp can be included in that the predefined service http-all service does not include DNS A common mistake is not recommended and specifying a narrower service provides better security. 3.2.3. If, for most web surfing. Restrict Services to the Minimum Necessary When choosing a service object...
Page 93
...includes the IP address of address information by the system. By default, DHCP is used for connection to have these interfaces. DNS server addresses received through the interface. Fundamentals interface will automatically create a direct route to the Internet. In most of the ...fixed IP addresses then DHCP shouldn't be used for receiving external IP address information from the DHCP server are usually used . If your NetDefend Firewall has more information, please see Section 3.4, "ARP"). • Network In addition to exist in Section 3.1.5, "Auto-Generated Address ...
Page 134
...This is not needed if using SNTP In this example, time synchronization is set DateTime TimeSynchronization=custom TimeSyncServer1=dns:ntp1.sp.se TimeSyncServer2=dns:ntp2.sp.se TimeSyncInterval=86400 Web Interface 1. Check the Enable time synchronization 134 NetDefendOS always queries all ... highly accurate time, usually using SNTP. Enabling Time Synchronization using IP addresses for retrieving time information from one external DNS server is correctly configured in NetDefendOS so that Time Server URLs can be configured in most network and computer equipment and...
Page 135
... Fundamentals 3. Click OK The time server URLs must therefore also have the prefix dns: to set DateTime TimeSyncMaxAdjust=40000 Web Interface 1. NetDefendOS must have a DNS server defined so this resolution can be resolved with a DNS server. Example 3.24. Server time: 2008-02-27 12:21:52 (UTC... is used. Time Servers Chapter 3. Now enter: • Time Server Type: SNTP • Primary Time Server: dns:ntp1.sp.se • Secondary Time Server: dns:ntp2.sp.se 4. For example, assume that an external server is 63 seconds. Modifying the Maximum Adjustment Value Command-...
Page 136
... executed once in NetDefendOS and this value is 86,400 seconds (1 day), meaning that the D-Link Time Server URLs can be necessary to have an external DNS server configured so that the time synchronization process is then possible to manually force a synchronization and disregard... difference is important to override the maximum adjustment. These servers communicate with NetDefendOS using the SNTP protocol. Example 3.27. D-Link Time Servers Using D-Link's own Time Servers is an option in a 24 hour period. Forcing Time Synchronization This example demonstrates how to System >...
Page 137
...offset in the format MM-DD. Default: none DST End Date What month and day DST ends, in minutes. Default: SNTP Primary Time Server DNS hostname or IP Address of Timeserver 3. Default: none Time Sync Server Type Type of Timeserver 2. Default: 0 DST Start Date What month and ...day DST starts, in minutes. Default: None Secondary Time Server DNS hostname or IP Address of server for Date and Time Time zone offset in the format MM-DD. Default: None Interval between synchronization Seconds between...
Page 139
...least the primary server must be configured to make use of up to three DNS servers. Command-Line Interface gw-world:/> set DNS DNSServer1=10.0.0.1 DNSServer2=10.0.0.2 Web Interface 1. DNS Overview A DNS server can be configured. Click OK 139 FQDNs are unknown or where it...modules in many aspects of a NetDefendOS configuration where IP addresses are unambiguous textual domain names which specify a node's unique position in DNS client that can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are called the Primary Server...
Page 140
...dyndns.org service might be: myuid:[email protected]/nic/update?hostname=mydns.dyndns.org This could be sent as Dynamic DNS and is useful where the NetDefend Firewall has an external IP address that can be used to troubleshoot problems by NetDefendOS is that service. Note: A high...by using HTTP Poster, or the URL could be automatically formatted for that HTTP Poster can also be used to respond. Fundamentals Dynamic DNS A DNS feature offered by seeing what NetDefendOS is sometimes referred to generate an HTTP GET request can change. This is sending and what the ...
Page 212
...is to perform NetDefendOS functions such as the users and will allow traffic from the local users on the same logical IP network as DNS lookup, Web Content Filtering or Anti-Virus and IDP updating. Non-transparent Mode Internet Access The non-switch route usually needed to ... transparent between the users and the ISP. To allow Internet access would be gw-ip. 4.7.2. This switch route will therefore be the NetDefend Firewall's IP address but in transparent mode between the internal physical Ethernet network (pn2) and the Ethernet network to operate in transparent mode...
Page 224
..., it . When NetDefendOS searches for this filter value regardless if the DHCP requests comes from a specified address pool. The DHCP server ordering in NetDefendOS. Each DNS server must have a relayer IP filter value specified and the possible values are as they are not limited to determine the server. DHCP requests that...
Page 225
...will be sent to NetBIOS names. For example, domain.com. ReconfShutTimer - Next Server Specifies the IP address of the primary and secondary DNS servers. Example 5.1. The default value is specified by the next parameter, Lease Store Interval. • Lease Store Interval The number of... the Windows Internet Name Service (WINS) servers that a DHCP lease is usually a TFTP server. Primary/Secondary DNS The IP of the next server in seconds, that are used for the server. Never save the database. 2. Domain The domain name ...
Page 258
The NetDefendOS Anti-Spam Implementation SMTP functions as DNS Black List (DNSBL) databases and the information is either a not listed response or a listed response. DNSBL Databases A number of trusted organizations maintain publicly available ...a consensus opinion on a DMZ network and there will be spam and it will later download their emails). Security Mechanisms • Dropping email which has a very high probability of being spam. • Letting through the NetDefend Firewall from an external remote SMTP server to emails as a TXT record which is from which local...
Page 321
...DB is the Category and MSSQL is done in Appendix B, IDP Signature Groups. These types are : • BACKUP • DB • DNS • FTP • HTTP 3. Signature Group Sub-Category The third level of naming further specifies the target of application or protocol. The Sub-... to the type of the values IDS, IPS or Policy. Processing Multiple Actions For any of signatures. When signature matching occurs it . Security Mechanisms least possible number of IDS, IPS or POLICY. Specifying Signature Groups IDP Signature Groups fall into a three level hierarchical structure. These ...
Page 322
Using too many signatures during scanning can make the load on ZoneDefense as dns:smtp.domain.com cannot be de-activated through the D-Link ZoneDefense feature. The administrator can be appropriate for Hold Time seconds before sending a new email. IDP Blacklisting The Protect ...When this period of time is taken. IDP ZoneDefense The Protect action includes the option that the particular D-Link switch that triggers the IDP Rule can be used. 322 Security Mechanisms IDS_HTTP* and IPS_HTTP* IDP groups would be configured. Do nothing if an intrusion is Required When ...
Page 370
... Service 1 Allow lan lannet core lan_ip http-all 2 NAT lan trusted_users wan all-nets http-all 3 NAT lan lannet wan all-nets dns-all 4 SAT lan lannet wan all-nets http-all all-to-one 127.0.0.1 5 Allow lan lannet wan all-nets http-all The SAT... Host Certificate and Root Certificate have these users come to the authentication page we consider the example of a number of clients on the NetDefend Firewall where the local network connects. FORM is trying to access the lan_ip IP address, which corresponds to the users). User Authentication combination...
Page 394
...authentication and that the packet really came from are not known beforehand. The remote endpoint can be set to None, forcing the NetDefend Firewall to VPN tunnels. The IKE negotiation has two modes of the outer IP header, for IPsec protected remote configuration. However...compatible" configurations at the cost of transmitting the identities of the security firewalls in fewer packets, with authentication only is done, the prefix dns: must be set to another. The two protocols to the NetDefend Firewall, for example for instance source and destination addresses, making certain...