Product Manual
Page 5
...Protocol Services 88 3.2.5. Service Groups 88 3.2.6. ARP 108 3.4.1. The NetDefendOS ARP Cache 108 3.4.3. ARP Advanced Settings Summary 113 3.5. Security Policies 116 3.5.2. Editing IP rule set Entries 120 3.5.5. Settings Summary for Route Failover 156 4.2.6. Overview 142 4.2. Advanced Settings ... Load Balancing 165 4.5. OSPF 171 4.5.1. Dynamic Routing 171 4.5.2. OSPF Components 179 4.5.4. Setting Up OSPF 188 4.5.6. An OSPF Example 191 4.6. Multicast Routing 194 4.6.1. Overview 194 4.6.2. IGMP Configuration 199 4.6.4. Advanced IGMP Settings 204 5
Page 10
Expanded Apply Rules Logic 26 3.1. A Proxy ARP Example 158 4.5. OSPF Providing Route Redundancy 173 4.10. Virtual Links Connecting Areas 177 4.11. No Address Translation 196 4.15. PPTP ALG Usage 264 6.7. LDAP for ISP Access 152 ... Virtual Links with NAT 339 7.4. Multicast Proxy Mode 200 4.18. Deploying an ALG 240 6.2. TLS Termination 290 6.8. Anonymizing with Partitioned Backbone 178 4.12. A Server Load Balancing Configuration 473 10 A Simple OSPF Scenario 172 4.9. NetDefendOS OSPF Objects 179 4.13. Multicast Snoop Mode 200 4.17. An Example BPDU ...
Page 12
... 3.1. Deleting an Address Object 79 3.5. Adding an Ethernet Address 79 3.6. Uploading a Certificate 130 3.19. Enabling the D-Link NTP Server 136 3.28. Creating an OSPF Router Process 192 4.8. Forwarding of Examples 1. Enabling SSH Remote Access 38 2.3. Defining a VLAN 100 3.11. Configuring a PPPoE Client 103 3.12. Setting Up RLB 169 4.7. Address Translation 198 12 Listing...
Page 14
...security. For example, http://www.dlink.com. They contain a CLI example and/or a Web Interface example... The Command Line Interface example would be clicked to...example are largely textual descriptions of subjects. Where a term is Administrators who are responsible for configuring and managing NetDefend Firewalls which are denoted by the header Example...Example Notation Information about what 14 An index is shown in the main text outside of an example...the NetDefendOS operating system. Examples are given but these ...would appear here. Examples Examples in the table of screenshots. ...
Page 33
... Tip: Correctly routing management traffic If there is provided for an all -nets 5. If you need more granular control of system configuration. Enabling remote management via HTTPS Command-Line Interface gw-world:/> add RemoteManagement RemoteMgmtHTTP https Network=all-nets Interface=any • Network: ...all -nets route to the system. Check the HTTPS checkbox 4. Click OK Caution: Don't expose the management interface The above example is a problem with access to your workstation to get unauthorized access to the VPN tunnel. Logout by modifying the remote management policy....
Page 34
... sometimes referred to as an IP address or a rule to a NetDefendOS configuration. • set of configuration data as well as allowing runtime data to be displayed and allowing system...a summary for all CLI commands, see the separate D-Link CLI Reference Guide. Sets some property of a particular object. • delete - For example, to move through the list of commands that the... same name might be used CLI commands are: • add - A category groups together a set - For a complete reference for using the Secure Shell...
Page 37
...name assigned to it is strongly recommended to the console port on scripts see the D-Link Quick Start Guide . Using Unique Names For convenience and clarity, it can uniquely ...example, the hostname host.company.com would be configured in the CLI For certain CLI commands, IP addresses can have duplicate names, however it . To locate the serial console port on the NetDefend...available for LDAP servers. The CLI will fail and result in subsequent CLI commands. An appliance package includes a RS-232 null-modem cable. For reasons of backward compatibility to earlier NetDefendOS...
Page 39
The CLI Chapter 2. To change the current category to the current configuration through the CLI, those changes permanent. Activating and Committing Changes ... are made to be set User admin Password="my-password" Finally, we must change the password to, for example, to use only printable characters. Immediately following CLI commands are now in Section 2.1.7, "The Console Boot Menu".... not be greater than 256 characters in the top level node of the NetDefend Firewall. Changing the CLI Prompt The default CLI prompt is: gw-world:/> where Device is changed to user...
Page 40
...other words, Internet access has been enabled for illustration but these could be used for the NetDefend Firewall. The command be public IP addresses instead. Log off from the CLI After finishing working...IP address objects for managing management sessions themselves. Configuring Remote Management Access on an Interface Remote management access may need to be found in this example called sessionmanager for if2 which has an IP...=all types of management sessions, including: • Secure Shell (SSH) CLI sessions. • Any CLI session through the serial console interface. 40
Page 42
CLI Scripts Chapter 2. For example, to improve the readability of the script -execute command line. Note: The symbol $0 is reserved Notice that has been previously uploaded to a configuration object at the end of scripts. 2.1.5. The number n in the variable name indicates the variable value... after uploading, the CLI command would mean that the written ordering of the script file itself. For example, the ping command will be a reference to the NetDefend Firewall. For example, a script called : $1, $2, $3, $4......$n The values substituted for these variable names are not, ...
Page 44
... objects in length (including the extension) and the filetype should be .sgs. For example, suppose the requirement is returned by NetDefendOS. The created file's contents might, for example, be: add IP4Address If1_ip Address=10.6.60.10 add IP4Address If1_net Address=10.6.60.0/...show -name=my_script.sgs Creating Scripts Automatically When the same configuration objects needs to the local management workstation and then uploaded and executed on other NetDefend Firewalls. The name of IP4Address objects on several NetDefend Firewalls that already exist on that need to be copied ...
Page 45
....sgs " " NetDefendOS allows the script file my_script2.sgs to execute another script. For example: [email protected]:config.bak. The must be performed between an SCP client and NetDefendOS: File type Configuration Backup (config.bak) System Backup (full.bak) Upload possible Yes (also with WebUI)... and many freely available SCP clients exist for one script to or from the NetDefend Firewall, the secure copy (SCP) protocol can be a defined NetDefendOS user in the examples given here. Note: SCP examples do not show the password prompt SCP will normally prompt for the user password...
Page 46
....5.62.11: To download a configuration backup to the current local directory, the command would be more correctly thought of the NetDefend Firewall is stored only in the..., a file is described further in Section 6.3.4.4, "Customizing HTML Pages". • certificate/ - Examples of sub-directories. When uploading, these is located in Section 2.1.5, "CLI Scripts". • ... structure which identifies what they are. The banner files for HTML ALG dynamic content filtering. Secure Copy Chapter 2. Uploading these "directories" such as sshlclientkey should be : > scp admin1...
Page 49
... for the Web Interface. Default: 80 WebUI HTTPS port Specifies the HTTP(S) port for the Web Interface. Examples of any kind. Management and Maintenance SSH Before Rules Enable SSH traffic to the previous configuration. Default: Enabled WebUI Before Rules Enable HTTP(S) traffic to use for the administrator to log in before reverting...
Page 50
...can be presented. Listing Configuration Objects To find out what configuration objects exist, you can choose to the list. • Header - Example 2.4. Working with the name of a configuration object representing the telnet service. Example 2.3. This example shows how to manipulate ...CLI. The menu will turn dark blue. Displaying a Configuration Object The simplest operation on the type of the row will list all configuration objects representing a named IPv4 address. 2.1.9. This example shows how to show Service ServiceTCPUDP telnet Property Name: ...
Page 51
... be simplified to verify the new property value: gw-world:/> show ServiceTCPUDP telnet Example 2.5. In the Comments textbox, enter your new comment 4. This example shows how to Objects > Services 2. Click on the telnet hyperlink in the list 3. 2.1.9. Working with Configurations Chapter 2. Management and Maintenance Type: SourcePorts: SYNRelay: PassICMPReturn: ALG: MaxSessions: Comments: TCP 0-65535...
Page 52
... address book. In the Name text box, enter myhost 5. Management and Maintenance Important: Configuration changes must be activated Changes to a configuration object will be applied to the list Example 2.7. Click on the row containing the myhost object 3. 2.1.9. Deleting a Configuration Object This example shows how to Objects > Address Book 2. In the dropdown menu displayed, select Delete...
Page 53
...object 3. Working with the new configuration data. Management and Maintenance Example 2.8. This example shows how to see a list of the objects that affect the configurations of live IPsec tunnels are committed, then those changes to a configuration have been modified. Command-Line ...on the running system. Go to be re-established. Go to Configuration > View Changes in front of changes is validated and NetDefendOS will attempt to initialize affected subsystems with Configurations Chapter 2. 2.1.9. Example 2.9. A "*" character indicates that the object has been marked for...
Page 54
... not issued, then NetDefendOS will revert to using the new configuration. Example 2.10. If the connection succeeds, this is interpreted by not committing a changed configuration. 54 Management and Maintenance default) during which a connection to the Web Interface after 10 ...shown again: gw-world:/> commit The new configuration is still working. Web Interface 1. Activating and Committing a Configuration This example shows how to Configuration > Save and Activate in the menu bar 2. Go to activate and commit a new configuration. If a lost connection could not be ...
Page 277
...time. A shorter time forces more frequent registration by clients with . For each scenario a configuration example of ports/traffic before these scenarios are : • Allow TCP Data Channels - Protecting Phones Behind NetDefend Firewalls In the first scenario a H.323 phone is built upon H.225.0 v5 and ... Registration Lifetime - To make sure there are no address translation will be done on a network (lannet) with public IP addresses. Security Mechanisms • The H.323 ALG supports version 5 of a problem if the network becomes unavailable and the client thinks it possible to...