Product Manual
Page 1
Network Security Firewall User Manual DFL-210/800/1600/2500, DFL-260/860/1660/2560(G), Ver 2.27.01. Network Security Solution. http://www.dlink.com
Page 3
... the right to revise this publication and to make changes from time to time in this manual, nor any of the material contained herein, may be reproduced without the written consent of D-Link. User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 Copyright © 2010...
Page 5
... 126 3.7. Overview 132 3.8.2. Routing ...142 4.1. Static Routing 143 4.2.1. Host Monitoring for Route Failover 156 4.2.6. OSPF 171 4.5.1. Dynamic Routing 171 4.5.2. OSPF Components 179 4.5.4. Multicast Routing 194 4.6.1. User Manual 3.2.3. GRE Tunnels 103 3.3.6. Using ARP Advanced Settings 112 3.4.5. IP Rule Set Folders 121 3.5.6. CA Certificate Requests 130 3.8. DNS 139 4. Static Routing 147 4.2.3. Proxy ARP 157...
Page 6
... Handling 292 6.3.3. Static Content Filtering 293 6.3.4. Overview 315 6.5.2. IDP Pattern Matching 319 6.5.6. SMTP Log Receiver for D-Link Models 315 6.5.3. DoS Attack Mechanisms 326 6.6.3. The Jolt2 Attack 329 6.6.10. Distributed DoS Attacks 329 6.7. Static DHCP...Access 211 4.7.3. Transparent Mode Scenarios 213 4.7.4. Advanced Settings for Transparent Mode 218 5. Overview 223 5.2. Anti-Virus Scanning 309 6.4.1. User Manual 4.7. Overview 237 6.1.2. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea ...... 327 6.6.5. The FTP ALG 244 6.2.4. The...
Page 7
... Certificates 383 9.2.3. PPTP/L2TP Clients 431 9.6. Multiple SAT Rule Matches 351 7.4.7. L2TP Roaming Clients with Pre-shared Keys 408 9.4.3. Translation of a Single IP Address (1:1 343 7.4.2. User Authentication 355 8.1. IPsec Components 391 9.3.1. LAN to -One Mappings (N:1 350 7.4.4. VPN Planning 378 9.1.4. Pre-shared Keys 402 9.3.8. VPN Encryption 378 9.1.3. User Manual 7. NAT 335 7.3.
Page 8
...465 10.2.3. Viewing Traffic Shaping Objects 468 10.2.7. Server Health Monitoring 477 10.4.6. NetDefendOS Manual HA Setup 488 11.3.3. ZoneDefense Switches 498 12.3. Manual Blocking and Exclude Lists 499 12.3.4. Limitations 501 13. Processing Flow 466 10.2.4. Threshold...Differentiated Limits Using Chains 449 10.1.6. High Availability 482 11.1. Overview 473 10.4.2. Upgrading an HA Cluster 493 11.6. User Manual 9.7.2. Traffic Shaping 444 10.1.1. Selecting Stickiness 475 10.4.4. ZoneDefense with VPN 439 9.7.5. Overview 470 10.3.2. SLB Distribution...
Page 9
TCP Level Settings 508 13.3. Miscellaneous Settings 525 A. State Settings 514 13.5. IDP Signature Groups 529 C. Fragmentation Settings 520 13.8. Verified MIME filetypes 533 D. Connection Timeout Settings 516 13.6. Local Fragment Reassembly Settings 524 13.9. ICMP Level Settings 513 13.4. Length Limit Settings 518 13.7. Subscribing to Updates 527 B. The OSI Framework 537 Alphabetical Index 538 9 User Manual 13.1. IP Level Settings 504 13.2.
Page 11
Stickiness and Round-Robin 477 10.12. User Manual 10.10. The 7 Layers of the OSI Model 537 11 Connections from Three Clients 476 10.11. Stickiness and Connection-rate 477 D.1.
Page 13
...323 6.22. Setting up SLB 478 12.1. H.323 with IPsec Tunnels 413 9.9. Enabling Audit Mode 299 6.17. Creating an Authentication User Group 371 8.2. Setting up IDP for Scenario 2 215 5.1. Protecting an FTP Server with private IP addresses 279 6.6. H.323 with an... to the Whitelist 332 7.1. Adding a Host to a Protected Web Server in a DMZ 344 7.4. User Authentication Setup for H.323 288 6.12. Setting up a PPTP server 426 9.11. User Manual 4.14. Setting up Transparent Mode for roaming clients 411 9.7. Two Phones Behind Different NetDefend Firewalls 280 ...
Page 14
... Firewalls which are running the NetDefendOS operating system. Where a "See chapter/section" link (such as: see Chapter 9, VPN) is provided in the main text, this can be less cluttered and easier to that the manual would be clicked to take the reader directly to read if it may appear in... the user interface of management user interfaces. For example, http://www.dlink.com. This is deliberate and is being introduced for...
Page 30
...Default IP Address: For a new D-Link NetDefend firewall with the NetDefendOS, the default management interface IP address is as follows. • On the DFL-210, 260, 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is 192.168.10.1. The connection is made to the hardware's LAN1 interface (or the LAN interface on the ...). Once the connection is successfully established, a user authentication dialog similar to the one shown below will appear. The factory default username and ... Setting the Workstation IP: the workstation (the latest version of a ...) ... The assigned NetDefend Firewall ...
Page 32
...configuration tasks as well as for system diagnostics. • Maintenance • Update Center - Management and Maintenance For information about the default user name and password, see Section 2.1.2, "The Default Administrator Account". The tree is divided into three major sections: A. Restart the firewall ... expanded to the major building blocks of tools that can be very useful since it was last saved. • Tools - Manually update or schedule updates of the system configuration. Navigator The navigator located on the left-hand side of the Web Interface contains ...
Page 41
The D-Link recommended convention is the tool used for script management and execution. The complete ...is some typical output showing the local console session: gw-world:/> sessionmanager -list User Database IP Type Mode Access local (none) 0.0.0.0 local console admin If the user has full administrator privileges, they can be executed after they are saved to the... sequence of CLI commands, one per line. A CLI script is discussed in detail in this manual. 2.1.5. The filename, including the extension, should not be stored in the CLI Reference Guide. 2.1.5.
Page 102
PPPoE Chapter 3. User authentication If user authentication is selected, the client (that provides this IP address information from and which is the time to wait with any interface, one or more routes are then manually entered into client computers. The additional option also exists to force ... on outgoing traffic, incoming traffic or both. When NetDefendOS receives this . 102 The ISP does not assign an IP address to users. Also configurable is similar to the PPPoE client. The PPPoE client can serve the following purposes: • The IP address specified...
Page 128
... a trusted entity that the certificate has not been tampered with VPN tunnels. By doing this manual to other CAs. By binding the above it prevents data transfer interception by a malicious third...with public-key cryptography to the supposed owner. 3.7. When verifying the validity of the user certificate. Certificates 3.7.1. The highest CA is just like certificate hierarchy. The CA certificate is...certificate has been vouched for the root CA, which is also compromised. 128 It links an identity to be compromised, the whole CA, including every certificate it issues. ...
Page 129
...• Verify the signatures of all certificates that can be reused between which specifies the location from where the CRL can be configured manually. Certificates often contain a CRL Distribution Point (CDP) field, which the certificate is still valid. In those cases the location of ...root certificates should be seen as global entities that have been compromised in this is associated with any number of large user communities. Certificates in IKE/IPsec authentication, Webauth, etc. 129 When this validity period expires, the certificate can happen for each ...
Page 211
... Availability and Transparent Mode Switch Routes cannot be used to enable Transparent Mode is that follows such routes will need to roam between users and the DHCP server. 4.7.2. Instead of Switch Routes the solution in the above . Secondly, and more importantly, their whereabouts and... to the public Internet. In this routing table because traffic that these users can plug in anywhere and NetDefendOS can route their traffic correctly after determining their network routes will be manually configured for the interface and any corresponding non-switch routes are called lannet...
Page 257
...Anti-Virus configuration of the Web Interface. • Set up ZoneDefense with ZoneDefense in the mailboxes of interest is possible to manually configure certain hosts and servers to be excluded from that any local receiver. When using ZoneDefense would block all future emails from...implement blocking, the administrator configures the ZoneDefense network range to send an email infected with the SMTP ALG, the only scenario of users behind the NetDefend Firewall. When a client tries to include all incoming emails from the rest of unsupported extensions removed by ZoneDefense when...
Page 292
...that the administrator considers a potential threat, such as ActiveX objects and Java Applets. • Static Content Filtering provides a means for manually classifying web sites as "good" or "bad". Active Content Handling Some web content can contain malicious code designed to harm the ... are embedded into by configuring the corresponding HTTP Application Layer Gateway accordingly. Overview Web traffic is embedded into various types of users: • Active Content Handling can be used to be removed can be selected individually by an automatic classification service. Dynamic...
Page 295
...are already classified and grouped into a variety of recently accessed URLs. WCF Processing Flow When a user of a web browser requests access to a web site, NetDefendOS queries the Dynamic WCF databases in... order to retrieve the category of the URLs in the databases is not necessary to manually specify beforehand which enables an administrator to permit or block access to be automated so ...content of those web pages. In the URL textbox, enter www.D-Link.com/*.exe 7. In the table, click on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. Access to the URL can be ...