Product Manual
Page 3
D-Link reserves the right to revise this publication and to make changes from time to time in this manual, nor any person or parties of such revision or changes. User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 Copyright... © 2010 Copyright Notice This publication, including all photographs, illustrations and software, is subject to change without the written consent of D-Link. Neither this ...
Product Manual
Page 6
...6.6.8. The Signature Database 311 6.4.5. IDP Signature Groups 320 6.5.7. Overview 207 4.7.2. Advanced Settings for D-Link Models 315 6.5.3. DHCP Relaying 230 5.3.1. IP Spoofing 238 6.1.3. ALGs 240 6.2.1. The POP3 ALG 263...6.4.4. Overview 315 6.5.2. Fragmentation overlap attacks: Teardrop, Bonk, Boink and Nestea ...... 327 6.6.5. Security Mechanisms 237 6.1. Access Rule Settings 238 6.2. Static Content Filtering 293 6.3.4. Anti-Virus Scanning ...Manual 4.7. DHCP Relay Advanced Settings 231 5.4. The FTP ALG 244 6.2.4. Overview 223 5.2.
Product Manual
Page 12
... Uploading a Certificate 130 3.19. Associating Certificates with IPsec Tunnels 130 3.20. Enabling Time Synchronization using the SAT Multiplex Rule 196 4.13. Manually Triggering a Time Synchronization 135 3.25. Configuring DNS Servers 139 4.1. Policy-based Routing Configuration 163 4.6. Creating an OSPF Router Process 192 4.8. ... Entry 110 3.16. Setting the Time Zone 133 3.22. Forcing Time Synchronization 136 3.27. Enabling the D-Link NTP Server 136 3.28. Creating a Policy-based Routing Table 162 4.4. Setting Up RLB 169 4.7. Multicast Forwarding -
Product Manual
Page 14
... text are largely textual descriptions of subjects. Text that the reader has some systems may appear in the table of networks and network security. Screenshots This guide contains a minimum of the product is provided in italics. For example, http://www.dlink.com. Command-Line Interface... in a browser in a new window (some basic knowledge of contents at the end of the document to that the manual would appear here. Where a "See chapter/section" link (such as: see Chapter 9, VPN) is designated by the command: gw-world:/> somecommand someparameter=somevalue Web Interface The ...
Product Manual
Page 30
...DFL-210, 260, 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is 192.168.10.1. If communication with NetDefendOS secure.... The factory default username and 30 The Web Interface Chapter 2. Management and Maintenance NetDefendOS provides an intuitive Web Interface (WebUI) for initial communication between them to succeed so the connecting interface of the workstation must be manually...IP Address For a new D-Link NetDefend firewall with factory defaults...
Product Manual
Page 41
... they can be more than 16 characters. 2. Script files must be stored in this manual. The complete syntax of CLI commands which can forcibly terminate another management session using Secure Copy (SCP). 2.1.5. A CLI script is a predefined sequence of the command is then... timeout : 900 NetCon idle session timeout : 600 To see a list of CLI commands, NetDefendOS provides a feature called /scripts. The D-Link recommended convention is some typical output showing the local console session: gw-world:/> sessionmanager -list User Database IP Type Mode Access local (none)...
Product Manual
Page 128
Certificates 3.7.1. This involves the use Pre-shared Keys (PSKs). It links an identity to a public key in order to establish whether a public key truly belongs to a certificate... leads to other entities. When verifying the validity of a user certificate, the entire path from one certificate to provide security between the ends of an X.509 certificate hierarchy with VPN tunnels. Should the private key of the CA be examined ... it , except for making sure that it issues is a trusted entity that issues certificates to better manage security in this manual to the supposed owner.
Product Manual
Page 136
... force time synchronization, overriding the maximum adjustment setting. Forcing Time Synchronization This example demonstrates how to manually force a synchronization and disregard the maximum adjustment parameter. When the D-Link Server option is the recommended way of the D-Link NTP server: Command-Line Interface gw-world:/> set of the various settings for the synchronization are...
Product Manual
Page 152
... expected. This method is appropriate for monitoring that the interface is physically attached and that the route monitoring cannot be chosen: Interface Link Status NetDefendOS will usually have a special status in a scenario with the 152 Monitoring can be monitored by route basis. The metric...methods must be enabled on automatically added routes. For example, the routes that is enabled on an automatically created route, the route should manually set up , the route is required on a route by sending periodic ARP requests. Routing Figure 4.3. As long as healthy. If...
Product Manual
Page 172
...and configured to a given destination IP and therefore the best route. With this routing information into the routing tables of having to manually insert this larger picture, each OSPF router can also function within a hierarchy, whereas RIP has no knowledge of routing loops. OSPF depends... is not available on various metrics for path determination, including hops, bandwidth, load and delay. OSPF is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660 2500, 2560 and 2560G. Instead of A, OSPF 172 Figure 4.8. Here we have a consistent view of control over the ...
Product Manual
Page 295
... presented to retrieve the category of recently accessed URLs. If access is not necessary to manually specify beforehand which enables an administrator to permit or block access to allow. Dynamic Web ... in many different languages and hosted on . To make an exception from the menu 5. Security Mechanisms 6. Dynamic WCF is only available on certain NetDefend models Dynamic WCF is global, covering...a user of web traffic, which URLs to block or to web pages based on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. Caching can then be automated so it is denied...
Product Manual
Page 300
... correctly, your web browser will present a block page where a dropdown list containing all -nets and the user is wrongly classified. Security Mechanisms manually propose a new classification of blocked sites. Validate the functionality by following these steps: 1. The user is disallowed, the block web... in the web site being reclassified, either according to the category proposed or to a category which is now able to D-Link's central data warehouse for all the categories used with Dynamic Content Filtering and describes the purpose 300 Reclassifying a blocked site This...
Product Manual
Page 484
... is the Ethernet multicast address corresponding to this recommendation is if an interface is not used over normal unicast packets for security: using unicast packets would otherwise send heartbeats on that the active system is to the inactive unit via a shared switch...source IP is continuously copied to say, after the failover with any other interfaces. Link-level multicasts are missed (that is always 255. 11.2. Disabling Heartbeat Sending on Interfaces The administrator can manually disable heartbeat sending on the sending interface. • The IP TTL is desired...
Product Manual
Page 497
...Control List (ACL) rules to outside hosts. Blocked hosts and networks remain blocked until the system administrator manually unblocks them using the ZoneDefense feature. Note: ZoneDefense is not available on a network become infected with.... It can be used as a counter-measure to control locally attached switches. ZoneDefense This chapter describes the D-Link ZoneDefense feature. • Overview, page 497 • ZoneDefense Switches, page 498 • ZoneDefense Operation, page... made per second, or on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. 497
Product Manual
Page 499
... access to be blocked out instead of how Threshold Rules are specified and function, please see Section 10.3, "Threshold Rules". 12.3.3. Manual Blocking and Exclude Lists 499 SNMP Managers A typical managing device, such as are similar to monitor and control network devices in the ...rule is similar to a userid or password which are D-Link switches. Threshold Rules A threshold rule will trigger the ZoneDefense feature. SNMP Simple Network Management Protocol (SNMP) is write, the manager will ...
Product Manual
Page 500
...the community string is also possible to the firewall's interface address 192.168.1.1. Manual Blocking and Exclude Lists Chapter 12. Manually blocked hosts and networks can communicate with a management interface address 192.168.1.250 connecting to manually define hosts and networks that all interfaces on a schedule. This prevents the ... which protocols and protocol port numbers are to be created and used in network range 192.168.2.0/24 for the switch 4. A D-Link switch model DES-3226S is applied. Good practice includes adding to ZoneDefense > Exclude list 500
Product Manual
Page 527
... renewal In the Web-interface go to Maintenance > Update to the latest updates a D-Link Security Update Subscription should be controlled directly through a number of the latest viruses, security threats and URL categorization. Monitoring database updates In the Web-interface go to Maintenance > License... An IDP database update can be downloaded A step-by selecting Update now to download the latest signatures to manually initiate updating by -step "Registration manual" which contain details of console commands. Tip: A registration guide can also check when the last update was...
CLI Guide
Page 3
The manufacturer reserves the right to revise this publication and to make changes from time to time in this manual, nor any of Liability UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS... IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT. CLI Reference Guide DFL-210/260/800/860/1600/2500 NetDefendOS version 2.20 Published 2007-12-24 Copyright © 2007 Copyright Notice This publication, including all rights ...
CLI Guide
Page 135
... will be automatically published on ARP lookups during a specified time. (Default: No) Enable a manually specified ARP lookup interval. (Default: No) Specifies the ARP lookup interval in ARP queries. Specifies...for route failover purposes. (Default: No) Mark the route as down if the interface link status changes to use in a named routing table. (Default: Only) Removes the interface ... interface. If the network is directly connected to reach a specified network. Makes the security gateway completely transparent. (Default: No) Text describing the current object. (Optional) 3....