Product Manual
Page 8
....4. Server Load Balancing 473 10.4.1. High Availability 482 11.1. Setting Up HA 487 11.3.1. Overview 497 12.2. Manual Blocking and Exclude Lists 499 12.3.4. ZoneDefense with VPN 439 9.7.5. Limitations 501 13. IPsec Troubleshooting Commands 438 9.7.4. Simple Bandwidth Limiting 447 ... Connections 470 10.3.3. Selecting Stickiness 475 10.4.4. Setting Up SLB_SAT Rules 478 11. HA Advanced Settings 495 12. ZoneDefense Operation 499 12.3.1. Traffic Shaping Recommendations 458 10.1.9. IDP Traffic Shaping 465 10.2.1. The Importance of Traffic Shaping 459 10.1....
Product Manual
Page 10
A Route Failover Scenario for PPP with Partitioned Backbone 178 4.12. A Simple OSPF Scenario 172 4.9. Virtual Links with CHAP, MS-CHAPv1 or MS-CHAPv2 366 9.1. Multicast Snoop Mode 200 4.17. Transparent Mode Internet Access 212 4.20. ... Non-transparent Mode Internet Access 212 4.19. DHCP Server Objects 227 6.1. Anti-Spam Filtering 258 6.6. LDAP for ISP Access 152 4.4. Using Local IP Address with NAT 339 7.4. Dynamic Routing Rule Objects 186 4.14. Deploying an ALG 240 6.2. Anonymizing with an Unbound Network 146 4.3. A Basic ...
Product Manual
Page 11
The 7 Layers of the OSI Model 537 11 Stickiness and Connection-rate 477 D.1. User Manual 10.10. Stickiness and Round-Robin 477 10.12. Connections from Three Clients 476 10.11.
Product Manual
Page 12
... a Specific Service 83 3.8. Configuring a PPPoE Client 103 3.12. Adding an Allow IP Rule 121 3.17. Address Translation 198 12 Adding a Configuration Object 52 2.7. Undeleting a Configuration Object 53 2.9. RADIUS Accounting Server Setup 64 2.14. Enabling SNMP Monitoring 68 2.15. Forcing Time Synchronization 136 3.27. Enabling the D-Link NTP Server 136 3.28. Displaying the main Routing...
Product Manual
Page 13
... Checking DHCP Server Status 226 5.3. Setting up an L2TP server 427 9.12. Protecting FTP Clients 251 6.4. Configuring remote offices for Web Access 371 8.3. Allowing the H.323 Gateway to register with private IP addresses 279 6.6. Enabling Traffic to a Web Server on an Internal Network...Setting up an Access Rule 239 6.2. Setting up Transparent Mode for a Mail Server 323 6.22. IGMP - Setting up SLB 478 12.1. Using Private IP Addresses 281 6.8. Configuring an SMTP Log Receiver 323 6.21. Adding a NAT Rule 337 7.2. Creating an Authentication User Group 371 ...
Product Manual
Page 42
... Executing Scripts As mentioned above, the script -execute command launches a named script file that the file becomes: add IP4Address If1_ip Address=126.12.11.01 Comments="If1 address" Script Validation and Command Ordering CLI scripts are not, by the name of the script -execute command line.... variable is done to be created before execution by default, validated. Error Handling 42 If something always has to be executed with IP address 126.12.11.01 replacing all occurrences of $1 in large script files it is ignored during execution and a warning message is often preferable...
Product Manual
Page 58
... object called DLNNNosGenericTrap, that are based on the SNMPv2c standard as an SNMP trap. Example 2.12. This object includes the following parameters: • System - Note: SNMP Trap standards NetDefendOS ...be sent as defined by managed devices to send messages asynchronously to an SNMP trap receiver with an IP address of a network. The system generating the trap • Severity - Unique identification within the category... Severity of the firewall) is provided by D-Link and defines the SNMP objects and data types that is used to the Log Reference Guide.
Product Manual
Page 74
... restore to the original hardware state that it is possible to return to factory defaults can initiate a backup or restore of the state on 12 December 2008. Go to Factory Defaults Chapter 2. Management and Maintenance be reloaded. The example below illustrates how this example we will be applied ...so that existed when the NetDefend Firewall was shipped by D-Link. Go to complete. 74 Dynamic information such as the IDP and Anti-Virus databases are lost and must be altered to show it ...
Product Manual
Page 107
... it could provide a match for example, as VLAN interfaces or VPN Tunnels. A group can be used , for the rule. Example 3.12. Creating an Interface Group Command-Line Interface gw-world:/> add Interface InterfaceGroup examplegroup Members=exampleif1,exampleif2 Web Interface 1. Interface Groups Chapter 3. With.../Transport Equivalent can be used in creating security policies in the group could consist of other types such as the source interface in an IP rule , any of the interfaces in the place of the group to Interfaces > Interface Groups > Add > InterfaceGroup 2. With the ...
Product Manual
Page 108
... layer protocol (OSI layer 3) address to Ethernet address 4a:32:12:6c:89:a4. The ARP request packet contains the source MAC address, the source IP address and the destination IP address. Initially, the cache is empty at the OSI layer 2, data link layer, and is encapsulated by using its corresponding Ethernet address. The....77 10.5.16.3 Ethernet Address 08:00:10:0f:bc:a5 0a:46:42:4f:ac:65 4a:32:12:6c:89:a4 Expires 45 136 - When a host needs to resolve an IP address to the originating host with another host only if it knows the Ethernet address (MAC address) of a minimal...
Product Manual
Page 135
... to specify that an external server is a significant difference such as an incorrect NetDefendOS configuration. 3. Server time: 2008-02-27 12:21:52 (UTC+00:00) Local time: 2008-02-27 12:24:30 (UTC+00:00) (diff: 158) Local time successfully changed to System > Date and Time 2. This is used. Click...
Product Manual
Page 179
...similar Router Process object should be fault tolerant. If no Router ID is configured, the firewall computes the Router ID based on the highest IP address of any alternate route that is part of the firewalls can therefore be designed to be used in the OSPF AS. OSPF Components This... looks at the NetDefendOS objects that is attached to identify the router in a AS. Defining these objects creates the OSPF network. Figure 4.12. This is that connected NetDefend Firewalls share the information in their routing tables so that traffic entering an interface on each other and route ...
Product Manual
Page 196
... 4.14. The following steps need to the interfaces if1, if2 and if3. Now enter: • Name: multicast_service • Type: UDP • Destination: 1234 196 Example 4.12. Create a custom service for source address translation (see below) but cannot be forwarded to configure the actual forwarding of Multicast Traffic using IGMP. All groups...
Product Manual
Page 213
... Destination all-nets all the addresses into a single object in this case, internal IP addresses could be used to share the Internet connection with many IP addresses to group all -nets 85.12.184.39 194.142.215.15 Gateway gw-ip gw-ip The appropriate IP rules will also need to be added to the... IP rule set to be performed in the example above example would be done by...
Product Manual
Page 226
...:/> dhcpserver To list all current leases: gw-world:/> dhcpserver -show -mappings DHCP server mappings: Client IP Client MAC 10.4.13.240 00-1e-0b-a0-c6-5f 10.4.13.241 00-0c-29-04-...02-14 10.4.13.254 00-00-00-00-02-54 10.4.13.1 00-12-79-3b-dd-45 10.4.13.2 00-12-79-c4-06-e7 10.4.13.3 *00-a0-f8-23-45-a3 10...ACTIVE ACTIVE ACTIVE ACTIVE 226 Click OK Example 5.2. Now enter: • Name: DHCPServer1 • Interface Filter: lan • IP Address Pool: DHCPRange1 • Netmask: 255.255.255.0 3. DHCP Services This example shows how to System > DHCP > DHCP Servers ...
Product Manual
Page 228
... the following command: gw-world:/> set DHCPServerPoolStaticHost 1 Host=192.168.1.12 MACAddress=00-90-12-13-14-15 Web Interface 1. Static DHCP Host Assignment This example shows how to assign the IP address 192.168.1.1 to also specify if the identifier will be shown... Example 5.3. Now enter: • Host: 19.168.1.1 • MAC: 00-90-12-13-14-15 3. DHCP Services can get certain extra information. 228 First, change the category to IP address 192.168.1.12 with an index number: gw-world:/> show DHCPServerPoolStaticHost 1 Property ----------- Add the static DHCP ...
Product Manual
Page 248
...an internal network from accessing the local network and can be blocked from virus spreading servers and hosts. B. Protecting an FTP Server with private IP addresses, shown below: 248 The FTP ALG Chapter 6. Infected servers that need to be within the range of the configured network range. The... want to take an infected FTP server off-line to be blocked by the NetDefend Firewall. Infected clients that need to be enabled to Chapter 12, ZoneDefense. Depending on a DMZ with an ALG As shown, an FTP Server is outside of the network to 2 scenarios: • A. When a ...
Product Manual
Page 257
.... Tip: Exclusion can be excluded from the SMTP server reply to the ZoneDefense Exclude List. The SMTP ALG Chapter 6. NetDefendOS offers two approaches to Chapter 12, ZoneDefense. 6.2.5.1. Security Mechanisms capa=PIPELINING To indicate that is sending an infected email using a well known free email company, blocking the sending server using ZoneDefense...
Product Manual
Page 288
...: GWToGK • Action: Allow • Service: H323-Gatekeeper • Source Interface: dmz • Destination Interface: vpn-hq • Source Network: ip-branchgw • Destination Network: hq-net • Comment: Allow the Gateway to communicate with the H.323 Gatekeeper at the head office, the NetDefend Firewalls in... (this rule should be in both the Branch and Remote Office firewalls). Click OK Example 6.11. Go to Rules > IP Rules > Add > IPRule 2. Click OK Example 6.12. Click OK Note: Outgoing calls do not need a specific rule There is no need to specify a specific rule for...
Product Manual
Page 303
...or stock quotes. refer to the Investment Sites category (11). Examples might be: • www.loadsofmoney.com.au • www.putsandcalls.com Category 12: E-Banking A web site may be classified under the Investment Sites category if its content includes electronic banking information or services. Examples might be: ...the E-Banking category if its content includes information, services or facilities pertaining to personal investment. refer to the E-Banking category (12). Dynamic Web Content Filtering Chapter 6. This category does not include electronic banking facilities;