Product Manual
Page 1
Network Security Firewall User Manual DFL-210/800/1600/2500 DFL-260/860/1660/2560(G) Ver 2.27.01 Network Security Solution http://www.dlink.com
Page 3
... this publication and to make changes from time to time in this manual, nor any implied warranties of such revision or changes. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. Limitations of D-Link. User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01...
Page 5
Service Groups 88 3.2.6. PPPoE 101 3.3.5. Interface Groups 107 3.4. Security Policies 116 3.5.2. Certificates in NetDefendOS 129 3.7.3. Overview 132 3.8.2. Setting Date and Time 132 3.8.3. Host Monitoring for Route Failover 156 4.2.6. The Ordering parameter 161 4.4. Custom ...120 3.5.5. Routing ...142 4.1. Overview 160 4.3.2. Policy-based Routing Rules 160 4.3.4. Setting Up OSPF 188 4.5.6. Settings Summary for Date and Time 136 3.9. Route Load Balancing 165 4.5. User Manual 3.2.3. Interfaces 90 3.3.1. Policy-based Routing 160 4.3.1.
Page 6
DHCP Servers 224 5.2.1. Security Mechanisms 237 6.1. Access Rule Settings 238 6.2. The H.323 ALG 275 6.2.10. Overview 309 6.4.2. Subscribing to the D-Link Anti-Virus Service 311 6.4.6. IDP Pattern Matching 319 6.5.6. The Land and... 227 5.2.2. Spanning Tree BPDU Support 217 4.7.5. Advanced Settings for Transparent Mode 218 5. Overview 240 6.2.2. Anti-Virus Scanning 309 6.4.1. User Manual 4.7. Transparent Mode 207 4.7.1. Transparent Mode Scenarios 213 4.7.4. Custom Options 228 5.3. IP Pools 233 6. Overview 237 6.1.2. The TLS ...
Page 7
...7.3. Translation of Multiple IP Addresses (M:N 348 7.4.3. All-to LAN Tunnels with Certificates 383 9.2.3. User Authentication 355 8.1. HTTP Authentication 369 8.3. Customizing HTML Pages 373 9. VPN Quick Start 381 9.2.1. ... 9.3.1. Overview 406 9.4.2. LAN to -One Mappings (N:1 350 7.4.4. IPsec Advanced Settings 421 9.5. L2TP Servers 426 9.5.3. VPN Troubleshooting 437 9.7.1. User Manual 7. Address Translation 334 7.1. Port Translation 350 7.4.5. SAT and FwdFast Rules 352 8. Authentication Setup 357 8.2.1. External RADIUS Servers 359 8.2.4. Authentication...
Page 8
....1.7. Pipe Groups 455 10.1.8. Limiting the Connection Rate/Total Connections 470 10.3.3. Multiple Triggered Actions 471 10.3.6. HA Advanced Settings 495 12. Manual Blocking and Exclude Lists 499 12.3.4. User Manual 9.7.2. Simple Bandwidth Limiting 447 10.1.4. The Importance of Specifying a Network 466 10.2.5. Logging 469 10.3. Grouping 471 10.3.4. Setting Up SLB_SAT Rules...
Page 9
Length Limit Settings 518 13.7. Fragmentation Settings 520 13.8. Miscellaneous Settings 525 A. IP Level Settings 504 13.2. Local Fragment Reassembly Settings 524 13.9. Verified MIME filetypes 533 D. State Settings 514 13.5. Subscribing to Updates 527 B. Connection Timeout Settings 516 13.6. IDP Signature Groups 529 C. TCP Level Settings 508 13.3. ICMP Level Settings 513 13.4. The OSI Framework 537 Alphabetical Index 538 9 User Manual 13.1.
Page 11
User Manual 10.10. Connections from Three Clients 476 10.11. Stickiness and Round-Robin 477 10.12. Stickiness and Connection-rate 477 D.1. The 7 Layers of the OSI Model 537 11
Page 13
...User Manual 4.14. Setting up a PSK based VPN tunnel for Scenario 1 214 4.18. Setting up a PPTP server 426 9.11. User Authentication Setup for H.323 288 6.12. Using an Algorithm Proposal List 401 9.2. Using an Identity List 404 9.4. if1 Configuration 202 4.16. Group Translation 203 4.17. Two Phones Behind Different NetDefend... H.323 with IPsec Tunnels 413 9.9. Allowing the H.323 Gateway to register with Gatekeeper and two NetDefend Firewalls 284 6.10. Translating Traffic to a Web Server on an Internal Network 346 7.5. Editing Content Filtering HTTP...
Page 14
... gray background as shown below. Where a "See chapter/section" link (such as appropriate. (The NetDefendOS CLI Reference Guide documents all ... the manual deals specifically with alphabetical lookup of subjects. Examples Examples in a new window (some basic knowledge of networks and network security. It... is Administrators who are responsible for configuring and managing NetDefend Firewalls which are largely textual descriptions of management interface ...to aid with NetDefendOS and administrators have a choice of management user interfaces. They are shown in bold case. Where a web ...
Page 30
... new D-Link NetDefend firewall with factory defaults, a default internal IP address is assigned automatically by NetDefendOS to the NetDefend model as follows: • On the NetDefend DFL-210, 260, 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-1660, ...of the same logical IP network for management of Internet Explorer or Firefox is successfully established, a user authentication dialog similar to the one shown below will then be manually given the following static IP values: • IP address: 192.168.1.30 • Subnet...
Page 32
... remote management policy. Discards any changes made to analyze a problem. Contains a number of sections corresponding to expose additional sections. Manually update or schedule updates of the system configuration. B. Menu bar The menu bar located at the top of the Web Interface... configuration or status details corresponding to download a file from the internal network. Management and Maintenance For information about the default user name and password, see Section 2.1.2, "The Default Administrator Account". The Web Interface Chapter 2. This option provides the option ...
Page 41
...file extension .sgs (Security Gateway Script). Upload the file to run the script file. Use the CLI command script -execute to the NetDefend Firewall using the -... in Section 2.1.6, "Secure Copy". 3. 2.1.5. Create a text file with a text editor containing a sequential list of CLI commands, NetDefendOS provides a feature called /scripts. The D-Link recommended convention is discussed...manual. Below is some typical output showing the local console session: gw-world:/> sessionmanager -list User Database IP Type Mode Access local (none) 0.0.0.0 local console admin If the user...
Page 102
...with any interface, one or more routes are then manually entered into client computers. Dial-on-demand If dial-... used in NetDefendOS for unnumbered PPPoE is traffic on outgoing traffic, incoming traffic or both. User authentication If user authentication is originated or NATed by default. This address can be the destination interface. For outbound...NetDefendOS receives this . 102 Also configurable is the time to be up when there is provided by the NetDefend Firewall. Unnumbered PPPoE When NetDefendOS acts as a PPPoE client, support for automatic sending to DHCP. The ...
Page 128
...by a Certificate Authority. The highest CA is a public key with identification attached, coupled with the name and user ID of an intended recipient. In this manual to accomplish key distribution and entity authentication. As a VPN network grows so does the complexity of the certificate holder...is with VPN Tunnels The main usage of a user certificate, the entire path from one certificate to other entities. It links an identity to a public key in order to establish whether a public key truly belongs to better manage security in NetDefendOS is a trusted entity that the ...
Page 129
...this way is a key reason why certificate security simplifies the administration of all certificates in this interval depends on how the CA is valid. Typically, this validity period expires, the certificate can still be uploaded to validate a user certificate in the certification path. • ... Chapter 3. CRLs are taken to verify the validity of the certificate: • Construct a certification path up to be configured manually. Identification Lists In addition to verifying the signatures of the CRL has to change the validity of all certificates that none of other...
Page 211
... with a NetDefendOS High Availability Cluster. Below is a typical scenario where a number of creating individual entries, an interface group could be manually configured for the interface and any corresponding non-switch routes are automatically added to the routing table for proxy ARP. 4.7.2. Finally, we ...that firstly, clients will hand out public IP addresses to separate two networks. This method is to use Proxy ARP to users. Secondly, and more importantly, their whereabouts and IP address through ARP exchanges. Enabling Internet Access Chapter 4. Enabling Transparent Mode...
Page 257
...viruses in the ZoneDefense section of the Web Interface. • Set up ZoneDefense with the SMTP ALG, the only scenario of users behind the NetDefend Firewall. When a client tries to use of the network. 6.2.5. The steps to an EHLO client command. When using ZoneDefense...the ZoneDefense Exclude List. Tip: Exclusion can waste resources, transport malware as well as a security issue on the email's origin. Integral to the NetDefendOS SMTP ALG is possible to manually configure certain hosts and servers to Chapter 12, ZoneDefense. 6.2.5.1. The SMTP ALG Chapter 6. ...
Page 292
... Layer Gateway accordingly. NetDefendOS includes support for removing the following mechanisms for an organization or group of users: • Active Content Handling can also be used to many security threats as well as hiding and showing elements on the category they have been classified into web pages...web pages of client-side code and in Section 6.2.2, "The HTTP ALG". 6.3.2. Common examples of this is one of the biggest sources for manually classifying web sites as "good" or "bad". Overview Web traffic is the scripting used to attack webservers) The object types to web sites...
Page 295
...web pages based on the content of the URLs in the databases is only available on the recently created HTTP ALG to the user explaining that category. Click OK Simply continue adding specific blacklists and whitelists until the filter satisfies the needs. 6.3.4. Dynamic WCF ...variety of categories such as the Action 6. To make an exception from the menu 5. If access is not necessary to manually specify beforehand which are dropped. Security Mechanisms 6. In the table, click on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. Dynamic Web Content Filtering 6.3.4.1.