Product Manual
Page 3
Firewall 28
Policy 28
Policy modes 28
Action Types 28
Source and Destination Filter 28
...
User 36
Change Administrative User Access level 37
Change Administrative User Password 37
Delete Administrative User 38
Users 39
The DFL-700 RADIUS Support 39
Enable User Authentication via HTTP / HTTPS 40
Enable RADIUS Support 40
Add User ... 41
Change ...
Adding TCP, UDP or TCP/UDP Service 45
Adding IP Protocol 46
Grouping Services 46
Protocol-independent settings 47
VPN ... 48
Introduction to IPSec 48
Introduction to PPTP 48
Introduction to L2TP 49
Point-to-Point Protocol 49
Authentication ...
Product Manual
Page 7
... Applets, JavaScript, and VBScript from HTTP traffic z Bandwidth Management DFL-700 features an extensive Traffic Shaper for different users, such as a firewall. In addition the DFL-700 also provides a user-friendly Web UI that allows users to ...Firewall Security z VPN Server/Client Supported Supports IPSec LAN-to-LAN or Roaming user tunnels with an FTP or Telnet server. If any networked computer's Web browser using firewall software or a special piece of hardware built specifically to act as Admin or Read-Only User. This method is called packet filtering. Introduction The DFL-700...
Product Manual
Page 22
... like this route via another interface. Additional IP Address - The DFL-700 uses a slightly different method of the firewall will also be automatically published on the corresponding interface. Specifies the IP...as a gateway. If the network is directly connected to the firewall interface, no need to cause errors or breaches in security. If no address is no gateway address is normally routed via ...The major difference between this form of all interfaces (except WAN) if enabled on the VPN tunnel. 22 this will provide a list of notation is that you specify the IP address...
Product Manual
Page 48
...firewalls on which methods will be at least two SA per IPSec connection. VPN Introduction to IPSec This chapter introduces IPSec, the method, or rather set of Certificates and IPSec lifetime to make a VPN connection. Each SA is the initial negotiation phase, where the two VPN... endpoints agree on both ends must use the same Pre-shared key or set of the DFL-700... • Point-to provide IP security at the network layer. Introduction to PPTP PPTP, Point-to provide security for the underlying IP traffic. PPTP...
Product Manual
Page 53
...these steps to add a LAN-to -LAN tunnel and specify the network behind another or between two remote DMZ networks. DFL-700 Firewall The example shows an IPSec VPN between the two networks takes place in the name field. Go to discard changes. Enter a Name for example 192.168... 5. Choose authentication type, either an IP or a DNS name. Creating a LAN-to-LAN IPSec VPN Tunnel Follow these steps with the firewall on the other DFL-700 as IPSec VPN gateways to create a VPN tunnel that connects the branch office network to a computer on the internal networks are not aware that the...
Product Manual
Page 54
Communication between the client and the internal network takes place in the Local Net field. DFL-700 Firewall The example shows a VPN between client and an internal network In the following example users can connect to the main office internal network from anywhere on the Internet. ...make sure the clients use exactly the same PSK. If you configure the VPN policy. Step 1. This is the network your side of the VPN tunnel are allowed. Step 2. The name can also create a VPN tunnel that connects the DFL-700 and the roaming users across the Internet. Specify your local network, or ...
Product Manual
Page 55
... a-z), and the special characters '-' and '_'. Click the Apply button below to apply the change or click Cancel to discard changes. Go to Firewall and VPN and choose Add new PPTP client or Add new L2TP client in the L2TP/PPTP Clients section. The name can contain numbers (0-9) and upper ... Step 4. Step 1. This field should be used. this should be handed out to add an L2TP or PPTP VPN Client configuration. Specify the Client IP Pool; Go to Firewall and VPN and choose Add new PPTP server or Add new L2TP server in the L2TP/PPTP Server section. Enter the username...
Product Manual
Page 56
...Always tries to indicate NAT-T support when setting up the tunnel. Keepalives No keepalives - The firewall will not send the necessary Vendor ID's to use NAT-T if one of the VPN tunnel. Advanced Settings Advanced settings for each phase-2 negotiation. IKE Mode Specify if Main mode IKE... Secrecy If PFS, Perfect Forwarding Secrecy, is enabled, a new Diffie-Hellman exchange is performed for a VPN tunnel is used when sending the ICMP pings. 56 PFS is used when establishing outbound VPN Tunnels. The firewall will send ICMP pings to 1 (modp 768-bit), 2 (modp 1024-bit), or 5 (modp...
Product Manual
Page 58
...called end-entity certificates. The following steps are commonly called Admin. Certificate Authorities This is a list of individual remote peers. It links an identity to a public key in the Certificates field on the other entities. These certificates can be selected in the Certificates field ...based authentication can be set up a VPN tunnel, the firewall has to be used by a given CA. This is the certificate used to authenticate individual users or other hand, you to specify a name for HTTPS access to the DFL-700. The firewall trusts anyone whose certificate is signed ...
Product Manual
Page 59
... Identity list can establish a VPN tunnel, even among peers signed by a CA whose certificate is present in the Certificates field in the Remote Peers list even if Add New was clicked in the Remote Peers list. If an Identity List is configured, the firewall will automatically be used , no... identity matching is performed. However, in the Identity List field on the VPN page to open the VPN tunnel if it will match the identity of the connecting remote peer against ...
Product Manual
Page 71
...- one shows the CPU usage during the last 24 hours. The time the firewall has been running on the firewall. System Click on this section, the DFL-700 displays the status information about the DFL-700. The other shows the state table usage during the last 24 hours. Administrator... may use the Status section to check the System Status, Interface statistics, VPN status, IP ...
Product Manual
Page 80
LAN-to-LAN VPN using IPSec

Settings for Branch office

1. Setup interfaces, System->Interfaces:
   WAN IP: 194.0.2.10
   LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0

2. Setup IPSec tunnel, Firewall->VPN:
   Under IPSec tunnels click Add new
   Name the tunnel ToMainOffice
   Local net: 192.168.4.0/24
   PSK: 1234567890 (Do not use this as your PSK)
   Retype PSK: 1234567890
Product Manual
Page 81
   Select Tunnel type: LAN-to-LAN tunnel
   Remote Net: 192.168.1.0/24
   Remote Gateway: 194.0.2.20
   Enable Automatically add a route for the remote network
   Click Apply

3. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply

4. Click Activate and wait for the firewall to restart
Product Manual
Page 82
Settings for Main office

1. Setup interfaces, System->Interfaces:
   WAN IP: 194.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0

2. Setup IPSec tunnel, Firewall->VPN:
   Under IPSec tunnels click Add new
   Name the tunnel ToBranchOffice
   Local net: 192.168.1.0/24
   PSK: 1234567890 (Note! You should use a key that is hard to guess)
   Retype PSK: 1234567890
   Select Tunnel type: LAN-to-LAN tunnel
   Remote Net: 192.168.4.0/24
   Remote Gateway: 194.0.2.10
   Enable "Automatically add a route for the remote network"
   Click Apply
Product Manual
Page 83
3. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply

4. Click Activate and wait for the firewall to restart

This example will allow all traffic between the two offices. To get a more secure solution read the A more secure LAN-to-LAN VPN solution section of this user guide.
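The Branch office and Main office settings above must mirror each other exactly (Local net/Remote Net, WAN IP/Remote Gateway, identical PSK), and the manual twice warns against the placeholder PSK. As an added example that is not part of the D-Link manual, the Python script below encodes both endpoints from the example as dictionaries (field names are an assumption of this script, not the DFL-700's) and reports every inconsistency and weak-key problem it finds:

```python
import ipaddress
import string

# Constructed sample: the two endpoints of the manual's LAN-to-LAN IPSec example
# (Branch office, pages 80-81; Main office, page 82). Field names are this script's own.
BRANCH = {
    "name": "ToMainOffice", "wan_ip": "194.0.2.10", "lan_ip": "192.168.4.1",
    "local_net": "192.168.4.0/24", "remote_net": "192.168.1.0/24",
    "remote_gateway": "194.0.2.20", "psk": "1234567890",
}
MAIN = {
    "name": "ToBranchOffice", "wan_ip": "194.0.2.20", "lan_ip": "192.168.1.1",
    "local_net": "192.168.1.0/24", "remote_net": "192.168.4.0/24",
    "remote_gateway": "194.0.2.10", "psk": "1234567890",
}


def psk_problems(psk, min_len=20):
    """Flag a pre-shared key that is short or drawn from too few character classes."""
    problems = []
    if len(psk) < min_len:
        problems.append(f"PSK is {len(psk)} chars, want at least {min_len}")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    used = sum(any(c in cls for c in psk) for cls in classes)
    if used < 3:
        problems.append(f"PSK uses {used} character class(es), want at least 3")
    return problems


def mirror_problems(a, b):
    """One direction of the mirror check: a's remote side must describe b's local side."""
    problems = []
    if ipaddress.ip_network(a["remote_net"]) != ipaddress.ip_network(b["local_net"]):
        problems.append(f"{a['name']}: Remote Net {a['remote_net']} != {b['name']} Local net {b['local_net']}")
    if ipaddress.ip_address(a["remote_gateway"]) != ipaddress.ip_address(b["wan_ip"]):
        problems.append(f"{a['name']}: Remote Gateway {a['remote_gateway']} != {b['name']} WAN IP {b['wan_ip']}")
    if ipaddress.ip_address(a["lan_ip"]) not in ipaddress.ip_network(a["local_net"]):
        problems.append(f"{a['name']}: LAN IP {a['lan_ip']} is outside Local net {a['local_net']}")
    return problems


def check_tunnel_pair(a, b):
    """Return every finding for a LAN-to-LAN pair; an empty list means the pair is consistent."""
    findings = mirror_problems(a, b) + mirror_problems(b, a)
    if a["psk"] != b["psk"]:
        findings.append("PSK differs between the two endpoints; IKE phase 1 will fail")
    if ipaddress.ip_network(a["local_net"]).overlaps(ipaddress.ip_network(b["local_net"])):
        findings.append("Local nets overlap; the automatically added tunnel routes will be ambiguous")
    for side in (a, b):
        findings.extend(f"{side['name']}: {p}" for p in psk_problems(side["psk"]))
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_pair(BRANCH, MAIN) or ["no findings"]:
        print(finding)
```

Run against the manual's values the only findings are the two weak-PSK warnings per endpoint, which is exactly the point of the manual's "Do not use this as your PSK" note.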
Product Manual
Page 84
LAN-to-LAN VPN using PPTP

Settings for Branch office

1. Setup interfaces, System->Interfaces:
   WAN IP: 194.0.2.10
   LAN IP: 192.168.4.1, Subnet mask: 255.255.255.0

2. Setup PPTP client, Firewall->VPN:
   Under PPTP/L2TP clients click Add new PPTP client
   Name the tunnel toMainOffice
Product Manual
Page 86
   Under MPPE encryption 128 bit should be the only checked option.
   Leave Use IPSec encryption unchecked
   Click Apply

3. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply

4. Click Activate and wait for the firewall to restart.

Settings for Main office

1. Setup interfaces, System->Interfaces:
   WAN IP: 194.0.2.20
   LAN IP: 192.168.1.1, Subnet mask: 255.255.255.0
Product Manual
Page 87
2. Setup PPTP server, Firewall->VPN:
   Under L2TP / PPTP Server click Add new PPTP server
   Name the server pptpServer
   Leave Outer IP and Inner IP blank
   Set client IP pool to 192.168.1.100 - 192.168.1.199
   Check Proxy ARP dynamically added routes
   Check Use unit's own DNS relayer addresses
   Leave WINS settings blank
Product Manual
Page 88
   Under MPPE encryption 128 bit should be the only checked option.
   Under authentication MSCHAPv2 should be the only checked option.
   Leave Use IPsec encryption unchecked
   Click Apply

3. Setup policies for the new tunnel, Firewall->Policy:
   Click Global policy parameters
   Enable Allow all VPN traffic: internal->VPN, VPN->internal and VPN->VPN
   Click Apply
Product Manual
Page 89
4. ...: Select Local database
   Click Apply

5. Add a new user, Firewall->Users:
   Under Users in local database click Add new
   Name the new user BranchOffice
   Enter password: 1234567890
   Retype password: 1234567890
   Leave static client IP empty (... 192.168.1.200; if no IP is set the IP pool from the PPTP server settings are used).
   Set Networks behind user to 192.168.4.0/24
   Click Apply

6. Click Activate and wait for the firewall to restart.

This example will allow all traffic between the two offices. To get a more secure solution read the A more secure LAN-to-LAN VPN solution section.