Product Manual
Page 2
... 15 Change IP of the LAN or DMZ interface 15 WAN Interface Settings - Using L2TP 19 WAN Interface Settings - Contents Introduction 7 Features and Benefits 7 Introduction to Firewalls 7 Introduction to Local Area Networking 8 LEDs ...9 Physical Connections 9 Package Contents 10 System Requirements 10 Managing D-Link DFL-700 11 Resetting the DFL-700 11 Administration Settings 12 Administrative Access...
Product Manual
Page 7
Firewalls are (1) Internal/LAN, (1) External/WAN, and (1) DMZ port. A firewall can be configured to work with specific UDP or TCP ports to allow certain applications or games to work with an FTP or ... about your network from leaking out of your network. Or a firewall can also run specific security functions based on the type of application or type of hardware built specifically to or from your network. In addition the DFL-700 also provides a user-friendly Web UI that data is then checked against a set system...
Product Manual
Page 9
.... Do not use less than 1 client PC on that respective port is sending or receiving data. WAN, LAN, & DMZ: Bright Green illumination indicates a valid Ethernet Link on the internal office network. WAN Port: Use this port to connect to a Fast Ethernet Switch to the firewall software ...flicker when that respective port. LEDs Power: A solid light indicates a proper connection to be occupied by an ISP. DMZ Port: Use this switch to reset the DFL-700 to page 67 for further instructions. Solid illumination of the Status LED indicates a hardware/software critical failure. Refer to ...
Product Manual
Page 15
Step 2. Choose the correct Subnet mask of this interface. Choose which the DFL-700 is being configured is a DHCP client, you will need to be used as the gateway for the internal hosts or DMZ hosts. Failure to follow these steps to change under the Available interfaces list. Change IP of ...state prior to changing the LAN IP. Step 1. If the computer through which interface to view or change the IP of the LAN or DMZ interface. Step 3. This configuration will determine the IP addresses that will be changed to correspond with this interface from the drop down menu. ...
Product Manual
Page 28
...connection is found. If the action is then carried out. Policy modes The first step in configuring security policies is to the sender or, if the rejected packet was a TCP packet, a TCP ... NAT) and to match everything. 28 NAT mode policies hide the addresses of the internal and DMZ networks from public networks. In No NAT (Route) mode you can also create routed policies between...run in the Logging Settings page. The Action of the various action types available. To use DFL-700 network address translation to protect private networks from users on the Internet. Reject works basically the...
Product Manual
Page 34
... is no need for authentication for no scheduling. Choose Always for the policy. Note: Refer to Appendix C of the firewall to the LAN or DMZ. These are read from the dropdown menu or make a list of the firewall, or enter an additional IP address to be passed to. Pass... Servers The Port mapping / Virtual Servers configuration section is where you can configure virtual servers (such as a LAN Web server) on the LAN or DMZ Interfaces to be used mainly as a rule reference in the policy list. See the previous chapter for everyone (0.0.0.0/0). Click the Apply button below to apply...
Product Manual
Page 35
Step 2. Choose the mapping list (WAN, LAN, or DMZ) you want to the rule you would like do delete the mapping from. Click the Apply button below to apply the changes or click Cancel to delete a mapping. Step 1. Click on the Edit link corresponding to delete. Step 3. Delete mapping Follow these steps to discard changes. Enable the Delete mapping checkbox.
Product Manual
Page 53
... choose LAN-to protect a branch office and a small main office. Communication between an internal network behind one VPN gateway and a DMZ network behind the other DFL-700 as IPSec VPN gateways to create a VPN tunnel that connects the branch office network to the main office network. Both of the ...the firewall on the internal networks are not aware that when they connect to -LAN Tunnel. Step 5. Step 4. DFL-700 Firewall The example shows an IPSec VPN between two remote DMZ networks. Enter a Name for example 192.168.1.0/255.255.255.0, in the name field. Also specify the external...
Product Manual
Page 54
...PSK (Pre-shared Key) or Certificate-based. Click the Apply button below to apply the changes or click Cancel to add a roaming user tunnel. DFL-700 Firewall The example shows a VPN between a roaming VPN client and the internal network, but you configure the VPN policy. Step 1. VPN between the ...a-z), and the special characters and _. Step 2. Enter a Name for example 192.168.1.0/255.255.255.0, in an encrypted VPN tunnel that uses the DMZ network. This is the network your side of the VPN tunnel are allowed. Go to the main office internal network from anywhere on the Internet...
Product Manual
Page 63
... of the DHCP Server; Optionally type in the DNS servers the DHCP server will assign to the clients; note that it should be on the DMZ. Enable DHCP Server To enable the DHCP Server on an interface, click on Servers in the menu bar, and then click DHCP Server below it...
Product Manual
Page 72
... interface. MAC Address - Current amount of the interface being viewed, LAN, WAN, or DMZ. Click on WAN or DMZ for more information about the interfaces on Status in the menu bar, and then click Interfaces below it. Displays what link the current interface has. MAC address of traffic sent through the interfaces during... be displayed. Current amount of the interface. There are also two graphs displaying the send and receive rate through the interface. Interfaces Click on the DFL-700.
Product Manual
Page 77
...=1174 if0=core ip0=127.0.0.1 tp0=0.00 if1=wan ip1=192.168.10.2 tp1=11.93 if2=lan ip2=192.168.0.1 tp2=13.27 if3=dmz ip3=192.168.1.1 tp3=0.99 The value after "tp" is dropped. Example: Oct 20 2003 09:42:25 gateway EFW: DROP: prio=1 rule=Rule_1 action...
Product Manual
Page 115
The policy setup is quite similar. Intrusion Detection and Prevention Intrusion detection and prevention can be enabled for the web server, Firewall->Port Mapping: Under Configured mappings, click Add new In this example we are connected to a web server on the firewall. To set up intrusion detection and prevention to the DMZ interface on the DMZ net, follow these steps: 1. Create a Port mapping for both policies and port mappings. In this example a mail server with IP 192.168.2.4 and a web server with IP 192.168.2.5 are using a port mapping.
Product Manual
Page 121
... of the Firewall to a Server located on either the internal LAN or DMZ Network The goal is to map two internal web servers (port 80) to two Public IP addresses provided by the DFL-700; For an increased level of protection from Network Intrusions or malicious attacks, ...isolation of those servers happens to directly access the private internal Network. The DFL-700 provides a physical DMZ network interface specifically for this purpose. This will ensure that if one of servers accessible to the public from the Private network...
Product Manual
Page 122
Select the Add New link to create the following firewall settings: - The above static route configuration explicitly defines the interface that the Internal Server is connected to (LAN or DMZ). Create two port mappings (one for each private Server) Routing configuration: Static Route Configuration for each public IP mapping to each public IP...
Product Manual
Page 123
NOTE: Be sure to enable Proxy ARP for both routes or the Firewall will not forward traffic destined for a Server on the DMZ: Navigate to Internal servers. Enable the Proxy ARP feature. Static Route Configuration for the specified Public IP addresses to the SYSTEM tab, then ...the ROUTING page of the Web-based configuration. Select the Add New link to (LAN or DMZ). Select the Interface that the additional Public IP address should be forwarded in the Network field. The above static route configuration explicitly ...
Product Manual
Page 125
...be forwarded in mind that this configuration uses Network Address Translation. Select the Service to be mapped to Internal Servers for a Server on the DMZ: Navigate to be aware of the type of the Server in use. Click Activate Changes to save the configuration. Similar steps can be taken ... to be forwarded to create a new Port Mapping. Click Apply to apply changes and restart. Configure Port Mapping/Virtual Server Rules for DMZ Server: Virtual Server Configuration for access from Public Hosts. Enter the Private IP of service in the Pass To field. Click the Add New...
Product Manual
Page 126
...to forward to a server on which interface the Public IP will use the other(s). Example Scenario using DMZ w/out NAT: An alternative method to that described in the web-based configuration of the DFL-700. Be sure to save any changes. 126 Click Apply to have Proxy ARP enabled by checking the ... subnet mask from the Subnet Mask dropdown box. Navigate to SYSTEM > ROUTING in the preceding pages is to isolate publicly accessible servers to the DMZ interface with NAT disabled. This configuration requires multiple (at least 2) Public IP addresses to create a new static route. Select...
Product Manual
Page 128
... NAT on the DMZ Interface: By default the DFL-700 is enabled to allow services on the DMZ interface to be accessible from the WAN, incoming policies must be activated. requires public IP addresses on the Activate button under the left-hand-side menu. Click on DMZ network radio button.... No NAT - To allow those services. Navigate to modify the behavior of the DMZ interface. Once all changes are final, those changes. Disable NAT on both LAN and DMZ interfaces. Click on DMZ->WAN to Firewall > Policy in the Firewall Policy configuration section. Follow the on the...
Product Manual
Page 129
...cookies. To help reduce the likelihood of malicious software reaching the PCs on the LAN or DMZ of the NetDefend Firewall, filtering of websites, domains, and even file types based on an interface (LAN or DMZ) must be made in order to a rule using the HTTP ALG. This filter can... are laced with spy-ware or viral programs that the content filtering specifications are numerous vehicles for HTTP content filtering to either LAN or DMZ interface simultaneously or independent of one another. There are global and will always be applied to be delivered in mind that become active and...