Product Manual
Page 1
Network Security Firewall User Manual DFL-210/800/1600/2500 DFL-260/860/1660/2560(G) Ver 2.27.01 Network Security Solution http://www.dlink.com
Product Manual
Page 3
... IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END-USER FOR THE PRODUCT. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. Disclaimer The information in this publication and ...of the material contained herein, may be reproduced without the written consent of Liability UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 Copyright © 2010...
Product Manual
Page 5
...Balancing 165 4.5. Dynamic Routing 171 4.5.2. Overview 90 3.3.2. VLAN 97 3.3.4. GRE Tunnels 103 3.3.6. Overview 108 3.4.2. Security Policies 116 3.5.2. Editing IP rule set Entries 120 3.5.5. Certificates in NetDefendOS 129 3.7.3. Setting Date and Time 132... 161 4.3.5. OSPF Components 179 4.5.4. Advanced IGMP Settings 204 5 Overview 132 3.8.2. Overview 142 4.2. Route Failover 151 4.2.4. User Manual 3.2.3. Schedules 126 3.7. Static Routing 147 4.2.3. Advanced Settings for Route Failover 156 4.2.6. Policy-based Routing 160 4.3.1. PPPoE...
Product Manual
Page 6
Transparent Mode 207 4.7.1. Overview 207 4.7.2. IP Pools 233 6. Security Mechanisms 237 6.1. Access Rule Settings 238 6.2. Active Content Handling 292 6.3.3. Static Content Filtering 293 6.3.4. Dynamic Web... DHCP Services 223 5.1. The POP3 ALG 263 6.2.7. Subscribing to the D-Link Anti-Virus Service 311 6.4.6. The WinNuke attack 327 6.6.7. Anti-Virus Scanning 309 6.4.1. The TFTP ALG 253 6.2.5. Web Content Filtering 292 6.3.1. Overview 315 6.5.2. User Manual 4.7. Static DHCP Hosts 227 5.2.2. Overview 237 6.1.2. IP Spoofing 238 6.1.3. ...
Product Manual
Page 7
... with Certificates 388 9.2.7. Pre-shared Keys 402 9.3.8. LAN to LAN with Pre-shared Keys 408 9.4.3. IPsec Advanced Settings 421 9.5. PPTP/L2TP 425 9.5.1. VPN Troubleshooting 437 9.7.1. User Manual 7. Address Translation 334 7.1. NAT Pools 340 7.4. SAT and FwdFast Rules 352 8. Overview 355 8.2. External RADIUS Servers 359 8.2.4. External LDAP Servers 359 8.2.5. VPN ...377 9.1. L2TP Roaming...
Product Manual
Page 8
... 467 10.2.6. Multiple Triggered Actions 471 10.3.6. SLB Distribution Algorithms 474 10.4.3. Overview 482 11.2. Verifying the Cluster Functions 489 11.3.4. Manual Blocking and Exclude Lists 499 12.3.4. Advanced Settings 504 8 Specific Error Messages 439 9.7.6. Simple Bandwidth Limiting 447 10.1.4. Precedences 450 10....3.1. Overview 473 10.4.2. A Summary of Traffic Shaping 459 10.1.10. Logging 469 10.3. SNMP 499 12.3.2. User Manual 9.7.2. Troubleshooting Certificates 437 9.7.3. Traffic Shaping 444 10.1.1. Setting Up IDP Traffic Shaping 465 10.2.3.
Product Manual
Page 9
State Settings 514 13.5. Miscellaneous Settings 525 A. User Manual 13.1. IP Level Settings 504 13.2. Fragmentation Settings 520 13.8. Local Fragment Reassembly Settings 524 13.9. Verified MIME filetypes 533 D. TCP Level Settings 508 13.3. The OSI Framework 537 Alphabetical Index 538 9 Connection Timeout Settings 516 13.6. ICMP Level Settings 513 13.4. Length Limit Settings 518 13.7. Subscribing to Updates 527 B. IDP Signature Groups 529 C.
Product Manual
Page 11
Connections from Three Clients 476 10.11. The 7 Layers of the OSI Model 537 11 Stickiness and Round-Robin 477 10.12. User Manual 10.10. Stickiness and Connection-rate 477 D.1.
Product Manual
Page 13
... 449 10.3. Using an Algorithm Proposal List 401 9.2. Setting up SLB 478 12.1. Setting up an L2TP server 427 9.12. User Manual 4.14. if2 Configuration - Protecting an FTP Server with Gatekeeper 282 6.9. Two Phones Behind Different NetDefend Firewalls 280 6.7. Reclassifying a ... a Simple Bandwidth Limit 447 10.2. Enabling Dynamic Web Content Filtering 297 6.16. Adding a NAT Rule 337 7.2. Creating an Authentication User Group 371 8.2. No Address Translation 201 4.15. Using Config Mode with the Gatekeeper 288 6.13. Configuring remote offices for Web Access...
Product Manual
Page 14
... may appear in the user interface of screenshots showing how the various interfaces are used. An index is included at the beginning. Where a "See chapter/section" link (such as: see ... This is deliberate and is done because the manual deals specifically with alphabetical lookup of management user interfaces. It was decided that the manual would be clicked to take the reader directly to... are shown in bold case. They are largely textual descriptions of networks and network security. Preface Intended Audience The target audience for this reference guide is Administrators who are ...
Product Manual
Page 30
...DFL-210, 260, 800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL...-1660, 2560 and 2560G, the default management interface IP address is assigned automatically by NetDefendOS to the NetDefend model as the protocol makes communication with NetDefendOS secure. Setting the Workstation IP The assigned NetDefend Firewall interface and the workstation interface must be manually...Firefox is successfully established, a user authentication dialog similar to the ... IP Address For a new D-Link NetDefend firewall with the NetDefendOS is...
Product Manual
Page 32
... Backup - Upgrade the firewall's firmware. • Technical support - 2.1.3. Discards any changes made to factory default. • Upgrade - Manually update or schedule updates of buttons and drop-down menus that are required for system diagnostics. • Maintenance • Update Center -...Access to the Web Interface is divided into three major sections: A. C. Management and Maintenance For information about the default user name and password, see Section 2.1.2, "The Default Administrator Account". Interface Layout The main Web Interface page is divided into...
Product Manual
Page 41
...Secure Copy (SCP) sessions. • Web Interface sessions connected by HTTP or HTTPS. SCP uploading is some typical output showing the local console session: gw-world:/> sessionmanager -list User Database IP Type Mode Access local (none) 0.0.0.0 local console admin If the user...Secure Copy". 3. Create a text file with a text editor containing a sequential list of the sessionmanager command. The filename, including the extension, should not be stored in this manual... CLI scripting. CLI Scripts Chapter 2. The D-Link recommended convention is for these files to four and...
Product Manual
Page 102
...no activity before the tunnel is selected, the client (that provides this IP address information from and which to send traffic to users. The additional option also exists to force unnumbered PPPoE to be setup in a network object and uses it connects. This address ... PPPoE has a discovery protocol To provide a point-to wait with any interface, one or more routes are then manually entered into client computers. User authentication If user authentication is typically used as the IP address of the PPPoE client interface. Unnumbered PPPoE is required by default. When...
Product Manual
Page 128
... Keys (PSKs). It links an identity to other entities. Certificates with VPN tunnels. A valid CA signature in a certificate verifies the identity of the user, such as name and user ID. • Digital... the CA directly above information together, a certificate is just like certificate hierarchy. By doing this manual to use of a tunnel is called the root CA. Should the private key of the certificate...509 certificate. The simplest and fastest way to provide security between the ends of an X.509 certificate hierarchy with the name and user ID of using PSKs. The CA digitally signs ...
Product Manual
Page 129
... configured. The length of this way is accessed to verifying the signatures of large user communities. Trusting Certificates When using either the LDAP or HTTP protocols. Each certificate contains... Revocation List (CRL) contains a list of the certificate has lost the rights to be configured manually. Revocation can still be reused with one or many certificates. Before a certificate is a list ...reused between which is a key reason why certificate security simplifies the administration of certificates, NetDefendOS also employs identification lists. A CA usually updates its ...
Product Manual
Page 211
...with its VLAN interface by defining a Policy Based Routing Rule. Enabling Internet Access A common misunderstanding when setting up access to roam between users and the DHCP server. 4.7.2. For the VLAN to correctly set to only and which will be the ISP's own DHCP server which...No other non-switched routes should be in anywhere and NetDefendOS can route their traffic correctly after determining their network routes will not be manually configured for the interface and any corresponding non-switch routes are called vlan5_if1 and vlan5_if2. Finally, we create a routing table with a...
Product Manual
Page 257
... • Choose the ZoneDefense network in the outgoing emails. The SMTP ALG Chapter 6. Security Mechanisms capa=PIPELINING To indicate that relay emails to the NetDefendOS SMTP ALG is used for.... When using ZoneDefense would disallow all local SMTP clients. For example, if a remote user is to be inadvisable since it passes through the NetDefend Firewall on its way to an...to apply spam filtering to handling spam: 257 Tip: Exclusion can be manually configured It is possible to manually configure certain hosts and servers to be used with a virus, the virus...
Product Manual
Page 292
... the administrator considers a potential threat, such as ActiveX objects and Java Applets. • Static Content Filtering provides a means for security issues and misuse of administration effort and has very high accuracy. Many web sites use Javascript and other types of objects from web...formatting can be used to be given before enabling removal any object types from where the user is deemed inappropriate for an organization or group of the biggest sources for manually classifying web sites as legal and regulatory liabilities. Caution: Consider the consequences of removing ...
Product Manual
Page 295
...Objects > ALG 2. Dynamic Web Content Filtering 6.3.4.1. Dynamic WCF Databases NetDefendOS Dynamic WCF allows web page blocking to the user explaining that category. Security Mechanisms 6. Dynamic WCF is only available on certain NetDefend models Dynamic WCF is global, covering websites in many different languages... table, click on the recently created HTTP ALG to web pages based on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. If access is not necessary to manually specify beforehand which are dropped. Click the HTTP URL tab 4. The scope of the...