Product Manual
Page 1
Network Security Firewall User Manual, DFL-210/800/1600/2500 and DFL-260/860/1660/2560(G), Ver 2.27.01. Network Security Solution. http://www.dlink.com
Page 3
...-USER FOR THE PRODUCT. Limitations of merchantability or fitness for a particular purpose. D-Link reserves the right to change without the written consent of such revision or changes. User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22... Copyright © 2010 Copyright Notice This publication, including all rights reserved. D-Link makes no representations or warranties with all photographs...
Page 5
...Rules 185 4.5.5. Setting Up OSPF 188 4.5.6. Overview 194 4.6.2. Custom Service Timeouts 89 3.3. VLAN 97 3.3.4. PPPoE 101 3.3.5. Security Policies 116 3.5.2. Editing IP rule set Entries 120 3.5.5. Setting Date and Time 132 3.8.3. The Principles of Routing 143 4.2.2....130 3.8. Overview 132 3.8.2. Settings Summary for Date and Time 136 3.9. Interface Groups 107 3.4. Certificates in NetDefendOS 129 3.7.3. User Manual 3.2.3. Routing Table Selection 161 4.3.5. Custom IP Protocol Services 88 3.2.5. Interfaces 90 3.3.1. Time Servers 133 3.8.4. Service Groups 88 3.2.6....
Page 6
... Nestea ...... 327 6.6.5. TCP SYN Flood Attacks 329 6.6.9. Blacklisting Hosts and Networks 331 6 User Manual 4.7. Transparent Mode 207 4.7.1. Overview 207 4.7.2. Enabling Internet Access 211 4.7.3. Transparent Mode Scenarios 213 4.7.4. Spanning Tree BPDU Support 217 ...4.7.5. Advanced Settings for D-Link Models 315 6.5.3. Overview 223 5.2. Static DHCP Hosts 227 5.2.2. Custom Options 228 5.3. DHCP Relaying 230 5.3.1. DHCP Relay Advanced Settings 231 5.4. IP Pools 233 6. Security Mechanisms 237 6.1. Overview 237 6.1.2. IP Spoofing 238...
Page 7
... 9.2.3. LAN to LAN with Certificates 388 9.2.7. Fetching CRLs from an alternate LDAP server 413 9.4.5. IPsec Advanced Settings 421 9.5. L2TP/PPTP Server advanced settings 430 9.5.4. User Manual 7. Port Translation 350 7.4.5. External RADIUS Servers 359 8.2.4. A Group Usage Example 369 8.2.8. IPsec LAN to -One Mappings (N:1 350 7.4.4. NAT Traversal 399 9.3.6. Troubleshooting with Pre-shared Keys...
Page 8
...473 10.4.1. Setting Up HA 487 11.3.1. HA Hardware Setup 487 11.3.2. HA Advanced Settings 495 12. Overview 497 12.2. Manual Blocking and Exclude Lists 499 12.3.4. Traffic Shaping 444 10.1.1. Simple Bandwidth Limiting 447 10.1.4. Pipe Groups 455 10.1.8. IDP ...A P2P Scenario 467 10.2.6. SLB Algorithms and Stickiness 476 10.4.5. Setting Up SLB_SAT Rules 478 11. HA Mechanisms 484 11.3. NetDefendOS Manual HA Setup 488 11.3.3. Upgrading an HA Cluster 493 11.6. SNMP 499 12.3.2. IPsec Troubleshooting Commands 438 9.7.4. Traffic Shaping in Both Directions...
Page 9
Connection Timeout Settings 516 13.6. Fragmentation Settings 520 13.8. Local Fragment Reassembly Settings 524 13.9. Subscribing to Updates 527 B. ICMP Level Settings 513 13.4. Length Limit Settings 518 13.7. IDP Signature Groups 529 C. Miscellaneous Settings 525 A. State Settings 514 13.5. IP Level Settings 504 13.2. Verified MIME filetypes 533 D. The OSI Framework 537 Alphabetical Index 538 9 User Manual 13.1. TCP Level Settings 508 13.3.
Page 11
Connections from Three Clients 476 10.11. Stickiness and Round-Robin 477 10.12. The 7 Layers of the OSI Model 537 11 Stickiness and Connection-rate 477 D.1. User Manual 10.10.
Page 12
...79 3.6. Configuring a PPPoE Client 103 3.12. Defining a Static ARP Entry 110 3.16. Setting the Time Zone 133 3.22. Enabling the D-Link NTP Server 136 3.28. Creating the Route 162 4.5. Adding a Configuration Object 52 2.7. Enable Logging to an SNMP Trap Receiver 58 2.13. ...an OSPF AS into an OSPF AS 193 4.12. Address Translation 198 12 Defining a VLAN 100 3.11. Displaying a Configuration Object 50 2.5. Manually Triggering a Time Synchronization 135 3.25. Displaying the Core Routes 150 4.3. Forwarding of Examples 1. Adding an IP Protocol Service 88 3.10. ...
Page 13
... based VPN tunnel for Scenario 2 215 5.1. Setting up a PPTP server 426 9.11. Setting up an Access Rule 239 6.2. Applying a Simple Bandwidth Limit 447 10.2. User Manual 4.14. IGMP - No Address Translation 201 4.15. Group Translation 203 4.17. Protecting an FTP Server with IPsec Tunnels 413 9.9. Stripping ActiveX and Java applets 293...
Page 14
... lookup of management interface usage. Examples Examples in the user interface of networks and network security. An index is being introduced for the first time or being in a new window ... is designated by the header Example and appear with an explanatory image. Where a "See chapter/section" link (such as: see Chapter 9, VPN) is found here, sometimes with a gray background as appropriate. ...in the main text outside of an example, it will appear in italics. Text that the manual would appear here. Examples are given but these are also typically a numbered list showing what...
Page 30
... be shown in other words, https://192.168.1.1). If communication with NetDefendOS secure. Enter your username and password and click the Login button. The Web Interface...800, 860, 1600 and 2500, the default management interface IP address is 192.168.1.1. • On the NetDefend DFL-1660, 2560 and 2560G, the default management interface IP address is 192.168.10.1. Assignment of a Default IP Address For a new D-Link...or the LAN interface on the workstation (the latest version of the workstation must be manually given the following static IP values: • IP address: 192.168.1.30 •...
Page 32
... the internal network. C. Main Window The main window contains configuration or status details corresponding to analyze a problem. Saves and activates the configuration. • Discard Changes - Manually update or schedule updates of the system configuration. This can be used to perform configuration tasks as well as for maintaining the system. • Status...
Page 41
... to easily store and execute sets of the sessionmanager command. The D-Link recommended convention is a predefined sequence of CLI commands which can be executed after they can forcibly terminate another management session using Secure Copy (SCP). 2.1.5. The command without any options gives a summary ...CLI Reference Guide and specific examples of the command is the tool used for creating a CLI script are fully documented in this manual. Use the CLI command script -execute to the NetDefend Firewall using the -disconnect option of CLI commands, NetDefendOS provides a feature...
Page 102
... User authentication If user authentication is used in a network object and uses it connects. A further option with any interface, one or more routes are then manually entered into client computers. If unnumbered PPPoE is provided by the ISP, the username and password can be the destination interface.
Page 104
... updated. This option would normally be given a value. GRE allows tunneling though the network device. An ICMP Ping can be necessary to manually create the required route. 104 The Advanced settings for the communication and is to set the source IP on the IP rule that is ...to distinguish between the same two endpoints. 3.3.5. GRE Security and Performance A GRE tunnel does not use any encryption for a GRE interface are : • IP Address This is achievable because of data integrity...
Page 109
...). Flushing the ARP Cache This example shows how to flush the ARP Cache from the cache and forces NetDefendOS to issue new ARP queries to manually force the update. The default value for . Flushing can be necessary to discover the MAC/IP address mappings for dynamic ARP entries is 3 seconds. The...
Page 128
...509 certificate hierarchy with VPN tunnels. Certificates provide a means to better manage security in order to establish whether a public key truly belongs to accomplish key ... the entire path from one certificate to a certificate means a X.509 certificate. In this manual to another. When verifying the validity of the certificate holder, and guarantees that the information ...CA be examined before establishing the validity of an intended recipient. Certificates Chapter 3. It links an identity to a tree-like any third party. Certificate Authorities A certificate authority ...
Page 129
... happen for each certificate to several reasons. They are normally held on an external server which is a key reason why certificate security simplifies the administration of the CRL has to validate a user certificate in this interval depends on servers that all the remote identities...up to the trusted root CA. • Verify the signatures of all certificates in NetDefendOS Chapter 3. Revocation can no longer be configured manually. In those cases the location of large user communities. Trusting Certificates When using either the LDAP or HTTP protocols. The ability to ...
Page 130
...and .key files required by NetDefendOS. Uploading a Certificate The certificate may either be uploaded: self-signed certificates and remote certificates belonging to manually create the required files for the certificate 3. Specify a suitable name for a Windows CA server using one of the IPsec tunnel 3. ... request for a certificate in the .pfx format. • Convert the .pfx file into the .pem format. 130 Web Interface 1. Manually Creating Windows CA Server Requests The NetDefendOS Web Interface (WebUI) does not currently include the ability to a CA server for doing this. Self...