D-Link DFL-260 Product Manual

D-Link DFL-260 - NetDefend - Security Appliance Manual


D-Link DFL-260 manual table of contents:

  • D-Link DFL-260 | Product Manual - Page 1
    Network Security Firewall User Manual DFL-210/800/1600/2500, DFL-260/860/1660/2560(G), Ver 2.27.01. Network Security Solution. http://www.dlink.com
  • D-Link DFL-260 | Product Manual - Page 2
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 D-Link Corporation No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C. http://www.DLink.com Published 2010-06-22 Copyright © 2010
  • D-Link DFL-260 | Product Manual - Page 3
    User Manual DFL-210/260/800/860/1600/1660/2500/2560/2560G NetDefendOS Version 2.27.01 Published 2010-06-22 Copyright © 2010 Copyright Notice This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. ...
  • D-Link DFL-260 | Product Manual - Page 4
    ... Boot Menu ...47 2.1.8. Management Advanced Settings ...48 2.1.9. Working with Configurations ...49 2.2. Events and Logging ...55 2.2.1. Overview ...55 ... ...73 2.7.1. Auto-Update Mechanism ...73 2.7.2. Backing Up Configurations ...73 2.7.3. Restore to Factory Defaults ...74 3. Fundamentals ...77 3.1....
  • D-Link DFL-260 | Product Manual - Page 5
    User Manual 3.2.3. ICMP Services ...86 3.2.4. Custom IP Protocol Services ...88 3.2.5. Service Groups ...88 3.2.6. Custom Service Timeouts ... Actions ...119 3.5.4. Editing IP rule set Entries ...120 3.5.5. IP Rule Set Folders ...121 3.5.6. Configuration Object Groups ...122 3.6. Schedules ...126 ...
  • D-Link DFL-260 | Product Manual - Page 6
    User Manual 4.7. Transparent Mode ...207 4.7.1. Overview ...207 4.7.2. Enabling Internet Access ...211... ALG ...265 6.2.9. The H.323 ALG ...275 6.2.10. The TLS ALG ...289 6.3. Web Content... 6.4.4. The Signature Database ...311 6.4.5. Subscribing to the D-Link Anti-Virus Service ...311 6.4.6. Anti-Virus...
  • D-Link DFL-260 | Product Manual - Page 7
    User Manual 7. Address Translation ...334 7.1. Overview ...334 7.2. NAT ...335 7.3. NAT Pools ...340 7.4. SAT ...343 7.4.1. ...Proposal Lists ...401 9.3.7. Pre-shared Keys ...402 9.3.8. Identification Lists ...403 9.4. IPsec Tunnels ...406 9.4.1. Overview ...406 9.4.2. LAN to LAN Tunnels with Pre-...
  • D-Link DFL-260 | Product Manual - Page 8
    User Manual 9.7.2. Troubleshooting Certificates ...437 9.7.3. IPsec Troubleshooting Commands ...438 9.7.4. Management Interface Failure... Shaping ...459 10.1.10. More Pipe Examples ...460 10.2. IDP Traffic Shaping ...12.3.1. SNMP ...499 12.3.2. Threshold Rules ...499 12.3.3. Manual Blocking and Exclude ...
  • D-Link DFL-260 | Product Manual - Page 9
    User Manual 13.1. IP Level Settings ...504 13.2. TCP Level Settings ...508 13.3. ICMP Level Settings ...513 13.4. State Settings ...514 13.5. Connection Timeout Settings ...516 13.6. Length Limit Settings ...518 13.7. Fragmentation Settings ...520 13.8. Local Fragment Reassembly Settings ...524...
  • D-Link DFL-260 | Product Manual - Page 10
    ... OSPF Providing Route Redundancy ...173 4.10. Virtual Links Connecting Areas ...177 4.11. Virtual Links with Partitioned Backbone ...178 4.12. NetDefendOS OSPF Objects ...... Database Updating ...316 7.1. NAT IP Address Translation ...335 7.2. A NAT Example ...337 7.3. Anonymizing with ...
  • D-Link DFL-260 | Product Manual - Page 11
    User Manual 10.10. Connections from Three Clients ...476 10.11. Stickiness and Round-Robin ...477 10.12. Stickiness and Connection-rate ...477 D.1. The 7 Layers of the OSI Model ...537 11
  • D-Link DFL-260 | Product Manual - Page 12
    ...133 3.23. Enabling Time Synchronization using SNTP ...134 3.24. Manually Triggering a Time Synchronization ...135 3.25. Modifying the Maximum ... Value ...135 3.26. Forcing Time Synchronization ...136 3.27. Enabling the D-Link NTP Server ...136 3.28. Configuring DNS Servers ...139 4.1. Displaying the ...
  • D-Link DFL-260 | Product Manual - Page 13
    User Manual 4.14. IGMP - No Address Translation ...201 4.15. if1 Configuration ...202 4.16. if2 Configuration - Group Translation ... roaming clients ...411 9.7. Setting Up Config Mode ...412 9.8. Using Config Mode with IPsec Tunnels ...413 9.9. Setting up an LDAP server ...413 9.10. Setting up a ...
  • D-Link DFL-260 | Product Manual - Page 14
    ...a browser in a new window (some systems may not allow this). For example, http://www.dlink.com. Screenshots This guide contains a minimum of screenshots. This is deliberate and is done because the manual deals specifically with NetDefendOS and administrators have ...
  • D-Link DFL-260 | Product Manual - Page 15
    ... Item Z Now enter: • DataItem1: datavalue1 • DataItem2: datavalue2 Highlighted Content Special sections of text which the reader should pay special ... reader should read and understand. Warning This is essential reading for the user as they should be aware that a serious situation may result if ...
  • D-Link DFL-260 | Product Manual - Page 16
    ...• NetDefendOS State Engine Packet Flow, page 23 1.1. Features D-Link NetDefendOS is the base software engine that drives and controls the range of NetDefend Firewall ... Address Translation (SAT) is supported, and resolves most types of address translation needs. This feature is covered in ...
  • D-Link DFL-260 | Product Manual - Page 17
    ...Anti-Virus scanning is only available on certain D-Link NetDefend product models. Intrusion Detection ...Full IDP is available on all D-Link NetDefend product models as a subscription service. On some models,... 6.3, "Web Content Filtering". Note Dynamic WCF is only available on some D-Link NetDefend...
  • D-Link DFL-260 | Product Manual - Page 18
    ...Note Threshold Rules are only available on certain D-Link NetDefend product models. Operations and ... is possible through either a Web-based User Interface (the WebUI) or via a Command Line... NetDefendOS ZoneDefense is only available on certain D-Link NetDefend product models. NetDefendOS Documentation...
  • D-Link DFL-260 | Product Manual - Page 19
    ... the doorways through which network traffic enters or leaves the NetDefend Firewall. Without interfaces, a NetDefendOS system has no means ... instance, contains named objects representing host and network addresses. Another example of logical objects are services which represent specific protocol and ...
  • D-Link DFL-260 | Product Manual - Page 20
    ...IP Rules, which are used to define the layer 3 IP filtering policy as well as carrying out ...ID (Virtual LAN identifier), the system checks for a configured VLAN interface with a corresponding VLAN ID.... are evaluated to find out if the source IP address of the new connection is allowed on the received ...
  • D-Link DFL-260 | Product Manual - Page 21
    ...Source and destination interfaces Source and destination network IP protocol (for example TCP, UDP, ICMP) TCP/UDP ports ICMP ..., to further analyze or transform the traffic. If the contents of the packet is encapsulated (such as with IPsec, PPTP/L2TP or some other type of tunneled protocol), then the ...
  • D-Link DFL-260 | Product Manual - Page 22
    1.2.3. Basic Packet Flow Chapter 1. NetDefendOS Overview processing such as encryption or encapsulation might occur. The next section provides a set of diagrams illustrating the flow of packets through NetDefendOS. 22
  • D-Link DFL-260 | Product Manual - Page 23
    .... There are three diagrams, each flowing into the next. It is not necessary to understand these diagrams, however, they can be useful as a reference when configuring NetDefendOS in certain situations. Figure 1.1. Packet Flow Schematic Part I The packet flow is continued on the following page. 23
  • D-Link DFL-260 | Product Manual - Page 24
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.2. Packet Flow Schematic Part II The packet flow is continued on the following page. 24
  • D-Link DFL-260 | Product Manual - Page 25
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Figure 1.3. Packet Flow Schematic Part III 25
  • D-Link DFL-260 | Product Manual - Page 26
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview Apply Rules The figure below presents the detailed logic of the Apply Rules function in Figure 1.2, "Packet Flow Schematic Part II" above. Figure 1.4. Expanded Apply Rules Logic 26
  • D-Link DFL-260 | Product Manual - Page 27
    1.3. NetDefendOS State Engine Packet Flow Chapter 1. NetDefendOS Overview 27
  • D-Link DFL-260 | Product Manual - Page 28
    ... most challenging environments. A good understanding on how NetDefendOS configuration is performed is crucial for proper usage of the system. For this reason, this section provides an in-depth presentation of the configuration subsystem as well as a description of how to work with the various ...
  • D-Link DFL-260 | Product Manual - Page 29
    ... be entered by pressing any console key between power-up and NetDefendOS starting. It is the D-Link firmware loader that is being accessed with the boot menu. This ... connecting through a specific IPsec tunnel. By default, Web Interface access is enabled for users on the network connected ...
  • D-Link DFL-260 | Product Manual - Page 30
    ... software. Assignment of a Default IP Address For a new D-Link NetDefend firewall with factory defaults,... differs according to the NetDefend model as follows: • On the NetDefend DFL-210, 260, 800, 860,... IP address is 192.168.1.1. • On the NetDefend DFL-1660, 2560 and 2560G, the default management ...
  • D-Link DFL-260 | Product Manual - Page 31
    ... support is provided by a set of separate resource files. These files can be downloaded from the D-Link website. It may occasionally be the case that a NetDefendOS upgrade can contain features that temporarily lack a complete non-english translation ...
  • D-Link DFL-260 | Product Manual - Page 32
    ... can be used for system diagnostics. Maintenance Update Center - Manually update or schedule updates of the intrusion detection and antivirus signatures... firewall or reset to factory default. Upgrade - Upgrade the firewall's firmware. Technical support - This option provides the option to download a...
  • D-Link DFL-260 | Product Manual - Page 33
    .../HTTPS remote management policy, for example https Check the HTTPS checkbox Select the following from the dropdown lists 5. User Database: AdminUsers ... Click OK Caution: Don't expose the management interface The above example is provided for informational purposes only. It is never recommended to ...
  • D-Link DFL-260 | Product Manual - Page 34
    ... summary for using the CLI. For a complete reference for all CLI commands, see the separate D-Link CLI Reference Guide. The most often used CLI commands ... an IP address or a rule to a NetDefendOS configuration. set - Sets some property of an object to a value. For example, this might be used ...
  • D-Link DFL-260 | Product Manual - Page 35
    ...=< (tab) Will fill in the default value for LogSeverity: add LogReceiverSyslog example Address=example_ip LogSeverity=Emergency However, if the "." character is used instead: add LogReceiverSyslog example Address=example_ip LogSeverity=. (tab) A list of all possible ...
  • D-Link DFL-260 | Product Manual - Page 36
    ... before individual objects can be manipulated. This is the case, for example, with routes. There can be more than ... their names when displayed by a show command. For example: RoutingTable/. Specifying Multiple Property Values ...into Rule Lists Rule lists such as the IP rule set have an ordering which ...
  • D-Link DFL-260 | Product Manual - Page 37
    ... might be used with the CLI are: • The Remote Endpoint for IPsec, L2TP and PPTP tunnels. • The Host for LDAP servers. When DNS ...a serial connection to a PC or dumb terminal. To locate the serial console port on your D-Link hardware, see the D-Link Quick Start Guide. To use the console port, you...
  • D-Link DFL-260 | Product Manual - Page 38
    ...> Remote Management > Add > Secure Shell Management Enter a Name for the SSH remote management policy, for example ssh_policy Select the following from the dropdown lists 4. User Database: AdminUsers Interface: lan Network: lannet Click OK Logging ...
  • D-Link DFL-260 | Product Manual - Page 39
    ... is recommended to use only printable characters. To change the password to, for example, my-password the following CLI commands are used. First... is: gw-world:/> where Device is the model number of the NetDefend Firewall. This can be customized, for example, to my-prompt:/>, by using the CLI command:...
  • D-Link DFL-260 | Product Manual - Page 40
    ... commands, it is possible to explicitly check for any problems in a configuration using the command: gw-world:/>... -errors This will cause NetDefendOS to scan the configuration about to be activated and list any problems. A possible... Ethernet interface if2 which has an IP address 10.8.1.34. Firstly, we...
  • D-Link DFL-260 | Product Manual - Page 41
    ... is described in the CLI Reference Guide and specific examples of usage are detailed in the following sections. See also Section 2.1.4, "The CLI" in this manual. Only Four Commands are Allowed in Scripts The commands allowed in a script file are ...
  • D-Link DFL-260 | Product Manual - Page 42
    ... launches a named script file that has been previously uploaded to the NetDefend Firewall. For example, to execute the script file my_script.sgs which has already ... name of the script file itself. For example, a script called my_script.sgs is to be executed with IP address 126.12.11.01 replacing all ...
  • D-Link DFL-260 | Product Manual - Page 43
    ... memory by using the script -store command. To move the example my_script.sgs to non-volatile memory ... script -remove command can be used. To remove the example my_script.sgs script file, the command ...Size (bytes 8 10 To list the content of a specific uploaded script file, for example my_script.sgs ...
  • D-Link DFL-260 | Product Manual - Page 44
    ... and then uploaded to and executed on other NetDefend Firewalls to duplicate the objects. For example, suppose the requirement is to create the same set ... create all IP4Address address objects in that unit's configuration. The created file's contents might, for example, be a sequence of lines, one per object, of the form: add IP4Address...
  • D-Link DFL-260 | Product Manual - Page 45
    ...> The source or destination NetDefend Firewall is of the form: @:. For example: [email protected]..> must be a defined NetDefendOS user in the administrator user group. Note: SCP examples do not show the password prompt SCP will normally prompt ...
  • D-Link DFL-260 | Product Manual - Page 46
    ...The SSH client key object type. Examples of Uploading and Downloading In some cases, a file is ...is admin1 and the IP address of the NetDefend Firewall is 10.5.62.11 then to upload a configuration backup... config.bak admin1@10.5.62.11: To download a configuration backup to the current local directory, ...
  • D-Link DFL-260 | Product Manual - Page 47
    .../my_script.sgs ./ Activating Uploads Like all configuration changes, SCP uploads only become ... by commit to make the change permanent. Uploads of firmware upgrades (packaged in .upg files) or a full ... uploads which do not affect the configuration. 2.1.7. The Console Boot Menu The NetDefendOS loader ...
  • D-Link DFL-260 | Product Manual - Page 48
    ... there is no console password. Restore default NetDefendOS executables along with the default configuration. Revert to default configuration This will... reset the configuration to be the original, default NetDefendOS configuration file. Other options, such as console security, will not be affected. ...
  • D-Link DFL-260 | Product Manual - Page 49
    ...HTTPS traffic. Only RSA certificates are supported. Default: HTTPS 2.1.9. Working with Configurations Configuration Objects The system ... any kind. Examples of configuration objects are routing table entries, address book entries, service definitions, IP rules and so on. Each configuration object has...
  • D-Link DFL-260 | Product Manual - Page 50
    ...object is to show its contents, in other words the values of the object properties. This example shows how to display the contents of a configuration object representing the telnet service. Command-Line Interface gw-world:/> show Service ServiceTCPUDP telnet ...
  • D-Link DFL-260 | Product Manual - Page 51
    ... to modify the behavior of NetDefendOS, you will most likely need to modify one or several configuration objects. This example shows how to edit the Comments property of the telnet service. Command-Line Interface gw-world:/> set Service ServiceTCPUDP telnet ...
  • D-Link DFL-260 | Product Manual - Page 52
    ... 2.6. Adding a Configuration Object This example shows how to add a new IP4Address object, here creating the IP address 192.168.... Click OK Verify that the new IP4 address object has been added to the list Example 2.7. Deleting a Configuration Object This example shows how to delete the newly added ...
  • D-Link DFL-260 | Product Manual - Page 53
    ... object can always be restored until the configuration has been activated and committed. This example shows how to restore the deleted ... be aware that if any changes that affect the configurations of live IPsec tunnels are committed, then those live tunnels connections will be terminated and must be ...
  • D-Link DFL-260 | Product Manual - Page 54
    ...can help prevent a remote administrator from locking themselves out. Example 2.10. Activating and Committing a Configuration This example shows how to activate and commit a new ...be committed before changes are saved. All changes to a configuration can be ignored simply by not committing a ...
  • D-Link DFL-260 | Product Manual - Page 55
    ... event message is generated, it can be filtered and distributed to all configured Event Receivers. Multiple ... can be configured by the administrator, with each event receiver having its own customizable event filter..... The events range from high-level, customizable, user events down to low-level and ...
  • D-Link DFL-260 | Product Manual - Page 56
    ... and Maintenance By default, NetDefendOS sends all messages of level Info and above to configured log servers. The Debug category is intended for troubleshooting only and should only be turned on if required when trying to solve a problem. All log messages of all ...
  • D-Link DFL-260 | Product Manual - Page 57
    ...and Severity fields The Prio= field in SysLog messages contains the same information as the Severity field for D-Link Logger messages. However, the ordering of the numbering is reversed. Example 2.11. Enable Logging to a Syslog Host To enable ...
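Worked example, added here and not taken from the D-Link manual: decoding the syslog PRI header the way a log receiver does, and pulling the key=value fields (including the prio= field the manual mentions) out of the message body. The PRI arithmetic is standard RFC 3164 (PRI = facility * 8 + severity, with 0 = Emergency and 7 = Debug, which is the syslog ordering the manual says is the reverse of the D-Link Logger Severity field). The sample lines are constructed, and the exact NetDefendOS body layout (tag, prio=, id=, event= order) is an assumption, not a documented format.

```python
"""Decode syslog PRI and key=value bodies from firewall log lines.

Added example, not from the D-Link manual. Sample lines are constructed;
the key=value body layout is an assumption about NetDefendOS output.
"""
import re

# RFC 3164 severity numbers: 0 is most severe, 7 is Debug.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Info", "Debug"]

# Constructed sample lines in <PRI>TIMESTAMP HOST TAG: key=value ... form.
SAMPLE_LINES = [
    "<134>Jun 22 10:00:01 gw-world EFW: CONN: prio=6 id=00600005 rev=1 "
    "event=conn_open action=open recvif=lan srcip=192.168.1.10 destip=10.0.0.5",
    "<132>Jun 22 10:00:02 gw-world EFW: RULE: prio=4 id=06000051 rev=1 "
    "event=ruleset_drop_packet action=drop rule=Default_Rule recvif=wan",
    "<128>Jun 22 10:00:03 gw-world EFW: SYSTEM: prio=0 id=03200100 rev=1 "
    "event=shutdown action=halt",
    "<135>Jun 22 10:00:04 gw-world EFW: SYSTEM: prio=7 id=03200200 rev=1 "
    "event=debug_trace",
]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity) per RFC 3164."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8


def parse_line(line):
    """Return a dict of body key=value fields plus facility/severity info."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line)
    facility, severity = decode_pri(int(m.group(1)))
    fields = dict(_KV_RE.findall(m.group(2)))
    # Computed values win over any same-named key in the body.
    fields.update(facility=facility, severity=severity,
                  severity_name=SEVERITY_NAMES[severity])
    return fields


def filter_by_severity(lines, threshold=6):
    """Keep messages at the threshold level or more severe. The default (6,
    Info) mirrors the manual's statement that NetDefendOS sends Info and
    above by default, so Debug lines are dropped."""
    return [p for p in (parse_line(l) for l in lines) if p["severity"] <= threshold]


def prio_consistency_issues(lines):
    """Report message ids whose body prio= disagrees with the PRI severity.
    Assumes prio= uses the syslog scale, as the manual describes for
    SysLog messages; useful as a sanity check when wiring up a collector."""
    issues = []
    for line in lines:
        p = parse_line(line)
        if "prio" in p and int(p["prio"]) != p["severity"]:
            issues.append(p.get("id"))
    return issues
```

The consistency check is worth running once against a real receiver feed: if the body prio= values do not line up with the PRI severity, the collector's severity filter and the firewall's own filter are not talking about the same scale.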
  • D-Link DFL-260 | Product Manual - Page 58
    ...MIB (where NNN indicates the model number of the firewall) is provided by D-Link and defines the SNMP objects and data types ... NetDefendOS sends SNMP Traps which are based on the SNMPv2c standard as defined by RFC1901, RFC1905 and RFC1906. Example 2.12. Sending SNMP Traps to an SNMP Trap Receiver To...
  • D-Link DFL-260 | Product Manual - Page 59
    ... Go to Log & Event Receivers > Add > SNMP2cEventReceiver; specify a name for the event receiver, for example my_snmp; enter 195.11.22.55 as the IP Address; enter an SNMP Community String if needed by the trap receiver; click OK. The ...
  • D-Link DFL-260 | Product Manual - Page 60
    ... is no longer authenticated, for example, after the user logs out or the session time expires.... The information included in these statistics is user configurable. The contents of the START and STOP messages... name of the authenticated user. NAS IP Address - The IP address of the NetDefend Firewall. NAS...
  • D-Link DFL-260 | Product Manual - Page 61
    ... Name - The user name of the authenticated user. NAS IP Address - The IP address of the NetDefend Firewall. NAS Port - The port on the NAS on which the user was authenticated. (... a physical port and not a TCP or UDP port). User IP Address - The IP address of the authenticated user. This ...
  • D-Link DFL-260 | Product Manual - Page 62
    ...in the list above indicates that the sending of the parameter is optional and is configurable. 2.3.3. Interim Accounting Messages In addition to START and STOP messages... and the default port number used is 1813 although this is user configurable. 2.3.6. RADIUS Accounting and High Availability In an...
  • D-Link DFL-260 | Product Manual - Page 63
    ...NetDefendOS must first send a STOP message for any authenticated users to any configured RADIUS servers before commencing with the shutdown....therefore occur with users who have the same IP address. This can happen, for example, when several users are behind the same network using NAT to allow network...
  • D-Link DFL-260 | Product Manual - Page 64
    ...RADIUS use with both accounting and authentication. Default: 1024 Example 2.13. RADIUS Accounting Server Setup This example shows configuring of a local RADIUS server known as radius-accounting with IP address 123.04.03.01 using port 1813. Web ...
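Worked example, added here and not part of the D-Link manual or of NetDefendOS: what the START, interim and STOP accounting messages described above look like on the wire, built and verified according to RFC 2866. The attribute numbers (User-Name 1, NAS-IP-Address 4, NAS-Port 5, Framed-IP-Address 8, Acct-Status-Type 40, Acct-Session-Id 44 and the octet/time counters) are the IANA values, and the Request Authenticator is the MD5 over the packet with a zeroed authenticator field followed by the shared secret, which is how a server such as the radius-accounting host on port 1813 validates the sender. The shared secret, user, session id and addresses are constructed.

```python
"""Build and verify RADIUS Accounting-Request packets (RFC 2866).

Added example, not part of the D-Link manual. The shared secret, session
values and addresses are constructed; 192.0.2.1 stands in for the NAS
(firewall) address and the server would listen on UDP port 1813.
"""
import hashlib
import socket
import struct

ACCOUNTING_REQUEST = 4

# Attribute type numbers from RFC 2865/2866.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_IP_ADDRESS = 1, 4, 5, 8
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
ACCT_START, ACCT_STOP, ACCT_INTERIM = 1, 2, 3

IP_ATTRS = {NAS_IP_ADDRESS, FRAMED_IP_ADDRESS}
INT_ATTRS = {NAS_PORT, ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS,
             ACCT_OUTPUT_OCTETS, ACCT_SESSION_TIME}


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length includes the 2-byte header)."""
    if atype in IP_ATTRS:
        value = socket.inet_aton(value)
    elif atype in INT_ATTRS:
        value = struct.pack("!I", value)
    else:
        value = value.encode() if isinstance(value, str) else bytes(value)
    if len(value) > 253:
        raise ValueError("attribute too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(ident, secret, attrs):
    """Return (packet, request_authenticator). The authenticator is MD5 over
    Code+Identifier+Length, 16 zero bytes, the attributes and the secret."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body, auth


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the Request Authenticator and compare."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_attributes(packet):
    """Decode the TLV list into {type: raw_value}; one occurrence per type assumed."""
    out, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return out


def session_messages(user, user_ip, nas_ip, session_id, secret):
    """START, one interim update and STOP for one authenticated user, the
    message sequence the manual describes. NAS-Port is the physical port."""
    base = [(USER_NAME, user), (NAS_IP_ADDRESS, nas_ip), (NAS_PORT, 1),
            (FRAMED_IP_ADDRESS, user_ip), (ACCT_SESSION_ID, session_id)]
    plan = [
        (1, ACCT_START, []),
        (2, ACCT_INTERIM, [(ACCT_SESSION_TIME, 300), (ACCT_INPUT_OCTETS, 4096)]),
        (3, ACCT_STOP, [(ACCT_SESSION_TIME, 600), (ACCT_INPUT_OCTETS, 8192),
                        (ACCT_OUTPUT_OCTETS, 65536)]),
    ]
    return [build_accounting_request(ident, secret, base + [(ACCT_STATUS_TYPE, st)] + extra)[0]
            for ident, st, extra in plan]
```

Two practical points fall out of the code: the authenticator is keyed only by the shared secret and MD5, so the secret is the whole of the message integrity and should not be reused across accounting and authentication servers casually, and a STOP that never arrives (the HA and shutdown cases the manual discusses) leaves the server with an open session it can only close by timeout.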
  • D-Link DFL-260 | Product Manual - Page 65
    ... hardware operational parameters such as the current temperature inside the firewall. This feature is referred to as Hardware Monitoring. The D-Link NetDefend models that currently support hardware monitoring are the DFL-1600, 1660, 2500, 2560 and 2560G....
  • D-Link DFL-260 | Product Manual - Page 66
    ... CLI output above and is presented as a list of choices in the Web Interface. For example, Temp. • Sensor This is the number of the sensor as shown in the CLI ... This is the Name of the sensor as shown in the CLI output above. For example, SYS Temp. • Enabled An individual sensor can be enabled or...
  • D-Link DFL-260 | Product Manual - Page 67
    ... can connect to a network device which supports the SNMP protocol to query and control it. NetDefendOS supports SNMP version 1 and version 2. Connection can be made by any SNMP ... are permitted for security reasons. Specifically, NetDefendOS supports the following SNMP request operations by a client ...
  • D-Link DFL-260 | Product Manual - Page 68
    ... can help prevent attacks through SNMP overload. Example 2.14. Enabling SNMP Monitoring This example enables SNMP access through the internal lan interface from the network mgmt-net using .... SNMP Before RulesLimit Enable SNMP traffic to the firewall regardless of configured IP Rules. 68
  • D-Link DFL-260 | Product Manual - Page 69
    2.5.1. SNMP Advanced Settings Chapter 2. Management and Maintenance Default: Enabled SNMP Request Limit Maximum number of SNMP requests that will be processed each second by NetDefendOS. Should SNMP requests exceed this rate then the excess requests will be ignored by NetDefendOS. Default: 100 ...
  • D-Link DFL-260 | Product Manual - Page 70
    ... for packet capture. The complete syntax of the pcapdump command is described in the CLI Reference Guide. A Simple Example An example of pcapdump usage is the following sequence: gw-world:/> gw-world:/> gw-world:/> gw-world:/> gw-world:/> ...
  • D-Link DFL-260 | Product Manual - Page 71
    ...specified and can be one of -tcp, -udp or -icmp. Downloading the Output File As shown in one of the examples above, the -write option of pcapdump can save buffered packet information to a file on the NetDefend Firewall. These output files are placed into the NetDefendOS root ...
  • D-Link DFL-260 | Product Manual - Page 72
    ... these filter expressions together in order to further refine the packets that are of interest. For example we might want to examine the packets going to a particular destination port at a particular destination IP address. Compatibility with Wireshark The open source tool Wireshark (...
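Worked example, added here and not from the D-Link manual or the NetDefendOS pcapdump implementation: the capture file format that the -write option produces and that Wireshark reads (classic libpcap: 24-byte global header, then a 16-byte record header per packet), written and read back in plain Python, with a filter for one destination IP address and port like the combined filter expression described above. The frames are constructed Ethernet/IPv4/TCP SYNs with a correct IPv4 header checksum; the MAC addresses, IP addresses and ports are made up.

```python
"""Write and read a libpcap capture file and filter it by destination.

Added example, not from the D-Link manual and not the NetDefendOS pcapdump
implementation. It builds constructed Ethernet/IPv4/TCP frames, writes
them in the classic pcap format Wireshark opens, reads the file back and
selects packets for one destination IP and port.
"""
import socket
import struct

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xa1b2c3d4, 1


def ip_checksum(header):
    """RFC 1071 ones-complement sum over an IPv4 header; verifying a header
    that already carries its checksum yields 0."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return (~total) & 0xffff


def tcp_syn_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet + IPv4 + TCP SYN frame with no payload (54 bytes)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip_wo_sum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                            socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_wo_sum[:10] + struct.pack("!H", ip_checksum(ip_wo_sum)) + ip_wo_sum[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(frames, ts_start=1277200000):
    """Serialise frames as little-endian pcap 2.4 with Ethernet link type."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_start + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame_bytes) records; accepts either byte order."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a pcap file")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, data[pos:pos + incl_len]
        pos += incl_len


def decode_frame(frame):
    """Return (src_ip, dst_ip, proto, sport, dport); ports are None unless TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0f) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto not in (6, 17) or len(l4) < 4:
        return src, dst, proto, None, None
    sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, proto, sport, dport


def filter_capture(data, dst_ip, dst_port):
    """Combine a destination-address and a destination-port filter, returning
    (timestamp, src_ip, src_port) for each hit."""
    hits = []
    for ts, frame in read_pcap(data):
        d = decode_frame(frame)
        if d and d[1] == dst_ip and d[4] == dst_port:
            hits.append((ts, d[0], d[3]))
    return hits


# Constructed capture: four SYNs, two of them to 10.0.0.5 port 80.
SAMPLE_CAPTURE = write_pcap([
    tcp_syn_frame("192.168.1.10", "10.0.0.5", 40001, 80),
    tcp_syn_frame("192.168.1.11", "10.0.0.5", 40002, 443),
    tcp_syn_frame("192.168.1.12", "10.0.0.5", 40003, 80),
    tcp_syn_frame("192.168.1.10", "10.0.0.6", 40004, 80),
])
```

Writing SAMPLE_CAPTURE to a file gives something Wireshark and tcpdump open directly, which is a quick way to confirm a collector or analysis script agrees with them before trusting it on a capture pulled off the firewall with SCP.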
  • D-Link DFL-260 | Product Manual - Page 73
    ... signature databases in order to provide protection against the latest threats. To facilitate the Auto-Update feature D-Link maintains a global infrastructure of servers providing update services for NetDefend Firewalls. To ensure availability and low ...
  • D-Link DFL-260 | Product Manual - Page 74
    ...be applied so that it is possible to return to the original hardware state that existed when the NetDefend Firewall was shipped by D-Link. When a restore is applied all data such as the IDP and Anti-Virus databases are lost and must be reloaded...
  • D-Link DFL-260 | Product Manual - Page 75
    ... unit left the factory will be lost. Reset Procedure for the NetDefend DFL-210, 260, 800 and 860 To reset the NetDefend DFL-210/260/800/860 models, hold down the reset button ...192.168.1.1 will be assigned to the LAN interface. Reset Procedure for the NetDefend DFL-1600, 1660, 2500, 2560 and ...
  • D-Link DFL-260 | Product Manual - Page 76
    2.7.3. Restore to Factory Defaults Chapter 2. Management and Maintenance 76
  • D-Link DFL-260 | Product Manual - Page 77
    ... make up a NetDefendOS configuration. These objects include such items as IP addresses and ... a number of important benefits It increases understanding of the configuration by using meaningful symbolic names. Using ... A single host is represented simply by its IP address. For example, 192.168.0.14. 77
  • D-Link DFL-260 | Product Manual - Page 78
    ... 0-32 correspond to the number of binary ones in the netmask. For example: 192.168.0.0/24. IP Range A range of IP .... They may include any span of IP addresses. For example, 192.168.0.10-192.168.0.15... > IP address Specify a suitable name for the IP network, for example wwwsrvnet Enter 192.168.10.0/24...
  • D-Link DFL-260 | Product Manual - Page 79
    ... successfully deleted but NetDefendOS will not allow the configuration to be saved to the NetDefend Firewall. 3.1.3. Ethernet Addresses Ethernet Address ...MAC addresses). This is useful, for example, when populating the ARP table with static ARP entries, or for other parts of the configuration where ...
  • D-Link DFL-260 | Product Manual - Page 80
    ... a suitable name for the Ethernet Address object, for example wwwsrv1_mac Enter 08-a3-67-bc... configuration. Consider a number of public servers that should be accessible from the Internet. The servers have IP ... of all the addresses. For example, if a group contains the following two IP address ranges:...
  • D-Link DFL-260 | Product Manual - Page 81
    ...-name>_net. As an example, an interface named lan will have an associated interface IP object ... address has been provided during the setup phase, the wan_gw object will contain that address.... addresses. The all-nets IP object is used extensively in the configuration of NetDefendOS and it is important ...
  • D-Link DFL-260 | Product Manual - Page 82
    ... type of traffic. For example, an IP rule in a NetDefendOS IP rule set has a service object associated... grouped by type with the service groups appearing first: ServiceGroup Name -----------all_services all_tcpudp ipsec-suite l2tp... TCP and UDP services All TCP and UDP services The IPsec+IKE suite L2TP...
  • D-Link DFL-260 | Product Manual - Page 83
    ... Comments All ICMP services Web Interface 1. Go to Objects > Services Example 3.7. Viewing a Specific ...-Line Interface gw-world:/> show Service ServiceTCPUDP echo The output will look similar ... in Section 3.2.3, "ICMP Services". IP Protocol Service - A service based on a user defined protocol....
  • D-Link DFL-260 | Product Manual - Page 84
    ...delivery speed is of greatest importance, for example with streaming audio and video, the User Datagram Protocol... as a single number. Some services use a range of destination ports. As an example, the NetBIOS protocol... only a single TCP/UDP service object. For example, all Microsoft Windows networking...
  • D-Link DFL-260 | Product Manual - Page 85
    ... as a means of attack. • ALG A TCP/UDP service can be linked to an Application Layer Gateway (ALG) to enable deeper inspection of certain protocols. This is ... for this service across all interfaces. For a service involving, for example, an HTTP ALG the default value can often be too...
  • D-Link DFL-260 | Product Manual - Page 86
    ... Control Message Protocol (ICMP) is a protocol that is integrated with IP for error reporting and transmitting control information. For example, the ICMP Ping feature uses ICMP to test Internet connectivity. ICMP Types and Codes 86
  • D-Link DFL-260 | Product Manual - Page 87
    ... the ICMP message and a Code that is used to further qualify the message. For example, the message type Destination Unreachable uses the Code parameter ... type can be specified in the same way that port numbers are specified. For example, if the Destination Unreachable type is selected with the comma ...
  • D-Link DFL-260 | Product Manual - Page 88
    ... for one service. For example, specifying the range 1-4,7 will match the protocols ICMP, IGMP, GGP, IP.../assignments/protocol-numbers Example 3.9. Adding an IP Protocol Service This example shows how to add... Specify a suitable name for the service, for example VRRP Enter 112 in the IP Protocol control...
  • D-Link DFL-260 | Product Manual - Page 89
    3.2.6. Custom Service Timeouts Chapter 3. Fundamentals configuration and decrease the ability to troubleshoot problems. 3.2.6. Custom Service Timeouts Any service can have its custom timeouts set. These can also be set globally in NetDefendOS ...
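Worked example, added here and not from the D-Link manual or NetDefendOS: a small model of the three service types the manual describes (TCP/UDP with port lists, ICMP with type and code lists, and IP protocol services) that parses the "1-4,7" style number lists used for ports, ICMP types and protocol numbers, and matches packets against an ordered list of services. Protocol numbers come from the IANA registry the manual points to (1 ICMP, 2 IGMP, 3 GGP, 4 IPv4-in-IPv4, 112 VRRP). The service list and packets are constructed; only the names http, netbios and VRRP echo the manual's own examples.

```python
"""Service objects with port, IP-protocol and ICMP type/code specs.

Added example, not from the D-Link manual and not NetDefendOS code. It
parses the "1-4,7" style number lists the manual uses and matches
constructed packet tuples against services in list order.
"""
from collections import namedtuple

# For TCP/UDP the port fields are set; for ICMP the type/code fields are set.
Packet = namedtuple("Packet", "proto src_port dst_port icmp_type icmp_code")

# Subset of the IANA protocol number registry.
IANA_PROTO = {1: "ICMP", 2: "IGMP", 3: "GGP", 4: "IPv4", 6: "TCP", 7: "CBT",
              17: "UDP", 47: "GRE", 50: "ESP", 51: "AH", 112: "VRRP"}


def parse_numbers(spec, upper):
    """'1-4,7' -> {1,2,3,4,7}; rejects out-of-range and reversed ranges."""
    values = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= upper):
            raise ValueError("bad range %r (limit %d)" % (part, upper))
        values.update(range(lo, hi + 1))
    return values


class Service:
    """kind is 'tcpudp', 'icmp' or 'ipproto', mirroring the manual's service types."""

    def __init__(self, name, kind, **spec):
        self.name, self.kind = name, kind
        if kind == "tcpudp":
            self.protos = parse_numbers(spec.get("protocols", "6,17"), 255)
            self.src_ports = parse_numbers(spec.get("source_ports", "0-65535"), 65535)
            self.dst_ports = parse_numbers(spec["destination_ports"], 65535)
        elif kind == "icmp":
            self.protos = {1}
            self.types = parse_numbers(spec.get("types", "0-255"), 255)
            self.codes = parse_numbers(spec.get("codes", "0-255"), 255)
        elif kind == "ipproto":
            self.protos = parse_numbers(spec["protocols"], 255)
        else:
            raise ValueError("unknown service kind %r" % kind)

    def matches(self, pkt):
        if pkt.proto not in self.protos:
            return False
        if self.kind == "tcpudp":
            return pkt.src_port in self.src_ports and pkt.dst_port in self.dst_ports
        if self.kind == "icmp":
            return pkt.icmp_type in self.types and pkt.icmp_code in self.codes
        return True  # an IP protocol service matches on protocol number alone


def first_matching(services, pkt):
    """Name of the first service in list order that matches, else None."""
    for svc in services:
        if svc.matches(pkt):
            return svc.name
    return None


# Constructed service list. Order matters: the broad 'low-protos' entry at the
# end catches any ICMP the narrower 'icmp-dest-unreach' entry does not.
SERVICES = [
    Service("http", "tcpudp", protocols="6", destination_ports="80"),
    Service("netbios", "tcpudp", destination_ports="137-139,445"),
    Service("icmp-dest-unreach", "icmp", types="3", codes="0,1,3"),
    Service("VRRP", "ipproto", protocols="112"),
    Service("low-protos", "ipproto", protocols="1-4,7"),
]
```

The ordering point is the one that bites in practice: an IP protocol service for protocol 1 is a superset of every ICMP service, so if it sits above them in a rule set the more specific ICMP rules never fire.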
  • D-Link DFL-260 | Product Manual - Page 90
    ... NetDefendOS. All network traffic that transits through, originates from or is terminated in the NetDefend Firewall, does so through one or more ... traffic that originates from or enters a NetDefend Firewall will pass through one of the physical interfaces. NetDefendOS currently supports Ethernet as ...
  • D-Link DFL-260 | Product Manual - Page 91
    ... transformations can be applied to the network traffic depending on the type of tunnel interface. For example, when routing traffic over an IPsec interface, the payload is usually encrypted to achieve confidentiality. NetDefendOS supports the following tunnel ...
  • D-Link DFL-260 | Product Manual - Page 92
    ... corresponds to a physical Ethernet port in the system. The number of ports, their link speed and the way the ports are realized, is dependent on the ...names of the Ethernet interfaces can be changed to better reflect their usage. For example, if an interface named dmz is connected to a wireless LAN, ...
  • D-Link DFL-260 | Product Manual - Page 93
    ... and dmz, where N represents the number of the interface if your NetDefend Firewall has more than one of these interfaces. In most of the examples in this guide lan is used for LAN traffic and wan is used for WAN traffic. If your NetDefend ...
  • D-Link DFL-260 | Product Manual - Page 94
    ... _dns2. Note: A gateway IP cannot be deleted with DHCP enabled If ... Ethernet interface then any gateway IP address that is defined for that interface cannot be deleted.... for an interface. The available options are: • The speed of the link can be set. Usually this is best left...
  • D-Link DFL-260 | Product Manual - Page 95
    ... heartbeats from this interface. • Quality Of Service The option exists to copy the IP DSCP precedence to the VLAN ... of two methods: • Change the IP address directly on the interface. For example, if we want...-world:/> set Interface Ethernet lan IP=10.1.1.2 As explained next, this way of changing...
  • D-Link DFL-260 | Product Manual - Page 96
    3.3.2. Ethernet Interfaces Chapter 3. Fundamentals Property Value Name: wan_ip Address: 0.0.0.0 UserAuthGroups: NoDefinedCredentials: No Comments: IP address of interface wan To show the current interface assigned to the network wan_net: gw-world:/> show Address IP4Address ...
  • D-Link DFL-260 | Product Manual - Page 97
    ... hardware has been replaced and Ethernet card settings are to be changed, or if configuring the interfaces when running NetDefendOS on non-D-Link hardware. For example, to display Ethernet port information use the command: gw-world:/> show EthernetDevice...
  • D-Link DFL-260 | Product Manual - Page 98
    ...explained in more detail below, VLAN configuration with NetDefendOS involves a combination of VLAN trunks from the NetDefend Firewall to switches and these switches ... LANs but can still share the same physical Ethernet link. The following principles underlie the NetDefendOS processing of VLAN tagged ...
  • D-Link DFL-260 | Product Manual - Page 99
    ..., the physical connections are as follows: • One or more VLANs are configured on a physical NetDefend Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs. ...
  • D-Link DFL-260 | Product Manual - Page 100
    ... in that they require both appropriate IP rules and routes to exist in the NetDefendOS configuration for traffic to flow through them. For example, if no IP rule with a particular VLAN interface as the source interface is defined allowing traffic...
  • D-Link DFL-260 | Product Manual - Page 101
    ...PPP uses Link Control Protocol (LCP) for link establishment, configuration and testing. Once the LCP is initialized, one ... that multiple protocols can interoperate on the same link, for example, both IP and IPX traffic can share a PPP link. PPP Authentication PPP authentication is optional with PPP....
  • D-Link DFL-260 | Product Manual - Page 102
    ... PPPoE is typically used when ISPs want to allocate one or more preassigned IP addresses to users. These IP addresses are then manually entered into client computers. The ISP does not assign an IP address to the PPPoE client at the time it ...
  • D-Link DFL-260 | Product Manual - Page 103
    ...operate correctly. It should therefore not be configured with HA. Example 3.11. Configuring a PPPoE Client This example shows how to configure a PPPoE client on the wan interface with traffic routed over PPPoE.... protocol which is tunneled using GRE through the intervening network. Examples of GRE usage ...
  • D-Link DFL-260 | Product Manual - Page 104
    ... other tunnels in NetDefendOS such as an IPsec tunnel, a GRE Tunnel is treated as a logical interface by NetDefendOS, with the same filtering, traffic shaping ... normally be checked in order that the routing table is automatically updated. The alternative is to manually create the required route. 104
  • D-Link DFL-260 | Product Manual - Page 105
    ... be done if, for example, you are using ARP publishing and want the tunnel to be setup by an ARP published IP...so NetDefendOS knows what IP addresses should be accepted and sent through the tunnel. An Example GRE Scenario The diagram above shows a typical GRE scenario, where two NetDefend Firewalls ...
  • D-Link DFL-260 | Product Manual - Page 106
    ... Allow Src Int lan GRE_to_B Src Net lannet remote_net_B Dest Int GRE_to_B lan Dest Net remote_net_B lannet Service All All 4. Setup for NetDefend Firewall "B" Assuming that the network 192.168.11.0/24 is lannet on the lan interface, the steps ...
  • D-Link DFL-260 | Product Manual - Page 107
    3.3.6. Interface Groups Chapter 3. Fundamentals IPsec tunnels have a status of being either up or not up. With ...NetDefendOS this doesn't really apply. The GRE tunnel is up if it exists in the configuration. However, we can check on what is going on with a GRE tunnel. For example, if the tunnel ...
  • D-Link DFL-260 | Product Manual - Page 108
    ... protocol (OSI layer 3) address to a data link layer hardware address (OSI layer.... ARP operates at the OSI layer 2, data link layer, and is encapsulated by Ethernet headers... ARP entry which tells us that IP address 192.168.0.10 is mapped... binding the IP address 10.5.16.3 to Ethernet address 4a:32:12:6c...
  • D-Link DFL-260 | Product Manual - Page 109
    ...default value for this setting is 3 seconds. Example 3.13. Displaying the ARP Cache The contents of the ARP Cache... of the host but sometimes it may be necessary to manually force the update. The easiest way to achieve... can be done with the CLI command arp -flush. Example 3.14. Flushing the ARP Cache...
  • D-Link DFL-260 | Product Manual - Page 110
    ... packets being sent to that IP address. It does not apply to packets being sent from that IP address. Example 3.15. Defining a Static ARP Entry This example will create a static mapping between IP address 192.168.10.15 and Ethernet address 4b:86:f6:...
  • D-Link DFL-260 | Product Manual - Page 111
    ...: 4b-86-f6-c5-a2-14 4. Click OK Published ARP Objects NetDefendOS supports publishing IP addresses on a particular interface, optionally along with a ... for any ARP requests received on the interface related to the published IP addresses. This can be done for a number of reasons: • To ...
  • D-Link DFL-260 | Product Manual - Page 112
    ... result will be the same. Publishing Entire Networks When using ARP entries, IP addresses can only be published one at a time. However, the administrator can use the alternative Proxy ARP feature in NetDefendOS to handle publishing of entire networks (see Section 4.2.6, "Proxy ARP")....
  • D-Link DFL-260 | Product Manual - Page 113
    ... connections. However, not allowing this may cause problems if, for example, a network adapter is replaced since NetDefendOS will not accept the new address until the... or not such situations are logged. Sender IP 0.0.0.0 NetDefendOS can be configured for handling ARP queries that have...
  • D-Link DFL-260 | Product Manual - Page 114
    .... Allowing this to take place may facilitate hijacking of local connections. However, not allowing this may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept the new address until the previous ARP table entry has ...
  • D-Link DFL-260 | Product Manual - Page 115
    ...the largest directly-connected LAN contains 500 IP addresses then the size of the ARP entry hash ... largest directly-connected VLAN contains 500 IP addresses, the size of the ARP entry hash should ... least 1000 entries. Default: 64 ARP IP Collision Determines the behavior when receiving an ARP request ...
  • D-Link DFL-260 | Product Manual - Page 116
    ...to which IP rule sets belong. Security Policy Characteristics NetDefendOS security policies are configured by the administrator to regulate the way in which traffic can flow through the NetDefend Firewall... define a protocol/port type. Examples are HTTP and ICMP. Service objects also define ...
  • D-Link DFL-260 | Product Manual - Page 117
    ... triggers authentication to take place (source net/interface only) and are described in Chapter 8, User Authentication. IP Rules and the Default main IP ... critical packet filtering function of NetDefendOS, regulating what is allowed or not allowed to pass through the NetDefend Firewall,...
  • D-Link DFL-260 | Product Manual - Page 118
    ...for the destination network to leave the NetDefend Firewall on the interface decided by the route. If the IP rule used is an Allow rule then this is ... in Section 1.3, "NetDefendOS State Engine Packet Flow". For example, before the route lookup is done, NetDefendOS first checks ...
  • D-Link DFL-260 | Product Manual - Page 119
    ... Drop or Reject then the new connection is refused. Tip: Rules in the wrong order sometimes cause problems It is important to remember the principle that NetDefendOS searches the IP rules from top to bottom, looking for the first matching rule. ...
  • D-Link DFL-260 | Product Manual - Page 120
    ... the Reject action is recommended instead of the Drop action because a "polite" reply is required from NetDefendOS. An example of such a situation is when responding to the IDENT user identification protocol. Some applications will pause for a timeout if ...
  • D-Link DFL-260 | Product Manual - Page 121
    .... Example 3.16. Adding an Allow IP Rule This example shows how to create a simple Allow rule that ... 3. Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example LAN_HTTP Now enter Name: A suitable name for the rule. For example lan_http Action: Allow Service: http 121
  • D-Link DFL-260 | Product Manual - Page 122
    ... be very useful for someone seeing a configuration for the first time, such as technical support staff. In an IP rule set that contains ... group editing must be done through the Web Interface and this is described next. A Simple Example As an example, consider the IP rule set main which contains just...
  • D-Link DFL-260 | Product Manual - Page 123
    3.5.6. Configuration Object Groups Chapter 3. Fundamentals Note The screen images used in this example show just the first few columns of the object .... We would like to create an object group for the two IP rules for web surfing. This is done with the following steps: • •...
  • D-Link DFL-260 | Product Manual - Page 124
    ... by clicking any color in the box with the mouse. In this example, we might change the name of the group.... Once we do this for the second IP rule in our example then the result will be the following..., such as an IP rule, is within a group, the context of move operations becomes the group. For example...
  • D-Link DFL-260 | Product Manual - Page 125
    ... Configuration Object Groups Chapter 3. Fundamentals Moving Groups Groups can be moved in the same... includes options to move the entire group. For example, the Move to Top option moves the entire.... It is up to the administrator how to best use these features to best arrange NetDefendOS objects. 125...
  • D-Link DFL-260 | Product Manual - Page 126
    ... outside that department during normal office hours. Another example might be that authentication using a specific VPN connection is only ... date and time are set correctly. This is also important for some other features such as certificate usage in VPN tunnels. Preferably, time synchronization has ...
  • D-Link DFL-260 | Product Manual - Page 127
    ...Fundamentals Example 3.17. Setting up a Time-Scheduled Policy This example creates a schedule object for office hours on weekdays, and attaches the object to an IP Rule that ... to the top level: gw-world:/main> cc Configuration changes must be saved by then issuing an activate ...
  • D-Link DFL-260 | Product Manual - Page 128
    ... with public-key cryptography to accomplish key distribution and entity authentication. References in this manual to a certificate means a X.509 certificate. A certificate is a digital proof of identity. It links an identity to a public key in...
  • D-Link DFL-260 | Product Manual - Page 129
    ...servers that all certificate users can access, using either the LDAP or HTTP protocols. Revocation can happen for ... this field. In those cases the location of the CRL has to be configured manually. A CA usually updates its CRL at a given interval. The length of this interval depends on how the CA is ...
  • D-Link DFL-260 | Product Manual - Page 130
    ...remote certificate Click OK and follow the instructions Example 3.19. Associating Certificates with IPsec Tunnels To associate an imported certificate with an...cer and .key files required by NetDefendOS. It is possible, however, to manually create the required files for a Windows CA server using the...
  • D-Link DFL-260 | Product Manual - Page 131
    ...pfx -out gateway.pem -nodes In this command line example, the file exported from the CA server is assumed to be... the extension .cer for one and .key for the other. For example, gateway.cer and gateway.key might ...the names. Start a text editor and open the downloaded .pem file and locate the line that ...
  • D-Link DFL-260 | Product Manual - Page 132
    ... and Time The administrator can set the date and time manually and this is recommended when a new NetDefendOS installation is started for the first time. Example 3.20. Setting ...date order is year, then month and then day. For example, to set the date and time to 9:25 in the morning ...
  • D-Link DFL-260 | Product Manual - Page 133
    ...setting reflects the time zone where the NetDefend Firewall is physically located. Example 3.21. Setting the Time ... when to adjust for DST. Instead, this information has to be manually provided if daylight saving time ... during the daylight saving time period. Example 3.22. Enabling DST To enable DST...
  • D-Link DFL-260 | Product Manual - Page 134
    ...available Time Servers. Important: DNS servers need to be configured in NetDefendOS Make sure at least one external..."DNS"). This is not needed if using IP addresses for the servers. Example 3.23. Enabling Time Synchronization using SNTP In this example, time synchronization is set up to use the...
  • D-Link DFL-260 | Product Manual - Page 135
    ... 86400 seconds (equivalent to one day) is used. Example 3.24. Manually Triggering a Time Synchronization Time synchronization can be triggered from the CLI. The output below shows... system time...Server time: 2008-02-27 12:21:52 (UTC+00:00) Local time: 2008-02-27 12:24:30 (UTC+00:00) (...
  • D-Link DFL-260 | Product Manual - Page 136
    ...then possible to manually force a synchronization and disregard the maximum adjustment parameter. Example 3.26.... default values for the synchronization are used. Example 3.27. Enabling the D-Link NTP Server To enable ... to have an external DNS server configured so that the D-Link Time Server URLs can...
  • D-Link DFL-260 | Product Manual - Page 137
    ...Time Protocol). Default: SNTP Primary Time Server DNS hostname or IP Address of Timeserver 1. Default: None Secondary Time Server DNS hostname...Timeserver 2. Default: None Tertiary Time Server DNS hostname or IP Address of Timeserver 3. Default: None Interval between synchronization Seconds between...
  • D-Link DFL-260 | Product Manual - Page 138
    3.8.4. Settings Summary for Date and Time Maximum time drift in seconds that a server is allowed to adjust. Default: 600 Chapter 3. Fundamentals Group interval Interval according to which server responses will be grouped. Default: 10 138
  • D-Link DFL-260 | Product Manual - Page 139
    ... for CA signed certificates. UTM features that require access to external servers such as anti-virus and IDP. Example 3.28. Configuring DNS Servers In this example, the DNS client is configured to use one primary and one secondary DNS server, having IP addresses 10...
  • D-Link DFL-260 | Product Manual - Page 140
    ... side of the tunnel has a dynamic address then the NetDefendOS VPN keep alive feature... it easy to correctly format the URL needed for that service. For example, the http:// URL for the dyndns.org... console command httpposter can be used to troubleshoot problems by seeing what NetDefendOS is sending and...
  • D-Link DFL-260 | Product Manual - Page 141
    3.9. DNS Chapter 3. Fundamentals 141
  • D-Link DFL-260 | Product Manual - Page 142
    Chapter 4. Routing This chapter describes how to configure IP routing in NetDefendOS. • Overview, page 142 • Static Routing, ...mechanisms: • Static routing • Dynamic routing NetDefendOS additionally supports route monitoring to achieve route and link redundancy with fail-over capability. 142
  • D-Link DFL-260 | Product Manual - Page 143
    ..." refers to the fact that entries in the routing table are manually added and are therefore permanent (or static) ..., or whenever the network topology is complex, the work of manually maintaining static routing tables can ... access via an ISP then the public IP address of the ISP's gateway router would ...
  • D-Link DFL-260 | Product Manual - Page 144
    ...below explains this parameter in more depth. Local IP Address and Gateway are mutually exclusive... Scenario The diagram below illustrates a typical NetDefend Firewall usage scenario. Figure 4.1. A Typical... and the address of the ISP gateway to the public Internet is 195.66.77.4. The associated routing...
  • D-Link DFL-260 | Product Manual - Page 145
    ... be evaluated prior to the wider one (in other words, the network that is contained within the other has priority). In the above example, a packet with a destination IP address of 192.168.0.4 will theoretically match both the first route and the ...
  • D-Link DFL-260 | Product Manual - Page 146
    ..., ARP queries as though the interface had that IP address. The diagram below illustrates a scenario where this feature could be used. The network 10... have their Default Gateway set to 10.2.2.1 in order to reach the NetDefend Firewall. This feature is normally used when an additional network is to be ...
  • D-Link DFL-260 | Product Manual - Page 147
    ...section describes how routing is implemented in NetDefendOS, and how to configure static routing. NetDefendOS supports multiple routing tables. A default table... performed before any of the various policy rules get evaluated (for example, IP rules). Consequently, the destination interface is known at ...
  • D-Link DFL-260 | Product Manual - Page 148
    ... for destinations that are not aligned with traditional subnet masks. For example, it is perfectly legal to define one route for the destination IP address range 192....17 and another route for IP addresses 192.168.0.18 to 192.168.0.254. This is a feature that makes NetDefendOS highly ...
  • D-Link DFL-260 | Product Manual - Page 149
    ... table changes can take place for different reasons. For example, if dynamic routing with OSPF has been ... can also cause routing table contents to change over time. Example 4.1. Displaying the main Routing Table This example illustrates how to display the contents of the default main routing table. ...
  • D-Link DFL-260 | Product Manual - Page 150
    ...These automatically added routes cannot be removed manually by deleting them one at a time from a routing ... to your ISP for public Internet access. If using the NetDefendOS setup wizard, this route ... table, you have to specify an option to the routing command. Example 4.2. Displaying the Core Routes ...
  • D-Link DFL-260 | Product Manual - Page 151
    ...0 core (Iface IP) 0 lan 0 wan 0 core (Iface IP) 0 wan 213.124.165.1 0 Web Interface 1. 2. 3. ... often deployed in mission-critical locations where availability and connectivity are crucial. For example, an enterprise relying heavily on access to the Internet could have operations severely disrupted if...
  • D-Link DFL-260 | Product Manual - Page 152
    ... physically attached and that the cabling is working as expected. As any changes to the link status are instantly noticed, this method provides the fastest ...Setting the Route Metric When specifying routes, the administrator should manually set a route's Metric. The metric is a positive integer that ...
  • D-Link DFL-260 | Product Manual - Page 153
    ...to take some precautionary steps to ensure that policies and existing connections will be maintained. To illustrate the problem, consider the following configuration: Firstly, there is one IP rule that will NAT all HTTP traffic destined for the ...
  • D-Link DFL-260 | Product Manual - Page 154
    ... for Route Failover Overview To provide a more flexible and configurable way to monitor the integrity of routes, NetDefendOS provides the additional ... reliable to check accessibility to external hosts. Just monitoring a link to a local switch may not indicate a problem in another part of the internal...
  • D-Link DFL-260 | Product Manual - Page 155
    ... can provide a higher certainty that any network problem resides in the local network rather than ...period of time after startup or after reconfiguration of the NetDefend Firewall which NetDefendOS will wait before ... period allows time for all network links to initialize once the firewall comes online....
  • D-Link DFL-260 | Product Manual - Page 156
    ... of testing if an application is offline. If, for example, a web page response from a server can ...Issue When No External Route is Specified With connections to an Internet ISP, an external network route should ... interface the network which exists between the NetDefend Firewall and the ISP can be found...
  • D-Link DFL-260 | Product Manual - Page 157
    ..., consider a network split into two sub-networks with a NetDefend Firewall between the two. Host A on one sub-network might ...find out the MAC address for the IP address of host B on the other sub-network. With the proxy ARP feature configured, NetDefendOS responds to this ARP request instead of host ...
  • D-Link DFL-260 | Product Manual - Page 158
    ... in mind that if the host has an ARP request for an IP address outside of the local network then this will be sent to the gateway configured for that host. The entire example is illustrated below. Figure 4.4. A Proxy ARP Example Transparent Mode as an...
  • D-Link DFL-260 | Product Manual - Page 159
    ...ARP cannot be enabled for automatically added routes. For example, the routes that NetDefendOS creates at initial startup ... routes have a special status in the NetDefendOS configuration and are treated differently. If Proxy... should first be deleted and then manually recreated as a new route. Proxy ARP...
  • D-Link DFL-260 | Product Manual - Page 160
    ... than one ISP is used to provide Internet services, Policy-based Routing can ... originating from different sets of users through different routes. For example, traffic from one address ... rule can be triggered by the type of service (HTTP for example) in combination with the Source/Destination Interface...
  • D-Link DFL-260 | Product Manual - Page 161
    ...packet's source/destination interface/network as well as service. If a matching rule is found then ...see Section 6.1, "Access Rules" for more details of this feature). If there are no Access Rules ... with the original, untranslated address. If allowed by the IP rule set, the new connection is opened...
  • D-Link DFL-260 | Product Manual - Page 162
    ... of a default all-nets route will mean that the connection will be dropped. Example 4.3. Creating a Policy-based Routing Table In this example we ...the core interface (which are routes to NetDefendOS itself). Click OK Example 4.4. Creating the Route After defining the routing table TestPBRTable, we ...
  • D-Link DFL-260 | Product Manual - Page 163
    ... 4.5. Policy-based Routing Configuration This example illustrates a multiple ISP scenario which is a common ... scenario, publicly accessible servers will be configured with two separate IP addresses: one from each... Return VR table r2 r2 To configure this example scenario: Web Interface 1. 2. 3. 4. Add...
  • D-Link DFL-260 | Product Manual - Page 164
    4.3.5. The Ordering parameter Chapter 4. Routing Note Rules in the above example are added for both inbound and outbound connections. 164
  • D-Link DFL-260 | Product Manual - Page 165
    ... in a policy driven fashion. To balance simultaneous utilization of multiple Internet links so networks are not dependent on a single ISP. To allow balancing of traffic across multiple VPN tunnels which might be setup over different physical interfaces. Enabling RLB...
  • D-Link DFL-260 | Product Manual - Page 166
    ...is similar to Round Robin but provides "stickiness" so that unique destination IP addresses always get the same route from a lookup. The ... particular destination application can see all traffic coming from the same source IP address. • Spillover Spillover is not similar to the previous algorithms. ...
  • D-Link DFL-260 | Product Manual - Page 167
    4.4. Route Load Balancing Chapter 4. Routing Figure 4.6. The RLB Spillover Algorithm Spillover Limits are set separately for ingoing and outgoing traffic with only one of these typically being specified. If both are specified then only one of them needs to be exceeded continuously for Hold Timer ...
  • D-Link DFL-260 | Product Manual - Page 168
    ... has the narrowest range that matches the destination IP address used in the lookup. In the above example, 10.4.16.0/24 may be chosen over 10.4.16... connected via the LAN interface of the NetDefend Firewall and these will access the internet. Internet access is available from either ...
  • D-Link DFL-260 | Product Manual - Page 169
    ...100 We will not use the spillover algorithm in this example so the routing metric for both routes ... All All The service All is used in the above IP rules but this should be further refined to a service or service group that covers all the traffic that will be allowed to flow. Example 4.6. Setting ...
  • D-Link DFL-260 | Product Manual - Page 170
    ... to try and use RLB to balance traffic between two IPsec tunnels, the problem that arises is that the Remote Endpoint for any two IPsec tunnels in ... solution has the advantage of providing redundancy should one ISP link fail. • Use VPN with one tunnel that is IPsec based and another tunnel that is ...
  • D-Link DFL-260 | Product Manual - Page 171
    ... mechanism: • A Distance Vector (DV) algorithm. • A Link State (LS) algorithm. How a router decides ... to neighboring routers to inform them of changes. Link State Algorithms In contrast to DV algorithms, Link State (LS) algorithms enable routers to keep routing tables that reflect the topology ...
  • D-Link DFL-260 | Product Manual - Page 172
    ... on all D-Link NetDefend models The OSPF feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260. An OSPF enabled router first identifies the routers and sub-networks that are directly ...
  • D-Link DFL-260 | Product Manual - Page 173
    ... 4.9. OSPF Providing Route Redundancy In addition, we now have route redundancy between any two of the firewalls. For example, if the direct link between A and C fails then OSPF allows both firewalls to know immediately that there is an alternate ...
  • D-Link DFL-260 | Product Manual - Page 174
    ...RFC 1583. OSPF is not available on all D-Link NetDefend models The OSPF feature is only available on the NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. OSPF is not available on the DFL-210 and 260. OSPF functions by routing IP packets based only on the...
  • D-Link DFL-260 | Product Manual - Page 175
    ... area is not directly connected to the backbone it needs a virtual link to it. OSPF networks should be designed by beginning with the backbone.... or into which AS external advertisements are not flooded. When an area is configured as a stub area, the router will automatically advertise a default route...
  • D-Link DFL-260 | Product Manual - Page 176
    ... minimize the routing table. To set this feature up in NetDefendOS, see Section 4.5.3.5, "OSPF Aggregates". Virtual Links Virtual links are used ... that does not have a direct connection to the backbone area. B. Linking backbone areas when the backbone is partitioned. The two uses are discussed ...
  • D-Link DFL-260 | Product Manual - Page 177
    ... one of them, fw1, is connected physically to the backbone area. Figure 4.10. Virtual Links Connecting Areas In the above example, a Virtual Link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In this configuration only the Router ID...
  • D-Link DFL-260 | Product Manual - Page 178
    ... Links with Partitioned Backbone The virtual link is configured between fw1 and fw2 on Area 1 as it is used ...ID has to be configured; as the example above shows, fw2 needs to have a virtual link to fw1 ... versa. These virtual links need to be configured in Area 1. To set this feature up in NetDefendOS,...
  • D-Link DFL-260 | Product Manual - Page 179
    ... ID Specifies a symbolic name for the OSPF AS. Specifies the IP address that is used to identify the router in an AS. If no Router ID is configured, the firewall computes the Router ID based on the highest IP address of any interface participating in the OSPF ...
  • D-Link DFL-260 | Product Manual - Page 180
    ... are encrypted. If the OSPF traffic needs to be encrypted then it must be sent using a VPN, for example, using IPsec. Sending OSPF packets through an IPsec tunnel is discussed further in Section 4.5.5, "Setting Up OSPF". 180
  • D-Link DFL-260 | Product Manual - Page 181
    ... be the same on all routers If a passphrase or MD5 authentication is configured for OSPF, the passphrase or authentication key must be the same on all... An area collects together OSPF interfaces, neighbors, aggregates and virtual links. An OSPF area is a child of the OSPF router process and there can ...
  • D-Link DFL-260 | Product Manual - Page 182
    ... discovery of neighboring routers. • Point-to-Point - Point-to-Point is used for direct links which involve only two routers (in other words, two ... of this is a VPN tunnel which is used to transfer OSPF traffic between two firewalls. The neighbor address of such a link is configured by defining 182
  • D-Link DFL-260 | Product Manual - Page 183
    ...4. Routing an OSPF Neighbour object. Using VPN tunnels is discussed further in Section 4.5.5, "Setting Up ... networks, where there is more than one router in a link that does not have OSI Layer 2... for Router Process is enabled then the values configured in the router process properties are used. If ...
  • D-Link DFL-260 | Product Manual - Page 184
    ...tunnel. This type of VPN usage with IPsec tunnels is described further in Section 4.5.5, "Setting Up OSPF". ... this is not possible and in that case a Virtual Link (VLink) can be used to connect to the backbone ... Router ID Symbolic name of the virtual link. The Router ID of the router on the other side...
  • D-Link DFL-260 | Product Manual - Page 185
    ... 4. Routing Authentication Use Default For AS Use the values configured in the AS properties page. Note: Linking partitioned backbones If the backbone area is partitioned, a virtual link is used to connect the different parts. In most simple OSPF scenarios, ...
  • D-Link DFL-260 | Product Manual - Page 186
    ... instead there is a hop to another router on the way to the destination network. The all-nets route defined for Internet access via an ISP is an example of such a route. In this case, a dynamic routing export rule must be created to explicitly export the ...
  • D-Link DFL-260 | Product Manual - Page 187
    ... needs to be in between. Specifies if the rule should filter on Router ID. Specifies if the rule ... change should be imported. If needed, specifies the IP to route via. Specifies a tag for this route. This tag can be used in other routers for filtering. Specifies the kind of external route type. ...
  • D-Link DFL-260 | Product Manual - Page 188
    ... simple scenario described earlier with just two NetDefend Firewalls. In this example we connect together the two NetDefend Firewalls with OSPF so they can share the ... is not, the network assigned to the physical interface is used. For example if lan is the interface then lannet will be ...
  • D-Link DFL-260 | Product Manual - Page 189
    ... to another OSPF Router (in other words, with another NetDefend Firewall that acts as an OSPF router). For example, the interface may only be connected to a... to another firewall which is set up as an OSPF Router. In this example, the physical interface connected to the other firewall would have this ...
  • D-Link DFL-260 | Product Manual - Page 190
    ...Sending OSPF Traffic Through a VPN Tunnel In some cases, the link between two NetDefend Firewalls which are configured with OSPF Router Process objects may ...9.2, "VPN Quick Start". This IPsec tunnel is now treated like any other interface when configuring OSPF in NetDefendOS. ...
  • D-Link DFL-260 | Product Manual - Page 191
    ...-nets will allow all traffic into the tunnel. In the routing section of the IPsec properties, the Specify address manually option needs to be enabled and the IP address in this ... B using the same IPsec tunnel but using a different random internal IP network for OSPF setup. Tip: Non-...
  • D-Link DFL-260 | Product Manual - Page 192
    ... as_0 Click OK This should be repeated for all the NetDefend Firewalls that will be part of the OSPF AS. Example 4.8. Add an OSPF Area Now add an... 0.0.0.0 Click OK This should be repeated for all the NetDefend Firewalls that will be part of the OSPF area. Example 4.9. Add OSPF Interface Objects ...
  • D-Link DFL-260 | Product Manual - Page 193
    ... Rule Specify a suitable name for the rule. For example, ImportOSPFRoutes. Select the option From OSPF Process ... policy rule Specify a name for the rule. For example, ExportAllNets Select the option From Routing Table ... list Choose all-nets in the ...Or is within filter Click OK Next, create an OSPF ...
  • D-Link DFL-260 | Product Manual - Page 194
    ...words, to NetDefendOS itself). SAT Multiplex rules are set up in the IP rule set in order to perform forwarding to the correct interfaces. This is demonstrated in the examples described later. Note: Interface multicast handling must be On or Auto For multicast to ...
  • D-Link DFL-260 | Product Manual - Page 195
    ... core interface. By default, the multicast IP range 224.0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually be configured with static address translation of the ...
  • D-Link DFL-260 | Product Manual - Page 196
    ... below) but cannot be a FwdFast or SAT rule. Example 4.12. Forwarding of Multicast Traffic using the SAT Multiplex Rule In this example, we will create a multiplex rule in order to...traffic. IGMP has to be configured separately. Web Interface A. Create a custom service for multicast called ...
  • D-Link DFL-260 | Product Manual - Page 197
    ... Under General enter 3. Name: a name for the rule, for example Multicast_Multiplex Action: Multiplex SAT Service: multicast_service Under Address Filter enter... interface and, if address translation of a group is needed, an IP address. If, for example, multiplexing of the multicast group 239.192.100...
  • D-Link DFL-260 | Product Manual - Page 198
    ... rule matching the SAT Multiplex rule. Example 4.13. Multicast Forwarding - Address Translation ... needs to be configured to match the scenario described above: Web Interface A. Create a custom service... > Add > IP Rule Under General enter: • Name: a name for the rule, for example Multicast_Multiplex...
  • D-Link DFL-260 | Product Manual - Page 199
    4.6.3. IGMP Configuration Chapter 4. Routing 3. Action: Multiplex SAT Service: multicast_service Under Address Filter enter Source Interface:... is needed. If a neighboring router is statically configured to deliver a multicast stream to the NetDefend Firewall, an IGMP query would also not...
  • D-Link DFL-260 | Product Manual - Page 200
    ... behalf of its clients. 4.6.3.1. IGMP Rules Configuration - No Address Translation This example describes the IGMP rules needed for configuring IGMP according to the No Address Translation scenario ... towards the upstream router and therefore IGMP must be configured to run in proxy mode.
  • D-Link DFL-260 | Product Manual - Page 201
    Example 4.14. IGMP - No Address Translation The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The IP address of the upstream IGMP router is known as ...
  • D-Link DFL-260 | Product Manual - Page 202
    ... 4.6.3.2. IGMP Rules Configuration - Address Translation The following examples illustrate the IGMP rules needed ... each pair of report and query rule. The upstream multicast router uses IP UpstreamRouterIP. Example 4.15. if1 Configuration The following steps need ...
  • D-Link DFL-260 | Product Manual - Page 203
    ....192.10.0/24 Click OK Example 4.16. if2 Configuration - Group Translation The following ... General enter 3. Name: A suitable name for the rule, for example Reports_if2 Type: Report Action: Proxy ...General enter 3. Name: A suitable name for the rule, for example Queries_if2 Type: Query Action: Proxy ...
  • D-Link DFL-260 | Product Manual - Page 204
    ... core routes in all routing tables for the multicast IP address range 224.0.0.0/4. If the setting is... Before Rules For IGMP traffic, bypass the normal IP rule set and consult the IGMP ...protocol version that will be globally used on interfaces without a configured IGMP Setting. Multiple querying IGMP ...
  • D-Link DFL-260 | Product Manual - Page 205
    4.6.4. Advanced IGMP Settings Chapter 4. Routing group-and-source specific query. Global setting on interfaces without an overriding IGMP Setting. Default: 5,000 IGMP Max Total Requests The maximum global number of IGMP messages to process each second. Default: 1000 IGMP Max Interface Requests ...
  • D-Link DFL-260 | Product Manual - Page 206
    The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting. Default: 1,000
  • D-Link DFL-260 | Product Manual - Page 207
    ... to different types of services (for example HTTP) and in specified directions. As long as users are accessing ... exactly which users are on which interface. Usage Scenarios Two examples of Transparent Mode... Mode can control what kind of service is permitted to these IP addresses and in what direction...
  • D-Link DFL-260 | Product Manual - Page 208
    ...-n-play" fashion, without changing their IP address (assuming their IP address is fixed). The user can still obtain the same services as before (for example HTTP, FTP) without any need to change routes. The same network address range can...
  • D-Link DFL-260 | Product Manual - Page 209
    ... any Dest Network all-nets Service all 2. Restricting the Network Parameter As NetDefendOS ... to the routing table as it discovers on which interface IP addresses are located. As the name suggests, single .... Multiple Switch Routes are Connected Together The setup steps listed above describe placing ...
  • D-Link DFL-260 | Product Manual - Page 210
    ... are associated with the switch routes, transparency will exist between them. For example, if the interfaces if1 to if6 appear in switch routes in ... with VLANs If transparent mode is being set up for all hosts and users on a VLAN then the technique described above of using multiple routing tables ...
  • D-Link DFL-260 | Product Manual - Page 211
    ... retaining the same IP address. Secondly, and more importantly, their network routes will need to be manually configured for proxy ARP. Transparent Mode with DHCP ...which will hand out public IP addresses to users. In this case, NetDefendOS MUST be correctly configured as a DHCP Relayer to ...
  • D-Link DFL-260 | Product Manual - Page 212
    ... are treated as a single logical IP network in Transparent Mode with a common address range (in this example 192.168.10.0/24). Figure 4.19. Transparent Mode Internet Access In ... the ISP gateway. These same users should also configure the Internet gateway on their local computers to ...
  • D-Link DFL-260 | Product Manual - Page 213
    ...then use that object in a single defined route. In the above example, 85.12.184.39 and 194.142.215.15 ... of users accessing the Internet usually need to be public IP addresses. If NATing needs to be performed in the example above to hide individual addresses from the Internet, it would have to be done...
  • D-Link DFL-260 | Product Manual - Page 214
    ... Mode Scenario 1 Example 4.17. Setting up Transparent Mode for Scenario 1 Web Interface Configure the interfaces: 1. 2. Go to Interfaces > Ethernet > Edit (wan) Now enter 3. 4. 5. IP Address: 10... Mode: Enable 6. Click OK Configure the rules: 1. 2. Go to Rules > IP Rules > Add > IPRule Now ...
  • D-Link DFL-260 | Product Manual - Page 215
    ...) share the 10.0.0.0/24 address space. As this is configured using Transparent Mode any IP address can be used for ...but traffic is still controlled by the IP rule set. Figure 4.21. Transparent Mode Scenario 2 Example 4.18. Setting up Transparent Mode for Scenario 2 Configure a Switch Route over the...
  • D-Link DFL-260 | Product Manual - Page 216
    ... route for interface network: Disable 6. Click OK Configure the interface groups: 1. 2. Go to Interfaces > Interface ...: Select lan and dmz Click OK Configure the routing: 1. 2. Go to Routing > Main Routing ...24 Metric: 0 Click OK Configure the rules: 1. 2. Go to Rules > IP Rules > Add > IPRule ...
  • D-Link DFL-260 | Product Manual - Page 217
    ...Spanning Tree BPDU Support Chapter 4. Routing 3. 4. 5. Click OK Go to Rules > IP Rules ... includes support for relaying the Bridge Protocol Data Units (BPDUs) across the NetDefend Firewall....enables the switches to run the STP protocol. Two NetDefend Firewalls are deployed in transparent mode between...
  • D-Link DFL-260 | Product Manual - Page 218
    ... Settings for Transparent Mode Figure 4.22. An Example BPDU Relaying Scenario Implementing BPDU Relaying The ... checks the contents of BPDU messages to make sure the content type is supported. If it is not, the frame is dropped. Enabling/Disabling BPDU Relaying BPDU relaying is ...
  • D-Link DFL-260 | Product Manual - Page 219
    ... the firewall in Transparent Mode. Default: Disabled Dynamic CAM Size This setting can be used to manually configure the size of the CAM table. Normally Dynamic is ...: Enabled L3 Cache Size This setting is used to manually configure the size of the Layer 3 Cache. Enabling Dynamic ...
  • D-Link DFL-260 | Product Manual - Page 220
    4.7.5. Advanced Settings for Transparent Mode Chapter 4. Routing Null Enet Sender Defines what to do when receiving a packet that has the sender hardware (MAC) address in the Ethernet header set to null (0000:0000:0000). Options: Drop - Drop packets; DropLog - Drop and log packets. Default: ...
  • D-Link DFL-260 | Product Manual - Page 221
    Options: Drop - Drop the packets; DropLog - Drop packets and log the event. Default: Drop Relay MPLS When set to Ignore, all incoming MPLS packets are relayed in transparent mode. Options: Ignore - Let the packets pass but do not log Log...
  • D-Link DFL-260 | Product Manual - Page 222
  • D-Link DFL-260 | Product Manual - Page 223
    ... Relaying, page 230 • IP Pools, page 233 5.1. Overview Dynamic Host Configuration Protocol ...receives a request from a DHCP client, it returns the configuration parameters (such as an IP address, a MAC address,... the lease and release the IP address. The lease time can be configured in a DHCP server ...
  • D-Link DFL-260 | Product Manual - Page 224
    5.2. DHCP Servers Chapter 5. DHCP Services DHCP servers assign and manage the IP addresses taken from a specified ... server ordering in the list can, of course, be changed through one of the user interfaces. Using Relayer IP Address Filtering As explained above a DHCP server is ...
  • D-Link DFL-260 | Product Manual - Page 225
    The following options can be configured for a DHCP server: General Parameters Name Interface Filter IP Address Pool Netmask Optional Parameters Default GW Domain Lease Time Primary/Secondary DNS Primary/Secondary...
  • D-Link DFL-260 | Product Manual - Page 226
    ... DHCP Servers Chapter 5. DHCP Services This example shows how to set up a DHCP server ... IP address pool called DHCPRange1. This example assumes that an IP range for the DHCP Server has ... lan IP Address Pool: DHCPRange1 Netmask: 255.255.255.0 Click OK Example ...00-02-54 10.4.13.1 00-12-79-3b-dd-45 10...
  • D-Link DFL-260 | Product Manual - Page 227
    ... Static DHCP Hosts Chapter 5. DHCP Services The asterisk "*" before a MAC address means ...given IP to a specific MAC address. In other words, the creation of a static host. Static Host ...: Host MAC Address Client Identified This is the IP address that will be handed out to the client. This is the MAC...
  • D-Link DFL-260 | Product Manual - Page 228
    .... Example 5.3. Static DHCP Host Assignment This example shows how to assign the IP address 192.168.1.1 to... MAC address 00-90-12-13-14-15. The example assumes that the DHCP server ... DHCP leases that are sent out. An example of this is certain switches that require the IP address of a TFTP server from...
  • D-Link DFL-260 | Product Manual - Page 229
    ... Custom Options Chapter 5. DHCP Services Custom Option Parameters The following parameters can ... exists. This describes the type of data which will be sent. For example, if the type is String then the data ... of the data is determined by the Code and Type. For example, if the code is set to 66 (TFTP ...
  • D-Link DFL-260 | Product Manual - Page 230
    ...DHCP server in the local network and acts as the link between the client and a remote DHCP ..., the interface is the source interface and not core. Example 5.4. Setting up a DHCP Relayer ... interfaces to obtain IP addresses from a DHCP server. It is assumed the NetDefend Firewall is configured with VLAN...
  • D-Link DFL-260 | Product Manual - Page 231
    5.3.1. DHCP Relay Advanced Settings Chapter 5. DHCP Services 3. Name: ipgrp-dhcp Interfaces: select vlan1 and vlan2 from the Available ...-dhcpserver Action: Relay Source Interface: ipgrp-dhcp DHCP Server to relay to: ip-dhcp Allowed IP offers from server: all-nets Under the Add Route tab, ...
  • D-Link DFL-260 | Product Manual - Page 232
    will be reduced down to this value. Default: 10000 seconds Max Auto Routes How many relays can be active at the same time. Default: 256 Auto Save Policy What policy should be used to save the relay list to the disk, possible ...
  • D-Link DFL-260 | Product Manual - Page 233
    ... IP Pools is with IKE Config Mode which is a feature used for allocating IP addresses to remote clients connecting through IPsec tunnels. For more information on this see Section 9.4.3, "Roaming Clients". Basic IP Pool Options The basic options available for ...
  • D-Link DFL-260 | Product Manual - Page 234
    5.4. IP Pools Chapter 5. DHCP Services Receive Interface A "simulated" virtual DHCP server receiving interface. This ... status of an IP pool. The simplest form of the command is: gw-world:/> ippool -show This displays all the configured IP pools along with their status. The status information is ...
  • D-Link DFL-260 | Product Manual - Page 235
    ... administrator to change the pool size and to free up IP addresses. The complete list of command options can be found in the CLI Reference Guide. Example 5.5. Creating an IP Pool This example shows the creation of an IP Pool object that will use the ...
  • D-Link DFL-260 | Product Manual - Page 236
  • D-Link DFL-260 | Product Manual - Page 237
    ... security features. • Access Rules, page 237 • ALGs, page 240 • Web Content ... connection's source IP. Custom Access Rules are Optional For most configurations the Default Access ... any of the custom Access Rules. The recommendation is to initially configure NetDefendOS without any custom Access ...
  • D-Link DFL-260 | Product Manual - Page 238
    ... source address. The second point prevents any local host from launching the spoof. 6.1.3. Access Rule Settings The configuration of an access rule is similar to other types of rules. It contains Filtering Fields as well as the Action to take. If ...
  • D-Link DFL-260 | Product Manual - Page 239
    ...with an action of Drop. Troubleshooting Access Rule Related Problems It should be noted that Access Rules are a first filter of traffic before any... as setting up VPN tunnels, precisely because of this. It is always advisable to check Access Rules when troubleshooting puzzling problems in case a rule...
  • D-Link DFL-260 | Product Manual - Page 240
    ... which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP, NetDefend Firewalls provide Application Layer Gateways (... as a mediator in accessing commonly used Internet applications outside the protected network, for example web access, file transfer and multimedia transfer. ALGs ...
  • D-Link DFL-260 | Product Manual - Page 241
    ... 6. Security Mechanisms Maximum Connection Sessions The service associated with an ALG has a configurable parameter associated with it called Max Sessions and ... a response string, followed by a message of its own. That message might be, for example, an HTML file to be shown in the Web browser or an ...
  • D-Link DFL-260 | Product Manual - Page 242
    ...looks at the file's contents (in a way similar to MIME checking) to confirm the file is what it claims to be. If, for example... are also examined to verify the file's contents. If, for example, .jpg files are allowed and... then no files can be downloaded. Additional filetypes not included by default can...
  • D-Link DFL-260 | Product Manual - Page 243
    ... the same way for the FTP, POP3 and SMTP ALGs. • Download File Size Limit - A file size limit can additionally be specified for any single download (this option is available only for HTTP and SMTP ALG downloads). The Ordering for HTTP Filtering HTTP filtering obeys the following processing ...
  • D-Link DFL-260 | Product Manual - Page 244
    ... that service object with an IP rule in the IP rule set. A number of predefined HTTP services could be used with the ALG. For example, the http service might be selected for this purpose. As long as the associated service is associated with an IP rule then the ALG will be ...
  • D-Link DFL-260 | Product Manual - Page 245
    ... the firewall to an FTP server on the Internet. The IP rule is then configured to allow network traffic ... be summarized as follows: The FTP client can be configured to use passive mode, which is the recommended mode for clients. The FTP server can be configured to use active mode, which is the safer ...
  • D-Link DFL-260 | Product Manual - Page 246
    ...if the server is using passive mode. The default range is 1024-65535. These options can determine if hybrid mode is required to complete the connection. For example, if the client connects with passive mode but this is not allowed to the server then hybrid mode is automatically used and the FTP ALG ...
  • D-Link DFL-260 | Product Manual - Page 247
    ... are allowed in the control channel. Allowing 8-bit characters enables support for filenames containing international characters. For example, accented or umlauted characters. Filetype Checking The FTP ALG offers the same filetype verification for ...
  • D-Link DFL-260 | Product Manual - Page 248
    ... this scenario, the administrator configures the address of the server to be within the range of the network to block. When a client downloads an infected file, ...Chapter 12, ZoneDefense. Example 6.2. Protecting an FTP Server with an ALG As shown, an FTP Server is connected to the NetDefend Firewall ...
  • D-Link DFL-260 | Product Manual - Page 249
    ...ALG will handle all conversion if a client connects using passive mode. The configuration is performed as follows: Web Interface A. Define the ALG: (The ALG ftp-inbound is already predefined by NetDefendOS but in this example we will show how it can be created from scratch.) 1. 2. 3. 4. 5....
  • D-Link DFL-260 | Product Manual - Page 250
    ...: SAT-ftp-inbound Action: SAT Service: ftp-inbound-service For Address Filter enter Source Interface: any ... Name: NAT-ftp Action: NAT Service: ftp-inbound-service For Address Filter enter Source Interface: ... Name: Allow-ftp Action: Allow Service: ftp-inbound-service For Address Filter enter:
  • D-Link DFL-260 | Product Manual - Page 251
    ... Network: wan_ip Click OK Example 6.3. Protecting FTP Clients In this scenario shown below the NetDefend Firewall is protecting a...option. This allows clients on the inside to connect to FTP servers that support active and passive mode across the Internet. The configuration is performed as follows:...
  • D-Link DFL-260 | Product Manual - Page 252
    ...UDP Service Now enter 3. Name: ftp-outbound-service Type: select TCP from the dropdown list Destination:...-ftp-outbound Action: Allow Service: ftp-outbound-service For Address Filter enter Source Interface...-ftp-outbound Action: NAT Service: ftp-outbound-service For Address Filter enter: • Source ...
  • D-Link DFL-260 | Product Manual - Page 253
    ...client connects with this mode then the FTP server must return an IP address and port to the client on which it can set up the data transfer connection. This IP address is normally manually specified by the administrator in the FTP server software and the natural choice is to specify the...
  • D-Link DFL-260 | Product Manual - Page 254
    ... mail sent by remote SMTP servers will traverse the NetDefend Firewall to reach the local server (this setup is illustrated later in Section 6.2.5.1, "Anti-Spam Filtering"). Local users will then use email client software to retrieve their email...
  • D-Link DFL-260 | Product Manual - Page 255
    ...address is on the blacklist or that the mail has been flagged as Spam. The content of an attached file can be checked .... Spam filtering (if enabled). Anti-virus scanning (if enabled). As described above,... be blocked if it is also found on the blacklist. Spam filtering, if it is enabled, is still applied...
  • D-Link DFL-260 | Product Manual - Page 256
    ... to specify all possible email addresses for some_domain.com. If, for example, wildcarding is used in the blacklist to block all addresses for a ... it will respond with a list of the extensions that it supports. These extensions are defined by various separate RFCs. For example, RFC 2920 defines the ...
  • D-Link DFL-260 | Product Manual - Page 257
    ... since it would disallow all incoming emails from the blocked email server. For example, if a remote user is...local SMTP clients. It is ensured that the SMTP server is excluded from this range. Tip: Exclusion can be manually configured It is possible to manually configure certain hosts and servers ...
  • D-Link DFL-260 | Product Manual - Page 258
    ... address of known spamming SMTP servers and these can be queried over the public... Queries When the NetDefendOS Anti-Spam filtering function is configured, the IP address of the email's sending.... Figure 6.5. Anti-Spam Filtering Creating a DNSBL Consensus The administrator can configure the NetDefendOS...
  • D-Link DFL-260 | Product Manual - Page 259
    ... recipient with notifying text inserted into it. A Threshold Calculation Example As an example, let's suppose that three DNSBL servers are configured: dnsbl1, dnsbl2 and ... for dropped email: • A special email address can be configured to receive all dropped email. If this is done...
  • D-Link DFL-260 | Product Manual - Page 260
    ...of their inbox contents. The individual user could then decide to set up their own filters in .... Allow the email to pass but tag it using the configured spam tag. When sender address verification is enabled, there is an additional option to only compare the domain names in the "From" addresses.
  • D-Link DFL-260 | Product Manual - Page 261
    ... event since all email will be allowed through if this happens. Setup Summary To set up DNSBL Spam filtering in the SMTP ALG, the following ...is written over first. There are two parameters which can be configured for the address cache: • Cache Size This is the number of entries ...
  • D-Link DFL-260 | Product Manual - Page 262
    ... emails. For each DNSBL server accessed Number of positive (is Spam) responses from each configured DNSBL server. Number of queries sent to each...-show Drop Threshold : 20 Spam Threshold : 10 Use TXT records : yes IP Cache disabled Configured BlackLists : 4 Disabled BlackLists : 0 Current Sessions :...
  • D-Link DFL-260 | Product Manual - Page 263
    ... a mail transfer protocol that differs from SMTP in that the transfer of mail is directly from a server to a user's client software. POP3 ALG Options Key features of the POP3 ALG are: Block clients from sending USER and PASS commands Block connections between client and ...
  • D-Link DFL-260 | Product Manual - Page 264
    ... be multiplexed through a single PPTP tunnel between the firewall and the server. PPTP ALG Setup Setting up the .... The full sequence of steps for setup is as follows: Define a new PPTP ALG object with an appropriate name, for example pptp_alg. The full list of options for the ALG is listed ...
  • D-Link DFL-260 | Product Manual - Page 265
    ...service object can be defined, for example called pptp_service. The service must have the following characteristics:... of all-nets. The single IP rule below shows how the custom service object called ...Idle timeout for Echo messages in the PPTP tunnel. Idle timeout for user traffic messages in the PPTP ...
  • D-Link DFL-260 | Product Manual - Page 266
    ... management. NetDefendOS SIP Setup When configuring NetDefendOS to handle SIP sessions the following steps are needed: Define a single Service object for SIP ... SIP communications which use the defined Service object. SIP ALG Options The following options can be configured for a SIP ALG object:
  • D-Link DFL-260 | Product Manual - Page 267
    ... large number of potentially dangerous connections must be allowed by the IP rule set. This problem does not occur if the local ...the exchange of media data. The exchange of the media data itself, for example the coded voice data which constitute a VoIP phone call. In the SIP setups described below, ...
  • D-Link DFL-260 | Product Manual - Page 268
    ...local clients - Proxy located on the Internet The SIP session is between a client on the local, protected side of the NetDefend Firewall and a client ... 1 Protecting local clients - Proxy located on the Internet The scenario assumed is an office with VoIP users on a private internal network where the ...
  • D-Link DFL-260 | Product Manual - Page 269
    ...be located remotely across the Internet. The proxy should be configured with the Record-Route feature enabled to ensure all .... Note: NAT traversal should not be configured SIP User Agents and SIP Proxies should not be configured to employ NAT Traversal in any setup. For instance the Simple Traversal...
  • D-Link DFL-260 | Product Manual - Page 270
    ... requests to the user. The ALG takes care of the address translations needed. 4. Ensure the clients are correctly configured. The .... Note: NAT traversal should not be configured SIP User Agents and SIP Proxies should not be configured to employ NAT Traversal in any setup. For instance, the Simple ...
  • D-Link DFL-260 | Product Manual - Page 271
    ... proxy and the local clients are hidden behind the IP address of the NetDefend Firewall. The setup steps are as follows: 1. 2. Define a single SIP ... the local proxy and the clients on the internal network to the remote clients on, for example, the Internet. The SIP ALG will take care of all address ...
  • D-Link DFL-260 | Product Manual - Page 272
    ...Record-Route is enabled then the Source Network for outbound traffic from proxy users can be further restricted in the above rules by using "ip_proxy"...client, bypassing the SIP proxy. This will happen automatically without further configuration. Solution B - Without NAT Without NAT, the outbound NAT ...
  • D-Link DFL-260 | Product Manual - Page 273
    ... Solution A - Using NAT The following should be noted about this setup: • The IP address of the SIP proxy must be a globally routable IP address. The NetDefend Firewall does not support hiding of the proxy on the DMZ. The IP address of the DMZ ...
  • D-Link DFL-260 | Product Manual - Page 274
    ...on the SIP ALG's internal state. • An Allow rule for inbound traffic from, for example the Internet, to the proxy behind the DMZ. If Record-Route is not ... level. An Allow rule for inbound SIP traffic from, for example the Internet, to the IP address of the DMZ interface. The reason for this is ...
  • D-Link DFL-260 | Product Manual - Page 275
    ...rule for inbound SIP traffic from the Internet to clients on the local network. The IP rules with Record-Route ... over packet-based networks such as the Internet. It specifies the components, protocols and procedures ... multimedia communication, including Internet phone and voice-over-IP (VoIP). H.323...
  • D-Link DFL-260 | Product Manual - Page 276
    ...NATing device with only one public IP. MCUs provide support for conferences of three or more ...closing of logical channels. A logical channel could be, for example, an audio channel used for voice communication.... and allowed through the NetDefend Firewall. The H.323 ALG has the following features: ...
  • D-Link DFL-260 | Product Manual - Page 277
    ... order to correctly configure the NetDefend Firewall to let calls through. NAT and SAT rules are supported, allowing clients ...scenarios where H.323 ALG use is applicable. For each scenario a configuration example of both the ALG and the rules is presented. The three service definitions used in these...
  • D-Link DFL-260 | Product Manual - Page 278
    ...1. 2. Go to Rules > IP Rules > Add > IPRule Now enter 3. Name: H323AllowOut Action: Allow Service: H323 Source Interface: lan Destination Interface: any Source ...1. 2. Go to Rules > IP Rules > Add > IPRule Now enter 3. Name: H323AllowIn Action: Allow Service: H323 Source Interface:...
  • D-Link DFL-260 | Product Manual - Page 279
    6.2.9. The H.323 ALG Chapter 6. Security Mechanisms Example 6.5. H.323 with private IP addresses In this scenario an H.323 phone is connected to the NetDefend Firewall on a ...2. Go to Rules > IP Rules > Add > IPRule Now enter 3. Name: H323Out Action: NAT Service: H323 Source ...
  • D-Link DFL-260 | Product Manual - Page 280
    ... are placed behind the firewall, one SAT rule has to be configured for each phone. This means that multiple external addresses have to..."H.323 with Gatekeeper" scenario, as this only requires one external address. Example 6.6. Two Phones Behind Different NetDefend Firewalls This scenario consists of ...
  • D-Link DFL-260 | Product Manual - Page 281
    ...(all-nets) Destination Network: lannet Comment: Allow incoming calls Click OK Example 6.7. Using Private IP Addresses This scenario consists of two H.323... on the phones, incoming traffic needs to be SATed as in the example below. The object ip-phone below should be the internal...
  • D-Link DFL-260 | Product Manual - Page 282
    ... as this only requires one external address. Example 6.8. H.323 with Gatekeeper In this scenario, an H.323 gatekeeper is placed in the DMZ of the NetDefend Firewall. A rule is configured in the firewall to allow traffic between the private network where the H....
  • D-Link DFL-260 | Product Manual - Page 283
    ...: 1. 2. Go to Rules > IP Rules > Add > IPRule Now enter 3. 4. 1. 2. Name: H323In Action: SAT Service: H323-Gatekeeper Source Interface: any Destination Interface: core ... OK Go to Rules > IP Rules > Add > IPRule Now enter Name: H323In Action: Allow Service: H323-Gatekeeper Source ...
  • D-Link DFL-260 | Product Manual - Page 284
    ... call the external phones that are registered with the gatekeeper. Example 6.9. H.323 with Gatekeeper and two NetDefend Firewalls This scenario is quite ... should be configured exactly as in scenario 3. The other NetDefend Firewall should be configured as below. The rules need to be added to the rule...
  • D-Link DFL-260 | Product Manual - Page 285
    ... to use the network for both voice communication and application sharing. It is assumed that the VPN tunnels are correctly configured and that all offices use private IP-ranges on their local networks. All outside calls are done over the...
  • D-Link DFL-260 | Product Manual - Page 286
... placed an H.323 Gatekeeper in the DMZ of the corporate NetDefend Firewall. This firewall should be configured as follows: Web Interface 1. 2. Go to Rules > IP Rules > Add ...OK Go to Rules > IP Rules > Add > IPRule Now enter Name: LanToGK Action: Allow Service: H323-Gatekeeper 286...
  • D-Link DFL-260 | Product Manual - Page 287
    ...323 Gateway on the DMZ Click OK Go to Rules > IP Rules > Add > IPRule Now enter Name: GWToLan Action: Allow Service: H323... Rules > IP Rules > Add > IPRule Now enter Name: BranchToGW Action: Allow Service: ... Rules > IP Rules > Add > IPRule Now enter Name: BranchToGW Action: Allow Service: ...
  • D-Link DFL-260 | Product Manual - Page 288
    ...H.323 ALG Chapter 6. Security Mechanisms 3. Click OK Example 6.11. Configuring remote offices for H.323 If the branch and... the Gatekeeper connected to the Head Office DMZ Click OK Example 6.12. Allowing the H.323 Gateway to register with the Gatekeeper The branch office NetDefend Firewall has a...
  • D-Link DFL-260 | Product Manual - Page 289
    ... secure access by clients to servers and avoids many of the complexities of other types of VPN solutions such as using IPsec. Most web browsers support TLS and users can therefore easily have secure server access without requiring additional software. ...
  • D-Link DFL-260 | Product Manual - Page 290
    ... of unencrypted data to/from servers. The advantages of this approach are TLS support can be centralized in the NetDefend Firewall instead of being set up on individual ... of the servers and the NetDefend Firewall. Decrypted TLS traffic can be subject to other NetDefendOS features such as traffic ...
  • D-Link DFL-260 | Product Manual - Page 291
... the TLS ALG object with the newly created service object. Create a NAT or Allow IP rule for the targeted traffic and associate .... The other limitations that should be noted Client authentication is not supported (where NetDefend Firewall authenticates the identity of the client). Renegotiation is ...
  • D-Link DFL-260 | Product Manual - Page 292
    ... a potential threat, such as ActiveX objects and Java Applets. Static Content Filtering provides a means for manually classifying web sites as "good" or "bad". This is also known as URL blacklisting and whitelisting. Dynamic Content Filtering is a ...
  • D-Link DFL-260 | Product Manual - Page 293
    ... ALG object and presumes you have done one of the previous examples. Command-Line Interface gw-world:/> set ALG ... Filtering takes place before Dynamic Content Filtering (described below), which allows the possibility of manually making exceptions from the automatic dynamic classification process. In ...
  • D-Link DFL-260 | Product Manual - Page 294
    ... a general surfing policy prevents users from downloading .exe-files. However, the D-Link website provides secure and necessary program files which should ... whitelist: gw-world:/content_filtering> add ALG_HTTP_URL URL=www.D-Link.com/*.exe Action=Whitelist Web Interface Start by...
  • D-Link DFL-260 | Product Manual - Page 295
    ... located in many different countries. Dynamic WCF is only available on certain NetDefend models Dynamic WCF is only available on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. WCF Processing Flow When a user of a web browser requests ...
  • D-Link DFL-260 | Product Manual - Page 296
    ... in the databases, then the webpage content at the URL will automatically be downloaded to D-Link's central data warehouse... anonymously New, uncategorized URLs sent to the D-Link network are treated as anonymous submissions and... and Not Sites NetDefendOS dynamic filtering categorizes web pages and not...
  • D-Link DFL-260 | Product Manual - Page 297
...be disallowed if the WCF databases were accessible. Example 6.15. Enabling Dynamic Web Content Filtering This example shows how to set up a dynamic content filtering policy for ...to all-nets. The policy will be configured to block all search sites, and this example assumes that the system is...
  • D-Link DFL-260 | Product Manual - Page 298
    ... Specify a suitable name for the Service, for example http_content_filtering Select the TCP in the Type dropdown list... rule handling your HTTP traffic Select the Service tab Select your new... to browse to a search site. For example, www.google.com. If everything is configured correctly, the web browser...
  • D-Link DFL-260 | Product Manual - Page 299
    ... Mode This example is based on the same scenario as the previous example, but now with audit mode enabled. Command-Line Interface First, ... rule to use the new service, are described in the previous example. Allowing Override On some occasions, Active Content Filtering may prevent users carrying out ...
  • D-Link DFL-260 | Product Manual - Page 300
    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms manually propose a new classification of sites. This ... URL to the requested web site as well as the proposed category will then be sent to D-Link's central data warehouse for manual inspection. That inspection may result in the web...
  • D-Link DFL-260 | Product Manual - Page 301
    ... News category if its content includes information articles on recent events pertaining to topics surrounding a locality (for example, town, ... and interviews, as well as staff recruitment and training services. Examples might be: • • www.allthejobs.com www.yourcareer.com Category 4: Gambling A ...
  • D-Link DFL-260 | Product Manual - Page 302
    ...(16), Clubs and Societies (22) and Music Downloads (23). Examples might be: • • www.celebnews.com www.hollywoodlatest.com Category 8: Chatrooms A... category if its content focuses on or includes the review of games, traditional or computer based, or incorporates the facilities for downloading 302
  • D-Link DFL-260 | Product Manual - Page 303
    ... category if its content includes the description, promotion or instruction in, criminal or terrorist activities, cultures or opinions. Examples might be:... category if its content includes the description or depiction of, or instruction in, systems of religious beliefs and practice. Examples might be...
  • D-Link DFL-260 | Product Manual - Page 304
    ... be classified under the Sports category if its content includes information or instructions relating to recreational or professional sports, or reviews on sporting events and sports scores. Examples might be: • • www.sportstoday.com www.soccerball.com ...
  • D-Link DFL-260 | Product Manual - Page 305
    ...classified under the Business Oriented category if its content is relevant to general day-to-day business or proper functioning of the Internet, for example Web browser updates. Access to web sites in this category would in most cases not be considered unproductive or ...
  • D-Link DFL-260 | Product Manual - Page 306
    ...category may also be categorized under the Health category. Examples might be: • • www.the-cocktail-guide.com www.stiffdrinks.com Category 29: Computing/... the Computing/IT category if its content includes computing related information or services. Examples might be: • • www.purplehat.com www...
  • D-Link DFL-260 | Product Manual - Page 307
    ...goes through the necessary steps. Example 6.18. Editing Content Filtering HTTP Banner Files This example shows how to modify the contents of the URL forbidden HTML page. Web Interface 1. 2. 3. 4. 5. 6. 7. 8. 9. Go ... 13. Click OK 14. Go to Configuration > Save & Activate to activate the new file...
  • D-Link DFL-260 | Product Manual - Page 308
    6.3.4. Dynamic Web Content Filtering Chapter 6. Security Mechanisms Tip: Saving changes In the above example, more than one HTML file can be ... the commit CLI commands must be used to activate the changes on the NetDefend Firewall. 2. HTML Page Parameters The HTML pages contain ...
  • D-Link DFL-260 | Product Manual - Page 309
    ... ALG Note: Anti-Virus is not available on all NetDefend models Anti-Virus scanning is available only on the D-Link NetDefend DFL-260, 860, 1660, 2560 and 2560G. 6.4.2. Implementation Streaming As a file transfer is streamed through the NetDefend Firewall,...
  • D-Link DFL-260 | Product Manual - Page 310
    ...is implemented through an Application Level Gateway (ALG), specific protocol specific features are implemented in NetDefendOS. With FTP, for example, scanning is aware of the dual control and data transfer channels that are opened and can send ...
  • D-Link DFL-260 | Product Manual - Page 311
    ... SafeStream database should therefore be updated regularly and this updating service is enabled as part of the subscription to the D-Link Anti-Virus subscription. 6.4.5. Subscribing to the D-Link Anti-Virus Service The D-Link Anti-Virus feature is purchased as an ...
  • D-Link DFL-260 | Product Manual - Page 312
    ...system time set if the auto-update feature in the Anti-Virus module can function ...Clusters Updating the Anti-Virus databases for both the NetDefend Firewalls in an HA Cluster is performed automatically ... determines there is a new update and downloads the required files for the update. The active unit ...
  • D-Link DFL-260 | Product Manual - Page 313
    .... For example: A local client downloads an infected file from a remote FTP server over the Internet. ... of how the feature can be used. For more information about this topic refer to Chapter 12, ZoneDefense. Example 6.... anti_virus Antivirus=Protect Next, create a Service object using the new HTTP ALG:...
  • D-Link DFL-260 | Product Manual - Page 314
    ...HTTP ALG you just created in the ALG dropdown list Click OK C. Finally, modify the NAT rule (called NATHttp in this example) to use the new service: 1. 2. 3. 4. 5. Go to Rules > IP Rules Select the NAT rule handling the traffic between lannet and...
  • D-Link DFL-260 | Product Manual - Page 315
    .... Worms, trojans and backdoor exploits are examples of such attacks which, if successful, .... An intrusion manifests itself as a malicious pattern of Internet data aimed at bypassing server security ... in the sections which follow. 6.5.2. IDP Availability for D-Link Models Maintenance and Advanced IDP ...
  • D-Link DFL-260 | Product Manual - Page 316
    ...Maintenance IDP is the base IDP system included as standard with the NetDefend DFL 210, 800, 1600 and 2500.... next. IDP does not come as standard with the DFL-260, 860, 1660, 2560 and 2560G ... database updates. This IDP option is available for all D-Link NetDefend models, including those that don't come...
  • D-Link DFL-260 | Product Manual - Page 317
    ... by NetDefendOS system at a configurable interval. This is done via an HTTP connection to the D-Link server network ...IDS) are used interchangeably in D-Link literature. They all refer to the same feature, which is IDP....system time set if the auto-update feature in the IDP module can function correctly...
  • D-Link DFL-260 | Product Manual - Page 318
    ...encoded using other hex escape sequences. An example would be the original sequence %2526 where %25 ... is not part of an existing connection or is rejected by the IP rule set then it is dropped. The source ... in all traffic, even the packets that are rejected by the IP rule set check for new connections...
  • D-Link DFL-260 | Product Manual - Page 319
... by the targeted application. This results in two different streams of data. As an example, consider a data stream broken up into 4 packets: ...by infrequent and unusually complex patterns of data in the stream. Recommended Configuration By default, Insertion/Evasion protection is enabled for all IDP ...
  • D-Link DFL-260 | Product Manual - Page 320
    ... their new attacks can appear "in the wild" quickly. To counter this, D-Link IDP uses an approach where the module scans for these reusable... D-Link documentation but instead, are available on the D-Link website at: http://security.dlink.com.tw Advisories can be found under the "NetDefend IDS" option ...
  • D-Link DFL-260 | Product Manual - Page 321
    ...level of naming describes the type of application or protocol. Examples are BACKUP DB DNS FTP HTTP... of the group and often specifies the application, for example MSSQL. The Sub-Category may not... and Category are sufficient to specify the group, for example APP_ITUNES. Listing of IDP Groups A listing...
  • D-Link DFL-260 | Product Manual - Page 322
    ... triggers the IDP Rule can be de-activated through the D-Link ZoneDefense feature. For more details on how ZoneDefense functions see Chapter 12, ZoneDefense. ... Minimum Repeat Time seconds before sending a new email. The IP Address of SMTP Log Receivers is Required When specifying an...
  • D-Link DFL-260 | Product Manual - Page 323
    ... Receiver for IDP Events Chapter 6. Security Mechanisms Example 6.20. Configuring an SMTP Log Receiver In this example, an IDP Rule is configured with an SMTP Log Receiver. Once an IDP event occurs, ... checkbox in the Log Settings tab Click OK Example 6.21. Setting up IDP for a Mail Server...
  • D-Link DFL-260 | Product Manual - Page 324
    ... Service to use is the SMTP service. Source Interface and Source Network defines where traffic is coming from, in this example the external network....IDPMailSrvRule, and applies to the SMTP service. Source Interface and Source Network define where traffic is coming from, in this example, the external ...
  • D-Link DFL-260 | Product Manual - Page 325
    ..., and what NetDefendOS should do when a possible intrusion is detected. In this example, intrusion attempts will cause the connection to be dropped, so Action ... Click OK If logging of intrusion attempts is desired, this can be configured by clicking in the Rule Actions tab when creating an IDP rule ...
  • D-Link DFL-260 | Product Manual - Page 326
    ...company reach a larger number of customers via the Internet, it can serve them faster and... Internet connections and business critical systems in overload. This section deals with using NetDefend..., disk space, or CPU time. Disruption of configuration information, such as routing information. Disruption...
  • D-Link DFL-260 | Product Manual - Page 327
    ... the total size exceeding 65535 bytes. In addition to that, there are configurable limits for IP packet sizes in Advanced Settings. Ping of death ... IP spoofing protection to all packets. In its default configuration, it will simply compare arriving packets to the contents of the routing table; if a ...
  • D-Link DFL-260 | Product Manual - Page 328
    ... an amplifier network can also consume great resources. In its default configuration, NetDefendOS explicitly drops packets sent to broadcast address of directly connected networks (configurable via Advanced Settings > IP > DirectedBroadcasts). However, with a reasonable inbound policy, no ...
  • D-Link DFL-260 | Product Manual - Page 329
    ...Flood Protection option is enabled in a service object associated with the rule in the IP rule set that triggers ... other operating systems can exhibit problems with as few as 5 outstanding half-open connections,... enough, no logging will occur. The sender IP address may be spoofed. 6.6.10. Distributed...
  • D-Link DFL-260 | Product Manual - Page 330
    6.6.10. Distributed DoS Attacks Chapter 6. Security Mechanisms attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims. Although recent DDoS attacks have been launched from both ...
  • D-Link DFL-260 | Product Manual - Page 331
    ... IP addresses which can be utilized to protect against traffic coming from specific Internet ...lost if the NetDefend Firewall shuts down and restarts. Whitelisting To ensure that Internet traffic... Tip: Important IP addresses should be whitelisted It is recommended to add the NetDefend Firewall itself...
  • D-Link DFL-260 | Product Manual - Page 332
    ...be used to remove a host from the blacklist using the -unblock option. Example 6.22. Adding a Host to the Whitelist In this example we will add an IP address object called white_ip ...host Now select the IP address object white_ip so it is added to the whitelist Select the service all_tcp to...
  • D-Link DFL-260 | Product Manual - Page 333
    6.7. Blacklisting Hosts and Networks Chapter 6. Security Mechanisms 333
  • D-Link DFL-260 | Product Manual - Page 334
    .../interface as well as based on the type of protocol. Two types of NetDefendOS IP rules, NAT rules and SAT rules are used to configure address translation. This section describes and provides examples of configuring NAT and SAT rules. 334
  • D-Link DFL-260 | Product Manual - Page 335
    ... firewall's IP address. Only the firewall needs a public IP address for public Internet access. Hosts and networks behind the firewall can be allocated private IP addresses but can still have access to the public Internet through the public IP address. NAT Provides many-to-one ...
  • D-Link DFL-260 | Product Manual - Page 336
    ... the NetDefend Firewall and a particular external host IP, the NetDefendOS NAT pools feature... entry configured for the outbound interface. Otherwise, the return traffic will not be received by the NetDefend Firewall... free port on the NetDefend Firewall and which is above port 1024. In this example, we...
  • D-Link DFL-260 | Product Manual - Page 337
    ... these events is illustrated further in the diagram below. Figure 7.2. A NAT Example Example 7.1. Adding a NAT Rule To add a NAT rule that...cc IPRuleSet main Now, create the IP rule: gw-world:/main> add IPRule Action=NAT Service=http SourceInterface=lan SourceNetwork=lannet DestinationInterface=any ...
  • D-Link DFL-260 | Product Manual - Page 338
    ...Chapter 7. Address Translation Web Interface 1. 2. 3. Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example NAT_HTTP Now enter 4. 5. Action: NAT Service: http Source Interface: lan Source Network: lannet Destination Interface: any...
  • D-Link DFL-260 | Product Manual - Page 339
    ...shall examine the typical case where the NetDefend Firewall acts as a PPTP server and terminates the PPTP tunnel for PPTP clients. Clients that... local ISP using PPTP. The traffic is directed to the anonymizing service provider where a NetDefend Firewall is installed to act as the PPTP server for the ...
  • D-Link DFL-260 | Product Manual - Page 340
    ... limitation is overcome by allocating extra external IP addresses for Internet access and using NAT ... balance connections across several external ISP links while ensuring that an external host will always ... all the connections for a single host behind the NetDefend Firewall no matter which external ...
  • D-Link DFL-260 | Product Manual - Page 341
    ... router sends ARP queries to the NetDefend Firewall to resolve external IP addresses included in a NAT Pool... Pool on all interfaces but this can cause problems sometimes by possibly creating routes to interfaces on...rule. This association brings the NAT Pool into use. Example 7.2. Using NAT Pools 341
  • D-Link DFL-260 | Product Manual - Page 342
    ... Pools Chapter 7. Address Translation This example creates a NAT pool with the external IP address range 10... enter 3. 4. Name: stateful_natpool Pool type: stateful IP Range: nat_pool_range Select the Proxy ARP ...Interface: wan Destination Network: all-nets Service: HTTP 4. Select the NAT tab and ...
  • D-Link DFL-260 | Product Manual - Page 343
...Unlike NAT, SAT requires more than just a single IP rule to be defined. A SAT rule must first be added to specify...to as a Virtual IP or Virtual Server in some other manufacturers' products. The Role of the DMZ At this point in the manual, it's relevant to discuss the concept and role of the network ...
  • D-Link DFL-260 | Product Manual - Page 344
    ... LAN. Figure 7.4. The Role of the DMZ Note: The DMZ port could be any port On all models of D-Link NetDefend hardware, there is a specific Ethernet port which ... Web Server in a DMZ In this example, we will create a SAT policy that will translate and allow connections from the Internet to a...
  • D-Link DFL-260 | Product Manual - Page 345
    ... name for the rule, for example Allow_HTTP_To_DMZ Now enter 4. 5. Action: Allow Service: http Source ... two rules allow us to access the web server via the NetDefend Firewall's external... internal machines to be dynamically address translated to the Internet. In this example, we use a rule that permits...
  • D-Link DFL-260 | Product Manual - Page 346
    ...basis, taking all circumstances into account. Example 7.4. Enabling Traffic to a Web Server on an Internal ... chosen to use this model in our example. In order for external users to access the web server,... a public address. In this example, we have chosen to translate port 80 on the NetDefend Firewall...
  • D-Link DFL-260 | Product Manual - Page 347
    ... internal machines to be dynamically address translated to the Internet. In this example, we use a rule that permits ... exactly what happens, we use the following IP addresses wan_ip (195.55.66.... in the same way as described above, will solve the problem. In this example, for no particular reason, we ...
  • D-Link DFL-260 | Product Manual - Page 348
    ... should be accessible using a unique public IP address. Example 7.5. Translating Traffic to Multiple Protected Web Servers In this example, we will create a SAT policy that will translate and allow connections from the Internet to....55.66.81. The web servers have IP addresses in the range 10.10.10.5...
  • D-Link DFL-260 | Product Manual - Page 349
    ... to Objects > Address Book > Add > IP address Specify a suitable name for the object, for example wwwsrv_pub Enter 195.55.66.77 ... to Objects > Address Book > Add > IP address Specify a suitable name for the object, for example wwwsrv_priv_base Enter 10.10.10.5 as the IP Address Click OK Publish the ...
  • D-Link DFL-260 | Product Manual - Page 350
    ... a corresponding Allow rule: 1. 2. 3. Go to Rules > IP Rules > Add > IPRule Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ Now enter 4. Action: Allow Service: http Source Interface:any Source Network: all-nets Destination Interface: wan ...
  • D-Link DFL-260 | Product Manual - Page 351
... the web server's private address - port 1084. Note: A custom service is needed for port translation In order to create a SAT rule that...some way or another, the addresses visible on IP level are the same as those embedded in the data. Examples of this include FTP and logons to NT domains via NetBIOS....
  • D-Link DFL-260 | Product Manual - Page 352
    ...must be explicitly granted and translated. The following rules make up a working example of static address translation using FwdFast rules to a web server ...All We now add a NAT rule to allow connections from the internal network to the Internet: # 5 Action NAT Src Iface lan Src Net lannet Dest Iface...
  • D-Link DFL-260 | Product Manual - Page 353
    ... match rules 1 and 4, and will be sent to wwwsrv. The sender address will be the NetDefend Firewall's internal IP address, guaranteeing that return traffic passes through the NetDefend Firewall. Return traffic will automatically be handled by the NetDefend Firewall's ...
  • D-Link DFL-260 | Product Manual - Page 354
    7.4.7. SAT and FwdFast Rules Chapter 7. Address Translation 354
  • D-Link DFL-260 | Product Manual - Page 355
    ... chapter deals specifically with user authentication performed with username/password combinations that are manually entered by a user attempting to gain access to resources. Access to the external public Internet through a NetDefend Firewall by internal...
  • D-Link DFL-260 | Product Manual - Page 356
    8.1. Overview Chapter 8. User Authentication To remain secure, passwords should also Not be recorded anywhere in written form. Never be revealed to anyone else. Changed on a regular basis such as every three months. 356
  • D-Link DFL-260 | Product Manual - Page 357
    ...Setup 8.2.1. Setup Summary The following list summarizes the steps for User Authentication setup with NetDefendOS: • Have an authentication source which consists of ...source: i. ii. The local user database internal to NetDefendOS. A RADIUS server which is external to the NetDefend Firewall. iii. An...
  • D-Link DFL-260 | Product Manual - Page 358
    ... group but members are only allowed to view the configuration and cannot change it. PPTP/L2TP Configuration If a client is connecting to the NetDefend Firewall using PPTP/L2TP ... using this option will be. For example, setting this option to all-nets will possibly direct all Internet traffic ...
  • D-Link DFL-260 | Product Manual - Page 359
    ... responding to requests from NetDefendOS. To provide this, NetDefendOS supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS Usage ... the messages sent from the RADIUS client to the server and is commonly configured as a relatively long text string. The string can contain ...
  • D-Link DFL-260 | Product Manual - Page 360
    ... attribute. An LDAP attribute is a tuple (a pair of data values) consisting of an attribute name (in this manual we will call this the attribute ID to avoid confusion) and an attribute value. An example might be a tuple for a username attribute ...
  • D-Link DFL-260 | Product Manual - Page 361
    8.2.4. External LDAP Servers Chapter 8. User Authentication The following general parameters are used for configuration of each server: • Name The name given to the server object for reference purposes in NetDefendOS. For example, NetDefendOS authentication rules may be defined which reference ...
  • D-Link DFL-260 | Product Manual - Page 362
    ... LDAP Servers Chapter 8. User Authentication successful authentication. The domain name is the host name of the LDAP server, for example myldapserver. The ... ii. None - This will not modify the username in any way. For example, testuser. Username Prefix - When authenticating, this will put
  • D-Link DFL-260 | Product Manual - Page 363
    ... part of the full domain name. In our examples above, the Domain Name is myldapserver. The full ... name is a dot separated set of labels, for example, myldapserver.local.eu.com. This option is only ... Authentication LDAP server authentication is automatically configured to work using LDAP Bind Request ...
  • D-Link DFL-260 | Product Manual - Page 364
    8.2.4. External LDAP Servers Chapter 8. User Authentication If the domain is mydomain.com then the username for myuser might need to... statistics are available for real-time monitoring of LDAP server access for user authentication Number of authentications per second. Total number of authentication...
  • D-Link DFL-260 | Product Manual - Page 365
... encrypted digest form and do not provide automatic mechanisms for doing this. It must therefore be done manually by the administrator as they add new users and change existing users' passwords. This clearly involves some effort from the administrator, as...
  • D-Link DFL-260 | Product Manual - Page 366
    ... with CHAP, MS-CHAPv1 or MS-CHAPv2 Important: The link to the LDAP server must be protected Since the ... sending back passwords in plain text to NetDefendOS, the link between the NetDefend Firewall and the server must be protected. A VPN link should be used if the link between the two is not local. ...
  • D-Link DFL-260 | Product Manual - Page 367
    ... IKE authentication method which is used as part of VPN tunnel establishment with IPsec. XAuth is an extension to the normal IKE exchange and provides... since one single rule with XAuth as the agent will be used for all IPsec tunnels. However, this approach assumes that a single authentication source ...
  • D-Link DFL-260 | Product Manual - Page 368
... specify how multiple logins are handled where more than one user from different source IP addresses try to log in with the same username.... coming from this network and data which is one of the following types 3. 4. 5. 6. HTTP traffic HTTPS traffic IPsec tunnel traffic L2TP tunnel traffic PPTP tunnel...
  • D-Link DFL-260 | Product Manual - Page 369
... Group Usage Example Chapter 8. User Authentication Any packets from an IP address that fails ... Usage Example To illustrate Authentication Group usage, let's suppose that there is a set of users ... port number should be changed before configuring authentication. Do this by going to Remote Management ...
  • D-Link DFL-260 | Product Manual - Page 370
    ... allow authentication to take place. If we consider the example of a number of clients on the local network lannet who would like access to the public Internet through the ... this setup, when users that are not authenticated try to surf to any IP except lan_ip they will fall through the ...
  • D-Link DFL-260 | Product Manual - Page 371
...user group "users" is used to enable user authentication on "lannet". This example shows how to configure the user group in the NetDefendOS database. Web ... users group into the lannet_auth_users folder Example 8.2. User Authentication Setup for Web Access The configurations below show how to enable...
  • D-Link DFL-260 | Product Manual - Page 372
    ... Destination Interface any Destination Network all-nets Click OK Example 8.3. Configuring a RADIUS Server The following steps illustrate how a ... User Database Now enter: a. b. c. d. e. Name: Enter a name for the server, for example ex-users Type: Select RADIUS IP Address: Enter the IP address of ...
  • D-Link DFL-260 | Product Manual - Page 373
    ...options available for HTTP authentication processing are as follows When a user attempts to use a browser to open a web... Files The WebUI provides a simple way to download and edit the files and then.... The original Default object cannot be edited. The example given below goes through the customization...
  • D-Link DFL-260 | Product Manual - Page 374
    ... in the FormLogin page if that is used. Example 8.4. Editing Content Filtering HTTP Banner Files This example shows how to modify the contents of the URL forbidden HTML page. Web Interface 1. 2. 3. 4. 5. 6. 7. 8. 9. Go... file changes need to be saved In the above example, more than one HTML file...
  • D-Link DFL-260 | Product Manual - Page 375
    ... Customizing HTML Pages Chapter 8. User Authentication 2. A new Auth Banner Files object ... object which contains a copy of all the Default user auth banner files. 3. The modified file is...Section 2.1.6, "Secure Copy". 4. Using the CLI, the relevant user authentication rule should now be set ...
  • D-Link DFL-260 | Product Manual - Page 376
    8.3. Customizing HTML Pages Chapter 8. User Authentication 376
  • D-Link DFL-260 | Product Manual - Page 377
    .... • Overview, page 377 • VPN Quick Start, page 381 • IPsec Components, page 391 • IPsec Tunnels, page 406 • PPTP/L2TP, page 425 • CA Server Access, page 434 • ... providing a highly cost effective means of establishing secure links between two co-operating computers so that ...
  • D-Link DFL-260 | Product Manual - Page 378
    ... - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the NetDefend Firewall to which the client connects and the VPN tunnel is set up between them. 9.1.2. VPN Encryption ...
  • D-Link DFL-260 | Product Manual - Page 379
    ...security is only as high as the security of the tunnel endpoints. It is becoming increasingly common for users on the move to connect ...-to-LAN connection? One key for all users and one key for all LAN-... since it will be easier to adjust access per user (group) in the future. Should the keys be changed...
  • D-Link DFL-260 | Product Manual - Page 380
    9.1.5. The TLS Alternative for VPN Chapter 9. VPN "The TLS ALG". 380
  • D-Link DFL-260 | Product Manual - Page 381
    ... various tunnel object types which are used to do this, such as an IPsec Tunnel object. • A Route Must Exist Before any ... when the tunnel is defined and this can be checked by examining the routing tables. If a route is defined manually, the tunnel is treated exactly like a physical interface in ...
  • D-Link DFL-260 | Product Manual - Page 382
    ... network is attached to the NetDefendOS lan interface. 3. 4. Create an IPsec Tunnel object (let's call this object ...remote_gw. Set Encapsulation mode to Tunnel. Choose the IKE and IPsec algorithm proposal lists ... Key object defined in step (1) above. The IPsec Tunnel object can be treated exactly ...
  • D-Link DFL-260 | Product Manual - Page 383
    ... the remote network at the other end of the tunnel. Interface ipsec_tunnel Network remote_net Gateway 9.2.2. IPsec LAN to LAN with Certificates LAN to LAN security is ... needs just the certificate file added. Set up the IPsec Tunnel object as for pre-shared keys, but specify...
  • D-Link DFL-260 | Product Manual - Page 384
    ...Clients with Pre-shared Keys This section details the setup with roaming clients connecting through an IPsec tunnel with pre-shared keys. There are two...they connect. The client's IP address will be manually input into the VPN client software. 1. Set up user authentication. XAuth user authentication ...
  • D-Link DFL-260 | Product Manual - Page 385
    ...Interface any Client Source IP all-nets (0.0.0.0/0) 2. The IPsec Tunnel object ipsec_tunnel should ...nets. Set Encapsulation mode to Tunnel. Set the IKE and IPsec algorithm proposal lists ...option Require IKE XAuth user authentication for inbound IPsec tunnels. This will enable a search for the first ...
  • D-Link DFL-260 | Product Manual - Page 386
    ... Enable the IKE Config Mode option in the IPsec Tunnel object ipsec_tunnel. • • Configuring IPsec Clients In both cases (A) ... mentioned above, many third party IPsec client products are available and this manual will not discuss any particular client. The step to set up user authentication is ...
  • D-Link DFL-260 | Product Manual - Page 387
    ... mode instead of tunnel mode. The steps for L2TP over IPsec setup are: 1. Create an IP object (let...4. Define a Pre-shared Key for the IPsec tunnel. Define an IPsec Tunnel object (let's call this ... IPsec algorithm proposal lists to be used. Enable the IPsec tunnel routing option Dynamically add route ...
  • D-Link DFL-260 | Product Manual - Page 388
    ... combination. The Group string for a user can also be specified. This is explained in the same step in the IPsec Roaming Clients section above. • Define a User Authentication Rule: ...Now go back to the L2TP Tunnel properties, select the Security tab and click on the IPsec Settings button...
  • D-Link DFL-260 | Product Manual - Page 389
    ... Root Certificate into NetDefendOS. When setting up the IPsec Tunnel object, specify the certificates to use under... set up user authentication is optional since this is additional security to certificates. Also review Section 9.6,...simpler to set up than L2TP since IPsec is not used and instead relies ...
  • D-Link DFL-260 | Product Manual - Page 390
    ...new routes automatically into the main routing table. Define a User Authentication Rule, this is almost identical to L2TP: Agent PPP... NAT rule lets the clients access the public Internet via the NetDefend Firewall. 5. Set up the client. For Windows XP, the procedure is exactly as described for L2TP ...
  • D-Link DFL-260 | Product Manual - Page 391
... Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two parts: • Internet Key Exchange protocol (IKE) • IPsec protocols (AH/ESP/both) ...
  • D-Link DFL-260 | Product Manual - Page 392
    ... The difference between the two must be a minimum of 5 minutes. This allows for the IPsec connection to be re-keyed simply by performing another phase-2 .... The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports for protecting the connection and it is...
  • D-Link DFL-260 | Product Manual - Page 393
    ... today. PSK and certificates are supported by the NetDefendOS VPN module. IKE Phase-2 - IPsec Security Negotiation In phase 2, another negotiation is performed,...that the roaming client may connect from anywhere. Tunnel / Transport Mode IPsec can be used in two modes, tunnel...
  • D-Link DFL-260 | Product Manual - Page 394
    ...can be used to secure a connection from a VPN client directly to the NetDefend Firewall, for example for IPsec protected remote configuration. This setting will typically be set to "tunnel" in most configurations. Remote Endpoint The remote endpoint ...
  • D-Link DFL-260 | Product Manual - Page 395
    ... Internet Key Exchange (IKE) Chapter 9. VPN Note NetDefendOS does not support ...size of the encryption key used. The algorithms supported by NetDefendOS IPsec are AES Blowfish Twofish Cast128 ... in the IKE negotiation phase. The algorithms supported by NetDefendOS IPsec are: • • IKE DH Group IKE ...
  • D-Link DFL-260 | Product Manual - Page 396
... ESP is used without encryption. The algorithms supported by NetDefend Firewall VPNs are IPsec Authentication AES Blowfish Twofish Cast128 3DES ... use ESP without authentication. The algorithms supported by NetDefend Firewall VPNs are: • SHA1 • MD5 IPsec Lifetime This is the lifetime of the VPN...
  • D-Link DFL-260 | Product Manual - Page 397
    ... keys as well as some other parameters are directly configured on both sides of the VPN tunnel. Note NetDefendOS does not support manual keying. Manual Keying Advantages Since it is very straightforward it will be quite interoperable. ...
  • D-Link DFL-260 | Product Manual - Page 398
    ...-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, ... more aspects that have to be configured, and there is more that can go wrong. 9.3.4. IPsec Protocols (... negotiated by IKE. There are two protocols associated with IPsec, AH and ESP. These are covered ...
  • D-Link DFL-260 | Product Manual - Page 399
    ... data has not been tampered with on its way through the Internet. Apart from the IP packet data, AH also authenticates parts of ..., or authentication only. Figure 9.2. The ESP protocol 9.3.5. NAT Traversal Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were ...
  • D-Link DFL-260 | Product Manual - Page 400
    ... add-on to the IKE and IPsec protocols that allows them to function when being NATed. NetDefendOS supports the RFC3947 ...Additions to IKE that lets IPsec peers tell each other that they support NAT traversal,... of the draft it supports. Achieving NAT Detection To achieve NAT detection both IPsec peers ...
  • D-Link DFL-260 | Product Manual - Page 401
    ... two firewalls have the same external IP address IP - An IP address can be manually entered DNS - A DNS ... is altered while being transmitted. Note that this example does not illustrate how to add the specific IPsec tunnel object. It will also be used in a later example. Command-Line Interface First ...
  • D-Link DFL-260 | Product Manual - Page 402
    ... is a randomly generated hexadecimal key. Note that this example does not illustrate how to add the specific IPsec tunnel object. Command-Line Interface First create a Pre-... be: gw-world:/> pskgen MyPSK -size=512 Or alternatively, to add the Pre-shared Key manually, use: 402
  • D-Link DFL-260 | Product Manual - Page 403
... here> Now apply the Pre-shared Key to the IPsec tunnel: gw-world:/> set Interface ...textbox Click OK Then, apply the pre-shared key to the IPsec tunnel: Go to Interfaces ... When certificates are used as the authentication method for IPsec tunnels, the NetDefend Firewall will accept all remote ...
  • D-Link DFL-260 | Product Manual - Page 404
    ... primary identifier. Note that this example does not illustrate how to add the specific IPsec tunnel object. ...[email protected] gw-world:/MyIDList> cc Finally, apply the Identification List to the IPsec tunnel:....[email protected] Click OK Finally, apply the Identification List to the IPsec tunnel: 1. Go ...
  • D-Link DFL-260 | Product Manual - Page 405
9.3.8. Identification Lists Chapter 9. VPN 2. Select the IPsec tunnel object of interest 3. Under the Authentication tab, choose X.509 Certificate 4. Select the appropriate certificate in the Root Certificate(s) and Gateway Certificate controls ...
  • D-Link DFL-260 | Product Manual - Page 406
    ... to a local NetDefend Firewall, the list of currently defined IPsec tunnels in the NetDefendOS configuration is examined.... to set up IP rules that explicitly allow the packets that implement IPsec itself. IKE ... setting. An example of why this might be done is if there are a high number of IPsec tunnel...
  • D-Link DFL-260 | Product Manual - Page 407
    .... If replies to the ping messages are not received then the tunnel link is assumed to be broken and an attempt is automatically made to re-establish the tunnel. This feature is only ... Quick Start This section covers IPsec tunnels in some detail. A quick start checklist of setup steps for ...
  • D-Link DFL-260 | Product Manual - Page 408
    ..., private link. Secure communication is achieved through the use of IPsec tunneling, with the tunnel extending ...Pre-Shared key. Set up the VPN tunnel properties. Set up the Route in the main ... client connects. In the example below this is the case and the IPsec tunnel is configured to dynamically add ...
  • D-Link DFL-260 | Product Manual - Page 409
    ... PSK based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients ... based VPN tunnel for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming ...
  • D-Link DFL-260 | Product Manual - Page 410
...you want to grant access rights according to the instructions above D. Configure the IPsec tunnel: 1. Go to Interfaces > IPsec > Add > IPsec Tunnel 2. Now enter Name: RoamingIPsecTunnel Local Network... Click OK E. Finally configure the IP rule set to allow traffic inside the tunnel. 410
  • D-Link DFL-260 | Product Manual - Page 411
    ...up CA Server Certificate based VPN tunnels for roaming clients This example describes how to configure an IPsec tunnel at the head office NetDefend Firewall for roaming clients ...ID List > Add > ID List Enter a descriptive name, for example sales Click OK Go to Objects > VPN Objects ...
  • D-Link DFL-260 | Product Manual - Page 412
    ...Click OK D. Finally configure the IP rule set to allow traffic inside the tunnel. Using ... VPN clients. It is used to dynamically configure IPsec clients with IP addresses and corresponding ... Mode In this example, the Config Mode Pool object is enabled by associating with it an already configured IP ...
  • D-Link DFL-260 | Product Manual - Page 413
..., the only remaining action is to enable Config Mode to be used with the IPsec Tunnel. Example 9.8. Using Config Mode with IPsec Tunnels ...LDAP servers. Example 9.9. Setting up an LDAP server This example shows how to manually set up and specify an LDAP server. Command-Line Interface gw-world:/> add ...
  • D-Link DFL-260 | Product Manual - Page 414
    ...: mypassword Confirm Password: mypassword Port: 389 Click OK 9.4.5. Troubleshooting with ikesnoop VPN Tunnel Negotiation When setting up IPsec tunnels, problems can arise because the initial negotiation fails when the devices at either end ...
  • D-Link DFL-260 | Product Manual - Page 415
    ... Troubleshooting with ikesnoop Chapter 9. VPN negotiation and the server refers to the device which is the responder. Step 1. Client Initiates Exchange by Sending a Supported Algorithm List The verbose option output... data length : 152 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID...
  • D-Link DFL-260 | Product Manual - Page 416
    ... e7 68 47 e4 3f 96 84 80 12 92 ae Description : draft-stenberg-ipsec-nat-traversal-02 VID (Vendor ID) Payload... type: Seconds or kilobytes Life duration: No of seconds or kilobytes VID: The IPsec software vendor plus what standards are supported. For example, NAT-T Step 2. Server Responds to Client A...
  • D-Link DFL-260 | Product Manual - Page 417
    ... Association) Payload data length : 52 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID : ISAKMP SPI... 31 90 ac 27 c0 Description : draft-stenberg-ipsec-nat-traversal-01 VID (Vendor ID) Payload ... e4 3f 96 84 80 12 92 ae Description : draft-stenberg-ipsec-nat-traversal-02 VID (Vendor ID) ...
  • D-Link DFL-260 | Product Manual - Page 418
    9.4.5. Troubleshooting with ikesnoop Chapter 9. VPN NAT-D (NAT Detection) Payload data length : 16 bytes Step 4. Server ... Step 5. Client Sends Identification The initiator sends the identification which is normally an IP address or the Subject Alternative Name if certificates are used. IkeSnoop: ...
  • D-Link DFL-260 | Product Manual - Page 419
    ...16 bytes Step 7. Client Sends a List of Supported IPsec Algorithms Now the client sends ...list of supported IPsec algorithms to the server. It will also contain the proposed host/networks that are allowed in the tunnel.... data length : 164 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 Protocol ID...
  • D-Link DFL-260 | Product Manual - Page 420
    ... host. Step 8. Client Sends a List of Supported Algorithms The server now responds with a matching IPsec proposal from the list sent by the client. As in step 2 above, if ... SA (Security Association) Payload data length : 56 bytes DOI : 1 (IPsec DOI) Proposal 1/1 Protocol 1/1 420
  • D-Link DFL-260 | Product Manual - Page 421
    ... : 16 bytes 9.4.6. IPsec Advanced Settings The following NetDefendOS advanced settings are available for configuring IPsec tunnels. IPsec Max Rules This specifies the total number of IP rules that can be connected to IPsec tunnels. By ...
  • D-Link DFL-260 | Product Manual - Page 422
    ... Chapter 9. VPN Specifies the total number of IPsec tunnels allowed. This value is initially taken from the maximum tunnels allowed by the license. The setting is used by NetDefendOS to allocate memory for IPsec. If ... a restart to take effect. Default: Enabled IPsec Before Rules Pass IKE and ...
  • D-Link DFL-260 | Product Manual - Page 423
    ...to an LRU (Least Recently Used) algorithm. Default: 1024 IPsec Gateway Name Cache Time Maximum number of certificates/... packets from the other side of the tunnel) within the time frame, no DPD-R-U-THERE messages will be sent. For example, if the other side of the tunnel has not sent any ESP packets ...
  • D-Link DFL-260 | Product Manual - Page 424
    9.4.6. IPsec Advanced Settings Chapter 9. VPN In other words, this is the length of time in seconds for which DPD-R-U-THERE messages will be sent. If the other side of the tunnel has not sent a response to any messages then it is considered to be dead (...
  • D-Link DFL-260 | Product Manual - Page 425
    ...PPTP/L2TP The access by a client using a modem link over dial-up public switched ...companies that includes Microsoft. It is an OSI layer 2 "data-link" protocol (see Appendix D, The OSI Framework... of clients with the software already installed. Troubleshooting PPTP A common problem with setting up PPTP...
  • D-Link DFL-260 | Product Manual - Page 426
...lcp_negotiation_stalled ppp_terminated Example 9.10. Setting up a PPTP server This example shows how to set up a PPTP Network Server. The ... the PPTP tunnel you also need to configure authentication rules, which will not be covered in this example. 9.5.2. L2TP Servers Layer 2 Tunneling Protocol (L2TP...
  • D-Link DFL-260 | Product Manual - Page 427
... tunnel you also need to configure authentication rules, which is not covered in this example. Example 9.12. Setting up an L2TP Tunnel Over IPsec This example shows how to set up a fully working L2TP Tunnel based on IPsec encryption and will ...
  • D-Link DFL-260 | Product Manual - Page 428
... is the same IP as the IP that the L2TP tunnel will connect to, wan_ip. Furthermore, the IPsec tunnel needs to be configured to dynamically add ... > IPsec Tunnel Enter a name for the IPsec tunnel, for example l2tp_ipsec Now enter: Local Network: wan_ip Remote Network: ...
  • D-Link DFL-260 | Product Manual - Page 429
    ... Server IP: wan_ip Under the PPP Parameters tab, check the Use User Authentication ... using the L2TP tunnel, a user authentication rule needs to be configured. D. Next will be setting up ... Authentication > User Authentication Rules > Add > UserAuthRule Enter a suitable name for the rule, for example ...
  • D-Link DFL-260 | Product Manual - Page 430
...Web Interface: Go to Rules > IP Rules > Add > IPRule Enter a name for the rule, for example AllowL2TP Now enter Action: Allow Service: all_services Source Interface... Enter a name for the rule, for example NATL2TP Now enter Action: NAT Service: all_services Source Interface...
  • D-Link DFL-260 | Product Manual - Page 431
... PPTP or L2TP clients. This can be useful if PPTP or L2TP is preferred as the VPN protocol instead of IPsec. One NetDefend Firewall can act as a client and connect to ... Assigned Addresses Both PPTP and L2TP utilize dynamic IP configuration using the PPP LCP protocol. When NetDefendOS ...
  • D-Link DFL-260 | Product Manual - Page 432
... way of achieving multiple PPTP clients being NATed like this, is for the NetDefend Firewall to act as a PPTP client when it connects to the PPTP server. To summarize the setup: • A PPTP tunnel is defined between NetDefendOS and the server. • A route is added to ...
  • D-Link DFL-260 | Product Manual - Page 433
    9.5.4. PPTP/L2TP Clients Chapter 9. VPN Figure 9.3. PPTP Client Usage 433
  • D-Link DFL-260 | Product Manual - Page 434
...server behind the NetDefend Firewall and the tunnels are set up over the public Internet but ... be done: a. A private DNS server must be configured so that NetDefendOS can locate the private... in certificates sent to clients can be resolved. For example, NetDefendOS may send a certificate to a client...
  • D-Link DFL-260 | Product Manual - Page 435
    ... to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives. • It must be also possible for ... Components CA Server Access by Clients In a VPN tunnel with roaming clients connecting to the NetDefend Firewall, the VPN client software may need to ...
  • D-Link DFL-260 | Product Manual - Page 436
    ... the internal side of the firewall then the IP address of the internal DNS server must be configured in NetDefendOS so that these .... Turning Off FQDN Resolution As explained in the troubleshooting section below, identifying problems with CA server access can be done by turning off the requirement to...
  • D-Link DFL-260 | Product Manual - Page 437
    ... Allow Src Interface vpn_tunnel Src Network all-nets Dest Interface core Dest Network all-nets Service ICMP • Ensure that another IPsec Tunnel definition is not preventing the correct definition being reached. The tunnel list is scanned from top to ...
  • D-Link DFL-260 | Product Manual - Page 438
    ... Access". • 9.7.3. IPsec Troubleshooting Commands A number of commands can be used to diagnose IPsec tunnels:... be used to show that IPsec tunnels have correctly established. A representative example of output is: gw-... one line per SA-bundle IPsec Tunnel -----------L2TP_IPSec IPsec_Tun1 Local Net...
  • D-Link DFL-260 | Product Manual - Page 439
    ... with a small number, for example -num=10, is recommended. The ikesnoop console command A common problem with setting up IPsec is a list of proposed algorithms that is ... -on -verbose Once issued, an ICMP ping can then be sent to the NetDefend Firewall from the remote end of the ...
  • D-Link DFL-260 | Product Manual - Page 440
    ...later in the symptom section. There are also some settings on the IPsec tunnel's IKE tab that can be involved in a no-...before your defined tunnel if it is above it in the tunnel list. For example, consider the following IPsec tunnel definitions: Name VPN-1 VPN-2 L2TP VPN-3 Local Network lannet lannet...
  • D-Link DFL-260 | Product Manual - Page 441
    ...). Verify that you are using the same type on both sides of the IPsec tunnel. If one side is using Hex and the ... can provide important clues as to what the problem could be. A good suggestion before you start to troubleshoot certificate based tunnels is to first configure it as a PSK tunnel and then ...
  • D-Link DFL-260 | Product Manual - Page 442
... for the local network, remote network, IKE proposal list and IPsec proposal list on both sides to try to identify a mismatch. For example, suppose we have the following IPsec settings at either end of a tunnel: • Side A Local Network = 192.168.10...
  • D-Link DFL-260 | Product Manual - Page 443
    9.7.6. Specific Symptoms Chapter 9. VPN 443
  • D-Link DFL-260 | Product Manual - Page 444
    .../IP A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality. QoS is the ability to guarantee and limit network bandwidth for certain services and users. Solutions such as the Differentiated ... own traffic. If the users cannot be relied upon then the network equipment must make ...
  • D-Link DFL-260 | Product Manual - Page 445
    ... Traffic shaping operates by measuring and queuing IP packets with respect to a number of configurable parameters. The objectives are Applying bandwidth limits and ... that passes through them and then apply the administrator configured limits for the pipe as a whole or for Precedences and/or Groups (...
  • D-Link DFL-260 | Product Manual - Page 446
    ... source/destination interface/network as well as the service to which the rule is to apply. Once a new connection is permitted by the IP rule set, the ... are the pipe or pipes that will be used for outgoing (leaving) traffic from the NetDefend Firewall. One, none or a series of pipes may be specified....
  • D-Link DFL-260 | Product Manual - Page 447
    ... applies a bandwidth limit to inbound traffic only. This is the direction most likely to cause problems for Internet connections. Example 10.1. Applying a Simple Bandwidth Limit Begin with creating a simple pipe that limits all traffic that gets passed...
  • D-Link DFL-260 | Product Manual - Page 448
    ... in the Return Chain control Click OK This setup limits all traffic from the outside (the Internet) to 2 megabits per second. No priorities are ... the pipe limit exactly in two between the two directions. In the previous example only bandwidth in the inbound direction is limited. In most situations, ...
  • D-Link DFL-260 | Product Manual - Page 449
    ... the desired result. The following example goes through the setup for this. Example 10.2. Limiting Bandwidth ... pipe chain of the rule created in the previous example: Command-Line Interface gw-world... Differentiated Limits Using Chains In the previous examples a static traffic limit for all outbound ...
  • D-Link DFL-260 | Product Manual - Page 450
    ... give priorities to different types of competing traffic. 10.1.6. Precedences The Default Precedence is Zero All packets that pass through NetDefendOS traffic shaping pipes have a Precedence. In the examples so far, precedences have not been explicitly set and so all packets have had the same 450
  • D-Link DFL-260 | Product Manual - Page 451
    ... or lower than another precedence and not from the number itself. For example, if two precedences are used in a traffic shaping scenario, choosing ... Service (ToS) bits are included in the IP packet header. Specifying Precedences Within Pipes When a pipe is configured, a Default Precedence, a Minimum...
  • D-Link DFL-260 | Product Manual - Page 452
    ... be the limit used). Tip: Specifying bandwidth Remember that when specifying network traffic bandwidths, the prefix Kilo means 1000 and NOT 1024. For example, 3 Kbps means 3000 bits per second. Similarly, the prefix Mega means one million in a traffic bandwidth context. Precedence Limits are also ...
  • D-Link DFL-260 | Product Manual - Page 453
    ... no meaning. Applying Precedences Continuing to use the previous traffic shaping example, let us add the requirement that SSH and Telnet traffic is... are sent first when the total bandwidth limit specified in the pipe's configuration is exceeded. Lower priority packets will be buffered and sent when ...
  • D-Link DFL-260 | Product Manual - Page 454
    ... SSH and Telnet traffic from the previous example to a 96 kbps guarantee, the precedence 2 limit ... and will be ignored by NetDefendOS. Differentiated Guarantees A problem arises if the aim is to give a specific ... as std-out only. Again, to simplify this example, we concentrate only on inbound traffic...
  • D-Link DFL-260 | Product Manual - Page 455
    ... limit and/or guarantee specified for them in the pipe. For example, if grouping is done by source IP then each user corresponds to each unique source... by port is selected then this implicitly also includes the IP address. For example, port 1024 of host computer A is not ...
  • D-Link DFL-260 | Product Manual - Page 456
    ...specifies a limit for each user within the grouping. For example, if the grouping is by source IP address ..., guarantees (not limits) for each user in a group. For example, precedence 3 might have the value... rules that trigger on particular users. For example, if grouping is by source IP then different...
  • D-Link DFL-260 | Product Manual - Page 457
    ...10. Traffic Management Figure 10.6. Traffic Grouped By IP Address Another Simple Groups Example Consider another situation where the ...is a guarantee and the Pipe Limits value for the same precedence is a limit. For example, if traffic is being grouped by source IP and the Group Limits precedence 5 ...
  • D-Link DFL-260 | Product Manual - Page 458
    ...of 30 bps for users at precedence 2 is moved down to the best effort precedence. Continuing with the previous example, we could limit how much guaranteed bandwidth each inside user gets... bandwidth limit is then placed on, for example, each user of a network where the users must share a 458
  • D-Link DFL-260 | Product Manual - Page 459
    ...same effect as bandwidth consumed by parties outside of administrator control but sharing the same connection. Troubleshooting For a better understanding of what is happening in a live setup, the console command: gw-world:/> pipe -u ...
  • D-Link DFL-260 | Product Manual - Page 460
    ... a pipe, traffic can also be separated on a Group basis. For example, by source IP address. Each user in a group (for example, each source IP address) can be given a ...be used to solve particular problems. A Basic Scenario The first scenario will examine the configuration shown in the image below,...
  • D-Link DFL-260 | Product Manual - Page 461
...is especially true with asynchronous links such as ADSL. First, two pipes called in-pipe and out-pipe need to be ...a headquarters office. Let's assume we have a symmetric 2/2 Mbps link to the Internet. We will allocate descending priorities and traffic requirements to the following users Priority 6 - ...
  • D-Link DFL-260 | Product Manual - Page 462
... the pipe all non-VPN traffic using the same physical link. The pipe chaining can be used as a solution to the problem of VPN overhead. A limit ... of this term). Again, we will assume a 2/2 Mbps symmetric link. The pipes required will be: • vpn-in • Priority 6: VoIP 500 kbps ...
  • D-Link DFL-260 | Product Manual - Page 463
    10.1.10. More Pipe Examples Chapter 10. Traffic Management Total: 1700 •... effort. SAT with Pipes If SAT is being used, for example with a web server or ftp server, that traffic also...traffic shaping and ruin the planned quality of service. In addition, server traffic is initiated from the outside ...
  • D-Link DFL-260 | Product Manual - Page 464
    10.1.10. More Pipe Examples Chapter 10. Traffic Management Note: SAT and ARPed IP Addresses If the SAT is from an ARPed IP address, the wan interface needs to be the destination. 464
  • D-Link DFL-260 | Product Manual - Page 465
    ...the traffic management issues caused by bandwidth hungry applications. A typical example of this is traffic related to peer-to-peer (P2P) data transfer ... transfers can often have a negative impact on the quality of service for other network users as bandwidth is quickly absorbed by such applications....
  • D-Link DFL-260 | Product Manual - Page 466
...shaping. At least one side of the associated connection has to be in the IP range specified for it to be included in traffic shaping. 10.2.3. Processing... A new connection is opened by one host to another through the NetDefend Firewall and traffic begins to flow. The source and destination IP address of ...
  • D-Link DFL-260 | Product Manual - Page 467
    ...avoid these unintended consequences, we specify the IP addresses of client A and client B in the Network ...Network range but this is done on the assumption that client B is a user whose traffic might also have ... data transfer. The sequence of events is The client with IP address 192.168.1.15 initiates...
  • D-Link DFL-260 | Product Manual - Page 468
    ... manipulated using the normal CLI pipes command. For example, to show all currently defined pipes, ... is appended if name duplication occurs. For example, the first pipes created with a limit of 1000 ... are Shared There is not a 1 to 1 relationship between a configured IDP action and the pipes created. ...
  • D-Link DFL-260 | Product Manual - Page 469
.... When a timer for piping new connections expires, a log message is generated indicating that new connections to or from the host are no longer piped. There are also some other log messages which indicate less common conditions. All log messages are documented in the Log Reference Guide. 469
  • D-Link DFL-260 | Product Manual - Page 470
... state-engine). Note: Threshold Rules are not available on all NetDefend models The Threshold Rules feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. Threshold Policies A Threshold Rule is like other ...
  • D-Link DFL-260 | Product Manual - Page 471
... Threshold Rules and ZoneDefense Threshold Rules are used in the D-Link ZoneDefense feature to block the source of excessive connection attempts from internal ... the source network associated with the rule. If the Threshold Rule is linked to a service then it is possible to block only that service. ...
  • D-Link DFL-260 | Product Manual - Page 472
    10.3.8. Threshold Rule Blacklisting Chapter 10. Traffic Management NetDefendOS. The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, "Blacklisting Hosts and Networks". 472
  • D-Link DFL-260 | Product Manual - Page 473
    ... more requests than a single server. Note: SLB is not available on all D-Link NetDefend models The SLB feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. The illustration below shows a typical SLB scenario, with...
  • D-Link DFL-260 | Product Manual - Page 474
    ... Chapter 10. Traffic Management Figure 10.9. A Server Load Balancing Configuration Additional Benefits of SLB Besides improving performance and scalability, SLB ... a load is shared across a set of servers. NetDefendOS SLB supports the following two algorithms for load distribution: Round-robin The ...
  • D-Link DFL-260 | Product Manual - Page 475
    ... stickiness can be associated with a network instead of a single IP address. The network is specified by stating its size as a parameter. For example, if the network size is specified as 24 (the default) then an IP address 10.01.01.02 will be assumed to belong to the...
  • D-Link DFL-260 | Product Manual - Page 476
    ...Stickiness This section discusses further how stickiness functions with the different SLB algorithms. An example scenario is illustrated in the figure below. In this example, the NetDefend Firewall is responsible for balancing connections from 3 clients with different addresses...
  • D-Link DFL-260 | Product Manual - Page 477
    ...open any more connections to it until the server is restored to full functionality. D-Link Server Load Balancing provides the following monitoring modes: ... 4. SLB attempts to connect to a specified port on each server. For example, if a server is specified as running web services on port 80, the SLB ...
  • D-Link DFL-260 | Product Manual - Page 478
    ...NAT rule, which is possible, means that webservers would see only the IP address of the NetDefend Firewall. Example 10.3. Setting up SLB In this example server load balancing is to be done between 2 HTTP webservers which are situated behind the NetDefend ...
  • D-Link DFL-260 | Product Manual - Page 479
    ...Add > IP Address Enter a suitable name, for example server1 Enter the IP Address as 192.168.1.10 Click... > Add > IP4 Group Enter a suitable name, for example server_group Add server1 and server2 to the... Rule Sets > main > Add > IP Rule Enter 3. 4. 5. Name: Web_SLB Action: SLB_SAT Service: HTTP Source ...
  • D-Link DFL-260 | Product Manual - Page 480
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 1. 2. Go to Rules > IP Rule Sets > main > Add > IP Rule Enter Name: Web_SLB_ALW Action: Allow Service: HTTP Source Interface: any Source Network: all-nets Destination Interface: core Destination Network: ip_ext 3. Click OK 480
  • D-Link DFL-260 | Product Manual - Page 481
    10.4.6. Setting Up SLB_SAT Rules Chapter 10. Traffic Management 481
  • D-Link DFL-260 | Product Manual - Page 482
    ... of fault tolerance. Note: High Availability is only available on some NetDefend models The HA feature is only available on the D-Link NetDefend DFL-1600, 1660, 2500, 2560 and 2560G. The Master and Active Units When reading this section on HA, ...
  • D-Link DFL-260 | Product Manual - Page 483
    ...normal with the changes automatically being made to the configurations of both the master and the slave. Load-sharing D-Link HA clusters do not... detects the active unit is not responding. Hardware Duplication D-Link HA will only operate between two NetDefend Firewalls. As the internal operation of ...
  • D-Link DFL-260 | Product Manual - Page 484
    ... implement the high availability feature. Basic Principles D-Link HA provides a redundant, state-synchronized hardware configuration. The state of the active unit,...In other words, 11-00-00-C1-4A-nn. Link-level multicasts are used over normal unicast packets for security...
  • D-Link DFL-260 | Product Manual - Page 485
    ...will routinely occur. These updates involve downloads from the external D-Link databases and they require NetDefendOS reconfiguration to occur for the new database contents to ...The active (master) unit downloads the new database files from the D-Link servers. The download is done via the ...
  • D-Link DFL-260 | Product Manual - Page 486
    .... The number of connections could be compared with the stats command. If IPsec tunnels are heavily used, the ipsecglobalstat -verbose command could be used instead and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a ...
  • D-Link DFL-260 | Product Manual - Page 487
    ...shared IP address cannot be used for remote management or monitoring purposes. When using, for example, SSH for remote management of the NetDefend Firewalls in an HA Cluster, the individual IP addresses of each firewall's interfaces must be ...
  • D-Link DFL-260 | Product Manual - Page 488
    11.3.2. NetDefendOS Manual HA Setup Chapter 11. High Availability The illustration below shows the arrangement...via a switch or broadcast domain. 11.3.2. NetDefendOS Manual HA Setup To set up an HA cluster manually, the steps are as follows: 1. 2. 3. Connect to the master unit with the WebUI. Go to...
  • D-Link DFL-260 | Product Manual - Page 489
    ... and set the High Availability, Private IP Address field to be the name of the IP4 HA... activate the new configuration. 10. Repeat the above steps for the other NetDefend Firewall but... to be Slave. Making Cluster Configuration Changes The configuration on both NetDefend Firewalls needs to be the same...
  • D-Link DFL-260 | Product Manual - Page 490
    ...effect. Where a cluster has a very high number (for example, tens of thousands) of simultaneous connections then ... pair of matching hardware interfaces so that, for example, the lan1 interface on the master unit will appear ... uses a shared ARP table. Such problems can be hard to diagnose which is why ...
  • D-Link DFL-260 | Product Manual - Page 491
    ... The following points should be kept in mind when managing and configuring an HA Cluster. All Cluster Interfaces Need IP Addresses All interfaces on... in dynamically NATed connections or publishing services on them, will inevitably cause problems since unique IPs will disappear when the ...
  • D-Link DFL-260 | Product Manual - Page 492
    ... to provide OSPF metrics if the main designated router should fail. PPPoE Tunnels and DHCP Clients For reasons connected with the shared IP addresses of an HA cluster, PPPoE tunnels and DHCP clients should not be configured in an HA cluster. 492
  • D-Link DFL-260 | Product Manual - Page 493
    ... Once the inactive unit is identified, upgrade this unit with the new NetDefendOS version. This is done exactly as though the unit were not in a cluster. For example, the Web Interface can be used to do the upgrade. Important: Make sure the inactive unit is ALIVE Before going to the next step make ...
  • D-Link DFL-260 | Product Manual - Page 494
    11.5. Upgrading an HA Cluster Chapter 11. High Availability console and issue the ha -deactivate command. This will cause the active unit to become inactive, and the inactive to become active. gw-world:/> ha -deactivate HA Was: ACTIVE HA going INACTIVE...To check that the failover has completed ...
  • D-Link DFL-260 | Product Manual - Page 495
    ...is not operating normally and then taking over on its own initiative. Enabling this setting shortens the time where no node is active during configuration deployments. Default: Enabled Reconf Failover Time Number of non-responsive seconds before failover at HA reconfiguration. The default value of ...
  • D-Link DFL-260 | Product Manual - Page 496
    11.6. HA Advanced Settings Chapter 11. High Availability 496
  • D-Link DFL-260 | Product Manual - Page 497
    ... them using the Web or Command Line interface. Note: ZoneDefense is not available on all NetDefend models The ZoneDefense feature is only available on the D-Link NetDefend DFL-800, 860, 1600, 1660, 2500, 2560 and 2560G. 497
  • D-Link DFL-260 | Product Manual - Page 498
    ...ZoneDefense Switches Switch information regarding every switch that is to be controlled by the firewall has to be manually specified in the firewall configuration. The information needed in order to control a switch includes The IP address of the management interface ...
  • D-Link DFL-260 | Product Manual - Page 499
    ... SNMP Managers A typical managing device, such as a NetDefend Firewall, uses the SNMP protocol to monitor and... devices The managed devices must be SNMP compliant, as are D-Link switches. They store state data ...please see Section 10.3, "Threshold Rules". 12.3.3. Manual Blocking and Exclude Lists ...
  • D-Link DFL-260 | Product Manual - Page 500
    12.3.3. Manual Blocking and Exclude Lists Chapter 12. ZoneDefense As a complement to threshold ...statically blocked or excluded. Manually blocked hosts and networks can be blocked by default or based ... 192.168.2.0/24 for example) from accessing the switch completely. A D-Link switch model DES-3226S ...
  • D-Link DFL-260 | Product Manual - Page 501
    ...action to take if exceeded: 1. 2. Go to Add > Threshold Action Configure the Threshold Action as follows Action: Protect Group By: Host... scanning and then block the source by communicating with switches configured to work with ZoneDefense. This feature is activated through the following ALGs HTTP - ...
  • D-Link DFL-260 | Product Manual - Page 502
    ... a minute or more. A second difference is the maximum number of rules supported by different switches. Some switches support a maximum of 50 rules while others support up to 800 (usually, in order to block a ... clear the entire ACL rule set on the switch before executing the ZoneDefense setup. 502
  • D-Link DFL-260 | Product Manual - Page 503
    12.3.5. Limitations Chapter 12. ZoneDefense 503
  • D-Link DFL-260 | Product Manual - Page 504
    Chapter 13. Advanced Settings This chapter describes the additional configurable advanced settings for NetDefendOS that are not already described in the manual. In the Web Interface these settings are found under System > Advanced Settings. ...
  • D-Link DFL-260 | Product Manual - Page 505
    13.1. IP Level Settings Chapter 13. Advanced Settings Block 0000 Src Block 0.0.0.0 as source address. Default: Drop Block 0... Default: 255 Layer Size Consistency Verifies that the size information contained in each "layer" (Ethernet, IP, TCP, UDP, ICMP) is consistent with that of other layers. 505
  • D-Link DFL-260 | Product Manual - Page 506
    ... options are small blocks of information that may be added to the end of each IP header. This function checks the size of well known option types ...regardless of this setting. Default: DropLog IP Options Timestamps Time stamp options instruct each router and firewall on the packet's route to indicate...
  • D-Link DFL-260 | Product Manual - Page 507
    ...IP Level Settings Chapter 13. Advanced Settings IP Reserved Flag Indicates what NetDefendOS will do if there is data in the "reserved" fields of IP headers. In normal circumstances, these fields should... Mismatch option What action to take when Ethernet and IP multicast addresses do not match. ...
  • D-Link DFL-260 | Product Manual - Page 508
    ...falls below the stipulated TCPMSSMin value. Values that are too low could cause problems in poorly written TCP stacks. Default: DropLog TCP MSS Max ... exceeds the stipulated TCPMSSMax value. Values that are too high could cause problems in poorly written TCP stacks or give rise to large quantities of...
  • D-Link DFL-260 | Product Manual - Page 509
    ..., TSOPT is used to prevent the sequence numbers (a 32-bit figure) from "exceeding" their upper limit without the recipient being aware of it. This is not normally a problem. Using TSOPT, some TCP stacks optimize their connection by measuring the time it takes for a packet to travel to and from its ...
  • D-Link DFL-260 | Product Manual - Page 510
    13.2. TCP Level Settings Chapter 13. Advanced Settings initially intended to be used in negotiating for the use of better checksums in TCP. However, these are not understood by any of today's standard systems. As NetDefendOS cannot understand checksum algorithms other than the standard algorithm, ...
  • D-Link DFL-260 | Product Manual - Page 511
    ...standard called Explicit Congestion Notification also makes use of these TCP flags, but as long as there are only a few operating systems supporting this standard, the flags should be stripped. Default: StripLog TCP Reserved Field Specifies how NetDefendOS will deal with information present in the ...
  • D-Link DFL-260 | Product Manual - Page 512
    13.2. TCP Level Settings Chapter 13. Advanced Settings TCP sequence number validation is only possible on connections tracked by the state-engine (not on packets forwarded using a FwdFast rule). Possible values are: Ignore - Do not validate. Means that sequence number validation is completely ...
  • D-Link DFL-260 | Product Manual - Page 513
    13.3. ICMP Level Settings Chapter 13. Advanced Settings 13.3. ICMP Level Settings ICMP Sends Per Sec Limit Specifies the maximum number of ICMP messages NetDefendOS may generate per second. This includes ping replies, destination unreachable messages and also TCP RST packets. In other words, this...
  • D-Link DFL-260 | Product Manual - Page 514
    ... packet cannot open a new connection. One example of this is a TCP packet that, although allowed by the Rules ... the expected state switching diagram of a connection, for example, getting TCP FIN packets in response ... is enabled for either Allow or NAT rules in the IP rule set; they will not be logged....
  • D-Link DFL-260 | Product Manual - Page 515
    ... that is set up in the NetDefendOS state-engine. Traffic whose destination is the NetDefend Firewall itself, for example NetDefendOS management traffic, is not subject to this setting. The log message includes port, service, source/destination IP ...
  • D-Link DFL-260 | Product Manual - Page 516
    ... will therefore be closed even if the other side continues to transmit data. Default: Disabled Ping Idle Lifetime Specifies in seconds how long a Ping (ICMP ECHO) connection can remain idle before it is closed. Default: 8 IGMP Idle Lifetime Connection lifetime for IGMP in seconds. Default: 12 516
  • D-Link DFL-260 | Product Manual - Page 517
    13.5. Connection Timeout Settings Chapter 13. Advanced Settings Other Idle Lifetime Specifies in seconds how long connections using an unknown protocol can remain idle before they are closed. Default: 130 517
  • D-Link DFL-260 | Product Manual - Page 518
    ... a TCP packet including the header. This value usually correlates with the amount of IP data that can be accommodated in an unfragmented packet, since TCP usually...of an ESP packet. ESP, Encapsulation Security Payload, is used by IPsec where encryption is applied. This value should be set at the size ...
  • D-Link DFL-260 | Product Manual - Page 519
    ... maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size ... of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set at the size of the ...
  • D-Link DFL-260 | Product Manual - Page 520
    ... 13. Advanced Settings 13.7. Fragmentation Settings IP is able to transport up to 65536 bytes ...cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into ...recipient reassemble the original packet correctly. Many IP stacks, however, are unable to handle incorrectly ...
  • D-Link DFL-260 | Product Manual - Page 521
    ... that one or more fragments were lost on their way across the Internet, which is a quite common occurrence. NetDefendOS was forced to interrupt the ... failures involving "suspect" fragments. Such failures may arise if, for example, the IllegalFrags setting has been set to Drop rather than DropPacket. ...
  • D-Link DFL-260 | Product Manual - Page 522
    ... be expressed in bytes. Although the arrival of too many fragments that are too small may cause problems for IP stacks, it is usually not possible to set... this number of seconds in order to prevent further fragments, for example old duplicate fragments, of that packet from arriving. Default:...
  • D-Link DFL-260 | Product Manual - Page 523
    13.7. Fragmentation Settings Chapter 13. Advanced Settings Reassembly Illegal Limit Once a whole packet has been marked as illegal, NetDefendOS is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving. Default: 60 523
  • D-Link DFL-260 | Product Manual - Page 524
    13.8. Local Fragment Reassembly Settings Chapter 13. Advanced Settings 13.8. Local Fragment Reassembly Settings Max Concurrent Maximum number of concurrent local reassemblies. Default: 256 Max Size Maximum size of a locally reassembled packet. Default: 10000 Large Buffers Number of large ( over...
  • D-Link DFL-260 | Product Manual - Page 525
    ... does not need to be anywhere near the number of actual users, or the number of statefully tracked connections. If there are no configured pipes, no pipe users will be allocated, regardless of this setting. For more information about pipes and pipe users...
  • D-Link DFL-260 | Product Manual - Page 526
    13.9. Miscellaneous Settings Chapter 13. Advanced Settings 526
  • D-Link DFL-260 | Product Manual - Page 527
    ...access to the public Internet is possible when doing this). Tip: A registration guide can be downloaded A step-by-step "Registration manual" which explains registration and update service procedures in more detail is available for download from...
  • D-Link DFL-260 | Product Manual - Page 528
    ... -status Antivirus Querying Server Status To get the status of the D-Link network servers use the command: gw-world:/> updatecenter ... database updates require a couple of seconds to be optimized once an update is downloaded. This will cause the firewall to momentarily pause in its operation. It can ...
  • D-Link DFL-260 | Product Manual - Page 529
    ...Groups For IDP scanning, the following signature groups are available for selection. These groups are available only for the D-Link Advanced IDP Service. There is a version of each group under the three Types of IDS, IPS and Policy. For further information...
  • D-Link DFL-260 | Product Manual - Page 530
    ... IMAP protocol/implementation AOL IM Instant Messenger implementations MSN Messenger Yahoo Messenger IP protocol and implementation Overflow of IP protocol/implementation Internet Relay Chat General LDAP clients/servers Open LDAP License management for CA software ...
  • D-Link DFL-260 | Product Manual - Page 531
    ... TELNET_GENERAL TELNET_OVERFLOW TFTP_DIR_NAME TFTP_GENERAL Intrusion Type Denial of Service for POP Post Office Protocol v3 Password guessing ...SMTP command attack Denial of Service for SMTP SMTP protocol and implementation SMTP Overflow SPAM SNMP encoding SNMP protocol/implementation SOCKS protocol ...
  • D-Link DFL-260 | Product Manual - Page 532
    ... CVS Subversion Virus VoIP protocol and implementation SIP protocol and implementation Coldfusion file inclusion File inclusion Web application attacks JSP file inclusion Popular web application packages PHP XML RPC SQL Injection Cross-Site-Scripting MS WINS Service Worms Generic X applications 532
  • D-Link DFL-260 | Product Manual - Page 533
    ... Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloaded file match the type that the filetype in the filename ... offer the option to explicitly allow or block certain filetypes as downloads from a list of types. That list is the same one found in this...
  • D-Link DFL-260 | Product Manual - Page 534
    ... PCX Bitmap file Debian Linux Package file DjVu file Windows dynamic link library file DPA archive data TeX Device Independent Document EET archive... JPEG file Jrchive compressed archive Just System Word Processor Ichitaro KDE link file LHA compressed archive file Limit compressed archive LIM archive ...
  • D-Link DFL-260 | Product Manual - Page 535
    ...files msa niff, nif noa nsf obj, o ocx ogg out pac pbf pbm pdf pe pfb pgm pkg pll pma png ppm ps psa psd qt, mov,... Bitmap Nancy Video CODEC NES Sound file Windows object file, linux object file Object Linking and Embedding (OLE) Control Extension Ogg Vorbis Codec compressed WAV file Linux executable ...
  • D-Link DFL-260 | Product Manual - Page 536
    Appendix C. Verified MIME filetypes Filetype extension tfm tiff, tif tnef torrent ttf txw ufa vcf viv wav wk wmv wrl, vrml xcf xm xml xmcd xpm yc zif zip zoo zpk z Application TeX font metric data Tagged Image Format file Transport Neutral Encapsulation Format BitTorrent Metainfo file TrueType ...
  • D-Link DFL-260 | Product Manual - Page 537
    ... Presentation Session Transport Network Data-Link Physical Figure D.1. The 7 Layers of the OSI Model ...: Layer 7 - Application Layer Defines the user interface that supports applications directly. Protocols: HTTP, ...Layer Layer 3 - Network Layer Layer 2 - Data-Link Layer Layer 1 - Physical Layer 537
  • D-Link DFL-260 | Product Manual - Page 538
    ..., 65 high availability, 495 ICMP, 513 IP level, 504 IPsec, 421 L2TP/PPTP, 430 length limit, 518 logging, 59 ..., 512 amplification attacks, 328 anonymizing internet traffic, 338 anti-spam filtering (see spam ..., 232 auto-update, 73 B backing up configurations, 73 bandwidth guarantees, 454 538
  • D-Link DFL-260 | Product Manual - Page 539
    ... list, 129 self-signed, 129, 383, 409 validity, 128 with IPsec, 386 VPN troubleshooting, 437 chains (in traffic shaping),... interface (see CLI) config mode, 412 configuration object groups, 122 and folders, 125... setting, 495 dead peer detection (see IPsec) Decrement TTL setting, 219 default access...
  • D-Link DFL-260 | Product Manual - Page 540
    ... DMZ, 343 DNS, 139 dynamic lookup, 139 DNS black lists for Spam filtering, 258 documentation, 18 DoS attack (see denial of service) downloading files with SCP, 45 DPD Expire Time (IPsec) setting, 423 DPD Keep Time (IPsec) setting, 423 DPD Metric ...
  • D-Link DFL-260 | Product Manual - Page 541
    ...quick start guide, 381 roaming clients setup, 384 troubleshooting, 437 tunnel establishment, 406 tunnels, 406 IPsec Before Rules setting, 422 usage, ... with PPP, 364 MS Active Directory, 360 servers, 413 link state algorithms, 171 Local Console Timeout setting, 49 local...
  • D-Link DFL-260 | Product Manual - Page 542
    ... Max IPIP/FWZ Length setting, 519 Max IPsec IPComp Length setting, 519 Max L2TP ... router process, 179 setting up, 188 virtual links, 176, 184 Other Idle Lifetimes setting, 516 overriding content filtering, ... with LDAP, 364 PPPoE, 101 client configuration, 101 unnumbered support, 102 with HA, 102 PPTP,...
  • D-Link DFL-260 | Product Manual - Page 543
    ... Index ALG, 264 client, 431 problem with NAT, 432 quick start guide, 389 server, 425 ..., 218, 220 restore to factory defaults, 74 restoring configuration backups, 73 reverse path forwarding (see ... ALG, 254 ESMTP extensions, 256 header verification, 260 log receiver with IDP, 322 whitelist precedence, ...
  • D-Link DFL-260 | Product Manual - Page 544
    Alphabetical Index SNMP Request Limit setting, 68, 69 source based routing, 160 spam filtering, 257 caching, 261 logging, 260 tagging, 259 spam WCF category, 306 spanning tree relaying, 217 spillover RLB algorithm, 165 spoofing, 238...
  • D-Link DFL-260 | Product Manual - Page 545
    Alphabetical Index with SIP, 265 VoIP (see voice over IP) VPN, 377 planning, 378 quick start guide, 381 troubleshooting, 437 W Watchdog Time setting, 525 WCF (see web content filtering) webauth, 369 web content filtering, 295 fail mode, 297 ...


