
DFL-500 User Manual 

1

D-Link
DFL-500
Network Security Firewall
Manual

Building Networks for People

Summary of Contents for D-Link DFL-500

Page 1: ...DFL-500 User Manual 1. D-Link DFL-500 Network Security Firewall Manual. Building Networks for People...

Page 2: ...transmitted or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc. DFL-500 User Manual 2, July 2002. Trademarks: Products mentioned in this document are trademarks or registered trademarks of their respective holders. Regulatory Compliance: FCC Class A Part 15, CSA/CUS...

Page 3: ...e setup wizard 16; Reconnecting to the web-based manager 16; Using the command line interface 16; Configuring the DFL-500 NPG to run in NAT/Route mode 16; Connecting to your networks 17; Configuring your internal network 18; Completing the configuration 18; Setting the date and time 18; Transparent mode installation 19; Preparing to configure Transparent mode 19; Using the setup wizard 19; Changing to Transp...

Page 4: ...ices 33; Schedules 34; Creating one-time schedules 34; Creating recurring schedules 35; Adding a schedule to a policy 35; Virtual IPs 35; Adding static NAT virtual IPs 36; Using port forwarding virtual IPs 37; Adding policies with virtual IPs 38; IP pools 39; IP/MAC binding 40; Configuring IP/MAC binding for packets going through the firewall 40; Configuring IP/MAC binding for packets going to the firewall 41...

Page 5: ...he P2 proposal 58; About replay detection 58; About perfect forward secrecy (PFS) 59; Adding a manual key VPN tunnel 59; Adding a VPN concentrator 60; Adding an encrypt policy 61; Viewing VPN tunnel status 63; Viewing dialup VPN connection status 64; Testing a VPN 64; PPTP and L2TP VPNs 66; PPTP VPN configuration 66; Configuring the DFL-500 NPG as a PPTP gateway 67; L2TP VPN configuration 69; Configuring the DFL...

Page 6: ...System status 81; Upgrading the DFL-500 NPG firmware 82; Displaying the DFL-500 NPG serial number 84; Backing up system settings 84; Restoring system settings 84; Restoring system settings to factory defaults 84; Changing to Transparent mode 85; Changing to NAT/Route mode 85; Restarting the DFL-500 NPG 86; Shutting down the DFL-500 NPG 86; System status monitor 86; Network configuration 87; Configuring the i...

Page 7: ...nfiguration 96; Setting system date and time 97; Changing web-based manager options 98; Adding and editing administrator accounts 98; Configuring SNMP 99; Glossary 101; Index 104; Technical Support 116; Limited Warranty 119; Registration 122...

Page 8: ...ode. Transparent Mode provides firewall protection to a pre-existing network with public addresses. The internal and external network interfaces of the DFL-500 NPG must be in the same subnet, and the DFL-500 NPG can be inserted into your network at any point without the need to make any changes to your network. About this document: This user manual describes how to install and configure the DFL-500 NPG...

Page 9: ...0 CLI Reference Guide; DFL-500 online help. Customer service and technical support: For updated product documentation, technical support information and other resources, please visit the D-Link local web site. You can contact D-Link Technical Support at your local D-Link office; see Technical Support. To help us provide the support you require, please provide the following information: Name, Company Name, Locatio...

Page 10: ...s; Mounting; Powering on; Initial configuration; Connecting to the web-based manager; Connecting to the command line interface (CLI); Next steps. Package contents: The DFL-500 package contains the following items: the DFL-500 NPG; one orange cross-over ethernet cable; one gray regular ethernet cable; one null modem cable; DFL-500 QuickStart Guide; a CD containing this DFL-500 User Manual and the DFL-500 CLI Refer...

Page 11: ...lights light. The Status light flashes while the DFL-500 NPG is starting up and remains lit when the system is up and running. DFL-500 LED indicators (LED / State / Description): Power: Green, the DFL-500 NPG is powered on; Off, the DFL-500 NPG is powered off. Status: Flashing Green, the DFL-500 NPG is starting up; Green, the DFL-500 NPG is running normally; Off, the DFL-500 NPG is powered off. Green: The correct cable...

Page 12: ...er 207.194.200.1; External interface, Manual, Secondary DNS Server 207.194.200.129. Connecting to the web-based manager: The web-based manager is the primary tool for installing and configuring your DFL-500 NPG. Configuration changes made with the web-based manager are effective immediately, without the need to reset the firewall or interrupt service. To connect to the web-based manager you need a compute...

Page 13: ...e effective immediately, without the need to reset the firewall or interrupt service. To connect to the DFL-500 CLI you need: a computer with an available communications port; the null modem cable included in your DFL-500 package; terminal emulation software such as HyperTerminal for Windows. The following procedure describes how to connect to the DFL-500 CLI using Windows HyperTerminal software. You can...

Page 14: ...rompt appears. Type for a list of commands. For information on how to use the CLI, see the DFL-500 CLI Reference Guide. Next steps: Now that your DFL-500 NPG is up and running, you can proceed to configure it for operation. If you are going to run your DFL-500 NPG in NAT/Route mode, go to NAT/Route mode installation. If you are going to run your DFL-500 NPG in Transparent mode, go to Transparent mode instal...

Page 15: ...__ _____; IP _____._____._____._____; Netmask _____._____._____._____; Default Gateway _____._____._____._____; Primary DNS Server _____._____._____._____; Manual Secondary DNS Server _____._____._____._____. DHCP: If your Internet Service Provider (ISP) supplies you with an IP address using DHCP, no further information is required. User name _______________________; Password ________________________; External...

Page 16: ...you configure. For each server located on your internal network, the DFL-500 NPG adds an Ext->Int policy. Reconnecting to the web-based manager: If you changed the IP address of the internal interface using the setup wizard, you must reconnect to the web-based manager using the new IP address. Browse to https:// followed by the new IP address of the internal interface. Otherwise, you can reconnect to the web ba...

Page 17: ...P or PPPoE. Set the default route to the Default Gateway IP Address that you recorded in NAT/Route mode settings (not required for DHCP and PPPoE). Enter: set system route number <number> gw1 <IP address>. Example: set system route number 1 gw1 204.23.1.2. You have now completed the initial configuration of your DFL-500 NPG, and you can proceed to connect the DFL-500 NPG to your network using the information i...

Page 18: ...etwork for DHCP. When the DFL-500 NPG is connected, make sure that it is functioning properly by connecting to the Internet from a computer on your internal network. You should be able to connect to any Internet address. Completing the configuration: Use the information in this section to complete the initial configuration of the DFL-500 NPG. Setting the date and time: For effective scheduling and loggin...

Page 19: ...gateway if the DFL-500 NPG must connect to a router to reach the management computer. DNS Settings: Primary DNS Server _____._____._____._____; Secondary DNS Server _____._____._____._____. Using the setup wizard: From the web-based manager you can use the setup wizard to create the initial configuration of your DFL-500 NPG. To connect to the web-based manager, see Connecting to the web-based manager. Ch...

Page 20: ...0 NPG using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI). Use the information that you gathered in Transparent mode settings to complete the following procedures. Changing to Transparent mode: Log into the CLI if you are not already logged in. Switch to Transparent mode: enter set system opmode transparent. After a few seconds the following prompt...

Page 21: ...rate. You can either manually set the time, or you can configure the DFL-500 NPG to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server. To set the DFL-500 NPG date and time, see Setting system date and time. Connecting to your network: When you have completed the initial configuration, you can connect the DFL-500 NPG between your internal network and the Internet...

Page 22: ...DFL-500 User Manual 22. DFL-500 network connections...

Page 23: ...entication before the connection is allowed, or process the packet as an IPSec VPN packet. You can enable and disable policies. You can add schedules to policies so that the firewall can process connections differently depending on the time of day or the day of the week, month or year. You can also enable web content filtering for policies that control the HTTP service. Use Int->Ext policies to control h...

Page 24: ...ur network at any point without the need to make changes to your network or any of its components. In Transparent mode you add policies to accept or deny connections between interfaces. The DFL-500 NPG applies policies to control network traffic without modifying the packets in any way. Changing to Transparent mode: Use the procedure Changing to Transparent mode to switch the DFL-500 NPG from NAT/Rout...

Page 25: ...and Fixed Port. Dynamic IP Pool: Select Dynamic IP Pool to translate the source address to an address randomly selected from an IP pool added to the destination interface of the policy. To add IP pools, see IP pools. You cannot select Dynamic IP Pool for Int->Ext policies if the external interface is configured using DHCP or PPPoE. Fixed Port: Select Fixed Port to prevent NAT from translating the source...

Page 26: ...s, you should make sure that users can use DNS through the firewall without authentication. If DNS is not available, users cannot connect to a web, FTP or Telnet server using a domain name. Web filter: Enable web filter content filtering for traffic controlled by this policy. You can select Web filter if Service is set to ANY or HTTP, or to a service group that includes the HTTP service. For web filter con...

Page 27: ...or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see Addresses. Destination: Select an address or address group that matches the destination address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see Addresses. Schedul...

Page 28: ...g this policy, they are prompted to enter a firewall username and password. If you want users to authenticate to use other services (for example POP3 or IMAP), you can create a service group that includes the services for which you want to require authentication, as well as HTTP, Telnet and FTP. Then users could authenticate with the policy using HTTP, Telnet or FTP before using the other service. In most c...

Page 29: ...e list for the first policy that matches the connection attempt (source and destination addresses, service port, and the time and date at which the connection attempt was received). The first policy that matches is applied to the connection attempt. If no policy matches, the connection is dropped. The default policy accepts all connection attempts from the internal network to the Internet. From the internal ne...

Page 30: ...ntaining the policy to disable. Clear the check box of the policy to disable. Enabling a policy: Enable a policy that has been disabled so that the firewall can match connections with the policy. Go to Firewall > Policy. Select the tab for the policy list containing the policy to enable. Select the check box of the policy to enable. Addresses: All policies require source and destination addresses. To add an...

Page 31: ...f a subnetwork, for example 192.168.1.0. The address must be a valid address for one of the networks or computers connected to the interface. Enter the NetMask. The netmask should correspond to the address. The netmask for the IP address of a single computer should be 255.255.255.255. The netmask for a subnet should be 255.255.255.0. Select OK to add the address. Deleting addresses: Delete an address to ma...

Page 32: ...l Address Group. Select the interface list to which to add the address group: New Int Group or New Ext Group. Adding an internal address group: Enter a Group Name to identify the address group. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed. To add addresses to the address group, select an addre...

Page 33: ...service uses one port number, enter this number into both the low and high fields. If the service has more than one port range, select Add to specify additional protocols and port ranges. If you mistakenly add too many port range rows, select Delete to remove each extra row. Select OK to add the custom service. You can now add this custom service to a policy. Grouping services: To make it easier to add pol...

Page 34: ...can use recurring schedules to create policies that are effective only at specified times of the day or on specified days of the week. This section describes: Creating one-time schedules; Creating recurring schedules; Adding a schedule to a policy. Creating one-time schedules: You can create a one-time schedule that activates or deactivates a policy for a specified period of time. For example, your firew...

Page 35: ...ces are not allowed. Select the days of the week on which the schedule should be active. Set the Start and Stop hours between which the schedule should be active. Recurring schedules use the 24-hour clock. Select OK. Adding a schedule to a policy: After you have created schedules, you can add them to policies to schedule when the policies are active. You can add the new schedules to policies when you c...

Page 36: ...nslation (PAT). You can also use port forwarding to change the destination port of the forwarded packets. If you use the setup wizard to configure internal server settings, the firewall adds port forwarding virtual IPs and Ext->Int policies for each server that you configure. Virtual IPs are not required in Transparent mode. This section describes: Adding static NAT virtual IPs; Using port forwarding virtua...

Page 37: ...Enter a Name for the virtual IP. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed. Change Type to Port Forwarding. In the External IP Address field, enter the external IP address to be mapped to an address in the more secure zone. You can set the External IP Address to the address of external i...

Page 38: ...packets when they are forwarded. If you do not want to translate the port, enter the same number as the External Service Port. If you want to translate the port, enter the port number to which to translate the destination port of the packets when they are forwarded by the firewall. Select the protocol to be used by the forwarded packets. Select OK to save the port forwarding virtual IP. Adding policies...

Page 39: ...ple, if the IP address of the internal interface is 192.168.1.99, a valid IP pool could have a start IP of 192.168.1.10 and an end IP of 192.168.1.20. This IP pool would give the firewall 11 addresses to select from when translating the source address. If you add IP pools for an interface, you can select Dynamic IP Pool when you configure a policy with its destination set to this interface. If you add I...

Page 40: ...connecting to the firewall or passing through the firewall. If you enable IP/MAC binding and change the IP address of a computer with an IP address or MAC address in the IP/MAC list, you must also change the entry in the IP/MAC list, or the computer will not have access to or through the firewall. You must also add the IP/MAC address pair of any new computer that you add to your network, or this compu...

Page 41: ...lect Enable IP/MAC binding going to the firewall. Go to Firewall > IP/MAC Binding > Static IP/MAC. Select New to add IP/MAC binding pairs to the IP/MAC binding list. All packets normally allowed to connect to the firewall are compared with the entries in the IP/MAC binding table. If a match is found in the IP/MAC binding table: if IP/MAC binding is set to Allow traffic, then IP/MAC binding allows the packet...

Page 42: ...ct Enable IP/MAC binding going to the firewall to turn on IP/MAC binding for packets connecting to the firewall. Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list. Select Allow traffic to allow all packets with IP and MAC address pairs that are not added to the IP/MAC list. Select Block traffic to block packets with IP and MAC address pairs...

Page 43: ...or that user name, the user cannot authenticate and the connection is dropped. If Password is selected for that user and the password matches, the connection is allowed. If the password does not match, the connection is dropped. If RADIUS is selected and RADIUS support is configured, and the user name and password match a user name and password on the RADIUS server, the connection is allowed. If the user n...

Page 44: ...etters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed. RADIUS: Require the user to authenticate to a RADIUS server. Select the name of the RADIUS server to which the user must authenticate. You can only select a RADIUS server that has been added to the DFL-500 RADIUS configuration; see Configuring RADIUS support. Select Try other servers if connect to selec...

Page 45: ...ng RADIUS servers; Deleting RADIUS servers. Adding RADIUS servers: To configure the DFL-500 NPG for RADIUS authentication: Go to User > RADIUS. Select New to add a new RADIUS server. Enter the name of the RADIUS server. You can enter any name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z) and the special characters - and _. Other special characters and spaces are not allowed. Enter th...

Page 46: ...figuration; L2TP VPN configuration. Only users in the selected user group can use L2TP. If you add a user group to a policy or remote gateway, or to your PPTP or L2TP configuration, do not delete the user group until you remove it from the policy, remote gateway or configuration. This section describes: Adding user groups; Deleting user groups. Adding user groups: To add a user group: Go to User > User Group. Se...

Page 47: ...ers list and select the left arrow to remove the name or RADIUS server from the group. Select OK. Deleting user groups: You cannot delete user groups that have been selected in a policy, remote gateway, PPTP or L2TP configuration. To delete a user group: Go to User > User Group. Select Delete beside the user group that you want to delete. Select OK...

Page 48: ...ialup VPN. Both AutoIKE key and manual key configurations are used to connect remote clients or VPN gateways that have static IP addresses to a DFL-500 VPN gateway. Dialup VPN uses an AutoIKE key configuration that allows clients or remote gateways with dynamic IP addresses to connect to the DFL-500 VPN gateway. IPSec VPN is not supported in Transparent mode. This chapter describes: Interoperability wi...

Page 49: ...feNet IPSec VPN client; Secure Computing Sidewinder; SSH Sentinel. For more information about DFL-500 VPN interoperability, contact D-Link technical support. Configuring AutoIKE key IPSec VPN: An AutoIKE key VPN configuration consists of a remote gateway, an AutoIKE key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel. No...

Page 50: ...user authentication. For information about dialup VPN authentication, see About dialup VPN authentication. To create a dialup VPN configuration: Add a remote gateway and select Dialup User; see Adding a remote gateway. When you configure the Remote Gateway, you can require users to authenticate before accessing the remote gateway by choosing a user group in the User Group field. Selecting a user group is...

Page 51: ...cludes the tunnels added in steps 2 and 3; see Adding a VPN concentrator. Add one encrypt policy for each member VPN. Use the following configuration for each policy: Source: VPN concentrator address; Destination: Member VPN address; Action: ENCRYPT; VPN Tunnel: The member VPN tunnel name; Allow inbound: Select allow inbound; Allow outbound: Select allow outbound; Inbound NAT: Select inbound NAT if required; Outbou...

Page 52: ...ress; Destination: Remote member VPN address; Action: ENCRYPT; VPN Tunnel: The VPN tunnel added in step 2; Allow inbound: Select allow inbound; Allow outbound: Select allow outbound; Inbound NAT: Select inbound NAT if required; Outbound NAT: Select outbound NAT if required. Configuring IPSec redundancy: IPSec redundancy allows you to create a redundant AutoIKE key IPSec VPN configuration to two remote VPN gateway...

Page 53: ...DFL-500 NPG. User Group: If you select Dialup User, the User Group field appears. For authentication purposes, you can select the group of users that will have access to the remote gateway. For information about dialup VPN authentication, see About dialup VPN authentication. Mode: Select Aggressive or Main (ID Protection) mode. Both modes establish a secure channel. Main mode offers greater security because i...

Page 54: ...e Keepalive Frequency field. This number specifies, in seconds, how frequently empty UDP packets are sent through the NAT device to ensure that the NAT mapping does not change until the P1 and P2 keylife expires. The keepalive frequency can be from 0 to 900 seconds. Select OK to save the remote gateway. Adding a remote gateway (Dialup User selected). About dialup VPN authentication: For dialup VPN authenticatio...

Page 55: ...key; Local ID: empty, empty. Main mode with a user group selected: In this configuration the server and the clients use main mode for key exchange. A user group has been selected in the server dialup remote gateway. Clients authenticate with the server using their authentication keys. The client authentication key can be one of the following: the same as the server authentication key; a username and passwo...

Page 56: ...that can be created at both ends of the VPN tunnel without communicating the key across the Internet. You can select from DH group 1, 2 and 5. DH group 5 produces the most secure shared secret key and DH group 1 produces the least secure key. However, DH group 1 is faster than DH group 5. About the P1 proposal: AutoIKE key IPSec VPNs use a two-phase process for creating a VPN tunnel. During the first pha...

Page 57: ...a DIALUP remote gateway to associate with the VPN tunnel. Select a static remote gateway if you are configuring IPSec redundancy; see Configuring IPSec redundancy. If you select a static gateway, you can select up to three remote gateways. To decrease the number of remote gateways, select the minus sign. To increase the number of remote gateways, select the plus sign. P2 Proposal: Select up to three encryp...

Page 58: ...ully, each VPN gateway must have at least one encryption and one authentication algorithm in common. Select DES to propose to encrypt packets using DES encryption. Select 3DES to propose to encrypt packets using triple DES encryption. Select MD5 to propose to use MD5 authentication. Select SHA1 to propose to use SHA1 authentication. Select NULL to propose that the VPN packets not be encrypted or that a...

Page 59: ...t also specify the encryption keys and, optionally, the authentication keys used by the tunnel. Because the keys are created when you configure the tunnel, no negotiation is required for the VPN tunnel to start. However, the VPN gateway or client that connects to this tunnel must use the same encryption algorithm and must have the same encryption and authentication keys. To create a manual key VPN tunnel...

Page 60: ...ant the tunnel to be part of a hub and spoke VPN configuration; see Adding a VPN concentrator. Select OK to save the manual key VPN tunnel. Adding a manual key VPN tunnel. Adding a VPN concentrator: You can add VPN tunnels to a VPN concentrator grouping to create a hub and spoke configuration. The VPN concentrator allows VPN traffic to pass from one tunnel to the other through the DFL-500 NPG. To add a h...

Page 61: ...y added to its configuration to connect to the remote DFL-500 NPG VPN gateway, and the DFL-500 NPGs use their remote gateway and VPN tunnel configurations to establish a VPN tunnel between them. Using encrypt policies you can control: the direction of traffic flow through the VPN; the addresses that can connect to the VPN tunnel. The source and destination addresses that you specify when you add an enc...

Page 62: ...ddress of the client computer. Go to Firewall > Policy > Int->Ext. Select New to add a new policy. Adding an encrypt policy: Set Source to the VPN source address. Set Destination to the VPN destination address. Set Action to ENCRYPT. Service is set to ANY and cannot be changed. Configure the ENCRYPT parameters: VPN Tunnel: Select an AutoIKE key or Manual Key tunnel. For information about adding VPN tunnels, see Ad...

Page 63: ...ave the encrypt policy. To make sure that the encrypt policy is matched for VPN connections, arrange the encrypt policy above other policies with similar source and destination addresses in the policy list. Viewing VPN tunnel status: You can use the IPSec VPN tunnel list to view the status of all IPSec AutoIKE key VPN tunnels. For each tunnel, the list shows the status of each tunnel as well as the tunn...

Page 64: ...he Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife. The Proxy ID Source column displays the actual IP address or subnet address of the remote peer. The Proxy ID Destination column displays the actual IP address or subnet address of the local peer. Testing a VPN: To confirm that a VPN betwe...

Page 65: ...d correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network...

Page 66: ...a user group to the DFL-500 NPG configuration. This user group can contain users added to the DFL-500 NPG user database, RADIUS servers, or both. After you have added a user group, configure your DFL-500 NPG to support PPTP by enabling PPTP and specifying a PPTP address range. The PPTP address range is the range of addresses that must be reserved for remote PPTP clients. When a remote PPTP client connec...

Page 67: ...way. Create a user group for your PPTP users; see Users and authentication. Go to VPN > PPTP > PPTP Range. Select Enable PPTP. Enter the Starting IP and the Ending IP for the PPTP address range. Select the User Group that you added in the step Create a user group for your PPTP users. Select Apply to enable PPTP through the DFL-500 NPG...

Page 68: ...interface. The addresses can be grouped into an address group. Add an Ext->Int policy to allow PPTP clients to connect through the DFL-500 NPG. Configure the policy as follows: Source: The address group that matches the PPTP address range; Destination: The address to which PPTP users can connect; Service: The service that matches the traffic type inside the PPTP VPN tunnel. For example, if PPTP users can acce...

Page 69: ...he DFL-500 NPG. Make sure that your ISP supports L2TP connections. Add firewall policies with an external source address to control the access that L2TP clients have through the DFL-500 NPG. Add the addresses in the L2TP address range to the external interface address list. To make policy configuration easier, you can create an address group for L2TP that contains the IP addresses that can be assigned...

Page 70: ...ternal interface address list. The addresses can be grouped into an external address group. Add the addresses to which L2TP users can connect to the internal interface. The addresses can be grouped into an address group. Add an Ext->Int policy to allow L2TP clients to connect through the DFL-500 NPG. Configure the policy as follows: Source: The address group that matches the L2TP address range; Destination...

Page 71: ...policies or Adding Transparent mode policies. Select Web filter to enable web content filtering protection for this policy. Select show settings to view the current web content filtering configuration. Select OK to save the policy. Repeat this procedure for any HTTP policies for which to enable web content filtering. Blocking web pages that contain unwanted content: Block web pages that contain unwante...

Page 72: ...You cannot include special characters in banned words. Select OK. The word or phrase is added to the banned word list. In the Modify column, check the box beside the new entry in the banned word list so that the DFL-500 NPG blocks web pages containing this word or phrase. You can enter multiple banned words or phrases and then select Check All to activate all entries in the banned word list. Enable Ban...

Page 73: ...can block individual pages on a website by including the full path and filename of the web page to block. When the DFL-500 NPG blocks a web page, the user who requested the blocked page receives a block message and the DFL-500 NPG writes a message to the event log. This section describes: Configuring URL blocking; Clearing the URL block list; Changing the URL block message; Downloading the URL block...

Page 74: ...remove all URLs from the URL block list. Changing the URL block message: To customize the message that users receive when the DFL-500 NPG blocks web pages: Go to Web Filter > URL Block. Select Edit Prompt to edit the URL block message. Change the text of the message. You can add HTML code to this message. Select OK to save your changes. The DFL-500 NPG displays this message when a URL is blocked. Downloading...

Page 75: ...Each page of the URL block list displays 100 URLs. Use Page Down and Page Up to navigate through the URL block list. You can continue to maintain the URL block list by making changes to the text file and uploading it again. Removing scripts from web pages: Use the following procedure to configure the DFL-500 NPG to remove scripts from web pages. You can configure the DFL-500 NPG to block Java applets, c...

Page 76: ...goodsite.com from all content and URL filtering rules, unless goodsite.com without the www is added to the Exempt URL list. Select Enable to exempt the URL. Select OK to add the URL to the Exempt URL list. You can enter multiple URLs and then select Check All to activate all entries in the Exempt URL list. Each page of the Exempt URL list displays 100 URLs. Use Page Down and Page Up to navigate through...

Page 77: ...xempt URL list using the web-based manager are lost when you upload a new list. However, you can download your current Exempt URL list, add more URLs to it using a text editor, and then upload the edited list to the DFL-500 NPG. In a text editor, create the list of URLs to exempt. Using the web-based manager, go to Web Filter > Exempt URL. Select Upload URL Exempt List. Enter the path and filename of your Exe...

Page 78: ...ds server; Selecting what to log. Recording logs on a remote computer: Use the following procedure to configure the DFL-500 NPG to record logs onto a remote computer. The remote computer must be configured with a syslog server. Go to Log&Report > Log setting. Select Log to Remote Host to send the logs to a syslog server. Add the IP address of the computer running the syslog server software. Select Apply to save...

Page 79: ...de, you can select Log All Events. Traffic logs are also recorded when you select Log Traffic for a firewall policy. Select Log All Events to record management and activity events in the event log. Management events include changes to the system configuration as well as administrator and user logins and logouts. Activity events include system activities such as VPN tunnel establishment, web content bloc...

Page 80: ...ds. These are the actual email addresses that the DFL-500 NPG sends alert emails to. Select Apply to save the alert email settings. Testing alert email: You can test your alert email settings by sending a test email. Go to Log & Report > Alert Mail > Configuration. Select Test to send test email messages from the DFL-500 NPG to the Email To addresses that you have configured. Enabling alert email: You can confi...

Page 81: ... Transparent mode; Setting DNS server addresses; Configuring routing; Adding routing gateways; Adding a default route; Adding routes to the routing table; Configuring the routing table; Enabling RIP server support; Adding routes (Transparent mode); Providing DHCP services to your internal network; System configuration; Setting system date and time; Changing web-based manager options; Adding and editing administr...

Page 82: ...irm that the updated firmware has been installed successfully. Upgrading the firmware from a TFTP server using the CLI: To use this procedure, you must install a TFTP server and be able to connect to this server from the internal interface. The TFTP server should be on the same subnet as the internal interface. Installing new firmware using the CLI deletes all changes that you have made to the configur...

Page 83: ...t the execute reboot command. Type the address of the TFTP server and press Enter. The following message appears: Enter Local Address [192.168.1.188]: Type the address of the internal interface of the DFL-500 and press Enter. The following message appears: Enter File Name [image.out]: Enter the firmware image file name and press Enter. The TFTP server uploads the firmware image file to the DFL-500 and message...

Page 84: ... The system settings file is backed up to the management computer. Select Return to go back to the Status page. Restoring system settings: This procedure does not restore the web content and URL filtering lists. To restore these lists, see Backing up and restoring the banned word list, Uploading a URL block list, and Uploading an Exempt URL list. You can restore system settings by uploading a previously d...

Page 85: ...ted. This includes the default route that is part of the default NAT/Route configuration. Go to System > Status. Select Change to Transparent Mode. Select Transparent in the operation mode list. Select OK. The DFL-500 NPG changes operation mode. To reconnect to the web-based manager, connect to the interface configured for Transparent mode management access and browse to https:// followed by the Transparent mo...

Page 86: ...The DFL-500 NPG shuts down and all traffic flow stops. The DFL-500 NPG can only be restarted after shutdown by disconnecting and reconnecting the power. System status monitor: You can use the system status monitor to view system activity, including the number of active communication sessions and information about each session. The system status monitor also displays DFL-500 NPG CPU usage, memory usage, a...

Page 87: ...s the following information about each active firewall connection: Protocol: The service type or protocol of the connection. From IP: The source IP address of the connection. From Port: The source port of the connection. To IP: The destination IP address of the connection. To Port: The destination port of the connection. Expire: The time in seconds before the connection expires. Clear: Stop an active communica...

Page 88: ...SH connections to the CLI through the internal interface. SNMP: To allow a remote SNMP manager to request SNMP information by connecting to the internal interface. See Configuring SNMP. Select OK to save your changes. If you changed the IP address of the internal interface and you are connecting to the internal interface to manage the DFL-500 NPG, you must reconnect to the web-based manager using the ne...

Page 89: ...s configuration is required if your ISP uses DHCP to assign the IP address of the external interface. Go to System > Network > Interface. For the external interface, select Modify. Set Addressing mode to DHCP and select OK to change to DHCP mode. Both the IP address and Netmask change to 0.0.0.0. Select Enable Connect to DHCP server if you want the DFL-500 NPG to automatically connect to a DHCP server when ...

Page 90: ...from the PPPoE server, the new addresses and netmask are displayed in the external IP address, netmask, and default gateway IP address fields. If the PPPoE connection with your ISP is dropped, the DFL-500 NPG automatically attempts to re-establish the connection. Select Enable Connect to PPPoE server if you want the DFL-500 NPG to automatically connect to a PPPoE server when it starts up. Controlling man...

Page 91: ...connection, you can adjust the maximum transmission unit (MTU) of the packets that the DFL-500 NPG transmits from its external interface. Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-500 NPG and the Internet. If the packets that the DFL-500 NPG sends are larger, they get broken up or fragmented, which slows down transmission speeds. Trial and error is th...

Page 92: ...You can configure routing to add static routes from the DFL-500 NPG to local routers. You can also use routing to add multiple routing gateways. This section describes: Adding routing gateways; Adding a default route; Adding routes to the routing table; Configuring the routing table; Enabling RIP server support; Adding routes (Transparent mode). Adding routing gateways: The first step in configuring DFL-500 N...

Page 93: ...System > Network > Routing Table. Select New to add a new route. Set the Source IP and Netmask to 0.0.0.0. Set the Destination IP and Netmask to 0.0.0.0. Set Gateway 1 to the IP address of the routing gateway that routes traffic to the Internet. If you are adding a default route (source and destination IPs and netmasks set to 0.0.0.0), you do not have to use the procedure Adding routing gateways to add this r...

Page 94: ...o move and select Move to change its order in the routing table. Type a number in the Move to field to specify where in the routing table to move the route and select OK. Select Delete to remove a route from the routing table. Enabling RIP server support: Enable routing information protocol (RIP) server support to configure the DFL-500 NPG to act like a RIP server. The RIP routing protocol maintains up-t...

Page 95: ...ion: Enter the interval in seconds after which a DHCP client must ask the DHCP server for a new address. The lease duration must be between 300 and 604800 seconds. Domain: Optionally enter the domain that the DHCP server assigns to the DHCP clients. DNS IP: Enter the IP addresses of up to 3 DNS servers that the DHCP clients can use for looking up domain names. Default Route: Enter the default route to ...

Page 96: ...00 NPG adds these addresses to the dynamic IP/MAC list and, if IP/MAC binding is enabled, the addresses in the dynamic IP/MAC list are added to the list of trusted IP/MAC address pairs. For more information about IP/MAC binding, see IP/MAC binding. To view the dynamic IP list: Go to System > Network > DHCP. Select Dynamic IP List. The dynamic IP list appears. Example Dynamic IP list. System configuration: Go to ...

Page 97: ...TP server that you can use, see http://www.ntp.org. To set the date and time: Go to System > Config > Time. Select Refresh to display the current DFL-500 NPG date and time. Select your Time Zone from the list. If required, select Daylight Saving Time. Optionally, select Set Time and set the DFL-500 NPG date and time to the correct date and time. Example date and time setting. To configure the DFL-500 NPG to use NT...

Page 98: ...utton on the upper right of the web-based manager. Select Apply. The options that you have selected take effect. Adding and editing administrator accounts: When the DFL-500 NPG is initially installed, it is configured with a single administrator account with the user name admin. From this administrator account you can add and edit administrator accounts. You can also control the access level of each of t...

Page 99: ... to 255.255.255.0. Set the Permission level for the administrator. Select OK to add the administrator account. Editing administrator accounts: The admin account user can change individual administrator account passwords, configure the IP addresses from which administrators can access the web-based manager, and change the administrator permission levels. Administrator account users with Read & Write access ...

Page 100: ...ge the default get community string to keep intruders from using get requests to retrieve information about your network configuration. The get community string must be used in your SNMP manager to enable it to access DFL-500 SNMP information. The get community string can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters...

Page 101: ... method of automatically exchanging authentication and encryption keys between two secure servers. IMAP (Internet Message Access Protocol): An Internet email protocol that allows access to your email from any IMAP-compatible browser. With IMAP, your mail resides on the server. IP (Internet Protocol): The component of TCP/IP that handles routing. IP Address: An identifier for a computer or device on a TCP/IP n...

Page 102: ...er name and password. This information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP system. Router: A device that connects LANs into an internal network and routes traffic between them. Routing: The process of determining a path to use to send data to its destination. Routing table: A list of valid paths through which data can be transmit...

Page 103: ...e network and that data cannot be intercepted. Virus: A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism, usually with harmful intent. Worm: A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions such as using up the computer's resources and possibly shutting the s...

Page 104: ...trusted host aggressive mode remote gateway alert email configuring critical firewall or VPN events allow traffic IP MAC binding authentication policy option timeout authentication key IPSec VPN remote gateway manual key VPN tunnel AutoIKE key adding VPN remote gateway adding VPN tunnel VPN configuring VPN tunnel B backing up system settings banned word list backing up clearing restoring blacklist...

Page 105: ...critical firewall events alert email critical VPN events alert email custom service customer service D date setting date and time setting example daylight saving time default gateway configuring Transparent mode default route destination policy option detection about replay detection DH group about DHCP external interface internal network internal network settings dialup VPN configuring 51 viewing...

Page 106: ...nt log blocked page message exclusion range DHCP Exempt List adding URLs clearing downloading uploading expire system status external interface configuring configuring DHCP configuring PPPoE management access F factory default restoring system settings firewall authentication timeout overview policy mode security policy mode firewall events alert email firewall policy configuring L2TP configuring ...

Page 107: ... web content filtering HTTPS hub and spoke VPN I ICMP ID protection mode IPSec VPN remote gateway IKE IMAP internal address example internal address group example internal interface configuring internal network configuring Internet key exchange interoperability third party products IP Address IPSec VPN Remote Gateway IP addresses configuring from the CLI IP pool adding IP MAC binding adding allow ...

Page 108: ...nnel status IPSec VPN tunnel adding AutoIKE key tunnel adding manual key tunnel enabling perfect forward secrecy PFS enabling replay detection keep alive keylife P2 proposal PFS remote gateway replay detection testing tunnel name J Java applets removing from web pages K keep alive IPSec AutoIKE key VPN tunnel keepalive frequency IPSec VPN remote gateway keylife IPSec AutoIKE key VPN tunnel IPSec V...

Page 109: ...er selecting what to log settings M MAC address main mode IPSec VPN remote gateway management access controlling management interface Transparent mode management IP address Transparent mode manual key adding VPN tunnel IPSec VPN IPSec VPN encryption algorithm IPSec VPN encryption key IPSec VPN remote gateway manual key VPN tunnel adding authentication key matching policy memory usage system status...

Page 110: ...e changing P P1 proposal about IPSec VPN remote gateway P2 proposal about IPSec AutoIKE key VPN tunnel password adding PAT perfect forward secrecy about enabling PFS about IPSec AutoIKE key VPN tunnel PING management access policy adding IPSec firewall policy adding L2TP firewall policy adding PPTP firewall policy adding Transparent mode arranging in the policy list disabling enabling matching pol...

Page 111: ... schedule creating remote gateway adding 55 IPSec AutoIKE key VPN tunnel IPSec VPN IPSec VPN manual key IPSec VPN remote gateway user groups remote SPI IPSec VPN manual key removing scripts from web pages replay detection about enabling IPSec manual key VPN tunnel reporting restarting restoring system settings to factory defaults RIP enabling server support route adding default adding to the routi...

Page 112: ...ity parameter index security policy mode serial number displaying service custom group policy option pre defined user defined service group adding session clearing setup wizard starting shutting down SMTP SNMP configuring contact information first trap receiver IP address get community system location trap community source policy option squidGuard SSH SSL starting IP DHCP L2TP PPTP static IP MAC l...

Page 113: ...tem status monitor T technical support testing email alerts VPN third party products interoperability time setting timeout firewall authentication IPSec VPN web based manager to IP system status to port system status Transparent mode adding firewall policies adding routes changing to configuring the default gateway logging management interface management IP address trap community SNMP trusted host...

Page 114: ...nnel status virtual IP adding mapping port forwarding static NAT VPN adding concentrator adding hub and spoke AutoIKE key compatibility with IPSec VPN products concentrator configuring L2TP configuring L2TP gateway configuring PPTP configuring PPTP gateway definition dialup VPN hub and spoke IPSec IPSec VPN features L2TP L2TP configuration manual key PPTP PPTP configuration remote gateway testing ...

Page 115: ... filtering ActiveX cookies enabling Java applets Web filter policy option web pages content blocking web based manager changing options connecting to language timeout WebTrends recording logs on a WebTrends server whitelist URL wizard firewall setup starting ...

Page 116: ...0800 7250 4000 (toll free). REPAIR LINE: 00800 7250 8000. E-MAIL: info@dlink.de. URL: www.dlink.de. IBERIA: D-LINK IBERIA, Gran Via de Carlos III 84, 3, Edificio Trade, 08028 BARCELONA. TEL: 34 93 4090770. FAX: 34 93 4910795. E-MAIL: info@dlinkiberia.es. URL: www.dlinkiberia.es. INDIA: D-LINK INDIA, Plot No. 5, Kurla-Bandra Complex Road, Off Cst Road, Santacruz (E), Bombay 400 098, India. TEL: 91 22 652 6696. FAX: 91 22 652 8914. E-MA...

Page 117: ... support your product. 1. Where and how will the product primarily be used? Home, Office, Travel, Company Business, Home Business, Personal Use. 2. How many employees work at installation site? 1 employee, 2-9, 10-49, 50-99, 100-499, 500-999, 1000 or more. 3. What network protocol(s) does your organization use? XNS/IPX, TCP/IP, DECnet, Others_____________________________ 4. What network operating system(s) does your organi...

Page 119: ...ective Hardware. All Hardware or part thereof that is replaced by D-Link, or for which the purchase price is refunded, shall become the property of D-Link upon replacement or refund. Limited Software Warranty: D-Link warrants that the software portion of the product (Software) will substantially conform to D-Link's then-current functional specifications for the Software, as set forth in the applicable doc...

Page 120: ...ack of reasonable care, repair or service in any way that is not contemplated in the documentation for the product, or if the model or serial number has been altered, tampered with, defaced or removed. Initial installation, installation and removal of the product for repair, and shipping costs. Operational adjustments covered in the operating manual for the product, and normal maintenance. Damage that occur...

Page 121: ...such as translation, transformation or adaptation, without permission from D-Link Corporation/D-Link Systems Inc., as stipulated by the United States Copyright Act of 1976. FCC Warning: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference...

Page 122: ...Registration: Register the D-Link DFL-500 Office Firewall online at http://www.dlink.com/sales/reg ...