  Restoring the DFL-1100’s Configuration ........ 68
Restart/Reset ........ 69
  Restarting the DFL-1100 ........ 69
  Restoring system settings to factory defaults ........ 69
Upgrade ........ 71
  Upgrade Firmware ........ 71
  Upgrade IDS Signature-database ........ 71
Status ........ 72
  System ........ 72
  Interfaces ........ 73
  HA ........ 74
  VLAN ........ 75
  VPN ........ 76
  Connections ........ 77
  DHCP Server ........ 78
How to read the logs ........ 79
  USAGE events ........ 79
  DROP events ........ 79
  CONN events ........ 79
Appendixes ........ 81
  Appendix A: ICMP Types and Codes ........ 81
  Appendix B: Common IP Protocol Numbers ........ 83

 

LIMITED WARRANTY .....................................


Summary of Contents for DFL-1100 - Security Appliance

Page 1: ...D Link DFL 1100 Network Security Firewall Manual Building Networks for People...

Page 2: ...nterface 13 System 14 Interfaces 14 Change IP of the LAN DMZ or ETH4 interface 14 WAN Interface Settings Using Static IP 15 WAN Interface Settings Using DHCP 15 WAN Interface Settings Using PPPoE 16 W...

Page 3: ...34 Add a new policy 35 Change order of policy 36 Delete policy 36 Configure Intrusion Detection 36 Configure Intrusion Prevention 37 Port mapping Virtual Servers 38 Add a new mapping 38 Delete mapping...

Page 4: ...roposal List 56 IPSec Proposal List 56 Certificates 57 Trusting Certificates 57 Local identities 57 Certificates of remote peers 57 Certificate Authorities 57 Identities 58 Content Filtering 59 Edit t...

Page 5: ...69 Upgrade 71 Upgrade Firmware 71 Upgrade IDS Signature database 71 Status 72 System 72 Interfaces 73 HA 74 VLAN 75 VPN 76 Connections 77 DHCP Server 78 How to read the logs 79 USAGE events 79 DROP e...

Page 6: ...ter and the Internet that prevents unauthorized access to or from your network A firewall can be a computer using firewall software or a special piece of hardware built specifically to act as a firewa...

Page 7: ...ave a Network Interface Card NIC which communicates the data between computers A NIC is usually a 10Mbps network card or 10 100Mbps network card or a wireless network card Most networks use hardware d...

Page 8: ...ght the unit is defective Console Serial access to the firewall software 9600 8bit None Parity 1Stop bit External Port WAN Use this port to connect to the external router DSL modem or Cable modem Inte...

Page 9: ...on Guide Power cord If any of the above items are missing please contact your reseller System Requirements Computer with a Windows Macintosh or Unix based operating system with an installed Ethernet a...

Page 10: ...need to login again This has to be done before a configurable timeout has been reached this can be set on the Activate Configuration Changes page by choosing the time from the dropdown menu Resettin...

Page 11: ...L 1100 and change configuration can be HTTPS or HTTP and HTTPS Read Only If enabled allows all users with read only access to connect to the DFL 1100 and look at the configuration can be HTTPS or HTTP...

Page 12: ...to an interface To add admin access click on the interface you would like to add it to Only users with the administrator rights can login on an interfaces where there is only admin access enabled Fol...

Page 13: ...r a range Step 4 Specify protocol used to access the DFL 1100 from the dropdown menu either HTTP and HTTPS Secure HTTP or only HTTPS Click the Apply button below to apply the setting or click Cancel t...

Page 14: ...ace to view or change under the Available interfaces list Step 2 Fill in the IP address of the LAN DMZ or ETH4 interface These are the address that will be used to ping the firewall remotely control i...

Page 15: ...ress of the WAN interface This is the address that may be used to ping the firewall remotely control it and be used as source address for dynamically translated connections Subnet Mask Size of the ext...

Page 16: ...P address of the external interface You will have to fill the username and password provided to you by your ISP Username The login or username supplied to you by your ISP Password The password supplie...

Page 17: ...ISP PPTP Server IP The IP of the PPTP server that the DFL 1100 should connect to Before PPTP can be used to connect to your ISP the physical WAN interface parameters need to be supplied it's possible t...

Page 18: ...1100 For example the policy for the web server might be given higher priority than the policies for most employees computers You can use traffic shaping to guarantee the amount of bandwidth available...

Page 19: ...down transmission speeds Trial and error is the only sure way of finding the optimal MTU but there are some guidelines that can help For example the MTU of many PPP connections is 576 so if you connec...

Page 20: ...Fill in the IP address of the VLAN interface This is the address that will be used to ping the firewall remotely control it and use as gateway for hosts on that VLAN Step 6 Choose the correct Subnet m...

Page 21: ...to the firewall interface no gateway address is specified Local IP Address The IP address specified here will be automatically published on the corresponding interface This address will also be used...

Page 22: ...s network is behind a remote gateway enable the checkbox Network is behind remote gateway and specify the IP of that gateway Click the Apply button below to apply the setting or click Cancel to discar...

Page 23: ...the firewall will merely experience the failover procedure as a slight burst of packet loss and as TCP always does in such situations retransmit the lost packets within a second or two and go on commu...

Page 24: ...er mechanism Both firewalls in the cluster know about the shared IP address ARP queries for the shared IP address or any other IP address published via the ARP configuration section or through Proxy A...

Page 25: ...vel multicasts were chosen over normal unicast packets for security reasons using unicast packets would have meant that a local attacker could fool switches to route the heartbeats somewhere else caus...

Page 26: ...cable between the fourth interfaces on each unit this interface ETH4 will no longer be possible to use as an extra DMZ or LAN interface when running HA Login to the master firewall and click on System...

Page 27: ...red on the first unit When you click Apply the unit should transfer the configuration from the first unit and your HA cluster should be operating Interface Monitoring When HA is configured it's possibl...

Page 28: ...gs its activities by sending the log data to one or two log receivers in the network All logging is done to Syslog recipients The log format used for syslog logging is suitable for automated processin...

Page 29: ...wall follow the steps below and the firewall will start logging all traffic through the firewall this is needed for running third party log analyzers on the logs and to see how much traffic different co...

Page 30: ...lick on System in the menu bar and then click Time below it This will give you the option to either set the system time by syncing to an Internet Network Time Server NTP or by entering the system time...

Page 31: ...nc to an Internet Time Server Step 1 Enable synchronization by checking the Enable NTP box Step 2 Enter the Server IP Address or Server name with which you want to synchronize Click the Apply button b...

Page 32: ...network to the dmz interface and a public network such as the Internet to the external interface Then you can create NAT mode policies to accept or deny connections between these networks NAT mode pol...

Page 33: ...on either the TCP or the UDP protocol The following is used when making a custom service Custom source destination ports For many services a single destination port is sufficient The source port most...

Page 34: ...ve configured the traffic limits on the WAN interface this limit is sometimes lowered to allow traffic with higher priorities to have precedence By using Guarantee you can traffic using a policy a min...

Page 35: ...y or write Any for any authenticated user If it s left blank there is no need for authentication for the policy Destination Nets Specifies the span of IP addresses to be compared to the destination IP...

Page 36: ...policy Step 1 Choose the policy list you would like to delete the policy in from the available policy lists Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Delete policy...

Page 37: ...ve IDP on Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Intrusion Detection Prevention checkbox Step 4 Choose Prevention from the mode drop down list Step 5 Enable the...

Page 38: ...wing values Name Specifies a symbolic name for the rule This name is used mainly as a rule reference in log data and for easy reference in the policy list Source Nets Specify the source networks leave...

Page 39: ...ose the mapping list WAN LAN or DMZ you would like to delete the mapping from Step 2 Click on the Edit link on the rule you want to delete Step 3 Enable the Delete mapping checkbox Click the Apply but...

Page 40: ...users in each access level Add Administrative User Follow these steps to add a new administrative user Step 1 Click on add after the type of user you would like to add Admin or Read only Step 2 Fill i...

Page 41: ...ike to change level of Step 2 Choose the appropriate level from the drop down menu Click the Apply button below to apply the setting or click Cancel to discard changes Change Administrative User Passw...

Page 42: ...these steps to delete an Administrative User Step 1 Click on the user you would like to change level of Step 2 Enable the Delete user checkbox Click the Apply button below to apply the setting or cli...

Page 43: ...t end to other authentication services The DFL 1100 RADIUS Support The DFL 1100 can use RADIUS to verify users against for example Active Directory or Unix password file It is possible to configure up...

Page 44: ...for the management WebUI to listen on as the user authentication will use the same ports as the management WebUI is using Click the Apply button below to apply the setting or click Cancel to discard...

Page 45: ...and password can contain numbers 0 9 and upper and lower case letters A Z a z Special characters and spaces are not allowed Change User Password To change the password of a user click on the user nam...

Page 46: ...w these steps to delete a user Step 1 Click on the user you would like to change level of Step 2 Enable the Delete user checkbox Click the Apply button below to apply the setting or click Cancel to di...

Page 47: ...a day For example an organization may only want the firewall to allow the internal network users to access the Internet during work hours Therefore one may create a schedule to allow the firewall to...

Page 48: ...Schedules and choose Add new Step 2 Choose the starting and ending date and hour when the schedule should be active Step 3 Use the checkboxes to set the times this schedule should be active inside the...

Page 49: ...g source ports 1024 65535 and destination ports 80 82 90 92 95 In this case a TCP or UDP packet with the destination port being one of 80 81 82 90 91 92 or 95 and the source port being in the range 10...

Page 50: ...cial characters and spaces are allowed Step 3 Select IP Protocol Step 4 Specify a comma separated list of IP protocols Click the Apply button below to apply the change or click Cancel to discard chang...

Page 51: ...sting connection Check this option to enable this feature for connections using this service ALG Like other stateful inspection based firewalls DFL 1100 filters on information found in packet headers...

Page 52: ...s by defining a set of Security Associations SAs for each connection SAs are unidirectional so there will be at least two SAs per IPSec connection The other part is the actual IP data being transferre...

Page 53: ...ind another or between two DMZ networks The networks at the ends of the VPN tunnel are selected when you configure the VPN policy Creating a LAN to LAN VPN Tunnel Follow these steps to add LAN to LAN...

Page 54: ...el Follow these steps to add a roaming users tunnel Step 1 Go to Firewall and VPN and choose Add new Step 2 Enter a Name for the new tunnel in the name field The name can contain numbers 0 9 and upper...

Page 55: ...recy is enabled a new Diffie Hellman exchange is performed for each phase 2 negotiation While this is slower it makes sure that no keys are dependent on any other previously used keys no keys are extr...

Page 56: ...VPN gateway one after another until a matching proposal is found IKE Proposal List Cipher Specifies the encryption algorithm used in this IKE proposal Supported algorithms are AES 3DES DES Blowfish Tw...

Page 57: ...al identities This is a list of all the local identity certificates that can be used in VPN tunnels A local identity certificate is used by the firewall to prove its identity to the remote VPN peer To...

Page 58: ...nel is established if the certificate of the remote peer is present in the Certificates field in the VPN section or if the remote peer s certificate is signed by a CA whose certificate is present in t...

Page 59: ...content filtering can also be configured to strip contents like ActiveX Flash and cookies There is also a URL whitelist for URLs that should be excluded from all Content Filtering Note For HTTP URL fi...

Page 60: ...and choose Edit global URL blacklist Step 2 Add edit or remove the URL that should be checked with the Content Filtering Click the Apply button below to apply the change or click Cancel to discard cha...

Page 61: ...ould like to strip For example to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects It s possible to strip ActiveX Flash Java JavaScript and VBScript it s also possible to block...

Page 62: ...ay address DNS Servers WINS Servers Domain name The DFL 1100 DHCP Server assigns and manages IP addresses from specified address pools within the firewall to the DHCP clients Note Leases are remembere...

Page 63: ...click Cancel to discard changes Enable DHCP Relay To enable the DHCP Relay on an interface click on Servers in the menu bar and then click DHCP Server below it Follow these steps to enable the DHCP R...

Page 64: ...wall itself Enable DNS Relayer Follow these steps to enable the DNS Relayer Step 1 Enable by checking the Enable DNS Relayer box Step 2 Enter the IP numbers that the DFL 1100 should listen for DNS que...

Page 65: ...ble DNS Relayer Follow these steps to disable the DNS Relayer Step 1 Disable by un checking the Enable DNS Relayer box Click the Apply button below to apply the setting or click Cancel to discard chan...

Page 66: ...Echo Requests to Number of packets Number of ICMP Echo Request packets to send up to 10 Packet size Size of the packet to send between 32 and 1500 bytes Ping Example In this example the IP Address is...

Page 67: ...s menu to enter Dynamic DNS configuration The firewall provides a list of a few predefined DynDNS service providers users have to register with one of these providers before trying to use this functio...

Page 68: ...g the DFL 1100's Configuration Follow these steps to export the configuration Step 1 Under the Tools menu and the Backup section click on the Download configuration button Step 2 When the File Downloa...

Page 69: ...ttings to factory defaults Use the following procedure to restore system settings to the values set at the factory This procedure will possibly change the DFL 1100 firmware version to lower version if...

Page 70: ...ection click on the Reset to Factory Defaults button Step 2 Click OK in the dialog to reset the unit to factory default or press Cancel to cancel You can restore your system settings by uploading a pr...

Page 71: ...e file name of the newest version of the firmware then click Upload firmware image The updating process won t overwrite the system configuration so it is not necessary but still a good idea to backup...

Page 72: ...rmation about the DFL 1100 Uptime The time the firewall has been running since the last reboot or start CPU Load Percentage of CPU used Connections Number of current connections through the firewall F...

Page 73: ...e of the interface shown LAN WAN or DMZ IP Address IP address of the interface Link status Displays what link the current interface has the speed can be 10 or 100 Mbps and the duplex can be Half or Fu...

Page 74: ...ured in the DFL 1100 Status Status of the cluster will show if the unit is active or inactive Cluster Peer Status of the other unit in the cluster Cluster ID ID used for this cluster Configuration Sta...

Page 75: ...N Interface Name of the virtual interface shown VLAN ID ID assigned to the VLAN IP Address IP address of the virtual interface Send rate Current amount of traffic sent through the interface Receive rat...

Page 76: ...ation about the first VPN tunnel will be shown to see another one click on that VPN tunnel's name The two graphs display the send and receive rate through the selected VPN tunnel during the last 24 hours...

Page 77: ...eives packets from each end of the connection The value shown in the Timeout column is the lower of the two values Possible values in the State column include TPC_CLOSE TCP_OPEN SYN_RECV FIN_RECV and...

Page 78: ...plays the configured ranges of IPs that are given out as DHCP leases Usage Displays how much of the IP range is given out to DHCP clients Active leases are the current computers using this DHCP server...

Page 79: ...ip1 192 168 10 2 tp1 11 93 if2 lan ip2 192 168 0 1 tp2 13 27 if3 dmz ip3 192 168 1 1 tp3 0 99 The value after conns is the number of open connections through the firewall when the usage log was sent T...

Page 80: ...Another event is generated when the connection is closed The information included in the event is the same as in the event sent when the connection was opened with the exception that statistics regard...

Page 81: ...Don't Fragment was Set RFC792 5 Source Route Failed RFC792 6 Destination Network Unknown RFC792 7 Destination Host Unknown RFC792 8 Source Host Isolated RFC792 9 Communication with Destination Networ...

Page 82: ...Parameter Problem 0 Pointer indicates the error RFC792 1 Missing a Required Option RFC1108 2 Bad Length RFC792 13 Timestamp 0 No Code RFC792 14 Timestamp Reply 0 No Code RFC792 15 Information Request...

Page 83: ...4 IP IP in IP encapsulation RFC2003 5 ST Stream RFC1190 RFC1819 6 TCP Transmission Control RFC793 8 EGP Exterior Gateway Protocol RFC888 17 UDP User Datagram RFC768 47 GRE General Routing Encapsulati...

Page 84: ...ble of correction or if D Link determines in its sole discretion that it is not practical to repair or replace the defective Hardware the price paid by the original purchaser for the defective Hardwar...

Page 85: ...th all shipping costs prepaid D Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements or for which an RMA number is not visible fr...

Page 86: ...not apply This limited warranty provides specific legal rights and the product owner may also have other rights which vary from state to state Important Safety Instructions 1 Bitte lesen Sie sich dies...

Page 87: ...nur Originalersatzteile bzw den Originalteilen entsprechende Teile verwendet werden The use of unsuitable spare parts can cause further damage 17 Wenden Sie sich mit allen Fra...

Page 88: ...g the equipment off and on the user is encouraged to try to correct the interference by one or more of the following measures Reorient or relocate the receiving antenna Increase the separation between...

Page 89: ...k Avenue North Ryde NSW 2113 Australia TEL 61 2 8899 1800 FAX 61 2 8899 1868 URL www dlink com au India D Link House Kurla Bandra Complex Road Off CST Road Santacruz East Mumbai 400098 India TEL 91 02...

Page 90: ...product 1 Where and how will the product primarily be used Home Office Travel Company Business Home Business Personal Use 2 How many employees work at installation site 1 employee 2 9 10 49 50 99 100...

Page 91: ......
