D-Link NetDefend DFL-CP310 Скачать руководство пользователя

Страница: 221 / 485

Setting the Firewall Security Level

This
level…

Does this…

Further Details

able 31: Firewall Security Levels

Low

Enforces basic control on

incoming connections,

ile

outgo

All inbound traffic is blocked to the external

NetDefend firewall IP address, except for ICMP

echoes ("pings").

permitting all

ing connections.

All outbound connections are allowed.

Medium

Enfor

all incoming connections,

while

outgo g

This i

and is rec

most cases. Leave it

unchanged u

have

rity

level.

nbound traffic is blocked.

to the Internet

ows file sharing (NBT ports 137,

High

Enforces strict control on

ming and outgoing

All inbound traffic is blocked.

(IMAP, POP3, SMTP), ftp, newsgroups, Telnet,

DNS, IPSEC IKE and VPN traffic.

ces strict control on

All i

pe mitting safe

All outbound traffic is allowed

in connections.

except for Wind

s the default level

138, 139 and 445).

ommended for

nless you

a specific need for a

r or lower secu

hig

all inco

connections.

Restricts all outbound traffic except for the

following: Web traffic (HTTP, HTTPS), email

Note:

If the security policy is remotely managed, this lever might be disabled.

Chapter 9: Setting Your Security Policy

205

Содержание NetDefend DFL-CP310

Страница 1: ...D Link NetDefend firewall Security VPN Firewall NetDefend secured by Check Point User Guide Version 1 0 Revised 01 17 2006...

Страница 2: ...he software and 2 offer you this license which gives you legal permission to copy distribute and or modify the software Also for each author s protection and ours we want to make certain that everyone...

Страница 3: ...alent access to copy the source code from the same place counts as distribution of the source code even though third parties are not compelled to copy the source along with the object code 4 You may n...

Страница 4: ...TY PRECAUTIONS Carefully read the Safety Instructions the Installation and Operating Procedures provided in this User s Guide before attempting to install or operate the appliance Failure to follow th...

Страница 5: ...l Security Services 5 Power Pack Features 5 Package Contents 6 Network Requirements 7 Getting to Know Your NetDefend firewall 8 Rear Panel 8 Front Panel 10 Getting to Know Your NetDefend firewall 11 R...

Страница 6: ...tDefend Portal 46 Main Menu 47 Main Frame 48 Status Bar 48 Logging off 51 Configuring the Internet Connection 53 Overview 53 Using the Internet Wizard 54 Using a Direct LAN Connection 56 Using a Cable...

Страница 7: ...twork 93 Configuring Network Settings 93 Configuring a DHCP Server 94 Changing IP Addresses 105 Enabling Disabling Hide NAT 107 Configuring a DMZ Network 108 Configuring the OfficeMode Network 110 Con...

Страница 8: ...161 Overview 161 About the Wireless Hardware in Your NetDefend firewall 162 Wireless Security Protocols 163 Manually Configuring a WLAN 165 Using the Wireless Configuration Wizard 176 WPA PSK 178 WEP...

Страница 9: ...eleting Rules 219 Using SmartDefense 220 Configuring SmartDefense 221 SmartDefense Categories 224 Using Secure HotSpot 256 Setting Up Secure HotSpot 257 Enabling Disabling Secure HotSpot 258 Customizi...

Страница 10: ...tomatic and Manual Updates 294 Checking for Software Updates when Remotely Managed 294 Checking for Software Updates when Locally Managed 295 Working With VPNs 297 Overview 297 Site to Site VPNs 298 R...

Страница 11: ...Traces for VPN Connections 356 Managing Users 359 Changing Your Password 359 Adding and Editing Users 361 Adding Quick Guest HotSpot Users 365 Viewing and Deleting Users 367 Setting Up Remote VPN Acc...

Страница 12: ...ion 415 Importing the NetDefend firewall Configuration 416 Resetting the NetDefend firewall to Defaults 418 Running Diagnostics 421 Rebooting the NetDefend firewall 422 Using Network Printers 423 Over...

Страница 13: ...Problems 443 Specifications 445 Technical Specifications 445 CE Declaration of Conformity 449 Federal Communications Commission Radio Frequency Interference Statement 451 Glossary of Terms 453 Index 4...

Страница 14: ......

Страница 15: ...t and preceded by the Note icon Each task is marked with an ic Warning Warnings are denoted by indented text and preceded by the Warning icon on indicating the NetDefend product required to perform th...

Страница 16: ......

Страница 17: ...rnet the NetDefend Secured by Check Point Product Family includes both wired and wireless models The D Link firewall based on the world leading Check Point Embedded NGX Stateful Inspection technology...

Страница 18: ...sed users by installing node upgrades Contact your reseller for more details NetDefend Features and Compatibility Connectivity The NetDefend series includes the following features LAN ports 4 ports 10...

Страница 19: ...ditional features Wireless LAN interface with dual diversity antennas supporting up to 108 Mbps Super G and Extended Range XR Integrated USB print server Wireless QoS WMM Firewall The NetDefend series...

Страница 20: ...SHA1 MD5 Hardware Based Secure RNG Random Number Generator IPSec NAT traversal NAT T Route based VPN Backup VPN gateways Management The NetDefend series includes the following features Management via...

Страница 21: ...tion VStream Embedded Antivirus Updates VPN Management Security Reporting Vulnerability Scanning Service Power Pack Features The table below describes the differences between the standard DFL CP310 an...

Страница 22: ...Site VPN Managed 10 tunnels 100 tunnels Included VPN 1 SecuRemote client Licenses 5 users 25 users When managed by SofaWare Security Management Portal SMP Package Contents The NetDefend series packag...

Страница 23: ...orer 5 0 or higher or Netscape Navigator 4 7 and higher CAT 5 STP Category 5 Shielded Twisted Pair Straight Through Ethernet cable for each attached device Note The NetDefend firewall automatically de...

Страница 24: ...your NetDefend firewall Figure 1 NetDefend firewall Rear Panel Items Figure 2 NetDefend firewall Rear Panel Items The following table lists the NetDefend firewall s rear panel elements Table 1 NetDefe...

Страница 25: ...have to re configure your NetDefend firewall Do not reset the unit without consulting your system administrator RS 232 Serial A serial port used for connecting computers in order to access the NetDef...

Страница 26: ...atus LEDs see the table below Table 2 NetDefend firewall Status LEDs LED State Explanation PWR SEC Off Power off Flashing quickly Green System boot up Flashing slowly Green Establishing Internet conne...

Страница 27: ...our NetDefend firewall R to the NetDefend firewall are made via the rear panel of your NetDefend firewall ear Panel All physical connections network and power Figure 4 NetDefend firewall Rear Panel It...

Страница 28: ...onsulting your system administrator USB Two USB 2 0 ports used for connecting USB based printers RS232 A serial RS 232 port used for connecting computers in order to access the NetDefend CLI Command L...

Страница 29: ...LEDs see the table below Table 4 NetDefend firewall Status LEDs LED State Explanation PWR SEC Off Power off Flashing quickly Green System boot up Flashing slowly Green Establishing Internet connection...

Страница 30: ...eceived VPN Flashing Green VPN port in use Serial Flashing Green Serial port in use USB Flashing Green USB port in use WLAN Flashing Green WLAN in use Contacting Technical Support If there is a proble...

Страница 31: ...tion 35 Setting Up the NetDefend firewall 36 Before You Install the NetDefend firewall Prior to connecting and setting up your NetDefend firewall for operation you must do the following Check if TCP I...

Страница 32: ...it is recommended to disable it if you are using a NetDefend firewall since the NetDefend firewall offers better protection Checking the TCP IP Installation 1 Click Start Settings Control Panel The Co...

Страница 33: ...ll the NetDefend firewall The Network and Dial up Connections window appears 3 Right click the icon and select Properties from the pop up menu that opens Chapter 2 Installing and Setting up the NetDef...

Страница 34: ...n the components list and if it is properly configured with the Ethernet card installed on your computer If ou must install it as described in In the above window check if TCP IP appears i TCP IP doe...

Страница 35: ...rties window click Install The Select Network Component Type window appears 2 Choose Protocol and click Add The Select Network Protocol window appears 3 Choose Internet Protocol TCP IP and click OK TC...

Страница 36: ...PC but rather to obtain an IP address automatically If for some reason you need to assign a static IP address select Specify an IP address type in an IP address in the range of 192 168 10 129 254 ent...

Страница 37: ...efend firewall Win Checking the TCP IP Installation 1 Click Start Settings Control Panel The Control Panel window appears dows 98 Millennium 2 Double click the icon Chapter 2 Installing and Setting up...

Страница 38: ...y configured with th appears in the network components list e Ethernet card installed on your computer Installing TCP IP Protocol Note If TCP IP is already installed and configured on your co section...

Страница 39: ...ol window appears 3 In Manufacturers list choose Microsoft and in the Network Protocols list choose TCP IP 4 Click OK If Windows asks for original Windows installation files provide the installation C...

Страница 40: ...g LAN consult your network manager for the correct configurations 1 In the Network window double click the TCP IP service for the Ethernet card which has been installed on your computer e g The TCP IP...

Страница 41: ...Before You Install the NetDefend firewall 3 Click the DNS Configuration tab and click the Disable DNS radio button Chapter 2 Installing and Setting up the NetDefend firewall 25...

Страница 42: ...ss type in an IP address in the range of 192 168 10 129 254 enter 255 255 255 0 in the Subnet Mask field and click OK to save the new settings Note that 192 168 10 is the default value and it may vary...

Страница 43: ...ol Panels TCP IP The TCP IP window appears 2 Click the Connect via drop down list and select Ethernet 3 Click the Configure drop down list and select Using DHCP Server 4 Close the window and save the...

Страница 44: ...irewall Mac OS X Use the following procedure for setting up the TCP IP Protocol 1 Choose Apple System Preferences The System Preferences window appears 2 Click Network The Network window appears 28 D...

Страница 45: ...Before You Install the NetDefend firewall 3 Click Configure Chapter 2 Installing and Setting up the NetDefend firewall 29...

Страница 46: ...Apply Now ounting the Appliance If desired you can mount your NetDefend firewall on the wall To mount the NetDefend firewall on the wall 1 Decide where you want to mount your NetDefend firewall 2 Dec...

Страница 47: ...wo plastic conical anchors into the holes Note The conical anchors you received with your NetDefend firewall are suitable for concrete walls If you want to mount the appliance on a plaster wall you mu...

Страница 48: ...ainst Theft The NetDefend firewall f ht panel which enables you to secure your appliance against theft using an anti theft security device eatures a security slot to the rear of the rig Note Anti thef...

Страница 49: ...y cable to the appliance s security slot To install an anti theft device on the NetDefend firewall 1 If your anti theft device has a combination lock set the desired code as that came with your device...

Страница 50: ...then slide the bolt to the Closed position until the bolt holes are aligned 5 Thread the anti theft device s pin through the bolt s holes and insert the pin into the main body of the anti theft devic...

Страница 51: ...of the unit Connect the other end to PCs hubs or other network device Connect the WAN cable Connect one end of the Ethernet cable to the WAN port at the unit office network 4 Connect the power adapter...

Страница 52: ...ties Failure to observe this warning may cause damage to the appliance and void the warranty For information on setting up network printers see Setting up Network Printers on S tting page 424 e Up the...

Страница 53: ...liance on page 397 Setting up a wireless network DFL CPG310 only Configuring a Wireless Network on page 161 Installing the Product Key Upgrading Your Software Product on page 379 Registering your NetD...

Страница 54: ...ss the Setup Wizard ab The Firmware page appears 1 Click Setup in the main menu and click the Firmware t 2 Click end Setup Wizard NetDef The NetDefend Setup Wizard opens with the Welcome page displaye...

Страница 55: ...to the NetDefend Portal 39 Logging on to the NetDefend Portal 42 Accessing the NetDefend Portal Remotely Using HTTPS 44 Using the NetDefend Portal 46 Logging off 51 Initial Login to the NetDefend Port...

Страница 56: ...assword both in the Password and the Confirm Password fields 2 Note The password must be five to 25 characters letters or numbers Note You can change your password at any time For further information...

Страница 57: ...two Internet connections To use Internet Setup click Cancel and refer to Using Internet Setup on page 63 our Internet connection using one of the following ways Wizard Th rnet Wizard is the first part...

Страница 58: ...ule to allow access from the WLAN See Using Rules on page 209 O Enable HTTPS access from the Internet See Configuring HTTPS on pag To log on to the NetDefend Portal 1 Do one of the Browse to Or o log...

Страница 59: ...Logging on to the NetDefend Portal The login page appears 2 Type your username and password 3 Click OK Chapter 3 Getting Started 43...

Страница 60: ...eb server It is used to transfer confidential user information If desired you can also use HTTPS to access the NetDefend Portal from your internal network Note In order to access the NetDefend Portal...

Страница 61: ...the certificate in the NetDefend firewall is not yet known to the browser so the Security Alert dialog box appears To avoid seeing this dialog box again install the certificate of the destination NetD...

Страница 62: ...ch enables yo manage and The NetDefend Portal consists of t able 5 NetDefend Portal Elem ent Description Main menu Used for navigating between the various topics such as Reports Security and Setup Mai...

Страница 63: ...mation R active computers and established connections Securit y computer in Antivirus Services eports Provides reporting capabilities in terms of event logging traffic monitoring y Provides controls a...

Страница 64: ...o log off of the NetDefend Portal sers Allows you to manage NetDefend users PN Allows you to manage configure and log on to VPN sites Provides conte gout Al ain Frame ain and tab you s are using The d...

Страница 65: ...nternet connectivity Not Connected The Internet connection is down Establishing Connection The NetDefend firewall is connecting to the Internet Contacting Gateway The NetDefend firewall is trying to c...

Страница 66: ...s Web Filtering and Email Antivirus Your subscription services status may be one of the following Not Subscribed You are not subscribed to security services Connection Failed The NetDefend firewall fa...

Страница 67: ...the NetDefend Portal will require re entering of the administration ssword log off of the NetDefend Porta Do one of the following If you are connected through HTTP click Logout in the main menu The I...

Страница 68: ......

Страница 69: ...et connection using ing setup tools d is the Internet Wizard For further all Guides you through the Internet connection configuration y step Internet Setup Offers the following advanced setup options...

Страница 70: ...following three types of broadband connection methods onnection PPTP or PPPoE dialer you to configure your NetDefend firewall for Internet and easily through its us Direct LAN C Cable Modem automatic...

Страница 71: ...zard opens with the Welcome page displayed 3 Click Next The Internet Connection Method dialog box appears 4 Select the Internet connection method you want to use for connecting to the Internet Chapter...

Страница 72: ...are to 5 Click Next U No further settings are required for a direct LAN Local Area Network connection sing a Direct LAN Connection The Confirmation screen appears 1 Click Next he system attempts to co...

Страница 73: ...Using the Internet Wizard At the end of the connection process the Connected screen appears 2 Click Finish Chapter 4 Configuring the Internet Connection 57...

Страница 74: ...ess Otherwise you may leave this field blank If your ISP requires the MAC address do either of the following Click This Computer to automatically clone the MAC address of your computer to the NetDefen...

Страница 75: ...creen appears 5 Click Finish Using a PPTP or PPPoE Dialer Connection If you selected the PPTP or PPPoE dialer connection method the DSL Connection Type dialog box appears 1 Select the connection metho...

Страница 76: ...1 the fields using the information in the table below 2 The Confirmation screen appears 4 Click Finish Click Next 3 Click Next The system attempts to connect to the Internet via the DSL connection The...

Страница 77: ...password Type your password again Service Type your service name This field can be left blank Using PPTP If you selected the PPTP connection method the DSL Configuration dialog box appears 1 Complete...

Страница 78: ...nection Fields In this field Do this Connecting screen appears Username Type your user name Password Type your password Confirm password Type your password again Service Type your service name Serve T...

Страница 79: ...to manually configure your Internet connection igure the using Internet Setup 1 Click Network in the main menu and click the Internet tab To conf Internet connection 2 Next to the desired Internet con...

Страница 80: ...ng intend to use c ing steps should be performed in accordance with the connection type nection Type drop down list select the Internet connection ty The display The follow you have chosen hanges acco...

Страница 81: ...Using Internet Setup Using a LAN Connection 1 Complete the fields using the relevant information in Internet Setup Fields on page 77 Chapter 4 Configuring the Internet Connection 65...

Страница 82: ...Click Apply The NetDefen ar displays the Internet status Connecting This may take several seconds Once the connection is made the Status Bar displays the Internet status Connected d firewall attempts...

Страница 83: ...Using Internet Setup Using a Cable Modem Connection 1 Complete the fields using the relevant information in Internet Setup Fields on page 77 Chapter 4 Configuring the Internet Connection 67...

Страница 84: ...Click Apply The NetDefend firewall attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several seconds Once the connection is made the Status...

Страница 85: ...Using Internet Setup Using a PPPoE Connection 1 Complete the e on page 77 fi lds using the relevant information in Internet Setup Fields Chapter 4 Configuring the Internet Connection 69...

Страница 86: ...t and the Status Bar s Connecting This may take several seconds Once the connection is made the Status Bar displays the Internet status Connected Click Apply The NetDefend firewall attempts to connect...

Страница 87: ...Using Internet Setup Using a PPTP Connection 1 Comp the relevant information in Internet Setup Fields lete the fields using page 77 on Chapter 4 Configuring the Internet Connection 71...

Страница 88: ...pending on the check boxes you selected 2 Click Apply The NetDefend firewall attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several second...

Страница 89: ...this Internet re subscribed to Telstra BigPond Internet Telstra BigPond is a trademark of Telstra Corporation Limited Connected Usin tra BPA Use connection type only if you a 1 Complete the fields usi...

Страница 90: ...Click Apply The NetDefend firewall attempts to connect to the Internet and the Status Bar displays the Internet status Connecting This may take several seconds Once the connection is made the Status...

Страница 91: ...tion see Setting Up a Dialup Modem on page 84 To use this connection type you must first set up the dialup modem For 1 Complete the fields using the relevant information in Internet Setup Fields on pa...

Страница 92: ...lick Apply The NetDefend firewall attempts to connect to the Internet and the Status Bar ay take several seconds On ternet status Connected displays the Internet status Connecting This m ce the connec...

Страница 93: ...ce name leave this field empty Server IP If you selected PPTP type the IP address of the PPTP server as given by your ISP If you selected Telstra BPA type the IP address of the Telstra authentication...

Страница 94: ...a Backup or Master see Configuring High Availability on page 119 On outgoing activity Select this option to specify that the dialup modem should only dial a connection if no other connection exists a...

Страница 95: ...d slightly lower than your Internet connection s maximum measured upstream speed in the field provided It is recommended to try different rates in order to determine which one provides the best result...

Страница 96: ...shaping of inbound traffic less accurate than the shaping of outbound traffic It is therefore recommended to enable traffic shaping for incoming traffic onl necessary For information on using Traffic...

Страница 97: ...In the secondary Internet connection this field is enabled only if the DMZ WAN2 port is set to WAN2 High Availability The High Availability area only appears in NetDefend with Power Pack Do not conne...

Страница 98: ...ternet mined that the Internet connection is down and two Internet connections are defined a failover will be performed to the second Internet connection ensuring continuous Internet connectivity This...

Страница 99: ...n the 1 2 and 3 fields If for 45 seconds none of the defined gateways respond the Internet connection is considered to be down Use this option if you have Check Point VPN gateways and you want loss of...

Страница 100: ...imary or secondary Internet connection me ess is unavailable disconnected when not in use For information on setting up a dialup backup Setting Up a Dialup Backup Connection on page 92 To egular or IS...

Страница 101: ...tting Up a Dialup Modem The Ports page appears 3 4 ly 5 Next to the RS232 drop down list click Setup In the RS232 drop down list select Dialup Click App Chapter 4 Configuring the Internet Connection 8...

Страница 102: ...s 9 Configure a Dialup Internet connection using the information in Setup on page 63 able 11 Dialup Fields this field Do this Mode If you selected Custom the Installation String field is enabled Other...

Страница 103: ...ation You can view information on your Internet connection s in terms of status duration and activity To view Internet connection information 1 Click Network in the main menu and click the Internet ta...

Страница 104: ...enabl rmation see Enabling Disabling the In nnection on page 88 number of data packets rece Sent Packets number of data packets sent in the active connection Enabling Disabling the Internet Connection...

Страница 105: ...ick the Internet tab ernet pag 2 Next to the Internet connection do one of the following To enable the The Int e appears connection click The button changes to and the connection is enabled To disable...

Страница 106: ...up Internet Connection ary and a secondary Internet connection The sec ls the NetD ternet page you can establish a quick Intern the same manner you can term currently selected connection type In activ...

Страница 107: ...g Internet Setup on page Important The two c be LAN DHCP connections onnections can be of different types However they cannot both Using the NetDefend firewall s DMZ WAN2 Port To set up a LAN or broad...

Страница 108: ...primary m on page 84 2 g Internet Setup on page 63 Internet connection fails To set up a dialup backup Internet connection 1 Setup a dialup modem For instructions see Setting Up a Dialup Mode Configu...

Страница 109: ...y Using Static Routes Managing Ports nfiguring Network Settings Warning These are advanced settings Do not change them unless it is necessary and you are qualified to do so correct the error you can r...

Страница 110: ...IP address within the DHCP address range If you already have a DHCP server in your instead o HCP server since you cannot have two DHCP servers or relays on the same network segment he Internet or via...

Страница 111: ...er for internal networks Note E network nabling and disabling the DHCP Server is not available for the OfficeMode To enable disable the NetDefend DHCP server menu and click the My Network tab The My N...

Страница 112: ...appears 6 If you enabled the DHCP server your computer obtains an IP address in the DHCP address range 5 Click OK A success message appears If your computer is configured to obtain its IP address aut...

Страница 113: ...eserved for statically addressed computers If desired you can set the NetDefend DHCP range manually Note Setting the DHCP range manually is not available for the OfficeMode network To configure the DH...

Страница 114: ...tomatic DHCP range check box 5 Click Apply A warning message appears 6 Click OK A success message appears 7 If your computer is configured to obtain its IP address automatically using DHCP and either...

Страница 115: ...ind a NAT device Note Configuring DHCP options are not available for the OfficeMode network CP relay 1 nu and click the My Network tab rk page appears 2 click Edit 3 elect Relay To configure DH Click...

Страница 116: ...DHCP server 5 6 7 puter is configured to obtain its IP address automatically using DHCP ther DHCP server is enabled restart your computer Click Apply A warning message appears Click OK A success mess...

Страница 117: ...servers VoIP call managers TFTP server and boot filename Note Configuring DHCP options are not available for the DMZ or VLANs To configure DHCP options 1 Click Network in the main menu and click the...

Страница 118: ...Configuring Network Settings The DHCP Server Options page appears 4 levant information in the table below Complete the fields using the re 102 D Link NetDefend firewall User Guide...

Страница 119: ...tains an IP a e 13 DHCP Server Options Field is field Do this Domai resolving of non fully qualified names For example if the domain suffix n Name Type a default domain suffix that should be passed to...

Страница 120: ...gateway to act as a DNS relay server and pass its own IP address to DHCP clients Normally it is recommended to leave this option selected The DNS Server 1 and DNS Server 2 fields appear NS Server 1 2...

Страница 121: ...hese tas e existing network and don you are using a DHCP server other than the NetDefend firewall that assigns addresse To chang I 1 Click The M 2 In the LAN network s row click Edit The Edit Network...

Страница 122: ...estart your computer herwise manually reconfigure your computer to use the new on configuring 192 168 100 1 192 168 100 254 The default internal network range is 192 168 10 A warning message appears 6...

Страница 123: ...is enabled b must obtain a range of Internet IP addresses y default Note Static N T can be used together le disable H 1 Click Network in ork tab page appears 2 In the desired network s row click Edit...

Страница 124: ...es controlling traffic to and from the Z see Default S figure a DMZ network 1 Connect the DMZ computer to the DMZ port If you have more a hub or switch to the DMZ port and connect the DMZ computers to...

Страница 125: ...HCP server See Configuring a DHCP Server on page 94 e IP Address field type the IP address of the DMZ network s default y The My Network page appears 6 In the DMZ network s row click Edit Mode 8 If de...

Страница 126: ...hrough the VPN link Some networking protocols or resources may require the client s IP address to be an internal one eMode solves these problems by enabling the NetDefend DHCP Server to atically ass n...

Страница 127: ...raffic fir AN and other networks passes through the fi LAN to any other internal network including ot de ce network congestion For e nt VLA less of their physical location The members of a division wi...

Страница 128: ...gned an identifying number called a VLAN ID also referred to as a VLAN tag All outgoing traffic from a tag based VLAN contains the VLAN s tag in the packet headers Incoming traffic to the VLAN must co...

Страница 129: ...port to a separate VLAN Figure 11 Port based VLAN capable switch and is therefore simpler to use than tag based VLAN However port based VLAN is limited because the appliance s internal switch has onl...

Страница 130: ...N site click Add VLAN To edit a VLAN site click Edit in the desired VLAN s row The Edit Network Settings page for VLAN networks appears add or edit a port based VLAN Click Network in the main m 3 In N...

Страница 131: ...e Enabling Disabling Hide NAT on page 107 8 If desired configure a DHCP server See Configuring a DHCP Server on page 94 9 Click Apply A warning message appears ears 11 Click Ports tab Ports rk s name...

Страница 132: ...name for the VLAN 4 In the Type drop down list select Tag Based VLAN The VLAN Tag field appears 5 In the VLAN Tag field type a tag for the VLAN 6 This must be an integer between 1 and 4095 In the IP...

Страница 133: ...aware switch s VLAN trunk port Click Apply 11 Click OK A success message appears Click Network in the main menu and click the Ports tab The Ports page appears 13 In the DM Click Apply The DMZ WAN2 po...

Страница 134: ...Apply 2 Click Network in menu and click the My Network tab ork desired VLAN s row click the Erase a Click T in the main menu and click the Ports tab e appears ents to the VLAN by selecting other netw...

Страница 135: ...tifying the other gateways in the clu s priority is now the highest it becomes the Active Gateway The NetDefend firewall supports Internet connection tracking which means that each firewall tracks its...

Страница 136: ...work segment To this end each cluster must be assigned a unique ID number AN HA and it is useful in g an IP address conflict rk ust be met When HA is configured you can specify that only the Active Ga...

Страница 137: ...terface need not be dedicated for synchronization only It may be shared with an active internal network You can configure HA for any internal network except the OfficeMode network You must have at lea...

Страница 138: ...to include in the HA cluster To configure HA on a NetDefend firewall 1 Set the appliance s internal IP addresses and network range Each appliance must have a different internal IP address See Changin...

Страница 139: ...al IP field type the default gateway IP address and must be the same for all 6 Click the Synchronization radio button next to the network you want to use as the synchronization interface You can choos...

Страница 140: ...nternet Setup on page 63 Table 14 High Availability Page Fields In this field Do this may become active causing unpredictable problems 7 Complete the fields using the information the tabl Click Apply...

Страница 141: ...nnection on page 90 Configuring a LAN1 2 3 4 Type th Ethernet li e a ateway s priority if the LAN port s nk is DMZ Type the amount to reduce the gateway s priority if the DMZ WAN2 port s Ethernet link...

Страница 142: ...work Subnet Mask 255 255 255 0 255 255 255 0 et Connections Primar The gateways have two internal networks in common LAN and DMZ This means that you can configure HA for the LAN network the DMZ networ...

Страница 143: ...work computers of Gateways A and B to hub 1 Connect the DMZ network computers of Gateways A and B to hub 2 the following on Gateway A Set the gateway s internal IP addresses and network range to the v...

Страница 144: ...ck the Synchronization radio button next to DMZ i In the My Priority field type 60 The low priority means that Gateway B will be the Passive Gateway j In the Internet Primary field type 20 Gateway B w...

Страница 145: ...nal IP address and not the Internet IP address to which the internal IP address is mapped For further information see Using Rules on page 209 twork object You can configure the following settings for...

Страница 146: ...re HotSpot on page 256 ng and E g Network Objects Assign the network object s IP addre Normally the NetDefend DHCP server cons address to a different computer If you want to guarantee that a particula...

Страница 147: ...ork Objects page appears with a list of network objects 2 Do one of the following network object click New To add a To edit an existing network object click Edit next to the desired computer in the li...

Страница 148: ...k Obje Type dialog box displayed ct Do one of the following 3 r or 4 To specify that the network object should represent a single compute device click Single Computer To specify that the network objec...

Страница 149: ...e dialog box includes the Perform St x appears If you chose Single Computer atic NAT option If you chose Network the dialog box does not include this option 5 Comp 6 Click lete the fields using the in...

Страница 150: ...g box appears 7 Type a name for the network object in the field 8 Click Finish rts in the main menu and click the Active Computers tab To add or edit a network object via the Active Computers page 1 C...

Страница 151: ...ars next to it 2 Do one of the following To add a network object click Add next to the desired computer To edit a network object click Edit next to the desired computer The NetDefend Network Object Wi...

Страница 152: ...dialog box appears with the network object s name If you are adding a new network object this name is the computer s name 7 To change the network object name type the desired name in the field 8 Click...

Страница 153: ...ering see Configuring a Wireless Network on page 161 MAC Address Type the MAC address you want to assign to the network object s IP address or click This Computer to specify your computer s MAC Perfo...

Страница 154: ...sses of the same size You must then fill in the External IP Range field Type the Internet IP address range to which you want to map the network s IP address range Select this enforcement Viewing and j...

Страница 155: ...m the Accounting department should be sent via WAN1 and another static route specifying that traffic originating from the Marketing department should be sent via default and indicates whether each rou...

Страница 156: ...page appears with a list of existing static routes 2 Do one of the following To add a static route click New Route To edit an existing st list atic route click Edit next to the desired route in the 14...

Страница 157: ...ce and Destination dialog box 3 To select a specific source network source routing do the following rce drop down list select Specified Network a In the Sou New fields appear he Network field type the...

Страница 158: ...c destination network do the following a In the Destination drop down list select Specified Network New fields appear b In the Network field type the IP address of the destination network c In the Net...

Страница 159: ...f the gateway next hop router to ou 7 In the Metric The gateway destination and has the lowest metric The default v 8 Click Next which to r te the packets destined for this network field type the stat...

Страница 160: ...elete a static route The Static Routes page appears with a list of existing static routes 2 In the desired not be deleted 1 Click Network in the main menu and click the Routes tab route row click the...

Страница 161: ...n its ports to different uses as shown in the table below Furthermore you can restrict each port Table 18 Ports and Assignments You can assign this port To these uses to a specific link speed and dupl...

Страница 162: ...state This is useful if you need to the To view port statuses 1 Click Network in the main menu and click the Ports tab The Ports page appears check whether the appliance s physical connections are wo...

Страница 163: ...drop down list displays DMZ Link Config Full Duplex duplex or Automatic Detection indicates that th detect the link speed and duple Status The detected link speed and duplex No Link indicates that th...

Страница 164: ...page 388 Setting Up a Dialup Modem on page 84 To modify a port as 1 Click Networ n The Ports page In the Assign sired port assignment 2 Click Apply The port is re signment k i the main menu and click...

Страница 165: ...uplex This is the d 3 Click Apply rt use Defend automatically detects the link speed and anually restrict the NetDefend firewall s ports to t s link configuration k in the main menu and click the Port...

Страница 166: ...to etwor he Ports pa 2 Click Default A confirmati 3 Click OK The ports are rese link configuration All currently ault settings may be broken For example if you were using the DMZ WAN2 port as WAN2 th...

Страница 167: ...s are assigned weights of 30 and 10 respectively If the lines are congested Traffic Shaper will maintain the ratio of bandwidth allocated to Web traffic and FTP traffic at 3 1 If a specific class is n...

Страница 168: ...ing weight bandwidth limits and i eters DiffServ marks packets as belonging to a certain Quality of Service class These packets are t class Availa the bandwidth Each c bandwidth lim c nnections belong...

Страница 169: ...the Traffic Sh Inte packets und traffic less accurate than the shaping of outbound traffic It is therefore recommended to enable traffic shaping for incomin 2 If you are us that reflect your communica...

Страница 170: ...ffic Shaper automatically assigns Predefined the connection type to the predefined Default class QoS Classes Traffic Shaper provides the following predefined QoS classes Using Rules 209 Table 21 Prede...

Страница 171: ...ng delays For example SMTP traffic outgoing email ow Priority 5 Low Traffic that i Adding and Editing Classes In Simplified Traffic Shaper these classes cannot be changed To in menu and click the Traf...

Страница 172: ...y of Service Parameters dialog box displayed 3 le below 4 Click Th Complete the fields using the relevant information in the tab Next e Step 2 of 3 Advanced Options dialog box appears lete the fields...

Страница 173: ...It is therefore recommended to enable traffic shaping for incoming traffic only if necessary For information on enabling Traffic Shaper for incoming and outgoing traffic see Using Internet Setup on p...

Страница 174: ...re quick user response such as telnet th a lower latency That is Traffic Shaper attempts to send packets with a High Interactive Traffic level before packets with a Medium Normal Traffic or Low Bulk O...

Страница 175: ...DiffServ You ain the correct DSCP value from your ISP or private WAN e oint Select this option to mark packets belonging to this class DSCP in the field provided to their DSCP can obt administrator D...

Страница 176: ...s to use the Default class If one of the addi Note This will delete any additional classes you defined in Traffic tional classes is currently used by a rule you or not by viewing the page 1 haper tab...

Страница 177: ...MZ networks you can define a wireles twork called a WLAN wireless LAN network when using the DF ormation on default security p WLAN see Default Security Policy on You can configure a WLAN network in e...

Страница 178: ...is tigh egrated with the firewall and hardware accelerated VPN The DFL CPG310 supports the latest 802 11g standard up to 54Mbps and backwards compatible with the older 802 11b standard up to 11Mbps s...

Страница 179: ...ts attempting to connect to the access point authenticator must first be authenticated by a RADIUS server authentication server which supports 802 1x All messages are passed in EAP Extensible Authenti...

Страница 180: ...ntication encryption The WPA PSK security method is a variation of WPA that does not require an authentication server WPA PSK periodically changes and authenticates encryption keys This is called reke...

Страница 181: ...r information see p Your NetDefend firewall as a T Prepare the appliance for a wireless connection as described in Network Installation on page 35 ecurity mode for the WLAN configure a RADIUS server F...

Страница 182: ...In he The fields are enabled 6 If desired enable or disable Hide NAT See Enabling Disabling Hide NAT on page 107 7 If desired configure a DHCP server See Configuring a DHCP Server on page 94 t Mode dr...

Страница 183: ...the Advanced WLAN Settings Fields on page 172 New fields appear page 168 9 To configure advanced settings click Show Advanced Settings fields using the information in 10 A s telling you that you are...

Страница 184: ...s Settings Network Name Type the network name SSID that identifies your wireless network This ibl tions passing near your access point unless you enable the Hide the Network Name SSID option It can be...

Страница 185: ...ly 802 11g Super stations will be able to connect 802 11g Super 11 54 108 Operates in the 2 4 GHz range and offers a maximum theoretical rate of 108 Mbps When using this mode 802 11b stations 802 11g...

Страница 186: ...ha Alte Secu or information on the supported security protocols see Wireless Security Protocols on page 163 If you select WEP encryption the WEP Keys area opens If you select WPA the Require WPA2 802...

Страница 187: ...he key need not be selected as the transmit key on the a K lengt 0 characters y length is 26 characters 152 Bits The key length is 32 characters Note Some wireless card vendors call these lengths 40 1...

Страница 188: ...e your network s SSID by selecting one of the following Yes Hide the SSID Only devices to which your SSID is known can connect to your network No Do not hide the SSID Any device within range can detec...

Страница 189: ...ot nded to rely n this setting alone for security Address ng Specify w of the follo Yes Enable MAC address filtering Only MAC ad o o recomme Wireless Transmitter Transmission Rate Select the transmiss...

Страница 190: ...hem antenna diversity s security appliance has two antennas Specify which antenna to use fo antennas and automatically selects the antenn distortion signal to use for communicating The made on a per s...

Страница 191: ...a value equal to the fragm RTS E M mode is disabled Enabled XR mode is enabled XR will be automatically nabled wireless stations and used as For more information on XR mode see About the Wireless Hard...

Страница 192: ...appliance for a wireless connection as described in Network Installation on page 35 2 Click Network in the main menu and click the My Network tab The My Network page appears 3 In the WLAN network s ro...

Страница 193: ...1i Click WEP to use the WEP security mode ns must use a pre shared key to connect to your re and is supported mainly for t support other the following WPA PSK periodically changes a recommended securi...

Страница 194: ...ng a WLAN on page 165 10 Click Next K If you chose WPA PSK the Wireless Configuration WPA PSK dialog box appears iguring these m WPA PS Do the follow 1 In the text cessing the network or click Random...

Страница 195: ...izard The Wireless Security Confirmation dialog box appears 3 Click Next 4 The Wireless Security Complete dialog box appears 5 Click Finish The wizard closes 6 Prepare the wireless stations Chapter 7...

Страница 196: ...xadecimal characters 152 Bits The key length is 32 hexadecimal characters Some wireless card vendors call these lengths 40 104 128 respectively Note that WEP is generally considered to be insecure reg...

Страница 197: ...eless Security No T less Security Co Complete dialog box appears 5 Click Finish The wizard closes 6 Prepare the wireless stations See Preparing the Wireless Stations on page 182 Security he Wireless S...

Страница 198: ...the wireless stations administrator The wireless connect them to the WLAN Refer to the wireless cards documentation for details Note Some wireless cards have Infrastructure and Ad ho are also called...

Страница 199: ...n t Automatic see Manually Config Relocate the NetDefend firewall to a place with better reception and avoid obstru mounting the appliance in a high place with a direct line of sight to the wirele C c...

Страница 200: ...s between wireless stations What should I do If you have many concurrently active wireless stations there may be collisions between them Such collisions may be the result of a hidden node problem not...

Страница 201: ...TS Threshold value equal to the Fragmentation Threshold va effectively disables RTS m not getting the full speed W lue a hat should I do The actual s with d Read er speed nabled in the ess point For a...

Страница 202: ......

Страница 203: ...rack network activity using the Event Log The Event Log displays the most recent events and color codes them able 26 Event Log Color Coding n event marked in is color Indicates T A th Blue Changes in...

Страница 204: ...lock icon in the This information is useful for troubleshooting You can export the logs to an xls Microsoft technical support certain types of connections should be er the connections are incoming or...

Страница 205: ...f the attacking The NetDefend firewall queries the Internet WHOIS server and a window displays the name of the entity to whom the IP address is registered and their contact information This informatio...

Страница 206: ...se to a destination directory of your choice r the configuration file and click Save tory 5 nts a Click Clear A confirmation message appears b Click OK All events are cleared d Type a name fo The xls...

Страница 207: ...the procedure Configuring Traffic Monitor Settings on page 193 In network traffic reports the traffic is color coded as described in the table below In the All QoS Classes report the traffic is color...

Страница 208: ...per see Using Internet Setup on page 63 The selecte 3 To refresh all traffic reports click Refresh 4 To clear all traffic reports click Clear The list in ludes all cu Cho inf QoS Classes to display a...

Страница 209: ...the NetDefend firewall should colle network traffic reports 1 Cl rts in the main menu and click the Traffic Monitor ta Monitor page appears gs Monitor Settings page appears 3 In the Sample monitoring...

Страница 210: ...file and view the file in Microsoft Excel c report rts in the main m 2 Click Ex A stan 3 Click Save File Download dialog box appears The Save s dialog box appears destination directory of your choice...

Страница 211: ...reless station has been blocked from accessing the Internet through the NetDefend firewall the reason why it was blocked is shown in red If you are exceeding the maximum number of computers allowed by...

Страница 212: ...number of computers allowed by your license you can upgrade your product For further information see Upgrading Your Software ct for bject ing and editing network objects see g Network Objects on page...

Страница 213: ...he Active Connections tab The Active Connections page appears The page displays the information in the table below 2 To refresh the display click Refresh 3 To view information on the destination machi...

Страница 214: ...s The destination IP address Destination Port he destination port Q O T oS Class The QoS class to which the connection belongs ptions An icon indicating further details The connection is encrypted The...

Страница 215: ...Statistics his field Displays Wireless Mode The operation mode used by the WLAN followed by the transmission rate in Mbps MAC Address ce Domain s point s region Cou untry configured for the WLAN Cha...

Страница 216: ...umber of unicast frames transmitted and received Broadcast Frames The number of broadcast frames transmitted and received Multicast Frames The number of multicast frames transmitted and received To vi...

Страница 217: ...M Fr W nt s operation mode indicating the client s maximum speed are B G and 108G rmation see Basic WLAN Settings Fields on page 168 X s client supports Extended Range XR mode Possible values are rame...

Страница 218: ...Statistics This field Displays Cipher The security protocol used for the connection with the wireless client For more information see Wireless Security Protocols on page 163 202 D Link NetDefend fire...

Страница 219: ...HotS 256 ining an Exposed Host 261 D The default security policy includes the following rules Setting Your Security Policy This chapter escribes ho You Filtering an ce your security policy by subscrib...

Страница 220: ...ernal networks except the WLAN The W AN can only access tal using HTTPS unless a specific user defined rule g erver function see Using Network Printers on page lowed Access from the WAN t These rules...

Страница 221: ...level nbound traffic is blocked to the Internet ows file sharing NBT ports 137 High Enforces strict control on ming and outgoing All inbound traffic is blocked IMAP POP3 SMTP ftp newsgroups Telnet DN...

Страница 222: ...resent the security policy Security updates downloaded from a policy and change these definitions vel ain menu and click the Firewall tab To change the firewall security le 1 Click Security in the m T...

Страница 223: ...ur own Web ser FTP server Note C fi imple Allow and Forward rules for comm s t to creating Allow and Forward rules in the pa a serv 1 Click Security in the main menu and click the Servers tab The Serv...

Страница 224: ...IP address of the computer that will run the service one of your network computers or click the corresponding This C allow your computer to host the service To stop the for 1 Click Secur rvers tab Th...

Страница 225: ...olicy rules the accounting department will be able to connect to all company computers while the rest of the employees will not be able to access any sensitive information on the accounting department...

Страница 226: ...pecific IP address you can move the rule down in the the desired IP Rules ress and m than the first rule In the f exception is rule num igure below the general rule is rule number 2 and the ber 1 The...

Страница 227: ...f your network uses Hide NAT Note You ca es that forward the same service low and orward This rule type enables you to do the following Permit incoming access from the Internet to a specific service i...

Страница 228: ...g Web traffic as specified in the bandwidth policy for the Urgent class For information on Traffic Shaper and QoS classes see Using Traffic Shaper on page 151 Note You cannot use an Allow rule to perm...

Страница 229: ...ck Security s tab The Rules p e a rule in the main menu and click the Rule ag appears 2 Do one of the following To add a new rule click Add Rule To edit an existing rule click the Ed it icon next to t...

Страница 230: ...Type dialog box wizard o 3 Select the type of r ate 4 Click Next w rule ule you want to cre The p 2 Service dialog box appears The example below shows an Allo Ste 5 Complete the fields using the relev...

Страница 231: ...ion Source dialog box appears 7 Complete the fields using the relevant information in the table below he Step 4 T Done dialog box appears 8 Click Finish The new rule appears in the Firewall Rules page...

Страница 232: ...ule should apply Ports To specify the port range to which the rule applies type the start port number in the left text box and the end port numb r in the right text box ou do not enter a port range th...

Страница 233: ...of class o assign the specified connections QoS class If Traffic Shaper r information on Traffic Shaper and fic Shaper on page 151 rule Log accepted connections Log blocked onnections By default acce...

Страница 234: ...en defining an Allow and Forward rule Enabling Disabling Rules You can temporarily disable a user defined rule To enable disable a rule 1 Click Security in the main menu and click the Rules tab The Ru...

Страница 235: ...the rule up in the table Click next to the desired rule to move the rule down in the table The rule s priority chang Deleting Rules es accordingly To delete an existing rule 1 Click Security in the ma...

Страница 236: ...aring operations and File Transfer Protocol FTP uploading among others firewall includes Check Point SmartDefense Services based on pplication Intelligence SmartDefense provides a combination of ds an...

Страница 237: ...he settings it contains appear as nodes For information on each category and the nodes it contains see SmartDefense Categories on page 224 Each node represents an attack type a sanity check or a proto...

Страница 238: ...Security in the main m The Smart efense pag The left pane displays a tree containing SmartDefense categories To expand a category click the icon next to it To collapse a category click the icon next t...

Страница 239: ...e following a Complete the fields using the relevant information in SmartDefense Categories on page 224 b Click Apply 4 To reset the node to its default values a Click Default A confirmation message a...

Страница 240: ...tDefense includes the following IP and ICMP on page 229 e 39 n age 242 FTP on page 245 Microsoft Networks on page 249 IGMP on page 251 Denial of Service nial of Service DoS attacks are aimed at overwh...

Страница 241: ...n to take when a Teardrop atta of the following Track Specify whether to log Teardrop attacks by selecting one of the following Log Log the attack This is the default None Do not log the attack Ping o...

Страница 242: ...ttack This is the default None No action Track Specify whether to log Ping of Death attacks by selecting one of the following Log Log the attack This is the default None Do not log the attack LAND In...

Страница 243: ...by selecti Log Log the attack This is the default None Do not log the attack Non TCP Flooding Advanced firewal table In non TCP Flooding attacks the attacker sends high volumes of non TCP traffic Sinc...

Страница 244: ...shold e following any additional non TCP connections None No action This is the default for non TCP connecti Select one of th Block Block Track Specif Non TCP Traffic y selecting one of the following...

Страница 245: ...UDP and TCP header lengths dropping IP options and the TCP flags You can conf This category configure various protections against IP following and ICMP related attacks It includes the page 231 on page...

Страница 246: ...of the following True Disable relaxed UDP length verification The NetDefend firewall will drop packets that fail the UDP length verification check False Do not disable relaxed UDP length verification...

Страница 247: ...ttacks by limiting the allowed size for ICMP echo requests Table 40 Max Ping Size Fields In this field Do this Action Max Specify what action to take when an ICMP echo response exceeds the Ping Size t...

Страница 248: ...ttack common behavior and break the data section of a single packet into several fragmented packets Without reassembling the fragments it is not always possible to detect such an attack Therefore the...

Страница 249: ...Number of Incomplete Packets Type the maximum number of fragmented packets allowed Packets exceeding this threshold will be dropped The default value is 300 Timeout for Discarding Incomplete Packets W...

Страница 250: ...ota Fields In this field Do this Action Specify what action to take when the number of network connections ond per Source IP Block Block all new connections from the source Existing None No action fro...

Страница 251: ...a The default value is 100 Note Setting thi searching for other live computers to It does so by sending a specific ping packet to a target and waiting for the nals that the target is alive This flood...

Страница 252: ...e of the lowing None Do not log the attack Spe fol Log Log the attack This is the default C ersion 4 IP isco IOS device is sent a specially crafted sequence of IPv4 packets with protocol type 53 SWIPE...

Страница 253: ...of the following Block Block the attack This is the default None No action T N be protected rack Specify whether to log Cisco IOS DOS attacks by selecting one of the following Log Log the attack This...

Страница 254: ...et of the s Block Drop default yload Some worms such as Sasser use ICMP echo request packets with null payload to detect potentially vuln r You can configure how null payload ping packets should be ha...

Страница 255: ...41 Strict TCP Out of state TCP packets are SYN ACK or data packets that arrive out of order before the TCP SYN packet ry allows you to configure various protections related to t includes the following...

Страница 256: ...of the following n Specify what action to take when an out of state TCP packet arrives by Block Block the packets None No action This is the default Track Specify whether to log null payload ping pack...

Страница 257: ...e server against this attack by specify Table 47 Small PMTU Fields In this field Do this Action Specify what action to take when a packet is smaller tha Size threshold by selecting one of the followin...

Страница 258: ...an attack This is most commonly done by attempting to access a port nse indicates whether or not the port is open pes of port scans Host Port Scan The attacker scans a specific host s ports to determi...

Страница 259: ...a period of seconds value in order for SmartDefense to consider the activity a scan Type the minimum number of ports that must be accessed within the In a period of seconds period in order for SmartDe...

Страница 260: ...ort scan For example if this value is 20 and the Number of ports accessed threshold is exceeded for 15 seconds SmartDefens will detect the activity as a port ot detect the activity as a port scan e sc...

Страница 261: ...unce When connecting to an FTP server the client sends a PORT command specifying the IP address and port to which the FTP server should connect and send data An FTP Bounce attack is when an attacker s...

Страница 262: ...y selecting one of the Log Log the attack This is the default e attacks b following None Do not log the attack Block Known Port an choos ports s You c e to block the FTP server from connecting to well...

Страница 263: ...connection None No action This is the default Block Port Overflow FTP clients send PORT commands when connecting to the FTP sever A PORT f numbers between 0 and 255 separated by To enforce compliance...

Страница 264: ...ction Blocked FTP Command So ty and int u through the s me seldom used FTP commands may compromise FTP server securi egrity Yo can specify which FTP commands should be allowed to pass security rver an...

Страница 265: ...ommands box select the desired FTP command 2 Click Accept The FTP command appears in the Allowed commands box 3 Click Apply The FTP command will be allowed regardless of whether FTP command blocking i...

Страница 266: ...o take when a CIFS worm attack is detected b Track Specif worm attacks by selecting one of the followi Log o attack No D g the attack This is the default CIFS worm patterns list Select the worm patter...

Страница 267: ...y includes ftware hardware used by sending specially crafted IGMP attacks should be handled Table 53 IGMP Fields In this field Do this Action one Specif of Block Block the attack This is the default N...

Страница 268: ...o non multicast None No action h packets MP pa y whether to allow or block IG Block Block IGMP packets tha addresses This is the default Peer to Peer SmartDefense can block peer to peer traffic by ide...

Страница 269: ...Track Specify whether to log peer to peer connections by selecting one of the following Log Log the connection None Do not log the connection This is the default Bl pr proprietary protocols should be...

Страница 270: ...headers This category includes the following nodes Skype Yahoo ICQ tant Messengers Note SmartDefense can detect instant messaging traffic regardless of the TCP port being used to initiate the session...

Страница 271: ...selecting one of the following Log Log the connection None Do not log the connection This is the default Block proprietary protocols on all ports Specify whether proprietary protocols should be block...

Страница 272: ...e My HotSpot page Note HotSpot users are automatically logged out after one hour of inactivity Secure HotSpot is useful in any wired or wireless environment where Web based user authentication or term...

Страница 273: ...twork segment traffic that does not pass rough p S th the firewall Setting U ecure HotSpot To set up Sec 1 En ure able Secure HotSpot for the desired networks e Enabling 258 ize Secure HotSpot as desi...

Страница 274: ...Spot tab The My HotSpot page appears e HotSpot 2 In the HotSpot Networks area do one of the following To enable Secure HotSpot for a specific network select the check box next to the network To disabl...

Страница 275: ...in menu and click the My HotSpot tab The My HotSpot page appears g the information in the table below 2 Complete the fields usin Additional fields may appear 3 To preview the My HotSpot page click Pre...

Страница 276: ...pr accept the terms of use before accessing the network The Allow a user to login from more than one computer at the same time check box Allow a user to login from more than one computer at the same...

Страница 277: ...posed host computer The exposed host receives all traffic that was not forwarded to another computer by use of Allow and Forward rules Warning Entering an IP address may make the designated computer v...

Страница 278: ...the exposed host 3 Click Apply The selected computer is now defined as an exposed host The Exposed Host page appears 2 Click 3 Cl the Exposed Host field type the IP address of To clear the exposed hos...

Страница 279: ...us stores only minimal state information per connection it can scan thousands of connections rms When VStream Antivirus detects malicious content the action it takes depends on the protocol in which t...

Страница 280: ...SMTP Rejects the virus infected email with error code 554 Sends a Virus detected message to the sender The standard TCP port 25 FTP Terminates the data connection Sends a Virus detected message to th...

Страница 281: ...f Email Antivirus is specific to email scanning incoming POP3 and orts POP3 information on not defined Enabling Disabling VStream Antivirus Email Antivirus is centralized redirecting traffic through t...

Страница 282: ...daily database and a main database The daily Periodically the contents of the daily da ain database leaving the database a You can v ases currently in use database is updated frequently with the newes...

Страница 283: ...ng VStream Antivirus You can configure VStream Antivirus in the following ways Configuring the VStream Antivirus Policy on page 267 Configuring VStream Advanced Settings on page 275 Configuring the VS...

Страница 284: ...gher loc irus Policy table than the first rule In the figure below the general rule er 2 and the exception is rule number 1 etDefend firewa The N ll will process rule 1 first passing outgoing SMTP tra...

Страница 285: ...f a virus is found it is blocked and logged Adding and Editing Rules To add or edit a rule 1 Click Antivirus in the main menu and click the Policy tab The Antivirus Policy page appears 2 Do one of the...

Страница 286: ...p 1 Rule Type dialog box displayed 3 Select the type of rule you want to create 4 Click Next The Step 2 Service dialog box appears The example below shows a Scan rule 5 Complete the fields using the r...

Страница 287: ...p 3 Destination Source dialog box appears 7 Complete the fields using the relevant information in the table below The Step 4 Done dialog box appears 8 Click Finish The new rule appears in the Firewall...

Страница 288: ...select Specified IP and type the desired IP address in the filed provided To specify an IP address range select Specified Range and type the desired IP address range in the fields provided Click this...

Страница 289: ...tal and network printers select This Gateway This option is not a Data Direction Select the direction of connections to which the rule should apply Download and Upload data The rule applies to downloa...

Страница 290: ...ntivirus Policy page appears Click Antivirus in the main 2 Do one of the following Click next to the desired rule to move the rule up in the table Click next to the desired rule to move the rule down...

Страница 291: ...tivirus ad Click Antivirus in the main menu and click the Advanced tab The Advanced Antivirus Settings page appears 2 Complete the fields using the table below 3 Click Apply 4 To restore the default V...

Страница 292: ...es in email messages Select this option to block all emails containing potentially unsafe attachments Unsafe file types are DOS Windows executables libraries and drivers Compiled HTML Help files VBScr...

Страница 293: ...scanned and the rest of the file is skipped efault Selecting this option reduces the load on the gateway by skipping safe file types This option is selected by d St Maximum nesting level Type the maxi...

Страница 294: ...g Pass file without scanning Scan only the number of compressible files and skip scanning archives that cannot be extracted because they are corrupt This is the default Block file Block the file When...

Страница 295: ...y up to date with no need for user intervention However you can still check for updates manually if needed To update the VStream Antivirus virus signature database 1 Click Antivirus in the main menu a...

Страница 296: ......

Страница 297: ...ervice Center in your area This ch Co ect 281 s Information 287 r Service Center Connection 288 C D 289 W 290 A 294 Connecting to a Service Center apter includes the following topics ing to a Service...

Страница 298: ...Connecting to a Service Center The Account page appears 2 In the Service Account area click Connect 282 D Link NetDefend firewall User Guide...

Страница 299: ...IP and then in the Specified ter s IP address as given to you by ste rator 5 Click Connect Make sure the Connect to a different Service Center check box is selected Do one of the following To connect...

Страница 300: ...ogin box appears Enter your gateway ID and registration key in the appropriate fields as given to you by The Conne The Confir log box appears with a list of services to which you are subscribed your s...

Страница 301: ...n The ish following n If a new fi downloadi l minutes Once the download is plete the NetDef The Welcome page appears things happe rmware is available the NetDefend firewall may start ng it This may ta...

Страница 302: ...ed are now available on your nd listed as such on the Account page See Viewing on page 287 for further information NetDefend firewall a Services Information The Services submenu includes the services...

Страница 303: ...Gateway ID Your gateway ID Subscription will end on The date on which your subscription to services will end Service The services available in your service plan Subscription The status of your subscri...

Страница 304: ...nd firewall s connection to the Service Center and ref To refresh your Service Center connection 1 t page appears 2 In the Service Account area click Refresh The NetDefend firewall reconnects to the S...

Страница 305: ...ur Service Center from your Service Center If desired you can disconnect To 1 Click Se enu and click the Account tab 2 In the Service Account area click Connect The NetDefend Services Wizard opens wit...

Страница 306: ...eb Filtering pop up window ice is enabled access to Web content is restricted ing to the catego able to view Web pages with no re Note Web Filtering is only available if you are connected to a Service...

Страница 307: ...ed with an define which types of Web sites should be considered appropriate fo r office members by selecting the categories Categorie will r hile categories marked with emain visible w will be blocked...

Страница 308: ...ltering If To temporarily disable Web Filtering 1 Click Services in the main menu and click the Web Filtering tab The Web Filtering page appears 2 Click Snooze Web Filtering is temporarily disabled fo...

Страница 309: ...pens 3 he We page rnal network computers g page the button changes to Snooze To re enable the service click Resume either in the popup window or on t b Filtering The service is re enabled for all inte...

Страница 310: ...e if you are connected to a Service Center bscribed to this service Chec anaged king for Software Updates when Remotely M If your NetDefend firewall is remotely managed it automatically checks for sof...

Страница 311: ...s when Locally Managed If your NetDefend firewall is locally managed you can set it to automatically check for software updates or you can set it so that software updates must be checked for manually...

Страница 312: ...s its schedule Note Wh can still manually check fo 3 To set the NetDefend firewall so that software updates must be checked for manually dra The NetDefen ly 4 To manually che The system checks for new...

Страница 313: ...le they can securely read email use the company s intranet or access the company s database from home The are four types of VPN sites Remote Access VPN Server Makes a network remotely available to aut...

Страница 314: ...emote software Gateway network VPN must include at least one Remote Access V Server or gate type of VPN you want to y The type of VPN sites you include in a VPN depends on th create Site to Site or Re...

Страница 315: ...Overview networks function as a single network You can use this type of VPN to mesh office branches into one corporate network Figure 12 Site to Site VPN Chapter 12 Working With VPNs 299...

Страница 316: ...wing ite to Site VPN Gateway or create a unnel to the first VPN site using the procedure Adding and page 308 b Then enable the Remote Access VPN Server using the procedure emote Access VPN b Enable th...

Страница 317: ...fice network remotely available to authorized users su o the office Remote Access VPN PN Clients ote Access VPN Server or Site to S ore Remote Access VPN Clients You can use this ch as employees worki...

Страница 318: ...etwork Inter al security threats cause outages downtime and lost revenue Wired e internal network on page 308 See Setting Up Your NetDefend firewall as a Remote Acce page 303 You can use your NetDefen...

Страница 319: ...less network may pose a significant security risk For information on setting up your NetDefend firewall as an internal VPN Server 03 Setting Up Your NetDefend firewall as a VPN Server see Setting Up Y...

Страница 320: ...te VPN Access for Users on page 367 To accept remote access connections from the Internet See Configuring the Rem To accept connection See Configuring the Internal VPN Serv 2 If you configured the int...

Страница 321: ...ote Access VPN Server To er 1 tab page appears configure the Remote Access VPN Serv Click VPN in the main menu and click the VPN Server The SecuRemote VPN Server 2 Select the llow SecuRemote users to...

Страница 322: ...Bypass the 5 Click Apply Configuring the Internal VPN Server connecting to your internal network select the Bypass and access your internal network without restriction select the firewall check box T...

Страница 323: ...ecified connection types Ins To allow authenticated users co firewall and access your internal network without restricti the firewall check box Bypass NAT is always enable disabled Click Apply The int...

Страница 324: ...uRemote PN Client icon in the taskbar select Settings and then click Help Adding and Editing VPN Sites the main m link The VP 3 Follow the online instructions cuRemote for NetDefend page o SecuRemote...

Страница 325: ...ng VPN Sites The VPN Sites page appears with a list of VPN sites 2 VPN site click New Site Do one of the following To add a To edit a VPN site click Edit in the desired VPN site s row Chapter 12 Worki...

Страница 326: ...isplayed 3 Do one of the following Select Remote Access VPN to establish remote access from your Remote Access VPN Client to a Remote Access VPN Server el ano VPN Gateway 4 Click Next ect Site to Site...

Страница 327: ...g box appears 1 Enter want to 2 3 the IP address of the Remote Access VPN Server to which you connect as given to you by the network administrator To allow the VPN site to bypass the firewall and acce...

Страница 328: ...ou want to obtain the VPN network configuration Refer to VPN The following things happen in the order below If you chose Specify Configuration a second VPN Network Configuration g bo Network Configura...

Страница 329: ...e information in VPN Network Configuration Fields on page 320 and click Next The Auth entication Method dialog box appears 6 Complete the fields using the information in Authentication Methods Fields...

Страница 330: ...od ox appears If you selected Username and Password the VPN Login dialog b e the fields using the information in VPN Login Fields o 1 Complet n page 322 2 Click Next rs If you selected Automatic Login...

Страница 331: ...nnect to the Remote Access V to Con Warning If you try to connect to the VPN site before c existing tunnels will be terminated ompleting the wizard all the Connecting ialog box appears 2 Click Next If...

Страница 332: ...page reappears If you added a VPN site the new site appears in the VPN Sites list If you edited a VPN site the modifications are reflected in the VPN Sites list Certificate Authentication Method If yo...

Страница 333: ...If you try to connect to the VPN site befo existing tunnels will be terminated 2 Click Next ateway the Connecting screen appears and then the Contacting VPN Site screen appears re completing the wiza...

Страница 334: ...s in the VP eflected in the t RSA SecurID Authentication Method If you selected RSA SecurID the Site Name dialog box appears page reappears If you added a VPN site the new site app N Sites list If you...

Страница 335: ...d screen appears Enter a name for the VPN 2 Click Next 3 pears in the VPN Sites list If you edited a VPN site the modifications are reflected in the Click Finish The VPN Sites page reappears If you ad...

Страница 336: ...connecting to a Check Point VPN 1 or NetDefend Site to Site VPN Gateway Specify Configuration Click this option to provide the netwo nfiguration manually Route All Traffic Click this option to route a...

Страница 337: ...ual tunnel interface VTI for this site so at it can participate in a route based VPN oute based VPNs allow routing connections over VPN tunnels so that mote VPN sites can participate in tworks For con...

Страница 338: ...ect this option a certificate must have been installed Refer to rmation about tificate RSA SecurID Token Select this option to use an RSA SecurID token for VPN authentication orted in Remote Access ma...

Страница 339: ...ormation on Automatic and Manual A Click this option to enable the NetDefend firewall to log on to the VPN site You must then fill in the Username and Password fields Automatic Login provides all the...

Страница 340: ...Address dialog box appears If you selected Site to Site VPN the VPN Gateway 1 Complete the fields using the information in VPN Gateway Address Field page 335 s on 2 Click Next g box appears The VPN N...

Страница 341: ...er to VPN Network Configuration Fields on page 320 4 Click Next If you chose Specify Configuration a second VPN Network Configuration dialog box appears Complete the fields using the information in VP...

Страница 342: ...rs Complete the fields using the information in Route Based VPN Fields on 6 an Authent page 33 The d then click Next ication Method dialog box appears 5 Complete the fi Fields on page 337 6 Click Next...

Страница 343: ...the Authentication dialog box appears If you sele Shared Sec If you chose Download Configuration the dialog box contains additional fields 1 Complete the fields using the information in VPN Authentic...

Страница 344: ...s dialog box appears 2 To configure advanced security settings click Show Advanced Settings New fields appear 3 Complete the fields using the information in Security Methods Fields on page 337 and cli...

Страница 345: ...eway check box This allows you to test the VPN connection Warning If you try to connect to the VPN site b leting the wizard all existing tunnels will be terminated Click If you selected Try to Connect...

Страница 346: ...Enter e VPN site You m e 7 To keep the tunnel to the VPN site alive even if there is no network traffic between the NetDefend firewall and the VPN site select Keep this site alive Click Next a name f...

Страница 347: ...firewall should The VPN Sites page reappears If you added a VPN site the new site appears in site the modifications are reflected in the Certificate Authentication Method ping in order to keep the tu...

Страница 348: ...ication dialog box appears Complete the fields using the information in VPN Authentication Fields on page 337 and click Next The Security Methods dialog box appears 1 To configure advanced security se...

Страница 349: ...fo 337 and click Next rmation in Security Methods Fields on page The Connect dialog box appears 3 To try to connect to the R the VPN Gateway check b emote Access VPN Server select the Try to Connect t...

Страница 350: ...ialog box appears 4 Click Next If you selected Try to Con happen The Connecting screen appears The Contacting VPN Site scree The Site Nam 5 Enter a name for the VPN site You may choose any name 6 To k...

Страница 351: ...p to three IP addresses which the NetDefend firewall should e tunnel to the VPN site alive The VPN Site Created screen appears 8 Click Finish The VPN Sites page reappears If you added a VPN site the n...

Страница 352: ...our internal network without restriction T In able 67 Route Based VPN Fields this field Do this T Type a local IP address for this end of the VPN tunnel unnel Local IP Tunnel Remote IP Type the IP add...

Страница 353: ...been installed Refer to Installing a Certificate on page 345 for more information about certificates and instructions on how to install a certificate Table 69 VPN Authentication Fields In this field D...

Страница 354: ...ti he interval in minutes between IKE Phase 1 key negotiations This me but impacts heavily on e SA lifetime around its default value The default value is 1440 minutes one day Phase 2 for VPN traffic A...

Страница 355: ...bled This is the default Enabling PFS will g and renew th PFS increases security but lowers performance It is recommended to D gr ellman group to use Automatic The NetDefend firewall automatically sel...

Страница 356: ...The VPN site is deleted nabling Disabling a VPN Site E You can only connect to VPN sites that are enabled To enable disable a VPN site page appears with a list of VPN sites o he following 1 Click VPN...

Страница 357: ...on and traffic is sent to the VPN site a VPN tunnel is established Only the computer from which you logged on can use the tunnel To sh ers your home network you must log on to the VPN site from those...

Страница 358: ...a VPN site through the NetDefend Portal 1 Click VPN in the main menu and click the VPN Login tab The VPN Login page appears 2 From the Site Name list select the site to which you want to log on Note D...

Страница 359: ...guration If when adding the VPN site you NetDefend firewall attempts to create a tunnel to the VPN site Once the NetDefend f Status box appears The Status field displays Connected The VPN Login Status...

Страница 360: ...ration the NetDefend firewall downloads the network configuration If when adding the VPN site you specified a network configuration the NetDefend firewall attempts to create a tunnel to the VPN site T...

Страница 361: ...provide verifiable information e c ished Name DN identifying information of the entity as well as the public key information about itself After two entities excha encrypting inform etween themselves...

Страница 362: ...PKCS 12 file obtain one from your network security administrator porting a Certificate on page 350 Note To use unique certificate Do not use the same certificate for more than one g certificates auth...

Страница 363: ...cate page appears 2 Click Install Certificate The NetDefend Certificate Wizard opens with the Certificate Wizard dialog box displayed 3 Click Generate a self signed security certificate for this gatew...

Страница 364: ...rs 4 5 The NetDefend firewall generates the certificate This may take a few seconds Complete the fields using the information in the table below Click Next The Done dialog box appears displaying the c...

Страница 365: ...ys the following information The gateway s certificate The gateway s name The gateway certificate s fingerprint The CA s certificate The name of the CA that issued the certificate in this case the Net...

Страница 366: ...must renew the certificate when it expires Name be visible to remote users inspecting the certificate This field is filled in automatically with the gateway s MAC address If alid Until Use the drop d...

Страница 367: ...browser from which to locate and select the file Th 5 The Import Certificate Passphrase dialog box appears This may take a few mo e filename that you selected is displayed Click Next ments 6 Type the...

Страница 368: ...e gateway s certificate and the CA s certificate are valid Uninstalling a Certificate The CA s c The CA certificate s finge The starting a nding dates between w If you uninstall the certificate no cer...

Страница 369: ...red for Automatic Login and Site to Site nnel is ver your computer attem munication with a computer at the VPN site The tunnel is closed when not in use for a period of time A tu com created whene pts...

Страница 370: ...includes the information described in the table below 2 To refresh the table click Refresh Table 72 VPN Tunnels Page Fields This field Displays Type The currently active security protocol IPSEC Source...

Страница 371: ...nd firewall supports AES 3DES and DES encryption Establish nel was established This information is presented in the format hh mm ss where ss seconds rity The type of encr Message Authentication Code M...

Страница 372: ...t is recommended to do the following The NetDefend firewall stores traces for all recent IKE negotiations If you want to view only new IKE trace data clear all IKE trace data currently stored on the N...

Страница 373: ...y This file contains lished VPN tunnels 7 Use the IKE View tool to open and view the elg file or send the file to technical support VPN Tunnels on page 353 2 Click Reports in the main menu and click t...

Страница 374: ......

Страница 375: ...ADIUS Authentication 368 Configuring the RA 372 Changing Your Password ribes how to manage NetDefend firewall users You can defi ir passwords and assign them various permissions Changing rd 359 Users...

Страница 376: ...Internal Users page appears 2 your username click Edit rd opens displaying the Set User Details dialog box In the row of The Account Wiza 3 Edit the Password and Confirm password fields 360 D Link Net...

Страница 377: ...g and Editing Users ick Finish This procedure explains how to add and edit users For information on quickly adding guest HotSpot users via a shortcut that the firewall provides see Adding Quick Guest...

Страница 378: ...New User existing user click Edit next to the desire user Th unt Wizard opens d x To edit an e Acco isplaying the Set User Details dialog bo 3 Complete the fields using the information in Set User Det...

Страница 379: ...6 Click Finish e user is saved T In this field Do this you are using 5 Complete the fields using the information in Set Use Th able 74 Set User Details Fields Usern Enter a username for the user ame P...

Страница 380: ...on to the NetDefend Portal but liance page For example you could assign this administrator level to technical support personnel who need to view the Event Log The default level is No Access changed d...

Страница 381: ...Users The NetDefend firewall provides a shortcut for quickly adding a guest HotSpot user This is useful in situations where you want to grant temporary network access to gue xample in an Int guest use...

Страница 382: ...the Save Quick Guest dialog box create a guest user Users the main menu n The Internal Quick Guest Acco The 3 In the Expires field click on the arrows to specify the expiration date and time e user d...

Страница 383: ...d users appears in red 2 To delete a use he desired user s row click the Erase icon onfirmation mess A c age appears OK ll expired users do the following ation message b Click OK The expired users are...

Страница 384: ...Portal s RADIUS page However you can configure the RADIUS server to pass the NetDefend firewall a specific set of permissions to grant the authenticated user instead of these default permissions This...

Страница 385: ...sion set for this To The page appears user use RADIUS authentication 1 Click Users in the main menu and click the RADIUS tab RADIUS 2 Complete the fields using the table below Apply 3 Click 4 To resto...

Страница 386: ...efend firewall sends a request to the primary RADIUS server first If the primary RADIUS server does not respond after three attempts the NetDefend firewall will send the request to the secondary RADIU...

Страница 387: ...ute is configured for a user the fields in this area will have no effect and the user will be granted the permissions specified in the VSA If the VSA is not configured for the user the permissions con...

Страница 388: ...Specific Attribute For detailed instructions and examples refer to the Configuring the RADIUS Vendor Specific Attribute white paper To assign permissions to specific RADIUS authenticated users 1 Crea...

Страница 389: ...String none The user cannot ac level of access to the NetDefend Portal NetDefend Portal but cannot m can log on to the NetDefend Portal and modi VPN n he user can remotely access the network via VPN...

Страница 390: ...s the Internet via My HotSpot false The user HotSpot This permission is only relevant if the Secure HotSpot feature is enabled cannot access the Internet via My U hether e Web 4 String true The user c...

Страница 391: ...V etDefend firewall This chapter includes the following topics Updating the Firmware 377 Registering Your NetDefend firewall 383 Configuring Syslog Logging 384 Configuring SSH Configuring SN Setting...

Страница 392: ...ollowing information Tabl T xample e 78 Firmware Status Fields his field Displays For e WAN MAC Address The MAC address used for the Internet connection 00 80 11 22 33 44 Firmware Version The current...

Страница 393: ...ormed If au rod ct features and protection against ne ler r the availability of Software Updates and other services For information on subscribing to services see Co ge 281 e Software Updates service...

Страница 394: ...ate image file appears in the Browse text box 5 Click Upload Your NetDefend firewall firmware is updated Updating may take a few minutes during which time the PWR SEC LED may start flashing red or ora...

Страница 395: ...u have today There is no need to replace your hardware You can also purchase node upgrades as needed u can upgrade your NetDefend fire Note To purchase the Power Pack or node upgrades contact your Net...

Страница 396: ...pens with the Install Product Key dialog box displayed Enter a d 3 Click ent Product Key iffer Product Key field enter the new Product Key 4 In the 5 Click Next The Installe dialog box appears d New P...

Страница 397: ...ialog box appears 7 Do one of the following To register your NetDefend firewall later on clear the I want to register my product check box and then click Next To register your NetDefend firewall now d...

Страница 398: ...your contact information in the appropriate fields 3 To receive email notifications regarding new firmware versions ears The third Registration dialog box appears and services select the check box 4...

Страница 399: ...or otherwise disclose any of your personal or contact details without your explicit permission To register your NetDefend firewall 1 Click Setup in the main menu and click the Firmware tab The Firmwa...

Страница 400: ...tocol used for the communication attempt for example TCP or UDP This same information is also available in the Event Log page see Viewing the However while the Event Log can display hundreds of Furthe...

Страница 401: ...yslog Serv Type the IP address of the computer that will run the Syslog service twork computers or click This Computer to allow your er one of your ne computer to host the service C Click to clear the...

Страница 402: ...page 386 Using a console connected to the NetDefend firewall For information see Using the Serial Console on page 388 Using an SSH client See Configuring SSH on page 392 Using the NetDefend Portal mma...

Страница 403: ...Controlling the Appliance via the Command Line The Tools page appears 2 Click Command The Command Line page appears 3 In the upper field type a command Chapter 14 Maintenance 387...

Страница 404: ...ole to the NetDefend firewall and use the consol ntrol the appliance via the command lin Yo e to co e Note Your terminal emulation software must be set to 57600 bps N 8 1 To For information on locatin...

Страница 405: ...ts page appears 3 In the RS232 drop down list select Console 4 Click Apply You can now control the NetDefend firewall from the serial console For information on all supported commands refer to the Net...

Страница 406: ...and click the Management tab The Management page appears 2 Specify from where HTTPS access to the NetDefend Portal should be granted See Access Options on page 391 for information Warning If remote HT...

Страница 407: ...desired IP address range in the fields provided 4 Click Apply now access the NetDefend Portal through the Internet using the procedure S o The HTTPS configuration is saved If you configured remote HT...

Страница 408: ...all users can control the unit via the command line using the SSH Secure Shell management protocol You can enable users to do so via the Internet by configuring remote SSH access You can also integrat...

Страница 409: ...ficult to guess If you selected IP Address Range additional fields appear 3 If you selected IP Address Range enter the desired IP address range in the fields provided 4 Click Apply The SSH configurati...

Страница 410: ...MP access The NetDefend firewall supports the following SNMP MIBs SNMPv2 MIB RFC1213 MIB IF MIB IP MIB All SNMP access is read only To configure SNMP 1 Click Setup in the main menu and click the Manag...

Страница 411: ...in the fields ed 4 In the Community field type the name of the SNMP community string SNMP clients uses the SNMP community string as a password when connecting to the NetDefend firewall The default va...

Страница 412: ...Configure the SNMP clients w Table 81 Advanc MP Settings System Location Ty e a description of the appliance s location Th e visible to SN seful for admi oses p is information will b MP clients and i...

Страница 413: ...e time displayed in the NetDefend Portal during initial appliance setup If desired you can change the date and time using the procedure below To set the time 1 Click Setup in the main menu and click t...

Страница 414: ...ime Wizard Fields on page 400 4 The following things happen in the order below If you selected Specify date and time the Specify Date and Time dialog rs Click Next box appea Set the date time and time...

Страница 415: ...selected Use a Time Server the Time Servers dialog box appears Complete the fields using the information in Time Servers Fields on page 0 then click Next The Date and Time Updated screen appears 40 5...

Страница 416: ...ed to the right of this option Use a Time Server Synchronize the applianc Time Protocol NTP server Specify date and time Set the appliance to a specific date and time nce s time e time with a Network...

Страница 417: ...IP Tools on page 402 T Display a list of all routers used to Using IP Tools on page 402 W a specific IP address or DNS name is registered This P raceroute connect from the NetDefend firewall to a spe...

Страница 418: ...Go If you selected Ping the following things happen The NetDefend firewall sends packets to the specified the IP address or DNS name The IP Tools window opens and displays the percentage of packet lo...

Страница 419: ...outers used to make the If you selected WHOIS the following thi The NetDefend firewall queries the Inte tit or DNS tact info ngs happen rnet WHOIS server y to which the IP address rmation A window dis...

Страница 420: ...alyze the file or you can al runs on mputing platforms and w etherea click the e appears 2 Click Sniffer The Packet Sniffer window opens niffer tool which enables you etDefend port This is useful tr c...

Страница 421: ...ng on the ackets 5 Click Stop to stop collecting packets box appears The Save As dialog box appears 7 Browse to a destination directory of your choice 8 Type a name for the configuration file and clic...

Страница 422: ...marks ter string way Select this option to capture incom gateway only If this option is not selected Pack traffic on the interface lter String Type the filter string t packets that m ring the captured...

Страница 423: ...age 413 udp on page 414 For detailed information on filter syntax refer to http www tcpdump org and ate filter ts ter string elem element element ilter String Syntax The following represents a li and...

Страница 424: ...TERS IP Address or String The computer to which the packet is his can be the following address host name at a dst PURPOSE The dst element captures all packets SYNTAX dst destination P destination sent...

Страница 425: ...g filter string saves packets th dst port 80 to capture packets of a specific ether protocol YNTAX er proto protocol ng The protocol type of the packet wing ip ip6 arp rarp lk aarp dec net sca lat mop...

Страница 426: ...is sent This can be the following An IP address A host name EXAMPLE The following filter string saves all packets that either originated from IP address 192 168 10 1 or are destined for that same IP a...

Страница 427: ...0 1 or IP address 192 168 10 10 src 192 168 10 1 or src 192 168 10 10 or UR Th or must match at least on ing elements The filtered packets ents SYNTAX element or element or elem element element elem P...

Страница 428: ...ring T which the packet is sent This can be th An IP address A host name llowing filter string saves packets that or address 192 168 10 1 src 192 168 10 1 rc URPOSE The src element captures all pack e...

Страница 429: ...OSE he tcp element cap is element ca ted elements ip proto tc Note When not prepended to other elemen uivalent of p ent P nt String A port re string element that should be restricted to saving followi...

Страница 430: ...other elements udp element ERS nt String A port re t should be restricted to sav DP packets This can be the following dst port C for a specific po port Captures al s originating from or destined t src...

Страница 431: ...lanation of the CLI script f supported CLI nds see the NetDefend CLI Reference G Exporting the NetDefend firewall Configuration g file and use this ll your settings The file If desired you can edit th...

Страница 432: ...der to restore your NetDefend firewall s co m a configuration file you m T d firewall configuration 1 Click Setup in the main menu and click t s tab s page appears t page appears nfiguration fro ust i...

Страница 433: ...ation file 4 Click Upload A confirmatio OK The NetDefend firewall settings are imported The Import of implementing each configuration command uration file s c abl Note If the appliance s IP add your...

Страница 434: ...tion erases all your settings You will new password and reconfigure yo Internet or information on performing these tasks see Setting Up the Y etDefend firewall to default ment i r by manually pressing...

Страница 435: ...version that shipped with the appliance select the check box 4 Click OK The Please Wait screen appears The NetDefend firewall returns to its factory defaults The NetDefend firewall is restarted the PW...

Страница 436: ...the NetDefend firewall to boot up until the system is ready PWR SEC LED flashes slowly or illuminates steadily in green light For information on the appliance s front and rear panels see the relevant...

Страница 437: ...lick the Tools tab The Tools page appears 2 Click Diagnostics Technical information about your NetDefend firewall appears in a new window 3 To save the displayed information to an html file a Click Sa...

Страница 438: ...rebooting it may solve the problem To reboot the NetDefend firewall 1 Click Setup in the main menu and click the Firmware tab The Firmware page appears 2 Click Restart A confirmation message appears...

Страница 439: ...d printers to the appliance and share them across the network Note When using computers with a Windows 2000 XP operating system the NetDefend firewall supports connecting up to four USB based printers...

Страница 440: ...lationT on page 35 2 Turn the printer on 3 In the NetDefend Portal click Setup in the main menu and click the Printers tab The Printers page appears If the NetDefend firewall detected the printer the...

Страница 441: ...the replacement printer s port number to the old printer s port number and you can skip the next step 7 Configure each computer from which you want to enable printing to the network printer See TConf...

Страница 442: ...trol Panel window opens 3 Click Printers and Faxes The Printers and Faxes window opens 4 Right click in the window and click Add Printer in the popup menu The Add Printer Wizard opens with the Welcome...

Страница 443: ...ally detect and install my Plug and Play printer check box 7 Click Next The Select a Printer Port dialog box appears 8 Click Create a new port 9 In the Type of port drop down list select Standard TCP...

Страница 444: ...ield type the NetDefend firewall s LAN IP address or my firewall You can find the LAN IP address in the NetDefend Portal under Network My Network The Port Name field is filled in automatically 13 Clic...

Страница 445: ...og box opens 16 In the Port Number field type the printer s port number as shown in the Printers page 17 In the Protocol area make sure that Raw is selected 18 Click OK The Add Standard TCP IP Printer...

Страница 446: ...del If your printer does not appear in the lists insert the CD that came with your printer in the computer s CD ROM drive and click Have Disk 22 Click Next 23 Complete the remaining dialog boxes in th...

Страница 447: ...the latest version of the MAC OS X operating system Note This procedure may not apply to earlier MAC OS X versions To configure a computer to use a network printer 1 If the computer for which you want...

Страница 448: ...nters 432 D Link NetDefend firewall User Guide The System Preferences window appears 3 Click Show All to display all categories 4 In the Hardware area click Print Fax The Print Fax window appears 5 In...

Страница 449: ...ct IP Printing 8 In the Printer Type drop down list select Socket HP Jet Direct 9 In the Printer Address field type the NetDefend firewall s LAN IP address or my firewall You can find the LAN IP addre...

Страница 450: ...11 In the Printer Model list select the desired printer type A list of models appears 12 In the Model Name list select the desired model 13 Click Add The new printer appears in the Printer List windo...

Страница 451: ...inter is processing a print job Restarting The printer server is restarting Fail An error occurred See the Event Log for details TViewing the Event LogT on page 187 2 To refresh the display click Refr...

Страница 452: ...enu and click the Printers tab The Printers page appears 2 In the printer s Printer Server TCP Port field type the desired port number 3 Click Apply Resetting Network Printers You can cause a network...

Страница 453: ...roblems you may encounter while using the NetDefend firewall Note For information on troubleshooting wireless connectivity see TTroubleshooting Wireless ConnectivityT on page 183 This chapter includes...

Страница 454: ...to http my firewall and see whether Connected appears on the Status Bar Make sure that your NetDefend firewall network settings are configured as per your ISP directions Check your TCP IP configurati...

Страница 455: ...ernet adapter MAC address onto the NetDefend firewall For instructions see TConfiguring the Internet ConnectionT on page 53 Some cable ISPs require using a hostname for the connection Try reconfigurin...

Страница 456: ...Ethernet card There may be an IP address conflict in your network Check that the TCP IP settings of all your computers are configured to obtain an IP address automatically I changed the network settin...

Страница 457: ...256 TCP 264 ESP IP protocol 50 TCP 981 I cannot receive audio or video calls through the NetDefend firewall What should I do To enable audio video you must configure an IP Telephony H 323 virtual ser...

Страница 458: ...ess that exceeds the licensed node limit the Active Computers page displays a warning message and marks nodes over the node limit in red These nodes will not be able to access the Internet through the...

Страница 459: ...tion see TSetting the Time on the ApplianceT on page 397 I cannot use a certain network application What should I do Look at the Event Log page If it lists blocked attacks do the following Set the Net...

Страница 460: ......

Страница 461: ...echnical Specifications Table 86 NetDefend Appliance Attributes Attribute DFL CP310 DFL CPG310 General Dimensions width x height x depth 20 x 3 1 x 15 5 cm 7 9 x 1 2 x 6 1 inches 20 x 3 1 x 15 5 cm 7...

Страница 462: ...m 11 4 x 9 8 x 3 inches 29 x 25 x 7 6 cm 11 4 x 9 8 x 3 inches Retail box weight 1 35 kg 3 lbs 1 35 kg 3 lbs Environmental Conditions Temperature Storage Transport 5 C to 70 C 5 C to 70 C Temperature...

Страница 463: ...pecifications 447 Attribute DFL CP310 DFL CPG310 Quality ISO9001 2000 TL9000 HW R3 0 ISO14001 Ohsas18001 1999 ISO9001 2000 TL9000 HW R3 0 ISO14001 Ohsas18001 1999 Mean Time Between Failures MTBF 68 00...

Страница 464: ...e Table 87 NetDefend Wireless Attributes Attribute DFL CPG310 series Operation Frequency 2 412 2 484 MHz Transmission Power 79 4 mW Modulation OFDM DSSS 64QAM 16QAM QPSK BPSK CCK DQPSK DBPSK WPA Authe...

Страница 465: ...73 23 EEC Low Voltage Directive LVD Directive 99 05 EEC Radio Equipment and Telecommunications Terminal Equipment Directive In accordance with the following standards Table 88 NetDefend Appliance Sta...

Страница 466: ...1993 EN 61000 4 10 1993 EN 61000 4 11 1994 EN 61000 4 12 1995 Safety EN 60950 2000 IEC 60950 1999 EN 60950 2000 IEC 60950 1999 The CE mark is affixed to this product to demonstrate conformance to the...

Страница 467: ...or modifications to this product not explicitly approved by the manufacturer could void the user s authority to operate the equipment and any assurances of Safety or Performance and could result in vi...

Страница 468: ......

Страница 469: ...computer to the Internet via the cable television network Cable modems offer a high speed always on connection Certificate Authority The Certificate Authority CA issues certificates to entities such a...

Страница 470: ...ewall DNS The Domain Name System DNS refers to the Internet domain names or easy to remember handles that are translated into IP addresses An example of a Domain Name is www sofaware com Domain Name S...

Страница 471: ...t number that identifies each computer sending or receiving data packets across the Internet When you request an HTML page or send e mail the Internet Protocol part of TCP IP includes your IP address...

Страница 472: ...ement unit for the rate of data transmission MTU The Maximum Transmission Unit MTU is a parameter that determines the largest datagram than can be transmitted by an IP interface without it needing to...

Страница 473: ...ple computer users on an Ethernet local area network to a remote site or ISP through common customer premises equipment e g modem PPTP The Point to Point Tunneling Protocol PPTP allows extending a loc...

Страница 474: ...ting through the Internet For example when an HTML file is sent to you from a Web server the Transmission Control Protocol TCP program layer in that server divides the file into one or more packets nu...

Страница 475: ...urce depends on the Internet application protocol On the Web which uses the Hypertext Transfer Protocol an example of a URL is http www sofaware com V VPN A virtual private network VPN is a private da...

Страница 476: ......

Страница 477: ...Overflow 247 Block rules explained 213 Blocked FTP Commands 248 C CA explained 345 453 cable modem connection 58 67 explained 453 cable type 35 certificate explained 345 generating self signed 346 im...

Страница 478: ...454 F File and Print Sharing 249 firewall levels 204 rule types 211 setting security level 204 firmware explained 375 454 updating manually 377 viewing status 375 FTP Bounce 245 G gateways backup 119...

Страница 479: ...105 explained 455 hiding 107 IP Fragments 232 IPSEC VPN mode 455 ISP explained 456 L LAN cable 35 configuring High Availability for 119 connection 54 56 65 explained 456 ports 35 LAND 226 licenses 19...

Страница 480: ...eMode about 110 configuring 110 P packet 87 139 401 455 457 Packet Sanity 229 Packet Sniffer filter string syntax 407 using 404 Pass rules explained 268 password changing 359 setting up 39 Peer to Pee...

Страница 481: ...3 305 explained 297 Remote Access VPN sites 311 reports active computers 194 active connections 197 event log 187 node limit 194 traffic 191 viewing 187 wireless statistics 198 routers 90 119 401 438...

Страница 482: ...connecting to 281 disconnecting from 289 refreshing a connection to 288 services software updates 294 Web Filtering 290 Setup Wizard 39 54 Site to Site VPN gateways 308 explained 297 installing a cer...

Страница 483: ...setting up for Windows XP 2000 16 Teardrop 224 technical support 14 Telstra 73 Traceroute 401 Traffic Monitor configuring 193 exporting reports 194 using 191 viewing reports 191 traffic reports export...

Страница 484: ...creation and closing of 353 establishing 341 explained 297 459 viewing 353 VStream Antivirus about 263 configuring 267 configuring advanced settings 275 configuring policy 267 enabling disabling 265 r...

Страница 485: ...dex 469 wireless stations preparing 182 viewing 198 WLAN configuring 161 defined 459 preparing stations for 182 troubleshooting connectivity 183 viewing statistics for 198 WPA 161 163 WPA2 163 WPA PSK...

Результаты поиска

Содержание NetDefend DFL-CP310

Отзывы:

Похожие инструкции для NetDefend DFL-CP310

Бренды по названию

Популярные бренды

D-Link NetDefend DFL-CP310, Руководство пользователя

Результаты поиска

Содержание NetDefend DFL-CP310

Отзывы:

Похожие инструкции для NetDefend DFL-CP310

Бренды по названию

Популярные бренды