hit counter script
D-Link DFL-700 Manual
  1. Manuals
  2. Brands
  3. D-Link Manuals
  4. Firewall
  5. DFL-700 - Security Appliance
  6. Manual

D-Link DFL-700 Manual

Network security firewall
Hide thumbs Also See for DFL-700:
Table of Contents

Advertisement

Quick Links

Download this manual See also: Manual
D-Link DFL-700
TM
Network Security Firewall
Manual
Building Networks for People
(02/03/2005)

Advertisement

Table of Contents
loading

Related Manuals for D-Link DFL-700

Summary of Contents for D-Link DFL-700

  • Page 1 D-Link DFL-700 Network Security Firewall Manual Building Networks for People (02/03/2005)

  • Page 2: Table Of Contents

    Introduction to Local Area Networking ... 7 LEDs ... 8 Physical Connections... 8 Package Contents ... 9 System Requirements ... 9 Managing D-Link DFL-700 ... 10 Resetting the DFL-700...10 Administration Settings... 11 Administrative Access ...11 Add ping access to an interface...13 Add Admin access to an interface...13...
  • Page 3 Add Administrative User...35 Change Administrative User Access level ...36 Change Administrative User Password...36 Delete Administrative User...37 Users... 38 The DFL-700 RADIUS Support...38 Enable User Authentication via HTTP / HTTPS...39 Enable RADIUS Support...39 Add User ...40 Change User Password ...40 Delete User ...41 Schedules ...
  • Page 4 Ping ... 62 Ping Example ...62 Dynamic DNS... 63 Add Dynamic DNS Settings ...63 Backup ... 64 Exporting the DFL-700’s Configuration...64 Restoring the DFL-700’s Configuration...64 Restart/Reset ... 65 Restarting the DFL-700...65 Restoring system settings to factory defaults ...65 Upgrade ... 67 Upgrade Firmware ...67...
  • Page 5 Interfaces ... 69 VPN... 70 Connections ... 71 DHCP Server ... 72 How to read the logs... 73 USAGE events ... 73 DROP events ... 73 CONN events ... 73 Appendixes... 75 Appendix A: ICMP Types and Codes ... 75 Appendix B: Common IP Protocol Numbers ...

  • Page 6: Introduction

    The DFL-700 provides three 10/100M Ethernet network interface ports, which are (1) Internal/LAN, (1) External/WAN, and (1) DMZ port. It also provides easily operated software WebUI that allows users to set system parameters or monitor network activities using a Web browser.

  • Page 7: Introduction To Local Area Networking

    STP twisted pair wire.) On the other hand, wireless networks do not use wires; instead they communicate over radio waves. Each computer must have a Network Interface Card (NIC), which communicates the data between computers. A NIC is usually a 10Mbps network card, or 10/100Mbps network card, or a wireless network card.

  • Page 8: Leds

    External Port (WAN): Use this port to connect to the external router, DSL modem, or Cable modem. Reset: Use to reset the DFL-700 to the original default settings. DC Power: Connect one end of the power supply to this port, the other end to the...

  • Page 9: Package Contents

    Straight-through CAT-5 cable Note: Using a power supply with a different voltage rating than the one included with the DFL-700 will cause damage and void the warranty for this product. If any of the above items are missing, please contact your reseller.

  • Page 10: Managing D-Link Dfl-700

    Activate Configuration Changes page, by choosing the time from the dropdown menu. Resetting the DFL-700 To reset the DFL-700 to factory default settings you must hold the reset button down for at least 15 seconds after powering on the unit. You will first hear one beep, which will indicate that the firmware is being restored.

  • Page 11: Administration Settings

    Ping – If enabled, it specifies who can ping the IP interface of the DFL-700. Enabling Default allows anyone to ping the interface IP. Admin – If enabled, it allows all users with admin access to connect to the DFL-700 and change configuration; this can be HTTPS or HTTP and HTTPS.
  • Page 12 SNMP – Specifies if SNMP should or should not be allowed on the interface. The DFL-700 only supports read-only access.

  • Page 13: Add Ping Access To An Interface

    Step 3. Specify which networks are allowed to access the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range. Step 4. Specify protocol used to access the DFL-700 from the dropdown menu, either HTTP and HTTPS (Secure HTTP) or only HTTPS.

  • Page 14: Add Read-Only Access To An Interface

    Step 3. Specify which networks are allowed read-only access to the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range. Step 4. Specify protocol used to access the DFL-700 from the dropdown menu, either HTTP and HTTPS (Secure HTTP) or only HTTPS.

  • Page 15: System

    Interfaces Click on System in the menu bar, and then click interfaces below it. Change IP of the LAN or DMZ interface Follow these steps to change the IP of the LAN or DMZ interface. Step 1. Choose which interface to view or change under the Available interfaces list. Step 2.

  • Page 16: Wan Interface Settings - Using Static Ip

    If you are using Static IP, you have to fill in the IP address information provided to you by your ISP. All fields are required except the Secondary DNS Server. Note: Do not use the numbers displayed in these fields, they are only used as an example.

  • Page 17: Wan Interface Settings - Using Pppoe

    Use the following procedure to configure DFL-700 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill in the username and password provided to you by your ISP.

  • Page 18: Wan Interface Settings - Using Pptp

    • PPTP Server IP – The IP of the PPTP server that the DFL-700 will connect to. Before PPTP can be used to connect to you ISP, the physical (WAN) interface parameters need to entered. You can use either DHCP or Static IP, depending on the type of ISP used.

  • Page 19: Wan Interface Settings - Using Bigpond

    DFL-700. For example, the policy for the Web server might be given higher priority than the policies for most employees' computers.

  • Page 20: Mtu Configuration

    Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-700 and the Internet. If the packets the DFL-700 sends are larger, they get broken up or fragmented, which could slow down transmission speeds.

  • Page 21: Routing

    Click on System in the menu bar, and then click Routing below it; this will provide a list of all configured routes, and it will look something like this: The Routes configuration section describes the firewall’s routing table. The DFL-700 uses a slightly different method of describing routes compared to most other systems. However, we believe that this method of describing routes is easier to understand, making it less likely for users to cause errors or breaches in security.

  • Page 22: Add A New Static Route

    Add a new Static Route Follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add new in the bottom of the routing table. Step 3. Choose the interface that the route should be sent trough from the dropdown menu.

  • Page 23: Logging

    The D-Link DFL-700 provides several options for logging activity. The D- Link DFL-700 logs activity by sending the log data to one or two log receivers in the network. All logging is done to Syslog recipients. The log format used for syslog logging is suitable for automated processing and searching.

  • Page 24: Enable Logging

    Step 2. Choose the sensitivity level. Step 3. In the SMTP Server field, fill in the SMTP server to which the DFL-700 will send the e-mail alerts. Step 4. Specify up to three valid email addresses to receive the e-mail alerts.

  • Page 25: Time

    Time Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by syncing to an Internet Network Time Server (NTP) or by entering the system time manually.

  • Page 26: Changing Time Zone

    Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop down menu. Step 2. Specify the dates to begin and end daylight saving time or choose no daylight saving time by checking the correct box. Click the Apply button below to apply the settings or click Cancel to discard changes.

  • Page 27: Firewall

    The first step in configuring security policies is to configure the mode for the firewall. The firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use DFL-700 network address translation to protect private networks from public networks. In NAT mode, you can connect a private network to the internal interface, a DMZ network to the dmz interface, and a public network, such as the Internet, to the external interface.

  • Page 28: Source And Destination Filter

    Intrusion Detection / Prevention The DFL-700 Intrusion Detection/Prevention System (IDS/IDP) is a real-time intrusion detection and prevention sensor that identifies and takes action against a wide variety of suspicious network activity. The IDS uses intrusion signatures, stored in the attack database,...

  • Page 29: Traffic Shaping

    In response to an attack, the IDS protects the networks behind the DFL-700 by dropping the traffic. To notify of the attack the IDS sends an e-mail to the system administrators if e-mail alerting is enabled. D-Link updates the attack database periodically.

  • Page 30: Add A New Policy

    Add a new policy Follow these steps to add a new outgoing policy. Step 1. Choose the LAN->WAN policy list from the available policy lists. Step 2. Click on the Add new link. Step 3. Fill in the following values: Name: Specifies a symbolic name for the rule.

  • Page 31: Change Order Of Policy

    Follow these steps to change the order of a policy. Step 1. Choose the policy list for which you would like to change the order from the available policy lists. Step 2. Click on the Edit link corresponding to the rule you want to move. Step 3.

  • Page 32: Configure Intrusion Prevention

    Configure Intrusion Prevention Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like have IDP on. Step 2. Click on the Edit link corresponding to the rule you want to configure. Step 3. Enable the Intrusion Detection / Prevention checkbox. Step 4.

  • Page 33: Port Mapping / Virtual Servers

    The Port mapping / Virtual Servers configuration section is where you can configure virtual servers like Web servers on the DMZ or similar servers. It is also possible to regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN interface of the firewall.

  • Page 34: Delete Mapping

    Delete mapping Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN, or DMZ) you would like do delete the mapping from. Step 2. Click on the Edit link corresponding to the rule you want to delete. Step 3.

  • Page 35: Administrative Users

    The first column show the access levels, Administrator and Read-only. An Administrator user can add, edit and remove rules, change settings of the DFL-700, and so on. The Read- only user can only look at the configuration. The second column displays the users in each access level.

  • Page 36: Change Administrative User Access Level

    To change the access level of a user click on the user name and you will see the following screen. From here you can change the access level selecting appropriate level from the drop-down menu. Access levels • Administrator – The user can add, edit and remove rules, change...

  • Page 37: Delete Administrative User

    Note: The password should be at least six characters long. The password can contain numbers (0-9) and upper and lower case letters (A-Z, a-z). Special characters and spaces are not allowed. Delete Administrative User To delete a user click on the user name and you will see the following screen. Follow these steps to delete an Administrative User.

  • Page 38: Users

    Before any traffic is allowed to pass through any policies configured with username or groups, the user must first authenticate him/her-self. The DFL-700 can either verify the user against a local database or pass along the user information to an external authentication server, which verifies the user and the given password, and transmits the result back to the firewall.

  • Page 39: Enable User Authentication Via Http / Https

    Follow these steps to enable User Authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify if HTTP and HTTPS or only HTTPS should be used for the login. Step 3. Specify the idle-timeout, the time a user can be idle before being logged out by the firewall.

  • Page 40: Add User

    Follow these steps to add a new user. Step 1. Click on add corresponding to the type of user you would like to add, Admin or Read-only. Step 2. Fill in User name; make sure you are not trying to add one that already exists.

  • Page 41: Delete User

    To delete a user click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user you would like to delete. Step 2. Enable the Delete user checkbox.

  • Page 42: Schedules

    The DFL-700 can be configured to have a start time and stop time, as well as 2 different time periods in a day. For example, an organization may...

  • Page 43: Add New One-Time Schedule

    Add new one-time schedule Follow these steps to add a new one-time schedule. Step 1. Go to Firewall and Schedules and choose Add new. Step 2. Choose the starting and ending date and hour when the schedule should be active. Step 3.

  • Page 44: Services

    A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, a service definition does not include any information whether the service should be allowed through the firewall or not.

  • Page 45: Adding Ip Protocol

    When the type of the service is IP Protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some defined IP protocols can be found in the appendix named “IP Protocol Numbers.”...

  • Page 46: Protocol-Independent Settings

    It is generally not a good idea to allow any inbound ICMP message to be able to have those error messages forwarded. To solve this problem, the DFL-700 can be instructed to pass an ICMP error message only if it is related to an existing connection. Check this option to enable this feature for connections using this service.

  • Page 47: Vpn

    IPSec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPSec based VPN, such as DFL-700 VPN, is made up by two parts: •...

  • Page 48: Ipsec Vpn Between Two Networks

    PSK, make sure both firewalls use exactly the same PSK. Step 5. For Tunnel Type, choose LAN-to-LAN tunnel and specify the network behind the other DFL-700 as Remote Net. Also specify the external IP of the other DFL-700, this can be an IP or a DNS name.

  • Page 49: Ipsec Vpn Between Client And An Internal Network

    Internet. Communication between the client and the internal network takes place in an encrypted VPN tunnel that connects the DFL-700 and the roaming users across the Internet. The example shows a VPN between a roaming VPN client and the internal network, but you can also create a VPN tunnel that uses the DMZ network.

  • Page 50: Vpn - Advanced Settings

    Advanced settings for a VPN tunnel is used when the user needs to change some characteristics of the tunnel to, for example, try to connect to a third party VPN Gateway. The different settings per tunnel are: Limit MTU With this setting it is possible to limit the MTU (Max Transferable Unit) of the VPN tunnel. IKE Mode Specify if Main mode IKE or Aggressive Mode IKE should be used when establishing outbound VPN Tunnels.

  • Page 51: Proposal Lists

    To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPSec security associations (SAs) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines encryption parameters, for instance encryption algorithm, life times etc, that the VPN gateway supports.

  • Page 52: Certificates

    Web interface to provide HTTPS access. Note: The certificate named Admin can only be replaced, not deleted or renamed. This is used for HTTPS access to the DFL-700. Certificates of remote peers This is a list of all certificates of individual remote peers.

  • Page 53: Certificate Authorities

    This is a list of all CA certificates. To add a new Certificate Authority certificate, click Add new. The following pages will allow you to specify a name for the CA certificate and upload the certificate file. This certificate can be selected in the Certificates field on the VPN page. Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Remote Peers list.

  • Page 54: Content Filtering

    DFL-700 HTTP content filtering can be configured to scan all HTTP content protocol streams for URLs or for Web page content. If a match is found between a URL on the URL block the DFL-700 blocks the Web page. You can configure URL blacklist to block all or just some of the pages on a website. Using this feature you can deny access to parts of a website without denying access to it completely.

  • Page 55: Edit The Url Global Blacklist

    Follow these steps to add or remove a URL. Step Firewall and Content Filtering and choose Edit global blacklist. Step 2. Add/edit or remove the URL that should be checked with Content Filtering. Click Apply button below to apply the changes or click Cancel discard changes.

  • Page 56: Active Content Handling

    Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example to strip ActiveX and Flash, enable the checkbox named Strip ActiveX objects. It is possible to strip ActiveX, Flash, Java, JavaScript, and VBScript.

  • Page 57: Servers

    Note: Leases are remembered over a re-configure or reboot of the firewall. The DFL-700 also includes a DHCP Relayer. A DHCP Relayer is a form of gateway between a DHCP Server and its users. The relayer intercepts DHCP queries from the users and forwards them to a DHCP server while setting up dynamic routes based on leases.

  • Page 58: Enable Dhcp Server

    To enable the DHCP Server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these steps to enable the DHCP Server on the LAN interface. Step 1. Choose the LAN interface from the Available interfaces list. Step 2.
  • Page 59 Click the Apply button below to apply the settings or click Cancel to discard changes.

  • Page 60: Dns Relayer Settings

    Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-700 contains a DNS Relayer that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself.

  • Page 61: Disable Dns Relayer

    Disable DNS Relayer Follow these steps to disable the DNS Relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button below to apply the settings or click Cancel to discard changes.

  • Page 62: Tools

    Ping Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets to a given destination. All packets are sent in immediate succession rather than one per second. This method is the best suited for diagnosing connectivity problems.

  • Page 63: Dynamic Dns

    The Dynamic DNS (requires Dynamic DNS Service) allows you to alias a dynamic IP address to a static hostname, allowing your device to be more easily accessed by a specific name. When this function is enabled, the IP address in Dynamic DNS Server will be automatically updated with the new IP address provided by ISP.

  • Page 64: Backup

    System Administrators can restore the firewall’s configuration file with the one stored on disc. Exporting the DFL-700’s Configuration Follow these steps to export the configuration. Step 1. Under the Tools menu and the Backup section, click on the Download configuration button.

  • Page 65: Restart/Reset

    Restoring system settings to factory defaults Use the following procedure to restore system settings to the factory defaults. This procedure will possibly change the DFL-700 firmware version to a lower version if it has been upgraded. This procedure deletes all of the changes that you have made to the DFL-700 configuration and reverts the system to its original configuration, including resetting interface addresses.
  • Page 66 Step 2. Click OK in the dialog to reset the unit to factory defaults, or press Cancel to cancel. You can restore your system settings by uploading a previously downloaded system configurations file to the DFL-700 if a backup of the device has been done.

  • Page 67: Upgrade

    Upgrade IDS Signature-database To upgrade the signature-database first download the newest IDS signatures from D-Link. After downloading the newest version of the software, connect to the firewall’s WebUI, enter Upgrade on the Tools menu, click Browse in the Upgrade Unit’s signature-database...

  • Page 68: Status

    In this section, the DFL-700 displays the status information about the Firewall. Administrator may use Status to check the System Status, Interface statistics, VPN, connections, and DHCP Servers. System Click on Status in the menu bar, and then click System below it. A window will appear providing some information about the DFL-700.

  • Page 69: Interfaces

    Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces on the DFL-700. By default, information about the LAN interface will be displayed. To see another one, click on that interface (WAN or DMZ).

  • Page 70: Vpn

    Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the VPN connections on the DFL-700. By default information about the first VPN tunnel will be displayed. To see another one, click on that VPN tunnels name.

  • Page 71: Connections

    Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. The state table shows the last 100 connections opened through firewall. Connections are created when traffic is permitted to pass via the policies.

  • Page 72: Dhcp Server

    Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP Servers. By default, information about the LAN interface will be displayed. To see another one, click on that interface.

  • Page 73: How To Read The Logs

    Although the exact format of each log entry depends on how your syslog recipient works, most are very similar. The way in which logs are read is also dependent on how your syslog recipient works. Syslog daemons on UNIX servers usually log to text files, line by line. Most syslog recipients preface each log entry with a timestamp and the IP address of the machine that sent the log data: Oct 20 2003 09:45:23 gateway...
  • Page 74 One event will be generated when a connection is established. This event will include information about the protocol, receiving interface, source IP address, source port, destination interface, destination IP address, and destination port. Open Example: Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80 In this line, traffic from 192.168.0.10 on the LAN interface is connecting to 64.7.210.132 on...

  • Page 75: Appendixes

    Appendix A: ICMP Types and Codes The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields. Type Name Echo Reply...
  • Page 76 Redirect Echo Router Advertisement Router Selection Time Exceeded Parameter Problem Timestamp Timestamp Reply Information Request Information Reply Address Mask Request Address Mask Reply Traceroute Datagram Conversion Error Photuris Redirect Datagram for the RFC792 Network (or subnet) Redirect Datagram for the RFC792 Host Redirect Datagram for the...

  • Page 77: Appendix B: Common Ip Protocol Numbers

    Source: http://www.iana.org/assignments/icmp-parameters Appendix B: Common IP Protocol Numbers These are some of the more common IP Protocols. For a list of all protocols, follow the link after the table. Decimal Keyword Description ICMP Internet Control Message IGMP Internet Group Management Gateway-to-Gateway IP in IP (encapsulation) Stream...
  • Page 79 Software. Except as otherwise agreed by D-Link in writing, the replacement Software is provided only to the original licensee, and is subject to the terms and conditions of the license granted by D-Link for the Software. Replacement Software will be warranted for the remainder of the original Warranty Period and is subject to the same limitations and exclusions.
  • Page 80 UPS Ground or any common carrier selected by D-Link. Return shipping charges shall be prepaid by D-Link if you use an address in the United States, otherwise we will ship the product to you freight collect. Expedited shipping is available upon request and provided shipping charges are prepaid by the customer.
  • Page 81 Authorized D-Link Service Office. Improper or incorrectly performed maintenance or repair voids this Limited Warranty. Disclaimer of Other Warranties: EXCEPT FOR THE LIMITED WARRANTY SPECIFIED HEREIN, THE PRODUCT IS PROVIDED “AS-IS” WITHOUT ANY WARRANTY OF ANY KIND WHATSOEVER INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
  • Page 82 Limitation of Liability: TO THE MAXIMUM EXTENT PERMITTED BY LAW, D-LINK IS NOT LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL OR EQUITABLE THEORY FOR ANY LOSS OF USE OF THE PRODUCT, INCONVENIENCE OR DAMAGES OF ANY CHARACTER, WHETHER DIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL (INCLUDING, BUT...
  • Page 83 • Consult the dealer or an experienced radio/TV technician for help. For detailed warranty information applicable to products purchased outside the United States, please contact the corresponding local D-Link office. Offices AUSTRALIA D-LINK AUSTRALIA 1 Giffnock Ave,North Ryde, NSW 2113, Australia...
  • Page 84 NORWAY D-LINK NORWAY Waldemar Thranesgt. 77, 0175 Oslo, Norway TEL: 47-22-991890 FAX: 47-22-207039 RUSSIA D-LINK RUSSIA 129626 Russia, Moscow, Graphskiy per., 14 Tel /fax +7 (095) 744-00-99 mailto:mail@dlink.ru , Web: www.dlink.ru SINGAPORE D-LINK INTERNATIONAL 1 International Business Park, #03-12 The Synergy, Singapore 609917 TEL: 65-774-6233 FAX: 65-774-6322 E-MAIL: info@dlink.com.sg URL: www.dlink-intl.com...
  • Page 85 Product registration is entirely voluntary and failure to complete or return this form will not diminish your warranty rights.

This manual is also suitable for:

Netdefend dfl-700

Table of Contents