DFL-500 User Manual 1 D-Link DFL-500 Network Security Firewall Manual Building Networks for People
DFL-500 User Manual 10Getting started This chapter describes unpacking, setting up, and powering on your DFL-500 NPG. When you have completed the proc
DFL-500 User Manual 100System Location Describe the physical location of the DFL-500 NPG. The system location description can be up to 31 characters l
DFL-500 User Manual 101Glossary Connection : A link between machines, applications, processes, and so on that can be logical, physical, or both. DNS,
DFL-500 User Manual 102Netmask : Also called subnet mask. A set of rules for omitting parts of a complete IP address to reach a target destination wit
DFL-500 User Manual 103VPN, Virtual Private Network : A network that links private networks over the Internet. VPNs use encryption and other security
DFL-500 User Manual 104Index A action policy option ActiveX removing from web pages address adding editing group IP/MAC binding virtual IP address gr
DFL-500 User Manual 105C clear communication sessions CLI configuring IP addresses connecting to concentrator adding VPN hub and spoke configuration h
DFL-500 User Manual 106DHCP dynamic IP list viewing dynamic IP/MAC list E email alert testing enabling a policy encryption adding IPSec firewall
DFL-500 User Manual 107first trap receiver IP address SNMP fixed port policy option from IP system status from port system status G gateway adding
DFL-500 User Manual 108IPSec IPSec VPN adding firewall policy AutoIKE key AutoIKE key remote gateway AutoIKE key VPN tunnel compatibility with I
DFL-500 User Manual 109user groups L2TP gateway configuring language web-based manager lease duration DHCP Local ID IPSec VPN remote gateway loca
DFL-500 User Manual 11Dimensions • 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm) Weight • 1.5 lb. (0.68 kg) Power requirements • DC input voltage:
DFL-500 User Manual 110IP addresses policy policy, adding NAT traversal about NAT/Route mode Nat-traversal IPSec VPN Remote Gateway netmask admi
DFL-500 User Manual 111external interface PPTP adding firewall policy configuring configuring gateway definition enabling ending IP network co
DFL-500 User Manual 112RIP routing gateway adding routing table adding a default route adding routes adding routes (Transparent mode) configurin
DFL-500 User Manual 113IPSec VPN tunnel viewing dialup connection status viewing VPN tunnel status subnet subnet address switching operating mode
DFL-500 User Manual 114URL block list clearing downloading uploading URL block message changing URL blocking configuring URLs blocking access e
DFL-500 User Manual 115name viewing status W web content filtering ActiveX cookies enabling Java applets Web filter policy option web pages co
DFL-500 User Manual 116Technical Support Offices AUSTRALIA D-LINK AUSTRALIA Unit 16, 390 Eastern Valley Way, Roseville, NSW 2069, Australia TEL
DFL-500 User Manual 117Registration Card Print, type or use block letters. Your name: Mr./Ms _________________________________________________________
DFL-500 User Manual 119 Limited Warranty D-Link Systems, Inc. (“D-Link”) provides this 1-Year warranty for its product only to the person or entity wh
DFL-500 User Manual 12Front and back view of the DFL-500 NPG Initial configuration When the DFL-500 NPG is first powered on, it is running i
DFL-500 User Manual 120Submitting A Claim. Any claim under this limited warranty must be submitted in writing before the end of the Warranty Period to
DFL-500 User Manual 121GOVERNING LAW: This 1-Year Warranty shall be governed by the laws of the state of California. Some states do not allow exclusio
DFL-500 User Manual 122Registration Register the D-Link DFL-500 Office Firewall online at http://www.dlink.com/sales/reg
DFL-500 User Manual 13• Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the DFL-500 NPG to the computer et
DFL-500 User Manual 14Data bits 8 Parity None Stop bits 1 Flow control None • Press Enter to connect to the DFL-500 CLI. The following prompt appears:
DFL-500 User Manual 15NAT/Route mode installation This chapter describes how to install your DFL-500 NPG in NAT/Route mode. If you want to install the
DFL-500 User Manual 16 Ending IP: _____._____._____._____ Netmask: _____._____._____._____ Default Route: _____._____._____._____ DNS IP
DFL-500 User Manual 17• Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in NAT/Route
DFL-500 User Manual 18DFL-500 NPG network connections Configuring your internal network If you are running the DFL-500 NPG in NAT/Route mode, your in
DFL-500 User Manual 19Transparent mode installation This chapter describes how to install your DFL-500 NPG in Transparent mode. If you want to install
DFL-500 User Manual 2 © Copyright 2003 D-Link Systems, Inc. All rights reserved. No part of this publication including text, examples, diagrams
DFL-500 User Manual 20Starting the setup wizard • Select Easy Setup Wizard (the button in the upper right corner of the web-based manager). • Use th
DFL-500 User Manual 21The CLI lists the Management IP address and netmask. Configure the Transparent mode default gateway • Login to the CLI if you ar
DFL-500 User Manual 22DFL-500 network connections
DFL-500 User Manual 23Firewall configuration By default, the users on your internal network can connect through the DFL-500 NPG to the Internet. The f
DFL-500 User Manual 24NAT/Route mode and Transparent mode The first step in configuring firewall policies is to configure the mode for the firewall. T
DFL-500 User Manual 25You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy. • Configure th
DFL-500 User Manual 26Telnet, or FTP. For users to be able to authenticate you must add an HTTP, Telnet, or FTP policy that is configured for authenti
DFL-500 User Manual 27Adding a NAT/Route Int -> Ext policy Adding Transparent mode policies Add Transparent mode policies to control the network
DFL-500 User Manual 28Action Select how the firewall should respond when the policy matches a connection attempt. You can configure the policy to dire
DFL-500 User Manual 29Adding a Transparent mode Int -> Ext policy Configuring policy lists The firewall matches policies by searching for a match
DFL-500 User Manual 3Table of Contents Introduction ...
DFL-500 User Manual 30 Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the po
DFL-500 User Manual 31Adding addresses • Go to Firewall > Address . • Select the interface to which to add the address. The list of addresses add
DFL-500 User Manual 32Organizing addresses into address groups You can organize related addresses into address groups to make it easier to add policie
DFL-500 User Manual 33• Predefined services • Providing access to custom services • Grouping services Predefined services To view the list of predefin
DFL-500 User Manual 34Adding a service group • To add services to the service group, select a service from the Available Services list and select th
DFL-500 User Manual 35• Set the Start date and time for the schedule. Set Start and Stop times to 00 for the schedule to cover the entire day. • Set
DFL-500 User Manual 36create an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the exte
DFL-500 User Manual 37Adding a static NAT virtual IP • In the Map to IP field, enter the real IP address on the more secure network, for example, t
DFL-500 User Manual 38Adding a Port Forwarding virtual IP • Enter the External Service Port number for which to configure port forwarding. The exte
DFL-500 User Manual 39Destination Select the virtual IP. Schedule Select a schedule as required. Service Select the service that matches the Map to Se
DFL-500 User Manual 4Firewall configuration... 23 NAT/Route mode and Tr
DFL-500 User Manual 40Adding an IP Pool IP/MAC binding IP/MAC binding protects the DFL-500 NPG and your network from IP spoofing attacks. IP spoofin
DFL-500 User Manual 41All packets that would normally be matched with policies to be able to go through the firewall are first compared with the entri
DFL-500 User Manual 42Viewing the dynamic IP/MAC list • Go to Firewall > IP/MAC Binding > Dynamic IP/MAC . Enabling IP/MAC binding • Go to Fir
DFL-500 User Manual 43Users and authentication DFL-500 NPGs support user authentication to the DFL-500 user database or to a RADIUS server. You can ad
DFL-500 User Manual 44• Select New to add a new user name. Adding a user name • Enter the user name. The user name can contain numbers (0-9) and upp
DFL-500 User Manual 45 Deleting the user name deletes the authentication configured for the user. Configuring RADIUS support If you have configured R
DFL-500 User Manual 46Configuring user groups Use the following information to add user groups to your DFL-500 configuration. You can add user names a
DFL-500 User Manual 47Adding a user group • To remove users or RADIUS servers from the user group, select a user or RADIUS server from the Members
DFL-500 User Manual 48IPSec VPNs Using IPSec Virtual Private Networking (VPN), you can securely join two or more widely separated private networks or
DFL-500 User Manual 49• ESP security in tunnel mode • DES and 3DES (TripleDES) encryption • Diffie-Hellman groups 1, 2, and 5 • HMAC MD5 authenticatio
DFL-500 User Manual 5Configuring user groups...
DFL-500 User Manual 50See Adding an encrypt policy. Configuring manual key IPSec VPN A manual key VPN configuration consists of a manual key VPN tunne
DFL-500 User Manual 51Configuring the VPN concentrator On the VPN concentrator network, you must create one VPN tunnel for each of the prospective VPN
DFL-500 User Manual 52See Adding an AutoIKE key VPN tunnel. Or, add a manual key VPN tunnel. See Adding a manual key VPN tunnel. • Add one encrypt po
DFL-500 User Manual 53The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See Adding an e
DFL-500 User Manual 54Mode. Enter the IP address of the dialup user or the domain name of the dialup user (for example, domain.com). If you do not add
DFL-500 User Manual 55For each variation, the remote gateway field of the dialup server remote gateway configuration must be set to dialup user and al
DFL-500 User Manual 56Aggressive mode with no user group Field Server Clients User Group None N/A Mode Aggressive Aggressive Authentication Key The s
DFL-500 User Manual 57About NAT traversal NAT (Network Address Translation) converts private IP addresses into routable public IP addresses. The DFL-5
DFL-500 User Manual 58Autokey Keep Alive Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed. Concentrator Sel
DFL-500 User Manual 59The DFL-500 NPG sends an alert email when replay detection detects a replay packet. To receive the alert email, you must configu
DFL-500 User Manual 6Changing the URL block message ...
DFL-500 User Manual 60 For all 3DES encryption algorithms, enter three hexadecimal numbers of up to 16 digits each. Use the same encryption key at bot
DFL-500 User Manual 61• Select OK to add the VPN concentrator. Adding a VPN concentrator Adding an encrypt policy Add encrypt policies to connect us
DFL-500 User Manual 62The destination address is the IP address of the remote network behind the remote VPN gateway. The destination address is the IP
DFL-500 User Manual 63Allow outbound Select Allow outbound to enable outbound users to connect to the destination address. Inbound NAT The DFL-500 NPG
DFL-500 User Manual 64AutoIKE key tunnel status Viewing dialup VPN connection status You can use the dialup monitor to view the status of dialup VPN
DFL-500 User Manual 65To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the pi
DFL-500 User Manual 66PPTP and L2TP VPNs Using PPTP and L2TP Virtual Private Networking (VPN), you can create a secure connection between a client com
DFL-500 User Manual 67PPTP VPN between a Windows client and the DFL-500 NPG Configuring the DFL-500 NPG as a PPTP gateway • Create a user group for
DFL-500 User Manual 68Example PPTP Range configuration When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supp
DFL-500 User Manual 69L2TP VPN configuration L2TP clients must be able to authenticate with the DFL-500 NPG to start an L2TP session. To support L2TP a
DFL-500 User Manual 7System configuration ...
DFL-500 User Manual 70• Select Enable L2TP. • Enter the Starting IP and the Ending IP for the L2TP address range. • Select the User Group that you ad
DFL-500 User Manual 71Web content filtering Use DFL-500 web content filtering for: • Enabling web content Filtering • Blocking web pages that contain
DFL-500 User Manual 72The DFL-500 NPG is now configured to block web pages containing words and phrases added to the banned word list. • Select New t
DFL-500 User Manual 73• Select Backup Banned Word List . The DFL-500 NPG downloads the banned word list to a text file on the management computer. Y
DFL-500 User Manual 74 URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does
DFL-500 User Manual 75You can add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard bla
DFL-500 User Manual 76• Clearing the Exempt URL list • Downloading the Exempt URL list • Uploading an Exempt URL list Adding URLs to the Exempt URL Li
DFL-500 User Manual 77Uploading an Exempt URL list You can create an Exempt URL list in a text editor and then upload the text file to the DFL-500 NPG
DFL-500 User Manual 78Logging and reporting You can configure the DFL-500 NPG to record 3 types of logs: • Traffic logs record all traffic that attemp
DFL-500 User Manual 79Example log settings Selecting what to log Use the following procedure to configure the type of information recorded in DFL-50
DFL-500 User Manual 8Introduction The DFL-500 Network Protection Gateway (NPG) is an easy-to-deploy and easy-to-administer solution that delivers exce
DFL-500 User Manual 80Configuring alert email • Go to System > Network > DNS . • If they have not already been added, add the primary and seco
DFL-500 User Manual 81Administration This chapter describes how to use the web-based manager to administer and maintain the DFL-500 NPG. It contains t
DFL-500 User Manual 82• Shutting down the DFL-500 NPG If you log into the web-based manager with any other administrator account, you can go to System
DFL-500 User Manual 83• Enter the following command to restart the DFL-500 NPG: > execute reboot As the DFL-500 NPG reboots, messages similar to t
DFL-500 User Manual 84When the interface addresses are changed, you can access the DFL-500 from the web-based manager and restore your configuration f
DFL-500 User Manual 85 This procedure deletes the changes that you have made to the DFL-500 NPG configuration and reverts the system to its original
DFL-500 User Manual 86The DFL-500 NPG changes operation mode. • To reconnect to the web-based manager, browse to the interface that you have configure
DFL-500 User Manual 87System status monitor At the top of the display, the system status monitor shows: CPU usage The current CPU usage statistics
DFL-500 User Manual 88Configuring the internal interface To configure the internal interface: • Go to System > Network > Interface . • For the
DFL-500 User Manual 89• Controlling management access to the external interface • Changing the external interface MTU size to improve network performa
DFL-500 User Manual 9• Administration describes DFL-500 management and administrative tasks. • The Glossary defines many of the terms used in this doc
DFL-500 User Manual 90Configuring the external interface Configuring the external interface for PPPoE Use the following procedure to configure the e
DFL-500 User Manual 91• For the external interface, select Modify . • Select the management Access methods for the external interface. HTTPS To all
DFL-500 User Manual 92Configuring the management interface (Transparent mode) In Transparent mode, you can configure the management interface for mana
DFL-500 User Manual 93If you select dead gateway detection you can also configure ping target, detection interval, and Fail-over detection for the rou
DFL-500 User Manual 94• Select OK to save the new route. Arrange routes in the routing table from more specific to more general. To arrange route
DFL-500 User Manual 95• Repeat these steps to add more routes as required. Providing DHCP services to your internal network If the DFL-500 NPG is oper
DFL-500 User Manual 96Sample DHCP settings Viewing the dynamic IP list If you have configured your DFL-500 NPG as a DHCP server, you can view a lis
DFL-500 User Manual 97• Setting system date and time • Changing web-based manager options • Adding and editing administrator accounts • Configuring SN
DFL-500 User Manual 98• Specify how often the DFL-500 NPG should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minute
DFL-500 User Manual 99• Select New to add an administrator account. • Type a login name for the administrator account. The login name must be at leas