D-Link DFL-160 SOHO UTM Firewall User Manual, Ver 1.00
Network Security Solution
http://www.dlink.com
User Manual
D-Link DFL-160 Firewall
NetDefendOS Version 2.25
D-Link Corporation, No. 289, Sinhu 3rd Rd, Neihu District, Taipei City 114, Taiwan R.O.C.
http://www.DLink.
Published 2009-05-14
Copyright © 2009

Copyright Notice
This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without written consent of the author.

Disclaimer
The information in this document is subject to change without notice.
Table of Contents
1. Product Overview (page 5)
1.1. The DFL-160 Solution (page 5)
1.2. Ethernet Interfaces (page 7)
1.3. The LED Indicators (page 9)
2. Initial Setup
C. Apple Mac IP Setup (page 116)
D. D-Link Worldwide Offices (page 118)
Alphabetical Index
Chapter 1. Product Overview
• The DFL-160 Solution, page 5
• Ethernet Interfaces, page 7
• The LED Indicators, page 9

1.1. The DFL-160 Solution
The NetDefend SOHO UTM product is a D-Link hardware/software solution designed for situations where a conventional IP router connected to the public Internet in a small organization or home environment does not have sufficient capabilities to provide the network security required to combat today's universe of potential external threats.
"Inside" and "Outside" Networks
NetDefendOS provides the administrator with the ability to control and manage the traffic that flows between the trusted "inside" networks and the much more threatening public Internet that lies "outside". The "outside" Internet network is connected to the DFL-160's WAN interface and the trusted "inside" network is connected to the LAN interface.
1.2. Ethernet Interfaces
Physical Interface Arrangement
The DFL-160 has a number of physical Ethernet interfaces which can be used to plug into other Ethernet networks. The image below shows these interfaces at the back of the hardware unit.

Interface Network Connections
The illustration below shows the typical usage of network connections to the DFL-160 interfaces.
are intended for connection to local, internal networks which will be protected from the outside Internet by the highest security available from the DFL-160. Interfaces LAN1 to LAN4 are connected together via a switch fabric in the DFL-160, which means that traffic travelling between them will not be subject to the control of NetDefendOS. All four are considered to be part of the single logical LAN interface.
1.3. The LED Indicators
On the front portion of the DFL-160 casing are a set of indicator lights which show system status and Ethernet port activity.

Power and Status
The power light is illuminated when power is applied and the status light is illuminated after NetDefendOS has completed start up or if the boot menu has been entered prior to complete startup (the latter is described in Chapter 8, The Console Boot Menu).
Chapter 2. Initial Setup
• Unpacking, page 11
• Web Browser Connection, page 13
• Browser Connection Troubleshooting, page 18
• Console Port Connection, page 19

2.1. Unpacking
Package Contents
Carefully open the product packaging and inside you will find the following:
• The DFL-160 hardware unit.
• The DFL-160 Quick Installation Guide.
• A plug-in 12 Volt/1.2 Amp power supply with connecting cable.
• One Category 5e Ethernet cable.
Environmental and Operating Parameters
The following table lists the key environmental and operating parameters for the DFL-160 hardware.
2.2. Web Browser Connection
This section describes the steps for accessing a DFL-160 for the first time through a web browser. The user interface accessed in this way is known as the NetDefendOS Web Interface (or WebUI).

1. Connect the Cables
The DFL-160 and a management workstation (typically a Windows PC) running a web browser should be physically connected together so they are on the same Ethernet network.
4. Connect to the DFL-160 by Surfing to the IP address 192.168.10.1
Using a web browser (Internet Explorer or Firefox is recommended), surf to the IP address 192.168.10.1. This can be done using either HTTP or the more secure HTTPS protocol in the URL. These two alternatives are discussed next.

A. Using HTTP
Enter the address http://192.168.10.1 into the browser navigation window as shown below. This will send an initial browser request to the DFL-160.
The available management web interface language options are selectable at the bottom of this dialog. This defaults to the language set for the browser if NetDefendOS supports that language. Now login with the username admin and the password admin. The full web interface will now appear as shown below and you are ready to begin setting up the initial DFL-160 configuration.
of time is fixed. After automatic logout occurs, the next interaction with the management web interface will take the browser to the login page.

Connecting to the Internet
In the typical DFL-160 installation the next step is to connect to the public Internet. To do this the WAN interface should be connected to your Internet Service Provider (ISP). This is usually done through other equipment such as a broadband modem.
features of the product and bring into use those which meet the needs of a particular installation. It is recommended that administrators familiarize themselves with the web interface by clicking on the main menu options and exploring the individual options available with each. The later part of this manual has a structure which reflects the naming and order of these menu options.
2.3. Browser Connection Troubleshooting
If the management interface does not respond after the DFL-160 has powered up and NetDefendOS has started, there are a number of simple steps to troubleshoot basic connection problems:

1. Check that the LAN interface is being used
The most obvious problem is that the wrong DFL-160 interface has been used for the initial connection.
2.4. Console Port Connection
Initial setup of the DFL-160 can be done using only the web interface but the DFL-160 also provides a Command Line Interface (CLI) which can be used for certain administrative tasks. This is accessed through a console connected directly to the unit's RS232 COM port, which is shown below. All CLI commands are listed in Appendix A, CLI Reference.
buffer allocated for output. This buffer limit means that a single large volume of console output may be truncated. This happens rarely and only with certain commands.

The DFL-160 USB Port
Next to the RS232 port is a USB port. This port is not used with the current version of NetDefendOS.
Chapter 3. The System Menu
• Administration, page 22
• Internet Connection, page 25
• LAN Settings, page 27
• DMZ Settings, page 30
• Logging, page 33
• Date and Time, page 35
• Dynamic DNS Settings, page 37

The System menu options allow the administrator to control and manage essential operating settings of the DFL-160. The sections that follow describe the options in this menu in the order they appear.
3.1. Administration
The recommendation is to restrict the interfaces which allow management access and to always use the HTTPS protocol to ensure that management communication is encrypted. The only advantage in using HTTP for management access is to avoid the issue with certificates.
For instance, if HTTPS is used for management access and HTTPS inbound traffic is enabled (this is done in Section 4.3, "Inbound Traffic Options") then both will use the port number 443 and there will be a problem. The port number for management traffic and normal HTTPS traffic must be unique. The solution is to change the HTTPS port for administrator access to, for example, port 400. Then the administrator surfs to the IP https://192.168.10.
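The port collision described above, together with the two recommendations from the start of this section (restrict management interfaces, use HTTPS), can be checked mechanically before a configuration is applied. The following is an added example written for this manual, not D-Link's own code; the data classes and the interface and host names are assumptions.

```python
from dataclasses import dataclass
from typing import List

# Constructed model of the two settings the manual says can collide: the
# administrative web-interface listener and the inbound traffic rules.

@dataclass
class ManagementAccess:
    protocol: str          # "HTTP" or "HTTPS"
    port: int              # 80 or 443 by default; e.g. 400 after the fix in the text
    interfaces: List[str]  # interfaces on which management access is allowed


@dataclass
class InboundRule:
    name: str         # e.g. "HTTPS", or the name of a custom traffic rule
    protocol: str     # "TCP" or "UDP"
    port: int         # port accepted on the WAN interface
    destination: str  # internal host the traffic is forwarded to


@dataclass
class Finding:
    severity: str     # "error" blocks the change, "warning" is advisory
    message: str


def check_management_config(mgmt: ManagementAccess,
                            inbound: List[InboundRule]) -> List[Finding]:
    """Return findings for port collisions and weak management exposure."""
    findings: List[Finding] = []

    # 1. Port collision: management is TCP (HTTP/HTTPS), so only TCP rules
    #    on the same port number conflict with it.
    for rule in inbound:
        if rule.protocol.upper() == "TCP" and rule.port == mgmt.port:
            findings.append(Finding(
                "error",
                f"management {mgmt.protocol} port {mgmt.port} collides with inbound "
                f"rule '{rule.name}' forwarded to {rule.destination}; "
                f"move management access to a different port"))

    # 2. Unencrypted management: credentials and session cookies travel in clear.
    if mgmt.protocol.upper() == "HTTP":
        findings.append(Finding(
            "warning", "management access uses HTTP; switch to HTTPS"))

    # 3. Management reachable from the public Internet.
    if "WAN" in (i.upper() for i in mgmt.interfaces):
        findings.append(Finding(
            "warning", "management access is enabled on WAN; restrict it to LAN"))

    return findings


def severities(findings: List[Finding]) -> List[str]:
    return [f.severity for f in findings]


if __name__ == "__main__":
    # Constructed sample: HTTPS management on 443 while an inbound HTTPS
    # rule forwards WAN port 443 to a DMZ web server (address is an assumption).
    inbound = [InboundRule("HTTPS", "TCP", 443, "192.168.1.10")]
    before = ManagementAccess("HTTPS", 443, ["LAN", "WAN"])
    after = ManagementAccess("HTTPS", 400, ["LAN"])   # the fix the manual suggests
    for f in check_management_config(before, inbound):
        print(f"{f.severity}: {f.message}")
    print("after fix:", check_management_config(after, inbound))
```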
3.2. Internet Connection
The options on this page allow the administrator to specify the communications protocol with which the WAN interface is connected to the public Internet via an Internet Service Provider (ISP). Your ISP will provide details of their connection. The first task is to make a physical Ethernet connection between the DFL-160's WAN interface and the ISP.
The Idle Timeout is the length of time of inactivity that passes before PPPoE disconnection occurs if Dial-on-Demand is selected. DNS servers are set automatically after connection with PPPoE.

D. PPTP Connection
With this option, the username and password supplied by your ISP for the PPTP connection should be entered.
3.3. LAN Settings
The settings in this part of the management web interface determine how the DFL-160's LAN interface operates. These settings are very similar to the corresponding page for the DMZ interface (see Section 3.4, "DMZ Settings").

The Logical LAN Interface
There are four physical interfaces in the DFL-160 hardware which are labeled LAN1...LAN4. As explained in Section 1.
• NAT Mode
This mode enables Dynamic Network Address Translation (NAT) between the LAN and WAN interfaces. This means that the individual IP addresses of hosts on the LAN interface will be hidden from the public Internet. All traffic coming from the public Internet to LAN hosts will be directed to the public IP address of the WAN interface and NetDefendOS will perform the necessary IP address translation.
with a particular MAC address. When a request for a DHCP lease is received on the interface, NetDefendOS checks the MAC address of the requesting DHCP client against the list. If a match is found, the IP address that has been associated with the MAC address is the one that is handed out. The screenshot below shows how this option appears in the web interface. Combinations of IP address and MAC address can be added to the list.
3.4. DMZ Settings
The settings in this part of the management web interface determine how the DFL-160's DMZ interface operates. These settings are very similar to the corresponding page for the LAN interface (see Section 3.3, "LAN Settings").

DMZ Interface Options
There are three sections on this page of the web interface:
A. DMZ Interface Settings
B. Mode
C. DHCP Server Settings

A.
• Router Mode
This is the mode used if NAT is not used. It means that each of the individual hosts and users on the DMZ network needs its own public IP address in order to communicate with the public Internet. Although not recommended when WAN is connected to the public Internet, there may be situations where NAT cannot be applied and the individual DMZ network addresses need to be exposed through the WAN interface.
This feature allows the same IP address to be always allocated to a particular DHCP client.

Transparent Mode and the Interface IP Address
There are some considerations that should be noted with the DMZ IP address when transparent mode is enabled:
• In transparent mode, the DMZ interface will take on the same IP address as the WAN interface.
3.5. Logging
NetDefendOS Log Messages
During NetDefendOS operation, log messages are routinely generated to indicate when certain events occur. These messages form an important audit trail that shows what has occurred during system operation and they can be dealt with in various ways. There are dozens of events for which event messages can be generated. The events range from high-level user events down to low-level system events.
messages generated by NetDefendOS. By enabling this option, these log messages will be included.

C. Email Alerts
NetDefendOS can be configured to send emails to up to three email addresses when log messages are generated that are equal to or exceed a defined threshold. This threshold is referred to as the sensitivity.
3.6. Date and Time
A variety of NetDefendOS functions depend on the system date and time being set correctly for the DFL-160. It is therefore recommended to set the correct time and date as soon as possible. There are three time and date options:
A. General
B. Time zone and daylight saving time settings
C. Automatic time synchronization

A.
When usage of time servers is enabled, NetDefendOS will poll them on a regular basis and then adjust the DFL-160 system clock with the exact time. If the time server and the current time differ by more than one hour (60 minutes) then the time server is ignored.
3.7. Dynamic DNS Settings
A DNS feature offered by NetDefendOS is the ability to explicitly inform DNS servers when the external IP address of the DFL-160 has changed. This is sometimes referred to as Dynamic DNS (DDNS) and is useful where the DFL-160 has an external IP address that can change.
Chapter 4. The Firewall Menu
• Outbound LAN Traffic Options, page 40
• Outbound DMZ Traffic Options, page 42
• Inbound Traffic Options, page 44
• VPN Options, page 46
• VPN Users, page 51
• Web Content Filtering, page 52
• Anti-Virus, page 61
• IDP Options, page 64
• Schedules, page 67

The options in the Firewall menu allow the administrator to control and manage the features of the DFL-160 that are specific to a firewall.
against internal resources.
• Time schedules can be set up which can then be used to specify the times when security policies are applied.
• Lists of users that are allowed to access protected resources can be specified.

The sections that follow describe the options in this menu in the order they appear.
4.1. Outbound LAN Traffic Options
For a custom protocol it is necessary to specify if the protocol uses TCP or UDP connections or both, and to specify the port number the protocol will try to connect to at the other end of the connection.

Specifying a Schedule
A named Schedule can be defined through the Firewall > Schedules menu option and this can then be used with any individual protocol allowed for outgoing traffic from the LAN interface.
4.2. Outbound DMZ Traffic Options
The Meaning of Outbound
These options determine what types of traffic can pass between the DMZ network and the WAN interface when the connection is initiated by a client or host on the DMZ network. For instance, the retrieval of data from a web server on the public Internet is still considered part of outbound traffic if the retrieval request is initiated by a web surfer sitting on the DMZ network.
Specifying a Schedule
A named Schedule can be defined through the Firewall > Schedules menu option and this can then be used with any individual protocol allowed for outgoing traffic from the LAN interface. Schedules specify a period of time when a particular selection is valid. For example, the administrator might decide to not allow web surfing during working hours.
4.3. Inbound Traffic Options
This set of NetDefendOS options deals with using firewalling to protect against inbound traffic. The term inbound refers to connections that are initiated from the public Internet on the WAN interface. These connections are typically made to access some resource that sits behind the DFL-160, such as an HTTP server that is sitting on the DMZ network.
C. Custom Traffic
If a particular protocol does not appear in the standard list of protocols then a Custom Traffic "rule" can be created which allows incoming TCP or UDP traffic through on a specified port. As explained above, the custom rule must have a destination IP address specified, which is either an internal IP address if NAT is being used or a public IP address if NAT is not being used.
4.4. VPN Options
VPN Usage
The Internet is increasingly used as a means to connect together computers since it offers efficient and inexpensive communication. The requirement therefore exists for data to traverse the Internet to its intended recipient without another party being able to read or alter it. A VPN allows the setting up of a tunnel between two devices known as tunnel endpoints. All data flowing through the tunnel is then secure.
In summary, a VPN allows the public Internet to be used for setting up secure communications or tunnels between DFL-160s or between a DFL-160 and other security gateway devices or clients.

VPN with the DFL-160
NetDefendOS supports setting up tunnels using the following types of tunnel protocols for secure communication:
• IPsec tunnels.
• L2TP tunnels. Using L2TP tunnels the DFL-160 can either be:
1. An L2TP client - which connects to an L2TP server.
2.
• IKE negotiates how IKE should be protected.
• IKE negotiates how IPsec should be protected.
• An IPsec tunnel is established which is used to securely transport data.

The following sections are used in the web interface for IPsec setup:
A. General
B. Authentication
C. Tunnel Type

A. General
Here, a textual Name for the tunnel is specified. This is used only for identifying the tunnel for management purposes in the web interface.
Currently established IPsec tunnels can be listed and their usage examined through the IPsec option in the Status menu (see Section 6.8, "IPsec Status").

4.4.2. L2TP/PPTP Client
This option allows a tunnel to be set up where the DFL-160 acts as an L2TP or PPTP client. In this mode, a tunnel is set up where the DFL-160 connects to an L2TP or PPTP server.
The Idle Timeout is the length of time of inactivity that passes before tunnel disconnection occurs.

4.4.3. L2TP/PPTP Server
This option allows VPN tunnels to be set up based on the L2TP protocol, where the DFL-160 acts as an L2TP or PPTP server, receiving connection requests from external clients.
4.5. VPN Users
The User Database
This page in the web interface allows the administrator to enter the details of new users into the NetDefendOS user database and to also administer these users by making deletions or changes. There is no limit on the database size. The NetDefendOS user authentication database is used only with VPN.
4.6. Web Content Filtering
4.6.1. Options
The Web Content Filtering (WCF) options allow control over the types of web surfing allowed by clients on the LAN or DMZ. When web browsers try to access a URL on the public Internet through the WAN interface, NetDefendOS checks the URL against a D-Link URL database to find out what category it is. For instance, a URL for a web site like CNN might belong to the News category.
B. Web Content Filter
The option here is to enable or disable web content filtering. Note that HTTP and HTTPS traffic (or all traffic) should be allowed in the outgoing traffic options for the LAN or DMZ interfaces for clients on those networks to be able to reach the public Internet.

C. Categories
The administrator adds the categories that are to be blocked from the choices in the left table to the selected list in the right.
It is possible to explicitly allow or explicitly block certain URLs by adding one or more Static URL Filters. This is also referred to as whitelisting and blacklisting, and the URLs specified in such filters are not looked up by the WCF subsystem. When defining a URL filter it is important to note that wildcarding can be used when specifying the URL. The wildcard character "*" can represent any sequence of characters in the URL.
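The decision flow just described (static wildcard filters first, then a category lookup against the administrator's blocked list) is shown in this added example, which is illustrative code written for this manual and not D-Link's WCF implementation. The stand-in URL database, the rule that whitelist entries are tested before blacklist entries, and the treatment of uncategorized sites as allowed are all assumptions; the category numbers are those listed in the following subsection.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Category numbers as listed in the manual's content categories section.
CATEGORIES: Dict[int, str] = {
    3: "Job Search", 11: "Investment Sites", 16: "Sports",
    18: "Violence / Undesirable", 29: "Computing/IT", 30: "Swimsuit/Lingerie/Models",
}

# Constructed stand-in for the D-Link URL database (hostname -> category id).
SAMPLE_URL_DB: Dict[str, int] = {
    "www.gnu.org": 29,
    "www.itstinks.com": 18,
}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a static filter entry into an anchored regex.

    Only '*' is special (any sequence of characters); every other character
    is matched literally, so '.' and '?' in a URL are not treated as regex.
    A pattern without '*' must match the whole URL, not a prefix of it.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def strip_scheme(url: str) -> str:
    """Filters are assumed to be written without http:// or https://."""
    for scheme in ("http://", "https://"):
        if url.lower().startswith(scheme):
            return url[len(scheme):]
    return url


def static_filter(url: str, allow: Iterable[str], block: Iterable[str]) -> Optional[str]:
    """Return 'allow', 'block', or None when no static entry matches."""
    target = strip_scheme(url)
    for pattern in allow:              # assumption: whitelist wins over blacklist
        if wildcard_to_regex(pattern).match(target):
            return "allow"
    for pattern in block:
        if wildcard_to_regex(pattern).match(target):
            return "block"
    return None


def category_of(url: str) -> Optional[int]:
    """Hostname-only lookup in the constructed database (no port, no path)."""
    host = strip_scheme(url).split("/", 1)[0].split(":", 1)[0].lower()
    return SAMPLE_URL_DB.get(host)


def wcf_decision(url: str, allow: Iterable[str], block: Iterable[str],
                 blocked_categories: Set[int]) -> Tuple[str, str]:
    """Full WCF verdict as (decision, reason)."""
    verdict = static_filter(url, allow, block)
    if verdict == "allow":
        return ("allow", "static whitelist")
    if verdict == "block":
        return ("block", "static blacklist")
    cat = category_of(url)
    if cat is None:
        return ("allow", "uncategorized")     # assumption: unknown sites pass
    name = CATEGORIES.get(cat, "unknown")
    if cat in blocked_categories:
        return ("block", f"category {cat}: {name}")
    return ("allow", f"category {cat}: {name}")


if __name__ == "__main__":
    blocked = {18, 29}
    for u in ("http://www.gnu.org/software/", "www.mp3space.com/top", "www.dailyscoop.com"):
        print(u, "->", wcf_decision(u, ["*.example-intranet.local*"], ["*mp3*"], blocked))
```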
online news publications and technology or trade journals. This does not include financial quotes, refer to the Investment Sites category (11), or sports, refer to the Sports category (16). Examples might be:
• www.newsunlimited.com
• www.dailyscoop.com

Category 3: Job Search
A web site may be classified under the Job Search category if its content includes facilities to search for or submit online employment applications.
form of entertainment that is not specifically covered by another category. Some examples of this are music sites, movies, hobbies, special interest, and fan clubs. This category also includes personal web pages such as those provided by ISPs.
A web site may be classified under the E-Banking category if its content includes electronic banking information or services. This category does not include Investment related content; refer to the Investment Sites category (11). Examples might be:
• www.nateast.co.uk
• www.borganfanley.
Category 18: Violence / Undesirable
A web site may be classified under the Violence / Undesirable category if its contents are extremely violent or horrific in nature. This includes the promotion, description or depiction of violent acts, as well as web sites that have undesirable content and may not be classified elsewhere. Examples might be:
• www.itstinks.com
• www.ratemywaste.
A web site may be classified under the Music Downloads category if it provides online music downloading, uploading and sharing facilities as well as high bandwidth audio streaming. Examples might be:
• www.onlymp3s.com
• www.mp3space.
Category 29: Computing/IT
A web site may be classified under the Computing/IT category if its content includes computing related information or services. Examples might be:
• www.purplehat.com
• www.gnu.org

Category 30: Swimsuit/Lingerie/Models
A web site may be categorized under the Swimsuit/Lingerie/Models category if its content includes information pertaining to, or images of, swimsuit, lingerie or general fashion models.
4.7. Anti-Virus
Overview
The NetDefendOS Anti-Virus module protects against malicious code carried in file downloads. Files may be downloaded as part of a web page in an HTTP transfer, in an FTP download, or perhaps as an attachment to an email delivered through SMTP.
leader in the field of virus detection. The database provides protection against virtually all known virus threats including trojans, worms, backdoor exploits and others. The database is also thoroughly tested to provide near zero false positives. NetDefendOS Anti-Virus scanning is a subscription based service and yearly subscriptions can be purchased from your local D-Link agent. After purchase, you will receive a code which is then used for activating IDP.
the exclusion list such a file might not be scanned. To avoid this situation, NetDefendOS always performs MIME checking, where it looks inside the file to determine what the true filetype of the data is. Only if the filetype determined by MIME checking is on the exclude list is virus scanning skipped.
4.8. IDP Options
The Intrusion Threat
Computer servers can sometimes have vulnerabilities which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks which, if successful, can potentially compromise or take control of a server. A generic term that can be used to describe these server oriented threats is Intrusions.
Enabling IDP for a Protocol
The IDP page of the NetDefendOS web interface lists a set of protocols which can be scanned by the IDP subsystem. Selecting any of the protocols switches on IDP scanning.

Dropping Connections or Only Logging
When IDP is enabled, the administrator has two options for how detected intrusions are dealt with:
• Log only.
• Log and drop connection.
This category is similar to Scanners in that it is not protocol specific but provides an additional "catch all" protection against intrusion attempts that are not specific to a particular protocol. With both Worms and Malware and Scanners, it is important to use them with caution since they will use more processing resources by increasing the scanning load.
4.9. Schedules
Schedules are used to determine when certain features in NetDefendOS are enabled. For instance, it may be decided to allow web surfing from clients on the LAN interface only at certain times of the day. In this case, we would create a schedule that contained the times when surfing is allowed and then associate the schedule with the enabled HTTP option of Outbound LAN Traffic in the Firewall menu options.
The comments field allows some text explanation to be added to the schedule. It serves only as a reminder to the administrator what the schedule was intended for.
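The way a schedule gates an enabled outbound protocol, as described here and in the "Specifying a Schedule" paragraphs of Sections 4.1 and 4.2, can be modelled as follows. This is an added example written for this manual, not NetDefendOS code; the representation of a schedule as per-weekday minute windows and the rule/schedule data classes are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

MINUTES_PER_DAY = 24 * 60


def hm(hours: int, minutes: int = 0) -> int:
    """Minutes since midnight, used to express window boundaries (end is exclusive)."""
    return hours * 60 + minutes


@dataclass
class Schedule:
    """A named schedule: weekday (0 = Monday ... 6 = Sunday) -> list of (start, end) windows."""
    name: str
    comment: str = ""                         # the reminder text the manual mentions
    windows: Dict[int, List[Tuple[int, int]]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        # Windows are confined to one calendar day; a window that should span
        # midnight is written as two windows (late evening, early morning).
        for day, ranges in self.windows.items():
            for start, end in ranges:
                if not (0 <= start < end <= MINUTES_PER_DAY):
                    raise ValueError(f"{self.name}: bad window {start}-{end} on weekday {day}")

    def is_active(self, at: datetime) -> bool:
        minute = at.hour * 60 + at.minute
        return any(start <= minute < end for start, end in self.windows.get(at.weekday(), []))


@dataclass
class OutboundRule:
    """One entry of the Outbound LAN/DMZ Traffic page: a protocol that may be enabled
    and optionally tied to a schedule."""
    protocol: str
    enabled: bool
    schedule: Optional[Schedule] = None


def outbound_allowed(rules: Dict[str, OutboundRule], protocol: str, at: datetime) -> bool:
    """A protocol passes only if it is enabled and its schedule (if any) is active now."""
    rule = rules.get(protocol)
    if rule is None or not rule.enabled:
        return False
    if rule.schedule is None:
        return True
    return rule.schedule.is_active(at)


def make_after_hours_schedule() -> Schedule:
    """The manual's example: no web surfing during working hours (taken as
    Monday to Friday, 08:00 to 17:00; this definition is an assumption)."""
    weekday_windows = [(hm(0), hm(8)), (hm(17), hm(24))]
    all_day = [(hm(0), hm(24))]
    return Schedule(
        name="after_hours",
        comment="surfing allowed outside working hours only",
        windows={d: list(weekday_windows) for d in range(5)} | {5: all_day, 6: all_day},
    )


def example_rules() -> Dict[str, OutboundRule]:
    return {
        "HTTP": OutboundRule("HTTP", True, make_after_hours_schedule()),
        "FTP": OutboundRule("FTP", True),            # no schedule: always allowed
        "SMTP": OutboundRule("SMTP", False),         # disabled: never allowed
    }


if __name__ == "__main__":
    rules = example_rules()
    for when in (datetime(2009, 5, 18, 10, 0), datetime(2009, 5, 18, 18, 30),
                 datetime(2009, 5, 23, 12, 0)):
        print(when, "HTTP allowed:", outbound_allowed(rules, "HTTP", when))
```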
Chapter 5. The Tools Menu
• Ping, page 70

The Tools menu provides access to features which can be helpful in overall system operation. The sections that follow describe the options in this menu in the order they appear.

5.1. Ping
The ICMP ping protocol provides a simple query/response tool to determine if a particular network component is alive. A ping request asks the question "are you there" of a given IP address, and the response is either "yes I am" or there is no response and the request times out.
Chapter 6. The Status Menu
• System Status, page 73
• Logging Status, page 75
• Anti-Virus Status, page 76
• Web Content Filtering Status, page 77
• IDP Status, page 78
• Connections Status, page 79
• Interfaces Status, page 80
• IPsec Status, page 82
• User Authentication Status, page 83
• Routes, page 84
• DHCP Server Status, page 85

The Status menu of the DFL-160 web interface provides various views of the current status, performance and loading of the various subsystems that make up NetDefendOS.
6.1. System Status
The System Status page is the default page that is shown when the web interface opens after logging in to NetDefendOS as administrator. The status display is divided into three parts:
A. System Resources
B. UTM Statistics
C. Log History

A. System Resources
Various graphical displays and numerical values show the current status of the DFL-160 system and how its resources are being used.

B.
Clicking the More... link in the display will take you to the Logging option in the System menu for a more complete list of recent events and the filters to analyze them. The details of NetDefendOS logging can be found in Section 3.5, "Logging".
6.2. Logging Status
Various events that occur in NetDefendOS cause log messages to be created. All possible log messages generated are documented in the accompanying DFL-160 Log Message Reference Guide. An external Syslog server can be configured to receive these events, as described in Section 3.5, "Logging". That section also describes setting up email alerts for certain events.
6.3. Anti-Virus Status
This page of the web interface provides the ability to view and filter the last 500 log messages generated by just the Anti-Virus subsystem. These same messages can also appear mixed in with other messages in the Logging page in the Status menu (described in Section 6.2, "Logging Status").
6.4. Web Content Filtering Status
This page of the web interface provides the ability to view and filter the last 500 log messages generated by just the Web Content Filtering (WCF) subsystem. These same messages can also appear mixed in with other messages in the Logging page in the Status menu (described in Section 6.2, "Logging Status").
6.5. IDP Status
This page of the web interface provides the ability to view and filter the last 500 log messages generated by just the IDP subsystem. These same messages can also appear mixed in with other messages in the Logging page in the Status menu (described in Section 6.2, "Logging Status"). Log messages are visible in 100 message blocks on the page and tools are also provided for filtering out messages of interest based on various criteria.
6.6. Connections Status
A connection in NetDefendOS refers to either a normal TCP/IP connection set up to perform a transfer of data or a UDP packet based "connection", where a stream of packets is being sent from a sender to a receiver (such as in a streaming video transfer). This page of the web interface shows the currently established connections.
6.7. Interfaces Status
This option can show the current status for each of the DFL-160 interfaces. When one of the interfaces is selected from a drop-down box in this page, information about the interface's status is displayed, both in numerical and graphical form. The sections displayed for the chosen interface are:
A. Interface Status
B. Driver Information/Hardware Statistics
C. Throughput Statistics

A.
Secondly, the statistics for received (incoming) traffic are shown over the last 24 hours. An example is shown below (the image is also truncated on the right side).
6.8. IPsec Status
List VPN Interfaces
This option (the default) shows all the currently established VPN tunnels (also known as VPN interfaces). An example of this display is shown below.

List all active IKE SAs
An IKE Security Association (SA) is an entity that defines the encryption methods and other parameters that will be used for data flowing from one end of an IPsec tunnel to the other.
6.9. User Authentication Status

This page of the web interface displays the users who have been authenticated and are using a VPN tunnel. An example of the user authentication display is shown below.

The Forcibly Logout Option

For each user, the administrator has the option to force that user to log out. This can be useful if suspicious activity is seen coming from a particular logged in user.
6.10. Routes

A Brief Overview of Routing

A list of all routes is maintained by NetDefendOS in its internal routing table. The routing table indicates which networks can be reached through which interface. When traffic arrives at the DFL-160 on one interface, NetDefendOS consults the routing table to determine the interface on which the traffic should be forwarded so that it reaches its intended destination.
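The lookup described above is a longest-prefix match: the most specific route covering the destination wins, and among equally specific routes the lower metric wins. The following Python is an added example of that lookup, not D-Link code; the routing table, interface names, gateway and metrics in it are constructed. Its describe() output deliberately mirrors the "using route ... via wan, no gw" line that the ping -v command prints in Appendix A.

```python
"""Longest-prefix-match route lookup, modelled on the NetDefendOS routing
table described in this section (added example, not D-Link code).
Route entries, interface names, gateways and metrics are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    network: IPv4Network                    # destination network the route covers
    interface: str                          # interface traffic is forwarded on
    gateway: Optional[IPv4Address] = None   # next hop; None means directly attached
    metric: int = 0                         # lower wins between equally specific routes

    def describe(self) -> str:
        # Same wording as the 'ping -v' output: "192.168.12.0/22 via wan, no gw"
        gw = f"gw {self.gateway}" if self.gateway else "no gw"
        return f"{self.network} via {self.interface}, {gw}"


def route(network: str, interface: str, gateway: Optional[str] = None, metric: int = 0) -> Route:
    """Convenience constructor taking plain strings."""
    return Route(IPv4Network(network), interface,
                 IPv4Address(gateway) if gateway else None, metric)


class RoutingTable:
    def __init__(self, routes: Iterable[Route]) -> None:
        self.routes = list(routes)

    def lookup(self, dst: str) -> Optional[Route]:
        """Return the most specific route for dst, or None if nothing covers it."""
        addr = IPv4Address(dst)
        candidates = [r for r in self.routes if addr in r.network]
        if not candidates:
            return None
        # Longest prefix first; on a tie the lowest metric wins.
        return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed table: directly attached LAN and DMZ networks, a transit
# network behind the WAN port, and two default routes with different metrics.
TABLE = RoutingTable([
    route("192.168.10.0/24", "lan"),
    route("172.17.100.0/24", "dmz"),
    route("192.168.12.0/22", "wan"),
    route("0.0.0.0/0", "wan", gateway="10.0.0.1", metric=100),
    route("0.0.0.0/0", "dmz", gateway="172.17.100.254", metric=200),
])


def forward(dst: str) -> str:
    """Interface chosen for dst by TABLE, or 'no route'."""
    r = TABLE.lookup(dst)
    return r.interface if r else "no route"


if __name__ == "__main__":
    for host in ("192.168.10.5", "192.168.12.1", "8.8.8.8"):
        r = TABLE.lookup(host)
        print(f'{host}: using route "{r.describe()}"')
```

Note that the two default routes are only distinguished by metric; a host such as 8.8.8.8 matches both, and the WAN route is chosen because its metric is lower, which is the behaviour the Routes page's metric column reflects.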
6.11. DHCP Server Status

As explained in Section 3.3, “LAN Settings” and Section 3.4, “DMZ Settings”, the LAN and DMZ interfaces can be configured to act as DHCP servers, allocating IP addresses from a predefined IP range to any users or hosts that require them. This option in the Status menu allows the administrator to see which DHCP servers are configured and the status of these servers.
Chapter 7. The Maintenance Menu

• The Update Center, page 87
• Licenses, page 89
• Backups, page 91
• Reset to Factory Defaults, page 92
• Upgrades, page 93
• Technical Support, page 94

The Maintenance menu options deal with routine administrative tasks such as backups and software upgrades. The sections that follow describe the options in this menu in the order they appear.
7.1. The Update Center

The default interval is Daily and this is recommended to keep the databases updated with the latest releases. The databases are seldom updated more than once a day.

C. History

This tab shows the history of recent database updates and can also indicate whether there were problems with server access or downloading.
7.2. Licenses

The license page shows information about the current license installed in the DFL-160. When the DFL-160 is initially delivered it comes with a standard license preinstalled which determines the capabilities of the system.
• PPP Tunnels: The maximum number of PPP tunnels that can be created which terminate at the WAN interface.

To expand the capabilities of the standard product license, consult your local D-Link representative.
7.3. Backups

The administrator can take a snapshot of a NetDefendOS system at a given point in time and restore it when necessary. The snapshot can be of two types:

• A configuration backup, which does not include the installed NetDefendOS version. This is a recommended precaution that allows the configuration at a given point in time to be restored, provided the NetDefendOS version does not change.
7.4. Reset to Factory Defaults

Reset Through Software

A restore to factory defaults can be applied to return the unit to the original state in which it was shipped by D-Link. When a restore is applied in this way, all configuration data is lost and the IDP and Anti-Virus databases are lost, which means they must be reloaded.
7.5. Upgrades

New releases of NetDefendOS are routinely made available by D-Link. These releases are available as a single file which can be uploaded to the DFL-160 through this page in the web interface. NetDefendOS upgrades can be downloaded for free from your local D-Link site or from the D-Link NetDefend Center at http://security.dlink.com.tw.
7.6. Technical Support

This section of the web interface allows the user to easily download a file of useful troubleshooting information that can be emailed to technical support personnel. After clicking the Download support file button, a file is automatically generated by NetDefendOS, downloaded through the web interface, and can be saved to the local disk.
Chapter 8. The Console Boot Menu

The NetDefendOS loader is the base software on top of which NetDefendOS runs, and the administrator's direct interface to it is called the console boot menu (also known simply as the boot menu). This section discusses the boot menu options.

Accessing the Console Boot Menu

The boot menu is only accessible through a console device attached directly to the serial console port on the DFL-160 (see Section 2.4, “Console Port Connection”).
A password should be set for console access. If no password is set, anyone with access to the console port can use the console. After it is set, the console will prompt for the password before access is allowed to either the boot menu or the command line interface (CLI) (more on the CLI can be found in Appendix A, CLI Reference).
Chapter 9. Troubleshooting

When the DFL-160 does not behave as expected, the following CLI tools are available to troubleshoot problems.

The stat CLI Command

If a serious NetDefendOS problem is suspected, the first step should be to use the console command:

> stat

The stat command indicates the date and time of the last system shutdown and can indicate whether there has been a serious error in NetDefendOS operation.
Although dconsole output may be difficult for the administrator to interpret, it can be emailed to D-Link support representatives for further investigation. The dconsole command supersedes the crashdump command found in earlier versions of NetDefendOS.

Restarting

If a system is in a non-functional "frozen" state, a system restart can offer a simple way to clear all error conditions. This can take a few minutes, and while the restart occurs no traffic can flow through the unit.
Appendix A. CLI Reference

This section summarizes, in alphabetical order, the command set that can be entered through a console connected to the RS232 console port on the DFL-160. Details of how to connect a console device to the console COM port on the DFL-160 can be found in Section 2.4, “Console Port Connection”.
Example:

DFL-160:/> arpsnoop all
ARP snooping active on interfaces: lan wan dmz
ARP on wan: gw-world requesting wan_ip
ARP on lan: 192.168.123.5 requesting lan_ip

Buffers

This command can be useful for troubleshooting, for example when an unexpectedly large number of packets begin queuing, or when traffic does not seem to be flowing for an unknown reason.
Shows the contents of the most recently used buffer.

Example:

DFL-160:/> buff .
Decode of buffer number 1059
lan: Enet 0050:dadf:7bbf > 0003:325c:cc00 type 0x0800 len 1058
IP 192.168.123.10 -> 193.13.79.1 IHL:20 DataLen:1024 TTL:254 Proto:ICMP
ICMP Echo reply ID:6666 Seq:0

CfgLog

Shows the results of the most recent reconfiguration or start up of the firewall. This text is the same as that shown on-screen during reconfiguration or start up.
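The buff decode above is a plain walk down the Ethernet, IPv4 and ICMP headers of a buffered frame. As an added example (not NetDefendOS code), the following Python performs that decode on raw frame bytes, validating the IPv4 header checksum on the way, since a checksum failure is exactly what the ifstat "IP Input Errs" counter described later in this appendix counts. The sample frame is constructed here so that its fields match the decode shown on the page: 1058 bytes, 1024 bytes of IP data, TTL 254, ICMP echo reply ID 6666 sequence 0; no real capture is involved.

```python
"""Ethernet/IPv4/ICMP frame decoder reproducing the fields printed by the
'buff' command above (added example, not NetDefendOS code). The sample
frame is constructed to match the decode on the page."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
ICMP_NAMES = {0: "Echo reply", 8: "Echo request"}


def mac(b: bytes) -> str:
    # NetDefendOS prints MACs as three 16-bit groups: 0050:dadf:7bbf
    return ":".join(f"{b[i]:02x}{b[i + 1]:02x}" for i in (0, 2, 4))


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(frame: bytes) -> dict:
    """Decode one frame; raises ValueError on truncation or a bad IP header."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"eth_src": mac(src), "eth_dst": mac(dst),
           "ethertype": ethertype, "len": len(frame)}
    if ethertype != ETHERTYPE_IPV4:
        return out
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    # A header carrying a correct checksum sums to zero under ones' complement.
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IP header checksum error")
    out.update({"ip_src": str(IPv4Address(s)), "ip_dst": str(IPv4Address(d)),
                "ihl": ihl, "data_len": total_len - ihl, "ttl": ttl, "proto": proto})
    if proto == PROTO_ICMP and len(ip) >= ihl + 8:
        icmp_type, _code, _ccs, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
        out.update({"icmp": ICMP_NAMES.get(icmp_type, f"type {icmp_type}"),
                    "icmp_id": ident, "icmp_seq": seq})
    return out


def header_checksum_ok(frame: bytes) -> bool:
    """True if the frame decodes; False on a checksum or structure error."""
    try:
        decode(frame)
        return True
    except ValueError:
        return False


def render(d: dict) -> str:
    """Format a decode in the same layout as the buff output."""
    lines = [f"Enet {d['eth_src']} > {d['eth_dst']} type 0x{d['ethertype']:04x} len {d['len']}"]
    if "ip_src" in d:
        proto = "ICMP" if d["proto"] == PROTO_ICMP else str(d["proto"])
        lines.append(f"IP {d['ip_src']} -> {d['ip_dst']} IHL:{d['ihl']} "
                     f"DataLen:{d['data_len']} TTL:{d['ttl']} Proto:{proto}")
    if "icmp" in d:
        lines.append(f"ICMP {d['icmp']} ID:{d['icmp_id']} Seq:{d['icmp_seq']}")
    return "\n".join(lines)


def build_sample_frame() -> bytes:
    """Constructed 1058-byte frame matching the decode on the page."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 6666, 0) + bytes(1016)   # echo reply, 1024 bytes total
    src, dst = IPv4Address("192.168.123.10").packed, IPv4Address("193.13.79.1").packed
    hdr0 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 254, PROTO_ICMP, 0, src, dst)
    ip_hdr = hdr0[:10] + struct.pack("!H", ip_checksum(hdr0)) + hdr0[12:]
    eth = bytes.fromhex("0003325ccc00") + bytes.fromhex("0050dadf7bbf") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + icmp


if __name__ == "__main__":
    print(render(decode(build_sample_frame())))
```

The decoder treats the checksum as a hard error rather than a warning; that mirrors the firewall's own handling, where such packets are discarded and counted rather than decoded further.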
Displays the contents of the file crashdump.dmp stored by NetDefendOS. The file contains critical diagnostic information which can help determine the reason for a critical system event.

Syntax: crashdump

Dconsole

Displays a list of event information that is useful in pinpointing the occurrence of critical system errors.

Syntax: dconsole

DHCP

Syntax: dhcp [options]

Options:
-renew - Force interface to renew its lease.
Syntax: dns

Options:
-list - List pending DNS queries.
-query= - Resolve domain name.
-remove - Remove all pending DNS queries.

Example:

DFL-160:/> dns
DNS client is initialized. Using servers:
DNS Server 0 : 10.5.0.19
DNS Server 1 : Not set
DNS Server 2 : Not set

Frags

Shows the 20 most recent fragment reassembly attempts. This includes both ongoing and completed attempts.
HTTPPoster_URL3:
Host   : ""
Port   : 0
Path   : ""
Post   : ""
User   : ""
Pass   : ""
Status : (not configured)

IfStat

Syntax: ifstat

Shows a list of the interfaces installed.

Example:

DFL-160:/> ifstat
Configured interfaces:
Iface  IP Address      PBR membership  Interface type
-----  --------------  --------------  --------------
core   127.0.0.1                       Null (sink)
mgmt   10.9.0.36                       Builtin e100 - Intel(R) 8255..
wan    172.16.87.252
lan    192.168.121.1
pptp   10.10.240.131
The Dropped counter in the software section states the number of packets discarded as the result of structural integrity tests or rule set drops. The IP Input Errs counter in the software section specifies the number of packets discarded due to checksum errors or IP headers broken beyond recognition. The latter is most likely the result of local network problems rather than remote attacks.

Ikesnoop

Ikesnoop is used to diagnose problems with IPsec tunnels.
Killsa

Kills all IPsec and IKE SAs for the specified IP address.

Syntax: killsa

Example:

DFL-160:/> killsa 192.168.0.2
Destroying all IPsec & IKE SAs for remote peer 192.168.0.2

License

Shows the content of the license file.

Syntax: license

Lockdown

Sets local lockdown on or off. During local lockdown, only traffic from admin nets to NetDefendOS itself is allowed. Everything else is dropped.
using PBR table "main".
Echo reply from 192.168.12.1 seq=0 time= 10 ms TTL=255

DFL-160:/> ping 192.168.12.1 -v
Sending 1 ping to 192.168.12.1 from 192.168.14.19
using PBR table "main".
... using route "192.168.12.0/22 via wan, no gw" in PBR table "main"
Echo reply from 192.168.12.1 seq=0 time=<10 ms TTL=255

ReConfigure

Reinitializes NetDefendOS.

Syntax: reconfigure

Example:

DFL-160:/> reconfigure
Shutdown RECONFIGURE. Active in 1 seconds.
Proxy ARP on :
Local IP     : (use iface IP in ARP queries)
Metric       : 0
Flags        :

Rules

Shows the contents of the Rules configuration section.

Syntax: rules [] []

Options:
-schedule - Filter out rules that are not currently allowed by selected schedules.
-type - Type of rules to display.
-verbose - Show all parameters of the rules.

The range parameter specifies which rules to include in the output of this command.
ARPExpireUnknown : 15
ARPMulticast     : DropLog
ARPBroadcast     : DropLog
ARPCacheSize     : 4096
ARPHashSize      : 512
ARPHashSizeVLAN  : 64

Shutdown

Instructs NetDefendOS to perform a shutdown in a given number of seconds. It is not necessary to perform a shutdown before the system is powered off.

Syntax: shutdown

If the parameter is not specified then the default value is 5 seconds.

Options:
-normal - Perform a normal shutdown (the default).
Database Version: 2 2006-10-04 10:13:18
HW Support: lc2350a
Hardware DB Version: Latest Full:2006-10-04 10:13:18 Patch:N/A
Status: Update server available
Next update scheduled for: 2008-01-25 05:11:00

Urlcache

Displays information related to the URL cache used by the Web Content Filtering function.

Syntax: urlcache [options]

Options:
-v - Verbose option to list all information.
-c - Display the cache count.
-hash - Display information regarding the hashing.
Appendix B. Windows IP Setup

A Microsoft Windows PC can be used as the management workstation for the initial setup of a DFL-160. Usually, explicit configuration of the IP address of the PC's chosen Ethernet interface is not needed, since the DFL-160 automatically assigns the workstation's address using DHCP. If DHCP cannot be used, the workstation IP address should be configured manually, and this section describes the steps to do that.
The assigned IP address 192.168.10.30 could, in fact, be another address from the 192.168.10.0/24 network. However, 192.168.10.30 is the address D-Link normally uses by convention.
Appendix C. Apple Mac IP Setup

An Apple Mac can be used as the management workstation for setup of a DFL-160. Usually, configuration of the IP address of the Mac's chosen Ethernet interface is not needed, since the DFL-160 automatically assigns the address using DHCP. If DHCP cannot be used, the workstation IP address should be configured manually. The steps to do this with MacOS X are as follows:

1. Go to the Apple Menu and select System Preferences.
2. Click on Network.
3.
5. Now set the following values:
   • IP Address: 192.168.10.30
   • Subnet Mask: 255.255.255.0
   • Router: 192.168.10.1
6. Click Apply to complete the static IP setup.

Note: Your revision of MacOS may differ slightly from the screenshots shown above, but the setup method should be the same in principle.
Appendix D. D-Link Worldwide Offices

Below is a complete list of D-Link worldwide sales offices. Please check your own country's local website for further details regarding support of D-Link products as well as contact details for local support.

Australia: 1 Giffnock Avenue, North Ryde, NSW 2113, Australia. TEL: 61-2-8899-1800, FAX: 61-2-8899-1868. Website: www.dlink.com.au
Belgium: Rue des Colonies 11, B-1000 Brussels, Belgium. Tel: +32(0)2 517 7111, Fax: +32(0)2 517 6500. Website: www.dlink.
Italy: Via Nino Bonnet n. 6/b, 20154 Milano, Italy. TEL: 39-02-2900-0676, FAX: 39-02-2900-1723. Website: www.dlink.it
Latin America: Isidora Goyeechea 2934, Oficina 702, Las Condes, Santiago, Chile. TEL: 56-2-232-3185, FAX: 56-2-232-0923. Website: www.dlink.cl
Luxemburg: Rue des Colonies 11, B-1000 Brussels, Belgium. TEL: +32 (0)2 517 7111, FAX: +32 (0)2 517 6500. Website: www.dlink.be
Middle East (Dubai): P.O.
Alphabetical Index A about CLI command, 100 administration, 22 username, 23 anti-virus, 61 status, 76 apple MAC IP setup, 116 arp CLI command, 100 arpsnoop CLI command, 100 audit username, 23 automatic logout, 15 B backups, 91 boot menu, 19, 96 browser connection, 13 buffers CLI command, 101 C certificate based IPsec, 48 cfglog CLI command, 102 CLI command reference, 100 connecting cables, 13 connecting power, 13 connections CLI command, 102 connections status, 79 console output truncation, 19 port connec
Alphabetical Index P phishing (see content filtering) ping, 70 ping CLI command, 70, 107 power LED, 9 PPTP client, 49 server, 50 pre-shared key with IPsec, 48 product support, 118 R reconfigure CLI command, 108 reset to factory defaults, 92 restoring a backup, 91 routes, 84 metrics, 84 routes CLI command, 108 rules CLI command, 109 userauth CLI command, 112 user authentication status, 83 user database, 51 userdb CLI command, 112 W WAN interface, 7 web content filtering, 52 categories, 54 status, 77 wild
Appendix: Product Statement

FCC EMI for Class B Statements

FCC Interference Information

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) This device must accept any interference received, including interference that may cause undesired operation. This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC rules.