D-Link DFL-500 Network Security Firewall Manual
Building Networks for People
DFL-500 User Manual
© Copyright 2003 D-Link Systems, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc.
DFL-500 User Manual, July 2002
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Table of Contents
Introduction 8
  NAT/Route mode and Transparent mode 8
    NAT/Route mode 8
    Transparent mode
Firewall configuration 23
  NAT/Route mode and Transparent mode 24
    NAT/Route mode 24
    Transparent mode
Configuring user groups 46
  Adding user groups 46
  Deleting user groups 47
IPSec VPNs
Changing the URL block message 74
Downloading the URL block list 74
Uploading a URL block list 74
Removing scripts from web pages
System configuration 96
  Setting system date and time 97
  Changing web-based manager options 98
  Adding and editing administrator accounts
Introduction
The DFL-500 Network Protection Gateway (NPG) is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications. Your DFL-500 is a dedicated, easily managed security device that delivers a full suite of capabilities that include firewall, VPN, traffic shaping, and web content filtering.
NAT/Route mode and Transparent mode
The DFL-500 can operate in NAT/Route mode or Transparent mode.
• Administration describes DFL-500 management and administrative tasks.
• The Glossary defines many of the terms used in this document.
For more information
In addition to the DFL-500 User Manual, you have access to the following DFL-500 documentation:
• DFL-500 QuickStart Guide
• DFL-500 CLI Reference Guide
• DFL-500 online help
Customer service and technical support
For updated product documentation, technical support information, and other resources, please visit your local D-Link web site.
Getting started
This chapter describes unpacking, setting up, and powering on your DFL-500 NPG. When you have completed the procedures in this chapter, you can proceed to one of the following:
• If you are going to run your DFL-500 NPG in NAT/Route mode, go to NAT/Route mode installation.
• If you are going to run your DFL-500 NPG in Transparent mode, go to Transparent mode installation.
Dimensions
• 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm)
Weight
• 1.5 lb. (0.68 kg)
Power requirements
• DC input voltage: 5 V
• DC input current: 3 A
Environmental specifications
• Operating temperature: 32 to 104°F (0 to 40°C)
• Storage temperature: -13 to 158°F (-25 to 70°C)
• Humidity: 5 to 95% non-condensing
Powering on
To power on the DFL-500 NPG:
• Connect the AC adapter to the power connection at the back of the DFL-500 NPG.
• Connect the AC adapter to a power outlet.
Front and back view of the DFL-500 NPG
Initial configuration
When the DFL-500 NPG is first powered on, it is running in NAT/Route mode and has the basic configuration listed in DFL-500 NPG initial power on settings.
DFL-500 NPG initial power on settings
Operating mode: NAT/Route
Administrator account: User name: admin; Password: (none)
Internal interface: IP: 192.168.1.99; Netmask: 255.255.255.0
External interface (Manual): IP: 192.168.100.99; Netmask: 255.255.255.0; Default Gateway: 192.168.
• Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the DFL-500 NPG to the computer ethernet connection.
• Start Internet Explorer and browse to the address https://192.168.1.99. The DFL-500 login appears.
• Type admin in the Name field and select Login. The Register Now window appears. Use the information on this window to register your DFL-500 NPG. Register your DFL-500 NPG so that D-Link can contact you for firmware updates.
• Data bits: 8
• Parity: None
• Stop bits: 1
• Flow control: None
Press Enter to connect to the DFL-500 CLI. The following prompt appears:
DFL-500 login:
• Type admin and press Enter. The following prompt appears:
Type ? for a list of commands.
For information on how to use the CLI, see the DFL-500 CLI Reference Guide.
NAT/Route mode installation
This chapter describes how to install your DFL-500 NPG in NAT/Route mode. If you want to install the DFL-500 NPG in Transparent mode, see Transparent mode installation.
Ending IP: _____._____._____._____
Netmask: _____._____._____._____
Default Route: _____._____._____._____
DNS IP: _____._____._____._____
The DFL-500 NPG contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network.
Using the setup wizard
From the web-based manager, you can use the setup wizard to create the initial configuration of your DFL-500 NPG. To connect to the web-based manager, see Connecting to the web-based manager.
• Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in NAT/Route mode settings. To set the manual IP address and netmask, enter:
set system interface external static ip
Example
set system interface external static ip 204.23.1.5 255.255.255.
DFL-500 NPG network connections
Configuring your internal network
If you are running the DFL-500 NPG in NAT/Route mode, your internal network must be configured to route all internet traffic to the address of the internal interface of the DFL-500 NPG. This means changing the default gateway address of all computers connected directly to the internal network. If you are using the DFL-500 NPG as the DHCP server for your internal network, configure the computers on your internal network for DHCP.
Transparent mode installation
This chapter describes how to install your DFL-500 NPG in Transparent mode. If you want to install the DFL-500 NPG in NAT/Route mode, see NAT/Route mode installation.
Starting the setup wizard
• Select Easy Setup Wizard (the button in the upper right corner of the web-based manager).
• Use the information that you gathered in Transparent mode settings to fill in the wizard fields. Select the Next button to step through the wizard pages.
• Confirm your configuration settings and then select Finish and Close.
The CLI lists the Management IP address and netmask.
Configure the Transparent mode default gateway
• Log in to the CLI if you are not already logged in.
• Set the default route to the Default Gateway that you recorded in Transparent mode settings. Enter:
set system route number gateway
Example
set system route number 1 gateway 204.23.1.2
You have now completed the initial configuration of the DFL-500 NPG and you can proceed to the next section.
DFL-500 network connections
Firewall configuration
By default, the users on your internal network can connect through the DFL-500 NPG to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal network and instructs the firewall to forward the connection to the Internet.
Default policy
Policies are instructions used by the firewall to decide what to do with a connection request.
NAT/Route mode and Transparent mode
The first step in configuring firewall policies is to configure the mode for the firewall. The firewall can run in NAT/Route mode or Transparent mode.
NAT/Route mode
Run the DFL-500 NPG in NAT/Route mode to protect a private network from a public network. When the DFL-500 NPG is running in NAT/Route mode, you can connect a private network to the internal interface and a public network, such as the Internet, to the external interface.
You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy.
• Configure the policy:
Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an address, see Addresses.
Destination: Select an address or address group that matches the destination address of the packet.
Telnet, or FTP. For users to be able to authenticate, you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy, they are prompted to enter a firewall username and password. If you want users to authenticate to use other services (for example, POP3 or IMAP), you can create a service group that includes the services for which you want to require authentication as well as HTTP, Telnet, and FTP.
Adding a NAT/Route Int -> Ext policy
Adding Transparent mode policies
Add Transparent mode policies to control the network traffic that is allowed to pass through the firewall when you are running it in Transparent mode.
• Go to Firewall > Policy.
• Select a policy list tab.
• Select New to add a new policy. You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy.
Action: Select how the firewall should respond when the policy matches a connection attempt. You can configure the policy to direct the firewall to ACCEPT the connection or DENY the connection. If you select ACCEPT, you can also configure Authentication for the policy.
Log Traffic: Select Log Traffic to write messages to the traffic log whenever the policy processes a connection.
Adding a Transparent mode Int -> Ext policy
Configuring policy lists
The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default policy is a very general policy because it matches all connection attempts. Exceptions to this policy must be added to the policy list above the default policy.
Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first.
Changing the order of policies in a policy list
• Go to Firewall > Policy.
• Select the tab for the policy list that you want to rearrange.
• Choose a policy to move and select Move To.
• Type a number in the Move to field to specify where in the policy list to move the policy and select OK.
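The first-match rule above is easy to get wrong in practice: a DENY exception or an authentication policy placed below the general default policy is never reached. The following added example (not code from the manual or from D-Link) models the top-down search with a constructed Int -> Ext policy list, once in the wrong order and once in the recommended order; the subnet, service and policy names are made up for the demonstration.

```python
# Added example (not from the D-Link manual): a first-match policy
# evaluator that shows why specific policies must sit above general ones.
# Address specs, services and the policy lists are constructed for the demo.
import ipaddress


def _covers(addr_spec, ip):
    """addr_spec is a firewall address: a CIDR string or 'all'."""
    if addr_spec == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(addr_spec, strict=False)


def match_policy(policies, src_ip, dst_ip, service):
    """Walk the policy list top to bottom and return the first policy that
    matches the connection (None if nothing matches, i.e. implicit block)."""
    for policy in policies:
        if (_covers(policy["src"], src_ip)
                and _covers(policy["dst"], dst_ip)
                and policy["service"] in ("ANY", service)):
            return policy
    return None


# Default Int -> Ext policy: any internal host to any destination, ACCEPT.
DEFAULT_POLICY = {"name": "default", "src": "all", "dst": "all",
                  "service": "ANY", "action": "ACCEPT", "auth": False}

# An exception: the (constructed) lab subnet may not use FTP to the Internet.
DENY_LAB_FTP = {"name": "deny_lab_ftp", "src": "192.168.1.64/26", "dst": "all",
                "service": "FTP", "action": "DENY", "auth": False}

# A policy that requires firewall authentication for HTTP from the whole LAN.
AUTH_HTTP = {"name": "auth_http", "src": "192.168.1.0/24", "dst": "all",
             "service": "HTTP", "action": "ACCEPT", "auth": True}

# Wrong order: the general default policy is on top, so the exception and
# the authentication policy are shadowed and never selected.
WRONG_ORDER = [DEFAULT_POLICY, DENY_LAB_FTP, AUTH_HTTP]
# Right order: most specific first, the default policy last.
RIGHT_ORDER = [DENY_LAB_FTP, AUTH_HTTP, DEFAULT_POLICY]


def decide(policies, src_ip, dst_ip, service):
    """Return (policy name, action, authentication required) for a connection."""
    p = match_policy(policies, src_ip, dst_ip, service)
    if p is None:
        return ("none", "DENY", False)
    return (p["name"], p["action"], p["auth"])


if __name__ == "__main__":
    for order_name, order in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(order_name, "lab FTP  ->", decide(order, "192.168.1.70", "203.0.113.9", "FTP"))
        print(order_name, "LAN HTTP ->", decide(order, "192.168.1.10", "203.0.113.9", "HTTP"))
```

With the wrong order both connections hit the default policy and pass without authentication; with the right order the lab FTP connection is denied and LAN HTTP is accepted only after authentication. Checking a few representative connections this way after every reordering is a cheap way to confirm that a Move To operation did what you intended.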
Adding addresses
• Go to Firewall > Address.
• Select the interface to which to add the address. The list of addresses added to that interface is displayed.
• Select New to add a new address to the selected interface.
• Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Spaces and other special characters are not allowed.
Adding a firewall address
• Enter the IP Address.
Organizing addresses into address groups You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses, and then add them to an address group, you only have to add one policy for the address group rather than three separate policies, one for each address. You can add address groups to both interfaces. The address group can only contain addresses from that interface.
• Predefined services
• Providing access to custom services
• Grouping services
Predefined services
To view the list of predefined services, go to Firewall > Service > Pre-defined. You can add predefined services to any policy.
Providing access to custom services
Add a custom service if you need to create a policy for a service that is not in the predefined service list.
• Go to Firewall > Service > Custom.
• Select New.
• Enter a Name for the service.
Adding a service group
• To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list.
• To remove services from the service group, select a service from the Members list and select the left arrow to remove it from the group.
• Select OK to add the service group.
Schedules
Use scheduling to control when policies are active or inactive. You can create one-time schedules and recurring schedules.
• Set the Start date and time for the schedule. Set Start and Stop times to 00 for the schedule to cover the entire day.
• Set the Stop date and time for the schedule. One-time schedules use the 24-hour clock.
• Select OK to add the one-time schedule.
Creating recurring schedules
You can create a recurring schedule that activates or deactivates policies at specified times of the day or on specified days of the week.
create an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on your internal network. To allow connections from the Internet to the web server, you must then add an Ext -> Int firewall policy and set Destination to the virtual IP.
Adding a static NAT virtual IP
• In the Map to IP field, enter the real IP address on the more secure network, for example, the IP address of a web server on your internal network. The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Address, instead of the firewall external address.
• Select OK to save the virtual IP. You can now add the virtual IP to Ext -> Int firewall policies.
Adding a Port Forwarding virtual IP
• Enter the External Service Port number for which to configure port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a Web server on your internal network, the external service port number would be 80 (the HTTP port).
Destination: Select the virtual IP.
Schedule: Select a schedule as required.
Service: Select the service that matches the Map to Service that you selected for the port-forwarding virtual IP.
Action: Set action to ACCEPT to accept connections to the internal server. You can also select DENY to deny access.
NAT: Select NAT if the firewall is protecting the private addresses on the destination network from the source network.
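The two virtual IP kinds differ in how much of the internal host they expose: a static NAT virtual IP forwards every destination port of the external address to the Map to IP host (only the Ext -> Int policy's Service field then limits what is reachable), whereas a port forwarding virtual IP maps a single External Service Port to a single Map to Service port. The added example below (not the manual's or D-Link's code) models both translations, including the outbound source rewrite described for static NAT; the virtual IP table, addresses and ports are constructed.

```python
# Added example (not from the D-Link manual): a model of static NAT and
# port forwarding virtual IPs. Addresses, ports and the VIP table are
# constructed for the demonstration.

VIPS = [
    # Static NAT VIP: the whole external address maps to one internal host.
    {"name": "www_static", "kind": "static_nat",
     "external_ip": "203.0.113.10", "map_to_ip": "192.168.1.20"},
    # Port forwarding VIP: one external port maps to one internal host:port.
    {"name": "mail_fwd", "kind": "port_forward",
     "external_ip": "203.0.113.11", "external_port": 25,
     "map_to_ip": "192.168.1.30", "map_to_port": 2525},
]


def translate_inbound(dst_ip, dst_port):
    """Ext -> Int direction: rewrite the destination of a packet arriving on
    the external interface. Returns (vip name, new dst ip, new dst port), or
    None when no virtual IP claims the packet (it then goes through the
    ordinary policy lookup and, with the default configuration, is blocked)."""
    for vip in VIPS:
        if vip["external_ip"] != dst_ip:
            continue
        if vip["kind"] == "static_nat":
            # every port reaches the internal host; only the policy's
            # Service field narrows what is actually allowed through
            return (vip["name"], vip["map_to_ip"], dst_port)
        if vip["kind"] == "port_forward" and dst_port == vip["external_port"]:
            return (vip["name"], vip["map_to_ip"], vip["map_to_port"])
    return None


def translate_outbound_source(src_ip, firewall_external_ip):
    """Int -> Ext direction: a host that is the Map to IP of a static NAT
    virtual IP appears on the Internet as that virtual IP's external
    address instead of the firewall's own external address."""
    for vip in VIPS:
        if vip["kind"] == "static_nat" and vip["map_to_ip"] == src_ip:
            return vip["external_ip"]
    return firewall_external_ip


if __name__ == "__main__":
    print(translate_inbound("203.0.113.10", 80))    # static NAT, port kept
    print(translate_inbound("203.0.113.11", 25))    # port forwarding, port remapped
    print(translate_inbound("203.0.113.11", 80))    # no VIP claims it
    print(translate_outbound_source("192.168.1.20", "203.0.113.1"))
```

When you only need one service published, the port forwarding form combined with a policy whose Service matches the Map to Service is the smaller exposure; with a static NAT virtual IP, review the policy's Service field with the same care, because the translation itself does not filter ports.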
Adding an IP Pool
IP/MAC binding
IP/MAC binding protects the DFL-500 NPG and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the firewall from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to ethernet cards at the factory and cannot easily be changed.
All packets that would normally be matched with policies to be able to go through the firewall are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy. For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to the IP/MAC binding list:
• A packet with IP address 1.1.1.1 and MAC address 12:34:56:78:90:ab:cd is allowed to go on to be matched with a firewall policy.
• A packet with IP 1.1.1.
Viewing the dynamic IP/MAC list
• Go to Firewall > IP/MAC Binding > Dynamic IP/MAC.
Enabling IP/MAC binding
• Go to Firewall > IP/MAC Binding > Setting.
• Select Enable IP/MAC binding going through the firewall to turn on IP/MAC binding for packets that could be matched by policies.
• Select Enable IP/MAC binding going to the firewall to turn on IP/MAC binding for packets connecting to the firewall.
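The added example below (not code from the manual or from D-Link) implements the IP/MAC binding check described above: a packet passes on to the policy lookup only when its source IP and MAC agree with the binding list, and a trusted IP seen from a different card, or a bound card using a different IP, is rejected and reported. The page does not say what happens to a packet whose IP and MAC are both absent from the list, so that case is a parameter here (an assumption); the binding table and the sample packets are constructed.

```python
# Added example (not from the D-Link manual): an IP/MAC binding check.
# The binding table and packets are constructed. How to treat a packet
# with no binding entry at all is not stated on the page; it is a
# parameter here (assumption, default allow).


def _norm_mac(mac):
    return mac.lower().replace("-", ":")


class IpMacBinding:
    def __init__(self, bindings, allow_unbound=True):
        # ip -> mac and mac -> ip, so a mismatch in either direction is caught
        self.ip_to_mac = {ip: _norm_mac(mac) for ip, mac in bindings}
        self.mac_to_ip = {m: ip for ip, m in self.ip_to_mac.items()}
        self.allow_unbound = allow_unbound  # assumption, see lead-in

    def check(self, src_ip, src_mac):
        """Return (allowed, reason). 'allowed' means the packet may go on
        to the normal policy lookup; it is not an accept decision by itself."""
        mac = _norm_mac(src_mac)
        bound_mac = self.ip_to_mac.get(src_ip)
        bound_ip = self.mac_to_ip.get(mac)
        if bound_mac == mac:
            return True, "bound pair"
        if bound_mac is not None:
            # the trusted IP is being used from a different card: the
            # spoofing case IP/MAC binding exists to stop
            return False, f"ip {src_ip} is bound to {bound_mac}, seen from {mac}"
        if bound_ip is not None:
            return False, f"mac {mac} is bound to {bound_ip}, seen with {src_ip}"
        return self.allow_unbound, "no binding entry"


def rejected_packets(binding, packets):
    """Apply the check to (src_ip, src_mac) tuples and return the rejected
    ones with their reasons, which is what you would want in the event log."""
    out = []
    for ip, mac in packets:
        ok, reason = binding.check(ip, mac)
        if not ok:
            out.append((ip, mac, reason))
    return out


# Constructed binding list and sample packets.
BINDINGS = [("192.168.1.50", "00:11:22:33:44:55")]
PACKETS = [
    ("192.168.1.50", "00:11:22:33:44:55"),   # genuine trusted host
    ("192.168.1.50", "00:11:22:33:44:66"),   # trusted IP from another card
    ("192.168.1.51", "00:11:22:33:44:55"),   # bound card using another IP
    ("192.168.1.60", "00:aa:bb:cc:dd:ee"),   # no entry at all
]

if __name__ == "__main__":
    for rec in rejected_packets(IpMacBinding(BINDINGS), PACKETS):
        print("rejected:", rec)
```

Note that the check is keyed on the source MAC seen on the firewall's own segment; a packet that arrives through a router carries the router's MAC, so bindings only protect hosts directly attached to the interface.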
Users and authentication
DFL-500 NPGs support user authentication to the DFL-500 user database or to a RADIUS server. You can add user names to the DFL-500 user database and then add a password to allow the user to authenticate using the internal database. You can also add the name of a RADIUS server and select RADIUS to allow the user to authenticate using the selected RADIUS server. You can also disable users so that they cannot authenticate with the DFL-500 NPG.
• Select New to add a new user name.
Adding a user name
• Enter the user name. The user name can contain numbers (0-9) and uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
• Select one of the following authentication configurations:
Disable: Prevent this user from authenticating.
Password: Enter the password that this user must use to authenticate. The password should be at least six characters long.
Deleting the user name deletes the authentication configured for the user.
Configuring RADIUS support
If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the DFL-500 NPG contacts the RADIUS server for authentication. When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supported and you should not select Require data encryption when configuring Windows clients for PPTP or L2TP.
Configuring user groups
Use the following information to add user groups to your DFL-500 configuration. You can add user names and RADIUS servers to user groups. You can then add user groups to:
• Policies that require authentication (Adding NAT/Route mode policies, and Adding Transparent mode policies). Only users in the selected user group or that can authenticate with the RADIUS servers added to the user group can authenticate with these policies.
Adding a user group
• To remove users or RADIUS servers from the user group, select a user or RADIUS server from the Members list and select the left arrow to remove the name or RADIUS server from the group.
• Select OK.
Deleting user groups
You cannot delete user groups that have been selected in a policy or remote gateway, PPTP, or L2TP configuration. To delete a user group:
• Go to User > User Group.
• Select Delete.
• Select OK.
IPSec VPNs Using IPSec Virtual Private Networking (VPN), you can securely join two or more widely separated private networks or computers together through the Internet. For example, if you are away from home, you can use a VPN to securely connect through your DFL-500 NPG to your home network. If you tele-commute, you can securely connect from your home network through your DFL-500 NPG to your employer's private network.
• ESP security in tunnel mode
• DES and 3DES (TripleDES) encryption
• Diffie-Hellman groups 1, 2, and 5
• HMAC MD5 authentication/data integrity or HMAC SHA1 authentication/data integrity
• Aggressive and Main Mode
• NAT Traversal
• Replay Detection
• IPSec Redundancy
• Perfect Forward Secrecy
• VPN concentrator for hub and spoke configurations
To successfully establish an IPSec VPN tunnel, the DFL-500 IPSec VPN configuration must be compatible with the third-party product IPSec VPN confi
See Adding an encrypt policy.
Configuring manual key IPSec VPN
A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel. To create a manual key VPN configuration:
• Add a manual key VPN tunnel. See Adding a manual key VPN tunnel.
• Add an encrypt policy that includes the tunnel, source address, and destination address for both ends of the tunnel.
Configuring the VPN concentrator
On the VPN concentrator network, you must create one VPN tunnel for each of the prospective VPN concentrator members and then add these tunnels to a VPN concentrator. You can add both AutoIKE and manual key VPN tunnels to a VPN concentrator. Encrypt policies control the direction of traffic through the VPN concentrator. You must create a separate encrypt policy for each VPN added to the concentrator.
See Adding an AutoIKE key VPN tunnel. Or, add a manual key VPN tunnel. See Adding a manual key VPN tunnel.
• Add one encrypt policy between the member VPN and the VPN concentrator. Use the following configuration:
Source: Member VPN address.
Destination: VPN concentrator address.
Action: ENCRYPT
VPN Tunnel: The VPN tunnel added in step 2.
Allow inbound: Select allow inbound.
Allow outbound: Select allow outbound.
Inbound NAT: Select inbound NAT if required.
The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See Adding an encrypt policy.
Adding a remote gateway
Add a remote gateway configuration to define the parameters that the DFL-500 NPG uses to connect to and establish an AutoIKE key VPN tunnel with a remote VPN gateway or a remote VPN client.
Mode. Enter the IP address of the dialup user or the domain name of the dialup user (for example, domain.com). If you do not add a local ID, the DFL-500 external interface automatically becomes the Local ID. For information about the Local ID, see About dialup VPN authentication.
Nat-traversal: Select Enable if you expect the IPSec VPN traffic to go through a gateway that performs NAT. If no NAT device is detected, enabling NAT traversal will have no effect.
For each variation, the remote gateway field of the dialup server remote gateway configuration must be set to dialup user and all of the clients must have their remote gateway or equivalent set to the static IP address of the remote gateway server. The following sections describe how to configure authentication on the server and clients for each of these variations. A dialup user must use the same mode as the VPN dialup server. For information about user groups, see Configuring user groups.
Aggressive mode with no user group
Field               Server       Clients
User Group          None         N/A
Mode                Aggressive   Aggressive
Authentication Key  The server and the clients must have the same authentication key.
Local ID            empty        empty
Aggressive mode with a user group selected
In this configuration, the server and the clients use aggressive mode for key exchange. A user group is selected in the server dialup remote gateway. The format of the authentication key depends on the information in the Local ID field.
About NAT traversal
NAT (Network Address Translation) converts private IP addresses into routable public IP addresses. The DFL-500 NPG uses NAPT (Network Address Port Translation), in which both IP addresses and ports are mapped. Mapping both components allows multiple private IP addresses to use a single public IP address. Because a NAT device modifies the original IP address of an IPSec packet, the packet fails an integrity check. This failure means that IPSec VPN does not work with NAT devices.
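To make the failure described above concrete, the following added example (not from the manual or from D-Link) is a deliberately simplified model: the integrity check value is an HMAC-SHA1 over the source address and the payload, a NAPT gateway rewrites the source address, and the receiver's check fails. With NAT traversal the protected packet is carried inside a UDP datagram on port 4500, so the gateway rewrites only the outer IP/UDP header, which the integrity check does not cover. The key, addresses, ports and payload are constructed, and real ESP, AH and IKE packet formats are not reproduced.

```python
# Added example (not from the D-Link manual): a simplified model of why a
# NAT device breaks an IPSec integrity check and how NAT traversal's UDP
# encapsulation avoids it. Key, addresses, ports and payload are constructed;
# real IPSec packet formats are not modelled.
import hashlib
import hmac

KEY = b"constructed-shared-integrity-key"


def icv(key, covered_bytes):
    """Integrity check value: HMAC-SHA1 over whatever the sender covers."""
    return hmac.new(key, covered_bytes, hashlib.sha1).digest()


def build_plain(src_ip, dst_ip, payload):
    """Integrity check covers the source address together with the payload:
    the situation the page describes, where a rewritten address fails the check."""
    covered = f"{src_ip}>{dst_ip}|".encode() + payload
    return {"src": src_ip, "dst": dst_ip, "payload": payload, "icv": icv(KEY, covered)}


def verify_plain(pkt):
    covered = f"{pkt['src']}>{pkt['dst']}|".encode() + pkt["payload"]
    return hmac.compare_digest(icv(KEY, covered), pkt["icv"])


def build_nat_t(src_ip, dst_ip, payload):
    """NAT traversal: the protected packet (payload plus an ICV over the
    payload) rides inside UDP port 4500. The outer IP/UDP header is what the
    NAT rewrites, and it is not covered by the ICV."""
    inner = {"payload": payload, "icv": icv(KEY, payload)}
    return {"src": src_ip, "dst": dst_ip, "sport": 4500, "dport": 4500, "inner": inner}


def verify_nat_t(pkt):
    inner = pkt["inner"]
    return hmac.compare_digest(icv(KEY, inner["payload"]), inner["icv"])


def napt(pkt, public_ip, public_port=None):
    """What a NAPT gateway does to an outbound packet: replace the private
    source address (and the source port, when there is one) with public ones."""
    out = dict(pkt)
    out["src"] = public_ip
    if "sport" in out and public_port is not None:
        out["sport"] = public_port
    return out


def demo():
    """Send the same payload both ways through a NAPT gateway and report
    whether the receiver's integrity check succeeds."""
    payload = b"constructed encrypted payload"
    plain = napt(build_plain("192.168.1.5", "203.0.113.7", payload), "198.51.100.2")
    natt = napt(build_nat_t("192.168.1.5", "203.0.113.7", payload), "198.51.100.2", 40500)
    return {"without_nat_t": verify_plain(plain), "with_nat_t": verify_nat_t(natt)}


if __name__ == "__main__":
    print(demo())
```

The model also shows why the manual says enabling NAT traversal has no effect when no NAT device is present: with nothing rewriting the outer header, both forms verify, and the UDP wrapper is simply overhead.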
Autokey Keep Alive: Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed.
Concentrator: Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure Adding a VPN concentrator to add the tunnel to a concentrator, the next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you have added the tunnel.
• Select OK to save the AutoIKE key VPN tunnel.
The DFL-500 NPG sends an alert email when replay detection detects a replay packet. To receive the alert email, you must configure alert email and select "Enable alert email for critical firewall/VPN events or violations". For information about alert email, see Configuring alert email.
For all 3DES encryption algorithms, enter three hexadecimal numbers of up to 16 digits each. Use the same encryption key at both ends of the tunnel.
Authentication Key: Required for encryption algorithms that include MD5 or SHA1 authentication. For MD5 authentication, enter two hexadecimal numbers of 16 digits each. Use the same authentication key at both ends of the tunnel. For SHA1 authentication, enter two hexadecimal numbers, one of 16 digits and one of 20 digits.
• Select OK to add the VPN concentrator.
Adding a VPN concentrator
Adding an encrypt policy
Add encrypt policies to connect users on your internal network to a VPN tunnel. Encrypt policies are always Int -> Ext policies. The source of the encrypt policy must be an address on your internal network. The destination of this policy must be the address of the network behind the remote DFL-500 NPG gateway.
The destination address is the IP address of the remote network behind the remote VPN gateway. If you are adding an encrypt policy for a VPN with a remote VPN client connected to the Internet, the destination address should be the Internet address of the client computer.
• Go to Firewall > Policy > Int->Ext.
• Select New to add a new policy.
Adding an encrypt policy
• Set Source to the VPN source address.
Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address.
Inbound NAT: The DFL-500 NPG translates the source address of incoming packets to the IP address of the DFL-500 interface connected to the source address network.
Outbound NAT: The DFL-500 NPG translates the source address of outgoing packets to the IP address of the DFL-500 interface connected to the destination address network.
AutoIKE key tunnel status
Viewing dialup VPN connection status
You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each tunnel. To view dialup connection status:
• Go to VPN > IPSec > Dialup.
The Lifetime column displays how long the connection has been up.
To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at the same time by pinging from the client to an address on the internal network.
PPTP and L2TP VPNs Using PPTP and L2TP Virtual Private Networking (VPN), you can create a secure connection between a client computer running Microsoft Windows and your internal network. PPTP is a Windows VPN standard. You can use PPTP to connect computers running Windows to a DFL-500 NPG-protected private network without using third-party VPN client software. L2TP combines Windows PPTP functionality with IPSec security. L2TP is supported by most recent versions of Windows.
PPTP VPN between a Windows client and the DFL-500 NPG
Configuring the DFL-500 NPG as a PPTP gateway
• Create a user group for your PPTP users. See Users and authentication.
• Go to VPN > PPTP > PPTP Range.
• Select Enable PPTP.
• Enter the Starting IP and the Ending IP for the PPTP address range.
• Select the User Group that you added in step Create a user group for your PPTP users.
• Select Apply to enable PPTP through the DFL-500 NPG.
Example PPTP Range configuration
When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supported and you should not select Require data encryption when configuring Windows clients for PPTP or L2TP.
• Add the addresses from the PPTP address range to the external interface address list. The addresses can be grouped into an external address group.
• Add the addresses to which PPTP users can connect to the internal interface. The addresses can be grouped into an address group.
L2TP VPN configuration
L2TP clients must be able to authenticate with the DFL-500 NPG to start an L2TP session. To support L2TP authentication, you must add a user group to the DFL-500 NPG configuration. This user group can contain users added to the DFL-500 NPG user database, RADIUS servers, or both. After you have added a user group, configure your DFL-500 NPG to support L2TP by enabling L2TP and specifying an L2TP address range.
• Select Enable L2TP.
• Enter the Starting IP and the Ending IP for the L2TP address range.
• Select the User Group that you added in step Create a user group for your L2TP users.
• Select Apply to enable L2TP through the DFL-500 NPG.
Sample L2TP address range configuration
When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supported and you should not select Require data encryption when configuring Windows clients for PPTP or L2TP.
Web content filtering
Use DFL-500 web content filtering for:
• Enabling web content filtering
• Blocking web pages that contain unwanted content
• Blocking access to URLs
• Removing scripts from web pages
• Exempting URLs from content or URL blocking
Enabling web content filtering
Enable web content filtering by selecting the Web filter option in firewall policies that allow HTTP connections through the DFL-500 NPG.
The DFL-500 NPG is now configured to block web pages containing words and phrases added to the banned word list.
• Select New to add a word or phrase to the banned word list.
• Choose a language or character set for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese, or Korean. Your computer and web browser must be configured to enter characters in the character set that you choose.
• Type a banned word or phrase.
• Select Backup Banned Word List. The DFL-500 NPG downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
You can make changes to the text file and upload it from your management computer to the DFL-500 NPG. Each banned word or phrase must appear on a separate line in the text file. Use ASCII and western language characters only. All words are enabled by default.
URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections.
• Select Enable to block the URL.
• Select OK to add the URL to the URL block list.
You can enter multiple URLs and then select Check All to activate all entries in the URL block list. Each page of the URL block list displays 100 URLs.
• Use Page Down and Page Up to move between pages of the URL block list.
You can add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists, available at http://www.squidguard.org/blacklist/ as a starting point for creating your own URL block list. Three times a week, the squidGuard robot searches the web for new URLs to add to the blacklists.
• Clearing the Exempt URL list
• Downloading the Exempt URL list
• Uploading an Exempt URL list

Adding URLs to the Exempt URL list
• Go to Web Filter > Exempt URL.
• Select New to add an entry to the Exempt URL list.
• Type the URL to exempt. Enter a complete URL, including path and filename, to exempt access to a page on a website. For example, www.goodsite.com/index.html exempts access to the main page of this example website. You can also add IP addresses; for example, 122.63.44.67/index.
Uploading an Exempt URL list

You can create an Exempt URL list in a text editor and then upload the text file to the DFL-500 NPG. Add one URL to each line of the text file. You can follow the URL with a space and then a 1 to enable or a zero (0) to disable the URL. If you do not add this information to the text file, the DFL-500 NPG automatically enables all URLs in the Exempt list when you upload the text file.
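The two upload formats described above (the banned word list: one word or phrase per line, ASCII/western characters only, all entries enabled; and the Exempt URL list: one URL per line, optionally followed by a space and 1 or 0, with a missing flag meaning enabled) are simple enough to build and check before uploading. The following is an added example, not D-Link's code; the sample file contents are constructed for the example.

```python
"""Build and validate the text files the DFL-500 accepts for upload.

Added example, not D-Link's code. It follows the two formats the manual
describes: a banned word list (one word or phrase per line, ASCII/western
characters only, every entry enabled) and an Exempt URL list (one URL per
line, optionally followed by a space and 1 = enabled or 0 = disabled;
a line without a flag is enabled on upload). Sample entries below are
constructed for the example.
"""
from __future__ import annotations

from typing import Dict, List


def parse_exempt_url_list(text: str) -> Dict[str, bool]:
    """Parse an Exempt URL list file into {url: enabled}.

    Blank lines are skipped. A trailing '1' enables, '0' disables, and a
    missing flag means enabled, matching the upload behaviour the manual
    describes. Any other trailing token is rejected.
    """
    entries: Dict[str, bool] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 1:
            url, enabled = parts[0], True
        elif len(parts) == 2 and parts[1] in ("0", "1"):
            url, enabled = parts[0], parts[1] == "1"
        else:
            raise ValueError(f"line {lineno}: expected '<url>' or '<url> 0|1', got {raw!r}")
        entries[url] = enabled
    return entries


def format_exempt_url_list(entries: Dict[str, bool]) -> str:
    """Serialise {url: enabled} into the upload format, one URL per line."""
    return "".join(f"{url} {1 if enabled else 0}\n" for url, enabled in entries.items())


def check_banned_word_list(text: str) -> List[str]:
    """Return a list of problems found in a banned word list file.

    The manual requires one word or phrase per line and ASCII/western
    characters only; there is no per-word enable flag, so every non-empty
    line is an active entry. Stray whitespace is reported because it would
    become part of the phrase.
    """
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if not line.isascii():
            problems.append(f"line {lineno}: non-ASCII characters in {line!r}")
        if line != line.strip():
            problems.append(f"line {lineno}: leading/trailing whitespace in {line!r}")
    return problems


# Constructed sample files for the example (not from the manual).
SAMPLE_EXEMPT_LIST = """\
www.goodsite.com/index.html
www.goodsite.com/archive.html 0
10.0.0.5/index.html 1

"""

SAMPLE_BANNED_WORDS = "casino\nfree money\n  spaced  \ncaf\u00e9\n"

if __name__ == "__main__":
    print(parse_exempt_url_list(SAMPLE_EXEMPT_LIST))
    print(format_exempt_url_list(parse_exempt_url_list(SAMPLE_EXEMPT_LIST)), end="")
    for problem in check_banned_word_list(SAMPLE_BANNED_WORDS):
        print("banned word list:", problem)
```

Running the script on the constructed samples reports the third banned-word line for stray whitespace and the fourth for a non-ASCII character, and round-trips the exempt list with explicit 1/0 flags on every line, which is the safest form to upload because it does not rely on the default.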
Logging and reporting

You can configure the DFL-500 NPG to record 3 types of logs:
• Traffic logs record all traffic that attempts to connect through the DFL-500 NPG.
• Event logs record management and activity events.
Example log settings

Selecting what to log

Use the following procedure to configure the type of information recorded in DFL-500 logs.
• Go to Log&Report > Log setting.
• Select Log All Internal Traffic To Firewall to record all connections to the internal interface. This setting is not available in Transparent mode.
• Select Log All External Traffic To Firewall to record all connections to the external interface. This setting is not available in Transparent mode.
Configuring alert email
• Go to System > Network > DNS.
• If they have not already been added, add the primary and secondary DNS server addresses provided to you by your ISP. Because the DFL-500 NPG uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server.
• Select Apply.
• Go to Log&Report > Alert Mail > Configuration.
• In the SMTP Server field, enter the name of the SMTP server to which the DFL-500 NPG should send email.
Administration

This chapter describes how to use the web-based manager to administer and maintain the DFL-500 NPG.
• Shutting down the DFL-500 NPG

If you log into the web-based manager with any other administrator account, you can go to System > Status to view the system settings, including:
• Displaying the DFL-500 NPG serial number

All administrative users can also go to System > Status > Monitor and view system status.
• System status monitor

Upgrading the DFL-500 NPG firmware

D-Link releases new versions of the DFL-500 NPG firmware periodically.
• Enter the following command to restart the DFL-500 NPG:
> execute reboot
As the DFL-500 NPG reboots, messages similar to the following appear:
BIOS Version 2.2
Serial number: FGT-502801021075
SDRAM Initialization.
Scanning PCI Bus...Done.
Total RAM: 256M
Enabling Cache...Done.
Allocating PCI Resources...Done.
Zeroing IRQ Settings...Done.
Enabling Interrupts...Done.
Configuring L2 Cache...Done.
Boot Up, Boot Device Capacity=62592k Bytes.
Press Any Key To Download Boot Image.
...
When the interface addresses are changed, you can access the DFL-500 from the web-based manager and restore your configuration files and content and URL filtering lists.

Displaying the DFL-500 NPG serial number
• Go to System > Status. The serial number is displayed in the Status window. The serial number is specific to your DFL-500 NPG and does not change with firmware upgrades.

Backing up system settings

This procedure does not back up the web content and URL filtering lists.
This procedure deletes the changes that you have made to the DFL-500 NPG configuration and reverts the system to its original configuration, including resetting interface addresses.
• Go to System > Status.
• Select Restore Factory Defaults.
• Select OK to confirm. The DFL-500 NPG restarts with the configuration that it had when it was first powered on.
• Reconnect to the web-based manager and review the system configuration to confirm that it has been reset to the default settings.
The DFL-500 NPG changes operation mode.
• To reconnect to the web-based manager, browse to the interface that you have configured for management access using https:// followed by the IP address of the interface.

Restarting the DFL-500 NPG

Use the following procedure to restart the DFL-500 NPG:
• Go to System > Status.
• Select Restart. The DFL-500 NPG restarts.

Shutting down the DFL-500 NPG

Use the following procedure to shut down the DFL-500 NPG:
• Go to System > Status.
• Select Shutdown.
System status monitor

At the top of the display, the system status monitor shows:
CPU usage : The current CPU usage statistics of the DFL-500 NPG.
Memory usage : The percentage of available memory being used by the DFL-500 NPG.
Up time : The number of days, hours, and minutes since the DFL-500 NPG was last started.
Total Number of Sessions : The total number of active communication sessions to and through the DFL-500 NPG.
Configuring the internal interface

To configure the internal interface:
• Go to System > Network > Interface.
• For the internal interface, select Modify.
• Change the IP address and Netmask as required.
• Select the management Access methods for the internal interface.
HTTPS : To allow secure HTTPS connections to the web-based manager through the internal interface.
PING : If you want the internal interface to respond to pings. Use this setting to verify your installation and for testing.
• Controlling management access to the external interface
• Changing the external interface MTU size to improve network performance

Configuring the external interface with a static IP address
• Go to System > Network > Interface.
• For the external interface, select Modify.
• Set Addressing mode to Manual.
• Change the IP address and Netmask as required.
• Select OK to save your changes.
Configuring the external interface

Configuring the external interface for PPPoE

Use the following procedure to configure the external interface to use PPPoE. This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface.
• Go to System > Network > Interface.
• For the external interface, select Modify.
• Set Addressing mode to PPPoE and select OK to change to PPPoE mode.
• Enter your PPPoE account User Name and Password.
• Select OK.
• For the external interface, select Modify.
• Select the management Access methods for the external interface.
HTTPS : To allow secure HTTPS connections to the web-based manager through the external interface.
PING : If you want the external interface to respond to pings. Use this setting to verify your installation and for testing.
SSH : To allow secure SSH connections to the CLI through the external interface.
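The internal and external interface procedures above both end with choosing management Access methods (HTTPS, PING, SSH). A defender normally reviews that choice after the fact: management access on the external interface is reachable from the ISP side, and PING is described by the manual as an installation-test aid rather than something to leave on. The following added example (not D-Link's code; the dictionary layout and the sample settings are constructed for the example) encodes that review and produces the corrected settings beside the weak ones.

```python
"""Review the per-interface management Access settings of a DFL-500.

Added example, not D-Link's code. The manual lets you enable HTTPS, PING
and SSH management access per interface. This script flags management
access (HTTPS/SSH) on the external interface and PING left enabled on any
interface, and derives a hardened copy of the settings. The dict layout
{interface: set of enabled methods} is an assumption for the example,
not a device export.
"""
from typing import Dict, List, Set

# Access methods the manual names.
METHODS = {"HTTPS", "PING", "SSH"}
# Methods that grant management access rather than mere reachability.
MANAGEMENT_METHODS = {"HTTPS", "SSH"}


def audit_access(config: Dict[str, Set[str]]) -> List[str]:
    """Return findings for a {interface: {enabled access methods}} configuration."""
    findings: List[str] = []
    for iface, enabled in config.items():
        unknown = enabled - METHODS
        if unknown:
            findings.append(f"{iface}: unknown access method(s) {sorted(unknown)}")
        if iface == "external" and enabled & MANAGEMENT_METHODS:
            findings.append(
                f"external: management access {sorted(enabled & MANAGEMENT_METHODS)} "
                "is exposed on the ISP-facing interface; disable it unless required"
            )
        if "PING" in enabled:
            findings.append(
                f"{iface}: PING is enabled; the manual presents it as an installation "
                "test aid, so turn it off once the installation is verified"
            )
    return findings


def hardened(config: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Copy of the settings with external management access and all PING removed."""
    result: Dict[str, Set[str]] = {}
    for iface, enabled in config.items():
        kept = set(enabled) - {"PING"}
        if iface == "external":
            kept -= MANAGEMENT_METHODS
        result[iface] = kept
    return result


# Constructed weak settings: PING left on everywhere, HTTPS and SSH open externally.
WEAK_SETTINGS = {
    "internal": {"HTTPS", "PING"},
    "external": {"HTTPS", "SSH", "PING"},
}

if __name__ == "__main__":
    for finding in audit_access(WEAK_SETTINGS):
        print("finding:", finding)
    print("hardened:", hardened(WEAK_SETTINGS))
```

The hardened copy keeps HTTPS on the internal interface only, which matches the manual's own default of managing the unit from the internal side.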
Configuring the management interface (Transparent mode)

In Transparent mode, you can configure the management interface for management access to the DFL-500 NPG.
• Go to System > Network > Management.
• Change the Management IP and Mask as required. These must be valid addresses for the network from which you will manage the DFL-500 NPG.
• Select the management Access methods for each interface. By default in Transparent mode, you manage the DFL-500 NPG by connecting to the internal interface.
If you select dead gateway detection, you can also configure the ping target, detection interval, and failover detection for the routing gateway.
• Set Ping Target to the IP address that the DFL-500 NPG should ping to test connectivity with the gateway.
• Select OK to save the new route.

Arrange routes in the routing table from more specific to more general. To arrange routes in the routing table, see Configuring the routing table.

Configuring the routing table

As you add routes, they appear in the routing table. The routing table shows the source and destination addresses of each route as well as the gateways added to the route. For each gateway, the routing table displays the gateway connection status.
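The reason for the "more specific to more general" rule is that a table consulted in order stops at the first matching entry, so a general route listed ahead of a specific one hides it. The following added example (not D-Link's code) models the routing table the manual describes, with a source address, a destination address and a gateway per route, as a first-match list, shows the shadowing, and orders the table as the manual asks. Network addresses and gateway names are constructed for the example; whether the device itself performs longest-prefix matching is not stated on the page, which is why the manual's ordering rule matters.

```python
"""Why the manual says to arrange routes from more specific to more general.

Added example, not D-Link's code. The routing table is modelled as a
first-match list of (source network, destination network, gateway): a
lookup walks the entries in order and the first entry whose source and
destination contain the packet wins. Addresses and gateway labels are
constructed for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    source: IPNet        # source network the route applies to
    destination: IPNet   # destination network the route applies to
    gateway: str         # gateway label (constructed here)


def make_route(src: str, dst: str, gateway: str) -> Route:
    return Route(ipaddress.ip_network(src), ipaddress.ip_network(dst), gateway)


def lookup(table: List[Route], src_ip: str, dst_ip: str) -> Optional[str]:
    """First-match lookup: return the gateway of the first route that matches."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for route in table:
        if s in route.source and d in route.destination:
            return route.gateway
    return None


def order_specific_first(table: List[Route]) -> List[Route]:
    """Order routes from more specific to more general.

    Longer prefixes first, destination before source. The sort is stable,
    so routes of equal specificity keep the order the administrator gave.
    """
    return sorted(
        table,
        key=lambda r: (r.destination.prefixlen, r.source.prefixlen),
        reverse=True,
    )


# Constructed table: the default route was entered before a more specific one,
# so the specific route is shadowed until the table is reordered.
MISORDERED = [
    make_route("0.0.0.0/0", "0.0.0.0/0", "gw-isp"),           # default route, most general
    make_route("192.168.1.0/24", "10.20.0.0/16", "gw-vpn"),   # specific route, never reached
]

if __name__ == "__main__":
    print(lookup(MISORDERED, "192.168.1.10", "10.20.5.5"))                        # gw-isp
    print(lookup(order_specific_first(MISORDERED), "192.168.1.10", "10.20.5.5"))  # gw-vpn
```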
• Repeat these steps to add more routes as required.

Providing DHCP services to your internal network

If the DFL-500 NPG is operating in NAT/Route mode, you can configure it to be the DHCP server for your internal network:
• Go to System > Network > DHCP.
• Select Enable DHCP.
• Configure the DHCP settings.
Starting IP, Ending IP : Enter the Starting IP and the Ending IP to configure the range of IP addresses that the DFL-500 NPG can assign to DHCP clients.
Sample DHCP settings

Viewing the dynamic IP list

If you have configured your DFL-500 NPG as a DHCP server, you can view a list of IP addresses that the DHCP server has added, their corresponding MAC addresses, and the expiry time and date for these addresses. The DFL-500 NPG adds these addresses to the dynamic IP/MAC list, and if IP/MAC binding is enabled, the addresses in the dynamic IP/MAC list are added to the list of trusted IP/MAC address pairs.
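The sentence above is the whole of what IP/MAC binding does with the dynamic list: a lease becomes a trusted (IP, MAC) pair for as long as it is current. The following added example (not D-Link's code) models that trusted-pair list as static pairs plus unexpired leases and checks a packet's source IP and MAC against it, so a host using an address it was not leased is reported. How the real device treats a non-matching packet beyond "not a trusted pair" is not described on the page, so the verdict text is the example's own; the leases, pairs and timestamps are constructed.

```python
"""Model of the trusted IP/MAC pair list that DFL-500 IP/MAC binding builds.

Added example, not D-Link's code. Per the manual, DHCP leases enter the
dynamic IP/MAC list and, with IP/MAC binding enabled, join the trusted
IP/MAC address pairs. Here the trusted pairs are the configured static
pairs plus unexpired leases, and a packet's (IP, MAC) is accepted only if
it matches a trusted pair. Leases, pairs and timestamps are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    expires: datetime


def norm_mac(mac: str) -> str:
    """Normalise MAC spellings (00:11:22:33:44:55, 00-11-..., 0011.2233.4455)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def trusted_pairs(static: Dict[str, str], leases: List[Lease], now: datetime) -> Dict[str, str]:
    """Static pairs plus unexpired dynamic leases, as {ip: mac}."""
    pairs = {ip: norm_mac(mac) for ip, mac in static.items()}
    for lease in leases:
        if lease.expires > now:
            pairs.setdefault(lease.ip, norm_mac(lease.mac))  # a static entry wins on conflict
    return pairs


def check_packet(pairs: Dict[str, str], ip: str, mac: str) -> Tuple[bool, str]:
    """Accept only (IP, MAC) combinations that match a trusted pair."""
    expected = pairs.get(ip)
    if expected is None:
        return False, f"{ip} has no trusted pair (no static entry, no current lease)"
    if expected != norm_mac(mac):
        return False, f"{ip} is bound to {expected}, seen from {norm_mac(mac)}"
    return True, "trusted IP/MAC pair"


# Constructed data for the example.
NOW = datetime(2003, 7, 1, 12, 0, 0)
STATIC_PAIRS = {"192.168.1.2": "00-11-22-33-44-55"}   # e.g. a server with a fixed address
LEASES = [
    Lease("192.168.1.100", "aa:bb:cc:dd:ee:01", NOW + timedelta(hours=1)),    # current lease
    Lease("192.168.1.101", "aa:bb:cc:dd:ee:02", NOW - timedelta(minutes=5)),  # expired lease
]

if __name__ == "__main__":
    pairs = trusted_pairs(STATIC_PAIRS, LEASES, NOW)
    for ip, mac in [("192.168.1.100", "aa:bb:cc:dd:ee:01"),
                    ("192.168.1.100", "aa:bb:cc:dd:ee:99"),
                    ("192.168.1.101", "aa:bb:cc:dd:ee:02"),
                    ("192.168.1.2", "0011.2233.4455")]:
        print(ip, mac, check_packet(pairs, ip, mac))
```

Note that the expired lease for 192.168.1.101 is no longer trusted even for the MAC that held it, which is the behaviour to expect once the expiry time shown in the dynamic IP list has passed.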
• Setting system date and time
• Changing web-based manager options
• Adding and editing administrator accounts
• Configuring SNMP

Setting system date and time

For effective scheduling and logging, the DFL-500 NPG time should be accurate. You can either manually set the DFL-500 NPG time or configure the DFL-500 NPG to keep its time correct automatically by synchronizing with a Network Time Protocol (NTP) server.
• Specify how often the DFL-500 NPG should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes, for the DFL-500 NPG to synchronize its time once a day.
• Select Apply.

Changing web-based manager options

You can change the web-based manager idle time-out and the firewall user authentication time-out. You can also change the language and character set used by the web-based manager.
• Go to System > Config > Options.
• Set the web-based manager idle time-out.
• Select New to add an administrator account.
• Type a login name for the administrator account. The login name must be at least 6 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
• Type and confirm a password for the administrator account.
System Location : Describe the physical location of the DFL-500 NPG. The system location description can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. The \ < > [ ] ` $ % & characters are not allowed.
Contact Information : Add the contact information for the person responsible for this DFL-500 NPG.
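The administrator login name rule and the SNMP system location rule above are precise enough to check before a value is typed into the web-based manager. The following added example (not D-Link's code) encodes both rules exactly as the manual states them; the order in which a value that breaks several rules is reported is the example's own, since the page does not say which check the device performs first.

```python
"""Validators for the administrator login name and SNMP system location rules.

Added example, not D-Link's code. Rules as the manual states them:
  - login name: at least 6 characters drawn from 0-9, A-Z, a-z, '-' and '_';
    other special characters and spaces are not allowed.
  - system location: up to 31 characters drawn from spaces, 0-9, A-Z, a-z,
    '-' and '_'; the characters \\ < > [ ] ` $ % & are not allowed.
The order of the reported problems is the example's own.
"""
import re
from typing import List

LOGIN_NAME_MIN = 6
LOGIN_CHAR_RE = re.compile(r"[0-9A-Za-z_-]")
LOCATION_MAX = 31
LOCATION_ALLOWED_RE = re.compile(r"^[ 0-9A-Za-z_-]*$")
LOCATION_FORBIDDEN = set("\\<>[]`$%&")


def login_name_problems(name: str) -> List[str]:
    """Return the rule violations of an administrator login name (empty if valid)."""
    problems: List[str] = []
    if len(name) < LOGIN_NAME_MIN:
        problems.append(f"login name must be at least {LOGIN_NAME_MIN} characters")
    bad = sorted({c for c in name if not LOGIN_CHAR_RE.fullmatch(c)})
    if bad:
        problems.append(f"login name contains disallowed characters {bad!r}")
    return problems


def location_problems(location: str) -> List[str]:
    """Return the rule violations of an SNMP system location (empty if valid)."""
    problems: List[str] = []
    if len(location) > LOCATION_MAX:
        problems.append(f"system location longer than {LOCATION_MAX} characters")
    forbidden = sorted(LOCATION_FORBIDDEN & set(location))
    if forbidden:
        # The explicitly forbidden characters get a specific message.
        problems.append(f"system location contains forbidden characters {forbidden!r}")
    elif not LOCATION_ALLOWED_RE.fullmatch(location):
        # Anything else outside the allowed set (e.g. punctuation) is also rejected.
        problems.append("system location contains characters outside the allowed set")
    return problems


def valid_login_name(name: str) -> bool:
    return not login_name_problems(name)


def valid_location(location: str) -> bool:
    return not location_problems(location)


if __name__ == "__main__":
    # Constructed sample values for the example.
    for name in ["admin_01", "admin", "root user!"]:
        print(repr(name), login_name_problems(name) or "ok")
    for loc in ["Rack 3 - Server Room", "Rack <3>", "Rack 3, Server Room", "x" * 32]:
        print(repr(loc), location_problems(loc) or "ok")
```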
Glossary

Connection : A link between machines, applications, processes, and so on that can be logical, physical, or both.
DNS, Domain Name Service : A service that converts symbolic node names to IP addresses.
Ethernet : A local-area network (LAN) architecture that uses a bus or star topology and supports data transfer rates of 10 Mbps. Ethernet is one of the most widely implemented LAN standards. A newer version of Ethernet, called 100 Base-T (or Fast Ethernet), supports data transfer rates of 100 Mbps.
Netmask : Also called subnet mask. A set of rules for omitting parts of a complete IP address to reach a target destination without using a broadcast message. It can indicate a subnetwork portion of a larger network in TCP/IP. Sometimes referred to as an Address Mask.
NTP, Network Time Protocol : Used to synchronize the time of a computer to an NTP server. NTP provides accuracies to within tens of milliseconds across the Internet relative to Coordinated Universal Time (UTC).
VPN, Virtual Private Network : A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be intercepted.
Virus : A computer program that attaches itself to other programs, spreading itself through computers or networks by this mechanism, usually with harmful intent.
Technical Support Offices AUSTRALIA BENELUX CANADA CHILE CHINA DENMARK EGYPT FINLAND FRANCE GERMANY IBERIA INDIA ITALY JAPAN NORWAY RUSSIA SINGAPORE S. AFRICA SWEDEN TAIWAN U.K. U.S.A. D-LINK AUSTRALIA Unit 16, 390 Eastern Valley Way, Roseville, NSW 2069, Australia TEL: 61-2-9417-7100 FAX: 61-2-9417-1077 TOLL FREE: 1800-177-100 (Australia), 0800-900900 (New Zealand) E-MAIL: support@dlink.com.au, info@dlink.com.au URL: www.dlink.com.
Limited Warranty

D-Link Systems, Inc. ("D-Link") provides this 1-Year warranty for its product only to the person or entity who originally purchased the product from:
• D-Link or its authorized reseller or distributor.
• Products purchased and delivered within the fifty United States, the District of Columbia, US Possessions or Protectorates, US Military Installations, addresses with an APO or FPO.
Submitting A Claim. Any claim under this limited warranty must be submitted in writing before the end of the Warranty Period to an Authorized D-Link Service Office.
• The customer must submit as part of the claim a written description of the Hardware defect or Software nonconformance in sufficient detail to allow D-Link to confirm the same.
GOVERNING LAW: This 1-Year Warranty shall be governed by the laws of the state of California. Some states do not allow exclusion or limitation of incidental or consequential damages, or limitations on how long an implied warranty lasts, so the foregoing limitations and exclusions may not apply. This limited warranty provides specific legal rights and the product owner may also have other rights which vary from state to state.

Trademarks

Copyright® 2001 D-Link Corporation.
Registration Register the D-Link DFL-500 Office Firewall online at http://www.dlink.