D-Link DFL-500 manual


A good user manual

The rules require the retailer to supply the buyer with the manual together with the D-Link DFL-500 product. The absence of a manual, or incorrect information provided to the consumer, is grounds for a complaint that the product does not conform to the contract. Under the law, the manual may be supplied in a form other than paper, which is frequently done by attaching a graphical or electronic manual or D-Link DFL-500 instructional videos for users. The condition is that it be legible and understandable.

What is an instruction manual?

The word comes from the Latin "instructio", to instruct. So in the D-Link DFL-500 manual you can find a description of the stages of a process. The purpose of the manual is to instruct, to make it easier to start up and use the equipment or to carry out specific tasks. The manual is a collection of information about the object or service, a guide.

Unfortunately, few users take the time to read the D-Link DFL-500 manual, and a good manual not only lets you learn a number of additional functions of the device, but also prevents most failures.

So what should the perfect manual contain?

First, the D-Link DFL-500 manual should contain:
- technical data of the D-Link DFL-500 device
- the name of the manufacturer and year of manufacture of the D-Link DFL-500 device
- instructions for use, adjustment and maintenance of the D-Link DFL-500 device
- safety markings and certificates confirming compliance with the relevant standards

Why don't you read manuals?

Usually this is due to lack of time and to confidence about the specific functions of the purchased device. Unfortunately, simply connecting and starting the D-Link DFL-500 is not enough. The manual contains a number of guidelines on specific functions, safety, maintenance methods (including which products should be used), possible D-Link DFL-500 faults and ways to solve common problems during use. Finally, the manual gives the contact details of D-Link service in case the proposed solutions prove ineffective. Currently, manuals in the form of interesting animations and instructional videos are much appreciated, because they speak to the user better than a leaflet does. This type of manual gives the user the chance to go through the whole instructional video without skipping the complicated D-Link DFL-500 specifications and technical descriptions, as happens with the paper version.

Why read manuals?

First of all, they contain the answers about the construction and capabilities of the D-Link DFL-500 device, the use of individual accessories and a range of information for taking full advantage of all its features and conveniences.

After the successful purchase of a piece of equipment or device, it is worth taking a moment to familiarize yourself with every part of the D-Link DFL-500 manual. Nowadays they are carefully prepared and translated so that they are not only understandable to users, but also fulfil their basic informational function.

Manual contents

  • Page 1

    DFL-500 User Manual 1 D-Link DFL-500 Network Security Firewall Manual. Building Networks for People[...]

  • Page 2

    © Copyright 2003 D-Link Systems, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D[...]

  • Page 3

    Table of Contents: Introduction 8; NAT/Route mode and Transparent mode 8; NAT/Route mode [...]

  • Page 4

    Firewall configuration 23; NAT/Route mode and Transparent mode 24; NAT/Route mode [...]

  • Page 5

    Configuring user groups 46; Adding user groups 46; Dele[...]

  • Page 6

    Changing the URL block message 74; Downloading the URL block list 74; Uploadin[...]

  • Page 7

    System configuration 96; Setting system date and time 97; Changing[...]

  • Page 8

    Introduction. The DFL-500 Network Protection Gateway (NPG) is an easy-to-deploy and easy-to-administer solution that delivers exceptional value and performance for small office and home office (SOHO) applications. Your DFL-500 is a dedicated, easily managed security device that delivers a full suite of capabilities th[...]

  • Page 9

    • Administration describes DFL-500 management and administrative tasks. • The Glossary defines many of the terms used in this document. For more information: In addition to the DFL-500 User Manual, you have access to the following DFL-500 documentation: • DFL-500 QuickStart Guide • DFL-500 CLI Reference Gu[...]

  • Page 10

    Getting started. This chapter describes unpacking, setting up, and powering on your DFL-500 NPG. When you have completed the procedures in this chapter, you can proceed to one of the following: • If you are going to run your DFL-500 NPG in NAT/Route mode, go to NAT/Route mode installation. • If you are going to [...]

  • Page 11

    Dimensions • 8.63 x 6.13 x 1.38 in. (21.9 x 15.6 x 3.5 cm). Weight • 1.5 lb. (0.68 kg). Power requirements • DC input voltage: 5 V • DC input current: 3 A. Environmental specifications • Operating temperature: 32 to 104 °F (0 to 40 °C) • Storage temperature: -13 to 158 °F (-25 to 70 °C) • Humidity[...]

  • Page 12

    Front and back view of the DFL-500 NPG. Initial configuration: When the DFL-500 NPG is first powered on, it is running in NAT/Route mode and has the basic configuration listed in DFL-500 NPG initial power on settings. DFL-500 NPG initial power on settings: Operating mode: NAT/Route. User name: admin. Administrator account: Pa[...]

  • Page 13

    • Using the crossover cable or the ethernet hub and cables, connect the Internal interface of the DFL-500 NPG to the computer ethernet connection. • Start Internet Explorer and browse to the address https://192.168.1.99. The DFL-500 login appears. • Type admin in the Name field and select Login. The Register [...]

  • Page 14

    Data bits: 8. Parity: None. Stop bits: 1. Flow control: None. • Press Enter to connect to the DFL-500 CLI. The following prompt appears: DFL-500 login: • Type admin and press Enter. The following prompt appears: Type ? for a list of commands. For information on how to use the CLI, see the DFL-500 CLI Reference Guide. Next[...]

  • Page 15

    NAT/Route mode installation. This chapter describes how to install your DFL-500 NPG in NAT/Route mode. If you want to install the DFL-500 NPG in Transparent mode, see Transparent mode installation. This chapter includes: • Preparing to configure NAT/Route mode • Using the setup wizard • Using the command line [...]

  • Page 16

    Ending IP: _____._____._____._____ Netmask: _____._____._____._____ Default Route: _____._____._____._____ DNS IP: _____._____._____._____ The DFL-500 NPG contains a DHCP server that you can configure to automatically set the addresses of the computers on your internal network. Using the setup wizard: From the web-base[...]

  • Page 17

    • Set the IP address and netmask of the external interface to the external IP address and netmask that you recorded in NAT/Route mode settings. To set the manual IP address and netmask, enter: set system interface external static ip <IP address> <netmask> Example: set system interface external static ip 20[...]

  • Page 18

    DFL-500 NPG network connections. Configuring your internal network: If you are running the DFL-500 NPG in NAT/Route mode, your internal network must be configured to route all internet traffic to the address of the internal interface of the DFL-500 NPG. This means changing the default gateway address of all computers[...]

  • Page 19

    Transparent mode installation. This chapter describes how to install your DFL-500 NPG in Transparent mode. If you want to install the DFL-500 NPG in NAT/Route mode, see NAT/Route mode installation. This chapter includes: • Preparing to configure Transparent mode • Using the setup wizard • Using the command li[...]

  • Page 20

    Starting the setup wizard • Select Easy Setup Wizard (the button in the upper right corner of the web-based manager). • Use the information that you gathered in Transparent mode settings to fill in the wizard fields. Select the Next button to step through the wizard pages. • Confirm your configuration settin[...]

  • Page 21

    The CLI lists the Management IP address and netmask. Configure the Transparent mode default gateway • Login to the CLI if you are not already logged in. • Set the default route to the Default Gateway that you recorded in Transparent mode settings. Enter: set system route number <number> gateway <IP addre[...]

  • Page 22

    DFL-500 network connections[...]

  • Page 23

    Firewall configuration. By default, the users on your internal network can connect through the DFL-500 NPG to the Internet. The firewall blocks all other connections. The firewall is configured with a default policy that matches any connection request received from the internal network and instructs the firewall t[...]

  • Page 24

    NAT/Route mode and Transparent mode. The first step in configuring firewall policies is to configure the mode for the firewall. The firewall can run in NAT/Route mode or Transparent mode. NAT/Route mode: Run the DFL-500 NPG in NAT/Route mode to protect a private network from a public network. When the DFL-500 NPG is ru[...]

  • Page 25

    You can also select Insert Policy before on a policy in the list to add the new policy above a specific policy. • Configure the policy: Source: Select an address or address group that matches the source address of the packet. Before you can add this address to a policy, you must add it to the source interface. To add an[...]

  • Page 26

    Telnet, or FTP. For users to be able to authenticate you must add an HTTP, Telnet, or FTP policy that is configured for authentication. When users attempt to connect through the firewall using this policy they are prompted to enter a firewall username and password. If you want users to authenticate to use other serv[...]

  • Page 27

    Adding a NAT/Route Int -> Ext policy. Adding Transparent mode policies: Add Transparent mode policies to control the network traffic that is allowed to pass through the firewall when you are running it in Transparent mode. • Go to Firewall > Policy. • Select a policy list tab. • Select New to add a new p[...]

  • Page 28

    Action: Select how the firewall should respond when the policy matches a connection attempt. You can configure the policy to direct the firewall to ACCEPT the connection or DENY the connection. If you select ACCEPT, you can also configure Authentication for the policy. Log Traffic: Select Log Traffic to write messages [...]

  • Page 29

    Adding a Transparent mode Int -> Ext policy. Configuring policy lists: The firewall matches policies by searching for a match starting at the top of the policy list and moving down until it finds the first match. You must arrange policies in the policy list from more specific to more general. For example, the default p[...]

  • Page 30

    Policies that require authentication must be added to the policy list above matching policies that do not; otherwise, the policy that does not require authentication is selected first. Changing the order of policies in a policy list • Go to Firewall > Policy. • Select the tab for the policy list that you want t[...]

  • Page 31

    Adding addresses • Go to Firewall > Address. • Select the interface to which to add the address. The list of addresses added to that interface is displayed. • Select New to add a new address to the selected interface. • Enter an Address Name to identify the address. The name can contain numbers (0-9), uppercas[...]

  • Page 32

    Organizing addresses into address groups: You can organize related addresses into address groups to make it easier to add policies. For example, if you add three addresses, and then add them to an address group, you only have to add one policy for the address group rather than three separate policies, one for each addres[...]

  • Page 33

    • Predefined services • Providing access to custom services • Grouping services. Predefined services: To view the list of predefined services, go to Firewall > Service > Pre-defined. You can add predefined services to any policy. Providing access to custom services: Add a custom service if you need to create a[...]

  • Page 34

    Adding a service group • To add services to the service group, select a service from the Available Services list and select the right arrow to copy it to the Members list. • To remove services from the service group, select a service from the Members list and select the left arrow to remove it from the group. • [...]

  • Page 35

    • Set the Start date and time for the schedule. Set Start and Stop times to 00 for the schedule to cover the entire day. • Set the Stop date and time for the schedule. One-time schedules use the 24-hour clock. • Select OK to add the one-time schedule. Creating recurring schedules: You can create a recurring sched[...]

  • Page 36

    create an external address for the web server on the Internet. You must then add a virtual IP to the firewall that maps the external IP address of the web server to the actual address of the web server on your internal network. To allow connections from the Internet to the web server, you must then add an Ext -> In[...]

  • Page 37

    Adding a static NAT virtual IP • In the Map to IP field, enter the real IP address on the more secure network, for example, the IP address of a web server on your internal network. The firewall translates the source address of outbound packets from the host with the Map to IP address to the virtual IP External IP Ad[...]

  • Page 38

    Adding a Port Forwarding virtual IP • Enter the External Service Port number for which to configure port forwarding. The external service port number must match the destination port of the packets to be forwarded. For example, if the virtual IP provides access from the Internet to a Web server on your internal netwo[...]

  • Page 39

    Destination: Select the virtual IP. Schedule: Select a schedule as required. Service: Select the service that matches the Map to Service that you selected for the port-forwarding virtual IP. Action: Set action to ACCEPT to accept connections to the internal server. You can also select DENY to deny access. NAT: Select[...]

  • Page 40

    Adding an IP Pool. IP/MAC binding: IP/MAC binding protects the DFL-500 NPG and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the firewall from a different computer. The IP address of a computer can easily be changed to a trusted address, but[...]

  • Page 41

    All packets that would normally be matched with policies to be able to go through the firewall are first compared with the entries in the IP/MAC binding list. If a match is found, then the firewall attempts to match the packet with a policy. For example, if the IP/MAC pair IP 1.1.1.1 and 12:34:56:78:90:ab:cd is added to t[...]

  • Page 42

    Viewing the dynamic IP/MAC list • Go to Firewall > IP/MAC Binding > Dynamic IP/MAC. Enabling IP/MAC binding • Go to Firewall > IP/MAC Binding > Setting. • Select Enable IP/MAC binding going through the firewall to turn on IP/MAC binding for packets that could be matched by policies. • Select Enable[...]

  • Page 43

    Users and authentication: DFL-500 NPGs support user authentication to the DFL-500 user database or to a RADIUS server. You can add user names to the DFL-500 user database and then add a password to allow the user to authenticate using the internal database. You can also add the name of a RADIUS server and select RADIUS [...]

  • Page 44

    • Select New to add a new user name. Adding a user name • Enter the user name. The user name can contain numbers (0-9) and uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed. • Select one of the following authentication configuration[...]

  • Page 45

    Deleting the user name deletes the authentication configured for the user. Configuring RADIUS support: If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the DFL-500 NPG contacts the RADIUS server for authentication. When using a RADIUS server for user authentication, PPT[...]

  • Page 46

    Configuring user groups: Use the following information to add user groups to your DFL-500 configuration. You can add user names and RADIUS servers to user groups. You can then add user groups to: • Policies that require authentication (Adding NAT/Route mode policies, and Adding NAT/Route mode policies). Only users [...]

  • Page 47

    Adding a user group • To remove users or RADIUS servers from the user group, select a user or RADIUS server from the Members list and select the left arrow to remove the name or RADIUS server from the group. • Select OK. Deleting user groups: You cannot delete user groups that have been selected in a policy[...]

  • Page 48

    IPSec VPNs: Using IPSec Virtual Private Networking (VPN), you can securely join two or more widely separated private networks or computers together through the Internet. For example, if you are away from home, you can use a VPN to securely connect through your DFL-500 NPG to your home network. If you telecommute, you can s[...]

  • Page 49

    • ESP security in tunnel mode • DES and 3DES (TripleDES) encryption • Diffie-Hellman groups 1, 2, and 5 • HMAC MD5 authentication/data integrity or HMAC SHA1 authentication/data integrity • Aggressive and Main Mode • NAT Traversal • Replay Detection • IPSec Redundancy • Perfect Forward Secrecy • VPN co[...]

  • Page 50

    See Adding an encrypt policy. Configuring manual key IPSec VPN: A manual key VPN configuration consists of a manual key VPN tunnel, the source and destination addresses for both ends of the tunnel, and an encrypt policy to control access to the VPN tunnel. To create a manual key VPN configuration: • Add a manual key V[...]

  • Page 51

    Configuring the VPN concentrator: On the VPN concentrator network, you must create one VPN tunnel for each of the prospective VPN concentrator members and then add these tunnels to a VPN concentrator. You can add both AutoIKE and manual key VPN tunnels to a VPN concentrator. Encrypt policies control the direction of traffi[...]

  • Page 52

    See Adding an AutoIKE key VPN tunnel. Or, add a manual key VPN tunnel. See Adding a manual key VPN tunnel. • Add one encrypt policy between the member VPN and the VPN concentrator. Use the following configuration: Source: Member VPN address. Destination: VPN concentrator address. Action: ENCRYPT. VPN Tunnel: The VPN t[...]

  • Page 53

    The source and destination of both policies must be the same. Add a different AutoIKE key tunnel to each policy. See Adding an encrypt policy. Adding a remote gateway: Add a remote gateway configuration to define the parameters that the DFL-500 NPG uses to connect to and establish an AutoIKE key VPN tunnel with a remote[...]

  • Page 54

    Mode. Enter the IP address of the dialup user or the domain name of the dialup user (for example, domain.com). If you do not add a local ID, the DFL-500 external interface automatically becomes the Local ID. For information about the Local ID, see About dialup VPN authentication. Nat-traversal: Select Enable if you exp[...]

  • Page 55

    For each variation, the remote gateway field of the dialup server remote gateway configuration must be set to dialup user and all of the clients must have their remote gateway or equivalent set to the static IP address of the remote gateway server. The following sections describe how to configure authentication on the se[...]

  • Page 56

    Aggressive mode with no user group. Field / Server / Clients: User Group: None / N/A. Mode: Aggressive / Aggressive. Authentication Key: The server and the clients must have the same authentication key. Local ID: empty / empty. Aggressive mode with a user group selected: In this configuration, the server and the clients use aggressive [...]

  • Page 57

    About NAT traversal: NAT (Network Address Translation) converts private IP addresses into routable public IP addresses. The DFL-500 NPG uses NAPT (Network Address Port Translation), in which both IP addresses and ports are mapped. Mapping both components allows multiple private IP addresses to use a single public IP ad[...]

  • Page 58

    Autokey Keep Alive: Enable Autokey Keep Alive to keep the VPN tunnel running even if no data is being processed. Concentrator: Select a concentrator if you want the tunnel to be part of a hub and spoke VPN configuration. If you use the procedure Adding a VPN concentrator to add the tunnel to a concentrator, the nex[...]

  • Page 59

    The DFL-500 NPG sends an alert email when replay detection detects a replay packet. To receive the alert email, you must configure alert email and select "Enable alert email for critical firewall/VPN events or violations". For information about alert email, see Configuring alert email. About perfect forwar[...]

  • Page 60

    For all 3DES encryption algorithms, enter three hexadecimal numbers of up to 16 digits each. Use the same encryption key at both ends of the tunnel. Required for encryption algorithms that include MD5 or SHA1 authentication. For MD5 authentication, enter two hexadecimal numbers of 16 digits each. Use the same authenti[...]

  • Page 61

    • Select OK to add the VPN concentrator. Adding a VPN concentrator. Adding an encrypt policy: Add encrypt policies to connect users on your internal network to a VPN tunnel. Encrypt policies are always Int -> Ext policies. The source of the encrypt policy must be an address on your internal network. The destination o[...]

  • Page 62

    The destination address is the IP address of the remote network behind the remote VPN gateway. If you are adding an encrypt policy for a VPN with a remote VPN client connected to the Internet, the destination address should b[...]

  • Page 63

    Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address. Inbound NAT: The DFL-500 NPG translates the source address of incoming packets to the IP address of the DFL-500 interface connected to the source address network. Outbound NAT: The DFL-500 NPG translates the source add[...]

  • Page 64

    AutoIKE key tunnel status. Viewing dialup VPN connection status: You can use the dialup monitor to view the status of dialup VPNs. The dialup monitor lists the remote gateways and the active VPN tunnels for each gateway. The monitor also lists the tunnel lifetime, timeout, proxy ID source, and proxy ID destination for each[...]

  • Page 65

    To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. The VPN tunnel initializes automatically when the client makes a connection attempt. You can start the tunnel and test it at th[...]

  • Page 66

    PPTP and L2TP VPNs: Using PPTP and L2TP Virtual Private Networking (VPN), you can create a secure connection between a client computer running Microsoft Windows and your internal network. PPTP is a Windows VPN standard. You can use PPTP to connect computers running Windows to a DFL-500 NPG-protected private network w[...]

  • Page 67

    PPTP VPN between a Windows client and the DFL-500 NPG. Configuring the DFL-500 NPG as a PPTP gateway • Create a user group for your PPTP users. See Users and authentication. • Go to VPN > PPTP > PPTP Range. • Select Enable PPTP. • Enter the Starting IP and the Ending IP for the PPTP address range. • [...]

  • Page 68

    Example PPTP Range configuration. When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supported and you should not select Require data encryption when configuring Windows clients for PPTP or L2TP. • Add the addresses from the PPTP address range to the external interface address list. T[...]

  • Page 69

    L2TP VPN configuration: L2TP clients must be able to authenticate with the DFL-500 NPG to start an L2TP session. To support L2TP authentication, you must add a user group to the DFL-500 NPG configuration. This user group can contain users added to the DFL-500 NPG user database, RADIUS servers, or both. After you have adde[...]

  • Page 70

    • Select Enable L2TP. • Enter the Starting IP and the Ending IP for the L2TP address range. • Select the User Group that you added in step Create a user group for your L2TP users. • Select Apply to enable L2TP through the DFL-500 NPG. Sample L2TP address range configuration. When using a RADIUS server for us[...]

  • Page 71

    Web content filtering: Use DFL-500 web content filtering for: • Enabling web content filtering • Blocking web pages that contain unwanted content • Blocking access to URLs • Removing scripts from web pages • Exempting URLs from content or URL blocking. Enabling web content filtering: Enable web content filtering by s[...]

  • Page 72

    The DFL-500 NPG is now configured to block web pages containing words and phrases added to the banned word list. • Select New to add a word or phrase to the banned word list. • Choose a language or character set for the banned word or phrase. You can choose Western, Chinese Simplified, Chinese Traditional, Japanese, [...]

  • Page 73

    • Select Backup Banned Word List. The DFL-500 NPG downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file. You can make changes to the text file and upload it from your management computer to the DFL-500[...]

  • Page 74

    URL blocking does not block access to other services that users can access with a web browser. For example, URL blocking does not block access to ftp://ftp.badsite.com. Instead, you can use firewall policies to deny FTP connections. • Select Enable to block the URL. • Select OK to add the URL to the URL block list. You[...]

  • Page 75

    You can add a URL list created by a third-party URL block or blacklist service. For example, you can download the squidGuard blacklists, available at http://www.squidguard.org/blacklist/, as a starting point for creating your own URL block list. Three times a week, the squidGuard robot searches the web for new URLs to ad[...]

  • Page 76

    • Clearing the Exempt URL list • Downloading the Exempt URL list • Uploading an Exempt URL list. Adding URLs to the Exempt URL List • Go to Web Filter > Exempt URL. • Select New to add an entry to the Exempt URL list. • Type the URL to exempt. Enter a complete URL, including path and filename, to exempt [...]

  • Page 77

    Uploading an Exempt URL list: You can create an Exempt URL list in a text editor and then upload the text file to the DFL-500 NPG. Add one URL to each line of the text file. You can follow the URL with a space and then a 1 to enable or a zero (0) to disable the URL. If you do not add this information to the text file, t[...]

  • Page 78

    Logging and reporting: You can configure the DFL-500 NPG to record 3 types of logs: • Traffic logs record all traffic that attempts to connect through the DFL-500 NPG. • Event logs record management and activity events. You can also use Log & Report to configure the DFL-500 NPG to send alert emails for: • [...]

  • Page 79

    Example log settings. Selecting what to log: Use the following procedure to configure the type of information recorded in DFL-500 logs. • Go to Log&Report > Log setting. • Select Log All Internal Traffic To Firewall to record all connections to the internal interface. This setting is not available in Transp[...]

Page 80

Configuring alert email

• Go to System > Network > DNS.
• If they have not already been added, add the primary and secondary DNS server addresses provided to you by your ISP. Because the DFL-500 NPG uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS serv[...]

Page 81

Administration

This chapter describes how to use the web-based manager to administer and maintain the DFL-500 NPG. It contains the following sections:
• System status
• Upgrading the DFL-500 NPG firmware
• Displaying the DFL-500 NPG serial number
• Backing up system settings
• Restoring system settings
• Rest[...]

Page 82

• Shutting down the DFL-500 NPG

If you log into the web-based manager with any other administrator account, you can go to System > Status to view the system settings including:
• Displaying the DFL-500 NPG serial number

All administrative users can also go to System > Status > Monitor and view[...]

Page 83

• Enter the following command to restart the DFL-500 NPG:
  > execute reboot

As the DFL-500 NPG reboots, messages similar to the following appear:
  BIOS Version 2.2
  Serial number: FGT-502801021075
  SDRAM Initialization.
  Scanning PCI Bus...Done.
  Total RAM: 256M
  Enabling Cache...Done.
  Allocating PCI Resources...Done.
  Zero[...]

Page 84

When the interface addresses are changed, you can access the DFL-500 from the web-based manager and restore your configuration files and content and URL filtering lists.

Displaying the DFL-500 NPG serial number

• Go to System > Status. The serial number is displayed in the Status window. The serial number is spec[...]

Page 85

This procedure deletes the changes that you have made to the DFL-500 NPG configuration and reverts the system to its original configuration, including resetting interface addresses.
• Go to System > Status.
• Select Restore Factory Defaults.
• Select OK to confirm.

The DFL-500 NPG restarts with the configurat[...]

Page 86

The DFL-500 NPG changes operation mode.
• To reconnect to the web-based manager, browse to the interface that you have configured for management access using https:// followed by the IP address of the interface.

Restarting the DFL-500 NPG

Use the following procedure to restart the DFL-500 NPG:
• Go to System >[...]

Page 87

System status monitor

At the top of the display, the system status monitor shows:
CPU usage: The current CPU usage statistics of the DFL-500 NPG.
Memory usage: The percentage of available memory being used by the DFL-500 NPG.
Up time: The number of days, hours, and minutes since the DFL-500 NPG was last started.
Total Numb[...]

Page 88

Configuring the internal interface

To configure the internal interface:
• Go to System > Network > Interface.
• For the internal interface, select Modify.
• Change the IP address and Netmask as required.
• Select the management Access methods for the internal interface.
HTTPS: To allow secure HTTPS conne[...]

Page 89

• Controlling management access to the external interface
• Changing the external interface MTU size to improve network performance

Configuring the external interface with a static IP address

• Go to System > Network > Interface.
• For the external interface, select Modify.
• Set Addressing mode to M[...]

Page 90

Configuring the external interface

Configuring the external interface for PPPoE

Use the following procedure to configure the external interface to use PPPoE. This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface.
• Go to System > Network > Interface.
• For[...]

Page 91

• For the external interface, select Modify.
• Select the management Access methods for the external interface.
HTTPS: To allow secure HTTPS connections to the web-based manager through the external interface. Enabling this exposes the web-based manager to every host that can reach the external interface; enable it only when remote administration is required, and restrict the administrator accounts that may use it to trusted hosts.
PING: If you want the external interface to respond to pings. Use this setting to verify your installation[...]

Page 92

Configuring the management interface (Transparent mode)

In Transparent mode, you can configure the management interface for management access to the DFL-500 NPG.
• Go to System > Network > Management.
• Change the Management IP and Mask as required. These must be valid addresses for the network from which y[...]

Page 93

If you select dead gateway detection you can also configure ping target, detection interval, and Fail-over detection for the routing gateway.
• Set Ping Target to the IP address that the DFL-500 NPG should ping to test connectivity with the gateway. The ping target could be the IP address of the gateway but it is [...]

Page 94

• Select OK to save the new route.

Arrange routes in the routing table from more specific to more general. To arrange routes in the routing table, see Configuring the routing table.

Configuring the routing table

As you add routes, they appear on the routing table. The routing table shows the source and destination [...]
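The instruction to arrange routes from more specific to more general only matters if the table is evaluated top-down with the first match winning; the following added example (not code from the manual or from D-Link) models that lookup, shows what a misordered table does to traffic, and provides a sort and a shadowing check. Assumptions: first-match evaluation as just described, and a constructed three-route table with documentation addresses; the gateway names and the example subnets are invented for illustration.

```python
"""First-match route lookup and ordering check for a DFL-500-style routing table.

Added example, not from the manual. Assumption: the table is evaluated top-down
and the first matching route wins, which is why the manual says to arrange
routes from more specific to more general. Routes are (destination, netmask,
gateway) tuples as you would enter them in the routing table.
"""
import ipaddress


def _net(route):
    dest, mask, _gateway = route
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)


def lookup_first_match(routes, dst):
    """Return the gateway of the first route whose destination contains dst."""
    ip = ipaddress.ip_address(dst)
    for route in routes:
        if ip in _net(route):
            return route[2]
    return None


def order_specific_to_general(routes):
    """Sort by prefix length, longest first, so /24 precedes /16 precedes 0.0.0.0/0."""
    return sorted(routes, key=lambda r: _net(r).prefixlen, reverse=True)


def shadowed_routes(routes):
    """Return routes that can never match because a more general route precedes them."""
    shadowed = []
    for i, route in enumerate(routes):
        net = _net(route)
        for earlier in routes[:i]:
            enet = _net(earlier)
            if enet.prefixlen < net.prefixlen and net.subnet_of(enet):
                shadowed.append(route)
                break
    return shadowed


# Constructed table, entered in the wrong order (default route first).
MISORDERED = [
    ("0.0.0.0", "0.0.0.0", "203.0.113.1"),            # default route to the ISP
    ("10.20.0.0", "255.255.0.0", "192.168.1.254"),    # branch network via VPN router
    ("10.20.5.0", "255.255.255.0", "192.168.1.253"),  # one branch subnet via its own gateway
]

if __name__ == "__main__":
    print("misordered:", lookup_first_match(MISORDERED, "10.20.5.7"))  # 203.0.113.1
    fixed = order_specific_to_general(MISORDERED)
    print("ordered:   ", lookup_first_match(fixed, "10.20.5.7"))       # 192.168.1.253
    print("shadowed:  ", shadowed_routes(MISORDERED))
```

With the default route listed first, traffic for 10.20.5.7 is handed to the ISP gateway instead of the VPN router, so a route meant to keep branch traffic inside the tunnel silently sends it out in the clear. `shadowed_routes` is the check to run after editing the table: any route it returns is dead until the table is reordered.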

Page 95

• Repeat these steps to add more routes as required.

Providing DHCP services to your internal network

If the DFL-500 NPG is operating in NAT/Route mode, you can configure it to be the DHCP server for your internal network:
• Go to System > Network > DHCP.
• Select Enable DHCP.
• Configure the DHCP setting[...]

Page 96

Sample DHCP settings

Viewing the dynamic IP list

If you have configured your DFL-500 NPG as a DHCP server, you can view a list of IP addresses that the DHCP server has added, their corresponding MAC addresses and the expiry time and date for these addresses. The DFL-500 NPG adds these addresses to the dynamic IP/MAC[...]

Page 97

• Setting system date and time
• Changing web-based manager options
• Adding and editing administrator accounts
• Configuring SNMP

Setting system date and time

For effective scheduling and logging, the DFL-500 NPG time should be accurate. You can either manually set the DFL-500 NPG time or you can configure t[...]

Page 98

• Specify how often the DFL-500 NPG should synchronize its time with the NTP server. A typical Syn Interval would be 1440 minutes for the DFL-500 NPG to synchronize its time once a day.
• Select Apply.

Changing web-based manager options

You can change the web-based manager idle timeout and firewall user authen[...]

Page 99

• Select New to add an administrator account.
• Type a login name for the administrator account. The login name must be at least 6 characters long and can contain numbers (0-9), and uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowe[...]

Page 100

System Location: Describe the physical location of the DFL-500 NPG. The system location description can be up to 31 characters long and can contain spaces, numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. The < > [ ] ` $ % & characters are not allowed.
Contact[...]
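When administrator accounts and SNMP fields are provisioned from a script rather than typed into the web-based manager, it helps to check values against the rules on pages 99 and 100 before submitting them. The following validators are an added example, not code from the manual or from D-Link. The only assumption is that characters the System Location rule neither lists as allowed nor as forbidden (for example '.' or ',') are rejected rather than accepted; the sample names and locations are constructed.

```python
"""Pre-flight checks for DFL-500 admin login names and the SNMP System Location field.

Added example, not from the manual. The rules are the ones printed on pages 99
and 100; the only assumption is that characters the manual neither lists as
allowed nor as forbidden (for example '.' or ',') are rejected rather than accepted.
"""
import re

# Page 99: at least 6 characters; 0-9, A-Z, a-z, '-' and '_' only.
LOGIN_MIN_LEN = 6
LOGIN_ALLOWED = re.compile(r"[0-9A-Za-z_-]")

# Page 100: up to 31 characters; spaces, 0-9, A-Z, a-z, '-' and '_'.
LOCATION_MAX_LEN = 31
LOCATION_ALLOWED = re.compile(r"[0-9A-Za-z _-]")
LOCATION_FORBIDDEN = set("<>[]`$%&")  # listed explicitly as not allowed


def _quote(chars):
    """Render a set of characters as a stable, readable list."""
    return ", ".join(repr(c) for c in sorted(chars))


def check_admin_login(name):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if len(name) < LOGIN_MIN_LEN:
        problems.append(f"shorter than {LOGIN_MIN_LEN} characters")
    bad = {c for c in name if not LOGIN_ALLOWED.fullmatch(c)}
    if bad:
        problems.append("disallowed characters: " + _quote(bad))
    return problems


def check_system_location(text):
    """Return a list of rule violations for the SNMP System Location string."""
    problems = []
    if len(text) > LOCATION_MAX_LEN:
        problems.append(f"{len(text)} characters, maximum is {LOCATION_MAX_LEN}")
    forbidden = set(text) & LOCATION_FORBIDDEN
    if forbidden:
        problems.append("forbidden characters: " + _quote(forbidden))
    # Assumption: anything else outside the documented set is rejected too.
    other = {c for c in text if not LOCATION_ALLOWED.fullmatch(c)} - LOCATION_FORBIDDEN
    if other:
        problems.append("characters outside the documented set: " + _quote(other))
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    for name in ("fwadmin", "admin", "fw admin!"):
        print(f"login {name!r}: {check_admin_login(name) or 'ok'}")
    for loc in ("Rack 12 - 2nd floor DC_A", "Room `$(id)` <b>", "A" * 32):
        print(f"location {loc!r}: {check_system_location(loc) or 'ok'}")
```

Each function reports every violated rule rather than stopping at the first, so a bulk import can be corrected in one pass.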

Page 101

Glossary

Connection: A link between machines, applications, processes, and so on that can be logical, physical, or both.
DNS, Domain Name Service: A service that converts symbolic node names to IP addresses.
Ethernet: A local-area network (LAN) architecture that uses a bus or star topology and supports data transfer rat[...]

Page 102

Netmask: Also called subnet mask. A set of rules for omitting parts of a complete IP address to reach a target destination without using a broadcast message. It can indicate a subnetwork portion of a larger network in TCP/IP. Sometimes referred to as an Address Mask.
NTP, Network Time Protocol: Used to synchroniz[...]

Page 103

VPN, Virtual Private Network: A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be intercepted.
Virus: A computer program that attaches itself to other programs, spreading itsel[...]

Page 104

Index

A: action policy option; ActiveX removing from web pages; address adding editing group IP/MAC binding virtual IP; address group example; address name; admin administrator account; administrator account adding admin editing netmask trusted host; aggressive mode remote gateway; alert email configuring critical firewall or VPN[...]

Page 105

C: clear communication sessions; CLI configuring IP addresses connecting to; concentrator adding VPN hub and spoke configuration hub and spoke VPN; connecting to your network web-based manager; contact information SNMP; content blocking; content filtering configuring enabling; cookies blocking; CPU usage system status; critical fir[...]

Page 106

DHCP dynamic IP list viewing dynamic IP/MAC list
E: email alert testing; enabling a policy; encryption adding IPSec firewall policy algorithm; encryption algorithm manual key IPSec VPN; encryption key manual key IPSec VPN; ending IP DHCP L2TP PPTP; environmental specifications; event log blocked page message; exclusion range DHCP; Ex[...]

Page 107

first trap receiver IP address SNMP; fixed port policy option; from IP system status; from port system status
G: gateway adding remote gateway IPSec VPN remote gateway name routing; get community SNMP; group address; grouping services
H: HTTP enabling web content filtering; HTTPS; hub and spoke VPN
I: ICMP; ID protection mode IPS[...]

Page 108

IPSec; IPSec VPN adding firewall policy AutoIKE key AutoIKE key remote gateway AutoIKE key VPN tunnel compatibility with IPSec VPN products concentrator configuring remote gateway definition dialup VPN features hub and spoke manual key manual key exchange VPN tunnel remote gateway status timeout user groups viewing tunn[...]

Page 109

user groups L2TP gateway configuring; language web-based manager; lease duration DHCP; Local ID IPSec VPN remote gateway; local SPI IPSec VPN manual key; log traffic policy option; logging log all events log all external traffic to firewall log all internal traffic to firewall log to remote host log to WebTrends recording l[...]

Page 110

IP addresses policy; policy, adding; NAT traversal about; NAT/Route mode; Nat-traversal IPSec VPN Remote Gateway; netmask administrator account; network address translation introduction; network configuration changing; NTP setting system date and time
O: one-time schedule creating; operating mode changing
P: P1 proposal about IPSec[...]

Page 111

external interface PPTP adding firewall policy configuring configuring gateway definition enabling ending IP network configuration starting IP user groups VPN configuration; PPTP gateway configuring; pre-defined services; protocol system status
R: RADIUS adding server address example configuration; read & write administrato[...]

Page 112

RIP; routing gateway adding; routing table adding a default route adding routes adding routes (Transparent mode) configuring
S: schedule applying to a policy creating one-time creating recurring policy option; script filter; scripts removing from web pages; security parameter index; security policy mode; serial number displayi[...]

Page 113

IPSec VPN tunnel viewing dialup connection status viewing VPN tunnel status; subnet; subnet address; switching operating mode; system configuration; system date and time setting; system location SNMP; system name SNMP; system settings backing up restoring restoring to factory defaults; system status CPU usage; system status monit[...]

Page 114

URL block list clearing downloading uploading; URL block message changing; URL blocking configuring; URLs blocking access exempting from blocking; user group IPSec VPN Remote Gateway; user groups deleting; user name and password adding; user names adding; user-defined services
V: viewing dialup connection status VPN tunnel status vi[...]

Page 115

name viewing status
W: web content filtering ActiveX cookies enabling Java applets; Web filter policy option; web pages content blocking; web-based manager changing options connecting to language timeout; WebTrends recording logs on a WebTrends server; whitelist, URL; wizard firewall setup starting[...]

Page 116

Technical Support Offices

AUSTRALIA
D-LINK AUSTRALIA
Unit 16, 390 Eastern Valley Way, Roseville, NSW 2069, Australia
TEL: 61-2-9417-7100
FAX: 61-2-9417-1077
TOLL FREE: 1800-177-100 (Australia), 0800-900900 (New Zealand)
E-MAIL: support@dlink.com.au, info@dlink.com.au
URL: www.dlink.com.au

BENELUX
D-LINK BENELU[...]

Page 117

Registration Card

Print, type or use block letters.
Your name: Mr./Ms ________
Organization: ________ Dept. ________
Your title at organization: ________[...]


Page 119

Limited Warranty

D-Link Systems, Inc. ("D-Link") provides this 1-Year warranty for its product only to the person or entity who originally purchased the product from:
• D-Link or its authorized reseller or distributor.
• Products purchased and delivered within the fifty United States, the District of Colum[...]

Page 120

Submitting A Claim. Any claim under this limited warranty must be submitted in writing before the end of the Warranty Period to an Authorized D-Link Service Office.
• The customer must submit as part of the claim a written description of the Hardware defect or Software nonconformance in sufficient detail to allow D-[...]

Page 121

GOVERNING LAW: This 1-Year Warranty shall be governed by the laws of the state of California. Some states do not allow exclusion or limitation of incidental or consequential damages, or limitations on how long an implied warranty lasts, so the foregoing limitations and exclusions may not apply. This limited warran[...]

Page 122

Registration

Register the D-Link DFL-500 Office Firewall online at http://www.dlink.com/sales/reg[...]