Introduction to Local Area Networking ... 7
LEDs & Physical Connections ... 8
Package Contents ... 9
System Requirements ... 9
Managing D-Link DFL-1100 ... 10
Resetting the DFL-1100 ... 10
Administration Settings ... 11
Administrative Access ... 11
Add ping access to an interface ... 12
Add Admin access to an interface ... 12
...
Change Administrative User Access level ... 41
Change Administrative User Password ... 41
Delete Administrative User ... 42
Users ... 43
The DFL-1100 RADIUS Support ... 43
Enable User Authentication via HTTP / HTTPS ... 44
Enable RADIUS Support ... 44
Add User ... 45
Change User Password ... 45
Delete User ... 46
...
Disable DHCP Server/Relayer ... 63
DNS Relayer Settings ... 64
Enable DNS Relayer ... 64
Disable DNS Relayer ... 65
Tools ... 66
Ping ... 66
Ping Example ... 66
Dynamic DNS ... 67
Add Dynamic DNS Settings ... 67
Backup ... 68
Exporting the DFL-1100’s Configuration ... 68
...
Restoring the DFL-1100’s Configuration ... 68
Restart/Reset ... 69
Restarting the DFL-1100 ... 69
Restoring system settings to factory defaults ... 69
Upgrade ... 71
Upgrade Firmware ... 71
Upgrade IDS Signature-database ... 71
Status ... 72
System ... 72
Interfaces ... 73
HA ... 74
VLAN ...
Introduction The DFL-1100 provides four 10/100MB Ethernet network interface ports: (1) Internal/LAN, (1) External/WAN, (1) DMZ port and (1) port that can be configured either as the High Availability Sync port or as the ETH4 port. It also provides an easy-to-use WebUI that lets users set system parameters or monitor network activity from a web browser.
Introduction to Local Area Networking Local Area Networking (LAN) is the term used when connecting several computers together over a small area such as a building or group of buildings. LANs can be connected over large areas. A collection of LANs connected over a large area is called a Wide Area Network (WAN).
LEDs & Physical Connections WAN, LAN, DMZ & ETH4/Sync: Ethernet Link port indicators, Green. The Act LED flickers when the ports are sending or receiving data. Power: A solid light indicates a proper connection to the power supply. Status: System status indicators, flashes to indicate an active system. If the LED has a solid light the unit is defective.
Package Contents Contents of Package: • D-Link DFL-1100 Firewall • Manual and CD • Quick Installation Guide • Power cord If any of the above items are missing, please contact your reseller. System Requirements • Computer with a Windows, Macintosh, or Unix based operating system with an installed Ethernet adapter •...
Activate Configuration Changes page, by choosing the time from the dropdown menu. Resetting the DFL-1100 To reset the DFL-1100 to factory default settings you must short pins 7 and 9 (it is also possible to short pins 7, 8 and 9) of the serial-console port directly after powering on the unit.
Administration Settings Administrative Access Ping – If enabled, specifies who can ping the interface IP of the DFL-1100. The default when enabled is to allow anyone to ping the interface IP. Admin – If enabled, allows all users with admin access to connect to the DFL-1100 and change the configuration; the protocol can be HTTPS only, or HTTP and HTTPS.
Step 3. Specify what networks are allowed to ping the interface, for example 192.168.1.0/24 for a whole network or 172.16.0.1 – 172.16.0.10 for a range. Step 4. Specify protocol used to access the DFL-1100 from the dropdown menu, either HTTP and HTTPS (Secure HTTP) or only HTTPS.
System Interfaces Click on System in the menu bar, and then click interfaces below it. Change IP of the LAN, DMZ or ETH4 interface Follow these steps to change the IP of the LAN or DMZ interface. Step 1. Choose which interface to view or change under the Available interfaces list.
WAN Interface Settings – Using Static IP If you are using Static IP you have to fill in the IP address information provided to you by your ISP. All fields are required except the Secondary DNS Server. You should not use the numbers displayed in these fields; they are only an example.
WAN Interface Settings – Using PPPoE Use the following procedure to configure the DFL-1100 external interface to use PPPoE (Point-to-Point Protocol over Ethernet). This configuration is required if your ISP uses PPPoE to assign the IP address of the external interface. You will have to fill in the username and password provided to you by your ISP.
ISP. • PPTP Server IP – The IP of the PPTP server that the DFL-1100 should connect to. Before PPTP can be used to connect to your ISP, the physical (WAN) interface parameters need to be supplied; it is possible to use either DHCP or Static IP, depending on the type of ISP, and this information should be supplied by them.
Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-1100 and the Internet. If the packets the DFL-1100 sends are larger, they get broken up or fragmented, which could slow down transmission speeds.
VLAN Click on System in the menu bar, and then click VLAN below it. This will give a list of all configured VLANs; it will look something like this: Add a new VLAN Follow these steps to add a new VLAN. Step 1.
Click on System in the menu bar, and then click Routing below it, this will give a list of all configured routes, it will look something like this: The Routes configuration section describes the firewall’s routing table. DFL-1100 uses a slightly different way of describing routes compared to most other systems. However, we believe that this way of describing routes is easier to understand, making it less likely for users to cause errors or breaches in security.
Add a new Static Route Follow these steps to add a new route. Step 1. Go to System and Routing. Step 2. Click on Add new at the bottom of the routing table. Step 3. Choose the interface that the route should be sent through from the dropdown menu.
As is the case with all other firewalls supporting stateful failover, the D-Link High Availability will only work between two D-Link DFL-1100 Firewalls. As the internal workings of different firewalls, and, indeed, different major versions of the same firewall, can be radically different, there is no way of communicating "state"...
IP Addresses explained For each cluster interface, there are three IP addresses: • Two "real" IP addresses; one for each firewall. These addresses are used to communicate with the firewalls themselves, i.e. for remote control and monitoring. They should not be associated in any way with traffic flowing through the cluster; if either firewall is inoperative, the associated IP address will simply be unreachable.
Cluster heartbeats A firewall detects that its peer is no longer operational when it can no longer hear "cluster heartbeats" from its peer. Currently, a firewall will send five cluster heartbeats per second. When a firewall has "missed" three heartbeats, i.e. after 0.6 seconds, it will be declared inoperative.
Setting up a High Availability cluster First of all, the two DFL-1100 units need to be set up far enough that you can manage them over the web interface. In this example the two units are configured as follows: the master DFL-1100 will be configured with 192.168.1.2 on its internal interface, and the slave DFL-1100 with...
When this is done you should click on Apply. Now login to the slave firewall and click on System in the menu bar, and then click HA below it; in this screen you will click on Receive configuration from first unit. This will show the screen below;...
Logging, the ability to audit decisions made by the firewall, is a vital part in all network security products. The D-Link DFL-1100 provides several options for logging its activity. The D-Link DFL-1100 logs its activities by sending the log data to one or two log receivers in the network.
Step 2. Choose the sensitivity level. Step 3. In the SMTP Server field, fill in the SMTP server to which the DFL-1100 should send email. Step 4. Specify up to three valid email addresses to receive the email alerts.
Time Click on System in the menu bar, and then click Time below it. This will give you the option to either set the system time by syncing to an Internet Network Time Server (NTP) or by entering the system time by hand.
Changing time zone Follow these steps to change the time zone. Step 1. Choose the correct time zone in the drop down menu. Step 2. Specify your daylight time or choose no daylight saving time by checking the correct box. Click the Apply button below to apply the setting or click Cancel to discard changes.
The first step in configuring security policies is to configure the mode for the firewall. The firewall can run in NAT or No NAT (Route) mode. Select NAT mode to use DFL-1100 network address translation to protect private networks from public networks. In NAT mode, you can connect a private network to the internal interface, a DMZ network to the dmz interface, and a public network, such as the Internet, to the external interface.
The IDS uses intrusion signatures, stored in the attack database, to identify the most common attacks. In response to an attack, the IDS protects the networks behind the DFL-1100 by dropping the traffic. To notify of the attack the IDS sends an email to...
What is commonly referred to as policy based routing, is, simply put, an extension of what fields of the packet we look at to determine the routing decision. In the DFL-1100, each rule in the firewall policy can specify its own routing decision; in essence, we route according to the source and destination IP addresses and ports.
Add a new policy Follow these steps to add a new outgoing policy. Step 1. Choose the LAN->WAN policy list from the available policy lists. Step 2. Click on the Add new link. Step 3. Fill in the following values: Name: Specifies a symbolic name for the rule.
Change order of policy Follow these steps to change the order of a policy. Step 1. Choose the policy list you would like to change the order in from the available policy lists. Step 2. Click on the Edit link on the rule you want to move. Step 3.
Configure Intrusion Prevention Follow these steps to configure IDP on a policy. Step 1. Choose the policy you would like to have IDP on. Step 2. Click on the Edit link on the rule you want to configure. Step 3. Enable the Intrusion Detection / Prevention checkbox. Step 4.
Port mapping / Virtual Servers The Port mapping / Virtual Servers configuration section is where you can configure virtual servers like Web servers on the DMZ or similar. It’s also possible to regulate how bandwidth management, traffic shaping, is applied to traffic flowing through the WAN interface of the firewall.
Delete mapping Follow these steps to delete a mapping. Step 1. Choose the mapping list (WAN, LAN or DMZ) you would like to delete the mapping from. Step 2. Click on the Edit link on the rule you want to delete. Step 3.
The first column shows the access levels, Administrator and Read-only. An Administrator user can add, edit and remove rules, change settings of the DFL-1100 and so on. The Read-only user can only look at the configuration. The second column shows the users in each access level.
Change Administrative User Access level To change the access level of a user, click on the user name and you will see the following screen. From here you can change the access level by choosing the appropriate level from the drop-down menu. Access levels •...
Delete Administrative User To delete a user click on the user name and you will see the following screen. Follow these steps to delete an Administrative User. Step 1. Click on the user you would like to delete. Step 2.
Before any traffic is allowed to pass through any policies configured with usernames or groups, the user must first authenticate. The DFL-1100 can either verify the user against a local database or pass the user information along to an external authentication server, which verifies the user and the given password and transmits the result back to the firewall.
Enable User Authentication via HTTP / HTTPS Follow these steps to enable User Authentication. Step 1. Enable the checkbox for User Authentication. Step 2. Specify whether HTTP and HTTPS, or only HTTPS, should be used for the login. Step 3. Specify the idle-timeout, the time a user can be idle before being logged out by the firewall.
Add User Follow these steps to add a new user. Step 1. Click on add after the type of user you would like to add, Admin or Read-only. Step 2. Fill in User name; make sure you are not trying to add one that already exists.
Delete User To delete a user click on the user name and you will see the following screen. Follow these steps to delete a user. Step 1. Click on the user you would like to delete. Step 2. Enable the Delete user checkbox.
Add new one-time schedule Follow these steps to add a new one-time schedule. Step 1. Go to Firewall and Schedules and choose Add new. Step 2. Choose the starting and ending date and hour when the schedule should be active. Step 3. Use the checkboxes to set the times this schedule should be active inside the specified timeframe.
Services A service is basically a definition of a specific IP protocol with corresponding parameters. The service http, for instance, is defined as using the TCP protocol with destination port 80. Services are simplistic, in that they cannot carry out any action in the firewall on their own. Thus, a service definition does not include any information about whether the service should be allowed through the firewall or not.
Adding IP Protocol When the type of the service is IP Protocol, an IP protocol number may be specified in the text field. To have the service match the GRE protocol, for example, the IP protocol should be specified as 47. A list of some defined IP protocols can be found in the appendix named “IP Protocol Numbers”.
To solve this problem, DFL-1100 can be instructed to pass an ICMP error message only if it is related to an existing connection. Check this option to enable this feature for connections using this service.
IPSec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering Task Force, to provide IP security at the network layer. An IPSec based VPN, such as DFL-1100 VPN, is made up by two parts: •...
PSK make sure both firewalls use exactly the same PSK. Step 5. As Tunnel Type choose LAN-to-LAN tunnel and specify the network behind the other DFL-1100 as Remote Net; also specify the external IP of the other DFL-1100, which can be an IP or a DNS name.
Internet. Communication between the client and the internal network takes place in an encrypted VPN tunnel that connects the DFL-1100 and the roaming users across the Internet. The example shows a VPN between a roaming VPN client and the internal network, but you can also create a VPN tunnel that uses the DMZ network.
VPN – Advanced Settings Advanced settings for a VPN tunnel are used when one needs to change some characteristics of the tunnel, for example when trying to connect to a third-party VPN gateway. The settings available per tunnel are the following: Limit MTU With this setting it is possible to limit the MTU (Maximum Transmission Unit) of the VPN tunnel.
Proposal Lists To agree on the VPN connection parameters, a negotiation process is performed. As the result of the negotiations, the IKE and IPSec security associations (SAs) are established. As the name implies, a proposal is the starting point for the negotiation. A proposal defines encryption parameters, for instance encryption algorithm, life times etc, that the VPN gateway supports.
HTTPS access. Note: The certificate named Admin can only be replaced, not deleted or renamed. This is used for HTTPS access to the DFL-1100. Certificates of remote peers This is a list of all certificates of individual remote peers.
Note: If the uploaded certificate is a CA certificate, it will automatically be placed in the Certificate Authorities list, even if Add New was clicked in the Remote Peers list. Similarly, a non-CA certificate will be placed in the Remote Peers list even if Add New was clicked from the Certificate Authorities list.
Content Filtering DFL-1100 HTTP content filtering can be configured to scan all HTTP content protocol streams for URLs or for web page content. If a requested URL matches an entry in the URL blocklist, the DFL-1100 blocks the web page.
Edit the URL Global Blacklist Follow these steps to add or remove a URL. Step 1. Go to Firewall and Content Filtering and choose Edit global URL blacklist. Step 2. Add, edit or remove the URLs that should be checked by the Content Filtering.
Active content handling Active content handling can be enabled or disabled by checking the checkbox before each type you would like to strip. For example to strip ActiveX and Flash enable the checkbox named Strip ActiveX objects. It’s possible to strip ActiveX, Flash, Java, JavaScript and VBScript, it’s also possible to block cookies.
Note: Leases are remembered over a re-configure or reboot of the firewall. The DFL-1100 also includes a DHCP Relayer. A DHCP relayer is a form of gateway between a DHCP Server and its users. The relayer intercepts DHCP queries from the users and forwards them to a DHCP server while setting up dynamic routes based on leases.
Enable DHCP Server To enable the DHCP Server on an interface, click on Servers in the menu bar, and then click DHCP Server below it. Follow these steps to enable the DHCP Server on the LAN interface. Step 1. Choose the LAN interface from the Available interfaces list. Step 2.
DNS Relayer Settings Click on Servers in the menu bar, and then click DNS Relay below it. The DFL-1100 contains a DNS relayer that can be configured to relay DNS queries from the internal LAN to the DNS servers used by the firewall itself.
Disable DNS Relayer Follow these steps to disable the DNS Relayer. Step 1. Disable by un-checking the Enable DNS Relayer box. Click the Apply button below to apply the setting or click Cancel to discard changes.
Tools Ping Click on Tools in the menu bar, and then click Ping below it. This tool is used to send a specified number of ICMP Echo Request packets to a given destination. All packets are sent in immediate succession rather than one per second. This behavior is the best one suited for diagnosing connectivity problems.
Dynamic DNS The Dynamic DNS function (requires a Dynamic DNS service) allows you to alias a dynamic IP address to a static hostname, so that your device can be more easily accessed by a specific name. When this function is enabled, the IP address at the Dynamic DNS server will be automatically updated with the new IP address provided by the ISP.
System Administrators can restore the firewall’s configuration file with the one stored on disc. Exporting the DFL-1100’s Configuration Follow these steps to export the configuration. Step 1. Under the Tools menu and the Backup section, click on the Download configuration button.
Restoring system settings to factory defaults Use the following procedure to restore system settings to the values set at the factory. This procedure will possibly change the DFL-1100 firmware version to a lower version if it has been upgraded. This procedure deletes all of the changes that you have made to the DFL-1100 configuration and reverts the system to its original configuration, including resetting interface addresses.
Step 2. Click OK in the dialog to reset the unit to factory default, or press Cancel to cancel. You can restore your system settings by uploading a previously downloaded system configuration file to the DFL-1100, provided a backup of the device has been made.
Upgrade IDS Signature-database To upgrade the signature-database, first download the newest IDS signatures from D-Link. Once you have the newest version, connect to the firewall’s WebUI, enter Upgrade on the Tools menu, click Browse in the Upgrade Unit’s signature-database section, choose the file name of the newest version of the IDS signatures, then click Upload signature database.
Status In this section, the DFL-1100 displays the status information about the Firewall. Administrator may use Status to check the System Status, Interface statistics, VPN, connections and DHCP Servers. System Click on Status in the menu bar, and then click System below it. A window will appear providing some information about the DFL-1100.
Click on Status in the menu bar, and then click Interfaces below it. A window will appear providing information about the interfaces in the DFL-1100. By default information about the LAN interface will be shown; to see another one click on that interface (WAN or DMZ).
Click on Status in the menu bar, and then click HA below it. A window will appear providing information about the HA Cluster configured in the DFL-1100. Status - Status of the cluster, will show if the unit is active or inactive. Cluster Peer - Status of the other unit in the cluster.
Click on Status in the menu bar, and then click VLAN below it. A window will appear providing information about the virtual interfaces configured in the DFL-1100. VLAN Interface – Name of the virtual interface shown. VLAN ID – ID assigned to the VLAN.
Click on Status in the menu bar, and then click VPN below it. A window will appear providing information about the VPN connections established in the DFL-1100. By default information about the first VPN tunnel will be shown; to see another one click on that VPN tunnel’s name.
Connections Click on Status in the menu bar, and then click Connections below it. A window will appear providing information about the content of the state table. Shows the last 100 connections opened through the firewall. Connections are created when traffic is permitted to pass via the policies.
DHCP Server Click on Status in the menu bar, and then click DHCP Server below it. A window will appear providing information about the configured DHCP Servers. By default information about the LAN interface will be shown; to see another one click on that interface.
Oct 20 2003 09:45:23 gateway
This is followed by the text the sender has chosen to send. All log entries from the DFL-1100 are prefaced with "EFW:" and a category, e.g. "DROP:":
Oct 20 2003 09:45:23 gateway EFW: DROP:
Subsequent text is dependent on the event that has occurred.
Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80
In this line, traffic from 192.168.0.10 on the LAN interface is connecting to 64.7.210.132 on port 80 on the WAN side of the firewall (Internet). Another event is generated when the connection is closed.
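The log format described above (timestamp, sender, "EFW:", category, event-specific text) is what a log receiver has to parse before it can audit the firewall's decisions. The following is an added example, not from the manual or from D-Link: a small parser for that format, fed with the CONN line shown above plus constructed lines in the same format, that pairs CONN open/close events into connection durations and flags LAN-to-WAN connections to TCP ports outside an allowlist. The field names on the constructed DROP line are assumed; the manual only states that the text after the category depends on the event.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log. The first line is the CONN example from the manual;
# the remaining lines are constructed in the same format for illustration.
# The DROP line's field names are an assumption, not documented on this page.
SAMPLE_LOG = """\
Oct 20 2003 09:47:56 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80
Oct 20 2003 09:47:58 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3180 conndestif=wan conndestip=64.7.210.132 conndestport=443
Oct 20 2003 09:48:03 gateway EFW: CONN: prio=1 rule=Rule_8 conn=open connipproto=TCP connrecvif=lan connsrcip=192.168.0.44 connsrcport=1025 conndestif=wan conndestip=198.51.100.7 conndestport=6667
Oct 20 2003 09:48:10 gateway EFW: CONN: prio=1 rule=Rule_8 conn=close connipproto=TCP connrecvif=lan connsrcip=192.168.0.10 connsrcport=3179 conndestif=wan conndestip=64.7.210.132 conndestport=80
Oct 20 2003 09:48:11 gateway EFW: DROP: prio=1 rule=Default_Rule recvif=wan srcip=203.0.113.9 destip=192.168.0.10 ipproto=TCP destport=445
"""

# Timestamp, sender, the fixed "EFW:" prefix, a category, then event-specific text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) EFW: (?P<category>[A-Z]+):\s*(?P<body>.*)$"
)

# Outbound TCP destination ports the site considers normal (assumed policy).
ALLOWED_OUTBOUND_TCP = {"80", "443"}


def parse_line(line):
    """Parse one DFL-1100 log line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("body").split():
        key, sep, value = token.partition("=")
        if sep:  # ignore bare words that are not key=value pairs
            fields[key] = value
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "host": m.group("host"),
        "category": m.group("category"),
        "fields": fields,
    }


def parse_log(text):
    """Parse all recognised lines in a block of log text."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by_category(events):
    """How many CONN, DROP, ... events the receiver saw."""
    return Counter(e["category"] for e in events)


def unexpected_outbound(events):
    """LAN->WAN connection openings to TCP ports outside the allowlist."""
    hits = []
    for e in events:
        f = e["fields"]
        if (e["category"] == "CONN" and f.get("conn") == "open"
                and f.get("connrecvif") == "lan" and f.get("conndestif") == "wan"
                and f.get("connipproto") == "TCP"
                and f.get("conndestport") not in ALLOWED_OUTBOUND_TCP):
            hits.append((f["connsrcip"], f["conndestip"], f["conndestport"], f["rule"]))
    return hits


def connection_durations(events):
    """Pair each CONN open with its close on the 4-tuple; return seconds each lasted."""
    opened, durations = {}, []
    for e in events:
        if e["category"] != "CONN":
            continue
        f = e["fields"]
        key = (f.get("connsrcip"), f.get("connsrcport"),
               f.get("conndestip"), f.get("conndestport"))
        if f.get("conn") == "open":
            opened[key] = e["time"]
        elif f.get("conn") == "close" and key in opened:
            durations.append((key, (e["time"] - opened.pop(key)).total_seconds()))
    return durations


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(count_by_category(evs))
    print(unexpected_outbound(evs))
    print(connection_durations(evs))
```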
Appendixes Appendix A: ICMP Types and Codes The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field; many of these ICMP types have a "code" field. Here we list the types with their assigned code fields. Type Name Code...
Redirect Datagram for the RFC792 Host Redirect Datagram for the RFC792 Type of Service and Network Redirect Datagram for the RFC792 Type of Service and Host Echo No Code RFC792 Router Advertisement Normal router advertisement RFC1256 Does not route common traffic RFC2002 Router Selection No Code...
Appendix B: Common IP Protocol Numbers These are some of the more common IP Protocols, for all follow the link after the table. Decimal Keyword Description Reference ICMP Internet Control Message RFC792 IGMP Internet Group Management RFC1112 Gateway-to-Gateway RFC823 IP in IP (encapsulation) RFC2003 Stream RFC1190, RFC1819...
Such repair or replacement will be rendered by D-Link at an Authorized D-Link Service Office. The replacement Hardware need not be new or of an identical make, model or part; D-Link may in its discretion may replace the defective Hardware (or any part thereof) with any reconditioned product that D-Link reasonably determines is substantially equivalent (or superior) in all material respects to the defective Hardware.
D-Link, 17595 Mt. Herrmann Street Fountain Valley, CA 92708 USA, with all shipping costs prepaid. D-Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements, or for which an RMA number is not visible from the outside of the package.
THE ENTIRE RISK AS TO THE QUALITY, SELECTION AND PERFORMANCE OF THE PRODUCT IS WITH THE PURCHASER OF THE PRODUCT. Limitation of Liability: TO THE MAXIMUM EXTENT PERMITTED BY LAW, D-LINK IS NOT LIABLE UNDER ANY CONTRACT, NEGLIGENCE, STRICT LIABILITY OR OTHER LEGAL OR...
6 A and a device weight greater than 3 kg, a power cord not lighter than H05VV-F, 3G, 0.75mm2 must be used. Trademarks Copyright 2002 D-Link Corporation. Contents subject to change without prior notice. D-Link is a registered trademark of D-Link Corporation/D-Link Systems, Inc. All other trademarks belong to their respective proprietors.
FCC Warning This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications.
8. What category best describes your company? Aerospace Engineering Education Finance Hospital Legal Insurance/Real Estate Manufacturing Retail/Chainstore/Wholesale Government Transportation/Utilities/Communication System house/company Other________________________________ 9. Would you recommend your D-Link product to a friend? Don't know yet 10.Your comments on this product? __________________________________________________________________________________________ __________________________________________________________________________________________...