1
2
Table Of Contents
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
Also See for D-Link DFL-1000
Related Manuals for D-Link DFL-1000
-
Firewall D-Link DFL-1000 Quick Install Manual
(6 pages)
-
Firewall D-link DFL-1100 Installation Manual
Network security firewall (25 pages)
-
Firewall D-link DFL-1100 User Manual
Network security firewall (86 pages)
-
Firewall D-link DFL-1100 User Manual
Network security firewall (144 pages)
-
Firewall D-Link DFL-1100 Manual
(91 pages)
-
Firewall D-link DFL-1600 Quick Manual
Network security firewall (22 pages)
-
Firewall D-link DFL-1600 User Manual
Network security firewall (366 pages)
-
Firewall D-Link DFL-1660 User Manual
Network security firewall (483 pages)
-
Firewall D-Link DFL-1660 Installation Manual
(45 pages)
-
Firewall D-Link DFL-1660 User Manual
Network security firewall (595 pages)
-
Firewall D-Link NetDefend SOHO DFL-160 User Manual
Netdefend soho utm firewall (130 pages)
-
Firewall D-Link NetDefend SOHO DFL-160 Reference Manual
Utm firewall (356 pages)
-
Firewall D-Link DFL-160 Quick Installation Manual
(61 pages)
-
Firewall D-Link DFL-160 Quick Installation Manual
(33 pages)
-
Firewall D-Link DFL-1660-IPS-12 Manual
Utm firewall registration & activation manual, network security solution (20 pages)
Summary of Contents for D-Link DFL-1000
- Page 1 DFL-1000 Workgroup Firewall ’ User s Manual Rev. 02 (March, 2002) D-Link Systems, Inc. DFL-1000 User’s Manual...
- Page 2 No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc. DFL-1000 User’s Manual Version 2.2...
-
Page 3: Table Of Contents
Configuring the DFL-1000 from the CLI ....................19 Connecting to the CLI......................... 20 Configuring the DFL-1000 to run in NAT mode.................. 20 Configuring the DFL-1000 to run in Transparent mode ..............21 Connecting the DFL-1000 to your network..................... 22 NAT mode connections ........................22 Transparent mode connections...................... - Page 4 Adding traffic shaping to a policy......................45 VPN pass through........................... 46 Adding IPSec and PPTP pass through ....................46 IPSec VPNs ....................47 Compatibility with third-party VPN products ................... 47 Autokey IPSec VPN between two networks ................... 47 Creating the VPN tunnel........................48 DFL-1000 User’s Manual...
- Page 5 Configuring the DFL-1000 as an L2TP server..................63 Configuring a Windows 2000 Client for L2TP ..................64 Configuring a Windows XP Client to connect to a DFL-1000 L2TP VPN .......... 65 RADIUS authentication for PPTP and L2TP VPNs ................66 Adding RADIUS server addresses .....................
- Page 6 Downloading a log file to the management computer ................ 89 Deleting all of the messages in an active log ..................90 Deleting a saved log file ........................90 Administering the DFL-1000 ..............91 Logging into the web-based manager ....................91 System status ............................91 Changing the operating mode ......................
- Page 7 Configuring SNMP..........................102 Using the DFL-1000 CLI.................104 Connecting to the DFL-1000 CLI......................104 Connecting to the DFL-1000 communications port................104 Connecting to the DFL-1000 CLI using SSH..................105 CLI basics ............................. 105 Recalling commands ........................105 Editing commands ..........................105 Using command shortcuts ........................
- Page 8 Logging ..............................114 Technical Support..................116 DFL-1000 User’s Manual...
-
Page 9: Introducing The Dfl-1000
Introducing the DFL-1000 The DFL-1000 is one of a series of new generation all-layer security products that provide comprehensive protection for your internal network. These products, Application Security Gateways, combine key security technologies into a dedicated platform designed for high performance and reliability. In a compact, easy to install and configure package the DFL-1000 combines: •... -
Page 10: Network Address Translation (Nat)
Network Address Translation (NAT) In NAT mode, the DFL-1000 is installed as a privacy barrier between the internal network and the Internet. The firewall provides network address translation to protect the private network. In NAT mode, you can add a DMZ network to provide public access to Internal servers while protecting them behind the firewall on a separate internal network. -
Page 11: Vpn
Dynamic link libraries (dll) • MS Office files You can configure DFL-1000 virus scanning to block the target files or scan them for viruses and worms. You can configure three levels of virus protection: • High level protection removes target files from HTTP transfers and email attachments before they pass through the firewall With high level protection turned on, the DFL-1000 does not perform virus scanning. -
Page 12: Secure Installation, Configuration, And Management
Secure installation, configuration, and management Installation is quick and simple. All that is required to get the DFL-1000 up and running and protecting your network is to connect to the web-based manager and use the Quick Setup Wizard to configure the DFL-1000. -
Page 13: Command Line Interface
• Report configuration changes Logs can be sent to a remote syslog server or saved on an optional hard drive installed in the DFL-1000. About this document This user manual describes how to install and configure the DFL-1000. This document contains the following chapters: •... -
Page 14: Customer Service And Technical Support
Administering the DFL-1000 describes DFL-1000 management and administrative tasks • Using the DFL-1000 CLI introduces the DFL-1000 CLI and describes the basics of connecting to and using the CLI • Glossary defines many of the terms used in this document •... -
Page 15: Installing The Dfl-1000
Completing the configuration Before you start Before starting the installation of the DFL-1000, you must decide whether you are going to be running it in NAT mode or Transparent mode. This choice determines the information that you require to install the DFL-1000 as well as the installation steps that you perform. -
Page 16: Transparent Mode Install
Primary Secondary If you plan to use the DFL-1000 as a DHCP server to assign IP addresses to the computers on 5. DHCP Server your internal network, you must specify the IP address range reserved to be assigned by the (optional) DHCP server. -
Page 17: Unpacking The Dfl-1000
DFL-1000 package contents Mounting the DFL-1000 The DFL-1000 can be mounted on a standard 19-inch rack. It requires 1 U of vertical space in the rack. The DFL-1000 can be installed as a free-standing appliance on any stable surface. For free-standing installation, make sure the appliance has at least 1.5 in. -
Page 18: Powering On The Dfl-1000
• Turn on the power switch. The DFL-1000 starts up. The Power and Status lights light. The Status light flashes while the DFL-1000 is starting up and remains lit when the system is up and running. Using the Quick Setup Wizard Use the procedures in this section to connect to the web-based manager and use the Quick Start Wizard to create your initial DFL-1000 configuration. -
Page 19: Starting The Quick Setup Wizard
• Confirm your configuration settings and then click Finish and Close. You have now completed the initial configuration of the DFL-1000, and you can proceed to connect the DFL-1000 to your network using the information in Connecting the DFL-1000 to your network. -
Page 20: Connecting To The Cli
Configuring the DFL-1000 to run in Transparent mode. Configuring the DFL-1000 to run in NAT mode The procedures in this section describe how to use the CLI to configure the DFL-1000 to run in NAT mode. Configuring NAT mode IP addresses •... -
Page 21: Configuring The Dfl-1000 To Run In Transparent Mode
DFL-1000 to your network using the information in Connecting the DFL-1000 to your network. Configuring the DFL-1000 to run in Transparent mode The procedures in this section describe how to use the CLI to configure the DFL-1000 to run in Transparent mode. Changing to Transparent mode •... -
Page 22: Connecting The Dfl-1000 To Your Network
The CLI lists the IP address and netmask settings for each of the DFL-1000 interfaces. The address and netmask of the DMZ interface should be set to the Management IP Address and Netmask. Configure the Transparent mode default gateway •... -
Page 23: Transparent Mode Connections
NAT mode connections: Transparent mode connections To connect the DFL-1000 running in Transparent mode: • Connect the Internal interface to the hub or switch connected to your internal network. • Connect the External Interface to the public switch or router provided by your Internet Service Provider. -
Page 24: Configuring Your Internal Network
DHCP. Use the internal address of the DFL-1000 as the DHCP server IP address. If you are running the DFL-1000 in Transparent mode, you do not have to make any changes to your network. Once the DFL-1000 is connected, make sure it is functioning properly by connecting to the internet from a computer on your internal network. -
Page 25: Setting The Date And Time
For effective scheduling and logging, the DFL-1000 date and time should be accurate. You can either manually set the DFL-1000 time or you can configure the DFL-1000 to automatically keep its time correct by synchronizing with a Network Time Protocol (NTP) server. -
Page 26: Firewall Configuration
Accepting incoming connections in NAT mode The most secure way to operate an Internet server is to run the DFL-1000 in NAT mode and isolate the server on your DMZ network. Isolating the server on the DMZ is more secure because from there the server cannot be used to indirectly attack the internal network. -
Page 27: Accepting Incoming Connections In Transparent Mode
Add the Internal address of the server to the Internal address list. See Adding addresses. • Go to Firewall > Policy > Incoming . • Click New to add a new incoming policy. • Configure the policy. DFL-1000 User’s Manual... -
Page 28: Denying Incoming Connections
Schedule Select a schedule to control when the policy denies connections. Service Select the service that matches the service of the policy to deny. Action Select Deny so that the DFL-1000 denies connections defined by the policy. DFL-1000 User’s Manual... -
Page 29: Arranging Policies In The Incoming Policy List
Controlling connections to the Internet By default, the DFL-1000 accepts all connections from the internal network to the Internet. If you do not want to enforce restrictions on access to the Internet, you do not have to change anything. The default policy accepts connections from any address on the internal network to any address on the Internet at any time, and for any service. -
Page 30: Denying Connections To The Internet From The Internal Network
Optionally select Log Traffic to add messages to the traffic log whenever the policy accepts a Log Traffic connection. Traffic Optionally, select Traffic Shaping to control the bandwidth available to and set the priority of Shaping the traffic processed by the policy. • Click OK to save the policy. DFL-1000 User’s Manual... -
Page 31: Accepting Connections To The Internet From The Internal Network
• Configure the policy. Source Select the Internal address from which to accept connections. Destination Select the Internet address for which to accept connections. DFL-1000 User’s Manual... -
Page 32: Requiring Authentication To Connect To The Internet
Requiring authentication to connect to the Internet When running the DFL-1000 in NAT mode, you can configure policies to require users on the internal network to enter a user name and password to access the Internet. To require authentication you must... -
Page 33: Controlling Connections To And From The Dmz
Controlling connections to and from the DMZ By default the DFL-1000 firewall denies connections between the DMZ and the Internet and between the DMZ and the internal network. You can configure the firewall to accept, deny, or require authentication for connections between these networks by adding policies to the following policy lists: •... -
Page 34: Default Policy
The parts of a DFL-1000 policy Identifying information Source The IP address from which a user or service can connect to the firewall. Address Destination The location to which a user or service is attempting to connect when intercepted by the firewall. -
Page 35: Editing Policies
POP3 to get email, use FTP to download files through the DFL-1000 and so on. If the default policy is at the top of the internal policy list, the DFL-1000 allows all connections from the internal network to the Internet because all connections match with the default policy. -
Page 36: Adding Addresses
Click the Internal, External, or DMZ tab corresponding to the type of address you want to edit. • Choose an address to edit and click Edit • Make the required changes and click OK to save your changes. DFL-1000 User’s Manual... -
Page 37: Organizing Addresses Into Address Groups
Use services to control the types of communication accepted or denied by the firewall. You can add any of the pre-configured services listed in DFL-1000 pre-defined services to a policy. You can also create your own custom services and add services to service groups. -
Page 38: Pre-Defined Services
Pre-defined services The DFL-1000 pre-defined services are listed in DFL-1000 pre-defined services. DFL-1000 pre-defined services Service Description Protocol, source and destination ports name Match connections on any port. tcp/53:0-65535 Domain name servers for looking up domain names. udp/53:0-65535 FINGER Finger service. -
Page 39: Providing Access To Custom Services
Members list. • To remove services from the service group, select a service from the Members list and click the left arrow to remove it from the group. 1. Click OK to add the service group. DFL-1000 User’s Manual... -
Page 40: Schedules
Specify the Start date and time for the schedule. Set start and stop times to 00 for the schedule to cover the entire day. • Specify the Stop date and time for the schedule. One-time schedules use the 24-hour clock. DFL-1000 User’s Manual... -
Page 41: Creating Recurring Schedules
Select the days of the week that are working days. • Set the Start Hour and the End Hour to the start and end of the work day. The Recurring schedule uses a 24-hour clock. • Click OK. DFL-1000 User’s Manual... -
Page 42: Applying A Schedule To A Policy
Arranging a one-time schedule in the policy list to deny access: Users and authentication You can configure the DFL-1000 to require users to authenticate (enter a user name and password) to access services through the firewall. To configure authentication you need to add user names and passwords to the firewall and then add policies that require authentication. -
Page 43: Adding Authentication To A Policy
Click New. • Enter a User Name and Password to add users to the DFL-1000. The password must be at least 6 characters long and may contain numbers (0-9) and upper and lower case letters (A-Z, a-z) but no spaces. -
Page 44: Virtual Ips
IP/MAC binding provides added security against IP Spoofing attacks. IP Spoofing attempts to use the IP address of a trusted computer to access the DFL-1000 from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to ethernet cards at the factory and cannot easily be changed. -
Page 45: Adding Ip/Mac Binding Addresses
Traffic Shaping makes it possible to control which policies have the highest priority when large amounts of data are moving through the DFL-1000. For example, the policy for the corporate web server might be given higher priority than the policies for most employees' computers. An employee who needs unusually high speed Internet access could have a special outgoing policy set up with higher bandwidth. -
Page 46: Vpn Pass Through
Internet. VPN pass through allows the VPN connection to pass-through your firewall and connect to the destination VPN. The DFL-1000 performs address translation on the connection, so that it seems to the target VPN gateway that the connection to its VPN is originating from the external interface of your DFL-1000. -
Page 47: Ipsec Vpns
Because the DFL-1000 supports the IPSec industry standard for VPN, you can configure a VPN between the DFL-1000 and any third party VPN client or gateway/firewall that supports IPSec VPN. To successfully establish the tunnel, the VPN settings must be the same on the DFL-1000 and the third party product. -
Page 48: Creating The Vpn Tunnel
Communication between the two networks takes place in an encrypted VPN tunnel that connects the two DFL-1000 VPN gateways across the Internet. Users on the internal networks are not aware that when they connect to a computer on the other network that the connection is across the Internet. -
Page 49: Adding Internal And External Addresses
VPN in Example VPN between two internal networks. In the example, both IP addresses are for internal networks. IPSec Autokey VPN addresses Main Office (VPN Branch Office (VPN Description Gateway 1) Gateway 2) DFL-1000 User’s Manual... -
Page 50: Adding An Ipsec Vpn Policy
Internet to the other VPN gateway using the VPN tunnel. Example IPSec Autokey VPN policy configuration Main Office (VPN Branch Office (VPN Description Gateway 1) Gateway 2) Source IP The Internal IP address (See IPSec Autokey Main_Office Branch_Office address addresses). DFL-1000 User’s Manual... -
Page 51: Autokey Ipsec Vpn For Remote Clients
Communication between the remote users and the internal network takes place over an encrypted VPN tunnel that connects the remote user to the DFL-1000 VPN gateway across the Internet. Once connected to the VPN, the remote user's computer appears as if it is installed on the internal network. -
Page 52: Configuring The Vpn Tunnel For The Client Vpn
To accept connections from a client at a static IP address (for example, 2.2.2.2). 2.2.2.2 Remote Gateway To accept connections from any Internet address (for a client with a dynamic IP 0.0.0.0 address). Keylife The amount of time (5 to 1440 minutes) before the encryption key expires. When 100 DFL-1000 User’s Manual... -
Page 53: Adding Internal And External Addresses
Authentication Enter up to 20 characters. The VPN gateway and clients must have the same ddcHH01887d key. Complete the following procedure on the DFL-1000 VPN gateway. • Go to VPN > IPSEC > Autokey IKE . • Click New to add a new Autokey IKE VPN tunnel. -
Page 54: Configuring The Vpn Client
Manual key exchange IPSec VPN between two networks DFL-1000 IPSec VPNs can be configured to use Autokey IKE and manual key exchange. In most cases the Autokey key exchange is preferred because it is easier to configure and maintain. However, manual key exchange may be necessary in some cases for compatibility with third party VPN products. -
Page 55: Configuring The Vpn Tunnel
Enter a hexadecimal number of up to eight digits (digits can be 0 to 9, a to f). This number must be Remote SPI added to the Local SPI at the opposite end of the tunnel. Remote Enter the external IP address of the DFL-1000 or other IPSec gateway at the opposite end of the Gateway tunnel. Encryption... -
Page 56: Adding An Ipsec Vpn Policy
Communication between the remote users and the internal network takes place over an encrypted VPN tunnel that connects the remote user to the DFL-1000 VPN gateway across the Internet. Once connected to the VPN, the remote user's computer appears as if it is installed on the internal network. -
Page 57: Testing A Vpn
The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the DFL-1000. To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network. -
Page 58: Pptp And L2Tp Vpns
RADIUS authentication for PPTP and L2TP VPNs PPTP VPN configuration This section describes how to configure the DFL-1000 as a PPTP VPN server. This section also describes how to configure Windows 98, Windows 2000, and Windows XP clients to connect to the PPTP VPN. -
Page 59: Configuring The Dfl-1000 As A Pptp Server
Configuring a Windows XP Client to connect to a DFL-1000 PPTP VPN Configuring the DFL-1000 as a PPTP server Use the following procedure to configure the DFL-1000 to be a PPTP server. • Go to VPN > PPTP > PPTP User . -
Page 60: Configuring A Windows 98 Client For Pptp
Use the following procedure to configure a client machine running Windows 98 so that it can connect to a DFL-1000 PPTP VPN. To configure the Windows 98 client, you must install and configure windows dial- up networking and virtual private networking support. -
Page 61: Configuring A Windows 2000 Client For Pptp
• If the Public Network dialog box appears, choose the appropriate initial connection and click Next. • In the VPN Server Selection dialog, enter the external IP address or hostname of the DFL-1000 to connect to and click Next. •... -
Page 62: L2Tp Vpn Configuration
This user name and password is not the same as your VPN user name and password. L2TP VPN configuration This section describes how to configure the DFL-1000 as an L2TP VPN server. This section also describes how to configure Windows 2000 and Windows XP clients to connect to the L2TP VPN. -
Page 63: Configuring The Dfl-1000 As An L2Tp Server
Configuring a Windows XP Client to connect to a DFL-1000 L2TP VPN Configuring the DFL-1000 as an L2TP server Use the following procedure to configure the DFL-1000 to be an L2TP server. • Go to VPN > L2TP > L2TP User . -
Page 64: Configuring A Windows 2000 Client For L2Tp
For Network Connection Type, select Connect to a private network through the Internet and click Next. • For Destination Address, enter the external address of the DFL-1000 to connect to and click Next. • Set Connection Availability to Only for myself and click Next. -
Page 65: Configuring A Windows Xp Client To Connect To A Dfl-1000 L2Tp Vpn
• If the Public Network dialog box appears, choose the appropriate initial connection and click Next. • In the VPN Server Selection dialog, enter the external IP address or hostname of the DFL-1000 to connect to and click Next. •... -
Page 66: Radius Authentication For Pptp And L2Tp Vpns
This user name and password is not the same as your VPN user name and password. RADIUS authentication for PPTP and L2TP VPNs If you have RADIUS servers installed, you can configure the DFL-1000 to use RADIUS for authenticating PPTP and L2TP users. To configure RADIUS authentication you must add the IP addresses of your RADIUS servers to the DFL-1000 VPN configuration and then turn on RADIUS support for PPTP and L2TP. -
Page 67: Adding Radius Server Addresses
If you have added PPTP and L2TP user names and passwords and configured RADIUS support, when a PPTP or L2TP user connects to a DFL-1000, their user name and password are checked against the DFL-1000 PPTP or L2TP user name and password list. If a match is not found, the DFL-1000 contacts the RADIUS server for authentication. -
Page 68: Intrusion Detection System (Ids)
With attack prevention configured, the DFL-1000 monitors Internet connections for up to 11 common network attacks. If the DFL-1000 detects one of these attacks, it takes action to prevent the attack from affecting your Internet connection. All attacks are recorded in the attack log. You can also configure the DFL-1000 to send alert emails to system administrators if an attack is detected. -
Page 69: Testing Email Alerts
Make sure that the DNS server settings are correct for the DFL-1000. See Setting DNS server addresses. Because the DFL-1000 uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server. Example alert email settings: Testing email alerts You can test your email alert settings by sending a test email. -
Page 70: Virus Protection
If the DFL-1000 detects a virus or worm in a file, the file is deleted from the data stream and replaced with an alert message. DFL-1000 content virus and worm prevention is transparent to the end user. Client and server programs require no special configuration and D-Link high performance hardware and software ensure there are no noticeable download delays. -
Page 71: Configuring High Level Virus Protection For Your Internal Network
You would not normally run the DFL-1000 with high level protection turned on. However, it is available for extremely high risk situations, where there is no other way to prevent viruses from entering your network. -
Page 72: Configuring Medium Level Virus Protection For Your Internal Network
High Security Alert!!! You are not allowed to download this type of file . Configuring medium level virus protection for your internal network Medium level protection scans all target files for viruses. You can configure the DFL-1000 to perform up to four different types of virus scans on each target file: •... -
Page 73: Configuring Low Level Virus Protection For Your Internal Network
IMAP traffic. When the DFL-1000 detects a virus and removes the infected file, the user who requested the file receives a message similar to the following: Sorry, Dangerous Attachment has been removed. -
Page 74: Configuring Worm Protection For Your Internal Network
Even though viruses and worms are distributed from your internal and DMZ networks by being uploaded through your firewall, an incoming connection to a server on your DMZ or internal network must first be started. It is this incoming connection that triggers DFL-1000 incoming virus protection. This section describes: •... -
Page 75: Medium Level Virus Protection For Incoming Connections
IMAP traffic originating from your internal or DMZ network. When the DFL-1000 blocks a file, the user who requested the file receives the following message: High Security Alert!!! You are not allowed to download this type of file . -
Page 76: Low Level Virus Protection For Incoming Connections
IMAP traffic originating from your internal or DMZ network. When the DFL-1000 detects a virus and removes the infected file, the user who requested the file receives a message similar to the following: Sorry, Dangerous Attachment has been removed. -
Page 77: Updating Your Antivirus Database
Configuring automatic antivirus database updates You can configure the DFL-1000 to automatically check an update center to see if a new version of the antivirus database is available. If it finds a new version the DFL-1000 automatically downloads and installs the updated database. -
Page 78: Displaying Virus And Worm Lists
Scroll through the virus list to view the names of all of the viruses in the list. • Click Worm List to display the worm list. • Scroll through the worm list to view the names of all of the worms in the list. DFL-1000 User’s Manual... -
Page 79: Web Content Filtering
Block web pages that contain content that you want to keep out of your internal network by enabling content blocking and then creating a list of banned words. With content blocking enabled and a list of banned words in place, the DFL-1000 blocks access to all web content that contains any of the banned words. -
Page 80: Temporarily Disabling The Banned Word List
Creating the banned word list using a text editor You can create a list of banned words in a text editor and then upload this text file to the DFL-1000. •... -
Page 81: Blocking Access To Internet Sites
To block access to internet sites, you enable URL blocking and then create a list of URLs and URL patterns to be blocked. With URL blocking enabled and a list of URLs to be blocked, the DFL-1000 blocks access to all web pages with the specified URLs or URL patterns. -
Page 82: Clearing The Url Block List
URLs from the URL block list. Creating the URL block list using a text editor You can create a URL block list in a text editor and then upload this text file to the DFL-1000. •... - Page 83 Example Script filtering settings to block Java Applets and ActiveX: DFL-1000 User’s Manual...
-
Page 84: Logging And Reporting
• Viewing and maintaining logs Configuring logging You can configure logging to record logs on a remote computer or on the DFL-1000. You can also configure the kind of information that is logged. • Recording logs on a remote computer •... -
Page 85: Selecting What To Log
Go to Log&Report > Log setting . • Click Sent Alert Email to add an entry to the event log whenever the DFL-1000 sends an alert email. • Click Log All Internal Traffic To Firewall to record all connections to the internal interface. -
Page 86: Traffic Log Message Format
Traffic log message format Traffic log messages record each connection made to a DFL-1000 interface. Each message records the date and time at which the connection was made, the source and destination address of the connection, and whether the connection was accepted or denied by the firewall. -
Page 87: Attack Log Message Format
When running in Transparent mode, the DFL-1000 does not create an Attack log. Attack log messages are created when the DFL-1000 detects one of the attacks listed on the IDS > Attack Prevention page. Attack log message format describes the attack log message format. -
Page 88: Viewing And Maintaining Logs
Sample Traffic log list: • To view the active log or a saved log file, click View • The web-based manager displays the messages in the selected log. Sample Event Log messages: DFL-1000 User’s Manual... -
Page 89: Searching Logs
Downloading a log file to the management computer Use the following procedure to download a traffic, event, or attack log file to the management computer. • Go to Log&Report > Logging . DFL-1000 User’s Manual... -
Page 90: Deleting All Of The Messages In An Active Log
For each log, the list shows the date and time at which an entry was last added to the log, the size of the log file, and its name. • To delete a saved log file, click Delete • Click OK to delete the log file. DFL-1000 User’s Manual... -
Page 91: Administering The Dfl-1000
Make sure the computer from which you are going to connect to the web-based manager is correctly configured on the same network as the DFL-1000 interface to which you are going to connect. If the DFL-1000 is running in NAT mode, connect to the internal interface If the DFL-1000 is running in Transparent Mode, connect to the DMZ interface •... -
Page 92: Changing The Operating Mode
• Shutting down the DFL-1000 • See System status monitor Changing the operating mode Use the following procedure to switch the operating mode of the DFL-1000 between NAT mode and Transparent mode. • Go to System > Status . •... -
Page 93: Restoring System Settings
Use the following procedure to restore system settings to the values set at the factory. This procedure does not change the version of the Firmware or the Antivirus database. This procedure deletes all of the changes that you have made to the DFL-1000 and reverts the system to its original configuration including resetting interface addresses. - Page 94 Default NAT mode system configuration When the DFL-1000 is first powered up or when it is reset to default, the system has the following standard configuration: • Operation Mode: Network Address Translation • Internal Address: 192.168.1.99, mask 255.255.255.0 • External Address: 192.168.100.99, mask 255.255.255.0 •...
-
Page 95: Restarting The Dfl-1000
Click Shutdown. The DFL-1000 shuts down and all traffic flow through the firewall stops. The DFL-1000 can only be restarted after shutdown by turning the power off and on. System status monitor You can use the system status monitor to view system activity including the number of active connections to the DFL-1000 and information about the connections. -
Page 96: Network Configuration
• Click DHCP and click OK. The DFL-1000 changes to DHCP mode and attempts to contact the DHCP server to set the external IP address, netmask, and default gateway IP address. When the DFL-1000 gets this information from the DHCP server, the new addresses and netmask are displayed in the external IP address, netmask, and default gateway IP address fields. -
Page 97: Changing Mtu Size To Improve Network Performance
For example, the MTU of many PPP connections is 576, so if you connect to the Internet via PPP or PPPoE, you might want to set the MTU of the DFL-1000 to 576. DSL modems may also have small MTU sizes. -
Page 98: Configuring Routing
If there are multiple routers installed on your network, you can configure static routes to determine the path that data follows over your network before and after it passes through the DFL-1000. You can also use static routing to allow different IP domain users to access the Internet through the DFL-1000. -
Page 99: Providing Dhcp Services To Your Internal Network
Providing DHCP services to your internal network If it is operating in NAT mode, you can configure the DFL-1000 to be the DHCP server for your internal network. • Go to System > Network > DNS . • If they have not already been added, add the primary and secondary DNS server addresses provided to you by your ISP. -
Page 100: System Configuration
• Select your Time Zone from the list. • Optionally, click Set Time and set the DFL-1000 date and time to the correct date and time. • To configure the DFL-1000 to use NTP, click Synchronize with NTP server. •... -
Page 101: Changing Web-Based Manager Options
The appearance of the web-based manager changes. Adding and editing administrator accounts When the DFL-1000 is initially installed, it is configured with a single administrator account. This administrator has permission to change all DFL-1000 settings. From the web-based manager, you can add administrator accounts and control their level of administrative access. -
Page 102: Configuring Snmp
To delete an administrator account, choose the account to delete and click Delete Configuring SNMP Configure SNMP for the DFL-1000 so that the SNMP agent running on the DFL-1000 can report system information and send traps. Traps can alert system administrators about problems with the DFL-1000. - Page 103 Optionally specify the IP address of a second SNMP monitor to which to send traps. Address Third Trap Receiver IP Optionally specify the IP address of a third SNMP monitor to which to send traps. Address • Click Apply. Sample SNMP configuration: DFL-1000 User’s Manual...
-
Page 104: Using The Dfl-1000 Cli
This chapter explains how to connect to the DFL-1000 CLI and also describes some of the basics of using the CLI. You can use CLI commands to view all system information and to change all system configuration settings. -
Page 105: Connecting To The Dfl-1000 Cli Using Ssh
Type the password for this administrator and press Enter. The following prompt appears: Type ? for a list of commands. You have connected to the DFL-1000 CLI, and you can proceed to enter CLI commands as if you have connected through the DFL-1000 communications port. CLI basics This section describes the basics of using the DFL-1000 CLI to enter commands. -
Page 106: Using Command Shortcuts
DFL-1000. This procedure deletes all of the changes that you have made to the DFL-1000 configuration and reverts the system to its default configuration, including resetting interface addresses. Before installing new firmware make... - Page 107 Make sure the Internal interface of the DFL-1000 is connected to your internal network. • To confirm that you can connect to the TFTP server from the DFL-1000, start the DFL-1000 CLI and use the following command to ping the computer running the TFTP server. If the TFTP server's IP address is 192.168.100.101:...
- Page 108 Once the interface addresses are changed you can access the DFL-1000 from the web-based manager and upload your configuration files. DFL-1000 User’s Manual...
-
Page 109: Glossary
(private) network. Typically, the DMZ contains servers accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (e-mail) servers and DNS servers. DMZ interface : The DFL-1000 interface that is connected to your servers that are accessible from the Internet. - Page 110 Routing : The process of determining a path to use to send data to its destination. Routing table : A list of valid paths through which data can be transmitted. SCCU , Security and Content Control Units : D-Link products that provide high-performance, hardware-based protection against content-based security threats, such as viruses and worms, combined with firewall, VPN, intrusion detection, content filtering, and traffic shaping.
- Page 111 Worm : A program or algorithm that replicates itself over a computer network, usually through email, and performs malicious actions, such as using up the computer's resources and possibly shutting the system down. DFL-1000 User’s Manual...
-
Page 112: Troubleshooting Faqs
This most often occurs when adding a single address and forgetting to change the netmask from 255.255.255.0 to 255.255.255.255. Q: My policies are set correctly but I still cannot connect to the Internet from one or more of the computers on my internal network. DFL-1000 User’s Manual... -
Page 113: Schedules
Check the default gateway setting on that particular computer. Its default gateway must match the internal address of the DFL-1000. Q: I checked the default gateway and it matches but I still cannot connect to the Internet. Make sure that the external address and external gateway of the firewall have been properly set to your Internet Service Provider's (ISP) specifications. -
Page 114: Virus Protection
Internet, and most can be very easily set up. In some cases a more advanced commercial version is available for a modest fee. • If you are running the DFL-1000 in NAT mode, the computer running the syslog server must be connected to the same network as the Internal interface of the DFL-1000 DFL-1000 User’s Manual... - Page 115 • If you are running the DFL-1000 in Transparent mode, the computer running the syslog server must be connected to the same network as the DMZ interface of the DFL-1000 DFL-1000 User’s Manual...
-
Page 116: Technical Support
Le Florilege #2, Allee de la Fresnerie, 78330 Fontenay le Fleury France TEL: 33-1-302-38688 FAX: 33-1-3023-8689 E-MAIL: info@dlink-france.fr URL: www.dlink-france.fr GERMANY D-LINK Central Europe/D-Link Deutschland GmbH Schwalbacher Strasse 74, D-65760 Eschborn, Germany TEL: 49-6196-77990 FAX: 49-6196-7799300 INFO LINE: 00800-7250-0000 (toll free) HELP LINE: 00800-7250-4000 (toll free) - Page 117 8. What category best describes your company? Aerospace Engineering Education Finance Hospital Legal Insurance/Real Estate Manufacturing Retail/Chainstore/Wholesale Government Transportation/Utilities/Communication System house/company Other________________________________ 9. Would you recommend your D-Link product to a friend? Don't know yet 10.Your comments on this product? __________________________________________________________________________________________ __________________________________________________________________________________________ DFL-1000 User’s Manual...
- Page 118 DFL-1000 User’s Manual...