D-Link DFL-1000 Manual
Network Security Firewall
DFL-1000 User Manual
Summary of Contents for D-Link DFL-1000

  • Page 1 D-Link DFL-1000 Network Security Firewall Manual Building Networks for People DFL-1000 User Manual...
  • Page 2 No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of D-Link Systems, Inc. DFL-1000 User Manual Version 2.36...
  • Page 3: Table Of Contents

    Starting the setup wizard (23); Reconnecting to the web-based manager (23); Using the command line interface (24); Configuring the DFL-1000 NPG to run in NAT/Route mode (24); Connecting to your networks (25); Configuring your networks (25); Completing the configuration...
  • Page 4 Adding a schedule to a policy (46); Virtual IPs (47); Adding static NAT virtual IPs (47); Adding port forwarding virtual IPs (49); Adding policies with virtual IPs (50); IP pools (51); IP/MAC binding (52)...
  • Page 5 About dialup VPN authentication (73); About DH groups (75); About the P1 proposal (75); About NAT traversal (75); Adding an AutoIKE key VPN tunnel (76); About the P2 proposal (77); About replay detection (77)...
  • Page 6 Hub and spoke VPN (VPN concentrator) (97); Configuring the hub (98); Configuring the spokes (98); Configuring the remote gateways (99); Configuring the AutoIKE key tunnels (99); Configuring the VPN concentrator (100); Adding source and destination addresses (100)...
  • Page 7 Adding encrypt policies (101); PPTP and L2TP VPNs (103); PPTP VPN configuration (103); Configuring the DFL-1000 NPG as a PPTP gateway (104); Configuring a Windows 98 client for PPTP (105); Configuring a Windows 2000 client for PPTP (106); Configuring a Windows XP client for PPTP...
  • Page 8 Recording logs on the DFL-1000 hard disk (124); Logging event log to memory (125); Selecting what to log (125); Viewing event log saved to memory (126); Viewing event log (126); Searching event log (126); Clearing event log messages (127); Viewing and maintaining logs saved to the hard disk...
  • Page 9 Enabling RIP server support (146); Adding routes (Transparent mode) (146); Configuring the DFL-1000 NPG for multiple Internet connections (146); Providing DHCP services to your internal network (148); System configuration (150); Setting system date and time (150); Changing web-based manager options (151); Adding and editing administrator accounts (152)...
  • Page 10: Introduction

    If a match is found between a URL on the URL block list, or if a web page is found to contain a word or phrase in the content block list, the DFL-1000 NPG blocks the web page. The blocked web page is replaced with a message that you can edit using the DFL-1000 web-based manager.
  • Page 11: NAT/Route Mode

    Transparent mode provides the same basic firewall protection as NAT mode. Packets received by the DFL-1000 NPG are intelligently forwarded or blocked according to firewall policies. The DFL-1000 NPG can be inserted in your network at any point without the need to make changes to your network or any of its components.
  • Page 12: Secure Installation, Configuration, And Management

    For troubleshooting and professional scripting, you can access the DFL-1000 command line interface (CLI) by connecting a management computer serial port to the DFL-1000 RS-232 serial Console connector. You can also use the SSH protocol to create a secure connection to the DFL-1000 CLI from...
  • Page 13: Logging And Reporting

    Firewall Suite server using the WebTrends enhanced log format. Some models can also save logs to an optional internal hard drive. If a hard drive is not installed, you can configure most DFL-1000 NPGs to log the most recent events to shared system memory.
  • Page 14 Local DFL-1000 user database You can add user names to the local DFL-1000 user database. When you add a user name, you can specify a password or that the user can be authenticated using a RADIUS server. You can then add user names to user groups and make these user groups available for authenticating with firewall policies, dialup VPN, PPTP VPN, and L2TP VPN.
  • Page 15: About This Document

    About this document This user manual describes how to install and configure the DFL-1000 NPG. This document contains the following information: • Getting started describes unpacking, mounting, and powering on the DFL-1000 NPG. • NAT/Route mode installation describes how to install the DFL-1000 NPG if you are planning on running it in NAT/Route mode.
  • Page 16 • Company Name • Location • Email address • Telephone Number • Software Version • Serial Number • Detailed description of your problem...
  • Page 17: Getting Started

    Getting started This chapter describes unpacking, setting up, and powering on your DFL-1000 NPG. When you have completed the procedures in this chapter, you can proceed to one of the following: • If you are going to run your DFL-1000 NPG in NAT/Route mode, go to NAT/Route mode installation.
  • Page 18: Mounting

    The DFL-1000 NPG can be installed on any stable surface. Make sure that the appliance has at least 1.5 in. (3.75 cm) of clearance on each side to allow for adequate air flow and cooling. The DFL-1000 NPG can also be mounted on a standard 19-inch rack. It requires 1 U of vertical space in the rack.
  • Page 19: Initial Configuration

    (LED status table fragment) Flashing amber: network activity at this interface. Interfaces (back): no link established. Initial configuration: When the DFL-1000 NPG is first powered on, it is running in NAT/Route mode and has the basic configuration listed in DFL-1000 NPG initial power-on settings. DFL-1000 NPG initial power-on settings...
  • Page 20: Connecting To The Command Line Interface (CLI)

    Connecting to the command line interface (CLI) As an alternative to the web-based manager, you can install and configure the DFL-1000 NPG using the CLI. Configuration changes made with the CLI are effective immediately without the need to reset the firewall or interrupt service.
  • Page 21: Next Steps

    For information on how to use the CLI, see the DFL-1000 CLI Reference Guide. Next steps Now that your DFL-1000 NPG is up and running, you can proceed to configure it for operation: • If you are going to run your DFL-1000 NPG in NAT/Route mode, go to NAT/Route mode installation.
  • Page 22: NAT/Route Mode Installation

    NAT/Route mode installation This chapter describes how to install your DFL-1000 NPG in NAT/Route mode. If you want to install the DFL-1000 NPG in Transparent mode, see Transparent mode installation. This chapter includes: • Preparing to configure NAT/Route mode •...
  • Page 23: DMZ Interface

    IPs and firewall policies for each server that you configure. For each server located on your internal network the DFL-1000 adds an Ext -> Int policy. For each server located on your DMZ network, the DFL-1000 NPG adds an Ext -> DMZ policy.
  • Page 24: Using The Command Line Interface

    Confirm that the addresses are correct. Enter: get system interface The CLI lists the IP address, netmask and other settings for each of the DFL-1000 NPG interfaces as well as the mode of the external interface (manual, DHCP, or PPPoE).
  • Page 25: Connecting To Your Networks

    DFL-1000 NAT/Route mode connections Configuring your networks If you are running the DFL-1000 NPG in NAT/Route mode, your networks must be configured to route all Internet traffic to the IP address of the DFL-1000 NPG interface connected to that network. For your...
  • Page 26: Completing The Configuration

    IP address of the DFL-1000 NPG internal interface. For your DMZ network, change the default gateway address of all computers and routers connected directly to your DMZ network to the IP address of the DFL-1000 DMZ interface. For your external network, route all packets to the DFL-1000 NPG external interface.
  • Page 27: Transparent Mode Installation

    Connecting to the web-based manager. Changing to Transparent mode The first time that you connect to the DFL-1000 NPG, it is configured to run in NAT/Route mode. To switch to Transparent mode using the web-based manager: • Go to System > Status.
  • Page 28: Starting The Setup Wizard

    IP default gateway field. Using the command line interface As an alternative to the setup wizard, you can configure the DFL-1000 NPG using the command line interface (CLI). To connect to the CLI, see Connecting to the command line interface (CLI).
  • Page 29: Configure The Transparent Mode Default Gateway

    <number> gateway <IP address>. Example: set system route number 1 gateway 204.23.1.2. You have now completed the initial configuration of the DFL-1000 NPG, and you can proceed to the next section. Setting the date and time For effective scheduling and logging, the DFL-1000 NPG date and time should be accurate.
  • Page 30 (Figure) DFL-1000 Transparent mode connections...
  • Page 31: Firewall Configuration

    (port number). For the packet to be connected through the DFL-1000 NPG, you must have added a policy that matches the packet's source address, destination address, and service. The policy directs the action that the firewall should perform on the packet.
  • Page 32: NAT/Route Mode And Transparent Mode

    Run the DFL-1000 NPG in Transparent mode to provide firewall protection to a network with public addresses. The DFL-1000 NPG can be inserted in your network at any point without the need to make changes to your network or any of its components.
  • Page 33 Select Allow outbound so that users can connect to the destination address behind the outbound remote VPN gateway. Inbound NAT: Select Inbound NAT to translate the source address of incoming packets to the DFL-1000 NPG internal IP address. Outbound NAT: Select Outbound NAT to translate the source address of outgoing packets to the DFL-1000 NPG external IP address.
  • Page 34 Bandwidth: Limit bandwidth to keep less important services from using bandwidth needed for more important services. Select High, Medium, or Low. Traffic Priority: Select Traffic Priority so that the DFL-1000 NPG manages the relative priorities of different types of traffic. For example, a policy for connecting to a secure web server needed to support e-commerce traffic should be assigned a high traffic priority.
  • Page 35: Adding Transparent Mode Policies

    Adding a NAT/Route Int -> Ext policy Adding Transparent mode policies Add Transparent mode policies to control the network traffic that is allowed to pass through the DFL-1000 NPG when you are running the firewall in Transparent mode. • Go to Firewall > Policy.
  • Page 36 Select OK to add the policy. The policy is added to the policy list. • Arrange policies in the policy list so that they have the results that you expect. Arranging policies in a policy list is described in Configuring policy lists.
  • Page 37: Configuring Policy Lists

    The DFL-1000 NPG then starts at the top of the selected policy list and searches down the list for the first policy that matches the connection attempt source and destination addresses, service port, and time and...
  • Page 38: Changing The Order Of Policies In A Policy List

    POP3 to get email, use FTP to download files through the DFL-1000 NPG, and so on. If the default policy is at the top of the Int -> Ext policy list, the firewall allows all connections from the internal network to the Internet because all connections match the default policy.
  • Page 39: Adding Addresses

    The netmask should correspond to the address. The netmask for the IP address of a single computer should be 255.255.255.255. The netmask for a subnet should be 255.255.255.0. • Select OK to add the address. Adding an internal address...
  • Page 40: Editing Addresses

    Members list. • To remove addresses from the address group, select an address from the Members list and select the left arrow to remove it from the group. • Select OK to add the address group.
  • Page 41: Services

    • Predefined services • Providing access to custom services • Grouping services Predefined services The DFL-1000 predefined firewall services are listed in DFL-1000 predefined services. You can add these services to any policy. DFL-1000 predefined services (columns: Service name / Description / Protocol / Port): ANY: Match connections on any port.
  • Page 42 RLOGIN: Rlogin service for remotely logging into a server. RIP: Routing Information Protocol. SMTP: For sending mail between email servers on the Internet. SNMP: For communicating system status information (ports 161-162). SSH: Service for secure connections to computers for remote management (tcp)...
  • Page 43: Providing Access To Custom Services

    This name appears in the service list when you add a policy and cannot be the same as a predefined service name. The name can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _. Other special characters and spaces are not allowed.
  • Page 44: Schedules

    Internet at all times. You can add a one-time schedule to block access to the Internet during a holiday period. One-time schedules use the 24-hour clock. • Go to Firewall > Schedule > One-time.
  • Page 45: Creating Recurring Schedules

    You can also create a recurring schedule that runs for 24 hours by setting the start and stop times to the same time. Recurring schedules use the 24-hour clock. • Go to Firewall > Schedule > Recurring. • Select New to create a new schedule.
  • Page 46: Adding A Schedule To A Policy

    For example, to use a one-time schedule to deny access to a policy, add a policy that matches the policy to be denied in every way. Choose the one-time schedule that you added and set Action to DENY. Then place the policy containing the one-time schedule in the policy list above the policy to be denied.
  • Page 47: Virtual IPs

    • See Adding static NAT virtual IPs • See Adding port forwarding virtual IPs • See Adding policies with virtual IPs. Adding static NAT virtual IPs • Go to Firewall > Virtual IP.
  • Page 48 Firewall policies to which you can add virtual IPs (columns: External interface / Map to IP / Firewall policy): external / same subnet as the internal interface / Ext -> Int; external / same subnet as the DMZ interface / Ext -> DMZ; same subnet as the internal interface / DMZ -> Int.
  • Page 49: Adding Port Forwarding Virtual IPs

    80 (the HTTP port). • In Map to IP, enter the real IP address on the more secure network, for example, the IP address of a web server on your DMZ network.
  • Page 50: Adding Policies With Virtual IPs

    Virtual IP settings and corresponding policy types (columns: External Interface / Map to IP / Policy type): external / Internal network IP address / Ext -> Int; external / DMZ network IP address / Ext -> DMZ; Internal network IP address / DMZ -> Int.
  • Page 51: IP Pools

    IP pool. If you have configured the external interface to use PPPoE or DHCP, you can only set the Start IP and End IP to the current IP address of the external interface. • Select OK.
  • Page 52: IP/MAC Binding

    IP/MAC binding protects the DFL-1000 NPG and your network from IP spoofing attacks. IP spoofing attempts to use the IP address of a trusted computer to connect to or through the DFL-1000 NPG from a different computer. The IP address of a computer can easily be changed to a trusted address, but MAC addresses are added to ethernet cards at the factory and cannot easily be changed.
  • Page 53: Configuring IP/MAC Binding For Packets Going To The Firewall

    Configuring IP/MAC binding for packets going to the firewall Use the following procedure to use IP/MAC binding to filter packets that would normally connect with the firewall (for example, when an administrator is connecting to the DFL-1000 NPG for management). •...
  • Page 54: Enabling IP/MAC Binding

    • Select Enable IP/MAC binding going to the firewall to turn on IP/MAC binding for packets connecting to the DFL-1000 NPG. • Configure how IP/MAC binding handles packets with IP and MAC addresses that are not defined in the IP/MAC list.
  • Page 55: Example Policies

    Routing policy for access to a server from the internal network The following example routing policy, to accept connections from the internal network and forward them to the DMZ network, is similar to any routing policy. In this example, the DFL-1000 NPG is running in...
  • Page 56: Transparent Mode Policy For Public Access To A Server

    Select New to add a new policy. • Configure the policy. Source: External_All. Destination: The address added in step 1. Schedule: Always. Service: Select a service to match the Internet server; for a web server, select HTTP.
  • Page 57: Denying Connections From The Internet

    The following example procedure, to periodically deny access to a public web server to allow for regular maintenance, is similar to any procedure to deny a connection that would otherwise be accepted by an existing policy. In this example, the DFL-1000 NPG is running in NAT/Route mode. To use a schedule to deny access: •...
  • Page 58: Adding Policies That Accept Connections

    The following example procedure, to prevent all users on the internal network from using POP3 to connect to an email server on the Internet, is similar to any procedure to deny a connection that would otherwise be accepted by the default policy. In this example, the DFL-1000 NPG is running in NAT/Route mode.
  • Page 59: Requiring Authentication To Connect To The Internet

    The following example procedure describes how to configure the firewall to require users on the internal network to authenticate to access POP3 servers on the Internet. In this example, the DFL-1000 NPG is running in NAT/Route mode, but the configuration would be the same for a DFL-1000 NPG running in Transparent mode.
  • Page 60 DNS by making sure that the default policy is not removed from the policy list. You can also add a policy to the top of the Int -> Ext policy list that includes the DNS service, has action set to ACCEPT, and does not include authentication.
  • Page 61: Users And Authentication

    DFL-1000 NPGs support user authentication to the DFL-1000 user database or to a RADIUS server. You can add user names to the DFL-1000 user database and then add a password to allow the user to authenticate using the internal database. You can also add the name of a RADIUS server and select RADIUS to allow the user to authenticate using the selected RADIUS server.
  • Page 62: Adding User Names And Configuring Authentication

    DFL-1000 RADIUS configuration. See Configuring RADIUS support. • Select Try other servers if connect to selected server fails if you want the DFL-1000 NPG to try to connect to other RADIUS servers added to the DFL-1000 RADIUS configuration. • Select OK.
  • Page 63: Configuring Radius Support

    If you have configured RADIUS support and a user is required to authenticate using a RADIUS server, the DFL-1000 NPG contacts the RADIUS server for authentication. When using a RADIUS server for user authentication, PPTP and L2TP encryption is not supported and you should not select Require data encryption when configuring Windows clients for PPTP or L2TP.
  • Page 64: Configuring User Groups

    Adding user groups • Deleting user groups Adding user groups Use the following information to add user groups to your DFL-1000 configuration. You can add user names and RADIUS servers to user groups. To add a user group: • Go to User > User Group.
  • Page 65: Deleting User Groups

    You cannot delete user groups that have been selected in a policy or remote gateway, PPTP, or L2TP configuration. To delete a user group: • Go to User > User Group. • Select Delete beside the user group that you want to delete. • Select OK.
  • Page 66: IPSec VPNs

    Remote or travelling workers can use a VPN client to connect to their office private network. The DFL-1000 NPG is an excellent choice for connecting a satellite office to a main office VPN. The main office would usually be protected by a high-capacity product such as the DFL-1000-400 NPG or DFL-1000-500 NPG.
  • Page 67: Interoperability With IPSec VPN Products

    Interoperability with IPSec VPN products Because the DFL-1000 NPG supports the IPSec industry standard for VPN, you can configure a VPN between a DFL-1000 NPG and any client or gateway/firewall that supports IPSec VPN. DFL-1000 IPSec VPNs support: • IPSec Internet Protocol Security standard •...
  • Page 68: Configuring Manual Key IPSec VPN

    Use a dialup VPN configuration to allow remote clients or VPN gateways with dynamic IP addresses to connect to a DFL-1000 VPN gateway. Clients or gateways with dynamic IP addresses can be home or travelling users who dial into the Internet and are dynamically assigned an IP address by their ISP (using PPPoE, DHCP, or a similar protocol).
  • Page 69: Configuring A VPN Concentrator For Hub And Spoke VPN

    Configuring a VPN Concentrator for hub and spoke VPN A hub and spoke VPN consists of a VPN Concentrator on a central DFL-1000 NPG (the hub) and two or more VPN tunnels (the spokes). The spoke VPNs communicate with each other through the hub VPN Concentrator.
  • Page 70: Configuring The Member VPNs

    Add additional encrypt policies between the member VPNs. Use the following configuration: Source: Local member VPN address. Destination: Remote member VPN address. Action: ENCRYPT. VPN Tunnel: The VPN tunnel added in step 2. Allow inbound: Select allow inbound.
  • Page 71: Configuring IPSec Redundancy

    Adding a remote gateway Add a remote gateway configuration to define the parameters that the DFL-1000 NPG uses to connect to and establish an AutoIKE key VPN tunnel with a remote VPN gateway or a remote VPN client. The remote gateway configuration consists of the IP address of the remote VPN gateway or client as well as the P1 proposal settings required to establish the VPN tunnel.
  • Page 72 Mode. Local ID: Enter the IP address of the dialup user or the domain name of the dialup user (for example, domain.com). If you do not add a local ID, the DFL-1000 external interface automatically becomes the Local ID. For information about authentication and the Local ID, see About dialup VPN authentication.
  • Page 73: About Dialup VPN Authentication

    Adding a remote gateway (Dialup User selected) About dialup VPN authentication For dialup VPN authentication to work you must create compatible configurations on the DFL-1000 NPG that is the dialup server and its dialup clients. The configurations required for the server and the clients are different for different dialup gateway configurations.
  • Page 74 Clients authenticate with the server using their authentication keys. Aggressive mode with no user group (columns: Field / Server / Clients): User Group: None; Mode: Aggressive / Aggressive; Authentication Key: The server and the clients must have the same authentication key; Local ID: empty / empty.
  • Page 75: About DH Groups

    When you configure the remote gateway P1 proposal, you are selecting the algorithms that the DFL-1000 NPG proposes during phase 1 negotiation. You can select up to three different encryption and authentication algorithm combinations. Choosing more combinations might make it easier for P1 negotiation, but you can restrict the choice to one if required.
  • Page 76: Adding An AutoIKE Key VPN Tunnel

    Concentrator next time you open the tunnel, the Concentrator field displays the name of the concentrator to which you have added the tunnel. • Select OK to save the AutoIKE key VPN tunnel.
  • Page 77: About The P2 Proposal

    If packets arrive out of sequence, the DFL-1000 NPG discards them. The DFL-1000 NPG sends an alert email when replay detection detects a replay packet. To receive the alert email, you must configure alert email and select "Enable alert email for critical firewall/VPN events or violations".
  • Page 78: Adding A Manual Key VPN Tunnel

    Local SPI at the opposite end of the tunnel. The Remote SPI value must be greater than bb8. Remote Gateway: Enter the external IP address of the DFL-1000 NPG or other IPSec gateway at the opposite end of the tunnel.
  • Page 79: Adding A VPN Concentrator

    You can add VPN tunnels to a VPN concentrator grouping to create a hub and spoke configuration. The VPN concentrator allows VPN traffic to pass from one tunnel to the other through the DFL-1000 NPG. To add a hub and spoke configuration: •...
  • Page 80: Adding An Encrypt Policy

    For example, if you have users on your internal network that should be able to connect to a network behind a remote DFL-1000 NPG VPN gateway on the Internet, you must add an Int -> Ext encrypt policy. The source of this policy must be an address on your internal network. The destination of this policy must be the address of the network behind the remote DFL-1000 NPG gateway.
  • Page 81 Allow outbound: Select Allow outbound to enable outbound users to connect to the destination address. Inbound: The DFL-1000 NPG translates the source address of incoming packets to the IP address of the DFL-1000 interface connected to the source address network. Outbound: The DFL-1000 NPG translates the source address of outgoing packets to the IP address of the DFL-1000 interface connected to the destination address network.
  • Page 82: Viewing VPN Tunnel Status

    The Status column displays the status of each tunnel. If Status is Up, the tunnel is active. If Status is Down, the tunnel is not active. The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
  • Page 83: Viewing Dialup VPN Connection Status

    The IPSec VPN tunnel starts automatically when the first data packet destined for the VPN is intercepted by the DFL-1000 NPG. To confirm that a VPN between a network and one or more clients has been configured correctly, start a VPN client and use the ping command to connect to a computer on the internal network.
  • Page 84: IPSec VPN Configuration Examples

    DFL-1000 NPG to protect a branch office and a small main office. Both of these DFL-1000 NPGs can be configured as IPSec VPN gateways to create the VPN that connects the branch office network to the main office network.
  • Page 85: Configuring The Remote Gateway For A Remote Network

    (Example remote gateway configuration, columns: Main Office / Branch Office) Mode: Main (ID Protection) / Main (ID Protection); P1 Proposal 1 - Encryption: 3DES / 3DES; Authentication: SHA1 / SHA1; DH Group; Keylife: 28800 seconds / 28800 seconds; Authentication (Pre-shared Key): ddcHH01887d / ddcHH01887d; Local ID: Blank / Blank; NAT-traversal: Enable / Enable; Keepalive Frequency...
  • Page 86: Configuring The AutoIKE Key Tunnel For A Remote Network

    Go to VPN > IPSEC > Remote Gateway. • Select New to add a remote gateway. • On the Main Office DFL-1000 NPG configure the remote gateway using the Main Office information in Example remote gateway configuration. • On the Branch Office DFL-1000 NPG configure the remote gateway using the Branch Office...
  • Page 87: Adding Source And Destination Addresses For A Network-To-Network VPN

    Go to Firewall > Address > Internal. • Select New to add an address. • On the Main Office DFL-1000 NPG, enter the Address Name, IP Address, and NetMask, using the Main Office source address information in IPSec VPN source and destination addresses.
  • Page 88: AutoIKE Key VPN For Remote Clients

    • Select Int -> Ext. • Select New to add a new policy. • On the Main Office DFL-1000 NPG set Source and Destination to the Main Office Source and Destination shown in Example encrypt policies. • On the Branch Office DFL-1000 NPG set Source and Destination to the Branch Office Source and...
  • Page 89: Configuring The Remote Gateway For Remote Clients

    AutoIKE key tunnel for the example VPN in Example VPN between a main office internal network and a remote client. Example AutoIKE key tunnel configuration (columns: Field name / Tunnel information): Tunnel Name: Client_VPN...
  • Page 90: Adding Source And Destination Addresses For A Remote Client VPN

    Enter the Address Name, IP Address, and NetMask, using the Source Address information in Example source and destination addresses for a client with a static IP address. • Select OK to save the source address. • Repeat these steps (this time selecting the External address list) to add the destination address.
  • Page 91: Adding An Encrypt Policy For A Remote Client

    The VPN client must be running industry-standard IPSec AutoIKE key VPN client software, such as the D-Link Remote VPN Client. Configure the client as required to connect to the DFL-1000 VPN gateway using an IPSec VPN configuration. Make sure that the client configuration matches the DFL-1000 remote gateway and VPN...
  • Page 92: Dialup VPN

    Use a dialup VPN configuration to allow remote VPN gateways or clients with dynamic IP addresses to connect to a DFL-1000 VPN gateway. Gateways or clients with dynamic IP addresses can be home or travelling users who dial into the Internet and are dynamically assigned an IP address by their ISP (using PPPoE, DHCP, or a similar protocol).
  • Page 93: Adding A Dialup Remote Gateway

    If you are configuring dialup VPN for a remote client, use the procedures in Adding source and destination addresses for a remote client VPN. Use the information in Example source and destination addresses for a client with a static IP address.
  • Page 94: Adding Encrypt Policies For Dialup VPN

    Configuring remote IPSec VPN gateways for dialup VPN The remote IPSec VPN gateways must be DFL-1000 IPSec VPN gateways or third-party IPSec VPN gateways running industry-standard IPSec AutoIKE key VPN software. Configure the VPN gateway as required to connect to the dialup VPN gateway using an IPSec AutoIKE key VPN configuration.
  • Page 95: Configuring The Manual Key VPN Tunnel

    • Select New to add a manual key tunnel. • Select OK to save the manual key tunnel. • Repeat steps ... on the appropriate DFL-1000 NPG, using the Branch Office information in Example manual key tunnel configuration.
    Adding source and destination addresses
    Use the procedure Adding source and destination addresses for a network-to-network VPN.
  • Page 96: Manual Key Vpn For Remote Clients

    The Local and Remote SPI values for the DFL-1000 VPN gateway and the client should complement each other. You can use any HEX characters for the Local and Remote SPI. The Local SPI on the DFL-1000 VPN gateway should match the Remote SPI on the client. The Remote SPI on the DFL-1000 VPN gateway should match the Local SPI on the client.
  • Page 97: Adding Internal And External Addresses

    Using a VPN concentrator you can create a hub and spoke VPN configuration to direct traffic through a central DFL-1000 NPG from one VPN tunnel to another VPN tunnel. You create the hub and spoke configuration by adding a VPN concentrator to the central (or hub) DFL-1000 NPG and then adding VPN tunnels to the concentrator.
  • Page 98: Configuring The Hub

    Adding encrypt policies
    Configuring the spokes
    For Branch 1 and Branch 2, you create remote gateways and AutoIKE key tunnels and then add the tunnels to the VPN concentrator. You then add policies to direct the VPN traffic.
  • Page 99: Configuring The Remote Gateways

    Main Office information (table header truncated in this excerpt; the four columns are the two branch tunnels followed by the two Main Office tunnels)
    Tunnel Name: Branch1_VPN | Branch2_VPN | Main_Office_VPN | Main_Office_VPN
    Remote Gateway: Branch1_gw | Branch2_gw | Main_Office_gw | Main_Office_gw
    P2 Proposal 1 - Encryption: 3DES | 3DES | 3DES | 3DES
    Authentication: SHA1 | SHA1 | SHA1 | SHA1
    Enable replay detection: Select | Select | Select | Select
  • Page 100: Configuring The Vpn Concentrator

    Columns: Main Office information | Branch 1 information | Branch 2 information
    Source Address
    Address Name: Main_Office | Branch1 | Branch2
    IP address: 192.168.1.0 | 192.168.2.0 | 192.168.3.0
    Netmask: 255.255.255.0 | 255.255.255.0 | 255.255.255.0
    Destination Address
    Address Name: Branch1, Branch2 | Main_Office | Main_Office
    IP address: 192.168.2.0, 192.168.3.0 | 192.168.1.0 | 192.168.1.0
  • Page 101: Adding Encrypt Policies

    Branch 1 to Branch 2: Source 192.168.2.0; Destination 192.168.3.0; Action Encrypt; VPN Tunnel Name Main_Office_VPN
    Branch Office 2 encrypt policies (Field name / Policy information)
    Branch 2 to Main Office: Source 192.168.3.0; Destination 192.168.1.0; Action Encrypt; VPN Tunnel Name Main_Office_VPN
  • Page 102 Branch 2 to Branch 1: Source 192.168.3.0; Destination 192.168.2.0; Action Encrypt; VPN Tunnel Name Main_Office_VPN
  • Page 103: Pptp And L2Tp Vpns

    L2TP VPN configuration
    PPTP VPN configuration
    PPTP clients must be able to authenticate with the DFL-1000 NPG to start a PPTP session. To support PPTP authentication, you must add a user group to the DFL-1000 NPG configuration. This user group can contain users added to the DFL-1000 NPG user database, RADIUS servers, or both.
  • Page 104: Configuring The Dfl-1000 Npg As A Pptp Gateway

    • Configuring a Windows XP client for PPTP
    PPTP VPN between a Windows client and the DFL-1000 NPG
    Configuring the DFL-1000 NPG as a PPTP gateway
    Create a user group for the PPTP clients. See Users and authentication. • Go to VPN > PPTP > PPTP Range.
  • Page 105: Configuring A Windows 98 Client For Pptp

    Use the following procedure to configure a client computer running Windows 98 so that it can connect to a DFL-1000 PPTP VPN. To configure the Windows 98 client, you must install and configure Windows dialup networking and virtual private networking support.
  • Page 106: Configuring A Windows 2000 Client For Pptp

    • For Network Connection Type, select Connect to a private network through the Internet and select Next. • For Destination Address, enter the IP address or host name of the DFL-1000 NPG to connect to and select Next. • Set Connection Availability to Only for myself and select Next.
  • Page 107: Configuring A Windows Xp Client For Pptp

    If the Public Network dialog box appears, choose the appropriate initial connection and select Next. • In the VPN Server Selection dialog, enter the IP address or host name of the DFL-1000 NPG to connect to and select Next. •...
  • Page 108: L2Tp Vpn Configuration

    This user name and password are not the same as your VPN user name and password.
    L2TP VPN configuration
    L2TP clients must be able to authenticate with the DFL-1000 NPG to start an L2TP session. To support L2TP authentication, you must add a user group to the DFL-1000 NPG configuration. This user group can contain users added to the DFL-1000 NPG user database, RADIUS servers, or both.
  • Page 109: Configuring The Dfl-1000 Npg As An L2Tp Gateway

    Add the addresses to which L2TP users can connect to the interface connected to the destination network. The addresses can be grouped into an address group. • Add a policy to allow L2TP clients to connect through the DFL-1000 NPG.
  • Page 110: Configuring A Windows 2000 Client For L2Tp

    • For Network Connection Type, select Connect to a private network through the Internet and select Next. • For Destination Address, enter the address of the DFL-1000 NPG to connect to and select Next. • Set Connection Availability to Only for myself and select Next.
  • Page 111: Configuring A Windows Xp Client For L2Tp

    If the Public Network dialog box appears, choose the appropriate initial connection and select Next. • In the VPN Server Selection dialog, enter the IP address or host name of the DFL-1000 NPG to connect to and select Next. •...
  • Page 112 • In the connect window, enter the User Name and Password that you use to connect to your dialup network connection. This user name and password are not the same as your VPN user name and password.
  • Page 113: Web Content Filtering

    When the DFL-1000 NPG blocks a web page, the user who requested the blocked page receives a block message and the DFL-1000 NPG writes a message to the event log.
  • Page 114: Enabling The Banned Word List

    • Type a banned word or phrase. If you type a single word (for example, banned), the DFL-1000 NPG blocks all web pages that contain that word. If you type a phrase (for example, banned phrase), the DFL-1000 NPG blocks web pages that contain both words.
  • Page 115: Temporarily Disabling The Banned Word List

    • Select Backup Banned Word list. The DFL-1000 NPG downloads the banned word list to a text file on the management computer. You can specify a location to which to download the text file as well as a name for the text file.
  • Page 116: Restoring The Banned Word List

    When the DFL-1000 NPG blocks a web page, the user who requested the blocked page receives a block message and the DFL-1000 NPG writes a message to the event log.
  • Page 117: Adding Urls To The Url Block List

    Change the text of the message. You can add HTML code to this message. • Select OK to save your changes. The DFL-1000 NPG will now display this message when a URL is blocked. Adding URLs to the URL block list •...
  • Page 118: Temporarily Disabling The Url Block List

    Uploading a URL block list
    You can create a URL block list in a text editor and then upload the text file to the DFL-1000 NPG. Add one URL to each line of the text file. You can follow the URL with a space and then a 1 to enable or a zero (0) to disable the URL.
  • Page 119: Removing Scripts From Web Pages

    Removing scripts from web pages Use the following procedure to configure the DFL-1000 NPG to remove scripts from web pages. You can configure the DFL-1000 NPG to block Java applets, cookies, and ActiveX. Blocking of any of these items might prevent some web pages from working properly.
  • Page 120: Adding Urls To The Exempt Url List

    You can enter multiple URLs and then select Check All to activate all entries in the Exempt URL list. Each page of the Exempt URL list displays 100 URLs. • Use Page Down and Page Up to navigate through the Exempt URL list.
  • Page 121: Temporarily Disabling Entries In The Exempt Url List

    Uploading an Exempt URL list
    You can create an Exempt URL list in a text editor and then upload the text file to the DFL-1000 NPG. Add one URL to each line of the text file. You can follow the URL with a space and then a 1 to enable or a zero (0) to disable the URL.
  • Page 122 Enter the path and filename of your Exempt URL list text file, or select Browse and locate the file. • Select OK to upload the file to the DFL-1000 NPG. • Select Return to display the updated Exempt URL list.
  • Page 123: Logging And Reporting

    • the DFL-1000 system memory (if your DFL-1000 NPG does not contain a hard disk). Logging to system memory is not available on all DFL-1000 models. The optional hard disk is not available for all DFL-1000 models. You can also configure the kind of information that is logged.
  • Page 124: Recording Logs On The Dfl-1000 Hard Disk

    Example log settings with optional hard disk
    Recording logs on the DFL-1000 hard disk
    You can record log files on the DFL-1000 hard disk if one is installed on your system. If you do not have a hard disk installed, see...
  • Page 125: Logging Event Log To Memory

    Logging event log to memory
    If your DFL-1000 does not contain a hard disk, you can use the following procedure to configure the DFL-1000 to reserve some system memory for storing current event log messages. The DFL-1000 can store a limited number of messages in system memory.
  • Page 126: Viewing Event Log Saved To Memory

    Select Apply to save your log settings.
    Viewing event log saved to memory
    If the DFL-1000 is configured to save event log messages to memory, you can use the web-based manager to view, search, and clear the event log messages. This section describes: •...
  • Page 127: Clearing Event Log Messages

    • Select OK.
    Viewing and maintaining logs saved to the hard disk
    If your DFL-1000 contains a hard disk for recording logs, you can use the following procedures to view, search, and maintain traffic and event logs: • Viewing logs •...
  • Page 128: Searching Logs

    You can download traffic or event log files to the management computer as plain text files. After downloading, you can view the log file with any text editor. Use the following procedure to download log files: • Go to Log&Report > Logging. • Select Traffic Log or Event Log.
  • Page 129: Deleting All Messages In An Active Log

    If they have not already been added, add the primary and secondary DNS server addresses provided to you by your ISP. Because the DFL-1000 uses the SMTP server name to connect to the mail server, it must be able to look up this name on your DNS server.
  • Page 130: Testing Alert Emails

    Critical VPN events include when replay detection detects a replay packet. Replay detection can be configured for both manual key and AutoIKE Key VPN tunnels. • Select Send alert email when disk is full to have the DFL-1000 send an alert email when the hard disk is almost full. •...
  • Page 131: Event Log Message Format

    Each event log message records the date and time of the event and a description of the event. For connections to the DFL-1000 for management and for configuration changes, the event log message also includes the IP address of the management computer.
  • Page 132: Administration

    Administration This chapter describes how to use the web-based manager to administer and maintain the DFL-1000 NPG. It contains the following sections: • System status • Upgrading the DFL-1000 firmware • Displaying the DFL-1000 NPG serial number • Backing up system settings •...
  • Page 133: Upgrading The Dfl-1000 Firmware

    If you log into the web-based manager with any other administrator account, you can go to System > Status to view the system settings including: • Displaying the DFL-1000 NPG serial number
    All administrative users can also go to System > Status > Monitor and view DFL-1000 NPG system status: • System status monitor
    Upgrading the DFL-1000 firmware
    D-Link releases new versions of the DFL-1000 firmware periodically.
  • Page 134 The following message appears: Enter TFTP Server Address [192.168.1.168]: You only have 3 seconds to press any key. If you do not press any key soon enough, the DFL-1000 NPG reboots and you must log in and repeat the execute reboot command.
  • Page 135: Displaying The Dfl-1000 Npg Serial Number

    Displaying the DFL-1000 NPG serial number
    • Go to System > Status. The serial number is displayed in the Status window. The serial number is specific to your DFL-1000 NPG and does not change with firmware upgrades.
    Backing up system settings
    This procedure does not back up the web content and URL filtering lists.
  • Page 136: Changing To Transparent Mode

    Changing to Transparent mode
    Use the following procedure if you want to switch the DFL-1000 NPG from NAT/Route mode to Transparent mode. Changing to Transparent mode deletes all NAT/Route mode policies and addresses. In addition, any routing set in NAT mode is also deleted.
  • Page 137: System Status Monitor

    The number of days, hours, and minutes since the DFL-1000 NPG was last started.
    Total Number of Sessions: The total number of active communication sessions to and through the DFL-1000 NPG.
    Each line of the system status monitor displays the following information about each active firewall...
  • Page 138: Network Configuration

    The time, in seconds, before the connection expires.
    Clear: Stop an active communication session.
    Network configuration
    Go to System > Network to make any of the following changes to the DFL-1000 NPG network settings: • Configuring the internal interface •...
  • Page 139: Configuring The External Interface

    Go to System > Network > Interface. • For the external interface, select Modify. • Set Addressing mode to Manual. • Change the IP address and Netmask as required. • Select OK to save your changes.
  • Page 140 Set Addressing mode to DHCP and select OK to change to DHCP mode. Both the IP address and Netmask change to 0.0.0.0. • Select Enable Connect to DHCP server if you want the DFL-1000 NPG to automatically connect to a DHCP server when it starts up. •...
  • Page 141 (MTU) of the packets that the DFL-1000 NPG transmits from its external interface. Ideally, you want this MTU to be the same as the smallest MTU of all the networks between the DFL-1000 NPG and the Internet. If the packets that the DFL-1000 NPG sends are larger, they get broken up or fragmented, which slows down transmission speeds.
  • Page 142: Configuring The Dmz Interface

    Select the management Access methods for each interface. By default in Transparent mode, you manage the DFL-1000 NPG by connecting to the internal or dmz interface. However, you can configure the management interface so that you can manage the DFL-1000 NPG by connecting to any interface.
  • Page 143: Setting Dns Server Addresses

    The first step in configuring DFL-1000 NPG routing is to add routing gateways. Routing gateways are the gateways on your network that you want to route DFL-1000 NPG traffic to. You can add the IP address of each routing gateway, and you can also optionally configure the DFL-1000 NPG to ping the routing...
  • Page 144: Adding A Default Route

    • Select New to add a new routing gateway. • Enter the IP address of the routing gateway. This IP address should be on the same subnet as the DFL-1000 NPG interface that connects to this gateway. • Select Dead gateway detection if you want the DFL-1000 NPG to confirm connectivity with the gateway.
  • Page 145: Adding Routes To The Routing Table

    The DFL-1000 NPG assigns routes by searching for a match starting at the top of the routing table and moving down until it finds the first match. You must arrange routes in the routing table from more specific to more general.
  • Page 146: Enabling Rip Server Support

    Routing table
    Enabling RIP server support
    Enable routing information protocol (RIP) server support to configure the DFL-1000 NPG to act like a RIP server. The RIP routing protocol maintains up-to-date dynamic routing tables between nearby routers. When you enable RIP server support, the DFL-1000 NPG acts like a RIP server, broadcasting RIP packets to other nearby routers to: •...
  • Page 147 WAN connection to the DMZ interface. The WAN networks have the following IP addresses:
    Example multiple Internet connection configuration
    External interface: 15.1.2.99
    T1 gateway connected to external interface: 15.1.2.1
    DMZ interface: 16.1.2.99
    Broadband gateway connected to DMZ interface: 16.1.2.1
    Internal interface: 192.168.1.99
  • Page 148: Providing Dhcp Services To Your Internal Network

    Providing DHCP services to your internal network
    If the DFL-1000 NPG is operating in NAT/Route mode, you can configure it to be the DHCP server for your internal network: • Go to System > Network > DHCP.
  • Page 149 Viewing the dynamic IP list
    If you have configured your DFL-1000 NPG as a DHCP server, you can view a list of IP addresses that the DHCP server has added, their corresponding MAC addresses, and the expiry time and date for these addresses.
  • Page 150: System Configuration

    Example dynamic IP list
    System configuration
    Go to System > Config to make any of the following changes to the DFL-1000 NPG system configuration: • Setting system date and time • Changing web-based manager options • Adding and editing administrator accounts •...
  • Page 151: Changing Web-Based Manager Options

    To configure the DFL-1000 NPG to use NTP, select Synchronize with NTP Server. By default, the DFL-1000 NPG is configured to connect to an NTP server at IP address 192.5.5.250, which is the IP address of an NTP server maintained by the Internet Software Consortium at Palo Alto, CA, USA.
  • Page 152: Adding And Editing Administrator Accounts

    Optionally type a Trusted Host IP address and netmask for the location from which the administrator can log into the web-based manager. If you want the administrator to be able to access the DFL-1000 NPG from any address, set the trusted host to 0.0.0.0 and the wildcard mask to 255.255.255.255.
  • Page 153: Configuring Snmp

    Select Enable SNMP. • Configure SNMP settings:
    System Name: Type a name for this DFL-1000 NPG. The system name can be up to 31 characters long and can contain numbers (0-9), uppercase and lowercase letters (A-Z, a-z), and the special characters - and _.
  • Page 154 Also called read community, get community is a password to identify SNMP get requests sent to the DFL-1000 NPG. When an SNMP manager sends a get request to the DFL-1000 NPG, it must include the correct get community string. The default get community string is "public". Change the default get community string to keep intruders from using get requests to retrieve information about your network configuration.
  • Page 155 DFL-1000 traps
    The DFL-1000 agent can send traps to up to three SNMP trap receivers on your network that are configured to receive traps from the DFL-1000 NPG. The DFL-1000 agent sends traps in response to the events listed in SNMP traps.
  • Page 156: Glossary

    HTTPS: The SSL protocol for transmitting private documents over the Internet using a Web browser. Internal interface: The DFL-1000 interface that is connected to your internal (private) network. Internet: A collection of networks connected together that span the entire globe using the NSFNET as their backbone.
  • Page 157 Subnet: A portion of a network that shares a common address component. On TCP/IP networks, subnets are defined as all devices whose IP addresses have the same prefix. For example, all devices with IP addresses that start with 100.100.100. would be part of the same subnet. Dividing a network into...
  • Page 158 VPN, Virtual Private Network: A network that links private networks over the Internet. VPNs use encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be intercepted.
  • Page 159: Troubleshooting Faqs

    Change the administrator password. See Adding and editing administrator accounts. Q: I have the DFL-1000 configured the way I want it. Is there some way to save the configuration before making any more changes? See Backing up system settings and Restoring system settings.
  • Page 160: Schedules

    Q: I am worried about dangerous web content so I set the Script Filter options to block all scripts, Java Applets, ActiveX, and cookies. Now people are complaining that some web sites are inaccessible or don't work properly. See Removing scripts from web pages.
  • Page 161: Logging

    Q: How can I record DFL-1000 logs on a remote computer, such as a management computer? You can send DFL-1000 logs to a WebTrends server or a syslog server. To do this, configure one of these servers and go to Log&Report > Log Setting. Select Log to remote host and enter the IP address of the computer running the syslog server.
  • Page 162: Technical Support

    Le Florilege #2, Allee de la Fresnerie, 78330 Fontenay le Fleury, France
    TEL: 33-1-302-38688 FAX: 33-1-3023-8689 E-MAIL: info@dlink-france.fr URL: www.dlink-france.fr
    GERMANY
    D-LINK Central Europe/D-Link Deutschland GmbH
    Schwalbacher Strasse 74, D-65760 Eschborn, Germany
    TEL: 49-6196-77990 FAX: 49-6196-7799300 INFO LINE: 00800-7250-0000 (toll free) HELP LINE: 00800-7250-4000 (toll free)
  • Page 163: Registration Card

    8. What category best describes your company? Aerospace, Engineering, Education, Finance, Hospital, Legal, Insurance/Real Estate, Manufacturing, Retail/Chainstore/Wholesale, Government, Transportation/Utilities/Communication, System house/company, Other
    9. Would you recommend your D-Link product to a friend? Don't know yet
    10. Your comments on this product?
  • Page 165: Limited Warranty

    (90) days after any replacement Software is delivered. If a material non-conformance is incapable of correction, or if D-Link determines in its sole discretion that it is not practical to replace the non- conforming Software, the price paid by the original licensee for the non-conforming Software will be refunded by D-Link;...
  • Page 166 D-Link Systems Inc., 53 Discovery Drive, Irvine CA 92618. D-Link may reject or return any product that is not packaged and shipped in strict compliance with the foregoing requirements, or for which an RMA number is not visible from the outside of the package. The product owner agrees to pay D-Link’s reasonable handling and return shipping charges for any product...
  • Page 167 Trademarks Copyright © 2001 D-Link Corporation. Contents subject to change without prior notice. D-Link is a registered trademark of D-Link Corporation/D-Link Systems, Inc. All other trademarks belong to their respective proprietors.
  • Page 168: Registration

    Registration
    Register the D-Link DFL-500 Office Firewall online at http://www.dlink.com/sales/reg